Compare commits
No commits in common. "5f9b5516b773f160d88e0ba5412ad0b0ab72b9b1" and "cf5e23eaa7b309e7f6706b7d49122f235682d1d2" have entirely different histories.
5f9b5516b7
...
cf5e23eaa7
44
flake.lock
44
flake.lock
|
@ -1,44 +0,0 @@
|
|||
{
|
||||
"nodes": {
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1669052418,
|
||||
"narHash": "sha256-M1I4BKXBQm2gey1tScemEh5TpHHE3gKptL7BpWUvL8s=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "20fc948445a6c22d4e8d5178e9a6bc6e1f5417c8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "20fc948445a6c22d4e8d5178e9a6bc6e1f5417c8",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-empyrean": {
|
||||
"locked": {
|
||||
"lastModified": 1646588256,
|
||||
"narHash": "sha256-ZHljmNlt19nSm0Mz8fx6QEhddKUkU4hhwFmfNmGn+EY=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2ebb6c1e5ae402ba35cca5eec58385e5f1adea04",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2ebb6c1e5ae402ba35cca5eec58385e5f1adea04",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-empyrean": "nixpkgs-empyrean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
17
flake.nix
17
flake.nix
|
@ -1,17 +0,0 @@
|
|||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs?rev=20fc948445a6c22d4e8d5178e9a6bc6e1f5417c8";
|
||||
nixpkgs-empyrean.url = "github:NixOS/nixpkgs?rev=2ebb6c1e5ae402ba35cca5eec58385e5f1adea04";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, nixpkgs-empyrean }: {
|
||||
nixosConfigurations.catacomb = nixpkgs.lib.nixosSystem {
|
||||
system = "aarch64-linux";
|
||||
modules = [ ./machine/catacomb ];
|
||||
};
|
||||
nixosConfigurations.empyrean = nixpkgs-empyrean.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [ ./machine/empyrean ];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDS8T7Vb2z6Xy2XBzy/HCmnRb9R/0gD71tt6m4/MyHCQBoG+zsUcPhTP2tfOeYd8xeAZKiPfunrtTOpICIxsaugeCf9xoOmEag4i965OcUyRpphPc0UtaK7ux5oqT6+rdSuuriGtKlycSn9mX5Uq4Lhwo3mlFOUJtJTrnifHua3pPnBtLwMEFftufhUn+n5UOx9NWL/ItqEPoLiVB5t8ltXhckqrjlnL9lchJN+6nlgXVScwN/EkDqFjVNQ7OjsMShlJPQDYFbJky1ejnn0wkPBJs7xmKgdxwGxlkLrtnhTx0TBIDbRV0YKdcRNm55mhK/3FWBp8IK0vKOpb6BH5CF9fPadwmHC4z9qIgWNI4cjVTjLvxJpBn8tZTzuFeXrPHYkXL1EQCY8uyojIYtMEzUIIsJ42fUEHJ52iFxa1RddvRlxl/zablPH+kfytbCNLJW1DcWMMcRy7VjUlI1U+X1P2pYOFyLxtq6bDNrkdcR3v+n3k2z2CPhKWUP3qoc+bZ8= inquisitor@conduit
|
|
@ -1 +0,0 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzx37PqIaJVWdQs5meVgI4Cg1GRGk6srrix0AUvQeaBS9MOVtJLi+HfnNkcW4GPk9qVlz1E7ciQ7YUw+ny7QbHxcbib2Tawwfk3cx9xiNcN6UI9EzF/rTbNB2Cex8A4sEr5UvoE0BjT5yPaXyrjn8vLksGWq4dlZBM3xeJqe3KP+OxPL0vik3SVGOr/6ZQ7H9cwX5+/p6rCWQuVtwZMcaE6QyXYg5J5FQUaIrFvKbOVklJIkQSbXGzIYQO/QlQC0xWGBapJtGQw/lsQ3YqnFSMkkw8qrKbde07rg8p1FSuqTu+a1ePK+/F4klNel174+39YSobY2/6biPP3Uj/Yhorf4Tw141tIT75e3ebtK5faatQmNOyXcA7LULXK7XemJkZy8PmbNNTeBIKyoI6XQdzk95gpb2C4LEJmV040YMgXhOIiKsHQVgss9FuC+oP5jXWU/JuNXBRHa1IpJjcJhIhg7jnh6ZNZHyK0EpeUs3Zp7usv7mz6CGwb04yvTsWOhZRc+6EoHaHyrNvFPfkPeGsZzxhIbprCyDMtKWsI9GCtztcRhQWBgornUVEs5CurLJBbClQTrZLVv2fn9UnXWPYZTLYL7aFwRIGyKr8ZOOMFxbLOGdeFlqc5TGCP416e8PZvhE+BuDmxiKtQJ/dsQFqVzvOZb2WQRsYRPYvvXbvUw== monitor@isidore
|
|
