surtr: etebase

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-11-10 09:15:50 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-11-10 09:15:50 +0100
commit: 7e97353075b4acee96488d022e456f80f4f903ed (patch)
tree: 570260991c2ecf972b885b45ea4acd76dde0dbd9 /hosts/surtr/etebase/default.nix
parent: 9d616c8d297db37cc929b711e63f249c3cbe44a5 (diff)
download: nixos-7e97353075b4acee96488d022e456f80f4f903ed.tar
nixos-7e97353075b4acee96488d022e456f80f4f903ed.tar.gz
nixos-7e97353075b4acee96488d022e456f80f4f903ed.tar.bz2
nixos-7e97353075b4acee96488d022e456f80f4f903ed.tar.xz
nixos-7e97353075b4acee96488d022e456f80f4f903ed.zip
1 files changed, 128 insertions, 0 deletions
diff --git a/hosts/surtr/etebase/default.nix b/hosts/surtr/etebase/default.nix
new file mode 100644
index 00000000..3c71bed0
--- /dev/null
+++ b/hosts/surtr/etebase/default.nix
@@ -0,0 +1,128 @@
+{ config, pkgs, ... }:
+{
+  config = {
+    services.etebase-server = {
+      enable = true;
+      port = null;
+      unixSocket = "/run/etebase-server/etebase-server.sock";
+      user = "etebase";
+      settings = {
+        allowed_hosts.allowed_host1 = "etesync.yggdrasil.li";
+        global.secret_file = config.sops.secrets."etebase-server-secret.txt".path;
+        database = {
+          engine = "django.db.backends.postgresql";
+          name = "etebase";
+          user = "etebase";
+        };
+      };
+    };
+    systemd.services.etebase-server = {
+      serviceConfig = {
+        RuntimeDirectory = "etebase-server";
+      };
+    };
+    sops.secrets."etebase-server-secret.txt" = {
+      format = "binary";
+      sopsFile = ./secret.txt;
+      owner = config.services.etebase-server.user;
+      group = config.services.etebase-server.user;
+      restartUnits = ["etebase-server.service"];
+    };
+    security.acme.domains = {
+      "etesync.yggdrasil.li".certCfg = {
+        postRun = ''
+          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+        '';
+      };
+      "app.etesync.yggdrasil.li".certCfg = {
+        postRun = ''
+          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+        '';
+      };
+    };
+    services.nginx = {
+      upstreams."etebase" = {
+        servers = {
+          "unix://${config.services.etebase-server.unixSocket}" = {};
+        };
+      };
+      virtualHosts = {
+        "etesync.yggdrasil.li" = {
+          forceSSL = true;
+          sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.chain.pem";
+          extraConfig = ''
+            client_max_body_size 100M;
+            charset utf-8;
+          '';
+          locations = {
+            "/static/" = {
+              alias = "${config.services.etebase-server.settings.global.static_root}/";
+            };
+            "= /".return = "301 https://app.etesync.yggdrasil.li";
+            "/".extraConfig = ''
+              proxy_pass http://etebase;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+              proxy_redirect off;
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Host $server_name;
+            '';
+          };
+        };
+        "app.etesync.yggdrasil.li" = {
+          forceSSL = true;
+          sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.chain.pem";
+          locations."/".alias = "${pkgs.etesync-web}/";
+        };
+      };
+    };
+    systemd.services.nginx = {
+      serviceConfig = {
+        ReadPaths = [
+          config.services.etebase-server.settings.global.static_root
+          pkgs.etesync-web
+        ];
+        LoadCredential = [
+          "etesync.yggdrasil.li.key.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/key.pem"
+          "etesync.yggdrasil.li.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/fullchain.pem"
+          "etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/chain.pem"
+          "app.etesync.yggdrasil.li.key.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/key.pem"
+          "app.etesync.yggdrasil.li.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/fullchain.pem"
+          "app.etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/chain.pem"
+        ];
+      };
+    };
+    users = {
+      users.${config.services.etebase-server.user} = {
+        isSystemUser = true;
+        group = config.services.etebase-server.user;
+        home = config.services.etebase-server.dataDir;
+      };
+      groups.${config.services.etebase-server.user} = {
+        members = [ "nginx" ];
+      };
+    };
+  };
+}
