forked from hacc/haccfiles
get rid of hainich. migration done.
This commit is contained in:
parent
95a0e9f04a
commit
fd9e8941c7
15 changed files with 0 additions and 1212 deletions
|
@ -1,130 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../common
|
||||
./encboot.nix
|
||||
./hardware.nix
|
||||
../../common
|
||||
./services/nginx.nix
|
||||
./services/ghost_waszumfff.nix
|
||||
./services/gitlab-runner.nix
|
||||
./services/lantifa.nix
|
||||
];
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
# stop *something* from loading ip_tables and breaking nftables
|
||||
boot.blacklistedKernelModules = [ "ip_tables" "ip6_tables" "x_tables"];
|
||||
|
||||
|
||||
# networking
|
||||
networking.hostName = "hainich";
|
||||
networking.hostId = "8a58cb2f";
|
||||
networking.useDHCP = true;
|
||||
networking.interfaces.enp6s0.ipv4.addresses = [
|
||||
{
|
||||
address = "46.4.63.148";
|
||||
prefixLength = 27;
|
||||
}
|
||||
|
||||
{
|
||||
address = "46.4.63.158";
|
||||
prefixLength = 27;
|
||||
}
|
||||
];
|
||||
networking.interfaces.enp6s0.ipv6.addresses = [ {
|
||||
address = "2a01:4f8:140:84c9::1";
|
||||
prefixLength = 64;
|
||||
} ];
|
||||
networking.defaultGateway = "46.4.63.129";
|
||||
networking.nameservers = [
|
||||
"1.1.1.1" "1.0.0.1"
|
||||
"2606:4700:4700::1111" "2606:4700:4700::1001"
|
||||
];
|
||||
networking.defaultGateway6 = {
|
||||
address = "fe80::1";
|
||||
interface = "enp6s0";
|
||||
};
|
||||
|
||||
hacc.nftables.nat.enable = true;
|
||||
networking.nat.internalInterfaces = ["ve-+"];
|
||||
networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ];
|
||||
networking.nat.externalInterface = "enp6s0";
|
||||
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# misc
|
||||
time.timeZone = "UTC";
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
wget vim git
|
||||
];
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.openssh.ports = [ 22 62954 ];
|
||||
|
||||
users.users.root = {
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvmrk3i04tXfrSlZtHFbG3o6lQgh3ODMWmGDING4TJ4ctidexmMNY15IjVjzXZgQSET1uKLDLITiaPsii8vaWERZfjm3jjub845mpKkKv48nYdM0eCbv7n604CA3lwoB5ebRgULg4oGTi60rQ4trFf3iTkJfmiLsieFBZz7l+DfgeDEjDNSJcrkOggGBrjE5vBXoDimdkNh8kBNwgMDj1kPR/FHDqybSd5hohCJ5FzQg9vzl/x/H1rzJJKYPO4svSgHkYNkeoL84IZNeHom+UEHX0rw2qAIEN6AiHvNUJR38relvQYxbVdDSlaGN3g26H2ehsmolf+U0uQlRAXTHo0NbXNVYOfijFKL/jWxNfH0aRycf09Lu60oY54gkqS/J0GoQe/OGNq1Zy72DI+zAwEzyCGfSDbAgVF7Y3mU2HqcqGqNzu7Ade5oCbLmkT7yzDM3x6IsmT1tO8dYiT8Qv+zFAECkRpw3yDkJkPOxNKg10oM318whMTtM3yqntE90hk= schweby@taxusbaccata"
|
||||
];
|
||||
initialHashedPassword = "$6$F316njEF2$GMF4OmPSF6QgZ3P/DblQ/UFMgoo98bztbdw7X0ygvBGC1UMMIc13Vtxjd/ZGRYW/pEHACZZ7sbRZ48t6xhvO7/";
|
||||
# shell = pkgs.fish;
|
||||
};
|
||||
|
||||
# storage stuffs!
|
||||
services.zfs = {
|
||||
autoSnapshot = {
|
||||
enable = true;
|
||||
frequent = 12;
|
||||
hourly = 18;
|
||||
daily = 3;
|
||||
weekly = 0;
|
||||
monthly = 0;
|
||||
};
|
||||
autoScrub = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages;
|
||||
|
||||
services.restic.backups.tardis = {
|
||||
passwordFile = "/etc/restic/system";
|
||||
s3CredentialsFile = "/etc/restic/system.s3creds";
|
||||
paths = [
|
||||
"/data"
|
||||
"/home"
|
||||
"/run/florinori"
|
||||
"/var/lib/containers/codimd/var/lib/codimd"
|
||||
"/var/lib/containers/codimd/var/backup/postgresql"
|
||||
"/var/lib/containers/hedgedoc-i4f/var/lib/codimd"
|
||||
"/var/lib/containers/hedgedoc-i4f/var/backup/postgresql"
|
||||
"/var/lib/containers/lantifa/var/lib/mediawiki"
|
||||
"/var/lib/containers/lantifa/var/backup/mysql"
|
||||
"/var/lib/murmur"
|
||||
"/var/lib/syncthing"
|
||||
];
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 5"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
repository = "b2:tardis-hainich:system";
|
||||
};
|
||||
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "20.03"; # Did you read the comment?
