libkookie: hyperion: import configuration from legacy installation

infra/libkookie/configuration/server/acme/hyperion.nix

@@ -0,0 +1,33 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    email = "letsencrypt@spacekookie.de";
+    acceptTerms = true;
+  };
+  
+  # `hyperion.kookie.space` needs a cert for IRC  
+  security.acme.certs."hyperion.kookie.space" = {
+    webroot = "/var/lib/acme/acme-challenge";
+    group = "tls";
+  };
+
+  # Other certificates on the spacekookie.de namespace
+  security.acme.certs."spacekookie.de" = {
+    webroot = "/var/lib/acme/acme-challenge";
+    extraDomainNames = [
+      "www.spacekookie.de"
+
+      # Prosody related certificates
+      "xmpp.spacekookie.de"
+      "guest-xmpp.spacekookie.de"
+      "rooms.spacekookie.de"
+
+      # Public dev tools
+      "git.spacekookie.de"
+      "dev.spacekookie.de"
+      "stream.spacekookie.de"
+    ];
+    group = "tls";
+  };
+}

infra/libkookie/configuration/server/blog/default.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."spacekookie.de" = {
+    serverAliases = [ "www.spacekookie.de" ];
+    enableACME = false;
+    useACMEHost = "spacekookie.de";
+    forceSSL = true;
+    locations."/" = {
+      root = pkgs.spacekookie-de;
+      index = "index.html";
+    };
+    locations."/downloads/" = {
+      # root = kookiepkgs.spacekookie-de;
+      root = "/var/lib";
+      extraConfig = ''
+        autoindex on;
+      '';
+    };
+  };
+
+}

infra/libkookie/configuration/server/brook/default.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."stream.spacekookie.de" = {
+    serverAliases = [ "spacekookie.de" ];
+    enableACME = false;
+    useACMEHost = "spacekookie.de";
+    forceSSL = true;
+    locations."/" = {
+      root = pkgs.brook-frontend;
+      index = "index.html";
+    };
+    locations."/xmpp-bosh" = {
+      proxyPass = "http://localhost:5280/http-bind";
+      extraConfig = ''
+        proxy_set_header Host guest-xmpp.spacekookie.de;
+        proxy_set_header X-Forwarded-For guest-xmpp.spacekookie.de;
+        proxy_buffering off;
+        tcp_nodelay on;
+      '';
+    };
+    locations."/dash" = {
+      root = "/var/lib";
+    };
+    locations."/metrics" = {
+      proxyPass = "http://localhost:7667";
+    };
+  };
+  
+}

infra/libkookie/configuration/server/cgit/default.nix

@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+let port = 15150;
+in
+{
+  services.nginx.virtualHosts."git.spacekookie.de" = {
+    enableACME = false;
+    useACMEHost = "spacekookie.de";
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString port}";
+    };
+    locations."/static/" = {
+      alias = "/var/lib/cgit/";
+    };
+  };
+  
+  # cgit server
+  services.lighttpd = {
+    enable = true;
+    inherit port;
+    
+    cgit = {
+      enable = true;
+      configText = ''
+        clone-prefix=https://git.spacekookie.de
+        css=/static/cgit.css
+        favicon=/static/favicon.ico
+        enable-commit-graph=1
+        enable-follow-links=1
+        enable-log-filecount=1
+        enable-log-linecount=1
+        enable-git-config=1
+        remove-suffix=1
+        readme=:README
+        readme=:README.md
+        about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+        source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+        root-title=git.spacekookie.de
+        root-desc=Here be really bad source code yarrr
+        scan-path=/home/spacekookie/git
+      '';
+      subdir = ""; # be on git.spacekookie.de
+    };
+  };
+
+}

infra/libkookie/configuration/server/docker/default.nix

@@ -0,0 +1,6 @@
+{ config, ... }:
+
+{
+  virtualisation.docker.enable = true;
+  virtualisation.docker.storageDriver = "zfs";
+}

