Merge #5

5: inherit ssh keys from terraform r=Mic92 a=Mic92



Co-authored-by: Jörg Thalheim <joerg@thalheim.io>

.mergify.yml

@@ -1,19 +0,0 @@
-queue_rules:
-  - name: default
-    merge_conditions:
-      - check-success=Evaluate flake.nix
-      - check-success=check treefmt [x86_64-linux]
-      - check-success=nixosConfig nixos-wiki2-thalheim-io
-      - check-success=package default [x86_64-linux]
-defaults:
-  actions:
-    queue:
-      allow_merging_configuration_change: true
-      method: rebase
-pull_request_rules:
-  - name: merge using the merge queue
-    conditions:
-      - base=main
-      - label~=merge-queue|dependencies
-    actions:
-      queue: {}

.sops.yaml

@@ -1,9 +0,0 @@
-keys:
-  - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
-  - &nixos-wiki2 age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
-creation_rules:
-  - path_regex: targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$
-    key_groups:
-    - age:
-      - *joerg
-      - *nixos-wiki2

LICENSE.md

@@ -1,26 +0,0 @@
-The MIT License (MIT)
-=====================
-
-Copyright © `2023` `Jörg Thalheim`
-
-Permission is hereby granted, free of charge, to any person
-obtaining a copy of this software and associated documentation
-files (the “Software”), to deal in the Software without
-restriction, including without limitation the rights to use,
-copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the
-Software is furnished to do so, subject to the following
-conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
-OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
-OTHER DEALINGS IN THE SOFTWARE.
-

README.md

@@ -1,21 +0,0 @@
-# nixos-wiki-infra
-
-This project contains everything to setup yourself a mirror of https://nixos.wiki/
-
-## Demo
-
-I have one instance deployed [here](https://nixos-wiki.thalheim.io/wiki/Main_Page)
-
-## Examples
-
-Checkout [./targets/nixos-wiki2.thalheim.io]() for an example terraform deployment on hetzner cloud.
-
-## Restoring from an backup
-
-After installing run:
-
-```
-systemctl start wiki-backup.service && systemctl start wiki-restore
-```
-
-Note that `nixos-wiki-backup` will do this restore every night.

bors.toml

@@ -0,0 +1,8 @@
+cut_body_after = "" # don't include text from the PR body in the merge commit message
+status = [
+  "Evaluate flake.nix",
+  "check treefmt [x86_64-linux]",
+  "package default [x86_64-linux]",
+  "nixosConfig nixos-wiki-thalheim-io",
+  "nixosConfig staging-nixos-wiki-thalheim-io",
+]

checks/flake-module.nix

@@ -1,11 +0,0 @@
-{ self, ... }: {
-  perSystem =
-    { pkgs
-    , lib
-    , ...
-    }: {
-      checks = lib.optionalAttrs pkgs.stdenv.isLinux {
-        test = import ./test.nix { inherit self pkgs; };
-      };
-    };
-}

checks/lib.nix

@@ -1,20 +0,0 @@
-# tests/lib.nix
-# The first argument to this function is the test module itself
-test:
-# These arguments are provided by `flake.nix` on import, see checkArgs
-{ pkgs, self }:
-let
-  inherit (pkgs) lib;
-  # this imports the nixos library that contains our testing framework
-  nixos-lib = import (pkgs.path + "/nixos/lib") { };
-in
-(nixos-lib.runTest {
-  hostPkgs = pkgs;
-  # This speeds up the evaluation by skipping evaluating documentation (optional)
-  defaults.documentation.enable = lib.mkDefault false;
-  # This makes `self` available in the NixOS configuration of our virtual machines.
-  # This is useful for referencing modules or packages from your own flake
-  # as well as importing from other flakes.
-  node.specialArgs = { inherit self; };
-  imports = [ test ];
-}).config.result