@ -1 +0,0 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1h/6CedtyFIjFTT7M5e0dEKJkhPbCQ1RLhtj/83H//AK6bzRbWfnKzSH0VXpsHjaU/Ipc1Jl2fQ23r8i/QyKHUKK7xPeGcY5J7oIHVggkEKW2n9R27Ml9BriKxx6ltButnwSOVYk7dyNhz93GYTTEF3ydh4X7HP2Cv7rh5fbca3s69GXRjOVGmIuuVbaJiaMmiWhBI4LYtqwpo1zGXMjfNlXcMFw7VA4EG2UpkJkcWeyN/AI3ZS/YybcTQNCAg+Xnk94CVys/b5wTuGWRplDrRlNR00MUWpr94+u/xk+sC4/6vT7je2W4GjA1jTq4XmewTEV4cxOu+l1jtHZBgvHho5X0fOogdN52MkjuaXzByZB/Br5xTkBRv0tDf5haX4HzuBC29yU9rt62SEQRzvZxObCCGDcIYR/1HTgjDZkRuwgO/1RoRh5SvwbptvPwpBMvx25S//ZJESLO++lqxjgRZSr/05YpZ5diffEIGd1J0Jz0NGv4XBPcMBnSMKFmdwOy+5jnBbW2OjPQaPslXHEKYTfOByzCA8LgppkxvmL08GIjxYfEljioHR5by+Z6SjG1VvifMFA6FN/+DN6ZH0LmeOMa5YM1Zl3bx5RaANpnSNvi6rmxkQa1oMaK0l482FvpVkg6o1h9si/AeNTEbiX9ozHdjekfuzBSk6Jfo6xw+Q== tvb@empyrean
|
|
@ -1 +0,0 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCKsKkD9S2gRlRgdf3JD06dRTGUQkDgBMWn+2kqVEPA/K1W/f083+odyXLVeg4IWV/fOwVKBgi9YNTavM8hkKRDGElkVq6Y8slApgu1k51QiKvAqqj4yJKE28pMCeHGGfTBdXbaRAaAfsD7Oh7dHOoadBIxUcq4RjN84+srhR2/p7xN+5rlp/uljU85uPA6JhW4tFEjsAQPUBnlI2EMf6SjKScuYsf5kiyE740NxPPpFSaKIU09dR/oR/nXORqOTzJbWC5tRlpeRFrKDrTeoAZnsl+vjqtVjJRIVjJoON50u3W9qfFKcPcfgtqUbpi1D8Xk8cibGo/0I8ruIwuZrD4Q9v1zGUGbXnAVwoJ5Yn8uVcHnFCbqndN+bDA5M0Fe7zLk6/ui9Z3LJdTWD2aT7mTSmW+5puHlNsAnqD1du1Yh7QbJSBNPdJCq/hceb4JKxUpFH8AXZ6km8j4GTYw0BhPYk2OFrFOG/KUOo1Ez8KRGIkisRTqJU2kFhQ5oSKmD+JbtDA5L6X8ibAUNh67eBJUXRvG/AWUeDDoVdYmEj6yCEi5MrcNJY+b41ywa8mTjjEJlsg+oUdD+1RA9c3px+98ulauhyFw2WfUVQc0ihCDqqqXYkwl0jK3e9Uwlgn4Lkwj9jTsWRwalAoJTXwIPbaAiwDH+UhfiPoLl5yHuoFXdw== tvb@palamas
|
|
@ -1 +0,0 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAbmOSvKJoW+akurv/tMD/jfaDuDg0S/FvIMAOS9WauBI9JyMaQh5NfV+fhOSbjqmvrdm+dGttthqi56MZ090Qps1340TGjY6mVap36pa+fZWSajnUjCW+Tk5T0CqbWJkeDvKwSxY73lhBG4QG+SUFkDvhR6XZXfVksJZ++3aaoSmw6E0LCVL4+CAjTf7lm6Zs9Tq62Skf/5tKhk9ASk+QwBTKpPj/0ZKtBDLJfzrwvT+6K2jFohWPKMXkgZiVFVhbIMatdyZo+Mi+To4YDicyf4KW8OuE0zYb06naWeCgEKH8nSB6xEnosdzrhNwkyJi1TEJHmsn1+PjJ/KWWBOTDFVgueWF0ql2ERAtY/hbe36lNBf0lLRzxIugbxMdix8Oqjy0E9wI3E9/X7j0JGHkDzbzX6xeaTwIRFEFtKqK4zcqOMbUWVujUEnOvIKS9dP4uP08gH9HaIE/0bTb+6RRLmnDA9T6dVXc+dCGMAeqxhZYwuO9XJNxXp4byPFRC29OdEShNp9Yqt9sgLMepAzzFiIXgzIcjg5AOnn2qv4SId2rslX0hkMN05a+Cxn2qAj1ign3BuYRzMnaHyA+R+oHN9314/hTYF7wlYws6Fu3P229arfE2d4UqvnMRmY8vWAjfJr40FyRCxS/6qdVPgJWVevkPx69MMJ+BKAomc/s7fw== tvb@stagirite
|
|
@ -1 +0,0 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDO+v/xHtA4E7DCMPmQtbCMJOh2DNKU5xyVjLW1nYE0lkIM+bNGGDVU7QSx3DpZHQSQPyXKk0GmCQsRs09NtUuTF6zrWogqbab9vrVFS2cxgSnsiw79gH10lrJGWfIHbRt+P4C/JzWFoy2+s2Jt2C5MTLyeb0E5/+1SL92eVZgmC0WroE3i/IUrhbI5plVJ74juCk7Jsy6tbKbskZqouBaNVZYPIx9s4EBTQLiVLyCOTeFMHu4SYjozfyCD7r0P0vcujKCJRbgN/H23v7uWmFp1DAYgxk3RYTIH0s19MIDRKf6UI47VdspdDUqW1FYoUEjO4q61iLgMFosIAfCPMvP6BJL8DA8AtifchUhUTgRD4J4JToS71zkyxhBkCNlc4EfjWvNO6nfZdKjTz/C+jlFSMYsgexF6Igzee+fvBcT8fRHOfJDK+fgXGj6/m/h1SH9BK2ZaP0rP8VCnWqT0xiIPeOVIKjFQQzYElvEkti8PZUckPOjqHrKEmyy6bBltiJFnRdxf5Vj/dMxNAjtDEaJD8ayuKts2RoRPYzyN5fmBWlIQzedznBFZiE5P67mWWYZWvmDGFOMrylcLXCiEXUnm9KwyV1MsL9WwI/7NZYcZopbxGjmDMfbmfaHhQJ1uX3T7aToPAUUthFdmn+tdYbiEwEL0MK/kVW+WJwZnWpuSmQ== tvb@vagrant
|
|
@ -1,214 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./fileserver.nix
|
||||
];
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
|
||||
grub.enable = false;
|
||||
# Enables the generation of /boot/extlinux/extlinux.conf
|
||||
generic-extlinux-compatible.enable = true;
|
||||
};
|
||||
supportedFilesystems = ["zfs"];
