tadpole: Assert that nginx is running when using ppp.pm-site

tadpole: Assert that nginx is running when using gitea
tadpole: Add WHIB backend
2025-01-03 10:52:23 +01:00 · 2025-01-03 10:52:23 +01:00 · 2025-01-03 10:52:23 +01:00 · 2025-01-03 10:52:23 +01:00 · 2025-01-03 10:52:23 +01:00
18 changed files with 278 additions and 14 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -241,7 +241,8 @@
        "nix-gc-env": "nix-gc-env",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
-        "pppdotpm-site": "pppdotpm-site"
+        "pppdotpm-site": "pppdotpm-site",
+        "whib-backend": "whib-backend"
      }
    },
    "systems": {
@@ -258,6 +259,27 @@
        "repo": "default",
        "type": "github"
      }
+    },
+    "whib-backend": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1735841882,
+        "narHash": "sha256-Fn7mOUV189e/AIzij1n6kvNOROOWA3qRY/8D4bcJRXk=",
+        "ref": "master",
+        "rev": "8952e41601f633eee9ec0ab6f8dd0d2783581b8d",
+        "revCount": 364,
+        "type": "git",
+        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
+      },
+      "original": {
+        "ref": "master",
+        "type": "git",
+        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,11 @@
      url = "git+ssh://gitea@git.ppp.pm:1122/alex/ppp.pm-site.git?ref=main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    whib-backend = {
+      url = "git+ssh://gitea@git.ppp.pm:1122/alex/whib.git?ref=master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs =
@@ -77,12 +82,19 @@
          ];
        };

-        test-vm = inputs.nixpkgs.lib.nixosSystem {
+        test-vm =
+          let
            system = "x86_64-linux";
+          in
+          inputs.nixpkgs.lib.nixosSystem {
+            inherit system;
            specialArgs = {
              inherit inputs;
            };
-          modules = [ ./hosts/test-vm/configuration.nix ];
+            modules = [
+              ./hosts/test-vm/configuration.nix
+              inputs.whib-backend.nixosModules.${system}.default
+            ];
          };
      };

--- a/hosts/pinwheel/home.nix
+++ b/hosts/pinwheel/home.nix
@@ -14,6 +14,8 @@
        home.homeDirectory = "/home/alex";

        home.packages = [
+          inputs.whib-backend.packages.${pkgs.system}.whib-import
+          pkgs.beekeeper-studio
          pkgs.bitwarden-desktop
          pkgs.gimp
          pkgs.zip
--- a/hosts/tadpole/modules/certs/default.nix
+++ b/hosts/tadpole/modules/certs/default.nix
@@ -17,6 +17,11 @@
        webroot = "/var/lib/acme/acme-challenge/";
        group = "nginx";
      };
+
+      "api.whib.ppp.pm" = {
+        webroot = "/var/lib/acme/acme-challenge/";
+        group = "nginx";
+      };
    };
  };
 }
--- a/hosts/tadpole/modules/default.nix
+++ b/hosts/tadpole/modules/default.nix
@@ -22,6 +22,7 @@ in
      };

      pppdotpm-site.enable = true;
+      whib-backend.enable = true;
    };
  };
 }
--- a/hosts/tadpole/modules/gitea/default.nix
+++ b/hosts/tadpole/modules/gitea/default.nix
@@ -7,8 +7,6 @@
 let
  conf = config.mod.gitea;
  gitDomain = "git.${conf.baseDomain}";
-
-  nginxEnable = config.mod.nginx.enable;
 in
 {
  options = {
@@ -37,8 +35,12 @@ in
    };
  };

-  config = lib.mkIf (conf.enable && nginxEnable) {
+  config = lib.mkIf conf.enable {
    assertions = [
+      {
+        assertion = config.services.nginx.enable;
+        message = "Option 'config.services.nginx' must be enabled";
+      }
      {
        assertion = conf.baseDomain != "";
        message = "Option 'mod.gitea.baseDomain' cannot be empty";
--- a/hosts/tadpole/modules/ppp.pm-site/default.nix
+++ b/hosts/tadpole/modules/ppp.pm-site/default.nix
@@ -6,8 +6,6 @@
 }:
 let
  enabled = config.mod.pppdotpm-site.enable;
-
-  nginxEnabled = config.mod.nginx.enable;
 in
 {
  imports = [ inputs.pppdotpm-site.nixosModules.default ];
@@ -18,7 +16,14 @@ in
    };
  };

