course-phil: on-metal fixes

This commit is contained in:
quitte 2023-09-27 15:08:12 +02:00
parent a5d29c3338
commit 3c17c0ad6a
3 changed files with 87 additions and 42 deletions

View file

@ -22,6 +22,7 @@
nixosConfigurations = {
quitte = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs;
modules = [
inputs.sops-nix.nixosModules.sops
inputs.kpp.nixosModules.default
@ -53,6 +54,7 @@
./modules/website.nix
./modules/zsh.nix
./modules/course-management.nix
./modules/courses-phil.nix
./modules/gitea.nix
{
sops.defaultSopsFile = ./secrets/quitte.yaml;

View file

@ -1,54 +1,95 @@
{ config, lib, ... }:
{ config, lib, sops-nix, course-management, ... }:
let
hostName = "phil.${config.networking.domain}";
in
{
services.nginx.virtualHosts."${hostName}" = {
locations."/".proxyPass = "http://127.0.0.1:8084";
enableACME = true;
forceSSL = true;
};
containers."courses-phil".config = {
sops.defaultSopsFile = ../secrets/quitte.yaml;
sops.secrets =
let inherit (config.services.course-management) user;
in
{
"course-management/secret-key".owner = user;
"course-management/adminpass".owner = user;
containers."courses-phil" = {
autoStart = true;
# forbidden sadly, I will copy the keys manually. Not very beautiful but it works
# bindMounts = {
# hostPath = "/etc/ssh";
# mountPoint = "/etc/ssh";
# };
config = { pkgs, config, ... }: {
networking.domain = "ifsr.de";
imports = [
sops-nix.nixosModules.sops
course-management.nixosModules.default
];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.generateKey = false;
sops.defaultSopsFile = ../secrets/quitte.yaml;
sops.secrets =
let inherit (config.services.course-management) user;
in
{
"course-management-phil/secret-key".owner = user;
"course-management-phil/adminpass".owner = user;
};
systemd.services.course-management.after = [ "postgresql.service" ];
services.course-management = {
inherit hostName;
enable = true;
listenPort = 5001;
settings = {
secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path;
adminPassFile = config.sops.secrets."course-management-phil/adminpass".path;
admins = [{
name = "Root iFSR";
email = "root@${config.networking.domain}";
}];
database = {
ENGINE = "django.db.backends.postgresql";
NAME = "course-management";
};
email = lib.mkDefault {
fromEmail = "noreply@${config.networking.domain}";
serverEmail = "root@${config.networking.domain}";
};
};
};
systemd.services.course-management.after = [ "postgresql.service" ];
services.course-management = {
inherit hostName;
enable = true;
settings = {
secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path;
adminPassFile = config.sops.secrets."course-management-phil/adminpass".path;
admins = [{
name = "Root iFSR";
security.acme = {
acceptTerms = true;
defaults = {
email = "root@${config.networking.domain}";
}];
database = {
ENGINE = "django.db.backends.postgresql";
NAME = "course-management";
};
email = lib.mkDefault {
fromEmail = "noreply@${config.networking.domain}";
serverEmail = "root@${config.networking.domain}";
};
};
};
services.postgresql = {
enable = true;
ensureUsers = [{
name = "course-management";
ensurePermissions = {
"DATABASE \"course-management\"" = "ALL PRIVILEGES";
};
}];
ensureDatabases = [ "course-management" ];
};
services.nginx.virtualHosts.${hostName} = {
enableACME = true;
forceSSL = true;
};
services.postgresql = {
enable = true;
enableTCPIP = lib.mkForce false;
# port = 55555;
ensureUsers = [{
name = "course-management";
ensurePermissions = {
"DATABASE \"course-management\"" = "ALL PRIVILEGES";
};
}];
ensureDatabases = [ "course-management" ];
};
systemd.services.postgresql.serviceConfig.ExecStart = lib.mkForce "${pkgs.postgresql}/bin/postgres -c listen_addresses=''";
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts.${hostName} = {
listen = [{
addr = "127.0.0.1";
port = 8084;
}];
};
};
};
};
}

2
test.sh Normal file
View file

@ -0,0 +1,2 @@
ldapsearch -o ldif-wrap=no -x -D "uid=search,ou=users,dc=ifsr,dc=de" -w $(cat /run/secrets/portunus/search-password) '(&(objectClass=posixAccount)(uid='rouven.seifert'))' 'sshPublicKey' -b "ou=users,dc=ifsr,dc=de" \
| awk '/^sshPublicKey/{$1=""; p=1} /^$/{p=0} {printf p?$0:""}'