From 8627ed8dc10c28ee150000606760c35c9621021f Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Fri, 19 Jul 2024 11:35:19 +0200
Subject: [PATCH] yuzuru/li7y: Init

For now, it is implemented using OCI containers for fast deployments.
---
 machines/yuzuru/configuration.nix | 1 +
 machines/yuzuru/secrets.yaml | 5 +--
 machines/yuzuru/services/li7y.nix | 60 +++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100644 machines/yuzuru/services/li7y.nix

diff --git a/machines/yuzuru/configuration.nix b/machines/yuzuru/configuration.nix
index 6ef8a75..e873c1c 100644
--- a/machines/yuzuru/configuration.nix
+++ b/machines/yuzuru/configuration.nix
@@ -10,6 +10,7 @@
     ../../modules
     ./services/static-sites.nix
+    ./services/li7y.nix
   ];
   sbruder = {
diff --git a/machines/yuzuru/secrets.yaml b/machines/yuzuru/secrets.yaml
index 8f307b2..ff423c9 100644
--- a/machines/yuzuru/secrets.yaml
+++ b/machines/yuzuru/secrets.yaml
@@ -1,12 +1,13 @@
 wg-home-private-key: ENC[AES256_GCM,data:0ylkx9p62CBGqVg+T52eHbMwbLcZM/v3tg/wJukDq76heN1TtQqbbqgVZKc=,iv:/aUkqKhihnBWQFLIRjS7kHigBCBXX7L4KY5q+cO9Q00=,tag:jQSMVElMfIyrG5hs7HuxUQ==,type:str]
+li7y-environment: ENC[AES256_GCM,data:cm4+672JelbYsBm0rwrF/I9gS72XfAlj335v0+EfXmPSD1LCBJ3clR7jZC7SVH5D9ZSaSlrY8J/+7hgDmzsiR2kypNBvfMvN825AF5QFehnYeHhxUktU+uig7RzpRUeWSPM0r8j6lmpGNc7vd3S+L3TWn2ZfCJ8Kc28Ad2M9yFiZ7PPqB6qqLnsx2peQuafDhefuohLPOYA=,iv:84yL6l7zqeb7l3w3ARskJoQEvI1+HxoCCKrLhB0kx7E=,tag:GCetAOW7pvyjKEM26A9ZbA==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-01-02T22:37:47Z"
-    mac: ENC[AES256_GCM,data:oBfM/DF/TfWJIW1VlvZ4Z+vBQxCmHm8J83pjILtHFBwU14f1H09iIsswY1xyAwO9wO3cttf4xjrSa6mGGUyQFqLdEzj8z/JkCm1vwpLZQW+j8FpRjH1ryyE6G/3eS5tboUZgmAwBPDsulJr3NBi121RHhZvWf1dv2T/J5IcZMxI=,iv://TpDpO8tNaibh8ABqE1AT6CPK62rtUZiFmYP9ST3MA=,tag:5SErG/jDycIdxX3ABOcsow==,type:str]
+    lastmodified: "2024-07-14T17:32:43Z"
+    mac: ENC[AES256_GCM,data:7D9xHNpdhI6CgX94PAoJJIJqVZ403ZL7dXbdnod2do4M+Qf0yRrRDxi6hPipf0BX0vsSq1npdiXcnwP50PZHal8LW7IJRjfefW5WnO+BLD42sIxt5mikdNfZhpyg3dHB7j+8m1lE1+veK/Ho06V32sckibhBG4AFBfMZ/k1VIns=,iv:NS9CaSyEUdmJEKFejiaugtZ5Nf8norhoaCaOwPZsxow=,tag:Y2Nu92iYO0PSqtXMLc3D7g==,type:str]
     pgp:
         - created_at: "2024-01-22T00:20:20Z"
           enc: |-
diff --git a/machines/yuzuru/services/li7y.nix b/machines/yuzuru/services/li7y.nix
new file mode 100644
index 0000000..681df9d
--- /dev/null
+++ b/machines/yuzuru/services/li7y.nix
@@ -0,0 +1,60 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, pkgs, ... }:
+
+{
+  sops.secrets.li7y-environment = {
+    sopsFile = ../secrets.yaml;
+    owner = "li7y";
+  };
+
+  users.users.li7y = {
+    isSystemUser = true;
+    home = "/var/lib/li7y";
+    createHome = true;
+    group = "li7y";
+  };
+  users.groups.li7y = { };
+
+  virtualisation = {
+    podman = {
+      enable = true;
+      defaultNetwork.settings = {
+        ipv6_enabled = true;
+      };
+    };
+  };
+
+  systemd.services.podman-li7y = {
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      ExecStartPre = "${pkgs.podman}/bin/podman pull git.sbruder.de/simon/li7y";
+      ExecStart = "${pkgs.podman}/bin/podman run --rm --name=li7y --userns=keep-id -v /run/postgresql:/run/postgresql --env-file ${config.sops.secrets.li7y-environment.path} -e 'DATABASE_URL=postgres:///?port=5432&host=/run/postgresql' -e LISTEN_ADDRESS=:: -p 127.0.0.1:8080:8080 git.sbruder.de/simon/li7y";
+      User = "li7y";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."i7y.eu" = {
+      forceSSL = true;
+      enableACME = true;
+
+      locations."/".proxyPass = "http://127.0.0.1:8080";
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "li7y" ];
+    ensureUsers = [
+      {
+        name = "li7y";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+}
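Review bot: The image reference in `ExecStartPre` and `ExecStart` of `systemd.services.podman-li7y` is unpinned (`git.sbruder.de/simon/li7y` with no tag or digest), so every service start pulls whatever the registry currently serves and what runs under the `li7y` user can change without any change to this repository, which also makes rollbacks through git impossible. Pinning at least a tag and preferably a digest, e.g. `git.sbruder.de/simon/li7y@sha256:<pinned-digest>` (placeholder) in both lines, keeps the deployed version reproducible and reviewable. Separately, the unit declares no ordering although the pull needs the network and the container mounts the PostgreSQL socket, and it has no `Restart`, so a start before `postgresql.service` is up fails and stays down; the lines below add the dependencies and a restart policy. Whether `--userns=keep-id` under rootless podman also needs subordinate IDs for this system user (`autoSubUidGidRange = true` on `users.users.li7y`) depends on the image's UID layout and should be confirmed on the host.
```nix
  systemd.services.podman-li7y = {
    wantedBy = [ "multi-user.target" ];
    # The pull needs the network and the container mounts the PostgreSQL socket.
    after = [ "network-online.target" "postgresql.service" ];
    wants = [ "network-online.target" ];
    requires = [ "postgresql.service" ];

    serviceConfig = {
      # <pinned-image-ref>: tag or @sha256 digest of the release being deployed
      ExecStartPre = "${pkgs.podman}/bin/podman pull <pinned-image-ref>";
      # … unchanged: ExecStart, with the same pinned reference in place of the bare image name …
      User = "li7y";
      Restart = "on-failure";
    };
  };
```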