From 7010d98995fea8eda3c578fbfd13aecca918b7d9 Mon Sep 17 00:00:00 2001
From: TheArcaneBrony
Date: Tue, 28 Mar 2023 21:03:46 +0200
Subject: Initial commit
---
.gitignore | 4 +
build.sh | 22 +++++
flake.nix | 28 ++++++
host/Rory-postgres/configuration.nix | 51 ++++++++++
host/Spacebar-nginx/configuration.nix | 37 +++++++
host/Spacebar-nginx/hosts/spacebar.chat/root.nix | 10 ++
host/Spacebar-synapse/configuration.nix | 121 +++++++++++++++++++++++
host/Spacebar-synapse/post-rebuild.sh | 30 ++++++
host/Spacebar-synapse/pre-rebuild.sh | 9 ++
modules/base.nix | 76 ++++++++++++++
modules/monitoring.nix | 51 ++++++++++
modules/users/Rory.nix | 29 ++++++
modules/users/chris.nix | 14 +++
rebuild.sh | 2 +
update.sh | 3 +
15 files changed, 487 insertions(+)
create mode 100755 .gitignore
create mode 100755 build.sh
create mode 100755 flake.nix
create mode 100755 host/Rory-postgres/configuration.nix
create mode 100755 host/Spacebar-nginx/configuration.nix
create mode 100755 host/Spacebar-nginx/hosts/spacebar.chat/root.nix
create mode 100755 host/Spacebar-synapse/configuration.nix
create mode 100755 host/Spacebar-synapse/post-rebuild.sh
create mode 100755 host/Spacebar-synapse/pre-rebuild.sh
create mode 100755 modules/base.nix
create mode 100755 modules/monitoring.nix
create mode 100755 modules/users/Rory.nix
create mode 100755 modules/users/chris.nix
create mode 100755 rebuild.sh
create mode 100755 update.sh
diff --git a/.gitignore b/.gitignore
new file mode 100755
index 0000000..9a4d05c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+hardware-configuration.nix
+.vscode/
+secrets/
+result
\ No newline at end of file
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..901d857
--- /dev/null
+++ b/build.sh 
@@ -0,0 +1,22 @@
+#!/usr/bin/env sh
+if [ $# -ne 2 ]; then
+ echo "Usage: $0 "
+ echo "NOTE: hardware config will be generated from root!"
+ echo "Defined configs:"
+ cat flake.nix | grep 'nixpkgs.lib.nixosSystem' | sed 's/ =.*//' | sed 's/^[ \t]*//;s/[ \t]*$//' | while read cfg; do echo " - $cfg"; done
+ exit 1
+fi
+if [ "$1" = "/" ]; then
+ nixos-generate-config --show-hardware-config > hardware-configuration.nix
+ git add -f hardware-configuration.nix
+ nixos-rebuild switch --flake ".#${2}" -j`nproc` --upgrade-all
+ git rm --cached hardware-configuration.nix
+ exit
+else
+ nixos-generate-config --show-hardware-config --root "${1}" > hardware-configuration.nix
+ git add -f hardware-configuration.nix
+ nixos-install --root "${1}" --flake ".#${2}"
+ git rm --cached hardware-configuration.nix
+ cp . "${1}/Spacebar-Open-Architecture" -r
+ exit
+fi
diff --git a/flake.nix b/flake.nix
new file mode 100755
index 0000000..7c51186
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,28 @@
+{
+ description = "Spacebar's services";
+
+ inputs = {
+ nixpkgs = {
+ url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+ home-manager = {
+ url = "github:nix-community/home-manager/master";
+ };
+ };
+
+ outputs = { self, nixpkgs, home-manager }: {
+ nixosConfigurations = {
+ Spacebar-nginx = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./host/Spacebar-nginx/configuration.nix
+ ./hardware-configuration.nix
+ home-manager.nixosModules.home-manager
+ ];
+ specialArgs = {
+ inherit home-manager;
+ };
+ };
+ };
+ };
+}
diff --git a/host/Rory-postgres/configuration.nix b/host/Rory-postgres/configuration.nix
new file mode 100755
index 0000000..33e4f6b
--- /dev/null
+++ b/host/Rory-postgres/configuration.nix 
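Review bot: The closing `cp . "${1}/Spacebar-Open-Architecture" -r` copies the entire working directory, including `.git` and any untracked content such as the `secrets/` directory that `.gitignore` keeps out of version control, into the freshly installed root, so material deliberately kept out of git still lands on the target. No exit status is checked anywhere in the script: if `nixos-generate-config` fails, the `>` redirect still creates an empty `hardware-configuration.nix`, which is then force-added and handed to `nixos-rebuild`/`nixos-install`. Add `set -eu` after the shebang and copy only tracked content, e.g. `mkdir -p "${1}/Spacebar-Open-Architecture"` followed by `git archive HEAD | tar -x -C "${1}/Spacebar-Open-Architecture"`. The `cat flake.nix | grep …` pipeline can read the file directly with `grep 'nixpkgs.lib.nixosSystem' flake.nix | …`.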
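Review bot: Only `Spacebar-nginx` is registered under `nixosConfigurations`, while the same commit adds `host/Rory-postgres/configuration.nix` and `host/Spacebar-synapse/configuration.nix`; since `build.sh` lists configurations by grepping for `nixpkgs.lib.nixosSystem`, those two hosts are neither listed nor buildable via `.#<name>`. Each needs its own `nixpkgs.lib.nixosSystem` entry with the same `modules`/`specialArgs` shape, and the repetition is a good candidate for a small `mkHost = path: nixpkgs.lib.nixosSystem { … }` helper inside `outputs`. The `home-manager` input also lacks `inputs.nixpkgs.follows = "nixpkgs";`, so a second nixpkgs tree is pulled in and evaluated alongside the one used for the hosts.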
@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base.nix
+ ];
+
+ networking = {
+ hostName = "Spacebar-postgres";
+ interfaces.ens18.ipv4.addresses = [ {
+ address = "192.168.1.3";
+ prefixLength = 24;
+ } ];
+ interfaces.ens19.ipv4.addresses = [ {
+ address = "10.10.11.3";
+ prefixLength = 16;
+ } ];
+ };
+
+ systemd.tmpfiles.rules = [ "d /data/pg 0750 postgres postgres" ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_14;
+ enableTCPIP = true;
+ authentication = pkgs.lib.mkOverride 10 ''
+ # TYPE, DATABASE, USER, ADDRESS, METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host matrix-synapse-spacebar-chat matrix-synapse-spacebar-chat 192.168.1.5/32 trust
+ host all all 0.0.0.0/0 md5
+ '';
+ initialScript = pkgs.writeText "backend-initScript" ''
+ CREATE ROLE matrix-synapse-spacebar-chat WITH LOGIN PASSWORD '${pkgs.postgresql_14}' CREATEDB;
+ CREATE DATABASE matrix-synapse-spacebar-chat;
+ GRANT ALL PRIVILEGES ON DATABASE matrix-synapse-spacebar-chat TO matrix-synapse-spacebar-chat;
+ '';
+ dataDir = "/data/pg";
+ settings = {
+ "max_connections" = "100";
+ "shared_buffers" = "128MB";
+ "max_wal_size" = "1GB";
+ "min_wal_size" = "80MB";
+ };
+ };
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
diff --git a/host/Spacebar-nginx/configuration.nix b/host/Spacebar-nginx/configuration.nix
new file mode 100755
index 0000000..19b8dc0
--- /dev/null
+++ b/host/Spacebar-nginx/configuration.nix 
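Review bot: `host all all 0.0.0.0/0 md5` accepts password logins for every role from any IPv4 source, and because `enableTCPIP = true` while the imported `modules/base.nix` disables the firewall, the server is reachable from every network the host is attached to; restrict the address to the two subnets configured above (`192.168.1.0/24`, `10.10.0.0/16`) and use `scram-sha-256` rather than `md5`. In `initialScript`, `PASSWORD '${pkgs.postgresql_14}'` interpolates a Nix store path, which is a predictable public value rather than a secret, and the `writeText` output itself is world-readable in `/nix/store`. The role name `matrix-synapse-spacebar-chat` is also not a valid unquoted SQL identifier (hyphens are not allowed), so all three statements fail with a syntax error unless it is written as `"matrix-synapse-spacebar-chat"`. Since the synapse host is granted `trust` from `192.168.1.5/32` the password is never exercised, so it can be dropped or, if password auth is wanted, sourced from a runtime secret file instead of the store. Note that `hostName` is `Spacebar-postgres` while the directory is `Rory-postgres`, which a hostname-derived flake attribute lookup such as `rebuild.sh` performs will not match.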
@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ ];
+
+ networking = {
+ hostName = "Spacebar-nginx";
+ interfaces.ens18.ipv4.addresses = [ {
+ address = "192.168.1.2";
+ prefixLength = 24;
+ } ];
+ interfaces.ens19.ipv4.addresses = [ {
+ address = "10.10.11.2";
+ prefixLength = 16;
+ } ];
+ };
+
+ services = {
+ nginx = {
+ enable = true;
+ package = pkgs.nginxQuic;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "mail.spacebar.chat" = import ./hosts/spacebar.chat/mail.nix;
+ };
+ };
+ };
+ systemd.services.nginx.requires = [ "data.mount" ];
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "chris@spacebar.chat";
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
diff --git a/host/Spacebar-nginx/hosts/spacebar.chat/root.nix b/host/Spacebar-nginx/hosts/spacebar.chat/root.nix
new file mode 100755
index 0000000..a859950
--- /dev/null
+++ b/host/Spacebar-nginx/hosts/spacebar.chat/root.nix
@@ -0,0 +1,10 @@
+{
+ root = "/data/nginx/html_boorunav";
+ enableACME = true;
+ addSSL = true;
+ locations = {
+ "/" = {
+ index = "index.html";
+ };
+ };
+}
\ No newline at end of file
diff --git a/host/Spacebar-synapse/configuration.nix b/host/Spacebar-synapse/configuration.nix
new file mode 100755
index 0000000..a06a83d
--- /dev/null
+++ b/host/Spacebar-synapse/configuration.nix 
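Review bot: `imports` names `../../modules/base-server.nix` and the `"mail.spacebar.chat"` vhost imports `./hosts/spacebar.chat/mail.nix`, but neither file is in this commit (the tree only adds `modules/base.nix` and `hosts/spacebar.chat/root.nix`), so evaluating the `Spacebar-nginx` configuration fails at the `imports` line. Either point the import at `../../modules/base.nix` as `Rory-postgres` does or add the missing module, and add `mail.nix` or wire the existing `root.nix` into `virtualHosts`. `systemd.services.nginx.requires = [ "data.mount" ]` presumes a `/data` filesystem that nothing in this commit defines (the hardware configuration is generated at build time), so a short comment stating where that mount comes from would help the next reader.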
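Review bot: `addSSL = true` keeps the plain-HTTP listener alongside the ACME certificate, so `/data/nginx/html_boorunav` is also served unencrypted; `forceSSL = true` redirects port 80 to HTTPS and is the usual pairing with `enableACME`. The file is not referenced by `host/Spacebar-nginx/configuration.nix`, whose only vhost imports a `mail.nix` the commit does not add, so it is unused until placed under `virtualHosts`.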
@@ -0,0 +1,121 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ ];
+
+ networking = {
+ hostName = "Spacebar-synapse";
+ interfaces.ens18.ipv4.addresses = [ {
+ address = "192.168.1.5";
+ prefixLength = 24;
+ } ];
+ interfaces.ens19.ipv4.addresses = [ {
+ address = "10.10.11.5";
+ prefixLength = 16;
+ } ];
+ };
+
+ # Discord bridge
+ services.matrix-appservice-discord = {
+ enable = false; # Alicia - figure out secret first...
+ environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
+ settings = {
+ bridge = {
+ domain = "spacebar.chat";
+ homeserverUrl = "https://matrix.spacebar.chat";
+ };
+ database = {
+ connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord";
+ };
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "spacebar.chat";
+ enable_registration = false;
+ registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
+ # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "192.168.1.5" "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [ {
+ names = [ "client" "federation" ];
+ compress = true;
+ } ];
+ }
+ ];
+ dynamic_thumbnails = true;
+ presence = {
+ enable = true;
+ update_interval = 60;
+ };
+ url_preview_enabled = true;
+
+ database = {
+ name = "psycopg2";
+ args = {
+ user = "matrix-synapse-spacebar-chat";
+ password = "somepassword";
+ database = "matrix-synapse-spacebar-chat";
+ host = "192.168.1.3";
+ };
+ };
+ app_service_config_files = [ ];
+ };
+
+ plugins = with pkgs.matrix-synapse-plugins; [ ];
+ };
+
+ # Alicia - doesnt work yet... until in nixpkgs... 
+ services.draupnir = {
+ enable = true;
+
+ pantalaimon = {
+ enable = true;
+ username = "draupnir";
+ passwordFile = "/etc/draupnir-password";
+ options = {
+ homeserver = "http://localhost:8008";
+ ssl = false;
+ };
+ };
+ managementRoom = "#draupnir-mgmt:spacebar.chat";
+ homeserverUrl = "http://localhost:8008";
+ verboseLogging = false;
+ settings = {
+ recordIgnoredInvites = false;
+ automaticallyRedactForReasons = [ "*" ];
+ fasterMembershipChecks = true;
+ backgroundDelayMS = 100;
+ pollReports = true;
+ admin.enableMakeRoomAdminCommand = true;
+ commands.ban.defaultReasons = [
+ "spam"
+ "harassment"
+ "transphobia"
+ "scam"
+ ];
+ protections = {
+ wordlist = {
+ words = [
+ "tranny"
+ "faggot"
+ ];
+ minutesBeforeTrusting = 0;
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
diff --git a/host/Spacebar-synapse/post-rebuild.sh b/host/Spacebar-synapse/post-rebuild.sh
new file mode 100755
index 0000000..8dc0e7d
--- /dev/null
+++ b/host/Spacebar-synapse/post-rebuild.sh 
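Review bot: `environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;` is an unquoted Nix path literal, so when the module stringifies it into the generated unit the referenced file is copied into the world-readable `/nix/store` (and under pure flake evaluation an absolute path outside the flake does not evaluate at all); write it as the string `"/etc/keyring/matrix-appservice-discord/tokens.env"`, the way `passwordFile` is written in the draupnir block. `database.args.password = "somepassword"` likewise lands in the generated `homeserver.yaml` in the store; given the postgres host trusts `192.168.1.5/32` for this role the value is never checked, so either remove it or supply it through `services.matrix-synapse.extraConfigFiles` from a root-readable file. As in `Spacebar-nginx`, `imports` references `../../modules/base-server.nix`, which this commit does not add. The comment above `services.draupnir` says no module exists in nixpkgs yet, so `enable = true` will fail evaluation; keep the block out (or behind a condition) until the module is available.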
@@ -0,0 +1,30 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused nix coreutils jq openssl
+#set -x
+REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt`
+LOCALPART='rory.gay'
+REACHABLE_DOMAIN='http://localhost:8008'
+
+# -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md
+# Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat>
+# Explicit authorisation to use the code has been granted by the original author
+# for use by members of the Rory system (https://rory.gay)
+
+# the magic function:
+register(){
+ echo "Registering $1 with password $2"
+ _nonce=`curl http://localhost:8008/_synapse/admin/v1/register | jq -r .nonce`
+ #data: nonce, domain, username, password
+ _hmac=`printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" | openssl dgst -sha1 -hmac "$REG_KEY" | awk '{print $2}'`
+ curl -XPOST -d '{"nonce": "'"$_nonce"'", "username": "'"$1"'", "displayname": "'"$1"'", "password": "'"$2"'", "admin": true, "mac": "'"$_hmac"'"}' $REACHABLE_DOMAIN/_synapse/admin/v1/register | tee -a matrix-user-tokens.txt
+}
+
+# -- END OF LICENSED CODE
+
+
+
+PASSWD=`cat /etc/matrix-user-pass`
+for u in {draupnir,rory,chris,maddy,cat}
+do
+ register $u $PASSWD
+done
diff --git a/host/Spacebar-synapse/pre-rebuild.sh b/host/Spacebar-synapse/pre-rebuild.sh
new file mode 100755
index 0000000..32905e3
--- /dev/null
+++ b/host/Spacebar-synapse/pre-rebuild.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+set -x
+mkdir -p /var/lib/matrix-synapse
+if [ ! -f "/var/lib/matrix-synapse/registration_shared_secret.txt" ]
+then
+ cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 | tee /var/lib/matrix-synapse/registration_shared_secret.txt
+else
+ echo Not generating key, key exists
+fi
\ No newline at end of file
diff --git a/modules/base.nix b/modules/base.nix
new file mode 100755
index 0000000..268ddda
--- /dev/null
+++ b/modules/base.nix 
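Review bot: `echo "Registering $1 with password $2"` prints the shared admin password to stdout (and to whatever captures this hook's output), and `tee -a matrix-user-tokens.txt` appends the returned admin access tokens to a file in the current directory created with the default umask, so both secrets are readable by any local account. Drop `$2` from the echo, and create the token file with `install -m 600 /dev/null matrix-user-tokens.txt` (or under `umask 077`) at a fixed path such as `/var/lib/matrix-synapse/` before the loop. The first `curl` runs without `-f`/`-s`, so if synapse is not yet listening `_nonce` is empty and the registration request is still sent; `_nonce=$(curl -fsS "$REACHABLE_DOMAIN/_synapse/admin/v1/register" | jq -r .nonce)` followed by a non-empty check fails early instead and also stops mixing the hard-coded `http://localhost:8008` with `$REACHABLE_DOMAIN`. `LOCALPART` is assigned but never used, and all five accounts (`draupnir`, `rory`, `chris`, `maddy`, `cat`) receive the same password from `/etc/matrix-user-pass` with `"admin": true`, which deserves a comment or per-user secrets.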
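Review bot: The new registration shared secret is written through `tee`, which also prints the 256-character secret to stdout, and `set -x` on the second line echoes every command as well; the file is created with the process umask (typically 0644), so it is readable by every local user although only the synapse service needs it. Replace the `tee` with a redirect issued under a restrictive umask, e.g. `(umask 077; tr -dc a-zA-Z0-9 < /dev/urandom | head -c 256 > /var/lib/matrix-synapse/registration_shared_secret.txt)`, and make sure the file is owned by the account synapse runs as so it can still read it. `cat /dev/urandom |` is redundant once the input is redirected, and the `set -x` should go once the script is trusted.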
@@ -0,0 +1,76 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ./monitoring.nix
+ ./users/Rory.nix
+ ./users/chris.nix
+ ];
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernelParams = [ "memory_hotplug.memmap_on_memory=1" "memhp_default_state=online" ];
+ loader = {
+ grub = {
+ enable = true;
+ version = 2;
+ devices = [ "/dev/sda" ]; # nodev for EFI only
+ # EFI
+ efiSupport = false;
+ efiInstallAsRemovable = false;
+ };
+ timeout = 1;
+ };
+ };
+
+ networking = {
+ hostName = lib.mkDefault "Spacebar-nix-base-server";
+ firewall = {
+ enable = false;
+ # allowedTCPPorts = [ ... ];
+ # allowedUDPPorts = [ ... ];
+ };
+
+ networkmanager.enable = false;
+ wireless.enable = false;
+ enableIPv6 = false;
+
+ useDHCP = false;
+ nameservers = [ "1.1.1.1" ];
+ defaultGateway = "192.168.1.1";
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ };
+ };
+
+
+ environment.systemPackages = with pkgs; [
+ wget
+ neofetch
+ lnav
+ git
+ lsd
+ htop
+ btop
+ duf
+ kitty.terminfo
+ neovim
+ ];
+
+ systemd.coredump.extraConfig = lib.mkDefault ''
+ Storage=none
+ '';
+
+ documentation.nixos.enable = false;
+ hardware.pulseaudio.enable = false;
+ i18n.defaultLocale = "en_US.UTF-8";
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nixpkgs.config.allowUnfree = true;
+ security.sudo.wheelNeedsPassword = false;
+ security.polkit.enable = true;
+ sound.enable = false;
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
diff --git a/modules/monitoring.nix b/modules/monitoring.nix
new file mode 100755
index 0000000..ce7bbcd
--- /dev/null
+++ b/modules/monitoring.nix 
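Review bot: `networking.firewall.enable = false` switches the firewall off for every host importing this module, and `security.sudo.wheelNeedsPassword = false` gives every `wheel` member password-less root; with `services.openssh` left at its default of allowing password authentication and `users/Rory.nix` setting a `wheel` user's `initialPassword = "password"`, a known password is one step from root on each host. Keep the firewall enabled and open ports per host with `networking.firewall.allowedTCPPorts`, leave `wheelNeedsPassword` at its default, and add `services.openssh.settings.PasswordAuthentication = false;` (`services.openssh.passwordAuthentication` on 22.11) since both users already carry SSH keys. `boot.loader.grub.version = 2` is the default and is deprecated in recent nixpkgs, so it can be dropped; the `nodev for EFI only` comment would read better as `# "nodev" for EFI-only systems`.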
@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+
+{
+ services = {
+ prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ port = 9100;
+ enabledCollectors = [
+ "logind"
+ "systemd"
+ ];
+ disabledCollectors = [
+ #"textfile"
+ ];
+ };
+ };
+ };
+ promtail = {
+ enable = true;
+ configuration = {
+ server = {
+ http_listen_port = 3031;
+ grpc_listen_port = 0;
+ };
+ positions = {
+ filename = "/tmp/positions.yaml";
+ };
+ clients = [{
+ url = "https://loki.regional.seian.cloud/loki/api/v1/push";
+ }];
+ scrape_configs = [{
+ job_name = "journal";
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = "${toString config.networking.hostName}";
+ };
+ };
+ relabel_configs = [{
+ source_labels = [ "__journal__systemd_unit" ];
+ target_label = "unit";
+ }];
+ }];
+ };
+ };
+ };
+}
+
diff --git a/modules/users/Rory.nix b/modules/users/Rory.nix
new file mode 100755
index 0000000..fe51acc
--- /dev/null
+++ b/modules/users/Rory.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, home-manager, ... }:
+{
+ users.users.Rory = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ packages = with pkgs; [
+ ];
+ initialPassword = "password";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILF2IuNu//0DP/wKMuDvBgVT3YBS2uULsipbdrhJCTM7 Rory-desktop"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/kNkY/E5b6rvCQLMaSbpLQ/xoyywIwVVu9uo2j/B6p Rory@RoryNix"
+ ];
+ };
+
+ home-manager.users.Rory = {
+ programs.git = {
+ enable = true;
+ userName = "TheArcaneBrony";
+ userEmail = "root@thearcanebrony.net";
+ extraConfig = {
+ safe = {
+ directory = "/";
+ };
+ };
+ };
+ home.stateVersion = "22.11";
+ };
+}
+
diff --git a/modules/users/chris.nix b/modules/users/chris.nix
new file mode 100755
index 0000000..bbb4eba
--- /dev/null
+++ b/modules/users/chris.nix 
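Review bot: `positions.filename = "/tmp/positions.yaml"` keeps promtail's read cursor in the world-writable `/tmp`, where any local user can pre-create the path before the service starts and systemd-tmpfiles ageing applies; the NixOS module runs promtail with its own state directory, so `/var/lib/promtail/positions.yaml` is the conventional location. The node exporter on `port = 9100` and promtail's `http_listen_port = 3031` bind all interfaces by default, and with `base.nix` disabling the firewall both endpoints are reachable from every network a host sits on; pin them with `services.prometheus.exporters.node.listenAddress` and `server.http_listen_address`, or re-enable the firewall and allow only the scraper. The `clients` entry pushes the full journal (including sshd and sudo records) to `loki.regional.seian.cloud` with no credentials; if the endpoint expects `basic_auth` or a tenant header, those must come from a secret file rather than inline. `host = "${toString config.networking.hostName}"` interpolates a value that is already a string and can simply be `host = config.networking.hostName;`.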
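Review bot: `initialPassword = "password"` on a user in `wheel` is a well-known credential; combined with `security.sudo.wheelNeedsPassword = false` from `base.nix` and an openssh service that accepts passwords by default, it grants root over the network until someone changes it. Two SSH keys are already listed, so drop the password line (leaving the account key-only) or use `hashedPassword`/`passwordFile` with a real secret. `programs.git.extraConfig.safe.directory = "/"` only whitelists a repository whose top level is `/` itself; if it is meant for the `/Spacebar-Open-Architecture` checkout that `build.sh` copies into the new root, the entry should name that path (and `"*"`, which disables the ownership check everywhere, should be avoided). The empty `packages = with pkgs; [ ];` can be removed.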
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+ users.users.chris = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ packages = with pkgs; [
+ nano
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd9U0+wKjBG3Q9Qg249xJY+ybYeRV9/VMPjuwKvFBEI"
+ ];
+ };
+}
+
diff --git a/rebuild.sh b/rebuild.sh
new file mode 100755
index 0000000..0e02eab
--- /dev/null
+++ b/rebuild.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env sh
+./build.sh / $HOSTNAME
\ No newline at end of file
diff --git a/update.sh b/update.sh
new file mode 100755
index 0000000..cbec982
--- /dev/null
+++ b/update.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+nix flake update
+./build.sh / $HOSTNAME
\ No newline at end of file
-- 
cgit 1.4.1
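Review bot: `./build.sh / $HOSTNAME` depends on a variable that bash sets but a POSIX `sh` need not, under a `#!/usr/bin/env sh` shebang, and passes it unquoted; when it is empty, `build.sh` receives a single argument and prints its usage instead of rebuilding. The same line is in `update.sh`; both can use `./build.sh / "$(uname -n)"`. Note that the configured hostnames do not all match flake attribute names (`host/Rory-postgres` sets `hostName = "Spacebar-postgres"`), so a hostname-derived `.#<name>` will not resolve for that host even once it is added to `flake.nix`.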