From deba8c91eb4892c31864c7d03506eb70cae1baff Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Fri, 19 Mar 2021 22:53:25 +0100
Subject: migrating chaski config
---
hosts/chaski/configuration.nix | 81 +++++++++++++++++++++++++++++++++
hosts/chaski/hardware-configuration.nix | 23 ++++++++++
hosts/chaski/services/cgit.nix | 79 ++++++++++++++++++++++++++++++++
hosts/chaski/services/coturn.nix | 57 +++++++++++++++++++++++
4 files changed, 240 insertions(+)
create mode 100644 hosts/chaski/configuration.nix
create mode 100644 hosts/chaski/hardware-configuration.nix
create mode 100644 hosts/chaski/services/cgit.nix
create mode 100644 hosts/chaski/services/coturn.nix
diff --git a/hosts/chaski/configuration.nix b/hosts/chaski/configuration.nix
new file mode 100644
index 0000000..6aa24bc
--- /dev/null
+++ b/hosts/chaski/configuration.nix
@@ -0,0 +1,81 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./services/coturn.nix
+ ./services/cgit.nix
+ ];
+
+ hexchen.deploy = {
+ ssh.host = "chaski";
+ };
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+
+ networking.hostName = "chaski"; # Define your hostname.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Amsterdam";
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.ens10.useDHCP = true;
+ networking.interfaces.ens3.useDHCP = true;
+
+ environment.systemPackages = with pkgs; [
+ wget curl htop iftop vim git
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.09"; # Did you read the comment?
+
+ boot.loader.grub.devices = [ "/dev/sda" ];
+ # Initial empty root password for easy login:
+ users.users.root.initialHashedPassword = "";
+ services.openssh.permitRootLogin = "prohibit-password";
+ services.openssh.enable = true;
+ # Replace this by your SSH pubkey
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ ];
+
+ users.users.git = {
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+ home = "/var/git";
+ isNormalUser = true;
+ };
+
+ security.sudo.enable = false;
+
+ security.acme = {
+ acceptTerms = true;
+ email = "stuebinm@disroot.org";
+ };
+
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."stuebinm.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 442 ];
+}
+
diff --git a/hosts/chaski/hardware-configuration.nix b/hosts/chaski/hardware-configuration.nix
new file mode 100644
index 0000000..54fbcba
--- /dev/null
+++ b/hosts/chaski/hardware-configuration.nix
@@ -0,0 +1,23 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/5beea4aa-5ea3-4518-9b7d-97f289be92ea";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+}
diff --git a/hosts/chaski/services/cgit.nix b/hosts/chaski/services/cgit.nix
new file mode 100644
index 0000000..abe69e5
--- /dev/null
+++ b/hosts/chaski/services/cgit.nix
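Review bot: The firewall line near the end of the configuration.nix hunk, `networking.firewall.allowedTCPPorts = [ 80 442 ];`, opens 442 rather than 443, so the `stuebinm.eu` vhost that `forceSSL = true` redirects every request to is unreachable from outside, and the `/git/` location that cgit.nix in this commit attaches to the same vhost is blocked with it; unless 442 is deliberate, change it to `networking.firewall.allowedTCPPorts = [ 80 443 ];`. Separately, `users.users.root.initialHashedPassword = ""` gives root an empty password at first boot; `permitRootLogin = "prohibit-password"` keeps that away from SSH, but it still applies to console or serial logins, and since an authorized key is configured a few lines below, the empty password and the `# Replace this by your SSH pubkey` comment both look like leftovers of the install template. If the empty password is kept on purpose, the `# Initial empty root password for easy login:` comment should say which login path it is meant for and that it is expected to be changed after the first login.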
@@ -0,0 +1,79 @@
+{pkgs, config, ...}:
+
+{
+ containers.cgit = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:12";
+ localAddress6 = "fd00::42:13";
+
+ bindMounts."/git" = {
+ hostPath = "/var/git/public";
+ isReadOnly = true;
+ };
+
+ config = {pkgs, config, ...}: {
+ services.lighttpd.enable = true;
+ services.lighttpd.extraConfig = ''server.use-ipv6 = "enable"'';
+ services.lighttpd.cgit = {
+ enable = true;
+ subdir = "git";
+ configText = ''
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ cache-size=1000
+ logo=/git/cgit.png
+ favicon=/git/favicon.ico
+
+ # take css from an assumed repo `config`
+ css=/git/config/plain/cgit.css
+
+ # remove .git extensions from repo names
+ remove-suffix=1
+
+ # readme formats which may be parsed
+ readme=:README.md
+ readme=:README
+ readme=:README.txt
+ readme=:README.org
+
+ # allow cloning repos
+ enable-http-clone=1
+
+ enable-follow-links=1
+ enable-html-serving=1
+ enable-index-owner=0
+
+ mimetype.css=text/css
+ mimetype.jpg=image/jpeg
+ mimetype.jpeg=image/jpeg
+ mimetype.pdf=application/pdf
+ mimetype.png=image/png
+ mimetype.svg=image/svg+xml
+
+ # some nice formatting
+ root-title=An Assortment of Stuff
+ root-desc=hand-squished into git repos
+ enable-commit-graph=1
+ enable-log-linecount=1
+ enable-log-filecount=1
+ branch-sort=age
+ # suppress email addresses in html logs
+ noplainemail=1
+
+ # maximum file size for plain blobs in kilobyte
+ max-blob-size=100
+
+ cache-scanrc-ttl=1
+
+ scan-path=/git
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ };
+ };
+
+ services.nginx.recommendedProxySettings = true;
+ services.nginx.virtualHosts."stuebinm.eu".locations."/git/".proxyPass = "http://[${config.containers.cgit.localAddress6}]";
+}
diff --git a/hosts/chaski/services/coturn.nix b/hosts/chaski/services/coturn.nix
new file mode 100644
index 0000000..9a2211f
--- /dev/null
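Review bot: `enable-html-serving=1` in the configText lets any file committed to a repo under `scan-path=/git` (the read-only mount of `/var/git/public`) be served as HTML, and because the `/git/` location proxies the container onto the `stuebinm.eu` vhost, such a page runs in that site's origin with its cookies; cgit's own documentation flags the option as unsafe for repositories whose content is not fully trusted. In this commit the git user reuses root's authorized keys, so only a key holder can push and the exposure is contained, but that is an assumption the file should state, e.g. `# serves repo blobs as text/html from the stuebinm.eu origin; only safe while every repo in /var/git/public is trusted`. The `mimetype.svg=image/svg+xml` line deserves the same note, since inline SVG can carry script as well. Note also that the inner `config = {pkgs, config, ...}:` shadows the outer `config`, while the `proxyPass` line at the bottom relies on the outer one; a short comment on the container line would save the next reader the double take.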
+++ b/hosts/chaski/services/coturn.nix
@@ -0,0 +1,57 @@
+{pkgs, config, ...}:
+
+{
+ services.coturn = {
+ enable = true;
+ realm = "chaski.stuebinm.eu";
+# static-auth-secret = "chaski";
+# use-auth-secret = true;
+ no-cli = true;
+# no-tcp-relay = true;
+ lt-cred-mech = true;
+ extraConfig = ''
+ verbose
+ fingerprint
+ external-ip=95.217.159.23
+ user=chaski:chaski
+ server-name=chaski.stuebinm.eu
+ #mobility
+ #listening-ip=95.217.159.23
+ prometheus
+ '';
+
+ cert = config.security.acme.certs."chaski.stuebinm.eu".directory + "full.pem";
+ pkey = config.security.acme.certs."chaski.stuebinm.eu".directory + "key.pem";
+ };
+
+ security.acme = {
+ email = "stuebinm@disroot.org";
+ acceptTerms = true;
+ };
+
+ # just here to serve acme challanges
+ services.nginx = {
+ enable = true;
+ user = "turnserver";
+ virtualHosts."chaski.stuebinm.eu" = {
+ root = "/var/www";
+ enableACME = true;
+ };
+ };
+
+ networking.firewall = with config.services.coturn; {
+ allowedTCPPorts = [
+ 80 # for acme challanges
+ listening-port tls-listening-port
+ (listening-port +1) (tls-listening-port +1)
+ ];
+ allowedUDPPorts = [
+ listening-port
+ tls-listening-port
+ (listening-port +1) (tls-listening-port +1)
+ ];
+ allowedUDPPortRanges = [
+ { from = min-port; to = max-port; }
+ ];
+ };
+}
-- cgit v1.2.3
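Review bot: The `cert` and `pkey` lines join `.directory` to `"full.pem"` and `"key.pem"` with no separator, so unless the ACME module's `directory` value ends in a slash (its default `/var/lib/acme/<name>` does not) coturn is pointed at a path like `/var/lib/acme/chaski.stuebinm.eufull.pem` and will not find its certificate for `tls-listening-port`; change them to `cert = config.security.acme.certs."chaski.stuebinm.eu".directory + "/full.pem";` and `pkey = config.security.acme.certs."chaski.stuebinm.eu".directory + "/key.pem";`. The extraConfig also commits a static long-term credential, `user=chaski:chaski`, which with `lt-cred-mech = true`, the public `external-ip` and the relay port range opened in the firewall block below means the repository contents alone are enough for anyone to relay through this host; the credential should be read from a file outside the repo (the commented `static-auth-secret`/`use-auth-secret` lines suggest the time-limited scheme was already considered), with a comment here naming where it lives. Both `# just here to serve acme challanges` and the `80 # for acme challanges` port comment misspell "challenges".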