diff --git a/modules/nixos/suites/senfnvp/README.md b/modules/nixos/suites/senfnvp/README.md
new file mode 100644
index 0000000..b450baf
--- /dev/null
+++ b/modules/nixos/suites/senfnvp/README.md
@@ -0,0 +1,39 @@
+# Senfnvp Stack
+
+The Senfnvp Stack contains Web Infra-structure.
+
+
+## Notes
+
+``` nix
+senfnvp = {
+ enable = true;
+ hostname = "senfnvp.kb-one.de";
+
+ # Defaults
+ proxy.enable = true;
+ website.enable = true;
+ forgejo.enable = true;
+ forgejo.initializeDatabase = false; # Only use once!
+ forgejo.enableFail2Ban = true;
+ keycloak.enable = true;
+ keycloak.initializeDatabase = false; # Only use once!
+ docker-compose.enable = true; # Configuration for Docker-Compose support for Mailcow
+};
+```
+
+### The Database
+
+The Database Server is enabled when when you enable the Stack itself.
+When you Activate a Service you might want to Edit the File at `./database/init-servicename.template.sql`. If you have a Database-Dump, place it there with the Naming-Sheme `./database/init-servicename.sql`. When creating a new Setup you can just run `cp init-servicename.template.sql init-servicename.sql` to use the template. The template only creates the Database, User and Password and lets it to the Service create its Tables.
+
+Basically the order is like this:
+- Create Secrets `sops ./secrets.yaml`
+- Apply Template `cp ./database/init-forgejo.template.sql ./database/init-forgejo.sql`
+- Initialize ´forgejo.enable = true; forgejo.initializeDatabase = true;`
+- Apply config `nixos-rebuild switch --flake .`
+- Wait for Initialisation
+- Wait! Dumps will take time!
+- Enable Production `forgejo.enable = true; forgejo.initializeDatabase = false;`
+- Apply config `nixos-rebuild switch --flake .`
+-
diff --git a/modules/nixos/suites/senfnvp/default.nix b/modules/nixos/suites/senfnvp/default.nix
new file mode 100644
index 0000000..4a92d82
--- /dev/null
+++ b/modules/nixos/suites/senfnvp/default.nix
@@ -0,0 +1,84 @@
+{
+ inputs,
+ config,
+ lib,
+ pkgs,
+ system,
+ ...
+}:
+let
+ cfg = config.suites.senfnvp;
+in
+{
+ imports = [
+ ./website.nix
+ ./forgejo.nix
+ ];
+ options.suites.senfnvp.enable = lib.mkOption {
+ type = with lib.types; uniq bool;
+ default = false;
+ description = "Enables the senfnvp Stack";
+ };
+ options.suites.senfnvp.hostname = lib.mkOption {
+ type = with lib.types; string;
+ default = "kb-one.de";
+ description = "Hostname of senfnvp Stack";
+ };
+ options.suites.senfnvp.database.enable = lib.mkOption {
+ type = with lib.types; uniq bool;
+ default = true;
+ description = "Enable senfnvp Database";
+ };
+ options.suites.senfnvp.proxy.enable = lib.mkOption {
+ type = with lib.types; uniq bool;
+ default = true;
+ description = "Enable senfnvp Proxy";
+ };
+
+ config = lib.mkIf (cfg.enable) {
+
+ containers.proxy = lib.mkIf (cfg.enable && cfg.proxy.enable) {
+ autoStart = true;
+ config = { config, pkgs, lib, ... }: {
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ entryPoints = {
+ web = {
+ address = ":80";
+ asDefault = true;
+ http.redirections.entrypoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+ websecure = {
+ address = ":443";
+ asDefault = true;
+ http.tls.certResolver = "letsencrypt";
+ };
+ git-ssh.address = ":9522";
+ };
+ certificatesResolvers.letsencrypt.acme = {
+ tlsChallenge = {};
+ storage = "/var/secrets/traefik/acme.json";
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 9522];
+ };
+ };
+
+ # Core Container
+ # A Guide to Nix Containers: https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html
+ containers.core = {
+ autoStart = true;
+ privateNetwork = true;
+ config = { config, pkgs, lib, ... }: {
+ };
+ };
+
+ };
+}
+
+
diff --git a/modules/nixos/suites/senfnvp/forgejo.nix b/modules/nixos/suites/senfnvp/forgejo.nix
new file mode 100644
index 0000000..3a559dc
--- /dev/null
+++ b/modules/nixos/suites/senfnvp/forgejo.nix
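Review bot: The Forgejo SSH entrypoint and the firewall rule hard-code the port (`git-ssh.address = ":9522";` and `networking.firewall.allowedTCPPorts = [ 80 443 9522];`) while forgejo.nix in this same commit declares `suites.senfnvp.forgejo.sshPort` with that default, so changing the option would silently leave the proxy and firewall on the old port; use `git-ssh.address = ":${toString cfg.forgejo.sshPort}";` and `networking.firewall.allowedTCPPorts = [ 80 443 cfg.forgejo.sshPort ];`. The `hostname` option is typed `lib.types.string`, which is deprecated and merges duplicate definitions by concatenation; `str` is the intended type. The ACME resolver keeps its account key and certificate private keys at `/var/secrets/traefik/acme.json` inside the proxy container, but nothing in the hunk creates that directory or restricts its permissions, so Traefik will presumably fail to write it on first start; either leave `storage` under Traefik's state directory or declare the directory (root-only mode) via `systemd.tmpfiles.rules` in the container config. `containers.core` is an empty `privateNetwork = true` placeholder; a comment stating what it is meant to host would help the next reader, e.g. `# placeholder for the isolated core services; nothing deployed yet`.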
@@ -0,0 +1,54 @@
+{
+ inputs,
+ config,
+ lib,
+ pkgs,
+ system,
+ ...
+}:
+let
+ cfg = config.suites.senfnvp;
+in
+{
+ options.suites.senfnvp.forgejo.enable = lib.mkOption {
+ type = with lib.types; uniq bool;
+ default = true;
+ description = "Enable Forgejo";
+ };
+ options.suites.senfnvp.forgejo.sshPort = lib.mkOption {
+ type = with lib.types; port;
+ default = 9522;
+ description = "Forgejo SSH Port";
+ };
+ options.suites.senfnvp.forgejo.httpPort = lib.mkOption {
+ type = with lib.types; port;
+ default = 3000;
+ description = "Forgejo http Port";
+ };
+
+ config = lib.mkIf (cfg.enable && cfg.forgejo.enable) {
+ containers.forgejo = {
+ autoStart = true;
+ config = {
+ services.forgejo = {
+ enable = !cfg.forgejo.initializeDatabase;
+ settings.server = {
+ ROOT_URL = "git.${cfg.hostname}";
+ SSH_PORT = cfg.forgejo.sshPort;
+ HTTP_PORT = cfg.forgejo.httpPort;
+ };
+ database = {
+ type = "postgres";
+ #host = "127.0.0.1"; # default Value
+ port = cfg.database.port;
+ #name = "forgejo"; # default Value
+ #user = "forgejo"; # default Value
+ passwordFile = "";
+ };
+ };
+ };
+ };
+ };
+}
+
+
diff --git a/modules/nixos/suites/senfnvp/website.nix b/modules/nixos/suites/senfnvp/website.nix
new file mode 100644
index 0000000..e411027
--- /dev/null
+++ b/modules/nixos/suites/senfnvp/website.nix
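Review bot: `cfg.forgejo.initializeDatabase` and `cfg.database.port` are read on the `enable` and `port` lines, but no module in this commit declares `suites.senfnvp.forgejo.initializeDatabase` or `suites.senfnvp.database.port` (default.nix only declares `database.enable`), so evaluation will fail with a missing-attribute error unless those options are defined somewhere outside the diff. `ROOT_URL = "git.${cfg.hostname}"` also lacks a scheme; Forgejo expects a full URL, `ROOT_URL = "https://git.${cfg.hostname}/";`, otherwise generated links and redirect URLs come out wrong. `passwordFile = ""` leaves the database credential unset rather than pointing at a secret provisioned into the container (the README mentions sops), e.g. `passwordFile = "<PATH-TO-FORGEJO-DB-PASSWORD-SECRET>";` — an empty path should not be merged. The `database.port` option belongs next to `database.enable` in default.nix; the one-shot flag this file reads should be declared here alongside the other forgejo options:
```nix
options.suites.senfnvp.forgejo.initializeDatabase = lib.mkOption {
  type = with lib.types; uniq bool;
  default = false;
  description = "One-shot database initialisation; the Forgejo service stays disabled while this is true (see README)";
};
# … unchanged: sshPort / httpPort options and the config block …
```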
@@ -0,0 +1,41 @@
+{
+ inputs,
+ config,
+ lib,
+ pkgs,
+ system,
+ ...
+}:
+let
+ cfg = config.suites.senfnvp;
+in
+{
+ options.suites.senfnvp.website.enable = lib.mkOption {
+ type = with lib.types; uniq bool;
+ default = true;
+ description = "Enable senfnvp Website (kb-one.de)";
+ };
+ options.suites.senfnvp.website.httpPort = lib.mkOption {
+ type = with lib.types; port;
+ default = 8080;
+ description = "Website HTTP Port";
+ };
+
+ config = lib.mkIf (cfg.enable && cfg.website.enable) {
+ containers.website = {
+ autoStart = true;
+ config = {
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."${cfg.hostname}" = {
+ root = "/var/www/${cfg.hostname}";
+ listen = [{
+ addr = "127.0.0.1";
+ port = cfg.website.httpPort;
+ }];
+ };
+ };
+ };
+ };
+}
+
+
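Review bot: The vhost serves `root = "/var/www/${cfg.hostname}"` from inside the `website` container, but nothing in the hunk creates that directory or bind-mounts it from the host, so the site will presumably answer 404 until content is placed in the container's own filesystem; making the webroot explicit with `bindMounts."/var/www/${cfg.hostname}" = { hostPath = "<HOST-WEBROOT-PATH>"; isReadOnly = true; };` on the container (or a `systemd.tmpfiles.rules` entry) would fix that. Because the container does not set `privateNetwork`, the 127.0.0.1 listener on `cfg.website.httpPort` lives in the host network namespace, which is what lets the proxy container reach it; a comment such as `# no privateNetwork: listener is on the host loopback so the proxy can reach it` would stop the next reader from assuming network isolation. Style: the two `services.nginx.*` assignments read better as one attrset, `services.nginx = { enable = true; virtualHosts.${cfg.hostname} = { … }; };`.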