Switch over to nix flakes and introduce podman pods #26

Manually merged
tlater merged 5 commits from tlater/flake into master 2021-04-12 02:16:38 +01:00
23 changed files with 183 additions and 973 deletions
Showing only changes of commit 5e87a5ec0c - Show all commits

1
.gitattributes vendored
View file

@ -1 +0,0 @@
*.tar.gz filter=lfs diff=lfs merge=lfs -text

2
.gitignore vendored
View file

@ -1,2 +1,2 @@
/result /result
/tlater.net.qcow2 /tlaternet.qcow2

View file

@ -1,11 +0,0 @@
result: etc/nixos/configuration.nix
nix-build '<nixpkgs/nixos>' -A vm -k -I nixos-config=$^
tlaternet.qcow2:
nix-shell -p qemu --run 'qemu-img create -f qcow2 $@ 10G'
run: result tlaternet.qcow2
QEMU_OPTS="-m 4096 -nographic" QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8000-:80,hostfwd=tcp::25565-:25565" ./result/bin/run-tlaternet-vm
format: $(wildcard etc/nixos/**/*.nix)
nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt $^'

View file

@ -6,51 +6,30 @@ This is the NixOS configuration for [tlater.net](https://tlater.net/).
### Building ### Building
To test locally in a VM, [nix](https://nixos.org/nix/) is Build the VM with:
required. Using a properly-configured nix, a qemu-based VM running the
server can be created by first applying the following patch to disable
hardware-specific configuration:
```patch
diff --git a/etc/nixos/configuration.nix b/etc/nixos/configuration.nix
index 387113d..aabee88 100644
--- a/etc/nixos/configuration.nix
+++ b/etc/nixos/configuration.nix
@@ -2,8 +2,8 @@
{
imports = [
- ./hardware-configuration.nix
- ./linode.nix
+ # ./hardware-configuration.nix
+ # ./linode.nix
];
networking = {
```
Then building the VM with:
``` ```
nix-build '<nixpkgs/nixos>' -A vm -k -I nixos-config=./configuration.nix nixos-rebuild build-vm --flake '.#vm'
``` ```
### Running ### Running
To invoke the VM, use: Running should *mostly* be as simple as running the command the build
script echos.
``` One caveat: create a larger disk image first. This can be done by
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8000-:80" ./result/bin/run-tlater.net-vm running the following in the repository root:
```bash
qemu-img create -f qcow2 ./tlaternet.qcow2 20G
``` ```
This will set up a qemu VM with ports 2222 linked to the ssh port, and Everything else should be handled by the devShell.
8000 to the http port. If other ports are required, adjust the
environment variable (notably, ssl is provided by the image, although
it should not work since it is unlikely that letsencrypt will supply
any certificates).
Note that other environment variables are available (such as one for ### New services
disabling the qt GUI, probably handy for eventual CI). They are listed
under "Building a service as a VM (for testing)" Whenever a new service is added, append an appropriate
[here](https://nixos.wiki/wiki/Cheatsheet) (not linked since the page `,hostfwd=::3<port>:<port>` to the `QEMU_NET_OPTS` specified in
isn't set up very nicely). `flake.nix` to bind the service to a host port.
There is no way to test this without binding to the host port, sadly.

