Pull in oracles configuration

2022-05-13 20:28:07 -04:00 · 2022-05-13 20:28:07 -04:00 · 3541ce53c9
parent e6e409b77a
commit 3541ce53c9
7 changed files with 407 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -100,6 +100,12 @@
        ./applications/syncthing.nix
        ./desktop.nix
      ];
+      serverModules = coreModules ++ [
+        ./modules/zt.nix
+        ./modules/autoupdate.nix
+        ./applications/devel-core.nix
+        ./applications/devel-core-linux.nix
+      ];
      mozillaOverlay = import "${mozilla}";
    in
    {
@ -123,6 +129,28 @@
          ] ++ desktopModules;
        };

+        oracles = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = {
+            unstable = import nixpkgs-unstable {
+              config = { allowUnfree = true; };
+              overlays = [ ];
+              system = "x86_64-linux";
+            };
+            fenix = fenix.packages.x86_64-linux;
+          };
+          modules = [
+            ./hardware/oracles.nix
+            ./machines/oracles.nix
+            ./home-linux.nix
+            ./applications/devel-rust.nix
+            ./modules/docker.nix
+            ./system-specific/oracles/matrix.nix
+            ./system-specific/oracles/gitlab-runner.nix
+            ./system-specific/oracles/gitea.nix
+          ] ++ serverModules;
+        };
+
        x86vm = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
          specialArgs = {
--- a/hardware/oracles.nix
+++ b/hardware/oracles.nix
@ -0,0 +1,61 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/882E-B495";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var" =
+    {
+      device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+      fsType = "btrfs";
+      options = [ "subvol=var" ];
+    };
+
+  fileSystems."/etc" =
+    {
+      device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+      fsType = "btrfs";
+      options = [ "subvol=etc" ];
+    };
+
+  fileSystems."/nix" =
+    {
+      device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  fileSystems."/home" =
+    {
+      device = "/dev/disk/by-uuid/26b08694-708a-447d-be16-abc3fc2b0d70";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/2c823521-9ab0-44bb-9f40-3963757cf4b5"; }];
+
+}
--- a/machines/oracles.nix
+++ b/machines/oracles.nix
@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  # Configure networking
+  networking = {
+    hostName = "oracles";
+    domain = "mccarty.io";
+    useDHCP = false;
+    interfaces.enp1s0f1.ipv4.addresses = [{
+      address = "104.238.220.96";
+      prefixLength = 24;
+    }];
+    defaultGateway = "104.238.220.1";
+    nameservers = [ "172.23.98.121" "1.1.1.1" ];
+  };
+
+  # Open ports in firewall
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 22 80 443 ];
+  networking.firewall.enable = true;
+  # Trust zerotier interface
+  networking.firewall.trustedInterfaces = [ "zt5u4uutwm" ];
+
+  # Add nginx and acme certs
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+  };
+  security.acme = {
+    email = "nathan@mccarty.io";
+    acceptTerms = true;
+  };
+  # Redis
+  services.redis.enable = true;
+  services.redis.bind = "172.23.108.12";
+}
--- a/modules/autoupdate.nix
+++ b/modules/autoupdate.nix
@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Autoupdate the system
+  system.autoUpgrade = {
+    enable = true;
+    allowReboot = true;
+    # Update from the flake
+    flake = "github:nathans-flakes/system";
+    # Attempt to update daily at 2AM
+    dates = "2:00";
+  };
+}
--- a/system-specific/oracles/gitea.nix
+++ b/system-specific/oracles/gitea.nix
@ -0,0 +1,91 @@
+{ config, pkgs, lib, ... }:
+{
+  # Setup gitea
+  services.gitea = {
+    enable = true;
+    appName = "Nathan's Git";
+    database = {
+      type = "sqlite3";
+    };
+    domain = "git.mccarty.io";
+    rootUrl = "https://git.mccarty.io";
+    httpPort = 3001;
+    settings = {
+      ui = {
+        DEFAULT_THEME = "arc-green";
+      };
+      service = {
+        DISABLE_REGISTRATION = lib.mkForce true;
+      };
+      repository = {
+        DEFAULT_BRANCH = "main";
+      };
+    };
+    lfs.enable = true;
+  };
+  # Setup the docker networking for woodpecker
+  systemd.services.init-woodpecker-network-and-files = {
+    description = "Create the network bridge woodpecker-br for filerun.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    before = [ "docker-woodpecker-server" ];
+
+    serviceConfig.Type = "oneshot";
+    script =
+      let dockercli = "${config.virtualisation.docker.package}/bin/docker";
+      in
+      ''
+         # Put a true at the end to prevent getting non-zero return code, which will
+         # crash the whole service.
