From 3b666eee637e7a6f1754c25fa74fea517938ff15 Mon Sep 17 00:00:00 2001 From: Jade Date: Sun, 30 Jul 2023 16:24:46 +0200 Subject: [PATCH] do too many things lmao --- flake.lock | 226 ++++++++++++++++++++++--- flake.nix | 20 ++- modules/base-stuff.nix | 38 +++-- modules/conduit.nix | 28 ++- modules/containers/calckey.nix | 6 +- modules/containers/default.nix | 1 + modules/containers/katzencafe-wiki.nix | 100 +++++++++++ modules/containers/penpot.nix | 2 + modules/containers/phtanumb-wiki.nix | 48 +++--- modules/forgejo.nix | 28 ++- modules/keycloak.nix | 4 +- modules/mailserver.nix | 51 ++++++ modules/modded-mc.nix | 24 ++- modules/monitoring.nix | 31 ++++ modules/proxy.nix | 35 +++- 15 files changed, 555 insertions(+), 87 deletions(-) create mode 100644 modules/containers/katzencafe-wiki.nix create mode 100644 modules/mailserver.nix create mode 100644 modules/monitoring.nix diff --git a/flake.lock b/flake.lock index 9e1c3b2..4653e50 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1682181677, - "narHash": "sha256-El8WQ2ccxWwkSrjuwKNR0gD/O7vS/KLBY4Q2/nF8m1c=", + "lastModified": 1689948211, + "narHash": "sha256-XVDDrerEzYucD6cL7nNW7dNfGhDnhfpB+rbuDvlaWrc=", "owner": "hercules-ci", "repo": "arion", - "rev": "6a1f03329c400327b3b2e0ed5e1efff11037ba67", + "rev": "9ba47f9fbb8650158d9983e19b53206586be4382", "type": "github" }, "original": { 
@@ -36,7 +36,93 @@ "type": "gitlab" } }, + "conduit": { + "inputs": { + "crane": "crane", + "fenix": "fenix", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1690660551, + "narHash": "sha256-4F5dkDy52pLeP8Pnxz/rFzFx6ckL7bZkY0VazaEcr7U=", + "owner": "famedly", + "repo": "conduit", + "rev": "afd8112e25a86918c7f9ac657523698b2e0315f4", + "type": "gitlab" + }, + "original": { + "owner": "famedly", + "repo": "conduit", + "type": "gitlab" + } + }, + "crane": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "conduit", + "flake-utils" + ], + "nixpkgs": [ + "conduit", + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1688772518, + "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=", + "owner": "ipetkov", + "repo": "crane", + "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "conduit", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1689488573, + "narHash": "sha256-diVASflKCCryTYv0djvMnP2444mFsIG0ge5pa7ahauQ=", + "owner": "nix-community", + "repo": "fenix", + "rev": "39096fe3f379036ff4a5fa198950b8e79defe939", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1668681692, 
@@ -52,7 +138,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1668681692, @@ -90,6 +176,24 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -138,10 +242,10 @@ }, "mms": { "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", "nix": "nix", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1669478601, @@ -160,7 +264,7 @@ "nix": { "inputs": { "lowdown-src": "lowdown-src", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-regression": "nixpkgs-regression" }, "locked": { @@ -241,11 +345,11 @@ }, "nixpkgsOld": { "locked": { - "lastModified": 1687666471, - "narHash": "sha256-88VoE8jLzjRhH38mUUrom+zJ7GVMjuW4M321Iri5C/w=", + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6610eb320efb234025e477e51ae7625ccd65a2e8", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", "type": "github" }, "original": { 
@@ -257,11 +361,11 @@ }, "nixpkgsUnstable": { "locked": { - "lastModified": 1687898314, - "narHash": "sha256-B4BHon3uMXQw8ZdbwxRK1BmxVOGBV4viipKpGaIlGwk=", + "lastModified": 1690031011, + "narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e18dc963075ed115afb3e312b64643bf8fd4b474", + "rev": "12303c652b881435065a98729eb7278313041e49", "type": "github" }, "original": { @@ -272,6 +376,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1689444953, + "narHash": "sha256-0o56bfb2LC38wrinPdCGLDScd77LVcr7CrH1zK7qvDg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8acef304efe70152463a6399f73e636bcc363813", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1657693803, "narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=", @@ -287,7 +407,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1669378442, "narHash": "sha256-nm+4PN0A4SnV0SzEchxrMyKPvI3Ld/aoom4PnHeHucs=", @@ -303,13 +423,13 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { - "lastModified": 1687829761, - "narHash": "sha256-QRe1Y8SS3M4GeC58F/6ajz6V0ZLUVWX3ZAMgov2N3/g=", + "lastModified": 1690148897, + "narHash": "sha256-l/j/AX1d2K79EWslwgWR2+htkzCbtjKZsS5NbWXnhz4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9790f3242da2152d5aa1976e3e4b8b414f4dd206", + "rev": "ac1acba43b2f9db073943ff5ed883ce7e8a40a2c", "type": "github" }, "original": { @@ -319,7 +439,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1670751203, "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", 
@@ -337,18 +457,63 @@ "root": { "inputs": { "arion": "arion", + "conduit": "conduit", "mms": "mms", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "nixpkgsOld": "nixpkgsOld", "nixpkgsUnstable": "nixpkgsUnstable", "simple-nixos-mailserver": "simple-nixos-mailserver" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1689441253, + "narHash": "sha256-4MSDZaFI4DOfsLIZYPMBl0snzWhX1/OqR/QHir382CY=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "996e054f1eb1dbfc8455ecabff0f6ff22ba7f7c8", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "conduit", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "conduit", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688351637, + "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "simple-nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_2", - "nixpkgs": "nixpkgs_5", + "flake-compat": "flake-compat_3", + "nixpkgs": "nixpkgs_6", "nixpkgs-22_11": "nixpkgs-22_11", "nixpkgs-23_05": "nixpkgs-23_05", "utils": "utils" @@ -368,6 +533,21 @@ "type": "gitlab" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1605370193, diff --git a/flake.nix b/flake.nix index 841b923..8f54f2b 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,16 +1,18 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; + nixpkgsOld.url = "github:NixOS/nixpkgs/nixos-22.11"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; nixpkgsUnstable.url = "github:NixOS/nixpkgs/nixos-unstable"; #nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; arion.url = "github:hercules-ci/arion"; mms.url = "github:mkaito/nixos-modded-minecraft-servers"; - # conduit = { - # url = "gitlab:famedly/conduit"; - # }; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; + conduit = { + url = "gitlab:famedly/conduit"; + }; }; - outputs = { self, nixpkgs, nixpkgsUnstable, ... }@inputs: + outputs = { self, nixpkgsOld, nixpkgs, nixpkgsUnstable, ... }@inputs: let hostPkgs = import nixpkgs { system = "x86_64-linux"; }; in { @@ -30,6 +32,10 @@ system = "aarch64-linux"; overlays = []; }; + pkgsOld = import nixpkgsOld { + system = "aarch64-linux"; + overlays = []; + }; }; }; @@ -43,7 +49,7 @@ ./modules/base-stuff.nix ./modules/proxy.nix ./modules/postgres.nix - #./modules/jitsi.nix + # ./modules/jitsi.nix ./modules/containers ./modules/conduit.nix ./modules/keycloak.nix @@ -52,6 +58,8 @@ ./modules/modded-mc.nix #./modules/prosody.nix ./modules/vault.nix + ./modules/monitoring.nix + ./modules/mailserver.nix ]; system.stateVersion = "22.11"; diff --git a/modules/base-stuff.nix b/modules/base-stuff.nix index 48f8125..b4fb3c2 100644 --- a/modules/base-stuff.nix +++ b/modules/base-stuff.nix 
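Review bot: The new `conduit` input is `gitlab:famedly/conduit` with no `ref`, so every `nix flake update` moves the homeserver to whatever the repository's default branch head happens to be, and conduit.nix in this same commit builds its package from that input. For an internet-facing Matrix server that is an unreviewed supply-chain path with no stable rollback point; pin it to a release, e.g. `url = "gitlab:famedly/conduit/<release-tag>";`, and bump the lock deliberately. `nixpkgsOld` stays on `nixos-22.11`, which as far as I can tell had reached end of life before this commit's date (July 2023), and the `pkgsOld` special arg added below is what the phtanumb-wiki container now pins itself to; a comment here noting that 22.11 no longer receives security updates would make that cost visible where the input is declared.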
@@ -16,8 +16,19 @@ networking = { nameservers = [ "9.9.9.9" "149.112.112.112" ]; hostName = "katzen-cafe"; - networkmanager.enable = true; + networkmanager = { + enable = true; + unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" ]; + }; + firewall.allowedTCPPorts = [ 22 80 443 ]; + # firewall.allowedUDPPorts = [ 25568 25569 ]; + + nat = { + enable = true; + internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" ]; + externalInterface = "enp1s0"; + }; interfaces."enp1s0" = { ipv6.addresses = [{ 
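Review bot: `firewall.allowedTCPPorts = [ 22 80 443 ]` does not include 8448, while conduit.nix in this commit makes nginx listen on `0.0.0.0:8448` and `[::]:8448` for Matrix federation; either federation is meant to be delegated to 443 via `.well-known` (in which case the 8448 listeners are dead weight) or federation is silently blocked by the host firewall. A comment stating which one is intended would settle it, e.g. `# 8448 deliberately closed: federation is delegated to 443 via .well-known`, or 8448 belongs in this list. `externalInterface = "enp1s0"` is hard-coded for NAT and the `networking` block continues past the hunk, so I cannot see whether IPv6 forwarding for the containers is handled anywhere.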
@@ -55,19 +66,24 @@ #networking.interfaces.enp1s0.ipv6.addresses = [ { address = "2a01:4f8:c17:c51f::1/64"; prefixLength = 64; } ]; #networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; }; - #users.users.april = { - #isNormalUser = true; - #packages = with pkgs; [ git ]; - #createHome = true; - #extraGroups = [ "docker" ]; - #openssh.authorizedKeys.keys = [ - #"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 waterdev@galaxycrow.de" - #]; - #}; + users.users.april = { + isNormalUser = true; + packages = with pkgs; [ git ]; + createHome = true; + extraGroups = [ "docker" ]; + openssh.authorizedKeys.keys = [ + #"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 waterdev@galaxycrow.de" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDK4N06uWyGFbWDf0JdQ1mB2PkyQSxYLLbNOihmXGRf2ce8Do4LvlMqHreDNvEfixYK+pRQSdK8oeNqOiRjFXgyEhoo5v/Tg832iHq4r3wEHoqFR/w9XxmAp8Rv66h9uY1wY8+xFVlpgw8GqHN37JJt1P5i3oDkKnBXunzm7+vw1Qo/+LvD4nS9kQlso6ocNGSOAEf7N/IKJpGQp4FrsW1Qg4ZSWVCruUBm5iw02IampgjrzvbHQBO7TIG3jr0TxXBx2MFXydDTXdONwLtlJiwk210ppQIhgIjcqlUZBKZcYJy23ZesPbO2fSyT0iPWFAnvcIRHhsacp8HQ9paKR76J7ghBmAQm9KXyH0TjZM84+lHEvOAGNeDuh+VFr147uyTcun5aWy9zM8v8rW96pUIkId5HQNP8HPGymTFWXomwDvpdFJO/TA2F9YsNfVoTJGy4PbieWFDU5esI3CD6k696mB+vgLcF35qfc76uVFWOUWYHIX3KVwqXh7MQ8+CBWrE= u0_a269@localhost" + ]; + }; + services.cron.systemCronJobs = [ + "0 0 * * * april cd /home/april && ./build.sh" + ]; + services.cron.enable = true; services.openssh = { enable = true; - permitRootLogin = "prohibit-password"; + settings.PermitRootLogin = "prohibit-password"; }; environment.systemPackages = with pkgs; [ diff --git a/modules/conduit.nix b/modules/conduit.nix index fa67c84..ce3f83d 100644 --- a/modules/conduit.nix +++ b/modules/conduit.nix @@ -1,5 +1,6 @@ { config , pkgsUnstable +, inputs , ... }: 
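Review bot: `extraGroups = [ "docker" ]` on the re-enabled `april` account is root-equivalent on the host (docker-group members can start a privileged container or bind-mount `/`), and the new cron line runs `/home/april/build.sh` unattended every night as that user, so the single `ssh-rsa` key listed here (its `u0_a269@localhost` comment suggests it was generated on an Android device) is in effect a root credential for the server. Consider dropping `docker` from `extraGroups` and running the build through a dedicated systemd service/timer or rootless podman with only the access it needs; if the group membership is intentional, a comment next to it saying `# docker group == root on this host` keeps that explicit. `build.sh` is not part of this commit, so what it does is unknown; if the nightly job is meant to be trusted, point the cron entry at a root-owned script rather than one the same account can edit. The `settings.PermitRootLogin = "prohibit-password"` migration is the correct 23.05 form.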
@@ -46,7 +47,8 @@ in # This causes NixOS to use the flake defined in this repository instead of # the build of Conduit built into nixpkgsUnstable. - package = pkgsUnstable.matrix-conduit; + # package = pkgsUnstable.matrix-conduit; + package = inputs.conduit.packages.${pkgsUnstable.system}.default; settings.global = { inherit server_name; @@ -60,13 +62,18 @@ in defaults = { email = admin_email; }; + certs = { + "katzen.cafe" = { + group = "nginx"; + keyType = "rsa4096"; + }; + "matrix.katzen.cafe" = { + group = "nginx"; + keyType = "rsa4096"; + }; + }; }; - # ACME data must be readable by the NGINX user - users.users.nginx.extraGroups = [ - "acme" - ]; - # Configure NGINX as a reverse proxy services.nginx = { enable = true; @@ -84,10 +91,19 @@ in ssl = true; } { + addr = "[::]"; + port = 443; + ssl = true; + } { addr = "0.0.0.0"; port = 8448; ssl = true; } + { + addr = "[::]"; + port = 8448; + ssl = true; + } ]; locations."/_matrix/" = { diff --git a/modules/containers/calckey.nix b/modules/containers/calckey.nix index c5b6853..1acc1ea 100644 --- a/modules/containers/calckey.nix +++ b/modules/containers/calckey.nix @@ -8,7 +8,7 @@ networks.calcnet.name = "calcnet"; services = { "web".service = { - image = "docker.io/waterdev/calckey_arm"; + image = "iceshrimp.dev/iceshrimp/iceshrimp:latest-arm"; container_name = "calckey_web"; restart = "unless-stopped"; depends_on = [ "db" "redis" ]; @@ -18,8 +18,8 @@ "NODE_ENV" = "production"; }; volumes = [ - "/calckey/files:/calckey/files" - "/calckey/config:/calckey/.config:ro" + "/calckey/files:/iceshrimp/files" + "/calckey/config:/iceshrimp/.config:ro" ]; }; "redis".service = { diff --git a/modules/containers/default.nix b/modules/containers/default.nix index 95df9a5..a0384f4 100644 --- a/modules/containers/default.nix +++ b/modules/containers/default.nix @@ -1,6 +1,7 @@ { pkgs, ... }: { imports = [ + ./katzencafe-wiki.nix ./phtanumb-wiki.nix ./calckey.nix ./penpot.nix 
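Review bot: `image = "iceshrimp.dev/iceshrimp/iceshrimp:latest-arm"` in the calckey hunk pulls a mutable tag from a third-party registry, so with `restart = "unless-stopped"` any re-pull can silently swap the fediverse server for whatever upstream pushes next, with no review and no rollback point. Pin the image by digest (`iceshrimp.dev/iceshrimp/iceshrimp:latest-arm@sha256:<digest>`) or at least to a versioned tag, and bump it on purpose. The container paths move to `/iceshrimp/...` while the host paths stay `/calckey/...`; if this is the same data migrated in place, a comment such as `# host paths kept from the calckey deployment` would save the next reader a check. In the conduit hunks, switching `package` to `inputs.conduit.packages.${pkgsUnstable.system}.default` ties the server to an input that flake.nix leaves unpinned to a branch head — see the note on that hunk.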
diff --git a/modules/containers/katzencafe-wiki.nix b/modules/containers/katzencafe-wiki.nix
new file mode 100644
index 0000000..3d90326
--- /dev/null
+++ b/modules/containers/katzencafe-wiki.nix
@@ -0,0 +1,100 @@
+{ pkgsOld, ... }:
+{
+  containers."katzenwiki" = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "10.0.2.1";
+    localAddress = "10.0.2.2";
+    bindMounts = {
+      "/var/lib/mediawiki" = {
+        hostPath = "/katzenwiki";
+        isReadOnly = false;
+      };
+    };
+    # extraVeths = {
+    #   "katzenwiki" = {
+    #     hostAddress = "10.0.2.1";
+    #     localAddress = "10.0.2.2";
+    #   };
+    # };
+    config = { config, pkgs, ... }: {
+      environment.systemPackages = with pkgs; [btop ];
+      networking.firewall.enable = false;
+      # networking.nameservers = [ "9.9.9.9" "149.112.112.112" ];
+      environment.etc."resolv.conf".text = "nameserver 9.9.9.9";
+      services.mediawiki = {
+        enable = true;
+        name = "katzenwiki";
+        database = {
+          type = "mysql";
+        };
+        virtualHost = {
+          hostName = "wiki.katzen.cafe";
+          adminAddr = "admin@katzen.cafe";
+          listen = [
+            {
+              ip = "10.0.2.2";
+              port = 80;
+              ssl = false;
+            }
+          ];
+        };
+        passwordFile = "/var/lib/mediawiki/passwordFile";
+        extraConfig = ''
+          # $wgShowExceptionDetails = true;
+          # $wgDebugToolbar = true;
+          # $wgShowDebug = true;
+          # $wgDevelopmentWarnings = true;
+
+          # Disable anonymous editing
+          $wgGroupPermissions['*']['edit'] = false;
+          $wgGroupPermissions['oidc_interface_admin'] = $wgGroupPermissions['interface_admin'];
+          $wgGroupPermissions['oidc_admin'] = $wgGroupPermissions['sysop'];
+          $wgGroupPermissions['oidc_admin']['userrights'] = true;
+
+          $oidcClientSecret = file_get_contents('/var/lib/mediawiki/keycloakClientSecret', false, null, 0, 32);
+          $wgPluggableAuth_Config[] = [
+            'plugin' => 'OpenIDConnect',
+            'data' => [
+              'providerURL' => 'https://auth.katzen.cafe/realms/katzen.cafe',
+              'clientID' => 'katzenwiki',
+              # hack to try dynamically get the secret
+              'clientsecret' => $oidcClientSecret,
+              'global_roles' => ['property' => ['realm_access', 'roles']],
+              'wiki_roles' => ['property' => ['resource_access', 'katzenwiki', 'roles']]
+            ]
+          ];
+        '';
+        extensions = {
+          PluggableAuth = pkgs.fetchzip {
+            url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-068be5d.tar.gz";
+            sha256 = "sha256-OWfr3oq2XzyJ5tynP5bRRPm34ymqz2oIBe2vBPHK+/Q=";
+          };
+          OpenIDConnect = pkgs.fetchzip {
+            url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_39-42e4d75.tar.gz";
+            sha256 = "sha256-g+PGNzt0o2FebI3xyVamz5RA95E86MD2yqD4v8N6zKU=";
+          };
+          WikiEditor = null;
+          CodeEditor = null;
+        };
+      };
+
+      system.stateVersion = "23.05";
+    };
+  };
+  deployment.keys = {
+    # NOTE: for some reason, i ahd to manually chown +r the password file for mediawiki to work.
+    # i should figure out why to make this work when setting up new instances...
+    "katzenwikiPwFile" = {
+      keyCommand = [ "cat" "/home/jade/keys-tmp/katzenwiki-passwordFile" ];
+      destDir = "/katzenwiki";
+      name = "passwordFile";
+    };
+    "katzenwikiKeycloakClientSecret" = {
+      keyCommand = [ "cat" "/home/jade/keys-tmp/katzenwiki-keycloak-secret" ];
+      destDir = "/katzenwiki";
+      name = "keycloakClientSecret";
+      permissions = "0604";
+    };
+  };
+}
diff --git a/modules/containers/penpot.nix b/modules/containers/penpot.nix
index 477c1a0..804e09c 100644
--- a/modules/containers/penpot.nix
+++ b/modules/containers/penpot.nix
@@ -9,6 +9,8 @@
     services = {
       "penpot-backend".service = {
         image = "penpotapp/backend:latest";
+        # NOTE: you have to change the owner of the assets folder to 1001:1001
+        # command: # chown -R 1001:1001 /penpot/assets
         volumes = [ "/penpot/assets:/opt/data/assets" ];
         depends_on = [ "penpot-postgres" "penpot-redis" ];
         networks = [ "penpot" ];
diff --git a/modules/containers/phtanumb-wiki.nix b/modules/containers/phtanumb-wiki.nix
index 359695d..5421df6 100644
--- a/modules/containers/phtanumb-wiki.nix
+++ b/modules/containers/phtanumb-wiki.nix
@@ -1,40 +1,42 @@
-{ pkgs, ... }:
+{ pkgsOld, ... }:
 {
   containers."phtanumb-wiki" = {
     autoStart = true;
-    hostAddress = "127.0.0.1";
+    privateNetwork = true;
+    hostAddress = "10.0.1.1";
+    localAddress = "10.0.1.2";
+    nixpkgs = pkgsOld.path;
     bindMounts = {
       "/var/mediawiki" = {
         hostPath = "/phtanum-b/wiki";
         isReadOnly = false;
       };
     };
-    forwardPorts = [
-      {
-        protocol = "tcp";
-        hostPort = 5432;
-        containerPort = 5432;
-      }
-      {
-        protocol = "tcp";
-        hostPort = 8081;
-        containerPort = 8081;
-      }
-    ];
+    # extraVeths = {
+    #   "phtanumb" = {
+    #     hostAddress = "10.0.1.1";
+    #     localAddress = "10.0.1.2";
+    #   };
+    # };
     config = { config, pkgs, ... }: {
       environment.systemPackages = with pkgs; [ luajit ];
+      networking.firewall.enable = false;
+      # networking.nameservers = [ "9.9.9.9" "149.112.112.112" ];
+      environment.etc."resolv.conf".text = "nameserver 9.9.9.9";
       services.mediawiki = {
         enable = true;
         name = "phtanum-b";
-        virtualHost.listen = [
-          {
-            ip = "127.0.0.2";
-            port = 8081;
-            ssl = false;
-          }
-        ];
-        virtualHost.hostName = "wiki.phtanum-b.katzen.cafe";
-        virtualHost.adminAddr = "admin@katzen.cafe";
+        virtualHost = {
+          hostName = "wiki.phtanum-b.katzen.cafe";
+          adminAddr = "admin@katzen.cafe";
+          listen = [
+            {
+              ip = "10.0.1.2";
+              port = 80;
+              ssl = false;
+            }
+          ];
+        };
         passwordFile = "/var/mediawiki/passwordFile";
         extraConfig = ''
           # $wgShowExceptionDetails = true;
diff --git a/modules/forgejo.nix b/modules/forgejo.nix
index 7c20803..44a60fc 100644
--- a/modules/forgejo.nix
+++ b/modules/forgejo.nix
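Review bot: `nixpkgs = pkgsOld.path;` pins this container to the `nixos-22.11` input, a release that as far as I can tell had reached end of life before this commit's date and therefore gets no further security fixes, for a MediaWiki/PHP stack that proxy.nix serves to the internet as `wiki.phtanum-b.katzen.cafe`. If the pin exists to defer a MediaWiki migration, say so and track it, e.g. `nixpkgs = pkgsOld.path; # TODO: EOL 22.11, move to 23.05 once the mediawiki upgrade is tested`. Separately, `networking.firewall.enable = false;` inside the container, combined with the move from `127.0.0.1` to the routable `10.0.1.2`, exposes every listener in the container to the host side — including the database port that the removed `forwardPorts` used to publish deliberately — where `networking.firewall.allowedTCPPorts = [ 80 ];` would leave only the wiki reachable. Removing the 5432/8081 host port forwards is a good change in itself. The `config` attribute set continues beyond the end of the hunk.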
@@ -5,24 +5,21 @@
     package = pkgsUnstable.forgejo;
     repositoryRoot = "/forgejo/repos";
     appName = "Katzenschmiede";
-    rootUrl = "https://forge.katzen.cafe/";
-    httpPort = 8082;
-    domain = "forge.katzen.cafe";
     database = {
       type = "postgres";
     };
     settings = {
       openid = {
         ENABLE_OPENID_SIGNIN = true;
-        #ENABLE_OPENID_SIGNUP = true;
       };
       federation = {
         ENABLED = true;
       };
-      #server = {
-        #ROOT_URL = "https://forge.katzen.cafe/";
-        #HTTP_PORT = 8082;
-      #};
+      server = {
+        ROOT_URL = "https://forge.katzen.cafe/";
+        HTTP_PORT = 8082;
+        DOMAIN = "forge.katzen.cafe";
+      };
       service = {
         REGISTER_MANUAL_CONFIRM = true;
         SHOW_REGISTRATION_BUTTON = false;
@@ -30,7 +27,17 @@
       actions = {
         ENABLED = true;
       };
+      mailer = {
+        ENABLED = true;
+        FROM = "forge@noreply.katzen.cafe";
+        MAILER_TYPE = "smtp";
+        SMTP_ADDR = "mail.katzen.cafe";
+        SMTP_PORT = 465;
+        IS_TLS_ENABLED = true;
+        USER = "forge@noreply.katzen.cafe";
+      };
     };
+    mailerPasswordFile = "/forgejo/secret/mailerPassword";
   };
   deployment.keys = {
     "forgejoDbPw" = {
@@ -38,5 +45,10 @@
       destDir = "/forgejo/secret/";
       permissions = "0604";
     };
+    "mailerPassword" = {
+      keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mailer-pw-forgejo" ];
+      destDir = "/forgejo/secret/";
+      permissions = "0604";
+    };
   };
 }
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
index bcce38f..373ebf2 100644
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@@ -5,14 +5,16 @@ settings = { http-port = 8080; + http-host = "127.0.0.1"; http-enabled = true; + https-port = 8443; proxy = "edge"; hostname = "auth.katzen.cafe"; hostname-port = "-1"; hostname-admin-url = "https://auth.katzen.cafe"; - hostname-strict-backchannel = true; + # hostname-strict-backchannel = true; }; #sslCertificateKey = "/var/lib/acme/auth.katzen.cafe/key.pem";
diff --git a/modules/mailserver.nix b/modules/mailserver.nix
new file mode 100644
index 0000000..cf058c9
--- /dev/null
+++ b/modules/mailserver.nix
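Review bot: `permissions = "0604"` on the new `mailerPassword` key makes the SMTP password for `forge@noreply.katzen.cafe` readable by every local account on the host (`april` from base-stuff.nix included), and the existing `forgejoDbPw` entry just above carries the same mode; `mailerPasswordFile` is read only by the Forgejo service, so the file needs to be readable by that service's user and nobody else. Use `user = "forgejo"; permissions = "0600";` (the NixOS module's default service user — confirm against `services.forgejo.user` before relying on the name) rather than opening it to everyone, and fix `forgejoDbPw` the same way while here. The mailer settings themselves look right: 465 with `IS_TLS_ENABLED = true` is implicit TLS, and `mail.katzen.cafe` gets an ACME certificate from the mailserver module added in this commit. In the keycloak hunk, `http-host = "127.0.0.1"` is a good tightening; a one-line comment on why `hostname-strict-backchannel` was disabled (`# disabled: <reason>`) would stop the next person from re-enabling it blindly.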
@@ -0,0 +1,51 @@
+{ inputs, ... }:
+{
+  imports = [ inputs.simple-nixos-mailserver.nixosModule ];
+  mailserver = {
+    enable = true;
+    fqdn = "mail.katzen.cafe";
+    sendingFqdn = "katzen.cafe";
+    domains = [ "katzen.cafe" "noreply.katzen.cafe" ];
+    loginAccounts = {
+      "admin@katzen.cafe" = {
+        hashedPasswordFile = "/var/lib/secrets/admin-mail-pw";
+        aliases = [ "postmaster@katzen.cafe" "abuse@katzen.cafe" ];
+      };
+      "ck@noreply.katzen.cafe" = {
+        hashedPasswordFile = "/var/lib/secrets/noreply-mail-ck";
+      };
+      "forge@noreply.katzen.cafe" = {
+        hashedPasswordFile = "/var/lib/secrets/noreply-mail-forgejo";
+      };
+      "keycloak@noreply.katzen.cafe" = {
+        hashedPasswordFile = "/var/lib/secrets/noreply-mail-keycloak";
+      };
+      "penpot@noreply.katzen.cafe" = {
+        hashedPasswordFile = "/var/lib/secrets/noreply-mail-penpot";
+      };
+    };
+    certificateScheme = "acme-nginx";
+  };
+  deployment.keys = {
+    "admin-mail-pw" = {
+      keyCommand = [ "cat" "/home/jade/keys-tmp/admin-mail-pw" ];
+      destDir = "/var/lib/secrets";
+    };
+    "noreply-mail-ck" = {
+      keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-ck" ];
+      destDir = "/var/lib/secrets";
+    };
+    "noreply-mail-forgejo" = {
+      keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-forgejo" ];
+      destDir = "/var/lib/secrets";
+    };
+    "noreply-mail-keycloak" = {
+      keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-keycloak" ];
+      destDir = "/var/lib/secrets";
+    };
+    "noreply-mail-penpot" = {
+      keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-penpot" ];
+      destDir = "/var/lib/secrets";
+    };
+  };
+}
diff --git a/modules/modded-mc.nix b/modules/modded-mc.nix
index ce272c3..833ba93 100644
--- a/modules/modded-mc.nix
+++ b/modules/modded-mc.nix
@@ -12,7 +12,7 @@ # and the user `mc-e2es`. instances = { "catpile-v1" = { - enable = true; + enable = false; jvmPackage = pkgs.temurin-jre-bin;
@@ -33,6 +33,28 @@ allow-flight = true; }; }; + # "tleg" = { + # enable = true; + + # jvmPackage = pkgs.jre8; + + # # Keys that can access the state of this instance (read/write!) over an rsync module + # # Leave empty to disable + # rsyncSSHKeys = [ + # "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDu9lhNUjovmaeUczUv18GVoSp8Xo8Izi+HSxC7Go3YOTkaijMB4fCWIIQ/MZkKd7BG0OLPwbNSFrP7XrLxyXbMfNNoOBHTtQv85HwRP7XcvsYomHrdtcU3Nf49/MSXA4z42FqzUF114+D0czJz+Nxer+MbEHqAKZRjNuHOizKv8Rqq2hkwTL/Oi3fQxNaj/rHKth0/8BqcUixxofY/e48E+3SAEUJhb/h4m8nyvecKtyfAdxvPg3ZVi+vWZTeY8aoMRliw6kho59tBzumiXsRve0FyFbGx/t/T3zR2dxBZ63LSePhiTO3XdE3spSq/gzsZRNkxxoSWHiW6xrXQAgoyBGPp0ISw3ljtDgTgaJ5JS9JYRKpkfHDlsBKuLpeoD4i6Ts2Z+0dyFnVyBs64bwY7PyqRtS9l/EM/f2VxfsndWMoCuGFCZSS2WbONirqp6e7czxCQ2iqShYKzfupbTf8eYV1i4+VTJE1Qs0oFbmcwZDJbHqaUZn2aeS7fW9pYrA0= jade@monosodium-glutamate-g" + # ]; + + # serverConfig = { + # # Port must be unique + # server-port = 25568; + # motd = "Be excellent to eachother"; + + # white-list = true; + # spawn-protection = 0; + # max-tick-time = 5 * 60 * 1000; + # allow-flight = true; + # }; + # }; }; }; } diff --git a/modules/monitoring.nix b/modules/monitoring.nix new file mode 100644 index 0000000..864e8f7 --- /dev/null +++ b/modules/monitoring.nix @@ -0,0 +1,31 @@ +{ pkgs, ... }: +{ + services.prometheus = { + enable = true; + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + }; + }; + scrapeConfigs = [ + { + job_name = "katzencafe"; + static_configs = [{ + targets = [ "127.0.0.1:9100" ]; + }]; + } + ]; + }; + services.grafana = { + enable = true; + settings = { + server = { + domain = "grafana.katzen.cafe"; + http_port = 2343; + http_addr = "127.0.0.1"; + }; + }; + }; + +} diff --git a/modules/proxy.nix b/modules/proxy.nix index 0866187..227b096 100644 --- a/modules/proxy.nix +++ b/modules/proxy.nix 
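Review bot: In the monitoring hunk, `services.prometheus` and `exporters.node` are enabled without a `listenAddress`, and in the NixOS module both default to binding all interfaces (9090 and 9100); the host firewall added in this commit only admits 22/80/443, so they are not internet-facing, but they are reachable from anything with a host-side interface even though the only scrape target is `127.0.0.1:9100`. Bind them to loopback the way Grafana already is, `listenAddress = "127.0.0.1";` under `services.prometheus` and again under `exporters.node`. Grafana is published on `grafana.katzen.cafe` by proxy.nix but no `settings.security.admin_password` is set, so until someone logs in and changes it the instance accepts Grafana's built-in default credentials; set `settings.security.admin_password = "$__file{/var/lib/secrets/grafana-admin-pw}";` and deploy that file with the same `deployment.keys` mechanism the other modules use. The `systemd` collector also reveals unit names and states to whoever can reach 9100, which is one more reason to keep the exporter on loopback.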
@@ -19,6 +19,10 @@
       group = "nginx";
       keyType = "rsa4096";
     };
+    "wiki.katzen.cafe" = {
+      group = "nginx";
+      keyType = "rsa4096";
+    };
     "auth.katzen.cafe" = {
       group = "nginx";
       keyType = "rsa4096";
@@ -31,11 +35,15 @@
       group = "nginx";
       keyType = "rsa4096";
     };
-    "mumble.katzen.cafe" = {
-      group = "murmur";
+    # "mumble.katzen.cafe" = {
+    #   group = "murmur";
+    #   keyType = "rsa4096";
+    # };
+    "hc-vault.katzen.cafe" = {
+      group = "nginx";
       keyType = "rsa4096";
     };
-    "hc-vault.katzen.cafe" = {
+    "grafana.katzen.cafe" = {
       group = "nginx";
       keyType = "rsa4096";
     };
@@ -57,7 +65,17 @@ recommendedTlsSettings = true; recommendedProxySettings = true; + statusPage = true; + virtualHosts = { + "grafana.katzen.cafe" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:2343"; + proxyWebsockets = true; + }; + }; "ck.katzen.cafe" = { forceSSL = true; enableACME = true;
@@ -85,11 +103,11 @@
       enableACME = true;
       locations."/" = {
         proxyPass = "http://127.0.0.1:8080";
+        # proxy_set_header Host $host;
         extraConfig = ''
           proxy_buffers 4 256k;
           proxy_buffer_size 128k;
           proxy_busy_buffers_size 256k;
-          proxy_set_header Host $host;
           proxy_set_header X-Forwarded-Proto $scheme;
           proxy_set_header X-Forwarded-For $proxy_protocol_addr;
           proxy_set_header X-Real-IP $remote_addr;
@@ -107,11 +125,18 @@
         proxyWebsockets = true;
       };
     };
+    "wiki.katzen.cafe" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://10.0.2.2";
+      };
+    };
     "wiki.phtanum-b.katzen.cafe" = {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://127.0.0.2:8081";
+        proxyPass = "http://10.0.1.2";
       };
     };
     "hc-vault.katzen.cafe" = {
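Review bot: In the vhost that proxies to `http://127.0.0.1:8080` (Keycloak), `proxy_set_header X-Forwarded-For $proxy_protocol_addr;` only carries a value when the `listen` directive has `proxy_protocol` enabled, which nothing in this file shows, so Keycloak — configured with `proxy = "edge"` and therefore trusting `X-Forwarded-*` — most likely receives an empty client address and its brute-force detection, event log and any IP-based policies record nothing useful. The conventional line is `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. Note also that any `proxy_set_header` inside a location replaces the entire inherited set from `recommendedProxySettings` (the include lives at the `http` level), so with `Host $host` now commented out nginx falls back to `Host $proxy_host`, i.e. `127.0.0.1:8080`; if that was deliberate to work around a Keycloak hostname error, a comment should say so, otherwise `proxy_set_header Host $host;` belongs back in `extraConfig`. The two wiki upstreams are now plain HTTP over the container veths, which is fine as long as those interfaces stay host-local, and the vhost block for `hc-vault.katzen.cafe` continues past the end of the hunk.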