author | Ben Sima <ben@bsima.me> | 2024-11-15 14:55:37 -0500 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2024-12-21 10:06:49 -0500 |
commit | 6513755670892983db88a6633b8c1ea6019c03d1 (patch) | |
tree | 44e9eccdb7a3a74ab7e96a8fee7572dd6a78dc73 /Biz/Cloud | |
parent | ae7b7e0186b5f2e0dcd4d5fac0a71fa264caedc2 (diff) |
Re-namespace some stuff to Omni
I was getting confused about what is a product and what is internal
infrastructure; I think it is good to keep those things separate. So I moved a
bunch of stuff to an Omni namespace, actually most stuff went there. Only things
that are explicitly external products are still in the Biz namespace.
Diffstat (limited to 'Biz/Cloud')
-rw-r--r-- | Biz/Cloud/Chat.nix | 94 | ||||
-rw-r--r-- | Biz/Cloud/Comms.nix | 5 | ||||
-rw-r--r-- | Biz/Cloud/Comms/Coturn.nix | 10 | ||||
-rw-r--r-- | Biz/Cloud/Comms/Jitsi.nix | 17 | ||||
-rw-r--r-- | Biz/Cloud/Comms/Mumble.nix | 25 | ||||
-rw-r--r-- | Biz/Cloud/Comms/Xmpp.nix | 210 | ||||
-rw-r--r-- | Biz/Cloud/Git.nix | 119 | ||||
-rw-r--r-- | Biz/Cloud/Gmnisrv.nix | 40 | ||||
-rw-r--r-- | Biz/Cloud/Grocy.nix | 17 | ||||
-rw-r--r-- | Biz/Cloud/Hardware.nix | 9 | ||||
-rw-r--r-- | Biz/Cloud/Hub.nix | 57 | ||||
-rw-r--r-- | Biz/Cloud/Mail.nix | 54 | ||||
-rw-r--r-- | Biz/Cloud/Networking.nix | 48 | ||||
-rw-r--r-- | Biz/Cloud/NostrRelay.nix | 39 | ||||
-rw-r--r-- | Biz/Cloud/Ports.nix | 46 | ||||
-rw-r--r-- | Biz/Cloud/Web.nix | 303 | ||||
-rw-r--r-- | Biz/Cloud/Znc.nix | 76 | ||||
-rwxr-xr-x | Biz/Cloud/post-receive.sh | 39 |
18 files changed, 0 insertions, 1208 deletions
diff --git a/Biz/Cloud/Chat.nix b/Biz/Cloud/Chat.nix
deleted file mode 100644
index 7f86621..0000000
--- a/Biz/Cloud/Chat.nix
+++ /dev/null
@@ -1,94 +0,0 @@ -{ config, pkgs, ... }: -# -# a homeserver for matrix.org. -# -# this uses the config.networking.domain as the ACME host. be sure to add the -# fqdn and element subdomains to security.acme.certs.<name>.extraDomainNames -# -# - nixos manual: https://nixos.org/nixos/manual/index.html#module-services-matrix -# -# to create new users: -# -# nix run nixpkgs.matrix-synapse -# register_new_matrix_user -k <registration_shared_secret> http://localhost:<matrix_port> -# -let - fqdn = "matrix.${config.networking.domain}"; - element = "chat.${config.networking.domain}"; - matrix_port = 8448; -in { - # matrix-synapse server. for what the settings mean, see: - # https://nixos.org/nixos/manual/index.html#module-services-matrix - # - services.matrix-synapse = { - enable = false; - settings.server_name = config.networking.domain; - #registration_shared_secret = "AkGRWSQLga3RoKRFnHhKoeCEIeZzu31y4TRzMRkMyRbBnETkVTSxilf24qySLzQn"; - settings.listeners = [{ - port = matrix_port; - bind_address = "::1"; - type = "http"; - tls = false; - x_forwarded = true; - resources = [{ - names = [ "client" "federation" ]; - compress = false; - }]; - }]; - }; - # matrix needs a database - # - services.postgresql.enable = true; - # web proxy for the matrix server - # - services.nginx = { - enable = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - virtualHosts = { - # route to matrix-synapse - "${config.networking.domain}" = { - locations."= /.well-known/matrix/server".extraConfig = - let server = { "m.server" = "${fqdn}:443"; }; - in '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON server}'; - ''; - locations."= /.well-known/matrix/client".extraConfig = let - client = { - "m.homeserver" = { "base_url" = "https://${fqdn}"; }; - "m.identity_server" = { "base_url" = "https://vector.im"; }; - }; - in '' - add_header Content-Type application/json; - add_header 
Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client}'; - ''; - }; - # reverse proxy for matrix client-server and server-server communication - "${fqdn}" = { - forceSSL = true; - useACMEHost = config.networking.domain; - locations."/".extraConfig = '' - return 404; - ''; - locations."/_matrix" = { - proxyPass = "http://[::1]:${toString matrix_port}"; - }; - }; - }; - }; - # matrix client, available at chat.simatime.com - # - # note that element and matrix-synapse must be on separate fqdn's to - # protect from XSS attacks: - # https://github.com/vector-im/element-web#important-security-note - # - services.nginx.virtualHosts."${element}" = { - useACMEHost = config.networking.domain; - forceSSL = true; - root = pkgs.element-web; - }; -} diff --git a/Biz/Cloud/Comms.nix b/Biz/Cloud/Comms.nix deleted file mode 100644 index bf7a763..0000000 --- a/Biz/Cloud/Comms.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ ... }: - -{ - imports = [ ./Comms/Xmpp.nix ./Comms/Mumble.nix ]; -} diff --git a/Biz/Cloud/Comms/Coturn.nix b/Biz/Cloud/Comms/Coturn.nix deleted file mode 100644 index 93093f0..0000000 --- a/Biz/Cloud/Comms/Coturn.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, ... }: - -{ - services.coturn = { - enable = true; - cert = "/var/lib/acme/${config.networking.domain}/fullchain.pem"; - pkey = "/var/lib/acme/${config.networking.domain}/key.pem"; - cli-ip = "127.0.0.1"; - }; -} diff --git a/Biz/Cloud/Comms/Jitsi.nix b/Biz/Cloud/Comms/Jitsi.nix deleted file mode 100644 index 17aeced..0000000 --- a/Biz/Cloud/Comms/Jitsi.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, ... }: - -{ - services.jitsi-meet = { - enable = true; - config = { - enableWelcomePage = false; - defaulLang = "en"; - }; - - prosody.enable = true; - nginx.enable = true; - jibri.enable = false; - jicofo.enable = false; - videobridge.enable = false; - }; -} diff --git a/Biz/Cloud/Comms/Mumble.nix b/Biz/Cloud/Comms/Mumble.nix deleted file mode 100644 index 66d21a5..0000000 
--- a/Biz/Cloud/Comms/Mumble.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, ... }: - -# mumble and related services -let ports = import ../Ports.nix; -in { - services.murmur = { - enable = true; - openFirewall = true; - environmentFile = "/var/lib/murmur/murmurd.env"; - registerHostname = config.networking.domain; - registerName = config.networking.domain; - }; - - services.botamusique = { - enable = true; - settings = { - webinterface = { - enabled = true; - listening_addr = "127.0.0.1"; - listening_port = ports.botamusique; - }; - radio = { lofi = "https://live.hunter.fm/lofi_high"; }; - }; - }; -} diff --git a/Biz/Cloud/Comms/Xmpp.nix b/Biz/Cloud/Comms/Xmpp.nix deleted file mode 100644 index ad8649b..0000000 --- a/Biz/Cloud/Comms/Xmpp.nix +++ /dev/null 
@@ -1,210 +0,0 @@ -{ config, pkgs, ... }: -# -# xmpp chat service -# -let - rootDomain = config.networking.domain; # simatime.com - ssl = { - cert = "/var/lib/acme/${rootDomain}/fullchain.pem"; - key = "/var/lib/acme/${rootDomain}/key.pem"; - }; -in { - networking.firewall.allowedTCPPorts = [ - # https://prosody.im/doc/ports - 5000 # file transfer - 5222 # client connections - 5269 # server-to-server - 5280 # http - 5281 # https - 5347 # external components - 5582 # telnet console - ]; - - services.prosody = { - enable = true; - package = - pkgs.prosody.override { withCommunityModules = [ "conversejs" ]; }; - - # when i learn how to use security.acme better, and use separate certs, then i - # can fix this group - group = "nginx"; - admins = [ "bsima@${rootDomain}" ]; - allowRegistration = true; - inherit ssl; - uploadHttp = { - domain = "upload.${rootDomain}"; - uploadExpireAfter = toString (60 * 60 * 24 * 30); # 30 days, as seconds - }; - - modules = { - announce = true; - blocklist = true; - bookmarks = true; - bosh = true; - carbons = true; - cloud_notify = true; - csi = true; - dialback = true; - disco = true; - groups = true; - http_files = false; # hm, look into this - motd = true; - pep = true; - ping = true; - private = true; - proxy65 = true; - register = true; - roster = true; - server_contact_info = true; - smacks = true; - vcard = true; - watchregistrations = true; - websocket = true; - welcome = true; - }; - - extraConfig = '' - conversejs_options = { - allow_registration = true; - bosh_service_url = "https://${rootDomain}/http-bind"; - debug = true; - loglevel = "debug"; - -- default_domain = "${rootDomain}"; - -- domain_placeholder = "${rootDomain}"; - -- jid = "${rootDomain}"; - -- keepalive = true; - -- registration_domain = "${rootDomain}"; - websocket_url = "wss://${rootDomain}/xmpp-websocket"; - } - - cross_domain_websocket = { "https://${rootDomain}", "https://anon.${rootDomain}" } - cross_domain_bosh = false; -- handle this with nginx - 
