feat(compute01): init pages server
All checks were successful
Check meta / check_meta (pull_request) Successful in 19s
Check meta / check_dns (pull_request) Successful in 19s
lint / check (push) Successful in 24s
build configuration / build_and_cache_rescue01 (pull_request) Successful in 1m10s
build configuration / build_and_cache_storage01 (pull_request) Successful in 1m12s
build configuration / build_and_cache_compute01 (pull_request) Successful in 1m33s
build configuration / build_and_cache_krz01 (pull_request) Successful in 2m9s
build configuration / build_and_cache_geo02 (pull_request) Successful in 1m11s
build configuration / build_and_cache_geo01 (pull_request) Successful in 1m13s
build configuration / build_and_cache_vault01 (pull_request) Successful in 1m20s
lint / check (pull_request) Successful in 23s
build configuration / build_and_cache_web01 (pull_request) Successful in 1m43s
build configuration / build_and_cache_bridge01 (pull_request) Successful in 1m3s
build configuration / build_and_cache_web02 (pull_request) Successful in 1m11s

This commit is contained in:
Julien Malka 2024-10-11 01:12:44 +02:00
parent f20353b727
commit 69650d6540
No known key found for this signature in database
GPG key ID: 6FC74C847011FD83
5 changed files with 175 additions and 0 deletions

View file

@ -23,6 +23,7 @@ lib.extra.mkConfig {
"nextcloud" "nextcloud"
"ollama-proxy" "ollama-proxy"
"outline" "outline"
"pages"
"plausible" "plausible"
"postgresql" "postgresql"
"rstudio-server" "rstudio-server"

View file

@ -0,0 +1,51 @@
{
lib,
fetchFromGitea,
buildGoModule,
nix-update-script,
}:
buildGoModule rec {
pname = "codeberg-pages";
version = "5.1";
src = fetchFromGitea {
domain = "codeberg.org";
owner = "Codeberg";
repo = "pages-server";
rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
};
vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
postPatch = ''
# disable httptest
rm server/handler/handler_test.go
'';
ldflags = [
"-s"
"-w"
];
tags = [
"sqlite"
"sqlite_unlock_notify"
"netgo"
];
passthru.updateScript = nix-update-script { };
meta = with lib; {
mainProgram = "pages";
maintainers = with maintainers; [
laurent-f1z1
christoph-heiss
];
license = licenses.eupl12;
homepage = "https://codeberg.org/Codeberg/pages-server";
description = "Static websites hosting from Gitea repositories";
changelog = "https://codeberg.org/Codeberg/pages-server/releases/tag/v${version}";
};
}

View file

@ -0,0 +1,90 @@
{
pkgs,
lib,
config,
...
}:
let
settings = {
ACME_ACCEPT_TERMS = "true";
ACME_EMAIL = "acme@dgnum.eu";
DNS_PROVIDER = "ovh";
OVH_ENDPOINT = "ovh-eu";
ENABLE_HTTP_SERVER = "false";
GITEA_ROOT = "https://git.dgnum.eu";
PORT = "8010";
PAGES_DOMAIN = "dgnum.page";
RAW_DOMAIN = "raw.dgnum.page";
};
# Necessary until upstream cuts a new release because of
# https://codeberg.org/Codeberg/pages-server/issues/235
# that is fixed on main
package = pkgs.callPackage ./codeberg-pages-custom.nix { };
in
{
age-secrets.autoMatch = [ "pages_env_file" ];
networking.firewall.allowedTCPPorts = [
80
443
];
systemd.services.codeberg-pages = {
description = "Codeberg pages server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = settings;
serviceConfig = {
Type = "simple";
StateDirectory = "codeberg-pages";
EnvironmentFile = config.age.secrets."pages_env_file".path;
WorkingDirectory = "/var/lib/codeberg-pages";
DynamicUser = true;
ExecStart = "${package}/bin/pages";
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
};
};
services.nginx = {
enable = true;
streamConfig = ''
map $ssl_preread_server_name $sni_upstream {
hostnames;
default 0.0.0.0:8010;
${lib.concatStringsSep "\n" (
map (vhost: " ${vhost} 0.0.0.0:8443;") (lib.attrNames config.services.nginx.virtualHosts)
)}
}
server {
listen [::]:443;
ssl_preread on;
proxy_pass $sni_upstream;
}
'';
defaultSSLListenPort = 8443;
};
}

