From 9305d44fdedc9e3bc9fe227ce6792472f05c2e20 Mon Sep 17 00:00:00 2001
From: colin
Date: Thu, 13 Oct 2022 17:52:43 -0700
Subject: [PATCH] servo: add freshrss service
---
 machines/servo/services/default.nix | 1 +
 machines/servo/services/freshrss.nix | 15 +++++++++++++++
 machines/servo/services/nginx.nix | 6 ++++++
 modules/universal/allocations.nix | 3 +++
 secrets/servo.yaml | 5 +++--
 5 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 machines/servo/services/freshrss.nix
diff --git a/machines/servo/services/default.nix b/machines/servo/services/default.nix
index 9bbcbe92..d51e5dea 100644
--- a/machines/servo/services/default.nix
+++ b/machines/servo/services/default.nix
@@ -2,6 +2,7 @@
 {
 imports = [
 ./ddns-he.nix
+ ./freshrss.nix
 ./gitea.nix
 ./ipfs.nix
 ./jackett.nix
diff --git a/machines/servo/services/freshrss.nix b/machines/servo/services/freshrss.nix
new file mode 100644
index 00000000..099eb8d7
--- /dev/null
+++ b/machines/servo/services/freshrss.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+{
+ sops.secrets.freshrss_passwd = {
+ sopsFile = ../../../secrets/servo.yaml;
+ owner = config.users.users.freshrss.name;
+ mode = "400";
+ };
+
+ users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
+ users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
+ services.freshrss.enable = true;
+ services.freshrss.baseUrl = "https://rss.uninsane.org";
+ services.freshrss.virtualHost = "rss.uninsane.org";
+ services.freshrss.passwordFile = config.sops.secrets.freshrss_passwd.path;
+}
diff --git a/machines/servo/services/nginx.nix b/machines/servo/services/nginx.nix
index 511cc193..69d3f9fc 100644
--- a/machines/servo/services/nginx.nix
+++ b/machines/servo/services/nginx.nix
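Review bot: In the new freshrss.nix the hostname `rss.uninsane.org` is spelled out in both `baseUrl` and `virtualHost`, and a third time in nginx.nix, so the values can drift apart on a later rename. Deriving one from the other, e.g. `services.freshrss.baseUrl = "https://${config.services.freshrss.virtualHost}";`, keeps the advertised URL and the served vhost in step. The file also has no comment saying where TLS for the vhost is set up; nginx.nix points here but not the reverse, so a line such as `# TLS and ACME for this vhost are configured in ./nginx.nix` would help. `lib` is taken as a module argument but is not used anywhere in the file.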
@@ -223,6 +223,12 @@ locations."/".proxyPass = "http://127.0.0.1:4533"; }; + services.nginx.virtualHosts."rss.uninsane.org" = { + addSSL = true; + enableACME = true; + # the routing is handled by freshrss.nix + }; + services.nginx.virtualHosts."ipfs.uninsane.org" = { # don't default to ssl upgrades, since this may be dnslink'd from a different domain. # ideally we'd disable ssl entirely, but some places assume it? diff --git a/modules/universal/allocations.nix b/modules/universal/allocations.nix index bf1dc2d1..4a51afcc 100644 --- a/modules/universal/allocations.nix +++ b/modules/universal/allocations.nix @@ -23,6 +23,9 @@ in sane.allocations.greeter-uid = mkId 999; sane.allocations.greeter-gid = mkId 999; + sane.allocations.freshrss-uid = mkId 2401; + sane.allocations.freshrss-gid = mkId 2401; + sane.allocations.colin-uid = mkId 1000; sane.allocations.guest-uid = mkId 1100; diff --git a/secrets/servo.yaml b/secrets/servo.yaml index 3cd9fb03..ff7fba6e 100644 --- a/secrets/servo.yaml +++ b/secrets/servo.yaml 
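Review bot: In the new `rss.uninsane.org` vhost in nginx.nix, `addSSL = true;` enables HTTPS in addition to plain HTTP, so the FreshRSS login form and session cookie stay reachable over an unencrypted connection. freshrss.nix in this same commit sets the base URL to https, and the dnslink reason given in the comment on the ipfs vhost just below does not appear to apply to this host. `forceSSL = true;` in place of `addSSL = true;` would redirect HTTP requests to HTTPS. If plain HTTP is intentional here, a one-line comment stating why would save the next reader the question.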
@@ -7,6 +7,7 @@ wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2H #ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment] #ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment] dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str] +freshrss_passwd: ENC[AES256_GCM,data:MilteAOk+MZjta+E7Zhxq80y,iv:VigZk0nNHvQNlm36jVN5YXY7bhxmx2CFBizbVFCA8O0=,tag:DKsxGsv53SsJsp3J7UIsgg==,type:str] #ENC[AES256_GCM,data:1zQ8X9W4ZGquYEjEsN8YNLhwBt6kaRCKYMjM8GiZbKzsaqwt/cFk+4cC85+QKWF0FNlX38Uba7bI2FvC8fTIO8eoZ5VymJ9Du3NcExE1976FSIze44FhtkSKQkm/vQw5cb2sPNKBGFLSNV/IpdPu,iv:xwv2+Fns0k2STkS760v9p1XZ5s2HAz3wLb8xyIOGTGA=,tag:OGtHxQgyWxGKtg5I9nJAag==,type:comment] nix_serve_privkey: ENC[AES256_GCM,data:JlLuslwyjKARo3Mo36SeRz6ctVuV+jzDMXACekaGs/UjP+Jm8PoxZsWjMcN+qq0tJB9xGMfi7TKHDi+XnK2k60h+7+yDyeqJQfjID6axMYmgxYUivq4CugutFVB27FmDPljUs2M7CRqe1IHrdjc=,iv:1iQVr9rP80hHCRSVD95KW7bpOWj3oZReJAvqa9TllJ8=,tag:6DDGtHF4suOyy2kcnqSDsQ==,type:str] #ENC[AES256_GCM,data:cyptbs4VfXY4P4+W5e2LRZOHkpqvWzn2JEpV80w8cIaQ0lTZa/Hg7IwDNQcsYobmBFO2yLrKawHDKlDos2fMy0KgIhUrw4f8WksxdC06oMqS0mDtgA==,iv:StB34bvA8GWR+7nwOOpsiJ3yqGgeSg5frAgRMhff8nw=,tag:b1LYFzII2Ik1nmGXxgMZuw==,type:comment] 
@@ -46,8 +47,8 @@ sops: U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-06-10T08:38:03Z" - mac: ENC[AES256_GCM,data:DroE9KGyV6hba0aPVYmwxpL8yXDa+AFsjyF5ttImW5bKzE9EM2I76APoGOyvOnnnbBRrOditWXA2HQzhf4M/7hq0CmLLph1J3I8xgEsaiJiExaKZQpQTBS/ZAHeygR/fvRcMmAY9VZRubv1iQ94rDkZ3C3UJ+8SMuwpdmdlaPYc=,iv:KkY0Kmd02QYx0Ds0LUY9tXz+AayKj6Y5p/rUO8sLYCc=,tag:gZDe+GOw2ULJ1yHONlt7bw==,type:str] + lastmodified: "2022-10-14T00:37:52Z" + mac: ENC[AES256_GCM,data:qKr1aKWxuJWwjUYX+JWAdwHFAwApHm9hOYBgZxAIXbXHhOo04K1MFBDTsAvtvN1a11QtCJYDNuVNpuRu3bf/5Ji5ROTaKfQCgPk+ZScJuWpLsxchYV+TnlREwQI+qgvogyMKMlPInozgd7RNnsePdg7DtYFfGMAvUtX9OidxAXI=,iv:EAkNQkIqoXtRy+uSb7ccl9T5b6hiyRll/m76nhir9AI=,tag:kCDEBJDW34VgLQPd4V+uYA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3