
infra/emet-selch: init (vm only so far)

commit
5348056b80
Signed by: govanify GPG Key ID: DE62E1E2A6145556
12 changed files with 121 additions and 107 deletions
  1. +1
    -0
      .gitignore
  2. +3
    -3
      components/server/chat.nix
  3. +2
    -7
      components/server/mail.nix
  4. +11
    -11
      components/server/monitor.nix
  5. +24
    -39
      components/server/projects.nix
  6. +58
    -45
      components/server/web.nix
  7. +2
    -1
      infrastructure/default.nix
  8. +18
    -0
      infrastructure/emet-selch/default.nix
  9. +2
    -1
      profiles/default.nix
  10. BIN
      secrets/emet-selch/assets/emet-selch.md
  11. BIN
      secrets/emet-selch/infrastructure/emet-selch/amaurot.nix
  12. BIN
      secrets/headfull/components/deployment.nix

+ 1
- 0
.gitignore

@ -1,3 +1,4 @@
configuration.nix
vm-*.nix
*.qcow2
result

+ 3
- 3
components/server/chat.nix

@ -72,6 +72,8 @@ in
services.matrix-synapse = {
enable = true;
server_name = cfg.domain;
enable_metrics = config.navi.components.monitor.enable;
registration_shared_secret = cfg.secret;
listeners = [
{
port = 8008;
@ -79,11 +81,9 @@ in
type = "http";
tls = false;
x_forwarded = true;
enable_metrics = navi.components.monitor.enable;
registration_shared_secret = cfg.secret;
resources = [
{
names = [ "client" "federation" ] ++ optionals navi.components.monitor.enable [ "client" ];
names = [ "client" "federation" ] ++ optionals config.navi.components.monitor.enable [ "client" ];
compress = false;
}
];
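Review bot: The resource name appended to the listener when monitoring is enabled is `"client"`, which is already in the list, so the scrape job in monitor.nix that hits `127.0.0.1:8008/_synapse/metrics` has no `metrics` resource to answer it; presumably this should read `names = [ "client" "federation" ] ++ optionals config.navi.components.monitor.enable [ "metrics" ];`. This listener is the one nginx forwards to (`x_forwarded = true`), so once `metrics` is added, `/_synapse/metrics` should be blocked at the proxy unless it is meant to be public. Separately, `registration_shared_secret = cfg.secret` writes the secret into the generated homeserver.yaml, and if cfg.secret is a plain string that file lands world-readable in the Nix store; a path read at activation (via the module's extra-config-file support, if this nixpkgs version has it) would keep it out. The `services.matrix-synapse` block continues outside the hunk.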


+ 2
- 7
components/server/mail.nix

@ -11,12 +11,7 @@ in
options.navi.components.mail-server = {
enable = mkEnableOption "Enable navi's mail server";
accounts = mkOption {
type = mailserver.loginAccounts.type;
description = ''
List of accounts and per-accounts rules for the mail server.
'';
};
#inherit (options.mailserver) loginAccounts;
domains = mkOption {
type = types.listOf types.str;
default = [ ];
@ -44,7 +39,7 @@ in
keyFile = "${cert}/key.pem";
dkimSelector = config.navi.device;
dkimKeyBits = 2048;
loginAccounts = cfg.accounts;
#loginAccounts = cfg.accounts;
};
navi.components.web-server = {
enable = true;
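Review bot: With `loginAccounts = cfg.accounts;` commented out and the `accounts` option removed, nothing in this module sets `mailserver.loginAccounts` any more, so unless the secrets overlay (binary here, not reviewable) sets it directly the server comes up with the mailserver module's default, presumably no mailboxes at all. If the intent is for the secrets tree to define `mailserver.loginAccounts` itself, a one-line comment saying so would be better than the two dead lines `#inherit (options.mailserver) loginAccounts;` and `#loginAccounts = cfg.accounts;`, which otherwise read as unfinished work. The `options.navi.components.mail-server` set and the `mailserver` block both continue outside the hunks.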


+ 11
- 11
components/server/monitor.nix

@ -118,23 +118,23 @@ in
enabledCollectors = [ "systemd" ];
port = 9002;
};
nginx = mkIf navi.components.web-server.enable {
nginx = mkIf config.navi.components.web-server.enable {
enable = true;
port = 9113;
};
tor = mkIf services.tor.enable {
tor = mkIf config.services.tor.enable {
enable = true;
port = 9130;
};
postgres = mkIf services.postgresql.enable {
postgres = mkIf config.services.postgresql.enable {
enable = true;
port = 9187;
};
postfix = mkIf navi.components.mail-server.enable {
postfix = mkIf config.navi.components.mail-server.enable {
enable = true;
port = 9154;
};
dovecot = mkIf navi.components.mail-server.enable {
dovecot = mkIf config.navi.components.mail-server.enable {
enable = true;
port = 9166;
};
@ -145,7 +145,7 @@ in
targets = [ "127.0.0.1:9002" ];
}];
}] ++ optionals
navi.components.chat-server.enable
config.navi.components.chat-server.enable
[{
job_name = "synapse";
metrics_path = "/_synapse/metrics";
@ -153,35 +153,35 @@ in
targets = [ "127.0.0.1:8008" ];
}];
}] ++ optionals
navi.components.web-server.enable
config.navi.components.web-server.enable
[{
job_name = "nginx";
static_configs = [{
targets = [ "127.0.0.1:9112" ];
}];
}] ++ optionals
services.tor.enable
config.services.tor.enable
[{
job_name = "tor";
static_configs = [{
targets = [ "127.0.0.1:9130" ];
}];
}] ++ optionals
services.postgresql.enable
config.services.postgresql.enable
[{
job_name = "postgres";
static_configs = [{
targets = [ "127.0.0.1:9187" ];
}];
}] ++ optionals
navi.components.projects.enable
config.navi.components.projects.enable
[{
job_name = "gitea";
static_configs = [{
targets = [ "127.0.0.1:3001" ];
}];
}] ++ optionals
navi.components.mail-server.enable
config.navi.components.mail-server.enable
[{
job_name = "postfix";
static_configs = [{
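Review bot: The nginx scrape job targets `127.0.0.1:9112`, but the nginx exporter enabled earlier in the same attribute set listens on `port = 9113;`, so Prometheus will never reach it; one of the two should change, e.g. `targets = [ "127.0.0.1:9113" ];`. Every exporter port here is hard-coded twice, once in the exporter and once in its scrape target, so deriving the target from the exporter's own option (`config.services.prometheus.exporters.nginx.port`, assuming these are the standard prometheus exporter options as the surrounding context suggests) would make this class of drift impossible. Both the exporters set and the `scrapeConfigs` list start and end outside the hunks.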


+ 24
- 39
components/server/projects.nix

@ -35,11 +35,11 @@ in
config = mkIf cfg.enable {
users.users.git = {
isSystemUser = true;
useDefaultShell = true;
home = "/var/lib/gitea";
group = "gitea";
};
users.extraGroups = [ "gitea" ];
services.gitea = {
enable = true;
@ -53,47 +53,32 @@ in
domain = "${cfg.domain}";
rootUrl = "https://${cfg.domain}/";
httpPort = 3001;
disableRegistration = cfg.registration;
extraConfig =
let
docutils =
pkgs.python37.withPackages (ps: with ps; [
docutils
pygments
]);
in
''
[mailer]
ENABLED = true
FROM = "admin@${cfg.domain}"
[service]
REGISTER_EMAIL_CONFIRM = true
[markup.restructuredtext]
ENABLED = true
FILE_EXTENSIONS = .rst
RENDER_COMMAND = ${docutils}/bin/rst2html.py
IS_INPUT_FILE = false
[metrics]
ENABLED=true
[ui]
DEFAULT_THEME = arc-green
[repository.upload]
ALLOWED_TYPES = */*
[attachment]
ALLOWED_TYPES = */*
[picture]
DISABLE_GRAVATAR = true
ENABLE_FEDERATED_AVATAR = false
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[security]
DISABLE_GIT_HOOKS = ${cfg.disableHooks}
'';
disableRegistration = cfg.disableRegistration;
settings = {
mailer = {
ENABLED = true;
FROM = "admin@${cfg.domain}";
};
service.REGISTER_EMAIL_CONFIRM = true;
metrics.ENABLED = config.navi.components.monitor.enable;
ui.DEFAULT_THEME = "arc-green";
"repository.upload".ALLOWED_TYPES = "*/*";
attachment.ALLOWED_TYPES = "*/*";
picture = {
DISABLE_GRAVATAR = true;
ENABLE_FEDERATED_AVATAR = false;
};
openid = {
ENABLE_OPENID_SIGNIN = false;
ENABLE_OPENID_SIGNUP = false;
};
security.DISABLE_GIT_HOOKS = cfg.disableHooks;
};
};
services.nginx.virtualHosts = {
virtualHosts."${domain}" = {
"${cfg.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://[::1]:3001/";
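Review bot: `metrics.ENABLED = config.navi.components.monitor.enable;` turns on Gitea's `/metrics` endpoint without a `metrics.TOKEN`, and since the vhost below proxies `/` wholesale to `[::1]:3001`, the endpoint is served unauthenticated on the public domain whenever monitoring is on (as far as I recall Gitea only guards it when TOKEN is set). Either add `metrics.TOKEN` and pass it in the scrape config, or block it at the proxy with `locations."/metrics".extraConfig = "deny all;";` while the local scraper keeps reaching port 3001 directly. Relatedly, `security.DISABLE_GIT_HOOKS = cfg.disableHooks;` deserves a comment noting that leaving hooks enabled gives any repository admin command execution as the gitea user, so the option should default to disabling them. The `cfg.registration` → `cfg.disableRegistration` rename cannot be checked against its declaration from here; the option definitions are outside the hunk.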


+ 58
- 45
components/server/web.nix

@ -5,39 +5,49 @@ let
git_paths_bringup = concatStrings (
mapAttrsToList
(domain: attr: optionalString (attr.git.user != null) ''
if [[ ! -d "/home/${attr.git.user}/${domain}.git/" ]]
(name: attr: optionalString (attr.git.user != null) ''
if [[ ! -d "/home/${attr.git.user}/${name}.git/" ]]
then
${pkgs.git}/bin/git init /home/${attr.git.user}/${domain}.git/
${pkgs.git}/bin/git clone -l /home/${attr.git.user}/${domain}.git/ /var/www/${domain}
cat <<'EOF' >> /home/${attr.git.user}/${domain}.git/hooks/post-receive
${pkgs.git}/bin/git init /home/${attr.git.user}/${name}.git/
${pkgs.git}/bin/git clone -l /home/${attr.git.user}/${name}.git/ /var/www/${name}
cat <<'EOF' >> /home/${attr.git.user}/${name}.git/hooks/post-receive
#!/bin/sh
GIT_WORK_TREE=/home/${attr.git.user}/${domain}.git/ ${pkgs.git}/bin/git checkout -f
GIT_WORK_TREE=/home/${attr.git.user}/${name}.git/ ${pkgs.git}/bin/git checkout -f
EOF
chmod +x /home/${attr.git.user}/${domain}.git/hooks/post-receive
chown ${attr.git.user}:users -R /home/${attr.git.user}/${domain}.git/
chown ${attr.git.user}:users -R /var/www/${domain}
chmod a+r /var/www/${domain}
chmod +x /home/${attr.git.user}/${name}.git/hooks/post-receive
chown ${attr.git.user}:users -R /home/${attr.git.user}/${name}.git/
chown ${attr.git.user}:users -R /var/www/${name}
chmod a+r /var/www/${name}
fi
'')
cfg.domains);
virtualhosts = mapAttrs' (domain: attr: {
"${domain}" = {
forceSSL = attr.tls;
enableACME = attr.tls;
root = mkIf (attr.static || (attr.git.user != null)) (if attr.root == null then
"/var/www/${domain}" else attr.root);
return = mkIf (attr.return != null) attr.return;
};
} cfg.domains);
virtualhosts = mapAttrs'
(name: attr: (lib.nameValuePair
"${name}"
{
forceSSL = attr.tls;
enableACME = attr.tls;
root =
if (attr.static || (attr.git.user != null)) then
(if attr.root == null then
"/var/www/${name}" else attr.root) else null;
locations = if (attr.return != null) then { "/".return = attr.return; } else { };
}))
cfg.domains;
git_users = mapAttrs' (_: attr: {
"${attr.git.user}" = mkIf (attr.git.user != null) {
isNormalUser = true;
openssh.authorizedKeys.keyFiles = attr.git.keys;
};
} cfg.domains);
git_users = mapAttrs'
(name: attr: (if (attr.git.user != null) then
(lib.nameValuePair
"${attr.git.user}"
{
isNormalUser = true;
openssh.authorizedKeys.keyFiles = attr.git.keys;
# we already have set the main username's data, as such nix won't fail
# in a weird fashion trying to create a blank user! Probably a better
# way to do this but nix syntax is _so_ obtuse sometimes
}) else lib.nameValuePair "${config.navi.username}" { }))
cfg.domains;
in
{
@ -58,6 +68,12 @@ in
example = "example.com";
description = "The url of the domain.";
};
root = mkOption {
type = types.nullOr types.str;
default = null;
example = "/var/www/example.com";
description = "The root folder of the domain, if static.";
};
static = mkOption {
type = types.bool;
default = false;
@ -73,26 +89,23 @@ in
default = null;
description = "Return code that this domain should return. Useful for maintenance.";
};
git = mkOption {
default = { };
description = ''
Whether to use a git based versionning system for static websites.
If you toggle this option, you will be able to update your prod
website by pushing to the following git path:
user@example.com:~/domain.git
'';
type = types.submodule {
options = {
user = mkOption {
type = types.nullOr types.str;
example = "govanify";
description = "The username to use to manage the git website.";
};
keys = mkOption {
type = types.nullOr (types.listOf types.path);
description = "The ssh public key allowed to manage remotely the website.";
};
};
git = {
user = mkOption {
type = types.nullOr types.str;
default = null;
example = "govanify";
description = ''
The username to use to manage the git website.
Setting this will toggle a git based versionning system for static websites.
If you toggle this option, you will be able to update your prod
website by pushing to the following git path:
user@example.com:~/domain.git
'';
};
keys = mkOption {
type = types.nullOr (types.listOf types.path);
default = null;
description = "The ssh public key allowed to manage remotely the website.";
};
};
};
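Review bot: The deploy users built in `git_users` are `isNormalUser = true` with the site's SSH keys and no `shell` set, so whoever holds a site's deploy key gets a full interactive login on the host rather than push access to one repository; `shell = "${pkgs.git}/bin/git-shell";` (nixpkgs' git package ships it, I believe) would confine them to git-over-ssh, and the `chown`/`chmod` in the bring-up script already give that user what the push needs. Because the attribute key is `attr.git.user`, two domains sharing a deploy user collapse to one entry and the second domain's `keys` are silently dropped by `mapAttrs'`; grouping by user and concatenating `keys` would avoid that. Also, the post-receive hook sets `GIT_WORK_TREE=/home/${attr.git.user}/${name}.git/`, i.e. the repository directory itself, while nginx serves `/var/www/${name}` (the `root` computed in `virtualhosts`), so a push does not appear to update the served tree unless something outside this hunk does; presumably `GIT_WORK_TREE=/var/www/${name}` was meant. The `let` block these bindings belong to starts before the hunk.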


+ 2
- 1
infrastructure/default.nix

@ -5,6 +5,7 @@ with lib;
imports = [
./xanadu
./alastor
./emet-selch
./graphical.nix
];
@ -14,7 +15,7 @@ with lib;
The name of the device you target
'';
};
config = {
config = mkIf (config.navi.profile.headfull) {
# setup the trusted build servers here
nix.buildMachines = [
{


+ 18
- 0
infrastructure/emet-selch/default.nix

@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }:
with lib;
{
config = mkIf (config.navi.device == "emet-selch") {
networking = {
hostName = "emet-selch";
domain = "govanify.com";
};
# TODO: find emet-selch pixel art :)
users.motd = ''
'';
time.timeZone = "Europe/Paris";
navi.profile.name = "server";
};
}
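Review bot: `hostName = "emet-selch";` repeats the literal the `mkIf` condition keys on, so the two can drift if the device is ever renamed; `hostName = config.navi.device;` inside this block keeps them tied for free. The empty `users.motd = '''';` with a TODO adds nothing until the art exists; dropping the attribute and keeping only the TODO comment is cleaner.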

+ 2
- 1
profiles/default.nix

@ -85,8 +85,9 @@ with lib;
serviceConfig.Type = "oneshot";
environment = config.nix.envVars // {
inherit (config.environment.sessionVariables) NIX_PATH;
inherit (config.environment.variables) GNUPGHOME;
HOME = "/root";
} // optionalAttrs config.navi.components.xdg.enable {
inherit (config.environment.variables) GNUPGHOME;
} // config.networking.proxy.envVars;
path = [ pkgs.gnupg pkgs.git ];
script = "cd /etc/nixos && git pull --verify-signatures origin master";
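Review bot: Which keyring `git pull --verify-signatures` consults now depends on `config.navi.components.xdg.enable`: with it on, the XDG `GNUPGHOME` is inherited, otherwise gnupg falls back to `$HOME/.gnupg` under the `HOME = "/root"` set just above. That is fail-closed (an unknown key makes the pull fail) but easy to misdiagnose, so the new `optionalAttrs` line deserves a comment such as `# verify-signatures below trusts whatever keyring GNUPGHOME (or /root/.gnupg) holds; the deploy signing key must be imported there`. As far as I recall `--verify-signatures` only checks the tip commit of the fetched branch, so this unit remains the single point where repository trust is decided; the systemd service definition starts and ends outside the hunk.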


BIN
secrets/emet-selch/assets/emet-selch.md


BIN
secrets/emet-selch/infrastructure/emet-selch/amaurot.nix


BIN
secrets/headfull/components/deployment.nix

