depot/ops/nixos/marukuru/default.nix

{ depot, lib, pkgs, rebuilder, ... }:
config:
let
  inherit (depot.ops) secrets;
in lib.fix (self: {
  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
  boot.kernelModules = [ "tcp_bbr" ];
  boot.kernel.sysctl = {
    "net.ipv6.conf.default.accept_ra" = 1;
    "net.ipv6.conf.all.accept_ra" = 1;
  };

  fileSystems = {
    "/" = {
      device = "/dev/vda1";
      fsType = "ext4";
    };
  };

  nix.maxJobs = lib.mkDefault 2;
  hardware.enableRedistributableFirmware = true;

  nixpkgs.config = { allowUnfree = true; };

  nix.nixPath = [ "depot=/home/lukegb/depot/" "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/" ];

  # Use GRUB2.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda";

  # Networking!
  networking = {
    hostName = "marukuru"; # Define your hostname.
    domain = "lukegb.xyz";
    nameservers = ["2001:4860:4860::8888" "8.8.8.8"];
    useDHCP = false;
    defaultGateway = {
      address = "103.105.48.1"; interface = "eth0";
    };
    dhcpcd.enable = false;
    usePredictableInterfaceNames = true;
    interfaces = {
      eth0 = {
        ipv4.addresses = [
          { address="103.105.48.15"; prefixLength=24; }
        ];
        ipv6.addresses = [
          { address="2402:28c0:4:104e::1"; prefixLength=64; }
        ];
      };
    };
  };
  services.udev.extraRules = ''
    ATTR{address}=="52:54:00:84:e2:2a", NAME="eth0"
  '';

  # Select internationalisation properties.
  i18n.defaultLocale = "en_GB.UTF-8";
  console.keyMap = "us";

  # Set your time zone.
  time.timeZone = "Etc/UTC";

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim
    mercurial
    gitAndTools.gitFull
    php phpPackages.mailparse
    nodejs
    rxvt_unicode.terminfo
    rebuilder
  ];
  environment.etc."php.d/mailparse.ini".text = ''
    extension=${pkgs.phpPackages.mailparse}/lib/php/extensions/mailparse.so
  '';
  environment.etc."php.d/cache.ini".text = ''
    zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so

    opcache.validate_timestamps=0
    opcache.enable_cli=1
  '';
  environment.etc."ssh/phabricator-ssh-hook" = {
    text = ''
      #!${pkgs.stdenv.shell}
      VCSUSER="vcs"
      ROOT="/srv/http/phab.lukegb.com/phabricator"
      PATH="${pkgs.php}/bin:$PATH"

      if [ "$1" != "$VCSUSER" ];
      then
        exit 1
      fi

      exec "$ROOT/bin/ssh-auth" $@
    '';
    mode = "0555";
    user = "root";
    group = "root";
  };
  environment.etc."phabricator-php" = {
    text = ''
      #!${pkgs.stdenv.shell}
      export PATH="${pkgs.php}/bin:$PATH"
      exec "${pkgs.php}/bin/php" $@
    '';
    mode = "0555";
    user = "root";
    group = "root";
  };
  environment.etc."ssh/sshd_config.phabricator".text = ''
    AuthorizedKeysCommand /etc/ssh/phabricator-ssh-hook
    AuthorizedKeysCommandUser vcs
    AllowUsers vcs anonvcs

    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

    Port 22
    Protocol 2
    PermitRootLogin no
    AllowAgentForwarding no
    AllowTcpForwarding no
    PrintMotd no
    PrintLastLog no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    AuthorizedKeysFile none

    Match User anonvcs
      ForceCommand /srv/http/phab.lukegb.com/phabricator/bin/ssh-exec --phabricator-ssh-user anonymous --phabricator-ssh-key 1
      PasswordAuthentication yes
      PermitEmptyPasswords yes
      AuthenticationMethods none password
      PermitListen none
      PermitOpen none
      X11Forwarding no
      PermitTTY no
      PermitTunnel no
      AllowAgentForwarding no
      AllowTcpForwarding no
      AllowStreamLocalForwarding no
  '';
  systemd.services."sshd-phabricator" = {
    description = "SSH Daemon for Phabricator";
    stopIfChanged = false;
    wantedBy = ["multi-user.target"];
    path = [ config.programs.ssh.package ];
    environment.LD_LIBRARY_PATH = config.system.nssModules.path;
    restartTriggers = [
      config.environment.etc."ssh/sshd_config".text
    ];
    serviceConfig = {
      ExecStart = "${config.programs.ssh.package}/bin/sshd -f /etc/ssh/sshd_config.phabricator";
      KillMode = "process";
      Restart = "always";
      Type = "simple";
    };
  };

  programs.mtr.enable = true;
  services.openssh.enable = true;
  services.openssh.ports = [ 20022 ];

  networking.firewall = {
    allowedTCPPorts = [ 22 80 443 20022 ];
    # allowedUDPPorts = [];
    allowPing = true;
  };