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-11-10 09:15:50 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-11-10 09:15:50 +0100
commit	7e97353075b4acee96488d022e456f80f4f903ed (patch)
tree	570260991c2ecf972b885b45ea4acd76dde0dbd9 /hosts/surtr/etebase/default.nix
parent	9d616c8d297db37cc929b711e63f249c3cbe44a5 (diff)
download	nixos-7e97353075b4acee96488d022e456f80f4f903ed.tar nixos-7e97353075b4acee96488d022e456f80f4f903ed.tar.gz nixos-7e97353075b4acee96488d022e456f80f4f903ed.tar.bz2 nixos-7e97353075b4acee96488d022e456f80f4f903ed.tar.xz nixos-7e97353075b4acee96488d022e456f80f4f903ed.zip

diff --git a/hosts/surtr/etebase/default.nix b/hosts/surtr/etebase/default.nix new file mode 100644 index 00000000..3c71bed0 --- /dev/null +++ b/hosts/surtr/etebase/default.nix
@@ -0,0 +1,128 @@
	1	{ config, pkgs, ... }:
	2
	3	{
	4	config = {
	5	services.etebase-server = {
	6	enable = true;
	7	port = null;
	8	unixSocket = "/run/etebase-server/etebase-server.sock";
	9	user = "etebase";
	10	settings = {
	11	allowed_hosts.allowed_host1 = "etesync.yggdrasil.li";
	12	global.secret_file = config.sops.secrets."etebase-server-secret.txt".path;
	13	database = {
	14	engine = "django.db.backends.postgresql";
	15	name = "etebase";
	16	user = "etebase";
	17	};
	18	};
	19	};
	20
	21	systemd.services.etebase-server = {
	22	serviceConfig = {
	23	RuntimeDirectory = "etebase-server";
	24	};
	25	};
	26
	27	sops.secrets."etebase-server-secret.txt" = {
	28	format = "binary";
	29	sopsFile = ./secret.txt;
	30	owner = config.services.etebase-server.user;
	31	group = config.services.etebase-server.user;
	32	restartUnits = ["etebase-server.service"];
	33	};
	34
	35	security.acme.domains = {
	36	"etesync.yggdrasil.li".certCfg = {
	37	postRun = ''
	38	${pkgs.systemd}/bin/systemctl try-restart nginx.service
	39	'';
	40	};
	41	"app.etesync.yggdrasil.li".certCfg = {
	42	postRun = ''
	43	${pkgs.systemd}/bin/systemctl try-restart nginx.service
	44	'';
	45	};
	46	};
	47
	48	services.nginx = {
	49	upstreams."etebase" = {
	50	servers = {
	51	"unix://${config.services.etebase-server.unixSocket}" = {};
	52	};
	53	};
	54
	55	virtualHosts = {
	56	"etesync.yggdrasil.li" = {
	57	forceSSL = true;
	58	sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
	59	sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
	60	sslTrustedCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.chain.pem";
	61	extraConfig = ''
	62	client_max_body_size 100M;
	63	charset utf-8;
	64	'';
	65
	66	locations = {
	67	"/static/" = {
	68	alias = "${config.services.etebase-server.settings.global.static_root}/";
	69	};
	70	"= /".return = "301 https://app.etesync.yggdrasil.li";
	71	"/".extraConfig = ''
	72	proxy_pass http://etebase;
	73
	74	proxy_http_version 1.1;
	75	proxy_set_header Upgrade $http_upgrade;
	76	proxy_set_header Connection "upgrade";
	77
	78	proxy_redirect off;
	79	proxy_set_header Host $host;
	80	proxy_set_header X-Real-IP $remote_addr;
	81	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	82	proxy_set_header X-Forwarded-Host $server_name;
	83	'';
	84	};
	85	};
	86
	87	"app.etesync.yggdrasil.li" = {
	88	forceSSL = true;
	89	sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
	90	sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
	91	sslTrustedCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.chain.pem";
	92
	93	locations."/".alias = "${pkgs.etesync-web}/";
	94	};
	95	};
	96	};
	97
	98	systemd.services.nginx = {
	99	serviceConfig = {
	100	ReadPaths = [
	101	config.services.etebase-server.settings.global.static_root
	102	pkgs.etesync-web
	103	];
	104	LoadCredential = [
	105	"etesync.yggdrasil.li.key.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/key.pem"
	106	"etesync.yggdrasil.li.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/fullchain.pem"
	107	"etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/chain.pem"
	108
	109	"app.etesync.yggdrasil.li.key.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/key.pem"
	110	"app.etesync.yggdrasil.li.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/fullchain.pem"
	111	"app.etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/chain.pem"
	112	];
	113	};
	114	};
	115
	116	users = {
	117	users.${config.services.etebase-server.user} = {
	118	isSystemUser = true;
	119	group = config.services.etebase-server.user;
	120	home = config.services.etebase-server.dataDir;
	121	};
	122
	123	groups.${config.services.etebase-server.user} = {
	124	members = [ "nginx" ];
	125	};
	126	};
	127	};
	128	}