
let
  # Everything this repository adds to nixpkgs lives under `pkgs.cryto.*`, so
  # it can never shadow an upstream attribute.
  crytoOverlay = self: super: {
    cryto = {
      fetchFromCrytoGit = self.callPackage ./lib/fetch/from-cryto-git.nix {};
      nodeApplication = self.callPackage ./lib/node-application.nix {};
      unpack = self.callPackage ./lib/unpack.nix {};
      # `configFile` is supplied per machine through `.override`.
      mobileProxy = self.callPackage ./packages/mobile-proxy { configFile = null; };
      matrixRooms = self.callPackage ./packages/matrix-rooms {};
    };
  };
  nixpkgsOptions = { overlays = [ crytoOverlay ]; };

  # NOTE(review): `fetchTarball` is called without a `sha256`, so the channel
  # tarball is neither integrity-checked nor pinned — every machine gets
  # whatever the URL serves at evaluation time.  Adding the `sha256` argument
  # (or fetching a fixed commit archive) makes the deployment reproducible and
  # tamper-evident.  The nixpkgs-channels mirror has also been retired
  # upstream since this was written; verify the URL still resolves.
  nixpkgsChannel = "nixos-20.03";
  pkgs = import
    (fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/${nixpkgsChannel}.tar.gz")
    nixpkgsOptions;

  # NixOS module fragments shared by the machines below.
  presets = builtins.mapAttrs (_: import) {
    base = ./presets/base.nix;
    kvm = ./presets/kvm.nix;
  };
  nginxPresets = builtins.mapAttrs (_: import) {
    phpDisabled = ./presets/nginx/php-disabled.nix;
    reverseProxy = ./presets/nginx/reverse-proxy.nix;
    letsEncrypt = ./presets/nginx/lets-encrypt.nix;
  };

  # Tinc mesh: the node table plus the per-host configuration generator.
  nodes = import ./data/nodes.nix;
  tincConfiguration = import ./lib/tinc-configuration.nix;
in {
network = {
  # Every machine is evaluated against the overlaid nixpkgs from the `let` above.
  pkgs = pkgs;
  description = "Cryto";
};
"machine-borg2-01.cryto.net" = { pkgs, lib, ... }:
let
  hostname = "machine-borg2-01.cryto.net";
  # One unprivileged account plus a matching group per backup client; each
  # borg repository is rooted in that account's home and owned by it.
  backupAccounts = [ "backup-f0x" "backup-haless" ];
in {
  system.stateVersion = "18.09";
  # FIXME: Why is this needed?
  nixpkgs.overlays = [];
  imports = [
    presets.base
    presets.kvm
    ./hardware-configurations/machine-borg2-01.nix
    (tincConfiguration { inherit hostname nodes; })
  ];
  # /dev/vda — presumably the guest's virtio disk; mkForce overrides whatever
  # the presets choose.
  boot.loader.grub.device = lib.mkForce "/dev/vda";

  users.extraUsers = lib.genAttrs backupAccounts (name: {
    createHome = true;
    home = "/home/${name}";
  });
  users.extraGroups = lib.genAttrs backupAccounts (name: { members = [ name ]; });

  # `authorizedKeys` grants full repository access.
  # `authorizedKeysAppendOnly` is for the backup clients themselves: per the
  # borgbackup module these keys get an append-only `borg serve`, so a
  # compromised client can add archives but cannot permanently destroy the
  # history it already pushed.
  services.borgbackup.repos = {
    f0x = {
      allowSubRepos = true;
      quota = "400G";
      path = "/home/backup-f0x";
      user = "backup-f0x";
      group = "backup-f0x";
      authorizedKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJDP2TDyj1X/L6gNgHCXASIWoW/VnJ77FQy39VRTi8 f0x@elephantus"
      ];
      authorizedKeysAppendOnly = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7WSUY6Y2lsIawo8dPBu4/Omx6c7/1SMD9ve/vpcorN borg-backup@terra"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeMWPR38zXAbURVTJs+yGDnld5kO7bcgp/70l4wJG0k borg-backup@luna"
      ];
    };
    haless = {
      allowSubRepos = true;
      # No quota is set for this repository (unlike f0x).
      path = "/home/backup-haless";
      user = "backup-haless";
      group = "backup-haless";
      authorizedKeys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzV5dI01NhwuL6ayiO0STcSQiDf7lEtu63NuLZKQUdZVuVHIqyt3Gquks2OI1NZGrJdXA315yw89ZqyMo+z7gSGHEV6P0fAXKW6G78JOFWsA5lGpaLxTsZ6Q7r0Z9FMqDvA5Jlsyznyj9hhO1cz01WPLzB92ypd9ifldtrAQIYQItxGXOuRkBJiShuIRqtr4Q2chXiOoRZKb4v4Gyt/UPxTpvfM/zcOz0zi1d4ijSbLqgIUJhxvrWADfdgEQ77unepDoD+HT51QBX7dj8RuYivxLSA3vpfNeCgt2CYBf6FYnmWkWSnN1RCtQPJNxsMuLzC2ZBbIkz0tDgcIBPbHxGr sven@linux-rfa7.site"
      ];
      # Append-only key of machine-haless-03, which pushes its system backup here.
      authorizedKeysAppendOnly = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAOpXsDxE7SXeSw/kjgzdwEkNsL9REMabMqYVPM9rem root@machine-haless-03.cryto.net"
      ];
    };
  };
};
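"machine-haless-03.cryto.net" = { pkgs, lib, config, ... }@args:
let
  # Sites the NixOps health check probes.  Listed once and shared by the
  # http and https probe lists so the two cannot drift apart.
  healthCheckHosts = [
    "iomfats.cryto.net"
    "castleroland.cryto.net"
    "awesomedude.cryto.net"
    "matrix-rooms.cryto.net"
    "validatem.cryto.net"
  ];
  # One `deployment.healthChecks.http` entry per host for the given scheme/port.
  hostChecks = { protocol, port }: hosts: map (host: {
    scheme = protocol;
    inherit port host;
    path = "/";
    description = "${host} (${protocol} :${toString port}) is up";
  }) hosts;

  # Static site: Let's Encrypt TLS, files served straight from the repository.
  staticSite = root: lib.mkMerge [
    nginxPresets.letsEncrypt
    { inherit root; }
  ];
  # Reverse-proxied site: Let's Encrypt TLS in front of a loopback upstream.
  proxiedSite = upstream: lib.mkMerge [
    nginxPresets.letsEncrypt
    (nginxPresets.reverseProxy upstream)
  ];

  # systemd unit for a Node service running as its own unprivileged user with
  # a private HOME that preStart creates as root (PermissionsStartOnly).
  # NOTE(review): that HOME is a fixed path under the world-writable /tmp,
  # created and chown'ed by root on every start — a predictable-path hazard.
  # `serviceConfig.RuntimeDirectory` / `StateDirectory` would give systemd
  # ownership of a private directory with the right owner instead.  Left
  # unchanged here because the HOME location is visible to the application.
  nodeService = { description, user, execStart, home, extraEnvironment ? {} }: {
    inherit description;
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = execStart;
      User = user;
      Restart = "on-failure";
      PermissionsStartOnly = true;
    };
    preStart = ''
      mkdir -m 0700 -p ${home}
      chown ${user} ${home}
    '';
    environment = { HOME = home; } // extraEnvironment;
  };
in {
  system.stateVersion = "19.03";
  imports = [
    presets.base
    presets.kvm
    ./hardware-configurations/machine-haless-03.nix
    (tincConfiguration { hostname = "machine-haless-03.cryto.net"; inherit nodes; })
  ];

  deployment.healthChecks.http = lib.mkMerge [
    (hostChecks { protocol = "http"; port = 80; } healthCheckHosts)
    (hostChecks { protocol = "https"; port = 443; } healthCheckHosts)
  ];
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Daily whole-system backup to the `haless` repository on machine-borg2-01.
  services.borgbackup.jobs.system = {
    paths = "/";
    # Pseudo-filesystems plus /nix and /boot are skipped.
    exclude = [ "/nix" "/boot" "/sys" "/run" "/tmp" "/dev" "/proc" ];
    repo = "backup-haless@machine-borg2-01.cryto.net:haless-03";
    encryption = {
      mode = "repokey-blake2";
      # NOTE(review): a value given via `encryption.passphrase` ends up in this
      # machine's world-readable Nix store (the nixpkgs option documentation
      # says so).  `encryption.passCommand` reading a root-only file keeps the
      # passphrase out of the store.
      passphrase = (import ../private/machine-haless-03.cryto.net/borg-passphrase.nix);
    };
    compression = "auto,zlib";
    startAt = "daily";
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      # Catch-all for unknown Host headers: a bare 404 rather than another site.
      "404.cryto.net" = {
        default = true;
        extraConfig = ''
          return 404;
        '';
      };
      "modular-matrix.cryto.net" = staticSite ./sources/modular-matrix;
      "validatem.cryto.net" = staticSite ./sources/validatem-site;
      "haless.cryto.net" = lib.mkMerge [
        nginxPresets.letsEncrypt
        {
          locations."/shadow/".alias = ./sources/shadow-generator;
          locations."/knex-mirror/".alias = ./sources/knex-mirror;
        }
      ];
      "books.cryto.net" = lib.mkMerge [
        nginxPresets.letsEncrypt
        nginxPresets.phpDisabled
      ];
      "todo.cryto.net" = lib.mkMerge [ nginxPresets.phpDisabled ];
      "learn.cryto.net" = lib.mkMerge [ nginxPresets.phpDisabled ];
      "vps-list.cryto.net" = lib.mkMerge [
        nginxPresets.letsEncrypt
        nginxPresets.phpDisabled
      ];
      # These three share one upstream on loopback port 3000, which is not
      # defined in this expression.
      "iomfats.cryto.net" = proxiedSite "http://127.0.0.1:3000/";
      "castleroland.cryto.net" = proxiedSite "http://127.0.0.1:3000/";
      "awesomedude.cryto.net" = proxiedSite "http://127.0.0.1:3000/";
      "matrix-rooms.cryto.net" = proxiedSite "http://127.0.0.1:3842/";
    };
  };

  users.extraUsers = {
    mobile-proxy.description = "mobile-proxy Service User";
    # Previously a copy of the mobile-proxy description; now names the
    # account it belongs to.
    matrix-rooms.description = "matrix-rooms Service User";
  };

  systemd.services.mobile-proxy = nodeService {
    description = "Mobile Proxy";
    user = "mobile-proxy";
    home = "/tmp/mobile-proxy-home";
    execStart = let
      # The package takes its configuration at build time via `.override`.
      package = pkgs.cryto.mobileProxy.override { configFile = ./data/mobile-proxy/config.jsx; };
    in "${package}/bin/mobile-proxy";
  };

  # FIXME: Is a fake home necessary for this application?
  systemd.services.matrix-rooms = nodeService {
    description = "Matrix Room List Viewer";
    user = "matrix-rooms";
    home = "/tmp/matrix-rooms-home";
    # FIXME: Change binary name in its package.json at some point
    execStart = "${pkgs.cryto.matrixRooms}/bin/matrix-room-list-viewer";
    extraEnvironment.NODE_ENV = "production";
  };
};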
}