add blog (with webhooks)

This commit is contained in:
Dmitriy Kholkin 2023-04-25 17:27:42 +03:00
parent cfd65f1753
commit 4877390098
6 changed files with 130 additions and 25 deletions


@ -108,6 +108,7 @@
"ivpn.patch"
"ivpn-ui.patch"
"vaultwarden.patch"
"webhooks.patch"
];
channelsConfig = { allowUnfree = true; };
channels.unstable.input = nixpkgs;


@ -32,6 +32,7 @@ in {
nixosProfiles.cocalc
# nixosProfiles.neko-browser
nixosProfiles.openbooks
nixosProfiles.webhooks
nixosProfiles.yandex-db
nixosProfiles.it-tools

patches/webhooks.patch Normal file

@ -0,0 +1,28 @@
diff --git a/nixos/modules/services/networking/webhook.nix b/nixos/modules/services/networking/webhook.nix
index 2a78491941c..9e3c816021f 100644
--- a/nixos/modules/services/networking/webhook.nix
+++ b/nixos/modules/services/networking/webhook.nix
@@ -158,6 +158,11 @@ in {
default = {};
description = mdDoc "Extra environment variables passed to webhook.";
};
+ environmentFiles = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = mdDoc "Extra environment variables from files passed to webhook.";
+ };
};
};
@@ -201,7 +206,11 @@ in {
++ optional cfg.enableTemplates "-template"
++ optional cfg.verbose "-verbose"
++ cfg.extraArgs;
+ envFiles = concatMapStringsSep "\n" (envFile: "source " + envFile) cfg.environmentFiles;
in ''
+ set -a
+ ${envFiles}
+ set +a
${cfg.package}/bin/webhook ${escapeShellArgs args}
'';
serviceConfig = {
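Review bot: The new `environmentFiles` option inlines each path unescaped into the service script (`"source " + envFile`), and `source` executes the file as shell code rather than parsing KEY=VALUE pairs, so a path with whitespace breaks the script and any file listed is run verbatim as the webhook user. The NixOS-idiomatic form is `serviceConfig.EnvironmentFile = cfg.environmentFiles;`, which systemd parses without executing and which makes the added `set -a`/`set +a` lines unnecessary. If shell sourcing is intended (files using export syntax), wrap each path with `escapeShellArg` and make the contract explicit in the option: `description = mdDoc "Shell files sourced (under set -a) before webhook starts; must be valid shell, not plain KEY=VALUE.";`. The `let … in ''` that the second hunk patches begins outside the hunk.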


@ -67,7 +67,7 @@ in {
security = {
INSTALL_LOCK = true;
DISABLE_GIT_HOOKS = true;
DISABLE_WEBHOOKS = true;
DISABLE_WEBHOOKS = false;
IMPORT_LOCAL_PATHS = false;
PASSWORD_HASH_ALGO = "argon2";
SECRET_KEY_URI = "file:${config.secrets.gitea-secretkey.decrypted}";
@ -95,6 +95,9 @@ in {
ui = {
DEFAULT_THEME = "arc-green";
};
webhook = {
ALLOWED_HOST_LIST = "loopback, private, ataraxiadev.com, *.ataraxiadev.com";
};
};
};
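Review bot: The new `ALLOWED_HOST_LIST = "loopback, private, ataraxiadev.com, *.ataraxiadev.com"`, combined with flipping `DISABLE_WEBHOOKS` to false, re-enables webhook delivery to every loopback and private-range address, not only to the blog hook, so any repository owner who can create a webhook can make Gitea issue requests to internal services on this host and network. If the blog hook is delivered through the public vhost (this commit's nginx `/hooks` location proxies to 127.0.0.1:9010), `ataraxiadev.com, *.ataraxiadev.com` alone appears sufficient; if it must go straight to loopback, `loopback` without `private` is the narrower choice. A short comment recording why each entry exists would keep the list from growing unreviewed, e.g. `# webhook targets: blog hook behind ataraxiadev.com/hooks (see webhooks profile)`.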


@ -23,7 +23,6 @@ let
proxy_set_header X-authentik-uid $authentik_uid;
'' + rootExtraConfig;
} // root;
# all requests to /outpost.goauthentik.io must be accessible without authentication
"/outpost.goauthentik.io" = {
extraConfig = ''
proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io;
@ -35,7 +34,6 @@ let
proxy_set_header Content-Length "";
'';
};
# Special location for when the /auth endpoint returns a 401, redirect to the /start URL which initiates SSO
"@goauthentik_proxy_signin" = {
extraConfig = ''
internal;
@ -128,14 +126,6 @@ in {
add_header Referrer-Policy "strict-origin-when-cross-origin";
'';
in {
# "ataraxiadev.com" = default // authentik {
# root = { proxyPass = "http://127.0.0.1:3000"; };
# rootExtraConfig = ''
# if ($http_origin ~* "^https?://\w*\.?ataraxiadev\.com$") {
# add_header Access-Control-Allow-Origin "$http_origin";
# }
# '' + proxySettings;
# };
"ataraxiadev.com" = {
locations."/" = {
root = "/srv/http/ataraxiadev.com/docroot";
@ -143,6 +133,9 @@ in {
try_files $uri $uri/ =404;
'';
};
locations."/hooks" = {
proxyPass = "http://127.0.0.1:9010/hooks";
};
locations."/.well-known/matrix" = {
proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
extraConfig = ''
@ -222,12 +215,6 @@ in {
extraConfig = proxySettings;
};
} // default;
# "bathist.ataraxiadev.com" = {
# locations."/" = {
# proxyPass = "http://127.0.0.1:9999";
# extraConfig = proxySettings;
# };
# } // default;
"bathist.ataraxiadev.com" = default // authentik {
root = { proxyPass = "http://127.0.0.1:9999"; };
rootExtraConfig = proxySettings;
@ -318,14 +305,6 @@ in {
'' + proxySettings;
};
} // default;
# "microbin.ataraxiadev.com" = {
# locations."/" = {
# proxyPass = "http://127.0.0.1:9988";
# extraConfig = ''
# client_max_body_size 40M;
# '' + proxySettings;
# };
# } // default;
"joplin.ataraxiadev.com" = {
locations."/" = {
proxyPass = "http://127.0.0.1:22300";
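Review bot: The new `locations."/hooks"` block sets only `proxyPass`, whereas every other proxied location in this file also passes `extraConfig = proxySettings;` (the bathist and joplin blocks in this same diff), so the webhook daemon presumably receives no forwarded-client headers and logs every delivery as 127.0.0.1. That makes it hard to tell Gitea's signed deliveries apart from other traffic reaching the public `/hooks` path when reviewing logs. Adding `extraConfig = proxySettings;` to the block brings it in line with the rest of the file; since the hook accepts only HMAC-signed POSTs, `limit_except POST { deny all; }` in the same `extraConfig` would reject probes before they reach the daemon. The removed commented-out blocks are history and need no further action.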


@ -0,0 +1,93 @@
{ config, pkgs, lib, ... }:
let
blog-hook = pkgs.writeShellApplication {
name = "blog-hook";
runtimeInputs = with pkgs; [ git hugo openssh go ];
text = ''
git pull
hugo -d ../docroot
'';
};
in {
secrets.webhook-blog.owner = "webhook";
persist.state.directories = [ "/var/lib/webhook" ];
users.users.webhook = {
description = "Webhook daemon user";
isSystemUser = true;
group = "webhook";
createHome = true;
home = "/var/lib/webhook";
};
services.webhook = {
enable = true;
port = 9010;
group = "webhook";
user = "webhook";
environmentFiles = [
config.secrets.webhook-blog.decrypted
];
hooksTemplated = {
publish-ataraxiadev-blog = ''
{
"id": "ataraxiadev-blog",
"execute-command": "${blog-hook}/bin/blog-hook",
"command-working-directory": "/srv/http/ataraxiadev.com/gitrepo",
"trigger-rule":
{
"and":
[
{
"match":
{
"type": "payload-hmac-sha256",
"secret": "{{ getenv "HOOK_BLOG_SECRET" | js }}",
"parameter":
{
"source": "header",
"name": "X-Gitea-Signature"
}
}
},
{
"match":
{
"type": "value",
"value": "refs/heads/master",
"parameter":
{
"source": "payload",
"name": "ref"
}
}
}
]
}
}
'';
};
};
# services.caddy = {
# enable = true;
# email = "needed@for.acme";
# virtualHosts = {
# "${config.networking.hostName}.${config.networking.domain}" = {
# extraConfig = ''
# route /hooks/* {
# # no uri manipulation, path /hooks/ on webhook service as well
# reverse_proxy http://localhost:9000;
# }
# '';
# };
# "hugo.site" = {
# extraConfig = ''
# root * /srv/http/ataraxiadev.com/docroot
# file_server
# '';
# };
# };
# };
}
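Review bot: `blog-hook` runs `git pull` and `hugo -d ../docroot` in `/srv/http/ataraxiadev.com/gitrepo` as the `webhook` user, but nothing in this file makes that checkout or `../docroot` writable by that user or pins which branch the checkout tracks, so the `refs/heads/master` trigger rule only guarantees that master was pushed, not that master is what gets built; presumably this is arranged elsewhere, and a header comment stating it would save the next reader the search, e.g. `# Requires: gitrepo and docroot owned by user webhook; gitrepo checkout tracking master; HOOK_BLOG_SECRET in config.secrets.webhook-blog`. The same comment should say that the hook is reachable without authentication and relies entirely on the `payload-hmac-sha256` match against `X-Gitea-Signature`, so the secret file is the only thing gating a site rebuild. The trailing commented-out `services.caddy` block (apparently copied from an example, it references `hugo.site` and port 9000) is dead configuration in a brand-new file and should be dropped rather than carried in. The rendered section shows 89 lines against the header's 93, so some blank lines were lost in rendering.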