consider_bosh_secure = true; - - -- this is a virtualhost that allows anonymous authentication. use this - -- for a public lobby. the nix module doesn't support 'authentication' - -- so i have to do this here. - VirtualHost "anon.${rootDomain}" - authentication = "anonymous" - ssl = { - cafile = "/etc/ssl/certs/ca-bundle.crt"; - key = "${ssl.key}"; - certificate = "${ssl.cert}"; - }; - ''; - - muc = [ - { - domain = "conference.${rootDomain}"; - maxHistoryMessages = 10000; - name = "Chat Rooms"; - restrictRoomCreation = "admin"; - roomDefaultHistoryLength = 20; - roomDefaultMembersOnly = true; - roomDefaultModerated = true; - roomDefaultPublic = false; - } - { - domain = "chat.${rootDomain}"; - maxHistoryMessages = 10000; - name = "Chat Rooms"; - restrictRoomCreation = false; - roomDefaultHistoryLength = 200; - roomDefaultMembersOnly = false; - roomDefaultModerated = false; - roomDefaultPublic = true; - roomDefaultPublicJids = true; - } - ]; - - virtualHosts = { - "${rootDomain}" = { - domain = "${rootDomain}"; - enabled = true; - inherit ssl; - }; - }; - }; - - services.prosody-filer = { enable = true; }; - - services.nginx.virtualHosts."${rootDomain}".locations = { - "/http-bind" = { - proxyPass = "https://${rootDomain}:5281/http-bind"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - "/xmpp-websocket" = { - proxyPass = "https://${rootDomain}:5281/xmpp-websocket"; - extraConfig = '' - proxy_http_version 1.1; - proxy_buffering off; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - "/chat" = { - proxyPass = "https://${rootDomain}:5281/conversejs"; - extraConfig = '' - add_header Access-Control-Allow-Origin "*"; - ''; - }; - 
}; - - services.nginx.virtualHosts."anon.${rootDomain}" = { - useACMEHost = "${rootDomain}"; - forceSSL = true; - locations = { - "/http-bind" = { - proxyPass = "https://anon.${rootDomain}:5281/http-bind"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - if ($request_method ~* "(GET|POST)") { - add_header Access-Control-Allow-Origin "*"; - } - if ($request_method = OPTIONS) { - add_header Access-Control-Allow-Origin "*"; - add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD"; - add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept"; - return 200; - } - ''; - }; - }; - }; - - users.users.nginx.extraGroups = [ "prosody" ]; - - security.acme.certs.${rootDomain}.extraDomainNames = [ - # these stopped working idk why - #"upload.${rootDomain}" - #"conference.${rootDomain}" - "anon.${rootDomain}" - "chat.${rootDomain}" - ]; - - #security.acme.certs.prosody = { - # domain = "${domain}"; - # group = "prosody"; - # dnsProvider = "rfc2136"; - # #credentialsFile = config.secrets.files.dns_creds.path; - # postRun = "systemctl restart prosody"; - # extraDomainNames = [ - # domain - # "upload.${domain}" - # ]; - #}; -} diff --git a/Biz/Cloud/Git.nix b/Biz/Cloud/Git.nix deleted file mode 100644 index bc97d23..0000000 --- a/Biz/Cloud/Git.nix +++ /dev/null 
@@ -1,119 +0,0 @@ -{ lib, config, pkgs, ... }: - -let - inherit (config.networking) domain; - root = "/var/git"; - ports = import ./Ports.nix; -in { - services = { - cgit.cloud = { - enable = true; - nginx.location = "/git"; - nginx.virtualHost = "/git"; - scanPath = "/var/git/repositories"; - settings = { - strict-export = "git-daemon-export-ok"; - css = "/git/cgit.css"; - logo = "/git/cgit.png"; - root-title = "ben's git repos"; - root-desc = "building"; - enable-git-config = 1; - clone-url = lib.strings.concatStringsSep " " [ - "https://$HTTP_HOST/git/$CGIT_REPO_URL" - "git://$HTTP_HOST/$CGIT_REPO_URL" - "git@$HTTP_HOST:$CGIT_REPO_URL" - ]; - }; - }; - gitolite = { - enable = true; - enableGitAnnex = true; - dataDir = root; - user = "git"; - group = "git"; - # the umask is necessary to give the git group read permissions, otherwise - # git-daemon et al can't access the repos - extraGitoliteRc = '' - $RC{SITE_INFO} = 'a computer is a bicycle for the mind.'; - $RC{UMASK} = 0027; - $RC{GIT_CONFIG_KEYS} = '.