tsuki: remove a lot of unused services
Removed: - dokuwiki (this was never properly set up) - libvirt (this is already a virtual machine, double virtualization bad) - openldap (this will become the responsibility of keycloak) - openvpn (this will become the responsibility of head/tailscale) - samba (this is now the responsibility of TrueNAS) - searx (I never used this) - gitlab (this has become the responsibility of gitea and hydra) - syncthing (this was never properly set up) The nix cache nginx entry is also paused, as it wasn't functional. In this commit and the previous commit, the nginx config for the minecraft server was also taken down, as the whole host is deleted. The plan is to set it up again, this time using tsuki.
parent
3d088d73be
commit
aea736c2df
|
@ -4,24 +4,16 @@
|
|||
./hardware-configuration.nix
|
||||
|
||||
# ./services/calibre.nix
|
||||
# ./services/dokuwiki.nix
|
||||
./services/gitea
|
||||
# ./services/gitlab
|
||||
./services/grafana
|
||||
./services/hydra.nix
|
||||
# ./services/jitsi.nix
|
||||
./services/jupyter.nix
|
||||
# ./services/keycloak.nix
|
||||
# ./services/libvirt.nix
|
||||
./services/matrix
|
||||
./services/nginx
|
||||
# ./services/openldap.nix
|
||||
# ./services/openvpn.nix
|
||||
./services/plex.nix
|
||||
./services/postgres.nix
|
||||
./services/samba.nix
|
||||
./services/searx.nix
|
||||
# ./services/syncthing.nix
|
||||
./services/vscode-server.nix
|
||||
];
|
||||
|
||||
|
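Review bot: The imports list now mixes two conventions for "not imported": the eight service modules this commit drops are deleted outright, while `# ./services/calibre.nix`, `# ./services/jitsi.nix` and `# ./services/keycloak.nix` appear to survive as commented-out entries (the rendering has lost the +/- markers, so this is inferred from the 24→16 line counts). Since git history already records the removed modules, either delete the remaining commented entries too or mark them once with a comment such as `# planned but not yet configured:` so a reader knows they are intentional placeholders rather than leftovers. Note also that the commit message names keycloak as the successor of openldap, yet `# ./services/keycloak.nix` stays disabled here, so no directory service is configured on this host after the change.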
|
|
@ -1,9 +0,0 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.dokuwiki.sites = {
|
||||
# TODO: research?
|
||||
wiki = {
|
||||
enable = false;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,94 +0,0 @@
|
|||
{ pkgs, lib, config, secrets, ... }:
|
||||
let
|
||||
gitlab-port = secrets.ports.gitlab;
|
||||
gitlab-host = "gitlab.nani.wtf";
|
||||
|
||||
# TODO: this should optimally be extracted out to nix-secrets completely.
|
||||
gitlab-keydir = secrets.hosts.${config.networking.hostName}.keydir + "/gitlab";
|
||||
in
|
||||
{
|
||||
# TODO: Set up gitlab-runner
|
||||
# imports = [ ./runner.nix ];
|
||||
|
||||
services.gitlab = {
|
||||
enable = false;
|
||||
|
||||
host = gitlab-host;
|
||||
port = gitlab-port + 1;
|
||||
|
||||
user = "gitlab";
|
||||
group = "gitlab";
|
||||
|
||||
databaseUsername = "gitlab";
|
||||
|
||||
statePath = "${secrets.hosts.${config.networking.hostName}.dataStatePath}/gitlab";
|
||||
|
||||
# A file containing the initial password of the root gitlab-account.
|
||||
# This file should be readable to the user defined in `services.gitlab.user`,
|
||||
# optimally having only read write permissions for that user.
|
||||
initialRootPasswordFile = secrets.keys.gitlab.root_password;
|
||||
|
||||
secrets = { inherit (secrets.keys.gitlab) secretFile dbFile otpFile jwsFile; };
|
||||
|
||||
|
||||
# TODO: Activate GitLabs Prometheus service
|
||||
# extraGitlabRb = ''
|
||||
# prometheus['enabled'] = true
|
||||
# prometheus['server_address'] = '0.0.0.0:10392'
|
||||
# '';
|
||||
|
||||
smtp = {
|
||||
tls = true;
|
||||
# address = gitlab-host;
|
||||
port = gitlab-port + 2;
|
||||
};
|
||||
|
||||
# TODO: Set up registry
|
||||
# registry = {
|
||||
# enable = true;
|
||||
# # host = gitlab-host;
|
||||
# port = gitlab-port + 3;
|
||||
# externalPort = gitlab-port + 3;
|
||||
# certFile = /var/cert.pem;
|
||||
# keyFile = /var/key.pem;
|
||||
# };
|
||||
|
||||
pagesExtraArgs = [
|
||||
"-gitlab-server" "http://${gitlab-host}"
|
||||
"-listen-proxy" "127.0.0.1:${toString (gitlab-port + 4)}"
|
||||
"-log-format" "text"
|
||||
];
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gitlab.nix
|
||||
# https://gitlab.com/gitlab-org/gitlab/blob/master/config/gitlab.yml.example
|
||||
extraConfig = {
|
||||
# gitlab = {};
|
||||
gravatar.enabled = false;
|
||||
|
||||
# TODO: Fix pages API connection
|
||||
# pages = {
|
||||
# enabled = true;
|
||||
# host = gitlab-host;
|
||||
# secret_file = "${toString gitlab-keydir}/pages_secret";
|
||||
# local_store.enabled = true;
|
||||
# };
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
# TODO: Set up registry
|
||||
# services.dockerRegistry = {
|
||||
# enable = true;
|
||||
# };
|
||||
|
||||
# TODO: Connect plantuml to gitlab
|
||||
services.plantuml-server = {
|
||||
enable = true;
|
||||
listenPort = gitlab-port + 5;
|
||||
};
|
||||
|
||||
# TODO: Make module for kroki, and connect to gitlab
|
||||
# services.kroki = {
|
||||
#
|
||||
# };
|
||||
}
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Please run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
KEYDIR='/var/keys/gitlab'
|
||||
|
||||
umask u=rwx,g=,o=
|
||||
|
||||
mkdir -p $KEYDIR
|
||||
chmod 755 '/var/keys'
|
||||
|
||||
for FILE in secretFile dbFile otpFile pages_secret; do
|
||||
tr -dc A-Za-z0-9 < /dev/random | head -c 128 > $KEYDIR/$FILE
|
||||
done
|
||||
|
||||
nix-shell -p openssl --run "openssl genrsa 2048 > $KEYDIR/jwsFile"
|
||||
chmod 600 $KEYDIR/jwsFile
|
||||
|
||||
read -s -p "Root password: " ROOTPASS
|
||||
echo $ROOTPASS > $KEYDIR/root_password
|
||||
|
||||
chown -R git:git $KEYDIR
|
|
@ -1,51 +0,0 @@
|
|||
{ ... }:
|
||||
{
|
||||
|
||||
# See https://nixos.wiki/wiki/Gitlab_runner
|
||||
# boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
|
||||
# virtualisation.docker.enable = true;
|
||||
# services.gitlab-runner = {
|
||||
# enable = true;
|
||||
# services= {
|
||||
# # runner for building in docker via host's nix-daemon
|
||||
# # nix store will be readable in runner, might be insecure
|
||||
# nix = with lib;{
|
||||
# # File should contain at least these two variables:
|
||||
# # `CI_SERVER_URL`
|
||||
# # `REGISTRATION_TOKEN`
|
||||
# registrationConfigFile = toString ./path/to/ci-env; # 2
|
||||
# dockerImage = "alpine";
|
||||
# dockerVolumes = [
|
||||
# "/nix/store:/nix/store:ro"
|
||||
# "/nix/var/nix/db:/nix/var/nix/db:ro"
|
||||
# "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
|
||||
# ];
|
||||
# dockerDisableCache = true;
|
||||
# preBuildScript = pkgs.writeScript "setup-container" ''
|
||||
# mkdir -p -m 0755 /nix/var/log/nix/drvs
|
||||
# mkdir -p -m 0755 /nix/var/nix/gcroots
|
||||
# mkdir -p -m 0755 /nix/var/nix/profiles
|
||||
# mkdir -p -m 0755 /nix/var/nix/temproots
|
||||
# mkdir -p -m 0755 /nix/var/nix/userpool
|
||||
# mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
|
||||
# mkdir -p -m 1777 /nix/var/nix/profiles/per-user
|
||||
# mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
|
||||
# mkdir -p -m 0700 "$HOME/.nix-defexpr"
|
||||
# . ${pkgs.nix}/etc/profile.d/nix.sh
|
||||
# ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3
|
||||
# ${pkgs.nix}/bin/nix-channel --update nixpkgs
|
||||
# ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
|
||||
# '';
|
||||
# environmentVariables = {
|
||||
# ENV = "/etc/profile";
|
||||
# USER = "root";
|
||||
# NIX_REMOTE = "daemon";
|
||||
# PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
|
||||
# NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
|
||||
# };
|
||||
# tagList = [ "nix" ];
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
}
|
|
@ -94,16 +94,12 @@
|
|||
(host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
|
||||
(proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
|
||||
(host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
|
||||
(host ["cache"] { root = "/var/lib/nix-cache"; })
|
||||
# (host ["cache"] { root = "/var/lib/nix-cache"; })
|
||||
(proxy ["git"] "http://localhost:${s ports.gitea}" {})
|
||||
(proxy ["px1"] "https://${ips.px1}:${s ports.proxmox}" {
|
||||
locations."/".proxyWebsockets = true;
|
||||
})
|
||||
(proxy ["idrac"] "https://${ips.idrac}" {})
|
||||
(proxy ["searx"] "http://localhost:${s ports.searx}" {})
|
||||
(proxy ["dyn"] "http://${ips.crafty}:${s ports.dynmap}" {
|
||||
# basicAuthFile = keys.htpasswds.default;
|
||||
})
|
||||
(proxy ["log"] "http://localhost:${s ports.grafana}" {
|
||||
locations."/".proxyWebsockets = true;
|
||||
})
|
||||
|
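Review bot: The `dyn` proxy to `http://${ips.crafty}:${s ports.dynmap}` appears to remain on the new side with its `# basicAuthFile = keys.htpasswds.default;` line still commented out; the commit message says the minecraft host was deleted, so this vhost now points at a dead upstream and, when the server is rebuilt on tsuki, will be served without any authentication unless that line is restored. Either remove the entry together with the rest of the minecraft nginx config, or re-enable `basicAuthFile = keys.htpasswds.default;` before the upstream comes back. The markers are lost in this rendering, so this assumes the `dyn` block is not among the net deletions in this hunk.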
@ -126,7 +122,5 @@
|
|||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
# secrets.ports.openvpn
|
||||
ports.minecraft
|
||||
];
|
||||
}
|
||||
|
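Review bot: `# secrets.ports.openvpn` is left as a commented-out entry in `networking.firewall.allowedTCPPorts` even though this commit deletes the openvpn module and hands VPN duty to tailscale; a dormant allow-rule in a firewall list is easy to uncomment later without the service behind it, and it no longer documents anything that is exposed. Delete the line so the list states exactly what is open (80 and 443 once `ports.minecraft` is gone). The rendering has lost its +/- markers, so this assumes the commented line is on the new side rather than among the deletions.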
|
|
@ -1,74 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
services.openldap = {
|
||||
enable = true;
|
||||
# dataDir = "${config.machineVars.dataDrives.default}/var/openldap";
|
||||
urlList = [ "ldap:///" "ldapi:///" ]; # Add ldaps to this list to listen with SSL (requires configured certificates)
|
||||
# suffix = "dc=nixos,dc=org";
|
||||
# rootdn = "cn=admin,dc=nixos,dc=org";
|
||||
# rootpwFile = "/var/keys/ldap/rootpw";
|
||||
# See https://www.openldap.org/doc/admin24/slapdconfig.html
|
||||
# extraDatabaseConfig = ''
|
||||
# access to dn.base="dc=nixos,dc=org" by * read
|
||||
# # Add your own ACLs here…
|
||||
|
||||
# # Drop everything that wasn't handled by previous ACLs:
|
||||
# access to * by * none
|
||||
|
||||
# index objectClass eq
|
||||
# index uid eq
|
||||
# index mail sub
|
||||
# # Accelerates replication if you use it
|
||||
# index entryCSN eq
|
||||
# index entryUUID eq
|
||||
# '';
|
||||
|
||||
settings = {
|
||||
attrs.olcLogLevel = [ "stats" ];
|
||||
children = {
|
||||
"cn=schema".includes = [
|
||||
"${pkgs.openldap}/etc/schema/core.ldif"
|
||||
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||
];
|
||||
"olcDatabase={-1}frontend" = {
|
||||
attrs = {
|
||||
objectClass = "olcDatabaseConfig";
|
||||
olcDatabase = "{-1}frontend";
|
||||
olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
|
||||
};
|
||||
};
|
||||
"olcDatabase={0}config" = {
|
||||
attrs = {
|
||||
objectClass = "olcDatabaseConfig";
|
||||
olcDatabase = "{0}config";
|
||||
olcAccess = [ "{0}to * by * none break" ];
|
||||
};
|
||||
};
|
||||
"olcDatabase={1}mdb" = {
|
||||
attrs = {
|
||||
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
||||
olcDatabase = "{1}mdb";
|
||||
olcDbDirectory = "/data/var/openldap/db";
|
||||
olcDbIndex = [
|
||||
"objectClass eq"
|
||||
"cn pres,eq"
|
||||
"uid pres,eq"
|
||||
"sn pres,eq,subany"
|
||||
];
|
||||
olcSuffix = "dc=example,dc=com";
|
||||
olcAccess = [ "{0}to * by * read break" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Setting this causes OpenLDAP to drop the entire database on startup and write the contents of
|
||||
# of this LDIF string into the database. This ensures that only nix-managed content is found in the
|
||||
# database. Note that if a lot of entries are created in conjunction with a lot of indexes, this might hurt
|
||||
# startup performance.
|
||||
# Also, you can set `readonly on` in `extraDatabaseConfig` to ensure nobody writes data that will be
|
||||
# lost.
|
||||
# declarativeContents = "…";
|
||||
};
|
||||
}
|
|
@ -1,53 +0,0 @@
|
|||
{ config, pkgs, secrets, ... }:
|
||||
let
|
||||
inherit (secrets) ips ports;
|
||||
in {
|
||||
services = {
|
||||
openvpn.servers = let
|
||||
inherit (secrets.keys.certificates) openvpn CA server;
|
||||
inherit (secrets.openvpn) ip-range;
|
||||
in {
|
||||
tsuki = {
|
||||
config = ''
|
||||
dev tap
|
||||
server-bridge ${ips.tsuki} 255.255.255.0 ${ip-range.start} ${ip-range.end}
|
||||
local 0.0.0.0
|
||||
port ${toString ports.openvpn}
|
||||
user nobody
|
||||
group nogroup
|
||||
comp-lzo no
|
||||
push 'comp-lzo no'
|
||||
persist-key
|
||||
persist-tun
|
||||
keepalive 10 120
|
||||
topology subnet
|
||||
push "dhcp-option DNS 1.1.1.1"
|
||||
push "dhcp-option DNS 8.8.8.8"
|
||||
dh none
|
||||
ecdh-curve prime256v1
|
||||
tls-crypt ${openvpn.tls-crypt}
|
||||
ca ${CA.crt}
|
||||
cert ${server.crt}
|
||||
key ${server.key}
|
||||
auth SHA256
|
||||
cipher AES-128-GCM
|
||||
ncp-ciphers AES-128-GCM
|
||||
tls-server
|
||||
tls-version-min 1.2
|
||||
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
|
||||
status /var/openvpn/status.log
|
||||
verb 3
|
||||
'';
|
||||
autoStart = false;
|
||||
updateResolvConf = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedUDPPorts = [ ports.openvpn ];
|
||||
allowedTCPPorts = [ ports.openvpn ];
|
||||
};
|
||||
|
||||
# networking.bridges.br0.interfaces = [ "tap0" "ens18" ];
|
||||
}
|
|
@ -1,73 +0,0 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
services.samba = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
securityType = "user";
|
||||
|
||||
extraConfig = ''
|
||||
workgroup = TSUKI
|
||||
server string = smbnix
|
||||
netbios name = smbnix
|
||||
|
||||
security = user
|
||||
|
||||
use sendfile = yes
|
||||
min protocol = SMB2
|
||||
smb encrypt = desired
|
||||
|
||||
# note: localhost is the ipv6 localhost ::1
|
||||
hosts allow = 10.0.0. 127.0.0.1 localhost
|
||||
hosts deny = 0.0.0.0/0
|
||||
|
||||
guest ok = no
|
||||
map to guest = never
|
||||
'';
|
||||
|
||||
shares = {
|
||||
media = {
|
||||
"path" = "${config.machineVars.dataDrives.default}/media";
|
||||
"read only" = false;
|
||||
"browseable" = "yes";
|
||||
"guest ok" = "no";
|
||||
"force group" = "media";
|
||||
"create mask" = "0644";
|
||||
"directory mask" = "0755";
|
||||
"comment" = "Pictures, music, videos, etc.";
|
||||
};
|
||||
|
||||
momiji = {
|
||||
"path" = config.machineVars.dataDrives.drives.momiji;
|
||||
"read only" = false;
|
||||
"browseable" = "yes";
|
||||
"guest ok" = "no";
|
||||
"valid users" = "h7x4";
|
||||
"create mask" = "0644";
|
||||
"directory mask" = "0755";
|
||||
"comment" = "Momiji data drive.";
|
||||
};
|
||||
|
||||
cirno = {
|
||||
"path" = config.machineVars.dataDrives.drives.cirno;
|
||||
"read only" = false;
|
||||
"browseable" = "yes";
|
||||
"guest ok" = "no";
|
||||
"valid users" = "h7x4";
|
||||
"create mask" = "0644";
|
||||
"directory mask" = "0755";
|
||||
"comment" = "Cirno data drive.";
|
||||
};
|
||||
|
||||
home = {
|
||||
"path" = config.users.users.h7x4.home;
|
||||
"read only" = false;
|
||||
"browseable" = "yes";
|
||||
"guest ok" = "no";
|
||||
"valid users" = "h7x4";
|
||||
"create mask" = "0644";
|
||||
"directory mask" = "0755";
|
||||
"comment" = "Home directory.";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,162 +0,0 @@
|
|||
{ secrets, ... }:
|
||||
{
|
||||
# TODO: Make secret keys.
|
||||
services.searx = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
||||
general = {
|
||||
debug = false;
|
||||
instance_name = "Searx";
|
||||
};
|
||||
|
||||
server = {
|
||||
port = secrets.ports.searx;
|
||||
bind_address = "0.0.0.0";
|
||||
secret_key = secrets.keys.searx.key;
|
||||
};
|
||||
|
||||
ui = {
|
||||
default_theme = "oscar";
|
||||
theme_args.oscar_style = "logicodev-dark";
|
||||
};
|
||||
|
||||
engines = let
|
||||
enable = name: {
|
||||
name = name;
|
||||
disabled = false;
|
||||
};
|
||||
disable = name: {
|
||||
name = name;
|
||||
disabled = true;
|
||||
};
|
||||
in [
|
||||
/* General */
|
||||
(disable "bing")
|
||||
/* --- */
|
||||
(enable "archive is")
|
||||
(enable "wikipedia")
|
||||
(enable "currency")
|
||||
(enable "ddg definitions")
|
||||
(enable "erowid")
|
||||
(enable "wikidata")
|
||||
(enable "duckduckgo")
|
||||
(enable "etymonline")
|
||||
(enable "google")
|
||||
(enable "library genesis")
|
||||
(enable "qwant")
|
||||
(enable "reddit")
|
||||
(enable "wikibooks")
|
||||
(enable "wikiquote")
|
||||
(enable "wikisource")
|
||||
(enable "wiktionary")
|
||||
(enable "wikiversity")
|
||||
# Doesn't work at the time
|
||||
# (enable "wikivoyage")
|
||||
(enable "dictzone")
|
||||
|
||||
/* Files */
|
||||
# (disable "btdigg")
|
||||
(disable "piratebay")
|
||||
(disable "torrentz")
|
||||
/* --- */
|
||||
(enable "apk mirror")
|
||||
(enable "fdroid")
|
||||
(enable "google play apps")
|
||||
(enable "nyaa")
|
||||
(enable "tokyotoshokan")
|
||||
|
||||
/* Images */
|
||||
(disable "bing images")
|
||||
(disable "ccengine")
|
||||
(disable "flickr")
|
||||
(disable "library of congress")
|
||||
/* --- */
|
||||
(enable "deviantart")
|
||||
(enable "google images")
|
||||
(enable "nyaa")
|
||||
# (enable "reddit")
|
||||
(enable "qwant images")
|
||||
(enable "unsplash")
|
||||
|
||||
/* IT */
|
||||
(enable "arch linux wiki")
|
||||
(enable "bitbucket")
|
||||
(enable "free software directory")
|
||||
(enable "gentoo")
|
||||
(enable "gitlab")
|
||||
(enable "github")
|
||||
(enable "codeberg")
|
||||
(enable "hoogle")
|
||||
(enable "npm")
|
||||
(enable "stackoverflow")
|
||||
(enable "searchcode code")
|
||||
|
||||
/* map */
|
||||
(enable "openstreetmap")
|
||||
(enable "photon")
|
||||
|
||||
/* music */
|
||||
(disable "btdigg")
|
||||
/* --- */
|
||||
(enable "deezer")
|
||||
(enable "genius")
|
||||
(enable "mixcloud")
|
||||
# (enable "nyaa")
|
||||
(enable "soundcloud")
|
||||
# (enable "tokyotoshokan")
|
||||
(enable "youtube")
|
||||
|
||||
/* news */
|
||||
(disable "bing news")
|
||||
(disable "digg")
|
||||
(disable "yahoo news")
|
||||
/* --- */
|
||||
(enable "google news")
|
||||
(enable "qwant news")
|
||||
# (enable "reddit")
|
||||
(enable "wikinews")
|
||||
|
||||
/* science */
|
||||
(enable "arxiv")
|
||||
(enable "crossref")
|
||||
(enable "google scholar")
|
||||
(enable "microsoft academic")
|
||||
(enable "openairedatasets")
|
||||
(enable "openairepublications")
|
||||
(enable "pdbe")
|
||||
(enable "pubmed")
|
||||
(enable "semantic scholar")
|
||||
(enable "wolframalpha")
|
||||
|
||||
/* social media */
|
||||
# (disable "digg")
|
||||
# (enable "reddit")
|
||||
|
||||
/* shopping */
|
||||
# (enable "ebay")
|
||||
|
||||
/* videos */
|
||||
(disable "bing videos")
|
||||
# (disable "piratebay")
|
||||
(disable "sepiasearch")
|
||||
(disable "dailymotion")
|
||||
(disable "mediathekviewweb")
|
||||
/* --- */
|
||||
(enable "google videos")
|
||||
# (enable "nyaa")
|
||||
# (enable "tokyotoshokan")
|
||||
# (enable "youtube")
|
||||
(enable "vimeo")
|
||||
(enable "peertube")
|
||||
];
|
||||
};
|
||||
|
||||
# runInUwsgi = true;
|
||||
# uwsgiConfig = {
|
||||
# disable-logging = false;
|
||||
# http = ":11000";
|
||||
# socket = "/run/searx/searx.sock";
|
||||
# };
|
||||
};
|
||||
}
|