From 9ea4ff289f6afaec7363cc0c1ffe5b013b9a7eb5 Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Thu, 31 Oct 2024 17:31:26 +1100
Subject: [PATCH 01/10] linode: open 443
---
 modules/nixos/server/profiles/linode/base/networking.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/nixos/server/profiles/linode/base/networking.nix b/modules/nixos/server/profiles/linode/base/networking.nix
index 4f30557..019adbe 100644
--- a/modules/nixos/server/profiles/linode/base/networking.nix
+++ b/modules/nixos/server/profiles/linode/base/networking.nix
@@ -8,5 +8,6 @@ in {
 tempAddress = "disabled";
 useDHCP = true;
 };
+ firewall.allowedUDPPorts = [443];
 };
 }
From bf5c7b5434ae549592490ec04d711d9b9b877b42 Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Thu, 31 Oct 2024 22:41:28 +1100
Subject: [PATCH 02/10] ooksdesk: add printing feature
---
 hosts/ooksdesk/hardware.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/ooksdesk/hardware.nix b/hosts/ooksdesk/hardware.nix
index d62d885..2b9e7ef 100644
--- a/hosts/ooksdesk/hardware.nix
+++ b/hosts/ooksdesk/hardware.nix
@@ -3,7 +3,7 @@
 cpu.type = "amd";
 cpu.amd.pstate.enable = true;
 gpu.type = "amd";
- features = ["ssd" "audio" "video"];
+ features = ["printing" "ssd" "audio" "video"];
 monitors = [
 {
 name = "DP-3";
From 6360a976f2a0e57f067559113333d96e8d1cdc10 Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Thu, 31 Oct 2024 22:41:52 +1100
Subject: [PATCH 03/10] server: add postgresql initial configuration
---
 modules/nixos/server/database/postgresql.nix | 24 ++++++
 .../server/profiles/linode/postgresql.nix | 74 +++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 modules/nixos/server/database/postgresql.nix
 create mode 100644 modules/nixos/server/profiles/linode/postgresql.nix
diff --git a/modules/nixos/server/database/postgresql.nix b/modules/nixos/server/database/postgresql.nix
new file mode 100644
index 0000000..4bcec35
--- /dev/null
+++ b/modules/nixos/server/database/postgresql.nix
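Review bot: `firewall.allowedUDPPorts = [443];` opens UDP/443 in the Linode base networking profile for every host built from it, while nothing in this hunk opens TCP/443 or TCP/80; a UDP/443 (HTTP/3) listener is only useful next to the TCP one, so unless a module outside this patch already opens those ports the web server stays unreachable and only the QUIC side is exposed. A base profile is also the wrong place for a service port: the rule belongs with the Caddy enablement so it is opened only where the proxy actually runs, e.g. `networking.firewall = { allowedTCPPorts = [80 443]; allowedUDPPorts = [443]; };` guarded by the web server's enable flag. The enclosing `networking` attrset starts outside the hunk.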
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf elem optionals;
+ inherit (config.ooknet.server) services database;
+in {
+ config = mkIf database.postgresql {
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = optionals (elem "forgejo" services) ["forgejo"];
+ ensureUsers = optionals (elem "forgejo" services) [
+ {
+ name = "forgejo";
+ ensurePermissions = {
+ "DATABASE forgejo" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+ };
+}
+
diff --git a/modules/nixos/server/profiles/linode/postgresql.nix b/modules/nixos/server/profiles/linode/postgresql.nix
new file mode 100644
index 0000000..2376585
--- /dev/null
+++ b/modules/nixos/server/profiles/linode/postgresql.nix
@@ -0,0 +1,74 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf;
+ inherit (config.ooknet.server) database;
+in {
+ # hardware based postgresql configuration for: linode nano
+ # 4GB RAM 1 Core
+ # generated with:
+ config = mkIf database.postgresql {
+ services.postgresql = {
+ settings = {
+ # Connectivity
+ max_connections = 20;
+ superuser_reserved_connections = 3;
+
+ # Memory Settings
+ shared_buffers = "256 MB";
+ work_mem = "32 MB";
+ maintenance_work_mem = "320 MB";
+ huge_pages = "off";
+ effective_cache_size = "1 GB";
+ effective_io_concurrency = 100; # concurrent IO only really activated if OS supports posix_fadvise function
+ random_page_cost = 1.25; # speed of random disk access relative to sequential access (1.0)
+
+ # Monitoring
+ shared_preload_libraries = "pg_stat_statements"; # per statement resource usage stats
+ track_io_timing = "on"; # measure exact block IO times
+ track_functions = "pl"; # track execution times of pl-language procedures if any
+
+ # Replication
+ wal_level = "replica"; # consider using at least 'replica'
+ max_wal_senders = 0;
+ synchronous_commit = "on";
+
+ # Checkpointing:
+ checkpoint_timeout = "15 min";
+ checkpoint_completion_target = 0.9;
+ max_wal_size = "1024 MB";
+ min_wal_size = "512 MB";
+
+ # WAL writing
+ wal_compression = "on";
+ wal_buffers = -1; # auto-tuned by Postgres till maximum of segment size (16MB by default)
+ wal_writer_delay = "200ms";
+ wal_writer_flush_after = "1MB";
+
+ # Background writer
+ bgwriter_delay = "200ms";
+ bgwriter_lru_maxpages = 100;
+ bgwriter_lru_multiplier = 2.0;
+ bgwriter_flush_after = 0;
+
+ # Parallel queries:
+ max_worker_processes = 1;
+ max_parallel_workers_per_gather = 1;
+ max_parallel_maintenance_workers = 1;
+ max_parallel_workers = 1;
+ parallel_leader_participation = "on";
+
+ # Advanced features
+ enable_partitionwise_join = "on";
+ enable_partitionwise_aggregate = "on";
+ jit = "on";
+ max_slot_wal_keep_size = "1000 MB";
+ track_wal_io_timing = "on";
+ maintenance_io_concurrency = 100;
+ wal_recycle = "on";
+ };
+ };
+ };
+}
From 331a15f0e6b328bafa35172371a2efc6c30d04ab Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Thu, 31 Oct 2024 22:42:23 +1100
Subject: [PATCH 04/10] server: add forgjo initial configuration
---
 modules/nixos/server/services/default.nix | 1 +
 .../nixos/server/services/forgejo/default.nix | 33 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 modules/nixos/server/services/forgejo/default.nix
diff --git a/modules/nixos/server/services/default.nix b/modules/nixos/server/services/default.nix
index 8c83eca..6d19766 100644
--- a/modules/nixos/server/services/default.nix
+++ b/modules/nixos/server/services/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./website
+ ./forgejo
 ];
 }
diff --git a/modules/nixos/server/services/forgejo/default.nix b/modules/nixos/server/services/forgejo/default.nix
new file mode 100644
index 0000000..b5a681f
--- /dev/null
+++ b/modules/nixos/server/services/forgejo/default.nix
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (config.ooknet.server) services domain;
+ inherit (lib) mkIf elem;
+in {
+ config = mkIf (elem "forgejo" services) {
+ ooknet.server = {
+ webserver.caddy.enable = true;
+ database.postgresql.enable = true;
+ };
+ services = {
+ forgejo = {
+ enable = true;
+
+ settings = {
+ server = {
+ DOMAIN = "git.${domain}";
+ ROOT_URL = "https://git.${domain}";
+ HTTP_PORT = 3000;
+ };
+ };
+ };
+ caddy.virtualHosts = {
+ "git.${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:3000
+ '';
+ };
+ };
+ };
+}
From ba305864438ba6c4523494daeed97ce0556fe58d Mon Sep 17 00:00:00 2001
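Review bot: `config = mkIf database.postgresql {` gates this profile on the bare `database.postgresql` attribute, and PATCH 07 later declares that option as a set (`database.postgresql.enable = mkEnableOption ""`) and switches `database/postgresql.nix` to `mkIf database.postgresql.enable` without touching this file, so if the profile is imported anywhere its condition becomes a set where a boolean is expected; change it to `config = mkIf database.postgresql.enable {` in the same patch. The `# generated with:` comment is left empty — name the generator and the inputs it was given (RAM, cores, storage type) so the values can be regenerated instead of hand-edited. `max_wal_senders = 0;` also makes the `# consider using at least 'replica'` comment on `wal_level` misleading; either state that replication is deliberately off or drop the comment.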
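Review bot: `settings.server` sets `HTTP_PORT = 3000;` but not `HTTP_ADDR`, and the only intended client is the Caddy `reverse_proxy 127.0.0.1:3000` in the same file; if `HTTP_ADDR` keeps the module default (the wildcard address, as far as I recall) Forgejo also listens on the public interface and is shielded only by the host firewall. Pin the listener to loopback with `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` so a firewall mistake cannot expose the unproxied service.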
From: ooks-io Date: Fri, 1 Nov 2024 12:43:24 +1100 Subject: [PATCH 05/10] home: add ooknet.org forgejo ssh configuration --- flake.lock | 88 ++++++++++++++++++++++++++++- flake.nix | 4 ++ modules/home/console/tools/ssh.nix | 6 ++ outputs/hosts/servers.nix | 3 +- outputs/lib/builders.nix | 3 +- secrets/ooknet_org.age | Bin 0 -> 1259 bytes secrets/secrets.nix | 1 + 7 files changed, 101 insertions(+), 4 deletions(-) create mode 100644 secrets/ooknet_org.age diff --git a/flake.lock b/flake.lock index bc1eb89..3c92d63 100644 --- a/flake.lock +++ b/flake.lock @@ -166,6 +166,24 @@ "type": "github" } }, + "flake-parts_3": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_3" + }, + "locked": { + "lastModified": 1726153070, + "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1629284811, @@ -201,7 +219,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_6" + "systems": "systems_7" }, "locked": { "lastModified": 1726560853, @@ -679,6 +697,21 @@ "type": "github" } }, + "nix-filter": { + "locked": { + "lastModified": 1710156097, + "narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "3342559a24e85fc164b295c3444e8a139924675b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, "nix-index-db": { "inputs": { "nixpkgs": [ 
@@ -739,6 +772,18 @@ "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz" } }, + "nixpkgs-lib_3": { + "locked": { + "lastModified": 1725233747, + "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1720386169, @@ -985,6 +1030,29 @@ "type": "github" } }, + "ooknet-website": { + "inputs": { + "flake-parts": "flake-parts_3", + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems_5" + }, + "locked": { + "lastModified": 1728305902, + "narHash": "sha256-761elKy4m30bx9+3QTlc2MGlRbESek/klbufIP75UqI=", + "ref": "refs/heads/master", + "rev": "b0ed4617e28b40e43cc286c9cd50d75d0e204668", + "revCount": 4, + "type": "git", + "url": "ssh://git@github.com/ooks-io/website" + }, + "original": { + "type": "git", + "url": "ssh://git@github.com/ooks-io/website" + } + }, "ooks-scripts": { "inputs": { "nixpkgs": [ @@ -2793,8 +2861,9 @@ "nix-index-db": "nix-index-db", "nixpkgs": "nixpkgs_3", "nvf": "nvf", + "ooknet-website": "ooknet-website", "ooks-scripts": "ooks-scripts", - "systems": "systems_5", + "systems": "systems_6", "zjstatus": "zjstatus" } }, @@ -2922,6 +2991,21 @@ } }, "systems_6": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "systems_7": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 
diff --git a/flake.nix b/flake.nix
index f3deb21..4b9c24c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,6 +30,10 @@
 url = "git+ssh://git@github.com/ooks-io/scripts";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ ooknet-website = {
+ url = "git+ssh://git@github.com/ooks-io/website";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 nvf.url = "github:notashelf/nvf/v0.7";
diff --git a/modules/home/console/tools/ssh.nix b/modules/home/console/tools/ssh.nix
index 0e5c0d9..e13e177 100644
--- a/modules/home/console/tools/ssh.nix
+++ b/modules/home/console/tools/ssh.nix
@@ -17,6 +17,12 @@ in {
 hostname = "github.com";
 identityFile = "${osConfig.age.secrets.github_key.path}";
 };
+ "git.ooknet.org" = {
+ user = "forgejo";
+ port = 2222;
+ hostname = "git.ooknet.org";
+ identityFile = "${osConfig.age.secrets.ooknet_org.path}";
+ };
 };
 };
 };
diff --git a/outputs/hosts/servers.nix b/outputs/hosts/servers.nix
index a9e1649..70af570 100644
--- a/outputs/hosts/servers.nix
+++ b/outputs/hosts/servers.nix
@@ -10,9 +10,10 @@ in {
 inherit withSystem;
 system = "x86_64-linux";
 hostname = "ooknode";
+ domain = "ooknet.org";
 type = "vm";
 profile = "linode";
- services = ["website"];
+ services = ["website" "forgejo"];
 };
 };
 }
diff --git a/outputs/lib/builders.nix b/outputs/lib/builders.nix
index e73a5a6..f088b69 100644
--- a/outputs/lib/builders.nix
+++ b/outputs/lib/builders.nix
@@ -89,6 +89,7 @@
 type,
 profile,
 services,
+ domain ? "",
 additionalModules ? [],
 specialArgs ? {},
 }:
@@ -98,7 +99,7 @@
 additionalModules = concatLists [
 (singleton {
 ooknet.server = {
- inherit services;
+ inherit domain services;
 };
 })
 core
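Review bot: The new `"git.ooknet.org"` match block reads `osConfig.age.secrets.ooknet_org.path`, but `age.secrets.ooknet_org` is only declared in PATCH 09 of this series, so home configurations fail to evaluate between this commit and that one; reorder or squash the two. With only `identityFile` set, ssh still offers every key loaded in the agent before the named one, which both discloses the other public keys to the server and can trip its authentication-attempt limit; add `identitiesOnly = true;` to the block so just the dedicated key is presented. The enclosing `matchBlocks` attrset starts outside the hunk.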
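Review bot: `domain ? "",` gives `domain` a silent empty default, and the forgejo module builds `"git.${domain}"` from it, so a server entry that lists `"forgejo"` without a `domain` produces a Caddy virtual host literally named `git.` and a `ROOT_URL` of `https://git.` instead of an evaluation error. Either drop the default so callers of this builder must pass the value, or keep it and assert in the forgejo module that `domain != ""` whenever the service is enabled. The same empty default is declared again for `domain = mkOption` in the options.nix hunk of PATCH 07.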
diff --git a/secrets/ooknet_org.age b/secrets/ooknet_org.age new file mode 100644 index 0000000000000000000000000000000000000000..e957cac827c9731cfceeb3c380ab8b9ed2ad5ad8 GIT binary patch literal 1259 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyNcG4IbyTQu&+yFf z(GT%Wa>+<9(+=^r3@-EVO)@D>w=hqM$Z?BGGs-A-DGV?T59RVSNl#5rG4^ox$n?(+ zFVA%`&(1SWvdjo7DNMV zBtO+4u{_z$u`<}u%d8~d(BG?~G{D`z$Sv47J)bKoG|{EfNk2^6-NMm8JJ&hK(Y4Ij zG9ol5-O?yDSvxet*frJFFx0%TG!)%7W0!JwlX8WO%uqu!Z~bHwW50mPz>q|jV8f6w z*ZfkSRPXd+%fuwNl7fOnN1w7n_du>l*CLmKken3%z{>Q@ET1gz3~#UEe3wGM$RbC- z^z!1wjB?+^GIKY5i*$6`{PHZqD;yQFQamlaf-`f|0+Pytj7w9B-P3ZT3_Jn@y+fm_ zObtCF9n&fb3cQPba(ubc%FJ_&JoJ52L(9yJ%ah78Q^LygBD9UFd_tVHJqo;Ca!iZN z^S!gRvoUOQPtmq4NLL8;Fmwt^FO4cN%kWApF->wz^K{R3HFq+rs`PdAPD&3CO>r!X z^fR?c59Eq4&MF9V&Wj2(35!fDEK2p!&koB9E=lny4b3x(@`}ocNXsjT%5yCAEl2lT zs&AIISGq!KwrhS)RknXrse77>N3LFz}(N!jk9iMi$#+Ky=+ZdnxtNja5)g+WCw`XR3FNv>SFy1EK}h3Tewe#NF~UQUVW zuEmw9IaLN(p^;u8M&`an{%+>QhLIJah9;gB-ho^Tq{~%1w6^+7vH$-6Q|?);NC{UH zv!{vVv(x3=$^mz_SUa4%^ZClBne&>$oHuR@5S&zf=)w${XP0j;DbraRwRz!zg=>sA zduPSF?oHgymCVxVa!Bx?Q*VQg8E2d46RiVsNjm!fUiNL=ov~gwW%t|AklU@Za;7J( zWawVjzyDp)b(TPh+jc#3bzFDOOSoxsFZ|_vPn%6Fob3@;I(EMMvaEvTiqPs88&+nX zc=W0`TgO>_?(=}wJ9QowA!&>GQ#HPw)QwYL$!Vml!O@!ZY}Kr0hBB55i5Jq=_Hr{d;iul~ySh`VwBKXCl~BaTn{X0t3D z8YKkUb&HQiW-=Yy^SgP|nK0>PlLA_pE6XE3rpsFKuFY;z*b^7FqHTTl!AUD8E;;o3 z*}||!J;TJNF77`SDQhIo)?Ig!o%H9);tjnkBrHz<<1ckKHHu1W^_jfm_3B#_3XArA zQM+xm?`xHJUX#Ffk3*JUowgTtWqRm!-mT&4KIl*|aTU|n66H%>A6ch)?3*R<`kH=v I{;T&o00NKPF8}}l literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index c0acbe8..10c1d7c 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -5,4 +5,5 @@ in { "tailscale-auth.age".publicKeys = [users.ooks] ++ workstations; "github_key.age".publicKeys = [users.ooks] ++ workstations; "spotify_key.age".publicKeys = [users.ooks] ++ workstations; + "ooknet_org.age".publicKeys = [users.ooks] ++ workstations; } From 52cb6d10bc258ee6181dbcf0cf14095d0db6d8d9 Mon Sep 17 00:00:00 2001 
From: ooks-io
Date: Fri, 1 Nov 2024 12:43:52 +1100
Subject: [PATCH 06/10] nix: use lix
---
 modules/nixos/base/nix.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/nixos/base/nix.nix b/modules/nixos/base/nix.nix
index c4a7a85..411a097 100644
--- a/modules/nixos/base/nix.nix
+++ b/modules/nixos/base/nix.nix
@@ -27,7 +27,7 @@ in {
 variables = paths;
 };
 nix = {
- # package = pkgs.lix;
+ package = pkgs.lix;
 # collect garbage
 gc = {
From 90e096262bbe453484ceb03009b5cdb648137aa8 Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Fri, 1 Nov 2024 12:45:18 +1100
Subject: [PATCH 07/10] forgeje: use 2222 port for ssh server: move caddy to seperate module
---
 modules/nixos/server/database/default.nix | 5 +
 modules/nixos/server/database/postgresql.nix | 34 +++++--
 modules/nixos/server/default.nix | 4 +-
 modules/nixos/server/options.nix | 17 +++-
 modules/nixos/server/profiles/linode.nix | 94 -------------------
 .../nixos/server/services/forgejo/default.nix | 35 ++++++-
 .../nixos/server/services/website/default.nix | 44 ++++-----
 modules/nixos/server/webserver/caddy.nix | 16 ++++
 .../{profiles => webserver}/default.nix | 2 +-
 9 files changed, 116 insertions(+), 135 deletions(-)
 create mode 100644 modules/nixos/server/database/default.nix
 delete mode 100644 modules/nixos/server/profiles/linode.nix
 create mode 100644 modules/nixos/server/webserver/caddy.nix
 rename modules/nixos/server/{profiles => webserver}/default.nix (57%)
diff --git a/modules/nixos/server/database/default.nix b/modules/nixos/server/database/default.nix
new file mode 100644
index 0000000..a619c94
--- /dev/null
+++ b/modules/nixos/server/database/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./postgresql.nix
+ ];
+}
diff --git a/modules/nixos/server/database/postgresql.nix b/modules/nixos/server/database/postgresql.nix
index 4bcec35..ea800f0 100644
--- a/modules/nixos/server/database/postgresql.nix
+++ b/modules/nixos/server/database/postgresql.nix
@@ -6,19 +6,33 @@
 inherit (lib) mkIf elem optionals;
 inherit (config.ooknet.server) services database;
 in {
- config = mkIf database.postgresql {
+ config = mkIf database.postgresql.enable {
 services.postgresql = {
 enable = true;
+
+ checkConfig = true;
+
 ensureDatabases = optionals (elem "forgejo" services) ["forgejo"];
- ensureUsers = optionals (elem "forgejo" services) [
- {
- name = "forgejo";
- ensurePermissions = {
- "DATABASE forgejo" = "ALL PRIVILEGES";
- };
- }
- ];
+
+ ensureUsers =
+ [
+ {
+ name = "postgres";
+ ensureClauses = {
+ login = true;
+ superuser = true;
+ replication = true;
+ createdb = true;
+ createrole = true;
+ };
+ }
+ ]
+ ++ (optionals (elem "forgejo" services) [
+ {
+ name = "forgejo";
+ ensureDBOwnership = true;
+ }
+ ]);
 };
 };
 }
-
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index e69436a..08ad3ca 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -1,7 +1,9 @@
 {
 imports = [
 ./options.nix
+ ./debloat.nix
 ./services
- ./profiles
+ ./webserver
+ ./database
 ];
 }
diff --git a/modules/nixos/server/options.nix b/modules/nixos/server/options.nix
index b36eb7f..2b437fd 100644
--- a/modules/nixos/server/options.nix
+++ b/modules/nixos/server/options.nix
@@ -1,6 +1,6 @@
 {lib, ...}: let
- inherit (lib) mkOption;
- inherit (lib.types) nullOr listOf enum bool;
+ inherit (lib) mkOption mkEnableOption;
+ inherit (lib.types) str nullOr listOf enum bool;
 in {
 options.ooknet.server = {
 exitNode = mkOption {
@@ -14,9 +14,20 @@ in {
 description = "The server profile the host will use as a base";
 };
 services = mkOption {
- type = listOf (enum ["website"]);
+ type = listOf (enum ["website" "forgejo"]);
 default = [];
 description = "List of services the server will host";
 };
+ domain = mkOption {
+ type = str;
+ default = "";
+ };
+
+ webserver = {
+ caddy.enable = mkEnableOption "";
+ };
+ database = {
+ postgresql.enable = mkEnableOption "";
+ };
 };
 }
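Review bot: The new `ensureUsers` entry for `postgres` re-applies `login`, `superuser`, `replication`, `createdb` and `createrole` to the bootstrap superuser on every service start; `initdb` already creates that role with exactly these attributes, so the entry changes nothing today but guarantees that any later tightening (for example dropping `replication`, which nothing in this series uses) is reverted at the next activation. Either remove the entry or add a comment above it stating why the clauses must be enforced, e.g. `# re-assert attributes on the bootstrap superuser so a manual ALTER ROLE cannot break provisioning`. The forgejo entry correctly relies on `ensureDBOwnership`, which requires the database and role names to match as they do here.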
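Review bot: The import list now contains `./debloat.nix`, but that file is only created in PATCH 08, so this commit does not evaluate on its own and bisecting through the series breaks here; move the import into PATCH 08 or reorder the patches. Dropping `./profiles` also means the `profiles/linode/` tree (the `base/networking.nix` touched in PATCH 01 and the `postgresql.nix` added in PATCH 03) is no longer reached through this module; if those files are not imported via the `profile` option's handling elsewhere, they have become dead code.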
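Review bot: `mkEnableOption ""` for `webserver.caddy.enable` and `database.postgresql.enable` renders as "Whether to enable ." in the generated option docs, and `domain = mkOption` has no description at all, while the `services` option right above them carries one. Suggest `caddy.enable = mkEnableOption "the Caddy reverse proxy";`, `postgresql.enable = mkEnableOption "the PostgreSQL database";`, and `description = "Base domain used to build service virtual hosts";` on `domain`.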
diff --git a/modules/nixos/server/profiles/linode.nix b/modules/nixos/server/profiles/linode.nix
deleted file mode 100644
index fd9025a..0000000
--- a/modules/nixos/server/profiles/linode.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-{
- lib,
- pkgs,
- config,
- ...
-}: let
- inherit (builtins) attrValues;
- inherit (lib) mkForce getExe' mkIf;
- inherit (config.ooknet.server) profile;
-in {
- config = mkIf (profile == "linode") {
- services.qemuGuest.enable = true;
-
- networking = {
- tempAddresses = "disabled";
- usePredictableInterfaceNames = mkForce false;
- interfaces.eth0 = {
- tempAddress = "disabled";
- useDHCP = true;
- };
- };
- fileSystems."/" = {
- device = "/dev/sda";
- fsType = "ext4";
- autoResize = true;
- };
- swapDevices = [{device = "/dev/sdb";}];
-
- boot = {
- kernelPackages = pkgs.linuxPackages_latest;
- kernelModules = [];
- # LISH console support
- kernelParams = ["console=ttyS0,19200n8"];
- extraModulePackages = [];
- growPartition = true;
- initrd = {
- availableKernelModules = [
- # modules generated by nixos-generate-config
- "virtio_pci"
- "virtio_scsi"
- "ahci"
- "sd_mod"
-
- # qemu guest modules
- "virtio_net"
- "virtio_mmio"
- "virtio_blk"
- "virtio_scsi"
- "9p"
- "9pnet_virtio"
- ];
- kernelModules = [
- "virtio_balloon"
- "virtio_console"
- "virtio_rng"
- "virtio_gpu"
- ];
- };
- loader = {
- grub = {
- enable = true;
- device = "nodev";
- forceInstall = true;
- copyKernels = true;
- fsIdentifier = "label";
- splashImage = null;
- extraConfig = ''
- serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
- terminal_input serial;
- terminal_output serial
- '';
-
- extraInstallCommands = "${getExe' pkgs.coreutils "ln"} -fs /boot/grub /boot/grub2";
- };
- timeout = mkForce 10;
- # disable base settings
- efi.canTouchEfiVariables = mkForce false;
- systemd-boot.enable = mkForce false;
- };
- };
-
- environment = {
- systemPackages = attrValues {
- inherit
- (pkgs)
- inetutils
- mtr
- sysstat
- linode-cli
- ;
- };
- };
- };
-}
diff --git a/modules/nixos/server/services/forgejo/default.nix b/modules/nixos/server/services/forgejo/default.nix
index b5a681f..c31731a 100644
--- a/modules/nixos/server/services/forgejo/default.nix
+++ b/modules/nixos/server/services/forgejo/default.nix
@@ -7,6 +7,8 @@
 inherit (lib) mkIf elem;
 in {
 config = mkIf (elem "forgejo" services) {
+ networking.firewall.allowedTCPPorts = [2222];
+
 ooknet.server = {
 webserver.caddy.enable = true;
 database.postgresql.enable = true;
@@ -20,12 +22,43 @@ in {
 DOMAIN = "git.${domain}";
 ROOT_URL = "https://git.${domain}";
 HTTP_PORT = 3000;
+ LANDING_PAGE = "explore";
+
+ START_SSH_SERVER = true;
+ SSH_PORT = 2222;
+ SSH_LISTEN_PORT = 2222;
+ };
+ database = {
+ type = "postgres";
+ createDatabase = true;
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ security = {
+ INSTALL_LOCK = true;
 };
 };
 };
 caddy.virtualHosts = {
 "git.${domain}".extraConfig = ''
- reverse_proxy 127.0.0.1:3000
+ header {
+ Strict-Transport-Security "max-age=31536000;"
+ X-XSS-Protection "1; mode=block"
+ X-Frame-Options "DENY"
+ X-Content-Type-Options "nosniff"
+ -Server
+ Referrer-Policy "no-referrer"
+ }
+
+ # Handle proxying
+ handle_path /* {
+ reverse_proxy localhost:3000 {
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
+ }
 '';
 };
 };
diff --git a/modules/nixos/server/services/website/default.nix b/modules/nixos/server/services/website/default.nix
index 7a495f7..af0bf4f 100644
--- a/modules/nixos/server/services/website/default.nix
+++ b/modules/nixos/server/services/website/default.nix
@@ -9,8 +9,7 @@
 inherit (self'.packages) website;
 in {
 config = mkIf (elem "website" services) {
- users.groups.www = {};
-
+ ooknet.server.webserver.caddy.enable = true;
 systemd.tmpfiles.rules = [
 "d /var/www 0775 caddy www"
 "d /var/www/ooknet.org 0775 caddy www"
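Review bot: The new Caddy `header` block sets `X-XSS-Protection "1; mode=block"`; current browsers have removed the XSS auditor, and in engines that still honour the header the filter has served as a cross-site-leak oracle, so present guidance is to send `X-XSS-Protection "0"` (or omit the header) and rely on a Content-Security-Policy instead. The same line is carried over unchanged in the website hunk below. The hardening that matters here — `DISABLE_REGISTRATION`, `INSTALL_LOCK`, the dedicated `SSH_LISTEN_PORT` and the matching `allowedTCPPorts = [2222]` — is in place; a one-line comment next to `START_SSH_SERVER = true;` saying the built-in SSH server is used so sshd on 22 stays admin-only would make that intent explicit.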
@@ -40,34 +39,29 @@ in {
 };
 # using caddy because it makes my life easy
- services.caddy = {
- enable = true;
- group = "www";
+ services.caddy.virtualHosts = {
+ "ooknet.org".extraConfig =
+ # sh
+ ''
+ encode zstd gzip
- virtualHosts = {
- "ooknet.org".extraConfig =
- # sh
- ''
- encode zstd gzip
-
- header {
- Strict-Transport-Security "max-age=31536000;"
- X-XSS-Protection "1; mode=block"
- X-Frame-Options "DENY"
- X-Content-Type-Options "nosniff"
- -Server
+ header {
+ Strict-Transport-Security "max-age=31536000;"
+ X-XSS-Protection "1; mode=block"
+ X-Frame-Options "DENY"
+ X-Content-Type-Options "nosniff"
+ -Server
- Referrer-Policy: no-referrer
- }
+ Referrer-Policy: no-referrer
+ }
- root * /var/www/ooknet.org/
- file_server
- '';
- "www.ooknet.org".extraConfig = ''
- redir https://ooknet.org{uri}
+ root * /var/www/ooknet.org/
+ file_server
 '';
- };
+ "www.ooknet.org".extraConfig = ''
+ redir https://ooknet.org{uri}
+ '';
 };
 };
 }
diff --git a/modules/nixos/server/webserver/caddy.nix b/modules/nixos/server/webserver/caddy.nix
new file mode 100644
index 0000000..99dd2b2
--- /dev/null
+++ b/modules/nixos/server/webserver/caddy.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf;
+ inherit (config.ooknet.server.webserver) caddy;
+in {
+ config = mkIf caddy.enable {
+ users.groups.www = {};
+ services.caddy = {
+ enable = true;
+ group = "www";
+ };
+ };
+}
diff --git a/modules/nixos/server/profiles/default.nix b/modules/nixos/server/webserver/default.nix
similarity index 57%
rename from modules/nixos/server/profiles/default.nix
rename to modules/nixos/server/webserver/default.nix
index cd85c40..1f898a8 100644
--- a/modules/nixos/server/profiles/default.nix
+++ b/modules/nixos/server/webserver/default.nix
@@ -1,5 +1,5 @@
 {
 imports = [
- ./linode.nix
+ ./caddy.nix
 ];
 }
From 68d3a494a11371792bff3b25db64e40fa33f6717 Mon Sep 17 00:00:00 2001
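Review bot: The rewritten `header` block keeps `Referrer-Policy: no-referrer` with a trailing colon on the field name, while every other field in the block and the same block in the forgejo module of this commit use the `Field "value"` form; unless Caddy strips that colon, the emitted header is named `Referrer-Policy:` and the policy never applies. Change the line to `Referrer-Policy "no-referrer"`. Since the header set is now duplicated across two virtual hosts, hoisting it into a named Caddyfile snippet via `services.caddy.extraConfig` and `import`ing it in both would keep the two from drifting apart again.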
From: ooks-io
Date: Fri, 1 Nov 2024 12:46:31 +1100
Subject: [PATCH 08/10] server: add debloat module
---
 modules/nixos/server/debloat.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 modules/nixos/server/debloat.nix
diff --git a/modules/nixos/server/debloat.nix b/modules/nixos/server/debloat.nix
new file mode 100644
index 0000000..616203c
--- /dev/null
+++ b/modules/nixos/server/debloat.nix
@@ -0,0 +1,16 @@
+{lib, ...}: let
+ inherit (lib) mkDefault;
+in {
+ # from github:nix-community/srvos
+
+ # disable fonts
+ fonts.fontconfig.enable = false;
+
+ # dont generate documentation
+ documentation = {
+ enable = mkDefault false;
+ info.enable = mkDefault false;
+ man.enable = mkDefault false;
+ nixos.enable = mkDefault false;
+ };
+}
From 1e5e9b9dfde4ca8ce32bba3e79cfff1a6affef10 Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Fri, 1 Nov 2024 12:46:44 +1100
Subject: [PATCH 09/10] secrets: add ooknet_org key
---
 modules/nixos/base/secrets.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/modules/nixos/base/secrets.nix b/modules/nixos/base/secrets.nix
index 14685a1..63406e2 100644
--- a/modules/nixos/base/secrets.nix
+++ b/modules/nixos/base/secrets.nix
@@ -25,6 +25,12 @@ in {
 owner = "${admin.name}";
 group = "users";
 };
+ ooknet_org = mkIf admin.homeManager {
+ file = "${self}/secrets/ooknet_org.age";
+ path = "/home/${admin.name}/.ssh/ooknet_org";
+ owner = "${admin.name}";
+ group = "users";
+ };
 spotify_key = mkIf admin.homeManager {
 file = "${self}/secrets/spotify_key.age";
 owner = "${admin.name}";
From d9f629f3a9175e9af01131b3c356942098028dba Mon Sep 17 00:00:00 2001
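Review bot: `fonts.fontconfig.enable = false;` is set unconditionally while every `documentation.*` value in the same file goes through `mkDefault`, so a service module that needs fontconfig on a server collides with this module instead of overriding it; use `fonts.fontconfig.enable = mkDefault false;` for consistency. The `# from github:nix-community/srvos` attribution is useful — keep it, but name the upstream module that was copied so it can be diffed against later.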
From: ooks-io
Date: Fri, 1 Nov 2024 12:47:49 +1100
Subject: [PATCH 10/10] admin: add group www
---
 modules/home/workstation/gaming/options.nix | 31 +++++++++++
 .../workstation/gaming/world-of-warcraft.nix | 55 +++++++++++++++++++
 modules/home/workstation/gaming/wow.nix | 1 +
 modules/nixos/base/admin.nix | 1 +
 modules/nixos/base/builder.nix | 12 ++++
 5 files changed, 100 insertions(+)
 create mode 100644 modules/home/workstation/gaming/options.nix
 create mode 100644 modules/home/workstation/gaming/world-of-warcraft.nix
 create mode 100644 modules/nixos/base/builder.nix
diff --git a/modules/home/workstation/gaming/options.nix b/modules/home/workstation/gaming/options.nix
new file mode 100644
index 0000000..f6061ed
--- /dev/null
+++ b/modules/home/workstation/gaming/options.nix
@@ -0,0 +1,31 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ inherit (lib) mkIf mkEnableOption mkOption;
+ inherit (lib.types) str;
+ cfg = config.ooknet.gaming;
+in {
+ options.ooknet.gaming = {
+ enable = mkEnableOption;
+
+ gamesPath = mkOption {
+ type = str;
+ default = "${config.home.homeDirectory}/Games";
+ description = "Location where games will be stored.";
+ };
+
+ prefixPath = mkOption {
+ type = str;
+ default = "${cfg.gamesPath}/prefixes";
+ };
+ compatDataPath = mkOption {
+ type = str;
+ default = "${cfg.prefixPath}/compatdata";
+ };
+ };
+ config = mkIf cfg.enable {
+ xdg.userDirs.XDG_GAMES_DIR = cfg.gamesPath;
+ };
+}
diff --git a/modules/home/workstation/gaming/world-of-warcraft.nix b/modules/home/workstation/gaming/world-of-warcraft.nix
new file mode 100644
index 0000000..5bb944c
--- /dev/null
+++ b/modules/home/workstation/gaming/world-of-warcraft.nix
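Review bot: `enable = mkEnableOption;` assigns the function itself instead of calling it, so the module system finds a function where an option declaration is expected and evaluation of `options.ooknet.gaming` fails; it needs a name, `enable = mkEnableOption "the gaming module";`. `xdg.userDirs.XDG_GAMES_DIR = cfg.gamesPath;` also writes a top-level attribute of `xdg.userDirs` while `world-of-warcraft.nix` in this same patch reads `config.xdg.userDirs.extraConfig.XDG_GAMES_DIR`; home-manager keeps custom directories under `extraConfig`, so the write should be `xdg.userDirs.extraConfig.XDG_GAMES_DIR = cfg.gamesPath;`. `prefixPath` and `compatDataPath` also lack the `description` that `gamesPath` has.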
@@ -0,0 +1,55 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkIf mkEnableOption mkOption;
+ inherit (lib.types) str package;
+ inherit (config.ooknet) gaming;
+ gamesDir = config.xdg.userDirs.extraConfig.XDG_GAMES_DIR;
+ cfg = config.ooknet.gaming.world-of-warcraft;
+in {
+ options.ooknet.gaming.world-of-warcraft = {
+ enable = mkEnableOption "Enable the World of Warcraft module";
+
+ proton = {
+ package = mkOption {
+ type = package;
+ default = pkgs.proton-ge-custom;
+ };
+ prefix = {
+ path = mkOption {
+ type = str;
+ default = "${gaming.prefixPath}/WoW";
+ };
+ };
+ compatDataPath = mkOption {
+ type = str;
+ default = "${gaming.compatDataPath}/";
+ };
+ };
+
+ gamePrefixPath = mkOption {
+ type = str;
+ default = "${cfg.winePrefixesPath}/WoW";
+ description = "Location where the World of Warcraft prefix will be stored.";
+ };
+
+ gamePath = mkOption {
+ type = str;
+ default = "${cfg.world-of-warcraft.gamePrefixPath}/drive_c/Program Files (x86)/World of Warcraft";
+ description = "Location where the World of Warcraft installation will be symlinked.";
+ };
+
+ gameSharedPath = mkOption {
+ type = str;
+ default = "${cfg.wineProgramsPath}/World Of Warcraft";
+ description = "Location where World of Warcraft game files are stored.";
+ };
+ };
+ config =
+ mkIf cfg.enable {
+ };
+}
+
diff --git a/modules/home/workstation/gaming/wow.nix b/modules/home/workstation/gaming/wow.nix
index 0c82934..9ca101e 100644
--- a/modules/home/workstation/gaming/wow.nix
+++ b/modules/home/workstation/gaming/wow.nix
@@ -2,6 +2,7 @@
 lib,
 osConfig,
 pkgs,
+ self',
 ...
 }: let
 inherit (lib) mkIf elem;
diff --git a/modules/nixos/base/admin.nix b/modules/nixos/base/admin.nix
index 319472d..64bf329 100644
--- a/modules/nixos/base/admin.nix
+++ b/modules/nixos/base/admin.nix
@@ -30,6 +30,7 @@ in {
 "libvirtd"
 "streamer"
 "torrenter"
+ "www"
 ];
 };
 };
diff --git a/modules/nixos/base/builder.nix b/modules/nixos/base/builder.nix
new file mode 100644
index 0000000..d37d94c
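Review bot: `cfg.winePrefixesPath`, `cfg.world-of-warcraft.gamePrefixPath` and `cfg.wineProgramsPath` are used in option defaults but none of them is declared (`cfg` is already `config.ooknet.gaming.world-of-warcraft`, so `cfg.world-of-warcraft.…` doubles the path), and `gamesDir` is bound but never used; the defaults raise attribute-missing errors as soon as they are evaluated, for instance by documentation generation. Presumably `gamePrefixPath` should default to `"${gaming.prefixPath}/WoW"` (the value `proton.prefix.path` already computes) and `gamePath` to `"${cfg.gamePrefixPath}/drive_c/..."`, with `gameSharedPath` built from a declared base as well. `mkEnableOption "Enable the World of Warcraft module"` renders as "Whether to enable Enable the …"; pass just `"the World of Warcraft module"`. `config = mkIf cfg.enable { };` is empty, so the module currently only declares options.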
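Review bot: `"www"` is added to the admin's `extraGroups` in a base module that every host imports, but the `www` group is only declared in `modules/nixos/server/webserver/caddy.nix` under `caddy.enable`, so on workstations the membership references a group that does not exist and is, depending on the activation script, either dropped or reported. Declare the group alongside the admin user (`users.groups.www = {};`) or gate the entry on the web server being enabled; the enclosing `users.users` definition starts outside the hunk. The commit title covers only this change while the patch also adds the gaming and builder modules — worth splitting.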
--- /dev/null
+++ b/modules/nixos/base/builder.nix
@@ -0,0 +1,12 @@
+{
+ keys,
+ config,
+ ...
+}: let
+ inherit (config.ooknet.host) admin;
+in {
+ users = {
+ groups.builder = {};
+ users.builder = (key: ''command="nix-daemon --stdio",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}'') keys.users.${admin.name};
+ };
+}
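Review bot: `users.builder = (key: ''…'') keys.users.${admin.name};` assigns a string to `users.users.builder`, which the module system expects to be a user submodule, so this file cannot evaluate; the restricted authorized_keys line belongs in `openssh.authorizedKeys.keys` of a properly declared system user. sshd runs the forced `nix-daemon --stdio` through the account's login shell, so the user also needs a real shell (`useDefaultShell = true`) rather than the system-user default, and nothing in this series adds `./builder.nix` to the base imports, so the module is unreachable until that import lands. Whether `builder` must also appear in `nix.settings.trusted-users` depends on how the client pushes closures; confirm against the intended remote-build setup.
```nix
users = {
  groups.builder = {};
  users.builder = {
    isSystemUser = true;
    group = "builder";
    # sshd executes the forced command via the login shell; nologin would refuse it
    useDefaultShell = true;
    openssh.authorizedKeys.keys = [
      ''command="nix-daemon --stdio",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${keys.users.${admin.name}}''
    ];
  };
};
```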