forgeje: use 2222 port for ssh

server: move caddy to seperate module
2024-11-01 12:45:18 +11:00 · 2024-11-01 12:45:18 +11:00 · 90e096262b
commit 90e096262b
parent 52cb6d10bc
9 changed files with 116 additions and 135 deletions
--- a/modules/nixos/server/database/default.nix
+++ b/modules/nixos/server/database/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./postgresql.nix
+  ];
+}
--- a/modules/nixos/server/database/postgresql.nix
+++ b/modules/nixos/server/database/postgresql.nix
@ -6,19 +6,33 @@
  inherit (lib) mkIf elem optionals;
  inherit (config.ooknet.server) services database;
 in {
-  config = mkIf database.postgresql {
+  config = mkIf database.postgresql.enable {
    services.postgresql = {
      enable = true;
+
+      checkConfig = true;
+
      ensureDatabases = optionals (elem "forgejo" services) ["forgejo"];
-      ensureUsers = optionals (elem "forgejo" services) [
-        {
-          name = "forgejo";
-          ensurePermissions = {
-            "DATABASE forgejo" = "ALL PRIVILEGES";
-          };
-        }
-      ];
+
+      ensureUsers =
+        [
+          {
+            name = "postgres";
+            ensureClauses = {
+              login = true;
+              superuser = true;
+              replication = true;
+              createdb = true;
+              createrole = true;
+            };
+          }
+        ]
+        ++ (optionals (elem "forgejo" services) [
+          {
+            name = "forgejo";
+            ensureDBOwnership = true;
+          }
+        ]);
    };
  };
 }
-
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@ -1,7 +1,9 @@
 {
  imports = [
    ./options.nix
+    ./debloat.nix
    ./services
-    ./profiles
+    ./webserver
+    ./database
  ];
 }
--- a/modules/nixos/server/options.nix
+++ b/modules/nixos/server/options.nix
@ -1,6 +1,6 @@
 {lib, ...}: let
-  inherit (lib) mkOption;
-  inherit (lib.types) nullOr listOf enum bool;
+  inherit (lib) mkOption mkEnableOption;
+  inherit (lib.types) str nullOr listOf enum bool;
 in {
  options.ooknet.server = {
    exitNode = mkOption {
@ -14,9 +14,20 @@ in {
      description = "The server profile the host will use as a base";
    };
    services = mkOption {
-      type = listOf (enum ["website"]);
+      type = listOf (enum ["website" "forgejo"]);
      default = [];
      description = "List of services the server will host";
    };
+    domain = mkOption {
+      type = str;
+      default = "";
+    };
+
+    webserver = {
+      caddy.enable = mkEnableOption "";
+    };
+    database = {
+      postgresql.enable = mkEnableOption "";
+    };
  };
 }
--- a/modules/nixos/server/profiles/linode.nix
+++ b/modules/nixos/server/profiles/linode.nix
@ -1,94 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  ...
-}: let
-  inherit (builtins) attrValues;
-  inherit (lib) mkForce getExe' mkIf;
-  inherit (config.ooknet.server) profile;
-in {
-  config = mkIf (profile == "linode") {
-    services.qemuGuest.enable = true;
-
-    networking = {
-      tempAddresses = "disabled";
-      usePredictableInterfaceNames = mkForce false;
-      interfaces.eth0 = {
-        tempAddress = "disabled";
-        useDHCP = true;
-      };
-    };
-    fileSystems."/" = {
-      device = "/dev/sda";
-      fsType = "ext4";
-      autoResize = true;
-    };
-    swapDevices = [{device = "/dev/sdb";}];
-
-    boot = {
-      kernelPackages = pkgs.linuxPackages_latest;
-      kernelModules = [];
-      # LISH console support
-      kernelParams = ["console=ttyS0,19200n8"];
-      extraModulePackages = [];
-      growPartition = true;
-      initrd = {
-        availableKernelModules = [
-          # modules generated by nixos-generate-config
-          "virtio_pci"
-          "virtio_scsi"
-          "ahci"
-          "sd_mod"
-
-          # qemu guest modules
-          "virtio_net"
-          "virtio_mmio"
-          "virtio_blk"
-          "virtio_scsi"
-          "9p"
-          "9pnet_virtio"
-        ];
-        kernelModules = [
-          "virtio_balloon"
-          "virtio_console"
-          "virtio_rng"
-          "virtio_gpu"
-        ];
-      };
-      loader = {
-        grub = {
-          enable = true;
-          device = "nodev";
-          forceInstall = true;
-          copyKernels = true;
-          fsIdentifier = "label";
-          splashImage = null;
-          extraConfig = ''
-            serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
-            terminal_input serial;
-            terminal_output serial
-          '';
-
-          extraInstallCommands = "${getExe' pkgs.coreutils "ln"} -fs /boot/grub /boot/grub2";
-        };
-        timeout = mkForce 10;
-        # disable base settings
-        efi.canTouchEfiVariables = mkForce false;
-        systemd-boot.enable = mkForce false;
-      };
-    };
-
-    environment = {
-      systemPackages = attrValues {
-        inherit
-          (pkgs)
-          inetutils
-          mtr
-          sysstat
-          linode-cli
-          ;
-      };
-    };
-  };
-}
--- a/modules/nixos/server/services/forgejo/default.nix
+++ b/modules/nixos/server/services/forgejo/default.nix
@ -7,6 +7,8 @@
  inherit (lib) mkIf elem;
 in {
  config = mkIf (elem "forgejo" services) {
+    networking.firewall.allowedTCPPorts = [2222];
+
    ooknet.server = {
      webserver.caddy.enable = true;
      database.postgresql.enable = true;
@ -20,12 +22,43 @@ in {
            DOMAIN = "git.${domain}";
            ROOT_URL = "https://git.${domain}";
            HTTP_PORT = 3000;
+            LANDING_PAGE = "explore";
+
+            START_SSH_SERVER = true;
+            SSH_PORT = 2222;
+            SSH_LISTEN_PORT = 2222;
+          };
+          database = {
+            type = "postgres";
+            createDatabase = true;
+          };
+          service = {
+            DISABLE_REGISTRATION = true;
+          };
+          security = {
+            INSTALL_LOCK = true;
          };
        };
      };
      caddy.virtualHosts = {
        "git.${domain}".extraConfig = ''
-          reverse_proxy 127.0.0.1:3000
+          header {
+            Strict-Transport-Security "max-age=31536000;"
+            X-XSS-Protection "1; mode=block"
+            X-Frame-Options "DENY"
+            X-Content-Type-Options "nosniff"
+            -Server
+            Referrer-Policy "no-referrer"
+          }
+
+          # Handle proxying
+          handle_path /* {
+            reverse_proxy localhost:3000 {
+              header_up X-Real-IP {remote_host}
+              header_up X-Forwarded-For {remote_host}
+              header_up X-Forwarded-Proto {scheme}
+            }
+          }
        '';
      };
    };
--- a/modules/nixos/server/services/website/default.nix
+++ b/modules/nixos/server/services/website/default.nix
@ -9,8 +9,7 @@
  inherit (self'.packages) website;
 in {
  config = mkIf (elem "website" services) {
-    users.groups.www = {};
-
+    ooknet.server.webserver.caddy.enable = true;
    systemd.tmpfiles.rules = [
      "d /var/www 0775 caddy www"
      "d /var/www/ooknet.org 0775 caddy www"
@ -40,34 +39,29 @@ in {
    };

