Merge branch 'master' of ssh://git.fudo.org:2222/fudosys/NixOS

This commit is contained in:
root 2020-07-22 11:40:51 -07:00
commit 3dcb387a2a
5 changed files with 122 additions and 180 deletions


@ -25,35 +25,50 @@ let
}; };
}; };
sshOpts = { ... }: with types; {
options = {
listen-ip = mkOption {
type = str;
description = "IP on which to listen for SSH connections.";
};
listen-port = mkOption {
type = port;
description = "Port on which to listen for SSH connections, on <listen-ip>.";
default = 22;
};
};
};
in { in {
options.fudo.git = { options.fudo.git = with types; {
enable = mkEnableOption "Enable Fudo git web server."; enable = mkEnableOption "Enable Fudo git web server.";
hostname = mkOption { hostname = mkOption {
type = types.str; type = str;
description = "Hostname at which this git server is accessible."; description = "Hostname at which this git server is accessible.";
example = "git.fudo.org"; example = "git.fudo.org";
}; };
site-name = mkOption { site-name = mkOption {
type = types.str; type = str;
description = "Name to use for the git server."; description = "Name to use for the git server.";
default = "Fudo Git"; default = "Fudo Git";
}; };
database = mkOption { database = mkOption {
type = (types.submodule databaseOpts); type = (submodule databaseOpts);
description = "Gitea database options."; description = "Gitea database options.";
}; };
repository-dir = mkOption { repository-dir = mkOption {
type = types.path; type = path;
description = "Path at which to store repositories."; description = "Path at which to store repositories.";
example = /srv/git/repo; example = /srv/git/repo;
}; };
state-dir = mkOption { state-dir = mkOption {
type = types.path; type = path;
description = "Path at which to store server state."; description = "Path at which to store server state.";
example = /srv/git/state; example = /srv/git/state;
}; };
@ -63,6 +78,18 @@ in {
description = "System user as which to run."; description = "System user as which to run.";
default = "git"; default = "git";
}; };
local-port = mkOption {
type = port;
description = "Local port to which the Gitea server will bind. Not globally accessible.";
default = 3543;
};
ssh = mkOption {
type = nullOr (submodule sshOpts);
description = "SSH listen configuration.";
default = null;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -78,14 +105,23 @@ in {
name = cfg.database.name; name = cfg.database.name;
user = cfg.database.user; user = cfg.database.user;
passwordFile = cfg.database.password-file; passwordFile = cfg.database.password-file;
type = "postgres";
}; };
domain = cfg.hostname; domain = cfg.hostname;
httpAddress = "127.0.0.1"; httpAddress = "127.0.0.1";
httpPort = 3543; httpPort = cfg.local-port;
repositoryRoot = toString cfg.repository-dir; repositoryRoot = toString cfg.repository-dir;
stateDir = toString cfg.state-dir; stateDir = toString cfg.state-dir;
rootUrl = "https://${cfg.hostname}/"; rootUrl = "https://${cfg.hostname}/";
user = mkIf (cfg.user != null) cfg.user; user = mkIf (cfg.user != null) cfg.user;
extraConfig = mkIf (cfg.ssh != null) ''
[server]
START_SSH_SERVER = true
SSH_DOMAIN = ${cfg.hostname}
SSH_PORT = ${toString cfg.ssh.listen-port}
SSH_LISTEN_PORT = ${toString cfg.ssh.listen-port}
SSH_LISTEN_HOST = ${cfg.ssh.listen-ip}
'';
}; };
nginx = { nginx = {
@ -97,15 +133,15 @@ in {
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:3543"; proxyPass = "http://127.0.0.1:${toString cfg.local-port}";
extraConfig = '' extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port; proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
''; '';
}; };
}; };
}; };
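Review bot: The `ssh` option's description (`"SSH listen configuration."`) does not say that a non-null value switches Gitea to its built-in SSH server — the `extraConfig` emitted under `mkIf (cfg.ssh != null)` sets `START_SSH_SERVER = true` bound to `listen-ip:listen-port` — so a reader of the option alone cannot tell that a second SSH daemon will run alongside the host sshd. Suggest `description = "Listen configuration for Gitea's built-in SSH server. When non-null, Gitea starts its own SSH server (START_SSH_SERVER) on listen-ip:listen-port, so choose an address/port that does not collide with the host sshd.";`. `listen-ip` is typed `str`, so nothing validates it is an address; noting in its description that it is passed verbatim as `SSH_LISTEN_HOST` would help. The `options.fudo.git` and `config = mkIf cfg.enable` blocks both continue outside the visible hunks.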


@ -160,21 +160,21 @@ in rec {
}; };
}; };
users = { # users = {
users = { # users = {
${container-mail-user} = { # ${container-mail-user} = {
isSystemUser = true; # isSystemUser = true;
uid = container-mail-user-id; # uid = container-mail-user-id;
group = "mailer"; # group = "mailer";
}; # };
}; # };
groups = { # groups = {
${container-mail-group} = { # ${container-mail-group} = {
members = ["mailer"]; # members = ["mailer"];
}; # };
}; # };
}; # };
fudo.mail-server = { fudo.mail-server = {
enable = true; enable = true;
@ -193,10 +193,12 @@ in rec {
dovecot = { dovecot = {
ssl-certificate = "/etc/${container-dovecot-cert}"; ssl-certificate = "/etc/${container-dovecot-cert}";
ssl-private-key = "/etc/dovecot-certs/key.pem"; ssl-private-key = "/etc/dovecot-certs/key.pem";
ldap-ca = "/etc/${container-fudo-ca-cert}"; ldap = {
ldap-urls = cfg.dovecot.ldap-urls; # ca = "/etc/${container-fudo-ca-cert}";
ldap-reader-dn = cfg.dovecot.ldap-reader-dn; server-urls = cfg.dovecot.ldap.server-urls;
ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd; reader-dn = cfg.dovecot.ldap.reader-dn;
reader-passwd = cfg.dovecot.ldap.reader-passwd;
};
}; };
local-domains = cfg.local-domains; local-domains = cfg.local-domains;
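Review bot: The `ca` line in the new `dovecot.ldap` block is commented out rather than removed and nothing records why, so the container now has no configured trust anchor for its LDAP connection; with the module's `ca` option defaulting to `null` and the host configuration in this same commit using plaintext `ldap://` URLs this is presumably deliberate, but a comment such as `# ca: left unset while server-urls is plain ldap://; set it when switching to ldaps://` would make that explicit. The `users`/`groups` block in the first hunk is likewise commented out wholesale with no reason given — if the mailer system user is no longer needed, deleting it (or a one-line comment saying why it is kept) is clearer than dead configuration. The enclosing attribute set continues past both hunks.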


@ -53,30 +53,33 @@ let
} }
''; '';
ldapOpts = with types; { ldapOpts = {
ca = mkOption { options = with types; {
type = str; ca = mkOption {
description = "The path to the CA cert used to sign the LDAP server certificate."; type = nullOr str;
}; description = "The path to the CA cert used to sign the LDAP server certificate.";
default = null;
};
server-urls = mkOption { server-urls = mkOption {
type = listOf str; type = listOf str;
description = "A list of LDAP server URLs used for authentication."; description = "A list of LDAP server URLs used for authentication.";
}; };
reader-dn = mkOption { reader-dn = mkOption {
type = str; type = str;
description = '' description = ''
DN to use for reading user information. Needs access to homeDirectory, DN to use for reading user information. Needs access to homeDirectory,
uidNumber, gidNumber, and uid, but not password attributes. uidNumber, gidNumber, and uid, but not password attributes.
''; '';
}; };
reader-pw = mkOption { reader-passwd = mkOption {
type = str; type = str;
description = '' description = ''
Password for the user specified in ldap-reader-dn. Password for the user specified in ldap-reader-dn.
''; '';
};
}; };
}; };
@ -204,7 +207,7 @@ in {
auth_mechanisms = login plain auth_mechanisms = login plain
${optionalString (cfg.dovecot.ldap != null) ${optionalString (cfg.dovecot.ldap != null)
(ldap-conf cfg.dovecot.ldap)} (ldap-passwd-entry cfg.dovecot.ldap)}
userdb { userdb {
driver = static driver = static
args = uid=${toString cfg.mail-user-id} home=${cfg.mail-directory}/%u args = uid=${toString cfg.mail-user-id} home=${cfg.mail-directory}/%u
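Review bot: The `reader-passwd` description still says `Password for the user specified in ldap-reader-dn.`, but the sibling option is now `reader-dn` inside the `ldap` submodule, so the reference is stale; suggest `Password for the user specified in reader-dn.`. It is also worth stating in that description that, as a `str` option, the value is interpolated into the Dovecot configuration at evaluation time and therefore lands in the Nix store, which is world-readable on the host — the git module in this same commit takes a `password-file` path instead, and a parallel `reader-passwd-file` option would be the consistent shape. `ldap-passwd-entry`, called in the last hunk, is defined outside the visible lines, so whether it keeps the password out of the store cannot be checked here.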


@ -142,6 +142,7 @@
openssh = { openssh = {
enable = true; enable = true;
startWhenNeeded = true; startWhenNeeded = true;
permitRootLogin = "prohibit-password";
extraConfig = '' extraConfig = ''
GSSAPIAuthentication yes GSSAPIAuthentication yes
GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes
@ -164,12 +165,13 @@
security.pam = { security.pam = {
# TODO: add yubico? # TODO: add yubico?
services.sshd = { services = {
# This should only ask for a code if ~/.google_authenticator exists, but it asks anyway. sshd = {
# googleAuthenticator.enable = true; # This should only ask for a code if ~/.google_authenticator exists, but it asks anyway.
makeHomeDir = true; # googleAuthenticator.enable = true;
# Fails! makeHomeDir = true;
# requireWheel = true; sshAgentAuth = true;
};
}; };
}; };
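Review bot: `sshAgentAuth = true` on the `sshd` PAM service is puzzling: `pam_ssh_agent_auth` authenticates against an agent socket already reachable from the PAM environment, which an incoming SSH login does not have at authentication time, so the line likely has no effect — or was intended for the `sudo` service. A comment stating the intent, or moving it to the service it was meant for, would avoid the impression that PAM agent auth is gating sshd logins. In the first hunk, `permitRootLogin = "prohibit-password"` disables only password and keyboard-interactive login for root, so with `GSSAPIAuthentication yes` kept in `extraConfig` root remains reachable via Kerberos credentials; if that is intended, a short comment next to the option would record it.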


@ -7,7 +7,7 @@ let
mail-hostname = hostname; mail-hostname = hostname;
host_ipv4 = "208.81.3.117"; host_ipv4 = "208.81.3.117";
# Use a special IP for git.fudo.org, since it needs to be SSH-able # Use a special IP for git.fudo.org, since it needs to be SSH-able
docker_ipv4 = "208.81.3.126"; git_ipv4 = "208.81.3.126";
all-hostnames = []; all-hostnames = [];
acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem"; acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
@ -34,6 +34,15 @@ in {
../defaults.nix ../defaults.nix
]; ];
# services.openssh = {
# listenAddresses = [
# {
# addr = host_ipv4;
# port = 22;
# }
# ];
# };
fudo.common = { fudo.common = {
# Sets some server-common settings. See /etc/nixos/fudo/profiles/... # Sets some server-common settings. See /etc/nixos/fudo/profiles/...
profile = "server"; profile = "server";
@ -118,12 +127,6 @@ in {
fudo_git = "ALL PRIVILEGES"; fudo_git = "ALL PRIVILEGES";
}; };
}; };
gitlab_postgres = {
password = fileContents "/srv/gitlab/secure/db.passwd";
databases = {
gitlab = "ALL PRIVILEGES";
};
};
grafana = { grafana = {
password = fileContents "/srv/grafana/secure/db.passwd"; password = fileContents "/srv/grafana/secure/db.passwd";
databases = { databases = {
@ -151,7 +154,6 @@ in {
databases = { databases = {
fudo_git = ["niten"]; fudo_git = ["niten"];
gitlab = ["niten"];
grafana = ["niten"]; grafana = ["niten"];
mattermost = ["niten"]; mattermost = ["niten"];
webmail = ["niten"]; webmail = ["niten"];
@ -237,11 +239,13 @@ in {
state-directory = "${system-mail-directory}/var"; state-directory = "${system-mail-directory}/var";
mail-directory = "${system-mail-directory}/mailboxes"; mail-directory = "${system-mail-directory}/mailboxes";
dovecot.ldap-reader-dn = "cn=user_db_reader,dc=fudo,dc=org"; dovecot.ldap = {
dovecot.ldap-reader-passwd = fileContents /srv/ldap/secure/user_db.passwd; reader-dn = "cn=user_db_reader,dc=fudo,dc=org";
reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;
# FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP. # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.
dovecot.ldap-urls = [ "ldap://france.fudo.org" ]; server-urls = [ "ldap://france.fudo.org" ];
};
clamav.enable = true; clamav.enable = true;
@ -277,7 +281,7 @@ in {
name = "webmail"; name = "webmail";
hostname = "localhost"; hostname = "localhost";
user = "webmail"; user = "webmail";
password-file = /srv/webmail/secure/db.passwd; password-file = "/srv/webmail/secure/db.passwd";
}; };
}; };
@ -290,7 +294,7 @@ in {
name = "webmail"; name = "webmail";
hostname = "localhost"; hostname = "localhost";
user = "webmail"; user = "webmail";
password-file = /srv/webmail/secure/db.passwd; password-file = "/srv/webmail/secure/db.passwd";
}; };
}; };
}; };
@ -314,7 +318,7 @@ in {
fudo.git = { fudo.git = {
enable = true; enable = true;
hostname = "git.test.fudo.org"; hostname = "git.fudo.org";
site-name = "Fudo Git"; site-name = "Fudo Git";
user = "fudo_git"; user = "fudo_git";
database = { database = {
@ -325,6 +329,10 @@ in {
}; };
repository-dir = /srv/git/repo; repository-dir = /srv/git/repo;
state-dir = /srv/git/state; state-dir = /srv/git/state;
ssh = {
listen-ip = git_ipv4;
listen-port = 2222;
};
}; };
networking = { networking = {
@ -368,7 +376,7 @@ in {
macAddress = "02:6d:e2:e1:ad:ca"; macAddress = "02:6d:e2:e1:ad:ca";
ipv4.addresses = [ ipv4.addresses = [
{ {
address = docker_ipv4; address = git_ipv4;
prefixLength = 28; prefixLength = 28;
} }
]; ];
@ -449,42 +457,7 @@ in {
isNormalUser = false; isNormalUser = false;
uid = 8006; uid = 8006;
}; };
gitlab = {
isNormalUser = false;
uid = 8002;
};
gitlab_postgres = {
isNormalUser = false;
group = config.fudo.postgresql.socket-group;
uid = 8003;
};
gitlab_redis = {
isNormalUser = false;
group = "redis-local";
uid = 8004;
};
gitlab_www = {
isNormalUser = false;
group = "nogroup";
uid = 8005;
};
}; };
extraGroups = {
redis-local = {
members = ["redis"];
gid = 7001;
};
};
};
boot.kernel.sysctl = {
# For Redis
"vm.overcommit_memory" = 1;
}; };
fudo.system = { fudo.system = {
@ -492,10 +465,6 @@ in {
postHugePageServices = ["redis.service"]; postHugePageServices = ["redis.service"];
}; };
systemd.services.redis.postStart = ''
chgrp redis-local ${config.services.redis.unixSocket}
'';
security.acme.certs = { security.acme.certs = {
"archiva.fudo.org".email = config.fudo.common.admin-email; "archiva.fudo.org".email = config.fudo.common.admin-email;
"git.fudo.org".email = config.fudo.common.admin-email; "git.fudo.org".email = config.fudo.common.admin-email;
@ -503,15 +472,6 @@ in {
services = { services = {
redis = {
enable = true;
bind = "127.0.0.1";
unixSocket = "/run/redis/redis.socket";
extraConfig = ''
unixsocketperm 770
'';
};
nginx = { nginx = {
enable = true; enable = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
@ -534,22 +494,6 @@ in {
''; '';
}; };
}; };
"git.fudo.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8002";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
}; };
}; };
}; };
@ -568,53 +512,8 @@ in {
SSL_ENABLED = "false"; SSL_ENABLED = "false";
}; };
}; };
gitlab = {
image = "gitlab/gitlab-ce:12.8.1-ce.0";
ports = [
"127.0.0.1:8002:80"
"${docker_ipv4}::22"
];
# user = toString config.users.users.gitlab.uid;
volumes = [
"/run/redis:/var/opt/gitlab/redis"
"/srv/gitlab/builds:/var/opt/gitlab/gitlab-ci/builds"
"/srv/gitlab/config:/etc/gitlab"
"/srv/gitlab/logs:/var/log/gitlab"
"/srv/gitlab/gitlab:/var/opt/gitlab"
"${config.fudo.postgresql.socket-directory}:/run/postgresql"
"${config.fudo.postgresql.socket-directory}:/var/opt/gitlab/postgresql"
];
extraDockerOptions = [
"--hostname=git.fudo.org"
];
};
}; };
systemd.services.docker-gitlab-config = let
gitlab-config = pkgs.writeText "gitlab-config.rb" ''
gitlab_rails['db_adapter'] = "postgresql"
gitlab_rails['db_encoding'] = "unicode"
gitlab_rails['db_database'] = "gitlab"
gitlab_rails['db_username'] = "gitlab_postgres"
gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}"
user['uid'] = "${toString config.users.users.gitlab.uid}"
user['gid'] = "${toString config.users.groups.redis-local.gid}"
# Provided externally
redis['enable'] = false
postgresql['enable'] = false
web_server['uid'] = "${toString config.users.users.gitlab_www.uid}"
web_server['gid'] = "${toString config.users.groups.nogroup.gid}"
'';
in {
# before = ["docker-gitlab.service"];
script = "cp -f ${gitlab-config} /srv/gitlab/config/gitlab.rb";
};
systemd.services.docker-gitlab.requires = ["docker-gitlab-config.service"];
### ###
# Minecraft # Minecraft
### ###