feat(madoka): hosted license-servers

This commit is contained in:
alina 🌸 2025-01-05 03:45:52 +03:00
parent 113a602bb4
commit 327f2452c5
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
5 changed files with 83 additions and 9 deletions


@ -52,17 +52,17 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722725362, "lastModified": 1736029622,
"narHash": "sha256-JKonFnKwiN7VRXhn3pUhoN6TGDoyHepWbMfVd35wTew=", "narHash": "sha256-4+LgwpKEgSztPFzKIKwJrOH/4FTCsLCkWGc7LhXPcSY=",
"owner": "teidesu", "owner": "teidesu",
"repo": "desu-deploy", "repo": "desu-deploy",
"rev": "a77b8e790324df51471cf40924acff9643972dfa", "rev": "d373e8ab554a95d222e3ced87e751dabbd3cfc57",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "teidesu", "owner": "teidesu",
"repo": "desu-deploy", "repo": "desu-deploy",
"rev": "a77b8e790324df51471cf40924acff9643972dfa", "rev": "d373e8ab554a95d222e3ced87e751dabbd3cfc57",
"type": "github" "type": "github"
} }
}, },


@ -45,7 +45,7 @@
disko.url = "github:nix-community/disko"; disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs"; disko.inputs.nixpkgs.follows = "nixpkgs";
desu-deploy.url = "github:teidesu/desu-deploy/a77b8e790324df51471cf40924acff9643972dfa"; desu-deploy.url = "github:teidesu/desu-deploy/d373e8ab554a95d222e3ced87e751dabbd3cfc57";
desu-deploy.inputs.nixpkgs.follows = "nixpkgs"; desu-deploy.inputs.nixpkgs.follows = "nixpkgs";
}; };
@ -121,9 +121,10 @@
]; ];
}; };
madoka = mkNixosSystem { madoka = mkNixosSystem rec {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
desu-deploy.nixosModules.${system}.default
./hosts/madoka/configuration.nix ./hosts/madoka/configuration.nix
]; ];
}; };


@ -19,9 +19,6 @@
(abs "ssh/teidesu.pub") (abs "ssh/teidesu.pub")
]; ];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
system.stateVersion = "23.11"; system.stateVersion = "23.11";
networking.hostName = "homura"; networking.hostName = "homura";


@ -4,7 +4,9 @@
imports = [ imports = [
(modulesPath + "/profiles/minimal.nix") (modulesPath + "/profiles/minimal.nix")
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
(abs "lib/desu")
./hardware-configuration.nix ./hardware-configuration.nix
./services/license-servers.nix
]; ];
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
@ -21,5 +23,13 @@
system.stateVersion = "23.11"; system.stateVersion = "23.11";
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
services.desu-deploy = {
enable = true;
key = builtins.readFile (abs "ssh/desu-deploy.pub");
};
networking.hostName = "madoka"; networking.hostName = "madoka";
} }
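Review bot: The new `services.desu-deploy` block in the second hunk carries no comment saying what the key it reads from `ssh/desu-deploy.pub` authorises, and a reader of configuration.nix cannot tell that from the option name alone. A one-line comment above `enable = true;` such as `# remote deployment agent; the public key below is the identity it trusts — see the desu-deploy module for what that identity may do on this host` would make the trust relationship visible where it is declared. `abs` is used both here and in the imports hunk but is not among the module arguments visible on this page, so presumably it comes from the enclosing scope; worth a mention in the same comment if it is not obvious elsewhere in the file.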


@ -0,0 +1,66 @@
{ config, ... }:
let
UID = 1100;
in {
desu.secrets.license-servers-env.owner = "license-servers";
desu.secrets.forgejo-packages-token = {};
desu.secrets.cloudflare-email.owner = "acme";
desu.secrets.cloudflare-token.owner = "acme";
users.groups.acme.gid = 993;
users.users.license-servers = {
isNormalUser = true;
extraGroups = [ "acme" ];
uid = UID;
};
virtualisation.oci-containers.containers.license-servers = {
image = "git.stupid.fish/zachem/license-servers:latest";
login = {
registry = "https://git.stupid.fish";
username = "teidesu";
passwordFile = config.desu.secrets.forgejo-packages-token.path;
};
environment = {
PUBLIC_HOSTNAME = "license.stupid.fish";
TLS_KEY_FILE = "/mnt/acme/key.pem";
TLS_CERT_FILE = "/mnt/acme/cert.pem";
};
environmentFiles = [
config.desu.secrets.license-servers-env.path
];
user = builtins.toString UID;
extraOptions = [
"--group-add=${builtins.toString config.users.groups.acme.gid}"
"--mount=type=bind,source=/srv/license-servers/certs,target=/app/certs"
"--mount=type=bind,source=/var/lib/acme/license.stupid.fish,target=/mnt/acme"
];
ports = [
"80:80"
"443:443"
];
};
systemd.services.docker-license-servers.requires = [ "acme-finished-license.stupid.fish.target" ];
systemd.tmpfiles.rules = [
"d /srv/license-servers/certs 0700 ${builtins.toString UID} ${builtins.toString UID} -"
];
security.acme.acceptTerms = true;
security.acme.defaults = {
email = "alina@tei.su";
dnsProvider = "cloudflare";
credentialFiles = {
"CLOUDFLARE_EMAIL_FILE" = config.desu.secrets.cloudflare-email.path;
"CLOUDFLARE_API_KEY_FILE" = config.desu.secrets.cloudflare-token.path;
};
};
security.acme.certs = {
"license.stupid.fish" = {};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
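Review bot: `systemd.services.docker-license-servers.requires` pulls in `acme-finished-license.stupid.fish.target` but there is no matching `after`, and Requires= on its own does not order the two units, so on a fresh boot the container can start before `/var/lib/acme/license.stupid.fish` is populated and fail to open its key. Adding `after = [ "acme-finished-license.stupid.fish.target" ];` beside it fixes the ordering, and a `reloadServices = [ "docker-license-servers.service" ];` entry on the cert lets renewals reach the container, which otherwise keeps serving the files it opened at start. Two smaller points in the same block: `TLS_CERT_FILE` points at `cert.pem`, which in the NixOS acme layout is the leaf certificate without its intermediate, so `fullchain.pem` is the usual choice unless the application appends the chain itself; and the bind mount of the acme directory can be `readonly`, since the container only reads it. The service account is declared with `isNormalUser = true`, which gives it a login shell and a home under /home; `isSystemUser = true` with a `group` is the idiom for an account that exists only to run a container.
```nix
  users.users.license-servers = {
    # daemon account: no login shell, no home directory
    isSystemUser = true;
    group = "license-servers";
    extraGroups = [ "acme" ];
    uid = UID;
  };
  users.groups.license-servers = {};
  virtualisation.oci-containers.containers.license-servers = {
    # … unchanged: image, login, environmentFiles, user, ports …
    environment = {
      PUBLIC_HOSTNAME = "license.stupid.fish";
      TLS_KEY_FILE = "/mnt/acme/key.pem";
      # fullchain.pem carries the intermediate; cert.pem is the leaf only
      TLS_CERT_FILE = "/mnt/acme/fullchain.pem";
    };
    extraOptions = [
      "--group-add=${builtins.toString config.users.groups.acme.gid}"
      "--mount=type=bind,source=/srv/license-servers/certs,target=/app/certs"
      # the container only reads the ACME material; keep it out of the acme state dir
      "--mount=type=bind,source=/var/lib/acme/license.stupid.fish,target=/mnt/acme,readonly"
    ];
  };
  # Requires= does not imply ordering; After= makes the container wait for the cert on boot
  systemd.services.docker-license-servers = {
    requires = [ "acme-finished-license.stupid.fish.target" ];
    after = [ "acme-finished-license.stupid.fish.target" ];
  };
  # … unchanged: tmpfiles, acme acceptTerms/defaults …
  security.acme.certs = {
    # restart the container after renewal so it picks up the new key/cert
    "license.stupid.fish".reloadServices = [ "docker-license-servers.service" ];
  };
```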