courses: move into folder

2024-03-12 12:11:44 +01:00 · 2024-03-12 12:11:44 +01:00 · fea01b0b2e
commit fea01b0b2e
parent 527651706e
3 changed files with 2 additions and 3 deletions
--- a/modules/courses/default.nix
+++ b/modules/courses/default.nix
@ -0,0 +1,69 @@
+{ config, lib, ... }:
+let
+  hostName = "kurse.${config.networking.domain}";
+in
+{
+  imports = [ ./phil.nix ];
+  sops.secrets =
+    let inherit (config.services.course-management) user;
+    in
+    {
+      "course-management/secret-key".owner = user;
+      "course-management/adminpass".owner = user;
+    };
+
+  systemd.services.course-management.after = [ "postgresql.service" ];
+  services.course-management = {
+    inherit hostName;
+    enable = true;
+
+    settings = {
+      secretKeyFile = config.sops.secrets."course-management/secret-key".path;
+      adminPassFile = config.sops.secrets."course-management/adminpass".path;
+      admins = [{
+        name = "Root iFSR";
+        email = "root@${config.networking.domain}";
+      }];
+      database = {
+        ENGINE = "django.db.backends.postgresql";
+        NAME = "course-management";
+      };
+      email = lib.mkDefault {
+        fromEmail = "noreply@${config.networking.domain}";
+        serverEmail = "root@${config.networking.domain}";
+      };
+    };
+  };
+
+  services.postgresql = {
+    enable = lib.mkForce true; # upstream bacula config wants to disable it, so we need to force
+    ensureUsers = [{
+      name = "course-management";
+      ensureDBOwnership = true;
+    }];
+    ensureDatabases = [ "course-management" ];
+  };
+
+  services.nginx.virtualHosts.${hostName} = {
+    enableACME = true;
+    forceSSL = true;
+
+    # phil redirects
+    locations =
+      let
+        philDomain = "https://kurse-phil.ifsr.de";
+        courses = [ "238" "239" "240" "241" "242" "243" ];
+        subjects = [
+          "ESE 2023 PHIL Campustour"
+          "ESE 2023 PHIL Bowlingabend"
+          "ESE 2023 PHIL Filmabend"
+          "ESE 2023 PHIL Wandern"
+          "ESE 2023 PHIL Spieleabend Pen and Paper"
+        ];
+      in
+      {
+        "~ \"^/course/(${builtins.concatStringsSep "|" courses})/\"".return = "301 ${philDomain}/course/$1";
+        "~ \"^/subject/(${builtins.concatStringsSep "|" subjects})/\"".return = "301 ${philDomain}/subject/$1";
+      };
+  };
+}
--- a/modules/courses/phil.nix
+++ b/modules/courses/phil.nix
@ -0,0 +1,93 @@
+{ config, lib, course-management, ... }:
+let
+  hostName = "kurse-phil.${config.networking.domain}";
+in
+{
+  services.nginx.virtualHosts."${hostName}" = {
+    locations."/".proxyPass = "http://127.0.0.1:8084";
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  sops.secrets = {
+    "course-management-phil/secret-key" = { };
+    "course-management-phil/adminpass" = { };
+  };
+  containers."courses-phil" = {
+    autoStart = true;
+    extraFlags = [
+      "--load-credential=course-secret-key:${config.sops.secrets."course-management-phil/secret-key".path}"
+      "--load-credential=course-adminpass:${config.sops.secrets."course-management-phil/adminpass".path}"
+    ];
+    config = { config, ... }: {
+      system.stateVersion = "23.05";
+      networking.domain = "ifsr.de";
+      imports = [
+        course-management.nixosModules.default
+      ];
+      systemd.services.course-management = {
+        after = [ "postgresql.service" ];
+        serviceConfig = {
+          LoadCredential = [
+            "secret-key:course-secret-key"
+            "adminpass:course-adminpass"
+          ];
+        };
+      };
+      services.course-management = {
+        inherit hostName;
+        enable = true;
+        listenPort = 5001;
+
+        settings = {
+          secretKeyFile = "$CREDENTIALS_DIRECTORY/secret-key";
+          adminPassFile = "$CREDENTIALS_DIRECTORY/adminpass";
+          admins = [{
+            name = "Root iFSR";
+            email = "root@${config.networking.domain}";
+          }];
+          database = {
+            ENGINE = "django.db.backends.postgresql";
+            NAME = "course-management";
+          };
+          email = lib.mkDefault {
+            fromEmail = "noreply@${config.networking.domain}";
+            serverEmail = "root@${config.networking.domain}";
+          };
+        };
+      };
+      security.acme = {
+        acceptTerms = true;
+        defaults = {
+          email = "root@${config.networking.domain}";
+        };
+      };
+      services.postgresql = {
+        enable = true;
+        enableTCPIP = lib.mkForce false;
+        ensureUsers = [{
+          name = "course-management";
+          ensureDBOwnership = true;
+        }];
+        ensureDatabases = [ "course-management" ];
+      };
+      systemd.services.postgresql.serviceConfig.ExecStart = lib.mkForce "${config.services.postgresql.package}/bin/postgres -c listen_addresses=''";
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedTlsSettings = true;
+
+
+        virtualHosts.${hostName} = {
+          listen = [{
+            addr = "127.0.0.1";
+            port = 8084;
+          }];
+        };
+      };
+
+    };
+  };
+}