10 Commits
584add408d
...
4f86c92941
Author | SHA1 | Date |
---|---|---|
Benjamin Yule Bädorf | 4f86c92941 | |
teutat3s | d62b6cda92 | |
teutat3s | c580fe0fbb | |
teutat3s | 60aef1d038 | |
teutat3s | fa9ce9d435 | |
teutat3s | 9541e5029e | |
teutat3s | c4d0d34807 | |
teutat3s | d5fe65b60d | |
teutat3s | 0e7dc95250 | |
teutat3s | c86e22b292 |
|
@ -24,26 +24,48 @@ jobs:
|
|||
echo "hash=$(md5sum flake.lock | awk '{print $1}')" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Restore and cache Nix store
|
||||
uses: https://github.com/nix-community/cache-nix-action@v5
|
||||
uses: https://github.com/nix-community/cache-nix-action@v4.0.3
|
||||
id: nix-store-cache
|
||||
with:
|
||||
primary-key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
|
||||
restore-prefixes-first-match: |
|
||||
key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
|
||||
restore-keys: |
|
||||
cache-${{ runner.os }}-nix-store-
|
||||
|
||||
gc-linux: true
|
||||
gc-max-store-size-linux: 10000000000
|
||||
|
||||
purge: true
|
||||
purge-prefixes: cache-${{ runner.os }}-nix-store-
|
||||
purge-created: 42
|
||||
purge-caches: true
|
||||
purge-key: cache-${{ runner.os }}-nix-store-
|
||||
purge-created: true
|
||||
purge-created-max-age: 42
|
||||
|
||||
- name: Prepare cachix
|
||||
uses: https://github.com/cachix/cachix-action@v14
|
||||
with:
|
||||
name: pub-solar
|
||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||
useDaemon: false
|
||||
|
||||
- name: Run flake checks
|
||||
run: |
|
||||
# Prevent cache garbage collection by creating GC roots
|
||||
for target in $(nix flake show --json --all-systems | jq '
|
||||
.["nixosConfigurations"] |
|
||||
to_entries[] |
|
||||
.key
|
||||
' | tr -d '"'
|
||||
); do
|
||||
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
|
||||
build --out-link ./result-$target ".#nixosConfigurations.${target}.config.system.build.toplevel"
|
||||
done
|
||||
|
||||
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check
|
||||
|
||||
# Add GC roots for flake inputs, too
|
||||
# https://github.com/NixOS/nix/issues/4250#issuecomment-1146878407
|
||||
mkdir --parents "$NIX_USER_PROFILE_DIR"
|
||||
gc_root_prefix="$NIX_USER_PROFILE_DIR"/infra-flake-
|
||||
echo "Adding gcroots flake inputs with prefix $gc_root_prefix ..."
|
||||
nix flake archive --json 2>/dev/null | jq --raw-output '.inputs | to_entries[] | "ln --force --symbolic --no-target-directory "+.value.path+" \"'"$gc_root_prefix"'"+.key+"\""' | while read -r line; do
|
||||
eval "$line"
|
||||
done
|
||||
|
|
|
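Review bot: The GC-root loop at the end of the "Run flake checks" step builds a shell command string with jq and then executes it with `eval "$line"`, so an input name or store path containing shell metacharacters would be executed rather than linked; the values come from this repository's own flake.lock, which limits the exposure to anyone who can change the lock file, but the eval is not needed at all. Emit the two fields as a tab-separated pair and call ln with quoted arguments: `nix flake archive --json 2>/dev/null | jq --raw-output '.inputs | to_entries[] | "\(.value.path)\t\(.key)"' | while IFS=$'\t' read -r input_path input_name; do` / `ln --force --symbolic --no-target-directory "$input_path" "$gc_root_prefix$input_name"` / `done`. The `+`/`-` markers were lost in rendering, so I am reading the GC-root lines as the new side; the `run:` script and the enclosing job begin above the hunk.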
@ -13,16 +13,43 @@
|
|||
# Needed for the docker runner to communicate with the act_runner cache
|
||||
networking.firewall.trustedInterfaces = [ "br-+" ];
|
||||
|
||||
users.users.gitea-runner = {
|
||||
home = "/var/lib/gitea-runner/flora-6";
|
||||
useDefaultShell = true;
|
||||
group = "gitea-runner";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
users.groups.gitea-runner = {};
|
||||
|
||||
systemd.services."gitea-runner-flora\\x2d6".serviceConfig = {
|
||||
DynamicUser = lib.mkForce false;
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/data/gitea-actions-runner' 0750 gitea-runner gitea-runner - -"
|
||||
"d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -"
|
||||
];
|
||||
|
||||
# forgejo actions runner
|
||||
# https://forgejo.org/docs/latest/admin/actions/
|
||||
# https://docs.gitea.com/usage/actions/quickstart
|
||||
services.gitea-actions-runner = {
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
package = pkgs.forgejo-runner;
|
||||
instances."flora-6" = {
|
||||
enable = true;
|
||||
name = config.networking.hostName;
|
||||
url = "https://git.pub.solar";
|
||||
tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
|
||||
settings = {
|
||||
cache = {
|
||||
enabled = true;
|
||||
dir = "/data/gitea-actions-runner/actcache";
|
||||
host = "";
|
||||
port = 0;
|
||||
external_server = "";
|
||||
};
|
||||
};
|
||||
labels = [
|
||||
# provide a debian 12 bookworm base with Node.js for actions
|
||||
"debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
|
||||
|
|
|
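Review bot: `networking.firewall.trustedInterfaces = [ "br-+" ];` at the top of the hunk turns off firewall filtering on every interface whose name starts with `br-`, not only the bridge the runner's containers use, while the comment above it states the need is just for the containers to reach the act_runner cache. With `port = 0;` under `settings.cache` (which I read as "pick a port dynamically"; please confirm against the runner's config documentation) a narrower rule cannot be written, so consider pinning the port and opening only it, e.g. `port = <cache-port>;` together with `networking.firewall.interfaces."br-+".allowedTCPPorts = [ <cache-port> ];` (placeholder value), in place of the trusted-interface entry. `DynamicUser = lib.mkForce false;` also gives up the sandboxing that DynamicUser provides; a one-line comment such as `# static user needed so /data/gitea-actions-runner and the tmpfiles rules above have a stable owner` would tell the next reader why it is forced off. The module's attribute set starts before the hunk.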
@ -0,0 +1,140 @@
|
|||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, self
|
||||
, flake
|
||||
, ...
|
||||
}: let
|
||||
configPy = pkgs.writeText "obs-portal-config.py" ''
|
||||
DEBUG = False
|
||||
VERBOSE = DEBUG
|
||||
AUTO_RESTART = DEBUG
|
||||
LEAN_MODE = False
|
||||
FRONTEND_URL = None
|
||||
FRONTEND_HTTPS = True
|
||||
FRONTEND_DIR = "../frontend/build/"
|
||||
FRONTEND_CONFIG = {
|
||||
"imprintUrl": "https://pub.solar/about",
|
||||
"privacyPolicyUrl": "https://pub.solar/privacy",
|
||||
"mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97},
|
||||
"banner": {
|
||||
"text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.",
|
||||
"style": "info"
|
||||
},
|
||||
}
|
||||
TILES_FILE = None
|
||||
ADDITIONAL_CORS_ORIGINS = None
|
||||
'';
|
||||
|
||||
env = {
|
||||
OBS_KEYCLOAK_URI = "auth.pub.solar";
|
||||
OBS_PORTAL_URI = "obs-portal.pub.solar";
|
||||
|
||||
OBS_POSTGRES_MAX_OVERFLOW = "20";
|
||||
OBS_POSTGRES_POOL_SIZE = "40";
|
||||
|
||||
OBS_HOST = "0.0.0.0";
|
||||
OBS_PORT = "3000";
|
||||
OBS_KEYCLOAK_URL = "https://auth.pub.solar/realms/pub.solar/";
|
||||
OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal";
|
||||
OBS_DEDICATED_WORKER = "True";
|
||||
OBS_DATA_DIR = "/data";
|
||||
OBS_PROXIES_COUNT = "1";
|
||||
};
|
||||
in {
|
||||
age.secrets.obs-portal-env = {
|
||||
file = "${flake.self}/secrets/obs-portal-env.age";
|
||||
mode = "600";
|
||||
};
|
||||
|
||||
age.secrets.obs-portal-database-env = {
|
||||
file = "${flake.self}/secrets/obs-portal-database-env.age";
|
||||
mode = "600";
|
||||
};
|
||||
|
||||
systemd.services."docker-network-obs-portal" =
|
||||
let
|
||||
docker = config.virtualisation.oci-containers.backend;
|
||||
dockerBin = "${pkgs.${docker}}/bin/${docker}";
|
||||
in
|
||||
{
|
||||
serviceConfig.Type = "oneshot";
|
||||
before = [ "docker-obs-portal.service" ];
|
||||
script = ''
|
||||
${dockerBin} network inspect obs-portal-net >/dev/null 2>&1 || ${dockerBin} network create obs-portal-net --subnet 172.20.0.0/24
|
||||
'';
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."obs-portal.pub.solar" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
proxy_pass http://127.0.0.1:3001;
|
||||
proxy_set_header Host $host;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
virtualisation = {
|
||||
oci-containers = {
|
||||
backend = "docker";
|
||||
|
||||
containers."obs-portal" = {
|
||||
image = "git.pub.solar/pub-solar/obs-portal:latest";
|
||||
autoStart = true;
|
||||
ports = [ "localhost:3001:${env.OBS_PORT}" ];
|
||||
|
||||
environment = env;
|
||||
environmentFiles = [ config.age.secrets.obs-portal-env.path ];
|
||||
|
||||
volumes = [
|
||||
"${configPy}:/opt/obs/api/config.py"
|
||||
"/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}"
|
||||
"/var/lib/obs-portal/tiles/:/tiles"
|
||||
"/var/lib/obs-portal/pbf/:/pbf"
|
||||
];
|
||||
|
||||
extraOptions = [
|
||||
"--network=obs-portal-net"
|
||||
];
|
||||
};
|
||||
|
||||
containers."obs-portal-worker" = {
|
||||
image = "git.pub.solar/pub-solar/obs-portal:latest";
|
||||
autoStart = true;
|
||||
|
||||
cmd = [ "python" "tools/process_track.py" ];
|
||||
|
||||
environment = env;
|
||||
environmentFiles = [ config.age.secrets.obs-portal-env.path ];
|
||||
|
||||
volumes = [
|
||||
"${configPy}:/opt/obs/api/config.py"
|
||||
"/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}"
|
||||
];
|
||||
|
||||
extraOptions = [
|
||||
"--network=obs-portal-net"
|
||||
];
|
||||
};
|
||||
|
||||
containers."obs-portal-db" = {
|
||||
image = "openmaptiles/postgis:7.0";
|
||||
autoStart = true;
|
||||
|
||||
environmentFiles = [ config.age.secrets.obs-portal-database-env.path ];
|
||||
|
||||
volumes = [
|
||||
"/var/lib/postgres-obs-portal/data:/var/lib/postgresql/data"
|
||||
];
|
||||
|
||||
extraOptions = [
|
||||
"--network=obs-portal-net"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
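Review bot: The nginx location for `obs-portal.pub.solar` writes `proxy_pass` by hand inside `extraConfig` instead of using `proxyPass`, so the NixOS recommended proxy headers (`X-Forwarded-For`, `X-Forwarded-Proto`, `X-Real-IP`) are not pulled into this location even if `recommendedProxySettings` is enabled for the host elsewhere, and the only header it forwards is `Host`; the portal is configured to trust one proxy hop with `OBS_PROXIES_COUNT = "1"` and `FRONTEND_HTTPS = True`, so it will see every client as 127.0.0.1 and cannot learn the original scheme. Replacing the two `extraConfig` lines with `proxyPass = "http://127.0.0.1:3001";` keeps `proxyWebsockets = true` working and brings in the header set. Separately, all three containers pull mutable tags (`obs-portal:latest` twice, `openmaptiles/postgis:7.0`) with `autoStart = true`, so what runs on the host changes whenever the registry tag moves; pinning by digest (`image = "git.pub.solar/pub-solar/obs-portal@sha256:<digest>"`, placeholder value) makes each deploy reproducible and auditable. The new file is shown in full in this hunk.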
@ -32,6 +32,7 @@
|
|||
./apps/promtail.nix
|
||||
./apps/searx.nix
|
||||
./apps/tmate.nix
|
||||
./apps/obs-portal.nix
|
||||
|
||||
./apps/matrix/irc.nix
|
||||
./apps/matrix/mautrix-telegram.nix
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
};
|
||||
in
|
||||
{
|
||||
forgejo-runner = unstable.forgejo-runner;
|
||||
element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
|
||||
})
|
||||
];
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 iDKjwg hAoEiOaK1U0HImALePEYHiE6xebOOqtVujaBWgNBZF8
|
||||
ecf/ykqYPihRJxI/Y7Oh6QhWSyncwevlzEZoRqm3aGM
|
||||
-> ssh-ed25519 uYcDNw NcIttsTn6wPCmoOYGtZ66IYhthjLDI3sYFe4pbW6cB4
|
||||
9hv4dEYoXXWSZ2pG1hy68vmTf++v+g3q7wVhT6cAog0
|
||||
-> ssh-rsa kFDS0A
|
||||
KoW3J2Tw90chM6Oy17umOQN0WFI4je7CBk3IgdImsd4Mz5q17/nXlhVlFFhx4ZEk
|
||||
Or9LaqytVk1NA6J4+suMRlx4Pd6oberXu1KBkFQMr1B3LKhNOaOZ+W1mrbQLGG9U
|
||||
YUTyOpkHxVkw0IOsvxB/0reMCHtjKHo661zFjim1YFmEk0WRt4hU1XqsMNiE4wbc
|
||||
GF0t9EWMN2pU2p7DpX/DzVTqu8yk8SQhCZc9kfzWcuawwf0rcjwUJ/Rk1MH5tMpK
|
||||
odRXXl1slPPwQinE+KJqeyrfuRDHqwqmxnOfOWG6KQwWkVSE1btiHEvfuuLOjSjl
|
||||
3wO+veRC9hW5sSCPANoFbuSQ1dprmoyaZnOyeRTbgw91ks/ogLBezF/KSkaMQeHx
|
||||
XRnfcceBmeeqHl9L3Z+3EmBjwIqu2Og0pvhDU8G/ZeA0cHS/22QYGzeD/gOqaEW7
|
||||
d1VyA6LZd8PxIjoBamdipIpY0TqZ8+cA/yaUKNnYXXRSlKQ5ggPxh7ZXfvRbGg+m
|
||||
WbNiHxBPcTK7/Bpzes4LJVcx0Ar4XeDxVQe1MITLpFWh+FDEQZEA3630JngZ153J
|
||||
vBvw+VFedPSr6Ov+/33/J3LKC0XRatGnc++AWfo4rWPLCE6qovEDyY+wmct8gv0j
|
||||
rMEK7OaNfyy+Z21mjrkwcEUbyoGt9ksEplaRblE0Lsk
|
||||
-> ssh-ed25519 YFSOsg LmLRtBYMSzjid3VkUgAQvDOS9r0imWSKE7fm0t/x41Y
|
||||
0mae0vsNmaS5aVOKezXit7KV44JKLpU+GWpuA++dCVo
|
||||
-> ssh-ed25519 iHV63A Tc2z2JciftAikoj4Hv9IBgkcYWAcyGuPJTNA3Yw2K1w
|
||||
cO5o/pbaZAtTvXUskOah9vWP/Tuvyi3QDM7g4AQ+b8s
|
||||
-> ssh-ed25519 BVsyTA mk6n6ytaI4V9JVoUZFtwfFOgaLYc6gvVOcSZXQj/FVI
|
||||
etqbUCqe0eY81qaVco7pMJjhfM+sA/bXLMW0bEsCLxI
|
||||
--- CmNq6ZPxFoFTsySVfr7BTHV0tm9cbRYGG6IR7DNgbEY
|
||||
!è烈í}
|
||||
ùSê<>ŸSl®Ds;!ÁjršZçR"—ë#ž¿»ÙÅ~!›Ÿ¤6AùwEn ? kËAcx~—ŽÜGVæ&M¯ý¾ä,
|
||||
a›U
|
Binary file not shown.
|
@ -1,4 +1,5 @@
|
|||
let
|
||||
<<<<<<< HEAD
|
||||
admins = import ../logins/admins.nix;
|
||||
|
||||
nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
|
||||
|
@ -64,4 +65,7 @@ in
|
|||
|
||||
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys;
|
||||
|
||||
"obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
}
|
||||
|
|
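Review bot: The single line the first hunk of this file adds appears to be a merge-conflict marker, `<<<<<<< HEAD`, on the second line of secrets.nix, with no matching `=======` or `>>>>>>>` in view; as committed the file is not valid Nix, so agenix cannot evaluate the key lists for any secret, including the two `obs-portal-*.age` entries added in the second hunk. Remove the marker line and re-verify the merge result before rekeying. The `let` block continues past the first hunk, and the `+`/`-` markers were lost in rendering, so the "added" reading rests on the hunk's line counts.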