-  config = lib.mkIf (enabled && nginxEnabled) {
+  config = lib.mkIf enabled {
+    assertions = [
+      {
+        assertion = config.services.nginx.enable;
+        message = "Option 'config.services.nginx' must be enabled";
+      }
+    ];
+
    services.pppdotpm-site = {
      enable = true;
      domain = "ppp.pm";
--- a/hosts/tadpole/modules/whib/default.nix
+++ b/hosts/tadpole/modules/whib/default.nix
@@ -0,0 +1,72 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  enabled = config.mod.whib-backend.enable;
+in
+{
+  options = {
+    mod.whib-backend = {
+      enable = lib.mkEnableOption "enable WHIB backend";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    assertions = [
+      {
+        assertion = config.services.nginx.enable;
+        message = "Option 'config.services.nginx' must be enabled";
+      }
+    ];
+
+    services.whib-backend = {
+      enable = true;
+
+      domain = "api.whib.ppp.pm";
+      useACMEHost = "api.whib.ppp.pm";
+
+      backend = {
+        signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
+      };
+
+      postgres = {
+        database = "whib";
+        host = "postgres";
+        port = "5432";
+        user = "whib";
+        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
+
+        backup = {
+          interval = "*-*-* 00:00:00 UTC";
+
+          gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
+
+          backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
+          backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
+          backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
+        };
+      };
+
+      grafana = {
+        domain = "grafana.whib.ppp.pm";
+        useACMEHost = "grafana.whib.ppp.pm";
+
+        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
+      };
+    };
+
+    age.secrets = {
+      "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
+      "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
+      "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
+
+      "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
+      "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
+      "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
+      "whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
+    };
+  };
+}
--- a/hosts/test-vm/configuration.nix
+++ b/hosts/test-vm/configuration.nix
@@ -2,6 +2,7 @@
 {
  imports = [
    ./ppp.pm-site.nix
+    ./whib-backend.nix
  ];

  config = {
@@ -10,7 +11,8 @@
    networking.hostName = "test-vm";

    mod = {
-      pppdotpm-site.enable = true;
+      pppdotpm-site.enable = false;
+      whib-backend.enable = true;
    };

