Set up konjassiem-02 (Git)

configuration/data/nodes.nix

@@ -9,4 +9,9 @@
 		internalIpv4 = "10.217.0.6";
 		tincPublicKey = builtins.readFile ./tinc-keys/machine-borg2-01.cryto.net.pub;
 	};
+	"machine-konjassiem-02.cryto.net" = {
+		ipv4 = "81.4.122.123";
+		internalIpv4 = "10.217.0.7";
+		tincPublicKey = builtins.readFile ./tinc-keys/machine-konjassiem-02.cryto.net.pub;
+	};
 }

configuration/data/tinc-keys/machine-konjassiem-02.cryto.net.pub

@@ -0,0 +1 @@
+NKfdfCXEVrVOs+t5j3vNp36ym0e+8h66Lb3YPYWe9DG

configuration/default.nix

@@ -119,6 +119,7 @@ in {
 				"awesomedude.cryto.net"
 				"matrix-rooms.cryto.net"
 				"validatem.cryto.net"
+				"nixos-manual-mdx.cryto.net"
 			])
 			(httpsHosts [
 				"iomfats.cryto.net"
@@ -126,6 +127,7 @@ in {
 				"awesomedude.cryto.net"
 				"matrix-rooms.cryto.net"
 				"validatem.cryto.net"
+				"nixos-manual-mdx.cryto.net"
 			])
 		];
 
@@ -164,9 +166,17 @@ in {
 					(nginxPresets.letsEncrypt)
 					{ root = ./sources/modular-matrix; }
 				];
+				# "validatem.cryto.net" = lib.mkMerge [
+				# 	(nginxPresets.letsEncrypt)
+				# 	{ root = ./sources/validatem-site; }
+				# ];
 				"validatem.cryto.net" = lib.mkMerge [
 					(nginxPresets.letsEncrypt)
-					{ root = ./sources/validatem-site; }
+					{ root = ../../validatem/site/build; }
+				];
+				"nixos-manual-mdx.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					{ root = ../../nixos-manual-mdx/build; }
 				];
 				"haless.cryto.net" = lib.mkMerge [
 					(nginxPresets.letsEncrypt)
@@ -270,4 +280,139 @@ in {
 			};
 		};
 	};
+
+	"machine-konjassiem-02.cryto.net" = { pkgs, lib, config, ... }@args: {
+		system.stateVersion = "20.03";
+
+		imports = [
+			presets.base
+			presets.kvm
+			./hardware-configurations/machine-konjassiem-02.nix
+			(tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; })
+		];
+
+		services.postgresql = {
+			enable = true;
+			ensureDatabases = [ "gitea" ];
+			ensureUsers = [{
+				name = "git";
+				ensurePermissions = {
+					"DATABASE gitea" = "ALL PRIVILEGES";
+				};
+			}];
+		};
+
+		users.users.git = {
+			description = "Gitea Service";
+			home = "/var/lib/gitea";
+			useDefaultShell = true;
+			group = "git";
+			isSystemUser = true;
+		};
+
+		users.groups.git = {};
+
+		networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+		services.nginx = {
+			enable = true;
+			virtualHosts = {
+				"404.cryto.net" = {
+					default = true;
+					extraConfig = ''
+						return 404;
+					'';
+				};
+				"git.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
+				];
+			};
+		};
+
+		# NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
+		systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
+
+		services.gitea = {
+			enable = true;
+			user = "git";
+			appName = "Cryto Git";
+			repositoryRoot = "/var/lib/repositories";
+
+			domain = "git.cryto.net";
+			httpAddress = "localhost";
+			httpPort = 3000;
+			rootUrl = "https://git.cryto.net/";
+			
+			database = {
+				createDatabase = false;
+				type = "postgres";
+				socket = "/run/postgresql";
+				user = "git";
+			};
+
+			extraConfig = ''
+				[database]
+				LOG_SQL = false
+
+				[service]
+				ENABLE_CAPTCHA = true
+				REGISTER_EMAIL_CONFIRM = true
+				ENABLE_NOTIFY_MAIL = true
+				ENABLE_USER_HEATMAP = false
+
+				[security]
+				PASSWORD_COMPLEXITY = off
+
+				[session]
+				PROVIDER = file
+
+				[mailer]
+				ENABLED = true
+				MAILER_TYPE = sendmail
+				FROM = "Cryto Git" <noreply@git.cryto.net>
+				SENDMAIL_PATH = ${pkgs.system-sendmail}/bin/sendmail
+			'';
+
+			# FIXME: Use this instead of extraConfig in 20.09
+			# settings = {
+			# 	database = {
+			# 		LOG_SQL = false;
+			# 	};
+
+			# 	service = {
+			# 		ENABLE_CAPTCHA = true;
+			# 		REGISTER_EMAIL_CONFIRM = true;
+			# 		ENABLE_NOTIFY_MAIL = true;
+			# 		ENABLE_USER_HEATMAP = false;
+			# 	};
+
+			# 	security = {
+			# 		PASSWORD_COMPLEXITY = "off";
+			# 	};
+
+			# 	session = {
+			# 		PROVIDER = "file";
+			# 	};
+
+			# 	mailer = {
+			# 		ENABLED = true;
+			# 		MAILER_TYPE = "sendmail";
+			# 		FROM = "\"Cryto Git\" <noreply@git.cryto.net>";
+			# 		SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+			# 	};
+			# };
+		};
+
+		# FIXME: DKIM/DMARC
+		services.opensmtpd = {
+			enable = true;
+			serverConfiguration = ''
+				listen on lo
+
+				action "outbound" relay
+				match from local for any action "outbound"
+			'';
+		};
+	};
 }

