tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 9 Pull requests Releases Activity

Compare commits

base: tlaternet:tlater/authelia
Branches Tags
tlaternet:master
tlaternet:tlater/with-minecraft
tlaternet:tlater/nixpkgs-formatting
tlaternet:tlater/authelia
..
compare: tlaternet:master
Branches Tags
tlaternet:tlater/with-minecraft
tlaternet:master
tlaternet:tlater/nixpkgs-formatting
tlaternet:tlater/authelia

17 commits
tlater/aut ... master

Author SHA1 Message Date
Tristan Daniël Maat d56fad518b
git: Blame-ignore nixfmt commit 2024-08-18 20:41:58 +02:00
Tristan Daniël Maat 04f7a7ef1d
treewide: Use nixfmt for formatting 2024-08-18 20:41:20 +02:00
Tristan Daniël Maat 3a591863b0
flake.nix: Add default package to allow easily creating gc root 2024-08-18 18:53:33 +02:00
Tristan Daniël Maat 0ad265f6aa
pkgs/sources: Update package sources 2024-08-18 18:51:54 +02:00
Tristan Daniël Maat 521190297b
flake.lock: Update 
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/0257e44f4ad472b54f19a6dd1615aee7fa48ed49' (2024-08-05)
  → 'github:nix-community/disko/276a0d055a720691912c6a34abb724e395c8e38a' (2024-08-15)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/0ab9c4c1e0cab782fcde00ec2b32436abfd2a6d4' (2024-08-05)
  → 'github:nixos/nixpkgs/1cbd3d585263dc620c483e138d352a39b9f0e3ec' (2024-08-17)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/41d21a82c38e226e234e16f4ff213b3fcf85e6e9' (2024-08-05)
  → 'github:nixos/nixpkgs/abcef4da4ebb72240bddc370a27263627e64877f' (2024-08-18)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/eb34eb588132d653e4c4925d862f1e5a227cc2ab' (2024-07-27)
  → 'github:Mic92/sops-nix/be0eec2d27563590194a9206f551a6f73d52fa34' (2024-08-12)
 2024-08-18 17:24:45 +02:00
Tristan Daniël Maat e1bd183cdd
pkgs: Update sources 2024-08-05 19:42:55 +02:00
Tristan Daniël Maat 0047b585a3
flake.lock: Update 
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/d185770ea261fb5cf81aa5ad1791b93a7834d12c' (2024-06-30)
  → 'github:nix-community/disko/0257e44f4ad472b54f19a6dd1615aee7fa48ed49' (2024-08-05)
• Updated input 'foundryvtt':
    'github:reckenrode/nix-foundryvtt/1176cc325e5e1d46c7a018663a8e02e699e838ec' (2024-06-28)
  → 'github:reckenrode/nix-foundryvtt/699a175398410688214615a9d977354e9ef98d2d' (2024-08-03)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e' (2024-07-01)
  → 'github:nixos/nixpkgs/0ab9c4c1e0cab782fcde00ec2b32436abfd2a6d4' (2024-08-05)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc' (2024-07-01)
  → 'github:nixos/nixpkgs/41d21a82c38e226e234e16f4ff213b3fcf85e6e9' (2024-08-05)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/b5974d4331fb6c893e808977a2e1a6d34b3162d6' (2024-06-30)
  → 'github:Mic92/sops-nix/eb34eb588132d653e4c4925d862f1e5a227cc2ab' (2024-07-27)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/4a1e673523344f6ccc84b37f4413ad74ea19a119' (2024-06-29)
  → 'github:NixOS/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171' (2024-07-21)
 2024-08-05 19:38:04 +02:00
Tristan Daniël Maat d426e783cd
grafana: Properly proxy websocket connections 
Fixes #115
 2024-07-03 02:56:23 +02:00
Tristan Daniël Maat 306b69f6b5
nextcloud: Use the system postgres version 2024-07-03 01:28:23 +02:00
Tristan Daniël Maat 21b9112f76
fail2ban-exporter: Bump generated source json/nix 2024-07-01 19:24:04 +02:00
Tristan Daniël Maat d568436d83
conduit: Use new upstream delegation support 2024-07-01 19:24:03 +02:00
Tristan Daniël Maat 222829d82a
starbound: Don't build service for now 
This includes the really huge steam-run closure, which is just a PITA
to keep up with if we're never using it.
 2024-07-01 19:24:03 +02:00
Tristan Daniël Maat 32f4cabfa3
nextcloud: Update to 28 since 27 is EOL 
We were waiting for nextcloud news to update, but we can't wait any
longer.
 2024-07-01 19:24:02 +02:00
Tristan Daniël Maat 21cb4eab9c
foundryvtt: Set foundry version explicitly 2024-07-01 18:37:43 +02:00
Tristan Daniël Maat 9654d599e9
flake.lock: Update 
Flake lock file updates:

• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/88b3059b020da69cbe16526b8d639bd5e0b51c8b' (2024-04-01)
  → 'github:serokell/deploy-rs/3867348fa92bc892eba5d9ddb2d7a97b9e127a8a' (2024-06-12)
• Updated input 'disko':
    'github:nix-community/disko/285e26465a0bae510897ca04da26ce6307c652b4' (2024-04-26)
  → 'github:nix-community/disko/115311bc395f24c1b553338fec4b3aa28cbf5ae2' (2024-06-28)
• Updated input 'foundryvtt':
    'github:reckenrode/nix-foundryvtt/6025615b431170558c3c13f16b549fc0126425e1' (2024-04-09)
  → 'github:reckenrode/nix-foundryvtt/1176cc325e5e1d46c7a018663a8e02e699e838ec' (2024-06-28)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/cc54fb41d13736e92229c21627ea4f22199fee6b' (2024-06-12)
  → 'github:nixos/nixpkgs/89c49874fb15f4124bf71ca5f42a04f2ee5825fd' (2024-06-26)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/58a1abdbae3217ca6b702f03d3b35125d88a2994' (2024-04-27)
  → 'github:nixos/nixpkgs/2893f56de08021cffd9b6b6dfc70fd9ccd51eb60' (2024-06-24)
• Updated input 'nvfetcher':
    'github:berberman/nvfetcher/2a824322dc6a755ffda83a13b948d42304521e4d' (2024-04-17)
  → 'github:berberman/nvfetcher/fa7609950023462c6f91c425de7610c0bb6b86ba' (2024-06-13)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/f1b0adc27265274e3b0c9b872a8f476a098679bd' (2024-04-23)
  → 'github:Mic92/sops-nix/c2ea1186c0cbfa4d06d406ae50f3e4b085ddc9b3' (2024-06-24)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/74574c38577914733b4f7a775dd77d24245081dd' (2024-04-20)
  → 'github:NixOS/nixpkgs/5e8e3b89adbd0be63192f6e645e0a54080004924' (2024-06-22)
 2024-07-01 18:37:42 +02:00
Tristan Daniël Maat 038a797427
git: Blame-ignore nixpkgs-fmt commit 2024-06-28 20:19:42 +02:00
Tristan Daniël Maat fd138d45e6
treewide: Start using nixpkgs-fmt formatting 2024-06-28 20:12:55 +02:00
40 changed files with 1061 additions and 1164 deletions
Show stats Expand all files Collapse all files

11
.git-blame-ignore-revs Normal file
View file

@ -0,0 +1,11 @@
# Run this command to always ignore formatting commits in `git blame`
# git config blame.ignoreRevsFile .git-blame-ignore-revs
# Switch to nixfmt formatting
04f7a7ef1d38906163afc9cddfa8ce2b0ebf3b45
# Switch to nixpkgs-fmt formatting
fd138d45e6a2cad89fead6e9f246ba282070d6b7
# Switch to alejandra formatting
046a88905ddfa7f9edc3291c310dbb985dee34f9

26
configuration/default.nix
View file

@ -5,7 +5,8 @@
modulesPath, modulesPath,
flake-inputs, flake-inputs,
... ...
}: { }:
{
imports = [ imports = [
flake-inputs.disko.nixosModules.disko flake-inputs.disko.nixosModules.disko
flake-inputs.sops-nix.nixosModules.sops flake-inputs.sops-nix.nixosModules.sops
@ -15,7 +16,6 @@
(import ../modules) (import ../modules)
./services/afvalcalendar.nix ./services/afvalcalendar.nix
./services/auth.nix
./services/backups.nix ./services/backups.nix
./services/battery-manager.nix ./services/battery-manager.nix
./services/conduit.nix ./services/conduit.nix
@ -26,7 +26,7 @@
./services/nextcloud.nix ./services/nextcloud.nix
./services/webserver.nix ./services/webserver.nix
./services/wireguard.nix ./services/wireguard.nix
./services/starbound.nix # ./services/starbound.nix -- Not currently used
./services/postgres.nix ./services/postgres.nix
./nginx.nix ./nginx.nix
./sops.nix ./sops.nix
@ -48,15 +48,15 @@
''; '';
# Enable remote builds from tlater # Enable remote builds from tlater
settings.trusted-users = ["@wheel"]; settings.trusted-users = [ "@wheel" ];
}; };
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) ["steam-original" "steam-runtime" "steam-run" "steamcmd"];
# Optimization for minecraft servers, see: # Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518 # https://bugs.mojang.com/browse/MC-183518
boot.kernelParams = ["highres=off" "nohz=off"]; boot.kernelParams = [
"highres=off"
"nohz=off"
];
networking = { networking = {
usePredictableInterfaceNames = false; usePredictableInterfaceNames = false;
@ -107,15 +107,15 @@
users.users.tlater = { users.users.tlater = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["wheel"]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keyFiles = [../keys/tlater.pub]; openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
}; };
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
allowSFTP = false; allowSFTP = false;
ports = [2222]; ports = [ 2222 ];
startWhenNeeded = true; startWhenNeeded = true;
settings = { settings = {
@ -134,14 +134,14 @@
pam = { pam = {
sshAgentAuth = { sshAgentAuth = {
enable = true; enable = true;
authorizedKeysFiles = ["/etc/ssh/authorized_keys.d/%u"]; authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
}; };
services.sudo.sshAgentAuth = true; services.sudo.sshAgentAuth = true;
}; };
}; };
# Remove some unneeded packages # Remove some unneeded packages
environment.defaultPackages = []; environment.defaultPackages = [ ];
system.stateVersion = "20.09"; system.stateVersion = "20.09";
} }

6
configuration/hardware-specific/hetzner/default.nix
View file

@ -8,7 +8,7 @@
# disables it by default. # disables it by default.
# #
# TODO(tlater): See if would be useful for anything? # TODO(tlater): See if would be useful for anything?
boot.kernelParams = ["nosgx"]; boot.kernelParams = [ "nosgx" ];
networking.hostName = "hetzner-1"; networking.hostName = "hetzner-1";
services.nginx.domain = "tlater.net"; services.nginx.domain = "tlater.net";
@ -25,9 +25,7 @@
}; };
} }
# IPv6 # IPv6
{ { addressConfig.Address = "2a01:4f8:10b:3c85::2/64"; }
addressConfig.Address = "2a01:4f8:10b:3c85::2/64";
}
]; ];
networkConfig = { networkConfig = {

