readd lotte-test.chir.rs

2024-10-04 10:14:05 +02:00 · 2024-10-04 10:14:05 +02:00 · d134d2fdbf
commit d134d2fdbf
parent 29273a44ab
5 changed files with 307 additions and 7 deletions
--- a/config/instance-20221213-1915.nix
+++ b/config/instance-20221213-1915.nix
@ -24,6 +24,7 @@
    ./zfs.nix
    #./services/kubernetes.nix
    ./services/gitea.nix
+    ./services/chir-rs.nix
  ];

  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
--- a/config/services/chir-rs.nix
+++ b/config/services/chir-rs.nix
@ -0,0 +1,98 @@
+{
+  lib,
+  pkgs,
+  config,
+  chir-rs,
+  system,
+  ...
+}: let
+  staticDir = pkgs.stdenvNoCC.mkDerivation {
+    name = "static";
+    buildPhase = "true";
+    src = pkgs.emptyDirectory;
+    installPhase = ''
+      mkdir $out
+      for f in ${chir-rs.packages.${system}.chir-rs-fe}/*; do
+        ln -sv $f $out
+      done
+      ln -sv ${chir-rs.packages.${system}.art-assets} $out/img
+    '';
+  };
+  auxCfg = pkgs.writeText "config.dhall" ''
+    ${./chir-rs.dhall} {
+        staticDir = "${staticDir}",
+        connectionString = "postgres://chir_rs:" ++ (${config.sops.secrets."services/chir-rs/database-password".path} as Text) ++ "@nixos-8gb-fsn1-1.int.chir.rs/chir_rs",
+        signUpKey = ${config.sops.secrets."services/chir-rs/signup-secret".path} as Text,
+        nodeName = "${config.networking.hostName}"
+      }
+  '';
+in {
+  systemd.services.chir-rs = {
+    enable = true;
+    wantedBy = ["multi-user.target"];
+    after = ["network.target"];
+    serviceConfig = {
+      Restart = "always";
+      PrivateTmp = true;
+      WorkingDirectory = "/tmp";
+      User = "chir-rs";
+      CapabilityBoundingSet = [""];
+      DeviceAllow = [""];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      ExecStart = ''
+        ${chir-rs.packages.${system}.chir-rs}/bin/chir-rs
+      '';
+    };
+    environment = {
+      CHIR_RS_CONFIG = "${auxCfg}";
+    };
+  };
+  sops.secrets."services/chir-rs/database-password".owner = "chir-rs";
+  sops.secrets."services/chir-rs/signup-secret".owner = "chir-rs";
+  services.postgresql.ensureDatabases = [
+    "chir_rs"
+  ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "chir_rs";
+      ensurePermissions = {
+        "DATABASE chir_rs" = "ALL PRIVILEGES";
+      };
+    }
+  ];
+  services.caddy.virtualHosts."lotte-test.chir.rs" = {
+    useACMEHost = "chir.rs";
+    logFormat = lib.mkForce "";
+    extraConfig = ''
+      import baseConfig
+
+      reverse_proxy http://127.0.0.1:62936 {
+        trusted_proxies private_ranges
+      }
+    '';
+  };
+  users.users.chir-rs = {
+    description = "Chir.rs domain server";
+    isSystemUser = true;
+    group = "chir-rs";
+  };
+  users.groups.chir-rs = {};
+}
--- a/flake.lock
+++ b/flake.lock
@ -143,6 +143,36 @@
        "type": "github"
      }
    },
+    "chir-rs": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "haskell-flake": "haskell-flake",
+        "microformats2-parser": "microformats2-parser",
+        "nix-packages": "nix-packages",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": [
+          "systems"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1728028592,
+        "narHash": "sha256-hyUdAVbjOLBCdNkr0SlLny1HcwUmcIDEhP450aRZLcU=",
+        "owner": "DarkKirb",
+        "repo": "chir.rs",
+        "rev": "c43046950758567cd8d7f78b7b9455fe04773230",
+        "type": "github"
+      },
+      "original": {
+        "owner": "DarkKirb",
+        "repo": "chir.rs",
+        "type": "github"
+      }
+    },
    "colorpickle": {
      "inputs": {
        "naersk": [
@ -242,6 +272,23 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696267196,
+        "narHash": "sha256-AAQ/2sD+0D18bb8hKuEEVpHUYD1GmO2Uh/taFamn6XQ=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "4f910c9827911b1ec2bf26b5a062cd09f8d89f85",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "4f910c9827911b1ec2bf26b5a062cd09f8d89f85",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -257,7 +304,7 @@
        "type": "github"
      }
    },
-    "flake-compat_2": {
+    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -337,6 +384,21 @@
      }
    },
    "flake-utils": {
+      "locked": {
+        "lastModified": 1677835344,
+        "narHash": "sha256-+SF1dfj02xAizhtY2/pEPyA0DP0pMvZZjC2aMyprYhA=",
+        "owner": "DarkKirb",
+        "repo": "flake-utils",
+        "rev": "17cffe5284b6da6b50cc82f4d2b4c3ff8185f83c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "DarkKirb",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
      "inputs": {
        "systems": [
          "systems"
@ -392,6 +454,33 @@
      }
    },
    "gomod2nix": {
+      "inputs": {
+        "nixpkgs": [
+          "chir-rs",
+          "nix-packages",
+          "nixpkgs"
+        ],
+        "utils": [
+          "chir-rs",
+          "nix-packages",
+          "flake-utils"
+        ]
+      },
+      "locked": {
+        "lastModified": 1692555015,
+        "narHash": "sha256-QS7fNVS9ToprIt93R/S+BVerAttNkYI3/SVQI3jciLs=",
+        "owner": "DarkKirb",
+        "repo": "gomod2nix",
+        "rev": "de2e02108ef1e6ab52a71676f7735a3fc1bea741",
