WIP: feat/automated-account-deletion #174

Draft
b12f wants to merge 23 commits from feat/automated-account-deletion into main
8 changed files with 213 additions and 24 deletions


@ -64,7 +64,7 @@
]; ];
perSystem = perSystem =
{ args@{
system, system,
pkgs, pkgs,
config, config,
@ -82,25 +82,7 @@
master = import inputs.master { inherit system; }; master = import inputs.master { inherit system; };
}; };
packages = packages = import ./tests ({ inherit inputs self; } // args);
let
nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
testDir = builtins.attrNames (builtins.readDir ./tests);
testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir;
in
builtins.listToAttrs (
map (x: {
name = "test-${lib.strings.removeSuffix ".nix" x}";
value = nixos-lib.runTest (
import (./tests + "/${x}") {
inherit self;
inherit pkgs;
inherit lib;
inherit config;
}
);
}) testFiles
);
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = with pkgs; [
@ -124,8 +106,7 @@
devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; }; devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; };
}; };
flake = flake = let
let
username = "barkeeper"; username = "barkeeper";
in in
{ {
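Review bot: In `packages = import ./tests ({ inherit inputs self; } // args);` the merge order lets the perSystem `args` win over the explicit bindings, so any attribute named `inputs` or `self` in `args` would silently replace the flake-level values that tests/default.nix expects; `packages = import ./tests (args // { inherit inputs self; });` makes the explicit bindings authoritative. tests/default.nix also destructures `lib` from these args, and this hunk does not show `lib` among the perSystem parameters — presumably flake-parts supplies it, but that is worth confirming since the old code used the outer `lib`. The perSystem function continues outside the hunk.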


@ -43,6 +43,17 @@
]; ];
}; };
nachtigall-test = {
imports = [
self.inputs.agenix.nixosModules.default
self.nixosModules.home-manager
./nachtigall/test-vm.nix
self.nixosModules.overlays
self.nixosModules.core
self.nixosModules.docker
];
};
flora-6 = self.nixos-flake.lib.mkLinuxSystem { flora-6 = self.nixos-flake.lib.mkLinuxSystem {
imports = [ imports = [
self.inputs.agenix.nixosModules.default self.inputs.agenix.nixosModules.default
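Review bot: `nachtigall-test` is a bare `{ imports = [ ... ]; }` attrset placed in the same set as `flora-6`, which is built through `self.nixos-flake.lib.mkLinuxSystem`; if this set is what ends up as `nixosConfigurations` (tests/website.nix reads `self.nixosConfigurations.nachtigall-test` as a node module), `nix flake check` will presumably reject an entry that is not an evaluated NixOS system. Exposing it as a module instead, e.g. `nixosModules.nachtigall-test = { imports = [ ... ]; };`, and pointing the test at that keeps `nixosConfigurations` uniform. It also imports `agenix.nixosModules.default` even though a throw-away test VM has no age identity, so secrets referenced by the imported modules cannot decrypt at activation — confirm whether `./nachtigall/test-vm.nix` supplies fixture secrets. The enclosing attrset starts before the hunk.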


@ -0,0 +1,98 @@
{ flake
, config
, lib
, pkgs
, ...
}: {
age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600";
#owner = "keycloak";
};
services.nginx.virtualHosts."auth.pub.solar" = {
enableACME = true;
forceSSL = true;
locations = {
"= /" = {
extraConfig = ''
return 302 /realms/pub.solar/account;
'';
};
"/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8080;
proxy_buffer_size 8k;
'';
};
};
};
services.keycloak = {
enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path;
settings = {
hostname = "auth.pub.solar";
http-host = "127.0.0.1";
http-port = 8080;
proxy = "edge";
features = "declarative-user-profile";
};
themes = {
"pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
};
plugins = [
flake.inputs.keycloak-event-listener.packages.${pkgs.system}.keycloak-event-listener
];
};
services.restic.backups.keycloak-droppie = {
paths = [
"/tmp/keycloak-backup.sql"
];
timerConfig = {
OnCalendar = "*-*-* 02:00:00 Etc/UTC";
# droppie will be offline if nachtigall misses the timer
Persistent = false;
};
initialize = true;
passwordFile = config.age.secrets."restic-repo-droppie".path;
repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/keycloak-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
services.restic.backups.keycloak-storagebox = {
paths = [
"/tmp/keycloak-backup.sql"
];
timerConfig = {
OnCalendar = "*-*-* 04:10:00 Etc/UTC";
};
initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/keycloak-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
}
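Review bot: Both `backupPrepareCommand`s dump the Keycloak database — user records, credential hashes, client secrets — to the fixed path `/tmp/keycloak-backup.sql`, written by a root service under its default umask (typically 0644) and left in the shared directory until `backupCleanupCommand` runs; add `umask 077` as the first line of each prepare command, or better dump into a root-only directory created with `install -d -m 0700 /var/backup/keycloak`, and use `rm -f` in the cleanup so a missing file does not fail the unit. The `#owner = "keycloak"` left commented on the 0600 secret means only root can read the database password; that is fine only if the NixOS keycloak module passes the file to the service through systemd credentials rather than reading it as the keycloak user — confirm against the module version in use. The nginx `/` location proxies to Keycloak with `proxy = "edge"` but sets no `X-Forwarded-For`/`X-Forwarded-Proto` headers here; unless `recommendedProxySettings` is enabled in nginx.nix, Keycloak will see every client as 127.0.0.1, which defeats its per-IP brute-force detection and lockout.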


@ -0,0 +1,54 @@
{ flake, lib, ... }:
{
imports =
[
./backups.nix
./apps/nginx.nix
./apps/collabora.nix
./apps/coturn.nix
./apps/forgejo.nix
./apps/keycloak.nix
./apps/mailman.nix
./apps/mastodon.nix
./apps/mediawiki.nix
./apps/nextcloud.nix
./apps/nginx-mastodon.nix
./apps/nginx-mastodon-files.nix
./apps/nginx-prometheus-exporters.nix
./apps/nginx-website.nix
./apps/nginx-website-miom.nix
./apps/opensearch.nix
./apps/owncast.nix
./apps/postgresql.nix
./apps/prometheus-exporters.nix
./apps/promtail.nix
./apps/searx.nix
./apps/tmate.nix
./apps/matrix/irc.nix
./apps/matrix/mautrix-telegram.nix
./apps/matrix/synapse.nix
./apps/nginx-matrix.nix
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
security.acme.preliminarySelfsigned = true;
networking.useDHCP = true;
networking.interfaces."enp35s0".ipv4.addresses = [
{
address = "10.0.0.1";
prefixLength = 26;
}
];
networking.interfaces."enp35s0".ipv6.addresses = [
{
address = "2a01:4f8:172:1c25::1";
prefixLength = 64;
}
];
}
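Review bot: `security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";` and `security.acme.preliminarySelfsigned = true;` duplicate the new `modules/test-vm.nix` verbatim; import that module here instead so the test-only ACME override lives in one place and cannot drift. The file also pins production addresses (`10.0.0.1/26` and `2a01:4f8:172:1c25::1/64` on `enp35s0`) while enabling DHCP; inside the test VM that interface name will presumably not exist, so these entries add only a warning and can likely be dropped — verify against the VM's NIC name. Importing the full production app list also pulls in modules that reference `config.age.secrets.*` paths; with no age identity in the VM those units cannot start, so either provide fixture secrets or trim the imports to the services the test exercises.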


@ -7,8 +7,7 @@
{ {
# Configuration common to all Linux systems # Configuration common to all Linux systems
flake = { flake = {
lib = lib = let
let
callLibs = file: import file { inherit lib; }; callLibs = file: import file { inherit lib; };
in in
rec { rec {

5
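--- /dev/null
+++ b/modules/test-vm.nix
@@ -0,0 +1,5 @@
+{ ... }:
+{
+security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+security.acme.preliminarySelfsigned = true;
+}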
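Review bot: The module carries no comment saying why it exists or that it must never reach a production host; the staging directory issues certificates from an untrusted CA, so importing this by mistake breaks TLS for every virtual host on the machine. Add a header such as `# Test-VM only: use the Let's Encrypt staging CA (untrusted certs, relaxed rate limits). Never import on a production host.` above `security.acme.defaults.server`. `preliminarySelfsigned = true` is presumably the NixOS default already; if so, drop the line or note why it is restated.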

19
tests/default.nix Normal file

@ -0,0 +1,19 @@
args@{
self,
lib,
system,
pkgs,
inputs,
...
}: let
nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
loadTestFiles = with lib; dir: mapAttrs' (name: _: let
test = ((import (dir + "/${name}")) args);
in {
name = "test-" + (lib.strings.removeSuffix ".nix" name);
value = nixos-lib.runTest test;
})
(filterAttrs (name: _: (hasSuffix ".nix" name) && name != "default.nix")
(builtins.readDir dir));
in loadTestFiles ./.
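Review bot: The `filterAttrs` predicate ignores the entry type that `builtins.readDir` provides, so a directory named `something.nix` would be imported as a test and fail evaluation in a confusing way; use the second argument, `(filterAttrs (name: type: type == "regular" && hasSuffix ".nix" name && name != "default.nix")`. The pattern `args@{ self, lib, system, pkgs, inputs, ... }` destructures `self`, `system` and `pkgs` that the body never uses on their own (only `lib`, `inputs` and the whole `args` are read); dropping them removes the false impression that they are required here. A one-line header such as `# Turn every tests/*.nix except this file into a test-<name> package that runs a NixOS VM test.` would document the loader.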


@ -1,4 +1,5 @@
{ {
<<<<<<< HEAD
self, self,
pkgs, pkgs,
lib, lib,
@ -55,5 +56,26 @@
nachtigall.succeed("ping ca.test.pub.solar -c 2") nachtigall.succeed("ping ca.test.pub.solar -c 2")
nachtigall.wait_for_unit("nginx.service") nachtigall.wait_for_unit("nginx.service")
nachtigall.wait_until_succeeds("curl https://test.pub.solar/") nachtigall.wait_until_succeeds("curl https://test.pub.solar/")
=======
self,
pkgs,
lib,
config,
...
}: {
name = "website";
nodes.nachtigall-test = self.nixosConfigurations.nachtigall-test;
node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
hostPkgs = pkgs;
enableOCR = true;
testScript = ''
machine.wait_for_unit("system.slice")
machine.succeed("ping 127.0.0.1 -c 2")
machine.succeed("ping iregendeinscheiss.de -c 2")
>>>>>>> af599c9 (test: add initial e2e test for nachtigall)
''; '';
} }
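Review bot: Unresolved merge-conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> af599c9 (...)` are committed into the file, so it cannot evaluate and every test package produced by tests/default.nix fails; resolve the conflict before this can merge. The two sides also disagree on the node name (`nachtigall` versus `machine`) and on the node source (`nodes.nachtigall-test = self.nixosConfigurations.nachtigall-test`), so pick one — with a node called `nachtigall-test` the script presumably has to use `nachtigall_test`. `machine.succeed("ping iregendeinscheiss.de -c 2")` targets an arbitrary external domain; NixOS VM tests run inside the Nix sandbox without outbound network, so this step will presumably fail regardless, and a test should not depend on a third-party host at all. The function header and the test attrset begin before the hunk.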