252 lines
6.8 KiB
Nix
252 lines
6.8 KiB
Nix
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
{ depot, lib, pkgs, rebuilder, config, ... }:
|
|
let
|
|
inherit (depot.ops) secrets;
|
|
in {
|
|
imports = [
|
|
../../../third_party/nixpkgs/nixos/modules/installer/scan/not-detected.nix
|
|
../lib/client.nix
|
|
../lib/whitby-distributed.nix
|
|
../lib/twitternuke.nix
|
|
];
|
|
|
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
|
|
boot.kernelModules = lib.mkAfter [ "kvm-intel" ];
|
|
boot.kernelParams = [ "mitigations=off" ];
|
|
|
|
fileSystems = let
|
|
zfs = device: {
|
|
device = device;
|
|
fsType = "zfs";
|
|
};
|
|
in {
|
|
"/" = zfs "zboot/safe/root";
|
|
"/nix" = zfs "zboot/local/nix";
|
|
|
|
"/home" = zfs "tank/safe/home";
|
|
"/export" = zfs "tank/safe/export";
|
|
"/srv" = zfs "tank/safe/srv";
|
|
"/srv/pancake" = zfs "tank/safe/srv/pancake";
|
|
|
|
"/boot" = {
|
|
device = "/dev/disk/by-uuid/D178-4E19";
|
|
fsType = "vfat";
|
|
};
|
|
};
|
|
|
|
# Use the systemd-boot EFI boot loader.
|
|
boot.loader.systemd-boot.enable = true;
|
|
boot.loader.efi.canTouchEfiVariables = true;
|
|
|
|
nix.maxJobs = lib.mkDefault 8;
|
|
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
|
|
virtualisation = {
|
|
podman.enable = true;
|
|
};
|
|
|
|
# Extra packages.
|
|
environment.systemPackages = with pkgs; [
|
|
oven-media-engine
|
|
(depot.nix.pkgs.secretsync.configure {
|
|
workingDir = "/home/lukegb/depot";
|
|
gitlabAccessToken = secrets.deployer.gitlabAccessToken;
|
|
manifestVariable = "SECRETS_MANIFEST";
|
|
variablesToFile = {
|
|
"OPS_SECRETS_DEFAULT_NIX" = "ops/secrets/default.nix";
|
|
};
|
|
})
|
|
];
|
|
|
|
# Networking!
|
|
networking = {
|
|
hostName = "totoro"; # Define your hostname.
|
|
domain = "lukegb.xyz";
|
|
hostId = "676c08c4";
|
|
useDHCP = false;
|
|
interfaces.br-ext.useDHCP = true;
|
|
bridges.br-ext.interfaces = [ "enp0s31f6" ];
|
|
|
|
interfaces.br-int = {
|
|
virtual = true;
|
|
useDHCP = false;
|
|
ipv4.addresses = [{ address = "10.0.0.2"; prefixLength = 24; }];
|
|
};
|
|
bridges.br-int.interfaces = [];
|
|
};
|
|
my.ip.tailscale = "100.122.86.11";
|
|
|
|
# Virtualisation
|
|
virtualisation.libvirtd = {
|
|
enable = true;
|
|
allowedBridges = [ "virbr0" "br-ext" ];
|
|
};
|
|
users.users.lukegb = {
|
|
packages = with depot.pkgs; [ irssi ];
|
|
extraGroups = lib.mkAfter [ "libvirtd" ];
|
|
};
|
|
users.users.pancake = {
|
|
isSystemUser = true;
|
|
group = "pancake";
|
|
home = "/srv/pancake";
|
|
};
|
|
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
|
|
users.groups.pancake = {
|
|
members = ["pancake" "nginx"];
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"L /var/lib/export - - - - /export"
|
|
];
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
virtualHosts = {
|
|
"invoices.lukegb.com" = let
|
|
fastcgi = {
|
|
extraConfig = ''
|
|
rewrite ^(.*)$ /index.php break;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_index index.php;
|
|
fastcgi_pass unix:${config.services.phpfpm.pools.pancake.socket};
|
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
|
'';
|
|
};
|
|
in {
|
|
root = "/srv/pancake/public_html";
|
|
useACMEHost = "invoices.lukegb.com";
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
tryFiles = "$uri $uri/ @router";
|
|
index = "index.html index.php";
|
|
extraConfig = ''
|
|
error_page 403 = @router;
