Work on hydra config, fix tor relay config, prepare web-public-2 host

configuration/common/default.nix

@@ -1,7 +1,8 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   imports = [
     ./prometheus-node-exporter.nix
+    ./nginx.nix
     ../../users/colmena-deploy
     ../../users/yuri
   ];
@@ -36,6 +37,7 @@
 
   services.openssh = {
     enable = true;
+    openFirewall = true;
     settings = {
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
@@ -43,5 +45,10 @@
     };
   };
 
+  security.acme = {
+    defaults.email = "acme@grzb.de";
+    acceptTerms = true;
+  };
+
   services.fstrim.enable = true;
 }

configuration/common/nginx.nix

@@ -0,0 +1,9 @@
+{ ... }: {
+  services.nginx = {
+    enableReload = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+}

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1689373857,
-        "narHash": "sha256-mtBksyvhhT98Zsm9tYHuMKuLwUKDwv+BGTl6K5nOGhY=",
+        "lastModified": 1689534811,
+        "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dfdbcc428f365071f0ca3888f6ec8c25c3792885",
+        "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222",
         "type": "github"
       },
       "original": {

flake.nix

@@ -17,6 +17,9 @@
       jackett = {
         site = "vs";
       };
+      #hydra = {
+      #  site = "vs";
+      #};
     };
 
     generateColmenaHost = name: host : {
@@ -39,5 +42,33 @@
         };
       };
     } // builtins.mapAttrs (self.generateColmenaHost) self.hosts;
+
+    /* generateNixosSystem = {
+      name,
+      system ? "x86_64-linux",
+      group ? null,
+      modules ? [],
+    }: 
+    let localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
+    in localNixpkgs.lib.nixosSystem {
+      modules = modules ++ [
+        ./configuration/common
+        ./users/yuri
+        ./users/colmena-deploy
+        (./hosts + "/${name}")
+      ];
+    }; */
+
+    hydraJobs = {
+      nixConfigurations.nitter = let system = "x86_64-linux";
+      in nixpkgs.lib.nixosSystem {
+        inherit system;
+        modules = [
+        ./configuration/common
+        ./configuration/proxmox-vm
+        ./hosts/nitter
+        ];
+      };
+    };
   };
 }

hosts/hydra/configuration.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "hydra";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}

hosts/hydra/default.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./secrets.nix
+    ./hydra.nix
+    ./nix-serve.nix
+    ./nginx.nix
+  ];
+}

hosts/hydra/hydra.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.hydra = {
+    enable = true;
+    hydraURL = "https://hydra.nekover.se";
+    listenHost = "localhost";
+    port = 3001;
+    useSubstitutes = true;
+    notificationSender = "hydra@robot.grzb.de";
+    extraConfig = "
+      binary_cache_public_uri = https://nix-cache.nekover.se
+    ";
+  };
+}

hosts/hydra/nginx.nix

@@ -0,0 +1,33 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+
+      "hydra.nekover.se" = {
+        enableACME = true;
+        listen = [{
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+        }];
+        locations."/" = {
+          proxyPass = "http://localhost:3001";
+        };
+      };
+
+      "nix-cache.nekover.se" = {
+        enableACME = true;
+        listen = [{
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+        }];
+        locations."/" = {
+          proxyPass = "http://localhost:5005";
+        };
+      };
+      
+    };
+  };
+}

hosts/hydra/nix-serve.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  services.nix-serve = {
+    enable = true;
+    port = 5005;
+    bindAddress = "localhost";
+    secretKeyFile = "/secrets/signing-key.secret";
+  };
+}

hosts/hydra/secrets.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  deployment.keys."signing-key.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "root";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}

hosts/netbox/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
 
 {
   imports = [

hosts/tor-relay/tor.nix

@@ -3,16 +3,18 @@
   services.tor = {
     enable = true;
 
+    relay = {
+      enable = true;
+      role = "relay";
+    };
+
     settings = {
       Nickname = "vsm";
       ORPort = 9001;
-      ExitRelay = false;
-      SOCKSPort = 0;
-      ControlSocket = null;
+      DirPort = 9030;
       ContactInfo = "admin@grzb.de";
       RelayBandwidthRate = "40 MBits";
       RelayBandwidthBurst = "50 Mbits";
-      DirPort = 9030;
     };
   };
 }

hosts/web-public-2/configuration.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "web-public-02";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}

hosts/web-public-2/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nginx.nix
+  ];
+}

hosts/web-public-2/nginx.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+  };
+}