add actual wiki configuration and lots of modernisations

2023-10-24 17:33:05 +02:00 · 2023-10-24 17:33:05 +02:00 · 8c8bb60d41
commit 8c8bb60d41
parent c2ac99ce52
22 changed files with 326 additions and 97 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,9 @@
 keys:
  - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
  - &nixos-wiki2 age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
 creation_rules:
  - path_regex: targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$
    key_groups:
    - age:
      - *joerg
      - *nixos-wiki2
--- a/bors.toml
+++ b/bors.toml
@ -1,8 +0,0 @@
 cut_body_after = "" # don't include text from the PR body in the merge commit message
 status = [
  "Evaluate flake.nix",
  "check treefmt [x86_64-linux]",
  "package default [x86_64-linux]",
  "nixosConfig nixos-wiki-thalheim-io",
  "nixosConfig staging-nixos-wiki-thalheim-io",
 ]
--- a/flake.lock
+++ b/flake.lock
@ -61,10 +61,32 @@
        "disko": "disko",
        "flake-parts": "flake-parts",
        "nixpkgs": "nixpkgs",
        "sops-nix": "sops-nix",
        "srvos": "srvos",
        "treefmt-nix": "treefmt-nix"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": []
      },
      "locked": {
        "lastModified": 1697943852,
        "narHash": "sha256-DaBxUPaZhQ3yLCmAATshYB7qo7NwcMvSFWz9T3bjYYY=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "30a0ba4a20703b4bfe047fe5def1fc24978e322c",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "srvos": {
      "inputs": {
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@ -14,6 +14,10 @@
    srvos.url = "github:numtide/srvos";
    # Use the version of nixpkgs that has been tested to work with SrvOS
    srvos.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.inputs.nixpkgs-stable.follows = "";
  };
  outputs = inputs@{ flake-parts, ... }:
@ -35,6 +39,7 @@
        in pkgs.mkShell {
          packages = [
            pkgs.bashInteractive
            pkgs.sops
            (terraformHalal.withPlugins (p: [
              p.netlify
              p.hcloud
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@ -2,12 +2,19 @@
  flake.nixosModules = {
    hcloud.imports = [
      inputs.srvos.nixosModules.server
      inputs.sops-nix.nixosModules.sops
      inputs.srvos.nixosModules.hardware-hetzner-cloud
      ./single-disk.nix
      {
        sops.age.keyFile = "/var/lib/secrets/age";
      }
    ];
    nixos-wiki.imports = [
-      ./nixos-wiki.nix
+      ./nixos-wiki
    ];
    nixos-wiki-backup.imports = [
      ./nixos-wiki/backup.nix
    ];
  };
 }
--- a/modules/nixos-wiki.nix
+++ b/modules/nixos-wiki.nix
@ -1 +0,0 @@
 { ... }: { }
--- a/modules/nixos-wiki/backup.nix
+++ b/modules/nixos-wiki/backup.nix
@ -0,0 +1,78 @@
 { config, pkgs, ... }:
 let
  wikiDump = "/var/backup/wikidump.xml.gz";
  mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance"
    {
      nativeBuildInputs = [ pkgs.makeWrapper ];
      preferLocalBuild = true;
    } ''
    mkdir -p $out/bin
    makeWrapper ${pkgs.php}/bin/php $out/bin/mediawiki-maintenance \
      --set MEDIAWIKI_CONFIG ${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG} \
      --add-flags ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php
  '';
  wiki-restore = pkgs.writeShellApplication {
    name = "wiki-restore";
    runtimeInputs = [
      pkgs.postgresql
      pkgs.coreutils
      pkgs.util-linux
      mediawiki-maintenance
    ];
    text = ''
      tmpdir=$(mktemp -d)
      cleanup() { rm -rf "$tmpdir"; }
      cd "$tmpdir"
      chown mediawiki:nginx "$tmpdir"
      rm -rf /var/lib/mediawiki-uploads
      install -d -m 755 -o mediawiki -g nginx /var/lib/mediawiki-uploads
      systemctl stop phpfpm-mediawiki.service
