architect: Enable runas and lezzo nix modules

hosts/architect/default.nix

@@ -37,6 +37,8 @@ in {
     ../../cachix.nix
     ./docker.nix
     ./keycloak.nix
+    ./lezzo.nix
+    ./runas.nix
   ];
 
   time.timeZone = "Europe/Rome";

hosts/architect/jellyfin.nix

@@ -19,7 +19,7 @@ in
     nginx.virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      extraConfig = auth_block { access_role = "jellyfin"; } +
+      extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = [ network.giuliopc-wg ]; } +
         ''
           # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
           #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

hosts/architect/lezzo.nix

@@ -0,0 +1,45 @@
+{ services, pkgs, lib, makeBinPath, ... }:
+let
+  domain = "lezzo.org";
+  lezzo_root = "/var/lib/lezzo.org";
+  service_name = "lezzo-pull";
+  network = import ./network.nix;
+  mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
+    set -euo pipefail
+    cd ${lezzo_root}
+    git pull origin master --rebase
+  '';
+in
+{
+  services.nginx.virtualHosts.${domain} = {
+    enableACME = true;
+    forceSSL = true;
+
+    root = lezzo_root;
+    
+    locations."/.git" = { return = "404"; };
+  };
+
+  systemd = {
+    services.${service_name} = {
+      path = [ pkgs.git ];
+      enable = true;
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = mkStartScript "${service_name}";
+      };
+    };
+    timers.${service_name} = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Unit = "${service_name}.service";
+      };
+    };
+  };
+
+  networking.extraHosts = ''
+    ${network.architect-lan} ${domain}
+    ${network.architect-wg} ${domain}
+  '';
+}

hosts/architect/matrix.nix

@@ -97,9 +97,9 @@ in
             return 200 '${builtins.toJSON client}';
           '';
 
-        locations."/".extraConfig = ''
+#        locations."/".extraConfig = ''
-          return 404;
+#          return 404;
-        '';
+#        '';
 
         # forward all Matrix API calls to the synapse Matrix homeserver
         locations."/_matrix" = {

hosts/architect/nginx.nix

@@ -1,24 +1,6 @@
 { services, pkgs, lib, ... }:
-let
-  serviceSkeleton = { default ? false }: {
-    inherit default;
 
-    enableACME = true;
+{
-    forceSSL = true;
-    root = "/var/lib/nginx/error_pages";
-    extraConfig = "error_page 404 /index.htm;";
-
-    locations = {
-      "/" = { return = "404"; };
-
-      "/index.htm" = { };
-
-      "/style.css" = { };
-
-      "/wat.jpg" = { };
-    };
-  };
-in {
   services.nginx = {
     enable = true;
     package = pkgs.openresty;
@@ -27,9 +9,24 @@ in {
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
 
-    virtualHosts."architect.devs.giugl.io" = serviceSkeleton { default = true; };
+    virtualHosts."architect.devs.giugl.io" = {
-    virtualHosts."runas.rocks" = serviceSkeleton {};
+      default = true;
-    
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/lib/nginx/error_pages";
+      extraConfig = "error_page 404 /index.htm;";
+
+      locations = {
+        "/" = { return = "404"; };
+
+        "/index.htm" = { };
+
+        "/style.css" = { };
+
+        "/wat.jpg" = { };
+      };
+    };
+
     appendHttpConfig =
       let
         extraPureLuaPackages = with pkgs.luajitPackages; [

hosts/architect/runas.nix

@@ -0,0 +1,45 @@
+{ services, pkgs, lib, makeBinPath, ... }:
+let
+  domain = "runas.rocks";
+  runas_root = "/var/lib/runas.rocks/dist";
+  service_name = "runas.rocks-pull";
+  network = import ./network.nix;
+  mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
+    set -euo pipefail
+    cd ${runas_root}
+    git pull origin master --rebase
+  '';
+in
+{
+  services.nginx.virtualHosts.${domain} = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/".root = runas_root;
+    
+    locations."/.git" = { return = "404"; };
+  };
+
+  systemd = {
+    services.${service_name} = {
+      path = [ pkgs.git ];
+      enable = true;
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = mkStartScript "${service_name}";
+      };
+    };
+    timers.${service_name} = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Unit = "${service_name}.service";
+      };
+    };
+  };
+
+  networking.extraHosts = ''
+    ${network.architect-lan} ${domain}
+    ${network.architect-wg} ${domain}
+  '';
+}

hosts/architect/wireguard.nix

@@ -153,7 +153,7 @@ with import ./network.nix; {
           {
             # germano
             allowedIPs = [ germano-wg ];
-            publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4=";
+            publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw=";
           }
 
           {

roles/home/helix.nix

@@ -33,7 +33,9 @@
       rnix-lsp
       python310Packages.python-lsp-server
       texlab
+      nodePackages.vscode-langservers-extracted
       nodePackages.typescript
+      nodePackages.svelte-language-server
     ];
   };
 }