hacc/haccfiles
8
0
Fork 1
Code Issues 1 Pull requests Projects Releases Wiki Activity

Merge branch 'parsons-init' into 'main'

Browse source 
init parsons

See merge request hacc/infra/haccfiles!75
This commit is contained in:
hexchen 2021-08-23 19:29:24 +00:00
parent cbeb0e86c1 e67b875f86
commit 15225932f0
34 changed files with 1624 additions and 753 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
.gitlab-ci.yml
View file

@ -1,16 +1,16 @@
stages:
- build
build-parsons:
tags:
- nix
stage: build
script:
- nix-build -A deploy.parsons
build-nixda:
tags:
- nix
stage: build
script:
- nix-build -A deploy.nixda
build-hainich:
tags:
- nix
stage: build
script:
- nix-build -A deploy.hainich

9
common/default.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, modules, ... }:
let
sources = import ../nix/sources.nix;
@ -7,10 +7,10 @@ in {
../modules
./users.nix
(sources.home-manager + "/nixos")
(sources.pbb-nixfiles + "/modules/nftables")
modules.network.nftables
];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
boot.kernelParams = [ "quiet" ];
networking.domain = lib.mkDefault "hacc.space";
@ -77,7 +77,8 @@ in {
services.nginx.appendHttpConfig = ''
access_log off;
add_header Permissions-Policy "interest-cohort=()";
'';
petabyte.nftables.enable = true;
networking.nftables.enable = true;
}

6
default.nix
View file

@ -2,6 +2,10 @@ rec {
sources = import ./nix/sources.nix;
pkgs = import ./pkgs {};
inherit (pkgs) lib;
inherit (import (sources.nix-hexchen + "/lib/hosts.nix") { inherit pkgs; hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs; }) hosts groups;
inherit (import (sources.nix-hexchen + "/lib/hosts.nix") {
inherit pkgs sources;
inherit ((import sources.nix-hexchen) {}) modules;
hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs;
}) hosts groups;
deploy = import (sources.nix-hexchen + "/lib/deploy.nix") { inherit pkgs hosts groups; };
}

140
hosts/hainich/configuration.nix
View file

@ -1,140 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
../../common
./encboot.nix
./hardware.nix
./services/murmur.nix
./services/mail.nix
./services/hedgedoc_hacc.nix
./services/hedgedoc_i4f.nix
../../common
# ./wireguard.nix
./services/nginx.nix
# ./k8s.nix
./services/ghost_waszumfff.nix
./services/gitlab-runner.nix
./services/lantifa.nix
./services/syncthing.nix
./services/monitoring.nix
./services/workadventure.nix
./services/mattermost.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
boot.supportedFilesystems = [ "zfs" ];
# stop *something* from loading ip_tables and breaking nftables
boot.blacklistedKernelModules = [ "ip_tables" "ip6_tables" "x_tables"];
# networking
networking.hostName = "hainich";
networking.hostId = "8a58cb2f";
networking.useDHCP = true;
networking.interfaces.enp6s0.ipv4.addresses = [
{
address = "46.4.63.148";
prefixLength = 27;
}
{
address = "46.4.63.158";
prefixLength = 27;
}
];
networking.interfaces.enp6s0.ipv6.addresses = [ {
address = "2a01:4f8:140:84c9::1";
prefixLength = 64;
} ];
networking.defaultGateway = "46.4.63.129";
networking.nameservers = [
"1.1.1.1" "1.0.0.1"
"2606:4700:4700::1111" "2606:4700:4700::1001"
];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp6s0";
};
hacc.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ];
networking.nat.externalInterface = "enp6s0";
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# networking.firewall.enable = false;
# misc
time.timeZone = "UTC";
environment.systemPackages = with pkgs; [
wget vim git
];
services.openssh.enable = true;
services.openssh.ports = [ 22 62954 ];
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvmrk3i04tXfrSlZtHFbG3o6lQgh3ODMWmGDING4TJ4ctidexmMNY15IjVjzXZgQSET1uKLDLITiaPsii8vaWERZfjm3jjub845mpKkKv48nYdM0eCbv7n604CA3lwoB5ebRgULg4oGTi60rQ4trFf3iTkJfmiLsieFBZz7l+DfgeDEjDNSJcrkOggGBrjE5vBXoDimdkNh8kBNwgMDj1kPR/FHDqybSd5hohCJ5FzQg9vzl/x/H1rzJJKYPO4svSgHkYNkeoL84IZNeHom+UEHX0rw2qAIEN6AiHvNUJR38relvQYxbVdDSlaGN3g26H2ehsmolf+U0uQlRAXTHo0NbXNVYOfijFKL/jWxNfH0aRycf09Lu60oY54gkqS/J0GoQe/OGNq1Zy72DI+zAwEzyCGfSDbAgVF7Y3mU2HqcqGqNzu7Ade5oCbLmkT7yzDM3x6IsmT1tO8dYiT8Qv+zFAECkRpw3yDkJkPOxNKg10oM318whMTtM3yqntE90hk= schweby@taxusbaccata"
];
initialHashedPassword = "$6$F316njEF2$GMF4OmPSF6QgZ3P/DblQ/UFMgoo98bztbdw7X0ygvBGC1UMMIc13Vtxjd/ZGRYW/pEHACZZ7sbRZ48t6xhvO7/";
# shell = pkgs.fish;
};
# storage stuffs!
services.zfs = {
autoSnapshot = {
enable = true;
frequent = 12;
hourly = 18;
daily = 3;
weekly = 0;
monthly = 0;
};
autoScrub = {
enable = true;
};
};
boot.kernelPackages = pkgs.linuxPackages;
services.restic.backups.tardis = {
passwordFile = "/etc/restic/system";
s3CredentialsFile = "/etc/restic/system.s3creds";
paths = [
"/data"
"/home"
"/run/florinori"
"/var/lib/containers/codimd/var/lib/codimd"
"/var/lib/containers/codimd/var/backup/postgresql"
"/var/lib/containers/hedgedoc-i4f/var/lib/codimd"
"/var/lib/containers/hedgedoc-i4f/var/backup/postgresql"
"/var/lib/containers/lantifa/var/lib/mediawiki"
"/var/lib/containers/lantifa/var/backup/mysql"
"/var/lib/murmur"
"/var/lib/syncthing"
];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 3"
];
repository = "b2:tardis-hainich:system";
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.03"; # Did you read the comment?
}

28
hosts/hainich/encboot.nix
View file

@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
{
boot.initrd.kernelModules = [ "r8169" ]; # add network card driver
boot.kernelParams = ["ip=:::::enp6s0:dhcp"]; # enable dhcp on primary network interface
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
# TODO: Modify system config so that this works
# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
hostKeys = [ /run/keys/ecdsa_host ];
};
# TODO: curl some webhook here to alert?
# possibly quite hard to do, we only have limited wget or netcat available
# how this all works:
# when someone logs in via ssh, they are prompted to unlock the zfs volume
# afterwards zfs is killed in order for the boot to progress
# timeout of 120s still applies afaik
postCommands = ''
zpool import zroot
zpool import dpool
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
'';
};
}

52
hosts/hainich/hardware.nix
View file

@ -1,52 +0,0 @@
{ config, lib, pkgs, ... }:
{
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zroot/root/nixos";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "zroot/root/nixos/nix";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "dpool/home";
fsType = "zfs";
};
fileSystems."/var/lib/containers" =
{ device = "dpool/containers";
fsType = "zfs";
};
fileSystems."/var/lib/docker" =
{ device = "dpool/docker";
fsType = "zfs";
};
fileSystems."/var/lib/gitlab-runner" =
{ device = "dpool/gitlab-runner";
fsType = "zfs";
};
fileSystems."/data" =
{ device = "dpool/data";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/40125f55-7fe8-4850-902e-b4d6e22f0335";
fsType = "ext2";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 12;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

