authorEmile <git@emile.space>2024-09-13 15:04:06 +0200
committerEmile <git@emile.space>2024-09-13 15:04:06 +0200
commit35d6c2c70824cf77ef2216889cc9730b622f5ac1 (patch)
tree2435a97f87409deb57c279fb41534e0d10c901ca /nix/hosts/corrino/www
parent902c97cf9aa16c5bb4a45b28f182e4d6033156e7 (diff)
big push
Diffstat (limited to 'nix/hosts/corrino/www')
-rw-r--r--nix/hosts/corrino/www/cs.emile.space.nix54
-rw-r--r--nix/hosts/corrino/www/db.emile.space.nix23
-rw-r--r--nix/hosts/corrino/www/emile.space.nix2
-rw-r--r--nix/hosts/corrino/www/git/cgit.nix29
-rw-r--r--nix/hosts/corrino/www/grafana.emile.space.nix24
-rw-r--r--nix/hosts/corrino/www/hydra.emile.space.nix3
-rw-r--r--nix/hosts/corrino/www/irc.emile.space.nix155
-rw-r--r--nix/hosts/corrino/www/nix-cache/default.nix7
-rw-r--r--nix/hosts/corrino/www/nix-cache/index.txt22
-rw-r--r--nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix58
10 files changed, 367 insertions, 10 deletions
diff --git a/nix/hosts/corrino/www/cs.emile.space.nix b/nix/hosts/corrino/www/cs.emile.space.nix
new file mode 100644
index 0000000..4f1b91e
--- /dev/null
+++ b/nix/hosts/corrino/www/cs.emile.space.nix
@@ -0,0 +1,54 @@
+{ config, lib, ... }:
+
+let
+
+	# get's all repos configured in cgit and converts them into some JSON that is used by hound
+	repos = builtins.toJSON
+		(lib.mergeAttrsList
+			(map
+				(x: {"${x.name}" = { url = "file://${x.path}"; }; })
+				(lib.mapAttrsToList
+					(name: value: value // { name = "${name}"; })
+					config.services.cgit.main.repos)));
+in {
+	services.nginx.virtualHosts."cs.emile.space" = {
+		forceSSL = true;
+		enableACME = true;
+		locations = {
+			"/" = {
+        proxyPass = "http://${config.services.hound.listen}";
+			};
+		};
+	};
+
+	# add hound user to git group so the local repos can be read
+  # users.users.hound.extraGroups = [ "git" ];
+
+	users.groups."git".members = [ "hound" ];
+
+	# The `.gitignore` of the user `hound` should contain the following:
+	#
+	# [safe]
+  #       directory = /var/lib/git/repositories/*
+  #       directory = /var/lib/git/repositories/faila.git
+  #       directory = /var/lib/git/repositories/faila2.git
+
+	services.hound = {
+		enable = true;
+
+		config = ''
+			{
+			  "dbpath": "/var/lib/hound/data",
+			  "max-concurrent-indexers" : 6,
+		    "vcs-config" : {
+	        "git" : {
+            "detect-ref" : true
+	        }
+		    },
+			  "repos" : ${repos}
+			}
+		'';
+
+		listen = "127.0.0.1:${toString config.emile.ports.hound}";
+	};
+}
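Review bot: The comment `# The .gitignore of the user hound should contain the following:` names the wrong file; a `[safe] directory = …` stanza belongs in a gitconfig, so `# The .gitconfig of the user hound should contain the following:` is what is meant, and since the cgit.nix hunk in this same commit already writes those entries into `/etc/gitconfig`, the per-user note may be obsolete altogether. Adding `hound` to the `git` group grants it read access to every repository cgit serves, and the `cs.emile.space` vhost proxies hound's index with no authentication, so anything in `config.services.cgit.main.repos` that is not meant to be public becomes searchable; if every listed repo is public that is fine, and a one-line comment saying so would settle it. The commented-out `# users.users.hound.extraGroups = [ "git" ];` duplicates the active `users.groups."git".members` line and can go.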
diff --git a/nix/hosts/corrino/www/db.emile.space.nix b/nix/hosts/corrino/www/db.emile.space.nix
new file mode 100644
index 0000000..7cb365e
--- /dev/null
+++ b/nix/hosts/corrino/www/db.emile.space.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+
+{
+  services.nginx.virtualHosts."db.emile.space" = {
+    forceSSL = true;
+    enableACME = true;
+
+    locations = {
+      "/" = {
+        proxyPass = "http://127.0.0.1:${toString config.emile.ports.nocodb}";
+      };
+    };
+  };
+  virtualisation.oci-containers = {
+    containers = {
+      "noco" = {
+        image = "nocodb/nocodb:latest";
+				volumes = [ "nocodb:/usr/app/data" ];
+        ports = [ "${toString config.emile.ports.nocodb}:8080" ];
+      };
+    };
+  };
+}
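Review bot: `ports = [ "${toString config.emile.ports.nocodb}:8080" ];` publishes the NocoDB port on every host interface, so the container is reachable directly over plain HTTP beside the TLS vhost that proxies to `127.0.0.1`, unless the host firewall happens to block the published port. Binding the publish to loopback, `ports = [ "127.0.0.1:${toString config.emile.ports.nocodb}:8080" ];`, keeps nginx as the only entry point. `image = "nocodb/nocodb:latest";` also makes the deployment unreproducible and silently pulls whatever the registry serves on the next restart; a version tag or digest pin is preferable. The `nocodb` data volume is referenced only by name, so a short comment noting where it lives and that backups depend on it would help the next maintainer.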
diff --git a/nix/hosts/corrino/www/emile.space.nix b/nix/hosts/corrino/www/emile.space.nix
index c39ca31..8b67d84 100644
--- a/nix/hosts/corrino/www/emile.space.nix
+++ b/nix/hosts/corrino/www/emile.space.nix
@@ -13,6 +13,8 @@
         ''; 
       };
 
+      # As the social.emile.space server actually uses redirects from emile.space, they have to be
+      # setup somewhere. Well... this is that place
       "/@hanemile".extraConfig = ''
         return 301 https://social.emile.space/@hanemile;
       '';
diff --git a/nix/hosts/corrino/www/git/cgit.nix b/nix/hosts/corrino/www/git/cgit.nix
index 1e63dfc..b48157a 100644
--- a/nix/hosts/corrino/www/git/cgit.nix
+++ b/nix/hosts/corrino/www/git/cgit.nix
@@ -1,10 +1,33 @@
 { config, lib, pkgs, ... }:
 
+let
+	repodirs = builtins.concatStringsSep "\n"
+		(map
+			(x: "directory = ${x}")
+			(lib.lists.flatten
+				(map
+					(x: lib.attrValues (lib.getAttrs [ "path" ] x))
+					(lib.mapAttrsToList
+						(name: value: value)
+						config.services.cgit.main.repos))));
+in
 {
   environment.systemPackages = with pkgs; [
-	  md4c # used to get md2html for rendering the READMEs
+	  md4c # used to get md2html for rendering the READMEs within cgit-pink
 	];
 
+	# set all the repos as safe
+	environment.etc = {
+	  gitconfig = {
+	    text = ''
+				[http]
+					sslCAinfo = /etc/ssl/certs/ca-certificates.crt
+				[safe]
+					${repodirs}
+	    '';
+		};
+	};
+	
   services = {
 	  nginx.virtualHosts."git.emile.space" = {
 	    forceSSL = true;
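Review bot: `repodirs` in the new `let` block goes through `lib.mapAttrsToList (name: value: value)`, `lib.getAttrs [ "path" ]`, `lib.attrValues` and `lib.lists.flatten` to extract a single field; `lib.mapAttrsToList (_: repo: "directory = ${repo.path}") config.services.cgit.main.repos` produces the same list in one step and reads as what it does. Writing the result into `environment.etc.gitconfig` puts the `[safe]` entries in the system-wide `/etc/gitconfig`, so every account on the host treats every cgit repository as safe, not only the services that read repos owned by another user; if that is the intent, `# set all the repos as safe` could say so, e.g. `# host-wide safe.directory for every cgit repo so services running as other users can read repos owned by git`. The `gitDaemon.enable = false;` flip in the third hunk is not explained by the `big push` message; a comment giving the reason next to it would save the next reader a bisect.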
@@ -469,7 +492,7 @@
 				# articles
 				barnes-hut = {
 					desc = "A one pager compressing the JuFo19 project";
-					path = "/var/lib/git/repositories/paged-out-barnes-hut.git";
+					path = "/var/lib/git/repositories/barnes-hut.git";
 					section = "Articles";
 					owner = "emile";
 				};
@@ -544,7 +567,7 @@
 
 		# exposing stuff
 		gitDaemon = {
-			enable = true;
+			enable = false;
 
 			user = "git";
 			group = "git";
diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix
index 3464421..eaf88b5 100644
--- a/nix/hosts/corrino/www/grafana.emile.space.nix
+++ b/nix/hosts/corrino/www/grafana.emile.space.nix
@@ -2,12 +2,22 @@
 
 {
   services = {
-    nginx.virtualHosts."grafana.emile.space" = {
-      addSSL = true;
-      enableACME = true;
-      locations."/" = {
-          proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/";
-          proxyWebsockets = true;
+    nginx.virtualHosts = {
+      "grafana.emile.space" = {
+        addSSL = true;
+        enableACME = true;
+        locations."/" = {
+            proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/";
+            proxyWebsockets = true;
+        };
+      };
+      "prometheus.emile.space" = {
+        addSSL = true;
+        enableACME = true;
+        locations."/" = {
+            proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/";
+            proxyWebsockets = true;
+        };
       };
     };
 
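Review bot: The new `"prometheus.emile.space"` vhost proxies the Prometheus web UI to the internet with no authentication on its location, and Prometheus has no login of its own, so every scraped metric (host, exporter and service data) and the query API become publicly readable. Adding `basicAuthFile = "<path-to-htpasswd>";` to the vhost (or restricting the location by client address) closes that, and `forceSSL = true;` in place of `addSSL = true;` would also drop the plain-HTTP variant that `addSSL` keeps serving. The `listenAddress = "[::1]";` change in the second hunk correctly keeps the raw Prometheus port off the network, so this vhost is the only exposure left to fix.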
@@ -47,6 +57,8 @@
     prometheus = {
       enable = true;
       retentionTime = "356d";
+
+      listenAddress = "[::1]";
       port = config.emile.ports.prometheus;
 
       exporters = {
diff --git a/nix/hosts/corrino/www/hydra.emile.space.nix b/nix/hosts/corrino/www/hydra.emile.space.nix
index 97d5962..6628a67 100644
--- a/nix/hosts/corrino/www/hydra.emile.space.nix
+++ b/nix/hosts/corrino/www/hydra.emile.space.nix
@@ -57,7 +57,8 @@
       <git-input>
         timeout = 3600
       </git-input>
-      evaluator_restrict_eval = false
+      binary_cache_public_uri = https://nix-cache.emile.space
     '';
+      # evaluator_restrict_eval = false
   };
 }
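Review bot: `binary_cache_public_uri = https://nix-cache.emile.space` advertises an HTTPS cache, but the `nix-cache.emile.space` vhost added in this same commit has `forceSSL = false; enableACME = false;` and no locations, so the URI Hydra will now print does not yet lead to a working cache; a `# TODO: enable once nix-cache.emile.space serves TLS` beside it, or enabling that vhost's TLS in the same change, would keep the two in step. Dropping `evaluator_restrict_eval = false` means Hydra evaluates in its default restricted mode again, which is a sound hardening step but is undocumented; the `# evaluator_restrict_eval = false` line now sits outside the `''` string as a Nix comment, so replacing it with `# evaluator_restrict_eval left at its default (restricted) on purpose` would record the intent.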
diff --git a/nix/hosts/corrino/www/irc.emile.space.nix b/nix/hosts/corrino/www/irc.emile.space.nix
new file mode 100644
index 0000000..f738d62
--- /dev/null
+++ b/nix/hosts/corrino/www/irc.emile.space.nix
@@ -0,0 +1,155 @@
+{ config, ... }:
+
+{
+	# Create a tls cert for the irc server
+	security.acme.certs = {
+		"irc.emile.space" = {
+			webroot = "/var/lib/acme/acme-challenge/";
+			email = "acme@emile.space";
+			postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service";
+		};
+	};
+
+	# Allow ergo to access the created cert
+	# The systemd server runs using a dynamic user, so the below inserts the .pem files
+	#   into "/run/credentials/ergochat.service/key.pem"
+	systemd.services.ergochat.serviceConfig = {
+		LoadCredential = [
+			"fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem"
+			"key.pem:/var/lib/acme/irc.emile.space/key.pem"
+		];
+	};
+
+	# allow connections to the port from the "outside"
+  networking.firewall.allowedTCPPorts = [ config.emile.ports.irc.ssl ];
+
+	services.ergochat = {
+		enable = true;
+
+		# https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml
+		settings = {
+		  accounts = {
+		    authentication-enabled = true;
+		    multiclient = {
+		      allowed-by-default = true;
+		      always-on = "opt-out";
+		      auto-away = "opt-out";
+		      enabled = true;
+		    };
+		    registration = {
+		      enabled = true;
+		      allow-before-connect = true;
+		      bcrypt-cost = 4;
+		      email-verification = {
+		        enabled = false;
+		      };
+		      throttling = {
+		        duration = "10m";
+		        enabled = true;
+		        max-attempts = 30;
+		      };
+		    };
+		  };
+		  channels = {
+		    default-modes = "+ntC";
+		    registration = {
+		      enabled = true;
+		    };
+		  };
+		  datastore = {
+		    autoupgrade = true;
+		    path = "/var/lib/ergo/ircd.db";
+		  };
+		  history = {
+		    enabled = true;
+		    autoreplay-on-join = 0;
+		    autoresize-window = "3d";
+		    channel-length = 2048;
+		    chathistory-maxmessages = 100;
+		    client-length = 256;
+		    restrictions = {
+		      expire-time = "1w";
+		      grace-period = "1h";
+		      query-cutoff = "none";
+		    };
+		    retention = {
+		      allow-individual-delete = false;
+		      enable-account-indexing = false;
+		    };
+		    tagmsg-storage = {
+		      default = false;
+		      whitelist = [
+		        "+draft/react"
+		        "+react"
+		      ];
+		    };
+		    znc-maxmessages = 2048;
+		  };
+		  limits = {
+		    awaylen = 390;
+		    channellen = 64;
+		    identlen = 20;
+		    kicklen = 390;
+		    nicklen = 32;
+		    topiclen = 390;
+		  };
+		  network = {
+		    name = "emilespace";
+		  };
+		  server = {
+		    casemapping = "permissive";
+		    check-ident = false;
+		    enforce-utf = true;
+		    forward-confirm-hostnames = false;
+		    ip-cloaking = {
+		      enabled = false;
+		    };
+		    ip-limits = {
+		      count = false;
+		      throttle = false;
+		    };
+		    listeners = {
+					# sts only port
+		      ":6667".sts-only = true;
+
+					# loopback listeners
+		      # "127.0.0.1:6668" = {};
+		      # "[::]:6668" = {};
+
+		      ":${toString config.emile.ports.irc.ssl}" = {
+						tls = {
+							cert = "/run/credentials/ergochat.service/fullchain.pem";
+							key = "/run/credentials/ergochat.service/key.pem";
+						};
+
+						# for cloud load balancers setting a PROXY header, NOT reverse proxies...
+						proxy = false;
+
+						min-tls-version = 1.2;
+					};
+		    };
+		    lookup-hostnames = false;
+		    max-sendq = "1M";
+		    name = "emile.space";
+		    relaymsg = {
+		      enabled = false;
+		    };
+				sts = {
+					enabled = true; # redirect from plain to tls if supported
+
+					# how long clients should be forced to use TLS for.
+					# (Emile): no clue why, can I set something like \infty here?
+					duration = "12m";
+
+				};
+		  };
+			logging = [
+				{
+					method = "stderr";
+					type = "* -userinput -useroutput";
+					level = "debug";
+				}
+			];
+		};
+	};
+}
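Review bot: The `postRun` hook copies `fullchain.pem` and `key.pem` into `/home/ergo` and chowns them, while `LoadCredential` on `systemd.services.ergochat` a few lines below already delivers the same files to the service under `/run/credentials/ergochat.service/`, which is the path the listener's `tls` block uses; the extra copy of the private key in a home directory serves nothing and should be dropped. The hook also reloads `ergo.service`, a unit name that appears nowhere else in this file, whereas the unit configured here is `ergochat`; and because `LoadCredential` materializes files at service start, a reload alone likely will not pick up a renewed key, so `postRun = "systemctl restart ergochat.service";` is the safer hook (confirm the unit name on the host). On the `sts` block, the author's question about an infinite `duration` has a plain answer: STS duration is how long clients cache the TLS-upgrade policy and it is refreshed on every TLS connection, so a long value such as `duration = "1mo";` is the norm, while `"12m"` expires before most clients reconnect and leaves the policy ineffective.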
diff --git a/nix/hosts/corrino/www/nix-cache/default.nix b/nix/hosts/corrino/www/nix-cache/default.nix
new file mode 100644
index 0000000..da2537c
--- /dev/null
+++ b/nix/hosts/corrino/www/nix-cache/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+	imports = [
+		./nix-cache.emile.space.nix
+	];
+}
diff --git a/nix/hosts/corrino/www/nix-cache/index.txt b/nix/hosts/corrino/www/nix-cache/index.txt
new file mode 100644
index 0000000..514b288
--- /dev/null
+++ b/nix/hosts/corrino/www/nix-cache/index.txt
@@ -0,0 +1,22 @@
+Nix Cache by emile
+
+Public key:
+
+	nix-cache.emile.space:3xzJknXMsR/EL3SBTu6V6oCOkjxe6MgJm0nOrElW33A=
+
+NixOS Configuration:
+
+  nix.settings = {
+    substituters = [
+      "https://nix-cache.emile.space"
+    ];
+    trusted-public-keys = [
+			"nix-cache.emile.space:3xzJknXMsR/EL3SBTu6V6oCOkjxe6MgJm0nOrElW33A="
+    ];
+  }
+
+Try:
+
+  nix build --substituters "https://nix-cache.emile.space" \
+  --trusted-public-keys "nix-cache.emile.space:3xzJknXMsR/EL3SBTu6V6oCOkjxe6MgJm0nOrElW33A=" \
+  "git+https://git.emile.space/hefe.git#r2wars-web"
diff --git a/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix
new file mode 100644
index 0000000..690e422
--- /dev/null
+++ b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix
@@ -0,0 +1,58 @@
+{ ... }:
+
+{
+	services.nginx.virtualHosts."nix-cache.emile.space" = {
+		forceSSL = false;
+		enableACME = false;
+	};
+  #   locations = {
+  #     "/" = {
+  #       root = "/var/www/emile.space";
+  #       extraConfig = ''
+  #         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  #       ''; 
+  #     };
+		# };
+		# locations."= /" = {
+		# 	index = "/index.txt";
+		# };
+  #   locations."= /index.txt" = {
+  #     root = ./index.txt;
+  #   };
+  #   locations."= /nix/store/" = {
+  #     extraConfig = ''
+  #       return 404;
+  #     '';
+  #   };
+  #   locations."/nix/store/" = {
+  #     root = "/";
+  #     extraConfig = ''
+  #       autoindex on;
+  #       autoindex_exact_size off;
+  #     '';
+  #   };
+  #   locations."/" = {
+		# 	proxyPass = "http://${config.services.harmonia.settings.bind}";
+		# 	extraConfig = ''
+	 #      proxy_set_header Host $host;
+	 #      proxy_redirect http:// https://;
+	 #      proxy_http_version 1.1;
+	 #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	 #      proxy_set_header Upgrade $http_upgrade;
+	 #      proxy_set_header Connection $connection_upgrade;
+
+	 #      zstd on;
+	 #      zstd_types application/x-nix-archive;
+		# 	'';
+		# };
+	# };
+
+ #  services.harmonia = {
+	# 	enable = true;
+
+	# 	# TODO(emile): manage this using age
+	# 	signKeyPath = "/var/lib/secrets/harmonia.secret";
+
+ #    settings.bind = "[::1]:${toString config.emile.ports.harmonia}";
+	# };
+}
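Review bot: The `nix-cache.emile.space` vhost is enabled with `forceSSL = false; enableACME = false;` and no `locations`, so nginx now answers for that name over plain HTTP with its default root, while `index.txt` and the Hydra `binary_cache_public_uri` in this commit both send users to `https://nix-cache.emile.space`. Until the harmonia block is restored, either leave this file out of `default.nix`'s `imports` or set `forceSSL = true; enableACME = true;` so the name at least terminates TLS. Of the commented-out variants, `locations."/nix/store/"` with `root = "/"` and `autoindex on` would, if revived, expose the host's whole Nix store by directory listing rather than only signed NARs; the harmonia `proxyPass` variant beneath it is the one to bring back. The `# TODO(emile): manage this using age` on `signKeyPath` should stay visible when that happens, since the cache signing key is what clients' `trusted-public-keys` rests on.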