View file

@ -0,0 +1,32 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA adDi0WGDVz+cMd1BHO7iHbQa0L5h8TXE+gUsmNpTelU
gMTPhxvSHTzZaO99xf5Xd5z3vlxhhPGko9hAsECJ+MA
-> ssh-ed25519 QlRB9Q X36kLbZiK0PuRVFfsTcap/hHVAwZeMoJGPAX6YnS9VI
wKUpjJ1WooBqaKqqYDC8/8Rext/LTyIN/DNUxFVivp0
-> ssh-ed25519 r+nK/Q C7+FkIik2hcjcPTxEXotPGnxGmrwfjasb0RKgQMAqFI
6RSI8HywfUaHC+095dfYIDm0pQFZh54I4WSTWF/+hUU
-> ssh-rsa krWCLQ
JTY4UJ50gT0YqRP7Oaqm7SYqlp/7W9DobtcCn6hkH/5l/Rg+wH/eKKSnKiVPXtuw
WWi8NlF9J90G7iRPSN/kJSQDutwPfRmwV9IDWRvCqenLHxEHIzXUzATb32kHFNhe
rLaOXcCQUjBDcmGkrjq1XDVOIBiXO55UHBipgtCtVqItQapkDEH6jcgZQ9DxY6T3
gW1FlxTVRj+n5ZgQPZ64hgVfHLqlk2QwaxUSNzkwa+FmRPT/pB2LD32cTvhvhsxT
io9y8noExNtqgFtwbzs4reiArqzXhlw1gw92c8WMsnz1ej9Dc5iCAPyEML13nyE1
eAH2s9h4H8UOiLe2yskoWQ
-> ssh-ed25519 /vwQcQ 8uMNWnW4KLtHfihMwcIXrigJyUy+P8VY6DmJeFQC3ig
4VvVGFUavz9vCBnkoz1gyD06licSIvdQygoqKr5trUk
-> ssh-ed25519 0R97PA k2uBLPCrKQAExJD7lQpsQYAg4rCknjmLM38jRCIIq04
bc2jxJECuvy/V4DF5fjZY1bO3OgPlDQezERP4lHqCmM
-> ssh-ed25519 JGx7Ng k8+E2DFR/FefRBz0D6n+hs4qcWI9h2tiuibEVXyDMR8
vI75zgK7udv4JnflS1gL7OgJdii1E+86w6iG7g3VUNw
-> ssh-ed25519 5SY7Kg FjRcadeXCg0WBb9cFPPA9ZaDg3inxXIwjeAudwn2Ryw
dDWN4f73t9ynRbA/IlNMhCoxxWXpGm5pfleF4PAUKPE
-> ssh-ed25519 p/Mg4Q OvvMtVWEO1u4GRZsyUmm9DnzQDRx5WrHtCVQChpZE0Q
MuzUJcI9sIUgFdKJujEsM1L5YTtOPodNn1MMsOTYAm0
-> ssh-ed25519 tDqJRg UY1szeAs7tXzolo+dbxtdcUYo1y+NVf3dpnk988IFng
SJOObLvQ8Ai4EWX9T4AIAi40rFTPX3or0wwp7FERkEk
-> %,-grease Ud+Q +v ; )/g!O
72fL24cCFFkB/kaF5lf2r9P/nvWiMegdPAgnWH1MSBSN2MEeDiuIoCACwYZnpU6G
cYoSW+wQIZEdmZKVOYV9VKxPFlPz3dnN2s8x5vmzpz1TPbFwIQ+r4zwyyVit
--- yJHk5hLLdxkyR4PQvi70VXavFt9P6pfE5I30xH4OlQY
-¹Vº­áTÕSÎ\ŠõÐ<C3B5>ƒä¾]é/^*õÈT¡å)g¾!÷>,<2C>¾i«Z¯<÷æ4%{ Y€”«ïEàïІQ³UÈ<55>/¦¿›¼<5cþér,%CËdX3ÖmÙSŽ ¼
H6ð`¤8¢;|/ï׫Ó%DšPNs`³^O-ßê8+äoXÞsŽgöqA²“¶BŽ7Á ®KÔ0ïà ê÷[ M9IÆ<49>ÐS•

View file

@ -21,6 +21,7 @@
"outline-oidc_client_secret_file" "outline-oidc_client_secret_file"
"outline-smtp_password_file" "outline-smtp_password_file"
"outline-storage_secret_key_file" "outline-storage_secret_key_file"
"pages_env_file"
"plausible-admin_user_password_file" "plausible-admin_user_password_file"
"plausible-secret_key_base_file" "plausible-secret_key_base_file"
"plausible-smtp_password_file" "plausible-smtp_password_file"