57
configuration/default.nix Normal file
View file

@ -0,0 +1,57 @@
{ config, pkgs, ... }:
{
imports = [ ];
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
networking = {
hostName = "tlaternet";
usePredictableInterfaceNames = false;
useDHCP = false;
interfaces.eth0.useDHCP = true;
firewall.allowedTCPPorts = [ 80 443 2222 2221 25565 ];
};
time.timeZone = "Europe/London";
users.users.tlater = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
};
services.openssh = {
enable = true;
allowSFTP = false;
passwordAuthentication = false;
permitRootLogin = "no";
ports = [ 2222 ];
startWhenNeeded = true;
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "10G";
};
security.acme = {
email = "tm@tlater.net";
acceptTerms = true;
};
virtualisation.oci-containers.backend = "podman";
system.stateVersion = "20.09";
}

View file

@ -2,9 +2,7 @@
{ {
# Required for the lish console # Required for the lish console
boot = { boot.kernelParams = [ "console=ttyS0,19200n8" ];
kernelParams = [ "console=ttyS0,19200n8" ];
};
boot.loader = { boot.loader = {
# Timeout to allow lish to connect # Timeout to allow lish to connect

View file

@ -1,68 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./linode.nix
<nixpkgs/nixos/modules/profiles/headless.nix>
./modules/networked-docker-containers.nix
# FIXME: It'd be much nicer if these were imported further down,
# and set inside the docker-containers set, instead of setting the
# docker-containers set here.
./services/nginx.nix
./services/gitea.nix
./services/nextcloud.nix
./services/tlaternet.nix
./services/minecraft.nix
];
networking = {
hostName = "tlaternet";
usePredictableInterfaceNames = false;
# useDHCP is deprecated
useDHCP = false;
interfaces.eth0.useDHCP = true;
firewall = {
enable = true;
allowedTCPPorts = [
80
443
2222
2221
25565
];
};
};
time.timeZone = "Europe/London";
users.users = {
tlater = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" ];
openssh.authorizedKeys.keyFiles = [ ./keys/tlater.pub ];
};
};
services = {
openssh = {
enable = true;
allowSFTP = false;
passwordAuthentication = false;
permitRootLogin = "no";
ports = [ 2222 ];
startWhenNeeded = true;
};
};
virtualisation.docker = {
enable = true;
autoPrune.enable = true;
};
system.stateVersion = "19.09";
}

BIN
etc/nixos/derivations/dist.tar.gz (Stored with Git LFS)

Binary file not shown.

@ -1 +0,0 @@
Subproject commit 114a87885e1b3852c4cf6fe9854c86045770b3e4

View file

@ -1,15 +0,0 @@
{ pkgs ? import <nixpkgs> {} }:
with pkgs;
# TODO: Once https://github.com/svanderburg/node2nix/issues/184 is
# fixed, use a proper nixos package instead of a tarball.
stdenv.mkDerivation {
pname = "tlaternet-templates";
version = "1.0";
src = ./dist.tar.gz;
installPhase = ''
mkdir -p $out/srv/
mv browser $out/srv/web
'';
}

View file

@ -1,306 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.networked-docker-containers;
networkedDockerContainer =
{ ... }: {
options = {
image = mkOption {
type = with types; str;
description = "Docker image to run.";
example = "library/hello-world";
};
imageFile = mkOption {
type = with types; nullOr package;
default = null;
description = ''
Path to an image file to load instead of pulling from a registry.
If defined, do not pull from registry.
You still need to set the <literal>image</literal> attribute, as it
will be used as the image name for docker to start a container.
'';
example = literalExample "pkgs.dockerTools.buildDockerImage {...};";
};
cmd = mkOption {
type = with types; listOf str;
default = [];
description = "Commandline arguments to pass to the image's entrypoint.";
example = literalExample ''
["--port=9000"]
'';
};
entrypoint = mkOption {
type = with types; nullOr str;
description = "Overwrite the default entrypoint of the image.";
default = null;
example = "/bin/my-app";
};
environment = mkOption {
type = with types; attrsOf str;
default = {};
description = "Environment variables to set for this container.";
example = literalExample ''
{
DATABASE_HOST = "db.example.com";
DATABASE_PORT = "3306";
}
'';
};
log-driver = mkOption {
type = types.str;
default = "none";
description = ''
Logging driver for the container. The default of
<literal>"none"</literal> means that the container's logs will be
handled as part of the systemd unit. Setting this to
<literal>"journald"</literal> will result in duplicate logging, but
the container's logs will be visible to the <command>docker
logs</command> command.
