Refactor flora-6 services a bit

2022-11-27 23:31:08 +01:00 · 2022-11-27 23:31:08 +01:00 · 2b03c98cf2
parent 756845c187
commit 2b03c98cf2
4 changed files with 137 additions and 115 deletions
--- a/hosts/flora-6/caddy.nix
+++ b/hosts/flora-6/caddy.nix
@ -0,0 +1,32 @@
+{ config
+, lib
+, pkgs
+, self
+, ...
+}:
+{
+  services.caddy = {
+    enable = lib.mkForce true;
+    email = "admins@pub.solar";
+    globalConfig = lib.mkForce "";
+    virtualHosts = {
+      "auth.pub.solar" = {
+        logFormat = lib.mkForce ''
+          output discard
+        '';
+        extraConfig = ''
+          reverse_proxy :8080
+        '';
+      };
+      "git.pub.solar" = {
+        logFormat = lib.mkForce ''
+          output discard
+        '';
+        extraConfig = ''
+          reverse_proxy :3000
+        '';
+      };
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
@ -17,6 +17,10 @@ in
    ./hardware-configuration.nix
    ./triton-vmtools.nix

+    ./caddy.nix
+    ./keycloak.nix
+    ./gitea.nix
+
    profiles.base-user
    profiles.users.root # make sure to configure ssh keys
    profiles.users.barkeeper
@ -39,121 +43,6 @@ in
      lite = true;
    };

