
commit 7e9358efa507789ac51ecdf3811e016468ada7a2
parent 6cb5dda6af94bc9d8bb77143bbe9fbb4fab814aa
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Fri,  5 Jun 2020 11:02:31 +0200

systems: migrate kerkouane 👼

- Fix wireguard.server profiles
- add govanityurl to services/default.nix

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Mhosts.nix | 1+
Mmodules/profiles/wireguard.server.nixos.nix | 14++++++++++----
Mmodules/services/default.nix | 3++-
Asystems/kerkouane.nix | 130+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Musers/vincent/default.nix | 1+
5 files changed, 144 insertions(+), 5 deletions(-)

diff --git a/hosts.nix b/hosts.nix
@@ -1,6 +1,7 @@
 {
 hokkaido = { arch = "x86_64-linux"; type = "unstable"; };
 wakasu = { arch = "x86_64-linux"; type = "unstable"; };
+ kerkouane = { arch = "x86_64-linux"; };
 okinawa = { arch = "x86_64-linux"; };
 sakhalin = { arch = "x86_64-linux"; };
 # mypi = { arch = "aarch64-linux" };
diff --git a/modules/profiles/wireguard.server.nixos.nix b/modules/profiles/wireguard.server.nixos.nix
@@ -3,6 +3,12 @@
 with lib;
 let
 cfg = config.profiles.wireguard.server;
+
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
+ listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ peers = lists.optionals secretCondition (import secretPath).wg.peers;
 in
 {
 options = {
@@ -23,12 +29,12 @@ in
 '';
 networking.firewall.allowedUDPPorts = [ 51820 ];
 networking.firewall.trustedInterfaces = [ "wg0" ];
- networking.wireguard.interfaces = with import ../../assets/machines.nix; {
+ networking.wireguard.interfaces = {
 "wg0" = {
- ips = wireguard.kerkouane.allowedIPs;
- listenPort = wg.listenPort;
+ ips = allowedIPs;
+ listenPort = listenPort;
 privateKeyFile = "/etc/nixos/wireguard.private.key";
- peers = wg.peers;
+ peers = peers;
 };
 };
 };
diff --git a/modules/services/default.nix b/modules/services/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
- ./wireguard.client.nixos.nix
+ ./govanityurl.nixos.nix
 ./nix-binary-cache.nixos.nix
+ ./wireguard.client.nixos.nix
 ];
 }
diff --git a/systems/kerkouane.nix b/systems/kerkouane.nix
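Review bot: The new `allowedIPs`, `listenPort` and `peers` bindings fall back to `[]`, `0` and `[]` when `../secrets/machines.nix` is absent, so a host with `profiles.wireguard.server.enable = true` still evaluates and brings up `wg0` with no addresses, no peers and `listenPort = 0` (presumably a kernel-chosen port), while the rules in the second hunk keep trusting `wg0` and opening UDP 51820 — a silent misconfiguration rather than a failed build. Since the server profile cannot work without that file, make its absence loud, e.g. `assert cfg.enable -> secretCondition;` in front of the module body, or a `warnings` entry under `mkIf cfg.enable` (the enclosing `config` block is not visible in this hunk). The unchanged `networking.firewall.allowedUDPPorts = [ 51820 ];` is now decoupled from the port read from the secrets file, so `networking.firewall.allowedUDPPorts = [ listenPort ];` keeps the firewall and the interface in step. Importing `secretPath` three times also reads better as a single `secrets = if secretCondition then import secretPath else { };` binding.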
@@ -0,0 +1,130 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+ hostname = "kerkouane";
+
+ networkingConfigPath = ../networking.nix;
+ hasNetworkingConfig = (builtins.pathExists networkingConfigPath);
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22;
+
+ sources = import ../nix/sources.nix;
+in
+{
+ imports = [
+ (sources.nixos + "/nixos/modules/profiles/qemu-guest.nix")
+ #(pkgs + "/nixos/modules/profiles/qemu-guest.nix")
+ #<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ ../modules
+ (import ../users).vincent
+ (import ../users).root
+ ]
+ # digitalocean specifics
+ ++ optionals hasNetworkingConfig [ networkingConfigPath ];
+
+ boot.loader.grub.device = "/dev/vda";
+ fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
+ swapDevices = [{ device = "/swapfile"; size = 1024; }];
+
+ core.nix = {
+ # FIXME move this away
+ localCaches = [ ];
+ buildCores = 1;
+ };
+
+ profiles = {
+ git.enable = true;
+ ssh.enable = true;
+ syncthing.enable = true;
+
+ # FIXME remove the need for it
+ users.enable = false;
+
+ wireguard.server.enable = true;
+ };
+
+ networking.firewall.allowPing = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security = {
+ acme = {
+ acceptTerms = true;
+ email = "vincent@sbr.pm";
+ };
+ #acme.certs = {
+ # "sbr.pm".email = "vincent@sbr.pm";
+ #};
+ };
+ security.pam.enableSSHAgentAuth = true;
+ services = {
+ govanityurl = {
+ enable = true;
+ user = "nginx";
+ host = "go.sbr.pm";
+ config = ''
+ paths:
+ /ape:
+ repo: https://git.sr.ht/~vdemeester/ape
+ /nr:
+ repo: https://gitlab.com/vdemeester/nr
+ /ram:
+ repo: https://git.sr.ht/~vdemeester/ram
+ /sec:
+ repo: https://gitlab.com/vdemeester/sec
+ '';
+ };
+ nginx = {
+ enable = true;
+ virtualHosts."dl.sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/dl.sbr.pm";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."paste.sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/paste.sbr.pm";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."go.sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
+ };
+ virtualHosts."sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/sbr.pm";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."sbr.systems" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/sbr.systems";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."vincent.demeester.fr" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/vincent.demeester.fr";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ };
+ openssh.ports = [ sshPort ];
+ openssh.permitRootLogin = "without-password";
+ syncthing.guiAddress = "127.0.0.1:8384";
+ };
+}
diff --git a/users/vincent/default.nix b/users/vincent/default.nix
@@ -10,6 +10,7 @@ let (name: value: value.key) (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh) );
+ hasConfigVirtualizationContainers = builtins.hasAttr "containers" config.virtualisation;
 isContainersEnabled = if hasConfigVirtualizationContainers then config.virtualisation.containers.enable else false;
 in
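Review bot: Every nginx `root` in the new `virtualHosts` points under `/home/vincent/desktop/sites/...`, so nginx (which runs as the `nginx` user by default, the same identity `govanityurl` is given via `user = "nginx";`) needs traverse rights through `/home/vincent`; in practice that means loosening the home directory's mode and placing a user-writable tree in the web server's path. A dedicated location such as `root = "/var/www/dl.sbr.pm";` per vhost (populated by syncthing or a deploy step) keeps the home directory private and lets `govanityurl` get its own unprivileged user instead of sharing nginx's. Separately, `hostname = "kerkouane";` in the `let` block is never referenced — there is no `networking.hostName = hostname;` anywhere in the module — so unless `../networking.nix` sets it (not visible here) the host keeps a default name. `openssh.permitRootLogin = "without-password";` combined with the imported `root` user module permits direct key-based root logins; if the `vincent` user is the intended entry point, `"no"` is the tighter setting.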