125
hosts/hainich/k8s.nix
View file

@ -1,125 +0,0 @@
{ config, pkgs, ... }:
{
services.etcd = {
advertiseClientUrls = [
"https://[2a0d:eb04:8:10::1]:2379"
];
listenClientUrls = [
"https://[2a0d:eb04:8:10::1]:2379"
];
listenPeerUrls = [
"https://[::1]:2380"
];
};
services.kubernetes = {
roles = [ "master" "node" ];
flannel.enable = false;
addons.dns = {
enable = true;
clusterIp = "2a0d:eb04:8:11::53";
reconcileMode = "EnsureExists";
};
pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ];
apiserver = {
advertiseAddress = "2a0d:eb04:8:10::1";
extraSANs = [
"2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space"
];
bindAddress = "::";
insecureBindAddress = "::1";
etcd = {
servers = [ "https://[2a0d:eb04:8:10::1]:2379" ];
};
serviceClusterIpRange = "2a0d:eb04:8:11::/120";
extraOpts = "--allow-privileged=true";
};
controllerManager = {
bindAddress = "::";
clusterCidr = "2a0d:eb04:8:12::/64";
};
kubelet = {
address = "::";
clusterDns = "2a0d:eb04:8:11::53";
};
proxy = {
bindAddress = "::";
};
scheduler = {
address = "::1" ;
};
apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443";
clusterCidr = "2a0d:eb04:8:12::/64";
easyCerts = true;
masterAddress = "hainich.hacc.space";
};
networking.firewall = {
allowedTCPPorts = [ 80 443 6443 ];
trustedInterfaces = [
"cbr0" "tunnat64"
];
extraCommands = ''
iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
iptables -A FORWARD -i tunnat64 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
ip6tables -A INPUT -i tunnat64 -j ACCEPT
'';
extraStopCommands = ''
iptables -t nat -D POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
iptables -D FORWARD -i tunnat64 -j ACCEPT
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
ip6tables -A INPUT -i tunnat64 -j ACCEPT
'';
};
systemd.services.tayga = (let
config = pkgs.writeText "tayga.conf" ''
tun-device tunnat64
ipv4-addr 10.255.255.254
prefix 2a0d:eb04:8:10:64::/96
dynamic-pool 10.255.255.0/24
map 10.255.255.1 2a0d:eb04:8:10::1
map 10.255.255.2 2a0d:eb04:8:11::2
strict-frag-hdr 1
'';
startScript = pkgs.writeScriptBin "tayga-start" ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute}/bin/ip link set up tunnat64 || true
${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true
${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true
${pkgs.tayga}/bin/tayga -d --config ${config}
'';
in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = ''${startScript}/bin/tayga-start'';
};
});
networking.interfaces.cbr0.ipv6.routes = [{
address = "2a0d:eb04:8:10::";
prefixLength = 60;
}];
networking.interfaces.tunnat64 = {
virtual = true;
};
# openebs expects some stuff to be there.
system.activationScripts.openebs = ''
mkdir -p /usr/lib /usr/sbin
ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/
ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/
'';
}

32
hosts/hainich/services/ghost_waszumfff.nix
View file

@ -1,32 +0,0 @@
{ config, lib, pkgs, ... }:
{
virtualisation.oci-containers.containers."ghost-waszumfff" = {
autoStart = true;
environment = {
url = "https://waszumfff.4future.dev";
};
image = "ghost:alpine";
ports = [ "127.0.0.1:2368:2368" ];
volumes = [ "/run/florinori:/var/lib/ghost/content" ];
};
fileSystems."/run/florinori" =
{ device = "dpool/k8s/florinori";
fsType = "zfs";
};
services.nginx.virtualHosts."waszumfff.4future.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2368";
extraConfig = "
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
";
};
};
}

42
hosts/hainich/services/monitoring.nix
View file

@ -1,42 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.prometheus = {
enable = true;
webExternalUrl = "https://stats.hacc.space";
exporters = {
dovecot = {
enable = true;
scopes = [ "user" "global" ];
socketPath = "/var/run/dovecot2/old-stats";
};
nginx.enable = true;
node.enable = true;
postfix = {
enable = true;
systemd.enable = true;
};
rspamd.enable = true;
};
scrapeConfigs = (lib.mapAttrsToList (name: val:
{
job_name = "${name}-${config.networking.hostName}";
static_configs = [{
targets = [ "localhost:${toString val.port}" ];
labels.host = config.networking.hostName;
}];
}
) (lib.filterAttrs (_: val: val.enable) config.services.prometheus.exporters));
};
services.dovecot2.extraConfig = ''
mail_plugins = $mail_plugins old_stats
service old-stats {
unix_listener old-stats {
user = dovecot-exporter
group = dovecot-exporter
}
}
'';
services.nginx.statusPage = true;
}

56
hosts/hainich/services/nginx.nix
View file

@ -1,56 +0,0 @@
{ config, lib, pkgs, ... }:
{
security.acme.acceptTerms = true;
security.acme.email = "info+acme@hacc.space";
services.nginx.enable = true;
services.nginx.package = pkgs.nginx.override {
modules = [ pkgs.nginxModules.rtmp ];
};
# services.nginx.recommendedProxySettings = true;
services.nginx.virtualHosts = let
in {
# let all empty subdomains pointing to hainich return 404
"hainich.hacc.space" = {
default = true;
locations."/".return = "404";
};
"hacc.space" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 https://hacc.earth";
};
};
networking.firewall.allowedTCPPorts = [ 1935 ];
services.nginx = {
appendHttpConfig = ''
add_header Permissions-Policy "interest-cohort=()";
'';
appendConfig = ''
rtmp {
server {
listen 1935;
application cutiestream {
live on;
allow publish all;
allow play all;
}
application ingest {
live on;
record all;
record_path /data/ingest;
record_unique on;
# include /var/secrets/ingest.conf;
}
}
}
'';
};
systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
}

102
hosts/hainich/services/workadventure.nix
View file

@ -1,102 +0,0 @@
{pkgs, lib, config, ...}:
let
sources = import ../../../nix/sources.nix {};
# why the double outPath? Dunno, just niv things …
workadventure-nix = sources.workadventure.outPath.outPath;
haccmap = sources.haccmap.outPath.outPath;
in
{
# not the most intuitive of container names, but "workadventure" is too long
containers.wa-void = {
# we'll need the outer config to get the turn secret inside the container,
# and I'm feeling haskelly so config' it is!
config = let config' = config; in {config, pkgs, ...}: {
imports = [ workadventure-nix ];
networking.firewall.allowedTCPPorts = [ 80 ];
services.workadventure."void.hacc.space" = {
packageset = (
import "${workadventure-nix}/wapkgs.nix" {
inherit pkgs lib;
}
).workadventure-xce;
nginx = {
default = true;
domain = "void.hacc.space";
maps = {
serve = true;
path = "${haccmap}/";
};
};
frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
commonConfig = {
webrtc.stun.url = "stun:turn.hacc.space:3478";
webrtc.turn = {
url = "turn:46.4.63.148";
user = "turn";
password = config'.services.coturn.static-auth-secret;
};
jitsi.url = "meet.ffmuc.net";
};
};
};
privateNetwork = true;
hostAddress6 = "fd00::42:14";
localAddress6 = "fd00::42:16";
autoStart = true;
};
services.coturn = {
enable = true;
realm = "turn.hacc.space";
# this is a static "secret" that is also compiled into workadventure,
# so it seems ok to put it into the nix store
static-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
use-auth-secret = true;
no-cli = true;
no-tcp-relay = true;
cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
};
services.nginx = {
virtualHosts."void.hacc.space" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[${config.containers.wa-void.localAddress6}]";
proxyWebsockets = true;
};
};
# this isn't actually needed, but acme requires a webserver to serve
# challanges, so I guess it's easier to just define a virtualHost here
virtualHosts."turn.hacc.space" = {
enableACME = true;
forceSSL = true;
};
};
networking.firewall = with config.services.coturn;
let
ports = [ listening-port tls-listening-port ];
in {
allowedTCPPorts = [ 80 ] ++ ports;
allowedUDPPorts = ports;
allowedUDPPortRanges = [
{ from = min-port; to = max-port; }
];
};
}