      runuser -u postgres -- dropdb mediawiki
      systemctl restart postgresql
      systemctl restart mediawiki-init.service
      cat <<EOF | runuser -u mediawiki -- mediawiki-maintenance deleteBatch.php
      Main_Page
      MediaWiki:About
      EOF
      trap cleanup EXIT
      cp ${wikiDump} "$tmpdir"
      chown mediawiki:nginx "$tmpdir/wikidump.xml.gz"
      chmod 644 "$tmpdir/wikidump.xml.gz"
      runuser -u mediawiki -- mediawiki-maintenance importDump.php --uploads "$tmpdir/wikidump.xml.gz"
      runuser -u mediawiki -- mediawiki-maintenance rebuildrecentchanges.php
      systemctl start phpfpm-mediawiki.service
    '';
  };
 in
 {
  environment.systemPackages = [ mediawiki-maintenance ];
  systemd.services.wiki-backup = {
    startAt = "hourly";
    serviceConfig = {
      ExecStart = [
        "${pkgs.wget}/bin/wget https://nixos.wiki/images/wikidump.xml.gz -O ${wikiDump}.new"
        "${pkgs.coreutils}/bin/mv ${wikiDump}.new ${wikiDump}"
      ];
      Type = "oneshot";
    };
  };
  systemd.services.wiki-restore = {
    startAt = "daily";
    path = [ pkgs.postgresql mediawiki-maintenance ];
    serviceConfig = {
      ExecStart = "${wiki-restore}/bin/wiki-restore";
      Type = "oneshot";
    };
  };
  services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
    locations."=/wikidump.xml.gz".alias = wikiDump;
  };
 }
--- a/modules/nixos-wiki/default.nix
+++ b/modules/nixos-wiki/default.nix
@ -0,0 +1,112 @@
 { config, pkgs, lib, ... }:
 {
  options = {
    services.nixos-wiki = {
      hostname = lib.mkOption {
        type = lib.types.str;
        description = "The hostname of the wiki";
      };
      githubClientId = lib.mkOption {
        type = lib.types.str;
        description = "The github client id for the wiki";
      };
    };
  };
  config = {
    sops.secrets."nixos-wiki".owner = config.services.phpfpm.pools.mediawiki.user;
    sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
    services.mediawiki = {
      enable = true;
      webserver = "nginx";
      database.type = "postgres";
      nginx.hostName = config.services.nixos-wiki.hostname;
      uploadsDir = "/var/lib/mediawiki-uploads/";
      passwordFile = config.sops.secrets."nixos-wiki".path;
      extensions.SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags
      extensions.ParserFunctions = null;
      extensions.Cite = null;
      extensions.VisualEditor = null;
      extensions.AuthManagerOAuth = pkgs.fetchzip {
        url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.0/AuthManagerOAuth.zip";
        hash = "sha256-4ev8LwuConmHzFm5cPr+ni9aYPDOHLArGoJhzdugEn4=";
      }; # Github login
      extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
      extensions.StopForumSpam = pkgs.fetchzip {
        url = "https://extdist.wmflabs.org/dist/extensions/StopForumSpam-REL1_40-71b57ba.tar.gz";
        hash = "sha256-g8v4zr11c2e4bY0BNipJ48miyAF4WTNvlSMgb/NxPBA=";
      };
      extraConfig = ''
        #$wgDebugLogFile = "/var/log/mediawiki/debug.log";
        # allow local login
        $wgAuthManagerOAuthConfig = [
          'github' => [
            'clientId'                => '${config.services.nixos-wiki.githubClientId}',
            'clientSecret'            => file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"),
            'urlAuthorize'            => 'https://github.com/login/oauth/authorize',
            'urlAccessToken'          => 'https://github.com/login/oauth/access_token',
            'urlResourceOwnerDetails' => 'https://api.github.com/user'
          ],
        ];
        # Enable account creation globally
        $wgGroupPermissions['*']['createaccount'] = true;
        $wgGroupPermissions['*']['autocreateaccount'] = true;
