tadpole: Assert that nginx is running when using ppp.pm-site

tadpole: Assert that nginx is running when using gitea
tadpole: Add WHIB backend
2025-01-03 10:52:23 +01:00 · 2025-01-03 10:52:23 +01:00 · 2025-01-03 10:52:23 +01:00 · 2025-01-03 10:52:23 +01:00 · 2025-01-03 10:52:23 +01:00
11 changed files with 51 additions and 17 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -267,11 +267,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734875198,
+        "lastModified": 1735841882,
-        "narHash": "sha256-nTrmbQjVANsbTJ+uzL95MXZq8nTbJ/Ar4qfeHMfVtlE=",
+        "narHash": "sha256-Fn7mOUV189e/AIzij1n6kvNOROOWA3qRY/8D4bcJRXk=",
        "ref": "master",
-        "rev": "18225f1644a3fba957ed27d7ec92d03a3eea5579",
+        "rev": "8952e41601f633eee9ec0ab6f8dd0d2783581b8d",
-        "revCount": 362,
+        "revCount": 364,
        "type": "git",
        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
      },
--- a/hosts/pinwheel/home.nix
+++ b/hosts/pinwheel/home.nix
@@ -3,8 +3,6 @@
  imports = [ inputs.home-manager.nixosModules.home-manager ];
  config = {
    hardware.saleae-logic.enable = true;
    home-manager = {
      useGlobalPkgs = true;
      useUserPackages = true;
@@ -27,7 +25,6 @@
          pkgs.htop
          pkgs.onlyoffice-bin
          pkgs.wdisplays
          pkgs.saleae-logic-2
        ];
        home.stateVersion = "23.05";
--- a/hosts/tadpole/modules/certs/default.nix
+++ b/hosts/tadpole/modules/certs/default.nix
@@ -18,7 +18,7 @@
        group = "nginx";
      };
-      "whib-api.ppp.pm" = {
+      "api.whib.ppp.pm" = {
        webroot = "/var/lib/acme/acme-challenge/";
        group = "nginx";
      };
--- a/hosts/tadpole/modules/default.nix
+++ b/hosts/tadpole/modules/default.nix
@@ -22,6 +22,7 @@ in
      };
      pppdotpm-site.enable = true;
      whib-backend.enable = true;
    };
  };
 }
--- a/hosts/tadpole/modules/gitea/default.nix
+++ b/hosts/tadpole/modules/gitea/default.nix
@@ -7,8 +7,6 @@
 let
  conf = config.mod.gitea;
  gitDomain = "git.${conf.baseDomain}";
  nginxEnable = config.mod.nginx.enable;
 in
 {
  options = {
@@ -37,8 +35,12 @@ in
    };
  };
-  config = lib.mkIf (conf.enable && nginxEnable) {
+  config = lib.mkIf conf.enable {
    assertions = [
      {
        assertion = config.services.nginx.enable;
        message = "Option 'config.services.nginx' must be enabled";
      }
      {
        assertion = conf.baseDomain != "";
        message = "Option 'mod.gitea.baseDomain' cannot be empty";
--- a/hosts/tadpole/modules/ppp.pm-site/default.nix
+++ b/hosts/tadpole/modules/ppp.pm-site/default.nix
@@ -6,8 +6,6 @@
 }:
 let
  enabled = config.mod.pppdotpm-site.enable;
  nginxEnabled = config.mod.nginx.enable;
 in
 {
  imports = [ inputs.pppdotpm-site.nixosModules.default ];
@@ -18,7 +16,14 @@ in
    };
  };
-  config = lib.mkIf (enabled && nginxEnabled) {
+  config = lib.mkIf enabled {
    assertions = [
      {
        assertion = config.services.nginx.enable;
        message = "Option 'config.services.nginx' must be enabled";
      }
    ];
    services.pppdotpm-site = {
      enable = true;
      domain = "ppp.pm";
--- a/hosts/tadpole/modules/whib/default.nix
+++ b/hosts/tadpole/modules/whib/default.nix
@@ -15,11 +15,18 @@ in
  };
  config = lib.mkIf enabled {
    assertions = [
      {
        assertion = config.services.nginx.enable;
        message = "Option 'config.services.nginx' must be enabled";
      }
    ];
    services.whib-backend = {
      enable = true;
-      domain = "whib-api.ppp.pm";
+      domain = "api.whib.ppp.pm";
