nix/machines
1
0
Fork 0
Code Issues Releases Packages Activity Actions

Move kas.codes over to using mx.kaareskovgaard.net
Some checks failed
/ dev-shell (push) Successful in 43s
Details
/ terraform-providers (push) Successful in 47s
Details
/ check (push) Failing after 1m55s
Details
/ rust-packages (push) Successful in 48s
Details
/ systems (push) Successful in 4m9s
Details

Browse source
This commit is contained in:
Kaare Hoff Skovgaard 2025-08-01 02:04:06 +02:00
parent 6ac55b7e44
commit 1f88fa3c49
Signed by: khs
GPG key ID: C7D890804F01E9F0
9 changed files with 68 additions and 126 deletions
Download patch file Download diff file Expand all files Collapse all files

5
nix/modules/nixos/services/nginx/default.nix
View file

@ -226,7 +226,7 @@ in
serviceConfig = { serviceConfig = {
ExecStartPre = [ ExecStartPre = [
''${pkgs.uutils-coreutils-noprefix}/bin/touch /var/log/nginx/access.fail2ban.log'' ''${pkgs.uutils-coreutils-noprefix}/bin/touch /var/log/nginx/access.fail2ban.log''
''${pkgs.uutils-coreutils-noprefix}/bin/chmod 064 /var/log/nginx/access.fail2ban.log'' ''${pkgs.uutils-coreutils-noprefix}/bin/chmod 0640 /var/log/nginx/access.fail2ban.log''
]; ];
}; };
}; };
@ -352,7 +352,8 @@ in
"=/robots.txt" = { "=/robots.txt" = {
alias = value.robotsTxt; alias = value.robotsTxt;
}; };
} // value.locations; }
// value.locations;
forceSSL = true; forceSSL = true;
enableACME = value.acme == null && !dns01Enabled; enableACME = value.acme == null && !dns01Enabled;
useACMEHost = useACMEHost =

1
nix/systems/aarch64-linux/kas.codes/default.nix
View file

@ -5,7 +5,6 @@
{ {
imports = [ imports = [
"${inputs.self}/nix/profiles/nixos/hetzner-server.nix" "${inputs.self}/nix/profiles/nixos/hetzner-server.nix"
./mailserver
./forgejo ./forgejo
]; ];
khscodes.infrastructure.hetzner-instance = { khscodes.infrastructure.hetzner-instance = {

31
nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
View file

@ -40,28 +40,10 @@ let
''; '';
in in
{ {
imports = [ ./oauth.nix ]; imports = [
khscodes.services.vault-agent.templates = [ ./oauth.nix
{ ./smtp.nix
contents = ''
{{- with secret "forgejo/data/mailserver/users/forgejo" -}}
{{ .Data.data.password }}
{{- end -}}
'';
destination = "/var/lib/vault-agent/forgejo/mailserver/forgejo.passwd";
perms = "0600";
owner = "git";
group = "git";
restartUnits = [
"forgejo.service"
]; ];
}
];
systemd.services.forgejo = {
unitConfig = {
ConditionPathExists = [ "/var/lib/vault-agent/forgejo/mailserver/forgejo.passwd" ];
};
};
services.forgejo = { services.forgejo = {
enable = true; enable = true;
user = "git"; user = "git";
@ -87,12 +69,6 @@ in
repository = { repository = {
DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.packages,repo.actions"; DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.packages,repo.actions";
}; };
mailer = {
ENABLED = true;
SMTP_ADDR = "kas.codes";
FROM = "forgejo@kas.codes";
USER = "forgejo@kas.codes";
};
"ui.meta" = { "ui.meta" = {
AUTHOR = "Kaare Hoff Skovgaard <kaare@kaareskovgaard.net>"; AUTHOR = "Kaare Hoff Skovgaard <kaare@kaareskovgaard.net>";
DESCRIPTION = "A self-hosted software forge for KAS/KHS"; DESCRIPTION = "A self-hosted software forge for KAS/KHS";
@ -108,7 +84,6 @@ in
REGISTER_EMAIL_CONFIRM = false; REGISTER_EMAIL_CONFIRM = false;
}; };
}; };
secrets.mailer.PASSWD = "/var/lib/vault-agent/forgejo/mailserver/forgejo.passwd";
lfs = { lfs = {
enable = true; enable = true;
}; };

