oysteikt/nix-dotfiles
oysteikt
/
nix-dotfiles
2
1
Fork 0
Code Issues Pull Requests Activity

tsuki: remove a lot of unused services 

Removed:
- dokuwiki (this was never properly set up)
- libvirt (this is already a virtual machine, double virtualization bad)
- openldap (this will become the responsibility of keycloak)
- openvpn (this will become the responsibility of head/tailscale)
- samba (this is now the responsibility of TrueNAS)
- searx (I never used this)
- gitlab (this has become the responsibility of gitea and hydra)
- syncthing (this was never properly set up)

The nix cache nginx entry is also paused, as it wasn't functional.

In this commit and the previous commit, the nginx config for the
minecraft server was also taken down, as the whole host is deleted.
The plan is to set it up again, this time using tsuki.
This commit is contained in:
Oystein Kristoffer Tveit 2023-01-03 22:52:24 +01:00
parent 3d088d73be
commit aea736c2df
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
12 changed files with 2 additions and 557 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hosts/tsuki/configuration.nix
View File

@ -4,24 +4,16 @@
./hardware-configuration.nix ./hardware-configuration.nix
# ./services/calibre.nix # ./services/calibre.nix
# ./services/dokuwiki.nix
./services/gitea ./services/gitea
# ./services/gitlab
./services/grafana ./services/grafana
./services/hydra.nix ./services/hydra.nix
# ./services/jitsi.nix # ./services/jitsi.nix
./services/jupyter.nix ./services/jupyter.nix
# ./services/keycloak.nix # ./services/keycloak.nix
# ./services/libvirt.nix
./services/matrix ./services/matrix
./services/nginx ./services/nginx
# ./services/openldap.nix
# ./services/openvpn.nix
./services/plex.nix ./services/plex.nix
./services/postgres.nix ./services/postgres.nix
./services/samba.nix
./services/searx.nix
# ./services/syncthing.nix
./services/vscode-server.nix ./services/vscode-server.nix
]; ];

9
hosts/tsuki/services/dokuwiki.todo.nix
View File

@ -1,9 +0,0 @@
{ ... }:
{
services.dokuwiki.sites = {
# TODO: research?
wiki = {
enable = false;
};
};
}

94
hosts/tsuki/services/gitlab/default.nix
View File

@ -1,94 +0,0 @@
{ pkgs, lib, config, secrets, ... }:
let
gitlab-port = secrets.ports.gitlab;
gitlab-host = "gitlab.nani.wtf";
# TODO: this should optimally be extracted out to nix-secrets completely.
gitlab-keydir = secrets.hosts.${config.networking.hostName}.keydir + "/gitlab";
in
{
# TODO: Set up gitlab-runner
# imports = [ ./runner.nix ];
services.gitlab = {
enable = false;
host = gitlab-host;
port = gitlab-port + 1;
user = "gitlab";
group = "gitlab";
databaseUsername = "gitlab";
statePath = "${secrets.hosts.${config.networking.hostName}.dataStatePath}/gitlab";
# A file containing the initial password of the root gitlab-account.
# This file should be readable to the user defined in `services.gitlab.user`,
# optimally having only read write permissions for that user.
initialRootPasswordFile = secrets.keys.gitlab.root_password;
secrets = { inherit (secrets.keys.gitlab) secretFile dbFile otpFile jwsFile; };
# TODO: Activate GitLabs Prometheus service
# extraGitlabRb = ''
# prometheus['enabled'] = true
# prometheus['server_address'] = '0.0.0.0:10392'
# '';
smtp = {
tls = true;
# address = gitlab-host;
port = gitlab-port + 2;
};
# TODO: Set up registry
# registry = {
# enable = true;
# # host = gitlab-host;
# port = gitlab-port + 3;
# externalPort = gitlab-port + 3;
# certFile = /var/cert.pem;
# keyFile = /var/key.pem;
# };
pagesExtraArgs = [
"-gitlab-server" "http://${gitlab-host}"
"-listen-proxy" "127.0.0.1:${toString (gitlab-port + 4)}"
"-log-format" "text"
];
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gitlab.nix
# https://gitlab.com/gitlab-org/gitlab/blob/master/config/gitlab.yml.example
extraConfig = {
# gitlab = {};
gravatar.enabled = false;
# TODO: Fix pages API connection
# pages = {
# enabled = true;
# host = gitlab-host;
# secret_file = "${toString gitlab-keydir}/pages_secret";
# local_store.enabled = true;
# };
};
};
# TODO: Set up registry
# services.dockerRegistry = {
# enable = true;
# };
# TODO: Connect plantuml to gitlab
services.plantuml-server = {
enable = true;
listenPort = gitlab-port + 5;
};
# TODO: Make module for kroki, and connect to gitlab
# services.kroki = {
#
# };
}

