From 2f35c4835b942b713ddd68b9026d033e8f49155e Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sun, 3 May 2020 17:56:16 +0100 Subject: [PATCH] marukuru: add --- .hgignore | 5 + ops/nixos/default.nix | 2 +- ops/nixos/marukuru/default.nix | 336 +++++++++++++++++++++++++++++++++ 3 files changed, 342 insertions(+), 1 deletion(-) create mode 100644 ops/nixos/marukuru/default.nix diff --git a/.hgignore b/.hgignore index 2014ef0cc5..0ad40cbf44 100644 --- a/.hgignore +++ b/.hgignore @@ -1 +1,6 @@ ops/secrets/ + +syntax: glob +*.sw? +*.pyc +*~ diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix index 73a5371125..359574786a 100644 --- a/ops/nixos/default.nix +++ b/ops/nixos/default.nix @@ -6,7 +6,7 @@ let configuration = lib.fix (config: foldl' lib.recursiveUpdate { } (map (c: c config) configs)); }).system; - systems = [ "porcorosso" "ixvm-fra01" ]; + systems = [ "porcorosso" "ixvm-fra01" "marukuru" ]; rebuilder = system: pkgs.writeShellScriptBin "rebuilder" '' set -ue diff --git a/ops/nixos/marukuru/default.nix b/ops/nixos/marukuru/default.nix new file mode 100644 index 0000000000..158a5b3973 --- /dev/null +++ b/ops/nixos/marukuru/default.nix @@ -0,0 +1,336 @@ +{ depot, lib, pkgs, rebuilder, ... }: +config: +let + inherit (depot.ops) secrets; +in lib.fix (self: { + imports = [ ]; + boot.kernelModules = [ "tcp_bbr" ]; + boot.kernel.sysctl = { + "net.ipv6.conf.default.accept_ra" = 1; + "net.ipv6.conf.all.accept_ra" = 1; + }; + + fileSystems = { + "/" = { + device = "/dev/vda1"; + fsType = "ext4"; + }; + }; + + nix.maxJobs = lib.mkDefault 2; + hardware.enableRedistributableFirmware = true; + + nixpkgs.config = { allowUnfree = true; }; + + nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ]; + + # Use GRUB2. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; + + # Networking! + networking = { + hostName = "marukuru"; # Define your hostname. + domain = "lukegb.xyz"; + nameservers = ["2001:4860:4860::8888" "8.8.8.8"]; + useDHCP = false; + defaultGateway = { + address = "103.105.48.1"; interface = "eth0"; + }; + dhcpcd.enable = false; + usePredictableInterfaceNames = true; + interfaces = { + eth0 = { + ipv4.addresses = [ + { address="103.105.48.15"; prefixLength=24; } + ]; + ipv6.addresses = [ + { address="2402:28c0:4:104e::1"; prefixLength=64; } + ]; + }; + }; + }; + services.udev.extraRules = '' + ATTR{address}=="52:54:00:84:e2:2a", NAME="eth0" + ''; + + # Select internationalisation properties. + i18n.defaultLocale = "en_GB.UTF-8"; + console.keyMap = "us"; + + # Set your time zone. + time.timeZone = "Etc/UTC"; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + mercurial + gitAndTools.gitFull + php phpPackages.mailparse + nodejs + rxvt_unicode.terminfo + rebuilder + ]; + environment.etc."php.d/mailparse.ini".text = '' + extension=${pkgs.phpPackages.mailparse}/lib/php/extensions/mailparse.so + ''; + environment.etc."php.d/cache.ini".text = '' + zend_extension=${pkgs.php}/lib/php/extensions/opcache.so + extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + + opcache.validate_timestamps=0 + opcache.enable_cli=1 + ''; + environment.etc."ssh/phabricator-ssh-hook" = { + text = '' + #!${pkgs.stdenv.shell} + VCSUSER="vcs" + ROOT="/srv/http/phab.lukegb.com/phabricator" + PATH="${pkgs.php}/bin:$PATH" + + if [ "$1" != "$VCSUSER" ]; + then + exit 1 + fi + + exec "$ROOT/bin/ssh-auth" $@ + ''; + mode = "0555"; + user = "root"; + group = "root"; + }; + environment.etc."phabricator-php" = { + text = '' + #!${pkgs.stdenv.shell} + export PATH="${pkgs.php}/bin:$PATH" + exec "${pkgs.php}/bin/php" $@ + ''; + mode = "0555"; + user = "root"; + group = "root"; + }; + environment.etc."ssh/sshd_config.phabricator".text = '' + AuthorizedKeysCommand /etc/ssh/phabricator-ssh-hook + AuthorizedKeysCommandUser vcs + AllowUsers vcs anonvcs + + KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + + Port 22 + Protocol 2 + PermitRootLogin no + AllowAgentForwarding no + AllowTcpForwarding no + PrintMotd no + PrintLastLog no + PasswordAuthentication no + ChallengeResponseAuthentication no + AuthorizedKeysFile none + + Match User anonvcs + ForceCommand /srv/http/phab.lukegb.com/phabricator/bin/ssh-exec --phabricator-ssh-user anonymous --phabricator-ssh-key 1 + PasswordAuthentication yes + PermitEmptyPasswords yes + AuthenticationMethods none password + PermitListen none + PermitOpen none + X11Forwarding no + PermitTTY no + PermitTunnel no + AllowAgentForwarding no + AllowTcpForwarding no + AllowStreamLocalForwarding no + ''; + systemd.services."sshd-phabricator" = { + description = "SSH Daemon for Phabricator"; + stopIfChanged = false; + wantedBy = ["multi-user.target"]; + path = [ config.programs.ssh.package ]; + environment.LD_LIBRARY_PATH = config.system.nssModules.path; + restartTriggers = [ + config.environment.etc."ssh/sshd_config".text + ]; + serviceConfig = { + ExecStart = "${config.programs.ssh.package}/bin/sshd -f /etc/ssh/sshd_config.phabricator"; + KillMode = "process"; + Restart = "always"; + Type = "simple"; + }; + }; + + programs.mtr.enable = true; + services.openssh.enable = true; + services.openssh.ports = [ 20022 ]; + + networking.firewall = { + allowedTCPPorts = [ 22 80 443 20022 ]; + # allowedUDPPorts = []; + allowPing = true; + }; + + # Define a user account. + users.mutableUsers = false; + users.users = { + root.hashedPassword = secrets.passwordHashes.root; + lukegb = { + isNormalUser = true; + uid = 1000; + extraGroups = [ "wheel" ]; + hashedPassword = secrets.passwordHashes.root; + }; + phabricator = { + isSystemUser = true; + home = "/srv/http/phab.lukegb.com"; + group = "phabricator"; + }; + postfix = { + extraGroups = [ "opendkim" ]; + }; + vcs = { + isSystemUser = true; + hashedPassword = "NP"; + shell = "/bin/sh"; + group = "phabricator"; + }; + anonvcs = { + isSystemUser = true; + hashedPassword = ""; + shell = "/bin/sh"; + group = "phabricator"; + }; + }; + security.sudo.extraRules = [{ + users = [ "vcs" "anonvcs" ]; + runAs = "phabricator"; + commands = map (command: { inherit command; options = [ "NOPASSWD" "SETENV" ]; }) [ + "${pkgs.git}/bin/git" + "${pkgs.git}/bin/git-upload-pack" + "${pkgs.git}/bin/git-receive-pack" + "${pkgs.mercurial}/bin/hg" + ]; + }]; + + services.nginx = { + enable = true; + virtualHosts."phab.lukegb.com" = { + serverAliases = [ "phabusercontent.zxcvbnm.ninja" ]; + forceSSL = true; + enableACME = true; + locations."/" = { + root = "/srv/http/phab.lukegb.com/phabricator/webroot"; + extraConfig = '' + client_max_body_size 512M; + + location / { + index index.php; + rewrite ^/(.*)$ /index.php?__path__=/$1 last; + } + location /index.php { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools.phabricator.socket}; + fastcgi_index index.php; + + #required if PHP was built with --enable-force-cgi-redirect + fastcgi_param REDIRECT_STATUS 200; + + #variables to make the $_SERVER populate in PHP + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + + fastcgi_param GATEWAY_INTERFACE CGI/1.1; + fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + + fastcgi_param REMOTE_ADDR $remote_addr; + fastcgi_param HTTPS on; + } + ''; + }; + }; + virtualHosts."phab-ws.lukegb.com" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:22280/"; + proxyWebsockets = true; + }; + }; + }; + + services.phpfpm.phpOptions = '' + zend_extension=${pkgs.php}/lib/php/extensions/opcache.so + extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + extension=${pkgs.phpPackages.mailparse}/lib/php/extensions/mailparse.so + + opcache.validate_timestamps=0 + opcache.enable_cli=1 + ''; + services.phpfpm.pools.phabricator = { + user = "phabricator"; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "syslog"; + "php_admin_flag[log_errors]" = true; + "php_admin_value[date.timezone]" = "Europe/London"; + "php_admin_value[post_max_size]" = "512M"; + "php_admin_value[memory_limit]" = "-1"; + "php_admin_value[max_input_vars]" = "999999999"; + "php_admin_value[upload_max_filesize]" = "512M"; + "catch_workers_output" = true; + }; + phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; + }; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + extraOptions = '' + max_allowed_packet = 128M + sql_mode = STRICT_ALL_TABLES + innodb_buffer_pool_size = 1600M + local_infile = 0 + ''; + }; + + services.postfix = { + enable = true; + domain = "phab.lukegb.com"; + hostname = "phab.lukegb.com"; + extraAliases = '' + phabricator: "|${pkgs.php}/bin/php /srv/http/phab.lukegb.com/phabricator/scripts/mail/mail_handler.php" + ''; + virtual = '' + @phab.lukegb.com phabricator@localhost + ''; + extraConfig = '' + milter_protocol = 2 + milter_default_action = accept + smtpd_milters = ${config.services.opendkim.socket} + non_smtpd_milters = ${config.services.opendkim.socket} + ''; + }; + services.opendkim = { + enable = true; + domains = "csl:phab.lukegb.com"; + selector = "marukuru"; + }; + + boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; + boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel"; + + system.stateVersion = "20.03"; +})