*'; - ''; - adminPubkey = lib.trivial.pipe ../Keys/Ben.pub [ - builtins.readFile - (lib.strings.splitString "\n") - lib.lists.head - ]; - # commonHooks = [ ./git-hooks ]; - }; - gitDaemon = { - enable = true; - basePath = "${root}/repositories"; - listenAddress = domain; - user = "gitDaemon"; - group = "gitDaemon"; - }; - gerrit = { - enable = false; - builtinPlugins = [ - "commit-message-length-validator" - "delete-project" - "plugin-manager" - "singleusergroup" - "reviewnotes" - ]; - jvmOpts = [ - # https://stackoverflow.com/a/71817404 - "--add-opens" - "java.base/java.lang=ALL-UNNAMED" - "--add-opens" - "java.base/java.util=ALL-UNNAMED" - ]; - plugins = [ - (pkgs.fetchurl { - url = - "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar"; - sha256 = "sha256-MS3ElMRUrBX4miiflepMETRK3SaASqpqO3nUn9kq3Gk="; - }) - ]; - listenAddress = "[::]:${toString ports.gerrit}"; - serverId = "cc6cca15-2a7e-4946-89b9-67f5d6d996ae"; 
- settings = { - auth.type = "OAUTH"; - auth.gitBasicAuthPolicy = "HTTP"; - download.command = [ "checkout" "cherry_pick" "pull" "format_patch" ]; - gerrit.canonicalWebUrl = "https://gerrit.${domain}"; - httpd.listenUrl = - "proxy-https://${config.services.gerrit.listenAddress}"; - plugin.gerrit-oauth-provider-github-oauth = { - root-url = "https://github.com"; - client-id = "e48084aa0eebe31a2b18"; - }; - sshd.advertisedAddress = - "gerrit.${domain}:${toString ports.gerrit-ssh}"; - sshd.listenAddress = "[::]:${toString ports.gerrit-ssh}"; - }; - }; - nginx.virtualHosts."gerrit.${domain}" = { - forceSSL = true; - useACMEHost = domain; - locations."/" = { - proxyPass = "http://localhost:${toString ports.gerrit}"; - extraConfig = '' - proxy_set_header X-Forwarded-For $remote_addr; - ''; - }; - }; - }; - # need to specify that these users can access git files by being part of the - # git group - users.users = { - gitDaemon = { - group = "gitDaemon"; - isSystemUser = true; - description = "Git daemon user"; - extraGroups = [ "git" ]; - }; - "nginx".extraGroups = [ "git" ]; - }; - users.groups = { gitDaemon = { }; }; -} diff --git a/Biz/Cloud/Gmnisrv.nix b/Biz/Cloud/Gmnisrv.nix deleted file mode 100644 index e2a66f6..0000000 --- a/Biz/Cloud/Gmnisrv.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ lib, config, pkgs, ... }: - -let cfg = config.services.gmnisrv; -in { - meta.maintainers = [ lib.maintainers.bsima ]; - options.services.gmnisrv = { - enable = lib.mkEnableOption "Enable the gmnisrv service"; - listen = lib.mkOption { - description = "Addresses and ports on which to listen."; - default = lib.mkDefault "0.0.0.0:1965 [::]:1965"; - }; - settings = lib.mkOption { - # type = cfgFormat.type; - description = '' - Configuration for gmnisrv. See gmnisrv.ini(5) for supported settings. - ''; - default = { - ":tls" = { "store" = lib.mkDefault "${cfg.dataDir}/certs"; }; - }; - }; - dataDir = lib.mkOption { - type = lib.types.str; - default = "/var/lib/gemini"; - description = "Where gmnisrv should store certs and other data."; - }; - }; - config = lib.mkIf cfg.enable { - systemd.services.gmnisrv = { - description = "gmnisrv service"; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - script = let - ini = lib.generators.toINIWithGlobalSection { } { - globalSection = { "listen" = cfg.listen; }; - sections = cfg.settings; - }; - in "${pkgs.gmnisrv}/bin/gmnisrv -C ${ini}"; - }; - }; -} diff --git a/Biz/Cloud/Grocy.nix b/Biz/Cloud/Grocy.nix deleted file mode 100644 index 697c2f1..0000000 --- a/Biz/Cloud/Grocy.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: - -{ - services.grocy = { - enable = true; - hostName = "grocy.simatime.com"; - nginx.enableSSL = false; # set in Web.nix - settings = { - calendar = { - firstDayOfWeek = 1; - showWeekNumber = true; - }; - currency = "USD"; - culture = "en"; - }; - }; -} diff --git a/Biz/Cloud/Hardware.nix b/Biz/Cloud/Hardware.nix deleted file mode 100644 index 8fdbd4e..0000000 --- a/Biz/Cloud/Hardware.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ modulesPath, ... }: { - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.loader.grub.device = "/dev/vda"; - boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { - device = "/dev/vda1"; - fsType = "ext4"; - }; -} 
