marukuru: add
This commit is contained in:
parent
28e47f9384
commit
2f35c4835b
3 changed files with 342 additions and 1 deletions
|
@ -1 +1,6 @@
|
|||
ops/secrets/
|
||||
|
||||
syntax: glob
|
||||
*.sw?
|
||||
*.pyc
|
||||
*~
|
||||
|
|
|
@ -6,7 +6,7 @@ let
|
|||
configuration = lib.fix
|
||||
(config: foldl' lib.recursiveUpdate { } (map (c: c config) configs));
|
||||
}).system;
|
||||
systems = [ "porcorosso" "ixvm-fra01" ];
|
||||
systems = [ "porcorosso" "ixvm-fra01" "marukuru" ];
|
||||
rebuilder = system:
|
||||
pkgs.writeShellScriptBin "rebuilder" ''
|
||||
set -ue
|
||||
|
|
336
ops/nixos/marukuru/default.nix
Normal file
336
ops/nixos/marukuru/default.nix
Normal file
|
@ -0,0 +1,336 @@
|
|||
{ depot, lib, pkgs, rebuilder, ... }:
|
||||
config:
|
||||
let
|
||||
inherit (depot.ops) secrets;
|
||||
in lib.fix (self: {
|
||||
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
|
||||
boot.kernelModules = [ "tcp_bbr" ];
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv6.conf.default.accept_ra" = 1;
|
||||
"net.ipv6.conf.all.accept_ra" = 1;
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/vda1";
|
||||
fsType = "ext4";
|
||||
};
|
||||
};
|
||||
|
||||
nix.maxJobs = lib.mkDefault 2;
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
nixpkgs.config = { allowUnfree = true; };
|
||||
|
||||
nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];
|
||||
|
||||
# Use GRUB2.
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
|
||||
# Networking!
|
||||
networking = {
|
||||
hostName = "marukuru"; # Define your hostname.
|
||||
domain = "lukegb.xyz";
|
||||
nameservers = ["2001:4860:4860::8888" "8.8.8.8"];
|
||||
useDHCP = false;
|
||||
defaultGateway = {
|
||||
address = "103.105.48.1"; interface = "eth0";
|
||||
};
|
||||
dhcpcd.enable = false;
|
||||
usePredictableInterfaceNames = true;
|
||||
interfaces = {
|
||||
eth0 = {
|
||||
ipv4.addresses = [
|
||||
{ address="103.105.48.15"; prefixLength=24; }
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{ address="2402:28c0:4:104e::1"; prefixLength=64; }
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
services.udev.extraRules = ''
|
||||
ATTR{address}=="52:54:00:84:e2:2a", NAME="eth0"
|
||||
'';
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console.keyMap = "us";
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Etc/UTC";
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
mercurial
|
||||
gitAndTools.gitFull
|
||||
php phpPackages.mailparse
|
||||
nodejs
|
||||
rxvt_unicode.terminfo
|
||||
rebuilder
|
||||
];
|
||||
environment.etc."php.d/mailparse.ini".text = ''
|
||||
extension=${pkgs.phpPackages.mailparse}/lib/php/extensions/mailparse.so
|
||||
'';
|
||||
environment.etc."php.d/cache.ini".text = ''
|
||||
zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
|
||||
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
|
||||
|
||||
opcache.validate_timestamps=0
|
||||
opcache.enable_cli=1
|
||||
'';
|
||||
environment.etc."ssh/phabricator-ssh-hook" = {
|
||||
text = ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
VCSUSER="vcs"
|
||||
ROOT="/srv/http/phab.lukegb.com/phabricator"
|
||||
PATH="${pkgs.php}/bin:$PATH"
|
||||
|
||||
if [ "$1" != "$VCSUSER" ];
|
||||
then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exec "$ROOT/bin/ssh-auth" $@
|
||||
'';
|
||||
mode = "0555";
