
refactor: Move all apps into modules

This commit is contained in:
Benjamin Yule Bädorf 2024-04-28 17:25:40 +02:00
parent fee6ce74c7
commit ef94681e11
Signed by untrusted user: b12f
GPG key ID: 729956E1124F8F26
53 changed files with 291 additions and 166 deletions


@ -11,6 +11,33 @@
self.nixosModules.unlock-zfs-on-boot
self.nixosModules.core
self.nixosModules.docker
self.nixosModules.nginx
self.nixosModules.collabora
self.nixosModules.coturn
self.nixosModules.forgejo
self.nixosModules.keycloak
self.nixosModules.mailman
self.nixosModules.mastodon
self.nixosModules.nginx-mastodon
self.nixosModules.nginx-mastodon-files
self.nixosModules.mediawiki
self.nixosModules.nextcloud
self.nixosModules.nginx-prometheus-exporters
self.nixosModules.nginx-website
self.nixosModules.nginx-website-miom
self.nixosModules.opensearch
self.nixosModules.owncast
self.nixosModules.postgresql
self.nixosModules.prometheus-exporters
self.nixosModules.promtail
self.nixosModules.searx
self.nixosModules.tmate
self.nixosModules.obs-portal
self.nixosModules.matrix
self.nixosModules.matrix-irc
self.nixosModules.matrix-telegram
self.nixosModules.nginx-matrix
];
};
@ -21,6 +48,13 @@
./flora-6
self.nixosModules.overlays
self.nixosModules.core
self.nixosModules.caddy
self.nixosModules.drone
self.nixosModules.forgejo-actions-runner
self.nixosModules.grafana
self.nixosModules.prometheus
self.nixosModules.loki
];
};
};


@ -8,13 +8,5 @@
./configuration.nix
./triton-vmtools.nix
./wireguard.nix
./apps/caddy.nix
./apps/drone.nix
./apps/forgejo-actions-runner.nix
./apps/grafana.nix
./apps/prometheus.nix
./apps/loki.nix
];
}


@ -10,33 +10,6 @@
./networking.nix
./wireguard.nix
./backups.nix
./apps/nginx.nix
./apps/collabora.nix
./apps/coturn.nix
./apps/forgejo.nix
./apps/keycloak.nix
./apps/mailman.nix
./apps/mastodon.nix
./apps/mediawiki.nix
./apps/nextcloud.nix
./apps/nginx-mastodon.nix
./apps/nginx-mastodon-files.nix
./apps/nginx-prometheus-exporters.nix
./apps/nginx-website.nix
./apps/nginx-website-miom.nix
./apps/opensearch.nix
./apps/owncast.nix
./apps/postgresql.nix
./apps/prometheus-exporters.nix
./apps/promtail.nix
./apps/searx.nix
./apps/tmate.nix
./apps/obs-portal.nix
./apps/matrix/irc.nix
./apps/matrix/mautrix-telegram.nix
./apps/matrix/synapse.nix
./apps/nginx-matrix.nix
];
}


@ -6,45 +6,29 @@
}:
{
systemd.tmpfiles.rules = [
"d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
"d '/data/srv/www/os/download/' 0750 ${config.pub-solar-os.authentication.robot.username} ${config.pub-solar-os.authentication.robot.username} - -"
];
services.caddy = {
enable = lib.mkForce true;
group = "hakkonaut";
email = "admins@pub.solar";
group = config.pub-solar-os.authentication.robot.username;
email = config.pub-solar-os.adminEmail;
enableReload = true;
globalConfig = lib.mkForce ''
grace_period 60s
'';
virtualHosts = {
"ci.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :4000
'';
};
"flora-6.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
basicauth * {
hakkonaut $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
}
reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
'';
};
"grafana.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :${toString config.services.grafana.settings.server.http_port}
'';
};
"obs-portal.pub.solar" = {
logFormat = lib.mkForce ''
output discard
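Review bot: The basicauth entry on the `flora-6.pub.solar` vhost now takes its username from `config.pub-solar-os.authentication.robot.username` while the bcrypt hash beside it remains a fixed literal, so a host that overrides that option ends up with a basicauth user whose password was never provisioned for it. Either expose the hash as a sibling option next to `robot.username` (a constructed name such as `robot.basicAuthHash`) or add a comment on that line, `# hash belongs to the default robot user; regenerate it if robot.username is overridden`. The tmpfiles rule and `services.caddy.group` above have the same coupling, which is fine only as long as the robot group keeps the user's name, as the new users.nix on this page currently guarantees. The enclosing `services.caddy` attribute set continues outside the hunk.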


@ -30,6 +30,15 @@
"d '/var/lib/drone-db' 0750 drone drone - -"
];
services.caddy.virtualHosts."ci.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :4000
'';
};
systemd.services."docker-network-drone" =
let
docker = config.virtualisation.oci-containers.backend;
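Review bot: The new `services.caddy.virtualHosts."ci.pub.solar"` hard-codes both the hostname and the backend port `:4000`, even though this commit introduces `pub-solar-os.networking.domain` for exactly this purpose; `"ci.${config.pub-solar-os.networking.domain}"` would keep the vhost consistent with the hosts entries in the new networking.nix. The `grafana.pub.solar` vhost added in grafana.nix has the same hard-coded domain, though it at least derives its port from `config.services.grafana.settings.server.http_port`. `config` is already in scope here, as the `docker-network-drone` service below shows. The enclosing module attribute set starts and ends outside the hunk.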


@ -33,6 +33,15 @@
};
};
services.caddy.virtualHosts."grafana.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :${toString config.services.grafana.settings.server.http_port}
'';
};
services.grafana = {
enable = true;
settings = {


@ -5,7 +5,7 @@ let
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-XSS-Protection "1; mode=block";
'';
clientConfig = import ./matrix/element-client-config.nix { inherit lib pkgs; };
clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
wellKnownClient = domain: {
"m.homeserver".base_url = "https://matrix.${domain}";
"m.identity_server".base_url = "https://matrix.${domain}";


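--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -0,0 +1,35 @@
+{ pkgs, config, flake, lib, ... }: {
+imports = [
+./nix.nix
+./networking.nix
+./terminal-tooling.nix
+./users.nix
+];
+options.pub-solar-os = with lib; {
+adminEmail = mkOption {
+description = "Email address to use for administrative stuff like ACME";
+type = types.str;
+default = "admins@pub.solar";
+};
+};
+config = {
+environment = {
+# Just a couple of global packages to make our lives easier
+systemPackages = with pkgs; [ git vim wget ];
+};
+# Select internationalization properties
+console = {
+font = "Lat2-Terminus16";
+keyMap = "us";
+};
+time.timeZone = "Etc/UTC";
+home-manager.users.${config.pub-solar-os.authentication.username} = {
+home.stateVersion = "23.05";
+};
+};
+}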
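Review bot: `flake` is bound in the module's argument list but never referenced in the body; only `pkgs`, `config` and `lib` are used, so the signature can shrink to `{ pkgs, config, lib, ... }: {` (imported modules receive their own arguments from the module system, not from this file). `home.stateVersion = "23.05"` is a bare literal that must not be bumped on already-deployed hosts; a one-line comment such as `# do not change on existing hosts; affects home-manager migrations` would save the next maintainer a detour.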


@ -0,0 +1,67 @@
{
pkgs,
lib,
config,
...
}: {
options.pub-solar-os.networking = with lib; {
domain = mkOption {
description = "domain on which all services should run. This defaults to pub.solar";
type = types.str;
default = "pub.solar";
};
defaultInterface = mkOption {
description = "Network interface which should be used as the default internet-connected one";
type = types.nullOr types.str;
};
};
config = {
# Don't expose SSH via public interfaces
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
networking.hosts = {
"10.7.6.1" = ["nachtigall.${config.pub-solar-os.networking.domain}"];
"10.7.6.2" = ["flora-6.${config.pub-solar-os.networking.domain}"];
};
services.openssh = {
enable = true;
openFirewall = lib.mkDefault false;
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
# Add back openssh MACs that got removed from defaults
# for backwards compatibility
#
# NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
# This breaks compatibilty with clients that do not offer these MACs. For
# compatibility reasons, we add back the old defaults.
# See: https://github.com/NixOS/nixpkgs/pull/231165
#
# https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
# https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
};
};
services.resolved = {
enable = true;
extraConfig = ''
DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
Domains=~.
DNSOverTLS=yes
'';
};
};
}
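Review bot: `defaultInterface` is declared with `types.nullOr types.str` but no `default`, so any module that reads `config.pub-solar-os.networking.defaultInterface` on a host that does not set it fails evaluation with "option ... is used but not defined"; `nullOr` does not imply a `null` default. Adding `default = null;` to the option makes the "unset" case explicit and safe to read. Nothing on this page reads the option yet, so the issue will only surface once a consumer exists.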


@ -41,7 +41,7 @@
nixPath = [
"nixpkgs=${flake.inputs.nixpkgs}"
"nixos-config=${../lib/compat/nixos}"
"nixos-config=${../../lib/compat/nixos}"
"home-manager=${flake.inputs.home-manager}"
];
};


@ -1,5 +1,5 @@
{ flake, ... }: {
home-manager.users.${flake.self.username} = {
{ flake, config, ... }: {
home-manager.users.${config.pub-solar-os.authentication.username} = {
programs.git.enable = true;
programs.starship.enable = true;
programs.bash.enable = true;

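--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@@ -0,0 +1,70 @@
+{
+flake,
+pkgs,
+lib,
+config,
+...
+}: {
+options.pub-solar-os.authentication = with lib; {
+username = mkOption {
+description = "Username for the adminstrative user";
+type = types.str;
+default = flake.self.username;
+};
+sshPubKeys = mkOption {
+description = "SSH Keys that should have administrative root access";
+type = types.listOf types.str;
+default = flake.self.logins.admins.sshPubKeys;
+};
+root.initialHashedPassword = mkOption {
+description = "Hashed password of the root account";
+type = types.str;
+default = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
+};
+robot.username = mkOption {
+description = "username for the robot user";
+type = types.str;
+default = "hakkonaut";
+};
+robot.sshPubKeys = mkOption {
+description = "SSH Keys to use for the robot user";
+type = types.listOf types.str;
+default = flake.self.logins.robots.sshPubKeys;
+};
+};
+config = {
+users.users.${config.pub-solar-os.authentication.username} = {
+name = config.pub-solar-os.authentication.username;
+group = config.pub-solar-os.authentication.username;
+extraGroups = [ "wheel" "docker" ];
+isNormalUser = true;
+openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+};
+users.groups.${config.pub-solar-os.authentication.username} = { };
+# TODO: Remove when we stop locking ourselves out.
+users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+users.users.${config.pub-solar-os.authentication.robot.username} = {
+description = "CI and automation user";
+home = "/home/${config.pub-solar-os.authentication.robot.username}";
+createHome = true;
+useDefaultShell = true;
+uid = 998;
+group = "${config.pub-solar-os.authentication.robot.username}";
+isSystemUser = true;
+openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+};
+users.groups.${config.pub-solar-os.authentication.robot.username} = { };
+users.users.root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
+security.sudo.wheelNeedsPassword = false;
+};
+}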
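Review bot: `root.initialHashedPassword` ships a concrete password hash as the option default, so every host that imports `core` gets the same root password unless it explicitly overrides the option; the deleted users.nix set it unconditionally, but turning it into a default makes it easy to forget on a newly added host. Declaring the option without a `default` (each host then has to provide the value, ideally from its secrets handling) makes the requirement explicit, and the description should state that the value is a crypt(3)-format hash consumed by `users.users.root.initialHashedPassword`. Two smaller points: `uid = 998` for the robot account stays fixed while its name became configurable, and the `username` option description has a typo, `description = "Username for the administrative user";`.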


@ -2,38 +2,43 @@
{
flake = {
nixosModules = rec {
nix = import ./nix.nix;
networking = import ./networking.nix;
core = import ./core;
unlock-zfs-on-boot = import ./unlock-zfs-on-boot.nix;
docker = import ./docker.nix;
terminal-tooling = import ./terminal-tooling.nix;
users = import ./users.nix;
core = { pkgs, ... }: {
imports = [
nix
networking
terminal-tooling
users
];
environment = {
# Just a couple of global packages to make our lives easier
systemPackages = with pkgs; [ git vim wget ];
};
# Select internationalization properties
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
time.timeZone = "Etc/UTC";
home-manager.users.${self.username} = {
home.stateVersion = "23.05";
};
};
caddy = import ./apps/caddy.nix;
collabora = import ./apps/collabora.nix;
coturn = import ./apps/coturn.nix;
drone = import ./apps/drone.nix;
forgejo-actions-runner = import ./apps/forgejo/forgejo-actions-runner.nix;
forgejo = import ./apps/forgejo/forgejo.nix;
grafana = import ./apps/grafana/grafana.nix;
keycloak = import ./apps/keycloak.nix;
loki = import ./apps/loki.nix;
mailman = import ./apps/mailman.nix;
mastodon = import ./apps/mastodon/mastodon.nix;
nginx-mastodon = import ./apps/mastodon/nginx-mastodon.nix;
nginx-mastodon-files = import ./apps/mastodon/nginx-mastodon-files.nix;
matrix = import ./apps/matrix/synapse.nix;
nginx-matrix = import ./apps/matrix/nginx-matrix.nix;
matrix-telegram = import ./apps/matrix/mautrix-telegram.nix;
matrix-irc = import ./apps/matrix/irc.nix;
mediawiki = import ./apps/mediawiki.nix;
nextcloud = import ./apps/nextcloud/nextcloud.nix;
nginx-website-miom = import ./apps/nginx-website-miom.nix;
nginx-website = import ./apps/nginx-website.nix;
nginx = import ./apps/nginx.nix;
obs-portal = import ./apps/obs-portal.nix;
opensearch = import ./apps/opensearch.nix;
owncast = import ./apps/owncast.nix;
postgresql = import ./apps/postgresql.nix;
prometheus = import ./apps/prometheus/prometheus.nix;
prometheus-exporters = import ./apps/prometheus/prometheus-exporters.nix;
nginx-prometheus-exporters = import ./apps/prometheus/nginx-prometheus-exporters.nix;
promtail = import ./apps/promtail.nix;
searx = import ./apps/searx.nix;
tmate = import ./apps/tmate.nix;
};
};
}
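Review bot: `nixosModules` is still declared `rec` although after this change no attribute references a sibling — the self-references lived in the inline `core` definition that is now `import ./core` — so `rec` can be dropped, `nixosModules = {`. Note also that `nix`, `networking`, `terminal-tooling` and `users` are no longer exported as individual modules; any host or flake output that still refers to `self.nixosModules.users` (nothing on this page does) will fail evaluation. The enclosing `flake` attribute set starts before the hunk.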


@ -1,46 +0,0 @@
{ pkgs, lib, ... }: {
# Don't expose SSH via public interfaces
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
networking.hosts = {
"10.7.6.1" = ["nachtigall.pub.solar"];
"10.7.6.2" = ["flora-6.pub.solar"];
};
services.openssh = {
enable = true;
openFirewall = lib.mkDefault false;
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
# Add back openssh MACs that got removed from defaults
# for backwards compatibility
#
# NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
# This breaks compatibilty with clients that do not offer these MACs. For
# compatibility reasons, we add back the old defaults.
# See: https://github.com/NixOS/nixpkgs/pull/231165
#
# https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
# https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
};
};
services.resolved = {
enable = true;
extraConfig = ''
DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
Domains=~.
DNSOverTLS=yes
'';
};
}


@ -1,4 +1,4 @@
{ flake, ... }: {
{ flake, config, ... }: {
# From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot
boot.initrd.network = {
enable = true;
@ -10,7 +10,7 @@
# Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = flake.self.logins.admins.sshPubKeys;
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
};
# this will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue
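Review bot: `flake` is still destructured next to the new `config` argument, but the second hunk replaces what looks like its only use (`authorizedKeys`); if nothing else in the file reads it, the signature can become `{ config, ... }: {`. The remainder of the file is outside the two hunks, so this is a point to verify rather than a confirmed unused binding.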


@ -1,30 +0,0 @@
{ flake, pkgs, ... }: {
users.users.${flake.self.username} = {
name = flake.self.username;
group = flake.self.username;
extraGroups = [ "wheel" "docker" ];
isNormalUser = true;
openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
};
users.groups.${flake.self.username} = { };
# TODO: Remove when we stop locking ourselves out.
users.users.root.openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
users.users.hakkonaut = {
description = "CI and automation user";
home = "/home/hakkonaut";
createHome = true;
useDefaultShell = true;
uid = 998;
group = "hakkonaut";
isSystemUser = true;
openssh.authorizedKeys.keys = flake.self.logins.robots.sshPubKeys;
};
users.groups.hakkonaut = { };
users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
security.sudo.wheelNeedsPassword = false;
}

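--- a/tests/website.nix
+++ b/tests/website.nix
@@ -0,0 +1,23 @@
+{
+self,
+pkgs,
+lib,
+config,
+...
+}: {
+name = "website";
+nodes.nachtigall-test = self.nixosConfigurations.nachtigall-test;
+node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
+hostPkgs = pkgs;
+enableOCR = true;
+testScript = ''
+machine.wait_for_unit("system.slice")
+machine.succeed("ping 127.0.0.1 -c 2")
+machine.wait_for_unit("nginx.service")
+machine.succeed("curl -H 'Host:pub.solar' http://127.0.0.1/")
+'';
+}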
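Review bot: `node.specialArgs` is taken from `self.outputs.nixosConfigurations.nachtigall` while the node under test is `nachtigall-test`; if both configurations are built with the same special arguments this works, but if `nachtigall-test` has its own, the mismatch is surprising enough to deserve either a comment (`# nachtigall-test shares nachtigall's specialArgs`) or the same name on both lines. `lib` and `config` are destructured but unused in the body. The curl check also hard-codes `Host:pub.solar`, whereas the commit introduces `pub-solar-os.networking.domain`; reading it from the node config would keep the test aligned with the host, assuming the test framework exposes the node config to `testScript` in this setup.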