merge in local changes from marukuru

Luke Granger-Brown 2020-05-08 23:28:42 +01:00
commit 83cfa93b11


@ -1,7 +1,6 @@
{ depot, lib, pkgs, rebuilder, config, ... }: { depot, lib, pkgs, rebuilder, config, ... }:
let let
inherit (depot.ops) secrets; inherit (depot.ops) secrets;
myPhp = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu all.mailparse ]);
in { in {
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ]; imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.kernelModules = [ "tcp_bbr" ]; boot.kernelModules = [ "tcp_bbr" ];
@ -55,102 +54,14 @@ in {
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [];
gitAndTools.gitFull
nodejs
python37Packages.pygments
myPhp
];
environment.etc."php.d/cache.ini".text = ''
zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
opcache.validate_timestamps=0
opcache.enable_cli=1
'';
environment.etc."ssh/phabricator-ssh-hook" = {
text = ''
#!${pkgs.stdenv.shell}
VCSUSER="vcs"
ROOT="/srv/http/phab.lukegb.com/phabricator"
PATH="${pkgs.php}/bin:$PATH"
if [ "$1" != "$VCSUSER" ];
then
exit 1
fi
exec "$ROOT/bin/ssh-auth" $@
'';
mode = "0555";
user = "root";
group = "root";
};
environment.etc."phabricator-php" = {
text = ''
#!${pkgs.stdenv.shell}
export PATH="${pkgs.php}/bin:$PATH"
exec "${pkgs.php}/bin/php" $@
'';
mode = "0555";
user = "root";
group = "root";
};
environment.etc."ssh/sshd_config.phabricator".text = ''
AuthorizedKeysCommand /etc/ssh/phabricator-ssh-hook
AuthorizedKeysCommandUser vcs
AllowUsers vcs anonvcs
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Port 22
Protocol 2
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
PrintLastLog no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthorizedKeysFile none
Match User anonvcs
ForceCommand /srv/http/phab.lukegb.com/phabricator/bin/ssh-exec --phabricator-ssh-user anonymous --phabricator-ssh-key 1
PasswordAuthentication yes
PermitEmptyPasswords yes
AuthenticationMethods none password
PermitListen none
PermitOpen none
X11Forwarding no
PermitTTY no
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
'';
systemd.services."sshd-phabricator" = {
description = "SSH Daemon for Phabricator";
stopIfChanged = false;
wantedBy = ["multi-user.target"];
path = [ config.programs.ssh.package ];
environment.LD_LIBRARY_PATH = config.system.nssModules.path;
restartTriggers = [
config.environment.etc."ssh/sshd_config".text
];
serviceConfig = {
ExecStart = "${config.programs.ssh.package}/bin/sshd -f /etc/ssh/sshd_config.phabricator";
KillMode = "process";
Restart = "always";
Type = "simple";
};
};
programs.mtr.enable = true; programs.mtr.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.ports = [ 20022 ]; services.openssh.ports = [ 20022 ];
networking.firewall = { networking.firewall = {
interfaces.docker0.allowedTCPPorts = [ 25 ];
allowedTCPPorts = [ 22 80 443 20022 ]; allowedTCPPorts = [ 22 80 443 20022 ];
# allowedUDPPorts = []; # allowedUDPPorts = [];
allowPing = true; allowPing = true;
@ -158,9 +69,6 @@ in {
# Define a user account. # Define a user account.
users.mutableUsers = false; users.mutableUsers = false;
users.groups = {
phabricator = {};
};
users.users = { users.users = {
root.hashedPassword = secrets.passwordHashes.root; root.hashedPassword = secrets.passwordHashes.root;
lukegb = { lukegb = {
@ -169,157 +77,26 @@ in {
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
hashedPassword = secrets.passwordHashes.root; hashedPassword = secrets.passwordHashes.root;
}; };
phabricator = {
isSystemUser = true;
home = "/srv/http/phab.lukegb.com";
group = "phabricator";
};
postfix = { postfix = {
extraGroups = [ "opendkim" ]; extraGroups = [ "opendkim" ];
}; };
vcs = {
isSystemUser = true;
hashedPassword = "NP";
shell = "/bin/sh";
group = "phabricator";
};
anonvcs = {
isSystemUser = true;
hashedPassword = "";
shell = "/bin/sh";
group = "phabricator";
};
builder1 = {
isSystemUser = true;
hashedPassword = "";
shell = "/bin/sh";
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGXwDOm+ZwWNp97+W1cdzMCzfBzwP0CHt9lxPTSzomU"];
createHome = true;
home = "/home/builder1";
};
};
security.sudo.extraRules = [{
users = [ "vcs" "anonvcs" ];
runAs = "phabricator";
commands = map (command: { inherit command; options = [ "NOPASSWD" "SETENV" ]; }) [
"${pkgs.git}/bin/git"
"${pkgs.git}/bin/git-upload-pack"
"${pkgs.git}/bin/git-receive-pack"
"${pkgs.mercurial}/bin/hg"
];
}];
services.nginx = {
enable = true;
virtualHosts."phab.lukegb.com" = {
serverAliases = [ "phabusercontent.zxcvbnm.ninja" ];
forceSSL = true;
enableACME = true;
locations."/" = {
root = "/srv/http/phab.lukegb.com/phabricator/webroot";
extraConfig = ''
client_max_body_size 512M;
location / {
index index.php;
rewrite ^/(.*)$ /index.php?__path__=/$1 last;
}
location /index.php {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.phabricator.socket};
fastcgi_index index.php;
#required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
#variables to make the $_SERVER populate in PHP
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param HTTPS on;
}
'';
};
};
virtualHosts."phab-ws.lukegb.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:22280/";
proxyWebsockets = true;
};
};
};
services.phpfpm.phpOptions = ''
zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
opcache.validate_timestamps=0
opcache.enable_cli=1
'';
services.phpfpm.pools.phabricator = {
user = "phabricator";
phpPackage = myPhp;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "syslog";
"php_admin_flag[log_errors]" = true;
"php_admin_value[date.timezone]" = "Europe/London";
"php_admin_value[post_max_size]" = "512M";
"php_admin_value[memory_limit]" = "-1";
"php_admin_value[max_input_vars]" = "999999999";
"php_admin_value[upload_max_filesize]" = "512M";
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
services.mysql = {
enable = true;
package = pkgs.mariadb;
settings.mysqld = {
max_allowed_packet = "128M";
sql_mode = "STRICT_ALL_TABLES";
innodb_buffer_pool_size = "1600M";
local_infile = "0";
};
}; };
services.postfix = { services.postfix = {
enable = true; enable = true;
domain = "phab.lukegb.com"; domain = "hg.lukegb.com";
hostname = "phab.lukegb.com"; hostname = "hg.lukegb.com";
extraAliases = ''
phabricator: "|${pkgs.php}/bin/php /srv/http/phab.lukegb.com/phabricator/scripts/mail/mail_handler.php"
'';
virtual = ''
@phab.lukegb.com phabricator@localhost
'';
extraConfig = '' extraConfig = ''
milter_protocol = 2 milter_protocol = 2
milter_default_action = accept milter_default_action = accept
smtpd_milters = ${config.services.opendkim.socket} smtpd_milters = ${config.services.opendkim.socket}
non_smtpd_milters = ${config.services.opendkim.socket} non_smtpd_milters = ${config.services.opendkim.socket}
''; '';
networks = [ "172.17.0.0/16" ];
}; };
services.opendkim = { services.opendkim = {
enable = true; enable = true;
domains = "csl:phab.lukegb.com"; domains = "csl:hg.lukegb.com";
selector = "marukuru"; selector = "marukuru";
}; };
@ -328,6 +105,43 @@ in {
email = "letsencrypt@lukegb.com"; email = "letsencrypt@lukegb.com";
}; };
docker-containers.heptapod-runner = {
image = "octobus/heptapod-runner:0.2.0";
volumes = [
"/srv/gitlab-runner/config:/etc/gitlab-runner"
"/var/run/docker.sock:/var/run/docker.sock"
];
};
docker-containers.heptapod = {
#image = "octobus/heptapod:0.12.3";
image = "heptapod:latest";
ports = [
# host:container
"22:22"
"80:80"
"443:443"
];
volumes = [
"/srv/gitlab/config:/etc/gitlab"
"/srv/gitlab/logs:/var/log/gitlab"
"/srv/gitlab/data:/var/opt/gitlab"
];
environment = {
GITLAB_OMNIBUS_CONFIG = builtins.replaceStrings ["\n"] [";"] ''
external_url "https://hg.lukegb.com"
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['letsencrypt@lukegb.com']
nginx['redirect_http_to_https'] = true
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = '103.105.48.15'
gitlab_rails['smtp_port'] = 25
gitlab_rails['gitlab_email_from'] = 'heptapod@hg.lukegb.com'
gitlab_rails['gitlab_email_reply_to'] = 'noreply@hg.lukegb.com'
'';
};
};
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel"; boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";
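Review bot: `image = "heptapod:latest";` replaces the pinned `octobus/heptapod:0.12.3` that is left commented out on the line directly above it, so the deployed Heptapod/GitLab version now floats with whatever the local `heptapod` tag resolves to and a rebuild of this host is no longer reproducible; restoring a pinned tag (or an image digest) keeps upgrades deliberate and reviewable. The `heptapod-runner` container mounts `/var/run/docker.sock`, which is equivalent to root on the host, so a comment stating that this is intended and that only trusted projects may run CI on this runner would help the next reader, e.g. `# NOTE: docker.sock mount gives the runner host-root-equivalent access; only trusted projects use it`. The hard-coded `gitlab_rails['smtp_address'] = '103.105.48.15'` depends on postfix relaying for `networks = [ "172.17.0.0/16" ]` and the docker0 port-25 firewall opening in the earlier hunks, which trusts every container on the bridge rather than just heptapod — worth a one-line comment next to the address if that is the intended trust boundary.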