diff --git a/hosts/default.nix b/hosts/default.nix index 45563ee0..ffd9fca0 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -11,6 +11,33 @@ self.nixosModules.unlock-zfs-on-boot self.nixosModules.core self.nixosModules.docker + + self.nixosModules.nginx + self.nixosModules.collabora + self.nixosModules.coturn + self.nixosModules.forgejo + self.nixosModules.keycloak + self.nixosModules.mailman + self.nixosModules.mastodon + self.nixosModules.nginx-mastodon + self.nixosModules.nginx-mastodon-files + self.nixosModules.mediawiki + self.nixosModules.nextcloud + self.nixosModules.nginx-prometheus-exporters + self.nixosModules.nginx-website + self.nixosModules.nginx-website-miom + self.nixosModules.opensearch + self.nixosModules.owncast + self.nixosModules.postgresql + self.nixosModules.prometheus-exporters + self.nixosModules.promtail + self.nixosModules.searx + self.nixosModules.tmate + self.nixosModules.obs-portal + self.nixosModules.matrix + self.nixosModules.matrix-irc + self.nixosModules.matrix-telegram + self.nixosModules.nginx-matrix ]; }; @@ -21,6 +48,13 @@ ./flora-6 self.nixosModules.overlays self.nixosModules.core + + self.nixosModules.caddy + self.nixosModules.drone + self.nixosModules.forgejo-actions-runner + self.nixosModules.grafana + self.nixosModules.prometheus + self.nixosModules.loki ]; }; }; diff --git a/hosts/flora-6/default.nix b/hosts/flora-6/default.nix index 17910211..2175012b 100644 --- a/hosts/flora-6/default.nix +++ b/hosts/flora-6/default.nix @@ -8,13 +8,5 @@ ./configuration.nix ./triton-vmtools.nix ./wireguard.nix - - ./apps/caddy.nix - - ./apps/drone.nix - ./apps/forgejo-actions-runner.nix - ./apps/grafana.nix - ./apps/prometheus.nix - ./apps/loki.nix ]; } diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 8e1455e0..7ba250a1 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix 
@@ -10,33 +10,6 @@ ./networking.nix ./wireguard.nix ./backups.nix - ./apps/nginx.nix - ./apps/collabora.nix - ./apps/coturn.nix - ./apps/forgejo.nix - ./apps/keycloak.nix - ./apps/mailman.nix - ./apps/mastodon.nix - ./apps/mediawiki.nix - ./apps/nextcloud.nix - ./apps/nginx-mastodon.nix - ./apps/nginx-mastodon-files.nix - ./apps/nginx-prometheus-exporters.nix - ./apps/nginx-website.nix - ./apps/nginx-website-miom.nix - ./apps/opensearch.nix - ./apps/owncast.nix - ./apps/postgresql.nix - ./apps/prometheus-exporters.nix - ./apps/promtail.nix - ./apps/searx.nix - ./apps/tmate.nix - ./apps/obs-portal.nix - - ./apps/matrix/irc.nix - ./apps/matrix/mautrix-telegram.nix - ./apps/matrix/synapse.nix - ./apps/nginx-matrix.nix ]; } diff --git a/hosts/flora-6/apps/caddy.nix b/modules/apps/caddy.nix similarity index 58% rename from hosts/flora-6/apps/caddy.nix rename to modules/apps/caddy.nix index cf70d8d8..cc3acf61 100644 --- a/hosts/flora-6/apps/caddy.nix +++ b/modules/apps/caddy.nix 
@@ -6,45 +6,29 @@ }: { systemd.tmpfiles.rules = [ - "d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -" + "d '/data/srv/www/os/download/' 0750 ${config.pub-solar-os.authentication.robot.username} ${config.pub-solar-os.authentication.robot.username} - -" ]; services.caddy = { enable = lib.mkForce true; - group = "hakkonaut"; - email = "admins@pub.solar"; + group = config.pub-solar-os.authentication.robot.username; + email = config.pub-solar-os.adminEmail; enableReload = true; globalConfig = lib.mkForce '' grace_period 60s ''; virtualHosts = { - "ci.pub.solar" = { - logFormat = lib.mkForce '' - output discard - ''; - extraConfig = '' - reverse_proxy :4000 - ''; - }; "flora-6.pub.solar" = { logFormat = lib.mkForce '' output discard ''; extraConfig = '' basicauth * { - hakkonaut $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t. + ${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t. } reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port} ''; }; - "grafana.pub.solar" = { - logFormat = lib.mkForce '' - output discard - ''; - extraConfig = '' - reverse_proxy :${toString config.services.grafana.settings.server.http_port} - ''; - }; "obs-portal.pub.solar" = { logFormat = lib.mkForce '' output discard diff --git a/hosts/nachtigall/apps/collabora.nix b/modules/apps/collabora.nix similarity index 100% rename from hosts/nachtigall/apps/collabora.nix rename to modules/apps/collabora.nix diff --git a/hosts/nachtigall/apps/coturn.nix b/modules/apps/coturn.nix similarity index 100% rename from hosts/nachtigall/apps/coturn.nix rename to modules/apps/coturn.nix diff --git a/hosts/flora-6/apps/drone.nix b/modules/apps/drone.nix similarity index 94% rename from hosts/flora-6/apps/drone.nix rename to modules/apps/drone.nix index 9620d2bd..84d254e3 100644 --- a/hosts/flora-6/apps/drone.nix +++ b/modules/apps/drone.nix 
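Review bot: The basicauth line now takes the username from `config.pub-solar-os.authentication.robot.username` but keeps the bcrypt hash hard-coded, so a host that overrides the robot username still authenticates with the credential baked into this file. Consider exposing the hash as an option beside the username (or reading it from a secrets file) so the two are configured together, and keep in mind that whatever ends up in the generated Caddyfile is world-readable in the Nix store. The `"flora-6.pub.solar"` vhost and the surrounding `services.caddy` block continue past the end of the hunk.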
@@ -30,6 +30,15 @@ "d '/var/lib/drone-db' 0750 drone drone - -" ]; + services.caddy.virtualHosts."ci.pub.solar" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + reverse_proxy :4000 + ''; + }; + systemd.services."docker-network-drone" = let docker = config.virtualisation.oci-containers.backend; diff --git a/hosts/flora-6/apps/forgejo-actions-runner.nix b/modules/apps/forgejo/forgejo-actions-runner.nix similarity index 100% rename from hosts/flora-6/apps/forgejo-actions-runner.nix rename to modules/apps/forgejo/forgejo-actions-runner.nix diff --git a/hosts/nachtigall/apps/forgejo.nix b/modules/apps/forgejo/forgejo.nix similarity index 100% rename from hosts/nachtigall/apps/forgejo.nix rename to modules/apps/forgejo/forgejo.nix diff --git a/hosts/flora-6/apps/grafana-dashboards/node-exporter-full_rev33.json b/modules/apps/grafana/grafana-dashboards/node-exporter-full_rev33.json similarity index 100% rename from hosts/flora-6/apps/grafana-dashboards/node-exporter-full_rev33.json rename to modules/apps/grafana/grafana-dashboards/node-exporter-full_rev33.json diff --git a/hosts/flora-6/apps/grafana-dashboards/synapse.json b/modules/apps/grafana/grafana-dashboards/synapse.json similarity index 100% rename from hosts/flora-6/apps/grafana-dashboards/synapse.json rename to modules/apps/grafana/grafana-dashboards/synapse.json diff --git a/hosts/flora-6/apps/grafana.nix b/modules/apps/grafana/grafana.nix similarity index 93% rename from hosts/flora-6/apps/grafana.nix rename to modules/apps/grafana/grafana.nix index ceb63773..cbd7ba8c 100644 --- a/hosts/flora-6/apps/grafana.nix +++ b/modules/apps/grafana/grafana.nix @@ -33,6 +33,15 @@ }; }; + services.caddy.virtualHosts."grafana.pub.solar" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + reverse_proxy :${toString config.services.grafana.settings.server.http_port} + ''; + }; + services.grafana = { enable = true; settings = { 
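Review bot: The relocated `ci.pub.solar` vhost hardcodes `reverse_proxy :4000`, while the grafana hunk in this same commit derives its port from `config.services.grafana.settings.server.http_port`. If the drone container's published port is declared elsewhere in this module (not visible in the hunk), referencing it the same way would stop the proxy target and the container port from drifting apart. The enclosing module continues outside the hunk.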
diff --git a/hosts/nachtigall/apps/keycloak.nix b/modules/apps/keycloak.nix similarity index 100% rename from hosts/nachtigall/apps/keycloak.nix rename to modules/apps/keycloak.nix diff --git a/hosts/flora-6/apps/loki.nix b/modules/apps/loki.nix similarity index 100% rename from hosts/flora-6/apps/loki.nix rename to modules/apps/loki.nix diff --git a/hosts/nachtigall/apps/mailman.nix b/modules/apps/mailman.nix similarity index 100% rename from hosts/nachtigall/apps/mailman.nix rename to modules/apps/mailman.nix diff --git a/hosts/nachtigall/apps/mastodon.nix b/modules/apps/mastodon/mastodon.nix similarity index 100% rename from hosts/nachtigall/apps/mastodon.nix rename to modules/apps/mastodon/mastodon.nix diff --git a/hosts/nachtigall/apps/nginx-mastodon-files.nix b/modules/apps/mastodon/nginx-mastodon-files.nix similarity index 100% rename from hosts/nachtigall/apps/nginx-mastodon-files.nix rename to modules/apps/mastodon/nginx-mastodon-files.nix diff --git a/hosts/nachtigall/apps/nginx-mastodon.nix b/modules/apps/mastodon/nginx-mastodon.nix similarity index 100% rename from hosts/nachtigall/apps/nginx-mastodon.nix rename to modules/apps/mastodon/nginx-mastodon.nix diff --git a/hosts/nachtigall/apps/matrix/element-client-config.nix b/modules/apps/matrix/element-client-config.nix similarity index 100% rename from hosts/nachtigall/apps/matrix/element-client-config.nix rename to modules/apps/matrix/element-client-config.nix diff --git a/hosts/nachtigall/apps/matrix/irc.nix b/modules/apps/matrix/irc.nix similarity index 100% rename from hosts/nachtigall/apps/matrix/irc.nix rename to modules/apps/matrix/irc.nix diff --git a/hosts/nachtigall/apps/matrix/matrix-log-config.yaml b/modules/apps/matrix/matrix-log-config.yaml similarity index 100% rename from hosts/nachtigall/apps/matrix/matrix-log-config.yaml rename to modules/apps/matrix/matrix-log-config.yaml 
diff --git a/hosts/nachtigall/apps/matrix/mautrix-telegram.nix b/modules/apps/matrix/mautrix-telegram.nix similarity index 100% rename from hosts/nachtigall/apps/matrix/mautrix-telegram.nix rename to modules/apps/matrix/mautrix-telegram.nix diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/modules/apps/matrix/nginx-matrix.nix similarity index 98% rename from hosts/nachtigall/apps/nginx-matrix.nix rename to modules/apps/matrix/nginx-matrix.nix index a65a3dce..b8f82657 100644 --- a/hosts/nachtigall/apps/nginx-matrix.nix +++ b/modules/apps/matrix/nginx-matrix.nix @@ -5,7 +5,7 @@ let add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-XSS-Protection "1; mode=block"; ''; - clientConfig = import ./matrix/element-client-config.nix { inherit lib pkgs; }; + clientConfig = import ./element-client-config.nix { inherit lib pkgs; }; wellKnownClient = domain: { "m.homeserver".base_url = "https://matrix.${domain}"; "m.identity_server".base_url = "https://matrix.${domain}"; diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/modules/apps/matrix/synapse.nix similarity index 100% rename from hosts/nachtigall/apps/matrix/synapse.nix rename to modules/apps/matrix/synapse.nix diff --git a/hosts/nachtigall/apps/mediawiki.nix b/modules/apps/mediawiki.nix similarity index 100% rename from hosts/nachtigall/apps/mediawiki.nix rename to modules/apps/mediawiki.nix diff --git a/hosts/nachtigall/apps/nextcloud-skeleton/Documents/Example.odt b/modules/apps/nextcloud/nextcloud-skeleton/Documents/Example.odt similarity index 100% rename from hosts/nachtigall/apps/nextcloud-skeleton/Documents/Example.odt rename to modules/apps/nextcloud/nextcloud-skeleton/Documents/Example.odt 
diff --git a/hosts/nachtigall/apps/nextcloud-skeleton/Pictures/pubsolar.png b/modules/apps/nextcloud/nextcloud-skeleton/Pictures/pubsolar.png similarity index 100% rename from hosts/nachtigall/apps/nextcloud-skeleton/Pictures/pubsolar.png rename to modules/apps/nextcloud/nextcloud-skeleton/Pictures/pubsolar.png diff --git a/hosts/nachtigall/apps/nextcloud-skeleton/Pictures/pubsolar.svg b/modules/apps/nextcloud/nextcloud-skeleton/Pictures/pubsolar.svg similarity index 100% rename from hosts/nachtigall/apps/nextcloud-skeleton/Pictures/pubsolar.svg rename to modules/apps/nextcloud/nextcloud-skeleton/Pictures/pubsolar.svg diff --git a/hosts/nachtigall/apps/nextcloud-skeleton/Readme.md b/modules/apps/nextcloud/nextcloud-skeleton/Readme.md similarity index 100% rename from hosts/nachtigall/apps/nextcloud-skeleton/Readme.md rename to modules/apps/nextcloud/nextcloud-skeleton/Readme.md diff --git a/hosts/nachtigall/apps/nextcloud.nix b/modules/apps/nextcloud/nextcloud.nix similarity index 100% rename from hosts/nachtigall/apps/nextcloud.nix rename to modules/apps/nextcloud/nextcloud.nix diff --git a/hosts/nachtigall/apps/nginx-website-miom.nix b/modules/apps/nginx-website-miom.nix similarity index 100% rename from hosts/nachtigall/apps/nginx-website-miom.nix rename to modules/apps/nginx-website-miom.nix diff --git a/hosts/nachtigall/apps/nginx-website.nix b/modules/apps/nginx-website.nix similarity index 100% rename from hosts/nachtigall/apps/nginx-website.nix rename to modules/apps/nginx-website.nix diff --git a/hosts/nachtigall/apps/nginx.nix b/modules/apps/nginx.nix similarity index 100% rename from hosts/nachtigall/apps/nginx.nix rename to modules/apps/nginx.nix diff --git a/hosts/nachtigall/apps/obs-portal.nix b/modules/apps/obs-portal.nix similarity index 100% rename from hosts/nachtigall/apps/obs-portal.nix rename to modules/apps/obs-portal.nix 
diff --git a/hosts/nachtigall/apps/opensearch.nix b/modules/apps/opensearch.nix similarity index 100% rename from hosts/nachtigall/apps/opensearch.nix rename to modules/apps/opensearch.nix diff --git a/hosts/nachtigall/apps/owncast.nix b/modules/apps/owncast.nix similarity index 100% rename from hosts/nachtigall/apps/owncast.nix rename to modules/apps/owncast.nix diff --git a/hosts/nachtigall/apps/postgresql.nix b/modules/apps/postgresql.nix similarity index 100% rename from hosts/nachtigall/apps/postgresql.nix rename to modules/apps/postgresql.nix diff --git a/hosts/nachtigall/apps/nginx-prometheus-exporters.nix b/modules/apps/prometheus/nginx-prometheus-exporters.nix similarity index 100% rename from hosts/nachtigall/apps/nginx-prometheus-exporters.nix rename to modules/apps/prometheus/nginx-prometheus-exporters.nix diff --git a/hosts/nachtigall/apps/prometheus-exporters.nix b/modules/apps/prometheus/prometheus-exporters.nix similarity index 100% rename from hosts/nachtigall/apps/prometheus-exporters.nix rename to modules/apps/prometheus/prometheus-exporters.nix diff --git a/hosts/flora-6/apps/prometheus.nix b/modules/apps/prometheus/prometheus.nix similarity index 100% rename from hosts/flora-6/apps/prometheus.nix rename to modules/apps/prometheus/prometheus.nix diff --git a/hosts/nachtigall/apps/promtail.nix b/modules/apps/promtail.nix similarity index 100% rename from hosts/nachtigall/apps/promtail.nix rename to modules/apps/promtail.nix diff --git a/hosts/nachtigall/apps/searx.nix b/modules/apps/searx.nix similarity index 100% rename from hosts/nachtigall/apps/searx.nix rename to modules/apps/searx.nix diff --git a/hosts/nachtigall/apps/tmate.nix b/modules/apps/tmate.nix similarity index 100% rename from hosts/nachtigall/apps/tmate.nix rename to modules/apps/tmate.nix diff --git a/modules/core/default.nix b/modules/core/default.nix new file mode 100644 index 00000000..a15dbbc5 --- /dev/null +++ b/modules/core/default.nix 
@@ -0,0 +1,35 @@ +{ pkgs, config, flake, lib, ... }: { + imports = [ + ./nix.nix + ./networking.nix + ./terminal-tooling.nix + ./users.nix + ]; + + options.pub-solar-os = with lib; { + adminEmail = mkOption { + description = "Email address to use for administrative stuff like ACME"; + type = types.str; + default = "admins@pub.solar"; + }; + }; + + config = { + environment = { + # Just a couple of global packages to make our lives easier + systemPackages = with pkgs; [ git vim wget ]; + }; + + # Select internationalization properties + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + time.timeZone = "Etc/UTC"; + + home-manager.users.${config.pub-solar-os.authentication.username} = { + home.stateVersion = "23.05"; + }; + }; +} diff --git a/modules/core/networking.nix b/modules/core/networking.nix new file mode 100644 index 00000000..37865f7c --- /dev/null +++ b/modules/core/networking.nix 
@@ -0,0 +1,67 @@ +{ + pkgs, + lib, + config, + ... +}: { + options.pub-solar-os.networking = with lib; { + domain = mkOption { + description = "domain on which all services should run. This defaults to pub.solar"; + type = types.str; + default = "pub.solar"; + }; + + defaultInterface = mkOption { + description = "Network interface which should be used as the default internet-connected one"; + type = types.nullOr types.str; + }; + }; + + config = { + + # Don't expose SSH via public interfaces + networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ]; + + networking.hosts = { + "10.7.6.1" = ["nachtigall.${config.pub-solar-os.networking.domain}"]; + "10.7.6.2" = ["flora-6.${config.pub-solar-os.networking.domain}"]; + }; + + services.openssh = { + enable = true; + openFirewall = lib.mkDefault false; + settings = { + PermitRootLogin = "prohibit-password"; + PasswordAuthentication = false; + # Add back openssh MACs that got removed from defaults + # for backwards compatibility + # + # NixOS default openssh MACs have changed to use "encrypt-then-mac" only. + # This breaks compatibilty with clients that do not offer these MACs. For + # compatibility reasons, we add back the old defaults. + # See: https://github.com/NixOS/nixpkgs/pull/231165 + # + # https://blog.stribik.technology/2015/01/04/secure-secure-shell.html + # https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 + Macs = [ + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + "hmac-sha2-512" + "hmac-sha2-256" + "umac-128@openssh.com" + ]; + }; + }; + + services.resolved = { + enable = true; + extraConfig = '' + DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net + FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net + Domains=~. 
+ DNSOverTLS=yes + ''; + }; + }; +} diff --git a/modules/nix.nix b/modules/core/nix.nix similarity index 95% rename from modules/nix.nix rename to modules/core/nix.nix index 4585a04f..c662f4de 100644 --- a/modules/nix.nix +++ b/modules/core/nix.nix @@ -41,7 +41,7 @@ nixPath = [ "nixpkgs=${flake.inputs.nixpkgs}" - "nixos-config=${../lib/compat/nixos}" + "nixos-config=${../../lib/compat/nixos}" "home-manager=${flake.inputs.home-manager}" ]; }; diff --git a/modules/terminal-tooling.nix b/modules/core/terminal-tooling.nix similarity index 79% rename from modules/terminal-tooling.nix rename to modules/core/terminal-tooling.nix index c0d00505..bb7853b7 100644 --- a/modules/terminal-tooling.nix +++ b/modules/core/terminal-tooling.nix @@ -1,5 +1,5 @@ -{ flake, ... }: { - home-manager.users.${flake.self.username} = { +{ flake, config, ... }: { + home-manager.users.${config.pub-solar-os.authentication.username} = { programs.git.enable = true; programs.starship.enable = true; programs.bash.enable = true; diff --git a/modules/core/users.nix b/modules/core/users.nix new file mode 100644 index 00000000..3df4a1c5 --- /dev/null +++ b/modules/core/users.nix 
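Review bot: `defaultInterface` is declared as `types.nullOr types.str` without a `default`, so evaluating `config.pub-solar-os.networking.defaultInterface` on a host that never sets it fails with an "is used but not defined" error instead of yielding null; add `default = null;` to the option. The `domain` description would also read better as `description = "Domain on which all services should run; defaults to pub.solar";`.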
@@ -0,0 +1,70 @@ +{ + flake, + pkgs, + lib, + config, + ... +}: { + options.pub-solar-os.authentication = with lib; { + username = mkOption { + description = "Username for the adminstrative user"; + type = types.str; + default = flake.self.username; + }; + + sshPubKeys = mkOption { + description = "SSH Keys that should have administrative root access"; + type = types.listOf types.str; + default = flake.self.logins.admins.sshPubKeys; + }; + + root.initialHashedPassword = mkOption { + description = "Hashed password of the root account"; + type = types.str; + default = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32"; + }; + + robot.username = mkOption { + description = "username for the robot user"; + type = types.str; + default = "hakkonaut"; + }; + + robot.sshPubKeys = mkOption { + description = "SSH Keys to use for the robot user"; + type = types.listOf types.str; + default = flake.self.logins.robots.sshPubKeys; + }; + }; + + config = { + users.users.${config.pub-solar-os.authentication.username} = { + name = config.pub-solar-os.authentication.username; + group = config.pub-solar-os.authentication.username; + extraGroups = [ "wheel" "docker" ]; + isNormalUser = true; + openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; + }; + users.groups.${config.pub-solar-os.authentication.username} = { }; + + # TODO: Remove when we stop locking ourselves out. 
+ users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; + + users.users.${config.pub-solar-os.authentication.robot.username} = { + description = "CI and automation user"; + home = "/home/${config.pub-solar-os.authentication.robot.username}"; + createHome = true; + useDefaultShell = true; + uid = 998; + group = "${config.pub-solar-os.authentication.robot.username}"; + isSystemUser = true; + openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys; + }; + + users.groups.${config.pub-solar-os.authentication.robot.username} = { }; + + users.users.root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword; + + security.sudo.wheelNeedsPassword = false; + }; +} diff --git a/modules/default.nix b/modules/default.nix index b8a037db..093e9b52 100644 --- a/modules/default.nix +++ b/modules/default.nix 
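Review bot: `root.initialHashedPassword` ships a concrete hash as its `default`, so every host that imports this module without overriding it ends up with the same root password, and that hash is readable in the Nix store on each of them; dropping the default (or typing the option `types.nullOr types.str` with `default = null`) forces each host to set its own. The description should also say that this value only applies when the account is first created, e.g. `description = "Hashed password for root, applied only when the account is first created";`. Minor: `description = "Username for the adminstrative user"` has a typo (administrative), and `group = "${config.pub-solar-os.authentication.robot.username}";` can drop the interpolation.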
@@ -2,38 +2,43 @@ { flake = { nixosModules = rec { - nix = import ./nix.nix; - networking = import ./networking.nix; + core = import ./core; + unlock-zfs-on-boot = import ./unlock-zfs-on-boot.nix; docker = import ./docker.nix; - terminal-tooling = import ./terminal-tooling.nix; - users = import ./users.nix; - core = { pkgs, ... }: { - imports = [ - nix - networking - terminal-tooling - users - ]; - - environment = { - # Just a couple of global packages to make our lives easier - systemPackages = with pkgs; [ git vim wget ]; - }; - - # Select internationalization properties - console = { - font = "Lat2-Terminus16"; - keyMap = "us"; - }; - - time.timeZone = "Etc/UTC"; - - home-manager.users.${self.username} = { - home.stateVersion = "23.05"; - }; - }; + caddy = import ./apps/caddy.nix; + collabora = import ./apps/collabora.nix; + coturn = import ./apps/coturn.nix; + drone = import ./apps/drone.nix; + forgejo-actions-runner = import ./apps/forgejo/forgejo-actions-runner.nix; + forgejo = import ./apps/forgejo/forgejo.nix; + grafana = import ./apps/grafana/grafana.nix; + keycloak = import ./apps/keycloak.nix; + loki = import ./apps/loki.nix; + mailman = import ./apps/mailman.nix; + mastodon = import ./apps/mastodon/mastodon.nix; + nginx-mastodon = import ./apps/mastodon/nginx-mastodon.nix; + nginx-mastodon-files = import ./apps/mastodon/nginx-mastodon-files.nix; + matrix = import ./apps/matrix/synapse.nix; + nginx-matrix = import ./apps/matrix/nginx-matrix.nix; + matrix-telegram = import ./apps/matrix/mautrix-telegram.nix; + matrix-irc = import ./apps/matrix/irc.nix; + mediawiki = import ./apps/mediawiki.nix; + nextcloud = import ./apps/nextcloud/nextcloud.nix; + nginx-website-miom = import ./apps/nginx-website-miom.nix; + nginx-website = import ./apps/nginx-website.nix; + nginx = import ./apps/nginx.nix; + obs-portal = import ./apps/obs-portal.nix; + opensearch = import ./apps/opensearch.nix; + owncast = import ./apps/owncast.nix; + postgresql = import 
./apps/postgresql.nix; + prometheus = import ./apps/prometheus/prometheus.nix; + prometheus-exporters = import ./apps/prometheus/prometheus-exporters.nix; + nginx-prometheus-exporters = import ./apps/prometheus/nginx-prometheus-exporters.nix; + promtail = import ./apps/promtail.nix; + searx = import ./apps/searx.nix; + tmate = import ./apps/tmate.nix; }; }; } diff --git a/modules/networking.nix b/modules/networking.nix deleted file mode 100644 index 490715b2..00000000 --- a/modules/networking.nix +++ /dev/null 
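Review bot: `nixosModules = rec {` no longer needs `rec`: the removed `core` composite was the only attribute referring to its siblings, and within the visible hunk every remaining value is a plain `import`, so `nixosModules = {` avoids accidental self-reference and is easier to override. Also `matrix = import ./apps/matrix/synapse.nix;` names the module differently from its file; either `synapse = import ./apps/matrix/synapse.nix;` or renaming the file would make `hosts/default.nix` easier to read against the tree.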
@@ -1,46 +0,0 @@ -{ pkgs, lib, ... }: { - # Don't expose SSH via public interfaces - networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ]; - - networking.hosts = { - "10.7.6.1" = ["nachtigall.pub.solar"]; - "10.7.6.2" = ["flora-6.pub.solar"]; - }; - - services.openssh = { - enable = true; - openFirewall = lib.mkDefault false; - settings = { - PermitRootLogin = "prohibit-password"; - PasswordAuthentication = false; - # Add back openssh MACs that got removed from defaults - # for backwards compatibility - # - # NixOS default openssh MACs have changed to use "encrypt-then-mac" only. - # This breaks compatibilty with clients that do not offer these MACs. For - # compatibility reasons, we add back the old defaults. - # See: https://github.com/NixOS/nixpkgs/pull/231165 - # - # https://blog.stribik.technology/2015/01/04/secure-secure-shell.html - # https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 - Macs = [ - "hmac-sha2-512-etm@openssh.com" - "hmac-sha2-256-etm@openssh.com" - "umac-128-etm@openssh.com" - "hmac-sha2-512" - "hmac-sha2-256" - "umac-128@openssh.com" - ]; - }; - }; - - services.resolved = { - enable = true; - extraConfig = '' - DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net - FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net - Domains=~. - DNSOverTLS=yes - ''; - }; -} diff --git a/modules/unlock-zfs-on-boot.nix b/modules/unlock-zfs-on-boot.nix index d459b10b..7fade1b6 100644 --- a/modules/unlock-zfs-on-boot.nix +++ b/modules/unlock-zfs-on-boot.nix @@ -1,4 +1,4 @@ -{ flake, ... }: { +{ flake, config, ... }: { # From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot boot.initrd.network = { enable = true; 
@@ -10,7 +10,7 @@ # Please create this manually the first time. hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - authorizedKeys = flake.self.logins.admins.sshPubKeys; + authorizedKeys = config.pub-solar-os.authentication.sshPubKeys; }; # this will automatically load the zfs password prompt on login # and kill the other prompt so boot can continue diff --git a/modules/users.nix b/modules/users.nix deleted file mode 100644 index 91b78e0a..00000000 --- a/modules/users.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ flake, pkgs, ... }: { - users.users.${flake.self.username} = { - name = flake.self.username; - group = flake.self.username; - extraGroups = [ "wheel" "docker" ]; - isNormalUser = true; - openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys; - }; - users.groups.${flake.self.username} = { }; - - # TODO: Remove when we stop locking ourselves out. - users.users.root.openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys; - - users.users.hakkonaut = { - description = "CI and automation user"; - home = "/home/hakkonaut"; - createHome = true; - useDefaultShell = true; - uid = 998; - group = "hakkonaut"; - isSystemUser = true; - openssh.authorizedKeys.keys = flake.self.logins.robots.sshPubKeys; - }; - - users.groups.hakkonaut = { }; - - users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32"; - - security.sudo.wheelNeedsPassword = false; -} diff --git a/tests/website.nix b/tests/website.nix new file mode 100644 index 00000000..dffd6a58 --- /dev/null +++ b/tests/website.nix 
@@ -0,0 +1,23 @@ +{ + self, + pkgs, + lib, + config, + ... +}: { + name = "website"; + + nodes.nachtigall-test = self.nixosConfigurations.nachtigall-test; + + node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs; + hostPkgs = pkgs; + + enableOCR = true; + + testScript = '' + machine.wait_for_unit("system.slice") + machine.succeed("ping 127.0.0.1 -c 2") + machine.wait_for_unit("nginx.service") + machine.succeed("curl -H 'Host:pub.solar' http://127.0.0.1/") + ''; +}
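Review bot: `machine.succeed("curl -H 'Host:pub.solar' http://127.0.0.1/")` passes whenever curl exits 0, which it also does for a 4xx or 5xx response, so a misconfigured vhost would not fail the test; use `machine.succeed("curl --fail -sS -H 'Host: pub.solar' http://127.0.0.1/")` or assert on the response body. The node is declared as `nachtigall-test` but the script addresses it as `machine`, which appears to rely on the driver's single-node alias; referencing the node by its own name would keep the script working if a second node is added later.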