authorTheArcaneBrony <myrainbowdash949@gmail.com>2023-03-28 21:03:46 +0200
committerRory& <root@rory.gay>2024-06-05 15:49:34 +0200
commit7010d98995fea8eda3c578fbfd13aecca918b7d9 (patch)
tree37d2add1bf249828a12e820fd6225fe2eb57fd32
downloadSpacebar-Open-Infrastructure-7010d98995fea8eda3c578fbfd13aecca918b7d9.tar.xz
Initial commit
-rwxr-xr-x.gitignore4
-rwxr-xr-xbuild.sh22
-rwxr-xr-xflake.nix28
-rwxr-xr-xhost/Rory-postgres/configuration.nix51
-rwxr-xr-xhost/Spacebar-nginx/configuration.nix37
-rwxr-xr-xhost/Spacebar-nginx/hosts/spacebar.chat/root.nix10
-rwxr-xr-xhost/Spacebar-synapse/configuration.nix121
-rwxr-xr-xhost/Spacebar-synapse/post-rebuild.sh30
-rwxr-xr-xhost/Spacebar-synapse/pre-rebuild.sh9
-rwxr-xr-xmodules/base.nix76
-rwxr-xr-xmodules/monitoring.nix51
-rwxr-xr-xmodules/users/Rory.nix29
-rwxr-xr-xmodules/users/chris.nix14
-rwxr-xr-xrebuild.sh2
-rwxr-xr-xupdate.sh3
15 files changed, 487 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100755
index 0000000..9a4d05c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+hardware-configuration.nix
+.vscode/
+secrets/
+result
\ No newline at end of file
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..901d857
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env sh
+if [ $# -ne 2 ]; then
+    echo "Usage: $0 <root> <config>"
+    echo "NOTE: hardware config will be generated from root!"
+    echo "Defined configs:"
+    cat flake.nix | grep 'nixpkgs.lib.nixosSystem' | sed 's/ =.*//' | sed 's/^[ \t]*//;s/[ \t]*$//' | while read cfg; do echo " - $cfg"; done
+    exit 1
+fi
+if [ "$1" = "/" ]; then
+    nixos-generate-config --show-hardware-config > hardware-configuration.nix
+    git add -f hardware-configuration.nix
+    nixos-rebuild switch --flake ".#${2}" -j`nproc` --upgrade-all
+    git rm --cached hardware-configuration.nix
+    exit
+else
+    nixos-generate-config --show-hardware-config --root "${1}" > hardware-configuration.nix
+    git add -f hardware-configuration.nix
+    nixos-install --root "${1}" --flake ".#${2}" 
+    git rm --cached hardware-configuration.nix
+    cp . "${1}/Spacebar-Open-Architecture" -r
+    exit
+fi
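Review bot: Both branches end with a bare `exit`, which returns the status of the preceding `git rm --cached`, so a failed `nixos-rebuild switch` (line 56) or `nixos-install` (line 62) is reported as success to the callers in rebuild.sh and update.sh. Capture the status before the cleanup, `status=$?` on the line after each nixos-* call, and replace the bare `exit` with `exit "$status"`. The `-j\`nproc\`` form on the nixos-rebuild line would read better as `-j"$(nproc)"`, consistent with the `"${1}"` quoting used elsewhere. The `cp . "${1}/Spacebar-Open-Architecture" -r` on the last line also copies `.git` into the installed root; if only the flake tree is wanted, `git archive` or an explicit file list is tighter.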
diff --git a/flake.nix b/flake.nix
new file mode 100755
index 0000000..7c51186
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,28 @@
+{
+  description = "Spacebar's services";
+
+  inputs = {
+    nixpkgs = {
+      url = "github:NixOS/nixpkgs/nixos-unstable";
+    };
+    home-manager =  {
+      url = "github:nix-community/home-manager/master";
+    };
+  };
+
+  outputs = { self, nixpkgs, home-manager }: {
+    nixosConfigurations = {
+      Spacebar-nginx = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./host/Spacebar-nginx/configuration.nix
+          ./hardware-configuration.nix
+          home-manager.nixosModules.home-manager
+        ];
+        specialArgs = {
+          inherit home-manager;
+        };
+      };     
+    };
+  };
+}
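Review bot: Only `Spacebar-nginx` is exposed under `nixosConfigurations`, while this commit also adds host/Rory-postgres and host/Spacebar-synapse configurations that nothing references, so those hosts cannot be built and build.sh's usage text (which greps this file) will not list them. `home-manager` is pinned to `master` without following the flake's nixpkgs, so it evaluates against its own nixpkgs revision rather than the one the hosts use; add `inputs.nixpkgs.follows = "nixpkgs";` inside the `home-manager` input next to its `url`. Trailing whitespace on the `};` closing the Spacebar-nginx attribute set is a minor style nit.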
diff --git a/host/Rory-postgres/configuration.nix b/host/Rory-postgres/configuration.nix
new file mode 100755
index 0000000..33e4f6b
--- /dev/null
+++ b/host/Rory-postgres/configuration.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base.nix
+    ];
+
+  networking = {
+    hostName = "Spacebar-postgres";
+    interfaces.ens18.ipv4.addresses = [ { 
+      address = "192.168.1.3";
+      prefixLength = 24;
+    } ];
+    interfaces.ens19.ipv4.addresses = [ {
+      address = "10.10.11.3";
+      prefixLength = 16;
+    } ];
+  };
+  
+  systemd.tmpfiles.rules = [  "d /data/pg 0750 postgres postgres" ];
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_14;
+    enableTCPIP = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      # TYPE, DATABASE, USER, ADDRESS, METHOD
+      local all all trust
+      host all all 127.0.0.1/32 trust
+      host all all ::1/128 trust
+      host matrix-synapse-spacebar-chat matrix-synapse-spacebar-chat 192.168.1.5/32 trust
+      host all all 0.0.0.0/0 md5
+    '';
+    initialScript = pkgs.writeText "backend-initScript" ''
+      CREATE ROLE matrix-synapse-spacebar-chat WITH LOGIN PASSWORD '${pkgs.postgresql_14}' CREATEDB;
+      CREATE DATABASE matrix-synapse-spacebar-chat;
+      GRANT ALL PRIVILEGES ON DATABASE matrix-synapse-spacebar-chat TO matrix-synapse-spacebar-chat;
+    '';
+    dataDir = "/data/pg";
+    settings = {
+      "max_connections" = "100";
+      "shared_buffers" = "128MB";
+      "max_wal_size" = "1GB";
+      "min_wal_size" = "80MB";
+    };
+  };
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
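Review bot: The role and database names in `initialScript` are unquoted and contain hyphens, so `CREATE ROLE matrix-synapse-spacebar-chat …` is parsed as an expression and fails with a syntax error, which aborts the whole init script on first start; write the identifier as `"matrix-synapse-spacebar-chat"` (double-quoted) on all three lines. The password is `'${pkgs.postgresql_14}'`, which interpolates the postgresql package's store path rather than a secret, and because `pkgs.writeText` places the script in the Nix store, whatever value is used there is world-readable on the host — keep the script to role and database creation and set the password out of band (an `ALTER ROLE … PASSWORD` run from a file outside the store). `host all all 0.0.0.0/0 md5` together with `enableTCPIP = true` exposes every database on both interfaces, and modules/base.nix disables the firewall, so narrowing that line to the 192.168.1.0/24 and 10.10.0.0/16 ranges and using `scram-sha-256` instead of `md5` (PostgreSQL 14's default password_encryption) would reduce exposure; the `trust` entry for 192.168.1.5 presumably is deliberate for the synapse host, but host/Spacebar-synapse/configuration.nix still configures a password for that role.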
diff --git a/host/Spacebar-nginx/configuration.nix b/host/Spacebar-nginx/configuration.nix
new file mode 100755
index 0000000..19b8dc0
--- /dev/null
+++ b/host/Spacebar-nginx/configuration.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  networking = {
+    hostName = "Spacebar-nginx";
+    interfaces.ens18.ipv4.addresses = [ { 
+      address = "192.168.1.2";
+      prefixLength = 24;
+    } ];
+    interfaces.ens19.ipv4.addresses = [ {
+      address = "10.10.11.2";
+      prefixLength = 16;
+    } ];
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      package = pkgs.nginxQuic;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      virtualHosts = {
+        "mail.spacebar.chat" = import ./hosts/spacebar.chat/mail.nix;
+      };
+    };
+  };
+  systemd.services.nginx.requires = [ "data.mount" ];
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "chris@spacebar.chat";
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
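Review bot: Both imports in this file point at paths the commit does not add: `../../modules/base-server.nix` (the diffstat only contains `modules/base.nix`) and `./hosts/spacebar.chat/mail.nix` (only `root.nix` exists under hosts/spacebar.chat), so evaluating `nixosConfigurations.Spacebar-nginx` fails with a missing-path error before anything is built. Either change them to `../../modules/base.nix` and `import ./hosts/spacebar.chat/root.nix`, or add the missing files. The same `base-server.nix` import appears in host/Spacebar-synapse/configuration.nix.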
diff --git a/host/Spacebar-nginx/hosts/spacebar.chat/root.nix b/host/Spacebar-nginx/hosts/spacebar.chat/root.nix
new file mode 100755
index 0000000..a859950
--- /dev/null
+++ b/host/Spacebar-nginx/hosts/spacebar.chat/root.nix
@@ -0,0 +1,10 @@
+{
+  root = "/data/nginx/html_boorunav";
+  enableACME = true;
+  addSSL = true;
+  locations = {
+    "/" = {
+      index = "index.html";
+    };
+  };
+}
\ No newline at end of file
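Review bot: `addSSL = true` serves the site over plain HTTP alongside HTTPS; unless plaintext is wanted, `forceSSL = true` keeps the ACME certificate and redirects HTTP to HTTPS. This file is also not referenced anywhere — host/Spacebar-nginx/configuration.nix imports `mail.nix` instead — so it is currently dead configuration.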
diff --git a/host/Spacebar-synapse/configuration.nix b/host/Spacebar-synapse/configuration.nix
new file mode 100755
index 0000000..a06a83d
--- /dev/null
+++ b/host/Spacebar-synapse/configuration.nix
@@ -0,0 +1,121 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  networking = {
+    hostName = "Spacebar-synapse";
+    interfaces.ens18.ipv4.addresses = [ { 
+      address = "192.168.1.5";
+      prefixLength = 24;
+    } ];
+    interfaces.ens19.ipv4.addresses = [ {
+      address = "10.10.11.5";
+      prefixLength = 16;
+    } ];
+  };
+
+  # Discord bridge
+  services.matrix-appservice-discord = {
+    enable = false; # Alicia - figure out secret first...
+    environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
+    settings = {
+      bridge = {
+        domain = "spacebar.chat";
+        homeserverUrl = "https://matrix.spacebar.chat";
+      };
+      database = {
+        connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord";
+      };
+    };
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "spacebar.chat";
+      enable_registration = false;
+      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
+      # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410
+      listeners = [
+        { 
+          port = 8008;
+          bind_addresses = [ "192.168.1.5" "127.0.0.1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [ {
+            names = [ "client" "federation" ];
+            compress = true;
+          } ];
+        }
+      ];
+      dynamic_thumbnails = true;
+      presence = {
+        enable = true;
+        update_interval = 60;
+      };
+      url_preview_enabled = true;
+      
+      database = {
+        name = "psycopg2";
+        args = {
+          user = "matrix-synapse-spacebar-chat";
+          password = "somepassword";
+          database = "matrix-synapse-spacebar-chat";
+          host = "192.168.1.3";
+        };
+      };
+      app_service_config_files = [ ];
+    };
+
+    plugins = with pkgs.matrix-synapse-plugins; [ ];
+  };
+
+  # Alicia - doesnt work yet... until in nixpkgs...
+  services.draupnir = {
+    enable = true;
+    
+    pantalaimon = {
+      enable = true;
+      username = "draupnir";
+      passwordFile = "/etc/draupnir-password";
+      options = {
+        homeserver = "http://localhost:8008";
+        ssl = false;
+      };
+    };
+    managementRoom = "#draupnir-mgmt:spacebar.chat";
+    homeserverUrl = "http://localhost:8008";
+    verboseLogging = false;
+    settings = {
+      recordIgnoredInvites = false;
+      automaticallyRedactForReasons = [ "*" ];
+      fasterMembershipChecks = true;
+      backgroundDelayMS = 100;
+      pollReports = true;
+      admin.enableMakeRoomAdminCommand = true;
+      commands.ban.defaultReasons = [
+        "spam"
+        "harassment"
+        "transphobia"
+        "scam"
+      ];
+      protections = {
+        wordlist = {
+          words = [
+            "tranny"
+            "faggot"
+          ];
+          minutesBeforeTrusting = 0;
+        };
+      };
+    };
+  };
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
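Review bot: The database password `"somepassword"` in `database.args` is written verbatim into the generated homeserver.yaml, which lives in the world-readable Nix store, and it does not match what host/Rory-postgres/configuration.nix sets for that role; move the `database` block (or at least `args.password`) into a root-only file outside the store and reference it via `services.matrix-synapse.extraConfigFiles`, which the module merges at service start. `services.draupnir.enable = true` combined with the comment that the module is not in nixpkgs yet means evaluation fails with an undefined-option error, so the block should stay commented out until the module exists. The listener bound to 192.168.1.5 with `x_forwarded = true` trusts X-Forwarded-For from any host on that segment, not only the nginx host at 192.168.1.2, and modules/base.nix disables the firewall; if only nginx should reach 8008, restrict it at the firewall. The `/etc/keyring/...` value for `environmentFile` is an unquoted Nix path literal; if the module ever interpolates it into a string it would be copied into the store, so a quoted string is the safer form even while the bridge is disabled.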
diff --git a/host/Spacebar-synapse/post-rebuild.sh b/host/Spacebar-synapse/post-rebuild.sh
new file mode 100755
index 0000000..8dc0e7d
--- /dev/null
+++ b/host/Spacebar-synapse/post-rebuild.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused nix coreutils jq openssl
+#set -x
+REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt`
+LOCALPART='rory.gay'
+REACHABLE_DOMAIN='http://localhost:8008'
+
+# -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md
+# Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat>
+# Explicit authorisation to use the code has been granted by the original author
+#  for use by members of the Rory system (https://rory.gay)
+
+# the magic function:
+register(){
+	echo "Registering $1 with password $2"
+	_nonce=`curl http://localhost:8008/_synapse/admin/v1/register | jq -r .nonce`
+	#data: nonce, domain, username, password
+	_hmac=`printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" |  openssl dgst -sha1 -hmac "$REG_KEY" |  awk '{print $2}'`
+	curl -XPOST -d '{"nonce": "'"$_nonce"'", "username": "'"$1"'", "displayname": "'"$1"'", "password": "'"$2"'", "admin": true, "mac": "'"$_hmac"'"}' $REACHABLE_DOMAIN/_synapse/admin/v1/register | tee -a matrix-user-tokens.txt
+}
+
+# -- END OF LICENSED CODE
+
+
+
+PASSWD=`cat /etc/matrix-user-pass`
+for u in {draupnir,rory,chris,maddy,cat}
+do 
+	register $u $PASSWD
+done
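Review bot: `register` prints the password on its first line (`echo "Registering $1 with password $2"`) and then passes it on curl's command line via `-d '…'`, so it appears in the terminal/journal and in `ps` output for the duration of the request; change the echo to `echo "Registering $1"` and feed the JSON body through stdin with `-d @-` instead of an argument. The `tee -a matrix-user-tokens.txt` on the same line appends each registration response — which carries an access token — to a file in whatever the current directory happens to be, with default permissions; add `umask 077` near the top of the script and give the file an absolute path under a root-only directory. Every user in the loop is created with `"admin": true` and the same `PASSWD`, so one shared password unlocks several Synapse admin accounts; if that is only for bootstrap, say so in a comment. `LOCALPART` is assigned but never used, and `$REACHABLE_DOMAIN` should be quoted.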
diff --git a/host/Spacebar-synapse/pre-rebuild.sh b/host/Spacebar-synapse/pre-rebuild.sh
new file mode 100755
index 0000000..32905e3
--- /dev/null
+++ b/host/Spacebar-synapse/pre-rebuild.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+set -x
+mkdir -p /var/lib/matrix-synapse
+if [ ! -f "/var/lib/matrix-synapse/registration_shared_secret.txt" ]
+then
+    cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 | tee /var/lib/matrix-synapse/registration_shared_secret.txt
+else
+    echo Not generating key, key exists
+fi
\ No newline at end of file
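Review bot: The generated registration shared secret is written with the shell's default umask and echoed to the terminal by `tee`, so `registration_shared_secret.txt` is typically world-readable and the value also ends up in any captured output (with `set -x` on line 2 tracing the pipeline as well). Write it with restricted permissions and without echoing, e.g. `(umask 077; tr -dc a-zA-Z0-9 < /dev/urandom | head -c 256 > /var/lib/matrix-synapse/registration_shared_secret.txt)`, then chown it to the user Synapse runs as, since host/Spacebar-synapse/configuration.nix reads it through `registration_shared_secret_path`. `head -c 256` yields the same 256 characters as `fold -w 256 | head -n 1` minus the trailing newline and drops the needless `cat`.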
diff --git a/modules/base.nix b/modules/base.nix
new file mode 100755
index 0000000..268ddda
--- /dev/null
+++ b/modules/base.nix
@@ -0,0 +1,76 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./monitoring.nix
+      ./users/Rory.nix
+      ./users/chris.nix
+    ];
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelParams = [ "memory_hotplug.memmap_on_memory=1" "memhp_default_state=online" ];
+    loader = {
+      grub = {
+        enable = true;
+        version = 2;
+        devices = [ "/dev/sda" ]; # nodev for EFI only
+        # EFI
+        efiSupport = false;
+        efiInstallAsRemovable = false;
+      };
+      timeout = 1;
+    };
+  };
+
+  networking = {
+    hostName = lib.mkDefault "Spacebar-nix-base-server";
+    firewall = {
+      enable = false;
+      # allowedTCPPorts = [ ... ];
+      # allowedUDPPorts = [ ... ];
+    };
+    
+    networkmanager.enable = false;
+    wireless.enable = false;
+    enableIPv6 = false;
+
+    useDHCP = false;
+    nameservers = [ "1.1.1.1" ];
+    defaultGateway = "192.168.1.1";
+  };
+
+  services = {
+    openssh = {
+      enable = true;
+    };	
+  };
+
+
+  environment.systemPackages = with pkgs; [
+    wget
+    neofetch
+    lnav
+    git
+    lsd
+    htop
+    btop
+    duf
+    kitty.terminfo
+    neovim
+  ];
+
+  systemd.coredump.extraConfig = lib.mkDefault ''
+    Storage=none
+  '';
+
+  documentation.nixos.enable = false;
+  hardware.pulseaudio.enable = false;
+  i18n.defaultLocale = "en_US.UTF-8";
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nixpkgs.config.allowUnfree = true;
+  security.sudo.wheelNeedsPassword = false;
+  security.polkit.enable = true;
+  sound.enable = false;
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
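Review bot: `networking.firewall.enable = false` in a module imported by every host leaves each listening service reachable on all interfaces — PostgreSQL on 0.0.0.0 (host/Rory-postgres), Synapse on 8008, the node exporter on 9100 (modules/monitoring.nix) — and `security.sudo.wheelNeedsPassword = false` makes any wheel account root without a prompt. Keep the firewall enabled here and open ports per host with `networking.firewall.allowedTCPPorts = [ … ]` in each configuration.nix, as the commented lines already suggest. Both configured users carry SSH keys, so password logins can be turned off with `services.openssh.passwordAuthentication = false` (or `services.openssh.settings.PasswordAuthentication = false` on newer nixpkgs); this matters because modules/users/Rory.nix sets a fixed `initialPassword`. `boot.loader.grub.version = 2` is deprecated on recent nixpkgs (GRUB 2 is the only option) and can presumably be dropped, since the flake tracks nixos-unstable.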
diff --git a/modules/monitoring.nix b/modules/monitoring.nix
new file mode 100755
index 0000000..ce7bbcd
--- /dev/null
+++ b/modules/monitoring.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services = {
+    prometheus = {
+      exporters = {
+        node = {
+          enable = true;
+          port = 9100;
+          enabledCollectors = [
+            "logind"
+            "systemd"
+          ];
+          disabledCollectors = [
+            #"textfile"
+          ];
+        };
+      };
+    };
+    promtail = {
+      enable = true;
+      configuration = {
+        server = {
+          http_listen_port = 3031;
+          grpc_listen_port = 0;
+        };
+        positions = {
+          filename = "/tmp/positions.yaml";
+        };
+        clients = [{
+          url = "https://loki.regional.seian.cloud/loki/api/v1/push";
+        }];
+        scrape_configs = [{
+          job_name = "journal";
+          journal = {
+            max_age = "12h";
+            labels = {
+              job = "systemd-journal";
+              host = "${toString config.networking.hostName}";
+            };
+          };
+          relabel_configs = [{
+            source_labels = [ "__journal__systemd_unit" ];
+            target_label = "unit";
+          }];
+        }];
+      };
+    };
+  };
+}
+
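Review bot: The node exporter is enabled on port 9100 with the default listen address, i.e. all interfaces, and with the firewall disabled in modules/base.nix it is reachable from both the 192.168.1.0/24 and 10.10.0.0/16 sides of every host; set `listenAddress` to the management interface address (or `127.0.0.1` behind a proxy) and open 9100 only to the scraping host. The promtail client has only a `url`, so if the Loki endpoint expects client credentials they must be supplied under `clients` (`basic_auth` or `bearer_token_file`) from a file outside the store; if it expects none, the whole journal is being pushed over an unauthenticated endpoint, which is worth a comment. `positions.filename = "/tmp/positions.yaml"` is lost on reboot, which presumably re-reads up to `max_age = "12h"` of journal and duplicates those entries; a path under promtail's state directory (e.g. `/var/lib/promtail/positions.yaml`) survives. `host = "${toString config.networking.hostName}"` can simply be `host = config.networking.hostName;`.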
diff --git a/modules/users/Rory.nix b/modules/users/Rory.nix
new file mode 100755
index 0000000..fe51acc
--- /dev/null
+++ b/modules/users/Rory.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, home-manager, ... }:
+{
+  users.users.Rory = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    packages = with pkgs; [
+    ];
+    initialPassword = "password";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILF2IuNu//0DP/wKMuDvBgVT3YBS2uULsipbdrhJCTM7 Rory-desktop"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/kNkY/E5b6rvCQLMaSbpLQ/xoyywIwVVu9uo2j/B6p Rory@RoryNix"
+    ];
+  };
+
+  home-manager.users.Rory = {
+    programs.git = {
+      enable = true;
+      userName = "TheArcaneBrony";
+      userEmail = "root@thearcanebrony.net";
+      extraConfig = {
+        safe = {
+          directory = "/";
+        };
+      };
+    };
+    home.stateVersion = "22.11";
+  };
+}
+
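Review bot: `initialPassword = "password"` gives a wheel account a fixed, well-known password on first boot, and with `security.sudo.wheelNeedsPassword = false` in modules/base.nix and OpenSSH password authentication left at its default, that is a root-equivalent SSH login until someone runs `passwd`. Two SSH keys are already configured, so drop the line, or use `initialHashedPassword` (or `passwordFile`, `hashedPasswordFile` on newer nixpkgs) with the hash kept outside the repo. The git `safe.directory = "/"` setting disables repository ownership checks for every path on the host; listing the specific checkout paths is safer. The empty `packages = with pkgs; [ ];` can be removed.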
diff --git a/modules/users/chris.nix b/modules/users/chris.nix
new file mode 100755
index 0000000..bbb4eba
--- /dev/null
+++ b/modules/users/chris.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+  users.users.chris = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    packages = with pkgs; [
+      nano
+    ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd9U0+wKjBG3Q9Qg249xJY+ybYeRV9/VMPjuwKvFBEI"
+    ];
+  };
+}
+
diff --git a/rebuild.sh b/rebuild.sh
new file mode 100755
index 0000000..0e02eab
--- /dev/null
+++ b/rebuild.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env sh
+./build.sh / $HOSTNAME
\ No newline at end of file
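Review bot: `$HOSTNAME` is a bash variable, but the shebang is `#!/usr/bin/env sh`; where `sh` resolves to dash or another non-bash shell it is unset unless the caller exported it, so `./build.sh / $HOSTNAME` passes a single argument and build.sh exits with its usage message (on NixOS `sh` is bash, so it happens to work there). `./build.sh / "$(hostname)"` is explicit, quoted against word splitting, and portable; the last line of update.sh has the same problem. Both scripts also lack a trailing newline.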
diff --git a/update.sh b/update.sh
new file mode 100755
index 0000000..cbec982
--- /dev/null
+++ b/update.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+nix flake update
+./build.sh / $HOSTNAME
\ No newline at end of file