diff --git a/Biz/Cloud/Hub.nix b/Biz/Cloud/Hub.nix deleted file mode 100644 index 39bbdd0..0000000 --- a/Biz/Cloud/Hub.nix +++ /dev/null @@ -1,57 +0,0 @@ -{ lib, pkgs, config, ... }: - -let - ssl = { - cert = "/var/lib/acme/${config.networking.domain}/fullchain.pem"; - key = "/var/lib/acme/${config.networking.domain}/key.pem"; - }; - ports = import ./Ports.nix; - mkPlugin = path: settings: { - plugin = "${pkgs.uhub}/plugins/${path}"; - inherit settings; - }; - motdFile = pkgs.writeText "motd" '' - Meshheads write code. - ''; - rulesFile = pkgs.writeText "rules" '' - 1. x - 2. (λx.M) - 3. (M N) - 4. Profit. - ''; -in { - networking.firewall.allowedUDPPorts = [ ports.meshhub ]; - networking.firewall.allowedTCPPorts = [ ports.meshhub ]; - - services.uhub = { - "meshhub" = { - enable = true; - enableTLS = false; - settings = { - hub_name = "meshhub"; - hub_description = "vaporware is dead. long live vaporware"; - server_port = toString ports.meshhub; - server_bind_addr = "any"; - max_users = 14; # we only have 14 users in meshheads chat - tls_private_key = ssl.key; - tls_certificate = ssl.cert; - tls_enable = "no"; - tls_require = "no"; - }; - plugins = lib.attrsets.mapAttrsToList mkPlugin { - #"mod_logging.so" = { - # file = "/var/log/uhub/meshhub.log"; - #}; - "mod_welcome.so" = { - motd = "${motdFile}"; - rules = "${rulesFile}"; - }; - "mod_chat_history.so" = { - history_max = "200"; - history_default = "10"; - history_connect = "5"; - }; - }; - }; - }; -} diff --git a/Biz/Cloud/Mail.nix b/Biz/Cloud/Mail.nix deleted file mode 100644 index fa99cf3..0000000 --- a/Biz/Cloud/Mail.nix +++ /dev/null 
@@ -1,54 +0,0 @@ -{ ... }: - -/* Known issues: - - - when the acme cert gets refreshed, you need to manually restart dovecot - - when restarting dovecot, it might hang, in that case do: - systemctl --job-mode=ignore-dependencies restart dovecot2 postfix -*/ - -{ - mailserver = { - enable = true; - monitoring = { - enable = false; - alertAddress = "bsima@me.com"; - }; - fqdn = "simatime.com"; - domains = [ "simatime.com" "bsima.me" ]; - certificateScheme = 3; # let's encrypt - enableImap = true; - enablePop3 = true; - enableImapSsl = true; - enablePop3Ssl = true; - enableManageSieve = true; - virusScanning = false; # ur on ur own - localDnsResolver = true; - - loginAccounts = { - "ben@simatime.com" = { - hashedPasswordFile = "/home/ben/hashed-mail-password"; - aliases = [ - # my default email - "ben@bsima.me" - # admin stuff - "postmaster@simatime.com" - "abuse@simatime.com" - ]; - catchAll = [ "simatime.com" "bsima.me" ]; - quota = "10G"; - }; - "dev@simatime.com" = { - hashedPasswordFile = "/home/ben/hashed-mail-password"; - aliases = [ "dev@bsima.me" ]; - quota = "10G"; - }; - "nick@simatime.com" = { - hashedPassword = - "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1"; - aliases = [ "nicolai@simatime.com" ]; - quota = "1G"; - }; - }; - }; -} diff --git a/Biz/Cloud/Networking.nix b/Biz/Cloud/Networking.nix deleted file mode 100644 index 1c1f832..0000000 --- a/Biz/Cloud/Networking.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -{ lib, ... }: { - # This file was populated at runtime with the networking - # details gathered from the active system. - networking = { - nameservers = [ "8.8.8.8" ]; - defaultGateway = "143.198.112.1"; - defaultGateway6 = "2604:a880:400:d0::1"; - dhcpcd.enable = false; - usePredictableInterfaceNames = lib.mkForce false; - interfaces = { - eth0 = { - ipv4.addresses = [ - { - address = "143.198.118.179"; - prefixLength = 20; - } - { - address = "10.10.0.7"; - prefixLength = 16; - } - ]; - ipv6.addresses = [ - { - address = "2604:a880:400:d0::19f1:7001"; - prefixLength = 64; - } - { - address = "fe80::a06e:26ff:fee1:941"; - prefixLength = 64; - } - ]; - ipv4.routes = [{ - address = "143.198.112.1"; - prefixLength = 32; - }]; - ipv6.routes = [{ - address = "2604:a880:400:d0::1"; - prefixLength = 128; - }]; - }; - - }; - }; - services.udev.extraRules = '' - ATTR{address}=="a2:6e:26:e1:09:41", NAME="eth0" - ATTR{address}=="f2:4e:52:1a:72:ef", NAME="eth1" - ''; -} diff --git a/Biz/Cloud/NostrRelay.nix b/Biz/Cloud/NostrRelay.nix deleted file mode 100644 index 0be8a6f..0000000 --- a/Biz/Cloud/NostrRelay.