+         check=$(${dockercli} network ls | grep "woodpecker-br" || true)
+         if [ -z "$check" ]; then
+           ${dockercli} network create woodpecker-br
+        else
+          echo "woodpecker-br already exists in docker"
+        fi
+      '';
+  };
+  # Setup woodpecker
+  virtualisation.oci-containers.containers = {
+    woodpecker-server = {
+      image = "woodpeckerci/woodpecker-server:latest";
+      ports = [ "8000:8000" ];
+      volumes = [ "woodpecker-server-data:/var/lib/drone" ];
+      environment = {
+        WOODPECKER_OPEN = "true";
+        WOODPECKER_GITEA = "true";
+        WOODPECKER_HOST = "https://ci.mccarty.io";
+        WOODPECKER_GITEA_URL = "https://git.mccarty.io";
+        WOODPECKER_LIMIT_CPU_QUOTA = "400000";
+        WOODPECKER_LIMIT_MEM = "2147483648";
+      };
+      environmentFiles = [ "/var/lib/secret/woodpecker-server" ];
+      extraOptions = [ "--network=woodpecker-br" ];
+    };
+    woodpecker-agent = {
+      image = "woodpeckerci/woodpecker-agent:latest";
+      dependsOn = [ "woodpecker-server" ];
+      volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+      environment = {
+        WOODPECKER_SERVER = "woodpecker-server:9000";
+        WOODPECKER_MAX_PROCS = "2";
+      };
+      environmentFiles = [ "/var/lib/secret/woodpecker-agent" ];
+      extraOptions = [ "--network=woodpecker-br" ];
+    };
+  };
+
+
+  services.nginx = {
+    virtualHosts."git.mccarty.io" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://localhost:3001";
+    };
+    virtualHosts."ci.mccarty.io" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://localhost:8000";
+    };
+  };
+}
--- a/system-specific/oracles/gitlab-runner.nix
+++ b/system-specific/oracles/gitlab-runner.nix
@ -0,0 +1,107 @@
+{ config, pkgs, lib, ... }:
+{
+  # Make sure docker containers can reach the network
+  boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
+  # Make sure docker is enabled
+  virtualisation.docker.enable = true;
+  # Enable binfmt-misc so we can run aarch64 containers
+  boot.binfmt.emulatedSystems = [ "wasm32-wasi" "aarch64-linux" ];
+  services.gitlab-runner = {
+    enable = true;
+    concurrent = 4;
+    checkInterval = 1;
+    services = {
+      default-asuran = {
+        registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
+        dockerImage = "debian:stable";
+        dockerVolumes = [
+          "/var/run/docker.sock:/var/run/docker.sock"
+        ];
+        dockerPrivileged = true;
+        tagList = [ "linux-own" ];
+      };
+
+      nix = with lib;{
+        # File should contain at least these two variables:
+        # `CI_SERVER_URL`
+        # `REGISTRATION_TOKEN`
+        registrationConfigFile = "/var/lib/secret/gitlab-runner/rcm-nix"; # 2
+        dockerImage = "alpine";
+        dockerVolumes = [
+          "/nix/store:/nix/store:ro"
+          "/nix/var/nix/db:/nix/var/nix/db:ro"
+          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+          "/var/lib/secret/cache:/var/lib/secret/cache"
+        ];
+        dockerDisableCache = true;
+        preBuildScript = pkgs.writeScript "setup-container" ''
+          mkdir -p -m 0755 /nix/var/log/nix/drvs
+          mkdir -p -m 0755 /nix/var/nix/gcroots
+          mkdir -p -m 0755 /nix/var/nix/profiles
+          mkdir -p -m 0755 /nix/var/nix/temproots
+          mkdir -p -m 0755 /nix/var/nix/userpool
+          mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+          mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+          mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+          mkdir -p -m 0700 "$HOME/.nix-defexpr"
+          . ${pkgs.nix}/etc/profile.d/nix.sh
+          ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-21.05 nixpkgs # 3
+          ${pkgs.nix}/bin/nix-channel --update nixpkgs