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
boot.initrd.kernelModules = [ "r8169" ]; # add network card driver
|
||||
boot.kernelParams = ["ip=:::::enp6s0:dhcp"]; # enable dhcp on primary network interface
|
||||
boot.initrd.network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
# TODO: Modify system config so that this works
|
||||
# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
|
||||
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||
hostKeys = [ /run/keys/ecdsa_host ];
|
||||
};
|
||||
# TODO: curl some webhook here to alert?
|
||||
# possibly quite hard to do, we only have limited wget or netcat available
|
||||
# how this all works:
|
||||
# when someone logs in via ssh, they are prompted to unlock the zfs volume
|
||||
# afterwards zfs is killed in order for the boot to progress
|
||||
# timeout of 120s still applies afaik
|
||||
postCommands = ''
|
||||
zpool import zroot
|
||||
zpool import dpool
|
||||
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,52 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "sd_mod" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "zroot/root/nixos";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{ device = "zroot/root/nixos/nix";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
{ device = "dpool/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/containers" =
|
||||
{ device = "dpool/containers";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/docker" =
|
||||
{ device = "dpool/docker";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/gitlab-runner" =
|
||||
{ device = "dpool/gitlab-runner";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/data" =
|
||||
{ device = "dpool/data";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/40125f55-7fe8-4850-902e-b4d6e22f0335";
|
||||
fsType = "ext2";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 12;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
}
|
|
@ -1,125 +0,0 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
services.etcd = {
|
||||
advertiseClientUrls = [
|
||||
"https://[2a0d:eb04:8:10::1]:2379"
|
||||
];
|
||||
listenClientUrls = [
|
||||
"https://[2a0d:eb04:8:10::1]:2379"
|
||||
];
|
||||
listenPeerUrls = [
|
||||
"https://[::1]:2380"
|
||||
];
|
||||
};
|
||||
services.kubernetes = {
|
||||
roles = [ "master" "node" ];
|
||||
flannel.enable = false;
|
||||
addons.dns = {
|
||||
enable = true;
|
||||
clusterIp = "2a0d:eb04:8:11::53";
|
||||
reconcileMode = "EnsureExists";
|
||||
};
|
||||
pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ];
|
||||
apiserver = {
|
||||
advertiseAddress = "2a0d:eb04:8:10::1";
|
||||
extraSANs = [
|
||||
"2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space"
|
||||
];
|
||||
bindAddress = "::";
|
||||
insecureBindAddress = "::1";
|
||||
etcd = {
|
||||
servers = [ "https://[2a0d:eb04:8:10::1]:2379" ];
|
||||
};
|
||||
serviceClusterIpRange = "2a0d:eb04:8:11::/120";
|
||||
extraOpts = "--allow-privileged=true";
|
||||
};
|
||||
controllerManager = {
|
||||
bindAddress = "::";
|
||||
clusterCidr = "2a0d:eb04:8:12::/64";
|
||||
};
|
||||
kubelet = {
|
||||
address = "::";
|
||||
clusterDns = "2a0d:eb04:8:11::53";
|
||||
};
|
||||
proxy = {
|
||||
bindAddress = "::";
|
||||
};
|
||||
scheduler = {
|
||||
address = "::1" ;
|
||||
};
|
||||
apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443";
|
||||
clusterCidr = "2a0d:eb04:8:12::/64";
|
||||
easyCerts = true;
|
||||
masterAddress = "hainich.hacc.space";
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 80 443 6443 ];
|
||||
trustedInterfaces = [
|
||||
"cbr0" "tunnat64"
|
||||
];
|
||||
extraCommands = ''
|
||||
iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
|
||||
iptables -A FORWARD -i tunnat64 -j ACCEPT
|
||||
|
||||
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
|
||||
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
|
||||
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
|
||||
|
||||
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
|
||||
ip6tables -A INPUT -i tunnat64 -j ACCEPT
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -t nat -D POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
|
||||
iptables -D FORWARD -i tunnat64 -j ACCEPT
|
||||
|
||||
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
|
||||
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
|
||||
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
|
||||
|
||||
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
|
||||
ip6tables -A INPUT -i tunnat64 -j ACCEPT
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.tayga = (let
|
||||
config = pkgs.writeText "tayga.conf" ''
|
||||
tun-device tunnat64
|
||||
ipv4-addr 10.255.255.254
|
||||
prefix 2a0d:eb04:8:10:64::/96
|
||||
dynamic-pool 10.255.255.0/24
|
||||
map 10.255.255.1 2a0d:eb04:8:10::1
|
||||
map 10.255.255.2 2a0d:eb04:8:11::2
|
||||
strict-frag-hdr 1
|
||||
'';
|
||||
startScript = pkgs.writeScriptBin "tayga-start" ''
|
||||
#! ${pkgs.runtimeShell} -e
|
||||
${pkgs.iproute}/bin/ip link set up tunnat64 || true
|
||||
${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true
|
||||
${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true
|
||||
${pkgs.tayga}/bin/tayga -d --config ${config}
|
||||
'';
|
||||
in {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = ''${startScript}/bin/tayga-start'';
|
||||
};
|
||||
});
|
||||
|
||||
networking.interfaces.cbr0.ipv6.routes = [{
|
||||
address = "2a0d:eb04:8:10::";
|
||||
prefixLength = 60;
|
||||
}];
|
||||
|
||||
networking.interfaces.tunnat64 = {
|
||||
virtual = true;
|
||||
};
