authorLeonardo Santiago <[email protected]>2024-10-28 08:05:42 -0300
committerLeonardo Santiago <[email protected]>2024-10-28 08:05:42 -0300
commit4842e81317e9815540d559d689be51d13191e1e4 (patch)
treed1b97123d3aaea731544e238d89af3e1ccfe9d29 /modules/web-services.nix
parentfbbf34c7b6ba70a718abf655c0711b6ac5ff20e8 (diff)
change files to web-services in order to share some code.
Diffstat (limited to 'modules/web-services.nix')
-rw-r--r--modules/web-services.nix165
1 files changed, 165 insertions, 0 deletions
diff --git a/modules/web-services.nix b/modules/web-services.nix
new file mode 100644
index 0000000..6c3bc76
--- /dev/null
+++ b/modules/web-services.nix
@@ -0,0 +1,165 @@
+{ config, lib, inputs, pkgs, ... }: with lib; let
+ cfg = config.santi-modules.services;
+ git-repo-path = "/server/git-repos";
+ cgit-config = mkIf cfg.cgit.enable {
+ environment.systemPackages = [
+ pkgs.git
+ ];
+ users.users = {
+ git = {
+ description = "git user";
+ isNormalUser = true;
+ home = git-repo-path;
+ openssh.authorizedKeys.keys = [ (builtins.readFile ../secrets/user-ssh-key.pub)] ++ builtins.attrValues (import ../secrets/host-pub-keys.nix);
+ };
+ };
+ systemd.tmpfiles.rules = [
+ "d ${git-repo-path} 0755 git users -"
+ ];
+ services.cgit.santi = let
+ org2html = pkgs.writeShellScript "org2md" ''
+ ${pkgs.pandoc}/bin/pandoc \
+ --from org \
+ --to html5 \
+ --sandbox=true \
+ --html-q-tags \
+ --ascii \
+ --standalone \
+ --wrap=auto \
+ --embed-resources \
+ -M document-css=false
+ '';
+ in {
+ enable = true;
+ scanPath = git-repo-path;
+ nginx.virtualHost = "git.santi.net.br";
+ settings = {
+ readme = ":README.org";
+ root-title = "index";
+ root-desc = "public repositories for santi.net.br";
+ about-filter = toString org2html;
+ source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ enable-git-config = true;
+ enable-html-cache = false;
+ enable-blame = true;
+ enable-log-linecount = true;
+ enable-index-links = true;
+ enable-index-owner = false;
+ enable-commit-graph = true;
+ remove-suffix = true;
+ };
+ };
+ };
+ blog-config = let
+ blog-public-path = "/server/blog";
+ env = pkgs.buildEnv {
+ name = "post-receive-env";
+ paths = [
+ pkgs.git
+ pkgs.coreutils
+ pkgs.gnutar
+ pkgs.xz
+ ];
+ };
+ post-receive = pkgs.writeShellScript "post-receive" ''
+ export PATH=${env}/bin
+ set -ex
+
+ GIT_DIR=$(${pkgs.git}/bin/git rev-parse --git-dir 2>/dev/null)
+ if [ -z "$GIT_DIR" ]; then
+ echo >&2 "fatal: post-receive: GIT_DIR not set"
+ exit 1
+ fi
+
+ TMPDIR=$(mktemp -d)
+ function cleanup() {
+ rm -rf "$TMPDIR"
+ }
+ trap cleanup EXIT
+
+ ${pkgs.git}/bin/git clone "$GIT_DIR" "$TMPDIR"
+ unset GIT_DIR
+ cd "$TMPDIR"
+ ${pkgs.hugo}/bin/hugo --destination ${blog-public-path}
+ '';
+ in mkIf cfg.blog.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ # TODO: enable SSL
+ services.nginx = {
+ enable = true;
+ virtualHosts.${cfg.blog.url} = {
+ addSSL = true;
+ enableACME = true;
+ root = blog-public-path;
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ certs.${cfg.blog.url}.email = "[email protected]";
+ };
+ systemd.tmpfiles.rules = [
+ "d ${blog-public-path} 0755 git users -"
+ ];
+ systemd.services."blog-prepare-git-repo" = {
+ wantedBy = [ "multi-user.target" ];
+ path = [
+ pkgs.git
+ ];
+ script = ''
+ set -ex
+ cd ${git-repo-path}
+ chmod +rX ${blog-public-path}
+ test -e blog || git init --bare blog
+ ln -nsf ${post-receive} blog/hooks/post-receive
+ '';
+ serviceConfig = {
+ Kind = "one-shot";
+ User = "git";
+ };
+ };
+ };
+
+ ddns-config = mkIf cfg.ddns.enable {
+ networking.enableIPv6 = true;
+ services.cloudflared = {
+ enable = true;
+ tunnels.iori = {
+ default = "http_status:404";
+ credentialsFile = "/var/lib/cloudflared/iori.json";
+ ingress = {
+ "santi.net.br" = "http://localhost:80";
+ "git.santi.net.br" = "http://localhost:80";
+ };
+ };
+ };
+ services.inadyn = {
+ enable = true;
+ user = "leonardo";
+ group = "users";
+ settings.provider."cloudflare.com" = {
+ hostname="santi.net.br";
+ username="santi.net.br";
+ proxied = false;
+ include = config.age.secrets.cloudflare.path;
+ };
+ };
+ };
+in {
+ options.santi-modules.services = {
+ blog = {
+ enable = mkEnableOption "Enable blog hosting";
+ url = mkOption {
+ type = types.str;
+ default = "santi.net.br";
+ description = "Url to serve blog on";
+ };
+ };
+ cgit.enable = mkEnableOption "Enable cgit instance";
+ ddns.enable = mkEnableOption "Enable ddns service";
+ };
+ config = mkMerge [
+ cgit-config
+ blog-config
+ ddns-config
+ ];
+}
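Review bot: `Kind = "one-shot";` in the serviceConfig of `blog-prepare-git-repo` is not a systemd [Service] directive, so systemd will log an unknown-key warning and run the unit as the default Type=simple; the intended line is `Type = "oneshot";`. A further least-privilege point on the same file: the `git` user is declared with `isNormalUser = true` and therefore gets a full login shell, while its `openssh.authorizedKeys.keys` list accepts every key from `host-pub-keys.nix`; restricting it with `shell = "${pkgs.git}/bin/git-shell";` would limit those keys to git transport only. The `# TODO: enable SSL` comment above `services.nginx` appears stale, since the virtual host already sets `addSSL = true` and `enableACME = true`, and could be dropped or reworded to say what is actually still missing.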