        # Disable anonymous editing
        $wgGroupPermissions['*']['edit'] = false;
        # Allow svg upload
        $wgFileExtensions[] = 'svg';
        $wgSVGConverterPath = "${pkgs.imagemagick}/bin";
        # Pretty URLs
        $wgUsePathInfo = true;
        # cache pages with APCu
        $wgMainCacheType = CACHE_ACCEL;
        # TODO: nixos favicon
        #$wgFavicon = "/favicon.ico";
        $wgDefaultSkin = 'vector-2022';
        # configure logos for vector-2022: https://www.mediawiki.org/wiki/Manual:$wgLogos
        $wgLogos = [
          '1x' => '/nixos.png',
          'icon' => '/nixos.png',
        ];
        # Combat SPAM with IP-Blocklists (StopForumSpam extension)
        $wgEnableDnsBlacklist = true;
        $wgDnsBlacklistUrls = array(
          'dnsbl.dronebl.org'
        );
        # required for fancy VisualEditor extension
        $wgGroupPermissions['user']['writeapi'] = true;
        # Enable content security policy
        $wgCSPHeader = true;
        # Disallow framing
        $wgEditPageFrameOptions = "DENY";
        $wgEnableEmail = true;
        $wgAllowHTMLEmail = false;
        $wgEmergencyContact = "nixos-wiki-emergency@thalheim.io";
        $wgPasswordSender   = "nixos-wiki@thalheim.io";           # Default FROM address
        $wgNoReplyAddress   = "nixos-wiki-no-reply@thalheim.io";  # Default Reply-To address
      '';
    };
    security.acme.acceptTerms = true;
    services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
      enableACME = lib.mkDefault true;
      forceSSL = true;
      locations."=/nixos.png".alias = ./nixos.png;
    };
  };
 }
--- a/modules/nixos-wiki/nixos.png
+++ b/modules/nixos-wiki/nixos.png
--- a/modules/single-disk.nix
+++ b/modules/single-disk.nix
@ -1,37 +1,28 @@
 { self, ... }:
 let
-  partitions = [
+  partitions = {
-    {
+    boot = {
-      name = "grub";
+      size = "1M";
-      end = "1M";
+      type = "EF02"; # for grub MBR
-      part-type = "primary";
+    };
-      flags = [ "bios_grub" ];
+    esp = {
-    }
+      size = "500M";
-    {
+      type = "EF00"; # for grub MBR
      name = "ESP";
      start = "1MiB";
      end = "500MiB";
      bootable = true;
      content = {
        type = "filesystem";
        format = "vfat";
        mountpoint = "/boot";
      };
-    }
+    };
-    {
+    root = {
-      name = "root";
+      size = "100%";
      start = "100MiB";
      end = "100%";
      part-type = "primary";
      bootable = true;
      content = {
        type = "filesystem";
-        # We use xfs because it has support for compression and has a quite good performance for databases
+        format = "ext4";
        format = "xfs";
        mountpoint = "/";
      };
-    }
+    };
-  ];
+  };
 in
 {
  imports = [
@ -42,8 +33,7 @@ in
      type = "disk";
      device = "/dev/sda";
      content = {
-        type = "table";
+        type = "gpt";
        format = "gpt";
        inherit partitions;
      };
    };
--- a/targets/nixos-wiki.thalheim.io/apply.sh
+++ b/targets/nixos-wiki.thalheim.io/apply.sh
@ -1 +0,0 @@
 ../staging.nixos-wiki.thalheim.io/apply.sh
--- a/targets/nixos-wiki.thalheim.io/configuration.nix
+++ b/targets/nixos-wiki.thalheim.io/configuration.nix
@ -1,10 +0,0 @@
 { self, ... }: let
  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
 in {
  imports = [
    self.nixosModules.nixos-wiki
    self.nixosModules.hcloud
  ];
  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
  system.stateVersion = "23.05";
 }
--- a/targets/staging.nixos-wiki.thalheim.io/apply.sh
+++ b/targets/staging.nixos-wiki.thalheim.io/apply.sh
--- a/targets/nixos-wiki2.thalheim.io/configuration.nix
+++ b/targets/nixos-wiki2.thalheim.io/configuration.nix