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ config, pkgs, ... }: - -let - ports = import ./Ports.nix; - dataDir = "/var/lib/nostr-rs-relay"; - # https://git.sr.ht/~gheartsfield/nostr-rs-relay/tree/master/config.toml - cfg = pkgs.writeText "config.toml" '' - [info] - name = "simatime" - relay_url = "wss://nostr.simatime.com" - description = "yet another nostr relay" - - [database] - data_directory = "/var/lib/nostr-rs-relay" - - [network] - address = "0.0.0.0" - port = ${toString ports.nostr-relay} - ''; -in { - config.systemd.services.nostr-relay = { - path = [ pkgs.nostr-rs-relay ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -p ${dataDir} - cat "${cfg}" > ${dataDir}/config.toml - ''; - script = "nostr-rs-relay --db ${dataDir}"; - serviceConfig = { - Environment = - [ "RUST_LOG=info,nostr_rs_relay=info" "APP_DATA=${dataDir}" ]; - WorkingDirectory = dataDir; - KillSignal = "INT"; - Type = "simple"; - Restart = "always"; - RestartSec = "1"; - }; - }; -} diff --git a/Biz/Cloud/Ports.nix b/Biz/Cloud/Ports.nix deleted file mode 100644 index 5b8446c..0000000 --- a/Biz/Cloud/Ports.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ - bensIp = "24.140.205.252"; # not a port, but it's convenient - barrier = 24800; - bitcoind = 8333; - bitcoind-rpc = 8332; - botamusique = 8181; - dandel-rovbur = 8080; - delugeWeb = 8112; - dns = 53; - dragons = 8095; - et = 2022; - gemini = 1965; - gerrit = 8081; - gerrit-ssh = 2222; - git = 9418; - headscale = 8844; - hoogle = 8008; - http = 80; - httpdev = { - from = 8000; - to = 8099; - }; - https = 443; - invidious = 8086; - jellyfin = 8096; - jupyter = 4000; - k3s = 6443; - libreddit = 8085; - meshhub = 1511; - mpd = 6600; - mpd-stream = 8097; - murmur = 64738; - nostr-relay = 8084; - radicale = 5232; - sabten = 8081; - ssh = 22; - stableDiffusion = 8501; - syncthing-gui = 8384; - tor = 144; - torrents = { - from = 3000; - to = 3099; - }; - wireguard = 51820; - znc = 5000; -} 
diff --git a/Biz/Cloud/Web.nix b/Biz/Cloud/Web.nix
deleted file mode 100644
index 0e080f5..0000000
--- a/Biz/Cloud/Web.nix
+++ /dev/null
@@ -1,303 +0,0 @@ -{ config, ... }: - -let - rootDomain = config.networking.domain; - ports = import ./Ports.nix; -in { - imports = [ ./Gmnisrv.nix ]; - networking.firewall = { - allowedTCPPorts = [ - ports.ssh - ports.git - ports.http - ports.https - ports.sabten - ports.gemini - ports.radicale - ports.znc - ports.gerrit-ssh - ]; - }; - - services = { - - libreddit = { - enable = true; - address = "127.0.0.1"; - openFirewall = true; - port = ports.libreddit; - }; - - invidious = { - enable = true; - database.createLocally = true; - domain = "youtube.${rootDomain}"; - nginx.enable = false; # do this myself, below - port = ports.invidious; - }; - - radicale = { - enable = true; - rights = { - # Allow reading root collection for authenticated users - root = { - user = ".+"; - collection = ""; - permissions = "R"; - }; - # Allow reading and writing principal collection (same as username) - principal = { - user = ".+"; - collection = "{user}"; - permissions = "RW"; - }; - # Allow reading and writing calendars and address books that are direct - # children of the principal collection - calendars = { - user = ".+"; - collection = "{user}/[^/]+"; - permissions = "rw"; - }; - # Allow any authenticated user to modify the public collection - public = { - user = ".*"; - collection = "public/.*"; - permissions = "rw"; - }; - }; - settings = { - server = { - hosts = [ - "0.0.0.0:${toString ports.radicale}" - "[::]:${toString ports.radicale}" - ]; - }; - auth = { - type = "htpasswd"; - htpasswd_filename = "/etc/radicale/users"; - htpasswd_encryption = "plain"; - }; - }; - }; - - gmnisrv = { - enable = false; - listen = "0.0.0.0:${toString ports.gemini} [::]:${toString ports.gemini}"; - settings = { - ":tls" = { store = "/var/lib/gmnisrv"; }; - "bsima.me" = { "root" = "/var/web/ben"; }; - "${rootDomain}" = { - "root" = "/var/web/simatime.com"; - "cgi" = "on"; - }; - }; - }; - - nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - 
