diff --git a/flake.nix b/flake.nix index 4afb27a..30fb5cb 100644 --- a/flake.nix +++ b/flake.nix @@ -44,9 +44,24 @@ ./machines ./routers ./inventories + ./overlays + ./tests ./modules/clan/flake-module.nix ./modules/nixos/flake-module.nix ]; + perSystem = + { pkgs, system, ... }: + { + _module.args.pkgs = import inputs.nixpkgs { + inherit system; + overlays = [ + inputs.self.overlays.packagesOverlay + ]; + config = { }; + }; + packages.think = pkgs.think-gtcm; + packages.think-be = pkgs.think-backend-gtcm; + }; } ); } diff --git a/machines/b4l/configuration.nix b/machines/b4l/configuration.nix index 3b14865..a62ce37 100644 --- a/machines/b4l/configuration.nix +++ b/machines/b4l/configuration.nix @@ -19,4 +19,18 @@ services.nginx.virtualHosts."${config.networking.fqdn}" = { enableACME = true; }; + + clan.core.vars.generators.acme = { + share = true; + files.email.secret = false; + + prompts.email = { + type = "line"; + description = "Email for ACME registeration"; + }; + + script = '' + cat $prompts/email > $out/email + ''; + }; } diff --git a/machines/ramus/configuration.nix b/machines/ramus/configuration.nix index 511247b..4160d03 100644 --- a/machines/ramus/configuration.nix +++ b/machines/ramus/configuration.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ self, config, ... }: { system.stateVersion = "25.11"; nixpkgs.hostPlatform = { @@ -12,4 +12,24 @@ clan.core.sops.defaultGroups = [ "admins" ]; clan.core.networking.targetHost = "root@[${config.clan.core.vars.generators.zerotier.files.zerotier-ip.value}]"; + + clan.core.vars.generators.acme = { + share = true; + files.email.secret = false; + + prompts.email = { + type = "line"; + description = "Email for ACME registeration"; + }; + + script = '' + cat $prompts/email > $out/email + ''; + }; + + users.users.nginx.extraGroups = [ "acme" ]; + + security.acme.acceptTerms = true; + + imports = [ ./think-greater-chiangmai.nix ]; } diff --git a/machines/ramus/think-greater-chiangmai.nix b/machines/ramus/think-greater-chiangmai.nix new file mode 100644 index 0000000..1bf97c8 --- /dev/null +++ b/machines/ramus/think-greater-chiangmai.nix @@ -0,0 +1,136 @@ +{ self, config, ... }: +let + commonSettings = { + APP_NAME = "Laravel"; + APP_ENV = "local"; + APP_KEY._secret = config.clan.core.vars.generators.greaterchiangmai.files.app_key.path; + APP_DEBUG = "false"; + APP_URL = "http://localhost"; + + DB_CONNECTION = "mysql"; + DB_HOST = "localhost"; + DB_PORT = 3306; + DB_DATABASE = "thinkgtcm"; + DB_USERNAME = "gtcm"; + + R2_ACCESS_KEY_ID = config.clan.core.vars.generators.greaterchiangmai-s3.files.access_key_id.value; + R2_SECRET_ACCESS_KEY._secret = + config.clan.core.vars.generators.greaterchiangmai-s3.files.secret_access_key.path; + R2_REGION = config.clan.core.vars.generators.greaterchiangmai-s3.files.region.value; + R2_BUCKET = config.clan.core.vars.generators.greaterchiangmai-s3.files.bucket.value; + R2_ENDPOINT = config.clan.core.vars.generators.greaterchiangmai-s3.files.endpoint.value; + + LOG_CHANNEL = "stack"; + LOG_LEVEL = "debug"; + + FILESYSTEM_DISK = "local"; + + BROADCAST_DRIVER = "log"; + CACHE_DRIVER = "file"; + QUEUE_CONNECTION = "sync"; + SESSION_DRIVER = "file"; + SESSION_LIFETIME = 120; + + MEMCACHED_HOST = "127.0.0.1"; + + REDIS_HOST = "127.0.0.1"; + REDIS_PORT = 6379; + + UPLOAD_MAX_FILESIZE = "5000M"; + POST_MAX_SIZE = "5000M"; + + TEST_LOCAL = true; + }; + + baseDomain = "greaterchiangmai.com"; + domain = "think.${baseDomain}"; + domainBackend = "think-backend.${baseDomain}"; +in +{ + imports = [ + self.nixosModules.think-gtcm + self.nixosModules.think-backend-gtcm + ]; + nixpkgs.overlays = [ self.overlays.packagesOverlay ]; + + clan.core.vars.generators.greaterchiangmai = { + files = { + app_key = { + secret = true; + owner = config.services.think-greaterchiangmai.user; + group = config.services.think-greaterchiangmai.group; + }; + }; + + prompts = { + app_key.persist = true; + }; + + script = '' + cat $prompts/app_key > $out/app_key + ''; + }; + + clan.core.vars.generators.greaterchiangmai-s3 = { + files = { + access_key_id.secret = false; + secret_access_key = { + secret = true; + owner = config.services.think-greaterchiangmai.user; + group = config.services.think-greaterchiangmai.group; + }; + endpoint.secret = false; + region.secret = false; + bucket.secret = false; + }; + + prompts = { + access_key_id.persist = true; + secret_access_key.persist = true; + endpoint.persist = true; + region.persist = true; + bucket.persist = true; + }; + + script = '' + cat $prompts/access_key_id > $out/access_key_id + cat $prompts/secret_access_key > $out/secret_access_key + cat $prompts/endpoint > $out/endpoint + cat $prompts/region > $out/region + cat $prompts/bucket > $out/bucket + ''; + }; + + services.think-greaterchiangmai = { + enable = true; + domain = domain; + settings = commonSettings; + }; + services.think-backend-greaterchiangmai = { + enable = true; + domain = domainBackend; + settings = commonSettings; + }; + + security.acme.certs = { + "${domain}" = { + email = config.clan.core.vars.generators.acme.files.email.value; + webroot = "/var/lib/acme/acme-challenge/${domain}"; + }; + "${domainBackend}" = { + email = config.clan.core.vars.generators.acme.files.email.value; + webroot = "/var/lib/acme/acme-challenge/${domainBackend}"; + }; + }; + + services.nginx.virtualHosts.