diff --git a/config/fudo/backplane/dns.nix b/config/fudo/backplane/dns.nix index e36b775..9b20319 100644 --- a/config/fudo/backplane/dns.nix +++ b/config/fudo/backplane/dns.nix @@ -134,15 +134,14 @@ in { listen-v6-addresses = mkOption { type = with types; listOf str; description = "IPv6 addresses on which to listen for dns requests."; - example = [ - "[abcd::1]" - ]; - default = []; + example = [ "[abcd::1]" ]; + default = [ ]; }; required-services = mkOption { type = with types; listOf str; - description = "A list of services required before the DNS server can start."; + description = + "A list of services required before the DNS server can start."; }; user = mkOption { @@ -177,18 +176,12 @@ in { createHome = true; home = "/var/home/${cfg.user}"; }; - backplane-powerdns = { - isSystemUser = true; - }; + backplane-powerdns = { isSystemUser = true; }; }; groups = { - "${cfg.group}" = { - members = [cfg.user]; - }; - backplane-powerdns = { - members = [ "backplane-powerdns" ]; - }; + "${cfg.group}" = { members = [ cfg.user ]; }; + backplane-powerdns = { members = [ "backplane-powerdns" ]; }; }; }; @@ -221,31 +214,30 @@ in { "backplane-dns-config-generator.service" "backplane-dns.target" ]; - after = [ - "network.target" - "postgresql.service" - ]; + after = [ "network.target" "postgresql.service" ]; wantedBy = [ "multi-user.target" ]; path = with pkgs; [ postgresql ]; serviceConfig = { - Restart="on-failure"; - RestartSec="10"; - StartLimitInterval="0"; - PrivateDevices=true; + Restart = "on-failure"; + RestartSec = "10"; + StartLimitInterval = "0"; + PrivateDevices = true; # CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT"; # NoNewPrivileges=true; ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${powerdns-home}"; - ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=backplane-powerdns --setgid=backplane-powerdns --chroot=${powerdns-home} --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}"; - ProtectSystem="full"; + ExecStart = + "${pkgs.powerdns}/bin/pdns_server --setuid=backplane-powerdns --setgid=backplane-powerdns --chroot=${powerdns-home} --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}"; + ProtectSystem = "full"; # ProtectHome=true; - RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6"; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; }; }; backplane-dns-config-generator = { - description = "Generate postgres configuration for backplane DNS server."; + description = + "Generate postgres configuration for backplane DNS server."; requiredBy = [ "backplane-powerdns.service" ]; requires = cfg.required-services; serviceConfig.Type = "oneshot"; @@ -260,35 +252,35 @@ in { # This builds the config in a bash script, to avoid storing the password # in the nix store at any point script = '' - if [ ! -d ${powerdns-conf-dir} ]; then - mkdir ${powerdns-conf-dir} - fi + if [ ! -d ${powerdns-conf-dir} ]; then + mkdir ${powerdns-conf-dir} + fi - TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d -t pdns-XXXXXXXXXX) - TMPCONF=$TMPDIR/pdns.local.gpgsql.conf + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d -t pdns-XXXXXXXXXX) + TMPCONF=$TMPDIR/pdns.local.gpgsql.conf - if [ ! -f ${cfg.database.password-file} ]; then - echo "${cfg.database.password-file} does not exist!" - exit 1 - fi + if [ ! -f ${cfg.database.password-file} ]; then + echo "${cfg.database.password-file} does not exist!" + exit 1 + fi - touch $TMPCONF - chown