25
hosts/tsuki/services/gitlab/genfiles.sh
View File

@ -1,25 +0,0 @@
#!/usr/bin/env bash
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit 1
fi
KEYDIR='/var/keys/gitlab'
umask u=rwx,g=,o=
mkdir -p $KEYDIR
chmod 755 '/var/keys'
for FILE in secretFile dbFile otpFile pages_secret; do
tr -dc A-Za-z0-9 < /dev/random | head -c 128 > $KEYDIR/$FILE
done
nix-shell -p openssl --run "openssl genrsa 2048 > $KEYDIR/jwsFile"
chmod 600 $KEYDIR/jwsFile
read -s -p "Root password: " ROOTPASS
echo $ROOTPASS > $KEYDIR/root_password
chown -R git:git $KEYDIR

51
hosts/tsuki/services/gitlab/runner.nix
View File

@ -1,51 +0,0 @@
{ ... }:
{
# See https://nixos.wiki/wiki/Gitlab_runner
# boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
# virtualisation.docker.enable = true;
# services.gitlab-runner = {
# enable = true;
# services= {
# # runner for building in docker via host's nix-daemon
# # nix store will be readable in runner, might be insecure
# nix = with lib;{
# # File should contain at least these two variables:
# # `CI_SERVER_URL`
# # `REGISTRATION_TOKEN`
# registrationConfigFile = toString ./path/to/ci-env; # 2
# dockerImage = "alpine";
# dockerVolumes = [
# "/nix/store:/nix/store:ro"
# "/nix/var/nix/db:/nix/var/nix/db:ro"
# "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
# ];
# dockerDisableCache = true;
# preBuildScript = pkgs.writeScript "setup-container" ''
# mkdir -p -m 0755 /nix/var/log/nix/drvs
# mkdir -p -m 0755 /nix/var/nix/gcroots
# mkdir -p -m 0755 /nix/var/nix/profiles
# mkdir -p -m 0755 /nix/var/nix/temproots
# mkdir -p -m 0755 /nix/var/nix/userpool
# mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
# mkdir -p -m 1777 /nix/var/nix/profiles/per-user
# mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
# mkdir -p -m 0700 "$HOME/.nix-defexpr"
# . ${pkgs.nix}/etc/profile.d/nix.sh
# ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3
# ${pkgs.nix}/bin/nix-channel --update nixpkgs
# ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
# '';
# environmentVariables = {
# ENV = "/etc/profile";
# USER = "root";
# NIX_REMOTE = "daemon";
# PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
# NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
# };
# tagList = [ "nix" ];
# };
# };
# };
}

0
hosts/tsuki/services/libvirt.todo.nix
View File

10
hosts/tsuki/services/nginx/default.nix
View File

@ -94,16 +94,12 @@
(host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; }) (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
(proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {}) (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
(host ["madmin"] { root = "${pkgs.synapse-admin}/"; }) (host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
(host ["cache"] { root = "/var/lib/nix-cache"; }) # (host ["cache"] { root = "/var/lib/nix-cache"; })
(proxy ["git"] "http://localhost:${s ports.gitea}" {}) (proxy ["git"] "http://localhost:${s ports.gitea}" {})
(proxy ["px1"] "https://${ips.px1}:${s ports.proxmox}" { (proxy ["px1"] "https://${ips.px1}:${s ports.proxmox}" {
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
}) })
(proxy ["idrac"] "https://${ips.idrac}" {}) (proxy ["idrac"] "https://${ips.idrac}" {})
(proxy ["searx"] "http://localhost:${s ports.searx}" {})
(proxy ["dyn"] "http://${ips.crafty}:${s ports.dynmap}" {
# basicAuthFile = keys.htpasswds.default;
})
(proxy ["log"] "http://localhost:${s ports.grafana}" { (proxy ["log"] "http://localhost:${s ports.grafana}" {
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
}) })
@ -116,7 +112,7 @@
] ++ (let ] ++ (let
stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix { stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix {
inherit (inputs) maunium-stickerpicker; inherit (inputs) maunium-stickerpicker;
}; };
in [ in [
(host ["stickers-pingu"] { root = "${stickerpickers.stickers-pingu}/"; }) (host ["stickers-pingu"] { root = "${stickerpickers.stickers-pingu}/"; })
(host ["stickers-h7x4"] { root = "${stickerpickers.stickers-h7x4}/"; }) (host ["stickers-h7x4"] { root = "${stickerpickers.stickers-h7x4}/"; })
@ -126,7 +122,5 @@
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
443 443
# secrets.ports.openvpn
ports.minecraft
]; ];
} }