${domain} = { + forceSSL = true; + useACMEHost = domain; + acmeRoot = config.security.acme.certs.${domain}.webroot; + }; + services.nginx.virtualHosts.${domainBackend} = { + forceSSL = true; + useACMEHost = domainBackend; + acmeRoot = config.security.acme.certs.${domainBackend}.webroot; + }; +} diff --git a/modules/nixos/flake-module.nix b/modules/nixos/flake-module.nix index b8a1ffc..f0a8017 100644 --- a/modules/nixos/flake-module.nix +++ b/modules/nixos/flake-module.nix @@ -3,5 +3,11 @@ common = { imports = [ ./common.nix ]; }; + think-gtcm = { + imports = [ ./think-gtcm.nix ]; + }; + think-backend-gtcm = { + imports = [ ./think-backend-gtcm.nix ]; + }; }; } diff --git a/modules/nixos/think-backend-gtcm.nix b/modules/nixos/think-backend-gtcm.nix new file mode 100644 index 0000000..e83b5ae --- /dev/null +++ b/modules/nixos/think-backend-gtcm.nix @@ -0,0 +1,292 @@ +{ + config, + pkgs, + lib, + ... +}: +let + cfg = config.services.think-backend-greaterchiangmai; + think-backend-gtcm = pkgs.think-backend-gtcm.override { dataDir = cfg.dataDir; }; + defaultUser = "gtcm"; + defaultGroup = "gtcm"; + + php = pkgs.php83; + + artisan-be = pkgs.writeScriptBin "gtcm-be" '' + #! ${pkgs.runtimeShell} + cd ${think-backend-gtcm} + sudo() { + if [[ "$USER" != ${cfg.user} ]]; then + exec /run/wrappers/bin/sudo -u ${cfg.user} "$@" + else + exec "$@" + fi + } + sudo ${lib.getExe php} artisan "$@" + ''; + +in +{ + options.services.think-backend-greaterchiangmai = { + enable = lib.mkEnableOption "To enable think.greaterchiangmai.com"; + + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/think-backend.greaterchiangmai.com"; + description = ''A place where to store states''; + }; + + user = lib.mkOption { + type = lib.types.str; + default = defaultUser; + description = "User account under which this runs."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = defaultGroup; + defaultText = "${defaultGroup}"; + description = "Group under which the website runs."; + }; + + package = lib.mkPackageOption pkgs "think-backend-gtcm" { }; + + domain = lib.mkOption { + type = lib.types.str; + default = "think-backend.greaterchiangmai.com"; + example = "forum.example.com"; + description = "Domain to serve on."; + }; + + settings = lib.mkOption { + type = + with lib.types; + attrsOf ( + nullOr ( + either + (oneOf [ + bool + int + port + path + str + ]) + (submodule { + options = { + _secret = lib.mkOption { + type = nullOr str; + description = '' + The path to a file containing the value the + option should be set to in the final + configuration file. + ''; + }; + }; + }) + ) + ); + default = { }; + description = '' + Options for settings environment variables + ''; + example = lib.literalExpression '' + { + APP_NAME = "Laravel"; + APP_ENV = "local"; + APP_KEY = "key"; + APP_DEBUG = true; + APP_URL = "http://localhost"; + + LOG_CHANNEL = "stack"; + LOG_DEPRECATIONS_CHANNEL = "null"; + LOG_LEVEL = "debug"; + + DB_CONNECTION = "mysql"; + DB_HOST = "127.0.0.1"; + DB_PORT = "3306"; + DB_DATABASE = "laravel"; + DB_USERNAME = "root"; + DB_PASSWORD = ""; + } + ''; + }; + + }; + config = lib.mkIf cfg.enable { + users.users.${cfg.user} = lib.mkForce { + isSystemUser = true; + home = cfg.dataDir; + createHome = true; + homeMode = "755"; + group = cfg.group; + }; + users.groups.${cfg.group} = { }; + + services.phpfpm.pools.think-backend-gtcm = { + inherit (cfg) user group; + phpPackage = php; + settings = { + "listen.owner" = config.services.nginx.user; + "listen.group" = config.services.nginx.group; + "listen.mode" = "0600"; + "pm" = lib.mkDefault "dynamic"; + "pm.max_children" = lib.mkDefault 10; + "pm.max_requests" = lib.mkDefault 500; + "pm.start_servers" = lib.mkDefault 2; + "pm.min_spare_servers" = lib.mkDefault 1; + "pm.max_spare_servers" = lib.mkDefault 3; + }; + phpOptions = '' + error_log = syslog + log_errors = on + ''; + }; + + environment.systemPackages = [ + artisan-be + ]; + + services.think-backend-greaterchiangmai.settings = { + APP_SERVICES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/services.php"; + APP_PACKAGES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/packages.php"; + APP_CONFIG_CACHE = lib.mkDefault "${cfg.dataDir}/cache/config.php"; + APP_ROUTES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/routes-v7.php"; + APP_EVENTS_CACHE = lib.mkDefault "${cfg.dataDir}/cache/events.php"; + }; + + systemd.services.think-backend-gtcm-setup = { + description = "think-backend.greaterchiangmai installation"; + requiredBy = [ "phpfpm-think-backend-gtcm.service" ]; + before = [ "phpfpm-think-backend-gtcm.service" ]; + requires = [ "mysql.service" ]; + after = [ "mysql.service" ]; + serviceConfig = { + type = "oneshot"; + RemainAfterExit = true; + User = cfg.user; + UMask = 77; + WorkingDirectory = "${think-backend-gtcm}"; + RuntimeDirectory = "think-backend-gtcm/cache"; + RuntimeDirectoryMode = 700; + }; + path = [ pkgs.replace-secret ]; + script = + let + isSecret = v: lib.isAttrs v && v ? _secret && lib.isString v._secret; + gtcmEnvVars = lib.generators.toKeyValue { + mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" { + mkValueString = + v: + with builtins; + if isInt v then + toString v + else if isString v then + v + else if true == v then + "true" + else if false == v then + "false" + else if isSecret v then + hashString "sha256" v._secret + else + throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty { }) v}"; + }; + }; + secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.settings); + mkSecretReplacement = file: '' + replace-secret ${ + lib.escapeShellArgs [ + (builtins.hashString "sha256" file) + file + "${cfg.dataDir}/.env" + ] + } + ''; + secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths; + filteredConfig = lib.converge (lib.filterAttrsRecursive ( + _: v: + !lib.elem v [ + { } + null + ] + )) cfg.settings; + gtcmEnv = pkgs.writeText "gtcm-be.env" (gtcmEnvVars filteredConfig); + in + '' + # error handling + set -euo pipefail + + # create .env file + install -T -m 0600 -o ${cfg.user} ${gtcmEnv} "${cfg.dataDir}/.env" + ${secretReplacements} + if ! grep 'APP_KEY=base64:' "${cfg.dataDir}/.env" >/dev/null; then + sed -i 's/APP_KEY=/APP_KEY=base64:/' "${cfg.dataDir}/.env" + fi + + # migrate & seed db + ${lib.getExe php} artisan key:generate --force + ${lib.getExe php} artisan migrate --force + ${lib.getExe php} artisan config:cache + ''; + }; + + systemd.tmpfiles.rules = [ + "d ${cfg.dataDir} 0710 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/cache 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/public 0750 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/public/uploads 0750 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/app 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/fonts 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/framework 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/framework/cache 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/framework/sessions 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/framework/views 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/logs 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/uploads 0700 ${cfg.user} ${cfg.group} - -" + ]; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + recommendedProxySettings = true; + virtualHosts."${cfg.domain}" = { + root = "${think-backend-gtcm}/public"; + locations = { + "/" = { + index = "index.php"; + tryFiles = "$uri $uri/ /index.php?$query_string"; + }; + "~ \\.php$".extraConfig = '' + fastcgi_pass unix:${config.services.phpfpm.pools."think-backend-gtcm".socket}; + ''; + "~ \\.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 365d;"; + }; + }; + }; + }; + + services.mysql = { + enable = true; + package = lib.mkForce pkgs.mariadb; + ensureDatabases = [ cfg.settings.DB_DATABASE ]; + ensureUsers = [ + { + name = cfg.settings.DB_USERNAME; + ensurePermissions = { + "${cfg.settings.DB_DATABASE}.*" = "ALL PRIVILEGES"; + }; + } + ]; + }; + }; +} diff --git a/modules/nixos/think-gtcm.nix b/modules/nixos/think-gtcm.nix new file mode 100644 index 0000000..c2909d9 --- /dev/null +++ b/modules/nixos/think-gtcm.nix @@ -0,0 +1,295 @@ +{ + config, + pkgs, + lib, + ... +}: +let + cfg = config.services.think-greaterchiangmai; + think-gtcm = pkgs.think-gtcm.override { dataDir = cfg.dataDir; }; + defaultUser = "gtcm"; + defaultGroup = "gtcm"; + + php = pkgs.php83; + + artisan = pkgs.writeScriptBin "gtcm" '' + #! ${pkgs.runtimeShell} + cd ${think-gtcm} + sudo() { + if [[ "$USER" != ${cfg.user} ]]; then + exec /run/wrappers/bin/sudo -u ${cfg.user} "$@" + else + exec "$@" + fi + } + sudo ${lib.getExe php} artisan "$@" + ''; + +in +{ + options.services.think-greaterchiangmai = { + enable = lib.mkEnableOption "To enable think.greaterchiangmai.com"; + + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/think.greaterchiangmai.com"; + description = ''A place where to store states''; + }; + + user = lib.mkOption { + type = lib.types.str; + default = defaultUser; + description = "User account under which this runs."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = defaultGroup; + defaultText = "${defaultGroup}"; + description = "Group under which the website runs."; + }; + + package = lib.mkPackageOption pkgs "think-gtcm" { }; + + packageBackend = lib.mkPackageOption pkgs "think-backend-gtcm" { }; + + domain = lib.mkOption { + type = lib.types.str; + default = "think.greaterchiangmai.com"; + example = "forum.example.com"; + description = "Domain to serve on."; + }; + + settings = lib.mkOption { + type = + with lib.types; + attrsOf ( + nullOr ( + either + (oneOf [ + bool + int + port + path + str + ]) + (submodule { + options = { + _secret = lib.mkOption { + type = nullOr str; + description = '' + The path to a file containing the value the + option should be set to in the final + configuration file. + ''; + }; + }; + }) + ) + ); + default = { }; + description = '' + Options for settings environment variables + ''; + example = lib.literalExpression '' + { + APP_NAME = "Laravel"; + APP_ENV = "local"; + APP_KEY = "key"; + APP_DEBUG = true; + APP_URL = "http://localhost"; + + LOG_CHANNEL = "stack"; + LOG_DEPRECATIONS_CHANNEL = "null"; + LOG_LEVEL = "debug"; + + DB_CONNECTION = "mysql"; + DB_HOST = "127.0.0.1"; + DB_PORT = "3306"; + DB_DATABASE = "laravel"; + DB_USERNAME = "root"; + DB_PASSWORD = ""; + } + ''; + }; + + }; + config = lib.mkIf cfg.enable { + users.users.${cfg.user} = { + isSystemUser = true; + home = cfg.dataDir; + createHome = true; + homeMode = "755"; + group = cfg.group; + }; + users.groups.