changes
This commit is contained in:
parent
6f28880d89
commit
5e538217fd
|
@ -22,7 +22,6 @@ Additionally I've found a handy [[https://ayats.org/blog/deploy-rs-example/][blo
|
||||||
remarkably convenient. They were even kind enough to link to a [[https://github.com/viperML/deploy-rs-example][repo]] which I've
|
remarkably convenient. They were even kind enough to link to a [[https://github.com/viperML/deploy-rs-example][repo]] which I've
|
||||||
shamelessly used as a starting point.
|
shamelessly used as a starting point.
|
||||||
|
|
||||||
|
|
||||||
Unfortunately, Hetnezer doesn't offer a NixOS image, but they do allow you to
|
Unfortunately, Hetnezer doesn't offer a NixOS image, but they do allow you to
|
||||||
mount a NixOS install volume (22.05 as of writing) to your server after creating
|
mount a NixOS install volume (22.05 as of writing) to your server after creating
|
||||||
it. After doing so, starting the VM we can get it set up simply with:
|
it. After doing so, starting the VM we can get it set up simply with:
|
||||||
|
|
37
flake.lock
37
flake.lock
|
@ -1,5 +1,23 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"agenix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1652712410,
|
||||||
|
"narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"deploy-rs": {
|
"deploy-rs": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
|
@ -72,6 +90,22 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1638587357,
|
||||||
|
"narHash": "sha256-2ySMW3QARG8BsRPmwe7clTbdCuaObromOKewykP+UJc=",
|
||||||
|
"owner": "nixos",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "e34c5379866833f41e2a36f309912fa675d687c7",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nixos",
|
||||||
|
"ref": "nixos-21.11",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1658985539,
|
"lastModified": 1658985539,
|
||||||
"narHash": "sha256-aRVZGndeuUct3S3T6vqOO64D9qY1F7qNTljd0zuwzak=",
|
"narHash": "sha256-aRVZGndeuUct3S3T6vqOO64D9qY1F7qNTljd0zuwzak=",
|
||||||
|
@ -89,9 +123,10 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"agenix": "agenix",
|
||||||
"deploy-rs": "deploy-rs",
|
"deploy-rs": "deploy-rs",
|
||||||
"flake-utils-plus": "flake-utils-plus",
|
"flake-utils-plus": "flake-utils-plus",
|
||||||
"nixpkgs": "nixpkgs"
|
"nixpkgs": "nixpkgs_2"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"utils": {
|
"utils": {
|
||||||
|
|
21
flake.nix
21
flake.nix
|
@ -4,36 +4,39 @@
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = github:NixOS/nixpkgs/nixos-22.05;
|
nixpkgs.url = github:NixOS/nixpkgs/nixos-22.05;
|
||||||
flake-utils-plus.url = github:gytis-ivaskevicius/flake-utils-plus;
|
flake-utils-plus.url = github:gytis-ivaskevicius/flake-utils-plus;
|
||||||
|
agenix.url = "github:ryantm/agenix";
|
||||||
deploy-rs = {
|
deploy-rs = {
|
||||||
url = github:serokell/deploy-rs;
|
url = github:serokell/deploy-rs;
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs@{ self, nixpkgs, flake-utils-plus, ... }:
|
outputs = inputs@{ self, nixpkgs, flake-utils-plus, agenix, ... }:
|
||||||
let
|
let
|
||||||
nixosModules = flake-utils-plus.lib.exportModules (
|
modules = flake-utils-plus.lib.exportModules (
|
||||||
nixpkgs.lib.mapAttrsToList (name: value: ./nixosModules/${name}) (builtins.readDir ./nixosModules)
|
nixpkgs.lib.mapAttrsToList (name: value: ./modules/${name}) (builtins.readDir ./modules)
|
||||||
);
|
);
|
||||||
in
|
in
|
||||||
flake-utils-plus.lib.mkFlake {
|
flake-utils-plus.lib.mkFlake {
|
||||||
inherit self inputs nixosModules;
|
inherit self inputs modules;
|
||||||
|
|
||||||
hosts = {
|
hosts = {
|
||||||
golgi.modules = with nixosModules; [
|
golgi.modules = with modules; [
|
||||||
common
|
common
|
||||||
admin
|
admin
|
||||||
hardware-hetzner
|
hardware-hetzner
|
||||||
# docker
|
agenix.nixosModule
|
||||||
|
caddy
|
||||||
|
gitea
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
deploy.nodes = {
|
deploy.nodes = {
|
||||||
my-node = {
|
my-node = {
|
||||||
hostname = "5.161.98.27";
|
hostname = "tecosaur.net";
|
||||||
fastConnection = false;
|
fastConnection = false;
|
||||||
profiles = {
|
profiles = {
|
||||||
my-profile = {
|
system = {
|
||||||
sshUser = "admin";
|
sshUser = "admin";
|
||||||
path =
|
path =
|
||||||
inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.golgi;
|
inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.golgi;
|
||||||
|
@ -44,7 +47,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
outputsBuilder = (channels: {
|
outputsBuilder = (channels: {
|
||||||
devShell = channels.nixpkgs.mkShell {
|
devShells.default = channels.nixpkgs.mkShell {
|
||||||
name = "my-deploy-shell";
|
name = "my-deploy-shell";
|
||||||
buildInputs = with channels.nixpkgs; [
|
buildInputs = with channels.nixpkgs; [
|
||||||
nixUnstable
|
nixUnstable
|
||||||
|
|
|
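Review bot: The new `agenix.url = "github:ryantm/agenix";` input does not pin its nixpkgs to the flake's own, unlike the `deploy-rs` block just below it that sets `inputs.nixpkgs.follows = "nixpkgs"`; the flake.lock hunk in this commit shows the result, a second `nixpkgs` entry on `nixos-21.11` with the root input renamed to `nixpkgs_2`. Declaring it as `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps a single nixpkgs in the closure and evaluates the agenix module against the same package set as the host. The profile rename to `system` and the switch from the IP literal to `hostname = "tecosaur.net";` look fine; note that deploy-rs now resolves the target through DNS at deploy time, so the SSH host-key check for `admin@tecosaur.net` is what guards against deploying to the wrong machine.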
@ -47,5 +47,5 @@ mount -o "$BTRFS_OPTS,subvol=@boot" "${TARGET}2" "${MNT}"/boot
|
||||||
findmnt -R --target "${MNT}"
|
findmnt -R --target "${MNT}"
|
||||||
|
|
||||||
# .#golgi is our hostname defined by our flake
|
# .#golgi is our hostname defined by our flake
|
||||||
nix-shell -p nixUnstable -p git --run "nixos-install --root ${MNT} --flake .#golgi"
|
nix-shell -p nixUnstable -p git --run "nixos-install --root ${MNT} --flake .#pre-golgi"
|
||||||
umount -R /mnt
|
umount -R /mnt
|
||||||
|
|
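Review bot: The install line now targets `.#pre-golgi`, but the flake.nix hunk in this commit only defines `golgi` under `hosts` and nothing else on the page defines a `pre-golgi` configuration, so unless it exists outside the shown hunks `nixos-install` will fail to find that attribute. Separately, the following `umount -R /mnt` uses a literal path while the rest of the script goes through `${MNT}`; `umount -R "${MNT}"` keeps the two consistent if the mount point is ever changed. The script's earlier partition and mount steps are outside this hunk.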
|
@ -6,7 +6,7 @@
|
||||||
initialPassword = "1234";
|
initialPassword = "1234";
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = [ "wheel" ];
|
||||||
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity" ];
|
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity" ];
|
||||||
};
|
};
|
||||||
security.sudo.wheelNeedsPassword = false;
|
security.sudo.wheelNeedsPassword = false;
|
||||||
nix.trustedUsers = [ "@wheel" ]; # https://github.com/serokell/deploy-rs/issues/25
|
nix.trustedUsers = [ "@wheel" ]; # https://github.com/serokell/deploy-rs/issues/25
|
|
@ -0,0 +1,17 @@
|
||||||
|
{ ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
|
||||||
|
|
||||||
|
# If I end up wanting to add plugins, see:
|
||||||
|
# https://mdleom.com/blog/2021/12/27/caddy-plugins-nixos/
|
||||||
|
services.caddy = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts."tecosaur.net".extraConfig = ''
|
||||||
|
respond "Hello, world!"
|
||||||
|
'';
|
||||||
|
virtualHosts."git.tecosaur.net".extraConfig = ''
|
||||||
|
reverse_proxy localhost:3000
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
|
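Review bot: `networking.firewall.allowedTCPPorts = [ 22 80 443 ];` opens SSH from the Caddy module, which ties SSH exposure to whether this web module happens to be imported. Assuming `services.openssh.enable` is set elsewhere (deploy-rs relies on it), the openssh module already opens port 22 through `services.openssh.openFirewall`, which defaults to true, so `[ 80 443 ]` here is enough and keeps each module's firewall rules local to the service it configures. A short comment such as `# 80/443 for Caddy; port 22 is opened by the openssh module` would make that intent explicit for the next reader.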
@ -0,0 +1,61 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
age.secrets.postgress = {
|
||||||
|
owner = "gitea";
|
||||||
|
group = "users";
|
||||||
|
file = ../../secrets/postgress.age;
|
||||||
|
};
|
||||||
|
|
||||||
|
age.secrets.fastmail = {
|
||||||
|
owner = "gitea";
|
||||||
|
group = "users";
|
||||||
|
file = ../../secrets/fastmail.age;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.gitea = {
|
||||||
|
enable = true;
|
||||||
|
user = "gitea";
|
||||||
|
domain = "git.tecosaur.net";
|
||||||
|
rootUrl = "https://git.tecosaur.net";
|
||||||
|
httpAddress = "0.0.0.0";
|
||||||
|
httpPort = 3000;
|
||||||
|
appName = "Gitea";
|
||||||
|
database = {
|
||||||
|
type = "postgres";
|
||||||
|
passwordFile = config.age.secrets.postgress.path;
|
||||||
|
};
|
||||||
|
disableRegistration = true;
|
||||||
|
lfs.enable = true;
|
||||||
|
mailerPasswordFile = config.age.secrets.fastmail.path;
|
||||||
|
settings = {
|
||||||
|
mailer = {
|
||||||
|
# Update when https://github.com/go-gitea/gitea/pull/18982 is merged.
|
||||||
|
ENABLED = true;
|
||||||
|
MAILER_TYPE = "smtp";
|
||||||
|
FROM = "gitea@tecosaur.net";
|
||||||
|
USER = "tec@tecosaur.net";
|
||||||
|
HOST = "smtp.fastmail.com:587";
|
||||||
|
IS_TLS_ENABLED = false;
|
||||||
|
};
|
||||||
|
service = {
|
||||||
|
REGISTER_EMAIL_CONFIRM = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# users.users.gitea.uid = 997;
|
||||||
|
# users.enforceIdUniqueness = false;
|
||||||
|
# users.users.git = {
|
||||||
|
# uid = config.users.users.gitea.uid;
|
||||||
|
# home = config.services.gitea.stateDir;
|
||||||
|
# useDefaultShell = true;
|
||||||
|
# group = "gitea";
|
||||||
|
# isSystemUser = true;
|
||||||
|
# };
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"L+ ${config.services.gitea.stateDir}/custom/templates/home.tmpl - - - - ${./template-home.tmpl}"
|
||||||
|
"L+ ${config.services.gitea.stateDir}/custom/public/img/tree-gitea-themed.svg - - - - ${./tree-gitea-themed.svg}"
|
||||||
|
];
|
||||||
|
}
|
|
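Review bot: `httpAddress = "0.0.0.0";` binds Gitea's plain-HTTP listener on every interface even though the Caddy module in this commit only proxies to `localhost:3000`; the only thing keeping port 3000 off the network is the firewall list, so `httpAddress = "127.0.0.1";` would make the reverse-proxy-only exposure explicit rather than dependent on another module's rules. `IS_TLS_ENABLED = false;` combined with `HOST = "smtp.fastmail.com:587";` presumably relies on STARTTLS being negotiated on the submission port instead of implicit TLS, which is worth confirming against the Gitea version in use and recording next to the comment that already references the mailer PR. The commented-out `users.users.git` block is dead configuration; if it is a deferred change, a single `# TODO` line stating why it is deferred reads better than eight commented lines.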
@ -0,0 +1,17 @@
|
||||||
|
{{template "base/head" .}}
|
||||||
|
<div class="page-content home">
|
||||||
|
<div class="ui stackable middle very relaxed page grid">
|
||||||
|
<div class="sixteen wide center aligned centered column">
|
||||||
|
<div>
|
||||||
|
<img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/tree-gitea-themed.svg"/>
|
||||||
|
</div>
|
||||||
|
<div class="hero">
|
||||||
|
<h1 class="ui icon header title">
|
||||||
|
The personal forge of <a href="/tec" style="color: var(--color-primary);">TEC</a>
|
||||||
|
</h1>
|
||||||
|
<h2>Thanks to Gitea, a painless, self-hosted Git service.</h2>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
{{template "base/footer" .}}
|
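Review bot: The logo `<img>` has no `alt` attribute, so assistive technology announces nothing useful for it; since the heading below carries the meaning, an empty alt is the conventional fix: `<img class="logo" width="220" height="220" alt="" src="{{AssetUrlPrefix}}/img/tree-gitea-themed.svg"/>`. The rest of the template appears to follow the structure of Gitea's stock home page and reads fine.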
|
@ -0,0 +1,10 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 eobz4w FcmiT3apVrf7KhLsq3c9vhHnE0/I63k0woqEdXIiwy0
|
||||||
|
5zZHjjaKV05N1Hb2sHnBi/tRumXcSvWA3Dl0+/ub+O8
|
||||||
|
-> ssh-ed25519 kfYPBA UylrZ1En/h1zN7m9v9F/tcrlktiJcBgXOBjWxHfHS3w
|
||||||
|
u9nJyvFY7BfHuxvrKC/mQU45V5emvHnnfknWseO1lzA
|
||||||
|
-> ~-grease \2mTF >GC6'u*^ _8lvH
|
||||||
|
yHPvYv5ocSkEzkegwrexK8D0q++kZ3nh5ccYmCLxcNb26QDPrJ6dquRrNN/QBQXr
|
||||||
|
/tZp48mDJodmGw1DS0DUwoItfYC3FQ7q7kwHk9KWUjwE6U0R5VS9eLnSJBGR
|
||||||
|
--- JWoLagyTrCavi7haqY1twoZO+roMG2dgVhbL+xpIFnU
|
||||||
|
J½xC³[Ëo0CA;pMÊMEr%s s¹1Íí•€Z¬%ç¸ÍT<æ[î )Rä§
|
|
@ -0,0 +1,10 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 eobz4w hrfcGZbIKusO/5PLsHao1qo2YpZPoEhDENtQ8l3cvQA
|
||||||
|
KWTPJIgBlJ/95vXaE3qb6hJvezyPSo9ZvWD0YPx7oH0
|
||||||
|
-> ssh-ed25519 kfYPBA Vx2UvfdjG0pwCroN/gu+ks9arQ6L5NVeuonV6YiPdHQ
|
||||||
|
Kk2mxOPTjrtgowUZx/Wh4wR87aDHmv63lN+vlvixLE0
|
||||||
|
-> SRp-grease G6+2
|
||||||
|
aT1udmbGn0pxAGwokyHwNVen/Lwg6fnyqPIj0YCLNDkHRCyA1r/NvDoHNhpLpA0Q
|
||||||
|
wgNPL3C4km4H/VsH6niFmMXmFdwBlDNxvDu93ovFo6FOBgr/0lEEL2XY
|
||||||
|
--- 30HSItfbyb1AsTeXEReilESTUTUN+QSMNuC9s4wAqOs
|
||||||
|
—‡ÜÌ;f]ƒ€–lï´Ã‰r³‡Né¡FÐ"¥çÕ*+RóŒ¶<C592>)áŠR¶¾„F
|
|
@ -0,0 +1,9 @@
|
||||||
|
let
|
||||||
|
base = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity";
|
||||||
|
golgi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEmWE6y+gkNdOdgooahbgalxguyoPos7dKCAeVzokm/ root@golgi";
|
||||||
|
systems = [ base golgi ];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"postgress.age".publicKeys = systems;
|
||||||
|
"fastmail.age".publicKeys = systems;
|
||||||
|
}
|
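Review bot: The recipient list is named `systems`, but `base` is the user key `tec@tranquillity` (the same key the admin module authorizes for SSH) rather than a host key, so a name like `recipients` describes the list more accurately. A comment on the `golgi` line noting that it is presumably the host's own SSH ed25519 key (`root@golgi`), and that both secrets must be re-keyed with `agenix -r` if that host key ever changes (for example after a reinstall), would save the next reader a lookup.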