@ -0,0 +1,16 @@
 { self, lib, ... }: let
  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
 in {
  imports = [
    self.nixosModules.nixos-wiki
    self.nixosModules.nixos-wiki-backup
    self.nixosModules.hcloud
  ];
  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
  system.stateVersion = "23.11";
  services.nixos-wiki.hostname = "nixos-wiki2.thalheim.io";
  security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
  services.nixos-wiki.githubClientId = "Iv1.95ed182c83df1d22";
  sops.defaultSopsFile = ./secrets.yaml;
  boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
 }
--- a/targets/nixos-wiki2.thalheim.io/nixos-vars.json
+++ b/targets/nixos-wiki2.thalheim.io/nixos-vars.json
@ -1 +1 @@
-{"ipv6_address":"2a01:4f9:c012:4d1e::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
+{"ipv6_address":"2a01:4f9:c012:afb9::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
--- a/targets/nixos-wiki2.thalheim.io/secrets.yaml
+++ b/targets/nixos-wiki2.thalheim.io/secrets.yaml
@ -0,0 +1,32 @@
 nixos-wiki: ENC[AES256_GCM,data:PDVoovlVdCYr/rI6a8igNp8D7B6Ni+yY,iv:x/+Yro8tbSnEY+ELYx+UJKRzveidrpqHp7iC7e3ymc4=,tag:pgLVTxGqmOOQ6FMUgTLaYQ==,type:str]
 nixos-wiki-github-client-secret: ENC[AES256_GCM,data:ggkzMlolTHxo4Jh4fBN4Ot5RJgESovrRjZ6FmQkVuLAgQfX22KjE4w==,iv:plmxJQoRcaFZ1hmFHgOnUofp2pHrNITdL/a1d3tFtag=,tag:28MHko3esZKKXJps4GlTSQ==,type:str]
 age-key: ENC[AES256_GCM,data:ldlaCHNf99r6zaihQHXPZ0QyY6/KGZR3oRMKo7xiKH7EVjgmKzS8knjDDqwq29D25L1jbVPAmScPEHppbM58xU7nOx4lIpl3qKE=,iv:EHKnKwdHqlKwGrBNbCaoaB8m6xgYSJecUBJgtdZn8kU=,tag:xVs3HfQ8Qip65CIGti9k0w==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNm9scHFONkwwY3dzWEtH
            TWJnSVgzQldBd1NsVS90MnVyQ3V6aFo5YVFJCjc2S3lUc3FUaTllZGQ2R2FFTTNj
            cWRQSC80a2FWQm12cnhXTmJNN3lSOW8KLS0tIGpPL2ZzQzBpak9HV0lES05SZk5x
            KzM1azdvWlZIVU5VWVd4Q1AyN1VNTDQKZPtiA9MWZMOi+u6d0/Cg4vlJnP8dcaRq
            QQKfP3LYCRqWBIrAPP8LWhza3kEjh22Wquh8Zh1SJtq2tgGKy+Pt+A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaHFwd3B5YUFUcnR2TTFw
            aTQ4UFFBUXFxL2pOcUhyTFAwQ1ZvTGlEQUFnCmlQeHBrb2NhQXovWEl4ODdvd0FI
            b2JMOGpXRHB3cHVHZmt3UUx2SUdtc28KLS0tIHVTZ2FISTZWbmdPaWlTdUZsTG1I
            OHk4MkVmaFozaWdRV1RpbVM0amEvQTgKHk2ZxC+ZMUzTWD6KS1miOtLCtXF9SN/t
            2DDz5UAadLKaJ425AL3Qg4BhOZqUz4qPoyQvD/3aBKXg0IxXHgJCtQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-10-24T15:17:00Z"
    mac: ENC[AES256_GCM,data:jPInsdN9mTROhh+fyYb4JSy937fuSGr6lhRIZhDc8alOO7TYnF9GSbum3KPPHYLm8LPKLQK19umyik7a5P/c983sfRHhaOibAugtPQT3fzw0/jAjwUJ9F4t9zhrZ6k7KfU9eO/34vFM0uKYhq+wUV9ztgDLJbARmtO0Dka1ks7w=,iv:NudkNhomCsFlqkU/QjQcrsqoTdAJC7HzJDpRuqHCx7s=,tag:K20RqA4EcDmm5V27ZGPGpg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/targets/nixos-wiki2.thalheim.io/terraform.tf
+++ b/targets/nixos-wiki2.thalheim.io/terraform.tf
@ -1,8 +1,8 @@
 terraform {
  backend "http" {
-    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io"
+    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io"
-    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
+    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
-    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
+    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
    lock_method    = "POST"
    unlock_method  = "DELETE"
    retry_wait_min = "5"
@ -11,12 +11,12 @@ terraform {
 module "wiki" {
  source           = "../../terraform/nixos-wiki"
-  netlify_dns_zone = "nixos-wiki.thalheim.io"
+  netlify_dns_zone = "nixos-wiki2.thalheim.io"
-  domain           = "nixos-wiki.thalheim.io"
+  domain           = "nixos-wiki2.thalheim.io"
-  nixos_flake_attr = "nixos-wiki-thalheim-io"
+  nixos_flake_attr = "nixos-wiki2-thalheim-io"
