
webserver: rename to weewx

Daniel Kempkens 2023-03-17 21:58:31 +01:00
parent 5497d30b02
commit 6be487f012
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
14 changed files with 90 additions and 60 deletions


@ -54,6 +54,14 @@
group = "matrix-synapse"; group = "matrix-synapse";
}; };
mosquitto-password-weewx-proxy = {
file = ./mosquitto/passwordWeewxProxy.age;
};
mosquitto-password-weewx = {
file = ./mosquitto/passwordWeewx.age;
};
atuin-environment = { atuin-environment = {
file = ./atuin/environment.age; file = ./atuin/environment.age;
owner = "atuin"; owner = "atuin";
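Review bot: The two new entries, `mosquitto-password-weewx-proxy` and `mosquitto-password-weewx`, set only `file`, while the neighbouring entries visible in this hunk also set `owner` and `group`. agenix then falls back to its defaults (root-owned, mode 0400), so it is worth confirming that whatever reads `hashedPasswordFile` for the mosquitto listener runs with enough privilege to open them. If the broker's own service user does the reading, add `owner = "mosquitto";` to each entry and widen access no further than that one account. The surrounding attribute set starts and ends outside this hunk.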


@ -0,0 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -1,4 +1,4 @@
{ config, secret, ... }: { config, ... }:
{ {
virtualisation.arion.projects.proxitok.settings = { virtualisation.arion.projects.proxitok.settings = {


@ -1,33 +0,0 @@
{ secret, ... }:
{
systemd.tmpfiles.rules = [
"d /etc/container-webserver/weewx 0755 421 421"
"d /etc/container-webserver/weewx/html 0755 421 421"
];
# mosquitto
environment.etc."container-webserver/mosquitto/mosquitto.conf" = {
text = ''
listener 1883
password_file /mosquitto/config/users.conf
'';
mode = "0644";
};
environment.etc."container-webserver/mosquitto/users.conf" = {
text = secret.container.webserver.mosquitto.users;
mode = "0644";
};
# weewx
environment.etc."container-webserver/weewx/weewx.conf" = {
source = ../../secret/container/webserver/config/weewx.conf;
mode = "0644";
uid = 421;
gid = 421;
};
}


@ -1,26 +1,12 @@
{ config, ... }:
let let
secret = import ../../secret/container/webserver; secret = import ../../secret/container/weewx;
custom-config = import ./config.nix { inherit secret; }; data-dir = "/etc/container-weewx";
in in
{ {
virtualisation.arion.projects.webserver.settings = { virtualisation.arion.projects.weewx.settings = {
services = { services = {
mosquitto = {
service = {
image = "eclipse-mosquitto:2";
container_name = "mosquitto";
restart = "unless-stopped";
ports = [ "1883:1883" ];
user = "nobody";
volumes = [
"/etc/container-webserver/mosquitto:/mosquitto/config:ro"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
};
};
};
weewx = { weewx = {
service = { service = {
image = "ghcr.io/nifoc/weewx-docker:master"; image = "ghcr.io/nifoc/weewx-docker:master";
@ -32,7 +18,7 @@ in
"TZ" = "Europe/Berlin"; "TZ" = "Europe/Berlin";
}; };
volumes = [ volumes = [
"/etc/container-webserver/weewx:/data" "${data-dir}:/data"
]; ];
labels = { labels = {
"com.centurylinklabs.watchtower.enable" = "true"; "com.centurylinklabs.watchtower.enable" = "true";
@ -42,11 +28,45 @@ in
}; };
}; };
services.nginx.virtualHosts."${secret.container.webserver.hostname}" = { systemd.tmpfiles.rules = [
"d ${data-dir} 0755 421 421"
"d ${data-dir}/html 0755 421 421"
];
environment.etc."container-weewx/weewx.conf" = {
source = ../../secret/container/weewx/config/weewx.conf;
mode = "0644";
uid = 421;
gid = 421;
};
services.mosquitto.listeners = {
weewx-private = {
address = "0.0.0.0";
port = 1883;
users = {
weewx-proxy = {
hashedPasswordFile = config.age.secrets.mosquitto-password-weewx-proxy.path;
acl = [ "write weewx/+" ];
};
weewx = {
hashedPasswordFile = config.age.secrets.mosquitto-password-weewx.path;
acl = [ "read weewx/+" ];
};
};
};
};
networking.firewall.interfaces."enp7s0".allowedTCPPorts = [ 1883 ];
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1883 ];
services.nginx.virtualHosts."${secret.container.weewx.hostname}" = {
http3 = true; http3 = true;
kTLS = true; kTLS = true;
root = "/etc/container-webserver/weewx/html/wdc"; root = "${data-dir}/html/wdc";
forceSSL = true; forceSSL = true;
useACMEHost = "kempkens.io"; useACMEHost = "kempkens.io";
@ -72,4 +92,4 @@ in
expires modified 1h; expires modified 1h;
''; '';
}; };
} // custom-config }
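Review bot: The `weewx-private` listener binds `address = "0.0.0.0"`, so the only thing keeping port 1883 off every other interface is the pair of `networking.firewall.interfaces.*.allowedTCPPorts` lines below it. Port 1883 is plain MQTT, so the passwords checked against the `hashedPasswordFile` entries cross `enp7s0` unencrypted unless that link is itself private. A short comment saying which network `enp7s0` is, or binding the listener to the specific addresses, would make the intended exposure explicit. Separately, `environment.etc."container-weewx/weewx.conf"` still takes its `source` from the `secret/` tree with `mode = "0644"`, which copies the file into the world-readable Nix store. If that file holds the `weewx` MQTT password, this would undo on the client side the move to agenix made here for the broker.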

Binary file not shown.

Binary file not shown.


@ -19,6 +19,9 @@ in
"agenix/hosts/sail/synapse/extraConfig.age".publicKeys = sail; "agenix/hosts/sail/synapse/extraConfig.age".publicKeys = sail;
"agenix/hosts/sail/mosquitto/passwordWeewxProxy.age".publicKeys = sail;
"agenix/hosts/sail/mosquitto/passwordWeewx.age".publicKeys = sail;
"agenix/hosts/sail/atuin/environment.age".publicKeys = sail; "agenix/hosts/sail/atuin/environment.age".publicKeys = sail;
"agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail; "agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail;


@ -40,7 +40,7 @@ in
(import ../nixos/tailscale.nix (args // { inherit secret; })) (import ../nixos/tailscale.nix (args // { inherit secret; }))
(import ../nixos/arion.nix (args // { inherit secret; })) (import ../nixos/arion.nix (args // { inherit secret; }))
../../container/webserver ../../container/weewx
../../container/matrix ../../container/matrix
../../container/proxitok ../../container/proxitok
]; ];


@ -19,6 +19,7 @@
autoPrune = { autoPrune = {
enable = true; enable = true;
dates = "weekly"; dates = "weekly";
flags = [ "--all" ];
}; };
}; };
@ -32,7 +33,7 @@
}; };
networking.firewall.interfaces."podman+" = { networking.firewall.interfaces."podman+" = {
allowedUDPPorts = [ 53 443 ]; allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 443 ]; allowedTCPPorts = [ 53 ];
}; };
} }


@ -0,0 +1,6 @@
{
services.mosquitto = {
enable = true;
persistence = true;
};
}