Merge pull request #5 from nix-pizza/aciceri/hedgedoc

Hedgedoc
nix-pizza · May 2, 2024 · c848e90 · c848e90
2 parents 7d4ae01 + 3ae2b0b
commit c848e90
Show file tree

Hide file tree

Showing 21 changed files with 429 additions and 222 deletions.
diff --git a/hosts/default.nix b/hosts/default.nix
@@ -1,146 +1,19 @@
-{ inputs, config, ... }: {
-  # TODO separate flake-parts module from NixOS modules
+{ config, inputs, ... }: {
   flake.nixosConfigurations.nix-pizza = inputs.nixpkgs.lib.nixosSystem {
     system = "aarch64-linux";
-
     modules = [
-      ({ modulesPath, ... }: {
-        imports = [
-          inputs.disko.nixosModules.disko
-          inputs.srvos.nixosModules.hardware-hetzner-online-arm
-          inputs.srvos.nixosModules.server
-          inputs.impermanence.nixosModules.impermanence
-          (modulesPath + "/profiles/qemu-guest.nix")
-        ];
-
-        boot.kernelParams = [ "console=tty" ];
-        boot.initrd.kernelModules = [ "virtio_gpu" ];
-        boot.initrd.systemd.enable = true;
-
-        boot.loader.efi.canTouchEfiVariables = true;
-        boot.loader.systemd-boot = {
-          enable = true;
-          configurationLimit = 5;
-        };
-
-        system.stateVersion = "23.05";
-        networking.hostName = "nix-pizza";
-
-        systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f8:c013:2189::1/64";
-
+      ./nix-pizza
+      inputs.disko.nixosModules.disko
+      inputs.srvos.nixosModules.hardware-hetzner-online-arm
+      inputs.srvos.nixosModules.server
+      inputs.impermanence.nixosModules.impermanence
+      inputs.agenix.nixosModules.age
+      {
         users.users.root.openssh.authorizedKeys.keys = with config.infra.sshKeys; [
           aciceri.key
           zarelit.key
         ];
-
-        environment.persistence."/persist" = {
-          hideMounts = true;
-          directories = [
-            "/etc/NetworkManager/system-connections"
-            "/var/db/dhcpcd/"
-            "/var/lib/NetworkManager/"
-            "/var/lib/nixos"
-            "/var/lib/systemd"
-            "/var/lib/systemd/coredump"
-            "/var/log"
-          ];
-          files = [
-            "/etc/machine-id"
-            "/etc/ssh/ssh_host_ed25519_key"
-            "/etc/ssh/ssh_host_ed25519_key.pub"
-            "/etc/ssh/ssh_host_rsa_key"
-            "/etc/ssh/ssh_host_rsa_key.pub"
-          ];
-        };
-
-        fileSystems."/persist".neededForBoot = true;
-        boot.tmp.cleanOnBoot = true;
-
-        disko.devices = {
-          nodev."/" = {
-            fsType = "tmpfs";
-            mountOptions = [ "size=1024M" "defaults" "mode=755" ];
-          };
-
-          disk = {
-            vdb = {
-              device = "/dev/sda";
-              type = "disk";
-              content = {
-                type = "gpt";
-                partitions = {
-                  ESP = {
-                    type = "EF00";
-                    size = "500M";
-                    content = {
-                      type = "filesystem";
-                      format = "vfat";
-                      mountpoint = "/boot";
-                    };
-                  };
-                  nixroot = {
-                    start = "512M";
-                    end = "-15G";
-                    content = {
-                      type = "filesystem";
-                      format = "ext4";
-                      mountpoint = "/nix";
-                    };
-                  };
-                  persist = {
-                    start = "-15G";
-                    end = "-5G";
-                    content = {
-                      type = "filesystem";
-                      format = "ext4";
-                      mountpoint = "/persist";
-                    };
-                  };
-                  tmp = {
-                    start = "-5G";
-                    end = "-4G";
-                    content = {
-                      type = "filesystem";
-                      format = "ext4";
-                      mountpoint = "/tmp";
-                    };
-                  };
-                  swap = {
-                    size = "100%";
-                    content = {
-                      type = "swap";
-                      randomEncryption = true;
-                    };
-                  };
-                };
-              };
-            };
-          };
-        };
-
-        security.acme = {
-          acceptTerms = true;
-          defaults.email = "[email protected]";
-        };
-
-        # Just for testing
-        services.nginx = {
-          enable = true;
-          virtualHosts."ananas.nix.pizza" = {
-            default = true;
-            enableACME = true;
-            forceSSL = true;
-            locations = {
-              "/" = {
-                return = ''200 "Pizza con l'ananas"'';
-                extraConfig = "add_header Content-Type text/plain;";
-              };
-            };
-          };
-        };
-
-        networking.firewall.allowedTCPPorts = [ 80 443 ];
-      })
+      }
