add adam site option

2024-05-25 22:33:37 +02:00
parent ba7aba817e
commit 9386f6a7a9
6 changed files with 107 additions and 55 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -44,31 +44,35 @@
        , system ? "x86_64-linux", minimal ? false }:
        nixpkgs-unstable.lib.nixosSystem {
          inherit system;
-          modules = modules ++ [ ./modules agenix.nixosModules.default ]
+          modules = modules ++ [
-            ++ (if !minimal then [
+            ./modules
-              ({ outputs, ... }: {
+            agenix.nixosModules.default
-                nixpkgs.overlays = with outputs.overlays; [
+            ({ outputs, ... }: {
-                  additions
+              nixpkgs.overlays = with outputs.overlays; [
-                  modifications
+                additions
-                  unstable-packages
+                modifications
-                  nur.overlay
+                unstable-packages
-                ];
+              ];
-                # stylix compains if image is not set...
+            })
-                stylix.autoEnable = true;
+          ] ++ (if !minimal then [
-                stylix.image = ./yuyukowallpaper1809.png;
+            ({ ... }: {
-              })
+              # stylix compains if image is not set...
-              home-manager-unstable.nixosModules.home-manager
+              stylix.autoEnable = true;
-              nixos-cosmic.nixosModules.default
+              stylix.image = ./yuyukowallpaper1809.png;
-              stylix.nixosModules.stylix
+            })
-              #todo: check how to actually do this
+            home-manager-unstable.nixosModules.home-manager
-              ./modules/graphical/stylix.nix
+            nixos-cosmic.nixosModules.default
-              ./modules/graphical/cosmic.nix
+            stylix.nixosModules.stylix
-            ] else
+            #todo: check how to actually do this
-              [ ]);
+            ./modules/graphical/stylix.nix
            ./modules/graphical/cosmic.nix
          ] else
            [ ]);
          specialArgs = specialArgs // { inherit inputs outputs; };
        };
    in flake-utils.lib.eachDefaultSystem (system: {
-      packages = import ./pkgs { pkgs = nixpkgs-unstable.legacyPackages.${system}; };
+      packages =
        import ./pkgs { pkgs = nixpkgs-unstable.legacyPackages.${system}; };
    }) // {
      overlays = import ./overlays.nix { inherit inputs; };
@@ -141,7 +145,7 @@
          ];
        };
        #initial install done with nix run github:nix-community/nixos-anywhere/73a6d3fef4c5b4ab9e4ac868f468ec8f9436afa7 -- --flake .#adam-site root@<ip>
-        #build with nixos-rebuild switch --flake .#adam-site --target-host "root@<ip>"
+        #update with nixos-rebuild switch --flake .#adam-site --target-host "root@<ip>"
        "adam-site" = mkHost {
          minimal = true;
          system = "aarch64-linux";
--- a/modules/services/adam-site.nix
+++ b/modules/services/adam-site.nix
@@ -0,0 +1,46 @@
 { config, pkgs, lib, inputs, ... }:
 with lib;
 let cfg = config.custom.services.adam-site;
 in {
  options.custom.services.adam-site = {
    enable = mkEnableOption "Enables adams website";
  };
  config = lib.mkIf cfg.enable {
    systemd.services.adam-site = {
      description = "Adams Website";
      wants = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        if [ ! -d "$STATE_DIRECTORY/data" ]; then
          mkdir -p "$STATE_DIRECTORY/data"
          chmod 700 "$STATE_DIRECTORY/data"
        fi
      '';
      serviceConfig = {
        Type = "simple";
        ExecStart = "${pkgs.nodejs_20}/bin/node ${pkgs.adam-site}/server/server.mjs";
        DynamicUser = true;
        StateDirectory = "adam-site";
        WorkingDirectory = "/var/lib/private/adam-site";
        Restart = "on-failure";
        RestartSec = "5s";
        PrivateMounts = mkDefault true;
        PrivateTmp = mkDefault true;
        PrivateUsers = mkDefault true;
        ProtectClock = mkDefault true;
        ProtectControlGroups = mkDefault true;
        ProtectHome = mkDefault true;
        ProtectHostname = mkDefault true;
        ProtectKernelLogs = mkDefault true;
        ProtectKernelModules = mkDefault true;
        ProtectKernelTunables = mkDefault true;
        ProtectSystem = mkDefault "strict";
        # Needs network access
        PrivateNetwork = mkDefault false;
