Merge pull request #19 from Mic92/ci

update flake

.mergify.yml

@@ -0,0 +1,19 @@
+queue_rules:
+  - name: default
+    merge_conditions:
+      - check-success=Evaluate flake.nix
+      - check-success=check treefmt [x86_64-linux]
+      - check-success=nixosConfig nixos-wiki2-thalheim-io
+      - check-success=package default [x86_64-linux]
+defaults:
+  actions:
+    queue:
+      allow_merging_configuration_change: true
+      method: rebase
+pull_request_rules:
+  - name: merge using the merge queue
+    conditions:
+      - base=main
+      - label~=merge-queue|dependencies
+    actions:
+      queue: {}

.sops.yaml

@@ -0,0 +1,9 @@
+keys:
+  - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+  - &nixos-wiki2 age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
+creation_rules:
+  - path_regex: targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$
+    key_groups:
+    - age:
+      - *joerg
+      - *nixos-wiki2

LICENSE.md

@@ -0,0 +1,26 @@
+The MIT License (MIT)
+=====================
+
+Copyright © `2023` `Jörg Thalheim`
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the “Software”), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+

README.md

@@ -0,0 +1,21 @@
+# nixos-wiki-infra
+
+This project contains everything to setup yourself a mirror of https://nixos.wiki/
+
+## Demo
+
+I have one instance deployed [here](https://nixos-wiki.thalheim.io/wiki/Main_Page)
+
+## Examples
+
+Checkout [./targets/nixos-wiki2.thalheim.io]() for an example terraform deployment on hetzner cloud.
+
+## Restoring from an backup
+
+After installing run:
+
+```
+systemctl start wiki-backup.service && systemctl start wiki-restore
+```
+
+Note that `nixos-wiki-backup` will do this restore every night.

bors.toml

@@ -1,8 +0,0 @@
-cut_body_after = "" # don't include text from the PR body in the merge commit message
-status = [
-  "Evaluate flake.nix",
-  "check treefmt [x86_64-linux]",
-  "package default [x86_64-linux]",
-  "nixosConfig nixos-wiki-thalheim-io",
-  "nixosConfig staging-nixos-wiki-thalheim-io",
-]

checks/flake-module.nix

@@ -0,0 +1,11 @@
+{ self, ... }: {
+  perSystem =
+    { pkgs
+    , lib
+    , ...
+    }: {
+      checks = lib.optionalAttrs pkgs.stdenv.isLinux {
+        test = import ./test.nix { inherit self pkgs; };
+      };
+    };
+}

checks/lib.nix

@@ -0,0 +1,20 @@
+# tests/lib.nix
+# The first argument to this function is the test module itself
+test:
+# These arguments are provided by `flake.nix` on import, see checkArgs
+{ pkgs, self }:
+let
+  inherit (pkgs) lib;
+  # this imports the nixos library that contains our testing framework
+  nixos-lib = import (pkgs.path + "/nixos/lib") { };
+in
+(nixos-lib.runTest {
+  hostPkgs = pkgs;
+  # This speeds up the evaluation by skipping evaluating documentation (optional)
+  defaults.documentation.enable = lib.mkDefault false;
+  # This makes `self` available in the NixOS configuration of our virtual machines.
+  # This is useful for referencing modules or packages from your own flake
+  # as well as importing from other flakes.
+  node.specialArgs = { inherit self; };
+  imports = [ test ];
+}).config.result

