hosts/plover: update config
In preparation for deploying it in a non-Google Compute Engine environment, we'll update some of the settings.
This commit is contained in:
parent
8ecb1ca366
commit
8adcc0d512
@ -20,6 +20,19 @@ Some of the self-hosted services from this server:
|
||||
|
||||
|
||||
|
||||
== General deployment guidelines
|
||||
|
||||
If you want to deploy it anywhere else, you have to keep some things in mind.
|
||||
|
||||
* This uses link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix] to decrypt secrets.
|
||||
It mainly use the private key to the link:./files/age-key.pub[`./files/age-key.pub`] and move it to the appropriate location (i.e., `/var/lib/sops-nix/key.txt`).
|
||||
|
||||
* Be sure to set the appropriate firewalls either in the NixOS configuration or in the VPS provider firewall settings.
|
||||
Take note some formats such as Google Compute image disable them entirely so it's safer to leave the firewall service and just configure the allowed ports and other settings.
|
||||
|
||||
|
||||
|
||||
|
||||
== Deploying it as a Google Compute instance
|
||||
|
||||
Some documented guidelines to deploy this instance in Google Cloud Platform (GCP) so you won't have to re-read those documentation like a stuck rat the next time you visit them.
|
||||
@ -35,17 +48,10 @@ For this, you'll have to create a GCP keyring on their key management system (KM
|
||||
|
||||
* Enable link:https://cloud.google.com/compute/docs/oslogin/set-up-oslogin[OS Login] for your Compute Engine instance.
|
||||
|
||||
* Enable HTTP and HTTPS traffic in the firewall settings.
|
||||
|
||||
* Don't forget to set the appropriate scopes for the instance.
|
||||
For example, since we're using a GCP KMS key, we may want to set the scope only to KMS API like in the following command.
|
||||
+
|
||||
--
|
||||
[source, shell]
|
||||
----
|
||||
gcloud compute instances create "instance-1" \
|
||||
--zone "us-east1-b" \
|
||||
--scopes "https://www.googleapis.com/auth/cloudkms"
|
||||
----
|
||||
--
|
||||
Use the least privileged scopes as much as possible.
|
||||
|
||||
* Reserve a static IP address, pls.
|
||||
Just don't forget to immediately assign it to the instance since it will charge higher if you just leave it alone.
|
||||
|
@ -4,6 +4,7 @@ let
|
||||
inherit (builtins) toString;
|
||||
domain = config.networking.domain;
|
||||
passwordManagerDomain = "pass.${domain}";
|
||||
codeForgeDomain = "code.${domain}";
|
||||
|
||||
# This should be set from service module from nixpkgs.
|
||||
vaultwardenUser = config.users.users.vaultwarden.name;
|
||||
@ -23,7 +24,17 @@ in
|
||||
"${modulesPath}/profiles/hardened.nix"
|
||||
];
|
||||
|
||||
networking.domain = "foodogsquared.one";
|
||||
networking = {
|
||||
domain = "foodogsquared.one";
|
||||
allowedTCPPorts = [
|
||||
22 # Secure Shells.
|
||||
80 # HTTP servers.
|
||||
433 # HTTPS servers.
|
||||
|
||||
config.services.gitea.httpPort
|
||||
config.services.vaultwarden.config.ROCKET_PORT
|
||||
];
|
||||
};
|
||||
|
||||
sops.secrets =
|
||||
let
|
||||
@ -120,7 +131,7 @@ in
|
||||
};
|
||||
|
||||
# Gitea instance.
|
||||
"code.${config.networking.domain}" = {
|
||||
"${codeForgeDomain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
@ -170,6 +181,12 @@ in
|
||||
"SCHEMA ${vaultwardenDbName}" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
{
|
||||
name = config.services.gitea.user;
|
||||
ensurePermissions = {
|
||||
"SCHEMA ${config.services.gitea.user}" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
@ -181,6 +198,9 @@ in
|
||||
type = "postgres";
|
||||
passwordFile = config.sops.secrets."plover/gitea/db/password".path;
|
||||
};
|
||||
domain = codeForgeDomain;
|
||||
rootUrl = "https://${codeForgeDomain}";
|
||||
httpPort = 8432;
|
||||
lfs.enable = true;
|
||||
mailerPasswordFile = config.sops.secrets."plover/gitea/smtp/password".path;
|
||||
|
||||
@ -226,7 +246,7 @@ in
|
||||
SMTP_PORT = 587;
|
||||
USER = "apikey";
|
||||
FROM = "Gitea";
|
||||
ENVELOPE_FROM = "gitea@foodogsquared.one";
|
||||
ENVELOPE_FROM = "bot+gitea@foodogsquared.one";
|
||||
SEND_AS_PLAIN_TEXT = true;
|
||||
};
|
||||
|
||||
@ -285,7 +305,13 @@ in
|
||||
|
||||
# Configuring the database. Take note it is required to create a password
|
||||
# for the user.
|
||||
DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}?application_name=vaultwarden&options=-c%20search_path%3D${vaultwardenUser}";
|
||||
DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}";
|
||||
|
||||
# Mailer service configuration (except the user and password).
|
||||
SMTP_HOST = "smtp.sendgrid.net";
|
||||
SMTP_PORT = 587;
|
||||
SMTP_FROM_NAME = "Vaultwarden";
|
||||
SMTP_FROM = "bot+vaultwarden@foodogsquared.one";
|
||||
};
|
||||
};
|
||||
|
||||
|
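Review bot: In the `@ -23,7 +24,17 @@` hunk the port list is attached to `networking.allowedTCPPorts`, but the NixOS option lives under the firewall submodule as `networking.firewall.allowedTCPPorts`, so evaluation should fail with an undefined-option error, and the `433 # HTTPS servers.` entry looks like a typo for `443`, which would leave HTTPS blocked even once the option name is fixed. Adding `config.services.gitea.httpPort` and `config.services.vaultwarden.config.ROCKET_PORT` to the allowlist also exposes the plain-HTTP backend listeners directly, bypassing the TLS-terminating nginx virtual host that the `@ -120,7 +131,7 @@` hunk sets up for `${codeForgeDomain}` with `forceSSL = true`; unless those backends are meant to be reached without the proxy, drop the two entries and keep only the public ports, e.g. `networking = { domain = "foodogsquared.one"; firewall.allowedTCPPorts = [ 22 80 443 ]; };`. The enclosing attribute set continues outside the hunk.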
@ -14,7 +14,7 @@ gitea:
|
||||
smtp:
|
||||
password: ENC[AES256_GCM,data:XmpnfRtKJ/jA174CFKqCMWkbqbRZRPOq27RVKVZdc5sn5Q6xLg5mTWWN0cKwuy/o+Ikrrx4D4HOgQdyzubxl+n+P87LA,iv:Ou3TlnoiK/8kr4Kl/iNpvMWm7Wv5Y5NqLk4FkxhG3ag=,tag:xSDTgo9w3sZxF2WMM2+yjg==,type:str]
|
||||
vaultwarden:
|
||||
env: ENC[AES256_GCM,data:g0zlOfYTrmrT1FYSocTVa1Me7HRJV/0id4E1PSiYCWpZdFz2dgKh52P4Xqsy8fuuv9sa58rwua9ZtJ3ycTQt18/xEeZh/bPGKiTm88NhmHZ2LbbdhJMCF9cXaA13yfWuylB6ugFUsmgUJEsrZmfhbRA1ofP+07k+QuJ0xOzO36uZKLW9hcAerZV44bDXg2EUBvcG/4K1fMCBLsiv3luKSpQsnnypcuI5CfwF8qc5X8QumYSAl9H8hcm7be3ksc7Sp/y3IndKEdvuiqVojPYIio4MfSz9QQ==,iv:27TdCZYTYazXvi8gjNUkEvYDSRCzUE2IhbvT8k5Mqro=,tag:2uzyluBVfcMdU20G2soiYg==,type:str]
|
||||
env: ENC[AES256_GCM,data:9RebpDWaKhPHpUzWDOuOYSDDtJ/pAvL30ipZuZz5OxUsUKoepHHLeBhjQzxyvwIDd2lT1Jx3UdLVSoKmh2qxGboFdBt9XF+grEzsQoP18wiSopiPjlAyaRgZ2f/6d46G+NYy13J4+N6zbPSHS3W76vpa6Vy8Fn7MWy3bXVoE4m9vORagPT/OZO+tcbJGjjVWUbz6JwNv0o+VvVPAHtXB9esnkqYMK1LvvDKLoT6eBtbu0MUmcnQ=,iv:UxbyYnNJPV+tznBBf3wFsu5eNayuJHuMfn6QfFi52ss=,tag:FMIhzv6UrR6rkqlOZ56oVg==,type:str]
|
||||
borg:
|
||||
password: ENC[AES256_GCM,data:Fxz36DGpjl5brWRPlzkqmhgwuDAw4BrqlHazjFkV,iv:qiII9yWbUfQggeO3KdPwNXAQBwVmx6YEa5YIID3AUIs=,tag:74IJEGAQ+PiHsw1RKb+iJg==,type:str]
|
||||
patterns:
|
||||
@ -34,8 +34,8 @@ sops:
|
||||
ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
|
||||
miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-12-03T14:59:16Z"
|
||||
mac: ENC[AES256_GCM,data:3fTcf7rb7XpWGQvwJhf40XUwqT/pHQB1RyU4dh9XE0XHdJ2ASa3CAqVLVNj07JS2uuzcvAnSjRGTNge4xtqDcuRFZ5UT5lzzl/YJBfXhKdfZISuUqsqSqggpkhO64R+A65oMyA+98COJ/FtVtNpV7P21pn1EjOdJEMkXobOfnls=,iv:/ULWDXcvFpR/Rlqd3uqhvflM4dN0vl9C8X+JXvH+yUo=,tag:QYWpV+QFGWMcGgSTGF5teA==,type:str]
|
||||
lastmodified: "2022-12-10T09:43:52Z"
|
||||
mac: ENC[AES256_GCM,data:H+DilMaPkqCnIgB3PlgKPxQFm4P/newJw6kma+XwRLimq98AXT2uk2XtJ+o0bZYcGo6e9rmkyOGyvmEvkQwylWKuKT94QRtsWyCogPNssPW5J8euLN4dlqtpFbG14lrDmtslf64cPMPfyVB+26qKsxx/8qUOE6GYwKEinG3Y1uQ=,iv:VFo9g+lTb7grDj4azdHnFnyAg4gKHlXq+2Lcw1rJJBE=,tag:0s+uRK045P6RWrgkXQ5w4Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|