    users.users.a = {
--- a/hosts/test-vm/whib-backend.nix
+++ b/hosts/test-vm/whib-backend.nix
@@ -0,0 +1,89 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  enabled = config.mod.whib-backend.enable;
+in
+{
+  options = {
+    mod.whib-backend = {
+      enable = lib.mkEnableOption "enable WHIB backend";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    services.whib-backend = {
+      enable = true;
+      domain = "whib-backend.local";
+
+      backend = {
+        signingKey = "super-secret-key";
+      };
+
+      postgres = {
+        password = "postgrespassword";
+
+        backup = {
+          interval = "*-*-* *:*:00 UTC"; # Every minute, for testing
+
+          # Set these for test runs
+          gpgPassphraseFile = "";
+
+          backblazeBucket = "";
+          backblazeKeyID = "";
+          backblazeKey = "";
+        };
+      };
+
+      grafana = {
+        password = "granfanapassword";
+      };
+    };
+
+    virtualisation.vmVariant = {
+      virtualisation = {
+        sharedDirectories = {
+          my-shared = {
+            source = "/home/alex/whib-backup";
+            target = "/mnt/shared";
+          };
+        };
+
+        forwardPorts = [
+          {
+            # Service API
+            from = "host";
+            host.port = 8080;
+            guest.port = 8080;
+          }
+          {
+            # Service Metrics
+            from = "host";
+            host.port = 8181;
+            guest.port = 8181;
+          }
+          {
+            # Postgres
+            from = "host";
+            host.port = 5432;
+            guest.port = 5432;
+          }
+          {
+            # Grafana
+            from = "host";
+            host.port = 3000;
+            guest.port = 3000;
+          }
+          {
+            # Prometheus
+            from = "host";
+            host.port = 9090;
+            guest.port = 9090;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -47,4 +47,12 @@ in {
  "tadpole/alex.tadpole-git.ppp.pm.age".publicKeys = [ tadpole alex ];
  "tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ];
  "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ];
+
+  "tadpole/whib-signing-key.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-postgres-password.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-grafana-password.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-gpg-key.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-backblaze-bucket.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-backblaze-key-id.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-backblaze-key.age".publicKeys = [ tadpole alex ];
 }
--- a/secrets/tadpole/whib-backblaze-bucket.age
+++ b/secrets/tadpole/whib-backblaze-bucket.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 5R7G9A V2ngjouYa4wi42HngK3TQfGRNqZ+gW4iQ01HxdnfNxo
+vvK7WyZkdH/vmeBrC8cs3neLpaZ8RryvYg61sBzf12A
+-> ssh-ed25519 +oNaHQ 1pK15FPOkaejA0GfotISM2ATOcE8tsUgZOpL0PONC08
+dDjq/2ZH/FHgLCQHgRaYba/3JtOvHl4k9GgzxyQw+L4
+--- yyW+//7KvwvcTHs76bPxtG9TUrFgJzp7KtqaqjP/0GY
+<EFBFBD><EFBFBD>~<7E><>}"[<5B>~nIm<49><6D><EFBFBD>2<EFBFBD><32>t<EFBFBD><74><EFBFBD>T<EFBFBD><54>xw<78>T<EFBFBD><54><EFBFBD>5,5^<5E><>w<EFBFBD><77>6l<36><6C>T<EFBFBD><54>(<28>
--- a/secrets/tadpole/whib-backblaze-key-id.age
+++ b/secrets/tadpole/whib-backblaze-key-id.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 5R7G9A YRCagpPHZ/4X9VyWgxWbugjSdYTzSUD2ncgWunzYVFs
