zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

initial

Browse Source
This commit is contained in:
zuckerberg 2021-02-06 23:06:05 -05:00
commit 4e722ab5ff
7 changed files with 493 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
configuration.nix Normal file
View File

@ -0,0 +1,146 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./flakes.nix
./hardware-configuration.nix
# ./nsd.nix
./thelounge.nix
./mumble.nix
# ./hedgedoc.nix
# ./postgres.nix
# ./zerobin.nix
./gitlab.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "neetdev";
networking.wireless.enable = false;
# Set your time zone.
time.timeZone = "America/New_York";
networking.useDHCP = true; # just in case... (todo ensure false doesn't fuck up initrd)
networking.interfaces.eno1.useDHCP = true;
i18n.defaultLocale = "en_US.UTF-8";
users.users.googlebot = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
];
};
environment.systemPackages = with pkgs; [
wget kakoune
];
# Enable the OpenSSH daemon.
services.openssh.enable = true;
security.acme.acceptTerms = true;
security.acme.email = "letsencrypt+5@tar.ninja";
security.acme.certs = {
"pages.neet.dev" = {
group = "nginx";
domain = "*.pages.neet.dev";
dnsProvider = "digitalocean";
credentialsFile = "/var/lib/secrets/certs.secret";
};
# "neet.space" = {
# group = "nginx";
# domain = "*.neet.space";
# dnsProvider = "digitalocean";
# credentialsFile = "/var/lib/secrets/certs.secret";
# };
# "neet.cloud" = {
# group = "nginx";
# domain = "*.neet.cloud";
# dnsProvider = "digitalocean";
# credentialsFile = "/var/lib/secrets/certs.secret";
# };
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 53 80 443 4444 ];
networking.firewall.allowedUDPPorts = [ 53 80 443 4444 ];
# LUKS
boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
# Unlock LUKS disk over ssh
boot.initrd.network.enable = true;
boot.initrd.kernelModules = [ "e1000" "e1000e" "virtio_pci" ];
boot.initrd.network.ssh = {
enable = true;
port = 22;
hostKeys = [
"/secret/ssh_host_rsa_key"
"/secret/ssh_host_ed25519_key"
];
authorizedKeys = config.users.users.googlebot.openssh.authorizedKeys.keys;
};
# TODO is this needed?
boot.initrd.postDeviceCommands = ''
echo 'waiting for root device to be opened...'
mkfifo /crypt-ramfs/passphrase
echo /crypt-ramfs/passphrase >> /dev/null
'';
# Make machine accessable over tor for boot unlock
boot.initrd.secrets = {
"/etc/tor/onion/bootup" = /secret/onion;
};
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.tor}/bin/tor
copy_bin_and_libs ${pkgs.haveged}/bin/haveged
'';
# start tor during boot process
boot.initrd.network.postCommands = let
torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22
'');
in ''
# Add nice prompt for giving LUKS passphrase over ssh
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
ip link set lo up
echo "haveged: starting haveged"
haveged -F &
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc} &
'';
system.stateVersion = "20.09";
}

10
flakes.nix Normal file
View File

@ -0,0 +1,10 @@
{ pkgs, ... }:
{
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
}

112
gitlab.nix Normal file
View File

@ -0,0 +1,112 @@
{ config, pkgs, ... }:
{
services.gitlab = {
enable = true;
databasePasswordFile = "/var/keys/gitlab/db_password";
initialRootPasswordFile = "/var/keys/gitlab/root_password";
https = true;
host = "git.neet.dev";
port = 443;
user = "git";
group = "git";
databaseUsername = "git";
smtp = {
enable = true;
address = "localhost";
port = 25;
};
secrets = {
dbFile = "/var/keys/gitlab/db";
secretFile = "/var/keys/gitlab/secret";
otpFile = "/var/keys/gitlab/otp";
jwsFile = "/var/keys/gitlab/jws";
};
extraConfig = {
gitlab = {
email_from = "gitlab-no-reply@neet.dev";
email_display_name = "neet.dev GitLab";
email_reply_to = "gitlab-no-reply@neet.dev";
};
pages = {
enabled = true;
host = "pages.neet.dev";
port = 443;
https = true;
};
};
pagesExtraArgs = [ "-listen-proxy" "127.0.0.1:8090" ];
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
services.gitlab-runner = {
enable = true;
services = {
# runner for building in docker via host's nix-daemon
# nix store will be readable in runner, might be insecure
nix = {
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix.sh
${pkgs.nix}/bin/nix-env -i ${builtins.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
${pkgs.nix}/bin/nix-channel --update nixpkgs
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = [ "nix" ];
};
# runner for building docker images
docker-images = {
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "docker:stable";
dockerVolumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
tagList = [ "docker-images" ];
};
# runner for everything else
default = {
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "debian:stable";
};
};
};
services.nginx.virtualHosts = {
"git.neet.dev" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
"*.pages.neet.dev" = {
forceSSL = true;
useACMEHost = "pages.neet.dev";
locations."/".proxyPass = "http://localhost:8090";
};
};
}

