2024-10-11 01:28:53 +02:00 · 2024-10-11 01:28:19 +02:00 · 2024-10-11 01:44:07 +02:00 · 2024-10-11 01:20:32 +02:00 · 2024-10-11 01:22:47 +02:00 · 2024-10-11 01:23:43 +02:00
4 changed files with 149 additions and 0 deletions
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@ -23,6 +23,7 @@ lib.extra.mkConfig {
    "nextcloud"
    "ollama-proxy"
    "outline"
    "pages"
    "plausible"
    "postgresql"
    "rstudio-server"
--- a/machines/compute01/pages.nix
+++ b/machines/compute01/pages.nix
@ -0,0 +1,115 @@
 {
  config,
  lib,
  pkgs,
  nixpkgs,
  ...
 }:
 let
  environment = {
    ACME_ACCEPT_TERMS = "true";
    ACME_EMAIL = "acme@dgnum.eu";
    DNS_PROVIDER = "ovh";
    OVH_ENDPOINT = "ovh-eu";
    ENABLE_HTTP_SERVER = "false";
    GITEA_ROOT = "https://git.dgnum.eu";
    PORT = "8010";
    PAGES_DOMAIN = "dgnum.page";
    RAW_DOMAIN = "raw.dgnum.page";
    PAGES_BRANCHES = "pages,main,master";
  };
  # Necessary until upstream cuts a new release because of 
  # https://codeberg.org/Codeberg/pages-server/issues/235
  # that is fixed on main
  package = nixpkgs.unstable.codeberg-pages.overrideAttrs (_: {
    src = pkgs.fetchFromGitea {
      domain = "codeberg.org";
      owner = "Codeberg";
      repo = "pages-server";
      rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
      hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
    };
    vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
  });
 in
 {
  options.services.nginx.virtualHosts = lib.mkOption {
    type = lib.types.attrsOf (
      lib.types.submodule {
        config.extraConfig = ''
          real_ip_header proxy_protocol;
          set_real_ip_from 127.0.0.1;
        '';
      }
    );
  };
  config = {
    systemd.services.codeberg-pages = {
      inherit environment;
      description = "Codeberg pages server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        StateDirectory = "codeberg-pages";
        EnvironmentFile = config.age.secrets."pages-environment_file".path;
        WorkingDirectory = "/var/lib/codeberg-pages";
        DynamicUser = true;
        ExecStart = lib.getExe package;
        Restart = "on-failure";
        ProtectHome = true;
        ProtectSystem = "strict";
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        NoNewPrivileges = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        PrivateMounts = true;
      };
    };
    services.nginx = {
      defaultListen = [
        {
          addr = "127.0.0.1";
          port = 8446;
          ssl = true;
          proxyProtocol = true;
        }
        {
          addr = "0.0.0.0";
          ssl = false;
        }
      ];
      streamConfig = ''