54
nix/systems/aarch64-linux/kas.codes/forgejo/smtp.nix Normal file
View file

@ -0,0 +1,54 @@
let
secretFile = "/run/secret/mx.kaareskovgaard.net/forgejo.passwd";
in
{
khscodes.infrastructure.vault-server-approle.policy = {
"mx.kaareskovgaard.net/data/users/forgejo" = {
capabilities = [ "read" ];
};
};
khscodes.services.vault-agent.templates = [
{
contents = ''
{{- with secret "mx.kaareskovgaard.net/data/users/forgejo" -}}
{{ .Data.data.password }}
{{- end -}}
'';
destination = secretFile;
perms = "0600";
owner = "git";
group = "git";
restartUnits = [
"forgejo.service"
];
}
];
khscodes.infrastructure.hetzner-instance.extraFirewallRules = [
{
direction = "out";
protocol = "tcp";
port = 465;
destination_ips = [
"0.0.0.0/0"
"::/0"
];
description = "smtp";
}
];
services.forgejo = {
settings.mailer = {
ENABLED = true;
SMTP_ADDR = "mx.kaareskovgaard.net";
SMTP_PORT = 465;
PROTOCOL = "smtps";
FROM = "git@kas.codes";
USER = "forgejo";
};
secrets.mailer.PASSWD = secretFile;
};
systemd.services.forgejo = {
unitConfig = {
ConditionPathExists = [ secretFile ];
};
};
}

39
nix/systems/aarch64-linux/kas.codes/mailserver/default.nix
View file

@ -1,39 +0,0 @@
{ ... }:
{
imports = [
./forgejo-user.nix
];
khscodes.infrastructure.provisioning.pre.modules = [
{
khscodes.vault = {
enable = true;
mount.forgejo = {
path = "forgejo";
type = "kv";
options = {
version = "2";
};
description = "Secrets used for forgejo";
};
};
}
];
khscodes.infrastructure.mailserver = {
enable = true;
domains = [ "kas.codes" ];
dkim = {
vault = {
mount = "forgejo";
prefixPath = "mailserver/dkim";
};
};
};
mailserver = {
loginAccounts = {
"forgejo@kas.codes" = {
hashedPasswordFile = "/var/lib/vault-agent/mailserver/users/forgejo.passwd.hash";
sendOnly = true;
};
};
};
}

55
nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix
View file

@ -1,55 +0,0 @@
{
khscodes.infrastructure.vault-server-approle.policy = {
"forgejo/data/mailserver/users/*" = {
capabilities = [ "read" ];
};
};
khscodes.services.vault-agent.templates = [
{
contents = ''
{{- with secret "forgejo/data/mailserver/users/forgejo" -}}
{{ .Data.data.hashed_password }}
{{- end -}}
'';
destination = "/var/lib/vault-agent/mailserver/users/forgejo.passwd.hash";
perms = "0600";
owner = "rspamd";
group = "rspamd";
restartUnits = [
"rspamd.service"
"postfix.service"
];
}
];
khscodes.infrastructure.provisioning.pre.modules = [
(
{ config, ... }:
{
terraform.required_providers.random = {
source = "hashicorp/random";
version = "3.7.2";
};
provider.random = { };
resource.random_password.forgejo_mail_passwd = {
length = 48;
numeric = true;
lower = true;
upper = true;
special = false;
};
resource.vault_kv_secret_v2.forgejo_email_user_password = {
mount = config.khscodes.vault.output.mount.forgejo.path;
name = "mailserver/users/forgejo";
data_json = ''
{
"hashed_password": ''${ jsonencode(resource.random_password.forgejo_mail_passwd.bcrypt_hash) },
"password": ''${ jsonencode(resource.random_password.forgejo_mail_passwd.result) }
}
'';
};
}
)
];
}

1
nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
View file

@ -41,6 +41,7 @@
"agerlinskovgaard.dk" "agerlinskovgaard.dk"
"k.agerlin-skovgaard.dk" "k.agerlin-skovgaard.dk"
"k.agerlinskovgaard.dk" "k.agerlinskovgaard.dk"
"kas.codes"
]; ];
accounts = import ./users.nix; accounts = import ./users.nix;
}; };

3
nix/systems/aarch64-linux/mx.kaareskovgaard.net/mailserver/accounts.nix
View file

@ -134,7 +134,7 @@ let
lib.concatStringsSep "\n" ( lib.concatStringsSep "\n" (
lib.lists.map (account: '' lib.lists.map (account: ''
{{- with secret "mx.kaareskovgaard.net/data/users/${account}" -}} {{- with secret "mx.kaareskovgaard.net/data/users/${account}" -}}
"${account}:{{ .Data.data.hashed_password }}::::::" ${account}:{{ .Data.data.hashed_password }}::::::
{{- end -}} {{- end -}}
'') systemAccounts '') systemAccounts
) )
@ -205,6 +205,7 @@ in
let let
tfName = lib.khscodes.sanitize-terraform-name account; tfName = lib.khscodes.sanitize-terraform-name account;
in in
{ config, ... }:
{ {
resource.random_password."${tfName}" = { resource.random_password."${tfName}" = {
length = 48; length = 48;

5
nix/systems/aarch64-linux/mx.kaareskovgaard.net/users.nix
View file

@ -10,4 +10,9 @@
]; ];
quota = "10G"; quota = "10G";
}; };
"forgejo" = {
name = "KAS: Codes";
addresses = [ "git@kas.codes" ];
sendOnly = true;
};
} }