feat(compute01): init pages server #151
4 changed files with 149 additions and 0 deletions
|
@ -23,6 +23,7 @@ lib.extra.mkConfig {
|
|||
"nextcloud"
|
||||
"ollama-proxy"
|
||||
"outline"
|
||||
"pages"
|
||||
"plausible"
|
||||
"postgresql"
|
||||
"rstudio-server"
|
||||
|
|
115
machines/compute01/pages.nix
Normal file
115
machines/compute01/pages.nix
Normal file
|
@ -0,0 +1,115 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
nixpkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
environment = {
|
||||
ACME_ACCEPT_TERMS = "true";
|
||||
ACME_EMAIL = "acme@dgnum.eu";
|
||||
DNS_PROVIDER = "ovh";
|
||||
OVH_ENDPOINT = "ovh-eu";
|
||||
ENABLE_HTTP_SERVER = "false";
|
||||
GITEA_ROOT = "https://git.dgnum.eu";
|
||||
PORT = "8010";
|
||||
PAGES_DOMAIN = "dgnum.page";
|
||||
RAW_DOMAIN = "raw.dgnum.page";
|
||||
PAGES_BRANCHES = "pages,main,master";
|
||||
};
|
||||
|
||||
# Necessary until upstream cuts a new release because of
|
||||
# https://codeberg.org/Codeberg/pages-server/issues/235
|
||||
# that is fixed on main
|
||||
package = nixpkgs.unstable.codeberg-pages.overrideAttrs (_: {
|
||||
src = pkgs.fetchFromGitea {
|
||||
domain = "codeberg.org";
|
||||
owner = "Codeberg";
|
||||
repo = "pages-server";
|
||||
rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
|
||||
hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
|
||||
};
|
||||
vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
|
||||
});
|
||||
in
|
||||
|
||||
{
|
||||
options.services.nginx.virtualHosts = lib.mkOption {
|
||||
type = lib.types.attrsOf (
|
||||
lib.types.submodule {
|
||||
config.extraConfig = ''
|
||||
real_ip_header proxy_protocol;
|
||||
set_real_ip_from 127.0.0.1;
|
||||
'';
|
||||
}
|
||||
);
|
||||
};
|
||||
|
||||
config = {
|
||||
systemd.services.codeberg-pages = {
|
||||
inherit environment;
|
||||
description = "Codeberg pages server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
StateDirectory = "codeberg-pages";
|
||||
EnvironmentFile = config.age.secrets."pages-environment_file".path;
|
||||
WorkingDirectory = "/var/lib/codeberg-pages";
|
||||
DynamicUser = true;
|
||||
ExecStart = lib.getExe package;
|
||||
Restart = "on-failure";
|
||||
ProtectHome = true;
|
||||
ProtectSystem = "strict";
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectHostname = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
NoNewPrivileges = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
RemoveIPC = true;
|
||||
PrivateMounts = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
defaultListen = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 8446;
|
||||
ssl = true;
|
||||
proxyProtocol = true;
|
||||
}
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
ssl = false;
|
||||
}
|
||||
];
|
||||
|
||||
streamConfig = ''
|
||||
map $ssl_preread_server_name $sni_upstream {