143
configuration/hardware-specific/hetzner/disko.nix
View file

@ -1,82 +1,95 @@
{ {
disko.devices.disk = let disko.devices.disk =
bootPartition = { let
size = "1M"; bootPartition = {
type = "EF02"; size = "1M";
}; type = "EF02";
swapPartition = {
# 8G is apparently recommended for this much RAM, but we set up
# 4G on both disks for mirroring purposes.
#
# That'll still be 8G during normal operation, and it's probably
# not too bad to have slightly less swap if a disk dies.
size = "4G";
content = {
type = "swap";
randomEncryption = true;
}; };
};
mountOptions = ["compress=zstd" "noatime"]; swapPartition = {
in { # 8G is apparently recommended for this much RAM, but we set up
sda = { # 4G on both disks for mirroring purposes.
type = "disk"; #
device = "/dev/sda"; # That'll still be 8G during normal operation, and it's probably
content = { # not too bad to have slightly less swap if a disk dies.
type = "gpt"; size = "4G";
partitions = { content = {
boot = bootPartition; type = "swap";
swap = swapPartition; randomEncryption = true;
};
};
disk1 = { mountOptions = [
size = "100%"; "compress=zstd"
# Empty partition to combine in RAID0 with the other disk "noatime"
];
in
{
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
boot = bootPartition;
swap = swapPartition;
disk1 = {
size = "100%";
# Empty partition to combine in RAID0 with the other disk
};
}; };
}; };
}; };
};
sdb = { sdb = {
type = "disk"; type = "disk";
device = "/dev/sdb"; device = "/dev/sdb";
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
boot = bootPartition; boot = bootPartition;
swap = swapPartition; swap = swapPartition;
disk2 = { disk2 = {
size = "100%"; size = "100%";
content = { content = {
type = "btrfs"; type = "btrfs";
# Hack to get multi-device btrfs going # Hack to get multi-device btrfs going
# See https://github.com/nix-community/disko/issues/99 # See https://github.com/nix-community/disko/issues/99
extraArgs = ["-d" "raid1" "-m" "raid1" "--runtime-features" "quota" "/dev/sda3"]; extraArgs = [
subvolumes = { "-d"
"/volume" = {}; "raid1"
"/volume/root" = { "-m"
inherit mountOptions; "raid1"
mountpoint = "/"; "--runtime-features"
"quota"
"/dev/sda3"
];
subvolumes = {
"/volume" = { };
"/volume/root" = {
inherit mountOptions;
mountpoint = "/";
};
"/volume/home" = {
inherit mountOptions;
mountpoint = "/home";
};
"/volume/var" = {
inherit mountOptions;
mountpoint = "/var";
};
"/volume/nix-store" = {
inherit mountOptions;
mountpoint = "/nix";
};
"/snapshots" = { };
}; };
"/volume/home" = {
inherit mountOptions;
mountpoint = "/home";
};
"/volume/var" = {
inherit mountOptions;
mountpoint = "/var";
};
"/volume/nix-store" = {
inherit mountOptions;
mountpoint = "/nix";
};
"/snapshots" = {};
}; };
}; };
}; };
}; };
}; };
}; };
};
} }

5
configuration/hardware-specific/vm.nix
View file

@ -1,8 +1,9 @@
{lib, ...}: { { lib, ... }:
{
users.users.tlater.password = "insecure"; users.users.tlater.password = "insecure";
# Disable graphical tty so -curses works # Disable graphical tty so -curses works
boot.kernelParams = ["nomodeset"]; boot.kernelParams = [ "nomodeset" ];
networking.hostName = "testvm"; networking.hostName = "testvm";
# Sets the base domain for nginx to a local domain so that we can # Sets the base domain for nginx to a local domain so that we can

32
configuration/nginx.nix
View file

@ -1,8 +1,5 @@
{ config, lib, ... }:
{ {
config,
lib,
...
}: {
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
@ -27,7 +24,8 @@
# Override the default, just keep fewer logs # Override the default, just keep fewer logs
nginx.rotate = 6; nginx.rotate = 6;
} }
// lib.mapAttrs' (virtualHost: _: // lib.mapAttrs' (
virtualHost: _:
lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" { lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
frequency = "daily"; frequency = "daily";
rotate = 2; rotate = 2;
@ -35,23 +33,21 @@
delaycompress = true; delaycompress = true;
su = "${config.services.nginx.user} ${config.services.nginx.group}"; su = "${config.services.nginx.user} ${config.services.nginx.group}";
postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`"; postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
}) }
config.services.nginx.virtualHosts; ) config.services.nginx.virtualHosts;
systemd.tmpfiles.rules = systemd.tmpfiles.rules = lib.mapAttrsToList (
lib.mapAttrsToList ( virtualHost: _:
virtualHost: _: #
# "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
"d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}" ) config.services.nginx.virtualHosts;
)
config.services.nginx.virtualHosts;
security.acme = { security.acme = {
defaults.email = "tm@tlater.net"; defaults.email = "tm@tlater.net";
acceptTerms = true; acceptTerms = true;
certs."tlater.net" = { certs."tlater.net" = {
extraDomainNames = ["*.tlater.net"]; extraDomainNames = [ "*.tlater.net" ];
dnsProvider = "hetzner"; dnsProvider = "hetzner";
group = "nginx"; group = "nginx";
credentialFiles."HETZNER_API_KEY_FILE" = config.sops.secrets."hetzner-api".path; credentialFiles."HETZNER_API_KEY_FILE" = config.sops.secrets."hetzner-api".path;
@ -60,8 +56,8 @@
services.backups.acme = { services.backups.acme = {
user = "acme"; user = "acme";
paths = paths = lib.mapAttrsToList (
lib.mapAttrsToList (virtualHost: _: "/var/lib/acme/${virtualHost}") virtualHost: _: "/var/lib/acme/${virtualHost}"
config.services.nginx.virtualHosts; ) config.services.nginx.virtualHosts;
}; };
} }

24
configuration/services/afvalcalendar.nix
View file

@ -1,12 +1,9 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: {
systemd.services.afvalcalendar = { systemd.services.afvalcalendar = {
description = "Enschede afvalcalendar -> ical converter"; description = "Enschede afvalcalendar -> ical converter";
wantedBy = ["multi-user.target"]; wantedBy = [ "multi-user.target" ];
after = ["network.target"]; after = [ "network.target" ];
script = '' script = ''
${pkgs.local.afvalcalendar}/bin/afvalcalendar > /srv/afvalcalendar/afvalcalendar.ical ${pkgs.local.afvalcalendar}/bin/afvalcalendar > /srv/afvalcalendar/afvalcalendar.ical
@ -26,16 +23,23 @@
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectControlGroups = true; ProtectControlGroups = true;
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"]; RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true; RestrictNamespaces = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"]; SystemCallFilter = [
"@system-service"
"~@privileged @resources @setuid @keyring"
];
Umask = 0002; Umask = 2;
SupplementaryGroups = "afvalcalendar-hosting"; SupplementaryGroups = "afvalcalendar-hosting";
ReadWritePaths = "/srv/afvalcalendar"; ReadWritePaths = "/srv/afvalcalendar";
@ -50,7 +54,7 @@
root = "/srv/afvalcalendar"; root = "/srv/afvalcalendar";
}; };
users.groups.afvalcalendar-hosting = {}; users.groups.afvalcalendar-hosting = { };
systemd.tmpfiles.settings."10-afvalcalendar" = { systemd.tmpfiles.settings."10-afvalcalendar" = {
"/srv/afvalcalendar".d = { "/srv/afvalcalendar".d = {
user = "nginx"; user = "nginx";

95
configuration/services/auth.nix
View file

@ -1,95 +0,0 @@
{
pkgs,
config,
...
}: let
user = config.services.authelia.instances.main.user;
domain = "auth.${config.services.nginx.domain}";
in {
services.authelia.instances.main = {
enable = true;
settings = {
theme = "auto";
access_control.default_policy = "one_factor";
authentication_backend = {
password_reset.disable = true;
file.path = "/var/lib/authelia-main/users.yml";
};
notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
session = {
domain = config.services.nginx.domain;
redis.host = config.services.redis.servers.authelia.unixSocket;
};
storage.postgres = {
host = "/run/postgresql";
port = 5432;
database = user;
username = user;
password = "unnecessary";
};
};
secrets = {
storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path; # Database
sessionSecretFile = config.sops.secrets."authelia/sessionSecret".path; # Redis
jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path;
};
};
systemd.services.authelia-main.after = ["postgresql.service"];
services.nginx = {
# TODO(tlater): Possibly remove on next authelia release
additionalModules = with pkgs.nginxModules; [
develkit
set-misc
];
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
enableHSTS = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:9091";
recommendedProxySettings = false;
enableAutheliaProxy = true;
};
"/api/verify" = {
proxyPass = "http://127.0.0.1:9091";
recommendedProxySettings = false;
};
};
};
};
services.redis.servers.authelia = {
inherit user;
enable = true;
};
sops.secrets = {
"authelia/storageEncryptionKey" = {
owner = user;
group = user;
};
"authelia/sessionSecret" = {
owner = user;
group = user;
};
"authelia/jwtSecret" = {
owner = user;
group = user;
};
};
}

