From 851c6d86ecc1dee13127c17a9ef92cd10af0b68f Mon Sep 17 00:00:00 2001
From: atagen
Date: Sat, 18 Mar 2023 00:24:22 +1100
Subject: [PATCH] add server
---
 server-conf.nix | 344 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 344 insertions(+)
 create mode 100644 server-conf.nix
diff --git a/server-conf.nix b/server-conf.nix
new file mode 100644
index 0000000..ce50609
--- /dev/null
+++ b/server-conf.nix
@@ -0,0 +1,344 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ lib, config, pkgs, ... }:
+
+let
+ wekan-compose = pkgs.fetchurl {
+ url = "https://github.com/wekan/wekan/raw/v6.68/docker-compose.yml";
+ sha256 = "sha256-gLZ8bZZ8ZMo1NGz3ooIgXRH6JuMoEMp+to7lfqAvc6E=";
+ };
+ # wekan-private = pkgs.runCommand "wekan-private" {} ''
+ # cp ${wekan-compose} $out
+ # sed -i '/localtime/d' $out
+ # sed -i '/timezone/d' $out
+ # sed -i 's/80:8080/7897:8080/g' $out
+ # sed -i 's/ROOT_URL=.*/ROOT_URL=https:\/\/reflector\.beam\/kanban\//' $out
+ # '';
+ wekan-rhizome = pkgs.runCommand "wekan-rhizome" {} ''
+ cp ${wekan-compose} $out
+ sed -i '/localtime/d' $out
+ sed -i '/timezone/d' $out
+ sed -i 's/80:8080/7897:8080/g' $out
+ sed -i 's/ROOT_URL=.*/ROOT_URL=https:\/\/board\.rhizome\.tf\//' $out
+ '';
+ foswiki-compose = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/timlegge/docker-foswiki/master/docker-compose.1-simple.yml";
+ sha256 = "sha256-XqGWGTZ/URKsIdDEEpBQUK7xoIdZ164lRhHEiWdnKpM=";
+ };
+in
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ # ./cachix.nix
+ # (import (builtins.fetchTarball "https://github.com/jonascarpay/declarative-cachix/archive/master.tar.gz"))
+ ];
+
+ # cachix = [
+ # "nix-community"
+ # ];
+
+ nix.settings.experimental-features = [ "flakes" "nix-command" ];
+ systemd.services.NetworkManager-wait-online.enable = false;
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
+
+ networking.hostName = "reflector"; # Define your hostname.
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ # Set your time zone.
+ time.timeZone = "Australia/Sydney";
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.sunshine = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ packages = with pkgs; [];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 bolt@quiver"
+ ];
+ };
+
+
+ nixpkgs.config.allowUnfree = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ helix
+ ripgrep
+ fd
+ curl
+
+ cachix
+ headscale
+
+ comma
+
+ woodpecker-agent
+ woodpecker-server
+
+ # podman
+ # podman-compose
+ # shadow
+
+ dufs
+ ];
+
+ virtualisation = {
+ docker.enable = true;
+ # podman = {
+ # enable = true;
+ # dockerCompat = true;
+ # defaultNetwork.dnsname.enable = true;
+ # };
+ };
+
+ # services.resolved = {
+ # enable = true;
+ # fallbackDns = [ "103.1.206.179" "168.138.8.38" "168.138.12.137" ];
+ # dnssec = "false";
+ # };
+
+ services.fail2ban.enable = true;
+
+ services.tailscale.enable = true;
+
+ services.headscale = {
+ enable = true;
+ serverUrl = "https://net.atagen.co";
+ dns = {
+ nameservers = [ "103.1.206.179" "168.138.8.38" "168.138.12.137" ];
+ magicDns = true;
+ };
+ };
+
+ services.syncthing = {
+ enable = true;
+ extraOptions = {
+ gui = {
+ insecureSkipHostcheck = true;
+ };
+ };
+ };
+
+ services.gitea = {
+ enable = true;
+ appName = "atagen gitea";
+ domain = "git.atagen.co";
+ httpPort = 3033;
+ settings.server = {
+ START_SSH_SERVER = true;
+ SSH_PORT = 6660;
+ SSH_DOMAIN = "git.atagen.co";
+ DISABLE_SSH = false;
+ };
+ rootUrl = "https://git.atagen.co";
+ settings.service.DISABLE_REGISTRATION = true;
+ settings.webhook.ALLOWED_HOST_LIST="external,loopback";
+ };
+
+
+ users.users.ci = {
+ isSystemUser = true;
+ createHome = true;
+ group = "ci";
+ extraGroups = [ "docker" "wheel" ];
+ };
+ users.groups.ci = { };
+
+ users.users.ci-agent = {
+ isSystemUser = true;
+ createHome = true;
+ group = "ci";
+ extraGroups = [ "docker" "wheel" ];
+ };
+ users.groups.ci = { };
+
+ users.users.dufs = {
+ isSystemUser = true;
+ createHome = true;
+ group = "dufs";
+ };
+ users.groups.dufs = { };
+
+ systemd.services.woodpecker-server = {
+ wantedBy = [ "multi-user.target" ];
+ description = "woodpecker CI/CD server";
+ serviceConfig = {
+ Environment = [
+ "WOODPECKER_OPEN=true"
+ "WOODPECKER_ADMIN=atagen"
+ "WOODPECKER_REPO_OWNERS=rhizome"
+ "WOODPECKER_HOST=https://ci.atagen.co"
+ "WOODPECKER_GITEA=true"
+ "WOODPECKER_GITEA_URL=https://git.atagen.co"
+ "WOODPECKER_GITEA_CLIENT=1418f1d9-e2ce-4e8f-b8b2-7cf714baa07e"
+ "WOODPECKER_GITEA_SECRET=gto_chpk65trvfbnrqs4cog62kn7sgmvpizg5wbr4zknb54o4gxlssba"
+ "WOODPECKER_GITEA_SKIP_VERIFY=true"
+ "WOODPECKER_AGENT_SECRET=71a0ac7d617aef46fb93811c6e2a300e041a324727df12b4805d5f4e9e1f3326"
+ "WOODPECKER_DATABASE_DATASOURCE=/var/lib/woodpecker/woodpecker.sqlite"
+ ];
+ Restart = "always";
+ ExecStart = "${pkgs.woodpecker-server}/bin/woodpecker-server";
+ User = "ci";
+ Group = "ci";
+ };
+ };
+
+ systemd.services.woodpecker-agent = {
+ wantedBy = [ "multi-user.target" ];
+ description = "woodpecker CI/CD agent";
+ serviceConfig = {
+ Environment = [
+ "WOODPECKER_SERVER=localhost:9000"
+ "WOODPECKER_AGENT_SECRET=71a0ac7d617aef46fb93811c6e2a300e041a324727df12b4805d5f4e9e1f3326"
+ ];
+ Restart = "always";
+ ExecStart = "${pkgs.woodpecker-agent}/bin/woodpecker-agent";
+ User = "ci-agent";
+ };
+ };
+
+ # systemd.services.wekan-private = {
+ # wantedBy = [ "multi-user.target" ];
+ # after = [ "network.target" "docker.service" ];
+ # requires = [ "docker.service" ];
+ # description = "wekan kanban board";
+ # serviceConfig = {
+ # Restart = "always";
+ # User = "root";
+ # ExecStart = "${pkgs.docker}/bin/docker compose -f ${wekan-private} up";
+ # ExecStop = "${pkgs.docker}/bin/docker compose -f ${wekan-private} down";
+ # };
+ # };
+
+ systemd.services.wekan-rhizome = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "docker.service" ];
+ requires = [ "docker.service" ];
+ description = "wekan kanban board for rhizomers";
+ serviceConfig = {
+ Restart = "always";
+ User = "root";
+ ExecStart = "${pkgs.docker}/bin/docker compose -f ${wekan-rhizome} up";
+ ExecStop = "${pkgs.docker}/bin/docker compose -f ${wekan-rhizome} down";
+ };
+ };
+
+ systemd.services.dufs = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ description = "dufs webdav server";
+ serviceConfig = {
+ User = "dufs";
+ Restart = "always";
+ ExecStart = "${pkgs.dufs}/bin/dufs -b 127.0.0.1 -p 8083 /home/dufs/files";
+ };
+ };
+
+ # systemd.services.foswiki = {
+ # wantedBy = [ "multi-user.target" ];
+ # after = [ "network.target" "docker.service" ];
+ # requires = [ "docker.service" ];
+ # description = "foswiki wiki site";
+ # serviceConfig = {
+ # Restart = "always";
+ # User = "root";
+ # ExecStart = "${pkgs.docker}/bin/docker compose -f ${foswiki-compose} up";
+ # ExecStop = "${pkgs.docker}/bin/docker compose -f ${foswiki-compose} down";
+ # };
+ # };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+
+ "atagen.co" = {
+ serverAliases = [ "www.atagen.co" ];
+ extraConfig = ''
+ respond "i live.. again"
+ '';
+ };
+
+ "iced-rs.info".extraConfig = ''
+ reverse_proxy http://127.0.0.1:8765
+ '';
+
+ "ci.atagen.co".extraConfig = ''
+ reverse_proxy http://127.0.0.1:8000
+ '';
+
+ # "ci.rhizome.tf".extraConfig = ''
+ # reverse_proxy http://127.0.0.1:8000
+ # '';
+
+ "git.atagen.co".extraConfig = ''
+ reverse_proxy http://127.0.0.1:3033
+ '';
+
+ # "git.rhizome.tf".extraConfig = ''
+ # reverse_proxy http://127.0.0.1:3033
+ # '';
+
+ "board.rhizome.tf".extraConfig = ''
+ reverse_proxy http://127.0.0.1:7897
+ '';
+
+ "net.atagen.co".extraConfig = ''
+ reverse_proxy http://127.0.0.1:8080
+ '';
+
+ "reflector.beam".extraConfig = ''
+ tls /etc/selfsigned/cert.pem /etc/selfsigned/key.pem
+
+ route /sync/* {
+ uri strip_prefix /sync
+ reverse_proxy http://127.0.0.1:8384
+ }
+
+ route /philez/* {
+ uri strip_prefix /philez
+ reverse_proxy http://127.0.0.1:8083
+ }
+ '';
+
+ };
+ };
+
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ kbdInteractiveAuthentication = false;
+ permitRootLogin = "no";
+ };
+
+ networking.firewall = {
+ enable = true;
+ trustedInterfaces = [ "tailscale0" ];
+ checkReversePath = "loose";
+ allowedTCPPorts = [ 80 443 6660 ];
+ allowedUDPPorts = [ 80 443 41641 6660 ];
+ };
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ system.copySystemConfiguration = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+
+}
+
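Review bot: The Gitea OAuth client secret and the shared agent secret sit as literal `Environment=` entries in the woodpecker-server and woodpecker-agent units, and NixOS writes generated units into the world-readable Nix store, so every local account on the host — including the unprivileged service users — can read them, and they are now also in git history. Move those entries into a root-owned, mode 0600 file outside the store and reference it from both `serviceConfig` blocks with `EnvironmentFile = "/var/lib/woodpecker/server.env";` (example path), keep only the non-secret settings in `Environment`, and rotate the committed values. In the same hunk, `WOODPECKER_GITEA_SKIP_VERIFY=true` disables certificate checking against `https://git.atagen.co`, which should be unnecessary because that name is served by Caddy further down, and `ci`/`ci-agent` carry `wheel` on top of `docker`, so anything a pipeline runs as those users can also reach sudo — `docker` membership is already root-equivalent, so drop `wheel` and treat pipeline authors as trusted. Separately, `users.groups.ci = { };` appears twice in the same attribute set, which I expect Nix to reject as an already-defined attribute.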