|
||||
user = "root";
|
||||
group = "root";
|
||||
};
|
||||
environment.etc."phabricator-php" = {
|
||||
text = ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
export PATH="${pkgs.php}/bin:$PATH"
|
||||
exec "${pkgs.php}/bin/php" $@
|
||||
'';
|
||||
mode = "0555";
|
||||
user = "root";
|
||||
group = "root";
|
||||
};
|
||||
environment.etc."ssh/sshd_config.phabricator".text = ''
|
||||
AuthorizedKeysCommand /etc/ssh/phabricator-ssh-hook
|
||||
AuthorizedKeysCommandUser vcs
|
||||
AllowUsers vcs anonvcs
|
||||
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||
|
||||
Port 22
|
||||
Protocol 2
|
||||
PermitRootLogin no
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding no
|
||||
PrintMotd no
|
||||
PrintLastLog no
|
||||
PasswordAuthentication no
|
||||
ChallengeResponseAuthentication no
|
||||
AuthorizedKeysFile none
|
||||
|
||||
Match User anonvcs
|
||||
ForceCommand /srv/http/phab.lukegb.com/phabricator/bin/ssh-exec --phabricator-ssh-user anonymous --phabricator-ssh-key 1
|
||||
PasswordAuthentication yes
|
||||
PermitEmptyPasswords yes
|
||||
AuthenticationMethods none password
|
||||
PermitListen none
|
||||
PermitOpen none
|
||||
X11Forwarding no
|
||||
PermitTTY no
|
||||
PermitTunnel no
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding no
|
||||
AllowStreamLocalForwarding no
|
||||
'';
|
||||
systemd.services."sshd-phabricator" = {
|
||||
description = "SSH Daemon for Phabricator";
|
||||
stopIfChanged = false;
|
||||
wantedBy = ["multi-user.target"];
|
||||
path = [ config.programs.ssh.package ];
|
||||
environment.LD_LIBRARY_PATH = config.system.nssModules.path;
|
||||
restartTriggers = [
|
||||
config.environment.etc."ssh/sshd_config".text
|
||||
];
|
||||
serviceConfig = {
|
||||
ExecStart = "${config.programs.ssh.package}/bin/sshd -f /etc/ssh/sshd_config.phabricator";
|
||||
KillMode = "process";
|
||||
Restart = "always";
|
||||
Type = "simple";
|
||||
};
|
||||
};
|
||||
|
||||
programs.mtr.enable = true;
|
||||
services.openssh.enable = true;
|
||||
services.openssh.ports = [ 20022 ];
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 22 80 443 20022 ];
|
||||
# allowedUDPPorts = [];
|
||||
allowPing = true;
|
||||
};
|
||||
|
||||
# Define a user account.
|
||||
users.mutableUsers = false;
|
||||
users.users = {
|
||||
root.hashedPassword = secrets.passwordHashes.root;
|
||||
lukegb = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = [ "wheel" ];
|
||||
hashedPassword = secrets.passwordHashes.root;
|
||||
};
|
||||
phabricator = {
|
||||
isSystemUser = true;
|
||||
home = "/srv/http/phab.lukegb.com";
|
||||
group = "phabricator";
|
||||
};
|
||||
postfix = {
|
||||
extraGroups = [ "opendkim" ];
|
||||
};
|
||||
vcs = {
|
||||
isSystemUser = true;
|
||||
hashedPassword = "NP";
|
||||
shell = "/bin/sh";
|
||||
group = "phabricator";
|
||||
};
|
||||
anonvcs = {
|
||||
isSystemUser = true;
|
||||
hashedPassword = "";
|
||||
shell = "/bin/sh";
|
||||
group = "phabricator";
|
||||
};
|
||||
};
|
||||
security.sudo.extraRules = [{
|
||||
users = [ "vcs" "anonvcs" ];
|
||||
runAs = "phabricator";
|
||||
commands = map (command: { inherit command; options = [ "NOPASSWD" "SETENV" ]; }) [
|
||||
"${pkgs.git}/bin/git"
|
||||
"${pkgs.git}/bin/git-upload-pack"
|
||||
"${pkgs.git}/bin/git-receive-pack"
|
||||
"${pkgs.mercurial}/bin/hg"