31
mumble.nix Normal file
View File

@ -0,0 +1,31 @@
{ config, ... }:
let
murmurPort = 23563;
domain = "voice.neet.space";
certs = config.security.acme.certs;
in {
config.networking.firewall.allowedTCPPorts = [ murmurPort ];
config.networking.firewall.allowedUDPPorts = [ murmurPort ];
config.services.murmur = {
enable = true;
port = murmurPort;
sslCa = "${certs.${domain}.directory}/chain.pem";
sslKey = "${certs.${domain}.directory}/key.pem";
sslCert = "${certs.${domain}.directory}/fullchain.pem";
welcometext = "Welcome to ${domain}";
};
config.services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
};
# give mumble access to acme certs
config.security.acme.certs.${domain} = {
group = "murmur";
postRun = "systemctl reload-or-restart murmur";
};
config.users.users.nginx.extraGroups = [ "murmur" ];
}

95
nsd.nix Normal file
View File

@ -0,0 +1,95 @@
{ config, ... }:
{
services.nsd = let
self = "142.4.210.222";
secondary = "167.114.154.31";
in {
enable = true;
interfaces = [ "0.0.0.0" ];
roundRobin = true;
ipTransparent = true;
zones.neet = rec {
provideXFR = [ "${secondary} NOKEY" ];
notify = provideXFR;
children = {
"neet.dev.".data = ''
$TTL 300
@ IN SOA ns1.neet.dev. contact.neet.dev. (
2011072000 ;Serial
300 ;Refresh
300 ;Retry
604800 ;Expire
300 ;Minimum TTL
)
@ IN NS ns1.neet.dev.
@ IN NS ns2.neet.dev.
@ IN A ${self}
www IN A ${self}
irc IN A ${self}
wiki IN A ${self}
ns1 IN A ${self}
ns2 IN A 167.114.154.31
ragnarok IN A 155.138.219.146
coder IN A ${self}
git IN A ${self}
@ IN TXT "rizon_vhost=Googlebot"
ownercheck IN TXT "dc97b3fd"
'';
"neet.space.".data = ''
$TTL 300
@ IN SOA ns1.neet.dev. contact.neet.dev. (
2011071017 ;Serial
300 ;Refresh
300 ;Retry
604800 ;Expire
300 ;Minimum TTL
)
@ IN NS ns1.neet.dev.
@ IN NS ns2.neet.dev.
@ IN A ${self}
www IN A ${self}
voice IN A ${self}
stream IN A ${self}
radio IN A ${self}
tube IN A ${self}
sock.tube IN A ${self}
mural IN A ${self}
_minecraft._tcp IN SRV 0 5 23589 neet.space.
_mumble._tcp IN SRV 0 5 23563 voice.neet.space.
_mumble._tcp.voice IN SRV 0 5 23563 voice.neet.space.
@ IN TXT "rizon_vhost=Googlebot"
ownercheck IN TXT "dc97b3fd"
'';
"neet.cloud.".data = ''
$TTL 300
@ IN SOA ns1.neet.dev. contact.neet.dev. (
2011071011 ;Serial
300 ;Refresh
300 ;Retry
604800 ;Expire
300 ;Minimum TTL
)
@ IN NS ns1.neet.dev.
@ IN NS ns2.neet.dev.
@ IN A ${self}
www IN A ${self}
paste IN A ${self}
globie-info IN A ${self}
files IN A ${self}
ownercheck IN TXT "dc97b3fd"
'';
};
};
};
}

44
thelounge.nix Normal file
View File

@ -0,0 +1,44 @@
{ config, ... }:
{
services.thelounge = {
enable = true;
port = 9000;
private = true;
extraConfig = {
reverseProxy = true;
maxHistory = -1;
https.enable = false;
# theme = "thelounge-theme-solarized";
prefetch = false;
prefetchStorage = false;
fileUpload = {
enable = true;
maxFileSize = -1;
baseUrl = "https://files.neet.cloud/irc/";
};
transports = [ "websocket" "polling" ];
leaveMessage = "leaving";
messageStorage = [ "sqlite" "text" ];
};
};
# the lounge client
services.nginx.virtualHosts."irc.neet.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.thelounge.port}";
proxyWebsockets = true;
};
};
# the lounge files
services.nginx.virtualHosts."files.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/irc" = {
proxyPass = "http://localhost:${toString config.services.thelounge.port}/uploads";
};
};
}

55
zerobin.nix Normal file
View File

@ -0,0 +1,55 @@
{ config, pkgs, ... }:
let
zerobin_config = pkgs.writeText "zerobin-config.py" ''
PASTE_FILES_ROOT = "/var/lib/zerobin"
'';
in {
# services.zerobin = {
# enable = true;
# listenAddress = "0.0.0.0";
# listenPort = 9002;
# };
nixpkgs.config.packageOverrides = pkgs:
with pkgs;
{
python38Packages.cherrypy = python38Packages.cherrypy.overrideAttrs (attrs: rec {
src = fetchPypi {
pname = "CherryPy";
version = "8.9.1";
sha256 = "";
};
});
};
services.nginx.virtualHosts."paste.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:9002";
};
};
users.users.zerobin = {
isSystemUser = true;
group = "zerobin";
home = "/var/lib/zerobin";
createHome = true;
};
users.groups.zerobin = {};
systemd.services.zerobin = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.python38Packages.zerobin}/bin/zerobin 0.0.0.0 9002 false zerobin zerobin ${zerobin_config}";
serviceConfig.PrivateTmp="yes";
serviceConfig.User = "zerobin";
serviceConfig.Group = "zerobin";
preStart = ''
mkdir -p "/var/lib/zerobin"
chown zerobin "/var/lib/zerobin"
'';
};
}