|
||||
zfs.enableUnstable = true;
|
||||
};
|
||||
|
||||
system.stateVersion = "22.11"; # Read the usual warning
|
||||
|
||||
swapDevices = [ { device = "/swap"; size = 1024; } ];
|
||||
|
||||
console.keyMap = "us";
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
environment.systemPackages = with pkgs;
|
||||
let
|
||||
py3-packages = python-packages: with python-packages; [
|
||||
flask
|
||||
];
|
||||
py3-with-packages = python3.withPackages py3-packages;
|
||||
in [
|
||||
wget vim curl git htop bash tmux psmisc man-pages pv lsof
|
||||
zip unzip
|
||||
py3-with-packages
|
||||
usbutils
|
||||
hdparm sdparm smartmontools gptfdisk gnufdisk
|
||||
dosfstools
|
||||
mkpasswd samba
|
||||
tinc_pre
|
||||
#file-rename
|
||||
rsync
|
||||
rclone gnupg
|
||||
];
|
||||
|
||||
networking = {
|
||||
hostName = "catacomb";
|
||||
hostId = "beeeeee5";
|
||||
firewall = {
|
||||
enable = true;
|
||||
allowPing = true;
|
||||
allowedTCPPorts = [ 22 139 445 ];
|
||||
allowedUDPPorts = [ 137 138 ];
|
||||
};
|
||||
};
|
||||
|
||||
services.cron = {
|
||||
enable = true;
|
||||
systemCronJobs =
|
||||
let
|
||||
reassertPerms = pkgs.writeShellScript "reassert-nas-permissions.sh" ''
|
||||
${pkgs.coreutils}/bin/chown -v -R tvb:nas /nas
|
||||
${pkgs.findutils}/bin/find /nas -type d -exec ${pkgs.coreutils}/bin/chmod -v 750 {} \;
|
||||
${pkgs.findutils}/bin/find /nas -type f -exec ${pkgs.coreutils}/bin/chmod -v 640 {} \;
|
||||
'';
|
||||
in [
|
||||
"0 20 * * 1 root ${reassertPerms}"
|
||||
"0 0 * * 1 tvb . /etc/profile; /home/tvb/gitea-backup"
|
||||
];
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = true;
|
||||
};
|
||||
|
||||
services.ntp = {
|
||||
enable = true;
|
||||
servers = ["time.nist.gov"];
|
||||
};
|
||||
|
||||
services.rsyncd.enable = true;
|
||||
|
||||
/*services.samba =
|
||||
let
|
||||
sambaShare = path: validUsers: {
|
||||
path = path;
|
||||
comment = "Samba share for ${path}";
|
||||
browseable = "yes";
|
||||
"read only" = "no";
|
||||
"guest okay" = "no";
|
||||
"create mask" = "0640";
|
||||
"force create mode" = "0640";
|
||||
"directory mask" = "0750";
|
||||
"force directory mode" = "0750";
|
||||
"valid users" = validUsers;
|
||||
"force group" = ''nas'';
|
||||
};
|
||||
sambaShareRO = path: validUsers: {
|
||||
path = path;
|
||||
comment = "Read-only Samba share for ${path}";
|
||||
browseable = "yes";
|
||||
"read only" = "yes";
|
||||
"guest okay" = "no";
|
||||
"valid users" = validUsers;
|
||||
"force group" = ''nas'';
|
||||
};
|
||||
in
|
||||
{
|
||||
enable = true;
|
||||
securityType = "user";
|
||||
extraConfig = ''
|
||||
workgroup = beatific
|
||||
server string = Catacomb Nix SMB
|
||||
netbios name = catacomb
|
||||
deadtime = 300
|
||||
|
||||
local master = yes
|
||||
domain master = yes
|
||||
preferred master = yes
|
||||
|
||||
guest account = nobody
|
||||
map to guest = bad user
|
||||
|
||||
case sensitive = yes
|
||||
veto files = /^.DS_Store$/^.Trash-1000$/
|
||||
|
||||
load printers = no
|
||||
printcap name = /dev/null
|
||||
printing = bsd
|
||||
|
||||
log file = /var/log/samba/client-%m.log
|
||||
log level = 2
|
||||
max log size = 64
|
||||
|
||||
hide dot files = no
|
||||
hosts allow = 10.7.3.
