alex/nixos-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: alex:1834713f9829ed7a6442aa48b852c9f2a0730952
Branches Tags
alex:main
...
compare: alex:423ea622162a71825b639e435b815a4540003160
Branches Tags
alex:main

5 Commits
1834713f98 ... 423ea62216

Author SHA1 Message Date
Alexander Heldt
423ea62216 tadpole: Assert that nginx is running when using ppp.pm-site 2025-01-03 10:52:23 +01:00
Alexander Heldt
d0a9202615 tadpole: Assert that nginx is running when using gitea 2025-01-03 10:52:23 +01:00
Alexander Heldt
4663a710dc tadpole: Add WHIB backend 2025-01-03 10:52:23 +01:00
Alexander Heldt
c95209cf7c tadpole: Add secrets for whib service 2025-01-03 10:52:23 +01:00
Alexander Heldt
206e956dfb test-vm: Add WHIB backend 2025-01-03 10:52:23 +01:00
18 changed files with 278 additions and 14 deletions
Expand all files Collapse all files

24
flake.lock generated
View File

@@ -241,7 +241,8 @@
"nix-gc-env": "nix-gc-env", "nix-gc-env": "nix-gc-env",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"pppdotpm-site": "pppdotpm-site" "pppdotpm-site": "pppdotpm-site",
"whib-backend": "whib-backend"
} }
}, },
"systems": { "systems": {
@@ -258,6 +259,27 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"whib-backend": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1735841882,
"narHash": "sha256-Fn7mOUV189e/AIzij1n6kvNOROOWA3qRY/8D4bcJRXk=",
"ref": "master",
"rev": "8952e41601f633eee9ec0ab6f8dd0d2783581b8d",
"revCount": 364,
"type": "git",
"url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
},
"original": {
"ref": "master",
"type": "git",
"url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
}
} }
}, },
"root": "root", "root": "root",

24
flake.nix
View File

@@ -37,6 +37,11 @@
url = "git+ssh://gitea@git.ppp.pm:1122/alex/ppp.pm-site.git?ref=main"; url = "git+ssh://gitea@git.ppp.pm:1122/alex/ppp.pm-site.git?ref=main";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
whib-backend = {
url = "git+ssh://gitea@git.ppp.pm:1122/alex/whib.git?ref=master";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
@@ -77,13 +82,20 @@
]; ];
}; };
test-vm = inputs.nixpkgs.lib.nixosSystem { test-vm =
system = "x86_64-linux"; let
specialArgs = { system = "x86_64-linux";
inherit inputs; in
inputs.nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs;
};
modules = [
./hosts/test-vm/configuration.nix
inputs.whib-backend.nixosModules.${system}.default
];
}; };
modules = [ ./hosts/test-vm/configuration.nix ];
};
}; };
devShells = devShells =

2
hosts/pinwheel/home.nix
View File

@@ -14,6 +14,8 @@
home.homeDirectory = "/home/alex"; home.homeDirectory = "/home/alex";
home.packages = [ home.packages = [
inputs.whib-backend.packages.${pkgs.system}.whib-import
pkgs.beekeeper-studio
pkgs.bitwarden-desktop pkgs.bitwarden-desktop
pkgs.gimp pkgs.gimp
pkgs.zip pkgs.zip

5
hosts/tadpole/modules/certs/default.nix
View File

@@ -17,6 +17,11 @@
webroot = "/var/lib/acme/acme-challenge/"; webroot = "/var/lib/acme/acme-challenge/";
group = "nginx"; group = "nginx";
}; };
"api.whib.ppp.pm" = {
webroot = "/var/lib/acme/acme-challenge/";
group = "nginx";
};
}; };
}; };
} }

1
hosts/tadpole/modules/default.nix
View File

@@ -22,6 +22,7 @@ in
}; };
pppdotpm-site.enable = true; pppdotpm-site.enable = true;
whib-backend.enable = true;
}; };
}; };
} }

8
hosts/tadpole/modules/gitea/default.nix
View File

@@ -7,8 +7,6 @@
let let
conf = config.mod.gitea; conf = config.mod.gitea;
gitDomain = "git.${conf.baseDomain}"; gitDomain = "git.${conf.baseDomain}";
nginxEnable = config.mod.nginx.enable;
in in
{ {
options = { options = {
@@ -37,8 +35,12 @@ in
}; };
}; };
config = lib.mkIf (conf.enable && nginxEnable) { config = lib.mkIf conf.enable {
assertions = [ assertions = [
{
assertion = config.services.nginx.enable;
message = "Option 'config.services.nginx' must be enabled";
}
{ {
assertion = conf.baseDomain != ""; assertion = conf.baseDomain != "";
message = "Option 'mod.gitea.baseDomain' cannot be empty"; message = "Option 'mod.gitea.baseDomain' cannot be empty";