|
||||
];
|
||||
}];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."phab.lukegb.com" = {
|
||||
serverAliases = [ "phabusercontent.zxcvbnm.ninja" ];
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
root = "/srv/http/phab.lukegb.com/phabricator/webroot";
|
||||
extraConfig = ''
|
||||
client_max_body_size 512M;
|
||||
|
||||
location / {
|
||||
index index.php;
|
||||
rewrite ^/(.*)$ /index.php?__path__=/$1 last;
|
||||
}
|
||||
location /index.php {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:${config.services.phpfpm.pools.phabricator.socket};
|
||||
fastcgi_index index.php;
|
||||
|
||||
#required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
||||
|
||||
#variables to make the $_SERVER populate in PHP
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param HTTPS on;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
virtualHosts."phab-ws.lukegb.com" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:22280/";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.phpfpm.phpOptions = ''
|
||||
zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
|
||||
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
|
||||
extension=${pkgs.phpPackages.mailparse}/lib/php/extensions/mailparse.so
|
||||
|
||||
opcache.validate_timestamps=0
|
||||
opcache.enable_cli=1
|
||||
'';
|
||||
services.phpfpm.pools.phabricator = {
|
||||
user = "phabricator";
|
||||
settings = {
|
||||
"listen.owner" = config.services.nginx.user;
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = 32;
|
||||
"pm.max_requests" = 500;
|
||||
"pm.start_servers" = 2;
|
||||
"pm.min_spare_servers" = 2;
|
||||
"pm.max_spare_servers" = 5;
|
||||
"php_admin_value[error_log]" = "syslog";
|
||||
"php_admin_flag[log_errors]" = true;
|
||||
"php_admin_value[date.timezone]" = "Europe/London";
|
||||
"php_admin_value[post_max_size]" = "512M";
|
||||
"php_admin_value[memory_limit]" = "-1";
|
||||
"php_admin_value[max_input_vars]" = "999999999";
|
||||
"php_admin_value[upload_max_filesize]" = "512M";
|
||||
"catch_workers_output" = true;
|
||||
};
|
||||
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
||||
};
|
||||
|
||||
services.mysql = {
|
||||
enable = true;
|
||||
package = pkgs.mariadb;
|
||||
extraOptions = ''
|
||||
max_allowed_packet = 128M
|
||||
sql_mode = STRICT_ALL_TABLES
|
||||
innodb_buffer_pool_size = 1600M
|
||||
local_infile = 0
|
||||
'';
|
||||
};
|
||||
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
domain = "phab.lukegb.com";
|
||||
hostname = "phab.lukegb.com";
|
||||
extraAliases = ''
|
||||
phabricator: "|${pkgs.php}/bin/php /srv/http/phab.lukegb.com/phabricator/scripts/mail/mail_handler.php"
|
||||
'';
|
||||
virtual = ''
|
||||
@phab.lukegb.com phabricator@localhost
|
||||
'';
|
||||
extraConfig = ''
|
||||
milter_protocol = 2
|
||||
milter_default_action = accept
|
||||
smtpd_milters = ${config.services.opendkim.socket}
|
||||
non_smtpd_milters = ${config.services.opendkim.socket}
|
||||
'';
|
||||
};
|
||||
services.opendkim = {
|
||||
enable = true;
|
||||
domains = "csl:phab.lukegb.com";
|
||||
selector = "marukuru";
|
||||
};
|
||||
|
||||
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
|
||||
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
|
||||
|
||||
system.stateVersion = "20.03";
|
||||
})
|
Loading…
Reference in a new issue