tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 9 Pull requests Releases Activity

Compare commits

base: tlaternet:72e7eed9d1d92ead802b444a662c4e4da303ec9c
Branches Tags
tlaternet:master
tlaternet:tlater/with-minecraft
tlaternet:tlater/nixpkgs-formatting
tlaternet:tlater/authelia
..
compare: tlaternet:23a867de844861854ce58400020b1675f2225096
Branches Tags
tlaternet:tlater/with-minecraft
tlaternet:master
tlaternet:tlater/nixpkgs-formatting
tlaternet:tlater/authelia

No commits in common. "72e7eed9d1d92ead802b444a662c4e4da303ec9c" and "23a867de844861854ce58400020b1675f2225096" have entirely different histories.
72e7eed9d1 ... 23a867de84

10 changed files with 111 additions and 264 deletions
Show stats Expand all files Collapse all files

35
configuration/default.nix
View file

@ -1,13 +1,9 @@
{ {
pkgs, pkgs,
lib, lib,
modulesPath,
... ...
}: { }: {
imports = [ imports = [
"${modulesPath}/profiles/headless.nix"
(import ../modules)
./services/gitea.nix ./services/gitea.nix
./services/nextcloud.nix ./services/nextcloud.nix
./services/webserver.nix ./services/webserver.nix
@ -16,14 +12,6 @@
./sops.nix ./sops.nix
]; ];
nixpkgs.overlays = [
(final: prev: {
local = import ../pkgs {
pkgs = prev;
};
})
];
nix = { nix = {
package = pkgs.nixFlakes; package = pkgs.nixFlakes;
extraOptions = '' extraOptions = ''
@ -35,7 +23,7 @@
}; };
nixpkgs.config.allowUnfreePredicate = pkg: nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) ["steam-original" "steam-runtime" "steamcmd"]; builtins.elem (lib.getName pkg) ["steam-runtime" "steamcmd"];
# Optimization for minecraft servers, see: # Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518 # https://bugs.mojang.com/browse/MC-183518
@ -84,26 +72,5 @@
acceptTerms = true; acceptTerms = true;
}; };
services.fail2ban = {
enable = true;
extraPackages = [pkgs.ipset];
banaction = "iptables-ipset-proto6-allports";
bantime-increment.enable = true;
jails = {
nginx-botsearch = ''
enabled = true
logpath = /var/log/nginx/access.log
'';
};
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
};
system.stateVersion = "20.09"; system.stateVersion = "20.09";
} }

0
configuration/hardware-specific/linode/hardware-configuration.nix → configuration/hardware-configuration.nix
View file

17
configuration/hardware-specific/vm.nix
View file

@ -1,17 +0,0 @@
{lib, ...}: {
users.users.tlater.password = "insecure";
# Disable graphical tty so -curses works
boot.kernelParams = ["nomodeset"];
# Sets the base domain for nginx to localhost so that we
# can easily test locally with the VM.
services.nginx.domain = lib.mkOverride 99 "localhost";
# Use the staging secrets
sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
# # Set up VM settings to match real VPS
# virtualisation.memorySize = 3941;
# virtualisation.cores = 2;
}

0
configuration/hardware-specific/linode/default.nix → configuration/linode.nix
View file

19
configuration/services/gitea.nix
View file

@ -28,23 +28,4 @@ in {
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}"; locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
}; };
# Block repeated failed login attempts
#
# TODO(tlater): Update to the new regex, since apparently this one
# is deprecated (but the new one doesn't work on the current version
# of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
environment.etc = {
"fail2ban/filter.d/gitea.conf".text = ''
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
'';
};
services.fail2ban.jails = {
gitea = ''
enabled = true
'';
};
} }

25
configuration/services/nextcloud.nix
View file

@ -4,7 +4,7 @@
... ...
}: let }: let
inherit (pkgs) fetchNextcloudApp; inherit (pkgs) fetchNextcloudApp;
nextcloud = pkgs.nextcloud24; nextcloud = pkgs.nextcloud23;
hostName = "nextcloud.${config.services.nginx.domain}"; hostName = "nextcloud.${config.services.nginx.domain}";
in { in {
services.nextcloud = { services.nextcloud = {
@ -40,27 +40,4 @@ in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };
# Block repeated failed login attempts
environment.etc = {
"fail2ban/filter.d/nextcloud.conf".text = ''
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
journalmatch = SYSLOG_IDENTIFIER=Nextcloud
'';
};
services.fail2ban.jails = {
nextcloud = ''
enabled = true
# Nextcloud does some throttling already, so we need to set
# these to something bigger.
findtime = 43200
bantime = 86400
'';
};
} }