|
||||
map archive = no
|
||||
unix extensions = yes
|
||||
|
||||
ntlm auth = yes
|
||||
'';
|
||||
shares = {
|
||||
audioRO = sambaShareRO "/nas/audio" ''@nas'';
|
||||
docRO = sambaShareRO "/nas/doc/" ''@nas'';
|
||||
gameRO = sambaShareRO "/nas/game/" ''@nas'';
|
||||
imageRO = sambaShareRO "/nas/image" ''@nas'';
|
||||
videoRO = sambaShareRO "/nas/video" ''@nas'';
|
||||
#audio = sambaShare "/nas/audio" ''@nas'';
|
||||
#doc = sambaShare "/nas/doc/" ''@nas'';
|
||||
#game = sambaShare "/nas/game/" ''@nas'';
|
||||
#image = sambaShare "/nas/image" ''@nas'';
|
||||
#video = sambaShare "/nas/video" ''@nas'';
|
||||
};
|
||||
};*/
|
||||
|
||||
services.nebula.networks.beatific = {
|
||||
enable = true;
|
||||
|
||||
# Network certificate and host credentials
|
||||
ca = "/etc/nebula/beatific/beatific.crt";
|
||||
cert = "/etc/nebula/beatific/catacomb.crt";
|
||||
key = "/etc/nebula/beatific/catacomb.key";
|
||||
|
||||
listen.port = 4242;
|
||||
|
||||
# Connect to the lighthouse at empyrean
|
||||
# Note that this is a VPN address, not a public address
|
||||
lighthouses = [ "10.22.20.1" ];
|
||||
|
||||
# Map the lighthouse address to its public address
|
||||
staticHostMap = { "10.22.20.1" = [ "vpn.alogoulogoi.com:4242" ]; };
|
||||
|
||||
# Don't filter anything at the VPN level
|
||||
firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
|
||||
firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
|
||||
|
||||
settings = {
|
||||
# Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
|
||||
punchy = { punch = true; response = true; };
|
||||
};
|
||||
};
|
||||
|
||||
services.zfs = {
|
||||
autoScrub = {
|
||||
enable = true;
|
||||
pools = ["catapool"];
|
||||
interval = "monthly";
|
||||
};
|
||||
};
|
||||
|
||||
users.groups = {
|
||||
nas = { gid = 1600; };
|
||||
};
|
||||
|
||||
users.users.tvb = {
|
||||
isNormalUser = true;
|
||||
uid = 1001;
|
||||
password = "badpassword";
|
||||
extraGroups = ["wheel" "nas"];
|
||||
openssh.authorizedKeys.keyFiles = [
|
||||
../../keys/tvb.palamas.pub
|
||||
../../keys/tvb.stagirite.pub
|
||||
../../keys/tvb.vagrant.pub
|
||||
../../keys/monitor.isidore.pub
|
||||
../../keys/inquisitor.conduit.pub
|
||||
];
|
||||
};
|
||||
#./keys/tvb.empyrean.pub
|
||||
|
||||
nix.settings.cores = 4;
|
||||
nix.extraOptions = "experimental-features = nix-command flakes";
|
||||
}
|
|
@ -1,157 +0,0 @@
|
|||
# nas indexer server module
|
||||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
# Build the catacomb server package
|
||||
catacombServerSource = builtins.fetchGit {
|
||||
url = "https://git.alogoulogoi.com/Jaculabilis/catacomb-server.git";
|
||||
ref = "develop-nix";
|
||||
rev = "63574bb39cc777deb56a76548f08789d238fcfec";
|
||||
};
|
||||
catacombServer = pkgs.callPackage catacombServerSource {};
|
||||
|
||||
catacombUser = "tvb";
|
||||
|
||||
# Define the service directory, which pretty much only stores tokens
|
||||
catacombServerDir = "/var/lib/nas-indexer/";
|
||||
|
||||
# The address to bind to
|
||||
bindAddr = "10.22.20.2";
|
||||
|
||||
# Create a setup script to ensure the token directory exists
|
||||
catacombSetup = pkgs.writeShellScriptBin "catacomb-setup.sh" ''
|
||||
${pkgs.coreutils}/bin/mkdir -p ${catacombServerDir}tokens
|
||||
chown -R ${catacombUser} ${catacombServerDir}
|
||||
'';
|
||||
|
||||
# Host-mode server run script
|
||||
hostRun = pkgs.writeShellScriptBin "catacomb-run-host.sh" ''
|
||||
cd ${catacombServerDir}
|
||||
${catacombServer}/bin/gunicorn \
|
||||
--bind=localhost:5000 \
|
||||
--workers=3 \
|
||||
--log-level=debug \
|
||||
--env CATACOMB_ROOT=/nas \
|
||||
--env CATACOMB_TOKENS=${catacombServerDir}tokens \
|
||||
--env CATACOMB_MODE=host \
|
||||
--env CATACOMB_GUEST_HOST=catacomb.alogoulogoi.com \
|
||||
"catacomb.server:wsgi()"
|
||||
'';
|
||||
|
||||
# Guest-mode server run script
|
||||
guestRun = pkgs.writeShellScriptBin "catacomb-run-guest.sh" ''
|
||||
cd ${catacombServerDir}
|
||||
${catacombServer}/bin/gunicorn \
|
||||
--bind=localhost:5001 \
|
||||
--workers=3 \
|
||||
--log-level=debug \
|
||||
--env CATACOMB_ROOT=/nas \
|
||||
--env CATACOMB_TOKENS=${catacombServerDir}tokens \
|
||||
--env CATACOMB_MODE=guest \
|
||||
"catacomb.server:wsgi()"
|
||||
'';
|
||||
|
||||
# Guest-mode auth server for direct nginx file serving
|
||||
accessRun = pkgs.writeShellScriptBin "catacomb-run-access.sh" ''
|
||||
cd ${catacombServerDir}
|
||||
${catacombServer}/bin/gunicorn \
|
||||
--bind=localhost:5002 \
|
||||
--workers=3 \
|
||||
--log-level=debug \
|
||||
--env CATACOMB_TOKENS=${catacombServerDir}tokens \
|
||||
"catacomb.access.nginx:wsgi()"
|
||||
'';
|
||||
|
||||
in
|
||||
{
|
||||
# Run the setup script on activation
|
||||
system.activationScripts.catacombSetup = "${catacombSetup}/bin/catacomb-setup.sh";
|
||||
|
||||
# Set up the host mode service
|
||||
systemd.services."catacomb-host" = {
|
||||
enable = true;
|
||||
description = "catapool host-mode index server";
|
||||
script = "${hostRun}/bin/catacomb-run-host.sh";
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