For more details and a full list of logging drivers, refer to the
<link xlink:href="https://docs.docker.com/engine/reference/run/#logging-drivers---log-driver">
Docker engine documentation</link>
'';
};
networks = mkOption {
type = with types; listOf str;
default = [];
description = ''
Docker networks to create and connect this container to.
The first network in this list will be connected with
<literal>--network=</literal>, others after container
creation with <command>docker network connect</command>.
Any networks will be created if they do not exist before
the container is started.
'';
};
ports = mkOption {
type = with types; listOf str;
default = [];
description = ''
Network ports to publish from the container to the outer host.
Valid formats:
<itemizedlist>
<listitem>
<para>
<literal>&lt;ip&gt;:&lt;hostPort&gt;:&lt;containerPort&gt;</literal>
</para>
</listitem>
<listitem>
<para>
<literal>&lt;ip&gt;::&lt;containerPort&gt;</literal>
</para>
</listitem>
<listitem>
<para>
<literal>&lt;hostPort&gt;:&lt;containerPort&gt;</literal>
</para>
</listitem>
<listitem>
<para>
<literal>&lt;containerPort&gt;</literal>
</para>
</listitem>
</itemizedlist>
Both <literal>hostPort</literal> and
<literal>containerPort</literal> can be specified as a range of
ports. When specifying ranges for both, the number of container
ports in the range must match the number of host ports in the
range. Example: <literal>1234-1236:1234-1236/tcp</literal>
When specifying a range for <literal>hostPort</literal> only, the
<literal>containerPort</literal> must <emphasis>not</emphasis> be a
range. In this case, the container port is published somewhere
within the specified <literal>hostPort</literal> range. Example:
<literal>1234-1236:1234/tcp</literal>
Refer to the
<link xlink:href="https://docs.docker.com/engine/reference/run/#expose-incoming-ports">
Docker engine documentation</link> for full details.
'';
example = literalExample ''
[
"8080:9000"
]
'';
};
user = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Override the username or UID (and optionally groupname or GID) used
in the container.
'';
example = "nobody:nogroup";
};
volumes = mkOption {
type = with types; listOf str;
default = [];
description = ''
List of volumes to attach to this container.
Note that this is a list of <literal>"src:dst"</literal> strings to
allow for <literal>src</literal> to refer to
<literal>/nix/store</literal> paths, which would difficult with an
attribute set. There are also a variety of mount options available
as a third field; please refer to the
<link xlink:href="https://docs.docker.com/engine/reference/run/#volume-shared-filesystems">
docker engine documentation</link> for details.
'';
example = literalExample ''
[
"volume_name:/path/inside/container"
"/path/on/host:/path/inside/container"
]
'';
};
workdir = mkOption {
type = with types; nullOr str;
default = null;
description = "Override the default working directory for the container.";
example = "/var/lib/hello_world";
};
dependsOn = mkOption {
type = with types; listOf str;
default = [];
description = ''
Define which other containers this one depends on. They will be added to both After and Requires for the unit.
Use the same name as the attribute under <literal>services.docker-containers</literal>.
