author | Alyssa Ross <hi@alyssa.is> | 2019-09-08 00:32:08 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2019-09-16 22:10:26 +0000 |
commit | 175b9acd282aaf65b5f354ea6e95c1348fe3daa3 (patch) | |
tree | f82d2ab76165529424d38b11e6a0e38e5333c21e | |
parent | 61de0d63f56e82ffd13df33300bb68f3c7162cf0 (diff) | |
sys/atuin: init
-rw-r--r-- | modules/server/default.nix | 8 | ||||
-rw-r--r-- | modules/server/dns/default.nix | 13 | ||||
-rw-r--r-- | modules/server/irc/bitlbee/default.nix | 6 | ||||
-rw-r--r-- | modules/server/irc/default.nix | 5 | ||||
-rw-r--r-- | modules/server/irc/znc/default.nix | 7 | ||||
-rw-r--r-- | modules/server/nginx/default.nix | 13 | ||||
-rw-r--r-- | modules/server/tor/default.nix | 18 | ||||
-rw-r--r-- | sys/atuin.nix | 179 | ||||
-rw-r--r-- | sys/default.nix | 1 |
9 files changed, 250 insertions, 0 deletions
diff --git a/modules/server/default.nix b/modules/server/default.nix
new file mode 100644
index 000000000000..42d48ec1e93d
--- /dev/null
+++ b/modules/server/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+ imports = [ ../nix ../locale ../ssh ../users ];
+
+ services.openssh.enable = true;
+ security.sudo.wheelNeedsPassword = false;
+}
diff --git a/modules/server/dns/default.nix b/modules/server/dns/default.nix
new file mode 100644
index 000000000000..6274d6b6b348
--- /dev/null
+++ b/modules/server/dns/default.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+ networking.nameservers = [ "127.0.0.1" ];
+
+ services.unbound.enable = true;
+
+ systemd.services.doh-proxy = {
+ after = [ "networking.target" ];
+ wantedBy = [ "multi-user.target" ];
+ script = "exec ${pkgs.doh-proxy}/bin/doh-httpproxy --port 4448";
+ };
+}
diff --git a/modules/server/irc/bitlbee/default.nix b/modules/server/irc/bitlbee/default.nix
new file mode 100644
index 000000000000..c0aaaa0b4f17
--- /dev/null
+++ b/modules/server/irc/bitlbee/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+
+{
+ services.bitlbee.enable = true;
+ services.bitlbee.portNumber = 6262;
+}
diff --git a/modules/server/irc/default.nix b/modules/server/irc/default.nix
new file mode 100644
index 000000000000..f031773efacd
--- /dev/null
+++ b/modules/server/irc/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+ imports = [ ./bitlbee ./znc ];
+}
diff --git a/modules/server/irc/znc/default.nix b/modules/server/irc/znc/default.nix
new file mode 100644
index 000000000000..76cce01180a8
--- /dev/null
+++ b/modules/server/irc/znc/default.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+ services.znc.enable = true;
+ services.znc.useLegacyConfig = false;
+ services.znc.modulePackages = with pkgs; [ zncModules.playback ];
+}
diff --git a/modules/server/nginx/default.nix b/modules/server/nginx/default.nix
new file mode 100644
index 000000000000..33ba06defd86
--- /dev/null
+++ b/modules/server/nginx/default.nix
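Review bot: `security.sudo.wheelNeedsPassword = false;` in modules/server/default.nix, next to `services.openssh.enable = true;`, means any compromised wheel account on these internet-reachable hosts is root with no further check, and the line carries no comment explaining why that trade-off was chosen. The SSH side is also left to defaults here; pinning `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "no";` in this module would make the shared server baseline explicit. The imported `../ssh` module may already set these, but it is outside this diff, so I cannot confirm. If passwordless sudo is wanted for non-interactive deployment, a comment such as `# wheel users deploy non-interactively; SSH keys are the only credential on these hosts` would record that.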
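Review bot: `systemd.services.doh-proxy` in modules/server/dns/default.nix declares only `script`, so the unit runs as root with no sandboxing; adding `serviceConfig.DynamicUser = true;` (or an explicit `serviceConfig.User`) keeps the network-facing proxy unprivileged. The ordering dependency `after = [ "networking.target" ];` also looks off: the standard unit is `network.target`, and systemd ignores `After=` on a unit that does not exist, so as written the directive most likely has no effect. The command line sets only `--port 4448` and no listen address; sys/atuin.nix proxies `/dns-query` to `[::1]:4448`, so whatever the binary's default bind address is, pinning it explicitly here would guarantee the port never ends up on the public interface.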
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+ services.fcgiwrap.enable = true;
+
+ services.nginx.enable = true;
+ services.nginx.package = pkgs.nginxMainline;
+
+ services.nginx.recommendedOptimisation = true;
+ services.nginx.recommendedTlsSettings = true;
+ services.nginx.recommendedGzipSettings = true;
+ services.nginx.recommendedProxySettings = true;
+}
diff --git a/modules/server/tor/default.nix b/modules/server/tor/default.nix
new file mode 100644
index 000000000000..645684c5dca2
--- /dev/null
+++ b/modules/server/tor/default.nix
@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+
+{
+ networking.firewall.allowedTCPPorts = [ config.services.tor.relay.port ];
+
+ services.tor.enable = true;
+
+ services.tor.relay.accountingMax =
+ lib.mkDefault (throw "Set tor accountingMax!!");
+
+ services.tor.relay.accountingStart =
+ lib.mkDefault (throw "Set tor accountingStart!!");
+
+ services.tor.relay.enable = true;
+ services.tor.relay.nickname = lib.mkDefault config.networking.hostName;
+ services.tor.relay.port = 143;
+ services.tor.relay.role = "relay";
+}
diff --git a/sys/atuin.nix b/sys/atuin.nix
new file mode 100644
index 000000000000..7c9f6342fdb7
--- /dev/null
+++ b/sys/atuin.nix
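Review bot: `services.fcgiwrap.enable = true;` in modules/server/nginx/default.nix is set without `services.fcgiwrap.user` or `services.fcgiwrap.group`, and sys/atuin.nix runs cgit through `/run/fcgiwrap.sock` via `fastcgi_pass`, so whichever identity the module defaults to is what every CGI request executes as; pinning a dedicated unprivileged user here and recording it, e.g. `# cgit (sys/atuin.nix) executes through this socket; keep the runner unprivileged`, would make that explicit. I cannot see the module's default from this diff, so treat this as a check rather than a confirmed problem. Separately, `recommendedTlsSettings = true` applies to the http vhosts only as far as I can tell; the `stream { ... }` block appended in sys/atuin.nix carries its own `ssl_certificate` lines and will need any protocol/cipher policy repeated there.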
@@ -0,0 +1,179 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [
+ ../modules/server
+ ../modules/server/dns
+ ../modules/server/irc
+ ../modules/server/nginx
+ ../modules/server/tor
+ ../modules/users
+ ];
+
+ boot.initrd.availableKernelModules = [ "xen_blkfront" ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/abbb92f4-ea6e-4283-8a86-012516cc1a44";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/49f18b74-5f6e-4e61-b569-f7cc9dc5c600"; }
+ ];
+
+ nix.maxJobs = 2;
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/xvda";
+
+ networking.hostName = "atuin";
+ networking.domain = "qyliss.net";
+ networking.interfaces.eth0 = {
+ ipv4.addresses = [
+ { address = "85.119.82.108"; prefixLength = 21; }
+ ];
+ ipv6.addresses = [
+ { address = "2001:ba8:1f1:f0bc::2"; prefixLength = 64; }
+ ];
+ };
+ networking.defaultGateway = "85.119.80.1";
+ networking.defaultGateway6 = { address = "2001:ba8:1f1:f0bc::1"; };
+ networking.dhcpcd.enable = false;
+
+ networking.firewall.allowedTCPPorts = [ 80 443 6697 ];
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
+ '';
+
+ boot.kernelPackages = pkgs.linuxPackages;
+
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+
+ networking.firewall.allowedUDPPorts = with config; [
+ networking.wireguard.interfaces.wg0.listenPort
+ ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.172.171.1" ];
+ listenPort = 51820;
+ privateKeyFile = "/home/qyliss/wgkeys/private";
+ peers = [
+ {
+ publicKey = "oQZ3fcb9LsnQj8sDYLHf1+hodnW4XEhsM0rNBgHROz8=";
+ allowedIPs = [ "10.172.171.2/32" ];
+ }
+ {
+ publicKey = "lu4ZxYq7qpkmIt8z0Q/wb5Y0Wc3fa0ui9wOWn/+xYxI=";
+ allowedIPs = [ "10.172.171.3/32" ];
+ }
+ {
+ publicKey = "ugHG/NOqM/9hde9EmWpu7XsCpjT3WQbjLK99IGHtdjQ=";
+ allowedIPs = [ "10.13.12.0/24" ];
+ }
+ ];
+ };
+ };
+
+ security.acme.certs =
+ with lib;
+ let
+ coalesce = maybe: default: if maybe == null then default else maybe;
+
+ toAttrs = val: if isList val then genAttrs val (_: null) else val;
+
+ vhostDomains = mapAttrsToList
+ (name: { serverName, ... }: coalesce serverName name)
+ config.services.nginx.virtualHosts;
+
+ domains = {
+ "spectrum-os.org" = { extraDomains = [ "spectrumos.org" ]; };
+ "qyliss.net" = {};
+ };
+ in
+ mapAttrs (
+ domain:
+ { email ? "hi@alyssa.is"
+ , postRun ? "systemctl reload nginx.service"
+ , webroot ? "/var/lib/acme/acme-challenge"
+ , extraDomains ? {}
+ , ...
+ } @ value:
+
+ let
+ extraDomainsFromVhosts =
+ toAttrs (filter (hasSuffix ".${domain}") vhostDomains);
+ in
+ value // {
+ inherit email postRun webroot;
+ extraDomains = extraDomainsFromVhosts // (toAttrs extraDomains);
+ }
+ ) domains;
+
+ services.nginx.virtualHosts =
+ let
+ vhosts = {
+ "znc.qyliss.net".locations."/".proxyPass = "http://127.0.0.1:6667/";
+ "spectrumos.org".locations."/".return = "https://spectrum-os.org/";
+ "spectrum-os.org".locations."/".root = "/var/www/spectrum-os.org";
+
+ default = {
+ serverName = null;
+ default = true;
+ enableACME = false;
+ useACMEHost = "qyliss.net";
+
+ locations."/".return = "https://alyssa.is/";
+ locations."/dns-query".proxyPass = "http://[::1]:4448/";
+ };
+
+ "git.qyliss.net" = {
+ root = "${pkgs.cgit}/cgit";
+
+ locations."@cgit".extraConfig = ''
+ fastcgi_param CGIT_CONFIG ${cgitConfig};
+ fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+ '';
+
+ extraConfig = ''
+ try_files $uri @cgit;
+ '';
+ };
+ };
+
+ cgitConfig = pkgs.writeText "cgit.conf" ''
+ root-desc=Alyssa Ross's personal Git repositories
+ root-title=git.qyliss.net
+ virtual-root=/
+ '';
+ in
+ lib.mapAttrs (
+ _: { forceSSL ? true, enableACME ? true, ... } @ args:
+ args // { inherit forceSSL enableACME; }
+ )
+ vhosts;
+
+ services.nginx.appendConfig = ''
+ stream {
+ server {
+ listen 6697 ssl;
+ ssl_certificate /var/lib/acme/qyliss.net/fullchain.pem;
+ ssl_certificate_key /var/lib/acme/qyliss.net/key.pem;
+ proxy_pass 127.0.0.1:6667;
+ }
+ }
+ '';
+
+ services.tor.relay.accountingMax = "20 GBytes";
+ services.tor.relay.accountingStart = "day 12:00";
+
+ system.stateVersion = "18.03";
+}
diff --git a/sys/default.nix b/sys/default.nix
index 7d23118cb6ad..a53338a06dad 100644
--- a/sys/default.nix
+++ b/sys/default.nix
@@ -5,5 +5,6 @@ let
 in
 {
+ atuin = buildSystem ./atuin.nix;
 x220 = buildSystem ./x220.nix;
 } |
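Review bot: `privateKeyFile = "/home/qyliss/wgkeys/private";` in the `networking.wireguard.interfaces.wg0` block of sys/atuin.nix keeps the tunnel's private key under a user's home directory, where it is readable by that user and anything running as it; a root-owned path outside `/home` limits what a compromised user session can take, and the line deserves a comment naming where the key is expected to be provisioned. The `networking.firewall.extraCommands` rule masquerades `10.100.0.0/24`, yet nothing in this file uses that subnet — `wg0` is `10.172.171.1` with peers at `10.172.171.2/32`, `10.172.171.3/32` and `10.13.12.0/24`, and `networking.nat` with `internalInterfaces = [ "wg0" ]` already handles masquerading for the tunnel — so the rule looks stale and should either be dropped or get a comment naming what it serves. Also, `locations."/dns-query"` lives on the catch-all `default` vhost, so the DoH proxy answers under any hostname that reaches port 443; that may be intended, but a one-line comment such as `# DoH endpoint is deliberately hostname-agnostic` would settle it for the next reader.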