author | Emile <git@emile.space> | 2024-09-13 15:04:06 +0200 |
---|---|---|
committer | Emile <git@emile.space> | 2024-09-13 15:04:06 +0200 |
commit | 35d6c2c70824cf77ef2216889cc9730b622f5ac1 (patch) | |
tree | 2435a97f87409deb57c279fb41534e0d10c901ca /nix/hosts/corrino | |
parent | 902c97cf9aa16c5bb4a45b28f182e4d6033156e7 (diff) |
big push
Diffstat (limited to 'nix/hosts/corrino')
-rw-r--r-- | nix/hosts/corrino/configuration.nix | 14 | ||||
-rw-r--r-- | nix/hosts/corrino/ports.nix | 3 | ||||
-rw-r--r-- | nix/hosts/corrino/www/cs.emile.space.nix | 54 | ||||
-rw-r--r-- | nix/hosts/corrino/www/db.emile.space.nix | 23 | ||||
-rw-r--r-- | nix/hosts/corrino/www/emile.space.nix | 2 | ||||
-rw-r--r-- | nix/hosts/corrino/www/git/cgit.nix | 29 | ||||
-rw-r--r-- | nix/hosts/corrino/www/grafana.emile.space.nix | 24 | ||||
-rw-r--r-- | nix/hosts/corrino/www/hydra.emile.space.nix | 3 | ||||
-rw-r--r-- | nix/hosts/corrino/www/irc.emile.space.nix | 155 | ||||
-rw-r--r-- | nix/hosts/corrino/www/nix-cache/default.nix | 7 | ||||
-rw-r--r-- | nix/hosts/corrino/www/nix-cache/index.txt | 22 | ||||
-rw-r--r-- | nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix | 58 |
12 files changed, 380 insertions, 14 deletions
diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix index 1f054ff..5f012b0 100644 --- a/nix/hosts/corrino/configuration.nix +++ b/nix/hosts/corrino/configuration.nix @@ -18,6 +18,9 @@ in { ./ports.nix ./www/git + ./www/nix-cache + + # screego # web ./www/emile.space.nix @@ -36,6 +39,9 @@ in { ./www/social.emile.space.nix ./www/sso.emile.space.nix ./www/s3.emile.space.nix + ./www/cs.emile.space.nix + ./www/irc.emile.space.nix + ./www/db.emile.space.nix # ./www/irc.emile.space.nix # ./www/irc @@ -456,10 +462,6 @@ in { }; }; - virtualisation.podman = { - enable = true; - autoPrune.enable = true; - }; virtualisation = { # docker.enable = true; libvirtd = { @@ -479,6 +481,10 @@ in { }; }; }; + podman = { + enable = true; + autoPrune.enable = true; + }; }; # programs.virt-manager.enable = true; diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix index 2d7ba06..6f17be5 100644 --- a/nix/hosts/corrino/ports.nix +++ b/nix/hosts/corrino/ports.nix @@ -11,13 +11,16 @@ grafana = 3002; md = 3003; gotosocial = 3004; + harmonia = 5000; irc = { clear = 6667; ssl = 6697; }; + hound = 6080; stream = 8080; netbox = 8001; restic = 8002; + nocodb = 8003; r2wars-web = 8089; ctf = 8338; magic-hash = 8339; diff --git a/nix/hosts/corrino/www/cs.emile.space.nix b/nix/hosts/corrino/www/cs.emile.space.nix new file mode 100644 index 0000000..4f1b91e --- /dev/null +++ b/nix/hosts/corrino/www/cs.emile.space.nix 
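Review bot: The second configuration.nix hunk adds `./www/irc.emile.space.nix` to `imports` directly above the old commented-out `# ./www/irc.emile.space.nix` and `# ./www/irc` lines, which are now stale and should go with this change rather than linger next to the live import. The bare `# screego` line added in the first hunk is a dangling note with no context; if it is a reminder, `# TODO(emile): screego` makes that explicit and searchable.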
@@ -0,0 +1,54 @@ +{ config, lib, ... }: + +let + + # get's all repos configured in cgit and converts them into some JSON that is used by hound + repos = builtins.toJSON + (lib.mergeAttrsList + (map + (x: {"${x.name}" = { url = "file://${x.path}"; }; }) + (lib.mapAttrsToList + (name: value: value // { name = "${name}"; }) + config.services.cgit.main.repos))); +in { + services.nginx.virtualHosts."cs.emile.space" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://${config.services.hound.listen}"; + }; + }; + }; + + # add hound user to git group so the local repos can be read + # users.users.hound.extraGroups = [ "git" ]; + + users.groups."git".members = [ "hound" ]; + + # The `.gitignore` of the user `hound` should contain the following: + # + # [safe] + # directory = /var/lib/git/repositories/* + # directory = /var/lib/git/repositories/faila.git + # directory = /var/lib/git/repositories/faila2.git + + services.hound = { + enable = true; + + config = '' + { + "dbpath": "/var/lib/hound/data", + "max-concurrent-indexers" : 6, + "vcs-config" : { + "git" : { + "detect-ref" : true + } + }, + "repos" : ${repos} + } + ''; + + listen = "127.0.0.1:${toString config.emile.ports.hound}"; + }; +} diff --git a/nix/hosts/corrino/www/db.emile.space.nix b/nix/hosts/corrino/www/db.emile.space.nix new file mode 100644 index 0000000..7cb365e --- /dev/null +++ b/nix/hosts/corrino/www/db.emile.space.nix @@ -0,0 +1,23 @@ +{ config, ... }: + +{ + services.nginx.virtualHosts."db.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:${toString config.emile.ports.nocodb}"; + }; + }; + }; + virtualisation.oci-containers = { + containers = { + "noco" = { + image = "nocodb/nocodb:latest"; + volumes = [ "nocodb:/usr/app/data" ]; + ports = [ "${toString config.emile.ports.nocodb}:8080" ]; + }; + }; + }; +} 
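Review bot: The comment block above `services.hound` says the safe-directory entries belong in the `.gitignore` of the `hound` user, but `[safe] directory = …` is a git configuration setting and is read from `.gitconfig`, not `.gitignore`; the cgit.nix hunk in this same commit also generates these entries into `/etc/gitconfig`, so the per-user instructions may be stale altogether. I'd reword the comment to name `.gitconfig` (or point at the generated /etc/gitconfig in cgit.nix) so the next reader does not edit the wrong file. Adding `hound` to the `git` group grants it read access to every repository under cgit's control, and the `cs.emile.space` vhost proxies to hound with no access control, so everything indexed from those repos becomes searchable by anyone; worth confirming that no repository in `config.services.cgit.main.repos` is meant to be non-public before this is deployed.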
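Review bot: The `ports` entry `"${toString config.emile.ports.nocodb}:8080"` publishes NocoDB on all host interfaces, not just loopback; depending on the container backend (podman is enabled in configuration.nix in this same commit), published ports can be reached directly and bypass both the nginx vhost and the host firewall rules, so bind it explicitly: `ports = [ "127.0.0.1:${toString config.emile.ports.nocodb}:8080" ];`. The image is pulled as `nocodb/nocodb:latest`, which makes the deployment non-reproducible and silently picks up whatever the registry serves next; pin a version tag or digest. A short comment on the `volumes` line saying that `nocodb` is a named volume holding the application database would also help, since the only other persistence hint is the path.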
diff --git a/nix/hosts/corrino/www/emile.space.nix b/nix/hosts/corrino/www/emile.space.nix index c39ca31..8b67d84 100644 --- a/nix/hosts/corrino/www/emile.space.nix +++ b/nix/hosts/corrino/www/emile.space.nix @@ -13,6 +13,8 @@ ''; }; + # As the social.emile.space server actually uses redirects from emile.space, they have to be + # setup somewhere. Well... this is that place "/@hanemile".extraConfig = '' return 301 https://social.emile.space/@hanemile; ''; diff --git a/nix/hosts/corrino/www/git/cgit.nix b/nix/hosts/corrino/www/git/cgit.nix index 1e63dfc..b48157a 100644 --- a/nix/hosts/corrino/www/git/cgit.nix +++ b/nix/hosts/corrino/www/git/cgit.nix @@ -1,10 +1,33 @@ { config, lib, pkgs, ... }: +let + repodirs = builtins.concatStringsSep "\n" + (map + (x: "directory = ${x}") + (lib.lists.flatten + (map + (x: lib.attrValues (lib.getAttrs [ "path" ] x)) + (lib.mapAttrsToList + (name: value: value) + config.services.cgit.main.repos)))); +in { environment.systemPackages = with pkgs; [ - md4c # used to get md2html for rendering the READMEs + md4c # used to get md2html for rendering the READMEs within cgit-pink ]; + # set all the repos as safe + environment.etc = { + gitconfig = { + text = '' + [http] + sslCAinfo = /etc/ssl/certs/ca-certificates.crt + [safe] + ${repodirs} + ''; + }; + }; + services = { nginx.virtualHosts."git.emile.space" = { forceSSL = true; @@ -469,7 +492,7 @@ # articles barnes-hut = { desc = "A one pager compressing the JuFo19 project"; - path = "/var/lib/git/repositories/paged-out-barnes-hut.git"; + path = "/var/lib/git/repositories/barnes-hut.git"; section = "Articles"; owner = "emile"; }; @@ -544,7 +567,7 @@ # exposing stuff gitDaemon = { - enable = true; + enable = false; user = "git"; group = "git"; diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix index 3464421..eaf88b5 100644 --- a/nix/hosts/corrino/www/grafana.emile.space.nix +++ b/nix/hosts/corrino/www/grafana.emile.space.nix 
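Review bot: `repodirs` in the new `let` of cgit.nix goes through `lib.getAttrs [ "path" ]`, `attrValues`, `flatten` and `concatStringsSep` when a direct map over the repo attrset says the same thing: `repodirs = lib.concatMapStringsSep "\n" (repo: "directory = ${repo.path}") (lib.attrValues config.services.cgit.main.repos);`. Note that the result is written to the system-wide `/etc/gitconfig`, so the ownership check that `safe.directory` disables is switched off for every user on the host, not only for the cgit and hound service users; if that is wider than intended, a per-user `.gitconfig` is the narrower option. The `sslCAinfo` line under `[http]` is unrelated to the safe-directory change and deserves a one-line comment saying which git operation needed it.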
@@ -2,12 +2,22 @@ { services = { - nginx.virtualHosts."grafana.emile.space" = { - addSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; - proxyWebsockets = true; + nginx.virtualHosts = { + "grafana.emile.space" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; + proxyWebsockets = true; + }; + }; + "prometheus.emile.space" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/"; + proxyWebsockets = true; + }; }; }; @@ -47,6 +57,8 @@ prometheus = { enable = true; retentionTime = "356d"; + + listenAddress = "[::1]"; port = config.emile.ports.prometheus; exporters = { diff --git a/nix/hosts/corrino/www/hydra.emile.space.nix b/nix/hosts/corrino/www/hydra.emile.space.nix index 97d5962..6628a67 100644 --- a/nix/hosts/corrino/www/hydra.emile.space.nix +++ b/nix/hosts/corrino/www/hydra.emile.space.nix @@ -57,7 +57,8 @@ <git-input> timeout = 3600 </git-input> - evaluator_restrict_eval = false + binary_cache_public_uri = https://nix-cache.emile.space ''; + # evaluator_restrict_eval = false }; } diff --git a/nix/hosts/corrino/www/irc.emile.space.nix b/nix/hosts/corrino/www/irc.emile.space.nix new file mode 100644 index 0000000..f738d62 --- /dev/null +++ b/nix/hosts/corrino/www/irc.emile.space.nix 
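Review bot: The new `prometheus.emile.space` vhost proxies Prometheus to the public internet with no authentication; Prometheus has no built-in access control, so every scraped metric and the query API become world-readable, and nothing in the commit addresses that. Add access control on the vhost, e.g. `basicAuthFile = "<path-to-htpasswd-file>";` (or whatever the host's existing SSO vhost uses), and prefer `forceSSL = true` over `addSSL` so the credentials never travel over plain HTTP. The `listenAddress = "[::1]"` added in the second hunk does keep the listener itself off the network, which is the right complement to the proxy.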
@@ -0,0 +1,155 @@ +{ config, ... }: + +{ + # Create a tls cert for the irc server + security.acme.certs = { + "irc.emile.space" = { + webroot = "/var/lib/acme/acme-challenge/"; + email = "acme@emile.space"; + postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service"; + }; + }; + + # Allow ergo to access the created cert + # The systemd server runs using a dynamic user, so the below inserts the .pem files + # into "/run/credentials/ergochat.service/key.pem" + systemd.services.ergochat.serviceConfig = { + LoadCredential = [ + "fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem" + "key.pem:/var/lib/acme/irc.emile.space/key.pem" + ]; + }; + + # allow connections to the port from the "outside" + networking.firewall.allowedTCPPorts = [ config.emile.ports.irc.ssl ]; + + services.ergochat = { + enable = true; + + # https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml + settings = { + accounts = { + authentication-enabled = true; + multiclient = { + allowed-by-default = true; + always-on = "opt-out"; + auto-away = "opt-out"; + enabled = true; + }; + registration = { + enabled = true; + allow-before-connect = true; + bcrypt-cost = 4; + email-verification = { + enabled = false; + }; + throttling = { + duration = "10m"; + enabled = true; + max-attempts = 30; + }; + }; + }; + channels = { + default-modes = "+ntC"; + registration = { + enabled = true; + }; + }; + datastore = { + autoupgrade = true; + path = "/var/lib/ergo/ircd.db"; + }; + history = { + enabled = true; + autoreplay-on-join = 0; + autoresize-window = "3d"; + channel-length = 2048; + chathistory-maxmessages = 100; + client-length = 256; + restrictions = { + expire-time = "1w"; + grace-period = "1h"; + query-cutoff = "none"; + }; + retention = { + allow-individual-delete = false; + enable-account-indexing = false; + }; + tagmsg-storage = { + default = false; + whitelist = [ + "+draft/react" + "+react" + ]; + }; + 
znc-maxmessages = 2048; + }; + limits = { + awaylen = 390; + channellen = 64; + identlen = 20; + kicklen = 390; + nicklen = 32; + topiclen = 390; + }; + network = { + name = "emilespace"; + }; + server = { + casemapping = "permissive"; + check-ident = false; + enforce-utf = true; + forward-confirm-hostnames = false; + ip-cloaking = { + enabled = false; + }; + ip-limits = { + count = false; + throttle = false; + }; + listeners = { + # sts only port + ":6667".sts-only = true; + + # loopback listeners + # "127.0.0.1:6668" = {}; + # "[::]:6668" = {}; + + ":${toString config.emile.ports.irc.ssl}" = { + tls = { + cert = "/run/credentials/ergochat.service/fullchain.pem"; + key = "/run/credentials/ergochat.service/key.pem"; + }; + + # for cloud load balancers setting a PROXY header, NOT reverse proxies... + proxy = false; + + min-tls-version = 1.2; + }; + }; + lookup-hostnames = false; + max-sendq = "1M"; + name = "emile.space"; + relaymsg = { + enabled = false; + }; + sts = { + enabled = true; # redirect from plain to tls if supported + + # how long clients should be forced to use TLS for. + # (Emile): no clue why, can I set something like \infty here? + duration = "12m"; + + }; + }; + logging = [ + { + method = "stderr"; + type = "* -userinput -useroutput"; + level = "debug"; + } + ]; + }; + }; +} diff --git a/nix/hosts/corrino/www/nix-cache/default.nix b/nix/hosts/corrino/www/nix-cache/default.nix new file mode 100644 index 0000000..da2537c --- /dev/null +++ b/nix/hosts/corrino/www/nix-cache/default.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + imports = [ + ./nix-cache.emile.space.nix + ]; +} diff --git a/nix/hosts/corrino/www/nix-cache/index.txt b/nix/hosts/corrino/www/nix-cache/index.txt new file mode 100644 index 0000000..514b288 --- /dev/null +++ b/nix/hosts/corrino/www/nix-cache/index.txt 
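Review bot: `postRun` on the `irc.emile.space` ACME certificate reloads `ergo.service`, but the unit configured in this same hunk is `ergochat.service` (`systemd.services.ergochat`), so unless an `ergo.service` is defined elsewhere the reload hits the wrong unit and renewed certificates are never picked up. The `cp … /home/ergo` steps are also redundant with the `LoadCredential` lines and leave a second copy of the private key in a home directory; dropping them gives `postRun = "systemctl restart ergochat.service";`, and I would use restart rather than reload because systemd populates `/run/credentials/<unit>/` when the unit starts, so a reload alone may not see the renewed files (worth confirming against the ergo service). `bcrypt-cost = 4` is far below the usual 10–12 and weakens stored account passwords, and `lookup-hostnames = false` together with `ip-cloaking.enabled = false` presumably leaves raw client IPs visible to other users; each deserves a one-line comment stating that it is deliberate.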
@@ -0,0 +1,22 @@ +Nix Cache by emile + +Public key: + + nix-cache.emile.space:3xzJknXMsR/EL3SBTu6V6oCOkjxe6MgJm0nOrElW33A= + +NixOS Configuration: + + nix.settings = { + substituters = [ + "https://nix-cache.emile.space" + ]; + trusted-public-keys = [ + "nix-cache.emile.space:3xzJknXMsR/EL3SBTu6V6oCOkjxe6MgJm0nOrElW33A=" + ]; + } + +Try: + + nix build --substituters "https://nix-cache.emile.space" \ + --trusted-public-keys "nix-cache.emile.space:3xzJknXMsR/EL3SBTu6V6oCOkjxe6MgJm0nOrElW33A=" \ + "git+https://git.emile.space/hefe.git#r2wars-web" diff --git a/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix new file mode 100644 index 0000000..690e422 --- /dev/null +++ b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix 
@@ -0,0 +1,58 @@ +{ ... }: + +{ + services.nginx.virtualHosts."nix-cache.emile.space" = { + forceSSL = false; + enableACME = false; + }; + # locations = { + # "/" = { + # root = "/var/www/emile.space"; + # extraConfig = '' + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + # ''; + # }; + # }; + # locations."= /" = { + # index = "/index.txt"; + # }; + # locations."= /index.txt" = { + # root = ./index.txt; + # }; + # locations."= /nix/store/" = { + # extraConfig = '' + # return 404; + # ''; + # }; + # locations."/nix/store/" = { + # root = "/"; + # extraConfig = '' + # autoindex on; + # autoindex_exact_size off; + # ''; + # }; + # locations."/" = { + # proxyPass = "http://${config.services.harmonia.settings.bind}"; + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_redirect http:// https://; + # proxy_http_version 1.1; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection $connection_upgrade; + + # zstd on; + # zstd_types application/x-nix-archive; + # ''; + # }; + # }; + + # services.harmonia = { + # enable = true; + + # # TODO(emile): manage this using age + # signKeyPath = "/var/lib/secrets/harmonia.secret"; + + # settings.bind = "[::1]:${toString config.emile.ports.harmonia}"; + # }; +} |
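Review bot: The `nix-cache.emile.space` vhost is created with `forceSSL = false; enableACME = false;` and no locations, while `index.txt` and the hydra hunk in this same commit advertise `https://nix-cache.emile.space` as the substituter; as committed, the host has no TLS and serves nothing useful, so the advertised cache cannot work. If the harmonia and nginx block is intentionally parked, a one-line comment saying so (and why TLS is off) would help; otherwise `forceSSL = true; enableACME = true;` and the `proxyPass` location should go live together. Roughly fifty lines of commented-out configuration are better kept in git history than in the file; if they stay, note that `root = ./index.txt;` names a file rather than a directory and would need to change before being uncommented, and `signKeyPath` still carries the TODO about managing the signing secret properly.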