bgt/savarcast: add config without tls

2023-09-06 20:41:18 +02:00 · 2023-09-06 20:41:18 +02:00 · 866d0b3f71
parent dd53f3b23f
commit 866d0b3f71
2 changed files with 84 additions and 4 deletions
--- a/2configs/bgt/savarcast/comments.nix
+++ b/2configs/bgt/savarcast/comments.nix
@ -1,11 +1,20 @@
+{ config, pkgs, lib, ... }:
 let
  configFile = config.sops.secrets."isso.conf".path;
 in {
+
  sops.secrets."isso.conf" = {
    owner = "isso";
    group = "isso";
  };

+  users.users.isso = {
+    group = "isso";
+    isSystemUser = true;
+  };
+  users.groups.isso = {};
+
+
  services.isso.enable = true;
  # override the startup to allow secrets in the configFile
  # following relevant config is inside:
@ -14,12 +23,11 @@ in {
  # host = https://blog.binaergewitter.de
  # listen = http://localhost:9292
  # public-endpoint = https://comments.binaergewitter.de
-  systemd.services.isso.serviceConfig.ExecStart = "${pkgs.isso}/bin/isso -c ${configFile}" ;
+  systemd.services.isso.serviceConfig.ExecStart = lib.mkForce "${pkgs.isso}/bin/isso -c ${configFile}" ;
+  systemd.services.isso.serviceConfig.DynamicUser = lib.mkForce false;

+  # savarcast is behind traefik, do not configure tls
  services.nginx.virtualHosts."comments.binaergewitter.de" = {
-    forceSSL = true;
-    enableAcme = true;
-    useACMEHost = "download.binaergewitter.de";
    locations."/".proxyPass = "http://localhost:9292";
  };

--- a/2configs/bgt/savarcast/download.nix
+++ b/2configs/bgt/savarcast/download.nix
@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+
+let
+  stockholm = pkgs.stockholm;
+  ident = (builtins.readFile ../auphonic.pub);
+  nginxlogs = "/var/log/nginx";
+  bgtaccess = "${nginxlogs}/binaergewitter.access.log";
+  bgterror =  "${nginxlogs}/binaergewitter.error.log";
+
+  # TODO: only when the data is stored somewhere else
+in {
+  state = [ bgtaccess bgterror ];
+
+  services.openssh = {
+    allowSFTP = true;
+    sftpFlags = [ "-l VERBOSE" ];
+    extraConfig = ''
+      HostkeyAlgorithms +ssh-rsa
+
+      Match User auphonic
+        ForceCommand internal-sftp
+        AllowTcpForwarding no
+        X11Forwarding no
+        PasswordAuthentication no
+        PubkeyAcceptedAlgorithms +ssh-rsa
+
+    '';
+  };
+
+  users.users.auphonic = {
+    uid = stockholm.lib.genid "auphonic";
+    group = "nginx";
+    # for storedir
+    extraGroups = [ "download" ];
+    useDefaultShell = true;
+    isSystemUser = true;
+    openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ];
+  };
+
+  services.logrotate = {
+    enable = true;
+    settings.bgt = {
+      files = [ bgtaccess bgterror ];
+      rotate = 5;
+      frequency = "weekly";
+      create = "600 nginx nginx";
+      postrotate = "${pkgs.systemd}/bin/systemctl reload nginx";
+    };
+  };
+
+  # 20.09 unharden nginx to write logs
+  systemd.services.nginx.serviceConfig.ReadWritePaths = [ nginxlogs ];
+  systemd.tmpfiles.rules = [ "d ${nginxlogs} 0700 nginx root - -" ];
+
+  services.nginx = {
+    enable = lib.mkDefault true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    # using letsencrypt certificate without cloudflare
+    virtualHosts."podcast.savar.de" = {
+      serverAliases = [ "download.binaergewitter.de" "dl.binaergewitter.de" "dl1.binaergewitter.de" "dl2.binaergewitter.de" "binaergewitter.jit.computer" ];
+      root = "/var/www/binaergewitter";
+      extraConfig = ''
+        access_log ${bgtaccess} combined;
+        error_log ${bgterror} error;
+        autoindex on;
+      '';
+    };
+  };
+}