|
||||
|
||||
# openebs expects some stuff to be there.
|
||||
system.activationScripts.openebs = ''
|
||||
mkdir -p /usr/lib /usr/sbin
|
||||
ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/
|
||||
ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/
|
||||
'';
|
||||
}
|
|
@ -1,32 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
virtualisation.oci-containers.containers."ghost-waszumfff" = {
|
||||
autoStart = true;
|
||||
environment = {
|
||||
url = "https://waszumfff.4future.dev";
|
||||
};
|
||||
image = "ghost:alpine";
|
||||
ports = [ "127.0.0.1:2368:2368" ];
|
||||
volumes = [ "/run/florinori:/var/lib/ghost/content" ];
|
||||
};
|
||||
|
||||
fileSystems."/run/florinori" =
|
||||
{ device = "dpool/k8s/florinori";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."waszumfff.4future.dev" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:2368";
|
||||
extraConfig = "
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,63 +0,0 @@
|
|||
{config, pkgs, lib, ...}:
|
||||
|
||||
{
|
||||
services.gitlab-runner = {
|
||||
enable = true;
|
||||
concurrent = 4;
|
||||
services = {
|
||||
infra4future = {
|
||||
buildsDir = "/var/lib/gitlab-runner/builds";
|
||||
dockerImage = "nixos/nix";
|
||||
executor = "docker";
|
||||
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
|
||||
};
|
||||
nix = {
|
||||
limit = 1; # don't run multiple jobs
|
||||
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
|
||||
dockerImage = "alpine";
|
||||
dockerVolumes = [
|
||||
"/nix/store:/nix/store:ro"
|
||||
"/nix/var/nix/db:/nix/var/nix/db:ro"
|
||||
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
|
||||
];
|
||||
dockerDisableCache = true;
|
||||
preBuildScript = pkgs.writeScript "setup-container" ''
|
||||
mkdir -p -m 0755 /nix/var/log/nix/drvs
|
||||
mkdir -p -m 0755 /nix/var/nix/gcroots
|
||||
mkdir -p -m 0755 /nix/var/nix/profiles
|
||||
mkdir -p -m 0755 /nix/var/nix/temproots
|
||||
mkdir -p -m 0755 /nix/var/nix/userpool
|
||||
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
|
||||
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
|
||||
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
|
||||
mkdir -p -m 0700 "$HOME/.nix-defexpr"
|
||||
. ${pkgs.nix}/etc/profile.d/nix.sh
|
||||
${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
|
||||
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
|
||||
${pkgs.nix}/bin/nix-channel --update nixpkgs
|
||||
'';
|
||||
environmentVariables = {
|
||||
ENV = "/etc/profile";
|
||||
USER = "root";
|
||||
NIX_REMOTE = "daemon";
|
||||
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
|
||||
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
|
||||
};
|
||||
tagList = [ "nix" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.gitlab-runner.serviceConfig = {
|
||||
DynamicUser = lib.mkForce false;
|
||||
User = "gitlab-runner";
|
||||
};
|
||||
|
||||
users.users.gitlab-runner = {
|
||||
home = "/var/lib/gitlab-runner";
|
||||
extraGroups = [ "docker" ];
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
virtualisation.docker.storageDriver = "zfs";
|
||||
}
|
|
@ -1,91 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
containers.codimd = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.3";
|
||||
autoStart = true;
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
networking.firewall.enable = false;
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
configuration = {
|
||||
allowAnonymous = true;
|
||||
allowFreeURL = true;
|
||||
allowGravatar = false;
|
||||
allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
|
||||
dbURL = "postgres://codimd:codimd@localhost:5432/codimd";
|
||||
defaultPermission = "limited";
|
||||
domain = "pad.hacc.space";
|
||||
host = "0.0.0.0";
|
||||
protocolUseSSL = true;
|
||||
hsts.preload = false;
|
||||
email = false;
|
||||
oauth2 = {
|
||||
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||
clientID = "codimd";
|
||||