recommendedProxySettings = true; - recommendedTlsSettings = true; - statusPage = true; - - user = "nginx"; - group = "nginx"; - - virtualHosts = { - ${rootDomain} = { - forceSSL = true; - enableACME = true; - locations = { - # the nginx/cgit module puts a '/' at the end of 'location', so we need to - # redirect '/git' to '/git/' - "/git".return = "301 https://$host/git/"; - # nostr nip-5 verification - "/.well-known/nostr.json".return = "200 '${ - builtins.toJSON { - names.bensima = - "2fa4b9ba71b6dab17c4723745bb7850dfdafcb6ae1a8642f76f9c64fa5f43436"; - } - }'"; - # disabled for nixpert test - "/" = { - root = "/var/web/simatime.com"; - extraConfig = '' - autoindex on; - ''; - }; - # serve /~$USER paths - "~ ^/~(.+?)(/.*)?$" = { - alias = "/var/web/$1$2"; - index = "index.html index.htm"; - extraConfig = '' - autoindex on; - ''; - }; - }; - }; - - "bsima.me" = { - locations."/" = { - root = "/var/web/ben"; - index = "index.html index.htm"; - extraConfig = '' - autoindex on; - ''; - }; - serverAliases = [ "www.bsima.me" ]; - forceSSL = true; - useACMEHost = rootDomain; - }; - - "hoogle.${rootDomain}" = { - locations."/".proxyPass = - "http://${ports.bensIp}:${toString ports.hoogle}"; - forceSSL = true; - useACMEHost = rootDomain; - }; - - "tv.${rootDomain}" = { - locations."/".proxyPass = - "http://${ports.bensIp}:${toString ports.jellyfin}"; - forceSSL = true; - useACMEHost = rootDomain; - }; - - "cal.${rootDomain}" = { - locations."/".proxyPass = - "http://localhost:${toString ports.radicale}"; - forceSSL = true; - useACMEHost = rootDomain; - extraConfig = '' - proxy_set_header X-Script-Name /radicale; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_pass_header Authorization; - ''; - }; - - "reddit.${rootDomain}" = { - locations."/".proxyPass = - "http://localhost:${toString ports.libreddit}"; - forceSSL = true; - useACMEHost = rootDomain; - }; - "www.reddit.${rootDomain}" = { - forceSSL = true; - useACMEHost = 
rootDomain; - globalRedirect = "reddit.${rootDomain}"; - }; - "old.reddit.${rootDomain}" = { - forceSSL = true; - useACMEHost = rootDomain; - globalRedirect = "reddit.${rootDomain}"; - }; - - "youtube.${rootDomain}" = { - locations."/".proxyPass = - "http://localhost:${toString ports.invidious}"; - forceSSL = true; - useACMEHost = rootDomain; - }; - "www.youtube.${rootDomain}" = { - forceSSL = true; - useACMEHost = rootDomain; - globalRedirect = "youtube.${rootDomain}"; - }; - "m.youtube.${rootDomain}" = { - forceSSL = true; - useACMEHost = rootDomain; - globalRedirect = "youtube.${rootDomain}"; - }; - - "dandel-rovbur.${rootDomain}" = { - locations."/".proxyPass = - "http://${ports.bensIp}:${toString ports.dandel-rovbur}"; - forceSSL = true; - useACMEHost = rootDomain; - }; - - "sabten.${rootDomain}" = { - locations."/".proxyPass = "http://localhost:${toString ports.sabten}"; - forceSSL = true; - useACMEHost = rootDomain; - }; - - "sd.${rootDomain}" = { - forceSSL = true; - useACMEHost = rootDomain; - locations."/" = { - proxyPass = - "http://${ports.bensIp}:${toString ports.stableDiffusion}"; - proxyWebsockets = true; - }; - }; - - "music.${rootDomain}" = { - forceSSL = true; - useACMEHost = rootDomain; - locations."/".proxyPass = - "http://localhost:${toString ports.botamusique}"; - }; - - "nostr.${rootDomain}" = { - forceSSL = true; - useACMEHost = rootDomain; - locations."/" = { - proxyPass = "http://localhost:${toString ports.nostr-relay}"; - extraConfig = '' - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - ''; - }; - }; - - "notebook.${rootDomain}" = { - forceSSL = true; - useACMEHost = rootDomain; - locations = { - "/" = { - proxyPass = "http://${ports.bensIp}:${toString ports.jupyter}"; - proxyWebsockets = true; - extraConfig = '' - proxy_buffering off; - proxy_read_timeout 86400; - ''; - }; - "/(api/kernels/[^/]+/channels|terminals/websocket)/" = { - proxyPass = 
