marukuru: switch to heptapod
This commit is contained in:
parent
a68ea0ce27
commit
24fe8291c2
1 changed files with 43 additions and 227 deletions
|
@ -2,7 +2,6 @@
|
||||||
{ config, ... }:
|
{ config, ... }:
|
||||||
let
|
let
|
||||||
inherit (depot.ops) secrets;
|
inherit (depot.ops) secrets;
|
||||||
myPhp = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu all.mailparse ]);
|
|
||||||
in {
|
in {
|
||||||
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
|
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
|
||||||
boot.kernelModules = [ "tcp_bbr" ];
|
boot.kernelModules = [ "tcp_bbr" ];
|
||||||
|
@ -60,109 +59,23 @@ in {
|
||||||
|
|
||||||
# Set your time zone.
|
# Set your time zone.
|
||||||
time.timeZone = "Etc/UTC";
|
time.timeZone = "Etc/UTC";
|
||||||
|
nix.useSandbox = true;
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
vim
|
vim
|
||||||
mercurial
|
mercurial
|
||||||
gitAndTools.gitFull
|
|
||||||
nodejs
|
|
||||||
rxvt_unicode.terminfo
|
rxvt_unicode.terminfo
|
||||||
python37Packages.pygments
|
|
||||||
rebuilder
|
rebuilder
|
||||||
myPhp
|
|
||||||
];
|
];
|
||||||
environment.etc."php.d/cache.ini".text = ''
|
|
||||||
zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
|
|
||||||
|
|
||||||
opcache.validate_timestamps=0
|
|
||||||
opcache.enable_cli=1
|
|
||||||
'';
|
|
||||||
environment.etc."ssh/phabricator-ssh-hook" = {
|
|
||||||
text = ''
|
|
||||||
#!${pkgs.stdenv.shell}
|
|
||||||
VCSUSER="vcs"
|
|
||||||
ROOT="/srv/http/phab.lukegb.com/phabricator"
|
|
||||||
PATH="${pkgs.php}/bin:$PATH"
|
|
||||||
|
|
||||||
if [ "$1" != "$VCSUSER" ];
|
|
||||||
then
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
exec "$ROOT/bin/ssh-auth" $@
|
|
||||||
'';
|
|
||||||
mode = "0555";
|
|
||||||
user = "root";
|
|
||||||
group = "root";
|
|
||||||
};
|
|
||||||
environment.etc."phabricator-php" = {
|
|
||||||
text = ''
|
|
||||||
#!${pkgs.stdenv.shell}
|
|
||||||
export PATH="${pkgs.php}/bin:$PATH"
|
|
||||||
exec "${pkgs.php}/bin/php" $@
|
|
||||||
'';
|
|
||||||
mode = "0555";
|
|
||||||
user = "root";
|
|
||||||
group = "root";
|
|
||||||
};
|
|
||||||
environment.etc."ssh/sshd_config.phabricator".text = ''
|
|
||||||
AuthorizedKeysCommand /etc/ssh/phabricator-ssh-hook
|
|
||||||
AuthorizedKeysCommandUser vcs
|
|
||||||
AllowUsers vcs anonvcs
|
|
||||||
|
|
||||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
||||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
||||||
|
|
||||||
Port 22
|
|
||||||
Protocol 2
|
|
||||||
PermitRootLogin no
|
|
||||||
AllowAgentForwarding no
|
|
||||||
AllowTcpForwarding no
|
|
||||||
PrintMotd no
|
|
||||||
PrintLastLog no
|
|
||||||
PasswordAuthentication no
|
|
||||||
ChallengeResponseAuthentication no
|
|
||||||
AuthorizedKeysFile none
|
|
||||||
|
|
||||||
Match User anonvcs
|
|
||||||
ForceCommand /srv/http/phab.lukegb.com/phabricator/bin/ssh-exec --phabricator-ssh-user anonymous --phabricator-ssh-key 1
|
|
||||||
PasswordAuthentication yes
|
|
||||||
PermitEmptyPasswords yes
|
|
||||||
AuthenticationMethods none password
|
|
||||||
PermitListen none
|
|
||||||
PermitOpen none
|
|
||||||
X11Forwarding no
|
|
||||||
PermitTTY no
|
|
||||||
PermitTunnel no
|
|
||||||
AllowAgentForwarding no
|
|
||||||
AllowTcpForwarding no
|
|
||||||
AllowStreamLocalForwarding no
|
|
||||||
'';
|
|
||||||
systemd.services."sshd-phabricator" = {
|
|
||||||
description = "SSH Daemon for Phabricator";
|
|
||||||
stopIfChanged = false;
|
|
||||||
wantedBy = ["multi-user.target"];
|
|
||||||
path = [ config.programs.ssh.package ];
|
|
||||||
environment.LD_LIBRARY_PATH = config.system.nssModules.path;
|
|
||||||
restartTriggers = [
|
|
||||||
config.environment.etc."ssh/sshd_config".text
|
|
||||||
];
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${config.programs.ssh.package}/bin/sshd -f /etc/ssh/sshd_config.phabricator";
|
|
||||||
KillMode = "process";
|
|
||||||
Restart = "always";
|
|
||||||
Type = "simple";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
programs.mtr.enable = true;
|
programs.mtr.enable = true;
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
services.openssh.ports = [ 20022 ];
|
services.openssh.ports = [ 20022 ];
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
|
interfaces.docker0.allowedTCPPorts = [ 25 ];
|
||||||
allowedTCPPorts = [ 22 80 443 20022 ];
|
allowedTCPPorts = [ 22 80 443 20022 ];
|
||||||
# allowedUDPPorts = [];
|
# allowedUDPPorts = [];
|
||||||
allowPing = true;
|
allowPing = true;
