Diffstat (limited to 'modules')
| -rw-r--r-- | modules/attic.nix | 78 | ||||
| -rw-r--r-- | modules/buildbot.nix | 27 | ||||
| -rw-r--r-- | modules/keycloak.nix | 67 | ||||
| -rw-r--r-- | modules/postgres.nix | 13 |
4 files changed, 185 insertions, 0 deletions
diff --git a/modules/attic.nix b/modules/attic.nix
new file mode 100644
index 0000000..7476d57
--- /dev/null
+++ b/modules/attic.nix
@@ -0,0 +1,78 @@
+{
+ inputs,
+ config,
+ pkgs,
+ ...
+}:
+let
+ atticdPort = 3215;
+in
+{
+ imports = [
+ inputs.attic.nixosModules.atticd
+ ];
+
+ sops.secrets = {
+ attic_server_token_rs256_secret_base64 = { };
+ };
+
+ systemd.services.atticd-env =
+ let
+ createEnvScript = pkgs.writeShellScript "atticd-env" ''
+ set -euo pipefail
+ umask 077
+ value="$(<${config.sops.secrets.attic_server_token_rs256_secret_base64.path})"
+ printf "ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=\"%s\"\n" "$value" > /etc/atticd.env
+ '';
+ in
+ {
+ description = "Create /etc/atticd.env if missing";
+ before = [ "atticd.service" ];
+ wantedBy = [ "atticd.service" ];
+ unitConfig.ConditionPathExists = "!/etc/atticd.env";
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = createEnvScript;
+ };
+ };
+
+ services.atticd = {
+ enable = true;
+ environmentFile = "/etc/atticd.env";
+ mode = "monolithic";
+
+ settings = {
+ api-endpoint = "https://attic.kjtsanaktsidis.id.au";
+ allowed-hosts = [ "attic.kjtsanaktsidis.id.au" ];
+ listen = "[::]:${builtins.toString atticdPort}";
+ jwt = { };
+ chunking = {
+ nar-size-threshold = 64 * 1024; # 64 KiB
+ min-size = 16 * 1024; # 16 KiB
+ avg-size = 64 * 1024; # 64 KiB
+ max-size = 256 * 1024; # 256 KiB
+ };
+ database = {
+ url = "sqlite:///var/lib/atticd/server.db";
+ };
+ storage = {
+ type = "local";
+ path = "/var/lib/atticd/storage";
+ };
+ };
+ };
+
+
+ services.nginx = {
+ virtualHosts."attic.kjtsanaktsidis.id.au" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${builtins.toString atticdPort}";
+ };
+ };
+ };
+ };
+}
diff --git a/modules/buildbot.nix b/modules/buildbot.nix
new file mode 100644
index 0000000..6ace501
--- /dev/null
+++ b/modules/buildbot.nix
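Review bot: `listen = "[::]:${builtins.toString atticdPort}"` binds atticd on every interface although only the nginx vhost in the same hunk needs to reach it, so port 3215 is also reachable directly unless a firewall elsewhere closes it; the other two services in this commit bind loopback only (buildbot `listenAddress = "::1"`, keycloak `http-host = "127.0.0.1"`). Change to `listen = "[::1]:${builtins.toString atticdPort}";` and make the proxy target explicit with `proxyPass = "http://[::1]:${builtins.toString atticdPort}";` so backend and proxy agree without depending on how `localhost` resolves. Separately, `unitConfig.ConditionPathExists = "!/etc/atticd.env"` means a rotated sops secret never reaches the env file after the first boot; since the oneshot is cheap, rewriting the file unconditionally (or rendering it through sops-nix instead of a hand-written script) keeps the running token in sync with the secret.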
@@ -0,0 +1,27 @@
+{
+ config,
+ lib,
+ ...
+}:
+{
+ services.buildbot-master = {
+ enable = true;
+ home = "/var/lib/buildbot";
+ title = "KJ's NixOS buildbot";
+ port = 3214;
+ listenAddress = "::1";
+ buildbotUrl = "https://buildbot.kjtsanaktsidis.id.au/";
+ };
+
+ services.nginx = {
+ virtualHosts."buildbot.kjtsanaktsidis.id.au" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${builtins.toString config.services.buildbot-master.port}";
+ };
+ };
+ };
+ };
+}
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
new file mode 100644
index 0000000..8e2025d
--- /dev/null
+++ b/modules/keycloak.nix
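Review bot: `proxyPass = "http://localhost:..."` is paired with `listenAddress = "::1"`, so the proxy only works if nginx resolves `localhost` to ::1 as well as 127.0.0.1; pointing nginx at the literal address removes that resolver dependency: `proxyPass = "http://[::1]:${builtins.toString config.services.buildbot-master.port}";`. `lib` is bound in the module arguments but nothing in the body uses it. Nothing in this hunk configures web authentication or authorization for the master, which presumably leaves the UI at the buildbot defaults behind the public vhost — worth confirming that is intended, or noting it in a comment on `services.buildbot-master`.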
@@ -0,0 +1,67 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ sops.secrets = {
+ keycloak_bootstrap_password = {};
+ };
+
+ services.nginx = {
+ virtualHosts."keycloak.kjtsanaktsidis.id.au" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.keycloak.settings.http-port}";
+ };
+ };
+ };
+ };
+
+ services.keycloak = {
+ enable = true;
+ database = {
+ type = "postgresql";
+ createLocally = false;
+ passwordFile = "/dev/null";
+ };
+ settings = lib.mkOverride 10 {
+ db = "postgres";
+ db-url = "jdbc:postgresql://localhost/keycloak?socketFactory=org.newsclub.net.unix.AFUNIXSocketFactory$FactoryArg&socketFactoryArg=/var/run/postgresql/.s.PGSQL.5432";
+ db-username = "keycloak";
+ http-host = "127.0.0.1";
+ http-port = 3256;
+ hostname = "https://keycloak.kjtsanaktsidis.id.au";
+ http-enabled = true;
+ proxy-headers = "xforwarded";
+
+ vault = "file";
+ vault-dir = "\${CREDENTIALS_DIRECTORY}";
+
+ bootstrap-admin-username = "admin";
+ bootstrap-admin-password = { _secret = config.sops.secrets.keycloak_bootstrap_password.path; };
+ };
+ plugins = [
+ "${pkgs.junixsocket-common}/share/java/junixsocket-common-${pkgs.junixsocket-common.version}.jar"
+ "${pkgs.junixsocket-native-common}/share/java/junixsocket-native-common-${pkgs.junixsocket-native-common.version}.jar"
+ ];
+ };
+
+
+
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [{
+ name = "keycloak";
+ ensureDBOwnership = true;
+ }];
+ ensureDatabases = [ "keycloak" ];
+ authentication = lib.mkAfter ''
+ #type database DBuser auth-method
+ local keycloak keycloak peer
+ '';
+ };
+}
diff --git a/modules/postgres.nix b/modules/postgres.nix
new file mode 100644
index 0000000..8853aaa
--- /dev/null
+++ b/modules/postgres.nix
@@ -0,0 +1,13 @@
+{
+ lib,
+ ...
+}:
+{
+ services.postgresql = {
+ enable = true;
+ authentication = lib.mkBefore ''
+ #type database DBuser auth-method
+ local all postgres peer
+ '';
+ };
+}
|
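Review bot: `settings = lib.mkOverride 10 { ... }` lowers the priority of the whole attrset, so any `services.keycloak.settings` definitions made elsewhere (including whatever the module derives from the `database` options) are silently dropped instead of being merged or reported as a conflict; if the intent is only to win over the module's generated `db-*` values, apply the override to those individual keys (`db = lib.mkOverride 10 "postgres";`, likewise `db-url` and `db-username`) and leave the rest at normal priority. The `local keycloak keycloak peer` pg_hba rule together with `passwordFile = "/dev/null"` depends on the keycloak process actually running as the OS user `keycloak` when it connects through the socket named in `db-url`; that is not visible in this hunk, so it is worth confirming against the service's `User` setting and recording the assumption in a comment on `authentication`. `vault-dir = "\${CREDENTIALS_DIRECTORY}"` is passed as the literal string `${CREDENTIALS_DIRECTORY}`, and whether it is expanded before Keycloak reads it depends on how the module renders settings, which is also not shown here.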
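Review bot: The `#type database DBuser auth-method` header line is emitted into the generated pg_hba.conf by this snippet and again by the `lib.mkAfter` snippet in keycloak.nix, so the assembled file carries it more than once; a Nix-side comment such as `# columns: type database DBuser auth-method` documents the same thing without leaking into the runtime file. Placing `local all postgres peer` with `lib.mkBefore` makes it the first rule, which is the right position for an entry that must match ahead of broader rules; a one-line comment saying so would make the ordering intent explicit for the next editor.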