105
flake.lock
View file

@ -40,26 +40,6 @@
"type": "github" "type": "github"
} }
}, },
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"utils": "utils"
},
"locked": {
"lastModified": 1659725433,
"narHash": "sha256-1ZxuK67TL29YLw88vQ18Y2Y6iYg8Jb7I6/HVzmNB6nM=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "41f15759dd8b638e7b4f299730d94d5aa46ab7eb",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"devshell": { "devshell": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -84,7 +64,7 @@
"flake-utils-pre-commit": "flake-utils-pre-commit", "flake-utils-pre-commit": "flake-utils-pre-commit",
"gomod2nix": "gomod2nix", "gomod2nix": "gomod2nix",
"mach-nix": "mach-nix", "mach-nix": "mach-nix",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_2",
"poetry2nix": "poetry2nix", "poetry2nix": "poetry2nix",
"pre-commit-hooks": "pre-commit-hooks" "pre-commit-hooks": "pre-commit-hooks"
}, },
@ -148,22 +128,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1648199409,
"narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "64a525ee38886ab9028e6f61790de0832aa3ef03",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils-pre-commit": { "flake-utils-pre-commit": {
"locked": { "locked": {
"lastModified": 1644229661, "lastModified": 1644229661,
@ -226,18 +190,34 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1648219316, "lastModified": 1665321371,
"narHash": "sha256-Ctij+dOi0ZZIfX5eMhgwugfvB+WZSrvVNAyAuANOsnQ=", "narHash": "sha256-0SO6MTW0bX6lxZmz1AZW/Xmk+hnTd7/hp1vF7Tp7jg0=",
"owner": "NixOS", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixos-hardware",
"rev": "30d3d79b7d3607d56546dd2a6b49e156ba0ec634", "rev": "236ba4df714131059945d7754c0aa3fbe9d2f74c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nixos",
"ref": "nixpkgs-unstable", "ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1665466769,
"narHash": "sha256-L+qcHpb4Ac3PipMXJY/Ktbu1+KXy23WCZ8pXWmsf7zY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "0b20bf89e0035b6d62ad58f9db8fdbc99c2b01e8",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -259,22 +239,6 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1665466769,
"narHash": "sha256-L+qcHpb4Ac3PipMXJY/Ktbu1+KXy23WCZ8pXWmsf7zY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "0b20bf89e0035b6d62ad58f9db8fdbc99c2b01e8",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1657638268, "lastModified": 1657638268,
"narHash": "sha256-blBNtQSslAFkg0Gym9fWNJk+bPxGSZib4SOcPrmTPi4=", "narHash": "sha256-blBNtQSslAFkg0Gym9fWNJk+bPxGSZib4SOcPrmTPi4=",
@ -335,8 +299,8 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"deploy-rs": "deploy-rs", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"tlaternet-webserver": "tlaternet-webserver" "tlaternet-webserver": "tlaternet-webserver"
} }
@ -417,21 +381,6 @@
"type": "git", "type": "git",
"url": "https://gitea.tlater.net/tlaternet/tlaternet.git" "url": "https://gitea.tlater.net/tlaternet/tlaternet.git"
} }
},
"utils": {
"locked": {
"lastModified": 1648297722,
"narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