34
hosts/hainich/wireguard.nix
View file

@ -1,34 +0,0 @@
{ config, lib, pkgs, ... }:
{
systemd.services.wireguard-upstream = {
wants = [ "wg-upstream-key.service" ];
after = [ "wg-upstream-key.service" ];
};
networking.wireguard.interfaces.upstream = {
ips = [ "2a0d:eb04:8:ffff:2::2/128" ];
generatePrivateKeyFile = true;
privateKeyFile = "/etc/wireguard/upstream.key";
listenPort = 51820;
peers = [
{
allowedIPs = [ "::/0" ];
endpoint = "103.105.50.220:51823";
publicKey = "qL5xKnQ7xLbtTvu0VmLBwHExteJBhmCe5S/0ZoXBeXY=";
}
];
postSetup = ''
${pkgs.iproute}/bin/ip addr del dev upstream 2a0d:eb04:8:ffff:2::2/128
${pkgs.iproute}/bin/ip addr add dev upstream 2a0d:eb04:8:ffff:2::2/128 peer 2a0d:eb04:8:ffff:2::1/128
'';
};
networking.interfaces.lo.ipv6 = {
addresses = [{
address = "2a0d:eb04:8:10::1";
prefixLength = 128;
}];
};
networking.defaultGateway6 = {
address = "2a0d:eb04:8:ffff:2::1";
interface = "upstream";
};
}

95
hosts/parsons/configuration.nix Normal file
View file

@ -0,0 +1,95 @@
{ config, lib, pkgs, sources, modules, ... }:
{
imports = [
../../common
./hardware.nix
modules.encboot
modules.network.nftables modules.nftnat
((import sources.nix-hexchen) {}).profiles.nopersist
../../services/nextcloud
../../services/mattermost.nix
../../services/thelounge.nix
../../services/murmur.nix
../../services/hedgedoc-hacc.nix
../../services/hedgedoc-i4f.nix
../../services/mail.nix
../../services/syncthing.nix
../../services/gitlab.nix
../../services/nginx-pages.nix
../../services/gitlab-runner.nix
../../services/unifi.nix
../../services/lantifa.nix
./lxc.nix
];
hexchen.encboot = {
enable = true;
dataset = "-a";
networkDrivers = [ "igb" ];
};
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
boot.supportedFilesystems = [ "zfs" ];
networking.hostId = "b2867696";
networking.useDHCP = true;
networking.nftables.enable = true;
hexchen.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "enp35s0";
networking.interfaces.enp35s0.ipv6.addresses = [{
address = "2a01:4f9:3a:2ddb::1";
prefixLength = 64;
}];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp35s0";
};
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
"net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"parsons.hacc.space" = {
default = true;
locations."/".return = "404";
};
"hacc.space" = {
enableACME = true;
forceSSL = true;
locations."/".return = "302 https://hacc.earth";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.restic.backups.tardis = {
passwordFile = "/persist/restic/system";
s3CredentialsFile = "/persist/restic/system.s3creds";
paths = [
"/home"
"/persist"
];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 3"
];
repository = "b2:tardis-parsons:system";
};
system.stateVersion = "21.05";
}

65
hosts/parsons/hardware.nix Normal file
View file

@ -0,0 +1,65 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zroot/local/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/daf2a731-952f-45c7-9c25-49e1a2f56062";
fsType = "ext4";
};
fileSystems."/nix" =
{ device = "zroot/local/nix";
fsType = "zfs";
};
fileSystems."/persist" =
{ device = "zroot/safe/persist";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "zroot/safe/home";
fsType = "zfs";
};
fileSystems."/root" =
{ device = "zroot/safe/root";
fsType = "zfs";
};
fileSystems."/var/cache/restic-backups-tardis" =
{ device = "zroot/safe/restic-cache";
fsType = "zfs";
};
fileSystems."/tmp" =
{ device = "zroot/local/tmp";
fsType = "zfs";
};
fileSystems."/persist/data" =
{ device = "dpool/safe/data";
fsType = "zfs";
};
fileSystems."/var/lib/docker" =
{ device = "zroot/local/docker";
fsType = "zfs";
};
swapDevices = [ ];
}

36
hosts/parsons/lxc.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, lib, pkgs, ... }:
{
networking.bridges.lxcbr0.interfaces = [];
networking.interfaces.lxcbr0.ipv4.addresses = [
{
address = "10.1.2.1";
prefixLength = 24;
}
];
networking.nat.internalInterfaces = [ "lxcbr0" ];
virtualisation.lxc.enable = true;
virtualisation.lxc.systemConfig = ''
lxc.bdev.zfs.root = zroot/safe/containers/lxc
lxc.lxcpath = /persist/lxc
'';
users.users.root.subUidRanges = [{ count = 65536; startUid = 100000; }];
users.users.root.subGidRanges = [{ count = 65536; startGid = 100000; }];
environment.etc."lxc/share".source = "${pkgs.lxc}/share/lxc";
services.nginx.virtualHosts."onlyoffice.infra4future.de" = {
locations."/".proxyPass = "http://10.1.2.233:80";
enableACME = true;
forceSSL = true;
};
services.nginx.virtualHosts."auth.infra4future.de" = {
locations."/".proxyPass = "http://10.1.2.104:8080";
enableACME = true;
forceSSL = true;
};
}

2
modules/mattermost.nix
View file

@ -16,8 +16,6 @@ let
[ { ServiceSettings.SiteURL = cfg.siteUrl;
ServiceSettings.ListenAddress = cfg.listenAddress;
TeamSettings.SiteName = cfg.siteName;
SqlSettings.DriverName = "postgres";
SqlSettings.DataSource = database;
}
cfg.extraConfig
];

