courses: phil: init as container #73
|
|
@ -22,6 +22,7 @@
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
quitte = nixpkgs.lib.nixosSystem {
|
quitte = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
specialArgs = inputs;
|
||||||
modules = [
|
modules = [
|
||||||
inputs.sops-nix.nixosModules.sops
|
inputs.sops-nix.nixosModules.sops
|
||||||
inputs.kpp.nixosModules.default
|
inputs.kpp.nixosModules.default
|
||||||
|
|
@ -53,6 +54,7 @@
|
||||||
./modules/website.nix
|
./modules/website.nix
|
||||||
./modules/zsh.nix
|
./modules/zsh.nix
|
||||||
./modules/course-management.nix
|
./modules/course-management.nix
|
||||||
|
./modules/courses-phil.nix
|
||||||
./modules/gitea.nix
|
./modules/gitea.nix
|
||||||
{
|
{
|
||||||
sops.defaultSopsFile = ./secrets/quitte.yaml;
|
sops.defaultSopsFile = ./secrets/quitte.yaml;
|
||||||
|
|
|
||||||
|
|
@ -1,54 +1,95 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, sops-nix, course-management, ... }:
|
||||||
let
|
let
|
||||||
hostName = "phil.${config.networking.domain}";
|
hostName = "phil.${config.networking.domain}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
services.nginx.virtualHosts."${hostName}" = {
|
||||||
|
locations."/".proxyPass = "http://127.0.0.1:8084";
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
|
||||||
containers."courses-phil".config = {
|
containers."courses-phil" = {
|
||||||
sops.defaultSopsFile = ../secrets/quitte.yaml;
|
autoStart = true;
|
||||||
sops.secrets =
|
# forbidden sadly, I will copy the keys manually. Not very beautiful but it works
|
||||||
let inherit (config.services.course-management) user;
|
# bindMounts = {
|
||||||
in
|
# hostPath = "/etc/ssh";
|
||||||
{
|
# mountPoint = "/etc/ssh";
|
||||||
"course-management/secret-key".owner = user;
|
# };
|
||||||
"course-management/adminpass".owner = user;
|
config = { pkgs, config, ... }: {
|
||||||
|
networking.domain = "ifsr.de";
|
||||||
|
imports = [
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
course-management.nixosModules.default
|
||||||
|
];
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
sops.age.generateKey = false;
|
||||||
|
sops.defaultSopsFile = ../secrets/quitte.yaml;
|
||||||
|
sops.secrets =
|
||||||
|
let inherit (config.services.course-management) user;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"course-management-phil/secret-key".owner = user;
|
||||||
|
"course-management-phil/adminpass".owner = user;
|
||||||
|
};
|
||||||
|
systemd.services.course-management.after = [ "postgresql.service" ];
|
||||||
|
services.course-management = {
|
||||||
|
inherit hostName;
|
||||||
|
enable = true;
|
||||||
|
listenPort = 5001;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path;
|
||||||
|
adminPassFile = config.sops.secrets."course-management-phil/adminpass".path;
|
||||||
|
admins = [{
|
||||||
|
name = "Root iFSR";
|
||||||
|
email = "root@${config.networking.domain}";
|
||||||
|
}];
|
||||||
|
database = {
|
||||||
|
ENGINE = "django.db.backends.postgresql";
|
||||||
|
NAME = "course-management";
|
||||||
|
};
|
||||||
|
email = lib.mkDefault {
|
||||||
|
fromEmail = "noreply@${config.networking.domain}";
|
||||||
|
serverEmail = "root@${config.networking.domain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
systemd.services.course-management.after = [ "postgresql.service" ];
|
security.acme = {
|
||||||
services.course-management = {
|
acceptTerms = true;
|
||||||
inherit hostName;
|
defaults = {
|
||||||
enable = true;
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path;
|
|
||||||
adminPassFile = config.sops.secrets."course-management-phil/adminpass".path;
|
|
||||||
admins = [{
|
|
||||||
name = "Root iFSR";
|
|
||||||
email = "root@${config.networking.domain}";
|
email = "root@${config.networking.domain}";
|
||||||
}];
|
|
||||||
database = {
|
|
||||||
ENGINE = "django.db.backends.postgresql";
|
|
||||||
NAME = "course-management";
|
|
||||||
};
|
|
||||||
email = lib.mkDefault {
|
|
||||||
fromEmail = "noreply@${config.networking.domain}";
|
|
||||||
serverEmail = "root@${config.networking.domain}";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
services.postgresql = {
|
||||||
services.postgresql = {
|
enable = true;
|
||||||
enable = true;
|
enableTCPIP = lib.mkForce false;
|
||||||
ensureUsers = [{
|
# port = 55555;
|
||||||
name = "course-management";
|
ensureUsers = [{
|
||||||
ensurePermissions = {
|
name = "course-management";
|
||||||
"DATABASE \"course-management\"" = "ALL PRIVILEGES";
|
ensurePermissions = {
|
||||||
};
|
"DATABASE \"course-management\"" = "ALL PRIVILEGES";
|
||||||
}];
|
};
|
||||||
ensureDatabases = [ "course-management" ];
|
}];
|
||||||
};
|
ensureDatabases = [ "course-management" ];
|
||||||
services.nginx.virtualHosts.${hostName} = {
|
};
|
||||||
enableACME = true;
|
systemd.services.postgresql.serviceConfig.ExecStart = lib.mkForce "${pkgs.postgresql}/bin/postgres -c listen_addresses=''";
|
||||||
forceSSL = true;
|
services.nginx = {
|
||||||
};
|
enable = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
|
||||||
|
|
||||||
|
virtualHosts.${hostName} = {
|
||||||
|
listen = [{
|
||||||
|
addr = "127.0.0.1";
|
||||||
|
port = 8084;
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
2
test.sh
Normal file
2
test.sh
Normal file
|
|
@ -0,0 +1,2 @@
|
||||||
|
ldapsearch -o ldif-wrap=no -x -D "uid=search,ou=users,dc=ifsr,dc=de" -w $(cat /run/secrets/portunus/search-password) '(&(objectClass=posixAccount)(uid='rouven.seifert'))' 'sshPublicKey' -b "ou=users,dc=ifsr,dc=de" \
|
||||||
|
| awk '/^sshPublicKey/{$1=""; p=1} /^$/{p=0} {printf p?$0:""}'
|
||||||
Loading…
Reference in a new issue