backplane-powerdns:backplane-powerdns $TMPCONF - chmod go-rwx $TMPCONF - PASSWORD=$(cat ${cfg.database.password-file}) - echo "launch+=gpgsql" >> $TMPCONF - echo "gpgsql-host=${cfg.database.host}" >> $TMPCONF - echo "gpgsql-dbname=${cfg.database.database}" >> $TMPCONF - echo "gpgsql-user=${cfg.database.username}" >> $TMPCONF - echo "gpgsql-password=$PASSWORD" >> $TMPCONF - echo "gpgsql-dnssec=yes" >> $TMPCONF + touch $TMPCONF + chown backplane-powerdns:backplane-powerdns $TMPCONF + chmod go-rwx $TMPCONF + PASSWORD=$(cat ${cfg.database.password-file}) + echo "launch+=gpgsql" >> $TMPCONF + echo "gpgsql-host=${cfg.database.host}" >> $TMPCONF + echo "gpgsql-dbname=${cfg.database.database}" >> $TMPCONF + echo "gpgsql-user=${cfg.database.username}" >> $TMPCONF + echo "gpgsql-password=$PASSWORD" >> $TMPCONF + echo "gpgsql-dnssec=yes" >> $TMPCONF - mv $TMPCONF ${powerdns-conf-dir}/pdns.local.gpgsql.conf + mv $TMPCONF ${powerdns-conf-dir}/pdns.local.gpgsql.conf - rm -rf $TMPDIR + rm -rf $TMPDIR - exit 0 - ''; + exit 0 + ''; }; backplane-dns = { @@ -296,11 +288,13 @@ in { restartIfChanged = true; serviceConfig = { - ExecStart = "${pkgs.backplane-dns-server}/bin/launch-backplane-dns.sh"; + ExecStart = + "${pkgs.backplane-dns-server}/bin/launch-backplane-dns.sh"; Restart = "on-failure"; PIDFile = "/run/backplane-dns.$USERNAME.pid"; User = cfg.user; Group = cfg.group; + StandardOutput = "journal"; }; environment = { @@ -311,13 +305,15 @@ in { FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = cfg.backplane.password-file; FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.backplane.database.host; FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.backplane.database.database; - FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.backplane.database.username; - FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE = cfg.backplane.database.password-file; + FUDO_DNS_BACKPLANE_DATABASE_USERNAME = + cfg.backplane.database.username; + FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE = + cfg.backplane.database.password-file; # CL_SOURCE_REGISTRY = "${pkgs.localLispPackages.backplane-dns}//"; - CL_SOURCE_REGISTRY = lib.concatStringsSep ":" (map (pkg: "${pkg}//") - lisp-pkgs); + CL_SOURCE_REGISTRY = + lib.concatStringsSep ":" (map (pkg: "${pkg}//") lisp-pkgs); }; requires = cfg.required-services; diff --git a/fudo/user-aliases.nix b/fudo/user-aliases.nix index 05cfb9e..e38b19f 100644 --- a/fudo/user-aliases.nix +++ b/fudo/user-aliases.nix @@ -7,6 +7,7 @@ "peter@fudo.link" "pselby@fudo.org" "yiliu@fudo.org" + "forum@selby.ca" "peter@selby.ca" ]; @@ -26,11 +27,7 @@ "reaper@fudo.link" ]; - "swaff@fudo.org" = [ - "mark@fudo.org" - ]; + "swaff@fudo.org" = [ "mark@fudo.org" ]; - "ken@selby.ca" = [ - "kselby@selby.ca" - ]; + "ken@selby.ca" = [ "kselby@selby.ca" ]; } diff --git a/fudo/users.nix b/fudo/users.nix index 3f53c62..9ce4ea3 100644 --- a/fudo/users.nix +++ b/fudo/users.nix @@ -75,7 +75,7 @@ uid = 10035; group = "selby"; common-name = "Ken Selby"; - hashed-password = "{SSHA}wUGV/9dr8inz/HyqSF/OWKxy0DCy5AI3"; + hashed-password = "{SSHA}flr48Sao0/fUp8yl9zFpm8ERnI7qYTds"; # hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc"; }; @@ -272,7 +272,7 @@ uid = 10086; group = "selby"; common-name = "Helen Selby"; - hashed-password = "{MD5}cT8gLj4MDWqeP/GnzPfgHQ=="; + hashed-password = "{SSHA}uckUXX09MjYq9++sF3f9b2IY8a9UBIxm"; }; vee = { diff --git a/hosts/france.nix b/hosts/france.nix index 