diff --git a/lib/data/data.json b/lib/data/data.json
index 325f342a7..ee74d2ca5 100644
--- a/lib/data/data.json
+++ b/lib/data/data.json
@@ -23,6 +23,7 @@ "minio_cache_test_key_id": "cache-test", "minio_metrics_key_id": "metrics", "minio_pastebin_key_id": "pastebin", + "minio_sicp_staging_key_id": "sicp-staging", "secure_boot_db_cert_pem": "-----BEGIN CERTIFICATE-----\nMIIChDCCAgqgAwIBAgIQP+inRvdtZIUHOJ1NhPDk0DAKBggqhkjOPQQDAzAlMRAw\nDgYDVQQKEwdZaW5mZW5nMREwDwYDVQQDEwhsaTdnLmNvbTAeFw0yNDA3MTYxNjM0\nNDlaFw0zNDA3MTQxNjM0NDlaMDUxMzAxBgNVBAMTKllpbmZlbmcgU2VjdXJlIEJv\nb3QgU2lnbmF0dXJlIERhdGFiYXNlIEtleTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBAKNtM41GpI5ziBLN2FKxBi0Ng2XDqUHuIyJSgTkUh8Hsm8lWsvLL\nrDwXPn/cjDLLQIrVYZaCbH9iHeE7nvidH5+9qsbGmZqlwI8k5H+068h12pdzE7HQ\nr2ABvF5Y2L+RqAUNeg8iG9BIed4pJoiTcdov7/Kj/FdeKlJHDSeThvOut1gpITrc\nxKmQj57FF65Oe9YrVNOENYkL/g9WpsW1FqO6pqoZGy5ya2YpS0W/yDZhubSzkZ+9\n18a5X5czRtfI9uXQ/rK+w+T/MoLTfDTyeueyHXZkvS2U6zPYmlqLlQYoRvrQkFZg\nm1fLhM+vmpjSQ6dwOILvHoUX3MCJt2gMw7sCAwEAAaNBMD8wDgYDVR0PAQH/BAQD\nAgeAMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUF7pFDP6qoO7y80SCJNbwPAzK\nohwwCgYIKoZIzj0EAwMDaAAwZQIxANVDj3KiwalLTx56S5aW38os3KoSDSKMwp1m\n2WxI++/NzXWv6Ki0DVxp3xcQypbCwQIwVkFQH7yvJJTmM7vwF1xWlooplr8Hd5Oz\nVK3662b68LrWuehwFr63PwdemLBpiuw1\n-----END CERTIFICATE-----\n", "secure_boot_db_esl_base64": 
"oVnApeSUp0qHtasVXCvwcrQCAAAAAAAAmAIAAIQMU7LT8wtAtAEM/T3gdMowggKEMIICCqADAgEC\nAhA/6KdG921khQc4nU2E8OTQMAoGCCqGSM49BAMDMCUxEDAOBgNVBAoTB1lpbmZlbmcxETAPBgNV\nBAMTCGxpN2cuY29tMB4XDTI0MDcxNjE2MzQ0OVoXDTM0MDcxNDE2MzQ0OVowNTEzMDEGA1UEAxMq\nWWluZmVuZyBTZWN1cmUgQm9vdCBTaWduYXR1cmUgRGF0YWJhc2UgS2V5MIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEAo20zjUakjnOIEs3YUrEGLQ2DZcOpQe4jIlKBORSHweybyVay8sus\nPBc+f9yMMstAitVhloJsf2Id4Tue+J0fn72qxsaZmqXAjyTkf7TryHXal3MTsdCvYAG8XljYv5Go\nBQ16DyIb0Eh53ikmiJNx2i/v8qP8V14qUkcNJ5OG8663WCkhOtzEqZCPnsUXrk571itU04Q1iQv+\nD1amxbUWo7qmqhkbLnJrZilLRb/INmG5tLORn73XxrlflzNG18j25dD+sr7D5P8ygtN8NPJ657Id\ndmS9LZTrM9iaWouVBihG+tCQVmCbV8uEz6+amNJDp3A4gu8ehRfcwIm3aAzDuwIDAQABo0EwPzAO\nBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQXukUM/qqg7vLzRIIk1vA8\nDMqiHDAKBggqhkjOPQQDAwNoADBlAjEA1UOPcqLBqUtPHnpLlpbfyizcqhINIozCnWbZbEj7783N\nda/oqLQNXGnfFxDKlsLBAjBWQVAfvK8klOYzu/AXXFaWiimWvwd3k7NUrfrrZvrwuta56HAWvrc/\nB16YsGmK7DU=", "secure_boot_db_signed_esl_base64": "AAAAAAAAAAAAAAAAAAAAACoEAAAAAvEOndKvSt9o7kmKqTR9N1ZlpzCCBA4CAQExDzANBglghkgB\nZQMEAgEFADALBgkqhkiG9w0BBwGgggKBMIICfTCCAgSgAwIBAgIQNYH4M7+WBa1cAazRyjI+gzAK\nBggqhkjOPQQDAzAlMRAwDgYDVQQKEwdZaW5mZW5nMREwDwYDVQQDEwhsaTdnLmNvbTAeFw0yNDA3\nMTYxNjM0NDlaFw0zNDA3MTQxNjM0NDlaMC8xLTArBgNVBAMTJFlpbmZlbmcgU2VjdXJlIEJvb3Qg\nS2V5IEV4Y2hhbmdlIEtleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJaH1l4yo4B\nAiI6QuS2yGZ8vbJ8XCAN8QyMouyBDQAxnh61ApvuHRW2ZChZkSC5h1qv423TgcA+et7yS1pm+Gff\nMPUONBPf+uBmyE8NcPcDXR2AaUyFCKkKAjoRHaEJ0Kt+NJXyD2gz3bq1z7tr5UUxy+l+HgvA3NH5\nNiU5uIP5ZZPsQ2RRUt9wSobgbjeN2g/gH/UxepJXakt8oQbcH8i62O8ohQ/agJWUK3HS5nA3etYt\n+gVnXEaKiUUNgZi1kT1dEPsHANaveXkEOVAvR+C0XkyKy2nq2oBVACemhN50OiwMzZ7B1TQm5IgS\nqFC3ZokNpxSAhvOSpB5U/BJwdaMCAwEAAaNBMD8wDgYDVR0PAQH/BAQDAgGGMAwGA1UdEwEB/wQC\nMAAwHwYDVR0jBBgwFoAUF7pFDP6qoO7y80SCJNbwPAzKohwwCgYIKoZIzj0EAwMDZwAwZAIwdwuT\nXzU9TE17j5747MzrNT0mUCOxTyXWyeJEdWazD/oT06WCK4PhI4ATBxCoaJx+AjBjKeMO3+I5DvgL\nV2+ZCSwXuy4hPjkJK3wRmE95QaP3y3LntU6bPexd06MSyVYx/gIxggFkMIIBYAIBATA5MCUxEDA
O\nBgNVBAoTB1lpbmZlbmcxETAPBgNVBAMTCGxpN2cuY29tAhA1gfgzv5YFrVwBrNHKMj6DMA0GCWCG\nSAFlAwQCAQUAMA0GCSqGSIb3DQEBAQUABIIBADPBoxdCdLNFMSrepwAhSPuxWNK2mq2zebFjPnP2\nN8fE6WO7UoyHEv0T+RnR9KVSe5Q5F0lABk1aCYj2Ury8JmNUlpBUzaZKIwxRmB3o/dbTnhjav/g1\nKLK66joGhhfHKzUjUMoaXPanYMQg+yJNm2yAYKwWDqgGVVzBtjaiw5PQBsDbPK9b5Dpx0XFghbK4\nOBxydp882uArC+Hl83MOcrvMC7TBFlkoWwMV356XVnZ3kAHYtIbG7BSonMbs7WODSAc63OQxuBoj\ne4qy0Ta2RMeoUniW+ImeBF7z6kMIMzyXQ1BfOyI90XcnjFc61vwlFM1lgn8dqwsu3kg04Tkgegmh\nWcCl5JSnSoe1qxVcK/BytAIAAAAAAACYAgAAhAxTstPzC0C0AQz9PeB0yjCCAoQwggIKoAMCAQIC\nED/op0b3bWSFBzidTYTw5NAwCgYIKoZIzj0EAwMwJTEQMA4GA1UEChMHWWluZmVuZzERMA8GA1UE\nAxMIbGk3Zy5jb20wHhcNMjQwNzE2MTYzNDQ5WhcNMzQwNzE0MTYzNDQ5WjA1MTMwMQYDVQQDEypZ\naW5mZW5nIFNlY3VyZSBCb290IFNpZ25hdHVyZSBEYXRhYmFzZSBLZXkwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQCjbTONRqSOc4gSzdhSsQYtDYNlw6lB7iMiUoE5FIfB7JvJVrLyy6w8\nFz5/3Iwyy0CK1WGWgmx/Yh3hO574nR+fvarGxpmapcCPJOR/tOvIddqXcxOx0K9gAbxeWNi/kagF\nDXoPIhvQSHneKSaIk3HaL+/yo/xXXipSRw0nk4bzrrdYKSE63MSpkI+exReuTnvWK1TThDWJC/4P\nVqbFtRajuqaqGRsucmtmKUtFv8g2Ybm0s5GfvdfGuV+XM0bXyPbl0P6yvsPk/zKC03w08nrnsh12\nZL0tlOsz2Jpai5UGKEb60JBWYJtXy4TPr5qY0kOncDiC7x6FF9zAibdoDMO7AgMBAAGjQTA/MA4G\nA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFBe6RQz+qqDu8vNEgiTW8DwM\nyqIcMAoGCCqGSM49BAMDA2gAMGUCMQDVQ49yosGpS08eekuWlt/KLNyqEg0ijMKdZtlsSPvvzc11\nr+iotA1cad8XEMqWwsECMFZBUB+8rySU5jO78BdcVpaKKZa/B3eTs1St+utm+vC61rnocBa+tz8H\nXpiwaYrsNQ==", diff --git a/nixos/hosts/mtl0/default.nix b/nixos/hosts/mtl0/default.nix index 1db733fe2..332624304 100644 --- a/nixos/hosts/mtl0/default.nix +++ b/nixos/hosts/mtl0/default.nix @@ -44,6 +44,8 @@ in services.prebuilt-zip services.hledger-web services.sicp-staging + services.rabbitmq + services.mongodb i18n.input-method virtualization.podman users.yinfeng diff --git a/nixos/modules/misc/ports.nix b/nixos/modules/misc/ports.nix index 10d665cdb..9968b42b7 100644 --- a/nixos/modules/misc/ports.nix +++ b/nixos/modules/misc/ports.nix 
@@ -82,6 +82,10 @@
 jellyfin-https = 3341;
 iperf = 3350;
 typhon = 3360;
+ rabbitmq = 3370;
+ rabbitmq-management = 3371;
+ sicp-staging = 3390;
+ sicp-staging-redis = 3391;
 ipsec-nat-traversal = 4500;
 babel = 6696;
@@ -99,6 +103,7 @@
 minecraft = 25565;
 minecraft-rcon = 25566;
 minecraft-map = 25567;
+ mongodb = 27017; # currently change is not supported in nixpkgs module
 teamspeak-voice = 9987;
 teamspeak-file-transfer = 30033;
 teamspeak-query = 10011;
diff --git a/nixos/profiles/services/mongodb/default.nix b/nixos/profiles/services/mongodb/default.nix
new file mode 100644
index 000000000..05604ba79
--- /dev/null
+++ b/nixos/profiles/services/mongodb/default.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+ services.mongodb = {
+ enable = true;
+ enableAuth = true;
+ extraConfig = ''
+ net.port: ${toString config.ports.mongodb}
+ '';
+ initialRootPassword = "temporary"; # will be replaced in initialScript
+ initialScript = config.sops.templates."mongodb-init.js".path;
+ };
+ sops.templates."mongodb-init.js" = {
+ content = ''
+ db.changeUserPassword("root", "${config.sops.placeholder."mongodb_admin_password"}")
+ '';
+ owner = config.services.mongodb.user;
+ };
+ sops.secrets."mongodb_admin_password" = {
+ terraformOutput.enable = true;
+ restartUnits = [ ]; # needs manual rotation
+ };
+}
diff --git a/nixos/profiles/services/rabbitmq/default.nix b/nixos/profiles/services/rabbitmq/default.nix
new file mode 100644
index 000000000..b3aea333f
--- /dev/null
+++ b/nixos/profiles/services/rabbitmq/default.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+ services.rabbitmq = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ port = config.ports.rabbitmq;
+ managementPlugin = {
+ enable = true;
+ port = config.ports.rabbitmq-management;
+ };
+ };
+}
diff --git a/nixos/profiles/services/sicp-staging/default.nix b/nixos/profiles/services/sicp-staging/default.nix
index de7eee887..68497b788 100644
--- a/nixos/profiles/services/sicp-staging/default.nix
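Review bot: `initialRootPassword = "temporary"` is a Nix-store literal, so the root account's real password only exists once `db.changeUserPassword` in `mongodb-init.js` has run; as I read the nixpkgs module, `initialScript` runs only at first initialisation of the data directory, so if that call fails the root account keeps the publicly known bootstrap value and nothing re-runs the rotation — confirm against the module and check once after first boot. The template also relies silently on the terraform-generated password containing nothing that would break the JS string literal; stating that next to it, `# safe inside the JS string: terraform generates this with special = false`, keeps a later change to the generator from breaking auth. `restartUnits = [ ]; # needs manual rotation` would be clearer if it named the step, e.g. `# rotating this secret means changing the password inside mongodb by hand; the init script does not run again`.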
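Review bot: `listenAddress = "127.0.0.1"` governs the AMQP listener, but whether the management HTTP listener on `config.ports.rabbitmq-management` is bound the same way depends on the nixpkgs module also emitting `management.tcp.ip` — confirm, and otherwise set it explicitly through `services.rabbitmq.configItems`. The broker additionally ships its default `guest` account, whose loopback-only restriction is no restriction in a deployment where every client is local; dropping it in the setup unit defined in nixos/profiles/services/sicp-staging/default.nix (`rabbitmqctl delete_user guest || true`) leaves only the accounts this configuration creates. A one-line comment such as `# loopback only; the sicp_staging vhost and user are created by sicp-staging-rabbitmq-setup` would document the intended exposure.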
+++ b/nixos/profiles/services/sicp-staging/default.nix @@ -1,25 +1,47 @@ { config, pkgs, - lib, ... }: let njuGitUser = "yinfeng"; ojRepoName = "online-judge"; - podmanCompose = lib.escapeShellArgs [ - "podman-compose" - "--podman-build-args" - "--network host --build-arg=VERSION=staging --build-arg=HOST=https://sicp-staging.li7g.com --build-arg=BASE=/2024/oj/web/" - ]; + ojBase = "2024/oj"; + version = "staging"; + buildTools = + let + python = pkgs.python3.withPackages ( + p: with p; [ + invoke + ] + ); + java = pkgs.openjdk17; + gradle = pkgs.gradle.override { + inherit java; + }; + in + [ + python + java + ] + ++ (with pkgs; [ + trunk-io + yarn + gradle + nodejs + ]); in { - systemd.services.sicp-staging = { - preStart = '' + systemd.services.sicp-staging-build = { + script = '' export TMPDIR="$PWD/tmp" - mkdir -p "$TMPDIR" + mkdir --parents "$TMPDIR" + export HOME="$PWD/home" + mkdir --parents "$HOME" + export GRADLE_USER_HOME="$PWD/gradle" + mkdir --parents "$GRADLE_USER_HOME" - token=$(cat "$CREDENTIALS_DIRECTORY/token") + token="$(cat "$CREDENTIALS_DIRECTORY/token")" # setup repository if [ ! -d "${ojRepoName}" ]; then 
@@ -29,55 +51,319 @@ in git remote set-url origin "https://${njuGitUser}:$token@git.nju.edu.cn/nju-sicp/online-judge.git" # update repository - git fetch origin - git reset --hard origin/master - sed -i 's^https://sicp.pascal-lab.net/2024/oj/api^https://sicp-staging.li7g.com/2024/oj/api^g' packages/web/src/config.ts + git fetch --all + git reset --hard origin/staging-yinfeng + sed -i 's^https://sicp.pascal-lab.net/2024/oj/api^https://sicp-staging.li7g.com/${ojBase}/api^g' packages/web/src/config.ts + + # build app + pushd packages/app + sed -i "s^0.0.0^${version}^g" build.gradle + sed -i "s^http://localhost:5173^https://sicp-staging.li7g.com^g" src/main/java/cn/edu/nju/sicp/security/SecurityConfig.java + gradle --refresh-dependencies clean bootJar + popd - # build image - pushd utils/docker - ${podmanCompose} \ - --profile all \ - --env-file vars/x86_64.env \ - build + # build web + pushd packages/web + sed -i "s^0.0.0^${version}^g" src/config.ts + yarn + yarn build --base="/${ojBase}/web/" popd popd # from oj repository ''; + path = + (with pkgs; [ + git + ]) + ++ buildTools; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + TimeoutStartSec = "5min"; + User = config.users.users.sicp-staging.name; + Group = config.users.groups.sicp-staging.name; + StateDirectory = "sicp-staging"; + WorkingDirectory = "/var/lib/sicp-staging"; + LoadCredential = [ + "token:${config.sops.secrets."nju-git/read-token".path}" + ]; + }; + }; + + systemd.services.sicp-staging-app = { script = '' - pushd "${ojRepoName}" - pushd utils/docker - ${podmanCompose} \ - --profile all \ - --env-file vars/x86_64.env \ - up + exec java --add-opens "java.base/java.io=ALL-UNNAMED" \ + -Dspring.profiles.active=prod -Dspring.config.location="$CREDENTIALS_DIRECTORY/application.yml" \ + -jar "${ojRepoName}/packages/app/build/libs/app-${version}.jar" ''; path = with pkgs; [ - git - podman - podman-compose + openjdk ]; serviceConfig = { - TimeoutStartSec = "5min"; + User = 
config.users.users.sicp-staging.name; + Group = config.users.groups.sicp-staging.name; + SupplementaryGroups = [ + config.users.groups.podman.name # root access + ]; StateDirectory = "sicp-staging"; WorkingDirectory = "/var/lib/sicp-staging"; LoadCredential = [ - "token:${config.sops.secrets."nju-git/read-token".path}" + "application.yml:${config.sops.templates."sicp-staging-application.yml".path}" ]; }; - requires = [ "podman.socket" ]; - after = [ "podman.socket" ]; + restartTriggers = [ + config.sops.templates."sicp-staging-application.yml".content + ]; + requires = [ + "sicp-staging-build.service" + "sicp-staging-mongodb-setup.service" + "sicp-staging-rabbitmq-setup.service" + ]; + after = [ + "sicp-staging-build.service" + "sicp-staging-mongodb-setup.service" + "sicp-staging-rabbitmq-setup.service" + ]; wantedBy = [ "multi-user.target" ]; }; - services.nginx.virtualHosts."sicp-staging.*" = { - forceSSL = true; - inherit (config.security.acme.tfCerts."li7g_com".nginxSettings) sslCertificate sslCertificateKey; - locations."/2024/oj/web/".proxyPass = "http://127.0.0.1:8080"; - locations."/2024/oj/api/".proxyPass = "http://127.0.0.1:3000"; + users.users.sicp-staging = { + isSystemUser = true; + group = config.users.groups.sicp-staging.name; + }; + users.groups.sicp-staging = { }; + users.users.nginx.extraGroups = [ config.users.groups.sicp-staging.name ]; + + systemd.services.sicp-staging-mongodb-setup = { + script = '' + mongodb_admin_password="$(cat "$CREDENTIALS_DIRECTORY/mongodb-admin-password")" + mongo --username root --password "$mongodb_admin_password" admin "$CREDENTIALS_DIRECTORY/mongodb-init.js" + ''; + after = [ + "mongodb.service" + ]; + path = [ + config.services.mongodb.package + ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + LoadCredential = [ + "mongodb-admin-password:${config.sops.secrets."mongodb_admin_password".path}" + "mongodb-init.js:${config.sops.templates."sicp-staging-mongodb-init.js".path}" + ]; + }; + 
restartTriggers = [ + config.sops.templates."sicp-staging-mongodb-init.js".content + ]; + }; + systemd.services.sicp-staging-rabbitmq-setup = { + script = '' + # initialize rabbitmq + export RABBITMQ_ERLANG_COOKIE="$(cat /var/lib/rabbitmq/.erlang.cookie)" + rabbitmq_sicp_staging_password="$(cat "$CREDENTIALS_DIRECTORY/rabbitmq-sicp-staging-password")" + rabbitmqctl await_startup --timeout 300 + rabbitmqctl add_vhost sicp_staging + rabbitmqctl add_user sicp_staging changeit || true + rabbitmqctl change_password sicp_staging "$rabbitmq_sicp_staging_password" + rabbitmqctl set_permissions -p sicp_staging "sicp_staging" ".*" ".*" ".*" + ''; + after = [ + "rabbitmq.service" + ]; + path = [ + config.services.rabbitmq.package + ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = config.users.users.rabbitmq.name; + Group = config.users.groups.rabbitmq.name; + LoadCredential = [ + "rabbitmq-sicp-staging-password:${config.sops.secrets."rabbitmq_sicp_staging_password".path}" + ]; + }; + }; + sops.templates."sicp-staging-mongodb-init.js".content = '' + db = db.getSiblingDB("sicp_staging"); + if (db.getUser("sicp_staging") == null) { + db.createUser({ + user: "sicp_staging", + pwd: "temporary" + }); + }; + db.updateUser("sicp_staging", { + roles: [ { role: "dbOwner", db: "sicp_staging" } ] + }); + db.changeUserPassword("sicp_staging", "${config.sops.placeholder."mongodb_sicp_staging_password"}"); + ''; + + services.redis.servers.sicp-staging = { + enable = true; + port = config.ports.sicp-staging-redis; + requirePassFile = config.sops.secrets."sicp_staging_redis_password".path; }; + sops.templates."sicp-staging-application.yml".content = builtins.toJSON { + sicp = { + admin = { + username = "YINFENGLIN"; + password = config.sops.placeholder."sicp_staging_admin_password"; + fullName = "Lin Yinfeng"; + }; + jwt = { + issuer = "sicp"; + audience = "sicp-user"; + secret = config.sops.placeholder."sicp_staging_jwt_secret"; + }; + docker = { + host = 
"unix:///run/docker.sock"; + tls-verify = false; + }; + s3 = { + endpoint = "https://minio.li7g.com"; + access-key = config.sops.placeholder."minio_sicp_staging_key_id"; + secret-key = config.sops.placeholder."minio_sicp_staging_access_key"; + region = "us-east-1"; + bucket = "sicp-staging"; + }; + oauth2 = { + gitlab = { + endpoint = "https://git.nju.edu.cn"; + redirectUri = "https://sicp-staging.li7g.com/${ojBase}/web/auth/callback"; + scope = "read_user"; + clientId = "824e65daa58165919d7e3137616a67818400e0610cad26a10db97234029fa508"; + clientSecret = config.sops.placeholder."nju-git/sicp-staging-oauth2"; + }; + }; + }; + spring = { + application = { + name = "SICP Online Judge (Staging)"; + }; + main = { + banner-mode = "off"; + }; + data = { + mongodb = { + host = "localhost"; + port = config.ports.mongodb; + database = "sicp_staging"; + username = "sicp_staging"; + password = config.sops.placeholder."mongodb_sicp_staging_password"; + # authentication-database = "sicp_staging"; + }; + redis = { + host = "localhost"; + inherit (config.services.redis.servers.sicp-staging) port; + database = 0; + password = config.sops.placeholder."sicp_staging_redis_password"; + }; + }; + rabbitmq = { + host = "localhost"; + inherit (config.services.rabbitmq) port; + virtual-host = "sicp_staging"; + username = "sicp_staging"; + password = config.sops.placeholder."rabbitmq_sicp_staging_password"; + }; + servlet = { + multipart = { + max-file-size = "1MB"; + max-request-size = "1MB"; + }; + }; + }; + logging = { + level = { + root = "ERROR"; + "cn.edu.nju.sicp" = "INFO"; + }; + }; + server = { + port = config.ports.sicp-staging; + error = { + include-message = "always"; + whitelabel = { + enabled = false; + }; + }; + }; + }; + + services.nginx.virtualHosts."sicp-staging.*" = + let + webDist = "/var/lib/sicp-staging/online-judge/packages/web/dist/"; + in + { + forceSSL = true; + inherit (config.security.acme.tfCerts."li7g_com".nginxSettings) sslCertificate sslCertificateKey; + 
locations."= /${ojBase}/web".extraConfig = '' + return 302 https://$host$request_uri/; + ''; + locations."/${ojBase}/web/" = { + alias = webDist; + index = "no-such-file"; # use @index as index + extraConfig = '' + try_files $uri @index; + ''; + }; + locations."@index" = { + root = webDist; + extraConfig = '' + add_header Cache-Control no-cache; + expires 0; + try_files /index.html =404; + ''; + }; + locations."/${ojBase}/api/" = { + proxyPass = "http://127.0.0.1:${toString config.ports.sicp-staging}"; + extraConfig = '' + rewrite /${ojBase}/api/(.*) /$1 break; + ''; + }; + }; + sops.secrets."sicp_staging_jwt_secret" = { + terraformOutput.enable = true; + restartUnits = [ "sicp-staging-app.service" ]; + }; + sops.secrets."minio_sicp_staging_key_id" = { + terraformOutput.enable = true; + restartUnits = [ "sicp-staging-app.service" ]; + }; + sops.secrets."minio_sicp_staging_access_key" = { + terraformOutput.enable = true; + restartUnits = [ "sicp-staging-app.service" ]; + }; + sops.secrets."mongodb_sicp_staging_password" = { + terraformOutput.enable = true; + restartUnits = [ + "sicp-staging-mongodb-setup.service" + ]; + }; + sops.secrets."rabbitmq_sicp_staging_password" = { + terraformOutput.enable = true; + restartUnits = [ + "sicp-staging-rabbitmq-setup.service" + ]; + }; + sops.secrets."sicp_staging_admin_password" = { + terraformOutput.enable = true; + restartUnits = [ "sicp-staging-app.service" ]; + }; + sops.secrets."sicp_staging_redis_password" = { + terraformOutput.enable = true; + restartUnits = [ + "sicp-staging-app.service" + "redis-sicp-staging.service" + ]; + }; sops.secrets."nju-git/read-token" = { sopsFile = config.sops-file.host; restartUnits = [ "sicp-staging-build.service" ]; }; + sops.secrets."nju-git/sicp-staging-oauth2" = { + sopsFile = config.sops-file.host; + restartUnits = [ "sicp-staging-app.service" ]; + }; } 
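Review bot: `SupplementaryGroups = [ config.users.groups.podman.name # root access ]` on `sicp-staging-app`, together with `docker.host = "unix:///run/docker.sock"`, makes the `sicp-staging` account root-equivalent on the host, and the jar that account runs is whatever `sicp-staging-build` produced from `origin/staging-yinfeng`, with gradle and yarn executing that branch's build scripts as the same user; push access to that branch is therefore effectively root on mtl0 (the podman hunk that turns on `dockerSocket.enable` is what creates the socket, so the same point applies there). If the judge only needs to run containers, a rootless podman socket owned by the `sicp-staging` user, or a socket proxy that exposes only the container endpoints it calls, would keep the root socket out of its reach; failing that, the comment should spell out the trust assumption, e.g. `# root-equivalent: whoever controls the staging branch controls this host`. Separately, `sicp-staging-mongodb-setup` passes the admin password as a `--password` argument, so it is visible in the process list while the command runs; moving authentication into the sops-templated init script (`db.getSiblingDB("admin").auth("root", "${config.sops.placeholder."mongodb_admin_password"}")`) keeps it out of argv, and the `rabbitmqctl change_password` call in the rabbitmq setup unit has the same exposure.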
diff --git a/nixos/profiles/virtualization/podman/default.nix b/nixos/profiles/virtualization/podman/default.nix
index dcb2826a0..47ec2c8dd 100644
--- a/nixos/profiles/virtualization/podman/default.nix
+++ b/nixos/profiles/virtualization/podman/default.nix
@@ -9,6 +9,7 @@ lib.mkMerge [
 virtualisation.podman = {
 enable = true;
 dockerCompat = true;
+ dockerSocket.enable = true;
 autoPrune.enable = true;
 defaultNetwork.settings = {
 network_interface = "podman0";
diff --git a/secrets/hosts/mtl0.yaml b/secrets/hosts/mtl0.yaml
index 800aed526..0b9615dfb 100644
--- a/secrets/hosts/mtl0.yaml
+++ b/secrets/hosts/mtl0.yaml
@@ -7,6 +7,7 @@ hledger:
 repo-token: ENC[AES256_GCM,data:O7hG//HYSDZqgELMDALFK1Uaj38sqfR5m4WTKTUQIdPOOvpMfsxZ6LbGT9LxJkWuIl4qbxD2JLkT00m3UEFcoWjZIWbODT00jzAuX6+l4lXWwh8hNuvYgJipqYqF,iv:rzQBQBWE1WxOodjdcU/G9sV/XAoVxEBo/F7Il9s5dqE=,tag:spMO2sQhbcecEcfTaEh7cA==,type:str]
 nju-git:
 read-token: ENC[AES256_GCM,data:lZUbQt8Dn5gtxxmNuJ070uttOwURT0l+Dfg=,iv:tg7kB1Ry3A7/j0E8yhFiX40eO2YNUFKKZlzZ1AcyVLY=,tag:duA+bL94W6TWsl2rfCRfCg==,type:str]
+ sicp-staging-oauth2: ENC[AES256_GCM,data:4RH2GubwmR8nsRSzqVl8KUNJUvV7EDla6U3mVgcetSwlEyK6yh/jCfEWcpkE8u3yM4x/QF7GFWW7i2YGw6Chr+fSRjeX+A==,iv:iRPbJMa7r5jjIMKjk/P5OY784trptTYswAjXXyCOPLw=,tag:Bh2YLZzf7QbYttjSXsbR/A==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -31,8 +32,8 @@ sops:
 NVVEZ0dhOUpYT3BKcVFlUWI1Mklpa2MKAzwQw2ba9N2VUXGF3N59FO4madR42orJ
 lvOGOtdy/0nLA8OFVkHXyuXshtysUlakyizWFjmiZjJTVkImxwn7Vg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-21T08:43:17Z"
- mac: ENC[AES256_GCM,data:Oh87LzAO1WQR+Voe2ecMmrMHlRp3OlmZeMZtvE3PLB6smtoPwbhlfOZ8Em2Iba1XnwBoZU2gXhh3m36FF+euYgZzMuVDuKtQJweT+Vost4D3iAtCkPQig3+S2DQGngwbjyAOKg+6aQc3Zw1likjgMdPUQMxSkwKX6+PgaqEmR38=,iv:qZSUlas7DqGdCuaY31TMxliE9u6f5h2dmOYt9dVYfGw=,tag:7URjIwmzNchD37omBSBUWA==,type:str]
+ lastmodified: "2024-09-22T12:41:30Z"
+ mac: ENC[AES256_GCM,data:Rbj1hfamvsYXPi4jexBFv/B857sOCo4wZpAIOmpCWtiKi+WUgS3SYfVsQNqwVb0yKR5XBBW74/qftvMwYg3FU+pAEIc3mqNRC2jaSkwqlWSr9cCQc5jRHgf6b9l/zn/3HamPMi4q5A/4tHVYJInVfpSWDRpZTKe2pQpEJVlyaMA=,iv:wLTdP2qMYHASW0xGM3qvqL8BbO6qSN73w7NxPqTkv64=,tag:WiSz0VX8O+Qg6jw2kNjQKA==,type:str]
 pgp:
 - created_at: "2022-07-08T07:03:14Z"
 enc: |-
diff --git a/secrets/terraform/hosts/mtl0.yaml b/secrets/terraform/hosts/mtl0.yaml
index 7fdc7c8ba..7d6559d06 100644
--- a/secrets/terraform/hosts/mtl0.yaml
+++ b/secrets/terraform/hosts/mtl0.yaml
@@ -21,7 +21,15 @@ minio_backup_key_id: ENC[AES256_GCM,data:2bgDnvDcvnAecTA=,iv:C/AriNvdoG5SoDaRvEt minio_metrics_bearer_token: ENC[AES256_GCM,data:7vgKSTApCgNph0YI46UeBROUx2d+OfMTWh4qKTcsQfs4j5NBkylntO8OncDCbeiHpq1abKVr98ghzBNqHn48BHWRGdmyG99l/Hx/jTrQ1AoZyItCa+HsXNqS8tNnqtc7fM7Q295UKIPY38CnIFKmGRnvq5doR5alitA0EL1yH5y/g0YaySi7hjeiWfCNtC3aafo4pUEc5NLjbME7qKZg3ovY3u2WMuwagACE1RzvkPnUv1gMf9Vbi6Y0267zutXSAbhR,iv:CDEJGqnBYJVr1H7DEezADQBSJM4R3E1gUNwrVbKrpy8=,tag:kuQQ2QEDn9ywouQlKOQNHg==,type:str] minio_pastebin_access_key: ENC[AES256_GCM,data:C7oObdpNFwbj/QxddALK76I9qMWKYCXOb5l+zM3UkeQm8+O6c8B0olWBJFnRhYiIOwTWEhY9/8o=,iv:gRz5/N9bMk5PmkncqkKrnjxIPkNw2OVXPz0mbcoBhgk=,tag:HqnJ6YEbFy7/av/DokzIjQ==,type:str] minio_pastebin_key_id: ENC[AES256_GCM,data:MbjOoxOlKYU=,iv:L8Eh5WMfnUbTBmFmN2qKdDS+Rf8I6gdEV09+dKponY8=,tag:rbbUY+CZFrPvlb+bj5Y6cg==,type:str] +minio_sicp_staging_access_key: ENC[AES256_GCM,data:OFbTlTwBfwooV0uxRd2Mxnf2Ve4L1KrfjWEMo/ujHwN8iDp5Q3pYiPke+9sKOhYe3kbS0pMbUME=,iv:vo6cFNIjZN58wrsfPEtGgQJl8s1WiFsNi/j3gMxjMcg=,tag:kcfJmQ/x/zwI9wo8vJ7zdg==,type:str] +minio_sicp_staging_key_id: ENC[AES256_GCM,data:PiHXEg6I6z+zhSPV,iv:/904fBXuoRnUkw0osCnl/LJ4a0y9HKZ4rzWUpiB76qg=,tag:SxU0lHZ3DI32kg67O2xyDw==,type:str] +mongodb_admin_password: ENC[AES256_GCM,data:Jb/tl1qrfFuZvw5Syk6pS6rCzN3G/jEry2/5iEkMfdiXvJaeyKHGXv0kFwr9Yd1/RT3uufbG4rqYUfenrR982A==,iv:E7fjypvS39MucA4k+WtcR4OjytRkhD0VxkkJ49SFzMo=,tag:pNlkjTxy6hVEFjacTXv73Q==,type:str] +mongodb_sicp_staging_password: ENC[AES256_GCM,data:3AIHGpGpPqK42eWi+I5gsxMPxUgVtnCvz+LwTKrh8buItjO/eOjFVZc7XQ2pR5/6uipwOPIIHo2D1J+kTi70YA==,iv:cAOUn0wK78PXl9+RWIV7Q6GNUNmVBcKEV9EYWVVqNvY=,tag:fMojF//ywGWdvN5fjAsNqg==,type:str] +rabbitmq_sicp_staging_password: ENC[AES256_GCM,data:vDYZ7rVu6OHprYTk7cHcmWi/2F9knEXYPU5bnefIey8=,iv:b6Yn4iToOvuT6xXSgouTJJImyjRKCz0cym3BJcVct/8=,tag:03Awa2oS3V0QqEAFEGkRdg==,type:str] restic_password: 
ENC[AES256_GCM,data:vaWjEKDxLcRDf++2yshq5WynYCkuSGYX/RxDx4mCc2I=,iv:/a41CRAQzBjq6z31UeJ01Zmqr8FfSmmAHrAZibY4Q8Y=,tag:I1TcOu83wfuRETUY3QksFg==,type:str] +sicp_staging_admin_password: ENC[AES256_GCM,data:5DeVhCDpYWsk54678PoFbCKR+z7d7t/rYl3yxkvhN70=,iv:89u2palzXXb6TyUXJHE4NOl8sWEg/jkBlufEnapGj9c=,tag:J3a79Q33/8yL1zYAnfOHQg==,type:str] +sicp_staging_jwt_secret: ENC[AES256_GCM,data:0fUtwBHKIvKg2dYZSdoPet5Kfz9BSbY3IUxUC4LQxOcMGCh+6VQ1hC3KThiA0tDAop6UfGX+usV7Oh8/oErI3g==,iv:5qIaueMtHeuz4l4ddeTMFNJabyfrIqa74QWNRBA9Xg0=,tag:hzs/b+jnLsc1tj/xxQ7osQ==,type:str] +sicp_staging_redis_password: ENC[AES256_GCM,data:wAIAbXV7p9bw5kTNw+aYlAYC8b+qNIpp9ca0UhzNIH4=,iv:25Z1mXr3nphEowOyhx3DsCGNENKfm0zGeXlkI5p9u+A=,tag:lXSIiavNh9E2PU5wMd7Eww==,type:str] ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:gmFsiO4qTIUJE6qKwKD+5Rb40Nu2S26CS3D6WhKEwN0=,tag:28Me+FMeZtHVTYuvdTLZ0g==,type:str] ssh_host_rsa_key: ENC[AES256_GCM,data:u0TruExsl3GnEOKQXqL2MwuVoChOdXTDcQGkTZco3i8uoyGPq1Hu2GK1Yln6GzwBALDOaw/u79gqoR/hJKDPMe7Zq6GAij//f06fb33kLR9Pvi9hYAelyc7/zMdASYED6TMK6KnAY8tPqKOl9p19mrS4b3aykJ9zlS/ePuau2TspTWWfiBHeugN6iuHVHWztTMDzuJADQGYk17Bvc3CXDxdnjhC6v72FIJrdRPOkzP+JAeauT7qln0x55I7WJFDU7ss/4RKTSMHKpGHkbbc3wlp+K2+CJUKhpc7A5cMvUGhFeKdgYumCjm8OWV+mSTc2+t2OaFhmBS+qo8nDWNaTHvmRxEaPw16OEcWFyZXn7Sb8q/tQ3R0c3jE43qdk6AAOOZd0q20S99QcxGC2k2g+Ky2FKlXSvexF+V2J1Ou9j9lrYnP4OYttegRSiDJDXo84uy7vxFEgwLPkvIjUDMmF1NRGobRDILQDaZpB7zOUdEpjWW2lu8Vaa9Bb1Ha6b6XOINs6BNtcGswRbnjpJd4IsgmnJhGMMtXrRn6Skcgb/O3xZ37sCG6x3OHKXJu6C/kXNxxExqUw0PWRm8m2EXHsT4rvM9tfAIEk4cGO3hviGPtA7WLDYEOrb9M8uWjGjlwehGGA4lwXuldbCr4Ay8FOLrPDLxLxoOmDnOw8a+lqQ+9rAJBRj3Ep4qEQkoJomeKoVu281bYdy+U7MQR2XJogz2oHTFuKaFHZvIkKKAVeYVNIUhZ0UGvwlL2eb4kXvFXJii9oebDEGv+5bULfM4lze9T5xLmfX2X18ZLx1UXcRGdsBm4VHrsR9WKOA8tTINV4UU6Q1b7yE9qr0QisqZncDwAPYP5nw5on6VuSnihoGSLoEKotXo8eFE71ApYWdGcaZeQYXOVqF9bvYW6j2e1+ZouNBCXpdw+ndIjpFGlCu6R5PjO2t1Z5Cawo6Jo5CnQXG+um71+RnTJsU/PWfCKx+q4n+aQYdFj3UFhhTbCdyElUQGlAr0LVs838Ii43Sb3zJFyczqP34KY2KTrMF
a7WFSwX4NmHkldOpfngCganrA5vDCQGGccYn4IDwPY8hDfmTkC4vUBqs3ZCOuy9Fe0KvcdBZXhLy/WEPWTPXXBD0hs0cU8CfaUED2PxOFmKRNQIaCheB9+hqQrR3LqL21RNd2NixBSEDy+xtY3dtAJJmfmWgCXIU+u5QOt9/I82Xyl49XfvUgbAbEJTpOoBaRDNdG2AkE06C75fLhBmcmHWJ14hOo84FyOlBkdK917xfY60Vfa2uoEyhFQJ0XIpegdI9hWwmHtDfcJu+KwAJuyLc4MdpDN7AVQ5Xfqf4hCkbvQsAA1BaXESjBmQM0Xo4uFQtyi63EOZWPt0VskI2/7duwIZ+/KqpP2gBviIY1+zN4NJJqYrvj/3hfhwaWBao6rel+A+2hI+E3UnDk2DnMye1drEZsBXewRHNfQVum4QkN6QI9PpSaO1C9MbPxn00BZXWmTtHZ/O7DmbmQRgF/yV3/xv9jLRtDdLAcL7iPNke7/0RZ5cgBNPlqFi7ELFgrmWPlz7E9h0L/z9pcfeyzQSSfzI1bkJQdmtApdPAo1TDMwFsXoXWp+3fVCqF1YKgHplXyOU2/+mkF64OaWz9kZXfgxmSzQznxPR12HUQDI9Nnr4duxnSS3+7Xqe38jgAuov1thgP7B00//LWYQcdFrHgE+SEb9+fne227L1/QfTqF4Q8M86hHL29Qf64jgt5quPVORKIZKgWd5eNWVcOqE3FiAVNxoj0Mhp3Wz3KvfKnhHoR8sglEj8ZjbYmnjVfkEiiJo5Tkp0J8nG495fYIyxPYyuVcl1Vy+ofsTIqy+6QELibD1RFYT+s9vNn2fJ0KMXNQgpJsopjg/3mx5lSMDgLPcuNeRDOe8sibhQKsjznq7wSp1j/hEn9KxjJoU5jH2CN6k61O+S/YqyIN59fJe/9jL4mvvDzyHiYIqDxUJRCDFYKR/rwigLLLb2RMO8do0dv1SHRHZh7MCWsK9rt27twFWEui1JEAwhm22b/I0sTxHkv4eZfDI1D4jU9V+TpSkXU0WNS8LbFCWu8ZOvqYYRUxrxqz41lJ2kuwKNdZws4G+1acvlc+BagNyFqA9uuSXPKLGw5NW7DHrkSyUqL69EKWhUbl7gNdCcev6lTPrsq+agpetRMPRNPUsR6MQfu/6EztHaLeM37GCejlOkRhWwHrRRtBhir/EJatUAq9238cejzYpgj/gQQY/w/2Y1vAyZK+VRmETLgmDdnlwZIhA8E6GkK9cLFXFfOGjxMQOQpDz7XeTJu/29yTsIChgVvzuOa/femmQaFlCcb8v7t80dAG/ejmzP4lHWKnVP0de6IQqMGiTNdwjbqWppYbjKEft884Ab9WAWm/0LvVL5NAey2SaT6ap4JWcdzI6Mrw7n7c+KmYRG2HAonvPRvbna6R2mwScI5aSBqOdJ5l6T0ZG1Yqoli4i2624voCWNes0sbsrR2YTIbMC1eh2xbuYReGU/S0+KNJ93Tww8bySK2Ej1ENoB6VhAbPAmhuBuCEgoLBNWv6entItRfWdXrBGplmMPohDbfrqy74R46l6zVOHEv+alKEcQ39TFBPrn4+hVeCnr7Ljxw8Q8e2ZjDwMWwrRZydVjsetVzVW8KW3UJisyr5J5jbmJUqf5f4LcHMrsYvIinPtpVPObyx3M/edcssq8QF1j2e278svddp3+0fSrq1mRCJ0aygUkavGxBb10RWFhmJ06jIldNh+77GWe0eLVpzWwT7a8vIRUeV0qahRg5OMfgIwG2okRUnubkoE7Hr/nT/dX0VYMrexqs7PdM3PpPwiUcwXLY6JYTglKW25xOtdbxKxadlQlrzKcQXaUuZ/Vuiwn//cIJfLITBdEKd2abCnEYg08QG1lNKAUhC1wnhMXLKMXLoyURyqji0SN5fgEMYswLkhhj2rPKjPIKcpAO9BegtT+BiZ/ahkZPlwavRuoBC3oCEuO09JmtsaEHryfcAF0QFhhcZ95Qt7q6xCYMt3aSZK8oUlgY
sIi0Mf9DIHiHPLKXtlGCxDGdZ8B5XsYslsNEY75g/VC5BfVjaCRhJd2N9W2sTpVNAtunTeVP1oxv8fnjYth0xey/BTDlTSecLf58RS2/ZH0yu9SLwD5YLqkISxBIt5f3E8qRwj1Dsqx4jOStI5Pk80X/PAMIc2FYHnSztu3Lt8EMb6Wo4Qmi9hS6EpBboWqvwtYF+D6kuaKFXvB6+6F4m59xc+3xX8cRmpMhoe7EFIVO3HEYjbLHspM1Ia5ofuPKaNrdSJsJROJviXpgf79sNYiHGGTdqR9VUefwmMiS3NbBWqF9mBoX20PQIyAkIezkpfVSvlB2dFfwhMsbmqQSTK4/vBXikuvZL+VGoCVwa8IV96aIMsynIS5RPIlU4vyAm03KFGR7U1hfHODTGpnLyn81fSUQWzpGvoQCQqXmbDcfYzI2L1cvnB9e1djP0BmpnsestGp3RsplbYrqu+YlHXPIDVo5kzQRtvwYN0S0QB+eYUS4PO5zYoCqozTQV+B6zfkdEUKrOXNEeVLXRvn35sElacFy1omy/eZo9MBos6QA9jIkY+x6RT/uvlpc1BHWEKl+SJR2RybWp2c8nCeP3ve6Qm9WPm4d/34qTyMJV54UKDZBSCbrH5nELQmvJ0R6PiYJGF7N7h/nmE3a3Nqu1wgoDToAr3Gd6LiKSg/pMhL8c3n0KfCnQDojTP1ilLZ1gDdlkgAFqer2/WMmz6xafNkyEmlNXNUJttVpavY/KYz3twNqyNo2x3joQvTVsahbTMPmocwVcT0HxM5Fdrs40TmKy56fEglqc6LnFJik6jFhNmR/yisP/wsVRSrsyCcgpDzx4B8JoaDdgqsmVbwIPya3GjeXGJ4y3cPIgnGMthgwCDjU+vVFZnbEEBNcpH0h0ohXhM6G3kNBX7c4ahM7bBB46kP9ezn8DbTgwteT8L/hKS6S7RmJi3D/zW39VEwTbtf9m8UnznHmJ88Y2YWU9TbwAwXS22pHBNKFnwEwutcou0CYF6YC6UODCSBOMDGMcyUNUDvDasROEhkgE3TjnHQ7qwWRejY1u9NQG6D7Aln3xuGIJbzJsoOno3MKwAPSTeT6OR71yM1xf3UbhpCxv/V2OtI/n7mJ61RUVLJsp6yrUjK9NF8AZ7eMliEjJ+BnfJNJ19UAImxxiZbKrPbicHwt63+kEo+apgilMgzlNk7SEJd7si6hiux+f+uUCthGWEPJ6fuanxcnjKPecwEU6qZZ+Td4wSJlF0CR01k9BxFDJeVex+SQABU27ImCOuD9Bom5QU5IB3ZjeQnxF1GLJbelWhjjQnzMZyVLpSa0Mp6yTKgWPN8VnbxaR7h4jlNtV3Niww/VM+HZS1x5y0q/I1ngAZx5uVH3UQ6hJmFZOwFrz5tL/A7vVAzecC1Kxk/+k2Y1UqS8f1+pHTFoL8jt2z0AkwL8/mc5g==,iv:z2bkh5GbipZxbZYpzsUeIM43WJUxK9hI20MsO8B6bCU=,tag:iSw5gFu1M+ykCs0wblatlg==,type:str] tailscale_tailnet_key: ENC[AES256_GCM,data:p/yz1B000jQWmlIFwkuSQaeU+ojnr3TzFj71gptmfFFxODecxC6BBlSibTDgIrmYvM8PVXwqAO7/FyP52A==,iv:E9qBC9MiSzhFZoD6wcnu7u65I/+gw54dEe1t6dHJ/Hw=,tag:H2wXBu+v76qwfuNR5jOWkg==,type:str] 
@@ -56,8 +64,8 @@ sops:
 V2hRNEhCdHYzMUhvMGFYMG5vcFVmTDAKJfGXQKrLecTN7vTSpNmTXzyJWLEFs5g8
 l8iDsxeSySYsd23aJ0MNwxDOx7xHE90iOuFqnhdGQl2B2wF6HDfm1w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-21T02:02:27Z"
- mac: ENC[AES256_GCM,data:5qlTsKAH+i+6bi7wbeCId76WfQ2U+81zLeUH+GBMM0XNJml4BxZLZ+5I2xhjbPZtp5afnfn2uAnUZ2d3hqkuAKqDj7v+H906+lLTNnNjbCIoTsxVGuynPyUgNGwqRegov29672UIR7oLlIIvL2DqS6ArJ2xDdUGTsphsroHUBlk=,iv:exe9VsffuMa7Eol3Q2cXzU+qaBVieGMV3q05Vhg8RUU=,tag:PoLRQlVcr9zEJkPUod79aA==,type:str]
+ lastmodified: "2024-09-22T11:13:00Z"
+ mac: ENC[AES256_GCM,data:3d9LuSAoo+ASUs9qgXjlT4+GO6uBsZZHd24QxVHrF7WiY3rik/kNwVW1MRVZEeT3j/qoOg4V1QVdT1nU6QMyvRvOaeiSOIm96uSGF6r1UoVDE87DB1ryyxo/em6DSFglraLdFv+FGGXClysIEsbgbq3g7g4rTTo2jdMQ1Gh3Ank=,iv:nqJtyXP8ZO5epaNWLD4IOeWazStuorShqId+3GfhavI=,tag:Ma2y782z7/zvp2QfYLJWow==,type:str]
 pgp:
 - created_at: "2023-05-11T12:18:58Z"
 enc: |-
diff --git a/terraform/minio.tf b/terraform/minio.tf
index dd2ea6727..1f5b93fc6 100644
--- a/terraform/minio.tf
+++ b/terraform/minio.tf
@@ -157,3 +157,44 @@ output "minio_metrics_bearer_token" {
 value = shell_sensitive_script.minio_metrics_generate_prometheus_config.output.bearerToken
 sensitive = true
 }
+
+# SICP staging
+
+resource "minio_s3_bucket" "sicp_staging" {
+ bucket = "sicp-staging"
+ acl = "private"
+}
+
+resource "minio_iam_user" "sicp_staging" {
+ name = "sicp-staging"
+}
+
+output "minio_sicp_staging_key_id" {
+ value = minio_iam_user.sicp_staging.id
+ sensitive = false
+}
+output "minio_sicp_staging_access_key" {
+ value = minio_iam_user.sicp_staging.secret
+ sensitive = true
+}
+
+data "minio_iam_policy_document" "sicp_staging" {
+ statement {
+ actions = [
+ "s3:*",
+ ]
+ resources = [
+ "arn:aws:s3:::sicp-staging/*",
+ ]
+ }
+}
+
+resource "minio_iam_policy" "sicp_staging" {
+ name = "sicp-staging"
+ policy = data.minio_iam_policy_document.sicp_staging.json
+}
+
+resource "minio_iam_user_policy_attachment" "sicp_staging" {
+ policy_name = minio_iam_policy.sicp_staging.name
+ user_name = minio_iam_user.sicp_staging.name
+}
diff --git a/terraform/passwords.tf b/terraform/passwords.tf
index a31c64c85..8b0cbe18d 100644
--- a/terraform/passwords.tf
+++ b/terraform/passwords.tf
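Review bot: The `sicp_staging` policy document grants `s3:*` on `arn:aws:s3:::sicp-staging/*`, i.e. every object-level action the MinIO provider maps onto the wildcard, while the bucket ARN itself (`arn:aws:s3:::sicp-staging`) is missing, so as I understand MinIO's policy evaluation `s3:ListBucket` would be denied even if the judge lists objects — I cannot see the application's S3 calls, so confirm which it makes. Narrowing the statement to the object actions actually used and adding a second statement for the bucket-level actions keeps the leaked-key blast radius to this bucket's contents and makes the intent readable; the action lists below are a constructed example to adjust to the app's real usage.
```hcl
data "minio_iam_policy_document" "sicp_staging" {
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::sicp-staging/*"]
  }
  statement {
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::sicp-staging"]
  }
}
```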
@@ -343,3 +343,58 @@ output "gnome_remote_desktop_password" {
 value = random_password.gnome_remote_desktop.result
 sensitive = true
 }
+
+# SICP staging
+
+resource "random_password" "mongodb_admin" {
+ length = 64
+ special = false
+}
+output "mongodb_admin_password" {
+ value = random_password.mongodb_admin.result
+ sensitive = true
+}
+
+resource "random_password" "mongodb_sicp_staging" {
+ length = 64
+ special = false
+}
+output "mongodb_sicp_staging_password" {
+ value = random_password.mongodb_sicp_staging.result
+ sensitive = true
+}
+
+resource "random_password" "rabbitmq_sicp_staging" {
+ length = 32
+ special = false
+}
+output "rabbitmq_sicp_staging_password" {
+ value = random_password.rabbitmq_sicp_staging.result
+ sensitive = true
+}
+
+resource "random_password" "sicp_staging_jwt_secret" {
+ length = 64
+ special = false
+}
+output "sicp_staging_jwt_secret" {
+ value = random_password.sicp_staging_jwt_secret.result
+ sensitive = true
+}
+
+resource "random_password" "sicp_staging_admin" {
+ length = 32
+ special = false
+}
+output "sicp_staging_admin_password" {
+ value = random_password.sicp_staging_admin.result
+ sensitive = true
+}
+resource "random_password" "sicp_staging_redis" {
+ length = 32
+ special = false
+}
+output "sicp_staging_redis_password" {
+ value = random_password.sicp_staging_redis.result
+ sensitive = true
+}