'';
example = literalExample ''
services.docker-containers = {
node1 = {};
node2 = {
dependsOn = [ "node1" ];
}
}
'';
};
extraDockerOptions = mkOption {
type = with types; listOf str;
default = [];
description = "Extra options for <command>docker run</command>.";
example = literalExample ''
["--network=host"]
'';
};
};
};
mkService = name: container: let
mkAfter = map (x: "docker-${x}.service") container.dependsOn;
in
rec {
wantedBy = [ "multi-user.target" ];
after = [ "docker.service" "docker.socket" "docker-networks.service" ] ++ mkAfter;
requires = after;
serviceConfig = {
ExecStart = [ "${pkgs.docker}/bin/docker start -a ${name}" ];
ExecStartPre = [
"-${pkgs.docker}/bin/docker rm -f ${name}"
"-${pkgs.docker}/bin/docker image prune -f"
] ++ (
optional (container.imageFile != null)
[ "${pkgs.docker}/bin/docker load -i ${container.imageFile}" ]
) ++ [
(
concatStringsSep " \\\n " (
[
"${pkgs.docker}/bin/docker create"
"--rm"
"--name=${name}"
"--log-driver=${container.log-driver}"
] ++ optional (container.entrypoint != null)
"--entrypoint=${escapeShellArg container.entrypoint}"
++ (mapAttrsToList (k: v: "-e ${escapeShellArg k}=${escapeShellArg v}") container.environment)
++ map (p: "-p ${escapeShellArg p}") container.ports
++ optional (container.user != null) "-u ${escapeShellArg container.user}"
++ map (v: "-v ${escapeShellArg v}") container.volumes
++ optional (container.workdir != null) "-w ${escapeShellArg container.workdir}"
++ optional (container.networks != []) "--network=${escapeShellArg (builtins.head container.networks)}"
++ map escapeShellArg container.extraDockerOptions
++ [ container.image ]
++ map escapeShellArg container.cmd
)
)
] ++ map (n: "${pkgs.docker}/bin/docker network connect ${escapeShellArg n} ${name}") (drop 1 container.networks);
ExecStop = ''${pkgs.bash}/bin/sh -c "[ $SERVICE_RESULT = success ] || ${pkgs.docker}/bin/docker stop ${name}"'';
ExecStopPost = "-${pkgs.docker}/bin/docker rm -f ${name}";
### There is no generalized way of supporting `reload` for docker
### containers. Some containers may respond well to SIGHUP sent to their
### init process, but it is not guaranteed; some apps have other reload
### mechanisms, some don't have a reload signal at all, and some docker
### images just have broken signal handling. The best compromise in this
### case is probably to leave ExecReload undefined, so `systemctl reload`
### will at least result in an error instead of potentially undefined
### behaviour.
###
### Advanced users can still override this part of the unit to implement
### a custom reload handler, since the result of all this is a normal
### systemd service from the perspective of the NixOS module system.
###
# ExecReload = ...;
###
TimeoutStartSec = 0;
TimeoutStopSec = 120;
Restart = "no";
};
};
in
{
options.networked-docker-containers = mkOption {
default = {};
type = types.attrsOf (types.submodule networkedDockerContainer);
description = "Docker containers to run as systemd services.";
};
config = mkIf (cfg != {}) {
systemd.services = mapAttrs' (n: v: nameValuePair "docker-${n}" (mkService n v)) cfg // {
"docker-networks" = rec {
after = [ "docker.service" "docker.socket" ];
requires = after;
serviceConfig = {
Type = "oneshot";
ExecStart = map (
n: ''${pkgs.bash}/bin/sh -c "${pkgs.docker}/bin/docker network inspect ${escapeShellArg n} > /dev/null || \
${pkgs.docker}/bin/docker network create ${escapeShellArg n}"''
) (unique (flatten (mapAttrsToList (_: c: c.networks) cfg)));
};
};
};
virtualisation.docker.enable = true;
};
}

Binary file not shown.

