Create Pulumi-provisioned web server

PulumiWebServer/Nix/flake.lock

@@ -0,0 +1,64 @@
+{
+  "nodes": {
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1672349765,
+        "narHash": "sha256-Ul3lSGglgHXhgU3YNqsNeTlRH1pqxbR64h+2hM+HtnM=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "dd99675ee81fef051809bc87d67eb07f5ba022e8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1672262501,
+        "narHash": "sha256-ZNXqX9lwYo1tOFAqrVtKTLcJ2QMKCr3WuIvpN8emp7I=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e182da8622a354d44c39b3d7a542dc12cd7baa5f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

PulumiWebServer/Nix/flake.nix

@@ -0,0 +1,23 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    home-manager,
+  }: {
+    nixosConfigurations.nixos-server = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ./configuration.nix
+      ];
+    };
+    nix.registry.nixpkgs.flake = nixpkgs;
+  };
+}

PulumiWebServer/Nix/gitea.nix

@@ -0,0 +1,115 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  port = 3001;
+in {
+  services.gitea = {
+    enable = true;
+    appName = "Gitea";
+    lfs.enable = true;
+    stateDir = "/preserve/gitea";
+    database = {
+      type = "postgres";
+      passwordFile = "/preserve/gitea/gitea-db-pass";
+    };
+    domain = "@@GITEA_SUBDOMAIN@@.@@DOMAIN@@";
+    rootUrl = "https://@@GITEA_SUBDOMAIN@@.@@DOMAIN@@/";
+    httpPort = port;
+    settings = let
+      docutils = pkgs.python37.withPackages (ps:
+        with ps; [
+          docutils
+          pygments
+        ]);
+    in {
+      mailer = {
+        ENABLED = true;
+        FROM = "gitea@" + "@@DOMAIN@@";
+      };
+      service = {
+        REGISTER_EMAIL_CONFIRM = true;
+        DISABLE_REGISTRATION = true;
+        COOKIE_SECURE = true;
+      };
+      "markup.restructuredtext" = {
+        ENABLED = true;
+        FILE_EXTENSIONS = ".rst";
+        RENDER_COMMAND = ''${docutils}/bin/rst2html.py'';
+        IS_INPUT_FILE = false;
+      };
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    # TODO: make this use the /preserve mount
+    # dataDir = "/preserve/postgresql/data";
+    authentication = ''
+      local gitea all ident map=gitea-users
+    '';
+    identMap = ''
+      gitea-users gitea gitea
+    '';
+  };
+
+  services.nginx.virtualHosts."@@GITEA_SUBDOMAIN@@.@@DOMAIN@@" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${toString port}/";
+    };
+  };
+
+  systemd.services.gitea-supply-password = {
+    description = "gitea-supply-password";
+    wantedBy = ["gitea.service"];
+    path = [pkgs.gitea];
+    script = ''
+      mkdir -p /preserve/gitea && \
+      chown -R gitea /preserve/gitea && \
+      ln -f /preserve/keys/gitea-admin-pass /preserve/gitea/gitea-admin-pass && \
+      chown gitea /preserve/gitea/gitea-admin-pass && \
+      ln -f /preserve/keys/gitea-db-pass /preserve/gitea/gitea-db-pass && \
+      chown gitea /preserve/gitea/gitea-db-pass
+    '';
+    serviceConfig = {
+      Restart = "no";
+      Type = "oneshot";
+      User = "root";
+      Group = "root";
+    };
+  };
+
+  # The Gitea module does not allow adding users declaratively
+  systemd.services.gitea-add-user = {
+    description = "gitea-add-user";
+    after = ["gitea-supply-password.service"];
+    wantedBy = ["multi-user.target"];
+    path = [pkgs.gitea];
+    script = ''      TMPFILE=$(mktemp)
+      PASSWORD=$(cat /preserve/gitea/gitea-admin-pass)
+      set +e
+      ${pkgs.gitea} migrate -c /preserve/gitea/data/custom/conf/app.ini
+      ${pkgs.gitea}/bin/gitea admin user create --admin --username @@GITEA_ADMIN_USERNAME@@ --password "$PASSWORD" --email @@GITEA_ADMIN_EMAIL@@ 2>"$TMPFILE" 1>"$TMPFILE"
+      EXITCODE=$?
+      if [ $EXITCODE -eq 1 ]; then
+        if grep 'already exists' "$TMPFILE" 2>/dev/null 1>/dev/null; then
+          EXITCODE=0
+        fi
+      fi
+      cat "$TMPFILE"
+      rm "$TMPFILE"
+      exit $EXITCODE
+    '';
+    serviceConfig = {
+      Restart = "no";
+      Type = "oneshot";
+      User = "gitea";
+      Group = "gitea";
+      WorkingDirectory = config.services.gitea.stateDir;
+    };
+    environment = {GITEA_WORK_DIR = config.services.gitea.stateDir;};
+  };
+}