configuration/hardware-configurations/machine-konjassiem-02.nix

@@ -0,0 +1,32 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  boot.loader.grub.device = lib.mkForce "/dev/vda";
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/df8e6a13-8975-4c25-9d6b-b7065cc27086";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/8a56fa7d-ec2d-4814-b77e-688c0446624c";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/b5a55d95-9dfc-4efd-8296-23db4bcf1f1e"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 2;
+}

configuration/lib/tinc-configuration.nix

@@ -1,7 +1,7 @@
 /* TODO: Translate this to a service/module at some point? Something like 'cryto.network' that handles all the internal-networking stuff. */
 
 { hostname, nodes, pingInterval ? 10 }:
-	{ lib, ... }: let
+	{ pkgs, lib, ... }: let
 		/* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
 		generateConfiguration = options:
 			let
@@ -22,6 +22,8 @@
 
 		services.tinc.networks.cryto = {
 			debugLevel = 3;
+			chroot = false;
+			ed25519PrivateKeyFile = "/etc/tinc/cryto/ed25519_key.priv";
 
 			extraConfig = generateConfiguration {
 				AutoConnect = "yes";
@@ -43,10 +45,10 @@
 			in lib.mapAttrs' mapper nodes;
 		};
 
-		networking.interfaces."tinc.cryto".ipv4.addresses = [{
-			address = nodes.${hostname}.internalIpv4;
-			prefixLength = 24;
-		}];
+		# networking.interfaces."tinc.cryto".ipv4.addresses = [{
+		# 	address = nodes.${hostname}.internalIpv4;
+		# 	prefixLength = 24;
+		# }];
 
 		networking.firewall = {
 			allowedTCPPorts = [
@@ -59,4 +61,32 @@
 				"tinc.cryto"
 			];
 		};
+
+		# FIXME: Make the netmask be generated from the prefixLength, instead of hard-coding it
+		environment.etc = {
+			"tinc/cryto/tinc-up".source = pkgs.writeScript "tinc-up-cryto" ''
+				#!${pkgs.stdenv.shell}
+				${pkgs.nettools}/bin/ifconfig tinc.cryto ${nodes.${hostname}.internalIpv4} netmask 255.255.255.0
+			'';
+			"tinc/cryto/tinc-down".source = pkgs.writeScript "tinc-down-cryto" ''
+				#!${pkgs.stdenv.shell}
+				/run/wrappers/bin/sudo ${pkgs.nettools}/bin/ifconfig tinc.cryto down
+			'';
+		};
+
+		security.sudo.extraRules = [{
+			users    = [ "tinc.cryto" ];
+			commands = [{
+				command  = "${pkgs.nettools}/bin/ifconfig tinc.cryto down";
+				options  = [ "NOPASSWD" ];
+			}];
+		}];
+
+		# Override this to get rid of the automatic key generation
+		systemd.services."tinc.cryto".preStart = lib.mkForce ''
+			mkdir -p /etc/tinc/cryto/hosts
+			chown tinc.cryto /etc/tinc/cryto/hosts
+			mkdir -p /etc/tinc/cryto/invitations
+			chown tinc.cryto /etc/tinc/cryto/invitations
+		'';
 	}

