From 503ac8c78253b8339fd99719a3c02658ddf6e70e Mon Sep 17 00:00:00 2001 From: Griffin Smith Date: Sun, 26 Dec 2021 16:06:07 -0500 Subject: feat(grfn/bbbg): Add NixOS module, deploy to mugwump Change-Id: I0299242982c183fa9fc1f26b1bacb14f8fc14b28 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4684 Reviewed-by: grfn Reviewed-by: zseri Autosubmit: grfn Tested-by: BuildkiteCI --- users/grfn/bbbg/module.nix | 135 ++++++++++++++++++++++++++ users/grfn/bbbg/src/bbbg/db.clj | 2 +- users/grfn/keys.nix | 3 +- users/grfn/secrets/bbbg.age | 10 ++ users/grfn/secrets/secrets.nix | 1 + users/grfn/system/system/machines/mugwump.nix | 7 ++ 6 files changed, 156 insertions(+), 2 deletions(-) create mode 100644 users/grfn/bbbg/module.nix create mode 100644 users/grfn/secrets/bbbg.age (limited to 'users') diff --git a/users/grfn/bbbg/module.nix b/users/grfn/bbbg/module.nix new file mode 100644 index 000000000000..cff971396277 --- /dev/null +++ b/users/grfn/bbbg/module.nix @@ -0,0 +1,135 @@ +{ config, lib, pkgs, depot, ... }: + +let + bbbg = depot.users.grfn.bbbg; + cfg = config.services.bbbg; +in { + options = with lib; { + services.bbbg = { + enable = mkEnableOption "BBBG Server"; + + port = mkOption { + type = types.int; + default = 7222; + description = "Port to listen to for the HTTP server"; + }; + + domain = mkOption { + type = types.str; + default = "bbbg.gws.fyi"; + description = "Domain to host under"; + }; + + proxy = { + enable = mkEnableOption "NGINX reverse proxy"; + }; + + database = { + enable = mkEnableOption "BBBG Database Server"; + + user = mkOption { + type = types.str; + default = "bbbg"; + description = "Database username"; + }; + + host = mkOption { + type = types.str; + default = "localhost"; + description = "Database host"; + }; + + name = mkOption { + type = types.str; + default = "bbbg"; + description = "Database name"; + }; + + port = mkOption { + type = types.int; + default = 5432; + description = "Database host"; + }; + }; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.enable { + systemd.services.bbbg-server = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + Restart = "always"; + EnvironmentFile = "/run/agenix/bbbg"; + }; + + environment = { + PGHOST = cfg.database.host; + PGUSER = cfg.database.user; + PGDATABASE = cfg.database.name; + PORT = toString cfg.port; + }; + + script = "${bbbg.server}/bin/bbbg-server"; + }; + + systemd.services.migrate-bbbg = { + description = "Run database migrations for BBBG"; + wantedBy = [ "bbbg-server.service" ]; + after = ([ "network.target" ] + ++ (if cfg.database.enable + then ["postgresql.service"] + else [])); + + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "/run/agenix/bbbg"; + }; + + environment = { + PGHOST = cfg.database.host; + PGUSER = cfg.database.user; + PGDATABASE = cfg.database.name; + }; + + script = "${bbbg.db-util}/bin/bbbg-db-util migrate"; + }; + }) + (lib.mkIf cfg.database.enable { + services.postgresql = { + enable = true; + authentication = lib.mkForce '' + local all all trust + host all all 127.0.0.1/32 password + host all all ::1/128 password + hostnossl all all 127.0.0.1/32 password + hostnossl all all ::1/128 password + ''; + + ensureDatabases = [ + cfg.database.name + ]; + + ensureUsers = [{ + name = cfg.database.user; + ensurePermissions = { + "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; + }; + }]; + }; + }) + (lib.mkIf cfg.proxy.enable { + services.nginx = { + enable = true; + virtualHosts."