From bfb5a13e3498c479f30da1584ac27ee1279e7978 Mon Sep 17 00:00:00 2001
From: cy
Date: Sat, 28 Dec 2024 22:46:25 -0500
Subject: [PATCH] take ghost to titan

---
 .sops.yaml              |  2 ++
 hosts/chunk/Caddyfile   | 15 ------------
 hosts/titan/Caddyfile   | 25 ++++++++++++++++++++
 hosts/titan/default.nix | 30 +++++++++++++++++++++++-
 hosts/titan/ghost.nix   | 52 +++++++++++++++++++++++++++++++++++++++++
 5 files changed, 108 insertions(+), 16 deletions(-)
 create mode 100644 hosts/titan/Caddyfile
 create mode 100644 hosts/titan/ghost.nix

diff --git a/.sops.yaml b/.sops.yaml
index 72b601e..11878a5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,7 @@ keys:
   - &chunk age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
   - &yt age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
   - &cy age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
+  - &titan age12w2xgh4nxhrrggrtcnu75wgukqnayzhfd2azkhukl6u8xqxsqvtsa4lmhl
 creation_rules:
   - path_regex: secrets/de3911/yt.yaml
     key_groups:
@@ -49,6 +50,7 @@ creation_rules:
       - age:
           - *chunk
           - *cy
+          - *titan
   - path_regex: secrets/services/hedgedoc.yaml
     key_groups:
       - age:
diff --git a/hosts/chunk/Caddyfile b/hosts/chunk/Caddyfile
index 4ea845b..c1b1478 100644
--- a/hosts/chunk/Caddyfile
+++ b/hosts/chunk/Caddyfile
@@ -46,21 +46,6 @@ ntfy.cything.io {
 	reverse_proxy localhost:8083
 }
 
-cything.io {
-	import common
-	uri strip_prefix /blog
-	reverse_proxy /_matrix/* localhost:8448
-	reverse_proxy localhost:8084
-
-	respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"}
-	respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}}
-}
-
-www.cything.io {
-	import common
-	redir https://cything.io{uri} permanent
-}
-
 pad.cything.io {
 	import common
 	reverse_proxy localhost:8085
diff --git a/hosts/titan/Caddyfile b/hosts/titan/Caddyfile
new file mode 100644
index 0000000..fe10284
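Review bot: Adding `*titan` to the creation rule in the `@@ -49,6 +50,7 @@` hunk only changes how the matching secrets file is encrypted from now on, and no file under `secrets/` is re-encrypted in this commit (the diffstat lists just the five files above). If that rule is the one covering `secrets/services/caddy.yaml`, which `hosts/titan/default.nix` now reads for `caddy/env`, titan's age key cannot decrypt it until the data key is re-wrapped for the new recipient, e.g. `sops updatekeys secrets/services/caddy.yaml`; the rule's `path_regex` sits above the hunk, so I cannot confirm which file it governs from here. Adding a recipient to a rule grants that host every secret the rule covers, so it is worth confirming the rule covers only what titan actually needs (from the new Caddyfile, presumably the EAB key id and MAC key).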
--- /dev/null
+++ b/hosts/titan/Caddyfile
@@ -0,0 +1,25 @@
+{
+	acme_ca https://acme.zerossl.com/v2/DV90
+	acme_eab {
+		key_id {$EAB_KEY_ID}
+		mac_key {$EAB_MAC_KEY}
+	}
+}
+
+(common) {
+	encode zstd gzip
+	header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+}
+
+cything.io {
+	import common
+	reverse_proxy localhost:8084
+
+	respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"}
+	respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}}
+}
+
+www.cything.io {
+	import common
+	redir https://cything.io{uri} permanent
+}
diff --git a/hosts/titan/default.nix b/hosts/titan/default.nix
index ef0f900..0f1e88b 100644
--- a/hosts/titan/default.nix
+++ b/hosts/titan/default.nix
@@ -1,4 +1,4 @@
-{ modulesPath, lib, pkgs, ...}:
+{ modulesPath, config, lib, pkgs, ...}:
 {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
@@ -8,6 +8,13 @@
     ./hardware-configuration.nix
   ];
 
+  sops.age.keyFile = "/root/.config/sops/age/keys.txt";
+  sops.secrets = {
+    "caddy/env" = {
+      sopsFile = ../../secrets/services/caddy.yaml;
+    };
+  };
+
   boot = {
     loader = {
       systemd-boot.enable = true;
@@ -62,4 +69,25 @@
       443
     ];
   };
+
+  # container stuff
+  virtualisation.containers.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    # create 'docker' alias for podman, to use as
+    # drop-in replacement
+    dockerCompat = true;
+    defaultNetwork.settings = {
+      dns_enabled = true;
+      ipv6_enabled = true;
+    };
+  };
+  virtualisation.oci-containers.backend = "podman";
+
+  services.caddy = {
+    enable = true;
+    configFile = ./Caddyfile;
+    environmentFile = config.sops.secrets."caddy/env".path;
+    logFormat = lib.mkForce "level INFO";
+  };
 }
diff --git a/hosts/titan/ghost.nix b/hosts/titan/ghost.nix
new file mode 100644
index 0000000..b190cd0
--- /dev/null
+++ b/hosts/titan/ghost.nix
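Review bot: The `respond /.well-known/matrix/client` line in the `cything.io` block serves the client discovery document without CORS headers, and the Matrix spec says hosts of that file SHOULD send them because browser-based clients fetch it cross-origin; add `header /.well-known/matrix/* Access-Control-Allow-Origin *` to the site block. As far as I can tell Caddy's `respond` also sets no Content-Type, so Go's sniffing will label the JSON body `text/plain`; `header /.well-known/matrix/* Content-Type application/json` fixes that. Both points were already present in the block deleted from hosts/chunk/Caddyfile, so this is a carry-over rather than a regression, but the new file is the place to fix it.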
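Review bot: `./ghost.nix` is created by this commit but is not added to the `imports` list in the `@@ -1,4 +1,4 @@` / `@@ -8,6 +8,13 @@` hunks, and nothing else in the diff references it, so unless the host's modules are collected elsewhere (a flake or directory glob, not visible here) the `ghost` and `ghost-db` containers are never declared and the new Caddyfile's `reverse_proxy localhost:8084` has nothing behind it. Lines 5–7 of the `imports` list fall between the two hunks, so I cannot rule out that it is already listed there; if it is not, add `./ghost.nix` after `./hardware-configuration.nix`. The attribute set that the `443 ];` context closes in the last hunk starts outside the hunk.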
@@ -0,0 +1,52 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+{
+  virtualisation.oci-containers.containers.ghost = {
+    image = "ghost:5-alpine";
+    autoStart = true;
+    ports = [ "127.0.0.1:8084:2368" ];
+    pull = "newer";
+    environment = {
+      database__client = "mysql";
+      database__connection__host = "ghost-db";
+      database__connection__user = "root";
+      database__connection__password = "example";
+      database__connection__databse = "ghost";
+      url = "https://cything.io";
+      NODE_ENV = "production";
+    };
+    volumes = [
+      "/opt/ghost/data:/var/lib/ghost/content"
+    ];
+    networks = [ "ghost-net" ];
+    dependsOn = [ "ghost-db" ];
+  };
+
+  virtualisation.oci-containers.containers.ghost-db = {
+    image = "mysql:8.0";
+    autoStart = true;
+    pull = "newer";
+    environment = {
+      MYSQL_ROOT_PASSWORD = "example";
+    };
+    volumes = [
+      "/opt/ghost/db:/var/lib/mysql"
+    ];
+    networks = [ "ghost-net" ];
+  };
+
+  systemd.services.create-ghost-net = {
+    serviceConfig.Type = "oneshot";
+    wantedBy = with config.virtualisation.oci-containers; [
+      "${backend}-ghost.service"
+      "${backend}-ghost-db.service"
+    ];
+    script = ''
+      ${pkgs.podman}/bin/podman network exists ghost-net || \
+      ${pkgs.podman}/bin/podman network create ghost-net
+    '';
+  };
+}
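Review bot: `database__connection__databse` is misspelled, so Ghost never receives the database name; the documented key is `database__connection__database = "ghost";`, and without it the first `ghost` container start will presumably fail when it tries to create or select its schema. `create-ghost-net` is only `wantedBy` the two container units, which adds a Wants= but no ordering, so the container's `--network ghost-net` can race the `podman network create`; add `before = with config.virtualisation.oci-containers; [ "${backend}-ghost.service" "${backend}-ghost-db.service" ];` alongside `wantedBy`. The MySQL root credential `example` is written into both containers' `environment`, which puts it world-readable in the Nix store and in git; the database listens only on `ghost-net` with no published ports, which limits exposure, but the same `sops.secrets` pattern this commit uses for `caddy/env` could feed it through `environmentFiles`, ideally as a dedicated `MYSQL_USER`/`MYSQL_PASSWORD`/`MYSQL_DATABASE` rather than root. `pull = "newer"` on the floating tags `ghost:5-alpine` and `mysql:8.0` means any restart may silently move to a new upstream image, so pinning by digest would keep deploys reproducible and reviewable.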