11
hosts/tadpole/modules/ppp.pm-site/default.nix
View File

@@ -6,8 +6,6 @@
}: }:
let let
enabled = config.mod.pppdotpm-site.enable; enabled = config.mod.pppdotpm-site.enable;
nginxEnabled = config.mod.nginx.enable;
in in
{ {
imports = [ inputs.pppdotpm-site.nixosModules.default ]; imports = [ inputs.pppdotpm-site.nixosModules.default ];
@@ -18,7 +16,14 @@ in
}; };
}; };
config = lib.mkIf (enabled && nginxEnabled) { config = lib.mkIf enabled {
assertions = [
{
assertion = config.services.nginx.enable;
message = "Option 'config.services.nginx' must be enabled";
}
];
services.pppdotpm-site = { services.pppdotpm-site = {
enable = true; enable = true;
domain = "ppp.pm"; domain = "ppp.pm";

72
hosts/tadpole/modules/whib/default.nix Normal file
View File

@@ -0,0 +1,72 @@
{
pkgs,
lib,
config,
...
}:
let
enabled = config.mod.whib-backend.enable;
in
{
options = {
mod.whib-backend = {
enable = lib.mkEnableOption "enable WHIB backend";
};
};
config = lib.mkIf enabled {
assertions = [
{
assertion = config.services.nginx.enable;
message = "Option 'config.services.nginx' must be enabled";
}
];
services.whib-backend = {
enable = true;
domain = "api.whib.ppp.pm";
useACMEHost = "api.whib.ppp.pm";
backend = {
signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
};
postgres = {
database = "whib";
host = "postgres";
port = "5432";
user = "whib";
password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
backup = {
interval = "*-*-* 00:00:00 UTC";
gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
};
};
grafana = {
domain = "grafana.whib.ppp.pm";
useACMEHost = "grafana.whib.ppp.pm";
password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
};
};
age.secrets = {
"whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
"whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
"whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
"whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
"whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
"whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
"whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
};
};
}

4
hosts/test-vm/configuration.nix
View File

@@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./ppp.pm-site.nix ./ppp.pm-site.nix
./whib-backend.nix
]; ];
config = { config = {
@@ -10,7 +11,8 @@
networking.hostName = "test-vm"; networking.hostName = "test-vm";
mod = { mod = {
pppdotpm-site.enable = true; pppdotpm-site.enable = false;
whib-backend.enable = true;
}; };
users.users.a = { users.users.a = {

89
hosts/test-vm/whib-backend.nix Normal file
View File

@@ -0,0 +1,89 @@
{
lib,
config,
...
}:
let
enabled = config.mod.whib-backend.enable;
in
{
options = {
mod.whib-backend = {
enable = lib.mkEnableOption "enable WHIB backend";
};
};
config = lib.mkIf enabled {
services.whib-backend = {
enable = true;
domain = "whib-backend.local";
backend = {
signingKey = "super-secret-key";
};
postgres = {
password = "postgrespassword";
backup = {
interval = "*-*-* *:*:00 UTC"; # Every minute, for testing
# Set these for test runs
gpgPassphraseFile = "";
backblazeBucket = "";
backblazeKeyID = "";
backblazeKey = "";
};
};
grafana = {
password = "granfanapassword";
};
};
virtualisation.vmVariant = {
virtualisation = {
sharedDirectories = {
my-shared = {
source = "/home/alex/whib-backup";
target = "/mnt/shared";
};
};
forwardPorts = [
{
# Service API
from = "host";
host.port = 8080;
guest.port = 8080;
}
{
# Service Metrics
from = "host";
host.port = 8181;
guest.port = 8181;
}
{
# Postgres
from = "host";
host.port = 5432;
guest.port = 5432;
}
{
# Grafana
from = "host";
host.port = 3000;
guest.port = 3000;
}
{
# Prometheus
from = "host";
host.port = 9090;
guest.port = 9090;
}
];
};
};
};
}

8
secrets/secrets.nix
View File

@@ -47,4 +47,12 @@ in {
"tadpole/alex.tadpole-git.ppp.pm.age".publicKeys = [ tadpole alex ]; "tadpole/alex.tadpole-git.ppp.pm.age".publicKeys = [ tadpole alex ];
"tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ]; "tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ];
"tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ]; "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ];
"tadpole/whib-signing-key.age".publicKeys = [ tadpole alex ];
"tadpole/whib-postgres-password.age".publicKeys = [ tadpole alex ];
"tadpole/whib-grafana-password.age".publicKeys = [ tadpole alex ];
"tadpole/whib-gpg-key.age".publicKeys = [ tadpole alex ];
"tadpole/whib-backblaze-bucket.age".publicKeys = [ tadpole alex ];
"tadpole/whib-backblaze-key-id.age".publicKeys = [ tadpole alex ];
"tadpole/whib-backblaze-key.age".publicKeys = [ tadpole alex ];
} }

