Configure pmd catalog machine

flake.nix

@@ -8,10 +8,11 @@
     collab.url = github:UM-LPM/QA/production;
     collab-dev.url = github:UM-LPM/QA;
     login.url = github:UM-LPM/login;
+    pmd-catalog.url = github:UM-LPM/short-courses-catalog;
     gc.url = github:Mir1001/gc_mv_backend;
   };
 
-  outputs = {self, nixpkgs, nixpkgs-23_11, nixpkgs-unstable, agenix, sso-test, collab, collab-dev, login, gc, ...}@inputs:
+  outputs = {self, nixpkgs, nixpkgs-23_11, nixpkgs-unstable, agenix, sso-test, collab, collab-dev, login, pmd-catalog, gc, ...}@inputs:
   let
     pkgs = import nixpkgs {
       system = "x86_64-linux";
@@ -74,6 +75,7 @@
         login.nixosModules.default
       ];
       "pmd-catalog.l" = mkSystem "pmd-catalog.l" [
+        pmd-catalog.nixosModules.default
       ];
       "gc.l" = mkSystem "gc.l" [
         gc.nixosModules.default

machines/gateway.l/configuration.nix

@@ -55,6 +55,9 @@
       "dev.collab.lpm.feri.um.si" = {
         inherit email;
       };
+      "catalog.pmd.lpm.feri.um.si" = {
+        inherit email;
+      };
       "gc.lpm.feri.um.si" = {
         inherit email;
       };
@@ -230,6 +233,18 @@
           proxyPass = "http://login.l:3000/";
         };
       };
+      "catalog.pmd.lpm.feri.um.si" = {
+        addSSL = true;
+        enableACME = true;
+
+        locations."/api/" = {
+          proxyPass = "http://pmd-catalog.l:8080/api/";
+        };
+        locations."/" = {
+          recommendedProxySettings = true;
+          proxyPass = "http://pmd-catalog.l/";
+        };
+      };
       "sso-test.lpm.feri.um.si" = {
         #forceSSL = true;
         addSSL = true;

machines/pmd-catalog.l/configuration.nix

@@ -6,8 +6,20 @@
     ../../modules/base.nix
     ../../users/root.nix
     ../../users/rescue.nix
-    ../../users/pmd-catalog.nix
+    ../../users/catalog.nix
   ];
 
-  networking.firewall.allowedTCPPorts = [22 9100];
+  networking.firewall.allowedTCPPorts = [22 80 8080 9100];
+
+  age.secrets."pmd-catalog-secrets" = {
+    file = ../../secrets/pmd-catalog-secrets.age;
+    mode = "600";
+    owner = "catalog";
+    group = "users";
+  };
+
+  noo.services.pmdCatalog = {
+    enable = true;
+    secrets = config.age.secrets."pmd-catalog-secrets".path;
+  };
 }

secrets/cache-priv-key.pem

@@ -0,0 +1 @@
+cache.lpm.feri.um.si:G0jRpIAc++km1A9F8FhK2leGBI88YTFMYxdXu3OinZ6ZGuoCnKJkgLJ5Z/KISgk/L4LPnRgAmE30al7j0GGaiw==

