

10 commits

Author SHA1 Message Date
d9f629f3a9 admin: add group www 2024-11-01 12:47:49 +11:00
1e5e9b9dfd secrets: add ooknet_org key 2024-11-01 12:46:44 +11:00
68d3a494a1 server: add debloat module 2024-11-01 12:46:31 +11:00
90e096262b forgeje: use 2222 port for ssh
server: move caddy to seperate module
2024-11-01 12:46:12 +11:00
52cb6d10bc nix: use lix 2024-11-01 12:43:52 +11:00
ba30586443 home: add ooknet.org forgejo ssh configuration 2024-11-01 12:43:24 +11:00
331a15f0e6 server: add forgjo initial configuration 2024-10-31 22:42:23 +11:00
6360a976f2 server: add postgresql initial configuration 2024-10-31 22:41:52 +11:00
bf5c7b5434 ooksdesk: add printing feature 2024-10-31 22:41:28 +11:00
9ea4ff289f linode: open 443 2024-10-31 17:31:26 +11:00
28 changed files with 463 additions and 130 deletions

flake.lock generated

@ -166,6 +166,24 @@
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_3"
},
"locked": {
"lastModified": 1726153070,
"narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1629284811,
@ -201,7 +219,7 @@
},
"flake-utils_3": {
"inputs": {
"systems": "systems_6"
"systems": "systems_7"
},
"locked": {
"lastModified": 1726560853,
@ -679,6 +697,21 @@
"type": "github"
}
},
"nix-filter": {
"locked": {
"lastModified": 1710156097,
"narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "3342559a24e85fc164b295c3444e8a139924675b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "nix-filter",
"type": "github"
}
},
"nix-index-db": {
"inputs": {
"nixpkgs": [
@ -739,6 +772,18 @@
"url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
}
},
"nixpkgs-lib_3": {
"locked": {
"lastModified": 1725233747,
"narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
@ -985,6 +1030,29 @@
"type": "github"
}
},
"ooknet-website": {
"inputs": {
"flake-parts": "flake-parts_3",
"nix-filter": "nix-filter",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_5"
},
"locked": {
"lastModified": 1728305902,
"narHash": "sha256-761elKy4m30bx9+3QTlc2MGlRbESek/klbufIP75UqI=",
"ref": "refs/heads/master",
"rev": "b0ed4617e28b40e43cc286c9cd50d75d0e204668",
"revCount": 4,
"type": "git",
"url": "ssh://git@github.com/ooks-io/website"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/ooks-io/website"
}
},
"ooks-scripts": {
"inputs": {
"nixpkgs": [
@ -2793,8 +2861,9 @@
"nix-index-db": "nix-index-db",
"nixpkgs": "nixpkgs_3",
"nvf": "nvf",
"ooknet-website": "ooknet-website",
"ooks-scripts": "ooks-scripts",
"systems": "systems_5",
"systems": "systems_6",
"zjstatus": "zjstatus"
}
},
@ -2922,6 +2991,21 @@
}
},
"systems_6": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",


@ -30,6 +30,10 @@
url = "git+ssh://git@github.com/ooks-io/scripts";
inputs.nixpkgs.follows = "nixpkgs";
};
ooknet-website = {
url = "git+ssh://git@github.com/ooks-io/website";
inputs.nixpkgs.follows = "nixpkgs";
};
nvf.url = "github:notashelf/nvf/v0.7";


@ -3,7 +3,7 @@
cpu.type = "amd";
cpu.amd.pstate.enable = true;
gpu.type = "amd";
features = ["ssd" "audio" "video"];
features = ["printing" "ssd" "audio" "video"];
monitors = [
{
name = "DP-3";


@ -17,6 +17,12 @@ in {
hostname = "github.com";
identityFile = "${osConfig.age.secrets.github_key.path}";
};
"git.ooknet.org" = {
user = "forgejo";
port = 2222;
hostname = "git.ooknet.org";
identityFile = "${osConfig.age.secrets.ooknet_org.path}";
};
};
};
};
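Review bot: The new `git.ooknet.org` match block names an identity file but does not set `identitiesOnly = true;`, so ssh will still offer every key loaded in the agent before falling back to the declared key, which exposes unrelated key fingerprints to that host and can exhaust the server's authentication attempts. Adding `identitiesOnly = true;` beside `identityFile` pins the block to the one key it declares. The enclosing `matchBlocks` attrset starts outside the hunk.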


@ -0,0 +1,31 @@
{
lib,
config,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str;
cfg = config.ooknet.gaming;
in {
options.ooknet.gaming = {
enable = mkEnableOption;
gamesPath = mkOption {
type = str;
default = "${config.home.homeDirectory}/Games";
description = "Location where games will be stored.";
};
prefixPath = mkOption {
type = str;
default = "${cfg.gamesPath}/prefixes";
};
compatDataPath = mkOption {
type = str;
default = "${cfg.prefixPath}/compatdata";
};
};
config = mkIf cfg.enable {
xdg.userDirs.XDG_GAMES_DIR = cfg.gamesPath;
};
}
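Review bot: `enable = mkEnableOption;` in `options.ooknet.gaming` assigns the `mkEnableOption` function itself rather than calling it, so the option declaration is not a valid option and evaluating the module fails; it should read `enable = mkEnableOption "ooknet gaming";`. Separately, `xdg.userDirs.XDG_GAMES_DIR` under `config` is not one of home-manager's declared `userDirs` options, and the sibling World of Warcraft module reads `config.xdg.userDirs.extraConfig.XDG_GAMES_DIR`, so presumably the write should be `xdg.userDirs.extraConfig.XDG_GAMES_DIR = cfg.gamesPath;` to match. `prefixPath` and `compatDataPath` also lack a `description`, unlike `gamesPath`.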


@ -0,0 +1,55 @@
{
lib,
config,
pkgs,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str package;
inherit (config.ooknet) gaming;
gamesDir = config.xdg.userDirs.extraConfig.XDG_GAMES_DIR;
cfg = config.ooknet.gaming.world-of-warcraft;
in {
options.ooknet.gaming.world-of-warcraft = {
enable = mkEnableOption "Enable the World of Warcraft module";
proton = {
package = mkOption {
type = package;
default = pkgs.proton-ge-custom;
};
prefix = {
path = mkOption {
type = str;
default = "${gaming.prefixPath}/WoW";
};
};
compatDataPath = mkOption {
type = str;
default = "${gaming.compatDataPath}/";
};
};
gamePrefixPath = mkOption {
type = str;
default = "${cfg.winePrefixesPath}/WoW";
description = "Location where the World of Warcraft prefix will be stored.";
};
gamePath = mkOption {
type = str;
default = "${cfg.world-of-warcraft.gamePrefixPath}/drive_c/Program Files (x86)/World of Warcraft";
description = "Location where the World of Warcraft installation will be symlinked.";
};
gameSharedPath = mkOption {
type = str;
default = "${cfg.wineProgramsPath}/World Of Warcraft";
description = "Location where World of Warcraft game files are stored.";
};
};
config =
mkIf cfg.enable {
};
}
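Review bot: The defaults of `gamePrefixPath`, `gamePath` and `gameSharedPath` reference `cfg.winePrefixesPath`, `cfg.world-of-warcraft.gamePrefixPath` and `cfg.wineProgramsPath`, none of which this module declares (`cfg` is `config.ooknet.gaming.world-of-warcraft`, whose only options are `enable`, `proton.*` and these three), so reading any of them fails with a missing-attribute error. They look like leftovers from an earlier layout; the `proton.prefix.path` and `gaming.*` options above appear to be the intended sources, e.g. `default = "${cfg.proton.prefix.path}/drive_c/Program Files (x86)/World of Warcraft";` for `gamePath`. The `config = mkIf cfg.enable {};` block is empty, so enabling the module currently does nothing beyond evaluating these defaults, and `gamesDir` is bound but never used.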


@ -2,6 +2,7 @@
lib,
osConfig,
pkgs,
self',
...
}: let
inherit (lib) mkIf elem;


@ -30,6 +30,7 @@ in {
"libvirtd"
"streamer"
"torrenter"
"www"
];
};
};
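Review bot: `"www"` is appended to a group list whose owner is outside the hunk (presumably the admin user's `extraGroups`), but the `www` group is only declared in the new caddy module under `mkIf caddy.enable`, so a host that imports this admin module without the Caddy webserver references an undeclared group. If the list is applied to every host, consider guarding the entry with the same condition, e.g. `++ optional config.ooknet.server.webserver.caddy.enable "www"`, or declaring `users.groups.www = {};` unconditionally. Membership in `www` also gives the admin write access to the `0775 caddy www` webroot directories created by the website module, which appears to be the intent.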


@ -0,0 +1,12 @@
{
keys,
config,
...
}: let
inherit (config.ooknet.host) admin;
in {
users = {
groups.builder = {};
users.builder = (key: ''command="nix-daemon --stdio",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}'') keys.users.${admin.name};
};
}
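Review bot: `users.users.builder` is assigned a string (the forced-command authorized_keys line) rather than a user definition, so the module fails to evaluate; NixOS expects an attrset carrying `openssh.authorizedKeys.keys`, a group and `isSystemUser`. The `command="nix-daemon --stdio"` plus the `no-*` restrictions is the right shape for a remote-build account, it just needs to live in the authorized-keys list, and the account needs a usable shell for sshd to run the forced command. The key reused here is the admin's personal key via `keys.users.${admin.name}`; a dedicated builder key would allow it to be rotated independently of the admin's login key.
```nix
  users = {
    groups.builder = {};
    users.builder = {
      isSystemUser = true;
      group = "builder";
      useDefaultShell = true; # sshd needs a real shell to run the forced command
      openssh.authorizedKeys.keys = [
        ''command="nix-daemon --stdio",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${keys.users.${admin.name}}''
      ];
    };
  };
```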


@ -27,7 +27,7 @@ in {
variables = paths;
};
nix = {
# package = pkgs.lix;
package = pkgs.lix;
# collect garbage
gc = {


@ -25,6 +25,12 @@ in {
owner = "${admin.name}";
group = "users";
};
ooknet_org = mkIf admin.homeManager {
file = "${self}/secrets/ooknet_org.age";
path = "/home/${admin.name}/.ssh/ooknet_org";
owner = "${admin.name}";
group = "users";
};
spotify_key = mkIf admin.homeManager {
file = "${self}/secrets/spotify_key.age";
owner = "${admin.name}";


@ -0,0 +1,5 @@
{
imports = [
./postgresql.nix
];
}


@ -0,0 +1,38 @@
{
config,
lib,
...
}: let
inherit (lib) mkIf elem optionals;
inherit (config.ooknet.server) services database;
in {
config = mkIf database.postgresql.enable {
services.postgresql = {
enable = true;
checkConfig = true;
ensureDatabases = optionals (elem "forgejo" services) ["forgejo"];
ensureUsers =
[
{
name = "postgres";
ensureClauses = {
login = true;
superuser = true;
replication = true;
createdb = true;
createrole = true;
};
}
]
++ (optionals (elem "forgejo" services) [
{
name = "forgejo";
ensureDBOwnership = true;
}
]);
};
};
}
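Review bot: The `postgres` entry in `ensureUsers` grants `superuser`, `replication`, `createdb` and `createrole` to the bootstrap superuser, which already holds all of them, so it changes nothing while keeping an explicit superuser grant in configuration that is easy to copy onto another role by mistake; dropping the entry leaves behaviour unchanged. `ensureClauses` has, as far as I recall, been deprecated in recent NixOS releases, so it is worth confirming it still exists at the nixpkgs revision pinned in flake.lock. The forgejo `ensureDatabases`/`ensureUsers` entries also duplicate what `services.forgejo.database.createDatabase = true` provisions in the forgejo module; harmless, but one of the two is redundant.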


@ -0,0 +1,16 @@
{lib, ...}: let
inherit (lib) mkDefault;
in {
# from github:nix-community/srvos
# disable fonts
fonts.fontconfig.enable = false;
# dont generate documentation
documentation = {
enable = mkDefault false;
info.enable = mkDefault false;
man.enable = mkDefault false;
nixos.enable = mkDefault false;
};
}


@ -1,7 +1,9 @@
{
imports = [
./options.nix
./debloat.nix
./services
./profiles
./webserver
./database
];
}


@ -1,6 +1,6 @@
{lib, ...}: let
inherit (lib) mkOption;
inherit (lib.types) nullOr listOf enum bool;
inherit (lib) mkOption mkEnableOption;
inherit (lib.types) str nullOr listOf enum bool;
in {
options.ooknet.server = {
exitNode = mkOption {
@ -14,9 +14,20 @@ in {
description = "The server profile the host will use as a base";
};
services = mkOption {
type = listOf (enum ["website"]);
type = listOf (enum ["website" "forgejo"]);
default = [];
description = "List of services the server will host";
};
domain = mkOption {
type = str;
default = "";
};
webserver = {
caddy.enable = mkEnableOption "";
};
database = {
postgresql.enable = mkEnableOption "";
};
};
}
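Review bot: `domain` defaults to the empty string, and the forgejo module builds `DOMAIN = "git.${domain}"` and `ROOT_URL = "https://git.${domain}"` from it, so a server that enables forgejo without setting `domain` silently runs with `git.` as its domain and root URL. Declaring it as `type = nullOr str; default = null;` (`nullOr` is already imported) and asserting non-null where it is consumed turns that into an evaluation error; the `domain ? ""` default in the server-builder hunk near the end of this compare would need the same change. The two new `mkEnableOption ""` calls also leave the generated option documentation blank; `mkEnableOption "the Caddy webserver"` and `mkEnableOption "PostgreSQL"` cost nothing.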


@ -1,94 +0,0 @@
{
lib,
pkgs,
config,
...
}: let
inherit (builtins) attrValues;
inherit (lib) mkForce getExe' mkIf;
inherit (config.ooknet.server) profile;
in {
config = mkIf (profile == "linode") {
services.qemuGuest.enable = true;
networking = {
tempAddresses = "disabled";
usePredictableInterfaceNames = mkForce false;
interfaces.eth0 = {
tempAddress = "disabled";
useDHCP = true;
};
};
fileSystems."/" = {
device = "/dev/sda";
fsType = "ext4";
autoResize = true;
};
swapDevices = [{device = "/dev/sdb";}];
boot = {
kernelPackages = pkgs.linuxPackages_latest;
kernelModules = [];
# LISH console support
kernelParams = ["console=ttyS0,19200n8"];
extraModulePackages = [];
growPartition = true;
initrd = {
availableKernelModules = [
# modules generated by nixos-generate-config
"virtio_pci"
"virtio_scsi"
"ahci"
"sd_mod"
# qemu guest modules
"virtio_net"
"virtio_mmio"
"virtio_blk"
"virtio_scsi"
"9p"
"9pnet_virtio"
];
kernelModules = [
"virtio_balloon"
"virtio_console"
"virtio_rng"
"virtio_gpu"
];
};
loader = {
grub = {
enable = true;
device = "nodev";
forceInstall = true;
copyKernels = true;
fsIdentifier = "label";
splashImage = null;
extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial
'';
extraInstallCommands = "${getExe' pkgs.coreutils "ln"} -fs /boot/grub /boot/grub2";
};
timeout = mkForce 10;
# disable base settings
efi.canTouchEfiVariables = mkForce false;
systemd-boot.enable = mkForce false;
};
};
environment = {
systemPackages = attrValues {
inherit
(pkgs)
inetutils
mtr
sysstat
linode-cli
;
};
};
};
}


@ -8,5 +8,6 @@ in {
tempAddress = "disabled";
useDHCP = true;
};
firewall.allowedUDPPorts = [443];
};
}
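Review bot: `firewall.allowedUDPPorts = [443];` opens only UDP 443, which carries HTTP/3 (QUIC); TCP 80 and 443 are not opened in this hunk, and the NixOS Caddy module does not open them on its own. If they are already allowed elsewhere this is a sensible addition, otherwise only HTTP/3-capable clients could reach the site, so confirm where TCP 80/443 are opened and consider keeping all three next to each other. The enclosing `networking` attrset starts outside the hunk.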


@ -0,0 +1,74 @@
{
config,
lib,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet.server) database;
in {
# hardware based postgresql configuration for: linode nano
# 4GB RAM 1 Core
# generated with: <http://pgconfigurator.cybertec.at>
config = mkIf database.postgresql {
services.postgresql = {
settings = {
# Connectivity
max_connections = 20;
superuser_reserved_connections = 3;
# Memory Settings
shared_buffers = "256 MB";
work_mem = "32 MB";
maintenance_work_mem = "320 MB";
huge_pages = "off";
effective_cache_size = "1 GB";
effective_io_concurrency = 100; # concurrent IO only really activated if OS supports posix_fadvise function
random_page_cost = 1.25; # speed of random disk access relative to sequential access (1.0)
# Monitoring
shared_preload_libraries = "pg_stat_statements"; # per statement resource usage stats
track_io_timing = "on"; # measure exact block IO times
track_functions = "pl"; # track execution times of pl-language procedures if any
# Replication
wal_level = "replica"; # consider using at least 'replica'
max_wal_senders = 0;
synchronous_commit = "on";
# Checkpointing:
checkpoint_timeout = "15 min";
checkpoint_completion_target = 0.9;
max_wal_size = "1024 MB";
min_wal_size = "512 MB";
# WAL writing
wal_compression = "on";
wal_buffers = -1; # auto-tuned by Postgres till maximum of segment size (16MB by default)
wal_writer_delay = "200ms";
wal_writer_flush_after = "1MB";
# Background writer
bgwriter_delay = "200ms";
bgwriter_lru_maxpages = 100;
bgwriter_lru_multiplier = 2.0;
bgwriter_flush_after = 0;
# Parallel queries:
max_worker_processes = 1;
max_parallel_workers_per_gather = 1;
max_parallel_maintenance_workers = 1;
max_parallel_workers = 1;
parallel_leader_participation = "on";
# Advanced features
enable_partitionwise_join = "on";
enable_partitionwise_aggregate = "on";
jit = "on";
max_slot_wal_keep_size = "1000 MB";
track_wal_io_timing = "on";
maintenance_io_concurrency = 100;
wal_recycle = "on";
};
};
};
}
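Review bot: `config = mkIf database.postgresql {` passes the `database.postgresql` attrset (declared as `{ enable = mkEnableOption ""; }` in options.nix) as the condition, so evaluation fails whenever this module is imported, since `mkIf` requires a boolean; the sibling database module uses `mkIf database.postgresql.enable`, and this line should read `config = mkIf database.postgresql.enable {`. The header comment (`4GB RAM 1 Core`, generated with pgconfigurator) is the only record of the sizing these values were produced for; adding a line such as `# regenerate the whole block when the instance is resized rather than editing values individually` would save the next maintainer from hand-tuning a generated set.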


@ -1,5 +1,6 @@
{
imports = [
./website
./forgejo
];
}


@ -0,0 +1,66 @@
{
config,
lib,
...
}: let
inherit (config.ooknet.server) services domain;
inherit (lib) mkIf elem;
in {
config = mkIf (elem "forgejo" services) {
networking.firewall.allowedTCPPorts = [2222];
ooknet.server = {
webserver.caddy.enable = true;
database.postgresql.enable = true;
};
services = {
forgejo = {
enable = true;
settings = {
server = {
DOMAIN = "git.${domain}";
ROOT_URL = "https://git.${domain}";
HTTP_PORT = 3000;
LANDING_PAGE = "explore";
START_SSH_SERVER = true;
SSH_PORT = 2222;
SSH_LISTEN_PORT = 2222;
};
database = {
type = "postgres";
createDatabase = true;
};
service = {
DISABLE_REGISTRATION = true;
};
security = {
INSTALL_LOCK = true;
};
};
};
caddy.virtualHosts = {
"git.${domain}".extraConfig = ''
header {
Strict-Transport-Security "max-age=31536000;"
X-XSS-Protection "1; mode=block"
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
-Server
Referrer-Policy "no-referrer"
}
# Handle proxying
handle_path /* {
reverse_proxy localhost:3000 {
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
'';
};
};
};
}
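Review bot: The Caddy header block sends `X-XSS-Protection "1; mode=block"`, a legacy header that current browsers ignore and whose older implementations have been associated with cross-site information leaks; current OWASP guidance is `X-XSS-Protection "0"` or omitting it, and the same line is repeated in the website module's virtual host further down this compare. The `handle_path /*` wrapper strips nothing from a `/*` match, so `reverse_proxy localhost:3000 { ... }` directly in the site block does the same with less indirection. Since both virtual hosts now carry an identical header set, a shared Caddy snippet or a Nix string reused by both modules would keep them from drifting apart, which they already have for `Referrer-Policy`.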


@ -9,8 +9,7 @@
inherit (self'.packages) website;
in {
config = mkIf (elem "website" services) {
users.groups.www = {};
ooknet.server.webserver.caddy.enable = true;
systemd.tmpfiles.rules = [
"d /var/www 0775 caddy www"
"d /var/www/ooknet.org 0775 caddy www"
@ -40,34 +39,29 @@ in {
};
# using caddy because it makes my life easy
services.caddy = {
enable = true;
group = "www";
services.caddy.virtualHosts = {
"ooknet.org".extraConfig =
# sh
''
encode zstd gzip
virtualHosts = {
"ooknet.org".extraConfig =
# sh
''
encode zstd gzip
header {
Strict-Transport-Security "max-age=31536000;"
X-XSS-Protection "1; mode=block"
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
-Server
header {
Strict-Transport-Security "max-age=31536000;"
X-XSS-Protection "1; mode=block"
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
-Server
Referrer-Policy: no-referrer
}
Referrer-Policy: no-referrer
}
root * /var/www/ooknet.org/
file_server
'';
"www.ooknet.org".extraConfig = ''
redir https://ooknet.org{uri}
root * /var/www/ooknet.org/
file_server
'';
};
"www.ooknet.org".extraConfig = ''
redir https://ooknet.org{uri}
'';
};
};
}
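Review bot: `Referrer-Policy: no-referrer` inside the Caddy `header` block carries a trailing colon on the field name, unlike the forgejo module's `Referrer-Policy "no-referrer"`; in the `header` directive the first token is the field name, so as far as I can tell the colon becomes part of the header name and the policy is not applied as intended (the line predates this commit but is kept on the new side). Changing it to `Referrer-Policy "no-referrer"` aligns the two modules. Moving `enable`/`group` into the new caddy module and replacing them with `ooknet.server.webserver.caddy.enable = true;` looks right; `users.groups.www = {};` is now declared only when Caddy is enabled, which this module guarantees.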


@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet.server.webserver) caddy;
in {
config = mkIf caddy.enable {
users.groups.www = {};
services.caddy = {
enable = true;
group = "www";
};
};
}
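Review bot: This module enables Caddy and declares the `www` group but leaves the listening ports to the caller: neither `networking.firewall.allowedTCPPorts = [80 443];` nor the UDP 443 added in the linode hunk lives here, so a host that sets `webserver.caddy.enable` without that profile gets a server nothing can reach. Opening the ports next to `services.caddy.enable`, or stating in a comment that the profile is expected to open them, would make the option self-contained. `group = "www"` also makes the Caddy process a member of the group that owns the `0775` webroot directories, so the server can write to its own document root; if write access is only needed for deploys, keeping the service on a read-only webroot and reserving `www` for the admin would be tighter.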


@ -1,5 +1,5 @@
{
imports = [
./linode.nix
./caddy.nix
];
}


@ -10,9 +10,10 @@ in {
inherit withSystem;
system = "x86_64-linux";
hostname = "ooknode";
domain = "ooknet.org";
type = "vm";
profile = "linode";
services = ["website"];
services = ["website" "forgejo"];
};
};
}


@ -89,6 +89,7 @@
type,
profile,
services,
domain ? "",
additionalModules ? [],
specialArgs ? {},
}:
@ -98,7 +99,7 @@
additionalModules = concatLists [
(singleton {
ooknet.server = {
inherit services;
inherit domain services;
};
})
core

BIN
secrets/ooknet_org.age Normal file

Binary file not shown.


@ -5,4 +5,5 @@ in {
"tailscale-auth.age".publicKeys = [users.ooks] ++ workstations;
"github_key.age".publicKeys = [users.ooks] ++ workstations;
"spotify_key.age".publicKeys = [users.ooks] ++ workstations;
"ooknet_org.age".publicKeys = [users.ooks] ++ workstations;
}