diff options
author | Emile <git@emile.space> | 2024-08-02 23:52:32 +0200 |
---|---|---|
committer | Emile <git@emile.space> | 2024-08-02 23:52:32 +0200 |
commit | 0e0b47b3cf1de2ea4c780ed488490a642a254f1e (patch) | |
tree | a9f0a391a7ed6bbb948a30acb14c189b2500f780 /nix/hosts/corrino | |
parent | 4b220f4c5802bca0c887a4e1e70e8dad091548e9 (diff) |
corrino ports
Diffstat (limited to 'nix/hosts/corrino')
24 files changed, 87 insertions, 1010 deletions
diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix index 80df71b..bc38500 100644 --- a/nix/hosts/corrino/configuration.nix +++ b/nix/hosts/corrino/configuration.nix @@ -1,7 +1,6 @@ { config, pkgs, ... }: let - ports = import ./ports.nix; # keys = import ../../users/keys.nix # keys = key; keys = { @@ -16,23 +15,20 @@ in { [ # Include the results of the hardware scan. ./hardware-configuration.nix + ./ports.nix + + ./www/git + # web ./www/emile.space.nix ./www/tmp.emile.space.nix - # ./www/git.emile.space.nix - ./www/cgit.emile.space.nix - # ./www/incus.emile.space.nix - # ./www/seafile.emile.space.nix ./www/hydra.emile.space.nix - # ./www/matrix.emile.space.nix ./www/netbox.emile.space.nix ./www/grafana.emile.space.nix ./www/photo.emile.space.nix - # ./www/events.emile.space.nix ./www/tickets.emile.space.nix ./www/talks.emile.space.nix ./www/stream.emile.space.nix - ./www/pgweb.emile.space.nix ./www/md.emile.space.nix ./www/social.emile.space.nix @@ -44,8 +40,6 @@ in { # general purpose modules ./modules/authelia.emile.space.nix - # ./modules/sftpgo.emile.space.nix - # ./modules/garage.emile.space.nix # r2wars ./www/r2wa.rs.nix @@ -80,7 +74,7 @@ in { enable = true; # ssh port during boot for luks decryption - port = ports.initrd_ssh; + port = config.emile.ports.initrd_ssh; authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; hostKeys = [ "/initrd_ssh_host_ecdsa_key" ]; }; @@ -135,6 +129,27 @@ in { }; }; + time.timeZone = "Europe/Berlin"; + + i18n.defaultLocale = "en_US.UTF-8"; + i18n.extraLocaleSettings = { + LC_ADDRESS = "de_DE.UTF-8"; + # LC_COLLATE # How to sort stuff + # LC_CTYPE # Character recognition of bytes + # LC_IDENTIFICATION # What to show as system locale + LC_MONETARY = "de_DE.UTF-8"; # Currency formats + # LC_MEASSAGES # General message lang + LC_MEASUREMENT = "de_DE.UTF-8"; # Units used for numbers + LC_NAME = "de_DE.UTF-8"; # Names of persons + # LC_NUMERIC # Punctiation of numbers + LC_PAPER = "de_DE.UTF-8"; # Paper size + LC_TELEPHONE = "de_DE.UTF-8"; # Phone number formats + LC_TIME = "de_DE.UTF-8"; # Time format + }; + console = { + keyMap = "de-latin1"; + }; + # The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner', # but the hostname for each machine may be different, and mdadm's HOMEHOST # setting defaults to '<system>' (using the system hostname). @@ -228,7 +243,7 @@ in { firewall = { enable = true; allowedTCPPorts = [ - ports.gitDaemon # gitDaemon + config.emile.ports.gitDaemon # gitDaemon 80 443 # normal web ]; allowedUDPPorts = [ diff --git a/nix/hosts/corrino/modules/authelia.emile.space.nix b/nix/hosts/corrino/modules/authelia.emile.space.nix index 4a4a72a..0f77197 100644 --- a/nix/hosts/corrino/modules/authelia.emile.space.nix +++ b/nix/hosts/corrino/modules/authelia.emile.space.nix @@ -1,7 +1,6 @@ { config, pkgs, ... }: let - ports = import ../ports.nix; authelia_port = config.services.authelia.instances.main.settings.server.port; in { @@ -106,7 +105,7 @@ in { server = { host = "127.0.0.1"; - port = ports.authelia; + port = config.emile.ports.authelia; }; # we're using a file to store the user information diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix index 328d12a..3dcf72a 100644 --- a/nix/hosts/corrino/ports.nix +++ b/nix/hosts/corrino/ports.nix @@ -1,5 +1,5 @@ { - ports.emile = { + emile.ports = { stream_rtmp = 1935; initrd_ssh = 2222; photo = 2342; diff --git a/nix/hosts/corrino/secrets/garage_admin_token.age b/nix/hosts/corrino/secrets/garage_admin_token.age new file mode 100644 index 0000000..1bc8704 --- /dev/null +++ b/nix/hosts/corrino/secrets/garage_admin_token.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q +qdhwlgS4MaUdxNROnXkjbWLRHyQs3G4KGHXJHqYVUE +whoAbhOn+Z2HlQ57GVgEJJFqY9oQX9r4TzzJ2kkOD3Y +-> ssh-ed25519 m8VklA dsxnbEnyP966b0BiQeW5XqLFGvGDpOmdl3VpnUaOJSY +SbHtpAxMrQPJ92UZXwPCNE1GLTQ5lqIejHwRYy5K//4 +--- LYG1z15VGoP41kGq2Yphpi8b5/10xM3vq54tyxNOl/w + XZ ܮ0mlp-xYHQ3*P5Ua +dP*vxʂז)ڵ-I rzcY \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/garage_metrics_token.age b/nix/hosts/corrino/secrets/garage_metrics_token.age new file mode 100644 index 0000000..d5b31d9 --- /dev/null +++ b/nix/hosts/corrino/secrets/garage_metrics_token.age Binary files differdiff --git a/nix/hosts/corrino/secrets/garage_rpc_secret.age b/nix/hosts/corrino/secrets/garage_rpc_secret.age new file mode 100644 index 0000000..e228d0d --- /dev/null +++ b/nix/hosts/corrino/secrets/garage_rpc_secret.age Binary files differdiff --git a/nix/hosts/corrino/secrets/new.age b/nix/hosts/corrino/secrets/new.age new file mode 100644 index 0000000..9be87cc --- /dev/null +++ b/nix/hosts/corrino/secrets/new.