From 626ca355465120c6406028368475e3df33cd685e Mon Sep 17 00:00:00 2001 From: schrottkatze Date: Tue, 25 Apr 2023 14:52:33 +0200 Subject: [PATCH] final ig --- common.nix | 4 +- flake.nix | 17 +++ hosts/katzencafe/calckey.nix | 49 +++++++++ hosts/katzencafe/configuration.nix | 109 ++++++++++++++++++++ hosts/katzencafe/hardware-configuration.nix | 39 +++++++ hosts/katzencafe/proxy.nix | 61 +++++++++++ hosts/schrottserver/jitsi.nix | 8 -- 7 files changed, 277 insertions(+), 10 deletions(-) create mode 100644 hosts/katzencafe/calckey.nix create mode 100644 hosts/katzencafe/configuration.nix create mode 100644 hosts/katzencafe/hardware-configuration.nix create mode 100644 hosts/katzencafe/proxy.nix delete mode 100644 hosts/schrottserver/jitsi.nix diff --git a/common.nix b/common.nix index 06dda09..7ff46c6 100644 --- a/common.nix +++ b/common.nix @@ -41,9 +41,9 @@ with builtins; services = { openssh = { - settings.PasswordAuthentication = false; - settings.KbdInteractiveAuthentication = false; enable = true; + # settings.PasswordAuthentication = false; + # settings.KbdInteractiveAuthentication = false; }; }; diff --git a/flake.nix b/flake.nix index 4ae43af..0316aca 100644 --- a/flake.nix +++ b/flake.nix @@ -78,6 +78,23 @@ } ]; }; + katzencafe = nixpkgs-stable.lib.nixosSystem { + specialArgs = { + inherit inputs; + }; + system = "aarch64-linux"; + modules = [ + ./hosts/katzencafe/configuration.nix + home-manager.nixosModules.home-manager { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.jade = { nixosConfig, pkgs, ... }: { + home.sessionVariables.TZ = nixosConfig.time.timeZone; + home.stateVersion = "${nixosConfig.system.stateVersion}"; + }; + } + ]; + }; }; }; } diff --git a/hosts/katzencafe/calckey.nix b/hosts/katzencafe/calckey.nix new file mode 100644 index 0000000..60a0505 --- /dev/null +++ b/hosts/katzencafe/calckey.nix @@ -0,0 +1,49 @@ +{ pkgs, inputs, ... }: +{ + imports = [ inputs.arion.nixosModules.arion ]; + virtualisation.docker.enable = true; + virtualisation.arion = { + backend = "docker"; + projects.calckey.settings = { + networks.calcnet.name = "calcnet"; + services = { + "web".service = { + image = "docker.io/thatonecalculator/calckey"; + container_name = "calckey_web"; + restart = "unless-stopped"; + depends_on = [ "db" "redis" ]; + ports = [ "3000:3000" ]; + networks = [ "calcnet" ]; + environment = { + "NODE_ENV" = "production"; + }; + volumes = [ + "/calckey/files:/calckey/files" + "/calckey/config:/calckey/.config:ro" + ]; + }; + "redis".service = { + image = "docker.io/redis:7.0-alpine"; + container_name = "calckey_redis"; + restart = "unless-stopped"; + networks = [ "calcnet" ]; + volumes = [ "/calckey/redis:/data" ]; + }; + "db".service = { + image = "docker.io/postgres:12.2-alpine"; + container_name = "calckey_db"; + restart = "unless-stopped"; + networks = [ "calcnet" ]; + environment = { + POSTGRES_PASSWORD = "calckey"; + POSTGRES_USER = "calckey"; + POSTGRES_DB = "calckey"; + }; + volumes = [ + "/calckey/db:/var/lib/postgresql/data" + ]; + }; + }; + }; + }; +} diff --git a/hosts/katzencafe/configuration.nix b/hosts/katzencafe/configuration.nix new file mode 100644 index 0000000..bd3c1c5 --- /dev/null +++ b/hosts/katzencafe/configuration.nix @@ -0,0 +1,109 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ../../common.nix + ../../modules/zsh.nix + ../../modules/neovim.nix + ../../modules/firewall.nix + + ./proxy.nix + ./calckey.nix + ]; + + jade = { + neovim.enable = true; + zsh.enable = true; + }; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = false; + + boot.kernelPackages = pkgs.linuxPackages_latest; + + networking.hostName = "katzencafe"; # Define your