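# NixOps network expression for the "Cryto" deployment: one pinned-channel nixpkgs with a
# small overlay (`pkgs.cryto.*`), shared presets, and two machines — a borg backup server
# and a web/application host that backs itself up to it. (`network.*` and `deployment.*`
# are NixOps options; everything else is plain NixOS module configuration.)
let
  nixpkgsOptions = {
    overlays = [
      (self: super: {
        /* NOTE: Namespaced under `pkgs.cryto.*` to prevent naming conflicts with upstream nixpkgs */
        cryto = {
          fetchFromCrytoGit = self.callPackage ./lib/fetch/from-cryto-git.nix {};
          nodeApplication = self.callPackage ./lib/node-application.nix {};
          unpack = self.callPackage ./lib/unpack.nix {};
          # configFile is overridden per machine (see the mobile-proxy service below).
          mobileProxy = self.callPackage ./packages/mobile-proxy { configFile = null; };
          matrixRooms = self.callPackage ./packages/matrix-rooms {};
        };
      })
    ];
  };

  # NOTE(review): this tarball is fetched without a `sha256`, so the nixpkgs snapshot is
  # not content-addressed — every evaluation trusts whatever the URL serves at that moment,
  # and the result is neither reproducible nor tamper-evident. Pinning it as
  # `fetchTarball { url = "..."; sha256 = "<sha256 of the archive — placeholder>"; }` fixes
  # the exact input the whole deployment is built from.
  pkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-20.03.tar.gz") nixpkgsOptions;

  # Machine-level presets shared by every host.
  presets = {
    base = import ./presets/base.nix;
    kvm = import ./presets/kvm.nix;
  };

  # Per-virtual-host nginx fragments, combined with `lib.mkMerge` below.
  nginxPresets = {
    phpDisabled = import ./presets/nginx/php-disabled.nix;
    reverseProxy = import ./presets/nginx/reverse-proxy.nix;
    letsEncrypt = import ./presets/nginx/lets-encrypt.nix;
  };

  nodes = import ./data/nodes.nix;
  tincConfiguration = import ./lib/tinc-configuration.nix;
in {
  network = {
    inherit pkgs;
    description = "Cryto";
  };

  # Borg backup target. Each client gets its own Unix user/group and repository; the
  # clients only hold append-only keys, so a compromised client cannot prune or delete
  # its own history — only the full-access keys can.
  "machine-borg2-01.cryto.net" = { pkgs, lib, ... }: {
    system.stateVersion = "18.09"; # FIXME: Why is this needed?
    nixpkgs.overlays = [];

    imports = [
      presets.base
      presets.kvm
      ./hardware-configurations/machine-borg2-01.nix
      (tincConfiguration { hostname = "machine-borg2-01.cryto.net"; nodes = nodes; })
    ];

    boot.loader.grub.device = lib.mkForce "/dev/vda";

    users.extraUsers = {
      backup-f0x = { createHome = true; home = "/home/backup-f0x"; };
      backup-haless = { createHome = true; home = "/home/backup-haless"; };
    };

    users.extraGroups = {
      backup-f0x = { members = [ "backup-f0x" ]; };
      backup-haless = { members = [ "backup-haless" ]; };
    };

    services.borgbackup.repos = {
      "f0x" = {
        allowSubRepos = true;
        quota = "400G";
        path = "/home/backup-f0x";
        user = "backup-f0x";
        group = "backup-f0x";
        authorizedKeys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJDP2TDyj1X/L6gNgHCXASIWoW/VnJ77FQy39VRTi8 f0x@elephantus"
        ];
        authorizedKeysAppendOnly = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7WSUY6Y2lsIawo8dPBu4/Omx6c7/1SMD9ve/vpcorN borg-backup@terra"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeMWPR38zXAbURVTJs+yGDnld5kO7bcgp/70l4wJG0k borg-backup@luna"
        ];
      };

      # NOTE(review): unlike "f0x", this repository has no `quota`, so a misbehaving or
      # compromised client can fill the disk and starve the other repository; consider
      # setting one here as well.
      "haless" = {
        allowSubRepos = true;
        path = "/home/backup-haless";
        user = "backup-haless";
        group = "backup-haless";
        authorizedKeys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzV5dI01NhwuL6ayiO0STcSQiDf7lEtu63NuLZKQUdZVuVHIqyt3Gquks2OI1NZGrJdXA315yw89ZqyMo+z7gSGHEV6P0fAXKW6G78JOFWsA5lGpaLxTsZ6Q7r0Z9FMqDvA5Jlsyznyj9hhO1cz01WPLzB92ypd9ifldtrAQIYQItxGXOuRkBJiShuIRqtr4Q2chXiOoRZKb4v4Gyt/UPxTpvfM/zcOz0zi1d4ijSbLqgIUJhxvrWADfdgEQ77unepDoD+HT51QBX7dj8RuYivxLSA3vpfNeCgt2CYBf6FYnmWkWSnN1RCtQPJNxsMuLzC2ZBbIkz0tDgcIBPbHxGr sven@linux-rfa7.site"
        ];
        authorizedKeysAppendOnly = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAOpXsDxE7SXeSw/kjgzdwEkNsL9REMabMqYVPM9rem root@machine-haless-03.cryto.net"
        ];
      };
    };
  };

  # Web/application host: nginx front-end, two Node services, nightly borg backup of the
  # whole system to machine-borg2-01.
  "machine-haless-03.cryto.net" = { pkgs, lib, config, ... }: {
    system.stateVersion = "19.03";

    imports = [
      presets.base
      presets.kvm
      ./hardware-configurations/machine-haless-03.nix
      (tincConfiguration { hostname = "machine-haless-03.cryto.net"; nodes = nodes; })
    ];

    # NixOps post-deploy health checks: every public site must answer on both 80 and 443.
    deployment.healthChecks.http = let
      makeHostChecker = { protocol, port }: host: {
        scheme = protocol;
        port = port;
        path = "/";
        host = host;
        description = "${host} (${protocol} :${toString port}) is up";
      };
      httpHosts = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts;
      httpsHosts = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts;
      # Single source of truth for the checked hosts; previously the list was duplicated
      # for http and https and could silently drift apart.
      checkedHosts = [
        "iomfats.cryto.net"
        "castleroland.cryto.net"
        "awesomedude.cryto.net"
        "matrix-rooms.cryto.net"
        "validatem.cryto.net"
      ];
    in lib.mkMerge [
      (httpHosts checkedHosts)
      (httpsHosts checkedHosts)
    ];

    networking.firewall.allowedTCPPorts = [ 80 443 ];

    services.borgbackup.jobs.system = {
      paths = "/";
      exclude = [ "/nix" "/boot" "/sys" "/run" "/tmp" "/dev" "/proc" ];
      repo = "backup-haless@machine-borg2-01.cryto.net:haless-03";
      encryption = {
        mode = "repokey-blake2";
        # NOTE(review): a passphrase given here is rendered into the generated job script,
        # which lives in the world-readable Nix store of this host. `encryption.passCommand`
        # reading a root-only file delivered out of band (e.g. NixOps `deployment.keys`)
        # keeps the secret out of the store; kept as-is here because it needs a matching
        # change to how the secret is deployed.
        passphrase = import ../private/machine-haless-03.cryto.net/borg-passphrase.nix;
      };
      compression = "auto,zlib";
      startAt = "daily";
    };

    services.nginx = {
      enable = true;
      virtualHosts = {
        # Catch-all: requests for an unknown Host header get a 404 instead of the first
        # configured site.
        "404.cryto.net" = {
          default = true;
          extraConfig = ''
            return 404;
          '';
        };
        "modular-matrix.cryto.net" = lib.mkMerge [
          (nginxPresets.letsEncrypt)
          { root = ./sources/modular-matrix; }
        ];
        "validatem.cryto.net" = lib.mkMerge [
          (nginxPresets.letsEncrypt)
          { root = ./sources/validatem-site; }
        ];
        "haless.cryto.net" = lib.mkMerge [
          (nginxPresets.letsEncrypt)
          {
            locations."/shadow/" = { alias = ./sources/shadow-generator; };
            locations."/knex-mirror/" = { alias = ./sources/knex-mirror; };
          }
        ];
        "books.cryto.net" = lib.mkMerge [
          (nginxPresets.letsEncrypt)
          (nginxPresets.phpDisabled)
        ];
        "todo.cryto.net" = lib.mkMerge [
          (nginxPresets.phpDisabled)
        ];
        "learn.cryto.net" = lib.mkMerge [
          (nginxPresets.phpDisabled)
        ];
        "vps-list.cryto.net" = lib.mkMerge [
          (nginxPresets.letsEncrypt)
          (nginxPresets.phpDisabled)
        ];
        # The three sites below are served by one local application on port 3000.
        "iomfats.cryto.net" = lib.mkMerge [
          (nginxPresets.letsEncrypt)
          (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
        ];
        "castleroland.cryto.net" = lib.mkMerge [
          (nginxPresets.letsEncrypt)
          (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
        ];
        "awesomedude.cryto.net" = lib.mkMerge [
          (nginxPresets.letsEncrypt)
          (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
        ];
        "matrix-rooms.cryto.net" = lib.mkMerge [
          (nginxPresets.letsEncrypt)
          (nginxPresets.reverseProxy "http://127.0.0.1:3842/")
        ];
      };
    };

    users.extraUsers.mobile-proxy = {
      description = "mobile-proxy Service User";
      # Service account: allocate from the system uid range, not the human-user range.
      isSystemUser = true;
    };

    systemd.services.mobile-proxy = let
      package = pkgs.cryto.mobileProxy.override { configFile = ./data/mobile-proxy/config.jsx; };
    in {
      description = "Mobile Proxy";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStart = "${package}/bin/mobile-proxy";
        User = "mobile-proxy";
        Restart = "on-failure";
        # preStart runs as root (to create and chown the home below); ExecStart as User.
        PermissionsStartOnly = true;
        # The fake home lives in /tmp; a private /tmp keeps it out of the shared, world-
        # writable directory so no other local user can pre-create or tamper with it
        # (`mkdir -p` would silently accept a pre-existing directory). preStart runs in
        # the same namespace, so the path below still resolves.
        PrivateTmp = true;
        NoNewPrivileges = true;
      };
      preStart = ''
        mkdir -m 0700 -p /tmp/mobile-proxy-home
        chown mobile-proxy /tmp/mobile-proxy-home
      '';
      environment = {
        HOME = "/tmp/mobile-proxy-home";
      };
    };

    users.extraUsers.matrix-rooms = {
      # Was a copy-paste of the mobile-proxy description.
      description = "matrix-rooms Service User";
      isSystemUser = true;
    };

    systemd.services.matrix-rooms = let
      package = pkgs.cryto.matrixRooms;
    in {
      description = "Matrix Room List Viewer";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStart = "${package}/bin/matrix-room-list-viewer"; /* FIXME: Change binary name in its package.json at some point */
        User = "matrix-rooms";
        Restart = "on-failure";
        PermissionsStartOnly = true;
        # Same rationale as for mobile-proxy: keep the /tmp home private to this unit.
        PrivateTmp = true;
        NoNewPrivileges = true;
      };
      # FIXME: Is a fake home necessary for this application?
      preStart = ''
        mkdir -m 0700 -p /tmp/matrix-rooms-home
        chown matrix-rooms /tmp/matrix-rooms-home
      '';
      environment = {
        HOME = "/tmp/matrix-rooms-home";
        NODE_ENV = "production";
      };
    };
  };
}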