     ];
   };
 }
diff --git a/hosts/nix-pizza/backup.nix b/hosts/nix-pizza/backup.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }: {
+  age.secrets = {
+    HETZNER_STORAGE_BOX_SSH_PASSWORD = {
+      file = ../../secrets/HETZNER_STORAGE_BOX_SSH_PASSWORD.age;
+      owner = "root";
+    };
+    NIX_PIZZA_RESTIC_PASSWORD = {
+      file = ../../secrets/NIX_PIZZA_RESTIC_PASSWORD.age;
+      owner = "root";
+    };
+  };
+
+  services.restic.backups.nix-pizza =
+    let
+      user = "u382036-sub2";
+      host = "u382036.your-storagebox.de";
+      port = "23";
+    in
+    {
+      paths = [ "/persist" ];
+      passwordFile = config.age.secrets.NIX_PIZZA_RESTIC_PASSWORD.path;
+      extraOptions = [
+        "sftp.command='${lib.getExe pkgs.sshpass} -f ${config.age.secrets.HETZNER_STORAGE_BOX_SSH_PASSWORD.path} ssh -p${port} ${user}@${host} -s sftp'"
+      ];
+      repository = "sftp://${user}@${host}:${port}/";
+      initialize = true;
+      timerConfig.OnCalendar = "daily";
+      timerConfig.RandomizedDelaySec = "1h";
+    };
+}
diff --git a/hosts/nix-pizza/default.nix b/hosts/nix-pizza/default.nix
@@ -0,0 +1,116 @@
+{ modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ./postgres.nix
+    ./backup.nix
+    ./fail2ban.nix
+    ./nginx.nix
+    ./hedgedoc.nix
+  ];
+
+  boot.kernelParams = [ "console=tty" ];
+  boot.initrd.kernelModules = [ "virtio_gpu" ];
+  boot.initrd.systemd.enable = true;
+
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 5;
+  };
+
+  system.stateVersion = "23.05";
+  networking.hostName = "nix-pizza";
+
+  systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f8:c013:2189::1/64";
+
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [
+      "/etc/NetworkManager/system-connections"
+      "/var/db/dhcpcd/"
+      "/var/lib/NetworkManager/"
+      "/var/lib/nixos"
+      "/var/lib/systemd"
+      "/var/lib/systemd/coredump"
+      "/var/log"
+    ];
+    files = [
+      "/etc/machine-id"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+    ];
+  };
+
+  # Agenix decrypts before impermanence creates mounts so we have to get keys from /persist
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+    "/persist/etc/ssh/ssh_host_rsa_key"
+  ];
+
+  fileSystems."/persist".neededForBoot = true;
+  boot.tmp.cleanOnBoot = true;
+
+  disko.devices = {
+    nodev."/" = {
+      fsType = "tmpfs";
+      mountOptions = [ "size=1024M" "defaults" "mode=755" ];
+    };
+
+    disk = {
+      vdb = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            nixroot = {
+              start = "512M";
+              end = "-15G";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/nix";
+              };
+            };
+            persist = {
+              start = "-15G";
+              end = "-5G";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/persist";
+              };
+            };
+            tmp = {
+              start = "-5G";
+              end = "-4G";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/tmp";
+              };
+            };
+            swap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/hosts/nix-pizza/fail2ban.nix b/hosts/nix-pizza/fail2ban.nix
@@ -0,0 +1,8 @@
+{
+  services.fail2ban = {
+    enable = true;
+    maxretry = 10;
+  };
+
+  # TODO should we persist the fail2ban database?
+}
diff --git a/hosts/nix-pizza/hedgedoc.nix b/hosts/nix-pizza/hedgedoc.nix
@@ -0,0 +1,55 @@
+{ config, ... }:
+let
+  cfg = config.services.hedgedoc;
+in
+{
+  services.nginx = {
+    virtualHosts."${cfg.settings.domain}" = {
+      default = true;
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://${cfg.settings.host}:${builtins.toString cfg.settings.port}";
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ cfg.settings.db.database ];
+    ensureUsers = [
+      {
+        name = cfg.settings.db.username;
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  # Contains the environment variables for the GitHub OAuth2 app
+  # https://github.com/settings/applications/2562220
+  age.secrets.HEDGEDOC_ENVIRONMENT = {
+    file = ../../secrets/HEDGEDOC_ENVIRONMENT.age;
+    owner = "hedgedoc";
+    group = "hedgedoc";
+  };
+
+  services.hedgedoc = {
+    enable = true;
+    settings = {
+      domain = "margherita.nix.pizza";
+      host = "localhost";
+      port = 3000;
+      allowGravatar = true;
+      protocolUseSSL = true;
+      db = {
+        username = "hedgedoc";
+        database = "hedgedoc";
+        host = "/run/postgresql";
+        dialect = "postgresql";
+      };
+      uploadPath = "/var/lib/hedgehog/uploads";
+    };
+    environmentFile = config.age.secrets.HEDGEDOC_ENVIRONMENT.path;
+  };
+
+  environment.persistence."/persist".directories = [
+    cfg.settings.uploadPath
+  ];
+}
diff --git a/hosts/nix-pizza/nginx.nix b/hosts/nix-pizza/nginx.nix
@@ -0,0 +1,20 @@
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "[email protected]";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  environment.persistence."/persist".directories = [
+    "/var/lib/acme"
+  ];
+}