From e8afd2b6678df475a8a6da4db7d0851606f7b8ac Mon Sep 17 00:00:00 2001
From: yuri
Date: Tue, 18 Jul 2023 17:23:46 +0200
Subject: [PATCH] Work on hydra config, fix tor relay config, prepare web-public-2 host

---
 configuration/common/default.nix | 9 +++++++-
 configuration/common/nginx.nix | 9 ++++++++
 flake.lock | 6 ++---
 flake.nix | 31 ++++++++++++++++++++++++++
 hosts/hydra/configuration.nix | 14 ++++++++++++
 hosts/hydra/default.nix | 10 +++++++++
 hosts/hydra/hydra.nix | 14 ++++++++++++
 hosts/hydra/nginx.nix | 33 ++++++++++++++++++++++++++++
 hosts/hydra/nix-serve.nix | 9 ++++++++
 hosts/hydra/secrets.nix | 11 ++++++++++
 hosts/netbox/configuration.nix | 2 +-
 hosts/tor-relay/tor.nix | 10 +++++----
 hosts/web-public-2/configuration.nix | 14 ++++++++++++
 hosts/web-public-2/default.nix | 7 ++++++
 hosts/web-public-2/nginx.nix | 6 +++++
 15 files changed, 176 insertions(+), 9 deletions(-)
 create mode 100644 configuration/common/nginx.nix
 create mode 100644 hosts/hydra/configuration.nix
 create mode 100644 hosts/hydra/default.nix
 create mode 100644 hosts/hydra/hydra.nix
 create mode 100644 hosts/hydra/nginx.nix
 create mode 100644 hosts/hydra/nix-serve.nix
 create mode 100644 hosts/hydra/secrets.nix
 create mode 100644 hosts/web-public-2/configuration.nix
 create mode 100644 hosts/web-public-2/default.nix
 create mode 100644 hosts/web-public-2/nginx.nix

diff --git a/configuration/common/default.nix b/configuration/common/default.nix
index 78ac470..b94e91c 100644
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -1,7 +1,8 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
 imports = [
 ./prometheus-node-exporter.nix
+ ./nginx.nix
 ../../users/colmena-deploy
 ../../users/yuri
 ];
@@ -36,6 +37,7 @@
 
 services.openssh = {
 enable = true;
+ openFirewall = true;
 settings = {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
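Review bot: `openFirewall = true;` is, as far as I know, already the default of services.openssh.openFirewall, so on its own the line changes nothing and reads as if it did; either drop it or state why it is pinned, e.g. `openFirewall = true; # explicit: SSH must stay reachable even on hosts that narrow the firewall`. The services.openssh attrset it sits in continues past the hunk.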
@@ -43,5 +45,10 @@
 };
 };
 
+ security.acme = {
+ defaults.email = "acme@grzb.de";
+ acceptTerms = true;
+ };
+
 services.fstrim.enable = true;
 }
diff --git a/configuration/common/nginx.nix b/configuration/common/nginx.nix
new file mode 100644
index 0000000..60fa3f9
--- /dev/null
+++ b/configuration/common/nginx.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ services.nginx = {
+ enableReload = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+}
diff --git a/flake.lock b/flake.lock
index e5a7558..5ef1dda 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1689373857,
- "narHash": "sha256-mtBksyvhhT98Zsm9tYHuMKuLwUKDwv+BGTl6K5nOGhY=",
+ "lastModified": 1689534811,
+ "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "dfdbcc428f365071f0ca3888f6ec8c25c3792885",
+ "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 928ebc4..bcace6a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,6 +17,9 @@
 jackett = {
 site = "vs";
 };
+ #hydra = {
+ # site = "vs";
+ #};
 };
 
 generateColmenaHost = name: host : {
@@ -39,5 +42,33 @@
 };
 };
 } // builtins.mapAttrs (self.generateColmenaHost) self.hosts;
+
+ /* generateNixosSystem = {
+ name,
+ system ? "x86_64-linux",
+ group ? null,
+ modules ? [],
+ }:
+ let localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
+ in localNixpkgs.lib.nixosSystem {
+ modules = modules ++ [
+ ./configuration/common
+ ./users/yuri
+ ./users/colmena-deploy
+ (./hosts + "/${name}")
+ ];
+ }; */
+
+ hydraJobs = {
+ nixConfigurations.nitter = let system = "x86_64-linux";
+ in nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./configuration/common
+ ./configuration/proxmox-vm
+ ./hosts/nitter
+ ];
+ };
+ };
 };
 }
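Review bot: hydraJobs.nixConfigurations.nitter hard-codes its module list (`./configuration/common`, `./configuration/proxmox-vm`, `./hosts/nitter`) while the colmena outputs just above are generated from self.hosts via generateColmenaHost, so the Hydra side will drift as hosts are added; building the jobs from the same self.hosts attrset (the commented-out generateNixosSystem sketch in this hunk is essentially that) keeps one source of truth. The `/* generateNixosSystem … */` block and the `#hydra = { … };` entry in the earlier flake.nix hunk are commented-out code; either finish them or replace them with a one-line `# TODO: generate nixosConfigurations/hydraJobs from self.hosts` so the intent survives without dead code. The outputs attrset this hunk edits starts before the hunk.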
diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix
new file mode 100644
index 0000000..6e602ac
--- /dev/null
+++ b/hosts/hydra/configuration.nix
@@ -0,0 +1,14 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "hydra";
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
new file mode 100644
index 0000000..c33a964
--- /dev/null
+++ b/hosts/hydra/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./secrets.nix
+ ./hydra.nix
+ ./nix-serve.nix
+ ./nginx.nix
+ ];
+}
diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix
new file mode 100644
index 0000000..c8d4c3f
--- /dev/null
+++ b/hosts/hydra/hydra.nix
@@ -0,0 +1,14 @@
+{ ... }:
+{
+ services.hydra = {
+ enable = true;
+ hydraURL = "https://hydra.nekover.se";
+ listenHost = "localhost";
+ port = 3001;
+ useSubstitutes = true;
+ notificationSender = "hydra@robot.grzb.de";
+ extraConfig = "
+ binary_cache_public_uri = https://nix-cache.nekover.se
+ ";
+ };
+}
diff --git a/hosts/hydra/nginx.nix b/hosts/hydra/nginx.nix
new file mode 100644
index 0000000..7756928
--- /dev/null
+++ b/hosts/hydra/nginx.nix
@@ -0,0 +1,33 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+
+ "hydra.nekover.se" = {
+ enableACME = true;
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ }];
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ };
+ };
+
+ "nix-cache.nekover.se" = {
+ enableACME = true;
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ }];
+ locations."/" = {
+ proxyPass = "http://localhost:5005";
+ };
+ };
+
+ };
+ };
+}
diff --git a/hosts/hydra/nix-serve.nix b/hosts/hydra/nix-serve.nix
new file mode 100644
index 0000000..75c18cb
--- /dev/null
+++ b/hosts/hydra/nix-serve.nix
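Review bot: `firewall.enable = false;` disables host filtering on a machine that publishes the Hydra UI and the binary cache on 0.0.0.0:8443, so every other non-loopback listener (the node exporter imported from configuration/common, if it binds a non-loopback address) becomes reachable as well; hosts/web-public-2/configuration.nix in this commit carries the same line. Least privilege here is to keep the firewall on and open only what is served, `firewall.allowedTCPPorts = [ 8443 ];` (SSH is already opened by services.openssh.openFirewall in configuration/common), and if filtering is deliberately done upstream a one-line comment saying so stops the next reader from reverting it. The file is otherwise a copy of the web-public-2 one (grub on /dev/vda, stateVersion 23.05), which looks like what ./configuration/proxmox-vm referenced in flake.nix's hydraJobs is for; importing that would leave only hostName per host. Note also hostName "web-public-02" versus the hosts/web-public-2 directory name — pick one spelling.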
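Review bot: `extraConfig = "` … `";` is a plain double-quoted string, so hydra.conf receives the leading newline and the indentation verbatim; Hydra's config reader appears to tolerate that, but the idiomatic form is an indented string, `extraConfig = ''` / `  binary_cache_public_uri = https://nix-cache.nekover.se` / `'';`, which strips the common indent and avoids surprises when more keys are added. hydraURL is https://hydra.nekover.se with no port while the vhost in hosts/hydra/nginx.nix listens only on 8443, which implies a front proxy on 443 outside this change; a comment naming it next to hydraURL would explain the mismatch. listenHost = "localhost" with nginx in front is the right shape — Hydra's own port is not exposed.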
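Review bot: Both vhosts set enableACME but listen only on 8443 with ssl, so the /.well-known/acme-challenge location the NixOS module adds for HTTP-01 is never reachable on port 80 through these vhosts; unless a front proxy forwards port 80 for these names to this host, first issuance will fail, so either add `{ addr = "0.0.0.0"; port = 80; }` to each listen list or record the proxy in a comment. The listen entries are IPv4-only; add a `[::]` counterpart if the host has a public IPv6 address. The vhost body is duplicated verbatim apart from the upstream, so a small helper keeps the two in step and makes the ACME/listen policy a single decision, as sketched below.
```nix
{ ... }:
let
  # One TLS listener shared by both names; ACME HTTP-01 additionally needs
  # port 80 reachable on this host unless a front proxy answers it.
  tlsListen = [{ addr = "0.0.0.0"; port = 8443; ssl = true; }];
  proxyTo = upstream: {
    enableACME = true;
    listen = tlsListen;
    locations."/".proxyPass = upstream;
  };
in
{
  services.nginx = {
    enable = true;
    virtualHosts = {
      "hydra.nekover.se" = proxyTo "http://localhost:3001";
      "nix-cache.nekover.se" = proxyTo "http://localhost:5005";
    };
  };
}
```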
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ services.nix-serve = {
+ enable = true;
+ port = 5005;
+ bindAddress = "localhost";
+ secretKeyFile = "/secrets/signing-key.secret";
+ };
+}
diff --git a/hosts/hydra/secrets.nix b/hosts/hydra/secrets.nix
new file mode 100644
index 0000000..7ccf047
--- /dev/null
+++ b/hosts/hydra/secrets.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ deployment.keys."signing-key.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix
index 637244a..6040caf 100644
--- a/hosts/netbox/configuration.nix
+++ b/hosts/netbox/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
 {
 imports = [
diff --git a/hosts/tor-relay/tor.nix b/hosts/tor-relay/tor.nix
index 58efb89..200e1e6 100644
--- a/hosts/tor-relay/tor.nix
+++ b/hosts/tor-relay/tor.nix
@@ -3,16 +3,18 @@
 services.tor = {
 enable = true;
 
+ relay = {
+ enable = true;
+ role = "relay";
+ };
+
 settings = {
 Nickname = "vsm";
 ORPort = 9001;
- ExitRelay = false;
- SOCKSPort = 0;
- ControlSocket = null;
+ DirPort = 9030;
 ContactInfo = "admin@grzb.de";
 RelayBandwidthRate = "40 MBits";
 RelayBandwidthBurst = "50 Mbits";
- DirPort = 9030;
 };
 };
 }
diff --git a/hosts/web-public-2/configuration.nix b/hosts/web-public-2/configuration.nix
new file mode 100644
index 0000000..dfeb4b0
--- /dev/null
+++ b/hosts/web-public-2/configuration.nix
@@ -0,0 +1,14 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "web-public-02";
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/web-public-2/default.nix b/hosts/web-public-2/default.nix
new file mode 100644
index 0000000..3db73ca
--- /dev/null
+++ b/hosts/web-public-2/default.nix
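Review bot: The signing key is uploaded in hosts/hydra/secrets.nix as `user = "root"; group = "root"; permissions = "0640";`, while the NixOS nix-serve unit runs as its own unprivileged user as far as I recall; whether that works depends on how this nixpkgs revision hands the key to the daemon — if the module loads it through systemd LoadCredential= the root-only file is fine because systemd reads it, but if it passes the path straight to nix-serve the process cannot open it and the cache will serve unsigned or fail to start. Please verify on the deployed host (the unit log on first start will say), and if the daemon reads the file itself, keep 0640 and set `group` to the service's group, bearing in mind that with `uploadAt = "pre-activation"` the group must already exist when Colmena uploads the key. Keeping the key out of the repo and pulling it through `pass` at deploy time is the right pattern; only its readability is in question.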
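Review bot: The removed `SOCKSPort = 0;` and `ExitRelay = false;` were explicit guarantees that this host is a non-exit relay with no local SOCKS listener; `relay.enable` with `role = "relay"` is expected to apply the relay-only defaults, but that is an inference from the tor module rather than from this hunk, so check the generated torrc after deploy for `SOCKSPort 0` and `ExitRelay 0` and, if the module does not emit them, keep the explicit lines next to relay.role. `ORPort = 9001` and the moved `DirPort = 9030` also have to be reachable from outside; the module has an openFirewall option for exactly that, and a comment on which side opens them (module option or host firewall) would help. The services.tor attrset starts before the hunk.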
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ];
+}
diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix
new file mode 100644
index 0000000..5c7acd6
--- /dev/null
+++ b/hosts/web-public-2/nginx.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+ };
+}