Piles o' changes

This commit is contained in:
root 2020-06-06 20:58:13 -05:00
parent 2aa6b8efc6
commit 9f59ff30fe
21 changed files with 587 additions and 152 deletions


@ -154,6 +154,8 @@ in {
};
};
security.acme.certs.${cfg.hostname}.email = config.fudo.common.admin-email;
services.nginx = {
enable = true;


@ -46,5 +46,11 @@ with lib;
description = "Path at which to store www files for serving.";
example = /var/www;
};
admin-email = mkOption {
type = types.str;
description = "Email for administrator of this system.";
default = "admin@fudo.org";
};
};
}

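--- a/config/fudo/git.nix
+++ b/config/fudo/git.nix
@@ -0,0 +1,115 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let
+cfg = config.fudo.git;
+databaseOpts = { ... }: {
+options = {
+name = mkOption {
+type = types.str;
+description = "Database name.";
+};
+hostname = mkOption {
+type = types.str;
+description = "Hostname of the database server.";
+};
+user = mkOption {
+type = types.str;
+description = "Database username.";
+};
+password-file = mkOption {
+type = types.path;
+description = "File containing the database user's password.";
+};
+};
+};
+in {
+options.fudo.git = {
+enable = mkEnableOption "Enable Fudo git web server.";
+hostname = mkOption {
+type = types.str;
+description = "Hostname at which this git server is accessible.";
+example = "git.fudo.org";
+};
+site-name = mkOption {
+type = types.str;
+description = "Name to use for the git server.";
+default = "Fudo Git";
+};
+database = mkOption {
+type = (types.submodule databaseOpts);
+description = "Gitea database options.";
+};
+repository-dir = mkOption {
+type = types.path;
+description = "Path at which to store repositories.";
+example = /srv/git/repo;
+};
+state-dir = mkOption {
+type = types.path;
+description = "Path at which to store server state.";
+example = /srv/git/state;
+};
+user = mkOption {
+type = with types; nullOr str;
+description = "System user as which to run.";
+default = "git";
+};
+};
+config = mkIf cfg.enable {
+security.acme.certs.${cfg.hostname}.email = config.fudo.common.admin-email;
+services = {
+gitea = {
+enable = true;
+appName = cfg.site-name;
+database = {
+createDatabase = true;
+host = cfg.database.hostname;
+name = cfg.database.name;
+user = cfg.database.user;
+passwordFile = cfg.database.password-file;
+};
+domain = cfg.hostname;
+httpAddress = "127.0.0.1";
+httpPort = 3543;
+repositoryRoot = toString cfg.repository-dir;
+stateDir = toString cfg.state-dir;
+rootUrl = "https://${cfg.hostname}/";
+user = mkIf (cfg.user != null) cfg.user;
+};
+nginx = {
+enable = true;
+virtualHosts = {
+"${cfg.hostname}" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:3543";
+extraConfig = ''
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-By $server_addr:$server_port;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+'';
+};
+};
+};
+};
+};
+};
+}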
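Review bot: The `services.gitea.database` block in the new config sets `host`, `name`, `user` and `passwordFile` but never `type`, and the NixOS gitea module defaults `database.type` to `sqlite3`, so all of the PostgreSQL settings are ignored and the server quietly runs on an embedded SQLite file; add `type = "postgres";` next to `createDatabase = true;`. Separately, `password-file` is declared as `types.path`, and as far as I can see the gitea module interpolates `passwordFile` into its pre-start script — a Nix path literal (which is what the host config passes) is then copied into the world-readable Nix store, so the secret is no longer protected by the permissions on `/srv/git/secure`. Declaring it as `types.str` (and documenting "absolute path as a string, never a path literal") keeps the file out of the store.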


@ -5,6 +5,7 @@
with lib;
let
cfg = config.fudo.grafana;
fudo-cfg = config.fudo.common;
database-name = "grafana";
database-user = "grafana";
@ -73,6 +74,8 @@ in {
};
config = mkIf cfg.enable {
security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;
services.nginx = {
enable = true;


@ -16,7 +16,7 @@ let
container-mail-user = "mailer";
container-mail-user-id = 542;
container-mail-group = "mailer";
trusted-networks = config.fudo.common.local-networks;
fudo-cfg = config.fudo.common;
in rec {
options.fudo.mail-server.container = {
@ -25,18 +25,6 @@ in rec {
description = "URL of the LDAP server to use for authentication.";
example = "ldaps://auth.fudo.org/";
};
# host-ip = mkOption {
# type = types.str;
# description = "The IP to assign to this server, for communication with the mail server container.";
# default = "10.110.0.1";
# };
# container-ip = mkOption {
# type = types.str;
# description = "The IP to assign to the mail server container.";
# default = "10.110.0.2";
# };
};
config = mkIf (cfg.enableContainer && !cfg.enable) {
@ -73,6 +61,8 @@ in rec {
};
};
security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;
services.nginx = mkIf cfg.monitoring {
enable = true;
@ -81,9 +71,9 @@ in rec {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
'';
trusted-network-string = optionalString ((length trusted-networks) > 0)
trusted-network-string = optionalString ((length fudo-cfg.local-networks) > 0)
(concatStringsSep "\n"
(map (network: "allow ${network};") trusted-networks)) + "\ndeny all;";
(map (network: "allow ${network};") fudo-cfg.local-networks)) + "\ndeny all;";
in {
"${cfg.hostname}" = {
@ -123,30 +113,6 @@ in rec {
};
};
# services.xinetd = let
# xinetd-entry = name: port: {
# name = name;
# port = port;
# protocol = "tcp";
# server = "";
# extraConfig = ''
# socket_type = stream
# wait = no
# redirect = ${cfg.container.container-ip} ${toString port}
# '';
# };
# in {
# enable = true;
# services = [
# (xinetd-entry "smtp" 25)
# (xinetd-entry "pop3" 110)
# (xinetd-entry "pop3s" 995)
# (xinetd-entry "imap" 143)
# (xinetd-entry "imaps" 993)
# (xinetd-entry "submission" 587)
# ];
# };
containers.mail-server = {
autoStart = true;
@ -210,46 +176,45 @@ in rec {
};
};
fudo.mail-server =
{
enable = true;
hostname = cfg.hostname;
domain = cfg.domain;
fudo.mail-server = {
enable = true;
hostname = cfg.hostname;
domain = cfg.domain;
debug = cfg.debug;
monitoring = cfg.monitoring;
debug = cfg.debug;
monitoring = cfg.monitoring;
state-directory = container-statedir;
mail-directory = container-maildir;
state-directory = container-statedir;
mail-directory = container-maildir;
postfix.ssl-certificate = "/etc/${container-postfix-cert}";
postfix.ssl-private-key = "/etc/postfix-certs/key.pem";
postfix.ssl-certificate = "/etc/${container-postfix-cert}";
postfix.ssl-private-key = "/etc/postfix-certs/key.pem";
dovecot = {
ssl-certificate = "/etc/${container-dovecot-cert}";
ssl-private-key = "/etc/dovecot-certs/key.pem";
ldap-ca = "/etc/${container-fudo-ca-cert}";
ldap-urls = cfg.dovecot.ldap-urls;
ldap-reader-dn = cfg.dovecot.ldap-reader-dn;
ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd;
};
local-domains = cfg.local-domains;
alias-users = cfg.alias-users;
user-aliases = cfg.user-aliases;
sender-blacklist = cfg.sender-blacklist;
recipient-blacklist = cfg.recipient-blacklist;
trusted-networks = cfg.trusted-networks;
mail-user = container-mail-user;
mail-user-id = container-mail-user-id;
mail-group = container-mail-group;
clamav.enable = cfg.clamav.enable;
dkim.signing = cfg.dkim.signing;
dovecot = {
ssl-certificate = "/etc/${container-dovecot-cert}";
ssl-private-key = "/etc/dovecot-certs/key.pem";
ldap-ca = "/etc/${container-fudo-ca-cert}";
ldap-urls = cfg.dovecot.ldap-urls;
ldap-reader-dn = cfg.dovecot.ldap-reader-dn;
ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd;
};
local-domains = cfg.local-domains;
alias-users = cfg.alias-users;
user-aliases = cfg.user-aliases;
sender-blacklist = cfg.sender-blacklist;
recipient-blacklist = cfg.recipient-blacklist;
trusted-networks = cfg.trusted-networks;
mail-user = container-mail-user;
mail-user-id = container-mail-user-id;
mail-group = container-mail-group;
clamav.enable = cfg.clamav.enable;
dkim.signing = cfg.dkim.signing;
};
};
};
};
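Review bot: The `host-ip`/`container-ip` options and the entire `services.xinetd` block are commented out rather than deleted, leaving roughly forty dead lines whose removal git already records; drop them, and if the xinetd port redirection is expected to return, replace the block with a one-line `# TODO: restore per-port forwarding into the container (smtp/pop3/imap/submission)` so the intent survives without the stale code. The re-indentation of the `fudo.mail-server` attribute set is harmless but doubles the size of the hunk; keeping formatting-only changes in their own commit would make the one functional change here (`trusted-networks` → `fudo-cfg.local-networks`) easier to review.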


@ -105,9 +105,10 @@ in {
domain = cfg.domain;
origin = cfg.domain;
hostname = cfg.hostname;
destination = ["localhost" "localhost.localdomain"] ++
(map (domain: "localhost.${domain}") cfg.local-domains) ++
cfg.local-domains;
destination = ["localhost" "localhost.localdomain"];
# destination = ["localhost" "localhost.localdomain"] ++
# (map (domain: "localhost.${domain}") cfg.local-domains) ++
# cfg.local-domains;
enableHeaderChecks = true;
enableSmtp = true;
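Review bot: `destination` now lists only the two localhost names, and the previous expression is left commented out with no explanation of why the local domains were dropped from `mydestination` — re-adding them is the obvious "fix" the next reader will attempt, so a comment is needed here rather than dead code. Presumably the local domains are delivered as virtual domains, in which case listing them in `mydestination` makes Postfix treat them as local and shadows virtual delivery; if that is the reason, say so: `# local-domains are virtual domains; listing them here would shadow virtual delivery`. Delete the commented-out expression. The enclosing `services.postfix` attribute set starts before this hunk.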


@ -20,6 +20,8 @@ in {
};
config = mkIf cfg.enable {
security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;
services = {
# This'll run an exporter at localhost:9100
prometheus.exporters.node = {


@ -65,8 +65,9 @@ let
(username: attrs:
stringJoin "\n"
(map (db: ''
host ${username} ${db} 127.0.0.1/16 md5
host ${username} ${db} ::1/128 md5
local ${db} ${username} md5
host ${db} ${username} 127.0.0.1/16 md5
host ${db} ${username} ::1/128 md5
'') (attrNames attrs.databases)))
users);
@ -117,6 +118,24 @@ in {
description = "A map of databases to database options.";
default = {};
};
socket-directory = mkOption {
type = types.str;
description = "Directory in which to place unix sockets.";
default = "/run/postgresql";
};
socket-group = mkOption {
type = types.str;
description = "Group for accessing sockets.";
default = "postgres_local";
};
local-users = mkOption {
type = with types; listOf str;
description = "Users able to access the server via local socket.";
default = [];
};
};
config = mkIf cfg.enable {
@ -157,6 +176,12 @@ in {
};
};
users.groups = {
${cfg.socket-group} = {
members = ["postgres"] ++ cfg.local-users;
};
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_11_gssapi;
@ -172,23 +197,23 @@ in {
})
cfg.users;
extraConfig =
''
extraConfig = ''
krb_server_keyfile = '/etc/postgresql/private/postgres.keytab'
ssl = true
ssl_cert_file = '/etc/postgresql/cert.pem'
ssl_key_file = '/etc/postgresql/private/privkey.pem'
unix_socket_directories = '/var/run/postgresql'
unix_socket_directories = '${cfg.socket-directory}'
unix_socket_group = '${cfg.socket-group}'
unix_socket_permissions = 0777
'';
authentication =
''
local all all ident
authentication = lib.mkForce ''
${makeLocalUserPasswordEntries cfg.users}
local all all ident
# host-local
host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG
@ -204,6 +229,7 @@ in {
systemd.services.postgresql.postStart = ''
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${pkgs.postgresql}/bin/psql --port ${toString config.services.postgresql.port} -f /etc/postgresql/private/user-script.sql -d postgres
${pkgs.coreutils}/bin/chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL*
'';
};
}
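Review bot: `unix_socket_permissions = 0777` in the rebuilt `extraConfig` makes the newly added `unix_socket_group` pointless — every local user can connect to the socket regardless of group membership, so `socket-group` and `local-users` do not restrict anything; with the group now carrying the intended access list it should be `unix_socket_permissions = 0770`. Once PostgreSQL owns the group setting, the `chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL*` appended to `postStart` is redundant and races clients that connect before it runs, so it can be removed. The `host ${db} ${username} 127.0.0.1/16 md5` lines (the column order fix is correct) also carry an odd mask for loopback; `127.0.0.1/32` states what is meant.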


@ -77,6 +77,8 @@ in {
config = mkIf cfg.enable {
security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;
services.nginx = {
enable = true;

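--- a/config/fudo/system.nix
+++ b/config/fudo/system.nix
@@ -0,0 +1,37 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let
+cfg = config.fudo.system;
+in {
+options.fudo.system = {
+disableTransparentHugePages = mkOption {
+type = types.bool;
+description = ''
+Disable transparent huge pages (recommended for database loads, in
+particular for Redis.
+'';
+default = false;
+};
+postHugePageServices = mkOption {
+type = with types; listOf str;
+description = "List of systemd services that should wait until after THP are disabled.";
+default = [];
+example = ["redis.service"];
+};
+};
+config = mkIf cfg.disableTransparentHugePages {
+systemd.services.disableHugePages = {
+description = "Turn off Transparent Huge Pages (https://www.kernel.org/doc/Documentation/vm/transhuge.txt)";
+after = [ "sysinit.target" "localfs-target" ];
+before = cfg.postHugePageServices;
+enable = true;
+serviceConfig = {
+ExecStart = "/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null";
+Type = "oneshot";
+};
+};
+};
+}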
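Review bot: The `ExecStart` string in the new `disableHugePages` unit has an unbalanced quote — the single quote opened after `-c` is never closed — so systemd rejects the line and THP is never disabled; a working form is `ExecStart = "${pkgs.bash}/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/enabled'";`. `after` also names `localfs-target`, which is not a unit; the ordering target is `local-fs.target`. Nothing in this module pulls the service in at boot either: `before = cfg.postHugePageServices` is ordering only, so a `wantedBy = [ "multi-user.target" ];` (or `requiredBy = cfg.postHugePageServices;`) is needed for it to run at all, and `RemainAfterExit = true;` lets dependents see it as active after the oneshot finishes. The option description is also missing its closing parenthesis.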


@ -145,6 +145,12 @@ let
};
default = null;
};
admin-email = mkOption {
type = types.str;
description = "Email of administrator of this site.";
default = "admin@fudo.org";
};
};
};
@ -220,6 +226,11 @@ in {
};
};
security.acme.certs = mapAttrs' (site: site-cfg:
nameValuePair site {
email = site-cfg.admin-email;
}) cfg.sites;
services = {
phpfpm = {
pools.webmail = {
@ -273,46 +284,62 @@ in {
};
};
systemd.services.nginx.preStart = let
link-configs = concatStringsSep "\n" (mapAttrsToList (site: site-cfg: let
cfg-file = builtins.toFile "${site}-rainloop.cfg" (import ./include/rainloop.nix lib site site-cfg site-packages.${site}.version);
domain-cfg = builtins.toFile "${site}-domain.cfg" ''
imap_host = "${site-cfg.mail-server}"
imap_port = 143
imap_secure = "TLS"
imap_short_login = On
sieve_use = Off
sieve_allow_raw = Off
sieve_host = ""
sieve_port = 4190
sieve_secure = "None"
smtp_host = "${site-cfg.mail-server}"
smtp_port = 587
smtp_secure = "TLS"
smtp_short_login = On
smtp_auth = On
smtp_php_mail = Off
white_list = ""
'';
systemd.services = {
webmail-init = let
link-configs = concatStringsSep "\n" (mapAttrsToList (site: site-cfg: let
cfg-file = builtins.toFile "${site}-rainloop.cfg" (import ./include/rainloop.nix lib site site-cfg site-packages.${site}.version);
domain-cfg = builtins.toFile "${site}-domain.cfg" ''
imap_host = "${site-cfg.mail-server}"
imap_port = 143
imap_secure = "TLS"
imap_short_login = On
sieve_use = Off
sieve_allow_raw = Off
sieve_host = ""
sieve_port = 4190
sieve_secure = "None"
smtp_host = "${site-cfg.mail-server}"
smtp_port = 587
smtp_secure = "TLS"
smtp_short_login = On
smtp_auth = On
smtp_php_mail = Off
white_list = ""
'';
in ''
${pkgs.coreutils}/bin/mkdir -p ${base-data-path}/${site}/_data_/_default_/configs
${pkgs.coreutils}/bin/cp ${cfg-file} ${base-data-path}/${site}/_data_/_default_/configs/application.ini
in ''
mkdir -p ${base-data-path}/${site}/_data_/_default_/configs
cp ${cfg-file} ${base-data-path}/${site}/_data_/_default_/configs/application.ini
${pkgs.coreutils}/bin/mkdir -p ${base-data-path}/${site}/_data_/_default_/domains/
${pkgs.coreutils}/bin/cp ${domain-cfg} ${base-data-path}/${site}/_data_/_default_/domains/${site-cfg.domain}.ini
'') cfg.sites);
scriptPkg = (pkgs.writeScriptBin "webmail-init.sh" ''
#!${pkgs.bash}/bin/bash -e
${link-configs}
${pkgs.coreutils}/bin/chown -R ${webmail-user}:${webmail-group} ${base-data-path}
${pkgs.coreutils}/bin/chmod -R ug+w ${base-data-path}
'');
in {
requiredBy = [ "nginx.service" ];
description = "Initialize webmail service directories prior to starting nginx.";
script = "${scriptPkg}/bin/webmail-init.sh";
};
mkdir -p ${base-data-path}/${site}/_data_/_default_/domains/
cp ${domain-cfg} ${base-data-path}/${site}/_data_/_default_/domains/${site-cfg.domain}.ini
phpfpm-webmail-socket-perm = {
wantedBy = [ "multi-user.target" ];
description = "Change ownership of the phpfpm socket for webmail once it's started.";
requires = [ "phpfpm-webmail.service" ];
serviceConfig = {
ExecStart = ''
${pkgs.coreutils}/bin/chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket}
'';
};
};
'') cfg.sites);
in ''
${link-configs}
chown -R ${webmail-user}:${webmail-group} ${base-data-path}
chmod -R ug+w ${base-data-path}
'';
systemd.services.phpfpm-webmail.postStart = ''
chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket}
'';
nginx = {
requires = [ "webmail-init.service" ];
wantedBy = [ "phpfpm-webmail-socket-perm.service" ];
};
};
};
}
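Review bot: `phpfpm-webmail-socket-perm` declares `requires = [ "phpfpm-webmail.service" ]` but no `after`, so systemd may run the `chown` before php-fpm has created the socket and the unit fails on a missing file; add `after = [ "phpfpm-webmail.service" ];` and mark the unit `serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true;` so the one-time chown is reported as done rather than as a service that exited. The `nginx.wantedBy = [ "phpfpm-webmail-socket-perm.service" ]` a few lines below reads inverted — it makes the perm unit pull in nginx, not nginx pull in the perm unit; `wants`/`after` on nginx is what the intent suggests. `webmail-init` has the same gap: `requiredBy = [ "nginx.service" ]` adds a dependency but no ordering, so it also needs `before = [ "nginx.service" ];` for its description ("prior to starting nginx") to hold.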


@ -7,6 +7,7 @@ with lib;
./fudo/authentication.nix
./fudo/chat.nix
./fudo/common.nix
./fudo/git.nix
./fudo/grafana.nix
./fudo/kdc.nix
./fudo/ldap.nix
@ -16,6 +17,7 @@ with lib;
./fudo/node-exporter.nix
./fudo/postgres.nix
./fudo/prometheus.nix
./fudo/system.nix
./fudo/webmail.nix
../fudo/profiles


@ -10,6 +10,7 @@
];
nixpkgs.config.allowUnfree = true;
security.acme.acceptTerms = true;
environment.systemPackages = with pkgs; [
asdf
@ -84,11 +85,10 @@
krb5.libdefaults.default_realm = "FUDO.ORG";
krb5.kerberos = pkgs.heimdalFull;
console.keyMap = "dvp";
i18n = {
# consoleFont = "Lat2-Terminus16";
consoleKeyMap = "dvp";
defaultLocale = "en_US.UTF-8";
# consoleUseXkbConfig = true;
};
programs = {


@ -35,6 +35,7 @@
"joker4ever"
"jun"
"kevin"
"kevinyinjunjie"
"kris"
"laura"
"leefolio"
@ -108,6 +109,7 @@
members = [
"ansyg"
"joker4ever"
"kevinyinjunjie"
"niten"
"omefire"
"reaper"


@ -2,6 +2,7 @@
# spamming. Learn2passward!
[
"animus@fudo.org"
"ark@fudo.org"
"theblacksun@fudo.org"
]


@ -19,14 +19,14 @@
uid = 10002;
group = "fudo";
common-name = "James Frazer";
hashed-password = "{MD5}5EenPxFXCKCkxMGFmSAHqQ==";
hashed-password = "";
};
ark = {
uid = 10005;
group = "fudo";
common-name = "Roger Wong";
hashed-password = "{SHA}H1+3u18I7JG+xcy7jBaKu1M6GFk=";
hashed-password = "";
};
ben = {
@ -415,4 +415,11 @@
common-name = "Fudo Chat";
hashed-password = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7";
};
kevinyinjunjie = {
uid = 10112;
group = "fudo";
common-name = "Kevin";
hashed-password = "{SSHA}1onx6HPMKCJvmLnRf1tiWFJ1D92DEtnl";
};
}
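Review bot: `hashed-password = ""` on the two accounts near the top of the hunk is ambiguous as a lockout — depending on how the LDAP module renders it, an empty `userPassword` may be rejected when the LDIF is loaded, or the attribute may be emitted with an empty value that is merely unmatchable, and neither reads as deliberate. If the option allows it, prefer a value that can never verify (an obviously invalid digest such as `"{SSHA}!"`, assuming the directory tolerates it) or omit the attribute, and add a short comment (`# account disabled`) so the intent survives the next edit. Confirm with a bind attempt that the empty value really refuses every password rather than falling back to an anonymous bind.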


@ -6,6 +6,8 @@ let
hostname = "france.${domain}";
mail-hostname = hostname;
host_ipv4 = "208.81.3.117";
# Use a special IP for git.fudo.org, since it needs to be SSH-able
docker_ipv4 = "208.81.3.126";
all-hostnames = [];
acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
@ -56,6 +58,7 @@ in {
lxd
multipath-tools
nix-prefetch-docker
tshark
];
fudo.prometheus = {
@ -109,6 +112,18 @@ in {
];
users = {
fudo_git = {
password = fileContents "/srv/git/secure/db.passwd";
databases = {
fudo_git = "ALL PRIVILEGES";
};
};
gitlab_postgres = {
password = fileContents "/srv/gitlab/secure/db.passwd";
databases = {
gitlab = "ALL PRIVILEGES";
};
};
grafana = {
password = fileContents "/srv/grafana/secure/db.passwd";
databases = {
@ -130,7 +145,13 @@ in {
niten = {};
};
local-users = [
"fudo_git"
];
databases = {
fudo_git = ["niten"];
gitlab = ["niten"];
grafana = ["niten"];
mattermost = ["niten"];
webmail = ["niten"];
@ -217,7 +238,7 @@ in {
mail-directory = "${system-mail-directory}/mailboxes";
dovecot.ldap-reader-dn = "cn=user_db_reader,dc=fudo,dc=org";
dovecot.ldap-reader-passwd = removeSuffix "\n" (readFile /srv/ldap/secure/user_db.passwd);
dovecot.ldap-reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;
# FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.
dovecot.ldap-urls = [ "ldap://france.fudo.org" ];
@ -245,6 +266,33 @@ in {
password-file = /srv/webmail/secure/db.passwd;
};
};
"webmail.test.fudo.org" = {
title = "Fudo Webmail";
favicon = "/etc/nixos/static/fudo.org/favicon.ico";
mail-server = mail-hostname;
domain = "test.fudo.org";
edit-mode = "Plain";
database = {
name = "webmail";
hostname = "localhost";
user = "webmail";
password-file = /srv/webmail/secure/db.passwd;
};
};
"webmail.test.selby.ca" = {
title = "Selby Webmail";
favicon = "/etc/nixos/static/selby.ca/favicon.ico";
mail-server = mail-hostname;
domain = "test.selby.ca";
database = {
name = "webmail";
hostname = "localhost";
user = "webmail";
password-file = /srv/webmail/secure/db.passwd;
};
};
};
};
@ -264,14 +312,26 @@ in {
};
};
fudo.git = {
enable = true;
hostname = "git.test.fudo.org";
site-name = "Fudo Git";
user = "fudo_git";
database = {
user = "fudo_git";
password-file = /srv/git/secure/db.passwd;
hostname = "127.0.0.1";
name = "fudo_git";
};
repository-dir = /srv/git/repo;
state-dir = /srv/git/state;
};
networking = {
hostName = hostname;
dhcpcd.enable = false;
useDHCP = false;
# Why on earth would these use DHCP?
# interfaces.enp4s0f0.useDHCP = true;
# interfaces.enp4s0f1.useDHCP = true;
# TODO: fix IPv6
enableIPv6 = false;
@ -282,6 +342,10 @@ in {
interface = "enp4s0f0";
mode = "bridge";
};
extif1 = {
interface = "enp4s0f0";
mode = "bridge";
};
intif0 = {
interface = "enp4s0f1";
mode = "bridge";
@ -290,7 +354,8 @@ in {
interfaces = {
extif0 = {
# result of: echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
# result of:
# echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:d4:e8:3b:10:2f";
ipv4.addresses = [
{
@ -299,8 +364,18 @@ in {
}
];
};
extif1 = {
macAddress = "02:6d:e2:e1:ad:ca";
ipv4.addresses = [
{
address = docker_ipv4;
prefixLength = 28;
}
];
};
intif0 = {
# result of: echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
# result of:
# echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:ba:ba:e9:08:21";
ipv4.addresses = [
{
@ -315,10 +390,6 @@ in {
hardware.bluetooth.enable = false;
virtualisation = {
lxd = {
enable = true;
};
docker = {
enable = true;
enableOnBoot = true;
@ -327,6 +398,10 @@ in {
enable = true;
};
};
lxd = {
enable = true;
};
};
fileSystems = {
@ -362,22 +437,129 @@ in {
};
};
##
# Archiva
##
users = {
extraUsers = {
archiva = {
isNormalUser = false;
group = "nogroup";
uid = 8001;
};
users.extraUsers = {
archiva = {
isNormalUser = false;
group = "nogroup";
uid = 1000;
fudo_git = {
isNormalUser = false;
uid = 8006;
};
gitlab = {
isNormalUser = false;
uid = 8002;
};
gitlab_postgres = {
isNormalUser = false;
group = config.fudo.postgresql.socket-group;
uid = 8003;
};
gitlab_redis = {
isNormalUser = false;
group = "redis-local";
uid = 8004;
};
gitlab_www = {
isNormalUser = false;
group = "nogroup";
uid = 8005;
};
};
extraGroups = {
redis-local = {
members = ["redis"];
gid = 7001;
};
};
};
boot.kernel.sysctl = {
# For Redis
"vm.overcommit_memory" = 1;
};
fudo.system = {
disableTransparentHugePages = true;
postHugePageServices = ["redis.service"];
};
systemd.services.redis.postStart = ''
chgrp redis-local ${config.services.redis.unixSocket}
'';
security.acme.certs = {
"archiva.fudo.org".email = config.fudo.common.admin-email;
"git.fudo.org".email = config.fudo.common.admin-email;
};
services = {
redis = {
enable = true;
bind = "127.0.0.1";
unixSocket = "/run/redis/redis.socket";
extraConfig = ''
unixsocketperm 770
'';
};
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = {
"archiva.fudo.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8001";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
"git.fudo.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8002";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
};
};
docker-containers = {
archiva = {
image = "xetusoss/archiva";
ports = ["127.0.0.1:8091:8080"];
ports = ["127.0.0.1:8001:8080"];
# Ugly: name-to-uid lookup fails.
user = toString config.users.users.archiva.uid;
volumes = [
"/srv/archiva:/archiva-data"
];
@ -385,19 +567,61 @@ in {
# Not directly connected to the world anyway
SSL_ENABLED = "false";
};
# Ugly as shit: name-to-uid lookup fails.
#user = "1000";
user = toString config.users.users.archiva.uid;
};
gitlab = {
image = "gitlab/gitlab-ce:12.8.1-ce.0";
ports = [
"127.0.0.1:8002:80"
"${docker_ipv4}::22"
];
# user = toString config.users.users.gitlab.uid;
volumes = [
"/run/redis:/var/opt/gitlab/redis"
"/srv/gitlab/builds:/var/opt/gitlab/gitlab-ci/builds"
"/srv/gitlab/config:/etc/gitlab"
"/srv/gitlab/logs:/var/log/gitlab"
"/srv/gitlab/gitlab:/var/opt/gitlab"
"${config.fudo.postgresql.socket-directory}:/run/postgresql"
"${config.fudo.postgresql.socket-directory}:/var/opt/gitlab/postgresql"
];
extraDockerOptions = [
"--hostname=git.fudo.org"
];
};
};
systemd.services.docker-gitlab-config = let
gitlab-config = pkgs.writeText "gitlab-config.rb" ''
gitlab_rails['db_adapter'] = "postgresql"
gitlab_rails['db_encoding'] = "unicode"
gitlab_rails['db_database'] = "gitlab"
gitlab_rails['db_username'] = "gitlab_postgres"
gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}"
user['uid'] = "${toString config.users.users.gitlab.uid}"
user['gid'] = "${toString config.users.groups.redis-local.gid}"
# Provided externally
redis['enable'] = false
postgresql['enable'] = false
web_server['uid'] = "${toString config.users.users.gitlab_www.uid}"
web_server['gid'] = "${toString config.users.groups.nogroup.gid}"
'';
in {
# before = ["docker-gitlab.service"];
script = "cp -f ${gitlab-config} /srv/gitlab/config/gitlab.rb";
};
systemd.services.docker-gitlab.requires = ["docker-gitlab-config.service"];
###
# Minecraft
###
fudo.minecraft-server = {
enable = true;
package = pkgs.minecraft-server_1_15_1;
package = pkgs.minecraft-server_1_15_2;
data-dir = minecraft-data-dir;
world-name = "selbyland";
motd = "Welcome to the Selby Minecraft server.";
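Review bot: `gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}"` inside `pkgs.writeText "gitlab-config.rb"` bakes the database password into a derivation, so the plaintext secret lands in the world-readable `/nix/store` (and in any binary cache the store is pushed to), defeating the point of keeping it under `/srv/gitlab/secure`. Keep the secret out of the store by writing the template with a placeholder and substituting it when the service starts, as below. The `password = fileContents "/srv/…/db.passwd"` entries in the postgres `users` block have the same exposure if that module renders them into a store path — worth checking. While here, `docker-gitlab-config` only has a commented-out `before`, so `docker-gitlab.requires` does not guarantee the copy happens before the container starts; restore `before = [ "docker-gitlab.service" ];`.

```nix
systemd.services.docker-gitlab-config = let
  # Store copy holds only the marker; the password is inserted at start time.
  gitlab-config = pkgs.writeText "gitlab-config.rb" ''
    gitlab_rails['db_adapter'] = "postgresql"
    gitlab_rails['db_encoding'] = "unicode"
    gitlab_rails['db_database'] = "gitlab"
    gitlab_rails['db_username'] = "gitlab_postgres"
    gitlab_rails['db_password'] = "@DB_PASSWORD@"
    # … unchanged: uid/gid, redis/postgresql disable, web_server settings …
  '';
in {
  before = [ "docker-gitlab.service" ];
  script = ''
    umask 077
    # NOTE: escape the secret first if it may contain sed metacharacters (| & \).
    ${pkgs.gnused}/bin/sed "s|@DB_PASSWORD@|$(cat /srv/gitlab/secure/db.passwd)|" \
      ${gitlab-config} > /srv/gitlab/config/gitlab.rb
  '';
};
```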


@ -15,9 +15,22 @@
};
});
minecraft-server_1_15_2 = pkgs.minecraft-server.overrideAttrs (oldAttrs: rec {
version = "1.15.2";
src = builtins.fetchurl {
url = "https://launcher.mojang.com/v1/objects/bb2b6b1aefcd70dfd1892149ac3a215f6c636b07/server.jar";
sha256 = "12kynrpxgcdg8x12wcvwkxka0fxgm5siqg8qq0nnmv0443f8dkw0";
};
});
postgresql_11_gssapi = pkgs.postgresql_11.overrideAttrs (oldAttrs: rec {
configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ];
buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
});
postgresql_12_gssapi = pkgs.postgresql_12.overrideAttrs (oldAttrs: rec {
configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ];
buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
});
};
}


static/fudo.org/favicon.ico Normal file


static/selby.ca/favicon.ico Normal file
