From 8adcc0d5126781fcb09d47d95e3bc3399c3fb5b0 Mon Sep 17 00:00:00 2001 From: Gabriel Arazas Date: Sat, 10 Dec 2022 18:45:36 +0800 Subject: [PATCH] hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. --- hosts/plover/README.adoc | 26 ++++++++++++++--------- hosts/plover/default.nix | 34 +++++++++++++++++++++++++++---- hosts/plover/secrets/secrets.yaml | 6 +++--- 3 files changed, 49 insertions(+), 17 deletions(-) diff --git a/hosts/plover/README.adoc b/hosts/plover/README.adoc index 48c08525..dd2f4d02 100644 --- a/hosts/plover/README.adoc +++ b/hosts/plover/README.adoc @@ -20,6 +20,19 @@ Some of the self-hosted services from this server: +== General deployment guidelines + +If you want to deploy it anywhere else, you have to keep some things in mind. + +* This uses link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix] to decrypt secrets. +It mainly use the private key to the link:./files/age-key.pub[`./files/age-key.pub`] and move it to the appropriate location (i.e., `/var/lib/sops-nix/key.txt`). + +* Be sure to set the appropriate firewalls either in the NixOS configuration or in the VPS provider firewall settings. +Take note some formats such as Google Compute image disable them entirely so it's safer to leave the firewall service and just configure the allowed ports and other settings. + + + + == Deploying it as a Google Compute instance Some documented guidelines to deploy this instance in Google Cloud Platform (GCP) so you won't have to re-read those documentation like a stuck rat the next time you visit them. 
@@ -35,17 +48,10 @@ For this, you'll have to create a GCP keyring on their key management system (KM * Enable link:https://cloud.google.com/compute/docs/oslogin/set-up-oslogin[OS Login] for your Compute Engine instance. +* Enable HTTP and HTTPS traffic in the firewall settings. + * Don't forget to set the appropriate scopes for the instance. -For example, since we're using a GCP KMS key, we may want to set the scope only to KMS API like in the following command. -+ --- -[source, shell] ----- -gcloud compute instances create "instance-1" \ - --zone "us-east1-b" \ - --scopes "https://www.googleapis.com/auth/cloudkms" ----- --- +Use the least privileged scopes as much as possible. * Reserve a static IP address, pls. Just don't forget to immediately assign it to the instance since it will charge higher if you just leave it alone. diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix index 5fce5ff0..78671af5 100644 --- a/hosts/plover/default.nix +++ b/hosts/plover/default.nix @@ -4,6 +4,7 @@ let inherit (builtins) toString; domain = config.networking.domain; passwordManagerDomain = "pass.${domain}"; + codeForgeDomain = "code.${domain}"; # This should be set from service module from nixpkgs. vaultwardenUser = config.users.users.vaultwarden.name; @@ -23,7 +24,17 @@ in "${modulesPath}/profiles/hardened.nix" ]; - networking.domain = "foodogsquared.one"; + networking = { + domain = "foodogsquared.one"; + allowedTCPPorts = [ + 22 # Secure Shells. + 80 # HTTP servers. + 433 # HTTPS servers. + + config.services.gitea.httpPort + config.services.vaultwarden.config.ROCKET_PORT + ]; + }; sops.secrets = let @@ -120,7 +131,7 @@ in }; # Gitea instance. - "code.${config.networking.domain}" = { + "${codeForgeDomain}" = { forceSSL = true; enableACME = true; locations."/" = { 
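Review bot: The new port list under `networking` has `433 # HTTPS servers.` but HTTPS is TCP 443, so with the `forceSSL`/`enableACME` vhosts the TLS port stays closed while an unrelated port is opened; the attribute path also looks wrong, since NixOS keeps this list under `networking.firewall.allowedTCPPorts`, and `networking.allowedTCPPorts` would presumably fail evaluation as an undeclared option. Adding `config.services.gitea.httpPort` and `config.services.vaultwarden.config.ROCKET_PORT` to the firewall also exposes the backend HTTP listeners directly, bypassing the nginx TLS termination that the vhosts set up, so unless those services are bound to loopback (not visible here) Gitea and Vaultwarden become reachable in plaintext. I would keep only `firewall.allowedTCPPorts = [ 22 80 443 ];` inside the `networking` block and leave the backend ports to the reverse proxy. The enclosing module attrset starts and ends outside this hunk.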
@@ -170,6 +181,12 @@ in "SCHEMA ${vaultwardenDbName}" = "ALL PRIVILEGES"; }; } + { + name = config.services.gitea.user; + ensurePermissions = { + "SCHEMA ${config.services.gitea.user}" = "ALL PRIVILEGES"; + }; + } ]; }; @@ -181,6 +198,9 @@ in type = "postgres"; passwordFile = config.sops.secrets."plover/gitea/db/password".path; }; + domain = codeForgeDomain; + rootUrl = "https://${codeForgeDomain}"; + httpPort = 8432; lfs.enable = true; mailerPasswordFile = config.sops.secrets."plover/gitea/smtp/password".path; @@ -226,7 +246,7 @@ in SMTP_PORT = 587; USER = "apikey"; FROM = "Gitea"; - ENVELOPE_FROM = "gitea@foodogsquared.one"; + ENVELOPE_FROM = "bot+gitea@foodogsquared.one"; SEND_AS_PLAIN_TEXT = true; }; @@ -285,7 +305,13 @@ in # Configuring the database. Take note it is required to create a password # for the user. - DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}?application_name=vaultwarden&options=-c%20search_path%3D${vaultwardenUser}"; + DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}"; + + # Mailer service configuration (except the user and password). + SMTP_HOST = "smtp.sendgrid.net"; + SMTP_PORT = 587; + SMTP_FROM_NAME = "Vaultwarden"; + SMTP_FROM = "bot+vaultwarden@foodogsquared.one"; }; }; diff --git a/hosts/plover/secrets/secrets.yaml b/hosts/plover/secrets/secrets.yaml index 5073dfe0..556cf2fb 100644 --- a/hosts/plover/secrets/secrets.yaml +++ b/hosts/plover/secrets/secrets.yaml 
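Review bot: The rewritten `DATABASE_URL` drops the `options=-c%20search_path%3D${vaultwardenUser}` parameter, which is what steered Vaultwarden's tables into the per-user schema that the neighbouring `ensurePermissions` `SCHEMA` grant covers; without it the connection uses PostgreSQL's default search path, so the migrations presumably land in `public`, outside that grant (and on PostgreSQL 15+ `public` is no longer writable by ordinary roles). If the parameter was removed because Vaultwarden's URL parsing rejected it, the same effect can be had with an `ALTER ROLE ... SET search_path` in the database setup, or by granting on the schema the tables actually end up in; either way a comment on the `DATABASE_URL` line should say which schema is intended. In the Gitea hunk, `httpPort = 8432;` is set without a listen address even though the `codeForgeDomain` nginx vhost fronts it, so I would pair it with `httpAddress = "127.0.0.1";` (if this nixpkgs exposes that option) so the port is only reachable through the proxy. Both the `services.gitea` and `services.vaultwarden` attrsets begin outside these hunks.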
@@ -14,7 +14,7 @@ gitea:
 smtp:
 password: ENC[AES256_GCM,data:XmpnfRtKJ/jA174CFKqCMWkbqbRZRPOq27RVKVZdc5sn5Q6xLg5mTWWN0cKwuy/o+Ikrrx4D4HOgQdyzubxl+n+P87LA,iv:Ou3TlnoiK/8kr4Kl/iNpvMWm7Wv5Y5NqLk4FkxhG3ag=,tag:xSDTgo9w3sZxF2WMM2+yjg==,type:str]
 vaultwarden:
- env: ENC[AES256_GCM,data:g0zlOfYTrmrT1FYSocTVa1Me7HRJV/0id4E1PSiYCWpZdFz2dgKh52P4Xqsy8fuuv9sa58rwua9ZtJ3ycTQt18/xEeZh/bPGKiTm88NhmHZ2LbbdhJMCF9cXaA13yfWuylB6ugFUsmgUJEsrZmfhbRA1ofP+07k+QuJ0xOzO36uZKLW9hcAerZV44bDXg2EUBvcG/4K1fMCBLsiv3luKSpQsnnypcuI5CfwF8qc5X8QumYSAl9H8hcm7be3ksc7Sp/y3IndKEdvuiqVojPYIio4MfSz9QQ==,iv:27TdCZYTYazXvi8gjNUkEvYDSRCzUE2IhbvT8k5Mqro=,tag:2uzyluBVfcMdU20G2soiYg==,type:str]
+ env: ENC[AES256_GCM,data:9RebpDWaKhPHpUzWDOuOYSDDtJ/pAvL30ipZuZz5OxUsUKoepHHLeBhjQzxyvwIDd2lT1Jx3UdLVSoKmh2qxGboFdBt9XF+grEzsQoP18wiSopiPjlAyaRgZ2f/6d46G+NYy13J4+N6zbPSHS3W76vpa6Vy8Fn7MWy3bXVoE4m9vORagPT/OZO+tcbJGjjVWUbz6JwNv0o+VvVPAHtXB9esnkqYMK1LvvDKLoT6eBtbu0MUmcnQ=,iv:UxbyYnNJPV+tznBBf3wFsu5eNayuJHuMfn6QfFi52ss=,tag:FMIhzv6UrR6rkqlOZ56oVg==,type:str]
 borg:
 password: ENC[AES256_GCM,data:Fxz36DGpjl5brWRPlzkqmhgwuDAw4BrqlHazjFkV,iv:qiII9yWbUfQggeO3KdPwNXAQBwVmx6YEa5YIID3AUIs=,tag:74IJEGAQ+PiHsw1RKb+iJg==,type:str]
 patterns:
@@ -34,8 +34,8 @@ sops:
 ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
 miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-12-03T14:59:16Z"
- mac: ENC[AES256_GCM,data:3fTcf7rb7XpWGQvwJhf40XUwqT/pHQB1RyU4dh9XE0XHdJ2ASa3CAqVLVNj07JS2uuzcvAnSjRGTNge4xtqDcuRFZ5UT5lzzl/YJBfXhKdfZISuUqsqSqggpkhO64R+A65oMyA+98COJ/FtVtNpV7P21pn1EjOdJEMkXobOfnls=,iv:/ULWDXcvFpR/Rlqd3uqhvflM4dN0vl9C8X+JXvH+yUo=,tag:QYWpV+QFGWMcGgSTGF5teA==,type:str]
+ lastmodified: "2022-12-10T09:43:52Z"
+ mac: ENC[AES256_GCM,data:H+DilMaPkqCnIgB3PlgKPxQFm4P/newJw6kma+XwRLimq98AXT2uk2XtJ+o0bZYcGo6e9rmkyOGyvmEvkQwylWKuKT94QRtsWyCogPNssPW5J8euLN4dlqtpFbG14lrDmtslf64cPMPfyVB+26qKsxx/8qUOE6GYwKEinG3Y1uQ=,iv:VFo9g+lTb7grDj4azdHnFnyAg4gKHlXq+2Lcw1rJJBE=,tag:0s+uRK045P6RWrgkXQ5w4Q==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3