diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix
index 1f26c83..aee720a 100644
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@@ -23,6 +23,7 @@ lib.extra.mkConfig {
 "nextcloud"
 "ollama-proxy"
 "outline"
+ "pages"
 "plausible"
 "postgresql"
 "rstudio-server"
diff --git a/machines/compute01/codeberg-pages-custom.nix b/machines/compute01/codeberg-pages-custom.nix
new file mode 100644
index 0000000..90c7d79
--- /dev/null
+++ b/machines/compute01/codeberg-pages-custom.nix
@@ -0,0 +1,51 @@
+{
+ lib,
+ fetchFromGitea,
+ buildGoModule,
+ nix-update-script,
+}:
+
+buildGoModule rec {
+ pname = "codeberg-pages";
+ version = "5.1";
+
+ src = fetchFromGitea {
+ domain = "codeberg.org";
+ owner = "Codeberg";
+ repo = "pages-server";
+ rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
+ hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
+ };
+
+ vendorHash = "sha256-TivaGyKR5axr+DX/hvt4u5qbxyc2AqL5jVDuTG7zf3g=";
+
+ postPatch = ''
+ # disable httptest
+ rm server/handler/handler_test.go
+ '';
+
+ ldflags = [
+ "-s"
+ "-w"
+ ];
+
+ tags = [
+ "sqlite"
+ "sqlite_unlock_notify"
+ "netgo"
+ ];
+
+ passthru.updateScript = nix-update-script { };
+
+ meta = with lib; {
+ mainProgram = "pages";
+ maintainers = with maintainers; [
+ laurent-f1z1
+ christoph-heiss
+ ];
+ license = licenses.eupl12;
+ homepage = "https://codeberg.org/Codeberg/pages-server";
+ description = "Static websites hosting from Gitea repositories";
+ changelog = "https://codeberg.org/Codeberg/pages-server/releases/tag/v${version}";
+ };
+}
diff --git a/machines/compute01/pages.nix b/machines/compute01/pages.nix
new file mode 100644
index 0000000..bc1b59a
--- /dev/null
+++ b/machines/compute01/pages.nix
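Review bot: In codeberg-pages-custom.nix, `version = "5.1";` labels a build that is actually pinned to commit `9524b1eb12f77fa345cc8a220f67ae244da0ab12`, which the comment in pages.nix says is a post-release fix from main, so the derivation name and the `changelog` URL derived from `v${version}` describe a release this binary is not. The nixpkgs convention for a snapshot is `version = "5.1-unstable-<commit date>";` (date is a placeholder to fill in from the pinned commit), which makes the provenance visible in the store path and in `nix-store -q --references` output. As written, `passthru.updateScript = nix-update-script { };` will, on the next update run, most likely move `rev` back to a release tag and silently reintroduce the upstream bug the pin works around; if nix-update's branch mode is used here, it should be passed explicitly, e.g. `nix-update-script { extraArgs = [ "--version" "branch" ]; }`, and the comment explaining the pin belongs next to `rev` in this file rather than only in pages.nix. Removing `server/handler/handler_test.go` in `postPatch` deletes a test from a commit-pinned source; a one-line comment naming why the httptest cannot run in the sandbox would help the next person who bumps the pin.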
@@ -0,0 +1,90 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+
+let
+ settings = {
+ ACME_ACCEPT_TERMS = "true";
+ ACME_EMAIL = "acme@dgnum.eu";
+ DNS_PROVIDER = "ovh";
+ OVH_ENDPOINT = "ovh-eu";
+ ENABLE_HTTP_SERVER = "false";
+ GITEA_ROOT = "https://git.dgnum.eu";
+ PORT = "8010";
+ PAGES_DOMAIN = "dgnum.page";
+ RAW_DOMAIN = "raw.dgnum.page";
+ };
+
+ # Necessary until upstream cuts a new release because of
+ # https://codeberg.org/Codeberg/pages-server/issues/235
+ # that is fixed on main
+ package = pkgs.callPackage ./codeberg-pages-custom.nix { };
+in
+
+{
+
+ age-secrets.autoMatch = [ "pages_env_file" ];
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ systemd.services.codeberg-pages = {
+ description = "Codeberg pages server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment = settings;
+ serviceConfig = {
+ Type = "simple";
+ StateDirectory = "codeberg-pages";
+ EnvironmentFile = config.age.secrets."pages_env_file".path;
+ WorkingDirectory = "/var/lib/codeberg-pages";
+ DynamicUser = true;
+ ExecStart = "${package}/bin/pages";
+ Restart = "on-failure";
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ NoNewPrivileges = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ streamConfig = ''
+ map $ssl_preread_server_name $sni_upstream {
+ hostnames;
+ default 0.0.0.0:8010;
+ ${lib.concatStringsSep "\n" (
+ map (vhost: " ${vhost} 0.0.0.0 8443;") (lib.attrNames config.services.nginx.virtualHosts)
+ )}
+ }
+
+ server {
+ listen [::]:443;
+ ssl_preread on;
+ proxy_pass $sni_upstream;
+ }
+
+ '';
+
+ defaultSSLListenPort = 8443;
+
+ };
+
+}
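Review bot: The generated vhost entries in the `map` block, `map (vhost: " ${vhost} 0.0.0.0 8443;")`, write the upstream with a space between address and port while the `default` entry uses `0.0.0.0:8010`; an nginx `map` entry takes exactly two parameters, so as soon as one virtualHost exists the stream config should fail to load, and if it ever parsed the vhost traffic would not reach nginx on 8443. The line should read `map (vhost: "  ${vhost} 0.0.0.0:8443;")`. Separately, `listen [::]:443;` binds only the IPv6 socket on Linux (nginx defaults to `ipv6only=on`), so IPv4 clients get nothing on the 443 the firewall opens unless a `listen 443;` line is added alongside it. Because this is SNI passthrough, every name that is not one of the nginx vhosts, including arbitrary SNI values, is handed to the pages server on 8010, which then sees the proxy rather than the client address; that is worth a comment on the `default` line so the routing and its effect on the pages server's logging and any ACME issuance it does for unknown names are understood. The unit hardening is good but could also set `CapabilityBoundingSet = "";`, `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` and `SystemCallFilter = [ "@system-service" ];`, since a `DynamicUser` Go service that only needs network sockets has no use for ambient capabilities or other address families.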
diff --git a/machines/compute01/secrets/pages_env_file b/machines/compute01/secrets/pages_env_file new file mode 100644 index 0000000..d1e4ced --- /dev/null +++ b/machines/compute01/secrets/pages_env_file @@ -0,0 +1,32 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA adDi0WGDVz+cMd1BHO7iHbQa0L5h8TXE+gUsmNpTelU +gMTPhxvSHTzZaO99xf5Xd5z3vlxhhPGko9hAsECJ+MA +-> ssh-ed25519 QlRB9Q X36kLbZiK0PuRVFfsTcap/hHVAwZeMoJGPAX6YnS9VI +wKUpjJ1WooBqaKqqYDC8/8Rext/LTyIN/DNUxFVivp0 +-> ssh-ed25519 r+nK/Q C7+FkIik2hcjcPTxEXotPGnxGmrwfjasb0RKgQMAqFI +6RSI8HywfUaHC+095dfYIDm0pQFZh54I4WSTWF/+hUU +-> ssh-rsa krWCLQ +JTY4UJ50gT0YqRP7Oaqm7SYqlp/7W9DobtcCn6hkH/5l/Rg+wH/eKKSnKiVPXtuw +WWi8NlF9J90G7iRPSN/kJSQDutwPfRmwV9IDWRvCqenLHxEHIzXUzATb32kHFNhe +rLaOXcCQUjBDcmGkrjq1XDVOIBiXO55UHBipgtCtVqItQapkDEH6jcgZQ9DxY6T3 +gW1FlxTVRj+n5ZgQPZ64hgVfHLqlk2QwaxUSNzkwa+FmRPT/pB2LD32cTvhvhsxT +io9y8noExNtqgFtwbzs4reiArqzXhlw1gw92c8WMsnz1ej9Dc5iCAPyEML13nyE1 +eAH2s9h4H8UOiLe2yskoWQ +-> ssh-ed25519 /vwQcQ 8uMNWnW4KLtHfihMwcIXrigJyUy+P8VY6DmJeFQC3ig +4VvVGFUavz9vCBnkoz1gyD06licSIvdQygoqKr5trUk +-> ssh-ed25519 0R97PA k2uBLPCrKQAExJD7lQpsQYAg4rCknjmLM38jRCIIq04 +bc2jxJECuvy/V4DF5fjZY1bO3OgPlDQezERP4lHqCmM +-> ssh-ed25519 JGx7Ng k8+E2DFR/FefRBz0D6n+hs4qcWI9h2tiuibEVXyDMR8 +vI75zgK7udv4JnflS1gL7OgJdii1E+86w6iG7g3VUNw +-> ssh-ed25519 5SY7Kg FjRcadeXCg0WBb9cFPPA9ZaDg3inxXIwjeAudwn2Ryw +dDWN4f73t9ynRbA/IlNMhCoxxWXpGm5pfleF4PAUKPE +-> ssh-ed25519 p/Mg4Q OvvMtVWEO1u4GRZsyUmm9DnzQDRx5WrHtCVQChpZE0Q +MuzUJcI9sIUgFdKJujEsM1L5YTtOPodNn1MMsOTYAm0 +-> ssh-ed25519 tDqJRg UY1szeAs7tXzolo+dbxtdcUYo1y+NVf3dpnk988IFng +SJOObLvQ8Ai4EWX9T4AIAi40rFTPX3or0wwp7FERkEk +-> %,-grease Ud+Q +v ; )/g!O +72fL24cCFFkB/kaF5lf2r9P/nvWiMegdPAgnWH1MSBSN2MEeDiuIoCACwYZnpU6G +cYoSW+wQIZEdmZKVOYV9VKxPFlPz3dnN2s8x5vmzpz1TPbFwIQ+r4zwyyVit +--- yJHk5hLLdxkyR4PQvi70VXavFt9P6pfE5I30xH4OlQY +-VTS\Џ]/^*T)g!>,iZ<4%{ YEІQUȍ/<5cr,%CdX3mS +H6`8;|/׫%DPNs`^O-8+oXsgqAB7 K0 [ M9IƍS \ No newline at end of file 
diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix
index 9af2cdd..bfcf33f 100644
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@@ -21,6 +21,7 @@
 "outline-oidc_client_secret_file"
 "outline-smtp_password_file"
 "outline-storage_secret_key_file"
+ "pages_env_file"
 "plausible-admin_user_password_file"
 "plausible-secret_key_base_file"
 "plausible-smtp_password_file"