foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-07 18:19:09 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

hosts/plover: update config

Browse Source
This commit is contained in:
Gabriel Arazas 2022-12-04 08:55:55 +08:00
parent ac32593fda
commit cb11ceb3a9
2 changed files with 39 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
hosts/plover/default.nix
View File

@ -40,12 +40,13 @@ in
secrets; secrets;
in in
getSecrets (let getSecrets (let
giteaUserGroup = config.users.users."${config.services.gitea.user}".group; giteaUserGroup = config.users.users."${config.services.gitea.user}".name;
# It is hardcoded but as long as the module is stable that way. # It is hardcoded but as long as the module is stable that way.
vaultwardenUserGroup = config.users.groups.vaultwarden.name; vaultwardenUserGroup = config.users.groups.vaultwarden.name;
in { in {
"ssh-key" = {}; "ssh-key" = {};
"lego/env" = {};
"gitea/db/password".owner = giteaUserGroup; "gitea/db/password".owner = giteaUserGroup;
"gitea/smtp/password".owner = giteaUserGroup; "gitea/smtp/password".owner = giteaUserGroup;
"vaultwarden/env".owner = vaultwardenUserGroup; "vaultwarden/env".owner = vaultwardenUserGroup;
@ -77,11 +78,6 @@ in
type = "ed25519"; type = "ed25519";
}]; }];
# Some additional dependencies for this system.
environment.systemPackages = with pkgs; [
asciidoctor # This is needed for additional markup for Gitea.
];
# The main server where it will tie all of the services in one neat little # The main server where it will tie all of the services in one neat little
# place. # place.
services.nginx = { services.nginx = {
@ -140,6 +136,30 @@ in
package = pkgs.postgresql_15; package = pkgs.postgresql_15;
enableTCPIP = true; enableTCPIP = true;
# Create per-user schema as documented from Usage Patterns. This is to make
# use of the secure schema usage pattern they encouraged to do.
#
# Now, you just have to keep in mind about applications making use of them.
# Most of them should have the setting to set the schema to be used. If
# not, then screw them (or just file an issue and politely ask for the
# feature).
initialScript = let
perUserSchemas = lib.lists.map
(user: "CREATE SCHEMA ${user.name};")
config.services.postgresql.ensureUsers;
script = pkgs.writeText "plover-initial-postgresql-script" ''
${lib.concatStringsSep "\n" perUserSchemas}
'';
in script;
settings = {
log_connections = true;
log_disconnections = true;
# Still doing the secure schema usage pattern.
search_path = "\"$user\"";
};
# There's no database and user checks for Vaultwarden service. # There's no database and user checks for Vaultwarden service.
ensureDatabases = [ vaultwardenDbName ]; ensureDatabases = [ vaultwardenDbName ];
ensureUsers = [ ensureUsers = [
@ -147,7 +167,7 @@ in
name = vaultwardenUser; name = vaultwardenUser;
ensurePermissions = { ensurePermissions = {
"DATABASE ${vaultwardenDbName}" = "ALL PRIVILEGES"; "DATABASE ${vaultwardenDbName}" = "ALL PRIVILEGES";
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; "SCHEMA ${vaultwardenDbName}" = "ALL PRIVILEGES";
}; };
} }
]; ];
@ -177,10 +197,7 @@ in
"ui.meta" = { "ui.meta" = {
AUTHOR = "foodogsquared's code forge"; AUTHOR = "foodogsquared's code forge";
DESCRIPTION = '' DESCRIPTION = "foodogsquared's personal projects and some archived and mirrored codebases.";
foodogsquared's personal Git forge.
Mainly personal projects and some archived and mirrored codebases.
'';
KEYWORDS = "foodogsquared,gitea,self-hosted"; KEYWORDS = "foodogsquared,gitea,self-hosted";
}; };
@ -197,7 +214,7 @@ in
ENABLED = true; ENABLED = true;
NEED_POSTPROCESS = true; NEED_POSTPROCESS = true;
FILE_EXTENSIONS = ".adoc,.asciidoc"; FILE_EXTENSIONS = ".adoc,.asciidoc";
RENDER_COMMANDS = "asciidoc --out-file=- -"; RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor --out-file=- -";
IS_INPUT_FILE = false; IS_INPUT_FILE = false;
}; };
@ -219,6 +236,12 @@ in
# Enable mirroring feature... # Enable mirroring feature...
mirror.ENABLED = true; mirror.ENABLED = true;
# Session configuration.
session.COOKIE_SECURE = true;
# Some more database configuration.
database.SCHEMA = config.services.gitea.user;
other = { other = {
SHOW_FOOTER_VERSION = true; SHOW_FOOTER_VERSION = true;
ENABLE_SITEMAP = true; ENABLE_SITEMAP = true;
@ -262,7 +285,7 @@ in
# Configuring the database. Take note it is required to create a password # Configuring the database. Take note it is required to create a password
# for the user. # for the user.
DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}"; DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}?application_name=vaultwarden&options=-c%20search_path%3D${vaultwardenUser}";
}; };
}; };

