From 832471f37d1e5c438b652b10ff098744bbc4e793 Mon Sep 17 00:00:00 2001 From: soraefir Date: Sat, 20 Apr 2024 12:58:28 +0200 Subject: [PATCH] Wip Server --- flake.lock | 104 ++++++++++++++++++++++++++++ flake.nix | 3 + generator.nix | 1 + modules/server/default.nix | 13 +++- modules/server/docker/authentik.nix | 22 +++--- modules/server/docker/cloud.nix | 44 +++++++----- modules/shared/syscfg/default.nix | 7 ++ systems/sandbox/cfg.nix | 11 +++ systems/sandbox/default.nix | 2 +- 9 files changed, 174 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index 22aaa35..c1b573e 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,28 @@ { "nodes": { + "arion": { + "inputs": { + "flake-parts": "flake-parts", + "haskell-flake": "haskell-flake", + "hercules-ci-effects": "hercules-ci-effects", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712285456, + "narHash": "sha256-A4EBTlFfeosNaO8zpN7rlWTgF9AHy755NxKBvhJ1b0w=", + "owner": "hercules-ci", + "repo": "arion", + "rev": "1886d25075aaf24c8bc687b3d2a87ae1f5d154ec", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "arion", + "type": "github" + } + }, "base16-schemes": { "flake": false, "locked": { 
@@ -37,6 +60,48 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "arion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "arion", + "hercules-ci-effects", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709336216, + "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, "hardware": { "locked": { "lastModified": 1713521961, @@ -52,6 +117,44 @@ "type": "github" } }, + "haskell-flake": { + "locked": { + "lastModified": 1675296942, + "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=", + "owner": "srid", + "repo": "haskell-flake", + "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e", + "type": "github" + }, + "original": { + "owner": "srid", + "ref": "0.1.0", + "repo": "haskell-flake", + "type": "github" + } + }, + "hercules-ci-effects": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": [ + "arion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1710478346, + "narHash": "sha256-Xjf8BdnQG0tLhPMlqQdwCIjOp7Teox0DP3N/jjyiGM4=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "64e7763d72c1e4c1e5e6472640615b6ae2d40fbf", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -244,6 +347,7 @@ }, "root": { "inputs": { + "arion": "arion", "darwin": "darwin", "hardware": "hardware", "home-manager": "home-manager", 
diff --git a/flake.nix b/flake.nix
index 63b3116..9ded8b8 100755
--- a/flake.nix
+++ b/flake.nix
@@ -27,6 +27,9 @@
 };
 nix-colors.url = "github:misterio77/nix-colors";
+ arion.url = "github:hercules-ci/arion";
+ arion.inputs.nixpkgs.follows = "nixpkgs";
+
 };
 outputs = inputs:
diff --git a/generator.nix b/generator.nix
index ad786c9..8be5edc 100755
--- a/generator.nix
+++ b/generator.nix
@@ -12,6 +12,7 @@
 ./modules/nixos
 syscfg
 ./systems/${host}
+ inputs.arion.nixosModules.arion
 inputs.sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.home-manager
 {
diff --git a/modules/server/default.nix b/modules/server/default.nix
index 31f838d..5ef2989 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -1,4 +1,11 @@
-{ ... }:
-{
- # virtualisation.arion.projects.
+{ config,pkgs, ... }:
+let
+in {
+ virtualisation.arion = {
+ backend = "podman-socket";
+ projects = {
+ cloud.settings = import ./docker/cloud.nix {inherit config pkgs;};
+ authentik.settings = import ./docker/authentik.nix {inherit config pkgs;};
+ };
+ };
 }
diff --git a/modules/server/docker/authentik.nix b/modules/server/docker/authentik.nix
index 660bce2..64482e2 100644
--- a/modules/server/docker/authentik.nix
+++ b/modules/server/docker/authentik.nix
@@ -1,4 +1,6 @@
-{ pkgs, ... }: {
+{ config, pkgs, ... }:
+let serverCfg = config.syscfg.server;
+in {
 project.name = "Authentik";
 networks = {
@@ -40,8 +42,8 @@
 restart = "unless-stopped";
 networks = [ "internal" "external" ];
 volumes = [
- "${DATA_PATH}/authentik/media:/media"
- "${DATA_PATH}/authentik/templates:/templates"
+ "${serverCfg.dataPath}/authentik/media:/media"
+ "${serverCfg.dataPath}/authentik/templates:/templates"
 ];
 environment = {
 "AUTHENTIK_REDIS__HOST" = "auth_redis";
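Review bot: The new `backend = "podman-socket";` line in modules/server/default.nix selects a backend that needs a running podman with a docker-compatible socket, and nothing in this patch enables one; unless `virtualisation.podman.enable` and `virtualisation.podman.dockerSocket.enable` are already set elsewhere in the tree, both arion projects will fail to start. The arion documentation pairs this backend with exactly those two options, so either add them here or note in a comment where they live. Separately, the added `let` immediately followed by `in {` binds nothing and reads as a leftover; `{ config, pkgs, ... }: {` would express the same module.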
@@ -50,25 +52,25 @@
 "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
 "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
 "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
- "AUTHENTIK_EMAIL__HOST" = "${MAIL_SERVER_DOMAIN}";
+ "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
 "AUTHENTIK_EMAIL__PORT" = "587";
- "AUTHENTIK_EMAIL__USERNAME" = "noreply@${MAIL_HOST_DOMAIN}";
+ "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
 "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
 "AUTHENTIK_EMAIL__USE_TLS" = "true";
 "AUTHENTIK_EMAIL__USE_SSL" = "false";
 "AUTHENTIK_EMAIL__TIMEOUT" = "10";
- "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${MAIL_HOST_DOMAIN}";
+ "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
 };
 labels = {
 "traefik.enable" = "true";
 "traefik.http.routers.sso.entrypoints" = "web-secure";
- "traefik.http.routers.sso.rule" = "Host(`sso.${HOST_DOMAIN}`)";
+ "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
 "traefik.http.routers.sso.tls" = "true";
 "traefik.http.services.sso.loadbalancer.server.port" = "9000";
 "traefik.docker.network" = "external";
 };
 command = "server";
- service.ports = [
+ ports = [
 "9999:9000" # host:container
 ];
 };
@@ -79,8 +81,8 @@
 restart = "unless-stopped";
 networks = [ "internal" ];
 volumes = [
- "${DATA_PATH}/authentik/media:/media"
- "${DATA_PATH}/authentik/templates:/templates"
+ "${serverCfg.dataPath}/authentik/media:/media"
+ "${serverCfg.dataPath}/authentik/templates:/templates"
 "/var/run/docker.sock:/var/run/docker.sock"
 ];
 environment = {
diff --git a/modules/server/docker/cloud.nix b/modules/server/docker/cloud.nix
index c764a4f..742aa91 100644
--- a/modules/server/docker/cloud.nix
+++ b/modules/server/docker/cloud.nix
@@ -1,4 +1,6 @@
-{ pkgs, ... }: {
+{ config, pkgs, ... }:
+let serverCfg = config.syscfg.server;
+in {
 project.name = "Cloud";
 networks = {
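Review bot: The corrected `ports = [ "9999:9000" ]` now takes effect, which publishes authentik's plain-HTTP port 9000 on every host interface in addition to the TLS route traefik already provides for `sso.${serverCfg.hostDomain}` a few lines above. If the direct port is only for local debugging, bind it to loopback, `"127.0.0.1:9999:9000" # host:container`, or remove the mapping and let traefik be the only entry point. The server service definition starts before this hunk.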
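Review bot: The rewritten worker volume list keeps `"/var/run/docker.sock:/var/run/docker.sock"`, but this commit switches arion to `backend = "podman-socket"` in modules/server/default.nix; with podman the socket normally lives under `/run/podman/podman.sock` and only appears at `/var/run/docker.sock` when `virtualisation.podman.dockerSocket.enable` is set, so the mount path should be checked against that setup. Whichever path is right, mounting the runtime socket gives the worker control over every container on the host, i.e. host-level access; if the outpost integration that needs it is not in use, drop the line and say so in a comment. The worker service definition continues outside the hunk.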
@@ -17,16 +19,17 @@
 restart = "unless-stopped";
 networks = [ "external" ];
 volumes = [
- "${DATA_PATH}/data/nextcloud:/var/www/html"
- "${DATA_PATH}/data/music:/media/music"
- "${DATA_PATH}/data/video:/media/video"
- "${DATA_PATH}/data/photo:/media/photo"
+ "${serverCfg.configPath}/data/nextcloud:/var/www/html"
+ "${serverCfg.dataPath}/data/music:/media/music"
+ "${serverCfg.dataPath}/data/video:/media/video"
+ "${serverCfg.dataPath}/data/photo:/media/photo"
 ];
 tmpfs = [ "/tmp" ];
 labels = {
 "traefik.enable" = "true";
 "traefik.http.routers.nextcloud.entrypoints" = "web-secure";
- "traefik.http.routers.nextcloud.rule" = "Host(`cloud.${HOST_DOMAIN}`)";
+ "traefik.http.routers.nextcloud.rule" =
+ "Host(`cloud.${serverCfg.hostDomain}`)";
 "traefik.http.routers.nextcloud.tls" = "true";
 "traefik.http.routers.nextcloud.middlewares" = "sts_headers,nextcloud-caldav";
@@ -52,9 +55,9 @@
 environment = {
 username = "COLLABORA_USER";
 password = "COLLABORA_PASSWORD";
- aliasgroup1 = "https://cloud.${HOST_DOMAIN}";
- server_name = "office.${HOST_DOMAIN}";
- VIRTUAL_HOST = "office.${HOST_DOMAIN}";
+ aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
+ server_name = "office.${serverCfg.hostDomain}";
+ VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
 VIRTUAL_PORT = "9980";
 VIRTUAL_PROTO = "http";
 DONT_GEN_SSL_CERT = "true";
@@ -66,7 +69,8 @@
 labels = {
 "traefik.enable" = "true";
 "traefik.http.routers.collabora.entrypoints" = "web-secure";
- "traefik.http.routers.collabora.rule" = "Host(`office.${HOST_DOMAIN}`)";
+ "traefik.http.routers.collabora.rule" =
+ "Host(`office.${serverCfg.hostDomain}`)";
 "traefik.http.routers.collabora.tls" = "true";
 };
 };
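Review bot: The first rewritten volume line moves the nextcloud html tree onto `serverCfg.configPath` while its three siblings and every other service in this file use `serverCfg.dataPath`, and the old form used one `DATA_PATH` for all four; with the sandbox values this yields `/home/media/config/data/nextcloud`, which looks like a slip rather than an intended split. If the split is deliberate, a one-line comment above the mount (`# html tree lives under configPath, user data under dataPath`) would stop the next reader reverting it. The nextcloud service definition starts and ends outside the hunk.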
@@ -77,15 +81,15 @@
 restart = "unless-stopped";
 networks = [ "external" ];
 volumes = [
- "${DATA_PATH}/ether/etherpad/data:/opt/etherpad-lite/var"
- "/${DATA_PATH}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
+ "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
+ "/${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
 ];
 environment = {
 NODE_ENV = "production";
 TITLE = "Helcel-Pad";
 DB_TYPE = "mysql";
- DB_HOST = DB_HOST;
- DB_PORT = DB_PORT;
+ DB_HOST = serverCfg.dbHost;
+ DB_PORT = serverCfg.dbPort;
 DB_NAME = "etherpad";
 DB_USER = "ETHERPAD_DB_USER";
 DB_PASS = "ETHERPAD_DB_PASSWORD";
@@ -99,7 +103,8 @@
 labels = {
 "traefik.enable" = "true";
 "traefik.http.routers.etherpad.entrypoints" = "web-secure";
- "traefik.http.routers.etherpad.rule" = "Host(`pad.${HOST_DOMAIN}`)";
+ "traefik.http.routers.etherpad.rule" =
+ "Host(`pad.${serverCfg.hostDomain}`)";
 "traefik.http.routers.etherpad.tls" = "true";
 };
 };
@@ -110,8 +115,8 @@
 restart = "unless-stopped";
 networks = [ "external" "internal" ];
 volumes = [
- "${DATA_PATH}/ether/etherpad/data:/opt/etherpad-lite/var"
- "/${DATA_PATH}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
+ "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
+ "/${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
 ];
 environment = {
 NODE_ENV = "production";
@@ -124,7 +129,8 @@
 labels = {
 "traefik.enable" = "true";
 "traefik.http.routers.ethercalc.entrypoints" = "web-secure";
- "traefik.http.routers.ethercalc.rule" = "Host(`calc.${HOST_DOMAIN}`)";
+ "traefik.http.routers.ethercalc.rule" =
+ "Host(`calc.${serverCfg.hostDomain}`)";
 "traefik.http.routers.ethercalc.tls" = "true";
 };
 };
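Review bot: The rewritten APIKEY.txt mount in this hunk and again in `@@ -110,8 +115,8 @@` keeps a leading `/` in front of `${serverCfg.dataPath}`; with the sandbox value `/home/media/data` the host path becomes `//home/media/data/ether/etherpad/APIKEY.txt`, a prefix carried over from the old `DATA_PATH` form that the sibling `data` mount does not have, so drop it: `"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"`. The `@@ -110,8` hunk also appears to belong to the ethercalc service (its labels route `calc.`), yet it mounts etherpad's data directory and API key into that container; if that is a copy-paste remnant, the second container is handed etherpad's API key for no reason and the two lines should point at an ethercalc path or be removed. Both service definitions continue outside the hunks.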
@@ -134,7 +140,7 @@
 container_name = "ethercalc-redis";
 restart = "unless-stopped";
 networks = [ "internal" ];
- volumes = [ "${DATA_PATH}/ether/ethercalc/redis:/data" ];
+ volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
 environment = { };
 labels = { "traefik.enable" = "false"; };
 };
diff --git a/modules/shared/syscfg/default.nix b/modules/shared/syscfg/default.nix
index f0eefed..f13779b 100644
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -113,5 +113,12 @@ in with lib; {
 type = types.listOf (types.submodule { options = userOpt; });
 default = [ ];
 };
+ server = mkOption {
+ type = types.oneOf [
+ (types.attrs)
+ (types.submodule { options = serverOpt; })
+ ];
+ default = { };
+ };
 };
 }
diff --git a/systems/sandbox/cfg.nix b/systems/sandbox/cfg.nix
index 880bb31..158d61a 100644
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -25,5 +25,16 @@
 wlp = { enable = false; };
 wg = { enable = false; };
 };
+ server = {
+ hostDomain = "test.helcel.net";
+ mailDomain = "mail.helcel.net";
+ mailServer = "mail.helcel.net";
+
+ dbHost = "localhost";
+ dbPort = "3306";
+
+ configPath = "/home/media/config";
+ dataPath = "/home/media/data";
+ };
 };
 }
diff --git a/systems/sandbox/default.nix b/systems/sandbox/default.nix
index d39988c..abf89c8 100644
--- a/systems/sandbox/default.nix
+++ b/systems/sandbox/default.nix
@@ -1,5 +1,5 @@
 { config, inputs, ... }: {
- imports = [ ./hardware.nix ];
+ imports = [ ./hardware.nix ../../modules/server ];
 services.openssh.enable = true;
 users.users.root.openssh.authorizedKeys.keys = [
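Review bot: The new `server` option's `types.oneOf [ (types.attrs) (types.submodule { options = serverOpt; }) ]` tries the alternatives in order, and `types.attrs` accepts any attribute set, so the submodule branch is never reached and `serverOpt` never validates anything: a misspelled or unknown key passes silently (the `mailServer` value added in systems/sandbox/cfg.nix is read by nothing in this patch), and a missing `hostDomain` or `dataPath` only surfaces later as an evaluation error inside one of the docker files. Declare the submodule alone, `type = types.submodule { options = serverOpt; };`, and give every key the docker files read (`hostDomain`, `mailDomain`, `dbHost`, `dbPort`, `configPath`, `dataPath`) an entry in `serverOpt`. `serverOpt` itself is not visible in this hunk; confirm it is bound in the file's `let` block, since otherwise the module fails to evaluate.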