diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..afe0d19 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,9 @@ +keys: + - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + - &nixos-wiki2 age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2 +creation_rules: + - path_regex: targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$ + key_groups: + - age: + - *joerg + - *nixos-wiki2 diff --git a/bors.toml b/bors.toml deleted file mode 100644 index 54f90de..0000000 --- a/bors.toml +++ /dev/null @@ -1,8 +0,0 @@ -cut_body_after = "" # don't include text from the PR body in the merge commit message -status = [ - "Evaluate flake.nix", - "check treefmt [x86_64-linux]", - "package default [x86_64-linux]", - "nixosConfig nixos-wiki-thalheim-io", - "nixosConfig staging-nixos-wiki-thalheim-io", -] diff --git a/flake.lock b/flake.lock index 79d9aab..6977f96 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1698155728, + "narHash": "sha256-PUJ40o/0LyMEgSBEfLVyPA0K3gQnPYQDq9dW9nCOU9M=", + "owner": "nix-community", + "repo": "disko", + "rev": "8c5d52db5690c72406b0cb13a5ac8554a287c93a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -7,11 +27,11 @@ ] }, "locked": { - "lastModified": 1682984683, - "narHash": "sha256-fSMthG+tp60AHhNmaHc4StT3ltfHkQsJtN8GhfLWmtI=", + "lastModified": 1696343447, + "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "86684881e184f41aa322e653880e497b66429f3e", + "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4", "type": "github" }, "original": { 
@@ -22,11 +42,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1683286087, - "narHash": "sha256-xseOd7W7xwF5GOF2RW8qhjmVGrKoBz+caBlreaNzoeI=", + "lastModified": 1697723726, + "narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3e313808bd2e0a0669430787fb22e43b2f4bf8bf", + "rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0", "type": "github" }, "original": { @@ -38,12 +58,35 @@ }, "root": { "inputs": { + "disko": "disko", "flake-parts": "flake-parts", "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix", "srvos": "srvos", "treefmt-nix": "treefmt-nix" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": [] + }, + "locked": { + "lastModified": 1697943852, + "narHash": "sha256-DaBxUPaZhQ3yLCmAATshYB7qo7NwcMvSFWz9T3bjYYY=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "30a0ba4a20703b4bfe047fe5def1fc24978e322c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "srvos": { "inputs": { "nixpkgs": [ @@ -51,11 +94,11 @@ ] }, "locked": { - "lastModified": 1683894417, - "narHash": "sha256-Z7rbmaR76lY4vwhaG9yQWmLYl1yIQ4g2wrPkQW+tJJw=", + "lastModified": 1698059971, + "narHash": "sha256-/WsFn9aqrxNPglgxBdZMsfQE24U41PF85dXjd4ZQN3E=", "owner": "numtide", "repo": "srvos", - "rev": "bca63963ab057d1075216e4db5c685dd6bd715d5", + "rev": "8d554f30b308b06d20c3d5cef211e7c14d8d1a32", "type": "github" }, "original": { @@ -71,11 +114,11 @@ ] }, "locked": { - "lastModified": 1683307174, - "narHash": "sha256-A7nF2Q+F+Bqs4u6VS4aOzyURfly5f4ZAiihGU0FA29g=", + "lastModified": 1697388351, + "narHash": "sha256-63N2eBpKaziIy4R44vjpUu8Nz5fCJY7okKrkixvDQmY=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "b44794f94514b61512352a18cd77c710f0005f15", + "rev": "aae39f64f5ecbe89792d05eacea5cb241891292a", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 1fbeb54..0180fa7 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,9 +8,16 @@
 treefmt-nix.url = "github:numtide/treefmt-nix";
 treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+
 srvos.url = "github:numtide/srvos"; # Use the version of nixpkgs that has been tested to work with SrvOS
 srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.inputs.nixpkgs-stable.follows = "";
 };
 outputs = inputs@{ flake-parts, ... }:
@@ -24,21 +31,26 @@
 perSystem = { config, pkgs, ... }: {
 treefmt = {
 projectRootFile = "flake.nix";
- programs.terraform.enable = true;
+ programs.hclfmt.enable = true;
 programs.nixpkgs-fmt.enable = true;
 };
- packages.default = pkgs.mkShell {
- packages = [
- pkgs.bashInteractive
- (pkgs.terraform.withPlugins (p: [
- p.netlify
- p.hcloud
- p.null
- p.external
- p.local
- ]))
- ];
- };
+ packages.default =
+ let
+ terraformHalal = pkgs.terraform.overrideAttrs (_old: { meta = _old.meta // { license = lib.licenses.free; }; });
+ in
+ pkgs.mkShell {
+ packages = [
+ pkgs.bashInteractive
+ pkgs.sops
+ (terraformHalal.withPlugins (p: [
+ p.netlify
+ p.hcloud
+ p.null
+ p.external
+ p.local
+ ]))
+ ];
+ };
 };
 });
 }
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
index 5681a9a..c4e16f6 100644
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -2,11 +2,19 @@
 flake.nixosModules = {
 hcloud.imports = [
 inputs.srvos.nixosModules.server
+ inputs.sops-nix.nixosModules.sops
 inputs.srvos.nixosModules.hardware-hetzner-cloud
+ ./single-disk.nix
+ {
+ sops.age.keyFile = "/var/lib/secrets/age";
+ }
 ];
 nixos-wiki.imports = [
- ./nixos-wiki.nix
+ ./nixos-wiki
+ ];
+ nixos-wiki-backup.imports = [
+ ./nixos-wiki/backup.nix
 ];
 };
 }
diff --git a/modules/nixos-wiki.nix b/modules/nixos-wiki.nix
deleted file mode 100644
index c915eb0..0000000
--- a/modules/nixos-wiki.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: { }
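Review bot: `terraformHalal` in the second flake.nix hunk refers to `lib`, which is not among the `perSystem = { config, pkgs, ... }` arguments visible here; unless the enclosing mkFlake module binds it (outside the hunk), evaluation fails with an undefined-variable error, and `pkgs.lib.licenses.free` removes the dependency altogether. The `_old` parameter is used in the body, so the underscore prefix, which conventionally marks an unused binding, is misleading; `old` reads better. The override itself appears to exist to get around the unfree marking of terraform in nixpkgs, and that policy decision deserves a one-line comment on the `terraformHalal` line, e.g. `# relabel terraform's license so the dev shell evaluates without allowUnfree`.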
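Review bot: The inline `sops.age.keyFile = "/var/lib/secrets/age"` in the flake-module.nix hunk hard-codes a path that has to agree with what terraform/nixos-wiki/decrypt-age-keys.sh writes (`var/lib/secrets/age` relative to the extra-files root), and nothing ties the two together, so a change to either side leaves the host unable to decrypt its secrets at first boot with no evaluation-time signal. A comment next to the setting, `# must match the path written by terraform/nixos-wiki/decrypt-age-keys.sh (shipped via nixos-anywhere extra_files)`, makes the coupling visible. The hunk also inserts the sops module between the two srvos imports; grouping it after them, next to the keyFile setting it belongs to, reads more clearly.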
diff --git a/modules/nixos-wiki/backup.nix b/modules/nixos-wiki/backup.nix
new file mode 100644
index 0000000..a5aeb58
--- /dev/null
+++ b/modules/nixos-wiki/backup.nix
@@ -0,0 +1,78 @@ +{ config, pkgs, ... }: +let + wikiDump = "/var/backup/wikidump.xml.gz"; + + mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance" + { + nativeBuildInputs = [ pkgs.makeWrapper ]; + preferLocalBuild = true; + } '' + mkdir -p $out/bin + makeWrapper ${pkgs.php}/bin/php $out/bin/mediawiki-maintenance \ + --set MEDIAWIKI_CONFIG ${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG} \ + --add-flags ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php + ''; + + wiki-restore = pkgs.writeShellApplication { + name = "wiki-restore"; + runtimeInputs = [ + pkgs.postgresql + pkgs.coreutils + pkgs.util-linux + mediawiki-maintenance + ]; + text = '' + tmpdir=$(mktemp -d) + cleanup() { rm -rf "$tmpdir"; } + cd "$tmpdir" + chown mediawiki:nginx "$tmpdir" + + rm -rf /var/lib/mediawiki-uploads + install -d -m 755 -o mediawiki -g nginx /var/lib/mediawiki-uploads + systemctl stop phpfpm-mediawiki.service + runuser -u postgres -- dropdb mediawiki + systemctl restart postgresql + systemctl restart mediawiki-init.service + cat < tags + extensions.ParserFunctions = null; + extensions.Cite = null; + extensions.VisualEditor = null; + extensions.AuthManagerOAuth = pkgs.fetchzip { + url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.0/AuthManagerOAuth.zip"; + hash = "sha256-4ev8LwuConmHzFm5cPr+ni9aYPDOHLArGoJhzdugEn4="; + }; # Github login + extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha + extensions.StopForumSpam = pkgs.fetchzip { + url = "https://extdist.wmflabs.org/dist/extensions/StopForumSpam-REL1_40-71b57ba.tar.gz"; + hash = "sha256-g8v4zr11c2e4bY0BNipJ48miyAF4WTNvlSMgb/NxPBA="; + }; + + extraConfig = '' + #$wgDebugLogFile = "/var/log/mediawiki/debug.log"; + + # allow local login + $wgAuthManagerOAuthConfig = [ + 'github' => [ + 'clientId' => '${config.services.nixos-wiki.githubClientId}', + 'clientSecret' => 
file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"), + 'urlAuthorize' => 'https://github.com/login/oauth/authorize', + 'urlAccessToken' => 'https://github.com/login/oauth/access_token', + 'urlResourceOwnerDetails' => 'https://api.github.com/user' + ], + ]; + + # Enable account creation globally + $wgGroupPermissions['*']['createaccount'] = true; + $wgGroupPermissions['*']['autocreateaccount'] = true; + + # Disable anonymous editing + $wgGroupPermissions['*']['edit'] = false; + + # Allow svg upload + $wgFileExtensions[] = 'svg'; + $wgSVGConverterPath = "${pkgs.imagemagick}/bin"; + + # Pretty URLs + $wgUsePathInfo = true; + + # cache pages with APCu + $wgMainCacheType = CACHE_ACCEL; + + # TODO: nixos favicon + #$wgFavicon = "/favicon.ico"; + $wgDefaultSkin = 'vector-2022'; + # configure logos for vector-2022: https://www.mediawiki.org/wiki/Manual:$wgLogos + $wgLogos = [ + '1x' => '/nixos.png', + 'icon' => '/nixos.png', + ]; + + # Combat SPAM with IP-Blocklists (StopForumSpam extension) + $wgEnableDnsBlacklist = true; + $wgDnsBlacklistUrls = array( + 'dnsbl.dronebl.org' + ); + + # required for fancy VisualEditor extension + $wgGroupPermissions['user']['writeapi'] = true; + + # Enable content security policy + $wgCSPHeader = true; + + # Disallow framing + $wgEditPageFrameOptions = "DENY"; + + $wgEnableEmail = true; + $wgAllowHTMLEmail = false; + $wgEmergencyContact = "nixos-wiki-emergency@thalheim.io"; + $wgPasswordSender = "nixos-wiki@thalheim.io"; # Default FROM address + $wgNoReplyAddress = "nixos-wiki-no-reply@thalheim.io"; # Default Reply-To address + ''; + }; + + security.acme.acceptTerms = true; + services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = { + enableACME = lib.mkDefault true; + forceSSL = true; + locations."=/nixos.png".alias = ./nixos.png; + }; + }; + +} 
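Review bot: In `wiki-restore`, `cleanup()` is defined but never registered, so the `mktemp -d` directory is left behind on every exit path; add `trap cleanup EXIT` directly after the definition. The restore also deletes and recreates `/var/lib/mediawiki-uploads` before `systemctl stop phpfpm-mediawiki.service`, so a request still in flight can write into the tree being replaced; stopping phpfpm first and only then touching the upload directory closes that window. This hunk appears garbled in this rendering — the script breaks off at `cat <` and continues with what looks like a separate MediaWiki module — so the rest of `text` and the surrounding attribute set could not be reviewed. In that second part, `file_get_contents(...)` on the sops secret path is passed as `clientSecret` without `trim()`, so a trailing newline in the decrypted value would break the OAuth client, and it yields `false` with only a PHP warning if the secret's owner (declared outside this hunk) does not let the php-fpm user read it. Two comments there are also off: `# allow local login` sits above the OAuth block rather than the `createaccount` permissions, and `$wgEnableDnsBlacklist` is a core MediaWiki setting rather than part of the StopForumSpam extension.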
diff --git a/modules/nixos-wiki/nixos.png b/modules/nixos-wiki/nixos.png
new file mode 100644
index 0000000..6867428
Binary files /dev/null and b/modules/nixos-wiki/nixos.png differ
diff --git a/modules/single-disk.nix b/modules/single-disk.nix
new file mode 100644
index 0000000..5f09304
--- /dev/null
+++ b/modules/single-disk.nix
@@ -0,0 +1,41 @@
+{ self, ... }:
+let
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ esp = {
+ size = "500M";
+ type = "EF00"; # for grub MBR
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+in
+{
+ imports = [
+ self.inputs.disko.nixosModules.disko
+ ];
+ disko.devices = {
+ disk.sda = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ inherit partitions;
+ };
+ };
+ };
+}
diff --git a/targets/nixos-wiki.thalheim.io/apply.sh b/targets/nixos-wiki.thalheim.io/apply.sh
deleted file mode 120000
index 1bbce45..0000000
--- a/targets/nixos-wiki.thalheim.io/apply.sh
+++ /dev/null
@@ -1 +0,0 @@
-../staging.nixos-wiki.thalheim.io/apply.sh
\ No newline at end of file
diff --git a/targets/nixos-wiki.thalheim.io/configuration.nix b/targets/nixos-wiki.thalheim.io/configuration.nix
deleted file mode 100644
index 9d57beb..0000000
--- a/targets/nixos-wiki.thalheim.io/configuration.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ self, ... }: {
- imports = [
- self.nixosModules.nixos-wiki
- self.nixosModules.hcloud
- ];
-}
diff --git a/targets/staging.nixos-wiki.thalheim.io/apply.sh b/targets/nixos-wiki2.thalheim.io/apply.sh
similarity index 100%
rename from targets/staging.nixos-wiki.thalheim.io/apply.sh
rename to targets/nixos-wiki2.thalheim.io/apply.sh
diff --git a/targets/nixos-wiki2.thalheim.io/configuration.nix b/targets/nixos-wiki2.thalheim.io/configuration.nix
new file mode 100644
index 0000000..9d8ddab
--- /dev/null
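Review bot: The `esp` partition in single-disk.nix carries the comment `# for grub MBR`, copied from the `boot` entry, but `EF00` is the EFI System Partition that the next lines format as vfat and mount at `/boot`; `# EFI system partition (vfat, mounted at /boot)` describes it, while the 1M `EF02` entry is the BIOS boot partition GRUB's MBR stage actually uses. `/dev/sda` is hard-coded here and repeated with `lib.mkForce` in targets/nixos-wiki2.thalheim.io/configuration.nix; a short comment stating it is the Hetzner Cloud disk name would help whoever reuses this module on other hardware. The module reaches disko through `self.inputs.disko`, whereas flake-module.nix uses the `inputs` module argument for srvos and sops-nix; settling on one spelling keeps the modules consistent.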
+++ b/targets/nixos-wiki2.thalheim.io/configuration.nix
@@ -0,0 +1,18 @@
+{ self, lib, ... }:
+let
+ nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in
+{
+ imports = [
+ self.nixosModules.nixos-wiki
+ self.nixosModules.nixos-wiki-backup
+ self.nixosModules.hcloud
+ ];
+ users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+ system.stateVersion = "23.11";
+ services.nixos-wiki.hostname = "nixos-wiki2.thalheim.io";
+ security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
+ services.nixos-wiki.githubClientId = "Iv1.95ed182c83df1d22";
+ sops.defaultSopsFile = ./secrets.yaml;
+ boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
+}
diff --git a/targets/nixos-wiki.thalheim.io/nixos-vars.json b/targets/nixos-wiki2.thalheim.io/nixos-vars.json
similarity index 58%
rename from targets/nixos-wiki.thalheim.io/nixos-vars.json
rename to targets/nixos-wiki2.thalheim.io/nixos-vars.json
index c02d9a4..6900953 100644
--- a/targets/nixos-wiki.thalheim.io/nixos-vars.json
+++ b/targets/nixos-wiki2.thalheim.io/nixos-vars.json
@@ -1 +1 @@
-{"ipv6_address":"2a01:4f9:c012:4d1e::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
\ No newline at end of file
+{"ipv6_address":"2a01:4f9:c012:afb9::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
\ No newline at end of file
diff --git a/targets/nixos-wiki2.thalheim.io/secrets.yaml b/targets/nixos-wiki2.thalheim.io/secrets.yaml
new file mode 100644
index 0000000..89891d7
--- /dev/null
+++ b/targets/nixos-wiki2.thalheim.io/secrets.yaml
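Review bot: `boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ]` duplicates the device already declared in modules/single-disk.nix, and `mkForce` hides whatever conflicting definition prompted it instead of surfacing it; taking `config` as a module argument and writing `lib.mkForce [ config.disko.devices.disk.sda.device ]`, plus a comment naming what is being overridden (presumably a value from the srvos Hetzner module, which is not visible here), keeps the two in step. `nixosVars.ssh_keys` comes straight from a terraform-generated JSON file, and an empty list is accepted silently, which would produce a host with no root login rather than an evaluation error; `assert nixosVars.ssh_keys != [];` before the attribute set makes that a build-time failure.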
@@ -0,0 +1,32 @@ +nixos-wiki: ENC[AES256_GCM,data:PDVoovlVdCYr/rI6a8igNp8D7B6Ni+yY,iv:x/+Yro8tbSnEY+ELYx+UJKRzveidrpqHp7iC7e3ymc4=,tag:pgLVTxGqmOOQ6FMUgTLaYQ==,type:str] +nixos-wiki-github-client-secret: ENC[AES256_GCM,data:ggkzMlolTHxo4Jh4fBN4Ot5RJgESovrRjZ6FmQkVuLAgQfX22KjE4w==,iv:plmxJQoRcaFZ1hmFHgOnUofp2pHrNITdL/a1d3tFtag=,tag:28MHko3esZKKXJps4GlTSQ==,type:str] +age-key: ENC[AES256_GCM,data:ldlaCHNf99r6zaihQHXPZ0QyY6/KGZR3oRMKo7xiKH7EVjgmKzS8knjDDqwq29D25L1jbVPAmScPEHppbM58xU7nOx4lIpl3qKE=,iv:EHKnKwdHqlKwGrBNbCaoaB8m6xgYSJecUBJgtdZn8kU=,tag:xVs3HfQ8Qip65CIGti9k0w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNm9scHFONkwwY3dzWEtH + TWJnSVgzQldBd1NsVS90MnVyQ3V6aFo5YVFJCjc2S3lUc3FUaTllZGQ2R2FFTTNj + cWRQSC80a2FWQm12cnhXTmJNN3lSOW8KLS0tIGpPL2ZzQzBpak9HV0lES05SZk5x + KzM1azdvWlZIVU5VWVd4Q1AyN1VNTDQKZPtiA9MWZMOi+u6d0/Cg4vlJnP8dcaRq + QQKfP3LYCRqWBIrAPP8LWhza3kEjh22Wquh8Zh1SJtq2tgGKy+Pt+A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaHFwd3B5YUFUcnR2TTFw + aTQ4UFFBUXFxL2pOcUhyTFAwQ1ZvTGlEQUFnCmlQeHBrb2NhQXovWEl4ODdvd0FI + b2JMOGpXRHB3cHVHZmt3UUx2SUdtc28KLS0tIHVTZ2FISTZWbmdPaWlTdUZsTG1I + OHk4MkVmaFozaWdRV1RpbVM0amEvQTgKHk2ZxC+ZMUzTWD6KS1miOtLCtXF9SN/t + 2DDz5UAadLKaJ425AL3Qg4BhOZqUz4qPoyQvD/3aBKXg0IxXHgJCtQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-24T15:17:00Z" + mac: ENC[AES256_GCM,data:jPInsdN9mTROhh+fyYb4JSy937fuSGr6lhRIZhDc8alOO7TYnF9GSbum3KPPHYLm8LPKLQK19umyik7a5P/c983sfRHhaOibAugtPQT3fzw0/jAjwUJ9F4t9zhrZ6k7KfU9eO/34vFM0uKYhq+wUV9ztgDLJbARmtO0Dka1ks7w=,iv:NudkNhomCsFlqkU/QjQcrsqoTdAJC7HzJDpRuqHCx7s=,tag:K20RqA4EcDmm5V27ZGPGpg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + 
version: 3.8.1 diff --git a/targets/nixos-wiki.thalheim.io/terraform.tf b/targets/nixos-wiki2.thalheim.io/terraform.tf similarity index 59% rename from targets/nixos-wiki.thalheim.io/terraform.tf rename to targets/nixos-wiki2.thalheim.io/terraform.tf index 7270afd..1b9608c 100644 --- a/targets/nixos-wiki.thalheim.io/terraform.tf +++ b/targets/nixos-wiki2.thalheim.io/terraform.tf @@ -1,8 +1,8 @@ terraform { backend "http" { - address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io" - lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock" - unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock" + address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io" + lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock" + unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock" lock_method = "POST" unlock_method = "DELETE" retry_wait_min = "5" @@ -11,12 +11,12 @@ terraform { module "wiki" { source = "../../terraform/nixos-wiki" - netlify_dns_zone = "nixos-wiki.thalheim.io" - domain = "nixos-wiki.thalheim.io" - nixos_flake_attr = "nixos-wiki-thalheim-io" + netlify_dns_zone = "nixos-wiki2.thalheim.io" + domain = "nixos-wiki2.thalheim.io" + nixos_flake_attr = "nixos-wiki2-thalheim-io" nixos_vars_file = "${path.module}/nixos-vars.json" tags = { Terraform = "true" - Target = "nixos-wiki.thalheim.io" + Target = "nixos-wiki2.thalheim.io" } } diff --git a/targets/staging.nixos-wiki.thalheim.io/configuration.nix b/targets/staging.nixos-wiki.thalheim.io/configuration.nix deleted file mode 100644 index 9d57beb..0000000 --- a/targets/staging.nixos-wiki.thalheim.io/configuration.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ self, ... }: { - imports = [ - self.nixosModules.nixos-wiki - self.nixosModules.hcloud - ]; -} 
diff --git a/targets/staging.nixos-wiki.thalheim.io/terraform.tf b/targets/staging.nixos-wiki.thalheim.io/terraform.tf
deleted file mode 100644
index 23d6548..0000000
--- a/targets/staging.nixos-wiki.thalheim.io/terraform.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-terraform {
- backend "http" {
- address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io"
- lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
- unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
- lock_method = "POST"
- unlock_method = "DELETE"
- retry_wait_min = "5"
- }
-}
-
-module "wiki" {
- source = "../../terraform/nixos-wiki"
- netlify_dns_zone = "nixos-wiki.thalheim.io"
- nixos_flake_attr = "nixos-wiki-thalheim-io"
- nixos_vars_file = "${path.module}/nixos-vars.json"
- tags = {
- Terraform = "true"
- Target = "staging-nixos-wiki.thalheim.io"
- }
-}
diff --git a/terraform/nixos-wiki/decrypt-age-keys.sh b/terraform/nixos-wiki/decrypt-age-keys.sh
new file mode 100755
index 0000000..045f787
--- /dev/null
+++ b/terraform/nixos-wiki/decrypt-age-keys.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+mkdir -p var/lib/secrets
+
+umask 0177
+sops --extract '["age-key"]' -d "secrets.yaml" > ./var/lib/secrets/age
+# restore umask
+umask 0022
diff --git a/terraform/nixos-wiki/main.tf b/terraform/nixos-wiki/main.tf
index a58daba..b692f6e 100644
--- a/terraform/nixos-wiki/main.tf
+++ b/terraform/nixos-wiki/main.tf
@@ -4,7 +4,7 @@ data "hcloud_ssh_keys" "nixos_wiki" {
 }
 resource "hcloud_server" "nixos_wiki" {
- image = "debian-10"
+ image = "debian-11"
 keep_disk = true
 name = "nixos-wiki"
 server_type = var.server_type
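Review bot: decrypt-age-keys.sh has no `set -euo pipefail`, so when `sops` fails (no matching key, wrong working directory) the redirection still creates an empty `./var/lib/secrets/age` and the script exits 0; the extra-files step in main.tf then ships a useless key file, and the host only fails to decrypt its secrets at first boot. Adding `set -euo pipefail` after the shebang turns that into a deploy-time error. Both `secrets.yaml` and `var/lib/secrets` are resolved against the caller's working directory; if nixos-anywhere runs `extra_files_script` from a scratch directory (not visible here), sops will not find the file, so a comment stating the expected cwd, or an explicit variable for the secrets path, would make the contract clear. The closing `umask 0022` has no effect on the caller because the script runs in its own process, so it can go along with its comment.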
@@ -21,19 +21,20 @@ resource "hcloud_server" "nixos_wiki" {
 }
 }
-#module "deploy" {
-# depends_on = [local_file.nixos_vars]
-# source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
-# nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
-# nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
-# target_host = hcloud_server.nixos_wiki.ipv4_address
-# instance_id = hcloud_server.nixos_wiki.id
-# debug_logging = true
-#}
+module "deploy" {
+ depends_on = [local_file.nixos_vars]
+ source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+ nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
+ nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoScriptNoDeps"
+ target_host = hcloud_server.nixos_wiki.ipv4_address
+ instance_id = hcloud_server.nixos_wiki.id
+ extra_files_script = "${path.module}/decrypt-age-keys.sh"
+ debug_logging = true
+}
 locals {
 nixos_vars = {
 ipv6_address = hcloud_server.nixos_wiki.ipv6_address
- ssh_keys = data.hcloud_ssh_keys.nixos_wiki.ssh_keys.*.public_key
+ ssh_keys = data.hcloud_ssh_keys.nixos_wiki.ssh_keys.*.public_key
 }
 }
diff --git a/terraform/nixos-wiki/nixos_vars.tf b/terraform/nixos-wiki/nixos_vars.tf
index b7a3e22..e210d0d 100644
--- a/terraform/nixos-wiki/nixos_vars.tf
+++ b/terraform/nixos-wiki/nixos_vars.tf
@@ -5,13 +5,13 @@ resource "local_file" "nixos_vars" {
 provisioner "local-exec" {
 interpreter = ["bash", "-c"]
- command = "git add -f '${local_file.nixos_vars.filename}'"
+ command = "git add -f '${var.nixos_vars_file}'"
 }
 # also pro-actively add hosts and flake-module.nix to git so nix can find it.
 provisioner "local-exec" {
 interpreter = ["bash", "-c"]
 command = <
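Review bot: `debug_logging = true` is carried over from the commented-out block into the now-active `module "deploy"`, on a path that also hands nixos-anywhere an `extra_files_script` whose output is a plaintext age key; whether the verbose install trace that lands in terraform or CI output can include that payload is worth confirming, and a comment on the line, or dropping the flag once the migration is verified, would record the decision. The `ssh_keys` line in `locals` is a whitespace-only realignment mixed into a functional change, fine but easy to mistake for a value change. The nixos_vars.tf hunk that follows is cut off at `command = <` in this rendering and could not be reviewed.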