more generic approach, but still limited to vogon, for the forgejo profile
This commit is contained in:
parent
ea4d89eedc
commit
873479d893
2 changed files with 46 additions and 23 deletions
|
@ -7,8 +7,21 @@ let
|
||||||
domain = "federez.net";
|
domain = "federez.net";
|
||||||
fqdn = "git.${domain}";
|
fqdn = "git.${domain}";
|
||||||
|
|
||||||
sys-ip = "193.54.193.164";
|
hasValidLastOctet =
|
||||||
git-ip = "193.54.193.165";
|
config ? vogon.networking.last-octet &&
|
||||||
|
builtins.length config.vogon.networking.last-octet >= 2;
|
||||||
|
|
||||||
|
lastOctetValues =
|
||||||
|
if hasValidLastOctet
|
||||||
|
then config.vogon.networking.last-octet
|
||||||
|
else abort ''Forgejo can only be deploy on vogon for now,
|
||||||
|
and it requires two public ip address, the first one
|
||||||
|
for ssh access from wan, and the second for the
|
||||||
|
forgejo dedicated ssh server'';
|
||||||
|
|
||||||
|
sys-ip = "193.54.193.${toString (builtins.elemAt lastOctetValues 0)}";
|
||||||
|
git-ip = "193.54.193.${toString (builtins.elemAt lastOctetValues 1)}";
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
age.secrets = lib.mapAttrs
|
age.secrets = lib.mapAttrs
|
||||||
|
@ -24,13 +37,7 @@ in
|
||||||
postgresqlDatabases = [ cfg.database.name ];
|
postgresqlDatabases = [ cfg.database.name ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh.startWhenNeeded = false;
|
||||||
listenAddresses = [{
|
|
||||||
addr = "${sys-ip}";
|
|
||||||
port = 22;
|
|
||||||
}];
|
|
||||||
startWhenNeeded = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.forgejo = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -98,7 +105,7 @@ in
|
||||||
user = "wizard";
|
user = "wizard";
|
||||||
in ''
|
in ''
|
||||||
# || true -> avoid systemd to crash on that command if user already exist by forcing a 0 return value
|
# || true -> avoid systemd to crash on that command if user already exist by forcing a 0 return value
|
||||||
${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
|
${adminCmd} create --admin --email "admin@federez.net" --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
|
||||||
${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
|
${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
@ -115,7 +122,7 @@ in
|
||||||
"git.federez.net" = {
|
"git.federez.net" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/".proxyPass = "http://localhost:3000";
|
locations."/".proxyPass = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
client_max_body_size 1G;
|
client_max_body_size 1G;
|
||||||
'';
|
'';
|
||||||
|
|
|
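Review bot: In the first hunk, hasValidLastOctet only checks that last-octet has at least two entries, so a list such as `[ 164 164 ]` passes and sys-ip and git-ip both resolve to the same address; if the dedicated forgejo ssh server still binds git-ip (not visible in this hunk), it would then collide with sshd on the same host. Tightening the check to `builtins.length (lib.unique config.vogon.networking.last-octet) >= 2` rejects that case. The failure branch uses `abort`, which cannot be caught by tryEval and stops evaluation outright; `throw` (or lib.assertMsg) is the conventional choice for a configuration error, and the message reads "can only be deploy" where "deployed" is meant. The `let` block containing these bindings starts before the hunk, and with listenAddresses moved out of this file, sshd binding sys-ip now silently depends on the vogon module's ssh-octets default being the first element of last-octet — worth a comment next to sys-ip, e.g. `# sshd listens here via vogon.networking.ssh-octets (defaults to elemAt last-octet 0)`.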
@ -1,4 +1,4 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, network, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) mkOption types;
|
inherit (lib) mkOption types;
|
||||||
|
@ -17,25 +17,41 @@ in
|
||||||
};
|
};
|
||||||
wan-mac = mkOption {
|
wan-mac = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = '''
|
description = ''
|
||||||
Adresse MAC de l'interface réseau WAN
|
Adresse MAC de l'interface réseau WAN
|
||||||
qui portera l'IPv4 interne.
|
qui portera l'IPv4 interne.
|
||||||
'';
|
'';
|
||||||
example = "BC:24:11:B7:AE:80";
|
example = "BC:24:11:B7:AE:80";
|
||||||
};
|
};
|
||||||
|
ssh-octets = mkOption {
|
||||||
|
type = types.listOf (types.ints.between 161 174);
|
||||||
|
default = [ (builtins.head cfg.networking.last-octet) ];
|
||||||
|
defaultText = "[ (first element of last-octet) ]";
|
||||||
|
description = ''
|
||||||
|
Liste des octets à utiliser pour la configuration SSH.
|
||||||
|
Par défaut, utilise le premier élément de last-octet.
|
||||||
|
'';
|
||||||
|
example = [ 163 165 ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config.systemd.network = {
|
config = {
|
||||||
links."10-wan" = {
|
systemd.network = {
|
||||||
matchConfig.MACAddress = cfg.networking.wan-mac;
|
links."10-wan" = {
|
||||||
linkConfig.Name = "wan";
|
matchConfig.MACAddress = cfg.networking.wan-mac;
|
||||||
};
|
linkConfig.Name = "wan";
|
||||||
networks."10-wan" = {
|
};
|
||||||
matchConfig.Name = "wan";
|
networks."10-wan" = {
|
||||||
address = map (octet: "193.54.193.${toString octet}/28") cfg.networking.last-octet;
|
matchConfig.Name = "wan";
|
||||||
routes = [ { Gateway = "193.54.193.174"; } ];
|
address = map (octet: "193.54.193.${toString octet}/28") cfg.networking.last-octet;
|
||||||
linkConfig.RequiredForOnline = "routable";
|
routes = [ { Gateway = "193.54.193.174"; } ];
|
||||||
|
linkConfig.RequiredForOnline = "routable";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
services.openssh.listenAddresses = [
|
||||||
|
{ addr = network.infra.nodes.${config.networking.hostName}.ipv4; port = 22; }
|
||||||
|
{ addr = network.infra.nodes.${config.networking.hostName}.ipv6; port = 22; }
|
||||||
|
] ++ map (octet: { addr = "193.54.193.${toString octet}"; port = 22; }) cfg.networking.ssh-octets;
|
||||||
};
|
};
|
||||||
}
|
}
|
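Review bot: The new ssh-octets option is range-checked but never required to be a subset of last-octet, so an entry that is not in last-octet makes services.openssh.listenAddresses name an address the `wan` network never assigns (addresses come from last-octet at `address = map ... cfg.networking.last-octet`), which would presumably make sshd fail to bind that address at startup. An assertion in the `config` block catches this at evaluation time instead; the config attrset in this hunk is complete, but `cfg` is bound outside it. Separately, `default = [ (builtins.head cfg.networking.last-octet) ]` raises an opaque "head: empty list" error when last-octet is empty; `default = lib.take 1 cfg.networking.last-octet;` yields `[ ]` there with the same result otherwise. Note also that `types.ints.between 161 174` admits 174, which this module uses as the gateway on the `routes` line, and that the `network.infra.nodes.${config.networking.hostName}` lookup now fails evaluation for any host importing this module that is absent from that attrset — both worth a one-line comment on the option.

```nix
config = {
  # … unchanged: systemd.network and services.openssh.listenAddresses …
  assertions = [{
    assertion = lib.all (o: builtins.elem o cfg.networking.last-octet) cfg.networking.ssh-octets;
    message = "vogon: every entry of networking.ssh-octets must also appear in networking.last-octet, otherwise sshd is told to listen on an address the wan interface never gets";
  }];
};
```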