Fixed fermi configuration for deployment

aftix · May 18, 2024 · 8c803e9 · 8c803e9
1 parent 1cece6e
commit 8c803e9
Show file tree

Hide file tree

Showing 6 changed files with 173 additions and 141 deletions.
diff --git a/host/fermi.nix b/host/fermi.nix
@@ -27,6 +27,9 @@ in {
       aftgraphs = true;
       blog = true;
       searx.enable = true;
+
+      ip = "170.130.165.174";
+      ipv6 = "2a0b:7140:8:1:5054:ff:fe84:ed8c";
     };
 
     znc.enable = true;

diff --git a/host/opt/www/blog.nix b/host/opt/www/blog.nix
@@ -29,34 +29,31 @@ in {
       forceSSL = true;
       useACMEHost = cfg.hostname;
 
-      locations =
-        {
-          "/".tryFiles = "$uri $uri/ =404";
+      locations = {
+        "/".tryFiles = "$uri $uri/ =404";
 
-          "/searx/${cfg.searx.subdomain}".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/static/?$args";
-          "/searx".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/?$args";
+        "/searx/".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/?$args";
 
-          "/advent2023/" = mkIf cfg.adventofcode {
-            alias = "${cfg.root}/advent2023/";
-            extraConfig = ''
-              fancyindex on;
-              fancyindex_exact_size off;
-              fancyindex_localtime on;
-            '';
-          };
+        "/advent2023/" = mkIf cfg.adventofcode {
+          alias = "${cfg.root}/advent2023/";
+          extraConfig = ''
+            fancyindex on;
+            fancyindex_exact_size off;
+            fancyindex_localtime on;
+          '';
+        };
 
-          "/aftgraphs/" = mkIf cfg.aftgraphs {
-            alias = "${cfg.root}/simulations/";
-            extraConfig = ''
-              fancyindex on;
-              fancyindex_exact_size off;
-              fancyindex_localtime on;
-              add_header "Cross-Origin-Opener-Policy" "same-origin";
-              add_header "Cross-Origin-Embedder-Policy" "require-corp";
-            '';
-          };
-        }
-        // cfg.acme-location-block;
+        "/aftgraphs/" = mkIf cfg.aftgraphs {
+          alias = "${cfg.root}/simulations/";
+          extraConfig = ''
+            fancyindex on;
+            fancyindex_exact_size off;
+            fancyindex_localtime on;
+            add_header "Cross-Origin-Opener-Policy" "same-origin";
+            add_header "Cross-Origin-Embedder-Policy" "require-corp";
+          '';
+        };
+      };
     };
   };
 }
diff --git a/host/opt/www/default.nix b/host/opt/www/default.nix
@@ -19,6 +19,15 @@ in {
       type = lib.types.str;
     };
 
+    ip = mkOption {
+      default = "";
+      type = lib.types.str;
+    };
+    ipv6 = mkOption {
+      default = "";
+      type = lib.types.str;
+    };
+
     root = mkOption {
       default = "/srv";
       type = lib.types.str;
@@ -34,26 +43,33 @@ in {
       type = lib.types.str;
     };
 
-    acme-location-block = mkOption {
-      default = {
-        "^~ /.well-known/acme-challenge".extraConfig = ''
-          location ^~ /.well-known/acme-challenge/ {
-            default_type "text/plain";
-            root ${cfg.root}/acme;
-          }
-        '';
-      };
-      readOnly = true;
+    keys = mkOption {
+      default = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmFgG1EuQDoJb8pQcxnhjqbncrpJGZ3iNon/gu0bXiE [email protected]"
+      ];
     };
   };
 
   config = {
+    sops.secrets = {
+      porkbun_api_key = {
+        inherit (cfg) group;
+        owner = cfg.user;
+      };
+      porkbun_secret_api_key = {
+        inherit (cfg) group;
+        owner = cfg.user;
+      };
+    };
+
     users = {
       users.${cfg.user} = {
         inherit (cfg) group;
         password = "";
-        shell = "/run/current-system/sw/bin/nologin";
+        shell = pkgs.bash;
         isSystemUser = true;
+        home = cfg.root;
+        openssh.authorizedKeys.keys = cfg.keys;
       };
 
       groups.${cfg.group} = {};
@@ -64,33 +80,46 @@ in {
       allowedUDPPorts = [80 443];
     };
 