WorkingDirectory = "${catacombServerDir}";
|
||||
};
|
||||
requires = [ "zfs.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
};
|
||||
|
||||
# Set up the guest mode service
|
||||
systemd.services."catacomb-guest" = {
|
||||
enable = true;
|
||||
description = "catapool guest-mode index server";
|
||||
script = "${guestRun}/bin/catacomb-run-guest.sh";
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = "${catacombUser}";
|
||||
WorkingDirectory = "${catacombServerDir}";
|
||||
};
|
||||
requires = [ "zfs.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
};
|
||||
|
||||
# Set up the access server service
|
||||
systemd.services."catacomb-access" = {
|
||||
enable = true;
|
||||
description = "catapool access token authenticator";
|
||||
script = "${accessRun}/bin/catacomb-run-access.sh";
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = "${catacombUser}";
|
||||
WorkingDirectory = "${catacombServerDir}";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 7470 7471 7472 ];
|
||||
|
||||
# Set up nginx to reverse proxy to these services
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
# Serve the host server over the internal ip at the default port
|
||||
virtualHosts."catacomb-host-server" = {
|
||||
listen = [ { addr = bindAddr; } ];
|
||||
root = "/nas";
|
||||
locations."/".tryFiles = "\$uri @indexer";
|
||||
locations."@indexer".proxyPass = "http://localhost:5000";
|
||||
};
|
||||
|
||||
# Serve the guest server over the internal ip at a custom port
|
||||
virtualHosts."catacomb-guest-server" = {
|
||||
listen = [ { addr = bindAddr; port = 7472; } ];
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.guest-server.log;
|
||||
'';
|
||||
locations."/".proxyPass = "http://localhost:5001";
|
||||
};
|
||||
|
||||
# Serve the auth server at a custom port internally
|
||||
virtualHosts."catacomb-auth" = {
|
||||
listen = [ { addr = bindAddr; port = 7471; } ];
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.guest-auth.log;
|
||||
'';
|
||||
locations."/".proxyPass = "http://localhost:5002";
|
||||
};
|
||||
|
||||
# Serve files at a custom port internally
|
||||
virtualHosts."catacomb-guest-files" = {
|
||||
listen = [ { addr = bindAddr; port = 7470; } ];
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.guest-files.log;
|
||||
'';
|
||||
locations."/".root = "/nas";
|
||||
};
|
||||
};
|
||||
|
||||
# Allow nginx to read catapool files
|
||||
users.users.nginx.extraGroups = ["nas"];
|
||||
}
|
|
@ -1,33 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
}
|
|
@ -1,50 +0,0 @@
|
|||
# Configuration for the Amanuensis service
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
# Set up python
|
||||
with pkgs;
|
||||
let amanuensis-requires = python-packages: with python-packages; [
|
||||
flask flask_login flask_wtf gunicorn
|
||||
];
|
||||
python3-with-amanuensis-requires = python3.withPackages amanuensis-requires;
|
||||
in
|
||||
{
|
||||
# Create a user for the server process to run under
|
||||
users.users.amanuensis = {
|
||||
isNormalUser = true;
|
||||
group = "amanuensis";
|
||||
description = "Amanuensis server user";
|
||||
packages = [ python3-with-amanuensis-requires ];
|
||||
};
|
||||
users.groups.amanuensis = {};
|
||||
|
||||
# Create the server process systemd unit
|
||||
systemd.services.amanuensis = {
|
||||
enable = true;
|
||||
description = "Amanuensis Lexicon server";
|
||||
path = [ python3-with-amanuensis-requires ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "/home/amanuensis/Amanuensis/run.sh";
|
||||
Restart = "on-failure";
|
||||
User = "amanuensis";
|
||||
WorkingDirectory = "/home/amanuensis";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
|
||||
# Configure nginx to forward to the server at the lexicon subdomain
|
||||
services.nginx.virtualHosts."lexicon.alogoulogoi.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.lexicon.log;
|
||||
'';
|
||||
locations."/".extraConfig = ''
|
||||
proxy_buffering off;
|
||||
proxy_pass http://localhost:8000/;
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
# Configuration for the catacomb forwarder
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
# Configure nginx to forward to the server on catacomb
|
||||
services.nginx.virtualHosts."catacomb.alogoulogoi.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.catacomb.log;
|
||||
'';
|
||||
locations = {
|
||||
# Forwards to the index server
|
||||
"/browse/".proxyPass = "http://10.7.3.16:7472/browse/";
|
||||
# Forwards to nginx via catacomb auth server
|
||||
"/".extraConfig = ''
|
||||
auth_request /auth;
|
||||
proxy_buffering off;
|
||||
proxy_pass http://10.7.3.16:7470/;
|
||||
'';
|
||||
"= /auth".extraConfig = ''
|
||||
internal;
|
||||
proxy_buffering off;
|
||||
proxy_pass_request_body off;
|
||||
proxy_pass http://10.7.3.16:7471/;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,178 +0,0 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./amanuensis.nix
|
||||
./redstring.nix
|
||||
./catacomb.nix
|
||||
./gitea.nix
|
||||
./inquisitor.nix
|
||||
];