checks/test.nix

@@ -0,0 +1,38 @@
+(import ./lib.nix) {
+  name = "nixos-wiki";
+  nodes = {
+    # `self` here is set by using specialArgs in `lib.nix`
+    wiki = { self, pkgs, config, ... }: {
+      imports = [
+        self.nixosModules.nixos-wiki
+      ];
+      networking.extraHosts = ''
+        127.0.0.1 nixos-wiki.example.com
+      '';
+      security.acme.defaults.email = "admin@example.com";
+      services.nixos-wiki = {
+        hostname = "nixos-wiki.example.com";
+        adminPasswordFile = pkgs.writeText "adminPasswordFile" "Creation-Fabric-Untrimmed3";
+        githubClientId = "Iv1.95ed182c83df1d22";
+        githubClientSecretFile = pkgs.writeText "githubClientSecretFile" "secret";
+        emergencyContact = "nixos-wiki@thalheim.io";
+        passwordSender = "nixos-wiki@thalheim.io";
+        noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
+      };
+      services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
+        enableACME = false;
+        forceSSL = false;
+      };
+    };
+  };
+  # This is the test code that will check if our service is running correctly:
+  testScript = ''
+    start_all()
+
+    machine.wait_for_unit("phpfpm-mediawiki.service")
+    machine.wait_for_unit("nginx.service")
+
+    page = machine.succeed("curl -vL http://nixos-wiki.example.com/")
+    assert "MediaWiki has been installed" in page
+  '';
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1684003056,
-        "narHash": "sha256-zl11zyRNKzAW7YLvTkxmFjSBqxZbEvfwZqNCT91ELfU=",
+        "lastModified": 1703532766,
+        "narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "8f95856432e091e5ac56fea2df81e905ddd02d27",
+        "rev": "1b191113874dee97796749bb21eac3d84735c70a",
         "type": "github"
       },
       "original": {
@@ -27,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682984683,
-        "narHash": "sha256-fSMthG+tp60AHhNmaHc4StT3ltfHkQsJtN8GhfLWmtI=",
+        "lastModified": 1701473968,
+        "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "86684881e184f41aa322e653880e497b66429f3e",
+        "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
         "type": "github"
       },
       "original": {
@@ -42,11 +42,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1683286087,
-        "narHash": "sha256-xseOd7W7xwF5GOF2RW8qhjmVGrKoBz+caBlreaNzoeI=",
+        "lastModified": 1703438236,
+        "narHash": "sha256-aqVBq1u09yFhL7bj1/xyUeJjzr92fXVvQSSEx6AdB1M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3e313808bd2e0a0669430787fb22e43b2f4bf8bf",
+        "rev": "5f64a12a728902226210bf01d25ec6cbb9d9265b",
         "type": "github"
       },
       "original": {
@@ -61,22 +61,47 @@
         "disko": "disko",
         "flake-parts": "flake-parts",
         "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
         "srvos": "srvos",
         "treefmt-nix": "treefmt-nix"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": []
+      },
+      "locked": {
+        "lastModified": 1703387502,
+        "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "srvos": {
       "inputs": {
+        "nixos-stable": [
+          "nixpkgs"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1683894417,
-        "narHash": "sha256-Z7rbmaR76lY4vwhaG9yQWmLYl1yIQ4g2wrPkQW+tJJw=",
+        "lastModified": 1703469109,
+        "narHash": "sha256-hTQJ9uV43Vt8UXwervEj9mbDoQSN1mD3lwwPChG8jy8=",
         "owner": "numtide",
         "repo": "srvos",
-        "rev": "bca63963ab057d1075216e4db5c685dd6bd715d5",
+        "rev": "52d07db520046c4775f1047e68a05dcb53bba9ec",
         "type": "github"
       },
       "original": {
@@ -92,11 +117,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1683307174,
-        "narHash": "sha256-A7nF2Q+F+Bqs4u6VS4aOzyURfly5f4ZAiihGU0FA29g=",
+        "lastModified": 1702979157,
+        "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "b44794f94514b61512352a18cd77c710f0005f15",
+        "rev": "2961375283668d867e64129c22af532de8e77734",
         "type": "github"
       },
       "original": {

flake.nix

@@ -14,34 +14,57 @@
     srvos.url = "github:numtide/srvos";
     # Use the version of nixpkgs that has been tested to work with SrvOS
     srvos.inputs.nixpkgs.follows = "nixpkgs";
+    srvos.inputs.nixos-stable.follows = "nixpkgs";
+
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.inputs.nixpkgs-stable.follows = "";
   };
 