746
modules/nextcloud.nix Normal file
View file

@ -0,0 +1,746 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.nextcloud-patched;
fpm = config.services.phpfpm.pools.nextcloud;
phpPackage =
let
base = pkgs.php74;
in
base.buildEnv {
extensions = { enabled, all }: with all;
enabled ++ [
apcu redis memcached imagick
];
extraConfig = phpOptionsStr;
};
toKeyValue = generators.toKeyValue {
mkKeyValue = generators.mkKeyValueDefault {} " = ";
};
phpOptions = {
upload_max_filesize = cfg.maxUploadSize;
post_max_size = cfg.maxUploadSize;
memory_limit = cfg.maxUploadSize;
} // cfg.phpOptions
// optionalAttrs cfg.caching.apcu {
"apc.enable_cli" = "1";
};
phpOptionsStr = toKeyValue phpOptions;
occ = pkgs.writeScriptBin "nextcloud-occ" ''
#! ${pkgs.runtimeShell}
cd ${cfg.package}
sudo=exec
if [[ "$USER" != nextcloud ]]; then
sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
fi
export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config"
$sudo \
${phpPackage}/bin/php \
occ $*
'';
inherit (config.system) stateVersion;
in {
imports = [
(mkRemovedOptionModule [ "services" "nextcloud-patched" "nginx" "enable" ] ''
The nextcloud module supports `nginx` as reverse-proxy by default and doesn't
support other reverse-proxies officially.
However it's possible to use an alternative reverse-proxy by
* disabling nginx
* setting `listen.owner` & `listen.group` in the phpfpm-pool to a different value
Further details about this can be found in the `Nextcloud`-section of the NixOS-manual
(which can be openend e.g. by running `nixos-help`).
'')
];
options.services.nextcloud-patched = {
enable = mkEnableOption "nextcloud";
hostName = mkOption {
type = types.str;
description = "FQDN for the nextcloud instance.";
};
home = mkOption {
type = types.str;
default = "/var/lib/nextcloud";
description = "Storage path of nextcloud.";
};
logLevel = mkOption {
type = types.ints.between 0 4;
default = 2;
description = "Log level value between 0 (DEBUG) and 4 (FATAL).";
};
https = mkOption {
type = types.bool;
default = false;
description = "Use https for generated links.";
};
package = mkOption {
type = types.package;
description = "Which package to use for the Nextcloud instance.";
relatedPackages = [ "nextcloud18" "nextcloud19" "nextcloud20" "nextcloud21" ];
};
maxUploadSize = mkOption {
default = "512M";
type = types.str;
description = ''
Defines the upload limit for files. This changes the relevant options
in php.ini and nginx if enabled.
'';
};
skeletonDirectory = mkOption {
default = "";
type = types.str;
description = ''
The directory where the skeleton files are located. These files will be
copied to the data directory of new users. Leave empty to not copy any
skeleton files.
'';
};
webfinger = mkOption {
type = types.bool;
default = false;
description = ''
Enable this option if you plan on using the webfinger plugin.
The appropriate nginx rewrite rules will be added to your configuration.
'';
};
phpOptions = mkOption {
type = types.attrsOf types.str;
default = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "8";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
description = ''
Options for PHP's php.ini file for nextcloud.
'';
};
poolSettings = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {
"pm" = "dynamic";
"pm.max_children" = "32";
"pm.start_servers" = "2";
"pm.min_spare_servers" = "2";
"pm.max_spare_servers" = "4";
"pm.max_requests" = "500";
};
description = ''
Options for nextcloud's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
'';
};
poolConfig = mkOption {
type = types.nullOr types.lines;
default = null;
description = ''
Options for nextcloud's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
'';
};
config = {
dbtype = mkOption {
type = types.enum [ "sqlite" "pgsql" "mysql" ];
default = "sqlite";
description = "Database type.";
};
dbname = mkOption {
type = types.nullOr types.str;
default = "nextcloud";
description = "Database name.";
};
dbuser = mkOption {
type = types.nullOr types.str;
default = "nextcloud";
description = "Database user.";
};
dbpass = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Database password. Use <literal>dbpassFile</literal> to avoid this
being world-readable in the <literal>/nix/store</literal>.
'';
};
dbpassFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The full path to a file that contains the database password.
'';
};
dbhost = mkOption {
type = types.nullOr types.str;
default = "localhost";
description = ''
Database host.
Note: for using Unix authentication with PostgreSQL, this should be
set to <literal>/run/postgresql</literal>.
'';
};
dbport = mkOption {
type = with types; nullOr (either int str);
default = null;
description = "Database port.";
};
dbtableprefix = mkOption {
type = types.nullOr types.str;
default = null;
description = "Table prefix in Nextcloud database.";
};
adminuser = mkOption {
type = types.str;
default = "root";
description = "Admin username.";
};
adminpass = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Admin password. Use <literal>adminpassFile</literal> to avoid this
being world-readable in the <literal>/nix/store</literal>.
'';
};
adminpassFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The full path to a file that contains the admin's password. Must be
readable by user <literal>nextcloud</literal>.
'';
};
extraTrustedDomains = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Trusted domains, from which the nextcloud installation will be
acessible. You don't need to add
<literal>services.nextcloud.hostname</literal> here.
'';
};
trustedProxies = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Trusted proxies, to provide if the nextcloud installation is being
proxied to secure against e.g. spoofing.
'';
};
overwriteProtocol = mkOption {
type = types.nullOr (types.enum [ "http" "https" ]);
default = null;
example = "https";
description = ''
Force Nextcloud to always use HTTPS i.e. for link generation. Nextcloud
uses the currently used protocol by default, but when behind a reverse-proxy,
it may use <literal>http</literal> for everything although Nextcloud
may be served via HTTPS.
'';
};
defaultPhoneRegion = mkOption {
default = null;
type = types.nullOr types.str;
example = "DE";
description = ''
<warning>
<para>This option exists since Nextcloud 21! If older versions are used,
this will throw an eval-error!</para>
</warning>
<link xlink:href="https://www.iso.org/iso-3166-country-codes.html">ISO 3611-1</link>
country codes for automatic phone-number detection without a country code.
With e.g. <literal>DE</literal> set, the <literal>+49</literal> can be omitted for
phone-numbers.
'';
};
};
caching = {
apcu = mkOption {
type = types.bool;
default = true;
description = ''
Whether to load the APCu module into PHP.
'';
};
redis = mkOption {
type = types.bool;
default = false;
description = ''
Whether to load the Redis module into PHP.
You still need to enable Redis in your config.php.
See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
'';
};
memcached = mkOption {
type = types.bool;
default = false;
description = ''
Whether to load the Memcached module into PHP.
You still need to enable Memcached in your config.php.
See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
'';
};
};
autoUpdateApps = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Run regular auto update of all apps installed from the nextcloud app store.
'';
};
startAt = mkOption {
type = with types; either str (listOf str);
default = "05:00:00";
example = "Sun 14:00:00";
description = ''
When to run the update. See `systemd.services.&lt;name&gt;.startAt`.
'';
};
};
occ = mkOption {
type = types.package;
default = occ;
internal = true;
description = ''
The nextcloud-occ program preconfigured to target this Nextcloud instance.
'';
};
extraOptions = mkOption {
type = types.attrs;
default = "";
description = ''
Extra options which should be appended to nextcloud's config.php file
'';
};
secretFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Secret options which will be appended to nextcloud's config.php file (written in JSON, in the same
form as the `extraOptions` option).
'';
};
};
config = mkIf cfg.enable (mkMerge [
{ assertions = let acfg = cfg.config; in [
{ assertion = !(acfg.dbpass != null && acfg.dbpassFile != null);
message = "Please specify no more than one of dbpass or dbpassFile";
}
{ assertion = ((acfg.adminpass != null || acfg.adminpassFile != null)
&& !(acfg.adminpass != null && acfg.adminpassFile != null));
message = "Please specify exactly one of adminpass or adminpassFile";
}
{ assertion = versionOlder cfg.package.version "21" -> cfg.config.defaultPhoneRegion == null;
message = "The `defaultPhoneRegion'-setting is only supported for Nextcloud >=21!";
}
];
warnings = []
++ (optional (cfg.poolConfig != null) ''
Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
Please migrate your configuration to config.services.nextcloud.poolSettings.
'')
++ (optional (versionOlder cfg.package.version "18") ''
A legacy Nextcloud install (from before NixOS 20.03) may be installed.
You're currently deploying an older version of Nextcloud. This may be needed
since Nextcloud doesn't allow major version upgrades that skip multiple
versions (i.e. an upgrade from 16 is possible to 17, but not 16 to 18).
It is assumed that Nextcloud will be upgraded from version 16 to 17.
* If this is a fresh install, there will be no upgrade to do now.
* If this server already had Nextcloud installed, first deploy this to your
server, and wait until the upgrade to 17 is finished.
Then, set `services.nextcloud.package` to `pkgs.nextcloud18` to upgrade to