checks/test.nix

@@ -1,38 +0,0 @@
-(import ./lib.nix) {
-  name = "nixos-wiki";
-  nodes = {
-    # `self` here is set by using specialArgs in `lib.nix`
-    wiki = { self, pkgs, config, ... }: {
-      imports = [
-        self.nixosModules.nixos-wiki
-      ];
-      networking.extraHosts = ''
-        127.0.0.1 nixos-wiki.example.com
-      '';
-      security.acme.defaults.email = "admin@example.com";
-      services.nixos-wiki = {
-        hostname = "nixos-wiki.example.com";
-        adminPasswordFile = pkgs.writeText "adminPasswordFile" "Creation-Fabric-Untrimmed3";
-        githubClientId = "Iv1.95ed182c83df1d22";
-        githubClientSecretFile = pkgs.writeText "githubClientSecretFile" "secret";
-        emergencyContact = "nixos-wiki@thalheim.io";
-        passwordSender = "nixos-wiki@thalheim.io";
-        noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
-      };
-      services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
-        enableACME = false;
-        forceSSL = false;
-      };
-    };
-  };
-  # This is the test code that will check if our service is running correctly:
-  testScript = ''
-    start_all()
-
-    machine.wait_for_unit("phpfpm-mediawiki.service")
-    machine.wait_for_unit("nginx.service")
-
-    page = machine.succeed("curl -vL http://nixos-wiki.example.com/")
-    assert "MediaWiki has been installed" in page
-  '';
-}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703532766,
-        "narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=",
+        "lastModified": 1684003056,
+        "narHash": "sha256-zl11zyRNKzAW7YLvTkxmFjSBqxZbEvfwZqNCT91ELfU=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "1b191113874dee97796749bb21eac3d84735c70a",
+        "rev": "8f95856432e091e5ac56fea2df81e905ddd02d27",
         "type": "github"
       },
       "original": {
@@ -27,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1701473968,
-        "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
+        "lastModified": 1682984683,
+        "narHash": "sha256-fSMthG+tp60AHhNmaHc4StT3ltfHkQsJtN8GhfLWmtI=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
+        "rev": "86684881e184f41aa322e653880e497b66429f3e",
         "type": "github"
       },
       "original": {
@@ -42,11 +42,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1703438236,
-        "narHash": "sha256-aqVBq1u09yFhL7bj1/xyUeJjzr92fXVvQSSEx6AdB1M=",
+        "lastModified": 1683286087,
+        "narHash": "sha256-xseOd7W7xwF5GOF2RW8qhjmVGrKoBz+caBlreaNzoeI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5f64a12a728902226210bf01d25ec6cbb9d9265b",
+        "rev": "3e313808bd2e0a0669430787fb22e43b2f4bf8bf",
         "type": "github"
       },
       "original": {
@@ -61,47 +61,22 @@
         "disko": "disko",
         "flake-parts": "flake-parts",
         "nixpkgs": "nixpkgs",
-        "sops-nix": "sops-nix",
         "srvos": "srvos",
         "treefmt-nix": "treefmt-nix"
       }
     },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": []
-      },
-      "locked": {
-        "lastModified": 1703387502,
-        "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
-      }
-    },
     "srvos": {
       "inputs": {
-        "nixos-stable": [
-          "nixpkgs"
-        ],
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1703469109,
-        "narHash": "sha256-hTQJ9uV43Vt8UXwervEj9mbDoQSN1mD3lwwPChG8jy8=",
+        "lastModified": 1683894417,
+        "narHash": "sha256-Z7rbmaR76lY4vwhaG9yQWmLYl1yIQ4g2wrPkQW+tJJw=",
         "owner": "numtide",
         "repo": "srvos",
-        "rev": "52d07db520046c4775f1047e68a05dcb53bba9ec",
+        "rev": "bca63963ab057d1075216e4db5c685dd6bd715d5",
         "type": "github"
       },
       "original": {
@@ -117,11 +92,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1702979157,
-        "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=",
+        "lastModified": 1683307174,
+        "narHash": "sha256-A7nF2Q+F+Bqs4u6VS4aOzyURfly5f4ZAiihGU0FA29g=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "2961375283668d867e64129c22af532de8e77734",
+        "rev": "b44794f94514b61512352a18cd77c710f0005f15",
         "type": "github"
       },
       "original": {

