From 2d61711e0740e48c3bd15580959c3bd50cfcbb7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sat, 15 May 2021 20:57:59 +0100
Subject: [PATCH 1/8] flake.lock: Update

Flake input changes:

* Updated 'flake-utils': 'github:numtide/flake-utils/2ebf2558e5bf978c7fb8ea927dfaed8fefab2e28' -> 'github:numtide/flake-utils/b543720b25df6ffdfcf9227afafc5b8c1fabfae8'
* Updated 'nixos-hardware': 'github:nixos/nixos-hardware/f7540d6c27704ec0fe56ecc8b2a9b663181850b0' -> 'github:nixos/nixos-hardware/c4399b921fa7ff5f93ee10b3521b56b722ed74d8'
* Updated 'nixpkgs': 'github:nixos/nixpkgs/d4e7af972158a14ebdd9c828b1c2e07e2ce7ef1c' -> 'github:nixos/nixpkgs/17d3dab8647a31a00d8a11433a56cc12d84b5ab4'
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index a1b77b8..03e3f45 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1619345332,
-        "narHash": "sha256-qHnQkEp1uklKTpx3MvKtY6xzgcqXDsz5nLilbbuL+3A=",
+        "lastModified": 1620759905,
+        "narHash": "sha256-WiyWawrgmyN0EdmiHyG2V+fqReiVi8bM9cRdMaKQOFg=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "2ebf2558e5bf978c7fb8ea927dfaed8fefab2e28",
+        "rev": "b543720b25df6ffdfcf9227afafc5b8c1fabfae8",
         "type": "github"
       },
       "original": {
@@ -37,11 +37,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1619336929,
-        "narHash": "sha256-joIC2D26jtSbHodR/o8r+5T9XL2hXs6NIp5mVyA4JOc=",
+        "lastModified": 1620983891,
+        "narHash": "sha256-E2OKVgGo/cUqDsrIeYGVx64b4cxgzd7+bX33NHL0rbA=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "f7540d6c27704ec0fe56ecc8b2a9b663181850b0",
+        "rev": "c4399b921fa7ff5f93ee10b3521b56b722ed74d8",
         "type": "github"
       },
       "original": {
@@ -53,11 +53,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1619486598,
-        "narHash": "sha256-ZEvJ+uItcKLQ9uSjGbQFE6Euu9w1Y98x0TWydXIgHAI=",
+        "lastModified": 1621088295,
+        "narHash": "sha256-hn8Rk6o5nRbWK/GE+z2OK8DIDIgGxCmVkaXpNYkald0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d4e7af972158a14ebdd9c828b1c2e07e2ce7ef1c",
+        "rev": "17d3dab8647a31a00d8a11433a56cc12d84b5ab4",
         "type": "github"
       },
       "original": {

From 517f4f00802e867e5abb2059c7ce61995e000b5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 16 May 2021 00:40:09 +0100
Subject: [PATCH 2/8] postgres: Get rid of password authentication

Podman pods make this obsolete, though we need to explicitly set
slirp4netns; otherwise podman will not create private network
namespaces for the pods.
---
 configuration/services/gitea.nix     | 3 +--
 configuration/services/nextcloud.nix | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index 0abdb49..2258566 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -14,6 +14,7 @@
   virtualisation.pods.gitea = {
     hostname = "gitea.tlater.net";
     publish = [ "3000:3000" "2221:2221" ];
+    network = "slirp4netns";
 
     containers = {
       gitea = {
@@ -26,7 +27,6 @@
           DB_HOST = "gitea-postgres:5432";
           DB_NAME = "gitea";
           DB_USER = "gitea";
-          DB_PASSWD = "/qNDDK9WCMuubfA7D8DFwfl9T+Gy2IMDvPhiNpcxZjY=";
 
           USER_UID = toString config.users.extraUsers.gitea.uid;
           USER_GID = toString config.users.extraGroups.gitea.gid;
@@ -42,7 +42,6 @@
         environment = {
           POSTGRES_DB = "gitea";
           POSTGRES_USER = "gitea";
-          POSTGRES_PASSWORD = "/qNDDK9WCMuubfA7D8DFwfl9T+Gy2IMDvPhiNpcxZjY=";
         };
         volumes = [ "gitea-db-data:/var/lib/postgresql/data" ];
       };
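Review bot: Dropping `POSTGRES_PASSWORD` here does not by itself make the database stop demanding one: if this is the official postgres image, a fresh `gitea-db-data` volume will refuse to initialize without either `POSTGRES_PASSWORD` or an explicit `POSTGRES_HOST_AUTH_METHOD=trust`, and an already-initialized volume keeps the `pg_hba.conf` written at first start, which still requires a password from the gitea container that no longer sends one after the `DB_PASSWD` removal in the previous hunk. The two nextcloud.nix hunks in this commit have the same problem. If trust authentication inside the pod is the intent, set it explicitly and keep 5432 out of the pod's `publish` list (as it is now), since with trust any process that can reach the pod network has full access to the database. The removed literals remain recoverable from git history, so if they are reused anywhere else they should be changed.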
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index ba1754b..4b74ac7 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -4,6 +4,7 @@
   virtualisation.pods.nextcloud = {
     hostname = "nextcloud.tlater.net";
     publish = [ "3001:80" ];
+    network = "slirp4netns";
 
     containers = {
       nextcloud = {
@@ -18,7 +19,6 @@
           POSTGRES_DB = "nextcloud";
           POSTGRES_USER = "nextcloud";
           POSTGRES_HOST = "nextcloud-postgres";
-          POSTGRES_PASSWORD = "rI7t7Nek1yGA9ucrRc7Uhy0jcjwPjnXa8me4o8tJON8=";
           OVERWRITEPROTOCOL = "https";
         };
       };
@@ -43,7 +43,6 @@
         environment = {
           POSTGRES_DB = "nextcloud";
           POSTGRES_USER = "nextcloud";
-          POSTGRES_PASSWORD = "rI7t7Nek1yGA9ucrRc7Uhy0jcjwPjnXa8me4o8tJON8=";
         };
         volumes = [ "nextcloud-db-data:/var/lib/postgresql/data" ];
       };

From 458f6c7f7b1df2a35dc7b78daf9dce5817aefcb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 16 May 2021 01:34:03 +0100
Subject: [PATCH 3/8] nginx: Avoid connection issues caused by IPv6 resolution

If localhost is specified in the proxyPass url, nginx will happily
resolve IPv6 addresses, even if the upstream doesn't support them.

This can result in connection issues, especially with containers that
don't support IPv6.
---
 configuration/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/default.nix b/configuration/default.nix
index f6ff072..72c955d 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -60,7 +60,7 @@
         {
           forceSSL = true;
           enableACME = true;
-          locations."/" = { proxyPass = "http://localhost:${toString port}"; };
+          locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
         } // extra;
     in {
       "tlater.net" = host 3002 { serverAliases = [ "www.tlater.net" ]; };
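Review bot: The reason for `127.0.0.1` over `localhost` lives only in the commit message, so a later tidy-up is likely to revert it to the more readable form; add a comment on the changed line, e.g. `# 127.0.0.1 rather than localhost: nginx may otherwise pick ::1, which the containers do not listen on.` The `host` helper and the `let` it sits in start outside this hunk.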

From b8bf3bd3a219300a9a8fd1868e28776806785c55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Sun, 16 May 2021 23:07:18 +0100
Subject: [PATCH 4/8] minecraft: Clean up use of pkgs.lib

---
 configuration/services/minecraft.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configuration/services/minecraft.nix b/configuration/services/minecraft.nix
index c3831aa..9b77c09 100644
--- a/configuration/services/minecraft.nix
+++ b/configuration/services/minecraft.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 let
   minecraft-server-args = [
@@ -52,7 +52,7 @@ let
 
 in {
   nixpkgs.config.allowUnfreePredicate = pkg:
-    builtins.elem (pkgs.lib.getName pkg) [ "forge-server" ];
+    builtins.elem (lib.getName pkg) [ "forge-server" ];
 
   virtualisation.oci-containers.containers.minecraft-voor-kia = let
     properties = ./configs/minecraft/voor-kia/server.properties;

From 5f8899d542e43b63e2d3e59642f2691013ad237e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Mon, 17 May 2021 00:00:34 +0100
Subject: [PATCH 5/8] nginx: Make VM testing easier by binding virtualHosts to
 localhost

---
 configuration/default.nix | 8 +++++---
 flake.nix                 | 6 +++++-
 modules/default.nix       | 9 ++++++++-
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/configuration/default.nix b/configuration/default.nix
index 72c955d..49668dd 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -54,6 +54,7 @@
     recommendedGzipSettings = true;
     recommendedProxySettings = true;
     clientMaxBodySize = "10G";
+    domain = "tlater.net";
 
     virtualHosts = let
       host = port: extra:
@@ -62,10 +63,11 @@
           enableACME = true;
           locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
         } // extra;
+      domain = config.services.nginx.domain;
     in {
-      "tlater.net" = host 3002 { serverAliases = [ "www.tlater.net" ]; };
-      "gitea.tlater.net" = host 3000 { };
-      "nextcloud.tlater.net" = host 3001 { };
+      "${domain}" = host 3002 { serverAliases = [ "www.${domain}" ]; };
+      "gitea.${domain}" = host 3000 { };
+      "nextcloud.${domain}" = host 3001 { };
     };
   };
 
diff --git a/flake.nix b/flake.nix
index a9baf34..78a3cfb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -68,12 +68,16 @@
             (import ./modules)
 
             (import ./configuration)
-            ({ ... }: {
+            ({ lib, ... }: {
               users.users.tlater.password = "insecure";
 
               # Disable graphical tty so -curses works
               boot.kernelParams = [ "nomodeset" ];
 
+              # Sets the base domain for nginx to localhost so that we
+              # can easily test locally with the VM.
+              services.nginx.domain = lib.mkOverride 99 "localhost";
+
               # # Set up VM settings to match real VPS
               # virtualisation.memorySize = 3941;
               # virtualisation.cores = 2;
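Review bot: Overriding the domain to `localhost` still leaves `enableACME = true` and `forceSSL = true` on every virtual host produced by the `host` helper in configuration/default.nix, so the VM build will try to obtain certificates for `localhost`, `gitea.localhost` and so on, which cannot succeed; I cannot see the `security.acme` settings from here, but the VM module should also override `enableACME = false` on those hosts (or supply a self-signed `sslCertificate`/`sslCertificateKey`) if local testing is the goal. `lib.mkOverride 99` is also a magic number — it beats a plain definition (priority 100) while still yielding to `lib.mkForce` — and the comment above it should say so, e.g. `# Priority 99: beats the plain definition in ./configuration but still yields to mkForce.`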
diff --git a/modules/default.nix b/modules/default.nix
index 0bc1f1c..1fd86fc 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,5 +1,12 @@
-{ ... }:
+{ lib, ... }:
+
+with lib;
 
 {
   imports = [ ./virtualisation/pods.nix ];
+
+  options.services.nginx.domain = mkOption {
+    type = types.str;
+    description = "The base domain name to append to virtual domain names";
+  };
 }
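Review bot: The new option is declared inside the upstream `services.nginx` namespace, so a future nixpkgs `services.nginx.domain` option would collide with it; a project-owned namespace (for example `services.tlaternet.domain`, or a description that at least notes this risk) avoids that. Style-wise, file-scope `with lib;` hides where `mkOption` and `types` come from and is discouraged in the module system; `lib.mkOption { type = lib.types.str; ... }` reads more clearly. The description could also name the consumer, e.g. `description = "Base domain appended to the nginx virtual host names defined in ./configuration/default.nix";`, so a reader knows why there is no default and where unsetting it would fail evaluation.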

From 343c7fcc36b78badfa7f9910bfa101124c0fb990 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Mon, 17 May 2021 00:02:03 +0100
Subject: [PATCH 6/8] nginx: Don't override extra options in the host helper

---
 configuration/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/configuration/default.nix b/configuration/default.nix
index 49668dd..a12aceb 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports = [
@@ -58,11 +58,11 @@
 
     virtualHosts = let
       host = port: extra:
-        {
+        lib.recursiveUpdate {
           forceSSL = true;
           enableACME = true;
           locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
-        } // extra;
+        } extra;
       domain = config.services.nginx.domain;
     in {
       "${domain}" = host 3002 { serverAliases = [ "www.${domain}" ]; };

From a24c68d9db3ca87688950943cd5203b57cd90e97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Mon, 17 May 2021 00:02:41 +0100
Subject: [PATCH 7/8] webserver: Use SIGKILL instead of SIGTERM

This is necessary because rocket 0.4 does not support SIGTERM.
---
 configuration/services/webserver.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix
index e1c396d..d912618 100644
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@@ -34,6 +34,10 @@
 
     ports = [ "3002:3002" ];
     volumes = [ "tlaternet-mail:/srv/mail" ];
-    extraOptions = [ "--hostname=tlater.net" ];
+    extraOptions = [
+      "--hostname=tlater.net"
+      # This can change with rocket 0.5.
+      "--stop-signal=SIGKILL"
+    ];
   };
 }
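Review bot: `--stop-signal=SIGKILL` means the container is never given a chance to shut down cleanly, so anything the webserver still has buffered for `/srv/mail` at stop time can be lost. The likely reason SIGTERM is ignored is not rocket itself but that the server runs as PID 1 in the container, where a signal without an installed handler has no default action; podman's `--init` option runs a small init as PID 1 that forwards SIGTERM to the child, where the default action does terminate it. If that holds here, `"--init"` in `extraOptions` is a safer fix than SIGKILL, and the comment should record which of the two causes applies rather than only `This can change with rocket 0.5.` Whether rocket 0.4 installs any signal handler I cannot tell from this page.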

From 2a7f905bc2c34742388e5a9c580db3f6a7631a3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
 <tristan.maat@codethink.co.uk>
Date: Thu, 13 May 2021 21:12:11 +0100
Subject: [PATCH 8/8] WIP: Add hydra

---
 configuration/default.nix        |  2 ++
 configuration/services/hydra.nix | 16 ++++++++++++++++
 flake.nix                        | 14 +++++++++++++-
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 configuration/services/hydra.nix

diff --git a/configuration/default.nix b/configuration/default.nix
index a12aceb..42e43ec 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -3,6 +3,7 @@
 {
   imports = [
     ./services/gitea.nix
+    ./services/hydra.nix
     ./services/minecraft.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
@@ -68,6 +69,7 @@
       "${domain}" = host 3002 { serverAliases = [ "www.${domain}" ]; };
       "gitea.${domain}" = host 3000 { };
       "nextcloud.${domain}" = host 3001 { };
+      "hydra.${domain}" = host config.services.hydra.port { };
     };
   };
 
diff --git a/configuration/services/hydra.nix b/configuration/services/hydra.nix
new file mode 100644
index 0000000..2321407
--- /dev/null
+++ b/configuration/services/hydra.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+  services.hydra = {
+    enable = true;
+    port = 3003;
+
+    hydraURL = "hydra.tlater.net";
+    notificationSender = "hydra@tlater.net";
+    extraConfig = ''
+      <gitea_authorization>
+
+      </gitea_authorization>
+    '';
+  };
+}
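Review bot: `hydraURL` is used as the base for links hydra generates (for example in notification mails), so `"hydra.tlater.net"` without a scheme produces broken links; it should be `hydraURL = "https://hydra.tlater.net";`, and since the virtual host in configuration/default.nix is built from `config.services.nginx.domain`, deriving it from the same option (taking `config` in the module arguments) keeps the VM and production settings consistent. Hydra listens on all interfaces by default, so with nginx terminating TLS in front of it set `listenHost = "localhost";` unless the firewall is known to block port 3003 — I cannot see the firewall configuration here. The empty `<gitea_authorization>` block will eventually hold a token; given that this series just removed committed credentials, read it from a file outside the checkout rather than filling it in inline.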
diff --git a/flake.nix b/flake.nix
index 78a3cfb..bf1c240 100644
--- a/flake.nix
+++ b/flake.nix
@@ -68,7 +68,7 @@
             (import ./modules)
 
             (import ./configuration)
-            ({ lib, ... }: {
+            ({ config, lib, ... }: {
               users.users.tlater.password = "insecure";
 
               # Disable graphical tty so -curses works
@@ -78,6 +78,18 @@
               # can easily test locally with the VM.
               services.nginx.domain = lib.mkOverride 99 "localhost";
 
+              # Hydra uses X-Forwarded-Port to figure out how to
+              # include links to static files, but because we redirect
+              # 443 -> 3443 in the vm we need to explicitly set this
+              # (nginx can't see qemu's port redirection).
+              services.nginx.virtualHosts =
+                let domain = config.services.nginx.domain;
+                in {
+                  "hydra.${domain}".locations."/".extraConfig = ''
+                    proxy_set_header X-Forwarded-Port 3443;
+                  '';
+                };
+
               # # Set up VM settings to match real VPS
               # virtualisation.memorySize = 3941;
               # virtualisation.cores = 2;