${cfg.group} = { }; + + services.phpfpm.pools.think-gtcm = { + inherit (cfg) user group; + phpPackage = php; + settings = { + "listen.owner" = config.services.nginx.user; + "listen.group" = config.services.nginx.group; + "listen.mode" = "0600"; + "pm" = lib.mkDefault "dynamic"; + "pm.max_children" = lib.mkDefault 10; + "pm.max_requests" = lib.mkDefault 500; + "pm.start_servers" = lib.mkDefault 2; + "pm.min_spare_servers" = lib.mkDefault 1; + "pm.max_spare_servers" = lib.mkDefault 3; + }; + phpOptions = '' + error_log = syslog + log_errors = on + ''; + }; + + environment.systemPackages = [ + artisan + ]; + + services.think-greaterchiangmai.settings = { + APP_SERVICES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/services.php"; + APP_PACKAGES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/packages.php"; + APP_CONFIG_CACHE = lib.mkDefault "${cfg.dataDir}/cache/config.php"; + APP_ROUTES_CACHE = lib.mkDefault "${cfg.dataDir}/cache/routes-v7.php"; + APP_EVENTS_CACHE = lib.mkDefault "${cfg.dataDir}/cache/events.php"; + }; + + systemd.services.think-gtcm-setup = { + description = "think.greaterchiangmai installation"; + requiredBy = [ "phpfpm-think-gtcm.service" ]; + before = [ "phpfpm-think-gtcm.service" ]; + requires = [ "mysql.service" ]; + after = [ "mysql.service" ]; + serviceConfig = { + type = "oneshot"; + RemainAfterExit = true; + User = cfg.user; + UMask = 77; + WorkingDirectory = "${think-gtcm}"; + RuntimeDirectory = "think-gtcm/cache"; + RuntimeDirectoryMode = 700; + }; + path = [ pkgs.replace-secret ]; + script = + let + isSecret = v: lib.isAttrs v && v ? _secret && lib.isString v._secret; + gtcmEnvVars = lib.generators.toKeyValue { + mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" { + mkValueString = + v: + with builtins; + if isInt v then + toString v + else if isString v then + v + else if true == v then + "true" + else if false == v then + "false" + else if isSecret v then + hashString "sha256" v._secret + else + throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty { }) v}"; + }; + }; + secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.settings); + mkSecretReplacement = file: '' + replace-secret ${ + lib.escapeShellArgs [ + (builtins.hashString "sha256" file) + file + "${cfg.dataDir}/.env" + ] + } + ''; + secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths; + filteredConfig = lib.converge (lib.filterAttrsRecursive ( + _: v: + !lib.elem v [ + { } + null + ] + )) cfg.settings; + gtcmEnv = pkgs.writeText "gtcm.env" (gtcmEnvVars filteredConfig); + in + '' + # error handling + set -euo pipefail + + # create .env file + install -T -m 0600 -o ${cfg.user} ${gtcmEnv} "${cfg.dataDir}/.env" + ${secretReplacements} + if ! grep 'APP_KEY=base64:' "${cfg.dataDir}/.env" >/dev/null; then + sed -i 's/APP_KEY=/APP_KEY=base64:/' "${cfg.dataDir}/.env" + fi + + # migrate & seed db + ${lib.getExe php} artisan key:generate --force + ${lib.getExe php} artisan migrate --force + ${lib.getExe php} artisan config:cache + ''; + }; + + systemd.tmpfiles.rules = [ + "d ${cfg.dataDir} 0710 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/cache 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/public 0750 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/public/uploads 0750 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/app 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/fonts 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/framework 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/framework/cache 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/framework/sessions 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/framework/views 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/logs 0700 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/storage/uploads 0700 ${cfg.user} ${cfg.group} - -" + ]; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + recommendedProxySettings = true; + virtualHosts."${cfg.domain}" = { + root = "${think-gtcm}/public"; + locations = { + "/" = { + index = "index.php"; + tryFiles = "$uri $uri/ /index.php?$query_string"; + }; + + "~ \\.php$".extraConfig = '' + fastcgi_pass unix:${config.services.phpfpm.pools."think-gtcm".socket}; + ''; + "~ \\.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 365d;"; + }; + }; + }; + }; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + ensureDatabases = [ cfg.settings.DB_DATABASE ]; + ensureUsers = [ + { + name = cfg.settings.DB_USERNAME; + ensurePermissions = { + "${cfg.settings.DB_DATABASE}.*" = "ALL PRIVILEGES"; + }; + } + ]; + }; + }; +} diff --git a/overlays/default.nix b/overlays/default.nix new file mode 100644 index 0000000..583c8e9 --- /dev/null +++ b/overlays/default.