238
configuration/services/backups.nix
View file

@ -3,27 +3,33 @@
pkgs, pkgs,
lib, lib,
... ...
}: let }:
let
inherit (lib) types optional singleton; inherit (lib) types optional singleton;
mkShutdownScript = service: mkShutdownScript =
service:
pkgs.writeShellScript "backup-${service}-shutdown" '' pkgs.writeShellScript "backup-${service}-shutdown" ''
if systemctl is-active --quiet '${service}'; then if systemctl is-active --quiet '${service}'; then
touch '/tmp/${service}-was-active' touch '/tmp/${service}-was-active'
systemctl stop '${service}' systemctl stop '${service}'
fi fi
''; '';
mkRestartScript = service: mkRestartScript =
service:
pkgs.writeShellScript "backup-${service}-restart" '' pkgs.writeShellScript "backup-${service}-restart" ''
if [ -f '/tmp/${service}-was-active' ]; then if [ -f '/tmp/${service}-was-active' ]; then
rm '/tmp/${service}-was-active' rm '/tmp/${service}-was-active'
systemctl start '${service}' systemctl start '${service}'
fi fi
''; '';
writeScript = name: packages: text: writeScript =
lib.getExe (pkgs.writeShellApplication { name: packages: text:
inherit name text; lib.getExe (
runtimeInputs = packages; pkgs.writeShellApplication {
}); inherit name text;
runtimeInputs = packages;
}
);
# *NOT* a TOML file, for some reason quotes are interpreted # *NOT* a TOML file, for some reason quotes are interpreted
# *literally # *literally
@ -42,96 +48,98 @@
RESTIC_REPOSITORY = "rclone:storagebox:backups"; RESTIC_REPOSITORY = "rclone:storagebox:backups";
RCLONE_CONFIG = rcloneConfig; RCLONE_CONFIG = rcloneConfig;
}; };
in { in
{
options = { options = {
services.backups = lib.mkOption { services.backups = lib.mkOption {
description = lib.mdDoc '' description = lib.mdDoc ''
Configure restic backups with a specific tag. Configure restic backups with a specific tag.
''; '';
type = types.attrsOf (types.submodule ({ type = types.attrsOf (
config, types.submodule (
name, { config, name, ... }:
... {
}: { options = {
options = { user = lib.mkOption {
user = lib.mkOption { type = types.str;
type = types.str; description = ''
description = '' The user as which to run the backup.
The user as which to run the backup. '';
''; };
}; paths = lib.mkOption {
paths = lib.mkOption { type = types.listOf types.str;
type = types.listOf types.str; description = ''
description = '' The paths to back up.
The paths to back up. '';
''; };
}; tag = lib.mkOption {
tag = lib.mkOption { type = types.str;
type = types.str; description = ''
description = '' The restic tag to mark the backup with.
The restic tag to mark the backup with. '';
''; default = name;
default = name; };
}; preparation = {
preparation = { packages = lib.mkOption {
packages = lib.mkOption { type = types.listOf types.package;
type = types.listOf types.package; default = [ ];
default = []; description = ''
description = '' The list of packages to make available in the
The list of packages to make available in the preparation script.
preparation script. '';
''; };
}; text = lib.mkOption {
text = lib.mkOption { type = types.nullOr types.str;
type = types.nullOr types.str; default = null;
default = null; description = ''
description = '' The preparation script to run before the backup.
The preparation script to run before the backup.
This should include things like database dumps and This should include things like database dumps and
enabling maintenance modes. If a service needs to be enabling maintenance modes. If a service needs to be
shut down for backups, use `pauseServices` instead. shut down for backups, use `pauseServices` instead.
''; '';
}; };
}; };
cleanup = { cleanup = {
packages = lib.mkOption { packages = lib.mkOption {
type = types.listOf types.package; type = types.listOf types.package;
default = []; default = [ ];
description = '' description = ''
The list of packages to make available in the The list of packages to make available in the
cleanup script. cleanup script.
''; '';
}; };
text = lib.mkOption { text = lib.mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
description = '' description = ''
The cleanup script to run after the backup. The cleanup script to run after the backup.
This should do things like cleaning up database dumps This should do things like cleaning up database dumps
and disabling maintenance modes. and disabling maintenance modes.
''; '';
}; };
}; };
pauseServices = lib.mkOption { pauseServices = lib.mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [ ];
description = '' description = ''
The systemd services that need to be shut down before The systemd services that need to be shut down before
the backup can run. Services will be restarted after the the backup can run. Services will be restarted after the
backup is complete. backup is complete.
This is intended to be used for services that do not This is intended to be used for services that do not
support hot backups. support hot backups.
''; '';
}; };
}; };
})); }
)
);
}; };
}; };
config = lib.mkIf (config.services.backups != {}) { config = lib.mkIf (config.services.backups != { }) {
systemd.services = systemd.services =
{ {
restic-prune = { restic-prune = {
@ -164,16 +172,15 @@ in {
}; };
}; };
} }
// lib.mapAttrs' (name: backup: // lib.mapAttrs' (
name: backup:
lib.nameValuePair "backup-${name}" { lib.nameValuePair "backup-${name}" {
# Don't want to restart mid-backup # Don't want to restart mid-backup
restartIfChanged = false; restartIfChanged = false;
environment = environment = resticEnv // {
resticEnv RESTIC_CACHE_DIR = "%C/backup-${name}";
// { };
RESTIC_CACHE_DIR = "%C/backup-${name}";
};
path = with pkgs; [ path = with pkgs; [
coreutils coreutils
@ -196,47 +203,60 @@ in {
PrivateTmp = true; PrivateTmp = true;
ExecStart = [ ExecStart = [
(lib.concatStringsSep " " (["${pkgs.restic}/bin/restic" "backup" "--tag" name] ++ backup.paths)) (lib.concatStringsSep " " (
[
"${pkgs.restic}/bin/restic"
"backup"
"--tag"
name
]
++ backup.paths
))
]; ];
ExecStartPre = ExecStartPre =
map (service: "+${mkShutdownScript service}") backup.pauseServices map (service: "+${mkShutdownScript service}") backup.pauseServices
++ singleton (writeScript "backup-${name}-repo-init" [] '' ++ singleton (
restic snapshots || restic init writeScript "backup-${name}-repo-init" [ ] ''
'') restic snapshots || restic init
++ optional (backup.preparation.text != null) ''
(writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text); )
++ optional (backup.preparation.text != null) (
writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
);
# TODO(tlater): Add repo pruning/checking # TODO(tlater): Add repo pruning/checking
ExecStopPost = ExecStopPost =
map (service: "+${mkRestartScript service}") backup.pauseServices map (service: "+${mkRestartScript service}") backup.pauseServices
++ optional (backup.cleanup.text != null) ++ optional (backup.cleanup.text != null) (
(writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text); writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
);
}; };
}) }
config.services.backups; ) config.services.backups;
systemd.timers = systemd.timers =
{ {
restic-prune = { restic-prune = {
wantedBy = ["timers.target"]; wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "Thursday 03:00:00 UTC"; timerConfig.OnCalendar = "Thursday 03:00:00 UTC";
# Don't make this persistent, in case the server was offline # Don't make this persistent, in case the server was offline
# for a while. This job cannot run at the same time as any # for a while. This job cannot run at the same time as any
# of the backup jobs. # of the backup jobs.
}; };
} }
// lib.mapAttrs' (name: backup: // lib.mapAttrs' (
name: backup:
lib.nameValuePair "backup-${name}" { lib.nameValuePair "backup-${name}" {
wantedBy = ["timers.target"]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnCalendar = "Wednesday 02:30:00 UTC"; OnCalendar = "Wednesday 02:30:00 UTC";
RandomizedDelaySec = "1h"; RandomizedDelaySec = "1h";
FixedRandomDelay = true; FixedRandomDelay = true;
Persistent = true; Persistent = true;
}; };
}) }
config.services.backups; ) config.services.backups;
users = { users = {
# This user is only used to own the ssh key, because apparently # This user is only used to own the ssh key, because apparently
@ -245,7 +265,7 @@ in {
group = "backup"; group = "backup";
isSystemUser = true; isSystemUser = true;
}; };
groups.backup = {}; groups.backup = { };
}; };
}; };
} }

9
configuration/services/battery-manager.nix
View file

@ -1,11 +1,6 @@
{ config, flake-inputs, ... }:
{ {
config, imports = [ flake-inputs.sonnenshift.nixosModules.default ];
flake-inputs,
...
}: {
imports = [
flake-inputs.sonnenshift.nixosModules.default
];
services.batteryManager = { services.batteryManager = {
enable = true; enable = true;

220
configuration/services/conduit.nix
View file

@ -3,13 +3,15 @@
config, config,
lib, lib,
... ...
}: let }:
let
inherit (lib.strings) concatMapStringsSep; inherit (lib.strings) concatMapStringsSep;
cfg = config.services.matrix-conduit; cfg = config.services.matrix-conduit;
domain = "matrix.${config.services.nginx.domain}"; domain = "matrix.${config.services.nginx.domain}";
turn-realm = "turn.${config.services.nginx.domain}"; turn-realm = "turn.${config.services.nginx.domain}";
in { in
{
services.matrix-conduit = { services.matrix-conduit = {
enable = true; enable = true;
settings.global = { settings.global = {
@ -17,99 +19,112 @@ in {
server_name = domain; server_name = domain;
database_backend = "rocksdb"; database_backend = "rocksdb";
turn_uris = let # Set up delegation: https://docs.conduit.rs/delegation.html#automatic-recommended
address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}"; # This is primarily to make sliding sync work
tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}"; well_known = {
in [ client = "https://${domain}";
"turn:${address}?transport=udp" server = "${domain}:443";
"turn:${address}?transport=tcp"
"turns:${tls-address}?transport=udp"
"turns:${tls-address}?transport=tcp"
];
};
};
systemd.services.heisenbridge = let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON {
id = "heisenbridge";
url = "http://127.0.0.1:9898";
as_token = "@AS_TOKEN@";
hs_token = "@HS_TOKEN@";
rate_limited = false;
sender_localpart = "heisenbridge";
namespaces = {
users = [
{
regex = "@irc_.*";
exclusive = true;
}
{
regex = "@heisenbridge:.*";
exclusive = true;
}
];
aliases = [];
rooms = [];
}; };
});
# TODO(tlater): Starting with systemd 253 it will become possible turn_uris =
# to do the credential setup as part of ExecStartPre/preStart let
# instead. address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
# tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}";
# This will also make it possible to actually set caps on the in
# heisenbridge process using systemd, so that we can run the [
# identd process. "turn:${address}?transport=udp"
execScript = pkgs.writeShellScript "heisenbridge" '' "turn:${address}?transport=tcp"
cp ${registrationFile} "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml" "turns:${tls-address}?transport=udp"
chmod 600 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml "turns:${tls-address}?transport=tcp"
${replaceSecretBin} '@AS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_as-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml" ];
${replaceSecretBin} '@HS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_hs-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
chmod 400 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
${pkgs.heisenbridge}/bin/heisenbridge \
--config $RUNTIME_DIRECTORY/heisenbridge-registration.yaml \
--owner @tlater:matrix.tlater.net \
'http://localhost:${toString cfg.settings.global.port}'
'';
in {
description = "Matrix<->IRC bridge";
wantedBy = ["multi-user.target"];
after = ["conduit.service"];
serviceConfig = {
Type = "simple";
LoadCredential = "heisenbridge:/run/secrets/heisenbridge";
ExecStart = execScript;
DynamicUser = true;
RuntimeDirectory = "heisenbridge";
RuntimeDirectoryMode = "0700";
RestrictNamespaces = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = ["AF_INET AF_INET6"];
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
ProcSubset = "pid";
UMask = 0077;
# For the identd port
# CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
# AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
}; };
}; };
systemd.services.heisenbridge =
let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
registrationFile = builtins.toFile "heisenbridge-registration.yaml" (
builtins.toJSON {
id = "heisenbridge";
url = "http://127.0.0.1:9898";
as_token = "@AS_TOKEN@";
hs_token = "@HS_TOKEN@";
rate_limited = false;
sender_localpart = "heisenbridge";
namespaces = {
users = [
{
regex = "@irc_.*";
exclusive = true;
}
{
regex = "@heisenbridge:.*";
exclusive = true;
}
];
aliases = [ ];
rooms = [ ];
};
}
);
# TODO(tlater): Starting with systemd 253 it will become possible
# to do the credential setup as part of ExecStartPre/preStart
# instead.
#
# This will also make it possible to actually set caps on the
# heisenbridge process using systemd, so that we can run the
# identd process.
execScript = pkgs.writeShellScript "heisenbridge" ''
cp ${registrationFile} "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
chmod 600 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
${replaceSecretBin} '@AS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_as-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
${replaceSecretBin} '@HS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_hs-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
chmod 400 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
${pkgs.heisenbridge}/bin/heisenbridge \
--config $RUNTIME_DIRECTORY/heisenbridge-registration.yaml \
--owner @tlater:matrix.tlater.net \
'http://localhost:${toString cfg.settings.global.port}'
'';
in
{
description = "Matrix<->IRC bridge";
wantedBy = [ "multi-user.target" ];
after = [ "conduit.service" ];
serviceConfig = {
Type = "simple";
LoadCredential = "heisenbridge:/run/secrets/heisenbridge";
ExecStart = execScript;
DynamicUser = true;
RuntimeDirectory = "heisenbridge";
RuntimeDirectoryMode = "0700";
RestrictNamespaces = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
ProcSubset = "pid";
UMask = 77;
# For the identd port
# CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
# AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
};
};
# Pass in the TURN secret via EnvironmentFile, not supported by # Pass in the TURN secret via EnvironmentFile, not supported by
# upstream module currently. # upstream module currently.
# #
@ -122,9 +137,7 @@ in {
use-auth-secret = true; use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."turn/secret".path; static-auth-secret-file = config.sops.secrets."turn/secret".path;
realm = turn-realm; realm = turn-realm;
relay-ips = [ relay-ips = [ "116.202.158.55" ];
"116.202.158.55"
];
# SSL config # SSL config
# #
@ -225,30 +238,17 @@ in {
proxy_buffering off; proxy_buffering off;
''; '';
}; };
"/.well-known/matrix" = {
# Add Element X support proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
# TODO(tlater): Remove when no longer required: https://github.com/vector-im/element-x-android/issues/1085
"=/.well-known/matrix/client" = {
alias = pkgs.writeText "well-known-matrix-client" (builtins.toJSON {
"m.homeserver".base_url = "https://${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
});
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
'';
}; };
}; };
}; };
services.backups.conduit = { services.backups.conduit = {
user = "root"; user = "root";
paths = [ paths = [ "/var/lib/private/matrix-conduit/" ];
"/var/lib/private/matrix-conduit/"
];
# Other services store their data in conduit, so no other services # Other services store their data in conduit, so no other services
# need to be shut down currently. # need to be shut down currently.
pauseServices = ["conduit.service"]; pauseServices = [ "conduit.service" ];
}; };
} }

7
configuration/services/fail2ban.nix
View file

@ -1,7 +1,8 @@
{pkgs, ...}: { { pkgs, ... }:
{
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
extraPackages = [pkgs.ipset]; extraPackages = [ pkgs.ipset ];
banaction = "iptables-ipset-proto6-allports"; banaction = "iptables-ipset-proto6-allports";
bantime-increment.enable = true; bantime-increment.enable = true;
@ -21,7 +22,7 @@
}; };
# Allow metrics services to connect to the socket as well # Allow metrics services to connect to the socket as well
users.groups.fail2ban = {}; users.groups.fail2ban = { };
systemd.services.fail2ban.serviceConfig = { systemd.services.fail2ban.serviceConfig = {
ExecStartPost = ExecStartPost =
"+" "+"