Nextcloud version 18. Please note that Nextcloud 19 is already out and it's
recommended to upgrade to nextcloud19 after that.
'')
++ (optional (versionOlder cfg.package.version "19") ''
A legacy Nextcloud install (from before NixOS 20.09) may be installed.
If/After nextcloud18 is installed successfully, you can safely upgrade to
nextcloud19. If not, please upgrade to nextcloud18 first since Nextcloud doesn't
support upgrades that skip multiple versions (i.e. an upgrade from 17 to 19 isn't
possible, but an upgrade from 18 to 19).
'')
++ (optional (versionOlder cfg.package.version "21") ''
The latest Nextcloud release is v21 which can be installed by setting
`services.nextcloud.package` to `pkgs.nextcloud21`. Please note that if you're
on `pkgs.nextcloud19`, you'll have to install `pkgs.nextcloud20` first.
'');
services.nextcloud-patched.package = with pkgs;
mkDefault (
if pkgs ? nextcloud
then throw ''
The `pkgs.nextcloud`-attribute has been removed. If it's supposed to be the default
nextcloud defined in an overlay, please set `services.nextcloud.package` to
`pkgs.nextcloud`.
''
else if versionOlder stateVersion "20.03" then nextcloud17
else if versionOlder stateVersion "20.09" then nextcloud18
else nextcloud19
);
}
{ systemd.timers.nextcloud-cron = {
wantedBy = [ "timers.target" ];
timerConfig.OnBootSec = "5m";
timerConfig.OnUnitActiveSec = "15m";
timerConfig.Unit = "nextcloud-cron.service";
};
systemd.services = {
# When upgrading the Nextcloud package, Nextcloud can report errors such as
# "The files of the app [all apps in /var/lib/nextcloud/apps] were not replaced correctly"
# Restarting phpfpm on Nextcloud package update fixes these issues (but this is a workaround).
phpfpm-nextcloud.restartTriggers = [ cfg.package ];
nextcloud-setup = let
c = cfg.config;
writePhpArrary = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]";
overrideConfig = pkgs.writeText "nextcloud-config.php" ''
<?php
${optionalString (c.dbpassFile != null) ''
function nix_read_pwd() {
$file = "${c.dbpassFile}";
if (!file_exists($file)) {
throw new \RuntimeException(sprintf(
"Cannot start Nextcloud, dbpass file %s set by NixOS doesn't exist!",
$file
));
}
return trim(file_get_contents($file));
}
''}
${optionalString (cfg.secretFile != null) ''
function nix_read_secrets() {
$file = "${cfg.secretFile}";
if (!file_exists($file)) {
throw new \RuntimeException(sprintf(
"Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!",
$file
));
}
return json_decode(file_get_contents($file));
}
''}
$CONFIG = [
'apps_paths' => [
[ 'path' => '${cfg.home}/apps', 'url' => '/apps', 'writable' => false ],
[ 'path' => '${cfg.home}/store-apps', 'url' => '/store-apps', 'writable' => true ],
],
'datadirectory' => '${cfg.home}/data',
'skeletondirectory' => '${cfg.skeletonDirectory}',
${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"}
'log_type' => 'syslog',
'log_level' => '${builtins.toString cfg.logLevel}',
${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"}
${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"}
${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"}
${optionalString (c.dbport != null) "'dbport' => '${toString c.dbport}',"}
${optionalString (c.dbuser != null) "'dbuser' => '${c.dbuser}',"}
${optionalString (c.dbtableprefix != null) "'dbtableprefix' => '${toString c.dbtableprefix}',"}
${optionalString (c.dbpass != null) "'dbpassword' => '${c.dbpass}',"}
${optionalString (c.dbpassFile != null) "'dbpassword' => nix_read_pwd(),"}
'dbtype' => '${c.dbtype}',
'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)},
'trusted_proxies' => ${writePhpArrary (c.trustedProxies)},
${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"}
];
$EXTRACONFIG = json_decode('${builtins.toJSON cfg.extraOptions}', true);
array_push($CONFIG, $EXTRACONFIG);
${optionalString (cfg.secretFile != null) "array_push($CONFIG, nix_read_secrets());"}
'';
occInstallCmd = let
dbpass = if c.dbpassFile != null
then ''"$(<"${toString c.dbpassFile}")"''
else if c.dbpass != null
then ''"${toString c.dbpass}"''
else ''""'';
adminpass = if c.adminpassFile != null
then ''"$(<"${toString c.adminpassFile}")"''
else ''"${toString c.adminpass}"'';
installFlags = concatStringsSep " \\\n "
(mapAttrsToList (k: v: "${k} ${toString v}") {
"--database" = ''"${c.dbtype}"'';
# The following attributes are optional depending on the type of
# database. Those that evaluate to null on the left hand side
# will be omitted.
${if c.dbname != null then "--database-name" else null} = ''"${c.dbname}"'';
${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"'';
${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"'';
${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"'';
"--database-pass" = dbpass;
${if c.dbtableprefix != null
then "--database-table-prefix" else null} = ''"${toString c.dbtableprefix}"'';
"--admin-user" = ''"${c.adminuser}"'';
"--admin-pass" = adminpass;
"--data-dir" = ''"${cfg.home}/data"'';
});
in ''
${occ}/bin/nextcloud-occ maintenance:install \
${installFlags}
'';
occSetTrustedDomainsCmd = concatStringsSep "\n" (imap0
(i: v: ''
${occ}/bin/nextcloud-occ config:system:set trusted_domains \
${toString i} --value="${toString v}"
'') ([ cfg.hostName ] ++ cfg.config.extraTrustedDomains));
in {
wantedBy = [ "multi-user.target" ];
before = [ "phpfpm-nextcloud.service" ];
path = [ occ ];
script = ''
chmod og+x ${cfg.home}
${optionalString (c.dbpassFile != null) ''
if [ ! -r "${c.dbpassFile}" ]; then
echo "dbpassFile ${c.dbpassFile} is not readable by nextcloud:nextcloud! Aborting..."
exit 1
fi
if [ -z "$(<${c.dbpassFile})" ]; then
echo "dbpassFile ${c.dbpassFile} is empty!"
exit 1
fi
''}
${optionalString (c.adminpassFile != null) ''
if [ ! -r "${c.adminpassFile}" ]; then
echo "adminpassFile ${c.adminpassFile} is not readable by nextcloud:nextcloud! Aborting..."
exit 1
fi
if [ -z "$(<${c.adminpassFile})" ]; then
echo "adminpassFile ${c.adminpassFile} is empty!"
exit 1
fi
''}
ln -sf ${cfg.package}/apps ${cfg.home}/
# create nextcloud directories.
# if the directories exist already with wrong permissions, we fix that
for dir in ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps; do
if [ ! -e $dir ]; then
install -o nextcloud -g nextcloud -d $dir
elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then
chgrp -R nextcloud $dir
fi
done
ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
# Do not install if already installed
if [[ ! -e ${cfg.home}/config/config.php ]]; then
${occInstallCmd}
fi
${occ}/bin/nextcloud-occ upgrade
${occ}/bin/nextcloud-occ config:system:delete trusted_domains
${occSetTrustedDomainsCmd}
'';
serviceConfig.Type = "oneshot";
serviceConfig.User = "nextcloud";
};
nextcloud-cron = {
environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
serviceConfig.Type = "oneshot";
serviceConfig.User = "nextcloud";
serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php";
};
nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable {
serviceConfig.Type = "oneshot";
serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all";
serviceConfig.User = "nextcloud";
startAt = cfg.autoUpdateApps.startAt;
};
};
services.phpfpm = {
pools.nextcloud = {
user = "nextcloud";
group = "nextcloud";
phpOptions = phpOptionsStr;
phpPackage = phpPackage;
phpEnv = {
NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
};
settings = mapAttrs (name: mkDefault) {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
} // cfg.poolSettings;
extraConfig = cfg.poolConfig;
};
};
users.users.nextcloud = {
home = "${cfg.home}";
group = "nextcloud";
createHome = true;
isSystemUser = true;
};
users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];
environment.systemPackages = [ occ ];
services.nginx.enable = mkDefault true;
services.nginx.virtualHosts.${cfg.hostName} = let
major = toInt (versions.major cfg.package.version);
in {
root = cfg.package;
locations = {
"= /robots.txt" = {
priority = 100;
extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
};
"= /" = {
priority = 100;
extraConfig = ''
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
'';
};
"/" = {
priority = 900;
extraConfig = "rewrite ^ /index.php;";
};
"~ ^/store-apps" = {
priority = 201;
extraConfig = "root ${cfg.home};";
};
"^~ /.well-known" = {
priority = 210;
extraConfig = ''
absolute_redirect off;
location = /.well-known/carddav {
return 301 /remote.php/dav;
}
location = /.well-known/caldav {
return 301 /remote.php/dav;
}
location ~ ^/\.well-known/(?!acme-challenge|pki-validation) {
return 301 /index.php$request_uri;
}
try_files $uri $uri/ =404;
'';
};
"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = ''
return 404;
'';
"~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = ''
return 404;
'';
"~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = {
priority = 500;
extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
fastcgi_param PATH_INFO $path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:${fpm.socket};
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 120s;
'';
};
"~ \\.(?:css|js|woff2?|svg|gif|map)$".extraConfig = ''
try_files $uri /index.php$request_uri;
expires 6M;
access_log off;
'';
"~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
try_files $uri/ =404;
index index.php;
'';
"~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
try_files $uri /index.php$request_uri;
access_log off;
'';
};
extraConfig = ''
index index.php index.html /index.php$request_uri;
expires 1m;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
${optionalString cfg.webfinger ''
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
''}
'';
};
}
]);
}

