tadpole: Add WHIB backend

2025-01-02 19:32:59 +01:00
parent 119b8efc90
commit 0532588679
4 changed files with 97 additions and 9 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -71,14 +71,19 @@
          ];
        };
-        tadpole = inputs.nixpkgs.lib.nixosSystem {
+        tadpole =
          let
            system = "x86_64-linux";
          in
          inputs.nixpkgs.lib.nixosSystem {
            inherit system;
            specialArgs = {
              inherit inputs;
            };
            modules = [
              ./hosts/tadpole/configuration.nix
              ./hosts/tadpole/home.nix
              inputs.whib-backend.nixosModules.${system}.default
            ];
          };
--- a/hosts/tadpole/modules/certs/default.nix
+++ b/hosts/tadpole/modules/certs/default.nix
@@ -17,6 +17,16 @@
        webroot = "/var/lib/acme/acme-challenge/";
        group = "nginx";
      };
      "api.whib.ppp.pm" = {
        webroot = "/var/lib/acme/acme-challenge/";
        group = "nginx";
      };
      "grafana.whib.ppp.pm" = {
        webroot = "/var/lib/acme/acme-challenge/";
        group = "nginx";
      };
    };
  };
 }
--- a/hosts/tadpole/modules/default.nix
+++ b/hosts/tadpole/modules/default.nix
@@ -22,6 +22,7 @@ in
      };
      pppdotpm-site.enable = true;
      whib-backend.enable = true;
    };
  };
 }
--- a/hosts/tadpole/modules/whib/default.nix
+++ b/hosts/tadpole/modules/whib/default.nix
@@ -0,0 +1,72 @@
 {
  pkgs,
  lib,
  config,
  ...
 }:
 let
  enabled = config.mod.whib-backend.enable;
 in
 {
  options = {
    mod.whib-backend = {
      enable = lib.mkEnableOption "enable WHIB backend";
    };
  };
  config = lib.mkIf enabled {
    assertions = [
      {
        assertion = config.services.nginx.enable;
        message = "Option 'config.services.nginx' must be enabled";
      }
    ];
    services.whib-backend = {
      enable = true;
      domain = "api.whib.ppp.pm";
      useACMEHost = "api.whib.ppp.pm";
      backend = {
        signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
      };
      postgres = {
        database = "whib";
        host = "postgres";
        port = "5432";
        user = "whib";
        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
        backup = {
          interval = "*-*-* 00:00:00 UTC";
          gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
          backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
          backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
          backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
        };
      };
      grafana = {
        domain = "grafana.whib.ppp.pm";
        useACMEHost = "grafana.whib.ppp.pm";
        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
      };
    };
    age.secrets = {
      "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
      "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
      "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
      "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
      "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
      "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
      "whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
    };
  };
 }