Diffstat (limited to '')
-rw-r--r--hosts/by-name/server3/secrets/matrix/passwd.age (renamed from modules/by-name/ma/matrix/passwd.age)0
-rw-r--r--modules/by-name/co/constants/module.nix2
-rw-r--r--modules/by-name/ma/matrix/module.nix6
-rw-r--r--modules/by-name/ni/nix-sync/hosts.nix48
-rw-r--r--modules/by-name/ni/nix-sync/module.nix70
5 files changed, 61 insertions, 65 deletions
diff --git a/modules/by-name/ma/matrix/passwd.age b/hosts/by-name/server3/secrets/matrix/passwd.age
index 6386ed6..6386ed6 100644
--- a/modules/by-name/ma/matrix/passwd.age
+++ b/hosts/by-name/server3/secrets/matrix/passwd.age
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
index b344fcd..fed14d3 100644
--- a/modules/by-name/co/constants/module.nix
+++ b/modules/by-name/co/constants/module.nix
@@ -25,6 +25,7 @@
       nscd = 330;
       sshd = 331;
       systemd-oom = 332;
+      nix-sync = 334;
       redis-peertube = 990;
       peertube = 992; # TODO Sort correctly
       mastodon = 996;
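Review bot: The uid table now jumps from `systemd-oom = 332` to `nix-sync = 334` with no explanation, whereas the gid table in the next hunk annotates `resolvconf = 333` as a group without a matching user; the gap reads like a typo until one cross-checks. A comment on the new entry, `nix-sync = 334; # 333 is taken by the resolvconf group, which has no user`, would keep the two tables readable side by side. The same applies to the gid hunk, where the new `nix-sync = 334;` lands between `resolvconf = 333` and the already out-of-order `systemd-coredump = 151`.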
@@ -47,6 +48,7 @@
       sshd = 331;
       systemd-oom = 332;
       resolvconf = 333; # This group is not matched to an user?
+      nix-sync = 334;
       systemd-coredump = 151; # matches systemd-coredump user
       redis-peertube = 990;
       peertube = 992;
diff --git a/modules/by-name/ma/matrix/module.nix b/modules/by-name/ma/matrix/module.nix
index a73fd13..4b730da 100644
--- a/modules/by-name/ma/matrix/module.nix
+++ b/modules/by-name/ma/matrix/module.nix
@@ -24,10 +24,14 @@ in {
       type = lib.types.str;
       description = "The url the matrix-server should be known under.";
     };
+    sharedSecretFile = lib.mkOption {
+      type = lib.types.path;
+      description = "The age encrypted shared secret file for synapse, passed to agenix";
+    };
   };
   config = lib.mkIf cfg.enable {
     age.secrets.matrix-synapse_registration_shared_secret = {
-      file = ./passwd.age;
+      file = cfg.sharedSecretFile;
       mode = "700";
       owner = "matrix-synapse";
       group = "matrix-synapse";
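Review bot: The new `sharedSecretFile` option has no `default`, so every host that sets `enable = true` now fails evaluation until it also supplies the age file; the rename of `passwd.age` into `hosts/by-name/server3/secrets/` shows this is intended, but the option text does not say so. I would extend the description to state the contract, e.g. `description = "Age-encrypted file holding synapse's registration shared secret. It is decrypted by agenix for the matrix-synapse user; must be set whenever the module is enabled.";`. It is also worth noting in that description that the value is the ciphertext path (it ends up in the Nix store like any `path`-typed option), not the plaintext. The `config` block continues past the end of this hunk.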
diff --git a/modules/by-name/ni/nix-sync/hosts.nix b/modules/by-name/ni/nix-sync/hosts.nix
deleted file mode 100644
index 98dbbf1..0000000
--- a/modules/by-name/ni/nix-sync/hosts.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{...}: let
-  extraWkdSettings = {
-    locations."/.well-known/openpgpkey/hu/".extraConfig = ''
-      default_type application/octet-stream;
-
-      # Came from: https://www.uriports.com/blog/setting-up-openpgp-web-key-directory/
-      # No idea if it is actually necessary
-      # add_header Access-Control-Allow-Origin * always;
-    '';
-  };
-in [
-  {
-    domain = "vhack.eu";
-    url = "https://codeberg.org/vhack.eu/website.git";
-  }
-  {
-    domain = "b-peetz.de";
-    url = "https://codeberg.org/bpeetz/b-peetz.de.git";
-  }
-
-  # Trinitrix
-  {
-    domain = "trinitrix.vhack.eu";
-    url = "https://codeberg.org/trinitrix/website.git";
-  }
-
-  # WKD
-  {
-    domain = "openpgpkey.b-peetz.de";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.s-schoeffel.de";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.sils.li";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.vhack.eu";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-]
diff --git a/modules/by-name/ni/nix-sync/module.nix b/modules/by-name/ni/nix-sync/module.nix
index de096b9..9ddd210 100644
--- a/modules/by-name/ni/nix-sync/module.nix
+++ b/modules/by-name/ni/nix-sync/module.nix
@@ -1,43 +1,44 @@
 {
   config,
   lib,
+  modulesPath,
+  nixLib,
   ...
 }: let
   cfg = config.vhack.nix-sync;
 
   mkNixSyncRepository = {
     domain,
-    root ? "",
-    url,
-    extraSettings ? {},
+    repositoryUrl,
+    extraSettings,
   }: {
     name = "${domain}";
     value = {
-      path = "/etc/nginx/websites/${domain}/${root}";
-      uri = "${url}";
+      path = "/etc/nginx/websites/${domain}";
+      uri = "${repositoryUrl}";
       inherit extraSettings;
     };
   };
-  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
+  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository cfg.domains);
 
   mkVirtHost = {
     domain,
-    root ? "",
-    url,
-    extraSettings ? {},
+    repositoryUrl,
+    extraSettings,
   }: {
     name = "${domain}";
     value =
-      lib.recursiveUpdate {
+      # FIXME(@bpeetz): We cannot use something like `lib.recursiveUpdate` because the
+      # `extraSettings` are instantiated from the “real” nginx type. As such the
+      # `extaSettings` would override our values here. Therefore, the direct merge. <2025-02-07>
+      extraSettings
+      // {
         forceSSL = true;
         enableACME = true;
-        root = "/etc/nginx/websites/${domain}/${root}";
-      }
-      extraSettings;
+        root = "/etc/nginx/websites/${domain}";
+      };
   };
-  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
-
-  domains = import ./hosts.nix {};
+  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost cfg.domains);
 in {
   imports = [
     ./internal_module.nix
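Review bot: The direct merge `extraSettings // { forceSSL = true; enableACME = true; root = …; }` in `mkVirtHost` silently discards any `forceSSL`, `enableACME` or `root` a caller sets in `extraSettings`; because the option is typed as the real nginx vhost submodule those keys are always present (at their defaults), so the override happens for every entry, not just for callers who set them. That is apparently the intent per the FIXME, but nothing tells the user, so I would add a sentence to the `extraSettings` option description such as "`forceSSL`, `enableACME` and `root` are set by this module and cannot be overridden here" (the FIXME also misspells `extaSettings`). Likewise, `inherit extraSettings;` in `mkNixSyncRepository` now forwards the fully evaluated vhost attrset (every vhost option with its default) into `nixSyncRepositories` rather than the sparse attrset it used to receive; whether `./internal_module.nix` copes with that cannot be judged from this hunk. The `in { … }` module attrset continues beyond the hunk.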
@@ -47,6 +48,38 @@ in {
     enable = lib.mkEnableOption ''
       a website git ops solution.
     '';
+
+    domains = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          domain = lib.mkOption {
+            type = lib.types.str;
+            example = "b-peetz.de";
+            description = ''
+              The fully qualified domain to use as base of this website.
+            '';
+          };
+          repositoryUrl = lib.mkOption {
+            type = lib.types.str;
+            example = "b-peetz.de";
+            description = ''
+              The url used for the source git repository, which is deployed at this domain.
+            '';
+          };
+          extraSettings = lib.mkOption {
+            type =
+              lib.types.submodule (import (modulesPath + "/services/web-servers/nginx/vhost-options.nix") {inherit config lib;});
+            example = {
+              locations."/.well-known/openpgpkey/".extraConfig = "default_type application/octet-stream";
+            };
+            default = {};
+            description = ''
+              Extra configuration to add to the nginx virtual host.
+            '';
+          };
+        };
+      });
+    };
   };
 
   config = lib.mkIf cfg.enable {
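Review bot: The `repositoryUrl` option carries `example = "b-peetz.de"`, which is a copy of the `domain` example and not a git URL; the deleted hosts.nix shows what a real value looks like, so `example = "https://codeberg.org/bpeetz/b-peetz.de.git";` would make the option self-explanatory. Since `domain` is interpolated into a filesystem path (`/etc/nginx/websites/${domain}`) and used as the nginx virtualHost name in the let block of the previous hunk, I would also consider tightening its type from `lib.types.str` to `lib.types.strMatching` with a hostname pattern, so a stray `/` or whitespace is rejected at evaluation time rather than producing an unexpected directory layout. The enclosing `options` attrset and the `config` block both extend outside this hunk.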
@@ -66,5 +99,10 @@ in {
 
     vhack.nginx.enable = true;
     services.nginx.virtualHosts = virtHosts;
+
+    users = {
+      users.nix-sync.uid = config.vhack.constants.ids.uids.nix-sync;
+      groups.nix-sync.gid = config.vhack.constants.ids.gids.nix-sync;
+    };
   };
 }
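Review bot: `users.users.nix-sync` is given only a `uid`; as written the user has neither `isSystemUser`/`isNormalUser` nor a `group`, which NixOS rejects with an assertion at evaluation, unless `./internal_module.nix` already declares those attributes (not visible here). If the definition is meant to stand on its own I would write `users.nix-sync = { uid = config.vhack.constants.ids.uids.nix-sync; group = "nix-sync"; isSystemUser = true; };` so the fixed uid and gid from the constants module are paired with a proper system account.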