|
||||
|
||||
# Use the GRUB 2 boot loader.
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
device = "/dev/xvda";
|
||||
extraConfig = "serial --unit=0 --speed=115200 ; terminal_input serial console ; terminal_output serial console";
|
||||
};
|
||||
boot.kernelParams = ["console=ttyS0"];
|
||||
|
||||
nix = {
|
||||
package = pkgs.nixFlakes;
|
||||
maxJobs = 2;
|
||||
extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'';
|
||||
};
|
||||
|
||||
swapDevices = [ { device = "/swap"; size = 1024; } ];
|
||||
|
||||
networking.hostName = "empyrean";
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.eth0.useDHCP = true;
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
console = {
|
||||
font = "Lat2-Terminus16";
|
||||
keyMap = "us";
|
||||
};
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "UTC";
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim htop git tinc_pre python3
|
||||
gitea
|
||||
];
|
||||
environment.variables.EDITOR = "vim";
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts = {
|
||||
# Static pages
|
||||
"www.ktvb.site" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "/srv/wedding/";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.ktvb.log;
|
||||
index index.html;
|
||||
'';
|
||||
};
|
||||
"www.alogoulogoi.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "/srv/www/";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.www.log;
|
||||
index index.html;
|
||||
'';
|
||||
};
|
||||
# Deny all other subdomains
|
||||
"alogoulogoi.com" = {
|
||||
default = true;
|
||||
locations."/".return = "444";
|
||||
};
|
||||
};
|
||||
};
|
||||
security.acme = {
|
||||
email = "tim.vanbaak+alogoulogoi@gmail.com";
|
||||
acceptTerms = true;
|
||||
};
|
||||
|
||||
services.gitolite = {
|
||||
enable = true;
|
||||
adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDkSvOcY0eFuYqewc73MNHGP/Owzfnt+BZDSOCwr4h+gJenOBmXol695sRKdIw8phgshb6LsNyWeEAr3YISwzjdOvWNKpSsdyH/79VFIffC+/RBhPFhIPHn1zpHIwgthXji8FMmnO6B1bhJvbJxD5bUqhdBLnUeMhNgUkDj4Qi42S8yK1VZkgWRuPOTGqlzkODEdzG6OST7ndL58jEQaK8R2KRC2cZfrjingmPL+ORyf1/lGwyF6MEAmbQuE6UdspMs8FWt2e8jQJS+ZQ8dl+NDFrC1QfPRFpBJWnQceBcfAVZTtDaJpRhc4ClZstBy/bVRjiKeQiNv5NasjKRvvIvot4+LXmBKrXJs81enExtMSHMPuqPRlyVZLMMCVmdLDP/HUYOASDzlUhV/v5Wp0jjY4Wy0IWC7nm7P8EKsp1ZofwU6rJ9XPLpQJt7UUURX71h1FMaqi+lylW6xkD3LqD8oT5Bdp+Vs0bUbPQVRw1Fenjc6G1URU94GOAggyNgsWms= root@empyrean";
|
||||
};
|
||||
|
||||
services.ntp = {
|
||||
enable = true;
|
||||
servers = ["time.nist.gov"];
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = false;
|
||||
permitRootLogin = "prohibit-password";
|
||||
};
|
||||
|
||||
services.tinc.networks.beatific = {
|
||||
listenAddress = "0.0.0.0";
|
||||
chroot = false;
|
||||
};
|
||||
|
||||
services.nebula.networks.beatific = {
|
||||
enable = true;
|
||||
|
||||
# Network certificate and host credentials
|
||||
ca = "/etc/nebula/beatific/beatific.crt";
|
||||
cert = "/etc/nebula/beatific/empyrean.crt";
|
||||
key = "/etc/nebula/beatific/empyrean.key";
|
||||
|
||||
# This host has a well-known IP at its VPS host, so it can function as a lighthouse/entry node
|
||||
isLighthouse = true;
|
||||
|
||||
# Listen to connection requests from the public Internet
|
||||
listen.port = 4242;
|
||||
listen.host = "vpn.alogoulogoi.com";
|
||||
|
||||
# Don't filter anything at the VPN level
|
||||
firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
|
||||
firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
|
||||
|
||||
settings = {
|
||||
# Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
|
||||
punchy = { punch = true; response = true; };
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowPing = true;
|
||||
allowedTCPPorts = [
|
||||
22 # ssh
|
||||
80 # http
|
||||
443 # https
|
||||
655 # tinc
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
655 # tinc
|
||||
];
|
||||
};
|
||||
|
||||
users.users.tvb = {
|
||||
isNormalUser = true;
|
||||
group = "tvb";
|
||||
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||
};
|
||||
users.groups.tvb = {};
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "20.03"; # Did you read the comment?
|
||||
|
||||
}
|
||||
|
|
@ -1,68 +0,0 @@
|
|||
# Configuration for Gitea instance
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
# Gitea configuration
|
||||
services.gitea = {
|
||||
# Enable Gitea and configure for reverse proxy
|
||||
enable = true;
|
||||
httpAddress = "127.0.0.1";
|
||||
httpPort = 3300;
|
||||
domain = "git.alogoulogoi.com";
|
||||
rootUrl = "https://git.alogoulogoi.com/";
|
||||
|
||||
# Private server
|
||||
disableRegistration = true;
|
||||
#useWizard = true; # Needed for first-time building
|
||||
|
||||
# Settings
|
||||
appName = "Horse Codes";
|
||||
lfs.enable = true;
|
||||
dump = {
|
||||
enable = true;
|
||||
interval = "weekly";
|
||||
};
|
||||
log.level = "Info";
|
||||
settings = {
|
||||
"repository" = {
|
||||
DEFAULT_PRIVATE = true;
|
||||
};
|
||||
"ui" = {
|
||||
DEFAULT_THEME = "arc-green";
|
||||
SHOW_USER_EMAIL = false;
|
||||
};
|
||||
"ui.meta" = {
|
||||
AUTHOR = "Horse Codes";
|
||||
DESCRIPTION = "Alogoulogoi Gitea instance";
