From 35544912503b5202dd6a54ef9ae34b21f8aaf543 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 20 Jul 2020 19:16:52 -0500 Subject: [PATCH 1/2] Switch from gitlab to gitea. --- config/fudo/git.nix | 64 ++++++++++++++++----- defaults.nix | 14 +++-- hosts/france.nix | 135 ++++++-------------------------------------- 3 files changed, 74 insertions(+), 139 deletions(-) diff --git a/config/fudo/git.nix b/config/fudo/git.nix index 9479582..68cedac 100644 --- a/config/fudo/git.nix +++ b/config/fudo/git.nix @@ -25,35 +25,50 @@ let }; }; + sshOpts = { ... }: with types; { + options = { + listen-ip = mkOption { + type = str; + description = "IP on which to listen for SSH connections."; + }; + + listen-port = mkOption { + type = port; + description = "Port on which to listen for SSH connections, on ."; + default = 22; + }; + }; + }; + in { - options.fudo.git = { + options.fudo.git = with types; { enable = mkEnableOption "Enable Fudo git web server."; hostname = mkOption { - type = types.str; + type = str; description = "Hostname at which this git server is accessible."; example = "git.fudo.org"; }; site-name = mkOption { - type = types.str; + type = str; description = "Name to use for the git server."; default = "Fudo Git"; }; database = mkOption { - type = (types.submodule databaseOpts); + type = (submodule databaseOpts); description = "Gitea database options."; }; repository-dir = mkOption { - type = types.path; + type = path; description = "Path at which to store repositories."; example = /srv/git/repo; }; state-dir = mkOption { - type = types.path; + type = path; description = "Path at which to store server state."; example = /srv/git/state; }; 
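Review bot: The `listen-port` description in the new `sshOpts` submodule is cut off mid-sentence (`"Port on which to listen for SSH connections, on ."`), which reads as if an address was meant to follow. Suggest `description = "Port on which the built-in Gitea SSH server listens; also the port advertised in clone URLs.";`, since the module's later `extraConfig` hunk feeds this one value into both `SSH_PORT` and `SSH_LISTEN_PORT`. The `listen-ip` description could likewise say it is the bind address passed to `SSH_LISTEN_HOST`, so a reader of the option sees at once that it is the address exposed on the network.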
@@ -63,6 +78,18 @@ in { description = "System user as which to run."; default = "git"; }; + + local-port = mkOption { + type = port; + description = "Local port to which the Gitea server will bind. Not globally accessible."; + default = 3543; + }; + + ssh = mkOption { + type = nullOr (submodule sshOpts); + description = "SSH listen configuration."; + default = null; + }; }; config = mkIf cfg.enable { @@ -78,14 +105,23 @@ in { name = cfg.database.name; user = cfg.database.user; passwordFile = cfg.database.password-file; + type = "postgres"; }; domain = cfg.hostname; httpAddress = "127.0.0.1"; - httpPort = 3543; + httpPort = cfg.local-port; repositoryRoot = toString cfg.repository-dir; stateDir = toString cfg.state-dir; rootUrl = "https://${cfg.hostname}/"; user = mkIf (cfg.user != null) cfg.user; + extraConfig = mkIf (cfg.ssh != null) '' + [server] + START_SSH_SERVER = true + SSH_DOMAIN = ${cfg.hostname} + SSH_PORT = ${toString cfg.ssh.listen-port} + SSH_LISTEN_PORT = ${toString cfg.ssh.listen-port} + SSH_LISTEN_HOST = ${cfg.ssh.listen-ip} + ''; }; nginx = { @@ -97,15 +133,15 @@ in { forceSSL = true; locations."/" = { - proxyPass = "http://127.0.0.1:3543"; + proxyPass = "http://127.0.0.1:${toString cfg.local-port}"; extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-By $server_addr:$server_port; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; }; }; }; diff --git a/defaults.nix b/defaults.nix index fa03dcd..8e9334b 100644 --- a/defaults.nix +++ b/defaults.nix 
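Review bot: The new `extraConfig` block starts Gitea's built-in SSH server on `cfg.ssh.listen-ip`:`cfg.ssh.listen-port`, but nothing in the visible hunks of this module opens that port, so on a host with the NixOS firewall enabled the listener is unreachable unless each host adds a rule by hand. The `config = mkIf cfg.enable` attrset enclosing this hunk is the natural place for `networking.firewall.allowedTCPPorts = mkIf (cfg.ssh != null) [ cfg.ssh.listen-port ];`, which also records the exposure next to the option that causes it. A short comment would help as well: `SSH_PORT` is the port advertised in clone URLs while `SSH_LISTEN_PORT`/`SSH_LISTEN_HOST` are what the daemon binds, and both are deliberately set to the same value here. The `services` attrset that holds this gitea block starts before the hunk, so I cannot see whether a firewall rule already exists elsewhere in it.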
@@ -123,6 +123,7 @@ openssh = { enable = true; startWhenNeeded = true; + permitRootLogin = "prohibit-password"; extraConfig = '' GSSAPIAuthentication yes GSSAPICleanupCredentials yes @@ -133,12 +134,13 @@ security.pam = { enableSSHAgentAuth = true; # TODO: add yubico? - services.sshd = { - # This should only ask for a code if ~/.google_authenticator exists, but it asks anyway. - # googleAuthenticator.enable = true; - makeHomeDir = true; - # Fails! - # requireWheel = true; + services = { + sshd = { + # This should only ask for a code if ~/.google_authenticator exists, but it asks anyway. + # googleAuthenticator.enable = true; + makeHomeDir = true; + sshAgentAuth = true; + }; }; }; diff --git a/hosts/france.nix b/hosts/france.nix index 17905fc..34c00ec 100644 --- a/hosts/france.nix +++ b/hosts/france.nix @@ -7,7 +7,7 @@ let mail-hostname = hostname; host_ipv4 = "208.81.3.117"; # Use a special IP for git.fudo.org, since it needs to be SSH-able - docker_ipv4 = "208.81.3.126"; + git_ipv4 = "208.81.3.126"; all-hostnames = []; acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem"; @@ -34,6 +34,15 @@ in { ../defaults.nix ]; + # services.openssh = { + # listenAddresses = [ + # { + # addr = host_ipv4; + # port = 22; + # } + # ]; + # }; + fudo.common = { # Sets some server-common settings. See /etc/nixos/fudo/profiles/... profile = "server"; @@ -118,12 +127,6 @@ in { fudo_git = "ALL PRIVILEGES"; }; }; - gitlab_postgres = { - password = fileContents "/srv/gitlab/secure/db.passwd"; - databases = { - gitlab = "ALL PRIVILEGES"; - }; - }; grafana = { password = fileContents "/srv/grafana/secure/db.passwd"; databases = { @@ -151,7 +154,6 @@ in { databases = { fudo_git = ["niten"]; - gitlab = ["niten"]; grafana = ["niten"]; mattermost = ["niten"]; webmail = ["niten"]; @@ -314,7 +316,7 @@ in { fudo.git = { enable = true; - hostname = "git.test.fudo.org"; + hostname = "git.fudo.org"; site-name = "Fudo Git"; user = "fudo_git"; database = { 
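Review bot: `sshAgentAuth = true;` on the `sshd` PAM service is the security-relevant line of the `security.pam` hunk and carries no comment, while `enableSSHAgentAuth = true` is already set in the context two lines above. As far as I can tell pam_ssh_agent_auth needs an agent socket in the PAM environment, which an incoming sshd session does not yet have at authentication time, so this line may be a no-op on sshd and is more usually meant for the `sudo` service in the same `services` attrset. If it is intentional, a one-line comment naming the expected effect would spare the next reader the same question, e.g. `# pam_ssh_agent_auth: accept a key from the caller's agent against ~/.ssh/authorized_keys`.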
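Review bot: The `services.openssh.listenAddresses` block added in `@@ -34,6 +34,15 @@` of hosts/france.nix is entirely commented out and gives no reason, so a reader cannot tell whether binding sshd to `host_ipv4:22` is still planned or was abandoned. The comment on `git_ipv4` in the first hunk of this file still says the dedicated address exists because git needs to be SSH-able, while the `fudo.git.ssh` hunk further down puts Gitea on port 2222 of that address; if the system sshd keeps listening on every address (which this commented block would have prevented), port 22 on `git_ipv4` presumably still answers as the host's sshd rather than Gitea. Either restore the block or replace it with a one-liner such as `# sshd stays on all addresses; Gitea's built-in SSH uses git_ipv4:2222 instead (see fudo.git.ssh below)` so the split is documented as deliberate.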
@@ -325,6 +327,10 @@ in { }; repository-dir = /srv/git/repo; state-dir = /srv/git/state; + ssh = { + listen-ip = git_ipv4; + listen-port = 2222; + }; }; networking = { @@ -368,7 +374,7 @@ in { macAddress = "02:6d:e2:e1:ad:ca"; ipv4.addresses = [ { - address = docker_ipv4; + address = git_ipv4; prefixLength = 28; } ]; @@ -449,42 +455,7 @@ in { isNormalUser = false; uid = 8006; }; - - gitlab = { - isNormalUser = false; - uid = 8002; - }; - - gitlab_postgres = { - isNormalUser = false; - group = config.fudo.postgresql.socket-group; - uid = 8003; - }; - - gitlab_redis = { - isNormalUser = false; - group = "redis-local"; - uid = 8004; - }; - - gitlab_www = { - isNormalUser = false; - group = "nogroup"; - uid = 8005; - }; }; - - extraGroups = { - redis-local = { - members = ["redis"]; - gid = 7001; - }; - }; - }; - - boot.kernel.sysctl = { - # For Redis - "vm.overcommit_memory" = 1; }; fudo.system = { @@ -492,10 +463,6 @@ in { postHugePageServices = ["redis.service"]; }; - systemd.services.redis.postStart = '' - chgrp redis-local ${config.services.redis.unixSocket} - ''; - security.acme.certs = { "archiva.fudo.org".email = config.fudo.common.admin-email; "git.fudo.org".email = config.fudo.common.admin-email; @@ -503,15 +470,6 @@ in { services = { - redis = { - enable = true; - bind = "127.0.0.1"; - unixSocket = "/run/redis/redis.socket"; - extraConfig = '' - unixsocketperm 770 - ''; - }; - nginx = { enable = true; recommendedGzipSettings = true; @@ -534,22 +492,6 @@ in { ''; }; }; - - "git.fudo.org" = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:8002"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-By $server_addr:$server_port; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - }; }; }; }; 
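Review bot: The context line `postHugePageServices = ["redis.service"];` in `@@ -492,10 +463,6 @@` survives while the `services.redis` definition is deleted in the following hunk (`@@ -503,15 +470,6 @@`), together with the `redis-local` group, the `vm.overcommit_memory` sysctl and the redis `postStart` hook removed earlier in this file. Whatever `fudo.system.postHugePageServices` does with that list (its implementation is outside this patch), it now names a unit that no longer exists on this host; suggest `postHugePageServices = [];`, or dropping the `fudo.system` block if that entry was its only purpose. The `fudo.system` attrset opens in the trailing context of the previous hunk, so I cannot see whether it sets anything else.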
@@ -568,53 +510,8 @@ in { SSL_ENABLED = "false"; }; }; - - gitlab = { - image = "gitlab/gitlab-ce:12.8.1-ce.0"; - ports = [ - "127.0.0.1:8002:80" - "${docker_ipv4}::22" - ]; - # user = toString config.users.users.gitlab.uid; - volumes = [ - "/run/redis:/var/opt/gitlab/redis" - "/srv/gitlab/builds:/var/opt/gitlab/gitlab-ci/builds" - "/srv/gitlab/config:/etc/gitlab" - "/srv/gitlab/logs:/var/log/gitlab" - "/srv/gitlab/gitlab:/var/opt/gitlab" - "${config.fudo.postgresql.socket-directory}:/run/postgresql" - "${config.fudo.postgresql.socket-directory}:/var/opt/gitlab/postgresql" - ]; - extraDockerOptions = [ - "--hostname=git.fudo.org" - ]; - }; }; - systemd.services.docker-gitlab-config = let - gitlab-config = pkgs.writeText "gitlab-config.rb" '' - gitlab_rails['db_adapter'] = "postgresql" - gitlab_rails['db_encoding'] = "unicode" - gitlab_rails['db_database'] = "gitlab" - gitlab_rails['db_username'] = "gitlab_postgres" - gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}" - - user['uid'] = "${toString config.users.users.gitlab.uid}" - user['gid'] = "${toString config.users.groups.redis-local.gid}" - - # Provided externally - redis['enable'] = false - postgresql['enable'] = false - - web_server['uid'] = "${toString config.users.users.gitlab_www.uid}" - web_server['gid'] = "${toString config.users.groups.nogroup.gid}" - ''; - in { - # before = ["docker-gitlab.service"]; - script = "cp -f ${gitlab-config} /srv/gitlab/config/gitlab.rb"; - }; - systemd.services.docker-gitlab.requires = ["docker-gitlab-config.service"]; - ### # Minecraft ### From 98fa41f1716629e6ed0d7b8963fa3a17e3236caa Mon Sep 17 00:00:00 2001 From: root Date: Tue, 21 Jul 2020 01:16:30 -0500 Subject: [PATCH 2/2] Merged frace --- config/fudo/mail-container.nix | 38 ++++++++++++++++++---------------- config/fudo/mail/dovecot.nix | 37 ++++++++++++++++++--------------- hosts/france.nix | 14 +++++++------ 3 files changed, 48 insertions(+), 41 deletions(-) 
diff --git a/config/fudo/mail-container.nix b/config/fudo/mail-container.nix index aa7edb5..e12b9ff 100644 --- a/config/fudo/mail-container.nix +++ b/config/fudo/mail-container.nix @@ -160,21 +160,21 @@ in rec { }; }; - users = { - users = { - ${container-mail-user} = { - isSystemUser = true; - uid = container-mail-user-id; - group = "mailer"; - }; - }; + # users = { + # users = { + # ${container-mail-user} = { + # isSystemUser = true; + # uid = container-mail-user-id; + # group = "mailer"; + # }; + # }; - groups = { - ${container-mail-group} = { - members = ["mailer"]; - }; - }; - }; + # groups = { + # ${container-mail-group} = { + # members = ["mailer"]; + # }; + # }; + # }; fudo.mail-server = { enable = true; @@ -193,10 +193,12 @@ in rec { dovecot = { ssl-certificate = "/etc/${container-dovecot-cert}"; ssl-private-key = "/etc/dovecot-certs/key.pem"; - ldap-ca = "/etc/${container-fudo-ca-cert}"; - ldap-urls = cfg.dovecot.ldap-urls; - ldap-reader-dn = cfg.dovecot.ldap-reader-dn; - ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd; + ldap = { + # ca = "/etc/${container-fudo-ca-cert}"; + server-urls = cfg.dovecot.ldap.server-urls; + reader-dn = cfg.dovecot.ldap.reader-dn; + reader-passwd = cfg.dovecot.ldap.reader-passwd; + }; }; local-domains = cfg.local-domains; diff --git a/config/fudo/mail/dovecot.nix b/config/fudo/mail/dovecot.nix index 9d8f1cf..ae994b7 100644 --- a/config/fudo/mail/dovecot.nix +++ b/config/fudo/mail/dovecot.nix 
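Review bot: The container's `users.users.${container-mail-user}` and `users.groups.${container-mail-group}` definitions in the first hunk are commented out rather than removed, with no note on what now provides that user and group. If nothing else declares them, whatever the following `fudo.mail-server` block runs under that account would presumably fail to start or fall back to another uid, and I cannot tell which from the hunk. Either delete the block or prefix it with the reason, e.g. `# user/group are now declared by the mail-server module; declaring them here too produced a conflicting definition` if that is what happened.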
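Review bot: `ca` is commented out inside the new `ldap` attrset of the second hunk with no reason given, and the matching dovecot.nix hunk makes `ca` default to `null`, so the LDAP client is left with no configured trust anchor. That is harmless today only because `server-urls` in hosts/france.nix is plain `ldap://` (its FIXME acknowledges this); once someone switches to `ldaps://`, a null CA means either a verification failure or, depending on how `ldap-passwd-entry` renders `tls_ca_cert_file` (its body is outside this patch), an unverified connection carrying the reader password. Suggest keeping the line as `# ca = "/etc/${container-fudo-ca-cert}"; # TODO: set once LDAP is served over TLS (see FIXME in hosts/france.nix)` so the two spots are tied together.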
@@ -53,30 +53,33 @@ let } ''; - ldapOpts = with types; { - ca = mkOption { - type = str; - description = "The path to the CA cert used to sign the LDAP server certificate."; - }; + ldapOpts = { + options = with types; { + ca = mkOption { + type = nullOr str; + description = "The path to the CA cert used to sign the LDAP server certificate."; + default = null; + }; - server-urls = mkOption { - type = listOf str; - description = "A list of LDAP server URLs used for authentication."; - }; + server-urls = mkOption { + type = listOf str; + description = "A list of LDAP server URLs used for authentication."; + }; - reader-dn = mkOption { - type = str; - description = '' + reader-dn = mkOption { + type = str; + description = '' DN to use for reading user information. Needs access to homeDirectory, uidNumber, gidNumber, and uid, but not password attributes. ''; - }; + }; - reader-pw = mkOption { - type = str; - description = '' + reader-passwd = mkOption { + type = str; + description = '' Password for the user specified in ldap-reader-dn. ''; + }; }; }; @@ -204,7 +207,7 @@ in { auth_mechanisms = login plain ${optionalString (cfg.dovecot.ldap != null) - (ldap-conf cfg.dovecot.ldap)} + (ldap-passwd-entry cfg.dovecot.ldap)} userdb { driver = static args = uid=${toString cfg.mail-user-id} home=${cfg.mail-directory}/%u diff --git a/hosts/france.nix b/hosts/france.nix index c866d88..ed3a775 100644 --- a/hosts/france.nix +++ b/hosts/france.nix 
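Review bot: `reader-passwd` is a `str` option whose only visible consumer, `ldap-passwd-entry cfg.dovecot.ldap` in the second hunk of this file, renders it into the dovecot configuration, and hosts/france.nix (`@@ -237,11 +237,13 @@`) fills it with `fileContents /srv/ldap/secure/user_db.passwd`; that inlines the LDAP reader password into the evaluated config, which presumably ends up in the world-readable Nix store unless `ldap-passwd-entry` (outside this hunk) writes it to a protected runtime file. The safer shape is a path-typed option read at activation, e.g. `reader-passwd-file = mkOption { type = str; description = "File containing the reader password; read at runtime, never copied into the store."; };`, keeping the existing option for compatibility. Separately, the description `Password for the user specified in ldap-reader-dn.` is stale now that the sibling option is `reader-dn` inside `ldap`, and the rename from `reader-pw` to `reader-passwd` silently breaks any configuration still using the old name.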
@@ -237,11 +237,13 @@ in { state-directory = "${system-mail-directory}/var"; mail-directory = "${system-mail-directory}/mailboxes"; - dovecot.ldap-reader-dn = "cn=user_db_reader,dc=fudo,dc=org"; - dovecot.ldap-reader-passwd = fileContents /srv/ldap/secure/user_db.passwd; + dovecot.ldap = { + reader-dn = "cn=user_db_reader,dc=fudo,dc=org"; + reader-passwd = fileContents /srv/ldap/secure/user_db.passwd; - # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP. - dovecot.ldap-urls = [ "ldap://france.fudo.org" ]; + # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP. + server-urls = [ "ldap://france.fudo.org" ]; + }; clamav.enable = true; @@ -277,7 +279,7 @@ in { name = "webmail"; hostname = "localhost"; user = "webmail"; - password-file = /srv/webmail/secure/db.passwd; + password-file = "/srv/webmail/secure/db.passwd"; }; }; @@ -290,7 +292,7 @@ in { name = "webmail"; hostname = "localhost"; user = "webmail"; - password-file = /srv/webmail/secure/db.passwd; + password-file = "/srv/webmail/secure/db.passwd"; }; }; };
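Review bot: The string form of `password-file` introduced in `@@ -277,7 +279,7 @@` and again in `@@ -290,7 +292,7 @@` carries no comment explaining why it must not be a path literal, which is exactly what the next editor is likely to "tidy" it back into. In Nix a bare path that is interpolated into a string is copied into the Nix store, so the secret would become world-readable, whereas a string stays a runtime filename. Suggest `password-file = "/srv/webmail/secure/db.passwd"; # string, not a path: a path literal would be copied into the store` on both lines.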