From 3f1d7201bfc46ff9edaa109bc41b59908f99c23b Mon Sep 17 00:00:00 2001 
From: EuAndreh Date: Sun, 6 Sep 2020 09:53:58 -0300 Subject: Refactor vps-configuration.nix: Split secrets from config and envsubst vars Also rename thingTLD to thingDomain. --- .envrc | 27 +- README.md | 2 +- TODOs.org | 26 +- .../5d05f383bcf61-snapshot-configuration.nix | 1 + .../c565f318e4aea-snapshot-configuration.nix | 1 + .../e1d5f317b0f7a-snapshot-configuration.nix | 107 ++++++ envsubst-configuration.nix | 13 + gen-hash.sh | 9 + nixos-switch.sh | 28 +- secrets/base-image-old-password.txt | Bin 0 -> 80 bytes .../nix/5d05f383bcf61-snapshot-configuration.nix | 1 - .../nix/c565f318e4aea-snapshot-configuration.nix | 1 - .../nix/e1d5f317b0f7a-snapshot-configuration.nix | Bin 4297 -> 0 bytes secrets/passwords/matrix-registration.txt | Bin 0 -> 87 bytes secrets/passwords/nextcloud-admin.txt | Bin 0 -> 53 bytes secrets/passwords/nextcloud-database.txt | Bin 0 -> 1022 bytes secrets/passwords/user-hash.txt | Bin 0 -> 129 bytes secrets/secret-envrc.sh | Bin 4144 -> 0 bytes .../plan-files/2020-09-06T11:35:40-03:00.tfplan | Bin 0 -> 3779 bytes .../plan-files/2020-09-06T12:18:46-03:00.tfplan | Bin 0 -> 3564 bytes .../plan-files/2020-09-06T12:21:46-03:00.tfplan | Bin 0 -> 2297 bytes .../plan-files/2020-09-06T14:41:36-03:00.tfplan | Bin 0 -> 2303 bytes .../plan-files/2020-09-06T15:37:03-03:00.tfplan | Bin 0 -> 2299 bytes secrets/terraform/terraform.tfstate | Bin 3051 -> 3058 bytes secrets/terraform/terraform.tfstate.backup | Bin 3060 -> 3054 bytes secrets/terraform/vultr-api-key.txt | Bin 0 -> 59 bytes secrets/user-password.txt | Bin 0 -> 1021 bytes secrets/user-salt.txt | Bin 0 -> 39 bytes terraform-apply.sh | 3 + vps-configuration.env.nix | 414 --------------------- vps-configuration.nix | 410 ++++++++++++++++++++ 31 files changed, 618 insertions(+), 425 deletions(-) mode change 120000 => 100644 .envrc create mode 120000 base-image/5d05f383bcf61-snapshot-configuration.nix create mode 120000 base-image/c565f318e4aea-snapshot-configuration.nix create mode 100644 
base-image/e1d5f317b0f7a-snapshot-configuration.nix create mode 100644 envsubst-configuration.nix create mode 100755 gen-hash.sh create mode 100644 secrets/base-image-old-password.txt delete mode 120000 secrets/nix/5d05f383bcf61-snapshot-configuration.nix delete mode 120000 secrets/nix/c565f318e4aea-snapshot-configuration.nix delete mode 100644 secrets/nix/e1d5f317b0f7a-snapshot-configuration.nix create mode 100644 secrets/passwords/matrix-registration.txt create mode 100644 secrets/passwords/nextcloud-admin.txt create mode 100644 secrets/passwords/nextcloud-database.txt create mode 100644 secrets/passwords/user-hash.txt delete mode 100644 secrets/secret-envrc.sh create mode 100644 secrets/terraform/plan-files/2020-09-06T11:35:40-03:00.tfplan create mode 100644 secrets/terraform/plan-files/2020-09-06T12:18:46-03:00.tfplan create mode 100644 secrets/terraform/plan-files/2020-09-06T12:21:46-03:00.tfplan create mode 100644 secrets/terraform/plan-files/2020-09-06T14:41:36-03:00.tfplan create mode 100644 secrets/terraform/plan-files/2020-09-06T15:37:03-03:00.tfplan create mode 100644 secrets/terraform/vultr-api-key.txt create mode 100644 secrets/user-password.txt create mode 100644 secrets/user-salt.txt delete mode 100644 vps-configuration.env.nix create mode 100644 vps-configuration.nix diff --git a/.envrc b/.envrc deleted file mode 120000 index 9178137..0000000 --- a/.envrc +++ /dev/null @@ -1 +0,0 @@ -secrets/secret-envrc.sh \ No newline at end of file diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..d51f280 --- /dev/null +++ b/.envrc 
@@ -0,0 +1,26 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# envsubst variables for: +# - envsubst-configuration.nix +# - nixos-update.sh +# +export TLD='euandreh.xyz' +export DATA_ROOT='/data' +export FAVICONS_ROOT="${DATA_ROOT}/favicons" +export STATIC_ROOT="${DATA_ROOT}/static" +export CI_LOGS_ROOT="${STATIC_ROOT}/ci-logs" +export GIT_ROOT="${DATA_ROOT}/git" +export SYSTEM_STATE_VERSION='20.03' +export USER_NAME='andreh' +export SECRETS_ROOT='/secrets' +export NEXTCLOUD_DATABASE_USER='nextcloud' +export PROSODY_ENABLE='false' + +# +# Terraform +# +export TF_VAR_tld="${TLD}" +export TF_VAR_hostname="sovereignty-nixos" +export TF_VAR_storage_name="sovereignty-nixos-storage" diff --git a/README.md b/README.md index 578826e..5ead83e 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ The basic `configuration.nix` file in the current snapshots looks just like this uid = 1000; isNormalUser = true; extraGroups = [ "wheel" ]; - password = "...password..."; + password = "...tmp password..."; openssh.authorizedKeys.keys = [ "...ssh public key..." ]; diff --git a/TODOs.org b/TODOs.org index 53eae48..0504aef 100644 --- a/TODOs.org +++ b/TODOs.org @@ -1,6 +1,15 @@ * Tasks - v4 -** TODO cgit: show README in about section -** TODO Update matterbridge version +** TODO "Migration": use =euandreh_nextcloud_= prefix to database table +** DONE cgit: show README in about section +CLOSED: [2020-09-06 dim. 08:59] +- State "DONE" from [2020-09-06 dim. 08:59] +** CANCELLED Update matterbridge version +CLOSED: [2020-09-06 dim. 08:59] +- State "CANCELLED" from [2020-09-06 dim. 08:59] \\ +I found matterbridge to be too simplistic for what it was proposing to do. The +puppeting bridges from Matrix are a much more robust solution, and I'll try that +instead later. + https://github.com/42wim/matterbridge/issues/1061 ** DONE Add Prosody DNS record to allow me to use eu@euandreh.xyz as an XMPP address CLOSED: [2020-08-23 dim. 18:40] 
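Review bot: The `#!/usr/bin/env bash` line at the top of the new `.envrc` is dead: the file is created mode 100644 and direnv sources it rather than executing it, so the shebang never runs and only suggests this is a standalone script. The `set -Eeuo pipefail` line deserves a why-comment, because with `-e` any non-zero status in a sourced `.envrc` presumably aborts direnv's evaluation of the whole file; something like `# -e: abort the direnv load on any failure rather than exporting a partial environment` makes the intent explicit. Also worth stating in the header comment that `TLD` doubles as the ssh host name used by `nixos-switch.sh`, since nothing here says so and the Terraform block reuses it as `TF_VAR_tld`.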
@@ -17,7 +26,9 @@ Or even better: switch to SQLite. *** TODO [#A] [[https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html][Nextcloud: Hardening and security guidance]] *** TODO [#A] [[https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/][NextCloud, a security analysis]] *** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]] -*** TODO Move secrets outside the Nix store +*** DONE Move secrets outside the Nix store +CLOSED: [2020-09-06 dim. 11:35] +- State "DONE" from [2020-09-06 dim. 11:35] *** TODO Properly configure PostgreSQL *** TODO Separate lighttpd user ownership from =$GIT_ROOT=? ** TODO Add volume 
@@ -113,6 +124,15 @@ Instead, explicitly call =ansible-playbook= after =terraform apply= finished run This way we test the DNS A record -> Floating IP -> Droplet IP path. We can't do that inside Terraform declaration because the =local-exec= provisioning command runs before the =digitalocean_floating_ip_assignment= is created, and we can't create a cyclic dependency between the two resources. We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution. +** On public SSH key leakage +As described in "[[https://rushter.com/blog/public-ssh-keys/][Public SSH keys can leak your private infrastructure]]", public +SSH keys can expose undesired infrastructure, specially for targeted attacks. + +I'm not considering this a threat, since the link between the server and me is +already public. It may be much more effective to just change the SSH port away +from the default: it doesn't accomplish the same thing, but it prevents simple +detections. It is still possible to find this out via a script, but is orders of +magnitute harder for the attacker. * Questions ** How to best handle IP changes when the server changes? How does this affect the email sending IP reputation? ** Enable 2FA for Nextcloud? diff --git a/base-image/5d05f383bcf61-snapshot-configuration.nix b/base-image/5d05f383bcf61-snapshot-configuration.nix new file mode 120000 index 0000000..c59f37b --- /dev/null +++ b/base-image/5d05f383bcf61-snapshot-configuration.nix @@ -0,0 +1 @@ +e1d5f317b0f7a-snapshot-configuration.nix \ No newline at end of file diff --git a/base-image/c565f318e4aea-snapshot-configuration.nix b/base-image/c565f318e4aea-snapshot-configuration.nix new file mode 120000 index 0000000..c59f37b --- /dev/null +++ b/base-image/c565f318e4aea-snapshot-configuration.nix @@ -0,0 +1 @@ +e1d5f317b0f7a-snapshot-configuration.nix \ No newline at end of file 
diff --git a/base-image/e1d5f317b0f7a-snapshot-configuration.nix b/base-image/e1d5f317b0f7a-snapshot-configuration.nix new file mode 100644 index 0000000..b80eab0 --- /dev/null +++ b/base-image/e1d5f317b0f7a-snapshot-configuration.nix 
@@ -0,0 +1,107 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only + + # networking.hostName = "nixos"; # Define your hostname. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.ens3.useDHCP = true; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + # i18n = { + # consoleFont = "Lat2-Terminus16"; + # consoleKeyMap = "us"; + # defaultLocale = "en_US.UTF-8"; + # }; + + # Set your time zone. + # time.timeZone = "Europe/Amsterdam"; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ vim ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. 
+ services.openssh.enable = true; + services.openssh.permitRootLogin = "no"; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + # sound.enable = true; + # hardware.pulseaudio.enable = true; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + # services.xserver.layout = "us"; + # services.xserver.xkbOptions = "eurosign:e"; + + # Enable touchpad support. + # services.xserver.libinput.enable = true; + + # Enable the KDE Desktop Environment. + # services.xserver.displayManager.sddm.enable = true; + # services.xserver.desktopManager.plasma5.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + # users.users.jane = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. 
+ # }; + + users.extraUsers.andreh = { + uid = 1000; + isNormalUser = true; + extraGroups = [ "wheel" ]; + password = + "...tmp password..."; # stored in secrets/base-image-old-password.txt + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDF+uy407LKZAFnfFkJPRiOBzwV98qIEcKhITnLYhqfITfrJvcFVOY0/YDCrs6WHXyLdM29AoywVWsQ1qXiB7xQCwknPV8YZoCnJQcn0gvH8jbCk+C8Po0Rx846wbhL49qYolnmlhe+Uoy30j7XIJSDtPVO9d/hZqt2GPwGVJ98HLyY2ak+j4i1YkHr+mPFgnCaqCAzA374d1Bop18+YENYtMMU0k8hCsomwZny/7qNo4V8mjLxQAS8FvTuljxlthEpOM4Jsjl07yDLgE69kLvU7mmFi8EeC26e50N18Ouse82dZigtVhAMeLBhbJnQbDff4WfUBzSjpKjZPGcxoRaej3qSRbIkcMMqCOSlww6GcjRi+COvlpA4c1i4hKI15wHceoiKghDLA6jbaHfOqEMldflYl5gCVUIYzJ5XehZppH6L7PzO+L4suNs+aFjWPDZ0jqEtcyTmgTMea40p7wwz086ExnBDorbG79oDiJrWc+swJjXuVakS+fQjb3mPsCC/FgUhsxEtqiVfvLo2mphp47pOYvs64aUp3RV9muqQNuS4tEuP9V1urGTLtgPL26LEjF0oLu1ag0H+VZY5O/T9KRYvWre8IWbj/KkZYo1tJaGJyEVr0plmyzLBEy8b3Hu/6Wtq7yB0Eii60fxqFWC24nEkvs1V0cxDa+o6I2iA9w== eu@euandre.org" + ]; + }; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "19.09"; # Did you read the comment? + +} diff --git a/envsubst-configuration.nix b/envsubst-configuration.nix new file mode 100644 index 0000000..e0fa592 --- /dev/null +++ b/envsubst-configuration.nix @@ -0,0 +1,13 @@ +{ }: { + TLD = "$TLD"; + dataRoot = "$DATA_ROOT"; + faviconsRoot = "$FAVICONS_ROOT"; + staticRoot = "$STATIC_ROOT"; + ciLogsRoot = "$CI_LOGS_ROOT"; + gitRoot = "$GIT_ROOT"; + systemStateVersion = "$SYSTEM_STATE_VERSION"; + userName = "$USER_NAME"; + nextcloudDatabaseUser = "$NEXTCLOUD_DATABASE_USER"; + secretsRoot = "$SECRETS_ROOT"; + prosodyEnable = "$PROSODY_ENABLE"; +} diff --git a/gen-hash.sh b/gen-hash.sh new file mode 100755 index 0000000..774f9f9 --- /dev/null +++ b/gen-hash.sh 
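Review bot: The base-image configuration sets a shared temporary `password` on `users.extraUsers.andreh` but leaves `services.openssh.passwordAuthentication` at its default, which in the 19.09 release line is, as far as I recall, `true`; until `nixos-switch.sh --bootstrap` swaps in `vps-configuration.nix` (which does disable it), the snapshot accepts that known password over SSH. Since the authorized key is already baked into the image, add `services.openssh.passwordAuthentication = false;` next to `services.openssh.permitRootLogin = "no";` so the bootstrap window only allows key auth; the temporary password is still usable for the bootstrap script's `sudo -S`, which feeds it on stdin only. The `# stored in secrets/base-image-old-password.txt` comment would also be clearer as `# temporary; replaced by user-hash.txt on first nixos-switch.sh --bootstrap`, so a reader knows the plaintext value is expected to be short-lived.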
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+mkpasswd -m sha-512 \
+ "$(cat ./secrets/user-password.txt)" \
+ "$(cat ./secrets/user-salt.txt)" \
+ | tr -d '\n' \
+ > ./secrets/passwords/user-hash.txt
diff --git a/nixos-switch.sh b/nixos-switch.sh
index dc7797d..e704437 100755
--- a/nixos-switch.sh
+++ b/nixos-switch.sh
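Review bot: The password is handed to `mkpasswd` as a command-line argument (`"$(cat ./secrets/user-password.txt)"`), which exposes it in the process listing to every other local user for the duration of the call and in the trace if the script is ever run under `bash -x`. mkpasswd can take it on stdin instead, and the salt is not secret so it can stay in argv: `mkpasswd -m sha-512 -s -S "$(cat ./secrets/user-salt.txt)" < ./secrets/user-password.txt`. A one-line header comment naming which file consumes `secrets/passwords/user-hash.txt` would also help, since nothing in the script says what the output is for.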
@@ -4,13 +4,33 @@ set -Eeuo pipefail cd "$(dirname "${BASH_SOURCE[0]}")" -envsubst < vps-configuration.env.nix | ssh "$TLD" 'cat > /etc/nixos/configuration.nix' +if [[ "${1:-}" = '--bootstrap' ]]; then + USER_PASSWORD="$(cat ./secrets/base-image-old-password.txt)" +else + USER_PASSWORD="$(cat ./secrets/user-password.txt)" +fi + +# Copy secrets +echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S "\ +sudo mkdir -p ${SECRETS_ROOT}; \ +sudo chown -R ${USER_NAME}:users ${SECRETS_ROOT}/; \ +sudo chmod 700 ${SECRETS_ROOT}/; \ +sudo touch /etc/nixos/envsubst-configuration.nix; \ +sudo chown -R ${USER_NAME}:users /etc/nixos/envsubst-configuration.nix;" +rsync -avzP secrets/passwords/ "${TLD}:${SECRETS_ROOT}/" +envsubst < envsubst-configuration.nix | ssh "$TLD" 'cat > /etc/nixos/envsubst-configuration.nix' +echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S "\ +sudo chown nextcloud:users ${SECRETS_ROOT}/nextcloud-admin.txt; \ +sudo chown nextcloud:users ${SECRETS_ROOT}/nextcloud-database.txt;" + +# Run nixos-rebuild +scp vps-configuration.nix "${TLD}:/etc/nixos/configuration.nix" echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S nix-channel --add "https://nixos.org/channels/nixos-${SYSTEM_STATE_VERSION}" nixos echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S -i nixos-rebuild switch --upgrade -ssh "${TLD}" rm -rf "${DATA_ROOT}/favicons/" -rsync -avzP favicons/ "${TLD}:${DATA_ROOT}/favicons/" - +# Copy support files +ssh "${TLD}" rm -rf "${FAVICONS_ROOT}/" +rsync -avzP favicons/ "${TLD}:${FAVICONS_ROOT}/" scp cgit-about.html "${TLD}:${GIT_ROOT}/about.html" scp ci-gen-index.sh "${TLD}:${CI_LOGS_ROOT}/ci-gen-index.sh" scp bash-profile.sh "${TLD}:.bash_profile" diff --git a/secrets/base-image-old-password.txt b/secrets/base-image-old-password.txt new file mode 100644 index 0000000..e8c8f00 Binary files /dev/null and b/secrets/base-image-old-password.txt differ 
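Review bot: In both `sudo -S "\ sudo mkdir …"` blocks only the first command of the string actually runs under the `sudo -S` that consumes the piped password — ssh hands the remote shell `sudo -S sudo mkdir -p …; sudo chown …; …`, so the later `sudo` calls succeed only thanks to the sudo timestamp cache, and a `;` chain reports just the last command's status to the local `set -e`. Run each sequence as one `sudo -S bash -c '…'` joined with `&&`, and feed the password with `printf '%s\n'` rather than `echo`, which mangles values starting with `-` or containing backslashes. `rsync -a` also copies the local file modes into `${SECRETS_ROOT}`, so add `--chmod=F600` to keep the password files owner-only regardless of how they are checked out locally. Note that `chmod 700 ${SECRETS_ROOT}/` with the directory owned by `${USER_NAME}` means the `nextcloud` user cannot traverse it to read the two files chowned to it — presumably the nextcloud setup service reads them as root, but confirm. Separately, `vps-configuration.nix` in this commit moves sshd to port 23841 while every `ssh`/`scp`/`rsync` here carries no port, so this only keeps working if `~/.ssh/config` supplies it; a comment saying so would save the next reader a lockout scare.
```shell
# Copy secrets (one sudo session; `&&` so a failure is reported to `set -e`)
printf '%s\n' "${USER_PASSWORD}" | ssh "$TLD" sudo -S bash -c "'\
mkdir -p ${SECRETS_ROOT} && \
chown -R ${USER_NAME}:users ${SECRETS_ROOT}/ && \
chmod 700 ${SECRETS_ROOT}/ && \
touch /etc/nixos/envsubst-configuration.nix && \
chown ${USER_NAME}:users /etc/nixos/envsubst-configuration.nix'"
rsync -avzP --chmod=F600 secrets/passwords/ "${TLD}:${SECRETS_ROOT}/"
# … unchanged: envsubst of envsubst-configuration.nix …
printf '%s\n' "${USER_PASSWORD}" | ssh "$TLD" sudo -S bash -c "'\
chown nextcloud:users ${SECRETS_ROOT}/nextcloud-admin.txt && \
chown nextcloud:users ${SECRETS_ROOT}/nextcloud-database.txt'"
```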
diff --git a/secrets/nix/5d05f383bcf61-snapshot-configuration.nix b/secrets/nix/5d05f383bcf61-snapshot-configuration.nix deleted file mode 120000 index c59f37b..0000000 --- a/secrets/nix/5d05f383bcf61-snapshot-configuration.nix +++ /dev/null @@ -1 +0,0 @@ -e1d5f317b0f7a-snapshot-configuration.nix \ No newline at end of file diff --git a/secrets/nix/c565f318e4aea-snapshot-configuration.nix b/secrets/nix/c565f318e4aea-snapshot-configuration.nix deleted file mode 120000 index c59f37b..0000000 --- a/secrets/nix/c565f318e4aea-snapshot-configuration.nix +++ /dev/null @@ -1 +0,0 @@ -e1d5f317b0f7a-snapshot-configuration.nix \ No newline at end of file diff --git a/secrets/nix/e1d5f317b0f7a-snapshot-configuration.nix b/secrets/nix/e1d5f317b0f7a-snapshot-configuration.nix deleted file mode 100644 index 8dcfe98..0000000 Binary files a/secrets/nix/e1d5f317b0f7a-snapshot-configuration.nix and /dev/null differ diff --git a/secrets/passwords/matrix-registration.txt b/secrets/passwords/matrix-registration.txt new file mode 100644 index 0000000..86c632e Binary files /dev/null and b/secrets/passwords/matrix-registration.txt differ diff --git a/secrets/passwords/nextcloud-admin.txt b/secrets/passwords/nextcloud-admin.txt new file mode 100644 index 0000000..0fd239d Binary files /dev/null and b/secrets/passwords/nextcloud-admin.txt differ diff --git a/secrets/passwords/nextcloud-database.txt b/secrets/passwords/nextcloud-database.txt new file mode 100644 index 0000000..084e356 Binary files /dev/null and b/secrets/passwords/nextcloud-database.txt differ diff --git a/secrets/passwords/user-hash.txt b/secrets/passwords/user-hash.txt new file mode 100644 index 0000000..e315081 Binary files /dev/null and b/secrets/passwords/user-hash.txt differ diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh deleted file mode 100644 index 87656dc..0000000 Binary files a/secrets/secret-envrc.sh and /dev/null differ 
diff --git a/secrets/terraform/plan-files/2020-09-06T11:35:40-03:00.tfplan b/secrets/terraform/plan-files/2020-09-06T11:35:40-03:00.tfplan new file mode 100644 index 0000000..7b45ac1 Binary files /dev/null and b/secrets/terraform/plan-files/2020-09-06T11:35:40-03:00.tfplan differ diff --git a/secrets/terraform/plan-files/2020-09-06T12:18:46-03:00.tfplan b/secrets/terraform/plan-files/2020-09-06T12:18:46-03:00.tfplan new file mode 100644 index 0000000..eeb2f97 Binary files /dev/null and b/secrets/terraform/plan-files/2020-09-06T12:18:46-03:00.tfplan differ diff --git a/secrets/terraform/plan-files/2020-09-06T12:21:46-03:00.tfplan b/secrets/terraform/plan-files/2020-09-06T12:21:46-03:00.tfplan new file mode 100644 index 0000000..a75b3ca Binary files /dev/null and b/secrets/terraform/plan-files/2020-09-06T12:21:46-03:00.tfplan differ diff --git a/secrets/terraform/plan-files/2020-09-06T14:41:36-03:00.tfplan b/secrets/terraform/plan-files/2020-09-06T14:41:36-03:00.tfplan new file mode 100644 index 0000000..2b56aea Binary files /dev/null and b/secrets/terraform/plan-files/2020-09-06T14:41:36-03:00.tfplan differ diff --git a/secrets/terraform/plan-files/2020-09-06T15:37:03-03:00.tfplan b/secrets/terraform/plan-files/2020-09-06T15:37:03-03:00.tfplan new file mode 100644 index 0000000..3a5f186 Binary files /dev/null and b/secrets/terraform/plan-files/2020-09-06T15:37:03-03:00.tfplan differ diff --git a/secrets/terraform/terraform.tfstate b/secrets/terraform/terraform.tfstate index d7179d0..cea16aa 100644 Binary files a/secrets/terraform/terraform.tfstate and b/secrets/terraform/terraform.tfstate differ diff --git a/secrets/terraform/terraform.tfstate.backup b/secrets/terraform/terraform.tfstate.backup index 306bed7..58a911b 100644 Binary files a/secrets/terraform/terraform.tfstate.backup and b/secrets/terraform/terraform.tfstate.backup differ 
diff --git a/secrets/terraform/vultr-api-key.txt b/secrets/terraform/vultr-api-key.txt new file mode 100644 index 0000000..557429a Binary files /dev/null and b/secrets/terraform/vultr-api-key.txt differ diff --git a/secrets/user-password.txt b/secrets/user-password.txt new file mode 100644 index 0000000..63555f9 Binary files /dev/null and b/secrets/user-password.txt differ diff --git a/secrets/user-salt.txt b/secrets/user-salt.txt new file mode 100644 index 0000000..60fb774 Binary files /dev/null and b/secrets/user-salt.txt differ diff --git a/terraform-apply.sh b/terraform-apply.sh index 8179b96..588e1bb 100755 --- a/terraform-apply.sh +++ b/terraform-apply.sh @@ -4,6 +4,9 @@ set -Eeuo pipefail cd "$(dirname "${BASH_SOURCE[0]}")" +TF_VAR_vultr_api_key="$(cat ./secrets/terraform/vultr-api-key.txt)" +export TF_VAR_vultr_api_key + rm -rf .terraform/ terraform init PLAN_FILE="./secrets/terraform/plan-files/$(date -Iseconds).tfplan" diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix deleted file mode 100644 index d5a7f54..0000000 --- a/vps-configuration.env.nix +++ /dev/null 
@@ -1,414 +0,0 @@ -{ config, pkgs, ... }: - -let - envsubstConfiguration = { - TLD = "$TLD"; - nextcloudTLD = "$NEXTCLOUD_TLD"; - gitTLD = "$GIT_TLD"; - prosodyTLD = "$PROSODY_TLD"; - bonecoTLD = "$BONECO_TLD"; - pdfsTLD = "$PDFS_TLD"; - ciLogsTLD = "$CI_LOGS_TLD"; - songbooksDocumentationTLD = "$SONGBOOKS_DOCUMENTATION_TLD"; - piresDocumentationTLD = "$PIRES_DOCUMENTATION_TLD"; - mediatorDocumentationTLD = "$MEDIATOR_DOCUMENTATION_TLD"; - cementDocumentationTLD = "$CEMENT_DOCUMENTATION_TLD"; - piresProdTLD = "$PIRES_PROD_TLD"; - piresProdPort = "$PIRES_PROD_PORT"; - piresProdDir = "$PIRES_PROD_DIR"; - letsencryptEmail = "$LETSENCRYPT_EMAIL"; - authorizedKey = "$AUTHORIZED_KEY"; - userPassword = "$USER_PASSWORD"; - userName = "$USER_NAME"; - dataRoot = "$DATA_ROOT"; - staticRoot = "$STATIC_ROOT"; - ciLogsRoot = "$CI_LOGS_ROOT"; - faviconsRoot = "$FAVICONS_ROOT"; - nextcloudDatabaseUser = "$NEXTCLOUD_DATABASE_USER"; - nextcloudDatabasePassword = "$NEXTCLOUD_DATABASE_PASSWORD"; - nextcloudAdminUser = "$NEXTCLOUD_ADMIN_USER"; - nextcloudAdminPassword = "$NEXTCLOUD_ADMIN_PASSWORD"; - nextcloudTablePrefix = "$NEXTCLOUD_TABLE_PREFIX"; - gitPort = "$GIT_PORT"; - gitRoot = "$GIT_ROOT"; - systemStateVersion = "$SYSTEM_STATE_VERSION"; - prosodyConverseTLD = "$PROSODY_CONVERSE_TLD"; - prosodyAdminUser = "$PROSODY_ADMIN_USER"; - prosodyMUCTLD = "$PROSODY_MUC_TLD"; - prosodyPort = "$PROSODY_PORT"; - prosodyHTTPPort = "$PROSODY_HTTP_PORT"; - prosodyEnable = $PROSODY_ENABLE; - }; - staticSiteFromRepo = repoName: - pkgs.stdenv.mkDerivation { - name = repoName; - src = fetchTarball - "https://git.sr.ht/~euandreh/${DOLLAR}{repoName}/archive/master.tar.gz"; - phases = "unpackPhase buildPhase"; - buildPhase = '' - mkdir ${DOLLAR}out - cp index.html ${DOLLAR}out - cp favicon.ico ${DOLLAR}out - ''; - }; - pkgsUnstable = import (builtins.fetchTarball { - url = "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz"; - }) { }; - piresProd = pkgs.writeShellScriptBin "run-pires.sh" 
'' - export FLASK_CONFIG=production - - export PIRES_PROD_DIR="$" - if [[ ! -d ${envsubstConfiguration.piresProdDir} ]]; then - ${pkgs.git}/bin/git clone https://gitlab.com/EuAndreh/pires.git ${envsubstConfiguration.piresProdDir} - fi - pushd ${envsubstConfiguration.piresProdDir} - ${pkgs.git}/bin/git pull - ${pkgsUnstable.poetry}/bin/poetry install --no-dev --extras "waitress" - ${pkgsUnstable.poetry}/bin/poetry run flask inicializar-banco - ${pkgsUnstable.poetry}/bin/poetry run waitress-serve --host localhost --port ${envsubstConfiguration.piresProdPort} --call pires:create_app - ''; -in { - nix = { - binaryCaches = [ "https://euandreh.cachix.org" ]; - binaryCachePublicKeys = - [ "euandreh.cachix.org-1:ms8eOKJJtb20GJDPCf8Nvob8YI0oF8dREAMdx3XF/90=" ]; - }; - - imports = [ ./hardware-configuration.nix ]; - - boot.loader.grub = { - enable = true; - version = 2; - device = "/dev/vda"; - }; - - networking = { - useDHCP = false; - interfaces.ens3.useDHCP = true; - }; - - environment.systemPackages = with pkgs; [ - vim - git - gitAndTools.git-annex - gotop - ]; - - networking.firewall.allowedTCPPorts = [ - # SSH: OpenSSH - 22 - - # HTTP and HTPPS: NGINX - 80 - 443 - ] ++ (if prosodyEnable then - [ - # XMPP: Prosody - # https://prosody.im/doc/ports - 5000 - 5222 - 5269 - 5280 - 5281 - 5347 - 5582 - ] else []); - - security.acme = { - acceptTerms = true; - email = envsubstConfiguration.letsencryptEmail; - }; - - services = { - openssh = { - enable = true; - permitRootLogin = "no"; - passwordAuthentication = false; - }; - - nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts = { - "${envsubstConfiguration.nextcloudTLD}" = { - forceSSL = true; - enableACME = true; - }; - "${envsubstConfiguration.gitTLD}" = { - forceSSL = true; - enableACME = true; - extraConfig = '' - location = /favicon.ico { - alias 
${envsubstConfiguration.dataRoot}/favicons/git.ico; - } - location / { - proxy_pass http://localhost:${envsubstConfiguration.gitPort}; - } - ''; - }; - "${envsubstConfiguration.bonecoTLD}" = { - forceSSL = true; - enableACME = true; - root = staticSiteFromRepo "boneco"; - }; - "${envsubstConfiguration.pdfsTLD}" = { - forceSSL = true; - enableACME = true; - root = staticSiteFromRepo "pdfs-da-d-maria"; - }; - "${envsubstConfiguration.ciLogsTLD}" = { - forceSSL = true; - enableACME = true; - root = "${envsubstConfiguration.ciLogsRoot}"; - }; - "${envsubstConfiguration.mediatorDocumentationTLD}" = { - forceSSL = true; - enableACME = true; - extraConfig = '' - location = / { - return 301 master/; - } - root ${envsubstConfiguration.staticRoot}/mediator/; - ''; - }; - "${envsubstConfiguration.cementDocumentationTLD}" = { - forceSSL = true; - enableACME = true; - extraConfig = '' - location = / { - return 301 master/; - } - root ${envsubstConfiguration.staticRoot}/cement/; - ''; - }; - "${envsubstConfiguration.songbooksDocumentationTLD}" = { - forceSSL = true; - enableACME = true; - extraConfig = '' - location = / { - return 301 en/master/; - } - root ${envsubstConfiguration.staticRoot}/songbooks/; - ''; - }; - "${envsubstConfiguration.piresDocumentationTLD}" = { - forceSSL = true; - enableACME = true; - root = "${envsubstConfiguration.staticRoot}/pires/"; - }; - "${envsubstConfiguration.piresProdTLD}" = { - forceSSL = true; - enableACME = true; - locations = { - "/" = { - proxyPass = - "http://localhost:${envsubstConfiguration.piresProdPort}/"; - }; - }; - }; - # Generate and maintain TLS certificate with NGINX - # to be used by Prosody - "${envsubstConfiguration.prosodyTLD}" = { - forceSSL = true; - enableACME = true; - }; - "${envsubstConfiguration.prosodyConverseTLD}" = { - forceSSL = true; - enableACME = true; - extraConfig = '' - location = /favicon.ico { - alias ${envsubstConfiguration.dataRoot}/favicons/conversejs.ico; - } - location = / { - return 301 conversejs; 
- } - location / { - proxy_pass http://localhost:${envsubstConfiguration.prosodyHTTPPort}/; - } - ''; - }; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ "nextcloud" ]; - package = pkgs.postgresql_11; - ensureUsers = [{ - name = "nextcloud"; - ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; - }]; - }; - - nextcloud = { - enable = true; - package = pkgs.nextcloud19; - nginx.enable = true; - hostName = envsubstConfiguration.nextcloudTLD; - https = true; - maxUploadSize = "4G"; - autoUpdateApps.enable = true; - config = { - overwriteProtocol = "https"; - dbtype = "pgsql"; - dbhost = "/run/postgresql"; - dbuser = envsubstConfiguration.nextcloudDatabaseUser; - dbpass = envsubstConfiguration.nextcloudDatabasePassword; - dbtableprefix = envsubstConfiguration.nextcloudTablePrefix; - adminuser = envsubstConfiguration.nextcloudAdminUser; - adminpass = envsubstConfiguration.nextcloudAdminPassword; - }; - }; - - prosody = let - XMPP = { - fullchainPEM = - "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem"; - keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem"; - }; - ConverseJS = { - fullchainPEM = - "/var/lib/acme/${envsubstConfiguration.prosodyConverseTLD}/fullchain.pem"; - keyPEM = - "/var/lib/acme/${envsubstConfiguration.prosodyConverseTLD}/key.pem"; - }; - in { - enable = prosodyEnable; - admins = [ envsubstConfiguration.prosodyAdminUser ]; - allowRegistration = false; - modules = { websocket = true; }; - package = pkgs.prosody.override { - withCommunityModules = [ "http_upload" "conversejs" "bookmarks" ]; - }; - extraModules = [ "http_upload" "conversejs" "bookmarks" ]; - virtualHosts = { - "${envsubstConfiguration.prosodyTLD}" = { - enabled = true; - domain = "${envsubstConfiguration.prosodyTLD}"; - ssl = { - cert = XMPP.fullchainPEM; - key = XMPP.keyPEM; - }; - }; - "${envsubstConfiguration.prosodyConverseTLD}" = { - enabled = true; - domain = "${envsubstConfiguration.prosodyConverseTLD}"; - ssl = { - cert 
= ConverseJS.fullchainPEM; - key = ConverseJS.keyPEM; - }; - }; - }; - }; - - lighttpd = { - enable = true; - port = pkgs.lib.toInt envsubstConfiguration.gitPort; - cgit = { - enable = true; - subdir = ""; - configText = '' - enable-blame=1 - enable-commit-graph=1 - enable-follow-links=1 - enable-index-owner=0 - enable-log-filecount=1 - enable-log-linecount=1 - root-desc=public repositories - root-readme=${envsubstConfiguration.gitRoot}/about.html - readme=:README.md - readme=:README - readme=:README.rst - readme=:README.org - max-repodesc-length=120 - remove-suffix=1 - root-title=EuAndreh's git repositories - snapshots=tar.gz zip - source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py - about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh - scan-path=${envsubstConfiguration.gitRoot} - ''; - }; - }; - - logrotate = { - enable = - false; # disabled due to extraConfig not being yet out of unstable - # extraConfig = '' - # compress - - # ${envsubstConfiguration.ciLogsRoot}/*/*.log { - # rotate 5 - # daily - # olddir ${envsubstConfiguration.staticRoot}/logrorate/ - # createolddir 744 andreh users - # su andreh users - # } - # ''; - }; - }; - - systemd.services = { - "nextcloud-setup" = { - requires = [ "postgresql.service" ]; - after = [ "postgresql.service" ]; - }; - "data-folder-init" = { - enable = true; - description = "Setup data folders and permissions"; - wantedBy = [ "multi-user.target" ]; - script = pkgs.lib.fold (p: acc: - acc + '' - mkdir -p ${DOLLAR}{p} - chown -R andreh:users ${DOLLAR}{p} - chmod -R 755 ${DOLLAR}{p} - '') "" (with envsubstConfiguration; [ - staticRoot - gitRoot - faviconsRoot - ciLogsRoot - dataRoot - ]); - serviceConfig = { Type = "oneshot"; }; - }; - "poor-mans-logrotate" = { - enable = true; - description = "Delete old CI log files"; - wantedBy = [ "multi-user.target" ]; - script = '' - pushd ${envsubstConfiguration.ciLogsRoot} - find . -type f -name '*.log' -mtime 1 -delete - find . 
-type d -empty -delete - ${pkgs.bash}/bin/bash ci-gen-index.sh - ''; - serviceConfig = { Type = "oneshot"; }; - }; - "pires-prod" = { - enable = true; - # Unit - description = "Service for pires server deployment"; - after = [ "network.target" ]; - # Service - serviceConfig = { - User = "${envsubstConfiguration.userName}"; - ExecStart = "${DOLLAR}{piresProd}/bin/run-pires.sh"; - Restart = "always"; - }; - # Install - wantedBy = [ "multi-user.target" ]; - }; - }; - - users.extraUsers."${envsubstConfiguration.userName}" = { - uid = 1000; - isNormalUser = true; - extraGroups = [ "wheel" ]; - password = envsubstConfiguration.userPassword; - openssh.authorizedKeys.keys = [ envsubstConfiguration.authorizedKey ]; - }; - - system.stateVersion = envsubstConfiguration.systemStateVersion; -} diff --git a/vps-configuration.nix b/vps-configuration.nix new file mode 100644 index 0000000..06d0e29 --- /dev/null +++ b/vps-configuration.nix 
@@ -0,0 +1,410 @@ +{ config, pkgs, ... }: + +let + envsubstConfiguration = + pkgs.callPackage /etc/nixos/envsubst-configuration.nix { }; + config = rec { + letsencryptEmail = + "eu@euandre.org"; # this should change when adding email to the box + authorizedKey = + "ssh-rsa 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 eu@euandre.org"; + TLD = envsubstConfiguration.TLD; + nextcloudDomain = "cloud.${TLD}"; + gitDomain = "git.${TLD}"; + prosodyDomain = "${TLD}"; + bonecoDomain = "boneco.${TLD}"; + pdfsDomain = "pdfs-da-d-maria.${TLD}"; + ciLogsDomain = "ci.${TLD}"; + songbooksDocumentationDomain = "songbooks.${TLD}"; + piresDocumentationDomain = "pires.${TLD}"; + mediatorDocumentationDomain = "mediator.${TLD}"; + cementDocumentationDomain = "cement.${TLD}"; + piresProdDomain = "pires-prod.${TLD}"; + piresProdPort = "1234"; + piresProdDir = "/home/andreh/pires-git/"; + nextcloudDatabaseUser = "nextcloud"; + nextcloudAdminUser = envsubstConfiguration.userName; + nextcloudTablePrefix = "euandreh_"; + gitPort = "81"; + prosodyConverseDomain = "chat.${TLD}"; + prosodyAdminUser = "eu@${TLD}"; + prosodyMUCDomain = "conference.${TLD}"; + prosodyPort = "5222"; + prosodyHTTPPort = "5280"; + prosodyEnable = envsubstConfiguration.prosodyEnable == "true"; + openSSHPort = 23841; + }; + staticSiteFromRepo = repoName: + pkgs.stdenv.mkDerivation { + name = repoName; + src = fetchTarball + "https://git.sr.ht/~euandreh/${repoName}/archive/master.tar.gz"; + phases = "unpackPhase buildPhase"; + buildPhase = '' + mkdir $out + cp index.html $out + cp favicon.ico $out + ''; + }; + pkgsUnstable = import (builtins.fetchTarball { + url = "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz"; + }) { }; + piresProd = pkgs.writeShellScriptBin "run-pires.sh" '' + export FLASK_CONFIG=production + + export PIRES_PROD_DIR="$" + if [[ ! 
-d ${config.piresProdDir} ]]; then + ${pkgs.git}/bin/git clone https://gitlab.com/EuAndreh/pires.git ${config.piresProdDir} + fi + pushd ${config.piresProdDir} + ${pkgs.git}/bin/git pull + ${pkgsUnstable.poetry}/bin/poetry install --no-dev --extras "waitress" + ${pkgsUnstable.poetry}/bin/poetry run flask inicializar-banco + ${pkgsUnstable.poetry}/bin/poetry run waitress-serve --host localhost --port ${config.piresProdPort} --call pires:create_app + ''; +in { + nix = { + binaryCaches = [ "https://euandreh.cachix.org" ]; + binaryCachePublicKeys = + [ "euandreh.cachix.org-1:ms8eOKJJtb20GJDPCf8Nvob8YI0oF8dREAMdx3XF/90=" ]; + }; + + imports = [ ./hardware-configuration.nix ]; + + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/vda"; + }; + + networking = { + useDHCP = false; + interfaces.ens3.useDHCP = true; + }; + + environment.systemPackages = with pkgs; [ + vim + git + gitAndTools.git-annex + gotop + ]; + + networking.firewall.allowedTCPPorts = [ + config.openSSHPort + + # HTTP and HTPPS: NGINX + 80 + 443 + ] ++ (if config.prosodyEnable then [ + # XMPP: Prosody + # https://prosody.im/doc/ports + 5000 + 5222 + 5269 + 5280 + 5281 + 5347 + 5582 + ] else + [ ]); + + security.acme = { + acceptTerms = true; + email = config.letsencryptEmail; + }; + + services = { + openssh = { + enable = true; + permitRootLogin = "no"; + passwordAuthentication = false; + ports = [ config.openSSHPort ]; + }; + + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { + "${config.nextcloudDomain}" = { + forceSSL = true; + enableACME = true; + }; + "${config.gitDomain}" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + location = /favicon.ico { + alias ${envsubstConfiguration.dataRoot}/favicons/git.ico; + } + location / { + proxy_pass http://localhost:${config.gitPort}; + } + ''; + }; + "${config.bonecoDomain}" = { + forceSSL = 
true; + enableACME = true; + root = staticSiteFromRepo "boneco"; + }; + "${config.pdfsDomain}" = { + forceSSL = true; + enableACME = true; + root = staticSiteFromRepo "pdfs-da-d-maria"; + }; + "${config.ciLogsDomain}" = { + forceSSL = true; + enableACME = true; + root = "${envsubstConfiguration.ciLogsRoot}"; + }; + "${config.mediatorDocumentationDomain}" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + location = / { + return 301 master/; + } + root ${envsubstConfiguration.staticRoot}/mediator/; + ''; + }; + "${config.cementDocumentationDomain}" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + location = / { + return 301 master/; + } + root ${envsubstConfiguration.staticRoot}/cement/; + ''; + }; + "${config.songbooksDocumentationDomain}" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + location = / { + return 301 en/master/; + } + root ${envsubstConfiguration.staticRoot}/songbooks/; + ''; + }; + "${config.piresDocumentationDomain}" = { + forceSSL = true; + enableACME = true; + root = "${envsubstConfiguration.staticRoot}/pires/"; + }; + "${config.piresProdDomain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { proxyPass = "http://localhost:${config.piresProdPort}/"; }; + }; + }; + # Generate and maintain TLS certificate with NGINX + # to be used by Prosody + "${config.prosodyDomain}" = { + forceSSL = true; + enableACME = true; + }; + "${config.prosodyConverseDomain}" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + location = /favicon.ico { + alias ${envsubstConfiguration.dataRoot}/favicons/conversejs.ico; + } + location = / { + return 301 conversejs; + } + location / { + proxy_pass http://localhost:${config.prosodyHTTPPort}/; + } + ''; + }; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ "nextcloud" ]; + package = pkgs.postgresql_11; + ensureUsers = [{ + name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + }]; + }; + + nextcloud = 
{ + enable = true; + package = pkgs.nextcloud19; + nginx.enable = true; + hostName = config.nextcloudDomain; + https = true; + maxUploadSize = "4G"; + autoUpdateApps.enable = true; + config = { + overwriteProtocol = "https"; + dbtype = "pgsql"; + dbhost = "/run/postgresql"; + dbuser = envsubstConfiguration.nextcloudDatabaseUser; + dbpassFile = + "${envsubstConfiguration.secretsRoot}/nextcloud-database.txt"; + dbtableprefix = config.nextcloudTablePrefix; + adminuser = config.nextcloudAdminUser; + adminpassFile = + "${envsubstConfiguration.secretsRoot}/nextcloud-admin.txt"; + }; + }; + + prosody = let + XMPP = { + fullchainPEM = "/var/lib/acme/${config.prosodyDomain}/fullchain.pem"; + keyPEM = "/var/lib/acme/${config.prosodyDomain}/key.pem"; + }; + ConverseJS = { + fullchainPEM = + "/var/lib/acme/${config.prosodyConverseDomain}/fullchain.pem"; + keyPEM = "/var/lib/acme/${config.prosodyConverseDomain}/key.pem"; + }; + in { + enable = config.prosodyEnable; + admins = [ config.prosodyAdminUser ]; + allowRegistration = false; + modules = { websocket = true; }; + package = pkgs.prosody.override { + withCommunityModules = [ "http_upload" "conversejs" "bookmarks" ]; + }; + extraModules = [ "http_upload" "conversejs" "bookmarks" ]; + virtualHosts = { + "${config.prosodyDomain}" = { + enabled = true; + domain = "${config.prosodyDomain}"; + ssl = { + cert = XMPP.fullchainPEM; + key = XMPP.keyPEM; + }; + }; + "${config.prosodyConverseDomain}" = { + enabled = true; + domain = "${config.prosodyConverseDomain}"; + ssl = { + cert = ConverseJS.fullchainPEM; + key = ConverseJS.keyPEM; + }; + }; + }; + }; + + lighttpd = { + enable = true; + port = pkgs.lib.toInt config.gitPort; + cgit = { + enable = true; + subdir = ""; + configText = '' + enable-blame=1 + enable-commit-graph=1 + enable-follow-links=1 + enable-index-owner=0 + enable-log-filecount=1 + enable-log-linecount=1 + root-desc=public repositories + root-readme=${envsubstConfiguration.gitRoot}/about.html + readme=:README.md + 
readme=:README + readme=:README.rst + readme=:README.org + max-repodesc-length=120 + remove-suffix=1 + root-title=EuAndreh's git repositories + snapshots=tar.gz zip + source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py + about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh + scan-path=${envsubstConfiguration.gitRoot} + ''; + }; + }; + + logrotate = { + enable = + false; # disabled due to extraConfig not being yet out of unstable + # extraConfig = '' + # compress + + # ${config.ciLogsRoot}/*/*.log { + # rotate 5 + # daily + # olddir ${config.staticRoot}/logrorate/ + # createolddir 744 andreh users + # su andreh users + # } + # ''; + }; + }; + + systemd.services = { + "nextcloud-setup" = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + "data-folder-init" = { + enable = true; + description = "Setup data folders and permissions"; + wantedBy = [ "multi-user.target" ]; + script = pkgs.lib.fold (p: acc: + acc + '' + mkdir -p ${p} + chown -R andreh:users ${p} + chmod -R 755 ${p} + '') "" (with envsubstConfiguration; [ + staticRoot + gitRoot + faviconsRoot + ciLogsRoot + dataRoot + ]); + serviceConfig = { Type = "oneshot"; }; + }; + "poor-mans-logrotate" = { + enable = true; + description = "Delete old CI log files"; + wantedBy = [ "multi-user.target" ]; + script = '' + pushd ${envsubstConfiguration.ciLogsRoot} + find . -type f -name '*.log' -mtime 1 -delete + find . 
-type d -empty -delete + ${pkgs.bash}/bin/bash ci-gen-index.sh + ''; + serviceConfig = { Type = "oneshot"; }; + }; + "pires-prod" = { + enable = true; + # Unit + description = "Service for pires server deployment"; + after = [ "network.target" ]; + # Service + serviceConfig = { + User = "${envsubstConfiguration.userName}"; + ExecStart = "${piresProd}/bin/run-pires.sh"; + Restart = "always"; + }; + # Install + wantedBy = [ "multi-user.target" ]; + }; + }; + + users = { + mutableUsers = false; + extraUsers."${envsubstConfiguration.userName}" = { + uid = 1000; + isNormalUser = true; + extraGroups = [ "wheel" ]; + hashedPassword = + builtins.readFile "${envsubstConfiguration.secretsRoot}/user-hash.txt"; + openssh.authorizedKeys.keys = [ config.authorizedKey ]; + }; + }; + + system.stateVersion = envsubstConfiguration.systemStateVersion; +} -- cgit v1.2.3
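Review bot: `hashedPassword = builtins.readFile "${envsubstConfiguration.secretsRoot}/user-hash.txt"` reads the secret at evaluation time, so as far as I can tell the hash lands in the world-readable Nix store as part of the generated user spec, which undoes the point of splitting secrets out of the config; the file-based option (`passwordFile = "${envsubstConfiguration.secretsRoot}/user-hash.txt";` on the NixOS of this era) keeps it on disk only, the way `dbpassFile` and `adminpassFile` already do for Nextcloud. If `readFile` is kept anyway, note that it preserves a trailing newline, so a hash file ending in `\n` yields an unusable hash — `pkgs.lib.fileContents` strips it. Separately, `poor-mans-logrotate` runs as root (no `User` in its `serviceConfig`) and executes `ci-gen-index.sh` out of `ciLogsRoot`, a directory that `data-folder-init` chowns to `andreh:users` with mode 755, so anyone able to write CI logs there can run code as root on the next activation; run that unit as `envsubstConfiguration.userName` or execute a store-pinned copy of the script instead. Also `find . -type f -name '*.log' -mtime 1 -delete` matches only files modified between 24 and 48 hours ago, whereas the unit's description ("Delete old CI log files") implies `-mtime +1`. Finally, `staticSiteFromRepo` and `pkgsUnstable` pull `master.tar.gz` and `nixos-unstable.tar.gz` via hash-less `fetchTarball`, so the system closure depends on whatever those URLs serve at rebuild time rather than on a pinned revision.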