Add sops, setup parsedmarc and forward grafana
diff --git a/modules/caddy/Caddyfile b/modules/caddy/Caddyfile
deleted file mode 100644
index 49fd585..0000000
--- a/modules/caddy/Caddyfile
+++ /dev/null
@@ -1,27 +0,0 @@
-
-http://api.clicks.codes {
- handle_path /nucleus/* {
- reverse_proxy http://127.0.0.1:10000 {
- trusted_proxies 192.168.81.136
- }
- }
- respond 503
-}
-
-http://clicks.codes {
- reverse_proxy http://127.0.0.1:3000 {
- trusted_proxies 192.168.81.136
- }
-}
-
-http://www.clicks.codes {
- redir https://clicks.codes{uri} {
- trusted_proxies 192.168.81.136
- }
-}
-
-http://etherpad.clicks.codes {
- reverse_proxy http://127.0.0.1:9001 {
- trusted_proxies 192.168.81.136
- }
-}
diff --git a/modules/caddy/caddy.json b/modules/caddy/caddy.json
index 8b9726b..686a431 100755
--- a/modules/caddy/caddy.json
+++ b/modules/caddy/caddy.json
@@ -96,6 +96,33 @@
{
"match": [
{
+ "host": ["logs.clicks.codes"]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "reverse_proxy",
+ "upstreams": [
+ {
+ "dial": "127.0.0.1:9052"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ },
+ {
+ "match": [
+ {
"host": ["etherpad.clicks.codes"]
}
],
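Review bot: The new logs.clicks.codes route forwards every path to 127.0.0.1:9052 with no restriction at the proxy, so whatever listens on that port (the commit title suggests Grafana) is reachable on a public hostname and depends entirely on its own login; confirm anonymous access and self sign-up are disabled on that service. The Caddyfile removed in this same commit set `trusted_proxies 192.168.81.136` on every upstream, while this JSON route configures none, so if requests still arrive through that upstream proxy the address the backend sees will be the proxy's rather than the client's unless an equivalent trusted-proxies setting exists at the server level outside this hunk. The surrounding route array continues before and after this hunk.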
diff --git a/modules/dmarc.nix b/modules/dmarc.nix
new file mode 100644
index 0000000..7ab2e7a
--- /dev/null
+++ b/modules/dmarc.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, pkgs-unstable, ... }: {
+ users.users.parsedmarc = {
+ isSystemUser = true;
+ createHome = true;
+ home = "/services/parsedmarc";
+ group = config.users.groups.clicks.name;
+ shell = pkgs.bashInteractive;
+ };
+ sops.secrets = lib.pipe [
+ "imap_password"
+ "maxmind_license_key"
+ ] [
+ (map (name: {
+ inherit name;
+ value = {
+ mode = "0400";
+ owner = config.users.users.parsedmarc.name;
+ group = config.users.users.parsedmarc.group;
+ sopsFile = ../secrets/dmarc.json;
+ format = "json";
+ };
+ }))
+ builtins.listToAttrs
+ ];
+
+ services.parsedmarc = {
+ enable = true;
+ settings.imap = {
+ host = "mail.clicks.codes";
+ user = "dmarc@clicks.codes";
+ password = { _secret = config.sops.secrets.imap_password.path; };
+ watch = true;
+ delete = false;
+ };
+ };
+ services.geoipupdate.settings = {
+ AccountID = 863877;
+ LicenseKey = { _secret = config.sops.secrets.maxmind_license_key.path; };
+ };
+ systemd.services.geoipupdate-create-db-dir.script = lib.mkForce ''
+ set -o errexit -o pipefail -o nounset -o errtrace
+ shopt -s inherit_errexit
+
+ mkdir -p ${config.services.geoipupdate.settings.DatabaseDirectory}
+ chmod 0750 ${config.services.geoipupdate.settings.DatabaseDirectory}
+
+ chgrp clicks ${config.services.geoipupdate.settings.DatabaseDirectory}
+ # The license agreement does not allow us to let non-clicks users access the database
+ '';
+ services.elasticsearch.package = pkgs-unstable.elasticsearch;
+}
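Review bot: Both sops secrets are declared with `mode = "0400"` and `owner = config.users.users.parsedmarc.name`, yet `maxmind_license_key` is consumed by the geoipupdate unit, which this file does not run as parsedmarc; the `_secret` substitution happens at unit start under that unit's own account, so the license key read is likely to fail with a permission error unless geoipupdate runs as root or the secret gets a matching owner. The same check applies to `imap_password`: nothing here sets the parsedmarc unit's `User`, so confirm the NixOS module actually runs it as the `parsedmarc` account defined above, or set `systemd.services.parsedmarc.serviceConfig.User` alongside it. Separately, `chgrp clicks ${config.services.geoipupdate.settings.DatabaseDirectory}` hardcodes the group name while the rest of the file uses `config.users.groups.clicks.name`; `chgrp ${config.users.groups.clicks.name} ${config.services.geoipupdate.settings.DatabaseDirectory}` keeps the two in step with the existing comment about the license agreement.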