aynish/helm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

holy moly we're almost there

Browse Source
This commit is contained in:
Anish Lakhwara
2022-09-19 08:13:50 +10:00
commit 3693732aac
203 changed files with 17247 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/backup.nix
+53
View File
@@ -0,0 +1,53 @@
# TODO:
# This currently works on a per host basis, and the host file has to define all the locations it wants to back up.
# Ideally, this would create a job for each profile instead, so the backup strategy is included in the profile regardless of host
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.mossnet.backup;
in
{
options = {
mossnet.backup = {
enable = mkEnableOption "Backup module using borg for Anish's computer nursery";
name = lib.mkOption {
type = types.str;
default = { };
example = literalExample ''
mossnet
'';
description = ''
name for the backup operator
'';
};
paths = lib.mkOption {
type = with types; listOf str;
default = { };
example = literalExample ''
[ "/home/anish/usr" ];
'';
description = ''
A list of folders to backup
'';
};
};
};
config = mkIf cfg.enable {
services.borgbackup.jobs = {
"${cfg.name}" = {
paths = cfg.paths;
doInit = true;
repo = "20779@hk-s020.rsync.net:${cfg.name}";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/agenix/borg-password";
};
environment = { BORG_RSH = "ssh -i /root/borg/borg-key"; }; # YOU NEED TO PUT THIS HERE MANUALLY
compression = "auto,lzma";
startAt = "daily";
extraArgs = "--remote-path=borg1";
};
};
};
}
modules/gonic.nix
+109
View File
@@ -0,0 +1,109 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gonic;
configFile = "/etc/gonic/config";
dataFolder = "/var/lib/gonic";
in {
options = {
services.gonic = {
enable = mkEnableOption "Gonic music server and streamer";
settings = lib.mkOption {
type = types.str;
default = {};
example = literalExample ''
music-path <path to your music dir>
podcast-path <path to your podcasts dir>
cache-path <path to cache dir>
'';
description = ''
Configuration for Gonic, see <link xlink:href="https://github.com/sentriz/gonic"/> for supported values.
'';
};
user = mkOption {
type = types.str;
default = "gonic";
description = "User account under which gonic runs.";
};
group = mkOption {
type = types.str;
default = "gonic";
description = "Group account under which gonic runs.";
};
};
};
config = mkIf cfg.enable {
environment.etc."gonic/config".text = cfg.settings;
systemd.services.gonic = {
description = "gonic Music Server and Streamer compatible with Subsonic/Airsonic";
after = [ "remote-fs.target" "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
#GONIC_MUSIC_PATH
#GONIC_PODCAST_PATH
#GONIC_CACHE_PATH
#GONIC_DB_PATH
GONIC_SCAN_INTERVAL="800";
#...
};
serviceConfig = {
ExecStart = "${pkgs.gonic}/bin/gonic -config-path /etc/gonic/config";
WorkingDirectory = dataFolder;
TimeoutStopSec = "20";
KillMode = "process";
Restart = "on-failure";
RestartSec = "10";
User = cfg.user;
Group = cfg.group;
DevicePolicy = "closed";
NoNewPrivileges= " yes";
PrivateTmp = "yes";
PrivateUsers = "yes";
ProtectControlGroups = "yes";
ProtectKernelModules = "yes";
ProtectKernelTunables = "yes";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
RestrictNamespaces = "yes";
RestrictRealtime = "yes";
SystemCallFilter = "~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap";
ReadWritePaths = dataFolder;
StateDirectory = baseNameOf dataFolder;
};
};
users.users = optionalAttrs (cfg.user == "gonic") ({
gonic = {
description = "gonic service user";
name = cfg.user;
group = cfg.group;
isSystemUser = true;
};
});
users.groups = optionalAttrs (cfg.group == "gonic") ({
gonic = {};
});
services.nginx.virtualHosts."music.mossnet.lan" = {
enableACME = false;
forceSSL = false;
locations."/" = {
extraConfig = ''
proxy_pass http://localhost:4747/;
proxy_set_header X-Forwarded-Host $host;
'';
};
};
};
}
modules/heisenbridge.nix.bak
+112
View File
@@ -0,0 +1,112 @@
{ config, lib, pkgs, ... }: with lib; let
cfg = config.services.heisenbridge;
heisenbridgeAppserviceConfig = {
id = "heisenbridge";
url = "http://${cfg.listenAddress}:${toString cfg.listenPort}";
as_token = cfg.appServiceToken;
hs_token = cfg.homeserverToken;
rate_limited = false;
sender_localpart = cfg.senderLocalpart;
namespaces = {
users = [{ regex = "@irc_.*"; exclusive = true; }];
aliases = [ ];
rooms = [ ];
};
};
heisenbridgeConfigYaml = pkgs.writeText "heisenbridge.yaml" (
generators.toYAML { } heisenbridgeAppserviceConfig);
in
{
options = {
services.heisenbridge = {
enable = mkEnableOption "heisenbridge, a bouncer-style Matrix IRC bridge.";
identd.enable = mkEnableOption "identd for heisenbridge" // {
default = true;
};
homeserver = mkOption {
type = types.str;
default = "http://localhost:8008";
description = "The URL of the Matrix homeserver.";
};
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1";
description = "The address for heisenbridge to listen on.";
};
listenPort = mkOption {
type = types.int;
default = 9898;
description = "The port for heisenbridge to listen on.";
};
senderLocalpart = mkOption {
type = types.str;
default = "heisenbridge";
description = "The localpart of the heisenbridge admin bot's username.";
};
ownerId = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The owner MXID (for example, @user:homeserver) of the bridge. If
unspecified, the first talking local user will claim the bridge.