40
configuration/services/foundryvtt.nix
View file

@ -2,11 +2,14 @@
lib, lib,
config, config,
flake-inputs, flake-inputs,
pkgs,
... ...
}: let }:
let
domain = "foundryvtt.${config.services.nginx.domain}"; domain = "foundryvtt.${config.services.nginx.domain}";
in { in
imports = [flake-inputs.foundryvtt.nixosModules.foundryvtt]; {
imports = [ flake-inputs.foundryvtt.nixosModules.foundryvtt ];
services.foundryvtt = { services.foundryvtt = {
enable = true; enable = true;
@ -14,30 +17,31 @@ in {
minifyStaticFiles = true; minifyStaticFiles = true;
proxySSL = true; proxySSL = true;
proxyPort = 443; proxyPort = 443;
package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;
}; };
# Want to start it manually when I need it, not have it constantly # Want to start it manually when I need it, not have it constantly
# running # running
systemd.services.foundryvtt.wantedBy = lib.mkForce []; systemd.services.foundryvtt.wantedBy = lib.mkForce [ ];
services.nginx.virtualHosts."${domain}" = let services.nginx.virtualHosts."${domain}" =
inherit (config.services.foundryvtt) port; let
in { inherit (config.services.foundryvtt) port;
forceSSL = true; in
useACMEHost = "tlater.net"; {
enableHSTS = true; forceSSL = true;
useACMEHost = "tlater.net";
enableHSTS = true;
locations."/" = { locations."/" = {
proxyWebsockets = true; proxyWebsockets = true;
proxyPass = "http://localhost:${toString port}"; proxyPass = "http://localhost:${toString port}";
};
}; };
};
services.backups.foundryvtt = { services.backups.foundryvtt = {
user = "foundryvtt"; user = "foundryvtt";
paths = [ paths = [ config.services.foundryvtt.dataDir ];
config.services.foundryvtt.dataDir pauseServices = [ "foundryvtt.service" ];
];
pauseServices = ["foundryvtt.service"];
}; };
} }

60
configuration/services/gitea.nix
View file

@ -3,9 +3,11 @@
config, config,
lib, lib,
... ...
}: let }:
let
domain = "gitea.${config.services.nginx.domain}"; domain = "gitea.${config.services.nginx.domain}";
in { in
{
services.forgejo = { services.forgejo = {
enable = true; enable = true;
database.type = "postgres"; database.type = "postgres";
@ -27,33 +29,35 @@ in {
}; };
}; };
systemd.services.forgejo.serviceConfig.ExecStartPre = let systemd.services.forgejo.serviceConfig.ExecStartPre =
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; let
secretPath = config.sops.secrets."forgejo/metrics-token".path; replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
runConfig = "${config.services.forgejo.customDir}/conf/app.ini"; secretPath = config.sops.secrets."forgejo/metrics-token".path;
in [ runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
"+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" in
]; [ "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" ];
# Set up SSL # Set up SSL
services.nginx.virtualHosts."${domain}" = let services.nginx.virtualHosts."${domain}" =
httpAddress = config.services.forgejo.settings.server.HTTP_ADDR; let
httpPort = config.services.forgejo.settings.server.HTTP_PORT; httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
in { httpPort = config.services.forgejo.settings.server.HTTP_PORT;
forceSSL = true; in
useACMEHost = "tlater.net"; {
enableHSTS = true; forceSSL = true;
useACMEHost = "tlater.net";
enableHSTS = true;
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}"; locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
locations."/metrics" = { locations."/metrics" = {
extraConfig = '' extraConfig = ''
access_log off; access_log off;
allow 127.0.0.1; allow 127.0.0.1;
${lib.optionalString config.networking.enableIPv6 "allow ::1;"} ${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
deny all; deny all;
''; '';
};
}; };
};
# Block repeated failed login attempts # Block repeated failed login attempts
# #
@ -83,13 +87,13 @@ in {
# Conf is backed up via nix # Conf is backed up via nix
]; ];
preparation = { preparation = {
packages = [config.services.postgresql.package]; packages = [ config.services.postgresql.package ];
text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql"; text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
}; };
cleanup = { cleanup = {
packages = [pkgs.coreutils]; packages = [ pkgs.coreutils ];
text = "rm /var/lib/forgejo/forgejo-db.sql"; text = "rm /var/lib/forgejo/forgejo-db.sql";
}; };
pauseServices = ["forgejo.service"]; pauseServices = [ "forgejo.service" ];
}; };
} }

94
configuration/services/metrics/exporters.nix
View file

@ -3,23 +3,25 @@
pkgs, pkgs,
lib, lib,
... ...
}: let }:
yaml = pkgs.formats.yaml {}; let
in { yaml = pkgs.formats.yaml { };
in
{
services.prometheus = { services.prometheus = {
exporters = { exporters = {
# Periodically check domain registration status # Periodically check domain registration status
domain = { domain = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
extraFlags = let extraFlags =
conf.domains = [ let
"tlater.net" conf.domains = [
"tlater.com" "tlater.net"
]; "tlater.com"
in [ ];
"--config=${yaml.generate "domains.yml" conf}" in
]; [ "--config=${yaml.generate "domains.yml" conf}" ];
}; };
# System statistics # System statistics
@ -48,48 +50,50 @@ in {
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
group = "nginx"; group = "nginx";
settings.namespaces = settings.namespaces = lib.mapAttrsToList (name: virtualHost: {
lib.mapAttrsToList (name: virtualHost: { inherit name;
inherit name; metrics_override.prefix = "nginxlog";
metrics_override.prefix = "nginxlog"; namespace_label = "vhost";
namespace_label = "vhost";
format = lib.concatStringsSep " " [ format = lib.concatStringsSep " " [
"$remote_addr - $remote_user [$time_local]" "$remote_addr - $remote_user [$time_local]"
''"$request" $status $body_bytes_sent'' ''"$request" $status $body_bytes_sent''
''"$http_referer" "$http_user_agent"'' ''"$http_referer" "$http_user_agent"''
''rt=$request_time uct="$upstream_connect_time"'' ''rt=$request_time uct="$upstream_connect_time"''
''uht="$upstream_header_time" urt="$upstream_response_time"'' ''uht="$upstream_header_time" urt="$upstream_response_time"''
]; ];
source.files = [ source.files = [ "/var/log/nginx/${name}/access.log" ];
"/var/log/nginx/${name}/access.log" }) config.services.nginx.virtualHosts;
];
})
config.services.nginx.virtualHosts;
}; };
}; };
extraExporters = { extraExporters = {
fail2ban = let fail2ban =
cfg = config.services.prometheus.extraExporters.fail2ban; let
in { cfg = config.services.prometheus.extraExporters.fail2ban;
port = 9191; in
serviceOpts = { {
after = ["fail2ban.service"]; port = 9191;
requires = ["fail2ban.service"]; serviceOpts = {
serviceConfig = { after = [ "fail2ban.service" ];
Group = "fail2ban"; requires = [ "fail2ban.service" ];
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"]; serviceConfig = {
ExecStart = lib.concatStringsSep " " [ Group = "fail2ban";
"${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter" RestrictAddressFamilies = [
"--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock" "AF_UNIX"
"--web.listen-address='${cfg.listenAddress}:${toString cfg.port}'" "AF_INET"
"--collector.f2b.exit-on-socket-connection-error=true" "AF_INET6"
]; ];
ExecStart = lib.concatStringsSep " " [
"${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
"--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
"--web.listen-address='${cfg.listenAddress}:${toString cfg.port}'"
"--collector.f2b.exit-on-socket-connection-error=true"
];
};
}; };
}; };
};
}; };
# TODO(tlater): # TODO(tlater):

15
configuration/services/metrics/grafana.nix
View file

@ -1,6 +1,8 @@
{config, ...}: let { config, ... }:
let
domain = "metrics.${config.services.nginx.domain}"; domain = "metrics.${config.services.nginx.domain}";
in { in
{
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings = {
@ -40,7 +42,12 @@ in {
forceSSL = true; forceSSL = true;
useACMEHost = "tlater.net"; useACMEHost = "tlater.net";
enableHSTS = true; enableHSTS = true;
enableAuthorization = true; locations = {
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; "/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
"/api/live" = {
proxyWebsockets = true;
proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
};
};
}; };
} }

