ooks/ooknet
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

forgeje: use 2222 port for ssh

Browse source 
server: move caddy to seperate module
This commit is contained in:
ooks-io 2024-11-01 12:45:18 +11:00
parent 52cb6d10bc
commit 90e096262b
9 changed files with 116 additions and 135 deletions
Download patch file Download diff file Expand all files Collapse all files

5
modules/nixos/server/database/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./postgresql.nix
];
}

34
modules/nixos/server/database/postgresql.nix
View file

@ -6,19 +6,33 @@
inherit (lib) mkIf elem optionals; inherit (lib) mkIf elem optionals;
inherit (config.ooknet.server) services database; inherit (config.ooknet.server) services database;
in { in {
config = mkIf database.postgresql { config = mkIf database.postgresql.enable {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
checkConfig = true;
ensureDatabases = optionals (elem "forgejo" services) ["forgejo"]; ensureDatabases = optionals (elem "forgejo" services) ["forgejo"];
ensureUsers = optionals (elem "forgejo" services) [
{ ensureUsers =
name = "forgejo"; [
ensurePermissions = { {
"DATABASE forgejo" = "ALL PRIVILEGES"; name = "postgres";
}; ensureClauses = {
} login = true;
]; superuser = true;
replication = true;
createdb = true;
createrole = true;
};
}
]
++ (optionals (elem "forgejo" services) [
{
name = "forgejo";
ensureDBOwnership = true;
}
]);
}; };
}; };
} }

4
modules/nixos/server/default.nix
View file

@ -1,7 +1,9 @@
{ {
imports = [ imports = [
./options.nix ./options.nix
./debloat.nix
./services ./services
./profiles ./webserver
./database
]; ];
} }

17
modules/nixos/server/options.nix
View file

@ -1,6 +1,6 @@
{lib, ...}: let {lib, ...}: let
inherit (lib) mkOption; inherit (lib) mkOption mkEnableOption;
inherit (lib.types) nullOr listOf enum bool; inherit (lib.types) str nullOr listOf enum bool;
in { in {
options.ooknet.server = { options.ooknet.server = {
exitNode = mkOption { exitNode = mkOption {
@ -14,9 +14,20 @@ in {
description = "The server profile the host will use as a base"; description = "The server profile the host will use as a base";
}; };
services = mkOption { services = mkOption {
type = listOf (enum ["website"]); type = listOf (enum ["website" "forgejo"]);
default = []; default = [];
description = "List of services the server will host"; description = "List of services the server will host";
}; };
domain = mkOption {
type = str;
default = "";
};
webserver = {
caddy.enable = mkEnableOption "";
};
database = {
postgresql.enable = mkEnableOption "";
};
}; };
} }

94
modules/nixos/server/profiles/linode.nix
View file

@ -1,94 +0,0 @@
{
lib,
pkgs,
config,
...
}: let
inherit (builtins) attrValues;
inherit (lib) mkForce getExe' mkIf;
inherit (config.ooknet.server) profile;
in {
config = mkIf (profile == "linode") {
services.qemuGuest.enable = true;
networking = {
tempAddresses = "disabled";
usePredictableInterfaceNames = mkForce false;
interfaces.eth0 = {
tempAddress = "disabled";
useDHCP = true;
};
};
fileSystems."/" = {
device = "/dev/sda";
fsType = "ext4";
autoResize = true;
};
swapDevices = [{device = "/dev/sdb";}];
boot = {
kernelPackages = pkgs.linuxPackages_latest;
kernelModules = [];
# LISH console support
kernelParams = ["console=ttyS0,19200n8"];
extraModulePackages = [];
growPartition = true;
initrd = {
availableKernelModules = [
# modules generated by nixos-generate-config
"virtio_pci"
"virtio_scsi"
"ahci"
"sd_mod"
# qemu guest modules
"virtio_net"
"virtio_mmio"
"virtio_blk"
"virtio_scsi"
"9p"
"9pnet_virtio"
];
kernelModules = [
"virtio_balloon"
"virtio_console"
"virtio_rng"
"virtio_gpu"
];
};
loader = {
grub = {
enable = true;
device = "nodev";
forceInstall = true;
copyKernels = true;
fsIdentifier = "label";
splashImage = null;
extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial
'';
extraInstallCommands = "${getExe' pkgs.coreutils "ln"} -fs /boot/grub /boot/grub2";
};
timeout = mkForce 10;
# disable base settings
efi.canTouchEfiVariables = mkForce false;
systemd-boot.enable = mkForce false;
};
};
environment = {
systemPackages = attrValues {
inherit
(pkgs)
inetutils
mtr
sysstat
linode-cli
;
};
};
};
}

