Diffstat (limited to 'depo/nutin-madaj')
-rw-r--r--depo/nutin-madaj/configuration.nix222
-rw-r--r--depo/nutin-madaj/default.nix75
-rw-r--r--depo/nutin-madaj/git.nix65
-rw-r--r--depo/nutin-madaj/mail.nix40
-rw-r--r--depo/nutin-madaj/web.nix39
-rw-r--r--depo/nutin-madaj/znc.nix41
6 files changed, 257 insertions, 225 deletions
diff --git a/depo/nutin-madaj/configuration.nix b/depo/nutin-madaj/configuration.nix
deleted file mode 100644
index 446a5f5..0000000
--- a/depo/nutin-madaj/configuration.nix
+++ /dev/null
@@ -1,222 +0,0 @@
-{ pkgs, ... }:
-
-let
- bensIp = "68.107.97.20"; # hiddor-kahih
- benKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiNB0iF9ClawNEizBtdYucqp1tAXXRbqvlPS6PFRrtiwSl+SJD29BCLgA5rLxcmFhBHZ/iId/En7GPFEzI/gMu071J7pUI4OcW0UVZju3GNc6ZEz/a6AD2u79JiXEDHfPEdmMqAe36kkaK0KJWSQP3xsFRwJ+8F8HHbSwoCLL+GJhBgAWHQLGfKesNrDacNljNDU3CgkEnDmu8QKuSzH2k1vrr69q2u2iMSAdiStDBAWEjN5nCVrm2XB2vmFLMtXpX2n8JI+znOGzRRDc8dNXejQeDMZGyV6jfVidEIX7vdgSydGjTRKcCLVAsKY3z0gYBZ8u8EUNujgcFBnnAvytj ben@neb";
- ibbPort = "3000";
- fathomPort = "3030";
- gitDir = "/srv/git";
-in
-{
- nixpkgs.config.allowUnfree = true;
- nixpkgs.overlays = [
- (import ../../pack/overlay.nix)
- ];
-
- networking.firewall.allowedTCPPorts = [ 22 80 443 ];
-
- services = {
-
- gitolite = {
- enable = true;
- enableGitAnnex = true;
- dataDir = "${gitDir}";
- user = "git";
- group = "git";
- extraGitoliteRc = ''
- $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
- $RC{GIT_CONFIG_KEYS} = 'gitweb\.(owner|description|category)';
- '';
- adminPubkey = "${benKey}";
- };
- lighttpd = {
- enable = true;
- port = 8000;
- document-root = "/srv/www";
- mod_userdir = true;
- mod_status = true;
- collectd = {
- enable = true;
- };
- cgit = {
- # disable cgit for now; the ssh interface still works anyway.
- enable = false;
- subdir = "git";
- configText = ''
- cache-size=0
- clone-url=git@simatime.com:$CGIT_REPO_URL
- enable-index-owner=1
- enable-http-clone=0
- enable-index-links=1
- enable-commit-graph=1
- enable-log-filecount=1
- enable-log-linecount=1
- enable-git-config=1
- remove-suffix=1
- branch-sort=age
- max-stats=week
- mimetype.gif=image/gif
- mimetype.html=text/html
- mimetype.jpg=image/jpeg
- mimetype.jpeg=image/jpeg
- mimetype.pdf=application/pdf
- mimetype.png=image/png
- mimetype.svg=image/svg+xml
- about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
- source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
- readme=:README.md
- root-title=simatime git repository
- root-desc=a computer is a bicycle for the mind.
- project-list=${gitDir}/projects.list
- scan-path=${gitDir}/repositories
- '';
- };
- };
-
- ibb = {
- enable = true;
- port = ibbPort;
- };
-
- fathom = {
- enable = true;
- port = fathomPort;
- dataDir = "/var/lib/fathom";
- };
-
- nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- virtualHosts = {
- # "bsima.me".locations."/".proxyPass = "http://localhost:8000/~ben";
- "simatime.com".locations."/".proxyPass = "http://localhost:8000";
- "web.simatime.com".locations."/".proxyPass = "http://${bensIp}:8000";
- "dev.simatime.com".locations."/".proxyPass = "http://${bensIp}:${ibbPort}";
- "hero.simatime.com".locations."/".proxyPass = "http://${bensIp}:3001";
- "tv.simatime.com".locations."/".proxyPass = "http://${bensIp}:8096"; # emby runs on port 8096
-
- "notebook.simatime.com".locations = {
- "/" = {
- proxyPass = "http://${bensIp}:3099";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_buffering off;
- proxy_read_timeout 86400;
-
- '';
- };
- "/(api/kernels/[^/]+/channels|terminals/websocket)/" = {
- proxyPass = "http://${bensIp}:3099";
- proxyWebsockets = true;
- };
- };
- "stats.simatime.com" = {
- locations."/".proxyPass = "http://localhost:${fathomPort}";
- forceSSL = true;
- enableACME = true;
- };
- "influencedbybooks.com" = {
- forceSSL = true;
- enableACME = true;
- locations = {
- "/" = {
- proxyPass = "http://localhost:${ibbPort}";
- };
- };
- };
- };
- };
-
- znc = {
- enable = true;
- mutable = true;
- useLegacyConfig = false;
- openFirewall = true;
- config = {
- LoadModule = [ "adminlog" "fail2ban" ];
- User.bsima = {
- Admin = true;
- Nick = "bsima";
- AltNick = "bsima1";
- LoadModule = [ "chansaver" "controlpanel" ];
- Network.freenode = { Server = "chat.freenode.net +6697";
- LoadModule = [ "simple_away" "nickserv" ];
- Chan = {
- "#ai" = {};
- "#bsima" = {};
- "#emacs" = {};
- "#haskell" = {};
- "#haskell-miso" = {};
- "#home-manager" = {};
- "#nixos" = {};
- "#servant" = {};
- "#sr.ht" = {};
- "#xmonad" = {};
- };
- };
- Pass.password = {
- Method = "sha256";
- Hash = "4a6703074c713a26d56a906fc9ea82bb591177f10a25a650719266bf588d9525";
- Salt = "QByO-A:4Rbib;dl_3wEH";
- };
- };
- };
- };
- };
-
- mailserver = {
- enable = true;
- monitoring = {
- enable = true;
- alertAddress = "ben@bsima.me";
- };
- fqdn = "mail.simatime.com";
- domains = [ "simatime.com" ];
- certificateScheme = 3; # let's encrypt
- enableImap = true;
- enablePop3 = true;
- enableImapSsl = true;
- enablePop3Ssl = true;
- enableManageSieve = true;
- virusScanning = false; # ur on ur own
-
- loginAccounts = {
- "ben@simatime.com" = {
- hashedPassword = "$6$Xr180W0PqprtaFB0$9S/Ug1Yz11CaWO7UdVJxQLZWfRUE3/rarB0driXkXALugEeQDLIjG2STGQBLU23//JtK3Mz8Kwsvg1/Zo0vD2/";
- aliases = [
- # admin stuff
- "postmaster@simatime.com"
- "abuse@simatime.com"
- ];
- catchAll = [ "simatime.com" ];
- quota = "1G";
- };
- "nick@simatime.com" = {
- hashedPassword = "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1";
- aliases = [
- "nicolai@simatime.com"
- ];
- quota = "1G";
- };
- };
- };
-
- virtualisation = {
- libvirtd.enable = true;
- docker.enable = true;
- virtualbox.guest.enable = true;
- virtualbox.host.enable = true;
- virtualbox.host.headless = false;
- virtualbox.host.addNetworkInterface = true;
-
- };
-
- boot.cleanTmpDir = true;
- networking.hostName = "simatime";
- networking.firewall.allowPing = true;
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [ benKey ];
-}
diff --git a/depo/nutin-madaj/default.nix b/depo/nutin-madaj/default.nix
index fa95947..ffb2909 100644
--- a/depo/nutin-madaj/default.nix
+++ b/depo/nutin-madaj/default.nix
@@ -1,9 +1,24 @@
+/*
+
+nutin-madaj - cloud infrastructure server.
+
+This serves the git repo, mailserver, znc bouncer, user sites, and so on.
+
+Currently also used as a catch-all production/staging server, until I get real
+stuff deployed.
+
+*/
+
let
nixpkgs = builtins.fetchTarball (import ../../pack/nixpkgs.nix);
nixos-mailserver = builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz";
sha256 = "03d49v8qnid9g9rha0wg2z6vic06mhp0b049s3whccn1axvs2zzx";
};
+ benKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiNB0iF9ClawNEizBtdYucqp1tAXXRbqvlPS6PFRrtiwSl+SJD29BCLgA5rLxcmFhBHZ/iId/En7GPFEzI/gMu071J7pUI4OcW0UVZju3GNc6ZEz/a6AD2u79JiXEDHfPEdmMqAe36kkaK0KJWSQP3xsFRwJ+8F8HHbSwoCLL+GJhBgAWHQLGfKesNrDacNljNDU3CgkEnDmu8QKuSzH2k1vrr69q2u2iMSAdiStDBAWEjN5nCVrm2XB2vmFLMtXpX2n8JI+znOGzRRDc8dNXejQeDMZGyV6jfVidEIX7vdgSydGjTRKcCLVAsKY3z0gYBZ8u8EUNujgcFBnnAvytj ben@neb";
+ ibbPort = "3000";
+ fathomPort = "3030";
+
in
import "${nixpkgs}/nixos" {
system = "x86_64-linux";
@@ -12,15 +27,69 @@ import "${nixpkgs}/nixos" {
./hardware-configuration.nix
./networking.nix
- # end config
- ./configuration.nix
+ # configured modules
+ ./git.nix
+ ./mail.nix
+ ./web.nix
+ ./znc.nix
- # our modules
+ # our custom modules
../../mode/ibb.nix
../../mode/fathom.nix
# third party
nixos-mailserver
];
+
+ nixpkgs.config.allowUnfree = true;
+ nixpkgs.overlays = [
+ (import ../../pack/overlay.nix)
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+ virtualisation = {
+ libvirtd.enable = true;
+ docker.enable = true;
+ virtualbox.guest.enable = true;
+ virtualbox.host.enable = true;
+ virtualbox.host.headless = false;
+ virtualbox.host.addNetworkInterface = true;
+ };
+
+ # our custom apps
+ services = {
+ ibb = {
+ enable = true;
+ port = ibbPort;
+ };
+ # TODO: move this nginx config into mode/ibb.nix
+ nginx.virtualHosts."influencedbybooks.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${ibbPort}";
+ };
+ };
+ };
+
+ fathom = {
+ enable = true;
+ port = fathomPort;
+ dataDir = "/var/lib/fathom";
+ };
+ nginx.virtualHosts."stats.simatime.com" = {
+ locations."/".proxyPass = "http://localhost:${fathomPort}";
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+
+ boot.cleanTmpDir = true;
+ networking.hostName = "simatime";
+ networking.firewall.allowPing = true;
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [ benKey ];
};
}
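Review bot: `users.users.root.openssh.authorizedKeys.keys = [ benKey ];` gives root a key-based login, but sshd is only enabled with `services.openssh.enable = true;`, so whether root login and password authentication are allowed is left to the defaults of the pinned nixpkgs rather than stated here. Pin the policy next to that line: `services.openssh.permitRootLogin = "prohibit-password";` and `services.openssh.passwordAuthentication = false;` (newer nixpkgs moved these under `services.openssh.settings`, so check the option names against the pin). The two `nginx.virtualHosts.*` entries inside `services` are the only hosts in the directory with `forceSSL`/`enableACME`; the `# TODO: move this nginx config into mode/ibb.nix` note could also mention that the ACME account settings (`security.acme`) are not visible in this diff and presumably live in another file.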
diff --git a/depo/nutin-madaj/git.nix b/depo/nutin-madaj/git.nix
new file mode 100644
index 0000000..ef86d52
--- /dev/null
+++ b/depo/nutin-madaj/git.nix
@@ -0,0 +1,65 @@
+{ pkgs, ... }:
+
+let
+ benKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiNB0iF9ClawNEizBtdYucqp1tAXXRbqvlPS6PFRrtiwSl+SJD29BCLgA5rLxcmFhBHZ/iId/En7GPFEzI/gMu071J7pUI4OcW0UVZju3GNc6ZEz/a6AD2u79JiXEDHfPEdmMqAe36kkaK0KJWSQP3xsFRwJ+8F8HHbSwoCLL+GJhBgAWHQLGfKesNrDacNljNDU3CgkEnDmu8QKuSzH2k1vrr69q2u2iMSAdiStDBAWEjN5nCVrm2XB2vmFLMtXpX2n8JI+znOGzRRDc8dNXejQeDMZGyV6jfVidEIX7vdgSydGjTRKcCLVAsKY3z0gYBZ8u8EUNujgcFBnnAvytj ben@neb";
+ gitDir = "/srv/git";
+in
+{
+ services = {
+ gitolite = {
+ enable = true;
+ enableGitAnnex = true;
+ dataDir = "${gitDir}";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
+ $RC{GIT_CONFIG_KEYS} = 'gitweb\.(owner|description|category)';
+ '';
+ adminPubkey = "${benKey}";
+ };
+ lighttpd = {
+ enable = true;
+ port = 8000;
+ document-root = "/srv/www";
+ mod_userdir = true;
+ mod_status = true;
+ collectd = {
+ enable = true;
+ };
+ cgit = {
+ # disable cgit for now; the ssh interface still works anyway.
+ enable = false;
+ subdir = "git";
+ configText = ''
+ cache-size=0
+ clone-url=git@simatime.com:$CGIT_REPO_URL
+ enable-index-owner=1
+ enable-http-clone=0
+ enable-index-links=1
+ enable-commit-graph=1
+ enable-log-filecount=1
+ enable-log-linecount=1
+ enable-git-config=1
+ remove-suffix=1
+ branch-sort=age
+ max-stats=week
+ mimetype.gif=image/gif
+ mimetype.html=text/html
+ mimetype.jpg=image/jpeg
+ mimetype.jpeg=image/jpeg
+ mimetype.pdf=application/pdf
+ mimetype.png=image/png
+ mimetype.svg=image/svg+xml
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ readme=:README.md
+ root-title=simatime git repository
+ root-desc=a computer is a bicycle for the mind.
+ project-list=${gitDir}/projects.list
+ scan-path=${gitDir}/repositories
+ '';
+ };
+ };
+ };
+}
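Review bot: `mod_status = true;` turns on lighttpd's status page on the backend listening on port 8000, and web.nix proxies the `simatime.com` root location to `http://localhost:8000`, so unless something not shown in this diff restricts the status URL it is reachable from the internet along with the request counters and connection list it reports. Either set `mod_status = false;` or keep it and add a deny rule for the status path in the nginx virtual host; a comment such as `# mod_status is proxied through simatime.com — restrict or disable` would at least record the decision. The `benKey` literal here is a second copy of the one in default.nix; importing it from a single shared file would keep the gitolite admin key and the root login key from diverging.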
diff --git a/depo/nutin-madaj/mail.nix b/depo/nutin-madaj/mail.nix
new file mode 100644
index 0000000..96ad506
--- /dev/null
+++ b/depo/nutin-madaj/mail.nix
@@ -0,0 +1,40 @@
+{ ... }:
+
+{
+ mailserver = {
+ enable = true;
+ monitoring = {
+ enable = true;
+ alertAddress = "ben@bsima.me";
+ };
+ fqdn = "mail.simatime.com";
+ domains = [ "simatime.com" ];
+ certificateScheme = 3; # let's encrypt
+ enableImap = true;
+ enablePop3 = true;
+ enableImapSsl = true;
+ enablePop3Ssl = true;
+ enableManageSieve = true;
+ virusScanning = false; # ur on ur own
+
+ loginAccounts = {
+ "ben@simatime.com" = {
+ hashedPassword = "$6$Xr180W0PqprtaFB0$9S/Ug1Yz11CaWO7UdVJxQLZWfRUE3/rarB0driXkXALugEeQDLIjG2STGQBLU23//JtK3Mz8Kwsvg1/Zo0vD2/";
+ aliases = [
+ # admin stuff
+ "postmaster@simatime.com"
+ "abuse@simatime.com"
+ ];
+ catchAll = [ "simatime.com" ];
+ quota = "1G";
+ };
+ "nick@simatime.com" = {
+ hashedPassword = "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1";
+ aliases = [
+ "nicolai@simatime.com"
+ ];
+ quota = "1G";
+ };
+ };
+ };
+}
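Review bot: Both `hashedPassword` values under `loginAccounts` are committed to the repository, and a `$6$` crypt hash in git history stays recoverable by anyone with read access to the repo even after a later commit removes it. Current nixos-mailserver offers `hashedPasswordFile`, which points at a file that exists only on the host; if the pinned v2.2.1 does not have that option, keep the account block out of the tree by another means, and rotate both passwords once the hashes are no longer in the repo. `enableImap = true;` and `enablePop3 = true;` next to their `Ssl` counterparts also appear to open the non-TLS IMAP/POP3 ports (STARTTLS), which is probably unnecessary if every client uses the implicit-TLS ports; if they are intentional, a comment like `# 143/110 kept for STARTTLS clients` would say so.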
diff --git a/depo/nutin-madaj/web.nix b/depo/nutin-madaj/web.nix
new file mode 100644
index 0000000..d14a2c7
--- /dev/null
+++ b/depo/nutin-madaj/web.nix
@@ -0,0 +1,39 @@
+{ ... }:
+
+let
+ bensIp = "68.107.97.20"; # hiddor-kahih
+in
+{
+ services = {
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ # "bsima.me".locations."/".proxyPass = "http://localhost:8000/~ben";
+ "simatime.com".locations."/".proxyPass = "http://localhost:8000";
+ "web.simatime.com".locations."/".proxyPass = "http://${bensIp}:8000";
+ "hero.simatime.com".locations."/".proxyPass = "http://${bensIp}:3001";
+ "tv.simatime.com".locations."/".proxyPass = "http://${bensIp}:8096"; # emby runs on port 8096
+
+ "notebook.simatime.com".locations = {
+ "/" = {
+ proxyPass = "http://${bensIp}:3099";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_read_timeout 86400;
+
+ '';
+ };
+ "/(api/kernels/[^/]+/channels|terminals/websocket)/" = {
+ proxyPass = "http://${bensIp}:3099";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ };
+}
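Review bot: None of the `virtualHosts` in this file set `forceSSL` or `enableACME`, unlike `stats.simatime.com` and `influencedbybooks.com` in default.nix, so `simatime.com`, `web.`, `hero.`, `tv.` and in particular `notebook.simatime.com` — whose `/(api/kernels/[^/]+/channels|terminals/websocket)/` location carries an interactive notebook session — are served over plain HTTP to browsers. Add `forceSSL = true; enableACME = true;` to each host, turning the one-liners into blocks such as `"hero.simatime.com" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://${bensIp}:3001"; };`. The back leg to `${bensIp}` remains plain HTTP and, given that `bensIp` is a public address, presumably leaves this machine; if that hop is accepted as trusted, note it beside the `bensIp` binding, e.g. `# backend hop to hiddor-kahih is plain HTTP`.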
diff --git a/depo/nutin-madaj/znc.nix b/depo/nutin-madaj/znc.nix
new file mode 100644
index 0000000..a7623c1
--- /dev/null
+++ b/depo/nutin-madaj/znc.nix
@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+ services = {
+ znc = {
+ enable = true;
+ mutable = true;
+ useLegacyConfig = false;
+ openFirewall = true;
+ config = {
+ LoadModule = [ "adminlog" "fail2ban" ];
+ User.bsima = {
+ Admin = true;
+ Nick = "bsima";
+ AltNick = "bsima1";
+ LoadModule = [ "chansaver" "controlpanel" ];
+ Network.freenode = { Server = "chat.freenode.net +6697";
+ LoadModule = [ "simple_away" "nickserv" ];
+ Chan = {
+ "#ai" = {};
+ "#bsima" = {};
+ "#emacs" = {};
+ "#haskell" = {};
+ "#haskell-miso" = {};
+ "#home-manager" = {};
+ "#nixos" = {};
+ "#servant" = {};
+ "#sr.ht" = {};
+ "#xmonad" = {};
+ };
+ };
+ Pass.password = {
+ Method = "sha256";
+ Hash = "4a6703074c713a26d56a906fc9ea82bb591177f10a25a650719266bf588d9525";
+ Salt = "QByO-A:4Rbib;dl_3wEH";
+ };
+ };
+ };
+ };
+ };
+}
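Review bot: `Pass.password` commits the admin user's salted SHA-256 hash to the repository, and because `mutable = true;` makes this block only a seed for znc's live config, the hash in git is a credential that never gets rotated in step with the running instance. Keep the `Pass` stanza out of the tree (seed the admin password on the host, or from a file that exists only there) and rotate the password once after removing it. A style nit in the same hunk: `Network.freenode = { Server = "chat.freenode.net +6697";` opens the attrset on the same line as its first field, unlike every other block in the file; put `Server` on its own line under the brace.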