365
configuration/services/metrics/options.nix
View file

@ -3,202 +3,223 @@
config, config,
lib, lib,
... ...
}: let }:
let
inherit (lib) types mkOption mkDefault; inherit (lib) types mkOption mkDefault;
yaml = pkgs.formats.yaml {}; yaml = pkgs.formats.yaml { };
in { in
{
options = { options = {
services.prometheus = { services.prometheus = {
extraExporters = mkOption { extraExporters = mkOption {
type = types.attrsOf (types.submodule { type = types.attrsOf (
options = { types.submodule {
port = mkOption { options = {
type = types.int; port = mkOption {
description = "The port on which this exporter listens."; type = types.int;
description = "The port on which this exporter listens.";
};
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Address to listen on.";
};
serviceOpts = mkOption {
type = types.attrs;
description = "An attrset to be merged with the exporter's systemd service.";
};
}; };
listenAddress = mkOption { }
type = types.str; );
default = "127.0.0.1";
description = "Address to listen on.";
};
serviceOpts = mkOption {
type = types.attrs;
description = "An attrset to be merged with the exporter's systemd service.";
};
};
});
}; };
}; };
services.victoriametrics.scrapeConfigs = mkOption { services.victoriametrics.scrapeConfigs = mkOption {
type = types.attrsOf (types.submodule ({ type = types.attrsOf (
name, types.submodule (
self, { name, self, ... }:
... {
}: { options = {
options = { job_name = mkOption {
job_name = mkOption { type = types.str;
type = types.str; default = name;
default = name;
};
extraSettings = mkOption {
type = types.anything;
description = ''
Other settings to set for this scrape config.
'';
default = {};
};
targets = mkOption {
type = types.listOf types.str;
description = lib.mdDoc ''
Addresses scrape targets for this config listen on.
Shortcut for `static_configs = lib.singleton {targets = [<targets>];}`
'';
default = [];
};
static_configs = mkOption {
default = [];
type = types.listOf (types.submodule {
options = {
targets = mkOption {
type = types.listOf types.str;
description = lib.mdDoc ''
The addresses scrape targets for this config listen on.
Must in `listenAddress:port` format.
'';
};
labels = mkOption {
type = types.attrsOf types.str;
description = lib.mdDoc ''
Labels to apply to all targets defined for this static config.
'';
default = {};
};
}; };
});
}; extraSettings = mkOption {
}; type = types.anything;
})); description = ''
Other settings to set for this scrape config.
'';
default = { };
};
targets = mkOption {
type = types.listOf types.str;
description = lib.mdDoc ''
Addresses scrape targets for this config listen on.
Shortcut for `static_configs = lib.singleton {targets = [<targets>];}`
'';
default = [ ];
};
static_configs = mkOption {
default = [ ];
type = types.listOf (
types.submodule {
options = {
targets = mkOption {
type = types.listOf types.str;
description = lib.mdDoc ''
The addresses scrape targets for this config listen on.
Must in `listenAddress:port` format.
'';
};
labels = mkOption {
type = types.attrsOf types.str;
description = lib.mdDoc ''
Labels to apply to all targets defined for this static config.
'';
default = { };
};
};
}
);
};
};
}
)
);
}; };
}; };
config = { config = {
systemd.services = lib.mkMerge [ systemd.services = lib.mkMerge [
(lib.mapAttrs' (name: exporter: (lib.mapAttrs' (
lib.nameValuePair "prometheus-${name}-exporter" (lib.mkMerge [ name: exporter:
{ lib.nameValuePair "prometheus-${name}-exporter" (
# Shamelessly copied from upstream because the upstream lib.mkMerge [
# module is an intractable mess {
wantedBy = ["multi-user.target"]; # Shamelessly copied from upstream because the upstream
after = ["network.target"]; # module is an intractable mess
serviceConfig.Restart = mkDefault "always"; wantedBy = [ "multi-user.target" ];
serviceConfig.PrivateTmp = mkDefault true; after = [ "network.target" ];
serviceConfig.WorkingDirectory = mkDefault /tmp; serviceConfig.Restart = mkDefault "always";
serviceConfig.DynamicUser = mkDefault true; serviceConfig.PrivateTmp = mkDefault true;
# Hardening serviceConfig.WorkingDirectory = mkDefault /tmp;
serviceConfig.CapabilityBoundingSet = mkDefault [""]; serviceConfig.DynamicUser = mkDefault true;
serviceConfig.DeviceAllow = [""]; # Hardening
serviceConfig.LockPersonality = true; serviceConfig.CapabilityBoundingSet = mkDefault [ "" ];
serviceConfig.MemoryDenyWriteExecute = true; serviceConfig.DeviceAllow = [ "" ];
serviceConfig.NoNewPrivileges = true; serviceConfig.LockPersonality = true;
serviceConfig.PrivateDevices = mkDefault true; serviceConfig.MemoryDenyWriteExecute = true;
serviceConfig.ProtectClock = mkDefault true; serviceConfig.NoNewPrivileges = true;
serviceConfig.ProtectControlGroups = true; serviceConfig.PrivateDevices = mkDefault true;
serviceConfig.ProtectHome = true; serviceConfig.ProtectClock = mkDefault true;
serviceConfig.ProtectHostname = true; serviceConfig.ProtectControlGroups = true;
serviceConfig.ProtectKernelLogs = true; serviceConfig.ProtectHome = true;
serviceConfig.ProtectKernelModules = true; serviceConfig.ProtectHostname = true;
serviceConfig.ProtectKernelTunables = true; serviceConfig.ProtectKernelLogs = true;
serviceConfig.ProtectSystem = mkDefault "strict"; serviceConfig.ProtectKernelModules = true;
serviceConfig.RemoveIPC = true; serviceConfig.ProtectKernelTunables = true;
serviceConfig.RestrictAddressFamilies = ["AF_INET" "AF_INET6"]; serviceConfig.ProtectSystem = mkDefault "strict";
serviceConfig.RestrictNamespaces = true; serviceConfig.RemoveIPC = true;
serviceConfig.RestrictRealtime = true; serviceConfig.RestrictAddressFamilies = [
serviceConfig.RestrictSUIDSGID = true; "AF_INET"
serviceConfig.SystemCallArchitectures = "native"; "AF_INET6"
serviceConfig.UMask = "0077"; ];
} serviceConfig.RestrictNamespaces = true;
exporter.serviceOpts serviceConfig.RestrictRealtime = true;
])) serviceConfig.RestrictSUIDSGID = true;
config.services.prometheus.extraExporters) serviceConfig.SystemCallArchitectures = "native";
serviceConfig.UMask = "0077";
}
exporter.serviceOpts
]
)
) config.services.prometheus.extraExporters)
{ {
vmagent-scrape-exporters = let vmagent-scrape-exporters =
listenAddress = config.services.victoriametrics.listenAddress; let
vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress; listenAddress = config.services.victoriametrics.listenAddress;
promscrape = yaml.generate "prometheus.yml" { vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress;
scrape_configs = lib.mapAttrsToList (_: scrape: promscrape = yaml.generate "prometheus.yml" {
lib.recursiveUpdate { scrape_configs = lib.mapAttrsToList (
inherit (scrape) job_name; _: scrape:
static_configs = lib.recursiveUpdate {
scrape.static_configs inherit (scrape) job_name;
++ lib.optional (scrape.targets != []) {targets = scrape.targets;}; static_configs =
} scrape.static_configs
scrape.extraSettings) ++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; };
config.services.victoriametrics.scrapeConfigs; } scrape.extraSettings
}; ) config.services.victoriametrics.scrapeConfigs;
in { };
enable = true; in
path = [pkgs.victoriametrics]; {
wantedBy = ["multi-user.target"]; enable = true;
after = ["network.target" "victoriametrics.service"]; path = [ pkgs.victoriametrics ];
serviceConfig = { wantedBy = [ "multi-user.target" ];
ExecStart = [ after = [
(lib.concatStringsSep " " [ "network.target"
"${pkgs.victoriametrics}/bin/vmagent" "victoriametrics.service"
"-promscrape.config=${promscrape}"
"-remoteWrite.url=http://${vmAddr}/api/v1/write"
"-remoteWrite.tmpDataPath=%t/vmagent"
])
]; ];
SupplementaryGroups = "metrics"; serviceConfig = {
ExecStart = [
(lib.concatStringsSep " " [
"${pkgs.victoriametrics}/bin/vmagent"
"-promscrape.config=${promscrape}"
"-remoteWrite.url=http://${vmAddr}/api/v1/write"
"-remoteWrite.tmpDataPath=%t/vmagent"
])
];
SupplementaryGroups = "metrics";
DynamicUser = true; DynamicUser = true;
RuntimeDirectory = "vmagent"; RuntimeDirectory = "vmagent";
CapabilityBoundingSet = [""]; CapabilityBoundingSet = [ "" ];
DeviceAllow = [""]; DeviceAllow = [ "" ];
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = true; ProtectHome = true;
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"]; RestrictAddressFamilies = [
RestrictNamespaces = true; "AF_INET"
RestrictRealtime = true; "AF_INET6"
RestrictSUIDSGID = true; ];
SystemCallArchitectures = "native"; RestrictNamespaces = true;
UMask = "0077"; RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
};
}; };
};
} }
]; ];
users.groups.metrics = {}; users.groups.metrics = { };
services.victoriametrics.scrapeConfigs = let services.victoriametrics.scrapeConfigs =
allExporters = let
lib.mapAttrs (name: exporter: { allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) (
inherit (exporter) listenAddress port; (lib.filterAttrs (
}) ((lib.filterAttrs (_: exporter: builtins.isAttrs exporter && exporter.enable) _: exporter: builtins.isAttrs exporter && exporter.enable
config.services.prometheus.exporters) ) config.services.prometheus.exporters)
// config.services.prometheus.extraExporters); // config.services.prometheus.extraExporters
in );
in
lib.mapAttrs (_: exporter: { lib.mapAttrs (_: exporter: {
targets = ["${exporter.listenAddress}:${toString exporter.port}"]; targets = [ "${exporter.listenAddress}:${toString exporter.port}" ];
}) }) allExporters;
allExporters;
}; };
} }

11
configuration/services/metrics/victoriametrics.nix
View file

@ -1,16 +1,15 @@
{config, ...}: { { config, ... }:
{
config.services.victoriametrics = { config.services.victoriametrics = {
enable = true; enable = true;
extraOptions = [ extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
"-storage.minFreeDiskSpaceBytes=5GB"
];
scrapeConfigs = { scrapeConfigs = {
forgejo = { forgejo = {
targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"]; targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ];
extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path; extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
}; };
coturn.targets = ["127.0.0.1:9641"]; coturn.targets = [ "127.0.0.1:9641" ];
}; };
}; };
} }

34
configuration/services/nextcloud.nix
View file

@ -1,18 +1,35 @@
{ {
pkgs, pkgs,
config, config,
lib,
... ...
}: let }:
let
# Update pending on rewrite of nextcloud news, though there is an # Update pending on rewrite of nextcloud news, though there is an
# alpha to switch to if it becomes necessary: # alpha to switch to if it becomes necessary:
# https://github.com/nextcloud/news/issues/2610 # https://github.com/nextcloud/news/issues/2610
nextcloud = pkgs.nextcloud27; nextcloud = pkgs.nextcloud28;
hostName = "nextcloud.${config.services.nginx.domain}"; hostName = "nextcloud.${config.services.nginx.domain}";
in { in
{
services.nextcloud = { services.nextcloud = {
inherit hostName; inherit hostName;
package = nextcloud; package = nextcloud;
phpPackage = lib.mkForce (
pkgs.php.override {
packageOverrides = final: prev: {
extensions = prev.extensions // {
pgsql = prev.extensions.pgsql.overrideAttrs (old: {
configureFlags = [ "--with-pgsql=${config.services.postgresql.package}" ];
});
pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (old: {
configureFlags = [ "--with-pdo-pgsql=${config.services.postgresql.package}" ];
});
};
};
}
);
enable = true; enable = true;
maxUploadSize = "2G"; maxUploadSize = "2G";
https = true; https = true;
@ -37,12 +54,19 @@ in {
}; };
extraApps = { extraApps = {
inherit (pkgs.local) bookmarks calendar contacts cookbook news notes; inherit (pkgs.local)
bookmarks
calendar
contacts
cookbook
news
notes
;
}; };
}; };
# Ensure that this service doesn't start before postgres is ready # Ensure that this service doesn't start before postgres is ready
systemd.services.nextcloud-setup.after = ["postgresql.service"]; systemd.services.nextcloud-setup.after = [ "postgresql.service" ];
# Set up SSL # Set up SSL
services.nginx.virtualHosts."${hostName}" = { services.nginx.virtualHosts."${hostName}" = {

10
configuration/services/postgres.nix
View file

@ -1,8 +1,5 @@
{ pkgs, ... }:
{ {
config,
pkgs,
...
}: {
services.postgresql = { services.postgresql = {
package = pkgs.postgresql_14; package = pkgs.postgresql_14;
enable = true; enable = true;
@ -28,16 +25,11 @@
name = "nextcloud"; name = "nextcloud";
ensureDBOwnership = true; ensureDBOwnership = true;
} }
{
name = config.services.authelia.instances.main.user;
ensureDBOwnership = true;
}
]; ];
ensureDatabases = [ ensureDatabases = [
"grafana" "grafana"
"nextcloud" "nextcloud"
config.services.authelia.instances.main.user
]; ];
}; };
} }

20
configuration/services/starbound.nix
View file

@ -1,16 +1,14 @@
{ { pkgs, lib, ... }:
pkgs, let
lib,
...
}: let
inherit (lib) concatStringsSep; inherit (lib) concatStringsSep;
in { in
{
# Sadly, steam-run requires some X libs # Sadly, steam-run requires some X libs
environment.noXlibs = false; environment.noXlibs = false;
systemd.services.starbound = { systemd.services.starbound = {
description = "Starbound"; description = "Starbound";
after = ["network.target"]; after = [ "network.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.local.starbound}/bin/launch-starbound ${./configs/starbound.json}"; ExecStart = "${pkgs.local.starbound}/bin/launch-starbound ${./configs/starbound.json}";
@ -67,7 +65,7 @@ in {
# Game servers shouldn't use cgroups themselves either # Game servers shouldn't use cgroups themselves either
ProtectControlGroups = true; ProtectControlGroups = true;
# Most game servers will never need other socket types # Most game servers will never need other socket types
RestrictAddressFamilies = ["AF_UNIX AF_INET AF_INET6"]; RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
# Also a no-brainer, no game server should ever need this # Also a no-brainer, no game server should ever need this
LockPersonality = true; LockPersonality = true;
# Some game servers will probably try to set this, but they # Some game servers will probably try to set this, but they
@ -113,9 +111,7 @@ in {
services.backups.starbound = { services.backups.starbound = {
user = "root"; user = "root";
paths = [ paths = [ "/var/lib/private/starbound/storage/universe/" ];
"/var/lib/private/starbound/storage/universe/" pauseServices = [ "starbound.service" ];
];
pauseServices = ["starbound.service"];
}; };
} }

26
configuration/services/webserver.nix
View file

@ -1,6 +1,8 @@
{config, ...}: let { config, ... }:
let
domain = config.services.nginx.domain; domain = config.services.nginx.domain;
in { in
{
services.tlaternet-webserver = { services.tlaternet-webserver = {
enable = true; enable = true;
listen = { listen = {
@ -10,15 +12,17 @@ in {
}; };
# Set up SSL # Set up SSL
services.nginx.virtualHosts."${domain}" = let services.nginx.virtualHosts."${domain}" =
inherit (config.services.tlaternet-webserver.listen) addr port; let
in { inherit (config.services.tlaternet-webserver.listen) addr port;
serverAliases = ["www.${domain}"]; in
{
serverAliases = [ "www.${domain}" ];
forceSSL = true; forceSSL = true;
useACMEHost = "tlater.net"; useACMEHost = "tlater.net";
enableHSTS = true; enableHSTS = true;
locations."/".proxyPass = "http://${addr}:${toString port}"; locations."/".proxyPass = "http://${addr}:${toString port}";
}; };
} }