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.hedgedoc.environment = {
|
||||
"CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
|
||||
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
|
||||
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
|
||||
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
|
||||
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
|
||||
};
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "codimd" ];
|
||||
ensureUsers = [{
|
||||
name = "codimd";
|
||||
ensurePermissions = {
|
||||
"DATABASE codimd" = "ALL PRIVILEGES";
|
||||
};
|
||||
}];
|
||||
};
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "codimd" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pad.hacc.earth" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
globalRedirect = "pad.hacc.space";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pad.hacc.space" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://192.168.100.3:3000";
|
||||
extraConfig = ''
|
||||
proxy_pass_request_headers on;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,76 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
containers.pad-i4f = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.41";
|
||||
autoStart = true;
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
networking.firewall.enable = false;
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
configuration = {
|
||||
allowAnonymous = true;
|
||||
allowFreeURL = true;
|
||||
allowGravatar = false;
|
||||
allowOrigin = [ "localhost" "pad.infra4future.de" "fff-muc.de" ];
|
||||
dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc";
|
||||
defaultPermission = "freely";
|
||||
domain = "pad.infra4future.de";
|
||||
host = "0.0.0.0";
|
||||
protocolUseSSL = true;
|
||||
hsts.preload = false;
|
||||
email = false;
|
||||
};
|
||||
};
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
authentication = ''
|
||||
local all all trust
|
||||
host hedgedoc hedgedoc 127.0.0.1/32 trust
|
||||
'';
|
||||
ensureDatabases = [ "hedgedoc" ];
|
||||
ensureUsers = [{
|
||||
name = "hedgedoc";
|
||||
ensurePermissions = {
|
||||
"DATABASE hedgedoc" = "ALL PRIVILEGES";
|
||||
};
|
||||
}];
|
||||
};
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "hedgedoc" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pad.infra4future.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://192.168.100.41:3000";
|
||||
extraConfig = ''
|
||||
proxy_pass_request_headers on;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,97 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
unstable = import (import ../../../nix/sources.nix).nixpkgs-unstable {};
|
||||
in {
|
||||
containers.lantifa = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress6 = "fd00::42:14";
|
||||
localAddress6 = "fd00::42:15";
|
||||
|
||||
config = {config, pkgs, ... }: {
|
||||
networking.hosts."::1" = [ "wiki.lantifa.org" ];
|
||||
networking.firewall.enable = false;
|
||||
users.users.mediawiki.extraGroups = [ "keys" ];
|
||||
|
||||
services.mediawiki = {
|
||||
enable = true;
|
||||
name = "LANtifa";
|
||||
package = unstable.mediawiki;
|
||||
database.createLocally = true;
|
||||
passwordFile = "/var/lib/mediawiki/mediawiki-password";
|
||||
extraConfig = let
|
||||
wikidb = pkgs.fetchzip {
|
||||
url = "http://www.kennel17.co.uk/uploads/testwiki/archive/e/e9/20210407232657%21WikiDB.zip";
|
||||
sha256 = "0d4f2ygglz4w515a7lgw59500q3xmr92xxhsmh8p204yaa769x8v";
|
||||
};
|
||||
in ''
|
||||
// Configure short URLs
|
||||
$wgScriptPath = "";
|
||||
$wgArticlePath = "/wiki/$1";
|
||||
$wgUsePathInfo = true;
|
||||
|
||||
require_once('${wikidb}/WikiDB.php');
|
||||
$wgExtraNamespaces = array( 100 => "Table", 101 => "Table_Talk",);
|
||||
$wgWikiDBNamespaces = 100;
|
||||
$wgGroupPermissions['user']['writeapi'] = true;
|
||||
$wgDefaultUserOptions['visualeditor-enable'] = 1;
|
||||
$wgLogo = "images/c/c5/LantifaLogoFem0.3.png";