8
modules/nftnat/default.nix
View file

@ -36,14 +36,12 @@ in {
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = mkOverride 98 true;
"net.ipv4.conf.default.forwarding" = mkOverride 98 true;
"net.ipv4.conf.all.forwarding" = mkOverride 90 true;
"net.ipv4.conf.default.forwarding" = mkOverride 90 true;
};
};
petabyte.nftables = {
enable = true;
networking.nftables = {
extraConfig = ''
table ip nat {
chain prerouting {

54
nix/sources.json
View file

@ -6,15 +6,15 @@
"type": "git"
},
"home-manager": {
"branch": "release-20.09",
"branch": "release-21.05",
"description": "Manage a user environment using Nix [maintainer=@rycee] ",
"homepage": "https://nix-community.github.io/home-manager/",
"owner": "nix-community",
"repo": "home-manager",
"rev": "49706878e1580d796cc99b63574310405935113f",
"sha256": "07f903ij0czyhly8kvwjazvz3s6kflxzh5fs6j8781lkxsy47i9f",
"rev": "b39647e52ed3c0b989e9d5c965e598ae4c38d7ef",
"sha256": "0xw1vgwfdn75rgamcsi5j1iqfl0j06x8xp92k24wr9hayfr5m400",
"type": "tarball",
"url": "https://github.com/nix-community/home-manager/archive/49706878e1580d796cc99b63574310405935113f.tar.gz",
"url": "https://github.com/nix-community/home-manager/archive/b39647e52ed3c0b989e9d5c965e598ae4c38d7ef.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"mattermost-server": {
@ -23,19 +23,19 @@
"homepage": "https://mattermost.com",
"owner": "mattermost",
"repo": "mattermost-server",
"rev": "37b1e6d048fc8302c727c3bc7ce73ac32c2ba93c",
"sha256": "1k0jn3a9nafbhvwn0d0rc2pj80mx7iz2scjbqkz96c5yzw3lyj79",
"rev": "868b8d91db6e8a0525a9e93c50a388625d426a4a",
"sha256": "1vihpmy7253yl87arlz8y9rahk1q69blykwm3172dk1hxajr7c13",
"type": "tarball",
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.0.tar.gz",
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.1.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/refs/tags/v<version>.tar.gz",
"version": "5.37.0"
"version": "5.37.1"
},
"mattermost-webapp": {
"sha256": "0na9drwnsr5fbrv6qq38dgvd0laj3wjs734ik5s673c0azqlm4kn",
"sha256": "00q1kcfda2z69ijpw71a6cbj76p5f57nj7pym44pp4cadi2wz180",
"type": "tarball",
"url": "https://releases.mattermost.com/5.37.0/mattermost-5.37.0-linux-amd64.tar.gz",
"url": "https://releases.mattermost.com/5.37.1/mattermost-5.37.1-linux-amd64.tar.gz",
"url_template": "https://releases.mattermost.com/<version>/mattermost-<version>-linux-amd64.tar.gz",
"version": "5.37.0"
"version": "5.37.1"
},
"mumble-website": {
"branch": "master",
@ -57,32 +57,34 @@
},
"nix-hexchen": {
"branch": "main",
"repo": "https://gitlab.com/hexchen/nixfiles.git",
"rev": "83b511d9a3754ded187891c711b3dbbef82887d3",
"sha256": "1024vl0bgmcb8g91pqcqc601xh90nxp82p0z9imp11fwb1fx7756",
"ref": "main",
"repo": "https://gitlab.com/hexchen/nixfiles",
"rev": "ef358992030e9a6fa975a24bf4d9aa133bc72424",
"sha256": "01hcdrpfc8g1bbc96h7gi04zmyxi9vd7392ncadwfkx5xfd2fp17",
"type": "tarball",
"url": "https://gitlab.com/hexchen/nixfiles/-/archive/83b511d9a3754ded187891c711b3dbbef82887d3/nixfiles-83b511d9a3754ded187891c711b3dbbef82887d3.tar.gz",
"url": "https://gitlab.com/hexchen/nixfiles/-/archive/ef358992030e9a6fa975a24bf4d9aa133bc72424.tar.gz",
"url_template": "<repo>/-/archive/<rev>.tar.gz"
},
"nixos-mailserver": {
"ref": "nixos-20.09",
"branch": "nixos-21.05",
"ref": "nixos-21.05",
"repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver",
"rev": "fb1cc04c0a517d4200237b02c3472bcaf9104afb",
"sha256": "0vsvgxxg5cgmzwj98171j7h5l028f1yq784alb3lxgbk8znfk51y",
"rev": "5675b122a947b40e551438df6a623efad19fd2e7",
"sha256": "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi",
"type": "tarball",
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/fb1cc04c0a517d4200237b02c3472bcaf9104afb/nixos-mailserver-fb1cc04c0a517d4200237b02c3472bcaf9104afb.tar.gz",
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7.tar.gz",
"url_template": "<repo>/-/archive/<rev>.tar.gz"
},
"nixpkgs": {
"branch": "nixos-20.09",
"branch": "nixos-21.05",
"description": "Nix Packages collection",
"homepage": "",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "068984c00e0d4e54b6684d98f6ac47c92dcb642e",
"sha256": "00j4xv4lhhqwry7jd67brnws4pwb8vn660n43pvxpkalbpxszwfg",
"rev": "2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2",
"sha256": "1aafqly1mcqxh0r15mrlsrs4znldhm7cizsmfp3d25lqssay6gjd",
"type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/068984c00e0d4e54b6684d98f6ac47c92dcb642e.tar.gz",
"url": "https://github.com/nixos/nixpkgs/archive/2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-unstable": {
@ -91,10 +93,10 @@
"homepage": "",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8ecc61c91a596df7d3293603a9c2384190c1b89a",
"sha256": "0vhajylsmipjkm5v44n2h0pglcmpvk4mkyvxp7qfvkjdxw21dyml",
"rev": "fe01052444c1d66ed6ef76df2af798c9769e9e79",
"sha256": "0z99hwxgrvlf0psicwd97kdqqcc3qngfzmcz7k68q6q868y8582y",
"type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/8ecc61c91a596df7d3293603a9c2384190c1b89a.tar.gz",
"url": "https://github.com/nixos/nixpkgs/archive/fe01052444c1d66ed6ef76df2af798c9769e9e79.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"pbb-nixfiles": {

32
pkgs/default.nix
View file

@ -10,14 +10,10 @@ let
newpkgs = {
alps = callPackage ./alps {};
docker = (pkgs.callPackage (pkgs.path + "/pkgs/applications/virtualization/docker") {
iptables = pkgs.writeScriptBin "iptables" ''
#!${pkgs.runtimeShell}
echo docker tried to run the following iptables command: $@
exit 0
'';
}).docker_19_03.overrideAttrs (super: {
extraPath = super.extraPath + ":${pkgs.zfs}/bin";
docker = pkgs.docker.overrideAttrs (super: {
moby = super.moby.overrideAttrs (super: {
extraPath = super.extraPath + ":${pkgs.zfs}/bin";
});
});
linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
@ -41,6 +37,26 @@ let
});
mattermost = callPackage ./mattermost {};
# a version of the lounge with some extra css that
# hides things the hacc-voc doesn't need
thelounge-hacked = pkgs.stdenv.mkDerivation {
name = "thelounge-hacked";
src = pkgs.thelounge;
phases = [ "buildPhase" "installPhase" ];
buildPhase = ''
cp $src/* -r .
chmod 777 lib/node_modules/thelounge/public/css/style.css
cat ${./thelounge/css-patch.css} >> lib/node_modules/thelounge/public/css/style.css
'';
installPhase = ''
mkdir -p $out
cp * -r $out
'';
};
inherit (unstable) bottom;
};

24
pkgs/thelounge/css-patch.css Normal file
View file

@ -0,0 +1,24 @@
/* Hides extra fields on connect screen */
.connect-row:nth-of-type(4) {
display: none !important;
}
.connect-row:nth-of-type(2) {
display: none !important;
}
.connect-row:nth-of-type(5) {
display: none !important;
}
/* Hides side panel button */
.header > button:first-child {
display: none !important;
}
/* Hides channel options button (includes leave option) */
.header > button:nth-last-child(2) {
display: none !important;
}

8
hosts/hainich/services/gitlab-runner.nix → services/gitlab-runner.nix
View file

@ -6,14 +6,14 @@
concurrent = 4;
services = {
infra4future = {
buildsDir = "/var/lib/gitlab-runner/builds";
buildsDir = "/persist/var/lib/gitlab-runner/builds";
dockerImage = "nixos/nix";
executor = "docker";
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
};
nix = {
limit = 1; # don't run multiple jobs
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
@ -54,7 +54,7 @@
};
users.users.gitlab-runner = {
home = "/var/lib/gitlab-runner";
home = "/persist/var/lib/gitlab-runner";
extraGroups = [ "docker" ];
isSystemUser = true;
};

