diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..fbfad60a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+.envrc
+.direnv
+result
diff --git a/server/README.md b/server/README.md
new file mode 100644
index 00000000..8b544140
--- /dev/null
+++ b/server/README.md
@@ -0,0 +1,15 @@
+# fediversity.eu webserver
+
+This directory contains the configuration for the server hosting https://fediversity.eu
+
+Build the configuration:
+
+```bash
+nix-build -A machine
+```
+
+Deploy via SSH:
+
+```bash
+env SSH_OPTS="..." nix-shell --run deploy-webserver
+```
diff --git a/server/configuration.nix b/server/configuration.nix
index 11319fdc..1717d55d 100644
--- a/server/configuration.nix
+++ b/server/configuration.nix
@@ -53,7 +53,7 @@
 services.nginx.virtualHosts."www.fediversity.eu" = {
 enableACME = true;
 forceSSL = true;
- root = "/var/www/www.fediversity.eu/fediversity.eu/public";
+ root = "${(import ../website { }).build}";
 locations."/.well-known/matrix/client" = {
 extraConfig = ''
 return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
@@ -197,6 +197,7 @@
 # Select internationalisation properties.
 i18n.defaultLocale = "en_US.UTF-8";
+ security.sudo.wheelNeedsPassword = false;
 # Define a user account. Don't forget to set a password with ‘passwd’.
 users.users.procolix = {
 isNormalUser = true;
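Review bot: `security.sudo.wheelNeedsPassword = false;` in the second configuration.nix hunk gives every wheel member passwordless root, so a compromised SSH key for any such account is immediately full root on the host, although the apparent motivation is only the unattended `sudo nix-env` and `sudo "$result"/bin/switch-to-configuration` calls in server/default.nix. A narrower equivalent is a `security.sudo.extraRules` entry for the deploying user with `options = [ "NOPASSWD" ];` limited to those two commands, keeping the password prompt for everything else. Whatever is chosen, the setting deserves a one-line comment saying why it exists, e.g. `# unattended deployment: deploy-webserver (server/default.nix) runs nix-env and switch-to-configuration via sudo`. Which account the deploy logs in as is not visible in this diff, so the rule's user would need confirming against the SSH configuration.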
@@ -245,24 +246,17 @@
 })
 wget
 git
- hugo
- go
- nodejs
 ];
 # List services that you want to enable:
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
+ services.openssh.settings.PasswordAuthentication = false;
 # Enable xe-guest-utilities
 services.xe-guest-utilities.enable = true;
- # Copy the NixOS configuration file and link it from the resulting system
- # (/run/current-system/configuration.nix). This is useful in case you
- # accidentally delete configuration.nix.
- system.copySystemConfiguration = true;
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/server/default.nix b/server/default.nix
new file mode 100644
index 00000000..cfdae5bd
--- /dev/null
+++ b/server/default.nix
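Review bot: `services.openssh.settings.PasswordAuthentication = false;` does not by itself rule out password logins, because sshd can still accept a password through PAM keyboard-interactive authentication unless that is disabled as well; add `services.openssh.settings.KbdInteractiveAuthentication = false;` on the next line so key-based access is the only path. With the deploy flow now logging in over SSH and escalating through passwordless sudo (the earlier hunk in this file), this is the control that keeps that arrangement acceptable, so a short comment tying the two together would help the next reader. Removing `system.copySystemConfiguration` is consistent with the system now being built from this repository, but a replacement comment such as `# the configuration is built from this repository and deployed with deploy-webserver, see server/README.md` would spare whoever next looks for /run/current-system/configuration.nix on the host.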
@@ -0,0 +1,46 @@
+{ sources ? import ../website/npins
+, system ? builtins.currentSystem
+, pkgs ? import sources.nixpkgs {
+ inherit system;
+ config = { };
+ overlays = [ ];
+ }
+, lib ? import "${sources.nixpkgs}/lib"
+}:
+let
+ # TODO: don't hard code target hosts; wire all of it up with NixOps4
+ host = "vm02117.procolix.com";
+ deploy = pkgs.writeShellApplication {
+ name = "deploy-webserver";
+ text = ''
+ # HACK: decouple system evaluation from shell evaluation
+ # the structured way for using this hack is encoded in https://github.com/fricklerhandwerk/lazy-drv
+ result="$(nix-build ${toString ./.} -A machine --no-out-link --eval-store auto --store ssh-ng://${host})"
+ # shellcheck disable=SC2087
+ ssh ${host} << EOF
+ sudo nix-env -p /nix/var/nix/profiles/system --set "$result"
+ sudo "$result"/bin/switch-to-configuration switch
+ EOF
+ '';
+ };
+ nixos-configuration = config:
+ import "${pkgs.path}/nixos/lib/eval-config.nix" {
+ modules = [
+ config
+ ];
+ system = null;
+ };
+in
+rec {
+ nixos = nixos-configuration ./configuration.nix;
+ machine = nixos.config.system.build.toplevel;
+ shell = pkgs.mkShellNoCC {
+ packages = with pkgs; [
+ deploy
+ ];
+ env = {
+ # TODO: reusing other pins for now; wire up the whole repo to use the same dependencies
+ NPINS_DIRECTORY = toString ../website/npins;
+ };
+ };
+}
diff --git a/server/shell.nix b/server/shell.nix
new file mode 100644
index 00000000..a6bdf202
--- /dev/null
+++ b/server/shell.nix
@@ -0,0 +1 @@
+(import ./. { }).shell
diff --git a/services/README.md b/services/README.md
index 66114e72..6ef0b938 100644
--- a/services/README.md
+++ b/services/README.md
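Review bot: The remote half of `deploy-webserver` has no failure stop: both commands run in one ssh session whose exit status is that of the last command, so if `sudo nix-env ... --set "$result"` fails (sudo prompting for a password, or the path missing from the remote store) `switch-to-configuration switch` still runs and the script reports success while the system profile and the activated system diverge. Chaining them as `sudo nix-env -p /nix/var/nix/profiles/system --set "$result" && sudo "$result"/bin/switch-to-configuration switch`, or opening the heredoc with `set -e`, makes the deploy fail loudly; the local side already gets errexit from writeShellApplication. The unquoted `EOF` is deliberate so that `$result` expands locally, which is why SC2087 is suppressed, and a comment stating that, `# unquoted heredoc on purpose: $result is the store path computed locally above`, would keep a later reader from "fixing" it. The account the ssh session runs as is whatever the caller's SSH config maps `vm02117.procolix.com` to, which is not visible here; the `sudo` calls assume it can escalate non-interactively.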
@@ -57,16 +57,6 @@ nix build .#installers.peertube
 Upload the image in `./result` to Proxmox when creating a VM. Booting the image will format the disk and install NixOS with the desired configuration.
-# Deploying an updated machine configuration
-
-> TODO: There is currently no way to specify an actual target machine by name.
-
-Assuming you have SSH configuration with access to the remote `root` user stored for a machine called e.g. `peertube`, deploy the configuration by the same name:
-
-```bash
-nix run .#deploy.peertube
-```
-
 ## debugging notes
 - it is sometimes useful to `cat result/bin/run-nixos-vm` to see what's really going on (e.g. which ports are getting forwarded)
diff --git a/services/deploy.nix b/services/deploy.nix
deleted file mode 100644
index 232b7e34..00000000
--- a/services/deploy.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ writeShellApplication }:
-name: _config:
-writeShellApplication {
- name = "deploy";
- text = ''
- result="$(nix build --print-out-paths ${./.}#nixosConfigurations#${name} --eval-store auto --store ssh-ng://${name})"
- # shellcheck disable=SC2087
- ssh ${name} << EOF
- nix-env -p /nix/var/nix/profiles/system --set "$result"
- "$result"/bin/switch-to-configuration switch
- EOF
- '';
-}
diff --git a/services/flake.nix b/services/flake.nix
index 7836171d..aec006b7 100644
--- a/services/flake.nix
+++ b/services/flake.nix
@@ -114,12 +114,6 @@
 mkInstaller = import ./installer.nix;
 installers = lib.mapAttrs (_: config: self.mkInstaller nixpkgs config) self.nixosConfigurations;
- deploy =
- let
- deployCommand = (pkgs.callPackage ./deploy.nix { });
- in
- lib.mapAttrs (name: config: deployCommand name config) self.nixosConfigurations;
-
 checks.${system} = {
 mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; };
 pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; };