diff --git a/flake.lock b/flake.lock
index ead3dcd..b4f7f49 100644
--- a/flake.lock
+++ b/flake.lock
@@ -511,11 +511,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1757861884,
- "narHash": "sha256-s0cInWk/yrj0eY7Iee722ME9/bfjpUj9aKMlnb6q/t4=",
+ "lastModified": 1757873556,
+ "narHash": "sha256-WYrV46if1XsiQKOQEMNtHdAPeFDeu7YBdcoNSXc3sf8=",
 "ref": "refs/heads/main",
- "rev": "383cf08fa55a46c8aa1c5faf57160bf594e5feaa",
- "revCount": 41,
+ "rev": "21ab0b0a59264b1da501f90725bf2c03e07ae941",
+ "revCount": 43,
 "type": "git",
 "url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
 },
diff --git a/hosts/jupiter/users/storm/configs/console/podman/blog/default.nix b/hosts/jupiter/users/storm/configs/console/podman/blog/default.nix
new file mode 100644
index 0000000..4d48631
--- /dev/null
+++ b/hosts/jupiter/users/storm/configs/console/podman/blog/default.nix
@@ -0,0 +1,60 @@
+{ user, home }:
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ hmConfig = config.home-manager.users.${user};
+ inherit (hmConfig.virtualisation.quadlet) volumes networks;
+in
+{
+ home-manager.users.${user} = {
+ sops = {
+ secrets."blog/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+
+ templates.blog-receiver-env.content = ''
+ AUTH_KEY=${hmConfig.sops.placeholder."blog/apiKey"}
+ '';
+ };
+
+ virtualisation.quadlet = {
+ volumes.blog = { };
+
+ containers = {
+ blog.containerConfig = {
+ image = "docker-archive:${pkgs.dockerImages.nginx}";
+ networks = [ networks.traefik.ref ];
+ volumes = [
+ "${volumes.blog.ref}:/var/www/nginx:ro"
+ ];
+ labels = [
+ "traefik.enable=true"
+ "traefik.http.routers.blog.rule=Host(`blog.karaolidis.com`)"
+ ];
+ };
+
+ blog-receiver = {
+ containerConfig = {
+ image = "docker-archive:${pkgs.dockerImages.nginx-receiver}";
+ networks = [ networks.traefik.ref ];
+ volumes = [ "${volumes.blog.ref}:/var/www/nginx" ];
+ environments = {
+ TARGET_DIR = "/var/www/nginx";
+ SUBPATH = "/upload";
+ };
+ environmentFiles = [ hmConfig.sops.templates.blog-receiver-env.path ];
+ labels = [
+ "traefik.enable=true"
+ "traefik.http.routers.blog-receiver.rule=Host(`blog.karaolidis.com`) && PathPrefix(`/upload`)"
+ ];
+ };
+
+ unitConfig.After = [ "sops-nix.service" ];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/jupiter/users/storm/configs/console/podman/default.nix b/hosts/jupiter/users/storm/configs/console/podman/default.nix
index c8f1d86..c30c810 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -12,6 +12,7 @@ in
 imports = [
 (import ./attic { inherit user home; })
 (import ./authelia { inherit user home; })
+ (import ./blog { inherit user home; })
 (import ./comentario { inherit user home; })
 (import ./gitea { inherit user home; })
 (import ./grafana { inherit user home; })
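Review bot: The `blog-receiver` router publishes the write path of the blog volume on the shared Traefik entrypoint with nothing but the static key from `AUTH_KEY` in front of it, so consider attaching a Traefik middleware (a rate limit or an IP allow list) to that router through a `traefik.http.routers.blog-receiver.middlewares` label; the receiver's own key check is constant-time, but it has no throttling of its own. The `/upload` prefix is written twice, once as `SUBPATH` and once inside the `PathPrefix` rule, and the receiver returns 404 for anything outside its endpoint, so a single `let` binding such as `uploadPath = "/upload";` used in both places keeps the route and the endpoint from drifting apart. `lib` and `home` are accepted but never used in this module, which linters such as deadnix will flag. Mounting the volume `:ro` in the `blog` container while only the receiver has it writable is the right split.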
diff --git a/packages/docker/gitea-act-runner-worker/default.nix b/packages/docker/gitea-act-runner-worker/default.nix
index 28b732d..ac10cfc 100644
--- a/packages/docker/gitea-act-runner-worker/default.nix
+++ b/packages/docker/gitea-act-runner-worker/default.nix
@@ -17,6 +17,7 @@ pkgs.dockerTools.buildImage {
 name = "root";
 paths = with pkgs; [
 git
+ git-lfs
 curl
 jq
 nix
diff --git a/packages/docker/nginx-receiver/package/main.go b/packages/docker/nginx-receiver/package/main.go
index 2d861e4..cca20ac 100644
--- a/packages/docker/nginx-receiver/package/main.go
+++ b/packages/docker/nginx-receiver/package/main.go
@@ -27,11 +27,14 @@ var (
 maxUploadSize int64 = 1 << 30 // 1GB
 
 deployLock sync.Mutex
+
+ infoLog = log.New(os.Stdout, "", log.LstdFlags)
+ errorLog = log.New(os.Stderr, "", log.LstdFlags)
 )
 
 func main() {
 if authenticationKey == "" || targetDirectory == "" {
- log.Fatal("AUTH_KEY and TARGET_DIR must be set")
+ errorLog.Fatal("AUTH_KEY and TARGET_DIR must be set")
 }
 
 if port == "" {
@@ -43,15 +46,15 @@ func main() {
 basePath = "/" + subPath
 }
 
- log.Printf("starting server on :%s, endpoint %q, target directory %q", port, basePath, targetDirectory)
+ infoLog.Printf("starting server on :%s, endpoint %q, target directory %q", port, basePath, targetDirectory)
 
 http.HandleFunc(basePath, withRecovery(handle))
- log.Fatal(http.ListenAndServe(":"+port, nil))
+ errorLog.Fatal(http.ListenAndServe(":"+port, nil))
 }
 
 func handle(w http.ResponseWriter, r *http.Request) {
 remoteIP := realIP(r)
- log.Printf("incoming %q request on %q from %s", r.Method, r.URL.Path, remoteIP)
+ infoLog.Printf("incoming %q request on %q from %s", r.Method, r.URL.Path, remoteIP)
 
 if r.Method != http.MethodPost {
 http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
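Review bot: `errorLog.Fatal(http.ListenAndServe(":"+port, nil))` still runs the zero-value `http.Server`, which has no header, read, write or idle timeouts, so with the 1 GB `maxUploadSize` declared in the previous hunk a client can hold a connection open indefinitely while trickling headers or a body. Prefer an explicit server, e.g. `srv := &http.Server{Addr: ":" + port, ReadHeaderTimeout: 10 * time.Second}` followed by `errorLog.Fatal(srv.ListenAndServe())` (this needs the `time` import), and pick `ReadTimeout`/`IdleTimeout` values sized for the largest upload you expect; if Traefik already bounds these in front of the container, a comment saying so at this line would spare the next reader the question. The new `infoLog.Printf("incoming ...")` line in `handle` fires before the key check, so every unauthenticated probe produces a stdout line, which is useful as an audit trail but worth remembering when sizing log retention. Both `main` and `handle` continue outside this hunk.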
@@ -60,7 +63,7 @@ func handle(w http.ResponseWriter, r *http.Request) {
 
 auth := r.Header.Get("Authorization")
 if subtle.ConstantTimeCompare([]byte(auth), []byte(authenticationKey)) != 1 {
- log.Printf("unauthorized request from %s", remoteIP)
+ errorLog.Printf("unauthorized request from %s", remoteIP)
 http.Error(w, "unauthorized", http.StatusUnauthorized)
 return
 }
@@ -112,7 +115,7 @@ func handle(w http.ResponseWriter, r *http.Request) {
 defer os.RemoveAll(extractDir)
 
 if err := extractor.Extract(ctx, archiveStream, extract(extractDir)); err != nil {
- log.Printf("failed to extract archive: %v", err)
+ errorLog.Printf("failed to extract archive: %v", err)
 http.Error(w, "bad archive", http.StatusBadRequest)
 return
 }
@@ -131,7 +134,7 @@ func handle(w http.ResponseWriter, r *http.Request) {
 }
 
 w.WriteHeader(http.StatusOK)
- log.Printf("upload successful from %s", remoteIP)
+ infoLog.Printf("upload successful from %s", remoteIP)
 }
 
 func realIP(r *http.Request) string {
@@ -235,7 +238,7 @@ func withRecovery(next http.HandlerFunc) http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
 defer func() {
 if v := recover(); v != nil {
- log.Printf("panic: %v", v)
+ errorLog.Printf("panic: %v", v)
 http.Error(w, "internal error", http.StatusInternalServerError)
 }
 }()
diff --git a/submodules/secrets b/submodules/secrets
index 383cf08..21ab0b0 160000
--- a/submodules/secrets
+++ b/submodules/secrets
@@ -1 +1 @@
-Subproject commit 383cf08fa55a46c8aa1c5faf57160bf594e5feaa
+Subproject commit 21ab0b0a59264b1da501f90725bf2c03e07ae941
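Review bot: `errorLog.Printf("unauthorized request from %s", remoteIP)` is the right stream for a failed authentication, but the check it reports on treats the entire `Authorization` header value as the key with no scheme prefix, which is not obvious from the `AUTH_KEY=` template on the Nix side; a comment such as `// The whole Authorization header value is the shared key; no "Bearer " prefix is expected.` above the compare would pin that contract down for clients. Note also that `subtle.ConstantTimeCompare` returns 0 immediately when the two lengths differ, so the comparison leaks the key's length through timing; if you want to remove even that, compare fixed-size digests instead, `a, k := sha256.Sum256([]byte(auth)), sha256.Sum256([]byte(authenticationKey))` and `if subtle.ConstantTimeCompare(a[:], k[:]) != 1 {`, with `crypto/sha256` imported. The enclosing `handle` function starts and ends outside this hunk.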
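Review bot: `errorLog.Printf("panic: %v", v)` in `withRecovery` records the panic value but not where it happened, so a panic inside `handle` is hard to trace back; include the stack, e.g. `errorLog.Printf("panic: %v\n%s", v, debug.Stack())` with `runtime/debug` imported. The `http.Error` that follows cannot take effect once the handler has already written headers (for example after the `w.WriteHeader(http.StatusOK)` seen in an earlier hunk), so in that case the client sees a truncated 200 rather than a 500; that is inherent to recover-in-middleware and worth a one-line comment next to the call. `withRecovery` continues outside the hunk.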