|
||||
|
||||
// PageForms config
|
||||
$wgGroupPermissions['*']['viewedittab'] = false;
|
||||
$wgGroupPermissions['user']['viewedittab'] = true;
|
||||
|
||||
// Moderation setting
|
||||
$wgModerationNotificationEnable = true;
|
||||
$wgModerationEmail = "wiki_mod@lantifa.org";
|
||||
$wgLogRestrictions["newusers"] = 'moderation';
|
||||
|
||||
// intersection / DynamicPageList config
|
||||
$wgDLPMaxCacheTime = 5 * 60;
|
||||
'';
|
||||
|
||||
extensions = {
|
||||
TemplateData = null;
|
||||
VisualEditor = null;
|
||||
InputBox = null;
|
||||
Moderation = pkgs.fetchzip {
|
||||
url = "https://github.com/edwardspec/mediawiki-moderation/archive/v1.4.20.tar.gz";
|
||||
sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i";
|
||||
};
|
||||
intersection = pkgs.fetchzip { # This is the DynamicPageList extension
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_35-1adb683.tar.gz";
|
||||
sha256 = "0jh3b22vq1ml3kdj0hhhbfjsilpw39bcjbnkajgx1pcvr7haxld7";
|
||||
};
|
||||
PageForms = pkgs.fetchzip {
|
||||
url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip";
|
||||
sha256 = "172m7p941fbkl29h5bhanx3dn42jfmzgyvgmgm2lgdbmkawwly96";
|
||||
};
|
||||
};
|
||||
|
||||
virtualHost = {
|
||||
hostName = "wiki.lantifa.org";
|
||||
listen = [ { port = 80; } ];
|
||||
adminAddr = "admin@hacc.space";
|
||||
extraConfig = ''
|
||||
RewriteEngine On
|
||||
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
|
||||
RewriteRule ^/*$ %{DOCUMENT_ROOT}/index.php [L]
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.mysqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "mediawiki" ];
|
||||
calendar = "*-*-* 23:45:00";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."wiki.lantifa.org" = {
|
||||
locations."/".proxyPass = "http://[" + config.containers.lantifa.localAddress6 + "]";
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
}
|
|
@ -1,231 +0,0 @@
|
|||
{config, pkgs, lib, ...}:
|
||||
|
||||
{
|
||||
containers.mattermost = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.30";
|
||||
localAddress = "192.168.100.31";
|
||||
|
||||
bindMounts."/secrets" = {
|
||||
hostPath = "/var/lib/mattermost/";
|
||||
isReadOnly = true;
|
||||
};
|
||||
|
||||
config = {pkgs, config, ...}: {
|
||||
|
||||
# have to import these here, since container's dont
|
||||
# inherit imports of their environment.
|
||||
imports = [ ../../../modules/mattermost.nix ];
|
||||
networking.firewall.enable = false;
|
||||
|
||||
# couldn't figure out how to actually overwrite modules, so now
|
||||
# there's two mattermost modules ...
|
||||
services.mattermost-patched = {
|
||||
enable = true;
|
||||
siteUrl = "https://mattermost-beta.infra4future.de";
|
||||
siteName = "Mattermost - Blabla for Future";
|
||||
listenAddress = "0.0.0.0:3000";
|
||||
mutableConfig = false;
|
||||
|
||||
secretConfig = "/secrets/secrets.json";
|
||||
|
||||
extraConfig = {
|
||||
ServiceSettings = {
|
||||
TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
|
||||
ReadTimeout = 300;
|
||||
WriteTimeout = 600;
|
||||
IdleTimeout = 60;
|
||||
MaximumLoginAttempts = 10;
|
||||
AllowCorsFrom = "*.infra4future.de/*";
|
||||
WebserverMode = "gzip";
|
||||
EnableCustomEmoji = true;
|
||||
EnableEmojiPicker = true;
|
||||
EnableGifPicker = false;
|
||||
RestrictCustomEmojiCreation = "all";
|
||||
RestrictPostDelete = "all";
|
||||
AllowEditPost = "always";
|
||||
PostEditTimeout = -1;
|
||||
EnableTutorial = false;
|
||||
ExperimentalChannelSidebarOrganization = "default_on";
|
||||
ExperimentalChannelOrganization = true;
|
||||
ExperimentalDataPrefetch = true;
|
||||
EnableEmailInvitations = true;
|
||||
DisableLegacyMFA = true;
|
||||
EnableSVGs = true;
|
||||
EnableLaTeX = true;
|
||||
ThreadAutoFollow = true;
|
||||
EnableSecurityFixAlert = false;
|
||||
};
|
||||
TeamSettings = {
|
||||
EnableTeamCreation = true;
|
||||
EnableUserCreation = true;
|
||||
EnableOpenServer = false;
|
||||