   outputs = inputs@{ flake-parts, ... }:
-    flake-parts.lib.mkFlake { inherit inputs; } ({ lib, ... }: {
-      systems = lib.systems.flakeExposed;
+    flake-parts.lib.mkFlake { inherit inputs; } ({ self, lib, ... }: {
+      systems = [
+        "aarch64-linux"
+        "x86_64-linux"
+        "riscv64-linux"
+
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
       imports = [
         inputs.treefmt-nix.flakeModule
         ./targets/flake-module.nix
         ./modules/flake-module.nix
+        ./checks/flake-module.nix
       ];
-      perSystem = { config, pkgs, ... }: {
+      perSystem = { config, self', system, pkgs, ... }: {
         treefmt = {
           projectRootFile = "flake.nix";
-          programs.terraform.enable = true;
+          programs.hclfmt.enable = true;
           programs.nixpkgs-fmt.enable = true;
         };
-        packages.default = pkgs.mkShell {
-          packages = [
-            pkgs.bashInteractive
-            (pkgs.terraform.withPlugins (p: [
-              p.netlify
-              p.hcloud
-              p.null
-              p.external
-              p.local
-            ]))
-          ];
-        };
+        packages.default =
+          pkgs.mkShell {
+            packages = [
+              pkgs.bashInteractive
+              pkgs.sops
+              (pkgs.opentofu.withPlugins (p: [
+                p.netlify
+                p.hcloud
+                p.null
+                p.external
+                p.local
+              ]))
+            ];
+          };
+
+        checks =
+          let
+            nixosMachines = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
+            packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
+            devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
+          in
+          nixosMachines // packages // devShells;
       };
     });
 }

modules/flake-module.nix

@@ -2,12 +2,20 @@
   flake.nixosModules = {
     hcloud.imports = [
       inputs.srvos.nixosModules.server
+      inputs.srvos.nixosModules.mixins-nginx
+      inputs.sops-nix.nixosModules.sops
       inputs.srvos.nixosModules.hardware-hetzner-cloud
       ./single-disk.nix
+      {
+        sops.age.keyFile = "/var/lib/secrets/age";
+      }
     ];
 
     nixos-wiki.imports = [
-      ./nixos-wiki.nix
+      ./nixos-wiki
+    ];
+    nixos-wiki-backup.imports = [
+      ./nixos-wiki/backup.nix
     ];
   };
 }

modules/nixos-wiki.nix

@@ -1 +0,0 @@
-{ ... }: { }

modules/nixos-wiki/backup.nix

@@ -0,0 +1,80 @@
+{ config, pkgs, ... }:
+let
+  wikiDump = "/var/backup/wikidump.xml.gz";
+
+  mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance"
+    {
+      nativeBuildInputs = [ pkgs.makeWrapper ];
+      preferLocalBuild = true;
+    } ''
+    mkdir -p $out/bin
+    makeWrapper ${config.services.phpfpm.pools.mediawiki.phpPackage}/bin/php $out/bin/mediawiki-maintenance \
+      --set MEDIAWIKI_CONFIG ${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG} \
+      --add-flags ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php
+  '';
+
+  wiki-restore = pkgs.writeShellApplication {
+    name = "wiki-restore";
+    runtimeInputs = [
+      pkgs.postgresql
+      pkgs.coreutils
+      pkgs.util-linux
+      mediawiki-maintenance
+    ];
+    text = ''
+      tmpdir=$(mktemp -d)
+      cleanup() { rm -rf "$tmpdir"; }
+      cd "$tmpdir"
+      chown mediawiki:nginx "$tmpdir"
+
+      rm -rf /var/lib/mediawiki-uploads
+      install -d -m 755 -o mediawiki -g nginx /var/lib/mediawiki-uploads
+      systemctl stop phpfpm-mediawiki.service
+      runuser -u postgres -- dropdb mediawiki
+      systemctl restart postgresql
+      runuser -u postgres -- psql -c "ALTER DATABASE mediawiki OWNER TO mediawiki"
+      systemctl restart mediawiki-init.service
+      cat <<EOF | runuser -u mediawiki -- mediawiki-maintenance deleteBatch.php
+      Main_Page
+      MediaWiki:About
+      EOF
+      trap cleanup EXIT
+      cp ${wikiDump} "$tmpdir"
+      chown mediawiki:nginx "$tmpdir/wikidump.xml.gz"
+      chmod 644 "$tmpdir/wikidump.xml.gz"
+      runuser -u mediawiki -- mediawiki-maintenance importDump.php --uploads "$tmpdir/wikidump.xml.gz"
+      runuser -u mediawiki -- mediawiki-maintenance rebuildrecentchanges.php
+      systemctl start phpfpm-mediawiki.service
+    '';
+  };
+in
+{
+  environment.systemPackages = [ mediawiki-maintenance ];
+
+  systemd.services.wiki-backup = {
+    startAt = "hourly";
+
+    serviceConfig = {
+      ExecStart = [
+        "${pkgs.coreutils}/bin/mkdir -p /var/backup"
+        "${pkgs.wget}/bin/wget https://nixos.wiki/images/wikidump.xml.gz -O ${wikiDump}.new"
+        "${pkgs.coreutils}/bin/mv ${wikiDump}.new ${wikiDump}"
+      ];
+      Type = "oneshot";
+    };
+  };
+
+  systemd.services.wiki-restore = {
+    startAt = "daily";
+    path = [ pkgs.postgresql mediawiki-maintenance ];
+
+    serviceConfig = {
+      ExecStart = "${wiki-restore}/bin/wiki-restore";
+      Type = "oneshot";
+    };
+  };
+
+  services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
+    locations."=/wikidump.xml.gz".alias = wikiDump;
+  };
+}

