feat(grfn/bbbg): Add NixOS module, deploy to mugwump

Change-Id: I0299242982c183fa9fc1f26b1bacb14f8fc14b28
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4684
Reviewed-by: grfn <grfn@gws.fyi>
Reviewed-by: zseri <zseri.devel@ytrizja.de>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
Griffin Smith 2021-12-26 16:06:07 -05:00 committed by clbot
parent 169d7fb874
commit 503ac8c782
6 changed files with 156 additions and 2 deletions

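--- /dev/null
+++ b/users/grfn/bbbg/module.nix
@@ -0,0 +1,135 @@
+{ config, lib, pkgs, depot, ... }:
+let
+bbbg = depot.users.grfn.bbbg;
+cfg = config.services.bbbg;
+in {
+options = with lib; {
+services.bbbg = {
+enable = mkEnableOption "BBBG Server";
+port = mkOption {
+type = types.int;
+default = 7222;
+description = "Port to listen to for the HTTP server";
+};
+domain = mkOption {
+type = types.str;
+default = "bbbg.gws.fyi";
+description = "Domain to host under";
+};
+proxy = {
+enable = mkEnableOption "NGINX reverse proxy";
+};
+database = {
+enable = mkEnableOption "BBBG Database Server";
+user = mkOption {
+type = types.str;
+default = "bbbg";
+description = "Database username";
+};
+host = mkOption {
+type = types.str;
+default = "localhost";
+description = "Database host";
+};
+name = mkOption {
+type = types.str;
+default = "bbbg";
+description = "Database name";
+};
+port = mkOption {
+type = types.int;
+default = 5432;
+description = "Database host";
+};
+};
+};
+};
+config = lib.mkMerge [
+(lib.mkIf cfg.enable {
+systemd.services.bbbg-server = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+DynamicUser = true;
+Restart = "always";
+EnvironmentFile = "/run/agenix/bbbg";
+};
+environment = {
+PGHOST = cfg.database.host;
+PGUSER = cfg.database.user;
+PGDATABASE = cfg.database.name;
+PORT = toString cfg.port;
+};
+script = "${bbbg.server}/bin/bbbg-server";
+};
+systemd.services.migrate-bbbg = {
+description = "Run database migrations for BBBG";
+wantedBy = [ "bbbg-server.service" ];
+after = ([ "network.target" ]
+++ (if cfg.database.enable
+then ["postgresql.service"]
+else []));
+serviceConfig = {
+Type = "oneshot";
+EnvironmentFile = "/run/agenix/bbbg";
+};
+environment = {
+PGHOST = cfg.database.host;
+PGUSER = cfg.database.user;
+PGDATABASE = cfg.database.name;
+};
+script = "${bbbg.db-util}/bin/bbbg-db-util migrate";
+};
+})
+(lib.mkIf cfg.database.enable {
+services.postgresql = {
+enable = true;
+authentication = lib.mkForce ''
+local all all trust
+host all all 127.0.0.1/32 password
+host all all ::1/128 password
+hostnossl all all 127.0.0.1/32 password
+hostnossl all all ::1/128 password
+'';
+ensureDatabases = [
+cfg.database.name
+];
+ensureUsers = [{
+name = cfg.database.user;
+ensurePermissions = {
+"DATABASE ${cfg.database.name}" = "ALL PRIVILEGES";
+};
+}];
+};
+})
+(lib.mkIf cfg.proxy.enable {
+services.nginx = {
+enable = true;
+virtualHosts."${cfg.domain}" = {
+enableACME = true;
+forceSSL = true;
+locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+};
+};
+})
+];
+}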
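Review bot: The forced pg_hba block at line 107 opens with `local all all trust`, which lets any local Unix account connect over the socket as any role, the postgres superuser included, with no credential, while the TCP rules below it use `password`, i.e. a cleartext password on the loopback; since both services set `PGHOST = cfg.database.host` (default `localhost`) they appear to connect over TCP rather than through the `local` rule, so `local all all peer` together with `scram-sha-256` on the host rules would close this without touching the service path. The `lib.mkForce` on `services.postgresql.authentication` also replaces the whole host's pg_hba, so any other service sharing the instance loses its rules; `lib.mkAfter` or a plain definition would merge instead. `migrate-bbbg` is only `wantedBy = [ "bbbg-server.service" ]` with no `before = [ "bbbg-server.service" ]`, and bbbg-server has no `after = [ "migrate-bbbg.service" ]`, so nothing orders the migration ahead of the server start. `database.port` is declared but never read — neither environment block sets `PGPORT = toString cfg.database.port;` — and its description at line 61 repeats "Database host" where "Database port" is meant; `types.port` would also fit both port options better than `types.int`.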


@ -353,7 +353,7 @@
~@body))) ~@body)))
(defn -main [& args] (defn -main [& args]
(let [db (component/start (make-database {::config (env->config)}))] (let [db (component/start (make-database (env->config)))]
(case (first args) (case (first args)
"migrate" (migrate! db) "migrate" (migrate! db)
"rollback" (rollback! db)))) "rollback" (rollback! db))))
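Review bot: The `case` in `-main` at line 143 has no default clause, so a missing or unrecognized first argument raises `IllegalArgumentException: No matching clause` after the database component has already been started on line 142, and on the recognized paths the started `db` is never stopped either. Adding a fallback such as `(throw (ex-info "unknown command" {:command (first args)}))` and wrapping the dispatch so `(component/stop db)` runs once the command finishes would make both the failure and the shutdown explicit. The two renderings of the `make-database` call on line 142 carry no side markers, so which argument form is the new one cannot be read from this page; `-main` is shown in full.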


@ -1,5 +1,6 @@
{ ... }: { ... }:
{ {
whitby = "ssh-rsa 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 grfn@chupacabra"; whitby = "ssh-rsa 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 grfn@chupacabra";
main = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPiNpPB6Uqs/VSW/C8tR/Z5wCQxKppNL2iETb1ucsYsFf1B2apG5txj06NMT6IWXwWpZXq7ld+/sA+a2I03lO2INP7S1Dto5nAwpNhhKN/UBXk76qYTdY5tEvb9J89S2ZzfQWR30aZ0CEDDrcbc+YktU1eSLdluu6QH+M/uPBweSiVn5wNHkc5sRdbyiVsZSQJ41MO7PQrzGpe7Pxola/ghOHdEFlESJMKA5uoRpCGboxtDE9tMJwG5MxNwHERpfI9FjvvLsJRrp9dRf6A/RQjlV/nb1GmpX0I8pvrXEPxm/l0rOAgE81VSsM+BxJ7ZvCe8u/YqMYJ8xVfskzlVsf griffin@MacBook-Pro"; main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA";
old = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPiNpPB6Uqs/VSW/C8tR/Z5wCQxKppNL2iETb1ucsYsFf1B2apG5txj06NMT6IWXwWpZXq7ld+/sA+a2I03lO2INP7S1Dto5nAwpNhhKN/UBXk76qYTdY5tEvb9J89S2ZzfQWR30aZ0CEDDrcbc+YktU1eSLdluu6QH+M/uPBweSiVn5wNHkc5sRdbyiVsZSQJ41MO7PQrzGpe7Pxola/ghOHdEFlESJMKA5uoRpCGboxtDE9tMJwG5MxNwHERpfI9FjvvLsJRrp9dRf6A/RQjlV/nb1GmpX0I8pvrXEPxm/l0rOAgE81VSsM+BxJ7ZvCe8u/YqMYJ8xVfskzlVsf griffin@MacBook-Pro";
} }
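Review bot: The superseded RSA key is retained under `old` on line 154 while `main` moves to ed25519 on line 153, so the RSA key stays authorized anywhere this attribute set feeds into authorized keys or agenix recipients; if the rotation is meant to retire it, remove the attribute once every secret has been re-keyed, or mark the line with a comment giving the intended retirement, e.g. `# retire after re-keying secrets on <date>`. The new `main` value also carries no trailing identifier, unlike the other entries, which makes it harder to recognize in `authorized_keys` listings later.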


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 CpJBgQ dHPaZt3ZRV6rBPQrqiEpKXd48OjUC1joVIm/ZHcimVQ
Q8JwGJ91nsxspJFwZaq2BENdJYHxdHG30Ef0/Cae58M
-> ssh-ed25519 LfBFbQ oN98wLqM69Kv2Ldg31v0eBNtfpNP4nbyqAC+gCOT3yI
U8weIdIqhGs2eoKXqCxO8zHe2Ddo5fVJ5ZYua/hcBs8
-> \Z^u8-grease ., ,^=lH#0> +P=Z," d
fwUdQTFyoVYOmMUWN2nQ9JWg+Mj0iF325eJaEYkWTNvDZfUGioravnCEQxAErbAN
S1v0wgUUM8/ja3uI
--- erMVG5PLHMBECjcKtR+OLq5hYa+6dS4gPsQ5CzQByQ0
S°8÷Y×"g|DÉöZäîª0øX¶ É1¿ggïó¡ÈôÉ|¸]&½m=µ4Oô´á˜-´äéT=EmÞ8(\þb„ßïD<C3AF>¿³ ~ˆæ~+áñ“hÍÐa´~«™ReÿÃÅïØWô#Á-š5±ŽbôÉÖfO`¡mñ4ñ €<'×|U‰Ô8"<DÕõÁð2>¸<>\Ó©3$@áÏ”Ù8;Ñ|:u WKz@×%#¶ÚÇNE?Ã+!1îxNœ”“„<E2809C>¤8h>


@ -4,5 +4,6 @@ let
in in
{ {
"bbbg.age".publicKeys = [ grfn mugwump ];
"cloudflare.age".publicKeys = [ grfn mugwump ]; "cloudflare.age".publicKeys = [ grfn mugwump ];
} }


@ -9,6 +9,7 @@ with lib;
"${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix" "${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
"${depot.path}/users/grfn/xanthous/server/module.nix" "${depot.path}/users/grfn/xanthous/server/module.nix"
"${depot.third_party.agenix.src}/modules/age.nix" "${depot.third_party.agenix.src}/modules/age.nix"
"${depot.path}/users/grfn/bbbg/module.nix"
]; ];
networking.hostName = "mugwump"; networking.hostName = "mugwump";
@ -68,6 +69,7 @@ with lib;
age.secrets = let age.secrets = let
secret = name: depot.users.grfn.secrets."${name}.age"; secret = name: depot.users.grfn.secrets."${name}.age";
in { in {
bbbg.file = secret "bbbg";
cloudflare.file = secret "cloudflare"; cloudflare.file = secret "cloudflare";
}; };
@ -247,6 +249,11 @@ with lib;
services.xanthous-server.enable = true; services.xanthous-server.enable = true;
services.bbbg.enable = true;
services.bbbg.domain = "staging.bbbg.gws.fyi";
services.bbbg.database.enable = true;
services.bbbg.proxy.enable = true;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
services.buildkite-agents = listToAttrs (map (n: rec { services.buildkite-agents = listToAttrs (map (n: rec {