From 0bc4de4b8cdb9e7de876dc10f555a84aff16fd68 Mon Sep 17 00:00:00 2001
From: Tasia Iso
Date: Sat, 5 Oct 2024 09:59:58 +0200
Subject: [PATCH] set up for real server
---
 hosts/vulpecula-vps/configuration.nix | 76 +++++++++++++++++++
 hosts/vulpecula-vps/forgejo.nix | 60 +++++++++++++++
 hosts/vulpecula-vps/grafana.nix | 41 ++++++++++
 .../vulpecula-vps/hardware-configuration.nix | 35 +++++++++
 hosts/vulpecula-vps/tasiaiso.nix | 7 ++
 hosts/vulpecula/configuration.nix | 4 +-
 hosts/vulpecula/hardware-configuration.nix | 4 +-
 hosts/yaseen/configuration.nix | 2 +-
 hosts/yaseen/yubikey.nix | 16 ++--
 9 files changed, 232 insertions(+), 13 deletions(-)
 create mode 100644 hosts/vulpecula-vps/configuration.nix
 create mode 100644 hosts/vulpecula-vps/forgejo.nix
 create mode 100644 hosts/vulpecula-vps/grafana.nix
 create mode 100644 hosts/vulpecula-vps/hardware-configuration.nix
 create mode 100644 hosts/vulpecula-vps/tasiaiso.nix
diff --git a/hosts/vulpecula-vps/configuration.nix b/hosts/vulpecula-vps/configuration.nix
new file mode 100644
index 0000000..5cb871f
--- /dev/null
+++ b/hosts/vulpecula-vps/configuration.nix
@@ -0,0 +1,76 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
+ sshKeys = import ../../crypto/ssh-keys.nix;
+in {
+ imports = [
+ ./hardware-configuration.nix
+ ../../common/base.nix
+
+ ./forgejo.nix
+ # ./grafana.nix
+ ./tasiaiso.nix
+ ];
+
+ networking = {
+ hostName = "vulpecula";
+
+ firewall = {
+ allowedTCPPorts = [
+ 80
+ 443
+ # 22
+ ];
+ allowedUDPPorts = [
+ # 8080 # ?
+ ];
+ };
+ };
+
+ # Disable systemd-boot, use grub instead
+ boot = {
+ loader.systemd-boot.enable = lib.mkForce false;
+ initrd = {
+ enable = lib.mkForce true;
+ systemd.enable = lib.mkForce false;
+ };
+ };
+
+ boot.loader.grub.device = "/dev/sda";
+
+ users.users.tasia = {
+ isNormalUser = true;
+ description = "Tasia";
+ extraGroups = ["networkmanager" "wheel" "dialout"];
+ initialPassword = "correcthorsebatterystaple";
+ openssh.authorizedKeys.keys = [
+ sshKeys.tasia.yaseen
+ ];
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts."vulpecula.zone" = {
+ addSSL = true;
+ enableACME = true;
+ root = inputs.vulpecula-zone.packages.x86_64-linux.default;
+ };
+ };
+
+ # change when ppl can make their own website
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "tasiaiso@proton.me";
+ };
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+ networking.domain = "";
+ # users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@yaseen'' ];
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/vulpecula-vps/forgejo.nix b/hosts/vulpecula-vps/forgejo.nix
new file mode 100644
index 0000000..a050013
--- /dev/null
+++ b/hosts/vulpecula-vps/forgejo.nix
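Review bot: `initialPassword = "correcthorsebatterystaple";` on the new `users.users.tasia` (a `wheel` member) puts a widely known passphrase in plain text into the world-readable Nix store, on a host whose firewall now admits public traffic on 80 and 443. Prefer `hashedPasswordFile` pointing at a secret kept outside the store (or drop the password and rely on the authorized keys listed just below it), and confirm that `common/base.nix`, which is not in this patch, sets `services.openssh.settings.PasswordAuthentication = false;`. The same line is still present as context in `hosts/vulpecula/configuration.nix` later in this commit. The new file's blob `5cb871f` is identical to the pre-change `hosts/vulpecula/configuration.nix` (`index 5cb871f..15fa4ec`), and the same holds for `hardware-configuration.nix` (`d2b4c1c`), so this directory is a snapshot of the old host rather than a configuration generated on the VPS; `hostName = "vulpecula"` is consequently shared by both hosts and `boot.loader.grub.device = "/dev/sda"` and the root filesystem UUID should be checked against the actual VPS disk.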
@@ -0,0 +1,60 @@
+{config, ...}: {
+ services.nginx.virtualHosts."git.vulpecula.zone" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+ };
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.vulpecula.zone";
+ # You need to specify this to remove the port from URLs in the web UI.
+ ROOT_URL = "https://git.vulpecula.zone/";
+ HTTP_PORT = 62101;
+ # TODO
+ DISABLE_SSH = true;
+ };
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+ # Add support for actions, based on act: https://github.com/nektos/act
+ # actions = {
+ # ENABLED = true;
+ # DEFAULT_ACTIONS_URL = "github";
+ # };
+ # Sending emails is completely optional
+ # You can send a test email from the web UI at:
+ # Profile Picture > Site Administration > Configuration > Mailer Configuration
+ # mailer = {
+ # ENABLED = true;
+ # SMTP_ADDR = "mail.example.com";
+ # FROM = "noreply@${srv.DOMAIN}";
+ # USER = "noreply@${srv.DOMAIN}";
+ # };
+ };
+ # mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+ };
+
+ # services.gitea-actions-runner = {
+ # package = pkgs.forgejo-actions-runner;
+ # instances.default = {
+ # enable = true;
+ # name = "monolith";
+ # url = "https://git.vulpecula.zone";
+ # # Obtaining the path to the runner token file may differ
+ # tokenFile = config.age.secrets.forgejo-runner-token.path;
+ # labels = [
+ # "ubuntu-latest:docker://node:16-bullseye"
+ # "ubuntu-22.04:docker://node:16-bullseye"
+ # "ubuntu-20.04:docker://node:16-bullseye"
+ # "ubuntu-18.04:docker://node:16-buster"
+ # ## optionally provide native execution on the host:
+ # # "native:host"
+ # ];
+ # };
+ # };
+}
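Review bot: `services.forgejo.settings.server` sets `HTTP_PORT = 62101` but not `HTTP_ADDR`, so Forgejo keeps the module default and listens on every interface although nginx only ever reaches it through `localhost`; add `HTTP_ADDR = "127.0.0.1";` so the application port stays unreachable even if the `allowedTCPPorts` list in configuration.nix is widened later. The bare `# TODO` above `DISABLE_SSH = true;` does not say what is outstanding; record it, e.g. `# TODO: decide whether to expose git-over-SSH (22 is currently commented out of allowedTCPPorts)`. The commented-out mailer and actions-runner blocks reference `srv` and `pkgs`, neither of which is bound in this module's `{config, ...}:` arguments, so they would not evaluate if simply uncommented; either trim them to what is planned or note the missing bindings next to them.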
diff --git a/hosts/vulpecula-vps/grafana.nix b/hosts/vulpecula-vps/grafana.nix
new file mode 100644
index 0000000..9a7d87d
--- /dev/null
+++ b/hosts/vulpecula-vps/grafana.nix
@@ -0,0 +1,41 @@
+{config, ...}: {
+ services.nginx.virtualHosts."grafana.vulpecula.zone" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
+ };
+
+ services.grafana = {
+ enable = false;
+ settings.server = {
+ domain = "grafana.vulpecula.zone";
+ http_port = 62102;
+ http_addr = "0.0.0.0";
+ };
+ };
+
+ services.prometheus = {
+ enable = false;
+ port = 62103;
+ retentionTime = "60d";
+
+ exporters = {
+ node = {
+ enable = false;
+ enabledCollectors = ["systemd"];
+ port = 62104;
+ };
+ };
+
+ scrapeConfigs = [
+ {
+ job_name = "vulpecula";
+ static_configs = [
+ {
+ targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
+ }
+ ];
+ }
+ ];
+ };
+}
diff --git a/hosts/vulpecula-vps/hardware-configuration.nix b/hosts/vulpecula-vps/hardware-configuration.nix
new file mode 100644
index 0000000..d2b4c1c
--- /dev/null
+++ b/hosts/vulpecula-vps/hardware-configuration.nix
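Review bot: `http_addr = "0.0.0.0"` under `services.grafana.settings.server` binds Grafana on every interface although its only intended client is the nginx proxy on `localhost`; use `http_addr = "127.0.0.1";`, and consider `listenAddress = "127.0.0.1";` on `services.prometheus` and on `exporters.node` as well, since the scrape target already uses `127.0.0.1` and otherwise 62103/62104 are exposed on all interfaces with only the firewall list standing in the way. The `grafana.vulpecula.zone` virtual host with `enableACME = true` is declared unconditionally while `services.grafana.enable = false`, so once this module is imported (it is commented out in configuration.nix's `imports`) nginx would request a certificate for a name that proxies to a closed port; wrapping the vhost in `lib.mkIf config.services.grafana.enable` (adding `lib` to the module arguments) keeps the two in step.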
@@ -0,0 +1,35 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/b908efa0-fa9b-498e-9553-7346d9169fee";
+ fsType = "ext4";
+ };
+
+ swapDevices = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/vulpecula-vps/tasiaiso.nix b/hosts/vulpecula-vps/tasiaiso.nix
new file mode 100644
index 0000000..d83ea7e
--- /dev/null
+++ b/hosts/vulpecula-vps/tasiaiso.nix
@@ -0,0 +1,7 @@
+{inputs, ...}: {
+ services.nginx.virtualHosts."tasiaiso.vulpecula.zone" = {
+ addSSL = true;
+ enableACME = true;
+ root = inputs.tasiaiso-vulpecula-zone.packages.x86_64-linux.default;
+ };
+}
diff --git a/hosts/vulpecula/configuration.nix b/hosts/vulpecula/configuration.nix
index 5cb871f..15fa4ec 100644
--- a/hosts/vulpecula/configuration.nix
+++ b/hosts/vulpecula/configuration.nix
@@ -48,6 +48,8 @@ in {
 initialPassword = "correcthorsebatterystaple";
 openssh.authorizedKeys.keys = [
 sshKeys.tasia.yaseen
+ sshKeys.tasia.yubi-primary
+ sshKeys.tasia.yubi-spare
 ];
 };
@@ -71,6 +73,6 @@ in {
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = true;
 networking.domain = "";
- # users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@yaseen'' ];
+
 system.stateVersion = "24.05";
 }
diff --git a/hosts/vulpecula/hardware-configuration.nix b/hosts/vulpecula/hardware-configuration.nix
index d2b4c1c..93cc9e6 100644
--- a/hosts/vulpecula/hardware-configuration.nix
+++ b/hosts/vulpecula/hardware-configuration.nix
@@ -12,13 +12,13 @@
 (modulesPath + "/profiles/qemu-guest.nix")
 ];
- boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
 boot.initrd.kernelModules = [];
 boot.kernelModules = [];
 boot.extraModulePackages = [];
 fileSystems."/" = {
- device = "/dev/disk/by-uuid/b908efa0-fa9b-498e-9553-7346d9169fee";
+ device = "/dev/disk/by-uuid/07fc2564-a32c-48d7-a324-fc4a2b9a6c6a";
 fsType = "ext4";
 };
diff --git a/hosts/yaseen/configuration.nix b/hosts/yaseen/configuration.nix
index 61f2e8e..bf6a58c 100644
--- a/hosts/yaseen/configuration.nix
+++ b/hosts/yaseen/configuration.nix
@@ -168,7 +168,7 @@ in {
 services.printing.drivers = [pkgs.cnijfilter2];
- services.uptime-kuma.enable = true;
+ # services.uptime-kuma.enable = true;
 nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" "electron-27.3.11"
diff --git a/hosts/yaseen/yubikey.nix b/hosts/yaseen/yubikey.nix
index 497e3cb..dae7ce6 100644
--- a/hosts/yaseen/yubikey.nix
+++ b/hosts/yaseen/yubikey.nix
@@ -1,10 +1,8 @@
-{ pkgs, ... -}: { -# services.udev.packages = [ pkgs.yubikey-personalization ]; +{pkgs, ...}: { + # services.udev.packages = [ pkgs.yubikey-personalization ]; -# programs.gnupg.agent = { -# enable = true; -# enableSSHSupport = true; -# }; - -} \ No newline at end of file + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; +}