      };
    };
  };
 }
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -11,5 +11,6 @@
    ./fileshelter.nix
    ./wireguard.nix
    ./kop-monitor.nix
    ./adam-site.nix
  ];
 }
--- a/pkgs/adam-site/default.nix
+++ b/pkgs/adam-site/default.nix
@@ -6,7 +6,7 @@ buildNpmPackage rec {
  src = fetchGit {
    url = "git@github.com:oberprofis/adams.git";
    ref = "main";
-    rev = "0d1d5003bd5681c5dbe2ad12ed1ef7e56bb4c197";
+    rev = "4f5ef5db79878e0bc244b71a979bb14e6b6177d6";
  };
  npmDepsHash="sha256-ndpuIqMAitnx0rswYD60l5JhDMdaKH77Qdu7zNgwj/o=";
  installPhase = ''
--- a/systems/adam-site/configuration.nix
+++ b/systems/adam-site/configuration.nix
@@ -4,39 +4,21 @@
    (modulesPath + "/profiles/qemu-guest.nix")
    ./disk-config.nix
  ];
-  boot.loader.grub = {
+
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  services.openssh.enable = true;
  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
  custom = {
-    services.acme.enable = true;
+    services = {
      acme.enable = true;
      adam-site.enable = true;
    };
    nftables.enable = true;
    nix = { settings.enable = true; };
  };
  environment.systemPackages = map lib.lowPrio [ pkgs.curl pkgs.gitMinimal ];
  users.users.root.openssh.authorizedKeys.keys = [
    # change this to your ssh key
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeP6qtVqE/gu72ZUZE8cdRi3INiUW9NqDR7SjXIzTw2"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMypKJQvn68s8iNk9J9zghFlW4nrd03FwqfvGQ9sAmWojXe6pKrkat++8grIfB60aiIwNjHeXigVdZrpIb0QiR7+maPLPtxySTmgD7GeyAbwJrAymgKAzJcQvq5tKHtjH60KhLe4QzGXXpjoGIhl/8FhepRT6306JE8OfMwBUwOa3wcEdeJ7eK4JZdELCne3Gj16eWHy8iNIQswNtvJ70M7RACyDJARuazde3zFqkRYCP9Rqinegg/DVd+ykC2qHqM/yCersCOGn+I3hPCS1tz/AhDTQ7T9A7j5CLjv6ZbRS+B7a7u7z5qOAla468sELaiAEo2+fovlh8kib5zzWM2pK3rSEfUzFVGAAfHtrdR8pYynl3DBNC5XGzDT8xqa4B/qJIRoPmr8CMroLBOGGZQm9TJbmhfl8vT96RUwOA6qUmLQl6b0qJRRMkvlgCvKZyZ3d6pPfizQigTn1evBveqO9dgGcCAyAi0Ob6JZisTWUn5nAqe7CR1h2EKC0lqdCc="
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJTpEPKK38MQHcLHkJ6TCqrhSQ9B2ruVx6ONRVQYJC6"
  ];
  system.stateVersion = "23.11";
  systemd.tmpfiles.rules = [
    "d /data 0770 github-actions-runner nginx -"
    "d /data/website 0770 github-actions-runner nginx -"
  ];
  services.nginx = {
    enable = true;
    # Use recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
@@ -46,14 +28,23 @@
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    virtualHosts = {
      #discord bot for tracking useractivity public version 
      "imbissaggsbachdorf.at" = {
        forceSSL = true;
        enableACME = true;
-        locations."/".extraConfig = ''
+        locations."/".proxyPass = "http://127.0.0.1:4000";
          return 200 "Hello, world!";
        '';
      };
    };
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeP6qtVqE/gu72ZUZE8cdRi3INiUW9NqDR7SjXIzTw2"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMypKJQvn68s8iNk9J9zghFlW4nrd03FwqfvGQ9sAmWojXe6pKrkat++8grIfB60aiIwNjHeXigVdZrpIb0QiR7+maPLPtxySTmgD7GeyAbwJrAymgKAzJcQvq5tKHtjH60KhLe4QzGXXpjoGIhl/8FhepRT6306JE8OfMwBUwOa3wcEdeJ7eK4JZdELCne3Gj16eWHy8iNIQswNtvJ70M7RACyDJARuazde3zFqkRYCP9Rqinegg/DVd+ykC2qHqM/yCersCOGn+I3hPCS1tz/AhDTQ7T9A7j5CLjv6ZbRS+B7a7u7z5qOAla468sELaiAEo2+fovlh8kib5zzWM2pK3rSEfUzFVGAAfHtrdR8pYynl3DBNC5XGzDT8xqa4B/qJIRoPmr8CMroLBOGGZQm9TJbmhfl8vT96RUwOA6qUmLQl6b0qJRRMkvlgCvKZyZ3d6pPfizQigTn1evBveqO9dgGcCAyAi0Ob6JZisTWUn5nAqe7CR1h2EKC0lqdCc="
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJTpEPKK38MQHcLHkJ6TCqrhSQ9B2ruVx6ONRVQYJC6"
  ];
  environment.systemPackages = map lib.lowPrio [ pkgs.curl pkgs.gitMinimal ];
  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  system.stateVersion = "23.11";
 }
--- a/systems/vm/configuration.nix
+++ b/systems/vm/configuration.nix
@@ -1,5 +1,4 @@
-{pkgs, config, ...}:
+{ pkgs, config, ... }: {
 {
  age.identityPaths = [ /home/kopatz/.ssh/id_rsa ];
  mainUser.layout = "de";
@@ -16,8 +15,19 @@
      ld.enable = true;
      settings.enable = true;
    };
-    graphical = {
+    services = { adam-site.enable = true; };
-      lxqt.enable = true;
+    graphical = { lxqt.enable = true; };
  };
  environment.systemPackages = [ pkgs.firefox ];
  services.nginx = {
    enable = true;
    virtualHosts = {
      "localhost" = {
        forceSSL = false;
        enableACME = false;
        locations."/".proxyPass = "http://127.0.0.1:4000";
      };
    };
  };
 }