modules/nixos-wiki/default.nix

@@ -0,0 +1,138 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.nixos-wiki;
+in
+{
+  options = {
+    services.nixos-wiki = {
+      hostname = lib.mkOption {
+        type = lib.types.str;
+        description = "The hostname of the wiki";
+      };
+      adminPasswordFile = lib.mkOption {
+        type = lib.types.path;
+        description = "The password file for the wiki admin";
+      };
+      githubClientId = lib.mkOption {
+        type = lib.types.str;
+        description = "The github client id for the wiki";
+      };
+      githubClientSecretFile = lib.mkOption {
+        type = lib.types.path;
+        description = "The github client secret for the wiki";
+      };
+      emergencyContact = lib.mkOption {
+        type = lib.types.str;
+        description = "The emergency contact for the wiki";
+      };
+      passwordSender = lib.mkOption {
+        type = lib.types.str;
+        description = "default FROM address in emails";
+      };
+      noReplyAddress = lib.mkOption {
+        type = lib.types.str;
+        description = "default Reply-To address in emails";
+      };
+    };
+  };
+
+  config = {
+    services.mediawiki = {
+      enable = true;
+      webserver = "nginx";
+      database.type = "postgres";
+      nginx.hostName = config.services.nixos-wiki.hostname;
+      uploadsDir = "/var/lib/mediawiki-uploads/";
+      passwordFile = cfg.adminPasswordFile;
+
+      extensions.SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags
+      extensions.ParserFunctions = null;
+      extensions.Cite = null;
+      extensions.VisualEditor = null;
+      extensions.AuthManagerOAuth = pkgs.fetchzip {
+        url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.2/AuthManagerOAuth.zip";
+        hash = "sha256-hr/DLyL6IzQs67eA46RdmuVlfCiAbq+eZCRLfjLxUpc=";
+      }; # Github login
+      extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
+      extensions.StopForumSpam = pkgs.fetchzip {
+        url = "https://extdist.wmflabs.org/dist/extensions/StopForumSpam-REL1_41-0abdc44.tar.gz";
+        hash = "sha256-FLaL8ztlJtUPh76/3WCFPKuH2+gjz1paaWWZ8pu66hA=";
+      };
+
+      extraConfig = ''
+        #$wgDebugLogFile = "/var/log/mediawiki/debug.log";
+
+        # allow local login
+        $wgAuthManagerOAuthConfig = [
+          'github' => [
+            'clientId'                => '${cfg.githubClientId}',
+            'clientSecret'            => file_get_contents("${cfg.githubClientSecretFile}"),
+            'urlAuthorize'            => 'https://github.com/login/oauth/authorize',
+            'urlAccessToken'          => 'https://github.com/login/oauth/access_token',
+            'urlResourceOwnerDetails' => 'https://api.github.com/user'
+          ],
+        ];
+
+        # Enable account creation globally
+        $wgGroupPermissions['*']['createaccount'] = true;
+        $wgGroupPermissions['*']['autocreateaccount'] = true;
+
+        # Disable anonymous editing
+        $wgGroupPermissions['*']['edit'] = false;
+
+        # Allow svg upload
+        $wgFileExtensions[] = 'svg';
+        $wgSVGConverterPath = "${pkgs.imagemagick}/bin";
+
+        # Pretty URLs
+        $wgUsePathInfo = true;
+
+        # cache pages with APCu
+        $wgMainCacheType = CACHE_ACCEL;
+
+        # TODO: nixos favicon
+        #$wgFavicon = "/favicon.ico";
+        $wgDefaultSkin = 'vector-2022';
+        # configure logos for vector-2022: https://www.mediawiki.org/wiki/Manual:$wgLogos
+        $wgLogos = [
+          '1x' => '/nixos.png',
+          'icon' => '/nixos.png',
+        ];
+
+        # Combat SPAM with IP-Blocklists (StopForumSpam extension)
+        $wgEnableDnsBlacklist = true;
+        $wgDnsBlacklistUrls = array(
+          'dnsbl.dronebl.org'
+        );
+
+        # required for fancy VisualEditor extension
+        $wgGroupPermissions['user']['writeapi'] = true;
+
+        # Enable content security policy
+        $wgCSPHeader = true;
+
+        # Disallow framing
+        $wgEditPageFrameOptions = "DENY";
+
+        $wgEnableEmail = true;
+        $wgAllowHTMLEmail = false;
+
+        $wgEmergencyContact = "${cfg.emergencyContact}";
+        $wgPasswordSender   = "${cfg.passwordSender}";
+        $wgNoReplyAddress   = "${cfg.noReplyAddress}";
+
+        # To purge all page cache increase this using: date +%Y%m%d%H%M%S
+        $wgCacheEpoch = 20231115172319;
+      '';
+    };
+
+    networking.firewall.allowedTCPPorts = [ 443 80 ];
+    security.acme.acceptTerms = true;
+    services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
+      enableACME = lib.mkDefault true;
+      forceSSL = lib.mkDefault true;
+      locations."=/nixos.png".alias = ./nixos.png;
+    };
+  };
+
+}

