nydragon/nix-da
1
Fork 0
Code Issues Pull requests Activity Actions 1

feat: enable rustypaste https

Browse source
This commit is contained in:
Nydragon 2024-08-22 23:47:31 +02:00
parent 704d326400
commit a034aad6d5
Signed by: nydragon
SSH key fingerprint: SHA256:iQnIC12spf4QjWSbarmkD2No1cLMlu6TWoV7K6cYF5g
17 changed files with 210 additions and 244 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
home/scripts/default.nix
View file

@ -60,7 +60,7 @@ in
rpaste = pkgs.writers.writeBashBin "rpaste" ''
export $(cat ${config.age.secrets.rustypaste.path} | xargs)
curl -F "file=@$1" -H "Authorization: $AUTH_TOKEN" http://rusty.ccnlc.eu/
curl -F "file=@$1" -H "Authorization: $AUTH_TOKEN" https://rusty.ccnlc.eu/
'';
gentest = nixos-rebuild "gentest" "test";

1
hosts/brontes/home.nix
View file

@ -74,6 +74,7 @@
scripts.nixedit
scripts.set-background
scripts.fishl
scripts.nrun
scripts.rpaste
scripts.genswitch
scripts.gentest

2
hosts/default.nix
View file

@ -7,11 +7,13 @@ in
marr = lib.my.mkSystem {
hostname = "marr";
system = "x86_64-linux";
extraModules = [ inputs.agenix.nixosModules.default ];
};
brontes = lib.my.mkSystem {
hostname = "brontes";
system = "x86_64-linux";
extraModules = [ inputs.agenix.nixosModules.default ];
};
styrak = lib.my.mkSystem {

2
hosts/marr/configuration.nix
View file

@ -47,6 +47,8 @@
};
};
age.identityPaths = [ "/home/nico/.ssh/id_ed25519" ];
programs = {
dconf.enable = true;
steam.enable = true;

1
hosts/marr/home.nix
View file

@ -75,6 +75,7 @@
scripts.nixedit
scripts.set-background
scripts.rpaste
scripts.nrun
scripts.genswitch
scripts.gentest
];

46
hosts/raptus/configuration.nix
View file

@ -4,15 +4,26 @@
pkgs,
...
}:
let
sshAccess = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw" # brontes
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwlScEmVbdc0EH93XLX+K8yP5FKUKzMf/bWTSO+rMiO" # marr
];
in
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
./disk-config.nix
./docker-compose.nix
./container-root.nix
./rustypaste
./obsidian-livesync
../../modules/nix
];
age.secrets.couchdb.file = ../../secrets/couchdb.age;
age.secrets = {
couchdb.file = ../../secrets/couchdb.age;
rustypaste.file = ../../secrets/rustypaste.age;
};
device.type = {
vm.enable = true;
@ -27,18 +38,40 @@
networking.firewall = lib.mkForce {
enable = true;
allowedTCPPorts = [
80
22
443
5984 # couchdb
];
};
# User account to run remote builds
users.users.remote-build = {
isSystemUser = true;
hashedPassword = ""; # Only allow login via ssh
openssh.authorizedKeys.keys = sshAccess;
shell = pkgs.bash;
group = "remote-build";
extraGroups = [ "wheel" ];
};
security.sudo.wheelNeedsPassword = false;
users.groups.remote-build = { };
# Ensure the user can build derivations
nix.settings.trusted-users = [ "remote-build" ];
security.acme.defaults.email = "admin@ccnlc.eu";
security.acme.acceptTerms = true;
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "50M";
virtualHosts."rusty.ccnlc.eu" = {
# TODO: Enable https
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
@ -56,10 +89,7 @@
pkgs.gitMinimal
];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw" # brontes
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwlScEmVbdc0EH93XLX+K8yP5FKUKzMf/bWTSO+rMiO" # marr
];
users.users.root.openssh.authorizedKeys.keys = sshAccess;
system.stateVersion = "24.11";
}

40
hosts/raptus/container-root.nix Normal file
View file

@ -0,0 +1,40 @@
{ pkgs, ... }:
{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};
virtualisation.oci-containers.backend = "podman";
# Networks
systemd.services."podman-network-test_default" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "podman network rm -f test_default";
};
script = ''
podman network inspect test_default || podman network create test_default
'';
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."podman-compose-test-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
wantedBy = [ "multi-user.target" ];
};
}