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + flake.overlays = { + packagesOverlay = import ../pkgs/overlay.nix; + }; +} diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix new file mode 100644 index 0000000..d327dd3 --- /dev/null +++ b/pkgs/overlay.nix @@ -0,0 +1,4 @@ +final: prev: { + think-gtcm = final.callPackage ./think-gtcm.nix { }; + think-backend-gtcm = final.callPackage ./think-backend-gtcm.nix { php = final.php83; }; +} diff --git a/pkgs/think-backend-gtcm.nix b/pkgs/think-backend-gtcm.nix new file mode 100644 index 0000000..bc08098 --- /dev/null +++ b/pkgs/think-backend-gtcm.nix @@ -0,0 +1,32 @@ +{ + fetchgit, + php, + dataDir ? "/var/lib/think-backend-gtcm", +}: +let + repoSrc = fetchgit { + url = "https://git.b4l.co.th/newedge/think-greaterchiangmai"; + rev = "7c17aa78436538241c09fc7d633904d3c063011e"; + hash = "sha256-GDx0+PmuCXC+UPtsvsocCZQiTPcnOZEzJI17sxrVv7Q="; + }; + src = "${repoSrc}/think-backend.greaterchiangmai.com"; +in +php.buildComposerProject2 (finalAttrs: { + pname = "think-backend-gtcm"; + version = "1.0.0"; + + inherit src; + + installPhase = '' + runHook preInstall + mkdir -p $out + cp -R * $out + rm -rf $out/storage + ln -s ${dataDir}/.env $out/.env + ln -s ${dataDir}/storage $out/storage + runHook postInstall + ''; + + composerStrictValidation = false; + vendorHash = "sha256-eXm1x3E9KHWojaT2RU4inMdZqQVcWdLCKlvzhOlIZrc="; +}) diff --git a/pkgs/think-gtcm.nix b/pkgs/think-gtcm.nix new file mode 100644 index 0000000..0af8b9a --- /dev/null +++ b/pkgs/think-gtcm.nix @@ -0,0 +1,32 @@ +{ + fetchgit, + php, + dataDir ? "/var/lib/think-gtcm", +}: +let + repoSrc = fetchgit { + url = "https://git.b4l.co.th/newedge/think-greaterchiangmai"; + rev = "7c17aa78436538241c09fc7d633904d3c063011e"; + hash = "sha256-GDx0+PmuCXC+UPtsvsocCZQiTPcnOZEzJI17sxrVv7Q="; + }; + src = "${repoSrc}/think.greaterchiangmai.com"; +in +php.buildComposerProject2 (finalAttrs: { + pname = "think-gtcm"; + version = "1.0.0"; + + inherit src; + + installPhase = '' + runHook preInstall + mkdir -p $out + cp -R * $out + rm -rf $out/storage + ln -s ${dataDir}/.env $out/.env + ln -s ${dataDir}/storage $out/storage + runHook postInstall + ''; + + composerStrictValidation = false; + vendorHash = "sha256-QV3hR3U3GwCqrCRxfkazmJwDpO1vFyMfA6YqUb4bjMI="; +}) diff --git a/tests/default.nix b/tests/default.nix new file mode 100644 index 0000000..8770e48 --- /dev/null +++ b/tests/default.nix @@ -0,0 +1,16 @@ +{ self, ... }: +{ + perSystem = + { pkgs, ... }: + { + checks = + let + checkArgs = { + inherit pkgs self; + }; + in + { + think-gtcm = import ./tests/think-gtcm.nix checkArgs; + }; + }; +} diff --git a/tests/lib.nix b/tests/lib.nix new file mode 100644 index 0000000..08b33c9 --- /dev/null +++ b/tests/lib.nix @@ -0,0 +1,18 @@ +test: +# These arguments are provided by `flake.nix` on import, see checkArgs +{ pkgs, self }: +let + inherit (pkgs) lib; + # this imports the nixos library that contains our testing framework + nixos-lib = import (pkgs.path + "/nixos/lib") { }; +in +(nixos-lib.runTest { + hostPkgs = pkgs; + # This speeds up the evaluation by skipping evaluating documentation (optional) + defaults.documentation.enable = lib.mkDefault false; + # This makes `self` available in the NixOS configuration of our virtual machines. + # This is useful for referencing modules or packages from your own flake + # as well as importing from other flakes. + node.specialArgs = { inherit self; }; + imports = [ test ]; +}).config.result diff --git a/tests/tests/think-gtcm.nix b/tests/tests/think-gtcm.nix new file mode 100644 index 0000000..a2fa948 --- /dev/null +++ b/tests/tests/think-gtcm.nix @@ -0,0 +1,102 @@ +(import ../lib.nix) { + name = "think-gtcm"; + nodes = + let + settings = { + + DB_CONNECTION = "mysql"; + DB_HOST = "localhost"; + DB_PORT = 3306; + DB_DATABASE = "thinkgtcm"; + DB_USERNAME = "gtcm"; + DB_PASSWORD = ""; + + APP_NAME = "Laravel"; + APP_ENV = "local"; + APP_DEBUG = "false"; + APP_URL = "http://localhost"; + + LOG_CHANNEL = "stack"; + LOG_LEVEL = "debug"; + + BROADCAST_DRIVER = "log"; + CACHE_DRIVER = "file"; + FILESYSTEM_DISK = "local"; + QUEUE_CONNECTION = "sync"; + SESSION_DRIVER = "file"; + SESSION_LIFETIME = "120"; + + MEMCACHED_HOST = "127.0.0.1"; + + REDIS_HOST = "127.0.0.1"; + REDIS_PASSWORD = "null"; + REDIS_PORT = "6379"; + + MAIL_MAILER = "smtp"; + MAIL_HOST = "mailpit"; + MAIL_PORT = "1025"; + MAIL_USERNAME = "null"; + MAIL_PASSWORD = "null"; + MAIL_ENCRYPTION = "null"; + MAIL_FROM_ADDRESS = "hello@example.com"; + + AWS_DEFAULT_REGION = "us-east-1"; + AWS_USE_PATH_STYLE_ENDPOINT = "false"; + + PUSHER_PORT = 443; + PUSHER_SCHEME = "https"; + PUSHER_APP_CLUSTER = "mt1"; + + UPLOAD_MAX_FILESIZE = "5000M"; + POST_MAX_SIZE = "5000M"; + + TEST_LOCAL = "false"; + }; + in + { + gtcm1 = + { self, ... }: + { + nixpkgs.overlays = [ self.overlays.packagesOverlay ]; + imports = [ self.nixosModules.think-gtcm ]; + services.think-greaterchiangmai = { + enable = true; + settings = settings // { + APP_SERVICES_CACHE = "/run/think-gtcm/cache/services.php"; + APP_PACKAGES_CACHE = "/run/think-gtcm/cache/packages.php"; + APP_CONFIG_CACHE = "/run/think-gtcm/cache/config.php"; + APP_ROUTES_CACHE = "/run/think-gtcm/cache/routes-v7.php"; + APP_EVENTS_CACHE = "/run/think-gtcm/cache/events.php"; + }; + }; + }; + backend1 = + { self, ... }: + { + nixpkgs.overlays = [ self.overlays.packagesOverlay ]; + imports = [ self.nixosModules.think-backend-gtcm ]; + services.think-backend-greaterchiangmai = { + enable = true; + settings = settings // { + APP_SERVICES_CACHE = "/run/think-backend-gtcm/cache/services.php"; + APP_PACKAGES_CACHE = "/run/think-backend-gtcm/cache/packages.php"; + APP_CONFIG_CACHE = "/run/think-backend-gtcm/cache/config.php"; + APP_ROUTES_CACHE = "/run/think-backend-gtcm/cache/routes-v7.php"; + APP_EVENTS_CACHE = "/run/think-backend-gtcm/cache/events.php"; + }; + }; + }; + }; + # This is the test code that will check if our service is running correctly: + testScript = '' + start_all() + + gtcm1.wait_for_unit("phpfpm-think-gtcm") + gtcm1.wait_for_open_port(80) + output = gtcm1.succeed("curl