74
hosts/tsuki/services/openldap.todo.nix
View File

@ -1,74 +0,0 @@
{ pkgs, ... }:
{
services.openldap = {
enable = true;
# dataDir = "${config.machineVars.dataDrives.default}/var/openldap";
urlList = [ "ldap:///" "ldapi:///" ]; # Add ldaps to this list to listen with SSL (requires configured certificates)
# suffix = "dc=nixos,dc=org";
# rootdn = "cn=admin,dc=nixos,dc=org";
# rootpwFile = "/var/keys/ldap/rootpw";
# See https://www.openldap.org/doc/admin24/slapdconfig.html
# extraDatabaseConfig = ''
# access to dn.base="dc=nixos,dc=org" by * read
# # Add your own ACLs here…
# # Drop everything that wasn't handled by previous ACLs:
# access to * by * none
# index objectClass eq
# index uid eq
# index mail sub
# # Accelerates replication if you use it
# index entryCSN eq
# index entryUUID eq
# '';
settings = {
attrs.olcLogLevel = [ "stats" ];
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={-1}frontend" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{-1}frontend";
olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
};
};
"olcDatabase={0}config" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{0}config";
olcAccess = [ "{0}to * by * none break" ];
};
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/data/var/openldap/db";
olcDbIndex = [
"objectClass eq"
"cn pres,eq"
"uid pres,eq"
"sn pres,eq,subany"
];
olcSuffix = "dc=example,dc=com";
olcAccess = [ "{0}to * by * read break" ];
};
};
};
};
# Setting this causes OpenLDAP to drop the entire database on startup and write the contents of
# of this LDIF string into the database. This ensures that only nix-managed content is found in the
# database. Note that if a lot of entries are created in conjunction with a lot of indexes, this might hurt
# startup performance.
# Also, you can set `readonly on` in `extraDatabaseConfig` to ensure nobody writes data that will be
# lost.
# declarativeContents = "…";
};
}

53
hosts/tsuki/services/openvpn.nix
View File

@ -1,53 +0,0 @@
{ config, pkgs, secrets, ... }:
let
inherit (secrets) ips ports;
in {
services = {
openvpn.servers = let
inherit (secrets.keys.certificates) openvpn CA server;
inherit (secrets.openvpn) ip-range;
in {
tsuki = {
config = ''
dev tap
server-bridge ${ips.tsuki} 255.255.255.0 ${ip-range.start} ${ip-range.end}
local 0.0.0.0
port ${toString ports.openvpn}
user nobody
group nogroup
comp-lzo no
push 'comp-lzo no'
persist-key
persist-tun
keepalive 10 120
topology subnet
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
dh none
ecdh-curve prime256v1
tls-crypt ${openvpn.tls-crypt}
ca ${CA.crt}
cert ${server.crt}
key ${server.key}
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/openvpn/status.log
verb 3
'';
autoStart = false;
updateResolvConf = true;
};
};
};
networking.firewall = {
allowedUDPPorts = [ ports.openvpn ];
allowedTCPPorts = [ ports.openvpn ];
};
# networking.bridges.br0.interfaces = [ "tap0" "ens18" ];
}

