Merge pull request #6 from nix-pizza/wastebin

Wastebin

Author: aciceri

.github/workflows/build.yaml

@@ -1,11 +1,13 @@
 name: "CI"
-on: pull_request_target
+on:
+  - pull_request_target
+  - workflow_dispatch
 jobs:
   nix-flake-check:
     # TODO idea: instead of using QEMU (which is slow) use the host as remote builder
     strategy:
       matrix:
-        system: ["aarch64-linux", "x86_64-linux"]
+        system: ["aarch64-linux"]
     runs-on: ubuntu-latest
     name: "Build checks for ${{ matrix.system }}"
     steps:
@@ -22,6 +24,7 @@ jobs:
           system = ${{ matrix.system }}
           trusted-public-keys = nix-pizza.cachix.org-1:TQe66aP2buN2KXWrZqpdko7GAL0WtbPA40d+wlnEiyo= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
           substituters = https://nix-pizza.cachix.org https://cache.nixos.org/
+          always-allow-substitutes = true
     - id: retrieve-cachix-auth-token
       run: |
         source "$(nix build .#inject-secrets --no-link --print-out-paths)"/bin/install-agenix-shell
@@ -30,4 +33,5 @@ jobs:
       with:
         name: nix-pizza
         authToken: ${{ steps.retrieve-cachix-auth-token.outputs.CACHIX_AUTH_TOKEN }}
-    - run: nix flake check -L
+        installCommand: nix profile install github:cachix/cachix/debug-daemon-stop -L --accept-flake-config
+    - run: nix build .#checks.aarch64-linux.nix-pizza-config -L -vvvv

.github/workflows/deploy.yaml

@@ -26,6 +26,7 @@ jobs:
           system = ${{ matrix.system }}
           trusted-public-keys = nix-pizza.cachix.org-1:TQe66aP2buN2KXWrZqpdko7GAL0WtbPA40d+wlnEiyo= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
           substituters = https://nix-pizza.cachix.org https://cache.nixos.org/
+          always-allow-substitutes = true
     - id: retrieve-cachix-auth-token
       run: |
         source "$(nix build .#inject-secrets --no-link --print-out-paths)"/bin/install-agenix-shell

flake.lock

@@ -1,4 +1,10 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, lib, ... }:
+let
+  user = "u382036-sub2";
+  host = "u382036.your-storagebox.de";
+  port = "23";
+in
+{
   age.secrets = {
     HETZNER_STORAGE_BOX_SSH_PASSWORD = {
       file = ../../secrets/HETZNER_STORAGE_BOX_SSH_PASSWORD.age;
@@ -10,21 +16,17 @@
     };
   };
 
-  services.restic.backups.nix-pizza =
-    let
-      user = "u382036-sub2";
-      host = "u382036.your-storagebox.de";
-      port = "23";
-    in
-    {
-      paths = [ "/persist" ];
-      passwordFile = config.age.secrets.NIX_PIZZA_RESTIC_PASSWORD.path;
-      extraOptions = [
-        "sftp.command='${lib.getExe pkgs.sshpass} -f ${config.age.secrets.HETZNER_STORAGE_BOX_SSH_PASSWORD.path} ssh -p${port} ${user}@${host} -s sftp'"
-      ];
-      repository = "sftp://${user}@${host}:${port}/";
-      initialize = true;
-      timerConfig.OnCalendar = "daily";
-      timerConfig.RandomizedDelaySec = "1h";
-    };
+  services.openssh.knownHosts."${host}".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+
+  services.restic.backups.nix-pizza = {
+    paths = [ "/persist" ];
+    passwordFile = config.age.secrets.NIX_PIZZA_RESTIC_PASSWORD.path;
+    extraOptions = [
+      "sftp.command='${lib.getExe pkgs.sshpass} -f ${config.age.secrets.HETZNER_STORAGE_BOX_SSH_PASSWORD.path} ssh -p${port} ${user}@${host} -s sftp'"
+    ];
+    repository = "sftp://${user}@${host}:${port}/";
+    initialize = true;
+    timerConfig.OnCalendar = "daily";
+    timerConfig.RandomizedDelaySec = "1h";
+  };
 }

hosts/nix-pizza/backup.nix

@@ -6,6 +6,7 @@
     ./fail2ban.nix
     ./nginx.nix
     ./hedgedoc.nix
+    ./wastebin.nix
   ];
 
   boot.kernelParams = [ "console=tty" ];

hosts/nix-pizza/default.nix

@@ -5,7 +5,6 @@ in
 {
   services.nginx = {
     virtualHosts."${cfg.settings.domain}" = {
-      default = true;
       enableACME = true;
       forceSSL = true;
       locations."/".proxyPass = "http://${cfg.settings.host}:${builtins.toString cfg.settings.port}";

hosts/nix-pizza/hedgedoc.nix

@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.wastebin;
+  host = "marinara.nix.pizza";
+  port = 8088;
+in
+{
+  # contains WASTEBIN_PASSWORD_SALT and WASTEBIN_SIGNING_KEY
+  age.secrets.WASTEBIN_ENVIRONMENT = {
+    file = ../../secrets/WASTEBIN_ENVIRONMENT.age;
+    owner = "wastebin";
+    group = "wastebin";
+  };
+
+  users.groups.wastebin = { };
+  users.users.wastebin = {
+    description = "Wastebin service user";
+    group = "wastebin";
+    isSystemUser = true;
+  };
+
+  services.wastebin = {
+    enable = true;
+    stateDir = "/var/lib/wastebin";
+    secretFile = config.age.secrets.WASTEBIN_ENVIRONMENT.path;
+    settings = {
+      WASTEBIN_DATABASE_PATH = "${cfg.stateDir}/sqlite3.db";
+      WASTEBIN_BASE_URL = "https://${host}";
+      WASTEBIN_ADDRESS_PORT = "127.0.0.1:${builtins.toString port}";
+    };
+  };
+
+  systemd.services.wastebin.serviceConfig = {
+    User = "wastebin";
+    Group = "wastebin";
+    DynamicUser = lib.mkForce false;
+  };
+
+  environment.persistence."/persist".directories = [
+    cfg.stateDir
+  ];
+
+  services.nginx = {
+    virtualHosts."${host}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://${cfg.settings.WASTEBIN_ADDRESS_PORT}";
+    };
+  };
+}

hosts/nix-pizza/wastebin.nix

@@ -15,6 +15,7 @@ in
   "CACHIX_AUTH_TOKEN.age".publicKeys = coreKeys;
 
   "HEDGEDOC_ENVIRONMENT.age".publicKeys = coreKeys ++ [ nix-pizza.key ];
+  "WASTEBIN_ENVIRONMENT.age".publicKeys = coreKeys ++ [ nix-pizza.key ];
   "HETZNER_STORAGE_BOX_SSH_PASSWORD.age".publicKeys = coreKeys ++ [ nix-pizza.key ];
   "NIX_PIZZA_RESTIC_PASSWORD.age".publicKeys = coreKeys ++ [ nix-pizza.key ];
 }

secrets/WASTEBIN_ENVIRONMENT.age

@@ -20,6 +20,7 @@
         jq # FIXME report upstream: nixos-anywhere terraform module needs it in PATH
         inputs'.agenix.packages.agenix
         config.agenix-shell.agePackage
+        pkgs.age
       ];
       devshell.startup.terraform-init.text = ''
         tofu init