web01: Rename from web-01

Tom Hubrecht 2023-07-20 14:21:25 +02:00
parent 2274668f9b
commit 6c0e2818ac
10 changed files with 0 additions and 0 deletions


@ -0,0 +1,25 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ name, ... }:
{
imports =
[
./networking.nix
./plausible.nix
# ./wordpress
];
networking.hostName = name;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}


@ -0,0 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
(let sources = import ../../npins; in sources.disko + "/module.nix")
./disko.nix
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "ahci" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

80
machines/web01/disko.nix Normal file

@ -0,0 +1,80 @@
_:
let
luksName = "mainfs";
in
{
boot.initrd.luks.devices.${luksName} = {
keyFile = "/dev/zero";
keyFileSize = 1;
};
disko.devices = {
disk = {
vdb = {
device = "/dev/vdb";
type = "disk";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "ESP";
start = "1MiB";
end = "512MiB";
fs-type = "fat32";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
}
{
name = "luks";
start = "512MiB";
end = "-4GiB";
content = rec {
type = "luks";
name = luksName;
extraOpenArgs = [ "--keyfile-size=1" ];
extraFormatArgs = extraOpenArgs;
keyFile = "/dev/zero";
content = {
type = "btrfs";
mountpoint = "/mnt/btrfs-root";
subvolumes = {
"/rootfs" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" ];
};
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
"/var-log" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/var/log";
};
"/nix" = {
mountOptions = [ "noatime" "compress=zstd" ];
mountpoint = "/nix";
};
};
};
};
}
{
name = "swap";
start = "-4GiB";
end = "100%";
content = {
type = "swap";
randomEncryption = true;
};
}
];
};
};
};
};
}
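Review bot: The LUKS container `mainfs` is formatted and opened with `keyFile = "/dev/zero"` and a one-byte key size (`keyFileSize = 1` in `boot.initrd.luks.devices`, `--keyfile-size=1` in `extraOpenArgs`/`extraFormatArgs`). The only key is therefore a single zero byte that anyone holding the disk image can reproduce, so the volume gives no real protection at rest for `/`, `/home` and `/var/log`. If this is a provisioning placeholder to be replaced after install, state that next to the `boot.initrd.luks.devices` block, for example `# Placeholder key: enrol a real key and remove this slot before storing data`, and track the re-keying. Without such a note, readers will take the `type = "luks"` layer as meaning the data is confidential.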


@ -0,0 +1,4 @@
{ lib, ... }: {
# TODO: Switch to networkd
networking.useDHCP = lib.mkDefault true;
}


@ -0,0 +1,59 @@
{ config, ... }:
let
host = "analytics.dgnum.eu";
port = 8111;
in
{
services.plausible = {
enable = true;
mail = {
email = "analytics@infra.dgnum.eu";
smtp = {
user = "web-services@infra.dgnum.eu";
passwordFile = config.age.secrets."_smtp-password-file".path;
hostPort = 465;
hostAddr = "kurisu.lahfa.xyz";
enableSSL = true;
};
};
server = {
baseUrl = "https://${host}";
inherit port;
disableRegistration = false;
secretKeybaseFile = config.age.secrets."plausible_secret-key-base-file".path;
};
releaseCookiePath = config.age.secrets."plausible_release-cookie-file".path;
adminUser = {
passwordFile = config.age.secrets."plausible_admin-user-password-file".path;
email = "tom.hubrecht@dgnum.eu";
name = "thubrecht";
activate = true;
};
};
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
};
};
# dgn-secrets.options."_smtp-password-file".owner = "plausible";
#
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
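Review bot: `server.disableRegistration = false` leaves self-service sign-up open on a host published through nginx with ACME and with ports 80 and 443 allowed in the firewall, so anyone who can reach `analytics.dgnum.eu` can create an account. If the instance is meant for the organisation only, set `disableRegistration = true;` and rely on the `adminUser` declared here to create further accounts. Separately, the commented-out `dgn-secrets.options."_smtp-password-file".owner = "plausible";` followed by a bare `#` leaves it unclear who is meant to own that secret. Either delete it or replace it with a comment saying which user reads the secret and why no owner override is needed.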


@ -0,0 +1,25 @@
age-encryption.org/v1
-> ssh-ed25519 0IVRbA cZCE8mKHO2PTChNTA6+1H4I3q4s2uHn+EG6lt3MM8Xs
FUID2ymmT2Cpp1hSCEoe6Msb6q5DvCebNOgqM6oXME8
-> ssh-ed25519 JGx7Ng LEbrpjdHw8A79rj6+WVFRJNj5pCw5Sass8Hca2c3FFg
fI+RUcxfsjXCes7BfqBAQ+DnqLZzxhMTC5jykb/mDdM
-> ssh-rsa krWCLQ
NzUVdayQo5mroNmgSUZvY2s73af6UbEscX8rE3fJIOyryCKR1D3oZ4Obvp7Pt8wP
NkyNC3yZ/1awTc13RWvHw8YGeTPugrbmLfxcE6HEYk8i/k4X6spgxdNVOMqfXlsR
zUdgjrwFB6LVjdcsjIuTeRtJqE7wF0FCq/f9aTolcvJzptuCIr/J5oQOlWJba88r
24b+FKFyxiL3zFfuCv+OhCSQnwaVcISUt39Cve8htElO7aUAprwM69Sr0R/HeYOi
palhdzakhQ00E9LTDLoMl3H/nLRbDF8SwRY60jTScMHIlwxnTC4vFmFpEktPmvTf
CNpD+v4JnPcOrXrNYTHjRQ
-> ssh-ed25519 /vwQcQ BzKg1eOPWJ4Yldf7CI5QW4aBUfg6gSuhwhoqBOnev04
3+t9+Rx37FKGhIM0xf65QF0hqgI/4SsKe/XHxMVE2OY
-> ssh-ed25519 0R97PA 7ueqrFZXhEUlqK+y8ZT0kXd3+CzChefB9C5ejnlWDEk
A858uk0/BtyqrbwIv6gX1hE7AHcnywJuI9m5hLgtmSs
-> ssh-ed25519 jIXfPA JioutJFJ+egzcMCiNumBPMNeeEAQVoMQMtbpMtmqoQk
iabPYCNe3yuEJTRJD6tkhQHv4ofXXAVudpj9EWO0ZEY
-> ssh-ed25519 QlRB9Q HzVChUjrV3VmSKm4MEYdXTLEY3MnkwoY6Y4H/HfZT0E
smqbVsRJGgoYGoJBrK0c88ty3GDDIlGEytXyadqmVvg
-> `-grease ?wWe@l T#Zco G5 nxA
606wl2wFtQEpgUend2CvF3JHFR3iJnmkdrAU8+xPs3O8VjTmAxmnuheKI1Aoi9AF
rmHvXSMqq7cwbWParl8iHSXGhikyjon1Ju0uzZxuXN4hgiAMWh/1Hw+T3nggMg
--- KrORJ/ccXLK8gZnnQKBUsHomAaOvk3+WQRV1Vv2ZOi4
‡H$imç"•ˆê<CB86>ʨñmR\ý5,:AŒgÖˆÒ—Ïìgf<VôHêEÿáÀ.ê°[ìw…'Æ’+ê+FGÔ, R


@ -0,0 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 0IVRbA 0jTTPBKyGia3BvT9EJlTY0UVqIF05D6zWokv6wE+Swc
LLt0vGzPA8wKKa/s794GQ+4CVIV9DApJXswEjOx4kYw
-> ssh-ed25519 JGx7Ng /oOaCppA2fnvo3kv27Ynl9P9NO04UWbs/yw9OrtfkzI
Jt0wq/IdyiTBDxE78drV90zHgnfXT7JT305THHrcH+0
-> ssh-rsa krWCLQ
1yYjwCF3m/n+wOeQIiXbZAl4tVttROXIlRIhRqgK9pbsI22WmXIXV0qmMsac8VZQ
OsaZJGvY38yhUpYfDZZZHN3JNKL5yZcPFX+HeXQo305oFKsuUSs5EGIWDZmE5XsJ
AFcqwrSRhNLHCJ3PVk6+C9RWfLMhbTNl4Kelndv/KqOfG5AkW193ZG4DHOWSwE3k
8nUgwUGrY79ZVCpGkQAi65TJ4C/3toGcooVxwFVsBX8tfVX53VLvLuUIeD/uvV6A
pZ+cdzwanUK8BNDY3yWPN+a8IYltlWKxruF2Q/Ae+eez5BFHC9p9bok558GTrMwC
+0cu/C1X2nqFormascUW2Q
-> ssh-ed25519 /vwQcQ Ei8pI/GiyHtZWyqxYPoNTz5UVXtSdZllCQU8sF7CYH0
oPuVJbkDVCgWZUp45wkPbogRP3AliLiidKTNP7ttzCY
-> ssh-ed25519 0R97PA RLo/0D0TUnvH6yoLbjV9jEVIYZG/G/2nK9RaA/Zepg0
18hpQWaZmJJFjABVvQJiM6pe7PtcF94BIg3J61+BX14
-> ssh-ed25519 jIXfPA X+zJWTGGvy0LPBgTFRURdS4Rsnd+eSYiW7JhdnlK9yc
mQjvg4cijN8VOeQR0ht9tyHKUX0Eg0iazcN36AAKQE8
-> ssh-ed25519 QlRB9Q KI6rxe4Kek4IkMlDQvDlaO4MgMEKc/DdpWX4pCJFGjI
MAaBVH1HlRntm8gFdbXPPYy1dQcHv8aU6OPCIuVLXYc
-> kEXh"WN-grease WpN@loT^ MVM G\
dL1RrBYkPiADu5E7PXyTBfx3UOhAhaFf66Dajg3aZwgwPOlSciKtsQqu4Q
--- ApT4k9TGTnj3hpJVkSbIElRAwBNliRfmnLYBKsVutpA
žBÍë¦6™È ÝtÈËí§1ùX»Ÿ±!o.ö<>þÜë=Z<>ÉXüåÚt}ÊåO £Kò¤ œg°;<3B>a—ÒÑÚVyYt¤¤Äë«ßM)â´÷ü ›Š!þ;—].ÒX´ÇÛPG;=f‡37 …­2³ÒWk<+IXûµ<C3BB>l§„*ËQS€Epçoc¶@«Â‚{=ß×ݞα*_Ž)ì


@ -0,0 +1,26 @@
age-encryption.org/v1
-> ssh-ed25519 0IVRbA zuXFn55iEAtXdyZIrqGFhMuRmJWO7vVj6biT+/70Vk4
RqGr6dEsYs/zQML0nkaVgnWBdYkaLso0fBZCFNAVosk
-> ssh-ed25519 JGx7Ng 1qQXt05dyoJ/1MVe5XudTJEvDwnLPB8wPg+IDIfoyjw
wSW6ivHK38p+AcaayIY3bn3Io6mB54ut0eaLhvXBWxg
-> ssh-rsa krWCLQ
iaQb8f5LiExwJbZA5rF5FQNuKAh63XLmUjgyoxgkFOn6VprJ9oAH22Y8wq85SMrv
rp5SmOYTcdn9hG1LnABPiSCGcquW+vEfL1LnpQIk0E+sFAHW/P8Pt7iK7L6nyxmR
WF0xhKNBvZudysNMEtYtCWbAWf93awXx2qdH1+N/uITNGLgmviBXGThuz+sKGwVO
mi86qk+B1MKkOCYJpWL6CrFeRJrYgph51y1fHl8Rywb3LE605oDCJ18GyvqBTpKl
AGGtVDmMRIr16TEDVjfTg0XmNKQWDdmqvlpesxyXvKk1kU77eT4bfVtsdqyIDNjk
/9RQqW2kiUDrYuige+p1cg
-> ssh-ed25519 /vwQcQ 8rY5jPREmYfaWWP8KWjOEHgh87e241JbQO5EEgBhVBo
RQhE8XjdFuj/eQujOot4oFrKEb63LrZ34AIeSigosKc
-> ssh-ed25519 0R97PA G/zvtYihaKYoA6hFWoI4ceZt+T7ysxQ+aUSu2XZQHWA
Nud2DqDI/gOeMXg0vZZN75RnDcQxRQix+uKOVS0RMz4
-> ssh-ed25519 jIXfPA NnB25GAo+1eyVKI0m74E93V52XZ35UjECnYLgSTpFjY
ip2J8AW+vo3e3otTE67/ns1lelFQs38JaCdb6l6CLW8
-> ssh-ed25519 QlRB9Q 5PvEcPWMg0+k2fVP5oXjBQxcLLN2S3yV7zvzLO7d6gs
TyZSXXPDyQwZtJmoElqmcl915oHOAaY2EEBb38rfSSM
-> gS\H(UbE-grease xPm5+9D~ ` +jBi]
IMHs3CjXalMD9i1riMNx0E61OhfZfaeONQn0OEn074kj6Qtjll/kr34yXf4CTmG2
LtnT6xiGtf3Hq88Bk0QyuhmOyXpePk0//c40Qr+Ym82RR+mJmv9yRQ
--- fjFYmVm6FP+waGy4INlgyAQonGSp4Q4g1HS/OZfDJWI
†1ñ‰ÄpW¤
»¨<EFBFBD>ó¹èi8çfŸ¹¹Ü±´ å7ózö¥oHyÀehf3“N”c\Ϫ3;*È2ÑÝ8¶C…þtAw Ëc!H˜<68>˜®‰§pøˆt}¦$(`Àç> ¥T¬×´R`e†%ï´x•I¾…^®wѹîêÝËñ«_Amðsi×X£¼Í`´Ý6xÊÈ>j<><6A>2ffÕ÷C


@ -0,0 +1,11 @@
let
lib = import ../../../lib { inherit (import <nixpkgs> { }) lib; };
publicKeys = lib.getNodeKeys "web-01";
in
lib.setDefault { inherit publicKeys; } [
"plausible_admin-user-password-file"
"plausible_secret-key-base-file"
"plausible_release-cookie-file"
"_smtp-password-file"
]
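Review bot: `publicKeys = lib.getNodeKeys "web-01";` still uses the old node name, and the commit reports 0 additions and 0 deletions, so this string was carried over unchanged by the rename. `getNodeKeys` lives in `../../../lib` and is not visible here, but if it looks keys up by machine name then this call will either fail to evaluate or pick a recipient set that no longer matches the host. In the second case the next rekey of these four secrets would encrypt to the wrong keys. The line should probably become `publicKeys = lib.getNodeKeys "web01";`, changed together with whatever metadata maps node names to keys. After that, confirm the host can still decrypt the existing `.age` files.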