feat: add blog

config/basic/users.nix

@@ -47,5 +47,7 @@
       family = uidGid 2003;
       printer = uidGid 2005;
       pr-tracker = uidGid 2006;
+      blog = uidGid 2007;
+      signald = uidGid 2008;
     };
 }

config/services/blog.nix

@@ -0,0 +1,83 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+let
+  prestart = pkgs.writeShellScript "pr-tracker-pre" ''
+    if [ ! -f ./ssh_key ]; then
+      ssh-keygen -t ed25519 -N "" -f ssh_key
+    fi
+    ${lib.getExe pkgs.git} config core.sshCommand 'ssh -i ~/ssh_key'
+    if [ ! -d ./blog ]; then
+      ${lib.getExe pkgs.git} clone ssh://git@forge.lel.lol:9922/patrick/blog.git |\
+      echo "failed to clone the repository did you forget to add the ssh key?"
+    fi
+  '';
+in
+{
+  wireguard.elisabeth = {
+    client.via = "elisabeth";
+    firewallRuleForNode.elisabeth.allowedTCPPorts = [ 3000 ];
+  };
+  services.nginx = {
+    enable = true;
+    user = "blog";
+    virtualHosts."blog.lel.lol" = {
+      root = "/var/lib/blog/blog/public";
+    };
+  };
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/blog";
+      user = "blog";
+      group = "blog";
+      mode = "0700";
+    }
+    {
+      directory = "/var/lib/signald";
+      user = "signald";
+      group = "signald";
+      mode = "0700";
+    }
+  ];
+  systemd.timers.blog-update = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "1m";
+      OnUnitActiveSec = "1m";
+    };
+  };
+  users.groups.blog = { };
+  users.users.blog = {
+    isSystemUser = true;
+    group = "blog";
+    home = "/var/lib/blog";
+  };
+
+  systemd.services.blog-update = {
+    script = ''
+      ${lib.getExe pkgs.git} -C blog pull
+      ${lib.getExe pkgs.zola} -r blog/public build
+    '';
+    path = [ pkgs.openssh ];
+    serviceConfig = {
+      Requires = "blog";
+      Type = "oneshot";
+      User = "blog";
+      Group = "blog";
+      StateDirectory = "blog";
+      WorkingDirectory = "/var/lib/blog";
+      LimitNOFILE = "1048576";
+      PrivateTmp = true;
+      PrivateDevices = true;
+      StateDirectoryMode = "0700";
+      ExecStartPre = prestart;
+    };
+  };
+
+  services.signald = {
+    enable = true;
+    group = "blog";
+  };
+}

hosts/elisabeth/blog.nix

@@ -1,7 +0,0 @@
-{
-  services.nginx.virtualHosts."blog.lel.lol" = {
-    root = "/persist/blog";
-    forceSSL = true;
-    useACMEHost = "web";
-  };
-}

hosts/elisabeth/default.nix

@@ -19,7 +19,6 @@
 
     ../../config/hardware/physical.nix
 
-    ./blog.nix
     ./net.nix
     ./fs.nix
   ] ++ lib.lists.optionals (!minimal) [ ./guests.nix ];

hosts/elisabeth/guests.nix

@@ -31,6 +31,7 @@ let
         octoprint = "print";
         pr-tracker = "tracker";
         invidious = "yt";
+        blog = "blog";
       };
     in
     "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
@@ -183,6 +184,7 @@ in
       (proxyProtect "ttrss" { port = 80; } true)
       (proxyProtect "invidious" { } true)
       (blockOf "yourspotify" { port = 80; })
+      (blockOf "blog" { port = 80; })
       #(blockOf "homebox" {})
       (blockOf "pr-tracker" { })
       {
@@ -317,6 +319,7 @@ in
     // mkContainer "firefly" { }
     // mkContainer "yourspotify" { }
     // mkContainer "netbird" { }
+    // mkContainer "blog" { }
     // mkContainer "kanidm" { }
     // mkContainer "nextcloud" { enablePanzer = true; }
     // mkContainer "paperless" { enableSharedPaperless = true; }