EnableUserDeactivation = true;
|
||||
ExperimentalViewArchivedChannels = true;
|
||||
ExperimentalEnableAutomaticReplies = true;
|
||||
};
|
||||
LogSettings = {
|
||||
EnableConsole = true;
|
||||
ConsoleLevel = "ERROR";
|
||||
EnableDiagnostics = false;
|
||||
EnableWebhookDebugging = false;
|
||||
};
|
||||
NotificationLogSettings = {
|
||||
EnableConsole = true;
|
||||
ConsoleLevel = "INFO";
|
||||
};
|
||||
PasswordSettings = {
|
||||
MinimumLength = 10;
|
||||
# turn of all the bullshit requirements
|
||||
Lowercase = false;
|
||||
Number = false;
|
||||
Uppercase = false;
|
||||
Symbol = false;
|
||||
};
|
||||
FileSettings = {
|
||||
EnableFileAttachments = true;
|
||||
MaxFileSize = 52428800;
|
||||
DriverName = "local";
|
||||
Directory = "/var/lib/mattermost/uploads-storage";
|
||||
EnablePublicLink = true;
|
||||
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
|
||||
};
|
||||
EmailSettings = {
|
||||
EnableSignUpWithEmail = false;
|
||||
EnableSignInWithEmail = false;
|
||||
EnableSignInWithUsername = false;
|
||||
SendEmailNotifications = true;
|
||||
FeedbackName = "mattermost";
|
||||
FeedbackEmail = "mattermost@infra4future.de";
|
||||
ReplyToAddress = "mattermost@infra4future.de";
|
||||
FeedbackOrganization = "∆infra4future.de";
|
||||
EnableSMTPAuth = true;
|
||||
SMTPUsername = "noreply@infra4future.de";
|
||||
SMTPServer = "mail.hacc.space";
|
||||
};
|
||||
RateLimitSettings.Enable = false;
|
||||
PrivacySettings = {
|
||||
ShowEmailAddress = false;
|
||||
ShowFullName = true;
|
||||
};
|
||||
SupportSettings = {
|
||||
TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
|
||||
PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
|
||||
AboutLink = "https://infra4future.de";
|
||||
SupportEmail = "info@infra4future.de";
|
||||
CustomTermsOfServiceEnabled = false;
|
||||
EnableAskCommunityLink = true;
|
||||
};
|
||||
AnnouncementSettings.EnableBanner = false;
|
||||
GitLabSettings = {
|
||||
Enable = true;
|
||||
Id = "mattermost-beta";
|
||||
Scope = "";
|
||||
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||
UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
|
||||
};
|
||||
# for some reason, these don't appear to be working; the startup
|
||||
# process complaines and sets these back to en
|
||||
LocalizationSettings = {
|
||||
DefaultServerLocale = "de";
|
||||
DefaultClientLocale = "de";
|
||||
AvailableLocales = "de,en";
|
||||
};
|
||||
MessageExportSettings.EnableExport = false;
|
||||
# plugins appear to have trouble with the read-only filesystem; it may
|
||||
# be necessary to manually change their paths etc.
|
||||
PluginSettings = {
|
||||
Enable = true;
|
||||
EnableUploads = true;
|
||||
Plugins = {
|
||||
bigbluebutton = {
|
||||
adminonly = false;
|
||||
base_url = "https://bbb.infra4future.de/bigbluebutton/api";
|
||||
salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
|
||||
};
|
||||
"com.github.matterpoll.matterpoll" = {
|
||||
experimentalui = true;
|
||||
trigger = "poll";
|
||||
};
|
||||
};
|
||||
PluginStates = {
|
||||
bigbluebutton.Enable = true;
|
||||
"com.github.matterpoll.matterpoll".Enable = true;
|
||||
};
|
||||
};
|
||||
ComplianceSettings.Enable = false;
|
||||
ClusterSettings.Enable = false;
|
||||
MetricsSettings.Enable = false;
|
||||
GuestAccountsSettings.Enable = false;
|
||||
# this is just the general allow-this-at-all switch; users
|
||||
# still have to turn it on for themselves
|
||||
FeatureFlags.CollapsedThreads = true;
|
||||
};
|
||||
|
||||
# turn of the weirder parts of this module (which insist on passwords
|
||||
# in nix files, instead of just using socket-based authentication)
|
||||
#
|
||||
# It will still attempt to use its default password, but postgres will
|
||||
# just let it in regardless of that.
|
||||
localDatabaseCreate = false;
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = lib.mkForce true; # mattermost sets this to false. wtf.
