From d96fbd63510048bf56d3d600a65f7983096c1bb1 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Wed, 3 Mar 2021 00:51:39 +0100 Subject: migrating config This deploy logic is primarily based on hxchn's deploy lib [1], with some slight modifications to make it work with my setup. Everything seems to work fine for now. However, I am unsure about the usage of niv — the config doesn't seem to gain much from it, apart from (some) additional complexity. [1] https://gitlab.com/hexchen/nixfiles --- hosts/flora/configuration.nix | 69 ++++++++++++++++++++++ hosts/flora/hardware-configuration.nix | 25 ++++++++ hosts/flora/services/daemoniones.nix | 34 +++++++++++ hosts/flora/services/hedgedoc.nix | 66 +++++++++++++++++++++ hosts/flora/services/nginx.nix | 21 +++++++ hosts/flora/services/workadventure.nix | 104 +++++++++++++++++++++++++++++++++ 6 files changed, 319 insertions(+) create mode 100644 hosts/flora/configuration.nix create mode 100644 hosts/flora/hardware-configuration.nix create mode 100644 hosts/flora/services/daemoniones.nix create mode 100644 hosts/flora/services/hedgedoc.nix create mode 100644 hosts/flora/services/nginx.nix create mode 100644 hosts/flora/services/workadventure.nix (limited to 'hosts/flora') diff --git a/hosts/flora/configuration.nix b/hosts/flora/configuration.nix new file mode 100644 index 0000000..43f7f8e --- /dev/null +++ b/hosts/flora/configuration.nix @@ -0,0 +1,69 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./services/hedgedoc.nix + ./services/daemoniones.nix + ./services/nginx.nix + ./services/workadventure.nix + # ./services/pleroma + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.devices = [ "/dev/sda" ]; + + hexchen.deploy = { + ssh.host = "flora"; + }; + + networking = { + hostName = "flora"; + + #enableIPv6 = true; + #defaultGateway6 = { + # address = "fe80::1"; + # interface = "ens3"; + #}; + + #interfaces.ens3.ipv6.addresses = [ { + # address = "2a01:4f9:c010:d319::1"; + # prefixLength = 64; + #} ]; + + useDHCP = false; + interfaces.ens3.useDHCP = true; + + firewall.logRefusedConnections = false; + }; + + services.fail2ban = { + enable = true; + bantime-increment.enable = true; + bantime-increment.overalljails = true; + bantime-increment.maxtime = "1312m"; + }; + + services.logrotate = { + enable = true; + paths.nginx = { + path = "/var/log/nginx"; + frequency = "weekly"; + }; + }; + + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system = { + stateVersion = "20.09"; # Did you read the comment? + }; + +} + diff --git a/hosts/flora/hardware-configuration.nix b/hosts/flora/hardware-configuration.nix new file mode 100644 index 0000000..faac1af --- /dev/null +++ b/hosts/flora/hardware-configuration.nix @@ -0,0 +1,25 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/5d31cad5-9076-4d2f-93f6-6af817bc368b"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 1; +} + diff --git a/hosts/flora/services/daemoniones.nix b/hosts/flora/services/daemoniones.nix new file mode 100644 index 0000000..6c96b3c --- /dev/null +++ b/hosts/flora/services/daemoniones.nix @@ -0,0 +1,34 @@ +{ config, pkgs, ...}: + +{ + systemd.services = + let simpledaemon = name: command: { + enable = true; + description = name; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "simple"; + script = command; + }; + in { + choclo = simpledaemon "choclo signalling server" "/root/simple-signalling/target/release/chaski -b 127.0.0.1:5000"; + wasi = simpledaemon "wasi backend" "/root/wasi-minimal/target/release/wasi"; + picarones = simpledaemon "picarones backend" "/root/picarones-server/target/release/picarones -b 127.0.0.1:6000"; + }; + + services.nginx = { + virtualHosts = + let websocketproxy = addr: { + locations."/".proxyPass = addr; + forceSSL = true; + enableACME = true; + locations."/".proxyWebsockets = true; + }; + in { + "wasi.stuebinm.eu" = websocketproxy "http://127.0.0.1:9000"; + "choclo.stuebinm.eu" = websocketproxy "http://127.0.0.1:5000"; + "picarones.stuebinm.eu" = websocketproxy "http://127.0.0.1:6000"; + }; + }; + + +} diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix new file mode 100644 index 0000000..4ce2256 --- /dev/null +++ b/hosts/flora/services/hedgedoc.nix @@ -0,0 +1,66 @@ +{ config, lib, pkgs, ... }: + +{ + # Container containing CodiMD and its database + # has its own internal network; needs a reverse-proxy to be reachable from the outside + # TODO: persistent memory for pads + containers.codimd = { + autoStart = true; + privateNetwork = true; + hostAddress6 = "fd00::42:10"; + localAddress6 = "fd00::42:11"; + + config = {config, pkgs, ... }: { + # open CodiMD port + networking.firewall.allowedTCPPorts = [ config.services.codimd.configuration.port ]; + + # database (postgres 11), with default database reachable for CodiMD; no imperative config