From 7e97353075b4acee96488d022e456f80f4f903ed Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 10 Nov 2022 09:15:50 +0100
Subject: surtr: etebase
---
 hosts/surtr/etebase/default.nix | 128 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 hosts/surtr/etebase/default.nix
(limited to 'hosts/surtr/etebase/default.nix')
diff --git a/hosts/surtr/etebase/default.nix b/hosts/surtr/etebase/default.nix
new file mode 100644
index 00000000..3c71bed0
--- /dev/null
+++ b/hosts/surtr/etebase/default.nix
@@ -0,0 +1,128 @@
+{ config, pkgs, ... }:
+
+{
+ config = {
+ services.etebase-server = {
+ enable = true;
+ port = null;
+ unixSocket = "/run/etebase-server/etebase-server.sock";
+ user = "etebase";
+ settings = {
+ allowed_hosts.allowed_host1 = "etesync.yggdrasil.li";
+ global.secret_file = config.sops.secrets."etebase-server-secret.txt".path;
+ database = {
+ engine = "django.db.backends.postgresql";
+ name = "etebase";
+ user = "etebase";
+ };
+ };
+ };
+
+ systemd.services.etebase-server = {
+ serviceConfig = {
+ RuntimeDirectory = "etebase-server";
+ };
+ };
+
+ sops.secrets."etebase-server-secret.txt" = {
+ format = "binary";
+ sopsFile = ./secret.txt;
+ owner = config.services.etebase-server.user;
+ group = config.services.etebase-server.user;
+ restartUnits = ["etebase-server.service"];
+ };
+
+ security.acme.domains = {
+ "etesync.yggdrasil.li".certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ "app.etesync.yggdrasil.li".certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
+
+ services.nginx = {
+ upstreams."etebase" = {
+ servers = {
+ "unix://${config.services.etebase-server.unixSocket}" = {};
+ };
+ };
+
+ virtualHosts = {
+ "etesync.yggdrasil.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.chain.pem";
+ extraConfig = ''
+ client_max_body_size 100M;
+ charset utf-8;
+ '';
+
+ locations = {
+ "/static/" = {
+ alias = "${config.services.etebase-server.settings.global.static_root}/";
+ };
+ "= /".return = "301 https://app.etesync.yggdrasil.li";
+ "/".extraConfig = ''
+ proxy_pass http://etebase;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ '';
+ };
+ };
+
+ "app.etesync.yggdrasil.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.chain.pem";
+
+ locations."/".alias = "${pkgs.etesync-web}/";
+ };
+ };
+ };
+
+ systemd.services.nginx = {
+ serviceConfig = {
+ ReadPaths = [
+ config.services.etebase-server.settings.global.static_root
+ pkgs.etesync-web
+ ];
+ LoadCredential = [
+ "etesync.yggdrasil.li.key.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/key.pem"
+ "etesync.yggdrasil.li.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/fullchain.pem"
+ "etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/chain.pem"
+
+ "app.etesync.yggdrasil.li.key.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/key.pem"
+ "app.etesync.yggdrasil.li.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/fullchain.pem"
+ "app.etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/chain.pem"
+ ];
+ };
+ };
+
+ users = {
+ users.${config.services.etebase-server.user} = {
+ isSystemUser = true;
+ group = config.services.etebase-server.user;
+ home = config.services.etebase-server.dataDir;
+ };
+
+ groups.${config.services.etebase-server.user} = {
+ members = [ "nginx" ];
+ };
+ };
+ };
+}
-- 
cgit v1.2.3
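Review bot: `ReadPaths` in the nginx `serviceConfig` near the end of the hunk is not a systemd `[Service]` directive I can find (the path-sandbox directives are `ReadOnlyPaths=`, `ReadWritePaths=`, `BindReadOnlyPaths=` and `InaccessiblePaths=`), and NixOS passes unknown `serviceConfig` keys through to the unit file where systemd logs "Unknown key name" and ignores them, so the intended grant for `static_root` and `pkgs.etesync-web` is silently a no-op. If the nginx unit's sandbox really blocks those paths, the line to write is `ReadOnlyPaths = [ config.services.etebase-server.settings.global.static_root pkgs.etesync-web ];`; if it does not, drop the list so the config does not document an access grant that is not in effect. Separately, `/run/etebase-server` is created with the default 0755 `RuntimeDirectoryMode` while nginx is meant to reach the socket through its membership in the etebase group, so `RuntimeDirectoryMode = "0750";` beside `RuntimeDirectory = "etebase-server";` would confine the socket directory to that user and group; whether the socket file itself is created group- rather than world-accessible depends on the server and is worth confirming, since the group membership is moot otherwise. Lastly, the `/` location forwards Host, X-Real-IP and X-Forwarded-For but not the scheme; I cannot tell from the hunk whether etebase-server relies on `X-Forwarded-Proto` to treat requests as HTTPS, so confirm against the module's Django settings before adding `proxy_set_header X-Forwarded-Proto $scheme;`.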