feat(grfn/bbbg): Add NixOS module, deploy to mugwump
Change-Id: I0299242982c183fa9fc1f26b1bacb14f8fc14b28 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4684 Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: zseri <zseri.devel@ytrizja.de> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
This commit is contained in:
parent
169d7fb874
commit
503ac8c782
6 changed files with 156 additions and 2 deletions
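--- a/users/grfn/bbbg/module.nix
+++ b/users/grfn/bbbg/module.nix
@@ -0,0 +1,135 @@
+{ config, lib, pkgs, depot, ... }:
+
+let
+bbbg = depot.users.grfn.bbbg;
+cfg = config.services.bbbg;
+in {
+options = with lib; {
+services.bbbg = {
+enable = mkEnableOption "BBBG Server";
+
+port = mkOption {
+type = types.int;
+default = 7222;
+description = "Port to listen to for the HTTP server";
+};
+
+domain = mkOption {
+type = types.str;
+default = "bbbg.gws.fyi";
+description = "Domain to host under";
+};
+
+proxy = {
+enable = mkEnableOption "NGINX reverse proxy";
+};
+
+database = {
+enable = mkEnableOption "BBBG Database Server";
+
+user = mkOption {
+type = types.str;
+default = "bbbg";
+description = "Database username";
+};
+
+host = mkOption {
+type = types.str;
+default = "localhost";
+description = "Database host";
+};
+
+name = mkOption {
+type = types.str;
+default = "bbbg";
+description = "Database name";
+};
+
+port = mkOption {
+type = types.int;
+default = 5432;
+description = "Database host";
+};
+};
+};
+};
+
+config = lib.mkMerge [
+(lib.mkIf cfg.enable {
+systemd.services.bbbg-server = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+
+serviceConfig = {
+DynamicUser = true;
+Restart = "always";
+EnvironmentFile = "/run/agenix/bbbg";
+};
+
+environment = {
+PGHOST = cfg.database.host;
+PGUSER = cfg.database.user;
+PGDATABASE = cfg.database.name;
+PORT = toString cfg.port;
+};
+
+script = "${bbbg.server}/bin/bbbg-server";
+};
+
+systemd.services.migrate-bbbg = {
+description = "Run database migrations for BBBG";
+wantedBy = [ "bbbg-server.service" ];
+after = ([ "network.target" ]
+++ (if cfg.database.enable
+then ["postgresql.service"]
+else []));
+
+serviceConfig = {
+Type = "oneshot";
+EnvironmentFile = "/run/agenix/bbbg";
+};
+
+environment = {
+PGHOST = cfg.database.host;
+PGUSER = cfg.database.user;
+PGDATABASE = cfg.database.name;
+};
+
+script = "${bbbg.db-util}/bin/bbbg-db-util migrate";
+};
+})
+(lib.mkIf cfg.database.enable {
+services.postgresql = {
+enable = true;
+authentication = lib.mkForce ''
+local all all trust
+host all all 127.0.0.1/32 password
+host all all ::1/128 password
+hostnossl all all 127.0.0.1/32 password
+hostnossl all all ::1/128 password
+'';
+
+ensureDatabases = [
+cfg.database.name
+];
+
+ensureUsers = [{
+name = cfg.database.user;
+ensurePermissions = {
+"DATABASE ${cfg.database.name}" = "ALL PRIVILEGES";
+};
+}];
+};
+})
+(lib.mkIf cfg.proxy.enable {
+services.nginx = {
+enable = true;
+virtualHosts."${cfg.domain}" = {
+enableACME = true;
+forceSSL = true;
+locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+};
+};
+})
+];
+}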
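Review bot: The `local all all trust` line in the `lib.mkForce`'d `authentication` block lets any local OS account open a Unix-socket connection to every database as any role, the `postgres` superuser included, with no password, and neither service needs it: both set `PGHOST = cfg.database.host` (default `"localhost"`), so they connect over TCP and match the `host`/`hostnossl` rules instead. The mugwump hunk in this same commit enables docker and buildkite agents on the host that gets `database.enable = true`, so a passwordless local superuser is reachable by CI jobs and anything that escapes a container; tighten it to `local all all peer`, scope the TCP rules to `${cfg.database.name} ${cfg.database.user}`, and use `md5` (or `scram-sha-256` where `password_encryption` matches how the role's password was stored) rather than cleartext `password` — the `hostnossl` lines are redundant, since `host` already matches non-SSL connections. Two smaller points: `migrate-bbbg` sets no `DynamicUser`/`User` in its `serviceConfig`, so the migration runs as root while reading `/run/agenix/bbbg`, and `bbbg-server` has no `after = [ "migrate-bbbg.service" ]`, so `wantedBy` alone does not stop the server from starting before migrations finish. The `database.port` option is described as "Database host" (copy-paste of the `host` option) and is never exported as `PGPORT`, so setting it has no effect.
```nix
services.postgresql = {
  enable = true;
  # Unix socket: OS user must match the role, so no passwordless superuser for local accounts;
  # TCP: only the app role, only its database, hashed password auth instead of cleartext.
  authentication = lib.mkForce ''
    local all all peer
    host ${cfg.database.name} ${cfg.database.user} 127.0.0.1/32 md5
    host ${cfg.database.name} ${cfg.database.user} ::1/128 md5
  '';
  # … unchanged: ensureDatabases, ensureUsers …
};
```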
@ -353,7 +353,7 @@
|
||||||
~@body)))
|
~@body)))
|
||||||
|
|
||||||
(defn -main [& args]
|
(defn -main [& args]
|
||||||
(let [db (component/start (make-database {::config (env->config)}))]
|
(let [db (component/start (make-database (env->config)))]
|
||||||
(case (first args)
|
(case (first args)
|
||||||
"migrate" (migrate! db)
|
"migrate" (migrate! db)
|
||||||
"rollback" (rollback! db))))
|
"rollback" (rollback! db))))
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
whitby = "ssh-rsa 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 grfn@chupacabra";
|
whitby = "ssh-rsa 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 grfn@chupacabra";
|
||||||
main = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPiNpPB6Uqs/VSW/C8tR/Z5wCQxKppNL2iETb1ucsYsFf1B2apG5txj06NMT6IWXwWpZXq7ld+/sA+a2I03lO2INP7S1Dto5nAwpNhhKN/UBXk76qYTdY5tEvb9J89S2ZzfQWR30aZ0CEDDrcbc+YktU1eSLdluu6QH+M/uPBweSiVn5wNHkc5sRdbyiVsZSQJ41MO7PQrzGpe7Pxola/ghOHdEFlESJMKA5uoRpCGboxtDE9tMJwG5MxNwHERpfI9FjvvLsJRrp9dRf6A/RQjlV/nb1GmpX0I8pvrXEPxm/l0rOAgE81VSsM+BxJ7ZvCe8u/YqMYJ8xVfskzlVsf griffin@MacBook-Pro";
|
main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA";
|
||||||
|
old = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPiNpPB6Uqs/VSW/C8tR/Z5wCQxKppNL2iETb1ucsYsFf1B2apG5txj06NMT6IWXwWpZXq7ld+/sA+a2I03lO2INP7S1Dto5nAwpNhhKN/UBXk76qYTdY5tEvb9J89S2ZzfQWR30aZ0CEDDrcbc+YktU1eSLdluu6QH+M/uPBweSiVn5wNHkc5sRdbyiVsZSQJ41MO7PQrzGpe7Pxola/ghOHdEFlESJMKA5uoRpCGboxtDE9tMJwG5MxNwHERpfI9FjvvLsJRrp9dRf6A/RQjlV/nb1GmpX0I8pvrXEPxm/l0rOAgE81VSsM+BxJ7ZvCe8u/YqMYJ8xVfskzlVsf griffin@MacBook-Pro";
|
||||||
}
|
}
|
||||||
|
|
10
users/grfn/secrets/bbbg.age
Normal file
10
users/grfn/secrets/bbbg.age
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 CpJBgQ dHPaZt3ZRV6rBPQrqiEpKXd48OjUC1joVIm/ZHcimVQ
|
||||||
|
Q8JwGJ91nsxspJFwZaq2BENdJYHxdHG30Ef0/Cae58M
|
||||||
|
-> ssh-ed25519 LfBFbQ oN98wLqM69Kv2Ldg31v0eBNtfpNP4nbyqAC+gCOT3yI
|
||||||
|
U8weIdIqhGs2eoKXqCxO8zHe2Ddo5fVJ5ZYua/hcBs8
|
||||||
|
-> \Z^u8-grease ., ,^=lH#0> +P=Z," d
|
||||||
|
fwUdQTFyoVYOmMUWN2nQ9JWg+Mj0iF325eJaEYkWTNvDZfUGioravnCEQxAErbAN
|
||||||
|
S1v0wgUUM8/ja3uI
|
||||||
|
--- erMVG5PLHMBECjcKtR+OLq5hYa+6dS4gPsQ5CzQByQ0
|
||||||
|
S°8÷Y×"g|DÉöZäîª0øX¶ É1¿ggïó¡ÈôÉ|¸.ä]&½m=µ‚4Oô´á˜-´äéT=EmÞ8(\þb„ßïD<C3AF>¿³ ~ˆæ~+áñ“hÍÐa´~«™ReÿÃÅïØWô#Á-š5‘±ŽbôÉÖfO`¡mñ4ñ€<'×|U‰Ô8"<DÕõÁð2>¸<>\Ó©3$@áÏ”Ù8;Ñ|:u WKz@×%#¶ÚÇNE?Ã+‹!1îxNœ”“„<E2809C>¤8h>
|
|
@ -4,5 +4,6 @@ let
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
"bbbg.age".publicKeys = [ grfn mugwump ];
|
||||||
"cloudflare.age".publicKeys = [ grfn mugwump ];
|
"cloudflare.age".publicKeys = [ grfn mugwump ];
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,6 +9,7 @@ with lib;
|
||||||
"${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
|
"${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
|
||||||
"${depot.path}/users/grfn/xanthous/server/module.nix"
|
"${depot.path}/users/grfn/xanthous/server/module.nix"
|
||||||
"${depot.third_party.agenix.src}/modules/age.nix"
|
"${depot.third_party.agenix.src}/modules/age.nix"
|
||||||
|
"${depot.path}/users/grfn/bbbg/module.nix"
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "mugwump";
|
networking.hostName = "mugwump";
|
||||||
|
@ -68,6 +69,7 @@ with lib;
|
||||||
age.secrets = let
|
age.secrets = let
|
||||||
secret = name: depot.users.grfn.secrets."${name}.age";
|
secret = name: depot.users.grfn.secrets."${name}.age";
|
||||||
in {
|
in {
|
||||||
|
bbbg.file = secret "bbbg";
|
||||||
cloudflare.file = secret "cloudflare";
|
cloudflare.file = secret "cloudflare";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -247,6 +249,11 @@ with lib;
|
||||||
|
|
||||||
services.xanthous-server.enable = true;
|
services.xanthous-server.enable = true;
|
||||||
|
|
||||||
|
services.bbbg.enable = true;
|
||||||
|
services.bbbg.domain = "staging.bbbg.gws.fyi";
|
||||||
|
services.bbbg.database.enable = true;
|
||||||
|
services.bbbg.proxy.enable = true;
|
||||||
|
|
||||||
virtualisation.docker.enable = true;
|
virtualisation.docker.enable = true;
|
||||||
|
|
||||||
services.buildkite-agents = listToAttrs (map (n: rec {
|
services.buildkite-agents = listToAttrs (map (n: rec {
|
||||||
|
|