From db168ad3a4dacb5e167e83b97f19c1d4f0bca8cd Mon Sep 17 00:00:00 2001 From: Riley Apeldoorn Date: Fri, 27 May 2022 13:34:37 +0200 Subject: [PATCH] Sif config, remote website build, agenix for secrets --- common.nix | 6 ++++- flake.lock | 45 ++++++++++++++++++++++++++++++---- flake.nix | 5 ++++ machines/sif/README.md | 3 +++ machines/sif/configuration.nix | 38 ++++++++++++++++++++++++++++ machines/sif/nginx.nix | 42 +++++++++++++++++++++++++++++++ machines/sif/website.nix | 26 ++++++++++++++++++++ secrets/secrets.nix | 4 +++ secrets/website-secret.age | 7 ++++++ 9 files changed, 170 insertions(+), 6 deletions(-) create mode 100644 machines/sif/README.md create mode 100644 machines/sif/nginx.nix create mode 100644 machines/sif/website.nix create mode 100644 secrets/secrets.nix create mode 100644 secrets/website-secret.age diff --git a/common.nix b/common.nix index 9d21577..55a0f0e 100644 --- a/common.nix +++ b/common.nix @@ -1,7 +1,9 @@ # Holds common settings for *all* systems, including both servers and # clients. -{ pkgs, oxalica, ... }: { +{ pkgs, oxalica, agenix, ... }: { + + imports = [ agenix.nixosModule ]; nix = { optimise.automatic = true; @@ -24,6 +26,8 @@ ]; }; + age.secrets."website-secret".file = ./secrets/website-secret.age; + boot.cleanTmpDir = true; environment.systemPackages = [ diff --git a/flake.lock b/flake.lock index 5b3ee07..7a13626 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,23 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1652712410, + "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=", + "owner": "ryantm", + "repo": "agenix", + "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1637014545, 
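Review bot: `age.secrets."website-secret".file = ./secrets/website-secret.age;` is declared in common.nix, whose own header says it holds settings for *all* systems including clients, so every host that imports this file and holds the matching key will decrypt the website secret into its /run/agenix at activation even though only sif consumes it. Declare the secret next to its consumer instead, i.e. move this line into machines/sif/website.nix (or sif's configuration.nix), and keep common.nix to the shared `imports = [ agenix.nixosModule ];`. As far as I recall agenix's activation script, a host that does not hold a matching key will also fail to activate this secret rather than skip it, which is worth checking before the next client rebuild.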
@@ -17,7 +35,7 @@ }, "home-manager": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1653153149, @@ -34,6 +52,22 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1638587357, + "narHash": "sha256-2ySMW3QARG8BsRPmwe7clTbdCuaObromOKewykP+UJc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e34c5379866833f41e2a36f309912fa675d687c7", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-21.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1653117584, "narHash": "sha256-5uUrHeHBIaySBTrRExcCoW8fBBYVSDjDYDU5A6iOl+k=", @@ -47,7 +81,7 @@ "type": "indirect" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1653060744, "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", @@ -63,7 +97,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1637453606, "narHash": "sha256-Gy6cwUswft9xqsjWxFYEnx/63/qzaFUwatcbV5GF/GQ=", @@ -82,7 +116,7 @@ "oxalica": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1653273659, @@ -100,8 +134,9 @@ }, "root": { "inputs": { + "agenix": "agenix", "home-manager": "home-manager", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "oxalica": "oxalica" } } diff --git a/flake.nix b/flake.nix index c52903f..db49b4c 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,11 @@ url = github:oxalica/rust-overlay; }; + # For managing secrets + agenix = { + url = "github:ryantm/agenix"; + }; + }; outputs = args: with args.nixpkgs; { diff --git a/machines/sif/README.md b/machines/sif/README.md new file mode 100644 index 0000000..c1ebd51 --- /dev/null +++ b/machines/sif/README.md @@ -0,0 +1,3 @@ +# Sif + +Sif is the server that hosts my website. It's a Raspberry Pi 3. diff --git a/machines/sif/configuration.nix b/machines/sif/configuration.nix index 093837a..2b6425b 100644 --- a/machines/sif/configuration.nix 
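Review bot: The new `agenix` input declares no `inputs.nixpkgs.follows`, so agenix brings its own nixpkgs pin — the flake.lock in this same patch gains a second `nixpkgs` node on `nixos-21.11` (lastModified 1638587357, late 2021) beside the one the rest of the system uses. That older tree is what agenix's own packages get built from, which is an extra dependency set to track for security updates. Add `inputs.nixpkgs.follows = "nixpkgs";` inside the `agenix = { ... };` block and re-lock so there is a single nixpkgs pin.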
+++ b/machines/sif/configuration.nix @@ -3,7 +3,15 @@ { imports = [ + ../../modules + + # Reverse proxy + ./nginx.nix + + # Website + ./website.nix + ]; networking.hostName = "sif"; @@ -13,6 +21,8 @@ generic-extlinux-compatible.enable = true; }; + documentation.enable = false; + environment.systemPackages = with pkgs; [ git vim @@ -33,6 +43,8 @@ extraGroups = [ "wheel" ]; }; + networking.interfaces.eth0.useDHCP = true; + boot.kernelPackages = pkgs.linuxPackages_latest; fileSystems."/" = { @@ -40,4 +52,30 @@ fsType = "ext4"; }; + nix = { + distributedBuilds = true; + buildMachines = [{ + hostName = "thor"; + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + supportedFeatures = [ + "nixos-test" + "benchmark" + "big-parallel" + "kvm" + ]; + }]; + }; + + programs.ssh.extraConfig = '' + Host thor + HostName thor + Port 22 + User riley + IdentitiesOnly yes + IdentityFile /root/.ssh/id_ed25519 + ''; + } diff --git a/machines/sif/nginx.nix b/machines/sif/nginx.nix new file mode 100644 index 0000000..faa7941 --- /dev/null +++ b/machines/sif/nginx.nix @@ -0,0 +1,42 @@ +{ ... }: + +{ + + security.acme = { + acceptTerms = true; + email = "me@riley.lgbt"; + }; + + services.nginx.enable = true; + services.nginx.virtualHosts = { + "riley.lgbt" = { + listen = [{ + port = 443; + addr = "77.169.117.112"; + }]; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + extraConfig = '' + proxy_set_header Host $host; + proxy_buffering off; + ''; + }; + }; + "rly.cx" = { + listen = [{ + port = 443; + addr = "77.169.117.112"; + }]; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + extraConfig = '' + proxy_set_header Host $host; + proxy_buffering off; + ''; + }; + }; + }; + +} diff --git a/machines/sif/website.nix b/machines/sif/website.nix new file mode 100644 index 0000000..c7bda2a --- /dev/null +++ b/machines/sif/website.nix 
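Review bot: The `Host thor` block added for the remote builder pins no host key — there is no matching `programs.ssh.knownHosts.thor` entry — so the first build the nix daemon ships to thor as root either trusts whatever key answers (TOFU) or, under the daemon's non-interactive ssh, fails outright; I can't tell which from here. Since a remote builder returns store paths that sif will then run, including the website binary built in website.nix, the connection should be pinned with `programs.ssh.knownHosts.thor.publicKey = "ssh-ed25519 AAAA...";` using thor's actual host key. Consider also setting `nix.buildMachines.*.sshKey = "/root/.ssh/id_ed25519";` so the builder definition is self-contained instead of relying on the global ssh config. The `nix` and `programs.ssh` attributes sit inside the configuration attribute set whose opening is above this hunk.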
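Review bot: Both vhosts set `listen = [{ port = 443; addr = "77.169.117.112"; }]` without `ssl = true` and without `forceSSL`/`addSSL`, so as far as I read the NixOS nginx module the generated directive is a plain `listen 77.169.117.112:443;` with no `ssl_certificate` lines — the ACME certificate gets issued but nginx serves cleartext HTTP on port 443. There is also no port-80 listener, which the HTTP-01 challenge behind `enableACME` relies on, and a hard-coded public address will keep nginx from binding at all if that address is not actually on eth0 (which this patch switches to DHCP), e.g. behind NAT. The simplest fix is to drop both explicit `listen` blocks and set `forceSSL = true;` beside `enableACME = true;` in each vhost, which gives the default :80 redirect plus :443 ssl listeners. The two vhost bodies are identical down to `proxyPass = "http://localhost:3000"`, so a shared `let` binding would keep them from drifting apart.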
@@ -0,0 +1,26 @@ +{ pkgs, lib, config, ... }: + +let secret = config.age.secrets."website-secret".path; + website = pkgs.rustPlatform.buildRustPackage { + pname = "website"; + version = "1.0.0"; + cargoSha256 = "sha256-sT5BONGXWCpc+455TS1rc/SwNUtc6hXbwUMO/q/tiJ0="; + + postPatch = '' + cp ${secret} secret + ''; + + src = pkgs.fetchgit { + url = "https://im.badat.dev/riley/website.git"; + rev = "refs/heads/mistress"; + sha256 = "sha256-NiFinpSOE1wokOgBmgpZfMqR9AsENA9t/N84c/Ms2vU="; + }; + }; +in { + systemd.services."website" = { + enable = true; + description = "Run my website :)"; + path = [ website ]; + script = "${website}/bin/website"; + }; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..5988491 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,4 @@ +let commonKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOIXreYQgV6lS0rJ1NlAbgq3Iv5FJ8o1MOr08NhLTGFG"; +in { + "website-secret.age".publicKeys = [ commonKey ]; +} diff --git a/secrets/website-secret.age b/secrets/website-secret.age new file mode 100644 index 0000000..239465f --- /dev/null +++ b/secrets/website-secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZEUNCQ D7HH+PR/jwjbb2LKJLVyADJjPvFflRDf61PywFWvpH0 +4pEJdyC8Obe7t+S5a2Yn52lfM7klw8eAsfZ6H48ivbg +-> ^MruyW-grease S`2pFl +z8kUgel+3sOrgcGwRRRPcvqCF7X1EmmbR6mUymUbuT0 +--- GvdH/J6Aa9dnK5QttDoOQTuZZos7s7xqPvPNJRF5A/k +[4mm!¾8,%t;'N11OQh5[' _ \ No newline at end of file
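Review bot: `postPatch = cp ${secret} secret` reads /run/agenix/website-secret at build time, which the Nix build sandbox does not expose and which certainly does not exist on thor, where sif's aarch64-linux builds are now offloaded; wherever it does succeed, whatever the program does with that file ends up in a world-readable /nix/store path. Hand the secret to the process at start instead and drop the `postPatch`; while touching the unit, note it has no `wantedBy`, so it is never started at boot, and runs as root. The binary would then read `$CREDENTIALS_DIRECTORY/secret` rather than a file beside its sources — I can't see the Rust code, so confirm that before switching. Separately, `rev = "refs/heads/mistress"` with a fixed `sha256` fails with a hash mismatch as soon as the branch moves; pin a commit instead.
```nix
let secret = config.age.secrets."website-secret".path;
    # … unchanged: buildRustPackage derivation, minus the postPatch …
in {
  systemd.services."website" = {
    enable = true;
    description = "Run my website :)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    path = [ website ];
    script = "${website}/bin/website";
    serviceConfig = {
      DynamicUser = true;
      # Secret is handed to the process at start, never baked into the store.
      LoadCredential = [ "secret:${secret}" ];
    };
  };
}
```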
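Review bot: The only recipient of website-secret.age is a single `commonKey`, so any machine or person holding that one private key can decrypt it, and rotating that key means re-encrypting every secret for every host at once. agenix rules are usually written with the consuming host's SSH host key plus an admin key, e.g. `let sif = "ssh-ed25519 ..."; riley = "ssh-ed25519 ..."; in { "website-secret.age".publicKeys = [ sif riley ]; }`, so the secret can only be decrypted on sif while the agenix CLI can still rekey it. If `commonKey` is in fact sif's host key, a name that says so would make that intent visible to the next reader.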