diff --git a/README.org b/README.org
index aca7e1b..f7807c9 100644
--- a/README.org
+++ b/README.org
@@ -22,7 +22,6 @@ Additionally I've found a handy [[https://ayats.org/blog/deploy-rs-example/][blo
 remarkably convenient. They were even kind enough to link to a [[https://github.com/viperML/deploy-rs-example][repo]] which I've shamelessly used as a starting point. - Unfortunately, Hetnezer doesn't offer a NixOS image, but they do allow you to mount a NixOS install volume (22.05 as of writing) to your server after creating it. After doing so, starting the VM we can get it set up simply with:
diff --git a/flake.lock b/flake.lock
index 42b3322..f29e80e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,23 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1652712410,
+ "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "deploy-rs": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -72,6 +90,22 @@
 }
 },
 "nixpkgs": {
+ "locked": {
+ "lastModified": 1638587357,
+ "narHash": "sha256-2ySMW3QARG8BsRPmwe7clTbdCuaObromOKewykP+UJc=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "e34c5379866833f41e2a36f309912fa675d687c7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-21.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
 "locked": {
 "lastModified": 1658985539,
 "narHash": "sha256-aRVZGndeuUct3S3T6vqOO64D9qY1F7qNTljd0zuwzak=",
@@ -89,9 +123,10 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "deploy-rs": "deploy-rs",
 "flake-utils-plus": "flake-utils-plus",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs_2"
 }
 },
 "utils": {
diff --git a/flake.nix b/flake.nix
index bfec544..9b1ee16 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,36 +4,39 @@
 inputs = {
 nixpkgs.url = github:NixOS/nixpkgs/nixos-22.05;
 flake-utils-plus.url = github:gytis-ivaskevicius/flake-utils-plus;
+ agenix.url = "github:ryantm/agenix";
 deploy-rs = {
 url = github:serokell/deploy-rs;
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
- outputs = inputs@{ self, nixpkgs, flake-utils-plus, ... }:
+ outputs = inputs@{ self, nixpkgs, flake-utils-plus, agenix, ... }:
 let
- nixosModules = flake-utils-plus.lib.exportModules (
- nixpkgs.lib.mapAttrsToList (name: value: ./nixosModules/${name}) (builtins.readDir ./nixosModules)
+ modules = flake-utils-plus.lib.exportModules (
+ nixpkgs.lib.mapAttrsToList (name: value: ./modules/${name}) (builtins.readDir ./modules)
 );
 in
 flake-utils-plus.lib.mkFlake {
- inherit self inputs nixosModules;
+ inherit self inputs modules;
 hosts = {
- golgi.modules = with nixosModules; [
+ golgi.modules = with modules; [
 common
 admin
 hardware-hetzner
- # docker
+ agenix.nixosModule
+ caddy
+ gitea
 ];
 };
 deploy.nodes = {
 my-node = {
- hostname = "5.161.98.27";
+ hostname = "tecosaur.net";
 fastConnection = false;
 profiles = {
- my-profile = {
+ system = {
 sshUser = "admin";
 path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.golgi;
@@ -44,7 +47,7 @@
 };
 outputsBuilder = (channels: {
- devShell = channels.nixpkgs.mkShell {
+ devShells.default = channels.nixpkgs.mkShell {
 name = "my-deploy-shell";
 buildInputs = with channels.nixpkgs; [
 nixUnstable
diff --git a/install.sh b/install.sh
index a270417..c1dab88 100755
--- a/install.sh
+++ b/install.sh
@@ -47,5 +47,5 @@ mount -o "$BTRFS_OPTS,subvol=@boot" "${TARGET}2" "${MNT}"/boot
 findmnt -R --target "${MNT}"
 # .#golgi is our hostname defined by our flake
-nix-shell -p nixUnstable -p git --run "nixos-install --root ${MNT} --flake .#golgi"
+nix-shell -p nixUnstable -p git --run "nixos-install --root ${MNT} --flake .#pre-golgi"
 umount -R /mnt
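Review bot: The new `agenix.url` input has no `inputs.nixpkgs.follows = "nixpkgs";`, unlike the `deploy-rs` block a few lines below it, so agenix brings its own nixpkgs pin; the flake.lock hunk in this same commit shows the result, with `root` now pointing at `nixpkgs_2` and a second `nixpkgs` node on `nixos-21.11` referenced only by agenix. That leaves two nixpkgs revisions to track and patch instead of one; whether agenix's module builds anything from its own pin I can't tell from here, but the extra pin is in the lockfile either way. Suggest `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };` and re-locking so the lock collapses back to a single nixpkgs node.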
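Review bot: The comment directly above the changed command still reads `.#golgi is our hostname defined by our flake`, but the install now targets `.#pre-golgi`, and no `pre-golgi` host appears in the flake.nix hunks of this commit (only `golgi` is declared under `hosts`). If `pre-golgi` is defined somewhere outside this diff, the comment should say what it is and why the first install uses it instead of the full `golgi` configuration; if it is not, `nixos-install` will presumably fail on a missing flake output. Suggest replacing the stale line with `# .#pre-golgi is the bootstrap configuration; the full .#golgi profile is applied afterwards with deploy-rs`.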
diff --git a/nixosModules/admin.nix b/modules/admin.nix
similarity index 82%
rename from nixosModules/admin.nix
rename to modules/admin.nix
index 7f730b7..59e5e97 100644
--- a/nixosModules/admin.nix
+++ b/modules/admin.nix
@@ -6,7 +6,7 @@
 initialPassword = "1234";
 isNormalUser = true;
 extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity" ];
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity" ];
 };
 security.sudo.wheelNeedsPassword = false;
 nix.trustedUsers = [ "@wheel" ]; # https://github.com/serokell/deploy-rs/issues/25
diff --git a/modules/caddy.nix b/modules/caddy.nix
new file mode 100644
index 0000000..63a35fa
--- /dev/null
+++ b/modules/caddy.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+ # If I end up wanting to add plugins, see:
+ # https://mdleom.com/blog/2021/12/27/caddy-plugins-nixos/
+ services.caddy = {
+ enable = true;
+ virtualHosts."tecosaur.net".extraConfig = ''
+respond "Hello, world!"
+ '';
+ virtualHosts."git.tecosaur.net".extraConfig = ''
+reverse_proxy localhost:3000
+ '';
+ };
+}
diff --git a/nixosModules/common.nix b/modules/common.nix
similarity index 100%
rename from nixosModules/common.nix
rename to modules/common.nix
diff --git a/nixosModules/docker.nix b/modules/docker.nix
similarity index 100%
rename from nixosModules/docker.nix
rename to modules/docker.nix
diff --git a/modules/gitea/default.nix b/modules/gitea/default.nix
new file mode 100644
index 0000000..7982a38
--- /dev/null
+++ b/modules/gitea/default.nix
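Review bot: Port 22 is opened in `networking.firewall.allowedTCPPorts = [ 22 80 443 ];` inside the Caddy module, although nothing in this file serves SSH; the SSH firewall rule belongs with the SSH/admin configuration so that disabling or removing Caddy does not silently lock deploy-rs out of the host. In NixOS `services.openssh.openFirewall` defaults to true, so if sshd is enabled in common.nix (not visible here) the 22 entry is most likely already redundant. Suggest `networking.firewall.allowedTCPPorts = [ 80 443 ];` here. Also, `reverse_proxy localhost:3000` talks plain HTTP to Gitea, which is fine on loopback but only if Gitea itself binds to loopback, worth confirming in the gitea module.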
@@ -0,0 +1,61 @@
+{ config, pkgs, ... }:
+
+{
+ age.secrets.postgress = {
+ owner = "gitea";
+ group = "users";
+ file = ../../secrets/postgress.age;
+ };
+
+ age.secrets.fastmail = {
+ owner = "gitea";
+ group = "users";
+ file = ../../secrets/fastmail.age;
+ };
+
+ services.gitea = {
+ enable = true;
+ user = "gitea";
+ domain = "git.tecosaur.net";
+ rootUrl = "https://git.tecosaur.net";
+ httpAddress = "0.0.0.0";
+ httpPort = 3000;
+ appName = "Gitea";
+ database = {
+ type = "postgres";
+ passwordFile = config.age.secrets.postgress.path;
+ };
+ disableRegistration = true;
+ lfs.enable = true;
+ mailerPasswordFile = config.age.secrets.fastmail.path;
+ settings = {
+ mailer = {
+ # Update when https://github.com/go-gitea/gitea/pull/18982 is merged.
+ ENABLED = true;
+ MAILER_TYPE = "smtp";
+ FROM = "gitea@tecosaur.net";
+ USER = "tec@tecosaur.net";
+ HOST = "smtp.fastmail.com:587";
+ IS_TLS_ENABLED = false;
+ };
+ service = {
+ REGISTER_EMAIL_CONFIRM = true;
+ };
+ };
+ };
+
+ # users.users.gitea.uid = 997;
+ # users.enforceIdUniqueness = false;
+ # users.users.git = {
+ # uid = config.users.users.gitea.uid;
+ # home = config.services.gitea.stateDir;
+ # useDefaultShell = true;
+ # group = "gitea";
+ # isSystemUser = true;
+ # };
+
+ systemd.tmpfiles.rules = [
+ "L+ ${config.services.gitea.stateDir}/custom/templates/home.tmpl - - - - ${./template-home.tmpl}"
+ "L+ ${config.services.gitea.stateDir}/custom/public/img/tree-gitea-themed.svg - - - - ${./tree-gitea-themed.svg}"
+ ];
+}
diff --git a/modules/gitea/template-home.tmpl b/modules/gitea/template-home.tmpl
new file mode 100644
index 0000000..750bb73
--- /dev/null
+++ b/modules/gitea/template-home.tmpl
@@ -0,0 +1,17 @@
+{{template "base/head" .}}
+
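Review bot: `httpAddress = "0.0.0.0";` binds Gitea on every interface, while Caddy in this same commit proxies to `localhost:3000`; nothing here needs the listener outside loopback, so anyone who can reach port 3000 (the host firewall is the only thing in the way) gets a plain-HTTP path around the TLS termination. Suggest `httpAddress = "127.0.0.1";`. Separately, both `age.secrets.*` entries set `group = "users";`; if agenix's default `0400` mode applies the group gets no read access, but naming the whole `users` group is a wider grant than the single `gitea` service needs, so `group = "gitea";` keeps it minimal should the mode ever be relaxed. The commented-out `users.users.git` block is dead configuration; either finish it or drop it, with a one-line comment recording why the `git` alias user was set aside.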