168
services/gitlab.nix Normal file
View file

@ -0,0 +1,168 @@
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
{
containers.gitlab = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.7";
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/gitlab";
isReadOnly = false;
};
};
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
imports = [
../modules/mattermost.nix
((import sources.nix-hexchen) {}).profiles.nopersist
];
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
services.gitlab = {
enable = true;
databaseCreateLocally = true;
host = "gitlab.infra4future.de";
https = true;
port = 443;
statePath = "/persist/gitlab";
user = "git";
databaseUsername = "git";
initialRootPasswordFile = "/persist/secrets/gitlab-root";
secrets.secretFile = "/persist/secrets/gitlab-secret";
secrets.dbFile = "/persist/secrets/gitlab-db";
secrets.otpFile = "/persist/secrets/gitlab-otp";
secrets.jwsFile = "/persist/secrets/gitlab-jws";
smtp = {
enable = true;
address = "mail.hacc.space";
port = 587;
authentication = "plain";
domain = "gitlab.infra4future.de";
enableStartTLSAuto = true;
username = "noreply@infra4future.de";
passwordFile = "/persist/secrets/noreply-pass";
};
pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
extraConfig = {
pages = {
enabled = true;
host = "4future.dev";
port = 443;
https = true;
};
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = ["openid_connect"];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "infra4future Login";
args = {
name = "openid_connect";
scope = ["openid" "profile" "email"];
response_type = "code";
issuer = "https://auth.infra4future.de/auth/realms/forfuture";
discovery = true;
client_auth_method = "query";
uid_field = "username";
client_options = {
identifier = "gitlab";
secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
services.redis.enable = true;
services.postgresql.package = pkgs.postgresql_13;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."gitlab.infra4future.de" = {
default = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
locations."/".extraConfig = ''
proxy_redirect off;
'';
};
};
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
users.users.git = {
isSystemUser = true;
group = "gitlab";
home = "/persist/gitlab/home";
uid = 165;
};
services.coredns = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
};
})).config.system.build.toplevel;
};
hexchen.nftables.nat.forwardPorts = [{
ports = [ 22 ];
destination = "${config.containers.gitlab.localAddress}:22";
proto = "tcp";
}];
services.nginx.virtualHosts."gitlab.infra4future.de" = {
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
locations."/".extraConfig = ''
proxy_set_header X-Nginx-Proxy true;
proxy_redirect off;
'';
enableACME = true;
forceSSL = true;
};
services.nginx.virtualHosts."4future.dev" = {
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
serverName = "~^((.*)\.)?4future\.dev$";
useACMEHost = "4future.dev";
forceSSL = true;
};
security.acme.certs."4future.dev" = {
dnsProvider = "cloudflare";
credentialsFile = "/var/lib/acme/cloudflare.pass";
extraDomainNames = [ "*.4future.dev" ];
group = config.services.nginx.group;
};
}

44
hosts/hainich/services/hedgedoc_hacc.nix → services/hedgedoc-hacc.nix
View file

@ -1,13 +1,33 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
{
containers.codimd = {
containers.pad-hacc = {
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.3";
localAddress = "192.168.100.5";
autoStart = true;
config = { config, lib, pkgs, ... }: {
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/pad-hacc";
isReadOnly = false;
};
};
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
imports = [
../modules/mattermost.nix
((import sources.nix-hexchen) {}).profiles.nopersist
];
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
services.coredns = {
enable = true;
config = ''
@ -33,7 +53,7 @@
oauth2 = {
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
clientID = "codimd";
clientID = "hedgedoc";
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
};
};
@ -59,10 +79,10 @@
enable = true;
databases = [ "codimd" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
};
})).config.system.build.toplevel;
};
services.nginx.virtualHosts."pad.hacc.earth" = {
enableACME = true;
forceSSL = true;
@ -73,16 +93,8 @@
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.100.3:3000";
proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";
extraConfig = ''
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
add_header Access-Control-Allow-Origin "*";
proxy_buffering off;
'';

39
hosts/hainich/services/hedgedoc_i4f.nix → services/hedgedoc-i4f.nix
View file

@ -1,13 +1,33 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, modules, evalConfig, sources, ... }:
{
containers.pad-i4f = {
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.41";
localAddress = "192.168.100.6";
autoStart = true;
config = { config, lib, pkgs, ... }: {
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/pad-i4f";
isReadOnly = false;
};
};
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
imports = [
../modules/mattermost.nix
((import sources.nix-hexchen) {}).profiles.nopersist
];
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
services.coredns = {
enable = true;
config = ''
@ -50,24 +70,17 @@
enable = true;
databases = [ "hedgedoc" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
};
})).config.system.build.toplevel;
};
services.nginx.virtualHosts."pad.infra4future.de" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.100.41:3000";
proxyPass = "http://${config.containers.pad-i4f.localAddress}:3000";
extraConfig = ''
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
add_header Access-Control-Allow-Origin "*";
proxy_buffering off;
'';

43
hosts/hainich/services/lantifa.nix → services/lantifa.nix
View file

@ -1,18 +1,38 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
let
unstable = import (import ../../../nix/sources.nix).nixpkgs-unstable {};
unstable = import (import ../nix/sources.nix).nixpkgs-unstable {};
in {
containers.lantifa = {
autoStart = true;
privateNetwork = true;
hostAddress6 = "fd00::42:14";
localAddress6 = "fd00::42:15";
hostAddress = "192.168.100.1";
localAddress = "192.168.100.8";
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/lantifa";
isReadOnly = false;
};
};
config = {config, pkgs, ... }: {
networking.hosts."::1" = [ "wiki.lantifa.org" ];
networking.firewall.enable = false;
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
hexchen.bindmounts."/var/lib/mediawiki" = "/persist/var/lib/mediawiki";
imports = [
((import sources.nix-hexchen) {}).profiles.nopersist
];
networking.hosts."127.0.0.1" = [ "wiki.lantifa.org" ];
users.users.mediawiki.extraGroups = [ "keys" ];
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
services.mediawiki = {
enable = true;
@ -60,8 +80,8 @@ in {
sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i";
};
intersection = pkgs.fetchzip { # This is the DynamicPageList extension
url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_35-1adb683.tar.gz";
sha256 = "0jh3b22vq1ml3kdj0hhhbfjsilpw39bcjbnkajgx1pcvr7haxld7";
url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-789511a.tar.gz";
sha256 = "0b5viv0d2pm1g68hynm8xbvcyw2cr3lgaxbqzdykk2yvvhc4w8j5";
};
PageForms = pkgs.fetchzip {
url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip";
@ -81,16 +101,17 @@ in {
};
};
services.mysql.dataDir = "/persist/mysql";
services.mysqlBackup = {
enable = true;
databases = [ "mediawiki" ];
calendar = "*-*-* 23:45:00";
};
};
})).config.system.build.toplevel;
};
services.nginx.virtualHosts."wiki.lantifa.org" = {
locations."/".proxyPass = "http://[" + config.containers.lantifa.localAddress6 + "]";
locations."/".proxyPass = "http://" + config.containers.lantifa.localAddress + "";
forceSSL = true;
enableACME = true;
};

12
hosts/hainich/services/mail.nix → services/mail.nix
View file

@ -1,14 +1,12 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, sources, ... }:
let
sources = import ../../../nix/sources.nix;
in {
{
imports = [
sources.nixos-mailserver.outPath
];
mailserver = {
mailDirectory = "/data/mail";
mailDirectory = "/persist/mail";
enable = true;
fqdn = "mail.hacc.space";
domains = [ "hacc.space" "muc.hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ];
@ -32,6 +30,8 @@ in {
"lenny@hacc.space".hashedPassword = "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
"lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ];
"finance@muc.hacc.space".hashedPassword = "$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m.";
# service accounts
"noreply@hacc.space".hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
"newsletter@hacc.space".hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
@ -145,6 +145,8 @@ in {
enable = true;
script = "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465";
serviceConfig.WorkingDirectory = "${pkgs.alps}/share/alps";
serviceConfig.Restart = "always";
requiredBy = [ "multi-user.target" ];
};
services.nginx.virtualHosts."mail.hacc.space" = {

