feat(compute01): init pages server #151

Open
Luj wants to merge 3 commits from init-dgnum-page into main
4 changed files with 149 additions and 0 deletions


@ -23,6 +23,7 @@ lib.extra.mkConfig {
"nextcloud"
"ollama-proxy"
"outline"
"pages"
"plausible"
"postgresql"
"rstudio-server"


@ -0,0 +1,115 @@
{
config,
lib,
pkgs,
nixpkgs,
...
}:
let
environment = {
ACME_ACCEPT_TERMS = "true";
ACME_EMAIL = "acme@dgnum.eu";
DNS_PROVIDER = "ovh";
OVH_ENDPOINT = "ovh-eu";
ENABLE_HTTP_SERVER = "false";
GITEA_ROOT = "https://git.dgnum.eu";
PORT = "8010";
PAGES_DOMAIN = "dgnum.page";
RAW_DOMAIN = "raw.dgnum.page";
PAGES_BRANCHES = "pages,main,master";
};
# Necessary until upstream cuts a new release because of
# https://codeberg.org/Codeberg/pages-server/issues/235
# that is fixed on main
package = nixpkgs.unstable.codeberg-pages.overrideAttrs (_: {
src = pkgs.fetchFromGitea {
domain = "codeberg.org";
owner = "Codeberg";
repo = "pages-server";
rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
};
vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
});
in
{
options.services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
config.extraConfig = ''
real_ip_header proxy_protocol;
set_real_ip_from 127.0.0.1;
'';
}
);
};
config = {
systemd.services.codeberg-pages = {
inherit environment;
description = "Codeberg pages server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
StateDirectory = "codeberg-pages";
EnvironmentFile = config.age.secrets."pages-environment_file".path;
WorkingDirectory = "/var/lib/codeberg-pages";
DynamicUser = true;
ExecStart = lib.getExe package;
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
};
};
services.nginx = {
defaultListen = [
{
addr = "127.0.0.1";
port = 8446;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
ssl = false;
}
];
streamConfig = ''
map $ssl_preread_server_name $sni_upstream {
default 127.0.0.1:8010;
${
lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
lib.attrNames config.services.nginx.virtualHosts
)
}
}
server {
listen 443;
ssl_preread on;
proxy_pass $sni_upstream;
proxy_protocol on;
}
'';
};
};
}
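Review bot: The `environment` set gives the pages server `PORT = "8010"` but no `HOST`, so unless the encrypted environment file sets one, the bind address is left to the upstream default, which as far as I know is every interface rather than loopback. nginx only ever reaches the service at `127.0.0.1:8010`, and the stream block prepends a PROXY header (`proxy_protocol on`), so a listener that is also reachable directly would skip the SNI routing and, if it parses that header, trust a client address supplied by whoever connects; adding `HOST = "127.0.0.1";` next to `PORT` keeps it behind nginx. Separately, the `$sni_upstream` map is generated from `lib.attrNames config.services.nginx.virtualHosts`, so a vhost whose `serverName` differs from its attribute name, or any `serverAliases` entry, falls through to `default` and is handed to the pages server; building the entries from each vhost's `serverName` and `serverAliases` would avoid that. The stream `server` has only `listen 443;` and the plain listener uses `0.0.0.0`, both IPv4-only in nginx, so it is worth confirming that dropping IPv6 is intended.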


@ -0,0 +1,32 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA adDi0WGDVz+cMd1BHO7iHbQa0L5h8TXE+gUsmNpTelU
gMTPhxvSHTzZaO99xf5Xd5z3vlxhhPGko9hAsECJ+MA
-> ssh-ed25519 QlRB9Q X36kLbZiK0PuRVFfsTcap/hHVAwZeMoJGPAX6YnS9VI
wKUpjJ1WooBqaKqqYDC8/8Rext/LTyIN/DNUxFVivp0
-> ssh-ed25519 r+nK/Q C7+FkIik2hcjcPTxEXotPGnxGmrwfjasb0RKgQMAqFI
6RSI8HywfUaHC+095dfYIDm0pQFZh54I4WSTWF/+hUU
-> ssh-rsa krWCLQ
JTY4UJ50gT0YqRP7Oaqm7SYqlp/7W9DobtcCn6hkH/5l/Rg+wH/eKKSnKiVPXtuw
WWi8NlF9J90G7iRPSN/kJSQDutwPfRmwV9IDWRvCqenLHxEHIzXUzATb32kHFNhe
rLaOXcCQUjBDcmGkrjq1XDVOIBiXO55UHBipgtCtVqItQapkDEH6jcgZQ9DxY6T3
gW1FlxTVRj+n5ZgQPZ64hgVfHLqlk2QwaxUSNzkwa+FmRPT/pB2LD32cTvhvhsxT
io9y8noExNtqgFtwbzs4reiArqzXhlw1gw92c8WMsnz1ej9Dc5iCAPyEML13nyE1
eAH2s9h4H8UOiLe2yskoWQ
-> ssh-ed25519 /vwQcQ 8uMNWnW4KLtHfihMwcIXrigJyUy+P8VY6DmJeFQC3ig
4VvVGFUavz9vCBnkoz1gyD06licSIvdQygoqKr5trUk
-> ssh-ed25519 0R97PA k2uBLPCrKQAExJD7lQpsQYAg4rCknjmLM38jRCIIq04
bc2jxJECuvy/V4DF5fjZY1bO3OgPlDQezERP4lHqCmM
-> ssh-ed25519 JGx7Ng k8+E2DFR/FefRBz0D6n+hs4qcWI9h2tiuibEVXyDMR8
vI75zgK7udv4JnflS1gL7OgJdii1E+86w6iG7g3VUNw
-> ssh-ed25519 5SY7Kg FjRcadeXCg0WBb9cFPPA9ZaDg3inxXIwjeAudwn2Ryw
dDWN4f73t9ynRbA/IlNMhCoxxWXpGm5pfleF4PAUKPE
-> ssh-ed25519 p/Mg4Q OvvMtVWEO1u4GRZsyUmm9DnzQDRx5WrHtCVQChpZE0Q
MuzUJcI9sIUgFdKJujEsM1L5YTtOPodNn1MMsOTYAm0
-> ssh-ed25519 tDqJRg UY1szeAs7tXzolo+dbxtdcUYo1y+NVf3dpnk988IFng
SJOObLvQ8Ai4EWX9T4AIAi40rFTPX3or0wwp7FERkEk
-> %,-grease Ud+Q +v ; )/g!O
72fL24cCFFkB/kaF5lf2r9P/nvWiMegdPAgnWH1MSBSN2MEeDiuIoCACwYZnpU6G
cYoSW+wQIZEdmZKVOYV9VKxPFlPz3dnN2s8x5vmzpz1TPbFwIQ+r4zwyyVit
--- yJHk5hLLdxkyR4PQvi70VXavFt9P6pfE5I30xH4OlQY
-¹Vº­áTÕSÎ\ŠõÐ<C3B5>ƒä¾]é/^*õÈT¡å)g¾!÷>,<2C>¾i«Z¯<÷æ4%{ Y€”«ïEàïІQ³UÈ<55>/¦¿›¼<5cþér,%CËdX3ÖmÙSŽ ¼
H6ð`¤8¢;|/ï׫Ó%DšPNs`³^O-ßê8+äoXÞsŽgöqA²“¶BŽ7Á ®KÔ0ïà ê÷[ M9IÆ<49>ÐS•


@ -21,6 +21,7 @@
"outline-oidc_client_secret_file"
"outline-smtp_password_file"
"outline-storage_secret_key_file"
"pages-environment_file"
"plausible-admin_user_password_file"
"plausible-secret_key_base_file"
"plausible-smtp_password_file"