flake.nix

@@ -14,57 +14,34 @@
     srvos.url = "github:numtide/srvos";
     # Use the version of nixpkgs that has been tested to work with SrvOS
     srvos.inputs.nixpkgs.follows = "nixpkgs";
-    srvos.inputs.nixos-stable.follows = "nixpkgs";
-
-    sops-nix.url = "github:Mic92/sops-nix";
-    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    sops-nix.inputs.nixpkgs-stable.follows = "";
   };
 
   outputs = inputs@{ flake-parts, ... }:
-    flake-parts.lib.mkFlake { inherit inputs; } ({ self, lib, ... }: {
-      systems = [
-        "aarch64-linux"
-        "x86_64-linux"
-        "riscv64-linux"
-
-        "x86_64-darwin"
-        "aarch64-darwin"
-      ];
+    flake-parts.lib.mkFlake { inherit inputs; } ({ lib, ... }: {
+      systems = lib.systems.flakeExposed;
       imports = [
         inputs.treefmt-nix.flakeModule
         ./targets/flake-module.nix
         ./modules/flake-module.nix
-        ./checks/flake-module.nix
       ];
-      perSystem = { config, self', system, pkgs, ... }: {
+      perSystem = { config, pkgs, ... }: {
         treefmt = {
           projectRootFile = "flake.nix";
-          programs.hclfmt.enable = true;
+          programs.terraform.enable = true;
           programs.nixpkgs-fmt.enable = true;
         };
-        packages.default =
-          pkgs.mkShell {
-            packages = [
-              pkgs.bashInteractive
-              pkgs.sops
-              (pkgs.opentofu.withPlugins (p: [
-                p.netlify
-                p.hcloud
-                p.null
-                p.external
-                p.local
-              ]))
-            ];
-          };
-
-        checks =
-          let
-            nixosMachines = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
-            packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
-            devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
-          in
-          nixosMachines // packages // devShells;
+        packages.default = pkgs.mkShell {
+          packages = [
+            pkgs.bashInteractive
+            (pkgs.terraform.withPlugins (p: [
+              p.netlify
+              p.hcloud
+              p.null
+              p.external
+              p.local
+            ]))
+          ];
+        };
       };
     });
 }

modules/flake-module.nix

@@ -2,20 +2,12 @@
   flake.nixosModules = {
     hcloud.imports = [
       inputs.srvos.nixosModules.server
-      inputs.srvos.nixosModules.mixins-nginx
-      inputs.sops-nix.nixosModules.sops
       inputs.srvos.nixosModules.hardware-hetzner-cloud
       ./single-disk.nix
-      {
-        sops.age.keyFile = "/var/lib/secrets/age";
-      }
     ];
 
     nixos-wiki.imports = [
-      ./nixos-wiki
-    ];
-    nixos-wiki-backup.imports = [
-      ./nixos-wiki/backup.nix
+      ./nixos-wiki.nix
     ];
   };
 }