|
||||
ensureDatabases = [ "mattermost" ];
|
||||
ensureUsers = [ {
|
||||
name = "mattermost";
|
||||
ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
|
||||
} ];
|
||||
|
||||
authentication = lib.mkForce ''
|
||||
# Generated file; do not edit!
|
||||
local all all trust
|
||||
host mattermost mattermost ::1/128 trust
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 3000 ];
|
||||
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."mattermost-beta.infra4future.de" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
|
||||
# Mattermost CSR Patch
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
proxy_hide_header X-Frame-Options;
|
||||
proxy_redirect off;
|
||||
'';
|
||||
};
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
internalInterfaces = [ "ve-mattermost" ];
|
||||
externalInterface = "enp6s0";
|
||||
};
|
||||
|
||||
}
|
|
@ -1,42 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
webExternalUrl = "https://stats.hacc.space";
|
||||
exporters = {
|
||||
dovecot = {
|
||||
enable = true;
|
||||
scopes = [ "user" "global" ];
|
||||
socketPath = "/var/run/dovecot2/old-stats";
|
||||
};
|
||||
nginx.enable = true;
|
||||
node.enable = true;
|
||||
postfix = {
|
||||
enable = true;
|
||||
systemd.enable = true;
|
||||
};
|
||||
rspamd.enable = true;
|
||||
};
|
||||
scrapeConfigs = (lib.mapAttrsToList (name: val:
|
||||
{
|
||||
job_name = "${name}-${config.networking.hostName}";
|
||||
static_configs = [{
|
||||
targets = [ "localhost:${toString val.port}" ];
|
||||
labels.host = config.networking.hostName;
|
||||
}];
|
||||
}
|
||||
) (lib.filterAttrs (_: val: val.enable) config.services.prometheus.exporters));
|
||||
};
|
||||
|
||||
services.dovecot2.extraConfig = ''
|
||||
mail_plugins = $mail_plugins old_stats
|
||||
service old-stats {
|
||||
unix_listener old-stats {
|
||||
user = dovecot-exporter
|
||||
group = dovecot-exporter
|
||||
}
|
||||
}
|
||||
'';
|
||||
services.nginx.statusPage = true;
|
||||
}
|
|
@ -1,56 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.email = "info+acme@hacc.space";
|
||||
services.nginx.enable = true;
|
||||
services.nginx.package = pkgs.nginx.override {
|
||||
modules = [ pkgs.nginxModules.rtmp ];
|
||||
};
|
||||
|
||||
# services.nginx.recommendedProxySettings = true;
|
||||
|
||||
services.nginx.virtualHosts = let
|
||||
in {
|
||||
# let all empty subdomains pointing to hainich return 404
|
||||
"hainich.hacc.space" = {
|
||||
default = true;
|
||||
locations."/".return = "404";
|
||||
};
|
||||
"hacc.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".return = "301 https://hacc.earth";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 1935 ];
|
||||
services.nginx = {
|
||||
appendHttpConfig = ''
|
||||
add_header Permissions-Policy "interest-cohort=()";
|
||||
'';
|
||||
appendConfig = ''
|
||||
rtmp {
|
||||
server {
|
||||
listen 1935;
|
||||
application cutiestream {
|
||||
live on;
|
||||
allow publish all;
|
||||
allow play all;
|
||||
}
|
||||
application ingest {
|
||||
live on;
|
||||
|
||||
record all;
|
||||
record_path /data/ingest;
|
||||
record_unique on;
|
||||
|
||||
# include /var/secrets/ingest.conf;
|
||||
}
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
|
||||
}
|
|
@ -1,53 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
services.syncthing = {
|
||||
enable = true;
|
||||
relay.enable = false;
|
||||
openDefaultPorts = true;
|
||||
declarative = {
|
||||
devices = {
|
||||
# schweby
|
||||
txsbcct = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "AQHOPTO-X3LWJXZ-2SPLSEW-MCVMX3R-VSLPPYE-NIOTDMW-QOYRSDZ-2LR7RAD";
|
||||
};
|
||||
octycs = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "KIJVGWZ-GRXPAUX-ZOTZDLS-KUKANCC-A2IBZRM-BT3RZK7-5M43O6R-OZD5IQE";
|
||||
};
|
||||
stuebinm-desktop = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "CWZTKG7-F45LE2O-TIT6IBC-RQD6MLH-K5ECUGJ-LOHJXF3-I2F4R6I-JVMRLAJ";
|
||||
};
|
||||
raphael-laptop = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG";
|
||||
};
|
||||
# zauberberg
|
||||
conway = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "HV7IU2N-Q4W3A7F-BSASR43-OB575SM-47FY2UW-7N5GMFM-PX3LWRN-HXBXMQF";
|
||||
};
|
||||
# hexchen
|
||||
storah = {
|
||||
addresses = [ "tcp://46.4.62.95:22000" "quic://46.4.62.95:22000" ];
|
||||
id = "SGHQ2JA-7FJ6CKM-N3I54R4-UOJC5KO-7W22O62-YLTF26F-S7DLZG4-ZLP7HAM";
|
||||
};
|
||||
};
|
||||
|
||||
folders = {
|
||||
"/var/lib/syncthing/hacc" = {
|
||||
id = "qt2ly-xvvvs";
|
||||
devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
|
||||
type = "receiveonly";
|
||||
versioning = {
|
||||
type = "simple";
|
||||
params.keep = "10";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
}
|
|
@ -1,102 +0,0 @@
|
|||
{pkgs, lib, config, ...}:
|
||||
|
||||
let
|
||||
sources = import ../../../nix/sources.nix {};
|
||||
# why the double outPath? Dunno, just niv things …
|
||||
workadventure-nix = sources.workadventure.outPath.outPath;
|
||||
haccmap = sources.haccmap.outPath.outPath;
