Merge branch 'parsons-init' into 'main'
init parsons See merge request hacc/infra/haccfiles!75
commit
15225932f0
|
@ -1,16 +1,16 @@
|
|||
stages:
|
||||
- build
|
||||
|
||||
build-parsons:
|
||||
tags:
|
||||
- nix
|
||||
stage: build
|
||||
script:
|
||||
- nix-build -A deploy.parsons
|
||||
|
||||
build-nixda:
|
||||
tags:
|
||||
- nix
|
||||
stage: build
|
||||
script:
|
||||
- nix-build -A deploy.nixda
|
||||
|
||||
build-hainich:
|
||||
tags:
|
||||
- nix
|
||||
stage: build
|
||||
script:
|
||||
- nix-build -A deploy.hainich
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, modules, ... }:
|
||||
|
||||
let
|
||||
sources = import ../nix/sources.nix;
|
||||
|
@ -7,10 +7,10 @@ in {
|
|||
../modules
|
||||
./users.nix
|
||||
(sources.home-manager + "/nixos")
|
||||
(sources.pbb-nixfiles + "/modules/nftables")
|
||||
modules.network.nftables
|
||||
];
|
||||
|
||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
|
||||
boot.kernelParams = [ "quiet" ];
|
||||
|
||||
networking.domain = lib.mkDefault "hacc.space";
|
||||
|
@ -77,7 +77,8 @@ in {
|
|||
|
||||
services.nginx.appendHttpConfig = ''
|
||||
access_log off;
|
||||
add_header Permissions-Policy "interest-cohort=()";
|
||||
'';
|
||||
|
||||
petabyte.nftables.enable = true;
|
||||
networking.nftables.enable = true;
|
||||
}
|
||||
|
|
|
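Review bot: `access_log off;` in `services.nginx.appendHttpConfig` (third hunk) turns off request logging for every virtual host that inherits this common config, including the `auth.infra4future.de` and `onlyoffice.infra4future.de` proxies this commit adds in hosts/parsons/lxc.nix. Without access logs there is nothing to reconstruct login abuse or scanning from after the fact. If this is a deliberate privacy choice, record it next to the line, e.g. `# no access logs by policy; error_log is the only nginx trail`, and consider a short-retention log for the auth-facing vhost. Separately, the `add_header Permissions-Policy` beside it is inherited only by servers and locations that declare no `add_header` of their own. The page does not show which of the two lines is new, and the `in {` block opens outside the hunk.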
@ -2,6 +2,10 @@ rec {
|
|||
sources = import ./nix/sources.nix;
|
||||
pkgs = import ./pkgs {};
|
||||
inherit (pkgs) lib;
|
||||
inherit (import (sources.nix-hexchen + "/lib/hosts.nix") { inherit pkgs; hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs; }) hosts groups;
|
||||
inherit (import (sources.nix-hexchen + "/lib/hosts.nix") {
|
||||
inherit pkgs sources;
|
||||
inherit ((import sources.nix-hexchen) {}) modules;
|
||||
hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs;
|
||||
}) hosts groups;
|
||||
deploy = import (sources.nix-hexchen + "/lib/deploy.nix") { inherit pkgs hosts groups; };
|
||||
}
|
||||
|
|
|
@ -1,140 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../common
|
||||
./encboot.nix
|
||||
./hardware.nix
|
||||
./services/murmur.nix
|
||||
./services/mail.nix
|
||||
./services/hedgedoc_hacc.nix
|
||||
./services/hedgedoc_i4f.nix
|
||||
../../common
|
||||
# ./wireguard.nix
|
||||
./services/nginx.nix
|
||||
# ./k8s.nix
|
||||
./services/ghost_waszumfff.nix
|
||||
./services/gitlab-runner.nix
|
||||
./services/lantifa.nix
|
||||
./services/syncthing.nix
|
||||
./services/monitoring.nix
|
||||
./services/workadventure.nix
|
||||
./services/mattermost.nix
|
||||
];
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
# stop *something* from loading ip_tables and breaking nftables
|
||||
boot.blacklistedKernelModules = [ "ip_tables" "ip6_tables" "x_tables"];
|
||||
|
||||
|
||||
# networking
|
||||
networking.hostName = "hainich";
|
||||
networking.hostId = "8a58cb2f";
|
||||
networking.useDHCP = true;
|
||||
networking.interfaces.enp6s0.ipv4.addresses = [
|
||||
{
|
||||
address = "46.4.63.148";
|
||||
prefixLength = 27;
|
||||
}
|
||||
|
||||
{
|
||||
address = "46.4.63.158";
|
||||
prefixLength = 27;
|
||||
}
|
||||
];
|
||||
networking.interfaces.enp6s0.ipv6.addresses = [ {
|
||||
address = "2a01:4f8:140:84c9::1";
|
||||
prefixLength = 64;
|
||||
} ];
|
||||
networking.defaultGateway = "46.4.63.129";
|
||||
networking.nameservers = [
|
||||
"1.1.1.1" "1.0.0.1"
|
||||
"2606:4700:4700::1111" "2606:4700:4700::1001"
|
||||
];
|
||||
networking.defaultGateway6 = {
|
||||
address = "fe80::1";
|
||||
interface = "enp6s0";
|
||||
};
|
||||
|
||||
hacc.nftables.nat.enable = true;
|
||||
networking.nat.internalInterfaces = ["ve-+"];
|
||||
networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ];
|
||||
networking.nat.externalInterface = "enp6s0";
|
||||
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# misc
|
||||
time.timeZone = "UTC";
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
wget vim git
|
||||
];
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.openssh.ports = [ 22 62954 ];
|
||||
|
||||
users.users.root = {
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvmrk3i04tXfrSlZtHFbG3o6lQgh3ODMWmGDING4TJ4ctidexmMNY15IjVjzXZgQSET1uKLDLITiaPsii8vaWERZfjm3jjub845mpKkKv48nYdM0eCbv7n604CA3lwoB5ebRgULg4oGTi60rQ4trFf3iTkJfmiLsieFBZz7l+DfgeDEjDNSJcrkOggGBrjE5vBXoDimdkNh8kBNwgMDj1kPR/FHDqybSd5hohCJ5FzQg9vzl/x/H1rzJJKYPO4svSgHkYNkeoL84IZNeHom+UEHX0rw2qAIEN6AiHvNUJR38relvQYxbVdDSlaGN3g26H2ehsmolf+U0uQlRAXTHo0NbXNVYOfijFKL/jWxNfH0aRycf09Lu60oY54gkqS/J0GoQe/OGNq1Zy72DI+zAwEzyCGfSDbAgVF7Y3mU2HqcqGqNzu7Ade5oCbLmkT7yzDM3x6IsmT1tO8dYiT8Qv+zFAECkRpw3yDkJkPOxNKg10oM318whMTtM3yqntE90hk= schweby@taxusbaccata"
|
||||
];
|
||||
initialHashedPassword = "$6$F316njEF2$GMF4OmPSF6QgZ3P/DblQ/UFMgoo98bztbdw7X0ygvBGC1UMMIc13Vtxjd/ZGRYW/pEHACZZ7sbRZ48t6xhvO7/";
|
||||
# shell = pkgs.fish;
|
||||
};
|
||||
|
||||
# storage stuffs!
|
||||
services.zfs = {
|
||||
autoSnapshot = {
|
||||
enable = true;
|
||||
frequent = 12;
|
||||
hourly = 18;
|
||||
daily = 3;
|
||||
weekly = 0;
|
||||
monthly = 0;
|
||||
};
|
||||
autoScrub = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages;
|
||||
|
||||
services.restic.backups.tardis = {
|
||||
passwordFile = "/etc/restic/system";
|
||||
s3CredentialsFile = "/etc/restic/system.s3creds";
|
||||
paths = [
|
||||
"/data"
|
||||
"/home"
|
||||
"/run/florinori"
|
||||
"/var/lib/containers/codimd/var/lib/codimd"
|
||||
"/var/lib/containers/codimd/var/backup/postgresql"
|
||||
"/var/lib/containers/hedgedoc-i4f/var/lib/codimd"
|
||||
"/var/lib/containers/hedgedoc-i4f/var/backup/postgresql"
|
||||
"/var/lib/containers/lantifa/var/lib/mediawiki"
|
||||
"/var/lib/containers/lantifa/var/backup/mysql"
|
||||
"/var/lib/murmur"
|
||||
"/var/lib/syncthing"
|
||||
];
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 5"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
repository = "b2:tardis-hainich:system";
|
||||
};
|
||||
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "20.03"; # Did you read the comment?
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
boot.initrd.kernelModules = [ "r8169" ]; # add network card driver
|
||||
boot.kernelParams = ["ip=:::::enp6s0:dhcp"]; # enable dhcp on primary network interface
|
||||
boot.initrd.network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
# TODO: Modify system config so that this works
|
||||
# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
|
||||
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||
hostKeys = [ /run/keys/ecdsa_host ];
|
||||
};
|
||||
# TODO: curl some webhook here to alert?
|
||||
# possibly quite hard to do, we only have limited wget or netcat available
|
||||
# how this all works:
|
||||
# when someone logs in via ssh, they are prompted to unlock the zfs volume
|
||||
# afterwards zfs is killed in order for the boot to progress
|
||||
# timeout of 120s still applies afaik
|
||||
postCommands = ''
|
||||
zpool import zroot
|
||||
zpool import dpool
|
||||
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,52 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "sd_mod" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "zroot/root/nixos";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{ device = "zroot/root/nixos/nix";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
{ device = "dpool/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/containers" =
|
||||
{ device = "dpool/containers";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/docker" =
|
||||
{ device = "dpool/docker";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/gitlab-runner" =
|
||||
{ device = "dpool/gitlab-runner";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/data" =
|
||||
{ device = "dpool/data";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/40125f55-7fe8-4850-902e-b4d6e22f0335";
|
||||
fsType = "ext2";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 12;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
}
|
|
@ -1,125 +0,0 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
services.etcd = {
|
||||
advertiseClientUrls = [
|
||||
"https://[2a0d:eb04:8:10::1]:2379"
|
||||
];
|
||||
listenClientUrls = [
|
||||
"https://[2a0d:eb04:8:10::1]:2379"
|
||||
];
|
||||
listenPeerUrls = [
|
||||
"https://[::1]:2380"
|
||||
];
|
||||
};
|
||||
services.kubernetes = {
|
||||
roles = [ "master" "node" ];
|
||||
flannel.enable = false;
|
||||
addons.dns = {
|
||||
enable = true;
|
||||
clusterIp = "2a0d:eb04:8:11::53";
|
||||
reconcileMode = "EnsureExists";
|
||||
};
|
||||
pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ];
|
||||
apiserver = {
|
||||
advertiseAddress = "2a0d:eb04:8:10::1";
|
||||
extraSANs = [
|
||||
"2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space"
|
||||
];
|
||||
bindAddress = "::";
|
||||
insecureBindAddress = "::1";
|
||||
etcd = {
|
||||
servers = [ "https://[2a0d:eb04:8:10::1]:2379" ];
|
||||
};
|
||||
serviceClusterIpRange = "2a0d:eb04:8:11::/120";
|
||||
extraOpts = "--allow-privileged=true";
|
||||
};
|
||||
controllerManager = {
|
||||
bindAddress = "::";
|
||||
clusterCidr = "2a0d:eb04:8:12::/64";
|
||||
};
|
||||
kubelet = {
|
||||
address = "::";
|
||||
clusterDns = "2a0d:eb04:8:11::53";
|
||||
};
|
||||
proxy = {
|
||||
bindAddress = "::";
|
||||
};
|
||||
scheduler = {
|
||||
address = "::1" ;
|
||||
};
|
||||
apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443";
|
||||
clusterCidr = "2a0d:eb04:8:12::/64";
|
||||
easyCerts = true;
|
||||
masterAddress = "hainich.hacc.space";
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 80 443 6443 ];
|
||||
trustedInterfaces = [
|
||||
"cbr0" "tunnat64"
|
||||
];
|
||||
extraCommands = ''
|
||||
iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
|
||||
iptables -A FORWARD -i tunnat64 -j ACCEPT
|
||||
|
||||
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
|
||||
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
|
||||
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
|
||||
|
||||
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
|
||||
ip6tables -A INPUT -i tunnat64 -j ACCEPT
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -t nat -D POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
|
||||
iptables -D FORWARD -i tunnat64 -j ACCEPT
|
||||
|
||||
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
|
||||
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
|
||||
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
|
||||
|
||||
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
|
||||
ip6tables -A INPUT -i tunnat64 -j ACCEPT
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.tayga = (let
|
||||
config = pkgs.writeText "tayga.conf" ''
|
||||
tun-device tunnat64
|
||||
ipv4-addr 10.255.255.254
|
||||
prefix 2a0d:eb04:8:10:64::/96
|
||||
dynamic-pool 10.255.255.0/24
|
||||
map 10.255.255.1 2a0d:eb04:8:10::1
|
||||
map 10.255.255.2 2a0d:eb04:8:11::2
|
||||
strict-frag-hdr 1
|
||||
'';
|
||||
startScript = pkgs.writeScriptBin "tayga-start" ''
|
||||
#! ${pkgs.runtimeShell} -e
|
||||
${pkgs.iproute}/bin/ip link set up tunnat64 || true
|
||||
${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true
|
||||
${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true
|
||||
${pkgs.tayga}/bin/tayga -d --config ${config}
|
||||
'';
|
||||
in {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = ''${startScript}/bin/tayga-start'';
|
||||
};
|
||||
});
|
||||
|
||||
networking.interfaces.cbr0.ipv6.routes = [{
|
||||
address = "2a0d:eb04:8:10::";
|
||||
prefixLength = 60;
|
||||
}];
|
||||
|
||||
networking.interfaces.tunnat64 = {
|
||||
virtual = true;
|
||||
};
|
||||
|
||||
# openebs expects some stuff to be there.
|
||||
system.activationScripts.openebs = ''
|
||||
mkdir -p /usr/lib /usr/sbin
|
||||
ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/
|
||||
ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/
|
||||
'';
|
||||
}
|
|
@ -1,32 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
virtualisation.oci-containers.containers."ghost-waszumfff" = {
|
||||
autoStart = true;
|
||||
environment = {
|
||||
url = "https://waszumfff.4future.dev";
|
||||
};
|
||||
image = "ghost:alpine";
|
||||
ports = [ "127.0.0.1:2368:2368" ];
|
||||
volumes = [ "/run/florinori:/var/lib/ghost/content" ];
|
||||
};
|
||||
|
||||
fileSystems."/run/florinori" =
|
||||
{ device = "dpool/k8s/florinori";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."waszumfff.4future.dev" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:2368";
|
||||
extraConfig = "
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,42 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
webExternalUrl = "https://stats.hacc.space";
|
||||
exporters = {
|
||||
dovecot = {
|
||||
enable = true;
|
||||
scopes = [ "user" "global" ];
|
||||
socketPath = "/var/run/dovecot2/old-stats";
|
||||
};
|
||||
nginx.enable = true;
|
||||
node.enable = true;
|
||||
postfix = {
|
||||
enable = true;
|
||||
systemd.enable = true;
|
||||
};
|
||||
rspamd.enable = true;
|
||||
};
|
||||
scrapeConfigs = (lib.mapAttrsToList (name: val:
|
||||
{
|
||||
job_name = "${name}-${config.networking.hostName}";
|
||||
static_configs = [{
|
||||
targets = [ "localhost:${toString val.port}" ];
|
||||
labels.host = config.networking.hostName;
|
||||
}];
|
||||
}
|
||||
) (lib.filterAttrs (_: val: val.enable) config.services.prometheus.exporters));
|
||||
};
|
||||
|
||||
services.dovecot2.extraConfig = ''
|
||||
mail_plugins = $mail_plugins old_stats
|
||||
service old-stats {
|
||||
unix_listener old-stats {
|
||||
user = dovecot-exporter
|
||||
group = dovecot-exporter
|
||||
}
|
||||
}
|
||||
'';
|
||||
services.nginx.statusPage = true;
|
||||
}
|
|
@ -1,56 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.email = "info+acme@hacc.space";
|
||||
services.nginx.enable = true;
|
||||
services.nginx.package = pkgs.nginx.override {
|
||||
modules = [ pkgs.nginxModules.rtmp ];
|
||||
};
|
||||
|
||||
# services.nginx.recommendedProxySettings = true;
|
||||
|
||||
services.nginx.virtualHosts = let
|
||||
in {
|
||||
# let all empty subdomains pointing to hainich return 404
|
||||
"hainich.hacc.space" = {
|
||||
default = true;
|
||||
locations."/".return = "404";
|
||||
};
|
||||
"hacc.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".return = "301 https://hacc.earth";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 1935 ];
|
||||
services.nginx = {
|
||||
appendHttpConfig = ''
|
||||
add_header Permissions-Policy "interest-cohort=()";
|
||||
'';
|
||||
appendConfig = ''
|
||||
rtmp {
|
||||
server {
|
||||
listen 1935;
|
||||
application cutiestream {
|
||||
live on;
|
||||
allow publish all;
|
||||
allow play all;
|
||||
}
|
||||
application ingest {
|
||||
live on;
|
||||
|
||||
record all;
|
||||
record_path /data/ingest;
|
||||
record_unique on;
|
||||
|
||||
# include /var/secrets/ingest.conf;
|
||||
}
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
|
||||
}
|
|
@ -1,102 +0,0 @@
|
|||
{pkgs, lib, config, ...}:
|
||||
|
||||
let
|
||||
sources = import ../../../nix/sources.nix {};
|
||||
# why the double outPath? Dunno, just niv things …
|
||||
workadventure-nix = sources.workadventure.outPath.outPath;
|
||||
haccmap = sources.haccmap.outPath.outPath;
|
||||
in
|
||||
{
|
||||
# not the most intuitive of container names, but "workadventure" is too long
|
||||
containers.wa-void = {
|
||||
|
||||
# we'll need the outer config to get the turn secret inside the container,
|
||||
# and I'm feeling haskelly so config' it is!
|
||||
config = let config' = config; in {config, pkgs, ...}: {
|
||||
imports = [ workadventure-nix ];
|
||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||
|
||||
services.workadventure."void.hacc.space" = {
|
||||
packageset = (
|
||||
import "${workadventure-nix}/wapkgs.nix" {
|
||||
inherit pkgs lib;
|
||||
}
|
||||
).workadventure-xce;
|
||||
|
||||
nginx = {
|
||||
default = true;
|
||||
domain = "void.hacc.space";
|
||||
maps = {
|
||||
serve = true;
|
||||
path = "${haccmap}/";
|
||||
};
|
||||
};
|
||||
|
||||
frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
|
||||
|
||||
commonConfig = {
|
||||
webrtc.stun.url = "stun:turn.hacc.space:3478";
|
||||
webrtc.turn = {
|
||||
url = "turn:46.4.63.148";
|
||||
user = "turn";
|
||||
password = config'.services.coturn.static-auth-secret;
|
||||
};
|
||||
jitsi.url = "meet.ffmuc.net";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
privateNetwork = true;
|
||||
hostAddress6 = "fd00::42:14";
|
||||
localAddress6 = "fd00::42:16";
|
||||
|
||||
autoStart = true;
|
||||
|
||||
};
|
||||
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
realm = "turn.hacc.space";
|
||||
# this is a static "secret" that is also compiled into workadventure,
|
||||
# so it seems ok to put it into the nix store
|
||||
static-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
|
||||
use-auth-secret = true;
|
||||
no-cli = true;
|
||||
no-tcp-relay = true;
|
||||
|
||||
cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
|
||||
pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
|
||||
};
|
||||
|
||||
|
||||
services.nginx = {
|
||||
virtualHosts."void.hacc.space" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://[${config.containers.wa-void.localAddress6}]";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
# this isn't actually needed, but acme requires a webserver to serve
|
||||
# challanges, so I guess it's easier to just define a virtualHost here
|
||||
virtualHosts."turn.hacc.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
networking.firewall = with config.services.coturn;
|
||||
let
|
||||
ports = [ listening-port tls-listening-port ];
|
||||
in {
|
||||
allowedTCPPorts = [ 80 ] ++ ports;
|
||||
allowedUDPPorts = ports;
|
||||
allowedUDPPortRanges = [
|
||||
{ from = min-port; to = max-port; }
|
||||
];
|
||||
};
|
||||
|
||||
}
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
systemd.services.wireguard-upstream = {
|
||||
wants = [ "wg-upstream-key.service" ];
|
||||
after = [ "wg-upstream-key.service" ];
|
||||
};
|
||||
networking.wireguard.interfaces.upstream = {
|
||||
ips = [ "2a0d:eb04:8:ffff:2::2/128" ];
|
||||
generatePrivateKeyFile = true;
|
||||
privateKeyFile = "/etc/wireguard/upstream.key";
|
||||
listenPort = 51820;
|
||||
peers = [
|
||||
{
|
||||
allowedIPs = [ "::/0" ];
|
||||
endpoint = "103.105.50.220:51823";
|
||||
publicKey = "qL5xKnQ7xLbtTvu0VmLBwHExteJBhmCe5S/0ZoXBeXY=";
|
||||
}
|
||||
];
|
||||
postSetup = ''
|
||||
${pkgs.iproute}/bin/ip addr del dev upstream 2a0d:eb04:8:ffff:2::2/128
|
||||
${pkgs.iproute}/bin/ip addr add dev upstream 2a0d:eb04:8:ffff:2::2/128 peer 2a0d:eb04:8:ffff:2::1/128
|
||||
'';
|
||||
};
|
||||
networking.interfaces.lo.ipv6 = {
|
||||
addresses = [{
|
||||
address = "2a0d:eb04:8:10::1";
|
||||
prefixLength = 128;
|
||||
}];
|
||||
};
|
||||
networking.defaultGateway6 = {
|
||||
address = "2a0d:eb04:8:ffff:2::1";
|
||||
interface = "upstream";
|
||||
};
|
||||
}
|
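--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, sources, modules, ... }:
+
+{
+imports = [
+../../common
+./hardware.nix
+modules.encboot
+modules.network.nftables modules.nftnat
+((import sources.nix-hexchen) {}).profiles.nopersist
+
+../../services/nextcloud
+../../services/mattermost.nix
+../../services/thelounge.nix
+../../services/murmur.nix
+../../services/hedgedoc-hacc.nix
+../../services/hedgedoc-i4f.nix
+../../services/mail.nix
+../../services/syncthing.nix
+../../services/gitlab.nix
+../../services/nginx-pages.nix
+../../services/gitlab-runner.nix
+../../services/unifi.nix
+../../services/lantifa.nix
+
+./lxc.nix
+];
+
+hexchen.encboot = {
+enable = true;
+dataset = "-a";
+networkDrivers = [ "igb" ];
+};
+
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+boot.supportedFilesystems = [ "zfs" ];
+
+networking.hostId = "b2867696";
+networking.useDHCP = true;
+networking.nftables.enable = true;
+hexchen.nftables.nat.enable = true;
+networking.nat.internalInterfaces = ["ve-+"];
+networking.nat.externalInterface = "enp35s0";
+
+networking.interfaces.enp35s0.ipv6.addresses = [{
+address = "2a01:4f9:3a:2ddb::1";
+prefixLength = 64;
+}];
+networking.defaultGateway6 = {
+address = "fe80::1";
+interface = "enp35s0";
+};
+boot = {
+kernelModules = [ "nf_nat_ftp" ];
+kernel.sysctl = {
+"net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
+"net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
+};
+};
+
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+virtualHosts = {
+"parsons.hacc.space" = {
+default = true;
+locations."/".return = "404";
+};
+"hacc.space" = {
+enableACME = true;
+forceSSL = true;
+locations."/".return = "302 https://hacc.earth";
+};
+};
+};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+services.restic.backups.tardis = {
+passwordFile = "/persist/restic/system";
+s3CredentialsFile = "/persist/restic/system.s3creds";
+paths = [
+"/home"
+"/persist"
+];
+pruneOpts = [
+"--keep-daily 7"
+"--keep-weekly 5"
+"--keep-monthly 3"
+];
+repository = "b2:tardis-parsons:system";
+};
+
+system.stateVersion = "21.05";
+}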
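Review bot: `kernelModules = [ "nf_nat_ftp" ];` and the two `forwarding` sysctls in the `boot` block carry no explanation, and none of the services imported at the top of this file is visibly an FTP service. The FTP NAT helper rewrites addresses inside forwarded FTP control connections, so it should be loaded only when something behind the NAT needs it. If it is needed, name the consumer in a comment such as `# nf_nat_ftp: required by <service> behind NAT`; otherwise drop the module. With forwarding on, the host routes IPv4 for `ve-+` and, via lxc.nix, `lxcbr0`. What limits that traffic depends on the forward rules in `modules.nftnat`, which this page does not show, so those are worth checking before the host goes live.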
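--- a/hosts/parsons/hardware.nix
+++ b/hosts/parsons/hardware.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-amd" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "zroot/local/root";
+fsType = "zfs";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/daf2a731-952f-45c7-9c25-49e1a2f56062";
+fsType = "ext4";
+};
+
+fileSystems."/nix" =
+{ device = "zroot/local/nix";
+fsType = "zfs";
+};
+
+fileSystems."/persist" =
+{ device = "zroot/safe/persist";
+fsType = "zfs";
+};
+
+fileSystems."/home" =
+{ device = "zroot/safe/home";
+fsType = "zfs";
+};
+
+fileSystems."/root" =
+{ device = "zroot/safe/root";
+fsType = "zfs";
+};
+
+fileSystems."/var/cache/restic-backups-tardis" =
+{ device = "zroot/safe/restic-cache";
+fsType = "zfs";
+};
+
+fileSystems."/tmp" =
+{ device = "zroot/local/tmp";
+fsType = "zfs";
+};
+
+fileSystems."/persist/data" =
+{ device = "dpool/safe/data";
+fsType = "zfs";
+};
+
+fileSystems."/var/lib/docker" =
+{ device = "zroot/local/docker";
+fsType = "zfs";
+};
+
+swapDevices = [ ];
+
+}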
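Review bot: `fileSystems."/tmp"` mounts the `zroot/local/tmp` dataset with default mount options, so setuid binaries and device nodes are honoured on what is normally a world-writable directory. Adding `options = [ "nosuid" "nodev" ];` to that entry is the usual hardening. `noexec` can break builds that execute from /tmp, so I would leave it out unless it has been tested on this host. The same restriction may already be set as ZFS dataset properties, which this file cannot show.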
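--- a/hosts/parsons/lxc.nix
+++ b/hosts/parsons/lxc.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+networking.bridges.lxcbr0.interfaces = [];
+networking.interfaces.lxcbr0.ipv4.addresses = [
+{
+address = "10.1.2.1";
+prefixLength = 24;
+}
+];
+networking.nat.internalInterfaces = [ "lxcbr0" ];
+
+virtualisation.lxc.enable = true;
+virtualisation.lxc.systemConfig = ''
+lxc.bdev.zfs.root = zroot/safe/containers/lxc
+lxc.lxcpath = /persist/lxc
+'';
+
+users.users.root.subUidRanges = [{ count = 65536; startUid = 100000; }];
+users.users.root.subGidRanges = [{ count = 65536; startGid = 100000; }];
+
+environment.etc."lxc/share".source = "${pkgs.lxc}/share/lxc";
+
+
+services.nginx.virtualHosts."onlyoffice.infra4future.de" = {
+locations."/".proxyPass = "http://10.1.2.233:80";
+enableACME = true;
+forceSSL = true;
+};
+
+services.nginx.virtualHosts."auth.infra4future.de" = {
+locations."/".proxyPass = "http://10.1.2.104:8080";
+enableACME = true;
+forceSSL = true;
+};
+}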
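Review bot: The two `proxyPass` targets, `http://10.1.2.233:80` and `http://10.1.2.104:8080`, are bare addresses on `lxcbr0`, and nothing in this file shows how the containers are pinned to them. If an address is ever reassigned, `auth.infra4future.de` would be served under a valid certificate by whichever container holds `10.1.2.104`. I would bind the addresses to names in a `let` block and add a comment saying where the static assignment lives, e.g. `# static address, set in the container's config under /persist/lxc`. The NAT on `lxcbr0` also gives every container outbound access, so any restriction on container-to-host traffic has to come from the nftables module, which is outside this page.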
@ -16,8 +16,6 @@ let
|
|||
[ { ServiceSettings.SiteURL = cfg.siteUrl;
|
||||
ServiceSettings.ListenAddress = cfg.listenAddress;
|
||||
TeamSettings.SiteName = cfg.siteName;
|
||||
SqlSettings.DriverName = "postgres";
|
||||
SqlSettings.DataSource = database;
|
||||
}
|
||||
cfg.extraConfig
|
||||
];
|
||||
|
|
746
modules/nextcloud.nix
Normal file
|
@ -0,0 +1,746 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.nextcloud-patched;
|
||||
fpm = config.services.phpfpm.pools.nextcloud;
|
||||
|
||||
phpPackage =
|
||||
let
|
||||
base = pkgs.php74;
|
||||
in
|
||||
base.buildEnv {
|
||||
extensions = { enabled, all }: with all;
|
||||
enabled ++ [
|
||||
apcu redis memcached imagick
|
||||
];
|
||||
extraConfig = phpOptionsStr;
|
||||
};
|
||||
|
||||
toKeyValue = generators.toKeyValue {
|
||||
mkKeyValue = generators.mkKeyValueDefault {} " = ";
|
||||
};
|
||||
|
||||
phpOptions = {
|
||||
upload_max_filesize = cfg.maxUploadSize;
|
||||
post_max_size = cfg.maxUploadSize;
|
||||
memory_limit = cfg.maxUploadSize;
|
||||
} // cfg.phpOptions
|
||||
// optionalAttrs cfg.caching.apcu {
|
||||
"apc.enable_cli" = "1";
|
||||
};
|
||||
phpOptionsStr = toKeyValue phpOptions;
|
||||
|
||||
occ = pkgs.writeScriptBin "nextcloud-occ" ''
|
||||
#! ${pkgs.runtimeShell}
|
||||
cd ${cfg.package}
|
||||
sudo=exec
|
||||
if [[ "$USER" != nextcloud ]]; then
|
||||
sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
|
||||
fi
|
||||
export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config"
|
||||
$sudo \
|
||||
${phpPackage}/bin/php \
|
||||
occ $*
|
||||
'';
|
||||
|
||||
inherit (config.system) stateVersion;
|
||||
|
||||
in {
|
||||
|
||||
imports = [
|
||||
(mkRemovedOptionModule [ "services" "nextcloud-patched" "nginx" "enable" ] ''
|
||||
The nextcloud module supports `nginx` as reverse-proxy by default and doesn't
|
||||
support other reverse-proxies officially.
|
||||
|
||||
However it's possible to use an alternative reverse-proxy by
|
||||
|
||||
* disabling nginx
|
||||
* setting `listen.owner` & `listen.group` in the phpfpm-pool to a different value
|
||||
|
||||
Further details about this can be found in the `Nextcloud`-section of the NixOS-manual
|
||||
(which can be openend e.g. by running `nixos-help`).
|
||||
'')
|
||||
];
|
||||
|
||||
options.services.nextcloud-patched = {
|
||||
enable = mkEnableOption "nextcloud";
|
||||
hostName = mkOption {
|
||||
type = types.str;
|
||||
description = "FQDN for the nextcloud instance.";
|
||||
};
|
||||
home = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/nextcloud";
|
||||
description = "Storage path of nextcloud.";
|
||||
};
|
||||
logLevel = mkOption {
|
||||
type = types.ints.between 0 4;
|
||||
default = 2;
|
||||
description = "Log level value between 0 (DEBUG) and 4 (FATAL).";
|
||||
};
|
||||
https = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Use https for generated links.";
|
||||
};
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
description = "Which package to use for the Nextcloud instance.";
|
||||
relatedPackages = [ "nextcloud18" "nextcloud19" "nextcloud20" "nextcloud21" ];
|
||||
};
|
||||
|
||||
maxUploadSize = mkOption {
|
||||
default = "512M";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Defines the upload limit for files. This changes the relevant options
|
||||
in php.ini and nginx if enabled.
|
||||
'';
|
||||
};
|
||||
|
||||
skeletonDirectory = mkOption {
|
||||
default = "";
|
||||
type = types.str;
|
||||
description = ''
|
||||
The directory where the skeleton files are located. These files will be
|
||||
copied to the data directory of new users. Leave empty to not copy any
|
||||
skeleton files.
|
||||
'';
|
||||
};
|
||||
|
||||
webfinger = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Enable this option if you plan on using the webfinger plugin.
|
||||
The appropriate nginx rewrite rules will be added to your configuration.
|
||||
'';
|
||||
};
|
||||
|
||||
phpOptions = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = {
|
||||
short_open_tag = "Off";
|
||||
expose_php = "Off";
|
||||
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
|
||||
display_errors = "stderr";
|
||||
"opcache.enable_cli" = "1";
|
||||
"opcache.interned_strings_buffer" = "8";
|
||||
"opcache.max_accelerated_files" = "10000";
|
||||
"opcache.memory_consumption" = "128";
|
||||
"opcache.revalidate_freq" = "1";
|
||||
"opcache.fast_shutdown" = "1";
|
||||
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
|
||||
catch_workers_output = "yes";
|
||||
};
|
||||
description = ''
|
||||
Options for PHP's php.ini file for nextcloud.
|
||||
'';
|
||||
};
|
||||
|
||||
poolSettings = mkOption {
|
||||
type = with types; attrsOf (oneOf [ str int bool ]);
|
||||
default = {
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = "32";
|
||||
"pm.start_servers" = "2";
|
||||
"pm.min_spare_servers" = "2";
|
||||
"pm.max_spare_servers" = "4";
|
||||
"pm.max_requests" = "500";
|
||||
};
|
||||
description = ''
|
||||
Options for nextcloud's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
|
||||
'';
|
||||
};
|
||||
|
||||
poolConfig = mkOption {
|
||||
type = types.nullOr types.lines;
|
||||
default = null;
|
||||
description = ''
|
||||
Options for nextcloud's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
|
||||
'';
|
||||
};
|
||||
|
||||
config = {
|
||||
dbtype = mkOption {
|
||||
type = types.enum [ "sqlite" "pgsql" "mysql" ];
|
||||
default = "sqlite";
|
||||
description = "Database type.";
|
||||
};
|
||||
dbname = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "nextcloud";
|
||||
description = "Database name.";
|
||||
};
|
||||
dbuser = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "nextcloud";
|
||||
description = "Database user.";
|
||||
};
|
||||
dbpass = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Database password. Use <literal>dbpassFile</literal> to avoid this
|
||||
being world-readable in the <literal>/nix/store</literal>.
|
||||
'';
|
||||
};
|
||||
dbpassFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
The full path to a file that contains the database password.
|
||||
'';
|
||||
};
|
||||
dbhost = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "localhost";
|
||||
description = ''
|
||||
Database host.
|
||||
|
||||
Note: for using Unix authentication with PostgreSQL, this should be
|
||||
set to <literal>/run/postgresql</literal>.
|
||||
'';
|
||||
};
|
||||
dbport = mkOption {
|
||||
type = with types; nullOr (either int str);
|
||||
default = null;
|
||||
description = "Database port.";
|
||||
};
|
||||
dbtableprefix = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = "Table prefix in Nextcloud database.";
|
||||
};
|
||||
adminuser = mkOption {
|
||||
type = types.str;
|
||||
default = "root";
|
||||
description = "Admin username.";
|
||||
};
|
||||
adminpass = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Admin password. Use <literal>adminpassFile</literal> to avoid this
|
||||
being world-readable in the <literal>/nix/store</literal>.
|
||||
'';
|
||||
};
|
||||
adminpassFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
The full path to a file that contains the admin's password. Must be
|
||||
readable by user <literal>nextcloud</literal>.
|
||||
'';
|
||||
};
|
||||
|
||||
extraTrustedDomains = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Trusted domains, from which the nextcloud installation will be
|
||||
acessible. You don't need to add
|
||||
<literal>services.nextcloud.hostname</literal> here.
|
||||
'';
|
||||
};
|
||||
|
||||
trustedProxies = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Trusted proxies, to provide if the nextcloud installation is being
|
||||
proxied to secure against e.g. spoofing.
|
||||
'';
|
||||
};
|
||||
|
||||
overwriteProtocol = mkOption {
|
||||
type = types.nullOr (types.enum [ "http" "https" ]);
|
||||
default = null;
|
||||
example = "https";
|
||||
|
||||
description = ''
|
||||
Force Nextcloud to always use HTTPS i.e. for link generation. Nextcloud
|
||||
uses the currently used protocol by default, but when behind a reverse-proxy,
|
||||
it may use <literal>http</literal> for everything although Nextcloud
|
||||
may be served via HTTPS.
|
||||
'';
|
||||
};
|
||||
|
||||
defaultPhoneRegion = mkOption {
|
||||
default = null;
|
||||
type = types.nullOr types.str;
|
||||
example = "DE";
|
||||
description = ''
|
||||
<warning>
|
||||
<para>This option exists since Nextcloud 21! If older versions are used,
|
||||
this will throw an eval-error!</para>
|
||||
</warning>
|
||||
|
||||
<link xlink:href="https://www.iso.org/iso-3166-country-codes.html">ISO 3611-1</link>
|
||||
country codes for automatic phone-number detection without a country code.
|
||||
|
||||
With e.g. <literal>DE</literal> set, the <literal>+49</literal> can be omitted for
|
||||
phone-numbers.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
caching = {
|
||||
apcu = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to load the APCu module into PHP.
|
||||
'';
|
||||
};
|
||||
redis = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to load the Redis module into PHP.
|
||||
You still need to enable Redis in your config.php.
|
||||
See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
|
||||
'';
|
||||
};
|
||||
memcached = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to load the Memcached module into PHP.
|
||||
You still need to enable Memcached in your config.php.
|
||||
See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
|
||||
'';
|
||||
};
|
||||
};
|
||||
autoUpdateApps = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Run regular auto update of all apps installed from the nextcloud app store.
|
||||
'';
|
||||
};
|
||||
startAt = mkOption {
|
||||
type = with types; either str (listOf str);
|
||||
default = "05:00:00";
|
||||
example = "Sun 14:00:00";
|
||||
description = ''
|
||||
When to run the update. See `systemd.services.<name>.startAt`.
|
||||
'';
|
||||
};
|
||||
};
|
||||
occ = mkOption {
|
||||
type = types.package;
|
||||
default = occ;
|
||||
internal = true;
|
||||
description = ''
|
||||
The nextcloud-occ program preconfigured to target this Nextcloud instance.
|
||||
'';
|
||||
};
|
||||
|
||||
extraOptions = mkOption {
|
||||
type = types.attrs;
|
||||
default = "";
|
||||
description = ''
|
||||
Extra options which should be appended to nextcloud's config.php file
|
||||
'';
|
||||
};
|
||||
|
||||
secretFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Secret options which will be appended to nextcloud's config.php file (written in JSON, in the same
|
||||
form as the `extraOptions` option).
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
{ assertions = let acfg = cfg.config; in [
|
||||
{ assertion = !(acfg.dbpass != null && acfg.dbpassFile != null);
|
||||
message = "Please specify no more than one of dbpass or dbpassFile";
|
||||
}
|
||||
{ assertion = ((acfg.adminpass != null || acfg.adminpassFile != null)
|
||||
&& !(acfg.adminpass != null && acfg.adminpassFile != null));
|
||||
message = "Please specify exactly one of adminpass or adminpassFile";
|
||||
}
|
||||
{ assertion = versionOlder cfg.package.version "21" -> cfg.config.defaultPhoneRegion == null;
|
||||
message = "The `defaultPhoneRegion'-setting is only supported for Nextcloud >=21!";
|
||||
}
|
||||
];
|
||||
|
||||
warnings = []
|
||||
++ (optional (cfg.poolConfig != null) ''
|
||||
Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
|
||||
Please migrate your configuration to config.services.nextcloud.poolSettings.
|
||||
'')
|
||||
++ (optional (versionOlder cfg.package.version "18") ''
|
||||
A legacy Nextcloud install (from before NixOS 20.03) may be installed.
|
||||
|
||||
You're currently deploying an older version of Nextcloud. This may be needed
|
||||
since Nextcloud doesn't allow major version upgrades that skip multiple
|
||||
versions (i.e. an upgrade from 16 is possible to 17, but not 16 to 18).
|
||||
|
||||
It is assumed that Nextcloud will be upgraded from version 16 to 17.
|
||||
|
||||
* If this is a fresh install, there will be no upgrade to do now.
|
||||
|
||||
* If this server already had Nextcloud installed, first deploy this to your
|
||||
server, and wait until the upgrade to 17 is finished.
|
||||
|
||||
Then, set `services.nextcloud.package` to `pkgs.nextcloud18` to upgrade to
|
||||
Nextcloud version 18. Please note that Nextcloud 19 is already out and it's
|
||||
recommended to upgrade to nextcloud19 after that.
|
||||
'')
|
||||
++ (optional (versionOlder cfg.package.version "19") ''
|
||||
A legacy Nextcloud install (from before NixOS 20.09) may be installed.
|
||||
|
||||
If/After nextcloud18 is installed successfully, you can safely upgrade to
|
||||
nextcloud19. If not, please upgrade to nextcloud18 first since Nextcloud doesn't
|
||||
support upgrades that skip multiple versions (i.e. an upgrade from 17 to 19 isn't
|
||||
possible, but an upgrade from 18 to 19).
|
||||
'')
|
||||
++ (optional (versionOlder cfg.package.version "21") ''
|
||||
The latest Nextcloud release is v21 which can be installed by setting
|
||||
`services.nextcloud.package` to `pkgs.nextcloud21`. Please note that if you're
|
||||
on `pkgs.nextcloud19`, you'll have to install `pkgs.nextcloud20` first.
|
||||
'');
|
||||
|
||||
services.nextcloud-patched.package = with pkgs;
|
||||
mkDefault (
|
||||
if pkgs ? nextcloud
|
||||
then throw ''
|
||||
The `pkgs.nextcloud`-attribute has been removed. If it's supposed to be the default
|
||||
nextcloud defined in an overlay, please set `services.nextcloud.package` to
|
||||
`pkgs.nextcloud`.
|
||||
''
|
||||
else if versionOlder stateVersion "20.03" then nextcloud17
|
||||
else if versionOlder stateVersion "20.09" then nextcloud18
|
||||
else nextcloud19
|
||||
);
|
||||
}
|
||||
|
||||
{ systemd.timers.nextcloud-cron = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnBootSec = "5m";
|
||||
timerConfig.OnUnitActiveSec = "15m";
|
||||
timerConfig.Unit = "nextcloud-cron.service";
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
# When upgrading the Nextcloud package, Nextcloud can report errors such as
|
||||
# "The files of the app [all apps in /var/lib/nextcloud/apps] were not replaced correctly"
|
||||
# Restarting phpfpm on Nextcloud package update fixes these issues (but this is a workaround).
|
||||
phpfpm-nextcloud.restartTriggers = [ cfg.package ];
|
||||
|
||||
nextcloud-setup = let
|
||||
c = cfg.config;
|
||||
writePhpArrary = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]";
|
||||
overrideConfig = pkgs.writeText "nextcloud-config.php" ''
|
||||
<?php
|
||||
${optionalString (c.dbpassFile != null) ''
|
||||
function nix_read_pwd() {
|
||||
$file = "${c.dbpassFile}";
|
||||
if (!file_exists($file)) {
|
||||
throw new \RuntimeException(sprintf(
|
||||
"Cannot start Nextcloud, dbpass file %s set by NixOS doesn't exist!",
|
||||
$file
|
||||
));
|
||||
}
|
||||
|
||||
return trim(file_get_contents($file));
|
||||
}
|
||||
''}
|
||||
${optionalString (cfg.secretFile != null) ''
|
||||
function nix_read_secrets() {
|
||||
$file = "${cfg.secretFile}";
|
||||
if (!file_exists($file)) {
|
||||
throw new \RuntimeException(sprintf(
|
||||
"Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!",
|
||||
$file
|
||||
));
|
||||
}
|
||||
|
||||
return json_decode(file_get_contents($file));
|
||||
}
|
||||
''}
|
||||
$CONFIG = [
|
||||
'apps_paths' => [
|
||||
[ 'path' => '${cfg.home}/apps', 'url' => '/apps', 'writable' => false ],
|
||||
[ 'path' => '${cfg.home}/store-apps', 'url' => '/store-apps', 'writable' => true ],
|
||||
],
|
||||
'datadirectory' => '${cfg.home}/data',
|
||||
'skeletondirectory' => '${cfg.skeletonDirectory}',
|
||||
${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"}
|
||||
'log_type' => 'syslog',
|
||||
'log_level' => '${builtins.toString cfg.logLevel}',
|
||||
${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"}
|
||||
${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"}
|
||||
${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"}
|
||||
${optionalString (c.dbport != null) "'dbport' => '${toString c.dbport}',"}
|
||||
${optionalString (c.dbuser != null) "'dbuser' => '${c.dbuser}',"}
|
||||
${optionalString (c.dbtableprefix != null) "'dbtableprefix' => '${toString c.dbtableprefix}',"}
|
||||
${optionalString (c.dbpass != null) "'dbpassword' => '${c.dbpass}',"}
|
||||
${optionalString (c.dbpassFile != null) "'dbpassword' => nix_read_pwd(),"}
|
||||
'dbtype' => '${c.dbtype}',
|
||||
'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)},
|
||||
'trusted_proxies' => ${writePhpArrary (c.trustedProxies)},
|
||||
${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"}
|
||||
];
|
||||
|
||||
$EXTRACONFIG = json_decode('${builtins.toJSON cfg.extraOptions}', true);
|
||||
|
||||
array_push($CONFIG, $EXTRACONFIG);
|
||||
${optionalString (cfg.secretFile != null) "array_push($CONFIG, nix_read_secrets());"}
|
||||
'';
|
||||
occInstallCmd = let
|
||||
dbpass = if c.dbpassFile != null
|
||||
then ''"$(<"${toString c.dbpassFile}")"''
|
||||
else if c.dbpass != null
|
||||
then ''"${toString c.dbpass}"''
|
||||
else ''""'';
|
||||
adminpass = if c.adminpassFile != null
|
||||
then ''"$(<"${toString c.adminpassFile}")"''
|
||||
else ''"${toString c.adminpass}"'';
|
||||
installFlags = concatStringsSep " \\\n "
|
||||
(mapAttrsToList (k: v: "${k} ${toString v}") {
|
||||
"--database" = ''"${c.dbtype}"'';
|
||||
# The following attributes are optional depending on the type of
|
||||
# database. Those that evaluate to null on the left hand side
|
||||
# will be omitted.
|
||||
${if c.dbname != null then "--database-name" else null} = ''"${c.dbname}"'';
|
||||
${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"'';
|
||||
${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"'';
|
||||
${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"'';
|
||||
"--database-pass" = dbpass;
|
||||
${if c.dbtableprefix != null
|
||||
then "--database-table-prefix" else null} = ''"${toString c.dbtableprefix}"'';
|
||||
"--admin-user" = ''"${c.adminuser}"'';
|
||||
"--admin-pass" = adminpass;
|
||||
"--data-dir" = ''"${cfg.home}/data"'';
|
||||
});
|
||||
in ''
|
||||
${occ}/bin/nextcloud-occ maintenance:install \
|
||||
${installFlags}
|
||||
'';
|
||||
occSetTrustedDomainsCmd = concatStringsSep "\n" (imap0
|
||||
(i: v: ''
|
||||
${occ}/bin/nextcloud-occ config:system:set trusted_domains \
|
||||
${toString i} --value="${toString v}"
|
||||
'') ([ cfg.hostName ] ++ cfg.config.extraTrustedDomains));
|
||||
|
||||
in {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
before = [ "phpfpm-nextcloud.service" ];
|
||||
path = [ occ ];
|
||||
script = ''
|
||||
chmod og+x ${cfg.home}
|
||||
|
||||
${optionalString (c.dbpassFile != null) ''
|
||||
if [ ! -r "${c.dbpassFile}" ]; then
|
||||
echo "dbpassFile ${c.dbpassFile} is not readable by nextcloud:nextcloud! Aborting..."
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$(<${c.dbpassFile})" ]; then
|
||||
echo "dbpassFile ${c.dbpassFile} is empty!"
|
||||
exit 1
|
||||
fi
|
||||
''}
|
||||
${optionalString (c.adminpassFile != null) ''
|
||||
if [ ! -r "${c.adminpassFile}" ]; then
|
||||
echo "adminpassFile ${c.adminpassFile} is not readable by nextcloud:nextcloud! Aborting..."
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$(<${c.adminpassFile})" ]; then
|
||||
echo "adminpassFile ${c.adminpassFile} is empty!"
|
||||
exit 1
|
||||
fi
|
||||
''}
|
||||
|
||||
ln -sf ${cfg.package}/apps ${cfg.home}/
|
||||
|
||||
# create nextcloud directories.
|
||||
# if the directories exist already with wrong permissions, we fix that
|
||||
for dir in ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps; do
|
||||
if [ ! -e $dir ]; then
|
||||
install -o nextcloud -g nextcloud -d $dir
|
||||
elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then
|
||||
chgrp -R nextcloud $dir
|
||||
fi
|
||||
done
|
||||
|
||||
ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
|
||||
|
||||
# Do not install if already installed
|
||||
if [[ ! -e ${cfg.home}/config/config.php ]]; then
|
||||
${occInstallCmd}
|
||||
fi
|
||||
|
||||
${occ}/bin/nextcloud-occ upgrade
|
||||
|
||||
${occ}/bin/nextcloud-occ config:system:delete trusted_domains
|
||||
${occSetTrustedDomainsCmd}
|
||||
'';
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.User = "nextcloud";
|
||||
};
|
||||
nextcloud-cron = {
|
||||
environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.User = "nextcloud";
|
||||
serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php";
|
||||
};
|
||||
nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable {
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all";
|
||||
serviceConfig.User = "nextcloud";
|
||||
startAt = cfg.autoUpdateApps.startAt;
|
||||
};
|
||||
};
|
||||
|
||||
services.phpfpm = {
|
||||
pools.nextcloud = {
|
||||
user = "nextcloud";
|
||||
group = "nextcloud";
|
||||
phpOptions = phpOptionsStr;
|
||||
phpPackage = phpPackage;
|
||||
phpEnv = {
|
||||
NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
|
||||
PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
|
||||
};
|
||||
settings = mapAttrs (name: mkDefault) {
|
||||
"listen.owner" = config.services.nginx.user;
|
||||
"listen.group" = config.services.nginx.group;
|
||||
} // cfg.poolSettings;
|
||||
extraConfig = cfg.poolConfig;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.nextcloud = {
|
||||
home = "${cfg.home}";
|
||||
group = "nextcloud";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];
|
||||
|
||||
environment.systemPackages = [ occ ];
|
||||
|
||||
services.nginx.enable = mkDefault true;
|
||||
|
||||
services.nginx.virtualHosts.${cfg.hostName} = let
|
||||
major = toInt (versions.major cfg.package.version);
|
||||
in {
|
||||
root = cfg.package;
|
||||
locations = {
|
||||
"= /robots.txt" = {
|
||||
priority = 100;
|
||||
extraConfig = ''
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
'';
|
||||
};
|
||||
"= /" = {
|
||||
priority = 100;
|
||||
extraConfig = ''
|
||||
if ( $http_user_agent ~ ^DavClnt ) {
|
||||
return 302 /remote.php/webdav/$is_args$args;
|
||||
}
|
||||
'';
|
||||
};
|
||||
"/" = {
|
||||
priority = 900;
|
||||
extraConfig = "rewrite ^ /index.php;";
|
||||
};
|
||||
"~ ^/store-apps" = {
|
||||
priority = 201;
|
||||
extraConfig = "root ${cfg.home};";
|
||||
};
|
||||
"^~ /.well-known" = {
|
||||
priority = 210;
|
||||
extraConfig = ''
|
||||
absolute_redirect off;
|
||||
location = /.well-known/carddav {
|
||||
return 301 /remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 /remote.php/dav;
|
||||
}
|
||||
location ~ ^/\.well-known/(?!acme-challenge|pki-validation) {
|
||||
return 301 /index.php$request_uri;
|
||||
}
|
||||
try_files $uri $uri/ =404;
|
||||
'';
|
||||
};
|
||||
"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = ''
|
||||
return 404;
|
||||
'';
|
||||
"~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = ''
|
||||
return 404;
|
||||
'';
|
||||
"~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = {
|
||||
priority = 500;
|
||||
extraConfig = ''
|
||||
include ${config.services.nginx.package}/conf/fastcgi.conf;
|
||||
fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
try_files $fastcgi_script_name =404;
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
|
||||
fastcgi_param modHeadersAvailable true;
|
||||
fastcgi_param front_controller_active true;
|
||||
fastcgi_pass unix:${fpm.socket};
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
fastcgi_read_timeout 120s;
|
||||
'';
|
||||
};
|
||||
"~ \\.(?:css|js|woff2?|svg|gif|map)$".extraConfig = ''
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 6M;
|
||||
access_log off;
|
||||
'';
|
||||
"~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
|
||||
try_files $uri/ =404;
|
||||
index index.php;
|
||||
'';
|
||||
"~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
|
||||
try_files $uri /index.php$request_uri;
|
||||
access_log off;
|
||||
'';
|
||||
};
|
||||
extraConfig = ''
|
||||
index index.php index.html /index.php$request_uri;
|
||||
expires 1m;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header X-Frame-Options sameorigin;
|
||||
add_header Referrer-Policy no-referrer;
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
client_max_body_size ${cfg.maxUploadSize};
|
||||
fastcgi_buffers 64 4K;
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_comp_level 4;
|
||||
gzip_min_length 256;
|
||||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
||||
|
||||
${optionalString cfg.webfinger ''
|
||||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
||||
''}
|
||||
'';
|
||||
};
|
||||
}
|
||||
]);
|
||||
}
|
|
@ -36,14 +36,12 @@ in {
|
|||
boot = {
|
||||
kernelModules = [ "nf_nat_ftp" ];
|
||||
kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = mkOverride 98 true;
|
||||
"net.ipv4.conf.default.forwarding" = mkOverride 98 true;
|
||||
"net.ipv4.conf.all.forwarding" = mkOverride 90 true;
|
||||
"net.ipv4.conf.default.forwarding" = mkOverride 90 true;
|
||||
};
|
||||
};
|
||||
|
||||
petabyte.nftables = {
|
||||
enable = true;
|
||||
|
||||
networking.nftables = {
|
||||
extraConfig = ''
|
||||
table ip nat {
|
||||
chain prerouting {
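Review bot: The `mkOverride 90` on the two forwarding sysctls is a bare priority number with no hint of which competing definition it has to beat, so a later change in that other module can silently flip the result. A one-line comment above `kernel.sysctl` would cover it, e.g. `# priority 90: must win over <module that also sets forwarding>`, with the real module named. Because forwarding is switched on for all interfaces here, the ruleset in `networking.nftables.extraConfig` should also carry a forward chain that limits what gets routed. Only the opening of the `nat` table is visible and the `extraConfig` string continues outside the hunk, so that could not be checked.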
|
||||
|
|
|
@ -6,15 +6,15 @@
|
|||
"type": "git"
|
||||
},
|
||||
"home-manager": {
|
||||
"branch": "release-20.09",
|
||||
"branch": "release-21.05",
|
||||
"description": "Manage a user environment using Nix [maintainer=@rycee] ",
|
||||
"homepage": "https://nix-community.github.io/home-manager/",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "49706878e1580d796cc99b63574310405935113f",
|
||||
"sha256": "07f903ij0czyhly8kvwjazvz3s6kflxzh5fs6j8781lkxsy47i9f",
|
||||
"rev": "b39647e52ed3c0b989e9d5c965e598ae4c38d7ef",
|
||||
"sha256": "0xw1vgwfdn75rgamcsi5j1iqfl0j06x8xp92k24wr9hayfr5m400",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nix-community/home-manager/archive/49706878e1580d796cc99b63574310405935113f.tar.gz",
|
||||
"url": "https://github.com/nix-community/home-manager/archive/b39647e52ed3c0b989e9d5c965e598ae4c38d7ef.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"mattermost-server": {
|
||||
|
@ -23,19 +23,19 @@
|
|||
"homepage": "https://mattermost.com",
|
||||
"owner": "mattermost",
|
||||
"repo": "mattermost-server",
|
||||
"rev": "37b1e6d048fc8302c727c3bc7ce73ac32c2ba93c",
|
||||
"sha256": "1k0jn3a9nafbhvwn0d0rc2pj80mx7iz2scjbqkz96c5yzw3lyj79",
|
||||
"rev": "868b8d91db6e8a0525a9e93c50a388625d426a4a",
|
||||
"sha256": "1vihpmy7253yl87arlz8y9rahk1q69blykwm3172dk1hxajr7c13",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.0.tar.gz",
|
||||
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.1.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/refs/tags/v<version>.tar.gz",
|
||||
"version": "5.37.0"
|
||||
"version": "5.37.1"
|
||||
},
|
||||
"mattermost-webapp": {
|
||||
"sha256": "0na9drwnsr5fbrv6qq38dgvd0laj3wjs734ik5s673c0azqlm4kn",
|
||||
"sha256": "00q1kcfda2z69ijpw71a6cbj76p5f57nj7pym44pp4cadi2wz180",
|
||||
"type": "tarball",
|
||||
"url": "https://releases.mattermost.com/5.37.0/mattermost-5.37.0-linux-amd64.tar.gz",
|
||||
"url": "https://releases.mattermost.com/5.37.1/mattermost-5.37.1-linux-amd64.tar.gz",
|
||||
"url_template": "https://releases.mattermost.com/<version>/mattermost-<version>-linux-amd64.tar.gz",
|
||||
"version": "5.37.0"
|
||||
"version": "5.37.1"
|
||||
},
|
||||
"mumble-website": {
|
||||
"branch": "master",
|
||||
|
@ -57,32 +57,34 @@
|
|||
},
|
||||
"nix-hexchen": {
|
||||
"branch": "main",
|
||||
"repo": "https://gitlab.com/hexchen/nixfiles.git",
|
||||
"rev": "83b511d9a3754ded187891c711b3dbbef82887d3",
|
||||
"sha256": "1024vl0bgmcb8g91pqcqc601xh90nxp82p0z9imp11fwb1fx7756",
|
||||
"ref": "main",
|
||||
"repo": "https://gitlab.com/hexchen/nixfiles",
|
||||
"rev": "ef358992030e9a6fa975a24bf4d9aa133bc72424",
|
||||
"sha256": "01hcdrpfc8g1bbc96h7gi04zmyxi9vd7392ncadwfkx5xfd2fp17",
|
||||
"type": "tarball",
|
||||
"url": "https://gitlab.com/hexchen/nixfiles/-/archive/83b511d9a3754ded187891c711b3dbbef82887d3/nixfiles-83b511d9a3754ded187891c711b3dbbef82887d3.tar.gz",
|
||||
"url": "https://gitlab.com/hexchen/nixfiles/-/archive/ef358992030e9a6fa975a24bf4d9aa133bc72424.tar.gz",
|
||||
"url_template": "<repo>/-/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixos-mailserver": {
|
||||
"ref": "nixos-20.09",
|
||||
"branch": "nixos-21.05",
|
||||
"ref": "nixos-21.05",
|
||||
"repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver",
|
||||
"rev": "fb1cc04c0a517d4200237b02c3472bcaf9104afb",
|
||||
"sha256": "0vsvgxxg5cgmzwj98171j7h5l028f1yq784alb3lxgbk8znfk51y",
|
||||
"rev": "5675b122a947b40e551438df6a623efad19fd2e7",
|
||||
"sha256": "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi",
|
||||
"type": "tarball",
|
||||
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/fb1cc04c0a517d4200237b02c3472bcaf9104afb/nixos-mailserver-fb1cc04c0a517d4200237b02c3472bcaf9104afb.tar.gz",
|
||||
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7.tar.gz",
|
||||
"url_template": "<repo>/-/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"branch": "nixos-20.09",
|
||||
"branch": "nixos-21.05",
|
||||
"description": "Nix Packages collection",
|
||||
"homepage": "",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "068984c00e0d4e54b6684d98f6ac47c92dcb642e",
|
||||
"sha256": "00j4xv4lhhqwry7jd67brnws4pwb8vn660n43pvxpkalbpxszwfg",
|
||||
"rev": "2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2",
|
||||
"sha256": "1aafqly1mcqxh0r15mrlsrs4znldhm7cizsmfp3d25lqssay6gjd",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nixos/nixpkgs/archive/068984c00e0d4e54b6684d98f6ac47c92dcb642e.tar.gz",
|
||||
"url": "https://github.com/nixos/nixpkgs/archive/2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
|
@ -91,10 +93,10 @@
|
|||
"homepage": "",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8ecc61c91a596df7d3293603a9c2384190c1b89a",
|
||||
"sha256": "0vhajylsmipjkm5v44n2h0pglcmpvk4mkyvxp7qfvkjdxw21dyml",
|
||||
"rev": "fe01052444c1d66ed6ef76df2af798c9769e9e79",
|
||||
"sha256": "0z99hwxgrvlf0psicwd97kdqqcc3qngfzmcz7k68q6q868y8582y",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nixos/nixpkgs/archive/8ecc61c91a596df7d3293603a9c2384190c1b89a.tar.gz",
|
||||
"url": "https://github.com/nixos/nixpkgs/archive/fe01052444c1d66ed6ef76df2af798c9769e9e79.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"pbb-nixfiles": {
|
||||
|
|
|
@ -10,14 +10,10 @@ let
|
|||
newpkgs = {
|
||||
alps = callPackage ./alps {};
|
||||
|
||||
docker = (pkgs.callPackage (pkgs.path + "/pkgs/applications/virtualization/docker") {
|
||||
iptables = pkgs.writeScriptBin "iptables" ''
|
||||
#!${pkgs.runtimeShell}
|
||||
echo docker tried to run the following iptables command: $@
|
||||
exit 0
|
||||
'';
|
||||
}).docker_19_03.overrideAttrs (super: {
|
||||
extraPath = super.extraPath + ":${pkgs.zfs}/bin";
|
||||
docker = pkgs.docker.overrideAttrs (super: {
|
||||
moby = super.moby.overrideAttrs (super: {
|
||||
extraPath = super.extraPath + ":${pkgs.zfs}/bin";
|
||||
});
|
||||
});
|
||||
|
||||
linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
|
||||
|
@ -41,6 +37,26 @@ let
|
|||
});
|
||||
|
||||
mattermost = callPackage ./mattermost {};
|
||||
|
||||
# a version of the lounge with some extra css that
|
||||
# hides things the hacc-voc doesn't need
|
||||
thelounge-hacked = pkgs.stdenv.mkDerivation {
|
||||
name = "thelounge-hacked";
|
||||
src = pkgs.thelounge;
|
||||
|
||||
phases = [ "buildPhase" "installPhase" ];
|
||||
buildPhase = ''
|
||||
cp $src/* -r .
|
||||
chmod 777 lib/node_modules/thelounge/public/css/style.css
|
||||
cat ${./thelounge/css-patch.css} >> lib/node_modules/thelounge/public/css/style.css
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out
|
||||
cp * -r $out
|
||||
'';
|
||||
};
|
||||
|
||||
inherit (unstable) bottom;
|
||||
};
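Review bot: The new `docker` override in the first hunk no longer replaces Docker's `iptables` with the logging no-op script, so unless the daemon is started with `--iptables=false` somewhere outside this section it will write its own NAT and filter rules alongside the nftables ruleset. Ports published by containers would then be governed by rules Docker manages rather than by the reviewed firewall configuration. If dropping the shim was intentional, a comment at the override saying so, plus `virtualisation.docker.extraOptions = "--iptables=false";` where Docker is enabled, keeps the earlier guarantee. In the second hunk, `chmod 777` on `style.css` in `buildPhase` is broader than the append needs; `chmod u+w lib/node_modules/thelounge/public/css/style.css` is enough.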
|
||||
|
||||
|
|
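--- a/pkgs/thelounge/css-patch.css
+++ b/pkgs/thelounge/css-patch.css
@@ -0,0 +1,24 @@
+
+/* Hides extra fields on connect screen */
+.connect-row:nth-of-type(4) {
+display: none !important;
+}
+
+.connect-row:nth-of-type(2) {
+display: none !important;
+}
+
+.connect-row:nth-of-type(5) {
+display: none !important;
+}
+
+
+/* Hides side panel button */
+.header > button:first-child {
+display: none !important;
+}
+
+/* Hides channel options button (includes leave option) */
+.header > button:nth-last-child(2) {
+display: none !important;
+}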
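Review bot: These rules only hide the connect-form rows and header buttons in the browser, which leaves the elements in the DOM and does nothing to restrict what the server accepts from a client. If the aim is to keep users on one network or stop them leaving the channel, that has to be enforced in The Lounge's server configuration (for example `lockNetwork: true`), with this CSS kept as cosmetics. The positional `:nth-of-type()` and `:nth-last-child()` selectors also depend on upstream markup order, so each rule would benefit from a comment naming the field it targets, e.g. `/* row 2: <field name> */`, to make breakage after a thelounge upgrade easy to spot.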
@ -6,14 +6,14 @@
|
|||
concurrent = 4;
|
||||
services = {
|
||||
infra4future = {
|
||||
buildsDir = "/var/lib/gitlab-runner/builds";
|
||||
buildsDir = "/persist/var/lib/gitlab-runner/builds";
|
||||
dockerImage = "nixos/nix";
|
||||
executor = "docker";
|
||||
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
|
||||
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
|
||||
};
|
||||
nix = {
|
||||
limit = 1; # don't run multiple jobs
|
||||
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
|
||||
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
|
||||
dockerImage = "alpine";
|
||||
dockerVolumes = [
|
||||
"/nix/store:/nix/store:ro"
|
||||
|
@ -54,7 +54,7 @@
|
|||
};
|
||||
|
||||
users.users.gitlab-runner = {
|
||||
home = "/var/lib/gitlab-runner";
|
||||
home = "/persist/var/lib/gitlab-runner";
|
||||
extraGroups = [ "docker" ];
|
||||
isSystemUser = true;
|
||||
};
|
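--- /dev/null
+++ b/services/gitlab.nix
@@ -0,0 +1,168 @@
+{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
+
+{
+containers.gitlab = {
+autoStart = true;
+privateNetwork = true;
+hostAddress = "192.168.100.1";
+localAddress = "192.168.100.7";
+
+bindMounts = {
+"/persist" = {
+hostPath = "/persist/containers/gitlab";
+isReadOnly = false;
+};
+};
+
+path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+boot.isContainer = true;
+networking.useDHCP = false;
+users.users.root.hashedPassword = "";
+
+imports = [
+../modules/mattermost.nix
+((import sources.nix-hexchen) {}).profiles.nopersist
+];
+
+nixpkgs.config.allowUnfree = true;
+networking.firewall.enable = false;
+networking.defaultGateway = {
+address = "192.168.100.1";
+interface = "eth0";
+};
+
+services.gitlab = {
+enable = true;
+
+databaseCreateLocally = true;
+
+host = "gitlab.infra4future.de";
+https = true;
+port = 443;
+
+statePath = "/persist/gitlab";
+user = "git";
+databaseUsername = "git";
+
+initialRootPasswordFile = "/persist/secrets/gitlab-root";
+secrets.secretFile = "/persist/secrets/gitlab-secret";
+secrets.dbFile = "/persist/secrets/gitlab-db";
+secrets.otpFile = "/persist/secrets/gitlab-otp";
+secrets.jwsFile = "/persist/secrets/gitlab-jws";
+
+smtp = {
+enable = true;
+address = "mail.hacc.space";
+port = 587;
+authentication = "plain";
+domain = "gitlab.infra4future.de";
+enableStartTLSAuto = true;
+username = "noreply@infra4future.de";
+passwordFile = "/persist/secrets/noreply-pass";
+};
+
+pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
+extraConfig = {
+pages = {
+enabled = true;
+host = "4future.dev";
+port = 443;
+https = true;
+};
+omniauth = {
+enabled = true;
+auto_sign_in_with_provider = "openid_connect";
+allow_single_sign_on = ["openid_connect"];
+block_auto_created_users = false;
+providers = [
+{
+name = "openid_connect";
+label = "infra4future Login";
+args = {
+name = "openid_connect";
+scope = ["openid" "profile" "email"];
+response_type = "code";
+issuer = "https://auth.infra4future.de/auth/realms/forfuture";
+discovery = true;
+client_auth_method = "query";
+uid_field = "username";
+client_options = {
+identifier = "gitlab";
+secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
+redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
+};
+};
+}
+];
+};
+};
+};
+
+services.redis.enable = true;
+services.postgresql.package = pkgs.postgresql_13;
+
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+virtualHosts."gitlab.infra4future.de" = {
+default = true;
+locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+locations."/".extraConfig = ''
+proxy_redirect off;
+'';
+};
+};
+
+services.openssh.enable = true;
+services.openssh.passwordAuthentication = false;
+
+users.users.git = {
+isSystemUser = true;
+group = "gitlab";
+home = "/persist/gitlab/home";
+uid = 165;
+};
+
+services.coredns = {
+enable = true;
+config = ''
+.:53 {
+forward . 1.1.1.1
+}
+'';
+};
+})).config.system.build.toplevel;
+};
+
+hexchen.nftables.nat.forwardPorts = [{
+ports = [ 22 ];
+destination = "${config.containers.gitlab.localAddress}:22";
+proto = "tcp";
+}];
+
+services.nginx.virtualHosts."gitlab.infra4future.de" = {
+locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
+locations."/".extraConfig = ''
+proxy_set_header X-Nginx-Proxy true;
+proxy_redirect off;
+'';
+enableACME = true;
+forceSSL = true;
+};
+
+services.nginx.virtualHosts."4future.dev" = {
+locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+serverName = "~^((.*)\.)?4future\.dev$";
+useACMEHost = "4future.dev";
+forceSSL = true;
+};
+
+security.acme.certs."4future.dev" = {
+dnsProvider = "cloudflare";
+credentialsFile = "/var/lib/acme/cloudflare.pass";
+extraDomainNames = [ "*.4future.dev" ];
+group = config.services.nginx.group;
+};
+}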
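Review bot: `users.users.root.hashedPassword = "";` gives root an empty password in a container that also runs sshd, has `networking.firewall.enable = false`, and receives the host's port 22 through `hexchen.nftables.nat.forwardPorts`, so `services.openssh.passwordAuthentication = false` is the single setting keeping that account off the network. Locking the account instead, `users.users.root.hashedPassword = "!";`, removes the dependency on that one line; root access from the host via `nixos-container root-login` does not need a password. If the empty hash is intentional for console login, a comment saying so would help. The same empty hash is set in the pad-hacc, pad-i4f, lantifa, mattermost, nextcloud and thelounge containers in this commit.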
|
@ -1,13 +1,33 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
||||
|
||||
{
|
||||
containers.codimd = {
|
||||
containers.pad-hacc = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.3";
|
||||
localAddress = "192.168.100.5";
|
||||
autoStart = true;
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/pad-hacc";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
imports = [
|
||||
../modules/mattermost.nix
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
|
@ -33,7 +53,7 @@
|
|||
oauth2 = {
|
||||
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||
clientID = "codimd";
|
||||
clientID = "hedgedoc";
|
||||
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
|
||||
};
|
||||
};
|
||||
|
@ -59,10 +79,10 @@
|
|||
enable = true;
|
||||
databases = [ "codimd" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pad.hacc.earth" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -73,16 +93,8 @@
|
|||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://192.168.100.3:3000";
|
||||
proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";
|
||||
extraConfig = ''
|
||||
proxy_pass_request_headers on;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
proxy_buffering off;
|
||||
'';
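Review bot: The OAuth `clientSecret` is a literal in this file (the unchanged line directly below the `clientID` change in the `-33,7 +53,7` hunk), so it is readable by anyone with access to the repository and presumably ends up in the world-readable Nix store. The gitlab container added in the same commit already reads its OIDC secret from a file (`secret = { _secret = "/persist/secrets/oidc-clientsecret"; };`), and this service should take its secret from a file under `/persist` in the same way, through whatever file or environment-file option the module in use offers. Because the value has been committed, it should also be rotated at the identity provider when the client is renamed. This section is shown only in part, so the surrounding option names are not visible here.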
|
|
@ -1,13 +1,33 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, modules, evalConfig, sources, ... }:
|
||||
|
||||
{
|
||||
containers.pad-i4f = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.41";
|
||||
localAddress = "192.168.100.6";
|
||||
autoStart = true;
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/pad-i4f";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
imports = [
|
||||
../modules/mattermost.nix
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
|
@ -50,24 +70,17 @@
|
|||
enable = true;
|
||||
databases = [ "hedgedoc" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pad.infra4future.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://192.168.100.41:3000";
|
||||
proxyPass = "http://${config.containers.pad-i4f.localAddress}:3000";
|
||||
extraConfig = ''
|
||||
proxy_pass_request_headers on;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
proxy_buffering off;
|
||||
'';
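Review bot: The container's `imports` list pulls in `../modules/mattermost.nix`, which looks like a leftover from the mattermost container this block was copied from; nothing visible in this section uses a mattermost option. The same import appears in the gitlab and pad-hacc containers. Reducing it to `imports = [ ((import sources.nix-hexchen) {}).profiles.nopersist ];` keeps each container's option surface limited to what it actually runs. Only part of the file is shown, so confirm that the hidden lines do not depend on the module.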
|
|
@ -1,18 +1,38 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
|
||||
|
||||
let
|
||||
unstable = import (import ../../../nix/sources.nix).nixpkgs-unstable {};
|
||||
unstable = import (import ../nix/sources.nix).nixpkgs-unstable {};
|
||||
in {
|
||||
containers.lantifa = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress6 = "fd00::42:14";
|
||||
localAddress6 = "fd00::42:15";
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.8";
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/lantifa";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
|
||||
config = {config, pkgs, ... }: {
|
||||
networking.hosts."::1" = [ "wiki.lantifa.org" ];
|
||||
networking.firewall.enable = false;
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
hexchen.bindmounts."/var/lib/mediawiki" = "/persist/var/lib/mediawiki";
|
||||
|
||||
imports = [
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
networking.hosts."127.0.0.1" = [ "wiki.lantifa.org" ];
|
||||
users.users.mediawiki.extraGroups = [ "keys" ];
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
|
||||
services.mediawiki = {
|
||||
enable = true;
|
||||
|
@ -60,8 +80,8 @@ in {
|
|||
sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i";
|
||||
};
|
||||
intersection = pkgs.fetchzip { # This is the DynamicPageList extension
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_35-1adb683.tar.gz";
|
||||
sha256 = "0jh3b22vq1ml3kdj0hhhbfjsilpw39bcjbnkajgx1pcvr7haxld7";
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-789511a.tar.gz";
|
||||
sha256 = "0b5viv0d2pm1g68hynm8xbvcyw2cr3lgaxbqzdykk2yvvhc4w8j5";
|
||||
};
|
||||
PageForms = pkgs.fetchzip {
|
||||
url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip";
|
||||
|
@ -81,16 +101,17 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.mysql.dataDir = "/persist/mysql";
|
||||
services.mysqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "mediawiki" ];
|
||||
calendar = "*-*-* 23:45:00";
|
||||
};
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."wiki.lantifa.org" = {
|
||||
locations."/".proxyPass = "http://[" + config.containers.lantifa.localAddress6 + "]";
|
||||
locations."/".proxyPass = "http://" + config.containers.lantifa.localAddress + "";
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
|
@ -1,14 +1,12 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, lib, sources, ... }:
|
||||
|
||||
let
|
||||
sources = import ../../../nix/sources.nix;
|
||||
in {
|
||||
{
|
||||
imports = [
|
||||
sources.nixos-mailserver.outPath
|
||||
];
|
||||
|
||||
mailserver = {
|
||||
mailDirectory = "/data/mail";
|
||||
mailDirectory = "/persist/mail";
|
||||
enable = true;
|
||||
fqdn = "mail.hacc.space";
|
||||
domains = [ "hacc.space" "muc.hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ];
|
||||
|
@ -32,6 +30,8 @@ in {
|
|||
"lenny@hacc.space".hashedPassword = "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
|
||||
"lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ];
|
||||
|
||||
"finance@muc.hacc.space".hashedPassword = "$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m.";
|
||||
|
||||
# service accounts
|
||||
"noreply@hacc.space".hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
|
||||
"newsletter@hacc.space".hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
|
||||
|
@ -145,6 +145,8 @@ in {
|
|||
enable = true;
|
||||
script = "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465";
|
||||
serviceConfig.WorkingDirectory = "${pkgs.alps}/share/alps";
|
||||
serviceConfig.Restart = "always";
|
||||
requiredBy = [ "multi-user.target" ];
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."mail.hacc.space" = {
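Review bot: The `-32,6 +30,8` hunk appears to add `"finance@muc.hacc.space".hashedPassword` as another literal crypt hash next to the existing ones, so every mailbox hash is readable from the repository and presumably from the Nix store, where it is exposed to offline guessing. The mailserver module's `hashedPasswordFile` option keeps the hash out of both, e.g. `"finance@muc.hacc.space".hashedPasswordFile = "<file under /persist, placeholder>";`. Since this commit moves the rest of the state to `/persist`, it is a natural point to move the existing accounts as well. The account list starts and ends outside the visible hunks.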
|
|
@ -1,34 +1,51 @@
|
|||
{config, pkgs, lib, ...}:
|
||||
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
|
||||
|
||||
{
|
||||
let
|
||||
mattermost = pkgs.mattermost;
|
||||
in {
|
||||
containers.mattermost = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.30";
|
||||
localAddress = "192.168.100.31";
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.3";
|
||||
|
||||
bindMounts."/secrets" = {
|
||||
hostPath = "/var/lib/mattermost/";
|
||||
isReadOnly = true;
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/mattermost";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
|
||||
config = {pkgs, config, ...}: {
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
# have to import these here, since container's dont
|
||||
# inherit imports of their environment.
|
||||
imports = [ ../../../modules/mattermost.nix ];
|
||||
imports = [
|
||||
../modules/mattermost.nix
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
|
||||
# couldn't figure out how to actually overwrite modules, so now
|
||||
# there's two mattermost modules ...
|
||||
services.mattermost-patched = {
|
||||
enable = true;
|
||||
siteUrl = "https://mattermost-beta.infra4future.de";
|
||||
siteName = "Mattermost - Blabla for Future";
|
||||
siteUrl = "https://mattermost.infra4future.de";
|
||||
siteName = "Mattermost for Future";
|
||||
listenAddress = "0.0.0.0:3000";
|
||||
mutableConfig = false;
|
||||
|
||||
secretConfig = "/secrets/secrets.json";
|
||||
secretConfig = "/persist/mattermost/secrets.json";
|
||||
statePath = "/persist/mattermost";
|
||||
|
||||
extraConfig = {
|
||||
ServiceSettings = {
|
||||
|
@ -56,6 +73,7 @@
|
|||
EnableLaTeX = true;
|
||||
ThreadAutoFollow = true;
|
||||
EnableSecurityFixAlert = false;
|
||||
CollapsedThreads = "default_on";
|
||||
};
|
||||
TeamSettings = {
|
||||
EnableTeamCreation = true;
|
||||
|
@ -87,7 +105,7 @@
|
|||
EnableFileAttachments = true;
|
||||
MaxFileSize = 52428800;
|
||||
DriverName = "local";
|
||||
Directory = "/var/lib/mattermost/uploads-storage";
|
||||
Directory = "/persist/mattermost/upload-storage";
|
||||
EnablePublicLink = true;
|
||||
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
|
||||
};
|
||||
|
@ -120,7 +138,7 @@
|
|||
AnnouncementSettings.EnableBanner = false;
|
||||
GitLabSettings = {
|
||||
Enable = true;
|
||||
Id = "mattermost-beta";
|
||||
Id = "mattermost";
|
||||
Scope = "";
|
||||
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||
|
@ -159,8 +177,6 @@
|
|||
ClusterSettings.Enable = false;
|
||||
MetricsSettings.Enable = false;
|
||||
GuestAccountsSettings.Enable = false;
|
||||
# this is just the general allow-this-at-all switch; users
|
||||
# still have to turn it on for themselves
|
||||
FeatureFlags.CollapsedThreads = true;
|
||||
};
|
||||
|
||||
|
@ -172,6 +188,17 @@
|
|||
localDatabaseCreate = false;
|
||||
};
|
||||
|
||||
services.mysql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "mattermost" ];
|
||||
ensureUsers = [ {
|
||||
name = "mattermost";
|
||||
ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
|
||||
} ];
|
||||
package = pkgs.mysql80;
|
||||
dataDir = "/persist/mysql";
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = lib.mkForce true; # mattermost sets this to false. wtf.
|
||||
ensureDatabases = [ "mattermost" ];
|
||||
|
@ -197,21 +224,14 @@
|
|||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."mattermost-beta.infra4future.de" = {
|
||||
services.nginx.virtualHosts."mattermost.infra4future.de" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
|
||||
# Mattermost CSR Patch
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
proxy_hide_header X-Frame-Options;
|
||||
|
@ -221,11 +241,4 @@
|
|||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
internalInterfaces = [ "ve-mattermost" ];
|
||||
externalInterface = "enp6s0";
|
||||
};
|
||||
|
||||
}
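Review bot: `secretConfig` now points at `/persist/mattermost/secrets.json`, which is inside `statePath = "/persist/mattermost"` on a bind mount declared `isReadOnly = false`, whereas the lines it appears to replace kept the secrets on a separate `/secrets` mount with `isReadOnly = true`. The service account that owns the state directory can therefore presumably rewrite its own secrets file. Keeping the file outside the state path, for example on a second bind mount that stays read-only, would preserve the earlier separation. `PublicLinkSalt` in the file-settings hunk is still a literal in this file and belongs in the same secrets file.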
|
|
@ -1,8 +1,4 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
sources = import ../../../nix/sources.nix;
|
||||
in
|
||||
{ config, lib, pkgs, sources, ... }:
|
||||
|
||||
let
|
||||
mumblesite = pkgs.stdenv.mkDerivation {
|
||||
|
@ -18,6 +14,8 @@ let
|
|||
};
|
||||
in
|
||||
{
|
||||
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
|
||||
|
||||
services.murmur = {
|
||||
enable = true;
|
||||
logDays = -1;
|
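--- /dev/null
+++ b/services/nextcloud/default.nix
@@ -0,0 +1,140 @@
+{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
+
+{
+containers.nextcloud = {
+autoStart = true;
+privateNetwork = true;
+hostAddress = "192.168.100.1";
+localAddress = "192.168.100.2";
+bindMounts = {
+"/persist" = {
+hostPath = "/persist/containers/nextcloud";
+isReadOnly = false;
+};
+};
+path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+boot.isContainer = true;
+networking.useDHCP = false;
+users.users.root.hashedPassword = "";
+
+imports = [
+((import sources.nix-hexchen) {}).profiles.nopersist
+../../modules/nextcloud.nix
+];
+
+nixpkgs.config.allowUnfree = true;
+networking.firewall.enable = false;
+networking.defaultGateway = {
+address = "192.168.100.1";
+interface = "eth0";
+};
+
+environment.systemPackages = [ pkgs.htop ];
+
+services.nextcloud-patched = {
+enable = true;
+
+# must be set manually; may not be incremented by more than one at
+# a time, otherwise nextcloud WILL break
+package = pkgs.nextcloud21;
+
+home = "/persist/nextcloud";
+https = true;
+
+hostName = "cloud.infra4future.de";
+config = {
+dbtype = "pgsql";
+dbuser = "nextcloud";
+dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+dbname = "nextcloud";
+# there's also a adminpassFile option, but for testing this seems
+# enough (less fiddling with getting the file into a nixos
+# container for ad-hoc setups)
+adminpass = "lushfjwebrwhjebr";
+adminuser = "root";
+};
+
+caching.redis = true;
+
+# multiple pools may be doable using services.phpfpm.pools,
+# but i have not tried this yet. The nextcloud module defines a
+# pool "nextcloud"
+poolSettings = {
+pm = "dynamic";
+"pm.max_children" = "32";
+"pm.max_requests" = "500";
+"pm.max_spare_servers" = "4";
+"pm.min_spare_servers" = "2";
+"pm.start_servers" = "2";
+};
+
+extraOptions = {
+instanceid = "ocxlphb7fbju";
+redis = {
+host = "/run/redis/redis.sock";
+port = 0;
+dbindex = 0;
+password = "secret";
+timeout = 1.5;
+};
+datadirectory = "/persist/data/ncdata";
+mail_smtpmode = "smtp";
+mail_smtpsecure = "ssl";
+mail_sendmailmode = "smtp";
+mail_from_address = "noreply";
+mail_domain = "infra4future.de";
+mail_smtpauthtype = "PLAIN";
+mail_smtpauth = 1;
+mail_smtphost = "mail.hacc.space";
+mail_smtpport = 465;
+mail_smtpname = "noreply@infra4future.de";
+loglevel = 0;
+"overwrite.cli.url" = "https://cloud.infra4future.de";
+};
+
+# passwordsalt, secret, and mail_smtppassword go in here
+secretFile = "/persist/secrets.json";
+
+};
+
+services.redis = {
+enable = true;
+unixSocket = "/var/run/redis/redis.sock";
+};
+
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "nextcloud" ];
+ensureUsers = [
+{ # by default, postgres has unix sockets enabled, and allows a
+# system user `nextcloud` to log in without other authentication
+name = "nextcloud";
+ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+}
+];
+};
+
+# ensure that postgres is running *before* running the setup
+systemd.services."nextcloud-setup" = {
+requires = ["postgresql.service"];
+after = ["postgresql.service"];
+};
+
+services.coredns = {
+enable = true;
+config = ''
+.:53 {
+forward . 1.1.1.1
+}
+'';
+};
+})).config.system.build.toplevel;
+};
+
+services.nginx.virtualHosts."cloud.infra4future.de" = {
+locations."/".proxyPass = "http://${config.containers.nextcloud.localAddress}:80";
+enableACME = true;
+forceSSL = true;
+};
+
+}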
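Review bot: `adminpass = "lushfjwebrwhjebr";` hard-codes the password of the `root` admin account for an instance that this same file publishes at `cloud.infra4future.de`; the comment above it says the literal is enough "for testing", but the value is now in the repository and presumably in the world-readable Nix store. The comment already names the fix: switch to `adminpassFile` pointing at a file under `/persist`, next to `secretFile = "/persist/secrets.json"`, and change the password on the running instance because this one has been published. `redis.password = "secret"` and `loglevel = 0` in `extraOptions` also look like test settings and deserve the same review before this serves real users.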
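--- /dev/null
+++ b/services/nginx-pages.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+domains = [ "www.infra4future.de" "hacc.earth" "www.hacc.earth" ];
+in {
+
+services.nginx.virtualHosts =
+listToAttrs (map (host: nameValuePair host {
+useACMEHost = "infra4future.de";
+forceSSL = true;
+locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+}) domains) // {
+"infra4future.de" = {
+enableACME = true;
+forceSSL = true;
+locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+};
+"muc.hacc.earth" = {
+enableACME = true;
+forceSSL = true;
+locations."/".extraConfig = ''
+proxy_pass "http://${config.containers.gitlab.localAddress}:8090/infra4future/muc.hacc.earth/";
+proxy_set_header Host 'hacc.4future.dev';
+'';
+};
+};
+
+security.acme.certs."infra4future.de" = {
+extraDomainNames = domains;
+};
+}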
|
@ -4,6 +4,8 @@
|
|||
enable = true;
|
||||
relay.enable = false;
|
||||
openDefaultPorts = true;
|
||||
configDir = "/persist/var/lib/syncthing/";
|
||||
dataDir = "/persist/data/syncthing/";
|
||||
declarative = {
|
||||
devices = {
|
||||
# schweby
|
||||
|
@ -36,7 +38,7 @@
|
|||
};
|
||||
|
||||
folders = {
|
||||
"/var/lib/syncthing/hacc" = {
|
||||
"/persist/data/syncthing/hacc/" = {
|
||||
id = "qt2ly-xvvvs";
|
||||
devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
|
||||
type = "receiveonly";
|
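--- /dev/null
+++ b/services/thelounge.nix
@@ -0,0 +1,86 @@
+{ config, lib, pkgs, evalConfig, ... }:
+
+let
+# necessary since overlays won't propagate into the
+# container's config
+thelounge = pkgs.thelounge-hacked;
+in
+{
+containers.thelounge = {
+autoStart = true;
+privateNetwork = true;
+hostAddress = "192.168.100.1";
+localAddress = "192.168.100.4";
+
+path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+boot.isContainer = true;
+networking.useDHCP = false;
+users.users.root.hashedPassword = "";
+
+nixpkgs.config.allowUnfree = true;
+networking.firewall.enable = false;
+networking.defaultGateway = {
+address = "192.168.100.1";
+interface = "eth0";
+};
+
+services.thelounge = {
+enable = true;
+
+extraConfig = {
+public = true;
+# respect X-Forwarded-For
+reverseProxy = true;
+defaults = {
+name = "libera chat";
+host = "irc.eu.libera.chat";
+port = 6697;
+# encrypt things!
+tls = true;
+# yes, please do actually check the cert …
+rejectUnauthorized = true;
+nick = "haccGuest%%%%";
+join = "#hacc-webchat";
+};
+lockNetwork = true;
+
+# don't log messages (default is text / sqlite)
+messageStorage = [];
+
+# darker theme
+#theme = "morning";
+
+# these three should result in having link previews
+# which are fetched only by the server, then proxied
+# (i.e. clients won't directly connect to arbitrary
+# domains to get previews)
+prefetch = true;
+prefetchStorage = true;
+disableMediaPreview = true;
+
+leaveMessage = "happy haccing";
+};
+};
+
+# override the package we use
+systemd.services.thelounge.serviceConfig.ExecStart =
+pkgs.lib.mkForce "${thelounge}/bin/thelounge start";
+
+services.coredns = {
+enable = true;
+config = ''
+.:53 {
+forward . 1.1.1.1
+}
+'';
+};
+})).config.system.build.toplevel;
+};
+
+services.nginx.virtualHosts."webchat.voc.hacc.space" = {
+locations."/".proxyPass =
+"http://${config.containers.thelounge.localAddress}:9000";
+enableACME = true;
+forceSSL = true;
+};
+}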
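Review bot: `reverseProxy = true` tells The Lounge to trust `X-Forwarded-For`, but the `webchat.voc.hacc.space` vhost at the end of the file sets no proxy headers, so unless `recommendedProxySettings` is enabled on the host (not visible here) the service will attribute every guest to the host address `192.168.100.1`. For a `public = true` guest gateway that removes the only per-client signal available for rate limiting and abuse handling. The mattermost vhost in this commit sets the headers explicitly; doing the same here with `locations."/".extraConfig = "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;";` plus `locations."/".proxyWebsockets = true;` would make the `# respect X-Forwarded-For` comment true.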
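--- /dev/null
+++ b/services/unifi.nix
@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+nixpkgs.config.allowUnfree = true;
+services.unifi = {
+enable = true;
+openPorts = true;
+dataDir = "/persist/var/lib/unifi";
+};
+}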