+7SKYPayWt4XGG5YVB3yKt+dpGKOBtJW3E/LZq3eJmGI
+-> ssh-ed25519 +oNaHQ EHjg/EH4AbcqEHp27hhJqOLwa9P7sz2iavqIvkBkFQA
+T/2Po7X5FFb575QSxvvE1LqwZpFoDX/gnKLopBw/NMU
+--- 2cWhyrmkeeeiYNTyhJri/UHVhLqU0fJ3Py34rzhmr7c
+clN<>2<EFBFBD>ʍ<EFBFBD><CA8D>y~<7E>,lsX<73><58><EFBFBD><EFBFBD>s.<2E><>4<EFBFBD>*!<21><><EFBFBD>j<EFBFBD>c
+]u<>Ʒ<EFBFBD>z<EFBFBD>g<EFBFBD><67><06><>;F
--- a/secrets/tadpole/whib-backblaze-key.age
+++ b/secrets/tadpole/whib-backblaze-key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 5R7G9A /exiuF2v+lsAUID7eT53DooUgVnQHsE0lJOPgdbLuzU
+KPZKG2vYo7hczQ9iRTubb8mBUM9F3E19+1T6GExhsJM
+-> ssh-ed25519 +oNaHQ 6/BOd1ahNHbKPH6V4DwiSWQ2MFPztTAqBHTc8V1HJFw
+IF8V4HtNQqYzK58WdxYg1e2bfh9T7keV67VR/VzCUz0
+--- WuqN3ez4lofmNyDaaKKXA23lFtnd+2VwuG7wT28u0xU
+СQ<EFBFBD><EFBFBD>Vd<EFBFBD><EFBFBD><08><>>\<5C><11><15>
--- a/secrets/tadpole/whib-gpg-key.age
+++ b/secrets/tadpole/whib-gpg-key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 5R7G9A ORTl5WSeg4vSKUAwzCp9ABRL02SvjFZrBHuWLMbSmxI
+obXt5wHXbfkdOAXwPySZeFelSFwJnCoH1EExtXNmBio
+-> ssh-ed25519 +oNaHQ vxTHufUlEwbuztnIsCcprfXonpNUlv1ZcHQpEQjGtz8
+uFym0SgmM6LZRqJrSPMLHI6DLZ5t/WLvKP0dMvM8bUc
+--- 7UQLcCs/G20iP2YlwjCEmpFcXgqJfQacqSVGBBPmAbY
+y<>ӆ<EFBFBD><D386>'<27>_K<07><>f<EFBFBD>3<EFBFBD>;<EFBFBD>X<EFBFBD><58><EFBFBD><EFBFBD>_<EFBFBD>tu[<5B>\<10><><EFBFBD><1F>)uK<75><4B>,ƫ<>zq񐏭<71>|<7C>1!X<>YY<59>g<EFBFBD>7<><37>Eڛ<>^<5E><>
--- a/secrets/tadpole/whib-grafana-password.age
+++ b/secrets/tadpole/whib-grafana-password.age
--- a/secrets/tadpole/whib-postgres-password.age
+++ b/secrets/tadpole/whib-postgres-password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 5R7G9A WqkH9G2AGAcQfa9u+w6+QVXYVlozt0JsB/icILH/Jnc
+SGhXQ33eRtVtIEKdZCmpyxNUtFgtZhGUs9QX20GbHRg
+-> ssh-ed25519 +oNaHQ k66ZToSUzHxDm0yZkI4+Gase/Q5GJrsB7c6+LvmgGSg
+6x9dzdloKJT2Tcawn4m2d518KUjdINGi4u+PFvMt9tQ
+--- 395jqjDR3lBIIPOUIlnOJW/048qeJPC5CJbMJdpSjTo
+<EFBFBD>ϛ<EFBFBD><uI<75>X"<22><0C>^C<12>j};<3B><><EFBFBD><EFBFBD>Kd<4B><64><06><>ٗX<D997><58>b<EFBFBD><0C><><EFBFBD>W<>,{7u+x<>L]<5D>
--- a/secrets/tadpole/whib-signing-key.age
+++ b/secrets/tadpole/whib-signing-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 5R7G9A ncGAywK2O0Geyy5E9HmRdDCmCD7RwmflyyBXFKH4KSc
+4Izx8nT/k5yOMOG4InifQw+wzEDe9PqMyeF3LEicOKE
+-> ssh-ed25519 +oNaHQ cPf/X971sb4pNKz9t0W318EpY3XJNB/OId7nGZ/ooXc
+Vp5x6PZML0jtPEjuaDo7KjtHdKv5SyPAS2+Fvhjbro8
+--- 4jGA5763tvEcNDmNnYaoCfw99xROjqpKW0dMG23BqbE
+<1F><><EFBFBD>j^t<><74><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>B%<25><>a<><61><EFBFBD><EFBFBD>$<24><>8m}-LbM<62>n<EFBFBD><6E><18><1C>R<02><>cZ<63><5A><EFBFBD>=<3D><0C>$x<18><>}<7D><>)PH<50>{X<>3<EFBFBD>ᏻ<EFBFBD><E18FBB><EFBFBD>V<EFBFBD><15><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><12><><EFBFBD>Օ<EFBFBD>6Rs<52><73><EFBFBD><12><>r<EFBFBD><72>b<EFBFBD>nl<6E>]<5D><>/Ȏe@/<2F>*<2A><><EFBFBD>:<3A>ڸ<EFBFBD><DAB8>V~<7E><>V<EFBFBD>a]`<60><19>
+<EFBFBD><EFBFBD><EFBFBD>=ٿv<D9BF>z\<5C>
Author	SHA1	Message	Date
Alexander Heldt	423ea62216	tadpole: Assert that `nginx` is running when using `ppp.pm-site`	2025-01-03 10:52:23 +01:00
Alexander Heldt	d0a9202615	tadpole: Assert that `nginx` is running when using `gitea`	2025-01-03 10:52:23 +01:00
Alexander Heldt	4663a710dc	tadpole: Add `WHIB backend`	2025-01-03 10:52:23 +01:00
Alexander Heldt	c95209cf7c	tadpole: Add secrets for `whib` service	2025-01-03 10:52:23 +01:00
Alexander Heldt	206e956dfb	test-vm: Add `WHIB backend`	2025-01-03 10:52:23 +01:00