View file

@ -1,173 +0,0 @@
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP;
#gzip on;
upstream php-handler {
server nextcloud:9000;
}
server {
listen 80;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
# fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
}

View file

@ -1 +0,0 @@
client_max_body_size 16G;

View file

@ -1,51 +0,0 @@
{ ... }:
{
networked-docker-containers = {
gitea = {
image = "gitea/gitea:latest";
ports = [
"2221:2221"
];
volumes = [
"gitea:/data:Z"
"/etc/timezone:/etc/timezone:ro"
"/etc/localtime:/etc/localtime:ro"
];
environment = {
VIRTUAL_PORT = "3000";
VIRTUAL_HOST = "gitea.tlater.net";
LETSENCRYPT_HOST = "gitea.tlater.net";
DB_TYPE = "postgres";
DB_HOST = "gitea-postgres:5432";
DB_NAME = "gitea";
DB_USER = "gitea";
DB_PASSWD = "/qNDDK9WCMuubfA7D8DFwfl9T+Gy2IMDvPhiNpcxZjY=";
RUN_MODE = "prod";
DOMAIN = "gitea.tlater.net";
SSH_PORT = "2221";
};
networks = [
"webproxy"
"gitea"
];
};
gitea-postgres = {
image = "postgres:alpine";
environment = {
POSTGRES_DB = "gitea";
POSTGRES_USER = "gitea";
POSTGRES_PASSWORD = "/qNDDK9WCMuubfA7D8DFwfl9T+Gy2IMDvPhiNpcxZjY=";
};
volumes = [
"gitea-db-data-new:/var/lib/postgresql/data"
];
networks = [
"gitea"
];
};
};
}

View file

@ -1,130 +0,0 @@
{ pkgs, ... }:
let
entrypoint = pkgs.writeScript "entrypoint.sh" ''
#!${pkgs.bash}/bin/bash
${pkgs.busybox}/bin/mkdir -p /var/lib/
${pkgs.gzip}/bin/gzip -dc ${./configs/minecraft.tar.gz} | ${pkgs.gnutar}/bin/tar -xf - -C /var/lib
echo 'eula=true' > /var/lib/minecraft/eula.txt
${pkgs.busybox}/bin/cp -f ${properties} /var/lib/minecraft/server.properties
$@
'';
ops = pkgs.writeText "ops.json" (builtins.toJSON [
{
uuid = "140d177a-966f-41b8-a4c0-e305babd291b";
name = "TLATER";
level = 4;
bypassesPlayerLimit = true;
}
]);
whitelist = pkgs.writeText "whitelist.json" (builtins.toJSON [
{
uuid = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
name = "romino25";
}
{
uuid = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
name = "lasi25";
}
{
uuid = "140d177a-966f-41b8-a4c0-e305babd291b";
name = "TLATER";
}
]);
properties = pkgs.writeText "server.properties" ''
#Minecraft server properties
#Sun Jul 19 16:04:54 GMT 2020
max-tick-time=60000
generator-settings=
allow-nether=true
force-gamemode=false
gamemode=0
enable-query=false
player-idle-timeout=0
difficulty=1
spawn-monsters=true
op-permission-level=4
pvp=false
snooper-enabled=true
level-type=DEFAULT
hardcore=false
enable-command-block=false
max-players=4
network-compression-threshold=256
resource-pack-sha1=
max-world-size=29999984
server-port=25565
server-ip=
spawn-npcs=true
allow-flight=true
level-name=world
view-distance=15
resource-pack=
spawn-animals=true
white-list=true
generate-structures=true
online-mode=true
max-build-height=256
level-seed=
prevent-proxy-connections=false
use-native-transport=true
motd=Adventures met die broers
enable-rcon=false
'';
in
{
docker-containers = {
minecraft = {
image = "tlaternet/minecraft";
imageFile = pkgs.dockerTools.buildImage {
name = "tlaternet/minecraft";
tag = "latest";
config = {
Entrypoint = [ "${entrypoint}" ];
Cmd = [ "${pkgs.jre}/bin/java"
