From 06db871bd75a714a61434dd4b13bc87e1319ba92 Mon Sep 17 00:00:00 2001 
From: sterni Date: Sun, 31 Dec 2023 00:19:22 +0100 Subject: chore(sterni/machines): move http services from edwin to ingeborg * Make sterni.lv declarative * Disable gopher server * Disable likely-music.sterni.lv for now * Don't give systemd too much leeway with scheduling git syncs Change-Id: Ie8507d96f2df76ad8e393b2181ed7378c37829d0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/10480 Autosubmit: sterni Reviewed-by: sterni Tested-by: BuildkiteCI --- users/sterni/machines/edwin/default.nix | 5 - users/sterni/machines/edwin/gopher.nix | 19 -- .../sterni/machines/edwin/http/code.sterni.lv.nix | 262 --------------------- users/sterni/machines/edwin/http/fcgiwrap.nix | 15 -- .../edwin/http/flipdot.openlab-augsburg.de.nix | 36 --- .../machines/edwin/http/likely-music.sterni.lv.nix | 23 -- users/sterni/machines/edwin/http/nginx.nix | 28 --- users/sterni/machines/edwin/http/sterni.lv.nix | 16 -- users/sterni/machines/ingeborg/default.nix | 10 + users/sterni/machines/ingeborg/gopher.nix | 19 ++ .../machines/ingeborg/http/code.sterni.lv.nix | 261 ++++++++++++++++++++ users/sterni/machines/ingeborg/http/fcgiwrap.nix | 15 ++ .../ingeborg/http/flipdot.openlab-augsburg.de.nix | 36 +++ .../ingeborg/http/likely-music.sterni.lv.nix | 23 ++ users/sterni/machines/ingeborg/http/nginx.nix | 30 +++ users/sterni/machines/ingeborg/http/sterni.lv.nix | 34 +++ 16 files changed, 428 insertions(+), 404 deletions(-) delete mode 100644 users/sterni/machines/edwin/gopher.nix delete mode 100644 users/sterni/machines/edwin/http/code.sterni.lv.nix delete mode 100644 users/sterni/machines/edwin/http/fcgiwrap.nix delete mode 100644 users/sterni/machines/edwin/http/flipdot.openlab-augsburg.de.nix delete mode 100644 users/sterni/machines/edwin/http/likely-music.sterni.lv.nix delete mode 100644 users/sterni/machines/edwin/http/nginx.nix delete mode 100644 users/sterni/machines/edwin/http/sterni.lv.nix create mode 100644 users/sterni/machines/ingeborg/gopher.nix create mode 100644 
users/sterni/machines/ingeborg/http/code.sterni.lv.nix create mode 100644 users/sterni/machines/ingeborg/http/fcgiwrap.nix create mode 100644 users/sterni/machines/ingeborg/http/flipdot.openlab-augsburg.de.nix create mode 100644 users/sterni/machines/ingeborg/http/likely-music.sterni.lv.nix create mode 100644 users/sterni/machines/ingeborg/http/nginx.nix create mode 100644 users/sterni/machines/ingeborg/http/sterni.lv.nix diff --git a/users/sterni/machines/edwin/default.nix b/users/sterni/machines/edwin/default.nix index 00b2851e4e..68f20787a9 100644 --- a/users/sterni/machines/edwin/default.nix +++ b/users/sterni/machines/edwin/default.nix @@ -11,11 +11,6 @@ ./network.nix # These modules configure services, websites etc. (depot.path.origSrc + "/ops/modules/btrfs-auto-scrub.nix") - ./gopher.nix - ./http/sterni.lv.nix - ./http/code.sterni.lv.nix - ./http/flipdot.openlab-augsburg.de.nix - ./http/likely-music.sterni.lv.nix ]; config = { diff --git a/users/sterni/machines/edwin/gopher.nix b/users/sterni/machines/edwin/gopher.nix deleted file mode 100644 index 57275e13a5..0000000000 --- a/users/sterni/machines/edwin/gopher.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ depot, ... }: - -{ - config = { - services.spacecookie = { - enable = true; - openFirewall = true; - settings = { - hostname = "sterni.lv"; - root = depot.users.sterni.lv.gopher; - log = { - enable = true; - hide-ips = true; - hide-time = true; - }; - }; - }; - }; -} diff --git a/users/sterni/machines/edwin/http/code.sterni.lv.nix b/users/sterni/machines/edwin/http/code.sterni.lv.nix deleted file mode 100644 index 79af1f27d0..0000000000 --- a/users/sterni/machines/edwin/http/code.sterni.lv.nix +++ /dev/null 
@@ -1,262 +0,0 @@ -{ depot, pkgs, lib, config, ... }: - -let - virtualHost = "code.sterni.lv"; - - repoSections = [ - { - section = "active"; - repos = { - spacecookie = { - description = "gopher server (and library for Haskell)"; - upstream = "https://github.com/sternenseemann/spacecookie.git"; - }; - "mirror/depot" = { - description = "monorepo for the virus lounge"; - upstream = "https://code.tvl.fyi/depot.git"; - cgit.defbranch = "canon"; - }; - "mirror/flipdot-gschichtler" = { - description = "message queue system for OpenLab's flipdot display"; - upstream = "https://github.com/openlab-aux/flipdot-gschichtler.git"; - }; - "mirror/nixpkgs" = { - description = "Nix packages collection"; - upstream = "https://github.com/nixos/nixpkgs.git"; - cgit.enable-commit-graph = "0"; # too slow - }; - "mirror/vuizvui" = { - description = "Nix(OS) expressions used by the OpenLab and its members"; - upstream = "https://github.com/openlab-aux/vuizvui.git"; - }; - }; - } - { - section = "poc"; - repos = { - emoji-generic = { - description = "generic emoji library for Haskell"; - upstream = "https://github.com/sternenseemann/emoji-generic.git"; - }; - grav2ty = { - description = "“realistic” 2d space game"; - upstream = "https://github.com/sternenseemann/grav2ty.git"; - }; - haskell-dot-time = { - description = "UTC-centric time library for haskell with dot time support"; - cgit.defbranch = "main"; - }; - buchstabensuppe = { - description = "toy font rendering for low pixelcount, high contrast displays"; - upstream = "https://github.com/sternenseemann/buchstabensuppe.git"; - cgit.defbranch = "main"; - }; - "mirror/saneterm" = { - description = "modern line-oriented terminal emulator without support for TUIs"; - upstream = "https://git.8pit.net/saneterm.git"; - }; - }; - } - { - # TODO(sterni): resisort, klammeraffe, cl-ca, ponify, tinyrl - section = "archive"; - repos = { - gopher-proxy = { - description = "Gopher over HTTP proxy"; - upstream = 
"https://github.com/sternenseemann/gopher-proxy.git"; - }; - likely-music = { - description = "experimental application for probabilistic music composition"; - upstream = "https://github.com/sternenseemann/likely-music.git"; - }; - logbook = { - description = "file format for keeping a personal log"; - upstream = "https://github.com/sternenseemann/logbook.git"; - }; - sternenblog = { - description = "file based cgi blog software"; - upstream = "https://github.com/sternenseemann/sternenblog.git"; - }; - }; - } - ]; - - repoPath = name: repo: repo.path or "/srv/git/${name}.git"; - - cgitRepoEntry = name: repo: - lib.concatStringsSep "\n" ( - [ - "repo.url=${name}" - "repo.path=${repoPath name repo}" - ] - ++ lib.optional (repo ? description) "repo.desc=${repo.description}" - ++ lib.mapAttrsToList (n: v: "repo.${n}=${v}") repo.cgit or { } - ); - - cgitHead = pkgs.writeText "cgit-head.html" '' - - ''; - - cgitConfig = pkgs.writeText "cgitrc" '' - virtual-root=/ - - enable-http-clone=1 - clone-url=https://${virtualHost}/$CGIT_REPO_URL - - enable-blame=1 - enable-log-filecount=1 - enable-log-linecount=1 - enable-index-owner=0 - enable-blame=1 - enable-commit-graph=1 - - root-title=code.sterni.lv - css=/cgit.css - head-include=${cgitHead} - - mimetype-file=${pkgs.mime-types}/etc/mime.types - - about-filter=${depot.tools.cheddar.about-filter}/bin/cheddar-about - source-filter=${depot.tools.cheddar}/bin/cheddar - readme=:README.md - readme=:readme.md - - section-sort=0 - ${ - lib.concatMapStringsSep "\n" (section: - '' - section=${section.section} - - '' - + builtins.concatStringsSep "\n\n" (lib.mapAttrsToList cgitRepoEntry section.repos) - ) repoSections - } - ''; - - /* Merge a list of attrs, but fail when the same attribute occurs twice. 
- - Type: [ attrs ] -> attrs - */ - mergeManyDistinctAttrs = lib.foldAttrs - ( - val: nul: - if nul == null then val else throw "Every attribute name may occur only once" - ) - null; - - flatRepos = mergeManyDistinctAttrs - (builtins.map (section: section.repos) repoSections); - - reposToMirror = lib.filterAttrs (_: repo: repo ? upstream) flatRepos; - - # User and group name used for running the mirror scripts - mirroredReposOwner = "git"; - - # Make repo name suitable for systemd unit/timer - unitName = name: "mirror-${lib.strings.sanitizeDerivationName name}"; -in - -{ - imports = [ - ./nginx.nix - ./fcgiwrap.nix - ]; - - config = { - services.nginx.virtualHosts."${virtualHost}" = { - enableACME = true; - forceSSL = true; - root = "${pkgs.cgit-pink}/cgit/"; - extraConfig = '' - try_files $uri @cgit; - - location @cgit { - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit-pink}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_param CGIT_CONFIG ${cgitConfig}; - fastcgi_pass unix:${toString config.services.fcgiwrap.socketAddress}; - } - ''; - }; - - users = { - users.${mirroredReposOwner} = { - group = mirroredReposOwner; - isSystemUser = true; - }; - - groups.${mirroredReposOwner} = { }; - }; - - - systemd.timers = lib.mapAttrs' - ( - name: repo: - { - name = unitName name; - value = { - description = "regularly update mirror git repository ${name}"; - wantedBy = [ "timers.target" ]; - enable = true; - timerConfig = { - # Fire every 6h and distribute the workload over next 6h randomly - OnCalendar = "*-*-* 00/6:00:00"; - AccuracySec = "6h"; - RandomizedDelaySec = "6h"; - Persistent = true; - }; - }; - } - ) - reposToMirror; - - systemd.services = lib.mapAttrs' - ( - name: repo: - { - name = unitName name; - value = { - description = "mirror git repository ${name}"; - after = [ "network-online.target" ]; - script = - let - path = repoPath name 
repo; - in - '' - set -euo pipefail - - export PATH="${lib.makeBinPath [ pkgs.coreutils pkgs.git ]}" - - if test ! -d "${path}"; then - mkdir -p "$(dirname "${path}")" - git clone --mirror "${repo.upstream}" "${path}" - exit 0 - fi - - cd "${path}" - - git fetch "${repo.upstream}" '+refs/*:refs/*' --prune - ''; - - serviceConfig = { - Type = "oneshot"; - User = mirroredReposOwner; - Group = mirroredReposOwner; - }; - }; - } - ) - reposToMirror; - }; -} diff --git a/users/sterni/machines/edwin/http/fcgiwrap.nix b/users/sterni/machines/edwin/http/fcgiwrap.nix deleted file mode 100644 index 19696d85d4..0000000000 --- a/users/sterni/machines/edwin/http/fcgiwrap.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ ... }: - -{ - imports = [ - ./nginx.nix - ]; - - config.services.fcgiwrap = { - enable = true; - socketType = "unix"; - socketAddress = "/run/fcgiwrap.sock"; - user = "http"; - group = "http"; - }; -} diff --git a/users/sterni/machines/edwin/http/flipdot.openlab-augsburg.de.nix b/users/sterni/machines/edwin/http/flipdot.openlab-augsburg.de.nix deleted file mode 100644 index c86956a0a4..0000000000 --- a/users/sterni/machines/edwin/http/flipdot.openlab-augsburg.de.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ depot, lib, config, ... }: - -let - inherit (depot.users.sterni.external.flipdot-gschichtler) - bahnhofshalle - warteraum - nixosModule - ; -in - -{ - imports = [ - nixosModule - ./nginx.nix - ]; - - config = { - age.secrets = lib.genAttrs [ - "warteraum-salt" - "warteraum-tokens" - ] - (name: { - file = depot.users.sterni.secrets."${name}.age"; - }); - - services.flipdot-gschichtler = { - enable = true; - virtualHost = "flipdot.openlab-augsburg.de"; - packages = { - inherit bahnhofshalle warteraum; - }; - saltFile = config.age.secretsDir + "/warteraum-salt"; - tokensFile = config.age.secretsDir + "/warteraum-tokens"; - }; - }; -} 
diff --git a/users/sterni/machines/edwin/http/likely-music.sterni.lv.nix b/users/sterni/machines/edwin/http/likely-music.sterni.lv.nix deleted file mode 100644 index 8da03ac5e6..0000000000 --- a/users/sterni/machines/edwin/http/likely-music.sterni.lv.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ depot, ... }: - -let - inherit (depot.users.sterni.external.likely-music) - nixosModule - likely-music - ; -in - -{ - imports = [ - ./nginx.nix - nixosModule - ]; - - config = { - services.likely-music = { - enable = true; - virtualHost = "likely-music.sterni.lv"; - package = likely-music; - }; - }; -} diff --git a/users/sterni/machines/edwin/http/nginx.nix b/users/sterni/machines/edwin/http/nginx.nix deleted file mode 100644 index 7c99cdd150..0000000000 --- a/users/sterni/machines/edwin/http/nginx.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ ... }: - -{ - config = { - users = { - users.http = { - isSystemUser = true; - group = "http"; - }; - - groups.http = { }; - }; - - services.nginx = { - enable = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - - user = "http"; - group = "http"; - - appendHttpConfig = '' - charset utf-8; - ''; - }; - }; -} diff --git a/users/sterni/machines/edwin/http/sterni.lv.nix b/users/sterni/machines/edwin/http/sterni.lv.nix deleted file mode 100644 index 44306c75bf..0000000000 --- a/users/sterni/machines/edwin/http/sterni.lv.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ ... }: - -{ - imports = [ - ./nginx.nix - ]; - - config = { - services.nginx.virtualHosts."sterni.lv" = { - enableACME = true; - forceSSL = true; - # TODO(sterni): take website from store, replace /tmp with a simple LRU thing - root = toString /srv/http; - }; - }; -} diff --git a/users/sterni/machines/ingeborg/default.nix b/users/sterni/machines/ingeborg/default.nix index 206d3fcf53..51b5fd4117 100644 --- a/users/sterni/machines/ingeborg/default.nix +++ b/users/sterni/machines/ingeborg/default.nix 
@@ -13,6 +13,16 @@ (depot.path.origSrc + "/ops/modules/btrfs-auto-scrub.nix") ./monitoring.nix ./minecraft.nix + ./http/sterni.lv.nix + ./http/code.sterni.lv.nix + ./http/flipdot.openlab-augsburg.de.nix + + # Inactive: + # ./http/likely-music.sterni.lv.nix + # ./gopher.nix + + # TODO(sterni): fail2ban + # TODO(sterni): automatic backups for full recovery ]; config = { diff --git a/users/sterni/machines/ingeborg/gopher.nix b/users/sterni/machines/ingeborg/gopher.nix new file mode 100644 index 0000000000..57275e13a5 --- /dev/null +++ b/users/sterni/machines/ingeborg/gopher.nix @@ -0,0 +1,19 @@ +{ depot, ... }: + +{ + config = { + services.spacecookie = { + enable = true; + openFirewall = true; + settings = { + hostname = "sterni.lv"; + root = depot.users.sterni.lv.gopher; + log = { + enable = true; + hide-ips = true; + hide-time = true; + }; + }; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/http/code.sterni.lv.nix b/users/sterni/machines/ingeborg/http/code.sterni.lv.nix new file mode 100644 index 0000000000..94d7915d7f --- /dev/null +++ b/users/sterni/machines/ingeborg/http/code.sterni.lv.nix 
@@ -0,0 +1,261 @@ +{ depot, pkgs, lib, config, ... }: + +let + virtualHost = "code.sterni.lv"; + + repoSections = [ + { + section = "active"; + repos = { + spacecookie = { + description = "gopher server (and library for Haskell)"; + upstream = "https://github.com/sternenseemann/spacecookie.git"; + }; + "mirror/depot" = { + description = "monorepo for the virus lounge"; + upstream = "https://code.tvl.fyi/depot.git"; + cgit.defbranch = "canon"; + }; + "mirror/flipdot-gschichtler" = { + description = "message queue system for OpenLab's flipdot display"; + upstream = "https://github.com/openlab-aux/flipdot-gschichtler.git"; + }; + "mirror/nixpkgs" = { + description = "Nix packages collection"; + upstream = "https://github.com/nixos/nixpkgs.git"; + cgit.enable-commit-graph = "0"; # too slow + }; + "mirror/vuizvui" = { + description = "Nix(OS) expressions used by the OpenLab and its members"; + upstream = "https://github.com/openlab-aux/vuizvui.git"; + }; + }; + } + { + section = "poc"; + repos = { + emoji-generic = { + description = "generic emoji library for Haskell"; + upstream = "https://github.com/sternenseemann/emoji-generic.git"; + }; + grav2ty = { + description = "“realistic” 2d space game"; + upstream = "https://github.com/sternenseemann/grav2ty.git"; + }; + haskell-dot-time = { + description = "UTC-centric time library for haskell with dot time support"; + cgit.defbranch = "main"; + }; + buchstabensuppe = { + description = "toy font rendering for low pixelcount, high contrast displays"; + upstream = "https://github.com/sternenseemann/buchstabensuppe.git"; + cgit.defbranch = "main"; + }; + "mirror/saneterm" = { + description = "modern line-oriented terminal emulator without support for TUIs"; + upstream = "https://git.8pit.net/saneterm.git"; + }; + }; + } + { + # TODO(sterni): resisort, klammeraffe, cl-ca, ponify, tinyrl + section = "archive"; + repos = { + gopher-proxy = { + description = "Gopher over HTTP proxy"; + upstream = 
"https://github.com/sternenseemann/gopher-proxy.git"; + }; + likely-music = { + description = "experimental application for probabilistic music composition"; + upstream = "https://github.com/sternenseemann/likely-music.git"; + }; + logbook = { + description = "file format for keeping a personal log"; + upstream = "https://github.com/sternenseemann/logbook.git"; + }; + sternenblog = { + description = "file based cgi blog software"; + upstream = "https://github.com/sternenseemann/sternenblog.git"; + }; + }; + } + ]; + + repoPath = name: repo: repo.path or "/srv/git/${name}.git"; + + cgitRepoEntry = name: repo: + lib.concatStringsSep "\n" ( + [ + "repo.url=${name}" + "repo.path=${repoPath name repo}" + ] + ++ lib.optional (repo ? description) "repo.desc=${repo.description}" + ++ lib.mapAttrsToList (n: v: "repo.${n}=${v}") repo.cgit or { } + ); + + cgitHead = pkgs.writeText "cgit-head.html" '' + + ''; + + cgitConfig = pkgs.writeText "cgitrc" '' + virtual-root=/ + + enable-http-clone=1 + clone-url=https://${virtualHost}/$CGIT_REPO_URL + + enable-blame=1 + enable-log-filecount=1 + enable-log-linecount=1 + enable-index-owner=0 + enable-blame=1 + enable-commit-graph=1 + + root-title=code.sterni.lv + css=/cgit.css + head-include=${cgitHead} + + mimetype-file=${pkgs.mime-types}/etc/mime.types + + about-filter=${depot.tools.cheddar.about-filter}/bin/cheddar-about + source-filter=${depot.tools.cheddar}/bin/cheddar + readme=:README.md + readme=:readme.md + + section-sort=0 + ${ + lib.concatMapStringsSep "\n" (section: + '' + section=${section.section} + + '' + + builtins.concatStringsSep "\n\n" (lib.mapAttrsToList cgitRepoEntry section.repos) + ) repoSections + } + ''; + + /* Merge a list of attrs, but fail when the same attribute occurs twice. 
+ + Type: [ attrs ] -> attrs + */ + mergeManyDistinctAttrs = lib.foldAttrs + ( + val: nul: + if nul == null then val else throw "Every attribute name may occur only once" + ) + null; + + flatRepos = mergeManyDistinctAttrs + (builtins.map (section: section.repos) repoSections); + + reposToMirror = lib.filterAttrs (_: repo: repo ? upstream) flatRepos; + + # User and group name used for running the mirror scripts + mirroredReposOwner = "git"; + + # Make repo name suitable for systemd unit/timer + unitName = name: "mirror-${lib.strings.sanitizeDerivationName name}"; +in + +{ + imports = [ + ./nginx.nix + ./fcgiwrap.nix + ]; + + config = { + services.nginx.virtualHosts."${virtualHost}" = { + enableACME = true; + forceSSL = true; + root = "${pkgs.cgit-pink}/cgit/"; + extraConfig = '' + try_files $uri @cgit; + + location @cgit { + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit-pink}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_param CGIT_CONFIG ${cgitConfig}; + fastcgi_pass unix:${toString config.services.fcgiwrap.socketAddress}; + } + ''; + }; + + users = { + users.${mirroredReposOwner} = { + group = mirroredReposOwner; + isSystemUser = true; + }; + + groups.${mirroredReposOwner} = { }; + }; + + + systemd.timers = lib.mapAttrs' + ( + name: repo: + { + name = unitName name; + value = { + description = "regularly update mirror git repository ${name}"; + wantedBy = [ "timers.target" ]; + enable = true; + timerConfig = { + # Fire every 6h and distribute the workload over next 6h randomly + OnCalendar = "*-*-* 00/6:00:00"; + RandomizedDelaySec = "6h"; + Persistent = true; + }; + }; + } + ) + reposToMirror; + + systemd.services = lib.mapAttrs' + ( + name: repo: + { + name = unitName name; + value = { + description = "mirror git repository ${name}"; + after = [ "network-online.target" ]; + script = + let + path = repoPath name repo; + in + '' + set 
-euo pipefail + + export PATH="${lib.makeBinPath [ pkgs.coreutils pkgs.git ]}" + + if test ! -d "${path}"; then + mkdir -p "$(dirname "${path}")" + git clone --mirror "${repo.upstream}" "${path}" + exit 0 + fi + + cd "${path}" + + git fetch "${repo.upstream}" '+refs/*:refs/*' --prune + ''; + + serviceConfig = { + Type = "oneshot"; + User = mirroredReposOwner; + Group = mirroredReposOwner; + }; + }; + } + ) + reposToMirror; + }; +} diff --git a/users/sterni/machines/ingeborg/http/fcgiwrap.nix b/users/sterni/machines/ingeborg/http/fcgiwrap.nix new file mode 100644 index 0000000000..19696d85d4 --- /dev/null +++ b/users/sterni/machines/ingeborg/http/fcgiwrap.nix @@ -0,0 +1,15 @@ +{ ... }: + +{ + imports = [ + ./nginx.nix + ]; + + config.services.fcgiwrap = { + enable = true; + socketType = "unix"; + socketAddress = "/run/fcgiwrap.sock"; + user = "http"; + group = "http"; + }; +} diff --git a/users/sterni/machines/ingeborg/http/flipdot.openlab-augsburg.de.nix b/users/sterni/machines/ingeborg/http/flipdot.openlab-augsburg.de.nix new file mode 100644 index 0000000000..c86956a0a4 --- /dev/null +++ b/users/sterni/machines/ingeborg/http/flipdot.openlab-augsburg.de.nix @@ -0,0 +1,36 @@ +{ depot, lib, config, ... }: + +let + inherit (depot.users.sterni.external.flipdot-gschichtler) + bahnhofshalle + warteraum + nixosModule + ; +in + +{ + imports = [ + nixosModule + ./nginx.nix + ]; + + config = { + age.secrets = lib.genAttrs [ + "warteraum-salt" + "warteraum-tokens" + ] + (name: { + file = depot.users.sterni.secrets."${name}.age"; + }); + + services.flipdot-gschichtler = { + enable = true; + virtualHost = "flipdot.openlab-augsburg.de"; + packages = { + inherit bahnhofshalle warteraum; + }; + saltFile = config.age.secretsDir + "/warteraum-salt"; + tokensFile = config.age.secretsDir + "/warteraum-tokens"; + }; + }; +} 
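Review bot: The mirror units under `systemd.services` only set `after = [ "network-online.target" ]`; without a matching `wants`, systemd does not pull that target in, so a `Persistent = true` timer that fires at boot can start `git fetch` before the network is up and the unit just fails until the next interval. Adding `wants = [ "network-online.target" ];` next to `after` fixes that. Since these units fetch from remote repositories as the `git` user, `serviceConfig` is also the natural place for some sandboxing: the script only needs to write below the mirror tree (hard-coded as `/srv/git` below, which assumes no repo overrides `repo.path` and that the directory exists before the first run — `ReadWritePaths` on a missing path prevents the unit from starting). Unrelated nit: `enable-blame=1` is emitted twice in the generated cgitrc.
```nix
          description = "mirror git repository ${name}";
          after = [ "network-online.target" ];
          wants = [ "network-online.target" ];
          # … unchanged: script …
          serviceConfig = {
            Type = "oneshot";
            User = mirroredReposOwner;
            Group = mirroredReposOwner;
            # Fetching remote repositories needs nothing outside the mirror tree.
            ProtectSystem = "strict";
            ReadWritePaths = [ "/srv/git" ];
            PrivateTmp = true;
            NoNewPrivileges = true;
          };
```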
diff --git a/users/sterni/machines/ingeborg/http/likely-music.sterni.lv.nix b/users/sterni/machines/ingeborg/http/likely-music.sterni.lv.nix new file mode 100644 index 0000000000..8da03ac5e6 --- /dev/null +++ b/users/sterni/machines/ingeborg/http/likely-music.sterni.lv.nix @@ -0,0 +1,23 @@ +{ depot, ... }: + +let + inherit (depot.users.sterni.external.likely-music) + nixosModule + likely-music + ; +in + +{ + imports = [ + ./nginx.nix + nixosModule + ]; + + config = { + services.likely-music = { + enable = true; + virtualHost = "likely-music.sterni.lv"; + package = likely-music; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/http/nginx.nix b/users/sterni/machines/ingeborg/http/nginx.nix new file mode 100644 index 0000000000..d551b8391d --- /dev/null +++ b/users/sterni/machines/ingeborg/http/nginx.nix @@ -0,0 +1,30 @@ +{ ... }: + +{ + config = { + users = { + users.http = { + isSystemUser = true; + group = "http"; + }; + + groups.http = { }; + }; + + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + user = "http"; + group = "http"; + + appendHttpConfig = '' + charset utf-8; + ''; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + }; +} diff --git a/users/sterni/machines/ingeborg/http/sterni.lv.nix b/users/sterni/machines/ingeborg/http/sterni.lv.nix new file mode 100644 index 0000000000..50c1bac293 --- /dev/null +++ b/users/sterni/machines/ingeborg/http/sterni.lv.nix 
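Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` in ingeborg's nginx.nix is new relative to the edwin version and deserves a comment, because port 80 is not only there for the `forceSSL` redirect: the `enableACME` virtual hosts in the sibling files depend on the HTTP-01 challenge being answered on it, so it cannot be dropped later without breaking certificate issuance and renewal. Suggest `# 80 must stay open: ACME HTTP-01 challenges and the forceSSL redirect are served there.` above the line.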
@@ -0,0 +1,34 @@ +{ pkgs, depot, ... }: + +let + inherit (depot.users.sterni.nix.html) + __findFile + withDoctype + ; +in + +{ + imports = [ + ./nginx.nix + ]; + + config = { + services.nginx.virtualHosts."sterni.lv" = { + enableACME = true; + forceSSL = true; + root = pkgs.writeTextFile { + name = "sterni.lv-http-root"; + destination = "/index.html"; + text = withDoctype ( { } [ + ( { } [ + ( { charset = "utf-8"; } null) + ( { } "no thoughts") + ]) + (<body> { } "🦩") + ]); + }; + # TODO(sterni): tmp.sterni.lv + locations."/tmp/".root = toString /srv/http; + }; + }; +} -- cgit 1.4.1
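Review bot: `locations."/tmp/".root = toString /srv/http;` uses nginx `root`, which appends the request URI, so `/tmp/foo` is served from `/srv/http/tmp/foo` — a narrower exposure than the deleted edwin config, which served all of `/srv/http` at `/`. That narrowing looks intended (the TODO mentions `tmp.sterni.lv`), but a later reader may "fix" it to `alias`, which would again expose everything below `/srv/http`; suggest `# "root", not "alias": only /srv/http/tmp/… is reachable, the rest of /srv/http stays private.` next to the line.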