changes
This commit is contained in:
parent
6f28880d89
commit
f781f1343e
|
@ -22,7 +22,6 @@ Additionally I've found a handy [[https://ayats.org/blog/deploy-rs-example/][blo
|
|||
remarkably convenient. They were even kind enough to link to a [[https://github.com/viperML/deploy-rs-example][repo]] which I've
|
||||
shamelessly used as a starting point.
|
||||
|
||||
|
||||
Unfortunately, Hetnezer doesn't offer a NixOS image, but they do allow you to
|
||||
mount a NixOS install volume (22.05 as of writing) to your server after creating
|
||||
it. After doing so, starting the VM we can get it set up simply with:
|
||||
|
|
37
flake.lock
37
flake.lock
|
@ -1,5 +1,23 @@
|
|||
{
|
||||
"nodes": {
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1652712410,
|
||||
"narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"deploy-rs": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
|
@ -72,6 +90,22 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1638587357,
|
||||
"narHash": "sha256-2ySMW3QARG8BsRPmwe7clTbdCuaObromOKewykP+UJc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e34c5379866833f41e2a36f309912fa675d687c7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-21.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1658985539,
|
||||
"narHash": "sha256-aRVZGndeuUct3S3T6vqOO64D9qY1F7qNTljd0zuwzak=",
|
||||
|
@ -89,9 +123,10 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"deploy-rs": "deploy-rs",
|
||||
"flake-utils-plus": "flake-utils-plus",
|
||||
"nixpkgs": "nixpkgs"
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
|
|
21
flake.nix
21
flake.nix
|
@ -4,36 +4,39 @@
|
|||
inputs = {
|
||||
nixpkgs.url = github:NixOS/nixpkgs/nixos-22.05;
|
||||
flake-utils-plus.url = github:gytis-ivaskevicius/flake-utils-plus;
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
deploy-rs = {
|
||||
url = github:serokell/deploy-rs;
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, nixpkgs, flake-utils-plus, ... }:
|
||||
outputs = inputs@{ self, nixpkgs, flake-utils-plus, agenix, ... }:
|
||||
let
|
||||
nixosModules = flake-utils-plus.lib.exportModules (
|
||||
nixpkgs.lib.mapAttrsToList (name: value: ./nixosModules/${name}) (builtins.readDir ./nixosModules)
|
||||
modules = flake-utils-plus.lib.exportModules (
|
||||
nixpkgs.lib.mapAttrsToList (name: value: ./modules/${name}) (builtins.readDir ./modules)
|
||||
);
|
||||
in
|
||||
flake-utils-plus.lib.mkFlake {
|
||||
inherit self inputs nixosModules;
|
||||
inherit self inputs modules;
|
||||
|
||||
hosts = {
|
||||
golgi.modules = with nixosModules; [
|
||||
golgi.modules = with modules; [
|
||||
common
|
||||
admin
|
||||
hardware-hetzner
|
||||
# docker
|
||||
agenix.nixosModule
|
||||
caddy
|
||||
gitea
|
||||
];
|
||||
};
|
||||
|
||||
deploy.nodes = {
|
||||
my-node = {
|
||||
hostname = "5.161.98.27";
|
||||
hostname = "tecosaur.net";
|
||||
fastConnection = false;
|
||||
profiles = {
|
||||
my-profile = {
|
||||
system = {
|
||||
sshUser = "admin";
|
||||
path =
|
||||
inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.golgi;
|
||||
|
@ -44,7 +47,7 @@
|
|||
};
|
||||
|
||||
outputsBuilder = (channels: {
|
||||
devShell = channels.nixpkgs.mkShell {
|
||||
devShells.default = channels.nixpkgs.mkShell {
|
||||
name = "my-deploy-shell";
|
||||
buildInputs = with channels.nixpkgs; [
|
||||
nixUnstable
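Review bot: The added `agenix.url = "github:ryantm/agenix";` in the first hunk is quoted while the neighbouring `nixpkgs.url`, `flake-utils-plus.url` and `deploy-rs.url` inputs use bare URL literals, a form newer Nix deprecates; quoting all of them, e.g. `nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";`, keeps the block consistent and future-proof. The deploy node and profile still carry the example repo's placeholder names (`my-node`, `my-profile`, `my-deploy-shell`) while the host they activate is `golgi`; renaming them would make the deploy invocation read consistently, though if those lines are unchanged context this is a follow-up rather than part of this commit. Old and new sides are not marked on this page, so which line of each pair is current was inferred from the hunk headers and the flake.lock changes.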
|
||||
|
|
|
@ -47,5 +47,5 @@ mount -o "$BTRFS_OPTS,subvol=@boot" "${TARGET}2" "${MNT}"/boot
|
|||
findmnt -R --target "${MNT}"
|
||||
|
||||
# .#golgi is our hostname defined by our flake
|
||||
nix-shell -p nixUnstable -p git --run "nixos-install --root ${MNT} --flake .#golgi"
|
||||
nix-shell -p nixUnstable -p git --run "nixos-install --root ${MNT} --flake .#pre-golgi"
|
||||
umount -R /mnt
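Review bot: If `.#pre-golgi` is the new install target (the page does not mark sides), the comment two lines above it, `# .#golgi is our hostname defined by our flake`, is now stale and should explain how the two targets differ, e.g. `# .#pre-golgi is the install-time config; .#golgi is the full host deployed afterwards — confirm`. The flake.nix hunks in this commit only show a `golgi` entry under `hosts`, so `nixos-install --flake .#pre-golgi` depends on a `nixosConfigurations.pre-golgi` defined somewhere not visible here. The file name for this hunk is not shown on the page and the script continues outside it; relatedly, `umount -R /mnt` hard-codes the path while the mounts above use `${MNT}`, an unchanged but easy-to-miss inconsistency.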
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
initialPassword = "1234";
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity" ];
|
||||
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity" ];
|
||||
};
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
nix.trustedUsers = [ "@wheel" ]; # https://github.com/serokell/deploy-rs/issues/25
|
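--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+# If I end up wanting to add plugins, see:
+# https://mdleom.com/blog/2021/12/27/caddy-plugins-nixos/
+services.caddy = {
+enable = true;
+virtualHosts."tecosaur.net".extraConfig = ''
+respond "Hello, world!"
+'';
+virtualHosts."git.tecosaur.net".extraConfig = ''
+reverse_proxy localhost:3000
+'';
+};
+}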
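Review bot: Port 22 is opened from the Caddy module (`networking.firewall.allowedTCPPorts = [ 22 80 443 ];`), which ties SSH exposure to the web server's configuration; NixOS already opens the SSH port through `services.openssh.openFirewall` (default true) when openssh is enabled, so this module should list only what Caddy serves: `networking.firewall.allowedTCPPorts = [ 80 443 ];`. If an explicit SSH rule is wanted, it belongs beside the SSH/user setup in the admin module, so that removing or disabling Caddy cannot silently change remote-access exposure. The `respond "Hello, world!"` body on the `tecosaur.net` vhost reads as a placeholder; a short comment saying so would keep it from being mistaken for the intended site.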
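--- a/modules/gitea.nix
+++ b/modules/gitea.nix
@@ -0,0 +1,56 @@
+{ config, ... }:
+
+{
+age.secrets.postgress = {
+owner = "gitea";
+group = "users";
+file = ../secrets/postgress.age;
+};
+
+age.secrets.fastmail = {
+owner = "gitea";
+group = "users";
+file = ../secrets/fastmail.age;
+};
+
+services.gitea = {
+enable = true;
+user = "gitea";
+domain = "git.tecosaur.net";
+rootUrl = "https://git.tecosaur.net";
+httpAddress = "0.0.0.0";
+httpPort = 3000;
+appName = "Gitea";
+database = {
+type = "postgres";
+passwordFile = config.age.secrets.postgress.path;
+};
+disableRegistration = true;
+lfs.enable = true;
+mailerPasswordFile = config.age.secrets.fastmail.path;
+settings = {
+mailer = {
+# Update when https://github.com/go-gitea/gitea/pull/18982 is merged.
+ENABLED = true;
+MAILER_TYPE = "smtp";
+FROM = "gitea@tecosaur.net";
+USER = "tec@tecosaur.net";
+HOST = "smtp.fastmail.com:587";
+IS_TLS_ENABLED = false;
+};
+service = {
+REGISTER_EMAIL_CONFIRM = true;
+};
+};
+};
+
+# users.users.gitea.uid = 997;
+# users.enforceIdUniqueness = false;
+# users.users.git = {
+# uid = config.users.users.gitea.uid;
+# home = config.services.gitea.stateDir;
+# useDefaultShell = true;
+# group = "gitea";
+# isSystemUser = true;
+# };
+}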
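Review bot: `httpAddress = "0.0.0.0";` binds Gitea's HTTP listener on every interface, yet its only intended client is the `reverse_proxy localhost:3000` in modules/caddy.nix and port 3000 is not in `allowedTCPPorts`, so the listener is shielded only by the firewall's default deny; binding to loopback removes that dependency: `httpAddress = "127.0.0.1";`. The mailer block pairs `HOST = "smtp.fastmail.com:587"` with `IS_TLS_ENABLED = false`, which in Gitea's pre-rework mailer settings I believe selects STARTTLS on that port rather than plaintext; a one-line comment stating that intent beside the existing PR 18982 note would stop a later reader from flipping it to true (implicit TLS on 587 would fail). `REGISTER_EMAIL_CONFIRM = true` is inert while `disableRegistration = true`; harmless, but a comment noting it is kept for when registration is re-enabled would make the pairing deliberate.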
10
secrets/fastmail.age
Normal file
10
secrets/fastmail.age
Normal file
|
@ -0,0 +1,10 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 eobz4w FcmiT3apVrf7KhLsq3c9vhHnE0/I63k0woqEdXIiwy0
|
||||
5zZHjjaKV05N1Hb2sHnBi/tRumXcSvWA3Dl0+/ub+O8
|
||||
-> ssh-ed25519 kfYPBA UylrZ1En/h1zN7m9v9F/tcrlktiJcBgXOBjWxHfHS3w
|
||||
u9nJyvFY7BfHuxvrKC/mQU45V5emvHnnfknWseO1lzA
|
||||
-> ~-grease \2mTF >GC6'u*^ _8lvH
|
||||
yHPvYv5ocSkEzkegwrexK8D0q++kZ3nh5ccYmCLxcNb26QDPrJ6dquRrNN/QBQXr
|
||||
/tZp48mDJodmGw1DS0DUwoItfYC3FQ7q7kwHk9KWUjwE6U0R5VS9eLnSJBGR
|
||||
--- JWoLagyTrCavi7haqY1twoZO+roMG2dgVhbL+xpIFnU
|
||||
J½xC³[Ëo0CA;pMÊMEr%s s¹1Íí•€Z¬%ç¸ÍT<æ[î )Rä§
|
10
secrets/postgress.age
Normal file
10
secrets/postgress.age
Normal file
|
@ -0,0 +1,10 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 eobz4w hrfcGZbIKusO/5PLsHao1qo2YpZPoEhDENtQ8l3cvQA
|
||||
KWTPJIgBlJ/95vXaE3qb6hJvezyPSo9ZvWD0YPx7oH0
|
||||
-> ssh-ed25519 kfYPBA Vx2UvfdjG0pwCroN/gu+ks9arQ6L5NVeuonV6YiPdHQ
|
||||
Kk2mxOPTjrtgowUZx/Wh4wR87aDHmv63lN+vlvixLE0
|
||||
-> SRp-grease G6+2
|
||||
aT1udmbGn0pxAGwokyHwNVen/Lwg6fnyqPIj0YCLNDkHRCyA1r/NvDoHNhpLpA0Q
|
||||
wgNPL3C4km4H/VsH6niFmMXmFdwBlDNxvDu93ovFo6FOBgr/0lEEL2XY
|
||||
--- 30HSItfbyb1AsTeXEReilESTUTUN+QSMNuC9s4wAqOs
|
||||
—‡ÜÌ;f]ƒ€–lï´Ã‰r³‡Né¡FÐ"¥çÕ*+RóŒ¶<C592>)áŠR¶¾„F
|
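--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+let
+base = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt tec@tranquillity";
+golgi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEmWE6y+gkNdOdgooahbgalxguyoPos7dKCAeVzokm/ root@golgi";
+systems = [ base golgi ];
+in
+{
+"postgress.age".publicKeys = systems;
+"fastmail.age".publicKeys = systems;
+}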
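Review bot: The two recipient keys are unlabeled, so a reader cannot tell which one decrypts secrets on the server at activation and which is the editing key; a comment per binding would help, e.g. `# tec@tranquillity: editing key (same key as the admin login key in admin.nix)` and `# root@golgi: the server's host key, used at activation — confirm`. `base` is byte-identical to the `openssh.authorizedKeys.keys` entry for the admin user, so one private key grants both shell access and decryption of every secret listed here; that may be intended, but it should be stated, and a dedicated secrets-editing key would narrow the impact of losing the workstation key. Both `.age` files added in this commit encrypt to `systems`, so any future host must be appended here and the files rekeyed.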