-rw-r--r--README.md18
-rw-r--r--hosts/by-name/server3/configuration.nix6
-rw-r--r--hosts/by-name/server3/websites.nix36
-rw-r--r--modules/by-name/co/constants/module.nix2
-rw-r--r--modules/by-name/ni/nix-sync/hosts.nix48
-rw-r--r--modules/by-name/ni/nix-sync/module.nix70
6 files changed, 115 insertions, 65 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0e343d2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,18 @@
+# Vhack.eu server infrastructure
+This repository includes the all configurations for all services at vhack.eu and
+foss-syndicate.org.
+
+## Contributing
+### Issue reporting
+Issues are tracked [online](https://issues.foss-syndicate.org/issues/open) by
+[back](./pkgs/by-name/ba/back).
+
+Please send issue reports via mail to [admin@vhack.eu](mailto://admin@vhack.eu). Beware
+that we use [git-bug](https://github.com/git-bug/git-bug) for issue tracking, so you can
+clone this repository and get a list of open issues with `git bug ls`.
+We plan to improve this issue reporting system in the future.
+
+### Patches
+Please send your patches for now to [admin@vhack.eu](mailto://admin@vhack.eu) (with `git
+format-patch` and `git send-email`). We're hoping to set up a mailing list the future to
+improve this process.
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index b87dc67..d819e81 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -1,4 +1,4 @@
-{config, ...}: {
+{...}: {
   imports = [
     ./networking.nix # network configuration that just works
     ./hardware.nix
@@ -12,6 +12,10 @@
       user = "u384702-sub4";
     };
     fail2ban.enable = true;
+    nix-sync = {
+      enable = true;
+      domains = import ./websites.nix {};
+    };
     mastodon = {
       enable = true;
       domain = "mastodon.vhack.eu";
diff --git a/hosts/by-name/server3/websites.nix b/hosts/by-name/server3/websites.nix
new file mode 100644
index 0000000..466f1e9
--- /dev/null
+++ b/hosts/by-name/server3/websites.nix
@@ -0,0 +1,36 @@
+{...}: let
+  mkWkd = domain: {
+    domain = "openpgpkey.${domain}";
+    repositoryUrl = "https://git.foss-syndicate.org/vhack.eu/pgp-wkd.git";
+    extraSettings = {
+      locations."/.well-known/openpgpkey/".extraConfig = ''
+        default_type application/octet-stream;
+
+        # Came from: https://www.uriports.com/blog/setting-up-openpgp-web-key-directory/
+        # No idea if it is actually necessary
+        # add_header Access-Control-Allow-Origin * always;
+      '';
+    };
+  };
+in [
+  {
+    domain = "vhack.eu";
+    repositoryUrl = "https://codeberg.org/vhack.eu/website.git";
+  }
+  {
+    domain = "b-peetz.de";
+    repositoryUrl = "https://git.foss-syndicate.org/bpeetz/b-peetz.de.git";
+  }
+
+  # Trinitrix
+  {
+    domain = "trinitrix.vhack.eu";
+    repositoryUrl = "https://codeberg.org/trinitrix/website.git";
+  }
+
+  # WKD
+  (mkWkd "b-peetz.de")
+  (mkWkd "s-schoeffel.de")
+  (mkWkd "sils.li")
+  (mkWkd "vhack.eu")
+]
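Review bot: The `location "/.well-known/openpgpkey/"` block in `mkWkd` is now a prefix over the whole WKD tree rather than the `hu/` subdirectory it covered in the deleted hosts.nix, so any per-domain `policy` file in the repository (if present) is also served as `application/octet-stream`; if that widening is intended it deserves a sentence, if not the old `/hu/` prefix should be restored. The carried-over `# No idea if it is actually necessary` comment leaves the only WKD-specific nginx setting unexplained for the next maintainer; I would replace it with something like `# hu/ entries are extension-less binary key blobs; force a binary content type so nginx does not fall back to its text default`, and state why the CORS header stays commented out (gpg and other non-browser WKD clients do not evaluate CORS; only a browser-side client would need it) rather than leaving the doubt in place.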
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
index b344fcd..fed14d3 100644
--- a/modules/by-name/co/constants/module.nix
+++ b/modules/by-name/co/constants/module.nix
@@ -25,6 +25,7 @@
       nscd = 330;
       sshd = 331;
       systemd-oom = 332;
+      nix-sync = 334;
       redis-peertube = 990;
       peertube = 992; # TODO Sort correctly
       mastodon = 996;
@@ -47,6 +48,7 @@
       sshd = 331;
       systemd-oom = 332;
       resolvconf = 333; # This group is not matched to an user?
+      nix-sync = 334;
       systemd-coredump = 151; # matches systemd-coredump user
       redis-peertube = 990;
       peertube = 992;
diff --git a/modules/by-name/ni/nix-sync/hosts.nix b/modules/by-name/ni/nix-sync/hosts.nix
deleted file mode 100644
index 98dbbf1..0000000
--- a/modules/by-name/ni/nix-sync/hosts.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{...}: let
-  extraWkdSettings = {
-    locations."/.well-known/openpgpkey/hu/".extraConfig = ''
-      default_type application/octet-stream;
-
-      # Came from: https://www.uriports.com/blog/setting-up-openpgp-web-key-directory/
-      # No idea if it is actually necessary
-      # add_header Access-Control-Allow-Origin * always;
-    '';
-  };
-in [
-  {
-    domain = "vhack.eu";
-    url = "https://codeberg.org/vhack.eu/website.git";
-  }
-  {
-    domain = "b-peetz.de";
-    url = "https://codeberg.org/bpeetz/b-peetz.de.git";
-  }
-
-  # Trinitrix
-  {
-    domain = "trinitrix.vhack.eu";
-    url = "https://codeberg.org/trinitrix/website.git";
-  }
-
-  # WKD
-  {
-    domain = "openpgpkey.b-peetz.de";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.s-schoeffel.de";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.sils.li";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.vhack.eu";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-]
diff --git a/modules/by-name/ni/nix-sync/module.nix b/modules/by-name/ni/nix-sync/module.nix
index de096b9..9ddd210 100644
--- a/modules/by-name/ni/nix-sync/module.nix
+++ b/modules/by-name/ni/nix-sync/module.nix
@@ -1,43 +1,44 @@
 {
   config,
   lib,
+  modulesPath,
+  nixLib,
   ...
 }: let
   cfg = config.vhack.nix-sync;
 
   mkNixSyncRepository = {
     domain,
-    root ? "",
-    url,
-    extraSettings ? {},
+    repositoryUrl,
+    extraSettings,
   }: {
     name = "${domain}";
     value = {
-      path = "/etc/nginx/websites/${domain}/${root}";
-      uri = "${url}";
+      path = "/etc/nginx/websites/${domain}";
+      uri = "${repositoryUrl}";
       inherit extraSettings;
     };
   };
-  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
+  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository cfg.domains);
 
   mkVirtHost = {
     domain,
-    root ? "",
-    url,
-    extraSettings ? {},
+    repositoryUrl,
+    extraSettings,
   }: {
     name = "${domain}";
     value =
-      lib.recursiveUpdate {
+      # FIXME(@bpeetz): We cannot use something like `lib.recursiveUpdate` because the
+      # `extraSettings` are instantiated from the “real” nginx type. As such the
+      # `extaSettings` would override our values here. Therefore, the direct merge. <2025-02-07>
+      extraSettings
+      // {
         forceSSL = true;
         enableACME = true;
-        root = "/etc/nginx/websites/${domain}/${root}";
-      }
-      extraSettings;
+        root = "/etc/nginx/websites/${domain}";
+      };
   };
-  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
-
-  domains = import ./hosts.nix {};
+  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost cfg.domains);
 in {
   imports = [
     ./internal_module.nix
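Review bot: `root` in `mkVirtHost` and `path` in `mkNixSyncRepository` are the same directory, `/etc/nginx/websites/${domain}`, so nginx serves the git checkout itself; if `internal_module.nix` (not in this diff) keeps a working tree with its `.git` directory there, the full history and config of every deployed repository becomes fetchable over HTTPS, which is worth a deny rule regardless, e.g. `locations."~ /\\.git".extraConfig = "deny all;";` placed in the defaults set alongside `root`, or checking out into a separate directory and exporting only the tree into the served root. Dropping the `root` subdirectory parameter also means a repository can no longer keep non-public files outside the served path, which makes that guard more important. Note that with the `extraSettings // { ... }` order, a caller-supplied `root`, `forceSSL` or `enableACME` is silently discarded; a one-line comment saying so would save a confused debugging session. The `vhack.nix-sync` option set and the `config` block this `let` feeds continue outside the hunk.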
@@ -47,6 +48,38 @@ in {
     enable = lib.mkEnableOption ''
       a website git ops solution.
     '';
+
+    domains = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          domain = lib.mkOption {
+            type = lib.types.str;
+            example = "b-peetz.de";
+            description = ''
+              The fully qualified domain to use as base of this website.
+            '';
+          };
+          repositoryUrl = lib.mkOption {
+            type = lib.types.str;
+            example = "b-peetz.de";
+            description = ''
+              The url used for the source git repository, which is deployed at this domain.
+            '';
+          };
+          extraSettings = lib.mkOption {
+            type =
+              lib.types.submodule (import (modulesPath + "/services/web-servers/nginx/vhost-options.nix") {inherit config lib;});
+            example = {
+              locations."/.well-known/openpgpkey/".extraConfig = "default_type application/octet-stream";
+            };
+            default = {};
+            description = ''
+              Extra configuration to add to the nginx virtual host.
+            '';
+          };
+        };
+      });
+    };
   };
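Review bot: `repositoryUrl` is the supply chain for everything these vhosts serve, yet it is typed as a bare `lib.types.str` with the domain `"b-peetz.de"` as its example, so nothing stops a `git://` or `http://` URL from being fetched over an unauthenticated channel and deployed as the live site. I would fix the example, `example = "https://codeberg.org/vhack.eu/website.git";`, and either document the expectation in the description, `The https (or ssh with a pinned known_hosts entry) url of the git repository deployed at this domain; plaintext schemes must not be used because the checkout is served verbatim.`, or enforce it with `type = lib.types.strMatching "^(https|ssh)://.*";`. How the fetch is actually performed lives in `internal_module.nix` and is not visible here, so whether commits are pinned or signatures checked cannot be confirmed from this hunk; if they are not, the description should say so.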
 
   config = lib.mkIf cfg.enable {
@@ -66,5 +99,10 @@ in {
 
     vhack.nginx.enable = true;
     services.nginx.virtualHosts = virtHosts;
+
+    users = {
+      users.nix-sync.uid = config.vhack.constants.ids.uids.nix-sync;
+      groups.nix-sync.gid = config.vhack.constants.ids.gids.nix-sync;
+    };
   };
 }
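Review bot: The new `users.users.nix-sync` entry only sets `uid`; NixOS asserts that every user has exactly one of `isSystemUser` or `isNormalUser` set, and without `group` the account lands in the default group rather than the `nix-sync` group created right below it, so unless `internal_module.nix` already declares these the configuration will fail to evaluate or run the sync under an unintended group. Add `isSystemUser = true;` and `group = "nix-sync";` next to the `uid` line. The enclosing `config = lib.mkIf cfg.enable { ... }` block starts before this hunk.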