Sif config, remote website build, agenix for secrets

This commit is contained in:
Riley Apeldoorn 2022-05-27 13:34:37 +02:00
parent 16d45d2bc2
commit db168ad3a4
9 changed files with 170 additions and 6 deletions


@ -1,7 +1,9 @@
# Holds common settings for *all* systems, including both servers and
# clients.
{ pkgs, oxalica, ... }: {
{ pkgs, oxalica, agenix, ... }: {
imports = [ agenix.nixosModule ];
nix = {
optimise.automatic = true;
@ -24,6 +26,8 @@
];
};
age.secrets."website-secret".file = ./secrets/website-secret.age;
boot.cleanTmpDir = true;
environment.systemPackages = [
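Review bot: `age.secrets."website-secret".file` is added to the module whose header comment says it holds settings for *all* systems, so every host importing it will try to decrypt website-secret.age at activation, not only sif. Unless each of those hosts' keys is a recipient in secrets.nix, that decryption fails (or at least warns) on the clients, and it ties the secret's lifecycle to the common module instead of to its one consumer. Declaring it next to the service that uses it avoids both, e.g. in machines/sif/website.nix: `age.secrets."website-secret".file = ../../secrets/website-secret.age;` (adjust the relative path to wherever the .age file actually lives). The `imports = [ agenix.nixosModule ];` line can stay in the common module.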


@ -1,5 +1,23 @@
{
"nodes": {
"agenix": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1652712410,
"narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
"owner": "ryantm",
"repo": "agenix",
"rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1637014545,
@ -17,7 +35,7 @@
},
"home-manager": {
"inputs": {
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1653153149,
@ -34,6 +52,22 @@
}
},
"nixpkgs": {
"locked": {
"lastModified": 1638587357,
"narHash": "sha256-2ySMW3QARG8BsRPmwe7clTbdCuaObromOKewykP+UJc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e34c5379866833f41e2a36f309912fa675d687c7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-21.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1653117584,
"narHash": "sha256-5uUrHeHBIaySBTrRExcCoW8fBBYVSDjDYDU5A6iOl+k=",
@ -47,7 +81,7 @@
"type": "indirect"
}
},
"nixpkgs_2": {
"nixpkgs_3": {
"locked": {
"lastModified": 1653060744,
"narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
@ -63,7 +97,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1637453606,
"narHash": "sha256-Gy6cwUswft9xqsjWxFYEnx/63/qzaFUwatcbV5GF/GQ=",
@ -82,7 +116,7 @@
"oxalica": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3"
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1653273659,
@ -100,8 +134,9 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"oxalica": "oxalica"
}
}


@ -17,6 +17,11 @@
url = github:oxalica/rust-overlay;
};
# For managing secrets
agenix = {
url = "github:ryantm/agenix";
};
};
outputs = args: with args.nixpkgs; {
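Review bot: The new `agenix` input does not pin its `nixpkgs` to the root one, and the lock updated in this same commit shows the consequence: agenix's `inputs.nixpkgs` resolves to a separate `nixpkgs` node on `nixos-21.11` while the root uses `nixpkgs_3`. That means two nixpkgs trees to evaluate and an older one kept in the dependency graph for no reason; add `inputs.nixpkgs.follows = "nixpkgs";` inside the `agenix = { ... };` block and re-lock. The `outputs` function continues outside the hunk.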

3
machines/sif/README.md Normal file

@ -0,0 +1,3 @@
# Sif
Sif is the server that hosts my website. It's a Raspberry Pi 3.


@ -3,7 +3,15 @@
{
imports = [
../../modules
# Reverse proxy
./nginx.nix
# Website
./website.nix
];
networking.hostName = "sif";
@ -13,6 +21,8 @@
generic-extlinux-compatible.enable = true;
};
documentation.enable = false;
environment.systemPackages = with pkgs; [
git
vim
@ -33,6 +43,8 @@
extraGroups = [ "wheel" ];
};
networking.interfaces.eth0.useDHCP = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
fileSystems."/" = {
@ -40,4 +52,30 @@
fsType = "ext4";
};
nix = {
distributedBuilds = true;
buildMachines = [{
hostName = "thor";
systems = [
"x86_64-linux"
"aarch64-linux"
];
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
];
}];
};
programs.ssh.extraConfig = ''
Host thor
HostName thor
Port 22
User riley
IdentitiesOnly yes
IdentityFile /root/.ssh/id_ed25519
'';
}
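Review bot: The last hunk's `buildMachines` entry for thor and the root ssh config pin an identity (`IdentityFile /root/.ssh/id_ed25519`) but not thor's host key, so the first connection the nix-daemon opens to `HostName thor` either fails on an unknown host or trusts whatever key answers, depending on the ssh defaults in effect for root. Declare the key so the builder is verified: `programs.ssh.knownHosts.thor.publicKey = "<thor host key placeholder>";`. The user and identity can also be expressed on the builder itself with `sshUser = "riley"; sshKey = "/root/.ssh/id_ed25519";` in the `buildMachines` entry, which keeps the definition self-contained rather than relying on `programs.ssh.extraConfig`. Listing `aarch64-linux` under `systems` for thor only holds if thor has binfmt emulation or is itself aarch64; a one-line comment stating which would save the next reader a guess.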

42
machines/sif/nginx.nix Normal file

@ -0,0 +1,42 @@
{ ... }:
{
security.acme = {
acceptTerms = true;
email = "me@riley.lgbt";
};
services.nginx.enable = true;
services.nginx.virtualHosts = {
"riley.lgbt" = {
listen = [{
port = 443;
addr = "77.169.117.112";
}];
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
};
"rly.cx" = {
listen = [{
port = 443;
addr = "77.169.117.112";
}];
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
};
};
}
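Review bot: Both vhosts set `enableACME = true` but their explicit `listen` entries bind port 443 without `ssl = true`, and none of `forceSSL`/`addSSL`/`onlySSL` is set, so as far as I can tell from the nginx module's option semantics nginx ends up serving plain HTTP on 443 with no certificate directives and no port-80 listener for the HTTP-01 challenge that `enableACME` depends on. The usual shape is to drop the `listen` lists and set `forceSSL = true;` in each vhost, which gives the 80→443 redirect, the TLS listener and the challenge location together; if binding to one address is intended, recent nixpkgs has `listenAddresses = [ "77.169.117.112" ];` for that. The two vhost bodies are identical and could be generated once for both names (for example with `lib.genAttrs`, after adding `lib` to the module arguments), so the proxy settings have a single place to be edited.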

26
machines/sif/website.nix Normal file

@ -0,0 +1,26 @@
{ pkgs, lib, config, ... }:
let secret = config.age.secrets."website-secret".path;
website = pkgs.rustPlatform.buildRustPackage {
pname = "website";
version = "1.0.0";
cargoSha256 = "sha256-sT5BONGXWCpc+455TS1rc/SwNUtc6hXbwUMO/q/tiJ0=";
postPatch = ''
cp ${secret} secret
'';
src = pkgs.fetchgit {
url = "https://im.badat.dev/riley/website.git";
rev = "refs/heads/mistress";
sha256 = "sha256-NiFinpSOE1wokOgBmgpZfMqR9AsENA9t/N84c/Ms2vU=";
};
};
in {
systemd.services."website" = {
enable = true;
description = "Run my website :)";
path = [ website ];
script = "${website}/bin/website";
};
}
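Review bot: `postPatch` copies the agenix secret path into the Rust build, which puts the secret exactly where it must not go: the build runs in the Nix sandbox (or, with `distributedBuilds` enabled in this same commit, possibly on thor) where `/run/agenix` is not visible, and if the copy did succeed the secret would be part of the world-readable `website` store path, undoing the point of encrypting it. Hand the file to the process at runtime via `serviceConfig.LoadCredential` instead and read it from `$CREDENTIALS_DIRECTORY/secret`; if the program currently embeds the file at compile time, that has to change on the application side first. The service also has no `wantedBy`, so it is never started at boot, and `rev = "refs/heads/mistress"` is a moving branch that the fixed `sha256` will stop matching as soon as it advances, so pin a commit hash.
```nix
{ pkgs, lib, config, ... }:
let secret = config.age.secrets."website-secret".path;
    website = pkgs.rustPlatform.buildRustPackage {
      # … unchanged: pname, version, cargoSha256 …
      # postPatch removed: the secret is never copied into the build
      src = pkgs.fetchgit {
        url = "https://im.badat.dev/riley/website.git";
        rev = "<pinned commit hash placeholder>";
        sha256 = "<hash of that commit placeholder>";
      };
    };
in {
  systemd.services."website" = {
    # … unchanged: enable, description, path, script …
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      # systemd exposes it as $CREDENTIALS_DIRECTORY/secret, readable only by this unit
      LoadCredential = "secret:${secret}";
    };
  };
}
```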

4
secrets/secrets.nix Normal file

@ -0,0 +1,4 @@
let commonKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOIXreYQgV6lS0rJ1NlAbgq3Iv5FJ8o1MOr08NhLTGFG";
in {
"website-secret.age".publicKeys = [ commonKey ];
}
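Review bot: `website-secret.age` has a single recipient, so the only identity that can ever decrypt or re-encrypt it is the private half of `commonKey`; if that key is lost, or it is a host key that goes away on reinstall, the secret can neither be recovered nor rekeyed, and the name suggests one key may be shared across machines, which would let every one of them read this secret. List the sif host key and an admin key as separate recipients, e.g. `let sif = "<sif host key placeholder>"; admin = "<admin key placeholder>"; in { "website-secret.age".publicKeys = [ sif admin ]; }`, so `agenix -r` can rekey from a workstation and each secret is scoped to just the hosts that need it.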


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 ZEUNCQ D7HH+PR/jwjbb2LKJLVyADJjPvFflRDf61PywFWvpH0
4pEJdyC8Obe7t+S5a2Yn52lfM7klw8eAsfZ6H48ivbg
-> ^MruyW-grease S`2pFl
z8kUgel+3sOrgcGwRRRPcvqCF7X1EmmbR6mUymUbuT0
--- GvdH/J6Aa9dnK5QttDoOQTuZZos7s7xqPvPNJRF5A/k
€[Å4mm!‡Â¾8‰Ü,%<25><>t;´“'áNæª11ò™ÿOQh5×[' ¨_