Merge pull request #29 from NixOS/joerg-ci

add opendkim
This commit is contained in:
Jörg Thalheim 2024-03-06 23:13:51 +01:00 committed by GitHub
commit dbc4a2947b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 108 additions and 45 deletions


@ -6,6 +6,7 @@
inputs.sops-nix.nixosModules.sops
inputs.srvos.nixosModules.hardware-hetzner-cloud
inputs.srvos.nixosModules.mixins-telegraf
./postfix.nix
./single-disk.nix
./monitoring.nix
{


@ -1,6 +1,6 @@
{ config, pkgs, ... }:
let
wikiDump = "/var/backup/wikidump.xml.gz";
wikiDump = "/var/lib/mediawiki/backup/wikidump.xml.zst";
mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance"
{
@ -21,14 +21,25 @@ let
pkgs.util-linux
];
text = ''
tmpdir=$(mktemp -d)
cleanup() { rm -rf "$tmpdir"; }
chown postgres:users "$tmpdir"
mkdir -p /var/lib/mediawiki/backup/
runuser -u postgres -- pg_dump --format=custom --file "$tmpdir"/db mediawiki
cp "$tmpdir"/db /var/lib/mediawiki/backup/db
trap cleanup EXIT
runuser -u postgres -- pg_dump --format=custom mediawiki > /var/lib/mediawiki/backup/db.tmp
mv /var/lib/mediawiki/backup/{db.tmp,db}
'';
};
# to restore:
# $ runuser -u postgres -- pg_restore --format=custom -d mediawiki < /tmp/db
wiki-dump = pkgs.writeShellApplication
{
name = "wiki-dump";
runtimeInputs = [ pkgs.util-linux pkgs.coreutils ];
text = ''
mkdir -p /var/lib/mediawiki/backup/
runuser -u mediawiki -- ${mediawiki-maintenance}/bin/mediawiki-maintenance dumpBackup.php \
--full --include-files --uploads --quiet | \
${pkgs.zstd}/bin/zstd > ${wikiDump}.tmp
mv ${wikiDump}{.tmp,}
'';
};
@ -41,6 +52,12 @@ let
mediawiki-maintenance
];
text = ''
if $# != 1; then
echo "Usage: $0 <wikidump.xml.gz>" >&2
exit 1
fi
dump=$1
tmpdir=$(mktemp -d)
cleanup() { rm -rf "$tmpdir"; }
cd "$tmpdir"
@ -58,7 +75,7 @@ let
MediaWiki:About
EOF
trap cleanup EXIT
cp ${wikiDump} "$tmpdir"
cp "$dump" "$tmpdir/wikidump.xml.gz"
chown mediawiki:nginx "$tmpdir/wikidump.xml.gz"
chmod 644 "$tmpdir/wikidump.xml.gz"
runuser -u mediawiki -- mediawiki-maintenance importDump.php --uploads "$tmpdir/wikidump.xml.gz"
@ -68,33 +85,12 @@ let
};
in
{
environment.systemPackages = [ mediawiki-maintenance ];
systemd.services.old-wiki-backup = {
startAt = "hourly";
serviceConfig = {
ExecStart = [
"${pkgs.coreutils}/bin/mkdir -p /var/backup"
"${pkgs.wget}/bin/wget https://nixos.wiki/images/wikidump.xml.gz -O ${wikiDump}.new"
"${pkgs.coreutils}/bin/mv ${wikiDump}.new ${wikiDump}"
environment.systemPackages = [
mediawiki-maintenance
old-wiki-restore
];
Type = "oneshot";
};
};
systemd.services.old-wiki-restore = {
startAt = "daily";
path = [ pkgs.postgresql mediawiki-maintenance ];
serviceConfig = {
ExecStart = "${old-wiki-restore}/bin/old-wiki-restore";
Type = "oneshot";
};
};
systemd.services.wiki-backup = {
startAt = "daily";
path = [ pkgs.postgresql ];
unitConfig = {
@ -108,11 +104,21 @@ in
};
};
systemd.services.wiki-dump = {
startAt = "daily";
services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
locations."=/wikidump.xml.gz".alias = wikiDump;
unitConfig = {
Conflicts = [ "phpfpm-mediawiki.service" ];
OnSuccess = [ "phpfpm-mediawiki.service" ];
OnFailure = [ "phpfpm-mediawiki.service" ];
};
serviceConfig = {
ExecStart = "${wiki-dump}/bin/wiki-dump";
Type = "oneshot";
};
};
services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName}.locations."=/wikidump.xml.zst".alias = wikiDump;
sops.secrets.storagebox-ssh-key = {
sopsFile = ../../targets/nixos-wiki.nixos.org/secrets/backup_share_ssh_key;
@ -132,7 +138,6 @@ in
group = "root";
};
programs.ssh.knownHosts."[u391032.your-storagebox.de]:23".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
systemd.services.borgbackup-job-state = {
@ -140,7 +145,7 @@ in
after = [ "wiki-backup.service" ];
};
services.borgbackup.jobs.state = {
services.borgbackup.jobs.${config.networking.hostName} = {
# Create the repo
doInit = true;
@ -158,6 +163,17 @@ in
repo = "u391032-sub1@u391032.your-storagebox.de:wiki.nixos.org/repo";
environment.BORG_RSH = "ssh -p 23 -i /var/keys/storagebox-ssh-key";
preHook = ''
set -x
${config.systemd.package}/bin/systemctl start wiki-backup
set +x
'';
postHook = ''
cat > /var/log/telegraf/borgbackup-job-${config.networking.hostName}.service <<EOF
task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
EOF
'';
# Authenticated & encrypted, key resides in the repository
encryption = {
mode = "repokey-blake2";
@ -171,7 +187,7 @@ in
extraCreateArgs = "--stats";
};
systemd.services."borgbackup-job-${config.networking.hostName}".serviceConfig.ReadWritePaths = [
"/var/log/telegraf"
];
}
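Review bot: The argument check added in the `@ -41,6 +52,12 @` hunk, `if $# != 1; then`, is not a test at all: the shell expands `$#` and tries to execute that number as a command with `!=` and `1` as its arguments, so the usage branch never fires and a call without an argument continues with an empty `dump`. It should read `if [ "$#" -ne 1 ]; then`. The shell text this hunk belongs to starts and ends outside the hunk. Separately, the nginx alias in the `@ -108,11 +104,21 @` hunk now points into `/var/lib/mediawiki/backup/`; if that directory is not traversable by the nginx user the new `/wikidump.xml.zst` location will answer 403, which is worth verifying after deploy since the old path under `/var/backup` had different ownership.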

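--- a/modules/postfix.nix
+++ b/modules/postfix.nix
@@ -0,0 +1,45 @@
+{ config, ... }:
+let
+domain = "wiki.nixos.org";
+in
+{
+services.opendkim.enable = true;
+services.opendkim.domains = domain;
+services.opendkim.selector = "mail";
+services.opendkim.user = config.services.postfix.user;
+services.opendkim.group = config.services.postfix.group;
+sops.secrets.opendkim-private-key.owner = config.services.postfix.user;
+services.opendkim.keyPath = "/run/opendkim-keys";
+systemd.tmpfiles.rules = [
+"f /run/opendkim-keys/${config.services.opendkim.selector}.private 0600 ${config.services.postfix.user} ${config.services.postfix.group} - - - ${config.sops.secrets.opendkim-private-key.path}"
+];
+# postfix configuration for sending emails only
+services.postfix = {
+enable = true;
+hostname = domain;
+inherit domain;
+config = {
+smtp_tls_note_starttls_offer = "yes";
+smtp_tls_security_level = "dane";
+tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
+smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
+mydestination = "localhost.$mydomain, localhost, $myhostname";
+myorigin = "$mydomain";
+milter_default_action = "accept";
+milter_protocol = "6";
+smtpd_milters = "unix:/run/opendkim/opendkim.sock";
+non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
+inet_interfaces = "loopback-only";
+inet_protocols = "all";
+};
+};
+}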
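Review bot: The tmpfiles rule under `systemd.tmpfiles.rules` does not install the DKIM key: for a type `f` line the trailing argument is literal content written into the file, not a source path, so `/run/opendkim-keys/mail.private` would contain the string of the sops secret path instead of the key, and because `f` only writes when the file does not yet exist a rotated secret would not be picked up on later boots either. Since sops-nix already places the secret with the right `owner`, the simpler fix is to drop the rule and let sops-nix put the secret where opendkim looks for it, `sops.secrets.opendkim-private-key.path = "${config.services.opendkim.keyPath}/${config.services.opendkim.selector}.private";` (as far as I know sops-nix symlinks the secret to a custom `path`, which opendkim can follow). Two smaller points: `smtp_tls_security_level = "dane"` only enforces DANE when `smtp_dns_support_level = "dnssec"` is also set and the host uses a DNSSEC-validating resolver, otherwise Postfix quietly downgrades to opportunistic TLS, so either add that setting or a comment stating that opportunistic behaviour is acceptable; and running opendkim as the postfix user/group merges two privilege domains, which is defensible on a send-only host but deserves a one-line comment such as `# run opendkim as postfix so the milter socket needs no group juggling`.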


@ -23,7 +23,7 @@ in
services.nixos-wiki = {
hostname = "wiki.staging.julienmalka.me";
adminPasswordFile = config.sops.secrets.nixos-wiki.path;
githubClientId = "Iv1.95ed182c83df1d22";
githubClientId = "Iv1.fcbe65bcecdda275";
githubClientSecretFile = config.sops.secrets.nixos-wiki-github-client-secret.path;
emergencyContact = "nixos-wiki@thalheim.io";
passwordSender = "nixos-wiki@thalheim.io";


@ -1,6 +1,7 @@
nixos-wiki: ENC[AES256_GCM,data:PDVoovlVdCYr/rI6a8igNp8D7B6Ni+yY,iv:x/+Yro8tbSnEY+ELYx+UJKRzveidrpqHp7iC7e3ymc4=,tag:pgLVTxGqmOOQ6FMUgTLaYQ==,type:str]
nixos-wiki-github-client-secret: ENC[AES256_GCM,data:ggkzMlolTHxo4Jh4fBN4Ot5RJgESovrRjZ6FmQkVuLAgQfX22KjE4w==,iv:plmxJQoRcaFZ1hmFHgOnUofp2pHrNITdL/a1d3tFtag=,tag:28MHko3esZKKXJps4GlTSQ==,type:str]
nixos-wiki-github-client-secret: ENC[AES256_GCM,data:4vSC1enVDcqeS08uBXMXyEmtE55kgvxy+HocC/caqKI3yicIR7VALA==,iv:FSMUmgwg1XjTel3ksCKywftJIszpOrz/mGnN+G8Xg+4=,tag:IUr1uVXkyrOe1f0AoghYTQ==,type:str]
age-key: ENC[AES256_GCM,data:ldlaCHNf99r6zaihQHXPZ0QyY6/KGZR3oRMKo7xiKH7EVjgmKzS8knjDDqwq29D25L1jbVPAmScPEHppbM58xU7nOx4lIpl3qKE=,iv:EHKnKwdHqlKwGrBNbCaoaB8m6xgYSJecUBJgtdZn8kU=,tag:xVs3HfQ8Qip65CIGti9k0w==,type:str]
opendkim-private-key: ENC[AES256_GCM,data:qG2OIGGv0weUD0iKy8pZ450USg8RAtNLP5ar8LKSL4hP2+uWINRhjQ73w2GZKNq2/deW9bZEM1F3uxLFmxOocTq/CPcO3LWNbaezKns/Xhq5BbX/sIU+ht9Z2AAG86ZmLw251U+xR/VyEE3kdPIhePma+0qcJBPdu8e7CGxzqBooCw9XplLYrMljVrISlIoAhKHEgSqCpyqnQeoxOxSuXvecuErYB5aCstp8W2L20CK89hLHAIONo4vbXxLfwKmt4mMNqOhQxsaoaqPaNFVNO56QhK7+CY4Erhs/GyH3DJ+YdmVwo+rwqvhtegCJcdaKSTmYoWl6xpgg8zKKLJNkO4V0ijrDhgEJ0tSWdvp95Enh1pZ0kN/OuzW/O6z0lkWrcP3i4tdkCaE5ZxoD5P3u/dwQQop5MNdospvUdN5t3ehxCsFvWemSWC4hygdNBOnKA2Zm+JQLjx8gd5fcuOeONTRU2InE/He4otv4jwzCKH9nNJui2L8se0odi/xmZFQb6cfg2xamQUkQ9PgeoSxUgnoBOKdWSZ8A7D+FznI+zAKiZFhBHm6jwGnXQ8MPxlvPRB6fLO+1pOmDBtss0wR7Pywh6e83HFeYwz9L55B1KpFCQHt2pNr8iXjE2c7EEGuH5I1e5svA656yd7p5UiuiKYz7/8P9CgmEyoZ/Zljmk3Z7laCzwlXVpEVPy+R0nu2uiCDN4RIoayf0al/2wPtHZlGLXsECXh1eRjXicM8I2eOyVauBMns14brMdlBVB7eHRZVq96fUxpgwUhnC00unGSqICPBNRk0aCs62aRbbPjs9VC9N/CjqnzIKohi4CNSZHNCkFCFtxVmhO9P0zIsZn6ukUohNpde+PY4X4uuq3PkGEHfRE0zYfB4AgaoIvK/IISEo/Fv+eCIynfCYGq1W/VA8bZ8Kwubz2ixYseo2hHbpCiwysyF71Xcv5RH6OF0j15fpH7Jb4ELx+PL/AMcC4MF+erBWphHTu0Vw61OqeBGYFqXZemGCkNNw4xkIH+8QqipV5XRw7zDFeUYfqjz/VEmCf12TCiXhWjafkSH4H7W9F0fdWeHSPvI4PAIY+MGF/A0wxmN/jrYq+QRSpFb6StxTC9sBU6lUuLwzVOcvOZr5r5s3jMOFpTufVU7wD1FYsZI1ZfAGAeW99vq6i9PWSnmqtq8xaKbZwfhoWm1lJ1ogs4DGI0yAxQeX4blCdazQOYrg3Q==,iv:oNcXuUpfKyKMqHcLAUwFVEjo7BIIOiErbNQ4+LvXHJM=,tag:6jLuPC+cv6yh/he1I6Hurw==,type:str]
sops:
kms: []
gcp_kms: []
@ -43,8 +44,8 @@ sops:
NzdoVWR3TlBrZHYzYzBKelc0UTRvbUkK6O1Lpi6hcMHyFA3E8yJO+1LkXR/10xnW
ViKILGcsw4AdsRGNL5fHxQECR11WsEARetpX5GlixC0lvS/Til8YWA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-24T15:17:00Z"
mac: ENC[AES256_GCM,data:jPInsdN9mTROhh+fyYb4JSy937fuSGr6lhRIZhDc8alOO7TYnF9GSbum3KPPHYLm8LPKLQK19umyik7a5P/c983sfRHhaOibAugtPQT3fzw0/jAjwUJ9F4t9zhrZ6k7KfU9eO/34vFM0uKYhq+wUV9ztgDLJbARmtO0Dka1ks7w=,iv:NudkNhomCsFlqkU/QjQcrsqoTdAJC7HzJDpRuqHCx7s=,tag:K20RqA4EcDmm5V27ZGPGpg==,type:str]
lastmodified: "2024-03-06T19:07:50Z"
mac: ENC[AES256_GCM,data:I8eH+R1DREziItvmEO+/vNM0NdR7Aq9Ob6AeyJ47JDabfkDM0ihwO8uz/WMHVyQ0FSwVDXj29VzcQZyYCEi6YIz6LV0sMbuOOC8Na26/O4GQ5rHIPD1J2li+qsKDNOgLfkyNZFUJXqXkrbX8hwiytM+Hda+xAYqfQGN/2S3jipM=,iv:wGP41trqYl9nYHYOKu4bPANnA+lsuDsxq78Qq8io70M=,tag:3f9sH171Dxys5fNphTgjbg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1