35
modules/nixos/server/services/forgejo/default.nix
View file

@ -7,6 +7,8 @@
inherit (lib) mkIf elem; inherit (lib) mkIf elem;
in { in {
config = mkIf (elem "forgejo" services) { config = mkIf (elem "forgejo" services) {
networking.firewall.allowedTCPPorts = [2222];
ooknet.server = { ooknet.server = {
webserver.caddy.enable = true; webserver.caddy.enable = true;
database.postgresql.enable = true; database.postgresql.enable = true;
@ -20,12 +22,43 @@ in {
DOMAIN = "git.${domain}"; DOMAIN = "git.${domain}";
ROOT_URL = "https://git.${domain}"; ROOT_URL = "https://git.${domain}";
HTTP_PORT = 3000; HTTP_PORT = 3000;
LANDING_PAGE = "explore";
START_SSH_SERVER = true;
SSH_PORT = 2222;
SSH_LISTEN_PORT = 2222;
};
database = {
type = "postgres";
createDatabase = true;
};
service = {
DISABLE_REGISTRATION = true;
};
security = {
INSTALL_LOCK = true;
}; };
}; };
}; };
caddy.virtualHosts = { caddy.virtualHosts = {
"git.${domain}".extraConfig = '' "git.${domain}".extraConfig = ''
reverse_proxy 127.0.0.1:3000 header {
Strict-Transport-Security "max-age=31536000;"
X-XSS-Protection "1; mode=block"
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
-Server
Referrer-Policy "no-referrer"
}
# Handle proxying
handle_path /* {
reverse_proxy localhost:3000 {
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
''; '';
}; };
}; };

44
modules/nixos/server/services/website/default.nix
View file

@ -9,8 +9,7 @@
inherit (self'.packages) website; inherit (self'.packages) website;
in { in {
config = mkIf (elem "website" services) { config = mkIf (elem "website" services) {
users.groups.www = {}; ooknet.server.webserver.caddy.enable = true;
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/www 0775 caddy www" "d /var/www 0775 caddy www"
"d /var/www/ooknet.org 0775 caddy www" "d /var/www/ooknet.org 0775 caddy www"
@ -40,34 +39,29 @@ in {
}; };
# using caddy because it makes my life easy # using caddy because it makes my life easy
services.caddy = { services.caddy.virtualHosts = {
enable = true; "ooknet.org".extraConfig =
group = "www"; # sh
''
encode zstd gzip
virtualHosts = { header {
"ooknet.org".extraConfig = Strict-Transport-Security "max-age=31536000;"
# sh X-XSS-Protection "1; mode=block"
'' X-Frame-Options "DENY"
encode zstd gzip X-Content-Type-Options "nosniff"
-Server
header {
Strict-Transport-Security "max-age=31536000;"
X-XSS-Protection "1; mode=block"
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
-Server
Referrer-Policy: no-referrer Referrer-Policy: no-referrer
} }
root * /var/www/ooknet.org/ root * /var/www/ooknet.org/
file_server file_server
'';
"www.ooknet.org".extraConfig = ''
redir https://ooknet.org{uri}
''; '';
}; "www.ooknet.org".extraConfig = ''
redir https://ooknet.org{uri}
'';
}; };
}; };
} }

16
modules/nixos/server/webserver/caddy.nix Normal file
View file

@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet.server.webserver) caddy;
in {
config = mkIf caddy.enable {
users.groups.www = {};
services.caddy = {
enable = true;
group = "www";
};
};
}

2
modules/nixos/server/profiles/default.nix → modules/nixos/server/webserver/default.nix
View file

@ -1,5 +1,5 @@
{ {
imports = [ imports = [
./linode.nix ./caddy.nix
]; ];
} }