Work on hydra config, fix tor relay config, prepare web-public-2 host

2023-07-18 17:23:46 +02:00 · 2023-07-18 17:23:46 +02:00 · c6f4780ccd
commit c6f4780ccd
parent 64d9dbd4b0
15 changed files with 176 additions and 9 deletions
--- a/hosts/hydra/configuration.nix
+++ b/hosts/hydra/configuration.nix
@ -0,0 +1,14 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "hydra";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./secrets.nix
+    ./hydra.nix
+    ./nix-serve.nix
+    ./nginx.nix
+  ];
+}
--- a/hosts/hydra/hydra.nix
+++ b/hosts/hydra/hydra.nix
@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.hydra = {
+    enable = true;
+    hydraURL = "https://hydra.nekover.se";
+    listenHost = "localhost";
+    port = 3001;
+    useSubstitutes = true;
+    notificationSender = "hydra@robot.grzb.de";
+    extraConfig = "
+      binary_cache_public_uri = https://nix-cache.nekover.se
+    ";
+  };
+}
--- a/hosts/hydra/nginx.nix
+++ b/hosts/hydra/nginx.nix
@ -0,0 +1,33 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+
+      "hydra.nekover.se" = {
+        enableACME = true;
+        listen = [{
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+        }];
+        locations."/" = {
+          proxyPass = "http://localhost:3001";
+        };
+      };
+
+      "nix-cache.nekover.se" = {
+        enableACME = true;
+        listen = [{
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+        }];
+        locations."/" = {
+          proxyPass = "http://localhost:5005";
+        };
+      };
+      
+    };
+  };
+}
--- a/hosts/hydra/nix-serve.nix
+++ b/hosts/hydra/nix-serve.nix
@ -0,0 +1,9 @@
+{ ... }:
+{
+  services.nix-serve = {
+    enable = true;
+    port = 5005;
+    bindAddress = "localhost";
+    secretKeyFile = "/secrets/signing-key.secret";
+  };
+}
--- a/hosts/hydra/secrets.nix
+++ b/hosts/hydra/secrets.nix
@ -0,0 +1,11 @@
+{ ... }:
+{
+  deployment.keys."signing-key.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "root";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}
--- a/hosts/netbox/configuration.nix
+++ b/hosts/netbox/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:

 {
  imports = [
--- a/hosts/tor-relay/tor.nix
+++ b/hosts/tor-relay/tor.nix
@ -3,16 +3,18 @@
  services.tor = {
    enable = true;

+    relay = {
+      enable = true;
+      role = "relay";
+    };
+
    settings = {
      Nickname = "vsm";
      ORPort = 9001;
-      ExitRelay = false;
-      SOCKSPort = 0;
-      ControlSocket = null;
+      DirPort = 9030;
      ContactInfo = "admin@grzb.de";
      RelayBandwidthRate = "40 MBits";
      RelayBandwidthBurst = "50 Mbits";
-      DirPort = 9030;
    };
  };
 }
--- a/hosts/web-public-2/configuration.nix
+++ b/hosts/web-public-2/configuration.nix
@ -0,0 +1,14 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "web-public-02";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/hosts/web-public-2/default.nix
+++ b/hosts/web-public-2/default.nix
@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nginx.nix
+  ];
+}
--- a/hosts/web-public-2/nginx.nix
+++ b/hosts/web-public-2/nginx.nix
@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+  };
+}