    # using caddy because it makes my life easy
-    services.caddy = {
-      enable = true;
-      group = "www";
+    services.caddy.virtualHosts = {
+      "ooknet.org".extraConfig =
+        # sh
+        ''
+          encode zstd gzip

-      virtualHosts = {
-        "ooknet.org".extraConfig =
-          # sh
-          ''
-            encode zstd gzip
-
-            header {
-              Strict-Transport-Security "max-age=31536000;"
-              X-XSS-Protection "1; mode=block"
-              X-Frame-Options "DENY"
-              X-Content-Type-Options "nosniff"
-              -Server
+          header {
+            Strict-Transport-Security "max-age=31536000;"
+            X-XSS-Protection "1; mode=block"
+            X-Frame-Options "DENY"
+            X-Content-Type-Options "nosniff"
+            -Server


-              Referrer-Policy: no-referrer
-            }
+            Referrer-Policy: no-referrer
+          }

-            root * /var/www/ooknet.org/
-            file_server
-          '';
-        "www.ooknet.org".extraConfig = ''
-          redir https://ooknet.org{uri}
+          root * /var/www/ooknet.org/
+          file_server
        '';
-      };
+      "www.ooknet.org".extraConfig = ''
+        redir https://ooknet.org{uri}
+      '';
    };
  };
 }
--- a/modules/nixos/server/webserver/caddy.nix
+++ b/modules/nixos/server/webserver/caddy.nix
@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.ooknet.server.webserver) caddy;
+in {
+  config = mkIf caddy.enable {
+    users.groups.www = {};
+    services.caddy = {
+      enable = true;
+      group = "www";
+    };
+  };
+}
--- a/modules/nixos/server/webserver/default.nix
+++ b/modules/nixos/server/webserver/default.nix
@ -1,5 +1,5 @@
 {
  imports = [
-    ./linode.nix
+    ./caddy.nix
  ];
 }