do too many things lmao

This commit is contained in:
Schrottkatze 2023-07-30 16:24:46 +02:00
parent c3695556c2
commit 3b666eee63
15 changed files with 555 additions and 87 deletions


@ -16,8 +16,19 @@
networking = {
nameservers = [ "9.9.9.9" "149.112.112.112" ];
hostName = "katzen-cafe";
networkmanager.enable = true;
networkmanager = {
enable = true;
unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" ];
};
firewall.allowedTCPPorts = [ 22 80 443 ];
# firewall.allowedUDPPorts = [ 25568 25569 ];
nat = {
enable = true;
internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" ];
externalInterface = "enp1s0";
};
interfaces."enp1s0" = {
ipv6.addresses = [{
@ -55,19 +66,24 @@
#networking.interfaces.enp1s0.ipv6.addresses = [ { address = "2a01:4f8:c17:c51f::1/64"; prefixLength = 64; } ];
#networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; };
#users.users.april = {
#isNormalUser = true;
#packages = with pkgs; [ git ];
#createHome = true;
#extraGroups = [ "docker" ];
#openssh.authorizedKeys.keys = [
#"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 waterdev@galaxycrow.de"
#];
#};
users.users.april = {
isNormalUser = true;
packages = with pkgs; [ git ];
createHome = true;
extraGroups = [ "docker" ];
openssh.authorizedKeys.keys = [
#"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 waterdev@galaxycrow.de"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDK4N06uWyGFbWDf0JdQ1mB2PkyQSxYLLbNOihmXGRf2ce8Do4LvlMqHreDNvEfixYK+pRQSdK8oeNqOiRjFXgyEhoo5v/Tg832iHq4r3wEHoqFR/w9XxmAp8Rv66h9uY1wY8+xFVlpgw8GqHN37JJt1P5i3oDkKnBXunzm7+vw1Qo/+LvD4nS9kQlso6ocNGSOAEf7N/IKJpGQp4FrsW1Qg4ZSWVCruUBm5iw02IampgjrzvbHQBO7TIG3jr0TxXBx2MFXydDTXdONwLtlJiwk210ppQIhgIjcqlUZBKZcYJy23ZesPbO2fSyT0iPWFAnvcIRHhsacp8HQ9paKR76J7ghBmAQm9KXyH0TjZM84+lHEvOAGNeDuh+VFr147uyTcun5aWy9zM8v8rW96pUIkId5HQNP8HPGymTFWXomwDvpdFJO/TA2F9YsNfVoTJGy4PbieWFDU5esI3CD6k696mB+vgLcF35qfc76uVFWOUWYHIX3KVwqXh7MQ8+CBWrE= u0_a269@localhost"
];
};
services.cron.systemCronJobs = [
"0 0 * * * april cd /home/april && ./build.sh"
];
services.cron.enable = true;
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
settings.PermitRootLogin = "prohibit-password";
};
environment.systemPackages = with pkgs; [
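Review bot: Adding `extraGroups = [ "docker" ];` to the newly un-commented `users.users.april` account is a root-equivalent grant on the host, because any member of the docker group can start a privileged container with `/` bind-mounted; combined with the new 3072-bit `ssh-rsa` key from `u0_a269@localhost` (a Termux-style user name, so presumably a phone), this widens who can become root on this box, and the nightly cron line `0 0 * * * april cd /home/april && ./build.sh` then runs whatever that account controls. If `build.sh` only needs to run images, a rootless podman setup or a scoped socket proxy avoids the group entirely; if the trust decision is deliberate, record it next to the line, e.g. `extraGroups = [ "docker" ]; # NOTE: docker group == root on the host; april's key is trusted accordingly`. The `settings.PermitRootLogin = "prohibit-password"` rename is correct for the 23.05 option name, so root stays key-only. The `networking.interfaces."enp1s0"` block and the `environment.systemPackages` list continue outside the hunks.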


@ -1,5 +1,6 @@
{ config
, pkgsUnstable
, inputs
, ...
}:
@ -46,7 +47,8 @@ in
# This causes NixOS to use the flake defined in this repository instead of
# the build of Conduit built into nixpkgsUnstable.
package = pkgsUnstable.matrix-conduit;
# package = pkgsUnstable.matrix-conduit;
package = inputs.conduit.packages.${pkgsUnstable.system}.default;
settings.global = {
inherit server_name;
@ -60,13 +62,18 @@ in
defaults = {
email = admin_email;
};
certs = {
"katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
};
"matrix.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
};
};
};
# ACME data must be readable by the NGINX user
users.users.nginx.extraGroups = [
"acme"
];
# Configure NGINX as a reverse proxy
services.nginx = {
enable = true;
@ -84,10 +91,19 @@ in
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
} {
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
];
locations."/_matrix/" = {
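Review bot: The two new `port = 8448;` listeners (`addr = "0.0.0.0"` and `addr = "[::]"`) are unreachable from outside, because this same commit leaves the host firewall at `firewall.allowedTCPPorts = [ 22 80 443 ];`, so Matrix federation on 8448 will silently fail unless a `.well-known/matrix/server` record delegates to 443. Either add the port deliberately (`firewall.allowedTCPPorts = [ 22 80 443 8448 ];`) or drop the listeners and rely on well-known delegation, and say which in a comment so the next reader does not "fix" it the other way. `users.users.nginx.extraGroups = [ "acme" ]` is broader than needed once every cert already sets `group = "nginx"`; it gives nginx read access to every ACME key on the host, not only the ones it serves. Switching `package` to `inputs.conduit.packages.${pkgsUnstable.system}.default` moves the supply-chain trust from nixpkgs to the upstream flake, so the `conduit` input in `flake.lock` is now the thing to review on each update. The `virtualHosts` entry and its `locations."/_matrix/"` block continue outside the hunk.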


@ -8,7 +8,7 @@
networks.calcnet.name = "calcnet";
services = {
"web".service = {
image = "docker.io/waterdev/calckey_arm";
image = "iceshrimp.dev/iceshrimp/iceshrimp:latest-arm";
container_name = "calckey_web";
restart = "unless-stopped";
depends_on = [ "db" "redis" ];
@ -18,8 +18,8 @@
"NODE_ENV" = "production";
};
volumes = [
"/calckey/files:/calckey/files"
"/calckey/config:/calckey/.config:ro"
"/calckey/files:/iceshrimp/files"
"/calckey/config:/iceshrimp/.config:ro"
];
};
"redis".service = {
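Review bot: `image = "iceshrimp.dev/iceshrimp/iceshrimp:latest-arm";` is a mutable tag under `restart = "unless-stopped";`, so any pull can silently swap in a different build of a service that holds user data and credentials, and nothing in the compose config verifies what was pulled. Pin a release tag plus the content digest (`image = "iceshrimp.dev/iceshrimp/iceshrimp:<version>-arm@sha256:<digest>";`) and bump it on purpose, the same way the MediaWiki extensions elsewhere in this commit are pinned by `sha256`. The container name and mount paths still say calckey (`container_name = "calckey_web"`, `/calckey/files`), which is harmless but deserves a one-line comment so nobody assumes the old image is still in use. The enclosing `services` attribute set starts outside the hunk.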


@ -1,6 +1,7 @@
{ pkgs, ... }:
{
imports = [
./katzencafe-wiki.nix
./phtanumb-wiki.nix
./calckey.nix
./penpot.nix


@ -0,0 +1,100 @@
{ pkgsOld, ... }:
{
containers."katzenwiki" = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.2.1";
localAddress = "10.0.2.2";
bindMounts = {
"/var/lib/mediawiki" = {
hostPath = "/katzenwiki";
isReadOnly = false;
};
};
# extraVeths = {
# "katzenwiki" = {
# hostAddress = "10.0.2.1";
# localAddress = "10.0.2.2";
# };
# };
config = { config, pkgs, ... }: {
environment.systemPackages = with pkgs; [btop ];
networking.firewall.enable = false;
# networking.nameservers = [ "9.9.9.9" "149.112.112.112" ];
environment.etc."resolv.conf".text = "nameserver 9.9.9.9";
services.mediawiki = {
enable = true;
name = "katzenwiki";
database = {
type = "mysql";
};
virtualHost = {
hostName = "wiki.katzen.cafe";
adminAddr = "admin@katzen.cafe";
listen = [
{
ip = "10.0.2.2";
port = 80;
ssl = false;
}
];
};
passwordFile = "/var/lib/mediawiki/passwordFile";
extraConfig = ''
# $wgShowExceptionDetails = true;
# $wgDebugToolbar = true;
# $wgShowDebug = true;
# $wgDevelopmentWarnings = true;
# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['oidc_interface_admin'] = $wgGroupPermissions['interface_admin'];
$wgGroupPermissions['oidc_admin'] = $wgGroupPermissions['sysop'];
$wgGroupPermissions['oidc_admin']['userrights'] = true;
$oidcClientSecret = file_get_contents('/var/lib/mediawiki/keycloakClientSecret', false, null, 0, 32);
$wgPluggableAuth_Config[] = [
'plugin' => 'OpenIDConnect',
'data' => [
'providerURL' => 'https://auth.katzen.cafe/realms/katzen.cafe',
'clientID' => 'katzenwiki',
# hack to try dynamically get the secret
'clientsecret' => $oidcClientSecret,
'global_roles' => ['property' => ['realm_access', 'roles']],
'wiki_roles' => ['property' => ['resource_access', 'katzenwiki', 'roles']]
]
];
'';
extensions = {
PluggableAuth = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-068be5d.tar.gz";
sha256 = "sha256-OWfr3oq2XzyJ5tynP5bRRPm34ymqz2oIBe2vBPHK+/Q=";
};
OpenIDConnect = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_39-42e4d75.tar.gz";
sha256 = "sha256-g+PGNzt0o2FebI3xyVamz5RA95E86MD2yqD4v8N6zKU=";
};
WikiEditor = null;
CodeEditor = null;
};
};
system.stateVersion = "23.05";
};
};
deployment.keys = {
# NOTE: for some reason, i ahd to manually chown +r the password file for mediawiki to work.
# i should figure out why to make this work when setting up new instances...
"katzenwikiPwFile" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/katzenwiki-passwordFile" ];
destDir = "/katzenwiki";
name = "passwordFile";
};
"katzenwikiKeycloakClientSecret" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/katzenwiki-keycloak-secret" ];
destDir = "/katzenwiki";
name = "keycloakClientSecret";
permissions = "0604";
};
};
}
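Review bot: `permissions = "0604";` on `katzenwikiKeycloakClientSecret` makes the OIDC client secret world-readable on the host at `/katzenwiki/keycloakClientSecret`, and because `/katzenwiki` is bind-mounted read-write into the container, every local user inside it can read the secret as well. The mode was presumably chosen to dodge the `chown +r` problem the NOTE above records for `passwordFile`; the fix for both keys is ownership, not world-read — give them the uid/gid the MediaWiki PHP process runs as (NixOS containers share numeric uids with the host unless user namespaces are enabled) together with `permissions = "0640";`, if the deployment tool's key options expose a user/group. `file_get_contents('/var/lib/mediawiki/keycloakClientSecret', false, null, 0, 32)` also truncates at 32 bytes and keeps any trailing newline, so a regenerated or hand-edited secret would break login silently; `trim(file_get_contents('/var/lib/mediawiki/keycloakClientSecret'))` is the safer read. Separately, `networking.firewall.enable = false;` inside the container exposes whatever MySQL binds on `10.0.2.2` to the host side; keeping the firewall on with `allowedTCPPorts = [ 80 ]` costs nothing here.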


@ -9,6 +9,8 @@
services = {
"penpot-backend".service = {
image = "penpotapp/backend:latest";
# NOTE: you have to change the owner of the assets folder to 1001:1001
# command: # chown -R 1001:1001 /penpot/assets
volumes = [ "/penpot/assets:/opt/data/assets" ];
depends_on = [ "penpot-postgres" "penpot-redis" ];
networks = [ "penpot" ];


@ -1,40 +1,42 @@
{ pkgs, ... }:
{ pkgsOld, ... }:
{
containers."phtanumb-wiki" = {
autoStart = true;
hostAddress = "127.0.0.1";
privateNetwork = true;
hostAddress = "10.0.1.1";
localAddress = "10.0.1.2";
nixpkgs = pkgsOld.path;
bindMounts = {
"/var/mediawiki" = {
hostPath = "/phtanum-b/wiki";
isReadOnly = false;
};
};
forwardPorts = [
{
protocol = "tcp";
hostPort = 5432;
containerPort = 5432;
}
{
protocol = "tcp";
hostPort = 8081;
containerPort = 8081;
}
];
# extraVeths = {
# "phtanumb" = {
# hostAddress = "10.0.1.1";
# localAddress = "10.0.1.2";
# };
# };
config = { config, pkgs, ... }: {
environment.systemPackages = with pkgs; [ luajit ];
networking.firewall.enable = false;
# networking.nameservers = [ "9.9.9.9" "149.112.112.112" ];
environment.etc."resolv.conf".text = "nameserver 9.9.9.9";
services.mediawiki = {
enable = true;
name = "phtanum-b";
virtualHost.listen = [
{
ip = "127.0.0.2";
port = 8081;
ssl = false;
}
];
virtualHost.hostName = "wiki.phtanum-b.katzen.cafe";
virtualHost.adminAddr = "admin@katzen.cafe";
virtualHost = {
hostName = "wiki.phtanum-b.katzen.cafe";
adminAddr = "admin@katzen.cafe";
listen = [
{
ip = "10.0.1.2";
port = 80;
ssl = false;
}
];
};
passwordFile = "/var/mediawiki/passwordFile";
extraConfig = ''
# $wgShowExceptionDetails = true;


@ -5,24 +5,21 @@
package = pkgsUnstable.forgejo;
repositoryRoot = "/forgejo/repos";
appName = "Katzenschmiede";
rootUrl = "https://forge.katzen.cafe/";
httpPort = 8082;
domain = "forge.katzen.cafe";
database = {
type = "postgres";
};
settings = {
openid = {
ENABLE_OPENID_SIGNIN = true;
#ENABLE_OPENID_SIGNUP = true;
};
federation = {
ENABLED = true;
};
#server = {
#ROOT_URL = "https://forge.katzen.cafe/";
#HTTP_PORT = 8082;
#};
server = {
ROOT_URL = "https://forge.katzen.cafe/";
HTTP_PORT = 8082;
DOMAIN = "forge.katzen.cafe";
};
service = {
REGISTER_MANUAL_CONFIRM = true;
SHOW_REGISTRATION_BUTTON = false;
@ -30,7 +27,17 @@
actions = {
ENABLED = true;
};
mailer = {
ENABLED = true;
FROM = "forge@noreply.katzen.cafe";
MAILER_TYPE = "smtp";
SMTP_ADDR = "mail.katzen.cafe";
SMTP_PORT = 465;
IS_TLS_ENABLED = true;
USER = "forge@noreply.katzen.cafe";
};
};
mailerPasswordFile = "/forgejo/secret/mailerPassword";
};
deployment.keys = {
"forgejoDbPw" = {
@ -38,5 +45,10 @@
destDir = "/forgejo/secret/";
permissions = "0604";
};
"mailerPassword" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mailer-pw-forgejo" ];
destDir = "/forgejo/secret/";
permissions = "0604";
};
};
}
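Review bot: The new `"mailerPassword"` key is deployed with `permissions = "0604";`, i.e. readable by every local user on the host, so the SMTP credential for `forge@noreply.katzen.cafe` is not actually secret; `permissions = "0640";` with the group the Forgejo service runs under (the NixOS module's default user and group are `forgejo`, if the deployment tool's key options expose a group) keeps it readable by the service without the world-read bit (the `forgejoDbPw` key above has the same problem, though its permissions line is context here). `MAILER_TYPE = "smtp"` with `IS_TLS_ENABLED = true` is, I believe, the deprecated spelling in recent Gitea/Forgejo releases; since this uses `pkgsUnstable.forgejo`, check the startup log for a deprecation warning or switch to the current form `PROTOCOL = "smtps"; SMTP_ADDR = "mail.katzen.cafe"; SMTP_PORT = 465;`. Implicit TLS on 465 is the right choice over STARTTLS on 587, since there is no plaintext phase to downgrade. The `settings.service` block continues outside the hunk.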


@ -5,14 +5,16 @@
settings = {
http-port = 8080;
http-host = "127.0.0.1";
http-enabled = true;
https-port = 8443;
proxy = "edge";
hostname = "auth.katzen.cafe";
hostname-port = "-1";
hostname-admin-url = "https://auth.katzen.cafe";
hostname-strict-backchannel = true;
# hostname-strict-backchannel = true;
};
#sslCertificateKey = "/var/lib/acme/auth.katzen.cafe/key.pem";
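Review bot: `# hostname-strict-backchannel = true;` is switched off with no stated reason; with it disabled, Keycloak builds the URLs it returns on non-browser (backchannel) requests from the incoming `Host` header rather than the configured `hostname`, so the setting only stays safe while nginx keeps forwarding `Host $host` and nothing else can reach `127.0.0.1:8080`. Presumably it was disabled while debugging the OIDC integration added elsewhere in this commit; if it is still needed, record why in a comment (`# strict-backchannel off: <reason> — verify still required`), and if it was only a debugging step, re-enable it. `http-enabled = true` with `proxy = "edge"` and `http-host = "127.0.0.1"` is acceptable as long as the loopback listener remains the only one and TLS terminates in nginx.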

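--- /dev/null
+++ b/modules/mailserver.nix
@@ -0,0 +1,51 @@
+{ inputs, ... }:
+{
+imports = [ inputs.simple-nixos-mailserver.nixosModule ];
+mailserver = {
+enable = true;
+fqdn = "mail.katzen.cafe";
+sendingFqdn = "katzen.cafe";
+domains = [ "katzen.cafe" "noreply.katzen.cafe" ];
+loginAccounts = {
+"admin@katzen.cafe" = {
+hashedPasswordFile = "/var/lib/secrets/admin-mail-pw";
+aliases = [ "postmaster@katzen.cafe" "abuse@katzen.cafe" ];
+};
+"ck@noreply.katzen.cafe" = {
+hashedPasswordFile = "/var/lib/secrets/noreply-mail-ck";
+};
+"forge@noreply.katzen.cafe" = {
+hashedPasswordFile = "/var/lib/secrets/noreply-mail-forgejo";
+};
+"keycloak@noreply.katzen.cafe" = {
+hashedPasswordFile = "/var/lib/secrets/noreply-mail-keycloak";
+};
+"penpot@noreply.katzen.cafe" = {
+hashedPasswordFile = "/var/lib/secrets/noreply-mail-penpot";
+};
+};
+certificateScheme = "acme-nginx";
+};
+deployment.keys = {
+"admin-mail-pw" = {
+keyCommand = [ "cat" "/home/jade/keys-tmp/admin-mail-pw" ];
+destDir = "/var/lib/secrets";
+};
+"noreply-mail-ck" = {
+keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-ck" ];
+destDir = "/var/lib/secrets";
+};
+"noreply-mail-forgejo" = {
+keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-forgejo" ];
+destDir = "/var/lib/secrets";
+};
+"noreply-mail-keycloak" = {
+keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-keycloak" ];
+destDir = "/var/lib/secrets";
+};
+"noreply-mail-penpot" = {
+keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-penpot" ];
+destDir = "/var/lib/secrets";
+};
+};
+}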
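Review bot: The four `*@noreply.katzen.cafe` entries are full login accounts, yet they exist only so services can submit mail (Forgejo's mailer in this commit logs in as `forge@noreply.katzen.cafe`); marking each of them `sendOnly = true;` means a leaked SMTP credential cannot also be used to read mail over IMAP, which matters because some of those credentials are deployed with world-readable modes elsewhere in this commit. `sendOnly` is a `loginAccounts` option in simple-nixos-mailserver; confirm the pinned `inputs.simple-nixos-mailserver` version has it. Using `hashedPasswordFile` rather than plaintext is good, and the matching `deployment.keys` entries set no `permissions`, so they take the tool's default, which should remain root-only. `sendingFqdn = "katzen.cafe"` with `fqdn = "mail.katzen.cafe"` also needs matching SPF, DKIM and reverse-DNS records that this module cannot create; a comment pointing at where DNS is managed would save the next person a deliverability hunt.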


@ -12,7 +12,7 @@
# and the user `mc-e2es`.
instances = {
"catpile-v1" = {
enable = true;
enable = false;
jvmPackage = pkgs.temurin-jre-bin;
@ -33,6 +33,28 @@
allow-flight = true;
};
};
# "tleg" = {
# enable = true;
# jvmPackage = pkgs.jre8;
# # Keys that can access the state of this instance (read/write!) over an rsync module
# # Leave empty to disable
# rsyncSSHKeys = [
# "ssh-rsa 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 jade@monosodium-glutamate-g"
# ];
# serverConfig = {
# # Port must be unique
# server-port = 25568;
# motd = "Be excellent to eachother";
# white-list = true;
# spawn-protection = 0;
# max-tick-time = 5 * 60 * 1000;
# allow-flight = true;
# };
# };
};
};
}

modules/monitoring.nix Normal file

@ -0,0 +1,31 @@
{ pkgs, ... }:
{
services.prometheus = {
enable = true;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
};
};
scrapeConfigs = [
{
job_name = "katzencafe";
static_configs = [{
targets = [ "127.0.0.1:9100" ];
}];
}
];
};
services.grafana = {
enable = true;
settings = {
server = {
domain = "grafana.katzen.cafe";
http_port = 2343;
http_addr = "127.0.0.1";
};
};
};
}
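Review bot: `services.grafana.enable = true;` with no `security.admin_password` (or `admin_user`) under `settings` leaves Grafana's built-in `admin`/`admin` default, and this same commit publishes it on the internet as `grafana.katzen.cafe` through nginx; unless the password is changed on first login before anyone else finds the host, that is an anonymous admin panel. Set it from a deployed secret, e.g. `settings.security.admin_password = "$__file{/var/lib/secrets/grafana-admin-pw}";` with a matching `deployment.keys` entry, or disable the built-in login in favour of the Keycloak OIDC provider already running on this box. Prometheus and the node exporter are left on their NixOS defaults, which I believe bind `0.0.0.0` (`:9090` and `:9100`); the host firewall hides them from the internet, but the NATed wiki containers on the `ve-*` interfaces can still reach them, so `listenAddress = "127.0.0.1";` on both, matching Grafana's `http_addr`, is the consistent choice and makes the `targets = [ "127.0.0.1:9100" ]` line accurate.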


@ -19,6 +19,10 @@
group = "nginx";
keyType = "rsa4096";
};
"wiki.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
};
"auth.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
@ -31,11 +35,15 @@
group = "nginx";
keyType = "rsa4096";
};
"mumble.katzen.cafe" = {
group = "murmur";
# "mumble.katzen.cafe" = {
# group = "murmur";
# keyType = "rsa4096";
# };
"hc-vault.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
};
"hc-vault.katzen.cafe" = {
"grafana.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
};
@ -57,7 +65,17 @@
recommendedTlsSettings = true;
recommendedProxySettings = true;
statusPage = true;
virtualHosts = {
"grafana.katzen.cafe" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2343";
proxyWebsockets = true;
};
};
"ck.katzen.cafe" = {
forceSSL = true;
enableACME = true;
@ -85,11 +103,11 @@
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
# proxy_set_header Host $host;
extraConfig = ''
proxy_buffers 4 256k;
proxy_buffer_size 128k;
proxy_busy_buffers_size 256k;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
proxy_set_header X-Real-IP $remote_addr;
@ -107,11 +125,18 @@
proxyWebsockets = true;
};
};
"wiki.katzen.cafe" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://10.0.2.2";
};
};
"wiki.phtanum-b.katzen.cafe" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.2:8081";
proxyPass = "http://10.0.1.2";
};
};
"hc-vault.katzen.cafe" = {
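Review bot: In the location proxying to `http://127.0.0.1:8080` (presumably `auth.katzen.cafe`, matching Keycloak's `http-port` in this commit), `proxy_set_header X-Forwarded-For $proxy_protocol_addr;` sits among the headers Keycloak trusts under `proxy = "edge"`, but `$proxy_protocol_addr` is only populated when the `listen` directive enables `proxy_protocol`, which is not visible here; without it Keycloak sees an empty client address, and because any `proxy_set_header` inside a `location` discards every header inherited from `recommendedProxySettings`, nothing else fills it in. The usual form is `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. Adding `proxy_set_header Host $host;` is correct and is what keeps Keycloak's hostname handling safe now that `hostname-strict-backchannel` is disabled. The new `wiki.katzen.cafe` and rewritten `wiki.phtanum-b.katzen.cafe` vhosts proxy in plaintext to `10.0.2.2`/`10.0.1.2`, which is fine over the host-local veths. The `virtualHosts` attribute set begins outside the hunk, and the `"hc-vault.katzen.cafe"` entry continues past it.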