  # Define a user account.
  users.mutableUsers = false;
  users.users = {
    root.hashedPassword = secrets.passwordHashes.root;
    lukegb = {
      isNormalUser = true;
      uid = 1000;
      extraGroups = [ "wheel" ];
      hashedPassword = secrets.passwordHashes.root;
    };
    phabricator = {
      isSystemUser = true;
      home = "/srv/http/phab.lukegb.com";
      group = "phabricator";
    };
    postfix = {
      extraGroups = [ "opendkim" ];
    };
    vcs = {
      isSystemUser = true;
      hashedPassword = "NP";
      shell = "/bin/sh";
      group = "phabricator";
    };
    anonvcs = {
      isSystemUser = true;
      hashedPassword = "";
      shell = "/bin/sh";
      group = "phabricator";
    };
  };
  security.sudo.extraRules = [{
    users = [ "vcs" "anonvcs" ];
    runAs = "phabricator";
    commands = map (command: { inherit command; options = [ "NOPASSWD" "SETENV" ]; }) [
      "${pkgs.git}/bin/git"
      "${pkgs.git}/bin/git-upload-pack"
      "${pkgs.git}/bin/git-receive-pack"
      "${pkgs.mercurial}/bin/hg"
    ];
  }];

  services.nginx = {
    enable = true;
    virtualHosts."phab.lukegb.com" = {
      serverAliases = [ "phabusercontent.zxcvbnm.ninja" ];
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        root = "/srv/http/phab.lukegb.com/phabricator/webroot";
        extraConfig = ''
          client_max_body_size 512M;

          location / {
            index index.php;
            rewrite ^/(.*)$ /index.php?__path__=/$1 last;
          }
          location /index.php {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass            unix:${config.services.phpfpm.pools.phabricator.socket};
            fastcgi_index           index.php;

            #required if PHP was built with --enable-force-cgi-redirect
            fastcgi_param  REDIRECT_STATUS    200;

            #variables to make the $_SERVER populate in PHP
            fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
            fastcgi_param  QUERY_STRING       $query_string;
            fastcgi_param  REQUEST_METHOD     $request_method;
            fastcgi_param  CONTENT_TYPE       $content_type;
            fastcgi_param  CONTENT_LENGTH     $content_length;

            fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;

            fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
            fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

            fastcgi_param  REMOTE_ADDR        $remote_addr;
            fastcgi_param  HTTPS              on;
          }
        '';
      };
    };
    virtualHosts."phab-ws.lukegb.com" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:22280/";
        proxyWebsockets = true;
      };
    };
  };

  services.phpfpm.phpOptions = ''
    zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
    extension=${pkgs.phpPackages.mailparse}/lib/php/extensions/mailparse.so

    opcache.validate_timestamps=0
    opcache.enable_cli=1
  '';
  services.phpfpm.pools.phabricator = {
    user = "phabricator";
    settings = {
      "listen.owner" = config.services.nginx.user;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 5;
      "php_admin_value[error_log]" = "syslog";
      "php_admin_flag[log_errors]" = true;
      "php_admin_value[date.timezone]" = "Europe/London";
      "php_admin_value[post_max_size]" = "512M";
      "php_admin_value[memory_limit]" = "-1";
      "php_admin_value[max_input_vars]" = "999999999";
      "php_admin_value[upload_max_filesize]" = "512M";
      "catch_workers_output" = true;
    };
    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
  };

  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    extraOptions = ''
      max_allowed_packet = 128M
      sql_mode = STRICT_ALL_TABLES
      innodb_buffer_pool_size = 1600M
      local_infile = 0
    '';
  };

  services.postfix = {
    enable = true;
    domain = "phab.lukegb.com";
    hostname = "phab.lukegb.com";
    extraAliases = ''
      phabricator: "|${pkgs.php}/bin/php /srv/http/phab.lukegb.com/phabricator/scripts/mail/mail_handler.php"
    '';
    virtual = ''
      @phab.lukegb.com phabricator@localhost
    '';
    extraConfig = ''
      milter_protocol = 2
      milter_default_action = accept
      smtpd_milters = ${config.services.opendkim.socket}
      non_smtpd_milters = ${config.services.opendkim.socket}
    '';
  };
  services.opendkim = {
    enable = true;
    domains = "csl:phab.lukegb.com";
    selector = "marukuru";
  };

  security.acme = {
    acceptTerms = true;
    email = "letsencrypt@lukegb.com";
  };

  boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
  boot.kernel.sysctl."net.core.default_qdisc" = "fq_codel";

  system.stateVersion = "20.03";
})