modules/nixos-wiki.nix

@@ -0,0 +1 @@
+{ ... }: { }

modules/nixos-wiki/backup.nix

@@ -1,80 +0,0 @@
-{ config, pkgs, ... }:
-let
-  wikiDump = "/var/backup/wikidump.xml.gz";
-
-  mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance"
-    {
-      nativeBuildInputs = [ pkgs.makeWrapper ];
-      preferLocalBuild = true;
-    } ''
-    mkdir -p $out/bin
-    makeWrapper ${config.services.phpfpm.pools.mediawiki.phpPackage}/bin/php $out/bin/mediawiki-maintenance \
-      --set MEDIAWIKI_CONFIG ${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG} \
-      --add-flags ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php
-  '';
-
-  wiki-restore = pkgs.writeShellApplication {
-    name = "wiki-restore";
-    runtimeInputs = [
-      pkgs.postgresql
-      pkgs.coreutils
-      pkgs.util-linux
-      mediawiki-maintenance
-    ];
-    text = ''
-      tmpdir=$(mktemp -d)
-      cleanup() { rm -rf "$tmpdir"; }
-      cd "$tmpdir"
-      chown mediawiki:nginx "$tmpdir"
-
-      rm -rf /var/lib/mediawiki-uploads
-      install -d -m 755 -o mediawiki -g nginx /var/lib/mediawiki-uploads
-      systemctl stop phpfpm-mediawiki.service
-      runuser -u postgres -- dropdb mediawiki
-      systemctl restart postgresql
-      runuser -u postgres -- psql -c "ALTER DATABASE mediawiki OWNER TO mediawiki"
-      systemctl restart mediawiki-init.service
-      cat <<EOF | runuser -u mediawiki -- mediawiki-maintenance deleteBatch.php
-      Main_Page
-      MediaWiki:About
-      EOF
-      trap cleanup EXIT
-      cp ${wikiDump} "$tmpdir"
-      chown mediawiki:nginx "$tmpdir/wikidump.xml.gz"
-      chmod 644 "$tmpdir/wikidump.xml.gz"
-      runuser -u mediawiki -- mediawiki-maintenance importDump.php --uploads "$tmpdir/wikidump.xml.gz"
-      runuser -u mediawiki -- mediawiki-maintenance rebuildrecentchanges.php
-      systemctl start phpfpm-mediawiki.service
-    '';
-  };
-in
-{
-  environment.systemPackages = [ mediawiki-maintenance ];
-
-  systemd.services.wiki-backup = {
-    startAt = "hourly";
-
-    serviceConfig = {
-      ExecStart = [
-        "${pkgs.coreutils}/bin/mkdir -p /var/backup"
-        "${pkgs.wget}/bin/wget https://nixos.wiki/images/wikidump.xml.gz -O ${wikiDump}.new"
-        "${pkgs.coreutils}/bin/mv ${wikiDump}.new ${wikiDump}"
-      ];
-      Type = "oneshot";
-    };
-  };
-
-  systemd.services.wiki-restore = {
-    startAt = "daily";
-    path = [ pkgs.postgresql mediawiki-maintenance ];
-
-    serviceConfig = {
-      ExecStart = "${wiki-restore}/bin/wiki-restore";
-      Type = "oneshot";
-    };
-  };
-
-  services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
-    locations."=/wikidump.xml.gz".alias = wikiDump;
-  };
-}

