pennyworth: host dk-stage.yori.cc with rsync deploy key
parent
d898d87210
commit
8b39e5e7bb
|
@ -17,6 +17,7 @@ in {
|
||||||
imports = [
|
imports = [
|
||||||
./hetznercloud.nix
|
./hetznercloud.nix
|
||||||
../../roles/server.nix
|
../../roles/server.nix
|
||||||
|
../../roles/datakami.nix
|
||||||
../../services/backup.nix
|
../../services/backup.nix
|
||||||
../../services/email.nix
|
../../services/email.nix
|
||||||
];
|
];
|
||||||
|
@ -110,5 +111,6 @@ in {
|
||||||
weechat
|
weechat
|
||||||
ripgrep
|
ripgrep
|
||||||
];
|
];
|
||||||
|
nix.settings.allowed-users = [ "@wheel" ];
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
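Review bot: `nix.settings.allowed-users = [ "@wheel" ];` in the second hunk has no comment saying why it arrives with this commit, whose title only mentions the dk-stage host. If the intent is to keep the new key-only `dk-stage` account from talking to the Nix daemon, which is only inferred here, say so above the line, e.g. `# only wheel may use the nix daemon; the dk-stage deploy user must not`. The enclosing attribute set starts outside the hunk.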
@ -0,0 +1,33 @@
|
||||||
|
{ lib, ... }: {
|
||||||
|
systemd.services.nginx.serviceConfig = {
|
||||||
|
ProtectHome = "tmpfs";
|
||||||
|
UMask = lib.mkForce "0022";
|
||||||
|
BindReadOnlyPaths = [ "/home/dk-stage/out" ];
|
||||||
|
};
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /home/dk-stage 755 dk-stage dk-stage"
|
||||||
|
"d /home/dk-stage/out 755 dk-stage dk-stage"
|
||||||
|
];
|
||||||
|
users.users.dk-stage = {
|
||||||
|
home = "/home/dk-stage";
|
||||||
|
group = "dk-stage";
|
||||||
|
useDefaultShell = true;
|
||||||
|
isSystemUser = true;
|
||||||
|
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [
|
||||||
|
''command="rsync --server -logDtprcze.iLsfxCIvu --log-format=X --delete --partial . out/" ${dk-stage-deploy}''
|
||||||
|
];
|
||||||
|
createHome = false; # sets wrong permissions
|
||||||
|
};
|
||||||
|
users.groups.dk-stage = { };
|
||||||
|
services.nginx.virtualHosts."dk-stage.yori.cc" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations."/" = {
|
||||||
|
root = "/home/dk-stage/out";
|
||||||
|
index = "index.html";
|
||||||
|
extraConfig = ''
|
||||||
|
error_page 404 /404.html;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
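Review bot: The `openssh.authorizedKeys.keys` entry for `dk-stage-deploy` pins the command but sets no other key options, so the key can still request port, agent and X11 forwarding or a pty. A forced command only replaces what the session executes. Add `restrict,` in front of `command=` so the entry begins `''restrict,command="rsync --server`; this needs OpenSSH 7.2 or later on the host. Separately, the rsync flags preserve symlinks and nginx serves `/home/dk-stage/out` exactly as uploaded, so a link in the upload may resolve outside the site root to anything the nginx user can read. Adding `disable_symlinks on from=$document_root;` to the `extraConfig` of `locations."/"` would confine what is served to the uploaded tree.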
@ -8,4 +8,5 @@
|
||||||
lars = [
|
lars = [
|
||||||
"ssh-rsa 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"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbieYUtRGQ4nf4glQvrZDn72doP6W2uw2z9VqFq5sZLROXYa4jW8nwx4h+BiArGs+VPwn6lfsP19PX6yNIk74C/SkO26S1Zvbe7ffNusi6PH2BQIOWeAYKk+eZH+ZOeD8z07uDB7QffwRLwzSaPFg+zfRzsMFoXH/GE9qOQ4lnfk8czTZL7zbZf/yS7mDFztClXFciYsVwgRXNiFpfc+9mOkU0oBWtGo/WGUhB0Hds3a4ylyjjVAcC/l1H2bvc/Q3d6bbn23pUFl2V78Yg1B4b1MT34qbBV6whXAQd7KM9tND2ZhpF2XQ7Spi1QlOac0jup+sE+3bbvcjNqTI05DwJO/dX5F2gSAFkvSY4ZPqSX5ilE/hj4DQuhRgLmQdbVl5IFV9aLYqUvJcCqX9jRFMly4YTFXsFz18rGkxOYGZabcE1usBM2zRVDTtEP6Si5ii76Ocvp8aNFBB2Kf1whg8tziTv3kQEQ9fd2sRtE2J3xveJiwXjUBU2uikSOKe8JP47Tb6PYlv7Ty/6OI51aUQn++R72VNajdBJ1r1osp7leqTJ+sXuLlWLo/a7lDpDmgEI7dbxqmpjLcMce0JzqLKlP1Q2U/nkYy86xkjSTH1rNUI2JAbJx3iTcGy7bq12yfjNfcGAqY4GVXvisK1cpbF0RCjaFExwtmzorljHh6ZHjQ=="
|
||||||
];
|
];
|
||||||
|
dk-stage-deploy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHevKDi9QRssz0gUWGMg/s6SLU9mAdwvZDTbrD7EXoII";
|
||||||
}
|
}
|
||||||
|
|