73
hosts/tsuki/services/samba.nix
View File

@ -1,73 +0,0 @@
{ config, ... }:
{
services.samba = {
enable = true;
openFirewall = true;
securityType = "user";
extraConfig = ''
workgroup = TSUKI
server string = smbnix
netbios name = smbnix
security = user
use sendfile = yes
min protocol = SMB2
smb encrypt = desired
# note: localhost is the ipv6 localhost ::1
hosts allow = 10.0.0. 127.0.0.1 localhost
hosts deny = 0.0.0.0/0
guest ok = no
map to guest = never
'';
shares = {
media = {
"path" = "${config.machineVars.dataDrives.default}/media";
"read only" = false;
"browseable" = "yes";
"guest ok" = "no";
"force group" = "media";
"create mask" = "0644";
"directory mask" = "0755";
"comment" = "Pictures, music, videos, etc.";
};
momiji = {
"path" = config.machineVars.dataDrives.drives.momiji;
"read only" = false;
"browseable" = "yes";
"guest ok" = "no";
"valid users" = "h7x4";
"create mask" = "0644";
"directory mask" = "0755";
"comment" = "Momiji data drive.";
};
cirno = {
"path" = config.machineVars.dataDrives.drives.cirno;
"read only" = false;
"browseable" = "yes";
"guest ok" = "no";
"valid users" = "h7x4";
"create mask" = "0644";
"directory mask" = "0755";
"comment" = "Cirno data drive.";
};
home = {
"path" = config.users.users.h7x4.home;
"read only" = false;
"browseable" = "yes";
"guest ok" = "no";
"valid users" = "h7x4";
"create mask" = "0644";
"directory mask" = "0755";
"comment" = "Home directory.";
};
};
};
}

162
hosts/tsuki/services/searx.nix
View File

@ -1,162 +0,0 @@
{ secrets, ... }:
{
# TODO: Make secret keys.
services.searx = {
enable = true;
settings = {
general = {
debug = false;
instance_name = "Searx";
};
server = {
port = secrets.ports.searx;
bind_address = "0.0.0.0";
secret_key = secrets.keys.searx.key;
};
ui = {
default_theme = "oscar";
theme_args.oscar_style = "logicodev-dark";
};
engines = let
enable = name: {
name = name;
disabled = false;
};
disable = name: {
name = name;
disabled = true;
};
in [
/* General */
(disable "bing")
/* --- */
(enable "archive is")
(enable "wikipedia")
(enable "currency")
(enable "ddg definitions")
(enable "erowid")
(enable "wikidata")
(enable "duckduckgo")
(enable "etymonline")
(enable "google")
(enable "library genesis")
(enable "qwant")
(enable "reddit")
(enable "wikibooks")
(enable "wikiquote")
(enable "wikisource")
(enable "wiktionary")
(enable "wikiversity")
# Doesn't work at the time
# (enable "wikivoyage")
(enable "dictzone")
/* Files */
# (disable "btdigg")
(disable "piratebay")
(disable "torrentz")
/* --- */
(enable "apk mirror")
(enable "fdroid")
(enable "google play apps")
(enable "nyaa")
(enable "tokyotoshokan")
/* Images */
(disable "bing images")
(disable "ccengine")
(disable "flickr")
(disable "library of congress")
/* --- */
(enable "deviantart")
(enable "google images")
(enable "nyaa")
# (enable "reddit")
(enable "qwant images")
(enable "unsplash")
/* IT */
(enable "arch linux wiki")
(enable "bitbucket")
(enable "free software directory")
(enable "gentoo")
(enable "gitlab")
(enable "github")
(enable "codeberg")
(enable "hoogle")
(enable "npm")
(enable "stackoverflow")
(enable "searchcode code")
/* map */
(enable "openstreetmap")
(enable "photon")
/* music */
(disable "btdigg")
/* --- */
(enable "deezer")
(enable "genius")
(enable "mixcloud")
# (enable "nyaa")
(enable "soundcloud")
# (enable "tokyotoshokan")
(enable "youtube")
/* news */
(disable "bing news")
(disable "digg")
(disable "yahoo news")
/* --- */
(enable "google news")
(enable "qwant news")
# (enable "reddit")
(enable "wikinews")
/* science */
(enable "arxiv")
(enable "crossref")
(enable "google scholar")
(enable "microsoft academic")
(enable "openairedatasets")
(enable "openairepublications")
(enable "pdbe")
(enable "pubmed")
(enable "semantic scholar")
(enable "wolframalpha")
/* social media */
# (disable "digg")
# (enable "reddit")
/* shopping */
# (enable "ebay")
/* videos */
(disable "bing videos")
# (disable "piratebay")
(disable "sepiasearch")
(disable "dailymotion")
(disable "mediathekviewweb")
/* --- */
(enable "google videos")
# (enable "nyaa")
# (enable "tokyotoshokan")
# (enable "youtube")
(enable "vimeo")
(enable "peertube")
];
};
# runInUwsgi = true;
# uwsgiConfig = {
# disable-logging = false;
# http = ":11000";
# socket = "/run/searx/searx.sock";
# };
};
}

0
hosts/tsuki/services/syncthing.todo.nix
View File