${cfg.domain}" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://localhost:${toString cfg.port}"; + }; + }; + }) + ]; +} diff --git a/users/grfn/bbbg/src/bbbg/db.clj b/users/grfn/bbbg/src/bbbg/db.clj index a775574b7a0c..5bbf88925aa1 100644 --- a/users/grfn/bbbg/src/bbbg/db.clj +++ b/users/grfn/bbbg/src/bbbg/db.clj @@ -353,7 +353,7 @@ ~@body))) (defn -main [& args] - (let [db (component/start (make-database {::config (env->config)}))] + (let [db (component/start (make-database (env->config)))] (case (first args) "migrate" (migrate! db) "rollback" (rollback! db)))) diff --git a/users/grfn/keys.nix b/users/grfn/keys.nix index c52229b3a898..29d5a3fa631b 100644 --- a/users/grfn/keys.nix +++ b/users/grfn/keys.nix @@ -1,5 +1,6 @@ { ... }: { whitby = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIwl+xQYRCk6Ijz/Ll8eXKZrcTH9/7xwlvIowiuqDSFtGkf+73QJkwVJ0YiKHWAPwIUWMzCEO/Ab2g6j4PcR+XYu8kXbrwT5aW65L/AK1oaav2RfV1bnQEVUP9FRPL52BN42J0ibI2QJZKJVws9JF7vxTWPPG0V0eoxcaRMk1ZEqq+/k3GuN8D69VSV8xo9lB8yZEvTxs0YQRiiF7Q6t/3jhYtz6lCdazQviRcSEOj5AVsDjcf1XIAPOcLK4Q4OEXL49T3UaitSYMyKIO8hzNLiyGAUlSbshAnutPXdyNBypkCs6FrSPSRdBfFjzUVE/a+JWCPmx0q0xAVd497Efxby+Vsa2/TPMp7tSisPaqk3MpPmjBS7eI/y4Pl2GpAB4OVANEBNd1Q6K2/37Pk+PrZtIUBiRG8sM0Od36BjwLCxvG0G5P/UYZ93aC8GzqkRf4evOBMiJCvR2o9CDEDycNyTm1y5dyJzQewOTWX9nsiF1rllc92W0ZALvpO03+W2+k= grfn@chupacabra"; - main = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPiNpPB6Uqs/VSW/C8tR/Z5wCQxKppNL2iETb1ucsYsFf1B2apG5txj06NMT6IWXwWpZXq7ld+/sA+a2I03lO2INP7S1Dto5nAwpNhhKN/UBXk76qYTdY5tEvb9J89S2ZzfQWR30aZ0CEDDrcbc+YktU1eSLdluu6QH+M/uPBweSiVn5wNHkc5sRdbyiVsZSQJ41MO7PQrzGpe7Pxola/ghOHdEFlESJMKA5uoRpCGboxtDE9tMJwG5MxNwHERpfI9FjvvLsJRrp9dRf6A/RQjlV/nb1GmpX0I8pvrXEPxm/l0rOAgE81VSsM+BxJ7ZvCe8u/YqMYJ8xVfskzlVsf griffin@MacBook-Pro"; + main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA"; + old = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHPiNpPB6Uqs/VSW/C8tR/Z5wCQxKppNL2iETb1ucsYsFf1B2apG5txj06NMT6IWXwWpZXq7ld+/sA+a2I03lO2INP7S1Dto5nAwpNhhKN/UBXk76qYTdY5tEvb9J89S2ZzfQWR30aZ0CEDDrcbc+YktU1eSLdluu6QH+M/uPBweSiVn5wNHkc5sRdbyiVsZSQJ41MO7PQrzGpe7Pxola/ghOHdEFlESJMKA5uoRpCGboxtDE9tMJwG5MxNwHERpfI9FjvvLsJRrp9dRf6A/RQjlV/nb1GmpX0I8pvrXEPxm/l0rOAgE81VSsM+BxJ7ZvCe8u/YqMYJ8xVfskzlVsf griffin@MacBook-Pro"; } diff --git a/users/grfn/secrets/bbbg.age b/users/grfn/secrets/bbbg.age new file mode 100644 index 000000000000..d2d4c7362597 --- /dev/null +++ b/users/grfn/secrets/bbbg.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 CpJBgQ dHPaZt3ZRV6rBPQrqiEpKXd48OjUC1joVIm/ZHcimVQ +Q8JwGJ91nsxspJFwZaq2BENdJYHxdHG30Ef0/Cae58M +-> ssh-ed25519 LfBFbQ oN98wLqM69Kv2Ldg31v0eBNtfpNP4nbyqAC+gCOT3yI +U8weIdIqhGs2eoKXqCxO8zHe2Ddo5fVJ5ZYua/hcBs8 +-> \Z^u8-grease ., ,^=lH#0> +P=Z," d +fwUdQTFyoVYOmMUWN2nQ9JWg+Mj0iF325eJaEYkWTNvDZfUGioravnCEQxAErbAN +S1v0wgUUM8/ja3uI +--- erMVG5PLHMBECjcKtR+OLq5hYa+6dS4gPsQ5CzQByQ0 +S8Y"g|DZ0X 1gg|.]&m=4O-T=Em8(\bD~~+ha~ReW#-5bfO`m4 <'|U8"\ө3$@ϔ8;|:u WKz@%#NE?+!1xN8h> \ No newline at end of file diff --git a/users/grfn/secrets/secrets.nix b/users/grfn/secrets/secrets.nix index ef5ddb791ba0..03871cc5cd4c 100644 --- a/users/grfn/secrets/secrets.nix +++ b/users/grfn/secrets/secrets.nix @@ -4,5 +4,6 @@ let in { + "bbbg.age".publicKeys = [ grfn mugwump ]; "cloudflare.age".publicKeys = [ grfn mugwump ]; } diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix index d4e61b74a4c6..05cc87fc784b 100644 --- a/users/grfn/system/system/machines/mugwump.nix +++ b/users/grfn/system/system/machines/mugwump.nix @@ -9,6 +9,7 @@ with lib; "${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix" "${depot.path}/users/grfn/xanthous/server/module.nix" "${depot.third_party.agenix.src}/modules/age.nix" + "${depot.path}/users/grfn/bbbg/module.nix" ]; networking.hostName = "mugwump"; @@ -68,6 +69,7 @@ with lib; age.secrets = let secret = name: depot.users.grfn.secrets."${name}.age"; in { + bbbg.file = secret "bbbg"; cloudflare.file = secret "cloudflare"; }; @@ -247,6 +249,11 @@ with lib; services.xanthous-server.enable = true; + services.bbbg.enable = true; + services.bbbg.domain = "staging.bbbg.gws.fyi"; + services.bbbg.database.enable = true; + services.bbbg.proxy.enable = true; + virtualisation.docker.enable = true; services.buildkite-agents = listToAttrs (map (n: rec { -- cgit 1.4.1