6
hosts/plover/secrets/secrets.yaml
View File

@ -6,7 +6,7 @@ sourcehut:
service-key: ENC[AES256_GCM,data:glZuT+e9c2UOXieP313ny6Dl15HRXpeHtGr4XPWjhNSAvFgcwp/1AgFYrHDWZBf771MkN0pgVE/d/fx0oBOgSg==,iv:S4BzMYPZtVFhXV0g5qBxjItqCyEQ25Ct6swBut7FefQ=,tag:w3t59DqroYuAmgHlu/BhEQ==,type:str] service-key: ENC[AES256_GCM,data:glZuT+e9c2UOXieP313ny6Dl15HRXpeHtGr4XPWjhNSAvFgcwp/1AgFYrHDWZBf771MkN0pgVE/d/fx0oBOgSg==,iv:S4BzMYPZtVFhXV0g5qBxjItqCyEQ25Ct6swBut7FefQ=,tag:w3t59DqroYuAmgHlu/BhEQ==,type:str]
webhook-key: ENC[AES256_GCM,data:DDCHLYgYLnecG48XJJXqnsFP/Kl1W+R6eTGC4Ria0Rf5Z0dw8p0r+XaY4TY=,iv:nUCkIgw5lNzEha6HVjBHtGD8ZzBwOlP8yMRQ/usD/64=,tag:LenhvQyDDVulA9PCa2RWDQ==,type:str] webhook-key: ENC[AES256_GCM,data:DDCHLYgYLnecG48XJJXqnsFP/Kl1W+R6eTGC4Ria0Rf5Z0dw8p0r+XaY4TY=,iv:nUCkIgw5lNzEha6HVjBHtGD8ZzBwOlP8yMRQ/usD/64=,tag:LenhvQyDDVulA9PCa2RWDQ==,type:str]
smtp: smtp:
user: ENC[AES256_GCM,data:9edqw3E=,iv:kF7GXxsJupbGZlvvgfL6gKGZl1+W2rsr++XsVykVYOI=,tag:0jNo1SDorCRJ8uNLERU8MA==,type:str] user: ENC[AES256_GCM,data:AEiA29Tn,iv:TSEsNvMk0r0zpu/NuzRv90Oa2Z3GXJwtu39vF7d8SQI=,tag:fv3dZ9V1+SgViEEfNhhq/Q==,type:str]
password: ENC[AES256_GCM,data:1VvHDAkAI7cBEziZNN8uZNmeojiHxtsR08MpFEEuOLdwWeKj+OFtKGK6TTu/V6sUQKWsTV5cvBAvk0siE/G+mB/rmY63,iv:O180YVKBJXRA/PvEotdBua6U6O6OQqncQsOepCNDGlM=,tag:h0XPBWnJIj3JTR6M4GVLtQ==,type:str] password: ENC[AES256_GCM,data:1VvHDAkAI7cBEziZNN8uZNmeojiHxtsR08MpFEEuOLdwWeKj+OFtKGK6TTu/V6sUQKWsTV5cvBAvk0siE/G+mB/rmY63,iv:O180YVKBJXRA/PvEotdBua6U6O6OQqncQsOepCNDGlM=,tag:h0XPBWnJIj3JTR6M4GVLtQ==,type:str]
gitea: gitea:
db: db:
@ -34,8 +34,8 @@ sops:
ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA== miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-03T04:34:10Z" lastmodified: "2022-12-03T14:59:16Z"
mac: ENC[AES256_GCM,data:AfTha4YswSgi7Z/RlIZdTY0KnG7SyeVp1/eLXm8Gbg34j1UAyezfQI4C26Ily1/O+l4YX9T1RSIO2jdwiRmgLy7LVMTtlmHt12fLb720UJ6L2P4yWBWdxnMAuarC7eFQSX+q8XT0IS9rWZEntVQkGjRw+bJJquJvMTZs5+UrR+I=,iv:uzR3Cr7+s8DjKw3OrmDTPt9RLYtZ7EixPoZMHwGOJzg=,tag:+AhzAFQGWt5GvjPeZoIDCA==,type:str] mac: ENC[AES256_GCM,data:3fTcf7rb7XpWGQvwJhf40XUwqT/pHQB1RyU4dh9XE0XHdJ2ASa3CAqVLVNj07JS2uuzcvAnSjRGTNge4xtqDcuRFZ5UT5lzzl/YJBfXhKdfZISuUqsqSqggpkhO64R+A65oMyA+98COJ/FtVtNpV7P21pn1EjOdJEMkXobOfnls=,iv:/ULWDXcvFpR/Rlqd3uqhvflM4dN0vl9C8X+JXvH+yUo=,tag:QYWpV+QFGWMcGgSTGF5teA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3