Diffstat (limited to 'hosts/surtr/etebase')
-rw-r--r--hosts/surtr/etebase/default.nix128
-rw-r--r--hosts/surtr/etebase/secret.txt26
2 files changed, 154 insertions, 0 deletions
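--- /dev/null
+++ b/hosts/surtr/etebase/default.nix
@@ -0,0 +1,128 @@
+{ config, pkgs, ... }:
+
+{
+ config = {
+ services.etebase-server = {
+ enable = true;
+ port = null;
+ unixSocket = "/run/etebase-server/etebase-server.sock";
+ user = "etebase";
+ settings = {
+ allowed_hosts.allowed_host1 = "etesync.yggdrasil.li";
+ global.secret_file = config.sops.secrets."etebase-server-secret.txt".path;
+ database = {
+ engine = "django.db.backends.postgresql";
+ name = "etebase";
+ user = "etebase";
+ };
+ };
+ };
+
+ systemd.services.etebase-server = {
+ serviceConfig = {
+ RuntimeDirectory = "etebase-server";
+ };
+ };
+
+ sops.secrets."etebase-server-secret.txt" = {
+ format = "binary";
+ sopsFile = ./secret.txt;
+ owner = config.services.etebase-server.user;
+ group = config.services.etebase-server.user;
+ restartUnits = ["etebase-server.service"];
+ };
+
+ security.acme.domains = {
+ "etesync.yggdrasil.li".certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ "app.etesync.yggdrasil.li".certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
+
+ services.nginx = {
+ upstreams."etebase" = {
+ servers = {
+ "unix://${config.services.etebase-server.unixSocket}" = {};
+ };
+ };
+
+ virtualHosts = {
+ "etesync.yggdrasil.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.chain.pem";
+ extraConfig = ''
+ client_max_body_size 100M;
+ charset utf-8;
+ '';
+
+ locations = {
+ "/static/" = {
+ alias = "${config.services.etebase-server.settings.global.static_root}/";
+ };
+ "= /".return = "301 https://app.etesync.yggdrasil.li";
+ "/".extraConfig = ''
+ proxy_pass http://etebase;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ '';
+ };
+ };
+
+ "app.etesync.yggdrasil.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.chain.pem";
+
+ locations."/".alias = "${pkgs.etesync-web}/";
+ };
+ };
+ };
+
+ systemd.services.nginx = {
+ serviceConfig = {
+ ReadPaths = [
+ config.services.etebase-server.settings.global.static_root
+ pkgs.etesync-web
+ ];
+ LoadCredential = [
+ "etesync.yggdrasil.li.key.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/key.pem"
+ "etesync.yggdrasil.li.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/fullchain.pem"
+ "etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/chain.pem"
+
+ "app.etesync.yggdrasil.li.key.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/key.pem"
+ "app.etesync.yggdrasil.li.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/fullchain.pem"
+ "app.etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/chain.pem"
+ ];
+ };
+ };
+
+ users = {
+ users.${config.services.etebase-server.user} = {
+ isSystemUser = true;
+ group = config.services.etebase-server.user;
+ home = config.services.etebase-server.dataDir;
+ };
+
+ groups.${config.services.etebase-server.user} = {
+ members = [ "nginx" ];
+ };
+ };
+ };
+}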
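Review bot: `ReadPaths` under `systemd.services.nginx.serviceConfig` is not a directive systemd recognises — systemd.exec(5) documents `ReadOnlyPaths=` and `ReadWritePaths=` but, to my knowledge, no `ReadPaths=` — so the unit will log an unknown-key warning and the entry does nothing, leaving nginx's access to the static files and the web app governed by filesystem permissions alone. If the intent is to open those paths under the nginx unit's sandboxing it should read `ReadOnlyPaths = [`; if they are readable regardless (a `/nix/store` path such as `pkgs.etesync-web` is), the list can be replaced by a comment saying so. Relatedly, nginx reaching the unix socket under `/run/etebase-server` depends on the `members = [ "nginx" ]` group entry near the end together with whatever mode the etebase-server service gives the socket, which this file does not set; a comment such as `# nginx joins the etebase group so it can connect to the upstream unix socket` would make that dependency explicit. The proxy block forwards `Host`, `X-Real-IP` and `X-Forwarded-For` but not `X-Forwarded-Proto`, so the application cannot tell the original request was HTTPS unless etebase-server assumes it — worth confirming against its settings.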
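--- /dev/null
+++ b/hosts/surtr/etebase/secret.txt
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:0iCyumWJXIVl/YnDZPCVeGM9FP4mGJ8A6Kp8nTXCZQfNOfXzvHRlJVXKlPtYuYD3/sXb,iv:gKJoiuXJIvL0/Eu48OM/7YPnX4p/3Bi8u/GvvNNSeg8=,tag:7XKIlfZ7ZimZ3wE0qVqU5w==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-11-09T15:30:57Z",
+ "mac": "ENC[AES256_GCM,data:zb9S3tgUEja6IfCvrh6AJkzoiqAj5RyBtEvHHV7RkANGHxRer79YdDJW39I4qrg2WC8odr5CyJF3sVqw4fUeUeeq0QAJYupJVmINBqIaFcy6f5XtFDpHRNPmHT1WwrN6t5o8pqb4cv8H7JRfjySxlwFNmItgrQIQn6QBqE2ZkEc=,iv:BTzROI/DxqCmRYzsRkMrj+kTG3KTLP+nAF4z0l/dRbU=,tag:S+w0+XL55PBiHWkUKtDggQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-11-09T14:03:17Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAfsNj4UmCNc1Qo5hi1YLaRjoeoudRZwNgVfaQTMsOPA8w\nfuIRUgq9Mybq4Frp4U/l86LwekOIwiF5tk1hPcK2HrmHG2z/ewr6WnrhczjFy+Qi\n0lwBMEtZWrD4h8GdTwan7E/jDLytEZYjDmXK72Ep5PubyO86H1BKy4Da5YIZw4Bc\nq3RaJ65wcp1EwIJ7gbEvG7a1a00AjFhXIwtsT/DhKTBy/OwPj9w4mFJ5rka8FQ==\n=2FIT\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ },
+ {
+ "created_at": "2022-11-09T14:03:17Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdATs6pQrq07RGgFTTrNTI26pt3WSSF8tg9ywhepFvxfyUw\nItZrRfQUi42Yj6UC0GuxNmVYcS/Ogv7SngtM+22kofS476gfhkHT45/9gMhqve0D\n0lwBPaW0UHfU8Z3tbA6aRpMSYF20Srvvqfs2Q+PFSEWDFXx06RqpmH72LrhI3uYm\nbK9LykI7ucQAGJSSkHJQEbvEqyv1CMFGdDHkI1LyAetmcqgPZH8JRPx3LDagyg==\n=EsHC\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file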