5 changed files with 222 additions and 0 deletions
Split View
Diff Options
-
+9 -0secrets.nix
-
+53 -0servers/README.rst
-
+50 -0servers/tt-rss_for_NixOps.nix
-
+46 -0servers/tt-rss_for_VM_testing.nix
-
+64 -0servers/tt-rss_vm.nix
+ 9
- 0
secrets.nix
View File
| @@ -14,5 +14,14 @@ | |||
| group = "wheel"; # Group to own the key file | |||
| permissions = "0640"; # Key file permissions | |||
| }; | |||
| # Database key for TT-RSS | |||
| tt-rss-dbpass = { | |||
| text = "vaetohH{u9Veegh3caechish"; # Password, generated using pwgen -yB 24 | |||
| user = "tt_rss"; # User to own the key file | |||
| group = "wheel"; # Group to own the key file | |||
| permissions = "0640"; # Key file permissions | |||
| }; | |||
| }; | |||
| } | |||
+ 53
- 0
servers/README.rst
View File
| @@ -0,0 +1,53 @@ | |||
| tt-rss_vm.nix | |||
| ------------ | |||
| A Nix configuration for a VM to run Tiny Tiny RSS (TT-RSS). | |||
| It is intended as an example of building a VM that builds TT-RSS for testing | |||
| and evaluation purposes. I does not represent a production or secure | |||
| deployment. | |||
| To use this file: | |||
| **Build with:** | |||
| .. code:: bash | |||
| $ nix-build '<nixpkgs/nixos>' -A vm --arg configuration ./tt-rss_vm.nix | |||
| **Export** these variables, adjusting to suit yourself: | |||
| .. code:: bash | |||
| $ export QEMU_OPTS="-m 4192" | |||
| $ export QEMU_NET_OPTS="hostfwd=tcp::18080-:80,hostfwd=tcp::10022-:22" | |||
| **Launch** the VM with: | |||
| .. code:: bash | |||
| $ ./result/bin/run-tt-rss-vm | |||
| You should now be able to: | |||
| * Login via the shell | |||
| * Login via ssh: :code:`ssh nixos@localhost -p 10022` | |||
| * Login via the web: `http://localhost:18080/`_ | |||
| The default user for TT-RSS is "admin" and the default password is "password". | |||
| .. _http://localhost:18080/: http://localhost:18080/ | |||
| tt-rss_for_VM_testing.nix | |||
| ------------------------ | |||
| This file describes the TT-RSS configuration to be deployed. As such it | |||
| represents a deployment only suitable to testing purposes and should not be | |||
| used as an example of a production deployment. | |||
| tt-rss_for_NixOps.nix | |||
| -------------------- | |||
| This provides an example of a production deployment of TT-RSS via NixOps. | |||
+ 50
- 0
servers/tt-rss_for_NixOps.nix
View File
| @@ -0,0 +1,50 @@ | |||
| # NixOps configuration for the hosts running Tiny Tiny RSS (TT-RSS) | |||
| # | |||
| # Will need to be used with an appropriate secrets file. See: ../secrets.nix | |||
| { config, pkgs, lib, ... }: | |||
| { | |||
| services.tt-rss = { | |||
| enable = true; # Enable TT-RSS | |||
| database = { # Configure the database | |||
| type = "pgsql"; # Database type | |||
| passwordFile = "/run/keys/tt-rss-dbpass"; # Where to find the password | |||
| }; | |||
| email = { | |||
| fromAddress = "news@mydomain"; # Address for outgoing email | |||
| fromName = "News at mydomain"; # Display name for outgoing email | |||
| }; | |||
| selfUrlPath = "https://news.mydomain/"; # Root web URL | |||
| virtualHost = "news.mydomain"; # Setup a virtualhost | |||
| }; | |||
| services.postgresql = { | |||
| enable = true; # Ensure postgresql is enabled | |||
| authentication = '' | |||
| local tt_rss all ident map=tt_rss-users | |||
| ''; | |||
| identMap = # Map the tt-rss user to postgresql | |||
| '' | |||
| tt_rss-users tt_rss tt_rss | |||
| ''; | |||
| }; | |||
| services.nginx = { | |||
| enable = true; # Enable Nginx | |||
| recommendedGzipSettings = true; | |||
| recommendedOptimisation = true; | |||
| recommendedProxySettings = true; | |||
| recommendedTlsSettings = true; | |||
| virtualHosts."news.mydomain" = { # TT-RSS hostname | |||
| enableACME = true; # Use ACME certs | |||