|
|
error_page 404 = @router;
|
|
'';
|
|
};
|
|
locations."~ (.php|\\/[^./]+)$" = fastcgi;
|
|
locations."@router" = fastcgi;
|
|
};
|
|
};
|
|
};
|
|
services.phpfpm = let settingsBase = {
|
|
"listen.owner" = config.services.nginx.user;
|
|
"pm" = "dynamic";
|
|
"pm.max_children" = 32;
|
|
"pm.max_requests" = 500;
|
|
"pm.start_servers" = 2;
|
|
"pm.min_spare_servers" = 2;
|
|
"pm.max_spare_servers" = 5;
|
|
"php_admin_value[error_log]" = "stderr";
|
|
"php_admin_flag[log_errors]" = true;
|
|
"catch_workers_output" = true;
|
|
}; in {
|
|
pools.pancake = {
|
|
user = "pancake";
|
|
group = "pancake";
|
|
settings = settingsBase;
|
|
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
|
};
|
|
};
|
|
services.mysql = {
|
|
enable = true;
|
|
package = pkgs.mariadb;
|
|
ensureDatabases = ["pancake"];
|
|
ensureUsers = [{
|
|
name = "pancake";
|
|
ensurePermissions = {
|
|
"pancake.*" = "ALL PRIVILEGES";
|
|
};
|
|
}];
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
email = "letsencrypt@lukegb.com";
|
|
certs."invoices.lukegb.com" = {
|
|
domain = "invoices.lukegb.com";
|
|
dnsProvider = "cloudflare";
|
|
credentialsFile = secrets.cloudflareCredentials;
|
|
postRun = ''
|
|
systemctl reload nginx
|
|
'';
|
|
};
|
|
};
|
|
|
|
services.prometheus = {
|
|
enable = true;
|
|
stateDir = "export/monitoring/prometheus";
|
|
alertmanagers = [{
|
|
scheme = "http";
|
|
static_configs = [{
|
|
targets = ["localhost:${toString config.services.prometheus.alertmanager.port}"];
|
|
}];
|
|
}];
|
|
scrapeConfigs = builtins.attrValues depot.ops.nixos.systemExporters;
|
|
|
|
pushgateway.enable = true;
|
|
|
|
alertmanager = {
|
|
enable = true;
|
|
configuration = {
|
|
global = {};
|
|
route = {
|
|
receiver = "default-receiver";
|
|
};
|
|
receivers = [{
|
|
name = "default-receiver";
|
|
slack_configs = [{
|
|
send_resolved = true;
|
|
api_url = secrets.monitoring.alertmanager.discord.api_url;
|
|
channel = "#alerts";
|
|
}];
|
|
}];
|
|
};
|
|
};
|
|
};
|
|
services.grafana = {
|
|
enable = true;
|
|
addr = "0.0.0.0";
|
|
port = 3000;
|
|
domain = "grafana.int.lukegb.com";
|
|
rootUrl = "https://grafana.int.lukegb.com/";
|
|
|
|
extraOptions = let
|
|
convertName = name: lib.toUpper (builtins.replaceStrings ["." "-"] ["_" "_"] name);
|
|
convertOptionSection = sectionName: lib.mapAttrsToList (name: value: { name = "${convertName sectionName}_${convertName name}"; inherit value; });
|
|
convertOptions = opts: builtins.listToAttrs (builtins.concatLists (lib.mapAttrsToList convertOptionSection opts));
|
|
in convertOptions {
|
|
"auth.proxy" = {
|
|
enabled = "true";
|
|
header_name = "X-Pomerium-Claim-Email";
|
|
header_property = "email";
|
|
headers = "username:X-Pomerium-Claim-User";
|
|
auto_sign_up = "true";
|
|
};
|
|
security.cookie_secure = "true";
|
|
};
|
|
};
|
|
systemd.services.grafana.preStart = let
|
|
cfg = config.services.grafana;
|
|
plugins = with depot.pkgs.grafana-plugins; [
|
|
grafana-piechart-panel
|
|
grafana-clock-panel
|
|
grafana-worldmap-panel
|
|
grafana-polystat-panel
|
|
];
|
|
pluginLines = lib.concatMapStringsSep "\n" (pkg: ''
|
|
ln -sf ${pkg} ${cfg.dataDir}/plugins/${pkg.pname}
|
|
'') plugins;
|
|
in lib.mkAfter ''
|
|
rm -rf ${cfg.dataDir}/plugins
|
|
mkdir ${cfg.dataDir}/plugins
|
|
${pluginLines}
|
|
'';
|
|
|
|
system.stateVersion = "20.03";
|
|
}
|