"-Xms2G"
"-Xmx2G"
# Using recommended flags from https://mcflags.emc.gs
"-XX:+UseG1GC"
"-XX:+ParallelRefProcEnabled"
"-XX:MaxGCPauseMillis=200"
"-XX:+UnlockExperimentalVMOptions"
"-XX:+DisableExplicitGC"
"-XX:+AlwaysPreTouch"
"-XX:G1NewSizePercent=30"
"-XX:G1MaxNewSizePercent=40"
"-XX:G1HeapRegionSize=8M"
"-XX:G1ReservePercent=20"
"-XX:G1HeapWastePercent=5"
"-XX:G1MixedGCCountTarget=4"
"-XX:InitiatingHeapOccupancyPercent=15"
"-XX:G1MixedGCLiveThresholdPercent=90"
"-XX:G1RSetUpdatingPauseTimePercent=5"
"-XX:SurvivorRatio=32"
"-XX:+PerfDisableSharedMem"
"-XX:MaxTenuringThreshold=1"
"-jar"
"/var/lib/minecraft/forge-1.12.2-14.23.5.2854.jar"
"nogui"
];
Volumes = {
"/var/lib/minecraft/world" = {};
};
WorkingDir = "/var/lib/minecraft";
ExposedPorts = {
"25565" = {};
};
};
};
ports = [
"25565:25565"
];
volumes = [
"minecraft:/var/lib/minecraft/world"
"${ops}:/var/lib/minecraft/ops.json:ro"
"${whitelist}:/var/lib/minecraft/whitelist.json:ro"
];
};
};
}

View file

@ -1,76 +0,0 @@
{ ... }:
{
networked-docker-containers = {
nextcloud = {
image = "nextcloud:fpm-alpine";
dependsOn = ["nextcloud-postgres"];
volumes = [
"nextcloud-apps:/var/www/html/custom_apps"
"nextcloud-config:/var/www/html/config"
"nextcloud-data:/var/www/html/data"
];
environment = {
POSTGRES_DB = "nextcloud";
POSTGRES_USER = "nextcloud";
POSTGRES_HOST = "nextcloud-postgres";
POSTGRES_PASSWORD = "rI7t7Nek1yGA9ucrRc7Uhy0jcjwPjnXa8me4o8tJON8=";
OVERWRITEPROTOCOL = "https";
};
networks = [
"nextcloud"
];
extraDockerOptions = [
"--domainname=nextcloud.tlater.net"
];
};
nextcloud-cron = {
image = "nextcloud:fpm-alpine";
entrypoint = "/cron.sh";
dependsOn = ["nextcloud-postgres"];
extraDockerOptions = [
"--volumes-from"
"nextcloud"
];
networks = [
"nextcloud"
];
};
nextcloud-nginx = {
image = "nginx:alpine";
dependsOn = ["nextcloud"];
environment = {
LETSENCRYPT_HOST = "nextcloud.tlater.net";
VIRTUAL_HOST = "nextcloud.tlater.net";
};
volumes = [
"${./configs/nginx-nextcloud.conf}:/etc/nginx/nginx.conf:ro"
];
networks = [
"webproxy"
"nextcloud"
];
extraDockerOptions = [
"--volumes-from"
"nextcloud"
];
};
nextcloud-postgres = {
image = "postgres:alpine";
environment = {
POSTGRES_DB = "nextcloud";
POSTGRES_USER = "nextcloud";
POSTGRES_PASSWORD = "rI7t7Nek1yGA9ucrRc7Uhy0jcjwPjnXa8me4o8tJON8=";
};
volumes = [
"nextcloud-db-data-new:/var/lib/postgresql/data"
];
networks = [
"nextcloud"
];
};
};
}

View file

@ -1,47 +0,0 @@
{ ... }:
{
networked-docker-containers = {
nginx-proxy = {
image = "jwilder/nginx-proxy:alpine";
ports = [
"80:80"
"443:443"
];
volumes = [
"${./configs/nginx-proxy.conf}:/etc/nginx/conf.d/general.conf:ro"
# So that we can watch new containers come up
"/var/run/docker.sock:/tmp/docker.sock:ro"
# So that we can access generated certs
"nginx-certs:/etc/nginx/certs:ro"
# So that we can write challenge files for letsencrypt auth
"nginx-challenges:/usr/share/nginx/html"
# So that we can modify config on-the-fly to set up challenge
# files
"nginx-conf:/etc/nginx/vhost.d"
];
environment = {
DHPARAM_GENERATION = "false"; # Provided by nginx-proxy-letsencrypt
};
networks = [
