Add pallas as staging server

Author: jhh

nix/hosts/pallas/configuration.nix

@@ -0,0 +1,23 @@
+{
+  flake,
+  inputs,
+  pkgs,
+  perSystem,
+  ...
+}:
+{
+  imports = [
+    inputs.staging.nixosModules.hardware-proxmox-lxc
+    inputs.staging.nixosModules.server-j3ff
+    inputs.srvos.nixosModules.mixins-nginx
+    flake.nixosModules.strykeforce-website
+    ./postgresql.nix
+    ./strykeforce-sync.nix
+    ./strykeforce-website.nix
+  ];
+
+  networking.hostName = "pallas";
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  system.stateVersion = "21.11";
+}

nix/hosts/pallas/postgresql.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+let
+  backupDir = "/mnt/backup/postgres";
+in
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_15;
+    settings = {
+      unix_socket_directories = "/run/postgresql";
+    };
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    databases = [ "strykeforce" ];
+    pgdumpOptions = "--clean";
+  };
+
+  age.secrets.pgadmin_passwd = pkgs.lib.mkIf config.services.pgadmin.enable {
+    file = ../../secrets/pgadmin_passwd.age;
+    owner = "pgadmin";
+    group = "pgadmin";
+  };
+
+  services.pgadmin = {
+    enable = false;
+    initialEmail = "[email protected]";
+    initialPasswordFile = "${config.age.secrets.pgadmin_passwd.path}";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+
+    virtualHosts."pgadmin.j3ff.io" = {
+
+      locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:5050";
+        };
+
+      };
+    };
+  };
+
+}

nix/hosts/pallas/strykeforce-sync.nix

@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+{
+  age.secrets.aws_credentials = {
+    file = ../../secrets/aws_secret.age;
+    path = "/root/.aws/credentials";
+  };
+
+  systemd.services.copy-aws-config =
+    let
+      aws-config = (pkgs.formats.ini { }).generate "aws-config-root" {
+        default = {
+          region = "us-east-2";
+          output = "json";
+        };
+      };
+    in
+    {
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.coreutils}/bin/ln -sf ${aws-config} /root/.aws/config";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+
+  environment.systemPackages =
+    let
+      sync-script = pkgs.writeShellApplication {
+        name = "strykeforce-sync";
+        runtimeInputs = with pkgs; [
+          awscli2
+          gzip
+          postgresql_15
+          rclone
+        ];
+
+        text = ''
+          if [ "$EUID" -ne 0 ]
+            then echo "Please run as root"
+            exit
+          fi
+          systemctl stop strykeforce-website.service
+
+          STRYKEFORCE_DIR=/var/lib/strykeforce
+          SQL_FILE=$(mktemp -t XXXXXXXXXX.sql.gz)
+
+          aws s3 cp s3://www.strykeforce.org/sql/strykeforce.sql.gz "$SQL_FILE"
+          rclone -v sync s3://www.strykeforce.org/media/ $STRYKEFORCE_DIR/media
+          chown -R strykeforce:strykeforce $STRYKEFORCE_DIR/media
+
+
+          sudo -u postgres -H -- psql -tAc 'DROP DATABASE IF EXISTS "strykeforce"'
+          sudo -u postgres -H -- psql -tAc 'CREATE DATABASE "strykeforce"'
+          sudo -u postgres -H -- psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='strykeforce'" | grep -q 1 || psql -tAc 'CREATE USER "strykeforce"'
+          sudo -u postgres -H -- psql -tAc 'GRANT ALL PRIVILEGES ON DATABASE strykeforce TO "strykeforce"'
+
+          zcat "$SQL_FILE" | sudo -u postgres -H -- psql -d strykeforce
+          systemctl start strykeforce-website.service
+          systemctl start redis.service
+        '';
+      };
+    in
+    [ sync-script ];
+}

nix/hosts/pallas/strykeforce-website.nix

@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+  age.secrets.stryker_website_secrets = {
+    file = ../../secrets/strykeforce_website_secrets.age;
+  };
+  strykeforce.services.website = {
+    enable = true;
+    ssl = false;
+    settingsModule = "website.settings.production";
+    secrets = [ config.age.secrets.stryker_website_secrets.path ];
+    allowedHosts = "*";
+  };
+
+  services.nginx.virtualHosts."strykeforce.j3ff.io" = {
+    locations = {
+      "/" = {
+        proxyPass = "http://127.0.0.1:8000";
+      };
+
+      "/media/" = {
+        alias = "/var/lib/strykeforce/media/";
+        extraConfig = ''
+          expires max;
+          add_header Cache-Control public;
+        '';
+      };
+    };
+  };
+}