diff --git a/flake.lock b/flake.lock index 4b6dee4..a99510a 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,48 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -42,7 +85,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1710146030, @@ -59,6 +102,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" 
@@ -95,6 +159,22 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1723175592, "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=", @@ -110,7 +190,7 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1718428119, "narHash": "sha256-WdWDpNaq6u1IPtxtYHHWpl5BmabtpmLnMAx0RdJ/vo8=", @@ -150,17 +230,18 @@ }, "root": { "inputs": { + "agenix": "agenix", "disko": "disko", "flake-parts": "flake-parts", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "rofi-obsidian": "rofi-obsidian" } }, "rust-overlay": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1720318855, @@ -190,6 +271,21 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index b8be9c6..62698b5 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,9 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -19,6 +21,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + agenix.url = "github:ryantm/agenix"; + rofi-obsidian = { url = "github:nydragon/rofi-obsidian"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/default.nix b/hosts/default.nix index 4fd93a6..ddd05ec 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -23,7 +23,10 @@ in raptus = lib.my.mkSystem { hostname = "raptus"; system = "x86_64-linux"; - extraModules = [ inputs.disko.nixosModules.disko ]; + extraModules = [ + inputs.disko.nixosModules.disko + inputs.agenix.nixosModules.default + ]; }; }; } diff --git a/hosts/raptus/configuration.nix b/hosts/raptus/configuration.nix index 3946863..d64cd45 100644 --- a/hosts/raptus/configuration.nix +++ b/hosts/raptus/configuration.nix @@ -13,6 +13,8 @@ ../../modules/nix ]; + age.secrets.couchdb.file = ../../secrets/couchdb.age; + device.type = { vm.enable = true; server.enable = true; @@ -25,7 +27,11 @@ networking.firewall = lib.mkForce { enable = true; - allowedTCPPorts = [ 80 ]; + allowedTCPPorts = [ + 80 + 22 + 5984 # couchdb + ]; }; services.nginx = { @@ -33,12 +39,10 @@ recommendedProxySettings = true; recommendedTlsSettings = true; virtualHosts."rusty.ccnlc.eu" = { - #enableACME = true; - #forceSSL = true; + # TODO: Enable https locations."/" = { proxyPass = "http://127.0.0.1:8000"; - proxyWebsockets = true; # needed if you need to use WebSocket extraConfig = '' proxy_ssl_server_name on; proxy_pass_header Authorization;''; diff --git a/hosts/raptus/disk-config.nix b/hosts/raptus/disk-config.nix index d70096a..3fb5b5c 100644 --- a/hosts/raptus/disk-config.nix +++ b/hosts/raptus/disk-config.nix @@ -32,7 +32,6 @@ mountOptions = [ "defaults" ]; }; }; - }; }; }; diff --git a/hosts/raptus/docker-compose.nix b/hosts/raptus/docker-compose.nix index 26e9df4..0c6b063 100644 --- a/hosts/raptus/docker-compose.nix +++ b/hosts/raptus/docker-compose.nix 
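Review bot: The new `agenix.url = "github:ryantm/agenix";` input has no `inputs.nixpkgs.follows`, unlike `home-manager` and `rofi-obsidian` in the same file, so the lock now carries agenix's own `nixpkgs` pin (rev 54aac082, lastModified 1703013332) plus its own `home-manager` and `darwin` inputs. That is a second, older nixpkgs tree to audit, and if the `agenix` CLI is ever taken from `inputs.agenix.packages` it is the tree that package builds against. Declare it like the other inputs: `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; inputs.home-manager.follows = "home-manager"; };` (and `inputs.darwin.follows = "";` to drop nix-darwin from a Linux-only flake), then re-lock.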
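Review bot: `allowedTCPPorts` now opens 5984 on every interface, which exposes CouchDB's HTTP API and its basic-auth/`_session` admin credentials in plaintext, while the rest of this host is deliberately fronted by nginx on port 80. If the only consumer is the Obsidian LiveSync client, keep 5984 out of the firewall and reach CouchDB through an nginx `virtualHosts` location (ideally the HTTPS one) instead, with the container publish bound to loopback. Note also that if the OCI backend is Docker, published ports are reachable through Docker's own iptables chain regardless of `networking.firewall`, so this list is not what gates the port — verify on the host. Port 22 presumably has to be listed because `lib.mkForce` on the whole set overrides the entry the openssh module would otherwise add; a short comment saying so would stop someone "cleaning it up".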
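Review bot: Replacing the commented `enableACME`/`forceSSL` lines with `# TODO: Enable https` leaves `rusty.ccnlc.eu` served over plaintext HTTP while the location still sets `proxy_pass_header Authorization`, so any rustypaste auth token a client sends crosses the network in the clear, and `recommendedTlsSettings = true` has nothing to apply to. Unless there is a reason ACME cannot issue for this name yet, re-enable the two lines, `enableACME = true;` and `forceSSL = true;` (with `security.acme.acceptTerms`/`defaults.email` set elsewhere if they are not already). The `proxyWebsockets = true` removal is behavioural rather than security, but its explanatory comment went with it, so a one-line note on why it was dropped would help the next reader.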
@@ -1,5 +1,10 @@ # Auto-generated using compose2nix v0.2.2-pre. -{ pkgs, lib, ... }: +{ + pkgs, + lib, + config, + ... +}: { # Runtime @@ -17,12 +22,9 @@ # Containers virtualisation.oci-containers.containers."obsidian-livesync" = { image = "couchdb"; - environment = { - "COUCHDB_PASSWORD" = ""; - "COUCHDB_USER" = ""; - }; + environmentFiles = [ config.age.secrets.couchdb.path ]; volumes = [ - "${./local.ini}:/opt/couchdb/etc/local.ini:ro" + "${./local.ini}:/opt/couchdb/etc/local.ini:rw" "test_dbdata:/opt/couchdb/data:rw" ]; ports = [ "5984:5984/tcp" ]; diff --git a/hosts/raptus/docker-compose.yml b/hosts/raptus/docker-compose.yml new file mode 100644 index 0000000..8d2bb07 --- /dev/null +++ b/hosts/raptus/docker-compose.yml @@ -0,0 +1,28 @@ +services: + couchserver: + image: couchdb + container_name: obsidian-livesync + restart: always + ports: + - 5984:5984 + environment: + - COUCHDB_USER=USERNAME + - COUCHDB_PASSWORD=PASSWORD + volumes: + - dbdata:/opt/couchdb/data + - ./local.ini:/opt/couchdb/etc/local.ini + rustypaste: + image: orhunp/rustypaste:${IMAGE_TAG:-latest} + build: . + container_name: rustypaste + restart: always + environment: + - RUST_LOG=debug + ports: + - "8000:8000" + volumes: + - rustypaste-data:/app/upload + - ./rusty.toml:/app/config.toml +volumes: + dbdata: + rustypaste-data: diff --git a/hosts/raptus/rusty.toml b/hosts/raptus/rusty.toml index fe93d3b..545d135 100644 --- a/hosts/raptus/rusty.toml +++ b/hosts/raptus/rusty.toml @@ -3,9 +3,9 @@ refresh_rate = "1s" [server] address = "127.0.0.1:8000" -url = "https://vps.ccnlc.eu" -#workers=4 -max_content_length = "10MB" +url = "http://rusty.ccnlc.eu" +workers = 4 +max_content_length = "50MB" upload_path = "./upload" timeout = "30s" expose_version = false @@ -65,6 +65,6 @@ mime_blacklist = [ "application/java-archive", "application/java-vm", ] -duplicate_files = true -# default_expiry = "1h" +duplicate_files = false +default_expiry = "1h" delete_expired_files = { enabled = true, interval = "1h" } 
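Review bot: `ports = [ "5984:5984/tcp" ]` still publishes CouchDB on all host interfaces; with the admin credentials now coming from `environmentFiles`, that is the admin login reachable over plaintext from wherever the firewall lets through. If clients are meant to go via nginx, bind loopback: `ports = [ "127.0.0.1:5984:5984/tcp" ];`. Two caveats on the secret path: environment-file contents end up in the container's stored config (on a Docker backend `docker inspect` shows them to anyone in the docker group), and the decrypted file must be in `KEY=VALUE` form with both `COUCHDB_USER` and `COUCHDB_PASSWORD`, since the image's entrypoint only creates the admin when both are present. The `:ro` → `:rw` flip on `${./local.ini}` mounts a Nix store path, which NixOS normally keeps read-only anyway, so if CouchDB needs to write hashed `[admins]` entries there, copy the file to a writable location instead of changing the flag.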
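Review bot: The added compose file carries `COUCHDB_USER=USERNAME` / `COUCHDB_PASSWORD=PASSWORD` placeholders and publishes `5984:5984`, so anyone who runs it directly rather than through the compose2nix output gets a CouchDB admin with guessable credentials on every interface; it also diverges from `docker-compose.nix`, which now sources them from the agenix secret. Either point it at the same secret (`env_file: - /run/agenix/couchdb`, the default agenix path) and drop the `environment:` block, or add a header comment stating it is only the compose2nix input and is not meant to be started. `RUST_LOG=debug` on rustypaste is a production footgun (request-level logging); `info` is the safer default. `build: .` next to a pinned `image:` is contradictory too, as no Dockerfile appears in this directory in the diff.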
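Review bot: `url = "http://rusty.ccnlc.eu"` bakes a plaintext scheme into every link rustypaste hands out, replacing the previous `https://vps.ccnlc.eu`; if the host is later put behind TLS (the nginx TODO) these links stay http, and any `auth_tokens` configured elsewhere in this file travel in the clear until then. Tie the scheme change to the nginx HTTPS change rather than hard-coding http now. Separately, `max_content_length = "50MB"` is not reachable through the nginx proxy unless `client_max_body_size` is raised there (nginx's default is 1m), so either add it to the virtual host or keep the two limits in step.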
diff --git a/secrets/couchdb.age b/secrets/couchdb.age new file mode 100644 index 0000000..265d067 --- /dev/null +++ b/secrets/couchdb.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 JjL30A 1/KAH0fjeZMgw4Dk/bC+CEf2NDQKdtfjSWxictQp5HI +6JHuy5vMZ6+v8G3PWfIEb3swCR59Tk0bDKKWya61LmM +-> ssh-ed25519 nueAfA MnaKgyOTgK1mPfjeZ4eb4MFj1zuOPDJhgzmCn5GaG3Y +Qh/hMUMNiCsgSiG7yisCnGixuWEvcK9X0OKhuzonIj8 +-> ssh-ed25519 WcjW5A J4391GLRJBvK2j6K7uuFOlQSAvohDSGJCKff3yTwkGY +spDoDXT5elna781WJK+fynbSHaXsQacX+ED5Q1KDrfA +--- ZM3EXe2MWKhl9NfO0r8vKaC0dfCE75GB03+s9RkQye4 +f4Ø,EWYYòG£ÜUÛ³«Í˜¨úÌ1Gnó³háQÉ^v TïDŒÉò†²Ÿ^X¹šc+Úÿ +QdÒ† EÚ»n«ýèªN”\ÒΑiôÀFÓGþ]çrÞE*éš¡‡—qølç¾ËMÿgÉü’£•:¿«ŒŠ¥È¯ÏpÛìà|ƒ6D=Ÿ<ñ5,rÐr½×ö:wÞG–µÀ KÈpY]mhå?ŽD ˜sTÞ2 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..1bc7a24 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,16 @@ +let + userBrontes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw"; + + userMarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwlScEmVbdc0EH93XLX+K8yP5FKUKzMf/bWTSO+rMiO"; + + users = [ + userMarr + userBrontes + ]; + + raptus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErbhkpCL0DuJQTxeTqxtrGvELCQFkyZmhTZ8fagszOU"; + systems = [ raptus ]; +in +{ + "couchdb.age".publicKeys = [ raptus ] ++ users; +}
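Review bot: `systems = [ raptus ]` is defined and then ignored — the rule writes `[ raptus ] ++ users` directly — so the list is dead and the two will drift when another host is added; use `"couchdb.age".publicKeys = systems ++ users;`. Operationally, `raptus` is presumably the host's SSH host public key, and since this host is provisioned with disko a reinstall regenerates that key, after which `couchdb.age` must be rekeyed (`agenix -r`) before it can be decrypted at boot; a comment such as `# host key of raptus (ssh_host_ed25519_key.pub) — rekey after reinstall` (confirm the source) would make that maintenance obvious. Every listed user key can decrypt the production CouchDB admin credentials, which is fine if both users are intended operators but worth stating next to `users`.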