Add host bekkalokk

`bekkalokk` is a new machine, meant to host web services and eventually miscellaneous services.
2023-01-29 01:51:35 +01:00
parent 387794fbe0
commit 796155481f
12 changed files with 279 additions and 19 deletions
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -0,0 +1,42 @@
+{ pkgs, values, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+
+    ../../base.nix
+
+    # TODO: set up authentication for the following:
+    # ./services/website/website.nix
+    # ./services/website/nginx.nix
+    # ./services/website/gitea.nix
+    # ./services/website/mediawiki.nix
+  ];
+
+  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "bekkalokk";
+
+  networking.interfaces.ens33 = {
+    useDHCP = false;
+
+    ipv4.addresses = [{
+      address = values.hosts.bekkalokk.ipv4;
+      prefixLength = 25;
+    }];
+
+    ipv6.addresses = [{
+      address = values.hosts.bekkalokk.ipv6;
+      prefixLength = 64;
+    }];
+  };
+
+  # Do not change, even during upgrades.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "22.11";
+}
--- a/hosts/bekkalokk/hardware-configuration.nix
+++ b/hosts/bekkalokk/hardware-configuration.nix
@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/cdcafe3a-01d8-4bdf-9a3d-78705b581090";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1CB4-280D";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/3eaace48-91ec-4d46-be86-fd26877d8b86"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens33.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/bekkalokk/services/metrics/loki.nix
+++ b/hosts/bekkalokk/services/metrics/loki.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}
--- a/hosts/bekkalokk/services/metrics/prometheus.nix
+++ b/hosts/bekkalokk/services/metrics/prometheus.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}
--- a/hosts/bekkalokk/services/website/gitea.nix
+++ b/hosts/bekkalokk/services/website/gitea.nix
@@ -0,0 +1,26 @@
+{ config, values, ... }:
+{
+  sops.secrets."postgres/gitea/password" = { };
+
+  services.gitea = {
+    enable = true;
+    rootUrl = "https://git2.pvv.ntnu.no/";
+    stateDir = "/data/gitea";
+    appName = "PVV Git";
+
+    enableUnixSocket = true;
+
+    database = {
+      type = "postgres";
+      host = values.bicep.ipv4;
+      port = config.services.postgresql.port;
+      passwordFile = config.sops.secrets."postgres/gitea/password".path;
+      createDatabase = false;
+    };
+
+    settings = {
+      service.DISABLE_REGISTRATION = true;
+      session.COOKIE_SECURE = true;
+    };
+  };
+}
--- a/hosts/bekkalokk/services/website/mediawiki.nix
+++ b/hosts/bekkalokk/services/website/mediawiki.nix
@@ -0,0 +1,23 @@
+{ values, config, ... }:
+{
+  sops.secrets = {
+    "mediawiki/password" = { };
+    "postgres/mediawiki/password" = { };
+  };
+
+  services.mediawiki = {
+    enable = true;
+    name = "PVV";
+    passwordFile = config.sops.secrets."mediawiki/password".path;
+
+    virtualHost = {
+    };
+
+    database = {
+      type = "postgres";
+      host = values.bicep.ipv4;
+      port = config.services.postgresql.port;
+      passwordFile = config.sops.secrets."postgres/mediawiki/password".path;
+    };
+  };
+}
--- a/hosts/bekkalokk/services/website/nginx.nix
+++ b/hosts/bekkalokk/services/website/nginx.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    virtualHosts = {
+      "www.pvv.ntnu.no" = {
+        forceSSL = true;
+
+        locations = {
+          "/pvv" = {
+            proxyPass = "http://localhost:${config.services.mediawiki.virtualHost.listen.pvv.port}";
+          };
+        };
+      };
+
+      "git.pvv.ntnu.no" = {
+        locations."/" = {
+          proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+}
--- a/hosts/bekkalokk/services/website/website.nix
+++ b/hosts/bekkalokk/services/website/website.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}