136
hosts/raptus/docker-compose.nix
View file

@ -1,136 +0,0 @@
# Auto-generated using compose2nix v0.2.2-pre.
{
pkgs,
lib,
config,
...
}:
{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};
virtualisation.oci-containers.backend = "podman";
# Containers
virtualisation.oci-containers.containers."obsidian-livesync" = {
image = "couchdb";
environmentFiles = [ config.age.secrets.couchdb.path ];
volumes = [
"${./local.ini}:/opt/couchdb/etc/local.ini:rw"
"test_dbdata:/opt/couchdb/data:rw"
];
ports = [ "5984:5984/tcp" ];
log-driver = "journald";
extraOptions = [
"--network-alias=couchserver"
"--network=test_default"
];
};
systemd.services."podman-obsidian-livesync" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-test_default.service"
"podman-volume-test_dbdata.service"
];
requires = [
"podman-network-test_default.service"
"podman-volume-test_dbdata.service"
];
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
virtualisation.oci-containers.containers."rustypaste" = {
image = "orhunp/rustypaste:latest";
environment = {
"RUST_LOG" = "debug";
};
volumes = [
"${
(pkgs.formats.toml { }).generate "conf" (import ./rustypaste.nix { inherit config; })
}:/app/config.toml:ro"
"test_rustypaste-data:/app/upload:rw"
];
ports = [ "8000:8000/tcp" ];
log-driver = "journald";
extraOptions = [
"--network-alias=rustypaste"
"--network=test_default"
];
};
systemd.services."podman-rustypaste" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-test_default.service"
"podman-volume-test_rustypaste-data.service"
];
requires = [
"podman-network-test_default.service"
"podman-volume-test_rustypaste-data.service"
];
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
# Networks
systemd.services."podman-network-test_default" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "podman network rm -f test_default";
};
script = ''
podman network inspect test_default || podman network create test_default
'';
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
# Volumes
systemd.services."podman-volume-test_dbdata" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
podman volume inspect test_dbdata || podman volume create test_dbdata
'';
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
systemd.services."podman-volume-test_rustypaste-data" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
podman volume inspect test_rustypaste-data || podman volume create test_rustypaste-data
'';
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."podman-compose-test-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
wantedBy = [ "multi-user.target" ];
};
}

28
hosts/raptus/docker-compose.yml
View file

@ -1,28 +0,0 @@
services:
couchserver:
image: couchdb
container_name: obsidian-livesync
restart: always
ports:
- 5984:5984
environment:
- COUCHDB_USER=USERNAME
- COUCHDB_PASSWORD=PASSWORD
volumes:
- dbdata:/opt/couchdb/data
- ./local.ini:/opt/couchdb/etc/local.ini
rustypaste:
image: orhunp/rustypaste:${IMAGE_TAG:-latest}
build: .
container_name: rustypaste
restart: always
environment:
- RUST_LOG=debug
ports:
- "8000:8000"
volumes:
- rustypaste-data:/app/upload
- ./rusty.toml:/app/config.toml
volumes:
dbdata:
rustypaste-data:

52
hosts/raptus/obsidian-livesync/default.nix Normal file
View file

@ -0,0 +1,52 @@
{
config,
lib,
pkgs,
...
}:
{
virtualisation.oci-containers.containers."obsidian-livesync" = {
image = "couchdb";
environmentFiles = [ config.age.secrets.couchdb.path ];
volumes = [
"${./local.ini}:/opt/couchdb/etc/local.ini:rw"
"test_dbdata:/opt/couchdb/data:rw"
];
ports = [ "5984:5984/tcp" ];
log-driver = "journald";
extraOptions = [
"--network-alias=couchserver"
"--network=test_default"
];
};
systemd.services."podman-obsidian-livesync" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-test_default.service"
"podman-volume-test_dbdata.service"
];
requires = [
"podman-network-test_default.service"
"podman-volume-test_dbdata.service"
];
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
# Volumes
systemd.services."podman-volume-test_dbdata" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
podman volume inspect test_dbdata || podman volume create test_dbdata
'';
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
}

