From 40e4407466226621ce39a718449aa9f157335421 Mon Sep 17 00:00:00 2001
From: Max
Date: Fri, 14 Jan 2022 22:28:48 +0100
Subject: [PATCH] VEGAS: add blog service
---
 hosts/VEGAS/services/blog/default.nix | 114 ++++++++++++++++++++++++++
 hosts/VEGAS/system.nix | 2 +-
 secrets/ghost-secrets.age | 13 +++
 secrets/secrets.nix | 1 +
 4 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 hosts/VEGAS/services/blog/default.nix
 create mode 100644 secrets/ghost-secrets.age
diff --git a/hosts/VEGAS/services/blog/default.nix b/hosts/VEGAS/services/blog/default.nix
new file mode 100644
index 0000000..7c3e68e
--- /dev/null
+++ b/hosts/VEGAS/services/blog/default.nix
@@ -0,0 +1,114 @@
+{ config, inputs, lib, pkgs, tools, ... }:
+
+let
+ inherit (tools.meta) domain;
+
+ flakePkgs = inputs.self.packages.${pkgs.system};
+
+ mapPaths = lib.mapAttrsRecursive (
+ path: value: lib.nameValuePair
+ (lib.concatStringsSep "__" path)
+ (builtins.toString value)
+ );
+
+ translateConfig = config: lib.listToAttrs (
+ lib.collect
+ (x: x ? name && x ? value)
+ (mapPaths config)
+ );
+
+ port = config.portsStr.ghost;
+
+ contentPath = "/srv/storage/private/ghost";
+in
+
+{
+
+ age.secrets.ghost-secrets = {
+ file = ../../../../secrets/ghost-secrets.age;
+ mode = "0400";
+ };
+
+ reservePortsFor = [ "ghost" ];
+
+ users.users.ghost = {
+ isSystemUser = true;
+ home = "${contentPath}/.home";
+ group = "ghost";
+ };
+
+ users.groups.ghost = {};
+
+ systemd.tmpfiles.rules = [
+ "d '${contentPath}' 0700 ghost ghost - -"
+ "d '${contentPath}/data' 0755 ghost ghost - -"
+ "d '${contentPath}/logs' 0755 ghost ghost - -"
+ "d '${contentPath}/themes' 0755 ghost ghost - -"
+ "L+ '${contentPath}/themes/casper' - - - - ${flakePkgs.ghost}/lib/node_modules/ghost/content/themes/casper"
+ ];
+
+ systemd.services.ghost = {
+
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ User = "ghost";
+ Group = "ghost";
+
+ ProtectSystem = "strict";
+ ReadWritePaths = [ contentPath ];
+ ProtectHome = "tmpfs";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ LockPersonality = true;
+ SystemCallArchitectures = [ "native" ];
+
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+
+ ExecStart = flakePkgs.ghost + /bin/ghost;
+ EnvironmentFile = config.age.secrets.ghost-secrets.path;
+ };
+
+
+ environment = translateConfig {
+ NODE_ENV = "production";
+ url = "https://blog.${domain}";
+
+ database = {
+ client = "mysql";
+
+ connection = {
+ host = "127.0.0.1";
+ database = "ghost";
+ user = "ghost";
+ # TODO: set password in secrets
+ };
+ };
+ server = {
+ host = "127.0.0.1";
+ inherit port;
+ };
+
+ privacy.useTinfoil = true;
+
+ paths = {
+ inherit contentPath;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."blog.${domain}" = tools.nginx.vhosts.proxy "http://127.0.0.1:${port}";
+
+}
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index 4c177ed..664689b 100644
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@@ -18,10 +18,10 @@
 ./services/api
 ./services/backbone-routing
 ./services/bitwarden
+ ./services/blog
 ./services/cdn-shield
 ./services/dns
 ./services/fbi
- ./services/bitwarden
 ./services/git
 ./services/hydra
 ./services/hyprspace
diff --git a/secrets/ghost-secrets.age b/secrets/ghost-secrets.age
new file mode 100644
index 0000000..f25dcb6
--- /dev/null
+++ b/secrets/ghost-secrets.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1 +-> ssh-ed25519 NO562A o4wRZtz5LwvYgjprsAP5dyx4rmdC28lIT0RHnbQRo38 +ndrXGHnOS+eiA0RFfjyYXpssJP1e9nC9rqEfarxo3oU +-> ssh-ed25519 5/zT0w YGbSNqtv+lBA60PhKRU/bCaNgDSXHgb+4pK/ZthsAgY +rbZbvu9Zh/78ie8m0LnraFPa6jqRUPZzrUPa0JrAYPY +-> ssh-ed25519 d3WGuA ks0xB6TgO6gzxoJkjX3xLmTTXeGHIKNOfPCP/e52kAg +wCuHg+Qk8icD0aX89V9m9iTzUoznUrZpsaCjX9JSXWs +-> q,M-grease +vK7mhSJIyJVsPBaGRPwP502a3aLZoOPeK+Nr+ApbluoeZmRg7fhirBrlVjRcJVJR +IaiNUg +--- ob1Ht4CIcaJpGvQ28RR2Cu8LqtZgzMJ7dGozZXH0Gu8 +_SD +u+66Ђ>{f9Ǿ]er5nyIm̉-QcG΃x pf[F9[cEKd [T3Q78dYpNbϙ&Žg3me(dC-;o;E-ȇwXEËx.xeAU c!bO>R騇Q-vD>
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5a56cab..8375dd0 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
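Review bot: `builtins.toString value` in `mapPaths` renders Nix booleans as `"1"`/`""`, so `privacy.useTinfoil = true` reaches Ghost as `privacy__useTinfoil=1` rather than `true`; as far as I recall Ghost's config helper tests `useTinfoil === true` strictly, in which case the update-check/telemetry opt-out silently never takes effect — worth confirming against the packaged Ghost version. A one-line fix in `mapPaths`: `(if builtins.isBool value then lib.boolToString value else builtins.toString value)`. Separately, the `# TODO: set password in secrets` line means `database.connection` carries no password in this module; the MySQL login then depends on the age-encrypted EnvironmentFile supplying `database__connection__password`, and if it does not, the `ghost` database account would have to be passwordless, which is not something to leave to a TODO even for a 127.0.0.1 listener.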
@@ -6,6 +6,7 @@ in with hosts; {
 "acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "ghost-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "hydra-bincache.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "hydra-builder-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];