|
||||||
|
@ -170,9 +83,6 @@ in {
|
||||||
|
|
||||||
# Define a user account.
|
# Define a user account.
|
||||||
users.mutableUsers = false;
|
users.mutableUsers = false;
|
||||||
users.groups = {
|
|
||||||
phabricator = {};
|
|
||||||
};
|
|
||||||
users.users = {
|
users.users = {
|
||||||
root.hashedPassword = secrets.passwordHashes.root;
|
root.hashedPassword = secrets.passwordHashes.root;
|
||||||
lukegb = {
|
lukegb = {
|
||||||
|
@ -181,157 +91,26 @@ in {
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = [ "wheel" ];
|
||||||
hashedPassword = secrets.passwordHashes.root;
|
hashedPassword = secrets.passwordHashes.root;
|
||||||
};
|
};
|
||||||
phabricator = {
|
|
||||||
isSystemUser = true;
|
|
||||||
home = "/srv/http/phab.lukegb.com";
|
|
||||||
group = "phabricator";
|
|
||||||
};
|
|
||||||
postfix = {
|
postfix = {
|
||||||
extraGroups = [ "opendkim" ];
|
extraGroups = [ "opendkim" ];
|
||||||
};
|
};
|
||||||
vcs = {
|
|
||||||
isSystemUser = true;
|
|
||||||
hashedPassword = "NP";
|
|
||||||
shell = "/bin/sh";
|
|
||||||
group = "phabricator";
|
|
||||||
};
|
|
||||||
anonvcs = {
|
|
||||||
isSystemUser = true;
|
|
||||||
hashedPassword = "";
|
|
||||||
shell = "/bin/sh";
|
|
||||||
group = "phabricator";
|
|
||||||
};
|
|
||||||
builder1 = {
|
|
||||||
isSystemUser = true;
|
|
||||||
hashedPassword = "";
|
|
||||||
shell = "/bin/sh";
|
|
||||||
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGXwDOm+ZwWNp97+W1cdzMCzfBzwP0CHt9lxPTSzomU"];
|
|
||||||
createHome = true;
|
|
||||||
home = "/home/builder1";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
security.sudo.extraRules = [{
|
|
||||||
users = [ "vcs" "anonvcs" ];
|
|
||||||
runAs = "phabricator";
|
|
||||||
commands = map (command: { inherit command; options = [ "NOPASSWD" "SETENV" ]; }) [
|
|
||||||
"${pkgs.git}/bin/git"
|
|
||||||
"${pkgs.git}/bin/git-upload-pack"
|
|
||||||
"${pkgs.git}/bin/git-receive-pack"
|
|
||||||
"${pkgs.mercurial}/bin/hg"
|
|
||||||
];
|
|
||||||
}];
|
|
||||||
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
virtualHosts."phab.lukegb.com" = {
|
|
||||||
serverAliases = [ "phabusercontent.zxcvbnm.ninja" ];
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations."/" = {
|
|
||||||
root = "/srv/http/phab.lukegb.com/phabricator/webroot";
|
|
||||||
extraConfig = ''
|
|
||||||
client_max_body_size 512M;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
index index.php;
|
|
||||||
rewrite ^/(.*)$ /index.php?__path__=/$1 last;
|
|
||||||
}
|
|
||||||
location /index.php {
|
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
||||||
fastcgi_pass unix:${config.services.phpfpm.pools.phabricator.socket};
|
|
||||||
fastcgi_index index.php;
|
|
||||||
|
|
||||||
#required if PHP was built with --enable-force-cgi-redirect
|
|
||||||
fastcgi_param REDIRECT_STATUS 200;
|
|
||||||
|
|
||||||
#variables to make the $_SERVER populate in PHP
|
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
fastcgi_param QUERY_STRING $query_string;
|
|
||||||
fastcgi_param REQUEST_METHOD $request_method;
|
|
||||||
fastcgi_param CONTENT_TYPE $content_type;
|
|
||||||
fastcgi_param CONTENT_LENGTH $content_length;
|
|
||||||
|
|
||||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
|
||||||
|
|
||||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
|
||||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
|
||||||
|
|
||||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
|
||||||
fastcgi_param HTTPS on;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
virtualHosts."phab-ws.lukegb.com" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:22280/";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.phpfpm.phpOptions = ''
|
|
||||||
zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
|
|
||||||
|
|
||||||
opcache.validate_timestamps=0
|
|
||||||
opcache.enable_cli=1
|
|
||||||
'';
|
|
||||||
services.phpfpm.pools.phabricator = {
|
|
||||||
user = "phabricator";
|
|
||||||
phpPackage = myPhp;
|
|
||||||
settings = {
