From 3c17c0ad6a7c8ecd560b8de7e794c9f9d5cf8468 Mon Sep 17 00:00:00 2001
From: quitte
Date: Wed, 27 Sep 2023 15:08:12 +0200
Subject: [PATCH] course-phil: on-metal fixes

---
 flake.nix | 2 +
 modules/courses-phil.nix | 125 ++++++++++++++++++++++++++-------------
 test.sh | 2 +
 3 files changed, 87 insertions(+), 42 deletions(-)
 create mode 100644 test.sh

diff --git a/flake.nix b/flake.nix
index b906f62..10cbe22 100755
--- a/flake.nix
+++ b/flake.nix
@@ -22,6 +22,7 @@
 nixosConfigurations = {
 quitte = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = inputs;
 modules = [
 inputs.sops-nix.nixosModules.sops
 inputs.kpp.nixosModules.default
@@ -53,6 +54,7 @@
 ./modules/website.nix
 ./modules/zsh.nix
 ./modules/course-management.nix
+ ./modules/courses-phil.nix
 ./modules/gitea.nix
 {
 sops.defaultSopsFile = ./secrets/quitte.yaml;
diff --git a/modules/courses-phil.nix b/modules/courses-phil.nix
index de2ae6d..3dc0058 100644
--- a/modules/courses-phil.nix
+++ b/modules/courses-phil.nix
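Review bot: `specialArgs = inputs;` hands every flake input to every module as a function argument, so the names the new module relies on (`sops-nix`, `course-management`, judging by the courses-phil.nix hunk in this patch) become an implicit contract with the flake's input names rather than an explicit one. Passing only what is needed, `specialArgs = { inherit (inputs) sops-nix course-management; };`, documents that contract at the one place it is defined and keeps unrelated inputs (including `self`) out of the module argument namespace. The second flake.nix hunk, the module list entry, is fine as is.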
@@ -1,54 +1,95 @@ -{ config, lib, ... }: +{ config, lib, sops-nix, course-management, ... }: let hostName = "phil.${config.networking.domain}"; in { + services.nginx.virtualHosts."${hostName}" = { + locations."/".proxyPass = "http://127.0.0.1:8084"; + enableACME = true; + forceSSL = true; + }; - containers."courses-phil".config = { - sops.defaultSopsFile = ../secrets/quitte.yaml; - sops.secrets = - let inherit (config.services.course-management) user; - in - { - "course-management/secret-key".owner = user; - "course-management/adminpass".owner = user; + containers."courses-phil" = { + autoStart = true; + # forbidden sadly, I will copy the keys manually. Not very beautiful but it works + # bindMounts = { + # hostPath = "/etc/ssh"; + # mountPoint = "/etc/ssh"; + # }; + config = { pkgs, config, ... }: { + networking.domain = "ifsr.de"; + imports = [ + sops-nix.nixosModules.sops + course-management.nixosModules.default + ]; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.age.generateKey = false; + sops.defaultSopsFile = ../secrets/quitte.yaml; + sops.secrets = + let inherit (config.services.course-management) user; + in + { + "course-management-phil/secret-key".owner = user; + "course-management-phil/adminpass".owner = user; + }; + systemd.services.course-management.after = [ "postgresql.service" ]; + services.course-management = { + inherit hostName; + enable = true; + listenPort = 5001; + + settings = { + secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path; + adminPassFile = config.sops.secrets."course-management-phil/adminpass".path; + admins = [{ + name = "Root iFSR"; + email = "root@${config.networking.domain}"; + }]; + database = { + ENGINE = "django.db.backends.postgresql"; + NAME = "course-management"; + }; + email = lib.mkDefault { + fromEmail = "noreply@${config.networking.domain}"; + serverEmail = "root@${config.networking.domain}"; + }; + }; }; - systemd.services.course-management.after = [ "postgresql.service" 
]; - services.course-management = { - inherit hostName; - enable = true; - - settings = { - secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path; - adminPassFile = config.sops.secrets."course-management-phil/adminpass".path; - admins = [{ - name = "Root iFSR"; + security.acme = { + acceptTerms = true; + defaults = { email = "root@${config.networking.domain}"; - }]; - database = { - ENGINE = "django.db.backends.postgresql"; - NAME = "course-management"; - }; - email = lib.mkDefault { - fromEmail = "noreply@${config.networking.domain}"; - serverEmail = "root@${config.networking.domain}"; }; }; - }; - services.postgresql = { - enable = true; - ensureUsers = [{ - name = "course-management"; - ensurePermissions = { - "DATABASE \"course-management\"" = "ALL PRIVILEGES"; - }; - }]; - ensureDatabases = [ "course-management" ]; - }; - services.nginx.virtualHosts.${hostName} = { - enableACME = true; - forceSSL = true; - }; + services.postgresql = { + enable = true; + enableTCPIP = lib.mkForce false; + # port = 55555; + ensureUsers = [{ + name = "course-management"; + ensurePermissions = { + "DATABASE \"course-management\"" = "ALL PRIVILEGES"; + }; + }]; + ensureDatabases = [ "course-management" ]; + }; + systemd.services.postgresql.serviceConfig.ExecStart = lib.mkForce "${pkgs.postgresql}/bin/postgres -c listen_addresses=''"; + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts.${hostName} = { + listen = [{ + addr = "127.0.0.1"; + port = 8084; + }]; + }; + }; + + }; }; } diff --git a/test.sh b/test.sh new file mode 100644 index 0000000..0cd1f1f --- /dev/null +++ b/test.sh 
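Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` inside the container, together with the comment above it about copying the keys in by hand, means the container carries the host's own age identity and can decrypt every entry of `../secrets/quitte.yaml`, not only the two `course-management-phil/*` secrets it declares; a container-specific age key, with a sops file or creation rule scoped to it, would limit the container's reach to its own secrets, and the manual copy should at least be recorded as a deployment step since the configuration no longer reproduces the running system on its own. Separately, `systemd.services.postgresql.serviceConfig.ExecStart = lib.mkForce "${pkgs.postgresql}/bin/postgres -c listen_addresses=''";` replaces the unit's command with `pkgs.postgresql`, which is not necessarily the same version as `services.postgresql.package` whose initdb created the data directory, so the two can drift apart on a later nixpkgs bump. If the pinned nixpkgs exposes `services.postgresql.settings`, the line `services.postgresql.settings.listen_addresses = lib.mkForce "";` gives the same socket-only listener without overriding ExecStart; the `enableTCPIP = lib.mkForce false` line above it is then redundant but harmless. The whole file is within this hunk.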
@@ -0,0 +1,2 @@
+ldapsearch -o ldif-wrap=no -x -D "uid=search,ou=users,dc=ifsr,dc=de" -w $(cat /run/secrets/portunus/search-password) '(&(objectClass=posixAccount)(uid='rouven.seifert'))' 'sshPublicKey' -b "ou=users,dc=ifsr,dc=de" \
+| awk '/^sshPublicKey/{$1=""; p=1} /^$/{p=0} {printf p?$0:""}'
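Review bot: `-w $(cat /run/secrets/portunus/search-password)` places the LDAP bind password on the ldapsearch command line, where it is visible in the process list to other local users for as long as the query runs; `-y /run/secrets/portunus/search-password` makes ldapsearch read it from the file instead (the file must then hold the bare password without a trailing newline). The filter `'(&(objectClass=posixAccount)(uid='rouven.seifert'))'` only works because the unquoted middle piece is glued between two quoted pieces; quoting the filter as one string, `'(&(objectClass=posixAccount)(uid=rouven.seifert))'`, says what is meant and matters if the uid ever becomes a variable, since an unescaped value inside an LDAP filter changes the query. In the awk stage, `printf p?$0:""` uses the record itself as the printf format string, so a `%` in the attribute value would be interpreted; `printf "%s", (p ? $0 : "")` avoids that. The file also lacks a shebang line, so its interpreter depends on how it is invoked.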