24a0bb2fea
9
.sops.yaml
Normal file
9
.sops.yaml
Normal file
@ -0,0 +1,9 @@
|
||||
keys:
|
||||
- &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
|
||||
- &nixos-wiki2 age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
|
||||
creation_rules:
|
||||
- path_regex: targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *joerg
|
||||
- *nixos-wiki2
|
@ -1,8 +0,0 @@
|
||||
cut_body_after = "" # don't include text from the PR body in the merge commit message
|
||||
status = [
|
||||
"Evaluate flake.nix",
|
||||
"check treefmt [x86_64-linux]",
|
||||
"package default [x86_64-linux]",
|
||||
"nixosConfig nixos-wiki-thalheim-io",
|
||||
"nixosConfig staging-nixos-wiki-thalheim-io",
|
||||
]
|
67
flake.lock
67
flake.lock
@ -1,5 +1,25 @@
|
||||
{
|
||||
"nodes": {
|
||||
"disko": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1698155728,
|
||||
"narHash": "sha256-PUJ40o/0LyMEgSBEfLVyPA0K3gQnPYQDq9dW9nCOU9M=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "8c5d52db5690c72406b0cb13a5ac8554a287c93a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
@ -7,11 +27,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1682984683,
|
||||
"narHash": "sha256-fSMthG+tp60AHhNmaHc4StT3ltfHkQsJtN8GhfLWmtI=",
|
||||
"lastModified": 1696343447,
|
||||
"narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "86684881e184f41aa322e653880e497b66429f3e",
|
||||
"rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -22,11 +42,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1683286087,
|
||||
"narHash": "sha256-xseOd7W7xwF5GOF2RW8qhjmVGrKoBz+caBlreaNzoeI=",
|
||||
"lastModified": 1697723726,
|
||||
"narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "3e313808bd2e0a0669430787fb22e43b2f4bf8bf",
|
||||
"rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -38,12 +58,35 @@
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"disko": "disko",
|
||||
"flake-parts": "flake-parts",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"sops-nix": "sops-nix",
|
||||
"srvos": "srvos",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": []
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1697943852,
|
||||
"narHash": "sha256-DaBxUPaZhQ3yLCmAATshYB7qo7NwcMvSFWz9T3bjYYY=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "30a0ba4a20703b4bfe047fe5def1fc24978e322c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"srvos": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
@ -51,11 +94,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1683894417,
|
||||
"narHash": "sha256-Z7rbmaR76lY4vwhaG9yQWmLYl1yIQ4g2wrPkQW+tJJw=",
|
||||
"lastModified": 1698059971,
|
||||
"narHash": "sha256-/WsFn9aqrxNPglgxBdZMsfQE24U41PF85dXjd4ZQN3E=",
|
||||
"owner": "numtide",
|
||||
"repo": "srvos",
|
||||
"rev": "bca63963ab057d1075216e4db5c685dd6bd715d5",
|
||||
"rev": "8d554f30b308b06d20c3d5cef211e7c14d8d1a32",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -71,11 +114,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1683307174,
|
||||
"narHash": "sha256-A7nF2Q+F+Bqs4u6VS4aOzyURfly5f4ZAiihGU0FA29g=",
|
||||
"lastModified": 1697388351,
|
||||
"narHash": "sha256-63N2eBpKaziIy4R44vjpUu8Nz5fCJY7okKrkixvDQmY=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "b44794f94514b61512352a18cd77c710f0005f15",
|
||||
"rev": "aae39f64f5ecbe89792d05eacea5cb241891292a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
18
flake.nix
18
flake.nix
@ -8,9 +8,16 @@
|
||||
treefmt-nix.url = "github:numtide/treefmt-nix";
|
||||
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
disko.url = "github:nix-community/disko";
|
||||
disko.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
srvos.url = "github:numtide/srvos";
|
||||
# Use the version of nixpkgs that has been tested to work with SrvOS
|
||||
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
sops-nix.inputs.nixpkgs-stable.follows = "";
|
||||
};
|
||||
|
||||
outputs = inputs@{ flake-parts, ... }:
|
||||
@ -24,13 +31,18 @@
|
||||
perSystem = { config, pkgs, ... }: {
|
||||
treefmt = {
|
||||
projectRootFile = "flake.nix";
|
||||
programs.terraform.enable = true;
|
||||
programs.hclfmt.enable = true;
|
||||
programs.nixpkgs-fmt.enable = true;
|
||||
};
|
||||
packages.default = pkgs.mkShell {
|
||||
packages.default =
|
||||
let
|
||||
terraformHalal = pkgs.terraform.overrideAttrs (_old: { meta = _old.meta // { license = lib.licenses.free; }; });
|
||||
in
|
||||
pkgs.mkShell {
|
||||
packages = [
|
||||
pkgs.bashInteractive
|
||||
(pkgs.terraform.withPlugins (p: [
|
||||
pkgs.sops
|
||||
(terraformHalal.withPlugins (p: [
|
||||
p.netlify
|
||||
p.hcloud
|
||||
p.null
|
||||
|
@ -2,11 +2,19 @@
|
||||
flake.nixosModules = {
|
||||
hcloud.imports = [
|
||||
inputs.srvos.nixosModules.server
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
inputs.srvos.nixosModules.hardware-hetzner-cloud
|
||||
./single-disk.nix
|
||||
{
|
||||
sops.age.keyFile = "/var/lib/secrets/age";
|
||||
}
|
||||
];
|
||||
|
||||
nixos-wiki.imports = [
|
||||
./nixos-wiki.nix
|
||||
./nixos-wiki
|
||||
];
|
||||
nixos-wiki-backup.imports = [
|
||||
./nixos-wiki/backup.nix
|
||||
];
|
||||
};
|
||||
}
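Review bot: `sops.age.keyFile = "/var/lib/secrets/age"` is the consuming end of a path that the deploy side writes as `var/lib/secrets/age` in `terraform/nixos-wiki/decrypt-age-keys.sh`, and nothing ties the two together; a comment on this line would keep them from drifting: `# written at install time by terraform/nixos-wiki/decrypt-age-keys.sh (nixos-anywhere extra_files), mode 0600`. The hunk's file header is not shown on this page, so the enclosing module is inferred from `flake.nixosModules`.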
|
||||
|
@ -1 +0,0 @@
|
||||
{ ... }: { }
|
78
modules/nixos-wiki/backup.nix
Normal file
78
modules/nixos-wiki/backup.nix
Normal file
@ -0,0 +1,78 @@
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
wikiDump = "/var/backup/wikidump.xml.gz";
|
||||
|
||||
mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance"
|
||||
{
|
||||
nativeBuildInputs = [ pkgs.makeWrapper ];
|
||||
preferLocalBuild = true;
|
||||
} ''
|
||||
mkdir -p $out/bin
|
||||
makeWrapper ${pkgs.php}/bin/php $out/bin/mediawiki-maintenance \
|
||||
--set MEDIAWIKI_CONFIG ${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG} \
|
||||
--add-flags ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php
|
||||
'';
|
||||
|
||||
wiki-restore = pkgs.writeShellApplication {
|
||||
name = "wiki-restore";
|
||||
runtimeInputs = [
|
||||
pkgs.postgresql
|
||||
pkgs.coreutils
|
||||
pkgs.util-linux
|
||||
mediawiki-maintenance
|
||||
];
|
||||
text = ''
|
||||
tmpdir=$(mktemp -d)
|
||||
cleanup() { rm -rf "$tmpdir"; }
|
||||
cd "$tmpdir"
|
||||
chown mediawiki:nginx "$tmpdir"
|
||||
|
||||
rm -rf /var/lib/mediawiki-uploads
|
||||
install -d -m 755 -o mediawiki -g nginx /var/lib/mediawiki-uploads
|
||||
systemctl stop phpfpm-mediawiki.service
|
||||
runuser -u postgres -- dropdb mediawiki
|
||||
systemctl restart postgresql
|
||||
systemctl restart mediawiki-init.service
|
||||
cat <<EOF | runuser -u mediawiki -- mediawiki-maintenance deleteBatch.php
|
||||
Main_Page
|
||||
MediaWiki:About
|
||||
EOF
|
||||
trap cleanup EXIT
|
||||
cp ${wikiDump} "$tmpdir"
|
||||
chown mediawiki:nginx "$tmpdir/wikidump.xml.gz"
|
||||
chmod 644 "$tmpdir/wikidump.xml.gz"
|
||||
runuser -u mediawiki -- mediawiki-maintenance importDump.php --uploads "$tmpdir/wikidump.xml.gz"
|
||||
runuser -u mediawiki -- mediawiki-maintenance rebuildrecentchanges.php
|
||||
systemctl start phpfpm-mediawiki.service
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
environment.systemPackages = [ mediawiki-maintenance ];
|
||||
|
||||
systemd.services.wiki-backup = {
|
||||
startAt = "hourly";
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = [
|
||||
"${pkgs.wget}/bin/wget https://nixos.wiki/images/wikidump.xml.gz -O ${wikiDump}.new"
|
||||
"${pkgs.coreutils}/bin/mv ${wikiDump}.new ${wikiDump}"
|
||||
];
|
||||
Type = "oneshot";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.wiki-restore = {
|
||||
startAt = "daily";
|
||||
path = [ pkgs.postgresql mediawiki-maintenance ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${wiki-restore}/bin/wiki-restore";
|
||||
Type = "oneshot";
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
|
||||
locations."=/wikidump.xml.gz".alias = wikiDump;
|
||||
};
|
||||
}
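Review bot: In `wiki-restore`, `trap cleanup EXIT` is installed only after the destructive steps (`rm -rf` of the uploads dir, `dropdb`, the service restarts and `deleteBatch.php`), so if any of them fails under `writeShellApplication`'s errexit the script exits and leaves `$tmpdir` behind; move `trap cleanup EXIT` to directly after the `cleanup()` definition. The same ordering means the database and uploads are wiped before the script has checked that `${wikiDump}` exists and is a readable gzip — `wiki-backup` only verifies that `wget` exited 0 before the `mv`, so a truncated or non-gzip response would be promoted and imported at the next daily run; put `gzip -t ${wikiDump}` as the first line of `text` (adding `pkgs.gzip` to `runtimeInputs`) so a bad dump aborts before anything is dropped. `/var/backup` is presumably created elsewhere, since `wget -O ${wikiDump}.new` fails if it is missing; a `StateDirectory` or tmpfiles rule would make that explicit.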
|
112
modules/nixos-wiki/default.nix
Normal file
112
modules/nixos-wiki/default.nix
Normal file
@ -0,0 +1,112 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
options = {
|
||||
services.nixos-wiki = {
|
||||
hostname = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "The hostname of the wiki";
|
||||
};
|
||||
githubClientId = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "The github client id for the wiki";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
sops.secrets."nixos-wiki".owner = config.services.phpfpm.pools.mediawiki.user;
|
||||
sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
|
||||
services.mediawiki = {
|
||||
enable = true;
|
||||
webserver = "nginx";
|
||||
database.type = "postgres";
|
||||
nginx.hostName = config.services.nixos-wiki.hostname;
|
||||
uploadsDir = "/var/lib/mediawiki-uploads/";
|
||||
passwordFile = config.sops.secrets."nixos-wiki".path;
|
||||
|
||||
extensions.SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags
|
||||
extensions.ParserFunctions = null;
|
||||
extensions.Cite = null;
|
||||
extensions.VisualEditor = null;
|
||||
extensions.AuthManagerOAuth = pkgs.fetchzip {
|
||||
url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.0/AuthManagerOAuth.zip";
|
||||
hash = "sha256-4ev8LwuConmHzFm5cPr+ni9aYPDOHLArGoJhzdugEn4=";
|
||||
}; # Github login
|
||||
extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
|
||||
extensions.StopForumSpam = pkgs.fetchzip {
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/StopForumSpam-REL1_40-71b57ba.tar.gz";
|
||||
hash = "sha256-g8v4zr11c2e4bY0BNipJ48miyAF4WTNvlSMgb/NxPBA=";
|
||||
};
|
||||
|
||||
extraConfig = ''
|
||||
#$wgDebugLogFile = "/var/log/mediawiki/debug.log";
|
||||
|
||||
# allow local login
|
||||
$wgAuthManagerOAuthConfig = [
|
||||
'github' => [
|
||||
'clientId' => '${config.services.nixos-wiki.githubClientId}',
|
||||
'clientSecret' => file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"),
|
||||
'urlAuthorize' => 'https://github.com/login/oauth/authorize',
|
||||
'urlAccessToken' => 'https://github.com/login/oauth/access_token',
|
||||
'urlResourceOwnerDetails' => 'https://api.github.com/user'
|
||||
],
|
||||
];
|
||||
|
||||
# Enable account creation globally
|
||||
$wgGroupPermissions['*']['createaccount'] = true;
|
||||
$wgGroupPermissions['*']['autocreateaccount'] = true;
|
||||
|
||||
# Disable anonymous editing
|
||||
$wgGroupPermissions['*']['edit'] = false;
|
||||
|
||||
# Allow svg upload
|
||||
$wgFileExtensions[] = 'svg';
|
||||
$wgSVGConverterPath = "${pkgs.imagemagick}/bin";
|
||||
|
||||
# Pretty URLs
|
||||
$wgUsePathInfo = true;
|
||||
|
||||
# cache pages with APCu
|
||||
$wgMainCacheType = CACHE_ACCEL;
|
||||
|
||||
# TODO: nixos favicon
|
||||
#$wgFavicon = "/favicon.ico";
|
||||
$wgDefaultSkin = 'vector-2022';
|
||||
# configure logos for vector-2022: https://www.mediawiki.org/wiki/Manual:$wgLogos
|
||||
$wgLogos = [
|
||||
'1x' => '/nixos.png',
|
||||
'icon' => '/nixos.png',
|
||||
];
|
||||
|
||||
# Combat SPAM with IP-Blocklists (StopForumSpam extension)
|
||||
$wgEnableDnsBlacklist = true;
|
||||
$wgDnsBlacklistUrls = array(
|
||||
'dnsbl.dronebl.org'
|
||||
);
|
||||
|
||||
# required for fancy VisualEditor extension
|
||||
$wgGroupPermissions['user']['writeapi'] = true;
|
||||
|
||||
# Enable content security policy
|
||||
$wgCSPHeader = true;
|
||||
|
||||
# Disallow framing
|
||||
$wgEditPageFrameOptions = "DENY";
|
||||
|
||||
$wgEnableEmail = true;
|
||||
$wgAllowHTMLEmail = false;
|
||||
$wgEmergencyContact = "nixos-wiki-emergency@thalheim.io";
|
||||
$wgPasswordSender = "nixos-wiki@thalheim.io"; # Default FROM address
|
||||
$wgNoReplyAddress = "nixos-wiki-no-reply@thalheim.io"; # Default Reply-To address
|
||||
'';
|
||||
};
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
|
||||
enableACME = lib.mkDefault true;
|
||||
forceSSL = true;
|
||||
locations."=/nixos.png".alias = ./nixos.png;
|
||||
};
|
||||
};
|
||||
|
||||
}
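Review bot: The comment `# Combat SPAM with IP-Blocklists (StopForumSpam extension)` above `$wgEnableDnsBlacklist`/`$wgDnsBlacklistUrls` mislabels those settings — they are MediaWiki core's DNSBL check, and no StopForumSpam-specific settings appear in the hunk even though `extensions.StopForumSpam` is loaded, so either document that the extension runs with its defaults or reword: `# Combat SPAM with core DNSBL lookups (dronebl); StopForumSpam is loaded above with default settings`. Likewise `# allow local login` sits above `$wgAuthManagerOAuthConfig`, which configures the GitHub OAuth provider rather than local login; `# GitHub OAuth login (AuthManagerOAuth)` would match the code. Reading `'clientSecret'` with `file_get_contents(...)` from the sops path is consistent with the owner set on `sops.secrets.nixos-wiki-github-client-secret` earlier in the file, so the secret stays out of the Nix store.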
|
BIN
modules/nixos-wiki/nixos.png
Normal file
BIN
modules/nixos-wiki/nixos.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 6.0 KiB |
41
modules/single-disk.nix
Normal file
41
modules/single-disk.nix
Normal file
@ -0,0 +1,41 @@
|
||||
{ self, ... }:
|
||||
let
|
||||
partitions = {
|
||||
boot = {
|
||||
size = "1M";
|
||||
type = "EF02"; # for grub MBR
|
||||
};
|
||||
esp = {
|
||||
size = "500M";
|
||||
type = "EF00"; # for grub MBR
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
};
|
||||
};
|
||||
root = {
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "ext4";
|
||||
mountpoint = "/";
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
self.inputs.disko.nixosModules.disko
|
||||
];
|
||||
disko.devices = {
|
||||
disk.sda = {
|
||||
type = "disk";
|
||||
device = "/dev/sda";
|
||||
content = {
|
||||
type = "gpt";
|
||||
inherit partitions;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
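Review bot: `# for grub MBR` is repeated on the `esp` partition whose type is `EF00`; that GPT type code is the EFI System Partition (it is formatted vfat and mounted at `/boot` right below), so the comment should read `# EFI system partition` — only the 1M `EF02` partition is the BIOS boot partition grub uses on GPT. The device is hard-coded as `disk.sda` / `/dev/sda` in an otherwise generic module; a one-line comment noting the Hetzner Cloud assumption (`# hcloud VMs expose the root disk as /dev/sda`) would tell the next reader why.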
|
@ -1 +0,0 @@
|
||||
../staging.nixos-wiki.thalheim.io/apply.sh
|
@ -1,6 +0,0 @@
|
||||
{ self, ... }: {
|
||||
imports = [
|
||||
self.nixosModules.nixos-wiki
|
||||
self.nixosModules.hcloud
|
||||
];
|
||||
}
|
18
targets/nixos-wiki2.thalheim.io/configuration.nix
Normal file
18
targets/nixos-wiki2.thalheim.io/configuration.nix
Normal file
@ -0,0 +1,18 @@
|
||||
{ self, lib, ... }:
|
||||
let
|
||||
nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
self.nixosModules.nixos-wiki
|
||||
self.nixosModules.nixos-wiki-backup
|
||||
self.nixosModules.hcloud
|
||||
];
|
||||
users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
|
||||
system.stateVersion = "23.11";
|
||||
services.nixos-wiki.hostname = "nixos-wiki2.thalheim.io";
|
||||
security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
|
||||
services.nixos-wiki.githubClientId = "Iv1.95ed182c83df1d22";
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
|
||||
}
|
@ -1 +1 @@
|
||||
{"ipv6_address":"2a01:4f9:c012:4d1e::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
|
||||
{"ipv6_address":"2a01:4f9:c012:afb9::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
|
32
targets/nixos-wiki2.thalheim.io/secrets.yaml
Normal file
32
targets/nixos-wiki2.thalheim.io/secrets.yaml
Normal file
@ -0,0 +1,32 @@
|
||||
nixos-wiki: ENC[AES256_GCM,data:PDVoovlVdCYr/rI6a8igNp8D7B6Ni+yY,iv:x/+Yro8tbSnEY+ELYx+UJKRzveidrpqHp7iC7e3ymc4=,tag:pgLVTxGqmOOQ6FMUgTLaYQ==,type:str]
|
||||
nixos-wiki-github-client-secret: ENC[AES256_GCM,data:ggkzMlolTHxo4Jh4fBN4Ot5RJgESovrRjZ6FmQkVuLAgQfX22KjE4w==,iv:plmxJQoRcaFZ1hmFHgOnUofp2pHrNITdL/a1d3tFtag=,tag:28MHko3esZKKXJps4GlTSQ==,type:str]
|
||||
age-key: ENC[AES256_GCM,data:ldlaCHNf99r6zaihQHXPZ0QyY6/KGZR3oRMKo7xiKH7EVjgmKzS8knjDDqwq29D25L1jbVPAmScPEHppbM58xU7nOx4lIpl3qKE=,iv:EHKnKwdHqlKwGrBNbCaoaB8m6xgYSJecUBJgtdZn8kU=,tag:xVs3HfQ8Qip65CIGti9k0w==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNm9scHFONkwwY3dzWEtH
|
||||
TWJnSVgzQldBd1NsVS90MnVyQ3V6aFo5YVFJCjc2S3lUc3FUaTllZGQ2R2FFTTNj
|
||||
cWRQSC80a2FWQm12cnhXTmJNN3lSOW8KLS0tIGpPL2ZzQzBpak9HV0lES05SZk5x
|
||||
KzM1azdvWlZIVU5VWVd4Q1AyN1VNTDQKZPtiA9MWZMOi+u6d0/Cg4vlJnP8dcaRq
|
||||
QQKfP3LYCRqWBIrAPP8LWhza3kEjh22Wquh8Zh1SJtq2tgGKy+Pt+A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaHFwd3B5YUFUcnR2TTFw
|
||||
aTQ4UFFBUXFxL2pOcUhyTFAwQ1ZvTGlEQUFnCmlQeHBrb2NhQXovWEl4ODdvd0FI
|
||||
b2JMOGpXRHB3cHVHZmt3UUx2SUdtc28KLS0tIHVTZ2FISTZWbmdPaWlTdUZsTG1I
|
||||
OHk4MkVmaFozaWdRV1RpbVM0amEvQTgKHk2ZxC+ZMUzTWD6KS1miOtLCtXF9SN/t
|
||||
2DDz5UAadLKaJ425AL3Qg4BhOZqUz4qPoyQvD/3aBKXg0IxXHgJCtQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-10-24T15:17:00Z"
|
||||
mac: ENC[AES256_GCM,data:jPInsdN9mTROhh+fyYb4JSy937fuSGr6lhRIZhDc8alOO7TYnF9GSbum3KPPHYLm8LPKLQK19umyik7a5P/c983sfRHhaOibAugtPQT3fzw0/jAjwUJ9F4t9zhrZ6k7KfU9eO/34vFM0uKYhq+wUV9ztgDLJbARmtO0Dka1ks7w=,iv:NudkNhomCsFlqkU/QjQcrsqoTdAJC7HzJDpRuqHCx7s=,tag:K20RqA4EcDmm5V27ZGPGpg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
@ -1,8 +1,8 @@
|
||||
terraform {
|
||||
backend "http" {
|
||||
address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io"
|
||||
lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
|
||||
unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
|
||||
address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io"
|
||||
lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
|
||||
unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
|
||||
lock_method = "POST"
|
||||
unlock_method = "DELETE"
|
||||
retry_wait_min = "5"
|
||||
@ -11,12 +11,12 @@ terraform {
|
||||
|
||||
module "wiki" {
|
||||
source = "../../terraform/nixos-wiki"
|
||||
netlify_dns_zone = "nixos-wiki.thalheim.io"
|
||||
domain = "nixos-wiki.thalheim.io"
|
||||
nixos_flake_attr = "nixos-wiki-thalheim-io"
|
||||
netlify_dns_zone = "nixos-wiki2.thalheim.io"
|
||||
domain = "nixos-wiki2.thalheim.io"
|
||||
nixos_flake_attr = "nixos-wiki2-thalheim-io"
|
||||
nixos_vars_file = "${path.module}/nixos-vars.json"
|
||||
tags = {
|
||||
Terraform = "true"
|
||||
Target = "nixos-wiki.thalheim.io"
|
||||
Target = "nixos-wiki2.thalheim.io"
|
||||
}
|
||||
}
|
@ -1,6 +0,0 @@
|
||||
{ self, ... }: {
|
||||
imports = [
|
||||
self.nixosModules.nixos-wiki
|
||||
self.nixosModules.hcloud
|
||||
];
|
||||
}
|
@ -1,21 +0,0 @@
|
||||
terraform {
|
||||
backend "http" {
|
||||
address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io"
|
||||
lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
|
||||
unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
|
||||
lock_method = "POST"
|
||||
unlock_method = "DELETE"
|
||||
retry_wait_min = "5"
|
||||
}
|
||||
}
|
||||
|
||||
module "wiki" {
|
||||
source = "../../terraform/nixos-wiki"
|
||||
netlify_dns_zone = "nixos-wiki.thalheim.io"
|
||||
nixos_flake_attr = "nixos-wiki-thalheim-io"
|
||||
nixos_vars_file = "${path.module}/nixos-vars.json"
|
||||
tags = {
|
||||
Terraform = "true"
|
||||
Target = "staging-nixos-wiki.thalheim.io"
|
||||
}
|
||||
}
|
8
terraform/nixos-wiki/decrypt-age-keys.sh
Executable file
8
terraform/nixos-wiki/decrypt-age-keys.sh
Executable file
@ -0,0 +1,8 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
mkdir -p var/lib/secrets
|
||||
|
||||
umask 0177
|
||||
sops --extract '["age-key"]' -d "secrets.yaml" > ./var/lib/secrets/age
|
||||
# restore umask
|
||||
umask 0022
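Review bot: The script has no `set -euo pipefail`, so if `sops --extract '["age-key"]' -d "secrets.yaml"` fails (wrong key, missing file, unexpected cwd) the redirect has already created an empty `./var/lib/secrets/age`, the script still exits 0 from the final `umask`, and the host would be installed with an empty age key and no decryptable secrets; add `set -euo pipefail` after the shebang. The `umask 0177` does give the key file mode 0600, which matches what `sops.age.keyFile` needs; the trailing `umask 0022` is a no-op at the end of a script and can go. The relative `var/lib/secrets` path relies on `extra_files_script` being run with the extra-files root as cwd — presumably what the nixos-anywhere all-in-one module does; a comment stating that assumption (`# cwd is the extra-files root; paths mirror the target filesystem`) would help.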
|
@ -4,7 +4,7 @@ data "hcloud_ssh_keys" "nixos_wiki" {
|
||||
}
|
||||
|
||||
resource "hcloud_server" "nixos_wiki" {
|
||||
image = "debian-10"
|
||||
image = "debian-11"
|
||||
keep_disk = true
|
||||
name = "nixos-wiki"
|
||||
server_type = var.server_type
|
||||
@ -21,15 +21,16 @@ resource "hcloud_server" "nixos_wiki" {
|
||||
}
|
||||
}
|
||||
|
||||
#module "deploy" {
|
||||
# depends_on = [local_file.nixos_vars]
|
||||
# source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
|
||||
# nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
|
||||
# nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
|
||||
# target_host = hcloud_server.nixos_wiki.ipv4_address
|
||||
# instance_id = hcloud_server.nixos_wiki.id
|
||||
# debug_logging = true
|
||||
#}
|
||||
module "deploy" {
|
||||
depends_on = [local_file.nixos_vars]
|
||||
source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
|
||||
nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
|
||||
nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoScriptNoDeps"
|
||||
target_host = hcloud_server.nixos_wiki.ipv4_address
|
||||
instance_id = hcloud_server.nixos_wiki.id
|
||||
extra_files_script = "${path.module}/decrypt-age-keys.sh"
|
||||
debug_logging = true
|
||||
}
|
||||
|
||||
locals {
|
||||
nixos_vars = {
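Review bot: `source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"` has no `?ref=`, so every `terraform init` pulls the module's default branch, and this module both installs the host and runs `decrypt-age-keys.sh` against the secrets; pin it to a tag or commit, e.g. `source = "github.com/numtide/nixos-anywhere//terraform/all-in-one?ref=<tag-or-commit>"`. `debug_logging = true` is carried over from the commented-out block into the live module; whether that output can include the extra files being copied depends on nixos-anywhere, so it is worth confirming and turning off once the deploy is stable. The commented-out `#module "deploy"` block above can be deleted now that it has been revived.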
|
||||
|
@ -5,13 +5,13 @@ resource "local_file" "nixos_vars" {
|
||||
|
||||
provisioner "local-exec" {
|
||||
interpreter = ["bash", "-c"]
|
||||
command = "git add -f '${local_file.nixos_vars.filename}'"
|
||||
command = "git add -f '${var.nixos_vars_file}'"
|
||||
}
|
||||
# also pro-actively add hosts and flake-module.nix to git so nix can find it.
|
||||
provisioner "local-exec" {
|
||||
interpreter = ["bash", "-c"]
|
||||
command = <<EOT
|
||||
git add "$(dirname '${local_file.nixos_vars.filename}')"/{hosts,flake-module.nix}
|
||||
git add "$(dirname '${var.nixos_vars_file}')"/{hosts,flake-module.nix}
|
||||
EOT
|
||||
on_failure = continue
|
||||
}
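Review bot: `command = "git add -f '${var.nixos_vars_file}'"` and the heredoc line `git add "$(dirname '${var.nixos_vars_file}')"/{hosts,flake-module.nix}` interpolate a module variable straight into a `bash -c` string, so a value containing a single quote breaks the quoting; the provisioner's `environment` block avoids that: `environment = { NIXOS_VARS_FILE = var.nixos_vars_file }` with `command = "git add -f \"$NIXOS_VARS_FILE\""` (and `$(dirname "$NIXOS_VARS_FILE")` in the heredoc). Exposure is low because the variable is operator-supplied, but the switch keeps Terraform interpolation out of the shell entirely. The enclosing `resource "local_file" "nixos_vars"` starts above this hunk.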
|
||||
|