From 4e722ab5ff673b39b2fb9f28e749c685f0609d7f Mon Sep 17 00:00:00 2001
From: zuckerberg <5-zuckerberg@users.noreply.git.neet.dev>
Date: Sat, 6 Feb 2021 23:06:05 -0500
Subject: [PATCH] initial
---
 configuration.nix | 146 ++++++++++++++++++++++++++++++++++++++++++++++
 flakes.nix | 10 ++++
 gitlab.nix | 112 +++++++++++++++++++++++++++++++++++
 mumble.nix | 31 ++++++++++
 nsd.nix | 95 ++++++++++++++++++++++++++++++
 thelounge.nix | 44 ++++++++++++++
 zerobin.nix | 55 +++++++++++++++++
 7 files changed, 493 insertions(+)
 create mode 100644 configuration.nix
 create mode 100644 flakes.nix
 create mode 100644 gitlab.nix
 create mode 100644 mumble.nix
 create mode 100644 nsd.nix
 create mode 100644 thelounge.nix
 create mode 100644 zerobin.nix
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..90b9a5b
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,146 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ./flakes.nix
+ ./hardware-configuration.nix
+# ./nsd.nix
+ ./thelounge.nix
+ ./mumble.nix
+# ./hedgedoc.nix
+# ./postgres.nix
+# ./zerobin.nix
+ ./gitlab.nix
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+
+ networking.hostName = "neetdev";
+ networking.wireless.enable = false;
+
+ # Set your time zone.
+ time.timeZone = "America/New_York";
+
+ networking.useDHCP = true; # just in case... (todo ensure false doesn't fuck up initrd)
+ networking.interfaces.eno1.useDHCP = true;
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ users.users.googlebot = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
+ ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ wget kakoune
+ ];
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ security.acme.acceptTerms = true;
+ security.acme.email = "letsencrypt+5@tar.ninja";
+ security.acme.certs = {
+ "pages.neet.dev" = {
+ group = "nginx";
+ domain = "*.pages.neet.dev";
+ dnsProvider = "digitalocean";
+ credentialsFile = "/var/lib/secrets/certs.secret";
+ };
+# "neet.space" = {
+# group = "nginx";
+# domain = "*.neet.space";
+# dnsProvider = "digitalocean";
+# credentialsFile = "/var/lib/secrets/certs.secret";
+# };
+# "neet.cloud" = {
+# group = "nginx";
+# domain = "*.neet.cloud";
+# dnsProvider = "digitalocean";
+# credentialsFile = "/var/lib/secrets/certs.secret";
+# };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 22 53 80 443 4444 ];
+ networking.firewall.allowedUDPPorts = [ 53 80 443 4444 ];
+
+ # LUKS
+ boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
+
+ # Unlock LUKS disk over ssh
+ boot.initrd.network.enable = true;
+ boot.initrd.kernelModules = [ "e1000" "e1000e" "virtio_pci" ];
+ boot.initrd.network.ssh = {
+ enable = true;
+ port = 22;
+ hostKeys = [
+ "/secret/ssh_host_rsa_key"
+ "/secret/ssh_host_ed25519_key"
+ ];
+ authorizedKeys = config.users.users.googlebot.openssh.authorizedKeys.keys;
+ };
+
+ # TODO is this needed?
+ boot.initrd.postDeviceCommands = ''
+ echo 'waiting for root device to be opened...'
+ mkfifo /crypt-ramfs/passphrase
+ echo /crypt-ramfs/passphrase >> /dev/null
+ '';
+
+ # Make machine accessable over tor for boot unlock
+ boot.initrd.secrets = {
+ "/etc/tor/onion/bootup" = /secret/onion;
+ };
+ boot.initrd.extraUtilsCommands = ''
+ copy_bin_and_libs ${pkgs.tor}/bin/tor
+ copy_bin_and_libs ${pkgs.haveged}/bin/haveged
+ '';
+ # start tor during boot process
+ boot.initrd.network.postCommands = let
+ torRc = (pkgs.writeText "tor.rc" ''
+ DataDirectory /etc/tor
+ SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+ SOCKSPort 127.0.0.1:9063
+ HiddenServiceDir /etc/tor/onion/bootup
+ HiddenServicePort 22 127.0.0.1:22
+ '');
+ in ''
+ # Add nice prompt for giving LUKS passphrase over ssh
+ echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
+
+ echo "tor: preparing onion folder"
+ # have to do this otherwise tor does not want to start
+ chmod -R 700 /etc/tor
+
+ echo "make sure localhost is up"
+ ip a a 127.0.0.1/8 dev lo
+ ip link set lo up
+
+ echo "haveged: starting haveged"
+ haveged -F &
+
+ echo "tor: starting tor"
+ tor -f ${torRc} --verify-config
+ tor -f ${torRc} &
+ '';
+
+ system.stateVersion = "20.09";
+}
+
diff --git a/flakes.nix b/flakes.nix
new file mode 100644
index 0000000..aa60c1e
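Review bot: The two firewall lists at the start of this part of the hunk open UDP 80, 443 and 4444 plus TCP 4444 although nothing in this commit listens on them, and 53 is opened while `./nsd.nix` is still commented out of `imports`; every port the host stops filtering is exposure for no service, so trim them to what is served, `networking.firewall.allowedTCPPorts = [ 22 80 443 ];` and `networking.firewall.allowedUDPPorts = [ ];`, and add 53 back in the same change that re-enables nsd. If 4444 is kept it should carry a comment naming the service it is for. The `googlebot` user and the initrd sshd both authenticate by key only, so the main sshd should state the same policy explicitly, `services.openssh.passwordAuthentication = false;`, rather than inheriting whatever the release default is from `services.openssh.enable = true` alone.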
--- /dev/null
+++ b/flakes.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+}
diff --git a/gitlab.nix b/gitlab.nix
new file mode 100644
index 0000000..5b0a6bf
--- /dev/null
+++ b/gitlab.nix
@@ -0,0 +1,112 @@
+{ config, pkgs, ... }:
+
+{
+ services.gitlab = {
+ enable = true;
+ databasePasswordFile = "/var/keys/gitlab/db_password";
+ initialRootPasswordFile = "/var/keys/gitlab/root_password";
+ https = true;
+ host = "git.neet.dev";
+ port = 443;
+ user = "git";
+ group = "git";
+ databaseUsername = "git";
+ smtp = {
+ enable = true;
+ address = "localhost";
+ port = 25;
+ };
+ secrets = {
+ dbFile = "/var/keys/gitlab/db";
+ secretFile = "/var/keys/gitlab/secret";
+ otpFile = "/var/keys/gitlab/otp";
+ jwsFile = "/var/keys/gitlab/jws";
+ };
+ extraConfig = {
+ gitlab = {
+ email_from = "gitlab-no-reply@neet.dev";
+ email_display_name = "neet.dev GitLab";
+ email_reply_to = "gitlab-no-reply@neet.dev";
+ };
+ pages = {
+ enabled = true;
+ host = "pages.neet.dev";
+ port = 443;
+ https = true;
+ };
+ };
+ pagesExtraArgs = [ "-listen-proxy" "127.0.0.1:8090" ];
+ };
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+ services.gitlab-runner = {
+ enable = true;
+ services = {
+ # runner for building in docker via host's nix-daemon
+ # nix store will be readable in runner, might be insecure
+ nix = {
+ registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+ dockerImage = "alpine";
+ dockerVolumes = [
+ "/nix/store:/nix/store:ro"
+ "/nix/var/nix/db:/nix/var/nix/db:ro"
+ "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+ ];
+ dockerDisableCache = true;
+ preBuildScript = pkgs.writeScript "setup-container" ''
+ mkdir -p -m 0755 /nix/var/log/nix/drvs
+ mkdir -p -m 0755 /nix/var/nix/gcroots
+ mkdir -p -m 0755 /nix/var/nix/profiles
+ mkdir -p -m 0755 /nix/var/nix/temproots
+ mkdir -p -m 0755 /nix/var/nix/userpool
+ mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+ mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+ mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+ mkdir -p -m 0700 "$HOME/.nix-defexpr"
+
+ . ${pkgs.nix}/etc/profile.d/nix.sh
+
+ ${pkgs.nix}/bin/nix-env -i ${builtins.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
+
+ ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+ ${pkgs.nix}/bin/nix-channel --update nixpkgs
+ '';
+ environmentVariables = {
+ ENV = "/etc/profile";
+ USER = "root";
+ NIX_REMOTE = "daemon";
+ PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+ NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+ };
+ tagList = [ "nix" ];
+ };
+ # runner for building docker images
+ docker-images = {
+ registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+ dockerImage = "docker:stable";
+ dockerVolumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ tagList = [ "docker-images" ];
+ };
+ # runner for everything else
+ default = {
+ registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+ dockerImage = "debian:stable";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts = {
+ "git.neet.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+ "*.pages.neet.dev" = {
+ forceSSL = true;
+ useACMEHost = "pages.neet.dev";
+ locations."/".proxyPass = "http://localhost:8090";
+ };
+ };
+}
diff --git a/mumble.nix b/mumble.nix
new file mode 100644
index 0000000..7dcec97
--- /dev/null
+++ b/mumble.nix
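Review bot: The `docker-images` runner bind-mounts `/var/run/docker.sock` read-write into the job container, which gives any pipeline scheduled on that runner full control of the host Docker daemon (host-root equivalence), yet only the `nix` runner carries a comment acknowledging that it "might be insecure". All three runners also point at the same `registrationConfigFile`, so they share one registration and cannot be restricted to different projects independently. At minimum document the trust boundary next to the mount, `# docker.sock = root on the host; only projects trusted with host access may use the "docker-images" tag`, and restrict which projects or protected refs may target this runner on the GitLab side (or build images without daemon access).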
@@ -0,0 +1,31 @@
+{ config, ... }:
+
+let
+ murmurPort = 23563;
+ domain = "voice.neet.space";
+ certs = config.security.acme.certs;
+in {
+ config.networking.firewall.allowedTCPPorts = [ murmurPort ];
+ config.networking.firewall.allowedUDPPorts = [ murmurPort ];
+
+ config.services.murmur = {
+ enable = true;
+ port = murmurPort;
+ sslCa = "${certs.${domain}.directory}/chain.pem";
+ sslKey = "${certs.${domain}.directory}/key.pem";
+ sslCert = "${certs.${domain}.directory}/fullchain.pem";
+ welcometext = "Welcome to ${domain}";
+ };
+
+ config.services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ # give mumble access to acme certs
+ config.security.acme.certs.${domain} = {
+ group = "murmur";
+ postRun = "systemctl reload-or-restart murmur";
+ };
+ config.users.users.nginx.extraGroups = [ "murmur" ];
+}
diff --git a/nsd.nix b/nsd.nix
new file mode 100644
index 0000000..00f7272
--- /dev/null
+++ b/nsd.nix
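Review bot: `config.users.users.nginx.extraGroups = [ "murmur" ];` at the end of the file is the one non-obvious line here and has no comment; presumably it keeps nginx able to read the `voice.neet.space` certificate after the `security.acme.certs` entry above switches the files' group to `murmur`, but that reasoning should be written down, e.g. `# cert files now belong to group murmur; nginx still needs read access to serve ${domain}`. Stylistically this module prefixes every option with `config.` while the other new modules set options at the top level; using one form across the files would make them easier to read side by side.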
@@ -0,0 +1,95 @@
+{ config, ... }:
+
+{
+ services.nsd = let
+ self = "142.4.210.222";
+ secondary = "167.114.154.31";
+ in {
+ enable = true;
+ interfaces = [ "0.0.0.0" ];
+ roundRobin = true;
+ ipTransparent = true;
+ zones.neet = rec {
+ provideXFR = [ "${secondary} NOKEY" ];
+ notify = provideXFR;
+ children = {
+ "neet.dev.".data = ''
+$TTL 300
+@ IN SOA ns1.neet.dev. contact.neet.dev. (
+ 2011072000 ;Serial
+ 300 ;Refresh
+ 300 ;Retry
+ 604800 ;Expire
+ 300 ;Minimum TTL
+)
+
+@ IN NS ns1.neet.dev.
+@ IN NS ns2.neet.dev.
+
+@ IN A ${self}
+www IN A ${self}
+irc IN A ${self}
+wiki IN A ${self}
+ns1 IN A ${self}
+ns2 IN A 167.114.154.31
+ragnarok IN A 155.138.219.146
+coder IN A ${self}
+git IN A ${self}
+
+@ IN TXT "rizon_vhost=Googlebot"
+ownercheck IN TXT "dc97b3fd"
+ '';
+ "neet.space.".data = ''
+$TTL 300
+@ IN SOA ns1.neet.dev. contact.neet.dev. (
+ 2011071017 ;Serial
+ 300 ;Refresh
+ 300 ;Retry
+ 604800 ;Expire
+ 300 ;Minimum TTL
+)
+
+@ IN NS ns1.neet.dev.
+@ IN NS ns2.neet.dev.
+
+@ IN A ${self}
+www IN A ${self}
+voice IN A ${self}
+stream IN A ${self}
+radio IN A ${self}
+tube IN A ${self}
+sock.tube IN A ${self}
+mural IN A ${self}
+
+_minecraft._tcp IN SRV 0 5 23589 neet.space.
+_mumble._tcp IN SRV 0 5 23563 voice.neet.space.
+_mumble._tcp.voice IN SRV 0 5 23563 voice.neet.space.
+
+@ IN TXT "rizon_vhost=Googlebot"
+ownercheck IN TXT "dc97b3fd"
+ '';
+ "neet.cloud.".data = ''
+$TTL 300
+@ IN SOA ns1.neet.dev. contact.neet.dev. (
+ 2011071011 ;Serial
+ 300 ;Refresh
+ 300 ;Retry
+ 604800 ;Expire
+ 300 ;Minimum TTL
+)
+
+@ IN NS ns1.neet.dev.
+@ IN NS ns2.neet.dev.
+
+@ IN A ${self}
+www IN A ${self}
+paste IN A ${self}
+globie-info IN A ${self}
+files IN A ${self}
+
+ownercheck IN TXT "dc97b3fd"
+ '';
+ };
+ };
+ };
+}
diff --git a/thelounge.nix b/thelounge.nix
new file mode 100644
index 0000000..510dc40
--- /dev/null
+++ b/thelounge.nix
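Review bot: `provideXFR = [ "${secondary} NOKEY" ];` permits full zone transfers to the secondary on the strength of its source address alone, and `notify = provideXFR` reuses that entry so NOTIFY messages are unsigned too; address-based trust is weak for both, and nsd supports TSIG through `services.nsd.keys`, so referencing a shared key (`"${secondary} <key-name>"` in both lists) is the straightforward hardening once this module is put back into `imports`. Separately, `ns2 IN A 167.114.154.31` in the `neet.dev.` zone spells out the secondary's address literally while the rest of the file interpolates variables; `ns2 IN A ${secondary}` keeps the glue and the transfer ACL from drifting apart. The three SOA serials are hand-maintained, so a one-line comment reminding that they must be bumped on every edit would prevent a silently stale secondary.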
@@ -0,0 +1,44 @@
+{ config, ... }:
+
+{
+ services.thelounge = {
+ enable = true;
+ port = 9000;
+ private = true;
+ extraConfig = {
+ reverseProxy = true;
+ maxHistory = -1;
+ https.enable = false;
+# theme = "thelounge-theme-solarized";
+ prefetch = false;
+ prefetchStorage = false;
+ fileUpload = {
+ enable = true;
+ maxFileSize = -1;
+ baseUrl = "https://files.neet.cloud/irc/";
+ };
+ transports = [ "websocket" "polling" ];
+ leaveMessage = "leaving";
+ messageStorage = [ "sqlite" "text" ];
+ };
+ };
+
+ # the lounge client
+ services.nginx.virtualHosts."irc.neet.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.thelounge.port}";
+ proxyWebsockets = true;
+ };
+ };
+
+ # the lounge files
+ services.nginx.virtualHosts."files.neet.cloud" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/irc" = {
+ proxyPass = "http://localhost:${toString config.services.thelounge.port}/uploads";
+ };
+ };
+}
diff --git a/zerobin.nix b/zerobin.nix
new file mode 100644
index 0000000..0723664
--- /dev/null
+++ b/zerobin.nix
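Review bot: `maxFileSize = -1;` removes the application-side cap on uploads, and the same uploads are then served publicly through `files.neet.cloud/irc`, so any logged-in user of this `private` instance can fill the disk with a single request stream; a finite value such as `maxFileSize = 10240;` (kilobytes, per The Lounge's own option) is the safer default. In practice nginx's default `client_max_body_size` of 1m would currently reject larger bodies on the `irc.neet.dev` vhost anyway, so the effective limit is accidental; setting both the vhost limit and this option explicitly makes the intended ceiling visible. `maxHistory = -1;` likewise keeps unbounded history in the `sqlite` and `text` stores and deserves a comment if that is deliberate.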
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+let
+ zerobin_config = pkgs.writeText "zerobin-config.py" ''
+ PASTE_FILES_ROOT = "/var/lib/zerobin"
+ '';
+in {
+# services.zerobin = {
+# enable = true;
+# listenAddress = "0.0.0.0";
+# listenPort = 9002;
+# };
+
+ nixpkgs.config.packageOverrides = pkgs:
+ with pkgs;
+ {
+ python38Packages.cherrypy = python38Packages.cherrypy.overrideAttrs (attrs: rec {
+ src = fetchPypi {
+ pname = "CherryPy";
+ version = "8.9.1";
+ sha256 = "";
+ };
+ });
+ };
+
+ services.nginx.virtualHosts."paste.neet.cloud" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:9002";
+ };
+ };
+
+ users.users.zerobin = {
+ isSystemUser = true;
+ group = "zerobin";
+ home = "/var/lib/zerobin";
+ createHome = true;
+ };
+ users.groups.zerobin = {};
+
+ systemd.services.zerobin = {
+ enable = true;
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = "${pkgs.python38Packages.zerobin}/bin/zerobin 0.0.0.0 9002 false zerobin zerobin ${zerobin_config}";
+ serviceConfig.PrivateTmp="yes";
+ serviceConfig.User = "zerobin";
+ serviceConfig.Group = "zerobin";
+ preStart = ''
+ mkdir -p "/var/lib/zerobin"
+ chown zerobin "/var/lib/zerobin"
+ '';
+ };
+}
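Review bot: `python38Packages.cherrypy = python38Packages.cherrypy.overrideAttrs (…)` inside `packageOverrides` is a dotted attribute, i.e. it yields `{ python38Packages = { cherrypy = …; }; }`, and as far as I can tell packageOverrides is merged into `pkgs` shallowly, so the whole `python38Packages` set is replaced by that single attribute and `${pkgs.python38Packages.zerobin}` in `ExecStart` no longer evaluates. Route the override through `python38.override { packageOverrides = … }` as sketched below, and replace `sha256 = ""` with the real hash of the 8.9.1 sdist — an empty hash cannot match the download, so nothing is integrity-pinned and the build cannot succeed until it is filled in; the downgrade to CherryPy 8.9.1 also deserves a comment saying why it is needed. Separately, `ExecStart` binds zerobin to `0.0.0.0 9002` although nginx proxies it from localhost and the firewall lists in configuration.nix do not open 9002; `127.0.0.1 9002` keeps the unauthenticated paste service reachable only through nginx without relying on the firewall. `serviceConfig.PrivateTmp="yes";` also lacks the spacing around `=` used on every neighbouring line.
```nix
  nixpkgs.config.packageOverrides = pkgs: rec {
    # Override cherrypy inside the python38 package set instead of replacing
    # the whole python38Packages attribute; python38Packages is re-derived
    # from the overridden interpreter so pkgs.python38Packages.zerobin survives.
    python38 = pkgs.python38.override {
      packageOverrides = pself: psuper: {
        cherrypy = psuper.cherrypy.overrideAttrs (attrs: {
          src = psuper.fetchPypi {
            pname = "CherryPy";
            version = "8.9.1";
            sha256 = "<FILL-IN: sha256 of the CherryPy 8.9.1 sdist>"; # placeholder
          };
        });
      };
    };
    python38Packages = python38.pkgs;
  };
  # … unchanged: nginx vhost, zerobin user/group …
```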