From 7e97353075b4acee96488d022e456f80f4f903ed Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 10 Nov 2022 09:15:50 +0100
Subject: surtr: etebase
---
 hosts/surtr/etebase/default.nix | 128 ++++++++++++++++++++++++++++++++++++++++
 hosts/surtr/etebase/secret.txt | 26 ++++++++
 2 files changed, 154 insertions(+)
 create mode 100644 hosts/surtr/etebase/default.nix
 create mode 100644 hosts/surtr/etebase/secret.txt
(limited to 'hosts/surtr/etebase')
diff --git a/hosts/surtr/etebase/default.nix b/hosts/surtr/etebase/default.nix
new file mode 100644
index 00000000..3c71bed0
--- /dev/null
+++ b/hosts/surtr/etebase/default.nix
@@ -0,0 +1,128 @@
+{ config, pkgs, ... }:
+
+{
+ config = {
+ services.etebase-server = {
+ enable = true;
+ port = null;
+ unixSocket = "/run/etebase-server/etebase-server.sock";
+ user = "etebase";
+ settings = {
+ allowed_hosts.allowed_host1 = "etesync.yggdrasil.li";
+ global.secret_file = config.sops.secrets."etebase-server-secret.txt".path;
+ database = {
+ engine = "django.db.backends.postgresql";
+ name = "etebase";
+ user = "etebase";
+ };
+ };
+ };
+
+ systemd.services.etebase-server = {
+ serviceConfig = {
+ RuntimeDirectory = "etebase-server";
+ };
+ };
+
+ sops.secrets."etebase-server-secret.txt" = {
+ format = "binary";
+ sopsFile = ./secret.txt;
+ owner = config.services.etebase-server.user;
+ group = config.services.etebase-server.user;
+ restartUnits = ["etebase-server.service"];
+ };
+
+ security.acme.domains = {
+ "etesync.yggdrasil.li".certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ "app.etesync.yggdrasil.li".certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
+
+ services.nginx = {
+ upstreams."etebase" = {
+ servers = {
+ "unix://${config.services.etebase-server.unixSocket}" = {};
+ };
+ };
+
+ virtualHosts = {
+ "etesync.yggdrasil.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.chain.pem";
+ extraConfig = ''
+ client_max_body_size 100M;
+ charset utf-8;
+ '';
+
+ locations = {
+ "/static/" = {
+ alias = "${config.services.etebase-server.settings.global.static_root}/";
+ };
+ "= /".return = "301 https://app.etesync.yggdrasil.li";
+ "/".extraConfig = ''
+ proxy_pass http://etebase;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ '';
+ };
+ };
+
+ "app.etesync.yggdrasil.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.chain.pem";
+
+ locations."/".alias = "${pkgs.etesync-web}/";
+ };
+ };
+ };
+
+ systemd.services.nginx = {
+ serviceConfig = {
+ ReadPaths = [
+ config.services.etebase-server.settings.global.static_root
+ pkgs.etesync-web
+ ];
+ LoadCredential = [
+ "etesync.yggdrasil.li.key.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/key.pem"
+ "etesync.yggdrasil.li.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/fullchain.pem"
+ "etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/chain.pem"
+
+ "app.etesync.yggdrasil.li.key.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/key.pem"
+ "app.etesync.yggdrasil.li.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/fullchain.pem"
+ "app.etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/chain.pem"
+ ];
+ };
+ };
+
+ users = {
+ users.${config.services.etebase-server.user} = {
+ isSystemUser = true;
+ group = config.services.etebase-server.user;
+ home = config.services.etebase-server.dataDir;
+ };
+
+ groups.${config.services.etebase-server.user} = {
+ members = [ "nginx" ];
+ };
+ };
+ };
+}
diff --git a/hosts/surtr/etebase/secret.txt b/hosts/surtr/etebase/secret.txt
new file mode 100644
index 00000000..acedb549
--- /dev/null
+++ b/hosts/surtr/etebase/secret.txt
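Review bot: `ReadPaths` under `systemd.services.nginx.serviceConfig` does not look like a key systemd.exec(5) defines — the documented path-sandbox keys are `ReadWritePaths=`, `ReadOnlyPaths=`, `InaccessiblePaths=`, `ExecPaths=` and `NoExecPaths=` — and NixOS writes `serviceConfig` entries into the unit file as given, so systemd will most likely log an unknown-key warning and the entry changes nothing about the hardened nginx sandbox. If the intent is to let nginx read the static root and the web bundle, the documented form is `ReadOnlyPaths = [ config.services.etebase-server.settings.global.static_root pkgs.etesync-web ];`, and `systemctl show nginx.service -p ReadOnlyPaths` after a rebuild confirms it took effect. Separately, putting `nginx` into the etebase group so it can reach the unix socket gives nginx group-level access to anything the etebase user group-shares, which is broader than the socket itself; it is worth confirming that nothing under `dataDir` besides the socket is group-readable, since the secret is only protected by its own mode.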
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:0iCyumWJXIVl/YnDZPCVeGM9FP4mGJ8A6Kp8nTXCZQfNOfXzvHRlJVXKlPtYuYD3/sXb,iv:gKJoiuXJIvL0/Eu48OM/7YPnX4p/3Bi8u/GvvNNSeg8=,tag:7XKIlfZ7ZimZ3wE0qVqU5w==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-11-09T15:30:57Z",
+ "mac": "ENC[AES256_GCM,data:zb9S3tgUEja6IfCvrh6AJkzoiqAj5RyBtEvHHV7RkANGHxRer79YdDJW39I4qrg2WC8odr5CyJF3sVqw4fUeUeeq0QAJYupJVmINBqIaFcy6f5XtFDpHRNPmHT1WwrN6t5o8pqb4cv8H7JRfjySxlwFNmItgrQIQn6QBqE2ZkEc=,iv:BTzROI/DxqCmRYzsRkMrj+kTG3KTLP+nAF4z0l/dRbU=,tag:S+w0+XL55PBiHWkUKtDggQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-11-09T14:03:17Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAfsNj4UmCNc1Qo5hi1YLaRjoeoudRZwNgVfaQTMsOPA8w\nfuIRUgq9Mybq4Frp4U/l86LwekOIwiF5tk1hPcK2HrmHG2z/ewr6WnrhczjFy+Qi\n0lwBMEtZWrD4h8GdTwan7E/jDLytEZYjDmXK72Ep5PubyO86H1BKy4Da5YIZw4Bc\nq3RaJ65wcp1EwIJ7gbEvG7a1a00AjFhXIwtsT/DhKTBy/OwPj9w4mFJ5rka8FQ==\n=2FIT\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ },
+ {
+ "created_at": "2022-11-09T14:03:17Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdATs6pQrq07RGgFTTrNTI26pt3WSSF8tg9ywhepFvxfyUw\nItZrRfQUi42Yj6UC0GuxNmVYcS/Ogv7SngtM+22kofS476gfhkHT45/9gMhqve0D\n0lwBPaW0UHfU8Z3tbA6aRpMSYF20Srvvqfs2Q+PFSEWDFXx06RqpmH72LrhI3uYm\nbK9LykI7ucQAGJSSkHJQEbvEqyv1CMFGdDHkI1LyAetmcqgPZH8JRPx3LDagyg==\n=EsHC\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file
-- 
cgit v1.2.3