From 36e05c009a307822d609c5f77047f6fe4ab6fb30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 14 May 2023 20:17:36 +0200 Subject: [PATCH 1/7] inherit ssh keys from terraform
---
 targets/nixos-wiki.thalheim.io/configuration.nix | 5 ++++- targets/staging.nixos-wiki.thalheim.io/configuration.nix | 5 ++++- terraform/nixos-wiki/main.tf | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/targets/nixos-wiki.thalheim.io/configuration.nix b/targets/nixos-wiki.thalheim.io/configuration.nix
index 9d57beb..5657f2a 100644
--- a/targets/nixos-wiki.thalheim.io/configuration.nix
+++ b/targets/nixos-wiki.thalheim.io/configuration.nix
@@ -1,6 +1,9 @@
-{ self, ... }: {
+{ self, ... }: let
+ nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in {
 imports = [
 self.nixosModules.nixos-wiki
 self.nixosModules.hcloud
 ];
+ config.users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
 }
diff --git a/targets/staging.nixos-wiki.thalheim.io/configuration.nix b/targets/staging.nixos-wiki.thalheim.io/configuration.nix
index 9d57beb..5657f2a 100644
--- a/targets/staging.nixos-wiki.thalheim.io/configuration.nix
+++ b/targets/staging.nixos-wiki.thalheim.io/configuration.nix
@@ -1,6 +1,9 @@
-{ self, ... }: {
+{ self, ... }: let
+ nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in {
 imports = [
 self.nixosModules.nixos-wiki
 self.nixosModules.hcloud
 ];
+ config.users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
 }
diff --git a/terraform/nixos-wiki/main.tf b/terraform/nixos-wiki/main.tf
index a58daba..d0def33 100644
--- a/terraform/nixos-wiki/main.tf
+++ b/terraform/nixos-wiki/main.tf
@@ -34,6 +34,6 @@ resource "hcloud_server" "nixos_wiki" {
 locals {
 nixos_vars = {
 ipv6_address = hcloud_server.nixos_wiki.ipv6_address
- ssh_keys = data.hcloud_ssh_keys.nixos_wiki.ssh_keys.*.public_key
+ ssh_keys = data.hcloud_ssh_keys.nixos_wiki.ssh_keys.*.public_key
 }
 }
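Review bot: The added `config.users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;` gives root login to every key in `nixos-vars.json`, and the main.tf hunk below fills that list from `data.hcloud_ssh_keys.nixos_wiki.ssh_keys.*.public_key`, so who can log in as root on this host is decided by which SSH keys are registered in the Hetzner Cloud project, not by anything reviewed in this repository; the staging configuration.nix hunk repeats the same line. The `data "hcloud_ssh_keys"` block itself is not visible here, so if it carries no filter, any key added to the project by any member becomes a root key on the next apply. A comment at the assignment would make that trust boundary explicit: `# root keys = every SSH key registered in the hcloud project (via nixos-vars.json); review project membership, not just this file`. Note also that `builtins.readFile ./nixos-vars.json` only evaluates inside a flake when the file is tracked by git, which is presumably why the terraform side force-adds it.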
From 3d8ddfad86128835e6760392acc0bdd2a3034387 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 14 May 2023 20:41:19 +0200 Subject: [PATCH 2/7] add disko configuration
---
 flake.lock | 21 +++++++++++++++++ flake.nix | 3 +++ modules/flake-module.nix | 1 + modules/single-disk.nix | 51 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 76 insertions(+) create mode 100644 modules/single-disk.nix
diff --git a/flake.lock b/flake.lock
index 79d9aab..6755d8e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
 "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1684003056,
+ "narHash": "sha256-zl11zyRNKzAW7YLvTkxmFjSBqxZbEvfwZqNCT91ELfU=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "8f95856432e091e5ac56fea2df81e905ddd02d27",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "flake-parts": {
 "inputs": {
 "nixpkgs-lib": [
@@ -38,6 +58,7 @@
 },
 "root": {
 "inputs": {
+ "disko": "disko",
 "flake-parts": "flake-parts",
 "nixpkgs": "nixpkgs",
 "srvos": "srvos",
diff --git a/flake.nix b/flake.nix
index 1fbeb54..af87ea4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,6 +8,9 @@
 treefmt-nix.url = "github:numtide/treefmt-nix";
 treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+
 srvos.url = "github:numtide/srvos";
 # Use the version of nixpkgs that has been tested to work with SrvOS
 srvos.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
index 5681a9a..53f09c3 100644
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -3,6 +3,7 @@
 hcloud.imports = [
 inputs.srvos.nixosModules.server
 inputs.srvos.nixosModules.hardware-hetzner-cloud
+ ./single-disk.nix
 ];
 nixos-wiki.imports = [
diff --git a/modules/single-disk.nix b/modules/single-disk.nix
new file mode 100644
index 0000000..57c42d9
--- /dev/null
+++ b/modules/single-disk.nix
@@ -0,0 +1,51 @@
+{ self, ... }:
+let
+ partitions = [
+ {
+ name = "grub";
+ end = "1M";
+ part-type = "primary";
+ flags = [ "bios_grub" ];
+ }
+ {
+ name = "ESP";
+ start = "1MiB";
+ end = "500MiB";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "root";
+ start = "100MiB";
+ end = "100%";
+ part-type = "primary";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ # We use xfs because it has support for compression and has a quite good performance for databases
+ format = "xfs";
+ mountpoint = "/";
+ };
+ }
+ ];
+in
+{
+ imports = [
+ self.inputs.disko.nixosModules.disko
+ ];
+ disko.devices = {
+ disk.sda = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "table";
+ format = "gpt";
+ inherit partitions;
+ };
+ };
+ };
+}
From 1efd89b85da2aa707b08d38479f70139c755ceb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 14 May 2023 20:41:32 +0200 Subject: [PATCH 3/7] set stateVersion for all systems
---
 targets/nixos-wiki.thalheim.io/configuration.nix | 3 ++- targets/staging.nixos-wiki.thalheim.io/configuration.nix | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/targets/nixos-wiki.thalheim.io/configuration.nix b/targets/nixos-wiki.thalheim.io/configuration.nix
index 5657f2a..d9de2fe 100644
--- a/targets/nixos-wiki.thalheim.io/configuration.nix
+++ b/targets/nixos-wiki.thalheim.io/configuration.nix
@@ -5,5 +5,6 @@ in {
 self.nixosModules.nixos-wiki
 self.nixosModules.hcloud
 ];
- config.users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+ users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+ system.stateVersion = "23.05";
 }
diff --git a/targets/staging.nixos-wiki.thalheim.io/configuration.nix b/targets/staging.nixos-wiki.thalheim.io/configuration.nix
index 5657f2a..d9de2fe 100644
--- a/targets/staging.nixos-wiki.thalheim.io/configuration.nix
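Review bot: The `root` partition is declared with `start = "100MiB"` while the `ESP` entry right above it spans `1MiB` to `500MiB`, so the two ranges overlap by 400MiB and the partitioner will either reject the table or place the root partition's start inside the ESP; `start = "500MiB"` makes root begin where the ESP ends. The `grub` entry gives only `end = "1M"` with no `start`, so its position depends on disko's default for a missing start, which is worth pinning explicitly for a BIOS-boot partition. The patch 6 diffstat later in this series lists 40 changed lines in `modules/single-disk.nix`, but that hunk is not visible here, so I cannot tell whether the overlap is corrected there; if the file is reworked anyway, note that `type = "table"` is the older disko device API and the locked disko revision is what decides whether it still evaluates.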
+++ b/targets/staging.nixos-wiki.thalheim.io/configuration.nix
@@ -5,5 +5,6 @@ in {
 self.nixosModules.nixos-wiki
 self.nixosModules.hcloud
 ];
- config.users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+ users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+ system.stateVersion = "23.05";
 }
From d2aec0afe7af934890edf03ce73de180dd3708be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 21 Jul 2023 14:54:14 +0200 Subject: [PATCH 4/7] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/8f95856432e091e5ac56fea2df81e905ddd02d27' (2023-05-13) → 'github:nix-community/disko/f2248036d2aeb61690903130458b4e7f975b1c78' (2023-07-21) flake.lock: Update Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/f2248036d2aeb61690903130458b4e7f975b1c78' (2023-07-21) → 'github:nix-community/disko/8c5d52db5690c72406b0cb13a5ac8554a287c93a' (2023-10-24) • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/86684881e184f41aa322e653880e497b66429f3e' (2023-05-01) → 'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/3e313808bd2e0a0669430787fb22e43b2f4bf8bf' (2023-05-05) → 'github:NixOS/nixpkgs/7c9cc5a6e5d38010801741ac830a3f8fd667a7a0' (2023-10-19) • Updated input 'srvos': 'github:numtide/srvos/bca63963ab057d1075216e4db5c685dd6bd715d5' (2023-05-12) → 'github:numtide/srvos/8d554f30b308b06d20c3d5cef211e7c14d8d1a32' (2023-10-23) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/b44794f94514b61512352a18cd77c710f0005f15' (2023-05-05) → 'github:numtide/treefmt-nix/aae39f64f5ecbe89792d05eacea5cb241891292a' (2023-10-15)
---
 flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/flake.lock b/flake.lock
index 6755d8e..8f67a48 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1684003056,
- "narHash": "sha256-zl11zyRNKzAW7YLvTkxmFjSBqxZbEvfwZqNCT91ELfU=",
+ "lastModified": 1698155728,
+ "narHash": "sha256-PUJ40o/0LyMEgSBEfLVyPA0K3gQnPYQDq9dW9nCOU9M=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "8f95856432e091e5ac56fea2df81e905ddd02d27",
+ "rev": "8c5d52db5690c72406b0cb13a5ac8554a287c93a",
 "type": "github"
 },
 "original": {
@@ -27,11 +27,11 @@
 ]
 },
 "locked": {
- "lastModified": 1682984683,
- "narHash": "sha256-fSMthG+tp60AHhNmaHc4StT3ltfHkQsJtN8GhfLWmtI=",
+ "lastModified": 1696343447,
+ "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "86684881e184f41aa322e653880e497b66429f3e",
+ "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
 "type": "github"
 },
 "original": {
@@ -42,11 +42,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1683286087,
- "narHash": "sha256-xseOd7W7xwF5GOF2RW8qhjmVGrKoBz+caBlreaNzoeI=",
+ "lastModified": 1697723726,
+ "narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3e313808bd2e0a0669430787fb22e43b2f4bf8bf",
+ "rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0",
 "type": "github"
 },
 "original": {
@@ -72,11 +72,11 @@
 ]
 },
 "locked": {
- "lastModified": 1683894417,
- "narHash": "sha256-Z7rbmaR76lY4vwhaG9yQWmLYl1yIQ4g2wrPkQW+tJJw=",
+ "lastModified": 1698059971,
+ "narHash": "sha256-/WsFn9aqrxNPglgxBdZMsfQE24U41PF85dXjd4ZQN3E=",
 "owner": "numtide",
 "repo": "srvos",
- "rev": "bca63963ab057d1075216e4db5c685dd6bd715d5",
+ "rev": "8d554f30b308b06d20c3d5cef211e7c14d8d1a32",
 "type": "github"
 },
 "original": {
@@ -92,11 +92,11 @@
 ]
 },
 "locked": {
- "lastModified": 1683307174,
- "narHash": "sha256-A7nF2Q+F+Bqs4u6VS4aOzyURfly5f4ZAiihGU0FA29g=",
+ "lastModified": 1697388351,
+ "narHash": "sha256-63N2eBpKaziIy4R44vjpUu8Nz5fCJY7okKrkixvDQmY=",
 "owner": "numtide",
 "repo": "treefmt-nix",
- "rev": "b44794f94514b61512352a18cd77c710f0005f15",
+ "rev": "aae39f64f5ecbe89792d05eacea5cb241891292a",
 "type": "github"
 },
 "original": {
From c2ac99ce528061da1c31c5c70bd8b3ec816ca94c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 24 Oct 2023 16:51:11 +0200 Subject: [PATCH 5/7] make terraform halal again
---
 flake.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/flake.nix b/flake.nix
index af87ea4..70f4f9f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,10 +30,12 @@
 programs.terraform.enable = true;
 programs.nixpkgs-fmt.enable = true;
 };
- packages.default = pkgs.mkShell {
+ packages.default = let
+ terraformHalal = pkgs.terraform.overrideAttrs (_old: { meta = _old.meta // { license = lib.licenses.free; }; });
+ in pkgs.mkShell {
 packages = [
 pkgs.bashInteractive
- (pkgs.terraform.withPlugins (p: [
+ (terraformHalal.withPlugins (p: [
 p.netlify
 p.hcloud
 p.null
From 8c8bb60d413f8e8cce2680e4cfd143ff785b2c7e Mon Sep 17 00:00:00 2001
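Review bot: `terraformHalal` rewrites `meta.license` of `pkgs.terraform` to `lib.licenses.free` without saying why, and neither the binding name nor the subject line tells a later reader that the override exists only so the devShell evaluates without an unfree allowance and does not change what gets built; a comment on the binding such as `# relabel the license so the shell evaluates without allowUnfree; the package itself is unchanged` would carry that. `lib` is not among the `perSystem = { config, pkgs, ... }` arguments visible in the patch 7 hunk, so unless it is bound further up in flake.nix (outside this hunk), `pkgs.lib.licenses.free` is the safer spelling. The `_old` parameter is used on the same line, and a leading underscore conventionally marks an unused binding, so `old` would be the expected name.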
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 24 Oct 2023 17:33:05 +0200 Subject: [PATCH 6/7] add actual wiki configuration and lots of modernisations
---
 .sops.yaml | 9 ++ bors.toml | 8 -- flake.lock | 22 ++++ flake.nix | 5 + modules/flake-module.nix | 9 +- modules/nixos-wiki.nix | 1 - modules/nixos-wiki/backup.nix | 78 ++++++++++++ modules/nixos-wiki/default.nix | 112 ++++++++++++++++++ modules/nixos-wiki/nixos.png | Bin 0 -> 6093 bytes modules/single-disk.nix | 40 +++---- targets/nixos-wiki.thalheim.io/apply.sh | 1 - .../nixos-wiki.thalheim.io/configuration.nix | 10 -- .../apply.sh | 0 .../nixos-wiki2.thalheim.io/configuration.nix | 16 +++ .../nixos-vars.json | 2 +- targets/nixos-wiki2.thalheim.io/secrets.yaml | 32 +++++ .../terraform.tf | 14 +-- .../configuration.nix | 10 -- .../terraform.tf | 21 ---- terraform/nixos-wiki/decrypt-age-keys.sh | 8 ++ terraform/nixos-wiki/main.tf | 21 ++-- terraform/nixos-wiki/nixos_vars.tf | 4 +- 22 files changed, 326 insertions(+), 97 deletions(-) create mode 100644 .sops.yaml delete mode 100644 bors.toml delete mode 100644 modules/nixos-wiki.nix create mode 100644 modules/nixos-wiki/backup.nix create mode 100644 modules/nixos-wiki/default.nix create mode 100644 modules/nixos-wiki/nixos.png delete mode 120000 targets/nixos-wiki.thalheim.io/apply.sh delete mode 100644 targets/nixos-wiki.thalheim.io/configuration.nix rename targets/{staging.nixos-wiki.thalheim.io => nixos-wiki2.thalheim.io}/apply.sh (100%) create mode 100644 targets/nixos-wiki2.thalheim.io/configuration.nix rename targets/{nixos-wiki.thalheim.io => nixos-wiki2.thalheim.io}/nixos-vars.json (58%) create mode 100644 targets/nixos-wiki2.thalheim.io/secrets.yaml rename targets/{nixos-wiki.thalheim.io => nixos-wiki2.thalheim.io}/terraform.tf (59%) delete mode 100644 targets/staging.nixos-wiki.thalheim.io/configuration.nix delete mode 100644 targets/staging.nixos-wiki.thalheim.io/terraform.tf create mode 100755 terraform/nixos-wiki/decrypt-age-keys.sh
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..afe0d19
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ - &nixos-wiki2 age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
+creation_rules:
+ - path_regex: targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$
+ key_groups:
+ - age:
+ - *joerg
+ - *nixos-wiki2
diff --git a/bors.toml b/bors.toml
deleted file mode 100644
index 54f90de..0000000
--- a/bors.toml
+++ /dev/null
@@ -1,8 +0,0 @@
-cut_body_after = "" # don't include text from the PR body in the merge commit message
-status = [
- "Evaluate flake.nix",
- "check treefmt [x86_64-linux]",
- "package default [x86_64-linux]",
- "nixosConfig nixos-wiki-thalheim-io",
- "nixosConfig staging-nixos-wiki-thalheim-io",
-]
diff --git a/flake.lock b/flake.lock
index 8f67a48..6977f96 100644
--- a/flake.lock
+++ b/flake.lock
@@ -61,10 +61,32 @@
 "disko": "disko",
 "flake-parts": "flake-parts",
 "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix",
 "srvos": "srvos",
 "treefmt-nix": "treefmt-nix"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": []
+ },
+ "locked": {
+ "lastModified": 1697943852,
+ "narHash": "sha256-DaBxUPaZhQ3yLCmAATshYB7qo7NwcMvSFWz9T3bjYYY=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "30a0ba4a20703b4bfe047fe5def1fc24978e322c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "srvos": {
 "inputs": {
 "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 70f4f9f..d0534e8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,10 @@
 srvos.url = "github:numtide/srvos";
 # Use the version of nixpkgs that has been tested to work with SrvOS
 srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.inputs.nixpkgs-stable.follows = "";
 };
 outputs = inputs@{ flake-parts, ... }:
@@ -35,6 +39,7 @@
 in pkgs.mkShell {
 packages = [
 pkgs.bashInteractive
+ pkgs.sops
 (terraformHalal.withPlugins (p: [
 p.netlify
 p.hcloud
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
index 53f09c3..c4e16f6 100644
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -2,12 +2,19 @@
 flake.nixosModules = {
 hcloud.imports = [
 inputs.srvos.nixosModules.server
+ inputs.sops-nix.nixosModules.sops
 inputs.srvos.nixosModules.hardware-hetzner-cloud
 ./single-disk.nix
+ {
+ sops.age.keyFile = "/var/lib/secrets/age";
+ }
 ];
 nixos-wiki.imports = [
- ./nixos-wiki.nix
+ ./nixos-wiki
+ ];
+ nixos-wiki-backup.imports = [
+ ./nixos-wiki/backup.nix
 ];
 };
 }
diff --git a/modules/nixos-wiki.nix b/modules/nixos-wiki.nix
deleted file mode 100644
index c915eb0..0000000
--- a/modules/nixos-wiki.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: { }
diff --git a/modules/nixos-wiki/backup.nix b/modules/nixos-wiki/backup.nix
new file mode 100644
index 0000000..a5aeb58
--- /dev/null
+++ b/modules/nixos-wiki/backup.nix
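Review bot: `sops.age.keyFile = "/var/lib/secrets/age"` is added to the shared `hcloud` module, so every host built from it expects that file at activation, yet nothing in NixOS creates it; from the patch 6 diffstat (`terraform/nixos-wiki/decrypt-age-keys.sh`, wired as `extra_files_script` in the main.tf hunk further down) it appears to be copied in during the nixos-anywhere install, which this module does not mention. A comment on the attribute would save the next reader the search: `# not managed by NixOS: provisioned into the target by terraform/nixos-wiki/decrypt-age-keys.sh during the nixos-anywhere install`. Because the key is only laid down at install time, a reinstall or a new host that skips that step leaves sops-nix unable to decrypt `secrets.yaml` on activation, and that recovery path deserves a line in the same comment.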
@@ -0,0 +1,78 @@
+{ config, pkgs, ... }:
+let
+ wikiDump = "/var/backup/wikidump.xml.gz";
+
+ mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance"
+ {
+ nativeBuildInputs = [ pkgs.makeWrapper ];
+ preferLocalBuild = true;
+ } ''
+ mkdir -p $out/bin
+ makeWrapper ${pkgs.php}/bin/php $out/bin/mediawiki-maintenance \ --set MEDIAWIKI_CONFIG ${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG} \ --add-flags ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php
+ '';
+
+ wiki-restore = pkgs.writeShellApplication {
+ name = "wiki-restore";
+ runtimeInputs = [
+ pkgs.postgresql
+ pkgs.coreutils
+ pkgs.util-linux
+ mediawiki-maintenance
+ ];
+ text = ''
+ tmpdir=$(mktemp -d)
+ cleanup() { rm -rf "$tmpdir"; }
+ cd "$tmpdir"
+ chown mediawiki:nginx "$tmpdir"
+
+ rm -rf /var/lib/mediawiki-uploads
+ install -d -m 755 -o mediawiki -g nginx /var/lib/mediawiki-uploads
+ systemctl stop phpfpm-mediawiki.service
+ runuser -u postgres -- dropdb mediawiki
+ systemctl restart postgresql
+ systemctl restart mediawiki-init.service
+ cat < tags
+ extensions.ParserFunctions = null;
+ extensions.Cite = null;
+ extensions.VisualEditor = null;
+ extensions.AuthManagerOAuth = pkgs.fetchzip {
+ url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.0/AuthManagerOAuth.zip";
+ hash = "sha256-4ev8LwuConmHzFm5cPr+ni9aYPDOHLArGoJhzdugEn4=";
+ }; # Github login
+ extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
+ extensions.StopForumSpam = pkgs.fetchzip {
+ url = "https://extdist.wmflabs.org/dist/extensions/StopForumSpam-REL1_40-71b57ba.tar.gz";
+ hash = "sha256-g8v4zr11c2e4bY0BNipJ48miyAF4WTNvlSMgb/NxPBA=";
+ };
+
+ extraConfig = ''
+ #$wgDebugLogFile = "/var/log/mediawiki/debug.log";
+
+ # allow local login
+ $wgAuthManagerOAuthConfig = [
+ 'github' => [
+ 'clientId' => '${config.services.nixos-wiki.githubClientId}',
+ 'clientSecret' => 
file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"),
+ 'urlAuthorize' => 'https://github.com/login/oauth/authorize',
+ 'urlAccessToken' => 'https://github.com/login/oauth/access_token',
+ 'urlResourceOwnerDetails' => 'https://api.github.com/user'
+ ],
+ ];
+
+ # Enable account creation globally
+ $wgGroupPermissions['*']['createaccount'] = true;
+ $wgGroupPermissions['*']['autocreateaccount'] = true;
+
+ # Disable anonymous editing
+ $wgGroupPermissions['*']['edit'] = false;
+
+ # Allow svg upload
+ $wgFileExtensions[] = 'svg';
+ $wgSVGConverterPath = "${pkgs.imagemagick}/bin";
+
+ # Pretty URLs
+ $wgUsePathInfo = true;
+
+ # cache pages with APCu
+ $wgMainCacheType = CACHE_ACCEL;
+
+ # TODO: nixos favicon
+ #$wgFavicon = "/favicon.ico";
+ $wgDefaultSkin = 'vector-2022';
+ # configure logos for vector-2022: https://www.mediawiki.org/wiki/Manual:$wgLogos
+ $wgLogos = [
+ '1x' => '/nixos.png',
+ 'icon' => '/nixos.png',
+ ];
+
+ # Combat SPAM with IP-Blocklists (StopForumSpam extension)
+ $wgEnableDnsBlacklist = true;
+ $wgDnsBlacklistUrls = array(
+ 'dnsbl.dronebl.org'
+ );
+
+ # required for fancy VisualEditor extension
+ $wgGroupPermissions['user']['writeapi'] = true;
+
+ # Enable content security policy
+ $wgCSPHeader = true;
+
+ # Disallow framing
+ $wgEditPageFrameOptions = "DENY";
+
+ $wgEnableEmail = true;
+ $wgAllowHTMLEmail = false;
+ $wgEmergencyContact = "nixos-wiki-emergency@thalheim.io";
+ $wgPasswordSender = "nixos-wiki@thalheim.io"; # Default FROM address
+ $wgNoReplyAddress = "nixos-wiki-no-reply@thalheim.io"; # Default Reply-To address
+ '';
+ };
+
+ security.acme.acceptTerms = true;
+ services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
+ enableACME = lib.mkDefault true;
+ forceSSL = true;
+ locations."=/nixos.png".alias = ./nixos.png;
+ };
+ };
+
+}
diff --git a/modules/nixos-wiki/nixos.png b/modules/nixos-wiki/nixos.png new file mode 100644 index 0000000000000000000000000000000000000000..6867428956ac01b88526e65d2a9d0aca3d59b215 GIT binary patch literal 6093 zcmZu#bx_n_wEr%#bcdj%fHV>!-JMHGBTIvHtu#xQbmt=7AuUqU@RL$%X^?JdBp$wh z-E?cDfUWI^_yxJvyn-OL<(A#Fv+q(2O6|(Ls9W78H`WM41KyIgG`tLY+rz8~Y|HHr|N8?zk1+F(C0o!7<#Qua@cZ z<{R>~@5A)-H}AN{&M+7!#d8MKdUtrCOMke5w&~auVMb5M_+r zHUj;vFG=>?a+cr$qpQ6MyS`jkiyL&_DL6KWMmUF_OAtSP`@?g5(jn^C>375N#Gx_!Zx62^F^+4sKPGkNxq+IcP{jul&X8 zDq$oktMAgrlK)c2y>H3V3cO~Uf@FjARASZmD2G-9-4Ujy_;@&m=U@P4~1K41mUv0 zj9k}9)g!~C7zWf6`ZVmfuh@{f^oa>U^jC|FlEg339POKK8~q&}l`?g@8B-KrRmV25 z@kU88NrCBkH(#|~}$oUngEHrlU{=VlXf=g z*fEI^hHG@+zcoLMbq}V$MN{)TYQu7xcjja*XMYLJf}Xx6_3h>~{JmK!*CkO}G9Z3; z9r*#S&?3gxD9kSWYj@vO(~qfoDMc%&i;)CC5{K`0znB7MuR!gV%&DGTSfPNm zSPuCGUZ0wE0bbJWD`x5+9d7PM#3A_8g;i)1T{2QwNdL1@uGITHz7Kusa0D6Wxa7!s z5~_vli12#}ZnS)+-0N9M-HSVMwYb*Ckzs&XScoO$5SGna(OlfGkFuHpJq1uUv58_> zFuEtyAAAc6&%1N|lc?}9*s)tD*xMsc6{VGLV!y16bzDV*32{hb;a&<#{-5-k$Mz9% z7;9#=Lw!0Kt>M$+3UOE2m0R2{l`WNol{&TqS0DL9@4?*|>!UICBbo!v>LkjVdZ0S* zo6PJQYMsXhak)6zY6pPF28%rY6QnjWIrX#c+g)hZ>-x#|II)Y|DYQ%`jCDX3CxFF> zU4%D(JfTpr{R|f_Mu=!emvBu%9~ns`dto@z%}(t0+tQ)hel~n!#*YHf$P3M&wg31Y zRzkqZ-Up_~g465wykj=GwB%znoAyGHY=EB9!%z>8#LuNxltJ9`I->on-gN8YR_+c% zv0fP6v`p7cCl9|y2n~eXN@DLax+|F~u8Vc=<}a%6&DLgmdogofX=5_(K-js-FX!Fk^wO3BGP=Fj zM?wPLus7X_d~y3d{_TLYRXal4(JZU5^=P@)(Ikdoc_frpagJ}aF(VP?J${-D&%AXkK4$#ozjSN=jLhDxW)ZqPObZ_&E5f$Gvp)!y%et zs%RCXuU`NA#Z55RvM$)$X3!wighFg+`Oy^^;;4QE!H0>h-J<#2bdqZa2Z&p~0E7r# z&6lp^8ns~W0W!P9QmajulwTeHb%z9Zct__4W*cy#a%#d75#2VD&G>I z=~@5$bu`U7oQkGI2Z#-}ACNLzywx3^>{D{3V18Nd_E^(CT&^?ea(7YS*+u@MLM=koLA4yt>3*tqn6K zvuIs4QG8uDMi_1sL6P1fEBjzY)Ebwy^6^+RU&GcX-23m4IGBs*&^q)AyLco4t7yDC}&{a@Xfh z@_S|Q(#H+x{<;`h4LB0(O%7$I>bzAn^p%b1#5svESzOf1)m*DJa-~w0*p7r$f6I*w zWD>Ivq6g%abTm~YLq6exHGF=WSm;vzp2t}=GMRYfELsKI=*+#JkG2-=Y+FeyJ$7p5 z7Rp%v$+m)WLVb=;(dV&nZCChG%HcM|)SSy@ApCVg_4Y%UGhV~)QMxl`4%MbdlHF*2 
z`KYp=Pk+2G5f30~=3>^HH&6;3@V6Z?s41(&QIgGjK)B#T)HM~fhFb27AFNP4(j5ul zgy+13JMFWO7t?*Ku_e3uC%yALYvU@AA@t1_$6 zrR~OLdeAk-RHb>*b_l62$!yu}4$&jZhWt5Ro%zJC{Q`w0OvRkd1RgPVAIo~%)6AIW zh)NnO0pux!Q_0!F_WaP(7I{yR%ySUa{Z)gDw_Q{U2~@ zvhy?Fnqb3M0P>;Y?<&*@f2bF+8jHif7Xw@)Y_?LjJ2nkXd_PG81rat1pUC4U4r@1u%y7RlQg-W4 zI_WAZ@tY?IrV>n5OSIt#5+{1j;pyYjIDE0I7Vy{Kjy-%l?`fFdXW3 zS4d8+wTm;~Q22crZ4&VW-(G9`2)`drZ9g@wQDp@GBLh7)Pt)A4I7w{pV9()RxkXA0 z+UqD99H`uQ_A8>g$h$-nG*<4-{(2-#zvlrq!kX%Ol;q?ZE@&WeOvM)hsMqza9|n0j zg@5yzHk<7>p7;RY>6tQinUVV#ov6UmyOog)=boq3ZwTm5IpjU82Mc9HWgyZLwv)Ac zzD;4P3Gu^m=#Dr`cVtyS-F3ccD2zVmhvrFv=N4FQ9P@@(VnA|eD%hguAC|EpR zM4LWD&O9w3>=qi&KK==IokNwLBQFeRmv!W_W*XL;ycFJgXCX>HmDV8tU=hX{?3r=!8eP`nsVkp;UWLka6^_R9!j zePLU^IXr9GlQIbgh93ziYMac$#{9cH9wkT%S{PrAu1I?6>W)Dn8`;mEH<&JPp(l$Z zkAqbkI4I_Frb8k@fWf3$Hm}NFGmzmriGUq`5WJ~EL4w;__zB>r@Twe}ln3wb!0!Qh zrn=;h_YIS{SvIEuum*KVK1OgWnX?dYlGrg-AR%J_VEacni7H)_=kmpGIuiq|QvuW^ zMv=U+Oro!)%t^hJFTQ3|bag@(+D?~77|8mD>Ju_R(NZ_23=vOCfD7fQ#p{tKY$-Q3 z?-S5M(ya+_7HL&(6y-pY#+L`~`=jJvYs89G)+}7?q0h z9u3n(YP<5KSY_piy8gsqMo?}#Kbrr-Tc?vAL`bz7E^vG(PIQan1A+xo-nO5nQ{zp& zyI_KI?)s^Bdk%v6#R>?|j7ML%_mzZl)S*OMCwCTljibRysyLWQ#@}V^uvT7ek5%~d zTlbMSp%6a-aCqO(E~iBkvElzj58wW7-MJbB*|8;_yhjv%USq-%0<6S(e7 zKjCkS@)JKqRa2%$V4@#8R=$h!;^KLo>WbZrV$GC_m!z19bktB%3h1TW)f_wO>1_`B zffH^`yf;jqP|7mEmLnEODJ_4to~MdmjMxKQGW+`%Pg)k0n6}4-061wmX_iU-iuy{u z)s-V~)GnDWnwFp|)X7ZDKws!XCE3;3n!#yFv0V!pOYWugm*bSwFZV|I%_WBu+$hbT`S}%GjBxY>G_5A;O!Cif0^1A62fyAAkZvk*5>gtp`e{~OS@MA4$a?;L|eV% zQk$0J1}QxZbOOIBX4}};;jLTIB&fhSqbXsp$B+7=>(y%6fraly795Kg@`v(E`BxLC zKku|F)+mh{Urv32pl@hZa4}EMp-QrJVDPDU?8Srf}A}=U*s>TN-a~;y~ z^-Ig-<5+lrRz*EtKh`e0EQW@nqX^)EuBYajpgBNU_8>MSNlLY)`Uk?;g5UfYeG z>>#MXxqMS|;{8I^KoiA_o{{8mFBb0%^ofXWrYN+rLYAF~fxg=9EroXf$C_{59JTz2 zBnwSfe?di2=>CmtJMkn|rl15*oA3~JpQ36FzIhZkE>x#_Jm$KRsS)9U-p5XV&~%BA zZI_j2ljY;#t(iEKk0uj7ucGoRhPt9gCpn}tX+={R?)D6$VM-XbaZes07t4=%Pm)@f zzEeior84+e@RPrb2-bhaH4wA!#(e*i7nWQ{v!%8l zZbm<-T;KeDn%d2`!DN{QzXM|K;e(z9)y7IN9%rc6D|ud0E)T(0BY!wGzV1-MQ~|9( 
zo{(ePc9wLm?VQQ;$OxQ(hA`4bJ5h4G4I>JUjU?|;j2~nYdt>UNS7K`^9>!U$Kh+CkDHS?#)dpky%; ztWPNYfxDsT!4qzQ9!+CcvQ_UrSt#;GctfkjRHf(}v$8bUZBUh}g@e27#>(2h-5b_R z=R6vXXSB@uTi@8{#4rr67GrEdw*7Q>6B43y{-HArcjI=yu;#%zD&<)Rh$bvH`$_*T zzgLT#rxKc^ZwKxMM$O+dBOSq3(xN050K2j{`dm7S;G9hpcth`HUjlNZxp7C`8LZAY zdGzmw=1Fa7h^E5p!YJIc!sT;9Dre39j_a`DMBigFJUUC5+u?1DZGnl^V~-6cGSTNvgng6Q=KC+W zN@9KOvmX5CvpIqP`w}p#8|jZ%)YRUiJln5x$^Vr9_i<)heF+Q=k!5K3c-Ik7`|s$o zw@JB)zfUQJ06KdgeM;1QN?n#JMeFb zUYZ$U8>)R)Do3yHEyiFFFZ3gp;i7xa7f@eV1jDpkHay3DLz3O#DG){_RNs3=QupWO zWoITC^`B?+U(tyVo6)mTtjOk<*a5#OdrrJnrS0<*|1^3GAVCazgT9Rgt{f2MLz#(T zL^_skl=#;bi-%*`b)>wA7$&jIvVIdw_0O;9vC+0AK2@35WGJSs{%>OWYbfQ`S6af_ zD(}tvSV9$VGe_-^go-7x^PbPF7+k8p2&5k!QFH`enTyAj~iNS21@nr)87ak(fB0w;773?4ReTd_d?>-CErfg=s60UPXj9UkYeF;Z(yCW zFj9A{yuAMJ@Fd8RrV@<9($m9n4t3hm&|(o3{$Yvk35>oJX3e$ z)&;$C$zY0$3a3T-HO^Vn3znObH$_otsMo4>jmm7gH|eQ3Pr}<9MUor!! z#ApU}+K71$7B$LU+m`otf*9>1cIx~ie z^DB}(OToKhX%<_*(b+Bb^iJ;L$v7=1Gm^~UVwoW#Q?rQqQvexie*HumOn?MAM}T3F zYb-h6A1LA%l}V~?x|tsziN&^STU>XTb>n#9+)seKLz=d`isNeY`uY=9!xXy{`o`aN zw)nKpB#E|ZgC_C7J+8~;-92eWlMHEX($Ru&YH)I$Sbr!j7pu675iJ8ovN^P=@5&wn z{B@xt(2m|~)5DVpC2~F`Vsa#k1cGv{IOjvphQ@b6>BjiM87+iPoDYljwGcx#@^89Y z8xbDbSjy`0y=!^u7iY2jA2cf{iebUet25X*nGAtOS!5)gc|A<#BAy&GFJDV6l{&<|Kw-X*`_{EJqa+|qJ@ci^wi!Rf zQY*#eZ~y9mg4(Wae;RJL5p!YSUtX(<@u4-3q#kTv&mU^t&a>pIr^+N%qX=VpM-dax zffLVVfvy9s-Ann{IVH5(q*r`?*}T)GM)RJdr8-0>E$YODpZhl^L!Xzwa1=E0w1#sF zc3b~cwW}Lb0jTyZeP=BPL;s$KeH(`;ioGq=o?XO+eY>?Rnm8&fgYE^ub+H#px(l&b zHwBdK<9F8v+uY~rv-2y(uc}Xlgx+%H`T(E&P@W@iL1k@?pC6sAIt#&V>8RIb9mkDl zBExK%#0=*S2k$C+=3z|_3?rUn6sK7KuWNeJ8(-7^h ./var/lib/secrets/age +# restore umask +umask 0022 diff --git a/terraform/nixos-wiki/main.tf b/terraform/nixos-wiki/main.tf index d0def33..b692f6e 100644 --- a/terraform/nixos-wiki/main.tf +++ b/terraform/nixos-wiki/main.tf 
@@ -4,7 +4,7 @@ data "hcloud_ssh_keys" "nixos_wiki" {
 }
 resource "hcloud_server" "nixos_wiki" {
- image = "debian-10"
+ image = "debian-11"
 keep_disk = true
 name = "nixos-wiki"
 server_type = var.server_type
@@ -21,15 +21,16 @@ resource "hcloud_server" "nixos_wiki" {
 }
 }
-#module "deploy" {
-# depends_on = [local_file.nixos_vars]
-# source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
-# nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
-# nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
-# target_host = hcloud_server.nixos_wiki.ipv4_address
-# instance_id = hcloud_server.nixos_wiki.id
-# debug_logging = true
-#}
+module "deploy" {
+ depends_on = [local_file.nixos_vars]
+ source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+ nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
+ nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoScriptNoDeps"
+ target_host = hcloud_server.nixos_wiki.ipv4_address
+ instance_id = hcloud_server.nixos_wiki.id
+ extra_files_script = "${path.module}/decrypt-age-keys.sh"
+ debug_logging = true
+}
 locals {
 nixos_vars = {
diff --git a/terraform/nixos-wiki/nixos_vars.tf b/terraform/nixos-wiki/nixos_vars.tf
index b7a3e22..e210d0d 100644
--- a/terraform/nixos-wiki/nixos_vars.tf
+++ b/terraform/nixos-wiki/nixos_vars.tf
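Review bot: `debug_logging = true` is committed into the now-active `module "deploy"` block, so every `terraform apply` runs the nixos-anywhere install with verbose output, and the same run executes `extra_files_script = "${path.module}/decrypt-age-keys.sh"` to ship the age private key onto the host; a secret-carrying step and always-on tracing should not travel together in checked-in configuration. The hunk for the decrypt script is garbled on this page, so I cannot verify whether the verbose mode echoes file contents or only commands, which is why this is a precaution rather than a confirmed leak. Either `debug_logging = false` or `debug_logging = var.debug_logging` with a `false` default keeps tracing opt-in for the occasions an install needs diagnosing. The `source` pins no ref, so the module is fetched from the repository head on each init; a `?ref=` on the source would make the installer version reproducible.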
@@ -5,13 +5,13 @@ resource "local_file" "nixos_vars" {
 provisioner "local-exec" {
 interpreter = ["bash", "-c"]
- command = "git add -f '${local_file.nixos_vars.filename}'"
+ command = "git add -f '${var.nixos_vars_file}'"
 }
 # also pro-actively add hosts and flake-module.nix to git so nix can find it.
 provisioner "local-exec" {
 interpreter = ["bash", "-c"]
 command = < Date: Tue, 24 Oct 2023 17:34:54 +0200 Subject: [PATCH 7/7] apply treefmt
---
 flake.nix | 34 ++++++++++--------- .../nixos-wiki2.thalheim.io/configuration.nix | 6 ++-- 2 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/flake.nix b/flake.nix
index d0534e8..0180fa7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,24 +31,26 @@
 perSystem = { config, pkgs, ... }: {
 treefmt = {
 projectRootFile = "flake.nix";
- programs.terraform.enable = true;
+ programs.hclfmt.enable = true;
 programs.nixpkgs-fmt.enable = true;
 };
- packages.default = let
- terraformHalal = pkgs.terraform.overrideAttrs (_old: { meta = _old.meta // { license = lib.licenses.free; }; });
- in pkgs.mkShell {
- packages = [
- pkgs.bashInteractive
- pkgs.sops
- (terraformHalal.withPlugins (p: [
- p.netlify
- p.hcloud
- p.null
- p.external
- p.local
- ]))
- ];
- };
+ packages.default =
+ let
+ terraformHalal = pkgs.terraform.overrideAttrs (_old: { meta = _old.meta // { license = lib.licenses.free; }; });
+ in
+ pkgs.mkShell {
+ packages = [
+ pkgs.bashInteractive
+ pkgs.sops
+ (terraformHalal.withPlugins (p: [
+ p.netlify
+ p.hcloud
+ p.null
+ p.external
+ p.local
+ ]))
+ ];
+ };
 };
 });
 }
diff --git a/targets/nixos-wiki2.thalheim.io/configuration.nix b/targets/nixos-wiki2.thalheim.io/configuration.nix
index 8e06515..9d8ddab 100644
--- a/targets/nixos-wiki2.thalheim.io/configuration.nix
+++ b/targets/nixos-wiki2.thalheim.io/configuration.nix
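Review bot: The subject says `apply treefmt`, but the flake.nix hunk also replaces `programs.terraform.enable = true;` with `programs.hclfmt.enable = true;`, which changes which formatter runs over the `.tf` files rather than how flake.nix is laid out; that is a tooling change that belongs in its own commit or at least in this commit's message. The rest of the hunk is the expected nixpkgs-fmt re-indent of `packages.default` and carries no behavioural change. If the switch was made because the treefmt wrapper could not build `pkgs.terraform` without an unfree allowance, that is the same motive `terraformHalal` addresses a few lines below and a one-line comment on the `hclfmt` line would connect the two.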
@@ -1,6 +1,8 @@
-{ self, lib, ... }: let
+{ self, lib, ... }:
+let
 nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
-in {
+in
+{
 imports = [
 self.nixosModules.nixos-wiki
 self.nixosModules.nixos-wiki-backup