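# NixOps network definition for the "Cryto" deployment.
#
# Two machines are defined:
#   * machine-borg2-01.cryto.net  – borg backup target (append-only repos for the other hosts)
#   * machine-haless-03.cryto.net – nginx front-end, two Node services, and a borg client
#     that pushes a daily system backup to machine-borg2-01.
#
# Review notes (no behaviour change):
#   * `fetchTarball` is called without a `sha256`, so nothing verifies the nixpkgs
#     tarballs and the `nixos-XX.YY` channel archives move over time, which makes
#     deployments non-reproducible and unverifiable. Pin to a specific nixpkgs commit
#     and pass `{ url = ...; sha256 = "..."; }` to `fetchTarball` (the
#     `nixpkgs-channels` repository has since been archived in favour of branches on
#     NixOS/nixpkgs — confirm the URL still resolves).
#   * `pkgs1803` is only referenced by the commented-out phpfpm block below
#     (PHP 5.6, long end-of-life); drop it once that block is gone.
let
  nixpkgsOptions = {
    overlays = [
      (self: super: {
        /* NOTE: Namespaced under `pkgs.cryto.*` to prevent naming conflicts with upstream nixpkgs */
        cryto = {
          fetchFromCrytoGit = self.callPackage ./lib/fetch/from-cryto-git.nix {};
          nodeApplication = self.callPackage ./lib/node-application.nix {};
          unpack = self.callPackage ./lib/unpack.nix {};
          # `configFile` is filled in per-host via `.override`, see machine-haless-03.
          mobileProxy = self.callPackage ./packages/mobile-proxy { configFile = null; };
          matrixRooms = self.callPackage ./packages/matrix-rooms {};
        };
      })
    ];
  };

  # TODO(review): unpinned and unhashed, see the header note.
  pkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-20.03.tar.gz") nixpkgsOptions;
  pkgs1803 = import (fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.03.tar.gz") nixpkgsOptions;

  presets = {
    base = import ./presets/base.nix;
    kvm = import ./presets/kvm.nix;
  };

  nginxPresets = {
    # php = (import ./presets/nginx/php.nix);
    phpDisabled = import ./presets/nginx/php-disabled.nix;
    # cphpApplication = (import ./presets/nginx/cphp-application.nix);
    reverseProxy = import ./presets/nginx/reverse-proxy.nix;
    letsEncrypt = import ./presets/nginx/lets-encrypt.nix;
  };

  nodes = import ./data/nodes.nix;
  tincConfiguration = import ./lib/tinc-configuration.nix;
in {
  network = {
    inherit pkgs;
    description = "Cryto";
  };

  ###########################################################################
  # Backup target
  ###########################################################################
  "machine-borg2-01.cryto.net" = { pkgs, lib, ... }: {
    system.stateVersion = "18.09";

    imports = [
      presets.base
      presets.kvm
      ./hardware-configurations/machine-borg2-01.nix
      (tincConfiguration { hostname = "machine-borg2-01.cryto.net"; inherit nodes; })
    ];

    boot.loader.grub.device = lib.mkForce "/dev/vda";

    # One unprivileged account + group per backup client. The borgbackup module
    # also declares these users from `repos.<name>.user`; the explicit entries
    # here only pin the home directory.
    users.users = {
      backup-f0x = { createHome = true; home = "/home/backup-f0x"; };
      backup-haless = { createHome = true; home = "/home/backup-haless"; };
    };
    users.groups = {
      backup-f0x = { members = [ "backup-f0x" ]; };
      backup-haless = { members = [ "backup-haless" ]; };
    };

    # `authorizedKeys` get full repo access (pruning/deleting), the
    # `authorizedKeysAppendOnly` entries are the machines that push backups and
    # are restricted to append-only, so a compromised client cannot destroy its
    # own history.
    services.borgbackup.repos = {
      "f0x" = {
        allowSubRepos = true;
        quota = "250G";
        path = "/home/backup-f0x";
        user = "backup-f0x";
        group = "backup-f0x";
        authorizedKeys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJDP2TDyj1X/L6gNgHCXASIWoW/VnJ77FQy39VRTi8 f0x@elephantus"
        ];
        authorizedKeysAppendOnly = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7WSUY6Y2lsIawo8dPBu4/Omx6c7/1SMD9ve/vpcorN borg-backup@terra"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeMWPR38zXAbURVTJs+yGDnld5kO7bcgp/70l4wJG0k borg-backup@luna"
        ];
      };
      "haless" = {
        allowSubRepos = true;
        # NOTE(review): no `quota` here, unlike "f0x"; a runaway client can fill the disk.
        path = "/home/backup-haless";
        user = "backup-haless";
        group = "backup-haless";
        authorizedKeys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzV5dI01NhwuL6ayiO0STcSQiDf7lEtu63NuLZKQUdZVuVHIqyt3Gquks2OI1NZGrJdXA315yw89ZqyMo+z7gSGHEV6P0fAXKW6G78JOFWsA5lGpaLxTsZ6Q7r0Z9FMqDvA5Jlsyznyj9hhO1cz01WPLzB92ypd9ifldtrAQIYQItxGXOuRkBJiShuIRqtr4Q2chXiOoRZKb4v4Gyt/UPxTpvfM/zcOz0zi1d4ijSbLqgIUJhxvrWADfdgEQ77unepDoD+HT51QBX7dj8RuYivxLSA3vpfNeCgt2CYBf6FYnmWkWSnN1RCtQPJNxsMuLzC2ZBbIkz0tDgcIBPbHxGr sven@linux-rfa7.site"
        ];
        authorizedKeysAppendOnly = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAOpXsDxE7SXeSw/kjgzdwEkNsL9REMabMqYVPM9rem root@machine-haless-03.cryto.net"
        ];
      };
    };
  };

  ###########################################################################
  # Web front-end + services
  ###########################################################################
  # `args` is kept for the commented-out `(nginxPresets.php args)` calls below.
  "machine-haless-03.cryto.net" = { pkgs, lib, config, ... }@args: {
    system.stateVersion = "19.03";

    imports = [
      presets.base
      presets.kvm
      ./hardware-configurations/machine-haless-03.nix
      (tincConfiguration { hostname = "machine-haless-03.cryto.net"; inherit nodes; })
    ];

    # NixOps post-deploy health checks: one GET / per (host, scheme) pair.
    deployment.healthChecks.http =
      let
        makeHostChecker = { protocol, port }: host: {
          scheme = protocol;
          inherit port host;
          path = "/";
          description = "${host} (${protocol} :${toString port}) is up";
        };
        httpHosts = map (makeHostChecker { protocol = "http"; port = 80; });
        httpsHosts = map (makeHostChecker { protocol = "https"; port = 443; });
      in lib.mkMerge [
        (httpHosts [
          # "haless.cryto.net"
          # "todo.cryto.net"
          # "books.cryto.net"
          # "learn.cryto.net"
          # "vps-list.cryto.net"
          "iomfats.cryto.net"
          "castleroland.cryto.net"
          "awesomedude.cryto.net"
          "matrix-rooms.cryto.net"
          "validatem.cryto.net"
        ])
        (httpsHosts [
          # "haless.cryto.net"
          # "books.cryto.net"
          # "vps-list.cryto.net"
          "iomfats.cryto.net"
          "castleroland.cryto.net"
          "awesomedude.cryto.net"
          "matrix-rooms.cryto.net"
          "validatem.cryto.net"
        ])
      ];

    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # Daily full-system backup (runs as root) to the append-only repo on machine-borg2-01.
    services.borgbackup.jobs.system = {
      paths = "/";
      exclude = [ "/nix" "/boot" "/sys" "/run" "/tmp" "/dev" "/proc" ];
      repo = "backup-haless@machine-borg2-01.cryto.net:haless-03";
      encryption = {
        mode = "repokey-blake2";
        # NOTE(review): a literal `passphrase` is baked into the generated job
        # script in the world-readable Nix store, so every local account
        # (including the nginx/mobile-proxy/matrix-rooms service users) can read
        # it. Prefer `passCommand = "cat /run/keys/borg-passphrase"` with the
        # secret delivered via `deployment.keys` (and `after`/`wants` on the
        # `borg-passphrase-key.service` unit, since /run/keys is empty after a
        # reboot until `nixops send-keys`). Left as-is to avoid changing the
        # deployment flow without that key wiring in place.
        passphrase = import ../private/machine-haless-03.cryto.net/borg-passphrase.nix;
      };
      compression = "auto,zlib";
      startAt = "daily";
    };

    services.nginx = {
      enable = true;
      virtualHosts = {
        # Catch-all for unknown Host headers.
        "404.cryto.net" = {
          default = true;
          extraConfig = ''
            return 404;
          '';
        };

        "modular-matrix.cryto.net" = lib.mkMerge [
          nginxPresets.letsEncrypt
          { root = ./sources/modular-matrix; }
        ];

        "validatem.cryto.net" = lib.mkMerge [
          nginxPresets.letsEncrypt
          { root = ./sources/validatem-site; }
        ];

        "haless.cryto.net" = lib.mkMerge [
          nginxPresets.letsEncrypt
          {
            # nginx `alias` is a literal prefix substitution: with `location /shadow/`
            # the alias must end in "/" or `/shadow/x` maps to `.../shadow-generatorx`.
            # Interpolating the Nix path yields the bare store path, so the slash is
            # appended explicitly.
            locations."/shadow/" = { alias = "${./sources/shadow-generator}/"; };
            locations."/knex-mirror/" = { alias = "${./sources/knex-mirror}/"; };
          }
        ];

        "books.cryto.net" = lib.mkMerge [
          nginxPresets.letsEncrypt
          nginxPresets.phpDisabled
          # (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
          # NOTE(review): when re-enabling, the derivation below copies
          # ../private/cryto-books/credentials.php into the world-readable Nix
          # store; deliver it via deployment.keys instead.
          # {
          #   root = pkgs.stdenv.mkDerivation {
          #     name = "cryto-books";
          #     src = ./sources/cryto-books;
          #     installPhase = ''
          #       mkdir -p $out/
          #       cp -r $src/* $out/
          #       cp ${../private/cryto-books/credentials.php} $out/credentials.php
          #     '';
          #   };
          # }
        ];

        "todo.cryto.net" = lib.mkMerge [
          nginxPresets.phpDisabled
          # (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
          # NOTE(review): same store-leak caveat as books.cryto.net for config.json.
          # (nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
          #   name = "cryto-todo";
          #   src = ./sources/cryto-todo;
          #   installPhase = ''
          #     mkdir -p $out/public_html
          #     cp -r $src/* $out/public_html
          #     cp ${../private/cryto-todo/config.json} $out/config.json
          #   '';
          # }))
        ];

        "learn.cryto.net" = lib.mkMerge [
          nginxPresets.phpDisabled
          # (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
          # NOTE(review): same store-leak caveat as books.cryto.net for config.json.
          # (nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
          #   name = "cryto-learn";
          #   src = ./sources/cryto-learn;
          #   installPhase = ''
          #     mkdir -p $out/public_html
          #     cp -r $src/* $out/public_html
          #     cp ${../private/cryto-learn/config.json} $out/config.json
          #   '';
          # }))
        ];

        "vps-list.cryto.net" = lib.mkMerge [
          nginxPresets.letsEncrypt
          nginxPresets.phpDisabled
          # (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
          # NOTE(review): same store-leak caveat as books.cryto.net; this one also
          # places config.php under public_html, so it would be served if PHP were off.
          # (nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
          #   name = "vps-list";
          #   src = ./sources/vps-list;
          #   installPhase = ''
          #     mkdir -p $out/public_html
          #     mkdir -p $out/public_html/cphp
          #     cp -r $src/* $out/public_html
          #     cp ${../private/vps-list/config.php} $out/public_html/cphp/config.php
          #   '';
          # }))
        ];

        # Three hostnames share one upstream; presumably it routes on the Host
        # header — confirm the preset forwards it.
        "iomfats.cryto.net" = lib.mkMerge [
          nginxPresets.letsEncrypt
          (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
        ];
        "castleroland.cryto.net" = lib.mkMerge [
          nginxPresets.letsEncrypt
          (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
        ];
        "awesomedude.cryto.net" = lib.mkMerge [
          nginxPresets.letsEncrypt
          (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
        ];

        "matrix-rooms.cryto.net" = lib.mkMerge [
          nginxPresets.letsEncrypt
          (nginxPresets.reverseProxy "http://127.0.0.1:3842/")
        ];
      };
    };

    # services.mysql = {
    #   enable = true;
    #   package = pkgs.mysql55;
    # };
    # NOTE(review): PHP 5.6 from nixos-18.03 is end-of-life and receives no
    # security fixes; do not re-enable without moving to a supported release.
    # services.phpfpm = {
    #   settings = {
    #     "log_level" = "notice";
    #   };
    #   phpPackage = pkgs1803.php56;
    #   pools = {
    #     main = {
    #       # listen = "/var/run/phpfpm-main.sock";
    #       user = "nobody";
    #       settings = {
    #         "listen.owner" = "nginx";
    #         "listen.group" = "nginx";
    #         "listen.mode" = 0660;
    #         "pm" = "dynamic";
    #         "pm.max_children" = 75;
    #         "pm.start_servers" = 10;
    #         "pm.min_spare_servers" = 5;
    #         "pm.max_spare_servers" = 20;
    #         "pm.max_requests" = 500;
    #         "catch_workers_output" = true;
    #       };
    #     };
    #   };
    # };

    # --- mobile-proxy ------------------------------------------------------
    # Dedicated unprivileged account + group so the service does not share
    # `nogroup` with other daemons.
    users.groups.mobile-proxy = {};
    users.users.mobile-proxy = {
      description = "mobile-proxy Service User";
      isSystemUser = true;
      group = "mobile-proxy";
    };

    systemd.services.mobile-proxy =
      let
        package = pkgs.cryto.mobileProxy.override {
          configFile = ./data/mobile-proxy/config.jsx;
        };
      in {
        description = "Mobile Proxy";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        # Scratch HOME for the process. Previously a root-run preStart did
        # `mkdir -p` + `chown` under the world-writable /tmp, which lets any
        # local user pre-create /tmp/mobile-proxy-home as a symlink and have
        # root chown an arbitrary path (and systemd-tmpfiles may clean it).
        # RuntimeDirectory is created by systemd with the right owner/mode and
        # removed when the unit stops, with no privileged shell step.
        # Assumes the app only needs a writable scratch HOME — TODO confirm.
        environment = { HOME = "/run/mobile-proxy"; };
        serviceConfig = {
          ExecStart = "${package}/bin/mobile-proxy";
          User = "mobile-proxy";
          Group = "mobile-proxy";
          Restart = "on-failure";
          RuntimeDirectory = "mobile-proxy";
          RuntimeDirectoryMode = "0700";
        };
      };

    # --- matrix-rooms -------------------------------------------------------
    users.groups.matrix-rooms = {};
    users.users.matrix-rooms = {
      # Was "mobile-proxy Service User" (copy-paste).
      description = "matrix-rooms Service User";
      isSystemUser = true;
      group = "matrix-rooms";
    };

    systemd.services.matrix-rooms =
      let
        package = pkgs.cryto.matrixRooms;
      in {
        description = "Matrix Room List Viewer";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        # FIXME: Is a fake home necessary for this application?
        # Same rationale as mobile-proxy: systemd-managed scratch dir instead
        # of a root-run mkdir/chown in /tmp.
        environment = {
          HOME = "/run/matrix-rooms";
          NODE_ENV = "production";
        };
        serviceConfig = {
          # FIXME: Change binary name in its package.json at some point
          ExecStart = "${package}/bin/matrix-room-list-viewer";
          User = "matrix-rooms";
          Group = "matrix-rooms";
          Restart = "on-failure";
          RuntimeDirectory = "matrix-rooms";
          RuntimeDirectoryMode = "0700";
        };
      };
  };
}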