0
hosts/raptus/local.ini → hosts/raptus/obsidian-livesync/local.ini
View file

67
hosts/raptus/rusty.toml
View file

@ -1,67 +0,0 @@
[config]
refresh_rate = "1s"
[server]
address = "127.0.0.1:8000"
url = "http://rusty.ccnlc.eu"
workers = 4
max_content_length = "50MB"
upload_path = "./upload"
timeout = "30s"
expose_version = false
expose_list = false
auth_tokens = ["super_secret_token1", "super_secret_token2"]
#delete_tokens = [
# "super_secret_token1",
# "super_secret_token3",
#]
handle_spaces = "replace" # or "encode"
[landing_page]
text = """
Submit files via HTTP POST here:
curl -F 'file=@example.txt' <server>
This will return the URL of the uploaded file.
The server administrator might remove any pastes that they do not personally
want to host.
If you are the server administrator and want to change this page, just go
into your config file and change it! If you change the expiry time, it is
recommended that you do.
By default, pastes expire every hour. The server admin may or may not have
changed this.
Check out the GitHub repository at https://github.com/orhun/rustypaste
Command line tool is available at https://github.com/orhun/rustypaste-cli
"""
#file = "index.txt"
content_type = "text/plain; charset=utf-8"
[paste]
random_url = { type = "petname", words = 2, separator = "-" }
#random_url = { type = "alphanumeric", length = 8 }
#random_url = { type = "alphanumeric", length = 6, suffix_mode = true }
default_extension = "txt"
mime_override = [
{ mime = "image/jpeg", regex = "^.*\\.jpg$" },
{ mime = "image/png", regex = "^.*\\.png$" },
{ mime = "image/svg+xml", regex = "^.*\\.svg$" },
{ mime = "video/webm", regex = "^.*\\.webm$" },
{ mime = "video/x-matroska", regex = "^.*\\.mkv$" },
{ mime = "application/octet-stream", regex = "^.*\\.bin$" },
{ mime = "text/plain", regex = "^.*\\.(log|txt|diff|sh|rs|toml)$" },
]
mime_blacklist = [
"application/x-dosexec",
"application/java-archive",
"application/java-vm",
]
duplicate_files = false
default_expiry = "1h"
delete_expired_files = { enabled = true, interval = "1h" }

3
hosts/raptus/rustypaste.nix → hosts/raptus/rustypaste/conf.nix
View file

@ -1,11 +1,10 @@
{ config, ... }:
{
config = {
refresh_rate = "1s";
};
server = {
address = "127.0.0.1:8000";
url = "http://rusty.ccnlc.eu";
url = "https://rusty.ccnlc.eu";
workers = 4;
max_content_length = "50MB";
upload_path = "./upload";

53
hosts/raptus/rustypaste/default.nix Normal file
View file

@ -0,0 +1,53 @@
{
pkgs,
config,
lib,
...
}:
{
virtualisation.oci-containers.containers."rustypaste" = {
image = "orhunp/rustypaste:latest";
environment = {
"RUST_LOG" = "debug";
};
environmentFiles = [ config.age.secrets.rustypaste.path ];
volumes = [
"${(pkgs.formats.toml { }).generate "conf" (import ./conf.nix)}:/app/config.toml:ro"
"test_rustypaste-data:/app/upload:rw"
];
ports = [ "8000:8000/tcp" ];
log-driver = "journald";
extraOptions = [
"--network-alias=rustypaste"
"--network=test_default"
];
};
systemd.services."podman-rustypaste" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-test_default.service"
"podman-volume-test_rustypaste-data.service"
];
requires = [
"podman-network-test_default.service"
"podman-volume-test_rustypaste-data.service"
];
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
systemd.services."podman-volume-test_rustypaste-data" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
podman volume inspect test_rustypaste-data || podman volume create test_rustypaste-data
'';
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
}

1
modules/default.nix
View file

@ -18,5 +18,6 @@
./env.nix
./system/printing.nix
./system/audio.nix
./secrets.nix
];
}

6
modules/secrets.nix Normal file
View file

@ -0,0 +1,6 @@
{
age.secrets.rustypaste = {
file = ../secrets/rustypaste.age;
owner = "nico";
};
}

14
options/default.nix
View file

@ -1,15 +1,25 @@
{ lib, ... }:
let
inherit (lib.types) bool array string;
in
{
options = {
device = {
pubKeys = lib.mkOption {
type = array string;
default = [ ];
};
type = {
gaming.enable = lib.mkEnableOption {
type = lib.types.bool;
type = bool;
default = false;
};
graphical.enable = lib.mkEnableOption {
type = lib.types.bool;
type = bool;
default = false;
};