VEGAS: add blog service

This commit is contained in:
Max Headroom 2022-01-14 22:28:48 +01:00
parent 8e7b305280
commit 40e4407466
4 changed files with 129 additions and 1 deletions


@ -0,0 +1,114 @@
{ config, inputs, lib, pkgs, tools, ... }:
let
inherit (tools.meta) domain;
flakePkgs = inputs.self.packages.${pkgs.system};
mapPaths = lib.mapAttrsRecursive (
path: value: lib.nameValuePair
(lib.concatStringsSep "__" path)
(builtins.toString value)
);
translateConfig = config: lib.listToAttrs (
lib.collect
(x: x ? name && x ? value)
(mapPaths config)
);
port = config.portsStr.ghost;
contentPath = "/srv/storage/private/ghost";
in
{
age.secrets.ghost-secrets = {
file = ../../../../secrets/ghost-secrets.age;
mode = "0400";
};
reservePortsFor = [ "ghost" ];
users.users.ghost = {
isSystemUser = true;
home = "${contentPath}/.home";
group = "ghost";
};
users.groups.ghost = {};
systemd.tmpfiles.rules = [
"d '${contentPath}' 0700 ghost ghost - -"
"d '${contentPath}/data' 0755 ghost ghost - -"
"d '${contentPath}/logs' 0755 ghost ghost - -"
"d '${contentPath}/themes' 0755 ghost ghost - -"
"L+ '${contentPath}/themes/casper' - - - - ${flakePkgs.ghost}/lib/node_modules/ghost/content/themes/casper"
];
systemd.services.ghost = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "ghost";
Group = "ghost";
ProtectSystem = "strict";
ReadWritePaths = [ contentPath ];
ProtectHome = "tmpfs";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
LockPersonality = true;
SystemCallArchitectures = [ "native" ];
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ExecStart = flakePkgs.ghost + /bin/ghost;
EnvironmentFile = config.age.secrets.ghost-secrets.path;
};
environment = translateConfig {
NODE_ENV = "production";
url = "https://blog.${domain}";
database = {
client = "mysql";
connection = {
host = "127.0.0.1";
database = "ghost";
user = "ghost";
# TODO: set password in secrets
};
};
server = {
host = "127.0.0.1";
inherit port;
};
privacy.useTinfoil = true;
paths = {
inherit contentPath;
};
};
};
services.nginx.virtualHosts."blog.${domain}" = tools.nginx.vhosts.proxy "http://127.0.0.1:${port}";
}
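Review bot: The `serviceConfig` block stops short of the hardening the rest of it clearly aims for: alongside `PrivateUsers = true` and `NoNewPrivileges = true` it could also carry `CapabilityBoundingSet = ""`, `RestrictNamespaces`, `RestrictRealtime`, `RestrictSUIDSGID`, `ProtectProc = "invisible"`, a `SystemCallFilter` of `@system-service` and a `UMask` so that files Ghost creates under `contentPath` are not group/world-readable; `MemoryDenyWriteExecute` should deliberately stay off, since Node's JIT needs writable-and-executable mappings. Separately, `translateConfig` renders every value with `builtins.toString`, which turns `true` into `1` and `false` into the empty string, so `privacy.useTinfoil = true` reaches Ghost as `privacy__useTinfoil=1` (presumably accepted) while any future `false` option would silently become empty; `lib.boolToString` for booleans avoids that. The `# TODO: set password in secrets` next to the MySQL `user = "ghost"` means the `127.0.0.1` database login runs without a password unless the age-encrypted env file already carries `database__connection__password` — worth closing before the vhost is reachable, or switching to a unix socket with socket authentication.
```nix
    serviceConfig = {
      User = "ghost";
      Group = "ghost";
      # … unchanged: ProtectSystem / ReadWritePaths / ProtectHome / RestrictAddressFamilies …
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      ProtectProc = "invisible";
      SystemCallFilter = [ "@system-service" ];
      # Ghost only needs its own files; nginx talks to it over HTTP, never via the filesystem.
      UMask = "0077";
      # MemoryDenyWriteExecute intentionally omitted: Node's JIT needs W+X mappings.
      # … unchanged: PrivateTmp … ExecStart / EnvironmentFile …
    };
```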


@ -18,10 +18,10 @@
./services/api
./services/backbone-routing
./services/bitwarden
./services/blog
./services/cdn-shield
./services/dns
./services/fbi
./services/bitwarden
./services/git
./services/hydra
./services/hyprspace

secrets/ghost-secrets.age Normal file

@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A o4wRZtz5LwvYgjprsAP5dyx4rmdC28lIT0RHnbQRo38
ndrXGHnOS+eiA0RFfjyYXpssJP1e9nC9rqEfarxo3oU
-> ssh-ed25519 5/zT0w YGbSNqtv+lBA60PhKRU/bCaNgDSXHgb+4pK/ZthsAgY
rbZbvu9Zh/78ie8m0LnraFPa6jqRUPZzrUPa0JrAYPY
-> ssh-ed25519 d3WGuA ks0xB6TgO6gzxoJkjX3xLmTTXeGHIKNOfPCP/e52kAg
wCuHg+Qk8icD0aX89V9m9iTzUoznUrZpsaCjX9JSXWs
-> q,M-grease
vK7mhSJIyJVsPBaGRPwP502a3aLZoOPeK+Nr+ApbluoeZmRg7fhirBrlVjRcJVJR
IaiNUg
--- ob1Ht4CIcaJpGvQ28RR2Cu8LqtZgzMJ7dGozZXH0Gu8
ú_SD¬À
Ðu+6Ê6´ÍЂ–>{šfÇõ9­¤Ç¾€]Ðð<C390>»Ìëer<65>ù¨<C3B9>Ç5nyIƒŠmåể-<2D>ìcµG΃³õx pf[äF9[ÚcâEßK®d [öT¿ÿ3QÀ7Ý8£dÇYpNÁÍbêÏ™&ÂŽ€½g3¥m<E28099>e(dC-;oÊ;EÂè-ȇwXEÃx.xeAU c!««»¸bÎO>ùR騇íQ-£ÖvD•<44>>


@ -6,6 +6,7 @@ in with hosts;
{
"acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"ghost-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];