From 3541ce53c9e0506837a88c82540dd57190863ab2 Mon Sep 17 00:00:00 2001 From: Nathan McCarty Date: Fri, 13 May 2022 20:28:07 -0400 Subject: [PATCH] Pull in oracles configuration
---
 flake.nix | 28 ++++++ hardware/oracles.nix | 61 ++++++++++++ machines/oracles.nix | 42 +++++++++ modules/autoupdate.nix | 13 +++ system-specific/oracles/gitea.nix | 91 ++++++++++++++++++ system-specific/oracles/gitlab-runner.nix | 107 ++++++++++++++++++++++ system-specific/oracles/matrix.nix | 65 +++++++++++++ 7 files changed, 407 insertions(+) create mode 100644 hardware/oracles.nix create mode 100644 machines/oracles.nix create mode 100644 modules/autoupdate.nix create mode 100644 system-specific/oracles/gitea.nix create mode 100644 system-specific/oracles/gitlab-runner.nix create mode 100644 system-specific/oracles/matrix.nix
diff --git a/flake.nix b/flake.nix
index f4d9af0..e1aaa29 100644
--- a/flake.nix
+++ b/flake.nix
@@ -100,6 +100,12 @@
 ./applications/syncthing.nix
 ./desktop.nix
 ];
+ serverModules = coreModules ++ [
+ ./modules/zt.nix
+ ./modules/autoupdate.nix
+ ./applications/devel-core.nix
+ ./applications/devel-core-linux.nix
+ ];
 mozillaOverlay = import "${mozilla}";
 in
 {
@@ -123,6 +129,28 @@
 ] ++ desktopModules;
 };
+ oracles = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {
+ unstable = import nixpkgs-unstable {
+ config = { allowUnfree = true; };
+ overlays = [ ];
+ system = "x86_64-linux";
+ };
+ fenix = fenix.packages.x86_64-linux;
+ };
+ modules = [
+ ./hardware/oracles.nix
+ ./machines/oracles.nix
+ ./home-linux.nix
+ ./applications/devel-rust.nix
+ ./modules/docker.nix
+ ./system-specific/oracles/matrix.nix
+ ./system-specific/oracles/gitlab-runner.nix
+ ./system-specific/oracles/gitea.nix
+ ] ++ serverModules;
+ };
+
+ x86vm = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {
diff --git a/hardware/oracles.nix b/hardware/oracles.nix
new file mode 100644
index 0000000..98c57d4
--- /dev/null
+++ b/hardware/oracles.nix
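Review bot: In the `oracles` entry the string `"x86_64-linux"` is spelled out three times (`system`, `unstable.system`, and as the attribute path in `fenix.packages.x86_64-linux`), so a host copied from this block for another architecture can silently drift between them; bind it once, e.g. `oracles = let system = "x86_64-linux"; in nixpkgs.lib.nixosSystem { inherit system; … fenix = fenix.packages.${system}; … }`. The `x86vm` entry that follows appears to use the same layout, so the same binding would apply there. The enclosing attribute set begins and ends outside the hunk.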
@@ -0,0 +1,61 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/882E-B495";
+ fsType = "vfat";
+ };
+
+ fileSystems."/var" =
+ {
+ device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+ fsType = "btrfs";
+ options = [ "subvol=var" ];
+ };
+
+ fileSystems."/etc" =
+ {
+ device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+ fsType = "btrfs";
+ options = [ "subvol=etc" ];
+ };
+
+ fileSystems."/nix" =
+ {
+ device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ fileSystems."/home" =
+ {
+ device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/2c823521-9ab0-44bb-9f40-3963757cf4b5"; }];
+
+}
diff --git a/machines/oracles.nix b/machines/oracles.nix
new file mode 100644
index 0000000..fd8590f
--- /dev/null
+++ b/machines/oracles.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ # Configure networking
+ networking = {
+ hostName = "oracles";
+ domain = "mccarty.io";
+ useDHCP = false;
+ interfaces.enp1s0f1.ipv4.addresses = [{
+ address = "104.238.220.96";
+ prefixLength = 24;
+ }];
+ defaultGateway = "104.238.220.1";
+ nameservers = [ "172.23.98.121" "1.1.1.1" ];
+ };
+
+ # Open ports in firewall
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 22 80 443 ];
+ networking.firewall.enable = true;
+ # Trust zerotier interface
+ networking.firewall.trustedInterfaces = [ "zt5u4uutwm" ];
+
+ # Add nginx and acme certs
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+ security.acme = {
+ email = "nathan@mccarty.io";
+ acceptTerms = true;
+ };
+ # Redis
+ services.redis.enable = true;
+ services.redis.bind = "172.23.108.12";
+}
diff --git a/modules/autoupdate.nix b/modules/autoupdate.nix
new file mode 100644
index 0000000..e4d6e16
--- /dev/null
+++ b/modules/autoupdate.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Autoupdate the system
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = true;
+ # Update from the flake
+ flake = "github:nathans-flakes/system";
+ # Attempt to update daily at 2AM
+ dates = "2:00";
+ };
+}
diff --git a/system-specific/oracles/gitea.nix b/system-specific/oracles/gitea.nix
new file mode 100644
index 0000000..640b14f
--- /dev/null
+++ b/system-specific/oracles/gitea.nix
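Review bot: `networking.firewall.allowedUDPPorts = [ 22 80 443 ]` opens UDP ports that nothing in this file listens on — sshd and the nginx configured here are TCP-only and no HTTP/3 listener is set up — so it is dead exposure; drop the line or make it `networking.firewall.allowedUDPPorts = [ ];`. Separately, `services.redis.bind = "172.23.108.12"` looks like an address on the same 172.23.0.0/16 range as the trusted zerotier interface `zt5u4uutwm` (inferred from the address, please confirm), and because that interface is in `trustedInterfaces` the firewall passes every port on it, so any zerotier peer can reach a Redis with no authentication configured in this file. If only services on this host need it, bind to `127.0.0.1`; if remote clients are intended, set a password through the module's `requirePass` option (or its file-based variant where available, since a literal lands in the world-readable store) and say so in the `# Redis` comment.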
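Review bot: `allowReboot = true` combined with `flake = "github:nathans-flakes/system"` means every host that imports this module follows the default branch of that repository with no revision or tag pin, and reboots unattended when the upgrade changes the kernel or initrd — so a push to that branch (or a compromised account with push access) is effectively root on all of them by the next 02:00 run. If that is the intended trust model, say so in the comment, e.g. `# Unpinned: whoever can push to the flake repo controls every auto-updating host`; otherwise pin the flake to a tag or revision and promote deliberately. Consider also bounding the reboot with `system.autoUpgrade.rebootWindow` so a bad kernel does not take the machine down at an arbitrary hour.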
@@ -0,0 +1,91 @@
+{ config, pkgs, lib, ... }:
+{
+ # Setup gitea
+ services.gitea = {
+ enable = true;
+ appName = "Nathan's Git";
+ database = {
+ type = "sqlite3";
+ };
+ domain = "git.mccarty.io";
+ rootUrl = "https://git.mccarty.io";
+ httpPort = 3001;
+ settings = {
+ ui = {
+ DEFAULT_THEME = "arc-green";
+ };
+ service = {
+ DISABLE_REGISTRATION = lib.mkForce true;
+ };
+ repository = {
+ DEFAULT_BRANCH = "main";
+ };
+ };
+ lfs.enable = true;
+ };
+ # Setup the docker networking for woodpecker
+ systemd.services.init-woodpecker-network-and-files = {
+ description = "Create the network bridge woodpecker-br for filerun.";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ before = [ "docker-woodpecker-server" ];
+
+ serviceConfig.Type = "oneshot";
+ script =
+ let dockercli = "${config.virtualisation.docker.package}/bin/docker";
+ in
+ ''
+ # Put a true at the end to prevent getting non-zero return code, which will
+ # crash the whole service.
+ check=$(${dockercli} network ls | grep "woodpecker-br" || true)
+ if [ -z "$check" ]; then
+ ${dockercli} network create woodpecker-br
+ else
+ echo "woodpecker-br already exists in docker"
+ fi
+ '';
+ };
+ # Setup woodpecker
+ virtualisation.oci-containers.containers = {
+ woodpecker-server = {
+ image = "woodpeckerci/woodpecker-server:latest";
+ ports = [ "8000:8000" ];
+ volumes = [ "woodpecker-server-data:/var/lib/drone" ];
+ environment = {
+ WOODPECKER_OPEN = "true";
+ WOODPECKER_GITEA = "true";
+ WOODPECKER_HOST = "https://ci.mccarty.io";
+ WOODPECKER_GITEA_URL = "https://git.mccarty.io";
+ WOODPECKER_LIMIT_CPU_QUOTA = "400000";
+ WOODPECKER_LIMIT_MEM = "2147483648";
+ };
+ environmentFiles = [ "/var/lib/secret/woodpecker-server" ];
+ extraOptions = [ "--network=woodpecker-br" ];
+ };
+ woodpecker-agent = {
+ image = "woodpeckerci/woodpecker-agent:latest";
+ dependsOn = [ "woodpecker-server" ];
+ volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+ environment = {
+ 
WOODPECKER_SERVER = "woodpecker-server:9000";
+ WOODPECKER_MAX_PROCS = "2";
+ };
+ environmentFiles = [ "/var/lib/secret/woodpecker-agent" ];
+ extraOptions = [ "--network=woodpecker-br" ];
+ };
+ };
+
+
+ services.nginx = {
+ virtualHosts."git.mccarty.io" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:3001";
+ };
+ virtualHosts."ci.mccarty.io" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:8000";
+ };
+ };
+}
diff --git a/system-specific/oracles/gitlab-runner.nix b/system-specific/oracles/gitlab-runner.nix
new file mode 100644
index 0000000..6fb4007
--- /dev/null
+++ b/system-specific/oracles/gitlab-runner.nix
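Review bot: `before = [ "docker-woodpecker-server" ]` names the container unit without its `.service` suffix; as far as I recall systemd treats that as an invalid unit name and drops the dependency with a warning, so the oneshot that creates `woodpecker-br` is not actually ordered before the container started with `--network=woodpecker-br` — change it to `before = [ "docker-woodpecker-server.service" ];`. The unit's `description` still says "for filerun", which reads as a copy-paste leftover. Both containers use the mutable `:latest` tag, so what runs on this host changes with every image pull rather than with a reviewed commit; pin to a release tag or an `@sha256:<DIGEST_PLACEHOLDER>` digest. The agent mounts `/var/run/docker.sock`, which makes every pipeline step host-root-equivalent; that is the standard woodpecker layout, but it deserves a comment next to the mount, e.g. `# host docker socket: any pipeline step effectively has root on this machine`.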
@@ -0,0 +1,107 @@
+{ config, pkgs, lib, ... }:
+{
+ # Make sure docker containers can reach the network
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
+ # Make sure docker is enabled
+ virtualisation.docker.enable = true;
+ # Enable binfmt-misc so we can run aarch64 containers
+ boot.binfmt.emulatedSystems = [ "wasm32-wasi" "aarch64-linux" ];
+ services.gitlab-runner = {
+ enable = true;
+ concurrent = 4;
+ checkInterval = 1;
+ services = {
+ default-asuran = {
+ registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
+ dockerImage = "debian:stable";
+ dockerVolumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ dockerPrivileged = true;
+ tagList = [ "linux-own" ];
+ };
+
+ nix = with lib;{
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `REGISTRATION_TOKEN`
+ registrationConfigFile = "/var/lib/secret/gitlab-runner/rcm-nix"; # 2
+ dockerImage = "alpine";
+ dockerVolumes = [
+ "/nix/store:/nix/store:ro"
+ "/nix/var/nix/db:/nix/var/nix/db:ro"
+ "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+ "/var/lib/secret/cache:/var/lib/secret/cache"
+ ];
+ dockerDisableCache = true;
+ preBuildScript = pkgs.writeScript "setup-container" ''
+ mkdir -p -m 0755 /nix/var/log/nix/drvs
+ mkdir -p -m 0755 /nix/var/nix/gcroots
+ mkdir -p -m 0755 /nix/var/nix/profiles
+ mkdir -p -m 0755 /nix/var/nix/temproots
+ mkdir -p -m 0755 /nix/var/nix/userpool
+ mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+ mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+ mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+ mkdir -p -m 0700 "$HOME/.nix-defexpr"
+ . 
${pkgs.nix}/etc/profile.d/nix.sh
+ ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-21.05 nixpkgs # 3
+ ${pkgs.nix}/bin/nix-channel --update nixpkgs
+ ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nixUnstable cacert git openssh ])}
+ '';
+ environmentVariables = {
+ ENV = "/etc/profile";
+ USER = "root";
+ NIX_REMOTE = "daemon";
+ PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+ NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+ };
+ tagList = [ "nix" ];
+ requestConcurrency = 8;
+ limit = 4;
+ runUntagged = true;
+ };
+
+ nix-asuran = with lib;{
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `REGISTRATION_TOKEN`
+ registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-nix"; # 2
+ dockerImage = "alpine";
+ dockerVolumes = [
+ "/nix/store:/nix/store:ro"
+ "/nix/var/nix/db:/nix/var/nix/db:ro"
+ "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+ "/var/lib/secret/cache:/var/lib/secret/cache"
+ ];
+ dockerDisableCache = true;
+ preBuildScript = pkgs.writeScript "setup-container" ''
+ mkdir -p -m 0755 /nix/var/log/nix/drvs
+ mkdir -p -m 0755 /nix/var/nix/gcroots
+ mkdir -p -m 0755 /nix/var/nix/profiles
+ mkdir -p -m 0755 /nix/var/nix/temproots
+ mkdir -p -m 0755 /nix/var/nix/userpool
+ mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+ mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+ mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+ mkdir -p -m 0700 "$HOME/.nix-defexpr"
+ . 
${pkgs.nix}/etc/profile.d/nix.sh
+ ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-21.05 nixpkgs # 3
+ ${pkgs.nix}/bin/nix-channel --update nixpkgs
+ ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nixUnstable cacert git openssh ])}
+ '';
+ environmentVariables = {
+ ENV = "/etc/profile";
+ USER = "root";
+ NIX_REMOTE = "daemon";
+ PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+ NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+ };
+ tagList = [ "nix" ];
+ requestConcurrency = 8;
+ limit = 4;
+ runUntagged = true;
+ };
+ };
+ };
+}
diff --git a/system-specific/oracles/matrix.nix b/system-specific/oracles/matrix.nix
new file mode 100644
index 0000000..095ae3e
--- /dev/null
+++ b/system-specific/oracles/matrix.nix
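Review bot: The `nix` and `nix-asuran` runner definitions are identical apart from `registrationConfigFile`, so the channel URL, the volume list, the pre-build script and the environment now have to be kept in sync in two places; a small helper that takes the registration file removes the duplication (sketch below). The channel added in `preBuildScript`, `nixos-21.05`, had already been superseded by 21.11 at the commit date, so jobs install from a release no longer receiving updates, and the `# 1`, `# 2` and `# 3` markers refer to footnotes that are not in this file — add them as real comments or drop the markers. `default-asuran` is both `dockerPrivileged = true` and mounts `/var/run/docker.sock`; either on its own gives a job host-root-equivalent access, so confirm both are needed and note that next to the definition, e.g. `# privileged + host docker socket: jobs on this runner can do anything root can`. `runUntagged = true` on the two nix runners also lets jobs with no tag land there, which is worth a one-line comment if intended.
```nix
services.gitlab-runner = {
  # … unchanged: enable, concurrent, checkInterval …
  services =
    let
      # A nix-capable runner; instances differ only in their registration file.
      mkNixRunner = registrationConfigFile: with lib; {
        inherit registrationConfigFile;
        dockerImage = "alpine";
        # … unchanged: dockerVolumes, dockerDisableCache, preBuildScript,
        #     environmentVariables, tagList, requestConcurrency, limit, runUntagged …
      };
    in
    {
      # … unchanged: default-asuran …
      nix = mkNixRunner "/var/lib/secret/gitlab-runner/rcm-nix";
      nix-asuran = mkNixRunner "/var/lib/secret/gitlab-runner/asuran-nix";
    };
};
```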
@@ -0,0 +1,65 @@
+{ pkgs, lib, config, unstable, ... }:
+{
+ services.postgresql.enable = true;
+ services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'matrix-synapse';
+ CREATE DATABASE "synapse" WITH OWNER "synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+
+ services.nginx = {
+ virtualHosts = {
+ "matrix.mccarty.io" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/".extraConfig = ''
+ rewrite ^(.*)$ http://element.mccarty.io$1 redirect;
+ '';
+
+ # forward all Matrix API calls to the synapse Matrix homeserver
+ locations."/_matrix" = {
+ proxyPass = "http://[::1]:8008"; # without a trailing /
+ };
+ locations."/_synapse" = {
+ proxyPass = "http://[::1]:8008"; # without a trailing /
+ };
+ };
+ "element.mccarty.io" = {
+ enableACME = true;
+ forceSSL = true;
+ root = unstable.element-web;
+ };
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ enable_registration = true;
+ server_name = "mccarty.io";
+ listeners = [
+ {
+ port = 8008;
+ bind_address = "::1";
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ database_user = "matrix-synapse";
+ database_name = "synapse";
+ extraConfig = ''
+ ip_range_whitelist:
+ - '172.23.0.0/16'
+ registration_requires_token: true
+ '';
+ };
+}
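Review bot: `CREATE DATABASE "synapse" WITH OWNER "synapse"` names a role the script never creates — the role defined one line earlier is `"matrix-synapse"`, which is also what `database_user` expects — so PostgreSQL will reject the CREATE DATABASE for a missing role and synapse starts with no database; change it to `CREATE DATABASE "synapse" WITH OWNER "matrix-synapse"`. Because `initialScript` runs only when the cluster is first initialised, a host where it has already run will need the database created by hand (inferred from how the option is normally used). The role password is the literal username `'matrix-synapse'` committed in the flake; if synapse connects over the local socket with peer authentication it is unused and could be dropped, otherwise it should not live in the repository. The `/` rewrite redirects to `http://element.mccarty.io`, which the `element.mccarty.io` vhost then bounces to https via `forceSSL`; point it at `https://element.mccarty.io$1` directly to save the plaintext hop.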