infra/libkookie/configuration/server/ffmpeg/default.nix

@@ -0,0 +1,42 @@
+{ config, ... }:
+
+{
+  # networking.firewall.allowedTCPPorts = [ 1935 7667 ];
+  # networking.firewall.allowedUDPPorts = [ 1935 ];
+  # 
+  # To use DASH, use ffmpeg directly, without bothering with nginx
+  # systemd.services.streamffmpeg = {
+  #   wantedBy = [ "multi-user.target" ];
+  #   serviceConfig = {
+  #     StateDirectory = "dash";
+  #     Group = "nginx";
+  #   };
+
+    
+  #       # -c:v:2 copy -map v:0 -aspect:2 16:9 \ # Ask puck about this!
+  #       # -c:v:0 libx264  -map v:0 -b:v:0 800k -s:0 854x480 -aspect:0 16:9 -preset:0 fast \
+  #       # -c:v:1 libx264 -map v:0 -b:v:1 1400k -s:1 1280x720 -aspect:1 16:9 -preset:1 fast \
+  #   script = ''
+  #     ${pkgs.ffmpeg}/bin/ffmpeg -listen 1 -i rtmp://0.0.0.0:1935/kookie.tv/app \
+  #       -c:v libx264 -x264opts "keyint=24:min-keyint=24:no-scenecut" -r 24 \
+  #       -c:a aac -b:a 128k \
+  #       -bf 1 -b_strategy 0 -sc_threshold 0 -pix_fmt yuv420p \
+  #       -map 0:v:0 -map 0:a:0 -map 0:v:0 -map 0:a:0 -map 0:v:0 -map 0:a:0 \
+  #       /var/lib/dash/app.mpd
+
+  #       # -c:a aac \              
+  #       # -c:v libx264 -crf 23 -preset veryfast \
+  #       # -g 60 \
+  #       # -map 0:a \
+  #       # -f dash \
+  #       #   -init_seg_name 'init$RepresentationID$.$ext$' \
+  #       #   -media_seg_name 'chunk$RepresentationID$-$Number%05d$.$ext$' \
+  #       #   -use_template 1 -use_timeline 1 \
+  #       #   -seg_duration 2 -window_size 20 -remove_at_exit 1 \
+  #       #   -hls_playlist 1 \
+  #       #   -streaming 1 -ldash 1 \
+  #       #   -adaptation_sets "id=0,streams=v id=1,streams=a" \
+  #       #   /var/lib/dash/app.mpd
+  #   '';
+  # };
+}

infra/libkookie/configuration/server/gitlab-ci/default.nix

@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+  services.gitlab-runner = {
+    enable = true;
+    configFile = "/var/lib/gitlab-runner/config.toml";
+  };
+
+}

infra/libkookie/configuration/server/nginx/default.nix

@@ -0,0 +1,68 @@
+{ config, pkgs, ... }:
+
+# TODO: split this into an RTMP module?
+{
+  services.nginx.enable = true;
+  services.nginx.package = pkgs.nginxMainline.override {
+    modules = [ pkgs.nginxModules.rtmp ];
+  };
+
+  users.users.nginx.extraGroups = [ "tls" ];
+
+  networking.firewall.allowedTCPPorts = [
+    80 443 /* Regular HTTP(s) */
+
+    11011 11012 /* alyssatv rtmp */
+  ];
+
+  # services.nginx.logError = "stderr debug";
+  services.nginx.appendHttpConfig = ''
+    map $remote_addr $remote_addr_anon {
+      ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.X;
+      ~(?P<ip>[^:]+:[^:]+):       $ip::X;
+      default                     0.0.0.0;
+    }
+    
+    log_format anonymous '$remote_addr_anon - $remote_user [$time_local] '
+                           '"$request" $status $body_bytes_sent '
+                           '"$http_referer" "$http_user_agent"';
+    access_log /var/log/nginx/access.log anonymous;
+    charset UTF-8;
+
+    server {
+      listen 11012;
+      location /stat {
+        rtmp_stat all;
+      }
+    }
+  '';
+
+  services.nginx.appendConfig = ''
+    stream {
+      server {
+        listen 8400 ssl;
+        ssl_certificate /var/lib/acme/hyperion.kookie.space/fullchain.pem;
+        ssl_certificate_key /var/lib/acme/hyperion.kookie.space/key.pem;
+        proxy_pass 127.0.0.1:8412;
+      }
+    }
+
+    rtmp {
+      server {
+        listen 11011;
+        application alyssa.tv {
+          live on;
+          record off;
+          allow publish 10.0.0.0/8;
+          deny publish all;
+
+          record all;
+          record_path /var/lib/rtmp/alyssatv;
+          record_unique on;
+          record_max_size 300000000K;
+        }
+      }
+    }
+  '';
+
+}