-      useACMEHost = "whib-api.ppp.pm";
+      useACMEHost = "api.whib.ppp.pm";
      backend = {
        signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
@@ -44,6 +51,9 @@ in
      };
      grafana = {
        domain = "grafana.whib.ppp.pm";
        useACMEHost = "grafana.whib.ppp.pm";
        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
      };
    };
@@ -51,11 +61,12 @@ in
    age.secrets = {
      "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
      "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
      "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
      "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
      "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
      "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
      "whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
      "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
    };
  };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -48,6 +48,9 @@ in {
  "tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ];
  "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ];
  "tadpole/whib-signing-key.age".publicKeys = [ tadpole alex ];
  "tadpole/whib-postgres-password.age".publicKeys = [ tadpole alex ];
  "tadpole/whib-grafana-password.age".publicKeys = [ tadpole alex ];
  "tadpole/whib-gpg-key.age".publicKeys = [ tadpole alex ];
  "tadpole/whib-backblaze-bucket.age".publicKeys = [ tadpole alex ];
  "tadpole/whib-backblaze-key-id.age".publicKeys = [ tadpole alex ];
--- a/secrets/tadpole/whib-grafana-password.age
+++ b/secrets/tadpole/whib-grafana-password.age
--- a/secrets/tadpole/whib-postgres-password.age
+++ b/secrets/tadpole/whib-postgres-password.age
@@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 5R7G9A WqkH9G2AGAcQfa9u+w6+QVXYVlozt0JsB/icILH/Jnc
 SGhXQ33eRtVtIEKdZCmpyxNUtFgtZhGUs9QX20GbHRg
 -> ssh-ed25519 +oNaHQ k66ZToSUzHxDm0yZkI4+Gase/Q5GJrsB7c6+LvmgGSg
 6x9dzdloKJT2Tcawn4m2d518KUjdINGi4u+PFvMt9tQ
 --- 395jqjDR3lBIIPOUIlnOJW/048qeJPC5CJbMJdpSjTo
 <EFBFBD>ϛ<EFBFBD><uI<75>X"<22><0C>^C<12>j};<3B><><EFBFBD><EFBFBD>Kd<4B><64><06><>ٗX<D997><58>b<EFBFBD><0C><><EFBFBD>W<>,{7u+x<>L]<5D>
--- a/secrets/tadpole/whib-signing-key.age
+++ b/secrets/tadpole/whib-signing-key.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 5R7G9A ncGAywK2O0Geyy5E9HmRdDCmCD7RwmflyyBXFKH4KSc
 4Izx8nT/k5yOMOG4InifQw+wzEDe9PqMyeF3LEicOKE
 -> ssh-ed25519 +oNaHQ cPf/X971sb4pNKz9t0W318EpY3XJNB/OId7nGZ/ooXc
 Vp5x6PZML0jtPEjuaDo7KjtHdKv5SyPAS2+Fvhjbro8
 --- 4jGA5763tvEcNDmNnYaoCfw99xROjqpKW0dMG23BqbE
 <1F><><EFBFBD>j^t<><74><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>B%<25><>a<><61><EFBFBD><EFBFBD>$<24><>8m}-LbM<62>n<EFBFBD><6E><18><1C>R<02><>cZ<63><5A><EFBFBD>=<3D><0C>$x<18><>}<7D><>)PH<50>{X<>3<EFBFBD>ᏻ<EFBFBD><E18FBB><EFBFBD>V<EFBFBD><15><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><12><><EFBFBD>Օ<EFBFBD>6Rs<52><73><EFBFBD><12><>r<EFBFBD><72>b<EFBFBD>nl<6E>]<5D><>/Ȏe@/<2F>*<2A><><EFBFBD>:<3A>ڸ<EFBFBD><DAB8>V~<7E><>V<EFBFBD>a]`<60><19>
 <EFBFBD><EFBFBD><EFBFBD>=ٿv<D9BF>z\<5C>
Author	SHA1	Message	Date
Alexander Heldt	423ea62216	tadpole: Assert that `nginx` is running when using `ppp.pm-site`	2025-01-03 10:52:23 +01:00
Alexander Heldt	d0a9202615	tadpole: Assert that `nginx` is running when using `gitea`	2025-01-03 10:52:23 +01:00
Alexander Heldt	4663a710dc	tadpole: Add `WHIB backend`	2025-01-03 10:52:23 +01:00
Alexander Heldt	c95209cf7c	tadpole: Add secrets for `whib` service	2025-01-03 10:52:23 +01:00
Alexander Heldt	206e956dfb	test-vm: Add `WHIB backend`	2025-01-03 10:52:23 +01:00