feat: add amzebs-01 host

2025-11-14 20:06:01 +01:00
parent 865311bf49
commit 20c5af7a69
11 changed files with 228 additions and 207 deletions
--- a/hosts/amzebs-01/modules/laravel-storage.nix
+++ b/hosts/amzebs-01/modules/laravel-storage.nix
@@ -0,0 +1,27 @@
+{ ... }:
+{
+  # Create Laravel storage directories for all API instances
+  # These directories are required for Laravel to function properly
+  systemd.tmpfiles.rules = [
+    # api.ebs.cloonar.dev
+    "d /var/www/api.ebs.cloonar.dev/storage/framework/cache 0775 api_ebs_cloonar_dev nginx -"
+    "d /var/www/api.ebs.cloonar.dev/storage/framework/sessions 0775 api_ebs_cloonar_dev nginx -"
+    "d /var/www/api.ebs.cloonar.dev/storage/framework/views 0775 api_ebs_cloonar_dev nginx -"
+    "d /var/www/api.ebs.cloonar.dev/storage/logs 0775 api_ebs_cloonar_dev nginx -"
+    "d /var/www/api.ebs.cloonar.dev/bootstrap/cache 0775 api_ebs_cloonar_dev nginx -"
+
+    # api.ebs.amz.at
+    "d /var/www/api.ebs.amz.at/storage/framework/cache 0775 api_ebs_amz_at nginx -"
+    "d /var/www/api.ebs.amz.at/storage/framework/sessions 0775 api_ebs_amz_at nginx -"
+    "d /var/www/api.ebs.amz.at/storage/framework/views 0775 api_ebs_amz_at nginx -"
+    "d /var/www/api.ebs.amz.at/storage/logs 0775 api_ebs_amz_at nginx -"
+    "d /var/www/api.ebs.amz.at/bootstrap/cache 0775 api_ebs_amz_at nginx -"
+
+    # api.stage.ebs.amz.at
+    "d /var/www/api.stage.ebs.amz.at/storage/framework/cache 0775 api_stage_ebs_amz_at nginx -"
+    "d /var/www/api.stage.ebs.amz.at/storage/framework/sessions 0775 api_stage_ebs_amz_at nginx -"
+    "d /var/www/api.stage.ebs.amz.at/storage/framework/views 0775 api_stage_ebs_amz_at nginx -"
+    "d /var/www/api.stage.ebs.amz.at/storage/logs 0775 api_stage_ebs_amz_at nginx -"
+    "d /var/www/api.stage.ebs.amz.at/bootstrap/cache 0775 api_stage_ebs_amz_at nginx -"
+  ];
+}
--- a/hosts/amzebs-01/modules/mysql.nix
+++ b/hosts/amzebs-01/modules/mysql.nix
@@ -13,17 +13,31 @@
        bind-address = "0.0.0.0";
      };
    };
+  };

-    # Create read-only user for remote access on initial MySQL setup
-    initialScript = pkgs.writeShellScript "mysql-init.sql" ''
+  # Create read-only user for remote access after MySQL starts
+  systemd.services.mysql-setup-readonly-user = {
+    description = "Setup MySQL read-only user";
+    after = [ "mysql.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      User = "root";
+    };
+    script = ''
      PASSWORD=$(cat ${config.sops.secrets.mysql-readonly-password.path})
      ${pkgs.mariadb}/bin/mysql -u root <<EOF
-        CREATE USER IF NOT EXISTS 'api_ebs_amz_at_ro'@'%' IDENTIFIED BY '$PASSWORD';
-        GRANT SELECT ON api_ebs_amz_at.* TO 'api_ebs_amz_at_ro'@'%';
-        FLUSH PRIVILEGES;
-      EOF
+CREATE USER IF NOT EXISTS 'api_ebs_amz_at_ro'@'%' IDENTIFIED BY '$PASSWORD';
+GRANT SELECT ON api_ebs_amz_at.* TO 'api_ebs_amz_at_ro'@'%';
+FLUSH PRIVILEGES;
+EOF
    '';
  };

  services.mysqlBackup.enable = true;
+
+  sops.secrets.mysql-readonly-password = {
+    owner = "mysql";
+  };
 }