modules/single-disk.nix

@@ -1,37 +1,28 @@
 { self, ... }:
 let
-  partitions = [
-    {
-      name = "grub";
-      end = "1M";
-      part-type = "primary";
-      flags = [ "bios_grub" ];
-    }
-    {
-      name = "ESP";
-      start = "1MiB";
-      end = "500MiB";
-      bootable = true;
+  partitions = {
+    boot = {
+      size = "1M";
+      type = "EF02"; # for grub MBR
+    };
+    esp = {
+      size = "500M";
+      type = "EF00"; # for grub MBR
       content = {
         type = "filesystem";
         format = "vfat";
         mountpoint = "/boot";
       };
-    }
-    {
-      name = "root";
-      start = "100MiB";
-      end = "100%";
-      part-type = "primary";
-      bootable = true;
+    };
+    root = {
+      size = "100%";
       content = {
         type = "filesystem";
-        # We use xfs because it has support for compression and has a quite good performance for databases
-        format = "xfs";
+        format = "ext4";
         mountpoint = "/";
       };
-    }
-  ];
+    };
+  };
 in
 {
   imports = [
@@ -42,8 +33,7 @@ in
       type = "disk";
       device = "/dev/sda";
       content = {
-        type = "table";
-        format = "gpt";
+        type = "gpt";
         inherit partitions;
       };
     };

targets/nixos-wiki.thalheim.io/apply.sh

@@ -1 +0,0 @@
-../staging.nixos-wiki.thalheim.io/apply.sh

targets/nixos-wiki.thalheim.io/configuration.nix

@@ -1,10 +0,0 @@
-{ self, ... }: let
-  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
-in {
-  imports = [
-    self.nixosModules.nixos-wiki
-    self.nixosModules.hcloud
-  ];
-  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
-  system.stateVersion = "23.05";
-}

targets/nixos-wiki2.thalheim.io/configuration.nix

@@ -0,0 +1,30 @@
+{ self, lib, config, ... }:
+let
+  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in
+{
+  imports = [
+    self.nixosModules.nixos-wiki
+    self.nixosModules.nixos-wiki-backup
+    self.nixosModules.hcloud
+  ];
+  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+  system.stateVersion = "23.11";
+  security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
+
+  sops.secrets.nixos-wiki.owner = config.services.phpfpm.pools.mediawiki.user;
+  sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
+
+  services.nixos-wiki = {
+    hostname = "nixos-wiki2.thalheim.io";
+    adminPasswordFile = config.sops.secrets.nixos-wiki.path;
+    githubClientId = "Iv1.95ed182c83df1d22";
+    githubClientSecretFile = config.sops.secrets.nixos-wiki-github-client-secret.path;
+    emergencyContact = "nixos-wiki@thalheim.io";
+    passwordSender = "nixos-wiki@thalheim.io";
+    noReplyAddress = "nixos-wiki-no-reply@thalheim.io";
+  };
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
+}

