authorstuebinm2021-03-03 00:51:39 +0100
committerstuebinm2021-03-03 00:51:39 +0100
commitd96fbd63510048bf56d3d600a65f7983096c1bb1 (patch)
tree192afecb97bcdb829e1461bebc283cc86fb99586 /hosts/flora
migrating config
This deploy logic is primarily based on hxchn's deploy lib [1], with some slight modifications to make it work with my setup. Everything seems to work fine for now. However, I am unsure about the usage of niv — the config doesn't seem to gain much from it, apart from (some) additional complexity. [1] https://gitlab.com/hexchen/nixfiles
Diffstat (limited to 'hosts/flora')
-rw-r--r--hosts/flora/configuration.nix69
-rw-r--r--hosts/flora/hardware-configuration.nix25
-rw-r--r--hosts/flora/services/daemoniones.nix34
-rw-r--r--hosts/flora/services/hedgedoc.nix66
-rw-r--r--hosts/flora/services/nginx.nix21
-rw-r--r--hosts/flora/services/workadventure.nix104
6 files changed, 319 insertions, 0 deletions
diff --git a/hosts/flora/configuration.nix b/hosts/flora/configuration.nix
new file mode 100644
index 0000000..43f7f8e
--- /dev/null
+++ b/hosts/flora/configuration.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./services/hedgedoc.nix
+ ./services/daemoniones.nix
+ ./services/nginx.nix
+ ./services/workadventure.nix
+ # ./services/pleroma
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.devices = [ "/dev/sda" ];
+
+ hexchen.deploy = {
+ ssh.host = "flora";
+ };
+
+ networking = {
+ hostName = "flora";
+
+ #enableIPv6 = true;
+ #defaultGateway6 = {
+ # address = "fe80::1";
+ # interface = "ens3";
+ #};
+
+ #interfaces.ens3.ipv6.addresses = [ {
+ # address = "2a01:4f9:c010:d319::1";
+ # prefixLength = 64;
+ #} ];
+
+ useDHCP = false;
+ interfaces.ens3.useDHCP = true;
+
+ firewall.logRefusedConnections = false;
+ };
+
+ services.fail2ban = {
+ enable = true;
+ bantime-increment.enable = true;
+ bantime-increment.overalljails = true;
+ bantime-increment.maxtime = "1312m";
+ };
+
+ services.logrotate = {
+ enable = true;
+ paths.nginx = {
+ path = "/var/log/nginx";
+ frequency = "weekly";
+ };
+ };
+
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system = {
+ stateVersion = "20.09"; # Did you read the comment?
+ };
+
+}
+
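Review bot: fail2ban is enabled at lines 68-73, but nothing in this file configures the SSH daemon it is presumably protecting (no `services.openssh.*` settings), even though `hexchen.deploy.ssh.host` shows the host is managed over SSH. If the deploy library does not already set it, add `services.openssh.passwordAuthentication = false;` (and `permitRootLogin = "prohibit-password";`) next to the fail2ban block so brute-force attempts are rejected outright rather than only rate-limited. `firewall.logRefusedConnections = false` on line 65 is a reasonable noise reduction, but note in a comment that it removes the firewall-level trail you would otherwise have when investigating a scan, e.g. `# refused-connection logging disabled on purpose: too noisy on a public host`.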
diff --git a/hosts/flora/hardware-configuration.nix b/hosts/flora/hardware-configuration.nix
new file mode 100644
index 0000000..faac1af
--- /dev/null
+++ b/hosts/flora/hardware-configuration.nix
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/5d31cad5-9076-4d2f-93f6-6af817bc368b";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ nix.maxJobs = lib.mkDefault 1;
+}
+
diff --git a/hosts/flora/services/daemoniones.nix b/hosts/flora/services/daemoniones.nix
new file mode 100644
index 0000000..6c96b3c
--- /dev/null
+++ b/hosts/flora/services/daemoniones.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ...}:
+
+{
+ systemd.services =
+ let simpledaemon = name: command: {
+ enable = true;
+ description = name;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "simple";
+ script = command;
+ };
+ in {
+ choclo = simpledaemon "choclo signalling server" "/root/simple-signalling/target/release/chaski -b 127.0.0.1:5000";
+ wasi = simpledaemon "wasi backend" "/root/wasi-minimal/target/release/wasi";
+ picarones = simpledaemon "picarones backend" "/root/picarones-server/target/release/picarones -b 127.0.0.1:6000";
+ };
+
+ services.nginx = {
+ virtualHosts =
+ let websocketproxy = addr: {
+ locations."/".proxyPass = addr;
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyWebsockets = true;
+ };
+ in {
+ "wasi.stuebinm.eu" = websocketproxy "http://127.0.0.1:9000";
+ "choclo.stuebinm.eu" = websocketproxy "http://127.0.0.1:5000";
+ "picarones.stuebinm.eu" = websocketproxy "http://127.0.0.1:6000";
+ };
+ };
+
+
+}
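Review bot: The three daemons built by `simpledaemon` (lines 137-147) have no `User`/`DynamicUser` in their `serviceConfig`, so each network-facing binary runs as root, and the binaries live under `/root/...` which also ties the services to a root-only path. Consider `serviceConfig.DynamicUser = true;` inside `simpledaemon` together with moving the binaries to a location readable by an unprivileged user (or packaging them so they are in the store); a `serviceConfig.Restart = "on-failure";` would also keep them up without manual intervention. Separately, `wasi` is proxied to `127.0.0.1:9000` on line 159 while its command on line 146 passes no bind address, unlike the other two — worth a comment confirming 9000 is that program's default, e.g. `# wasi listens on 9000 by default`.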
diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix
new file mode 100644
index 0000000..4ce2256
--- /dev/null
+++ b/hosts/flora/services/hedgedoc.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Container containing CodiMD and its database
+ # has its own internal network; needs a reverse-proxy to be reachable from the outside
+ # TODO: persistent memory for pads
+ containers.codimd = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:10";
+ localAddress6 = "fd00::42:11";
+
+ config = {config, pkgs, ... }: {
+ # open CodiMD port
+ networking.firewall.allowedTCPPorts = [ config.services.codimd.configuration.port ];
+
+ # database (postgres 11), with default database reachable for CodiMD; no imperative config needed!
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_11;
+ ensureDatabases = [ "codimd" ];
+ ensureUsers = [ {
+ name = "codimd";
+ ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES";};
+ } ];
+ # ugly workaround to allow CodiMD to login without password — this service has lots of options,
+ # but apparently not for authentification, which even needs to be forced …
+ authentication = pkgs.lib.mkForce ''
+ # Generated file; do not edit!
+ local all all trust
+ host codimd codimd ::1/128 trust
+ '';
+ };
+ # CodiMD itself
+ services.hedgedoc = {
+ enable = true;
+ workDir = "/var/codimd/";
+ configuration = {
+ dbURL = "postgres:///codimd";
+ port = 3000;
+ domain = "nix.stuebinm.eu";
+ urlAddPort = false;
+ protocolUseSSL = true;
+ allowPDFExport = true;
+ host = "::";
+ allowEmailRegister = false;
+ allowFreeURL = true;
+ uploadsPath = "/var/codimd/uploads";
+ #email = false;
+ };
+ };
+ };
+ };
+
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx.virtualHosts."nix.stuebinm.eu" = {
+ locations."/" = {
+ proxyPass = "http://[" + config.containers.codimd.localAddress6 + "]:3000";
+ proxyWebsockets = true;
+ };
+ forceSSL = true;
+ enableACME = true;
+ };
+}
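Review bot: The `pg_hba` override on lines 200-204 contains `local all all trust`, which lets any local user inside the container connect as any role, including the `postgres` superuser, without a password; the comment on lines 198-199 already calls it a workaround. Since the application connects over the unix socket as `postgres:///codimd` (line 211), the rule can be narrowed to the role and database actually used, e.g. `local codimd codimd trust` (or `peer` with a matching OS user; the OS user hedgedoc runs as is not visible here, so confirm before switching), and the `host ... ::1/128` line dropped if nothing connects over TCP. Also, line 187 reads `config.services.codimd.configuration.port` while the service is configured under `services.hedgedoc` (line 207); this likely works only through a rename alias, so use `config.services.hedgedoc.configuration.port` to avoid breaking on a later channel.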
diff --git a/hosts/flora/services/nginx.nix b/hosts/flora/services/nginx.nix
new file mode 100644
index 0000000..5d21a14
--- /dev/null
+++ b/hosts/flora/services/nginx.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+
+ # virtualHosts = {
+ # "stuebinm.eu" = {
+ # forceSSL = true;
+ # enableACME = true;
+ # root = "/var/www/stats";
+ # };
+ # };
+ };
+}
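Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` on line 248 is also declared in `services/hedgedoc.nix`; NixOS merges the lists, so it is harmless, but keeping the HTTP/HTTPS opening only here — next to the nginx definition that needs it — makes the host's exposed ports easier to audit. A one-line comment such as `# the only ports this host exposes besides SSH` would document that intent. The commented-out virtualHost on lines 257-263 can be removed rather than carried along, since a later commit can re-add it from history.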
diff --git a/hosts/flora/services/workadventure.nix b/hosts/flora/services/workadventure.nix
new file mode 100644
index 0000000..f38f5da
--- /dev/null
+++ b/hosts/flora/services/workadventure.nix
@@ -0,0 +1,104 @@
+{pkgs, config, ...}:
+
+
+let
+ haccpkgssrc = pkgs.fetchgit {
+ url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+ rev = "a4ffb828aadf5ffd54a269f8a9ec9553c016069b";
+ sha256 = "12qfisfwr170b94j12rhy2q3smrwc7a3nh6xzbxlphnr3vadplvz";
+ };
+ haccpkgs = import "${haccpkgssrc}";
+ fediventure = pkgs.fetchgit {
+ url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple";
+ rev = "f32d3c5efd39df558f80b862c60b2866c567d999";
+ sha256 = "0kdb29hzh6s7rsz8s9z40hsmj09rrww1lcyfdi7wpng9ixi1jfvx";
+ };
+in
+
+{
+
+ containers.wa-test = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:20";
+ localAddress6 = "fd00::42:21";
+
+ config = {config, pkgs, ...}: {
+ imports = [ "${fediventure}/workadventure.nix" ];
+ networking.firewall.allowedTCPPorts = [ 80 443 5000 7890 ];
+
+ services.workadventure.instances."space.stuebinm.eu" = {
+ nginx.default = true;
+ nginx.domain = "space.stuebinm.eu";
+ maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+ frontend.settings.startRoomUrl = "space.stuebinm.eu/maps/main.json";
+ frontend.settings = {
+ stunServer = "stun:chaski.stuebinm.eu:3478";
+ turnServer = "turn:95.217.159.23";
+ turnUser = "chaski";
+ turnPassword = "chaski";
+ jitsiUrl = "meet.ffmuc.net";
+ };
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ scrapeConfigs = [ {
+ job_name = "workadventure-back";
+ static_configs = [ {
+ targets = [ "localhost:8080" ];
+ } ];
+ } ];
+ };
+
+ services.grafana = {
+ enable = true;
+ port = 5000;
+ addr = "[::]";
+ rootUrl = "https://space.stuebinm.eu/metrics/";
+ auth.anonymous.enable = true;
+ provision = {
+ enable = true;
+ datasources = [ {
+ name = "workadventure";
+ type = "prometheus";
+ url = "http://localhost:9001";
+ } ];
+ };
+ };
+
+ systemd.services.goaccess = {
+ enable = true;
+ description = "Uses goaccess to publish a neat acces log on /var/www/index.html";
+ requires = [ "nginx.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "simple";
+ path = [ pkgs.goaccess ];
+ environment = {"HOME" = "/tmp";}; # necessary as goaccess will crash otherwise — is fixed upstream, but not yet in nixos
+ script = ''
+ mkdir -p /var/www-goaccess/
+ goaccess /var/log/nginx/access.log -o /var/www-goaccess/index.html --log-format=COMBINED --html
+ '';
+ };
+
+ services.nginx.virtualHosts."space.stuebinm.eu" = {
+ locations."/stats/".alias = "/var/www-goaccess/";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."space.stuebinm.eu" = {
+ extraConfig = ''
+ proxy_read_timeout 300s;
+ proxy_connect_timeout 75s;
+ '';
+ locations."/metrics/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:5000/";
+ locations."/metrics/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:80";
+ locations."/".proxyWebsockets = true;
+ enableACME = true;
+ forceSSL = true;
+ };
+}
+
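Review bot: `turnUser` and `turnPassword` on lines 309-310 are a static TURN credential committed in plaintext, and because they sit under `frontend.settings` they are presumably delivered to every browser that loads the instance, so anyone can relay traffic through that TURN server. Rotate the credential and either move it to a secrets file read at activation time or, if the TURN server supports it, switch to short-lived credentials instead of a fixed user/password pair. Grafana on lines 326-340 is reachable publicly through the `/metrics/` proxy (line 367) with `auth.anonymous.enable = true`; if that is intended, add a comment such as `# anonymous viewer access is intended: dashboards are public` so it is not mistaken for an oversight. The separate `frontend.settings.startRoomUrl` on line 305 could also be folded into the `frontend.settings` attribute set on line 306 for readability.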