localhost") + + backend1.wait_for_unit("phpfpm-think-backend-gtcm") + backend1.wait_for_open_port(80) + output = backend1.succeed("curl localhost") + ''; +} diff --git a/vars/per-machine/ramus/greaterchiangmai-s3/access_key_id/value b/vars/per-machine/ramus/greaterchiangmai-s3/access_key_id/value new file mode 100644 index 0000000..2acfffb --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai-s3/access_key_id/value @@ -0,0 +1 @@ +OR2B5S75FZ59MD19SRR0 \ No newline at end of file diff --git a/vars/per-machine/ramus/greaterchiangmai-s3/bucket/value b/vars/per-machine/ramus/greaterchiangmai-s3/bucket/value new file mode 100644 index 0000000..2822f3a --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai-s3/bucket/value @@ -0,0 +1 @@ +greaterchiangmai \ No newline at end of file diff --git a/vars/per-machine/ramus/greaterchiangmai-s3/endpoint/value b/vars/per-machine/ramus/greaterchiangmai-s3/endpoint/value new file mode 100644 index 0000000..f79b7e2 --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai-s3/endpoint/value @@ -0,0 +1 @@ +fsn1.your-objectstorage.com \ No newline at end of file diff --git a/vars/per-machine/ramus/greaterchiangmai-s3/region/value b/vars/per-machine/ramus/greaterchiangmai-s3/region/value new file mode 100644 index 0000000..40551d5 --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai-s3/region/value @@ -0,0 +1 @@ +fsn1 \ No newline at end of file diff --git a/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/groups/admins b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/groups/admins new file mode 120000 index 0000000..6765aa1 --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/groups/admins @@ -0,0 +1 @@ +../../../../../../sops/groups/admins \ No newline at end of file diff --git a/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/machines/ramus b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/machines/ramus new file mode 120000 index 0000000..21115e2 --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/machines/ramus @@ -0,0 +1 @@ +../../../../../../sops/machines/ramus \ No newline at end of file diff --git a/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/secret b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/secret new file mode 100644 index 0000000..704f856 --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/secret @@ -0,0 +1,50 @@ +{ + "data": "ENC[AES256_GCM,data:S1TJMu2gZ7hYElZJls8de+apoI+uRPgYjCvN2VDZFX6iCp7WovmJcA==,iv:h4MzIeuoxnn8HTGyr30YoApGLW7UBYCO7sCvMKq7DiY=,tag:J0feK8Mf57vQgaIaJN4ccQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age134vt63pjqpd0m7702fyn8vhdlzyj2deqc2q78sp9uw9052kxsgwq6d25ez", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dFVYa1lBNXAzTURmb2pU\nRmhQZ2JjcllyZkQvR3EzVXFUNllsZDRSQlI0CnhDbFVmU2Z3Nm1vOW1MSFRpNFNR\nOHFUYmVyT3k4eExKZktjMDQxZXMwWUEKLS0tIHVud3hOeFdhRzJPQnNRYVNER0M2\neW1Oa1ZCMzg5dTJOY042VTlrS1cwUzQKri7DRDV8MDkmpQ6ji6q6d+3XvcLlzqGW\nYWuQTXctNtgkAbNvJXaR5MIl6Y7yR6L2T38IPQfqups+miT9jxmDBw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17d4qt0n9edq57tgcqyk8eu5mrendl59yt6z2y3a4vkq7el8krqtq6lq28g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEV1lpeFAzZjVmNGYxWEps\nWDBScUZCRVVyWlRwZzFvRWhvaU9XRGs3aGd3Cmc3V3NrbjZrL3Vzclpubkp4cUZi\nT0k3ODk0VXpoN3dJRHRsYUFPQU1IQ28KLS0tICtqT3E2WFpUQUpYVFJ3UFBscjVj\nM1UzQTNNcDJ5akloNWduZEROaEo0MUkKkXa5n45LJnwcC4+ww9XdYvHZHNDw1R9W\npYzwhAz+lNt5BAagxgPXyqjk1Z3tUrCDsAq+heeoYiX3UddPTmAY3g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1egztkqupggjcpy4g9tfwq6kqeh3ljw7enzhx4l53hjge73wmdscqy5qwfp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNmhNaHRlWEErbW8zQjJu\nTE1SVFAxMGhvU1ZlU2hHck9RaFVCTnIvdkNrClFEMk5wU1JjNW1oZjZCU0dXeXc4\nNHJkOHJGWFIyWGhYN1NzeDRIMHp4ZWsKLS0tIGNwOGp4ZTJiWHVjdG9ma2tXSGwx\nTUdCZFhhdzRibWdtSXg0RVZ0SkMzYXcK48wgvcKMHljIqYQp7RpkJDg9Rl4csJS9\n/fW3j3Ie6EipdlJqtvS1+LdtYZSBuJm7zORiuol/iGlXMCEvfw1Jog==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1fido2-hmac1qqpf43tgcfjm048lsqskvq34w2t4uvrm5qy6m2eg6zjj82ctca8wctgpczxvj0q4y6337uhvsxdh5j86k9h9ymautpvv2759ucwnef75ez7pa7fpkddklp40mxk2tedsp74359g0kefn5rsq0x0yss6cu4yd0h06up0rp08t6yc4l0hfa9y8jn5fkx6nk0hjhz06ykwv0fyxe7z42q683jy0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIHNqYkVDaXNC\ndXlGNGlIT0h4STVYeldhSzVuVmpZMjMvOUNqYnZrc3lJRDAgQVEgd0l6SlBCVW1v\neDl5N0lHYmVrajZzVzVTYjd4WVdNVjZoZVlkUEtmVXlMdyBIdmtoczF0dmhxL1py\nS1hsc0ErckdoVVB0bE02RGdCNW5raERXT1ZJMTkzNjRGNHd2T3ZSTVYrKzZlbEll\nVTZKc2JVN1B2SzRuNkpaekhwSWJQaFZVQQpadUxyK1A1d3dQUXRPS2x4U3l4SlpB\nT2s0TklUd2ZVZnB4U2ZQWWtVTS9NCi0tLSBQSGU4Q3docmRsU2RFaXh4NkFDRGta\najNud3hBd2ttNm5ZWVl2WlE4eUhVCttjnItGsd5GHFDDPL2ItUNoKbOkjdnE7OKA\nUArOm9TjFvUScNml5eoXnQ2mAZjJYnGxdxg+gWQX29ZnWQtMf4g=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1fido2-hmac1qqprw0vfpc8wzsu78quc777kmee54ln6nnsjrnrhl7nr33eh4kvkksqp05qqxj4kgfzrmrugrsvg7skx6ghh3q9xc0x0agthtkvy25d9eq7eklta5wf7s30hexkuyl5546rdz9ffa5tawlp5yweqkgccntw0ny540n2am3cqw3luhxkfmrp63kwr6mwplhr9u26wll48x0n3k5f60c7hg9a3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIGJMdmZPSkMy\nV2d1K3NsOEhMZG5DbnRQVzhuNlFqL0RwVldMVXo5ZVlEQ2MgQVEgZlFBRFNyWkNS\nRDJQaUJ3WWowTEcwaTk0Z0tiRHpQNmhkMTJZUlZHbHlEMCBtMzE5bzVQb1JmZkpy\nY0orbEs2RzBSVXA3UmZYZkRRanNnc2pHSnJjK1pLVmZOWGR4d0IwZjh1YXlkakRx\nTm5EMXR3ZjNHWGl0Ty8rcHpQbkcxRTZmZwpVbzhtWWYyVkVKMU8yU2l4Qmd2S0Fo\neHNTQ0RBSGZCY0x0TnVsQTliMlJzCi0tLSBrM2h3K00zRDBoVXZmcWdacEpKRVlG\ncU85UVUzT3V2a2JySmMvZ2hsMVQ0Cuftyp9Ufwnu/