|
||||
KEYWORDS = "";
|
||||
};
|
||||
"security" = {
|
||||
INSTALL_LOCK = true;
|
||||
};
|
||||
"picture" = {
|
||||
DISABLE_GRAVATAR = true;
|
||||
};
|
||||
"cron.archive_cleanup".ENABLED = false;
|
||||
"cron.sync_external_users".ENABLED = false;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.gitea.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCYr3Y4waQA4Qb9Vv29APxqkAE6E8KSoTcK1L+NSKOEAb3IxlqitMMnDFfWENXuQlEkkxkqszGA3oe2uchN89UckBFIkm8oEBNE2ZQ0SnuVv+ETHRYMmGvhfOnsnEzpD/j6qSk/0/ea2eJpzfUazMVNTDP7aX6pI0F0n6lXFty0vVan/gN6lM41aNatlQPGxY2XDJQ/e2IJJeOubb2YwH/Vj7/t25yuKiQ5AmaX9fVheM4xA1xfNTs42UfoHzU7Pk3gT6D6L1DGHjsbO0FD4lKPe030XYcPVvpqSiEKGTAYvcWnPH/RDXuz6cEQpN3kMajEtvKUcu0FM/3NPJhvUuxEX0wJnvPPRuY30tcD2WuYemQjm5OCGewdIr1a7mMJ/5zEAzRq4AttEdw7PtTjoj8O+0S6pFrFnv6Dp5TOrg9jyRLICEv7SPb76OhPWWr2uf3TllfXJcQMdsEd3gnTxaUUgJRmD3hfAQO5fOR0MFuVw+bVgleeYctBCW5UjbWZqE1lzEU8xwVYKB05HnWI5tgeh/pkdjg9AfdWnuVU7EljJ8nFEevNTJEe3kjZ67l+wL/dLiyyQuMIq1oBpcOCq+ew0jWZMfPq3o5r13qsdPkUuqdwWOXhCQtqOHHYXVgFEvEGLWacdgHSIFlP7IdfW1M4k1yFPBUlJUU9Bo+VGSZxSw== tvb@catacomb"
|
||||
];
|
||||
|
||||
# Configure nginx to forward to the server at the git subdomain
|
||||
services.nginx.virtualHosts."git.alogoulogoi.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.git.log;
|
||||
'';
|
||||
locations."/".extraConfig = ''
|
||||
proxy_buffering off;
|
||||
proxy_pass http://localhost:3300/;
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [ ];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "sr_mod" "xen_blkfront" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/60aa6f09-f77f-472e-beb1-3441423a5d6d";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 1;
|
||||
}
|
|
@ -1,138 +0,0 @@
|
|||
{pkgs, ...}:
|
||||
|
||||
let
|
||||
# Import the inquisitor package and build it
|
||||
inquisitorSource = pkgs.fetchFromGitHub {
|
||||
owner = "Jaculabilis";
|
||||
repo = "Inquisitor";
|
||||
rev = "a6d961aba948d3a682dbde12dbaa8805eadbbd84";
|
||||
sha256 = "10n6c5zvi27f92b7am0rrdizxz0mlp3rw1y1jyd44b57ykk7x6fr";
|
||||
};
|
||||
inquisitor = pkgs.callPackage inquisitorSource {};
|
||||
|
||||
# Define the inquisitor data directory
|
||||
inquisiDir = "/var/lib/inquisitor";
|
||||
|
||||
# Define an scp helper for executing in cron jobs
|
||||
scp-helper = pkgs.writeShellScriptBin "scp-helper" ''
|
||||
${pkgs.openssh}/bin/scp -i ${inquisiDir}/inquisitor.key -oStrictHostKeyChecking=no "$@"
|
||||
'';
|
||||
|
||||
# Define the inquisitor service user
|
||||
inquisitorUser = {
|
||||
name = "inquisitor";
|
||||
group = "inquisitor";
|
||||
description = "Inquisitor service user";
|
||||
isSystemUser = true;
|
||||
shell = pkgs.bashInteractive;
|
||||
packages = [ inquisitor pkgs.cron ];
|
||||
};
|
||||
|
||||
# Create the inquisitor config file in the nix store, pointing to /var/lib/
|
||||
inquisitorConfig = pkgs.writeTextFile {
|
||||
name = "inquisitor.conf";
|
||||
text = ''
|
||||
DataPath = ${inquisiDir}/data/
|
||||
SourcePath = ${inquisiDir}/sources/
|
||||
CachePath = ${inquisiDir}/cache/
|
||||
Verbose = false
|
||||
LogFile = ${inquisiDir}/inquisitor.log
|
||||
'';
|
||||
};
|
||||
|
||||
# Create a setup script to ensure the service directory state
|
||||
inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" ''
|
||||
# Ensure the service directory and the default source directory
|
||||
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
|
||||
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
|
||||
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/
|
||||
if [ ! -f ${inquisiDir}/data/inquisitor/state ]; then
|
||||
${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
|
||||
fi
|
||||
|
||||
# Ensure the service owns the folders
|
||||
chown -R ${inquisitorUser.name} ${inquisiDir}
|
||||
|
||||
# Ensure the scp helper is present
|
||||
if [ -f ${inquisiDir}/scp-helper ]; then
|
||||
rm ${inquisiDir}/scp-helper
|
||||
fi
|
||||
ln -s -t ${inquisiDir} ${scp-helper}/bin/scp-helper
|
||||
'';
|
||||
|
||||
# Create a run script for the server
|
||||
inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" ''
|
||||
cd ${inquisiDir}
|
||||
${inquisitor}/bin/gunicorn \
|
||||
--bind=localhost:24133 \
|
||||
--workers=4 \
|
||||
--timeout 120 \
|
||||
--log-level debug \
|
||||
"inquisitor.app:wsgi()"
|
||||
'';
|
||||
|
||||
# Create a wrapper to execute the cli as the service user
|
||||
inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
|
||||
sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@"
|
||||
'';
|
||||
in
|
||||
{
|
||||
users.users.inquisitor = inquisitorUser;
|
||||
users.groups.inquisitor = {};
|
||||
|
||||
# Link the config in /etc to avoid envvar shenanigans
|
||||
environment.etc."inquisitor.conf".source = "${inquisitorConfig}";
|
||||
|
||||
# Give all users the inq wrapper
|
||||
environment.systemPackages = [ inquisitorWrapper ];
|
||||
|
||||
# Allow the sudo in the cli wrapper without password
|
||||
security.sudo.extraRules = [{
|
||||
commands = [{
|
||||
command = "${inquisitor}/bin/inquisitor";
|
||||
options = [ "NOPASSWD" ];
|
||||
}];
|
||||
