From cf5062adfd93e8efd69d9ea6f640a9e6092edc3e Mon Sep 17 00:00:00 2001 From: hexchen Date: Thu, 29 Jul 2021 20:31:14 +0000 Subject: [PATCH 01/26] sources: update nixpkgs to 21.05 this caused various other changes related to nftables, we are now using hexchen's fork of pbb's module. --- common/default.nix | 8 ++++---- default.nix | 6 +++++- modules/nftnat/default.nix | 4 +--- nix/sources.json | 25 +++++++++++++------------ pkgs/default.nix | 8 +------- 5 files changed, 24 insertions(+), 27 deletions(-) diff --git a/common/default.nix b/common/default.nix index 9a0b251..3b1826a 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modules, ... }: let sources = import ../nix/sources.nix; @@ -7,10 +7,10 @@ in { ../modules ./users.nix (sources.home-manager + "/nixos") - (sources.pbb-nixfiles + "/modules/nftables") + modules.network.nftables ]; - boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; + boot.kernelPackages = lib.mkDefault pkgs.linuxPackages; boot.kernelParams = [ "quiet" ]; networking.domain = lib.mkDefault "hacc.space"; @@ -79,5 +79,5 @@ in { access_log off; ''; - petabyte.nftables.enable = true; + networking.nftables.enable = true; } diff --git a/default.nix b/default.nix index 4679968..1f8d586 100644 --- a/default.nix +++ b/default.nix @@ -2,6 +2,10 @@ rec { sources = import ./nix/sources.nix; pkgs = import ./pkgs {}; inherit (pkgs) lib; - inherit (import (sources.nix-hexchen + "/lib/hosts.nix") { inherit pkgs; hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs; }) hosts groups; + inherit (import (sources.nix-hexchen + "/lib/hosts.nix") { + inherit pkgs sources; + inherit ((import sources.nix-hexchen) {}) modules; + hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs; + }) hosts groups; deploy = import (sources.nix-hexchen + "/lib/deploy.nix") { inherit pkgs hosts groups; }; } 
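Review bot: The change from `pkgs.linuxPackages_latest` to `pkgs.linuxPackages` on the `boot.kernelPackages` line moves every host from the newest kernel to the release's default kernel series, and neither the commit message (which only talks about nftables) nor the file says why. Since the hosts in this series boot from ZFS, the likely reason is the zfs module not building against the newest kernel, but that is a guess, and the kernel track is the kind of thing the next person doing a security upgrade wants to see justified. A comment on the line, e.g. `# default kernel rather than _latest: keeps the zfs module buildable across upgrades — revisit if _latest is needed`, would record the decision; if the switch was accidental it deserves its own commit.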
diff --git a/modules/nftnat/default.nix b/modules/nftnat/default.nix index c489206..b3fc2c2 100644 --- a/modules/nftnat/default.nix +++ b/modules/nftnat/default.nix @@ -41,9 +41,7 @@ in { }; }; - petabyte.nftables = { - enable = true; - + networking.nftables = { extraConfig = '' table ip nat { chain prerouting { diff --git a/nix/sources.json b/nix/sources.json index b4e17f0..b9026e0 100644 --- a/nix/sources.json +++ b/nix/sources.json @@ -6,15 +6,15 @@ "type": "git" }, "home-manager": { - "branch": "release-20.09", + "branch": "release-21.05", "description": "Manage a user environment using Nix [maintainer=@rycee] ", "homepage": "https://nix-community.github.io/home-manager/", "owner": "nix-community", "repo": "home-manager", - "rev": "49706878e1580d796cc99b63574310405935113f", - "sha256": "07f903ij0czyhly8kvwjazvz3s6kflxzh5fs6j8781lkxsy47i9f", + "rev": "9c0abed5228d54aad120b4bc757b6f5935aeda1c", + "sha256": "05pfa26p9k1gpir9sniwg195cqqc9v6yp9b5f9hrjhlh3jm14bgq", "type": "tarball", - "url": "https://github.com/nix-community/home-manager/archive/49706878e1580d796cc99b63574310405935113f.tar.gz", + "url": "https://github.com/nix-community/home-manager/archive/9c0abed5228d54aad120b4bc757b6f5935aeda1c.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "mattermost-server": { 
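Review bot: Dropping `enable = true` from this attrset means the module no longer guarantees its own `table ip nat` rules are ever loaded; common/default.nix enables nftables in this same commit, but any importer that does not set `networking.nftables.enable` silently ends up with no NAT for its containers rather than an error. A comment at the top of the attrset, `# relies on the importing host setting networking.nftables.enable (common/default.nix does)`, or an assertion on `config.networking.nftables.enable` with a message naming this module, would make the dependency explicit. The module body begins before this hunk, so whether the block is already guarded by its own enable option is not visible here.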
@@ -57,11 +57,12 @@
 },
 "nix-hexchen": {
 "branch": "main",
- "repo": "https://gitlab.com/hexchen/nixfiles.git",
- "rev": "83b511d9a3754ded187891c711b3dbbef82887d3",
- "sha256": "1024vl0bgmcb8g91pqcqc601xh90nxp82p0z9imp11fwb1fx7756",
+ "ref": "main",
+ "repo": "https://gitlab.com/hexchen/nixfiles",
+ "rev": "1ae89906c8fb5cf45384eb2821bd89c807c1564f",
+ "sha256": "03yicni5jfr5qjillj3dp899n3lq7dhqrg66dr0w1vy12d0lp43s",
 "type": "tarball",
- "url": "https://gitlab.com/hexchen/nixfiles/-/archive/83b511d9a3754ded187891c711b3dbbef82887d3/nixfiles-83b511d9a3754ded187891c711b3dbbef82887d3.tar.gz",
+ "url": "https://gitlab.com/hexchen/nixfiles/-/archive/1ae89906c8fb5cf45384eb2821bd89c807c1564f.tar.gz",
 "url_template": "/-/archive/.tar.gz"
 },
 "nixos-mailserver": {
@@ -74,15 +75,15 @@
 "url_template": "/-/archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "nixos-20.09",
+ "branch": "nixos-21.05",
 "description": "Nix Packages collection",
 "homepage": "",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "068984c00e0d4e54b6684d98f6ac47c92dcb642e",
- "sha256": "00j4xv4lhhqwry7jd67brnws4pwb8vn660n43pvxpkalbpxszwfg",
+ "rev": "382039c05a16827a7f0731183e862366b66b422f",
+ "sha256": "08mvanp4400zfz1knyxsjhkc7ryjlaa9awcg763ghj235wk6mlld",
 "type": "tarball",
- "url": "https://github.com/nixos/nixpkgs/archive/068984c00e0d4e54b6684d98f6ac47c92dcb642e.tar.gz",
+ "url": "https://github.com/nixos/nixpkgs/archive/382039c05a16827a7f0731183e862366b66b422f.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs-unstable": {
diff --git a/pkgs/default.nix b/pkgs/default.nix
index f5b27d7..c077df3 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -10,13 +10,7 @@ let newpkgs = { alps = callPackage ./alps {}; - docker = (pkgs.callPackage (pkgs.path + "/pkgs/applications/virtualization/docker") { - iptables = pkgs.writeScriptBin "iptables" '' - #!${pkgs.runtimeShell} - echo docker tried to run the following iptables command: $@ - exit 0 - ''; - }).docker_19_03.overrideAttrs (super: { + docker = pkgs.docker.overrideAttrs (super: { extraPath = super.extraPath + ":${pkgs.zfs}/bin"; }); From 0b30d81d137436611f269793463a21335be5f80a Mon Sep 17 00:00:00 2001 From: hexchen Date: Thu, 29 Jul 2021 20:31:52 +0000 Subject: [PATCH 02/26] hosts/parsons: init minimal config --- hosts/parsons/configuration.nix | 26 +++++++++++++++++ hosts/parsons/hardware.nix | 50 +++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 hosts/parsons/configuration.nix create mode 100644 hosts/parsons/hardware.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix new file mode 100644 index 0000000..386aa60 --- /dev/null +++ b/hosts/parsons/configuration.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, sources, modules, ... }: + +{ + imports = [ + ../../common + ./hardware.nix + modules.encboot + ((import sources.nix-hexchen) {}).profiles.nopersist + ]; + + hexchen.encboot = { + enable = true; + dataset = "-a"; + networkDrivers = [ "igb" ]; + }; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; + boot.supportedFilesystems = [ "zfs" ]; + + networking.hostId = "b2867696"; + networking.useDHCP = true; + + system.stateVersion = "21.05"; +} diff --git a/hosts/parsons/hardware.nix b/hosts/parsons/hardware.nix new file mode 100644 index 0000000..09b5f7a --- /dev/null +++ b/hosts/parsons/hardware.nix 
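Review bot: Replacing the `docker_19_03` build that carried a no-op `iptables` stub with plain `pkgs.docker` quietly changes firewall behaviour: the stub turned every iptables call from dockerd into a logged no-op, whereas the new package lets dockerd program iptables itself, and on hosts that now run `networking.nftables` (common/default.nix in this same commit) that means published container ports and Docker's FORWARD rules live outside the nftables policy instead of being subject to it. If the stub was deliberate, keep it by reusing the old `pkgs.callPackage (pkgs.path + "/pkgs/applications/virtualization/docker") { iptables = …; }` form and selecting whichever version attribute the 21.05 file exposes instead of `.docker_19_03`; if Docker is meant to stay out of the firewall entirely, `virtualisation.docker.extraOptions = "--iptables=false"` on the hosts plus NAT from the nft side is the cleaner route. Either way, a comment on the `docker =` line saying which was chosen would stop this from being rediscovered. The `newpkgs` attrset continues past the end of this hunk.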
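Review bot: `boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]` installs boot code on both disks, but hardware.nix in this same commit mounts `/boot` from a single ext4 partition by UUID, so unless that partition is itself mirrored (nothing here shows an md device) losing the disk that holds it still leaves the machine unbootable and the second GRUB has no `/boot` to read. Either give each disk its own boot partition via `boot.loader.grub.mirroredBoots`, or say what the second entry is for with a comment such as `# /boot lives on one partition only; grub on the second disk is not a full fallback`. The `hexchen.encboot` block presumably does initrd remote unlocking over `igb`, but none of its key material is visible here, so it was not reviewed.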
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "zroot/local/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/daf2a731-952f-45c7-9c25-49e1a2f56062";
+ fsType = "ext4";
+ };
+
+ fileSystems."/nix" =
+ { device = "zroot/local/nix";
+ fsType = "zfs";
+ };
+
+ fileSystems."/persist" =
+ { device = "zroot/safe/persist";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" =
+ { device = "zroot/safe/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/tmp" =
+ { device = "zroot/local/tmp";
+ fsType = "zfs";
+ };
+
+ fileSystems."/persist/data" =
+ { device = "dpool/safe/data";
+ fsType = "zfs";
+ };
+
+ swapDevices = [ ];
+
+}
From 479d119b8b8b54d826fe1eae0d3064eb098a6ddc Mon Sep 17 00:00:00 2001
From: hexchen
Date: Thu, 29 Jul 2021 20:35:07 +0000
Subject: [PATCH 03/26] ci: add parsons
---
 .gitlab-ci.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2fc6a56..a3f0205 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,13 @@
 stages:
 - build
+build-parsons:
+ tags:
+ - nix
+ stage: build
+ script:
+ - nix-build -A deploy.parsons
+
 build-nixda:
 tags:
 - nix
From 3541d14c76f433459289083244e36e955b2f1203 Mon Sep 17 00:00:00 2001
From: hexchen
Date: Wed, 4 Aug 2021 13:59:35 +0000
Subject: [PATCH 04/26] parsons: add nftables
---
 hosts/parsons/configuration.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix
index 386aa60..675f004 100644
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
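Review bot: None of the datasets that carry state across reboots here (`/persist`, `/persist/data`, `/home`) is marked `neededForBoot`, while configuration.nix for this host imports a `nopersist` profile; if that profile bind-mounts sshd host keys, machine-id or similar out of `/persist` (the usual impermanence pattern, not visible in this series), those mounts have to exist in stage 1, which `fileSystems."/persist".neededForBoot = true;` guarantees and the current entry does not. The failure mode is quiet — typically a freshly generated host key on every boot — so it is worth confirming what the profile mounts before the first deploy and adding the flag to each dataset it draws from. `/tmp` on a plain ZFS dataset is unaffected by this.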
@@ -5,6 +5,7 @@ ../../common ./hardware.nix modules.encboot + modules.network.nftables modules.nftnat ((import sources.nix-hexchen) {}).profiles.nopersist ]; @@ -21,6 +22,10 @@ networking.hostId = "b2867696"; networking.useDHCP = true; + networking.nftables.enable = true; + hexchen.nftables.nat.enable = true; + networking.nat.internalInterfaces = ["ve-+"]; + networking.nat.externalInterface = "enp35s0"; system.stateVersion = "21.05"; } From da7beff2fea69ec72c0cf7335cde135f5ca36946 Mon Sep 17 00:00:00 2001 From: hexchen Date: Fri, 6 Aug 2021 17:40:57 +0000 Subject: [PATCH 05/26] services/nextcloud: init on parsons --- hosts/parsons/configuration.nix | 6 + modules/nextcloud.nix | 746 ++++++++++++++++++++++++++++++++ services/nextcloud/default.nix | 140 ++++++ 3 files changed, 892 insertions(+) create mode 100644 modules/nextcloud.nix create mode 100644 services/nextcloud/default.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 675f004..2b7bf48 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -7,6 +7,8 @@ modules.encboot modules.network.nftables modules.nftnat ((import sources.nix-hexchen) {}).profiles.nopersist + + ../../services/nextcloud ]; hexchen.encboot = { @@ -27,5 +29,9 @@ networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "enp35s0"; + services.nginx.enable = true; + services.nginx.recommendedProxySettings = true; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + system.stateVersion = "21.05"; } diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix new file mode 100644 index 0000000..c4ec12f --- /dev/null +++ b/modules/nextcloud.nix 
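Review bot: `hexchen.nftables.nat.enable = true` together with the new `modules.nftnat` import gives this host a second source of NAT rules: common/default.nix already imports `../modules`, and this repo's own modules/nftnat writes a `table ip nat` into `networking.nftables.extraConfig` (patch 01 of this series), so if `../modules` pulls that module in, both the local rules and whatever the fork generates from `networking.nat.*` land in the same ruleset. nft generally tolerates re-declaring a table, so this would not fail loudly — it would double the masquerade/dnat rules or silently disagree about which interface is masqueraded. Decide which module owns NAT for parsons, drop the other, and check `nft list ruleset` after the first deploy; a comment on the enable line, `# NAT is generated by hexchen's module; modules/nftnat is not used on this host`, would make the choice explicit. The surrounding attrset continues outside this hunk.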
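Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ]` feeds the iptables-based NixOS firewall, but this host runs `networking.nftables.enable = true` (a few lines up in this file, and again in common/); upstream 21.05's nftables module asserts that `networking.firewall` is disabled, so either this fails to evaluate or — if `modules.network.nftables` from hexchen's fork replaces the upstream module and renders `networking.firewall.*` as nft rules — it works only by virtue of that fork. Whichever it is, verify the two ports are actually open in the live ruleset after deploy (`nft list ruleset`), and record the dependency with a comment such as `# ports are opened by hexchen's nftables module, which implements networking.firewall.* on nft`. The attrset continues outside this hunk.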
@@ -0,0 +1,746 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nextcloud-patched; + fpm = config.services.phpfpm.pools.nextcloud; + + phpPackage = + let + base = pkgs.php74; + in + base.buildEnv { + extensions = { enabled, all }: with all; + enabled ++ [ + apcu redis memcached imagick + ]; + extraConfig = phpOptionsStr; + }; + + toKeyValue = generators.toKeyValue { + mkKeyValue = generators.mkKeyValueDefault {} " = "; + }; + + phpOptions = { + upload_max_filesize = cfg.maxUploadSize; + post_max_size = cfg.maxUploadSize; + memory_limit = cfg.maxUploadSize; + } // cfg.phpOptions + // optionalAttrs cfg.caching.apcu { + "apc.enable_cli" = "1"; + }; + phpOptionsStr = toKeyValue phpOptions; + + occ = pkgs.writeScriptBin "nextcloud-occ" '' + #! ${pkgs.runtimeShell} + cd ${cfg.package} + sudo=exec + if [[ "$USER" != nextcloud ]]; then + sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS' + fi + export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" + $sudo \ + ${phpPackage}/bin/php \ + occ $* + ''; + + inherit (config.system) stateVersion; + +in { + + imports = [ + (mkRemovedOptionModule [ "services" "nextcloud-patched" "nginx" "enable" ] '' + The nextcloud module supports `nginx` as reverse-proxy by default and doesn't + support other reverse-proxies officially. + + However it's possible to use an alternative reverse-proxy by + + * disabling nginx + * setting `listen.owner` & `listen.group` in the phpfpm-pool to a different value + + Further details about this can be found in the `Nextcloud`-section of the NixOS-manual + (which can be openend e.g. by running `nixos-help`). 
+ '') + ]; + + options.services.nextcloud-patched = { + enable = mkEnableOption "nextcloud"; + hostName = mkOption { + type = types.str; + description = "FQDN for the nextcloud instance."; + }; + home = mkOption { + type = types.str; + default = "/var/lib/nextcloud"; + description = "Storage path of nextcloud."; + }; + logLevel = mkOption { + type = types.ints.between 0 4; + default = 2; + description = "Log level value between 0 (DEBUG) and 4 (FATAL)."; + }; + https = mkOption { + type = types.bool; + default = false; + description = "Use https for generated links."; + }; + package = mkOption { + type = types.package; + description = "Which package to use for the Nextcloud instance."; + relatedPackages = [ "nextcloud18" "nextcloud19" "nextcloud20" "nextcloud21" ]; + }; + + maxUploadSize = mkOption { + default = "512M"; + type = types.str; + description = '' + Defines the upload limit for files. This changes the relevant options + in php.ini and nginx if enabled. + ''; + }; + + skeletonDirectory = mkOption { + default = ""; + type = types.str; + description = '' + The directory where the skeleton files are located. These files will be + copied to the data directory of new users. Leave empty to not copy any + skeleton files. + ''; + }; + + webfinger = mkOption { + type = types.bool; + default = false; + description = '' + Enable this option if you plan on using the webfinger plugin. + The appropriate nginx rewrite rules will be added to your configuration. 
+ ''; + }; + + phpOptions = mkOption { + type = types.attrsOf types.str; + default = { + short_open_tag = "Off"; + expose_php = "Off"; + error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; + display_errors = "stderr"; + "opcache.enable_cli" = "1"; + "opcache.interned_strings_buffer" = "8"; + "opcache.max_accelerated_files" = "10000"; + "opcache.memory_consumption" = "128"; + "opcache.revalidate_freq" = "1"; + "opcache.fast_shutdown" = "1"; + "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + catch_workers_output = "yes"; + }; + description = '' + Options for PHP's php.ini file for nextcloud. + ''; + }; + + poolSettings = mkOption { + type = with types; attrsOf (oneOf [ str int bool ]); + default = { + "pm" = "dynamic"; + "pm.max_children" = "32"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "2"; + "pm.max_spare_servers" = "4"; + "pm.max_requests" = "500"; + }; + description = '' + Options for nextcloud's PHP pool. See the documentation on php-fpm.conf for details on configuration directives. + ''; + }; + + poolConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Options for nextcloud's PHP pool. See the documentation on php-fpm.conf for details on configuration directives. + ''; + }; + + config = { + dbtype = mkOption { + type = types.enum [ "sqlite" "pgsql" "mysql" ]; + default = "sqlite"; + description = "Database type."; + }; + dbname = mkOption { + type = types.nullOr types.str; + default = "nextcloud"; + description = "Database name."; + }; + dbuser = mkOption { + type = types.nullOr types.str; + default = "nextcloud"; + description = "Database user."; + }; + dbpass = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Database password. Use dbpassFile to avoid this + being world-readable in the /nix/store. 
+ ''; + }; + dbpassFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The full path to a file that contains the database password. + ''; + }; + dbhost = mkOption { + type = types.nullOr types.str; + default = "localhost"; + description = '' + Database host. + + Note: for using Unix authentication with PostgreSQL, this should be + set to /run/postgresql. + ''; + }; + dbport = mkOption { + type = with types; nullOr (either int str); + default = null; + description = "Database port."; + }; + dbtableprefix = mkOption { + type = types.nullOr types.str; + default = null; + description = "Table prefix in Nextcloud database."; + }; + adminuser = mkOption { + type = types.str; + default = "root"; + description = "Admin username."; + }; + adminpass = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Admin password. Use adminpassFile to avoid this + being world-readable in the /nix/store. + ''; + }; + adminpassFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The full path to a file that contains the admin's password. Must be + readable by user nextcloud. + ''; + }; + + extraTrustedDomains = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Trusted domains, from which the nextcloud installation will be + acessible. You don't need to add + services.nextcloud.hostname here. + ''; + }; + + trustedProxies = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Trusted proxies, to provide if the nextcloud installation is being + proxied to secure against e.g. spoofing. + ''; + }; + + overwriteProtocol = mkOption { + type = types.nullOr (types.enum [ "http" "https" ]); + default = null; + example = "https"; + + description = '' + Force Nextcloud to always use HTTPS i.e. for link generation. 
Nextcloud + uses the currently used protocol by default, but when behind a reverse-proxy, + it may use http for everything although Nextcloud + may be served via HTTPS. + ''; + }; + + defaultPhoneRegion = mkOption { + default = null; + type = types.nullOr types.str; + example = "DE"; + description = '' + + This option exists since Nextcloud 21! If older versions are used, + this will throw an eval-error! + + + ISO 3611-1 + country codes for automatic phone-number detection without a country code. + + With e.g. DE set, the +49 can be omitted for + phone-numbers. + ''; + }; + }; + + caching = { + apcu = mkOption { + type = types.bool; + default = true; + description = '' + Whether to load the APCu module into PHP. + ''; + }; + redis = mkOption { + type = types.bool; + default = false; + description = '' + Whether to load the Redis module into PHP. + You still need to enable Redis in your config.php. + See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html + ''; + }; + memcached = mkOption { + type = types.bool; + default = false; + description = '' + Whether to load the Memcached module into PHP. + You still need to enable Memcached in your config.php. + See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html + ''; + }; + }; + autoUpdateApps = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Run regular auto update of all apps installed from the nextcloud app store. + ''; + }; + startAt = mkOption { + type = with types; either str (listOf str); + default = "05:00:00"; + example = "Sun 14:00:00"; + description = '' + When to run the update. See `systemd.services.<name>.startAt`. + ''; + }; + }; + occ = mkOption { + type = types.package; + default = occ; + internal = true; + description = '' + The nextcloud-occ program preconfigured to target this Nextcloud instance. 
+ ''; + }; + + extraOptions = mkOption { + type = types.attrs; + default = ""; + description = '' + Extra options which should be appended to nextcloud's config.php file + ''; + }; + + secretFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Secret options which will be appended to nextcloud's config.php file (written in JSON, in the same + form as the `extraOptions` option). + ''; + }; + }; + + config = mkIf cfg.enable (mkMerge [ + { assertions = let acfg = cfg.config; in [ + { assertion = !(acfg.dbpass != null && acfg.dbpassFile != null); + message = "Please specify no more than one of dbpass or dbpassFile"; + } + { assertion = ((acfg.adminpass != null || acfg.adminpassFile != null) + && !(acfg.adminpass != null && acfg.adminpassFile != null)); + message = "Please specify exactly one of adminpass or adminpassFile"; + } + { assertion = versionOlder cfg.package.version "21" -> cfg.config.defaultPhoneRegion == null; + message = "The `defaultPhoneRegion'-setting is only supported for Nextcloud >=21!"; + } + ]; + + warnings = [] + ++ (optional (cfg.poolConfig != null) '' + Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release. + Please migrate your configuration to config.services.nextcloud.poolSettings. + '') + ++ (optional (versionOlder cfg.package.version "18") '' + A legacy Nextcloud install (from before NixOS 20.03) may be installed. + + You're currently deploying an older version of Nextcloud. This may be needed + since Nextcloud doesn't allow major version upgrades that skip multiple + versions (i.e. an upgrade from 16 is possible to 17, but not 16 to 18). + + It is assumed that Nextcloud will be upgraded from version 16 to 17. + + * If this is a fresh install, there will be no upgrade to do now. + + * If this server already had Nextcloud installed, first deploy this to your + server, and wait until the upgrade to 17 is finished. 
+ + Then, set `services.nextcloud.package` to `pkgs.nextcloud18` to upgrade to + Nextcloud version 18. Please note that Nextcloud 19 is already out and it's + recommended to upgrade to nextcloud19 after that. + '') + ++ (optional (versionOlder cfg.package.version "19") '' + A legacy Nextcloud install (from before NixOS 20.09) may be installed. + + If/After nextcloud18 is installed successfully, you can safely upgrade to + nextcloud19. If not, please upgrade to nextcloud18 first since Nextcloud doesn't + support upgrades that skip multiple versions (i.e. an upgrade from 17 to 19 isn't + possible, but an upgrade from 18 to 19). + '') + ++ (optional (versionOlder cfg.package.version "21") '' + The latest Nextcloud release is v21 which can be installed by setting + `services.nextcloud.package` to `pkgs.nextcloud21`. Please note that if you're + on `pkgs.nextcloud19`, you'll have to install `pkgs.nextcloud20` first. + ''); + + services.nextcloud-patched.package = with pkgs; + mkDefault ( + if pkgs ? nextcloud + then throw '' + The `pkgs.nextcloud`-attribute has been removed. If it's supposed to be the default + nextcloud defined in an overlay, please set `services.nextcloud.package` to + `pkgs.nextcloud`. + '' + else if versionOlder stateVersion "20.03" then nextcloud17 + else if versionOlder stateVersion "20.09" then nextcloud18 + else nextcloud19 + ); + } + + { systemd.timers.nextcloud-cron = { + wantedBy = [ "timers.target" ]; + timerConfig.OnBootSec = "5m"; + timerConfig.OnUnitActiveSec = "15m"; + timerConfig.Unit = "nextcloud-cron.service"; + }; + + systemd.services = { + # When upgrading the Nextcloud package, Nextcloud can report errors such as + # "The files of the app [all apps in /var/lib/nextcloud/apps] were not replaced correctly" + # Restarting phpfpm on Nextcloud package update fixes these issues (but this is a workaround). 
+ phpfpm-nextcloud.restartTriggers = [ cfg.package ]; + + nextcloud-setup = let + c = cfg.config; + writePhpArrary = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]"; + overrideConfig = pkgs.writeText "nextcloud-config.php" '' + [ + [ 'path' => '${cfg.home}/apps', 'url' => '/apps', 'writable' => false ], + [ 'path' => '${cfg.home}/store-apps', 'url' => '/store-apps', 'writable' => true ], + ], + 'datadirectory' => '${cfg.home}/data', + 'skeletondirectory' => '${cfg.skeletonDirectory}', + ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"} + 'log_type' => 'syslog', + 'log_level' => '${builtins.toString cfg.logLevel}', + ${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"} + ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"} + ${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"} + ${optionalString (c.dbport != null) "'dbport' => '${toString c.dbport}',"} + ${optionalString (c.dbuser != null) "'dbuser' => '${c.dbuser}',"} + ${optionalString (c.dbtableprefix != null) "'dbtableprefix' => '${toString c.dbtableprefix}',"} + ${optionalString (c.dbpass != null) "'dbpassword' => '${c.dbpass}',"} + ${optionalString (c.dbpassFile != null) "'dbpassword' => nix_read_pwd(),"} + 'dbtype' => '${c.dbtype}', + 'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)}, + 'trusted_proxies' => ${writePhpArrary (c.trustedProxies)}, + ${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"} + ]; + + $EXTRACONFIG = json_decode('${builtins.toJSON cfg.extraOptions}', true); + + array_push($CONFIG, $EXTRACONFIG); + ${optionalString (cfg.secretFile != null) "array_push($CONFIG, nix_read_secrets());"} + ''; + occInstallCmd = let + dbpass = if c.dbpassFile != null + then ''"$(<"${toString c.dbpassFile}")"'' + else if c.dbpass != null + then ''"${toString c.dbpass}"'' + else ''""''; + adminpass = if 
c.adminpassFile != null + then ''"$(<"${toString c.adminpassFile}")"'' + else ''"${toString c.adminpass}"''; + installFlags = concatStringsSep " \\\n " + (mapAttrsToList (k: v: "${k} ${toString v}") { + "--database" = ''"${c.dbtype}"''; + # The following attributes are optional depending on the type of + # database. Those that evaluate to null on the left hand side + # will be omitted. + ${if c.dbname != null then "--database-name" else null} = ''"${c.dbname}"''; + ${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"''; + ${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"''; + ${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"''; + "--database-pass" = dbpass; + ${if c.dbtableprefix != null + then "--database-table-prefix" else null} = ''"${toString c.dbtableprefix}"''; + "--admin-user" = ''"${c.adminuser}"''; + "--admin-pass" = adminpass; + "--data-dir" = ''"${cfg.home}/data"''; + }); + in '' + ${occ}/bin/nextcloud-occ maintenance:install \ + ${installFlags} + ''; + occSetTrustedDomainsCmd = concatStringsSep "\n" (imap0 + (i: v: '' + ${occ}/bin/nextcloud-occ config:system:set trusted_domains \ + ${toString i} --value="${toString v}" + '') ([ cfg.hostName ] ++ cfg.config.extraTrustedDomains)); + + in { + wantedBy = [ "multi-user.target" ]; + before = [ "phpfpm-nextcloud.service" ]; + path = [ occ ]; + script = '' + chmod og+x ${cfg.home} + + ${optionalString (c.dbpassFile != null) '' + if [ ! -r "${c.dbpassFile}" ]; then + echo "dbpassFile ${c.dbpassFile} is not readable by nextcloud:nextcloud! Aborting..." + exit 1 + fi + if [ -z "$(<${c.dbpassFile})" ]; then + echo "dbpassFile ${c.dbpassFile} is empty!" + exit 1 + fi + ''} + ${optionalString (c.adminpassFile != null) '' + if [ ! -r "${c.adminpassFile}" ]; then + echo "adminpassFile ${c.adminpassFile} is not readable by nextcloud:nextcloud! Aborting..." 
+ exit 1 + fi + if [ -z "$(<${c.adminpassFile})" ]; then + echo "adminpassFile ${c.adminpassFile} is empty!" + exit 1 + fi + ''} + + ln -sf ${cfg.package}/apps ${cfg.home}/ + + # create nextcloud directories. + # if the directories exist already with wrong permissions, we fix that + for dir in ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps; do + if [ ! -e $dir ]; then + install -o nextcloud -g nextcloud -d $dir + elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then + chgrp -R nextcloud $dir + fi + done + + ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php + + # Do not install if already installed + if [[ ! -e ${cfg.home}/config/config.php ]]; then + ${occInstallCmd} + fi + + ${occ}/bin/nextcloud-occ upgrade + + ${occ}/bin/nextcloud-occ config:system:delete trusted_domains + ${occSetTrustedDomainsCmd} + ''; + serviceConfig.Type = "oneshot"; + serviceConfig.User = "nextcloud"; + }; + nextcloud-cron = { + environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config"; + serviceConfig.Type = "oneshot"; + serviceConfig.User = "nextcloud"; + serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php"; + }; + nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { + serviceConfig.Type = "oneshot"; + serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all"; + serviceConfig.User = "nextcloud"; + startAt = cfg.autoUpdateApps.startAt; + }; + }; + + services.phpfpm = { + pools.nextcloud = { + user = "nextcloud"; + group = "nextcloud"; + phpOptions = phpOptionsStr; + phpPackage = phpPackage; + phpEnv = { + NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config"; + PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin"; + }; + settings = mapAttrs (name: mkDefault) { + "listen.owner" = config.services.nginx.user; + "listen.group" = config.services.nginx.group; + } // cfg.poolSettings; + extraConfig = cfg.poolConfig; + }; + }; + + users.users.nextcloud = { + home = "${cfg.home}"; + group = 
"nextcloud"; + createHome = true; + isSystemUser = true; + }; + users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ]; + + environment.systemPackages = [ occ ]; + + services.nginx.enable = mkDefault true; + + services.nginx.virtualHosts.${cfg.hostName} = let + major = toInt (versions.major cfg.package.version); + in { + root = cfg.package; + locations = { + "= /robots.txt" = { + priority = 100; + extraConfig = '' + allow all; + log_not_found off; + access_log off; + ''; + }; + "= /" = { + priority = 100; + extraConfig = '' + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + ''; + }; + "/" = { + priority = 900; + extraConfig = "rewrite ^ /index.php;"; + }; + "~ ^/store-apps" = { + priority = 201; + extraConfig = "root ${cfg.home};"; + }; + "^~ /.well-known" = { + priority = 210; + extraConfig = '' + absolute_redirect off; + location = /.well-known/carddav { + return 301 /remote.php/dav; + } + location = /.well-known/caldav { + return 301 /remote.php/dav; + } + location ~ ^/\.well-known/(?!acme-challenge|pki-validation) { + return 301 /index.php$request_uri; + } + try_files $uri $uri/ =404; + ''; + }; + "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = '' + return 404; + ''; + "~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = '' + return 404; + ''; + "~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = { + priority = 500; + extraConfig = '' + include ${config.services.nginx.package}/conf/fastcgi.conf; + fastcgi_split_path_info ^(.+?\.php)(\\/.*)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + fastcgi_param PATH_INFO $path_info; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param HTTPS ${if cfg.https then "on" else "off"}; + fastcgi_param modHeadersAvailable true; + fastcgi_param 
front_controller_active true; + fastcgi_pass unix:${fpm.socket}; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_read_timeout 120s; + ''; + }; + "~ \\.(?:css|js|woff2?|svg|gif|map)$".extraConfig = '' + try_files $uri /index.php$request_uri; + expires 6M; + access_log off; + ''; + "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = '' + try_files $uri/ =404; + index index.php; + ''; + "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = '' + try_files $uri /index.php$request_uri; + access_log off; + ''; + }; + extraConfig = '' + index index.php index.html /index.php$request_uri; + expires 1m; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options sameorigin; + add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + client_max_body_size ${cfg.maxUploadSize}; + fastcgi_buffers 64 4K; + fastcgi_hide_header X-Powered-By; + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + ${optionalString cfg.webfinger '' + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''} + ''; + }; + } + ]); +} 
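Review bot: The `nextcloud-occ` wrapper ends in `occ $*`, which re-splits every argument on whitespace (and glob-expands it) after the `sudo` hop, so an admin or database password that `nextcloud-setup` hands to `maintenance:install` as `--admin-pass "$(<file)"` is broken into several arguments if it contains a space or `*`; it should read `occ "$@"`. Further down, `array_push($CONFIG, $EXTRACONFIG);` appends the decoded `extraOptions` as one numerically-keyed element instead of merging its keys into `$CONFIG`, and the `nix_read_secrets()` line does the same for `secretFile`; unless Nextcloud's config loader flattens nested arrays (worth confirming with `occ config:list system` on a running instance), redis, mail and secret settings would silently not apply, and `$CONFIG = array_merge($CONFIG, $EXTRACONFIG);` is the merging form. The head of that PHP heredoc (everything before the `apps_paths` entries) is not visible in this view, so the helper functions it defines were not reviewed.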
diff --git a/services/nextcloud/default.nix b/services/nextcloud/default.nix new file mode 100644 index 0000000..063e1f5 --- /dev/null +++ b/services/nextcloud/default.nix 
@@ -0,0 +1,140 @@ +{ config, lib, pkgs, profiles, modules, evalConfig, ... }: + +{ + containers.nextcloud = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.2"; + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/nextcloud"; + isReadOnly = false; + }; + }; + path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ + ((import sources.nix-hexchen) {}).profiles.nopersist + ../../modules/nextcloud.nix + ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + + environment.systemPackages = [ pkgs.htop ]; + + services.nextcloud-patched = { + enable = true; + + # must be set manually; may not be incremented by more than one at + # a time, otherwise nextcloud WILL break + package = pkgs.nextcloud21; + + home = "/persist/nextcloud"; + https = true; + + hostName = "cloud.infra4future.de"; + config = { + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbname = "nextcloud"; + # there's also a adminpassFile option, but for testing this seems + # enough (less fiddling with getting the file into a nixos + # container for ad-hoc setups) + adminpass = "lushfjwebrwhjebr"; + adminuser = "root"; + }; + + caching.redis = true; + + # multiple pools may be doable using services.phpfpm.pools, + # but i have not tried this yet. 
The nextcloud module defines a + # pool "nextcloud" + poolSettings = { + pm = "dynamic"; + "pm.max_children" = "32"; + "pm.max_requests" = "500"; + "pm.max_spare_servers" = "4"; + "pm.min_spare_servers" = "2"; + "pm.start_servers" = "2"; + }; + + extraOptions = { + instanceid = "ocxlphb7fbju"; + redis = { + host = "/run/redis/redis.sock"; + port = 0; + dbindex = 0; + password = "secret"; + timeout = 1.5; + }; + datadirectory = "/persist/data/ncdata"; + mail_smtpmode = "smtp"; + mail_smtpsecure = "ssl"; + mail_sendmailmode = "smtp"; + mail_from_address = "noreply"; + mail_domain = "infra4future.de"; + mail_smtpauthtype = "PLAIN"; + mail_smtpauth = 1; + mail_smtphost = "mail.hacc.space"; + mail_smtpport = 465; + mail_smtpname = "noreply@infra4future.de"; + loglevel = 0; + "overwrite.cli.url" = "https://cloud.infra4future.de"; + }; + + # passwordsalt, secret, and mail_smtppassword go in here + secretFile = "/persist/secrets.json"; + + }; + + services.redis = { + enable = true; + unixSocket = "/var/run/redis/redis.sock"; + }; + + services.postgresql = { + enable = true; + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { # by default, postgres has unix sockets enabled, and allows a + # system user `nextcloud` to log in without other authentication + name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } + ]; + }; + + # ensure that postgres is running *before* running the setup + systemd.services."nextcloud-setup" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; + + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."cloud.infra4future.de" = { + locations."/".proxyPass = "http://${config.containers.nextcloud.localAddress}:80"; + enableACME = true; + forceSSL = true; + }; + +} From 1c65805589d1a0f4d0ab41e06278495f7510be7f Mon Sep 17 00:00:00 2001 
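Review bot: `adminpass = "lushfjwebrwhjebr"` and `password = "secret"` under `extraOptions.redis` are rendered into the generated Nextcloud config in the world-readable Nix store (and sit in the repository), so they are effectively public; the comment frames the inline password as a testing shortcut, but `hostName = "cloud.infra4future.de"` with `enableACME`/`forceSSL` on the host makes this a production deployment. The module already offers `adminpassFile`, which the comment itself mentions, and `secretFile = "/persist/secrets.json"` is already used for passwordsalt/secret, so I would write `adminpassFile = "/persist/nextcloud-adminpass";` and move the redis password into the same secrets file, then rotate both values. Separately, nginx proxies plain HTTP to `:80` and `https = true` is set, but no `config.trustedProxies` is configured, so Nextcloud presumably sees every client as `192.168.100.1` and its brute-force protection throttles all users together — if I read the module right, `config.trustedProxies = [ "192.168.100.1" ];` fixes that; please confirm for this nixpkgs.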
From: hexchen Date: Fri, 6 Aug 2021 18:49:27 +0000 Subject: [PATCH 06/26] parsons: init backups --- hosts/parsons/configuration.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 2b7bf48..e879b4c 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -33,5 +33,20 @@ services.nginx.recommendedProxySettings = true; networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.restic.backups.tardis = { + passwordFile = "/persist/restic/system"; + s3CredentialsFile = "/persist/restic/system.s3creds"; + paths = [ + "/home" + "/persist" + ]; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 3" + ]; + repository = "b2:tardis-parsons:system"; + }; + system.stateVersion = "21.05"; } From b23582a52fb21a8864205028d8889ccac1fde46c Mon Sep 17 00:00:00 2001 From: schweby Date: Fri, 6 Aug 2021 20:54:40 +0200 Subject: [PATCH 07/26] services/mattermost: init on parsons --- hosts/parsons/configuration.nix | 3 +- modules/mattermost.nix | 2 - nix/sources.json | 20 +-- services/mattermost.nix | 241 ++++++++++++++++++++++++++++++++ 4 files changed, 253 insertions(+), 13 deletions(-) create mode 100644 services/mattermost.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index e879b4c..dfd7b0f 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -2,13 +2,14 @@ { imports = [ - ../../common + ../../common ./hardware.nix modules.encboot modules.network.nftables modules.nftnat ((import sources.nix-hexchen) {}).profiles.nopersist ../../services/nextcloud + ../../services/mattermost.nix ]; hexchen.encboot = { diff --git a/modules/mattermost.nix b/modules/mattermost.nix index 0d35f08..de6ca00 100644 --- a/modules/mattermost.nix +++ b/modules/mattermost.nix 
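Review bot: Backing up `/persist` with restic captures live database directories (for example `services.mysql.dataDir = "/persist/mysql"` in services/mattermost.nix later in this series), and a file-level snapshot of a running database directory is not crash-consistent, so a restore may yield a corrupt database; hedgedoc later adds `postgresqlBackup` dumps under `/persist/backups/postgres`, but as far as the visible config shows nextcloud and mattermost have no dump step. Either add logical dumps in each container or, if the restic module in this nixpkgs has it, run them from `backupPrepareCommand` before the snapshot, and consider `exclude` entries for the raw data directories. No `timerConfig` is given, so the module default applies silently — I would state the cadence next to the retention policy, `timerConfig = { OnCalendar = "daily"; RandomizedDelaySec = "1h"; };`.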
@@ -16,8 +16,6 @@ let [ { ServiceSettings.SiteURL = cfg.siteUrl; ServiceSettings.ListenAddress = cfg.listenAddress; TeamSettings.SiteName = cfg.siteName; - SqlSettings.DriverName = "postgres"; - SqlSettings.DataSource = database; } cfg.extraConfig ]; diff --git a/nix/sources.json b/nix/sources.json index b9026e0..0ae1fe7 100644 --- a/nix/sources.json +++ b/nix/sources.json @@ -11,10 +11,10 @@ "homepage": "https://nix-community.github.io/home-manager/", "owner": "nix-community", "repo": "home-manager", - "rev": "9c0abed5228d54aad120b4bc757b6f5935aeda1c", - "sha256": "05pfa26p9k1gpir9sniwg195cqqc9v6yp9b5f9hrjhlh3jm14bgq", + "rev": "b39647e52ed3c0b989e9d5c965e598ae4c38d7ef", + "sha256": "0xw1vgwfdn75rgamcsi5j1iqfl0j06x8xp92k24wr9hayfr5m400", "type": "tarball", - "url": "https://github.com/nix-community/home-manager/archive/9c0abed5228d54aad120b4bc757b6f5935aeda1c.tar.gz", + "url": "https://github.com/nix-community/home-manager/archive/b39647e52ed3c0b989e9d5c965e598ae4c38d7ef.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "mattermost-server": { @@ -23,7 +23,7 @@ "homepage": "https://mattermost.com", "owner": "mattermost", "repo": "mattermost-server", - "rev": "37b1e6d048fc8302c727c3bc7ce73ac32c2ba93c", + "rev": "a5463c865195d0f286de63d57782ef997c270e93", "sha256": "1k0jn3a9nafbhvwn0d0rc2pj80mx7iz2scjbqkz96c5yzw3lyj79", "type": "tarball", "url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.0.tar.gz", 
@@ -80,10 +80,10 @@ "homepage": "", "owner": "nixos", "repo": "nixpkgs", - "rev": "382039c05a16827a7f0731183e862366b66b422f", - "sha256": "08mvanp4400zfz1knyxsjhkc7ryjlaa9awcg763ghj235wk6mlld", + "rev": "d4590d21006387dcb190c516724cb1e41c0f8fdf", + "sha256": "17q39hlx1x87xf2rdygyimj8whdbx33nzszf4rxkc6b85wz0l38n", "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/382039c05a16827a7f0731183e862366b66b422f.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/d4590d21006387dcb190c516724cb1e41c0f8fdf.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs-unstable": { @@ -92,10 +92,10 @@ "homepage": "", "owner": "nixos", "repo": "nixpkgs", - "rev": "8ecc61c91a596df7d3293603a9c2384190c1b89a", - "sha256": "0vhajylsmipjkm5v44n2h0pglcmpvk4mkyvxp7qfvkjdxw21dyml", + "rev": "c464dc811babfe316ed4ab7bbc12351122e69dd7", + "sha256": "0aij4q6pc99xjqh0inv6z74wiqfdgxnbg7jli6gnjqxg2lcirrc2", "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/8ecc61c91a596df7d3293603a9c2384190c1b89a.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/c464dc811babfe316ed4ab7bbc12351122e69dd7.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "pbb-nixfiles": { diff --git a/services/mattermost.nix b/services/mattermost.nix new file mode 100644 index 0000000..8a554e7 --- /dev/null +++ b/services/mattermost.nix 
@@ -0,0 +1,241 @@ +{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}: + +{ + containers.mattermost = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.3"; + + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/mattermost"; + isReadOnly = false; + }; + }; + + path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ + ../modules/mattermost.nix + ((import sources.nix-hexchen) {}).profiles.nopersist + ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + + # couldn't figure out how to actually overwrite modules, so now + # there's two mattermost modules ... + services.mattermost-patched = { + enable = true; + siteUrl = "https://mattermost.infra4future.de"; + siteName = "Mattermost - Blabla for Future"; + listenAddress = "0.0.0.0:3000"; + mutableConfig = false; + + secretConfig = "/persist/mattermost/secrets.json"; + statePath = "/persist/mattermost"; + + extraConfig = { + ServiceSettings = { + TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ]; + ReadTimeout = 300; + WriteTimeout = 600; + IdleTimeout = 60; + MaximumLoginAttempts = 10; + AllowCorsFrom = "*.infra4future.de/*"; + WebserverMode = "gzip"; + EnableCustomEmoji = true; + EnableEmojiPicker = true; + EnableGifPicker = false; + RestrictCustomEmojiCreation = "all"; + RestrictPostDelete = "all"; + AllowEditPost = "always"; + PostEditTimeout = -1; + EnableTutorial = false; + ExperimentalChannelSidebarOrganization = "default_on"; + ExperimentalChannelOrganization = true; + ExperimentalDataPrefetch = true; + EnableEmailInvitations = true; + DisableLegacyMFA = true; + EnableSVGs = true; + EnableLaTeX = true; + ThreadAutoFollow = true; + 
EnableSecurityFixAlert = false; + }; + TeamSettings = { + EnableTeamCreation = true; + EnableUserCreation = true; + EnableOpenServer = false; + EnableUserDeactivation = true; + ExperimentalViewArchivedChannels = true; + ExperimentalEnableAutomaticReplies = true; + }; + LogSettings = { + EnableConsole = true; + ConsoleLevel = "ERROR"; + EnableDiagnostics = false; + EnableWebhookDebugging = false; + }; + NotificationLogSettings = { + EnableConsole = true; + ConsoleLevel = "INFO"; + }; + PasswordSettings = { + MinimumLength = 10; + # turn of all the bullshit requirements + Lowercase = false; + Number = false; + Uppercase = false; + Symbol = false; + }; + FileSettings = { + EnableFileAttachments = true; + MaxFileSize = 52428800; + DriverName = "local"; + Directory = "/persist/mattermost/upload-storage"; + EnablePublicLink = true; + PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu"; + }; + EmailSettings = { + EnableSignUpWithEmail = false; + EnableSignInWithEmail = false; + EnableSignInWithUsername = false; + SendEmailNotifications = true; + FeedbackName = "mattermost"; + FeedbackEmail = "mattermost@infra4future.de"; + ReplyToAddress = "mattermost@infra4future.de"; + FeedbackOrganization = "∆infra4future.de"; + EnableSMTPAuth = true; + SMTPUsername = "noreply@infra4future.de"; + SMTPServer = "mail.hacc.space"; + }; + RateLimitSettings.Enable = false; + PrivacySettings = { + ShowEmailAddress = false; + ShowFullName = true; + }; + SupportSettings = { + TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html"; + PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html"; + AboutLink = "https://infra4future.de"; + SupportEmail = "info@infra4future.de"; + CustomTermsOfServiceEnabled = false; + EnableAskCommunityLink = true; + }; + AnnouncementSettings.EnableBanner = false; + GitLabSettings = { + Enable = true; + Id = "mattermost"; + Scope = ""; + AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth"; + 
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token"; + UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo"; + }; + # for some reason, these don't appear to be working; the startup + # process complaines and sets these back to en + LocalizationSettings = { + DefaultServerLocale = "de"; + DefaultClientLocale = "de"; + AvailableLocales = "de,en"; + }; + MessageExportSettings.EnableExport = false; + # plugins appear to have trouble with the read-only filesystem; it may + # be necessary to manually change their paths etc. + PluginSettings = { + Enable = true; + EnableUploads = true; + Plugins = { + bigbluebutton = { + adminonly = false; + base_url = "https://bbb.infra4future.de/bigbluebutton/api"; + salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc"; + }; + "com.github.matterpoll.matterpoll" = { + experimentalui = true; + trigger = "poll"; + }; + }; + PluginStates = { + bigbluebutton.Enable = true; + "com.github.matterpoll.matterpoll".Enable = true; + }; + }; + ComplianceSettings.Enable = false; + ClusterSettings.Enable = false; + MetricsSettings.Enable = false; + GuestAccountsSettings.Enable = false; + # this is just the general allow-this-at-all switch; users + # still have to turn it on for themselves + FeatureFlags.CollapsedThreads = true; + }; + + # turn of the weirder parts of this module (which insist on passwords + # in nix files, instead of just using socket-based authentication) + # + # It will still attempt to use its default password, but postgres will + # just let it in regardless of that. + localDatabaseCreate = false; + }; + + services.mysql = { + enable = true; + ensureDatabases = [ "mattermost" ]; + ensureUsers = [ { + name = "mattermost"; + ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; }; + } ]; + package = pkgs.mysql80; + dataDir = "/persist/mysql"; + }; + + services.postgresql = { + enable = lib.mkForce true; # mattermost sets this to false. 
wtf. + ensureDatabases = [ "mattermost" ]; + ensureUsers = [ { + name = "mattermost"; + ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; }; + } ]; + + authentication = lib.mkForce '' + # Generated file; do not edit! + local all all trust + host mattermost mattermost ::1/128 trust + ''; + }; + + networking.firewall.allowedTCPPorts = [ 3000 ]; + + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."mattermost.infra4future.de" = { + locations."/" = { + proxyPass = "http://${config.containers.mattermost.localAddress}:3000"; + proxyWebsockets = true; + extraConfig = '' + # Mattermost CSR Patch + proxy_hide_header Content-Security-Policy; + proxy_hide_header X-Frame-Options; + proxy_redirect off; + ''; + }; + forceSSL = true; + enableACME = true; + }; +} From 84ac81435e3d45e7fc44ac8418716004faa82a72 Mon Sep 17 00:00:00 2001 
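Review bot: `PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu"` and the BigBlueButton `salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc"` in `PluginSettings.Plugins` are secrets (the latter is, by the plugin's naming, the BBB API shared secret for bbb.infra4future.de), and this file writes them into the world-readable Nix store; `secretConfig = "/persist/mattermost/secrets.json"` exists precisely for such values, so both should move there and be rotated, since they are now in repository history. The nginx location's `proxy_hide_header X-Frame-Options;` (and the CSP) removes Mattermost's clickjacking protection for every page, not just whatever the "CSR Patch" comment intends to embed — scope it to the routes that need framing and document the reason, e.g. `# framing allowed on purpose: <embedding site>; X-Frame-Options/CSP stripped`. Hedged: `authentication` is forced to `local all all trust`, which lets any process in the container connect over the socket as the postgres superuser; if mattermost connects over TCP to `::1` as the second line suggests, `local all all peer` is sufficient for the first rule. Both `services.mysql` and `services.postgresql` are enabled here, and only one can be the backend — a comment saying which one mattermost actually uses would help.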
From: stuebinm Date: Thu, 5 Aug 2021 19:11:43 +0200 Subject: [PATCH 08/26] hainich: hacky version of thelounge as webchat MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Intended for KontraIAA; requirements were that it should be a simple and non-confusing as possible. I tried both KiwiIRC and thelounge, and found both horrible to package (a fact not helped by the somewhat opaque structure of nixpkgs.nodePackages, which does contain a version of thelounge but will apparently ignore overrides of the src attribute). Instead, this now contains a very hacky version of thelounge, which merely takes the already-built version from nixpkgs and glues some extra css to it which hides potentially confusing fields. Things hidden on the "connect" screen: - the "name" field (since thelounge offers "nick" "name" and "realname" by default, which seems too much for something embedded on a website) - the "I have a password" checkbox Things hidden on the general view: - the button to open the side panel (the panel itself is not hidden, and will appear by itself on wider layouts), so that users will only see that one channel - the "channel options" menu (which includes a "leave channel" option which would effectively break the webchat) Things not addressed: - thelounge has autocompletion for /join /leave, etc. Do we want to disable that as well? - It would probably useful to suppress all the "x joined the channel" messages. Thelounge supports this, but apparently doesn't support setting it as default? Misc: - for now, users will be connected to #thelounge on libera.chat, which appears to be okay with being used as an experimental channel - I allowed prefetching link previews, but only on the server's side (i.e. users' browsers won't fetch content from arbitrary sites) - not yet tested on hainich, but should work (tested in a NixOS container) - currently assumes a "webchat.voc.hacc.space" domain (I think we had a voc domain? 
but I forgot where it is …) --- hosts/hainich/configuration.nix | 1 + hosts/hainich/services/thelounge.nix | 69 ++++++++++++++++++++++++++++ pkgs/default.nix | 20 ++++++++ pkgs/thelounge/css-patch.css | 24 ++++++++++ 4 files changed, 114 insertions(+) create mode 100644 hosts/hainich/services/thelounge.nix create mode 100644 pkgs/thelounge/css-patch.css diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix index b36b0ab..56bf605 100644 --- a/hosts/hainich/configuration.nix +++ b/hosts/hainich/configuration.nix @@ -20,6 +20,7 @@ ./services/monitoring.nix ./services/workadventure.nix ./services/mattermost.nix + ./services/thelounge.nix ]; boot.loader.grub.enable = true; boot.loader.grub.version = 2; diff --git a/hosts/hainich/services/thelounge.nix b/hosts/hainich/services/thelounge.nix new file mode 100644 index 0000000..1ce4c72 --- /dev/null +++ b/hosts/hainich/services/thelounge.nix 
@@ -0,0 +1,69 @@ +{ config, lib, pkgs, ... }: + +let + # necessary since overlays won't propagate into the + # container's config + thelounge = pkgs.thelounge-hacked; +in +{ + containers.thelounge = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.70"; + localAddress = "192.168.100.71"; + + config = {pkgs, config, ...}: { + + services.thelounge = { + enable = true; + + extraConfig = { + public = true; + # respect X-Forwarded-For + reverseProxy = true; + defaults = { + name = "libera chat"; + host = "irc.eu.libera.chat"; + port = 6697; + # encrypt things! + tls = true; + # yes, please do actually check the cert … + rejectUnauthorized = true; + nick = "Guest%%%%"; + join = "#thelounge"; + }; + lockNetwork = true; + + # don't log messages (default is text / sqlite) + messageStorage = []; + + # darker theme + #theme = "morning"; + + # these three should result in having link previews + # which are fetched only by the server, then proxied + # (i.e. clients won't directly connect to arbitrary + # domains to get previews) + prefetch = true; + prefetchStorage = true; + disableMediaPreview = true; + + leaveMessage = "happy haccing"; + }; + }; + + # override the package we use + systemd.services.thelounge.serviceConfig.ExecStart = + pkgs.lib.mkForce "${thelounge}/bin/thelounge start"; + + networking.firewall.allowedTCPPorts = [ 9000 ]; + }; + }; + + services.nginx.virtualHosts."webchat.voc.hacc.space" = { + locations."/".proxyPass = + "http://${config.containers.thelounge.localAddress}:9000"; + enableACME = true; + forceSSL = true; + }; +} diff --git a/pkgs/default.nix b/pkgs/default.nix index c077df3..ea59e11 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix 
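Review bot: `prefetch = true` with `prefetchStorage = true` makes the thelounge server fetch every URL posted in `#thelounge`, a public channel, and those requests originate inside the container's network — so a link to the host at `192.168.100.70` or to anything else hainich routes would be fetched from the inside (server-side request forgery); as far as I can tell thelounge does not restrict prefetch targets to public addresses. Since the stated goal is only to keep browsers from contacting third-party sites, the safer choice is `prefetch = false;`, or keep prefetch and add a host-side nftables egress rule that lets this container reach only `irc.eu.libera.chat`. The comment above those options should record the trade-off, e.g. `# prefetch runs on the server: anything posted to the public channel gets fetched from inside our network`. `reverseProxy = true` makes thelounge trust `X-Forwarded-For`, which is fine only while nginx is the sole peer able to reach port 9000 — worth stating there too.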
@@ -35,6 +35,26 @@ let }); mattermost = callPackage ./mattermost {}; + + # a version of the lounge with some extra css that + # hides things the hacc-voc doesn't need + thelounge-hacked = pkgs.stdenv.mkDerivation { + name = "thelounge-hacked"; + src = pkgs.thelounge; + + phases = [ "buildPhase" "installPhase" ]; + buildPhase = '' + cp $src/* -r . + chmod 777 lib/node_modules/thelounge/public/css/style.css + cat ${./thelounge/css-patch.css} >> lib/node_modules/thelounge/public/css/style.css + ''; + + installPhase = '' + mkdir -p $out + cp * -r $out + ''; + }; + inherit (unstable) bottom; }; diff --git a/pkgs/thelounge/css-patch.css b/pkgs/thelounge/css-patch.css new file mode 100644 index 0000000..0d058b6 --- /dev/null +++ b/pkgs/thelounge/css-patch.css @@ -0,0 +1,24 @@ + +/* Hides extra fields on connect screen */ +.connect-row:nth-of-type(4) { + display: none !important; +} + +.connect-row:nth-of-type(2) { + display: none !important; +} + +.connect-row:nth-of-type(5) { + display: none !important; +} + + +/* Hides side panel button */ +.header > button:first-child { + display: none !important; +} + +/* Hides channel options button (includes leave option) */ +.header > button:nth-last-child(2) { + display: none !important; +} From 4b11dbf1d46213030467c18ae829948bad10ac7c Mon Sep 17 00:00:00 2001 From: hexchen Date: Sat, 7 Aug 2021 12:27:49 +0000 Subject: [PATCH 09/26] services/thelounge: move to parsons --- hosts/hainich/configuration.nix | 1 - hosts/parsons/configuration.nix | 3 ++- .../services => services}/thelounge.nix | 24 ++++++++++++------- 3 files changed, 18 insertions(+), 10 deletions(-) rename {hosts/hainich/services => services}/thelounge.nix (73%) diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix index 56bf605..b36b0ab 100644 --- a/hosts/hainich/configuration.nix +++ b/hosts/hainich/configuration.nix 
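Review bot: `chmod 777 lib/node_modules/thelounge/public/css/style.css` grants far more than the `cat >>` needs; `chmod u+w` is the conventional form (the store normalises modes afterwards, so this is readability rather than exposure). `phases = [ "buildPhase" "installPhase" ]` skips the fixup phase, which is fine here, but the approach relies on `cp -r` preserving the relative symlinks under `bin/` that the `ExecStart` override in thelounge.nix depends on — presumably that is how nixpkgs lays out the package; confirm and record it: `# thelounge from nixpkgs plus appended CSS; cp -r keeps bin/ symlinks relative to $out`. `cp -r $src/. .` and `cp -r . $out` also read more idiomatically than the option-after-operand forms.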
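Review bot: Hiding the channel-options button (`.header > button:nth-last-child(2)`) and the connect-form rows with CSS is purely cosmetic: anyone can disable the rules from devtools, and `/part`, `/join` and `/quit` remain available as commands, so this is not what keeps users in the channel — the commit message acknowledges the autocompletion gap. That should be stated in the file so nobody later treats it as access control, e.g. `/* cosmetic only: hides UI, does not restrict IRC commands; the network lock is lockNetwork in the thelounge config */`. The `nth-of-type(2/4/5)` selectors are tied to the current row order of the connect form and will silently stop matching on a thelounge upgrade; a comment naming each hidden row (the commit message says: the name field and the password checkbox) would make that breakage visible.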
@@ -20,7 +20,6 @@ ./services/monitoring.nix ./services/workadventure.nix ./services/mattermost.nix - ./services/thelounge.nix ]; boot.loader.grub.enable = true; boot.loader.grub.version = 2; diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index dfd7b0f..9524b3d 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -9,7 +9,8 @@ ((import sources.nix-hexchen) {}).profiles.nopersist ../../services/nextcloud - ../../services/mattermost.nix + ../../services/mattermost.nix + ../../services/thelounge.nix ]; hexchen.encboot = { diff --git a/hosts/hainich/services/thelounge.nix b/services/thelounge.nix similarity index 73% rename from hosts/hainich/services/thelounge.nix rename to services/thelounge.nix index 1ce4c72..0cfb051 100644 --- a/hosts/hainich/services/thelounge.nix +++ b/services/thelounge.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, evalConfig, ... }: let # necessary since overlays won't propagate into the @@ -9,10 +9,20 @@ in containers.thelounge = { autoStart = true; privateNetwork = true; - hostAddress = "192.168.100.70"; - localAddress = "192.168.100.71"; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.4"; - config = {pkgs, config, ...}: { + path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; services.thelounge = { enable = true; @@ -30,7 +40,7 @@ in # yes, please do actually check the cert … rejectUnauthorized = true; nick = "Guest%%%%"; - join = "#thelounge"; + join = "#hacc-webchat"; }; lockNetwork = true; 
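Review bot: The move to `path = evalConfig …` drops the container's `networking.firewall.allowedTCPPorts = [ 9000 ]` and sets `networking.firewall.enable = false;`, so nothing inside the container filters traffic any more and port 9000 — plus anything else that may listen — is reachable from every peer on the 192.168.100.0/24 veth network; that is acceptable only because the host is the sole other party, which deserves a comment: `# no firewall in the container; exposure is controlled by the host's nftables/NAT`. `users.users.root.hashedPassword = "";` is a passwordless root account, fine for `nixos-container root-login`, but it should be documented so nobody enables sshd or a getty in here later.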
@@ -55,9 +65,7 @@ in # override the package we use systemd.services.thelounge.serviceConfig.ExecStart = pkgs.lib.mkForce "${thelounge}/bin/thelounge start"; - - networking.firewall.allowedTCPPorts = [ 9000 ]; - }; + })).config.system.build.toplevel; }; services.nginx.virtualHosts."webchat.voc.hacc.space" = { From 172d0869b3f9595c9bb662073c53e30f80c01c98 Mon Sep 17 00:00:00 2001 From: hexchen Date: Sat, 7 Aug 2021 13:14:15 +0000 Subject: [PATCH 10/26] services/murmur: migrate to parsons --- hosts/hainich/configuration.nix | 1 - hosts/parsons/configuration.nix | 1 + {hosts/hainich/services => services}/murmur.nix | 8 +++----- 3 files changed, 4 insertions(+), 6 deletions(-) rename {hosts/hainich/services => services}/murmur.nix (92%) diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix index b36b0ab..0e9a02c 100644 --- a/hosts/hainich/configuration.nix +++ b/hosts/hainich/configuration.nix @@ -5,7 +5,6 @@ ../../common ./encboot.nix ./hardware.nix - ./services/murmur.nix ./services/mail.nix ./services/hedgedoc_hacc.nix ./services/hedgedoc_i4f.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 9524b3d..d3ca58a 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -11,6 +11,7 @@ ../../services/nextcloud ../../services/mattermost.nix ../../services/thelounge.nix + ../../services/murmur.nix ]; hexchen.encboot = { diff --git a/hosts/hainich/services/murmur.nix b/services/murmur.nix similarity index 92% rename from hosts/hainich/services/murmur.nix rename to services/murmur.nix index 3896667..68e51c8 100644 --- a/hosts/hainich/services/murmur.nix +++ b/services/murmur.nix @@ -1,8 +1,4 @@ -{ config, lib, pkgs, ... }: - -let - sources = import ../../../nix/sources.nix; -in +{ config, lib, pkgs, sources, ... }: let mumblesite = pkgs.stdenv.mkDerivation { 
@@ -18,6 +14,8 @@ let }; in { + hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur"; + services.murmur = { enable = true; logDays = -1; From 76c9b07d565d84c27bc1b82fc11b069ca543618f Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 7 Aug 2021 19:38:40 +0200 Subject: [PATCH 11/26] parsons: init hegedocs --- hosts/parsons/configuration.nix | 2 + services/hedgedoc_hacc.nix | 110 ++++++++++++++++++++++++++++++++ services/hedgedoc_i4f.nix | 96 ++++++++++++++++++++++++++++ 3 files changed, 208 insertions(+) create mode 100644 services/hedgedoc_hacc.nix create mode 100644 services/hedgedoc_i4f.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index d3ca58a..7ad9e55 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -12,6 +12,8 @@ ../../services/mattermost.nix ../../services/thelounge.nix ../../services/murmur.nix + ../../services/hedgedoc_hacc.nix + ../../services/hedgedoc_i4f.nix ]; hexchen.encboot = { diff --git a/services/hedgedoc_hacc.nix b/services/hedgedoc_hacc.nix new file mode 100644 index 0000000..696ef6d --- /dev/null +++ b/services/hedgedoc_hacc.nix 
@@ -0,0 +1,110 @@ +{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: + +{ + containers.hedgedoc = { + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.5"; + autoStart = true; + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/pad-hacc"; + isReadOnly = false; + }; + }; + path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ + ../modules/mattermost.nix + ((import sources.nix-hexchen) {}).profiles.nopersist + ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + services.hedgedoc = { + enable = true; + configuration = { + allowAnonymous = true; + allowFreeURL = true; + allowGravatar = false; + allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ]; + dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc"; + defaultPermission = "limited"; + domain = "pad.hacc.space"; + host = "0.0.0.0"; + protocolUseSSL = true; + hsts.preload = false; + email = false; + oauth2 = { + authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth"; + tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token"; + clientID = "hedgedoc"; + clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62"; + }; + }; + }; + systemd.services.hedgedoc.environment = { + "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo"; + "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name"; + "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name"; + "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email"; + "CMD_OAUTH2_PROVIDERNAME" = 
"Infra4Future"; + }; + services.postgresql = { + enable = true; + ensureDatabases = [ "hedgedoc" ]; + ensureUsers = [{ + name = "hedgedoc"; + ensurePermissions = { + "DATABASE hedgedoc" = "ALL PRIVILEGES"; + }; + }]; + }; + services.postgresqlBackup = { + enable = true; + databases = [ "hedgedoc" ]; + startAt = "*-*-* 23:45:00"; + }; + })).config.system.build.toplevel; + }; + services.nginx.virtualHosts."pad.hacc.earth" = { + enableACME = true; + forceSSL = true; + globalRedirect = "pad.hacc.space"; + }; + + services.nginx.virtualHosts."pad.hacc.space" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://192.168.100.3:3000"; + extraConfig = '' + proxy_pass_request_headers on; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + add_header Access-Control-Allow-Origin "*"; + proxy_buffering off; + ''; + }; + }; +} diff --git a/services/hedgedoc_i4f.nix b/services/hedgedoc_i4f.nix new file mode 100644 index 0000000..95b1016 --- /dev/null +++ b/services/hedgedoc_i4f.nix 
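Review bot: `clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62"` is the OAuth2 client secret for the Keycloak realm; it is committed here and rendered into the world-readable Nix store inside the container, so it should be rotated and supplied at runtime, e.g. `systemd.services.hedgedoc.serviceConfig.EnvironmentFile = "/persist/hedgedoc.env";` with `CMD_OAUTH2_CLIENT_SECRET=…` in that file — the module already drives settings through `CMD_*` variables, as the `systemd.services.hedgedoc.environment` block shows. The nginx location adds `Access-Control-Allow-Origin "*"`, which as far as I understand supersedes the `allowOrigin` list hedgedoc is configured with for the same host; if the wildcard is intentional for the fff-muc.de embed, a comment should say so, otherwise drop the `add_header`. `imports = [ ../modules/mattermost.nix ]` in a hedgedoc container looks like a copy-paste leftover from services/mattermost.nix and pulls an unrelated module into this container's evaluation.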
@@ -0,0 +1,96 @@ +{ config, lib, pkgs, modules, evalConfig, sources, ... }: + +{ + containers.pad-i4f = { + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.6"; + autoStart = true; + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/pad-i4f"; + isReadOnly = false; + }; + }; + path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ + ../modules/mattermost.nix + ((import sources.nix-hexchen) {}).profiles.nopersist + ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + services.hedgedoc = { + enable = true; + configuration = { + allowAnonymous = true; + allowFreeURL = true; + allowGravatar = false; + allowOrigin = [ "localhost" "pad.infra4future.de" "fff-muc.de" ]; + dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc"; + defaultPermission = "freely"; + domain = "pad.infra4future.de"; + host = "0.0.0.0"; + protocolUseSSL = true; + hsts.preload = false; + email = false; + }; + }; + services.postgresql = { + enable = true; + authentication = '' + local all all trust + host hedgedoc hedgedoc 127.0.0.1/32 trust + ''; + ensureDatabases = [ "hedgedoc" ]; + ensureUsers = [{ + name = "hedgedoc"; + ensurePermissions = { + "DATABASE hedgedoc" = "ALL PRIVILEGES"; + }; + }]; + }; + services.postgresqlBackup = { + enable = true; + databases = [ "hedgedoc" ]; + startAt = "*-*-* 23:45:00"; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."pad.infra4future.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://192.168.100.41:3000"; + extraConfig = '' + proxy_pass_request_headers on; + 
proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + add_header Access-Control-Allow-Origin "*"; + proxy_buffering off; + ''; + }; + }; +} From 632bf212004d48e58238ae34fb3f28c49c0b9cd6 Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 7 Aug 2021 20:27:04 +0200 Subject: [PATCH 12/26] parsons: fix hegedocs --- hosts/parsons/configuration.nix | 4 ++-- .../{hedgedoc_hacc.nix => hedgedoc-hacc.nix} | 23 +++++++------------ .../{hedgedoc_i4f.nix => hedgedoc-i4f.nix} | 11 ++------- 3 files changed, 12 insertions(+), 26 deletions(-) rename services/{hedgedoc_hacc.nix => hedgedoc-hacc.nix} (80%) rename services/{hedgedoc_i4f.nix => hedgedoc-i4f.nix} (84%) diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 7ad9e55..f20b716 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -12,8 +12,8 @@ ../../services/mattermost.nix ../../services/thelounge.nix ../../services/murmur.nix - ../../services/hedgedoc_hacc.nix - ../../services/hedgedoc_i4f.nix + ../../services/hedgedoc-hacc.nix + ../../services/hedgedoc-i4f.nix ]; hexchen.encboot = { diff --git a/services/hedgedoc_hacc.nix b/services/hedgedoc-hacc.nix similarity index 80% rename from services/hedgedoc_hacc.nix rename to services/hedgedoc-hacc.nix index 696ef6d..087e5d7 100644 --- a/services/hedgedoc_hacc.nix +++ b/services/hedgedoc-hacc.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: { - containers.hedgedoc = { + containers.pad-hacc = { privateNetwork = true; hostAddress = "192.168.100.1"; localAddress = "192.168.100.5"; 
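Review bot: `authentication` contains `local all all trust`, which lets every local OS account in the container — not just `hedgedoc` — open a socket connection as any role, including the `postgres` superuser, while the only client is `hedgedoc` over TCP via `dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc"`. Keep the `host hedgedoc hedgedoc 127.0.0.1/32 trust` line (or better, set a real role password and use `md5`/`scram-sha-256`) and change the first rule to `local all all peer`, which is what the NixOS module default provides if I recall correctly. Under `trust` the `hedgedoc:hedgedoc` credentials in the URL protect nothing, which is worth a comment so nobody assumes otherwise. Same remark as for pad.hacc.space: `add_header Access-Control-Allow-Origin "*"` supersedes hedgedoc's `allowOrigin` list.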
@@ -43,7 +43,7 @@ allowFreeURL = true; allowGravatar = false; allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ]; - dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc"; + dbURL = "postgres://codimd:codimd@localhost:5432/codimd"; defaultPermission = "limited"; domain = "pad.hacc.space"; host = "0.0.0.0"; @@ -67,18 +67,19 @@ }; services.postgresql = { enable = true; - ensureDatabases = [ "hedgedoc" ]; + ensureDatabases = [ "codimd" ]; ensureUsers = [{ - name = "hedgedoc"; + name = "codimd"; ensurePermissions = { - "DATABASE hedgedoc" = "ALL PRIVILEGES"; + "DATABASE codimd" = "ALL PRIVILEGES"; }; }]; }; services.postgresqlBackup = { enable = true; - databases = [ "hedgedoc" ]; + databases = [ "codimd" ]; startAt = "*-*-* 23:45:00"; + location = "/persist/backups/postgres"; }; })).config.system.build.toplevel; }; @@ -92,16 +93,8 @@ forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://192.168.100.3:3000"; + proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000"; extraConfig = '' - proxy_pass_request_headers on; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; add_header Access-Control-Allow-Origin "*"; proxy_buffering off; ''; diff --git a/services/hedgedoc_i4f.nix b/services/hedgedoc-i4f.nix similarity index 84% rename from services/hedgedoc_i4f.nix rename to services/hedgedoc-i4f.nix index 95b1016..b904cb4 100644 --- a/services/hedgedoc_i4f.nix +++ b/services/hedgedoc-i4f.nix @@ -70,6 +70,7 @@ enable = true; databases = [ "hedgedoc" ]; startAt = "*-*-* 23:45:00"; + location = "/persist/backups/postgres"; }; })).config.system.build.toplevel; }; 
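Review bot: Removing `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection $http_connection;` from the pad-hacc location in the `@@ -92,16 +93,8 @@` hunk (and likewise in the `@@ -78,16 +79,8 @@` hunk of services/hedgedoc-i4f.nix) takes away the websocket upgrade headers, which the host's `recommendedProxySettings` does not supply as far as I know; HedgeDoc's realtime editing runs over socket.io, which will presumably fall back to long polling rather than fail outright. The module's per-location `proxyWebsockets = true;`, if available in this nixpkgs generation, restores them together with `proxy_http_version 1.1`. Dropping the other `proxy_set_header` lines is sound: with none left in the location, the http-level headers from `recommendedProxySettings` are inherited instead of being shadowed.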
@@ -78,16 +79,8 @@ forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://192.168.100.41:3000"; + proxyPass = "http://${config.containers.pad-i4f.localAddress}:3000"; extraConfig = '' - proxy_pass_request_headers on; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; add_header Access-Control-Allow-Origin "*"; proxy_buffering off; ''; From a5063ae9601b4426777083d8b691b0d948208bfe Mon Sep 17 00:00:00 2001 From: hexchen Date: Sat, 7 Aug 2021 19:19:06 +0000 Subject: [PATCH 13/26] parsons: small fixes --- hosts/parsons/configuration.nix | 9 +++++++++ hosts/parsons/hardware.nix | 10 ++++++++++ services/thelounge.nix | 1 + 3 files changed, 20 insertions(+) diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index f20b716..7f6bf78 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -34,6 +34,15 @@ networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "enp35s0"; + networking.interfaces.enp35s0.ipv6.addresses = [{ + address = "2a01:4f9:3a:2ddb::1"; + prefixLength = 64; + }]; + networking.defaultGateway6 = { + address = "fe80::1"; + interface = "enp35s0"; + }; + services.nginx.enable = true; services.nginx.recommendedProxySettings = true; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/hosts/parsons/hardware.nix b/hosts/parsons/hardware.nix index 09b5f7a..36c90bb 100644 --- a/hosts/parsons/hardware.nix +++ b/hosts/parsons/hardware.nix 
@@ -35,6 +35,16 @@ fsType = "zfs"; }; + fileSystems."/root" = + { device = "zroot/safe/root"; + fsType = "zfs"; + }; + + fileSystems."/var/cache/restic-backups-tardis" = + { device = "zroot/safe/restic-cache"; + fsType = "zfs"; + }; + fileSystems."/tmp" = { device = "zroot/local/tmp"; fsType = "zfs"; diff --git a/services/thelounge.nix b/services/thelounge.nix index 0cfb051..677e398 100644 --- a/services/thelounge.nix +++ b/services/thelounge.nix @@ -23,6 +23,7 @@ in address = "192.168.100.1"; interface = "eth0"; }; + networking.nameservers = [ "1.1.1.1" "1.0.0.1" ]; services.thelounge = { enable = true; From f5579bc98ed682a78cd0e29008d7cfe217627cbc Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 7 Aug 2021 21:24:59 +0200 Subject: [PATCH 14/26] parsons: config nginx --- common/default.nix | 1 + hosts/parsons/configuration.nix | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/common/default.nix b/common/default.nix index 3b1826a..e5cd2e3 100644 --- a/common/default.nix +++ b/common/default.nix @@ -77,6 +77,7 @@ in { services.nginx.appendHttpConfig = '' access_log off; + add_header Permissions-Policy "interest-cohort=()"; ''; networking.nftables.enable = true; diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 7f6bf78..2a6253e 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -43,8 +43,21 @@ interface = "enp35s0"; }; - services.nginx.enable = true; - services.nginx.recommendedProxySettings = true; + services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts = { + "parsons.hacc.space" = { + default = true; + locations."/".return = "404"; + }; + "hacc.space" = { + enableACME = true; + forceSSL = true; + locations."/".return = "302 https://hacc.earth"; + }; + }; + }; networking.firewall.allowedTCPPorts = [ 80 443 ]; services.restic.backups.tardis = { From cdeb52f8080eee519cd4a64541f03a0d5ac73080 Mon Sep 17 00:00:00 2001 
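Review bot: `add_header Permissions-Policy "interest-cohort=()";` at the http level is silently dropped in every server or location block that defines its own `add_header` — nginx inherits `add_header` only when the current level has none — so the hedgedoc locations, which add `Access-Control-Allow-Origin "*"`, will not carry it. It also only applies to 2xx/3xx responses unless written with `always`. Repeat the header (with `always`) in those locations, and document the rule where it is defined, e.g. `# NOTE: add_header is not inherited by blocks that add their own headers; repeat it there`.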
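Review bot: The catch-all `"parsons.hacc.space"` vhost with `default = true` only listens on port 80, so an HTTPS request with an unknown Host or SNI is not answered by its `return 404` but by whichever TLS-enabled server block nginx picks as the implicit default, serving that site's certificate and content under the stray hostname. Giving the default vhost a TLS listener as well — `addSSL = true; enableACME = true;`, or `rejectSSL = true;` if this nixpkgs generation has it — makes the 404 (or handshake rejection) apply on both ports. `locations."/".return = "302 https://hacc.earth"` also discards the requested path and query; if that is intended a short comment saying so would help, otherwise `"302 https://hacc.earth$request_uri"`.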
From: hexchen Date: Sat, 7 Aug 2021 21:26:56 +0000 Subject: [PATCH 15/26] services/mail: migrate to parsons --- hosts/hainich/configuration.nix | 6 ------ hosts/parsons/configuration.nix | 1 + nix/sources.json | 15 ++++++++------- {hosts/hainich/services => services}/mail.nix | 10 +++++----- 4 files changed, 14 insertions(+), 18 deletions(-) rename {hosts/hainich/services => services}/mail.nix (97%) diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix index 0e9a02c..8980ae0 100644 --- a/hosts/hainich/configuration.nix +++ b/hosts/hainich/configuration.nix @@ -5,9 +5,6 @@ ../../common ./encboot.nix ./hardware.nix - ./services/mail.nix - ./services/hedgedoc_hacc.nix - ./services/hedgedoc_i4f.nix ../../common # ./wireguard.nix ./services/nginx.nix @@ -16,9 +13,6 @@ ./services/gitlab-runner.nix ./services/lantifa.nix ./services/syncthing.nix - ./services/monitoring.nix - ./services/workadventure.nix - ./services/mattermost.nix ]; boot.loader.grub.enable = true; boot.loader.grub.version = 2; diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 2a6253e..310b4c5 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -14,6 +14,7 @@ ../../services/murmur.nix ../../services/hedgedoc-hacc.nix ../../services/hedgedoc-i4f.nix + ../../services/mail.nix ]; hexchen.encboot = { diff --git a/nix/sources.json b/nix/sources.json index 0ae1fe7..1c11518 100644 --- a/nix/sources.json +++ b/nix/sources.json 
@@ -59,19 +59,20 @@ "branch": "main", "ref": "main", "repo": "https://gitlab.com/hexchen/nixfiles", - "rev": "1ae89906c8fb5cf45384eb2821bd89c807c1564f", - "sha256": "03yicni5jfr5qjillj3dp899n3lq7dhqrg66dr0w1vy12d0lp43s", + "rev": "ef358992030e9a6fa975a24bf4d9aa133bc72424", + "sha256": "01hcdrpfc8g1bbc96h7gi04zmyxi9vd7392ncadwfkx5xfd2fp17", "type": "tarball", - "url": "https://gitlab.com/hexchen/nixfiles/-/archive/1ae89906c8fb5cf45384eb2821bd89c807c1564f.tar.gz", + "url": "https://gitlab.com/hexchen/nixfiles/-/archive/ef358992030e9a6fa975a24bf4d9aa133bc72424.tar.gz", "url_template": "/-/archive/.tar.gz" }, "nixos-mailserver": { - "ref": "nixos-20.09", + "branch": "nixos-21.05", + "ref": "nixos-21.05", "repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver", - "rev": "fb1cc04c0a517d4200237b02c3472bcaf9104afb", - "sha256": "0vsvgxxg5cgmzwj98171j7h5l028f1yq784alb3lxgbk8znfk51y", + "rev": "5675b122a947b40e551438df6a623efad19fd2e7", + "sha256": "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi", "type": "tarball", - "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/fb1cc04c0a517d4200237b02c3472bcaf9104afb/nixos-mailserver-fb1cc04c0a517d4200237b02c3472bcaf9104afb.tar.gz", + "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7.tar.gz", "url_template": "/-/archive/.tar.gz" }, "nixpkgs": { diff --git a/hosts/hainich/services/mail.nix b/services/mail.nix similarity index 97% rename from hosts/hainich/services/mail.nix rename to services/mail.nix index ecd083c..6c0dfd7 100644 --- a/hosts/hainich/services/mail.nix +++ b/services/mail.nix 
@@ -1,14 +1,12 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, sources, ... }: -let - sources = import ../../../nix/sources.nix; -in { +{ imports = [ sources.nixos-mailserver.outPath ]; mailserver = { - mailDirectory = "/data/mail"; + mailDirectory = "/persist/mail"; enable = true; fqdn = "mail.hacc.space"; domains = [ "hacc.space" "muc.hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ]; @@ -145,6 +143,8 @@ in { enable = true; script = "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465"; serviceConfig.WorkingDirectory = "${pkgs.alps}/share/alps"; + serviceConfig.Restart = "always"; + requiredBy = [ "multi-user.target" ]; }; services.nginx.virtualHosts."mail.hacc.space" = { From 7881b444ba11b3c3098013a5836a8f3cad476bbb Mon Sep 17 00:00:00 2001 From: schweby Date: Sun, 8 Aug 2021 12:27:08 +0200 Subject: [PATCH 16/26] parsons: init syncthing --- hosts/hainich/configuration.nix | 3 -- hosts/parsons/configuration.nix | 1 + services/syncthing.nix | 55 +++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 services/syncthing.nix diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix index 8980ae0..6d0176a 100644 --- a/hosts/hainich/configuration.nix +++ b/hosts/hainich/configuration.nix @@ -6,13 +6,10 @@ ./encboot.nix ./hardware.nix ../../common -# ./wireguard.nix ./services/nginx.nix -# ./k8s.nix ./services/ghost_waszumfff.nix ./services/gitlab-runner.nix ./services/lantifa.nix - ./services/syncthing.nix ]; boot.loader.grub.enable = true; boot.loader.grub.version = 2; diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 310b4c5..c154b16 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -15,6 +15,7 @@ ../../services/hedgedoc-hacc.nix ../../services/hedgedoc-i4f.nix ../../services/mail.nix + ../../services/syncthing.nix ]; hexchen.encboot = { 
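Review bot: `requiredBy = [ "multi-user.target" ];` on the alps unit in the `@@ -145,6 +143,8 @@` hunk makes the whole multi-user target depend on a webmail frontend; the conventional binding for a non-essential service is `wantedBy = [ "multi-user.target" ];`, which still starts it at boot while the new `serviceConfig.Restart = "always"` handles crashes. The unit definition starts outside the hunk, so I cannot see whether it carries any sandboxing; for a service that handles user mail credentials that is worth checking.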
diff --git a/services/syncthing.nix b/services/syncthing.nix new file mode 100644 index 0000000..d7d2be6 --- /dev/null +++ b/services/syncthing.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: +{ + services.syncthing = { + enable = true; + relay.enable = false; + openDefaultPorts = true; + configDir = "/persist/var/lib/syncthing/"; + dataDir = "/persist/data/syncthing/"; + declarative = { + devices = { + # schweby + txsbcct = { + addresses = []; # empty = dynamic + id = "AQHOPTO-X3LWJXZ-2SPLSEW-MCVMX3R-VSLPPYE-NIOTDMW-QOYRSDZ-2LR7RAD"; + }; + octycs = { + addresses = []; # empty = dynamic + id = "KIJVGWZ-GRXPAUX-ZOTZDLS-KUKANCC-A2IBZRM-BT3RZK7-5M43O6R-OZD5IQE"; + }; + stuebinm-desktop = { + addresses = []; # empty = dynamic + id = "CWZTKG7-F45LE2O-TIT6IBC-RQD6MLH-K5ECUGJ-LOHJXF3-I2F4R6I-JVMRLAJ"; + }; + raphael-laptop = { + addresses = []; # empty = dynamic + id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG"; + }; + # zauberberg + conway = { + addresses = []; # empty = dynamic + id = "HV7IU2N-Q4W3A7F-BSASR43-OB575SM-47FY2UW-7N5GMFM-PX3LWRN-HXBXMQF"; + }; + # hexchen + storah = { + addresses = [ "tcp://46.4.62.95:22000" "quic://46.4.62.95:22000" ]; + id = "SGHQ2JA-7FJ6CKM-N3I54R4-UOJC5KO-7W22O62-YLTF26F-S7DLZG4-ZLP7HAM"; + }; + }; + + folders = { + "/persist/data/syncthing/hacc/" = { + id = "qt2ly-xvvvs"; + devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ]; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "10"; + }; + }; + }; + + }; + + }; +} From 373926e33b9e11f8007689312dd6bc50e227885a Mon Sep 17 00:00:00 2001 
From: hexchen Date: Sun, 8 Aug 2021 22:09:37 +0000 Subject: [PATCH 17/26] services/gitlab: init on parsons --- hosts/parsons/configuration.nix | 2 + nix/sources.json | 6 +- services/gitlab.nix | 150 ++++++++++++++++++++++++++++++++ services/nginx-pages.nix | 24 +++++ 4 files changed, 179 insertions(+), 3 deletions(-) create mode 100644 services/gitlab.nix create mode 100644 services/nginx-pages.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index c154b16..6c858b1 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -16,6 +16,8 @@ ../../services/hedgedoc-i4f.nix ../../services/mail.nix ../../services/syncthing.nix + ../../services/gitlab.nix + ../../services/nginx-pages.nix ]; hexchen.encboot = { diff --git a/nix/sources.json b/nix/sources.json index 1c11518..70693fe 100644 --- a/nix/sources.json +++ b/nix/sources.json @@ -81,10 +81,10 @@ "homepage": "", "owner": "nixos", "repo": "nixpkgs", - "rev": "d4590d21006387dcb190c516724cb1e41c0f8fdf", - "sha256": "17q39hlx1x87xf2rdygyimj8whdbx33nzszf4rxkc6b85wz0l38n", + "rev": "733682c32929293341f113f297b64ea6319e9089", + "sha256": "0f6zi45av9s176a2pi15jyf08xk0nsg181hhjhnz3asr0whyarf1", "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/d4590d21006387dcb190c516724cb1e41c0f8fdf.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/733682c32929293341f113f297b64ea6319e9089.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs-unstable": { diff --git a/services/gitlab.nix b/services/gitlab.nix new file mode 100644 index 0000000..550847c --- /dev/null +++ b/services/gitlab.nix 
@@ -0,0 +1,150 @@ +{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}: + +{ + containers.gitlab = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.7"; + + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/gitlab"; + isReadOnly = false; + }; + }; + + path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ + ../modules/mattermost.nix + ((import sources.nix-hexchen) {}).profiles.nopersist + ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + + services.gitlab = { + enable = true; + + databaseCreateLocally = true; + + host = "gitlab.infra4future.de"; + https = true; + port = 443; + + statePath = "/persist/gitlab"; + + initialRootPasswordFile = "/persist/secrets/gitlab-root"; + secrets.secretFile = "/persist/secrets/gitlab-secret"; + secrets.dbFile = "/persist/secrets/gitlab-db"; + secrets.otpFile = "/persist/secrets/gitlab-otp"; + secrets.jwsFile = "/persist/secrets/gitlab-jws"; + + smtp = { + enable = true; + address = "mail.hacc.space"; + port = 587; + authentication = "plain"; + domain = "gitlab.infra4future.de"; + enableStartTLSAuto = true; + username = "noreply@infra4future.de"; + passwordFile = "/persist/secrets/noreply-pass"; + }; + + pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ]; + extraConfig = { + pages = { + enabled = true; + host = "4future.dev"; + port = 443; + https = true; + }; + omniauth = { + enabled = true; + auto_sign_in_with_provider = "openid_connect"; + allow_single_sign_on = ["openid_connect"]; + block_auto_created_users = false; + providers = [ + { + name = "openid_connect"; + label = "infra4future Login"; + args = { + name = "openid_connect"; + scope = ["openid" "profile" 
"email"]; + response_type = "code"; + issuer = "https://auth.infra4future.de/auth/realms/forfuture"; + discovery = true; + client_auth_method = "query"; + uid_field = "username"; + client_options = { + identifier = "gitlab"; + secret = { _secret = "/persist/secrets/oidc-clientsecret"; }; + redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback"; + }; + }; + } + ]; + }; + }; + }; + + services.redis.enable = true; + services.postgresql.package = pkgs.postgresql_13; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + virtualHosts."gitlab.infra4future.de" = { + default = true; + locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; + locations."/".extraConfig = '' + proxy_redirect off; + ''; + }; + }; + + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."gitlab.infra4future.de" = { + locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80"; + locations."/".extraConfig = '' + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + ''; + enableACME = true; + forceSSL = true; + }; + + services.nginx.virtualHosts."4future.dev" = { + locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090"; + serverName = "~^((.*)\.)?4future\.dev$"; + useACMEHost = "4future.dev"; + forceSSL = true; + }; + + security.acme.certs."4future.dev" = { + dnsProvider = "cloudflare"; + credentialsFile = "/var/lib/acme/cloudflare.pass"; + extraDomainNames = [ "*.4future.dev" ]; + group = config.services.nginx.group; + }; +} diff --git a/services/nginx-pages.nix b/services/nginx-pages.nix new file mode 100644 index 0000000..e977e18 --- /dev/null +++ b/services/nginx-pages.nix 
@@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + domains = [ "www.infra4future.de" "hacc.earth" "www.hacc.earth" ]; +in { + + services.nginx.virtualHosts = + listToAttrs (map (host: nameValuePair host { + useACMEHost = "infra4future.de"; + forceSSL = true; + locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090"; + }) domains) // { + "infra4future.de" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090"; + }; + }; + + security.acme.certs."infra4future.de" = { + extraDomainNames = domains; + }; +} From 69e49a0020bde6cda39fd05777ea15fb77511db9 Mon Sep 17 00:00:00 2001 From: hexchen Date: Sun, 8 Aug 2021 22:40:54 +0000 Subject: [PATCH 18/26] services/gitlab: init ssh --- services/gitlab.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/services/gitlab.nix b/services/gitlab.nix index 550847c..a735117 100644 --- a/services/gitlab.nix +++ b/services/gitlab.nix @@ -41,6 +41,8 @@ port = 443; statePath = "/persist/gitlab"; + user = "git"; + databaseUsername = "git"; initialRootPasswordFile = "/persist/secrets/gitlab-root"; secrets.secretFile = "/persist/secrets/gitlab-secret"; @@ -113,6 +115,16 @@ }; }; + services.openssh.enable = true; + services.openssh.passwordAuthentication = false; + + users.users.git = { + isSystemUser = true; + group = "gitlab"; + home = "/persist/gitlab/home"; + uid = 165; + }; + services.coredns = { enable = true; config = '' @@ -124,6 +136,12 @@ })).config.system.build.toplevel; }; + hexchen.nftables.nat.forwardPorts = [{ + ports = [ 22 ]; + destination = "${config.containers.gitlab.localAddress}:22"; + proto = "tcp"; + }]; + services.nginx.virtualHosts."gitlab.infra4future.de" = { locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80"; locations."/".extraConfig = '' From 275d3a16f066979c1c38b8de5d01134e04f4160e Mon Sep 17 00:00:00 2001 
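Review bot: `services.openssh.passwordAuthentication = false;` alone does not stop password prompts over keyboard-interactive, which OpenSSH still offers through PAM while challenge-response authentication is on (the default in this NixOS generation under `services.openssh.challengeResponseAuthentication`, I believe); adding `services.openssh.challengeResponseAuthentication = false;` leaves keys as the only accepted method on the forwarded port. Forwarding host TCP 22 to the container in the `@@ -124,6 +136,12 @@` hunk assumes the host's own sshd is not also listening on 22 — that lives outside this file, so worth confirming. `uid = 165;` is presumably pinned so ownership of `/persist/gitlab/home` survives rebuilds; a comment saying so, `# fixed uid: files under /persist/gitlab are owned by this id across rebuilds`, would keep it from being removed as clutter.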
From: hexchen Date: Wed, 11 Aug 2021 20:31:25 +0000 Subject: [PATCH 19/26] parsons: init lxc --- hosts/parsons/configuration.nix | 2 ++ hosts/parsons/lxc.nix | 36 +++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 hosts/parsons/lxc.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 6c858b1..a5cab21 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -18,6 +18,8 @@ ../../services/syncthing.nix ../../services/gitlab.nix ../../services/nginx-pages.nix + + ./lxc.nix ]; hexchen.encboot = { diff --git a/hosts/parsons/lxc.nix b/hosts/parsons/lxc.nix new file mode 100644 index 0000000..2fdd8d7 --- /dev/null +++ b/hosts/parsons/lxc.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: + +{ + networking.bridges.lxcbr0.interfaces = []; + networking.interfaces.lxcbr0.ipv4.addresses = [ + { + address = "10.1.2.1"; + prefixLength = 24; + } + ]; + networking.nat.internalInterfaces = [ "lxcbr0" ]; + + virtualisation.lxc.enable = true; + virtualisation.lxc.systemConfig = '' + lxc.bdev.zfs.root = zroot/safe/containers/lxc + lxc.lxcpath = /persist/lxc + ''; + + users.users.root.subUidRanges = [{ count = 65536; startUid = 100000; }]; + users.users.root.subGidRanges = [{ count = 65536; startGid = 100000; }]; + + environment.etc."lxc/share".source = "${pkgs.lxc}/share/lxc"; + + + services.nginx.virtualHosts."onlyoffice.infra4future.de" = { + locations."/".proxyPass = "http://10.1.2.233:80"; + enableACME = true; + forceSSL = true; + }; + + services.nginx.virtualHosts."auth.infra4future.de" = { + locations."/".proxyPass = "http://10.1.2.104:8080"; + enableACME = true; + forceSSL = true; + }; +} From 6121acabd7d85b4b35b390f8ba8b657fadcc738d Mon Sep 17 00:00:00 2001 
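Review bot: The two nginx vhosts proxy to `10.1.2.233:80` and `10.1.2.104:8080`, addresses of LXC guests that live outside this declarative configuration (their state sits under `lxc.lxcpath = /persist/lxc`), so nothing here documents which guest owns which address or how it is pinned; a comment on each, e.g. `# onlyoffice LXC guest on lxcbr0; address is static inside the guest — TODO confirm`, and the analogous one for the guest behind auth.infra4future.de (apparently Keycloak, judging by the issuer URL in services/gitlab.nix), would help. `networking.nat.internalInterfaces = [ "lxcbr0" ];` merges with the `["ve-+"]` list in hosts/parsons/configuration.nix rather than replacing it, which is what is wanted here but easy to misread without a note.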
From: hexchen Date: Wed, 11 Aug 2021 20:31:35 +0000 Subject: [PATCH 20/26] maintenance: update sources, fix mattermost --- nix/sources.json | 26 +++++++++++++------------- services/mail.nix | 2 ++ services/mattermost.nix | 11 +++++++---- 3 files changed, 22 insertions(+), 17 deletions(-) diff --git a/nix/sources.json b/nix/sources.json index 70693fe..5d10d89 100644 --- a/nix/sources.json +++ b/nix/sources.json @@ -23,19 +23,19 @@ "homepage": "https://mattermost.com", "owner": "mattermost", "repo": "mattermost-server", - "rev": "a5463c865195d0f286de63d57782ef997c270e93", - "sha256": "1k0jn3a9nafbhvwn0d0rc2pj80mx7iz2scjbqkz96c5yzw3lyj79", + "rev": "868b8d91db6e8a0525a9e93c50a388625d426a4a", + "sha256": "1vihpmy7253yl87arlz8y9rahk1q69blykwm3172dk1hxajr7c13", "type": "tarball", - "url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.0.tar.gz", + "url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.1.tar.gz", "url_template": "https://github.com///archive/refs/tags/v.tar.gz", - "version": "5.37.0" + "version": "5.37.1" }, "mattermost-webapp": { - "sha256": "0na9drwnsr5fbrv6qq38dgvd0laj3wjs734ik5s673c0azqlm4kn", + "sha256": "00q1kcfda2z69ijpw71a6cbj76p5f57nj7pym44pp4cadi2wz180", "type": "tarball", - "url": "https://releases.mattermost.com/5.37.0/mattermost-5.37.0-linux-amd64.tar.gz", + "url": "https://releases.mattermost.com/5.37.1/mattermost-5.37.1-linux-amd64.tar.gz", "url_template": "https://releases.mattermost.com//mattermost--linux-amd64.tar.gz", - "version": "5.37.0" + "version": "5.37.1" }, "mumble-website": { "branch": "master", 
@@ -81,10 +81,10 @@ "homepage": "", "owner": "nixos", "repo": "nixpkgs", - "rev": "733682c32929293341f113f297b64ea6319e9089", - "sha256": "0f6zi45av9s176a2pi15jyf08xk0nsg181hhjhnz3asr0whyarf1", + "rev": "2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2", + "sha256": "1aafqly1mcqxh0r15mrlsrs4znldhm7cizsmfp3d25lqssay6gjd", "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/733682c32929293341f113f297b64ea6319e9089.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs-unstable": { @@ -93,10 +93,10 @@ "homepage": "", "owner": "nixos", "repo": "nixpkgs", - "rev": "c464dc811babfe316ed4ab7bbc12351122e69dd7", - "sha256": "0aij4q6pc99xjqh0inv6z74wiqfdgxnbg7jli6gnjqxg2lcirrc2", + "rev": "fe01052444c1d66ed6ef76df2af798c9769e9e79", + "sha256": "0z99hwxgrvlf0psicwd97kdqqcc3qngfzmcz7k68q6q868y8582y", "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/c464dc811babfe316ed4ab7bbc12351122e69dd7.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/fe01052444c1d66ed6ef76df2af798c9769e9e79.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "pbb-nixfiles": { diff --git a/services/mail.nix b/services/mail.nix index 6c0dfd7..4fe190c 100644 --- a/services/mail.nix +++ b/services/mail.nix 
@@ -30,6 +30,8 @@ "lenny@hacc.space".hashedPassword = "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/"; "lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ]; + "finance@muc.hacc.space".hashedPassword = "$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m."; + # service accounts "noreply@hacc.space".hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/"; "newsletter@hacc.space".hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1"; diff --git a/services/mattermost.nix b/services/mattermost.nix index 8a554e7..4045812 100644 --- a/services/mattermost.nix +++ b/services/mattermost.nix @@ -1,6 +1,8 @@ {config, pkgs, lib, profiles, modules, evalConfig, sources, ...}: -{ +let + mattermost = pkgs.mattermost; +in { containers.mattermost = { autoStart = true; privateNetwork = true; @@ -24,6 +26,8 @@ ((import sources.nix-hexchen) {}).profiles.nopersist ]; + nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ]; + nixpkgs.config.allowUnfree = true; networking.firewall.enable = false; networking.defaultGateway = { @@ -36,7 +40,7 @@ services.mattermost-patched = { enable = true; siteUrl = "https://mattermost.infra4future.de"; - siteName = "Mattermost - Blabla for Future"; + siteName = "Mattermost for Future"; listenAddress = "0.0.0.0:3000"; mutableConfig = false; @@ -69,6 +73,7 @@ EnableLaTeX = true; ThreadAutoFollow = true; EnableSecurityFixAlert = false; + CollapsedThreads = "default_on"; }; TeamSettings = { EnableTeamCreation = true; @@ -172,8 +177,6 @@ ClusterSettings.Enable = false; MetricsSettings.Enable = false; GuestAccountsSettings.Enable = false; - # this is just the general allow-this-at-all switch; users - # still have to turn it on for themselves FeatureFlags.CollapsedThreads = true; }; 
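Review bot: The new `"finance@muc.hacc.space".hashedPassword = "$6$…"` follows the existing pattern of committing password hashes to the repository, from where, as far as I can tell, the module embeds them in store-resident files that are world-readable on the host; the mailserver module also offers `hashedPasswordFile`, which reads the hash from a path outside the store and keeps it out of git. Since the rest of the account list uses `hashedPassword`, this is a migration for every entry rather than this one line, but the new account is a natural place to start. The `# service accounts` comment is useful; a matching header above the personal accounts would make the split explicit.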
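Review bot: The `@@ -172,8 +177,6 @@` hunk in services/mattermost.nix deletes the comment explaining that `FeatureFlags.CollapsedThreads = true` is only the global enable switch, without replacing it, while the new `CollapsedThreads = "default_on"` in the `@@ -69,6 +73,7 @@` hunk changes the per-user default the old comment was about. I'd keep a comment that reflects the new state, e.g. `# the feature flag only makes collapsed threads available; CollapsedThreads = "default_on" above turns them on for users by default`. The `nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];` line is the substantive fix here and would benefit from one line saying why, e.g. `# use the host's pinned mattermost build inside the container`.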
From 35cd963f8c805e645a96460826ce972a60e3d8f1 Mon Sep 17 00:00:00 2001 From: hexchen Date: Wed, 18 Aug 2021 17:08:24 +0000 Subject: [PATCH 21/26] services/gitlab-runner: init on parsons also disable ci for hainich --- .gitlab-ci.yml | 7 ---- hosts/parsons/configuration.nix | 8 +++++ hosts/parsons/hardware.nix | 5 +++ modules/nftnat/default.nix | 4 +-- pkgs/default.nix | 4 ++- services/gitlab-runner.nix | 63 +++++++++++++++++++++++++++++++++ 6 files changed, 81 insertions(+), 10 deletions(-) create mode 100644 services/gitlab-runner.nix diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a3f0205..6e67dcc 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -14,10 +14,3 @@ build-nixda: stage: build script: - nix-build -A deploy.nixda - -build-hainich: - tags: - - nix - stage: build - script: - - nix-build -A deploy.hainich diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index a5cab21..f7efc33 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -18,6 +18,7 @@ ../../services/syncthing.nix ../../services/gitlab.nix ../../services/nginx-pages.nix + ../../services/gitlab-runner.nix ./lxc.nix ]; @@ -48,6 +49,13 @@ address = "fe80::1"; interface = "enp35s0"; }; + boot = { + kernelModules = [ "nf_nat_ftp" ]; + kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true; + "net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true; + }; + }; services.nginx = { enable = true; diff --git a/hosts/parsons/hardware.nix b/hosts/parsons/hardware.nix index 36c90bb..e71bcca 100644 --- a/hosts/parsons/hardware.nix +++ b/hosts/parsons/hardware.nix @@ -55,6 +55,11 @@ fsType = "zfs"; }; + fileSystems."/var/lib/docker" = + { device = "zroot/local/docker"; + fsType = "zfs"; + }; + swapDevices = [ ]; } diff --git a/modules/nftnat/default.nix b/modules/nftnat/default.nix index b3fc2c2..e5481f5 100644 --- a/modules/nftnat/default.nix +++ b/modules/nftnat/default.nix 
@@ -36,8 +36,8 @@ in { boot = { kernelModules = [ "nf_nat_ftp" ]; kernel.sysctl = { - "net.ipv4.conf.all.forwarding" = mkOverride 98 true; - "net.ipv4.conf.default.forwarding" = mkOverride 98 true; + "net.ipv4.conf.all.forwarding" = mkOverride 90 true; + "net.ipv4.conf.default.forwarding" = mkOverride 90 true; }; }; diff --git a/pkgs/default.nix b/pkgs/default.nix index ea59e11..703ea98 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -11,7 +11,9 @@ let alps = callPackage ./alps {}; docker = pkgs.docker.overrideAttrs (super: { - extraPath = super.extraPath + ":${pkgs.zfs}/bin"; + moby = super.moby.overrideAttrs (super: { + extraPath = super.extraPath + ":${pkgs.zfs}/bin"; + }); }); linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: { diff --git a/services/gitlab-runner.nix b/services/gitlab-runner.nix new file mode 100644 index 0000000..6968d1c --- /dev/null +++ b/services/gitlab-runner.nix 
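Review bot: Lowering both forwarding sysctls from `mkOverride 98` to `mkOverride 90` is done without recording what they now need to win against, and the same two sysctls with `lib.mkOverride 90 true` plus the same `nf_nat_ftp` kernel module are also added to hosts/parsons/configuration.nix in this commit, so the host duplicates what this module sets if parsons uses it. I'd keep a single definition here and annotate the priority, e.g. `# 90: must take precedence over the forwarding sysctl defined by <module> — TODO name it`, rather than carrying the numbers in two places.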
@@ -0,0 +1,63 @@ +{config, pkgs, lib, ...}: + +{ + services.gitlab-runner = { + enable = true; + concurrent = 4; + services = { + infra4future = { + buildsDir = "/persist/var/lib/gitlab-runner/builds"; + dockerImage = "nixos/nix"; + executor = "docker"; + registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env"; + }; + nix = { + limit = 1; # don't run multiple jobs + registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env"; + dockerImage = "alpine"; + dockerVolumes = [ + "/nix/store:/nix/store:ro" + "/nix/var/nix/db:/nix/var/nix/db:ro" + "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" + ]; + dockerDisableCache = true; + preBuildScript = pkgs.writeScript "setup-container" '' + mkdir -p -m 0755 /nix/var/log/nix/drvs + mkdir -p -m 0755 /nix/var/nix/gcroots + mkdir -p -m 0755 /nix/var/nix/profiles + mkdir -p -m 0755 /nix/var/nix/temproots + mkdir -p -m 0755 /nix/var/nix/userpool + mkdir -p -m 1777 /nix/var/nix/gcroots/per-user + mkdir -p -m 1777 /nix/var/nix/profiles/per-user + mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root + mkdir -p -m 0700 "$HOME/.nix-defexpr" + . 
${pkgs.nix}/etc/profile.d/nix.sh + ${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])} + ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable + ${pkgs.nix}/bin/nix-channel --update nixpkgs + ''; + environmentVariables = { + ENV = "/etc/profile"; + USER = "root"; + NIX_REMOTE = "daemon"; + PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; + NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; + }; + tagList = [ "nix" ]; + }; + }; + }; + + systemd.services.gitlab-runner.serviceConfig = { + DynamicUser = lib.mkForce false; + User = "gitlab-runner"; + }; + + users.users.gitlab-runner = { + home = "/persist/var/lib/gitlab-runner"; + extraGroups = [ "docker" ]; + isSystemUser = true; + }; + + virtualisation.docker.storageDriver = "zfs"; +} From 7dbc22929b7cc9f7eea5797c0875de2baa39356b Mon Sep 17 00:00:00 2001 From: hexchen Date: Wed, 18 Aug 2021 18:56:05 +0000 Subject: [PATCH 22/26] parsons/nginx-pages: add muc.hacc.earth hacc --- services/nginx-pages.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/services/nginx-pages.nix b/services/nginx-pages.nix index e977e18..87899e0 100644 --- a/services/nginx-pages.nix +++ b/services/nginx-pages.nix @@ -16,6 +16,14 @@ in { forceSSL = true; locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090"; }; + "muc.hacc.earth" = { + enableACME = true; + forceSSL = true; + locations."/".extraConfig = '' + proxy_pass "http://${config.containers.gitlab.localAddress}:8090/infra4future/muc.hacc.earth/"; + proxy_set_header Host 'hacc.4future.dev'; + ''; + }; }; security.acme.certs."infra4future.de" = { From d367269e873fa4967651edeace845afd364e408f Mon Sep 17 00:00:00 2001 From: hexchen Date: Wed, 18 Aug 2021 20:00:11 +0000 Subject: [PATCH 23/26] thelounge: foo --- services/thelounge.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
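Review bot: The `nix` runner bind-mounts `/nix/var/nix/daemon-socket` into every job container and sets `NIX_REMOTE = "daemon"`, so each CI job tagged `nix` talks to the host's nix-daemon directly; the `:ro` on that mount only stops the socket file being replaced, it does not prevent connecting to it. That is the trust boundary of this runner and it deserves a comment at the `dockerVolumes` list, e.g. `# jobs get the host nix-daemon socket: only attach this runner to projects trusted to build on parsons`. The same file puts the `gitlab-runner` user in `docker` and forces `DynamicUser = false`, which the docker executor needs but which makes the runner process root-equivalent on the host; worth stating next to `extraGroups`. The `nix` service also leaves `executor` at the module default where `infra4future` sets `executor = "docker"` explicitly, and its preBuildScript runs `nix-channel --update nixpkgs` against `nixpkgs-unstable` on every job, so consecutive runs of the same pipeline are not reproducible.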
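Review bot: The new `muc.hacc.earth` vhost in services/nginx-pages.nix hard-codes `proxy_set_header Host 'hacc.4future.dev'` and the path prefix `/infra4future/muc.hacc.earth/` with no explanation, while the entry directly above reaches the same backend through `locations."/".proxyPass` without rewriting `Host`. A comment such as `# the pages backend serves this site under the hacc.4future.dev vhost at /infra4future/muc.hacc.earth/` (presumably the GitLab Pages layout — confirm) would record why header and path differ here. The backend address `http://${config.containers.gitlab.localAddress}:8090` now appears twice in the file; hoisting it into the existing `let` block would keep the two in step.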
diff --git a/services/thelounge.nix b/services/thelounge.nix index 677e398..f71beeb 100644 --- a/services/thelounge.nix +++ b/services/thelounge.nix @@ -23,7 +23,6 @@ in address = "192.168.100.1"; interface = "eth0"; }; - networking.nameservers = [ "1.1.1.1" "1.0.0.1" ]; services.thelounge = { enable = true; @@ -40,7 +39,7 @@ in tls = true; # yes, please do actually check the cert … rejectUnauthorized = true; - nick = "Guest%%%%"; + nick = "haccGuest%%%%"; join = "#hacc-webchat"; }; lockNetwork = true; @@ -66,6 +65,15 @@ in # override the package we use systemd.services.thelounge.serviceConfig.ExecStart = pkgs.lib.mkForce "${thelounge}/bin/thelounge start"; + + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; })).config.system.build.toplevel; }; From 41acbdd3e0e21445e19ed783b19e9455644fcf93 Mon Sep 17 00:00:00 2001 From: hexchen Date: Mon, 23 Aug 2021 18:43:23 +0000 Subject: [PATCH 24/26] parsons: deploy unifi controller --- hosts/parsons/configuration.nix | 1 + services/unifi.nix | 10 ++++++++++ 2 files changed, 11 insertions(+) create mode 100644 services/unifi.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index f7efc33..f3d704e 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -19,6 +19,7 @@ ../../services/gitlab.nix ../../services/nginx-pages.nix ../../services/gitlab-runner.nix + ../../services/unifi.nix ./lxc.nix ]; diff --git a/services/unifi.nix b/services/unifi.nix new file mode 100644 index 0000000..bf7ea5e --- /dev/null +++ b/services/unifi.nix @@ -0,0 +1,10 @@ +{ config, lib, pkgs, ... }: + +{ + nixpkgs.config.allowUnfree = true; + services.unifi = { + enable = true; + openPorts = true; + dataDir = "/persist/var/lib/unifi"; + }; +} From 95a0e9f04ab79b051f7db8a50f6bed238f84f155 Mon Sep 17 00:00:00 2001 
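Review bot: The third hunk of services/thelounge.nix replaces the removed `networking.nameservers = [ "1.1.1.1" "1.0.0.1" ]` with a CoreDNS instance that forwards to a single upstream, so the container loses the resolver redundancy it had; `forward . 1.1.1.1 1.0.0.1` would keep it. Nothing in the hunk points the container's own resolver at the new local CoreDNS, so this presumably relies on the libc fallback to 127.0.0.1 when no nameserver is configured — a comment saying so would make that dependency explicit. The forward is plain DNS; if encrypted upstream resolution is wanted, CoreDNS's forward plugin also accepts `tls://` upstreams with `tls_servername`. The commit message "foo" does not say what prompted the change.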
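Review bot: services/unifi.nix sets `openPorts = true`, which opens the UniFi controller's ports in the host firewall; since parsons also terminates public ACME/HTTPS vhosts, this likely exposes the controller's web UI to the internet and not only the device-inform path. A comment stating which networks need to reach the controller, or a firewall rule scoped to them, would make the exposure deliberate. `nixpkgs.config.allowUnfree = true` is also set from a service file, so importing this file flips unfree for the whole host; a comment noting that the unifi package is the reason would help the next reader.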
From: schweby Date: Mon, 23 Aug 2021 20:33:42 +0200 Subject: [PATCH 25/26] parsons: init lantifa wiki --- hosts/parsons/configuration.nix | 1 + services/lantifa.nix | 118 ++++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+) create mode 100644 services/lantifa.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index f3d704e..c41dfa0 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -20,6 +20,7 @@ ../../services/nginx-pages.nix ../../services/gitlab-runner.nix ../../services/unifi.nix + ../../services/lantifa.nix ./lxc.nix ]; diff --git a/services/lantifa.nix b/services/lantifa.nix new file mode 100644 index 0000000..3e96b10 --- /dev/null +++ b/services/lantifa.nix 
@@ -0,0 +1,118 @@ +{ config, lib, pkgs, profiles, modules, evalConfig, ... }: + +let + unstable = import (import ../nix/sources.nix).nixpkgs-unstable {}; +in { + containers.lantifa = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.8"; + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/lantifa"; + isReadOnly = false; + }; + }; + + path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + hexchen.bindmounts."/var/lib/mediawiki" = "/persist/var/lib/mediawiki"; + + imports = [ + ((import sources.nix-hexchen) {}).profiles.nopersist + ]; + + networking.hosts."127.0.0.1" = [ "wiki.lantifa.org" ]; + users.users.mediawiki.extraGroups = [ "keys" ]; + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + + services.mediawiki = { + enable = true; + name = "LANtifa"; + package = unstable.mediawiki; + database.createLocally = true; + passwordFile = "/var/lib/mediawiki/mediawiki-password"; + extraConfig = let + wikidb = pkgs.fetchzip { + url = "http://www.kennel17.co.uk/uploads/testwiki/archive/e/e9/20210407232657%21WikiDB.zip"; + sha256 = "0d4f2ygglz4w515a7lgw59500q3xmr92xxhsmh8p204yaa769x8v"; + }; + in '' + // Configure short URLs + $wgScriptPath = ""; + $wgArticlePath = "/wiki/$1"; + $wgUsePathInfo = true; + + require_once('${wikidb}/WikiDB.php'); + $wgExtraNamespaces = array( 100 => "Table", 101 => "Table_Talk",); + $wgWikiDBNamespaces = 100; + $wgGroupPermissions['user']['writeapi'] = true; + $wgDefaultUserOptions['visualeditor-enable'] = 1; + $wgLogo = "images/c/c5/LantifaLogoFem0.3.png"; + + // PageForms config + $wgGroupPermissions['*']['viewedittab'] = false; + $wgGroupPermissions['user']['viewedittab'] = true; + + // Moderation setting + 
$wgModerationNotificationEnable = true; + $wgModerationEmail = "wiki_mod@lantifa.org"; + $wgLogRestrictions["newusers"] = 'moderation'; + + // intersection / DynamicPageList config + $wgDLPMaxCacheTime = 5 * 60; + ''; + + extensions = { + TemplateData = null; + VisualEditor = null; + InputBox = null; + Moderation = pkgs.fetchzip { + url = "https://github.com/edwardspec/mediawiki-moderation/archive/v1.4.20.tar.gz"; + sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i"; + }; + intersection = pkgs.fetchzip { # This is the DynamicPageList extension + url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-789511a.tar.gz"; + sha256 = "0b5viv0d2pm1g68hynm8xbvcyw2cr3lgaxbqzdykk2yvvhc4w8j5"; + }; + PageForms = pkgs.fetchzip { + url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip"; + sha256 = "172m7p941fbkl29h5bhanx3dn42jfmzgyvgmgm2lgdbmkawwly96"; + }; + }; + + virtualHost = { + hostName = "wiki.lantifa.org"; + listen = [ { port = 80; } ]; + adminAddr = "admin@hacc.space"; + extraConfig = '' + RewriteEngine On + RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L] + RewriteRule ^/*$ %{DOCUMENT_ROOT}/index.php [L] + ''; + }; + }; + + services.mysql.dataDir = "/persist/mysql"; + services.mysqlBackup = { + enable = true; + databases = [ "mediawiki" ]; + calendar = "*-*-* 23:45:00"; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."wiki.lantifa.org" = { + locations."/".proxyPass = "http://" + config.containers.lantifa.localAddress + ""; + forceSSL = true; + enableACME = true; + }; +} From fd9e8941c77dea75114f839693f63a813b2d391b Mon Sep 17 00:00:00 2001 
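Review bot: `users.users.root.hashedPassword = ""` in the container config gives root a password-less console login; in NixOS that is not usable over SSH or via `su`/`sudo`, so it is presumably meant for `nixos-container root-login`, but a comment saying exactly that, e.g. `# empty hash = passwordless console login, for nixos-container root-login only`, would stop it being copied into a host config. The nginx vhost at the end builds the upstream with `"http://" + config.containers.lantifa.localAddress + ""`; the trailing `+ ""` is a no-op and services/nginx-pages.nix uses interpolation, so `proxyPass = "http://${config.containers.lantifa.localAddress}";` reads cleaner. `networking.firewall.enable = false` inside the container is defensible behind the host-only 192.168.100.x link but deserves the same one-line justification. The WikiDB extension is fetched over plain `http://`, which is acceptable only because `fetchzip` pins its `sha256`; noting that next to the URL avoids someone later dropping the hash.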
From: hexchen Date: Mon, 23 Aug 2021 21:26:11 +0200 Subject: [PATCH 26/26] get rid of hainich. migration done. --- hosts/hainich/configuration.nix | 130 ------------ hosts/hainich/encboot.nix | 28 --- hosts/hainich/hardware.nix | 52 ----- hosts/hainich/k8s.nix | 125 ----------- hosts/hainich/services/ghost_waszumfff.nix | 32 --- hosts/hainich/services/gitlab-runner.nix | 63 ------ hosts/hainich/services/hedgedoc_hacc.nix | 91 -------- hosts/hainich/services/hedgedoc_i4f.nix | 76 ------- hosts/hainich/services/lantifa.nix | 97 --------- hosts/hainich/services/mattermost.nix | 231 --------------------- hosts/hainich/services/monitoring.nix | 42 ---- hosts/hainich/services/nginx.nix | 56 ----- hosts/hainich/services/syncthing.nix | 53 ----- hosts/hainich/services/workadventure.nix | 102 --------- hosts/hainich/wireguard.nix | 34 --- 15 files changed, 1212 deletions(-) delete mode 100644 hosts/hainich/configuration.nix delete mode 100644 hosts/hainich/encboot.nix delete mode 100644 hosts/hainich/hardware.nix delete mode 100644 hosts/hainich/k8s.nix delete mode 100644 hosts/hainich/services/ghost_waszumfff.nix delete mode 100644 hosts/hainich/services/gitlab-runner.nix delete mode 100644 hosts/hainich/services/hedgedoc_hacc.nix delete mode 100644 hosts/hainich/services/hedgedoc_i4f.nix delete mode 100644 hosts/hainich/services/lantifa.nix delete mode 100644 hosts/hainich/services/mattermost.nix delete mode 100644 hosts/hainich/services/monitoring.nix delete mode 100644 hosts/hainich/services/nginx.nix delete mode 100644 hosts/hainich/services/syncthing.nix delete mode 100644 hosts/hainich/services/workadventure.nix delete mode 100644 hosts/hainich/wireguard.nix diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix deleted file mode 100644 index 6d0176a..0000000 --- a/hosts/hainich/configuration.nix +++ /dev/null 
@@ -1,130 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - ../../common - ./encboot.nix - ./hardware.nix - ../../common - ./services/nginx.nix - ./services/ghost_waszumfff.nix - ./services/gitlab-runner.nix - ./services/lantifa.nix - ]; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/sda"; - boot.supportedFilesystems = [ "zfs" ]; - - # stop *something* from loading ip_tables and breaking nftables - boot.blacklistedKernelModules = [ "ip_tables" "ip6_tables" "x_tables"]; - - - # networking - networking.hostName = "hainich"; - networking.hostId = "8a58cb2f"; - networking.useDHCP = true; - networking.interfaces.enp6s0.ipv4.addresses = [ - { - address = "46.4.63.148"; - prefixLength = 27; - } - - { - address = "46.4.63.158"; - prefixLength = 27; - } - ]; - networking.interfaces.enp6s0.ipv6.addresses = [ { - address = "2a01:4f8:140:84c9::1"; - prefixLength = 64; - } ]; - networking.defaultGateway = "46.4.63.129"; - networking.nameservers = [ - "1.1.1.1" "1.0.0.1" - "2606:4700:4700::1111" "2606:4700:4700::1001" - ]; - networking.defaultGateway6 = { - address = "fe80::1"; - interface = "enp6s0"; - }; - - hacc.nftables.nat.enable = true; - networking.nat.internalInterfaces = ["ve-+"]; - networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ]; - networking.nat.externalInterface = "enp6s0"; - - - networking.firewall.allowedTCPPorts = [ 22 80 443 ]; - # networking.firewall.allowedUDPPorts = [ ... 
]; - # networking.firewall.enable = false; - - # misc - time.timeZone = "UTC"; - - environment.systemPackages = with pkgs; [ - wget vim git - ]; - - services.openssh.enable = true; - services.openssh.ports = [ 22 62954 ]; - - users.users.root = { - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct" - "ssh-rsa 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 schweby@taxusbaccata" - ]; - initialHashedPassword = "$6$F316njEF2$GMF4OmPSF6QgZ3P/DblQ/UFMgoo98bztbdw7X0ygvBGC1UMMIc13Vtxjd/ZGRYW/pEHACZZ7sbRZ48t6xhvO7/"; -# shell = pkgs.fish; - }; - - # storage stuffs! - services.zfs = { - autoSnapshot = { - enable = true; - frequent = 12; - hourly = 18; - daily = 3; - weekly = 0; - monthly = 0; - }; - autoScrub = { - enable = true; - }; - }; - - boot.kernelPackages = pkgs.linuxPackages; - - services.restic.backups.tardis = { - passwordFile = "/etc/restic/system"; - s3CredentialsFile = "/etc/restic/system.s3creds"; - paths = [ - "/data" - "/home" - "/run/florinori" - "/var/lib/containers/codimd/var/lib/codimd" - "/var/lib/containers/codimd/var/backup/postgresql" - "/var/lib/containers/hedgedoc-i4f/var/lib/codimd" - "/var/lib/containers/hedgedoc-i4f/var/backup/postgresql" - "/var/lib/containers/lantifa/var/lib/mediawiki" - "/var/lib/containers/lantifa/var/backup/mysql" - "/var/lib/murmur" - "/var/lib/syncthing" - ]; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 3" - ]; - repository = "b2:tardis-hainich:system"; - }; - - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 
- system.stateVersion = "20.03"; # Did you read the comment? -} diff --git a/hosts/hainich/encboot.nix b/hosts/hainich/encboot.nix deleted file mode 100644 index 505ebfb..0000000 --- a/hosts/hainich/encboot.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - boot.initrd.kernelModules = [ "r8169" ]; # add network card driver - boot.kernelParams = ["ip=:::::enp6s0:dhcp"]; # enable dhcp on primary network interface - boot.initrd.network = { - enable = true; - ssh = { - enable = true; - port = 2222; - # TODO: Modify system config so that this works -# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); - authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; - hostKeys = [ /run/keys/ecdsa_host ]; - }; - # TODO: curl some webhook here to alert? - # possibly quite hard to do, we only have limited wget or netcat available - # how this all works: - # when someone logs in via ssh, they are prompted to unlock the zfs volume - # afterwards zfs is killed in order for the boot to progress - # timeout of 120s still applies afaik - postCommands = '' - zpool import zroot - zpool import dpool - echo "zfs load-key -a; killall zfs && exit" >> /root/.profile - ''; - }; -} diff --git a/hosts/hainich/hardware.nix b/hosts/hainich/hardware.nix deleted file mode 100644 index 587dc81..0000000 --- a/hosts/hainich/hardware.nix +++ /dev/null 
@@ -1,52 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "zroot/root/nixos"; - fsType = "zfs"; - }; - - fileSystems."/nix" = - { device = "zroot/root/nixos/nix"; - fsType = "zfs"; - }; - - fileSystems."/home" = - { device = "dpool/home"; - fsType = "zfs"; - }; - - fileSystems."/var/lib/containers" = - { device = "dpool/containers"; - fsType = "zfs"; - }; - - fileSystems."/var/lib/docker" = - { device = "dpool/docker"; - fsType = "zfs"; - }; - - fileSystems."/var/lib/gitlab-runner" = - { device = "dpool/gitlab-runner"; - fsType = "zfs"; - }; - - fileSystems."/data" = - { device = "dpool/data"; - fsType = "zfs"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/40125f55-7fe8-4850-902e-b4d6e22f0335"; - fsType = "ext2"; - }; - - swapDevices = [ ]; - - nix.maxJobs = lib.mkDefault 12; - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; -} diff --git a/hosts/hainich/k8s.nix b/hosts/hainich/k8s.nix deleted file mode 100644 index 025770b..0000000 --- a/hosts/hainich/k8s.nix +++ /dev/null 
@@ -1,125 +0,0 @@ -{ config, pkgs, ... }: -{ - services.etcd = { - advertiseClientUrls = [ - "https://[2a0d:eb04:8:10::1]:2379" - ]; - listenClientUrls = [ - "https://[2a0d:eb04:8:10::1]:2379" - ]; - listenPeerUrls = [ - "https://[::1]:2380" - ]; - }; - services.kubernetes = { - roles = [ "master" "node" ]; - flannel.enable = false; - addons.dns = { - enable = true; - clusterIp = "2a0d:eb04:8:11::53"; - reconcileMode = "EnsureExists"; - }; - pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ]; - apiserver = { - advertiseAddress = "2a0d:eb04:8:10::1"; - extraSANs = [ - "2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space" - ]; - bindAddress = "::"; - insecureBindAddress = "::1"; - etcd = { - servers = [ "https://[2a0d:eb04:8:10::1]:2379" ]; - }; - serviceClusterIpRange = "2a0d:eb04:8:11::/120"; - extraOpts = "--allow-privileged=true"; - }; - controllerManager = { - bindAddress = "::"; - clusterCidr = "2a0d:eb04:8:12::/64"; - }; - kubelet = { - address = "::"; - clusterDns = "2a0d:eb04:8:11::53"; - }; - proxy = { - bindAddress = "::"; - }; - scheduler = { - address = "::1" ; - }; - apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443"; - clusterCidr = "2a0d:eb04:8:12::/64"; - easyCerts = true; - masterAddress = "hainich.hacc.space"; - }; - - networking.firewall = { - allowedTCPPorts = [ 80 443 6443 ]; - trustedInterfaces = [ - "cbr0" "tunnat64" - ]; - extraCommands = '' - iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158 - iptables -A FORWARD -i tunnat64 -j ACCEPT - - iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80 - iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443 - iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443 - - ip6tables -A FORWARD -i tunnat64 -j ACCEPT - ip6tables -A INPUT -i tunnat64 -j ACCEPT - ''; - extraStopCommands = '' - iptables -t nat -D POSTROUTING -o enp6s0 -j 
SNAT --to 46.4.63.158 - iptables -D FORWARD -i tunnat64 -j ACCEPT - - iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80 - iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443 - iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443 - - ip6tables -A FORWARD -i tunnat64 -j ACCEPT - ip6tables -A INPUT -i tunnat64 -j ACCEPT - ''; - }; - - systemd.services.tayga = (let - config = pkgs.writeText "tayga.conf" '' - tun-device tunnat64 - ipv4-addr 10.255.255.254 - prefix 2a0d:eb04:8:10:64::/96 - dynamic-pool 10.255.255.0/24 - map 10.255.255.1 2a0d:eb04:8:10::1 - map 10.255.255.2 2a0d:eb04:8:11::2 - strict-frag-hdr 1 - ''; - startScript = pkgs.writeScriptBin "tayga-start" '' - #! ${pkgs.runtimeShell} -e - ${pkgs.iproute}/bin/ip link set up tunnat64 || true - ${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true - ${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true - ${pkgs.tayga}/bin/tayga -d --config ${config} - ''; - in { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - ExecStart = ''${startScript}/bin/tayga-start''; - }; - }); - - networking.interfaces.cbr0.ipv6.routes = [{ - address = "2a0d:eb04:8:10::"; - prefixLength = 60; - }]; - - networking.interfaces.tunnat64 = { - virtual = true; - }; - - # openebs expects some stuff to be there. - system.activationScripts.openebs = '' - mkdir -p /usr/lib /usr/sbin - ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/ - ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/ - ''; -} diff --git a/hosts/hainich/services/ghost_waszumfff.nix b/hosts/hainich/services/ghost_waszumfff.nix deleted file mode 100644 index bd58791..0000000 --- a/hosts/hainich/services/ghost_waszumfff.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - virtualisation.oci-containers.containers."ghost-waszumfff" = { - autoStart = true; - environment = { - url = "https://waszumfff.4future.dev"; - }; - image = "ghost:alpine"; - ports = [ "127.0.0.1:2368:2368" ]; - volumes = [ "/run/florinori:/var/lib/ghost/content" ]; - }; - - fileSystems."/run/florinori" = - { device = "dpool/k8s/florinori"; - fsType = "zfs"; - }; - - services.nginx.virtualHosts."waszumfff.4future.dev" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:2368"; - extraConfig = " - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - "; - }; - }; -} diff --git a/hosts/hainich/services/gitlab-runner.nix b/hosts/hainich/services/gitlab-runner.nix deleted file mode 100644 index 51c848d..0000000 --- a/hosts/hainich/services/gitlab-runner.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -{config, pkgs, lib, ...}: - -{ - services.gitlab-runner = { - enable = true; - concurrent = 4; - services = { - infra4future = { - buildsDir = "/var/lib/gitlab-runner/builds"; - dockerImage = "nixos/nix"; - executor = "docker"; - registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env"; - }; - nix = { - limit = 1; # don't run multiple jobs - registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env"; - dockerImage = "alpine"; - dockerVolumes = [ - "/nix/store:/nix/store:ro" - "/nix/var/nix/db:/nix/var/nix/db:ro" - "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" - ]; - dockerDisableCache = true; - preBuildScript = pkgs.writeScript "setup-container" '' - mkdir -p -m 0755 /nix/var/log/nix/drvs - mkdir -p -m 0755 /nix/var/nix/gcroots - mkdir -p -m 0755 /nix/var/nix/profiles - mkdir -p -m 0755 /nix/var/nix/temproots - mkdir -p -m 0755 /nix/var/nix/userpool - mkdir -p -m 1777 /nix/var/nix/gcroots/per-user - mkdir -p -m 1777 /nix/var/nix/profiles/per-user - mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root - mkdir -p -m 0700 "$HOME/.nix-defexpr" - . ${pkgs.nix}/etc/profile.d/nix.sh - ${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])} - ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable - ${pkgs.nix}/bin/nix-channel --update nixpkgs - ''; - environmentVariables = { - ENV = "/etc/profile"; - USER = "root"; - NIX_REMOTE = "daemon"; - PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; - NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; - }; - tagList = [ "nix" ]; - }; - }; - }; - - systemd.services.gitlab-runner.serviceConfig = { - DynamicUser = lib.mkForce false; - User = "gitlab-runner"; - }; - - users.users.gitlab-runner = { - home = "/var/lib/gitlab-runner"; - extraGroups = [ "docker" ]; - isSystemUser = true; - }; - - virtualisation.docker.storageDriver = "zfs"; -} 
diff --git a/hosts/hainich/services/hedgedoc_hacc.nix b/hosts/hainich/services/hedgedoc_hacc.nix deleted file mode 100644 index d22c167..0000000 --- a/hosts/hainich/services/hedgedoc_hacc.nix +++ /dev/null 
@@ -1,91 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - containers.codimd = { - privateNetwork = true; - hostAddress = "192.168.100.1"; - localAddress = "192.168.100.3"; - autoStart = true; - config = { config, lib, pkgs, ... }: { - networking.firewall.enable = false; - services.coredns = { - enable = true; - config = '' - .:53 { - forward . 1.1.1.1 - } - ''; - }; - services.hedgedoc = { - enable = true; - configuration = { - allowAnonymous = true; - allowFreeURL = true; - allowGravatar = false; - allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ]; - dbURL = "postgres://codimd:codimd@localhost:5432/codimd"; - defaultPermission = "limited"; - domain = "pad.hacc.space"; - host = "0.0.0.0"; - protocolUseSSL = true; - hsts.preload = false; - email = false; - oauth2 = { - authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth"; - tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token"; - clientID = "codimd"; - clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62"; - }; - }; - }; - systemd.services.hedgedoc.environment = { - "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo"; - "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name"; - "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name"; - "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email"; - "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future"; - }; - services.postgresql = { - enable = true; - ensureDatabases = [ "codimd" ]; - ensureUsers = [{ - name = "codimd"; - ensurePermissions = { - "DATABASE codimd" = "ALL PRIVILEGES"; - }; - }]; - }; - services.postgresqlBackup = { - enable = true; - databases = [ "codimd" ]; - startAt = "*-*-* 23:45:00"; - }; - }; - }; - - services.nginx.virtualHosts."pad.hacc.earth" = { - enableACME = true; - forceSSL = true; - globalRedirect = "pad.hacc.space"; - }; - - services.nginx.virtualHosts."pad.hacc.space" = { - forceSSL = true; - enableACME = 
true; - locations."/" = { - proxyPass = "http://192.168.100.3:3000"; - extraConfig = '' - proxy_pass_request_headers on; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - add_header Access-Control-Allow-Origin "*"; - proxy_buffering off; - ''; - }; - }; -} diff --git a/hosts/hainich/services/hedgedoc_i4f.nix b/hosts/hainich/services/hedgedoc_i4f.nix deleted file mode 100644 index dfe7da7..0000000 --- a/hosts/hainich/services/hedgedoc_i4f.nix +++ /dev/null 
@@ -1,76 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - containers.pad-i4f = { - privateNetwork = true; - hostAddress = "192.168.100.1"; - localAddress = "192.168.100.41"; - autoStart = true; - config = { config, lib, pkgs, ... }: { - networking.firewall.enable = false; - services.coredns = { - enable = true; - config = '' - .:53 { - forward . 1.1.1.1 - } - ''; - }; - services.hedgedoc = { - enable = true; - configuration = { - allowAnonymous = true; - allowFreeURL = true; - allowGravatar = false; - allowOrigin = [ "localhost" "pad.infra4future.de" "fff-muc.de" ]; - dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc"; - defaultPermission = "freely"; - domain = "pad.infra4future.de"; - host = "0.0.0.0"; - protocolUseSSL = true; - hsts.preload = false; - email = false; - }; - }; - services.postgresql = { - enable = true; - authentication = '' - local all all trust - host hedgedoc hedgedoc 127.0.0.1/32 trust - ''; - ensureDatabases = [ "hedgedoc" ]; - ensureUsers = [{ - name = "hedgedoc"; - ensurePermissions = { - "DATABASE hedgedoc" = "ALL PRIVILEGES"; - }; - }]; - }; - services.postgresqlBackup = { - enable = true; - databases = [ "hedgedoc" ]; - startAt = "*-*-* 23:45:00"; - }; - }; - }; - - services.nginx.virtualHosts."pad.infra4future.de" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://192.168.100.41:3000"; - extraConfig = '' - proxy_pass_request_headers on; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - add_header Access-Control-Allow-Origin "*"; - proxy_buffering off; - ''; - }; - }; -} diff --git a/hosts/hainich/services/lantifa.nix b/hosts/hainich/services/lantifa.nix deleted file mode 100644 index bf4da19..0000000 
--- a/hosts/hainich/services/lantifa.nix +++ /dev/null 
@@ -1,97 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - unstable = import (import ../../../nix/sources.nix).nixpkgs-unstable {}; -in { - containers.lantifa = { - autoStart = true; - privateNetwork = true; - hostAddress6 = "fd00::42:14"; - localAddress6 = "fd00::42:15"; - - config = {config, pkgs, ... }: { - networking.hosts."::1" = [ "wiki.lantifa.org" ]; - networking.firewall.enable = false; - users.users.mediawiki.extraGroups = [ "keys" ]; - - services.mediawiki = { - enable = true; - name = "LANtifa"; - package = unstable.mediawiki; - database.createLocally = true; - passwordFile = "/var/lib/mediawiki/mediawiki-password"; - extraConfig = let - wikidb = pkgs.fetchzip { - url = "http://www.kennel17.co.uk/uploads/testwiki/archive/e/e9/20210407232657%21WikiDB.zip"; - sha256 = "0d4f2ygglz4w515a7lgw59500q3xmr92xxhsmh8p204yaa769x8v"; - }; - in '' - // Configure short URLs - $wgScriptPath = ""; - $wgArticlePath = "/wiki/$1"; - $wgUsePathInfo = true; - - require_once('${wikidb}/WikiDB.php'); - $wgExtraNamespaces = array( 100 => "Table", 101 => "Table_Talk",); - $wgWikiDBNamespaces = 100; - $wgGroupPermissions['user']['writeapi'] = true; - $wgDefaultUserOptions['visualeditor-enable'] = 1; - $wgLogo = "images/c/c5/LantifaLogoFem0.3.png"; - - // PageForms config - $wgGroupPermissions['*']['viewedittab'] = false; - $wgGroupPermissions['user']['viewedittab'] = true; - - // Moderation setting - $wgModerationNotificationEnable = true; - $wgModerationEmail = "wiki_mod@lantifa.org"; - $wgLogRestrictions["newusers"] = 'moderation'; - - // intersection / DynamicPageList config - $wgDLPMaxCacheTime = 5 * 60; - ''; - - extensions = { - TemplateData = null; - VisualEditor = null; - InputBox = null; - Moderation = pkgs.fetchzip { - url = "https://github.com/edwardspec/mediawiki-moderation/archive/v1.4.20.tar.gz"; - sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i"; - }; - intersection = pkgs.fetchzip { # This is the DynamicPageList extension - url = 
"https://extdist.wmflabs.org/dist/extensions/intersection-REL1_35-1adb683.tar.gz"; - sha256 = "0jh3b22vq1ml3kdj0hhhbfjsilpw39bcjbnkajgx1pcvr7haxld7"; - }; - PageForms = pkgs.fetchzip { - url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip"; - sha256 = "172m7p941fbkl29h5bhanx3dn42jfmzgyvgmgm2lgdbmkawwly96"; - }; - }; - - virtualHost = { - hostName = "wiki.lantifa.org"; - listen = [ { port = 80; } ]; - adminAddr = "admin@hacc.space"; - extraConfig = '' - RewriteEngine On - RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L] - RewriteRule ^/*$ %{DOCUMENT_ROOT}/index.php [L] - ''; - }; - }; - - services.mysqlBackup = { - enable = true; - databases = [ "mediawiki" ]; - calendar = "*-*-* 23:45:00"; - }; - }; - }; - - services.nginx.virtualHosts."wiki.lantifa.org" = { - locations."/".proxyPass = "http://[" + config.containers.lantifa.localAddress6 + "]"; - forceSSL = true; - enableACME = true; - }; -} diff --git a/hosts/hainich/services/mattermost.nix b/hosts/hainich/services/mattermost.nix deleted file mode 100644 index 68e2c14..0000000 --- a/hosts/hainich/services/mattermost.nix +++ /dev/null 
@@ -1,231 +0,0 @@
-{config, pkgs, lib, ...}:
-
-{
- containers.mattermost = {
- autoStart = true;
- privateNetwork = true;
- hostAddress = "192.168.100.30";
- localAddress = "192.168.100.31";
-
- bindMounts."/secrets" = {
- hostPath = "/var/lib/mattermost/";
- isReadOnly = true;
- };
-
- config = {pkgs, config, ...}: {
-
- # have to import these here, since container's dont
- # inherit imports of their environment.
- imports = [ ../../../modules/mattermost.nix ];
- networking.firewall.enable = false;
-
- # couldn't figure out how to actually overwrite modules, so now
- # there's two mattermost modules ...
- services.mattermost-patched = {
- enable = true;
- siteUrl = "https://mattermost-beta.infra4future.de";
- siteName = "Mattermost - Blabla for Future";
- listenAddress = "0.0.0.0:3000";
- mutableConfig = false;
-
- secretConfig = "/secrets/secrets.json";
-
- extraConfig = {
- ServiceSettings = {
- TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
- ReadTimeout = 300;
- WriteTimeout = 600;
- IdleTimeout = 60;
- MaximumLoginAttempts = 10;
- AllowCorsFrom = "*.infra4future.de/*";
- WebserverMode = "gzip";
- EnableCustomEmoji = true;
- EnableEmojiPicker = true;
- EnableGifPicker = false;
- RestrictCustomEmojiCreation = "all";
- RestrictPostDelete = "all";
- AllowEditPost = "always";
- PostEditTimeout = -1;
- EnableTutorial = false;
- ExperimentalChannelSidebarOrganization = "default_on";
- ExperimentalChannelOrganization = true;
- ExperimentalDataPrefetch = true;
- EnableEmailInvitations = true;
- DisableLegacyMFA = true;
- EnableSVGs = true;
- EnableLaTeX = true;
- ThreadAutoFollow = true;
- EnableSecurityFixAlert = false;
- };
- TeamSettings = {
- EnableTeamCreation = true;
- EnableUserCreation = true;
- EnableOpenServer = false;
- EnableUserDeactivation = true;
- ExperimentalViewArchivedChannels = true;
- ExperimentalEnableAutomaticReplies = true;
- };
- LogSettings = {
- EnableConsole = true;
- ConsoleLevel = "ERROR";
- EnableDiagnostics = false;
- 
EnableWebhookDebugging = false;
- };
- NotificationLogSettings = {
- EnableConsole = true;
- ConsoleLevel = "INFO";
- };
- PasswordSettings = {
- MinimumLength = 10;
- # turn of all the bullshit requirements
- Lowercase = false;
- Number = false;
- Uppercase = false;
- Symbol = false;
- };
- FileSettings = {
- EnableFileAttachments = true;
- MaxFileSize = 52428800;
- DriverName = "local";
- Directory = "/var/lib/mattermost/uploads-storage";
- EnablePublicLink = true;
- PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
- };
- EmailSettings = {
- EnableSignUpWithEmail = false;
- EnableSignInWithEmail = false;
- EnableSignInWithUsername = false;
- SendEmailNotifications = true;
- FeedbackName = "mattermost";
- FeedbackEmail = "mattermost@infra4future.de";
- ReplyToAddress = "mattermost@infra4future.de";
- FeedbackOrganization = "∆infra4future.de";
- EnableSMTPAuth = true;
- SMTPUsername = "noreply@infra4future.de";
- SMTPServer = "mail.hacc.space";
- };
- RateLimitSettings.Enable = false;
- PrivacySettings = {
- ShowEmailAddress = false;
- ShowFullName = true;
- };
- SupportSettings = {
- TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
- PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
- AboutLink = "https://infra4future.de";
- SupportEmail = "info@infra4future.de";
- CustomTermsOfServiceEnabled = false;
- EnableAskCommunityLink = true;
- };
- AnnouncementSettings.EnableBanner = false;
- GitLabSettings = {
- Enable = true;
- Id = "mattermost-beta";
- Scope = "";
- AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
- TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
- UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
- };
- # for some reason, these don't appear to be working; the startup
- # process complaines and sets these back to en
- LocalizationSettings = {
- 
DefaultServerLocale = "de";
- DefaultClientLocale = "de";
- AvailableLocales = "de,en";
- };
- MessageExportSettings.EnableExport = false;
- # plugins appear to have trouble with the read-only filesystem; it may
- # be necessary to manually change their paths etc.
- PluginSettings = {
- Enable = true;
- EnableUploads = true;
- Plugins = {
- bigbluebutton = {
- adminonly = false;
- base_url = "https://bbb.infra4future.de/bigbluebutton/api";
- salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
- };
- "com.github.matterpoll.matterpoll" = {
- experimentalui = true;
- trigger = "poll";
- };
- };
- PluginStates = {
- bigbluebutton.Enable = true;
- "com.github.matterpoll.matterpoll".Enable = true;
- };
- };
- ComplianceSettings.Enable = false;
- ClusterSettings.Enable = false;
- MetricsSettings.Enable = false;
- GuestAccountsSettings.Enable = false;
- # this is just the general allow-this-at-all switch; users
- # still have to turn it on for themselves
- FeatureFlags.CollapsedThreads = true;
- };
-
- # turn of the weirder parts of this module (which insist on passwords
- # in nix files, instead of just using socket-based authentication)
- #
- # It will still attempt to use its default password, but postgres will
- # just let it in regardless of that.
- localDatabaseCreate = false;
- };
-
- services.postgresql = {
- enable = lib.mkForce true; # mattermost sets this to false. wtf.
- ensureDatabases = [ "mattermost" ];
- ensureUsers = [ {
- name = "mattermost";
- ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
- } ];
-
- authentication = lib.mkForce ''
- # Generated file; do not edit!
- local all all trust
- host mattermost mattermost ::1/128 trust
- '';
- };
-
- networking.firewall.allowedTCPPorts = [ 3000 ];
-
- services.coredns = {
- enable = true;
- config = ''
- .:53 {
- forward . 
1.1.1.1
- }
- '';
- };
- };
- };
-
- services.nginx.virtualHosts."mattermost-beta.infra4future.de" = {
- locations."/" = {
- proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
-
- # Mattermost CSR Patch
- proxy_hide_header Content-Security-Policy;
- proxy_hide_header X-Frame-Options;
- proxy_redirect off;
- '';
- };
- forceSSL = true;
- enableACME = true;
- };
-
- networking.nat = {
- enable = true;
- internalInterfaces = [ "ve-mattermost" ];
- externalInterface = "enp6s0";
- };
-
-}
diff --git a/hosts/hainich/services/monitoring.nix b/hosts/hainich/services/monitoring.nix
deleted file mode 100644
index c1c60d6..0000000
--- a/hosts/hainich/services/monitoring.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- services.prometheus = {
- enable = true;
- webExternalUrl = "https://stats.hacc.space";
- exporters = {
- dovecot = {
- enable = true;
- scopes = [ "user" "global" ];
- socketPath = "/var/run/dovecot2/old-stats";
- };
- nginx.enable = true;
- node.enable = true;
- postfix = {
- enable = true;
- systemd.enable = true;
- };
- rspamd.enable = true;
- };
- scrapeConfigs = (lib.mapAttrsToList (name: val:
- {
- job_name = "${name}-${config.networking.hostName}";
- static_configs = [{
- targets = [ "localhost:${toString val.port}" ];
- labels.host = config.networking.hostName;
- }];
- }
- ) (lib.filterAttrs (_: val: val.enable) config.services.prometheus.exporters));
- };
-
- services.dovecot2.extraConfig = ''
- mail_plugins = $mail_plugins old_stats
- service old-stats {
- unix_listener old-stats {
- user = dovecot-exporter
- group = dovecot-exporter
- }
- }
- '';
- services.nginx.statusPage = true;
-}
diff --git a/hosts/hainich/services/nginx.nix b/hosts/hainich/services/nginx.nix
deleted file mode 100644
index 98d0c58..0000000
--- a/hosts/hainich/services/nginx.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- security.acme.acceptTerms = true;
- security.acme.email = "info+acme@hacc.space";
- services.nginx.enable = true;
- services.nginx.package = pkgs.nginx.override {
- modules = [ pkgs.nginxModules.rtmp ];
- };
-
-# services.nginx.recommendedProxySettings = true;
-
- services.nginx.virtualHosts = let
- in {
- # let all empty subdomains pointing to hainich return 404
- "hainich.hacc.space" = {
- default = true;
- locations."/".return = "404";
- };
- "hacc.space" = {
- enableACME = true;
- forceSSL = true;
- locations."/".return = "301 https://hacc.earth";
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 1935 ];
- services.nginx = {
- appendHttpConfig = ''
- add_header Permissions-Policy "interest-cohort=()";
- '';
- appendConfig = ''
- rtmp {
- server {
- listen 1935;
- application cutiestream {
- live on;
- allow publish all;
- allow play all;
- }
- application ingest {
- live on;
-
- record all;
- record_path /data/ingest;
- record_unique on;
-
- # include /var/secrets/ingest.conf;
- }
- }
- }
- '';
- };
-
- systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
-}
diff --git a/hosts/hainich/services/syncthing.nix b/hosts/hainich/services/syncthing.nix
deleted file mode 100644
index 6e56632..0000000
--- a/hosts/hainich/services/syncthing.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- services.syncthing = {
- enable = true;
- relay.enable = false;
- openDefaultPorts = true;
- declarative = {
- devices = {
- # schweby
- txsbcct = {
- addresses = []; # empty = dynamic
- id = "AQHOPTO-X3LWJXZ-2SPLSEW-MCVMX3R-VSLPPYE-NIOTDMW-QOYRSDZ-2LR7RAD";
- };
- octycs = {
- addresses = []; # empty = dynamic
- id = "KIJVGWZ-GRXPAUX-ZOTZDLS-KUKANCC-A2IBZRM-BT3RZK7-5M43O6R-OZD5IQE";
- };
- stuebinm-desktop = {
- addresses = []; # empty = dynamic
- id = "CWZTKG7-F45LE2O-TIT6IBC-RQD6MLH-K5ECUGJ-LOHJXF3-I2F4R6I-JVMRLAJ";
- };
- raphael-laptop = {
- addresses = []; # empty = dynamic
- id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG";
- };
- # zauberberg
- conway = {
- addresses = []; # empty = dynamic
- id = "HV7IU2N-Q4W3A7F-BSASR43-OB575SM-47FY2UW-7N5GMFM-PX3LWRN-HXBXMQF";
- };
- # hexchen
- storah = {
- addresses = [ "tcp://46.4.62.95:22000" "quic://46.4.62.95:22000" ];
- id = "SGHQ2JA-7FJ6CKM-N3I54R4-UOJC5KO-7W22O62-YLTF26F-S7DLZG4-ZLP7HAM";
- };
- };
-
- folders = {
- "/var/lib/syncthing/hacc" = {
- id = "qt2ly-xvvvs";
- devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
- type = "receiveonly";
- versioning = {
- type = "simple";
- params.keep = "10";
- };
- };
- };
-
- };
-
- };
-}
diff --git a/hosts/hainich/services/workadventure.nix b/hosts/hainich/services/workadventure.nix
deleted file mode 100644
index 9f5019d..0000000
--- a/hosts/hainich/services/workadventure.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{pkgs, lib, config, ...}:
-
-let
- sources = import ../../../nix/sources.nix {};
- # why the double outPath? Dunno, just niv things …
- workadventure-nix = sources.workadventure.outPath.outPath;
- haccmap = sources.haccmap.outPath.outPath;
-in
-{
- # not the most intuitive of container names, but "workadventure" is too long
- containers.wa-void = {
-
- # we'll need the outer config to get the turn secret inside the container,
- # and I'm feeling haskelly so config' it is!
- config = let config' = config; in {config, pkgs, ...}: {
- imports = [ workadventure-nix ];
- networking.firewall.allowedTCPPorts = [ 80 ];
-
- services.workadventure."void.hacc.space" = {
- packageset = (
- import "${workadventure-nix}/wapkgs.nix" {
- inherit pkgs lib;
- }
- ).workadventure-xce;
-
- nginx = {
- default = true;
- domain = "void.hacc.space";
- maps = {
- serve = true;
- path = "${haccmap}/";
- };
- };
-
- frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
-
- commonConfig = {
- webrtc.stun.url = "stun:turn.hacc.space:3478";
- webrtc.turn = {
- url = "turn:46.4.63.148";
- user = "turn";
- password = config'.services.coturn.static-auth-secret;
- };
- jitsi.url = "meet.ffmuc.net";
- };
- };
- };
-
- privateNetwork = true;
- hostAddress6 = "fd00::42:14";
- localAddress6 = "fd00::42:16";
-
- autoStart = true;
-
- };
-
- services.coturn = {
- enable = true;
- realm = "turn.hacc.space";
- # this is a static "secret" that is also compiled into workadventure,
- # so it seems ok to put it into the nix store
- static-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
- use-auth-secret = true;
- no-cli = true;
- no-tcp-relay = true;
-
- cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
- pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
- };
-
-
- services.nginx = {
- virtualHosts."void.hacc.space" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = 
"http://[${config.containers.wa-void.localAddress6}]";
- proxyWebsockets = true;
- };
- };
- # this isn't actually needed, but acme requires a webserver to serve
- # challanges, so I guess it's easier to just define a virtualHost here
- virtualHosts."turn.hacc.space" = {
- enableACME = true;
- forceSSL = true;
- };
- };
-
-
- networking.firewall = with config.services.coturn;
- let
- ports = [ listening-port tls-listening-port ];
- in {
- allowedTCPPorts = [ 80 ] ++ ports;
- allowedUDPPorts = ports;
- allowedUDPPortRanges = [
- { from = min-port; to = max-port; }
- ];
- };
-
-}
-
diff --git a/hosts/hainich/wireguard.nix b/hosts/hainich/wireguard.nix
deleted file mode 100644
index d8422d9..0000000
--- a/hosts/hainich/wireguard.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- systemd.services.wireguard-upstream = {
- wants = [ "wg-upstream-key.service" ];
- after = [ "wg-upstream-key.service" ];
- };
- networking.wireguard.interfaces.upstream = {
- ips = [ "2a0d:eb04:8:ffff:2::2/128" ];
- generatePrivateKeyFile = true;
- privateKeyFile = "/etc/wireguard/upstream.key";
- listenPort = 51820;
- peers = [
- {
- allowedIPs = [ "::/0" ];
- endpoint = "103.105.50.220:51823";
- publicKey = "qL5xKnQ7xLbtTvu0VmLBwHExteJBhmCe5S/0ZoXBeXY=";
- }
- ];
- postSetup = ''
- ${pkgs.iproute}/bin/ip addr del dev upstream 2a0d:eb04:8:ffff:2::2/128
- ${pkgs.iproute}/bin/ip addr add dev upstream 2a0d:eb04:8:ffff:2::2/128 peer 2a0d:eb04:8:ffff:2::1/128
- '';
- };
- networking.interfaces.lo.ipv6 = {
- addresses = [{
- address = "2a0d:eb04:8:10::1";
- prefixLength = 128;
- }];
- };
- networking.defaultGateway6 = {
- address = "2a0d:eb04:8:ffff:2::1";
- interface = "upstream";
- };
-}