feat(compute01): init pages server #151
|
@ -23,6 +23,7 @@ lib.extra.mkConfig {
|
|||
"nextcloud"
|
||||
"ollama-proxy"
|
||||
"outline"
|
||||
"pages"
|
||||
"plausible"
|
||||
"postgresql"
|
||||
"rstudio-server"
|
||||
|
|
115
machines/compute01/pages.nix
Normal file
|
@ -0,0 +1,115 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
thubrecht
commented
```nix
config,
lib,
pkgs,
```
|
||||
nixpkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
environment = {
|
||||
ACME_ACCEPT_TERMS = "true";
|
||||
ACME_EMAIL = "acme@dgnum.eu";
|
||||
DNS_PROVIDER = "ovh";
|
||||
OVH_ENDPOINT = "ovh-eu";
|
||||
ENABLE_HTTP_SERVER = "false";
|
||||
GITEA_ROOT = "https://git.dgnum.eu";
|
||||
PORT = "8010";
|
||||
PAGES_DOMAIN = "dgnum.page";
|
||||
RAW_DOMAIN = "raw.dgnum.page";
|
||||
PAGES_BRANCHES = "pages,main,master";
|
||||
};
|
||||
|
||||
# Necessary until upstream cuts a new release because of
|
||||
# https://codeberg.org/Codeberg/pages-server/issues/235
|
||||
thubrecht
commented
C'est pas faisable de juste override le paquet ? c.f. https://github.com/NixOS/nixpkgs/pull/225051
Luj
commented
Je savais pas que ça avait été fix, will do
|
||||
# that is fixed on main
|
||||
package = nixpkgs.unstable.codeberg-pages.overrideAttrs (_: {
|
||||
src = pkgs.fetchFromGitea {
|
||||
domain = "codeberg.org";
|
||||
owner = "Codeberg";
|
||||
thubrecht
commented
Ça ne fait pas ce que tu penses, ça associe à l'user `toto` tous les secrets de la forme `toto-.*`
|
||||
repo = "pages-server";
|
||||
rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
|
||||
hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
|
||||
};
|
||||
vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
|
||||
thubrecht
commented
C'est déjà ouvert, pas la peine de le redéclarer
|
||||
});
|
||||
in
|
||||
|
||||
{
|
||||
options.services.nginx.virtualHosts = lib.mkOption {
|
||||
type = lib.types.attrsOf (
|
||||
thubrecht
commented
Autant appeler directement la variable `environment`, comme ça tu peux faire un inherit et c'est plus clair dans le `let ... in`.
|
||||
lib.types.submodule {
|
||||
config.extraConfig = ''
|
||||
real_ip_header proxy_protocol;
|
||||
set_real_ip_from 127.0.0.1;
|
||||
'';
|
||||
}
|
||||
);
|
||||
thubrecht
commented
`getExe package`
|
||||
};
|
||||
|
||||
config = {
|
||||
systemd.services.codeberg-pages = {
|
||||
thubrecht
commented
C'est strictement égal à `lib.getExe package`
|
||||
inherit environment;
|
||||
description = "Codeberg pages server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
StateDirectory = "codeberg-pages";
|
||||
EnvironmentFile = config.age.secrets."pages-environment_file".path;
|
||||
WorkingDirectory = "/var/lib/codeberg-pages";
|
||||
DynamicUser = true;
|
||||
ExecStart = lib.getExe package;
|
||||
Restart = "on-failure";
|
||||
ProtectHome = true;
|
||||
ProtectSystem = "strict";
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectHostname = true;
|
||||
thubrecht
commented
nginx est déjà activé
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
thubrecht
commented
`concatMapStringsSep` existe ( https://noogle.dev/f/lib/concatMapStringsSep )
|
||||
NoNewPrivileges = true;
|
||||
thubrecht
commented
`127.0.0.1` plutôt que `0.0.0.0` et il manque un `:` entre l'ip et le port
thubrecht
commented
Je comprends pas très bien à quoi sert ce `hostnames` d'ailleurs, sachant que c'est pas défini ailleurs.
Luj
commented
Je pense que tu as raison
Luj
commented
le "hostnames" sert à pouvoir mettre des éléments du type `*.dgnum.eu` dans la map, effectivement plus utile ici
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
thubrecht
commented
L'alignement est décalé de deux caractères sur la gauche
Luj
commented
C'est pour avoir l'indentation correcte sur le fichier de config (regarde les deux espaces au début de chaque ligne).
Comme tu préfères
thubrecht
commented
Ah, hmmm
Autre option, tu mets "\n " comme séparateur et pas les espaces dans la string du vhost
|
||||
RemoveIPC = true;
|
||||
PrivateMounts = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
defaultListen = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 8446;
|
||||
ssl = true;
|
||||
thubrecht
commented
ligne vide en trop ?
|
||||
proxyProtocol = true;
|
||||
}
|
||||
thubrecht
commented
idem
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
ssl = false;
|
||||
}
|
||||
];
|
||||
|
||||
streamConfig = ''
|
||||
map $ssl_preread_server_name $sni_upstream {
|
||||
default 127.0.0.1:8010;
|
||||
${
|
||||
lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
|
||||
lib.attrNames config.services.nginx.virtualHosts
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443;
|
||||
ssl_preread on;
|
||||
proxy_pass $sni_upstream;
|
||||
proxy_protocol on;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
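Review bot: The stream `server` block at the end of the file sends PROXY protocol (`proxy_protocol on;`) to whichever upstream `$sni_upstream` selects, including the `default 127.0.0.1:8010;` pages-server target, yet nothing in `environment` tells the pages server to expect a PROXY header; unless the encrypted `pages-environment_file` enables that, confirm the pinned revision parses it, because otherwise every connection whose SNI is not an nginx vhost would fail its TLS handshake with a garbled first record. The `real_ip_header proxy_protocol; set_real_ip_from 127.0.0.1;` snippet correctly limits header trust to loopback, but any local process can still connect to 127.0.0.1:8446 (or :8010) and present a forged client address, so `$remote_addr`-based allow/deny or rate limits in these vhosts should not be treated as a security control on this host; moving the internal hop to a Unix socket with restricted ownership would close that gap. `listen 443;` binds only the IPv4 wildcard, so if compute01 has a global IPv6 address HTTPS is unreachable over it — add `listen [::]:443;` beside it (and the same for the `0.0.0.0` plain-HTTP listener). Since port 8010 is unprivileged, the unit can also drop `CapabilityBoundingSet = "";`, `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` and `SystemCallFilter = [ "@system-service" ];` into `serviceConfig` alongside the existing `Protect*` settings, which would matter here given the OVH DNS credentials and ACME account key this process holds.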
|
32
machines/compute01/secrets/pages-environment_file
Normal file
|
@ -0,0 +1,32 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA adDi0WGDVz+cMd1BHO7iHbQa0L5h8TXE+gUsmNpTelU
|
||||
gMTPhxvSHTzZaO99xf5Xd5z3vlxhhPGko9hAsECJ+MA
|
||||
-> ssh-ed25519 QlRB9Q X36kLbZiK0PuRVFfsTcap/hHVAwZeMoJGPAX6YnS9VI
|
||||
wKUpjJ1WooBqaKqqYDC8/8Rext/LTyIN/DNUxFVivp0
|
||||
-> ssh-ed25519 r+nK/Q C7+FkIik2hcjcPTxEXotPGnxGmrwfjasb0RKgQMAqFI
|
||||
6RSI8HywfUaHC+095dfYIDm0pQFZh54I4WSTWF/+hUU
|
||||
-> ssh-rsa krWCLQ
|
||||
JTY4UJ50gT0YqRP7Oaqm7SYqlp/7W9DobtcCn6hkH/5l/Rg+wH/eKKSnKiVPXtuw
|
||||
WWi8NlF9J90G7iRPSN/kJSQDutwPfRmwV9IDWRvCqenLHxEHIzXUzATb32kHFNhe
|
||||
rLaOXcCQUjBDcmGkrjq1XDVOIBiXO55UHBipgtCtVqItQapkDEH6jcgZQ9DxY6T3
|
||||
gW1FlxTVRj+n5ZgQPZ64hgVfHLqlk2QwaxUSNzkwa+FmRPT/pB2LD32cTvhvhsxT
|
||||
io9y8noExNtqgFtwbzs4reiArqzXhlw1gw92c8WMsnz1ej9Dc5iCAPyEML13nyE1
|
||||
eAH2s9h4H8UOiLe2yskoWQ
|
||||
-> ssh-ed25519 /vwQcQ 8uMNWnW4KLtHfihMwcIXrigJyUy+P8VY6DmJeFQC3ig
|
||||
4VvVGFUavz9vCBnkoz1gyD06licSIvdQygoqKr5trUk
|
||||
-> ssh-ed25519 0R97PA k2uBLPCrKQAExJD7lQpsQYAg4rCknjmLM38jRCIIq04
|
||||
bc2jxJECuvy/V4DF5fjZY1bO3OgPlDQezERP4lHqCmM
|
||||
-> ssh-ed25519 JGx7Ng k8+E2DFR/FefRBz0D6n+hs4qcWI9h2tiuibEVXyDMR8
|
||||
vI75zgK7udv4JnflS1gL7OgJdii1E+86w6iG7g3VUNw
|
||||
-> ssh-ed25519 5SY7Kg FjRcadeXCg0WBb9cFPPA9ZaDg3inxXIwjeAudwn2Ryw
|
||||
dDWN4f73t9ynRbA/IlNMhCoxxWXpGm5pfleF4PAUKPE
|
||||
-> ssh-ed25519 p/Mg4Q OvvMtVWEO1u4GRZsyUmm9DnzQDRx5WrHtCVQChpZE0Q
|
||||
MuzUJcI9sIUgFdKJujEsM1L5YTtOPodNn1MMsOTYAm0
|
||||
-> ssh-ed25519 tDqJRg UY1szeAs7tXzolo+dbxtdcUYo1y+NVf3dpnk988IFng
|
||||
SJOObLvQ8Ai4EWX9T4AIAi40rFTPX3or0wwp7FERkEk
|
||||
-> %,-grease Ud+Q +v ; )/g!O
|
||||
72fL24cCFFkB/kaF5lf2r9P/nvWiMegdPAgnWH1MSBSN2MEeDiuIoCACwYZnpU6G
|
||||
cYoSW+wQIZEdmZKVOYV9VKxPFlPz3dnN2s8x5vmzpz1TPbFwIQ+r4zwyyVit
|
||||
--- yJHk5hLLdxkyR4PQvi70VXavFt9P6pfE5I30xH4OlQY
|
||||
-¹VºáTÕSÎ\ŠõÐ<C3B5>ƒä¾]é/^*õÈT¡å)g¾!÷>,<2C>¾i«Z¯<÷æ4‹%{
Y€”«ïEàïІQ³UÈ<55>/¦¿›¼<5cþér,%CËdX3ÖmÙSŽ ¼
|
||||
H6ð`›¤8¢;|/ï׫Ó%DšPNs`³^O-ßê8+äoXÞsŽgöqA²“¶BŽ7Á
®KÔ0ïÃê÷[M9IÆ<49>ÐS•
|
|
@ -21,6 +21,7 @@
|
|||
"outline-oidc_client_secret_file"
|
||||
"outline-smtp_password_file"
|
||||
"outline-storage_secret_key_file"
|
||||
"pages-environment_file"
|
||||
thubrecht
commented
`pages-environment_file` plutôt
|
||||
"plausible-admin_user_password_file"
|
||||
"plausible-secret_key_base_file"
|
||||
"plausible-smtp_password_file"
|
||||
|
|