user and group juggling
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
f5279133f8
commit
4625d62d83
|
@ -18,12 +18,46 @@ in {
|
|||
age.secrets."hosting.de-api.key" = {
|
||||
file = "${self}/secrets/hosting.de-api.key";
|
||||
mode = "440";
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/data/acme' 0750 root acme - -"
|
||||
];
|
||||
|
||||
users.groups.acme = {};
|
||||
ids.uids.acme = 997;
|
||||
ids.gids.acme = 997;
|
||||
|
||||
containers.acme = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.101.0";
|
||||
localAddress = "192.168.106.0";
|
||||
hostAddress6 = "fc00::1";
|
||||
localAddress6 = "fc00::6";
|
||||
|
||||
bindMounts = {
|
||||
"/var/lib/acme" = {
|
||||
hostPath = "/data/acme";
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
"${config.age.secrets."hosting.de-api.key".path}" = {
|
||||
hostPath = "${config.age.secrets."hosting.de-api.key".path}";
|
||||
isReadOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
networking.nameservers = ["1.1.1.1"];
|
||||
users.groups.acme = config.users.groups.acme;
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "acme@benjaminbaedorf.eu";
|
||||
defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||
defaults.group = "acme";
|
||||
|
||||
certs."b12f.io" = hostingdeProviderConf;
|
||||
certs."mail.b12f.io" = hostingdeProviderConf;
|
||||
|
@ -40,4 +74,6 @@ in {
|
|||
certs."list.${pubsolarDomain}" = hostingdeProviderConf;
|
||||
certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -6,7 +6,9 @@
|
|||
...
|
||||
}: let
|
||||
pubsolarDomain = import ./pubsolar-domain.nix;
|
||||
# Machine user for CI pipelines
|
||||
in {
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
networking.networkmanager.unmanaged = ["interface-name:ve-caddy"];
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
|
@ -17,13 +19,35 @@ in {
|
|||
# Lazy IPv6 connectivity for the container
|
||||
enableIPv6 = true;
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/data/www' 0750 root www - -"
|
||||
"d '/data/caddy' 0750 root caddy - -"
|
||||
];
|
||||
|
||||
users.groups.caddy = {};
|
||||
users.groups.www = {};
|
||||
users.users.hakkonaut.extraGroups = ["www"];
|
||||
ids.uids.www = 996;
|
||||
ids.gids.www = 996;
|
||||
|
||||
fileSystems."/var/lib/caddy" = {
|
||||
device = "/data/caddy";
|
||||
options = ["bind"];
|
||||
};
|
||||
|
||||
fileSystems."/srv/www" = {
|
||||
device = "/data/www";
|
||||
options = ["bind"];
|
||||
};
|
||||
|
||||
containers.caddy = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.101.0";
|
||||
localAddress = "192.168.102.0";
|
||||
localAddress = "192.168.103.0";
|
||||
hostAddress6 = "fc00::1";
|
||||
localAddress6 = "fc00::2";
|
||||
localAddress6 = "fc00::3";
|
||||
|
||||
forwardPorts = [
|
||||
{
|
||||
|
@ -40,20 +64,36 @@ in {
|
|||
|
||||
bindMounts = {
|
||||
"/srv/www/" = {
|
||||
hostPath = "/data/www/";
|
||||
hostPath = "/data/www";
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
"/var/lib/caddy/" = {
|
||||
hostPath = "/data/caddy";
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
"/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory" = {
|
||||
hostPath = "/data/acme";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
users.groups.caddy = {};
|
||||
users.groups.www = {};
|
||||
users.groups.acme = {};
|
||||
users.users.caddy.extraGroups = ["www" "acme"];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
environment.etc."resolv.conf".text = "nameserver 1.1.1.0";
|
||||
|
||||
services.caddy = {
|
||||
enable = lib.mkForce true;
|
||||
group = "hakkonaut";
|
||||
email = "admins@pub.solar";
|
||||
globalConfig = lib.mkForce ''
|
||||
auto_https off
|
||||
'';
|
||||
acmeCA = null;
|
||||
|
||||
email = "acme@benjaminbaedorf.eu";
|
||||
globalConfig = lib.mkForce "";
|
||||
|
||||
virtualHosts = {
|
||||
"dashboard.nougat-2.b12f.io" = {
|
||||
extraConfig = ''
|
||||
|
@ -113,7 +153,7 @@ in {
|
|||
'';
|
||||
extraConfig = ''
|
||||
redir / /realms/${pubsolarDomain}/account temporary
|
||||
reverse_proxy 192.168.103.0:8080
|
||||
reverse_proxy 192.168.104.0:8080
|
||||
'';
|
||||
};
|
||||
"git.${pubsolarDomain}" = {
|
||||
|
@ -122,7 +162,7 @@ in {
|
|||
'';
|
||||
extraConfig = ''
|
||||
redir /user/login /user/oauth2/keycloak temporary
|
||||
reverse_proxy 192.168.101.0:3000
|
||||
reverse_proxy 192.168.105.0:3000
|
||||
'';
|
||||
};
|
||||
"ci.${pubsolarDomain}" = {
|
||||
|
@ -135,7 +175,6 @@ in {
|
|||
};
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -33,22 +33,31 @@ in {
|
|||
description = "Concourse Service";
|
||||
home = "/var/lib/concourse";
|
||||
useDefaultShell = true;
|
||||
uid = 10001;
|
||||
group = "concourse";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
users.groups.concourse = {};
|
||||
users.groups.postgres = {};
|
||||
ids.uids.concourse = 995;
|
||||
ids.gids.concourse = 995;
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/var/lib/concourse' 0750 concourse concourse - -"
