From 77e97e84a935ab89e84e0c00a489b5c43402dda8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?=
Date: Sat, 31 Oct 2020 20:51:25 +0100
Subject: [PATCH] feat(makanek): host codimd, nextcloud
---
 configs/codimd.nix | 25 +++++++++
 configs/nextcloud.nix | 32 +++++-------
 configs/ssh.nix | 9 +++-
 deploy.nix | 5 ++
 systems/makanek/configuration.nix | 61 ++++++++++++++++++++++
 systems/makanek/hardware-configuration.nix | 21 ++++++++
 6 files changed, 132 insertions(+), 21 deletions(-)
 create mode 100644 configs/codimd.nix
 create mode 100644 systems/makanek/configuration.nix
 create mode 100644 systems/makanek/hardware-configuration.nix
diff --git a/configs/codimd.nix b/configs/codimd.nix
new file mode 100644
index 0000000..2cfad7c
--- /dev/null
+++ b/configs/codimd.nix
@@ -0,0 +1,25 @@
+{
+ services.nginx.virtualHosts."pad.xn--kiern-0qa.de" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/".extraConfig = ''
+ client_max_body_size 4G;
+ proxy_set_header Host $host;
+ proxy_pass http://localhost:3091;
+ '';
+ };
+
+ services.codimd = {
+ enable = true;
+ configuration = {
+ allowAnonymous = false;
+ allowGravatar = false;
+ db = {
+ dialect = "sqlite";
+ storage = "/var/lib/codimd/db.codimd.sqlite";
+ useCDN = false;
+ };
+ port = 3091;
+ };
+ };
+}
diff --git a/configs/nextcloud.nix b/configs/nextcloud.nix
index 3783f8b..f346137 100644
--- a/configs/nextcloud.nix
+++ b/configs/nextcloud.nix
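Review bot: `useCDN = false;` is placed inside the `db = { ... }` attribute set, where it becomes part of the database connection options rather than CodiMD's top-level `useCDN` setting, so the pad will still load its assets from the public CDN; move it up one level, next to `port = 3091;`. The vhost uses `addSSL = true`, which keeps serving plain HTTP on port 80 alongside TLS; `forceSSL = true` would redirect to HTTPS instead, and the same applies to the `cloud.xn--kiern-0qa.de` vhost added in configs/nextcloud.nix, whose Nextcloud config already assumes `overwriteProtocol = "https"`. Since nginx terminates TLS here, CodiMD presumably also needs `domain` and `protocolUseSSL = true` in `configuration` so that generated links use https — confirm against the module's options.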
@@ -3,34 +3,22 @@ let inherit (import ) localAddresses; in { - networking.firewall.allowedTCPPorts = [ 80 ]; - - services.nginx = { - enable = true; - - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - # Only allow PFS-enabled ciphers with AES256 - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - }; - services.nextcloud = { enable = true; - package = pkgs.nextcloud19; + package = pkgs.nextcloud20; + + https = true; autoUpdateApps = { enable = true; startAt = "05:00:00"; }; - hostName = localAddresses.toum; + hostName = "cloud.xn--kiern-0qa.de"; - # https = true; config = { - # overwriteProtocol = "https"; + overwriteProtocol = "https"; + dbtype = "pgsql"; dbuser = "nextcloud"; dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself @@ -38,7 +26,7 @@ in dbpass = lib.strings.fileContents ; adminpass = lib.strings.fileContents ; adminuser = "admin"; - extraTrustedDomains = [ "toum.r" ]; + # extraTrustedDomains = [ "toum.r" ]; }; }; @@ -53,6 +41,12 @@ in ]; }; + + services.nginx.virtualHosts."cloud.xn--kiern-0qa.de" = { + enableACME = true; + addSSL = true; + }; + # Ensure that postgres is running before running the setup systemd.services."nextcloud-setup" = { requires = ["postgresql.service"]; diff --git a/configs/ssh.nix b/configs/ssh.nix index a6c18d7..7b495ff 100644 --- a/configs/ssh.nix +++ b/configs/ssh.nix @@ -20,8 +20,13 @@ in { port = 443; }; zaatar = { - hostname = "zaatar.r"; - user = "kiosk"; + hostname = "zaatar.local"; + user = "root"; + port = sshPort; + }; + makanek = { + hostname = "88.99.83.173"; + user = "root"; port = sshPort; }; homeros = { diff --git a/deploy.nix b/deploy.nix index 0d881af..b25c75f 100644 --- a/deploy.nix +++ b/deploy.nix @@ -55,4 +55,9 @@ in { name = "toum"; address = "toum.r"; }); + makanek = writeDeploy "deploy-makanek" (regularSystem { + path = systems/makanek; + name = "makanek"; + address = "88.99.83.173"; + }); } 
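Review bot: `hostname = "88.99.83.173";` in the new `makanek` entry duplicates the literal that deploy.nix's `address = "88.99.83.173";` introduces in the same patch, so a future address change has to be made in two places and can silently drift. Bind the address once (the repository already centralises host addresses in the `localAddresses` set that configs/nextcloud.nix imports) and reference it from both files. The enclosing `in { ... }` attribute set starts and ends outside this hunk.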
diff --git a/systems/makanek/configuration.nix b/systems/makanek/configuration.nix new file mode 100644 index 0000000..34565e7 --- /dev/null +++ b/systems/makanek/configuration.nix @@ -0,0 +1,61 @@ +{ config, pkgs, ... }: +let + inherit (import ) kieran; +in +{ + imports = [ + ./hardware-configuration.nix + + + + + + + + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + + networking.useDHCP = false; + networking.interfaces.ens3.useDHCP = true; + + networking.hostName = "makanek"; + + system.stateVersion = "20.03"; + + boot.loader.grub.devices = [ "/dev/sda" ]; + + services.openssh.enable = true; + + networking.retiolum = { + ipv4 = "10.243.2.84"; + ipv6 = "42:0:3c46:56af:d12b:::df22"; + }; + + environment.etc."tinc/retiolum/rsa_key.priv" = { + text = builtins.readFile ; + mode = "400"; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + }; + + security.acme = { + acceptTerms = true; + email = kieran.email; + }; + + environment.systemPackages = [ pkgs.vim pkgs.git ]; +} diff --git a/systems/makanek/hardware-configuration.nix b/systems/makanek/hardware-configuration.nix new file mode 100644 index 0000000..36d4e05 --- /dev/null +++ b/systems/makanek/hardware-configuration.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/9eaeaaa7-b453-4634-8a69-d416f702d3aa"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 2; +}
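Review bot: The `builtins.readFile` call feeding `environment.etc."tinc/retiolum/rsa_key.priv".text` (its argument is elided in this rendering) copies the tinc private key into the Nix store, which is world-readable on the host, so `mode = "400";` on the /etc copy does not actually protect the key material; point `source` at a string path outside the store (a string, not a Nix path literal, so nothing is copied) or use a deployment-time secret mechanism instead. `services.openssh.enable = true;` is not paired with any hardening even though configs/ssh.nix in this same patch logs in to makanek as root; unless one of the (elided) imports sets them, add `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";`. `ipv6 = "42:0:3c46:56af:d12b:::df22";` contains `:::`, which is not valid IPv6 syntax as shown — verify the intended retiolum address. The entries of the `imports` list are blank in this rendering, so I cannot tell what they bring in.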