Compare commits
23 commits
test-cloud
...
main
Author | SHA1 | Date | |
---|---|---|---|
1c98a3a704 | |||
3cac920bff | |||
8790efa9c7 | |||
e955cfc61c | |||
eb82809aac | |||
fd211eff84 | |||
3b5abde73d | |||
78afd3ecb7 | |||
e2ff429bcc | |||
2866526d20 | |||
525bce9cee | |||
2ddc256314 | |||
afc2be57f5 | |||
e76a4f04cc | |||
3295f6f128 | |||
15a3bd940b | |||
415e6d05f6 | |||
bf04053c50 | |||
ff14c25752 | |||
1b47c7a057 | |||
87e85c370b | |||
c047a5b4ed | |||
9d873d82c7 |
18 changed files with 64 additions and 143 deletions
14
.github/workflows/ci.yml
vendored
14
.github/workflows/ci.yml
vendored
|
@ -45,3 +45,17 @@ jobs:
|
|||
lfs: false
|
||||
- name: "Deploy profile"
|
||||
run: "auto-deploy ${{ matrix.profile }}"
|
||||
deploy-ci:
|
||||
needs: deploy
|
||||
if: success() && github.ref == 'refs/heads/main'
|
||||
runs-on: nix
|
||||
env:
|
||||
SSH_DEPLOY_KEY: "${{ secrets.SSH_DEPLOY_KEY }}"
|
||||
steps:
|
||||
- name: Initialize CI
|
||||
uses: https://git.qo.is/qo.is/actions-nix-init@main
|
||||
with:
|
||||
token: ${{ secrets.CI_TOKEN }}
|
||||
lfs: false
|
||||
- name: "Deploy profile"
|
||||
run: "auto-deploy system-ci"
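Review bot: The new `deploy-ci` job references `actions-nix-init@main`, a mutable branch, while the job holds `SSH_DEPLOY_KEY` and passes `CI_TOKEN` to that action, so any later push to the action's `main` runs with both secrets in reach. Pinning to a full commit, `uses: https://git.qo.is/qo.is/actions-nix-init@<COMMIT_SHA>` (placeholder), makes what runs here reviewable. Unless the init action itself consumes the key, `SSH_DEPLOY_KEY` should also move from the job-level `env:` to an `env:` on the "Deploy profile" step. The context lines suggest the existing `deploy` job follows the same pattern, but its definition starts outside this hunk.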
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
},
|
||||
"lindberg-webapps": {
|
||||
"hostName": "lindberg-webapps",
|
||||
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJT99lj5OI+V1PlZl/T2ikBORwMiXjDfWpHYfq/GvUM5"
|
||||
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIByESy+XiBT8/PoE8DUB388B5MA6LVcJBgH1ZgYxr9Mg"
|
||||
},
|
||||
"batzberg": {
|
||||
"hostName": "batzberg"
|
||||
|
|
59
flake.lock
generated
59
flake.lock
generated
|
@ -23,15 +23,15 @@
|
|||
"disko": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs-nixos-stable"
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1749200714,
|
||||
"narHash": "sha256-W8KiJIrVwmf43JOPbbTu5lzq+cmdtRqaNbOsZigjioY=",
|
||||
"lastModified": 1751854533,
|
||||
"narHash": "sha256-U/OQFplExOR1jazZY4KkaQkJqOl59xlh21HP9mI79Vc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "17d08c65c241b1d65b3ddf79e3fac1ddc870b0f6",
|
||||
"rev": "16b74a1e304197248a1bc663280f2548dbfcae3c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -81,11 +81,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1747372754,
|
||||
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
|
||||
"lastModified": 1750779888,
|
||||
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
|
||||
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -131,34 +131,18 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-nixos-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1748995628,
|
||||
"narHash": "sha256-bFufQGSAEYQgjtc4wMrobS5HWN0hDP+ZX+zthYcml9U=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8eb3b6a2366a7095939cd22f0dc0e9991313294b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-24.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1749143949,
|
||||
"narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=",
|
||||
"lastModified": 1751741127,
|
||||
"narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d",
|
||||
"rev": "29e290002bfff26af1db6f64d070698019460302",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"ref": "nixos-25.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -170,10 +154,10 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1747599024,
|
||||
"narHash": "sha256-qc94Cyt6uaQCVY2VlCtNxGb7hs3DbLvxuhEnSLFL8T8=",
|
||||
"rev": "bed7588246ec58aacac3d0ff5b191fa6cc9faa98",
|
||||
"revCount": 17,
|
||||
"lastModified": 1749920008,
|
||||
"narHash": "sha256-wn3U2q/+OQYErVyoY9kwZP/fXcDG4ewhJkHX7qHzq8g=",
|
||||
"rev": "5f8ba2025848dd30539c42ef1f7e6c6f917e70d9",
|
||||
"revCount": 19,
|
||||
"type": "git",
|
||||
"url": "file:./private"
|
||||
},
|
||||
|
@ -188,7 +172,6 @@
|
|||
"disko": "disko",
|
||||
"git-hooks-nix": "git-hooks-nix",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-nixos-stable": "nixpkgs-nixos-stable",
|
||||
"private": "private",
|
||||
"sops-nix": "sops-nix",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
|
@ -201,11 +184,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1747603214,
|
||||
"narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
|
||||
"lastModified": 1751606940,
|
||||
"narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
|
||||
"rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -236,11 +219,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1749194973,
|
||||
"narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=",
|
||||
"lastModified": 1750931469,
|
||||
"narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5",
|
||||
"rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -5,8 +5,7 @@
|
|||
extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=";
|
||||
};
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
|
||||
|
||||
treefmt-nix = {
|
||||
url = "github:numtide/treefmt-nix";
|
||||
|
@ -24,7 +23,7 @@
|
|||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
disko = {
|
||||
url = "github:nix-community/disko";
|
||||
inputs.nixpkgs.follows = "nixpkgs-nixos-stable";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
private.url = "git+file:./private";
|
||||
private.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -59,7 +58,7 @@
|
|||
inherit (inputs)
|
||||
deploy-rs
|
||||
disko
|
||||
nixpkgs-nixos-stable
|
||||
nixpkgs
|
||||
sops-nix
|
||||
private
|
||||
git-hooks-nix
|
||||
|
|
|
@ -16,5 +16,5 @@
|
|||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "24.11"; # Did you read the comment?
|
||||
system.stateVersion = "25.05"; # Did you read the comment?
|
||||
}
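Review bot: `system.stateVersion` appears to be raised from "24.11" to "25.05" here, which is what the comment directly above it warns against: the value is meant to stay at the release of the first install, and changing it switches the defaults of stateful services rather than upgrading anything. Unless this host was freshly installed on 25.05, keep `system.stateVersion = "24.11"; # Did you read the comment?` and let the `nixpkgs` input bump carry the upgrade. The same change is repeated in the five other `@ -N,5 +N,5 @` stateVersion hunks of this comparison, and the point applies to each. The enclosing module starts outside the hunk.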
|
||||
|
|
|
@ -23,5 +23,5 @@
|
|||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "24.11"; # Did you read the comment?
|
||||
system.stateVersion = "25.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
{
|
||||
self,
|
||||
pkgs,
|
||||
nixpkgs-nixos-stable,
|
||||
nixpkgs,
|
||||
...
|
||||
}@inputs:
|
||||
let
|
||||
inherit (pkgs.lib) genAttrs;
|
||||
inherit (nixpkgs-nixos-stable.lib) nixosSystem;
|
||||
inherit (nixpkgs.lib) nixosSystem;
|
||||
configs = self.lib.foldersWithNix ./.;
|
||||
in
|
||||
genAttrs configs (
|
||||
|
|
|
@ -19,5 +19,5 @@
|
|||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "24.11"; # Did you read the comment?
|
||||
system.stateVersion = "25.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -46,5 +46,5 @@
|
|||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "24.11"; # Did you read the comment?
|
||||
system.stateVersion = "25.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -19,5 +19,5 @@
|
|||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "24.11"; # Did you read the comment?
|
||||
system.stateVersion = "25.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
disko.devices.disk = {
|
||||
system = {
|
||||
type = "disk";
|
||||
device = "/dev/vda";
|
||||
device = "/dev/vdb";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
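Review bot: The disk target is a kernel enumeration name (`/dev/vda`, now `/dev/vdb`), which is not guaranteed to stay the same when virtual disks are added or reordered, and disko applies its layout to whatever sits at that path when it is run. A persistent identifier is safer, e.g. `device = "/dev/disk/by-id/<DISK_ID>";` (placeholder for the host's real id). If the letter change reflects a second disk being attached to this VM, a one-line comment saying so would help the next reader. The `disko.devices.disk` attribute set continues outside the hunk.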
|
||||
|
|
|
@ -24,5 +24,5 @@
|
|||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "24.11"; # Did you read the comment?
|
||||
system.stateVersion = "25.05"; # Did you read the comment?
|
||||
}
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
options,
|
||||
...
|
||||
}:
|
||||
|
||||
|
@ -31,10 +30,6 @@ with lib;
|
|||
"nextcloud30"
|
||||
];
|
||||
};
|
||||
|
||||
adminpassFile = options.services.nextcloud.config.adminpassFile // {
|
||||
default = config.sops.secrets."nextcloud/admin".path;
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
@ -64,7 +59,7 @@ with lib;
|
|||
database.createLocally = true;
|
||||
|
||||
config = {
|
||||
inherit (cfg) adminpassFile;
|
||||
adminpassFile = config.sops.secrets."nextcloud/admin".path;
|
||||
adminuser = "root";
|
||||
dbtype = "pgsql";
|
||||
};
|
||||
|
@ -88,16 +83,22 @@ with lib;
|
|||
};
|
||||
|
||||
phpOptions = {
|
||||
"opcache.interned_strings_buffer" = "23";
|
||||
"opcache.interned_strings_buffer" = "64";
|
||||
"opcache.memory_consumption" = "512";
|
||||
"opcache.save_comments" = "1";
|
||||
"opcache.max_accelerated_files" = "50000";
|
||||
"opcache.fast_shutdown" = "1";
|
||||
"opcache.jit" = "1255";
|
||||
"opcache.jit_buffer_size" = "8M";
|
||||
};
|
||||
|
||||
poolSettings = {
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = "256";
|
||||
"pm.max_requests" = "500";
|
||||
"pm.max_spare_servers" = "16";
|
||||
"pm.min_spare_servers" = "2";
|
||||
"pm.start_servers" = "8";
|
||||
"pm.max_children" = "480";
|
||||
"pm.max_requests" = "2000";
|
||||
"pm.max_spare_servers" = "72";
|
||||
"pm.min_spare_servers" = "24";
|
||||
"pm.start_servers" = "48";
|
||||
};
|
||||
|
||||
configureRedis = true;
|
||||
|
@ -121,12 +122,6 @@ with lib;
|
|||
};
|
||||
};
|
||||
|
||||
services.phpfpm.pools.nextcloud.settings = {
|
||||
"pm.max_children" = lib.mkForce "256";
|
||||
"pm.max_spare_servers" = lib.mkForce "16";
|
||||
"pm.start_servers" = lib.mkForce "8";
|
||||
};
|
||||
|
||||
users.users.nextcloud.extraGroups = [ "postdrop" ];
|
||||
|
||||
systemd.services.nextcloud-cron = {
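Review bot: The new `poolSettings` raise `"pm.max_children"` to "480" (the previous value and the removed `mkForce` block both say "256") with no sizing rationale in the file. Each PHP-FPM child can grow towards the PHP memory limit and may hold its own PostgreSQL connection, so a burst of requests can now push the host into memory pressure or exhaust database connections. Whether that is reachable depends on the host's RAM and PostgreSQL's `max_connections`, neither of which is visible here. I would add a comment above the block such as `# sized for <RAM> GiB: max_children * per-worker RSS must stay below RAM minus PostgreSQL/Redis` and confirm the connection limit covers the pool. The surrounding `config` block starts and ends outside these hunks.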
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
{
|
||||
...
|
||||
}:
|
||||
{
|
||||
# Note: This extends the default configuration from ${self}/checks/nixos-modules
|
||||
nodes.webserver =
|
||||
{ pkgs, lib, ... }:
|
||||
let
|
||||
inherit (pkgs) curl gnugrep;
|
||||
inherit (lib) mkForce;
|
||||
cloud-domain = "cloud.example.com";
|
||||
in
|
||||
{
|
||||
qois.cloud = {
|
||||
enable = true;
|
||||
domain = cloud-domain;
|
||||
package = pkgs.nextcloud31;
|
||||
adminpassFile = "${pkgs.writeText "adminpass" "insecure"}"; # Don't try this at home!
|
||||
};
|
||||
|
||||
qois.postgresql.package = pkgs.postgresql;
|
||||
sops.secrets = mkForce { };
|
||||
|
||||
# Disable TLS services
|
||||
services.nginx.virtualHosts."${cloud-domain}" = {
|
||||
forceSSL = mkForce false;
|
||||
enableACME = mkForce false;
|
||||
};
|
||||
|
||||
# Test environment
|
||||
environment.systemPackages = [
|
||||
curl
|
||||
gnugrep
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
def test(subtest, webserver):
|
||||
webserver.wait_for_unit("nginx")
|
||||
webserver.wait_for_open_port(80)
|
||||
webserver.wait_for_unit("nextcloud-setup.service")
|
||||
webserver.wait_for_unit("phpfpm-nextcloud.service")
|
||||
|
||||
# Helpers
|
||||
def curl_variable_test(node, variable, expected, url):
|
||||
value = node.succeed(
|
||||
f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'"
|
||||
)
|
||||
assert value == expected, (
|
||||
f"expected {variable} to be '{expected}' but got '{value}'"
|
||||
)
|
||||
|
||||
def expect_http_code(node, code, url):
|
||||
curl_variable_test(node, "http_code", code, url)
|
||||
|
||||
def expect_http_content_contains(node, expectedContentSnippet, url):
|
||||
content = node.succeed(f"curl --no-location --silent '{url}'")
|
||||
assert expectedContentSnippet in content, f"""
|
||||
expected in content:
|
||||
{expectedContentSnippet}
|
||||
at {url} but got following content:
|
||||
{content}
|
||||
"""
|
||||
|
||||
# Tests
|
||||
with subtest("website is successfully served on cloud.example.com"):
|
||||
webserver.succeed("grep cloud.example.com /etc/hosts")
|
||||
expect_http_code(webserver, "200", "http://cloud.example.com")
|
||||
expect_http_content_contains(
|
||||
webserver, "Log in to cloud.qoo.is", "http://docs.example.com"
|
||||
)
|
|
@ -1,5 +1,5 @@
|
|||
# Static Pages
|
||||
|
||||
This module enables static nginx sites, with data served from "/var/lib/nginx/$domain/root".
|
||||
This module enables static nginx sites, with data served from "/var/lib/nginx-$domain/root".
|
||||
|
||||
To deploy the site, a user `nginx-$domain` is added, of which a `root` profile in the home folder can be deployed, e.g. with deploy-rs.
|
||||
|
|
|
@ -75,7 +75,7 @@ writeText ".sops.yaml" (
|
|||
|
||||
# Secrets for all hosts
|
||||
{
|
||||
path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
|
||||
path_regex = "private/nixos-modules/shared-secrets/default\.sops\.(yaml|json|env|ini)$";
|
||||
pgp = toCommaList userPgpKeys;
|
||||
age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
|
||||
}
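Review bot: In the new `path_regex` the `\.` sequences sit inside a Nix double-quoted string, where, as far as I know, a backslash before `.` is simply dropped, so the generated rule most likely contains bare `.` wildcards and matches more file names than intended. Writing `path_regex = "private/nixos-modules/shared-secrets/default\\.sops\\.(yaml|json|env|ini)$";` keeps the dots literal in the emitted `.sops.yaml`. This rule encrypts to every user and server key, so it is worth keeping its match as narrow as the comment "Secrets for all hosts" implies. The replaced line had the same form, so other rules in this list, which starts outside the hunk, probably need the same change.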
|
||||
|
|
2
private
2
private
|
@ -1 +1 @@
|
|||
Subproject commit bed7588246ec58aacac3d0ff5b191fa6cc9faa98
|
||||
Subproject commit 5f8ba2025848dd30539c42ef1f7e6c6f917e70d9
|