        map $ssl_preread_server_name $sni_upstream {
          default 127.0.0.1:8010;
          ${
            lib.concatMapStringsSep "\n  " (vhost: "${vhost} 127.0.0.1:8446;") (
              lib.attrNames config.services.nginx.virtualHosts
            )
          }
        }
        server {
          listen 443;
          ssl_preread on;
          proxy_pass $sni_upstream;
          proxy_protocol on;
        }
      '';
    };
  };
 }
--- a/machines/compute01/secrets/pages-environment_file
+++ b/machines/compute01/secrets/pages-environment_file
@ -0,0 +1,32 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA adDi0WGDVz+cMd1BHO7iHbQa0L5h8TXE+gUsmNpTelU
 gMTPhxvSHTzZaO99xf5Xd5z3vlxhhPGko9hAsECJ+MA
 -> ssh-ed25519 QlRB9Q X36kLbZiK0PuRVFfsTcap/hHVAwZeMoJGPAX6YnS9VI
 wKUpjJ1WooBqaKqqYDC8/8Rext/LTyIN/DNUxFVivp0
 -> ssh-ed25519 r+nK/Q C7+FkIik2hcjcPTxEXotPGnxGmrwfjasb0RKgQMAqFI
 6RSI8HywfUaHC+095dfYIDm0pQFZh54I4WSTWF/+hUU
 -> ssh-rsa krWCLQ
 JTY4UJ50gT0YqRP7Oaqm7SYqlp/7W9DobtcCn6hkH/5l/Rg+wH/eKKSnKiVPXtuw
 WWi8NlF9J90G7iRPSN/kJSQDutwPfRmwV9IDWRvCqenLHxEHIzXUzATb32kHFNhe
 rLaOXcCQUjBDcmGkrjq1XDVOIBiXO55UHBipgtCtVqItQapkDEH6jcgZQ9DxY6T3
 gW1FlxTVRj+n5ZgQPZ64hgVfHLqlk2QwaxUSNzkwa+FmRPT/pB2LD32cTvhvhsxT
 io9y8noExNtqgFtwbzs4reiArqzXhlw1gw92c8WMsnz1ej9Dc5iCAPyEML13nyE1
 eAH2s9h4H8UOiLe2yskoWQ
 -> ssh-ed25519 /vwQcQ 8uMNWnW4KLtHfihMwcIXrigJyUy+P8VY6DmJeFQC3ig
 4VvVGFUavz9vCBnkoz1gyD06licSIvdQygoqKr5trUk
 -> ssh-ed25519 0R97PA k2uBLPCrKQAExJD7lQpsQYAg4rCknjmLM38jRCIIq04
 bc2jxJECuvy/V4DF5fjZY1bO3OgPlDQezERP4lHqCmM
 -> ssh-ed25519 JGx7Ng k8+E2DFR/FefRBz0D6n+hs4qcWI9h2tiuibEVXyDMR8
 vI75zgK7udv4JnflS1gL7OgJdii1E+86w6iG7g3VUNw
 -> ssh-ed25519 5SY7Kg FjRcadeXCg0WBb9cFPPA9ZaDg3inxXIwjeAudwn2Ryw
 dDWN4f73t9ynRbA/IlNMhCoxxWXpGm5pfleF4PAUKPE
 -> ssh-ed25519 p/Mg4Q OvvMtVWEO1u4GRZsyUmm9DnzQDRx5WrHtCVQChpZE0Q
 MuzUJcI9sIUgFdKJujEsM1L5YTtOPodNn1MMsOTYAm0
 -> ssh-ed25519 tDqJRg UY1szeAs7tXzolo+dbxtdcUYo1y+NVf3dpnk988IFng
 SJOObLvQ8Ai4EWX9T4AIAi40rFTPX3or0wwp7FERkEk
 -> %,-grease Ud+Q +v ; )/g!O
 72fL24cCFFkB/kaF5lf2r9P/nvWiMegdPAgnWH1MSBSN2MEeDiuIoCACwYZnpU6G
 cYoSW+wQIZEdmZKVOYV9VKxPFlPz3dnN2s8x5vmzpz1TPbFwIQ+r4zwyyVit
 --- yJHk5hLLdxkyR4PQvi70VXavFt9P6pfE5I30xH4OlQY
 -¹VºáTÕSÎ\ŠõÐ<C3B5>ƒä¾]é/^*õÈT¡å)g¾!÷>,<2C>¾i«Z¯<÷æ4‹%{
Y€”«ïEàïÐ†Q³UÈ<55>/¦¿›¼<5cþér,%CËdX3ÖmÙSŽ ¼
 H6ð`›¤8¢;|/ï×«Ó%DšPNs`³^O-ßê8+äoXÞsŽgöqA²“¶BŽ7Á
®KÔ0ïÃê÷[M9IÆ<49>ÐS•
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@ -21,6 +21,7 @@
  "outline-oidc_client_secret_file"
  "outline-smtp_password_file"
  "outline-storage_secret_key_file"
  "pages-environment_file"
  "plausible-admin_user_password_file"
  "plausible-secret_key_base_file"
  "plausible-smtp_password_file"