Affine

Author: rien

machines/chaos/default.nix

@@ -53,7 +53,10 @@
   custom = {
     sshd.enable = true;
     bash.enable = true;
-    docker.enable = true;
+    docker = {
+      enable = true;
+      storageDriver = "zfs";
+    };
     dwarffortress.enable = false;
     git.enable = true;
     gnupg.enable = true;

machines/space/default.nix

@@ -66,12 +66,20 @@ in
     autoupgrade.enable = true;
     autoupgrade.allowReboot = true;
 
+    docker.enable = true;
     bash.enable = true;
     neovim.enable = true;
     sshd.enable = true;
 
     tailscale.enable = true;
 
+    affine = {
+      enable = true;
+      hostname = "affine.rxn.be";
+      version = "v0.22.4";
+      hash = "sha256-0P4ARWXejLshpgIuTKR/BSAGKG0DDz4dxboCyGOaH7A=";
+    };
+
     actual = {
       enable = false;
       basicAuthFile = "/run/agenix/actual-auth";

machines/space/postfix-sasl.age

@@ -1,8 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 DBh0Pw joYkkNlATYOieN0I2iwLnvOTgfgcWhseGKiYUFPLWWY
-wOd5PL/6m2ehMIP3OQt+8f9cptJ3zC32Cd6iE5RF8Do
--> ssh-ed25519 Wam86A j7tveTvyPXjkPWhPfpm7DH8r4Li+UM3EMvrr70NALG8
-NfQdZselJCKQM7WvvgNiI6YZdUfxSvJ7LWJaYf/ptaI
---- 1BO5qeIjyRMYY7bcmDBDmU/w8D+TwbqAOJmzBZ5iEKs
-����`�[�6v���/���~������E��ķ/yF�sИ���[�~~@|���
-{
{�gE�
+-> ssh-ed25519 DBh0Pw +Up6vR3BunnB7By1jQadmQ9Cp6DHPy6p2oO1EHhWbTM
+iC1OkWG2E4JWdeAsHBECCHJGrdxKmXuKZmryWF0aLMQ
+-> ssh-ed25519 Wam86A EbsB3xUu2aWP+E28Ib3M0spyeBDlKUGxVxagQj32S0k
+ZR4CSETwhBd0c6wx3w7jwMD6M0YO62dkdzQAnSPq2E0
+--- l6taRi0o86nFepdsyHwsNuF3eeau5vCPiV3vMxTAJZk
+C������������whB�W:�����^���{�ٛ@�"��CD��7!�b����
+��)��

machines/space/static-sites.nix

@@ -25,21 +25,6 @@ in {
         locations."/" = {
           return = "200 \"\\n███████╗    ██████╗      █████╗      ██████╗    ███████╗\\n██╔════╝    ██╔══██╗    ██╔══██╗    ██╔════╝    ██╔════╝\\n███████╗    ██████╔╝    ███████║    ██║         █████╗\\n╚════██║    ██╔═══╝     ██╔══██║    ██║         ██╔══╝\\n███████║    ██║         ██║  ██║    ╚██████╗    ███████╗\\n╚══════╝    ╚═╝         ╚═╝  ╚═╝     ╚═════╝    ╚══════╝\\n\"";
         };
-        locations."/hupseflupse/" = {
-          basicAuthFile = "/run/agenix/static-sites-auth";
-          alias = "/srv/webhost/rxn.be/";
-        };
-        locations."/weday" = {
-          return = "302 https://ugent.qualtrics.com/jfe/form/SV_1zUwuxySVuSntfU";
-        };
-        locations."/iticse" = {
-          return = "302 https://drive.google.com/file/d/1_PJbr7Lq8MfSSTcYtjkxxf3M0QPoCdfW/view?usp=sharing
-";
-        };
-        locations."/wedaypres".return = "302 https://ugentbe-my.sharepoint.com/:p:/g/personal/rien_maertens_ugent_be/EXWlCsoB6rZEgaa5qeSYU3MBgb4lsNIhaYsCLgqmWWMgJQ?e=6AARfM";
-        locations."/brief" = {
-          return = "302 https://theatervolta.be/weekend/brief";
-        };
       };
       "rien.rxn.be" = {
         useACMEHost = "rxn.be";