modules/nixos-wiki/default.nix

@@ -1,138 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.nixos-wiki;
-in
-{
-  options = {
-    services.nixos-wiki = {
-      hostname = lib.mkOption {
-        type = lib.types.str;
-        description = "The hostname of the wiki";
-      };
-      adminPasswordFile = lib.mkOption {
-        type = lib.types.path;
-        description = "The password file for the wiki admin";
-      };
-      githubClientId = lib.mkOption {
-        type = lib.types.str;
-        description = "The github client id for the wiki";
-      };
-      githubClientSecretFile = lib.mkOption {
-        type = lib.types.path;
-        description = "The github client secret for the wiki";
-      };
-      emergencyContact = lib.mkOption {
-        type = lib.types.str;
-        description = "The emergency contact for the wiki";
-      };
-      passwordSender = lib.mkOption {
-        type = lib.types.str;
-        description = "default FROM address in emails";
-      };
-      noReplyAddress = lib.mkOption {
-        type = lib.types.str;
-        description = "default Reply-To address in emails";
-      };
-    };
-  };
-
-  config = {
-    services.mediawiki = {
-      enable = true;
-      webserver = "nginx";
-      database.type = "postgres";
-      nginx.hostName = config.services.nixos-wiki.hostname;
-      uploadsDir = "/var/lib/mediawiki-uploads/";
-      passwordFile = cfg.adminPasswordFile;
-
-      extensions.SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags
-      extensions.ParserFunctions = null;
-      extensions.Cite = null;
-      extensions.VisualEditor = null;
-      extensions.AuthManagerOAuth = pkgs.fetchzip {
-        url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.2/AuthManagerOAuth.zip";
-        hash = "sha256-hr/DLyL6IzQs67eA46RdmuVlfCiAbq+eZCRLfjLxUpc=";
-      }; # Github login
-      extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
-      extensions.StopForumSpam = pkgs.fetchzip {
-        url = "https://extdist.wmflabs.org/dist/extensions/StopForumSpam-REL1_41-0abdc44.tar.gz";
-        hash = "sha256-FLaL8ztlJtUPh76/3WCFPKuH2+gjz1paaWWZ8pu66hA=";
-      };
-
-      extraConfig = ''
-        #$wgDebugLogFile = "/var/log/mediawiki/debug.log";
-
-        # allow local login
-        $wgAuthManagerOAuthConfig = [
-          'github' => [
-            'clientId'                => '${cfg.githubClientId}',
-            'clientSecret'            => file_get_contents("${cfg.githubClientSecretFile}"),
-            'urlAuthorize'            => 'https://github.com/login/oauth/authorize',
-            'urlAccessToken'          => 'https://github.com/login/oauth/access_token',
-            'urlResourceOwnerDetails' => 'https://api.github.com/user'
-          ],
-        ];
-
-        # Enable account creation globally
-        $wgGroupPermissions['*']['createaccount'] = true;
-        $wgGroupPermissions['*']['autocreateaccount'] = true;
-
-        # Disable anonymous editing
-        $wgGroupPermissions['*']['edit'] = false;
-
-        # Allow svg upload
-        $wgFileExtensions[] = 'svg';
-        $wgSVGConverterPath = "${pkgs.imagemagick}/bin";
-
-        # Pretty URLs
-        $wgUsePathInfo = true;
-
-        # cache pages with APCu
-        $wgMainCacheType = CACHE_ACCEL;
-
-        # TODO: nixos favicon
-        #$wgFavicon = "/favicon.ico";
-        $wgDefaultSkin = 'vector-2022';
-        # configure logos for vector-2022: https://www.mediawiki.org/wiki/Manual:$wgLogos
-        $wgLogos = [
-          '1x' => '/nixos.png',
-          'icon' => '/nixos.png',
-        ];
-
-        # Combat SPAM with IP-Blocklists (StopForumSpam extension)
-        $wgEnableDnsBlacklist = true;
-        $wgDnsBlacklistUrls = array(
-          'dnsbl.dronebl.org'
-        );
-
-        # required for fancy VisualEditor extension
-        $wgGroupPermissions['user']['writeapi'] = true;
-
-        # Enable content security policy
-        $wgCSPHeader = true;
-
-        # Disallow framing
-        $wgEditPageFrameOptions = "DENY";
-
-        $wgEnableEmail = true;
-        $wgAllowHTMLEmail = false;
-
-        $wgEmergencyContact = "${cfg.emergencyContact}";
-        $wgPasswordSender   = "${cfg.passwordSender}";
-        $wgNoReplyAddress   = "${cfg.noReplyAddress}";
-
-        # To purge all page cache increase this using: date +%Y%m%d%H%M%S
-        $wgCacheEpoch = 20231115172319;
-      '';
-    };
-
-    networking.firewall.allowedTCPPorts = [ 443 80 ];
-    security.acme.acceptTerms = true;
-    services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
-      enableACME = lib.mkDefault true;
-      forceSSL = lib.mkDefault true;
-      locations."=/nixos.png".alias = ./nixos.png;
-    };
-  };
-
-}