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q VtbGsF2Tt1ULvk0uphKdtlYb9pDQ6qyLWgLLuRfGoSs +1ej6KBYHsYoP86FD1tTutTTtZLaB9Q7RPJOhs0qp4rI +-> ssh-ed25519 m8VklA VnK3k8GOgjTaVpmMNM9e+7H2CRJLvdildQ1xrR5GdCs +NSRA/5DEySGP+pAOj5bD4voFDTqHSDQLn3GmHJzbLfM +--- bQqJjZW7yq51fYLhXYhvIy/yrxqd9brNEkBbyKKIaNU +'Zff +cQ&ggN̛tgsqDmnl~Sbm}#>S^ڳZW u \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/sftpgo_env.age b/nix/hosts/corrino/secrets/sftpgo_env.age new file mode 100644 index 0000000..be9c764 --- /dev/null +++ b/nix/hosts/corrino/secrets/sftpgo_env.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q 225Pnl6irArV4XNAYOlqvnv4Dsl0n0B0Jjd2oWexNAE +z2pdhakikrjTNzi8MJEtau5yVx3xYY+ajZCIWI/wHR0 +-> ssh-ed25519 m8VklA jJUs+Msu9tH/dtd5jlMC89v74N0FNAyOloMwVVeO/mM +HvQiM6DAhCzey4M/Zz/ngGo9gLcGjLfSECgNKuxg/tQ +--- llg2DP4DjaGQ++v4WF97ODsyS4CEhAbuybFtKXgsFp8 +vezKM/CiXGrngDjEp U&Bd+tSݛt_O+]uo] ++SXF5a4CSmHy(ϳˍ?Q2B8F1IIY*9QKj۪;8l? ϱy@ \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/sftpgo_oidc_client_secret.age b/nix/hosts/corrino/secrets/sftpgo_oidc_client_secret.age new file mode 100644 index 0000000..65bee88 --- /dev/null +++ b/nix/hosts/corrino/secrets/sftpgo_oidc_client_secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q MAnFAHcV3K0GP/cB3W4dFlBsxdaff56HWA08ynwaFXM +sSbXNXBqdO2V/sZ/NfgRTk8knT/USLQ0NZH3VOp979M +-> ssh-ed25519 m8VklA eAjsv8y1tV9VaVE62lOlcIV+Knd+O3dStYGOq48i0EM +8jefmgs/E1b19fb9rbCk8NWP2PkkMqHEDNlFOjYKad0 +--- CKVUBmV52wAxPzwJ8yG7zXqaQAS4LrBFupBn2CmGf5A +6nBR۷B&V'ʈhJUB^4¬Ti;A~S f$Zg.^=\WBΔeY~⡨ \ No newline at end of file diff --git a/nix/hosts/corrino/www/cgit.emile.space.nix b/nix/hosts/corrino/www/cgit.emile.space.nix deleted file mode 100644 index f309056..0000000 --- a/nix/hosts/corrino/www/cgit.emile.space.nix +++ /dev/null @@ -1,574 +0,0 @@ -{ lib, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - md4c # used to get md2html for rendering the READMEs - ]; - - services = { - nginx.virtualHosts."git.emile.space" = { - forceSSL = true; - enableACME = true; - }; - - cgit.main = { - enable = true; - package = pkgs.cgit-pink; - nginx.virtualHost = "git.emile.space"; - nginx.location = "/"; - repos = { - - # ops - hefe = { - desc = "Yet another monorepo (the big nix config)"; - path = "/var/lib/git/repositories/hefe.git"; - section = "Infra"; - owner = "emile"; - }; - vokobe = { - desc = "A custom static site generator written in rust"; - path = "/var/lib/git/repositories/vokobe.git"; - section = "Infra"; - owner = "emile"; - }; - massscan-docker = { - desc = "A Dockerfile for massscan"; - path = "/var/lib/git/repositories/massscan-docker.git"; - section = "Infra"; - owner = "emile"; - }; - metrics-bundler = { - desc = "A super basic metrics bundler"; - path = "/var/lib/git/repositories/metrics-bundler.git"; - section = "Infra"; - owner = "emile"; - }; - - # matrix - matrix-sdk = { - desc = "A simpler matrix sdk"; - path = "/var/lib/git/repositories/matrix-sdk.git"; - section = "Matrix"; - owner = "emile"; - }; - matrix-weather-bot = { - desc = "A basic weather bot using matrix-sdk"; - path = "/var/lib/git/repositories/matrix-weather-bot.git"; - section = "Matrix"; - owner = "emile"; - }; - - - # radare2 - radare2-GoReSym = { - desc = "A script to load goresym symbols into radare2"; - path = "/var/lib/git/repositories/radare2-GoReSym.git"; - section = "Radare2"; - owner = "emile"; - }; - r2wars = { - desc = "A golang implementation of radare2"; - path = "/var/lib/git/repositories/r2wars.git"; - section = "Radare2"; - owner = "emile"; - }; - r2wars-rs = { - desc = "A rust implementation of radare2"; - path = "/var/lib/git/repositories/r2wars-rs.git"; - section = "Radare2"; - owner = "emile"; - }; - - # ctf - ctf_clusters = { - desc = "visualizing CTF clusters at DEFCON CTF Finals 2022"; - path = "/var/lib/git/repositories/ctf_clusters.git"; - section = "CTF"; - owner = "emile"; - }; - lambda = { - desc = "hacktm ctf 2023 / misc / know your lambda calculus"; - path = "/var/lib/git/repositories/lambda.git"; - section = "CTF"; - owner = "emile"; - }; - ctfdget = { - desc = "Simply fetch all challenges from a CTF from CTFd."; - path = "/var/lib/git/repositories/ctfdget.git"; - section = "CTF"; - owner = "emile"; - }; - - # keyboard - zmk-config = { - desc = "ferris sweep zmk config"; - path = "/var/lib/git/repositories/zmk-config.git"; - section = "Keyboard"; - owner = "emile"; - }; - - # chaosdorf - map = { - desc = "A map of the chaosdorf hackspace"; - path = "/var/lib/git/repositories/map.git"; - section = "Chaosdorf"; - owner = "emile"; - }; - freitagsfoo = { - desc = "A service to submit talks for freitagsfoo"; - path = "/var/lib/git/repositories/freitagsfoo.git"; - section = "Chaosdorf"; - owner = "emile"; - }; - inventory = { - desc = "A common-lisp mapping and inventory system"; - path = "/var/lib/git/repositories/inventory.git"; - section = "Chaosdorf"; - owner = "emile"; - }; - - # jugend forscht - SatelliteComputation = { - desc = "Estimating possible Satellite collisions"; - path = "/var/lib/git/repositories/SatelliteComputation.git"; - section = "Jugend Forscht 2017"; - owner = "emile"; - }; - GalaxyGeneration = { - desc = "Generating Galaxies"; - path = "/var/lib/git/repositories/GalaxyGeneration.git"; - section = "Jugend Forscht 2018"; - owner = "emile"; - }; - - brute-force = { - desc = "A simple benchmark showing how slow this can be"; - path = "/var/lib/git/repositories/galaxy-sim-brute-force.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - generatePointcloud = { - desc = "Generate pointclouds using the NFW profile"; - path = "/var/lib/git/repositories/generatePointcloud.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - quadtree = { - desc = "Simple quadtree implementation"; - path = "/var/lib/git/repositories/quadtree.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - viewer = { - desc = "A viewer for galaxies stored in trees"; - path = "/var/lib/git/repositories/viewer.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - structs = { - desc = "All of the structures used in the GalaxySimulator"; - path = "/var/lib/git/repositories/structs.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - simulator-container-rewrite = { - desc = "Clean rewrite of the simulator-container"; - path = "/var/lib/git/repositories/simulator-container-rewrite.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - simulator-container = { - desc = "Simulating the new position of a galaxye"; - path = "/var/lib/git/repositories/simulator-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - pres = { - desc = "Presentation material"; - path = "/var/lib/git/repositories/pres.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - manager-container = { - desc = "The overall manager"; - path = "/var/lib/git/repositories/manager-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - generator-container = { - desc = "Generates point clouds using the NFW profile"; - path = "/var/lib/git/repositories/generator-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - frontpage = { - desc = "Web page showing people what the project is about"; - path = "/var/lib/git/repositories/frontpage.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - distributor = { - desc = "Distributing tasks"; - path = "/var/lib/git/repositories/distributor-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - db-controller = { - desc = "Interaction with the Database"; - path = "/var/lib/git/repositories/db-controller.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - db-container = { - desc = "The main database"; - path = "/var/lib/git/repositories/db-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - db-actions = { - desc = "Actions to be performed on the batabase"; - path = "/var/lib/git/repositories/db-actions.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - Writeup = { - desc = "Writeups using LaTeX"; - path = "/var/lib/git/repositories/Writeup.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - Source = { - desc = "Code from the beginning"; - path = "/var/lib/git/repositories/Source.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - NFW-container = { - desc = "A container purely for generating galaxies"; - path = "/var/lib/git/repositories/NFW-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - - # games - "0h-gamejam-game" = { - desc = "Created a game in 0 hours"; - path = "/var/lib/git/repositories/0hour-gamejam-game.git"; - section = "Games"; - owner = "emile"; - }; - - # 3D - "3D" = { - desc = "3D models"; - path = "/var/lib/git/repositories/3D.git"; - section = "3D"; - owner = "emile"; - }; - - # http - faila = { - desc = "The caddy fileserver look, but int pure golang"; - path = "/var/lib/git/repositories/faila.git"; - section = "HTTP"; - owner = "emile"; - }; - faila2 = { - desc = "faila, but simpler"; - path = "/var/lib/git/repositories/faila2.git"; - section = "HTTP"; - owner = "emile"; - }; - gofuzz = { - desc = "wfuzz, but in go. Didn't know ffuf at the time"; - path = "/var/lib/git/repositories/gofuzz.git"; - section = "HTTP"; - owner = "emile"; - }; - graphClicker = { - desc = "A metrics bundler, but with a simple web interface"; - path = "/var/lib/git/repositories/graphClicker.git"; - section = "HTTP"; - owner = "emile"; - }; - randomHttp = { - desc = "A simple HTTP server returning random HTTP codes"; - path = "/var/lib/git/repositories/randomHTTP.git"; - section = "HTTP"; - owner = "emile"; - }; - redir = { - desc = "A webserver with the soul purpose of redirecting."; - path = "/var/lib/git/repositories/redir.git"; - section = "HTTP"; - owner = "emile"; - }; - reqlog = { - desc = "A simple request logger"; - path = "/var/lib/git/repositories/reqlog.git"; - section = "HTTP"; - owner = "emile"; - }; - - # honeypot - ssh-catch-test = { - desc = "A simple honeypot emulating an ssh server."; - path = "/var/lib/git/repositories/ssh-catch-test.git"; - section = "Honeypot"; - owner = "emile"; - }; - honeypot-monitoring = { - desc = "Grafana + Prometheus monitoring"; - path = "/var/lib/git/repositories/honeypot-monitoring.git"; - section = "Honeypot"; - owner = "emile"; - }; - ftp-grab-password = { - desc = "Grab ftp creds (made by twink0r)"; - path = "/var/lib/git/repositories/ftp-grab-password.git"; - section = "Honeypot"; - owner = "emile"; - }; - log-analyzer = { - desc = "Analyse the logs"; - path = "/var/lib/git/repositories/honeypot-log-analyzer.git"; - section = "Honeypot"; - owner = "emile"; - }; - http-grab-basicauth = { - desc = "Grab basicauth creds (made by maride)"; - path = "/var/lib/git/repositories/http-grab-basicauth.git"; - section = "Honeypot"; - owner = "emile"; - }; - http-grab-url = { - desc = "Grab urls (made by twink0r)"; - path = "/var/lib/git/repositories/http-grab-url.git"; - section = "Honeypot"; - owner = "emile"; - }; - ssh-grab-keypass = { - desc = "Grab keys from ssh logins (made by maride)"; - path = "/var/lib/git/repositories/ssh-grab-keypass.git"; - section = "Honeypot"; - owner = "emile"; - }; - ssh-grab-passwords = { - desc = "Grab passwords from ssh logins (made by maride)"; - path = "/var/lib/git/repositories/ssh-grab-passwords.git"; - section = "Honeypot"; - owner = "emile"; - }; - ssh-grab-passwords-map = { - desc = "A nice visual map of the login attempts"; - path = "/var/lib/git/repositories/ssh-grab-passwords-map.git"; - section = "Honeypot"; - owner = "emile"; - }; - - # fuzzing - stdin-to-tcp = { - desc = "Bending stdin to tcp"; - path = "/var/lib/git/repositories/stdin-to-tcp.git"; - section = "Fuzzing"; - owner = "emile"; - }; - - # firmware - firmware = { - desc = "Gathering firmware via nix"; - path = "/var/lib/git/repositories/firmware.git"; - section = "Firmware"; - owner = "emile"; - }; - - # crypto - Substitution-Cracker = { - desc = "Some code for cracking substitution ciphers"; - path = "/var/lib/git/repositories/Substitution-Cracker.git"; - section = "Crypto"; - owner = "emile"; - }; - - # fun - giff = { - desc = "A party service: give it gifs and it'll play them"; - path = "/var/lib/git/repositories/giff.git"; - section = "Fun"; - owner = "emile"; - }; - pixeltsunami = { - desc = "The obligatory pixelflut client"; - path = "/var/lib/git/repositories/pixeltsunami.git"; - section = "Fun"; - owner = "emile"; - }; - - # circus - companion = { - desc = "The companion spawned for one user."; - path = "/var/lib/git/repositories/companion.git"; - section = "Circus"; - owner = "emile"; - }; - compose = { - desc = "The docker-compose foo"; - path = "/var/lib/git/repositories/compose.git"; - section = "Circus"; - owner = "emile"; - }; - container-manager = { - desc = "The meta container managemer"; - path = "/var/lib/git/repositories/container-manager.git"; - section = "Circus"; - owner = "emile"; - }; - landingpage = { - desc = "The landing page"; - path = "/var/lib/git/repositories/landingpage.git"; - section = "Circus"; - owner = "emile"; - }; - manager = { - desc = "The manager"; - path = "/var/lib/git/repositories/manager.git"; - section = "Circus"; - owner = "emile"; - }; - register = { - desc = "The registration"; - path = "/var/lib/git/repositories/register.git"; - section = "Circus"; - owner = "emile"; - }; - scoreboard = { - desc = "The scoreboard"; - path = "/var/lib/git/repositories/scoreboard.git"; - section = "Circus"; - owner = "emile"; - }; - static = { - desc = "Some static files"; - path = "/var/lib/git/repositories/static.git"; - section = "Circus"; - owner = "emile"; - }; - vpn = { - desc = "The VPN stuff"; - path = "/var/lib/git/repositories/vpn.git"; - section = "Circus"; - owner = "emile"; - }; - - # articles - barnes-hut = { - desc = "A one pager compressing the JuFo19 project"; - path = "/var/lib/git/repositories/paged-out-barnes-hut.git"; - section = "Articles"; - owner = "emile"; - }; - - # satellite - tle = { - desc = "golang tle lib"; - path = "/var/lib/git/repositories/tle.git"; - section = "Satellite"; - owner = "emile"; - }; - tle2json = { - desc = "golang tle to json"; - path = "/var/lib/git/repositories/tle2json.git"; - section = "Satellite"; - owner = "emile"; - }; - }; - settings = { - css = "https://emile.space/cgit.css"; - root-title = "git.emile.space"; - root-desc = ""; - - enable-index-owner = 0; # why show this? I own 'em all! - enable-commit-graph = 1; - max-repo-count = 5000; # like: why not? - - readme = ":README.md"; - about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh"; - source-filter = "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py"; - - summary-log = 50; - - # mobile friendly - head-include = builtins.toFile "cgit_head.html" '' - <meta name="viewport" content="width=device-width initial-scale=1.0"/> - ''; - - footer = builtins.toFile "cgit_footer.html" '' - <div class="footer"> - <div class="float-left"> - generated by <a href='https://git.causal.agency/cgit-pink/'>cgit-pink ${pkgs.cgit-pink.version}</a> - </div> - <div class="float-right"> - <a href="https://social.emile.space/@hanemile/feed.rss" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/rss.svg" alt="rss feed of @hanemile@chaos.social mastodon" height="32px"></a> - <a href="https://lieu.cblgh.org/" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/lieu.svg" alt="lieu webring search engine" height="32px"></a> - <a href="https://webring.xxiivv.com/#emile" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/webring.svg" alt="XXIIVV webring" height="32px"></a> - <a rel="me" href="https://social.emile.space/@hanemile" target="_blank" class="icon"><img class="webring" src="https://emile.space/activitypub.svg" alt="activitypub" height="32px"/></a> - </div> - ''; - - }; - }; - - # access control - gitolite = { - enable = true; - - dataDir = "/var/lib/git"; - - user = "git"; - group = "git"; - - description = "emile"; - - adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"; - extraGitoliteRc = '' - $RC{UMASK} = 0027; - $RC{GIT_CONFIG_KEYS} = '.*'; - ''; - }; - - # exposing stuff - gitDaemon = { - enable = true; - - user = "git"; - group = "git"; - - repositories = []; # use all repos under basePath - exportAll = true; - basePath = "/var/lib/git/repositories"; - - listenAddress = "git.emile.space"; - port = 9418; - - options = "--timeout=30"; # extra Config - }; - }; - - users.extraUsers.nginx.extraGroups = [ "git" ]; - - # Have to use lib.mkForce below, as the gitolite and gitDaemon user both - # configure the git user and group (differently) - - users.users.git = { - isSystemUser = true; - useDefaultShell = true; - description = lib.mkForce "cgit-pink, gitolite and gitDaemon"; - group = "git"; - extraGroups = [ "gitea" ]; - home = "/var/lib/git"; - uid = lib.mkForce 127; - }; - users.groups.git = { - gid = lib.mkForce 127; - }; -} diff --git a/nix/hosts/corrino/www/cs.emile.space.nix b/nix/hosts/corrino/www/cs.emile.space.nix deleted file mode 100644 index b095162..0000000 --- a/nix/hosts/corrino/www/cs.emile.space.nix +++ /dev/null @@ -1,58 +0,0 @@ -# Run sourcegraph, including its entire machinery, in a container. -# Running it outside of a container is a futile endeavour for now. - -# adapted from https://cs.tvl.fyi/depot/-/blob/ops/modules/sourcegraph.nix - -{ config, ... }: - -let - ports = import ../ports.nix; -in { - services.nginx.virtualHosts."cs.emile.space" = { - forceSSL = true; - enableACME = true; - - locations = { - "/" = { - proxyPass = "http://127.0.0.1:${toString ports.cs}"; - - extraConfig = '' - location = / { - return 301 https://cs.emile.space/hefe; - } - - location / { - proxy_set_header X-Sg-Auth "Anonymous"; - proxy_pass http://localhost:7080; - } - - location /users/Anonymous/settings { - return 301 https://cs.emile.space; - } - ''; - }; - }; - }; - - virtualisation.oci-containers.backend = "docker"; - virtualisation.oci-containers.containers.sourcegraph = { - image = "sourcegraph/server:5.1.1"; - - ports = [ - "127.0.0.1:${toString ports.cs}:7080" - ]; - - volumes = [ - "/var/lib/sourcegraph/etc:/etc/sourcegraph" - "/var/lib/sourcegraph/data:/var/opt/sourcegraph" - ]; - - # Sourcegraph needs a higher nofile limit, it logs warnings - # otherwise (unclear whether it actually affects the service). - extraOptions = [ - "--ulimit" - "nofile=10000:10000" - ]; - }; -} - diff --git a/nix/hosts/corrino/www/ctf.emile.space.nix b/nix/hosts/corrino/www/ctf.emile.space.nix index 5c9d49a..1d8b382 100644 --- a/nix/hosts/corrino/www/ctf.emile.space.nix +++ b/nix/hosts/corrino/www/ctf.emile.space.nix @@ -1,15 +1,13 @@ -{ ... }: +{ config, ... }: -let - ports = import ../ports.nix; -in { +{ services.nginx.virtualHosts."ctf.emile.space" = { forceSSL = true; enableACME = true; locations = { "/" = { - proxyPass = "http://127.0.0.1:${toString ports.ctf}"; + proxyPass = "http://127.0.0.1:${toString config.emile.ports.ctf}"; }; }; }; @@ -20,7 +18,7 @@ in { "ctfd" = { image = "ctfd/ctfd"; ports = [ - "${toString ports.ctf}:8000" + "${toString config.emile.ports.ctf}:8000" ]; }; }; diff --git a/nix/hosts/corrino/www/events.emile.space.nix b/nix/hosts/corrino/www/events.emile.space.nix deleted file mode 100644 index d7f5d50..0000000 --- a/nix/hosts/corrino/www/events.emile.space.