7
configuration/services/wireguard.nix
View file

@ -1,4 +1,5 @@
{config, ...}: { { config, ... }:
{
# iptables needs to permit forwarding from wg0 to wg0 # iptables needs to permit forwarding from wg0 to wg0
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
@ -26,7 +27,7 @@
{ {
# yui # yui
wireguardPeerConfig = { wireguardPeerConfig = {
AllowedIPs = ["10.45.249.2/32"]; AllowedIPs = [ "10.45.249.2/32" ];
PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0="; PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
}; };
} }
@ -34,7 +35,7 @@
{ {
# yuanyuan # yuanyuan
wireguardPeerConfig = { wireguardPeerConfig = {
AllowedIPs = ["10.45.249.10/32"]; AllowedIPs = [ "10.45.249.10/32" ];
PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE="; PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE=";
}; };
} }

8
configuration/sops.nix
View file

@ -31,8 +31,8 @@
}; };
# Heisenbridge # Heisenbridge
"heisenbridge/as-token" = {}; "heisenbridge/as-token" = { };
"heisenbridge/hs-token" = {}; "heisenbridge/hs-token" = { };
"hetzner-api" = { "hetzner-api" = {
owner = "acme"; owner = "acme";
@ -62,10 +62,10 @@
}; };
# Steam # Steam
"steam/tlater" = {}; "steam/tlater" = { };
# Turn # Turn
"turn/env" = {}; "turn/env" = { };
"turn/secret" = { "turn/secret" = {
owner = "turnserver"; owner = "turnserver";
}; };

86
flake.lock
View file

@ -7,11 +7,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1711973905, "lastModified": 1718194053,
"narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=", "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b", "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -27,11 +27,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1714103775, "lastModified": 1723685519,
"narHash": "sha256-kcBiIrmqzt3bNTr2GMBfAyA+on8BEKO1iKzzDFQZkjI=", "narHash": "sha256-GkXQIoZmW2zCPp1YFtAYGg/xHNyFH/Mgm79lcs81rq0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "285e26465a0bae510897ca04da26ce6307c652b4", "rev": "276a0d055a720691912c6a34abb724e395c8e38a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -47,11 +47,11 @@
"pyproject-nix": "pyproject-nix" "pyproject-nix": "pyproject-nix"
}, },
"locked": { "locked": {
"lastModified": 1702457430, "lastModified": 1719685993,
"narHash": "sha256-8NQiXtYCOiC7XFayy6GPGDudCBrPROry3mfWjpdVj5g=", "narHash": "sha256-04gy1icwnGO3ZXF6r96yBm/C0PNPzeLxA/8xzzq0dBI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "dream2nix", "repo": "dream2nix",
"rev": "262198033e23e9ee832f0cc8133d38f07598f555", "rev": "1b5e01219a32324c8f6889fe1f4db933ec7932f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -69,11 +69,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1704003651, "lastModified": 1719815435,
"narHash": "sha256-bA3d4E1CX5G7TVbKwJOm9jZfVOGOPp6u5CKEUzNsE8E=", "narHash": "sha256-K2xFp142onP35jcx7li10xUxNVEVRWjAdY8DSuR7Naw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "c6d82e087ac96f24b90c5787a17e29a72566c2b4", "rev": "ebfe2c639111d7e82972a12711206afaeeda2450",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -157,11 +157,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1712623723, "lastModified": 1722661736,
"narHash": "sha256-jPD5+M+QPyMRk52zfFMIeHdv7yXYJ/yNGqwS0PhYF+E=", "narHash": "sha256-0lujsK40JV/2PlqCjhZMGpHKL4vDKzJcnkFJYnG1WZA=",
"owner": "reckenrode", "owner": "reckenrode",
"repo": "nix-foundryvtt", "repo": "nix-foundryvtt",
"rev": "6025615b431170558c3c13f16b549fc0126425e1", "rev": "699a175398410688214615a9d977354e9ef98d2d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -210,59 +210,59 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1713638189, "lastModified": 1721524707,
"narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=", "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "74574c38577914733b4f7a775dd77d24245081dd", "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.11", "ref": "release-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1714253743, "lastModified": 1723957280,
"narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=", "narHash": "sha256-J08Yqf2IJ73y7myI69qEKsQ048ibweG6FeJeCxbIdB4=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994", "rev": "abcef4da4ebb72240bddc370a27263627e64877f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-unstable", "ref": "nixos-unstable-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1718208800, "lastModified": 1723920526,
"narHash": "sha256-US1tAChvPxT52RV8GksWZS415tTS7PV42KTc2PNDBmc=", "narHash": "sha256-USs6A60raDKZ/8BEpqja1XjZIsRzADX+NtWKH6wIxIw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cc54fb41d13736e92229c21627ea4f22199fee6b", "rev": "1cbd3d585263dc620c483e138d352a39b9f0e3ec",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.05", "ref": "nixos-24.05-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1702272962, "lastModified": 1719468428,
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", "narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", "rev": "1e3deb3d8a86a870d925760db1a5adecc64d329d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -281,11 +281,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1713333471, "lastModified": 1718252448,
"narHash": "sha256-sIVQKOXzruxtTYiBRHZa8UQH+CSIa9K5MZlY6vavYfA=", "narHash": "sha256-xZZBdKqe1ByITzvx65pVgGQ5jeb73MybjgrcfI84lEo=",
"owner": "berberman", "owner": "berberman",
"repo": "nvfetcher", "repo": "nvfetcher",
"rev": "2a824322dc6a755ffda83a13b948d42304521e4d", "rev": "fa7609950023462c6f91c425de7610c0bb6b86ba",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -375,11 +375,11 @@
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1703965384, "lastModified": 1719760370,
"narHash": "sha256-3iyouqkBvhh/E48TkBlt4JmmcIEyfQwY7pokKBx9WNg=", "narHash": "sha256-fsxAuW6RxKZYjAP3biUC6C4vaYFhDfWv8lp1Tmx3ZCY=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "e872f5085cf5b0e44558442365c1c033d486eff2", "rev": "ea7fdada6a0940b239ddbde2048a4d7dac1efe1e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -442,11 +442,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1713892811, "lastModified": 1723501126,
"narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=", "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd", "rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -523,11 +523,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1704840002, "lastModified": 1719851829,
"narHash": "sha256-ik2LeuRjcnRXwBLoRSOyGEMXscE+coO8G79IFhZhdJk=", "narHash": "sha256-M5miiIbiwP4uArTyeIr/RKA857rP14AEJUe11AZsKAc=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "d14f50c8dcc8ab30a5e5fa907b392ac0df6c7b52", "rev": "4a099f27a27f4107ceb14969e2158eaabebcf1d4",
"revCount": 73, "revCount": 74,
"type": "git", "type": "git",
"url": "https://gitea.tlater.net/tlaternet/tlaternet.git" "url": "https://gitea.tlater.net/tlaternet/tlaternet.git"
}, },

250
flake.nix
View file

@ -2,8 +2,8 @@
description = "tlater.net host configuration"; description = "tlater.net host configuration";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -32,126 +32,144 @@
}; };
}; };
outputs = { outputs =
self, {
nixpkgs, self,
sops-nix, nixpkgs,
nvfetcher, sops-nix,
deploy-rs, nvfetcher,
... deploy-rs,
} @ inputs: let ...
system = "x86_64-linux"; }@inputs:
pkgs = nixpkgs.legacyPackages.${system}; let
in { system = "x86_64-linux";
################## pkgs = nixpkgs.legacyPackages.${system};
# Configurations #
################## vm = nixpkgs.lib.nixosSystem {
nixosConfigurations = {
# The actual system definition
hetzner-1 = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs.flake-inputs = inputs; specialArgs.flake-inputs = inputs;
modules = [ modules = [
./configuration ./configuration
./configuration/hardware-specific/hetzner ./configuration/hardware-specific/vm.nix
];
};
in
{
##################
# Configurations #
##################
nixosConfigurations = {
# The actual system definition
hetzner-1 = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs.flake-inputs = inputs;
modules = [
./configuration
./configuration/hardware-specific/hetzner
];
};
};
############################
# Deployment configuration #
############################
deploy.nodes = {
hetzner-1 = {
hostname = "116.202.158.55";
profiles.system = {
user = "root";
path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.hetzner-1;
};
sshUser = "tlater";
sshOpts = [
"-p"
"2222"
"-o"
"ForwardAgent=yes"
];
};
};
#########
# Tests #
#########
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
###########################
# Garbage collection root #
###########################
packages.${system}.default = vm.config.system.build.vm;
###################
# Utility scripts #
###################
apps.${system} = {
default = self.apps.${system}.run-vm;
run-vm = {
type = "app";
program =
let
in
(pkgs.writeShellScript "" ''
${vm.config.system.build.vm.outPath}/bin/run-testvm-vm
'').outPath;
};
update-pkgs = {
type = "app";
program =
let
nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
in
(pkgs.writeShellScript "update-pkgs" ''
cd "$(git rev-parse --show-toplevel)/pkgs"
${nvfetcher-bin} -o _sources_pkgs -c nvfetcher.toml
'').outPath;
};
update-nextcloud-apps = {
type = "app";
program =
let
nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
in
(pkgs.writeShellScript "update-nextcloud-apps" ''
cd "$(git rev-parse --show-toplevel)/pkgs"
${nvfetcher-bin} -o _sources_nextcloud -c nextcloud-apps.toml
'').outPath;
};
};
###########################
# Development environment #
###########################
devShells.${system}.default = nixpkgs.legacyPackages.${system}.mkShell {
sopsPGPKeyDirs = [
"./keys/hosts/"
"./keys/users/"
];
nativeBuildInputs = [ sops-nix.packages.${system}.sops-import-keys-hook ];
packages = with pkgs; [
sops-nix.packages.${system}.sops-init-gpg-key
deploy-rs.packages.${system}.default
nixpkgs-fmt
cargo
clippy
rustc
rustfmt
rust-analyzer
pkg-config
openssl
]; ];
}; };
}; };
############################
# Deployment configuration #
############################
deploy.nodes = {
hetzner-1 = {
hostname = "116.202.158.55";
profiles.system = {
user = "root";
path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.hetzner-1;
};
sshUser = "tlater";
sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"];
};
};
#########
# Tests #
#########
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
###################
# Utility scripts #
###################
apps.${system} = {
default = self.apps.${system}.run-vm;
run-vm = {
type = "app";
program = let
vm = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs.flake-inputs = inputs;
modules = [
./configuration
./configuration/hardware-specific/vm.nix
];
};
in
(pkgs.writeShellScript "" ''
${vm.config.system.build.vm.outPath}/bin/run-testvm-vm
'')
.outPath;
};
update-pkgs = {
type = "app";
program = let
nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
in
(pkgs.writeShellScript "update-pkgs" ''
cd "$(git rev-parse --show-toplevel)/pkgs"
${nvfetcher-bin} -o _sources_pkgs -c nvfetcher.toml
'')
.outPath;
};
update-nextcloud-apps = {
type = "app";
program = let
nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
in
(pkgs.writeShellScript "update-nextcloud-apps" ''
cd "$(git rev-parse --show-toplevel)/pkgs"
${nvfetcher-bin} -o _sources_nextcloud -c nextcloud-apps.toml
'')
.outPath;
};
};
###########################
# Development environment #
###########################
devShells.${system}.default = nixpkgs.legacyPackages.${system}.mkShell {
sopsPGPKeyDirs = ["./keys/hosts/" "./keys/users/"];
nativeBuildInputs = [
sops-nix.packages.${system}.sops-import-keys-hook
];
packages = with pkgs; [
sops-nix.packages.${system}.sops-init-gpg-key
deploy-rs.packages.${system}.default
cargo
clippy
rustc
rustfmt
rust-analyzer
pkg-config
openssl
];
};
};
} }