needed! + services.postgresql = { + enable = true; + package = pkgs.postgresql_11; + ensureDatabases = [ "codimd" ]; + ensureUsers = [ { + name = "codimd"; + ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES";}; + } ]; + # ugly workaround to allow CodiMD to login without password — this service has lots of options, + # but apparently not for authentification, which even needs to be forced … + authentication = pkgs.lib.mkForce '' + # Generated file; do not edit! + local all all trust + host codimd codimd ::1/128 trust + ''; + }; + # CodiMD itself + services.hedgedoc = { + enable = true; + workDir = "/var/codimd/"; + configuration = { + dbURL = "postgres:///codimd"; + port = 3000; + domain = "nix.stuebinm.eu"; + urlAddPort = false; + protocolUseSSL = true; + allowPDFExport = true; + host = "::"; + allowEmailRegister = false; + allowFreeURL = true; + uploadsPath = "/var/codimd/uploads"; + #email = false; + }; + }; + }; + }; + + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.nginx.virtualHosts."nix.stuebinm.eu" = { + locations."/" = { + proxyPass = "http://[" + config.containers.codimd.localAddress6 + "]:3000"; + proxyWebsockets = true; + }; + forceSSL = true; + enableACME = true; + }; +} diff --git a/hosts/flora/services/nginx.nix b/hosts/flora/services/nginx.nix new file mode 100644 index 0000000..5d21a14 --- /dev/null +++ b/hosts/flora/services/nginx.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +{ + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.nginx = { + enable = true; + + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + + # virtualHosts = { + # "stuebinm.eu" = { + # forceSSL = true; + # enableACME = true; + # root = "/var/www/stats"; + # }; + # }; + }; +} diff --git a/hosts/flora/services/workadventure.nix b/hosts/flora/services/workadventure.nix new file mode 100644 index 0000000..f38f5da --- /dev/null +++ b/hosts/flora/services/workadventure.nix @@ -0,0 +1,104 @@ +{pkgs, config, ...}: + + +let + haccpkgssrc = pkgs.fetchgit { + url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc"; + rev = "a4ffb828aadf5ffd54a269f8a9ec9553c016069b"; + sha256 = "12qfisfwr170b94j12rhy2q3smrwc7a3nh6xzbxlphnr3vadplvz"; + }; + haccpkgs = import "${haccpkgssrc}"; + fediventure = pkgs.fetchgit { + url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple"; + rev = "f32d3c5efd39df558f80b862c60b2866c567d999"; + sha256 = "0kdb29hzh6s7rsz8s9z40hsmj09rrww1lcyfdi7wpng9ixi1jfvx"; + }; +in + +{ + + containers.wa-test = { + autoStart = true; + privateNetwork = true; + hostAddress6 = "fd00::42:20"; + localAddress6 = "fd00::42:21"; + + config = {config, pkgs, ...}: { + imports = [ "${fediventure}/workadventure.nix" ]; + networking.firewall.allowedTCPPorts = [ 80 443 5000 7890 ]; + + services.workadventure.instances."space.stuebinm.eu" = { + nginx.default = true; + nginx.domain = "space.stuebinm.eu"; + maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/"; + frontend.settings.startRoomUrl = "space.stuebinm.eu/maps/main.json"; + frontend.settings = { + stunServer = "stun:chaski.stuebinm.eu:3478"; + turnServer = "turn:95.217.159.23"; + turnUser = "chaski"; + turnPassword = "chaski"; + jitsiUrl = "meet.ffmuc.net"; + }; + }; + + services.prometheus = { + enable = true; + port = 9001; + scrapeConfigs = [ { + job_name = "workadventure-back"; + static_configs = [ { + targets = [ "localhost:8080" ]; + } ]; + } ]; + }; + + services.grafana = { + enable = true; + port = 5000; + addr = "[::]"; + rootUrl = "https://space.stuebinm.eu/metrics/"; + auth.anonymous.enable = true; + provision = { + enable = true; + datasources = [ { + name = "workadventure"; + type = "prometheus"; + url = "http://localhost:9001"; + } ]; + }; + }; + + systemd.services.goaccess = { + enable = true; + description = "Uses goaccess to publish a neat acces log on /var/www/index.html"; + requires = [ "nginx.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "simple"; + path = [ pkgs.goaccess ]; + environment = {"HOME" = "/tmp";}; # necessary as goaccess will crash otherwise — is fixed upstream, but not yet in nixos + script = '' + mkdir -p /var/www-goaccess/ + goaccess /var/log/nginx/access.log -o /var/www-goaccess/index.html --log-format=COMBINED --html + ''; + }; + + services.nginx.virtualHosts."space.stuebinm.eu" = { + locations."/stats/".alias = "/var/www-goaccess/"; + }; + }; + }; + + services.nginx.virtualHosts."space.stuebinm.eu" = { + extraConfig = '' + proxy_read_timeout 300s; + proxy_connect_timeout 75s; + ''; + locations."/metrics/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:5000/"; + locations."/metrics/".proxyWebsockets = true; + locations."/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:80"; + locations."/".proxyWebsockets = true; + enableACME = true; + forceSSL = true; + }; +} + -- cgit v1.2.3