|
||||
in
|
||||
{
|
||||
# not the most intuitive of container names, but "workadventure" is too long
|
||||
containers.wa-void = {
|
||||
|
||||
# we'll need the outer config to get the turn secret inside the container,
|
||||
# and I'm feeling haskelly so config' it is!
|
||||
config = let config' = config; in {config, pkgs, ...}: {
|
||||
imports = [ workadventure-nix ];
|
||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||
|
||||
services.workadventure."void.hacc.space" = {
|
||||
packageset = (
|
||||
import "${workadventure-nix}/wapkgs.nix" {
|
||||
inherit pkgs lib;
|
||||
}
|
||||
).workadventure-xce;
|
||||
|
||||
nginx = {
|
||||
default = true;
|
||||
domain = "void.hacc.space";
|
||||
maps = {
|
||||
serve = true;
|
||||
path = "${haccmap}/";
|
||||
};
|
||||
};
|
||||
|
||||
frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
|
||||
|
||||
commonConfig = {
|
||||
webrtc.stun.url = "stun:turn.hacc.space:3478";
|
||||
webrtc.turn = {
|
||||
url = "turn:46.4.63.148";
|
||||
user = "turn";
|
||||
password = config'.services.coturn.static-auth-secret;
|
||||
};
|
||||
jitsi.url = "meet.ffmuc.net";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
privateNetwork = true;
|
||||
hostAddress6 = "fd00::42:14";
|
||||
localAddress6 = "fd00::42:16";
|
||||
|
||||
autoStart = true;
|
||||
|
||||
};
|
||||
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
realm = "turn.hacc.space";
|
||||
# this is a static "secret" that is also compiled into workadventure,
|
||||
# so it seems ok to put it into the nix store
|
||||
static-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
|
||||
use-auth-secret = true;
|
||||
no-cli = true;
|
||||
no-tcp-relay = true;
|
||||
|
||||
cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
|
||||
pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
|
||||
};
|
||||
|
||||
|
||||
services.nginx = {
|
||||
virtualHosts."void.hacc.space" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://[${config.containers.wa-void.localAddress6}]";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
# this isn't actually needed, but acme requires a webserver to serve
|
||||
# challanges, so I guess it's easier to just define a virtualHost here
|
||||
virtualHosts."turn.hacc.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
networking.firewall = with config.services.coturn;
|
||||
let
|
||||
ports = [ listening-port tls-listening-port ];
|
||||
in {
|
||||
allowedTCPPorts = [ 80 ] ++ ports;
|
||||
allowedUDPPorts = ports;
|
||||
allowedUDPPortRanges = [
|
||||
{ from = min-port; to = max-port; }
|
||||
];
|
||||
};
|
||||
|
||||
}
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
systemd.services.wireguard-upstream = {
|
||||
wants = [ "wg-upstream-key.service" ];
|
||||
after = [ "wg-upstream-key.service" ];
|
||||
};
|
||||
networking.wireguard.interfaces.upstream = {
|
||||
ips = [ "2a0d:eb04:8:ffff:2::2/128" ];
|
||||
generatePrivateKeyFile = true;
|
||||
privateKeyFile = "/etc/wireguard/upstream.key";
|
||||
listenPort = 51820;
|
||||
peers = [
|
||||
{
|
||||
allowedIPs = [ "::/0" ];
|
||||
endpoint = "103.105.50.220:51823";
|
||||
publicKey = "qL5xKnQ7xLbtTvu0VmLBwHExteJBhmCe5S/0ZoXBeXY=";
|
||||
}
|
||||
];
|
||||
postSetup = ''
|
||||
${pkgs.iproute}/bin/ip addr del dev upstream 2a0d:eb04:8:ffff:2::2/128
|
||||
${pkgs.iproute}/bin/ip addr add dev upstream 2a0d:eb04:8:ffff:2::2/128 peer 2a0d:eb04:8:ffff:2::1/128
|
||||
'';
|
||||
};
|
||||
networking.interfaces.lo.ipv6 = {
|
||||
addresses = [{
|
||||
address = "2a0d:eb04:8:10::1";
|
||||
prefixLength = 128;
|
||||
}];
|
||||
};
|
||||
networking.defaultGateway6 = {
|
||||
address = "2a0d:eb04:8:ffff:2::1";
|
||||
interface = "upstream";
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue