{ depot, lib, pkgs, rebuilder, ... }: { config, ... }: let inherit (depot.ops) secrets; myPhp = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu all.mailparse ]); in { imports = [ ]; boot.kernelModules = [ "tcp_bbr" ]; boot.kernel.sysctl = { "net.ipv6.conf.default.accept_ra" = 1; "net.ipv6.conf.all.accept_ra" = 1; }; fileSystems = { "/" = { device = "/dev/vda1"; fsType = "ext4"; }; }; nix.maxJobs = lib.mkDefault 2; hardware.enableRedistributableFirmware = true; nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ]; # Use GRUB2. boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/vda"; # Networking! networking = { hostName = "marukuru"; # Define your hostname. domain = "lukegb.xyz"; nameservers = ["2001:4860:4860::8888" "8.8.8.8"]; useDHCP = false; defaultGateway = { address = "103.105.48.1"; interface = "eth0"; }; dhcpcd.enable = false; usePredictableInterfaceNames = true; interfaces = { eth0 = { ipv4.addresses = [ { address="103.105.48.15"; prefixLength=24; } ]; ipv6.addresses = [ { address="2402:28c0:4:104e::1"; prefixLength=64; } ]; }; }; }; services.udev.extraRules = '' ATTR{address}=="52:54:00:84:e2:2a", NAME="eth0" ''; # Select internationalisation properties. i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "us"; # Set your time zone. time.timeZone = "Etc/UTC"; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ vim mercurial gitAndTools.gitFull nodejs rxvt_unicode.terminfo python37Packages.pygments rebuilder ]; environment.etc."php.d/cache.ini".text = '' zend_extension=${pkgs.php}/lib/php/extensions/opcache.so opcache.validate_timestamps=0 opcache.enable_cli=1 ''; environment.etc."ssh/phabricator-ssh-hook" = { text = '' #!${pkgs.stdenv.shell} VCSUSER="vcs" ROOT="/srv/http/phab.lukegb.com/phabricator" PATH="${pkgs.php}/bin:$PATH" if [ "$1" != "$VCSUSER" ]; then exit 1 fi exec "$ROOT/bin/ssh-auth" $@ ''; mode = "0555"; user = "root"; group = "root"; }; environment.etc."phabricator-php" = { text = '' #!${pkgs.stdenv.shell} export PATH="${pkgs.php}/bin:$PATH" exec "${pkgs.php}/bin/php" $@ ''; mode = "0555"; user = "root"; group = "root"; }; environment.etc."ssh/sshd_config.phabricator".text = '' AuthorizedKeysCommand /etc/ssh/phabricator-ssh-hook AuthorizedKeysCommandUser vcs AllowUsers vcs anonvcs KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com Port 22 Protocol 2 PermitRootLogin no AllowAgentForwarding no AllowTcpForwarding no PrintMotd no PrintLastLog no PasswordAuthentication no ChallengeResponseAuthentication no AuthorizedKeysFile none Match User anonvcs ForceCommand /srv/http/phab.lukegb.com/phabricator/bin/ssh-exec --phabricator-ssh-user anonymous --phabricator-ssh-key 1 PasswordAuthentication yes PermitEmptyPasswords yes AuthenticationMethods none password PermitListen none PermitOpen none X11Forwarding no PermitTTY no PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no AllowStreamLocalForwarding no ''; systemd.services."sshd-phabricator" = { description = "SSH Daemon for Phabricator"; stopIfChanged = false; wantedBy = ["multi-user.target"]; path = [ config.programs.ssh.package ]; environment.LD_LIBRARY_PATH = config.system.nssModules.path; restartTriggers = [ config.environment.etc."ssh/sshd_config".text ]; serviceConfig = { ExecStart = "${config.programs.ssh.package}/bin/sshd -f /etc/ssh/sshd_config.phabricator"; KillMode = "process"; Restart = "always"; Type = "simple"; }; }; programs.mtr.enable = true; services.openssh.enable = true; services.openssh.ports = [ 20022 ]; networking.firewall = { allowedTCPPorts = [ 22 80 443 20022 ]; # allowedUDPPorts = []; allowPing = true; }; # Define a user account. users.mutableUsers = false; users.groups = { phabricator = {}; }; users.users = { root.hashedPassword = secrets.passwordHashes.root; lukegb = { isNormalUser = true; uid = 1000; extraGroups = [ "wheel" ]; hashedPassword = secrets.passwordHashes.root; }; phabricator = { isSystemUser = true; home = "/srv/http/phab.lukegb.com"; group = "phabricator"; }; postfix = { extraGroups = [ "opendkim" ]; }; vcs = { isSystemUser = true; hashedPassword = "NP"; shell = "/bin/sh"; group = "phabricator"; }; anonvcs = { isSystemUser = true; hashedPassword = ""; shell = "/bin/sh"; group = "phabricator"; }; }; security.sudo.extraRules = [{ users = [ "vcs" "anonvcs" ]; runAs = "phabricator"; commands = map (command: { inherit command; options = [ "NOPASSWD" "SETENV" ]; }) [ "${pkgs.git}/bin/git" "${pkgs.git}/bin/git-upload-pack" "${pkgs.git}/bin/git-receive-pack" "${pkgs.mercurial}/bin/hg" ]; }]; services.nginx = { enable = true; virtualHosts."phab.lukegb.com" = { serverAliases = [ "phabusercontent.zxcvbnm.ninja" ]; forceSSL = true; enableACME = true; locations."/" = { root = "/srv/http/phab.lukegb.com/phabricator/webroot"; extraConfig = '' client_max_body_size 512M; location / { index index.php; rewrite ^/(.*)$ /index.php?__path__=/$1 last; } location /index.php { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${config.services.phpfpm.pools.phabricator.socket}; fastcgi_index index.php; #required if PHP was built with --enable-force-cgi-redirect fastcgi_param REDIRECT_STATUS 200; #variables to make the $_SERVER populate in PHP fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param HTTPS on; } ''; }; }; virtualHosts."phab-ws.lukegb.com" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:22280/"; proxyWebsockets = true; }; }; }; services.phpfpm.phpOptions = '' zend_extension=${pkgs.php}/lib/php/extensions/opcache.so opcache.validate_timestamps=0 opcache.enable_cli=1 ''; services.phpfpm.pools.phabricator = { user = "phabricator"; phpPackage = myPhp; settings = { "listen.owner" = config.services.nginx.user; "pm" = "dynamic"; "pm.max_children" = 32; "pm.max_requests" = 500; "pm.start_servers" = 2; "pm.min_spare_servers" = 2; "pm.max_spare_servers" = 5; "php_admin_value[error_log]" = "syslog"; "php_admin_flag[log_errors]" = true; "php_admin_value[date.timezone]" = "Europe/London"; "php_admin_value[post_max_size]" = "512M"; "php_admin_value[memory_limit]" = "-1"; "php_admin_value[max_input_vars]" = "999999999"; "php_admin_value[upload_max_filesize]" = "512M"; "catch_workers_output" = true; }; phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; }; services.mysql = { enable = true; package = pkgs.mariadb; settings.mysqld = { max_allowed_packet = "128M"; sql_mode = "STRICT_ALL_TABLES"; innodb_buffer_pool_size = "1600M"; local_infile = "0"; }; }; services.postfix = { enable = true; domain = "phab.lukegb.com"; hostname = "phab.lukegb.com"; extraAliases = '' phabricator: "|${pkgs.php}/bin/php /srv/http/phab.lukegb.com/phabricator/scripts/mail/mail_handler.php" ''; virtual = '' @phab.lukegb.com phabricator@localhost ''; extraConfig = '' milter_protocol = 2 milter_default_action = accept smtpd_milters = ${config.services.opendkim.socket} non_smtpd_milters = ${config.services.opendkim.socket} ''; }; services.opendkim = { enable = true; domains = "csl:phab.lukegb.com"; selector = "marukuru"; }; security.acme = { acceptTerms = true; email = "letsencrypt@lukegb.com"; }; boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel"; system.stateVersion = "20.03"; }