runAs = "${inquisitorUser.name}";
|
||||
groups = [ "users" ];
|
||||
}];
|
||||
|
||||
# Run the setup script on activation
|
||||
system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh";
|
||||
|
||||
# Set up the inquisitor service
|
||||
systemd.services.inquisitor =
|
||||
{
|
||||
description = "Inquisitor server";
|
||||
script = "${inquisitorRun}/bin/inquisitor-run.sh";
|
||||
serviceConfig = {
|
||||
User = "${inquisitorUser.name}";
|
||||
Type = "simple";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
enable = true;
|
||||
};
|
||||
|
||||
# Set up nginx to reverse proxy from the beatific url to the inq server
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts.inquisitorHost = {
|
||||
listen = [ { addr = "10.7.3.1"; port = 80; } ];
|
||||
locations."/".extraConfig = ''
|
||||
access_log /var/log/nginx/access.inquisitor.log;
|
||||
proxy_buffering off;
|
||||
proxy_pass http://localhost:24133/;
|
||||
'';
|
||||
};
|
||||
|
||||
# Allow nginx through the firewall
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [
|
||||
80 # http
|
||||
443 # https
|
||||
];
|
||||
};
|
||||
|
||||
# Enable cron, but don't set up any system cron jobs
|
||||
# Inquisitor updates will be managed manually
|
||||
services.cron.enable = true;
|
||||
}
|
|
@ -1,120 +0,0 @@
|
|||
# redstring server module
|
||||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
# Import package
|
||||
redstringSource = builtins.fetchGit {
|
||||
url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git";
|
||||
ref = "master";
|
||||
rev = "91dd353ad1d48118452a949b15e100b3035bf297";
|
||||
};
|
||||
redstring = pkgs.callPackage redstringSource {};
|
||||
|
||||
# Define the data directory
|
||||
redstringDir = "/var/lib/redstring/";
|
||||
redstringData = "${redstringDir}docs/";
|
||||
|
||||
# Define the service user
|
||||
redstringUser = {
|
||||
name = "redstring";
|
||||
description = "redstring service user";
|
||||
group = "redstring";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
# Create the public server config file in the nix store
|
||||
publicConfigAttrs = {
|
||||
root = redstringData;
|
||||
edit = false;
|
||||
};
|
||||
publicConfig = pkgs.writeTextFile { name = "redstring-config-external.json"; text = (builtins.toJSON publicConfigAttrs); };
|
||||
|
||||
# Create the private server config file in the nix store
|
||||
privateConfig = pkgs.writeTextFile {
|
||||
name = "redstring-config-internal.json";
|
||||
text = (builtins.toJSON {
|
||||
root = redstringData;
|
||||
edit = true;
|
||||
});
|
||||
};
|
||||
|
||||
# Create a setup script to ensure the data directory exists
|
||||
redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" ''
|
||||
# Ensure the service directory
|
||||
${pkgs.coreutils}/bin/mkdir -p ${redstringData}
|
||||
|
||||
# Ensure ownership
|
||||
chown -R ${redstringUser.name} ${redstringDir}
|
||||
chmod 700 ${redstringDir}
|
||||
'';
|
||||
|
||||
# Create a run script for the public server
|
||||
publicRun = pkgs.writeShellScriptBin "redstring-run-external.sh" ''
|
||||
cd ${redstringDir}
|
||||
${redstring}/bin/gunicorn \
|
||||
--bind=localhost:24144 \
|
||||
--workers=3 \
|
||||
--log-level debug \
|
||||
--env REDSTRING_CONFIG=${publicConfig} \
|
||||
"redstring.server:wsgi()"
|
||||
'';
|
||||
|
||||
# Create a run script for the private server
|
||||
privateRun = pkgs.writeShellScriptBin "redstring-run-internal.sh" ''
|
||||
cd ${redstringDir};
|
||||
${redstring}/bin/gunicorn \
|
||||
--bind=10.7.3.1:24145 \
|
||||
--workers=3 \
|
||||
--log-level debug \
|
||||
--env REDSTRING_CONFIG=${privateConfig} \
|
||||
"redstring.server:wsgi()"
|
||||
'';
|
||||
in
|
||||
{
|
||||
users.users.redstring = redstringUser;
|
||||
users.groups.redstring = {};
|
||||
|
||||
# Run the setup script on activation
|
||||
system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh";
|
||||
|
||||
# Set up the public redstring service
|
||||
systemd.services."redstring-public" =
|
||||
{
|
||||
description = "redstring public read-only server";
|
||||
script = "${publicRun}/bin/redstring-run-external.sh";
|
||||
serviceConfig = {
|
||||
User = "${redstringUser.name}";
|
||||
Type = "simple";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
enable = true;
|
||||
};
|
||||
|
||||
# Set up the private redstring service
|
||||
systemd.services."redstring-private" =
|
||||
{
|
||||
description = "redstring private editable server";
|
||||
script = "${privateRun}/bin/redstring-run-internal.sh";
|
||||
serviceConfig = {
|
||||
User = redstringUser.name;
|
||||
Type = "simple";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
enable = true;
|
||||
};
|
||||
|
||||
# Configure nginx to forward to the public server at the docs subdomain
|
||||
services.nginx.virtualHosts."docs.alogoulogoi.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.docs.log;
|
||||
'';
|
||||
locations."/".proxyPass = "http://localhost:24144";
|
||||
};
|
||||
|
||||
# Open the firewall to the private server's port
|
||||
networking.firewall.allowedTCPPorts = [ 24145 ];
|
||||
}
|
Loading…
Reference in New Issue