From 01a36fa4fa50776b03128d85929f520b4eea53ef Mon Sep 17 00:00:00 2001 From: Jaculabilis Date: Sat, 23 Jan 2021 17:16:48 +0000 Subject: [PATCH 01/19] Initial commit for empyrean configs --- amanuensis.nix | 47 +++++++++++++ catacomb.nix | 19 ++++++ configuration.nix | 133 +++++++++++++++++++++++++++++++++++++ docstore.nix | 49 ++++++++++++++ gitea.nix | 62 +++++++++++++++++ hardware-configuration.nix | 22 ++++++ 6 files changed, 332 insertions(+) create mode 100644 amanuensis.nix create mode 100644 catacomb.nix create mode 100644 configuration.nix create mode 100644 docstore.nix create mode 100644 gitea.nix create mode 100644 hardware-configuration.nix diff --git a/amanuensis.nix b/amanuensis.nix new file mode 100644 index 0000000..7186835 --- /dev/null +++ b/amanuensis.nix 
@@ -0,0 +1,47 @@ +# Configuration for the Amanuensis service + +{ config, pkgs, ... }: + +# Set up python +with pkgs; +let amanuensis-requires = python-packages: with python-packages; [ + flask flask_login flask_wtf gunicorn +]; +python3-with-amanuensis-requires = python3.withPackages amanuensis-requires; +in +{ + # Create a user for the server process to run under + users.users.amanuensis = { + isNormalUser = true; + description = "Amanuensis server user"; + packages = [ python3-with-amanuensis-requires ]; + }; + + # Create the server process systemd unit + systemd.services.amanuensis = { + enable = false; + description = "Amanuensis Lexicon server"; + serviceConfig = { + Type = "simple"; + ExecStart = "/home/amanuensis/Amanuensis/run.sh"; + Restart = "on-failure"; + User = "amanuensis"; + WorkingDirectory = "/home/amanuensis"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + # Configure nginx to forward to the server at the lexicon subdomain + services.nginx.virtualHosts."lexicon.alogoulogoi.com" = { + enableACME = true; + forceSSL = true; + extraConfig = '' + access_log /var/log/nginx/access.lexicon.log; + ''; + locations."/".extraConfig = '' + proxy_buffering off; + proxy_pass http://localhost:8000/; + ''; + }; +} + diff --git a/catacomb.nix b/catacomb.nix new file mode 100644 index 0000000..8fdb43a --- /dev/null +++ b/catacomb.nix @@ -0,0 +1,19 @@ +# Configuration for the catacomb forwarder + +{ config, pkgs, ... }: + +{ + # Configure nginx to forward to the server on catacomb + services.nginx.virtualHosts."catacomb.alogoulogoi.com" = { + enableACME = true; + forceSSL = true; + extraConfig = '' + access_log /var/log/nginx/access.catacomb.log; + ''; + locations."/".extraConfig = '' + proxy_buffering off; + proxy_pass http://10.7.3.16:7473/; + ''; + }; +} + diff --git a/configuration.nix b/configuration.nix new file mode 100644 index 0000000..a4a9d6a --- /dev/null +++ b/configuration.nix 
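Review bot: `ExecStart = "/home/amanuensis/Amanuensis/run.sh"` runs boot-time service code out of the service account's own home rather than the Nix store, so anything that can write there — including the Flask process itself, which runs as the same user — gains persistence across reboots and rebuilds, and nothing in the unit (`ProtectSystem`, `NoNewPrivileges`, `PrivateTmp`) constrains that process. `isNormalUser = true` also gives the account a login shell and `users` membership under NixOS's defaults, which a daemon does not need; `isSystemUser = true` with `home`/`createHome`, as docstore.nix in this same commit does, is the closer fit. Since `enable = false` suggests a manual bootstrap, a one-line comment on why the app is checked out in `$HOME` instead of packaged (`# TODO: package Amanuensis; run.sh is a hand-maintained checkout`) would help the next reader.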
@@ -0,0 +1,133 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./amanuensis.nix + ./docstore.nix + ./catacomb.nix + ./gitea.nix + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/xvda"; + extraConfig = "serial --unit=0 --speed=115200 ; terminal_input serial console ; terminal_output serial console"; + }; + boot.kernelParams = ["console=ttyS0"]; + console.extraTTYs = ["ttyS0"]; + + networking.hostName = "empyrean"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # Set your time zone. + time.timeZone = "UTC"; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim htop git tinc_pre python3 + gitea + ]; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts = { + # Static pages + "www.alogoulogoi.com" = { + enableACME = true; + forceSSL = true; + root = "/srv/www/"; + extraConfig = '' + access_log /var/log/nginx/access.www.log; + index index.html; + ''; + }; + # Deny all other subdomains + "alogoulogoi.com" = { + default = true; + locations."/".return = "444"; + }; + }; + }; + security.acme = { + email = "tim.vanbaak+alogoulogoi@gmail.com"; + acceptTerms = true; + }; + + services.gitolite = { + enable = true; + adminPubkey = "ssh-rsa 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 root@empyrean"; + }; + + services.ntp = { + enable = true; + servers = ["time.nist.gov"]; + }; + + services.openssh = { + enable = true; + passwordAuthentication = false; + permitRootLogin = "prohibit-password"; + }; + + services.tinc.networks.beatific = { + listenAddress = "0.0.0.0"; + chroot = false; + }; + + networking.firewall = { + enable = true; + allowPing = true; + allowedTCPPorts = [ + 22 # ssh + 80 # http + 443 # https + 655 # tinc + ]; + allowedUDPPorts = [ + 655 # tinc + ]; + }; + + security.hideProcessInformation = true; + + users.users.tvb = { + isNormalUser = true; + extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "20.03"; # Did you read the comment? + +} + 
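Review bot: The catch-all `"alogoulogoi.com"` vhost with `default = true` only yields a port-80 default server, so an HTTPS connection with an unknown or missing SNI name is not answered with 444 but by whichever `forceSSL` vhost nginx orders first on :443 — apparently one of the app hosts here, served with that host's certificate. Give the default host a 443 listener that refuses the handshake: `rejectSSL = true;` on NixOS releases that have the option, otherwise an `addSSL`/`onlySSL` default server with `ssl_reject_handshake on;` in `extraConfig` if the nginx in use supports it. Separately, `services.tinc.networks.beatific.chroot = false` opts out of the tinc module's chroot; a comment saying why (`# chroot disabled: <reason>`) would keep the next reader from re-enabling it blindly.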
diff --git a/docstore.nix b/docstore.nix new file mode 100644 index 0000000..4abf86b --- /dev/null +++ b/docstore.nix @@ -0,0 +1,49 @@ +# Configuration for the DocStore service + +{ config, pkgs, ... }: + +# Set up python +with pkgs; +let docstore-requires = python-packages: with python-packages; [ + flask flask_login flask_wtf gunicorn +]; +python3-with-docstore-requires = python3.withPackages docstore-requires; +in +{ + # Create a user for the server process to run under + users.users.docstore = { + description = "DocStore system user"; + isSystemUser = true; + home = "/home/docstore"; + createHome = true; + packages = [ python3-with-docstore-requires ]; + }; + + # Create the server process systemd unit + systemd.services.docstore = { + enable = true; + description = "DocStore server"; + serviceConfig = { + Type = "simple"; + ExecStart = "${python3-with-docstore-requires}/bin/python -m docstore.server /srv/docstore --port 8001"; + Restart = "on-failure"; + User = "docstore"; + WorkingDirectory = "/home/docstore/DocStore"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + # Configure nginx to forward to the server at the docs subdomain + services.nginx.virtualHosts."docs.alogoulogoi.com" = { + enableACME = true; + forceSSL = true; + extraConfig = '' + access_log /var/log/nginx/access.docs.log; + ''; + locations."/".extraConfig = '' + proxy_buffering off; + proxy_pass http://localhost:8001/; + ''; + }; +} + diff --git a/gitea.nix b/gitea.nix new file mode 100644 index 0000000..7a516b2 --- /dev/null +++ b/gitea.nix 
@@ -0,0 +1,62 @@ +# Configuration for Gitea instance + +{ config, pkgs, ... }: + +{ + # Gitea configuration + services.gitea = { + # Enable Gitea and configure for reverse proxy + enable = true; + httpAddress = "127.0.0.1"; + httpPort = 3300; + + # Private server + disableRegistration = true; + #useWizard = true; # Needed for first-time building + + # Settings + appName = "Horse Codes"; + lfs.enable = true; + dump = { + enable = true; + interval = "weekly"; + }; + log.level = "Info"; + settings = { + "repository" = { + DEFAULT_PRIVATE = true; + }; + "ui" = { + DEFAULT_THEME = "arc-green"; + SHOW_USER_EMAIL = false; + }; + "ui.meta" = { + AUTHOR = "Horse Codes"; + DESCRIPTION = "Alogoulogoi Gitea instance"; + KEYWORDS = ""; + }; + "security" = { + INSTALL_LOCK = true; + }; + "picture" = { + DISABLE_GRAVATAR = true; + }; + "cron.archive_cleanup".ENABLED = false; + "cron.sync_external_users".ENABLED = false; + }; + }; + + # Configure nginx to forward to the server at the git subdomain + services.nginx.virtualHosts."git.alogoulogoi.com" = { + enableACME = true; + forceSSL = true; + extraConfig = '' + access_log /var/log/nginx/access.git.log; + ''; + locations."/".extraConfig = '' + proxy_buffering off; + proxy_pass http://localhost:3300/; + ''; + }; +} + diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..66d6ba0 --- /dev/null +++ b/hardware-configuration.nix 
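Review bot: With `lfs.enable = true` the `git.alogoulogoi.com` location keeps nginx's default `client_max_body_size` of 1m, so LFS uploads and any push larger than that over HTTPS will be rejected with 413 before Gitea sees them; add `client_max_body_size 512m;` (or whatever ceiling you intend) next to `proxy_pass`. `dump.enable = true` with `interval = "weekly"` writes full dumps — database plus repositories — under Gitea's state directory by default (see `dump.backupDir`), so a comment noting where they land and that they are as sensitive as the live data would be worth adding.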
@@ -0,0 +1,22 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "sr_mod" "xen_blkfront" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/60aa6f09-f77f-472e-beb1-3441423a5d6d"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 1; +} From acb25a0956108dc0a795978af66d8f406290f1b1 Mon Sep 17 00:00:00 2001 From: Jaculabilis Date: Sat, 23 Jan 2021 17:33:01 +0000 Subject: [PATCH 02/19] Fix gitea domain --- gitea.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gitea.nix b/gitea.nix index 7a516b2..b14b67b 100644 --- a/gitea.nix +++ b/gitea.nix @@ -9,6 +9,8 @@ enable = true; httpAddress = "127.0.0.1"; httpPort = 3300; + domain = "git.alogoulogoi.com"; + rootUrl = "https://git.alogoulogoi.com/"; # Private server disableRegistration = true; From f082b940114a6eec27b77997c32ca2ec5eb416d1 Mon Sep 17 00:00:00 2001 From: Jaculabilis Date: Fri, 19 Feb 2021 01:32:57 +0000 Subject: [PATCH 03/19] Replace docstore with redstring server --- configuration.nix | 2 +- redstring.nix | 83 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 redstring.nix diff --git a/configuration.nix b/configuration.nix index a4a9d6a..4fd1fd0 100644 --- a/configuration.nix +++ b/configuration.nix @@ -9,7 +9,7 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix ./amanuensis.nix - ./docstore.nix + ./redstring.nix ./catacomb.nix ./gitea.nix ]; diff --git a/redstring.nix b/redstring.nix new file mode 100644 index 0000000..190164e --- /dev/null +++ b/redstring.nix 
@@ -0,0 +1,83 @@ +{pkgs, ...}: + +let + # Import package + redstringSource = builtins.fetchGit { + url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git"; + ref = "master"; + rev = "440301d737b3c565b3860741d11097a7a5fcbfd1"; + }; + redstring = pkgs.callPackage redstringSource {}; + + # Define the data directory + redstringDir = "/var/lib/redstring/"; + redstringData = "${redstringDir}docs/"; + + # Define the service user + redstringUser = { + name = "redstring"; + description = "redstring service user"; + isSystemUser = true; + }; + + # Create the config file in the nix store + redstringConfigAttrs = { + "root" = redstringData; + "password_file" = "${redstringDir}login"; + }; + redstringConfig = pkgs.writeTextFile { name = "redstring-config.json"; text = (builtins.toJSON redstringConfigAttrs); }; + + # Create a setup script to ensure the data directory exists + redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" '' + # Ensure the service directory + ${pkgs.coreutils}/bin/mkdir -p ${redstringData} + + # Ensure ownership + chown -R ${redstringUser.name} ${redstringDir} + chmod 700 ${redstringDir} + ''; + + # Create a run script for the server + redstringRun = pkgs.writeShellScriptBin "redstring-run.sh" '' + cd ${redstringDir} + ${redstring}/bin/gunicorn \ + --bind=localhost:24144 \ + --workers=4 \ + --log-level info \ + --env REDSTRING_CONFIG=${redstringConfig} \ + "redstring.server:wsgi()" + ''; +in +{ + users.users.redstring = redstringUser; + + # Run the setup script on activation + system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh"; + + # Set up the inquisitor service + systemd.services.redstring = + { + description = "redstring server"; + script = "${redstringRun}/bin/redstring-run.sh"; + serviceConfig = { + User = "${redstringUser.name}"; + Type = "simple"; + }; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + enable = true; + }; + + # Configure nginx to forward to the server at the docs 
subdomain + services.nginx.virtualHosts."docs.alogoulogoi.com" = { + enableACME = true; + forceSSL = true; + extraConfig = '' + access_log /var/log/nginx/access.docs.log; + ''; + locations."/".extraConfig = '' + proxy_buffering off; + proxy_pass http://localhost:24144/; + ''; + }; +} From 40a9aa5f53de3457419e432be43e0dc268b10acd Mon Sep 17 00:00:00 2001 From: Jaculabilis Date: Fri, 19 Feb 2021 07:44:32 +0000 Subject: [PATCH 04/19] Avoid strange CSRF issues by running two redstring servers --- redstring.nix | 77 +++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 56 insertions(+), 21 deletions(-) diff --git a/redstring.nix b/redstring.nix index 190164e..b52bacb 100644 --- a/redstring.nix +++ b/redstring.nix @@ -1,11 +1,12 @@ -{pkgs, ...}: +# redstring server module +{ pkgs, ... }: let # Import package redstringSource = builtins.fetchGit { url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git"; ref = "master"; - rev = "440301d737b3c565b3860741d11097a7a5fcbfd1"; + rev = "e5ea4f871c57c58f4986800122602ebb31347c9e"; }; redstring = pkgs.callPackage redstringSource {}; 
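Review bot: `redstringSetup` runs as root on every activation and does `chown -R ${redstringUser.name}` over a tree the service user populates, while the `login` file named by `password_file` is never created and its mode is never set (`chmod 700` covers only the directory). systemd can own this state instead: `StateDirectory = "redstring"` with `StateDirectoryMode = "0700"` creates and chowns `/var/lib/redstring` for the unit's `User`, and the `mkdir -p` for `docs/` can move into the unit's `script`, which already runs as that user. The unit also has no sandboxing; `NoNewPrivileges`, `ProtectSystem = "strict"`, `ProtectHome` and `PrivateTmp` are safe for a gunicorn app that only needs its state directory, which stays writable under `ProtectSystem = "strict"`. Finally, `chown`/`chmod` are taken from `PATH` while `mkdir` is pinned to `${pkgs.coreutils}`; pin all three if the activation script is kept.
```nix
  systemd.services.redstring =
    {
      description = "redstring server";
      script = ''
        ${pkgs.coreutils}/bin/mkdir -p ${redstringData}
        ${redstringRun}/bin/redstring-run.sh
      '';
      serviceConfig = {
        User = "${redstringUser.name}";
        Type = "simple";
        # systemd creates /var/lib/redstring owned by User, mode 0700
        StateDirectory = "redstring";
        StateDirectoryMode = "0700";
        # Sandbox: read-only system, no home dirs, private /tmp, no privilege gain
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
      };
      # … unchanged: wantedBy, after, enable …
    };
  # system.activationScripts.redstringSetup is no longer needed
```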
@@ -20,12 +21,21 @@ let
 isSystemUser = true;
 };

- # Create the config file in the nix store
- redstringConfigAttrs = {
- "root" = redstringData;
- "password_file" = "${redstringDir}login";
+ # Create the public server config file in the nix store
+ publicConfigAttrs = {
+ root = redstringData;
+ edit = false;
+ };
+ publicConfig = pkgs.writeTextFile { name = "redstring-config-external.json"; text = (builtins.toJSON publicConfigAttrs); };
+
+ # Create the private server config file in the nix store
+ privateConfig = pkgs.writeTextFile {
+ name = "redstring-config-internal.json";
+ text = (builtins.toJSON {
+ root = redstringData;
+ edit = true;
+ });
 };
- redstringConfig = pkgs.writeTextFile { name = "redstring-config.json"; text = (builtins.toJSON redstringConfigAttrs); };

 # Create a setup script to ensure the data directory exists
 redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" ''
@@ -37,14 +47,25 @@ let
 chmod 700 ${redstringDir}
 '';

- # Create a run script for the server
- redstringRun = pkgs.writeShellScriptBin "redstring-run.sh" ''
+ # Create a run script for the public server
+ publicRun = pkgs.writeShellScriptBin "redstring-run-external.sh" ''
 cd ${redstringDir}
 ${redstring}/bin/gunicorn \
 --bind=localhost:24144 \
- --workers=4 \
- --log-level info \
- --env REDSTRING_CONFIG=${redstringConfig} \
+ --workers=3 \
+ --log-level debug \
+ --env REDSTRING_CONFIG=${publicConfig} \
 "redstring.server:wsgi()"
+ '';
+
+ # Create a run script for the private server
+ privateRun = pkgs.writeShellScriptBin "redstring-run-internal.sh" ''
+ cd ${redstringDir};
+ ${redstring}/bin/gunicorn \
+ --bind=10.7.3.1:24145 \
+ --workers=3 \
+ --log-level debug \
+ --env REDSTRING_CONFIG=${privateConfig} \
+ "redstring.server:wsgi()"
 '';
 in
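Review bot: Removing `"password_file"` while adding a second config with `edit = true` leaves the editable server with no authentication of its own: the run hunk below binds it to `10.7.3.1:24145`, so every host that can reach that address can modify the docs, and the CSRF motivation in the commit message does not cover that. If the new revision still honours it, keep `password_file = "${redstringDir}login";` in the private config (the previous revision had it); if not, put the private server behind an nginx vhost with `auth_basic` or the same `auth_request` pattern catacomb uses. The public run script also moves from `--log-level info` to `--log-level debug` on an internet-facing service, which is worth reverting once the CSRF issue is understood.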
@@ -54,11 +75,11 @@ in
 # Run the setup script on activation
 system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh";

- # Set up the inquisitor service
- systemd.services.redstring =
+ # Set up the public redstring service
+ systemd.services."redstring-public" =
 {
- description = "redstring server";
- script = "${redstringRun}/bin/redstring-run.sh";
+ description = "redstring public read-only server";
+ script = "${publicRun}/bin/redstring-run-external.sh";
 serviceConfig = {
 User = "${redstringUser.name}";
 Type = "simple";
@@ -68,16 +89,30 @@ in
 enable = true;
 };

- # Configure nginx to forward to the server at the docs subdomain
+ # Set up the private redstring service
+ systemd.services."redstring-private" =
+ {
+ description = "redstring private editable server";
+ script = "${privateRun}/bin/redstring-run-internal.sh";
+ serviceConfig = {
+ User = redstringUser.name;
+ Type = "simple";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ enable = true;
+ };
+
+ # Configure nginx to forward to the public server at the docs subdomain
 services.nginx.virtualHosts."docs.alogoulogoi.com" = {
 enableACME = true;
 forceSSL = true;
 extraConfig = ''
 access_log /var/log/nginx/access.docs.log;
 '';
- locations."/".extraConfig = ''
- proxy_buffering off;
- proxy_pass http://localhost:24144/;
- '';
+ locations."/".proxyPass = "http://localhost:24144";
 };
+
+ # Open the firewall to the private server's port
+ networking.firewall.allowedTCPPorts = [ 24145 ];
 }

From 8ceedf2b8d930876486a3ee7f214cee59ec6b044 Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Fri, 19 Feb 2021 07:52:22 +0000
Subject: [PATCH 05/19] Remove unneeded docstore config

---
 docstore.nix | 49 -------------------------------------------------
 1 file changed, 49 deletions(-)
 delete mode 100644 docstore.nix

diff --git a/docstore.nix b/docstore.nix
deleted file mode 100644
index 4abf86b..0000000
--- a/docstore.nix
+++ /dev/null
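Review bot: `networking.firewall.allowedTCPPorts = [ 24145 ];` opens the private server's port on every interface, including the public one; today gunicorn binds only `10.7.3.1`, but the rule outlives that bind and is wider than the comment "open the firewall to the private server's port" implies. Scope it to the VPN interface instead — `networking.firewall.interfaces."tinc.beatific".allowedTCPPorts = [ 24145 ];` — adjusting the name if `services.tinc.networks.beatific.interfaceName` was changed from the module default. `redstring-private` also orders itself only `after = [ "network.target" ]`, so at boot its bind to `10.7.3.1` can race the tinc interface coming up, and with no `Restart` policy the unit then stays failed.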
@@ -1,49 +0,0 @@ -# Configuration for the DocStore service - -{ config, pkgs, ... }: - -# Set up python -with pkgs; -let docstore-requires = python-packages: with python-packages; [ - flask flask_login flask_wtf gunicorn -]; -python3-with-docstore-requires = python3.withPackages docstore-requires; -in -{ - # Create a user for the server process to run under - users.users.docstore = { - description = "DocStore system user"; - isSystemUser = true; - home = "/home/docstore"; - createHome = true; - packages = [ python3-with-docstore-requires ]; - }; - - # Create the server process systemd unit - systemd.services.docstore = { - enable = true; - description = "DocStore server"; - serviceConfig = { - Type = "simple"; - ExecStart = "${python3-with-docstore-requires}/bin/python -m docstore.server /srv/docstore --port 8001"; - Restart = "on-failure"; - User = "docstore"; - WorkingDirectory = "/home/docstore/DocStore"; - }; - wantedBy = [ "multi-user.target" ]; - }; - - # Configure nginx to forward to the server at the docs subdomain - services.nginx.virtualHosts."docs.alogoulogoi.com" = { - enableACME = true; - forceSSL = true; - extraConfig = '' - access_log /var/log/nginx/access.docs.log; - ''; - locations."/".extraConfig = '' - proxy_buffering off; - proxy_pass http://localhost:8001/; - ''; - }; -} - From 62cf31d9ce8e709ca16c8696e3fe0541bc1de6be Mon Sep 17 00:00:00 2001 From: Jaculabilis Date: Thu, 25 Feb 2021 06:19:04 +0000 Subject: [PATCH 06/19] Update redstring version --- redstring.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/redstring.nix b/redstring.nix index b52bacb..ec5ec04 100644 --- a/redstring.nix +++ b/redstring.nix @@ -6,7 +6,7 @@ let redstringSource = builtins.fetchGit { url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git"; ref = "master"; - rev = "e5ea4f871c57c58f4986800122602ebb31347c9e"; + rev = "c49d21f6938322da2cd89b9f39bb285161d35272"; }; redstring = pkgs.callPackage redstringSource {}; 
From 37ea881b0129049edbebf984a82660798c40deee Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Sun, 2 Jan 2022 20:57:15 +0000
Subject: [PATCH 07/19] Fix some pathing issues for amanuensis

This should deprecate the need for using the python venv, as long as you su to the user as a login shell
---
 amanuensis.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/amanuensis.nix b/amanuensis.nix
index 7186835..c94236f 100644
--- a/amanuensis.nix
+++ b/amanuensis.nix
@@ -19,8 +19,9 @@ in

 # Create the server process systemd unit
 systemd.services.amanuensis = {
- enable = false;
+ enable = true;
 description = "Amanuensis Lexicon server";
+ path = [ python3-with-amanuensis-requires ];
 serviceConfig = {
 Type = "simple";
 ExecStart = "/home/amanuensis/Amanuensis/run.sh";

From 4e73e04688e9d659d8896ffc18aad981dd327ed6 Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Sun, 2 Jan 2022 20:57:46 +0000
Subject: [PATCH 08/19] Add nginx config for the catacomb auth server

---
 catacomb.nix | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/catacomb.nix b/catacomb.nix
index 8fdb43a..407788e 100644
--- a/catacomb.nix
+++ b/catacomb.nix
@@ -10,10 +10,24 @@
 extraConfig = ''
 access_log /var/log/nginx/access.catacomb.log;
 '';
- locations."/".extraConfig = ''
- proxy_buffering off;
- proxy_pass http://10.7.3.16:7473/;
- '';
+ locations = {
+ # Forwards to the index server
+ "/browse/".proxyPass = "http://10.7.3.16:7472/browse/";
+ # Forwards to nginx via catacomb auth server
+ "/".extraConfig = ''
+ auth_request /auth;
+ proxy_buffering off;
+ proxy_pass http://10.7.3.16:7470/;
+ '';
+ "= /auth".extraConfig = ''
+ internal;
+ proxy_buffering off;
+ proxy_pass_request_body off;
+ proxy_pass http://10.7.3.16:7471/;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Original-URI $request_uri;
+ '';
+ };
 };
 }

From 14d28357f6dae9002248df94bf6e177554147eac Mon Sep 17 00:00:00 2001
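Review bot: Only the `"/"` location carries `auth_request /auth;`, so `/browse/` goes straight to `10.7.3.16:7472` unauthenticated while everything else on the host is gated. If the index is not meant to be public, `"/browse/"` needs an `extraConfig` block with `auth_request /auth;` before its `proxy_pass` rather than the bare `proxyPass`; if it is meant to be public, say so where it is defined: `# Forwards to the index server (intentionally unauthenticated)`. Because `proxy_pass http://10.7.3.16:7471/;` has a URI part, the auth subrequest reaches `:7471` as `/`, so `X-Original-URI` is the only thing carrying the real path and the auth server must be reading that header — worth a comment on the `"= /auth"` block.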
From: Jaculabilis
Date: Sun, 2 Jan 2022 20:58:05 +0000
Subject: [PATCH 09/19] Allow catacomb to ssh into gitea for dump backups

---
 gitea.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gitea.nix b/gitea.nix
index b14b67b..6eaf7ff 100644
--- a/gitea.nix
+++ b/gitea.nix
@@ -48,6 +48,10 @@
 };
 };

+ users.users.gitea.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 tvb@catacomb"
+ ];
+
 # Configure nginx to forward to the server at the git subdomain
 services.nginx.virtualHosts."git.alogoulogoi.com" = {
 enableACME = true;

From dc4377732f47de54582d202e8dbcb5251b7d6a86 Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Sun, 2 Jan 2022 21:42:04 +0000
Subject: [PATCH 10/19] Remove options deprecated in 21.05

---
 configuration.nix | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 4fd1fd0..9eee6e8 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -22,7 +22,6 @@
 extraConfig = "serial --unit=0 --speed=115200 ; terminal_input serial console ; terminal_output serial console";
 };
 boot.kernelParams = ["console=ttyS0"];
- console.extraTTYs = ["ttyS0"];

 networking.hostName = "empyrean";

@@ -114,8 +113,6 @@
 ];
 };

- security.hideProcessInformation = true;
-
 users.users.tvb = {
 isNormalUser = true;
 extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.

From 00dbabb5ce83a298aa6e990ab5d08aa2591b1ab7 Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Sat, 8 Jan 2022 00:06:07 +0000
Subject: [PATCH 11/19] Update to 21.11

---
 amanuensis.nix | 2 ++
 configuration.nix | 4 ++++
 redstring.nix | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/amanuensis.nix b/amanuensis.nix
index c94236f..1b44eeb 100644
--- a/amanuensis.nix
+++ b/amanuensis.nix
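Review bot: The key added to `users.users.gitea.openssh.authorizedKeys.keys` is unrestricted, so whoever holds the `tvb@catacomb` private key gets a full shell as the `gitea` service account — the owner of every repository and the database — which is far more than Gitea's own per-user keys grant, since those are pinned to `gitea serv`. The stated purpose is pulling dump backups, so restrict it to that: `"restrict,from=\"10.7.3.16\",command=\"<forced scp/rsync of the dump directory>\" ssh-rsa … tvb@catacomb"`, with `10.7.3.16` being the catacomb address already used in catacomb.nix. A dedicated read-only backup account that can read only the dump directory would be safer still than the service user itself.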
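Review bot: Dropping `security.hideProcessInformation = true;` is a hardening regression rather than a plain deprecation cleanup: the option is gone upstream, but nothing here re-establishes the hidepid behaviour, so every local account — including the service users this configuration creates — can once again list all processes and their command lines. If that matters, re-add the protection in whatever form the current release supports; otherwise record the decision in place so it is not mistaken for an oversight, e.g. `# hidepid hardening from security.hideProcessInformation dropped with 21.05 (option removed upstream); no replacement configured`.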
@@ -13,9 +13,11 @@ in # Create a user for the server process to run under users.users.amanuensis = { isNormalUser = true; + group = "amanuensis"; description = "Amanuensis server user"; packages = [ python3-with-amanuensis-requires ]; }; + users.groups.amanuensis = {}; # Create the server process systemd unit systemd.services.amanuensis = { diff --git a/configuration.nix b/configuration.nix index 9eee6e8..67a2d37 100644 --- a/configuration.nix +++ b/configuration.nix @@ -23,6 +23,8 @@ }; boot.kernelParams = ["console=ttyS0"]; + nix.package = pkgs.nixFlakes; + networking.hostName = "empyrean"; # The global useDHCP flag is deprecated, therefore explicitly set to false here. @@ -115,8 +117,10 @@ users.users.tvb = { isNormalUser = true; + group = "tvb"; extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. }; + users.groups.tvb = {}; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/redstring.nix b/redstring.nix index ec5ec04..15ae0a0 100644 --- a/redstring.nix +++ b/redstring.nix @@ -18,6 +18,7 @@ let redstringUser = { name = "redstring"; description = "redstring service user"; + group = "redstring"; isSystemUser = true; }; @@ -71,6 +72,7 @@ let in { users.users.redstring = redstringUser; + users.groups.redstring = {}; # Run the setup script on activation system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh"; From 81da7ac07208f2b1ea0eb0c894a17575d26f2c80 Mon Sep 17 00:00:00 2001 From: Jaculabilis Date: Sat, 8 Jan 2022 00:11:13 +0000 Subject: [PATCH 12/19] Disable redstring temporarily The nix build of mypy ^0.800 seems to have a memory leak and causes an OOM error --- configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index 67a2d37..29ec0d9 100644 --- a/configuration.nix +++ b/configuration.nix 
@@ -9,7 +9,7 @@
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./amanuensis.nix
- ./redstring.nix
+ #./redstring.nix
 ./catacomb.nix
 ./gitea.nix
 ];

From 60988d86d97bb64546d41cd98fa700e2eeb5b3cf Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Sat, 8 Jan 2022 00:14:50 +0000
Subject: [PATCH 13/19] Set vim as default editor

---
 configuration.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configuration.nix b/configuration.nix
index 29ec0d9..7207475 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -53,6 +53,7 @@
 vim htop git tinc_pre python3
 gitea
 ];
+ environment.variables.EDITOR = "vim";

 services.nginx = {
 enable = true;

From de0ec2365a13b527c7f099d555f71e78af09d9e2 Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Mon, 24 Jan 2022 03:58:27 +0000
Subject: [PATCH 14/19] Re-enable redstring with updated, working mypy version

---
 configuration.nix | 2 +-
 redstring.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 7207475..afd0e9e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -9,7 +9,7 @@
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./amanuensis.nix
- #./redstring.nix
+ ./redstring.nix
 ./catacomb.nix
 ./gitea.nix
 ];
diff --git a/redstring.nix b/redstring.nix
index 15ae0a0..5af765d 100644
--- a/redstring.nix
+++ b/redstring.nix
@@ -6,7 +6,7 @@ let
 redstringSource = builtins.fetchGit {
 url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git";
 ref = "master";
- rev = "c49d21f6938322da2cd89b9f39bb285161d35272";
+ rev = "91dd353ad1d48118452a949b15e100b3035bf297";
 };
 redstring = pkgs.callPackage redstringSource {};

From 0c19b401c566d0e605c3b4ecd3bc8f1c4d00398b Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Thu, 10 Feb 2022 15:06:16 +0000
Subject: [PATCH 15/19] Add Nebula config

---
 configuration.nix | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/configuration.nix b/configuration.nix
index afd0e9e..232b1ce 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -102,6 +102,31 @@
 chroot = false;
 };

+ services.nebula.networks.beatific = {
+ enable = true;
+
+ # Network certificate and host credentials
+ ca = "/etc/nebula/beatific/ca.crt";
+ cert = "/etc/nebula/beatific/empyrean.crt";
+ key = "/etc/nebula/beatific/empyrean.key";
+
+ # This host has a well-known IP at prgmr, so it can function as a lighthouse/entry node
+ isLighthouse = true;
+
+ # Listen to connection requests from the public Internet
+ listen.port = 4242;
+ listen.host = "vpn.alogoulogoi.com";
+
+ # Don't filter anything at the VPN level.
+ firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+ firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+
+ settings = {
+ # Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
+ punchy = { punch = true; response = true; };
+ };
+ };
+
 networking.firewall = {
 enable = true;
 allowPing = true;

From 696f58ae17ca395c184d8d4ba01e4fe4103df48a Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Sat, 26 Nov 2022 02:49:40 +0000
Subject: [PATCH 16/19] Nebula changes

---
 configuration.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 232b1ce..3d259ac 100644
--- a/configuration.nix
+++ b/configuration.nix
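Review bot: `firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ]` switches the overlay firewall off, so every certificate holder in `beatific` can reach every port this host exposes on its overlay address, and the host firewall that follows this hunk filters by port only, not by interface. Since this is the lighthouse every node talks to, limit inbound to what peers actually need — ICMP plus the specific service ports, or rules with `groups = [ "…" ]` matched against the groups you put in the issued certificates — and keep outbound open. Two smaller points: nebula's `listen.host` is a bind address as far as I know, so `"vpn.alogoulogoi.com"` should be checked to resolve correctly at service start (or use `"0.0.0.0"`); and `key = "/etc/nebula/beatific/empyrean.key"` lives outside the store, so a comment stating the owner and mode it must have for the user the nebula unit runs as would save the next debugging session. The enclosing attribute set of configuration.nix continues outside the hunk.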
@@ -106,18 +106,18 @@
 enable = true;

 # Network certificate and host credentials
- ca = "/etc/nebula/beatific/ca.crt";
+ ca = "/etc/nebula/beatific/beatific.crt";
 cert = "/etc/nebula/beatific/empyrean.crt";
 key = "/etc/nebula/beatific/empyrean.key";

- # This host has a well-known IP at prgmr, so it can function as a lighthouse/entry node
+ # This host has a well-known IP at its VPS host, so it can function as a lighthouse/entry node
 isLighthouse = true;

 # Listen to connection requests from the public Internet
 listen.port = 4242;
 listen.host = "vpn.alogoulogoi.com";

- # Don't filter anything at the VPN level
+ # Don't filter anything at the VPN level
 firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
 firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];

From ee7be1456b055eefd7218df027aebead2b8db525 Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Sun, 27 Nov 2022 01:38:18 +0000
Subject: [PATCH 17/19] Add inquisitor configs

---
 configuration.nix | 1 +
 inquisitor.nix | 138 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 139 insertions(+)
 create mode 100644 inquisitor.nix

diff --git a/configuration.nix b/configuration.nix
index 3d259ac..fd171c5 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -12,6 +12,7 @@
 ./redstring.nix
 ./catacomb.nix
 ./gitea.nix
+ ./inquisitor.nix
 ];

 # Use the GRUB 2 boot loader.
diff --git a/inquisitor.nix b/inquisitor.nix
new file mode 100644
index 0000000..a266c4f
--- /dev/null
+++ b/inquisitor.nix
@@ -0,0 +1,138 @@ +{pkgs, ...}: + +let + # Import the inquisitor package and build it + inquisitorSource = pkgs.fetchFromGitHub { + owner = "Jaculabilis"; + repo = "Inquisitor"; + rev = "a6d961aba948d3a682dbde12dbaa8805eadbbd84"; + sha256 = "10n6c5zvi27f92b7am0rrdizxz0mlp3rw1y1jyd44b57ykk7x6fr"; + }; + inquisitor = pkgs.callPackage inquisitorSource {}; + + # Define the inquisitor data directory + inquisiDir = "/var/lib/inquisitor"; + + # Define an scp helper for executing in cron jobs + scp-helper = pkgs.writeShellScriptBin "scp-helper" '' + ${pkgs.openssh}/bin/scp -i ${inquisiDir}/inquisitor.key -oStrictHostKeyChecking=no "$@" + ''; + + # Define the inquisitor service user + inquisitorUser = { + name = "inquisitor"; + group = "inquisitor"; + description = "Inquisitor service user"; + isSystemUser = true; + shell = pkgs.bashInteractive; + packages = [ inquisitor pkgs.cron ]; + }; + + # Create the inquisitor config file in the nix store, pointing to /var/lib/ + inquisitorConfig = pkgs.writeTextFile { + name = "inquisitor.conf"; + text = '' + DataPath = ${inquisiDir}/data/ + SourcePath = ${inquisiDir}/sources/ + CachePath = ${inquisiDir}/cache/ + Verbose = false + LogFile = ${inquisiDir}/inquisitor.log + ''; + }; + + # Create a setup script to ensure the service directory state + inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" '' + # Ensure the service directory and the default source directory + ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/ + ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/ + ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/ + if [ ! 
-f ${inquisiDir}/data/inquisitor/state ]; then + ${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state + fi + + # Ensure the service owns the folders + chown -R ${inquisitorUser.name} ${inquisiDir} + + # Ensure the scp helper is present + if [ -f ${inquisiDir}/scp-helper ]; then + rm ${inquisiDir}/scp-helper + fi + ln -s -t ${inquisiDir} ${scp-helper}/bin/scp-helper + ''; + + # Create a run script for the server + inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" '' + cd ${inquisiDir} + ${inquisitor}/bin/gunicorn \ + --bind=localhost:24133 \ + --workers=4 \ + --timeout 120 \ + --log-level debug \ + "inquisitor.app:wsgi()" + ''; + + # Create a wrapper to execute the cli as the service user + inquisitorWrapper = pkgs.writeShellScriptBin "inq" '' + sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@" + ''; +in +{ + users.users.inquisitor = inquisitorUser; + users.groups.inquisitor = {}; + + # Link the config in /etc to avoid envvar shenanigans + environment.etc."inquisitor.conf".source = "${inquisitorConfig}"; + + # Give all users the inq wrapper + environment.systemPackages = [ inquisitorWrapper ]; + + # Allow the sudo in the cli wrapper without password + security.sudo.extraRules = [{ + commands = [{ + command = "${inquisitor}/bin/inquisitor"; + options = [ "NOPASSWD" ]; + }]; + runAs = "${inquisitorUser.name}"; + groups = [ "users" ]; + }]; + + # Run the setup script on activation + system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh"; + + # Set up the inquisitor service + systemd.services.inquisitor = + { + description = "Inquisitor server"; + script = "${inquisitorRun}/bin/inquisitor-run.sh"; + serviceConfig = { + User = "${inquisitorUser.name}"; + Type = "simple"; + }; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + enable = true; + }; + + # Set up nginx to reverse proxy from the beatific url to the inq server + services.nginx.enable = true; + 
services.nginx.virtualHosts.inquisitorHost = { + listen = [ { addr = "10.7.3.1"; port = 80; } ]; + locations."/".extraConfig = '' + access_log /var/log/nginx/access.inquisitor.log; + proxy_buffering off; + proxy_pass http://localhost:24133/; + ''; + }; + + # Allow nginx through the firewall + networking.firewall = { + allowedTCPPorts = [ + 80 # http + 443 # https + ]; + }; + + # Enable cron, but don't set up any system cron jobs + # Inquisitor updates will be managed manually + services.cron.enable = true; +} From 4a777e64e91aed51b31374966c67540bdd136cff Mon Sep 17 00:00:00 2001 From: Jaculabilis Date: Sun, 27 Nov 2022 01:39:09 +0000 Subject: [PATCH 18/19] Add ktvb.site vhost --- configuration.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/configuration.nix b/configuration.nix index fd171c5..d91f0de 100644 --- a/configuration.nix +++ b/configuration.nix @@ -61,6 +61,15 @@ recommendedProxySettings = true; virtualHosts = { # Static pages + "www.ktvb.site" = { + enableACME = true; + forceSSL = true; + root = "/srv/wedding/"; + extraConfig = '' + access_log /var/log/nginx/access.ktvb.log; + index index.html; + ''; + }; "www.alogoulogoi.com" = { enableACME = true; forceSSL = true; From 4d56cf1cda2552f8f95ddeb3676c61c443c1537e Mon Sep 17 00:00:00 2001 From: Jaculabilis Date: Sun, 27 Nov 2022 01:40:04 +0000 Subject: [PATCH 19/19] Enable flakes --- configuration.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index d91f0de..b2407ab 100644 --- a/configuration.nix +++ b/configuration.nix @@ -24,7 +24,15 @@ }; boot.kernelParams = ["console=ttyS0"]; - nix.package = pkgs.nixFlakes; + nix = { + package = pkgs.nixFlakes; + maxJobs = 2; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + swapDevices = [ { device = "/swap"; size = 1024; } ]; networking.hostName = "empyrean";
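Review bot: `scp-helper` passes `-oStrictHostKeyChecking=no`, which accepts any host key on first contact and keeps going when a known key changes, so the key in `${inquisiDir}/inquisitor.key` can be exercised against an impostor; use `-oStrictHostKeyChecking=yes -oUserKnownHostsFile=${inquisiDir}/known_hosts` and seed that file once. The sudo rule grants any account in group `users` passwordless `${inquisitor}/bin/inquisitor` with arbitrary arguments as `inquisitor` — the user that owns that SSH key and is given `shell = pkgs.bashInteractive`; scope `groups` to a dedicated group and drop the interactive shell, since `sudo --user` executes the command directly and does not need one. `inquisitorSetup` also runs `chown -R` as root at every activation over a tree the service user fills; `serviceConfig.StateDirectory = "inquisitor"` would let systemd own `/var/lib/inquisitor` without a root-run script. Finally, the `inquisitorHost` vhost on `10.7.3.1:80` fronts the app with no authentication at all, so a comment stating that the overlay network is the trust boundary would make that decision explicit.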