From aea736c2df29087f415f390e2e847a2ba13716d0 Mon Sep 17 00:00:00 2001 
From: h7x4 Date: Tue, 3 Jan 2023 22:52:24 +0100 Subject: [PATCH] tsuki: remove a lot of unused services Removed: - dokuwiki (this was never properly set up) - libvirt (this is already a virtual machine, double virtualization bad) - openldap (this will become the responsibility of keycloak) - openvpn (this will become the responsibility of head/tailscale) - samba (this is now the responsibility of TrueNAS) - searx (I never used this) - gitlab (this has become the responsibility of gitea and hydra) - syncthing (this was never properly set up) The nix cache nginx entry is also paused, as it wasn't functional. In this commit and the previous commit, the nginx config for the minecraft server was also taken down, as the whole host is deleted. The plan is to set it up again, this time using tsuki. --- hosts/tsuki/configuration.nix | 8 -- hosts/tsuki/services/dokuwiki.todo.nix | 9 -- hosts/tsuki/services/gitlab/default.nix | 94 -------------- hosts/tsuki/services/gitlab/genfiles.sh | 25 ---- hosts/tsuki/services/gitlab/runner.nix | 51 -------- hosts/tsuki/services/libvirt.todo.nix | 0 hosts/tsuki/services/nginx/default.nix | 10 +- hosts/tsuki/services/openldap.todo.nix | 74 ----------- hosts/tsuki/services/openvpn.nix | 53 -------- hosts/tsuki/services/samba.nix | 73 ----------- hosts/tsuki/services/searx.nix | 162 ------------------------ hosts/tsuki/services/syncthing.todo.nix | 0 12 files changed, 2 insertions(+), 557 deletions(-) delete mode 100644 hosts/tsuki/services/dokuwiki.todo.nix delete mode 100644 hosts/tsuki/services/gitlab/default.nix delete mode 100755 hosts/tsuki/services/gitlab/genfiles.sh delete mode 100644 hosts/tsuki/services/gitlab/runner.nix delete mode 100644 hosts/tsuki/services/libvirt.todo.nix delete mode 100644 hosts/tsuki/services/openldap.todo.nix delete mode 100644 hosts/tsuki/services/openvpn.nix delete mode 100644 hosts/tsuki/services/samba.nix delete mode 100644 hosts/tsuki/services/searx.nix delete mode 100644 
hosts/tsuki/services/syncthing.todo.nix diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix index 43aeaad..ccfd5ad 100644 --- a/hosts/tsuki/configuration.nix +++ b/hosts/tsuki/configuration.nix @@ -4,24 +4,16 @@ ./hardware-configuration.nix # ./services/calibre.nix - # ./services/dokuwiki.nix ./services/gitea - # ./services/gitlab ./services/grafana ./services/hydra.nix # ./services/jitsi.nix ./services/jupyter.nix # ./services/keycloak.nix - # ./services/libvirt.nix ./services/matrix ./services/nginx - # ./services/openldap.nix - # ./services/openvpn.nix ./services/plex.nix ./services/postgres.nix - ./services/samba.nix - ./services/searx.nix - # ./services/syncthing.nix ./services/vscode-server.nix ]; diff --git a/hosts/tsuki/services/dokuwiki.todo.nix b/hosts/tsuki/services/dokuwiki.todo.nix deleted file mode 100644 index ae656f0..0000000 --- a/hosts/tsuki/services/dokuwiki.todo.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: -{ - services.dokuwiki.sites = { - # TODO: research? - wiki = { - enable = false; - }; - }; -} diff --git a/hosts/tsuki/services/gitlab/default.nix b/hosts/tsuki/services/gitlab/default.nix deleted file mode 100644 index 56b7c25..0000000 --- a/hosts/tsuki/services/gitlab/default.nix +++ /dev/null 
@@ -1,94 +0,0 @@ -{ pkgs, lib, config, secrets, ... }: -let - gitlab-port = secrets.ports.gitlab; - gitlab-host = "gitlab.nani.wtf"; - - # TODO: this should optimally be extracted out to nix-secrets completely. - gitlab-keydir = secrets.hosts.${config.networking.hostName}.keydir + "/gitlab"; -in -{ - # TODO: Set up gitlab-runner - # imports = [ ./runner.nix ]; - - services.gitlab = { - enable = false; - - host = gitlab-host; - port = gitlab-port + 1; - - user = "gitlab"; - group = "gitlab"; - - databaseUsername = "gitlab"; - - statePath = "${secrets.hosts.${config.networking.hostName}.dataStatePath}/gitlab"; - - # A file containing the initial password of the root gitlab-account. - # This file should be readable to the user defined in `services.gitlab.user`, - # optimally having only read write permissions for that user. - initialRootPasswordFile = secrets.keys.gitlab.root_password; - - secrets = { inherit (secrets.keys.gitlab) secretFile dbFile otpFile jwsFile; }; - - - # TODO: Activate GitLabs Prometheus service - # extraGitlabRb = '' - # prometheus['enabled'] = true - # prometheus['server_address'] = '0.0.0.0:10392' - # ''; - - smtp = { - tls = true; - # address = gitlab-host; - port = gitlab-port + 2; - }; - - # TODO: Set up registry - # registry = { - # enable = true; - # # host = gitlab-host; - # port = gitlab-port + 3; - # externalPort = gitlab-port + 3; - # certFile = /var/cert.pem; - # keyFile = /var/key.pem; - # }; - - pagesExtraArgs = [ - "-gitlab-server" "http://${gitlab-host}" - "-listen-proxy" "127.0.0.1:${toString (gitlab-port + 4)}" - "-log-format" "text" - ]; - - # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gitlab.nix - # https://gitlab.com/gitlab-org/gitlab/blob/master/config/gitlab.yml.example - extraConfig = { - # gitlab = {}; - gravatar.enabled = false; - - # TODO: Fix pages API connection - # pages = { - # enabled = true; - # host = gitlab-host; - # secret_file = "${toString gitlab-keydir}/pages_secret"; - # 
local_store.enabled = true; - # }; - }; - - }; - - # TODO: Set up registry - # services.dockerRegistry = { - # enable = true; - # }; - - # TODO: Connect plantuml to gitlab - services.plantuml-server = { - enable = true; - listenPort = gitlab-port + 5; - }; - - # TODO: Make module for kroki, and connect to gitlab - # services.kroki = { - # - # }; -} diff --git a/hosts/tsuki/services/gitlab/genfiles.sh b/hosts/tsuki/services/gitlab/genfiles.sh deleted file mode 100755 index 6d470f9..0000000 --- a/hosts/tsuki/services/gitlab/genfiles.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bash - -if [ "$EUID" -ne 0 ]; then - echo "Please run as root" - exit 1 -fi - -KEYDIR='/var/keys/gitlab' - -umask u=rwx,g=,o= - -mkdir -p $KEYDIR -chmod 755 '/var/keys' - -for FILE in secretFile dbFile otpFile pages_secret; do - tr -dc A-Za-z0-9 < /dev/random | head -c 128 > $KEYDIR/$FILE -done - -nix-shell -p openssl --run "openssl genrsa 2048 > $KEYDIR/jwsFile" -chmod 600 $KEYDIR/jwsFile - -read -s -p "Root password: " ROOTPASS -echo $ROOTPASS > $KEYDIR/root_password - -chown -R git:git $KEYDIR diff --git a/hosts/tsuki/services/gitlab/runner.nix b/hosts/tsuki/services/gitlab/runner.nix deleted file mode 100644 index 9d15b42..0000000 --- a/hosts/tsuki/services/gitlab/runner.nix +++ /dev/null 
@@ -1,51 +0,0 @@ -{ ... }: -{ - - # See https://nixos.wiki/wiki/Gitlab_runner - # boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1 - # virtualisation.docker.enable = true; - # services.gitlab-runner = { - # enable = true; - # services= { - # # runner for building in docker via host's nix-daemon - # # nix store will be readable in runner, might be insecure - # nix = with lib;{ - # # File should contain at least these two variables: - # # `CI_SERVER_URL` - # # `REGISTRATION_TOKEN` - # registrationConfigFile = toString ./path/to/ci-env; # 2 - # dockerImage = "alpine"; - # dockerVolumes = [ - # "/nix/store:/nix/store:ro" - # "/nix/var/nix/db:/nix/var/nix/db:ro" - # "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" - # ]; - # dockerDisableCache = true; - # preBuildScript = pkgs.writeScript "setup-container" '' - # mkdir -p -m 0755 /nix/var/log/nix/drvs - # mkdir -p -m 0755 /nix/var/nix/gcroots - # mkdir -p -m 0755 /nix/var/nix/profiles - # mkdir -p -m 0755 /nix/var/nix/temproots - # mkdir -p -m 0755 /nix/var/nix/userpool - # mkdir -p -m 1777 /nix/var/nix/gcroots/per-user - # mkdir -p -m 1777 /nix/var/nix/profiles/per-user - # mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root - # mkdir -p -m 0700 "$HOME/.nix-defexpr" - # . ${pkgs.nix}/etc/profile.d/nix.sh - # ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3 - # ${pkgs.nix}/bin/nix-channel --update nixpkgs - # ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])} - # ''; - # environmentVariables = { - # ENV = "/etc/profile"; - # USER = "root"; - # NIX_REMOTE = "daemon"; - # PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; - # NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; - # }; - # tagList = [ "nix" ]; - # }; - # }; - # }; - -} 
diff --git a/hosts/tsuki/services/libvirt.todo.nix b/hosts/tsuki/services/libvirt.todo.nix deleted file mode 100644 index e69de29..0000000 diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix index 007ebe3..cace7b0 100644 --- a/hosts/tsuki/services/nginx/default.nix +++ b/hosts/tsuki/services/nginx/default.nix @@ -94,16 +94,12 @@ (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; }) (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {}) (host ["madmin"] { root = "${pkgs.synapse-admin}/"; }) - (host ["cache"] { root = "/var/lib/nix-cache"; }) + # (host ["cache"] { root = "/var/lib/nix-cache"; }) (proxy ["git"] "http://localhost:${s ports.gitea}" {}) (proxy ["px1"] "https://${ips.px1}:${s ports.proxmox}" { locations."/".proxyWebsockets = true; }) (proxy ["idrac"] "https://${ips.idrac}" {}) - (proxy ["searx"] "http://localhost:${s ports.searx}" {}) - (proxy ["dyn"] "http://${ips.crafty}:${s ports.dynmap}" { - # basicAuthFile = keys.htpasswds.default; - }) (proxy ["log"] "http://localhost:${s ports.grafana}" { locations."/".proxyWebsockets = true; }) @@ -116,7 +112,7 @@ ] ++ (let stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix { inherit (inputs) maunium-stickerpicker; - }; + }; in [ (host ["stickers-pingu"] { root = "${stickerpickers.stickers-pingu}/"; }) (host ["stickers-h7x4"] { root = "${stickerpickers.stickers-h7x4}/"; }) @@ -126,7 +122,5 @@ networking.firewall.allowedTCPPorts = [ 80 443 - # secrets.ports.openvpn - ports.minecraft ]; } diff --git a/hosts/tsuki/services/openldap.todo.nix b/hosts/tsuki/services/openldap.todo.nix deleted file mode 100644 index a177155..0000000 --- a/hosts/tsuki/services/openldap.todo.nix +++ /dev/null 
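Review bot: The `px1` and `idrac` entries left in this list forward a Proxmox and an iDRAC management interface through nginx, and with the firewall hunk reducing `allowedTCPPorts` to `[ 80 443 ]` they stay reachable on those ports while nothing in the hunk shows an access restriction on them; the only `basicAuthFile` reference in this list disappeared with the removed `dyn` entry. Unless the `proxy` helper (defined outside the hunk) attaches authentication or an allow-list, consider gating them the same way, e.g. `(proxy ["idrac"] "https://${ips.idrac}" { basicAuthFile = keys.htpasswds.default; })` if that htpasswd secret exists, or limiting them to the LAN/tailscale range through `locations."/".extraConfig`. The commented-out `cache` line should also state why it is disabled instead of sitting there unexplained, e.g. `# disabled: the nix-cache vhost never worked; keep it off until /var/lib/nix-cache is populated and verified`. The enclosing virtualHosts list starts and ends outside this hunk.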
@@ -1,74 +0,0 @@ -{ pkgs, ... }: -{ - services.openldap = { - enable = true; - # dataDir = "${config.machineVars.dataDrives.default}/var/openldap"; - urlList = [ "ldap:///" "ldapi:///" ]; # Add ldaps to this list to listen with SSL (requires configured certificates) - # suffix = "dc=nixos,dc=org"; - # rootdn = "cn=admin,dc=nixos,dc=org"; - # rootpwFile = "/var/keys/ldap/rootpw"; - # See https://www.openldap.org/doc/admin24/slapdconfig.html - # extraDatabaseConfig = '' - # access to dn.base="dc=nixos,dc=org" by * read - # # Add your own ACLs here… - - # # Drop everything that wasn't handled by previous ACLs: - # access to * by * none - - # index objectClass eq - # index uid eq - # index mail sub - # # Accelerates replication if you use it - # index entryCSN eq - # index entryUUID eq - # ''; - - settings = { - attrs.olcLogLevel = [ "stats" ]; - children = { - "cn=schema".includes = [ - "${pkgs.openldap}/etc/schema/core.ldif" - "${pkgs.openldap}/etc/schema/cosine.ldif" - "${pkgs.openldap}/etc/schema/inetorgperson.ldif" - ]; - "olcDatabase={-1}frontend" = { - attrs = { - objectClass = "olcDatabaseConfig"; - olcDatabase = "{-1}frontend"; - olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ]; - }; - }; - "olcDatabase={0}config" = { - attrs = { - objectClass = "olcDatabaseConfig"; - olcDatabase = "{0}config"; - olcAccess = [ "{0}to * by * none break" ]; - }; - }; - "olcDatabase={1}mdb" = { - attrs = { - objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; - olcDatabase = "{1}mdb"; - olcDbDirectory = "/data/var/openldap/db"; - olcDbIndex = [ - "objectClass eq" - "cn pres,eq" - "uid pres,eq" - "sn pres,eq,subany" - ]; - olcSuffix = "dc=example,dc=com"; - olcAccess = [ "{0}to * by * read break" ]; - }; - }; - }; - }; - - # Setting this causes OpenLDAP to drop the entire database on startup and write the contents of - # of this LDIF string into the database. 
This ensures that only nix-managed content is found in the - # database. Note that if a lot of entries are created in conjunction with a lot of indexes, this might hurt - # startup performance. - # Also, you can set `readonly on` in `extraDatabaseConfig` to ensure nobody writes data that will be - # lost. - # declarativeContents = "…"; - }; -} diff --git a/hosts/tsuki/services/openvpn.nix b/hosts/tsuki/services/openvpn.nix deleted file mode 100644 index ff3d7ae..0000000 --- a/hosts/tsuki/services/openvpn.nix +++ /dev/null @@ -1,53 +0,0 @@ -{ config, pkgs, secrets, ... }: -let - inherit (secrets) ips ports; -in { - services = { - openvpn.servers = let - inherit (secrets.keys.certificates) openvpn CA server; - inherit (secrets.openvpn) ip-range; - in { - tsuki = { - config = '' - dev tap - server-bridge ${ips.tsuki} 255.255.255.0 ${ip-range.start} ${ip-range.end} - local 0.0.0.0 - port ${toString ports.openvpn} - user nobody - group nogroup - comp-lzo no - push 'comp-lzo no' - persist-key - persist-tun - keepalive 10 120 - topology subnet - push "dhcp-option DNS 1.1.1.1" - push "dhcp-option DNS 8.8.8.8" - dh none - ecdh-curve prime256v1 - tls-crypt ${openvpn.tls-crypt} - ca ${CA.crt} - cert ${server.crt} - key ${server.key} - auth SHA256 - cipher AES-128-GCM - ncp-ciphers AES-128-GCM - tls-server - tls-version-min 1.2 - tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 - status /var/openvpn/status.log - verb 3 - ''; - autoStart = false; - updateResolvConf = true; - }; - }; - }; - - networking.firewall = { - allowedUDPPorts = [ ports.openvpn ]; - allowedTCPPorts = [ ports.openvpn ]; - }; - - # networking.bridges.br0.interfaces = [ "tap0" "ens18" ]; -} diff --git a/hosts/tsuki/services/samba.nix b/hosts/tsuki/services/samba.nix deleted file mode 100644 index 0cd888c..0000000 --- a/hosts/tsuki/services/samba.nix +++ /dev/null 
@@ -1,73 +0,0 @@ -{ config, ... }: -{ - services.samba = { - enable = true; - openFirewall = true; - securityType = "user"; - - extraConfig = '' - workgroup = TSUKI - server string = smbnix - netbios name = smbnix - - security = user - - use sendfile = yes - min protocol = SMB2 - smb encrypt = desired - - # note: localhost is the ipv6 localhost ::1 - hosts allow = 10.0.0. 127.0.0.1 localhost - hosts deny = 0.0.0.0/0 - - guest ok = no - map to guest = never - ''; - - shares = { - media = { - "path" = "${config.machineVars.dataDrives.default}/media"; - "read only" = false; - "browseable" = "yes"; - "guest ok" = "no"; - "force group" = "media"; - "create mask" = "0644"; - "directory mask" = "0755"; - "comment" = "Pictures, music, videos, etc."; - }; - - momiji = { - "path" = config.machineVars.dataDrives.drives.momiji; - "read only" = false; - "browseable" = "yes"; - "guest ok" = "no"; - "valid users" = "h7x4"; - "create mask" = "0644"; - "directory mask" = "0755"; - "comment" = "Momiji data drive."; - }; - - cirno = { - "path" = config.machineVars.dataDrives.drives.cirno; - "read only" = false; - "browseable" = "yes"; - "guest ok" = "no"; - "valid users" = "h7x4"; - "create mask" = "0644"; - "directory mask" = "0755"; - "comment" = "Cirno data drive."; - }; - - home = { - "path" = config.users.users.h7x4.home; - "read only" = false; - "browseable" = "yes"; - "guest ok" = "no"; - "valid users" = "h7x4"; - "create mask" = "0644"; - "directory mask" = "0755"; - "comment" = "Home directory."; - }; - }; - }; -} diff --git a/hosts/tsuki/services/searx.nix b/hosts/tsuki/services/searx.nix deleted file mode 100644 index 72956d6..0000000 --- a/hosts/tsuki/services/searx.nix +++ /dev/null 
@@ -1,162 +0,0 @@ -{ secrets, ... }: -{ - # TODO: Make secret keys. - services.searx = { - enable = true; - settings = { - - general = { - debug = false; - instance_name = "Searx"; - }; - - server = { - port = secrets.ports.searx; - bind_address = "0.0.0.0"; - secret_key = secrets.keys.searx.key; - }; - - ui = { - default_theme = "oscar"; - theme_args.oscar_style = "logicodev-dark"; - }; - - engines = let - enable = name: { - name = name; - disabled = false; - }; - disable = name: { - name = name; - disabled = true; - }; - in [ - /* General */ - (disable "bing") - /* --- */ - (enable "archive is") - (enable "wikipedia") - (enable "currency") - (enable "ddg definitions") - (enable "erowid") - (enable "wikidata") - (enable "duckduckgo") - (enable "etymonline") - (enable "google") - (enable "library genesis") - (enable "qwant") - (enable "reddit") - (enable "wikibooks") - (enable "wikiquote") - (enable "wikisource") - (enable "wiktionary") - (enable "wikiversity") - # Doesn't work at the time - # (enable "wikivoyage") - (enable "dictzone") - - /* Files */ - # (disable "btdigg") - (disable "piratebay") - (disable "torrentz") - /* --- */ - (enable "apk mirror") - (enable "fdroid") - (enable "google play apps") - (enable "nyaa") - (enable "tokyotoshokan") - - /* Images */ - (disable "bing images") - (disable "ccengine") - (disable "flickr") - (disable "library of congress") - /* --- */ - (enable "deviantart") - (enable "google images") - (enable "nyaa") - # (enable "reddit") - (enable "qwant images") - (enable "unsplash") - - /* IT */ - (enable "arch linux wiki") - (enable "bitbucket") - (enable "free software directory") - (enable "gentoo") - (enable "gitlab") - (enable "github") - (enable "codeberg") - (enable "hoogle") - (enable "npm") - (enable "stackoverflow") - (enable "searchcode code") - - /* map */ - (enable "openstreetmap") - (enable "photon") - - /* music */ - (disable "btdigg") - /* --- */ - (enable "deezer") - (enable "genius") - (enable "mixcloud") - # 
(enable "nyaa") - (enable "soundcloud") - # (enable "tokyotoshokan") - (enable "youtube") - - /* news */ - (disable "bing news") - (disable "digg") - (disable "yahoo news") - /* --- */ - (enable "google news") - (enable "qwant news") - # (enable "reddit") - (enable "wikinews") - - /* science */ - (enable "arxiv") - (enable "crossref") - (enable "google scholar") - (enable "microsoft academic") - (enable "openairedatasets") - (enable "openairepublications") - (enable "pdbe") - (enable "pubmed") - (enable "semantic scholar") - (enable "wolframalpha") - - /* social media */ - # (disable "digg") - # (enable "reddit") - - /* shopping */ - # (enable "ebay") - - /* videos */ - (disable "bing videos") - # (disable "piratebay") - (disable "sepiasearch") - (disable "dailymotion") - (disable "mediathekviewweb") - /* --- */ - (enable "google videos") - # (enable "nyaa") - # (enable "tokyotoshokan") - # (enable "youtube") - (enable "vimeo") - (enable "peertube") - ]; - }; - - # runInUwsgi = true; - # uwsgiConfig = { - # disable-logging = false; - # http = ":11000"; - # socket = "/run/searx/searx.sock"; - # }; - }; -} diff --git a/hosts/tsuki/services/syncthing.todo.nix b/hosts/tsuki/services/syncthing.todo.nix deleted file mode 100644 index e69de29..0000000