hosts/elisabeth/secrets/blog/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBnyvnrDWPq468Zijt46VTUUGWz3QDgj7h6wJ42IAV6

secrets/wireguard/elisabeth/keys/elisabeth-blog.age

@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> X25519 eVtVzXtvsEgbNOdIy4VDn1FbpMAoSZ89cHEoFF+zDls
+0naCdMLWG6MRREA/+OC+xbjxDnPXXfcwdvhGY9bmF3I
+-> piv-p256 ZFgiIw A0b4W+z9JJLdoeLsceIWTgfq9AGhGCYzghM8A/xxi73q
+9z6A/Xk39YcMlY6vflm/HEvMjjrfC8hcp9SVIZ601Xs
+-> piv-p256 XTQkUA As6ZR0tijPVbIGJJQE7ebHDJVuMdvEF7uSecCAFZBr8q
+f6KhqssOYi6Lm7xpNaQEtHKZ6qyd3/lRLDI7Id0+1I8
+-> piv-p256 ZFgiIw AuJ8buC0fCg9gT9DpLSAfVFpYue6nKwq1Q4RLZU0eIfy
++UP/GGc/qW8wznHYVsW7xFuK4/pLgvesoODaafsZDhs
+-> piv-p256 5vmPtQ AyrqpWUElWE9Ai+DeV1lUq+nHAqaZFZkMTPPIu0DiesF
+S5T0MFAArqnNXtwrYGzAi5rK+BkWn/Gs8U6vtqijIwc
+-> 0Skk=zN=-grease E: ]pN}4
+zV/hyZHiaSckbVGuS+oNFItTxcLKTyL8G4G+Btzcym1Afm0CCrXL5fc/ss7tQ7Mx
+ac7JEfvv9cCnAezvog
+--- rvFVqJgSmwEk/Qy4x/LoIlAuJ6JtWxFvInGyO7lv96k
+4ËñNÕࣅ
+/ýLÒ©—C³I*³Ë¨¢2ã•‘¸.!Ûøšï.Ñ1þ	»¡•Øèöa³
@ý‚3‹Tô9ˆ‰)]t•mIý-&5t

secrets/wireguard/elisabeth/keys/elisabeth-blog.pub

@@ -0,0 +1 @@
+DVpnYaoXKKk37IbTyG08bTWogBAD9N/s2PVodeHFaXo=

secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-blog.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 8xUsd8+0vzcdMZ+9/Q7c4uHrINfL/YnGb2oi5TPPUwk
+GrQDEqwQpunmU/Fwa0o2YV1VEMwb7F3uuUqPC2b9kNg
+-> piv-p256 ZFgiIw AtzJHfEspGUDVtaXot1EE/u3Z5cTVL+PeBN2f5ZWbL6M
+fOV0Hp6+cZB3NbypVXQtPULDonweA/62/G5gnunWVG4
+-> piv-p256 XTQkUA AmPo/XlWsLPW+JYoTGCLTxWccJuh4EcKafN+D+URuGoF
+3rHV1yeANXzWRpWb/0EA1IjCOitoTsLGN4dU1raTr0k
+-> piv-p256 ZFgiIw AuduWmro6APJsPTCZrtRpkwECkOfsDL109rvrE9UxkkV
+cnJb8UKLM1Oy9nZr+HQp3p6OhT/+9Htc3GoAqADa2nI
+-> piv-p256 5vmPtQ A3ge8G2tligkbgdXvrngnObz6/kk3R5HN1Gl31Diz5hc
+1d0ebykK0ccq7R4UegjAL+dl0EX6dves6Qsg4n7I0sA
+-> :/-grease 4$+ P= _VV%:"P|
+4Ny9m7mh1lEg
+--- CsASon+mZ54A0BLZmBl9NaSa9n6M9mYbpY6igzdGF+U
+“]lS"qùv¢½Öö˜P2­Õb¥“ç]•áÍÞ
nóƒ7ÆÏ¥C@dD-y+å=ÊÇ<C38A>äY§†Dë`v	 Æp
ñÙ~‹ìãþž