author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-11-10 09:15:50 +0100 |
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-11-10 09:15:50 +0100 |
commit | 7e97353075b4acee96488d022e456f80f4f903ed (patch) | |
tree | 570260991c2ecf972b885b45ea4acd76dde0dbd9 /hosts/surtr/etebase | |
parent | 9d616c8d297db37cc929b711e63f249c3cbe44a5 (diff) | |
surtr: etebase
Diffstat (limited to 'hosts/surtr/etebase')
-rw-r--r-- | hosts/surtr/etebase/default.nix | 128 | ||||
-rw-r--r-- | hosts/surtr/etebase/secret.txt | 26 |
2 files changed, 154 insertions, 0 deletions
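--- /dev/null
+++ b/hosts/surtr/etebase/default.nix
@@ -0,0 +1,128 @@
+{ config, pkgs, ... }:
+
+{
+config = {
+services.etebase-server = {
+enable = true;
+port = null;
+unixSocket = "/run/etebase-server/etebase-server.sock";
+user = "etebase";
+settings = {
+allowed_hosts.allowed_host1 = "etesync.yggdrasil.li";
+global.secret_file = config.sops.secrets."etebase-server-secret.txt".path;
+database = {
+engine = "django.db.backends.postgresql";
+name = "etebase";
+user = "etebase";
+};
+};
+};
+
+systemd.services.etebase-server = {
+serviceConfig = {
+RuntimeDirectory = "etebase-server";
+};
+};
+
+sops.secrets."etebase-server-secret.txt" = {
+format = "binary";
+sopsFile = ./secret.txt;
+owner = config.services.etebase-server.user;
+group = config.services.etebase-server.user;
+restartUnits = ["etebase-server.service"];
+};
+
+security.acme.domains = {
+"etesync.yggdrasil.li".certCfg = {
+postRun = ''
+${pkgs.systemd}/bin/systemctl try-restart nginx.service
+'';
+};
+"app.etesync.yggdrasil.li".certCfg = {
+postRun = ''
+${pkgs.systemd}/bin/systemctl try-restart nginx.service
+'';
+};
+};
+
+services.nginx = {
+upstreams."etebase" = {
+servers = {
+"unix://${config.services.etebase-server.unixSocket}" = {};
+};
+};
+
+virtualHosts = {
+"etesync.yggdrasil.li" = {
+forceSSL = true;
+sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
+sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
+sslTrustedCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.chain.pem";
+extraConfig = ''
+client_max_body_size 100M;
+charset utf-8;
+'';
+
+locations = {
+"/static/" = {
+alias = "${config.services.etebase-server.settings.global.static_root}/";
+};
+"= /".return = "301 https://app.etesync.yggdrasil.li";
+"/".extraConfig = ''
+proxy_pass http://etebase;
+
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $server_name;
+'';
+};
+};
+
+"app.etesync.yggdrasil.li" = {
+forceSSL = true;
+sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
+sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
+sslTrustedCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.chain.pem";
+
+locations."/".alias = "${pkgs.etesync-web}/";
+};
+};
+};
+
+systemd.services.nginx = {
+serviceConfig = {
+ReadPaths = [
+config.services.etebase-server.settings.global.static_root
+pkgs.etesync-web
+];
+LoadCredential = [
+"etesync.yggdrasil.li.key.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/key.pem"
+"etesync.yggdrasil.li.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/fullchain.pem"
+"etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/chain.pem"
+
+"app.etesync.yggdrasil.li.key.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/key.pem"
+"app.etesync.yggdrasil.li.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/fullchain.pem"
+"app.etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/chain.pem"
+];
+};
+};
+
+users = {
+users.${config.services.etebase-server.user} = {
+isSystemUser = true;
+group = config.services.etebase-server.user;
+home = config.services.etebase-server.dataDir;
+};
+
+groups.${config.services.etebase-server.user} = {
+members = [ "nginx" ];
+};
+};
+};
+}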
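Review bot: Line 124 adds nginx to the etebase group without a comment saying why, and since line 46 makes that same group the owner group of the sops secret, the `secret_file` stays out of nginx's reach only because sops-nix's default file mode is owner-only. Presumably the membership exists so nginx can write to the unix socket declared on line 23 and read `static_root` (line 116); a comment above line 124 such as `# nginx must reach the etebase unix socket and static_root; the sops secret stays owner-only` would make that dependency explicit, and adding `mode = "0400";` to the secret on lines 42-48 pins the assumption instead of relying on the default. Separately, line 91 sets `Connection "upgrade"` on every proxied request; the usual nginx pattern is a `map $http_upgrade $connection_upgrade { default upgrade; "" close; }` block in `services.nginx.appendHttpConfig` together with `proxy_set_header Connection $connection_upgrade;`, so ordinary requests keep normal connection semantics and only real WebSocket handshakes are upgraded.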
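--- /dev/null
+++ b/hosts/surtr/etebase/secret.txt
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data:0iCyumWJXIVl/YnDZPCVeGM9FP4mGJ8A6Kp8nTXCZQfNOfXzvHRlJVXKlPtYuYD3/sXb,iv:gKJoiuXJIvL0/Eu48OM/7YPnX4p/3Bi8u/GvvNNSeg8=,tag:7XKIlfZ7ZimZ3wE0qVqU5w==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-11-09T15:30:57Z",
+"mac": "ENC[AES256_GCM,data:zb9S3tgUEja6IfCvrh6AJkzoiqAj5RyBtEvHHV7RkANGHxRer79YdDJW39I4qrg2WC8odr5CyJF3sVqw4fUeUeeq0QAJYupJVmINBqIaFcy6f5XtFDpHRNPmHT1WwrN6t5o8pqb4cv8H7JRfjySxlwFNmItgrQIQn6QBqE2ZkEc=,iv:BTzROI/DxqCmRYzsRkMrj+kTG3KTLP+nAF4z0l/dRbU=,tag:S+w0+XL55PBiHWkUKtDggQ==,type:str]",
+"pgp": [
+{
+"created_at": "2022-11-09T14:03:17Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAfsNj4UmCNc1Qo5hi1YLaRjoeoudRZwNgVfaQTMsOPA8w\nfuIRUgq9Mybq4Frp4U/l86LwekOIwiF5tk1hPcK2HrmHG2z/ewr6WnrhczjFy+Qi\n0lwBMEtZWrD4h8GdTwan7E/jDLytEZYjDmXK72Ep5PubyO86H1BKy4Da5YIZw4Bc\nq3RaJ65wcp1EwIJ7gbEvG7a1a00AjFhXIwtsT/DhKTBy/OwPj9w4mFJ5rka8FQ==\n=2FIT\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+},
+{
+"created_at": "2022-11-09T14:03:17Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdATs6pQrq07RGgFTTrNTI26pt3WSSF8tg9ywhepFvxfyUw\nItZrRfQUi42Yj6UC0GuxNmVYcS/Ogv7SngtM+22kofS476gfhkHT45/9gMhqve0D\n0lwBPaW0UHfU8Z3tbA6aRpMSYF20Srvvqfs2Q+PFSEWDFXx06RqpmH72LrhI3uYm\nbK9LykI7ucQAGJSSkHJQEbvEqyv1CMFGdDHkI1LyAetmcqgPZH8JRPx3LDagyg==\n=EsHC\n-----END PGP MESSAGE-----\n",
+"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.3"
+}
+}
\ No newline at end of file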