diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index 43aeaad..ccfd5ad 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -4,24 +4,16 @@
 ./hardware-configuration.nix
 # ./services/calibre.nix
- # ./services/dokuwiki.nix
 ./services/gitea
- # ./services/gitlab
 ./services/grafana
 ./services/hydra.nix
 # ./services/jitsi.nix
 ./services/jupyter.nix
 # ./services/keycloak.nix
- # ./services/libvirt.nix
 ./services/matrix
 ./services/nginx
- # ./services/openldap.nix
- # ./services/openvpn.nix
 ./services/plex.nix
 ./services/postgres.nix
- ./services/samba.nix
- ./services/searx.nix
- # ./services/syncthing.nix
 ./services/vscode-server.nix
 ];
diff --git a/hosts/tsuki/services/dokuwiki.todo.nix b/hosts/tsuki/services/dokuwiki.todo.nix
deleted file mode 100644
index ae656f0..0000000
--- a/hosts/tsuki/services/dokuwiki.todo.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ ... }:
-{
- services.dokuwiki.sites = {
- # TODO: research?
- wiki = {
- enable = false;
- };
- };
-}
diff --git a/hosts/tsuki/services/gitlab/default.nix b/hosts/tsuki/services/gitlab/default.nix
deleted file mode 100644
index 56b7c25..0000000
--- a/hosts/tsuki/services/gitlab/default.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-{ pkgs, lib, config, secrets, ... }:
-let
- gitlab-port = secrets.ports.gitlab;
- gitlab-host = "gitlab.nani.wtf";
-
- # TODO: this should optimally be extracted out to nix-secrets completely.
- gitlab-keydir = secrets.hosts.${config.networking.hostName}.keydir + "/gitlab";
-in
-{
- # TODO: Set up gitlab-runner
- # imports = [ ./runner.nix ];
-
- services.gitlab = {
- enable = false;
-
- host = gitlab-host;
- port = gitlab-port + 1;
-
- user = "gitlab";
- group = "gitlab";
-
- databaseUsername = "gitlab";
-
- statePath = "${secrets.hosts.${config.networking.hostName}.dataStatePath}/gitlab";
-
- # A file containing the initial password of the root gitlab-account.
- # This file should be readable to the user defined in `services.gitlab.user`,
- # optimally having only read write permissions for that user.
- initialRootPasswordFile = secrets.keys.gitlab.root_password;
-
- secrets = { inherit (secrets.keys.gitlab) secretFile dbFile otpFile jwsFile; };
-
-
- # TODO: Activate GitLabs Prometheus service
- # extraGitlabRb = ''
- # prometheus['enabled'] = true
- # prometheus['server_address'] = '0.0.0.0:10392'
- # '';
-
- smtp = {
- tls = true;
- # address = gitlab-host;
- port = gitlab-port + 2;
- };
-
- # TODO: Set up registry
- # registry = {
- # enable = true;
- # # host = gitlab-host;
- # port = gitlab-port + 3;
- # externalPort = gitlab-port + 3;
- # certFile = /var/cert.pem;
- # keyFile = /var/key.pem;
- # };
-
- pagesExtraArgs = [
- "-gitlab-server" "http://${gitlab-host}"
- "-listen-proxy" "127.0.0.1:${toString (gitlab-port + 4)}"
- "-log-format" "text"
- ];
-
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gitlab.nix
- # https://gitlab.com/gitlab-org/gitlab/blob/master/config/gitlab.yml.example
- extraConfig = {
- # gitlab = {};
- gravatar.enabled = false;
-
- # TODO: Fix pages API connection
- # pages = {
- # enabled = true;
- # host = gitlab-host;
- # secret_file = "${toString gitlab-keydir}/pages_secret";
- # local_store.enabled = true;
- # };
- };
-
- };
-
- # TODO: Set up registry
- # services.dockerRegistry = {
- # enable = true;
- # };
-
- # TODO: Connect plantuml to gitlab
- services.plantuml-server = {
- enable = true;
- listenPort = gitlab-port + 5;
- };
-
- # TODO: Make module for kroki, and connect to gitlab
- # services.kroki = {
- #
- # };
-}
diff --git a/hosts/tsuki/services/gitlab/genfiles.sh b/hosts/tsuki/services/gitlab/genfiles.sh
deleted file mode 100755
index 6d470f9..0000000
--- a/hosts/tsuki/services/gitlab/genfiles.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-if [ "$EUID" -ne 0 ]; then
- echo "Please run as root"
- exit 1
-fi
-
-KEYDIR='/var/keys/gitlab'
-
-umask u=rwx,g=,o=
-
-mkdir -p $KEYDIR
-chmod 755 '/var/keys'
-
-for FILE in secretFile dbFile otpFile pages_secret; do
- tr -dc A-Za-z0-9 < /dev/random | head -c 128 > $KEYDIR/$FILE
-done
-
-nix-shell -p openssl --run "openssl genrsa 2048 > $KEYDIR/jwsFile"
-chmod 600 $KEYDIR/jwsFile
-
-read -s -p "Root password: " ROOTPASS
-echo $ROOTPASS > $KEYDIR/root_password
-
-chown -R git:git $KEYDIR
diff --git a/hosts/tsuki/services/gitlab/runner.nix b/hosts/tsuki/services/gitlab/runner.nix
deleted file mode 100644
index 9d15b42..0000000
--- a/hosts/tsuki/services/gitlab/runner.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ ... }:
-{
-
- # See https://nixos.wiki/wiki/Gitlab_runner
- # boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
- # virtualisation.docker.enable = true;
- # services.gitlab-runner = {
- # enable = true;
- # services= {
- # # runner for building in docker via host's nix-daemon
- # # nix store will be readable in runner, might be insecure
- # nix = with lib;{
- # # File should contain at least these two variables:
- # # `CI_SERVER_URL`
- # # `REGISTRATION_TOKEN`
- # registrationConfigFile = toString ./path/to/ci-env; # 2
- # dockerImage = "alpine";
- # dockerVolumes = [
- # "/nix/store:/nix/store:ro"
- # "/nix/var/nix/db:/nix/var/nix/db:ro"
- # "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
- # ];
- # dockerDisableCache = true;
- # preBuildScript = pkgs.writeScript "setup-container" ''
- # mkdir -p -m 0755 /nix/var/log/nix/drvs
- # mkdir -p -m 0755 /nix/var/nix/gcroots
- # mkdir -p -m 0755 /nix/var/nix/profiles
- # mkdir -p -m 0755 /nix/var/nix/temproots
- # mkdir -p -m 0755 /nix/var/nix/userpool
- # mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
- # mkdir -p -m 1777 /nix/var/nix/profiles/per-user
- # mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
- # mkdir -p -m 0700 "$HOME/.nix-defexpr"
- # . ${pkgs.nix}/etc/profile.d/nix.sh
- # ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3
- # ${pkgs.nix}/bin/nix-channel --update nixpkgs
- # ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
- # '';
- # environmentVariables = {
- # ENV = "/etc/profile";
- # USER = "root";
- # NIX_REMOTE = "daemon";
- # PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
- # NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
- # };
- # tagList = [ "nix" ];
- # };
- # };
- # };
-
-}
diff --git a/hosts/tsuki/services/libvirt.todo.nix b/hosts/tsuki/services/libvirt.todo.nix
deleted file mode 100644
index e69de29..0000000
diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix
index 007ebe3..cace7b0 100644
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
@@ -94,16 +94,12 @@
 (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
 (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
 (host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
- (host ["cache"] { root = "/var/lib/nix-cache"; })
+ # (host ["cache"] { root = "/var/lib/nix-cache"; })
 (proxy ["git"] "http://localhost:${s ports.gitea}" {})
 (proxy ["px1"] "https://${ips.px1}:${s ports.proxmox}" {
 locations."/".proxyWebsockets = true;
 })
 (proxy ["idrac"] "https://${ips.idrac}" {})
- (proxy ["searx"] "http://localhost:${s ports.searx}" {})
- (proxy ["dyn"] "http://${ips.crafty}:${s ports.dynmap}" {
- # basicAuthFile = keys.htpasswds.default;
- })
 (proxy ["log"] "http://localhost:${s ports.grafana}" {
 locations."/".proxyWebsockets = true;
 })
@@ -116,7 +112,7 @@
 ] ++ (let
 stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix {
 inherit (inputs) maunium-stickerpicker;
- };
+ };
 in [
 (host ["stickers-pingu"] { root = "${stickerpickers.stickers-pingu}/"; })
 (host ["stickers-h7x4"] { root = "${stickerpickers.stickers-h7x4}/"; })
@@ -126,7 +122,5 @@
 networking.firewall.allowedTCPPorts = [
 80
 443
- # secrets.ports.openvpn
- ports.minecraft
 ];
 }
diff --git a/hosts/tsuki/services/openldap.todo.nix b/hosts/tsuki/services/openldap.todo.nix
deleted file mode 100644
index a177155..0000000
--- a/hosts/tsuki/services/openldap.todo.nix
+++ /dev/null
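Review bot: The `cache` vhost at `# (host ["cache"] { root = "/var/lib/nix-cache"; })` is commented out rather than removed, while the `searx` and `dyn` proxies in the same hunk are deleted outright, so a reader cannot tell whether the cache is retired or only paused. Either drop the line to match the rest of the commit, or mark it with a tracked note such as `# TODO: cache vhost disabled; remove once confirmed unused`. The vhost list this hunk edits begins before the hunk, and the `@@ -116` hunk is whitespace-only.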
@@ -1,74 +0,0 @@
-{ pkgs, ... }:
-{
- services.openldap = {
- enable = true;
- # dataDir = "${config.machineVars.dataDrives.default}/var/openldap";
- urlList = [ "ldap:///" "ldapi:///" ]; # Add ldaps to this list to listen with SSL (requires configured certificates)
- # suffix = "dc=nixos,dc=org";
- # rootdn = "cn=admin,dc=nixos,dc=org";
- # rootpwFile = "/var/keys/ldap/rootpw";
- # See https://www.openldap.org/doc/admin24/slapdconfig.html
- # extraDatabaseConfig = ''
- # access to dn.base="dc=nixos,dc=org" by * read
- # # Add your own ACLs here…
-
- # # Drop everything that wasn't handled by previous ACLs:
- # access to * by * none
-
- # index objectClass eq
- # index uid eq
- # index mail sub
- # # Accelerates replication if you use it
- # index entryCSN eq
- # index entryUUID eq
- # '';
-
- settings = {
- attrs.olcLogLevel = [ "stats" ];
- children = {
- "cn=schema".includes = [
- "${pkgs.openldap}/etc/schema/core.ldif"
- "${pkgs.openldap}/etc/schema/cosine.ldif"
- "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
- ];
- "olcDatabase={-1}frontend" = {
- attrs = {
- objectClass = "olcDatabaseConfig";
- olcDatabase = "{-1}frontend";
- olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
- };
- };
- "olcDatabase={0}config" = {
- attrs = {
- objectClass = "olcDatabaseConfig";
- olcDatabase = "{0}config";
- olcAccess = [ "{0}to * by * none break" ];
- };
- };
- "olcDatabase={1}mdb" = {
- attrs = {
- objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
- olcDatabase = "{1}mdb";
- olcDbDirectory = "/data/var/openldap/db";
- olcDbIndex = [
- "objectClass eq"
- "cn pres,eq"
- "uid pres,eq"
- "sn pres,eq,subany"
- ];
- olcSuffix = "dc=example,dc=com";
- olcAccess = [ "{0}to * by * read break" ];
- };
- };
- };
- };
-
- # Setting this causes OpenLDAP to drop the entire database on startup and write the contents of
- # of this LDIF string into the database. This ensures that only nix-managed content is found in the
- # database. Note that if a lot of entries are created in conjunction with a lot of indexes, this might hurt
- # startup performance.
- # Also, you can set `readonly on` in `extraDatabaseConfig` to ensure nobody writes data that will be
- # lost.
- # declarativeContents = "…";
- };
-}
diff --git a/hosts/tsuki/services/openvpn.nix b/hosts/tsuki/services/openvpn.nix
deleted file mode 100644
index ff3d7ae..0000000
--- a/hosts/tsuki/services/openvpn.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{ config, pkgs, secrets, ... }:
-let
- inherit (secrets) ips ports;
-in {
- services = {
- openvpn.servers = let
- inherit (secrets.keys.certificates) openvpn CA server;
- inherit (secrets.openvpn) ip-range;
- in {
- tsuki = {
- config = ''
- dev tap
- server-bridge ${ips.tsuki} 255.255.255.0 ${ip-range.start} ${ip-range.end}
- local 0.0.0.0
- port ${toString ports.openvpn}
- user nobody
- group nogroup
- comp-lzo no
- push 'comp-lzo no'
- persist-key
- persist-tun
- keepalive 10 120
- topology subnet
- push "dhcp-option DNS 1.1.1.1"
- push "dhcp-option DNS 8.8.8.8"
- dh none
- ecdh-curve prime256v1
- tls-crypt ${openvpn.tls-crypt}
- ca ${CA.crt}
- cert ${server.crt}
- key ${server.key}
- auth SHA256
- cipher AES-128-GCM
- ncp-ciphers AES-128-GCM
- tls-server
- tls-version-min 1.2
- tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
- status /var/openvpn/status.log
- verb 3
- '';
- autoStart = false;
- updateResolvConf = true;
- };
- };
- };
-
- networking.firewall = {
- allowedUDPPorts = [ ports.openvpn ];
- allowedTCPPorts = [ ports.openvpn ];
- };
-
- # networking.bridges.br0.interfaces = [ "tap0" "ens18" ];
-}
diff --git a/hosts/tsuki/services/samba.nix b/hosts/tsuki/services/samba.nix
deleted file mode 100644
index 0cd888c..0000000
--- a/hosts/tsuki/services/samba.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{ config, ... }:
-{
- services.samba = {
- enable = true;
- openFirewall = true;
- securityType = "user";
-
- extraConfig = ''
- workgroup = TSUKI
- server string = smbnix
- netbios name = smbnix
-
- security = user
-
- use sendfile = yes
- min protocol = SMB2
- smb encrypt = desired
-
- # note: localhost is the ipv6 localhost ::1
- hosts allow = 10.0.0. 127.0.0.1 localhost
- hosts deny = 0.0.0.0/0
-
- guest ok = no
- map to guest = never
- '';
-
- shares = {
- media = {
- "path" = "${config.machineVars.dataDrives.default}/media";
- "read only" = false;
- "browseable" = "yes";
- "guest ok" = "no";
- "force group" = "media";
- "create mask" = "0644";
- "directory mask" = "0755";
- "comment" = "Pictures, music, videos, etc.";
- };
-
- momiji = {
- "path" = config.machineVars.dataDrives.drives.momiji;
- "read only" = false;
- "browseable" = "yes";
- "guest ok" = "no";
- "valid users" = "h7x4";
- "create mask" = "0644";
- "directory mask" = "0755";
- "comment" = "Momiji data drive.";
- };
-
- cirno = {
- "path" = config.machineVars.dataDrives.drives.cirno;
- "read only" = false;
- "browseable" = "yes";
- "guest ok" = "no";
- "valid users" = "h7x4";
- "create mask" = "0644";
- "directory mask" = "0755";
- "comment" = "Cirno data drive.";
- };
-
- home = {
- "path" = config.users.users.h7x4.home;
- "read only" = false;
- "browseable" = "yes";
- "guest ok" = "no";
- "valid users" = "h7x4";
- "create mask" = "0644";
- "directory mask" = "0755";
- "comment" = "Home directory.";
- };
- };
- };
-}
diff --git a/hosts/tsuki/services/searx.nix b/hosts/tsuki/services/searx.nix
deleted file mode 100644
index 72956d6..0000000
--- a/hosts/tsuki/services/searx.nix
+++ /dev/null
@@ -1,162 +0,0 @@
-{ secrets, ... }:
-{
- # TODO: Make secret keys.
- services.searx = {
- enable = true;
- settings = {
-
- general = {
- debug = false;
- instance_name = "Searx";
- };
-
- server = {
- port = secrets.ports.searx;
- bind_address = "0.0.0.0";
- secret_key = secrets.keys.searx.key;
- };
-
- ui = {
- default_theme = "oscar";
- theme_args.oscar_style = "logicodev-dark";
- };
-
- engines = let
- enable = name: {
- name = name;
- disabled = false;
- };
- disable = name: {
- name = name;
- disabled = true;
- };
- in [
- /* General */
- (disable "bing")
- /* --- */
- (enable "archive is")
- (enable "wikipedia")
- (enable "currency")
- (enable "ddg definitions")
- (enable "erowid")
- (enable "wikidata")
- (enable "duckduckgo")
- (enable "etymonline")
- (enable "google")
- (enable "library genesis")
- (enable "qwant")
- (enable "reddit")
- (enable "wikibooks")
- (enable "wikiquote")
- (enable "wikisource")
- (enable "wiktionary")
- (enable "wikiversity")
- # Doesn't work at the time
- # (enable "wikivoyage")
- (enable "dictzone")
-
- /* Files */
- # (disable "btdigg")
- (disable "piratebay")
- (disable "torrentz")
- /* --- */
- (enable "apk mirror")
- (enable "fdroid")
- (enable "google play apps")
- (enable "nyaa")
- (enable "tokyotoshokan")
-
- /* Images */
- (disable "bing images")
- (disable "ccengine")
- (disable "flickr")
- (disable "library of congress")
- /* --- */
- (enable "deviantart")
- (enable "google images")
- (enable "nyaa")
- # (enable "reddit")
- (enable "qwant images")
- (enable "unsplash")
-
- /* IT */
- (enable "arch linux wiki")
- (enable "bitbucket")
- (enable "free software directory")
- (enable "gentoo")
- (enable "gitlab")
- (enable "github")
- (enable "codeberg")
- (enable "hoogle")
- (enable "npm")
- (enable "stackoverflow")
- (enable "searchcode code")
-
- /* map */
- (enable "openstreetmap")
- (enable "photon")
-
- /* music */
- (disable "btdigg")
- /* --- */
- (enable "deezer")
- (enable "genius")
- (enable "mixcloud")
- # (enable "nyaa")
- (enable "soundcloud")
- # (enable "tokyotoshokan")
- (enable "youtube")
-
- /* news */
- (disable "bing news")
- (disable "digg")
- (disable "yahoo news")
- /* --- */
- (enable "google news")
- (enable "qwant news")
- # (enable "reddit")
- (enable "wikinews")
-
- /* science */
- (enable "arxiv")
- (enable "crossref")
- (enable "google scholar")
- (enable "microsoft academic")
- (enable "openairedatasets")
- (enable "openairepublications")
- (enable "pdbe")
- (enable "pubmed")
- (enable "semantic scholar")
- (enable "wolframalpha")
-
- /* social media */
- # (disable "digg")
- # (enable "reddit")
-
- /* shopping */
- # (enable "ebay")
-
- /* videos */
- (disable "bing videos")
- # (disable "piratebay")
- (disable "sepiasearch")
- (disable "dailymotion")
- (disable "mediathekviewweb")
- /* --- */
- (enable "google videos")
- # (enable "nyaa")
- # (enable "tokyotoshokan")
- # (enable "youtube")
- (enable "vimeo")
- (enable "peertube")
- ];
- };
-
- # runInUwsgi = true;
- # uwsgiConfig = {
- # disable-logging = false;
- # http = ":11000";
- # socket = "/run/searx/searx.sock";
- # };
- };
-}
diff --git a/hosts/tsuki/services/syncthing.todo.nix b/hosts/tsuki/services/syncthing.todo.nix
deleted file mode 100644
index e69de29..0000000