From 5e40d3915177125971146b6942b2c6c31ac84b12 Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Wed, 11 Dec 2024 18:10:30 +0000 Subject: [PATCH] Refactor: transform host templates into a module Also move bookdb & bookmarks remote sync into the template, and add systemd-tmpfiles rules to create all the needed directories. --- flake.nix | 17 +- hosts/_templates/barrucadu-website-mirror.nix | 228 --------------- hosts/carcosa/configuration.nix | 30 +- hosts/yuggoth/configuration.nix | 18 +- scripts/documentation.sh | 8 +- shared/default.nix | 1 + shared/host-templates/default.nix | 12 + .../host-templates/website-mirror/default.nix | 261 ++++++++++++++++++ .../host-templates/website-mirror/options.nix | 49 ++++ .../resources}/memo-barrucadu-co-uk.caddyfile | 0 .../resources}/www-barrucadu-co-uk.caddyfile | 0 11 files changed, 356 insertions(+), 268 deletions(-) delete mode 100644 hosts/_templates/barrucadu-website-mirror.nix create mode 100644 shared/host-templates/default.nix create mode 100644 shared/host-templates/website-mirror/default.nix create mode 100644 shared/host-templates/website-mirror/options.nix rename {hosts/_templates/barrucadu-website-mirror => shared/host-templates/website-mirror/resources}/memo-barrucadu-co-uk.caddyfile (100%) rename {hosts/_templates/barrucadu-website-mirror => shared/host-templates/website-mirror/resources}/www-barrucadu-co-uk.caddyfile (100%) diff --git a/flake.nix b/flake.nix index a60807a0..2ca11b4a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -121,19 +121,22 @@
 modules = [
 { config._module.args = { inherit pkgs; }; }
 ./shared/options.nix
+ # modules
+ ./shared/bookdb/options.nix
 ./shared/bookmarks/options.nix
- ./shared/umami/options.nix
 ./shared/concourse/options.nix
- ./shared/torrents/options.nix
+ ./shared/erase-your-darlings/options.nix
+ ./shared/finder/options.nix
+ ./shared/foundryvtt/options.nix
+ ./shared/minecraft/options.nix
 ./shared/oci-containers/options.nix
 ./shared/pleroma/options.nix
 ./shared/resolved/options.nix
- ./shared/bookdb/options.nix
- ./shared/minecraft/options.nix
- ./shared/erase-your-darlings/options.nix
- ./shared/foundryvtt/options.nix
- ./shared/finder/options.nix
 ./shared/restic-backups/options.nix
+ ./shared/torrents/options.nix
+ ./shared/umami/options.nix
+ # host templates
+ ./shared/host-templates/website-mirror/options.nix
 ];
 };
 optionsDoc = pkgs.nixosOptionsDoc {
diff --git a/hosts/_templates/barrucadu-website-mirror.nix b/hosts/_templates/barrucadu-website-mirror.nix
deleted file mode 100644
index 3f301ad7..00000000
--- a/hosts/_templates/barrucadu-website-mirror.nix
+++ /dev/null
@@ -1,228 +0,0 @@ -# Configures a webserver for the following domains: -# -# - {www,bookdb,bookmarks,memos,weeknotes,}barrucadu.co.uk -# - {www,}barrucadu.com -# - {www,}barrucadu.dev -# - {www,}barrucadu.uk -# -# The state of each website (static files, databases) needs to be synchronised -# to this machine for the sites to work. -{ config, lib, pkgs, ... }: - -with lib; -let - httpDir = - if config.nixfiles.eraseYourDarlings.enable - then "${toString config.nixfiles.eraseYourDarlings.persistDir}/srv/http" - else "/srv/http"; - - certDirFor = domain: - if config.nixfiles.eraseYourDarlings.enable - then "${toString config.nixfiles.eraseYourDarlings.persistDir}/var/lib/acme/${domain}" - else "/var/lib/acme/${domain}"; - - copyCertsFor = domain: '' - mkdir -p ${toString config.nixfiles.eraseYourDarlings.persistDir}/var/lib/acme || true - rm -r ${toString config.nixfiles.eraseYourDarlings.persistDir}/var/lib/acme/${domain} || true - cp -a /var/lib/acme/${domain} ${toString config.nixfiles.eraseYourDarlings.persistDir}/var/lib/acme/${domain} - ''; - - caddyConfigWithTlsCert = certDomain: '' - encode gzip - - header Permissions-Policy "interest-cohort=()" - header Referrer-Policy "strict-origin-when-cross-origin" - header Strict-Transport-Security "max-age=31536000; includeSubDomains" - header X-Content-Type-Options "nosniff" - header X-Frame-Options "SAMEORIGIN" - - header -Server - - tls ${certDirFor certDomain}/cert.pem ${certDirFor certDomain}/key.pem { - protocols tls1.3 - } - ''; -in -{ - ############################################################################### - ## Certificates - ############################################################################### - - # Provision certificates via DNS challenge - security.acme = { - acceptTerms = true; - - defaults = { - email = "mike@barrucadu.co.uk"; - dnsProvider = "route53"; - dnsPropagationCheck = true; - environmentFile = config.sops.secrets."services/acme/env".path; - reloadServices = [ "caddy" ]; - }; - - 
certs."barrucadu.co.uk" = { - group = config.services.caddy.group; - domain = "barrucadu.co.uk"; - extraDomainNames = [ "*.barrucadu.co.uk" ]; - postRun = if config.nixfiles.eraseYourDarlings.enable then copyCertsFor "barrucadu.co.uk" else ""; - }; - - certs."barrucadu.com" = { - group = config.services.caddy.group; - domain = "barrucadu.com"; - extraDomainNames = [ "*.barrucadu.com" ]; - postRun = if config.nixfiles.eraseYourDarlings.enable then copyCertsFor "barrucadu.com" else ""; - }; - - certs."barrucadu.dev" = { - group = config.services.caddy.group; - domain = "barrucadu.dev"; - extraDomainNames = [ "*.barrucadu.dev" ]; - postRun = if config.nixfiles.eraseYourDarlings.enable then copyCertsFor "barrucadu.dev" else ""; - }; - - certs."barrucadu.uk" = { - group = config.services.caddy.group; - domain = "barrucadu.uk"; - extraDomainNames = [ "*.barrucadu.uk" ]; - postRun = if config.nixfiles.eraseYourDarlings.enable then copyCertsFor "barrucadu.uk" else ""; - }; - }; - sops.secrets."services/acme/env" = { }; - - - ############################################################################### - ## HTTP - ############################################################################### - - # http - services.caddy.enable = true; - - # redirects - services.caddy.virtualHosts."barrucadu.co.uk".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.co.uk"} - - redir https://www.barrucadu.co.uk{uri} - ''; - - services.caddy.virtualHosts."barrucadu.com".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.com"} - - redir https://www.barrucadu.co.uk{uri} - ''; - - services.caddy.virtualHosts."www.barrucadu.com".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.com"} - - redir https://www.barrucadu.co.uk{uri} - ''; - - services.caddy.virtualHosts."barrucadu.dev".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.dev"} - - redir https://www.barrucadu.co.uk - ''; - - services.caddy.virtualHosts."www.barrucadu.dev".extraConfig = '' - ${caddyConfigWithTlsCert 
"barrucadu.dev"} - - redir https://www.barrucadu.co.uk - ''; - - services.caddy.virtualHosts."barrucadu.uk".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.uk"} - - redir https://www.barrucadu.co.uk{uri} - ''; - - services.caddy.virtualHosts."www.barrucadu.uk".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.uk"} - - redir https://www.barrucadu.co.uk{uri} - ''; - - # real sites - services.caddy.virtualHosts."www.barrucadu.co.uk".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.co.uk"} - - header /fonts/* Cache-Control "public, immutable, max-age=31536000" - header /*.css Cache-Control "public, immutable, max-age=31536000" - - file_server { - root ${httpDir}/barrucadu.co.uk/www - } - - ${fileContents ./barrucadu-website-mirror/www-barrucadu-co-uk.caddyfile} - ''; - - services.caddy.virtualHosts."bookdb.barrucadu.co.uk".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.co.uk"} - - reverse_proxy http://127.0.0.1:${toString config.nixfiles.bookdb.port} - ''; - - services.caddy.virtualHosts."bookmarks.barrucadu.co.uk".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.co.uk"} - - reverse_proxy http://127.0.0.1:${toString config.nixfiles.bookmarks.port} - ''; - - services.caddy.virtualHosts."memo.barrucadu.co.uk".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.co.uk"} - - header /fonts/* Cache-Control "public, immutable, max-age=31536000" - header /mathjax/* Cache-Control "public, immutable, max-age=7776000" - header /*.css Cache-Control "public, immutable, max-age=31536000" - - root * ${httpDir}/barrucadu.co.uk/memo - file_server - - handle_errors { - @410 { - expression {http.error.status_code} == 410 - } - rewrite @410 /410.html - file_server - } - - ${fileContents ./barrucadu-website-mirror/memo-barrucadu-co-uk.caddyfile} - ''; - - services.caddy.virtualHosts."weeknotes.barrucadu.co.uk".extraConfig = '' - ${caddyConfigWithTlsCert "barrucadu.co.uk"} - - header /fonts/* Cache-Control "public, immutable, max-age=31536000" - header 
/*.css Cache-Control "public, immutable, max-age=31536000" - - file_server { - root ${httpDir}/barrucadu.co.uk/weeknotes - } - ''; - - - ############################################################################### - ## Miscellaneous - ############################################################################### - - # bookdb - nixfiles.bookdb.enable = true; - nixfiles.bookdb.readOnly = true; - - # bookmarks - nixfiles.bookmarks.enable = true; - nixfiles.bookmarks.readOnly = true; - - # Firewall - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - # Concourse access - users.extraUsers.concourse-deploy-robot = { - home = "/var/lib/concourse-deploy-robot"; - createHome = true; - isSystemUser = true; - openssh.authorizedKeys.keys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFilTWek5xNpl82V48oQ99briJhn9BqwCACeRq1dQnZn concourse-worker@cd.barrucadu.dev" ]; - shell = pkgs.bashInteractive; - group = "nogroup"; - }; -} diff --git a/hosts/carcosa/configuration.nix b/hosts/carcosa/configuration.nix index bc83b5e5..3107cf8f 100644 --- a/hosts/carcosa/configuration.nix +++ b/hosts/carcosa/configuration.nix @@ -24,10 +24,6 @@ let httpdir = "${toString config.nixfiles.eraseYourDarlings.persistDir}/srv/http"; in { - imports = [ - ../_templates/barrucadu-website-mirror.nix - ]; - ############################################################################### ## General ############################################################################### 
@@ -97,11 +93,22 @@ in sops.secrets."nixfiles/restic-backups/env" = { }; + ############################################################################### + ## Website Mirror + ############################################################################### + + nixfiles.hostTemplates.websiteMirror = { + enable = true; + acmeEnvironmentFile = config.sops.secrets."services/acme/env".path; + }; + sops.secrets."services/acme/env" = { }; + + ############################################################################### ## Services ############################################################################### - # WWW - there are more websites, see barrucadu-website-mirror + # WWW - there are more websites, see website-mirror services.caddy.enable = true; services.caddy.extraConfig = '' (common_config) { @@ -322,19 +329,6 @@ in sops.secrets."nixfiles/pleroma/exc".owner = config.users.users.pleroma.name; - ############################################################################### - ## Nyarlathotep Sync - ############################################################################### - - nixfiles.bookdb.remoteSync.receive.enable = true; - nixfiles.bookdb.remoteSync.receive.authorizedKeys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIChVw9DPLafA3lCLCI4Df9rYuxedFQTXAwDOOHUfZ0Ac remote-sync@nyarlathotep" ]; - - nixfiles.bookmarks.remoteSync.receive.enable = true; - nixfiles.bookmarks.remoteSync.receive.authorizedKeys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIChVw9DPLafA3lCLCI4Df9rYuxedFQTXAwDOOHUfZ0Ac remote-sync@nyarlathotep" ]; - - ############################################################################### ## Remote Builds ############################################################################### diff --git a/hosts/yuggoth/configuration.nix b/hosts/yuggoth/configuration.nix index 61335eec..492e8393 100644 --- a/hosts/yuggoth/configuration.nix +++ b/hosts/yuggoth/configuration.nix 
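Review bot: After the third hunk removes the Nyarlathotep Sync block, carcosa no longer names the SSH keys it accepts for bookdb/bookmarks sync anywhere in its own configuration — they are now inherited from the template's option defaults, and the `websiteMirror = { enable = true; acmeEnvironmentFile = ...; }` block in the second hunk gives no hint of that. Either pass `bookdbRemoteSyncAuthorizedKeys` / `bookmarksRemoteSyncAuthorizedKeys` explicitly here, as the removed lines did, or add a pointer in the Website Mirror section such as `# remote-sync and concourse deploy keys come from the website-mirror template defaults` so an access review of this host does not miss them. The same applies to the concourse deploy key, which this host never mentioned explicitly but now also accepts by default.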
@@ -13,10 +13,6 @@ with lib; { - imports = [ - ../_templates/barrucadu-website-mirror.nix - ]; - ############################################################################### ## General ############################################################################### @@ -38,16 +34,14 @@ with lib; sops.secrets."users/barrucadu".neededForUsers = true; ############################################################################### - ## Nyarlathotep Sync + ## Website Mirror ############################################################################### - nixfiles.bookdb.remoteSync.receive.enable = true; - nixfiles.bookdb.remoteSync.receive.authorizedKeys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIChVw9DPLafA3lCLCI4Df9rYuxedFQTXAwDOOHUfZ0Ac remote-sync@nyarlathotep" ]; - - nixfiles.bookmarks.remoteSync.receive.enable = true; - nixfiles.bookmarks.remoteSync.receive.authorizedKeys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIChVw9DPLafA3lCLCI4Df9rYuxedFQTXAwDOOHUfZ0Ac remote-sync@nyarlathotep" ]; + nixfiles.hostTemplates.websiteMirror = { + enable = true; + acmeEnvironmentFile = config.sops.secrets."services/acme/env".path; + }; + sops.secrets."services/acme/env" = { }; ############################################################################### ## Remote Builds diff --git a/scripts/documentation.sh b/scripts/documentation.sh index 766c37bd..390a4e62 100644 --- a/scripts/documentation.sh +++ b/scripts/documentation.sh @@ -41,14 +41,14 @@ import os print("# Host Templates") print("") -templates = sorted([name for name in os.listdir("hosts/_templates")]) +templates = sorted([name for name in os.listdir("shared/host-templates") if name not in [".", ".."]]) for template in templates: - source_file = f"hosts/_templates/{template}" + source_file = f"shared/host-templates/{template}/default.nix" if not os.path.isfile(source_file): continue - print(f"## {template.replace('.nix','')}") + print(f"## {template}") has_doc = False with open(source_file, "r") as f: 
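Review bot: In the new `templates = sorted(...)` line of the documentation.sh hunk, the `if name not in [".", ".."]` filter is dead code — `os.listdir` never yields those entries — and the real filtering is left to the `isfile` check on `{template}/default.nix` below, which also silently drops `shared/host-templates/default.nix` itself from the listing. Filtering on what is actually wanted says it directly: `templates = sorted(name for name in os.listdir("shared/host-templates") if os.path.isdir(os.path.join("shared/host-templates", name)))`. The enclosing script continues outside the hunk, so whether `os.path` is already used elsewhere is not visible here.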
@@ -78,6 +78,8 @@ with open(os.getenv("NIXOS_OPTIONS_JSON"), "r") as f:
 modules = {}
 for key, defn in options.items():
 module_name = defn["declarations"][0].split("/shared/")[1].replace("/options.nix", "")
+ if module_name.startswith("host-templates/"):
+ continue
 if module_name == "options.nix":
 # this is the top-level `shared` file
 module_name = ""
diff --git a/shared/default.nix b/shared/default.nix
index 6a66f2a9..68dd4587 100644
--- a/shared/default.nix
+++ b/shared/default.nix
@@ -30,6 +30,7 @@ in
 ./erase-your-darlings
 ./finder
 ./foundryvtt
+ ./host-templates
 ./minecraft
 ./oci-containers
 ./pleroma
diff --git a/shared/host-templates/default.nix b/shared/host-templates/default.nix
new file mode 100644
index 00000000..6bcb0987
--- /dev/null
+++ b/shared/host-templates/default.nix
@@ -0,0 +1,12 @@
+# Template configuration for a variety of functionality.
+#
+# See [the documentation for each template][].
+#
+# [the documentation for each template]: host-templates.html
+{ ... }:
+
+{
+ imports = [
+ ./website-mirror
+ ];
+}
diff --git a/shared/host-templates/website-mirror/default.nix b/shared/host-templates/website-mirror/default.nix
new file mode 100644
index 00000000..9775a332
--- /dev/null
+++ b/shared/host-templates/website-mirror/default.nix
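Review bot: The new `if module_name.startswith("host-templates/"): continue` drops the template's options from the generated options page, but the host-templates section added in the earlier hunk only prints the header comment of each template's `default.nix`, so `acmeEnvironmentFile` and the three `*AuthorizedKeys` options — including the SSH keys they accept by default — appear to end up documented nowhere. If that is intentional, say so next to the check: `# host-template options are documented on the host-templates page, not here`; otherwise route them into the host-templates section rather than skipping them. The loop body continues outside the hunk, so this is inferred from what is visible.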
@@ -0,0 +1,261 @@ +# Configures a webserver for the following domains: +# +# - {www,bookdb,bookmarks,memos,weeknotes,}barrucadu.co.uk +# - {www,}barrucadu.com +# - {www,}barrucadu.dev +# - {www,}barrucadu.uk +# +# Access is configured for push-based updates: +# +# - Remote sync (defaulting to the nyarlathotep SSH key) for bookdb and bookmarks +# - SSH and file ownership (defaulting to the concourse SSH key) for static websites +# +# Push needs to be configured in the appropriate places. +{ config, lib, pkgs, ... }: + +with lib; +let + baseDir = + if config.nixfiles.eraseYourDarlings.enable + then toString config.nixfiles.eraseYourDarlings.persistDir + else ""; + + httpDir = "${baseDir}/srv/http"; + certDir = "${baseDir}/var/lib/acme"; + + copyCertsFor = domain: '' + mkdir -p ${toString config.nixfiles.eraseYourDarlings.persistDir}/var/lib/acme || true + rm -r ${toString config.nixfiles.eraseYourDarlings.persistDir}/var/lib/acme/${domain} || true + cp -a /var/lib/acme/${domain} ${toString config.nixfiles.eraseYourDarlings.persistDir}/var/lib/acme/${domain} + ''; + + caddyConfigWithTlsCert = certDomain: '' + encode gzip + + header Permissions-Policy "interest-cohort=()" + header Referrer-Policy "strict-origin-when-cross-origin" + header Strict-Transport-Security "max-age=31536000; includeSubDomains" + header X-Content-Type-Options "nosniff" + header X-Frame-Options "SAMEORIGIN" + + header -Server + + tls ${certDir}/${certDomain}/cert.pem ${certDir}/${certDomain}/key.pem { + protocols tls1.3 + } + ''; + + cfg = config.nixfiles.hostTemplates.websiteMirror; +in +{ + imports = [ + ./options.nix + ]; + + config = mkIf cfg.enable { + ############################################################################### + ## Certificates + ############################################################################### + + # Provision certificates via DNS challenge + security.acme = { + acceptTerms = true; + + defaults = { + email = "mike@barrucadu.co.uk"; + dnsProvider = 
"route53"; + dnsPropagationCheck = true; + environmentFile = cfg.acmeEnvironmentFile; + reloadServices = [ "caddy" ]; + }; + + certs."barrucadu.co.uk" = { + group = config.services.caddy.group; + domain = "barrucadu.co.uk"; + extraDomainNames = [ "*.barrucadu.co.uk" ]; + postRun = if config.nixfiles.eraseYourDarlings.enable then copyCertsFor "barrucadu.co.uk" else ""; + }; + + certs."barrucadu.com" = { + group = config.services.caddy.group; + domain = "barrucadu.com"; + extraDomainNames = [ "*.barrucadu.com" ]; + postRun = if config.nixfiles.eraseYourDarlings.enable then copyCertsFor "barrucadu.com" else ""; + }; + + certs."barrucadu.dev" = { + group = config.services.caddy.group; + domain = "barrucadu.dev"; + extraDomainNames = [ "*.barrucadu.dev" ]; + postRun = if config.nixfiles.eraseYourDarlings.enable then copyCertsFor "barrucadu.dev" else ""; + }; + + certs."barrucadu.uk" = { + group = config.services.caddy.group; + domain = "barrucadu.uk"; + extraDomainNames = [ "*.barrucadu.uk" ]; + postRun = if config.nixfiles.eraseYourDarlings.enable then copyCertsFor "barrucadu.uk" else ""; + }; + }; + + + ############################################################################### + ## Websites + ############################################################################### + + services.caddy.enable = true; + + # redirects + services.caddy.virtualHosts."barrucadu.co.uk".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.co.uk"} + + redir https://www.barrucadu.co.uk{uri} + ''; + + services.caddy.virtualHosts."barrucadu.com".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.com"} + + redir https://www.barrucadu.co.uk{uri} + ''; + + services.caddy.virtualHosts."www.barrucadu.com".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.com"} + + redir https://www.barrucadu.co.uk{uri} + ''; + + services.caddy.virtualHosts."barrucadu.dev".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.dev"} + + redir https://www.barrucadu.co.uk + ''; + + 
services.caddy.virtualHosts."www.barrucadu.dev".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.dev"} + + redir https://www.barrucadu.co.uk + ''; + + services.caddy.virtualHosts."barrucadu.uk".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.uk"} + + redir https://www.barrucadu.co.uk{uri} + ''; + + services.caddy.virtualHosts."www.barrucadu.uk".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.uk"} + + redir https://www.barrucadu.co.uk{uri} + ''; + + # real sites + services.caddy.virtualHosts."www.barrucadu.co.uk".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.co.uk"} + + header /fonts/* Cache-Control "public, immutable, max-age=31536000" + header /*.css Cache-Control "public, immutable, max-age=31536000" + + file_server { + root ${httpDir}/barrucadu.co.uk/www + } + + ${fileContents ./resources/www-barrucadu-co-uk.caddyfile} + ''; + + services.caddy.virtualHosts."bookdb.barrucadu.co.uk".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.co.uk"} + + reverse_proxy http://127.0.0.1:${toString config.nixfiles.bookdb.port} + ''; + + services.caddy.virtualHosts."bookmarks.barrucadu.co.uk".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.co.uk"} + + reverse_proxy http://127.0.0.1:${toString config.nixfiles.bookmarks.port} + ''; + + services.caddy.virtualHosts."memo.barrucadu.co.uk".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.co.uk"} + + header /fonts/* Cache-Control "public, immutable, max-age=31536000" + header /mathjax/* Cache-Control "public, immutable, max-age=7776000" + header /*.css Cache-Control "public, immutable, max-age=31536000" + + root * ${httpDir}/barrucadu.co.uk/memo + file_server + + handle_errors { + @410 { + expression {http.error.status_code} == 410 + } + rewrite @410 /410.html + file_server + } + + ${fileContents ./resources/memo-barrucadu-co-uk.caddyfile} + ''; + + services.caddy.virtualHosts."weeknotes.barrucadu.co.uk".extraConfig = '' + ${caddyConfigWithTlsCert "barrucadu.co.uk"} + + header /fonts/* 
Cache-Control "public, immutable, max-age=31536000" + header /*.css Cache-Control "public, immutable, max-age=31536000" + + file_server { + root ${httpDir}/barrucadu.co.uk/weeknotes + } + ''; + + + ############################################################################### + ## Services + ############################################################################### + + nixfiles.bookdb.enable = true; + nixfiles.bookdb.readOnly = true; + + nixfiles.bookmarks.enable = true; + nixfiles.bookmarks.readOnly = true; + + nixfiles.bookdb.remoteSync.receive.enable = config.nixfiles.bookdb.enable; + nixfiles.bookdb.remoteSync.receive.authorizedKeys = cfg.bookdbRemoteSyncAuthorizedKeys; + + nixfiles.bookmarks.remoteSync.receive.enable = config.nixfiles.bookmarks.enable; + nixfiles.bookmarks.remoteSync.receive.authorizedKeys = cfg.bookmarksRemoteSyncAuthorizedKeys; + + + ############################################################################### + ## Miscellaneous + ############################################################################### + + # Firewall + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + # Concourse access + users.extraUsers.concourse-deploy-robot = { + home = "/var/lib/concourse-deploy-robot"; + createHome = true; + isSystemUser = true; + openssh.authorizedKeys.keys = cfg.concourseDeployRobotAuthorizedKeys; + shell = pkgs.bashInteractive; + group = "nogroup"; + }; + + # Create needed directories if they don't already exist + systemd.tmpfiles.rules = [ + # acme & caddy services + "d ${certDir} - root root -" + "d ${baseDir}/var/lib/caddy 700 caddy caddy -" + # static websites (for rsync - seems to want to traverse from /) + "d ${baseDir}/srv - root root -" + "d ${httpDir} - root root -" + "d ${httpDir}/barrucadu.co.uk - root root -" + "d ${httpDir}/barrucadu.co.uk/memo - concourse-deploy-robot nogroup -" + "d ${httpDir}/barrucadu.co.uk/weeknotes - concourse-deploy-robot nogroup -" + "d ${httpDir}/barrucadu.co.uk/www - concourse-deploy-robot 
nogroup -"
+ # docker volumes
+ "d ${config.nixfiles.oci-containers.volumeBaseDir}/bookdb/esdata - 1000 100 -"
+ "d ${config.nixfiles.oci-containers.volumeBaseDir}/bookmarks/esdata - 1000 100 -"
+ ];
+ };
+}
diff --git a/shared/host-templates/website-mirror/options.nix b/shared/host-templates/website-mirror/options.nix
new file mode 100644
index 00000000..0744c927
--- /dev/null
+++ b/shared/host-templates/website-mirror/options.nix
@@ -0,0 +1,49 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ options.nixfiles.hostTemplates.websiteMirror = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable the website-mirror template.
+ '';
+ };
+
+ acmeEnvironmentFile = mkOption {
+ type = types.path;
+ description = ''
+ Environment file with AWS Route53 credentials for the ACME DNS-01 challenge.
+ '';
+ };
+
+ concourseDeployRobotAuthorizedKeys = mkOption {
+ type = types.listOf types.str;
+ default =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFilTWek5xNpl82V48oQ99briJhn9BqwCACeRq1dQnZn concourse-worker@cd.barrucadu.dev" ];
+ description = ''
+ SSH public keys to allow Concourse deployments from.
+ '';
+ };
+
+ bookdbRemoteSyncAuthorizedKeys = mkOption {
+ type = types.listOf types.str;
+ default =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIChVw9DPLafA3lCLCI4Df9rYuxedFQTXAwDOOHUfZ0Ac remote-sync@nyarlathotep" ];
+ description = ''
+ SSH public keys to allow bookdb remots sync from.
+ '';
+ };
+
+ bookmarksRemoteSyncAuthorizedKeys = mkOption {
+ type = types.listOf types.str;
+ default =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIChVw9DPLafA3lCLCI4Df9rYuxedFQTXAwDOOHUfZ0Ac remote-sync@nyarlathotep" ];
+ description = ''
+ SSH public keys to allow bookdb remots sync from.
+ '';
+ };
+ };
+}
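Review bot: The tmpfiles rules at the end of the hunk hard-code `1000 100` as owner and group of the bookdb and bookmarks `esdata` volumes (with the default 0755 mode) and nothing says what those ids are; a comment such as `# 1000:100 is the uid/gid the search container runs as — keep in sync with the bookdb/bookmarks modules` (adjusted to whatever the container really uses) would stop a future maintainer "normalising" them to a named user. In the Services section, `remoteSync.receive.enable = config.nixfiles.bookdb.enable` reads like a guard, but the template itself sets `nixfiles.bookdb.enable = true` a few lines earlier, so it is always true and `= true` says what is meant. In `copyCertsFor`, the `rm -r` of the persisted `${domain}` directory runs before the `cp -a`, so a failed copy leaves caddy pointing at a missing cert and key; copying into a sibling temporary directory and renaming it over the old one keeps the swap atomic. The header comment also lists `memos` while the vhost configured below is `memo.barrucadu.co.uk`.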
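Review bot: The three `*AuthorizedKeys` options ship real SSH public keys as their `default`, so any host that sets `enable = true` implicitly grants the Concourse worker and the nyarlathotep sync key access without ever naming them in its own configuration — the opposite of `acmeEnvironmentFile`, which deliberately has no default. Before this commit each host listed the sync keys explicitly; `default = [ ];` (or no default at all) keeps access a per-host decision and prevents a rotated-out key in the template from silently re-authorising on every mirror. The description of `bookmarksRemoteSyncAuthorizedKeys` is copy-pasted from bookdb and both say "remots"; suggest `SSH public keys to allow bookmarks remote sync from.` and `SSH public keys to allow bookdb remote sync from.` respectively.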
diff --git a/hosts/_templates/barrucadu-website-mirror/memo-barrucadu-co-uk.caddyfile b/shared/host-templates/website-mirror/resources/memo-barrucadu-co-uk.caddyfile similarity index 100% rename from hosts/_templates/barrucadu-website-mirror/memo-barrucadu-co-uk.caddyfile rename to shared/host-templates/website-mirror/resources/memo-barrucadu-co-uk.caddyfile diff --git a/hosts/_templates/barrucadu-website-mirror/www-barrucadu-co-uk.caddyfile b/shared/host-templates/website-mirror/resources/www-barrucadu-co-uk.caddyfile similarity index 100% rename from hosts/_templates/barrucadu-website-mirror/www-barrucadu-co-uk.caddyfile rename to shared/host-templates/website-mirror/resources/www-barrucadu-co-uk.caddyfile