From 9eabab4e372ac6951771a4460050aefce76f682d Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Fri, 11 Oct 2024 01:12:44 +0200
Subject: [PATCH] feat(compute01): init pages server
---
 machines/compute01/_configuration.nix | 1 +
 machines/compute01/pages.nix | 91 +++++++++++++++++++
 .../compute01/secrets/pages-environment_file | 32 +++++++
 machines/compute01/secrets/secrets.nix | 1 +
 4 files changed, 125 insertions(+)
 create mode 100644 machines/compute01/pages.nix
 create mode 100644 machines/compute01/secrets/pages-environment_file
diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix
index 1f26c83..aee720a 100644
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@@ -23,6 +23,7 @@ lib.extra.mkConfig {
 "nextcloud"
 "ollama-proxy"
 "outline"
+ "pages"
 "plausible"
 "postgresql"
 "rstudio-server"
diff --git a/machines/compute01/pages.nix b/machines/compute01/pages.nix
new file mode 100644
index 0000000..588198b
--- /dev/null
+++ b/machines/compute01/pages.nix
@@ -0,0 +1,91 @@
+{
+ config,
+ lib,
+ pkgs,
+ nixpkgs,
+ ...
+}:
+
+let
+ environment = {
+ ACME_ACCEPT_TERMS = "true";
+ ACME_EMAIL = "acme@dgnum.eu";
+ DNS_PROVIDER = "ovh";
+ OVH_ENDPOINT = "ovh-eu";
+ ENABLE_HTTP_SERVER = "false";
+ GITEA_ROOT = "https://git.dgnum.eu";
+ PORT = "8010";
+ PAGES_DOMAIN = "dgnum.page";
+ RAW_DOMAIN = "raw.dgnum.page";
+ PAGES_BRANCHES = "pages,main,master";
+ };
+
+ # Necessary until upstream cuts a new release because of
+ # https://codeberg.org/Codeberg/pages-server/issues/235
+ # that is fixed on main
+ package = nixpkgs.unstable.codeberg-pages.overrideAttrs (_: {
+ src = pkgs.fetchFromGitea {
+ domain = "codeberg.org";
+ owner = "Codeberg";
+ repo = "pages-server";
+ rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
+ hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
+ };
+ vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
+ });
+in
+
+{
+
+ systemd.services.codeberg-pages = {
+ inherit environment;
+ description = "Codeberg pages server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ StateDirectory = "codeberg-pages";
+ EnvironmentFile = config.age.secrets."pages-environment_file".path;
+ WorkingDirectory = "/var/lib/codeberg-pages";
+ DynamicUser = true;
+ ExecStart = lib.getExe package;
+ Restart = "on-failure";
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ NoNewPrivileges = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ };
+ };
+
+ services.nginx = {
+ streamConfig = ''
+ map $ssl_preread_server_name $sni_upstream {
+ hostnames;
+ default 127.0.0.1:8010;
+ ${lib.concatMapStringsSep "\n" (vhost: " ${vhost} 127.0.0.1:8446;") (
+ lib.attrNames
config.services.nginx.virtualHosts
+ )}
+ }
+
+ server {
+ listen [::]:443;
+ ssl_preread on;
+ proxy_pass $sni_upstream;
+ }
+
+ '';
+ defaultSSLListenPort = 8446;
+ };
+
+}
diff --git a/machines/compute01/secrets/pages-environment_file b/machines/compute01/secrets/pages-environment_file
new file mode 100644
index 0000000..d1e4ced
--- /dev/null
+++ b/machines/compute01/secrets/pages-environment_file
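Review bot: The stream `server` block only has `listen [::]:443;`, and nginx defaults a wildcard IPv6 listener to `ipv6only=on`, so with `defaultSSLListenPort = 8446` moving every virtual host off port 443 nothing in this hunk accepts IPv4 on 443 unless another listener is configured elsewhere; adding `listen 443;` beside it covers both families. Because the SNI router forwards raw TCP, both the vhosts on 8446 and the pages server on 8010 observe every client as 127.0.0.1, which empties the client address in access logs and makes per-IP rate limiting or abuse detection on either side inert. Setting `proxy_protocol on;` in the stream server, with `proxy_protocol` on the 8446 listeners plus `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;` on the http side, restores it for nginx, but the same flag reaches the 8010 upstream, so this only works if the pages server accepts PROXY protocol (otherwise split the map into two stream servers). The `default` entry also routes every connection with an unknown or absent SNI to the pages server, which is presumably intended but deserves a one-line comment. On the unit, the hardening list could add `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` and `CapabilityBoundingSet = "";`, since a DynamicUser service bound to 8010 needs no capabilities.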
@@ -0,0 +1,32 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA adDi0WGDVz+cMd1BHO7iHbQa0L5h8TXE+gUsmNpTelU +gMTPhxvSHTzZaO99xf5Xd5z3vlxhhPGko9hAsECJ+MA +-> ssh-ed25519 QlRB9Q X36kLbZiK0PuRVFfsTcap/hHVAwZeMoJGPAX6YnS9VI +wKUpjJ1WooBqaKqqYDC8/8Rext/LTyIN/DNUxFVivp0 +-> ssh-ed25519 r+nK/Q C7+FkIik2hcjcPTxEXotPGnxGmrwfjasb0RKgQMAqFI +6RSI8HywfUaHC+095dfYIDm0pQFZh54I4WSTWF/+hUU +-> ssh-rsa krWCLQ +JTY4UJ50gT0YqRP7Oaqm7SYqlp/7W9DobtcCn6hkH/5l/Rg+wH/eKKSnKiVPXtuw +WWi8NlF9J90G7iRPSN/kJSQDutwPfRmwV9IDWRvCqenLHxEHIzXUzATb32kHFNhe +rLaOXcCQUjBDcmGkrjq1XDVOIBiXO55UHBipgtCtVqItQapkDEH6jcgZQ9DxY6T3 +gW1FlxTVRj+n5ZgQPZ64hgVfHLqlk2QwaxUSNzkwa+FmRPT/pB2LD32cTvhvhsxT +io9y8noExNtqgFtwbzs4reiArqzXhlw1gw92c8WMsnz1ej9Dc5iCAPyEML13nyE1 +eAH2s9h4H8UOiLe2yskoWQ +-> ssh-ed25519 /vwQcQ 8uMNWnW4KLtHfihMwcIXrigJyUy+P8VY6DmJeFQC3ig +4VvVGFUavz9vCBnkoz1gyD06licSIvdQygoqKr5trUk +-> ssh-ed25519 0R97PA k2uBLPCrKQAExJD7lQpsQYAg4rCknjmLM38jRCIIq04 +bc2jxJECuvy/V4DF5fjZY1bO3OgPlDQezERP4lHqCmM +-> ssh-ed25519 JGx7Ng k8+E2DFR/FefRBz0D6n+hs4qcWI9h2tiuibEVXyDMR8 +vI75zgK7udv4JnflS1gL7OgJdii1E+86w6iG7g3VUNw +-> ssh-ed25519 5SY7Kg FjRcadeXCg0WBb9cFPPA9ZaDg3inxXIwjeAudwn2Ryw +dDWN4f73t9ynRbA/IlNMhCoxxWXpGm5pfleF4PAUKPE +-> ssh-ed25519 p/Mg4Q OvvMtVWEO1u4GRZsyUmm9DnzQDRx5WrHtCVQChpZE0Q +MuzUJcI9sIUgFdKJujEsM1L5YTtOPodNn1MMsOTYAm0 +-> ssh-ed25519 tDqJRg UY1szeAs7tXzolo+dbxtdcUYo1y+NVf3dpnk988IFng +SJOObLvQ8Ai4EWX9T4AIAi40rFTPX3or0wwp7FERkEk +-> %,-grease Ud+Q +v ; )/g!O +72fL24cCFFkB/kaF5lf2r9P/nvWiMegdPAgnWH1MSBSN2MEeDiuIoCACwYZnpU6G +cYoSW+wQIZEdmZKVOYV9VKxPFlPz3dnN2s8x5vmzpz1TPbFwIQ+r4zwyyVit +--- yJHk5hLLdxkyR4PQvi70VXavFt9P6pfE5I30xH4OlQY +-VTS\Џ]/^*T)g!>,iZ<4%{ YEІQUȍ/<5cr,%CdX3mS +H6`8;|/׫%DPNs`^O-8+oXsgqAB7 K0 [ M9IƍS \ No newline at end of file diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix index 9af2cdd..ee63ae8 100644 --- a/machines/compute01/secrets/secrets.nix +++ b/machines/compute01/secrets/secrets.nix 
@@ -21,6 +21,7 @@
 "outline-oidc_client_secret_file"
 "outline-smtp_password_file"
 "outline-storage_secret_key_file"
+ "pages-environment_file"
 "plausible-admin_user_password_file"
 "plausible-secret_key_base_file"
 "plausible-smtp_password_file"