From 8c8bb60d413f8e8cce2680e4cfd143ff785b2c7e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 24 Oct 2023 17:33:05 +0200 Subject: [PATCH] add actual wiki configuration and lots of modernisations --- .sops.yaml | 9 ++ bors.toml | 8 -- flake.lock | 22 ++++ flake.nix | 5 + modules/flake-module.nix | 9 +- modules/nixos-wiki.nix | 1 - modules/nixos-wiki/backup.nix | 78 ++++++++++++ modules/nixos-wiki/default.nix | 112 ++++++++++++++++++ modules/nixos-wiki/nixos.png | Bin 0 -> 6093 bytes modules/single-disk.nix | 40 +++---- targets/nixos-wiki.thalheim.io/apply.sh | 1 - .../nixos-wiki.thalheim.io/configuration.nix | 10 -- .../apply.sh | 0 .../nixos-wiki2.thalheim.io/configuration.nix | 16 +++ .../nixos-vars.json | 2 +- targets/nixos-wiki2.thalheim.io/secrets.yaml | 32 +++++ .../terraform.tf | 14 +-- .../configuration.nix | 10 -- .../terraform.tf | 21 ---- terraform/nixos-wiki/decrypt-age-keys.sh | 8 ++ terraform/nixos-wiki/main.tf | 21 ++-- terraform/nixos-wiki/nixos_vars.tf | 4 +- 22 files changed, 326 insertions(+), 97 deletions(-) create mode 100644 .sops.yaml delete mode 100644 bors.toml delete mode 100644 modules/nixos-wiki.nix create mode 100644 modules/nixos-wiki/backup.nix create mode 100644 modules/nixos-wiki/default.nix create mode 100644 modules/nixos-wiki/nixos.png delete mode 120000 targets/nixos-wiki.thalheim.io/apply.sh delete mode 100644 targets/nixos-wiki.thalheim.io/configuration.nix rename targets/{staging.nixos-wiki.thalheim.io => nixos-wiki2.thalheim.io}/apply.sh (100%) create mode 100644 targets/nixos-wiki2.thalheim.io/configuration.nix rename targets/{nixos-wiki.thalheim.io => nixos-wiki2.thalheim.io}/nixos-vars.json (58%) create mode 100644 targets/nixos-wiki2.thalheim.io/secrets.yaml rename targets/{nixos-wiki.thalheim.io => nixos-wiki2.thalheim.io}/terraform.tf (59%) delete mode 100644 targets/staging.nixos-wiki.thalheim.io/configuration.nix delete mode 100644 targets/staging.nixos-wiki.thalheim.io/terraform.tf create mode 100755 terraform/nixos-wiki/decrypt-age-keys.sh 
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..afe0d19
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ - &nixos-wiki2 age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
+creation_rules:
+ - path_regex: targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$
+ key_groups:
+ - age:
+ - *joerg
+ - *nixos-wiki2
diff --git a/bors.toml b/bors.toml
deleted file mode 100644
index 54f90de..0000000
--- a/bors.toml
+++ /dev/null
@@ -1,8 +0,0 @@
-cut_body_after = "" # don't include text from the PR body in the merge commit message
-status = [
- "Evaluate flake.nix",
- "check treefmt [x86_64-linux]",
- "package default [x86_64-linux]",
- "nixosConfig nixos-wiki-thalheim-io",
- "nixosConfig staging-nixos-wiki-thalheim-io",
-]
diff --git a/flake.lock b/flake.lock
index 8f67a48..6977f96 100644
--- a/flake.lock
+++ b/flake.lock
@@ -61,10 +61,32 @@
 "disko": "disko",
 "flake-parts": "flake-parts",
 "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix",
 "srvos": "srvos",
 "treefmt-nix": "treefmt-nix"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": []
+ },
+ "locked": {
+ "lastModified": 1697943852,
+ "narHash": "sha256-DaBxUPaZhQ3yLCmAATshYB7qo7NwcMvSFWz9T3bjYYY=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "30a0ba4a20703b4bfe047fe5def1fc24978e322c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "srvos": {
 "inputs": {
 "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 70f4f9f..d0534e8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,10 @@
 srvos.url = "github:numtide/srvos";
 # Use the version of nixpkgs that has been tested to work with SrvOS
 srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.inputs.nixpkgs-stable.follows = "";
 };
 
 outputs = inputs@{ flake-parts, ... }:
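Review bot: The creation rule's `path_regex` is anchored only at the end, so `targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$` also matches that suffix under any other directory; sops applies the pattern as a search, so a leading anchor pins it to the repository-relative path: `- path_regex: ^targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$`. The two recipients are also unlabelled: the second one appears to be the host's own age key, which the flake-module change in this commit expects at /var/lib/secrets/age, so a comment such as `# nixos-wiki2: host key; the private half is delivered to /var/lib/secrets/age by terraform/nixos-wiki/decrypt-age-keys.sh` tells the next person which identity to re-encrypt for on rotation.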
@@ -35,6 +39,7 @@ in
 pkgs.mkShell {
 packages = [
 pkgs.bashInteractive
+ pkgs.sops
 (terraformHalal.withPlugins (p: [
 p.netlify
 p.hcloud
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
index 53f09c3..c4e16f6 100644
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -2,12 +2,19 @@
 flake.nixosModules = {
 hcloud.imports = [
 inputs.srvos.nixosModules.server
+ inputs.sops-nix.nixosModules.sops
 inputs.srvos.nixosModules.hardware-hetzner-cloud
 ./single-disk.nix
+ {
+ sops.age.keyFile = "/var/lib/secrets/age";
+ }
 ];
 nixos-wiki.imports = [
- ./nixos-wiki.nix
+ ./nixos-wiki
+ ];
+ nixos-wiki-backup.imports = [
+ ./nixos-wiki/backup.nix
 ];
 };
 }
diff --git a/modules/nixos-wiki.nix b/modules/nixos-wiki.nix
deleted file mode 100644
index c915eb0..0000000
--- a/modules/nixos-wiki.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: { }
diff --git a/modules/nixos-wiki/backup.nix b/modules/nixos-wiki/backup.nix
new file mode 100644
index 0000000..a5aeb58
--- /dev/null
+++ b/modules/nixos-wiki/backup.nix
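Review bot: `sops.age.keyFile = "/var/lib/secrets/age"` is pinned in the shared `hcloud` module, but nothing in that module provisions the file; on this page the key is delivered only by terraform/nixos-wiki/decrypt-age-keys.sh through the nixos-anywhere `extra_files_script` in terraform/nixos-wiki/main.tf, which is specific to the wiki deploy. Any other host that imports `hcloud` inherits the path and, if it later declares a `sops.secrets` entry, presumably fails at activation because the key is missing. A comment on the line would make the out-of-band dependency explicit: `# Host age identity; not created here — delivered at install time by terraform/nixos-wiki/decrypt-age-keys.sh (nixos-anywhere extra_files_script).` If hosts other than nixos-wiki2 are not provisioned that way, the setting belongs next to the `sops.secrets` consumers in modules/nixos-wiki instead.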
@@ -0,0 +1,78 @@
+{ config, pkgs, ... }:
+let
+ wikiDump = "/var/backup/wikidump.xml.gz";
+
+ mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance"
+ {
+ nativeBuildInputs = [ pkgs.makeWrapper ];
+ preferLocalBuild = true;
+ } ''
+ mkdir -p $out/bin
+ makeWrapper ${pkgs.php}/bin/php $out/bin/mediawiki-maintenance \
+ --set MEDIAWIKI_CONFIG ${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG} \
+ --add-flags ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php
+ '';
+
+ wiki-restore = pkgs.writeShellApplication {
+ name = "wiki-restore";
+ runtimeInputs = [
+ pkgs.postgresql
+ pkgs.coreutils
+ pkgs.util-linux
+ mediawiki-maintenance
+ ];
+ text = ''
+ tmpdir=$(mktemp -d)
+ cleanup() { rm -rf "$tmpdir"; }
+ cd "$tmpdir"
+ chown mediawiki:nginx "$tmpdir"
+
+ rm -rf /var/lib/mediawiki-uploads
+ install -d -m 755 -o mediawiki -g nginx /var/lib/mediawiki-uploads
+ systemctl stop phpfpm-mediawiki.service
+ runuser -u postgres -- dropdb mediawiki
+ systemctl restart postgresql
+ systemctl restart mediawiki-init.service
+ cat < tags
+ extensions.ParserFunctions = null;
+ extensions.Cite = null;
+ extensions.VisualEditor = null;
+ extensions.AuthManagerOAuth = pkgs.fetchzip {
+ url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.0/AuthManagerOAuth.zip";
+ hash = "sha256-4ev8LwuConmHzFm5cPr+ni9aYPDOHLArGoJhzdugEn4=";
+ }; # Github login
+ extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
+ extensions.StopForumSpam = pkgs.fetchzip {
+ url = "https://extdist.wmflabs.org/dist/extensions/StopForumSpam-REL1_40-71b57ba.tar.gz";
+ hash = "sha256-g8v4zr11c2e4bY0BNipJ48miyAF4WTNvlSMgb/NxPBA=";
+ };
+
+ extraConfig = ''
+ #$wgDebugLogFile = "/var/log/mediawiki/debug.log";
+
+ # allow local login
+ $wgAuthManagerOAuthConfig = [
+ 'github' => [
+ 'clientId' => '${config.services.nixos-wiki.githubClientId}',
+ 'clientSecret' => 
file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"),
+ 'urlAuthorize' => 'https://github.com/login/oauth/authorize',
+ 'urlAccessToken' => 'https://github.com/login/oauth/access_token',
+ 'urlResourceOwnerDetails' => 'https://api.github.com/user'
+ ],
+ ];
+
+ # Enable account creation globally
+ $wgGroupPermissions['*']['createaccount'] = true;
+ $wgGroupPermissions['*']['autocreateaccount'] = true;
+
+ # Disable anonymous editing
+ $wgGroupPermissions['*']['edit'] = false;
+
+ # Allow svg upload
+ $wgFileExtensions[] = 'svg';
+ $wgSVGConverterPath = "${pkgs.imagemagick}/bin";
+
+ # Pretty URLs
+ $wgUsePathInfo = true;
+
+ # cache pages with APCu
+ $wgMainCacheType = CACHE_ACCEL;
+
+ # TODO: nixos favicon
+ #$wgFavicon = "/favicon.ico";
+ $wgDefaultSkin = 'vector-2022';
+ # configure logos for vector-2022: https://www.mediawiki.org/wiki/Manual:$wgLogos
+ $wgLogos = [
+ '1x' => '/nixos.png',
+ 'icon' => '/nixos.png',
+ ];
+
+ # Combat SPAM with IP-Blocklists (StopForumSpam extension)
+ $wgEnableDnsBlacklist = true;
+ $wgDnsBlacklistUrls = array(
+ 'dnsbl.dronebl.org'
+ );
+
+ # required for fancy VisualEditor extension
+ $wgGroupPermissions['user']['writeapi'] = true;
+
+ # Enable content security policy
+ $wgCSPHeader = true;
+
+ # Disallow framing
+ $wgEditPageFrameOptions = "DENY";
+
+ $wgEnableEmail = true;
+ $wgAllowHTMLEmail = false;
+ $wgEmergencyContact = "nixos-wiki-emergency@thalheim.io";
+ $wgPasswordSender = "nixos-wiki@thalheim.io"; # Default FROM address
+ $wgNoReplyAddress = "nixos-wiki-no-reply@thalheim.io"; # Default Reply-To address
+ '';
+ };
+
+ security.acme.acceptTerms = true;
+ services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
+ enableACME = lib.mkDefault true;
+ forceSSL = true;
+ locations."=/nixos.png".alias = ./nixos.png;
+ };
+ };
+
+}
diff --git a/modules/nixos-wiki/nixos.png b/modules/nixos-wiki/nixos.png new file mode 100644 index 0000000000000000000000000000000000000000..6867428956ac01b88526e65d2a9d0aca3d59b215 GIT binary patch literal 6093 zcmZu#bx_n_wEr%#bcdj%fHV>!-JMHGBTIvHtu#xQbmt=7AuUqU@RL$%X^?JdBp$wh z-E?cDfUWI^_yxJvyn-OL<(A#Fv+q(2O6|(Ls9W78H`WM41KyIgG`tLY+rz8~Y|HHr|N8?zk1+F(C0o!7<#Qua@cZ z<{R>~@5A)-H}AN{&M+7!#d8MKdUtrCOMke5w&~auVMb5M_+r zHUj;vFG=>?a+cr$qpQ6MyS`jkiyL&_DL6KWMmUF_OAtSP`@?g5(jn^C>375N#Gx_!Zx62^F^+4sKPGkNxq+IcP{jul&X8 zDq$oktMAgrlK)c2y>H3V3cO~Uf@FjARASZmD2G-9-4Ujy_;@&m=U@P4~1K41mUv0 zj9k}9)g!~C7zWf6`ZVmfuh@{f^oa>U^jC|FlEg339POKK8~q&}l`?g@8B-KrRmV25 z@kU88NrCBkH(#|~}$oUngEHrlU{=VlXf=g z*fEI^hHG@+zcoLMbq}V$MN{)TYQu7xcjja*XMYLJf}Xx6_3h>~{JmK!*CkO}G9Z3; z9r*#S&?3gxD9kSWYj@vO(~qfoDMc%&i;)CC5{K`0znB7MuR!gV%&DGTSfPNm zSPuCGUZ0wE0bbJWD`x5+9d7PM#3A_8g;i)1T{2QwNdL1@uGITHz7Kusa0D6Wxa7!s z5~_vli12#}ZnS)+-0N9M-HSVMwYb*Ckzs&XScoO$5SGna(OlfGkFuHpJq1uUv58_> zFuEtyAAAc6&%1N|lc?}9*s)tD*xMsc6{VGLV!y16bzDV*32{hb;a&<#{-5-k$Mz9% z7;9#=Lw!0Kt>M$+3UOE2m0R2{l`WNol{&TqS0DL9@4?*|>!UICBbo!v>LkjVdZ0S* zo6PJQYMsXhak)6zY6pPF28%rY6QnjWIrX#c+g)hZ>-x#|II)Y|DYQ%`jCDX3CxFF> zU4%D(JfTpr{R|f_Mu=!emvBu%9~ns`dto@z%}(t0+tQ)hel~n!#*YHf$P3M&wg31Y zRzkqZ-Up_~g465wykj=GwB%znoAyGHY=EB9!%z>8#LuNxltJ9`I->on-gN8YR_+c% zv0fP6v`p7cCl9|y2n~eXN@DLax+|F~u8Vc=<}a%6&DLgmdogofX=5_(K-js-FX!Fk^wO3BGP=Fj zM?wPLus7X_d~y3d{_TLYRXal4(JZU5^=P@)(Ikdoc_frpagJ}aF(VP?J${-D&%AXkK4$#ozjSN=jLhDxW)ZqPObZ_&E5f$Gvp)!y%et zs%RCXuU`NA#Z55RvM$)$X3!wighFg+`Oy^^;;4QE!H0>h-J<#2bdqZa2Z&p~0E7r# z&6lp^8ns~W0W!P9QmajulwTeHb%z9Zct__4W*cy#a%#d75#2VD&G>I z=~@5$bu`U7oQkGI2Z#-}ACNLzywx3^>{D{3V18Nd_E^(CT&^?ea(7YS*+u@MLM=koLA4yt>3*tqn6K zvuIs4QG8uDMi_1sL6P1fEBjzY)Ebwy^6^+RU&GcX-23m4IGBs*&^q)AyLco4t7yDC}&{a@Xfh z@_S|Q(#H+x{<;`h4LB0(O%7$I>bzAn^p%b1#5svESzOf1)m*DJa-~w0*p7r$f6I*w zWD>Ivq6g%abTm~YLq6exHGF=WSm;vzp2t}=GMRYfELsKI=*+#JkG2-=Y+FeyJ$7p5 z7Rp%v$+m)WLVb=;(dV&nZCChG%HcM|)SSy@ApCVg_4Y%UGhV~)QMxl`4%MbdlHF*2 
z`KYp=Pk+2G5f30~=3>^HH&6;3@V6Z?s41(&QIgGjK)B#T)HM~fhFb27AFNP4(j5ul zgy+13JMFWO7t?*Ku_e3uC%yALYvU@AA@t1_$6 zrR~OLdeAk-RHb>*b_l62$!yu}4$&jZhWt5Ro%zJC{Q`w0OvRkd1RgPVAIo~%)6AIW zh)NnO0pux!Q_0!F_WaP(7I{yR%ySUa{Z)gDw_Q{U2~@ zvhy?Fnqb3M0P>;Y?<&*@f2bF+8jHif7Xw@)Y_?LjJ2nkXd_PG81rat1pUC4U4r@1u%y7RlQg-W4 zI_WAZ@tY?IrV>n5OSIt#5+{1j;pyYjIDE0I7Vy{Kjy-%l?`fFdXW3 zS4d8+wTm;~Q22crZ4&VW-(G9`2)`drZ9g@wQDp@GBLh7)Pt)A4I7w{pV9()RxkXA0 z+UqD99H`uQ_A8>g$h$-nG*<4-{(2-#zvlrq!kX%Ol;q?ZE@&WeOvM)hsMqza9|n0j zg@5yzHk<7>p7;RY>6tQinUVV#ov6UmyOog)=boq3ZwTm5IpjU82Mc9HWgyZLwv)Ac zzD;4P3Gu^m=#Dr`cVtyS-F3ccD2zVmhvrFv=N4FQ9P@@(VnA|eD%hguAC|EpR zM4LWD&O9w3>=qi&KK==IokNwLBQFeRmv!W_W*XL;ycFJgXCX>HmDV8tU=hX{?3r=!8eP`nsVkp;UWLka6^_R9!j zePLU^IXr9GlQIbgh93ziYMac$#{9cH9wkT%S{PrAu1I?6>W)Dn8`;mEH<&JPp(l$Z zkAqbkI4I_Frb8k@fWf3$Hm}NFGmzmriGUq`5WJ~EL4w;__zB>r@Twe}ln3wb!0!Qh zrn=;h_YIS{SvIEuum*KVK1OgWnX?dYlGrg-AR%J_VEacni7H)_=kmpGIuiq|QvuW^ zMv=U+Oro!)%t^hJFTQ3|bag@(+D?~77|8mD>Ju_R(NZ_23=vOCfD7fQ#p{tKY$-Q3 z?-S5M(ya+_7HL&(6y-pY#+L`~`=jJvYs89G)+}7?q0h z9u3n(YP<5KSY_piy8gsqMo?}#Kbrr-Tc?vAL`bz7E^vG(PIQan1A+xo-nO5nQ{zp& zyI_KI?)s^Bdk%v6#R>?|j7ML%_mzZl)S*OMCwCTljibRysyLWQ#@}V^uvT7ek5%~d zTlbMSp%6a-aCqO(E~iBkvElzj58wW7-MJbB*|8;_yhjv%USq-%0<6S(e7 zKjCkS@)JKqRa2%$V4@#8R=$h!;^KLo>WbZrV$GC_m!z19bktB%3h1TW)f_wO>1_`B zffH^`yf;jqP|7mEmLnEODJ_4to~MdmjMxKQGW+`%Pg)k0n6}4-061wmX_iU-iuy{u z)s-V~)GnDWnwFp|)X7ZDKws!XCE3;3n!#yFv0V!pOYWugm*bSwFZV|I%_WBu+$hbT`S}%GjBxY>G_5A;O!Cif0^1A62fyAAkZvk*5>gtp`e{~OS@MA4$a?;L|eV% zQk$0J1}QxZbOOIBX4}};;jLTIB&fhSqbXsp$B+7=>(y%6fraly795Kg@`v(E`BxLC zKku|F)+mh{Urv32pl@hZa4}EMp-QrJVDPDU?8Srf}A}=U*s>TN-a~;y~ z^-Ig-<5+lrRz*EtKh`e0EQW@nqX^)EuBYajpgBNU_8>MSNlLY)`Uk?;g5UfYeG z>>#MXxqMS|;{8I^KoiA_o{{8mFBb0%^ofXWrYN+rLYAF~fxg=9EroXf$C_{59JTz2 zBnwSfe?di2=>CmtJMkn|rl15*oA3~JpQ36FzIhZkE>x#_Jm$KRsS)9U-p5XV&~%BA zZI_j2ljY;#t(iEKk0uj7ucGoRhPt9gCpn}tX+={R?)D6$VM-XbaZes07t4=%Pm)@f zzEeior84+e@RPrb2-bhaH4wA!#(e*i7nWQ{v!%8l zZbm<-T;KeDn%d2`!DN{QzXM|K;e(z9)y7IN9%rc6D|ud0E)T(0BY!wGzV1-MQ~|9( 
zo{(ePc9wLm?VQQ;$OxQ(hA`4bJ5h4G4I>JUjU?|;j2~nYdt>UNS7K`^9>!U$Kh+CkDHS?#)dpky%; ztWPNYfxDsT!4qzQ9!+CcvQ_UrSt#;GctfkjRHf(}v$8bUZBUh}g@e27#>(2h-5b_R z=R6vXXSB@uTi@8{#4rr67GrEdw*7Q>6B43y{-HArcjI=yu;#%zD&<)Rh$bvH`$_*T zzgLT#rxKc^ZwKxMM$O+dBOSq3(xN050K2j{`dm7S;G9hpcth`HUjlNZxp7C`8LZAY zdGzmw=1Fa7h^E5p!YJIc!sT;9Dre39j_a`DMBigFJUUC5+u?1DZGnl^V~-6cGSTNvgng6Q=KC+W zN@9KOvmX5CvpIqP`w}p#8|jZ%)YRUiJln5x$^Vr9_i<)heF+Q=k!5K3c-Ik7`|s$o zw@JB)zfUQJ06KdgeM;1QN?n#JMeFb zUYZ$U8>)R)Do3yHEyiFFFZ3gp;i7xa7f@eV1jDpkHay3DLz3O#DG){_RNs3=QupWO zWoITC^`B?+U(tyVo6)mTtjOk<*a5#OdrrJnrS0<*|1^3GAVCazgT9Rgt{f2MLz#(T zL^_skl=#;bi-%*`b)>wA7$&jIvVIdw_0O;9vC+0AK2@35WGJSs{%>OWYbfQ`S6af_ zD(}tvSV9$VGe_-^go-7x^PbPF7+k8p2&5k!QFH`enTyAj~iNS21@nr)87ak(fB0w;773?4ReTd_d?>-CErfg=s60UPXj9UkYeF;Z(yCW zFj9A{yuAMJ@Fd8RrV@<9($m9n4t3hm&|(o3{$Yvk35>oJX3e$ z)&;$C$zY0$3a3T-HO^Vn3znObH$_otsMo4>jmm7gH|eQ3Pr}<9MUor!! z#ApU}+K71$7B$LU+m`otf*9>1cIx~ie z^DB}(OToKhX%<_*(b+Bb^iJ;L$v7=1Gm^~UVwoW#Q?rQqQvexie*HumOn?MAM}T3F zYb-h6A1LA%l}V~?x|tsziN&^STU>XTb>n#9+)seKLz=d`isNeY`uY=9!xXy{`o`aN zw)nKpB#E|ZgC_C7J+8~;-92eWlMHEX($Ru&YH)I$Sbr!j7pu675iJ8ovN^P=@5&wn z{B@xt(2m|~)5DVpC2~F`Vsa#k1cGv{IOjvphQ@b6>BjiM87+iPoDYljwGcx#@^89Y z8xbDbSjy`0y=!^u7iY2jA2cf{iebUet25X*nGAtOS!5)gc|A<#BAy&GFJDV6l{&<|Kw-X*`_{EJqa+|qJ@ci^wi!Rf zQY*#eZ~y9mg4(Wae;RJL5p!YSUtX(<@u4-3q#kTv&mU^t&a>pIr^+N%qX=VpM-dax zffLVVfvy9s-Ann{IVH5(q*r`?*}T)GM)RJdr8-0>E$YODpZhl^L!Xzwa1=E0w1#sF zc3b~cwW}Lb0jTyZeP=BPL;s$KeH(`;ioGq=o?XO+eY>?Rnm8&fgYE^ub+H#px(l&b zHwBdK<9F8v+uY~rv-2y(uc}Xlgx+%H`T(E&P@W@iL1k@?pC6sAIt#&V>8RIb9mkDl zBExK%#0=*S2k$C+=3z|_3?rUn6sK7KuWNeJ8(-7^h ./var/lib/secrets/age +# restore umask +umask 0022 diff --git a/terraform/nixos-wiki/main.tf b/terraform/nixos-wiki/main.tf index d0def33..b692f6e 100644 --- a/terraform/nixos-wiki/main.tf +++ b/terraform/nixos-wiki/main.tf 
@@ -4,7 +4,7 @@ data "hcloud_ssh_keys" "nixos_wiki" {
 }
 
 resource "hcloud_server" "nixos_wiki" {
- image = "debian-10"
+ image = "debian-11"
 keep_disk = true
 name = "nixos-wiki"
 server_type = var.server_type
@@ -21,15 +21,16 @@ resource "hcloud_server" "nixos_wiki" {
 }
 }
 
-#module "deploy" {
-# depends_on = [local_file.nixos_vars]
-# source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
-# nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
-# nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
-# target_host = hcloud_server.nixos_wiki.ipv4_address
-# instance_id = hcloud_server.nixos_wiki.id
-# debug_logging = true
-#}
+module "deploy" {
+ depends_on = [local_file.nixos_vars]
+ source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+ nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
+ nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoScriptNoDeps"
+ target_host = hcloud_server.nixos_wiki.ipv4_address
+ instance_id = hcloud_server.nixos_wiki.id
+ extra_files_script = "${path.module}/decrypt-age-keys.sh"
+ debug_logging = true
+}
 
 locals {
 nixos_vars = {
diff --git a/terraform/nixos-wiki/nixos_vars.tf b/terraform/nixos-wiki/nixos_vars.tf
index b7a3e22..e210d0d 100644
--- a/terraform/nixos-wiki/nixos_vars.tf
+++ b/terraform/nixos-wiki/nixos_vars.tf
@@ -5,13 +5,13 @@ resource "local_file" "nixos_vars" {
 provisioner "local-exec" {
 interpreter = ["bash", "-c"]
- command = "git add -f '${local_file.nixos_vars.filename}'"
+ command = "git add -f '${var.nixos_vars_file}'"
 }
 # also pro-actively add hosts and flake-module.nix to git so nix can find it.
 provisioner "local-exec" {
 interpreter = ["bash", "-c"]
 command = <
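Review bot: `debug_logging = true` carries over from the commented-out block into the now-active `deploy` module, right beside the new `extra_files_script` that places the decrypted host age key under `./var/lib/secrets/age` in the extra-files tree. As far as I recall nixos-anywhere's debug flag enables shell tracing of the install run, so the commands handling that archive, plus anything decrypt-age-keys.sh prints, end up in terraform's output and in any CI log that captures it; I'd default it off, `debug_logging = false`, and expose it through a variable for troubleshooting. A one-line comment on `extra_files_script` saying that the script runs on the operator's machine and needs the operator's age identity to decrypt the host key would also save the next person a failed apply.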