From 92bccb771360815bd23700aae635009b69542189 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 20 Sep 2023 17:41:09 +0200
Subject: [PATCH] savarcast: do not deploy stork search database as root but as stork user
---
 2configs/bgt/login.nix | 2 --
 2configs/bgt/savarcast/comments.nix | 20 ++++++++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/2configs/bgt/login.nix b/2configs/bgt/login.nix
index 687c30a..2740407 100644
--- a/2configs/bgt/login.nix
+++ b/2configs/bgt/login.nix
@@ -4,8 +4,6 @@
 root.openssh.authorizedKeys.keys = [
 # l33tname (bgt-comments-nixos.pub)
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjLMILyxqNEleJqdoJbf/BObcjVVTH8XZ2Vv0B8qtnl hi@l33t.name"
- # GitHub deploy search (bgt_github_deploy.pub)
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrj6cLVxv6LR0INj2OL/EVdEFMZSk0fOc0pCeXVTirz hi@l33t.name"
 # ingo
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6Ge3TFE5CfSjihhSjq5cGiT/CjPHuTS9rX8vxS/LAoo3MGz0ZmjOvwzDm/1zQjpWuJC4JFBdJiRISrEb6yO9h+lBGIzRI0bbWOlpeDiyxGYnifBB2SlcFHDOKNzm1FSbXBz0IOg/FiPGjdTOwmrQjV6q9DgVe5ZrLmVeEHNKnUI1q4kH7u0jSW3wIpQH82FilY709qauAzxDohqpc0UGT7cy+2ZZTKu+CEOziUNNrCV2/rLdnynBGeqYnk5o73ml6yIUx9RFFtB+VSSSAoPVHNtr0v9/Jla/moC6Fh6WDxtPQuVbNPB/f7l2AuUbNKKp0BTOpxZlAhWd29LR6LSSDOFZTcVLE60kxTwNxCpQWSssf6/yf1m86O43zPGGecgYEprnmL5FI9JN2Z8IqPx6RFy0heKZpgES/wcCeURlqU6zIJqQ2KSeiS/YbMaJd40lh3UtFf1tkjKUyHny5D04B6WcK1Ke3soCArSY9GYj9IwrqfDSD5RuBZ7frat7SuxY6klwR3GpBIBkm8MgzXhdktazBlNDRmG1FQtjkPX6Tza75CvMYkQiil9g1R+5BqL7KDLaULGEWkt5HIyq2W6NFjDFOgqYHqIUVx9G2f5bALA88nLsATBUPcrNvwoskQohbIct9uTK00NcQaQ2CGd7uhUZv5lXpLtIWYGxh/92bOw=="
 "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA5G4SzPWZAJHrxpN2hQ0TzfPz5KO4eZISZxL3j/pkPs+6/YLXwB22AuU5qvNBi5uVIIZNqJBoaAcj/NePkiu6i2iAVzntAVWhBQlCLIlN0YXwXZ7E19fVUxvG65XV8D86YXSKrKkeDqk6SmQhReeWexMxTIKtj9Ipa7i9lPHBsls="
diff --git a/2configs/bgt/savarcast/comments.nix b/2configs/bgt/savarcast/comments.nix
index bef8a3e..c9cc5b4 100644
--- a/2configs/bgt/savarcast/comments.nix
+++ b/2configs/bgt/savarcast/comments.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 let
 configFile = config.sops.secrets."isso.conf".path;
+ searchdir = "/var/www/search";
 in {
 sops.secrets."isso.conf" = {
@@ -12,8 +13,21 @@ in {
 group = "isso";
 isSystemUser = true;
 };
+
+ users.users.stork = {
+ group = "stork";
+ isNormalUser = true;
+ home = searchdir;
+ createHome = false;
+ openssh.authorizedKeys.keys = [
+ # GitHub deploy search (bgt_github_deploy.pub)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrj6cLVxv6LR0INj2OL/EVdEFMZSk0fOc0pCeXVTirz hi@l33t.name"
+ ];
+ };
+
 users.groups.isso = {};
+ systemd.tmpfiles.rules = [ "d ${searchdir} 0770 stork nginx - -" ];
 services.isso.enable = true;
 # override the startup to allow secrets in the configFile
@@ -26,6 +40,12 @@ in {
 systemd.services.isso.serviceConfig.ExecStart = lib.mkForce "${pkgs.isso}/bin/isso -c ${configFile}" ;
 systemd.services.isso.serviceConfig.DynamicUser = lib.mkForce false;
+ services.nginx.virtualHosts."search.binaergewitter.de" = {
+ locations."/" = {
+ root = "/var/www/search/";
+ tryFiles = "/bgt.st =404";
+ };
+ };
 # savarcast is behind traefik, do not configure tls
 services.nginx.virtualHosts."comments.binaergewitter.de" = {
 locations."= /bgt.st".root = "/var/www/search/";
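Review bot: `users.users.stork` sets `group = "stork";` but nothing in the hunk declares that group, whereas the pre-existing `users.groups.isso = {};` on the context line just below shows the pattern this file already follows for the isso user. NixOS flags a user whose primary group is undefined (a warning on older releases, an evaluation failure on newer ones — worth checking against the channel this host tracks), and the tmpfiles rule does not help here because it names `nginx`, not `stork`, as the directory's group. Add `users.groups.stork = {};` next to `users.groups.isso = {};`. Separately, the deploy key that used to live under root now grants an interactive login as a normal user whose home is the web root; if the deploy is a single known command, pinning the key with the `restrict` and `command=` authorized_keys options would bound what a leaked key can do.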
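Review bot: The new `search.binaergewitter.de` vhost hard-codes `root = "/var/www/search/";` even though this same patch introduces the `searchdir` binding for exactly that path, so the tmpfiles rule, the stork home and the vhost can drift apart silently; `root = searchdir;` keeps them in agreement, and the existing `locations."= /bgt.st".root` on the context line below carries the same literal and could be switched the same way. `tryFiles = "/bgt.st =404";` makes every request under `/` resolve to that single file or 404, which as far as the hunk shows also keeps anything else a login as `stork` might leave in its home directory from being served — a one-line comment stating that intent would help the next reader.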