7
secrets/tadpole/whib-backblaze-bucket.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A V2ngjouYa4wi42HngK3TQfGRNqZ+gW4iQ01HxdnfNxo
vvK7WyZkdH/vmeBrC8cs3neLpaZ8RryvYg61sBzf12A
-> ssh-ed25519 +oNaHQ 1pK15FPOkaejA0GfotISM2ATOcE8tsUgZOpL0PONC08
dDjq/2ZH/FHgLCQHgRaYba/3JtOvHl4k9GgzxyQw+L4
--- yyW+//7KvwvcTHs76bPxtG9TUrFgJzp7KtqaqjP/0GY
徐~宰}"[黯nIm<49>ヲ2ムリtヌヒタT睹xwメTネヘナ5,5^涇w焔6l懆TΘ(モ

8
secrets/tadpole/whib-backblaze-key-id.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A YRCagpPHZ/4X9VyWgxWbugjSdYTzSUD2ncgWunzYVFs
7SKYPayWt4XGG5YVB3yKt+dpGKOBtJW3E/LZq3eJmGI
-> ssh-ed25519 +oNaHQ EHjg/EH4AbcqEHp27hhJqOLwa9P7sz2iavqIvkBkFQA
T/2Po7X5FFb575QSxvvE1LqwZpFoDX/gnKLopBw/NMU
--- 2cWhyrmkeeeiYNTyhJri/UHVhLqU0fJ3Py34rzhmr7c
clNó2ƒÊ<C692>˜“y~<7E>,lsXü¨½Ãs.«4Ð*!³«Ñj‡c
]uÖÆ·ûz£g“ŠÔö;F

7
secrets/tadpole/whib-backblaze-key.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A /exiuF2v+lsAUID7eT53DooUgVnQHsE0lJOPgdbLuzU
KPZKG2vYo7hczQ9iRTubb8mBUM9F3E19+1T6GExhsJM
-> ssh-ed25519 +oNaHQ 6/BOd1ahNHbKPH6V4DwiSWQ2MFPztTAqBHTc8V1HJFw
IF8V4HtNQqYzK58WdxYg1e2bfh9T7keV67VR/VzCUz0
--- WuqN3ez4lofmNyDaaKKXA23lFtnd+2VwuG7wT28u0xU
СQ™ÙVd«„Èî>\™ä

7
secrets/tadpole/whib-gpg-key.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A ORTl5WSeg4vSKUAwzCp9ABRL02SvjFZrBHuWLMbSmxI
obXt5wHXbfkdOAXwPySZeFelSFwJnCoH1EExtXNmBio
-> ssh-ed25519 +oNaHQ vxTHufUlEwbuztnIsCcprfXonpNUlv1ZcHQpEQjGtz8
uFym0SgmM6LZRqJrSPMLHI6DLZ5t/WLvKP0dMvM8bUc
--- 7UQLcCs/G20iP2YlwjCEmpFcXgqJfQacqSVGBBPmAbY
yµÓ†ÅÖ'”_K<07>­f‡3ŠÍ¾ÉXî€ï£_½tu[ù\¾£á—)uKÍÂ,Æ«äzqñ<71><C3B1>­å|¨1!XöYYág¿7¥¡EÚ›°^žÿ

BIN
secrets/tadpole/whib-grafana-password.age Normal file
View File

Binary file not shown.

7
secrets/tadpole/whib-postgres-password.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A WqkH9G2AGAcQfa9u+w6+QVXYVlozt0JsB/icILH/Jnc
SGhXQ33eRtVtIEKdZCmpyxNUtFgtZhGUs9QX20GbHRg
-> ssh-ed25519 +oNaHQ k66ZToSUzHxDm0yZkI4+Gase/Q5GJrsB7c6+LvmgGSg
6x9dzdloKJT2Tcawn4m2d518KUjdINGi4u+PFvMt9tQ
--- 395jqjDR3lBIIPOUIlnOJW/048qeJPC5CJbMJdpSjTo
þÏ›Š<uIX"¤ <0C>^CÚj};‡é´ÃKdÌíÒÅÙ—X•—bÔ §ÆÂWü,{7u+xšL]ÿž

8
secrets/tadpole/whib-signing-key.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 5R7G9A ncGAywK2O0Geyy5E9HmRdDCmCD7RwmflyyBXFKH4KSc
4Izx8nT/k5yOMOG4InifQw+wzEDe9PqMyeF3LEicOKE
-> ssh-ed25519 +oNaHQ cPf/X971sb4pNKz9t0W318EpY3XJNB/OId7nGZ/ooXc
Vp5x6PZML0jtPEjuaDo7KjtHdKv5SyPAS2+Fvhjbro8
--- 4jGA5763tvEcNDmNnYaoCfw99xROjqpKW0dMG23BqbE
ŠŽ¼j^tþøª£…ÖÑB%<25>®a<>É×Å$öÖ8m}-LbMÎnè¼ÿþR÷×cZÁÿ=õ ˆ$ xû«}¿Û)PHº{X”3¥á<C2A5>»¦¤àü¶š½â£û€Õ•ª6Rs¦ùÌÿýr¡±b…nl<6E>]ƒž/ÈŽe@/‰*†¤õ:©Ú¸ãØV~¼¬V×a]`׫
“¿¸=Ù¿vz\…