ukn+FtpneEDkGL+t/p8nyk7\nbQeAgazV1ugIQkTabP29CLiIbxz9DWdqwbBh+/kO0EvX6Z1kyZ0=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1fido2-hmac1qqpyewum3q8dfcumfgec8nn958aec9f4q9aqy0k06kw5kq27d6fdqdgp0p7y4ru3n5xk90u747xevxa2af3v37e85j9g3axrmw5hdwdfh0wz22hut5vrafxsx26a7vh8fjwkymz3ramfgvvu4detztu075kmpr8l9ydqda0rnjwatdwmfgswg849p37astvld98s3nleeq575azlwc2hhpuh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIDJiMk53aVND\nTVc1eWJTQ0g0VlVvQ2RSM01NTlp5eGJMcWR5Ym1Zdzc5Z3cgQVEgZUh4S2o1R2RE\nV0svbnErTmxodXE2bUxJK3lla2lvajB3OXVwZHJtcHU5dyBKU3I4WFJnK3BOQXl0\nZDh5NTB5ZFlteFJIM2FVTVp5cmNyRXZqL1V0c0l6L0tSb0c5ZU9jbmRXMTIwb2c1\nQjZsREgzWUxaOXBUd2pQK2NncDZuUmZkZwpDQlJ3UnRnZG9ueDRXTlY1RTZ6VWRV\ndXg0YnBQT0VMQlJDbW4zeUVFcFhRCi0tLSBvMUw0WXRwRzJMT3lIVEkzMVl3RzBO\nd0pqdmdTVWpqTnd1a0JnT2RFaHZnClM3hxods/5D8p/URVeUBaQWzfJk83LNbfC0\nw0J1xYwjS/eLpcM8mLl/iis0xvrpNyGhh4iHS9U0xraio+37KJA=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hlzrpqqgndcthq5m5yj9egfgyet2fzrxwa6ynjzwx2r22uy6m3hqr3rd06", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBseUlWZjdnWGFsNUdRR0xx\ncm5XSi9zRDk4ck8zNWxwT3R0MjRxY0dNUFFNCm5NSXV4LzVEaGU0VTBBek9WaXBR\nangxU0xoY1RIaXhiM3ZEZ0lVMUR0UzgKLS0tIE1RMGtlamhkbFYzbGl0Rjc5VXQv\nTkRmVDR4aUl4SVpSMWxjaGNKK1NXaEkKtbiv7giW8dhpjluM3JBWFYZJn2TqEQNY\nCgHXR7o4qaG67UmGpUTqxxNIpWBtI5JFiqoy2wIdOolQZ70qxfQ7Yg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1sg0rvgyetdcqw7j2x983fh69kdkvqsngpe5x36e5920qa7fze3cqhj4wgx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwekdoekt3akovTVZVVzV5\nQ3lNU05ET2dmUmRsb0dhSXlXemhPVCtGbVRRCndUWnRyVytPdzRMOVhjZzZiSlNw\nU1pLZmZhMDZGVVFhL3NJMTZjVTc1V2sKLS0tIEdtaHIra0ttdEJzUS9oTkQ4alNK\nUjRwZUdneDBSd2I5eTdSaE9TaGxla0kKk8PiulG3FCWt3YDRBB4Z5ORQF2qWnpuL\nsq5wtcFl8UpJj2/2ODLdH3mzYxc4jAg47LS4R3ThgJlhrsmr2vgAeQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1swlyyk2rzvevqawyeekv75nx2dz34zpe3xqhkqme26gcgeavy4dqrfpcd8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMa2UrOEkrbWNseEJKNEVt\nZ0dFREhTbC9ta1V3bEZDT2tJZ2x4TlVpbFhJClBJUmJJVmZxSkdsakJsMG8zNUVW\nMEdCR1YyMWtqL25zRjd4VDlIdi9DaXcKLS0tIGpBc1FxMWlDMklIeGNUSDhDYkd5\nZXduYXVkaUg5SjhCb21QaUhEK1JyMTgK40uiFSmA/D1e5XomI+H8/RjrcDS+ovK+\nYf8q1xOzNy1Mpmwke4p4Q4M30CNeutw6Ga1w2saC1oi7et+q59R+RQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VTVwejViQmowSW5YdlMv\nc2NHUEdLbmhoNlkzckVublJUR2ZuNHZRRGtZCmwrQTBuN1p6NjIzM25idWY2bTdM\nQlRsWFNiUkoyWFdWQ21VdGlqbTBudEEKLS0tIGQ4TFJsSnFlblcvM3dXalM5dG95\nWjRzeHd2LzJtUWkzSzNMTlV0SGZxZjgK+5TtNMzFyLJvKpFm1H6PeRlZ2dUSZMZf\nNWEliC0jv2AnHFow9cttBKQKl/dWFjFY+UukUjyIPr9l8rHQQrJPBw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-11-27T05:03:18Z", + "mac": "ENC[AES256_GCM,data:vqadLc/VzXgsKF2dGZYY/OvKiZ7FsaUFVcAPMEHU3El33ojbWvJHNpAKXD9RgP4yLto5lkUCNkyOoTM0OEz++iDVQg3FfRu+sRa3wiKBh5jMJTrjhdziyQGbFGtF97AUvrhLUEGPTL15gUEuFZbeDiPBBhwhyuu5covBLzY23Go=,iv:r/VJsUMA/jOM7pBFoTJzQAJ6ZXZaVGTi/RduN5kXbKs=,tag:IzgzqaVYpPaPWGkPKsOdQA==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/users/kurogeek b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/users/kurogeek new file mode 120000 index 0000000..970aefa --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai-s3/secret_access_key/users/kurogeek @@ -0,0 +1 @@ +../../../../../../sops/users/kurogeek \ No newline at end of file diff --git a/vars/per-machine/ramus/greaterchiangmai/app_key/groups/admins b/vars/per-machine/ramus/greaterchiangmai/app_key/groups/admins new file mode 120000 index 0000000..6765aa1 --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai/app_key/groups/admins @@ -0,0 +1 @@ +../../../../../../sops/groups/admins \ No newline at end of file diff --git a/vars/per-machine/ramus/greaterchiangmai/app_key/machines/ramus b/vars/per-machine/ramus/greaterchiangmai/app_key/machines/ramus new file mode 120000 index 0000000..21115e2 --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai/app_key/machines/ramus @@ -0,0 +1 @@ +../../../../../../sops/machines/ramus \ No newline at end of file diff --git a/vars/per-machine/ramus/greaterchiangmai/app_key/secret b/vars/per-machine/ramus/greaterchiangmai/app_key/secret new file mode 100644 index 0000000..46b7ce4 --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai/app_key/secret @@ -0,0 +1,50 @@ +{ + "data": "ENC[AES256_GCM,data:FrklrOhsZqUqWEJ5BA7daE4ZEXQ3DJkTcH3bcP8sdPKGPF2fWcoe906xs+XYhR6sNhmS,iv:j+TrVt+SvKzsUChUoaDdcCyeIhtgCRQdAkUXLwoqzZo=,tag:GU6yx9aqElKYqQWeg+iHRg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age134vt63pjqpd0m7702fyn8vhdlzyj2deqc2q78sp9uw9052kxsgwq6d25ez", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaHdaWUZiZ1NmZno4VUhq\nOU0rdkl5R3VWL2NJR1VOV0xYbXV1ZWdrNFU4CmxvdWdkcHV4ZmNNWVdBd0E2MU1S\nUWdCeGRqamZnN0Exa1Z1R1dEMS9xUmcKLS0tIHV0QTZ2VzBjemZaWFFOOHFEY1gz\nbEo5ckZUc3NGUXJYNzRGaytXMGRkTUkKP/hLrBUxP2BAXaS0JmcGKOWb/jUDg9BK\nj2RP5jl9wyL90Dz+ndMsAtGfGuuq352FG4J9wnn8fdTQdiHrh9pjtg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17d4qt0n9edq57tgcqyk8eu5mrendl59yt6z2y3a4vkq7el8krqtq6lq28g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbytVemhiaVBkL0o2TXNp\nUmRuR2RVYjNTVFZ4VXM1YzZOMFVEN0ZKcHhjCkVycTdsSGwvN2tZTE5lSnVnLzd1\nd252UUV6Mzk0Q3lQd1hFeXN5TmpyRFEKLS0tIDVId0hCVEQ4aVJsR3FMaENmajFm\nbW5SSGhNd0ZEYjVnQzIwMStuUU9IT2MKIFCX5CRNi5bbHytTfmXUXls8IG2x9nBn\nOw6atFk/O7kZNq5Quwk74wFykT3h/1S/Tlz2eZA7rUgF7Pqai0XpLg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1egztkqupggjcpy4g9tfwq6kqeh3ljw7enzhx4l53hjge73wmdscqy5qwfp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bTVxQ1ZkWlhBZkxiWE9m\nQm9xekc0cUF2OW9MaFZVSlJRUEpTOU1lZEQwClA3WUdzengyNWQrUml6ZlNrelBX\nK25Pc2dpNUVvNGo1eGhOVTZhSnlocmsKLS0tIEpYU0dweHdJVHk3YU1aZnVtZTFl\nNTdDbEhzL1pyUDR2OUhxUDV0T01kQ1EKihsOo/CvahfHQJnA4q3VOYsQI2OnhdBZ\nDW1Lwm/n50Ju8OPH8FLbJs+YhXUGicnolWvCjP4MYX9/eY+lXMek4w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1fido2-hmac1qqpf43tgcfjm048lsqskvq34w2t4uvrm5qy6m2eg6zjj82ctca8wctgpczxvj0q4y6337uhvsxdh5j86k9h9ymautpvv2759ucwnef75ez7pa7fpkddklp40mxk2tedsp74359g0kefn5rsq0x0yss6cu4yd0h06up0rp08t6yc4l0hfa9y8jn5fkx6nk0hjhz06ykwv0fyxe7z42q683jy0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIHp6bzZ0QWVz\nY2hGV0lqR1p1OHJWbHVjb3M1V1phSEhNanhHM2s3V3FIaEUgQVEgd0l6SlBCVW1v\neDl5N0lHYmVrajZzVzVTYjd4WVdNVjZoZVlkUEtmVXlMdyBIdmtoczF0dmhxL1py\nS1hsc0ErckdoVVB0bE02RGdCNW5raERXT1ZJMTkzNjRGNHd2T3ZSTVYrKzZlbEll\nVTZKc2JVN1B2SzRuNkpaekhwSWJQaFZVQQo5aFo1VTBGdXhXSHJlMnlzUjRWd0xa\nY0VQWGdqdFR5TExURHdhOHVFamdVCi0tLSBJa0RMMWNLQmJ6Y1BZTlllN1l3YVBE\nbmlCNC9mVVk1aE5td0NHQ2tER0Q4CnqBm+ck8LH3L0xQZ8N7SiZNv8DVk/nodLKS\ncGY2yJ3Mp1YkP0zSPEnDSN72aEJLKk5lUb++vPJM/mPlNW9LnU8=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1fido2-hmac1qqprw0vfpc8wzsu78quc777kmee54ln6nnsjrnrhl7nr33eh4kvkksqp05qqxj4kgfzrmrugrsvg7skx6ghh3q9xc0x0agthtkvy25d9eq7eklta5wf7s30hexkuyl5546rdz9ffa5tawlp5yweqkgccntw0ny540n2am3cqw3luhxkfmrp63kwr6mwplhr9u26wll48x0n3k5f60c7hg9a3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIFBaV0prTU1C\nMDdhZkJ1bDBwT3pyM085cHY5OGpRbXRwenFiTnA4d2JEWEUgQVEgZlFBRFNyWkNS\nRDJQaUJ3WWowTEcwaTk0Z0tiRHpQNmhkMTJZUlZHbHlEMCBtMzE5bzVQb1JmZkpy\nY0orbEs2RzBSVXA3UmZYZkRRanNnc2pHSnJjK1pLVmZOWGR4d0IwZjh1YXlkakRx\nTm5EMXR3ZjNHWGl0Ty8rcHpQbkcxRTZmZwpjS0ZnbndqQ1lUOXV5RVJDU002K3RX\ndnlNNHFMZXZkMS9WZ1ZsM3VGY0JRCi0tLSBodVRjUURKSThxN1B5RVhiWFFjeUh4\nYTZ4Z1Byb3VzWDR3b1kzajYrcTFNCqG/9SHNfZUi1Qq+dAzUIHfyXnnwzsZ552yF\noHndHC0dXLOkRWMfDagvMSnKlMSZi8Y8dV52YQrcRPjFeLi/1Wo=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1fido2-hmac1qqpyewum3q8dfcumfgec8nn958aec9f4q9aqy0k06kw5kq27d6fdqdgp0p7y4ru3n5xk90u747xevxa2af3v37e85j9g3axrmw5hdwdfh0wz22hut5vrafxsx26a7vh8fjwkymz3ramfgvvu4detztu075kmpr8l9ydqda0rnjwatdwmfgswg849p37astvld98s3nleeq575azlwc2hhpuh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IGZpZG8yLWhtYWMgQUFJIHhQcDUvK1NY\nQkdHMGxZZUpTTUZTOU1sTmk0RzcydTljbjJwVDdUalRwWEUgQVEgZUh4S2o1R2RE\nV0svbnErTmxodXE2bUxJK3lla2lvajB3OXVwZHJtcHU5dyBKU3I4WFJnK3BOQXl0\nZDh5NTB5ZFlteFJIM2FVTVp5cmNyRXZqL1V0c0l6L0tSb0c5ZU9jbmRXMTIwb2c1\nQjZsREgzWUxaOXBUd2pQK2NncDZuUmZkZwp3T1o4a291ZlFBS0JKeHpxUHdhaFlr\nSytONTNNVEJ2SlJuS1FYRUh5T0NJCi0tLSBybzZXWmdDSjZaamxXU0VWK01MRmpr\ncU5wMWdkbjdON0dNd2Vkcis1VWw0CmjgMsd3l/GgRk68+2LeziHjZwEx9SsMZb+O\nn6ZhyW5lRGxdl18/OKeVIkkwColYLSX9juElDh9SsXkeKjC8Z+g=\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hlzrpqqgndcthq5m5yj9egfgyet2fzrxwa6ynjzwx2r22uy6m3hqr3rd06", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTazVRNG4xdzN3YmRrZzFG\nangyWWxlWmFpODBPN1BnL2J0d0x1N015Z0NrClR1NVkza21OczdkMGkwSFBTWVJG\nR3Z5N2FZcDlxVDVPR1JjcTV2Rklob0UKLS0tIEErNjg2eE96UVZBek5QL1p4VmN2\nSWxWbTZNN0JkUW1XOVYyZSs0R3JFRTAKYpp5LGQIkDS3GWz7AZ3gLLd6YMhfUsll\n9iT4zKQ2ib40bQtRfYvCo5eFXHj1BJrPFtishfspdzByX03eYwg5PA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1sg0rvgyetdcqw7j2x983fh69kdkvqsngpe5x36e5920qa7fze3cqhj4wgx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNzFEODdNWDRMUi90MHZX\nd2ErbFplVkdMNDV5ZHVJQlZSNHg1Y3FqL1F3CnVMVktDWllVeGJZNnJHM3VIRlMy\nTjNPZjNGdk5TY3hYdmNrVVZob2srSlkKLS0tIFlMVU5ZSDhIZ1VqN1REbTB6dG1n\naUZ1U0UyRi9yY2dNTWl4WVZnZXk5STQKyimXHdozwSCJnYvdciMqiYHhVappCaAn\nCGzPUGikDK+WZj+wBrecl8wkLrCy/RwN/LZQTkj3owj3WUAGkLqg2Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1swlyyk2rzvevqawyeekv75nx2dz34zpe3xqhkqme26gcgeavy4dqrfpcd8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFRkNuNmc1S0ZIWUpkdmJP\nSkhaTFdoSHpVOGR4TmZET2w0cjJRbkl3TW5RCk9Uc0RPQ3pZcmFiM3lwQWd5YS9K\naFZHOG9ZZU03WEdYNmIxU2lZUTRjZjQKLS0tIFpZQjRvVTBsRVpJQVZHaWY0cTZF\nTG1PdjlkbWRsQ0txT05XSFJDMmVTV2MKaXkWVtyJowmWVYqsSg/Y9MD1FXBI3tfI\nWAwqsreW6FeDbNbYwGZ/+848CDAtKnCepO+0VNhx6QfF6YKP9Fji7w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxU29QdkJZTG9HeUlUOG5x\nZFZ6ZFZiWHlnZlRVZlV5TnVTU2pMMlg1T2lzCnh4dHJmbkl5Y0lkMU1qVUdINzEx\nc1pFK09yMHlPZDVWc29ZQjNDclZBU1kKLS0tIFc5c1lIRWhwYy9VK3kvS2F4ZENK\nWVY1dWs3ZmdJcTJFQmFqQ1NvQ3pHczQKGg8HfFSUbGamKeDgA69ACvxCyPgIcywV\nbQvu04Bkxxf4chOna+cxYDbMAa49IDHQwFHF9XKyIZKshJcyp6WmVg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-11-27T05:03:17Z", + "mac": "ENC[AES256_GCM,data:J8XJzKU9uID+klDDCsDMPrV8aDEdC5ENXlZEAy8pSKcnNYM5bQk8QylnEIydlmbwOMISScGfBA2EqnKtDSX3dOn2Yray2iUj82z23+/ewyOYXfMH5NY2ne4Cf9J3TJG/UwTSz+i09v0p9dTsQBCzRWU3SyQS1I5TPkXJFjJbnto=,iv:FqowVcZ1GEqEnyzKcKB+1LgBZhAffJH4V+KjyMHsxyo=,tag:BVfAoPoaufX37fhYmoATRQ==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/ramus/greaterchiangmai/app_key/users/kurogeek b/vars/per-machine/ramus/greaterchiangmai/app_key/users/kurogeek new file mode 120000 index 0000000..970aefa --- /dev/null +++ b/vars/per-machine/ramus/greaterchiangmai/app_key/users/kurogeek @@ -0,0 +1 @@ +../../../../../../sops/users/kurogeek \ No newline at end of file diff --git a/vars/shared/acme/email/value b/vars/shared/acme/email/value new file mode 100644 index 0000000..558e1cb --- /dev/null +++ b/vars/shared/acme/email/value @@ -0,0 +1 @@ +contact@lmvhaus.com \ No newline at end of file