PulumiWebServer/Nix/nginx.nix

@@ -0,0 +1,39 @@
+{...}: let
+  domain = "@@DOMAIN@@";
+in {
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "@@ACME_EMAIL@@";
+  security.acme.certs = "@@DOMAINS@@";
+
+  networking.firewall.allowedTCPPorts = [
+    80 # required for the ACME challenge
+    443
+  ];
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    virtualHosts."${domain}" = {
+      globalRedirect = "@@WEBROOT_SUBDOMAIN@@.${domain}";
+      addSSL = true;
+      enableACME = true;
+      root = "/preserve/www/html";
+    };
+
+    virtualHosts."@@WEBROOT_SUBDOMAIN@@.${domain}" = {
+      addSSL = true;
+      enableACME = true;
+      root = "/preserve/www/html";
+      extraConfig = ''
+        location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2)$ {
+            expires 30d;
+            add_header Pragma public;
+            add_header Cache-Control "public";
+        }
+      '';
+    };
+  };
+}

PulumiWebServer/Nix/radicale.nix

@@ -0,0 +1,32 @@
+{pkgs, ...}: let
+  port = 5232;
+  enableGit = true;
+  storage =
+    if enableGit
+    then {
+      hook = "${pkgs.git}/bin/git add -A && (${pkgs.git}/bin/git diff --cached --quiet || ${pkgs.git}/bin/git commit -m 'Changes by '%(user)s)";
+      filesystem_folder = "/preserve/radicale/data";
+    }
+    else {};
+in {
+  services.radicale = {
+    enable = true;
+    settings = {
+      server.hosts = ["0.0.0.0:${toString port}"];
+      auth = {
+        type = "htpasswd";
+        htpasswd_filename = "/preserve/keys/radicale-users";
+        htpasswd_encryption = "bcrypt";
+      };
+      storage = storage;
+    };
+  };
+
+  services.nginx.virtualHosts."@@RADICALE_SUBDOMAIN@@.@@DOMAIN@@" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${toString port}/";
+    };
+  };
+}

PulumiWebServer/Nix/userconfig.nix

@@ -0,0 +1,34 @@
+{pkgs, ...}: {
+  users.mutableUsers = false;
+  users.users."@@USER@@" = {
+    isNormalUser = true;
+    home = "/home/@@USER@@";
+    extraGroups = ["wheel"];
+    openssh.authorizedKeys.keys = ["@@AUTHORIZED_KEYS@@"];
+  };
+
+  security.sudo = {
+    enable = true;
+    extraRules = [
+      {
+        users = ["@@USER@@"];
+        commands = [
+          {
+            command = "ALL";
+            options = ["NOPASSWD"];
+          }
+        ];
+      }
+    ];
+  };
+
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+
+  environment.systemPackages = [
+    pkgs.vim
+    pkgs.git
+    pkgs.home-manager
+  ];
+}