596e2cc..a22a472 100644 --- a/hosts/france.nix +++ b/hosts/france.nix @@ -8,7 +8,7 @@ let host_ipv4 = "208.81.3.117"; # Use a special IP for git.fudo.org, since it needs to be SSH-able link_ipv4 = "208.81.3.126"; - all-hostnames = []; + all-hostnames = [ ]; acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem"; acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem"; @@ -33,6 +33,7 @@ in { ../defaults.nix ./france/jabber.nix ./france/backplane.nix + ./france/selby-forum.nix ]; environment.systemPackages = with pkgs; [ @@ -55,22 +56,18 @@ in { www-root = /srv/www; - local-networks = [ - "208.81.1.128/28" - "208.81.3.112/28" - "172.17.0.0/16" - "127.0.0.0/8" - ]; + local-networks = + [ "208.81.1.128/28" "208.81.3.112/28" "172.17.0.0/16" "127.0.0.0/8" ]; }; fudo.prometheus = { enable = true; hostname = "metrics.fudo.org"; service-discovery-dns = { - node = [ "node._metrics._tcp.fudo.org" ]; + node = [ "node._metrics._tcp.fudo.org" ]; postfix = [ "postfix._metrics._tcp.fudo.org" ]; dovecot = [ "dovecot._metrics._tcp.fudo.org" ]; - rspamd = [ "rspamd._metrics._tcp.fudo.org" ]; + rspamd = [ "rspamd._metrics._tcp.fudo.org" ]; }; }; @@ -91,9 +88,7 @@ in { }; # So that grafana waits for postgresql - systemd.services.grafana.after = [ - "postgresql.service" - ]; + systemd.services.grafana.after = [ "postgresql.service" ]; fudo.postgresql = { enable = true; @@ -162,27 +157,16 @@ in { }; }; }; - niten = {}; + niten = { }; }; - local-users = [ - "niten" - "fudo_git" - ]; + local-users = [ "niten" "fudo_git" ]; databases = { - fudo_git = { - users = ["niten"]; - }; - grafana = { - users = ["niten"]; - }; - mattermost = { - users = ["niten"]; - }; - webmail = { - users = ["niten"]; - }; + fudo_git = { users = [ "niten" ]; }; + grafana = { users = [ "niten" ]; }; + mattermost = { users = [ "niten" ]; }; + webmail = { users = [ "niten" ]; }; }; }; @@ -207,7 +191,8 @@ in { ns3 = { ip-addresses = [ "104.131.53.95" ]; ipv6-addresses = [ "2604:a880:800:10::8:7001" ]; - description = "Nameserver 3, ns2.henchmman21.net, in New York City, NY, US"; + description = + "Nameserver 3, ns2.henchmman21.net, in New York City, NY, US"; rp = "reaper reaper.rp"; }; ns4 = { @@ -218,11 +203,9 @@ in { }; }; - listen-ips = [host_ipv4]; + listen-ips = [ host_ipv4 ]; - domains = { - "fudo.org" = import ../fudo/fudo.org.nix { inherit config; }; - }; + domains = { "fudo.org" = import ../fudo/fudo.org.nix { inherit config; }; }; }; # Not all users need access to france; don't allow LDAP-user access. @@ -251,11 +234,7 @@ in { # sslKey = (acme-private-key hostname); # sslCACert = acme-ca; - listen-uris = [ - "ldap:///" - "ldaps:///" - "ldapi:///" - ]; + listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ]; users = import ../fudo/users.nix; @@ -271,11 +250,7 @@ in { realm = "FUDO.ORG"; mkey-file = "/var/heimdal/m-key"; acl-file = "/etc/heimdal/kdc.acl"; - bind-addresses = [ - host_ipv4 - "127.0.0.1" - "127.0.1.1" - ]; + bind-addresses = [ host_ipv4 "127.0.0.1" "127.0.1.1" ]; }; }; @@ -293,7 +268,7 @@ in { fudo.mail-server = import ../fudo/email.nix { inherit config; } // { enableContainer = true; - debug = true; + debug = false; monitoring = true; hostname = mail-hostname; @@ -459,32 +434,26 @@ in { # result of: # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' macAddress = "02:d4:e8:3b:10:2f"; - ipv4.addresses = [ - { - address = host_ipv4; - prefixLength = 28; - } - ]; + ipv4.addresses = [{ + address = host_ipv4; + prefixLength = 28; + }]; }; extif1 = { macAddress = "02:6d:e2:e1:ad:ca"; - ipv4.addresses = [ - { - address = link_ipv4; - prefixLength = 28; - } - ]; + ipv4.addresses = [{ + address = link_ipv4; + prefixLength = 28; + }]; }; intif0 = { # result of: # echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' macAddress = "02:ba:ba:e9:08:21"; - ipv4.addresses = [ - { - address = "192.168.11.1"; - prefixLength = 24; - } - ]; + ipv4.addresses = [{ + address = "192.168.11.1"; + prefixLength = 24; + }]; }; }; }; @@ -496,35 +465,31 @@ in { enable = true; enableOnBoot = true; - autoPrune = { - enable = true; - }; + autoPrune = { enable = true; }; }; - lxd = { - enable = true; - }; + lxd = { enable = true; }; }; fileSystems = { "/srv/archiva" = { fsType = "btrfs"; - options = ["subvol=archiva"]; + options = [ "subvol=archiva" ]; label = "pool0"; }; "/srv/grafana" = { fsType = "btrfs"; - options = ["subvol=grafana"]; + options = [ "subvol=grafana" ]; label = "pool0"; }; "${system-mail-directory}" = { fsType = "btrfs"; - options = ["subvol=mail"]; + options = [ "subvol=mail" ]; label = "pool0"; }; "/srv/gitlab" = { fsType = "btrfs"; - options = ["subvol=gitlab"]; + options = [ "subvol=gitlab" ]; label = "pool0"; }; "/var/lib/lxd/storage-pools/pool0" = { @@ -576,12 +541,12 @@ in { locations."/" = { proxyPass = "http://127.0.0.1:8001"; extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-By $server_addr:$server_port; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; }; }; @@ -600,12 +565,10 @@ in { docker-containers = { archiva = { image = "xetusoss/archiva"; - ports = ["127.0.0.1:8001:8080"]; + ports = [ "127.0.0.1:8001:8080" ]; # Ugly: name-to-uid lookup fails. user = toString config.users.users.archiva.uid; - volumes = [ - "/srv/archiva:/archiva-data" - ]; + volumes = [ "/srv/archiva:/archiva-data" ]; environment = { # Not directly connected to the world anyway SSL_ENABLED = "false"; diff --git a/hosts/france/selby-forum.nix b/hosts/france/selby-forum.nix new file mode 100644 index 0000000..e3948b9 --- /dev/null +++ b/hosts/france/selby-forum.nix @@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: + +let + hostname = "forum.test.selby.ca"; + postgres-host = "france.fudo.org"; + config-path = "/srv/selby-forum/conf"; + redis-data-path = "/srv/selby-forum/redis-data"; + sidekiq-data-path = "/srv/selby-forum/sidekiq-data"; + discourse-data-path = "/srv/selby-forum/discourse-data"; + +in { + config = { + users.users = { + selby-discourse = { isSystemUser = true; }; + selby-discourse-redis = { isSystemUser = true; }; + selby-discourse-sidekiq = { isSystemUser = true; }; + }; + + docker-containers = { + selby-discourse = { + image = "bitnami/discourse"; + ports = [ ]; + user = toString config.users.users.selby-discourse.uid; + volumes = [ + "${config-path}:/opt/bitnami/discourse/mounted-conf" + "${discourse-data-path}:/bitnami" + ]; + extraDockerOptions = [ "--network=selby-discourse" ]; + environment = { + DISCOURSE_SITENAME = "Selby Forum"; + DISCOURSE_EMAIL = "forum@selby.ca"; + DISCOURSE_HOSTNAME = hostname; + }; + }; + + selby-discourse-redis = { + image = "bitnami/redis"; + user = toString config.users.users.selby-discourse-redis.uid; + volumes = [ "${redis-data-path}:/bitnami" ]; + extraDockerOptions = [ "--network=selby-discourse" ]; + environment = { ALLOW_EMPTY_PASSWORD = "yes"; }; + }; + + selby-discourse-sidekiq = { + image = "bitnami/discourse"; + user = toString config.users.users.selby-discourse-sidekiq.uid; + volumes = [ "${sidekiq-data-path}:/bitnami" ]; + entrypoint = "nami"; + cmd = [ "start" "discourse-sidekiq" ]; + extraDockerOptions = [ "--network=selby-discourse" ]; + }; + }; + + systemd = { + services = { + # selby-discourse-config = { + # description = "Generate configuration for Selby discourse server."; + # requiredBy = [ "docker-selby-discourse.service" ]; + # requires = [ "fudo-passwords.target" ]; + # serviceConfig.Type = "oneshot"; + # restartIfChanged = true; + + # script = ""; + # }; + }; + }; + }; +} diff --git a/packages/backplane-dns.nix b/packages/backplane-dns.nix deleted file mode 100644 index 10d08c2..0000000 --- a/packages/backplane-dns.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ stdenv, fetchgit, pkgs }: - -let - url = "https://git.fudo.org/fudo-public/backplane-dns.git"; - version = "0.1"; - -in stdenv.mkDerivation { - name = "backplane-dns-${version}"; - - src = fetchgit { - url = url; - rev = "c552394e55816541a9426974c5f8e6f1f83bf195"; - sha256 = "0r61bwj5a2dvzl41cwdf2pdnhdsmp3kzfyxa5x5hsg67al6s7vi8"; - fetchSubmodules = false; - }; - - phases = ["installPhase"]; - - installPhase = '' - mkdir -p "$out/lib/common-lisp/backplane-dns" - cp "$src/backplane-dns.asd" "$out/lib/common-lisp/backplane-dns" - cp -R $src/*.lisp "$out/lib/common-lisp/backplane-dns" - ''; -} diff --git a/packages/lisp/backplane-dns.nix b/packages/lisp/backplane-dns.nix index 2f3345e..b2e7d5f 100644 --- a/packages/lisp/backplane-dns.nix +++ b/packages/lisp/backplane-dns.nix @@ -14,13 +14,14 @@ pkgs.lispPackages.buildLispPackage { cl-ppcre ip-utils postmodern + prove trivia ]; src = pkgs.fetchgit { - url = "https://git.fudo.org/fudo-public/backplane-dns.git"; - rev = "d9e13bae165b08976fd025053bb2dde44bb4278d"; - sha256 = "0b4y75hq5753v8pk47c4pwpyc95igpjl7md7f29jjvqaviys66xh"; + url = "https://git.fudo.org/fudo-public/backplane-dns.git"; + rev = "3075453a8ccc8bf285bfc83d84317044590ae060"; + sha256 = "1sdgr9zxqam4c8f7nlkgm77si45j0qvvgj6rav9kd6jz6vqgcbi5"; fetchSubmodules = false; }; diff --git a/packages/lisp/backplane-server.nix b/packages/lisp/backplane-server.nix index f23f621..096ea7e 100644 --- a/packages/lisp/backplane-server.nix +++ b/packages/lisp/backplane-server.nix @@ -7,17 +7,12 @@ pkgs.lispPackages.buildLispPackage { buildSystems = [ "backplane-server" ]; - deps = with pkgs.lispPackages; [ - alexandria - arrows - cl-json - cl-xmpp - ]; + deps = with pkgs.lispPackages; [ alexandria arrows cl-json cl-xmpp prove ]; src = pkgs.fetchgit { - url = "https://git.fudo.org/fudo-public/backplane-server.git"; - rev = "665f362ce1a0a22bc10d3bbe95d5a8adec2df653"; - sha256 = "0lzq0vlqjymcwxbc80x6wp5mij80am12w9fi7abs5wnqcs68lwnf"; + url = "https://git.fudo.org/fudo-public/backplane-server.git"; + rev = "5b50dd8badf5b5460e9cc7e76e191d274712a3bd"; + sha256 = "18fysksmrbfk131fgazbw1cpaxz47015ashap9y4rswd904dzzss"; fetchSubmodules = false; }; diff --git a/packages/local.nix b/packages/local.nix index 4a34ecf..ab57fe2 100644 --- a/packages/local.nix +++ b/packages/local.nix @@ -148,8 +148,8 @@ in { doom-emacs-config = pkgs.fetchgit { url = "https://git.fudo.org/niten/doom-emacs.git"; - rev = "ed65ca4881d0cc3cfe308f5fc66ccbf15f560043"; - sha256 = "17z4scl4p84hin6yzx69a707s5ibjk3jrxszy07cg8zijrg1744a"; + rev = "467c45705c73ee39acbfabc04c5aaa4099408dc4"; + sha256 = "172ah7ymlwymb4rx719nhsfvsxwmq14nlisba84kw34cmhdcsjh7"; }; }; }