targets/nixos-wiki2.thalheim.io/nixos-vars.json

@@ -1 +1 @@
-{"ipv6_address":"2a01:4f9:c012:4d1e::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
+{"ipv6_address":"2a01:4f9:c012:afb9::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}

targets/nixos-wiki2.thalheim.io/secrets.yaml

@@ -0,0 +1,32 @@
+nixos-wiki: ENC[AES256_GCM,data:PDVoovlVdCYr/rI6a8igNp8D7B6Ni+yY,iv:x/+Yro8tbSnEY+ELYx+UJKRzveidrpqHp7iC7e3ymc4=,tag:pgLVTxGqmOOQ6FMUgTLaYQ==,type:str]
+nixos-wiki-github-client-secret: ENC[AES256_GCM,data:ggkzMlolTHxo4Jh4fBN4Ot5RJgESovrRjZ6FmQkVuLAgQfX22KjE4w==,iv:plmxJQoRcaFZ1hmFHgOnUofp2pHrNITdL/a1d3tFtag=,tag:28MHko3esZKKXJps4GlTSQ==,type:str]
+age-key: ENC[AES256_GCM,data:ldlaCHNf99r6zaihQHXPZ0QyY6/KGZR3oRMKo7xiKH7EVjgmKzS8knjDDqwq29D25L1jbVPAmScPEHppbM58xU7nOx4lIpl3qKE=,iv:EHKnKwdHqlKwGrBNbCaoaB8m6xgYSJecUBJgtdZn8kU=,tag:xVs3HfQ8Qip65CIGti9k0w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNm9scHFONkwwY3dzWEtH
+            TWJnSVgzQldBd1NsVS90MnVyQ3V6aFo5YVFJCjc2S3lUc3FUaTllZGQ2R2FFTTNj
+            cWRQSC80a2FWQm12cnhXTmJNN3lSOW8KLS0tIGpPL2ZzQzBpak9HV0lES05SZk5x
+            KzM1azdvWlZIVU5VWVd4Q1AyN1VNTDQKZPtiA9MWZMOi+u6d0/Cg4vlJnP8dcaRq
+            QQKfP3LYCRqWBIrAPP8LWhza3kEjh22Wquh8Zh1SJtq2tgGKy+Pt+A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaHFwd3B5YUFUcnR2TTFw
+            aTQ4UFFBUXFxL2pOcUhyTFAwQ1ZvTGlEQUFnCmlQeHBrb2NhQXovWEl4ODdvd0FI
+            b2JMOGpXRHB3cHVHZmt3UUx2SUdtc28KLS0tIHVTZ2FISTZWbmdPaWlTdUZsTG1I
+            OHk4MkVmaFozaWdRV1RpbVM0amEvQTgKHk2ZxC+ZMUzTWD6KS1miOtLCtXF9SN/t
+            2DDz5UAadLKaJ425AL3Qg4BhOZqUz4qPoyQvD/3aBKXg0IxXHgJCtQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-24T15:17:00Z"
+    mac: ENC[AES256_GCM,data:jPInsdN9mTROhh+fyYb4JSy937fuSGr6lhRIZhDc8alOO7TYnF9GSbum3KPPHYLm8LPKLQK19umyik7a5P/c983sfRHhaOibAugtPQT3fzw0/jAjwUJ9F4t9zhrZ6k7KfU9eO/34vFM0uKYhq+wUV9ztgDLJbARmtO0Dka1ks7w=,iv:NudkNhomCsFlqkU/QjQcrsqoTdAJC7HzJDpRuqHCx7s=,tag:K20RqA4EcDmm5V27ZGPGpg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

targets/nixos-wiki2.thalheim.io/terraform.tf

@@ -1,8 +1,8 @@
 terraform {
   backend "http" {
-    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io"
-    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
-    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
+    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io"
+    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
+    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
     lock_method    = "POST"
     unlock_method  = "DELETE"
     retry_wait_min = "5"
@@ -11,12 +11,13 @@ terraform {
 