|
||||
"d '/data/concourse/db' 0770 ${builtins.toString config.ids.uids.postgres} postgres - -"
|
||||
];
|
||||
|
||||
system.activationScripts.mkConcourseNet = let
|
||||
docker = config.virtualisation.oci-containers.backend;
|
||||
dockerBin = "${pkgs.${docker}}/bin/${docker}";
|
||||
in ''
|
||||
${dockerBin} network inspect concourse-net >/dev/null 2>&1 || ${dockerBin} network create concourse-net --subnet 172.20.0.0/24
|
||||
'';
|
||||
|
||||
virtualisation.oci-containers = {
|
||||
containers."concourse-db" = {
|
||||
image = "postgres:14";
|
||||
autoStart = true;
|
||||
user = "994";
|
||||
user = builtins.toString config.ids.uids.postgres;
|
||||
volumes = [
|
||||
"/data/concourse/db:/var/lib/postgresql/data"
|
||||
];
|
||||
|
@ -63,7 +72,7 @@ in {
|
|||
containers."concourse" = {
|
||||
image = "concourse/concourse:7.9.1";
|
||||
autoStart = true;
|
||||
user = "10001";
|
||||
user = builtins.toString config.ids.uids.concourse;
|
||||
ports = [
|
||||
"8080:8080"
|
||||
];
|
||||
|
|
|
@ -76,7 +76,7 @@ in {
|
|||
interface = "enp0s31f6";
|
||||
};
|
||||
|
||||
networking.nameservers = ["8.8.8.8"];
|
||||
networking.nameservers = ["1.1.1.1"];
|
||||
|
||||
# Initial empty root password for easy login:
|
||||
users.users.root.initialHashedPassword = "";
|
||||
|
@ -85,6 +85,21 @@ in {
|
|||
then psCfg.user.publicKeys
|
||||
else [];
|
||||
|
||||
users.users.hakkonaut = {
|
||||
home = "/home/hakkonaut";
|
||||
description = "CI and automation user";
|
||||
useDefaultShell = true;
|
||||
group = "hakkonaut";
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
|
||||
];
|
||||
};
|
||||
|
||||
users.groups.hakkonaut = {};
|
||||
ids.uids.hakkonaut = 998;
|
||||
ids.gids.hakkonaut = 998;
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||||
|
||||
|
@ -94,9 +109,6 @@ in {
|
|||
virtualisation = {
|
||||
docker = {
|
||||
enable = true;
|
||||
extraOptions = ''
|
||||
--data-root /data/docker
|
||||
'';
|
||||
};
|
||||
|
||||
oci-containers = {
|
||||
|
|
|
@ -10,7 +10,7 @@ in {
|
|||
age.secrets.gitea-database-password = {
|
||||
file = "${self}/secrets/gitea-database-password.age";
|
||||
mode = "600";
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
};
|
||||
|
||||
# age.secrets.gitea-mailer-password = {
|
||||
|
@ -19,6 +19,44 @@ in {
|
|||
# owner = "gitea";
|
||||
# };
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/data/gitea/db' 0770 root postgres - -"
|
||||
"d '/data/gitea/gitea' 0770 root gitea - -"
|
||||
];
|
||||
|
||||
users.groups.postgres = {};
|
||||
users.groups.gitea = {};
|
||||
ids.uids.gitea = 994;
|
||||
ids.gids.gitea = 994;
|
||||
|
||||
containers.gitea = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.101.0";
|
||||
localAddress = "192.168.105.0";
|
||||
hostAddress6 = "fc00::1";
|
||||
localAddress6 = "fc00::5";
|
||||
|
||||
bindMounts = {
|
||||
"/var/lib/postgresql/14" = {
|
||||
hostPath = "/data/gitea/db";
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
"/var/lib/gitea" = {
|
||||
hostPath = "/data/gitea/gitea";
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
"${config.age.secrets.gitea-database-password.path}" = {
|
||||
hostPath = "${config.age.secrets.gitea-database-password.path}";
|
||||
isReadOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
networking.nameservers = ["1.1.1.1"];
|
||||
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
package = pkgs.forgejo;
|
||||
|
@ -81,4 +119,6 @@ in {
|
|||
environment.variables = {
|
||||
GPG_TTY = "$(tty)";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -10,26 +10,42 @@
|
|||
in {
|
||||
age.secrets.keycloak-database-password = {
|
||||
file = "${self}/secrets/keycloak-database-password.age";
|
||||
mode = "700";
|
||||
#owner = "keycloak";
|
||||
mode = "770";
|
||||
group = "keycloak";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/data/keycloak/db' 0770 root postgres - -"
|
||||
];
|
||||
|
||||
users.groups.postgres = {};
|
||||
users.groups.keycloak = {};
|
||||
ids.uids.keycloak = 993;
|
||||
ids.gids.keycloak = 993;
|
||||
|
||||
containers.keycloak = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.101.0";
|
||||
localAddress = "192.168.103.0";
|
||||
localAddress = "192.168.104.0";
|
||||
hostAddress6 = "fc00::1";
|
||||
localAddress6 = "fc00::3";
|
||||
localAddress6 = "fc00::4";
|
||||
|
||||
bindMounts = {
|
||||
"/var/lib/postgresql/14" = {
|
||||
hostPath = "/data/keycloak/db";
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
"${config.age.secrets.keycloak-database-password.path}" = {
|
||||
hostPath = "${config.age.secrets.keycloak-database-password.path}";
|
||||
isReadOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
networking.nameservers = ["1.1.1.1"];
|
||||
|
||||
services.keycloak = {
|
||||
enable = true;
|
||||
database.passwordFile = config.age.secrets.keycloak-database-password.path;
|
||||
|
|
Loading…
Reference in a new issue