legacy::containers: unclassify Tony Olagbaiye 1 year, 1 month ago
28 changed file(s) with 612 addition(s) and 19 deletion(s). Raw diff Collapse all Expand all
0 { config, pkgs, lib, ... }:
1
2 let
3 hostAddress = "10.9.0.1";
4 localAddress = "10.9.0.2";
5 in {
6 containers.anki =
7 {
8 autoStart = true;
9 enableTun = true;
10 privateNetwork = true;
11 inherit hostAddress localAddress;
12
13 config =
14 { config, stdenv, ... }:
15
16 {
17 nixpkgs.pkgs = pkgs;
18
19 environment.systemPackages = with pkgs; [
20 ankisyncd
21 ];
22
23 services.ankisyncd = {
24 enable = true;
25 host = localAddress;
26 openFirewall = false;
27 port = 27701;
28 };
29 };
30 };
31 }
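Review bot: This container leaves the NixOS firewall at its default (none of the `networking.firewall.enable = false;` the sibling containers use) while also setting `openFirewall = false;` for ankisyncd, so port 27701 on 10.9.0.2 is presumably filtered inside the container and unreachable from the host unless it is opened elsewhere. If that is intentional, a one-line comment saying so would help; otherwise the targeted fix is `openFirewall = true;`, which keeps the container firewall on and opens only the sync port. The inner module also declares `stdenv` as an argument it never uses; this is harmless because module arguments are resolved lazily, but `{ config, ... }:` is cleaner.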
0 { config, pkgs, ... }:
1
2 {
3 environment.systemPackages = with pkgs; [ step-cli ];
4
5 containers.authority = {
6 autoStart = true;
7 enableTun = true;
8 privateNetwork = true;
9 hostAddress = "10.4.0.1";
10 localAddress = "10.4.0.2";
11 config =
12 { config, ... }:
13 {
14 environment.systemPackages = with pkgs; [ step-cli step-ca ];
15
16 systemd.services.step-ca = {
17 description = "Step CA Daemon";
18 script = with pkgs; ''${systemd}/bin/systemd-ask-password --timeout=3600 --no-tty 'CA Password:' | ${step-ca}/bin/step-ca config/ca.json --password-file /dev/stdin'';
19 serviceConfig = {
20 WorkingDirectory = "/var/lib/step/";
21 Restart = "always";
22 };
23 wantedBy = [ "multi-user.target" ];
24 };
25
26 networking.firewall.enable = false;
27 };
28 bindMounts = {
29 "/var/lib/step" = {
30 hostPath = "/var/lib/step";
31 isReadOnly = false;
32 };
33 "/run/systemd/ask-password" = {
34 hostPath = "/run/systemd/ask-password";
35 isReadOnly = false;
36 };
37 "/run/systemd/ask-password-block" = {
38 hostPath = "/run/systemd/ask-password-block";
39 isReadOnly = false;
40 };
41 };
42 };
43 }
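Review bot: `networking.firewall.enable = false;` inside the CA container, together with `enableTun = true`, leaves the step-ca listener reachable from any peer that can route to 10.4.0.2, and this is the container that holds the CA's private material through the read-write `/var/lib/step` mount. Keeping the firewall on and opening only the CA port, e.g. `networking.firewall.allowedTCPPorts = [ <ca-port> ];` with the port taken from the `config/ca.json` the script passes (resolved relative to `WorkingDirectory`), limits that exposure. `Restart = "always"` combined with `systemd-ask-password --timeout=3600` means a prompt nobody answers presumably times out, fails the start and re-prompts every hour indefinitely; `Restart = "on-failure"` with a `RestartSec`, or a comment accepting the loop, would make the intent clear. A comment above the bind mounts explaining that `/run/systemd/ask-password*` is shared so the container can hand its prompt to the host's password agents would also help the next reader.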
0 { config, pkgs, ... }:
1
2 let
3 servers = [
4 "sso.${domains.home}"
5 "torrent.${domains.home}"
6 "search.${domains.home}"
7 "ca.${domains.home}"
8 domains.srvc
9 "u.${domains.srvc}"
10 "ublog.${domains.srvc}"
11 "microblog.${domains.srvc}"
12 "mastodon.${domains.srvc}"
13 "matrix.${domains.srvc}"
14 ];
15 in {
16 security.acme.certs = let
17 mkCert = host: {
18 name = host;
19 value = {
20 allowKeysForGroup = true;
21 #directory = "/var/lib/acme/${host}/";
22 #domain = host;
23 email = "ssl@${domains.home}";
24 extraDomains = { "www.${host}" = null; };
25 group = "keys";
26 #plugins = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ]
27 ## "cert.der", "cert.pem", "chain.pem", "external.sh", "key.der"
28 postRun = "systemctl restart traefik";
29 webroot = "/var/www/${host}/";
30 };
31 };
32 in builtins.listToAttrs (map mkCert servers);
33
34 systemd.services.haproxy.serviceConfig = lib.mkIf config.services.haproxy.enable {
35 SupplementaryGroups = "keys";
36 };
37
38 containers.certmon = {
39 autoStart = true;
40 enableTun = true;
41 privateNetwork = true;
42 hostAddress = "10.3.0.1";
43 localAddress = "10.3.0.2";
44 config =
45 { config, ... }:
46 {
47 services.nginx = {
48 enable = true;
49 group = "root";
50 virtualHosts = let
51 mkHost = host: {
52 name = host;
53 value = {
54 serverName = host;
55 serverAliases = [ "www.${host}" ];
56 root = "/var/www/${host}/";
57 };
58 };
59 in builtins.listToAttrs (map mkHost servers);
60 };
61
62 networking.firewall.enable = false;
63 };
64 bindMounts = {
65 "/var/www" = {
66 hostPath = "/var/www";
67 isReadOnly = true;
68 };
69 };
70 };
71 }
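Review bot: The module header `{ config, pkgs, ... }:` does not bind `lib` or `domains`, but the body uses `domains.home` in `servers` and `lib.mkIf` on the haproxy line, so evaluating this file would fail with an undefined-variable error; it is only hidden because the import stays commented out (`#../../containers/certmon.nix`) in this commit. Change the header to `{ config, pkgs, lib, domains, ... }:` as the sibling mastodon and vervis modules do. Separately, `services.nginx.group = "root";` appears to exist only so the workers can read the read-only `/var/www` bind mount; the default nginx group with a world- or group-readable webroot would be the less privileged choice, and a comment should record why root was needed if it stays.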
0 { config, pkgs, lib, ... }:
1
2 let
3 hostAddress = "10.8.0.1";
4 localAddress = "10.8.0.2";
5 in {
6 containers.hydroxide =
7 {
8 autoStart = true;
9 enableTun = true;
10 privateNetwork = true;
11 inherit hostAddress localAddress;
12
13 config =
14 { config, stdenv, ... }:
15
16 {
17 imports = [
18 ../modules/services/hydroxide
19 ../profiles/services/hydroxide
20 ];
21
22 nixpkgs.pkgs = pkgs;
23
24 environment.systemPackages = with pkgs; [
25 hydroxide
26 ];
27
28 services.hydroxide.host = localAddress;
29 };
30 };
31 }
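Review bot: The inner `imports` use paths relative to this file (`../modules/services/hydroxide`, `../profiles/services/hydroxide`), and the commit moves the file from legacy/containers/ to containers/, so these now resolve one directory higher than before; verify both targets exist at the new location, since a missing path only fails at evaluation time on the host that imports this container. The mastodon container in this commit has the same pattern with `../profiles/services/mastodon`. A short comment such as `# paths are relative to containers/, not legacy/containers/` next to the imports would make the dependency on the file's location explicit.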
0 { config, pkgs, lib, domains, fetchPullRequest, ... }:
1
2 let
3 cfg = config.services.mastodon;
4 securityLimits = config.environment.etc.limits;
5 hostAddress = "10.6.0.1";
6 localAddress = "10.6.0.2";
7 in {
8 services.postgresql.enable = true;
9 services.postgresql.ensureUsers = [
10 {
11 name = cfg.database.user;
12 ensurePermissions."DATABASE ${cfg.database.name}" = "ALL PRIVILEGES";
13 }
14 ];
15 services.postgresql.ensureDatabases = [ cfg.database.name ];
16
17 security.acme.acceptTerms = true;
18
19 containers.mastodon =
20 {
21 autoStart = true;
22 enableTun = true;
23 privateNetwork = true;
24 inherit hostAddress localAddress;
25
26 config =
27 { config, stdenv, ... }:
28
29 {
30 imports = [
31 ../profiles/services/mastodon
32 ];
33
34 nixpkgs.pkgs = pkgs;
35 nixpkgs.config.allowUnfree = true;
36
37 environment.etc.limits = securityLimits;
38 environment.systemPackages = with pkgs; [
39 postgresql redis postfix config.services.mastodon.package
40 ];
41
42 services.elasticsearch.enable = true;
43 services.mastodon.enable = true;
44 services.mastodon.automaticMigrations = false;
45 services.mastodon.extraConfig = {
46 EMAIL_DOMAIN_WHITELIST = lib.concatStringsSep "|" [
47 domains.home
48 #domains.wife
49 ];
50 ALTERNATE_DOMAINS = lib.concatStringsSep "," [
51 "mastodon.${domains.srvc}"
52 "microblog.${domains.srvc}"
53 "ublog.${domains.srvc}"
54 ];
55 WEB_DOMAIN = "u.${domains.srvc}";
56 };
57 services.mastodon.localDomain = domains.srvc;
58 services.mastodon.redis = {
59 createLocally = true;
60 };
61 services.mastodon.database = {
62 createLocally = false;
63 host = hostAddress;
64 };
65 services.mastodon.smtp = {
66 createLocally = true;
67 fromAddress = "mastodon@${domains.srvc}";
68 };
69 services.mastodon.configureNginx = true;
70 services.mastodon.package = with fetchPullRequest {
71 id = 78810;
72 sha256 = "0ksq5dwmlmz1vp40g1hq0bjxyczggi1k0rrkmcyaj8kk85qazx1f";
73 }; mastodon;
74 services.postfix.submissionOptions = {
75 mynetworks = "127.0.0.0/8 10.0.0.0/8";
76 };
77 services.nginx = {
78 enable = true;
79 enableReload = true;
80 virtualHosts."${cfg.localDomain}" = {
81 #enableACME = lib.mkForce false;
82 serverAliases = [
83 "u.${domains.srvc}"
84 domains.srvc
85 "localhost"
86 "127.0.0.1"
87 "10.6.0.2"
88 ];
89 listen = [
90 { addr = "0.0.0.0"; port = 80; }
91 { addr = "0.0.0.0"; port = 443; ssl = true; }
92 ];
93 };
94 };
95
96 networking.firewall.enable = false;
97 networking.nameservers = [ "62.210.16.6" "62.210.16.7" ];
98
99 security.acme.acceptTerms = true;
100 security.acme.email = "ssl@${domains.home}";
101 };
102 bindMounts = {
103 "/var/lib/mastodon" = {
104 hostPath = "/var/lib/mastodon";
105 isReadOnly = false;
106 };
107 "/var/lib/elasticsearch" = {
108 hostPath = "/var/lib/elasticsearch";
109 isReadOnly = false;
110 };
111 };
112 };
113 }
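Review bot: `services.postfix.submissionOptions.mynetworks = "127.0.0.0/8 10.0.0.0/8"` trusts the whole 10/8 range for the submission listener, which covers every other container network in this commit (10.1.0.x through 10.10.0.x) and any other 10.x host that can route to the container, so with the container firewall also disabled the relay is open to all of them. If only the container itself and the host need to submit, `mynetworks = "127.0.0.0/8 ${hostAddress}/32 ${localAddress}/32";` is the narrow setting; I cannot tell from this file whether the mastodon module enables the submission service at all, so confirm before changing it. The literal `"10.6.0.2"` in `serverAliases` duplicates `localAddress` and should reference it so the two cannot drift. `nixpkgs.config.allowUnfree = true;` and the hard-coded public `networking.nameservers` each deserve a one-line comment explaining why this container differs from the host.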
0 { config, pkgs, lib, domains, inputs, ... }:
1
2 let
3 hostAddress = "10.7.0.1";
4 localAddress = "10.7.0.2";
5 in {
6 containers.matrix =
7 {
8 autoStart = true;
9 enableTun = true;
10 privateNetwork = true;
11 inherit hostAddress localAddress;
12
13 config =
14 { ... }:
15
16 {
17 imports = [
18 inputs.construct.nixosModules.matrix-construct
19 ];
20
21 environment.memoryAllocator.provider = "jemalloc";
22
23 services.matrix-construct = {
24 enable = true;
25 useScreen = false;
26 server = "cs.${domains.srvc}";
27 package = pkgs.matrix-construct.overrideAttrs (_: {
28 doInstallCheck = true;
29 });
30 };
31
32 systemd.services.restart-construct = {
33 serviceConfig = {
34 Type = "oneshot";
35 ExecStart = "systemctl restart matrix-construct.service";
36 };
37 };
38 systemd.timers.restart-construct = {
39 timerConfig = {
40 OnStartupSec = "1d";
41 OnUnitActiveSec = "1d";
42 };
43 wantedBy = [ "timers.target" ];
44 };
45
46 networking.firewall.enable = false;
47
48 #users.users.construct.extraGroups = [
49 # "keys"
50 #];
51 };
52 bindMounts = {
53 "/var/lib/construct" = {
54 hostPath = "/var/lib/construct";
55 isReadOnly = false;
56 };
57 "/var/log/construct" = {
58 hostPath = "/var/log/construct";
59 isReadOnly = false;
60 };
61 "/var/lib/acme" = {
62 hostPath = "/var/lib/acme";
63 isReadOnly = true;
64 };
65 };
66 };
67 }
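Review bot: The container bind-mounts the entire `/var/lib/acme` read-only, which exposes the private keys of every certificate under that directory to this container rather than just the one matrix-construct serves; narrowing the mount to that certificate's directory, e.g. `"/var/lib/acme/<cert-name>"` with the name taken from the host's `security.acme.certs`, limits what a compromised container can read. The commented-out `users.users.construct.extraGroups = [ "keys" ]` suggests the service may not currently be able to read them anyway, so a comment recording the intended access path would help. Also, `ExecStart = "systemctl restart matrix-construct.service"` in restart-construct uses a bare command name; systemd resolves non-absolute ExecStart names against its compile-time search path rather than the unit's PATH, so `"${pkgs.systemd}/bin/systemctl restart matrix-construct.service"` is the portable form.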
0 { config, pkgs, ... }:
1
2 {
3 systemd.nspawn.sandbox = {
4 aliases = [ "sandbox" ];
5 execConfig = {
6 Boot = true;
7 };
8 filesConfig = {
9 BindReadOnly = [
10 "/home:/var/home/lower"
11 "/etc/sandbox/fstab:/etc/fstab"
12 "/etc/sandbox/hostname:/etc/hostname"
13 ];
14 Bind = [ "/srv" ];
15 };
16 networkConfig = {
17 VirtualEthernet = true;
18 };
19 wantedBy = [
20 "multi-user.target"
21 ];
22 requiredBy = [
23 "network-link-ve-sandbox.service"
24 ];
25 };
26 systemd.units."network-link-ve-sandbox.service".requiredBy = [
27 "systemd-nspawn@sandbox.service"
28 ];
29 networking.interfaces.ve-sandbox = {
30 useDHCP = true;
31 ipv4 = {
32 addresses = [
33 { address = "10.1.0.1"; prefixLength = 32; }
34 ];
35 routes = [
36 { address = "10.1.0.2"; prefixLength = 32; options = { src = "10.1.0.1"; }; }
37 ];
38 };
39 };
40 environment.etc.sandbox-fstab = {
41 target = "sandbox/fstab";
42 text = ''
43 # <file system> <dir> <type> <options> <dump> <pass>
44 tmpfs /var/home tmpfs rw,nosuid,noatime,size=512m 0 0
45 overlayfs /home overlay rw,lowerdir=/var/home/lower,upperdir=/var/home/upper,workdir=/var/home/work 0 0
46 /srv/sync/Sources /usr/local/src none rw,bind 0 0
47 '';
48 };
49 }
0 { config, pkgs, ... }:
1
2 {
3 containers.search =
4 {
5 autoStart = true;
6 enableTun = true;
7 privateNetwork = true;
8 hostAddress = "10.5.0.1";
9 localAddress = "10.5.0.2";
10 config =
11 { config, stdenv, ... }:
12
13 {
14 systemd.services.yacy =
15 with pkgs; {
16 description = "Yacy P2P Search Engine";
17 after = [ "network.target" ];
18 path = [
19 which
20 getopt
21 openjdk
22 ];
23 environment = {
24 YACY_DATA_PATH = "${pkgs.yacy}/yacy";
25 YACY_PARENT_DATA_PATH = "${pkgs.yacy}/yacy";
26 };
27 serviceConfig = {
28 WorkingDirectory = "${pkgs.yacy}/yacy";
29 TimeoutStopSec = "50";
30 RestartSec = "3";
31 };
32 script = "set -x; . ${pkgs.yacy}/yacy/env.sh; ${pkgs.openjdk}/bin/java $JAVA_ARGS -classpath $CLASSPATH net.yacy.yacy";
33 preStop = "set -x; . ${pkgs.yacy}/yacy/env.sh; ${pkgs.openjdk}/bin/java $JAVA_ARGS -cp $CLASSPATH net.yacy.yacy -shutdown";
34 wantedBy = [ "multi-user.target" ];
35 };
36
37 networking.firewall.enable = false;
38 };
39 bindMounts = {
40 "/var/lib/yacy" = {
41 hostPath = "/var/lib/yacy";
42 isReadOnly = false;
43 };
44 };
45 };
46 }
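Review bot: `/var/lib/yacy` is bind-mounted read-write but nothing in the yacy unit refers to it: `YACY_DATA_PATH`, `YACY_PARENT_DATA_PATH` and `WorkingDirectory` all point at `${pkgs.yacy}/yacy`, an immutable Nix store path, so the service presumably cannot persist its index or settings there. If the store copy is only meant to supply `env.sh` and the class path, the data variables should point at the mount instead, e.g. `YACY_DATA_PATH = "/var/lib/yacy";` — confirm against yacy's startup expectations. `set -x` in both `script` and `preStop` echoes the sourced environment, including `$JAVA_ARGS`, into the journal on every start and stop; drop it once the unit is stable, or leave a comment saying the tracing is deliberate.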
0 { config, pkgs, ... }:
1
2 {
3 containers.secure = {
4 autoStart = true;
5 enableTun = true;
6 privateNetwork = true;
7 hostAddress = "10.2.0.1";
8 localAddress = "10.2.0.2";
9 config =
10 { config, ... }:
11 {
12 };
13 };
14 }
0 { config, pkgs, lib, domains, ... }:
1
2 let
3 hostAddress = "10.10.0.1";
4 localAddress = "10.10.0.2";
5
6 databaseUser = "vervis";
7 databaseName = "vervis";
8 in {
9 services.postgresql.enable = true;
10 services.postgresql.ensureUsers = [
11 {
12 name = databaseUser;
13 ensurePermissions."DATABASE ${databaseName}" = "ALL PRIVILEGES";
14 }
15 ];
16 services.postgresql.ensureDatabases = [ databaseName ];
17
18 containers.vervis =
19 {
20 autoStart = true;
21 enableTun = true;
22 privateNetwork = true;
23 inherit hostAddress localAddress;
24
25 config =
26 { config, stdenv, ... }:
27
28 let
29 settingsJson = pkgs.runCommand "vervis-settings.json" {
30 inherit (pkgs.vervis) src;
31 buildInputs = with pkgs; [ yj ];
32 } ''
33 yj -y < $src/config/settings-default.yaml > $out
34 '';
35 in {
36 options = {
37 vervis.settings = lib.mkOption rec {
38 type = (pkgs.formats.yaml {}).type;
39 default = builtins.fromJSON example;
40 example = builtins.readFile settingsJson;
41 };
42 vervis.dataDir = lib.mkOption {
43 type = lib.types.path;
44 default = "/var/lib/vervis";
45 };
46 };
47
48 config = {
49 nixpkgs.pkgs = pkgs;
50
51 networking.firewall.enable = false;
52
53 environment.systemPackages = with pkgs; [
54 vervis yq yj jq
55 ];
56
57 environment.etc = let
58 toYaml = lib.generators.toYAML {};
59 settings = lib.foldl (json: update: lib.recursiveUpdate json update)
60 (builtins.fromJSON (builtins.readFile settingsJson)) [
61 config.vervis.settings
62 ];
63 in {
64 "vervis/settings.yml".text = toYaml settings;
65 "vervis/ssh-host-key".source = "/etc/ssh/ssh_host_rsa_key";
66 };
67
68 vervis.settings = {
69 registration = true;
70 max-accounts = 1;
71 federation = true;
72 };
73
74 systemd.services.vervis = {
75 environment = {
76 HOME = config.vervis.dataDir;
77
78 PORT = "3000";
79 INSTANCE_HOST = "dev.${domains.home}";
80 IP_FROM_HEADER = "true";
81
82 PGUSER = databaseUser;
83 #PGPASS = "";
84 PGHOST = hostAddress;
85 PGPORT = toString 5432;
86 PGDATABASE = "vervis";
87 };
88 serviceConfig = {
89 ExecStartPre = pkgs.writeShellScript "vervis-init" ''
90 mkdir -p ${config.vervis.dataDir}/static
91 if [ ! -x ${config.vervis.dataDir}/config ]; then
92 ln -sf /etc/vervis ${config.vervis.dataDir}/config
93 fi
94 mkdir -p ${config.vervis.dataDir}/repos
95 '';
96 ExecStart = "${pkgs.vervis}/bin/vervis";
97 WorkingDirectory = config.vervis.dataDir;
98 };
99 wantedBy = [ "default.target" ];
100 };
101 };
102 };
103 bindMounts = {
104 "/var/lib/vervis" = {
105 hostPath = "/var/lib/vervis";
106 isReadOnly = false;
107 };
108 "/etc/ssh" = {
109 hostPath = "/etc/ssh";
110 isReadOnly = true;
111 };
112 };
113 };
114
115 system.activationScripts.var-lib-vervis = ''
116 mkdir -p /var/lib/vervis
117 '';
118 }
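Review bot: `"vervis/ssh-host-key".source = "/etc/ssh/ssh_host_rsa_key";` together with the read-only `/etc/ssh` bind mount hands the host's own SSH host private key to the vervis service inside the container, so a compromise of the forge process yields a key that can impersonate the host's SSH server, and the host cannot rotate its key independently of vervis. A dedicated key generated under `${config.vervis.dataDir}` (the `vervis-init` ExecStartPre script already creates that tree) would decouple the two and let the `/etc/ssh` mount be dropped. The PG settings rely on password-less access from 10.10.0.2 to the host's postgres (`#PGPASS` is commented out), which is presumably covered by the host's pg_hba rules — a comment stating that would spare the next reader a search. `IP_FROM_HEADER = "true"` makes vervis trust forwarded-for headers, which is only safe while the port-3000 listener is reachable solely through the reverse proxy; with the container firewall disabled that assumption should be written down next to the line.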
152152 (pkgs: lib.const {
153153 inherit (inputs.stable.legacyPackages.${system}) firefox thunderbird; # slow
154154 inherit (inputs.stable.legacyPackages.${system}) nheko; # anticipating pr94942
155 graalvm8 = builtins.trace "graalvm8: suspended - too big and not cached" pkgs.hello;
155 graalvm8 = builtins.trace "pkgs.graalvm8: suspended - too big and not cached" pkgs.hello;
156156 inherit (inputs.pr93457.legacyPackages.${system}) apparmor apparmor-utils lvm2; # pullreq
157157 })
158158 (final: prev: {
9696
9797 virtualisation.libvirtd.enable = true;
9898 virtualisation.virtualbox.host.enable = false;
99 virtualisation.anbox.enable = builtins.trace "anbox: still f****d by kernel updates" false;
99 virtualisation.anbox.enable = builtins.trace "${config.networking.hostName} - anbox: still f****d by kernel updates" false;
100100 systemd.network.networks = {
101101 "40-anbox0".networkConfig.ConfigureWithoutCarrier = true;
102102 };
2222 certs = genAttrs (builtins.attrValues domains) mkCertFor;
2323 };
2424
25 systemd.services.haproxy.serviceConfig = lib.mkIf config.services.haproxy.enable {
25 systemd.services.haproxy.serviceConfig = lib.mkIf config.services.traefik.enable {
2626 SupplementaryGroups = "keys";
2727 };
2828 }
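Review bot: The changed line conditions `systemd.services.haproxy.serviceConfig` on `config.services.traefik.enable`, so the unit name and the guard now name different proxies: when traefik is enabled the haproxy unit (which may not exist) is given the keys group, and an enabled haproxy gets nothing. If the intent is to move the keys group to traefik, the attribute path should change with it: `systemd.services.traefik.serviceConfig = lib.mkIf config.services.traefik.enable {`. I am reading the traefik line as the new side from print order; if it is the old one, disregard.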
11
22 {
33 imports = [
4 ../../legacy/containers/secure.nix # 10. 1.0.x
5 ../../legacy/containers/sandbox.nix # 10. 2.0.x
6 #../../legacy/containers/certmon.nix # 10. 3.0.x
7 ../../legacy/containers/authority.nix # 10. 4.0.x
8 ../../legacy/containers/search.nix # 10. 5.0.x
9 ../../legacy/containers/mastodon.nix # 10. 6.0.x
10 ../../legacy/containers/matrix.nix # 10. 7.0.x
11 ../../legacy/containers/hydroxide.nix # 10. 8.0.x
12 ../../legacy/containers/anki.nix # 10. 9.0.x
13 ../../legacy/containers/vervis.nix # 10.10.0.x
14 #../../legacy/containers/lemmy.nix # 10.11.0.x
4 ../../containers/secure.nix # 10. 1.0.x
5 ../../containers/sandbox.nix # 10. 2.0.x
6 #../../containers/certmon.nix # 10. 3.0.x
7 ../../containers/authority.nix # 10. 4.0.x
8 ../../containers/search.nix # 10. 5.0.x
9 ../../containers/mastodon.nix # 10. 6.0.x
10 ../../containers/matrix.nix # 10. 7.0.x
11 ../../containers/hydroxide.nix # 10. 8.0.x
12 ../../containers/anki.nix # 10. 9.0.x
13 ../../containers/vervis.nix # 10.10.0.x
14 #../../containers/lemmy.nix # 10.11.0.x
1515 ../../profiles/meta/fatal-warnings.nix
1616 ../../profiles/misc/qemu.nix
1717 ../../profiles/security/sudo.nix
6161 '';
6262 };
6363
64 qemu-user.arm = builtins.trace "pkgs.qemu-user-arm: disabled for now due to new build error" false;
64 qemu-user.arm = builtins.trace "${config.networking.hostName} - pkgs.qemu-user-arm: disabled for now due to new build error" false;
6565
6666 fileSystems."/" =
6767 { device = "/dev/sda3";
legacy/containers/anki.nix less more
Binary diff not shown
legacy/containers/authority.nix less more
Binary diff not shown
legacy/containers/certmon.nix less more
Binary diff not shown
legacy/containers/hydroxide.nix less more
Binary diff not shown
legacy/containers/mastodon.nix less more
Binary diff not shown
legacy/containers/matrix.nix less more
Binary diff not shown
legacy/containers/sandbox.nix less more
Binary diff not shown
legacy/containers/search.nix less more
Binary diff not shown
legacy/containers/secure.nix less more
Binary diff not shown
legacy/containers/vervis.nix less more
Binary diff not shown
3333 serviceConfig = {
3434 Type = "oneshot";
3535 ExecStartPre = builtins.trace
36 "nix-update-index.timer: suspended cause it breaks my net"
36 "${config.networking.hostName} - nix-update-index.timer: suspended cause it breaks my net"
3737 "false";
3838 ExecStart = "${package}/bin/nix-index";
3939 StandardOutput = "journal";
9797 };
9898 };
9999
100 systemd.services.ipfs = builtins.trace "ipfs config permissions still broken" {
100 systemd.services.ipfs = builtins.trace "${config.networking.hostName} - ipfs config permissions still broken" {
101101 serviceConfig.ExecStartPost = "${pkgs.coreutils}/bin/chmod g+r /var/lib/ipfs/config";
102102 wantedBy = [ "local-fs.target" ];
103103 };
Binary diff not shown
0 { config, lib, pkgs, ... }:
0 { super, config, lib, pkgs, ... }:
11
22 with lib; let
33 cfg = config.services.gpg-agent;
2626 extraConfig = ''
2727 allow-emacs-pinentry
2828 allow-preset-passphrase
29 '' + (builtins.trace "gpg-agent: disabled scdaemon due to weird behaviour" ''
29 '' + (builtins.trace "${super.networking.hostName} - gpg-agent: disabled scdaemon due to weird behaviour" ''
3030 disable-scdaemon
3131 '');
3232 verbose = true;