modules/affine/default.nix

@@ -0,0 +1,87 @@
+{ config, pkgs, lib, util, ... }:
+
+let cfg = config.custom.affine;
+in {
+  options.custom.affine = {
+    enable = lib.mkEnableOption "Affine Server";
+
+    hostname = lib.mkOption {
+      example = "example.com";
+    };
+
+    version = lib.mkOption {
+      example = "v0.22.4";
+    };
+
+    hash = lib.mkOption {
+      example = "";
+    };
+
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 3010;
+    };
+
+    backupLocation = lib.mkOption {
+      example = "/data/affine-backups";
+    };
+
+    stateDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/affine";
+      description = "Directory for user files";
+    };
+  };
+
+  config = let
+    compose-file = pkgs.fetchurl {
+      url = "https://github.com/toeverything/affine/releases/download/${cfg.version}/docker-compose.yml";
+      hash = cfg.hash;
+    };
+    env-file = pkgs.writeTextFile {
+      name = ".env";
+      text = ''
+        PORT="${toString cfg.port}"
+        DB_DATA_LOCATION="${cfg.stateDir}/postgres"
+        UPLOAD_LOCATION="${cfg.stateDir}/storage"
+        CONFIG_LOCATION="${cfg.stateDir}/compose"
+        DB_USERNAME="affine"
+        DB_PASSWORD="affine"
+        DB_DATABASE="affine"
+      '';
+    };
+  in lib.mkIf cfg.enable {
+
+    systemd.tmpfiles.rules = [
+      "d ${cfg.stateDir}/postgres   - - - - -"
+      "d ${cfg.stateDir}/storage    - - - - -"
+      "d ${cfg.stateDir}/compose    - - - - -"
+      "L+ ${cfg.stateDir}/compose/.env   - - - - ${env-file}"
+      "L+ ${cfg.stateDir}/compose/docker-compose.yml   - - - - ${compose-file}"
+    ];
+
+    systemd.services.affine-server = {
+      description = "Affine Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+      };
+      serviceConfig = {
+        WorkingDirectory = "${cfg.stateDir}/compose";
+        ExecStart = "${pkgs.docker}/bin/docker compose up --pull always";
+        Restart = "always";
+        StateDirectory = "affine";
+        DynamicUser = true;
+        SupplementaryGroups="docker";
+      };
+    };
+
+    services.nginx.virtualHosts.${cfg.hostname} = {
+      forceSSL = true;
+      useACMEHost = util.baseDomain cfg.hostname;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString cfg.port}";
+      };
+    };
+  };
+}

modules/default.nix

@@ -6,6 +6,7 @@ in {
   imports = [
     ./autoupgrade.nix
     ./actual.nix
+    ./affine
     ./bash.nix
     ./docker.nix
     ./dodona-mailer

modules/docker.nix

@@ -3,16 +3,21 @@ with lib;
 let
   cfg = config.custom.docker;
 in {
-  options.custom.docker.enable = mkOption {
-    default = false;
-    example = true;
+  options.custom.docker = {
+    enable = mkOption {
+      default = false;
+      example = true;
+    };
+    storageDriver = mkOption {
+      default = "overlay2";
+    };
   };
 
+
   config = mkIf cfg.enable {
     virtualisation.docker = {
       enable = true;
-      extraOptions = "--experimental";
-      storageDriver = "zfs";
+      storageDriver = cfg.storageDriver;
     };
     programs.criu.enable = true;
     systemd.services.docker.path = [ pkgs.gzip pkgs.gnutar pkgs.criu ];

modules/postfix/default.nix

@@ -74,11 +74,12 @@ in
       domain = host;
       networksStyle = "host";
 
-      sslCert = "/var/lib/acme/${ util.baseDomain host }/fullchain.pem";
-      sslKey = "/var/lib/acme/${ util.baseDomain host }/key.pem";
-
       config = {
         smtp_tls_security_level = "may";
+        smtpd_tls_chain_files = [
+          "/var/lib/acme/${ util.baseDomain host }/key.pem"
+          "/var/lib/acme/${ util.baseDomain host }/fullchain.pem"
+        ];
       };
 
       enableSmtp = true;        # Receiving mail from other mail servers

rebuild.sh

@@ -4,7 +4,7 @@ if [[ -n "$1" && ! "$1" =~ ^-.* ]]; then
     shift
 fi
 if [ -z "$host" ]; then
-    sudo nixos-rebuild switch -v --flake '.#' "$@"
+    sudo nixos-rebuild switch --flake '.#' "$@"
 else
-    nixos-rebuild -v --flake ".#$host" --target-host "root@$host" switch "$@"
+    nixos-rebuild --flake ".#$host" --target-host "root@$host" switch "$@"
 fi