+          ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nixUnstable cacert git openssh ])}
+        '';
+        environmentVariables = {
+          ENV = "/etc/profile";
+          USER = "root";
+          NIX_REMOTE = "daemon";
+          PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+          NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+        };
+        tagList = [ "nix" ];
+        requestConcurrency = 8;
+        limit = 4;
+        runUntagged = true;
+      };
+
+      nix-asuran = with lib;{
+        # File should contain at least these two variables:
+        # `CI_SERVER_URL`
+        # `REGISTRATION_TOKEN`
+        registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-nix"; # 2
+        dockerImage = "alpine";
+        dockerVolumes = [
+          "/nix/store:/nix/store:ro"
+          "/nix/var/nix/db:/nix/var/nix/db:ro"
+          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+          "/var/lib/secret/cache:/var/lib/secret/cache"
+        ];
+        dockerDisableCache = true;
+        preBuildScript = pkgs.writeScript "setup-container" ''
+          mkdir -p -m 0755 /nix/var/log/nix/drvs
+          mkdir -p -m 0755 /nix/var/nix/gcroots
+          mkdir -p -m 0755 /nix/var/nix/profiles
+          mkdir -p -m 0755 /nix/var/nix/temproots
+          mkdir -p -m 0755 /nix/var/nix/userpool
+          mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+          mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+          mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+          mkdir -p -m 0700 "$HOME/.nix-defexpr"
+          . ${pkgs.nix}/etc/profile.d/nix.sh
+          ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-21.05 nixpkgs # 3
+          ${pkgs.nix}/bin/nix-channel --update nixpkgs
+          ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nixUnstable cacert git openssh ])}
+        '';
+        environmentVariables = {
+          ENV = "/etc/profile";
+          USER = "root";
+          NIX_REMOTE = "daemon";
+          PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+          NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+        };
+        tagList = [ "nix" ];
+        requestConcurrency = 8;
+        limit = 4;
+        runUntagged = true;
+      };
+    };
+  };
+}
--- a/system-specific/oracles/matrix.nix
+++ b/system-specific/oracles/matrix.nix
@ -0,0 +1,65 @@
+{ pkgs, lib, config, unstable, ... }:
+{
+  services.postgresql.enable = true;
+  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'matrix-synapse';
+    CREATE DATABASE "synapse" WITH OWNER "synapse"
+      TEMPLATE template0
+      LC_COLLATE = "C"
+      LC_CTYPE = "C";
+  '';
+
+  services.nginx = {
+    virtualHosts = {
+      "matrix.mccarty.io" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."/".extraConfig = ''
+          rewrite ^(.*)$ http://element.mccarty.io$1 redirect;
+        '';
+
+        # forward all Matrix API calls to the synapse Matrix homeserver
+        locations."/_matrix" = {
+          proxyPass = "http://[::1]:8008"; # without a trailing /
+        };
+        locations."/_synapse" = {
+          proxyPass = "http://[::1]:8008"; # without a trailing /
+        };
+      };
+      "element.mccarty.io" = {
+        enableACME = true;
+        forceSSL = true;
+        root = unstable.element-web;
+      };
+    };
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    enable_registration = true;
+    server_name = "mccarty.io";
+    listeners = [
+      {
+        port = 8008;
+        bind_address = "::1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          {
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
+    database_user = "matrix-synapse";
+    database_name = "synapse";
+    extraConfig = ''
+      ip_range_whitelist:
+        - '172.23.0.0/16'
+      registration_requires_token: true
+    '';
+  };
+}