From d96fbd63510048bf56d3d600a65f7983096c1bb1 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Wed, 3 Mar 2021 00:51:39 +0100
Subject: migrating config

This deploy logic is primarily based on hxchn's deploy lib [1], with some
slight modifications to make it work with my setup. Everything seems to work
fine for now.

However, I am unsure about the usage of niv — the config doesn't seem to gain
much from it, apart from (some) additional complexity.

[1] https://gitlab.com/hexchen/nixfiles
---
 hosts/flora/configuration.nix          |  69 ++++++++++++++++++++++
 hosts/flora/hardware-configuration.nix |  25 ++++++++
 hosts/flora/services/daemoniones.nix   |  34 +++++++++++
 hosts/flora/services/hedgedoc.nix      |  66 +++++++++++++++++++++
 hosts/flora/services/nginx.nix         |  21 +++++++
 hosts/flora/services/workadventure.nix | 104 +++++++++++++++++++++++++++++++++
 6 files changed, 319 insertions(+)
 create mode 100644 hosts/flora/configuration.nix
 create mode 100644 hosts/flora/hardware-configuration.nix
 create mode 100644 hosts/flora/services/daemoniones.nix
 create mode 100644 hosts/flora/services/hedgedoc.nix
 create mode 100644 hosts/flora/services/nginx.nix
 create mode 100644 hosts/flora/services/workadventure.nix


diff --git a/hosts/flora/configuration.nix b/hosts/flora/configuration.nix
new file mode 100644
index 0000000..43f7f8e
--- /dev/null
+++ b/hosts/flora/configuration.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./services/hedgedoc.nix
+    ./services/daemoniones.nix
+    ./services/nginx.nix
+    ./services/workadventure.nix
+    # ./services/pleroma
+  ];
+  
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.devices = [ "/dev/sda" ];
+
+  hexchen.deploy = {
+    ssh.host = "flora";
+  };
+
+  networking = {
+    hostName = "flora";
+    
+    #enableIPv6 = true;
+    #defaultGateway6 = {
+    #  address = "fe80::1";
+    #  interface = "ens3";
+    #};
+    
+    #interfaces.ens3.ipv6.addresses = [ {
+    #  address = "2a01:4f9:c010:d319::1";
+    #  prefixLength = 64;
+    #} ]; 
+    
+    useDHCP = false;
+    interfaces.ens3.useDHCP = true;
+
+    firewall.logRefusedConnections = false;
+  };
+
+  services.fail2ban = {
+    enable = true;
+    bantime-increment.enable = true;
+    bantime-increment.overalljails = true;
+    bantime-increment.maxtime = "1312m";
+  };
+  
+  services.logrotate = {
+    enable = true;
+    paths.nginx = {
+      path = "/var/log/nginx";
+      frequency = "weekly";
+    };
+  };
+
+  
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system = {
+    stateVersion = "20.09"; # Did you read the comment?
+  };
+
+}
+
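Review bot: The host is managed over SSH (`hexchen.deploy.ssh.host = "flora"`) but no `services.openssh` settings appear in this file, so password authentication and root login stay at the module defaults (on 20.09 password auth is still enabled, as far as I recall) unless the imported deploy lib sets them; fail2ban only slows a brute-force attempt, it does not replace key-only auth. I would pin the policy next to the fail2ban block: `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` (the deploy lib presumably logs in as root over a key, which that value keeps working). Separately, `firewall.logRefusedConnections = false` drops the only record of rejected traffic; since fail2ban works off service logs rather than the kernel firewall log this is a defensible noise trade-off, but it deserves a one-line comment such as `# silence kernel log spam from port scans; fail2ban reads service logs, not these`.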
diff --git a/hosts/flora/hardware-configuration.nix b/hosts/flora/hardware-configuration.nix
new file mode 100644
index 0000000..faac1af
--- /dev/null
+++ b/hosts/flora/hardware-configuration.nix
@@ -0,0 +1,25 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5d31cad5-9076-4d2f-93f6-6af817bc368b";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 1;
+}
+
diff --git a/hosts/flora/services/daemoniones.nix b/hosts/flora/services/daemoniones.nix
new file mode 100644
index 0000000..6c96b3c
--- /dev/null
+++ b/hosts/flora/services/daemoniones.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ...}:
+
+{
+  systemd.services = 
+    let simpledaemon = name: command: {
+      enable = true;
+      description = name;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Type = "simple";
+      script = command;
+    };
+  in {
+    choclo = simpledaemon "choclo signalling server" "/root/simple-signalling/target/release/chaski -b 127.0.0.1:5000";
+    wasi = simpledaemon "wasi backend" "/root/wasi-minimal/target/release/wasi";
+    picarones = simpledaemon "picarones backend" "/root/picarones-server/target/release/picarones -b 127.0.0.1:6000";
+  };
+
+  services.nginx = {
+    virtualHosts = 
+      let websocketproxy = addr: {
+        locations."/".proxyPass = addr;
+        forceSSL = true;
+        enableACME = true;
+        locations."/".proxyWebsockets = true;
+      };
+    in {
+      "wasi.stuebinm.eu" = websocketproxy "http://127.0.0.1:9000";
+      "choclo.stuebinm.eu" = websocketproxy "http://127.0.0.1:5000";
+      "picarones.stuebinm.eu" = websocketproxy "http://127.0.0.1:6000";
+    };
+  };
+
+
+}
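Review bot: Every unit built by `simpledaemon` runs as root with no `User`/`DynamicUser` and no sandboxing, and the binaries are started from build trees under `/root/...` outside the Nix store, while all three listeners are reachable from the internet through the websocket proxies below — a bug in any of them is a root compromise of the host. Move the binaries somewhere an unprivileged account can read them (or package them with `pkgs.rustPlatform.buildRustPackage` so they live in the store; `/root` is mode 0700, so `DynamicUser` will fail until that is done) and harden the helper as sketched below. `wasi` is also started without a `-b` flag while its proxy targets `127.0.0.1:9000`; if its default bind is `0.0.0.0` it is reachable directly on the public address as well, unless the firewall happens to block it — worth confirming with `ss -ltnp` and passing an explicit bind address.

```nix
    let simpledaemon = name: command: {
      enable = true;
      description = name;
      wantedBy = [ "multi-user.target" ];
      script = command;
      serviceConfig = {
        Type = "simple";
        # drop root: a throwaway per-service user, read-only OS, no access to home dirs
        DynamicUser = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        NoNewPrivileges = true;
      };
    };
  # … unchanged: the `in { choclo = …; wasi = …; picarones = …; }` body and the nginx vhosts …
```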
diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix
new file mode 100644
index 0000000..4ce2256
--- /dev/null
+++ b/hosts/flora/services/hedgedoc.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+{
+    # Container containing CodiMD and its database
+  # has its own internal network; needs a reverse-proxy to be reachable from the outside
+  # TODO: persistent memory for pads
+  containers.codimd = { 
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress6 = "fd00::42:10";
+    localAddress6 = "fd00::42:11";
+    
+    config = {config, pkgs, ... }: {
+      # open CodiMD port
+      networking.firewall.allowedTCPPorts = [ config.services.codimd.configuration.port ];
+
+      # database (postgres 11), with default database reachable for CodiMD; no imperative config needed!
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql_11;
+        ensureDatabases = [ "codimd" ];
+        ensureUsers = [ {
+          name = "codimd";
+          ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES";};
+        } ];
+        # ugly workaround to allow CodiMD to login without password — this service has lots of options,
+        # but apparently not for authentification, which even needs to be forced …
+        authentication = pkgs.lib.mkForce ''
+            # Generated file; do not edit!
+            local all all              trust
+            host  codimd codimd ::1/128      trust
+          '';
+      };
+      # CodiMD itself
+      services.hedgedoc = {
+        enable = true;
+        workDir = "/var/codimd/";
+        configuration = {
+          dbURL = "postgres:///codimd";
+          port = 3000;
+          domain = "nix.stuebinm.eu";
+          urlAddPort = false;
+          protocolUseSSL = true;
+          allowPDFExport = true;
+          host = "::";
+          allowEmailRegister = false;
+          allowFreeURL = true;
+          uploadsPath = "/var/codimd/uploads";
+          #email = false;
+        };
+      };
+    };
+  };
+
+    
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx.virtualHosts."nix.stuebinm.eu" = {
+    locations."/" = {
+      proxyPass = "http://[" + config.containers.codimd.localAddress6 + "]:3000";
+      proxyWebsockets = true;
+    };
+    forceSSL = true;
+    enableACME = true;
+  };
+}
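Review bot: `local all all trust` in the postgresql `authentication` block lets any OS user inside the container connect as any role, including the `postgres` superuser, with no password, and the `mkForce` additionally discards the module's own rules. As far as I recall the NixOS module appends its defaults (`local all all peer`, `host … md5`) with `mkAfter`, so user-supplied lines already come first and the override is unnecessary: the whole value can become `authentication = "local codimd codimd trust";` (the `host codimd codimd ::1/128` line is unused because `dbURL = "postgres:///codimd"` connects over the Unix socket). That still trusts every local user for the `codimd` role; `peer` with an ident map to the hedgedoc service's OS user would be stricter if that user name is known for this module version. Also, `networking.firewall.allowedTCPPorts = [ config.services.codimd.configuration.port ]` reads the renamed `services.codimd` alias while the service is declared as `services.hedgedoc`; use `config.services.hedgedoc.configuration.port` before the alias is removed.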
diff --git a/hosts/flora/services/nginx.nix b/hosts/flora/services/nginx.nix
new file mode 100644
index 0000000..5d21a14
--- /dev/null
+++ b/hosts/flora/services/nginx.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+    
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+  
+   # virtualHosts = {
+   #   "stuebinm.eu" = {
+   #     forceSSL = true;
+   #     enableACME = true;
+   #     root = "/var/www/stats";
+   #   };
+   # };
+  };
+}
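Review bot: The vhosts in the sibling service files all set `enableACME = true`, yet nothing in this commit sets `security.acme.acceptTerms = true` or `security.acme.email`, which the ACME module in 20.09 requires for evaluation to succeed; if the imported deploy lib supplies them, a comment here saying so would help, since this file owns the reverse proxy. `recommendedTlsSettings` does not, to my knowledge, emit an HSTS header, so once every vhost is on `forceSSL` consider `commonHttpConfig = ''add_header Strict-Transport-Security "max-age=31536000" always;'';`. Ports 80/443 are also opened again in hedgedoc.nix; opening them only in this file avoids the duplicated list entry.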
diff --git a/hosts/flora/services/workadventure.nix b/hosts/flora/services/workadventure.nix
new file mode 100644
index 0000000..f38f5da
--- /dev/null
+++ b/hosts/flora/services/workadventure.nix
@@ -0,0 +1,104 @@
+{pkgs, config, ...}:
+
+
+let
+  haccpkgssrc = pkgs.fetchgit {
+    url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+    rev = "a4ffb828aadf5ffd54a269f8a9ec9553c016069b";
+    sha256 = "12qfisfwr170b94j12rhy2q3smrwc7a3nh6xzbxlphnr3vadplvz";
+  };
+  haccpkgs = import "${haccpkgssrc}";
+  fediventure = pkgs.fetchgit {
+    url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple";
+    rev = "f32d3c5efd39df558f80b862c60b2866c567d999";
+    sha256 = "0kdb29hzh6s7rsz8s9z40hsmj09rrww1lcyfdi7wpng9ixi1jfvx";
+  };
+in
+
+{
+
+  containers.wa-test = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress6 = "fd00::42:20";
+    localAddress6 = "fd00::42:21";
+    
+    config = {config, pkgs, ...}: {
+      imports = [ "${fediventure}/workadventure.nix"  ];
+      networking.firewall.allowedTCPPorts = [ 80 443 5000 7890 ];
+
+      services.workadventure.instances."space.stuebinm.eu" = {
+        nginx.default = true;
+        nginx.domain = "space.stuebinm.eu";
+        maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+        frontend.settings.startRoomUrl = "space.stuebinm.eu/maps/main.json";
+        frontend.settings = {
+          stunServer = "stun:chaski.stuebinm.eu:3478";
+          turnServer = "turn:95.217.159.23";
+          turnUser = "chaski";
+          turnPassword = "chaski";
+          jitsiUrl = "meet.ffmuc.net";
+        };
+      };
+      
+      services.prometheus = {
+        enable = true;
+        port = 9001;
+        scrapeConfigs = [ {
+          job_name = "workadventure-back";
+          static_configs = [ {
+            targets = [ "localhost:8080" ];
+          } ];
+        } ];
+      };
+      
+      services.grafana = {
+        enable = true;
+        port = 5000;
+        addr = "[::]";
+        rootUrl = "https://space.stuebinm.eu/metrics/";
+        auth.anonymous.enable = true;
+        provision = {
+          enable = true;
+          datasources = [ {
+            name = "workadventure";
+            type = "prometheus";
+            url = "http://localhost:9001";
+          } ];
+        };
+      };
+
+      systemd.services.goaccess = {
+        enable = true;
+        description = "Uses goaccess to publish a neat acces log on /var/www/index.html";
+        requires = [ "nginx.service" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig.Type = "simple";
+        path = [ pkgs.goaccess ];
+        environment = {"HOME" = "/tmp";}; # necessary as goaccess will crash otherwise — is fixed upstream, but not yet in nixos
+        script = ''
+            mkdir -p /var/www-goaccess/
+            goaccess /var/log/nginx/access.log -o /var/www-goaccess/index.html --log-format=COMBINED --html
+        '';
+      };
+
+      services.nginx.virtualHosts."space.stuebinm.eu" = {
+        locations."/stats/".alias = "/var/www-goaccess/";
+      };
+    };
+  };
+  
+  services.nginx.virtualHosts."space.stuebinm.eu" = {
+     extraConfig = ''
+       proxy_read_timeout 300s;
+       proxy_connect_timeout 75s;
+     '';
+     locations."/metrics/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:5000/";
+     locations."/metrics/".proxyWebsockets = true;
+     locations."/".proxyPass = "http://[${config.containers.wa-test.localAddress6}]:80";
+     locations."/".proxyWebsockets = true;
+     enableACME = true;
+     forceSSL = true;
+  };
+}
+
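Review bot: Three things behind the public `space.stuebinm.eu` vhost carry no access control. `turnPassword = "chaski"` is a static TURN credential committed to git and, because it sits in `frontend.settings`, shipped to every browser, so anyone can relay arbitrary traffic through `95.217.159.23`; it should at minimum be rotated and kept out of the repo, and replaced with short-lived credentials (coturn `use-auth-secret`) if the WorkAdventure version in use supports a TURN auth secret. Grafana runs with `auth.anonymous.enable = true` and is proxied at `/metrics/`, which hands any visitor the Prometheus datasource (every scraped metric) plus the `/login` page with the default admin password unless `security.adminPasswordFile` is set somewhere outside this commit. The goaccess report served at `/stats/` is built from `/var/log/nginx/access.log` and therefore discloses visitor IP addresses; add `--anonymize-ip` to the goaccess call, and note that as a `Type = "simple"` one-shot without `--real-time-html` it is only regenerated at container start.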
-- 