configuration/sources/validatem-site/validatem-icon.svg

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="120"
+   height="120"
+   viewBox="0 0 31.750001 31.750001"
+   version="1.1"
+   id="svg8"
+   inkscape:version="0.92.4 (5da689c313, 2019-01-14)"
+   sodipodi:docname="validatem-icon.svg">
+  <defs
+     id="defs2" />
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1.979899"
+     inkscape:cx="164.91615"
+     inkscape:cy="47.583886"
+     inkscape:document-units="mm"
+     inkscape:current-layer="text817"
+     showgrid="false"
+     inkscape:window-width="1870"
+     inkscape:window-height="1015"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     fit-margin-top="3"
+     fit-margin-bottom="3"
+     fit-margin-right="3"
+     fit-margin-left="3"
+     units="px" />
+  <metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-32.405043,-64.590621)">
+    <g
+       aria-label="validatem"
+       style="font-style:normal;font-weight:normal;font-size:10.58333302px;line-height:6.61458302px;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       id="text817">
+      <path
+         d="M 47.155564,93.308937 H 43.451397 L 39.184991,81.380638 h 3.274219 l 2.083593,6.669705 c 0.110243,0.367477 0.371152,1.286169 0.782726,2.756077 0.0735,-0.301331 0.224161,-0.830498 0.451996,-1.5875 0.227836,-0.757003 6.893866,-17.128097 8.356424,-21.596615 h 3.241146 z"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:22.57777786px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';letter-spacing:-1.22766662px;word-spacing:0px;fill:#008000;stroke-width:0.26458332px"
+         id="path838"
+         inkscape:connector-curvature="0"
+         sodipodi:nodetypes="ccccccsccc" />
+    </g>
+  </g>
+</svg>

data/dummy-configuration.nix

@@ -40,5 +40,5 @@
 			"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzV5dI01NhwuL6ayiO0STcSQiDf7lEtu63NuLZKQUdZVuVHIqyt3Gquks2OI1NZGrJdXA315yw89ZqyMo+z7gSGHEV6P0fAXKW6G78JOFWsA5lGpaLxTsZ6Q7r0Z9FMqDvA5Jlsyznyj9hhO1cz01WPLzB92ypd9ifldtrAQIYQItxGXOuRkBJiShuIRqtr4Q2chXiOoRZKb4v4Gyt/UPxTpvfM/zcOz0zi1d4ijSbLqgIUJhxvrWADfdgEQ77unepDoD+HT51QBX7dj8RuYivxLSA3vpfNeCgt2CYBf6FYnmWkWSnN1RCtQPJNxsMuLzC2ZBbIkz0tDgcIBPbHxGr sven@linux-rfa7.site"
 		];
 
-		system.stateVersion = "19.03";
+		system.stateVersion = "20.03";
 	}

notes/nixos-setup.txt

@@ -36,7 +36,7 @@ curl https://git.cryto.net/joepie91/morph-rc/raw/master/data/dummy-configuration
 nixos-install
 
 # NOTE: Don't forget to set a better root password over SSH after restarting
-
+# NOTE: Don't forget to run ./deploy-secrets if needed!
 
 #################################
 

notes/tinc-key-setup.txt

@@ -3,3 +3,5 @@ nix-shell --command 'tinc --batch --config ./ -n cryto generate-ed25519-keys' --
 
 # NOTE: Change the machine name!
 mv ed25519_key.priv tinc-key.priv && sed -i -r 's/^Ed25519PublicKey = //' ed25519_key.pub && mv ed25519_key.pub ../../configuration/data/tinc-keys/machine-haless-03.cryto.net.pub
+
+# Don't forget to run ./deploy-secrets!