  nixos_vars_file  = "${path.module}/nixos-vars.json"
  tags = {
    Terraform = "true"
-    Target    = "nixos-wiki.thalheim.io"
+    Target    = "nixos-wiki2.thalheim.io"
  }
 }
--- a/targets/staging.nixos-wiki.thalheim.io/configuration.nix
+++ b/targets/staging.nixos-wiki.thalheim.io/configuration.nix
@ -1,10 +0,0 @@
 { self, ... }: let
  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
 in {
  imports = [
    self.nixosModules.nixos-wiki
    self.nixosModules.hcloud
  ];
  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
  system.stateVersion = "23.05";
 }
--- a/targets/staging.nixos-wiki.thalheim.io/terraform.tf
+++ b/targets/staging.nixos-wiki.thalheim.io/terraform.tf
@ -1,21 +0,0 @@
 terraform {
  backend "http" {
    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io"
    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
    lock_method    = "POST"
    unlock_method  = "DELETE"
    retry_wait_min = "5"
  }
 }
 module "wiki" {
  source           = "../../terraform/nixos-wiki"
  netlify_dns_zone = "nixos-wiki.thalheim.io"
  nixos_flake_attr = "nixos-wiki-thalheim-io"
  nixos_vars_file  = "${path.module}/nixos-vars.json"
  tags = {
    Terraform = "true"
    Target    = "staging-nixos-wiki.thalheim.io"
  }
 }
--- a/terraform/nixos-wiki/decrypt-age-keys.sh
+++ b/terraform/nixos-wiki/decrypt-age-keys.sh
@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 mkdir -p var/lib/secrets
 umask 0177
 sops --extract '["age-key"]' -d "secrets.yaml" > ./var/lib/secrets/age
 # restore umask
 umask 0022
--- a/terraform/nixos-wiki/main.tf
+++ b/terraform/nixos-wiki/main.tf
@ -4,7 +4,7 @@ data "hcloud_ssh_keys" "nixos_wiki" {
 }
 resource "hcloud_server" "nixos_wiki" {
-  image       = "debian-10"
+  image       = "debian-11"
  keep_disk   = true
  name        = "nixos-wiki"
  server_type = var.server_type
@ -21,15 +21,16 @@ resource "hcloud_server" "nixos_wiki" {
  }
 }
-#module "deploy" {
+module "deploy" {
-#  depends_on             = [local_file.nixos_vars]
+  depends_on             = [local_file.nixos_vars]
-#  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
-#  nixos_system_attr      = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
+  nixos_system_attr      = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
-#  nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
+  nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoScriptNoDeps"
-#  target_host            = hcloud_server.nixos_wiki.ipv4_address
+  target_host            = hcloud_server.nixos_wiki.ipv4_address
-#  instance_id            = hcloud_server.nixos_wiki.id
+  instance_id            = hcloud_server.nixos_wiki.id
-#  debug_logging          = true
+  extra_files_script     = "${path.module}/decrypt-age-keys.sh"
-#}
+  debug_logging          = true
 }
 locals {
  nixos_vars = {
--- a/terraform/nixos-wiki/nixos_vars.tf
+++ b/terraform/nixos-wiki/nixos_vars.tf
@ -5,13 +5,13 @@ resource "local_file" "nixos_vars" {
  provisioner "local-exec" {
    interpreter = ["bash", "-c"]
-    command     = "git add -f '${local_file.nixos_vars.filename}'"
+    command     = "git add -f '${var.nixos_vars_file}'"
  }
  # also pro-actively add hosts and flake-module.nix to git so nix can find it.
  provisioner "local-exec" {
    interpreter = ["bash", "-c"]
    command     = <<EOT
-git add "$(dirname '${local_file.nixos_vars.filename}')"/{hosts,flake-module.nix}
+git add "$(dirname '${var.nixos_vars_file}')"/{hosts,flake-module.nix}
 EOT
    on_failure  = continue
  }
		`@ -1 +1 @@`
			`{"ipv6_address":"2a01:4f9:c012:4d1e::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}`				`{"ipv6_address":"2a01:4f9:c012:afb9::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}`