author | Alyssa Ross <hi@alyssa.is> | 2019-09-08 00:32:08 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2019-09-16 22:10:26 +0000 |
commit | 175b9acd282aaf65b5f354ea6e95c1348fe3daa3 (patch) | |
tree | f82d2ab76165529424d38b11e6a0e38e5333c21e /sys | |
parent | 61de0d63f56e82ffd13df33300bb68f3c7162cf0 (diff) | |
sys/atuin: init
Diffstat (limited to 'sys')
-rw-r--r-- | sys/atuin.nix | 179 | ||||
-rw-r--r-- | sys/default.nix | 1 |
2 files changed, 180 insertions, 0 deletions
diff --git a/sys/atuin.nix b/sys/atuin.nix
new file mode 100644
index 000000000000..7c9f6342fdb7
--- /dev/null
+++ b/sys/atuin.nix
@@ -0,0 +1,179 @@
+ { config, pkgs, lib, ... }:
+
+ {
+ imports = [
+ ../modules/server
+ ../modules/server/dns
+ ../modules/server/irc
+ ../modules/server/nginx
+ ../modules/server/tor
+ ../modules/users
+ ];
+
+ boot.initrd.availableKernelModules = [ "xen_blkfront" ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/abbb92f4-ea6e-4283-8a86-012516cc1a44";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/49f18b74-5f6e-4e61-b569-f7cc9dc5c600"; }
+ ];
+
+ nix.maxJobs = 2;
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/xvda";
+
+ networking.hostName = "atuin";
+ networking.domain = "qyliss.net";
+ networking.interfaces.eth0 = {
+ ipv4.addresses = [
+ { address = "85.119.82.108"; prefixLength = 21; }
+ ];
+ ipv6.addresses = [
+ { address = "2001:ba8:1f1:f0bc::2"; prefixLength = 64; }
+ ];
+ };
+ networking.defaultGateway = "85.119.80.1";
+ networking.defaultGateway6 = { address = "2001:ba8:1f1:f0bc::1"; };
+ networking.dhcpcd.enable = false;
+
+ networking.firewall.allowedTCPPorts = [ 80 443 6697 ];
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
+ '';
+
+ boot.kernelPackages = pkgs.linuxPackages;
+
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+
+ networking.firewall.allowedUDPPorts = with config; [
+ networking.wireguard.interfaces.wg0.listenPort
+ ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.172.171.1" ];
+ listenPort = 51820;
+ privateKeyFile = "/home/qyliss/wgkeys/private";
+ peers = [
+ {
+ publicKey = "oQZ3fcb9LsnQj8sDYLHf1+hodnW4XEhsM0rNBgHROz8=";
+ allowedIPs = [ "10.172.171.2/32" ];
+ }
+ {
+ publicKey = "lu4ZxYq7qpkmIt8z0Q/wb5Y0Wc3fa0ui9wOWn/+xYxI=";
+ allowedIPs = [ "10.172.171.3/32" ];
+ }
+ {
+ publicKey = "ugHG/NOqM/9hde9EmWpu7XsCpjT3WQbjLK99IGHtdjQ=";
+ allowedIPs = [ "10.13.12.0/24" ];
+ }
+ ];
+ };
+ };
+
+ security.acme.certs =
+ with lib;
+ let
+ coalesce = maybe: default: if maybe == null then default else maybe;
+
+ toAttrs = val: if isList val then genAttrs val (_: null) else val;
+
+ vhostDomains = mapAttrsToList
+ (name: { serverName, ... }: coalesce serverName name)
+ config.services.nginx.virtualHosts;
+
+ domains = {
+ "spectrum-os.org" = { extraDomains = [ "spectrumos.org" ]; };
+ "qyliss.net" = {};
+ };
+ in
+ mapAttrs (
+ domain:
+ { email ? "hi@alyssa.is"
+ , postRun ? "systemctl reload nginx.service"
+ , webroot ? "/var/lib/acme/acme-challenge"
+ , extraDomains ? {}
+ , ...
+ } @ value:
+
+ let
+ extraDomainsFromVhosts =
+ toAttrs (filter (hasSuffix ".${domain}") vhostDomains);
+ in
+ value // {
+ inherit email postRun webroot;
+ extraDomains = extraDomainsFromVhosts // (toAttrs extraDomains);
+ }
+ ) domains;
+
+ services.nginx.virtualHosts =
+ let
+ vhosts = {
+ "znc.qyliss.net".locations."/".proxyPass = "http://127.0.0.1:6667/";
+ "spectrumos.org".locations."/".return = "https://spectrum-os.org/";
+ "spectrum-os.org".locations."/".root = "/var/www/spectrum-os.org";
+
+ default = {
+ serverName = null;
+ default = true;
+ enableACME = false;
+ useACMEHost = "qyliss.net";
+
+ locations."/".return = "https://alyssa.is/";
+ locations."/dns-query".proxyPass = "http://[::1]:4448/";
+ };
+
+ "git.qyliss.net" = {
+ root = "${pkgs.cgit}/cgit";
+
+ locations."@cgit".extraConfig = ''
+ fastcgi_param CGIT_CONFIG ${cgitConfig};
+ fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+ '';
+
+ extraConfig = ''
+ try_files $uri @cgit;
+ '';
+ };
+ };
+
+ cgitConfig = pkgs.writeText "cgit.conf" ''
+ root-desc=Alyssa Ross's personal Git repositories
+ root-title=git.qyliss.net
+ virtual-root=/
+ '';
+ in
+ lib.mapAttrs (
+ _: { forceSSL ? true, enableACME ? true, ... } @ args:
+ args // { inherit forceSSL enableACME; }
+ )
+ vhosts;
+
+ services.nginx.appendConfig = ''
+ stream {
+ server {
+ listen 6697 ssl;
+ ssl_certificate /var/lib/acme/qyliss.net/fullchain.pem;
+ ssl_certificate_key /var/lib/acme/qyliss.net/key.pem;
+ proxy_pass 127.0.0.1:6667;
+ }
+ }
+ '';
+
+ services.tor.relay.accountingMax = "20 GBytes";
+ services.tor.relay.accountingStart = "day 12:00";
+
+ system.stateVersion = "18.03";
+ }
diff --git a/sys/default.nix b/sys/default.nix
index 7d23118cb6ad..a53338a06dad 100644
--- a/sys/default.nix
+++ b/sys/default.nix
@@ -5,5 +5,6 @@ let in {
+ atuin = buildSystem ./atuin.nix;
 x220 = buildSystem ./x220.nix;
 } |
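Review bot: The hand-written NAT rule in `networking.firewall.extraCommands` masquerades `10.100.0.0/24`, but no address in this file belongs to that range — wg0 is `10.172.171.1` and the peers' allowedIPs are `10.172.171.2/32`, `10.172.171.3/32` and `10.13.12.0/24` — while `networking.nat.enable = true` with `internalInterfaces = [ "wg0" ]` already masquerades the wg0 traffic, so the rule looks stale. If it is still needed, a comment naming the network behind `10.100.0.0/24` would help, and because it is appended straight to POSTROUTING with no matching `networking.firewall.extraStopCommands`, it may accumulate duplicates across firewall restarts (inferred from the option semantics, not verified here). Separately, `privateKeyFile = "/home/qyliss/wgkeys/private"` stores the host's WireGuard identity under a user's home directory; a root-owned path outside `/home` (for example under `/var/lib`) would keep the key's permissions and lifetime independent of that account.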