From 90e096262bbe453484ceb03009b5cdb648137aa8 Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Fri, 1 Nov 2024 12:45:18 +1100
Subject: [PATCH] forgeje: use 2222 port for ssh server: move caddy to seperate module
---
modules/nixos/server/database/default.nix | 5 +
modules/nixos/server/database/postgresql.nix | 34 +++++--
modules/nixos/server/default.nix | 4 +-
modules/nixos/server/options.nix | 17 +++-
modules/nixos/server/profiles/linode.nix | 94 -------------------
.../nixos/server/services/forgejo/default.nix | 35 ++++++-
.../nixos/server/services/website/default.nix | 44 ++++-----
modules/nixos/server/webserver/caddy.nix | 16 ++++
.../{profiles => webserver}/default.nix | 2 +-
9 files changed, 116 insertions(+), 135 deletions(-)
create mode 100644 modules/nixos/server/database/default.nix
delete mode 100644 modules/nixos/server/profiles/linode.nix
create mode 100644 modules/nixos/server/webserver/caddy.nix
rename modules/nixos/server/{profiles => webserver}/default.nix (57%)
diff --git a/modules/nixos/server/database/default.nix b/modules/nixos/server/database/default.nix
new file mode 100644
index 0000000..a619c94
--- /dev/null
+++ b/modules/nixos/server/database/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./postgresql.nix
+ ];
+}
diff --git a/modules/nixos/server/database/postgresql.nix b/modules/nixos/server/database/postgresql.nix
index 4bcec35..ea800f0 100644
--- a/modules/nixos/server/database/postgresql.nix
+++ b/modules/nixos/server/database/postgresql.nix
@@ -6,19 +6,33 @@ inherit (lib) mkIf elem optionals; inherit (config.ooknet.server) services database; in { - config = mkIf database.postgresql { + config = mkIf database.postgresql.enable { services.postgresql = { enable = true; + + checkConfig = true; + ensureDatabases = optionals (elem "forgejo" services) ["forgejo"]; - ensureUsers = optionals (elem "forgejo" services) [ - { - name = "forgejo"; - ensurePermissions = { - "DATABASE forgejo" = "ALL PRIVILEGES"; - }; - } - ]; + + ensureUsers = + [ + { + name = "postgres"; + ensureClauses = { + login = true; + superuser = true; + replication = true; + createdb = true; + createrole = true; + }; + } + ] + ++ (optionals (elem "forgejo" services) [ + { + name = "forgejo"; + ensureDBOwnership = true; + } + ]); }; }; } - diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix index e69436a..08ad3ca 100644 --- a/modules/nixos/server/default.nix +++ b/modules/nixos/server/default.nix @@ -1,7 +1,9 @@ { imports = [ ./options.nix + ./debloat.nix ./services - ./profiles + ./webserver + ./database ]; } diff --git a/modules/nixos/server/options.nix b/modules/nixos/server/options.nix index b36eb7f..2b437fd 100644 --- a/modules/nixos/server/options.nix +++ b/modules/nixos/server/options.nix @@ -1,6 +1,6 @@ {lib, ...}: let - inherit (lib) mkOption; - inherit (lib.types) nullOr listOf enum bool; + inherit (lib) mkOption mkEnableOption; + inherit (lib.types) str nullOr listOf enum bool; in { options.ooknet.server = { exitNode = mkOption { @@ -14,9 +14,20 @@ in { description = "The server profile the host will use as a base"; }; services = mkOption { - type = listOf (enum ["website"]); + type = listOf (enum ["website" "forgejo"]); default = []; description = "List of services the server will host"; }; + domain = mkOption { + type = str; + default = ""; + }; + + webserver = { + caddy.enable = mkEnableOption ""; + }; + database = { + postgresql.enable = mkEnableOption ""; + }; }; } 
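Review bot: The new `postgres` entry in `ensureUsers` re-asserts attributes the bootstrap superuser already carries — superuser status implies createdb, createrole and replication, and that role can log in by default — so its purpose is not apparent from the hunk. If it is meant as a guard that restores those attributes should they be revoked out of band, a comment such as `# re-assert the bootstrap superuser's attributes in case they were altered manually` would make the intent explicit; otherwise the entry can be dropped and only the conditional `forgejo` user kept. `ensureDBOwnership = true` for `forgejo` depends on a database of the same name being listed in `ensureDatabases`, which the matching `elem "forgejo" services` guard a few lines above provides, so that pairing is consistent.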
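Review bot: `./debloat.nix` is added to the import list in `modules/nixos/server/default.nix`, but the diffstat of this patch neither creates nor modifies a file by that name; unless it already exists in the tree, the module set will fail to evaluate with a missing-path error. Either include the file in this commit or drop the import until it lands.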
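Review bot: In `options.nix`, `domain` is declared with `type = str` and `default = ""`, so a host that enables `forgejo` without setting it evaluates cleanly and ends up with `DOMAIN = "git."` and a Caddy virtual host literally named `git.`; dropping the default turns the omission into an evaluation error instead, `domain = mkOption { type = str; description = "Base domain this host serves, e.g. example.org"; };`. The two `mkEnableOption ""` calls also leave their descriptions empty; a short phrase such as `mkEnableOption "the Caddy web server"` and `mkEnableOption "the PostgreSQL database server"` costs nothing and appears in generated option documentation.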
diff --git a/modules/nixos/server/profiles/linode.nix b/modules/nixos/server/profiles/linode.nix deleted file mode 100644 index fd9025a..0000000 --- a/modules/nixos/server/profiles/linode.nix +++ /dev/null @@ -1,94 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: let - inherit (builtins) attrValues; - inherit (lib) mkForce getExe' mkIf; - inherit (config.ooknet.server) profile; -in { - config = mkIf (profile == "linode") { - services.qemuGuest.enable = true; - - networking = { - tempAddresses = "disabled"; - usePredictableInterfaceNames = mkForce false; - interfaces.eth0 = { - tempAddress = "disabled"; - useDHCP = true; - }; - }; - fileSystems."/" = { - device = "/dev/sda"; - fsType = "ext4"; - autoResize = true; - }; - swapDevices = [{device = "/dev/sdb";}]; - - boot = { - kernelPackages = pkgs.linuxPackages_latest; - kernelModules = []; - # LISH console support - kernelParams = ["console=ttyS0,19200n8"]; - extraModulePackages = []; - growPartition = true; - initrd = { - availableKernelModules = [ - # modules generated by nixos-generate-config - "virtio_pci" - "virtio_scsi" - "ahci" - "sd_mod" - - # qemu guest modules - "virtio_net" - "virtio_mmio" - "virtio_blk" - "virtio_scsi" - "9p" - "9pnet_virtio" - ]; - kernelModules = [ - "virtio_balloon" - "virtio_console" - "virtio_rng" - "virtio_gpu" - ]; - }; - loader = { - grub = { - enable = true; - device = "nodev"; - forceInstall = true; - copyKernels = true; - fsIdentifier = "label"; - splashImage = null; - extraConfig = '' - serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1; - terminal_input serial; - terminal_output serial - ''; - - extraInstallCommands = "${getExe' pkgs.coreutils "ln"} -fs /boot/grub /boot/grub2"; - }; - timeout = mkForce 10; - # disable base settings - efi.canTouchEfiVariables = mkForce false; - systemd-boot.enable = mkForce false; - }; - }; - - environment = { - systemPackages = attrValues { - inherit - (pkgs) - inetutils - mtr - sysstat - linode-cli - ; - }; - }; - }; -} 
diff --git a/modules/nixos/server/services/forgejo/default.nix b/modules/nixos/server/services/forgejo/default.nix index b5a681f..c31731a 100644 --- a/modules/nixos/server/services/forgejo/default.nix +++ b/modules/nixos/server/services/forgejo/default.nix @@ -7,6 +7,8 @@ inherit (lib) mkIf elem; in { config = mkIf (elem "forgejo" services) { + networking.firewall.allowedTCPPorts = [2222]; + ooknet.server = { webserver.caddy.enable = true; database.postgresql.enable = true; @@ -20,12 +22,43 @@ in { DOMAIN = "git.${domain}"; ROOT_URL = "https://git.${domain}"; HTTP_PORT = 3000; + LANDING_PAGE = "explore"; + + START_SSH_SERVER = true; + SSH_PORT = 2222; + SSH_LISTEN_PORT = 2222; + }; + database = { + type = "postgres"; + createDatabase = true; + }; + service = { + DISABLE_REGISTRATION = true; + }; + security = { + INSTALL_LOCK = true; }; }; }; caddy.virtualHosts = { "git.${domain}".extraConfig = '' - reverse_proxy 127.0.0.1:3000 + header { + Strict-Transport-Security "max-age=31536000;" + X-XSS-Protection "1; mode=block" + X-Frame-Options "DENY" + X-Content-Type-Options "nosniff" + -Server + Referrer-Policy "no-referrer" + } + + # Handle proxying + handle_path /* { + reverse_proxy localhost:3000 { + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Proto {scheme} + } + } ''; }; }; diff --git a/modules/nixos/server/services/website/default.nix b/modules/nixos/server/services/website/default.nix index 7a495f7..af0bf4f 100644 --- a/modules/nixos/server/services/website/default.nix +++ b/modules/nixos/server/services/website/default.nix @@ -9,8 +9,7 @@ inherit (self'.packages) website; in { config = mkIf (elem "website" services) { - users.groups.www = {}; - + ooknet.server.webserver.caddy.enable = true; systemd.tmpfiles.rules = [ "d /var/www 0775 caddy www" "d /var/www/ooknet.org 0775 caddy www" 
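Review bot: The unconditional `networking.firewall.allowedTCPPorts = [2222];` in the first forgejo hunk opens a port without saying what listens on it; the setting that gives 2222 meaning (`START_SSH_SERVER` and `SSH_LISTEN_PORT`) lives in the second hunk of the same file, so a comment on the firewall line ties the two together, `# 2222: Forgejo's built-in SSH server, see START_SSH_SERVER/SSH_LISTEN_PORT below`. The enclosing `config = mkIf (elem "forgejo" services) { ... }` set continues past the hunk.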
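Review bot: `security.INSTALL_LOCK = true` together with `service.DISABLE_REGISTRATION = true` removes both the web installer and self-registration, so on a fresh deployment the first admin account can only be created out of band (for example with `forgejo admin user create` on the host); nothing in the hunk records this, and a comment next to `DISABLE_REGISTRATION` such as `# no web sign-up and no installer: create the initial admin with 'forgejo admin user create'` saves the next operator a lockout. In the Caddy block, `X-XSS-Protection "1; mode=block"` enables a browser filter that current browsers no longer implement and that was itself a source of problems when it existed; the common guidance is `X-XSS-Protection "0"` or omitting the header, and the same value also appears in the website vhost. The `header_up X-Forwarded-For` and `header_up X-Forwarded-Proto` lines restate values `reverse_proxy` already sets for the upstream, so they can be dropped unless the explicit overwrite is intended to discard any client-supplied chain, in which case a one-line comment should say so.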
@@ -40,34 +39,29 @@ in { }; # using caddy because it makes my life easy - services.caddy = { - enable = true; - group = "www"; + services.caddy.virtualHosts = { + "ooknet.org".extraConfig = + # sh + '' + encode zstd gzip - virtualHosts = { - "ooknet.org".extraConfig = - # sh - '' - encode zstd gzip - - header { - Strict-Transport-Security "max-age=31536000;" - X-XSS-Protection "1; mode=block" - X-Frame-Options "DENY" - X-Content-Type-Options "nosniff" - -Server + header { + Strict-Transport-Security "max-age=31536000;" + X-XSS-Protection "1; mode=block" + X-Frame-Options "DENY" + X-Content-Type-Options "nosniff" + -Server - Referrer-Policy: no-referrer - } + Referrer-Policy: no-referrer + } - root * /var/www/ooknet.org/ - file_server - ''; - "www.ooknet.org".extraConfig = '' - redir https://ooknet.org{uri} + root * /var/www/ooknet.org/ + file_server ''; - }; + "www.ooknet.org".extraConfig = '' + redir https://ooknet.org{uri} + ''; }; }; } diff --git a/modules/nixos/server/webserver/caddy.nix b/modules/nixos/server/webserver/caddy.nix new file mode 100644 index 0000000..99dd2b2 --- /dev/null +++ b/modules/nixos/server/webserver/caddy.nix @@ -0,0 +1,16 @@ +{ + config, + lib, + ... +}: let + inherit (lib) mkIf; + inherit (config.ooknet.server.webserver) caddy; +in { + config = mkIf caddy.enable { + users.groups.www = {}; + services.caddy = { + enable = true; + group = "www"; + }; + }; +} diff --git a/modules/nixos/server/profiles/default.nix b/modules/nixos/server/webserver/default.nix similarity index 57% rename from modules/nixos/server/profiles/default.nix rename to modules/nixos/server/webserver/default.nix index cd85c40..1f898a8 100644 --- a/modules/nixos/server/profiles/default.nix +++ b/modules/nixos/server/webserver/default.nix @@ -1,5 +1,5 @@ { imports = [ - ./linode.nix + ./caddy.nix ]; }
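Review bot: The moved `Referrer-Policy: no-referrer` line keeps a colon after the field name, which Caddy's `header` directive does not expect; the field is parsed as `Referrer-Policy:` and the policy is most likely not emitted as intended, whereas the forgejo vhost in this same commit writes it correctly as `Referrer-Policy "no-referrer"`. Since the hunk already re-indents this line, it is the natural place to fix it: `Referrer-Policy "no-referrer"`. The enclosing `config = mkIf (elem "website" services) { ... }` set begins before this hunk.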