Merge branch 'master' of ssh://git.fudo.org:2222/fudosys/NixOS

This commit is contained in:
root 2020-07-22 11:40:51 -07:00
commit 3dcb387a2a
5 changed files with 122 additions and 180 deletions


@ -25,35 +25,50 @@ let
}; };
}; };
sshOpts = { ... }: with types; {
options = {
listen-ip = mkOption {
type = str;
description = "IP on which to listen for SSH connections.";
};
listen-port = mkOption {
type = port;
description = "Port on which to listen for SSH connections, on <listen-ip>.";
default = 22;
};
};
};
in { in {
options.fudo.git = { options.fudo.git = with types; {
enable = mkEnableOption "Enable Fudo git web server."; enable = mkEnableOption "Enable Fudo git web server.";
hostname = mkOption { hostname = mkOption {
type = types.str; type = str;
description = "Hostname at which this git server is accessible."; description = "Hostname at which this git server is accessible.";
example = "git.fudo.org"; example = "git.fudo.org";
}; };
site-name = mkOption { site-name = mkOption {
type = types.str; type = str;
description = "Name to use for the git server."; description = "Name to use for the git server.";
default = "Fudo Git"; default = "Fudo Git";
}; };
database = mkOption { database = mkOption {
type = (types.submodule databaseOpts); type = (submodule databaseOpts);
description = "Gitea database options."; description = "Gitea database options.";
}; };
repository-dir = mkOption { repository-dir = mkOption {
type = types.path; type = path;
description = "Path at which to store repositories."; description = "Path at which to store repositories.";
example = /srv/git/repo; example = /srv/git/repo;
}; };
state-dir = mkOption { state-dir = mkOption {
type = types.path; type = path;
description = "Path at which to store server state."; description = "Path at which to store server state.";
example = /srv/git/state; example = /srv/git/state;
}; };
@ -63,6 +78,18 @@ in {
description = "System user as which to run."; description = "System user as which to run.";
default = "git"; default = "git";
}; };
local-port = mkOption {
type = port;
description = "Local port to which the Gitea server will bind. Not globally accessible.";
default = 3543;
};
ssh = mkOption {
type = nullOr (submodule sshOpts);
description = "SSH listen configuration.";
default = null;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -78,14 +105,23 @@ in {
name = cfg.database.name; name = cfg.database.name;
user = cfg.database.user; user = cfg.database.user;
passwordFile = cfg.database.password-file; passwordFile = cfg.database.password-file;
type = "postgres";
}; };
domain = cfg.hostname; domain = cfg.hostname;
httpAddress = "127.0.0.1"; httpAddress = "127.0.0.1";
httpPort = 3543; httpPort = cfg.local-port;
repositoryRoot = toString cfg.repository-dir; repositoryRoot = toString cfg.repository-dir;
stateDir = toString cfg.state-dir; stateDir = toString cfg.state-dir;
rootUrl = "https://${cfg.hostname}/"; rootUrl = "https://${cfg.hostname}/";
user = mkIf (cfg.user != null) cfg.user; user = mkIf (cfg.user != null) cfg.user;
extraConfig = mkIf (cfg.ssh != null) ''
[server]
START_SSH_SERVER = true
SSH_DOMAIN = ${cfg.hostname}
SSH_PORT = ${toString cfg.ssh.listen-port}
SSH_LISTEN_PORT = ${toString cfg.ssh.listen-port}
SSH_LISTEN_HOST = ${cfg.ssh.listen-ip}
'';
}; };
nginx = { nginx = {
@ -97,7 +133,7 @@ in {
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:3543"; proxyPass = "http://127.0.0.1:${toString cfg.local-port}";
extraConfig = '' extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
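Review bot: The new `ssh` option's description ("SSH listen configuration.") does not tell the reader that setting it to a non-null value starts Gitea's built-in SSH server (`START_SSH_SERVER = true` in the added extraConfig), nor that `listen-port` defaults to 22, which would collide with a system sshd listening on the same address unless sshd is bound elsewhere. Suggest `description = "Configuration for Gitea's built-in SSH server; started only when non-null. listen-port defaults to 22, so make sure sshd is not bound to listen-ip.";` and `listen-port` keeping its default. `listen-ip` is typed `str`, so any string (a hostname, an empty string) passes module type checking and is only rejected, if at all, when Gitea reads `SSH_LISTEN_HOST`; the description could say `"IP address literal on which to listen for SSH connections."`. The `in {` attribute set containing these options begins before this hunk.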


@ -160,21 +160,21 @@ in rec {
}; };
}; };
users = { # users = {
users = { # users = {
${container-mail-user} = { # ${container-mail-user} = {
isSystemUser = true; # isSystemUser = true;
uid = container-mail-user-id; # uid = container-mail-user-id;
group = "mailer"; # group = "mailer";
}; # };
}; # };
groups = { # groups = {
${container-mail-group} = { # ${container-mail-group} = {
members = ["mailer"]; # members = ["mailer"];
}; # };
}; # };
}; # };
fudo.mail-server = { fudo.mail-server = {
enable = true; enable = true;
@ -193,10 +193,12 @@ in rec {
dovecot = { dovecot = {
ssl-certificate = "/etc/${container-dovecot-cert}"; ssl-certificate = "/etc/${container-dovecot-cert}";
ssl-private-key = "/etc/dovecot-certs/key.pem"; ssl-private-key = "/etc/dovecot-certs/key.pem";
ldap-ca = "/etc/${container-fudo-ca-cert}"; ldap = {
ldap-urls = cfg.dovecot.ldap-urls; # ca = "/etc/${container-fudo-ca-cert}";
ldap-reader-dn = cfg.dovecot.ldap-reader-dn; server-urls = cfg.dovecot.ldap.server-urls;
ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd; reader-dn = cfg.dovecot.ldap.reader-dn;
reader-passwd = cfg.dovecot.ldap.reader-passwd;
};
}; };
local-domains = cfg.local-domains; local-domains = cfg.local-domains;
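Review bot: The `users`/`groups` block at the top of the first hunk is commented out wholesale with no note of why, and the `# ca = "/etc/${container-fudo-ca-cert}";` line in the second hunk is likewise a bare commented-out line; with the ldap `ca` option now defaulting to null, the container's LDAP client presumably runs without a pinned CA. Suggest replacing the commented `ca` line with `# ca unset: LDAP is currently reached over plain ldap:// (see the FIXME in the host config); set this once TLS is enabled.`, and either deleting the commented users block or heading it with one line stating what replaced it. The attribute set these hunks belong to starts and ends outside them.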


@ -53,10 +53,12 @@ let
} }
''; '';
ldapOpts = with types; { ldapOpts = {
options = with types; {
ca = mkOption { ca = mkOption {
type = str; type = nullOr str;
description = "The path to the CA cert used to sign the LDAP server certificate."; description = "The path to the CA cert used to sign the LDAP server certificate.";
default = null;
}; };
server-urls = mkOption { server-urls = mkOption {
@ -72,13 +74,14 @@ let
''; '';
}; };
reader-pw = mkOption { reader-passwd = mkOption {
type = str; type = str;
description = '' description = ''
Password for the user specified in ldap-reader-dn. Password for the user specified in ldap-reader-dn.
''; '';
}; };
}; };
};
dovecot-user = config.services.dovecot2.user; dovecot-user = config.services.dovecot2.user;
@ -204,7 +207,7 @@ in {
auth_mechanisms = login plain auth_mechanisms = login plain
${optionalString (cfg.dovecot.ldap != null) ${optionalString (cfg.dovecot.ldap != null)
(ldap-conf cfg.dovecot.ldap)} (ldap-passwd-entry cfg.dovecot.ldap)}
userdb { userdb {
driver = static driver = static
args = uid=${toString cfg.mail-user-id} home=${cfg.mail-directory}/%u args = uid=${toString cfg.mail-user-id} home=${cfg.mail-directory}/%u
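Review bot: The `reader-passwd` option's description still says "Password for the user specified in ldap-reader-dn." although the sibling option in this submodule is named `reader-dn`, so the reference is stale after the rename; change it to `Password for the user specified in reader-dn.`. Since the option is typed `str` and the third hunk interpolates the ldap settings into the dovecot config via `ldap-passwd-entry`, the password value presumably ends up in the generated config in the Nix store; if so, the description should say so, e.g. `Note: this value is written into the generated dovecot configuration.`. The `ca` option now admits null with `default = null;` but its description does not say what a null value means for certificate verification — worth one sentence once that is confirmed. `ldap-passwd-entry` and the enclosing `let` are defined outside these hunks.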


@ -142,6 +142,7 @@
openssh = { openssh = {
enable = true; enable = true;
startWhenNeeded = true; startWhenNeeded = true;
permitRootLogin = "prohibit-password";
extraConfig = '' extraConfig = ''
GSSAPIAuthentication yes GSSAPIAuthentication yes
GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes
@ -164,12 +165,13 @@
security.pam = { security.pam = {
# TODO: add yubico? # TODO: add yubico?
services.sshd = { services = {
sshd = {
# This should only ask for a code if ~/.google_authenticator exists, but it asks anyway. # This should only ask for a code if ~/.google_authenticator exists, but it asks anyway.
# googleAuthenticator.enable = true; # googleAuthenticator.enable = true;
makeHomeDir = true; makeHomeDir = true;
# Fails! sshAgentAuth = true;
# requireWheel = true; };
}; };
}; };
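Review bot: `sshAgentAuth = true;` on the sshd PAM service is added without a comment, while every neighbouring entry in this block says why it is or is not enabled, and the old `# Fails!` / `# requireWheel = true;` note it replaces is dropped without saying whether that attempt was abandoned. The module this enables presumably authenticates against an SSH agent reachable from the PAM session, which an incoming sshd login would not normally have, so the intent is unclear; suggest `# sshAgentAuth: <intended use> — verify this is effective for sshd logins` above the line. `permitRootLogin = "prohibit-password";` matches OpenSSH's default, so making it explicit is fine. The `services` set enclosing the openssh block begins before the first hunk.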


@ -7,7 +7,7 @@ let
mail-hostname = hostname; mail-hostname = hostname;
host_ipv4 = "208.81.3.117"; host_ipv4 = "208.81.3.117";
# Use a special IP for git.fudo.org, since it needs to be SSH-able # Use a special IP for git.fudo.org, since it needs to be SSH-able
docker_ipv4 = "208.81.3.126"; git_ipv4 = "208.81.3.126";
all-hostnames = []; all-hostnames = [];
acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem"; acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
@ -34,6 +34,15 @@ in {
../defaults.nix ../defaults.nix
]; ];
# services.openssh = {
# listenAddresses = [
# {
# addr = host_ipv4;
# port = 22;
# }
# ];
# };
fudo.common = { fudo.common = {
# Sets some server-common settings. See /etc/nixos/fudo/profiles/... # Sets some server-common settings. See /etc/nixos/fudo/profiles/...
profile = "server"; profile = "server";
@ -118,12 +127,6 @@ in {
fudo_git = "ALL PRIVILEGES"; fudo_git = "ALL PRIVILEGES";
}; };
}; };
gitlab_postgres = {
password = fileContents "/srv/gitlab/secure/db.passwd";
databases = {
gitlab = "ALL PRIVILEGES";
};
};
grafana = { grafana = {
password = fileContents "/srv/grafana/secure/db.passwd"; password = fileContents "/srv/grafana/secure/db.passwd";
databases = { databases = {
@ -151,7 +154,6 @@ in {
databases = { databases = {
fudo_git = ["niten"]; fudo_git = ["niten"];
gitlab = ["niten"];
grafana = ["niten"]; grafana = ["niten"];
mattermost = ["niten"]; mattermost = ["niten"];
webmail = ["niten"]; webmail = ["niten"];
@ -237,11 +239,13 @@ in {
state-directory = "${system-mail-directory}/var"; state-directory = "${system-mail-directory}/var";
mail-directory = "${system-mail-directory}/mailboxes"; mail-directory = "${system-mail-directory}/mailboxes";
dovecot.ldap-reader-dn = "cn=user_db_reader,dc=fudo,dc=org"; dovecot.ldap = {
dovecot.ldap-reader-passwd = fileContents /srv/ldap/secure/user_db.passwd; reader-dn = "cn=user_db_reader,dc=fudo,dc=org";
reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;
# FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP. # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.
dovecot.ldap-urls = [ "ldap://france.fudo.org" ]; server-urls = [ "ldap://france.fudo.org" ];
};
clamav.enable = true; clamav.enable = true;
@ -277,7 +281,7 @@ in {
name = "webmail"; name = "webmail";
hostname = "localhost"; hostname = "localhost";
user = "webmail"; user = "webmail";
password-file = /srv/webmail/secure/db.passwd; password-file = "/srv/webmail/secure/db.passwd";
}; };
}; };
@ -290,7 +294,7 @@ in {
name = "webmail"; name = "webmail";
hostname = "localhost"; hostname = "localhost";
user = "webmail"; user = "webmail";
password-file = /srv/webmail/secure/db.passwd; password-file = "/srv/webmail/secure/db.passwd";
}; };
}; };
}; };
@ -314,7 +318,7 @@ in {
fudo.git = { fudo.git = {
enable = true; enable = true;
hostname = "git.test.fudo.org"; hostname = "git.fudo.org";
site-name = "Fudo Git"; site-name = "Fudo Git";
user = "fudo_git"; user = "fudo_git";
database = { database = {
@ -325,6 +329,10 @@ in {
}; };
repository-dir = /srv/git/repo; repository-dir = /srv/git/repo;
state-dir = /srv/git/state; state-dir = /srv/git/state;
ssh = {
listen-ip = git_ipv4;
listen-port = 2222;
};
}; };
networking = { networking = {
@ -368,7 +376,7 @@ in {
macAddress = "02:6d:e2:e1:ad:ca"; macAddress = "02:6d:e2:e1:ad:ca";
ipv4.addresses = [ ipv4.addresses = [
{ {
address = docker_ipv4; address = git_ipv4;
prefixLength = 28; prefixLength = 28;
} }
]; ];
@ -449,42 +457,7 @@ in {
isNormalUser = false; isNormalUser = false;
uid = 8006; uid = 8006;
}; };
gitlab = {
isNormalUser = false;
uid = 8002;
}; };
gitlab_postgres = {
isNormalUser = false;
group = config.fudo.postgresql.socket-group;
uid = 8003;
};
gitlab_redis = {
isNormalUser = false;
group = "redis-local";
uid = 8004;
};
gitlab_www = {
isNormalUser = false;
group = "nogroup";
uid = 8005;
};
};
extraGroups = {
redis-local = {
members = ["redis"];
gid = 7001;
};
};
};
boot.kernel.sysctl = {
# For Redis
"vm.overcommit_memory" = 1;
}; };
fudo.system = { fudo.system = {
@ -492,10 +465,6 @@ in {
postHugePageServices = ["redis.service"]; postHugePageServices = ["redis.service"];
}; };
systemd.services.redis.postStart = ''
chgrp redis-local ${config.services.redis.unixSocket}
'';
security.acme.certs = { security.acme.certs = {
"archiva.fudo.org".email = config.fudo.common.admin-email; "archiva.fudo.org".email = config.fudo.common.admin-email;
"git.fudo.org".email = config.fudo.common.admin-email; "git.fudo.org".email = config.fudo.common.admin-email;
@ -503,15 +472,6 @@ in {
services = { services = {
redis = {
enable = true;
bind = "127.0.0.1";
unixSocket = "/run/redis/redis.socket";
extraConfig = ''
unixsocketperm 770
'';
};
nginx = { nginx = {
enable = true; enable = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
@ -534,22 +494,6 @@ in {
''; '';
}; };
}; };
"git.fudo.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8002";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
}; };
}; };
}; };
@ -568,52 +512,7 @@ in {
SSL_ENABLED = "false"; SSL_ENABLED = "false";
}; };
}; };
gitlab = {
image = "gitlab/gitlab-ce:12.8.1-ce.0";
ports = [
"127.0.0.1:8002:80"
"${docker_ipv4}::22"
];
# user = toString config.users.users.gitlab.uid;
volumes = [
"/run/redis:/var/opt/gitlab/redis"
"/srv/gitlab/builds:/var/opt/gitlab/gitlab-ci/builds"
"/srv/gitlab/config:/etc/gitlab"
"/srv/gitlab/logs:/var/log/gitlab"
"/srv/gitlab/gitlab:/var/opt/gitlab"
"${config.fudo.postgresql.socket-directory}:/run/postgresql"
"${config.fudo.postgresql.socket-directory}:/var/opt/gitlab/postgresql"
];
extraDockerOptions = [
"--hostname=git.fudo.org"
];
}; };
};
systemd.services.docker-gitlab-config = let
gitlab-config = pkgs.writeText "gitlab-config.rb" ''
gitlab_rails['db_adapter'] = "postgresql"
gitlab_rails['db_encoding'] = "unicode"
gitlab_rails['db_database'] = "gitlab"
gitlab_rails['db_username'] = "gitlab_postgres"
gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}"
user['uid'] = "${toString config.users.users.gitlab.uid}"
user['gid'] = "${toString config.users.groups.redis-local.gid}"
# Provided externally
redis['enable'] = false
postgresql['enable'] = false
web_server['uid'] = "${toString config.users.users.gitlab_www.uid}"
web_server['gid'] = "${toString config.users.groups.nogroup.gid}"
'';
in {
# before = ["docker-gitlab.service"];
script = "cp -f ${gitlab-config} /srv/gitlab/config/gitlab.rb";
};
systemd.services.docker-gitlab.requires = ["docker-gitlab-config.service"];
### ###
# Minecraft # Minecraft