diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6eba117..a9fa2c9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,17 +45,3 @@ jobs: lfs: false - name: "Deploy profile" run: "auto-deploy ${{ matrix.profile }}" - deploy-ci: - needs: deploy - if: success() && github.ref == 'refs/heads/main' - runs-on: nix - env: - SSH_DEPLOY_KEY: "${{ secrets.SSH_DEPLOY_KEY }}" - steps: - - name: Initialize CI - uses: https://git.qo.is/qo.is/actions-nix-init@main - with: - token: ${{ secrets.CI_TOKEN }} - lfs: false - - name: "Deploy profile" - run: "auto-deploy system-ci" diff --git a/defaults/meta/hosts.json b/defaults/meta/hosts.json index 37532af..39d478d 100644 --- a/defaults/meta/hosts.json +++ b/defaults/meta/hosts.json @@ -17,7 +17,7 @@ }, "lindberg-webapps": { "hostName": "lindberg-webapps", - "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIByESy+XiBT8/PoE8DUB388B5MA6LVcJBgH1ZgYxr9Mg" + "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJT99lj5OI+V1PlZl/T2ikBORwMiXjDfWpHYfq/GvUM5" }, "batzberg": { "hostName": "batzberg" diff --git a/flake.lock b/flake.lock index e0b4195..dd62963 100644 --- a/flake.lock +++ b/flake.lock @@ -23,15 +23,15 @@ "disko": { "inputs": { "nixpkgs": [ - "nixpkgs" + "nixpkgs-nixos-stable" ] }, "locked": { - "lastModified": 1751854533, - "narHash": "sha256-U/OQFplExOR1jazZY4KkaQkJqOl59xlh21HP9mI79Vc=", + "lastModified": 1749200714, + "narHash": "sha256-W8KiJIrVwmf43JOPbbTu5lzq+cmdtRqaNbOsZigjioY=", "owner": "nix-community", "repo": "disko", - "rev": "16b74a1e304197248a1bc663280f2548dbfcae3c", + "rev": "17d08c65c241b1d65b3ddf79e3fac1ddc870b0f6", "type": "github" }, "original": { 
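Review bot: The `sshKey` for lindberg-webapps in defaults/meta/hosts.json is replaced, but nothing in the commit records where the new host key came from or how its fingerprint was checked against the host, and that is the value everything else will trust for this machine; the commit message should state it. If `serverAgeKeys` in packages/sops-config is derived from these host keys (the diff does not show the derivation), every secret encrypted to the old key also needs re-encrypting, e.g. `sops updatekeys` over the affected files, and any known_hosts entries pinned to the old key must be refreshed. The disk device for the same host changes in this commit, which is consistent with a reinstall producing a fresh host key, but that link is only inferred.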
@@ -81,11 +81,11 @@ ] }, "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", + "lastModified": 1747372754, + "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", + "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", "type": "github" }, "original": { @@ -131,18 +131,34 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs-nixos-stable": { "locked": { - "lastModified": 1751741127, - "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=", + "lastModified": 1748995628, + "narHash": "sha256-bFufQGSAEYQgjtc4wMrobS5HWN0hDP+ZX+zthYcml9U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "29e290002bfff26af1db6f64d070698019460302", + "rev": "8eb3b6a2366a7095939cd22f0dc0e9991313294b", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.05", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1749143949, + "narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -154,10 +170,10 @@ ] }, "locked": { - "lastModified": 1749920008, - "narHash": "sha256-wn3U2q/+OQYErVyoY9kwZP/fXcDG4ewhJkHX7qHzq8g=", - "rev": "5f8ba2025848dd30539c42ef1f7e6c6f917e70d9", - "revCount": 19, + "lastModified": 1747599024, + "narHash": "sha256-qc94Cyt6uaQCVY2VlCtNxGb7hs3DbLvxuhEnSLFL8T8=", + "rev": "bed7588246ec58aacac3d0ff5b191fa6cc9faa98", + "revCount": 17, "type": "git", "url": "file:./private" }, @@ -172,6 +188,7 @@ "disko": "disko", "git-hooks-nix": "git-hooks-nix", "nixpkgs": "nixpkgs_2", + "nixpkgs-nixos-stable": "nixpkgs-nixos-stable", "private": "private", "sops-nix": "sops-nix", "treefmt-nix": "treefmt-nix" 
@@ -184,11 +201,11 @@ ] }, "locked": { - "lastModified": 1751606940, - "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=", + "lastModified": 1747603214, + "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d", + "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", "type": "github" }, "original": { @@ -219,11 +236,11 @@ ] }, "locked": { - "lastModified": 1750931469, - "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=", + "lastModified": 1749194973, + "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1", + "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b645da8..df38c88 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,8 @@ extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="; }; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11"; treefmt-nix = { url = "github:numtide/treefmt-nix"; @@ -23,7 +24,7 @@ deploy-rs.url = "github:serokell/deploy-rs"; disko = { url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs-nixos-stable"; }; private.url = "git+file:./private"; private.inputs.nixpkgs.follows = "nixpkgs"; @@ -58,7 +59,7 @@ inherit (inputs) deploy-rs disko - nixpkgs + nixpkgs-nixos-stable sops-nix private git-hooks-nix diff --git a/nixos-configurations/calanda/default.nix b/nixos-configurations/calanda/default.nix index b0109d1..a397319 100644 --- a/nixos-configurations/calanda/default.nix +++ b/nixos-configurations/calanda/default.nix 
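Review bot: `nixpkgs` now points at nixos-unstable while `nixpkgs-nixos-stable` (nixos-24.11) is what disko follows and what nixos-configurations/default.nix uses for `nixosSystem`, yet the `private.inputs.nixpkgs.follows = "nixpkgs";` line left as context still follows unstable, so the private input is evaluated against a different nixpkgs than the hosts it feeds. If that split is intentional, a comment next to the inputs should say which consumers each tree serves, e.g. `# nixpkgs-nixos-stable: NixOS hosts (nixosSystem, disko); nixpkgs: dev shell and packages`; if not, `private.inputs.nixpkgs.follows = "nixpkgs-nixos-stable";` is the one-line fix. The `inherit (inputs)` list in the last hunk continues outside the hunk, so other inputs may also need the same decision.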
@@ -16,5 +16,5 @@
 # this value at the release version of the first install of this system.
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "25.05"; # Did you read the comment?
+ system.stateVersion = "24.11"; # Did you read the comment?
 }
diff --git a/nixos-configurations/cyprianspitz/default.nix b/nixos-configurations/cyprianspitz/default.nix
index a6094df..fd20520 100644
--- a/nixos-configurations/cyprianspitz/default.nix
+++ b/nixos-configurations/cyprianspitz/default.nix
@@ -23,5 +23,5 @@
 # this value at the release version of the first install of this system.
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "25.05"; # Did you read the comment?
+ system.stateVersion = "24.11"; # Did you read the comment?
 }
diff --git a/nixos-configurations/default.nix b/nixos-configurations/default.nix
index 96f9aa1..475d6d5 100644
--- a/nixos-configurations/default.nix
+++ b/nixos-configurations/default.nix
@@ -1,12 +1,12 @@
 {
 self,
 pkgs,
- nixpkgs,
+ nixpkgs-nixos-stable,
 ...
 }@inputs:
 let
 inherit (pkgs.lib) genAttrs;
- inherit (nixpkgs.lib) nixosSystem;
+ inherit (nixpkgs-nixos-stable.lib) nixosSystem;
 configs = self.lib.foldersWithNix ./.;
 in
 genAttrs configs (
diff --git a/nixos-configurations/lindberg-build/default.nix b/nixos-configurations/lindberg-build/default.nix
index cd093a4..dc3a626 100644
--- a/nixos-configurations/lindberg-build/default.nix
+++ b/nixos-configurations/lindberg-build/default.nix
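Review bot: `system.stateVersion` is moved backwards from "25.05" to "24.11" for calanda and cyprianspitz here, and the same change appears for lindberg-build, lindberg-nextcloud, lindberg-webapps and lindberg. The comment directly above each line says the value records the release of the first install and is not to be changed casually: if any of these hosts has already run with "25.05", lowering it can switch stateful defaults (service data layouts, database versions) underneath existing state. If "25.05" was wrong from the start and the hosts were installed on 24.11, the change is right but the commit should say so; otherwise the stateVersion lines should stay at "25.05" even though the channel goes back to 24.11.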
@@ -19,5 +19,5 @@
 # this value at the release version of the first install of this system.
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "25.05"; # Did you read the comment?
+ system.stateVersion = "24.11"; # Did you read the comment?
 }
diff --git a/nixos-configurations/lindberg-nextcloud/default.nix b/nixos-configurations/lindberg-nextcloud/default.nix
index eab10d4..3bfc14a 100644
--- a/nixos-configurations/lindberg-nextcloud/default.nix
+++ b/nixos-configurations/lindberg-nextcloud/default.nix
@@ -46,5 +46,5 @@
 # this value at the release version of the first install of this system.
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "25.05"; # Did you read the comment?
+ system.stateVersion = "24.11"; # Did you read the comment?
 }
diff --git a/nixos-configurations/lindberg-webapps/default.nix b/nixos-configurations/lindberg-webapps/default.nix
index d3ba75b..00b64a7 100644
--- a/nixos-configurations/lindberg-webapps/default.nix
+++ b/nixos-configurations/lindberg-webapps/default.nix
@@ -19,5 +19,5 @@
 # this value at the release version of the first install of this system.
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "25.05"; # Did you read the comment?
+ system.stateVersion = "24.11"; # Did you read the comment?
 }
diff --git a/nixos-configurations/lindberg-webapps/disko-config.nix b/nixos-configurations/lindberg-webapps/disko-config.nix
index 6024053..8a7d268 100644
--- a/nixos-configurations/lindberg-webapps/disko-config.nix
+++ b/nixos-configurations/lindberg-webapps/disko-config.nix
@@ -3,7 +3,7 @@
 disko.devices.disk = {
 system = {
 type = "disk";
- device = "/dev/vdb";
+ device = "/dev/vda";
 content = {
 type = "gpt";
 partitions = {
diff --git a/nixos-configurations/lindberg/default.nix b/nixos-configurations/lindberg/default.nix
index cb2e35c..2bf286c 100644
--- a/nixos-configurations/lindberg/default.nix
+++ b/nixos-configurations/lindberg/default.nix
@@ -24,5 +24,5 @@
 # this value at the release version of the first install of this system.
 # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "25.05"; # Did you read the comment?
+ system.stateVersion = "24.11"; # Did you read the comment?
 }
diff --git a/nixos-modules/cloud/default.nix b/nixos-modules/cloud/default.nix
index e54f2d7..aaba0ef 100644
--- a/nixos-modules/cloud/default.nix
+++ b/nixos-modules/cloud/default.nix
@@ -3,6 +3,7 @@
 config,
 lib,
 pkgs,
+ options,
 ...
 }:
@@ -30,6 +31,10 @@ with lib;
 "nextcloud30"
 ];
 };
+
+ adminpassFile = options.services.nextcloud.config.adminpassFile // {
+ default = config.sops.secrets."nextcloud/admin".path;
+ };
 };
 config = mkIf cfg.enable {
@@ -59,7 +64,7 @@ with lib;
 database.createLocally = true;
 config = {
- adminpassFile = config.sops.secrets."nextcloud/admin".path;
+ inherit (cfg) adminpassFile;
 adminuser = "root";
 dbtype = "pgsql";
 };
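Review bot: `device = "/dev/vda";` replaces `/dev/vdb` in lindberg-webapps/disko-config.nix, and both are enumeration-order names that can change when a disk is added or the VM is rebuilt; disko partitions and formats whatever this path resolves to, so a stale guess wipes the wrong disk. Prefer a stable path such as `/dev/disk/by-id/<id-of-system-disk>` (placeholder) or a by-path name, and add a comment recording how the device was identified, e.g. `# system disk; confirmed against lsblk on the target before running disko`. The partition layout of this disk continues outside the hunk.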
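Review bot: `adminpassFile = options.services.nextcloud.config.adminpassFile // { default = ...; }` in nixos-modules/cloud/default.nix merges an already-evaluated option attrset into a new declaration; besides `type` and `description` an evaluated option presumably carries fields like `loc`, `declarations` and `value`, so the new option may report upstream's location in docs and errors and relies on the module system ignoring those fields. Reusing only what is needed avoids that and lets the documented default be stated (`with lib;` is in scope, so `mkOption` and `literalExpression` are available). The default also assumes the `nextcloud/admin` sops secret is declared whenever the option is not overridden, which the inherited description does not say; one sentence on that in the option's description would help.
```nix
adminpassFile = mkOption {
  inherit (options.services.nextcloud.config.adminpassFile) type description;
  default = config.sops.secrets."nextcloud/admin".path;
  defaultText = literalExpression ''config.sops.secrets."nextcloud/admin".path'';
};
```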
@@ -83,22 +88,16 @@ with lib;
 };
 phpOptions = {
- "opcache.interned_strings_buffer" = "64";
- "opcache.memory_consumption" = "512";
- "opcache.save_comments" = "1";
- "opcache.max_accelerated_files" = "50000";
- "opcache.fast_shutdown" = "1";
- "opcache.jit" = "1255";
- "opcache.jit_buffer_size" = "8M";
+ "opcache.interned_strings_buffer" = "23";
 };
 poolSettings = {
 "pm" = "dynamic";
- "pm.max_children" = "480";
- "pm.max_requests" = "2000";
- "pm.max_spare_servers" = "72";
- "pm.min_spare_servers" = "24";
- "pm.start_servers" = "48";
+ "pm.max_children" = "256";
+ "pm.max_requests" = "500";
+ "pm.max_spare_servers" = "16";
+ "pm.min_spare_servers" = "2";
+ "pm.start_servers" = "8";
 };
 configureRedis = true;
@@ -122,6 +121,12 @@ with lib;
 };
 };
+ services.phpfpm.pools.nextcloud.settings = {
+ "pm.max_children" = lib.mkForce "256";
+ "pm.max_spare_servers" = lib.mkForce "16";
+ "pm.start_servers" = lib.mkForce "8";
+ };
+
 users.users.nextcloud.extraGroups = [ "postdrop" ];
 systemd.services.nextcloud-cron = {
diff --git a/nixos-modules/cloud/test.nix b/nixos-modules/cloud/test.nix
new file mode 100644
index 0000000..386dcba
--- /dev/null
+++ b/nixos-modules/cloud/test.nix
@@ -0,0 +1,36 @@
+{
+ ...
+}:
+{
+ # Note: This extends the default configuration from ${self}/checks/nixos-modules
+ nodes.webserver =
+ { pkgs, lib, ... }:
+ let
+ inherit (pkgs) curl gnugrep;
+ inherit (lib) mkForce;
+ cloud-domain = "cloud.example.com";
+ in
+ {
+ qois.cloud = {
+ enable = true;
+ domain = cloud-domain;
+ package = pkgs.nextcloud31;
+ adminpassFile = "${pkgs.writeText "adminpass" "insecure"}"; # Don't try this at home!
+ };
+
+ qois.postgresql.package = pkgs.postgresql;
+ sops.secrets = mkForce { };
+
+ # Disable TLS services
+ services.nginx.virtualHosts."${cloud-domain}" = {
+ forceSSL = mkForce false;
+ enableACME = mkForce false;
+ };
+
+ # Test environment
+ environment.systemPackages = [
+ curl
+ gnugrep
+ ];
+ };
+}
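Review bot: The `pm.max_children`, `pm.max_spare_servers` and `pm.start_servers` values are now set twice in nixos-modules/cloud/default.nix: once in `poolSettings` ("256", "16", "8") and again with `lib.mkForce` in `services.phpfpm.pools.nextcloud.settings` in the hunk at new line 121, while `pm.max_requests` and `pm.min_spare_servers` are only set in `poolSettings`. If the `mkForce` is needed because the nextcloud module applies its own priority to these keys, the `poolSettings` entries for them are dead; if it is not, the forced block silently wins over any later edit to `poolSettings`. Keep one source of truth and, if the force stays, add a why-comment such as `# mkForce: the nextcloud module sets these pm.* keys itself; override them here`. The rest of `services.nextcloud` continues outside the hunk.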
diff --git a/nixos-modules/cloud/test.py b/nixos-modules/cloud/test.py new file mode 100644 index 0000000..5e484b9 --- /dev/null +++ b/nixos-modules/cloud/test.py @@ -0,0 +1,34 @@ +def test(subtest, webserver): + webserver.wait_for_unit("nginx") + webserver.wait_for_open_port(80) + webserver.wait_for_unit("nextcloud-setup.service") + webserver.wait_for_unit("phpfpm-nextcloud.service") + + # Helpers + def curl_variable_test(node, variable, expected, url): + value = node.succeed( + f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'" + ) + assert value == expected, ( + f"expected {variable} to be '{expected}' but got '{value}'" + ) + + def expect_http_code(node, code, url): + curl_variable_test(node, "http_code", code, url) + + def expect_http_content_contains(node, expectedContentSnippet, url): + content = node.succeed(f"curl --no-location --silent '{url}'") + assert expectedContentSnippet in content, f""" + expected in content: + {expectedContentSnippet} + at {url} but got following content: + {content} + """ + + # Tests + with subtest("website is successfully served on cloud.example.com"): + webserver.succeed("grep cloud.example.com /etc/hosts") + expect_http_code(webserver, "200", "http://cloud.example.com") + expect_http_content_contains( + webserver, "Log in to cloud.qoo.is", "http://docs.example.com" + ) diff --git a/nixos-modules/static-page/README.md b/nixos-modules/static-page/README.md index 19469d9..19fce35 100644 --- a/nixos-modules/static-page/README.md +++ b/nixos-modules/static-page/README.md @@ -1,5 +1,5 @@ # Static Pages -This module enables static nginx sites, with data served from "/var/lib/nginx-$domain/root". +This module enables static nginx sites, with data served from "/var/lib/nginx/$domain/root". To deploy the site, a user `nginx-$domain` is added, of which a `root` profile in the home folder can be deployed, e.g. with deploy-rs. 
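Review bot: The last check in nixos-modules/cloud/test.py fetches `http://docs.example.com` and expects "Log in to cloud.qoo.is", while test.nix configures the virtual host as `cloud.example.com` and the preceding `grep` only asserts that name in /etc/hosts; both values look like leftovers from another test, and nothing shows docs.example.com being resolvable or served, so the subtest would fail for the wrong reason. Suggest `expect_http_content_contains(webserver, "Log in to cloud.example.com", "http://cloud.example.com")`, after confirming what the Nextcloud login page actually contains for this instance, since the expected snippet is not derivable from the diff. Minor style: `expectedContentSnippet` is camelCase in an otherwise snake_case file; `expected_content_snippet` would match `curl_variable_test`.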
diff --git a/packages/sops-config/default.nix b/packages/sops-config/default.nix
index 74e5c79..9655950 100644
--- a/packages/sops-config/default.nix
+++ b/packages/sops-config/default.nix
@@ -75,7 +75,7 @@ writeText ".sops.yaml" (
 # Secrets for all hosts
 {
- path_regex = "private/nixos-modules/shared-secrets/default\.sops\.(yaml|json|env|ini)$";
+ path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
 pgp = toCommaList userPgpKeys;
 age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
 }
diff --git a/private b/private
index 5f8ba20..bed7588 160000
--- a/private
+++ b/private
@@ -1 +1 @@
-Subproject commit 5f8ba2025848dd30539c42ef1f7e6c6f917e70d9
+Subproject commit bed7588246ec58aacac3d0ff5b191fa6cc9faa98
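Review bot: In `path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";` the `\.` escapes are consumed by the Nix double-quoted string before the text reaches .sops.yaml (Nix reduces `\.` to `.`), so the written rule is `secrets.sops.(yaml|json|env|ini)$` with each `.` matching any character; the old line had the same flaw, but the rule is being rewritten now. The pattern is also unanchored at the start, so any path ending in that suffix under another directory would be encrypted to every key in this rule, which per the comment and the `serverAgeKeys` line includes all hosts. Suggest `path_regex = "^private/nixos-configurations/secrets\\.sops\\.(yaml|json|env|ini)$";` plus a comment naming the one file the rule is meant to cover. The `creation_rules` list this entry belongs to continues outside the hunk.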