2023-09-27 16:43:12 +02:00
3 changed files with 87 additions and 42 deletions
--- a/flake.nix
+++ b/flake.nix
@ -22,6 +22,7 @@
      nixosConfigurations = {
        quitte = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
+          specialArgs = inputs;
          modules = [
            inputs.sops-nix.nixosModules.sops
            inputs.kpp.nixosModules.default
@ -53,6 +54,7 @@
            ./modules/website.nix
            ./modules/zsh.nix
            ./modules/course-management.nix
+            ./modules/courses-phil.nix
            ./modules/gitea.nix
            {
              sops.defaultSopsFile = ./secrets/quitte.yaml;
--- a/modules/courses-phil.nix
+++ b/modules/courses-phil.nix
@ -1,54 +1,95 @@
-{ config, lib, ... }:
+{ config, lib, sops-nix, course-management, ... }:
 let
  hostName = "phil.${config.networking.domain}";
 in
 {
+  services.nginx.virtualHosts."${hostName}" = {
+    locations."/".proxyPass = "http://127.0.0.1:8084";
+    enableACME = true;
+    forceSSL = true;
+  };

-  containers."courses-phil".config = {
-    sops.defaultSopsFile = ../secrets/quitte.yaml;
-    sops.secrets =
-      let inherit (config.services.course-management) user;
-      in
-      {
-        "course-management/secret-key".owner = user;
-        "course-management/adminpass".owner = user;
+  containers."courses-phil" = {
+    autoStart = true;
+    # forbidden sadly, I will copy the keys manually. Not very beautiful but it works
+    # bindMounts = {
+    #   hostPath = "/etc/ssh";
+    #   mountPoint = "/etc/ssh";
+    # };
+    config = { pkgs, config, ... }: {
+      networking.domain = "ifsr.de";
+      imports = [
+        sops-nix.nixosModules.sops
+        course-management.nixosModules.default
+      ];
+      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      sops.age.generateKey = false;
+      sops.defaultSopsFile = ../secrets/quitte.yaml;
+      sops.secrets =
+        let inherit (config.services.course-management) user;
+        in
+        {
+          "course-management-phil/secret-key".owner = user;
+          "course-management-phil/adminpass".owner = user;
+        };
+      systemd.services.course-management.after = [ "postgresql.service" ];
+      services.course-management = {
+        inherit hostName;
+        enable = true;
+        listenPort = 5001;
+
+        settings = {
+          secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path;
+          adminPassFile = config.sops.secrets."course-management-phil/adminpass".path;
+          admins = [{
+            name = "Root iFSR";
+            email = "root@${config.networking.domain}";
+          }];
+          database = {
+            ENGINE = "django.db.backends.postgresql";
+            NAME = "course-management";
+          };
+          email = lib.mkDefault {
+            fromEmail = "noreply@${config.networking.domain}";
+            serverEmail = "root@${config.networking.domain}";
+          };
+        };
      };
-    systemd.services.course-management.after = [ "postgresql.service" ];
-    services.course-management = {
-      inherit hostName;
-      enable = true;
-
-      settings = {
-        secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path;
-        adminPassFile = config.sops.secrets."course-management-phil/adminpass".path;
-        admins = [{
-          name = "Root iFSR";
+      security.acme = {
+        acceptTerms = true;
+        defaults = {
          email = "root@${config.networking.domain}";
-        }];
-        database = {
-          ENGINE = "django.db.backends.postgresql";
-          NAME = "course-management";
-        };
-        email = lib.mkDefault {
-          fromEmail = "noreply@${config.networking.domain}";
-          serverEmail = "root@${config.networking.domain}";
        };
      };
-    };
-    services.postgresql = {
-      enable = true;
-      ensureUsers = [{
-        name = "course-management";
-        ensurePermissions = {
-          "DATABASE \"course-management\"" = "ALL PRIVILEGES";
-        };
-      }];
-      ensureDatabases = [ "course-management" ];
-    };
-    services.nginx.virtualHosts.${hostName} = {
-      enableACME = true;
-      forceSSL = true;
-    };
+      services.postgresql = {
+        enable = true;
+        enableTCPIP = lib.mkForce false;
+        # port = 55555;
+        ensureUsers = [{
+          name = "course-management";
+          ensurePermissions = {
+            "DATABASE \"course-management\"" = "ALL PRIVILEGES";
+          };
+        }];
+        ensureDatabases = [ "course-management" ];
+      };
+      systemd.services.postgresql.serviceConfig.ExecStart = lib.mkForce "${pkgs.postgresql}/bin/postgres -c listen_addresses=''";
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedTlsSettings = true;

+
+        virtualHosts.${hostName} = {
+          listen = [{
+            addr = "127.0.0.1";
+            port = 8084;
+          }];
+        };
+      };
+
+    };
  };
 }
--- a/test.sh
+++ b/test.sh
@ -0,0 +1,2 @@
+ldapsearch -o ldif-wrap=no -x -D "uid=search,ou=users,dc=ifsr,dc=de" -w $(cat /run/secrets/portunus/search-password) '(&(objectClass=posixAccount)(uid='rouven.seifert'))' 'sshPublicKey' -b "ou=users,dc=ifsr,dc=de" \
+| awk '/^sshPublicKey/{$1=""; p=1} /^$/{p=0} {printf p?$0:""}'