feat(grfn/bbbg): Add NixOS module, deploy to mugwump
Change-Id: I0299242982c183fa9fc1f26b1bacb14f8fc14b28 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4684 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
This commit is contained in:
parent
169d7fb874
commit
503ac8c782
6 changed files with 156 additions and 2 deletions
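--- a/users/grfn/bbbg/module.nix
+++ b/users/grfn/bbbg/module.nix
@@ -0,0 +1,135 @@
+{ config, lib, pkgs, depot, ... }:
+
+let
+bbbg = depot.users.grfn.bbbg;
+cfg = config.services.bbbg;
+in {
+options = with lib; {
+services.bbbg = {
+enable = mkEnableOption "BBBG Server";
+
+port = mkOption {
+type = types.int;
+default = 7222;
+description = "Port to listen to for the HTTP server";
+};
+
+domain = mkOption {
+type = types.str;
+default = "bbbg.gws.fyi";
+description = "Domain to host under";
+};
+
+proxy = {
+enable = mkEnableOption "NGINX reverse proxy";
+};
+
+database = {
+enable = mkEnableOption "BBBG Database Server";
+
+user = mkOption {
+type = types.str;
+default = "bbbg";
+description = "Database username";
+};
+
+host = mkOption {
+type = types.str;
+default = "localhost";
+description = "Database host";
+};
+
+name = mkOption {
+type = types.str;
+default = "bbbg";
+description = "Database name";
+};
+
+port = mkOption {
+type = types.int;
+default = 5432;
+description = "Database host";
+};
+};
+};
+};
+
+config = lib.mkMerge [
+(lib.mkIf cfg.enable {
+systemd.services.bbbg-server = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+
+serviceConfig = {
+DynamicUser = true;
+Restart = "always";
+EnvironmentFile = "/run/agenix/bbbg";
+};
+
+environment = {
+PGHOST = cfg.database.host;
+PGUSER = cfg.database.user;
+PGDATABASE = cfg.database.name;
+PORT = toString cfg.port;
+};
+
+script = "${bbbg.server}/bin/bbbg-server";
+};
+
+systemd.services.migrate-bbbg = {
+description = "Run database migrations for BBBG";
+wantedBy = [ "bbbg-server.service" ];
+after = ([ "network.target" ]
+++ (if cfg.database.enable
+then ["postgresql.service"]
+else []));
+
+serviceConfig = {
+Type = "oneshot";
+EnvironmentFile = "/run/agenix/bbbg";
+};
+
+environment = {
+PGHOST = cfg.database.host;
+PGUSER = cfg.database.user;
+PGDATABASE = cfg.database.name;
+};
+
+script = "${bbbg.db-util}/bin/bbbg-db-util migrate";
+};
+})
+(lib.mkIf cfg.database.enable {
+services.postgresql = {
+enable = true;
+authentication = lib.mkForce ''
+local all all trust
+host all all 127.0.0.1/32 password
+host all all ::1/128 password
+hostnossl all all 127.0.0.1/32 password
+hostnossl all all ::1/128 password
+'';
+
+ensureDatabases = [
+cfg.database.name
+];
+
+ensureUsers = [{
+name = cfg.database.user;
+ensurePermissions = {
+"DATABASE ${cfg.database.name}" = "ALL PRIVILEGES";
+};
+}];
+};
+})
+(lib.mkIf cfg.proxy.enable {
+services.nginx = {
+enable = true;
+virtualHosts."${cfg.domain}" = {
+enableACME = true;
+forceSSL = true;
+locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+};
+};
+})
+];
+}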
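Review bot: The bbbg-server unit (`systemd.services.bbbg-server = {`) has no ordering on migrate-bbbg, so although migrate-bbbg is `wantedBy` the server, both are started together after network.target and the server can come up before the migrations have finished; add `after = [ "network.target" "migrate-bbbg.service" ]; requires = [ "migrate-bbbg.service" ];` to the server unit, and give it the same conditional `postgresql.service` ordering the migration unit already carries when cfg.database.enable is set. The postgresql block forces `local all all trust`, which lets every local Unix user on the host, the DynamicUser services included, connect over the socket as any role up to the superuser, and `lib.mkForce` silently discards authentication rules contributed by any other module on the same machine; a rule scoped to `cfg.database.name`/`cfg.database.user`, preferably with password authentication supplied through the EnvironmentFile instead of trust, and `lib.mkAfter` rather than `mkForce`, would keep the blast radius to this service. The `port` option under `database` also carries a copy-pasted description, "Database host"; it should read `description = "Database port";`. What `/run/agenix/bbbg` is expected to contain is not stated anywhere in the module; a one-line comment above the first `EnvironmentFile =` naming the variables it must provide would spare the next deployer a guess.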
|
@ -353,7 +353,7 @@
|
|||
~@body)))
|
||||
|
||||
(defn -main [& args]
|
||||
(let [db (component/start (make-database {::config (env->config)}))]
|
||||
(let [db (component/start (make-database (env->config)))]
|
||||
(case (first args)
|
||||
"migrate" (migrate! db)
|
||||
"rollback" (rollback! db))))
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
{ ... }:
|
||||
{
|
||||
whitby = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIwl+xQYRCk6Ijz/Ll8eXKZrcTH9/7xwlvIowiuqDSFtGkf+73QJkwVJ0YiKHWAPwIUWMzCEO/Ab2g6j4PcR+XYu8kXbrwT5aW65L/AK1oaav2RfV1bnQEVUP9FRPL52BN42J0ibI2QJZKJVws9JF7vxTWPPG0V0eoxcaRMk1ZEqq+/k3GuN8D69VSV8xo9lB8yZEvTxs0YQRiiF7Q6t/3jhYtz6lCdazQviRcSEOj5AVsDjcf1XIAPOcLK4Q4OEXL49T3UaitSYMyKIO8hzNLiyGAUlSbshAnutPXdyNBypkCs6FrSPSRdBfFjzUVE/a+JWCPmx0q0xAVd497Efxby+Vsa2/TPMp7tSisPaqk3MpPmjBS7eI/y4Pl2GpAB4OVANEBNd1Q6K2/37Pk+PrZtIUBiRG8sM0Od36BjwLCxvG0G5P/UYZ93aC8GzqkRf4evOBMiJCvR2o9CDEDycNyTm1y5dyJzQewOTWX9nsiF1rllc92W0ZALvpO03+W2+k= grfn@chupacabra";
|
||||
main = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPiNpPB6Uqs/VSW/C8tR/Z5wCQxKppNL2iETb1ucsYsFf1B2apG5txj06NMT6IWXwWpZXq7ld+/sA+a2I03lO2INP7S1Dto5nAwpNhhKN/UBXk76qYTdY5tEvb9J89S2ZzfQWR30aZ0CEDDrcbc+YktU1eSLdluu6QH+M/uPBweSiVn5wNHkc5sRdbyiVsZSQJ41MO7PQrzGpe7Pxola/ghOHdEFlESJMKA5uoRpCGboxtDE9tMJwG5MxNwHERpfI9FjvvLsJRrp9dRf6A/RQjlV/nb1GmpX0I8pvrXEPxm/l0rOAgE81VSsM+BxJ7ZvCe8u/YqMYJ8xVfskzlVsf griffin@MacBook-Pro";
|
||||
main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA";
|
||||
old = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPiNpPB6Uqs/VSW/C8tR/Z5wCQxKppNL2iETb1ucsYsFf1B2apG5txj06NMT6IWXwWpZXq7ld+/sA+a2I03lO2INP7S1Dto5nAwpNhhKN/UBXk76qYTdY5tEvb9J89S2ZzfQWR30aZ0CEDDrcbc+YktU1eSLdluu6QH+M/uPBweSiVn5wNHkc5sRdbyiVsZSQJ41MO7PQrzGpe7Pxola/ghOHdEFlESJMKA5uoRpCGboxtDE9tMJwG5MxNwHERpfI9FjvvLsJRrp9dRf6A/RQjlV/nb1GmpX0I8pvrXEPxm/l0rOAgE81VSsM+BxJ7ZvCe8u/YqMYJ8xVfskzlVsf griffin@MacBook-Pro";
|
||||
}
|
||||
|
|
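Review bot: The retired RSA key stays in the set under `old` beside the new ed25519 `main`, and nothing in the hunk records why it must remain or when it can be dropped; wherever `old` is still consumed, that host remains reachable with the superseded key until the entry is deleted. Add a comment above the `old = ...` line giving the reason and the removal condition, e.g. `# retired <date>: kept only until <consumer> is re-keyed; delete afterwards`. The section's file header is not shown here, so which consumers reference `old` cannot be checked from this page.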
10
users/grfn/secrets/bbbg.age
Normal file
10
users/grfn/secrets/bbbg.age
Normal file
|
@ -0,0 +1,10 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 CpJBgQ dHPaZt3ZRV6rBPQrqiEpKXd48OjUC1joVIm/ZHcimVQ
|
||||
Q8JwGJ91nsxspJFwZaq2BENdJYHxdHG30Ef0/Cae58M
|
||||
-> ssh-ed25519 LfBFbQ oN98wLqM69Kv2Ldg31v0eBNtfpNP4nbyqAC+gCOT3yI
|
||||
U8weIdIqhGs2eoKXqCxO8zHe2Ddo5fVJ5ZYua/hcBs8
|
||||
-> \Z^u8-grease ., ,^=lH#0> +P=Z," d
|
||||
fwUdQTFyoVYOmMUWN2nQ9JWg+Mj0iF325eJaEYkWTNvDZfUGioravnCEQxAErbAN
|
||||
S1v0wgUUM8/ja3uI
|
||||
--- erMVG5PLHMBECjcKtR+OLq5hYa+6dS4gPsQ5CzQByQ0
|
||||
S°8÷Y×"g|DÉöZäîª0øX¶ É1¿ggïó¡ÈôÉ|¸.ä]&½m=µ‚4Oô´á˜-´äéT=EmÞ8(\þb„ßïD<C3AF>¿³ ~ˆæ~+áñ“hÍÐa´~«™ReÿÃÅïØWô#Á-š5‘±ŽbôÉÖfO`¡mñ4ñ€<'×|U‰Ô8"<DÕõÁð2>¸<>\Ó©3$@áÏ”Ù8;Ñ|:u WKz@×%#¶ÚÇNE?Ã+‹!1îxNœ”“„<E2809C>¤8h>
|
|
@ -4,5 +4,6 @@ let
|
|||
in
|
||||
|
||||
{
|
||||
"bbbg.age".publicKeys = [ grfn mugwump ];
|
||||
"cloudflare.age".publicKeys = [ grfn mugwump ];
|
||||
}
|
||||
|
|
|
@ -9,6 +9,7 @@ with lib;
|
|||
"${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
|
||||
"${depot.path}/users/grfn/xanthous/server/module.nix"
|
||||
"${depot.third_party.agenix.src}/modules/age.nix"
|
||||
"${depot.path}/users/grfn/bbbg/module.nix"
|
||||
];
|
||||
|
||||
networking.hostName = "mugwump";
|
||||
|
@ -68,6 +69,7 @@ with lib;
|
|||
age.secrets = let
|
||||
secret = name: depot.users.grfn.secrets."${name}.age";
|
||||
in {
|
||||
bbbg.file = secret "bbbg";
|
||||
cloudflare.file = secret "cloudflare";
|
||||
};
|
||||
|
||||
|
@ -247,6 +249,11 @@ with lib;
|
|||
|
||||
services.xanthous-server.enable = true;
|
||||
|
||||
services.bbbg.enable = true;
|
||||
services.bbbg.domain = "staging.bbbg.gws.fyi";
|
||||
services.bbbg.database.enable = true;
|
||||
services.bbbg.proxy.enable = true;
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
services.buildkite-agents = listToAttrs (map (n: rec {
|
||||
|
|
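Review bot: `services.bbbg.database.enable = true` in the last hunk brings the module's forced `local all all trust` pg_hba rule onto a host that also runs buildkite agents (`services.buildkite-agents = ...` directly below) and xanthous-server; if those agents execute CI jobs, every job on the box can reach the Postgres Unix socket as any role, superuser included. Either keep the database off hosts that run CI workers, or tighten the module's authentication to the bbbg role and database before enabling it here. `services.bbbg.domain = "staging.bbbg.gws.fyi"` overrides the module default `bbbg.gws.fyi`, which reads as a staging deployment; a comment such as `# staging deploy; the production domain is the module default` would keep that intent from being lost on the next edit. The enclosing configuration attribute set begins and ends outside the hunk.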