modules/single-disk.nix

@@ -1,28 +1,37 @@
 { self, ... }:
 let
-  partitions = {
-    boot = {
-      size = "1M";
-      type = "EF02"; # for grub MBR
-    };
-    esp = {
-      size = "500M";
-      type = "EF00"; # for grub MBR
+  partitions = [
+    {
+      name = "grub";
+      end = "1M";
+      part-type = "primary";
+      flags = [ "bios_grub" ];
+    }
+    {
+      name = "ESP";
+      start = "1MiB";
+      end = "500MiB";
+      bootable = true;
       content = {
         type = "filesystem";
         format = "vfat";
         mountpoint = "/boot";
       };
-    };
-    root = {
-      size = "100%";
+    }
+    {
+      name = "root";
+      start = "100MiB";
+      end = "100%";
+      part-type = "primary";
+      bootable = true;
       content = {
         type = "filesystem";
-        format = "ext4";
+        # We use xfs because it has support for compression and has a quite good performance for databases
+        format = "xfs";
         mountpoint = "/";
       };
-    };
-  };
+    }
+  ];
 in
 {
   imports = [
@@ -33,7 +42,8 @@ in
       type = "disk";
       device = "/dev/sda";
       content = {
-        type = "gpt";
+        type = "table";
+        format = "gpt";
         inherit partitions;
       };
     };

targets/nixos-wiki.thalheim.io/apply.sh

@@ -0,0 +1 @@
+../staging.nixos-wiki.thalheim.io/apply.sh

targets/nixos-wiki.thalheim.io/configuration.nix

@@ -0,0 +1,10 @@
+{ self, ... }: let
+  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in {
+  imports = [
+    self.nixosModules.nixos-wiki
+    self.nixosModules.hcloud
+  ];
+  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+  system.stateVersion = "23.05";
+}

targets/nixos-wiki.thalheim.io/nixos-vars.json

@@ -1 +1 @@
-{"ipv6_address":"2a01:4f9:c012:afb9::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
+{"ipv6_address":"2a01:4f9:c012:4d1e::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}

targets/nixos-wiki.thalheim.io/terraform.tf

@@ -1,8 +1,8 @@
 terraform {
   backend "http" {
-    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io"
-    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
-    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
+    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io"
+    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
+    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
     lock_method    = "POST"
     unlock_method  = "DELETE"
     retry_wait_min = "5"
@@ -11,13 +11,12 @@ terraform {
 
 module "wiki" {
   source           = "../../terraform/nixos-wiki"
-  netlify_dns_zone = "nixos-wiki2.thalheim.io"
-  domain           = "nixos-wiki2.thalheim.io"
-  nixos_flake_attr = "nixos-wiki2-thalheim-io"
+  netlify_dns_zone = "nixos-wiki.thalheim.io"
+  domain           = "nixos-wiki.thalheim.io"
+  nixos_flake_attr = "nixos-wiki-thalheim-io"
   nixos_vars_file  = "${path.module}/nixos-vars.json"
-  sops_file        = abspath("${path.module}/secrets.yaml")
   tags = {
     Terraform = "true"
-    Target    = "nixos-wiki2.thalheim.io"
+    Target    = "nixos-wiki.thalheim.io"
   }
 }

targets/nixos-wiki2.thalheim.io/configuration.nix

@@ -1,30 +0,0 @@
-{ self, lib, config, ... }:
-let
-  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
-in
-{
-  imports = [
-    self.nixosModules.nixos-wiki
-    self.nixosModules.nixos-wiki-backup
-    self.nixosModules.hcloud
-  ];
-  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
-  system.stateVersion = "23.11";
-  security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
-
-  sops.secrets.nixos-wiki.owner = config.services.phpfpm.pools.mediawiki.user;
-  sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
-
-  services.nixos-wiki = {
-    hostname = "nixos-wiki2.thalheim.io";
-    adminPasswordFile = config.sops.secrets.nixos-wiki.path;
-    githubClientId = "Iv1.95ed182c83df1d22";
-    githubClientSecretFile = config.sops.secrets.nixos-wiki-github-client-secret.path;
-    emergencyContact = "nixos-wiki@thalheim.io";
-    passwordSender = "nixos-wiki@thalheim.io";
-    noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
-  };
-
-  sops.defaultSopsFile = ./secrets.yaml;
-  boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
-}