|
|
||||||
"listen.owner" = config.services.nginx.user;
|
|
||||||
"pm" = "dynamic";
|
|
||||||
"pm.max_children" = 32;
|
|
||||||
"pm.max_requests" = 500;
|
|
||||||
"pm.start_servers" = 2;
|
|
||||||
"pm.min_spare_servers" = 2;
|
|
||||||
"pm.max_spare_servers" = 5;
|
|
||||||
"php_admin_value[error_log]" = "syslog";
|
|
||||||
"php_admin_flag[log_errors]" = true;
|
|
||||||
"php_admin_value[date.timezone]" = "Europe/London";
|
|
||||||
"php_admin_value[post_max_size]" = "512M";
|
|
||||||
"php_admin_value[memory_limit]" = "-1";
|
|
||||||
"php_admin_value[max_input_vars]" = "999999999";
|
|
||||||
"php_admin_value[upload_max_filesize]" = "512M";
|
|
||||||
"catch_workers_output" = true;
|
|
||||||
};
|
|
||||||
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.mysql = {
|
|
||||||
enable = true;
|
|
||||||
package = pkgs.mariadb;
|
|
||||||
settings.mysqld = {
|
|
||||||
max_allowed_packet = "128M";
|
|
||||||
sql_mode = "STRICT_ALL_TABLES";
|
|
||||||
innodb_buffer_pool_size = "1600M";
|
|
||||||
local_infile = "0";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.postfix = {
|
services.postfix = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "phab.lukegb.com";
|
domain = "hg.lukegb.com";
|
||||||
hostname = "phab.lukegb.com";
|
hostname = "hg.lukegb.com";
|
||||||
extraAliases = ''
|
|
||||||
phabricator: "|${pkgs.php}/bin/php /srv/http/phab.lukegb.com/phabricator/scripts/mail/mail_handler.php"
|
|
||||||
'';
|
|
||||||
virtual = ''
|
|
||||||
@phab.lukegb.com phabricator@localhost
|
|
||||||
'';
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
milter_protocol = 2
|
milter_protocol = 2
|
||||||
milter_default_action = accept
|
milter_default_action = accept
|
||||||
smtpd_milters = ${config.services.opendkim.socket}
|
smtpd_milters = ${config.services.opendkim.socket}
|
||||||
non_smtpd_milters = ${config.services.opendkim.socket}
|
non_smtpd_milters = ${config.services.opendkim.socket}
|
||||||
'';
|
'';
|
||||||
|
networks = [ "172.17.0.0/16" ];
|
||||||
};
|
};
|
||||||
services.opendkim = {
|
services.opendkim = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domains = "csl:phab.lukegb.com";
|
domains = "csl:hg.lukegb.com";
|
||||||
selector = "marukuru";
|
selector = "marukuru";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -340,6 +119,43 @@ in {
|
||||||
email = "letsencrypt@lukegb.com";
|
email = "letsencrypt@lukegb.com";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
docker-containers.heptapod-runner = {
|
||||||
|
image = "octobus/heptapod-runner:0.2.0";
|
||||||
|
volumes = [
|
||||||
|
"/srv/gitlab-runner/config:/etc/gitlab-runner"
|
||||||
|
"/var/run/docker.sock:/var/run/docker.sock"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
docker-containers.heptapod = {
|
||||||
|
#image = "octobus/heptapod:0.12.3";
|
||||||
|
image = "heptapod:latest";
|
||||||
|
ports = [
|
||||||
|
# host:container
|
||||||
|
"22:22"
|
||||||
|
"80:80"
|
||||||
|
"443:443"
|
||||||
|
];
|
||||||
|
volumes = [
|
||||||
|
"/srv/gitlab/config:/etc/gitlab"
|
||||||
|
"/srv/gitlab/logs:/var/log/gitlab"
|
||||||
|
"/srv/gitlab/data:/var/opt/gitlab"
|
||||||
|
];
|
||||||
|
environment = {
|
||||||
|
GITLAB_OMNIBUS_CONFIG = builtins.replaceStrings ["\n"] [";"] ''
|
||||||
|
external_url "https://hg.lukegb.com"
|
||||||
|
letsencrypt['enable'] = true
|
||||||
|
letsencrypt['contact_emails'] = ['letsencrypt@lukegb.com']
|
||||||
|
nginx['redirect_http_to_https'] = true
|
||||||
|
|
||||||
|
gitlab_rails['smtp_enable'] = true
|
||||||
|
gitlab_rails['smtp_address'] = '103.105.48.15'
|
||||||
|
gitlab_rails['smtp_port'] = 25
|
||||||
|
gitlab_rails['gitlab_email_from'] = 'heptapod@hg.lukegb.com'
|
||||||
|
gitlab_rails['gitlab_email_reply_to'] = 'noreply@hg.lukegb.com'
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
|
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
|
||||||
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
|
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue