take ghost to titan

2024-12-28 22:46:25 -05:00 · 2024-12-28 22:46:25 -05:00 · bfb5a13e34
commit bfb5a13e34
parent b6a16534ea
5 changed files with 108 additions and 16 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -2,6 +2,7 @@ keys:
  - &chunk age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
  - &yt age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
  - &cy age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
+  - &titan age12w2xgh4nxhrrggrtcnu75wgukqnayzhfd2azkhukl6u8xqxsqvtsa4lmhl
 creation_rules:
  - path_regex: secrets/de3911/yt.yaml
    key_groups:
@ -49,6 +50,7 @@ creation_rules:
      - age:
          - *chunk
          - *cy
+          - *titan
  - path_regex: secrets/services/hedgedoc.yaml
    key_groups:
      - age:
--- a/hosts/chunk/Caddyfile
+++ b/hosts/chunk/Caddyfile
@ -46,21 +46,6 @@ ntfy.cything.io {
  reverse_proxy localhost:8083
 }

-cything.io {
-  import common
-  uri strip_prefix /blog
-  reverse_proxy /_matrix/* localhost:8448
-  reverse_proxy localhost:8084
-
-  respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"}
-  respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}}
-}
-
-www.cything.io {
-  import common
-  redir https://cything.io{uri} permanent
-}
-
 pad.cything.io {
  import common
  reverse_proxy localhost:8085
--- a/hosts/titan/Caddyfile
+++ b/hosts/titan/Caddyfile
@ -0,0 +1,25 @@
+{
+  acme_ca https://acme.zerossl.com/v2/DV90
+  acme_eab {
+    key_id {$EAB_KEY_ID}
+    mac_key {$EAB_MAC_KEY}
+  }
+}
+
+(common) {
+  encode zstd gzip
+  header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+}
+
+cything.io {
+  import common
+  reverse_proxy localhost:8084
+
+  respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"}
+  respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}}
+}
+
+www.cything.io {
+  import common
+  redir https://cything.io{uri} permanent
+}
--- a/hosts/titan/default.nix
+++ b/hosts/titan/default.nix
@ -1,4 +1,4 @@
-{ modulesPath, lib, pkgs, ...}:
+{ modulesPath, config, lib, pkgs, ...}:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
@ -8,6 +8,13 @@
    ./hardware-configuration.nix
  ];

+  sops.age.keyFile = "/root/.config/sops/age/keys.txt";
+  sops.secrets = {
+    "caddy/env" = {
+      sopsFile = ../../secrets/services/caddy.yaml;
+    };
+  };
+
  boot = {
    loader = {
      systemd-boot.enable = true;
@ -62,4 +69,25 @@
      443
    ];
  };
+
+  # container stuff
+  virtualisation.containers.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    # create 'docker' alias for podman, to use as
+    # drop-in replacement
+    dockerCompat = true;
+    defaultNetwork.settings = {
+      dns_enabled = true;
+      ipv6_enabled = true;
+    };
+  };
+  virtualisation.oci-containers.backend = "podman";
+
+  services.caddy = {
+    enable = true;
+    configFile = ./Caddyfile;
+    environmentFile = config.sops.secrets."caddy/env".path;
+    logFormat = lib.mkForce "level INFO";
+  };
 }
--- a/hosts/titan/ghost.nix
+++ b/hosts/titan/ghost.nix
@ -0,0 +1,52 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+{
+  virtualisation.oci-containers.containers.ghost = {
+    image = "ghost:5-alpine";
+    autoStart = true;
+    ports = [ "127.0.0.1:8084:2368" ];
+    pull = "newer";
+    environment = {
+      database__client = "mysql";
+      database__connection__host = "ghost-db";
+      database__connection__user = "root";
+      database__connection__password = "example";
+      database__connection__databse = "ghost";
+      url = "https://cything.io";
+      NODE_ENV = "production";
+    };
+    volumes = [
+      "/opt/ghost/data:/var/lib/ghost/content"
+    ];
+    networks = [ "ghost-net" ];
+    dependsOn = [ "ghost-db" ];
+  };
+
+  virtualisation.oci-containers.containers.ghost-db = {
+    image = "mysql:8.0";
+    autoStart = true;
+    pull = "newer";
+    environment = {
+      MYSQL_ROOT_PASSWORD = "example";
+    };
+    volumes = [
+      "/opt/ghost/db:/var/lib/mysql"
+    ];
+    networks = [ "ghost-net" ];
+  };
+
+  systemd.services.create-ghost-net = {
+    serviceConfig.Type = "oneshot";
+    wantedBy = with config.virtualisation.oci-containers; [
+      "${backend}-ghost.service"
+      "${backend}-ghost-db.service"
+    ];
+    script = ''
+      ${pkgs.podman}/bin/podman network exists ghost-net || \
+      ${pkgs.podman}/bin/podman network create ghost-net
+    '';
+  };
+}