secrets/cache-pub-key.pem

@@ -0,0 +1 @@
+cache.lpm.feri.um.si:mRrqApyiZICyeWfyiEoJPy+Cz50YAJhN9Gpe49Bhmos=

secrets/cert.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSTCCAzGgAwIBAgIUUKw5VTI4BHjAIK42VGNfoJqq6C4wDQYJKoZIhvcNAQEL
+BQAwNDELMAkGA1UEBhMCU0kxDDAKBgNVBAoMA0xQTTEXMBUGA1UEAwwObHBtLmZl
+cmkudW0uc2kwHhcNMjMxMjE1MTcwMjE0WhcNNDMwOTAxMTcwMjE0WjA0MQswCQYD
+VQQGEwJTSTEMMAoGA1UECgwDTFBNMRcwFQYDVQQDDA5scG0uZmVyaS51bS5zaTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMv06b9Ep68czObhgr4ne0WO
+SMp1oNKfrxZuJfq6ehJPqboDDyY/kAsa0SsI1HN8y6GpRWkbj2Ry9voadJKQDIuv
+tSpwks3HBK1ex3cGzgHJgMicElsER98GlIAI9LCQDQAq1QyGvR9NdOWHoZ+lrmaY
+BfufeZF37lYxP963aonPoQZg6WdzJOi+0uRpkqumEICb1RsKMuio3qvLvyX5UtCy
+n3CkYhobu8LFwJcRRjzERUZqHMtGkvudnVJGWOYKvRwDStKGnUpIVELqVo2bLB3V
+deHiPH4hxK/xqhReQlRCwaP/rm76XmvCPH1Ij8nC2C6deLli4t96HFaK3/M+xXpb
+1pfpb+7A24SFB37xS04AJHpR//6+GdpQpMErWuwChn7XWLEvmOXFdUDrejbMe6T6
+6M8oIr2CSjluv26dAJe7jOOLXJ1zYdd9fO6hnBS6ghZNVGFQdki+2zOFP0AKdLw7
+bi3ER/R+9FgQFjwli2lzyTpK/XI8LZJn2xVXIEfCcfLAbZAG2IqvED6OXvpJOc8l
+9N+3lUFuGfXogEeYlU2vsW91+6kbBwV5gA1+XYJRsRtOnT1TzlNJ+xH3C612cp1V
+gGrncOoCM3E5o/tRaZZNhV2xJX+RiPTwtDkknx85ubtXRiFgKxyUjQZGe6hosc/N
+vgclrh0ot2QdWiChuBdBAgMBAAGjUzBRMB0GA1UdDgQWBBRIibUjCr0eNoayv/av
+p9Ux8Bc5YzAfBgNVHSMEGDAWgBRIibUjCr0eNoayv/avp9Ux8Bc5YzAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCRsJLrLCpR+sQiLd1yHKmp5LOt
+dnmMvSRW2aSMzEa8LPQ5oWZqgYlJ3rRdt4/1RUJl2z5s0SX6NYCB2RU8S+lJ0MSQ
+UUMzsL9Pybhwe09r1f7z1Ogi+Z4ezO5P+RdqwvHqIod24WAMzfuP9F5IIbyWs4Fg
+Q4Us76um727qqjKeNMcHRmRkzjl4OqSn7rj/bEhzP2ZfZhWgNIZCvyvGc37+2mpK
+TWA91pbiO5X/3VOKpD2sHzIMeRZlSQUQn7BStt9bv5LM/aaCXdnzmna3vxb90ovC
+7Hm2ZElcVCjdO6Wy5+Vljkyx8lK7S7qgkiyqoIxohkzD35bB5cvVCQw1gQwlCmEd
+RWv0RYsxztUT5dLsqJwvbgGBZV/PI1bQwg7R5osvzdPab7qCvXE4Dnt6QDBUJIVD
+BNn/psr0DarRAfAOaO0XtpDleHY4X0P1RfLIxQcJC6fl6VZYoCrTONHUus6q7IXD
+AFIwvM04ixSnKcaFVm2MdgzPU9uJj0BwtOYo8zACGSDmPqjVFMS2iHfzZC0FTTqh
+psUMZYTjQRjFPu+fkZ43RUf5vKPPapz7wObiVrqZNKC6SwVpiwU0eWmrLdtvcpuS
+SOhYFaw0X99EI6arsB4o3D1CkfDDTwFnfSB7UljmdOdFKD6O2/nSe3tTaC+9mhON
+w/7oUGWf/MBifNI4yg==
+-----END CERTIFICATE-----

