From 24fe8291c25a73109a28ed0d0d2165f201fac52b Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Fri, 8 May 2020 22:24:50 +0000
Subject: [PATCH] marukuru: switch to heptapod
---
 ops/nixos/marukuru/default.nix | 270 ++++++--------------------------
 1 file changed, 43 insertions(+), 227 deletions(-)
diff --git a/ops/nixos/marukuru/default.nix b/ops/nixos/marukuru/default.nix
index fa0ef93098..ea87ec32aa 100644
--- a/ops/nixos/marukuru/default.nix
+++ b/ops/nixos/marukuru/default.nix
@@ -2,7 +2,6 @@
 { config, ... }:
 let
 inherit (depot.ops) secrets;
- myPhp = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu all.mailparse ]);
 in {
 imports = [ ];
 boot.kernelModules = [ "tcp_bbr" ];
@@ -60,109 +59,23 @@ in { # Set your time zone. time.timeZone = "Etc/UTC"; + nix.useSandbox = true; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ vim mercurial - gitAndTools.gitFull - nodejs rxvt_unicode.terminfo - python37Packages.pygments rebuilder - myPhp ]; - environment.etc."php.d/cache.ini".text = '' - zend_extension=${pkgs.php}/lib/php/extensions/opcache.so - - opcache.validate_timestamps=0 - opcache.enable_cli=1 - ''; - environment.etc."ssh/phabricator-ssh-hook" = { - text = '' - #!${pkgs.stdenv.shell} - VCSUSER="vcs" - ROOT="/srv/http/phab.lukegb.com/phabricator" - PATH="${pkgs.php}/bin:$PATH" - - if [ "$1" != "$VCSUSER" ]; - then - exit 1 - fi - - exec "$ROOT/bin/ssh-auth" $@ - ''; - mode = "0555"; - user = "root"; - group = "root"; - }; - environment.etc."phabricator-php" = { - text = '' - #!${pkgs.stdenv.shell} - export PATH="${pkgs.php}/bin:$PATH" - exec "${pkgs.php}/bin/php" $@ - ''; - mode = "0555"; - user = "root"; - group = "root"; - }; - environment.etc."ssh/sshd_config.phabricator".text = '' - AuthorizedKeysCommand /etc/ssh/phabricator-ssh-hook - AuthorizedKeysCommandUser vcs - AllowUsers vcs anonvcs - - KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 - Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com - - Port 22 - Protocol 2 - PermitRootLogin no - AllowAgentForwarding no - AllowTcpForwarding no - PrintMotd no - PrintLastLog no - PasswordAuthentication no - ChallengeResponseAuthentication no - AuthorizedKeysFile none - - Match User anonvcs - ForceCommand /srv/http/phab.lukegb.com/phabricator/bin/ssh-exec --phabricator-ssh-user anonymous --phabricator-ssh-key 1 - PasswordAuthentication yes - PermitEmptyPasswords yes - 
AuthenticationMethods none password - PermitListen none - PermitOpen none - X11Forwarding no - PermitTTY no - PermitTunnel no - AllowAgentForwarding no - AllowTcpForwarding no - AllowStreamLocalForwarding no - ''; - systemd.services."sshd-phabricator" = { - description = "SSH Daemon for Phabricator"; - stopIfChanged = false; - wantedBy = ["multi-user.target"]; - path = [ config.programs.ssh.package ]; - environment.LD_LIBRARY_PATH = config.system.nssModules.path; - restartTriggers = [ - config.environment.etc."ssh/sshd_config".text - ]; - serviceConfig = { - ExecStart = "${config.programs.ssh.package}/bin/sshd -f /etc/ssh/sshd_config.phabricator"; - KillMode = "process"; - Restart = "always"; - Type = "simple"; - }; - }; programs.mtr.enable = true; services.openssh.enable = true; services.openssh.ports = [ 20022 ]; networking.firewall = { + interfaces.docker0.allowedTCPPorts = [ 25 ]; allowedTCPPorts = [ 22 80 443 20022 ]; # allowedUDPPorts = []; allowPing = true; @@ -170,9 +83,6 @@ in { # Define a user account. users.mutableUsers = false; - users.groups = { - phabricator = {}; - }; users.users = { root.hashedPassword = secrets.passwordHashes.root; lukegb = { 
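Review bot: `allowedTCPPorts = [ 22 80 443 20022 ];` still opens port 22 on the public side although this hunk deletes the `sshd-phabricator` unit that used to listen there, and the host sshd stays on 20022 (`services.openssh.ports = [ 20022 ];` is unchanged); presumably 22/80/443 are now meant for the container port mappings, and that intent should be written next to the list, e.g. `# 22/80/443 are published by the heptapod container; 20022 is the host sshd`. The new `interfaces.docker0.allowedTCPPorts = [ 25 ];` line likewise reads as an unexplained exposure without a comment naming its purpose, e.g. `# let containers reach the host postfix (see services.postfix.networks)`. Keeping the firewall list and the container mappings documented together matters because a host service later bound to 22 would be reachable without any firewall change. The `networking.firewall` attribute set closes outside this hunk.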
@@ -181,157 +91,26 @@ in { extraGroups = [ "wheel" ]; hashedPassword = secrets.passwordHashes.root; }; - phabricator = { - isSystemUser = true; - home = "/srv/http/phab.lukegb.com"; - group = "phabricator"; - }; postfix = { extraGroups = [ "opendkim" ]; }; - vcs = { - isSystemUser = true; - hashedPassword = "NP"; - shell = "/bin/sh"; - group = "phabricator"; - }; - anonvcs = { - isSystemUser = true; - hashedPassword = ""; - shell = "/bin/sh"; - group = "phabricator"; - }; - builder1 = { - isSystemUser = true; - hashedPassword = ""; - shell = "/bin/sh"; - openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGXwDOm+ZwWNp97+W1cdzMCzfBzwP0CHt9lxPTSzomU"]; - createHome = true; - home = "/home/builder1"; - }; - }; - security.sudo.extraRules = [{ - users = [ "vcs" "anonvcs" ]; - runAs = "phabricator"; - commands = map (command: { inherit command; options = [ "NOPASSWD" "SETENV" ]; }) [ - "${pkgs.git}/bin/git" - "${pkgs.git}/bin/git-upload-pack" - "${pkgs.git}/bin/git-receive-pack" - "${pkgs.mercurial}/bin/hg" - ]; - }]; - - services.nginx = { - enable = true; - virtualHosts."phab.lukegb.com" = { - serverAliases = [ "phabusercontent.zxcvbnm.ninja" ]; - forceSSL = true; - enableACME = true; - locations."/" = { - root = "/srv/http/phab.lukegb.com/phabricator/webroot"; - extraConfig = '' - client_max_body_size 512M; - - location / { - index index.php; - rewrite ^/(.*)$ /index.php?__path__=/$1 last; - } - location /index.php { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${config.services.phpfpm.pools.phabricator.socket}; - fastcgi_index index.php; - - #required if PHP was built with --enable-force-cgi-redirect - fastcgi_param REDIRECT_STATUS 200; - - #variables to make the $_SERVER populate in PHP - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param QUERY_STRING $query_string; - fastcgi_param REQUEST_METHOD $request_method; - fastcgi_param CONTENT_TYPE $content_type; - fastcgi_param CONTENT_LENGTH 
$content_length; - - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - - fastcgi_param GATEWAY_INTERFACE CGI/1.1; - fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; - - fastcgi_param REMOTE_ADDR $remote_addr; - fastcgi_param HTTPS on; - } - ''; - }; - }; - virtualHosts."phab-ws.lukegb.com" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:22280/"; - proxyWebsockets = true; - }; - }; - }; - - services.phpfpm.phpOptions = '' - zend_extension=${pkgs.php}/lib/php/extensions/opcache.so - - opcache.validate_timestamps=0 - opcache.enable_cli=1 - ''; - services.phpfpm.pools.phabricator = { - user = "phabricator"; - phpPackage = myPhp; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "syslog"; - "php_admin_flag[log_errors]" = true; - "php_admin_value[date.timezone]" = "Europe/London"; - "php_admin_value[post_max_size]" = "512M"; - "php_admin_value[memory_limit]" = "-1"; - "php_admin_value[max_input_vars]" = "999999999"; - "php_admin_value[upload_max_filesize]" = "512M"; - "catch_workers_output" = true; - }; - phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; - }; - - services.mysql = { - enable = true; - package = pkgs.mariadb; - settings.mysqld = { - max_allowed_packet = "128M"; - sql_mode = "STRICT_ALL_TABLES"; - innodb_buffer_pool_size = "1600M"; - local_infile = "0"; - }; }; services.postfix = { enable = true; - domain = "phab.lukegb.com"; - hostname = "phab.lukegb.com"; - extraAliases = '' - phabricator: "|${pkgs.php}/bin/php /srv/http/phab.lukegb.com/phabricator/scripts/mail/mail_handler.php" - ''; - virtual = '' - @phab.lukegb.com phabricator@localhost - ''; + domain = "hg.lukegb.com"; + hostname = "hg.lukegb.com"; extraConfig = '' milter_protocol = 2 milter_default_action = accept smtpd_milters = 
${config.services.opendkim.socket} non_smtpd_milters = ${config.services.opendkim.socket} ''; + networks = [ "172.17.0.0/16" ]; }; services.opendkim = { enable = true; - domains = "csl:phab.lukegb.com"; + domains = "csl:hg.lukegb.com"; selector = "marukuru"; }; @@ -340,6 +119,43 @@ in { email = "letsencrypt@lukegb.com"; }; + docker-containers.heptapod-runner = { + image = "octobus/heptapod-runner:0.2.0"; + volumes = [ + "/srv/gitlab-runner/config:/etc/gitlab-runner" + "/var/run/docker.sock:/var/run/docker.sock" + ]; + }; + docker-containers.heptapod = { + #image = "octobus/heptapod:0.12.3"; + image = "heptapod:latest"; + ports = [ + # host:container + "22:22" + "80:80" + "443:443" + ]; + volumes = [ + "/srv/gitlab/config:/etc/gitlab" + "/srv/gitlab/logs:/var/log/gitlab" + "/srv/gitlab/data:/var/opt/gitlab" + ]; + environment = { + GITLAB_OMNIBUS_CONFIG = builtins.replaceStrings ["\n"] [";"] '' + external_url "https://hg.lukegb.com" + letsencrypt['enable'] = true + letsencrypt['contact_emails'] = ['letsencrypt@lukegb.com'] + nginx['redirect_http_to_https'] = true + + gitlab_rails['smtp_enable'] = true + gitlab_rails['smtp_address'] = '103.105.48.15' + gitlab_rails['smtp_port'] = 25 + gitlab_rails['gitlab_email_from'] = 'heptapod@hg.lukegb.com' + gitlab_rails['gitlab_email_reply_to'] = 'noreply@hg.lukegb.com' + ''; + }; + }; + boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
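Review bot: `networks = [ "172.17.0.0/16" ];` makes every address on the default Docker bridge a trusted relay client of the host postfix, not only the heptapod container: any container attached to docker0 — which, if I read the later hunk correctly, includes jobs run by the heptapod-runner that is handed the docker socket — can submit mail for arbitrary recipients without authentication. Bridge addresses are assigned dynamically, so there may be no narrower CIDR to use, but the trust should at least be stated, e.g. `# trusts the whole docker0 bridge: any container, not just heptapod, may relay through this MTA`, and if the heptapod container can be placed on its own network, that subnet belongs here instead of the default bridge. The line sits after `extraConfig` at the end of `services.postfix`, so the relay scope is easy to miss when reading the milter settings; `services.postfix` closes within the hunk.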