infra/libkookie/configuration/server/prosody/default.nix

@@ -0,0 +1,73 @@
+{ config, pkgs, ... }:
+
+{
+  users.users.prosody.extraGroups = [ "tls" ];
+
+  networking.firewall.allowedTCPPorts = [ 5222 5223 5269 5280 5281 ];
+  
+  services.prosody = let
+    ssl = {
+      cert = "/var/lib/acme/spacekookie.de/fullchain.pem";
+      key = "/var/lib/acme/spacekookie.de/key.pem";
+    };
+  in {
+    enable = true;
+    admins = [ "kookie@spacekookie.de" ];
+    modules = {
+      bosh = true;
+      carbons = true;
+      http_files = true;
+      mam = true;
+      pep = true;
+      proxy65 = true;
+      register = true;
+      websocket = true;
+    };
+    extraModules = ["vcard_legacy"];
+    inherit ssl;
+    virtualHosts."spacekookie.de" = { 
+      domain = "spacekookie.de";
+      # extraConfig = ''
+      #   http_host = "xmpp.spacekookie.de"
+      # '';
+      enabled = true;
+      inherit ssl;
+    };
+
+    # Move this to brook module
+    virtualHosts."guest-xmpp.spacekookie.de" = {
+      enabled = true;
+      domain = "guest-xmpp.spacekookie.de";
+      inherit ssl;
+      extraConfig = ''
+          authentication = "anonymous"
+          http_host = "guest-xmpp.spacekookie.de";
+        '';
+    };
+    
+    package = pkgs.prosody.override {
+      withCommunityModules = [ "http_upload" "smacks" "csi" "conversejs"
+                               "cloud_notify" "bookmarks" "vcard_muc" ];
+    };
+    muc = [{
+      domain = "rooms.spacekookie.de";
+      name = "muc";
+      extraConfig = ''
+                restrict_room_creation = "local"
+                modules_enabled = { "muc_mam" }
+                muc_log_by_default = true
+                muc_log_presences = false
+                log_all_rooms = false
+                muc_log_expires_after = "12w"
+                muc_log_cleanup_interval = 4 * 60 * 60
+      '';
+    }];
+    uploadHttp = {
+      domain = "xmpp.spacekookie.de";
+      uploadFileSizeLimit = "512 * 1024 * 1024"; # 512MB
+    };
+    extraConfig = ''
+      legacy_ssl_ports = { 5223 }
+    '';
+  };
+}

infra/libkookie/configuration/server/quassel/default.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+  services.quassel = {
+    enable = true;
+    interfaces = [ "0.0.0.0" "::" ];
+    portNumber = 4242;
+  };
+
+  services.postgresql.enable = true;
+  services.postgresql.package = pkgs.postgresql_11;
+
+  users.users.quassel.extraGroups = [ "tls" ];
+
+  networking.firewall.allowedTCPPorts = [ 4242 ];
+}

infra/libkookie/configuration/server/tor/default.nix

@@ -0,0 +1,19 @@
+{ config, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 143 ];
+  
+  services.tor = {
+    enable = true;
+    relay = {
+      enable = true;
+      role = "relay";
+      nickname = "hyperion";
+      contactInfo = "kookie@spacekookie.de";
+      port = 143;
+    };
+    extraConfig = ''
+      ORPort [2a01:4f9:2b:1148::]:143
+    '';
+  };
+}

infra/libkookie/configuration/server/wireguard/hyperion.nix

@@ -0,0 +1,27 @@
+{ config, ... }:
+
+let listenPort = 51820;
+in
+{
+  networking.firewall.allowedTCPPorts = [ listenPort ];
+  
+  networking.wireguard.interfaces."intranet" = {
+    ips = [ "10.13.12.1" ];
+    inherit listenPort;
+    privateKeyFile = "/var/lib/wireguard/keys/private";
+
+    peers = [
+      { publicKey = "NHMpnZW6h/MwxWcjztpwH5NN44jS9lB1b5T5jby1i1A=";
+        allowedIPs = [ "10.13.12.2/32" ]; }
+      { publicKey = "U/EmC6uMGqrLOd+lqfquDcUShPHgoulN35Dan6RAqyU=";
+        allowedIPs = [ "10.13.12.3/32" ]; }
+      { publicKey = "yh8gU4otkndmSsVBuaPMxxFHem45FE3POvSAWi8LEik=";
+        allowedIPs = [ "10.13.12.4/32" ]; }
+      { publicKey = "cPvj0SPITg1twz3DprtQgehJDOAhOL/hnXlB5ZS6Fi4=";
+        endpoint = "85.119.82.108:51820";
+        allowedIPs = [ "10.172.171.0/24" ]; }
+      # { publicKey = "oQZ3fcb9LsnQj8sDYLHf1+hodnW4XEhsM0rNBgHROz8=";
+      #   allowedIPs = [ "10.172.171.2/32" ]; }
+    ];
+  };
+}

infra/libkookie/overlays/default.nix

@@ -8,6 +8,7 @@
 self: super: {
 
   barrel-blog = self.callPackage ./kookie/barrel-blog { inherit (super); };
+  brook-frontend = self.callPackage ./kookie/brook-frontend { inherit (super); };
   invoice = self.callPackage ./kookie/invoice { inherit (super); };
   spacekookie-de = self.callPackage ./kookie/spacekookie-de { inherit (super); };
   libkookie-emacs = self.callPackage ./kookie/emacs { inherit (super); };