8
keys/production.yaml
View file

@ -1,6 +1,4 @@
authelia: hetzner-api: ENC[AES256_GCM,data:OsUfo86AzcBe/OELkfB5brEfsZ4gkbeehxwIVUBwQgE=,iv:Bt/cjlZ6oZEVUOQjWMDL7/mfL3HWLFAw1tEGeLMgeKg=,tag:TMU2XiHlMgP4aes10mIQYQ==,type:str]
storageEncryptionKey: ENC[AES256_GCM,data:OUCC+6Gcr6U7Mub1+DaIyswTV6da1wd1u0WGEm4wpJ8L0mi7WSpEmVjH79YyRhp7AmiZhdFFDXFeEYthBb2AZl+xoS9gqs6rWyfU4ezaCbXBiS/dIhsA5foPg13wq5A33qJWtPTy7DJEgqHaIonnaBuVJIBwH3wzPTHc3bDvBo4=,iv:intiZzngz5cMTtjEI9rTKMW0Xv3KB3ZEgtYN3amwKCE=,tag:AKxfbeZlPs54esHCsVnNCg==,type:str]
sessionSecret: ENC[AES256_GCM,data:GEMWhBltOIOs0g9FsWk3OQGs6dMcbwz3ZuhlyBFYROylsIZb4xTXWLgNwIpHwQukQU3TgvIxbCW/fGRWiALPanE2koSVAHNx0UU0hj1mVNRFQGK4H3EL10tPp7l4PofrcdeCbLPrOwM/xLOuPt+52sKlcbL2Awz5/MmpUVpCKXc=,iv:kWX2ptOpTgW3obBgri0MvVv6gCEPR3o77sldOXFQeks=,tag:je4pqLcEOhuBTQkoZHYNCw==,type:str]
battery-manager: battery-manager:
email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str] email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str]
password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str] password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str]
@ -34,8 +32,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-04-11T23:38:56Z" lastmodified: "2024-04-15T23:13:18Z"
mac: ENC[AES256_GCM,data:GjIB0EbWsh4o+QoFSyIXgGYnNhRlvfSmue1LyTt6oUlIjNgODhdIB8px8LnRo0rmm/f1YHbDq2MFOxlgdm3PTNaqm/MoKyW3r/wuAeWADsYayQszLNxyhTMXcjWtfm6zCRIuc/+YyM44pXRfVrOZRAin9B6pmJZsRJwBAZpogbU=,iv:r/ZQZvrP0E9dOW5fhBH2I21Z0uv2e3njdEGmadxEALg=,tag:iZvbGTvRJFo80n8aoKSSmQ==,type:str] mac: ENC[AES256_GCM,data:3/v+WgSWJ+VcBSBe1Wkis3z+tMmSjbKzLFqBB8xugc6DvgQG8J+1HRrPucLnpNNtEdmpyoTa72U6fPm6JnyUsuj5pLEghLprOJkqQNdRI06fllhw+9d3e3twx6D4oIIsVH6/io4ElXrGsGQTsfNbYhgn+987wa3WP5N25fBac3U=,iv:FL3tzPutOMN6IPkQfXIu/JOZT+OzUSqpMSQrUeXZQHE=,tag:jL1BTsYTA9XjrsjFszxZhA==,type:str]
pgp: pgp:
- created_at: "2024-03-18T04:02:00Z" - created_at: "2024-03-18T04:02:00Z"
enc: |- enc: |-

9
keys/staging.yaml
View file

@ -1,7 +1,4 @@
authelia: hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBcvfL4qYYhKwCg=,tag:Xeu8JuRm+b+5RO+wFR2M8w==,type:str]
storageEncryptionKey: ENC[AES256_GCM,data:8X6Zvq7ct1MkMH+lc5kTTHXOo6rGyhSzc3aWxGRA5tnBet+TGcENo0RYTYmactsPGVpTIUGGplaG7B7dqRPhkdDHhbCCZCm2nLaYjpVJ241DrpUNKHn8lvg/bMxUQ/Dvw76ByYuWN6bREr3XRaBztBSPzld8zTSYx71I0CKY7vk=,iv:cJSwfuVWO39qqKCGt2Mvw7pN8+hD6kRH9v4c/u4hLuk=,tag:YhdlXuX2ETxjb443RI8MsA==,type:str]
sessionSecret: ENC[AES256_GCM,data:dnoWmc4HND62w3jMXL+akncAEb61c/I70DgRytx55Wxcn4rMiswp6zCkRdsP4CkouTQ1lyAcQrubp5I8M9Kyow/KBMYz9dPkr4+2xJ9w0SEmAVhyPe2DFvYos3x0Uvx5S0B3o1mXoXqbg78e4w5yEIbALiJT8VPGrWK8Cl4nVPo=,iv:FHDXUW2DWUmEZzWUYkYduogdVOtvMlRH4/fVg05cZaI=,tag:u282WQnHpBsZGYJH7mFFKA==,type:str]
jwtSecret: ENC[AES256_GCM,data:0M3AyoMp+orrljl5NsxmthzrHMmu0REcz7+9fpFKbwwqV6KqlpgGddjYZIsTpHEWEq9zhZ2YWLJkMxKdDgROVHUFZGKut28JPSAjjY+1V0wxNBnfSCnxEv5BUw2+cCxcpCwYQyNfRK6SotTt8aqpxvda4oRXpzxV6SW7ogDjc6E=,iv:D57SynZkW2JuFyX6bpZYkxpR2KtkOmKaySg1Bxim0r8=,tag:JCPGZaumdHrtgcH16A7b+g==,type:str]
battery-manager: battery-manager:
email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str] email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str] password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
@ -35,8 +32,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-04-12T01:00:31Z" lastmodified: "2024-04-15T23:13:27Z"
mac: ENC[AES256_GCM,data:fVnMwfvGi7vtP1Fg4NLrhGvLF2PcIgZPOcwk4Ssm4iw5iSj0K1npOX3pd5BWzyszqchfYYRHY99GllAump0bZmprVAld9rf70B2HZIVvowBPuUXfc9Cz/5q0z+s8bQ5vCdElW1Bh7h8W/POePdc8cFGAyBS4i1ZVNheIDOHdDjI=,iv:Bi6rekXOx3/dwwPRryF3CoAoQi3D06ABysRF1oBeG5A=,tag:0TCra+AkhBDczj4uvAzKMw==,type:str] mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str]
pgp: pgp:
- created_at: "2023-12-29T15:25:27Z" - created_at: "2023-12-29T15:25:27Z"
enc: | enc: |

6
modules/default.nix
View file

@ -1,5 +1 @@
{ { imports = [ ./nginxExtensions.nix ]; }
imports = [
./nginxExtensions.nix
];
}

171
modules/nginxExtensions.nix
View file

@ -3,156 +3,57 @@
pkgs, pkgs,
lib, lib,
... ...
}: { }:
{
options = { options = {
services.nginx.domain = lib.mkOption { services.nginx.domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "The base domain name to append to virtual domain names"; description = "The base domain name to append to virtual domain names";
}; };
services.nginx.virtualHosts = let services.nginx.virtualHosts =
autheliaDomain = "auth.${config.services.nginx.domain}"; let
extraLocationOptions = {config, ...}: { extraVirtualHostOptions =
options = { { name, config, ... }:
enableAutheliaProxy = lib.mkEnableOption "Enable recommended authelia proxy settings"; {
enableAuthorization = lib.mkEnableOption "Enable authorization via authelia"; options = {
}; enableHSTS = lib.mkEnableOption "Enable HSTS";
config = { addAccessLog = lib.mkOption {
recommendedProxySettings = lib.mkIf config.enableAutheliaProxy false; type = lib.types.bool;
default = true;
description = ''
Add special logging to `/var/log/nginx/''${serverName}`
'';
};
};
extraConfig = lib.concatStringsSep "\n" [ config = {
(lib.optionalString config.enableAutheliaProxy '' extraConfig = lib.concatStringsSep "\n" [
proxy_set_header Host $host; (lib.optionalString config.enableHSTS ''
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
proxy_set_header X-Forwarded-Proto $scheme; '')
proxy_set_header X-Forwarded-Host $http_host; (lib.optionalString config.addAccessLog ''
proxy_set_header X-Forwarded-URI $request_uri; access_log /var/log/nginx/${name}/access.log upstream_time;
proxy_set_header X-Forwarded-Ssl on; '')
proxy_set_header X-Forwarded-For $remote_addr; ];
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Connection "";
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
'')
(lib.optionalString config.enableAuthorization ''
auth_request /authelia;
set_escape_uri $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
error_page 401 =302 https://${autheliaDomain}/?rd=$target_url;
'')
];
};
};
extraVirtualHostOptions = {
name,
config,
...
}: {
options = {
enableAuthorization = lib.mkEnableOption "Enable authorization via authelia";
enableHSTS = lib.mkEnableOption "Enable HSTS";
addAccessLog = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Add special logging to `/var/log/nginx/''${serverName}`
'';
};
locations = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule extraLocationOptions);
};
};
config = {
extraConfig = lib.concatStringsSep "\n" [
(lib.optionalString config.enableHSTS ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'')
(lib.optionalString config.addAccessLog ''
access_log /var/log/nginx/${name}/access.log upstream_time;
'')
];
locations = lib.mkIf config.enableAuthorization {
"/".enableAuthorization = true;
"/authelia" = {
proxyPass = "http://127.0.0.1:9091/api/verify";
recommendedProxySettings = false;
extraConfig = ''
internal;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
proxy_pass_request_body off;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
client_body_buffer_size 128k;
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
'';
}; };
}; };
}; in
}; lib.mkOption { type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); };
in
lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
};
}; };
config = { config = {
# Don't attempt to run acme if the domain name is not tlater.net # Don't attempt to run acme if the domain name is not tlater.net
systemd.services = let systemd.services =
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]''; let
in confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
lib.mapAttrs' (cert: _: in
lib.mapAttrs' (
cert: _:
lib.nameValuePair "acme-${cert}" { lib.nameValuePair "acme-${cert}" {
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' ''; serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
}) }
config.security.acme.certs; ) config.security.acme.certs;
}; };
} }

30
pkgs/_sources_nextcloud/generated.json
View file

@ -7,11 +7,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-JXNQNnWXoii71QhtKktuEBEIqzmONVetULBhpSjM9xo=", "sha256": "sha256-V4zZsAwPn8QiCXEDqOgNFHaXqMOcHMpMbJ1Oz3Db0pc=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz" "url": "https://github.com/nextcloud/bookmarks/releases/download/v14.2.4/bookmarks-14.2.4.tar.gz"
}, },
"version": "13.1.3" "version": "14.2.4"
}, },
"calendar": { "calendar": {
"cargoLocks": null, "cargoLocks": null,
@ -21,11 +21,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-hZfjWAMi/0qs5xMMgOlcoSXG6kcZ2aeDaez+NqSZFKI=", "sha256": "sha256-sipXeyOL4OhENz7V2beFeSYBAoFZdCWtqftIy0lsqEY=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud-releases/calendar/releases/download/v4.6.7/calendar-v4.6.7.tar.gz" "url": "https://github.com/nextcloud-releases/calendar/releases/download/v4.7.15/calendar-v4.7.15.tar.gz"
}, },
"version": "v4.6.7" "version": "v4.7.15"
}, },
"contacts": { "contacts": {
"cargoLocks": null, "cargoLocks": null,
@ -49,11 +49,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-TE/w8SgyIPaGl5wZUAsG234nxoPj25QoRPF3zjbMoRk=", "sha256": "sha256-a8ekMnEzudHGiqHF53jPtgsVTOTc2QLuPg6YtTw5h68=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.10.5/Cookbook-0.10.5.tar.gz" "url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.1/Cookbook-0.11.1.tar.gz"
}, },
"version": "0.10.5" "version": "0.11.1"
}, },
"news": { "news": {
"cargoLocks": null, "cargoLocks": null,
@ -63,11 +63,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-cfJkKRNSz15L4E3w1tnEb+t4MrVwVzb8lb6vCOA4cK4=", "sha256": "sha256-AhTZGQCLeNgsRBF5w3+Lf9JtNN4D1QncB5t+odU+XUc=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz" "url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha8/news.tar.gz"
}, },
"version": "24.0.0" "version": "25.0.0-alpha8"
}, },
"notes": { "notes": {
"cargoLocks": null, "cargoLocks": null,
@ -77,10 +77,10 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-ydpxatwuZUz7XIgK8FMklZlxNQklpsP8Uqpxvt3iK0k=", "sha256": "sha256-A3QNWGWeC2OcZngMrh9NpYbU5qp5x9xiDcRfB9cRXBo=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud/notes/releases/download/v4.10.0/notes.tar.gz" "url": "https://github.com/nextcloud-releases/notes/releases/download/v4.10.1/notes-v4.10.1.tar.gz"
}, },
"version": "v4.10.0" "version": "v4.10.1"
} }
} }

