From 8908b3bbffc8d947d582025646f9c271bcef9f85 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 27 Sep 2023 14:20:11 +0200
Subject: [PATCH 1/4] courses: phil: init as container
---
 modules/courses-phil.nix | 53 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 modules/courses-phil.nix
diff --git a/modules/courses-phil.nix b/modules/courses-phil.nix
new file mode 100644
index 0000000..3a51932
--- /dev/null
+++ b/modules/courses-phil.nix
@@ -0,0 +1,53 @@
+{ config, lib, ... }:
+let
+ hostName = "phil.${config.networking.domain}";
+in
+{
+
+ containers."courses-phil".config = {
+ sops.secrets =
+ let inherit (config.services.course-management) user;
+ in
+ {
+ "course-management/secret-key".owner = user;
+ "course-management/adminpass".owner = user;
+ };
+ systemd.services.course-management.after = [ "postgresql.service" ];
+ services.course-management = {
+ inherit hostName;
+ enable = true;
+
+ settings = {
+ secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path;
+ adminPassFile = config.sops.secrets."course-management-phil/adminpass".path;
+ admins = [{
+ name = "Root iFSR";
+ email = "root@${config.networking.domain}";
+ }];
+ database = {
+ ENGINE = "django.db.backends.postgresql";
+ NAME = "course-management";
+ };
+ email = lib.mkDefault {
+ fromEmail = "noreply@${config.networking.domain}";
+ serverEmail = "root@${config.networking.domain}";
+ };
+ };
+ };
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [{
+ name = "course-management";
+ ensurePermissions = {
+ "DATABASE \"course-management\"" = "ALL PRIVILEGES";
+ };
+ }];
+ ensureDatabases = [ "course-management" ];
+ };
+ services.nginx.virtualHosts.${hostName} = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ };
+}
-- 2.44.2
From 7d7ac6c5718d556dd37071052bd0f9e64581c62c Mon Sep 17 00:00:00 2001
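Review bot: `containers."courses-phil"` is created without `privateNetwork = true`, so everything in its `config` block — the postgresql instance and the ACME-enabled nginx vhost — runs in the host's network namespace and competes with the host's own postgres and nginx for 5432, 80 and 443 (the `listen_addresses=''` override that appears later in this series suggests exactly that collision was hit). Give the container its own stack, e.g. `privateNetwork = true; hostAddress = "10.233.1.1"; localAddress = "10.233.1.2";`, terminate TLS on the host and `proxyPass` to `localAddress`; that isolates the container's listeners instead of working around them one by one. With a private network the in-container `enableACME = true` has to go as well, since the container then has no public port 80 for the http-01 challenge.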
From: Fugi
Date: Wed, 27 Sep 2023 14:23:22 +0200
Subject: [PATCH 2/4] add courses-phil secrets
---
 secrets/quitte.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index aee5279..feb0ca4 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -18,6 +18,9 @@ vaultwarden_env: ENC[AES256_GCM,data:lGDemdGgYemaaWhWBPEMuP4yie5Ceum5ZZ0hKRLz8TJ course-management: secret-key: ENC[AES256_GCM,data:wWzoUGt/5Yusy1s/RPhZbDJFdTCjxHiRODKhDnOUUik=,iv:svN+pmwBXlL7ghOiF4y04Tnivv9Zr6ZoVWrCVFzs/gY=,tag:+gTxfipVNLGuYZM8KDsoIg==,type:str] adminpass: ENC[AES256_GCM,data:Y2/WTOCGme1C8jbKla+I0dzNWbf3JtACtZD9pd9V3w0=,iv:zXAtduU460I7E4dQjyln71Icq9PYGP40qxqRfv85WIQ=,tag:dMz5jlyy1S04/sMt2xLb+A==,type:str] +course-management-phil: + secret-key: ENC[AES256_GCM,data:h48/SsIBitJ9RrpaULUgHPEl3PxVJ9lXNpmVWsXA0qM=,iv:aNbyff/S/8eWFVlR767syfj8Tbm3n27gv0T2T01dzu8=,tag:kIDe3c64FXWuPNKRKpBR7A==,type:str] + adminpass: ENC[AES256_GCM,data:dY3PKUybVw3h/wChbhXmfkuy9nCOHysIg0Gpix/hHaE=,iv:AnIiV95ZsGXFIdtDCjkFG2dIPbCUKiDbUDbbQ3Bvr4k=,tag:0De+S2rLN4fK9wx57jcKxg==,type:str] bacula: password: ENC[AES256_GCM,data:je85cIfdDrRl5mkOujiZM57xFG7HrtLyfsDNVab6tBAXMZ6TvcaZrrmzjfKDOYrT,iv:lfPpWXz2h8iSyECaPVJzi8sdks7fxPHewHagaKCBHY0=,tag:1WcE5wRA/q7IB7Y1TgjtvA==,type:str] keypair: ENC[AES256_GCM,data:lYDS3U7+++aXowGA2DLWGs4/pBxzjk9VXivEqqvEcMOLvgPwPiVKuXqHShw4NkH6qcoLzOqqjDpEt9aW5sYcVkIR7gNTiBcGLrVe88ZPHYNa1/mnwZbNVKGutM/S6wuyf8J33mrfbQ0ujkavSIE5zOqFyaHx4kU0wHdxjIl3q8RqUL+6s3+vwOoxubKndBzV7NhfvCZBZ7JRJK5bORuOrbgQMgwrACTysR4gRVyiu39ku/AlHXGCmrl+GBHTAm3EOJyrIBBoZSLNyGkFv5ay82Oe/CvRxzkR5lK2xHi7tdBUtoOOrqT1KNRKZxsXpKUP0N8ctCD5/4pAVYbhDE7KQDGfwWioT6xSJJvHF2IYAnxV+A63SkrgSSMWG/xj4ZtvMqbngJZ6KqGDqS8qmjupB4fS7mMp/lsOFcL4w8w+isAHM637Yb4/Sfw704+oBMViBFGFJ+o4V5BbjGHygIgUQXHabeOk4u17e+4V6CVxEIlrzafRcYPDAwQE1qvJ388dq9z6wws94dQnTgEaW1O6/ye8uAvtvuUzwgfnT5CU4ypqn0OylOzthNqJfr7KfX3/+Nu8tiAZEkzCvCDGDnyla0fzpm+BZwpLcAmhMv47vS5NwUghJ5iCGjssmdEDncclwolwi/vvmtYdPchbUKuKn+ro/R/ZkMDOGvQHvC9fmbn7lEJFUesCQLwtxHNsj6NqR6tYqJJRPIFOtSeak70DKak9/2NCInVwrbZ8Z12Lp6xGgc19RYDDVQ302cGhWkYfcXMoM7Vgxl5Ta57TALDbs0aZnvtlUxmWpUUwF43+t5gxKW6nEbJwHfD60G5Je8tiik0fuO0D/XsV56/ih9yKgqxhTqaMNrWgYoTjqmqg9dfhVwe8AhpXdlUR9R71TKAmkkmNJUHJmRNk4rp5ZIlVu193eybA9WyPPTWojMaKV8GQVdhkRKCUSeIyhttGZov1Xg5xIvpQ/l+TDYVpnF9o
l/RR8zqCKguU+D8i1Bju28kCbmmogzlmS4Q3QoMJk5pn0wqX8NytE62mmE+sbmqSt+vK2xXIUvxUQSOvzka/Cyj6lyd0+9W1YiaTK1xe2no4QswJuTVZ7PRMZLQL2O3eGOrAR+BbVnIhsfi4fFNcQ1pxmtqCT+wvulaLd+CH1xUTBjkc30YbMpN+ElLFZBuhXv48RP82iizUSs6FumBNG53QHN+Ucv0u3wpqQwjlGlv9euARxJZVxqA65clXc7f2VzJNHBYXB97LG4eOTykVYUWsUS5fIurCZseGgyVAMCAo/YO2jMXrqcEJiyLs4EKCRo4Yin7wNyf34qhZ3ilpofADhKtSU17vXL8HQwKn0fpt6RI2hSc8xTalOAFF9B4J08a8f/6Mx5jy8FHKSEbu91usKDy9bGi/Cq/f09vBymwjoe0cvPdllOZT0Ik7WO1gl8UU8sXxDkjM0mekslQSE3vzlQpZ2JcjRHSxVsC0u+500jap979aShw63OJTa2sQ8KCQ/EJrw7P/xQJ8STtMxd5JBl/fX1e0AM7tKhb7h2JpwqrR221iQtG8FdJD8JUT6hTOQKMW5L3SZj3//GF4XrmsowP6eEbFJUhCXGUoSHWeVF2RZVALDHm8HC9cWUASIyiNCBJmV0mE1LgrAvSd7jkZE+P0DQcMOjjnMn44xYqnrQgplgI/glTt0QQqdyMfAgGrv8dfwQGn8TafY4rPjMU3L768Y3mvSCfE2//lKued4B88LAG4zBfxh8iF2wEAptU4xHy8cf3Y1cJWUPwg0xBVsslA0FKpxHKQ95LGIU0vq3EYvSOk+9eQ3BBmql9vflfhjlSlS7DUcwLJ6iGurTksapczu5kQu5vDuyc4OFUz21+rSPUph1LaOUj0PgF1B4NGRyevW4/LKIyYFxKj9ibYVWEfNrDvRXJnpXT/ffwT2t68OIMwyBIygNwLKaa2mg5RK6Il6T/F85CSxbNs0XMZnempZfbCDR1THtIY2B8WyPXH1WIEqDlEzxuAq/ldl+LOyql0R9Coos8+wVx6ehCLODsQLq+mwJIxbBc6Y91r54Pmjtk+Y4FNysLOvS1uvgRvuNJ+vz7ZJ5IB4wtFPUKGBFdUue7x9ov4GR67wHWnRARvnpgKGuvoA4ktupLXAsF6zzfgI2z/+aN6cxtUYR7yrGnxABPAA0LlWZnl6NCaGrOTNo/e8chbD+uoayVHUhQY0t4xbFedwHIEeB1c98i56SRbCqc07TpPKOV1w+DmmUvHWunUWfWMSAZs5hu5CipKSyvawnCLaHoEcvpx1nynffspzikgMeYdacxGKzR0UshySv7XWyV8ruPgjjCv7hc7hu/+ixAFKZql36Gl/uObNfSzIWjJ0qKWxzHiCQEfpkT37x9EBpLDZn426GsHix+UCH6Zucyoby4UveM+q24mi/JgBaokGcyItQHuJiTuD5fot+6bEowu4bm98R05aDjfDf3vdO3/W/31J4yYKPMvTf1z67A+pBRIfzNjDBpI8i5zXZoo5Y/urRGt6FdxT1ww1NzpkL5ebz9kbEpRqnJuHYs2JMqrsTPlQdJ25O6sPgHrU+XJPmehN1bKu09v6ThbUelVEn2+TROvzyemoPRzqjmE5BLfMjFrffnnTX4M09rNI2UhXivdDTmnFHZ5hdpZfVjhYFnPJaHwfNOSa9TQ/6zPwii1WcuxelD3JldTnZxx2k6BFsSo3g2qNefcpHBJTS9Nddu1qHAdbJLlHusc+go/yZ93h5mQdzSnO2NfNAv+cX7Liz4PP1Vj9SJiBmlNbowJxyoYF4ji0EQ/OxDvt/iLoQsdDXb5qN7YDecfdsULXY5uTdjmDlwkhvAYrCs0VHTEfPG7o8GxZna0GAK3dIFUzxMhL+ZjagMyq+YUrDe+nRzHOzGQqX87Oxv8/7WW8+uSY3URRQR0P3/gL7YyK2HsHrYR3ENMXg76a3M/pLFB6y95q7u57pJrceNed3W9j7cR5JTci34c
NsfQ0VOnW8JcEjrKvve4wA97AedTUBPAjo2Uz7n6UWswbC3hv8Ffzld7SsAEdJW54uqQvUharR1vyp48RLrIv8Y51xtoQ0nfY+i65Ii09zm6LC5WR+/YV2i3Os3VKgDmBjuT/btDvi0tP82288vffR77Q5OToVRLUXfpXDd4FXzct79h4ZhXuy3tIlxPc+U1Oe6Ly6R6cKWRG58jTM+Epql2Dy79tpU+LCJon7A3UhglHlpJlT3tfVGbFyncm+Vfb4e9lTqhDRhqVo5CyWeRrMBhyHKAmBvzjeQp7Qur5c2Gsr9gYibiVTGnYijMAL5iigyndDt2tZoXolOmy908k9PfOWd4TAnXdTcYssoT4bI4C6jiIyZlf+WyxrjdvEBRxZ47+qkj49/wV3fYlpsgE1pzfPwvLDOMIeTr6sw6b22Wtir9LZUVY9OA46NZ7yzqMRDaolYIeH2MMEK1QwIrCVZrQi5NBi4Wy+ghVs4s6x0/W7gimFK7PV/Vjo2bhA2nNLcnrHvddey/k2JD0aG0TvNRYKuzr4fsXb4I92d08VNJ83zfcxeZJgzt2FOvbwLj66R56Rdy/ITKpAUNzYQXBSGyVdPiEPv5Lz8YvyAFIB+BySjXerb6jtdFsqbGRgXOn61kAlBZtADzAbi9en7mB1O0fBcFBW9En/rZ+dUkzd2pOokdXWDT7dKK604QFdcALFCnwEGlSljypU253yKMGoSYaD7E5vtjuhPxLXggq8ZP4yx0mll57VCHEgYjO/z5HzpoXbUzOtaBHsSFyEiecbHdHjlJGDHPh3sz20YyFu7bZLs6p8uKXD0wo3+wm+afkOm1zTH4sGCS1PwdekdknHLCK6PlPZRQ83n2ra6dLPvK66b1zPPvOwqrpf7OE1ieNg/WKRqmfUjViBNnaftpYnQ+wNq6Q0I75r/UfwarBoru3Xm59xRLupCGTRLqJSYEVRsyUOYBfOjhb3fAKvZJS1HSgexvQCD4b4kwCNToTdmpGBAYoPBsDJw1yZpto6eyXLO1Ad5sKmHUvlUFZHxL1tQghNCcSEVP9k/LLAwnHAV/XNPpFlvOGHtFolYSuI9t2s+EVioXLD7X+tlJHVQ+hrnGrJprvSVhjR+JJ/N1jPr6eBhbYzp55GG6C0svmhoxXDqFsG4LRhqTgHCxuajsMHOJc0uWuKKRjVWm5miIOx5qe140OgJ5mXYJv+3VJjrm4XnjppRhNeKM46Om2ovlgkqoJCMRxI4ct+AZtBCnF4NGLg40kYJpKZOSaOyuj2A6gB3G+sCOi2dKOPr6u5WseLFfy9u5fg01Z3G1MiXZIM5E7Ny0Ecos63ofyGYbSm0VXYknBsQt5XuKsgMLHlHcNZaaOpni7sn63hNI7JDsvCdQw191stL01hEL3VtmNOtfKPZXlOdaP6V2M2p933eApLCpV2VJ3eMDpB5z1WTVp0XQxDOD9IThDLKnt/AbhMC81ROklyp3sxTZY+AjHITkWdDGOFmY/zwjs9M2UuwEt8eo/4HkIqKDfK4u0y1jKf5NHzwf25hn7xAo8uvZR8ZSOpO1YNi3ecp9qUgesyY0acxY2Y5F0+Kyx9Mhfc4YetYL1Wtkr83SaFCxMjsMx5VOVNrb2q0IPJTYDY3iy2ElWlrDLKH1HNzUz3QsyH1h8csmblz2PbReHR4lUbwqfkNixNMkh752xNd4qA8CSKjK3shHle4vW44ewJQyaOLfevF9/+JkVrjbWjqdm5N4dCBQhNlfD43EHUuGTQVisbmokikapHE7lZZM1WXjT6hnvR2pnivV09GfaKxyruvFu40UZfIeD+ChXzDMcjom5knRLmB5njjpizlXiZw8cZoXy8QFNu0CtSxkP3b0VkJ8vrq5tJXfIOYO7Uc4FSIQKPig2LyYMXXuaOPPOkkwXxqo16ZFgdpBbqe3/uRciVgaxvYNrhdU0YZZj0DGsZlWgS3ClpRqO7Ka3AIZzzWJaSt5uh/YdXQtNqN9zUuSmfJk
jLZ9s+Ojdw6BvJbC5y+Ia/MWOSfqxLTYZUMD5r2S0YLzF6nBGeIbZtzUKIdJ6X0Nq9N1l+2UdUJ9yvmFHfUBjUddRZWiVzIAQQ4rk0WFayHfA36dyr34wp1O8mD6rex+BHDRHPc2wwKEk3wBb2QwtLAJ21tANH//ZRhB4MM8lBLMxO5Ya90r4zXgp+buYuj0lFKz6/IowjvHY9M+fBpAVkrQi6AEPq5z6YtTC8HU1kcJ4Cmts8sacl9fsv8jvexuA0x6c0YTJq68oDgESfrcbEdDXkU1m/XxMUSVPxHGAxyhksELbfRsWRXrgOMUEGSlGC7gf0XnK25M3VdEAlKhKVIo5Qbg1Z0UllwrlAfG0IM+Br3VAghzIQJFDuycdNAjuArIo61U7iBd1veOBBch7g7nzwdbYqOhvPqmTz84pzRp/3yuEWYLkcCwph7YiAaBUh7yRwumxJQkDTk3qBIVh5M04PAXfFDFN0wekGEZ7qzv9JbNKxPl59al+hxrMnfGvvyuhVo9PvPKHa5xJCU22BNfB7LfKWo/OxxhKDVWDruNivz46/cSJcM5iaNPlwyU1hl8s8OXLJMzHSmZajkEDJWk+G677zHD0/2G+bdArdTHchQG2iE/EMq1mbD/so/Yf2T7U25Histn9DPnsi1/4Hq4/tUaPAUK8kEwTQSaWAtF+uf6hZtxoqtCtyGzpPcnxJX/yIthkJDqkhMA8YYPbbX7Uk1FrLEK4UiP758bu6lvuCRD6Y6u5e5HjODFV/RjGpoODKIVPIlVTNGXu9boaK/0wTmhS8LtXlUJfSZt5F/LDGzfDl7o9w7u3otf24DsQAEvvMBRKl7DqknUSuR0rjadxrnwzi2rbrOmMQ7VWGhcTaV8LnKh7owpAAeDdxH8X/Kg7BIvez9rjKiVQYSAV1SqEwUdOrEkaOnqIV2xnwYCETfuykoeNDJQ1M/GaVr2eNgYB0fAjHJdTYtVMEFLXJMJyxSYk95/RHNDMr862I+dHnhSJg5u13fACXricKsHZOg0gxMHgTs9pfieBGxQtG9+2JVK1ws8W73aKjVL2WYTysE7eh4j/J01nPjayRt6rNdkYePf2qhDi6mLc0Z1L7m6LlA5opzDpX3Fh/586k9XdEgizZ6OIC+/emHAdNteSzwBv6P73tXqZk9PsekA2/MYIKZoRVbBOi8C270WJNPA6lRBItyGrIUz/QZiyMTFg73NcX5lskk5AbiO2+0LfR2UCKVxM5dvzE4dYPLk0if6Zvl4uHBI0ayIVN9hi6IZIExsrER+91DqzalZM/AHSa6pl44qtk7o8+yGSJJG8i5TjgdPn7sq+LrXkJ7QJfa1YHGB7y2Q8bIvm+A4MdqDx535vWgNRQ+iYeRtdq0jtxQdJZspFas0ceaOJKYNByPLRIBXB7rBwusEmEdkAN0xMUAN/iO1T0B/A2WL4XZxbmaaEa03CJHf26gyJS/ARnDJLVgfP13EIwXVjD6vMrqC6x2dCpBEkcn48cLyd9wEskylfklEDAi6TLdwTyO/VGxvimdF42MkF5sdly4Ui/4xbjIHY3tNyXmagjJVvtKJnTlwEQT+tiHo1i83z84q9tgwnkL+3BAk+G66xcRmTAHBNfYhu8kBpb/gMeVIt/z2Gpe3tqlUCFyKvlebC+a0+7V1pRhBAgbFb1NmM++EPjEC8fFbilLbgbq9HKDm0Fqcrz3qewh8bAy93ZuAVQusnakUGKherN+tgw9WEcgfLI7lvbdAz37m4fyabustXMK+Zb6PYpF+X6P3n9hf1cZalh9RNytC22TFIksG6j2ZcbBKLF2wf6d8Y083BNceeE0ADW0vc5lEFmgx5AuaZHOUHzKIDX5Y8OXfevibnnmhlCtNjuRVPx1oR+ZD8LYhjv7KWlz+wiLkkKZnB0Hvy+GspSaFsMG6pO6m6vWZ8T14l3mkhe6oV8EO95Rxe2s5kIkq/hCzrKefc2K+GvXJ/aEmwU9OtN1YBS89QICIq8t/
OMvx2CjN/Nd5aewc47mZBW2ashKiLute+2/0dJt/8JKG+SxGWHxtkDa7EPSwc4ZZjpoPF0MhXMB3PgbvoZWARegOihW7c6BvHFsxLQS+AjqYVxAYvcnx2NE2y8KS4EkTn/pKaIryG6mAvrAolpnXjVPBFTQU9PaYFlMJ1tQc1ZrUH3Yev4GP,iv:DEzZocX7nChUd6L9v3iqEeMcxWCZY+kbUnDLbikBVe8=,tag:ya/g5UxFYI7LJuiqbc7wPQ==,type:str] @@ -37,8 +40,8 @@ sops: dFpScGZzYlFQZWMyUEErOVhVVjc4SlkK3KUct/NJwDdeGeWrqbZ5eAIb/G8f/ZCI T4gO0Y/fznXkNf1fm5d3JHwTC8yAzxmSSGu2f/LLzKx1oNeAw0Ll4Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-09-04T06:55:01Z" - mac: ENC[AES256_GCM,data:CvdFvN0usYbFG+W6gTXEfoX3vOhKbXkAC0gy9k26zaywPeVNcUaCpkItAp32PL/9r60ZOUplrsUWd0HlOsCvYplS9wrSmSQomkoUjAw5vJFNUT+9Ci6r4T1dRAJnijNvSr5flCv0+Gu6KLBuDuVeS3zXj5HHOOtibrrt+1j7EhM=,iv:bwL9mW23jwfp4jcnuhT2iG4qyCNyfS42B2P3uuX2U0U=,tag:AdxTPlUAPSND9+ysG8O7Mw==,type:str] + lastmodified: "2023-09-27T12:23:03Z" + mac: ENC[AES256_GCM,data:KyHdr4zY5LPViILOVEqrxX6aQOuavBVfzPDyqXEEaOnhb3zzAKRfmmSmUq2c3Nh7Q0pQaJ0zUMwu8orHhdKOtjUqx/ToRZTyxf/OR/XIaVko65ci+CfOZFgfsXY1XONn5XnmJqPfSa+2jFkDFZrW34OWg6W9Q3TOic9H7lTvadQ=,iv:hmoDrwF/pC3zpBjiEMPc0/gO0D2D1Vk4DP/jneQvcOA=,tag:zJCRbw75kkZW/bmGA/kDYw==,type:str] pgp: - created_at: "2023-08-14T09:07:55Z" enc: | -- 2.44.2 From a5d29c33388aa49f6fba26a045360b1a84d885d0 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 27 Sep 2023 14:25:03 +0200 Subject: [PATCH 3/4] sops: set sopsfile --- modules/courses-phil.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/courses-phil.nix b/modules/courses-phil.nix index 3a51932..de2ae6d 100644 --- a/modules/courses-phil.nix +++ b/modules/courses-phil.nix @@ -5,6 +5,7 @@ in { containers."courses-phil".config = { + sops.defaultSopsFile = ../secrets/quitte.yaml; sops.secrets = let inherit (config.services.course-management) user; in -- 2.44.2 From 3c17c0ad6a7c8ecd560b8de7e794c9f9d5cf8468 Mon Sep 17 00:00:00 2001 
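Review bot: `sops.defaultSopsFile = ../secrets/quitte.yaml;` points the container at the host's complete secret store; sops encrypts the whole file to every recipient, so whatever key the container is eventually given to read its two `course-management-phil/*` entries also decrypts everything else in that file (the yaml hunk earlier in this series shows `vaultwarden_env`, `bacula` and the host's own `course-management` secrets sitting next to them). Put the container's secrets in their own file encrypted only to a container-specific recipient, `sops.defaultSopsFile = ../secrets/courses-phil.yaml;`, with a matching `creation_rules` entry in `.sops.yaml`. As far as this series shows, the line alone also has no effect yet: the container config imports no sops-nix module and configures no decryption key, so activation cannot materialise the secrets — the enclosing `containers."courses-phil".config` block continues outside the hunk.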
From: quitte
Date: Wed, 27 Sep 2023 15:08:12 +0200
Subject: [PATCH 4/4] course-phil: on-metal fixes
---
 flake.nix | 2 +
 modules/courses-phil.nix | 125 ++++++++++++++++++++++++++------------
 test.sh | 2 +
 3 files changed, 87 insertions(+), 42 deletions(-)
 create mode 100644 test.sh
diff --git a/flake.nix b/flake.nix
index b906f62..10cbe22 100755
--- a/flake.nix
+++ b/flake.nix
@@ -22,6 +22,7 @@
 nixosConfigurations = {
 quitte = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = inputs;
 modules = [
 inputs.sops-nix.nixosModules.sops
 inputs.kpp.nixosModules.default
@@ -53,6 +54,7 @@
 ./modules/website.nix
 ./modules/zsh.nix
 ./modules/course-management.nix
+ ./modules/courses-phil.nix
 ./modules/gitea.nix
 {
 sops.defaultSopsFile = ./secrets/quitte.yaml;
diff --git a/modules/courses-phil.nix b/modules/courses-phil.nix
index de2ae6d..3dc0058 100644
--- a/modules/courses-phil.nix
+++ b/modules/courses-phil.nix
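Review bot: `specialArgs = inputs;` hands every flake input to the module system as a top-level module argument, so a present or future input whose name collides with a module-system argument (`lib`, `pkgs`, `config`, `options`, `modulesPath`) may shadow it silently, and modules then depend on bare names such as `sops-nix` and `course-management` whose origin is invisible at the use site. The conventional form is `specialArgs = { inherit inputs; };` with `inputs.sops-nix.nixosModules.sops` and `inputs.course-management.nixosModules.default` in the consuming module. If the flat form is kept, a comment on this line naming the inputs that modules rely on would at least make the coupling explicit.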
@@ -1,54 +1,95 @@ -{ config, lib, ... }: +{ config, lib, sops-nix, course-management, ... }: let hostName = "phil.${config.networking.domain}"; in { + services.nginx.virtualHosts."${hostName}" = { + locations."/".proxyPass = "http://127.0.0.1:8084"; + enableACME = true; + forceSSL = true; + }; - containers."courses-phil".config = { - sops.defaultSopsFile = ../secrets/quitte.yaml; - sops.secrets = - let inherit (config.services.course-management) user; - in - { - "course-management/secret-key".owner = user; - "course-management/adminpass".owner = user; + containers."courses-phil" = { + autoStart = true; + # forbidden sadly, I will copy the keys manually. Not very beautiful but it works + # bindMounts = { + # hostPath = "/etc/ssh"; + # mountPoint = "/etc/ssh"; + # }; + config = { pkgs, config, ... }: { + networking.domain = "ifsr.de"; + imports = [ + sops-nix.nixosModules.sops + course-management.nixosModules.default + ]; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.age.generateKey = false; + sops.defaultSopsFile = ../secrets/quitte.yaml; + sops.secrets = + let inherit (config.services.course-management) user; + in + { + "course-management-phil/secret-key".owner = user; + "course-management-phil/adminpass".owner = user; + }; + systemd.services.course-management.after = [ "postgresql.service" ]; + services.course-management = { + inherit hostName; + enable = true; + listenPort = 5001; + + settings = { + secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path; + adminPassFile = config.sops.secrets."course-management-phil/adminpass".path; + admins = [{ + name = "Root iFSR"; + email = "root@${config.networking.domain}"; + }]; + database = { + ENGINE = "django.db.backends.postgresql"; + NAME = "course-management"; + }; + email = lib.mkDefault { + fromEmail = "noreply@${config.networking.domain}"; + serverEmail = "root@${config.networking.domain}"; + }; + }; }; - systemd.services.course-management.after = [ "postgresql.service" 
]; - services.course-management = { - inherit hostName; - enable = true; - - settings = { - secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path; - adminPassFile = config.sops.secrets."course-management-phil/adminpass".path; - admins = [{ - name = "Root iFSR"; + security.acme = { + acceptTerms = true; + defaults = { email = "root@${config.networking.domain}"; - }]; - database = { - ENGINE = "django.db.backends.postgresql"; - NAME = "course-management"; - }; - email = lib.mkDefault { - fromEmail = "noreply@${config.networking.domain}"; - serverEmail = "root@${config.networking.domain}"; }; }; - }; - services.postgresql = { - enable = true; - ensureUsers = [{ - name = "course-management"; - ensurePermissions = { - "DATABASE \"course-management\"" = "ALL PRIVILEGES"; - }; - }]; - ensureDatabases = [ "course-management" ]; - }; - services.nginx.virtualHosts.${hostName} = { - enableACME = true; - forceSSL = true; - }; + services.postgresql = { + enable = true; + enableTCPIP = lib.mkForce false; + # port = 55555; + ensureUsers = [{ + name = "course-management"; + ensurePermissions = { + "DATABASE \"course-management\"" = "ALL PRIVILEGES"; + }; + }]; + ensureDatabases = [ "course-management" ]; + }; + systemd.services.postgresql.serviceConfig.ExecStart = lib.mkForce "${pkgs.postgresql}/bin/postgres -c listen_addresses=''"; + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts.${hostName} = { + listen = [{ + addr = "127.0.0.1"; + port = 8084; + }]; + }; + }; + + }; }; } diff --git a/test.sh b/test.sh new file mode 100644 index 0000000..0cd1f1f --- /dev/null +++ b/test.sh 
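Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`, read together with the comment above it about copying the keys in by hand, means the container's ability to decrypt secrets rests on a manual copy of the host's SSH host private key. That duplicates the host's SSH identity into a second place, it is not reproduced by `nixos-rebuild`, so a rebuilt or freshly deployed container silently ends up unable to read `defaultSopsFile`, and because the recipient key is the host's, the container can decrypt every entry in `quitte.yaml`, not just the two `course-management-phil/*` secrets. Prefer a container-specific identity: `sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.generateKey = true;` (dropping `sshKeyPaths`), register that key's public half as a recipient in `.sops.yaml`, and delete the commented-out `bindMounts` block rather than leaving it as documentation of the workaround. Separately, since the container still has no `privateNetwork`, `listenPort = 5001` is bound in the host's network namespace; unless the course-management module binds it to loopback, that port is reachable from outside next to the nginx on 127.0.0.1:8084 — worth confirming before this goes live.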
@@ -0,0 +1,2 @@
+ldapsearch -o ldif-wrap=no -x -D "uid=search,ou=users,dc=ifsr,dc=de" -w $(cat /run/secrets/portunus/search-password) '(&(objectClass=posixAccount)(uid='rouven.seifert'))' 'sshPublicKey' -b "ou=users,dc=ifsr,dc=de" \
+| awk '/^sshPublicKey/{$1=""; p=1} /^$/{p=0} {printf p?$0:""}'
-- 2.44.2
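Review bot: `-w $(cat /run/secrets/portunus/search-password)` puts the LDAP bind password on ldapsearch's command line, where any local user can read it via `ps` or `/proc/<pid>/cmdline` for the duration of the query; ldapsearch reads it from a file instead with `-y /run/secrets/portunus/search-password` (mind that a trailing newline in the file becomes part of the password). The script also has no shebang and no `set -euo pipefail`, hardcodes one person's uid, and lands as a non-executable `test.sh` in a commit titled "on-metal fixes", so it reads like a scratch file that went in by accident. If it is meant to stay (as an `AuthorizedKeysCommand`-style helper, presumably), it should take the uid as `$1` and validate it against a strict pattern before splicing it into the filter, because `(uid='…')` is built by plain string concatenation.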