secrets/cert.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDL9Om/RKevHMzm
+4YK+J3tFjkjKdaDSn68WbiX6unoST6m6Aw8mP5ALGtErCNRzfMuhqUVpG49kcvb6
+GnSSkAyLr7UqcJLNxwStXsd3Bs4ByYDInBJbBEffBpSACPSwkA0AKtUMhr0fTXTl
+h6Gfpa5mmAX7n3mRd+5WMT/et2qJz6EGYOlncyTovtLkaZKrphCAm9UbCjLoqN6r
+y78l+VLQsp9wpGIaG7vCxcCXEUY8xEVGahzLRpL7nZ1SRljmCr0cA0rShp1KSFRC
+6laNmywd1XXh4jx+IcSv8aoUXkJUQsGj/65u+l5rwjx9SI/JwtgunXi5YuLfehxW
+it/zPsV6W9aX6W/uwNuEhQd+8UtOACR6Uf/+vhnaUKTBK1rsAoZ+11ixL5jlxXVA
+63o2zHuk+ujPKCK9gko5br9unQCXu4zji1ydc2HXfXzuoZwUuoIWTVRhUHZIvtsz
+hT9ACnS8O24txEf0fvRYEBY8JYtpc8k6Sv1yPC2SZ9sVVyBHwnHywG2QBtiKrxA+
+jl76STnPJfTft5VBbhn16IBHmJVNr7FvdfupGwcFeYANfl2CUbEbTp09U85TSfsR
+9wutdnKdVYBq53DqAjNxOaP7UWmWTYVdsSV/kYj08LQ5JJ8fObm7V0YhYCsclI0G
+RnuoaLHPzb4HJa4dKLdkHVogobgXQQIDAQABAoICAAWgXnmb+S6mxVgHU2HPqnvG
+ZyNDesnSjcU5PM3IO9Qhn2axqOkhAghT28tWMTja6VjIaPvZx0CPRtDM8NVjj4UK
+LciGIuWPjXy+5RL5dBUEZ9h+xkD9dhu10cKGL+yJZ3N57jcScuKlDCwrwVtWCxPz
+Mpva4SDMRZViukrv+/3QmLYAAK44PWw4rlr1A7Df3diLOD+3cj5ZybcJA/B0CqmN
+elMPHVI9D+NqpDloyKcuwzGssKaG7lnlr4w45YUxfbZx67052EDXv23+NaAdw65l
+rdheIhm/Vv/Hjz7ZiG47kozltvxgXg4OS+MpKThwQ8y7RiukZ7dK7p2ZGfgWnsBe
+CNOkTUCcL28YpbxNk4VmE/yOnLli91ySgAqCGfXfy/6wjcFg8eChau3dobSSzAvc
+JI6BB65hQGSjJkOQPpK6o5Dm2j5F4IBL6RRQ4LmBwrb9iIcUJyy5Zyt8ShiaIa8M
+8jpB/ujBGksc7Rt9zPqKyOSnYyiDYWFZpT6UHjvch9zN5t3r7TdXOlf3BOrVCH8K
+PzGI49pX2zCx+QhSMOcyJTGQqniKnQpp4P3pfOQBwkRRSWeqaiOhCUF1pixHO7gw
+Aavrigq3RHRajcpiMtAyLFJAl9Aa8ncCPxjlc3bSl0mSMsJm4t0TxCTF6vteXygl
+nikD+WE/UFY3KcbVrnNFAoIBAQDl41fNhjua0B3z23WuysMKa0qiBL5mG3Y02tCA
+1jbPaJt6kULjeEZ6ghCvaIc1zf20/OJUCMj/FMZpirv3DKWdsVKFXwnpw9FX43EZ
+Yd7jzEAXWTprhdYNTdMN5lp2BFN4NUYRD91mt3h6xgjLf+ZDkDFZ9FYrznGxnwls
+il66JWPjHyLRJd+kit6IdcGsfekh1Pa4Xh6518P65qCpxAcjiLb67N/usJ5ejZ2y
+62naTxX2ZmrDVXIjtJFhHeXLN9DFRHXWosWzQ3hQmiIztPdjJKjuemt+xzvJY/My
+wtMFU0pNsU7JLeK8KcMUUMIp0txCBoxybg48jD+mwyprwy8HAoIBAQDjH4p8i4Vt
+C4fcBCtNklmW5Hj6ksLzUyQ6xy62jc+xqtnas1o0XmZ4Wh5SxEJiDsNF+dLLlEtl
+sbGdZmup9uKkmTQAD4XLguNb+gc6bXiTdSIjbxJoZDLCrBwmnrq/SLK9GBxCDJHs
+tpRYPAGWme42owx4WFVt6FPL/BtbGQOhK3PCGZkFaY5ihFtKHxGAGoEG5S2HLf44
+8gnaBc9yDBZ93ltFug/Y2CZoA24EpqS1IzdMK5/GaTP/UuvJ91y+FNkLQXib2b69
+Gt02Z/j3vSLleKbF8bGS5dix/6fEoVg7k+jMZuNeER73OZDSH4pYdD6868pVuHhm
+XraKZUoYPy13AoIBAAK5vEvCgKhoOUKv4mhNHRzdgsgC+GLrhm4//eLZJ1M0MUu1
+ty5NOcCwFBSQT7ISnCRuLxzB8egcTfHoZCwcqUYCWTEdnFd6K9w35Rpg76yRulzM
+gQXPU2da+dqbVY06peax8v+2yXAzUqlZ+ba38HnylrMzU2Y3j1+EvC7eQRtB4DpM
+HzSNl2YzA0po4v/xijcNeFNdQk3/weISo+r/WPpR36F/93O0AlyqnykE439kGqWO
+N0vTkoPb2zFkklnjcoU0N5Vw3pkufpmuCiPEzH4PbDVPnECnigzsM3DxoGDayPG8
+3WtDMQH8GMT/5B1s05Gw1C9zIJYVL5gBjloyuTcCggEAFg0q6fq14qd68l6pQafS
+8PaP1GxJZ0yMOPS70Velca+P5U8ClBESS98cEJcjhte+F94wnDlytJXzE8As9dyV
+lruVM+hN6jt0DasR5pdYXKDDxsLy+5W24/XH6ewBX68UQ43CuJr11BDKCGMTGGcr
+nLxp6olRChHDiQuaMFcWZiCM5ayMkdz0yRXmsySfE1v/aQb5S6WoiCjf0f48bOtF
+h8T+AaAWB8y8td6XYPY5Cak4pjmaEq6GMOUBJaPRqlbl19Tse91BSqUAE1c28f64
+E6WKM6/KuON+DZIv3MR5h5dNxAK9UpXA9uns6KnNSddHfBo8k+QMNIw/luJMtlvz
+8wKCAQEA2x8xnUhJHE/mgEuViIw6z1PnazDq9nXxYzYzP4OFMkYKfy08vime8+0j
++5daCTFDfJuZsTkEi/rZfdONe3aZqcXRcGSegNh+0gy4WISL82fDF5V4UsIhMiTg
+009QV8nVB5Z0LN5yqcxXfV5WAPPWZ/cfAP+7sryqV2GThq7+/N5sgz0xaDDmgiJ1
+TZgIPD3zf/+WC9/UqUSxKg6cClRrGv4j5VMfiJJMIFJYsjttcyVapT+wG/9JFruP
+Q3t+eeMmrndA+b6MivaQg6Yadwx5iizNXPwEv9sPnRw/AndjWSSoWRh6kuM6lqGs
+wNlANW+4bSIIfkqmDNdXue4jKhHHqQ==
+-----END PRIVATE KEY-----