30
pkgs/_sources_nextcloud/generated.nix
View file

@ -3,18 +3,18 @@
{ {
bookmarks = { bookmarks = {
pname = "bookmarks"; pname = "bookmarks";
version = "13.1.3"; version = "14.2.4";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz"; url = "https://github.com/nextcloud/bookmarks/releases/download/v14.2.4/bookmarks-14.2.4.tar.gz";
sha256 = "sha256-JXNQNnWXoii71QhtKktuEBEIqzmONVetULBhpSjM9xo="; sha256 = "sha256-V4zZsAwPn8QiCXEDqOgNFHaXqMOcHMpMbJ1Oz3Db0pc=";
}; };
}; };
calendar = { calendar = {
pname = "calendar"; pname = "calendar";
version = "v4.6.7"; version = "v4.7.15";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud-releases/calendar/releases/download/v4.6.7/calendar-v4.6.7.tar.gz"; url = "https://github.com/nextcloud-releases/calendar/releases/download/v4.7.15/calendar-v4.7.15.tar.gz";
sha256 = "sha256-hZfjWAMi/0qs5xMMgOlcoSXG6kcZ2aeDaez+NqSZFKI="; sha256 = "sha256-sipXeyOL4OhENz7V2beFeSYBAoFZdCWtqftIy0lsqEY=";
}; };
}; };
contacts = { contacts = {
@ -27,26 +27,26 @@
}; };
cookbook = { cookbook = {
pname = "cookbook"; pname = "cookbook";
version = "0.10.5"; version = "0.11.1";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.10.5/Cookbook-0.10.5.tar.gz"; url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.1/Cookbook-0.11.1.tar.gz";
sha256 = "sha256-TE/w8SgyIPaGl5wZUAsG234nxoPj25QoRPF3zjbMoRk="; sha256 = "sha256-a8ekMnEzudHGiqHF53jPtgsVTOTc2QLuPg6YtTw5h68=";
}; };
}; };
news = { news = {
pname = "news"; pname = "news";
version = "24.0.0"; version = "25.0.0-alpha8";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz"; url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha8/news.tar.gz";
sha256 = "sha256-cfJkKRNSz15L4E3w1tnEb+t4MrVwVzb8lb6vCOA4cK4="; sha256 = "sha256-AhTZGQCLeNgsRBF5w3+Lf9JtNN4D1QncB5t+odU+XUc=";
}; };
}; };
notes = { notes = {
pname = "notes"; pname = "notes";
version = "v4.10.0"; version = "v4.10.1";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud/notes/releases/download/v4.10.0/notes.tar.gz"; url = "https://github.com/nextcloud-releases/notes/releases/download/v4.10.1/notes-v4.10.1.tar.gz";
sha256 = "sha256-ydpxatwuZUz7XIgK8FMklZlxNQklpsP8Uqpxvt3iK0k="; sha256 = "sha256-A3QNWGWeC2OcZngMrh9NpYbU5qp5x9xiDcRfB9cRXBo=";
}; };
}; };
} }

1
pkgs/_sources_pkgs/generated.json
View file

@ -13,6 +13,7 @@
"name": null, "name": null,
"rev": "v0.10.1", "rev": "v0.10.1",
"sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=", "sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=",
"sparseCheckout": [],
"type": "git", "type": "git",
"url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter" "url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
}, },

1
pkgs/_sources_pkgs/generated.nix
View file

@ -10,6 +10,7 @@
fetchSubmodules = false; fetchSubmodules = false;
deepClone = false; deepClone = false;
leaveDotGit = false; leaveDotGit = false;
sparseCheckout = [ ];
sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI="; sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=";
}; };
}; };

14
pkgs/afvalcalendar/default.nix
View file

@ -1,20 +1,12 @@
{ { pkgs, rustPlatform, ... }:
pkgs,
rustPlatform,
...
}:
rustPlatform.buildRustPackage { rustPlatform.buildRustPackage {
pname = "afvalcalendar"; pname = "afvalcalendar";
version = "0.1.0"; version = "0.1.0";
src = ./.; src = ./.;
nativeBuildInputs = with pkgs; [ nativeBuildInputs = with pkgs; [ pkg-config ];
pkg-config
];
buildInputs = with pkgs; [ buildInputs = with pkgs; [ openssl ];
openssl
];
cargoHash = "sha256-JXx6aUKdKbUTBCwlBw5i1hZy8ofCfSrhLCwFzqdA8cI="; cargoHash = "sha256-JXx6aUKdKbUTBCwlBw5i1hZy8ofCfSrhLCwFzqdA8cI=";
} }

36
pkgs/default.nix
View file

@ -1,22 +1,20 @@
{ { pkgs, lib }:
pkgs, let
lib,
}: let
inherit (builtins) fromJSON mapAttrs readFile; inherit (builtins) fromJSON mapAttrs readFile;
inherit (pkgs) callPackage; inherit (pkgs) callPackage;
in in
{ {
starbound = callPackage ./starbound {}; starbound = callPackage ./starbound { };
prometheus-fail2ban-exporter = callPackage ./prometheus/fail2ban-exporter.nix { prometheus-fail2ban-exporter = callPackage ./prometheus/fail2ban-exporter.nix {
sources = pkgs.callPackage ./_sources_pkgs/generated.nix {}; sources = pkgs.callPackage ./_sources_pkgs/generated.nix { };
}; };
afvalcalendar = callPackage ./afvalcalendar {}; afvalcalendar = callPackage ./afvalcalendar { };
} }
// ( // (
# Add nextcloud apps # Add nextcloud apps
let let
mkNextcloudApp = pkgs.callPackage ./mkNextcloudApp.nix {}; mkNextcloudApp = pkgs.callPackage ./mkNextcloudApp.nix { };
sources = fromJSON (readFile ./_sources_nextcloud/generated.json); sources = fromJSON (readFile ./_sources_nextcloud/generated.json);
in in
mapAttrs (_: source: mkNextcloudApp source) sources mapAttrs (_: source: mkNextcloudApp source) sources
) )

6
pkgs/mkNextcloudApp.nix
View file

@ -1,7 +1,5 @@
{ { fetchNextcloudApp, lib }:
fetchNextcloudApp, source:
lib,
}: source:
fetchNextcloudApp { fetchNextcloudApp {
url = source.src.url; url = source.src.url;
sha256 = source.src.sha256; sha256 = source.src.sha256;

17
pkgs/nextcloud-apps.toml
View file

@ -1,12 +1,10 @@
[bookmarks] [bookmarks]
# src.github = "nextcloud/bookmarks" src.github = "nextcloud/bookmarks"
src.prefix = "v" src.prefix = "v"
src.manual = "v13.1.3"
fetch.tarball = "https://github.com/nextcloud/bookmarks/releases/download/v$ver/bookmarks-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud/bookmarks/releases/download/v$ver/bookmarks-$ver.tar.gz"
[calendar] [calendar]
# src.github = "nextcloud-releases/calendar" src.github = "nextcloud-releases/calendar"
src.manual = "v4.6.7"
fetch.tarball = "https://github.com/nextcloud-releases/calendar/releases/download/$ver/calendar-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud-releases/calendar/releases/download/$ver/calendar-$ver.tar.gz"
[contacts] [contacts]
@ -15,17 +13,16 @@ src.manual = "v5.5.3"
fetch.tarball = "https://github.com/nextcloud-releases/contacts/releases/download/$ver/contacts-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud-releases/contacts/releases/download/$ver/contacts-$ver.tar.gz"
[cookbook] [cookbook]
# src.github = "christianlupus-nextcloud/cookbook-releases" src.github = "christianlupus-nextcloud/cookbook-releases"
src.prefix = "v" src.prefix = "v"
src.manual = "0.10.5"
fetch.tarball = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v$ver/Cookbook-$ver.tar.gz" fetch.tarball = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v$ver/Cookbook-$ver.tar.gz"
[news] [news]
# Update manually until angular rewrite is done
# src.github = "nextcloud/news" # src.github = "nextcloud/news"
# Update to 25 when angular rewrite is done/the alpha when I need to switch to nextcloud 28+ src.manual = "25.0.0-alpha8"
src.manual = "24.0.0"
fetch.tarball = "https://github.com/nextcloud/news/releases/download/$ver/news.tar.gz" fetch.tarball = "https://github.com/nextcloud/news/releases/download/$ver/news.tar.gz"
[notes] [notes]
src.github = "nextcloud/notes" src.github = "nextcloud-releases/notes"
fetch.tarball = "https://github.com/nextcloud/notes/releases/download/$ver/notes.tar.gz" fetch.tarball = "https://github.com/nextcloud-releases/notes/releases/download/$ver/notes-$ver.tar.gz"

5
pkgs/prometheus/fail2ban-exporter.nix
View file

@ -1,7 +1,4 @@
{ { buildGoModule, sources }:
buildGoModule,
sources,
}:
buildGoModule { buildGoModule {
inherit (sources.prometheus-fail2ban-exporter) pname src version; inherit (sources.prometheus-fail2ban-exporter) pname src version;
vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY="; vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY=";

49
pkgs/starbound/default.nix
View file

@ -5,30 +5,33 @@
patchelf, patchelf,
steamPackages, steamPackages,
replace-secret, replace-secret,
}: let }:
let
# Use the directory in which starbound is installed so steamcmd # Use the directory in which starbound is installed so steamcmd
# doesn't have to be reinstalled constantly (we're using DynamicUser # doesn't have to be reinstalled constantly (we're using DynamicUser
# with StateDirectory to persist this). # with StateDirectory to persist this).
steamcmd = steamPackages.steamcmd.override { steamcmd = steamPackages.steamcmd.override { steamRoot = "/var/lib/starbound/.steamcmd"; };
steamRoot = "/var/lib/starbound/.steamcmd"; wrapperPath = lib.makeBinPath [
}; patchelf
wrapperPath = lib.makeBinPath [patchelf steamcmd replace-secret]; steamcmd
replace-secret
];
in in
stdenv.mkDerivation { stdenv.mkDerivation {
name = "starbound-update-script"; name = "starbound-update-script";
nativeBuildInputs = [makeWrapper]; nativeBuildInputs = [ makeWrapper ];
dontUnpack = true; dontUnpack = true;
patchPhase = '' patchPhase = ''
interpreter="$(cat $NIX_CC/nix-support/dynamic-linker)" interpreter="$(cat $NIX_CC/nix-support/dynamic-linker)"
substitute ${./launch-starbound.sh} launch-starbound --subst-var interpreter substitute ${./launch-starbound.sh} launch-starbound --subst-var interpreter
''; '';
installPhase = '' installPhase = ''
mkdir -p $out/bin mkdir -p $out/bin
cp launch-starbound $out/bin/launch-starbound cp launch-starbound $out/bin/launch-starbound
chmod +x $out/bin/launch-starbound chmod +x $out/bin/launch-starbound
''; '';
postFixup = '' postFixup = ''
wrapProgram $out/bin/launch-starbound \ wrapProgram $out/bin/launch-starbound \
--prefix PATH : "${wrapperPath}" --prefix PATH : "${wrapperPath}"
''; '';
} }