targets/nixos-wiki2.thalheim.io/secrets.yaml

@@ -1,32 +0,0 @@
-nixos-wiki: ENC[AES256_GCM,data:PDVoovlVdCYr/rI6a8igNp8D7B6Ni+yY,iv:x/+Yro8tbSnEY+ELYx+UJKRzveidrpqHp7iC7e3ymc4=,tag:pgLVTxGqmOOQ6FMUgTLaYQ==,type:str]
-nixos-wiki-github-client-secret: ENC[AES256_GCM,data:ggkzMlolTHxo4Jh4fBN4Ot5RJgESovrRjZ6FmQkVuLAgQfX22KjE4w==,iv:plmxJQoRcaFZ1hmFHgOnUofp2pHrNITdL/a1d3tFtag=,tag:28MHko3esZKKXJps4GlTSQ==,type:str]
-age-key: ENC[AES256_GCM,data:ldlaCHNf99r6zaihQHXPZ0QyY6/KGZR3oRMKo7xiKH7EVjgmKzS8knjDDqwq29D25L1jbVPAmScPEHppbM58xU7nOx4lIpl3qKE=,iv:EHKnKwdHqlKwGrBNbCaoaB8m6xgYSJecUBJgtdZn8kU=,tag:xVs3HfQ8Qip65CIGti9k0w==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNm9scHFONkwwY3dzWEtH
-            TWJnSVgzQldBd1NsVS90MnVyQ3V6aFo5YVFJCjc2S3lUc3FUaTllZGQ2R2FFTTNj
-            cWRQSC80a2FWQm12cnhXTmJNN3lSOW8KLS0tIGpPL2ZzQzBpak9HV0lES05SZk5x
-            KzM1azdvWlZIVU5VWVd4Q1AyN1VNTDQKZPtiA9MWZMOi+u6d0/Cg4vlJnP8dcaRq
-            QQKfP3LYCRqWBIrAPP8LWhza3kEjh22Wquh8Zh1SJtq2tgGKy+Pt+A==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaHFwd3B5YUFUcnR2TTFw
-            aTQ4UFFBUXFxL2pOcUhyTFAwQ1ZvTGlEQUFnCmlQeHBrb2NhQXovWEl4ODdvd0FI
-            b2JMOGpXRHB3cHVHZmt3UUx2SUdtc28KLS0tIHVTZ2FISTZWbmdPaWlTdUZsTG1I
-            OHk4MkVmaFozaWdRV1RpbVM0amEvQTgKHk2ZxC+ZMUzTWD6KS1miOtLCtXF9SN/t
-            2DDz5UAadLKaJ425AL3Qg4BhOZqUz4qPoyQvD/3aBKXg0IxXHgJCtQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-24T15:17:00Z"
-    mac: ENC[AES256_GCM,data:jPInsdN9mTROhh+fyYb4JSy937fuSGr6lhRIZhDc8alOO7TYnF9GSbum3KPPHYLm8LPKLQK19umyik7a5P/c983sfRHhaOibAugtPQT3fzw0/jAjwUJ9F4t9zhrZ6k7KfU9eO/34vFM0uKYhq+wUV9ztgDLJbARmtO0Dka1ks7w=,iv:NudkNhomCsFlqkU/QjQcrsqoTdAJC7HzJDpRuqHCx7s=,tag:K20RqA4EcDmm5V27ZGPGpg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

