-rw-r--r-- | nix/machines/vm-synology/default.nix | 2 | ||||
-rw-r--r-- | nix/machines/vm-synology/git.nix | 94 | ||||
-rw-r--r-- | nix/machines/vm-synology/web.nix | 60 | ||||
-rw-r--r-- | secrets/ddns-updater.age | bin | 839 -> 982 bytes | |||
-rw-r--r-- | secrets/restic-backups.age | 12 |
5 files changed, 161 insertions, 7 deletions
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix
index 690e474..68952c6 100644
--- a/nix/machines/vm-synology/default.nix
+++ b/nix/machines/vm-synology/default.nix
@@ -1,5 +1,5 @@
 { ... }: {
- imports = [ ./hardware.nix ../vm-shared.nix ./ddns.nix ];
+ imports = [ ./hardware.nix ../vm-shared.nix ./ddns.nix ./web.nix ./git.nix ];
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
diff --git a/nix/machines/vm-synology/git.nix b/nix/machines/vm-synology/git.nix
new file mode 100644
index 0000000..a6e7f88
--- /dev/null
+++ b/nix/machines/vm-synology/git.nix
@@ -0,0 +1,94 @@
+{ pkgs, lib, ... }: {
+
+ services.gitolite = {
+ enable = true;
+ adminPubkey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ # Make dirs/files group readable, needed for webserver/cgit. (Default
+ # setting is 0077.)
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
+ $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
+ push( @{$RC{ENABLE}}, 'symbolic-ref' );
+ '';
+ };
+
+ # let's make sure the default branch is `main'.
+ systemd.tmpfiles.rules = [
+ "C /var/lib/gitolite/.gitconfig - git git 0644 ${
+ pkgs.writeText "gitolite-gitconfig" ''
+ [init]
+ defaultBranch = main
+ ''
+ }"
+ ];
+
+ services.cgit.main = {
+ enable = true;
+ package = pkgs.cgit-pink;
+ user = "git";
+ group = "git";
+ nginx.virtualHost = "git.fcuny.net";
+ scanPath = "/var/lib/gitolite/repositories";
+ settings = {
+ css = "/cgit.css";
+ logo = "/cgit.png";
+ favicon = "/favicon.ico";
+ robots = "noindex, nofollow";
+ # TODO readme.org
+ readme = ":README.md";
+ project-list = "/var/lib/gitolite/projects.list";
+ about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
+ source-filter =
+ "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
+ clone-url =
+ (lib.concatStringsSep " " [ "https://git.fcuny.net/$CGIT_REPO_URL" ]);
+ enable-log-filecount = 1;
+ enable-log-linecount = 1;
+ enable-git-config = 1;
+ enable-blame = 1;
+ enable-commit-graph = 1;
+ enable-follow-links = 1;
+ enable-index-links = 1;
+ enable-remote-branches = 1;
+ enable-subject-links = 1;
+ enable-tree-linenumbers = 1;
+ max-atom-items = 108;
+ max-commit-count = 250;
+ max-repo-count = 500;
+ repository-sort = "age";
+ snapshots = "tar.gz";
+ root-title = "¯\\_(ツ)_/¯";
+ root-desc = "source code of my various projects";
+ };
+ };
+
+ # TODO also rsync the backups to the nas
+ # TODO need the ssh key for the nas for rsync ?
+ age.secrets.restic = {
+ file = ../../../secrets/restic-backups.age;
+ owner = "root";
+ group = "root";
+ path = "/etc/restic/secret";
+ mode = "600";
+ };
+
+ # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
+ services.restic.backups.git = {
+ passwordFile = "/etc/restic/secret";
+ repository = "/srv/backups/git";
+ initialize = true;
+ paths = [ "/var/lib/gitolite" ];
+ exclude = [
+ "/var/lib/gitolite/.bash_history"
+ "/var/lib/gitolite/.ssh"
+ "/var/lib/gitolite/.viminfo"
+ ];
+ extraBackupArgs = [ "--exclude-caches" "--compression=max" ];
+ timerConfig = { OnCalendar = "daily"; };
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 3" ];
+ };
+}
diff --git a/nix/machines/vm-synology/web.nix b/nix/machines/vm-synology/web.nix
new file mode 100644
index 0000000..f9c34cc
--- /dev/null
+++ b/nix/machines/vm-synology/web.nix
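Review bot: cgit documents that `project-list` must be defined before `scan-path`, and this hunk sets `project-list` inside `settings` while `scanPath` is a separate module option, so the order of the generated cgitrc decides whether the list is honoured; the NixOS module appears to render `settings` ahead of `scan-path`, but that is worth confirming on the deployed host, because if the list is ignored every repository under `/var/lib/gitolite/repositories` — including `gitolite-admin.git`, which holds the access configuration and key directory — becomes browsable on git.fcuny.net rather than only the repositories gitolite exports to `projects.list`. A smaller point: `passwordFile = "/etc/restic/secret"` repeats the path declared in `age.secrets.restic.path` a few lines above; taking `config` in the module arguments (`{ config, pkgs, lib, ... }:`) and writing `passwordFile = config.age.secrets.restic.path;` keeps the two from drifting apart. The restic repository at `/srv/backups/git` lives on the same VM as the data it protects, which the TODO comments already acknowledge; until the off-host copy exists this backup covers accidental deletion and bad pushes, not loss or compromise of the machine.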
@@ -0,0 +1,60 @@
+{ ... }: {
+ # container for excalidraw
+ virtualisation.oci-containers.containers.excalidraw = {
+ autoStart = true;
+ image = "excalidraw/excalidraw:latest";
+ environment = { TZ = "America/Los_Angeles"; };
+ ports = [ "127.0.0.1:3030:80" ];
+ extraOptions = [ "--pull=always" ];
+ };
+
+ security.acme = {
+ defaults.email = "acme@fcuny.net";
+ acceptTerms = true;
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "test.fcuny.net" = {
+ # make it the default site: if a request goes through nginx
+ # without a host header, this will be the default site we serve
+ # for that request.
+ default = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = { root = "/srv/www/fcuny.net"; };
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ "git.fcuny.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ "draw.fcuny.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:3030";
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/acme-challenges";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/ddns-updater.age b/secrets/ddns-updater.age
index d457178..7089031 100644
--- a/secrets/ddns-updater.age
+++ b/secrets/ddns-updater.age
Binary files differ
diff --git a/secrets/restic-backups.age b/secrets/restic-backups.age
index 5e8ea2f..70c4bcc 100644
--- a/secrets/restic-backups.age
+++ b/secrets/restic-backups.age
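Review bot: `image = "excalidraw/excalidraw:latest"` together with `extraOptions = [ "--pull=always" ]` means every start of the container fetches whatever the registry currently serves under a mutable tag, so the code actually running behind draw.fcuny.net is not fixed by this configuration and a registry-side change lands without any commit to review it; pinning by digest, `image = "excalidraw/excalidraw@sha256:<DIGEST-PLACEHOLDER>";`, turns image updates into an explicit, diffable change, and `--pull=always` then becomes harmless. The three hand-written `"/.well-known/acme-challenge"` locations look redundant: with `enableACME = true` the NixOS nginx module already serves the challenge directory for that virtual host from its `acmeRoot` option, whose default is the same `/var/lib/acme/acme-challenges`, so they can most likely be dropped — confirm against the nixpkgs revision in use. Binding the container to `127.0.0.1:3030` and reaching it only through the TLS virtual host is the right shape; a brief comment on the `ports` line saying the loopback bind is deliberate would stop a later edit from widening it.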
@@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 9Ia8+w mPCN4AjX68aTAy5yMB2ZK7dGHex/1KzgHtIwH3EGn10 -qkAnGg8E6CaGoOFTl5KrkSrb2JVuUjRK2nJQM8UUQec --> ssh-ed25519 pXC0Mg pdnJb3OKYTDJ2I083v7On6MMfAm8GrgVWVtet/aJzCM -qs5Q/xk6KFWgFzN5L+oWAw6VGiGZ1ZXRt4WZglnrdV0 ---- 2ev3nTb+Qhfg6CZnPOJcayE9mp4B1QcHmywEM4al+R0 -PSܮR; z_b25ωEp5Wp \ No newline at end of file +-> ssh-ed25519 9Ia8+w yiSD9W1I3M/Rg8c6QpzRpEd7eNVLjfISYFh/3/dVgl0 +bR8A17+lv7sStJyxhsr8zQROWdzUbVWMkttpIXXA4tw +-> ssh-ed25519 pXC0Mg 6kBmBLXNvNzA/8a1XYTB5cZpSgL+6D2aeg23cy1GqU0 +MN7srTewbHXBWPOd8LAQdPF8TKZ7t3Fi1rOncDOCfoU +--- lNp487YxUggnR0bhdm4QA+1kYFdvbT34W79CzLWXE7I +;^{_Wp[gy[`(4rm۶hgOG \ No newline at end of file |