yep, more dotfiles

feat: add pds settings

+64 -26
+8 -1
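--- a/README.md
+++ b/README.md
@@ -98,7 +98,14 @@
 
 ## Deploy server
 
-nixos-anywhere --flake .#weird-row-server <user>@<ip>
+```bash
+nixos-anywhere --flake .#weird-row-server user@ip
+
+nixos-rebuild switch \
+  --flake .#weird-row-server \
+  --target-host 2a01:4f8:c2c:76d2::1 \
+  --use-remote-sudo
+```
 
 ---
 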
+3 -3
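--- a/flake.lock
+++ b/flake.lock
@@ -418,11 +418,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1741379970,
-        "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
+        "lastModified": 1743583204,
+        "narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
+        "rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434",
         "type": "github"
       },
       "original": {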
+53 -22
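--- a/nixos/profiles/server.nix
+++ b/nixos/profiles/server.nix
@@ -1,24 +1,39 @@
 { self
+, config
+, upkgs
 , ...
 }:
 
 let
-  inherit (self.inputs) srvos;
+  inherit (self.inputs) srvos nixpkgs-unstable agenix;
 
-  ext-if = "eth0";
+  all-secrets = import ../../secrets;
 
+  ext-if = "eth0";
+  external-ip = "91.99.55.74";
+  external-netmask = 27;
+  external-gw = "144.x.x.255";
   external-ip6 = "2a01:4f8:c2c:76d2::1";
   external-netmask6 = 64;
   external-gw6 = "fe80::1";
+
+  pds-port = 3001;
+  pds-hostname = "pds.wiro.world";
 in
 {
   imports = [
     srvos.nixosModules.server
     srvos.nixosModules.hardware-hetzner-cloud
     srvos.nixosModules.mixins-terminfo
+
+    agenix.nixosModules.default
+
+    "${nixpkgs-unstable}/nixos/modules/services/web-apps/pds.nix"
   ];
 
   config = {
+    age.secrets = all-secrets.deploy;
+
     boot.loader.grub.enable = true;
     boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "ext4" ];
 
@@ -29,17 +44,13 @@
 
     networking = {
       interfaces.${ext-if} = {
-        ipv6.addresses = [{
-          address = external-ip6;
-          prefixLength = external-netmask6;
-        }];
-      };
-      defaultGateway6 = {
-        interface = ext-if;
-        address = external-gw6;
+        ipv4.addresses = [{ address = external-ip; prefixLength = external-netmask; }];
+        ipv6.addresses = [{ address = external-ip6; prefixLength = external-netmask6; }];
       };
+      defaultGateway = { interface = ext-if; address = external-gw; };
+      defaultGateway6 = { interface = ext-if; address = external-gw6; };
 
-      # # Rely on Hetzner firewall instead?
+      # TODO: rely on Hetzner firewall instead?
       # firewall.enable = false;
       firewall.allowedTCPPorts = [ 22 80 443 ];
     };
@@ -66,23 +77,43 @@
     };
 
     # TODO: switch to nightly channel
-    # services.pds = {
-    #   enable = true;
-    #   pdsadmin.enable = true;
-    # };
+    services.pds = {
+      enable = true;
+      # TODO: not possible with current unstable module import
+      pdsadmin.enable = false;
+      package = upkgs.pds;
+
+      settings = {
+        PDS_HOSTNAME = "pds.wiro.world";
+        PDS_PORT = pds-port;
+        LOG_DESTINATION = "/etc/pds.log";
+      };
+
+      environmentFiles = [
+        config.age.secrets.pds-config.path
+      ];
+    };
 
     services.caddy = {
       enable = true;
 
+      globalConfig = ''
+        on_demand_tls {
+          ask http://localhost:${toString pds-port}/tls-check
+        }
+      '';
+
       virtualHosts."ping.wiro.world".extraConfig = ''
-        header Content-Type text/html
-        respond <<HTML
-        <html>
-        <head><title>Foo</title></head>
-        <body>Foo</body>
-        </html>
-        HTML 200
+        respond "Hello, World! (from `weird-row-server`)"
       '';
+
+      virtualHosts."${pds-hostname}" = {
+        serverAliases = [ "*.${pds-hostname}" ];
+        extraConfig = ''
+          tls { on_demand }
+          reverse_proxy http://localhost:${toString pds-port}
+        '';
+      };
     };
 
     security.sudo.wheelNeedsPassword = false;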
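Review bot: `external-gw = "144.x.x.255";` in the first hunk's let-bindings looks like a placeholder rather than an address, and it feeds the new `defaultGateway = { interface = ext-if; address = external-gw; };` in the second hunk, so the IPv4 default route will be invalid or absent after deploy; fill in the real upstream gateway for the 91.99.55.74/27 assignment or leave `defaultGateway` out until it is known. In the third hunk, `LOG_DESTINATION = "/etc/pds.log"` places a growing log file under /etc, which holds configuration rather than runtime state and may be read-only if the pds module applies ProtectSystem-style hardening; a path under /var/log, or leaving it unset so output goes to the journal, is the conventional choice. `PDS_HOSTNAME = "pds.wiro.world"` repeats the literal already bound as `pds-hostname`; `PDS_HOSTNAME = pds-hostname;` keeps the PDS config, the Caddy vhost and its `serverAliases` from drifting apart. The `config = { ... }` set and the enclosing module continue past the end of the hunk.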