targets/staging.nixos-wiki.thalheim.io/configuration.nix

@@ -0,0 +1,10 @@
+{ self, ... }: let
+  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in {
+  imports = [
+    self.nixosModules.nixos-wiki
+    self.nixosModules.hcloud
+  ];
+  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+  system.stateVersion = "23.05";
+}

targets/staging.nixos-wiki.thalheim.io/terraform.tf

@@ -0,0 +1,21 @@
+terraform {
+  backend "http" {
+    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io"
+    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
+    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
+    lock_method    = "POST"
+    unlock_method  = "DELETE"
+    retry_wait_min = "5"
+  }
+}
+
+module "wiki" {
+  source           = "../../terraform/nixos-wiki"
+  netlify_dns_zone = "nixos-wiki.thalheim.io"
+  nixos_flake_attr = "nixos-wiki-thalheim-io"
+  nixos_vars_file  = "${path.module}/nixos-vars.json"
+  tags = {
+    Terraform = "true"
+    Target    = "staging-nixos-wiki.thalheim.io"
+  }
+}

terraform/nixos-wiki/decrypt-age-keys.sh

@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail -x
-
-mkdir -p var/lib/secrets
-
-umask 0177
-sops --extract '["age-key"]' -d "$SOPS_FILE" > ./var/lib/secrets/age
-# restore umask
-umask 0022

terraform/nixos-wiki/main.tf

@@ -4,7 +4,7 @@ data "hcloud_ssh_keys" "nixos_wiki" {
 }
 
 resource "hcloud_server" "nixos_wiki" {
-  image       = "debian-11"
+  image       = "debian-10"
   keep_disk   = true
   name        = "nixos-wiki"
   server_type = var.server_type
@@ -21,19 +21,15 @@ resource "hcloud_server" "nixos_wiki" {
   }
 }
 
-module "deploy" {
-  depends_on             = [local_file.nixos_vars]
-  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
-  nixos_system_attr      = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
-  nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoScriptNoDeps"
-  target_host            = hcloud_server.nixos_wiki.ipv4_address
-  instance_id            = hcloud_server.nixos_wiki.id
-  extra_files_script     = "${path.module}/decrypt-age-keys.sh"
-  extra_environment = {
-    SOPS_FILE = var.sops_file
-  }
-  debug_logging = true
-}
+#module "deploy" {
+#  depends_on             = [local_file.nixos_vars]
+#  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+#  nixos_system_attr      = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
+#  nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
+#  target_host            = hcloud_server.nixos_wiki.ipv4_address
+#  instance_id            = hcloud_server.nixos_wiki.id
+#  debug_logging          = true
+#}
 
 locals {
   nixos_vars = {

terraform/nixos-wiki/nixos_vars.tf

@@ -5,13 +5,13 @@ resource "local_file" "nixos_vars" {
 
   provisioner "local-exec" {
     interpreter = ["bash", "-c"]
-    command     = "git add -f '${var.nixos_vars_file}'"
+    command     = "git add -f '${local_file.nixos_vars.filename}'"
   }
   # also pro-actively add hosts and flake-module.nix to git so nix can find it.
   provisioner "local-exec" {
     interpreter = ["bash", "-c"]
     command     = <<EOT
-git add "$(dirname '${var.nixos_vars_file}')"/{hosts,flake-module.nix}
+git add "$(dirname '${local_file.nixos_vars.filename}')"/{hosts,flake-module.nix}
 EOT
     on_failure  = continue
   }

terraform/nixos-wiki/variables.tf

@@ -20,11 +20,6 @@ variable "nixos_vars_file" {
   description = "File to write NixOS configuration variables to"
 }
 
-variable "sops_file" {
-  type        = string
-  description = "File to SOPS secrets file"
-}
-
 variable "nixos_flake_attr" {
   type        = string
   description = "NixOS configuration flake attribute"