"webproxy"
];
};
nginx-proxy-letsencrypt = {
image = "jrcs/letsencrypt-nginx-proxy-companion";
dependsOn = ["nginx-proxy"];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro"
"nginx-certs:/etc/nginx/certs"
];
environment = {
DEFAULT_EMAIL = "tm@tlater.net";
};
extraDockerOptions = [
"--volumes-from"
"nginx-proxy"
];
};
};
}

View file

@ -1,45 +0,0 @@
{ pkgs, ... }:
let
tlaternet = import ../derivations/tlaternet { inherit pkgs; };
tlaternet-templates = import ../derivations/tlaternet-templates.nix { inherit pkgs; };
in
{
networked-docker-containers = {
web = {
image = "tlaternet/web";
imageFile = pkgs.dockerTools.buildImage {
name = "tlaternet/web";
tag = "latest";
contents = tlaternet;
config = {
Cmd = [ "${tlaternet}/bin/tlaternet" ];
Volumes = {
"/srv/mail" = {};
};
Env = [
"ROCKET_PORT=80"
"ROCKET_TEMPLATE_DIR=${tlaternet-templates}/srv/web"
];
ExposedPorts = {
"80" = {};
};
};
};
volumes = [
"tlaternet-mail:/srv/mail"
];
environment = {
VIRTUAL_HOST = "tlater.net,www.tlater.net";
LETSENCRYPT_HOST = "tlater.net,www.tlater.net";
};
networks = [
"webproxy"
];
extraDockerOptions = [
"--domainname=tlater.net"
];
};
};
}

60
flake.lock Normal file
View file

@ -0,0 +1,60 @@
{
"nodes": {
"flake-utils": {
"locked": {
"lastModified": 1617631617,
"narHash": "sha256-PARRCz55qN3gy07VJZIlFeOX420d0nGF0RzGI/9hVlw=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b2c27d1a81b0dc266270fa8aeecebbd1807fc610",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1617690895,
"narHash": "sha256-5TUizPI+ibn/LBzevTIIyIZ1XeLl3HU0PTRk7H6AKTQ=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "7c00c8b5cab5dedb6519eabba7ca6d069e2dfdae",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1618149891,
"narHash": "sha256-Sz3DzI1k49Puq+F5KRBsaN3gRXHDzCTG6AwK29Znw0M=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a7ff7a57c96588fd89370568b72751dd15d24e72",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-20.09",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

47
flake.nix Normal file
View file

@ -0,0 +1,47 @@
{
description = "tlater.net host configuration";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-20.09";
nixos-hardware.url = "github:nixos/nixos-hardware/master";
flake-utils.url = "github:numtide/flake-utils";
};
outputs = { nixpkgs, nixos-hardware, flake-utils, ... }@inputs:
{
nixosConfigurations = {
tlaternet = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
(import ./configuration)
(import ./configuration/linode.nix)
(import ./configuration/hardware-configuration.nix)
nixpkgs.modules.headless
];
};
vm = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
(import ./configuration)
({ ... }: {
users.users.tlater.password = "insecure";
# virtualisation.memorySize = 3941;
# virtualisation.cores = 2;
})
];
};
};
} // flake-utils.lib.eachDefaultSystem (system: {
devShell = with nixpkgs.legacyPackages.${system};
mkShell {
buildInputs = [ nixfmt git-lfs ];
shellHook = ''
export QEMU_OPTS="-m 3941 -smp 2"
export QEMU_NET_OPTS="hostfwd=::3022-:2222,hostfwd=::3080-:80,hostfwd=::3443-:443,hostfwd=::3021-:2221,hostfwd=::25565-:25565"
'';
};
});
}