-rwxr-xr-x.gitignore2
-rw-r--r--flake.lock95
-rwxr-xr-xhost/Rory-nginx/configuration.nix4
-rwxr-xr-xhost/Rory-nginx/hosts/rory.gay/matrix.nix5
-rwxr-xr-xhost/Rory-nginx/hosts/thearcanebrony.net/root.nix6
-rwxr-xr-xhost/Rory-nginx/post-rebuild.sh32
-rwxr-xr-xhost/Rory-nginx/software.nix1
-rwxr-xr-xhost/Rory-synapse/software.nix12
-rwxr-xr-xmodules/base-server.nix54
-rwxr-xr-xmodules/base.nix32
-rwxr-xr-xmodules/users/Rory.nix1
-rwxr-xr-xmodules/users/db2k.nix16
-rwxr-xr-xmodules/users/levi.nix18
13 files changed, 264 insertions, 14 deletions
diff --git a/.gitignore b/.gitignore
index 0e78cf9..45d5e0e 100755
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 hardware-configuration.nix
 .vscode/
+matrix-user-tokens.txt
+nixpkgs/
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..10f6a29
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,95 @@
+{
+  "nodes": {
+    "botcore-v4": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1683656302,
+        "narHash": "sha256-I2eu+9/i0ktqNzQwkc0NuczQ2UThCBf8L9xnZ8v3NSM=",
+        "owner": "BotCore-Devs",
+        "repo": "BotCore-v4",
+        "rev": "0e8738ba7df060782df050dc733b0bfc8c499830",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "BotCore-Devs",
+        "ref": "staging",
+        "repo": "BotCore-v4",
+        "type": "gitlab"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1690982105,
+        "narHash": "sha256-32AzoLuwhtxBItcULRiCnxRfJcbVXbPZSH9TDVg21mU=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "b2ac1d2c32ac11b8d231d23622cdc4b2f28d07d2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "master",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1683408522,
+        "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1690881714,
+        "narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9e1960bc196baf6881340d53dccb203a951745a2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 0,
+        "narHash": "sha256-MwJDlUWc8vybt5IAnCYzB0L/NoZLIWDYQ+9cn+MEECU=",
+        "path": "/Rory-Open-Architecture/nixpkgs",
+        "type": "path"
+      },
+      "original": {
+        "path": "/Rory-Open-Architecture/nixpkgs",
+        "type": "path"
+      }
+    },
+    "root": {
+      "inputs": {
+        "botcore-v4": "botcore-v4",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs_3"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix
index c38a1bf..2f2f7cc 100755
--- a/host/Rory-nginx/configuration.nix
+++ b/host/Rory-nginx/configuration.nix
@@ -4,9 +4,11 @@
   imports =
     [
       ../../modules/base-server.nix
+      ../../modules/users/levi.nix
+      ../../modules/users/db2k.nix
       ./software.nix
     ];
-
+  users.groups.ocp = {};
   networking = {
     hostName = "Rory-nginx";
     interfaces.ens18.ipv4.addresses = [ { 
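Review bot: `users.groups.ocp = {};` is declared in this host file, but the group is only referenced by the two modules imported just above it (`levi.nix`, `db2k.nix`) through `extraGroups`, so importing either module into another host would point at a group that host never creates. Declaring `users.groups.ocp = {};` inside each user module instead keeps them self-contained (NixOS merges duplicate attrset definitions of the same group), and a one-line comment on what `ocp` grants would help, since the name is explained nowhere in the commit. The enclosing module attrset starts before and ends after the hunk.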
diff --git a/host/Rory-nginx/hosts/rory.gay/matrix.nix b/host/Rory-nginx/hosts/rory.gay/matrix.nix
index 60a8e2c..46514a2 100755
--- a/host/Rory-nginx/hosts/rory.gay/matrix.nix
+++ b/host/Rory-nginx/hosts/rory.gay/matrix.nix
@@ -25,6 +25,11 @@
   		# https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker
 	locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
 		proxyPass = "http://generic_workers_upstream$request_uri";
+                extraConfig = ''
+                     proxy_read_timeout 300;
+                     proxy_connect_timeout 300;
+                     proxy_send_timeout 300; 
+                  '';
 	};
 	locations."~ ^/_matrix/client/(api/v1|r0|v3)/events$" = {
 		proxyPass = "http://generic_workers_upstream$request_uri";
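Review bot: The added `extraConfig` block is space-indented to a different column than the tab-indented attrset it sits in, and `proxy_send_timeout 300; ` carries trailing whitespace; re-indent with tabs to match `proxyPass` and strip the space. The 300s read/connect/send timeouts on `/sync` alone are undocumented, so a comment such as `# /sync long-polls; give it more than nginx's 60s default proxy timeout` would tell the next reader why this location differs from the neighbouring ones. The enclosing vhost attrset starts before and ends after the hunk.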
diff --git a/host/Rory-nginx/hosts/thearcanebrony.net/root.nix b/host/Rory-nginx/hosts/thearcanebrony.net/root.nix
index 722e989..bd23f10 100755
--- a/host/Rory-nginx/hosts/thearcanebrony.net/root.nix
+++ b/host/Rory-nginx/hosts/thearcanebrony.net/root.nix
@@ -2,9 +2,11 @@
   enableACME = true;
   addSSL = true;
   root = "/data/nginx/html_thearcanebrony";
+  extraConfig = ''
+    autoindex on;'';
   locations = {
     "/" = {
-      index = "index.html";
+      #index = "index.html";
     };
     "/destroy" = {
       return = "301 https://gitlab.com/KinoshitaProductions/SecureDestroyer/-/raw/master/run";
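Review bot: `autoindex on;` at the vhost level, combined with commenting out `index = "index.html";`, makes nginx list every directory under `/data/nginx/html_thearcanebrony` including `/`, so anything left in that tree (editor backups, dotfiles, a `.git` directory) becomes enumerable to anyone on the internet. If only one subtree is meant to be browsable, scope it to that location, e.g. `locations."/<listing-dir>/".extraConfig = "autoindex on;";` with the placeholder replaced, and restore the root `index`. Note that `disable_symlinks off` in host/Rory-nginx/software.nix on this page widens this further, because symlinks inside the listed tree are followed. The enclosing vhost attrset starts before and ends after the hunk.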
@@ -35,4 +37,4 @@
     }';
   ''; 
   };
-}
\ No newline at end of file
+}
diff --git a/host/Rory-nginx/post-rebuild.sh b/host/Rory-nginx/post-rebuild.sh
new file mode 100755
index 0000000..ea6e013
--- /dev/null
+++ b/host/Rory-nginx/post-rebuild.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused nix coreutils jq openssl
+#set -x
+REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt`
+LOCALPART='rory.gay'
+REACHABLE_DOMAIN='http://localhost:8008'
+
+# -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md
+# Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat>
+# Explicit authorisation to use the code has been granted by the original author
+#  for use by members of the Rory system (https://rory.gay)
+
+
+# the magic function:
+register(){
+	echo "Registering $1"
+	_nonce=`curl -s http://localhost:8008/_synapse/admin/v1/register | jq -r .nonce`
+	#data: nonce, domain, username, password
+	_hmac=`printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" |  openssl dgst -sha1 -hmac "$REG_KEY" |  awk '{print $2}'`
+	curl -s -XPOST -d '{"nonce": "'"$_nonce"'", "username": "'"$1"'", "displayname": "'"$1"'", "password": "'"$2"'", "admin": true, "mac": "'"$_hmac"'"}' $REACHABLE_DOMAIN/_synapse/admin/v1/register | tee -a matrix-user-tokens.txt
+	echo
+}
+
+# -- END OF LICENSED CODE
+
+
+
+PASSWD=`cat /etc/matrix-user-pass`
+for u in {draupnir,Alicia,Emma,Rory,root,Quetzelle}
+do 
+	register $u $PASSWD
+done
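Review bot: The registration request `curl -s -XPOST -d '{"nonce": "'"$_nonce"'", ...}'` builds its JSON body by string concatenation and passes it in argv, so a username or password containing `"` or `\` produces a malformed or mis-registered request, and the password (and `$REG_KEY`, via `openssl dgst -hmac`) is readable by every local process through `ps` while the call runs. The `_nonce` fetch is unchecked — if curl or jq fails the script carries on with an empty or literal `null` nonce — and its URL is hard-coded to `http://localhost:8008` while the POST uses `$REACHABLE_DOMAIN`. `tee -a matrix-user-tokens.txt` appends the full response, which for this endpoint includes the new account's access token, to a file in whatever directory the script happens to run from and with whatever the current umask allows; write it to a fixed path under `umask 077` or drop the persistence. `LOCALPART` is unused, and the loop call should be quoted: `register "$u" "$PASSWD"`.
```shell
register(){
	echo "Registering $1"
	_nonce=$(curl -s "$REACHABLE_DOMAIN/_synapse/admin/v1/register" | jq -r .nonce)
	if [ -z "$_nonce" ] || [ "$_nonce" = null ]; then
		echo "could not fetch a registration nonce for $1" >&2
		return 1
	fi
	#data: nonce, domain, username, password
	_hmac=$(printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" | openssl dgst -sha1 -hmac "$REG_KEY" | awk '{print $2}')
	# jq escapes the values; sending the body on stdin keeps the password out of argv
	jq -n --arg nonce "$_nonce" --arg user "$1" --arg pw "$2" --arg mac "$_hmac" \
		'{nonce: $nonce, username: $user, displayname: $user, password: $pw, admin: true, mac: $mac}' \
		| curl -s -XPOST -H 'Content-Type: application/json' --data-binary @- \
			"$REACHABLE_DOMAIN/_synapse/admin/v1/register" | tee -a matrix-user-tokens.txt
	echo
}
```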
diff --git a/host/Rory-nginx/software.nix b/host/Rory-nginx/software.nix
index 6423c08..56b09f4 100755
--- a/host/Rory-nginx/software.nix
+++ b/host/Rory-nginx/software.nix
@@ -27,6 +27,7 @@
         '';
       appendHttpConfig = ''
         #sendfile on;
+        disable_symlinks off;
       '';
       upstreams = import ./matrix/upstreams.nix;
       additionalModules = with pkgs.nginxModules; [
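Review bot: `disable_symlinks off;` is placed in `appendHttpConfig`, so it applies to every vhost on this server and makes nginx follow any symlink under any document root; the new git-shell users `db2k` and `levi` (later in this commit) have their home under `/data/nginx/html_git`, so a symlink they push into a served checkout would resolve to arbitrary files readable by the nginx user. If the intent is only to allow symlinks the operator created, `disable_symlinks if_not_owner from=/data/nginx;` expresses that while still refusing links owned by other users; otherwise move the directive into the one vhost that needs it. A comment stating which site relies on symlinks would also help, since the commit gives no reason. The enclosing `services.nginx` attrset starts before and ends after the hunk.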
diff --git a/host/Rory-synapse/software.nix b/host/Rory-synapse/software.nix
index ea24c91..5db557b 100755
--- a/host/Rory-synapse/software.nix
+++ b/host/Rory-synapse/software.nix
@@ -93,11 +93,11 @@
       allow_device_name_lookup_over_federation = true;
 
       federation = {
-        client_timeout = "10s";
-        max_short_retries = 3;
-        max_short_retry_delay = "30s";
+        client_timeout = "60s";
+        max_short_retries = 6;
+        max_short_retry_delay = "10s";
         max_long_retries = 5;
-        max_long_retry_delay = "5m";
+        max_long_retry_delay = "30s";
       };
 
       event_cache_size = "30K"; #defaults to 10K
@@ -114,7 +114,7 @@
 
       # Alicia - figure this out later...
       #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"];
-      #registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
+      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
       
       listeners = [
         { 
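Review bot: Uncommenting `registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";` enables shared-secret registration, so anyone who can read that file can mint admin accounts (post-rebuild.sh in this commit does exactly that), yet nothing here provisions the file or pins its owner and mode, and the surrounding comments (`# Alicia - figure this out later...` and the dead `builtins.exec` line) no longer describe what is configured. Provision it explicitly — a `systemd.tmpfiles.rules` entry or a documented manual step — owned by the matrix-synapse service user with mode 0400, and replace the stale comments with one line saying where the secret comes from. `cp_max = 50` in the last hunk should stay within the PostgreSQL `max_connections` budget once multiplied by the worker count; that limit is not visible on this page, so confirm it. The enclosing settings attrset starts before and ends after the hunk.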
@@ -145,7 +145,7 @@
           host = "127.0.0.1";
           application_name = "matrix-synapse (rory.gay)";
           cp_min = 5;
-          cp_max = 15;
+          cp_max = 50;
           #cp_reconnect_interval = "True";
         };
       };
diff --git a/modules/base-server.nix b/modules/base-server.nix
index d577306..76f5947 100755
--- a/modules/base-server.nix
+++ b/modules/base-server.nix
@@ -7,6 +7,56 @@
        ./users/chris.nix
     ];
   documentation.nixos.enable = false;
+  documentation.enable = false;
+  documentation.info.enable = false;
+  documentation.man.enable = false;
+
+  
+  environment.variables.BROWSER = "echo";
+
+  nix.settings.trusted-users = [ "root" "@wheel" ];
+
+  time.timeZone = lib.mkDefault "UTC";
+  systemd = {
+    # Given that our systems are headless, emergency mode is useless.
+    # We prefer the system to attempt to continue booting so
+    # that we can hopefully still access it remotely.
+    enableEmergencyMode = false;
+
+    # For more detail, see:
+    #   https://0pointer.de/blog/projects/watchdog.html
+    watchdog = {
+      # systemd will send a signal to the hardware watchdog at half
+      # the interval defined here, so every 10s.
+      # If the hardware watchdog does not get a signal for 20s,
+      # it will forcefully reboot the system.
+      runtimeTime = "20s";
+      # Forcefully reboot if the final stage of the reboot
+      # hangs without progress for more than 30s.
+      # For more info, see:
+      #   https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+      rebootTime = "30s";
+    };
+
+    sleep.extraConfig = ''
+      AllowSuspend=no
+      AllowHibernation=no
+    '';
+  };
+
+  systemd.services.NetworkManager-wait-online.enable = false;
+  systemd.network.wait-online.enable = false;
+  systemd.services.systemd-networkd.stopIfChanged = false;
+  systemd.services.systemd-resolved.stopIfChanged = false;
+  nix.settings.max-free = lib.mkDefault (1000 * 1000 * 1000);
+  nix.settings.min-free = lib.mkDefault (128 * 1000 * 1000);
+
+  # TODO: cargo culted.
+  nix.daemonCPUSchedPolicy = lib.mkDefault "batch";
+  nix.daemonIOSchedClass = lib.mkDefault "idle";
+  nix.daemonIOSchedPriority = lib.mkDefault 7;
+
+
   # My servers always use /dev/sda as boot disk...
   boot = {
     kernelPackages = pkgs.linuxPackages_latest;
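Review bot: `nix.settings.trusted-users = [ "root" "@wheel" ];` lets every wheel member hand the daemon arbitrary substituters, signing keys and sandbox overrides, which is root-equivalent on the build side; base.nix on this page already grants wheel passwordless sudo (`security.sudo.wheelNeedsPassword = false;`), so it adds little exposure here, but that reasoning belongs in a comment, e.g. `# wheel already has passwordless sudo; trusted-users grants nothing further on these hosts`. The `# TODO: cargo culted.` block keeps `nix.daemonCPUSchedPolicy`/`daemonIOSchedClass`/`daemonIOSchedPriority` that the author says are not understood — either drop them or document the effect observed. The `watchdog` comments assume a hardware watchdog is present; on a VM that exposes none, `runtimeTime` presumably does nothing, which is worth a hedged note so nobody relies on it. The enclosing module attrset starts before and ends after the hunk.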
@@ -26,6 +76,7 @@
   networking = {
     hostName = lib.mkDefault "Rory-nix-base-server";
     networkmanager.enable = false;
+    useNetworkd = true;
     wireless.enable = false;
     enableIPv6 = false;
     firewall = {
@@ -35,7 +86,8 @@
     };
 
     useDHCP = false;
-    nameservers = [ "1.1.1.1" ];
+#     nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" "8.4.4.8" ];
+    nameservers = [ "10.10.0.4" "10.10.0.5" ];
     defaultGateway = "192.168.1.1";
   };
 
diff --git a/modules/base.nix b/modules/base.nix
index b0e1d95..ffc08f9 100755
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -6,7 +6,12 @@
       ./packages/vim.nix
       ./users/Rory.nix
     ];
-  boot.kernelParams = [ "memory_hotplug.memmap_on_memory=1" "memhp_default_state=online" ];
+  boot.kernelParams = [ 
+    "memory_hotplug.memmap_on_memory=1"
+    "memhp_default_state=online"
+    "net.core.default_qdisc=fq"
+    "net.ipv4.tcp_congestion_control=bbr"
+  ];
   networking = {
     hostName = lib.mkDefault "Rory-nix-base";
     firewall = {
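Review bot: `net.core.default_qdisc=fq` and `net.ipv4.tcp_congestion_control=bbr` are sysctls, not kernel command-line parameters; on the command line they are ignored unless written with the `sysctl.` prefix on a kernel new enough to honour it, and BBR additionally needs the `tcp_bbr` module loaded where it is not built in. The NixOS form is `boot.kernel.sysctl."net.core.default_qdisc" = "fq";`, `boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";` and `boot.kernelModules = [ "tcp_bbr" ];`, which works regardless of kernel version. The enclosing module attrset starts before and ends after the hunk.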
@@ -29,8 +34,13 @@
     };	
   };
 
-  sound.enable = lib.mkDefault true;
-  hardware.pulseaudio.enable = lib.mkDefault true;
+
+  systemd = {
+    sleep.extraConfig = ''
+      AllowSuspend=no
+      AllowHibernation=no
+      '';
+  };
 
   environment.systemPackages = with pkgs; [
     wget
@@ -47,12 +57,26 @@
     neovim
 #    vimPlugins.vim-nix
     tmux
+    jq
+    yq
+    pv
+    dig
+    cloud-utils
   ];
 
   systemd.coredump.extraConfig = lib.mkDefault ''
     Storage=none
   '';
-
+  nix.settings.trusted-substituters = [
+    "https://nix-community.cachix.org"
+    "https://cache.garnix.io"
+    "https://numtide.cachix.org"
+  ];
+  nix.settings.trusted-public-keys = [
+    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+    "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+  ];
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
   nixpkgs.config.allowUnfree = true;
   security.sudo.wheelNeedsPassword = false;
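Review bot: `nix.settings.trusted-substituters` only whitelists caches that unprivileged users may request with `--option substituters`; it does not make the daemon use them, so if the goal is for builds on these hosts to pull from cachix/garnix/numtide the option is `nix.settings.substituters` with the same three URLs. Adding the keys to `trusted-public-keys` means every host importing base.nix accepts any store path signed by them, so each key should be checked against the cache's published value out of band before merging, and a comment should record where it was taken from; also confirm the generated nix.conf still lists the cache.nixos.org key alongside these. The enclosing module attrset starts before and ends after the hunk.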
diff --git a/modules/users/Rory.nix b/modules/users/Rory.nix
index 3079f7b..b9c5722 100755
--- a/modules/users/Rory.nix
+++ b/modules/users/Rory.nix
@@ -13,6 +13,7 @@
       #"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT+53Hy3wbIlNVIomK2RroaimMWrTlUkndjHt1dFuyh root@pfSense-arcane-home.localdomain"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILF2IuNu//0DP/wKMuDvBgVT3YBS2uULsipbdrhJCTM7 thearcanebrony@tab-linux-desktop"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/kNkY/E5b6rvCQLMaSbpLQ/xoyywIwVVu9uo2j/B6p Rory@RoryNix"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNhsYWo5pEilXQGcn2SOuvzIdy67QpdtC7vnmlJB9WX Administrator@nt-6mnnvobcjimo"
     ];
   };
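Review bot: The added key is identified only by its comment `Administrator@nt-6mnnvobcjimo`, which names neither a person nor a role, unlike the neighbouring entries (`thearcanebrony@tab-linux-desktop`, `Rory@RoryNix`); add a `#` comment above it recording which machine and owner it belongs to so a later rotation or removal can be done with confidence. The enclosing `openssh.authorizedKeys.keys` list starts before the hunk.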
 
diff --git a/modules/users/db2k.nix b/modules/users/db2k.nix
new file mode 100755
index 0000000..a6dc7cd
--- /dev/null
+++ b/modules/users/db2k.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+  users.groups.db2k = {};
+  users.users.db2k = {
+    isSystemUser = true;
+    extraGroups = [ "ocp" ];
+    group = "db2k";
+    home = "/data/nginx/html_git/.ocp";
+    shell = "${pkgs.git}/bin/git-shell";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMfXA4Oh0LZqY8LAS/lnANKVDBlemHGPWdtep1GE/LId garyzipperer09@gmail.com"
+    ];
+  };
+}
+
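Review bot: `db2k` and `levi` (next hunk) are two distinct system users that share one home, `/data/nginx/html_git/.ocp`, and one group `ocp`; with a shared home neither user's git-shell data (`~/git-shell-commands`, anything pushed there) is separable from the other's, so if per-user isolation is intended give each its own home and use `ocp` only on the shared repository directory. That home also sits under the nginx tree (`/data/nginx/html_git`), and `disable_symlinks off` in host/Rory-nginx/software.nix on this page lets nginx follow any symlink these users push, so either keep the directory out of the served roots or confirm `html_git` is not a vhost root. `isSystemUser = true` without `createHome` means the directory must already exist with the right ownership, which nothing in this commit provisions. The file is complete within the hunk.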
diff --git a/modules/users/levi.nix b/modules/users/levi.nix
new file mode 100755
index 0000000..bb28656
--- /dev/null
+++ b/modules/users/levi.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+
+{
+  users.groups.levi = {};
+  users.users.levi = {
+    isSystemUser = true;
+    extraGroups = [ "ocp" ];
+    group = "levi";
+    home = "/data/nginx/html_git/.ocp";
+    shell = "${pkgs.git}/bin/git-shell";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/DfjjvYlNVRSwuhxYq3MkUNQch5UJ4ktpDAAAYUTVa"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5c7dxZ3eOYxNo4pB5c/EdtR5E8RSqG4jJEjrIvVPws0Ab2zJ9tyzDmLMuUZqUWljbj/fVQhXRWuL92NtQUYnhwhdTC+hCf+hxWXahX6KU+mMUtlaLGD3BGGWKM6NO9uJq0wGIKemCX8dXfCSgVewV2Y6WBHnu5JLrnemStEMy67AT8uffVAgPiIKoIWhKxkSVqiWWQNhX/TPq1aOl+7igH9bV7Zc3eu1ST7SnNuR+Ma4OxDZUMV66Ovl5543vmNBbiTpRgs7nsOWTPT3oIMRL9bIMjwXh5GA0qUA1jXx+QFMyqsaReco9RtcM7tSp2KxP+ekYjWWthaa1JVzeuLFuR90NqASpUyXyWfZmwAZlimralBkWGx2fxviOu80h9HPUjYQEzoYBokSQVx/6H6O/na6IASw0GUTmQWINVhuFEcRJDXRs5nXPnZXp5aKgZjBDgK7T4U3M1fGdv/94oWPZG+BqcuM/JHeNGnqaitCobRXDprB0TTVefDsj+E0uJV8= levijordan007@gmail.com"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILF2IuNu//0DP/wKMuDvBgVT3YBS2uULsipbdrhJCTM7 thearcanebrony@tab-linux-desktop"
+    ];
+  };
+}
+