+        "type": "github"
+      },
+      "original": {
+        "owner": "DarkKirb",
+        "repo": "gomod2nix",
+        "type": "github"
+      }
+    },
+    "gomod2nix_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@ -414,6 +503,21 @@
        "type": "github"
      }
    },
+    "haskell-flake": {
+      "locked": {
+        "lastModified": 1727626046,
+        "narHash": "sha256-DFaptqqL4zxUnk4GIGC4HWT8/SzuY6O3A+VCM7nHFfs=",
+        "owner": "srid",
+        "repo": "haskell-flake",
+        "rev": "867c3dddf7dd8eb26cbf69c1a7e31f1a38b04126",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "repo": "haskell-flake",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -494,7 +598,7 @@
    },
    "lix": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_3",
        "nix2container": "nix2container",
        "nixpkgs": [
          "hydra",
@ -576,6 +680,49 @@
        "url": "https://git.lix.systems/lix-project/lix"
      }
    },
+    "mautrix-cleanup": {
+      "inputs": {
+        "flake-utils": [
+          "chir-rs",
+          "nix-packages",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "chir-rs",
+          "nix-packages",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1678395415,
+        "narHash": "sha256-l7upZ8y8SobYtv+RYD7DodRU74DGvDRjvaKfj8VmAow=",
+        "owner": "DarkKirb",
+        "repo": "mautrix-cleanup",
+        "rev": "5f5f51ce8b7560d18ddae1824bc253a9e896ab0b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "DarkKirb",
+        "repo": "mautrix-cleanup",
+        "type": "github"
+      }
+    },
+    "microformats2-parser": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1695821315,
+        "narHash": "sha256-Et4yYDiIcIeMsEkZI9Y0Unh51fnuMQzScE4dxgXCGzo=",
+        "owner": "darkkirb",
+        "repo": "microformats2-parser",
+        "rev": "4e6b3aac8f5af3306261ef2782f7df990e96f429",
+        "type": "github"
+      },
+      "original": {
+        "owner": "darkkirb",
+        "repo": "microformats2-parser",
+        "type": "github"
+      }
+    },
    "naersk": {
      "inputs": {
        "nixpkgs": [
@ -609,7 +756,7 @@
          "hydra",
          "nixpkgs"
        ],
-        "treefmt-nix": "treefmt-nix"
+        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
        "lastModified": 1723579251,
@ -671,6 +818,31 @@
        "type": "github"
      }
    },
+    "nix-packages": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "gomod2nix": "gomod2nix",
+        "mautrix-cleanup": "mautrix-cleanup",
+        "nixpkgs": [
+          "chir-rs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1714119256,
+        "narHash": "sha256-5SkfU2tPui7qbloT/ztngsRxaCmMDWGDbtdmgQ8pAn4=",
+        "owner": "DarkKirb",
+        "repo": "nix-packages",
+        "rev": "139141e509332117281c83e869defa11085eadcf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "DarkKirb",
+        "repo": "nix-packages",
+        "type": "github"
+      }
+    },
    "nix2container": {
      "flake": false,
      "locked": {
@ -914,16 +1086,17 @@
        "akkoma-fe": "akkoma-fe",
        "attic": "attic",
        "cargo2nix": "cargo2nix",
+        "chir-rs": "chir-rs",
        "colorpickle": "colorpickle",
        "crane": "crane",
        "devshell": "devshell",
        "dns": "dns",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "flake-parts": "flake-parts_2",
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "flakey-profile": "flakey-profile",
        "gitignore": "gitignore",
-        "gomod2nix": "gomod2nix",
+        "gomod2nix": "gomod2nix_2",
        "home-manager": "home-manager",
        "hydra": "hydra",
        "impermanence": "impermanence",
@ -1002,6 +1175,27 @@
      }
    },
    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "chir-rs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1727941393,
+        "narHash": "sha256-GFOQZDSvF0l6Jp8DdCW8qW8oR5hR0XjdvHFkmSan1Vo=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "a10a0cbe2196120aa90e4f86d459376e1d108d58",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": [
          "hydra",
--- a/flake.nix
+++ b/flake.nix
@ -38,6 +38,12 @@ rec {
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.rust-overlay.follows = "rust-overlay";
    };
+    chir-rs = {
+      url = "github:DarkKirb/chir.rs";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.systems.follows = "systems";
+      inputs.flake-parts.follows = "flake-parts";
+    };
    colorpickle = {
      url = "github:AgathaSorceress/colorpickle";
      inputs.naersk.follows = "naersk";
--- a/zones/chir.rs.nix
+++ b/zones/chir.rs.nix
@ -144,7 +144,7 @@ with dns.lib.combinators; let
    SOA = {
      nameServer = "ns1.chir.rs.";
      adminEmail = "lotte@chir.rs";
-      serial = 54;
+      serial = 55;
    };
    NS = [
      "ns1.chir.rs."
@ -245,6 +245,7 @@ with dns.lib.combinators; let
      cache.CNAME = ["cache-chir-rs.b-cdn.net."];
      attic = createZone oracleBase;
      lotte.CNAME = ["lotte-chir-rs.b-cdn.net."];
+      lotte-test = createZone oracleBase;
      status = createZone oracleBase;
      weblate = createFullZone {};