feat(compute01): init pages server
parent
f20353b727
commit
69650d6540
5 changed files with 175 additions and 0 deletions
|
@ -23,6 +23,7 @@ lib.extra.mkConfig {
|
||||||
"nextcloud"
|
"nextcloud"
|
||||||
"ollama-proxy"
|
"ollama-proxy"
|
||||||
"outline"
|
"outline"
|
||||||
|
"pages"
|
||||||
"plausible"
|
"plausible"
|
||||||
"postgresql"
|
"postgresql"
|
||||||
"rstudio-server"
|
"rstudio-server"
|
||||||
|
|
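--- a/machines/compute01/codeberg-pages-custom.nix
+++ b/machines/compute01/codeberg-pages-custom.nix
@@ -0,0 +1,51 @@
+{
+lib,
+fetchFromGitea,
+buildGoModule,
+nix-update-script,
+}:
+
+buildGoModule rec {
+pname = "codeberg-pages";
+version = "5.1";
+
+src = fetchFromGitea {
+domain = "codeberg.org";
+owner = "Codeberg";
+repo = "pages-server";
+rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
+hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
+};
+
+vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
+
+postPatch = ''
+# disable httptest
+rm server/handler/handler_test.go
+'';
+
+ldflags = [
+"-s"
+"-w"
+];
+
+tags = [
+"sqlite"
+"sqlite_unlock_notify"
+"netgo"
+];
+
+passthru.updateScript = nix-update-script { };
+
+meta = with lib; {
+mainProgram = "pages";
+maintainers = with maintainers; [
+laurent-f1z1
+christoph-heiss
+];
+license = licenses.eupl12;
+homepage = "https://codeberg.org/Codeberg/pages-server";
+description = "Static websites hosting from Gitea repositories";
+changelog = "https://codeberg.org/Codeberg/pages-server/releases/tag/v${version}";
+};
+}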
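Review bot: `version = "5.1"` labels a build whose `src` is pinned to commit `9524b1eb12f77fa345cc8a220f67ae244da0ab12`, which the comment in pages.nix describes as an unreleased fix taken from main. The store path name and `meta.changelog` (which interpolates `version`) therefore both claim the 5.1 release, and anyone matching deployed versions against upstream advisories will be looking at the wrong code. I would mark the snapshot explicitly, e.g. `version = "5.1-unstable-YYYY-MM-DD";` (placeholder for the commit date), and point `changelog` at the pinned commit or drop it until the next tag. A short comment above `rev` naming the upstream issue would also tell the next maintainer when this override can be deleted. The `postPatch` comment could say why `handler_test.go` is removed, presumably because it needs network access in the sandbox.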
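--- a/machines/compute01/pages.nix
+++ b/machines/compute01/pages.nix
@@ -0,0 +1,90 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+
+let
+settings = {
+ACME_ACCEPT_TERMS = "true";
+ACME_EMAIL = "acme@dgnum.eu";
+DNS_PROVIDER = "ovh";
+OVH_ENDPOINT = "ovh-eu";
+ENABLE_HTTP_SERVER = "false";
+GITEA_ROOT = "https://git.dgnum.eu";
+PORT = "8010";
+PAGES_DOMAIN = "dgnum.page";
+RAW_DOMAIN = "raw.dgnum.page";
+};
+
+# Necessary until upstream cuts a new release because of
+# https://codeberg.org/Codeberg/pages-server/issues/235
+# that is fixed on main
+package = pkgs.callPackage ./codeberg-pages-custom.nix { };
+in
+
+{
+
+age-secrets.autoMatch = [ "pages_env_file" ];
+
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+
+systemd.services.codeberg-pages = {
+description = "Codeberg pages server";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+environment = settings;
+serviceConfig = {
+Type = "simple";
+StateDirectory = "codeberg-pages";
+EnvironmentFile = config.age.secrets."pages_env_file".path;
+WorkingDirectory = "/var/lib/codeberg-pages";
+DynamicUser = true;
+ExecStart = "${package}/bin/pages";
+Restart = "on-failure";
+ProtectHome = true;
+ProtectSystem = "strict";
+PrivateTmp = true;
+PrivateDevices = true;
+ProtectHostname = true;
+ProtectClock = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+ProtectControlGroups = true;
+NoNewPrivileges = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+RemoveIPC = true;
+PrivateMounts = true;
+};
+};
+
+services.nginx = {
+enable = true;
+streamConfig = ''
+map $ssl_preread_server_name $sni_upstream {
+hostnames;
+default 0.0.0.0:8010;
+${lib.concatStringsSep "\n" (
+map (vhost: " ${vhost} 0.0.0.0:8443;") (lib.attrNames config.services.nginx.virtualHosts)
+)}
+}
+
+server {
+listen [::]:443;
+ssl_preread on;
+proxy_pass $sni_upstream;
+}
+
+'';
+
+defaultSSLListenPort = 8443;
+
+};
+
+}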
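Review bot: Putting the `stream` SNI router in front of port 443 means every existing HTTPS virtual host on this machine, as well as the pages server, now sees the local proxy as its peer instead of the real client. Access logs, rate limits and any IP-based allow or deny rules on those vhosts lose the client address once `defaultSSLListenPort = 8443` takes effect. If that is not intended, the stream `server` block can forward the address with `proxy_protocol on;`, with the HTTP side accepting it via the `proxy_protocol` listen parameter plus `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;`. The PROXY header would also be sent to the default upstream on 8010, so this only works if the pages server can be configured to accept it, which I have not confirmed; otherwise the default route needs its own stream server. Either way, a comment above `streamConfig` recording that ports 8010 and 8443 are reachable only through this proxy and the firewall would document the trust boundary.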
32
machines/compute01/secrets/pages_env_file
Normal file
32
machines/compute01/secrets/pages_env_file
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA adDi0WGDVz+cMd1BHO7iHbQa0L5h8TXE+gUsmNpTelU
|
||||||
|
gMTPhxvSHTzZaO99xf5Xd5z3vlxhhPGko9hAsECJ+MA
|
||||||
|
-> ssh-ed25519 QlRB9Q X36kLbZiK0PuRVFfsTcap/hHVAwZeMoJGPAX6YnS9VI
|
||||||
|
wKUpjJ1WooBqaKqqYDC8/8Rext/LTyIN/DNUxFVivp0
|
||||||
|
-> ssh-ed25519 r+nK/Q C7+FkIik2hcjcPTxEXotPGnxGmrwfjasb0RKgQMAqFI
|
||||||
|
6RSI8HywfUaHC+095dfYIDm0pQFZh54I4WSTWF/+hUU
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
JTY4UJ50gT0YqRP7Oaqm7SYqlp/7W9DobtcCn6hkH/5l/Rg+wH/eKKSnKiVPXtuw
|
||||||
|
WWi8NlF9J90G7iRPSN/kJSQDutwPfRmwV9IDWRvCqenLHxEHIzXUzATb32kHFNhe
|
||||||
|
rLaOXcCQUjBDcmGkrjq1XDVOIBiXO55UHBipgtCtVqItQapkDEH6jcgZQ9DxY6T3
|
||||||
|
gW1FlxTVRj+n5ZgQPZ64hgVfHLqlk2QwaxUSNzkwa+FmRPT/pB2LD32cTvhvhsxT
|
||||||
|
io9y8noExNtqgFtwbzs4reiArqzXhlw1gw92c8WMsnz1ej9Dc5iCAPyEML13nyE1
|
||||||
|
eAH2s9h4H8UOiLe2yskoWQ
|
||||||
|
-> ssh-ed25519 /vwQcQ 8uMNWnW4KLtHfihMwcIXrigJyUy+P8VY6DmJeFQC3ig
|
||||||
|
4VvVGFUavz9vCBnkoz1gyD06licSIvdQygoqKr5trUk
|
||||||
|
-> ssh-ed25519 0R97PA k2uBLPCrKQAExJD7lQpsQYAg4rCknjmLM38jRCIIq04
|
||||||
|
bc2jxJECuvy/V4DF5fjZY1bO3OgPlDQezERP4lHqCmM
|
||||||
|
-> ssh-ed25519 JGx7Ng k8+E2DFR/FefRBz0D6n+hs4qcWI9h2tiuibEVXyDMR8
|
||||||
|
vI75zgK7udv4JnflS1gL7OgJdii1E+86w6iG7g3VUNw
|
||||||
|
-> ssh-ed25519 5SY7Kg FjRcadeXCg0WBb9cFPPA9ZaDg3inxXIwjeAudwn2Ryw
|
||||||
|
dDWN4f73t9ynRbA/IlNMhCoxxWXpGm5pfleF4PAUKPE
|
||||||
|
-> ssh-ed25519 p/Mg4Q OvvMtVWEO1u4GRZsyUmm9DnzQDRx5WrHtCVQChpZE0Q
|
||||||
|
MuzUJcI9sIUgFdKJujEsM1L5YTtOPodNn1MMsOTYAm0
|
||||||
|
-> ssh-ed25519 tDqJRg UY1szeAs7tXzolo+dbxtdcUYo1y+NVf3dpnk988IFng
|
||||||
|
SJOObLvQ8Ai4EWX9T4AIAi40rFTPX3or0wwp7FERkEk
|
||||||
|
-> %,-grease Ud+Q +v ; )/g!O
|
||||||
|
72fL24cCFFkB/kaF5lf2r9P/nvWiMegdPAgnWH1MSBSN2MEeDiuIoCACwYZnpU6G
|
||||||
|
cYoSW+wQIZEdmZKVOYV9VKxPFlPz3dnN2s8x5vmzpz1TPbFwIQ+r4zwyyVit
|
||||||
|
--- yJHk5hLLdxkyR4PQvi70VXavFt9P6pfE5I30xH4OlQY
|
||||||
|
-¹VºáTÕSÎ\ŠõÐ<C3B5>ƒä¾]é/^*õÈT¡å)g¾!÷>,<2C>¾i«Z¯<÷æ4‹%{
Y€”«ïEàïІQ³UÈ<55>/¦¿›¼<5cþér,%CËdX3ÖmÙSŽ ¼
|
||||||
|
H6ð`›¤8¢;|/ï׫Ó%DšPNs`³^O-ßê8+äoXÞsŽgöqA²“¶BŽ7Á
®KÔ0ïÃê÷[M9IÆ<49>ÐS•
|
|
@ -21,6 +21,7 @@
|
||||||
"outline-oidc_client_secret_file"
|
"outline-oidc_client_secret_file"
|
||||||
"outline-smtp_password_file"
|
"outline-smtp_password_file"
|
||||||
"outline-storage_secret_key_file"
|
"outline-storage_secret_key_file"
|
||||||
|
"pages_env_file"
|
||||||
"plausible-admin_user_password_file"
|
"plausible-admin_user_password_file"
|
||||||
"plausible-secret_key_base_file"
|
"plausible-secret_key_base_file"
|
||||||
"plausible-smtp_password_file"
|
"plausible-smtp_password_file"
|
||||||
|
|