diff options
Diffstat (limited to 'nix')
| -rw-r--r-- | nix/machines/vm-synology/default.nix | 2 | ||||
| -rw-r--r-- | nix/machines/vm-synology/git.nix | 94 | ||||
| -rw-r--r-- | nix/machines/vm-synology/web.nix | 60 |
3 files changed, 155 insertions, 1 deletions
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix index 690e474..68952c6 100644 --- a/nix/machines/vm-synology/default.nix +++ b/nix/machines/vm-synology/default.nix @@ -1,5 +1,5 @@ { ... }: { - imports = [ ./hardware.nix ../vm-shared.nix ./ddns.nix ]; + imports = [ ./hardware.nix ../vm-shared.nix ./ddns.nix ./web.nix ./git.nix ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; diff --git a/nix/machines/vm-synology/git.nix b/nix/machines/vm-synology/git.nix new file mode 100644 index 0000000..a6e7f88 --- /dev/null +++ b/nix/machines/vm-synology/git.nix @@ -0,0 +1,94 @@ +{ pkgs, lib, ... }: { + + services.gitolite = { + enable = true; + adminPubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"; + user = "git"; + group = "git"; + extraGitoliteRc = '' + # Make dirs/files group readable, needed for webserver/cgit. (Default + # setting is 0077.) + $RC{UMASK} = 0027; + $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner'; + $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"; + push( @{$RC{ENABLE}}, 'symbolic-ref' ); + ''; + }; + + # let's make sure the default branch is `main'. + systemd.tmpfiles.rules = [ + "C /var/lib/gitolite/.gitconfig - git git 0644 ${ + pkgs.writeText "gitolite-gitconfig" '' + [init] + defaultBranch = main + '' + }" + ]; + + services.cgit.main = { + enable = true; + package = pkgs.cgit-pink; + user = "git"; + group = "git"; + nginx.virtualHost = "git.fcuny.net"; + scanPath = "/var/lib/gitolite/repositories"; + settings = { + css = "/cgit.css"; + logo = "/cgit.png"; + favicon = "/favicon.ico"; + robots = "noindex, nofollow"; + # TODO readme.org + readme = ":README.md"; + project-list = "/var/lib/gitolite/projects.list"; + about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh"; + source-filter = + "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py"; + clone-url = + (lib.concatStringsSep " " [ "https://git.fcuny.net/$CGIT_REPO_URL" ]); + enable-log-filecount = 1; + enable-log-linecount = 1; + enable-git-config = 1; + enable-blame = 1; + enable-commit-graph = 1; + enable-follow-links = 1; + enable-index-links = 1; + enable-remote-branches = 1; + enable-subject-links = 1; + enable-tree-linenumbers = 1; + max-atom-items = 108; + max-commit-count = 250; + max-repo-count = 500; + repository-sort = "age"; + snapshots = "tar.gz"; + root-title = "¯\\_(ツ)_/¯"; + root-desc = "source code of my various projects"; + }; + }; + + # TODO also rsync the backups to the nas + # TODO need the ssh key for the nas for rsync ? + age.secrets.restic = { + file = ../../../secrets/restic-backups.age; + owner = "root"; + group = "root"; + path = "/etc/restic/secret"; + mode = "600"; + }; + + # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix + services.restic.backups.git = { + passwordFile = "/etc/restic/secret"; + repository = "/srv/backups/git"; + initialize = true; + paths = [ "/var/lib/gitolite" ]; + exclude = [ + "/var/lib/gitolite/.bash_history" + "/var/lib/gitolite/.ssh" + "/var/lib/gitolite/.viminfo" + ]; + extraBackupArgs = [ "--exclude-caches" "--compression=max" ]; + timerConfig = { OnCalendar = "daily"; }; + pruneOpts = [ "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 3" ]; + }; +} diff --git a/nix/machines/vm-synology/web.nix b/nix/machines/vm-synology/web.nix new file mode 100644 index 0000000..f9c34cc --- /dev/null +++ b/nix/machines/vm-synology/web.nix @@ -0,0 +1,60 @@ +{ ... }: { + # container for excalidraw + virtualisation.oci-containers.containers.excalidraw = { + autoStart = true; + image = "excalidraw/excalidraw:latest"; + environment = { TZ = "America/Los_Angeles"; }; + ports = [ "127.0.0.1:3030:80" ]; + extraOptions = [ "--pull=always" ]; + }; + + security.acme = { + defaults.email = "acme@fcuny.net"; + acceptTerms = true; + }; + + services.nginx = { + enable = true; + + recommendedProxySettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts = { + "test.fcuny.net" = { + # make it the default site: if a request goes through nginx + # without a host header, this will be the default site we serve + # for that request. + default = true; + forceSSL = true; + enableACME = true; + locations = { + "/" = { root = "/srv/www/fcuny.net"; }; + "/.well-known/acme-challenge" = { + root = "/var/lib/acme/acme-challenges"; + }; + }; + }; + "git.fcuny.net" = { + forceSSL = true; + enableACME = true; + locations = { + "/.well-known/acme-challenge" = { + root = "/var/lib/acme/acme-challenges"; + }; + }; + }; + "draw.fcuny.net" = { + forceSSL = true; + enableACME = true; + locations = { + "/".proxyPass = "http://127.0.0.1:3030"; + "/.well-known/acme-challenge" = { + root = "/var/lib/acme/acme-challenges"; + }; + }; + }; + }; + }; +} |