From 9f59ff30fec81b5f68edb9b3fae31c9a1a69729f Mon Sep 17 00:00:00 2001 From: root Date: Sat, 6 Jun 2020 20:58:13 -0500 Subject: [PATCH] Piles o' changes --- config/fudo/chat.nix | 2 + config/fudo/common.nix | 6 + config/fudo/git.nix | 115 ++++++++++++++ config/fudo/grafana.nix | 3 + config/fudo/mail-container.nix | 113 +++++--------- config/fudo/mail/postfix.nix | 7 +- config/fudo/node-exporter.nix | 2 + config/fudo/postgres.nix | 44 ++++-- config/fudo/prometheus.nix | 2 + config/fudo/system.nix | 37 +++++ config/fudo/webmail.nix | 103 ++++++++----- config/local.nix | 2 + defaults.nix | 6 +- fudo/groups.nix | 2 + fudo/sender-blacklist.nix | 1 + fudo/users.nix | 11 +- hosts/france.nix | 270 ++++++++++++++++++++++++++++++--- packages/local.nix | 13 ++ static/fudo.link/favicon.ico | Bin 15406 -> 15086 bytes static/fudo.org/favicon.ico | Bin 0 -> 1150 bytes static/selby.ca/favicon.ico | Bin 0 -> 1150 bytes 21 files changed, 587 insertions(+), 152 deletions(-) create mode 100644 config/fudo/git.nix create mode 100644 config/fudo/system.nix create mode 100644 static/fudo.org/favicon.ico create mode 100644 static/selby.ca/favicon.ico diff --git a/config/fudo/chat.nix b/config/fudo/chat.nix index d82d10a..dfaf28c 100644 --- a/config/fudo/chat.nix +++ b/config/fudo/chat.nix @@ -154,6 +154,8 @@ in { }; }; + security.acme.certs.${cfg.hostname}.email = config.fudo.common.admin-email; + services.nginx = { enable = true; diff --git a/config/fudo/common.nix b/config/fudo/common.nix index ddbe3c6..93c9823 100644 --- a/config/fudo/common.nix +++ b/config/fudo/common.nix @@ -46,5 +46,11 @@ with lib; description = "Path at which to store www files for serving."; example = /var/www; }; + + admin-email = mkOption { + type = types.str; + description = "Email for administrator of this system."; + default = "admin@fudo.org"; + }; }; } diff --git a/config/fudo/git.nix b/config/fudo/git.nix new file mode 100644 index 0000000..9479582 --- /dev/null +++ b/config/fudo/git.nix 
@@ -0,0 +1,115 @@ +{ pkgs, lib, config, ... }: + +with lib; +let + cfg = config.fudo.git; + + databaseOpts = { ... }: { + options = { + name = mkOption { + type = types.str; + description = "Database name."; + }; + hostname = mkOption { + type = types.str; + description = "Hostname of the database server."; + }; + user = mkOption { + type = types.str; + description = "Database username."; + }; + password-file = mkOption { + type = types.path; + description = "File containing the database user's password."; + }; + }; + }; + +in { + options.fudo.git = { + enable = mkEnableOption "Enable Fudo git web server."; + + hostname = mkOption { + type = types.str; + description = "Hostname at which this git server is accessible."; + example = "git.fudo.org"; + }; + + site-name = mkOption { + type = types.str; + description = "Name to use for the git server."; + default = "Fudo Git"; + }; + + database = mkOption { + type = (types.submodule databaseOpts); + description = "Gitea database options."; + }; + + repository-dir = mkOption { + type = types.path; + description = "Path at which to store repositories."; + example = /srv/git/repo; + }; + + state-dir = mkOption { + type = types.path; + description = "Path at which to store server state."; + example = /srv/git/state; + }; + + user = mkOption { + type = with types; nullOr str; + description = "System user as which to run."; + default = "git"; + }; + }; + + config = mkIf cfg.enable { + security.acme.certs.${cfg.hostname}.email = config.fudo.common.admin-email; + + services = { + gitea = { + enable = true; + appName = cfg.site-name; + database = { + createDatabase = true; + host = cfg.database.hostname; + name = cfg.database.name; + user = cfg.database.user; + passwordFile = cfg.database.password-file; + }; + domain = cfg.hostname; + httpAddress = "127.0.0.1"; + httpPort = 3543; + repositoryRoot = toString cfg.repository-dir; + stateDir = toString cfg.state-dir; + rootUrl = "https://${cfg.hostname}/"; + user = mkIf (cfg.user != 
null) cfg.user; + }; + + nginx = { + enable = true; + + virtualHosts = { + "${cfg.hostname}" = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:3543"; + + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + }; + }; + }; + }; +} diff --git a/config/fudo/grafana.nix b/config/fudo/grafana.nix index 61f869f..6bed0e5 100644 --- a/config/fudo/grafana.nix +++ b/config/fudo/grafana.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.fudo.grafana; + fudo-cfg = config.fudo.common; database-name = "grafana"; database-user = "grafana"; @@ -73,6 +74,8 @@ in { }; config = mkIf cfg.enable { + security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email; + services.nginx = { enable = true; diff --git a/config/fudo/mail-container.nix b/config/fudo/mail-container.nix index c26c974..aa7edb5 100644 --- a/config/fudo/mail-container.nix +++ b/config/fudo/mail-container.nix @@ -16,7 +16,7 @@ let container-mail-user = "mailer"; container-mail-user-id = 542; container-mail-group = "mailer"; - trusted-networks = config.fudo.common.local-networks; + fudo-cfg = config.fudo.common; in rec { options.fudo.mail-server.container = { @@ -25,18 +25,6 @@ in rec { description = "URL of the LDAP server to use for authentication."; example = "ldaps://auth.fudo.org/"; }; - - # host-ip = mkOption { - # type = types.str; - # description = "The IP to assign to this server, for communication with the mail server container."; - # default = "10.110.0.1"; - # }; - - # container-ip = mkOption { - # type = types.str; - # description = "The IP to assign to the mail server container."; - # default = "10.110.0.2"; - # }; }; config = mkIf (cfg.enableContainer && !cfg.enable) { 
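Review bot: `passwordFile = cfg.database.password-file;` hands the gitea module a `types.path` value, and hosts/france.nix in this same commit passes a path literal (`password-file = /srv/git/secure/db.passwd;`); if the gitea module interpolates that value into a string or script (I believe its pre-start script does), Nix copies the secret file into the world-readable /nix/store. Passing the location as a string avoids the copy: `passwordFile = toString cfg.database.password-file;`, mirroring how `repositoryRoot` and `stateDir` in the same attrset already use `toString`. The option description for `password-file` could also warn callers that a path literal is copied to the store when interpolated.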
@@ -73,6 +61,8 @@ in rec { }; }; + security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email; + services.nginx = mkIf cfg.monitoring { enable = true; @@ -81,9 +71,9 @@ in rec { proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; ''; - trusted-network-string = optionalString ((length trusted-networks) > 0) + trusted-network-string = optionalString ((length fudo-cfg.local-networks) > 0) (concatStringsSep "\n" - (map (network: "allow ${network};") trusted-networks)) + "\ndeny all;"; + (map (network: "allow ${network};") fudo-cfg.local-networks)) + "\ndeny all;"; in { "${cfg.hostname}" = { @@ -123,30 +113,6 @@ in rec { }; }; - # services.xinetd = let - # xinetd-entry = name: port: { - # name = name; - # port = port; - # protocol = "tcp"; - # server = ""; - # extraConfig = '' - # socket_type = stream - # wait = no - # redirect = ${cfg.container.container-ip} ${toString port} - # ''; - # }; - # in { - # enable = true; - # services = [ - # (xinetd-entry "smtp" 25) - # (xinetd-entry "pop3" 110) - # (xinetd-entry "pop3s" 995) - # (xinetd-entry "imap" 143) - # (xinetd-entry "imaps" 993) - # (xinetd-entry "submission" 587) - # ]; - # }; - containers.mail-server = { autoStart = true; 
@@ -210,46 +176,45 @@ in rec { }; }; - fudo.mail-server = - { - enable = true; - hostname = cfg.hostname; - domain = cfg.domain; + fudo.mail-server = { + enable = true; + hostname = cfg.hostname; + domain = cfg.domain; - debug = cfg.debug; - monitoring = cfg.monitoring; + debug = cfg.debug; + monitoring = cfg.monitoring; - state-directory = container-statedir; - mail-directory = container-maildir; + state-directory = container-statedir; + mail-directory = container-maildir; - postfix.ssl-certificate = "/etc/${container-postfix-cert}"; - postfix.ssl-private-key = "/etc/postfix-certs/key.pem"; + postfix.ssl-certificate = "/etc/${container-postfix-cert}"; + postfix.ssl-private-key = "/etc/postfix-certs/key.pem"; - dovecot = { - ssl-certificate = "/etc/${container-dovecot-cert}"; - ssl-private-key = "/etc/dovecot-certs/key.pem"; - ldap-ca = "/etc/${container-fudo-ca-cert}"; - ldap-urls = cfg.dovecot.ldap-urls; - ldap-reader-dn = cfg.dovecot.ldap-reader-dn; - ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd; - }; - - local-domains = cfg.local-domains; - - alias-users = cfg.alias-users; - user-aliases = cfg.user-aliases; - sender-blacklist = cfg.sender-blacklist; - recipient-blacklist = cfg.recipient-blacklist; - trusted-networks = cfg.trusted-networks; - - mail-user = container-mail-user; - mail-user-id = container-mail-user-id; - mail-group = container-mail-group; - - clamav.enable = cfg.clamav.enable; - - dkim.signing = cfg.dkim.signing; + dovecot = { + ssl-certificate = "/etc/${container-dovecot-cert}"; + ssl-private-key = "/etc/dovecot-certs/key.pem"; + ldap-ca = "/etc/${container-fudo-ca-cert}"; + ldap-urls = cfg.dovecot.ldap-urls; + ldap-reader-dn = cfg.dovecot.ldap-reader-dn; + ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd; }; + + local-domains = cfg.local-domains; + + alias-users = cfg.alias-users; + user-aliases = cfg.user-aliases; + sender-blacklist = cfg.sender-blacklist; + recipient-blacklist = cfg.recipient-blacklist; + trusted-networks = 
cfg.trusted-networks; + + mail-user = container-mail-user; + mail-user-id = container-mail-user-id; + mail-group = container-mail-group; + + clamav.enable = cfg.clamav.enable; + + dkim.signing = cfg.dkim.signing; + }; }; }; }; diff --git a/config/fudo/mail/postfix.nix b/config/fudo/mail/postfix.nix index 940ffd3..776c584 100644 --- a/config/fudo/mail/postfix.nix +++ b/config/fudo/mail/postfix.nix @@ -105,9 +105,10 @@ in { domain = cfg.domain; origin = cfg.domain; hostname = cfg.hostname; - destination = ["localhost" "localhost.localdomain"] ++ - (map (domain: "localhost.${domain}") cfg.local-domains) ++ - cfg.local-domains; + destination = ["localhost" "localhost.localdomain"]; + # destination = ["localhost" "localhost.localdomain"] ++ + # (map (domain: "localhost.${domain}") cfg.local-domains) ++ + # cfg.local-domains; enableHeaderChecks = true; enableSmtp = true; diff --git a/config/fudo/node-exporter.nix b/config/fudo/node-exporter.nix index 6bc7cf3..927df44 100644 --- a/config/fudo/node-exporter.nix +++ b/config/fudo/node-exporter.nix @@ -20,6 +20,8 @@ in { }; config = mkIf cfg.enable { + security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email; + services = { # This'll run an exporter at localhost:9100 prometheus.exporters.node = { diff --git a/config/fudo/postgres.nix b/config/fudo/postgres.nix index 5eb348b..4486a11 100644 --- a/config/fudo/postgres.nix +++ b/config/fudo/postgres.nix @@ -65,8 +65,9 @@ let (username: attrs: stringJoin "\n" (map (db: '' - host ${username} ${db} 127.0.0.1/16 md5 - host ${username} ${db} ::1/128 md5 + local ${db} ${username} md5 + host ${db} ${username} 127.0.0.1/16 md5 + host ${db} ${username} ::1/128 md5 '') (attrNames attrs.databases))) users); 
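Review bot: The new `destination = ["localhost" "localhost.localdomain"];` drops every entry of `cfg.local-domains` from Postfix's mydestination, but the hunk gives no reason and keeps the old expression as a three-line comment. If those domains are now delivered as virtual domains elsewhere in this module, say so in place of the dead code, e.g. `# local-domains are served as virtual domains; listing them here too makes Postfix treat them as local and warn about the overlap`; otherwise mail for them is no longer accepted as local. The enclosing attrset starts and ends outside the hunk.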
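Review bot: `security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;` refers to `fudo-cfg`, and nothing in this hunk binds it; grafana.nix needed a `fudo-cfg = config.fudo.common;` added in this same commit, so unless node-exporter.nix's `let` already defines the name, evaluation fails with an undefined variable. The prometheus.nix hunk later in this patch has the same reference. The surrounding `let` and `config` blocks lie outside the hunk, so this should be confirmed against the full file.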
@@ -117,6 +118,24 @@ in { description = "A map of databases to database options."; default = {}; }; + + socket-directory = mkOption { + type = types.str; + description = "Directory in which to place unix sockets."; + default = "/run/postgresql"; + }; + + socket-group = mkOption { + type = types.str; + description = "Group for accessing sockets."; + default = "postgres_local"; + }; + + local-users = mkOption { + type = with types; listOf str; + description = "Users able to access the server via local socket."; + default = []; + }; }; config = mkIf cfg.enable { @@ -157,6 +176,12 @@ in { }; }; + users.groups = { + ${cfg.socket-group} = { + members = ["postgres"] ++ cfg.local-users; + }; + }; + services.postgresql = { enable = true; package = pkgs.postgresql_11_gssapi; @@ -172,23 +197,23 @@ in { }) cfg.users; - extraConfig = - '' + extraConfig = '' krb_server_keyfile = '/etc/postgresql/private/postgres.keytab' ssl = true ssl_cert_file = '/etc/postgresql/cert.pem' ssl_key_file = '/etc/postgresql/private/privkey.pem' - unix_socket_directories = '/var/run/postgresql' + unix_socket_directories = '${cfg.socket-directory}' + unix_socket_group = '${cfg.socket-group}' + unix_socket_permissions = 0777 ''; - authentication = - '' - local all all ident - + authentication = lib.mkForce '' ${makeLocalUserPasswordEntries cfg.users} + local all all ident + # host-local host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG @@ -204,6 +229,7 @@ in { systemd.services.postgresql.postStart = '' ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${pkgs.postgresql}/bin/psql --port ${toString config.services.postgresql.port} -f /etc/postgresql/private/user-script.sql -d postgres + ${pkgs.coreutils}/bin/chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL* ''; }; } diff --git a/config/fudo/prometheus.nix b/config/fudo/prometheus.nix index df8c928..54e5b6a 100644 --- a/config/fudo/prometheus.nix 
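Review bot: `unix_socket_permissions = 0777` makes the socket connectable by every local account, which leaves `unix_socket_group = '${cfg.socket-group}'` and the new `local-users` option (described as "Users able to access the server via local socket") without effect as an access gate; `unix_socket_permissions = 0770` is what the group-based design calls for. With the group already set in `extraConfig`, the `chgrp` added to `postStart` in the following hunk becomes redundant, and its `.s.PGSQL*` glob also matches the accompanying `.lock` file. Authentication still passes through pg_hba, so this is about the promised gate rather than an open door, but the option description promises more than the socket mode enforces.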
+++ b/config/fudo/prometheus.nix @@ -77,6 +77,8 @@ in { config = mkIf cfg.enable { + security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email; + services.nginx = { enable = true; diff --git a/config/fudo/system.nix b/config/fudo/system.nix new file mode 100644 index 0000000..b25aaf4 --- /dev/null +++ b/config/fudo/system.nix @@ -0,0 +1,37 @@ +{ pkgs, lib, config, ... }: + +with lib; +let + cfg = config.fudo.system; +in { + options.fudo.system = { + disableTransparentHugePages = mkOption { + type = types.bool; + description = '' + Disable transparent huge pages (recommended for database loads, in + particular for Redis. + ''; + default = false; + }; + + postHugePageServices = mkOption { + type = with types; listOf str; + description = "List of systemd services that should wait until after THP are disabled."; + default = []; + example = ["redis.service"]; + }; + }; + + config = mkIf cfg.disableTransparentHugePages { + systemd.services.disableHugePages = { + description = "Turn off Transparent Huge Pages (https://www.kernel.org/doc/Documentation/vm/transhuge.txt)"; + after = [ "sysinit.target" "localfs-target" ]; + before = cfg.postHugePageServices; + enable = true; + serviceConfig = { + ExecStart = "/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null"; + Type = "oneshot"; + }; + }; + }; +} diff --git a/config/fudo/webmail.nix b/config/fudo/webmail.nix index 310b8bf..d2c4f4e 100644 --- a/config/fudo/webmail.nix +++ b/config/fudo/webmail.nix @@ -145,6 +145,12 @@ let }; default = null; }; + + admin-email = mkOption { + type = types.str; + description = "Email of administrator of this site."; + default = "admin@fudo.org"; + }; }; }; @@ -220,6 +226,11 @@ in { }; }; + security.acme.certs = mapAttrs' (site: site-cfg: + nameValuePair site { + email = site-cfg.admin-email; + }) cfg.sites; + services = { phpfpm = { pools.webmail = { 
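Review bot: `ExecStart = "/bin/sh -c 'echo never | tee ... > /dev/null"` never closes the single quote, so the shell exits with a syntax error and transparent huge pages are never disabled; the unit also orders after `"localfs-target"` (the target is `local-fs.target`) and has no `wantedBy`, so `before = cfg.postHugePageServices` only orders it and nothing ever starts it. The three lines would read `after = [ "sysinit.target" "local-fs.target" ];`, `wantedBy = [ "multi-user.target" ];` and `ExecStart = "/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'";`. The `disableTransparentHugePages` description also leaves its parenthesis after "particular for Redis" unclosed.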
@@ -273,46 +284,62 @@ in { }; }; - systemd.services.nginx.preStart = let - link-configs = concatStringsSep "\n" (mapAttrsToList (site: site-cfg: let - cfg-file = builtins.toFile "${site}-rainloop.cfg" (import ./include/rainloop.nix lib site site-cfg site-packages.${site}.version); - domain-cfg = builtins.toFile "${site}-domain.cfg" '' - imap_host = "${site-cfg.mail-server}" - imap_port = 143 - imap_secure = "TLS" - imap_short_login = On - sieve_use = Off - sieve_allow_raw = Off - sieve_host = "" - sieve_port = 4190 - sieve_secure = "None" - smtp_host = "${site-cfg.mail-server}" - smtp_port = 587 - smtp_secure = "TLS" - smtp_short_login = On - smtp_auth = On - smtp_php_mail = Off - white_list = "" - ''; + systemd.services = { + webmail-init = let + link-configs = concatStringsSep "\n" (mapAttrsToList (site: site-cfg: let + cfg-file = builtins.toFile "${site}-rainloop.cfg" (import ./include/rainloop.nix lib site site-cfg site-packages.${site}.version); + domain-cfg = builtins.toFile "${site}-domain.cfg" '' + imap_host = "${site-cfg.mail-server}" + imap_port = 143 + imap_secure = "TLS" + imap_short_login = On + sieve_use = Off + sieve_allow_raw = Off + sieve_host = "" + sieve_port = 4190 + sieve_secure = "None" + smtp_host = "${site-cfg.mail-server}" + smtp_port = 587 + smtp_secure = "TLS" + smtp_short_login = On + smtp_auth = On + smtp_php_mail = Off + white_list = "" + ''; + in '' + ${pkgs.coreutils}/bin/mkdir -p ${base-data-path}/${site}/_data_/_default_/configs + ${pkgs.coreutils}/bin/cp ${cfg-file} ${base-data-path}/${site}/_data_/_default_/configs/application.ini - in '' - mkdir -p ${base-data-path}/${site}/_data_/_default_/configs - cp ${cfg-file} ${base-data-path}/${site}/_data_/_default_/configs/application.ini + ${pkgs.coreutils}/bin/mkdir -p ${base-data-path}/${site}/_data_/_default_/domains/ + ${pkgs.coreutils}/bin/cp ${domain-cfg} ${base-data-path}/${site}/_data_/_default_/domains/${site-cfg.domain}.ini + '') cfg.sites); + scriptPkg = (pkgs.writeScriptBin 
"webmail-init.sh" '' + #!${pkgs.bash}/bin/bash -e + ${link-configs} + ${pkgs.coreutils}/bin/chown -R ${webmail-user}:${webmail-group} ${base-data-path} + ${pkgs.coreutils}/bin/chmod -R ug+w ${base-data-path} + ''); + in { + requiredBy = [ "nginx.service" ]; + description = "Initialize webmail service directories prior to starting nginx."; + script = "${scriptPkg}/bin/webmail-init.sh"; + }; - mkdir -p ${base-data-path}/${site}/_data_/_default_/domains/ - cp ${domain-cfg} ${base-data-path}/${site}/_data_/_default_/domains/${site-cfg.domain}.ini + phpfpm-webmail-socket-perm = { + wantedBy = [ "multi-user.target" ]; + description = "Change ownership of the phpfpm socket for webmail once it's started."; + requires = [ "phpfpm-webmail.service" ]; + serviceConfig = { + ExecStart = '' + ${pkgs.coreutils}/bin/chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket} + ''; + }; + }; - '') cfg.sites); - - in '' - ${link-configs} - - chown -R ${webmail-user}:${webmail-group} ${base-data-path} - chmod -R ug+w ${base-data-path} - ''; - - systemd.services.phpfpm-webmail.postStart = '' - chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket} - ''; + nginx = { + requires = [ "webmail-init.service" ]; + wantedBy = [ "phpfpm-webmail-socket-perm.service" ]; + }; + }; }; } diff --git a/config/local.nix b/config/local.nix index 2da9c2c..0e3b01f 100644 --- a/config/local.nix +++ b/config/local.nix @@ -7,6 +7,7 @@ with lib; ./fudo/authentication.nix ./fudo/chat.nix ./fudo/common.nix + ./fudo/git.nix ./fudo/grafana.nix ./fudo/kdc.nix ./fudo/ldap.nix @@ -16,6 +17,7 @@ with lib; ./fudo/node-exporter.nix ./fudo/postgres.nix ./fudo/prometheus.nix + ./fudo/system.nix ./fudo/webmail.nix ../fudo/profiles diff --git a/defaults.nix b/defaults.nix index 121c83b..fa03dcd 100644 --- a/defaults.nix +++ b/defaults.nix 
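Review bot: `requires = [ "webmail-init.service" ]` on nginx gives no ordering, so nginx can start before the init script has populated `${base-data-path}`; it needs `after = [ "webmail-init.service" ];` as well (or `before = [ "nginx.service" ];` on webmail-init), and webmail-init needs `serviceConfig.Type = "oneshot";`, since with the default simple type systemd treats it as started the moment the shell is spawned. `phpfpm-webmail-socket-perm` has the same gap: `requires` without `after = [ "phpfpm-webmail.service" ];` lets the `chown` run before the socket exists. `wantedBy = [ "phpfpm-webmail-socket-perm.service" ]` on nginx also reads backwards — it makes the permission fixer pull in nginx, which I suspect is the reverse of the intent. The enclosing `config` attrset starts outside the hunk.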
@@ -10,6 +10,7 @@ ]; nixpkgs.config.allowUnfree = true; + security.acme.acceptTerms = true; environment.systemPackages = with pkgs; [ asdf @@ -84,11 +85,10 @@ krb5.libdefaults.default_realm = "FUDO.ORG"; krb5.kerberos = pkgs.heimdalFull; + console.keyMap = "dvp"; + i18n = { - # consoleFont = "Lat2-Terminus16"; - consoleKeyMap = "dvp"; defaultLocale = "en_US.UTF-8"; - # consoleUseXkbConfig = true; }; programs = { diff --git a/fudo/groups.nix b/fudo/groups.nix index 5fb0c39..1bd2c05 100644 --- a/fudo/groups.nix +++ b/fudo/groups.nix @@ -35,6 +35,7 @@ "joker4ever" "jun" "kevin" + "kevinyinjunjie" "kris" "laura" "leefolio" @@ -108,6 +109,7 @@ members = [ "ansyg" "joker4ever" + "kevinyinjunjie" "niten" "omefire" "reaper" diff --git a/fudo/sender-blacklist.nix b/fudo/sender-blacklist.nix index 8ca71e0..311d8e1 100644 --- a/fudo/sender-blacklist.nix +++ b/fudo/sender-blacklist.nix @@ -2,6 +2,7 @@ # spamming. Learn2passward! [ + "animus@fudo.org" "ark@fudo.org" "theblacksun@fudo.org" ] diff --git a/fudo/users.nix b/fudo/users.nix index 85b3322..565f14b 100644 --- a/fudo/users.nix +++ b/fudo/users.nix @@ -19,14 +19,14 @@ uid = 10002; group = "fudo"; common-name = "James Frazer"; - hashed-password = "{MD5}5EenPxFXCKCkxMGFmSAHqQ=="; + hashed-password = ""; }; ark = { uid = 10005; group = "fudo"; common-name = "Roger Wong"; - hashed-password = "{SHA}H1+3u18I7JG+xcy7jBaKu1M6GFk="; + hashed-password = ""; }; ben = { @@ -415,4 +415,11 @@ common-name = "Fudo Chat"; hashed-password = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7"; }; + + kevinyinjunjie = { + uid = 10112; + group = "fudo"; + common-name = "Kevin"; + hashed-password = "{SSHA}1onx6HPMKCJvmLnRf1tiWFJ1D92DEtnl"; + }; } diff --git a/hosts/france.nix b/hosts/france.nix index 85ec23d..2fc57a7 100644 --- a/hosts/france.nix +++ b/hosts/france.nix 
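Review bot: Replacing the two hashes with `hashed-password = "";` locks the accounts only if every consumer of this attribute treats an empty value as unmatchable; depending on the consumer, an empty password field can mean "no password required", and an empty LDAP `userPassword` is not handled uniformly across clients. A value no input can hash to, such as `hashed-password = "{CRYPT}!";`, or omitting the attribute where the schema allows it, locks the account unambiguously. A short comment stating that the account was deliberately disabled would also help the next reader, since the intent is otherwise only recoverable from the sender-blacklist change in the same patch.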
@@ -6,6 +6,8 @@ let hostname = "france.${domain}"; mail-hostname = hostname; host_ipv4 = "208.81.3.117"; + # Use a special IP for git.fudo.org, since it needs to be SSH-able + docker_ipv4 = "208.81.3.126"; all-hostnames = []; acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem"; @@ -56,6 +58,7 @@ in { lxd multipath-tools nix-prefetch-docker + tshark ]; fudo.prometheus = { @@ -109,6 +112,18 @@ in { ]; users = { + fudo_git = { + password = fileContents "/srv/git/secure/db.passwd"; + databases = { + fudo_git = "ALL PRIVILEGES"; + }; + }; + gitlab_postgres = { + password = fileContents "/srv/gitlab/secure/db.passwd"; + databases = { + gitlab = "ALL PRIVILEGES"; + }; + }; grafana = { password = fileContents "/srv/grafana/secure/db.passwd"; databases = { @@ -130,7 +145,13 @@ in { niten = {}; }; + local-users = [ + "fudo_git" + ]; + databases = { + fudo_git = ["niten"]; + gitlab = ["niten"]; grafana = ["niten"]; mattermost = ["niten"]; webmail = ["niten"]; @@ -217,7 +238,7 @@ in { mail-directory = "${system-mail-directory}/mailboxes"; dovecot.ldap-reader-dn = "cn=user_db_reader,dc=fudo,dc=org"; - dovecot.ldap-reader-passwd = removeSuffix "\n" (readFile /srv/ldap/secure/user_db.passwd); + dovecot.ldap-reader-passwd = fileContents /srv/ldap/secure/user_db.passwd; # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP. dovecot.ldap-urls = [ "ldap://france.fudo.org" ]; 
@@ -245,6 +266,33 @@ in { password-file = /srv/webmail/secure/db.passwd; }; }; + + "webmail.test.fudo.org" = { + title = "Fudo Webmail"; + favicon = "/etc/nixos/static/fudo.org/favicon.ico"; + mail-server = mail-hostname; + domain = "test.fudo.org"; + edit-mode = "Plain"; + database = { + name = "webmail"; + hostname = "localhost"; + user = "webmail"; + password-file = /srv/webmail/secure/db.passwd; + }; + }; + + "webmail.test.selby.ca" = { + title = "Selby Webmail"; + favicon = "/etc/nixos/static/selby.ca/favicon.ico"; + mail-server = mail-hostname; + domain = "test.selby.ca"; + database = { + name = "webmail"; + hostname = "localhost"; + user = "webmail"; + password-file = /srv/webmail/secure/db.passwd; + }; + }; }; }; @@ -264,14 +312,26 @@ in { }; }; + fudo.git = { + enable = true; + hostname = "git.test.fudo.org"; + site-name = "Fudo Git"; + user = "fudo_git"; + database = { + user = "fudo_git"; + password-file = /srv/git/secure/db.passwd; + hostname = "127.0.0.1"; + name = "fudo_git"; + }; + repository-dir = /srv/git/repo; + state-dir = /srv/git/state; + }; + networking = { hostName = hostname; dhcpcd.enable = false; useDHCP = false; - # Why on earth would these use DHCP? - # interfaces.enp4s0f0.useDHCP = true; - # interfaces.enp4s0f1.useDHCP = true; # TODO: fix IPv6 enableIPv6 = false; @@ -282,6 +342,10 @@ in { interface = "enp4s0f0"; mode = "bridge"; }; + extif1 = { + interface = "enp4s0f0"; + mode = "bridge"; + }; intif0 = { interface = "enp4s0f1"; mode = "bridge"; @@ -290,7 +354,8 @@ in { interfaces = { extif0 = { - # result of: echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + # result of: + # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' macAddress = "02:d4:e8:3b:10:2f"; ipv4.addresses = [ { 
@@ -299,8 +364,18 @@ in { } ]; }; + extif1 = { + macAddress = "02:6d:e2:e1:ad:ca"; + ipv4.addresses = [ + { + address = docker_ipv4; + prefixLength = 28; + } + ]; + }; intif0 = { - # result of: echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + # result of: + # echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' macAddress = "02:ba:ba:e9:08:21"; ipv4.addresses = [ { @@ -315,10 +390,6 @@ in { hardware.bluetooth.enable = false; virtualisation = { - lxd = { - enable = true; - }; - docker = { enable = true; enableOnBoot = true; @@ -327,6 +398,10 @@ in { enable = true; }; }; + + lxd = { + enable = true; + }; }; fileSystems = { 
@@ -362,22 +437,129 @@ in { }; }; - ## - # Archiva - ## + users = { + extraUsers = { + archiva = { + isNormalUser = false; + group = "nogroup"; + uid = 8001; + }; - users.extraUsers = { - archiva = { - isNormalUser = false; - group = "nogroup"; - uid = 1000; + fudo_git = { + isNormalUser = false; + uid = 8006; + }; + + gitlab = { + isNormalUser = false; + uid = 8002; + }; + + gitlab_postgres = { + isNormalUser = false; + group = config.fudo.postgresql.socket-group; + uid = 8003; + }; + + gitlab_redis = { + isNormalUser = false; + group = "redis-local"; + uid = 8004; + }; + + gitlab_www = { + isNormalUser = false; + group = "nogroup"; + uid = 8005; + }; + }; + + extraGroups = { + redis-local = { + members = ["redis"]; + gid = 7001; + }; + }; + }; + + boot.kernel.sysctl = { + # For Redis + "vm.overcommit_memory" = 1; + }; + + fudo.system = { + disableTransparentHugePages = true; + postHugePageServices = ["redis.service"]; + }; + + systemd.services.redis.postStart = '' + chgrp redis-local ${config.services.redis.unixSocket} + ''; + + security.acme.certs = { + "archiva.fudo.org".email = config.fudo.common.admin-email; + "git.fudo.org".email = config.fudo.common.admin-email; + }; + + services = { + + redis = { + enable = true; + bind = "127.0.0.1"; + unixSocket = "/run/redis/redis.socket"; + extraConfig = '' + unixsocketperm 770 + ''; + }; + + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts = { + "archiva.fudo.org" = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:8001"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + + "git.fudo.org" = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = 
"http://127.0.0.1:8002"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + }; }; }; docker-containers = { archiva = { image = "xetusoss/archiva"; - ports = ["127.0.0.1:8091:8080"]; + ports = ["127.0.0.1:8001:8080"]; + # Ugly: name-to-uid lookup fails. + user = toString config.users.users.archiva.uid; volumes = [ "/srv/archiva:/archiva-data" ]; 
@@ -385,19 +567,61 @@ in { # Not directly connected to the world anyway SSL_ENABLED = "false"; }; - # Ugly as shit: name-to-uid lookup fails. - #user = "1000"; - user = toString config.users.users.archiva.uid; + }; + + gitlab = { + image = "gitlab/gitlab-ce:12.8.1-ce.0"; + ports = [ + "127.0.0.1:8002:80" + "${docker_ipv4}::22" + ]; + # user = toString config.users.users.gitlab.uid; + volumes = [ + "/run/redis:/var/opt/gitlab/redis" + "/srv/gitlab/builds:/var/opt/gitlab/gitlab-ci/builds" + "/srv/gitlab/config:/etc/gitlab" + "/srv/gitlab/logs:/var/log/gitlab" + "/srv/gitlab/gitlab:/var/opt/gitlab" + "${config.fudo.postgresql.socket-directory}:/run/postgresql" + "${config.fudo.postgresql.socket-directory}:/var/opt/gitlab/postgresql" + ]; + extraDockerOptions = [ + "--hostname=git.fudo.org" + ]; }; }; + systemd.services.docker-gitlab-config = let + gitlab-config = pkgs.writeText "gitlab-config.rb" '' + gitlab_rails['db_adapter'] = "postgresql" + gitlab_rails['db_encoding'] = "unicode" + gitlab_rails['db_database'] = "gitlab" + gitlab_rails['db_username'] = "gitlab_postgres" + gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}" + + user['uid'] = "${toString config.users.users.gitlab.uid}" + user['gid'] = "${toString config.users.groups.redis-local.gid}" + + # Provided externally + redis['enable'] = false + postgresql['enable'] = false + + web_server['uid'] = "${toString config.users.users.gitlab_www.uid}" + web_server['gid'] = "${toString config.users.groups.nogroup.gid}" + ''; + in { + # before = ["docker-gitlab.service"]; + script = "cp -f ${gitlab-config} /srv/gitlab/config/gitlab.rb"; + }; + systemd.services.docker-gitlab.requires = ["docker-gitlab-config.service"]; + ### # Minecraft ### fudo.minecraft-server = { enable = true; - package = pkgs.minecraft-server_1_15_1; + package = pkgs.minecraft-server_1_15_2; data-dir = minecraft-data-dir; world-name = "selbyland"; motd = "Welcome to the Selby Minecraft server."; 
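Review bot: `gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}"` inside `pkgs.writeText` bakes the database password into a world-readable file under /nix/store, so every local account (and any binary cache this host pushes to) can read it. Keep a placeholder in the store-side template and substitute the secret when the service runs, writing gitlab.rb with restrictive permissions, as sketched below (the `sed` form assumes the password contains no `|` or `&`). In the same hunk, `"${docker_ipv4}::22"` asks Docker for an ephemeral host port on that address rather than port 22, which contradicts the comment that `docker_ipv4` exists to make git SSH-able; `"${docker_ipv4}:22:22"` is presumably what was meant. With `before` commented out, `requires` on docker-gitlab also does not order the config copy ahead of the container, so `before = [ "docker-gitlab.service" ];` together with `serviceConfig.Type = "oneshot";` is needed.
```nix
systemd.services.docker-gitlab-config = let
  gitlab-config = pkgs.writeText "gitlab-config.rb" ''
    # … unchanged: db_adapter, db_encoding, db_database, db_username …
    gitlab_rails['db_password'] = "@DB_PASSWORD@"
    # … unchanged: user, redis, postgresql and web_server settings …
  '';
in {
  before = [ "docker-gitlab.service" ];
  serviceConfig.Type = "oneshot";
  # Substitute the secret at run time so it never enters /nix/store.
  script = ''
    ${pkgs.gnused}/bin/sed "s|@DB_PASSWORD@|$(${pkgs.coreutils}/bin/cat /srv/gitlab/secure/db.passwd)|" \
      ${gitlab-config} > /srv/gitlab/config/gitlab.rb
    ${pkgs.coreutils}/bin/chmod 600 /srv/gitlab/config/gitlab.rb
  '';
};
```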
diff --git a/packages/local.nix b/packages/local.nix index 5318f41..1e6174c 100644 --- a/packages/local.nix +++ b/packages/local.nix @@ -15,9 +15,22 @@ }; }); + minecraft-server_1_15_2 = pkgs.minecraft-server.overrideAttrs (oldAttrs: rec { + version = "1.15.2"; + src = builtins.fetchurl { + url = "https://launcher.mojang.com/v1/objects/bb2b6b1aefcd70dfd1892149ac3a215f6c636b07/server.jar"; + sha256 = "12kynrpxgcdg8x12wcvwkxka0fxgm5siqg8qq0nnmv0443f8dkw0"; + }; + }); + postgresql_11_gssapi = pkgs.postgresql_11.overrideAttrs (oldAttrs: rec { configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ]; buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ]; }); + + postgresql_12_gssapi = pkgs.postgresql_12.overrideAttrs (oldAttrs: rec { + configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ]; + buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ]; + }); }; } 
diff --git a/static/fudo.link/favicon.ico b/static/fudo.link/favicon.ico index 1023abe3aacde15e1a6fb4947d8836355edb8d7d..8fcc37ca6da9cd4f9082ce8d807e10345a7f5576 100644 GIT binary patch literal 15086 zcmeI3Yj76j701`1Q@%KjANjx(KD3>FGFKRC9ReX2peUeRt<)emfLsIwOO-JJg4lpi zC>H^V0?H@|K`wGJfd~i!a*Yl}s05){12PGv5JKL({r@(*%Vx8i_azr5oyj|M@;rN< zbN=V-b2-mtpBTnNMjIn8&QRLX`0&?;(b+JJjvcM%M-1aT@g7l1`RJb+#v2m&tz@KP zWQyRMzhBiP?!VdHx`kV*wGLYQKx-dp?E_8N2fBB!%*n_od81daGtp2^TH0mRe<+GJ z2<4=wUycS78GOi=FHzv$n+Ljgzq{nQ=azrHXHR;`$&<+!PMqjgA0cyO^X5MD2M+us zk{!uxJ}TL0af{`Hd|9D)xEl%EE}xx|apBbN-D%-)I8KxhCB^PsvSjGY9zDuz9B)e5 zF3AWlHcCuv$KeY;dGUgt)o$NhJbk*WWg}536dyoN`N8$;`_4*DEe*m|*^kIrIF4Qf z+ys2VryyJ}AKCAVi<5=R`zQW%`SN2$t5**weCM6PdseM7iTr_e>-yg+FYkYzBI!B_&s@fgEZzY(f%&FF{gL$)BiYdAXRpF&-?X1;f!>_ z5ataRZW*?)2`1Q$_5ZWw%jwtUwc05;Ijq=l;hUl&#z}+xM;DB2VY#ufh0P}QKP9Ey zZ6^!=)6*O8zc9dZ{8xUaY&E6-`_`^~TJ2m+EG7;>^8I4&lTRM__RB9*8e0G8{#6)Y zIk>WcEo?SX{U`pntgQ2y{rgjCZ#QATvZA7s>@;Znq6>x_lRUPtY2h}g|NF#G`nVrC zaq!?rA4Q6vrN~(IYU}x7!gI>+H-0kykL2g~76$W-JMP!Q^^`rjb>6&8_1*tCec7|O zqipM2Z)HmFQIBqYxUu+xPeHgo{LuVCgYpYjtQc}=!-l@ZY~~$nPB81`?7@RQRG0lI zLuT881(_NT`+czPjZM7|GTSBV;0gmQy^o2D4Q$!C@?j{x2sfIwmD^S|F`4<)qO0#s zn)JHtu%?J-O)@hz^(VW$zIyk*lVoo=dcpw9YLB@0CQf`^Wmlc@n)OJv7bEbQSmr~- zxOZNBagOYmeQM#*q3g`J=au#JnL2hn@?d~v`5%i7UtC+S9{d?8DYt2>rO!XVWa;qX zOFgt~=iulFZDvJu+UMh|gevC0xcpJT`>6tPZYx!Z&=ZQzzCtX^nB_ z{E;Kc!l91oCth-oGsd;IyrIwLdPsPT0c`l;#Nr!1*6aV#qsh__^4||Pi06LSAfJMC z{rD06H~WwF7wSI|+r3Wvy8D~@#FpIL5msF$e3F|xa%p4xntWpKQ(ylv+a-!|Qmg%J zc~{E#lfTRCexN?SEO1QLGah~IL@OV?9C5bXj(1jiZN;cj^KAdgi+{~6W36YSkBia! 
zmT0i)909b zpX1(_P=<{BH~Uvh^WQl?A(nc_qIkp~*ZE08OY@)jf{%54x88*^WLj$dAKtX-iP=4S zo+q}m_V!RYWry?gpJ<`}Czh9%c46P`K96#rcTt8+OBuhO^B+4ddgHwJ*_Jc=zj^-S z9V-v$c~)B551Lo$53Co1;(ZW54qY&U#>)fXhZa8b%=;&I?(7xKdANNBk1RUq%E$ZN z*Vc_~jccze&7t43uecvVN4{4*fI4pK_ie>%Tz_e;zt;L|?E@{O54i6FH6;H~xTI}3 z+c4UM%VNSsK50=|OdI$?X@H)MYqU3vE;#mZ&3z{0mxeJ-k1?9?!)5nUEFh-aPT6MS zq*>K9&*89tS{75o4@!gdY}^{{hW_QAR!31ck#kQ=ce%X3)_JlC?`E`+vDe5pt)8Jf z5u!>T;;uw}>%ve3-FnZ}u*ceSeOA_l_1W3u&6K=F8^l}w!V3%7zj@yg9%abb@=j{; zg#7_Fyt?+Y){Z4w|E4Pf@Ewb@D^fSbYM<39w{PFi-QSGK!z;gfm2Z~5dfgP)BY|(LI$x|~AD;EiHi0%o$I`tHmULtJ zCL68&m1D-d$=R|=UAu;L#+@InePpwwW9x%;pZ4SO=gb+!xjNrwly1@Yvn*jGM)CfM z$f9HEZU#%baS`7?BjcRDIdZ)b4`{W){pv1rk->QKn+ zXH|Fan*AwMRh7hh^Q=2ZJ-G*9_Zd5dM;S86qJtmiv-&KUU}MA9@k<$ldcVTC{rc_6 z8$Uir7;zhOa>j^PAo@&uLGBCr#h?&n$RLXjx?q4MULn|iHsL8Q++ojdlI}Cf&uf1l zHY`sVv1?v_`87Sm`%&fp)}6X5qJMel3T3t&I_QD{mZfXrW2=@Q>gSxi{s_cq^2Reo&Sw%*VQrYsruXL;(~$)!oLj}vfH_=Cn^+FBmjvlQX|s^D{ikn$5n|{`9v~yLR<- zuP?~Mqs+A54DGL&wd2n1+w?!b^_9Iwi@kH}Rsyn3+Ws03#PF4)N9X#kFJ0?XWRP`Y zt9L9l?wR$q-@4r4$*$kr7(BKc=T9r{|9Sm+&jWaFTNYCiQ_-OedbnM?IOrE$+E283 zMo}9B>JScBK<1GM$0HpoYN%a1!?4Nb#pqDQ=f^n(#}XYy&N+qt*UbBCvhl>a$4%b$ zbC;2Kl{5C(=PejKcq8#vl&}5FSzCrYJhMzP$f9GHYyEkd_1c+z`%?K{di~0k-@Q9w z!VJ5dJUq&fK^7gmT=|QvzhwVo);o$t@~Tx{O&%U)$RLZ3M?Y=b{P}-cJ9X+` zP8SrUYOnH|T}~bzWynaMdkl`g?ik(VUfaf5vqoz#o5mVfYwJS0KFPzQ3>jq6vHhE; z^$~Zd)=ZxKs=jykd3)r@h1Pv3?!}pRoUApv`c}GZhUCG0<>Z?}Y6|c@S-_@*sOkXw$ zo}X+W&sCoh>Z^|ZKujNB-SOb@#|`5*BMqbLbi-(`LtH`);fIsjwk3w~^URvmaQ*%V Dggy&s literal 15406 zcmeHOYe-dD6yAGZ(p1@m(vt>#aV5=4m7pcp>JX6~q!Z|_4#zu9Z+5xv}d?z#6I@3|NEhJ6ob@4fa~ z>)UJZefHYxG8V<6*{W5HKP}7_!`L^BF^gsTJu#lKyS!}Y&YAiI#u~n6ERnb2B%ETp zoIkv#BaHpPvzuoGn29D>T7_3Id=*-+&!X+yaW^jycg~#?&zcJt@SwODH`CL-w)dv< z!;2Tu_T~*vEME@mvSldPx)qJJwKy3YtEms--~96BytcWUH{+*$`{tE-<4t8m-{e8> ztF5>4#ZFJ-*ZTUkCagX2E9CZbJ0}OfW@qE-!Gl5d;n}C3cRh1J&m0uAUKfP`3Td6O z@cb>$v_7e%ufAjKdya+O4<1HhZYQ2xCWW_=eQWN^1id|F3nk{Byybh~d#fp!HNAL& zzRphA+uHDVOAG#KZN*~Uhs3^l_APguyE-m%hH|^(RgM%pD 
zv&UzfVAr{x_IAOa_A#|S9$mhS=arSJZPe&})hYZRl$5CUow;rue!qTQwT&+xYUNt_ ztM#F$PV%3&KY!z|2V*r_iND037Qn@7f6D&z=+Y&_*H*Q8M|CMHSI+Lge^gg5$o}d} zhQ_)&@$KLy%XOc-S6L{`plV-`Re!R}`UvsU1u&oFn1*0X z3%6}URaO>mWoF`+)KuI^PDa_WV<<~X!j0p{QEs)OA|*xC-OR|qt<$Gb#m_Xi&z{Ad z++5tt&qqx`0cr{hVcW1F)i z#eM8=SFWJ_?c3QiFWvK+B|q^cJ0ff;O-)Uqc-Jn!@}#U-fohu#pFe(tn~x9aXO<3R z|70hW$R^Hj*`i67q?j1o=k`yw<7PZ#zc~{ zeW0fYEj%7PFCif;^`MyZD(*Y1OiL5~!fS^PfqZh;4j&fp^xp-FN2hqZV8&I_n7gM) z{3ZS&w1G&zgB0-uA;ik)^;E<{&|Q24>flu3I4Bk(!gO$w%pCJLib0tZ#}V%F1hero OitHr6OcH@$5%?d)HmY0z diff --git a/static/fudo.org/favicon.ico b/static/fudo.org/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..758d2cf324e304360f5bea97361dacf13791afd0 GIT binary patch literal 1150 zcmd6ky-LJD6oro(wQz9*3%08y3wFMMZ((OAHX>M92wMuGZ{R!F*jZQ#3N{M1E&&z6 z!oN~b(D+@Ffgxr#cAD_z&OPUz$&g4R+;J?Pvs#O!8A zv=0d7UrW#YVSM3t{BzkFZ3W&NvY+_d)vW9BrXhhez>oL3>|fP9myDB17%Moxmo8R| R_34gez4L7Dwq0Z__YM5|MYsR} literal 0 HcmV?d00001 diff --git a/static/selby.ca/favicon.ico b/static/selby.ca/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..0e5b332c52f6a3d820e30c6f27ecec89a064acbe GIT binary patch literal 1150 zcmb`F!Ab&A6o!8(XqgKMArUu0Z($kH+P7$@Z;-mP_YhyeT1SGacW8w?hv+4I1-;U4yfFR8 NiS&IcEt`^Me*t#Nf)4-y literal 0 HcmV?d00001