let
# Arguments for every `import <nixpkgs>` in this file. The single overlay adds
# this repository's own helpers and packages to the package set.
nixpkgsOptions = {
  overlays = [
    # NOTE: Namespaced under `pkgs.cryto.*` to prevent naming conflicts with upstream nixpkgs
    (final: _prev:
      let
        # Everything below is a local file run through callPackage, so each
        # one resolves its inputs against the fully overlaid package set.
        local = final.callPackage;
      in {
        cryto = {
          fetchFromCrytoGit = local ./lib/fetch/from-cryto-git.nix {};
          nodeApplication = local ./lib/node-application.nix {};
          unpack = local ./lib/unpack.nix {};
          # Built without a config here; the consuming service supplies one
          # through `.override { configFile = ...; }`.
          mobileProxy = local ./packages/mobile-proxy { configFile = null; };
          matrixRooms = local ./packages/matrix-rooms {};
        };
      })
  ];
};
# The nixpkgs releases this file evaluates against. Both are fetched as
# channel-branch tarballs: what `fetchTarball` returns depends on when it is
# evaluated (subject to the local tarball-ttl cache), and with no `sha256`
# nothing verifies the archive that was downloaded. For a reproducible and
# integrity-checked deployment, point at a commit tarball and use the
# attribute-set form, `fetchTarball { url = ...; sha256 = "<hash from
# nix-prefetch-url --unpack>"; }`.
# NOTE(review): the nixpkgs-channels repository has since been archived
# upstream (the release branches live on NixOS/nixpkgs) — check the URL
# before re-pinning.
pkgs =
  let tarball = fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-20.03.tar.gz";
  in import tarball nixpkgsOptions;

# Older release, referenced only from the commented-out phpfpm block in
# machine-haless-03 (`pkgs1803.php56`). Nix is lazy, so this tarball is not
# fetched unless something actually evaluates the binding.
pkgs1803 =
  let tarball = fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.03.tar.gz";
  in import tarball nixpkgsOptions;
# NixOS modules shared by the machines below (each machine lists them in
# its `imports`).
presets = {
  base = import ./presets/base.nix;
  kvm = import ./presets/kvm.nix;
};
# nginx virtual-host fragments used by machine-haless-03. `letsEncrypt` and
# `phpDisabled` are merged into a vhost as they are; `reverseProxy` is first
# applied to an upstream URL. Commented-out entries are kept for reference.
nginxPresets = {
  # php = (import ./presets/nginx/php.nix);
  phpDisabled = import ./presets/nginx/php-disabled.nix;
  # cphpApplication = (import ./presets/nginx/cphp-application.nix);
  reverseProxy = import ./presets/nginx/reverse-proxy.nix;
  letsEncrypt = import ./presets/nginx/lets-encrypt.nix;
};
# Shared inventory of tinc peers, handed to every machine's tinc module.
nodes = import ./data/nodes.nix;

# `{ hostname, nodes }` -> NixOS module: the tinc configuration for one host,
# derived from the shared inventory above.
tincConfiguration = import ./lib/tinc-configuration.nix;
in {
# NixOps network-level settings: the package set every machine is evaluated
# against, plus a human-readable description of the deployment.
network.pkgs = pkgs;
network.description = "Cryto";
"machine-borg2-01.cryto.net" = { pkgs, lib, ... }: {
system.stateVersion = "18.09";

# FIXME: Why is this needed?
nixpkgs.overlays = [];

imports = [
  presets.base
  presets.kvm
  ./hardware-configurations/machine-borg2-01.nix
  # This host's tinc configuration, generated from the shared `nodes` inventory.
  (tincConfiguration { inherit nodes; hostname = "machine-borg2-01.cryto.net"; })
];
boot.loader.grub.device = lib.mkForce "/dev/vda";

# One local account (and matching group) per backup client. Each account's
# home directory doubles as the path of its borg repository further down.
users.extraUsers =
  let
    backupAccount = name: {
      createHome = true;
      home = "/home/${name}";
    };
  in {
    backup-f0x = backupAccount "backup-f0x";
    backup-haless = backupAccount "backup-haless";
  };

users.extraGroups.backup-f0x.members = [ "backup-f0x" ];
users.extraGroups.backup-haless.members = [ "backup-haless" ];
# Borg repositories served over SSH, one per backup client. Each repository
# carries two key lists: `authorizedKeys` gives ordinary (read/write/delete)
# access and appears to hold the owner's personal key, while
# `authorizedKeysAppendOnly` grants borg's append-only mode and holds the keys
# of the machines that push backups — so a compromised client cannot prune or
# overwrite its own history. Retention therefore has to be run with a
# full-access key, not from the clients.
services.borgbackup.repos.f0x = {
  allowSubRepos = true;
  quota = "250G";
  path = "/home/backup-f0x";
  user = "backup-f0x";
  group = "backup-f0x";
  authorizedKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJDP2TDyj1X/L6gNgHCXASIWoW/VnJ77FQy39VRTi8 f0x@elephantus"
  ];
  authorizedKeysAppendOnly = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7WSUY6Y2lsIawo8dPBu4/Omx6c7/1SMD9ve/vpcorN borg-backup@terra"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeMWPR38zXAbURVTJs+yGDnld5kO7bcgp/70l4wJG0k borg-backup@luna"
  ];
};

# NOTE(review): unlike `f0x`, this repository sets no `quota`, so its
# append-only client (root@machine-haless-03, below) can grow it until the
# disk is full — consider giving it one as well.
services.borgbackup.repos.haless = {
  allowSubRepos = true;
  path = "/home/backup-haless";
  user = "backup-haless";
  group = "backup-haless";
  authorizedKeys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzV5dI01NhwuL6ayiO0STcSQiDf7lEtu63NuLZKQUdZVuVHIqyt3Gquks2OI1NZGrJdXA315yw89ZqyMo+z7gSGHEV6P0fAXKW6G78JOFWsA5lGpaLxTsZ6Q7r0Z9FMqDvA5Jlsyznyj9hhO1cz01WPLzB92ypd9ifldtrAQIYQItxGXOuRkBJiShuIRqtr4Q2chXiOoRZKb4v4Gyt/UPxTpvfM/zcOz0zi1d4ijSbLqgIUJhxvrWADfdgEQ77unepDoD+HT51QBX7dj8RuYivxLSA3vpfNeCgt2CYBf6FYnmWkWSnN1RCtQPJNxsMuLzC2ZBbIkz0tDgcIBPbHxGr sven@linux-rfa7.site"
  ];
  authorizedKeysAppendOnly = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAOpXsDxE7SXeSw/kjgzdwEkNsL9REMabMqYVPM9rem root@machine-haless-03.cryto.net"
  ];
};
};
"machine-haless-03.cryto.net" = { pkgs, lib, config, ... }@args: {
system.stateVersion = "19.03";

imports = [
  presets.base
  presets.kvm
  ./hardware-configurations/machine-haless-03.nix
  # This host's tinc configuration, generated from the shared `nodes` inventory.
  (tincConfiguration { inherit nodes; hostname = "machine-haless-03.cryto.net"; })
];
# NixOps health checks: one request for "/" on each vhost, once over http and
# once over https. The active host list is the same for both schemes. Hosts
# commented out below still have vhosts in `services.nginx`; note that
# `modular-matrix.cryto.net` has a vhost but no check here at all, and that
# `todo` and `learn` (plain-http vhosts) were only ever listed for http.
deployment.healthChecks.http =
  let
    # One check description for `host` on the given scheme and port.
    checkFor = { protocol, port }: host: {
      inherit host port;
      scheme = protocol;
      path = "/";
      description = "${host} (${protocol} :${toString port}) is up";
    };
    overHttp = map (checkFor { protocol = "http"; port = 80; });
    overHttps = map (checkFor { protocol = "https"; port = 443; });
    hosts = [
      # "haless.cryto.net"
      # "todo.cryto.net"
      # "books.cryto.net"
      # "learn.cryto.net"
      # "vps-list.cryto.net"
      "iomfats.cryto.net"
      "castleroland.cryto.net"
      "awesomedude.cryto.net"
      "matrix-rooms.cryto.net"
      "validatem.cryto.net"
    ];
  in lib.mkMerge [
    (overHttp hosts)
    (overHttps hosts)
  ];
# Only the web ports are opened here; anything else this host needs (SSH,
# tinc) is expected to come from the imported presets, which are not visible
# in this file.
networking.firewall.allowedTCPPorts = [ 80 443 ];

# Daily whole-system borg backup, pushed over SSH to the `haless` repository
# on machine-borg2-01. The key this host uses is listed there under
# `authorizedKeysAppendOnly`, so the job can add archives but cannot prune or
# delete them; retention has to be handled from the repository side.
services.borgbackup.jobs.system = {
  paths = "/";
  exclude = [
    "/nix"
    "/boot"
    "/sys"
    "/run"
    "/tmp"
    "/dev"
    "/proc"
  ];
  repo = "backup-haless@machine-borg2-01.cryto.net:haless-03";
  encryption.mode = "repokey-blake2";
  # NOTE(review): a passphrase supplied as a Nix value ends up in the
  # generated service script and thus in the world-readable /nix/store on this
  # host. `encryption.passCommand`, reading a file deployed outside the store
  # (for example a NixOps `deployment.keys` entry), keeps it out of the store.
  encryption.passphrase = import ../private/machine-haless-03.cryto.net/borg-passphrase.nix;
  compression = "auto,zlib";
  startAt = "daily";
};
services.nginx = {
  enable = true;

  virtualHosts =
    let
      inherit (nginxPresets) letsEncrypt phpDisabled reverseProxy;
      # TLS-terminated vhost serving a static tree from the Nix store.
      static = root: lib.mkMerge [ letsEncrypt { inherit root; } ];
      # TLS-terminated vhost forwarding everything to a loopback upstream, so
      # the backend is only reachable through nginx.
      proxied = upstream: lib.mkMerge [ letsEncrypt (reverseProxy upstream) ];
    in {
      # Catch-all for requests whose Host header matches no vhost below: answer
      # 404 rather than letting nginx fall through to the first defined vhost.
      # NOTE(review): this vhost only has a plain-http listener; for port 443
      # an unmatched name is still served by the first TLS vhost nginx defines
      # — confirm whether an HTTPS catch-all is wanted as well.
      "404.cryto.net" = {
        default = true;
        extraConfig = ''
          return 404;
        '';
      };

      "modular-matrix.cryto.net" = static ./sources/modular-matrix;
      "validatem.cryto.net" = static ./sources/validatem-site;

      "haless.cryto.net" = lib.mkMerge [
        letsEncrypt
        {
          locations."/shadow/".alias = ./sources/shadow-generator;
          locations."/knex-mirror/".alias = ./sources/knex-mirror;
        }
      ];

      # The PHP applications below are currently switched off (`phpDisabled`);
      # their former definitions are kept commented out for reference. With the
      # `root` commented out, these vhosts serve whatever `phpDisabled` and the
      # nginx defaults provide — confirm that is the intent.
      "books.cryto.net" = lib.mkMerge [
        letsEncrypt
        phpDisabled
        # (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
        # {
        #   root = pkgs.stdenv.mkDerivation {
        #     name = "cryto-books";
        #     src = ./sources/cryto-books;
        #
        #     installPhase = ''
        #       mkdir -p $out/
        #       cp -r $src/* $out/
        #       cp ${../private/cryto-books/credentials.php} $out/credentials.php
        #     '';
        #   };
        # }
      ];

      # NOTE(review): `todo` and `learn` carry no `letsEncrypt` fragment, so they
      # are reachable over plain http only — confirm that is intended.
      "todo.cryto.net" = lib.mkMerge [
        phpDisabled
        # (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
        # (nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
        #   name = "cryto-todo";
        #   src = ./sources/cryto-todo;
        #
        #   installPhase = ''
        #     mkdir -p $out/public_html
        #     cp -r $src/* $out/public_html
        #     cp ${../private/cryto-todo/config.json} $out/config.json
        #   '';
        # }))
      ];

      "learn.cryto.net" = lib.mkMerge [
        phpDisabled
        # (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
        # (nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
        #   name = "cryto-learn";
        #   src = ./sources/cryto-learn;
        #
        #   installPhase = ''
        #     mkdir -p $out/public_html
        #     cp -r $src/* $out/public_html
        #     cp ${../private/cryto-learn/config.json} $out/config.json
        #   '';
        # }))
      ];

      "vps-list.cryto.net" = lib.mkMerge [
        letsEncrypt
        phpDisabled
        # (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
        # (nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
        #   name = "vps-list";
        #   src = ./sources/vps-list;
        #
        #   installPhase = ''
        #     mkdir -p $out/public_html
        #     mkdir -p $out/public_html/cphp
        #
        #     cp -r $src/* $out/public_html
        #     cp ${../private/vps-list/config.php} $out/public_html/cphp/config.php
        #   '';
        # }))
      ];

      # Three names share the upstream on port 3000; presumably that backend
      # dispatches on the Host header — confirm.
      "iomfats.cryto.net" = proxied "http://127.0.0.1:3000/";
      "castleroland.cryto.net" = proxied "http://127.0.0.1:3000/";
      "awesomedude.cryto.net" = proxied "http://127.0.0.1:3000/";

      # Fronts the matrix-rooms service defined further down.
      "matrix-rooms.cryto.net" = proxied "http://127.0.0.1:3842/";
    };
};
# services.mysql = {
#   enable = true;
#   package = pkgs.mysql55;
# };

# services.phpfpm = {
#   settings = {
#     "log_level" = "notice";
#   };
#
#   phpPackage = pkgs1803.php56;
#
#   pools = {
#     main = {
#       # listen = "/var/run/phpfpm-main.sock";
#       user = "nobody";
#       settings = {
#         "listen.owner" = "nginx";
#         "listen.group" = "nginx";
#         "listen.mode" = 0660;
#
#         "pm" = "dynamic";
#         "pm.max_children" = 75;
#         "pm.start_servers" = 10;
#         "pm.min_spare_servers" = 5;
#         "pm.max_spare_servers" = 20;
#         "pm.max_requests" = 500;
#
#         "catch_workers_output" = true;
#       };
#     };
#   };
# };
# Unprivileged account the mobile-proxy service runs as
# (see `systemd.services.mobile-proxy` below).
users.extraUsers.mobile-proxy.description = "mobile-proxy Service User";
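# Runs the mobile-proxy package, built with this repository's config.jsx, as
# the unprivileged `mobile-proxy` account.
systemd.services.mobile-proxy =
  let
    package = pkgs.cryto.mobileProxy.override { configFile = ./data/mobile-proxy/config.jsx; };
  in {
    description = "Mobile Proxy";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      ExecStart = "${package}/bin/mobile-proxy";
      User = "mobile-proxy";
      Restart = "on-failure";
      # The process needs a writable HOME (see `environment` below). systemd
      # creates /var/lib/mobile-proxy, owned by `User` and mode 0700, before
      # any Exec* line runs. This replaces a root pre-start that did
      # `mkdir -m 0700 -p /tmp/mobile-proxy-home` followed by `chown`: /tmp is
      # world-writable, so any local account could pre-create that fixed name
      # — as a directory or a symlink — and `mkdir -p` would accept it while
      # `chown` handed it (or the symlink's target) to the service user.
      # Side effect of the move: HOME now persists across reboots, where /tmp
      # may not.
      StateDirectory = "mobile-proxy";
      StateDirectoryMode = "0700";
    };

    environment = {
      HOME = "/var/lib/mobile-proxy";
    };
  };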
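# Unprivileged account the matrix-rooms service runs as
# (see `systemd.services.matrix-rooms` below). The description now names this
# account; it had been copied verbatim from the mobile-proxy user above.
users.extraUsers.matrix-rooms.description = "matrix-rooms Service User";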
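# Runs the matrix-rooms package as the unprivileged `matrix-rooms` account;
# nginx proxies matrix-rooms.cryto.net to it on port 3842.
systemd.services.matrix-rooms =
  let
    package = pkgs.cryto.matrixRooms;
  in {
    description = "Matrix Room List Viewer";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      ExecStart = "${package}/bin/matrix-room-list-viewer"; /* FIXME: Change binary name in its package.json at some point */
      User = "matrix-rooms";
      Restart = "on-failure";
      # FIXME: Is a fake home necessary for this application?
      # If it is, let systemd own it: /var/lib/matrix-rooms is created before
      # any Exec* line runs, owned by `User` and mode 0700. This replaces a
      # root pre-start that did `mkdir -m 0700 -p /tmp/matrix-rooms-home`
      # followed by `chown`: /tmp is world-writable, so any local account
      # could pre-create that fixed name — as a directory or a symlink — and
      # `mkdir -p` would accept it while `chown` handed it (or the symlink's
      # target) to the service user. Side effect of the move: HOME now
      # persists across reboots, where /tmp may not.
      StateDirectory = "matrix-rooms";
      StateDirectoryMode = "0700";
    };

    environment = {
      HOME = "/var/lib/matrix-rooms";
      NODE_ENV = "production";
    };
  };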
};
}