-    services.nginx = {
-      inherit (cfg) user group;
-      enable = true;
-      enableReload = true;
+    services = {
+      nginx = {
+        inherit (cfg) user group;
+        enable = true;
+        enableReload = true;
 
-      additionalModules = with pkgs.nginxModules; [fancyindex];
+        additionalModules = with pkgs.nginxModules; [fancyindex];
 
-      appendHttpConfig = ''
-        limit_req_zone $binary_remote_addr zone=put_request_by_addr:20m rate=100r/s;
-      '';
+        appendHttpConfig = ''
+          limit_req_zone $binary_remote_addr zone=put_request_by_addr:20m rate=100r/s;
+        '';
+      };
+
+      openssh.settings.AllowUsers = [cfg.user];
     };
 
     systemd.tmpfiles.rules = [
       "d ${cfg.root} 0775 ${cfg.user} ${cfg.group} -"
-      "d ${cfg.root}/acme 0775 ${cfg.user} ${cfg.group} -"
     ];
 
     security.acme = {
       acceptTerms = true;
+
       defaults = {
         email = "[email protected]";
-        webroot = cfg.root + "/acme";
+        dnsProvider = "porkbun";
+        group = cfg.group;
+        credentialFiles = {
+          PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets.porkbun_secret_api_key.path;
+          PORKBUN_API_KEY_FILE = config.sops.secrets.porkbun_api_key.path;
+        };
       };
 
       certs.${cfg.hostname} = {
         inherit (cfg) group;
-        extraDomainNames = ["www.${cfg.hostname}"];
+        extraDomainNames = [
+          "www.${cfg.hostname}"
+          "auth.${cfg.hostname}"
+          "www.auth.${cfg.hostname}"
+        ];
       };
     };
   };

diff --git a/host/opt/www/searx.nix b/host/opt/www/searx.nix
@@ -7,7 +7,7 @@
   inherit (lib.options) mkOption mkEnableOption;
   wwwCfg = config.my.www;
   cfg = wwwCfg.searx;
-  socket = "/run/uwsgi/app/searx/socket";
+  socket = "/run/uwsgi/searx.socket";
 in {
   options.my.www.searx = {
     enable = mkEnableOption "searx";
@@ -35,9 +35,7 @@ in {
     systemd.tmpfiles.rules = let
       inherit (config.services.searx.uwsgiConfig) immediate-uid immediate-gid;
     in [
-      "d /run/uwsgi 0775 ${immediate-uid} ${immediate-gid} -"
-      "d /run/uwsgi/app 0775 ${immediate-uid} ${immediate-gid} -"
-      "d /run/uwsgi/app/searx 0775 ${immediate-uid} ${immediate-gid} -"
+      "d ${builtins.baseNameOf socket} 0775 ${immediate-uid} ${immediate-gid} -"
     ];
 
     environment.etc."nginx/uwsgi_params".text = ''
@@ -63,22 +61,19 @@ in {
 
     services = {
       nginx.virtualHosts."${cfg.subdomain}.${wwwCfg.hostname}" = {
-        root = "${config.services.searx.package}/share";
         serverName = "${cfg.subdomain}.${wwwCfg.hostname} www.${cfg.subdomain}.${wwwCfg.hostname}";
         kTLS = true;
         forceSSL = true;
         useACMEHost = wwwCfg.hostname;
 
-        locations =
-          {
-            "/".extraConfig = ''
-              include uwsgi_params;
-              uwsgi_pass unix:${socket};
-            '';
+        locations = {
+          "/".extraConfig = ''
+            include uwsgi_params;
+            uwsgi_pass unix:${socket};
+          '';
 
-            "/static/".alias = "${config.services.searx.package}/share/static";
-          }
-          // wwwCfg.acme-location-block;
+          "/static/".alias = "${config.services.searx.package}/share/static/";
+        };
       };
 
       redis.servers.searx.user = mkForce config.services.searx.uwsgiConfig.immediate-uid;
@@ -96,12 +91,11 @@ in {
         environmentFile = config.sops.templates."searx.env".path;
 
         settings = {
-          use_default_settings = mkForce false;
           instance_name = "searx";
           contact_url = "mailto:[email protected]";
           server = {
             secret_key = "@SEARX_SECRET_KEY@";
-            base_url = "${cfg.subdomain}.${wwwCfg.hostname}";
+            base_url = "/";
             image_proxy = true;
           };
         };