 module "wiki" {
   source           = "../../terraform/nixos-wiki"
-  netlify_dns_zone = "nixos-wiki.thalheim.io"
-  domain           = "nixos-wiki.thalheim.io"
-  nixos_flake_attr = "nixos-wiki-thalheim-io"
+  netlify_dns_zone = "nixos-wiki2.thalheim.io"
+  domain           = "nixos-wiki2.thalheim.io"
+  nixos_flake_attr = "nixos-wiki2-thalheim-io"
   nixos_vars_file  = "${path.module}/nixos-vars.json"
+  sops_file        = abspath("${path.module}/secrets.yaml")
   tags = {
     Terraform = "true"
-    Target    = "nixos-wiki.thalheim.io"
+    Target    = "nixos-wiki2.thalheim.io"
   }
 }

targets/staging.nixos-wiki.thalheim.io/configuration.nix

@@ -1,10 +0,0 @@
-{ self, ... }: let
-  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
-in {
-  imports = [
-    self.nixosModules.nixos-wiki
-    self.nixosModules.hcloud
-  ];
-  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
-  system.stateVersion = "23.05";
-}

targets/staging.nixos-wiki.thalheim.io/terraform.tf

@@ -1,21 +0,0 @@
-terraform {
-  backend "http" {
-    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io"
-    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
-    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
-    lock_method    = "POST"
-    unlock_method  = "DELETE"
-    retry_wait_min = "5"
-  }
-}
-
-module "wiki" {
-  source           = "../../terraform/nixos-wiki"
-  netlify_dns_zone = "nixos-wiki.thalheim.io"
-  nixos_flake_attr = "nixos-wiki-thalheim-io"
-  nixos_vars_file  = "${path.module}/nixos-vars.json"
-  tags = {
-    Terraform = "true"
-    Target    = "staging-nixos-wiki.thalheim.io"
-  }
-}

terraform/nixos-wiki/decrypt-age-keys.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -euo pipefail -x
+
+mkdir -p var/lib/secrets
+
+umask 0177
+sops --extract '["age-key"]' -d "$SOPS_FILE" > ./var/lib/secrets/age
+# restore umask
+umask 0022

terraform/nixos-wiki/main.tf

@@ -4,7 +4,7 @@ data "hcloud_ssh_keys" "nixos_wiki" {
 }
 
 resource "hcloud_server" "nixos_wiki" {
-  image       = "debian-10"
+  image       = "debian-11"
   keep_disk   = true
   name        = "nixos-wiki"
   server_type = var.server_type
@@ -21,15 +21,19 @@ resource "hcloud_server" "nixos_wiki" {
   }
 }
 
-#module "deploy" {
-#  depends_on             = [local_file.nixos_vars]
-#  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
-#  nixos_system_attr      = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
-#  nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
-#  target_host            = hcloud_server.nixos_wiki.ipv4_address
-#  instance_id            = hcloud_server.nixos_wiki.id
-#  debug_logging          = true
-#}
+module "deploy" {
+  depends_on             = [local_file.nixos_vars]
+  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+  nixos_system_attr      = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
+  nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoScriptNoDeps"
+  target_host            = hcloud_server.nixos_wiki.ipv4_address
+  instance_id            = hcloud_server.nixos_wiki.id
+  extra_files_script     = "${path.module}/decrypt-age-keys.sh"
+  extra_environment = {
+    SOPS_FILE = var.sops_file
+  }
+  debug_logging = true
+}
 
 locals {
   nixos_vars = {

terraform/nixos-wiki/nixos_vars.tf

@@ -5,13 +5,13 @@ resource "local_file" "nixos_vars" {
 
   provisioner "local-exec" {
     interpreter = ["bash", "-c"]
-    command     = "git add -f '${local_file.nixos_vars.filename}'"
+    command     = "git add -f '${var.nixos_vars_file}'"
   }
   # also pro-actively add hosts and flake-module.nix to git so nix can find it.
   provisioner "local-exec" {
     interpreter = ["bash", "-c"]
     command     = <<EOT
-git add "$(dirname '${local_file.nixos_vars.filename}')"/{hosts,flake-module.nix}
+git add "$(dirname '${var.nixos_vars_file}')"/{hosts,flake-module.nix}
 EOT
     on_failure  = continue
   }

terraform/nixos-wiki/variables.tf

@@ -20,6 +20,11 @@ variable "nixos_vars_file" {
   description = "File to write NixOS configuration variables to"
 }
 
+variable "sops_file" {
+  type        = string
+  description = "File to SOPS secrets file"
+}
+
 variable "nixos_flake_attr" {
   type        = string
   description = "NixOS configuration flake attribute"