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ ... }: - -let - ports = import ../ports.nix; -in { - services.nginx.virtualHosts."events.emile.space" = { - forceSSL = true; - enableACME = true; - - locations = { - "/" = { - extraConfig = '' - proxyPass = "http://[::1]:${toString ports.events}"; - ''; - }; - }; - }; - - # Create users: - # - # go into the mobilizon-launchers directory within the nix store (systemctl - # status mobilizon..., you'll find it there somehow) - # - # ; sudo -u mobilizon ./bin/mobilizon_ctl users.new emile@emile.space --moderator --admin - - services = { - mobilizon = { - enable = true; - settings.":mobilizon" = { - "Mobilizon.Web.Endpoint" = { - url.host = "events.emile.space"; - http.port = ports.events; - - # The IP address to listen on. Defaults to [::1] notated as a byte - # tuple. - # (Yes, this is an elexir application and they've mapped the type system - # into nix) - http.ip = { - _elixirType = "tuple"; - value = [ 0 0 0 0 0 0 0 1 ]; - }; - - has_reverse_proxy = true; - }; - - "Mobilizon.Storage.Repo" = { - username = "mobilizon"; - socket_dir = "/var/run/postgresql"; - database = "mobilizon_prod"; - }; - - ":instance" = rec { - name = "events.emile.space"; - hostname = "emile.space"; - email_reply_to = email_from; - email_from = "noreply@$emile.space"; - }; - }; - }; - }; -} diff --git a/nix/hosts/corrino/www/git.emile.space.nix b/nix/hosts/corrino/www/git.emile.space.nix deleted file mode 100644 index 2d3dca7..0000000 --- a/nix/hosts/corrino/www/git.emile.space.nix +++ /dev/null @@ -1,172 +0,0 @@ -{ lib, pkgs, config, ... }: - -let - cfg = config.services.gitea; - ports = import ../ports.nix; - authelia-location = '' - set $upstream_authelia http://127.0.0.1:9091/api/authz/auth-request; - - ## Virtual endpoint created by nginx to forward auth requests. - location /internal/authelia/authz { - ## Essential Proxy Configuration - internal; - proxy_pass $upstream_authelia; - - ## Headers - ## The headers starting with X-* are required. - proxy_set_header X-Original-Method $request_method; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Content-Length ""; - proxy_set_header Connection ""; - - ## Basic Proxy Configuration - proxy_pass_request_body off; - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 4 32k; - client_body_buffer_size 128k; - - ## Advanced Proxy Configuration - send_timeout 5m; - proxy_read_timeout 240; - proxy_send_timeout 240; - proxy_connect_timeout 240; - } - ''; - - authelia-authrequest = '' - ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. - auth_request /internal/authelia/authz; - - ## Save the upstream metadata response headers from Authelia to variables. - auth_request_set $user $upstream_http_remote_user; - auth_request_set $groups $upstream_http_remote_groups; - auth_request_set $name $upstream_http_remote_name; - auth_request_set $email $upstream_http_remote_email; - - ## Inject the metadata response headers from the variables into the request made to the backend. - proxy_set_header Remote-User $user; - proxy_set_header Remote-Groups $groups; - proxy_set_header Remote-Email $email; - proxy_set_header Remote-Name $name; - - ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method' - ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url - ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily. - - ## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint. - auth_request_set $redirection_url $upstream_http_location; - - ## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url. - error_page 401 =302 $redirection_url; - - ## Legacy Method: Set $target_url to the original requested URL. - ## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module. - # set_escape_uri $target_url $scheme://$http_host$request_uri; - - ## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd' - ## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL. - # error_page 401 =302 https://auth.example.com/?rd=$target_url; - ''; -in { - services.nginx.virtualHosts."git.emile.space" = { - forceSSL = true; - enableACME = true; - - # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia - # extraConfig = authelia-location; - - locations = { - "/" = { - # proxyPass = "http://127.0.0.1:3000"; - proxyPass = "http://127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"; - - # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia - # extraConfig = authelia-authrequest; - }; - }; - }; - - # auth via authelia - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "git"; - - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ - "https://git.emile.space/user/oauth2/authelia/callback" - ]; - scopes = [ - "openid" - "email" - "profile" - ]; - } - ]; - - services.gitea = rec { - enable = true; - - appName = "git.emile.space"; - - # unstable in order to use the 1.20... version - #package = pkgs.forgejo; - package = pkgs.unstable.forgejo; - - stateDir = "/var/lib/gitea"; - repositoryRoot = "${stateDir}/repositories"; - - settings = { - service.DISABLE_REGISTRATION = true; - - DEFAULT = { - WORK_PATH = "/var/lib/gitea"; - }; - - server = { - DOMAIN = pkgs.lib.mkForce "git.emile.space"; - ROOT_URL = pkgs.lib.mkForce "https://git.emile.space"; - HTTP_PORT = ports.git; - - #START_SSH_SERVER = true; - BUILTIN_SSH_SERVER_USER = "git"; - SSH_USER = "gitea"; - SSH_DOMAIN = "git.emile.space"; - - REPO_INDEXER_ENABLED = true; - }; - - indexer = { - REPO_INDEXER_ENABLED = true; - ISSUE_INDEXER_PATH = "${stateDir}/indexers/issues.bleve"; - REPO_INDEXER_PATH = "${stateDir}/indexers/repos.bleve"; - MAX_FILE_SIZE = 1048576; - REPO_INDEXER_INCLUDE = ""; - REPO_INDEXER_EXCLUDE = "resources/bin/**"; - }; - - #federation = { - # enable = true; - # share_user_statistics = true; - # max_size = 4; - #}; - }; - }; - - users.users.git = { - isSystemUser = true; - useDefaultShell = true; - group = "git"; - extraGroups = [ "gitea" ]; - home = cfg.stateDir; - uid = 127; - }; - users.groups.git = { }; -} diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix index 7627ad2..3464421 100644 --- a/nix/hosts/corrino/www/grafana.emile.space.nix +++ b/nix/hosts/corrino/www/grafana.emile.space.nix @@ -1,8 +1,6 @@ { config, ... }: -let - ports = import ../ports.nix; -in { +{ services = { nginx.virtualHosts."grafana.emile.space" = { addSSL = true; @@ -18,7 +16,7 @@ in { settings = { server = { http_addr = "127.0.0.1"; - http_port = ports.grafana; + http_port = config.emile.ports.grafana; domain = "grafana.emile.space"; root_url = "https://grafana.emile.space/"; }; @@ -49,21 +47,21 @@ in { prometheus = { enable = true; retentionTime = "356d"; - port = ports.prometheus; + port = config.emile.ports.prometheus; exporters = { node = { enable = true; enabledCollectors = [ "systemd" ]; - port = ports.prometheus_node_exporter; + port = config.emile.ports.prometheus_node_exporter; }; systemd = { enable = true; - port = ports.prometheus_systemd_exporter; + port = config.emile.ports.prometheus_systemd_exporter; }; smartctl = { enable = true; - port = ports.prometheus_smartctl_exporter; + port = config.emile.ports.prometheus_smartctl_exporter; }; }; scrapeConfigs = [ diff --git a/nix/hosts/corrino/www/hydra.emile.space.nix b/nix/hosts/corrino/www/hydra.emile.space.nix index 00405f4..97d5962 100644 --- a/nix/hosts/corrino/www/hydra.emile.space.nix +++ b/nix/hosts/corrino/www/hydra.emile.space.nix @@ -1,8 +1,6 @@ { config, pkgs, ... }: -let - ports = import ../ports.nix; -in { +{ services.nginx.virtualHosts."hydra.emile.space" = { forceSSL = true; enableACME = true; @@ -30,7 +28,7 @@ in { }); listenHost = "*"; - port = ports.hydra; + port = config.emile.ports.hydra; hydraURL = "https://hydra.emile.space"; # externally visible URL # Directory that holds Hydra garbage collector roots. diff --git a/nix/hosts/corrino/www/jupyter.emile.space.nix b/nix/hosts/corrino/www/jupyter.emile.space.nix deleted file mode 100644 index 18e56a0..0000000 --- a/nix/hosts/corrino/www/jupyter.emile.space.nix +++ /dev/null @@ -1,62 +0,0 @@ -{ pkgs, config, ... }: - -let - ports = import ../ports.nix; -in { - services.nginx.virtualHosts."jupyter.emile.space" = { - forceSSL = true; - enableACME = true; - - locations = { - "/" = { - proxyPass = "http://127.0.0.1:${toString config.services.jupyter.port}"; - }; - }; - }; - - services.jupyter = { - enable = true; - - ip = "127.0.0.1"; - port = ports.jupyter; - - # ; python3 - # >>> from notebook.auth import passwd - # >>> passwd("the_password_here") - password = "'argon2:$argon2id$v=19$m=10240,t=10,p=8$WdU+DaBjTaiV1IQDRJUczg$N734yZ45++Kgl26lFEZau58ru8e7P/IgL9N6sf+kw9E'"; - - notebookConfig = '' - c.NotebookApp.allow_remote_access = True - c.NotebookApp.allow_origin = '*' - ''; - - kernels = { - python3 = let - env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ - ipykernel - ])); - in { - displayName = "Python 3"; - argv = [ - "${env.interpreter}" - "-m" - "ipykernel_launcher" - "-f" - "{connection_file}" - ]; - language = "python"; - #logo32 = "${env.sitePackages}/ipykernel/resources/logo-32x32.png"; - #logo64 = "${env.sitePackages}/ipykernel/resources/logo-64x64.png"; - extraPaths = { - "cool.txt" = pkgs.writeText "cool" "cool content"; - }; - }; - }; - - group = "jupyter"; - user = "jupyter"; - }; - - users.users.jupyter.group = "jupyter"; - users.groups.jupyter = {}; -} diff --git a/nix/hosts/corrino/www/magic-hash.emile.space.nix b/nix/hosts/corrino/www/magic-hash.emile.space.nix index 4f57d12..f41fb80 100644 --- a/nix/hosts/corrino/www/magic-hash.emile.space.nix +++ b/nix/hosts/corrino/www/magic-hash.emile.space.nix @@ -1,15 +1,13 @@ { config, ... }: -let - ports = import ../ports.nix; -in { +{ services.nginx.virtualHosts."magic-hash.emile.space" = { forceSSL = true; enableACME = true; locations = { "/" = { - proxyPass = "http://127.0.0.1:${toString ports.magic-hash}"; + proxyPass = "http://127.0.0.1:${toString config.emile.ports.magic-hash}"; }; }; }; @@ -20,7 +18,7 @@ in { "ctfd" = { image = "magic-hash"; ports = [ - "${toString ports.magic-hash}:80" + "${toString config.emile.ports.magic-hash}:80" ]; environment = { diff --git a/nix/hosts/corrino/www/md.emile.space.nix b/nix/hosts/corrino/www/md.emile.space.nix index d7bdd00..7ad7a94 100644 --- a/nix/hosts/corrino/www/md.emile.space.nix +++ b/nix/hosts/corrino/www/md.emile.space.nix @@ -1,8 +1,6 @@ { config, pkgs, ... }: -let - ports = import ../ports.nix; -in { +{ services.nginx.virtualHosts."md.emile.space" = { forceSSL = true; enableACME = true; @@ -61,7 +59,7 @@ in { settings = { host = "127.0.0.1"; - port = ports.md; + port = config.emile.ports.md; domain = "md.emile.space"; diff --git a/nix/hosts/corrino/www/netbox.emile.space.nix b/nix/hosts/corrino/www/netbox.emile.space.nix index e87d118..fdfadc0 100644 --- a/nix/hosts/corrino/www/netbox.emile.space.nix +++ b/nix/hosts/corrino/www/netbox.emile.space.nix @@ -1,8 +1,6 @@ { config, pkgs, ... }: -let - ports = import ../ports.nix; -in { +{ services.nginx.virtualHosts."netbox.emile.space" = { forceSSL = true; enableACME = true; @@ -27,7 +25,7 @@ in { enableLdap = false; settings = {}; secretKeyFile = config.age.secrets.netbox_secret.path; - port = ports.netbox; + port = config.emile.ports.netbox; listenAddress = "[::1]"; }; diff --git a/nix/hosts/corrino/www/pgweb.emile.space.nix b/nix/hosts/corrino/www/pgweb.emile.space.nix deleted file mode 100644 index 1ce8063..0000000 --- a/nix/hosts/corrino/www/pgweb.emile.space.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ pkgs, ... }: - -let - ports = import ../ports.nix; -in { - services.nginx.virtualHosts."pgweb.emile.space" = { - forceSSL = true; - enableACME = true; - - locations = { - "/" = { - proxyPass = "http://127.0.0.1:${toString ports.pgweb}"; - }; - }; - }; - - environment.systemPackages = with pkgs; [ pgweb ]; - - # systemd.services.pgweb = { - # wantedBy = [ "multi-user.target" ]; - # serviceConfig.ExecStart = "${pkgs.pgweb}/bin/pwgeb"; - # }; -} diff --git a/nix/hosts/corrino/www/photo.emile.space.nix b/nix/hosts/corrino/www/photo.emile.space.nix index 6ebf94d..9c1e97a 100644 --- a/nix/hosts/corrino/www/photo.emile.space.nix +++ b/nix/hosts/corrino/www/photo.emile.space.nix @@ -1,8 +1,6 @@ { config, ... }: -let - ports = import ../ports.nix; -in { +{ services.nginx.virtualHosts."photo.emile.space" = { forceSSL = true; enableACME = true; @@ -19,7 +17,7 @@ in { enable = true; address = "127.0.0.1"; - port = ports.photo; + port = config.emile.ports.photo; passwordFile = config.age.secrets.photoprism_password.path; diff --git a/nix/hosts/corrino/www/social.emile.space.nix b/nix/hosts/corrino/www/social.emile.space.nix index ddfa5ef..62e1933 100644 --- a/nix/hosts/corrino/www/social.emile.space.nix +++ b/nix/hosts/corrino/www/social.emile.space.nix @@ -1,8 +1,6 @@ { config, pkgs, ... }: -let - ports = import ../ports.nix; -in { +{ # the reverse proxy to gotosocial services.nginx.virtualHosts."social.emile.space" = { @@ -10,7 +8,7 @@ in { enableACME = true; locations = { "/" = { - proxyPass = "http://127.0.0.1:${toString ports.gotosocial}"; + proxyPass = "http://127.0.0.1:${toString config.emile.ports.gotosocial}"; proxyWebsockets = true; extraConfig = '' client_max_body_size 40M; @@ -79,7 +77,7 @@ in { package = pkgs.gotosocial; settings = { host = "social.emile.space"; - port = ports.gotosocial; + port = config.emile.ports.gotosocial; bind-address = "127.0.0.1"; account-domain = "emile.space"; db-type = "sqlite"; diff --git a/nix/hosts/corrino/www/stream.emile.space.nix b/nix/hosts/corrino/www/stream.emile.space.nix index 21ee627..3104ab6 100644 --- a/nix/hosts/corrino/www/stream.emile.space.nix +++ b/nix/hosts/corrino/www/stream.emile.space.nix @@ -1,8 +1,6 @@ { config, ... }: -let - ports = import ../ports.nix; -in { +{ services.nginx.virtualHosts."stream.emile.space" = { forceSSL = true; enableACME = true; @@ -20,7 +18,7 @@ in { openFirewall = true; listen = "0.0.0.0"; dataDir = "/var/lib/owncast"; - rtmp-port = ports.stream_rtmp; - port = ports.stream; # web interface + rtmp-port = config.emile.ports.stream_rtmp; + port = config.emile.ports.stream; # web interface }; } |