| forceSSL = true; # Force SSL | |||
| }; | |||
| }; | |||
| security.acme.certs = { | |||
| "news.mydomain".email = "email@mydomain"; | |||
| }; | |||
| } | |||
+ 46
- 0
servers/tt-rss_for_VM_testing.nix
View File
| @@ -0,0 +1,46 @@ | |||
| # Nix configuration for the VMs running Tiny Tiny RSS (TT-RSS) | |||
| # | |||
| # This file is intended to be imported into a file that defines the host, such | |||
| # as tt-rss_vm.nix in this directory. It is for playing with / testing TT-RSS | |||
| # and should not be used as an example of a production deployment. | |||
| # | |||
| # This is very basic TT-RSS setup. | |||
| { config, pkgs, lib, ... }: | |||
| { | |||
| services.tt-rss = { | |||
| enable = true; # Enable TT-RSS | |||
| database = { # Configure the database | |||
| type = "pgsql"; # Database type | |||
| password = "tt-rss"; # Set the database password | |||
| }; | |||
| email = { | |||
| fromAddress = "news@mydomain"; # Address for outgoing email | |||
| fromName = "News at mydomain"; # Display name for outgoing email | |||
| }; | |||
| selfUrlPath = "http://localhost:18080/"; # Root web URL | |||
| virtualHost = "news.mydomain"; # Setup an Nginx virtualhost | |||
| }; | |||
| services.postgresql = { | |||
| enable = true; # Ensure postgresql is enabled | |||
| authentication = '' | |||
| local tt_rss all ident map=tt_rss-users | |||
| ''; | |||
| identMap = # Map the tt-rss user to postgresql | |||
| '' | |||
| tt_rss-users tt_rss tt_rss | |||
| ''; | |||
| }; | |||
| services.nginx = { | |||
| enable = true; # Enable Nginx | |||
| recommendedGzipSettings = true; | |||
| recommendedOptimisation = true; | |||
| recommendedProxySettings = true; | |||
| recommendedTlsSettings = true; | |||
| }; | |||
| } | |||
+ 64
- 0
servers/tt-rss_vm.nix
View File
| @@ -0,0 +1,64 @@ | |||
| # Nix configuration for a VM to run Tiny Tiny RSS (TT-RSS) | |||
| # | |||
| # It is intended as an example of building a VM that builds TT-RSS for testing | |||
| # and evaluation purposes. I does not represent a production or secure | |||
| # deployment. | |||
| { config, pkgs, lib, ... }: | |||
| { | |||
| imports = | |||
| [ | |||
| ./tt-rss_for_VM_testing.nix | |||
| ]; | |||
| networking.hostName = "tt-rss"; # Define your hostname. | |||
| system.stateVersion = "19.03"; # The version of NixOS originally installed | |||
| # Set security options: | |||
| security = { | |||
| sudo = { | |||
| enable = true; # Enable sudo | |||
| wheelNeedsPassword = false; # Allow wheel members to run sudo without a passowrd | |||
| }; | |||
| }; | |||
| networking.firewall.allowedTCPPorts = [ 80 ]; | |||
| # List services that you want to enable: | |||
| services.openssh = { | |||
| enable = true; # Enable the OpenSSH daemon. | |||
| #permitRootLogin = "yes"; # Probably want to change this in production | |||
| #challengeResponseAuthentication = true; # Probably want to change this in production | |||
| #passwordAuthentication = true; # Probably want to change this in production | |||
| openFirewall = true; | |||
| hostKeys = [ | |||
| { | |||
| path = "/etc/ssh/ssh_host_ed25519_key"; # Generate a key for the vm | |||
| type = "ed25519"; # Use the current best key type | |||
| } | |||
| ]; | |||
| }; | |||
| # Users of the TT-RSS VM: | |||
| users.mutableUsers = false; # Remove any users not defined in here | |||
| users.users.root = { | |||
| password = "123456"; # Probably want to change this in production | |||
| }; | |||
| # Misc groups: | |||
| users.groups.nixos.gid = 1000; | |||
| # NixOS users | |||
| users.users.nixos = { | |||
| isNormalUser = true; | |||
| uid = 1000; | |||
| group = "nixos"; | |||
| extraGroups = [ "wheel" ]; | |||
| password = "123456"; # Probably want to change this in production | |||
| }; | |||
| } | |||