From deba8c91eb4892c31864c7d03506eb70cae1baff Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Fri, 19 Mar 2021 22:53:25 +0100
Subject: migrating chaski config
---
 hosts/chaski/services/cgit.nix | 79 ++++++++++++++++++++++++++++++++++++++++
 hosts/chaski/services/coturn.nix | 57 +++++++++++++++++++++++++++++
 2 files changed, 136 insertions(+)
 create mode 100644 hosts/chaski/services/cgit.nix
 create mode 100644 hosts/chaski/services/coturn.nix
(limited to 'hosts/chaski/services')
diff --git a/hosts/chaski/services/cgit.nix b/hosts/chaski/services/cgit.nix
new file mode 100644
index 0000000..abe69e5
--- /dev/null
+++ b/hosts/chaski/services/cgit.nix
@@ -0,0 +1,79 @@
+{pkgs, config, ...}:
+
+{
+ containers.cgit = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:12";
+ localAddress6 = "fd00::42:13";
+
+ bindMounts."/git" = {
+ hostPath = "/var/git/public";
+ isReadOnly = true;
+ };
+
+ config = {pkgs, config, ...}: {
+ services.lighttpd.enable = true;
+ services.lighttpd.extraConfig = ''server.use-ipv6 = "enable"'';
+ services.lighttpd.cgit = {
+ enable = true;
+ subdir = "git";
+ configText = ''
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ cache-size=1000
+ logo=/git/cgit.png
+ favicon=/git/favicon.ico
+
+ # take css from an assumed repo `config`
+ css=/git/config/plain/cgit.css
+
+ # remove .git extensions from repo names
+ remove-suffix=1
+
+ # readme formats which may be parsed
+ readme=:README.md
+ readme=:README
+ readme=:README.txt
+ readme=:README.org
+
+ # allow cloning repos
+ enable-http-clone=1
+
+ enable-follow-links=1
+ enable-html-serving=1
+ enable-index-owner=0
+
+ mimetype.css=text/css
+ mimetype.jpg=image/jpeg
+ mimetype.jpeg=image/jpeg
+ mimetype.pdf=application/pdf
+ mimetype.png=image/png
+ mimetype.svg=image/svg+xml
+
+ # some nice formatting
+ root-title=An Assortment of Stuff
+ root-desc=hand-squished into git repos
+ enable-commit-graph=1
+ enable-log-linecount=1
+ enable-log-filecount=1
+ branch-sort=age
+ # suppress email addresses in html logs
+ noplainemail=1
+
+ # maximum file size for plain blobs in kilobyte
+ max-blob-size=100
+
+ cache-scanrc-ttl=1
+
+ scan-path=/git
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ };
+ };
+
+ services.nginx.recommendedProxySettings = true;
+ services.nginx.virtualHosts."stuebinm.eu".locations."/git/".proxyPass = "http://[${config.containers.cgit.localAddress6}]";
+}
diff --git a/hosts/chaski/services/coturn.nix b/hosts/chaski/services/coturn.nix
new file mode 100644
index 0000000..9a2211f
--- /dev/null
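Review bot: `enable-html-serving=1` combined with the nginx location that proxies `/git/` on `stuebinm.eu` means an HTML blob in any repository under `/var/git/public` is rendered by the browser in the main site's origin, which cgitrc's own documentation for this option flags as a cross-site-scripting risk. That is acceptable while only the host owner can push to those repositories, but the trade-off should be recorded next to the option: `# enable-html-serving renders repo HTML in stuebinm.eu's origin; keep /var/git/public owner-only`. If other contributors ever get write access, serve cgit under its own hostname or restrict the `/git/` location with a Content-Security-Policy header in nginx rather than relying on the read-only bind mount, which only protects the host's copy, not the visitors.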
+++ b/hosts/chaski/services/coturn.nix
@@ -0,0 +1,57 @@
+{pkgs, config, ...}:
+
+{
+ services.coturn = {
+ enable = true;
+ realm = "chaski.stuebinm.eu";
+# static-auth-secret = "chaski";
+# use-auth-secret = true;
+ no-cli = true;
+# no-tcp-relay = true;
+ lt-cred-mech = true;
+ extraConfig = ''
+ verbose
+ fingerprint
+ external-ip=95.217.159.23
+ user=chaski:chaski
+ server-name=chaski.stuebinm.eu
+ #mobility
+ #listening-ip=95.217.159.23
+ prometheus
+ '';
+
+ cert = config.security.acme.certs."chaski.stuebinm.eu".directory + "full.pem";
+ pkey = config.security.acme.certs."chaski.stuebinm.eu".directory + "key.pem";
+ };
+
+ security.acme = {
+ email = "stuebinm@disroot.org";
+ acceptTerms = true;
+ };
+
+ # just here to serve acme challanges
+ services.nginx = {
+ enable = true;
+ user = "turnserver";
+ virtualHosts."chaski.stuebinm.eu" = {
+ root = "/var/www";
+ enableACME = true;
+ };
+ };
+
+ networking.firewall = with config.services.coturn; {
+ allowedTCPPorts = [
+ 80 # for acme challanges
+ listening-port tls-listening-port
+ (listening-port +1) (tls-listening-port +1)
+ ];
+ allowedUDPPorts = [
+ listening-port
+ tls-listening-port
+ (listening-port +1) (tls-listening-port +1)
+ ];
+ allowedUDPPortRanges = [
+ { from = min-port; to = max-port; }
+ ];
+ };
+}
-- 
cgit v1.2.3
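Review bot: `user=chaski:chaski` in `extraConfig` commits a trivially guessable long-term credential to git, and since the module renders `extraConfig` into the generated turnserver.conf (which, as far as I can tell, lands in the world-readable Nix store) every local user can read it too; with `lt-cred-mech = true` and the relay ports opened in `networking.firewall` below, whoever holds it can relay arbitrary traffic through this host. Keep the secret out of the expression, e.g. `use-auth-secret = true;` with the `static-auth-secret-file` option if the module version in use provides it, or a `userdb` file referenced from `extraConfig`, and generate a random value instead of reusing the hostname. Separately, `cert` and `pkey` concatenate `directory` and the file name without a separator, so the paths resolve to `…/chaski.stuebinm.eufull.pem` and `…/chaski.stuebinm.eukey.pem` unless `directory` happens to carry a trailing slash; `cert = "${config.security.acme.certs."chaski.stuebinm.eu".directory}/full.pem";` and the matching `pkey` line fix that. Running nginx as `user = "turnserver"` only to let coturn read the ACME key merges the two services' privileges; `security.acme.certs."chaski.stuebinm.eu".group = "turnserver";` plus `users.users.nginx.extraGroups = [ "turnserver" ];` grants the read access without sharing the identity, and a `postRun` hook on that cert is still needed so coturn picks up renewed certificates.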