'';
};
appServiceToken = mkOption {
type = types.str;
description = ''
This is the token that the app service should use as its access_token
when using the Client-Server API. This can be anything you want.
'';
};
homeserverToken = mkOption {
type = types.str;
description = ''
This is the token that the homeserver will use when sending requests
to the app service. This can be anything you want.
'';
};
};
};
config = mkIf cfg.enable {
meta.maintainers = [ maintainers.sumnerevans ];
services.matrix-synapse.app_service_config_files = [
heisenbridgeConfigYaml
];
# Create a user for heisenbridge.
users.users.heisenbridge = {
group = "heisenbridge";
isSystemUser = true;
};
users.groups.heisenbridge = { };
# Open ports for identd.
networking.firewall.allowedTCPPorts = mkIf cfg.identd.enable [ 113 ];
systemd.services.heisenbridge = {
description = "Heisenbridge Matrix IRC bridge";
after = [ "matrix-synapse.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.heisenbridge}/bin/heisenbridge \
--config ${heisenbridgeConfigYaml} \
--verbose --verbose \
--listen-address ${cfg.listenAddress} \
--listen-port ${toString cfg.listenPort} \
--uid heisenbridge \
--gid heisenbridge \
${optionalString cfg.identd.enable "--identd"} \
${optionalString (cfg.ownerId != null) "--owner ${cfg.ownerId}"} \
${cfg.homeserver}
'';
Restart = "on-failure";
};
};
};
}
modules/hm-system-defaults.nix
+11
View File
@@ -0,0 +1,11 @@
{ config, ... }: {
home-manager.sharedModules = [
{
home.sessionVariables = {
inherit (config.environment.sessionVariables) NIX_PATH;
};
xdg.configFile."nix/registry.json".text =
config.environment.etc."nix/registry.json".text;
}
];
}
modules/nix-path.nix
+7
View File
@@ -0,0 +1,7 @@
{ channel, inputs, ... }: {
nix.nixPath = [
"nixpkgs=${channel.input}"
"nixos-config=${../lib/compat/nixos}"
"home-manager=${inputs.home}"
];
}
modules/wallabag.nix
+200
View File
@@ -0,0 +1,200 @@
{ config, options, lib, pkgs, ... }:
with lib;
let
cfg = config.services.wallabag;
poolName = "wallabag";
configFile = pkgs.writeTextFile {
name = "wallabag-config";
text = cfg.conf;
destination = "/config/parameters.yml";
};
appDir = pkgs.buildEnv {
name = "wallabag-app-dir";
ignoreCollisions = true;
checkCollisionContents = false;
paths = [ configFile "${cfg.package}/app" ];
};
in
{
options = {
services.wallabag = {
enable = mkEnableOption "wallabag";
user = mkOption {
type = types.str;
default = "nginx";
description = ''
User account under which both the update daemon and the web-application run.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/wallabag";
description = ''
Data directory.
'';
};
package = mkOption {
type = types.package;
default = pkgs.wallabag;
description = ''
Wallabag package to use.
'';
};
hostName = mkOption {
type = types.str;
description = ''
Name of the nginx virtualhost to use and setup.