hostname. + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.jade = { + isNormalUser = true; + extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + packages = with pkgs; [ + ]; + }; + + # List packages installed in system profile. To search, run: + environment.systemPackages = with pkgs; [ + vim gitMinimal # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + wget + ]; + + system.stateVersion = "22.11"; # Did you read the comment? + + services.jitsi-meet = { + enable = true; + hostName = "meet.katzen.cafe"; + }; + services.jitsi-videobridge.openFirewall = true; + + services.murmur = { + enable = true; + openFirewall = true; + registerHostname = "mumble.katzen.cafe"; + sslKey = "/var/lib/acme/mumble.katzen.cafe/key.pem"; + sslCert = "/var/lib/acme/mumble.katzen.cafe/cert.pem"; + }; + + containers = { + "phtanumb-wiki" = { + autoStart = true; + forwardPorts = [ + { + containerPort = 8080; + hostPort = 8099; + protocol = "tcp"; + } + ]; + bindMounts = { + "/var/mediawiki" = { + hostPath = "/phtanum-b/wiki"; + isReadOnly = false; + }; + }; + config = { config, pkgs, ... }: { + services.mediawiki = { + enable = true; + name = "phtanum-b"; + virtualHost.listen = [ + { + #ip = "127.0.0.1"; + port = 8080; + ssl = false; + } + ]; + virtualHost.adminAddr = "admin@katzen.cafe"; + passwordFile = "/var/mediawiki/passwordFile"; + extraConfig = '' + # Disable anonymous editing + $wgGroupPermissions['*']['edit'] = false; + ''; + }; + + system.stateVersion = "22.11"; + }; + }; + }; +} + diff --git a/hosts/katzencafe/hardware-configuration.nix b/hosts/katzencafe/hardware-configuration.nix new file mode 100644 index 0000000..9164b68 --- /dev/null +++ b/hosts/katzencafe/hardware-configuration.nix @@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ]; + boot.initrd.kernelModules = [ "virtio_gpu" ]; + boot.kernelParams = [ "console=tty" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/0ce40e38-b9ef-4d84-b678-10745b7fedb4"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/DEBB-944F"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/9cb23bf3-128c-4847-8f72-f14f4aaa5026"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; +} diff --git a/hosts/katzencafe/proxy.nix b/hosts/katzencafe/proxy.nix new file mode 100644 index 0000000..c8db122 --- /dev/null +++ b/hosts/katzencafe/proxy.nix @@ -0,0 +1,61 @@ +{ inputs, config, pkgs, ... }: +{ + security.acme = { + acceptTerms = true; + defaults.email = "jade@schrottkatze.de"; + defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + defaults.webroot = "/var/lib/acme/acme-challenge"; + certs = { + "ck.katzen.cafe" = { + group = "nginx"; + keyType = "rsa4096"; + }; + "meet.katzen.cafe" = { + group = "nginx"; + keyType = "rsa4096"; + }; + "wiki.phtanum-b.katzen.cafe" = { + group = "nginx"; + keyType = "rsa4096"; + }; + "mumble.katzen.cafe" = { + group = "murmur"; + keyType = "rsa4096"; + }; + }; + }; + + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts = { + "ck.katzen.cafe" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + proxyWebsockets = true; + extraConfig = '' + client_max_body_size 8M; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + ''; + }; + }; + "wiki.phtanum-b.katzen.cafe" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8099"; + }; + }; + }; + }; +} diff --git a/hosts/schrottserver/jitsi.nix b/hosts/schrottserver/jitsi.nix deleted file mode 100644 index 3964bf1..0000000 --- a/hosts/schrottserver/jitsi.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ inputs, config, pkgs, ... }: -{ - services.jitsi-meet = { - enable = true; - hostName = "meet.katzen.cafe"; - }; - services.jitsi-videobridge.openFirewall = true; -}