| author | stuebinm | 2021-03-03 00:51:39 +0100 | 
|---|---|---|
| committer | stuebinm | 2021-03-03 00:51:39 +0100 | 
| commit | d96fbd63510048bf56d3d600a65f7983096c1bb1 (patch) | |
| tree | 192afecb97bcdb829e1461bebc283cc86fb99586 /hosts | |
migrating config
This deploy logic is primarily based on hxchn's deploy lib [1], with some
slight modifications to make it work with my setup. Everything seems to work
fine for now.
However, I am unsure about the usage of niv — the config doesn't seem to gain
much from it, apart from (some) additional complexity.
[1] https://gitlab.com/hexchen/nixfiles
Diffstat (limited to '')
| -rw-r--r-- | hosts/flora/configuration.nix | 69 | ||||
| -rw-r--r-- | hosts/flora/hardware-configuration.nix | 25 | ||||
| -rw-r--r-- | hosts/flora/services/daemoniones.nix | 34 | ||||
| -rw-r--r-- | hosts/flora/services/hedgedoc.nix | 66 | ||||
| -rw-r--r-- | hosts/flora/services/nginx.nix | 21 | ||||
| -rw-r--r-- | hosts/flora/services/workadventure.nix | 104 | 
6 files changed, 319 insertions, 0 deletions
diff --git a/hosts/flora/configuration.nix b/hosts/flora/configuration.nix
new file mode 100644
index 0000000..43f7f8e
--- /dev/null
+++ b/hosts/flora/configuration.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./services/hedgedoc.nix
+    ./services/daemoniones.nix
+    ./services/nginx.nix
+    ./services/workadventure.nix
+    # ./services/pleroma
+  ];
+  
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.devices = [ "/dev/sda" ];
+
+  hexchen.deploy = {
+    ssh.host = "flora";
+  };
+
+  networking = {
+    hostName = "flora";
+    
+    #enableIPv6 = true;
+    #defaultGateway6 = {
+    #  address = "fe80::1";
+    #  interface = "ens3";
+    #};
+    
+    #interfaces.ens3.ipv6.addresses = [ {
+    #  address = "2a01:4f9:c010:d319::1";
+    #  prefixLength = 64;
+    #} ]; 
+    
+    useDHCP = false;
+    interfaces.ens3.useDHCP = true;
+
+    firewall.logRefusedConnections = false;
+  };
+
+  services.fail2ban = {
+    enable = true;
+    bantime-increment.enable = true;
+    bantime-increment.overalljails = true;
+    bantime-increment.maxtime = "1312m";
+  };
+  
+  services.logrotate = {
+    enable = true;
+    paths.nginx = {
+      path = "/var/log/nginx";
+      frequency = "weekly";
+    };
+  };
+
+  
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system = {
+    stateVersion = "20.09"; # Did you read the comment?
+  };
+
+}
+ 
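Review bot: `services.fail2ban.enable = true` is set without any jails of its own, so presumably only the module's default ssh jail is active while the other files in this commit publish several nginx vhosts on this host; a comment such as `# fail2ban: default ssh jail only; nginx is not covered` would make that scope explicit, or a jail over the nginx logs could be added. Together with `firewall.logRefusedConnections = false`, refused connections leave no trace in the journal — a reasonable noise reduction, but it limits what can be reconstructed after an incident and deserves a one-line comment next to it. The commented-out IPv6 block also carries no note on why it is disabled while the service files rely on IPv6 container addresses.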
diff --git a/hosts/flora/hardware-configuration.nix b/hosts/flora/hardware-configuration.nix
new file mode 100644
index 0000000..faac1af
--- /dev/null
+++ b/hosts/flora/hardware-configuration.nix
@@ -0,0 +1,25 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5d31cad5-9076-4d2f-93f6-6af817bc368b";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 1;
+}
+
diff --git a/hosts/flora/services/daemoniones.nix b/hosts/flora/services/daemoniones.nix
new file mode 100644
index 0000000..6c96b3c
--- /dev/null
+++ b/hosts/flora/services/daemoniones.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ...}:
+
+{
+  systemd.services = 
+    let simpledaemon = name: command: {
+      enable = true;
+      description = name;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Type = "simple";
+      script = command;
+    };
+  in {
+    choclo = simpledaemon "choclo signalling server" "/root/simple-signalling/target/release/chaski -b 127.0.0.1:5000";
+    wasi = simpledaemon "wasi backend" "/root/wasi-minimal/target/release/wasi";
+    picarones = simpledaemon "picarones backend" "/root/picarones-server/target/release/picarones -b 127.0.0.1:6000";
+  };
+
+  services.nginx = {
+    virtualHosts = 
+      let websocketproxy = addr: {
+        locations."/".proxyPass = addr;
+        forceSSL = true;
+        enableACME = true;
+        locations."/".proxyWebsockets = true;
+      };
+    in {
+      "wasi.stuebinm.eu" = websocketproxy "http://127.0.0.1:9000";
+      "choclo.stuebinm.eu" = websocketproxy "http://127.0.0.1:5000";
+      "picarones.stuebinm.eu" = websocketproxy "http://127.0.0.1:6000";
+    };
+  };
+
+
+}
diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix
new file mode 100644
index 0000000..4ce2256
--- /dev/null
+++ b/hosts/flora/services/hedgedoc.nix
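Review bot: `simpledaemon` sets only `serviceConfig.Type = "simple"`, so all three Internet-facing daemons (choclo, wasi, picarones, each reverse-proxied by nginx) run as root and execute binaries from `/root/...` that live outside the Nix store and are not rebuilt with the system. Once those binaries are packaged, or at least moved somewhere an unprivileged user can read, `serviceConfig = { Type = "simple"; DynamicUser = true; };` inside `simpledaemon` would drop root for all three units at once. The wasi unit passes no `-b` bind address while nginx proxies to `http://127.0.0.1:9000`; presumably that is the binary's built-in default, but a comment recording the expected port would prevent a silent mismatch.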
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+{
+    # Container containing CodiMD and its database
+  # has its own internal network; needs a reverse-proxy to be reachable from the outside
+  # TODO: persistent memory for pads
+  containers.codimd = { 
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress6 = "fd00::42:10";
+    localAddress6 = "fd00::42:11";
+    
+    config = {config, pkgs, ... }: {
+      # open CodiMD port
+      networking.firewall.allowedTCPPorts = [ config.services.codimd.configuration.port ];
+
+      # database (postgres 11), with default database reachable for CodiMD; no imperative config needed!
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql_11;
+        ensureDatabases = [ "codimd" ];
+        ensureUsers = [ {
+          name = "codimd";
+          ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES";};
+        } ];
+        # ugly workaround to allow CodiMD to login without password — this service has lots of options,
+        # but apparently not for authentification, which even needs to be forced …
+        authentication = pkgs.lib.mkForce ''
+            # Generated file; do not edit! 
+            local all all              trust
+            host  codimd codimd ::1/128      trust
+          '';
+      };
+      # CodiMD itself
+      services.hedgedoc = {
+        enable = true;
+        workDir = "/var/codimd/";
+        configuration = {
+          dbURL = "postgres:///codimd";
+          port = 3000;
+          domain = "nix.stuebinm.eu";
+          urlAddPort = false;
+          protocolUseSSL = true;
+          allowPDFExport = true;
+          host = "::";
+          allowEmailRegister = false;
+          allowFreeURL = true;
+          uploadsPath = "/var/codimd/uploads";
+          #email = false;
+        };
+      };
+    };
+  };
+
+    
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx.virtualHosts."nix.stuebinm.eu" = {
+    locations."/" = {
+      proxyPass = "http://[" + config.containers.codimd.localAddress6 + "]:3000";
+      proxyWebsockets = true;
+    };
+    forceSSL = true;
+    enableACME = true;
+  };
+}
diff --git a/hosts/flora/services/nginx.nix b/hosts/flora/services/nginx.nix
new file mode 100644
index 0000000..5d21a14
--- /dev/null
+++ b/hosts/flora/services/nginx.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+    
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+  
+   # virtualHosts = {
+   #   "stuebinm.eu" = {
+   #     forceSSL = true;
+   #     enableACME = true;
+   #     root = "/var/www/stats";
+   #   };
+   # };
+  };
+}
diff --git a/hosts/flora/services/workadventure.nix b/hosts/flora/services/workadventure.nix
new file mode 100644
index 0000000..f38f5da
--- /dev/null
+++ b/hosts/flora/services/workadventure.nix
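Review bot: The forced pg_hba line `local all all trust` lets any process inside the container connect as any PostgreSQL role, including the `postgres` superuser, whereas the stated goal is only a passwordless login for codimd; narrowing it to `local codimd codimd trust` (or `peer` authentication, since hedgedoc runs under a system user of the same name) keeps the workaround without the extra privilege, and the `host codimd codimd ::1/128 trust` line already shows the scoped form. Exposure is limited by `privateNetwork = true`, but it still deserves a comment stating that the trust line is intended to cover only the codimd role. Separately, the firewall line reads `config.services.codimd.configuration.port` while the service itself is configured under `services.hedgedoc`; this presumably resolves through a renamed-option alias, but `config.services.hedgedoc.configuration.port` keeps both references on the same option name and survives the alias being dropped.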
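Review bot: Every vhost in this commit sets `enableACME = true`, yet none of the six files sets `security.acme.acceptTerms` or `security.acme.email`; the acme module on the 20.09 release this host pins refuses to evaluate without the terms acceptance unless it is provided by a module outside this commit. If it is set elsewhere, a comment in this file such as `# ACME terms and contact address are set in <path to that module>` would tell a reader where certificate issuance is configured. The commented-out `stuebinm.eu` vhost block is also left without a note on why it is disabled.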
@@ -0,0 +1,104 @@
+{pkgs, config, ...}:
+
+
+let
+  haccpkgssrc = pkgs.fetchgit {
+    url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+    rev = "a4ffb828aadf5ffd54a269f8a9ec9553c016069b";
+    sha256 = "12qfisfwr170b94j12rhy2q3smrwc7a3nh6xzbxlphnr3vadplvz";
+  };
+  haccpkgs = import "${haccpkgssrc}";
+  fediventure = pkgs.fetchgit {
+    url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple";
+    rev = "f32d3c5efd39df558f80b862c60b2866c567d999";
+    sha256 = "0kdb29hzh6s7rsz8s9z40hsmj09rrww1lcyfdi7wpng9ixi1jfvx";
+  };
+in
+
+{
+
+  containers.wa-test = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress6 = "fd00::42:20";
+    localAddress6 = "fd00::42:21";
+    
+    config = {config, pkgs, ...}: {
+      imports = [ "${fediventure}/workadventure.nix"  ];
+      networking.firewall.allowedTCPPorts = [ 80 443 5000 7890 ];
+
+      services.workadventure.instances."space.stuebinm.eu" = {
+        nginx.default = true;
+        nginx.domain = "space.stuebinm.eu";
+        maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+        frontend.settings.startRoomUrl = "space.stuebinm.eu/maps/main.json";
+        frontend.settings = {
+          stunServer = "stun:chaski.stuebinm.eu:3478";
+          turnServer = "turn:95.217.159.23";
+          turnUser = "chaski";
+          turnPassword = "chaski";
+          jitsiUrl = "meet.ffmuc.net";
+        };
+      };
+      
+      services.prometheus = {
+        enable = true;
+        port = 9001;
+        scrapeConfigs = [ {
+          job_name = "workadventure-back";
+          static_configs = [ {
+            targets = [ "localhost:8080" ];
+          } ];
+        } ];
+      };
+      
+      services.grafana = {
+        enable = true;
+        port = 5000;
+        addr = "[::]";
+        rootUrl = "https://space.stuebinm.eu/metrics/";
+        auth.anonymous.enable = true;
+        provision = {
+          enable = true;
+          datasources = 
[ {
+            name = "workadventure";
+            type = "prometheus";
+            url = "http://localhost:9001";
+          } ];
+        };
+      };
+
+      systemd.services.goaccess = {
+        enable = true;
+        description = "Uses goaccess to publish a neat acces log on /var/www/index.html";
+        requires = [ "nginx.service" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig.Type = "simple";
+        path = [ pkgs.goaccess ];
+        environment = {"HOME" = "/tmp";}; # necessary as goaccess will crash otherwise — is fixed upstream, but not yet in nixos
+        script = ''
+            mkdir -p /var/www-goaccess/
+            goaccess /var/log/nginx/access.log -o /var/www-goaccess/index.html --log-format=COMBINED --html
+        '';
+      };
+
+      services.nginx.virtualHosts."space.stuebinm.eu" = {
+        locations."/stats/".alias = "/var/www-goaccess/";
+      };
+    };
+  };
+  
+  services.nginx.virtualHosts."space.stuebinm.eu" = {
+     extraConfig = ''
+       proxy_read_timeout 300s;
+       proxy_connect_timeout 75s;
+     '';
+     locations."/metrics/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:5000/";
+     locations."/metrics/".proxyWebsockets = true;
+     locations."/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:80";
+     locations."/".proxyWebsockets = true;
+     enableACME = true;
+     forceSSL = true;
+  };
+}
+
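Review bot: `turnUser = "chaski"` with `turnPassword = "chaski"` is a static, trivially guessable TURN credential; frontend settings are delivered to every browser anyway, so the concern is not that it sits in the repository but that a long-lived trivial secret lets anyone relay arbitrary traffic through the TURN server at 95.217.159.23. If that server is coturn, its time-limited credential mode (`use-auth-secret` with a shared secret kept outside this file) is the usual mitigation; otherwise at least a non-trivial secret sourced outside the repo. In the goaccess unit, the `description` names `/var/www/index.html` while the script writes `/var/www-goaccess/index.html`, and with `serviceConfig.Type = "simple"` and no loop the report is generated once at container start, so a systemd timer or goaccess's `--real-time-html` mode is needed if `/stats/` is meant to stay current; a comment stating which behaviour is intended would settle it. Grafana is also reachable publicly under `/metrics/` with `auth.anonymous.enable = true`, which is acceptable for a read-only dashboard but should be recorded as deliberate next to that line.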
