parent
13b1f4b6f6
commit
b3317c7cdd
@ -0,0 +1,33 @@ |
||||
{ config, ... }: |
||||
|
||||
{ |
||||
security.acme = { |
||||
email = "letsencrypt@spacekookie.de"; |
||||
acceptTerms = true; |
||||
}; |
||||
|
||||
# `hyperion.kookie.space` needs a cert for IRC |
||||
security.acme.certs."hyperion.kookie.space" = { |
||||
webroot = "/var/lib/acme/acme-challenge"; |
||||
group = "tls"; |
||||
}; |
||||
|
||||
# Other certificates on the spacekookie.de namespace |
||||
security.acme.certs."spacekookie.de" = { |
||||
webroot = "/var/lib/acme/acme-challenge"; |
||||
extraDomainNames = [ |
||||
"www.spacekookie.de" |
||||
|
||||
# Prosody related certificates |
||||
"xmpp.spacekookie.de" |
||||
"guest-xmpp.spacekookie.de" |
||||
"rooms.spacekookie.de" |
||||
|
||||
# Public dev tools |
||||
"git.spacekookie.de" |
||||
"dev.spacekookie.de" |
||||
"stream.spacekookie.de" |
||||
]; |
||||
group = "tls"; |
||||
}; |
||||
} |
@ -0,0 +1,22 @@ |
||||
{ config, pkgs, ... }: |
||||
|
||||
{ |
||||
services.nginx.virtualHosts."spacekookie.de" = { |
||||
serverAliases = [ "www.spacekookie.de" ]; |
||||
enableACME = false; |
||||
useACMEHost = "spacekookie.de"; |
||||
forceSSL = true; |
||||
locations."/" = { |
||||
root = pkgs.spacekookie-de; |
||||
index = "index.html"; |
||||
}; |
||||
locations."/downloads/" = { |
||||
# root = kookiepkgs.spacekookie-de; |
||||
root = "/var/lib"; |
||||
extraConfig = '' |
||||
autoindex on; |
||||
''; |
||||
}; |
||||
}; |
||||
|
||||
} |
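Review bot: The `locations."/downloads/"` block keeps a commented-out `# root = kookiepkgs.spacekookie-de;` next to the live `root = "/var/lib";`; commented-out configuration should be deleted rather than kept as history. Because nginx `root` appends the request URI, this location serves and lists `/var/lib/downloads/` (`autoindex on;`), which is worth stating so the public directory listing reads as intentional, e.g. `# Public listing of /var/lib/downloads (root appends the request URI)`.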
@ -0,0 +1,30 @@ |
||||
{ config, pkgs, ... }: |
||||
|
||||
{ |
||||
services.nginx.virtualHosts."stream.spacekookie.de" = { |
||||
serverAliases = [ "spacekookie.de" ]; |
||||
enableACME = false; |
||||
useACMEHost = "spacekookie.de"; |
||||
forceSSL = true; |
||||
locations."/" = { |
||||
root = pkgs.brook-frontend; |
||||
index = "index.html"; |
||||
}; |
||||
locations."/xmpp-bosh" = { |
||||
proxyPass = "http://localhost:5280/http-bind"; |
||||
extraConfig = '' |
||||
proxy_set_header Host guest-xmpp.spacekookie.de; |
||||
proxy_set_header X-Forwarded-For guest-xmpp.spacekookie.de; |
||||
proxy_buffering off; |
||||
tcp_nodelay on; |
||||
''; |
||||
}; |
||||
locations."/dash" = { |
||||
root = "/var/lib"; |
||||
}; |
||||
locations."/metrics" = { |
||||
proxyPass = "http://localhost:7667"; |
||||
}; |
||||
}; |
||||
|
||||
} |
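Review bot: `serverAliases = [ "spacekookie.de" ]` on the `stream.spacekookie.de` vhost collides with the separate `services.nginx.virtualHosts."spacekookie.de"` block added earlier in this commit; nginx logs a conflicting server name and silently ignores one of the two, so which block answers for `spacekookie.de` becomes an accident of ordering. Drop the alias here (or the other vhost) so each name has one owner. Separately, `proxy_set_header X-Forwarded-For guest-xmpp.spacekookie.de;` puts a hostname where the upstream expects the client address; `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` is the usual form. The `/metrics` location is proxied to `http://localhost:7667` with no `allow`/`deny`, so that exporter is readable by anyone who can reach the vhost; if that is not intended, restrict it.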
@ -0,0 +1,47 @@ |
||||
{ config, pkgs, ... }: |
||||
|
||||
let port = 15150; |
||||
in |
||||
{ |
||||
services.nginx.virtualHosts."git.spacekookie.de" = { |
||||
enableACME = false; |
||||
useACMEHost = "spacekookie.de"; |
||||
forceSSL = true; |
||||
locations."/" = { |
||||
proxyPass = "http://localhost:${builtins.toString port}"; |
||||
}; |
||||
locations."/static/" = { |
||||
alias = "/var/lib/cgit/"; |
||||
}; |
||||
}; |
||||
|
||||
# cgit server |
||||
services.lighttpd = { |
||||
enable = true; |
||||
inherit port; |
||||
|
||||
cgit = { |
||||
enable = true; |
||||
configText = '' |
||||
clone-prefix=https://git.spacekookie.de |
||||
css=/static/cgit.css |
||||
favicon=/static/favicon.ico |
||||
enable-commit-graph=1 |
||||
enable-follow-links=1 |
||||
enable-log-filecount=1 |
||||
enable-log-linecount=1 |
||||
enable-git-config=1 |
||||
remove-suffix=1 |
||||
readme=:README |
||||
readme=:README.md |
||||
about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh |
||||
source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py |
||||
root-title=git.spacekookie.de |
||||
root-desc=Here be really bad source code yarrr |
||||
scan-path=/home/spacekookie/git |
||||
''; |
||||
subdir = ""; # be on git.spacekookie.de |
||||
}; |
||||
}; |
||||
|
||||
} |
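Review bot: `services.lighttpd` is given `port = 15150` but no bind address, so lighttpd presumably listens on every interface and only the NixOS firewall (which does not list 15150 here) keeps cgit from being reached directly, bypassing the TLS-terminating nginx vhost. Binding it to loopback, e.g. `extraConfig = ''server.bind = "127.0.0.1"'';` on the lighttpd block, removes that dependency; confirm the option name against the lighttpd module in use. Also note that `enable-git-config=1` together with `scan-path=/home/spacekookie/git` lets each repository's own git config set its `cgit.*` settings, which is fine while every repository there is trusted but deserves a comment such as `# repos under scan-path may set cgit.* keys in their own git config`.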
@ -0,0 +1,6 @@ |
||||
{ config, ... }: |
||||
|
||||
{ |
||||
virtualisation.docker.enable = true; |
||||
virtualisation.docker.storageDriver = "zfs"; |
||||
} |
@ -0,0 +1,42 @@ |
||||
{ config, ... }: |
||||
|
||||
{ |
||||
# networking.firewall.allowedTCPPorts = [ 1935 7667 ]; |
||||
# networking.firewall.allowedUDPPorts = [ 1935 ]; |
||||
# |
||||
# To use DASH, use ffmpeg directly, without bothering with nginx |
||||
# systemd.services.streamffmpeg = { |
||||
# wantedBy = [ "multi-user.target" ]; |
||||
# serviceConfig = { |
||||
# StateDirectory = "dash"; |
||||
# Group = "nginx"; |
||||
# }; |
||||
|
||||
|
||||
# # -c:v:2 copy -map v:0 -aspect:2 16:9 \ # Ask puck about this! |
||||
# # -c:v:0 libx264 -map v:0 -b:v:0 800k -s:0 854x480 -aspect:0 16:9 -preset:0 fast \ |
||||
# # -c:v:1 libx264 -map v:0 -b:v:1 1400k -s:1 1280x720 -aspect:1 16:9 -preset:1 fast \ |
||||
# script = '' |
||||
# ${pkgs.ffmpeg}/bin/ffmpeg -listen 1 -i rtmp://0.0.0.0:1935/kookie.tv/app \ |
||||
# -c:v libx264 -x264opts "keyint=24:min-keyint=24:no-scenecut" -r 24 \ |
||||
# -c:a aac -b:a 128k \ |
||||
# -bf 1 -b_strategy 0 -sc_threshold 0 -pix_fmt yuv420p \ |
||||
# -map 0:v:0 -map 0:a:0 -map 0:v:0 -map 0:a:0 -map 0:v:0 -map 0:a:0 \ |
||||
# /var/lib/dash/app.mpd |
||||
|
||||
# # -c:a aac \ |
||||
# # -c:v libx264 -crf 23 -preset veryfast \ |
||||
# # -g 60 \ |
||||
# # -map 0:a \ |
||||
# # -f dash \ |
||||
# # -init_seg_name 'init$RepresentationID$.$ext$' \ |
||||
# # -media_seg_name 'chunk$RepresentationID$-$Number%05d$.$ext$' \ |
||||
# # -use_template 1 -use_timeline 1 \ |
||||
# # -seg_duration 2 -window_size 20 -remove_at_exit 1 \ |
||||
# # -hls_playlist 1 \ |
||||
# # -streaming 1 -ldash 1 \ |
||||
# # -adaptation_sets "id=0,streams=v id=1,streams=a" \ |
||||
# # /var/lib/dash/app.mpd |
||||
# ''; |
||||
# }; |
||||
} |
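Review bot: Every attribute in this module is commented out, so the file currently contributes nothing to the host configuration; either delete the dead block or turn it into a real option guarded by `lib.mkIf`. If the ffmpeg service is revived as written, `${pkgs.ffmpeg}` will fail because the function header `{ config, ... }:` does not bind `pkgs`. The commented firewall lines and `StateDirectory = "dash"` relate to the nginx `/dash` location added elsewhere in this commit, so a one-line comment pointing there would help whoever picks this up.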
@ -0,0 +1,9 @@ |
||||
{ config, ... }: |
||||
|
||||
{ |
||||
services.gitlab-runner = { |
||||
enable = true; |
||||
configFile = "/var/lib/gitlab-runner/config.toml"; |
||||
}; |
||||
|
||||
} |
@ -0,0 +1,68 @@ |
||||
{ config, pkgs, ... }: |
||||
|
||||
# TODO: split this into an RTMP module? |
||||
{ |
||||
services.nginx.enable = true; |
||||
services.nginx.package = pkgs.nginxMainline.override { |
||||
modules = [ pkgs.nginxModules.rtmp ]; |
||||
}; |
||||
|
||||
users.users.nginx.extraGroups = [ "tls" ]; |
||||
|
||||
networking.firewall.allowedTCPPorts = [ |
||||
80 443 /* Regular HTTP(s) */ |
||||
|
||||
11011 11012 /* alyssatv rtmp */ |
||||
]; |
||||
|
||||
# services.nginx.logError = "stderr debug"; |
||||
services.nginx.appendHttpConfig = '' |
||||
map $remote_addr $remote_addr_anon { |
||||
~(?P<ip>\d+\.\d+\.\d+)\. $ip.X; |
||||
~(?P<ip>[^:]+:[^:]+): $ip::X; |
||||
default 0.0.0.0; |
||||
} |
||||
|
||||
log_format anonymous '$remote_addr_anon - $remote_user [$time_local] ' |
||||
'"$request" $status $body_bytes_sent ' |
||||
'"$http_referer" "$http_user_agent"'; |
||||
access_log /var/log/nginx/access.log anonymous; |
||||
charset UTF-8; |
||||
|
||||
server { |
||||
listen 11012; |
||||
location /stat { |
||||
rtmp_stat all; |
||||
} |
||||
} |
||||
''; |
||||
|
||||
services.nginx.appendConfig = '' |
||||
stream { |
||||
server { |
||||
listen 8400 ssl; |
||||
ssl_certificate /var/lib/acme/hyperion.kookie.space/fullchain.pem; |
||||
ssl_certificate_key /var/lib/acme/hyperion.kookie.space/key.pem; |
||||
proxy_pass 127.0.0.1:8412; |
||||
} |
||||
} |
||||
|
||||
rtmp { |
||||
server { |
||||
listen 11011; |
||||
application alyssa.tv { |
||||
live on; |
||||
record off; |
||||
allow publish 10.0.0.0/8; |
||||
deny publish all; |
||||
|
||||
record all; |
||||
record_path /var/lib/rtmp/alyssatv; |
||||
record_unique on; |
||||
record_max_size 300000000K; |
||||
} |
||||
} |
||||
} |
||||
''; |
||||
|
||||
} |
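Review bot: The `server { listen 11012; location /stat { rtmp_stat all; } }` block in `appendHttpConfig` has no `allow`/`deny`, and 11012 is opened in `networking.firewall.allowedTCPPorts` (`alyssatv rtmp`), so the RTMP statistics page (stream names, client addresses, bandwidth) is world-readable; restrict it, e.g. `allow 10.0.0.0/8; deny all;` inside the location, or drop 11012 from the firewall list if only local access is needed. In `application alyssa.tv`, `record off;` and `record all;` contradict each other; keep one and say which is meant. The `stream { … listen 8400 ssl; … }` server does not inherit the TLS settings of the http block, so `ssl_protocols`/`ssl_ciphers` there fall back to nginx defaults; worth setting explicitly if that listener is ever exposed (8400 is not in the firewall list in this hunk).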
@ -0,0 +1,73 @@ |
||||
{ config, pkgs, ... }: |
||||
|
||||
{ |
||||
users.users.prosody.extraGroups = [ "tls" ]; |
||||
|
||||
networking.firewall.allowedTCPPorts = [ 5222 5223 5269 5280 5281 ]; |
||||
|
||||
services.prosody = let |
||||
ssl = { |
||||
cert = "/var/lib/acme/spacekookie.de/fullchain.pem"; |
||||
key = "/var/lib/acme/spacekookie.de/key.pem"; |
||||
}; |
||||
in { |
||||
enable = true; |
||||
admins = [ "kookie@spacekookie.de" ]; |
||||
modules = { |
||||
bosh = true; |
||||
carbons = true; |
||||
http_files = true; |
||||
mam = true; |
||||
pep = true; |
||||
proxy65 = true; |
||||
register = true; |
||||
websocket = true; |
||||
}; |
||||
extraModules = ["vcard_legacy"]; |
||||
inherit ssl; |
||||
virtualHosts."spacekookie.de" = { |
||||
domain = "spacekookie.de"; |
||||
# extraConfig = '' |
||||
# http_host = "xmpp.spacekookie.de" |
||||
# ''; |
||||
enabled = true; |
||||
inherit ssl; |
||||
}; |
||||
|
||||
# Move this to brook module |
||||
virtualHosts."guest-xmpp.spacekookie.de" = { |
||||
enabled = true; |
||||
domain = "guest-xmpp.spacekookie.de"; |
||||
inherit ssl; |
||||
extraConfig = '' |
||||
authentication = "anonymous" |
||||
http_host = "guest-xmpp.spacekookie.de"; |
||||
''; |
||||
}; |
||||
|
||||
package = pkgs.prosody.override { |
||||
withCommunityModules = [ "http_upload" "smacks" "csi" "conversejs" |
||||
"cloud_notify" "bookmarks" "vcard_muc" ]; |
||||
}; |
||||
muc = [{ |
||||
domain = "rooms.spacekookie.de"; |
||||
name = "muc"; |
||||
extraConfig = '' |
||||
restrict_room_creation = "local" |
||||
modules_enabled = { "muc_mam" } |
||||
muc_log_by_default = true |
||||
muc_log_presences = false |
||||
log_all_rooms = false |
||||
muc_log_expires_after = "12w" |
||||
muc_log_cleanup_interval = 4 * 60 * 60 |
||||
''; |
||||
}]; |
||||
uploadHttp = { |
||||
domain = "xmpp.spacekookie.de"; |
||||
uploadFileSizeLimit = "512 * 1024 * 1024"; # 512MB |
||||
}; |
||||
extraConfig = '' |
||||
legacy_ssl_ports = { 5223 } |
||||
''; |
||||
}; |
||||
} |
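Review bot: `networking.firewall.allowedTCPPorts = [ 5222 5223 5269 5280 5281 ]` opens 5280, Prosody's plain-HTTP port for BOSH/websocket/http_upload; the `stream.spacekookie.de` vhost in this commit already proxies `/xmpp-bosh` to `http://localhost:5280/http-bind` behind TLS, so 5280 only needs to be reachable from loopback and can be removed from the list (5281 stays for direct HTTPS). A short comment on the `modules` set, e.g. `# register loads mod_register; whether in-band signup is open depends on allow_registration`, would keep the next reader from assuming this line alone opens public registration.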
@ -0,0 +1,16 @@ |
||||
{ config, pkgs, ... }: |
||||
|
||||
{ |
||||
services.quassel = { |
||||
enable = true; |
||||
interfaces = [ "0.0.0.0" "::" ]; |
||||
portNumber = 4242; |
||||
}; |
||||
|
||||
services.postgresql.enable = true; |
||||
services.postgresql.package = pkgs.postgresql_11; |
||||
|
||||
users.users.quassel.extraGroups = [ "tls" ]; |
||||
|
||||
networking.firewall.allowedTCPPorts = [ 4242 ]; |
||||
} |
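Review bot: `interfaces = [ "0.0.0.0" "::" ]` together with `networking.firewall.allowedTCPPorts = [ 4242 ]` exposes the Quassel core on every address, and the `quassel` user is added to the `tls` group, but this hunk never points the core at the ACME certificate (no `certificateFile` here); unless that is set elsewhere, the core presumably falls back to its own generated certificate and the group membership has no effect — confirm against the quassel module options. A comment on the `extraGroups` line naming the certificate path it is meant to read would make the intent checkable.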
@ -0,0 +1,19 @@ |
||||
{ config, ... }: |
||||
|
||||
{ |
||||
networking.firewall.allowedTCPPorts = [ 143 ]; |
||||
|
||||
services.tor = { |
||||
enable = true; |
||||
relay = { |
||||
enable = true; |
||||
role = "relay"; |
||||
nickname = "hyperion"; |
||||
contactInfo = "kookie@spacekookie.de"; |
||||
port = 143; |
||||
}; |
||||
extraConfig = '' |
||||
ORPort [2a01:4f9:2b:1148::]:143 |
||||
''; |
||||
}; |
||||
} |
@ -0,0 +1,27 @@ |
||||
{ config, ... }: |
||||
|
||||
let listenPort = 51820; |
||||
in |
||||
{ |
||||
networking.firewall.allowedTCPPorts = [ listenPort ]; |
||||
|
||||
networking.wireguard.interfaces."intranet" = { |
||||
ips = [ "10.13.12.1" ]; |
||||
inherit listenPort; |
||||
privateKeyFile = "/var/lib/wireguard/keys/private"; |
||||
|
||||
peers = [ |
||||
{ publicKey = "NHMpnZW6h/MwxWcjztpwH5NN44jS9lB1b5T5jby1i1A="; |
||||
allowedIPs = [ "10.13.12.2/32" ]; } |
||||
{ publicKey = "U/EmC6uMGqrLOd+lqfquDcUShPHgoulN35Dan6RAqyU="; |
||||
allowedIPs = [ "10.13.12.3/32" ]; } |
||||
{ publicKey = "yh8gU4otkndmSsVBuaPMxxFHem45FE3POvSAWi8LEik="; |
||||
allowedIPs = [ "10.13.12.4/32" ]; } |
||||
{ publicKey = "cPvj0SPITg1twz3DprtQgehJDOAhOL/hnXlB5ZS6Fi4="; |
||||
endpoint = "85.119.82.108:51820"; |
||||
allowedIPs = [ "10.172.171.0/24" ]; } |
||||
# { publicKey = "oQZ3fcb9LsnQj8sDYLHf1+hodnW4XEhsM0rNBgHROz8="; |
||||
# allowedIPs = [ "10.172.171.2/32" ]; } |
||||
]; |
||||
}; |
||||
} |
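Review bot: WireGuard transports over UDP, so `networking.firewall.allowedTCPPorts = [ listenPort ];` opens the wrong protocol and inbound handshakes on 51820 will be dropped unless the port is opened elsewhere; change it to `networking.firewall.allowedUDPPorts = [ listenPort ];`. The peer list mixes `/32` intranet peers with a `/24` route via the `85.119.82.108` endpoint; a comment naming what each peer is would help, since public keys are not self-describing.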
@ -0,0 +1,22 @@ |
||||
{ stdenv, lib }: |
||||
|
||||
stdenv.mkDerivation rec { |
||||
name = "brook-frontend"; |
||||
|
||||
src = ./.; |
||||
|
||||
buildPhase = '' |
||||
|
||||
''; |
||||
|
||||
installPhase = '' |
||||
mkdir $out |
||||
''; |
||||
|
||||
meta = with stdenv.lib; { |
||||
description = "The brook streaming web frontend"; |
||||
homepage = "https://git.spacekookie.de/kookienomicon/apps/servers/brook"; |
||||
license = licenses.agpl3; |
||||
}; |
||||
} |
||||
|
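Review bot: `installPhase = ''mkdir $out'';` creates an empty output and never copies `src`, so `pkgs.brook-frontend` used as an nginx `root` elsewhere in this commit serves nothing; the phase should install the frontend files, e.g. `mkdir -p $out` followed by `cp -r . $out/` (or the build output if `buildPhase` ever produces one). `meta = with stdenv.lib;` should use the `lib` argument the function already takes, and `name` is better split into `pname`/`version` per nixpkgs convention.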
@ -0,0 +1,110 @@ |
||||
/* TOP LEVEL DEVICE CONFIGURATION FOR |
||||
* |
||||
* hyperion (hetzner root server) |
||||
* |
||||
* |
||||
* This file is part of LIBKOOKIE, a collection of nix expressions. |
||||
* LIBKOOKIE is licensed under the GPL-3.0 (or later) -- see LICENSE |
||||
*/ |
||||
|
||||
{ lib, config, pkgs, ... } @ args: |
||||
|
||||
let klib = (import <modules/harness/lib.nix>) args; |
||||
in |
||||
{ |
||||
################################################################### |
||||
# libkookie configuration |
||||
# |
||||
# |
||||
# |
||||
|
||||
imports = with klib; [ |
||||
# Load base modules required to bootstrap libkookie |
||||
<home-manager/nixos> <modules> <configuration/nix> |
||||
|
||||
(loadModule <configuration/base> "default") |
||||
|
||||
<configuration/server/acme/hyperion.nix> |
||||
<configuration/server/blog> |
||||
<configuration/server/brook> |
||||
<configuration/server/cgit> |
||||
<configuration/server/docker> |
||||
<configuration/server/gitlab-ci> |
||||
<configuration/server/openssh> |
||||
<configuration/server/prosody> |
||||
<configuration/server/quassel> |
||||
<configuration/server/tor> |
||||
<configuration/server/wireguard/hyperion.nix> |
||||
]; |
||||
|
||||
# TODO: build a klib function to patch cfg here |
||||
libkookie.activeUsers = with klib; [ (load <configuration/users/spacekookie>) |
||||
(load <configuration/users/qyliss>) ]; |
||||
|
||||
|
||||
# |
||||
# |
||||
# |
||||
# |
||||
################################################################### |
||||
|
||||
boot.zfs.devNodes = "/dev"; |
||||
boot.loader.grub = { |
||||
enable = true; |
||||
copyKernels = true; |
||||
version = 2; |
||||
|
||||
efiSupport = false; |
||||
zfsSupport = true; |
||||
device = "/dev/sdb"; |
||||
}; |
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; |
||||
boot.kernelModules = [ "kvm-intel" ]; |
||||
boot.extraModulePackages = [ ]; |
||||
|
||||
fileSystems."/" = |
||||
{ device = "tank/nix"; |
||||
fsType = "zfs"; |
||||
}; |
||||
|
||||
swapDevices = [ { device = "/dev/zd0"; } ]; |
||||
|
||||
nix.maxJobs = lib.mkDefault 8; |
||||
|
||||
hardware.cpu.intel.updateMicrocode = true; |
||||
|
||||
networking = { |
||||
defaultGateway = "95.216.98.1"; |
||||
defaultGateway6 = { address = "fe80::1"; interface = "enp0s31f6"; }; |
||||
nameservers = [ "1.1.1.1" ]; |
||||
interfaces.enp0s31f6 = { |
||||
ipv4.addresses = [ { address = "95.216.98.55"; prefixLength = 26; } ]; |
||||
ipv6.addresses = [ { address = "2a01:4f9:2b:1148::"; prefixLength = 64; } ]; |
||||
}; |
||||
dhcpcd.enable = false; # We have a static IP |
||||
useDHCP = false; |
||||
}; |
||||
|
||||
networking.hostName = "hyperion"; # Define your hostname. |
||||
networking.hostId = "d83bebd1"; |
||||
|
||||
networking.nat.enable = true; |
||||
networking.nat.externalInterface = "eth0"; |
||||
networking.nat.internalInterfaces = [ "intranet" ]; |
||||
|
||||
time.timeZone = "Europe/Berlin"; |
||||
|
||||
# Tools that are impotant for everybody to have |
||||
environment.systemPackages = with pkgs; [ |
||||
curl git htop kakoune links tmux vim wget wireguard |
||||
]; |
||||
|
||||
programs.zsh.enable = true; |
||||
|
||||
services.zfs.autoScrub.enable = true; |
||||
|
||||
users.groups.tls = {}; |
||||
|
||||
system.stateVersion = "19.03"; # Did you read the comment? |
||||
} |
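Review bot: `networking.nat.externalInterface = "eth0";` does not match the interface this file actually configures, `enp0s31f6` (see `networking.interfaces.enp0s31f6` and `defaultGateway6.interface`), so the masquerade rules for `internalInterfaces = [ "intranet" ]` will reference a device that does not exist and wireguard clients get no outbound NAT; change it to `networking.nat.externalInterface = "enp0s31f6";`. The banner of bare `#` lines under `libkookie configuration` is empty and `Tools that are impotant` has a typo (`important`). `imports` resolves modules through `<...>` lookups, so it depends on NIX_PATH; a comment next to `klib` saying where `<modules>` is expected to come from would help a fresh checkout.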