changes

2022-07-30 01:25:12 +08:00 · 2022-07-30 01:25:12 +08:00 · 5e538217fd
parent 6f28880d89
commit 5e538217fd
15 changed files with 175 additions and 13 deletions
--- a/README.org
+++ b/README.org
@ -22,7 +22,6 @@ Additionally I've found a handy [[https://ayats.org/blog/deploy-rs-example/][blo
 remarkably convenient. They were even kind enough to link to a [[https://github.com/viperML/deploy-rs-example][repo]] which I've
 shamelessly used as a starting point.

-
 Unfortunately, Hetnezer doesn't offer a NixOS image, but they do allow you to
 mount a NixOS install volume (22.05 as of writing) to your server after creating
 it. After doing so, starting the VM we can get it set up simply with:
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,23 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1652712410,
+        "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -72,6 +90,22 @@
      }
    },
    "nixpkgs": {
+      "locked": {
+        "lastModified": 1638587357,
+        "narHash": "sha256-2ySMW3QARG8BsRPmwe7clTbdCuaObromOKewykP+UJc=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "e34c5379866833f41e2a36f309912fa675d687c7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-21.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
      "locked": {
        "lastModified": 1658985539,
        "narHash": "sha256-aRVZGndeuUct3S3T6vqOO64D9qY1F7qNTljd0zuwzak=",
@ -89,9 +123,10 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "deploy-rs": "deploy-rs",
        "flake-utils-plus": "flake-utils-plus",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
      }
    },
    "utils": {
--- a/flake.nix
+++ b/flake.nix
@ -4,36 +4,39 @@
  inputs = {
    nixpkgs.url = github:NixOS/nixpkgs/nixos-22.05;
    flake-utils-plus.url = github:gytis-ivaskevicius/flake-utils-plus;
+    agenix.url = "github:ryantm/agenix";
    deploy-rs = {
      url = github:serokell/deploy-rs;
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

-  outputs = inputs@{ self, nixpkgs, flake-utils-plus, ... }:
+  outputs = inputs@{ self, nixpkgs, flake-utils-plus, agenix, ... }:
    let
-      nixosModules = flake-utils-plus.lib.exportModules (
-        nixpkgs.lib.mapAttrsToList (name: value: ./nixosModules/${name}) (builtins.readDir ./nixosModules)
+      modules = flake-utils-plus.lib.exportModules (
+        nixpkgs.lib.mapAttrsToList (name: value: ./modules/${name}) (builtins.readDir ./modules)
      );
    in
    flake-utils-plus.lib.mkFlake {
-      inherit self inputs nixosModules;
+      inherit self inputs modules;

      hosts = {
-        golgi.modules = with nixosModules; [
+        golgi.modules = with modules; [
          common
          admin
          hardware-hetzner
-          # docker
+          agenix.nixosModule
+          caddy
+          gitea
        ];
      };

      deploy.nodes = {
        my-node = {
-          hostname = "5.161.98.27";
+          hostname = "tecosaur.net";
          fastConnection = false;
          profiles = {
-            my-profile = {
+            system = {
              sshUser = "admin";
              path =
                inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.golgi;
@ -44,7 +47,7 @@
      };

      outputsBuilder = (channels: {
-        devShell = channels.nixpkgs.mkShell {
+        devShells.default = channels.nixpkgs.mkShell {
          name = "my-deploy-shell";
          buildInputs = with channels.nixpkgs; [
            nixUnstable
--- a/install.sh
+++ b/install.sh
@ -47,5 +47,5 @@ mount -o "$BTRFS_OPTS,subvol=@boot" "${TARGET}2" "${MNT}"/boot
 findmnt -R --target "${MNT}"

