author | Ben Sima <ben@bsima.me> | 2019-05-13 17:37:27 -0700 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2019-05-13 17:37:27 -0700 |
commit | bd4e4dfefd73ed578be8bdac3b1fda6f21482979 (patch) | |
tree | 1a3e59d184aa5d2a1b0f8f905878cea8ede36fab | |
parent | 45f72cbf8ac58a8dd528c656482356c0933ed61f (diff) |
refactor nutin-madaj nix code
-rw-r--r-- | depo/nutin-madaj/configuration.nix | 222 | ||||
-rw-r--r-- | depo/nutin-madaj/default.nix | 75 | ||||
-rw-r--r-- | depo/nutin-madaj/git.nix | 65 | ||||
-rw-r--r-- | depo/nutin-madaj/mail.nix | 40 | ||||
-rw-r--r-- | depo/nutin-madaj/web.nix | 39 | ||||
-rw-r--r-- | depo/nutin-madaj/znc.nix | 41 |
6 files changed, 257 insertions, 225 deletions
diff --git a/depo/nutin-madaj/configuration.nix b/depo/nutin-madaj/configuration.nix
deleted file mode 100644
index 446a5f5..0000000
--- a/depo/nutin-madaj/configuration.nix
+++ /dev/null
@@ -1,222 +0,0 @@
-{ pkgs, ... }:
-
-let
- bensIp = "68.107.97.20"; # hiddor-kahih
- benKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiNB0iF9ClawNEizBtdYucqp1tAXXRbqvlPS6PFRrtiwSl+SJD29BCLgA5rLxcmFhBHZ/iId/En7GPFEzI/gMu071J7pUI4OcW0UVZju3GNc6ZEz/a6AD2u79JiXEDHfPEdmMqAe36kkaK0KJWSQP3xsFRwJ+8F8HHbSwoCLL+GJhBgAWHQLGfKesNrDacNljNDU3CgkEnDmu8QKuSzH2k1vrr69q2u2iMSAdiStDBAWEjN5nCVrm2XB2vmFLMtXpX2n8JI+znOGzRRDc8dNXejQeDMZGyV6jfVidEIX7vdgSydGjTRKcCLVAsKY3z0gYBZ8u8EUNujgcFBnnAvytj ben@neb";
- ibbPort = "3000";
- fathomPort = "3030";
- gitDir = "/srv/git";
-in
-{
- nixpkgs.config.allowUnfree = true;
- nixpkgs.overlays = [
- (import ../../pack/overlay.nix)
- ];
-
- networking.firewall.allowedTCPPorts = [ 22 80 443 ];
-
- services = {
-
- gitolite = {
- enable = true;
- enableGitAnnex = true;
- dataDir = "${gitDir}";
- user = "git";
- group = "git";
- extraGitoliteRc = ''
- $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
- $RC{GIT_CONFIG_KEYS} = 'gitweb\.(owner|description|category)';
- '';
- adminPubkey = "${benKey}";
- };
- lighttpd = {
- enable = true;
- port = 8000;
- document-root = "/srv/www";
- mod_userdir = true;
- mod_status = true;
- collectd = {
- enable = true;
- };
- cgit = {
- # disable cgit for now; the ssh interface still works anyway.
- enable = false;
- subdir = "git";
- configText = ''
- cache-size=0
- clone-url=git@simatime.com:$CGIT_REPO_URL
- enable-index-owner=1
- enable-http-clone=0
- enable-index-links=1
- enable-commit-graph=1
- enable-log-filecount=1
- enable-log-linecount=1
- enable-git-config=1
- remove-suffix=1
- branch-sort=age
- max-stats=week
- mimetype.gif=image/gif
- mimetype.html=text/html
- mimetype.jpg=image/jpeg
- mimetype.jpeg=image/jpeg
- mimetype.pdf=application/pdf
- mimetype.png=image/png
- mimetype.svg=image/svg+xml
- about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
- source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
- readme=:README.md
- root-title=simatime git repository
- root-desc=a computer is a bicycle for the mind.
- project-list=${gitDir}/projects.list
- scan-path=${gitDir}/repositories
- '';
- };
- };
-
- ibb = {
- enable = true;
- port = ibbPort;
- };
-
- fathom = {
- enable = true;
- port = fathomPort;
- dataDir = "/var/lib/fathom";
- };
-
- nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- virtualHosts = {
- # "bsima.me".locations."/".proxyPass = "http://localhost:8000/~ben";
- "simatime.com".locations."/".proxyPass = "http://localhost:8000";
- "web.simatime.com".locations."/".proxyPass = "http://${bensIp}:8000";
- "dev.simatime.com".locations."/".proxyPass = "http://${bensIp}:${ibbPort}";
- "hero.simatime.com".locations."/".proxyPass = "http://${bensIp}:3001";
- "tv.simatime.com".locations."/".proxyPass = "http://${bensIp}:8096"; # emby runs on port 8096
-
- "notebook.simatime.com".locations = {
- "/" = {
- proxyPass = "http://${bensIp}:3099";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_buffering off;
- proxy_read_timeout 86400;
-
- '';
- };
- "/(api/kernels/[^/]+/channels|terminals/websocket)/" = {
- proxyPass = "http://${bensIp}:3099";
- proxyWebsockets = true;
- };
- };
- "stats.simatime.com" = {
-
locations."/".proxyPass = "http://localhost:${fathomPort}";
- forceSSL = true;
- enableACME = true;
- };
- "influencedbybooks.com" = {
- forceSSL = true;
- enableACME = true;
- locations = {
- "/" = {
- proxyPass = "http://localhost:${ibbPort}";
- };
- };
- };
- };
- };
-
- znc = {
- enable = true;
- mutable = true;
- useLegacyConfig = false;
- openFirewall = true;
- config = {
- LoadModule = [ "adminlog" "fail2ban" ];
- User.bsima = {
- Admin = true;
- Nick = "bsima";
- AltNick = "bsima1";
- LoadModule = [ "chansaver" "controlpanel" ];
- Network.freenode = { Server = "chat.freenode.net +6697";
- LoadModule = [ "simple_away" "nickserv" ];
- Chan = {
- "#ai" = {};
- "#bsima" = {};
- "#emacs" = {};
- "#haskell" = {};
- "#haskell-miso" = {};
- "#home-manager" = {};
- "#nixos" = {};
- "#servant" = {};
- "#sr.ht" = {};
- "#xmonad" = {};
- };
- };
- Pass.password = {
- Method = "sha256";
- Hash = "4a6703074c713a26d56a906fc9ea82bb591177f10a25a650719266bf588d9525";
- Salt = "QByO-A:4Rbib;dl_3wEH";
- };
- };
- };
- };
- };
-
- mailserver = {
- enable = true;
- monitoring = {
- enable = true;
- alertAddress = "ben@bsima.me";
- };
- fqdn = "mail.simatime.com";
- domains = [ "simatime.com" ];
- certificateScheme = 3; # let's encrypt
- enableImap = true;
- enablePop3 = true;
- enableImapSsl = true;
- enablePop3Ssl = true;
- enableManageSieve = true;
- virusScanning = false; # ur on ur own
-
- loginAccounts = {
- "ben@simatime.com" = {
- hashedPassword = "$6$Xr180W0PqprtaFB0$9S/Ug1Yz11CaWO7UdVJxQLZWfRUE3/rarB0driXkXALugEeQDLIjG2STGQBLU23//JtK3Mz8Kwsvg1/Zo0vD2/";
- aliases = [
- # admin stuff
- "postmaster@simatime.com"
- "abuse@simatime.com"
- ];
- catchAll = [ "simatime.com" ];
- quota = "1G";
- };
- "nick@simatime.com" = {
- hashedPassword = "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1";
- aliases = [
- "nicolai@simatime.com"
- ];
- quota = "1G";
- };
- };
- };
-
- virtualisation = {
- libvirtd.enable = true;
-
docker.enable = true;
- virtualbox.guest.enable = true;
- virtualbox.host.enable = true;
- virtualbox.host.headless = false;
- virtualbox.host.addNetworkInterface = true;
-
- };
-
- boot.cleanTmpDir = true;
- networking.hostName = "simatime";
- networking.firewall.allowPing = true;
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [ benKey ];
-}
diff --git a/depo/nutin-madaj/default.nix b/depo/nutin-madaj/default.nix
index fa95947..ffb2909 100644
--- a/depo/nutin-madaj/default.nix
+++ b/depo/nutin-madaj/default.nix
@@ -1,9 +1,24 @@
+/*
+
+nutin-madaj - cloud infrastructure server.
+
+This serves the git repo, mailserver, znc bouncer, user sites, and so on.
+
+Currently also used as a catch-all production/staging server, until I get real
+stuff deployed.
+
+*/
+
 let nixpkgs = builtins.fetchTarball (import ../../pack/nixpkgs.nix);
 nixos-mailserver = builtins.fetchTarball {
 url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz";
 sha256 = "03d49v8qnid9g9rha0wg2z6vic06mhp0b049s3whccn1axvs2zzx";
 };
+ benKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiNB0iF9ClawNEizBtdYucqp1tAXXRbqvlPS6PFRrtiwSl+SJD29BCLgA5rLxcmFhBHZ/iId/En7GPFEzI/gMu071J7pUI4OcW0UVZju3GNc6ZEz/a6AD2u79JiXEDHfPEdmMqAe36kkaK0KJWSQP3xsFRwJ+8F8HHbSwoCLL+GJhBgAWHQLGfKesNrDacNljNDU3CgkEnDmu8QKuSzH2k1vrr69q2u2iMSAdiStDBAWEjN5nCVrm2XB2vmFLMtXpX2n8JI+znOGzRRDc8dNXejQeDMZGyV6jfVidEIX7vdgSydGjTRKcCLVAsKY3z0gYBZ8u8EUNujgcFBnnAvytj ben@neb";
+ ibbPort = "3000";
+ fathomPort = "3030";
+
 in import "${nixpkgs}/nixos" {
 system = "x86_64-linux";
@@ -12,15 +27,69 @@ import "${nixpkgs}/nixos" {
 ./hardware-configuration.nix ./networking.nix
- # end config
- ./configuration.nix
+ # configured modules
+ ./git.nix
+ ./mail.nix
+ ./web.nix
+ ./znc.nix
- # our modules
+ # our custom modules
 ../../mode/ibb.nix ../../mode/fathom.nix
 # third party
 nixos-mailserver ];
+
+ nixpkgs.config.allowUnfree = true;
+ nixpkgs.overlays = [
+ (import ../../pack/overlay.nix)
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+ virtualisation = {
+ libvirtd.enable = true;
+ docker.enable = true;
+ virtualbox.guest.enable = true;
+ virtualbox.host.enable = true;
+ virtualbox.host.headless = false;
+ virtualbox.host.addNetworkInterface = true;
+ };
+
+ # our custom apps
+ services = {
+ ibb = {
+ enable = true;
+ port = ibbPort;
+ };
+ # TODO: move this nginx config into mode/ibb.nix
+ nginx.virtualHosts."influencedbybooks.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${ibbPort}";
+ };
+ };
+ };
+
+ fathom = {
+ enable = true;
+ port = fathomPort;
+ dataDir = "/var/lib/fathom";
+ };
+ nginx.virtualHosts."stats.simatime.com" = {
+ locations."/".proxyPass = "http://localhost:${fathomPort}";
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+
+ boot.cleanTmpDir = true;
+ networking.hostName = "simatime";
+ networking.firewall.allowPing = true;
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [ benKey ];
 };
 }
diff --git a/depo/nutin-madaj/git.nix b/depo/nutin-madaj/git.nix
new file mode 100644
index 0000000..ef86d52
--- /dev/null
+++ b/depo/nutin-madaj/git.nix
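Review bot: `benKey` is bound here and again, byte for byte, in git.nix's own `let`, so the same public key now lives in two files and a rotation that updates one of them leaves either root's authorized key or gitolite's admin key on the old key. Define it once — a small `keys.nix` next to these files imported by both, or have git.nix read `config.users.users.root.openssh.authorizedKeys.keys` — and put a comment on this binding naming where else it is consumed. The `let` opened in this hunk is closed by the `in import` context line, but the body of that `import` call continues in the next hunk.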
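Review bot: `services.openssh.enable = true;` plus a root authorized key at the bottom of the hunk is the whole SSH policy, so whether root can actually log in with `benKey` and whether password logins are accepted on port 22 (opened in `allowedTCPPorts` above) both fall back to the pinned nixpkgs' defaults — and if I recall that `permitRootLogin` defaults to `"no"`, the authorized key is inert. Make it explicit either way: `services.openssh.permitRootLogin = "prohibit-password";` and `services.openssh.passwordAuthentication = false;`. A one-line comment on the `virtualisation` block would also help: with `docker.enable` and `libvirtd.enable`, membership of the `docker` or `libvirtd` group on this host is root-equivalent, which matters for a box the header calls a catch-all production/staging server. The `import "${nixpkgs}/nixos" {` call this hunk extends opens in the previous hunk; its closing braces are the context lines at the end.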
@@ -0,0 +1,65 @@
+{ pkgs, ... }:
+
+let
+ benKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiNB0iF9ClawNEizBtdYucqp1tAXXRbqvlPS6PFRrtiwSl+SJD29BCLgA5rLxcmFhBHZ/iId/En7GPFEzI/gMu071J7pUI4OcW0UVZju3GNc6ZEz/a6AD2u79JiXEDHfPEdmMqAe36kkaK0KJWSQP3xsFRwJ+8F8HHbSwoCLL+GJhBgAWHQLGfKesNrDacNljNDU3CgkEnDmu8QKuSzH2k1vrr69q2u2iMSAdiStDBAWEjN5nCVrm2XB2vmFLMtXpX2n8JI+znOGzRRDc8dNXejQeDMZGyV6jfVidEIX7vdgSydGjTRKcCLVAsKY3z0gYBZ8u8EUNujgcFBnnAvytj ben@neb";
+ gitDir = "/srv/git";
+in
+{
+ services = {
+ gitolite = {
+ enable = true;
+ enableGitAnnex = true;
+ dataDir = "${gitDir}";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
+ $RC{GIT_CONFIG_KEYS} = 'gitweb\.(owner|description|category)';
+ '';
+ adminPubkey = "${benKey}";
+ };
+ lighttpd = {
+ enable = true;
+ port = 8000;
+ document-root = "/srv/www";
+ mod_userdir = true;
+ mod_status = true;
+ collectd = {
+ enable = true;
+ };
+ cgit = {
+ # disable cgit for now; the ssh interface still works anyway.
+ enable = false;
+ subdir = "git";
+ configText = ''
+ cache-size=0
+ clone-url=git@simatime.com:$CGIT_REPO_URL
+ enable-index-owner=1
+ enable-http-clone=0
+ enable-index-links=1
+ enable-commit-graph=1
+ enable-log-filecount=1
+ enable-log-linecount=1
+ enable-git-config=1
+ remove-suffix=1
+ branch-sort=age
+ max-stats=week
+ mimetype.gif=image/gif
+ mimetype.html=text/html
+ mimetype.jpg=image/jpeg
+ mimetype.jpeg=image/jpeg
+ mimetype.pdf=application/pdf
+ mimetype.png=image/png
+ mimetype.svg=image/svg+xml
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ readme=:README.md
+ root-title=simatime git repository
+ root-desc=a computer is a bicycle for the mind.
+ project-list=${gitDir}/projects.list
+ scan-path=${gitDir}/repositories
+ '';
+ };
+ };
+ };
+}
diff --git a/depo/nutin-madaj/mail.nix b/depo/nutin-madaj/mail.nix
new file mode 100644
index 0000000..96ad506
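Review bot: `mod_status = true` turns on lighttpd's status endpoints with no access restriction anywhere in this file, and web.nix proxies `simatime.com` straight to `localhost:8000`, so those URLs (`/server-status`, `/server-config` and `/server-statistics`, if I recall how the NixOS module wires `mod_status`) are reachable from the internet through nginx — `/server-config` in particular dumps the live lighttpd configuration. Either drop `mod_status` or deny those paths to non-local clients in `extraConfig`, e.g. `$HTTP["remoteip"] != "127.0.0.1" { $HTTP["url"] =~ "^/server-" { url.access-deny = ( "" ) } }` (needs mod_access). `mod_userdir = true` likewise publishes `~user/public_html` for every local account, which is fine if intended but deserves a comment saying so, and `benKey` here is a verbatim copy of the binding in default.nix, so keep it in one place.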
--- /dev/null
+++ b/depo/nutin-madaj/mail.nix
@@ -0,0 +1,40 @@
+{ ... }:
+
+{
+ mailserver = {
+ enable = true;
+ monitoring = {
+ enable = true;
+ alertAddress = "ben@bsima.me";
+ };
+ fqdn = "mail.simatime.com";
+ domains = [ "simatime.com" ];
+ certificateScheme = 3; # let's encrypt
+ enableImap = true;
+ enablePop3 = true;
+ enableImapSsl = true;
+ enablePop3Ssl = true;
+ enableManageSieve = true;
+ virusScanning = false; # ur on ur own
+
+ loginAccounts = {
+ "ben@simatime.com" = {
+ hashedPassword = "$6$Xr180W0PqprtaFB0$9S/Ug1Yz11CaWO7UdVJxQLZWfRUE3/rarB0driXkXALugEeQDLIjG2STGQBLU23//JtK3Mz8Kwsvg1/Zo0vD2/";
+ aliases = [
+ # admin stuff
+ "postmaster@simatime.com"
+ "abuse@simatime.com"
+ ];
+ catchAll = [ "simatime.com" ];
+ quota = "1G";
+ };
+ "nick@simatime.com" = {
+ hashedPassword = "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1";
+ aliases = [
+ "nicolai@simatime.com"
+ ];
+ quota = "1G";
+ };
+ };
+ };
+}
diff --git a/depo/nutin-madaj/web.nix b/depo/nutin-madaj/web.nix
new file mode 100644
index 0000000..d14a2c7
--- /dev/null
+++ b/depo/nutin-madaj/web.nix
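Review bot: Both `hashedPassword` values are committed to the repository, so anyone with read access to the tree or its history can run an offline dictionary attack on them; sha512-crypt (`$6$`) slows that down but does not make a leaked hash safe, and the `ben@` account also owns the `postmaster`/`abuse` aliases and the `catchAll` for the whole domain. If this nixos-mailserver release supports it, switch to `hashedPasswordFile = "/var/keys/mail-ben";` with the hash deployed outside the repo; otherwise rotate both passwords before this is pushed anywhere shared. `virusScanning = false; # ur on ur own` would serve the next reader better as a reason than a shrug, e.g. a comment naming why clamav is not worth running on this host.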
@@ -0,0 +1,39 @@
+{ ... }:
+
+let
+ bensIp = "68.107.97.20"; # hiddor-kahih
+in
+{
+ services = {
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ # "bsima.me".locations."/".proxyPass = "http://localhost:8000/~ben";
+ "simatime.com".locations."/".proxyPass = "http://localhost:8000";
+ "web.simatime.com".locations."/".proxyPass = "http://${bensIp}:8000";
+ "hero.simatime.com".locations."/".proxyPass = "http://${bensIp}:3001";
+ "tv.simatime.com".locations."/".proxyPass = "http://${bensIp}:8096"; # emby runs on port 8096
+
+ "notebook.simatime.com".locations = {
+ "/" = {
+ proxyPass = "http://${bensIp}:3099";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_read_timeout 86400;
+
+ '';
+ };
+ "/(api/kernels/[^/]+/channels|terminals/websocket)/" = {
+ proxyPass = "http://${bensIp}:3099";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/depo/nutin-madaj/znc.nix b/depo/nutin-madaj/znc.nix
new file mode 100644
index 0000000..a7623c1
--- /dev/null
+++ b/depo/nutin-madaj/znc.nix
@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+ services = {
+ znc = {
+ enable = true;
+ mutable = true;
+ useLegacyConfig = false;
+ openFirewall = true;
+ config = {
+ LoadModule = [ "adminlog" "fail2ban" ];
+ User.bsima = {
+ Admin = true;
+ Nick = "bsima";
+ AltNick = "bsima1";
+ LoadModule = [ "chansaver" "controlpanel" ];
+ Network.freenode = { Server = "chat.freenode.net +6697";
+ LoadModule = [ "simple_away" "nickserv" ];
+ Chan = {
+ "#ai" = {};
+ "#bsima" = {};
+ "#emacs" = {};
+ "#haskell" = {};
+ "#haskell-miso" = {};
+ "#home-manager" = {};
+ "#nixos" = {};
+ "#servant" = {};
+ "#sr.ht" = {};
+ "#xmonad" = {};
+ };
+ };
+ Pass.password = {
+ Method = "sha256";
+ Hash = "4a6703074c713a26d56a906fc9ea82bb591177f10a25a650719266bf588d9525";
+ Salt = "QByO-A:4Rbib;dl_3wEH";
+ };
+ };
+ };
+ };
+ };
+} |
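Review bot: None of the vhosts in this hunk set `forceSSL`/`enableACME`, unlike `stats.simatime.com` and `influencedbybooks.com` in default.nix, so simatime.com, web/hero/tv and notebook.simatime.com are served over plain HTTP, and the upstream hop to `${bensIp}` — a non-local address — is plain HTTP across the public internet as well, which for notebook.simatime.com means whatever session cookie or token the websocket backend on port 3099 uses crosses the wire in the clear twice. Add `forceSSL = true; enableACME = true;` to each of these vhosts; the hop to `bensIp` still needs a tunnel or TLS on the backend to be covered. Separately, the NixOS nginx module emits location keys verbatim, so `"/(api/kernels/[^/]+/channels|terminals/websocket)/"` becomes a prefix `location` on that literal string and never matches a real path; a regex location needs the modifier, `"~ ^/(api/kernels/[^/]+/channels|terminals/websocket)/"`, though since `/` already has `proxyWebsockets = true` the dead entry is only misleading, not broken.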
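Review bot: `openFirewall = true` exposes ZNC's listener to the internet, but the `config` block defines no `Listener`, so whether that port is TLS-only comes entirely from the NixOS module's default listener (SSL on port 5000, if I recall — verify against the pinned nixpkgs); state it in the file with `Listener.l = { Port = 5000; IPv4 = true; IPv6 = true; SSL = true; };` so the exposure is visible where the firewall hole is opened. The `Pass.password` hash and salt are committed alongside `Admin = true` and the `controlpanel` module, and ZNC's `sha256` method is a single unstrengthened hash of password and salt, so anyone who can read this repo can crack it offline — the `fail2ban` module only slows online guessing. Since `mutable = true`, this may be a bootstrap password that gets changed in the web admin after first start; if so, say that in a comment next to `Pass.password`, otherwise keep the hash out of the repo and regenerate it with `znc --makepass`.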