From 866d0b3f71fb58eee543683ac59118793e20c9d9 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 6 Sep 2023 20:41:18 +0200
Subject: [PATCH] bgt/savarcast: add config without tls

---
 2configs/bgt/{ => savarcast}/comments.nix | 16 +++--
 2configs/bgt/savarcast/download.nix | 72 +++++++++++++++++++++++
 2 files changed, 84 insertions(+), 4 deletions(-)
 rename 2configs/bgt/{ => savarcast}/comments.nix (61%)
 create mode 100644 2configs/bgt/savarcast/download.nix

diff --git a/2configs/bgt/comments.nix b/2configs/bgt/savarcast/comments.nix
similarity index 61%
rename from 2configs/bgt/comments.nix
rename to 2configs/bgt/savarcast/comments.nix
index e2b820a..d770c8d 100644
--- a/2configs/bgt/comments.nix
+++ b/2configs/bgt/savarcast/comments.nix
@@ -1,11 +1,20 @@
+{ config, pkgs, lib, ... }:
 let
   configFile = config.sops.secrets."isso.conf".path;
 in {
+  sops.secrets."isso.conf" = { owner = "isso"; group = "isso"; };
+  users.users.isso = {
+    group = "isso";
+    isSystemUser = true;
+  };
+  users.groups.isso = {};
+
+
   services.isso.enable = true;
   # override the startup to allow secrets in the configFile
   # following relevant config is inside:
@@ -14,12 +23,11 @@ in {
   # host = https://blog.binaergewitter.de
   # listen = http://localhost:9292
   # public-endpoint = https://comments.binaergewitter.de
-  systemd.services.isso.serviceConfig.ExecStart = "${pkgs.isso}/bin/isso -c ${configFile}" ;
+  systemd.services.isso.serviceConfig.ExecStart = lib.mkForce "${pkgs.isso}/bin/isso -c ${configFile}" ;
+  systemd.services.isso.serviceConfig.DynamicUser = lib.mkForce false;
+  # savarcast is behind traefik, do not configure tls
   services.nginx.virtualHosts."comments.binaergewitter.de" = {
-    forceSSL = true;
-    enableAcme = true;
-    useACMEHost = "download.binaergewitter.de";
     locations."/".proxyPass = "http://localhost:9292";
   };
diff --git a/2configs/bgt/savarcast/download.nix b/2configs/bgt/savarcast/download.nix
new file mode 100644
index 0000000..8cf98cd
--- /dev/null
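Review bot: `systemd.services.isso.serviceConfig.DynamicUser = lib.mkForce false;` also discards the sandboxing that DynamicUser=yes implies (NoNewPrivileges, PrivateTmp, RemoveIPC, ProtectSystem=strict, ProtectHome=read-only), so isso now runs as the static `isso` user with none of it unless those settings are restated next to the override. The static user appears to exist only so the sops-managed config file can be owned by it, which is a fine reason, but the unit should keep the hardening; a rewritten serviceConfig is given below, with the caveat that isso's writable state must still be reachable, which holds if the upstream unit declares it via StateDirectory (ProtectSystem=strict leaves StateDirectory writable) — confirm against the module. Separately, with forceSSL/enableAcme/useACMEHost removed the comments.binaergewitter.de vhost is plain HTTP, so with traefik terminating TLS that nginx listener should only be reachable from traefik (bind address or firewall), otherwise the comment API is exposed without TLS. The enclosing attribute set continues past the end of the hunk.
```nix
  systemd.services.isso.serviceConfig = {
    ExecStart = lib.mkForce "${pkgs.isso}/bin/isso -c ${configFile}";
    DynamicUser = lib.mkForce false;
    # DynamicUser=yes implied these; restate them now that it is forced off
    NoNewPrivileges = true;
    PrivateTmp = true;
    RemoveIPC = true;
    ProtectSystem = "strict";
    ProtectHome = "read-only";
  };
  # … unchanged: traefik comment and nginx virtualHost …
```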
+++ b/2configs/bgt/savarcast/download.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+
+let
+  stockholm = pkgs.stockholm;
+  ident = (builtins.readFile ../auphonic.pub);
+  nginxlogs = "/var/log/nginx";
+  bgtaccess = "${nginxlogs}/binaergewitter.access.log";
+  bgterror = "${nginxlogs}/binaergewitter.error.log";
+
+  # TODO: only when the data is stored somewhere else
+in {
+  state = [ bgtaccess bgterror ];
+
+  services.openssh = {
+    allowSFTP = true;
+    sftpFlags = [ "-l VERBOSE" ];
+    extraConfig = ''
+      HostkeyAlgorithms +ssh-rsa
+
+      Match User auphonic
+        ForceCommand internal-sftp
+        AllowTcpForwarding no
+        X11Forwarding no
+        PasswordAuthentication no
+        PubkeyAcceptedAlgorithms +ssh-rsa
+
+    '';
+  };
+
+  users.users.auphonic = {
+    uid = stockholm.lib.genid "auphonic";
+    group = "nginx";
+    # for storedir
+    extraGroups = [ "download" ];
+    useDefaultShell = true;
+    isSystemUser = true;
+    openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ];
+  };
+
+  services.logrotate = {
+    enable = true;
+    settings.bgt = {
+      files = [ bgtaccess bgterror ];
+      rotate = 5;
+      frequency = "weekly";
+      create = "600 nginx nginx";
+      postrotate = "${pkgs.systemd}/bin/systemctl reload nginx";
+    };
+  };
+
+  # 20.09 unharden nginx to write logs
+  systemd.services.nginx.serviceConfig.ReadWritePaths = [ nginxlogs ];
+  systemd.tmpfiles.rules = [ "d ${nginxlogs} 0700 nginx root - -" ];
+
+  services.nginx = {
+    enable = lib.mkDefault true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    # using letsencrypt certificate without cloudflare
+    virtualHosts."podcast.savar.de" = {
+      serverAliases = [ "download.binaergewitter.de" "dl.binaergewitter.de" "dl1.binaergewitter.de" "dl2.binaergewitter.de" "binaergewitter.jit.computer" ];
+      root = "/var/www/binaergewitter";
+      extraConfig = ''
+        access_log ${bgtaccess} combined;
+        error_log ${bgterror} error;
+        autoindex on;
+      '';
+    };
+  };
+}
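Review bot: `HostkeyAlgorithms +ssh-rsa` in services.openssh.extraConfig sits before the `Match User auphonic` block and therefore re-enables SHA-1 ssh-rsa host-key signatures for every client of this sshd, not only the SFTP uploader; sshd_config does not accept HostKeyAlgorithms inside a Match block, so if only the auphonic client needs it, say so where it is set, e.g. `# server-wide: HostKeyAlgorithms cannot be scoped to a Match block; SHA-1 ssh-rsa host-key signatures are kept only for the auphonic uploader, drop once it speaks rsa-sha2-*`. The Match block forces internal-sftp but sets no `ChrootDirectory`, so the auphonic account (group nginx, extra group download) can browse anything those groups may read on the host; confining it to the upload tree is worth considering if the directory ownership allows a chroot. The comment `# using letsencrypt certificate without cloudflare` no longer describes the podcast.savar.de vhost, which configures no TLS at all, consistent with the commit title; presumably traefik terminates TLS in front, so `# TLS is terminated by traefik in front of this host; plain HTTP here` would be accurate.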