 # .#golgi is our hostname defined by our flake
-nix-shell -p nixUnstable -p git --run "nixos-install --root ${MNT} --flake .#golgi"
+nix-shell -p nixUnstable -p git --run "nixos-install --root ${MNT} --flake .#pre-golgi"
 umount -R /mnt
--- a/nixosModules/admin.nix
+++ b/nixosModules/admin.nix
@ -6,7 +6,7 @@
    initialPassword = "1234";
    isNormalUser = true;
    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt  tec@tranquillity" ];
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity" ];
  };
  security.sudo.wheelNeedsPassword = false;
  nix.trustedUsers = [ "@wheel" ]; # https://github.com/serokell/deploy-rs/issues/25
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@ -0,0 +1,17 @@
+{ ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+  # If I end up wanting to add plugins, see:
+  # https://mdleom.com/blog/2021/12/27/caddy-plugins-nixos/
+  services.caddy = {
+    enable = true;
+    virtualHosts."tecosaur.net".extraConfig = ''
+respond "Hello, world!"
+  '';
+    virtualHosts."git.tecosaur.net".extraConfig = ''
+reverse_proxy localhost:3000
+  '';
+  };
+}
--- a/nixosModules/common.nix
+++ b/nixosModules/common.nix
--- a/nixosModules/docker.nix
+++ b/nixosModules/docker.nix
--- a/modules/gitea/default.nix
+++ b/modules/gitea/default.nix
@ -0,0 +1,61 @@
+{ config, pkgs, ... }:
+
+{
+  age.secrets.postgress = {
+    owner = "gitea";
+    group = "users";
+    file = ../../secrets/postgress.age;
+  };
+
+  age.secrets.fastmail = {
+    owner = "gitea";
+    group = "users";
+    file = ../../secrets/fastmail.age;
+  };
+
+  services.gitea = {
+    enable = true;
+    user = "gitea";
+    domain = "git.tecosaur.net";
+    rootUrl = "https://git.tecosaur.net";
+    httpAddress = "0.0.0.0";
+    httpPort = 3000;
+    appName = "Gitea";
+    database = {
+      type = "postgres";
+      passwordFile = config.age.secrets.postgress.path;
+    };
+    disableRegistration = true;
+    lfs.enable = true;
+    mailerPasswordFile = config.age.secrets.fastmail.path;
+    settings = {
+      mailer = {
+        # Update when https://github.com/go-gitea/gitea/pull/18982 is merged.
+        ENABLED = true;
+        MAILER_TYPE = "smtp";
+        FROM = "gitea@tecosaur.net";
+        USER = "tec@tecosaur.net";
+        HOST = "smtp.fastmail.com:587";
+        IS_TLS_ENABLED = false;
+      };
+      service = {
+        REGISTER_EMAIL_CONFIRM = true;
+      };
+    };
+  };
+
+  # users.users.gitea.uid = 997;
+  # users.enforceIdUniqueness = false;
+  # users.users.git = {
+  #   uid = config.users.users.gitea.uid;
+  #   home = config.services.gitea.stateDir;
+  #   useDefaultShell = true;
+  #   group = "gitea";
+  #   isSystemUser = true;
+  # };
+
+  systemd.tmpfiles.rules = [
+    "L+ ${config.services.gitea.stateDir}/custom/templates/home.tmpl - - - - ${./template-home.tmpl}"
+    "L+ ${config.services.gitea.stateDir}/custom/public/img/tree-gitea-themed.svg - - - - ${./tree-gitea-themed.svg}"
+  ];
+}
--- a/modules/gitea/template-home.tmpl
+++ b/modules/gitea/template-home.tmpl
@ -0,0 +1,17 @@
+{{template "base/head" .}}
+<div class="page-content home">
+  <div class="ui stackable middle very relaxed page grid">
+    <div class="sixteen wide center aligned centered column">
+      <div>
+        <img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/tree-gitea-themed.svg"/>
+      </div>
+      <div class="hero">
+        <h1 class="ui icon header title">
+          The personal forge of <a href="/tec" style="color: var(--color-primary);">TEC</a>
+        </h1>
+        <h2>Thanks to Gitea, a painless, self-hosted Git service.</h2>
+      </div>
+    </div>
+  </div>
+</div>
+{{template "base/footer" .}}
--- a/modules/gitea/tree-gitea-themed.svg
+++ b/modules/gitea/tree-gitea-themed.svg
--- a/nixosModules/hardware-hetzner.nix
+++ b/nixosModules/hardware-hetzner.nix
--- a/secrets/fastmail.age
+++ b/secrets/fastmail.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 eobz4w FcmiT3apVrf7KhLsq3c9vhHnE0/I63k0woqEdXIiwy0
+5zZHjjaKV05N1Hb2sHnBi/tRumXcSvWA3Dl0+/ub+O8
+-> ssh-ed25519 kfYPBA UylrZ1En/h1zN7m9v9F/tcrlktiJcBgXOBjWxHfHS3w
+u9nJyvFY7BfHuxvrKC/mQU45V5emvHnnfknWseO1lzA
+-> ~-grease \2mTF >GC6'u*^ _8lvH
+yHPvYv5ocSkEzkegwrexK8D0q++kZ3nh5ccYmCLxcNb26QDPrJ6dquRrNN/QBQXr
+/tZp48mDJodmGw1DS0DUwoItfYC3FQ7q7kwHk9KWUjwE6U0R5VS9eLnSJBGR
+--- JWoLagyTrCavi7haqY1twoZO+roMG2dgVhbL+xpIFnU
+J½xC³[Ëo0CA;pMÊMEr%s s¹1Íí•€Z¬%ç¸ÍT<æ[î )Rä§
--- a/secrets/postgress.age
+++ b/secrets/postgress.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 eobz4w hrfcGZbIKusO/5PLsHao1qo2YpZPoEhDENtQ8l3cvQA
+KWTPJIgBlJ/95vXaE3qb6hJvezyPSo9ZvWD0YPx7oH0
+-> ssh-ed25519 kfYPBA Vx2UvfdjG0pwCroN/gu+ks9arQ6L5NVeuonV6YiPdHQ
+Kk2mxOPTjrtgowUZx/Wh4wR87aDHmv63lN+vlvixLE0
+-> SRp-grease G6+2
+aT1udmbGn0pxAGwokyHwNVen/Lwg6fnyqPIj0YCLNDkHRCyA1r/NvDoHNhpLpA0Q
+wgNPL3C4km4H/VsH6niFmMXmFdwBlDNxvDu93ovFo6FOBgr/0lEEL2XY
+--- 30HSItfbyb1AsTeXEReilESTUTUN+QSMNuC9s4wAqOs
+—‡ÜÌ;f]ƒ€–lï´Ã‰r³‡Né¡FÐ"¥çÕ*+RóŒ¶<C592>)áŠR¶¾„F
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,9 @@
+let
+  base = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity";
+  golgi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEmWE6y+gkNdOdgooahbgalxguyoPos7dKCAeVzokm/ root@golgi";
+  systems = [ base golgi ];
+in
+{
+  "postgress.age".publicKeys = systems;
+  "fastmail.age".publicKeys = systems;
+}