134
flake.nix
View file

@ -3,11 +3,12 @@
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
deploy-rs.url = "github:serokell/deploy-rs"; nixos-hardware.url = "github:nixos/nixos-hardware/master";
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
tlaternet-webserver = { tlaternet-webserver = {
url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git"; url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -17,112 +18,111 @@
outputs = { outputs = {
self, self,
nixpkgs, nixpkgs,
nixos-hardware,
sops-nix, sops-nix,
deploy-rs,
tlaternet-webserver, tlaternet-webserver,
}: let }: let
system = "x86_64-linux"; system = "x86_64-linux";
in {
##################
# Configurations #
##################
nixosConfigurations = let
# Modules that should be generic to all systems
genericModule = {...}: {
imports = [
# Inject flake dependencies
sops-nix.nixosModules.sops
tlaternet-webserver.nixosModules.default
# Import actual configuration overlays = [
(import ./configuration) (final: prev: {
]; local = import ./pkgs {
pkgs = prev;
}; };
})
];
pkgs = import nixpkgs {inherit system overlays;};
sops-pkgs = sops-nix.packages.${system};
in { in {
# The actual system definition nixosConfigurations = {
tlaternet = nixpkgs.lib.nixosSystem { tlaternet = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [
genericModule ({modulesPath, ...}: {
(import ./configuration/hardware-specific/linode) imports = [(modulesPath + "/profiles/headless.nix")];
nixpkgs.overlays = overlays;
})
(import ./modules)
(import ./configuration)
(import ./configuration/linode.nix)
(import ./configuration/hardware-configuration.nix)
sops-nix.nixosModules.sops
tlaternet-webserver.nixosModules.default
]; ];
}; };
# A qemu VM to test the above with
vm = nixpkgs.lib.nixosSystem { vm = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [
genericModule ({modulesPath, ...}: {
(import ./configuration/hardware-specific/vm.nix) imports = [(modulesPath + "/profiles/headless.nix")];
nixpkgs.overlays = overlays;
})
(import ./modules)
(import ./configuration)
sops-nix.nixosModules.sops
tlaternet-webserver.nixosModules.default
({lib, ...}: {
users.users.tlater.password = "insecure";
# Disable graphical tty so -curses works
boot.kernelParams = ["nomodeset"];
# Sets the base domain for nginx to localhost so that we
# can easily test locally with the VM.
services.nginx.domain = lib.mkOverride 99 "localhost";
# Use the staging secrets
sops.defaultSopsFile = lib.mkOverride 99 ./keys/staging.yaml;
# # Set up VM settings to match real VPS
# virtualisation.memorySize = 3941;
# virtualisation.cores = 2;
})
]; ];
}; };
}; };
############################
# Deployment configuration #
############################
deploy.nodes.tlaternet = {
hostname = "tlater.net";
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.tlaternet;
};
sshUser = "tlater";
sshOpts = ["-p" "2222"];
fastConnection = true;
};
#########
# Tests #
#########
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
####################
# Helper functions #
####################
lib = import ./lib {lib = nixpkgs.lib;};
####################
# VM launch script #
####################
apps.${system}.default = let apps.${system}.default = let
inherit (self.nixosConfigurations.vm.config.system.build) vm; inherit (self.nixosConfigurations.vm.config.system.build) vm;
inherit (nixpkgs.legacyPackages.${system}) writeShellScript; inherit (nixpkgs.legacyPackages.${system}) writeShellScript;
qemuNetOpts = self.lib.makeQemuNetOpts { inherit (nixpkgs.lib.attrsets) mapAttrsToList;
inherit (nixpkgs.lib.strings) concatStringsSep;
ports = {
"2222" = "2222"; "2222" = "2222";
"3080" = "80"; "3080" = "80";
"3443" = "443"; "3443" = "443";
"2221" = "2221";
"21025" = "21025"; # Starbound "21025" = "21025"; # Starbound
}; };
QEMU_NET_OPTS =
concatStringsSep ","
(mapAttrsToList
(host: vm: "hostfwd=::${host}-:${vm}")
ports);
in { in {
type = "app"; type = "app";
program = builtins.toString (writeShellScript "run-vm" '' program = builtins.toString (writeShellScript "run-vm" ''
export QEMU_OPTS="-m 3941 -smp 2 -display curses" export QEMU_OPTS="-m 3941 -smp 2 -curses"
export QEMU_NET_OPTS="${qemuNetOpts}" export QEMU_NET_OPTS="${QEMU_NET_OPTS}"
"${vm}/bin/run-tlaternet-vm" "${vm}/bin/run-tlaternet-vm"
''); '');
}; };
########################### devShells.${system}.default = pkgs.mkShell {
# Development environment #
###########################
devShells.${system}.default = let
inherit (sops-nix.packages.${system}) sops-import-keys-hook sops-init-gpg-key;
deploy-rs-bin = deploy-rs.packages.${system}.default;
pkgs = nixpkgs.legacyPackages.${system};
in
nixpkgs.legacyPackages.${system}.mkShell {
sopsPGPKeyDirs = ["./keys/hosts/" "./keys/users/"]; sopsPGPKeyDirs = ["./keys/hosts/" "./keys/users/"];
nativeBuildInputs = [ nativeBuildInputs = [
sops-import-keys-hook sops-pkgs.sops-import-keys-hook
]; ];
packages = with pkgs; [ buildInputs = with pkgs; [
nixfmt nixfmt
git-lfs git-lfs
sops-init-gpg-key sops-pkgs.sops-init-gpg-key
deploy-rs-bin
]; ];
shellHook = '' shellHook = ''

10
lib/default.nix
View file

@ -1,10 +0,0 @@
{lib}: let
inherit (lib.attrsets) mapAttrsToList;
inherit (lib.strings) concatStringsSep;
in {
makeQemuNetOpts = portMapping:
concatStringsSep ","
(mapAttrsToList
(host: vm: "hostfwd=::${host}-:${vm}")
portMapping);
}

2
pkgs/default.nix
View file

@ -1,5 +1,5 @@
{pkgs, ...}: let {pkgs, ...}: let
inherit (pkgs) callPackage; inherit (pkgs.lib) callPackage;
in { in {
starbound = callPackage ./starbound {}; starbound = callPackage ./starbound {};
} }