VEGAS: add blog service
This commit is contained in:
parent
8e7b305280
commit
40e4407466
4 changed files with 129 additions and 1 deletions
114
hosts/VEGAS/services/blog/default.nix
Normal file
114
hosts/VEGAS/services/blog/default.nix
Normal file
|
@ -0,0 +1,114 @@
|
|||
{ config, inputs, lib, pkgs, tools, ... }:
|
||||
|
||||
let
|
||||
inherit (tools.meta) domain;
|
||||
|
||||
flakePkgs = inputs.self.packages.${pkgs.system};
|
||||
|
||||
mapPaths = lib.mapAttrsRecursive (
|
||||
path: value: lib.nameValuePair
|
||||
(lib.concatStringsSep "__" path)
|
||||
(builtins.toString value)
|
||||
);
|
||||
|
||||
translateConfig = config: lib.listToAttrs (
|
||||
lib.collect
|
||||
(x: x ? name && x ? value)
|
||||
(mapPaths config)
|
||||
);
|
||||
|
||||
port = config.portsStr.ghost;
|
||||
|
||||
contentPath = "/srv/storage/private/ghost";
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
age.secrets.ghost-secrets = {
|
||||
file = ../../../../secrets/ghost-secrets.age;
|
||||
mode = "0400";
|
||||
};
|
||||
|
||||
reservePortsFor = [ "ghost" ];
|
||||
|
||||
users.users.ghost = {
|
||||
isSystemUser = true;
|
||||
home = "${contentPath}/.home";
|
||||
group = "ghost";
|
||||
};
|
||||
|
||||
users.groups.ghost = {};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${contentPath}' 0700 ghost ghost - -"
|
||||
"d '${contentPath}/data' 0755 ghost ghost - -"
|
||||
"d '${contentPath}/logs' 0755 ghost ghost - -"
|
||||
"d '${contentPath}/themes' 0755 ghost ghost - -"
|
||||
"L+ '${contentPath}/themes/casper' - - - - ${flakePkgs.ghost}/lib/node_modules/ghost/content/themes/casper"
|
||||
];
|
||||
|
||||
systemd.services.ghost = {
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
User = "ghost";
|
||||
Group = "ghost";
|
||||
|
||||
ProtectSystem = "strict";
|
||||
ReadWritePaths = [ contentPath ];
|
||||
ProtectHome = "tmpfs";
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_NETLINK"
|
||||
];
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
LockPersonality = true;
|
||||
SystemCallArchitectures = [ "native" ];
|
||||
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
|
||||
ExecStart = flakePkgs.ghost + /bin/ghost;
|
||||
EnvironmentFile = config.age.secrets.ghost-secrets.path;
|
||||
};
|
||||
|
||||
|
||||
environment = translateConfig {
|
||||
NODE_ENV = "production";
|
||||
url = "https://blog.${domain}";
|
||||
|
||||
database = {
|
||||
client = "mysql";
|
||||
|
||||
connection = {
|
||||
host = "127.0.0.1";
|
||||
database = "ghost";
|
||||
user = "ghost";
|
||||
# TODO: set password in secrets
|
||||
};
|
||||
};
|
||||
server = {
|
||||
host = "127.0.0.1";
|
||||
inherit port;
|
||||
};
|
||||
|
||||
privacy.useTinfoil = true;
|
||||
|
||||
paths = {
|
||||
inherit contentPath;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."blog.${domain}" = tools.nginx.vhosts.proxy "http://127.0.0.1:${port}";
|
||||
|
||||
}
|
|
@ -18,10 +18,10 @@
|
|||
./services/api
|
||||
./services/backbone-routing
|
||||
./services/bitwarden
|
||||
./services/blog
|
||||
./services/cdn-shield
|
||||
./services/dns
|
||||
./services/fbi
|
||||
./services/bitwarden
|
||||
./services/git
|
||||
./services/hydra
|
||||
./services/hyprspace
|
||||
|
|
13
secrets/ghost-secrets.age
Normal file
13
secrets/ghost-secrets.age
Normal file
|
@ -0,0 +1,13 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 NO562A o4wRZtz5LwvYgjprsAP5dyx4rmdC28lIT0RHnbQRo38
|
||||
ndrXGHnOS+eiA0RFfjyYXpssJP1e9nC9rqEfarxo3oU
|
||||
-> ssh-ed25519 5/zT0w YGbSNqtv+lBA60PhKRU/bCaNgDSXHgb+4pK/ZthsAgY
|
||||
rbZbvu9Zh/78ie8m0LnraFPa6jqRUPZzrUPa0JrAYPY
|
||||
-> ssh-ed25519 d3WGuA ks0xB6TgO6gzxoJkjX3xLmTTXeGHIKNOfPCP/e52kAg
|
||||
wCuHg+Qk8icD0aX89V9m9iTzUoznUrZpsaCjX9JSXWs
|
||||
-> q,M-grease
|
||||
vK7mhSJIyJVsPBaGRPwP502a3aLZoOPeK+Nr+ApbluoeZmRg7fhirBrlVjRcJVJR
|
||||
IaiNUg
|
||||
--- ob1Ht4CIcaJpGvQ28RR2Cu8LqtZgzMJ7dGozZXH0Gu8
|
||||
ú_–SD¬‘À
|
||||
Ðu+6Ê6´ÍЂ–>{šfÇõ9¤Ç¾€]Ðð<C390>»Ìëer<65>ù¨<C3B9>Ç5nyIƒŠmå‚ể-<2D>Q¹‹ìcµG΃³õx
pf[äF9[ÚcâEßK®d[öT¿ÿ3QÀ7Ý8£dÇYpNÁÍbêÏ™&ÂŽ€½g3¥’m<E28099>e(dC-;oÊ;EÂè-ȇwXEËx.xeAU c!««»¸bÎO>ùR騇íQ-£ÖvD•<44>>
|
|
@ -6,6 +6,7 @@ in with hosts;
|
|||
{
|
||||
"acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"ghost-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
|
|
Loading…
Reference in a new issue