infra/libkookie/overlays/kookie/brook-frontend/default.nix

@@ -0,0 +1,22 @@
+{ stdenv, lib }:
+
+stdenv.mkDerivation rec {
+  name = "brook-frontend";
+
+  src = ./.;
+
+  buildPhase = ''
+
+  '';
+
+  installPhase = ''
+    mkdir $out
+  '';
+  
+  meta = with stdenv.lib; {
+    description = "The brook streaming web frontend";
+    homepage = "https://git.spacekookie.de/kookienomicon/apps/servers/brook";
+    license = licenses.agpl3;
+  };
+}
+

infra/libkookie/overlays/kookie/spacekookie-de/default.nix

@@ -9,11 +9,12 @@ stdenv.mkDerivation rec {
     sha256 = "0414351da5hy1096lrmmpm2jwdrxb8j5v59ccz6ayzpv1vwxk5qd";
   }; 
 
-  buildInputs = with python3Packages; [ pelican webassets markdown ];
+  buildInputs = with python3Packages; [ webassets markdown ];
 
   installPhase = ''
-      pelican content
-      cp -rv output $out
+      #pelican content
+      #cp -rv output $out
+      mkdir $out
     '';
 
   meta = with stdenv.lib; {

infra/libkookie/roots/hyperion.nix

@@ -0,0 +1,110 @@
+/* TOP LEVEL DEVICE CONFIGURATION FOR
+ * 
+ *    hyperion (hetzner root server)
+ *
+ *
+ * This file is part of LIBKOOKIE, a collection of nix expressions.
+ * LIBKOOKIE is licensed under the GPL-3.0 (or later) -- see LICENSE
+ */
+
+{ lib, config, pkgs, ... } @ args:
+
+let klib = (import <modules/harness/lib.nix>) args;
+in
+{
+  ###################################################################
+  #                    libkookie configuration
+  #
+  #
+  #
+
+  imports = with klib; [
+    # Load base modules required to bootstrap libkookie
+    <home-manager/nixos> <modules> <configuration/nix>
+
+    (loadModule <configuration/base> "default")
+
+    <configuration/server/acme/hyperion.nix>
+    <configuration/server/blog>
+    <configuration/server/brook>
+    <configuration/server/cgit>
+    <configuration/server/docker>
+    <configuration/server/gitlab-ci>
+    <configuration/server/openssh>
+    <configuration/server/prosody>
+    <configuration/server/quassel>
+    <configuration/server/tor>
+    <configuration/server/wireguard/hyperion.nix>
+  ];
+
+  # TODO: build a klib function to patch cfg here
+  libkookie.activeUsers = with klib; [ (load <configuration/users/spacekookie>)
+                                       (load <configuration/users/qyliss>) ];
+  
+
+  #
+  #
+  #
+  #
+  ###################################################################
+
+  boot.zfs.devNodes = "/dev";
+  boot.loader.grub = {
+    enable = true;
+    copyKernels = true;
+    version = 2;
+
+    efiSupport = false;
+    zfsSupport = true;
+    device = "/dev/sdb";
+  };
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "tank/nix";
+      fsType = "zfs";
+    };
+
+  swapDevices = [ { device = "/dev/zd0"; } ];
+
+  nix.maxJobs = lib.mkDefault 8;
+  
+  hardware.cpu.intel.updateMicrocode = true;
+
+  networking = {
+    defaultGateway = "95.216.98.1";
+    defaultGateway6 = { address = "fe80::1"; interface = "enp0s31f6"; };
+    nameservers = [ "1.1.1.1" ];
+    interfaces.enp0s31f6 = {
+      ipv4.addresses = [ { address = "95.216.98.55"; prefixLength = 26; } ];
+      ipv6.addresses = [ { address = "2a01:4f9:2b:1148::"; prefixLength = 64; } ];
+    };
+    dhcpcd.enable = false; # We have a static IP
+    useDHCP = false;
+  };
+
+  networking.hostName = "hyperion"; # Define your hostname.
+  networking.hostId = "d83bebd1";
+
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "eth0";
+  networking.nat.internalInterfaces = [ "intranet" ];
+
+  time.timeZone = "Europe/Berlin";
+
+  # Tools that are impotant for everybody to have
+  environment.systemPackages = with pkgs; [ 
+    curl git htop kakoune links tmux vim wget wireguard
+  ];
+
+  programs.zsh.enable = true;
+
+  services.zfs.autoScrub.enable = true;
+
+  users.groups.tls = {};
+  
+  system.stateVersion = "19.03"; # Did you read the comment?
+}