'';
};
poolConfig = mkOption {
type = types.lines;
default = ''
pm = dynamic
pm.max_children = 75
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 20
pm.max_requests = 500
catch_workers_output = 1
'';
description = ''
Options for wallabag's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
'';
};
conf = mkOption {
type = types.str;
description = ''
Contents of the wallabag configuration file (parameters.yml)
'';
};
};
};
config = mkIf cfg.enable {
services.phpfpm.pools."${poolName}" = {
user = "${cfg.user}";
group = "nginx";
phpPackage = pkgs.php74;
settings = {
"listen.owner" = "nginx";
"listen.group" = "nginx";
"listen.mode" = "0600";
"user" = "${cfg.user}";
"group" = "nginx";
"env[WALLABAG_DATA]" = "${cfg.dataDir}";
"pm" = "dynamic";
"pm.max_children" = "75";
"pm.min_spare_servers" = "5";
"pm.max_spare_servers" = "20";
"pm.max_requests" = "10";
"catch_workers_output" = "1";
"php_admin_value[error_log]" = "/var/log/nginx/${poolName}-phpfpm-error.log";
};
};
services.phpfpm.phpOptions = ''
max_execution_time = 120
'';
services.nginx.enable = mkDefault true;
services.nginx.virtualHosts."${cfg.hostName}" = {
enableACME = false;
forceSSL = false;
root = "${cfg.package}/web";
extraConfig = ''
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
'';
locations."/" = {
extraConfig = ''
try_files $uri /app.php$is_args$args;
'';
};
locations."/assets".root = "${cfg.dataDir}/web";
locations."~ ^/app\\.php(/|$)" = {
extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools."${poolName}".socket};
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME ${cfg.package}/web/$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT ${cfg.package}/web;
fastcgi_read_timeout 120;
internal;
'';
};
locations."~ /(?!app)\\.php$" = {
extraConfig = ''
return 404;
'';
};
};
systemd.services.wallabag-install = {
description = "Wallabag install service";
wantedBy = [ "multi-user.target" ];
before = [ "phpfpm-wallabag.service" ];
after = [ "mysql.service" "postgresql.service" ];
path = with pkgs; [ coreutils php74 php74Packages.composer ];
serviceConfig = {
User = cfg.user;
Type = "oneshot";
RemainAfterExit = "yes";
PermissionsStartOnly = true;
};
preStart = ''
mkdir -p "${cfg.dataDir}"
chown ${cfg.user}:nginx "${cfg.dataDir}"
'';
script = ''
echo "Setting up wallabag files in ${cfg.dataDir} ..."
cd "${cfg.dataDir}"
rm -rf var/cache/*
rm -f app
ln -sf ${appDir} app
ln -sf ${cfg.package}/composer.{json,lock} .
export WALLABAG_DATA="${cfg.dataDir}"
if [ ! -f installed ]; then
echo "Install file not found, installing ..."
php ${cfg.package}/bin/console --env=prod doctrine:database:create --if-not-exists --no-interaction
php ${cfg.package}/bin/console --env=prod doctrine:migrations:migrate --no-interaction
# Until https://github.com/wallabag/wallabag/issues/3662 is fixed
# yes no | php ${cfg.package}/bin/console --env=prod wallabag:install
touch installed
else
php ${cfg.package}/bin/console --env=prod doctrine:migrations:migrate --no-interaction
fi
php ${cfg.package}/bin/console --env=prod cache:clear
'';
};
};
meta = with stdenv.lib; {
maintainers = with maintainers; [ nadrieril ];
};
}
modules/wireguard.nix
+54
View File
@@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.mossnet.wg;
in
{
options = {
mossnet.wg = {
enable = mkEnableOption "Gain access to all mossnet systems through wireguard";
ips = lib.mkOption {
type = with types; listOf str;
default = { };
example = literalExample ''
[ "10.0.69.2/24" ];
'';
description = ''
The IP this machine is allowed to connect to
'';
};
privateKeyFile = lib.mkOption {
type = types.path;
default = { };
example = literalExample ''
/run/agenix/wg-curve
'';
description = ''
The private ssh key file to use to connect!
Remember set age.secrets.*.file and age.secrets.*.user
'';
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedUDPPorts = [ 60990 ];
networking.wireguard.interfaces = {
wg0 = {
ips = cfg.ips;
listenPort = 60990; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = cfg.privateKeyFile;
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
publicKey = "c1J4p63rD3IlszugMZiki7UBV3YmDdqa3DU4UejXzAI=";
allowedIPs = [ "10.0.69.0/24" ];
# Set this to the server IP and port.
endpoint = "149.28.163.78:60990"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
persistentKeepalive = 25;
}
];
};
};
};
}