From 27bc5c0d2f7b71eae964f78f679b4fc5f07689b5 Mon Sep 17 00:00:00 2001 From: Kalle Struik Date: Wed, 11 Jun 2025 23:39:50 +0200 Subject: [PATCH] Make ashers site work --- hosts/portainer.nix | 6 ++ roles/forgejo.nix | 10 +++- roles/freshrss.nix | 139 ++++++++++++++++++++++---------------------- roles/traefik.nix | 4 ++ utils.nix | 1 + 5 files changed, 88 insertions(+), 72 deletions(-) diff --git a/hosts/portainer.nix b/hosts/portainer.nix index 3685119..608d674 100644 --- a/hosts/portainer.nix +++ b/hosts/portainer.nix @@ -13,6 +13,12 @@ rec { target = "http://${ip}:80"; priority = 1; } + { + name = "${hostname}-asher-portfolio"; + rule = "Host(`asherdejong.nl`)"; + target = "http://${ip}:80"; + priority = 1; + } { name = "${hostname}-transmission"; rule = "Host(`transmission.kallestruik.nl`) && ClientIP(`192.168.10.0/24`)"; diff --git a/roles/forgejo.nix b/roles/forgejo.nix index fdaad25..6ed98c0 100644 --- a/roles/forgejo.nix +++ b/roles/forgejo.nix @@ -1,3 +1,7 @@ +let + appDataInCeph = "/appdata/forgejo"; + appDir = "/cephfs${appDataInCeph}"; +in { name = "Forgejo"; description = '' @@ -21,6 +25,8 @@ } ]; + cephBackupPaths = [ appDataInCeph ]; + nixosModule = { pkgs, @@ -77,7 +83,7 @@ echo "No arguments supplied" exit 1 fi - sudo -u forgejo -- ${lib.getExe pkgs.forgejo} --config /cephfs/appdata/forgejo/custom/conf/app.ini $@ + sudo -u forgejo -- ${lib.getExe pkgs.forgejo} --config ${appDir}/custom/conf/app.ini $@ ''; in [ @@ -92,7 +98,7 @@ services.forgejo = { enable = true; package = pkgs.forgejo; - stateDir = "/cephfs/appdata/forgejo"; + stateDir = appDir; lfs.enable = true; database = { diff --git a/roles/freshrss.nix b/roles/freshrss.nix index 9865ffc..2877fb3 100644 --- a/roles/freshrss.nix +++ b/roles/freshrss.nix @@ -1,3 +1,8 @@ +let + appDataInCeph = "/appdata/freshrss"; + appDir = "/cephfs${appDataInCeph}"; + dataDir = "${appDir}/data"; +in { name = "FreshRSS"; description = '' 
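Review bot: `cephBackupPaths = [ appDataInCeph ];` places the whole `/appdata/forgejo` tree in the backup set, and that tree contains `custom/conf/app.ini`, the file the wrapper in the `@@ -77,7 +83,7` hunk passes as `--config`; Forgejo's app.ini holds its secret keys and database credentials, so the backups inherit the sensitivity of the live state directory. Nothing in this patch shows what consumes the list, so it is worth confirming that the backup destination is at least as access-restricted as `/cephfs/appdata/forgejo` and encrypted at rest. The same applies to the freshrss hunk `@@ -21,6 +26,8`, whose `/appdata/freshrss` includes the `data` directory the container mounts. A comment such as `# Backed up by the ceph backup job; includes app.ini (secret keys, DB credentials)` next to the line would make this visible to the next reader.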
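Review bot: The rewritten wrapper line `sudo -u forgejo -- ${lib.getExe pkgs.forgejo} --config ${appDir}/custom/conf/app.ini $@` passes the caller's arguments unquoted, so any argument containing whitespace or glob characters is split or expanded by the shell before it reaches forgejo; it should be `"$@"` (a Nix `''` string only interpolates `${…}`, so `$@` and the quotes reach the shell as written). The argument-count check is inside the hunk but the script definition itself starts before it. The unquoted form predates this commit, but since the line is being rewritten anyway the fix is cheap.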
@@ -21,6 +26,8 @@ } ]; + cephBackupPaths = [ appDataInCeph ]; + nixosModule = { lib, 
@@ -34,82 +41,74 @@ domain = lib.mkOption { type = lib.types.str; }; - adminUser = lib.mkOption { - type = lib.types.str; - }; }; - config = - let - appDir = "/cephfs/appdata/freshrss"; - dataDir = "${appDir}/data"; - in - { - networking.firewall.allowedTCPPorts = [ - 1342 # Freshrss - ]; + config = { + networking.firewall.allowedTCPPorts = [ + 1342 # Freshrss + ]; - sops.secrets = { - "freshrss/client_id" = { - owner = "freshrss"; - }; - "freshrss/client_secret" = { - owner = "freshrss"; - }; - }; - - sops.templates."freshrss-secret.env" = { + sops.secrets = { + "freshrss/client_id" = { owner = "freshrss"; - content = '' - OIDC_CLIENT_ID=${config.sops.placeholder."freshrss/client_id"} - OIDC_CLIENT_SECRET=${config.sops.placeholder."freshrss/client_secret"} - ''; }; - - # Set up user to run freshrss - users.users."freshrss" = { - isSystemUser = true; - group = "freshrss"; - }; - users.groups."freshrss" = { }; - systemd.tmpfiles.rules = [ - "d '${appDir}' 0750 freshrss freshrss - -" - "d '${dataDir}' 0750 freshrss freshrss - -" - "d '${appDir}/extensions' 0750 freshrss freshrss - -" - ]; - - # Create the database - postgres.databases = [ "freshrss" ]; - - # Make sure that ceph is mounted before trying to start freshrss - systemd.services.podman-freshrss = { - after = [ "cephfs.mount" ]; - }; - - podman.containers = { - "freshrss" = { - imageMetadata = dockerImages.freshrss; - autoStart = true; - environment = { - TZ = "Europe/Amsterdam"; - CRON_MIN = "3,33"; - OIDC_ENABLED = "1"; - OIDC_PROVIDER_METADATA_URL = "https://auth.kallestruik.nl/application/o/freshrss/.well-known/openid-configuration"; - OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host"; - OIDC_SCOPES = "openid email profile"; - }; - environmentFiles = [ - config.sops.templates."freshrss-secret.env".path - ]; - volumes = [ - "${dataDir}:/var/www/FreshRSS/data" - "${appDir}/extensions:/var/www/FreshRSS/extensions" - ]; - ports = [ - "1342:80" - ]; - }; + 
"freshrss/client_secret" = { + owner = "freshrss"; }; }; + + sops.templates."freshrss-secret.env" = { + owner = "freshrss"; + content = '' + OIDC_CLIENT_ID=${config.sops.placeholder."freshrss/client_id"} + OIDC_CLIENT_SECRET=${config.sops.placeholder."freshrss/client_secret"} + ''; + }; + + # Set up user to run freshrss + users.users."freshrss" = { + isSystemUser = true; + group = "freshrss"; + }; + users.groups."freshrss" = { }; + systemd.tmpfiles.rules = [ + "d '${appDir}' 0750 freshrss freshrss - -" + "d '${dataDir}' 0750 freshrss freshrss - -" + "d '${appDir}/extensions' 0750 freshrss freshrss - -" + ]; + + # Create the database + postgres.databases = [ "freshrss" ]; + + # Make sure that ceph is mounted before trying to start freshrss + systemd.services.podman-freshrss = { + after = [ "cephfs.mount" ]; + }; + + podman.containers = { + "freshrss" = { + imageMetadata = dockerImages.freshrss; + autoStart = true; + environment = { + TZ = "Europe/Amsterdam"; + CRON_MIN = "3,33"; + OIDC_ENABLED = "1"; + OIDC_PROVIDER_METADATA_URL = "https://auth.kallestruik.nl/application/o/freshrss/.well-known/openid-configuration"; + OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host"; + OIDC_SCOPES = "openid email profile"; + }; + environmentFiles = [ + config.sops.templates."freshrss-secret.env".path + ]; + volumes = [ + "${dataDir}:/var/www/FreshRSS/data" + "${appDir}/extensions:/var/www/FreshRSS/extensions" + ]; + ports = [ + "1342:80" + ]; + }; + }; + }; }; } diff --git a/roles/traefik.nix b/roles/traefik.nix index c802be4..1402f68 100644 --- a/roles/traefik.nix +++ b/roles/traefik.nix @@ -115,6 +115,9 @@ dnsChallenge = { provider = "cloudflare"; }; + httpChallenge = { + entryPoint = "web"; + }; }; }; }; @@ -130,6 +133,7 @@ service = route.name; rule = route.rule; priority = route.priority or "0"; + tls.certresolver = "letsencrypt"; }; }) routes ); diff --git a/utils.nix b/utils.nix index 9de628f..90db577 100644 --- a/utils.nix +++ b/utils.nix 
@@ -49,6 +49,7 @@ mkRole = cfg: { inherit (cfg) name description nixosModule; traefikRoutes = cfg.traefikRoutes or ({ ... }: [ ]); + cephBackupPaths = cfg.cephBackupPaths or [ ]; }; mkHost = cfg: {
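Review bot: `cephBackupPaths = cfg.cephBackupPaths or [ ];` introduces a role attribute with no documentation and, within this patch, no consumer: forgejo and freshrss populate it with paths relative to the CephFS root (`/appdata/forgejo`, `/appdata/freshrss`, without the `/cephfs` mount prefix), and that convention is only discoverable by reading those roles. Document it at the definition, e.g. `# Paths relative to the CephFS root (no /cephfs prefix) that the backup job should include; roles opt in, default none.` Since these trees hold application state and configuration including credentials, whatever reads this list (presumably a backup role outside this diff) should be reviewed for where the backups land and who can read them. `mkRole` is fully inside the hunk; `mkHost` continues past it.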