From 9f59ff30fec81b5f68edb9b3fae31c9a1a69729f Mon Sep 17 00:00:00 2001 From: root Date: Sat, 6 Jun 2020 20:58:13 -0500 Subject: [PATCH] Piles o' changes --- config/fudo/chat.nix | 2 + config/fudo/common.nix | 6 + config/fudo/git.nix | 115 ++++++++++++++ config/fudo/grafana.nix | 3 + config/fudo/mail-container.nix | 113 +++++--------- config/fudo/mail/postfix.nix | 7 +- config/fudo/node-exporter.nix | 2 + config/fudo/postgres.nix | 44 ++++-- config/fudo/prometheus.nix | 2 + config/fudo/system.nix | 37 +++++ config/fudo/webmail.nix | 103 ++++++++----- config/local.nix | 2 + defaults.nix | 6 +- fudo/groups.nix | 2 + fudo/sender-blacklist.nix | 1 + fudo/users.nix | 11 +- hosts/france.nix | 270 ++++++++++++++++++++++++++++++--- packages/local.nix | 13 ++ static/fudo.link/favicon.ico | Bin 15406 -> 15086 bytes static/fudo.org/favicon.ico | Bin 0 -> 1150 bytes static/selby.ca/favicon.ico | Bin 0 -> 1150 bytes 21 files changed, 587 insertions(+), 152 deletions(-) create mode 100644 config/fudo/git.nix create mode 100644 config/fudo/system.nix create mode 100644 static/fudo.org/favicon.ico create mode 100644 static/selby.ca/favicon.ico diff --git a/config/fudo/chat.nix b/config/fudo/chat.nix index d82d10a..dfaf28c 100644 --- a/config/fudo/chat.nix +++ b/config/fudo/chat.nix @@ -154,6 +154,8 @@ in { }; }; + security.acme.certs.${cfg.hostname}.email = config.fudo.common.admin-email; + services.nginx = { enable = true; diff --git a/config/fudo/common.nix b/config/fudo/common.nix index ddbe3c6..93c9823 100644 --- a/config/fudo/common.nix +++ b/config/fudo/common.nix @@ -46,5 +46,11 @@ with lib; description = "Path at which to store www files for serving."; example = /var/www; }; + + admin-email = mkOption { + type = types.str; + description = "Email for administrator of this system."; + default = "admin@fudo.org"; + }; }; } diff --git a/config/fudo/git.nix b/config/fudo/git.nix new file mode 100644 index 0000000..9479582 --- /dev/null +++ b/config/fudo/git.nix 
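Review bot: The one-line `security.acme.certs.${cfg.hostname}.email = …admin-email;` assignment added here is repeated verbatim in the grafana.nix, mail-container.nix, node-exporter.nix, prometheus.nix and git.nix hunks, and a single module-wide default `security.acme.email = config.fudo.common.admin-email;` placed next to the new `security.acme.acceptTerms = true;` in defaults.nix would replace all of them. Per-certificate overrides would then only be needed where a site wants a different contact, which is what the webmail.nix per-site option already models. The node-exporter.nix and prometheus.nix hunks use `fudo-cfg` without a visible `let` binding; grafana.nix adds `fudo-cfg = config.fudo.common;` in this commit, so confirm the other two modules already bind it, otherwise evaluation fails with an undefined variable.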
@@ -0,0 +1,115 @@ +{ pkgs, lib, config, ... }: + +with lib; +let + cfg = config.fudo.git; + + databaseOpts = { ... }: { + options = { + name = mkOption { + type = types.str; + description = "Database name."; + }; + hostname = mkOption { + type = types.str; + description = "Hostname of the database server."; + }; + user = mkOption { + type = types.str; + description = "Database username."; + }; + password-file = mkOption { + type = types.path; + description = "File containing the database user's password."; + }; + }; + }; + +in { + options.fudo.git = { + enable = mkEnableOption "Enable Fudo git web server."; + + hostname = mkOption { + type = types.str; + description = "Hostname at which this git server is accessible."; + example = "git.fudo.org"; + }; + + site-name = mkOption { + type = types.str; + description = "Name to use for the git server."; + default = "Fudo Git"; + }; + + database = mkOption { + type = (types.submodule databaseOpts); + description = "Gitea database options."; + }; + + repository-dir = mkOption { + type = types.path; + description = "Path at which to store repositories."; + example = /srv/git/repo; + }; + + state-dir = mkOption { + type = types.path; + description = "Path at which to store server state."; + example = /srv/git/state; + }; + + user = mkOption { + type = with types; nullOr str; + description = "System user as which to run."; + default = "git"; + }; + }; + + config = mkIf cfg.enable { + security.acme.certs.${cfg.hostname}.email = config.fudo.common.admin-email; + + services = { + gitea = { + enable = true; + appName = cfg.site-name; + database = { + createDatabase = true; + host = cfg.database.hostname; + name = cfg.database.name; + user = cfg.database.user; + passwordFile = cfg.database.password-file; + }; + domain = cfg.hostname; + httpAddress = "127.0.0.1"; + httpPort = 3543; + repositoryRoot = toString cfg.repository-dir; + stateDir = toString cfg.state-dir; + rootUrl = "https://${cfg.hostname}/"; + user = mkIf (cfg.user != 
null) cfg.user; + }; + + nginx = { + enable = true; + + virtualHosts = { + "${cfg.hostname}" = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:3543"; + + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + }; + }; + }; + }; +} diff --git a/config/fudo/grafana.nix b/config/fudo/grafana.nix index 61f869f..6bed0e5 100644 --- a/config/fudo/grafana.nix +++ b/config/fudo/grafana.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.fudo.grafana; + fudo-cfg = config.fudo.common; database-name = "grafana"; database-user = "grafana"; @@ -73,6 +74,8 @@ in { }; config = mkIf cfg.enable { + security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email; + services.nginx = { enable = true; diff --git a/config/fudo/mail-container.nix b/config/fudo/mail-container.nix index c26c974..aa7edb5 100644 --- a/config/fudo/mail-container.nix +++ b/config/fudo/mail-container.nix @@ -16,7 +16,7 @@ let container-mail-user = "mailer"; container-mail-user-id = 542; container-mail-group = "mailer"; - trusted-networks = config.fudo.common.local-networks; + fudo-cfg = config.fudo.common; in rec { options.fudo.mail-server.container = { @@ -25,18 +25,6 @@ in rec { description = "URL of the LDAP server to use for authentication."; example = "ldaps://auth.fudo.org/"; }; - - # host-ip = mkOption { - # type = types.str; - # description = "The IP to assign to this server, for communication with the mail server container."; - # default = "10.110.0.1"; - # }; - - # container-ip = mkOption { - # type = types.str; - # description = "The IP to assign to the mail server container."; - # default = "10.110.0.2"; - # }; }; config = mkIf (cfg.enableContainer && !cfg.enable) { 
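Review bot: `passwordFile = cfg.database.password-file;` passes a `types.path` value straight through, whereas the sibling `repositoryRoot` and `stateDir` are wrapped in `toString`; france.nix sets this option with the path literal `/srv/git/secure/db.passwd`, and a path literal that ends up interpolated into a string (the gitea module's pre-start script reads `passwordFile` that way, if I recall the module correctly) is copied into the world-readable Nix store, exposing the database password. Use `passwordFile = toString cfg.database.password-file;` so the file is referenced at runtime only, and check whether webmail.nix interpolates its per-site `password-file` the same way. Separately, `locations."/"` has no `client_max_body_size`, so `git push` over HTTPS beyond nginx's 1m default is rejected with 413; a line such as `client_max_body_size 512m;` in `extraConfig` is the usual setting for a git frontend.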
@@ -73,6 +61,8 @@ in rec { }; }; + security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email; + services.nginx = mkIf cfg.monitoring { enable = true; @@ -81,9 +71,9 @@ in rec { proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; ''; - trusted-network-string = optionalString ((length trusted-networks) > 0) + trusted-network-string = optionalString ((length fudo-cfg.local-networks) > 0) (concatStringsSep "\n" - (map (network: "allow ${network};") trusted-networks)) + "\ndeny all;"; + (map (network: "allow ${network};") fudo-cfg.local-networks)) + "\ndeny all;"; in { "${cfg.hostname}" = { @@ -123,30 +113,6 @@ in rec { }; }; - # services.xinetd = let - # xinetd-entry = name: port: { - # name = name; - # port = port; - # protocol = "tcp"; - # server = ""; - # extraConfig = '' - # socket_type = stream - # wait = no - # redirect = ${cfg.container.container-ip} ${toString port} - # ''; - # }; - # in { - # enable = true; - # services = [ - # (xinetd-entry "smtp" 25) - # (xinetd-entry "pop3" 110) - # (xinetd-entry "pop3s" 995) - # (xinetd-entry "imap" 143) - # (xinetd-entry "imaps" 993) - # (xinetd-entry "submission" 587) - # ]; - # }; - containers.mail-server = { autoStart = true; 
@@ -210,46 +176,45 @@ in rec { }; }; - fudo.mail-server = - { - enable = true; - hostname = cfg.hostname; - domain = cfg.domain; + fudo.mail-server = { + enable = true; + hostname = cfg.hostname; + domain = cfg.domain; - debug = cfg.debug; - monitoring = cfg.monitoring; + debug = cfg.debug; + monitoring = cfg.monitoring; - state-directory = container-statedir; - mail-directory = container-maildir; + state-directory = container-statedir; + mail-directory = container-maildir; - postfix.ssl-certificate = "/etc/${container-postfix-cert}"; - postfix.ssl-private-key = "/etc/postfix-certs/key.pem"; + postfix.ssl-certificate = "/etc/${container-postfix-cert}"; + postfix.ssl-private-key = "/etc/postfix-certs/key.pem"; - dovecot = { - ssl-certificate = "/etc/${container-dovecot-cert}"; - ssl-private-key = "/etc/dovecot-certs/key.pem"; - ldap-ca = "/etc/${container-fudo-ca-cert}"; - ldap-urls = cfg.dovecot.ldap-urls; - ldap-reader-dn = cfg.dovecot.ldap-reader-dn; - ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd; - }; - - local-domains = cfg.local-domains; - - alias-users = cfg.alias-users; - user-aliases = cfg.user-aliases; - sender-blacklist = cfg.sender-blacklist; - recipient-blacklist = cfg.recipient-blacklist; - trusted-networks = cfg.trusted-networks; - - mail-user = container-mail-user; - mail-user-id = container-mail-user-id; - mail-group = container-mail-group; - - clamav.enable = cfg.clamav.enable; - - dkim.signing = cfg.dkim.signing; + dovecot = { + ssl-certificate = "/etc/${container-dovecot-cert}"; + ssl-private-key = "/etc/dovecot-certs/key.pem"; + ldap-ca = "/etc/${container-fudo-ca-cert}"; + ldap-urls = cfg.dovecot.ldap-urls; + ldap-reader-dn = cfg.dovecot.ldap-reader-dn; + ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd; }; + + local-domains = cfg.local-domains; + + alias-users = cfg.alias-users; + user-aliases = cfg.user-aliases; + sender-blacklist = cfg.sender-blacklist; + recipient-blacklist = cfg.recipient-blacklist; + trusted-networks = 
cfg.trusted-networks; + + mail-user = container-mail-user; + mail-user-id = container-mail-user-id; + mail-group = container-mail-group; + + clamav.enable = cfg.clamav.enable; + + dkim.signing = cfg.dkim.signing; + }; }; }; }; diff --git a/config/fudo/mail/postfix.nix b/config/fudo/mail/postfix.nix index 940ffd3..776c584 100644 --- a/config/fudo/mail/postfix.nix +++ b/config/fudo/mail/postfix.nix @@ -105,9 +105,10 @@ in { domain = cfg.domain; origin = cfg.domain; hostname = cfg.hostname; - destination = ["localhost" "localhost.localdomain"] ++ - (map (domain: "localhost.${domain}") cfg.local-domains) ++ - cfg.local-domains; + destination = ["localhost" "localhost.localdomain"]; + # destination = ["localhost" "localhost.localdomain"] ++ + # (map (domain: "localhost.${domain}") cfg.local-domains) ++ + # cfg.local-domains; enableHeaderChecks = true; enableSmtp = true; diff --git a/config/fudo/node-exporter.nix b/config/fudo/node-exporter.nix index 6bc7cf3..927df44 100644 --- a/config/fudo/node-exporter.nix +++ b/config/fudo/node-exporter.nix @@ -20,6 +20,8 @@ in { }; config = mkIf cfg.enable { + security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email; + services = { # This'll run an exporter at localhost:9100 prometheus.exporters.node = { diff --git a/config/fudo/postgres.nix b/config/fudo/postgres.nix index 5eb348b..4486a11 100644 --- a/config/fudo/postgres.nix +++ b/config/fudo/postgres.nix @@ -65,8 +65,9 @@ let (username: attrs: stringJoin "\n" (map (db: '' - host ${username} ${db} 127.0.0.1/16 md5 - host ${username} ${db} ::1/128 md5 + local ${db} ${username} md5 + host ${db} ${username} 127.0.0.1/16 md5 + host ${db} ${username} ::1/128 md5 '') (attrNames attrs.databases))) users); 
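Review bot: Replacing the `destination` list with three commented-out lines leaves no explanation of why `cfg.local-domains` and the `localhost.${domain}` names were dropped from Postfix's `mydestination`, and dead code in a comment is not that explanation (the old form lives in history). Replace the commented lines with a why-comment such as `# local-domains are served as virtual domains and must not also be in mydestination` if that is the reason, or a `# FIXME:` naming the symptom if this is a workaround. Listing a domain both in `mydestination` and in the virtual-domain tables is the classic source of Postfix's "do not list domain ... in BOTH" warning, so the change itself is plausible; it just needs to say so.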
@@ -117,6 +118,24 @@ in { description = "A map of databases to database options."; default = {}; }; + + socket-directory = mkOption { + type = types.str; + description = "Directory in which to place unix sockets."; + default = "/run/postgresql"; + }; + + socket-group = mkOption { + type = types.str; + description = "Group for accessing sockets."; + default = "postgres_local"; + }; + + local-users = mkOption { + type = with types; listOf str; + description = "Users able to access the server via local socket."; + default = []; + }; }; config = mkIf cfg.enable { @@ -157,6 +176,12 @@ in { }; }; + users.groups = { + ${cfg.socket-group} = { + members = ["postgres"] ++ cfg.local-users; + }; + }; + services.postgresql = { enable = true; package = pkgs.postgresql_11_gssapi; @@ -172,23 +197,23 @@ in { }) cfg.users; - extraConfig = - '' + extraConfig = '' krb_server_keyfile = '/etc/postgresql/private/postgres.keytab' ssl = true ssl_cert_file = '/etc/postgresql/cert.pem' ssl_key_file = '/etc/postgresql/private/privkey.pem' - unix_socket_directories = '/var/run/postgresql' + unix_socket_directories = '${cfg.socket-directory}' + unix_socket_group = '${cfg.socket-group}' + unix_socket_permissions = 0777 ''; - authentication = - '' - local all all ident - + authentication = lib.mkForce '' ${makeLocalUserPasswordEntries cfg.users} + local all all ident + # host-local host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG @@ -204,6 +229,7 @@ in { systemd.services.postgresql.postStart = '' ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${pkgs.postgresql}/bin/psql --port ${toString config.services.postgresql.port} -f /etc/postgresql/private/user-script.sql -d postgres + ${pkgs.coreutils}/bin/chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL* ''; }; } diff --git a/config/fudo/prometheus.nix b/config/fudo/prometheus.nix index df8c928..54e5b6a 100644 --- a/config/fudo/prometheus.nix 
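Review bot: `unix_socket_permissions = 0777` in the `@@ -172,23 +197,23 @@` hunk makes the new `unix_socket_group` (and the `chgrp` added in the `@@ -204,6 +229,7 @@` hunk) ineffective, because any local user can connect to a world-writable socket regardless of its group; the `socket-group` option only delivers its stated purpose, "Group for accessing sockets", with `unix_socket_permissions = 0770`. With that in place the post-start `chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL*` is redundant and racy, since postgres creates the socket with `unix_socket_group` already applied, so it can be dropped. The `local ${db} ${username} md5` entries now precede `local all all ident`, which is the right order for forcing password auth on the configured users; a one-line comment above `authentication = lib.mkForce` stating that the order matters would help the next editor. If 0777 was chosen because the gitlab container's uid/gid mapping does not line up with `socket-group` on the host, record that in a comment, as it is the only reason to weaken it.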
+++ b/config/fudo/prometheus.nix @@ -77,6 +77,8 @@ in { config = mkIf cfg.enable { + security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email; + services.nginx = { enable = true; diff --git a/config/fudo/system.nix b/config/fudo/system.nix new file mode 100644 index 0000000..b25aaf4 --- /dev/null +++ b/config/fudo/system.nix @@ -0,0 +1,37 @@ +{ pkgs, lib, config, ... }: + +with lib; +let + cfg = config.fudo.system; +in { + options.fudo.system = { + disableTransparentHugePages = mkOption { + type = types.bool; + description = '' + Disable transparent huge pages (recommended for database loads, in + particular for Redis. + ''; + default = false; + }; + + postHugePageServices = mkOption { + type = with types; listOf str; + description = "List of systemd services that should wait until after THP are disabled."; + default = []; + example = ["redis.service"]; + }; + }; + + config = mkIf cfg.disableTransparentHugePages { + systemd.services.disableHugePages = { + description = "Turn off Transparent Huge Pages (https://www.kernel.org/doc/Documentation/vm/transhuge.txt)"; + after = [ "sysinit.target" "localfs-target" ]; + before = cfg.postHugePageServices; + enable = true; + serviceConfig = { + ExecStart = "/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null"; + Type = "oneshot"; + }; + }; + }; +} diff --git a/config/fudo/webmail.nix b/config/fudo/webmail.nix index 310b8bf..d2c4f4e 100644 --- a/config/fudo/webmail.nix +++ b/config/fudo/webmail.nix @@ -145,6 +145,12 @@ let }; default = null; }; + + admin-email = mkOption { + type = types.str; + description = "Email of administrator of this site."; + default = "admin@fudo.org"; + }; }; }; @@ -220,6 +226,11 @@ in { }; }; + security.acme.certs = mapAttrs' (site: site-cfg: + nameValuePair site { + email = site-cfg.admin-email; + }) cfg.sites; + services = { phpfpm = { pools.webmail = { 
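Review bot: In the new config/fudo/system.nix, `ExecStart = "/bin/sh -c 'echo never | tee … > /dev/null"` has no closing single quote, so systemd rejects the line as an unterminated quoted argument and `disableHugePages` never runs. The ordering is also broken: `"localfs-target"` is not a unit name (`local-fs.target` is), and with only `before = cfg.postHugePageServices` and no `wantedBy`/`requiredBy`, nothing pulls the unit into the boot transaction, so THP stays enabled even with `disableTransparentHugePages = true` (`enable = true` is the default and starts nothing by itself). Suggested lines: `ExecStart = "${pkgs.bash}/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/enabled'";`, `after = [ "sysinit.target" "local-fs.target" ];` and `requiredBy = cfg.postHugePageServices;` (or `wantedBy = [ "multi-user.target" ];`). The option description also has an unclosed parenthesis.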
@@ -273,46 +284,62 @@ in { }; }; - systemd.services.nginx.preStart = let - link-configs = concatStringsSep "\n" (mapAttrsToList (site: site-cfg: let - cfg-file = builtins.toFile "${site}-rainloop.cfg" (import ./include/rainloop.nix lib site site-cfg site-packages.${site}.version); - domain-cfg = builtins.toFile "${site}-domain.cfg" '' - imap_host = "${site-cfg.mail-server}" - imap_port = 143 - imap_secure = "TLS" - imap_short_login = On - sieve_use = Off - sieve_allow_raw = Off - sieve_host = "" - sieve_port = 4190 - sieve_secure = "None" - smtp_host = "${site-cfg.mail-server}" - smtp_port = 587 - smtp_secure = "TLS" - smtp_short_login = On - smtp_auth = On - smtp_php_mail = Off - white_list = "" - ''; + systemd.services = { + webmail-init = let + link-configs = concatStringsSep "\n" (mapAttrsToList (site: site-cfg: let + cfg-file = builtins.toFile "${site}-rainloop.cfg" (import ./include/rainloop.nix lib site site-cfg site-packages.${site}.version); + domain-cfg = builtins.toFile "${site}-domain.cfg" '' + imap_host = "${site-cfg.mail-server}" + imap_port = 143 + imap_secure = "TLS" + imap_short_login = On + sieve_use = Off + sieve_allow_raw = Off + sieve_host = "" + sieve_port = 4190 + sieve_secure = "None" + smtp_host = "${site-cfg.mail-server}" + smtp_port = 587 + smtp_secure = "TLS" + smtp_short_login = On + smtp_auth = On + smtp_php_mail = Off + white_list = "" + ''; + in '' + ${pkgs.coreutils}/bin/mkdir -p ${base-data-path}/${site}/_data_/_default_/configs + ${pkgs.coreutils}/bin/cp ${cfg-file} ${base-data-path}/${site}/_data_/_default_/configs/application.ini - in '' - mkdir -p ${base-data-path}/${site}/_data_/_default_/configs - cp ${cfg-file} ${base-data-path}/${site}/_data_/_default_/configs/application.ini + ${pkgs.coreutils}/bin/mkdir -p ${base-data-path}/${site}/_data_/_default_/domains/ + ${pkgs.coreutils}/bin/cp ${domain-cfg} ${base-data-path}/${site}/_data_/_default_/domains/${site-cfg.domain}.ini + '') cfg.sites); + scriptPkg = (pkgs.writeScriptBin 
"webmail-init.sh" '' + #!${pkgs.bash}/bin/bash -e + ${link-configs} + ${pkgs.coreutils}/bin/chown -R ${webmail-user}:${webmail-group} ${base-data-path} + ${pkgs.coreutils}/bin/chmod -R ug+w ${base-data-path} + ''); + in { + requiredBy = [ "nginx.service" ]; + description = "Initialize webmail service directories prior to starting nginx."; + script = "${scriptPkg}/bin/webmail-init.sh"; + }; - mkdir -p ${base-data-path}/${site}/_data_/_default_/domains/ - cp ${domain-cfg} ${base-data-path}/${site}/_data_/_default_/domains/${site-cfg.domain}.ini + phpfpm-webmail-socket-perm = { + wantedBy = [ "multi-user.target" ]; + description = "Change ownership of the phpfpm socket for webmail once it's started."; + requires = [ "phpfpm-webmail.service" ]; + serviceConfig = { + ExecStart = '' + ${pkgs.coreutils}/bin/chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket} + ''; + }; + }; - '') cfg.sites); - - in '' - ${link-configs} - - chown -R ${webmail-user}:${webmail-group} ${base-data-path} - chmod -R ug+w ${base-data-path} - ''; - - systemd.services.phpfpm-webmail.postStart = '' - chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket} - ''; + nginx = { + requires = [ "webmail-init.service" ]; + wantedBy = [ "phpfpm-webmail-socket-perm.service" ]; + }; + }; }; } diff --git a/config/local.nix b/config/local.nix index 2da9c2c..0e3b01f 100644 --- a/config/local.nix +++ b/config/local.nix @@ -7,6 +7,7 @@ with lib; ./fudo/authentication.nix ./fudo/chat.nix ./fudo/common.nix + ./fudo/git.nix ./fudo/grafana.nix ./fudo/kdc.nix ./fudo/ldap.nix @@ -16,6 +17,7 @@ with lib; ./fudo/node-exporter.nix ./fudo/postgres.nix ./fudo/prometheus.nix + ./fudo/system.nix ./fudo/webmail.nix ../fudo/profiles diff --git a/defaults.nix b/defaults.nix index 121c83b..fa03dcd 100644 --- a/defaults.nix +++ b/defaults.nix 
@@ -10,6 +10,7 @@ ]; nixpkgs.config.allowUnfree = true; + security.acme.acceptTerms = true; environment.systemPackages = with pkgs; [ asdf @@ -84,11 +85,10 @@ krb5.libdefaults.default_realm = "FUDO.ORG"; krb5.kerberos = pkgs.heimdalFull; + console.keyMap = "dvp"; + i18n = { - # consoleFont = "Lat2-Terminus16"; - consoleKeyMap = "dvp"; defaultLocale = "en_US.UTF-8"; - # consoleUseXkbConfig = true; }; programs = { diff --git a/fudo/groups.nix b/fudo/groups.nix index 5fb0c39..1bd2c05 100644 --- a/fudo/groups.nix +++ b/fudo/groups.nix @@ -35,6 +35,7 @@ "joker4ever" "jun" "kevin" + "kevinyinjunjie" "kris" "laura" "leefolio" @@ -108,6 +109,7 @@ members = [ "ansyg" "joker4ever" + "kevinyinjunjie" "niten" "omefire" "reaper" diff --git a/fudo/sender-blacklist.nix b/fudo/sender-blacklist.nix index 8ca71e0..311d8e1 100644 --- a/fudo/sender-blacklist.nix +++ b/fudo/sender-blacklist.nix @@ -2,6 +2,7 @@ # spamming. Learn2passward! [ + "animus@fudo.org" "ark@fudo.org" "theblacksun@fudo.org" ] diff --git a/fudo/users.nix b/fudo/users.nix index 85b3322..565f14b 100644 --- a/fudo/users.nix +++ b/fudo/users.nix @@ -19,14 +19,14 @@ uid = 10002; group = "fudo"; common-name = "James Frazer"; - hashed-password = "{MD5}5EenPxFXCKCkxMGFmSAHqQ=="; + hashed-password = ""; }; ark = { uid = 10005; group = "fudo"; common-name = "Roger Wong"; - hashed-password = "{SHA}H1+3u18I7JG+xcy7jBaKu1M6GFk="; + hashed-password = ""; }; ben = { @@ -415,4 +415,11 @@ common-name = "Fudo Chat"; hashed-password = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7"; }; + + kevinyinjunjie = { + uid = 10112; + group = "fudo"; + common-name = "Kevin"; + hashed-password = "{SSHA}1onx6HPMKCJvmLnRf1tiWFJ1D92DEtnl"; + }; } diff --git a/hosts/france.nix b/hosts/france.nix index 85ec23d..2fc57a7 100644 --- a/hosts/france.nix +++ b/hosts/france.nix 
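Review bot: Setting `hashed-password = ""` for `ark` and the `uid = 10002` user in fudo/users.nix reads as an attempt to disable the accounts, but whether an empty value locks or opens them depends on the consumer, which this diff does not show: an empty field rendered as a NixOS `hashedPassword` or into `/etc/shadow` means no password is required, while an empty LDAP `userPassword` may be refused or may accept an empty bind depending on server policy. Prefer an explicitly invalid hash such as `hashed-password = "!";` (or `"*"`), or drop the attribute and have the renderer skip such users, and verify against whatever consumes this list. Retiring the old unsalted `{MD5}`/`{SHA}` values is the right direction regardless. The new `kevinyinjunjie` entry in the next hunk adds another password hash to the repository, which follows the existing pattern here but is worth confirming against the repository's readership.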
@@ -6,6 +6,8 @@ let hostname = "france.${domain}"; mail-hostname = hostname; host_ipv4 = "208.81.3.117"; + # Use a special IP for git.fudo.org, since it needs to be SSH-able + docker_ipv4 = "208.81.3.126"; all-hostnames = []; acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem"; @@ -56,6 +58,7 @@ in { lxd multipath-tools nix-prefetch-docker + tshark ]; fudo.prometheus = { @@ -109,6 +112,18 @@ in { ]; users = { + fudo_git = { + password = fileContents "/srv/git/secure/db.passwd"; + databases = { + fudo_git = "ALL PRIVILEGES"; + }; + }; + gitlab_postgres = { + password = fileContents "/srv/gitlab/secure/db.passwd"; + databases = { + gitlab = "ALL PRIVILEGES"; + }; + }; grafana = { password = fileContents "/srv/grafana/secure/db.passwd"; databases = { @@ -130,7 +145,13 @@ in { niten = {}; }; + local-users = [ + "fudo_git" + ]; + databases = { + fudo_git = ["niten"]; + gitlab = ["niten"]; grafana = ["niten"]; mattermost = ["niten"]; webmail = ["niten"]; @@ -217,7 +238,7 @@ in { mail-directory = "${system-mail-directory}/mailboxes"; dovecot.ldap-reader-dn = "cn=user_db_reader,dc=fudo,dc=org"; - dovecot.ldap-reader-passwd = removeSuffix "\n" (readFile /srv/ldap/secure/user_db.passwd); + dovecot.ldap-reader-passwd = fileContents /srv/ldap/secure/user_db.passwd; # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP. dovecot.ldap-urls = [ "ldap://france.fudo.org" ]; 
@@ -245,6 +266,33 @@ in { password-file = /srv/webmail/secure/db.passwd; }; }; + + "webmail.test.fudo.org" = { + title = "Fudo Webmail"; + favicon = "/etc/nixos/static/fudo.org/favicon.ico"; + mail-server = mail-hostname; + domain = "test.fudo.org"; + edit-mode = "Plain"; + database = { + name = "webmail"; + hostname = "localhost"; + user = "webmail"; + password-file = /srv/webmail/secure/db.passwd; + }; + }; + + "webmail.test.selby.ca" = { + title = "Selby Webmail"; + favicon = "/etc/nixos/static/selby.ca/favicon.ico"; + mail-server = mail-hostname; + domain = "test.selby.ca"; + database = { + name = "webmail"; + hostname = "localhost"; + user = "webmail"; + password-file = /srv/webmail/secure/db.passwd; + }; + }; }; }; @@ -264,14 +312,26 @@ in { }; }; + fudo.git = { + enable = true; + hostname = "git.test.fudo.org"; + site-name = "Fudo Git"; + user = "fudo_git"; + database = { + user = "fudo_git"; + password-file = /srv/git/secure/db.passwd; + hostname = "127.0.0.1"; + name = "fudo_git"; + }; + repository-dir = /srv/git/repo; + state-dir = /srv/git/state; + }; + networking = { hostName = hostname; dhcpcd.enable = false; useDHCP = false; - # Why on earth would these use DHCP? - # interfaces.enp4s0f0.useDHCP = true; - # interfaces.enp4s0f1.useDHCP = true; # TODO: fix IPv6 enableIPv6 = false; @@ -282,6 +342,10 @@ in { interface = "enp4s0f0"; mode = "bridge"; }; + extif1 = { + interface = "enp4s0f0"; + mode = "bridge"; + }; intif0 = { interface = "enp4s0f1"; mode = "bridge"; @@ -290,7 +354,8 @@ in { interfaces = { extif0 = { - # result of: echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + # result of: + # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' macAddress = "02:d4:e8:3b:10:2f"; ipv4.addresses = [ { 
@@ -299,8 +364,18 @@ in { } ]; }; + extif1 = { + macAddress = "02:6d:e2:e1:ad:ca"; + ipv4.addresses = [ + { + address = docker_ipv4; + prefixLength = 28; + } + ]; + }; intif0 = { - # result of: echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + # result of: + # echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' macAddress = "02:ba:ba:e9:08:21"; ipv4.addresses = [ { @@ -315,10 +390,6 @@ in { hardware.bluetooth.enable = false; virtualisation = { - lxd = { - enable = true; - }; - docker = { enable = true; enableOnBoot = true; @@ -327,6 +398,10 @@ in { enable = true; }; }; + + lxd = { + enable = true; + }; }; fileSystems = { 
@@ -362,22 +437,129 @@ in { }; }; - ## - # Archiva - ## + users = { + extraUsers = { + archiva = { + isNormalUser = false; + group = "nogroup"; + uid = 8001; + }; - users.extraUsers = { - archiva = { - isNormalUser = false; - group = "nogroup"; - uid = 1000; + fudo_git = { + isNormalUser = false; + uid = 8006; + }; + + gitlab = { + isNormalUser = false; + uid = 8002; + }; + + gitlab_postgres = { + isNormalUser = false; + group = config.fudo.postgresql.socket-group; + uid = 8003; + }; + + gitlab_redis = { + isNormalUser = false; + group = "redis-local"; + uid = 8004; + }; + + gitlab_www = { + isNormalUser = false; + group = "nogroup"; + uid = 8005; + }; + }; + + extraGroups = { + redis-local = { + members = ["redis"]; + gid = 7001; + }; + }; + }; + + boot.kernel.sysctl = { + # For Redis + "vm.overcommit_memory" = 1; + }; + + fudo.system = { + disableTransparentHugePages = true; + postHugePageServices = ["redis.service"]; + }; + + systemd.services.redis.postStart = '' + chgrp redis-local ${config.services.redis.unixSocket} + ''; + + security.acme.certs = { + "archiva.fudo.org".email = config.fudo.common.admin-email; + "git.fudo.org".email = config.fudo.common.admin-email; + }; + + services = { + + redis = { + enable = true; + bind = "127.0.0.1"; + unixSocket = "/run/redis/redis.socket"; + extraConfig = '' + unixsocketperm 770 + ''; + }; + + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts = { + "archiva.fudo.org" = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:8001"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + + "git.fudo.org" = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = 
"http://127.0.0.1:8002"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + }; }; }; docker-containers = { archiva = { image = "xetusoss/archiva"; - ports = ["127.0.0.1:8091:8080"]; + ports = ["127.0.0.1:8001:8080"]; + # Ugly: name-to-uid lookup fails. + user = toString config.users.users.archiva.uid; volumes = [ "/srv/archiva:/archiva-data" ]; 
@@ -385,19 +567,61 @@ in { # Not directly connected to the world anyway SSL_ENABLED = "false"; }; - # Ugly as shit: name-to-uid lookup fails. - #user = "1000"; - user = toString config.users.users.archiva.uid; + }; + + gitlab = { + image = "gitlab/gitlab-ce:12.8.1-ce.0"; + ports = [ + "127.0.0.1:8002:80" + "${docker_ipv4}::22" + ]; + # user = toString config.users.users.gitlab.uid; + volumes = [ + "/run/redis:/var/opt/gitlab/redis" + "/srv/gitlab/builds:/var/opt/gitlab/gitlab-ci/builds" + "/srv/gitlab/config:/etc/gitlab" + "/srv/gitlab/logs:/var/log/gitlab" + "/srv/gitlab/gitlab:/var/opt/gitlab" + "${config.fudo.postgresql.socket-directory}:/run/postgresql" + "${config.fudo.postgresql.socket-directory}:/var/opt/gitlab/postgresql" + ]; + extraDockerOptions = [ + "--hostname=git.fudo.org" + ]; }; }; + systemd.services.docker-gitlab-config = let + gitlab-config = pkgs.writeText "gitlab-config.rb" '' + gitlab_rails['db_adapter'] = "postgresql" + gitlab_rails['db_encoding'] = "unicode" + gitlab_rails['db_database'] = "gitlab" + gitlab_rails['db_username'] = "gitlab_postgres" + gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}" + + user['uid'] = "${toString config.users.users.gitlab.uid}" + user['gid'] = "${toString config.users.groups.redis-local.gid}" + + # Provided externally + redis['enable'] = false + postgresql['enable'] = false + + web_server['uid'] = "${toString config.users.users.gitlab_www.uid}" + web_server['gid'] = "${toString config.users.groups.nogroup.gid}" + ''; + in { + # before = ["docker-gitlab.service"]; + script = "cp -f ${gitlab-config} /srv/gitlab/config/gitlab.rb"; + }; + systemd.services.docker-gitlab.requires = ["docker-gitlab-config.service"]; + ### # Minecraft ### fudo.minecraft-server = { enable = true; - package = pkgs.minecraft-server_1_15_1; + package = pkgs.minecraft-server_1_15_2; data-dir = minecraft-data-dir; world-name = "selbyland"; motd = "Welcome to the Selby Minecraft server."; 
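Review bot: `gitlab-config = pkgs.writeText "gitlab-config.rb" ''…db_password = "${fileContents /srv/gitlab/secure/db.passwd}"…''` bakes the PostgreSQL password into a `/nix/store` file, which is readable by every local user (and by any container that mounts the store), defeating the point of keeping it under `/srv/gitlab/secure`. Render `gitlab.rb` at service start instead, reading the secret from disk inside the script and writing the result with a restrictive umask; the uid/gid values are not secret and can stay as Nix interpolations. The ordering is also missing: `# before = ["docker-gitlab.service"];` is commented out and `docker-gitlab.requires` adds no `After=`, so the container can start before `gitlab.rb` is copied, and `docker-gitlab-config` has no `wantedBy`/`requiredBy` or `Type = "oneshot"`. `gitlab/gitlab-ce:12.8.1-ce.0` pins a release that was several patch releases behind by this commit's date; pinning is right, but the tag needs a bump cadence. The container also runs as root inside the image (`# user = …` is commented) and publishes `${docker_ipv4}::22`, which collides with the host's sshd unless that is bound to `host_ipv4` only — worth a comment either way.
```nix
  systemd.services.docker-gitlab-config = {
    # Runs before the container each boot; the password is read at runtime so
    # it never lands in the Nix store.  gitlab.rb is root-only (umask 077),
    # which matches the container currently running as root.
    before = [ "docker-gitlab.service" ];
    requiredBy = [ "docker-gitlab.service" ];
    serviceConfig.Type = "oneshot";
    script = ''
      umask 077
      DB_PASSWORD="$(cat /srv/gitlab/secure/db.passwd)"
      cat > /srv/gitlab/config/gitlab.rb <<EOF
      gitlab_rails['db_adapter'] = "postgresql"
      gitlab_rails['db_encoding'] = "unicode"
      gitlab_rails['db_database'] = "gitlab"
      gitlab_rails['db_username'] = "gitlab_postgres"
      gitlab_rails['db_password'] = "$DB_PASSWORD"
      # … unchanged: user/web_server uid+gid lines and the redis/postgresql disables …
      EOF
    '';
  };
```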
diff --git a/packages/local.nix b/packages/local.nix index 5318f41..1e6174c 100644 --- a/packages/local.nix +++ b/packages/local.nix @@ -15,9 +15,22 @@ }; }); + minecraft-server_1_15_2 = pkgs.minecraft-server.overrideAttrs (oldAttrs: rec { + version = "1.15.2"; + src = builtins.fetchurl { + url = "https://launcher.mojang.com/v1/objects/bb2b6b1aefcd70dfd1892149ac3a215f6c636b07/server.jar"; + sha256 = "12kynrpxgcdg8x12wcvwkxka0fxgm5siqg8qq0nnmv0443f8dkw0"; + }; + }); + postgresql_11_gssapi = pkgs.postgresql_11.overrideAttrs (oldAttrs: rec { configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ]; buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ]; }); + + postgresql_12_gssapi = pkgs.postgresql_12.overrideAttrs (oldAttrs: rec { + configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ]; + buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ]; + }); }; } 
diff --git a/static/fudo.link/favicon.ico b/static/fudo.link/favicon.ico index 1023abe3aacde15e1a6fb4947d8836355edb8d7d..8fcc37ca6da9cd4f9082ce8d807e10345a7f5576 100644 GIT binary patch literal 15086 zcmZQzU}RusFfaho3Jfb$85qnM7#I{3pnL%ahI^_E3<3fWeg+EzLz@``g9ZZwg8>5r zLjnUtoB;$>Km;moaB%oPibum>G!2ZVfzdQT#WdjP_^ZX;{Xv_j=XGLmi>vFC1_y_~ zM8v`07B{yi#Fzl#>daRvTvW;g9{hz@1H;KfDePzoZ7I# zr!O>gBO!bGLPIy4-mt+3qz9jwAUTkl%lr1ZO^uJA)!^v(n~>Qs`Br!L`xkfZa{d4R zzrp|i|BZ;m`a7mhjcjsu{s1!vod(J6oH{k~|NsB`M4Ab*+W_PikekrW!^Lm&^t}4; z(j_~n9mfCv{|8~i|NsAE!yq{jHaxa!m4CB~%PU;wHoLgI1gU|V1JVP+*vtfpf#g8g z2;>%!n{b(nE)G)r=<;QInET&8d17^7;lhx;bLNEan>!bbLF^;TmIZ$M_|XjJzvG16 z{|clA=6;Y~kQpGekj(|z1+o)rt`W#BAUC1A6Bi$(7NiI2e#3q9=7qJmxjhEOKN9}b z?&Wpq#*rf~Fm)ie5eR=|_ZwY5a>NB>Mw7GiCnR$}fb0U<3H2w%?%zFgCMaEhMDee^ z{r?ts_xo259027LP&zdv)%_s7ATt{5?Ga^%gTwzOXXlR~JE`h^C#R3d_SA#i@8(9i z``z5`gUo`5jlKQ;TAWyhh2VtM{b=s;Y4ow0qO1Z z^E(1E3uGn;gX{p=1+tS$;cxu)!w0kLhY!1e;u{%*?Em%Shbc6lk(z#tL3%-EAe#wd zgX{v?2{o6j^babtpy3KC!$266#<5|L90(g8Te*@@`S}W@1{$s)Js^zDOpq8z4unZA zKSBBb)cW;a(0T?`7Q--#xlnh&NN#g)Z^Hlo|Mk%H;xktt zkCtXI>_b*-Z~q@;2FNU^`}IL~ zfW$D&h3Ug%exsAqcTikSOG=tLEirK#8lJvm%9I$WJw|JqnzE-RB+NilgRX}lA7lo| zENEF_2(n{ZV&ZfRbCZ&$g4_mjBSx4&{RC=n-#K*()b0Vb4?%5Dbc~$OK=~G3o?Jf2 zEO5Sp`U9Ie`XIM~+=$oxr%&T^KQ?o5i6Q$H#KxtLSaE{x2gMDje=#j7iD0~A#4mDs zOGucpsjDj)8kR;IySh@QQJU70lBR*&267{=@CS<%kx#(tplJ?UJ_F^yX$c9_p=Fi9 z)P#iTATexeQOtswiH#=JUD(XPE(R)RKf=m8DE($udU_Ac{UCO;i_06R+$#_bYGXDy zI1pbhVz(Q)yeEs@6BM*#=hUgupt=TJ=d4=g4{9UaJ#)qpRwsejATgLcNbSz4Q)57S zi4K1nxF1x{?4LI;1Xd?N%T`cX0>Yp?i(ICF#E`N6zIpRPKxPb-A6nep?qAuzAJ%_C zb}Pv3xG-EDNH55YfpR~ny$)*cLdzNBA78$h-8_2K86<`cgXBPJpy|p8qy}WhAaTFp z+0C21JA8c3g8CpJcOhet7)TDJ2Aa+Wo%=!UMo`%TE+^6Ro4x&ikQ_+OV0AyJd;z%; zS9$=+fz%9E_n%z1&bQUW;|{272erM?@JEo`$@S}f2dVpwKfZcp0qS=nk4GVoOM&D- zY6eUG1&!T+$`Dxj19ca28IO$(FF!$gL1y4eZ?qO~c6EJzY~@N&dH}T{ah3PD#0@}t zL1xg}op{XuJ25J1$%P#|JV9gKpfPV^Fi0&(4@fT={aUixIe7f=r^U_f5vX553I^$E zaB%p8$6RW=bJRTaI&G9cnkGimz=%!*sH=fU=P~|&!2Z91fr0t|2mb#Du+RrS@H2zN 
zanU&R!OUflVPLQTIg1Cfo{2$@fuVwdfr0=3|Ns9#AZP{#kS!pEj13@?fdNL>|AX-V z|Hn>$;D?CgqH*binG4ZPE(uzvrNF?z;DEeNO90cf(Rz}KYcqyNnfI^J(eZbqqvJ0u z7_?Rb-&&Ht1oYw^R|DAxYJ0A#ug_c6(2xtJL2M{q-O!LbGc~mz)PF-yw;(Z)97qki zKA2e(qoS6A>_FEGeYwFK0k1I?}W1O;K(4-x~(fz*KF5TpmH_Z`SAkeMK}L3Y6GL#IJE=a4}9L1ux>1ep!81KnO2 zA0!7-0~#M*-`<`M8dnF+&GdzaZdy=KP!9@QkR2eq@Yrt*QVY@p)w=;?7RXGH*&sV$ z_My|Q?(Vm59y#t;ebwq%m&$kZZC`v8gtz~ zX;SRJzkfmYnEv_w8=Rj0{`q49@;8Woan~*n&^iE^9vBT01IdBZfYgHYfb0kJzkfFc znF%r*WCu(SHX4)%y8{FFb_WFPo0ps00t&aaEiIYdfq{Fv0|R%1*3jVSoBjpKfz*K1 zg7kp&g3JJ!1u_$4Ha0s!VvUZDKS6zVFm`cy37Qv}92+|ilx`Lk7gvMUIDxUN>x&jw z*JmxRu20eMvu0P<7hp9mE-yiPKzc!DfXo7myShFHnGdoHWG5Wk+y4iR*`M3G)$9EB z?VccfZre7`d*{x9=FAMA-??KA5<|h;wt1f2vc(I8&u`lX)`Kh$(gVu#ATvN_!Q?=8 zfb2p~KOixX984XE2Ju1TsvsJ~hvRMAJV9m5k1t+C=6US1cW z>1*$Vh=|pxHluU{shI^g$@A143){WAt( z5E~>0k^`v$sYMT8GW?6^zu4Qu%U@8QhGJORgj`O6*`V^5>h_0)fy;l8ALnLgx5CTU zu(0(Y_S~GDR!~_3D)&I;F0Jebm2IH17P)=_u|Z-WIa=EfitGNcuyyeI)y3s4hz$}0 z$cJ# zM1X;T{R964{vYxmK$u5D!T^N%EMy8md=O?hz{~)`^8f$;0AcWu2xwSD{s#jC2unyX zFu*W~55oK(uvrD(PX-#60F6~JGJr@11_l;PrBusLu=OS|8a>Wo;xHOX9@KXP_4E3} z!`Fh!+y1by^{pNrH(_oAu|Z;Bx$y9{AhjSpF!>fYwKx#m0L3&{FjZRKqK13=DQP3=A?BkfH`u{D4Mk*&i@4uq7}s IfM{er0E9jZXaE2J literal 15406 zcmZQzU}Rus5D);-3Je)63=C!r3=9ei5Wa>W1H(KP1_lEI2tPxOf#H}a1A_(w1A_oa z9Roz10S5?WV5kdaVE7rz!0?|$4AMicUYK1VGhl40&?S0$|L5i9{hynY1Ev=i75!gQ zR`!2dVj|JzFRiHff9u4F|1sR$|D(CM{ugR#{Xf5b`~NsTKBCM3*?(#GZWOh-Dk}e5 zJv~vxaD_KW|3x(YxYS}3AL;r*@pt3M5u(BxJ^YIG^#0Gu&i+3;GxL9^zdu=Kpqoj6 zPe~pC=_NN0g7xAk7Kj!Gl`{$q3=9qg${7X*2Br`OhMG_YhGzuAgPLLf3}h#g-PAOj zXtO|WptHZx-A2zaN4I;FPkP-tAYpcK*RKDs?%)6a?AERSPp)78|MbR<|IcsV{{Qmc zz5j0>J^KId*|Yy2U%mSO<=wmg-#&i)zkTv#s=G6upa1{&&!7K;z|j>e{-;Sw{!bJV z`kx>u_&-@p?0>nj@&837CI3IZeEI*?g9raZ85ybW22dD)>|b78jniyUeg5^shyT@< zmN?arTh6_>dlzK=e^5P!&x~bNRsVNRok}zNmz0;|H9J*8;{WEpKD=u1xgVDt%>RV! 
z$EBZA@lpFB>2Ear@uz=E(-|)Pqv>yCr$1Qzv#hd`>SZggGzSxp<>iIfzk6oQqDlP< zvkRR*zheiu?eXx^rT_QNo&~o-9$mTee^z=r-NOOhZKHgW$A<=6oDF0j2;2`Hs5AuX zeK2X$w+#bTfFg28c;X4uf2SphX!octYi(hZ_MsZ)qwXFe28_&*^s^8cjh=>L;rW5IIMl9K+b8~b5&(F{Qzp$|I z|H9(p{~0neboYCwukZgGN00vh{PyktA78%w|Muw<3I>hGf-p$#$Jej_e}4P+|L6Db z|9}1X@&EVFpZ|aV`t|=02><>K4u^q?=V(sO|Jx=_`v33mU-0-Th}bcC@_*2raJGWN z{|s4KFwT^d`=76&0iKUt-Prj5?&;I;J}+pVcc9!4vKN$&Kw%4V`@etx{+AgV5=;-V zJUstrWn}z+^Z4=qpI^WJ2l)?V)<9rT`Uj;Gko!StqCiuVp!-4Yj9_8;zo@tvoVEy! zdxO-|3WM_L_b*>S&j0`G`}h9^8X82oALO1S5t087E?)e9|NQy?pf~}E(HkSXAC!(r zaX-kdpg8#S`t|>2S68C_4bn#~OsV@pb48#$1e%|rmYYa1hf?>GVizscj=Fzf$GJws ze>D6l$=9RlXEgncrXNWAjhyxmC1FPmy`%YeH2+ePj)r>rLGC|-#urHKzfcl()X)p+ zdw|AAKpn`xfB*h3(bpf4eiS)=iDGB}zoow)W&8v*HWkLqJgEK9;p6lF>cNBmKfHPc z9=H1X{ylh&B4~XcXe{gfix>Z|A35?rPfcx5`UAA)d}eCu|EUQH;PJxlz`*~YF}d!b zATS@acLB5>9kkw#oOm78Gq82aX!wtYKONJ+P@aPXxg9hIJSfX)BH|Fd76LREPlVdR w=Ev`#^#h&sm!Y(N2Ih8<`$zF;2#^~B0L3<{TmS$7 diff --git a/static/fudo.org/favicon.ico b/static/fudo.org/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..758d2cf324e304360f5bea97361dacf13791afd0 GIT binary patch literal 1150 zcmZQzU}Ruq5D);-3Je)63=Con3=A3!3=9Gc3=9ek5OD?&U}0cT6@y?9cQE0zrBiLr zmQKBJwsh+2v!zqt;J~-emQD@E=I*nlQ}3TGo%){${OxS%R33CQkn}w}TRQa)7W@!N zjWQ1XAiYfJaxnhc(y2$FW~ji#U^G*_ literal 0 HcmV?d00001 diff --git a/static/selby.ca/favicon.ico b/static/selby.ca/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..0e5b332c52f6a3d820e30c6f27ecec89a064acbe GIT binary patch literal 1150 zcmZQzU}Ruq5D);-3Je)63=Con3=A3!3=9Gc3=9ek5OD?&U}0cT6@y?9ms)shp#Ac# zf%gBl2HO885`)w(h1pM{UYH&Kko3dENTTuR|GPENzH@7!y$BR{Z4I;siJ_Q}L;tg_ zf%eW@1MQu*2HM})8fbrWYoNU&ln;`Fn}J3DwylBo5?cf98@2}8|3L~%kljsCxh*hp zH2uf62HMMQ4YWT5lgC0IhN=P4|Ize=-1P;E9*{UPhO5D%A6XqiHj@5)Y~hQ?EugR| zfawR(TLbOgw+7n3#-j)3o|jt#?Oj27(DBwldl>@Z2MSwhbbZMDt%3H;TLbOuvBX~^ zNDf&oKK9l?dk1Lxxdlo)_|#G&_y0cwLjxmm_y98l!vl5(h7bG<41eqy7(jXfcFKYe literal 0 HcmV?d00001