81
hosts/hainich/services/mattermost.nix → services/mattermost.nix
View file

@ -1,34 +1,51 @@
{config, pkgs, lib, ...}:
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
{
let
mattermost = pkgs.mattermost;
in {
containers.mattermost = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.30";
localAddress = "192.168.100.31";
hostAddress = "192.168.100.1";
localAddress = "192.168.100.3";
bindMounts."/secrets" = {
hostPath = "/var/lib/mattermost/";
isReadOnly = true;
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/mattermost";
isReadOnly = false;
};
};
config = {pkgs, config, ...}: {
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
# have to import these here, since container's dont
# inherit imports of their environment.
imports = [ ../../../modules/mattermost.nix ];
imports = [
../modules/mattermost.nix
((import sources.nix-hexchen) {}).profiles.nopersist
];
nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
# couldn't figure out how to actually overwrite modules, so now
# there's two mattermost modules ...
services.mattermost-patched = {
enable = true;
siteUrl = "https://mattermost-beta.infra4future.de";
siteName = "Mattermost - Blabla for Future";
siteUrl = "https://mattermost.infra4future.de";
siteName = "Mattermost for Future";
listenAddress = "0.0.0.0:3000";
mutableConfig = false;
secretConfig = "/secrets/secrets.json";
secretConfig = "/persist/mattermost/secrets.json";
statePath = "/persist/mattermost";
extraConfig = {
ServiceSettings = {
@ -56,6 +73,7 @@
EnableLaTeX = true;
ThreadAutoFollow = true;
EnableSecurityFixAlert = false;
CollapsedThreads = "default_on";
};
TeamSettings = {
EnableTeamCreation = true;
@ -87,7 +105,7 @@
EnableFileAttachments = true;
MaxFileSize = 52428800;
DriverName = "local";
Directory = "/var/lib/mattermost/uploads-storage";
Directory = "/persist/mattermost/upload-storage";
EnablePublicLink = true;
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
};
@ -120,7 +138,7 @@
AnnouncementSettings.EnableBanner = false;
GitLabSettings = {
Enable = true;
Id = "mattermost-beta";
Id = "mattermost";
Scope = "";
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
@ -159,8 +177,6 @@
ClusterSettings.Enable = false;
MetricsSettings.Enable = false;
GuestAccountsSettings.Enable = false;
# this is just the general allow-this-at-all switch; users
# still have to turn it on for themselves
FeatureFlags.CollapsedThreads = true;
};
@ -172,6 +188,17 @@
localDatabaseCreate = false;
};
services.mysql = {
enable = true;
ensureDatabases = [ "mattermost" ];
ensureUsers = [ {
name = "mattermost";
ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
} ];
package = pkgs.mysql80;
dataDir = "/persist/mysql";
};
services.postgresql = {
enable = lib.mkForce true; # mattermost sets this to false. wtf.
ensureDatabases = [ "mattermost" ];
@ -197,21 +224,14 @@
}
'';
};
};
})).config.system.build.toplevel;
};
services.nginx.virtualHosts."mattermost-beta.infra4future.de" = {
services.nginx.virtualHosts."mattermost.infra4future.de" = {
locations."/" = {
proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# Mattermost CSR Patch
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
@ -221,11 +241,4 @@
forceSSL = true;
enableACME = true;
};
networking.nat = {
enable = true;
internalInterfaces = [ "ve-mattermost" ];
externalInterface = "enp6s0";
};
}

8
hosts/hainich/services/murmur.nix → services/murmur.nix
View file

@ -1,8 +1,4 @@
{ config, lib, pkgs, ... }:
let
sources = import ../../../nix/sources.nix;
in
{ config, lib, pkgs, sources, ... }:
let
mumblesite = pkgs.stdenv.mkDerivation {
@ -18,6 +14,8 @@ let
};
in
{
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
services.murmur = {
enable = true;
logDays = -1;

140
services/nextcloud/default.nix Normal file
View file

@ -0,0 +1,140 @@
{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
{
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.2";
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/nextcloud";
isReadOnly = false;
};
};
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
imports = [
((import sources.nix-hexchen) {}).profiles.nopersist
../../modules/nextcloud.nix
];
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
environment.systemPackages = [ pkgs.htop ];
services.nextcloud-patched = {
enable = true;
# must be set manually; may not be incremented by more than one at
# a time, otherwise nextcloud WILL break
package = pkgs.nextcloud21;
home = "/persist/nextcloud";
https = true;
hostName = "cloud.infra4future.de";
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
dbname = "nextcloud";
# there's also a adminpassFile option, but for testing this seems
# enough (less fiddling with getting the file into a nixos
# container for ad-hoc setups)
adminpass = "lushfjwebrwhjebr";
adminuser = "root";
};
caching.redis = true;
# multiple pools may be doable using services.phpfpm.pools,
# but i have not tried this yet. The nextcloud module defines a
# pool "nextcloud"
poolSettings = {
pm = "dynamic";
"pm.max_children" = "32";
"pm.max_requests" = "500";
"pm.max_spare_servers" = "4";
"pm.min_spare_servers" = "2";
"pm.start_servers" = "2";
};
extraOptions = {
instanceid = "ocxlphb7fbju";
redis = {
host = "/run/redis/redis.sock";
port = 0;
dbindex = 0;
password = "secret";
timeout = 1.5;
};
datadirectory = "/persist/data/ncdata";
mail_smtpmode = "smtp";
mail_smtpsecure = "ssl";
mail_sendmailmode = "smtp";
mail_from_address = "noreply";
mail_domain = "infra4future.de";
mail_smtpauthtype = "PLAIN";
mail_smtpauth = 1;
mail_smtphost = "mail.hacc.space";
mail_smtpport = 465;
mail_smtpname = "noreply@infra4future.de";
loglevel = 0;
"overwrite.cli.url" = "https://cloud.infra4future.de";
};
# passwordsalt, secret, and mail_smtppassword go in here
secretFile = "/persist/secrets.json";
};
services.redis = {
enable = true;
unixSocket = "/var/run/redis/redis.sock";
};
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{ # by default, postgres has unix sockets enabled, and allows a
# system user `nextcloud` to log in without other authentication
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
# ensure that postgres is running *before* running the setup
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
services.coredns = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
};
})).config.system.build.toplevel;
};
services.nginx.virtualHosts."cloud.infra4future.de" = {
locations."/".proxyPass = "http://${config.containers.nextcloud.localAddress}:80";
enableACME = true;
forceSSL = true;
};
}

32
services/nginx-pages.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, lib, pkgs, ... }:
with lib;
let
domains = [ "www.infra4future.de" "hacc.earth" "www.hacc.earth" ];
in {
services.nginx.virtualHosts =
listToAttrs (map (host: nameValuePair host {
useACMEHost = "infra4future.de";
forceSSL = true;
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
}) domains) // {
"infra4future.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
};
"muc.hacc.earth" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
proxy_pass "http://${config.containers.gitlab.localAddress}:8090/infra4future/muc.hacc.earth/";
proxy_set_header Host 'hacc.4future.dev';
'';
};
};
security.acme.certs."infra4future.de" = {
extraDomainNames = domains;
};
}

4
hosts/hainich/services/syncthing.nix → services/syncthing.nix
View file

@ -4,6 +4,8 @@
enable = true;
relay.enable = false;
openDefaultPorts = true;
configDir = "/persist/var/lib/syncthing/";
dataDir = "/persist/data/syncthing/";
declarative = {
devices = {
# schweby
@ -36,7 +38,7 @@
};
folders = {
"/var/lib/syncthing/hacc" = {
"/persist/data/syncthing/hacc/" = {
id = "qt2ly-xvvvs";
devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
type = "receiveonly";

86
services/thelounge.nix Normal file
View file

@ -0,0 +1,86 @@
{ config, lib, pkgs, evalConfig, ... }:
let
# necessary since overlays won't propagate into the
# container's config
thelounge = pkgs.thelounge-hacked;
in
{
containers.thelounge = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.4";
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
services.thelounge = {
enable = true;
extraConfig = {
public = true;
# respect X-Forwarded-For
reverseProxy = true;
defaults = {
name = "libera chat";
host = "irc.eu.libera.chat";
port = 6697;
# encrypt things!
tls = true;
# yes, please do actually check the cert …
rejectUnauthorized = true;
nick = "haccGuest%%%%";
join = "#hacc-webchat";
};
lockNetwork = true;
# don't log messages (default is text / sqlite)
messageStorage = [];
# darker theme
#theme = "morning";
# these three should result in having link previews
# which are fetched only by the server, then proxied
# (i.e. clients won't directly connect to arbitrary
# domains to get previews)
prefetch = true;
prefetchStorage = true;
disableMediaPreview = true;
leaveMessage = "happy haccing";
};
};
# override the package we use
systemd.services.thelounge.serviceConfig.ExecStart =
pkgs.lib.mkForce "${thelounge}/bin/thelounge start";
services.coredns = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
};
})).config.system.build.toplevel;
};
services.nginx.virtualHosts."webchat.voc.hacc.space" = {
locations."/".proxyPass =
"http://${config.containers.thelounge.localAddress}:9000";
enableACME = true;
forceSSL = true;
};
}

10
services/unifi.nix Normal file
View file

@ -0,0 +1,10 @@
{ config, lib, pkgs, ... }:
{
nixpkgs.config.allowUnfree = true;
services.unifi = {
enable = true;
openPorts = true;
dataDir = "/persist/var/lib/unifi";
};
}