-    age.secrets.keycloak-database-password = {
-      file = "${self}/secrets/keycloak-database-password.age";
-      mode = "700";
-      #owner = "keycloak";
-    };
-    age.secrets.gitea-database-password = {
-      file = "${self}/secrets/gitea-database-password.age";
-      mode = "700";
-      owner = "gitea";
-    };
-    age.secrets.gitea-mailer-password = {
-      file = "${self}/secrets/gitea-mailer-password.age";
-      mode = "700";
-      owner = "gitea";
-    };
-
-    # # #
-    # # # Host packages and configuration
-    # # #
-
-    # caddy
-    services.caddy = {
-      enable = lib.mkForce true;
-      email = "admins@pub.solar";
-      globalConfig = lib.mkForce "";
-      virtualHosts = {
-        "auth.pub.solar" = {
-          logFormat = lib.mkForce ''
-            output discard
-          '';
-          extraConfig = ''
-            reverse_proxy :8080
-          '';
-        };
-        "git.pub.solar" = {
-          logFormat = lib.mkForce ''
-            output discard
-          '';
-          extraConfig = ''
-            reverse_proxy :3000
-          '';
-        };
-      };
-    };
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-    # keycloak
-    services.keycloak = {
-      enable = true;
-      database.passwordFile = config.age.secrets.keycloak-database-password.path;
-      settings = {
-        hostname = "auth.pub.solar";
-        http-host = "127.0.0.1";
-        http-port = 8080;
-        proxy = "edge";
-      };
-      themes = {
-        "pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
-      };
-    };
-
-    # gitea
-    services.gitea = {
-      enable = true;
-      appName = "pub.solar git server";
-      database = {
-        type = "postgres";
-        passwordFile = config.age.secrets.gitea-database-password.path;
-      };
-      domain = "git.pub.solar";
-      httpAddress = "127.0.0.1";
-      httpPort = 3000;
-      lfs.enable = true;
-      mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
-      rootUrl = "https://git.pub.solar";
-      settings = {
-        mailer = {
-          ENABLED = true;
-          MAILER_TYPE = "smtp";
-          HOST = "mail.greenbaum.cloud:465";
-          FROM = ''"pub.solar git server" <gitea@pub.solar>'';
-          USER = "admins@pub.solar";
-        };
-        "repository.signing" = {
-          SIGNING_KEY = "default";
-          MERGES = "always";
-        };
-        openid = {
-          ENABLE_OPENID_SIGNIN = true;
-          ENABLE_OPENID_SIGNUP = true;
-        };
-        # uncomment after initial deployment, first user is admin user
-        # required to setup SSO (oauth openid-connect, keycloak auth provider)
-        service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
-        session.COOKIE_SECURE = lib.mkForce true;
-      };
-    };
-    # Required for gitea server side gpg signatures
-    # configured / setup manually in
-    # /var/lib/gitea/data/home/.gitconfig and
-    # /var/lib/gitea/data/home/.gnupg/
-    programs.gnupg.agent = {
-      enable = true;
-      pinentryFlavor = "curses";
-    };
-    # Required to make gpg work without a graphical environment?
-    # otherwise generating a new gpg key fails with this error:
-    # gpg: agent_genkey failed: No pinentry
-    # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
-    environment.variables = {
-      GPG_TTY = "$(tty)";
-    };
-
-    # netbird
-
    # Allow sudo without a password for the barkeeper user
    security.sudo.extraRules = [
      {
--- a/hosts/flora-6/gitea.nix
+++ b/hosts/flora-6/gitea.nix
@ -0,0 +1,72 @@
+{ config
+, lib
+, pkgs
+, self
+, ...
+}:
+{
+  age.secrets.gitea-database-password = {
+    file = "${self}/secrets/gitea-database-password.age";
+    mode = "700";
+    owner = "gitea";
+  };
+  age.secrets.gitea-mailer-password = {
+    file = "${self}/secrets/gitea-mailer-password.age";
+    mode = "700";
+    owner = "gitea";
+  };
+
+  # gitea
+  services.gitea = {
+    enable = true;
+    appName = "pub.solar git server";
+    database = {
+      type = "postgres";
+      passwordFile = config.age.secrets.gitea-database-password.path;
+    };
+    domain = "git.pub.solar";
+    httpAddress = "127.0.0.1";
+    httpPort = 3000;
+    lfs.enable = true;
+    mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
+    rootUrl = "https://git.pub.solar";
+    settings = {
+      mailer = {
+        ENABLED = true;
+        MAILER_TYPE = "smtp";
+        HOST = "mail.greenbaum.cloud:465";
+        FROM = ''"pub.solar git server" <gitea@pub.solar>'';
+        USER = "admins@pub.solar";
+      };
+      "repository.signing" = {
+        SIGNING_KEY = "default";
+        MERGES = "always";
+      };
+      openid = {
+        ENABLE_OPENID_SIGNIN = true;
+        ENABLE_OPENID_SIGNUP = true;
+      };
+      # uncomment after initial deployment, first user is admin user
+      # required to setup SSO (oauth openid-connect, keycloak auth provider)
+      service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+      session.COOKIE_SECURE = lib.mkForce true;
+    };
+  };
+
+  # Required for gitea server side gpg signatures
+  # configured / setup manually in
+  # /var/lib/gitea/data/home/.gitconfig and
+  # /var/lib/gitea/data/home/.gnupg/
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryFlavor = "curses";
+  };
+  # Required to make gpg work without a graphical environment?
+  # otherwise generating a new gpg key fails with this error:
+  # gpg: agent_genkey failed: No pinentry
+  # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
+  environment.variables = {
+    GPG_TTY = "$(tty)";
+  };
+
+}
--- a/hosts/flora-6/keycloak.nix
+++ b/hosts/flora-6/keycloak.nix
@ -0,0 +1,29 @@
+{ config
+, lib
+, inputs
+, pkgs
+, self
+, ...
+}:
+{
+  age.secrets.keycloak-database-password = {
+    file = "${self}/secrets/keycloak-database-password.age";
+    mode = "700";
+    #owner = "keycloak";
+  };
+
+  # keycloak
+  services.keycloak = {
+    enable = true;
+    database.passwordFile = config.age.secrets.keycloak-database-password.path;
+    settings = {
+      hostname = "auth.pub.solar";
+      http-host = "127.0.0.1";
+      http-port = 8080;
+      proxy = "edge";
+    };
+    themes = {
+      "pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
+    };
+  };
+}