|
||||
default 127.0.0.1:8010;
|
||||
${
|
||||
lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
|
||||
lib.attrNames config.services.nginx.virtualHosts
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443;
|
||||
ssl_preread on;
|
||||
proxy_pass $sni_upstream;
|
||||
proxy_protocol on;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
32
machines/compute01/secrets/pages-environment_file
Normal file
32
machines/compute01/secrets/pages-environment_file
Normal file
|
@ -0,0 +1,32 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA adDi0WGDVz+cMd1BHO7iHbQa0L5h8TXE+gUsmNpTelU
|
||||
gMTPhxvSHTzZaO99xf5Xd5z3vlxhhPGko9hAsECJ+MA
|
||||
-> ssh-ed25519 QlRB9Q X36kLbZiK0PuRVFfsTcap/hHVAwZeMoJGPAX6YnS9VI
|
||||
wKUpjJ1WooBqaKqqYDC8/8Rext/LTyIN/DNUxFVivp0
|
||||
-> ssh-ed25519 r+nK/Q C7+FkIik2hcjcPTxEXotPGnxGmrwfjasb0RKgQMAqFI
|
||||
6RSI8HywfUaHC+095dfYIDm0pQFZh54I4WSTWF/+hUU
|
||||
-> ssh-rsa krWCLQ
|
||||
JTY4UJ50gT0YqRP7Oaqm7SYqlp/7W9DobtcCn6hkH/5l/Rg+wH/eKKSnKiVPXtuw
|
||||
WWi8NlF9J90G7iRPSN/kJSQDutwPfRmwV9IDWRvCqenLHxEHIzXUzATb32kHFNhe
|
||||
rLaOXcCQUjBDcmGkrjq1XDVOIBiXO55UHBipgtCtVqItQapkDEH6jcgZQ9DxY6T3
|
||||
gW1FlxTVRj+n5ZgQPZ64hgVfHLqlk2QwaxUSNzkwa+FmRPT/pB2LD32cTvhvhsxT
|
||||
io9y8noExNtqgFtwbzs4reiArqzXhlw1gw92c8WMsnz1ej9Dc5iCAPyEML13nyE1
|
||||
eAH2s9h4H8UOiLe2yskoWQ
|
||||
-> ssh-ed25519 /vwQcQ 8uMNWnW4KLtHfihMwcIXrigJyUy+P8VY6DmJeFQC3ig
|
||||
4VvVGFUavz9vCBnkoz1gyD06licSIvdQygoqKr5trUk
|
||||
-> ssh-ed25519 0R97PA k2uBLPCrKQAExJD7lQpsQYAg4rCknjmLM38jRCIIq04
|
||||
bc2jxJECuvy/V4DF5fjZY1bO3OgPlDQezERP4lHqCmM
|
||||
-> ssh-ed25519 JGx7Ng k8+E2DFR/FefRBz0D6n+hs4qcWI9h2tiuibEVXyDMR8
|
||||
vI75zgK7udv4JnflS1gL7OgJdii1E+86w6iG7g3VUNw
|
||||
-> ssh-ed25519 5SY7Kg FjRcadeXCg0WBb9cFPPA9ZaDg3inxXIwjeAudwn2Ryw
|
||||
dDWN4f73t9ynRbA/IlNMhCoxxWXpGm5pfleF4PAUKPE
|
||||
-> ssh-ed25519 p/Mg4Q OvvMtVWEO1u4GRZsyUmm9DnzQDRx5WrHtCVQChpZE0Q
|
||||
MuzUJcI9sIUgFdKJujEsM1L5YTtOPodNn1MMsOTYAm0
|
||||
-> ssh-ed25519 tDqJRg UY1szeAs7tXzolo+dbxtdcUYo1y+NVf3dpnk988IFng
|
||||
SJOObLvQ8Ai4EWX9T4AIAi40rFTPX3or0wwp7FERkEk
|
||||
-> %,-grease Ud+Q +v ; )/g!O
|
||||
72fL24cCFFkB/kaF5lf2r9P/nvWiMegdPAgnWH1MSBSN2MEeDiuIoCACwYZnpU6G
|
||||
cYoSW+wQIZEdmZKVOYV9VKxPFlPz3dnN2s8x5vmzpz1TPbFwIQ+r4zwyyVit
|
||||
--- yJHk5hLLdxkyR4PQvi70VXavFt9P6pfE5I30xH4OlQY
|
||||
-¹VºáTÕSÎ\ŠõÐ<C3B5>ƒä¾]é/^*õÈT¡å)g¾!÷>,<2C>¾i«Z¯<÷æ4‹%{
Y€”«ïEàïІQ³UÈ<55>/¦¿›¼<5cþér,%CËdX3ÖmÙSŽ ¼
|
||||
H6ð`›¤8¢;|/ï׫Ó%DšPNs`³^O-ßê8+äoXÞsŽgöqA²“¶BŽ7Á
®KÔ0ïÃê÷[M9IÆ<49>ÐS•
|
|
@ -21,6 +21,7 @@
|
|||
"outline-oidc_client_secret_file"
|
||||
"outline-smtp_password_file"
|
||||
"outline-storage_secret_key_file"
|
||||
"pages-environment_file"
|
||||
"plausible-admin_user_password_file"
|
||||
"plausible-secret_key_base_file"
|
||||
"plausible-smtp_password_file"
|
||||
|
|
Loading…
Reference in a new issue