"http://${ports.bensIp}:${toString ports.jupyter}"; - proxyWebsockets = true; - }; - }; - }; - - }; - }; - }; - - # This must contain all of the other domains we host - security.acme.certs.${rootDomain}.extraDomainNames = - [ "bsima.me" "www.bsima.me" ] ++ map (sub: "${sub}.${rootDomain}") [ - "music" - "tv" - "matrix" - "chat" - "hoogle" - "dandel-rovbur" - "sabten" - "cal" - "notebook" - "nostr" - "reddit" - "old.reddit" - "www.reddit" - "youtube" - "www.youtube" - "m.youtube" - "sd" - "gerrit" - ]; -} diff --git a/Biz/Cloud/Znc.nix b/Biz/Cloud/Znc.nix deleted file mode 100644 index e68ebc7..0000000 --- a/Biz/Cloud/Znc.nix +++ /dev/null 
@@ -1,76 +0,0 @@ -/* N.B.: generate znc passwords with 'nix-shell -p znc --command "znc --makepass"' - - - https://wiki.znc.in/Configuration -*/ - -{ pkgs, ... }: - -{ - services = { - znc = { - enable = true; - openFirewall = true; - modulePackages = with pkgs.zncModules; - [ - #backlog clientaway clientbuffer - #ignore - ]; - useLegacyConfig = false; - config = { - LoadModule = [ "adminlog" ]; - Motd = "welcome to znc.simatime.com"; - User.bsima = { - Admin = true; - Nick = "bsima"; - AltNick = "bsima1"; - LoadModule = [ "chansaver" "controlpanel" "log" ]; - Network = { - efnet = { - Server = "irc.efnet.info +6697"; - LoadModule = [ "simple_away" ]; - }; - libera = { - Server = "irc.libera.chat +6697"; - LoadModule = [ "simple_away" "nickserv" "sasl" ]; - Nick = "bsima"; - Chan = { - "#emacs" = { Detached = true; }; - "#guile" = { }; - "#guix" = { Detached = true; }; - "#haskell" = { }; - "#hledger" = { }; - "#nixos" = { }; - "#notmuch" = { Detached = true; }; - "#org-mode" = { Detached = true; }; - "#scheme" = { Detached = true; }; - "#sr.ht" = { Detached = true; }; - "#xmonad" = { Detached = true; }; - }; - }; - oftc = { - Server = "irc.oftc.net +6697"; - LoadModule = [ "simple_away" "nickserv" ]; - Nick = "bsima"; - Chan = { "#home-manager" = { }; }; - }; - zeronode = { - Server = "irc.zeronode.net +6697"; - LoadModule = [ "simple_away" "nickserv" ]; - Nick = "bsima"; - Chan = { "#NoAgenda" = { }; }; - }; - #sorcery = { - # Server = "irc.sorcery.net +6697"; - #}; - }; - Pass.password = { - Method = "sha256"; - Hash = - "bead16d806e7bf5cbbc31d572b20f01e2b253eb60e2497ce465df56306becd02"; - Salt = "/GhmBMc+E6b7qd8muFEe"; - }; - }; - }; - }; - }; -} diff --git a/Biz/Cloud/post-receive.sh b/Biz/Cloud/post-receive.sh deleted file mode 100755 index cedbf90..0000000 --- a/Biz/Cloud/post-receive.sh +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/usr/bin/env bash -# -# creates an archive of a git repo on push -# -# unfortunately the nixos gitolite module does not copy the 'commonHooks' -# properly, so we have to manually deploy this like so: -# -# scp Biz/Cloud/post-receive \ -# root@simatime.com:/srv/git/.gitolite/hooks/common/post-receive -# -# One time only: -# -# ssh root@simatime.com "sudo -u git gitolite setup -ho" -# -# Also on first-time setup, might need to manually check the permissions are -# correct on $webroot/archive or wherever else. -# -set -euo pipefail -while read -r _ newrev refname -do - if [[ -e ./git-daemon-export-ok ]] - then - repo=$(basename "$PWD" | sed 's/.git//g') - branch=$(git rev-parse --symbolic --abbrev-ref "$refname") - webroot="/srv/www/simatime.com/" - outdir="$webroot/archive/$repo/$branch" - mkdir -p "$outdir" - echo " making: https://simatime.com/archive/$repo/$branch/$newrev.tar.gz" - git archive "$branch" --prefix "$repo-$branch/" --format tar \ - | gzip > "$outdir/$newrev.tar.gz" - echo " making: https://simatime.com/archive/$repo/$branch/$newrev.sha256" - hash=$(nix-prefetch-url --unpack file://"$outdir"/"$newrev".tar.gz 2>/dev/null) - echo "$hash" > "$outdir/$newrev.sha256" - echo " commit: $newrev" - echo " sha256: $hash" - echo " in biz: deps update $repo --branch $branch --rev $newrev --attribute sha256=$hash" - chmod -R 755 "$webroot/archive" - fi -done |