From 79a41f7e49f38b0ac7e72399cbf2d914642b6353 Mon Sep 17 00:00:00 2001 From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Fri, 3 Jan 2025 11:44:53 +0100 Subject: [PATCH 1/7] Update flake nixpkgs commit --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index d052ebf..119d99f 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1729256560, - "narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=", + "lastModified": 1735471104, + "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0", + "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4", "type": "github" }, "original": { From 8bb4549fa47b57d77d63e3330aa5f066ecdb944f Mon Sep 17 00:00:00 2001 From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Fri, 3 Jan 2025 15:58:12 +0100 Subject: [PATCH 2/7] Update dev vm and module --- nix/dev-vm.nix | 26 +++++++++++++------------- nix/module.nix | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/nix/dev-vm.nix b/nix/dev-vm.nix index a244d77..683a630 100644 --- a/nix/dev-vm.nix +++ b/nix/dev-vm.nix @@ -20,9 +20,20 @@ password = "dev"; }; - systemd.tmpfiles.rules = [ "d /var/www/archtika-websites 0777 root root -" ]; + systemd.tmpfiles.settings = { + "10-archtika" = { + "/var/www/archtika-websites" = { + d = { + mode = "0777"; + user = "root"; + group = "root"; + }; + }; + }; + }; virtualisation = { + msize = 65536; graphics = false; memorySize = 2048; cores = 2; 
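Review bot: The rewritten tmpfiles entry keeps `mode = "0777";` on `/var/www/archtika-websites`, so every account in the VM can write into the tree that nginx serves. The only service that appears to need write access there is the PostgreSQL unit (its `path` gains gnutar/gzip further down this file, presumably for exports), so a group-writable directory owned by that unit's group, e.g. `mode = "2775";` together with the matching `group`, expresses the intent more narrowly; which group that is depends on how the unit runs and is not visible here.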
@@ -51,23 +62,13 @@ services = { postgresql = { enable = true; - package = pkgs.postgresql_16; - /* - PL/Perl: - overrideAttrs ( - finalAttrs: previousAttrs: { - buildInputs = previousAttrs.buildInputs ++ [ pkgs.perl ]; - configureFlags = previousAttrs.configureFlags ++ [ "--with-perl" ]; - } - ); - */ ensureDatabases = [ "archtika" ]; authentication = lib.mkForce '' local all all trust host all all all trust ''; enableTCPIP = true; - extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ]; + extensions = ps: with ps; [ pgjwt ]; }; nginx = { enable = true; @@ -105,7 +106,6 @@ systemd.services.postgresql = { path = with pkgs; [ - # Tar and gzip are needed for tar.gz exports gnutar gzip ]; diff --git a/nix/module.nix b/nix/module.nix index f2ad9e3..929f230 100644 --- a/nix/module.nix +++ b/nix/module.nix @@ -177,14 +177,14 @@ in "postgres://${user}@127.0.0.1:${toString config.services.postgresql.settings.port}/${cfg.databaseName}"; in '' - JWT_SECRET=$(tr -dc "A-Za-z0-9" < /dev/urandom | head -c64) + JWT_SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c64) psql ${dbUrl "postgres"} \ -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'" \ -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_storage_size\" TO ${toString cfg.settings.maxWebsiteStorageSize}" \ -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_number_user\" TO ${toString cfg.settings.maxUserWebsites}" - dbmate --url ${dbUrl "postgres"}?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up + ${pkgs.dbmate} --url ${dbUrl "postgres"}?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up PGRST_SERVER_CORS_ALLOWED_ORIGINS="https://${cfg.domain}" \ PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} \ From dd59e995e8a3f4af33521bd654c3005d6023ab76 Mon Sep 17 00:00:00 2001 
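Review bot: The generated secret is still handed to psql on its command line in the `-c "ALTER DATABASE … TO '$JWT_SECRET'"` argument, so it is readable from the process list by any local account for the duration of that call; feeding the statements to psql over stdin (a heredoc) keeps it out of argv. The `tr -dc 'A-Za-z0-9'` filter on the first changed line is also what makes the unquoted interpolation of `$JWT_SECRET` into the SQL string literal injection-safe, and that coupling deserves a comment such as `# alphanumeric only: the value is interpolated into a SQL string literal below`. The shell script these lines belong to starts and ends outside the hunk.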
From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Fri, 3 Jan 2025 16:02:16 +0100 Subject: [PATCH 3/7] Update module --- nix/module.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/module.nix b/nix/module.nix index 929f230..b95dabc 100644 --- a/nix/module.nix +++ b/nix/module.nix @@ -184,7 +184,7 @@ in -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_storage_size\" TO ${toString cfg.settings.maxWebsiteStorageSize}" \ -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_number_user\" TO ${toString cfg.settings.maxUserWebsites}" - ${pkgs.dbmate} --url ${dbUrl "postgres"}?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up + ${pkgs.dbmate}/bin/dbmate --url ${dbUrl "postgres"}?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up PGRST_SERVER_CORS_ALLOWED_ORIGINS="https://${cfg.domain}" \ PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} \ From f0ebb94d82b2f77e8e17598f0072438e1bbe4ece Mon Sep 17 00:00:00 2001 From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Fri, 3 Jan 2025 17:28:02 +0100 Subject: [PATCH 4/7] Give read permissions to restricted postgres service in module --- nix/dev-vm.nix | 4 ++++ nix/module.nix | 11 +++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/nix/dev-vm.nix b/nix/dev-vm.nix index 683a630..d5f13a8 100644 --- a/nix/dev-vm.nix +++ b/nix/dev-vm.nix @@ -109,6 +109,10 @@ gnutar gzip ]; + + serviceConfig = { + ReadWritePaths = [ "/var/www/archtika-websites" ]; + }; }; services.getty.autologinUser = "dev"; diff --git a/nix/module.nix b/nix/module.nix index b95dabc..f5e17d6 100644 --- a/nix/module.nix +++ b/nix/module.nix @@ -162,7 +162,6 @@ in Group = cfg.group; Restart = "always"; WorkingDirectory = "${cfg.package}/rest-api"; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" 
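Review bot: The `--url` and `--migrations-dir` values on the corrected dbmate line are unquoted, so if `cfg.databaseName` is not constrained by its option type the URL is subject to word splitting, and the `?` in `?sslmode=disable` is subject to pathname expansion; `${pkgs.dbmate}/bin/dbmate --url "${dbUrl "postgres"}?sslmode=disable" --migrations-dir "${cfg.package}/rest-api/db/migrations" up` is the safe form, and the same quoting applies to the `psql ${dbUrl "postgres"} \` invocation above it. The script this line belongs to starts and ends outside the hunk.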
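Review bot: `ReadWritePaths = [ "/var/www/archtika-websites" ];` gives the PostgreSQL unit write access to the whole served tree, not the read access the commit title describes, and combined with the 0777 tmpfiles entry earlier in this file it means any database-side code that can be made to write files can place content where nginx serves it. If the export feature only needs one subdirectory, list that subdirectory instead and add a comment naming the feature that needs it; note that `ReadWritePaths` only takes effect where the unit already runs under `ProtectSystem=strict` or a `ReadOnlyPaths` list, which the upstream postgresql unit presumably does. nix/module.nix in this patch adds the identical setting and the same applies there. That file's other two hunks drop `RestrictAddressFamilies = [` from the rest-api and web-app units, but as rendered both are cut after `"AF_INET6"`, so whether the restriction is removed or merely rewritten cannot be checked here.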
@@ -208,7 +207,6 @@ in Group = cfg.group; Restart = "always"; WorkingDirectory = "${cfg.package}/web-app"; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" @@ -236,8 +234,13 @@ in extensions = ps: with ps; [ pgjwt ]; }; - systemd.services.postgresql.path = builtins.attrValues { - inherit (pkgs) gnutar gzip; + systemd.services.postgresql = { + path = builtins.attrValues { + inherit (pkgs) gnutar gzip; + }; + serviceConfig = { + ReadWritePaths = [ "/var/www/archtika-websites" ]; + }; }; services.nginx = { From 4af15717f42cb4ca41aff9e45625ae2183f54ce4 Mon Sep 17 00:00:00 2001 From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Sat, 4 Jan 2025 20:33:00 +0100 Subject: [PATCH 5/7] Refactor flake api package and adjust prod nix config --- .github/workflows/test.yml | 6 +-- flake.nix | 43 +++++++++++++------ nix/deploy/prod/default.nix | 24 ++++++++--- nix/deploy/qs/default.nix | 2 - nix/docker.nix | 2 +- web-app/package.json | 2 +- web-app/playwright.config.ts | 4 +- web-app/src/lib/db-schema.ts | 2 +- web-app/src/lib/server/utils.ts | 4 +- .../[websiteId]/publish/+page.server.ts | 8 ++-- 10 files changed, 60 insertions(+), 37 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9f0ea99..44eea8f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -23,7 +23,7 @@ jobs: run: | wait_for_postgres() { echo "Waiting for PostgreSQL to be ready..." - while ! nix shell nixpkgs#postgresql_16 -c pg_isready -h localhost -p 15432 -U postgres; do + while ! nix shell nixpkgs#postgresql_16 -c pg_isready -h 127.0.0.1 -p 15432 -U postgres; do sleep 1 done echo "PostgreSQL is ready." 
@@ -31,10 +31,10 @@ jobs: wait_for_postgrest() { echo "Waiting for PostgREST to be live and ready..." - while ! curl -s -I "http://localhost:3001/live" | grep "OK"; do + while ! curl -s -I "http://127.0.0.1:3001/live" | grep "OK"; do sleep 1 done - while ! curl -s -I "http://localhost:3001/ready" | grep "OK"; do + while ! curl -s -I "http://127.0.0.1:3001/ready" | grep "OK"; do sleep 1 done echo "PostgREST is live and ready." diff --git a/flake.nix b/flake.nix index 16c72e7..5936647 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,8 @@ ]; forAllSystems = nixpkgs.lib.genAttrs allSystems; + + dbUrl = user: "postgres://${user}@127.0.0.1:15432/archtika"; in { devShells = forAllSystems ( @@ -24,13 +26,13 @@ { api = pkgs.mkShell { packages = with pkgs; [ - postgresql_16 + postgresql postgrest ]; shellHook = '' - alias dbmate="${pkgs.dbmate}/bin/dbmate --no-dump-schema --url postgres://postgres@localhost:15432/archtika?sslmode=disable" + alias dbmate="${pkgs.dbmate}/bin/dbmate --no-dump-schema --url ${dbUrl "postgres"}?sslmode=disable" alias formatsql="${pkgs.pgformatter}/bin/pg_format -s 2 -f 2 -U 2 -i db/migrations/*.sql" - alias dbconnect="${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika" + alias dbconnect="${pkgs.postgresql_16}/bin/psql ${dbUrl "postgres"}" ''; }; web = pkgs.mkShell { 
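Review bot: The `dbconnect` alias still resolves psql from `${pkgs.postgresql_16}` although the shell's `packages` list on the line above was just switched to `postgresql`, so unless the two attributes happen to point at the same version the shell carries two PostgreSQL builds and a psql that may not match the server. Using `alias dbconnect="${pkgs.postgresql}/bin/psql ${dbUrl "postgres"}"`, or simply `psql` since it is already on PATH through `packages`, keeps the shell consistent with the `pkgs.postgresql` switch made in nix/docker.nix in this same commit.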
@@ -65,19 +67,32 @@ { api = { type = "app"; - program = "${pkgs.writeShellScriptBin "api-setup" '' - JWT_SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c64) - WEBSITE_MAX_STORAGE_SIZE=100 - WEBSITE_MAX_NUMBER_USER=3 + program = + let + settings = { + maxStorage = 100; + maxWebsites = 3; + }; + jwtSecret = "BMlgCY9fEzmf7jhQpNnxlS6TM8E6xk2vS08C3ukm5LM2aTooaF5PfxT3o2K9uKzq"; + in + "${pkgs.writeShellScriptBin "api-setup" '' + psql ${dbUrl "postgres"} \ + -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO '${jwtSecret}'" \ + -c "ALTER DATABASE archtika SET \"app.website_max_storage_size\" TO ${toString settings.maxStorage}" \ + -c "ALTER DATABASE archtika SET \"app.website_max_number_user\" TO ${toString settings.maxWebsites}" - ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO '$JWT_SECRET'" - ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.website_max_storage_size\" TO $WEBSITE_MAX_STORAGE_SIZE" - ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.website_max_number_user\" TO $WEBSITE_MAX_NUMBER_USER" + ${pkgs.dbmate}/bin/dbmate --no-dump-schema \ + --url ${dbUrl "postgres"}?sslmode=disable \ + --migrations-dir ${self.outPath}/rest-api/db/migrations up - ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable --migrations-dir ${self.outPath}/rest-api/db/migrations up - - PGRST_ADMIN_SERVER_PORT=3001 PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest - ''}/bin/api-setup"; + PGRST_ADMIN_SERVER_PORT=3001 \ + PGRST_DB_SCHEMAS="api" \ + PGRST_DB_ANON_ROLE="anon" \ + PGRST_OPENAPI_MODE="ignore-privileges" \ + PGRST_DB_URI="${dbUrl "authenticator"}" \ + 
PGRST_JWT_SECRET="${jwtSecret}" \ + ${pkgs.postgrest}/bin/postgrest + ''}/bin/api-setup"; }; } ); diff --git a/nix/deploy/prod/default.nix b/nix/deploy/prod/default.nix index 0ac3906..69984d4 100644 --- a/nix/deploy/prod/default.nix +++ b/nix/deploy/prod/default.nix @@ -1,4 +1,7 @@ { pkgs, localArchtikaPackage, ... }: +let + domain = "demo.archtika.com"; +in { imports = [ ./hardware-configuration.nix @@ -6,19 +9,26 @@ ../../module.nix ]; - networking.hostName = "archtika-demo"; + networking.hostName = "archtika-qs"; services.archtika = { enable = true; package = localArchtikaPackage; - domain = "demo.archtika.com"; - acmeEmail = "thilo.hohlt@tutanota.com"; - dnsProvider = "porkbun"; - dnsEnvironmentFile = /var/lib/porkbun.env; + inherit domain; settings = { disableRegistration = true; - maxWebsiteStorageSize = 50; - maxUserWebsites = 2; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "thilo.hohlt@tutanota.com"; + certs."${domain}" = { + inherit domain; + extraDomainNames = [ "*.${domain}" ]; + dnsProvider = "porkbun"; + environmentFile = /var/lib/porkbun.env; + group = "nginx"; }; }; } diff --git a/nix/deploy/qs/default.nix b/nix/deploy/qs/default.nix index 8b2dcc4..06202df 100644 --- a/nix/deploy/qs/default.nix +++ b/nix/deploy/qs/default.nix @@ -17,8 +17,6 @@ in inherit domain; settings = { disableRegistration = true; - maxWebsiteStorageSize = 50; - maxUserWebsites = 2; }; }; diff --git a/nix/docker.nix b/nix/docker.nix index 4393df0..e7f8c31 100644 --- a/nix/docker.nix +++ b/nix/docker.nix @@ -26,7 +26,7 @@ pkgs.dockerTools.buildLayeredImage { contents = [ archtika entrypoint - pkgs.postgresql_16 + pkgs.postgresql pkgs.nginx pkgs.acme-sh pkgs.bash diff --git a/web-app/package.json b/web-app/package.json index 7f171a0..440c02c 100644 --- a/web-app/package.json +++ b/web-app/package.json 
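Review bot: `jwtSecret` is now a fixed string committed in flake.nix and is installed both as `app.jwt_secret` and as `PGRST_JWT_SECRET`, replacing the per-run value the removed lines drew from /dev/urandom, so anyone who has read the repository can mint valid tokens for any instance started with this app. That is tolerable only while the app is strictly a local dev/CI helper, and the constant should carry a comment saying so and why it is fixed, e.g. `# dev-only secret; reproducible on purpose, never reuse outside this app`; reading it from an environment variable with the constant as the fallback would let the previous random behaviour remain available. As far as I recall PostgREST binds all IPv4 interfaces unless `PGRST_SERVER_HOST` is set, so with a public secret it is worth adding `PGRST_SERVER_HOST=127.0.0.1 \` next to the other `PGRST_*` variables.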
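Review bot: `networking.hostName = "archtika-qs";` in nix/deploy/prod/default.nix looks like a copy from the qs deployment; the previous value `"archtika-demo"` matched the `demo.archtika.com` domain bound above, so this is probably unintended. Separately, `environmentFile = /var/lib/porkbun.env;` is a Nix path literal; depending on how the acme module consumes the value, a path literal can be copied into the world-readable Nix store at evaluation time, whereas the string form `environmentFile = "/var/lib/porkbun.env";` is always used by reference at runtime, which is what a DNS-provider credential needs.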
@@ -11,7 +11,7 @@ "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch", "lint": "prettier --check . && eslint .", "format": "prettier --write .", - "gents": "pg-to-ts generate -c postgres://postgres@localhost:15432/archtika -o src/lib/db-schema.ts -s internal --datesAsStrings" + "gents": "pg-to-ts generate -c postgres://postgres@127.0.0.1:15432/archtika -o src/lib/db-schema.ts -s internal --datesAsStrings" }, "devDependencies": { "@playwright/test": "1.47.0", diff --git a/web-app/playwright.config.ts b/web-app/playwright.config.ts index 1204801..b058fc4 100644 --- a/web-app/playwright.config.ts +++ b/web-app/playwright.config.ts @@ -3,10 +3,10 @@ import { type PlaywrightTestConfig, devices } from "@playwright/test"; const config: PlaywrightTestConfig = { webServer: { command: "npm run build && npm run preview", - url: "http://localhost:4173" + url: "http://127.0.0.1:4173" }, use: { - baseURL: "http://localhost:4173", + baseURL: "http://127.0.0.1:4173", video: "retain-on-failure" }, testDir: "./tests", diff --git a/web-app/src/lib/db-schema.ts b/web-app/src/lib/db-schema.ts index 798c35b..31619ff 100644 --- a/web-app/src/lib/db-schema.ts +++ b/web-app/src/lib/db-schema.ts @@ -5,7 +5,7 @@ * AUTO-GENERATED FILE - DO NOT EDIT! * * This file was automatically generated by pg-to-ts v.4.1.1 - * $ pg-to-ts generate -c postgres://username:password@localhost:15432/archtika -t article -t change_log -t collab -t docs_category -t footer -t header -t home -t media -t settings -t user -t website -s internal + * $ pg-to-ts generate -c postgres://username:password@127.0.0.1:15432/archtika -t article -t change_log -t collab -t docs_category -t footer -t header -t home -t media -t settings -t user -t website -s internal * */ diff --git a/web-app/src/lib/server/utils.ts b/web-app/src/lib/server/utils.ts index c5b41d4..ab555be 100644 --- a/web-app/src/lib/server/utils.ts +++ b/web-app/src/lib/server/utils.ts 
@@ -1,8 +1,8 @@ import { dev } from "$app/environment"; export const API_BASE_PREFIX = dev - ? "http://localhost:3000" - : `${process.env.ORIGIN ? `${process.env.ORIGIN}/api` : "http://localhost:3000"}`; + ? "http://127.0.0.1:3000" + : `${process.env.ORIGIN ? `${process.env.ORIGIN}/api` : "http://127.0.0.1:3000"}`; export const REGISTRATION_IS_DISABLED = dev ? false diff --git a/web-app/src/routes/(authenticated)/website/[websiteId]/publish/+page.server.ts b/web-app/src/routes/(authenticated)/website/[websiteId]/publish/+page.server.ts index f606e7e..51bd655 100644 --- a/web-app/src/routes/(authenticated)/website/[websiteId]/publish/+page.server.ts +++ b/web-app/src/routes/(authenticated)/website/[websiteId]/publish/+page.server.ts @@ -98,17 +98,17 @@ const generateStaticFiles = async ( ) => { const websitePreviewUrl = `${ dev - ? "http://localhost:18000" + ? "http://127.0.0.1:18000" : process.env.ORIGIN ? process.env.ORIGIN - : "http://localhost:18000" + : "http://127.0.0.1:18000" }/previews/${websiteData.id}/`; const websiteProdUrl = dev - ? `http://localhost:18000/${websiteData.user.username}/${websiteData.slug}` + ? `http://127.0.0.1:18000/${websiteData.user.username}/${websiteData.slug}` : process.env.ORIGIN ? `${process.env.ORIGIN.replace("//", `//${websiteData.user.username}.`)}/${websiteData.slug}` - : `http://localhost:18000/${websiteData.user.username}/${websiteData.slug}`; + : `http://127.0.0.1:18000/${websiteData.user.username}/${websiteData.slug}`; const fileContents = (head: string, body: string) => { return ` From 32a3e7f69481d80091830cbf0508372c9d45645d Mon Sep 17 00:00:00 2001 From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Sat, 4 Jan 2025 20:47:29 +0100 Subject: [PATCH 6/7] Adjust playwright config options back to localhost --- web-app/playwright.config.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web-app/playwright.config.ts b/web-app/playwright.config.ts index b058fc4..1204801 100644 
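Review bot: On the non-dev branch the changed line wraps a ternary that already produces a string in a second template literal, so the outer backticks and `${…}` add nothing and the line can keep just the inner `process.env.ORIGIN ? … : "http://127.0.0.1:3000"` ternary. Hoisting the fallback origin into a named constant would also remove the literal duplicated between the two branches. The truthiness test on `process.env.ORIGIN` means an empty string falls back as well, which may be intended; switching to `??` would change that.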
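Review bot: The fallback origin `http://127.0.0.1:18000` is spelled out four times across the two URL computations and the `dev`/`process.env.ORIGIN` decision is taken twice, so the two values can drift apart; deriving a single `origin` once and building both URLs from it reads more clearly, as below. The `.replace("//", …)` call splices `websiteData.user.username` into the host part of the production URL, which only yields a valid host if usernames are restricted to hostname-safe characters elsewhere; that validation is not visible from here. `generateStaticFiles` starts before this hunk and continues after it.
```typescript
const generateStaticFiles = async (
  // … unchanged: parameters …
) => {
  const localOrigin = "http://127.0.0.1:18000";
  // `||` keeps the original truthiness check: an empty ORIGIN also falls back.
  const origin = dev ? undefined : process.env.ORIGIN || undefined;
  const websitePreviewUrl = `${origin ?? localOrigin}/previews/${websiteData.id}/`;
  const websiteProdUrl =
    origin === undefined
      ? `${localOrigin}/${websiteData.user.username}/${websiteData.slug}`
      : `${origin.replace("//", `//${websiteData.user.username}.`)}/${websiteData.slug}`;
  // … unchanged: fileContents and the rest of the body …
```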
--- a/web-app/playwright.config.ts +++ b/web-app/playwright.config.ts @@ -3,10 +3,10 @@ import { type PlaywrightTestConfig, devices } from "@playwright/test"; const config: PlaywrightTestConfig = { webServer: { command: "npm run build && npm run preview", - url: "http://127.0.0.1:4173" + url: "http://localhost:4173" }, use: { - baseURL: "http://127.0.0.1:4173", + baseURL: "http://localhost:4173", video: "retain-on-failure" }, testDir: "./tests", From d570fb6906c283cd4b6898539c24546567e65bb7 Mon Sep 17 00:00:00 2001 From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Tue, 7 Jan 2025 19:33:26 +0100 Subject: [PATCH 7/7] Update SSH public keys for servers --- nix/deploy/shared.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nix/deploy/shared.nix b/nix/deploy/shared.nix index cf3f334..29a57cd 100644 --- a/nix/deploy/shared.nix +++ b/nix/deploy/shared.nix @@ -32,7 +32,7 @@ users = { root = { openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFE42q8e7egSSTs4YJo8vQFDbRWqrGTQkR1weq8nT0Zx thiloho@pc" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlDyJt72c/mxyN9cujc081J3uzWCyKtr4k2faBtgldD thiloho@pc" ]; hashedPassword = "$y$j9T$MuWDs5Ind6VPEM78u5VTy/$XAuRCaOPtS/8Vj8XgpxB/XX2ygftNLql2VrFWcC/sq7"; }; @@ -44,8 +44,7 @@ ]; hashedPassword = "$y$j9T$Y0ffzVb7wrZSdCKbiYHin0$oahgfFqH/Eep6j6f4iKPETEfGZSOkgu74UT2eyG2uI1"; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj6+r+vMXJyy5wvQTLyfd2rIw62WCg9eIpwsciHg4ym thiloho@pc" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgfOa8N46PBUO2gj8UeyrV0R+MRZFnJqUzG132UjaFS thiloho@laptop" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlDyJt72c/mxyN9cujc081J3uzWCyKtr4k2faBtgldD thiloho@pc" ]; }; };
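Review bot: After this change the second user's `openssh.authorizedKeys.keys` holds exactly the key that the first hunk installs for root, so one workstation key now opens both the unprivileged account and root directly, which undoes the benefit of a separate unprivileged login with its own `hashedPassword` for privilege escalation. If root key login is not actually required, leaving root's list empty, or giving it a distinct and rarely used key, keeps the two accounts independent; whether `PermitRootLogin` is restricted is not visible here. The user this second list belongs to is named above the hunk.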