user and group juggling
This commit is contained in:
parent
f5279133f8
commit
4625d62d83
|
@ -18,12 +18,46 @@ in {
|
||||||
age.secrets."hosting.de-api.key" = {
|
age.secrets."hosting.de-api.key" = {
|
||||||
file = "${self}/secrets/hosting.de-api.key";
|
file = "${self}/secrets/hosting.de-api.key";
|
||||||
mode = "440";
|
mode = "440";
|
||||||
owner = "acme";
|
group = "acme";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '/data/acme' 0750 root acme - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
users.groups.acme = {};
|
||||||
|
ids.uids.acme = 997;
|
||||||
|
ids.gids.acme = 997;
|
||||||
|
|
||||||
|
containers.acme = {
|
||||||
|
autoStart = true;
|
||||||
|
privateNetwork = true;
|
||||||
|
hostAddress = "192.168.101.0";
|
||||||
|
localAddress = "192.168.106.0";
|
||||||
|
hostAddress6 = "fc00::1";
|
||||||
|
localAddress6 = "fc00::6";
|
||||||
|
|
||||||
|
bindMounts = {
|
||||||
|
"/var/lib/acme" = {
|
||||||
|
hostPath = "/data/acme";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
"${config.age.secrets."hosting.de-api.key".path}" = {
|
||||||
|
hostPath = "${config.age.secrets."hosting.de-api.key".path}";
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
networking.nameservers = ["1.1.1.1"];
|
||||||
|
users.groups.acme = config.users.groups.acme;
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults.email = "acme@benjaminbaedorf.eu";
|
defaults.email = "acme@benjaminbaedorf.eu";
|
||||||
|
defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||||
|
defaults.group = "acme";
|
||||||
|
|
||||||
certs."b12f.io" = hostingdeProviderConf;
|
certs."b12f.io" = hostingdeProviderConf;
|
||||||
certs."mail.b12f.io" = hostingdeProviderConf;
|
certs."mail.b12f.io" = hostingdeProviderConf;
|
||||||
|
@ -40,4 +74,6 @@ in {
|
||||||
certs."list.${pubsolarDomain}" = hostingdeProviderConf;
|
certs."list.${pubsolarDomain}" = hostingdeProviderConf;
|
||||||
certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf;
|
certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf;
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
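Review bot: `defaults.server` in the `security.acme` block now points every certificate — including the production names b12f.io, mail.b12f.io and the pubsolar hosts — at the Let's Encrypt staging directory, whose certificates are not trusted by browsers or mail clients, and nothing in the hunk marks this as temporary. If staging is intended while the container move is validated, say so next to the line, e.g. `# TEMP: staging CA while the acme container is validated; issued certs are untrusted until this is removed`, otherwise drop the line so the module's production default applies. The `owner = "acme"` line on the hosting.de key was removed, so the file falls back to the module's default owner; with `mode = "440"` and `group = "acme"` (and the group copied into the container via `users.groups.acme = config.users.groups.acme;`) the container still reads it, which looks intended but deserves a one-line comment. The enclosing `in {` attribute set starts before the first hunk.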
|
|
|
@ -6,7 +6,9 @@
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
pubsolarDomain = import ./pubsolar-domain.nix;
|
pubsolarDomain = import ./pubsolar-domain.nix;
|
||||||
|
# Machine user for CI pipelines
|
||||||
in {
|
in {
|
||||||
|
networking.firewall.allowedTCPPorts = [80 443];
|
||||||
networking.networkmanager.unmanaged = ["interface-name:ve-caddy"];
|
networking.networkmanager.unmanaged = ["interface-name:ve-caddy"];
|
||||||
networking.nat = {
|
networking.nat = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -17,13 +19,35 @@ in {
|
||||||
# Lazy IPv6 connectivity for the container
|
# Lazy IPv6 connectivity for the container
|
||||||
enableIPv6 = true;
|
enableIPv6 = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '/data/www' 0750 root www - -"
|
||||||
|
"d '/data/caddy' 0750 root caddy - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
users.groups.caddy = {};
|
||||||
|
users.groups.www = {};
|
||||||
|
users.users.hakkonaut.extraGroups = ["www"];
|
||||||
|
ids.uids.www = 996;
|
||||||
|
ids.gids.www = 996;
|
||||||
|
|
||||||
|
fileSystems."/var/lib/caddy" = {
|
||||||
|
device = "/data/caddy";
|
||||||
|
options = ["bind"];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/srv/www" = {
|
||||||
|
device = "/data/www";
|
||||||
|
options = ["bind"];
|
||||||
|
};
|
||||||
|
|
||||||
containers.caddy = {
|
containers.caddy = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "192.168.101.0";
|
hostAddress = "192.168.101.0";
|
||||||
localAddress = "192.168.102.0";
|
localAddress = "192.168.103.0";
|
||||||
hostAddress6 = "fc00::1";
|
hostAddress6 = "fc00::1";
|
||||||
localAddress6 = "fc00::2";
|
localAddress6 = "fc00::3";
|
||||||
|
|
||||||
forwardPorts = [
|
forwardPorts = [
|
||||||
{
|
{
|
||||||
|
@ -40,20 +64,36 @@ in {
|
||||||
|
|
||||||
bindMounts = {
|
bindMounts = {
|
||||||
"/srv/www/" = {
|
"/srv/www/" = {
|
||||||
hostPath = "/data/www/";
|
hostPath = "/data/www";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
"/var/lib/caddy/" = {
|
||||||
|
hostPath = "/data/caddy";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
"/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory" = {
|
||||||
|
hostPath = "/data/acme";
|
||||||
isReadOnly = false;
|
isReadOnly = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
users.groups.caddy = {};
|
||||||
|
users.groups.www = {};
|
||||||
|
users.groups.acme = {};
|
||||||
|
users.users.caddy.extraGroups = ["www" "acme"];
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [80 443];
|
||||||
|
environment.etc."resolv.conf".text = "nameserver 1.1.1.0";
|
||||||
|
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = lib.mkForce true;
|
enable = lib.mkForce true;
|
||||||
group = "hakkonaut";
|
|
||||||
email = "admins@pub.solar";
|
email = "acme@benjaminbaedorf.eu";
|
||||||
globalConfig = lib.mkForce ''
|
globalConfig = lib.mkForce "";
|
||||||
auto_https off
|
|
||||||
'';
|
|
||||||
acmeCA = null;
|
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"dashboard.nougat-2.b12f.io" = {
|
"dashboard.nougat-2.b12f.io" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -113,7 +153,7 @@ in {
|
||||||
'';
|
'';
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
redir / /realms/${pubsolarDomain}/account temporary
|
redir / /realms/${pubsolarDomain}/account temporary
|
||||||
reverse_proxy 192.168.103.0:8080
|
reverse_proxy 192.168.104.0:8080
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"git.${pubsolarDomain}" = {
|
"git.${pubsolarDomain}" = {
|
||||||
|
@ -122,7 +162,7 @@ in {
|
||||||
'';
|
'';
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
redir /user/login /user/oauth2/keycloak temporary
|
redir /user/login /user/oauth2/keycloak temporary
|
||||||
reverse_proxy 192.168.101.0:3000
|
reverse_proxy 192.168.105.0:3000
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"ci.${pubsolarDomain}" = {
|
"ci.${pubsolarDomain}" = {
|
||||||
|
@ -135,7 +175,6 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
networking.firewall.allowedTCPPorts = [80 443];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
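Review bot: `environment.etc."resolv.conf".text = "nameserver 1.1.1.0"` in the caddy container config uses an address that is not a published resolver (Cloudflare's are 1.1.1.1 and 1.0.0.1) and differs from the other containers in this commit, which all set `networking.nameservers = ["1.1.1.1"];`; this looks like a typo, and the same option should be used here for consistency. The new bind mount of `/data/acme` into the caddy container at the certificate path is `isReadOnly = false` while the acme container is the one that writes there; unless caddy itself needs to write into that directory, `isReadOnly = true;` keeps the web server from being able to alter the certificate store. The `# Machine user for CI pipelines` comment added to the `let` block describes nothing at that spot (the hakkonaut user is defined in the host configuration), so it should move next to that definition or be dropped. Several `virtualHosts` entries continue outside the hunks shown.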
|
|
|
@ -33,22 +33,31 @@ in {
|
||||||
description = "Concourse Service";
|
description = "Concourse Service";
|
||||||
home = "/var/lib/concourse";
|
home = "/var/lib/concourse";
|
||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
uid = 10001;
|
|
||||||
group = "concourse";
|
group = "concourse";
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.concourse = {};
|
users.groups.concourse = {};
|
||||||
|
users.groups.postgres = {};
|
||||||
|
ids.uids.concourse = 995;
|
||||||
|
ids.gids.concourse = 995;
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '/var/lib/concourse' 0750 concourse concourse - -"
|
"d '/data/concourse/db' 0770 ${builtins.toString config.ids.uids.postgres} postgres - -"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
system.activationScripts.mkConcourseNet = let
|
||||||
|
docker = config.virtualisation.oci-containers.backend;
|
||||||
|
dockerBin = "${pkgs.${docker}}/bin/${docker}";
|
||||||
|
in ''
|
||||||
|
${dockerBin} network inspect concourse-net >/dev/null 2>&1 || ${dockerBin} network create concourse-net --subnet 172.20.0.0/24
|
||||||
|
'';
|
||||||
|
|
||||||
virtualisation.oci-containers = {
|
virtualisation.oci-containers = {
|
||||||
containers."concourse-db" = {
|
containers."concourse-db" = {
|
||||||
image = "postgres:14";
|
image = "postgres:14";
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
user = "994";
|
user = builtins.toString config.ids.uids.postgres;
|
||||||
volumes = [
|
volumes = [
|
||||||
"/data/concourse/db:/var/lib/postgresql/data"
|
"/data/concourse/db:/var/lib/postgresql/data"
|
||||||
];
|
];
|
||||||
|
@ -63,7 +72,7 @@ in {
|
||||||
containers."concourse" = {
|
containers."concourse" = {
|
||||||
image = "concourse/concourse:7.9.1";
|
image = "concourse/concourse:7.9.1";
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
user = "10001";
|
user = builtins.toString config.ids.uids.concourse;
|
||||||
ports = [
|
ports = [
|
||||||
"8080:8080"
|
"8080:8080"
|
||||||
];
|
];
|
||||||
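Review bot: `system.activationScripts.mkConcourseNet` calls the container engine at activation time, and at boot activation scripts run before the engine's service is up, so as far as I can tell the `network create` would fail on a fresh boot until the next switch, leaving the concourse containers without `concourse-net`. A oneshot systemd unit ordered after the engine's service expresses the dependency directly and is retried by systemd if the engine is not ready yet (for a podman backend the unit name differs, so the `${docker}.service` reference below should be checked). Separately, the tmpfiles rule for `/var/lib/concourse` was replaced rather than extended, so the concourse user's `home` is no longer created by this file unless something else does it. The `virtualisation.oci-containers` block continues outside the hunk.
```nix
systemd.services.mkConcourseNet = let
  docker = config.virtualisation.oci-containers.backend;
  dockerBin = "${pkgs.${docker}}/bin/${docker}";
in {
  description = "Create the concourse-net container network";
  after = ["${docker}.service"];
  requires = ["${docker}.service"];
  wantedBy = ["multi-user.target"];
  serviceConfig.Type = "oneshot";
  script = ''
    ${dockerBin} network inspect concourse-net >/dev/null 2>&1 || ${dockerBin} network create concourse-net --subnet 172.20.0.0/24
  '';
};
# … unchanged: virtualisation.oci-containers block …
```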
|
|
|
@ -76,7 +76,7 @@ in {
|
||||||
interface = "enp0s31f6";
|
interface = "enp0s31f6";
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.nameservers = ["8.8.8.8"];
|
networking.nameservers = ["1.1.1.1"];
|
||||||
|
|
||||||
# Initial empty root password for easy login:
|
# Initial empty root password for easy login:
|
||||||
users.users.root.initialHashedPassword = "";
|
users.users.root.initialHashedPassword = "";
|
||||||
|
@ -85,6 +85,21 @@ in {
|
||||||
then psCfg.user.publicKeys
|
then psCfg.user.publicKeys
|
||||||
else [];
|
else [];
|
||||||
|
|
||||||
|
users.users.hakkonaut = {
|
||||||
|
home = "/home/hakkonaut";
|
||||||
|
description = "CI and automation user";
|
||||||
|
useDefaultShell = true;
|
||||||
|
group = "hakkonaut";
|
||||||
|
isSystemUser = true;
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
users.groups.hakkonaut = {};
|
||||||
|
ids.uids.hakkonaut = 998;
|
||||||
|
ids.gids.hakkonaut = 998;
|
||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||||||
|
|
||||||
|
@ -94,9 +109,6 @@ in {
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
docker = {
|
docker = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraOptions = ''
|
|
||||||
--data-root /data/docker
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
oci-containers = {
|
oci-containers = {
|
||||||
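Review bot: `users.users.hakkonaut` gets `home = "/home/hakkonaut"` and an SSH key but no `createHome`, so on a fresh host the directory will not exist when the first login lands; if the home is not provisioned elsewhere, add `createHome = true;`. The authorized key is installed on an `isSystemUser = true` account with a login shell, so a short comment stating what the account is for and which groups it needs, e.g. `# hakkonaut: SSH account used by CI (key comment hakkonaut@flora-6); only needs the www group`, would make its scope reviewable later. Removing `--data-root /data/docker` moves the engine's state back to its default location, which is a data-migration step rather than a plain config change; presumably that was intended, but it is worth confirming that existing images and volumes were moved. The `virtualisation` block continues outside the hunk.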
|
|
|
@ -10,7 +10,7 @@ in {
|
||||||
age.secrets.gitea-database-password = {
|
age.secrets.gitea-database-password = {
|
||||||
file = "${self}/secrets/gitea-database-password.age";
|
file = "${self}/secrets/gitea-database-password.age";
|
||||||
mode = "600";
|
mode = "600";
|
||||||
owner = "gitea";
|
group = "gitea";
|
||||||
};
|
};
|
||||||
|
|
||||||
# age.secrets.gitea-mailer-password = {
|
# age.secrets.gitea-mailer-password = {
|
||||||
|
@ -19,6 +19,44 @@ in {
|
||||||
# owner = "gitea";
|
# owner = "gitea";
|
||||||
# };
|
# };
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '/data/gitea/db' 0770 root postgres - -"
|
||||||
|
"d '/data/gitea/gitea' 0770 root gitea - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
users.groups.postgres = {};
|
||||||
|
users.groups.gitea = {};
|
||||||
|
ids.uids.gitea = 994;
|
||||||
|
ids.gids.gitea = 994;
|
||||||
|
|
||||||
|
containers.gitea = {
|
||||||
|
autoStart = true;
|
||||||
|
privateNetwork = true;
|
||||||
|
hostAddress = "192.168.101.0";
|
||||||
|
localAddress = "192.168.105.0";
|
||||||
|
hostAddress6 = "fc00::1";
|
||||||
|
localAddress6 = "fc00::5";
|
||||||
|
|
||||||
|
bindMounts = {
|
||||||
|
"/var/lib/postgresql/14" = {
|
||||||
|
hostPath = "/data/gitea/db";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
"/var/lib/gitea" = {
|
||||||
|
hostPath = "/data/gitea/gitea";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
"${config.age.secrets.gitea-database-password.path}" = {
|
||||||
|
hostPath = "${config.age.secrets.gitea-database-password.path}";
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
networking.nameservers = ["1.1.1.1"];
|
||||||
|
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.forgejo;
|
package = pkgs.forgejo;
|
||||||
|
@ -81,4 +119,6 @@ in {
|
||||||
environment.variables = {
|
environment.variables = {
|
||||||
GPG_TTY = "$(tty)";
|
GPG_TTY = "$(tty)";
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
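Review bot: `age.secrets.gitea-database-password` now sets `group = "gitea"` in place of `owner = "gitea"` while keeping `mode = "600"`, so the file falls back to the module's default owner and the gitea group that was just assigned has no read access at all; the gitea service inside the container, running as the gitea user, would then fail to read its database password. Either keep the owner or loosen the mode to group-read, `mode = "440";`, matching what this commit does for the hosting.de key in the acme file. The `"d '/data/gitea/db' 0770 root postgres - -"` rule creates a group-writable PostgreSQL data directory; PostgreSQL rejects a data directory that is group-writable (it wants 0700 or 0750), so unless the container's postgresql unit resets the mode itself, `0750` is the safer choice — the same applies to `/data/keycloak/db` in the keycloak file. The `services.gitea` block continues outside the hunk.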
|
|
|
@ -10,26 +10,42 @@
|
||||||
in {
|
in {
|
||||||
age.secrets.keycloak-database-password = {
|
age.secrets.keycloak-database-password = {
|
||||||
file = "${self}/secrets/keycloak-database-password.age";
|
file = "${self}/secrets/keycloak-database-password.age";
|
||||||
mode = "700";
|
mode = "770";
|
||||||
#owner = "keycloak";
|
group = "keycloak";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '/data/keycloak/db' 0770 root postgres - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
users.groups.postgres = {};
|
||||||
|
users.groups.keycloak = {};
|
||||||
|
ids.uids.keycloak = 993;
|
||||||
|
ids.gids.keycloak = 993;
|
||||||
|
|
||||||
containers.keycloak = {
|
containers.keycloak = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "192.168.101.0";
|
hostAddress = "192.168.101.0";
|
||||||
localAddress = "192.168.103.0";
|
localAddress = "192.168.104.0";
|
||||||
hostAddress6 = "fc00::1";
|
hostAddress6 = "fc00::1";
|
||||||
localAddress6 = "fc00::3";
|
localAddress6 = "fc00::4";
|
||||||
|
|
||||||
bindMounts = {
|
bindMounts = {
|
||||||
"/var/lib/postgresql/14" = {
|
"/var/lib/postgresql/14" = {
|
||||||
hostPath = "/data/keycloak/db";
|
hostPath = "/data/keycloak/db";
|
||||||
isReadOnly = false;
|
isReadOnly = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"${config.age.secrets.keycloak-database-password.path}" = {
|
||||||
|
hostPath = "${config.age.secrets.keycloak-database-password.path}";
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
networking.nameservers = ["1.1.1.1"];
|
||||||
|
|
||||||
services.keycloak = {
|
services.keycloak = {
|
||||||
enable = true;
|
enable = true;
|
||||||
database.passwordFile = config.age.secrets.keycloak-database-password.path;
|
database.passwordFile = config.age.secrets.keycloak-database-password.path;
|
||||||
|
|
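Review bot: `mode = "770"` on `age.secrets.keycloak-database-password` makes the database password file group-writable and executable, which is broader than any reader needs; the file is bind-mounted read-only into the container and only consumed through `database.passwordFile`, so `mode = "440";` with the new `group = "keycloak"` is sufficient and matches the hosting.de key in the acme file. With `#owner = "keycloak"` gone the owner falls back to the module's default, so group read is the only path keycloak has to the file; a comment such as `# read by the keycloak container through the read-only bind mount below` would make that dependency visible. Note also that `ids.gids.keycloak = 993` pins the gid on the host only; if the container allocates its own keycloak group id, the host-side group bit will not line up — the acme file handles this by copying the group definition into the container config (`users.groups.acme = config.users.groups.acme;`), and the gitea file has the same gap. The `services.keycloak` block continues outside the hunk.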