secrets/gencert.sh

@@ -0,0 +1 @@
+openssl req -x509 -newkey rsa:4096 -nodes -keyout cert.key -out cert.crt -sha256 -days 7200 -subj "/C=SI/O=LPM/CN=lpm.feri.um.si"

secrets/secrets.nix

@@ -12,4 +12,5 @@ in
   "mqtt-passwords.age".publicKeys = [systems."student-mqtt.l"] ++ (with users; [mario ziga matej]);
   "login-secrets.age".publicKeys = [systems."login.l"] ++ (with users; [mario ziga matej marko]);
   "gc-secrets.age".publicKeys = [systems."gc.l"] ++ (with users; [mario ziga matej marko]);
+  "pmd-catalog-secrets.age".publicKeys = [systems."pmd-catalog.l"] ++ (with users; [mario ziga marko matej cvetanka]);
 }

users/bastion.nix

@@ -5,7 +5,7 @@
     description = "Bastion user";
     shell = "${pkgs.shadow}/bin/nologin";
     openssh.authorizedKeys.keys = with import ../ssh/users.nix; [
-      mario ziga matej miha dragana bostjan marko server-actions bioma-actions bass-actions matej-actions dragana-actions matej-extra
+      mario ziga matej miha dragana bostjan marko cvetanka server-actions bioma-actions bass-actions matej-actions dragana-actions matej-extra
     ];
   };
 }

users/pmd-catalog.nix → users/catalog.nix

@@ -1,8 +1,8 @@
 {config, lib, ...}:
 {
-  users.users."pmd-catalog" = {
+  users.users.catalog = {
     isNormalUser = true;
     description = "PMD catalog user";
-    openssh.authorizedKeys.keys = with import ../ssh/users.nix; [mario ziga matej marko];
+    openssh.authorizedKeys.keys = with import ../ssh/users.nix; [mario ziga matej marko cvetanka];
   };
 }