forked from pub-solar/infra
refactor: use options for config parts
This works towards having reusable modules * `config.pub-solar-os.networking.domain` is used for the main domain * `config.pub-solar-os.privacyPolicyUrl` links to the privacy policy * `config.pub-solar-os.imprintUrl` links to the imprint * `config.pub-solar-os.auth.enable` enables the Keycloak installation. This is needed because `config.pub-solar-os.auth` has to be available everywhere, but we do not want to install Keycloak everywhere. * `config.pub-solar-os.auth.realm` sets the Keycloak realm name
This commit is contained in:
parent
aa7ab4bc6b
commit
68278ad983
|
@ -49,6 +49,7 @@
|
||||||
self.nixosModules.overlays
|
self.nixosModules.overlays
|
||||||
self.nixosModules.core
|
self.nixosModules.core
|
||||||
|
|
||||||
|
self.nixosModules.keycloak
|
||||||
self.nixosModules.caddy
|
self.nixosModules.caddy
|
||||||
self.nixosModules.drone
|
self.nixosModules.drone
|
||||||
self.nixosModules.forgejo-actions-runner
|
self.nixosModules.forgejo-actions-runner
|
||||||
|
|
|
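Review bot: Importing `self.nixosModules.keycloak` into the shared module list only makes the `pub-solar-os.auth` options available everywhere; `pub-solar-os.auth.enable` is declared with `mkEnableOption` and therefore defaults to false, and no host in the visible part of this diff sets it, so the node that ran Keycloak before this commit will stop running it unless `pub-solar-os.auth.enable = true;` exists in its host configuration outside this change. If that assignment is already present elsewhere, a comment next to this import, `# keycloak is gated behind pub-solar-os.auth.enable, set per host`, would save the next reader the search. The enclosing module list starts above this hunk.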
@ -5,11 +5,7 @@
|
||||||
, ...
|
, ...
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
systemd.tmpfiles.rules = [
|
services.caddy = {
|
||||||
"d '/data/srv/www/os/download/' 0750 ${config.pub-solar-os.authentication.robot.username} ${config.pub-solar-os.authentication.robot.username} - -"
|
|
||||||
];
|
|
||||||
|
|
||||||
services.caddy = {
|
|
||||||
enable = lib.mkForce true;
|
enable = lib.mkForce true;
|
||||||
group = config.pub-solar-os.authentication.robot.username;
|
group = config.pub-solar-os.authentication.robot.username;
|
||||||
email = config.pub-solar-os.adminEmail;
|
email = config.pub-solar-os.adminEmail;
|
||||||
|
@ -17,27 +13,6 @@
|
||||||
globalConfig = lib.mkForce ''
|
globalConfig = lib.mkForce ''
|
||||||
grace_period 60s
|
grace_period 60s
|
||||||
'';
|
'';
|
||||||
virtualHosts = {
|
|
||||||
"flora-6.pub.solar" = {
|
|
||||||
logFormat = lib.mkForce ''
|
|
||||||
output discard
|
|
||||||
'';
|
|
||||||
extraConfig = ''
|
|
||||||
basicauth * {
|
|
||||||
${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
|
|
||||||
}
|
|
||||||
reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"obs-portal.pub.solar" = {
|
|
||||||
logFormat = lib.mkForce ''
|
|
||||||
output discard
|
|
||||||
'';
|
|
||||||
extraConfig = ''
|
|
||||||
reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
}
|
}
|
||||||
|
|
|
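Review bot: The removed `"obs-portal.pub.solar"` virtual host and the `systemd.tmpfiles.rules` entry for `/data/srv/www/os/download/` are not re-created anywhere in the visible part of this diff, while the `flora-6` host is moved into the loki module; for a commit titled `refactor` that is an undocumented behaviour change. If dropping the obs-portal reverse proxy and the download directory is intended, the commit description should say so, otherwise both definitions need to move to another module the way the loki vhost did. Note that `networking.firewall.allowedTCPPorts = [ 80 443 ];` is unchanged, so the ports stay open regardless of what Caddy still serves.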
@ -4,7 +4,7 @@
|
||||||
, self
|
, self
|
||||||
, ...
|
, ...
|
||||||
}: {
|
}: {
|
||||||
services.nginx.virtualHosts."collabora.pub.solar" = {
|
services.nginx.virtualHosts."collabora.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
||||||
|
@ -32,8 +32,8 @@
|
||||||
"--pull=always"
|
"--pull=always"
|
||||||
];
|
];
|
||||||
environment = {
|
environment = {
|
||||||
server_name = "collabora.pub.solar";
|
server_name = "collabora.${config.pub-solar-os.networking.domain}";
|
||||||
aliasgroup1 = "https://cloud.pub.solar:443";
|
aliasgroup1 = "https://cloud.${config.pub-solar-os.networking.domain}:443";
|
||||||
DONT_GEN_SSL_CERT = "1";
|
DONT_GEN_SSL_CERT = "1";
|
||||||
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
|
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
|
||||||
SLEEPFORDEBUGGER = "0";
|
SLEEPFORDEBUGGER = "0";
|
||||||
|
|
|
@ -12,6 +12,18 @@
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "admins@pub.solar";
|
default = "admins@pub.solar";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
privacyPolicyUrl = mkOption {
|
||||||
|
description = "URL of the privacy policy. Used to link there from applications";
|
||||||
|
type = types.str;
|
||||||
|
default = "https://pub.solar/privacy";
|
||||||
|
};
|
||||||
|
|
||||||
|
imprintUrl = mkOption {
|
||||||
|
description = "URL of the imprint. Used to link there from applications";
|
||||||
|
type = types.str;
|
||||||
|
default = "https://pub.solar/about";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
|
|
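Review bot: The new `privacyPolicyUrl` and `imprintUrl` defaults hard-code `https://pub.solar/...`, which works against the stated goal of reusable modules: a deployment that sets `pub-solar-os.networking.domain` would still link to pub.solar's privacy policy and imprint. Assuming `config` is in this module's argument set, `default = "https://${config.pub-solar-os.networking.domain}/privacy";` and `default = "https://${config.pub-solar-os.networking.domain}/about";` keep the same values for pub.solar while following the domain elsewhere; the `adminEmail` default `admins@pub.solar` in the context above has the same problem. Both descriptions should also say that the value is rendered verbatim into application config, so it must be an absolute https URL. The options block starts above this hunk.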
@ -14,7 +14,7 @@
|
||||||
max-port = 50000;
|
max-port = 50000;
|
||||||
use-auth-secret = true;
|
use-auth-secret = true;
|
||||||
static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
|
static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
|
||||||
realm = "turn.pub.solar";
|
realm = "turn.${config.pub-solar-os.networking.domain}";
|
||||||
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
||||||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||||
extraConfig =
|
extraConfig =
|
||||||
|
@ -89,7 +89,7 @@
|
||||||
services.nginx.virtualHosts.${config.services.coturn.realm} = {
|
services.nginx.virtualHosts.${config.services.coturn.realm} = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
globalRedirect = "pub.solar";
|
globalRedirect = "${config.pub-solar-os.networking.domain}";
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.nginx.extraGroups = [ "turnserver" ];
|
users.users.nginx.extraGroups = [ "turnserver" ];
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
"d '/var/lib/drone-db' 0750 drone drone - -"
|
"d '/var/lib/drone-db' 0750 drone drone - -"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.caddy.virtualHosts."ci.pub.solar" = {
|
services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = {
|
||||||
logFormat = lib.mkForce ''
|
logFormat = lib.mkForce ''
|
||||||
output discard
|
output discard
|
||||||
'';
|
'';
|
||||||
|
@ -87,11 +87,11 @@
|
||||||
extraOptions = [
|
extraOptions = [
|
||||||
"--network=drone-net"
|
"--network=drone-net"
|
||||||
"--pull=always"
|
"--pull=always"
|
||||||
"--add-host=nachtigall.pub.solar:10.7.6.1"
|
"--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
|
||||||
];
|
];
|
||||||
environment = {
|
environment = {
|
||||||
DRONE_GITEA_SERVER = "https://git.pub.solar";
|
DRONE_GITEA_SERVER = "https://git.${config.pub-solar-os.networking.domain}";
|
||||||
DRONE_SERVER_HOST = "ci.pub.solar";
|
DRONE_SERVER_HOST = "ci.${config.pub-solar-os.networking.domain}";
|
||||||
DRONE_SERVER_PROTO = "https";
|
DRONE_SERVER_PROTO = "https";
|
||||||
DRONE_DATABASE_DRIVER = "postgres";
|
DRONE_DATABASE_DRIVER = "postgres";
|
||||||
};
|
};
|
||||||
|
@ -111,10 +111,10 @@
|
||||||
extraOptions = [
|
extraOptions = [
|
||||||
"--network=drone-net"
|
"--network=drone-net"
|
||||||
"--pull=always"
|
"--pull=always"
|
||||||
"--add-host=nachtigall.pub.solar:10.7.6.1"
|
"--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
|
||||||
];
|
];
|
||||||
environment = {
|
environment = {
|
||||||
DRONE_RPC_HOST = "ci.pub.solar";
|
DRONE_RPC_HOST = "ci.${config.pub-solar-os.networking.domain}";
|
||||||
DRONE_RPC_PROTO = "https";
|
DRONE_RPC_PROTO = "https";
|
||||||
DRONE_RUNNER_CAPACITY = "2";
|
DRONE_RUNNER_CAPACITY = "2";
|
||||||
DRONE_RUNNER_NAME = "flora-6-docker-runner";
|
DRONE_RUNNER_NAME = "flora-6-docker-runner";
|
||||||
|
|
|
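Review bot: `--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1` now follows the domain option but still pins the address `10.7.6.1`, so a deployment with a different domain gets a host alias that resolves to what is presumably pub.solar's internal address; either the address should come from an option next to the domain, or the line needs a comment such as `# nachtigall's internal address; must match that host's network config`. The identical line appears in both the server and the runner container in this file, so a single `let` binding would keep the two from drifting. The `let` would sit above this hunk.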
@ -29,7 +29,7 @@
|
||||||
user = "gitea";
|
user = "gitea";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."git.pub.solar" = {
|
services.nginx.virtualHosts."git.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
||||||
|
@ -78,8 +78,8 @@
|
||||||
DEFAULT.APP_NAME = "pub.solar git server";
|
DEFAULT.APP_NAME = "pub.solar git server";
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
ROOT_URL = "https://git.pub.solar";
|
ROOT_URL = "https://git.${config.pub-solar-os.networking.domain}";
|
||||||
DOMAIN = "git.pub.solar";
|
DOMAIN = "git.${config.pub-solar-os.networking.domain}";
|
||||||
HTTP_ADDR = "127.0.0.1";
|
HTTP_ADDR = "127.0.0.1";
|
||||||
HTTP_PORT = 3000;
|
HTTP_PORT = 3000;
|
||||||
START_SSH_SERVER = true;
|
START_SSH_SERVER = true;
|
||||||
|
@ -123,7 +123,7 @@
|
||||||
|
|
||||||
# https://forgejo.org/docs/latest/admin/config-cheat-sheet/#webhook-webhook
|
# https://forgejo.org/docs/latest/admin/config-cheat-sheet/#webhook-webhook
|
||||||
webhook = {
|
webhook = {
|
||||||
ALLOWED_HOST_LIST = "loopback,external,*.pub.solar";
|
ALLOWED_HOST_LIST = "loopback,external,*.${config.pub-solar-os.networking.domain}";
|
||||||
};
|
};
|
||||||
|
|
||||||
# See https://forgejo.org/docs/latest/admin/actions/
|
# See https://forgejo.org/docs/latest/admin/actions/
|
||||||
|
|
|
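Review bot: The rewritten `ALLOWED_HOST_LIST = "loopback,external,*.${config.pub-solar-os.networking.domain}";` keeps `loopback` in the webhook allow-list, which lets any repository owner register a webhook aimed at 127.0.0.1 and reach services that trust the loopback interface, including Forgejo's own `HTTP_ADDR = "127.0.0.1"` listener above. Unless a CI component on this host genuinely receives webhooks over loopback, `ALLOWED_HOST_LIST = "external,*.${config.pub-solar-os.networking.domain}";` closes that SSRF path; if it is needed, a comment naming the consumer would justify the exception. `DEFAULT.APP_NAME = "pub.solar git server"` in the earlier hunk is also left hard-coded while the neighbouring URLs are parameterised.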
@ -33,7 +33,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.caddy.virtualHosts."grafana.pub.solar" = {
|
services.caddy.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
|
||||||
logFormat = lib.mkForce ''
|
logFormat = lib.mkForce ''
|
||||||
output discard
|
output discard
|
||||||
'';
|
'';
|
||||||
|
@ -51,8 +51,8 @@
|
||||||
# and Port
|
# and Port
|
||||||
http_port = 3000;
|
http_port = 3000;
|
||||||
# Grafana needs to know on which domain and URL it's running
|
# Grafana needs to know on which domain and URL it's running
|
||||||
domain = "grafana.pub.solar";
|
domain = "grafana.${config.pub-solar-os.networking.domain}";
|
||||||
root_url = "https://grafana.pub.solar";
|
root_url = "https://grafana.${config.pub-solar-os.networking.domain}";
|
||||||
enable_gzip = true;
|
enable_gzip = true;
|
||||||
};
|
};
|
||||||
smtp = {
|
smtp = {
|
||||||
|
@ -78,9 +78,9 @@
|
||||||
email_attribute_path = "email";
|
email_attribute_path = "email";
|
||||||
login_attribute_path = "preferred_username";
|
login_attribute_path = "preferred_username";
|
||||||
name_attribute_path = "full_name";
|
name_attribute_path = "full_name";
|
||||||
auth_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/auth";
|
auth_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/auth";
|
||||||
token_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/token";
|
token_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/token";
|
||||||
api_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/userinfo";
|
api_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/userinfo";
|
||||||
role_attribute_path = "contains(roles[*], 'admin') && 'GrafanaAdmin' || 'Viewer'";
|
role_attribute_path = "contains(roles[*], 'admin') && 'GrafanaAdmin' || 'Viewer'";
|
||||||
allow_assign_grafana_admin = true;
|
allow_assign_grafana_admin = true;
|
||||||
};
|
};
|
||||||
|
|
|
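Review bot: `auth_url`, `token_url` and `api_url` each rebuild `https://auth.${domain}/realms/${realm}` independently, so a later edit to one of them can silently desynchronise the three OIDC endpoints; a single `let keycloakRealmUrl = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}"; in` at the top of the file and `auth_url = "${keycloakRealmUrl}/protocol/openid-connect/auth";` (likewise for the other two) keeps them in lock-step. The same triple is repeated in the mastodon, mediawiki and mastodon-nginx modules touched by this commit. The `let` would be outside this hunk.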
@ -4,93 +4,105 @@
|
||||||
, pkgs
|
, pkgs
|
||||||
, ...
|
, ...
|
||||||
}: {
|
}: {
|
||||||
age.secrets.keycloak-database-password = {
|
options.pub-solar-os.auth = with lib; {
|
||||||
file = "${flake.self}/secrets/keycloak-database-password.age";
|
enable = mkEnableOption "Enable keycloak to run on the node";
|
||||||
mode = "600";
|
|
||||||
#owner = "keycloak";
|
realm = mkOption {
|
||||||
|
description = "Name of the realm";
|
||||||
|
type = types.str;
|
||||||
|
default = config.pub-solar-os.networking.domain;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."auth.pub.solar" = {
|
config = lib.mkIf config.pub-solar-os.auth.enable {
|
||||||
enableACME = true;
|
age.secrets.keycloak-database-password = {
|
||||||
forceSSL = true;
|
file = "${flake.self}/secrets/keycloak-database-password.age";
|
||||||
|
mode = "600";
|
||||||
|
#owner = "keycloak";
|
||||||
|
};
|
||||||
|
|
||||||
locations = {
|
services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = {
|
||||||
"= /" = {
|
enableACME = true;
|
||||||
extraConfig = ''
|
forceSSL = true;
|
||||||
return 302 /realms/pub.solar/account;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
"/" = {
|
locations = {
|
||||||
extraConfig = ''
|
"= /" = {
|
||||||
proxy_pass http://127.0.0.1:8080;
|
extraConfig = ''
|
||||||
proxy_buffer_size 8k;
|
return 302 /realms/${config.pub-solar-os.auth.realm}/account;
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
"/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_pass http://127.0.0.1:8080;
|
||||||
|
proxy_buffer_size 8k;
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
# keycloak
|
# keycloak
|
||||||
services.keycloak = {
|
services.keycloak = {
|
||||||
enable = true;
|
enable = true;
|
||||||
database.passwordFile = config.age.secrets.keycloak-database-password.path;
|
database.passwordFile = config.age.secrets.keycloak-database-password.path;
|
||||||
settings = {
|
settings = {
|
||||||
hostname = "auth.pub.solar";
|
hostname = "auth.${config.pub-solar-os.networking.domain}";
|
||||||
http-host = "127.0.0.1";
|
http-host = "127.0.0.1";
|
||||||
http-port = 8080;
|
http-port = 8080;
|
||||||
proxy = "edge";
|
proxy = "edge";
|
||||||
features = "declarative-user-profile";
|
features = "declarative-user-profile";
|
||||||
|
};
|
||||||
|
themes = {
|
||||||
|
"pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
themes = {
|
|
||||||
"pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.restic.backups.keycloak-droppie = {
|
services.restic.backups.keycloak-droppie = {
|
||||||
paths = [
|
paths = [
|
||||||
"/tmp/keycloak-backup.sql"
|
"/tmp/keycloak-backup.sql"
|
||||||
];
|
];
|
||||||
timerConfig = {
|
timerConfig = {
|
||||||
OnCalendar = "*-*-* 02:00:00 Etc/UTC";
|
OnCalendar = "*-*-* 02:00:00 Etc/UTC";
|
||||||
# droppie will be offline if nachtigall misses the timer
|
# droppie will be offline if nachtigall misses the timer
|
||||||
Persistent = false;
|
Persistent = false;
|
||||||
|
};
|
||||||
|
initialize = true;
|
||||||
|
passwordFile = config.age.secrets."restic-repo-droppie".path;
|
||||||
|
repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
|
||||||
|
backupPrepareCommand = ''
|
||||||
|
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
|
||||||
|
'';
|
||||||
|
backupCleanupCommand = ''
|
||||||
|
rm /tmp/keycloak-backup.sql
|
||||||
|
'';
|
||||||
|
pruneOpts = [
|
||||||
|
"--keep-daily 7"
|
||||||
|
"--keep-weekly 4"
|
||||||
|
"--keep-monthly 3"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
initialize = true;
|
|
||||||
passwordFile = config.age.secrets."restic-repo-droppie".path;
|
|
||||||
repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
|
|
||||||
backupPrepareCommand = ''
|
|
||||||
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
|
|
||||||
'';
|
|
||||||
backupCleanupCommand = ''
|
|
||||||
rm /tmp/keycloak-backup.sql
|
|
||||||
'';
|
|
||||||
pruneOpts = [
|
|
||||||
"--keep-daily 7"
|
|
||||||
"--keep-weekly 4"
|
|
||||||
"--keep-monthly 3"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.restic.backups.keycloak-storagebox = {
|
services.restic.backups.keycloak-storagebox = {
|
||||||
paths = [
|
paths = [
|
||||||
"/tmp/keycloak-backup.sql"
|
"/tmp/keycloak-backup.sql"
|
||||||
];
|
];
|
||||||
timerConfig = {
|
timerConfig = {
|
||||||
OnCalendar = "*-*-* 04:10:00 Etc/UTC";
|
OnCalendar = "*-*-* 04:10:00 Etc/UTC";
|
||||||
|
};
|
||||||
|
initialize = true;
|
||||||
|
passwordFile = config.age.secrets."restic-repo-storagebox".path;
|
||||||
|
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
|
||||||
|
backupPrepareCommand = ''
|
||||||
|
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
|
||||||
|
'';
|
||||||
|
backupCleanupCommand = ''
|
||||||
|
rm /tmp/keycloak-backup.sql
|
||||||
|
'';
|
||||||
|
pruneOpts = [
|
||||||
|
"--keep-daily 7"
|
||||||
|
"--keep-weekly 4"
|
||||||
|
"--keep-monthly 3"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
initialize = true;
|
|
||||||
passwordFile = config.age.secrets."restic-repo-storagebox".path;
|
|
||||||
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
|
|
||||||
backupPrepareCommand = ''
|
|
||||||
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
|
|
||||||
'';
|
|
||||||
backupCleanupCommand = ''
|
|
||||||
rm /tmp/keycloak-backup.sql
|
|
||||||
'';
|
|
||||||
pruneOpts = [
|
|
||||||
"--keep-daily 7"
|
|
||||||
"--keep-weekly 4"
|
|
||||||
"--keep-monthly 3"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
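Review bot: Both restic jobs' `backupPrepareCommand` still write the Keycloak database dump to `/tmp/keycloak-backup.sql`, a world-readable directory, with whatever umask the restic unit inherits (presumably the systemd default, giving a 0644 file); that dump includes password hashes and client secrets, so at minimum `umask 077` should be the first line of `backupPrepareCommand`, and preferably the file should live under a root-only directory such as `/var/backup/keycloak` created by a `systemd.tmpfiles.rules` entry with mode 0700. `rm /tmp/keycloak-backup.sql` in `backupCleanupCommand` has no `-f`, so a failed dump makes the cleanup step fail too. Separately, wrapping the module body in `lib.mkIf config.pub-solar-os.auth.enable` with an `mkEnableOption` default of false means the host that runs Keycloak today must set `pub-solar-os.auth.enable = true;` somewhere not shown in this diff.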
@ -4,6 +4,19 @@
|
||||||
, flake
|
, flake
|
||||||
, ...
|
, ...
|
||||||
}: {
|
}: {
|
||||||
|
services.caddy.virtualHosts = {
|
||||||
|
"flora-6.${config.pub-solar-os.networking.domain}" = {
|
||||||
|
logFormat = lib.mkForce ''
|
||||||
|
output discard
|
||||||
|
'';
|
||||||
|
extraConfig = ''
|
||||||
|
basicauth * {
|
||||||
|
${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
|
||||||
|
}
|
||||||
|
reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
# source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e
|
# source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e
|
||||||
# https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml
|
# https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml
|
||||||
services.loki = {
|
services.loki = {
|
||||||
|
|
|
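Review bot: The new `flora-6.${config.pub-solar-os.networking.domain}` virtual host combines `output discard` with `basicauth`, so neither failed nor successful authentications against the Loki API are recorded, which removes the only signal you would have of credential guessing against the robot account; dropping the `logFormat` override, or pointing it at a file with `output file /var/log/caddy/loki-access.log`, is cheap here. The bcrypt hash on the `basicauth` line is rendered into the Caddyfile and therefore into the world-readable Nix store; it is a hash rather than a plaintext secret, but it is offline-crackable and belongs to an account reused elsewhere (the `group` and tmpfiles entries in the caddy module), so consider a Caddy `{env.LOKI_BASICAUTH_HASH}` placeholder fed from an agenix-managed `EnvironmentFile` on the caddy unit. The module's argument set starts above this hunk.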
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
users.users.nginx.extraGroups = [ "mailman" ];
|
users.users.nginx.extraGroups = [ "mailman" ];
|
||||||
|
|
||||||
services.nginx.virtualHosts."list.pub.solar" = {
|
services.nginx.virtualHosts."list.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
|
@ -24,15 +24,15 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
||||||
# get TLS certs for list.pub.solar from acme
|
# get TLS certs for list.pub.solar from acme
|
||||||
sslCert = "/var/lib/acme/list.pub.solar/fullchain.pem";
|
sslCert = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem";
|
||||||
sslKey = "/var/lib/acme/list.pub.solar/key.pem";
|
sslKey = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/key.pem";
|
||||||
config = {
|
config = {
|
||||||
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||||
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||||
};
|
};
|
||||||
rootAlias = "admins@pub.solar";
|
rootAlias = "admins@pub.solar";
|
||||||
postmasterAlias = "admins@pub.solar";
|
postmasterAlias = "admins@pub.solar";
|
||||||
hostname = "list.pub.solar";
|
hostname = "list.${config.pub-solar-os.networking.domain}";
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.paths.watcher-acme-ssl-file = {
|
systemd.paths.watcher-acme-ssl-file = {
|
||||||
|
@ -40,7 +40,7 @@
|
||||||
documentation = [ "systemd.path(5)" ];
|
documentation = [ "systemd.path(5)" ];
|
||||||
partOf = [ "postfix-reload.service" ];
|
partOf = [ "postfix-reload.service" ];
|
||||||
pathConfig = {
|
pathConfig = {
|
||||||
PathChanged = "/var/lib/acme/list.pub.solar/fullchain.pem";
|
PathChanged = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem";
|
||||||
Unit = "postfix-reload.service";
|
Unit = "postfix-reload.service";
|
||||||
};
|
};
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
@ -64,7 +64,7 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
serve.enable = true;
|
serve.enable = true;
|
||||||
hyperkitty.enable = true;
|
hyperkitty.enable = true;
|
||||||
webHosts = [ "list.pub.solar" ];
|
webHosts = [ "list.${config.pub-solar-os.networking.domain}" ];
|
||||||
siteOwner = "admins@pub.solar";
|
siteOwner = "admins@pub.solar";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
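Review bot: `rootAlias`, `postmasterAlias` and `siteOwner` stay hard-coded to `admins@pub.solar` right beside lines this commit parameterises, even though `config.pub-solar-os.adminEmail` carries that exact default and is already used by the caddy module; `rootAlias = config.pub-solar-os.adminEmail;`, `postmasterAlias = config.pub-solar-os.adminEmail;` and `siteOwner = config.pub-solar-os.adminEmail;` would make the module follow the deployment. The comment `# get TLS certs for list.pub.solar from acme` above `sslCert` is now stale and should read `# get TLS certs for list.<networking.domain> from acme`. The `services.postfix` block starts above its hunk.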
|
@ -38,7 +38,7 @@
|
||||||
services.mastodon = {
|
services.mastodon = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# Different from WEB_DOMAIN in our case
|
# Different from WEB_DOMAIN in our case
|
||||||
localDomain = "pub.solar";
|
localDomain = "${config.pub-solar-os.networking.domain}";
|
||||||
enableUnixSocket = true;
|
enableUnixSocket = true;
|
||||||
# Number of processes used by the mastodon-streaming service
|
# Number of processes used by the mastodon-streaming service
|
||||||
# Recommended is the amount of your CPU cores minus one
|
# Recommended is the amount of your CPU cores minus one
|
||||||
|
@ -68,7 +68,7 @@
|
||||||
"/run/agenix/mastodon-extra-env-secrets"
|
"/run/agenix/mastodon-extra-env-secrets"
|
||||||
];
|
];
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
WEB_DOMAIN = "mastodon.pub.solar";
|
WEB_DOMAIN = "mastodon.${config.pub-solar-os.networking.domain}";
|
||||||
# Defined in ./opensearch.nix
|
# Defined in ./opensearch.nix
|
||||||
ES_HOST = "127.0.0.1";
|
ES_HOST = "127.0.0.1";
|
||||||
# S3 File storage (optional)
|
# S3 File storage (optional)
|
||||||
|
@ -77,7 +77,7 @@
|
||||||
S3_BUCKET = "pub-solar-mastodon";
|
S3_BUCKET = "pub-solar-mastodon";
|
||||||
S3_REGION = "europe-west-1";
|
S3_REGION = "europe-west-1";
|
||||||
S3_ENDPOINT = "https://gateway.tardigradeshare.io";
|
S3_ENDPOINT = "https://gateway.tardigradeshare.io";
|
||||||
S3_ALIAS_HOST = "files.pub.solar";
|
S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}";
|
||||||
# Translation (optional)
|
# Translation (optional)
|
||||||
# -----------------------
|
# -----------------------
|
||||||
DEEPL_PLAN = "free";
|
DEEPL_PLAN = "free";
|
||||||
|
@ -85,11 +85,11 @@
|
||||||
# --------------
|
# --------------
|
||||||
OIDC_ENABLED = "true";
|
OIDC_ENABLED = "true";
|
||||||
OIDC_DISPLAY_NAME = "pub.solar ID";
|
OIDC_DISPLAY_NAME = "pub.solar ID";
|
||||||
OIDC_ISSUER = "https://auth.pub.solar/realms/pub.solar";
|
OIDC_ISSUER = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}";
|
||||||
OIDC_DISCOVERY = "true";
|
OIDC_DISCOVERY = "true";
|
||||||
OIDC_SCOPE = "openid,profile,email";
|
OIDC_SCOPE = "openid,profile,email";
|
||||||
OIDC_UID_FIELD = "preferred_username";
|
OIDC_UID_FIELD = "preferred_username";
|
||||||
OIDC_REDIRECT_URI = "https://mastodon.pub.solar/auth/auth/openid_connect/callback";
|
OIDC_REDIRECT_URI = "https://mastodon.${config.pub-solar-os.networking.domain}/auth/auth/openid_connect/callback";
|
||||||
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
|
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
|
||||||
# only use OIDC for login / registration
|
# only use OIDC for login / registration
|
||||||
OMNIAUTH_ONLY = "true";
|
OMNIAUTH_ONLY = "true";
|
||||||
|
|
|
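Review bot: `localDomain` is now derived from `pub-solar-os.networking.domain`, but Mastodon's LOCAL_DOMAIN is embedded in every account identifier and federated object, so changing the option on a live instance is not a rename and is expected to break existing accounts; the line deserves a warning comment, `# LOCAL_DOMAIN must never change once the instance has federated`. The `"${config.pub-solar-os.networking.domain}"` wrapping is redundant and `localDomain = config.pub-solar-os.networking.domain;` says the same thing; the pattern recurs in the synapse, irc-bridge and mautrix-telegram modules of this commit. The `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"` context line means account linkage trusts the IdP's email claim, which is only safe while the Keycloak realm enforces email verification and is worth stating in a comment.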
@ -25,9 +25,9 @@ in
|
||||||
registrationUrl = "http://localhost:8010";
|
registrationUrl = "http://localhost:8010";
|
||||||
settings = {
|
settings = {
|
||||||
homeserver = {
|
homeserver = {
|
||||||
domain = "pub.solar";
|
domain = "${config.pub-solar-os.networking.domain}";
|
||||||
url = "http://127.0.0.1:${synapseClientPort}";
|
url = "http://127.0.0.1:${synapseClientPort}";
|
||||||
media_url = "https://matrix.pub.solar";
|
media_url = "https://matrix.${config.pub-solar-os.networking.domain}";
|
||||||
enablePresence = false;
|
enablePresence = false;
|
||||||
};
|
};
|
||||||
ircService = {
|
ircService = {
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
homeserver = {
|
homeserver = {
|
||||||
# TODO: Use the port from synapse config
|
# TODO: Use the port from synapse config
|
||||||
address = "http://127.0.0.1:8008";
|
address = "http://127.0.0.1:8008";
|
||||||
domain = "pub.solar";
|
domain = "${config.pub-solar-os.networking.domain}";
|
||||||
verify_ssl = true;
|
verify_ssl = true;
|
||||||
};
|
};
|
||||||
appservice = {
|
appservice = {
|
||||||
|
@ -34,7 +34,7 @@
|
||||||
};
|
};
|
||||||
public = {
|
public = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
external = "https://matrix.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
|
external = "https://matrix.${config.pub-solar-os.networking.domain}/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
|
||||||
prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
|
prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -140,7 +140,7 @@
|
||||||
username_template = "telegram_{userid}";
|
username_template = "telegram_{userid}";
|
||||||
|
|
||||||
permissions = {
|
permissions = {
|
||||||
"pub.solar" = "full";
|
"${config.pub-solar-os.networking.domain}" = "full";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ flake, config, pkgs, ... }:
|
{ flake, config, pkgs, ... }:
|
||||||
let
|
let
|
||||||
publicDomain = "matrix.pub.solar";
|
publicDomain = "matrix.${config.pub-solar-os.networking.domain}";
|
||||||
serverDomain = "pub.solar";
|
serverDomain = "${config.pub-solar-os.networking.domain}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
age.secrets."matrix-synapse-signing-key" = {
|
age.secrets."matrix-synapse-signing-key" = {
|
||||||
|
|
|
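Review bot: `serverDomain` presumably feeds Synapse's `server_name` (its use is outside this hunk), which is permanently embedded in user and room identifiers; unlike `publicDomain` it cannot change once the homeserver has federated, so a comment such as `# server_name is immutable once federated; changing the domain option is not a rename` belongs on this binding. The `"${...}"` wrapping on both bindings is redundant — `serverDomain = config.pub-solar-os.networking.domain;` is equivalent. The module body continues below the hunk.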
@ -26,14 +26,14 @@ let
|
||||||
## For more information on customizing the URLs
|
## For more information on customizing the URLs
|
||||||
## (like /w/index.php/Page_title to /wiki/Page_title) please see:
|
## (like /w/index.php/Page_title to /wiki/Page_title) please see:
|
||||||
## https://www.mediawiki.org/wiki/Manual:Short_URL
|
## https://www.mediawiki.org/wiki/Manual:Short_URL
|
||||||
$wgScriptPath = "https://wiki.pub.solar";
|
$wgScriptPath = "https://wiki.${config.pub-solar-os.networking.domain}";
|
||||||
|
|
||||||
## https://www.mediawiki.org/wiki/Manual:Short_URL
|
## https://www.mediawiki.org/wiki/Manual:Short_URL
|
||||||
## https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Known_issues
|
## https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Known_issues
|
||||||
$wgArticlePath = "/index.php/$1";
|
$wgArticlePath = "/index.php/$1";
|
||||||
|
|
||||||
## The protocol and server name to use in fully-qualified URLs
|
## The protocol and server name to use in fully-qualified URLs
|
||||||
$wgServer = "https://wiki.pub.solar";
|
$wgServer = "https://wiki.${config.pub-solar-os.networking.domain}";
|
||||||
|
|
||||||
## The URL path to static resources (images, scripts, etc.)
|
## The URL path to static resources (images, scripts, etc.)
|
||||||
$wgResourceBasePath = $wgScriptPath;
|
$wgResourceBasePath = $wgScriptPath;
|
||||||
|
@ -143,7 +143,7 @@ let
|
||||||
$wgPluggableAuth_Config[] = [
|
$wgPluggableAuth_Config[] = [
|
||||||
'plugin' => 'OpenIDConnect',
|
'plugin' => 'OpenIDConnect',
|
||||||
'data' => [
|
'data' => [
|
||||||
'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
|
'providerURL' => 'https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}',
|
||||||
'clientID' => 'mediawiki',
|
'clientID' => 'mediawiki',
|
||||||
'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
|
'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
|
||||||
]
|
]
|
||||||
|
@ -189,7 +189,7 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."wiki.pub.solar" = {
|
services.nginx.virtualHosts."wiki.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
||||||
|
|
|
@ -16,13 +16,13 @@
|
||||||
owner = "nextcloud";
|
owner = "nextcloud";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."cloud.pub.solar" = {
|
services.nginx.virtualHosts."cloud.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
hostName = "cloud.pub.solar";
|
hostName = "cloud.${config.pub-solar-os.networking.domain}";
|
||||||
home = "/var/lib/nextcloud";
|
home = "/var/lib/nextcloud";
|
||||||
|
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -50,7 +50,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
extraOptions = {
|
extraOptions = {
|
||||||
overwrite.cli.url = "http://cloud.pub.solar";
|
overwrite.cli.url = "http://cloud.${config.pub-solar-os.networking.domain}";
|
||||||
|
|
||||||
installed = true;
|
installed = true;
|
||||||
default_phone_region = "+49";
|
default_phone_region = "+49";
|
||||||
|
|
|
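Review bot: `overwrite.cli.url = "http://cloud.${config.pub-solar-os.networking.domain}";` keeps the plain `http://` scheme while the virtual host above sets `forceSSL = true`; as far as I know Nextcloud uses this value as the base for links generated without a request context (cron-driven notification and share e-mails), so recipients get http links that bounce through a redirect and any token in the path travels in clear on the first hop. It should be `overwrite.cli.url = "https://cloud.${config.pub-solar-os.networking.domain}";` unless there is a deliberate reason, in which case a comment should state it. The `extraOptions` block continues below the hunk.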
@ -1,4 +1,7 @@
|
||||||
{ ... }:
|
{
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
objStorHost = "link.tardigradeshare.io";
|
objStorHost = "link.tardigradeshare.io";
|
||||||
|
@ -6,7 +9,7 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"files.pub.solar" = {
|
"files.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,7 @@ in
|
||||||
{
|
{
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"mastodon.pub.solar" = {
|
"mastodon.${config.pub-solar-os.networking.domain}" = {
|
||||||
root = "${cfg.package}/public/";
|
root = "${cfg.package}/public/";
|
||||||
# mastodon only supports https, but you can override this if you offload tls elsewhere.
|
# mastodon only supports https, but you can override this if you offload tls elsewhere.
|
||||||
forceSSL = lib.mkDefault true;
|
forceSSL = lib.mkDefault true;
|
||||||
|
@ -16,11 +16,11 @@ in
|
||||||
'';
|
'';
|
||||||
|
|
||||||
locations."/auth/confirmation/new".extraConfig = ''
|
locations."/auth/confirmation/new".extraConfig = ''
|
||||||
return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
|
return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
locations."/auth/password/new".extraConfig = ''
|
locations."/auth/password/new".extraConfig = ''
|
||||||
return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
|
return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
locations."/system/".alias = "/var/lib/mastodon/public-system/";
|
locations."/system/".alias = "/var/lib/mastodon/public-system/";
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ lib, pkgs, ... }:
|
{ lib, pkgs, config, ... }:
|
||||||
let
|
let
|
||||||
commonHeaders = ''
|
commonHeaders = ''
|
||||||
add_header Permissions-Policy interest-cohort=() always;
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
|
@ -44,7 +44,7 @@ let
|
||||||
role = "m.role.admin";
|
role = "m.role.admin";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
support_page = "https://pub.solar/about";
|
support_page = "https://${config.pub-solar-os.networking.domain}/about";
|
||||||
};
|
};
|
||||||
mkWellKnown = data: ''
|
mkWellKnown = data: ''
|
||||||
add_header Content-Type application/json;
|
add_header Content-Type application/json;
|
||||||
|
@ -64,11 +64,11 @@ in
|
||||||
# This is already in production use #
|
# This is already in production use #
|
||||||
#####################################
|
#####################################
|
||||||
|
|
||||||
"pub.solar" = {
|
"${config.pub-solar-os.networking.domain}" = {
|
||||||
locations = wellKnownLocations "pub.solar";
|
locations = wellKnownLocations "${config.pub-solar-os.networking.domain}";
|
||||||
};
|
};
|
||||||
|
|
||||||
"chat.pub.solar" = {
|
"chat.${config.pub-solar-os.networking.domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
root = pkgs.element-web.override {
|
root = pkgs.element-web.override {
|
||||||
|
@ -76,13 +76,13 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
"stickers.chat.pub.solar" = {
|
"stickers.chat.${config.pub-solar-os.networking.domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
root = pkgs.element-stickerpicker;
|
root = pkgs.element-stickerpicker;
|
||||||
};
|
};
|
||||||
|
|
||||||
"matrix.pub.solar" = {
|
"matrix.${config.pub-solar-os.networking.domain}" = {
|
||||||
root = "/dev/null";
|
root = "/dev/null";
|
||||||
|
|
||||||
forceSSL = lib.mkDefault true;
|
forceSSL = lib.mkDefault true;
|
||||||
|
@ -122,8 +122,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"matrix.pub.solar-federation" = {
|
"matrix.${config.pub-solar-os.networking.domain}-federation" = {
|
||||||
serverName = "matrix.pub.solar";
|
serverName = "matrix.${config.pub-solar-os.networking.domain}";
|
||||||
forceSSL = lib.mkDefault true;
|
forceSSL = lib.mkDefault true;
|
||||||
enableACME = lib.mkDefault true;
|
enableACME = lib.mkDefault true;
|
||||||
listen = [{
|
listen = [{
|
||||||
|
|
|
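Review bot: The argument passed to `wellKnownLocations` on the new side is wrapped in a redundant interpolation, `"${config.pub-solar-os.networking.domain}"`, although the option value is already a string; the attribute name on the line above needs the quoting, the function argument does not. Suggest `locations = wellKnownLocations config.pub-solar-os.networking.domain;` so the call reads the same way as `support_page` and `serverName`, which use the value directly or with a real prefix. The `let` binding that defines `wellKnownLocations` and the enclosing `services.nginx.virtualHosts` set both begin outside the visible hunks, so I cannot confirm whether the helper itself still carries a `pub.solar` literal.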
@ -17,7 +17,7 @@ in
|
||||||
owner = "nginx";
|
owner = "nginx";
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"nachtigall.pub.solar" = {
|
"nachtigall.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}";
|
basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}";
|
||||||
|
|
|
@ -1,10 +1,11 @@
|
||||||
{ lib, ... }: {
|
{
|
||||||
|
lib, config, ... }: {
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '/srv/www/pub.solar' 0750 hakkonaut hakkonaut - -"
|
"d '/srv/www/${config.pub-solar-os.networking.domain}' 0750 hakkonaut hakkonaut - -"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"www.pub.solar" = {
|
"www.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
|
|
||||||
|
@ -15,12 +16,12 @@
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
return 301 https://pub.solar$request_uri;
|
return 301 https://${config.pub-solar-os.networking.domain}$request_uri;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
"pub.solar" = {
|
"${config.pub-solar-os.networking.domain}" = {
|
||||||
default = true;
|
default = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -35,7 +36,7 @@
|
||||||
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
|
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
|
||||||
"/.well-known/host-meta" = {
|
"/.well-known/host-meta" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
return 301 https://mastodon.pub.solar$request_uri;
|
return 301 https://mastodon.${config.pub-solar-os.networking.domain}$request_uri;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -44,11 +45,11 @@
|
||||||
# Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
|
# Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
if ($arg_resource) {
|
if ($arg_resource) {
|
||||||
return 301 https://mastodon.pub.solar$request_uri;
|
return 301 https://mastodon.${config.pub-solar-os.networking.domain}$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
add_header Content-Type text/plain;
|
add_header Content-Type text/plain;
|
||||||
return 200 '{\n "subject": "acct:admins@pub.solar",\n "links": [\n {\n "rel": "http://openid.net/specs/connect/1.0/issuer",\n "href": "https://auth.pub.solar/realms/pub.solar"\n }\n ]\n}';
|
return 200 '{\n "subject": "acct:admins@pub.solar",\n "links": [\n {\n "rel": "http://openid.net/specs/connect/1.0/issuer",\n "href": "https://auth.${config.pub-solar-os.networking.domain}/realms/pub.solar"\n }\n ]\n}';
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -59,7 +60,7 @@
|
||||||
"Expires: 2025-01-04T23:00:00.000Z"
|
"Expires: 2025-01-04T23:00:00.000Z"
|
||||||
"Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3"
|
"Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3"
|
||||||
"Preferred-Languages: en,de"
|
"Preferred-Languages: en,de"
|
||||||
"Canonical: https://pub.solar/.well-known/security.txt"
|
"Canonical: https://${config.pub-solar-os.networking.domain}/.well-known/security.txt"
|
||||||
];
|
];
|
||||||
in {
|
in {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -70,12 +71,12 @@
|
||||||
|
|
||||||
"/satzung" = {
|
"/satzung" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
return 302 https://cloud.pub.solar/s/iaKqiW25QJpHPYs;
|
return 302 https://cloud.${config.pub-solar-os.networking.domain}/s/iaKqiW25QJpHPYs;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
"/" = {
|
"/" = {
|
||||||
root = "/srv/www/pub.solar";
|
root = "/srv/www/${config.pub-solar-os.networking.domain}";
|
||||||
index = "index.html";
|
index = "index.html";
|
||||||
tryFiles = "$uri $uri/ =404";
|
tryFiles = "$uri $uri/ =404";
|
||||||
};
|
};
|
||||||
|
|
|
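Review bot: The webfinger issuer response still hard-codes the realm path `/realms/pub.solar` on the new side, while the Mastodon and OBS portal hunks in this same commit route every other Keycloak URL through `config.pub-solar-os.auth.realm`; a deployment that sets a different realm will advertise an issuer URL that does not exist, so OIDC issuer discovery against this endpoint fails or, worse, points clients at a realm the operator did not intend. The `acct:admins@pub.solar` subject in the same literal is also left on the old domain. Suggest `"href": "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}"` and, since the nginx.nix hunk shows `config.pub-solar-os.adminEmail` replacing the literal `admins@pub.solar`, `"subject": "acct:${config.pub-solar-os.adminEmail}"` — verify that the webfinger subject is meant to track the admin mailbox before adopting the second change. The `hakkonaut` owner/group in the new tmpfiles rule likewise remains a literal while the directory name is now derived from the domain option.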
@ -5,7 +5,7 @@
|
||||||
, ...
|
, ...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
acmeEmailAddress = "admins@pub.solar";
|
acmeEmailAddress = config.pub-solar-os.adminEmail;
|
||||||
webserverGroup = "hakkonaut";
|
webserverGroup = "hakkonaut";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
|
@ -14,8 +14,8 @@ FRONTEND_URL = None
|
||||||
FRONTEND_HTTPS = True
|
FRONTEND_HTTPS = True
|
||||||
FRONTEND_DIR = "../frontend/build/"
|
FRONTEND_DIR = "../frontend/build/"
|
||||||
FRONTEND_CONFIG = {
|
FRONTEND_CONFIG = {
|
||||||
"imprintUrl": "https://pub.solar/about",
|
"imprintUrl": "${config.pub-solar-os.imprintUrl}",
|
||||||
"privacyPolicyUrl": "https://pub.solar/privacy",
|
"privacyPolicyUrl": "${config.pub-solar-os.privacyPolicyUrl}",
|
||||||
"mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97},
|
"mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97},
|
||||||
"banner": {
|
"banner": {
|
||||||
"text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.",
|
"text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.",
|
||||||
|
@ -27,15 +27,15 @@ ADDITIONAL_CORS_ORIGINS = None
|
||||||
'';
|
'';
|
||||||
|
|
||||||
env = {
|
env = {
|
||||||
OBS_KEYCLOAK_URI = "auth.pub.solar";
|
OBS_KEYCLOAK_URI = "auth.${config.pub-solar-os.networking.domain}";
|
||||||
OBS_PORTAL_URI = "obs-portal.pub.solar";
|
OBS_PORTAL_URI = "obs-portal.${config.pub-solar-os.networking.domain}";
|
||||||
|
|
||||||
OBS_POSTGRES_MAX_OVERFLOW = "20";
|
OBS_POSTGRES_MAX_OVERFLOW = "20";
|
||||||
OBS_POSTGRES_POOL_SIZE = "40";
|
OBS_POSTGRES_POOL_SIZE = "40";
|
||||||
|
|
||||||
OBS_HOST = "0.0.0.0";
|
OBS_HOST = "0.0.0.0";
|
||||||
OBS_PORT = "3000";
|
OBS_PORT = "3000";
|
||||||
OBS_KEYCLOAK_URL = "https://auth.pub.solar/realms/pub.solar/";
|
OBS_KEYCLOAK_URL = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/";
|
||||||
OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal";
|
OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal";
|
||||||
OBS_DEDICATED_WORKER = "True";
|
OBS_DEDICATED_WORKER = "True";
|
||||||
OBS_DATA_DIR = "/data";
|
OBS_DATA_DIR = "/data";
|
||||||
|
@ -66,7 +66,7 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."obs-portal.pub.solar" = {
|
services.nginx.virtualHosts."obs-portal.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
||||||
|
|
|
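Review bot: `${config.pub-solar-os.imprintUrl}` and `${config.pub-solar-os.privacyPolicyUrl}` are spliced into Python source inside double-quoted string literals in the FRONTEND_CONFIG hunk, so a value containing `"` or a backslash is not escaped and would break the generated config or change what the frontend receives. Let Nix produce the quoted literal instead: `"imprintUrl": ${builtins.toJSON config.pub-solar-os.imprintUrl},` and `"privacyPolicyUrl": ${builtins.toJSON config.pub-solar-os.privacyPolicyUrl},` — a JSON string is a valid Python string literal for any URL-shaped value. The `OBS_KEYCLOAK_URL` / `OBS_KEYCLOAK_URI` values in the `env` hunk are plain Nix attribute strings and need no such treatment. The `let` binding that renders this Python text, and the module's argument list, begin outside the visible hunks.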
@ -4,7 +4,7 @@
|
||||||
, pkgs
|
, pkgs
|
||||||
, ...
|
, ...
|
||||||
}: {
|
}: {
|
||||||
services.nginx.virtualHosts."stream.pub.solar" = {
|
services.nginx.virtualHosts."stream.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
|
|
|
@ -43,7 +43,7 @@
|
||||||
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
|
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
|
||||||
};
|
};
|
||||||
static_configs = [{
|
static_configs = [{
|
||||||
targets = [ "nachtigall.pub.solar" ];
|
targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
|
||||||
labels = {
|
labels = {
|
||||||
instance = "nachtigall";
|
instance = "nachtigall";
|
||||||
};
|
};
|
||||||
|
@ -58,7 +58,7 @@
|
||||||
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
|
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
|
||||||
};
|
};
|
||||||
static_configs = [{
|
static_configs = [{
|
||||||
targets = [ "nachtigall.pub.solar" ];
|
targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
|
||||||
labels = {
|
labels = {
|
||||||
instance = "nachtigall";
|
instance = "nachtigall";
|
||||||
};
|
};
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
filename = "/tmp/positions.yaml";
|
filename = "/tmp/positions.yaml";
|
||||||
};
|
};
|
||||||
clients = [{
|
clients = [{
|
||||||
url = "https://flora-6.pub.solar/loki/api/v1/push";
|
url = "https://flora-6.${config.pub-solar-os.networking.domain}/loki/api/v1/push";
|
||||||
basic_auth = {
|
basic_auth = {
|
||||||
username = "hakkonaut";
|
username = "hakkonaut";
|
||||||
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
|
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
mode = "600";
|
mode = "600";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."search.pub.solar" = {
|
services.nginx.virtualHosts."search.${config.pub-solar-os.networking.domain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
||||||
|
@ -38,14 +38,14 @@
|
||||||
use_default_settings = true;
|
use_default_settings = true;
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
base_url = "https://search.pub.solar";
|
base_url = "https://search.${config.pub-solar-os.networking.domain}";
|
||||||
secret_key = "@SEARX_SECRET_KEY@";
|
secret_key = "@SEARX_SECRET_KEY@";
|
||||||
};
|
};
|
||||||
|
|
||||||
general = {
|
general = {
|
||||||
debug = false;
|
debug = false;
|
||||||
instance_name = "search.pub.solar";
|
instance_name = "search.${config.pub-solar-os.networking.domain}";
|
||||||
privacypolicy_url = "https://pub.solar/privacy";
|
privacypolicy_url = config.pub-solar-os.privacyPolicyUrl;
|
||||||
# use true to use your own donation page written in searx/info/en/donate.md
|
# use true to use your own donation page written in searx/info/en/donate.md
|
||||||
# use false to disable the donation link
|
# use false to disable the donation link
|
||||||
donation_url = false;
|
donation_url = false;
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
{ ... }:
|
{ config,... }:
|
||||||
{
|
{
|
||||||
services.tmate-ssh-server = {
|
services.tmate-ssh-server = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 2222;
|
port = 2222;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
host = "tmate.pub.solar";
|
host = "tmate.${config.pub-solar-os.networking.domain}";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
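Review bot: The new argument set `{ config,... }:` drops the space before the ellipsis that the other module headers in this commit keep (`{ lib, pkgs, config, ... }:`); write it `{ config, ... }:`. Functionally equivalent, but worth aligning with the rest of the tree now that `config` is being threaded into every module.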