From b3317c7cdde522f01f56f5a0799163beb0c219b8 Mon Sep 17 00:00:00 2001 
From: Mx Kookie
Date: Fri, 25 Dec 2020 22:13:56 +0100
Subject: [PATCH] libkookie: hyperion: import configuration from legacy installation
---
 .../configuration/server/acme/hyperion.nix | 33 ++++++
 .../configuration/server/blog/default.nix | 22 ++++
 .../configuration/server/brook/default.nix | 30 +++++
 .../configuration/server/cgit/default.nix | 47 ++++++++
 .../configuration/server/docker/default.nix | 6 +
 .../configuration/server/ffmpeg/default.nix | 42 +++++++
 .../server/gitlab-ci/default.nix | 9 ++
 .../configuration/server/nginx/default.nix | 68 +++++++++++
 .../configuration/server/prosody/default.nix | 73 ++++++++++++
 .../configuration/server/quassel/default.nix | 16 +++
 .../configuration/server/tor/default.nix | 19 +++
 .../server/wireguard/hyperion.nix | 27 +++++
 infra/libkookie/overlays/default.nix | 1 +
 .../kookie/brook-frontend/default.nix | 22 ++++
 .../kookie/spacekookie-de/default.nix | 7 +-
 infra/libkookie/roots/hyperion.nix | 110 ++++++++++++++++++
 16 files changed, 529 insertions(+), 3 deletions(-)
 create mode 100644 infra/libkookie/configuration/server/acme/hyperion.nix
 create mode 100644 infra/libkookie/configuration/server/blog/default.nix
 create mode 100644 infra/libkookie/configuration/server/brook/default.nix
 create mode 100644 infra/libkookie/configuration/server/cgit/default.nix
 create mode 100644 infra/libkookie/configuration/server/docker/default.nix
 create mode 100644 infra/libkookie/configuration/server/ffmpeg/default.nix
 create mode 100644 infra/libkookie/configuration/server/gitlab-ci/default.nix
 create mode 100644 infra/libkookie/configuration/server/nginx/default.nix
 create mode 100644 infra/libkookie/configuration/server/prosody/default.nix
 create mode 100644 infra/libkookie/configuration/server/quassel/default.nix
 create mode 100644 infra/libkookie/configuration/server/tor/default.nix
 create mode 100644 infra/libkookie/configuration/server/wireguard/hyperion.nix
 create mode 100644 infra/libkookie/overlays/kookie/brook-frontend/default.nix
 create mode 100644 infra/libkookie/roots/hyperion.nix
diff --git a/infra/libkookie/configuration/server/acme/hyperion.nix b/infra/libkookie/configuration/server/acme/hyperion.nix
new file mode 100644
index 00000000000..1f382bf3cce
--- /dev/null
+++ b/infra/libkookie/configuration/server/acme/hyperion.nix
@@ -0,0 +1,33 @@
+{ config, ... }:
+
+{
+ security.acme = {
+ email = "letsencrypt@spacekookie.de";
+ acceptTerms = true;
+ };
+
+ # `hyperion.kookie.space` needs a cert for IRC
+ security.acme.certs."hyperion.kookie.space" = {
+ webroot = "/var/lib/acme/acme-challenge";
+ group = "tls";
+ };
+
+ # Other certificates on the spacekookie.de namespace
+ security.acme.certs."spacekookie.de" = {
+ webroot = "/var/lib/acme/acme-challenge";
+ extraDomainNames = [
+ "www.spacekookie.de"
+
+ # Prosody related certificates
+ "xmpp.spacekookie.de"
+ "guest-xmpp.spacekookie.de"
+ "rooms.spacekookie.de"
+
+ # Public dev tools
+ "git.spacekookie.de"
+ "dev.spacekookie.de"
+ "stream.spacekookie.de"
+ ];
+ group = "tls";
+ };
+}
diff --git a/infra/libkookie/configuration/server/blog/default.nix b/infra/libkookie/configuration/server/blog/default.nix
new file mode 100644
index 00000000000..489bed01ea0
--- /dev/null
+++ b/infra/libkookie/configuration/server/blog/default.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+ services.nginx.virtualHosts."spacekookie.de" = {
+ serverAliases = [ "www.spacekookie.de" ];
+ enableACME = false;
+ useACMEHost = "spacekookie.de";
+ forceSSL = true;
+ locations."/" = {
+ root = pkgs.spacekookie-de;
+ index = "index.html";
+ };
+ locations."/downloads/" = {
+ # root = kookiepkgs.spacekookie-de;
+ root = "/var/lib";
+ extraConfig = ''
+ autoindex on;
+ '';
+ };
+ };
+
+}
diff --git a/infra/libkookie/configuration/server/brook/default.nix b/infra/libkookie/configuration/server/brook/default.nix
new file mode 100644
index 00000000000..2e88675a1f6
--- /dev/null
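Review bot: `extraDomainNames` lists `dev.spacekookie.de`, but no virtual host in this commit serves that name, and every nginx vhost added here sets `enableACME = false` with `useACMEHost`; unless something else answers `/.well-known/acme-challenge/` for each listed name out of the shared webroot, issuance of the `spacekookie.de` certificate fails for the whole SAN set, not just the unused name. A comment on the cert block stating which vhost is expected to serve the challenge, e.g. `# challenge for all SANs is answered by the spacekookie.de nginx vhost`, or dropping names that have no vhost yet, would make the dependency explicit.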
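Review bot: `locations."/downloads/"` combines `root = "/var/lib"` with `autoindex on;`, so nginx appends the request path and publishes a directory listing of `/var/lib/downloads/`; if a dedicated directory was meant (the commented `kookiepkgs` root suggests this is a stopgap), `alias` is the directive that maps the location onto a path. Either way the block deserves a comment pinning the intent, e.g. `# serves /var/lib/downloads/ with a public listing; only public files may live there`.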
+++ b/infra/libkookie/configuration/server/brook/default.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+{
+ services.nginx.virtualHosts."stream.spacekookie.de" = {
+ serverAliases = [ "spacekookie.de" ];
+ enableACME = false;
+ useACMEHost = "spacekookie.de";
+ forceSSL = true;
+ locations."/" = {
+ root = pkgs.brook-frontend;
+ index = "index.html";
+ };
+ locations."/xmpp-bosh" = {
+ proxyPass = "http://localhost:5280/http-bind";
+ extraConfig = ''
+ proxy_set_header Host guest-xmpp.spacekookie.de;
+ proxy_set_header X-Forwarded-For guest-xmpp.spacekookie.de;
+ proxy_buffering off;
+ tcp_nodelay on;
+ '';
+ };
+ locations."/dash" = {
+ root = "/var/lib";
+ };
+ locations."/metrics" = {
+ proxyPass = "http://localhost:7667";
+ };
+ };
+
+}
diff --git a/infra/libkookie/configuration/server/cgit/default.nix b/infra/libkookie/configuration/server/cgit/default.nix
new file mode 100644
index 00000000000..2c0e0427e57
--- /dev/null
+++ b/infra/libkookie/configuration/server/cgit/default.nix
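Review bot: This vhost declares `serverAliases = [ "spacekookie.de" ]` while the blog vhost added in the same commit uses `spacekookie.de` as its primary server name, so nginx reports a conflicting server_name and only one of the two configurations answers for the apex domain. The `/xmpp-bosh` location also sets `proxy_set_header X-Forwarded-For guest-xmpp.spacekookie.de;`, a constant hostname, so Prosody never sees the real client address; `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` is the usual value, with only the Host header carrying the vhost name. `/metrics` is proxied to `localhost:7667` with no access restriction, so whatever that endpoint reports is public unless that is intended.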
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+let port = 15150;
+in
+{
+ services.nginx.virtualHosts."git.spacekookie.de" = {
+ enableACME = false;
+ useACMEHost = "spacekookie.de";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString port}";
+ };
+ locations."/static/" = {
+ alias = "/var/lib/cgit/";
+ };
+ };
+
+ # cgit server
+ services.lighttpd = {
+ enable = true;
+ inherit port;
+
+ cgit = {
+ enable = true;
+ configText = ''
+ clone-prefix=https://git.spacekookie.de
+ css=/static/cgit.css
+ favicon=/static/favicon.ico
+ enable-commit-graph=1
+ enable-follow-links=1
+ enable-log-filecount=1
+ enable-log-linecount=1
+ enable-git-config=1
+ remove-suffix=1
+ readme=:README
+ readme=:README.md
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ root-title=git.spacekookie.de
+ root-desc=Here be really bad source code yarrr
+ scan-path=/home/spacekookie/git
+ '';
+ subdir = ""; # be on git.spacekookie.de
+ };
+ };
+
+}
diff --git a/infra/libkookie/configuration/server/docker/default.nix b/infra/libkookie/configuration/server/docker/default.nix
new file mode 100644
index 00000000000..2d95cf45664
--- /dev/null
+++ b/infra/libkookie/configuration/server/docker/default.nix
@@ -0,0 +1,6 @@
+{ config, ... }:
+
+{
+ virtualisation.docker.enable = true;
+ virtualisation.docker.storageDriver = "zfs";
+}
diff --git a/infra/libkookie/configuration/server/ffmpeg/default.nix b/infra/libkookie/configuration/server/ffmpeg/default.nix
new file mode 100644
index 00000000000..24941af7ad4
--- /dev/null
+++ b/infra/libkookie/configuration/server/ffmpeg/default.nix
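Review bot: `services.lighttpd` is given only `port = 15150` and no bind address, so unless lighttpd is bound to loopback somewhere outside this hunk the cgit instance listens on every interface and is reachable by any host the firewall does not block, bypassing the TLS front end; binding it locally (`server.bind = "127.0.0.1"` in the module's extra configuration) keeps it reachable only through the nginx `proxyPass` above. `enable-git-config=1` lets each repository's own git config override cgit settings, which matters if not every repository under `scan-path=/home/spacekookie/git` is owned by the operator; a comment recording that assumption next to the line would help.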
@@ -0,0 +1,42 @@
+{ config, ... }:
+
+{
+ # networking.firewall.allowedTCPPorts = [ 1935 7667 ];
+ # networking.firewall.allowedUDPPorts = [ 1935 ];
+ #
+ # To use DASH, use ffmpeg directly, without bothering with nginx
+ # systemd.services.streamffmpeg = {
+ # wantedBy = [ "multi-user.target" ];
+ # serviceConfig = {
+ # StateDirectory = "dash";
+ # Group = "nginx";
+ # };
+
+
+ # # -c:v:2 copy -map v:0 -aspect:2 16:9 \ # Ask puck about this!
+ # # -c:v:0 libx264 -map v:0 -b:v:0 800k -s:0 854x480 -aspect:0 16:9 -preset:0 fast \
+ # # -c:v:1 libx264 -map v:0 -b:v:1 1400k -s:1 1280x720 -aspect:1 16:9 -preset:1 fast \
+ # script = ''
+ # ${pkgs.ffmpeg}/bin/ffmpeg -listen 1 -i rtmp://0.0.0.0:1935/kookie.tv/app \
+ # -c:v libx264 -x264opts "keyint=24:min-keyint=24:no-scenecut" -r 24 \
+ # -c:a aac -b:a 128k \
+ # -bf 1 -b_strategy 0 -sc_threshold 0 -pix_fmt yuv420p \
+ # -map 0:v:0 -map 0:a:0 -map 0:v:0 -map 0:a:0 -map 0:v:0 -map 0:a:0 \
+ # /var/lib/dash/app.mpd
+
+ # # -c:a aac \
+ # # -c:v libx264 -crf 23 -preset veryfast \
+ # # -g 60 \
+ # # -map 0:a \
+ # # -f dash \
+ # # -init_seg_name 'init$RepresentationID$.$ext$' \
+ # # -media_seg_name 'chunk$RepresentationID$-$Number%05d$.$ext$' \
+ # # -use_template 1 -use_timeline 1 \
+ # # -seg_duration 2 -window_size 20 -remove_at_exit 1 \
+ # # -hls_playlist 1 \
+ # # -streaming 1 -ldash 1 \
+ # # -adaptation_sets "id=0,streams=v id=1,streams=a" \
+ # # /var/lib/dash/app.mpd
+ # '';
+ # };
+}
diff --git a/infra/libkookie/configuration/server/gitlab-ci/default.nix b/infra/libkookie/configuration/server/gitlab-ci/default.nix
new file mode 100644
index 00000000000..3aa4f2bb2a3
--- /dev/null
+++ b/infra/libkookie/configuration/server/gitlab-ci/default.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+ services.gitlab-runner = {
+ enable = true;
+ configFile = "/var/lib/gitlab-runner/config.toml";
+ };
+
+}
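Review bot: The module header is `{ config, ... }:` while the commented-out `script` references `${pkgs.ffmpeg}`, so the file cannot simply be uncommented later: evaluation fails until `pkgs` is added to the argument set. Everything else in the file is also commented out, and the draft `-listen 1 -i rtmp://0.0.0.0:1935/...` accepts publishes from any source once the matching firewall lines are re-enabled; if this is kept as a draft, a top-of-file comment such as `# DRAFT: inactive; needs pkgs in scope and a publish restriction before enabling` would state that.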
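Review bot: `configFile = "/var/lib/gitlab-runner/config.toml"` points at state that nothing in this configuration produces, and the hunk does not say how that file, which carries the runner's registration token, gets onto the host or which executor it configures. A comment such as `# config.toml is registered manually on the host and holds the runner token; never copy it into the store` would document the out-of-band step.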
diff --git a/infra/libkookie/configuration/server/nginx/default.nix b/infra/libkookie/configuration/server/nginx/default.nix
new file mode 100644
index 00000000000..5c1e3c99cdf
--- /dev/null
+++ b/infra/libkookie/configuration/server/nginx/default.nix
@@ -0,0 +1,68 @@
+{ config, pkgs, ... }:
+
+# TODO: split this into an RTMP module?
+{
+ services.nginx.enable = true;
+ services.nginx.package = pkgs.nginxMainline.override {
+ modules = [ pkgs.nginxModules.rtmp ];
+ };
+
+ users.users.nginx.extraGroups = [ "tls" ];
+
+ networking.firewall.allowedTCPPorts = [
+ 80 443 /* Regular HTTP(s) */
+
+ 11011 11012 /* alyssatv rtmp */
+ ];
+
+ # services.nginx.logError = "stderr debug";
+ services.nginx.appendHttpConfig = ''
+ map $remote_addr $remote_addr_anon {
+ ~(?P\d+\.\d+\.\d+)\. $ip.X;
+ ~(?P[^:]+:[^:]+): $ip::X;
+ default 0.0.0.0;
+ }
+
+ log_format anonymous '$remote_addr_anon - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+ access_log /var/log/nginx/access.log anonymous;
+ charset UTF-8;
+
+ server {
+ listen 11012;
+ location /stat {
+ rtmp_stat all;
+ }
+ }
+ '';
+
+ services.nginx.appendConfig = ''
+ stream {
+ server {
+ listen 8400 ssl;
+ ssl_certificate /var/lib/acme/hyperion.kookie.space/fullchain.pem;
+ ssl_certificate_key /var/lib/acme/hyperion.kookie.space/key.pem;
+ proxy_pass 127.0.0.1:8412;
+ }
+ }
+
+ rtmp {
+ server {
+ listen 11011;
+ application alyssa.tv {
+ live on;
+ record off;
+ allow publish 10.0.0.0/8;
+ deny publish all;
+
+ record all;
+ record_path /var/lib/rtmp/alyssatv;
+ record_unique on;
+ record_max_size 300000000K;
+ }
+ }
+ }
+ '';
+
+}
diff --git a/infra/libkookie/configuration/server/prosody/default.nix b/infra/libkookie/configuration/server/prosody/default.nix
new file mode 100644
index 00000000000..aeee20431a7
--- /dev/null
+++ b/infra/libkookie/configuration/server/prosody/default.nix
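Review bot: Port `11012` is added to `allowedTCPPorts` and serves `location /stat { rtmp_stat all; }` over plain HTTP, so the RTMP statistics page (stream names, publisher and viewer addresses) is readable by anyone on the internet; an `allow`/`deny` pair on that location, or leaving `11012` out of the firewall list, keeps it private. The `application alyssa.tv` block sets both `record off;` and `record all;`; only the second takes effect, so the first line should go to avoid misleading readers. The `stream { listen 8400 ssl; ... }` server is not in the firewall list, which is fine if it is intranet-only but deserves a comment saying so. The `map` regexes appear here as `~(?P\d+\.\d+\.\d+)\.` with no group name while the replacement uses `$ip`; if that is not a rendering artefact of this page the configuration does not load.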
@@ -0,0 +1,73 @@
+{ config, pkgs, ... }:
+
+{
+ users.users.prosody.extraGroups = [ "tls" ];
+
+ networking.firewall.allowedTCPPorts = [ 5222 5223 5269 5280 5281 ];
+
+ services.prosody = let
+ ssl = {
+ cert = "/var/lib/acme/spacekookie.de/fullchain.pem";
+ key = "/var/lib/acme/spacekookie.de/key.pem";
+ };
+ in {
+ enable = true;
+ admins = [ "kookie@spacekookie.de" ];
+ modules = {
+ bosh = true;
+ carbons = true;
+ http_files = true;
+ mam = true;
+ pep = true;
+ proxy65 = true;
+ register = true;
+ websocket = true;
+ };
+ extraModules = ["vcard_legacy"];
+ inherit ssl;
+ virtualHosts."spacekookie.de" = {
+ domain = "spacekookie.de";
+ # extraConfig = ''
+ # http_host = "xmpp.spacekookie.de"
+ # '';
+ enabled = true;
+ inherit ssl;
+ };
+
+ # Move this to brook module
+ virtualHosts."guest-xmpp.spacekookie.de" = {
+ enabled = true;
+ domain = "guest-xmpp.spacekookie.de";
+ inherit ssl;
+ extraConfig = ''
+ authentication = "anonymous"
+ http_host = "guest-xmpp.spacekookie.de";
+ '';
+ };
+
+ package = pkgs.prosody.override {
+ withCommunityModules = [ "http_upload" "smacks" "csi" "conversejs"
+ "cloud_notify" "bookmarks" "vcard_muc" ];
+ };
+ muc = [{
+ domain = "rooms.spacekookie.de";
+ name = "muc";
+ extraConfig = ''
+ restrict_room_creation = "local"
+ modules_enabled = { "muc_mam" }
+ muc_log_by_default = true
+ muc_log_presences = false
+ log_all_rooms = false
+ muc_log_expires_after = "12w"
+ muc_log_cleanup_interval = 4 * 60 * 60
+ '';
+ }];
+ uploadHttp = {
+ domain = "xmpp.spacekookie.de";
+ uploadFileSizeLimit = "512 * 1024 * 1024"; # 512MB
+ };
+ extraConfig = ''
+ legacy_ssl_ports = { 5223 }
+ '';
+ };
+}
diff --git a/infra/libkookie/configuration/server/quassel/default.nix b/infra/libkookie/configuration/server/quassel/default.nix
new file mode 100644
index 00000000000..c437ff3572d
--- /dev/null
+++ b/infra/libkookie/configuration/server/quassel/default.nix
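Review bot: `allowedTCPPorts` opens `5280`, the plain-HTTP BOSH/WebSocket port, to the world even though the brook vhost in this commit reaches it via `localhost:5280` behind TLS, so client sessions can be carried unencrypted from outside; dropping `5280` from the list and keeping `5281` closes that path without affecting the proxied route. `uploadHttp` permits 512 MB per upload with no visible retention or quota setting; a comment on the intended retention, or an explicit `http_upload_expire_after` in Prosody's config, would record the policy. The guest host's `http_host = "guest-xmpp.spacekookie.de";` carries a trailing `;` that the neighbouring Lua lines do not, which is harmless in Lua but inconsistent.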
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+ services.quassel = {
+ enable = true;
+ interfaces = [ "0.0.0.0" "::" ];
+ portNumber = 4242;
+ };
+
+ services.postgresql.enable = true;
+ services.postgresql.package = pkgs.postgresql_11;
+
+ users.users.quassel.extraGroups = [ "tls" ];
+
+ networking.firewall.allowedTCPPorts = [ 4242 ];
+}
diff --git a/infra/libkookie/configuration/server/tor/default.nix b/infra/libkookie/configuration/server/tor/default.nix
new file mode 100644
index 00000000000..cbd4d8e3032
--- /dev/null
+++ b/infra/libkookie/configuration/server/tor/default.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+
+{
+ networking.firewall.allowedTCPPorts = [ 143 ];
+
+ services.tor = {
+ enable = true;
+ relay = {
+ enable = true;
+ role = "relay";
+ nickname = "hyperion";
+ contactInfo = "kookie@spacekookie.de";
+ port = 143;
+ };
+ extraConfig = ''
+ ORPort [2a01:4f9:2b:1148::]:143
+ '';
+ };
+}
diff --git a/infra/libkookie/configuration/server/wireguard/hyperion.nix b/infra/libkookie/configuration/server/wireguard/hyperion.nix
new file mode 100644
index 00000000000..2a20f6ee553
--- /dev/null
+++ b/infra/libkookie/configuration/server/wireguard/hyperion.nix
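Review bot: `quassel` is added to the `tls` group, matching the ACME file's remark that `hyperion.kookie.space` needs a cert for IRC, yet nothing in this hunk points the core at that certificate, so it most likely still presents its own self-generated key while listening on `0.0.0.0`/`::` with 4242 open in the firewall; if `services.quassel.certificateFile` is the intended mechanism it should be set here, otherwise the group membership is unused. `services.postgresql.enable = true` is not tied to quassel by anything visible; a comment such as `# backing store for the quassel core, selected during core setup` would say whether that wiring is manual.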
@@ -0,0 +1,27 @@
+{ config, ... }:
+
+let listenPort = 51820;
+in
+{
+ networking.firewall.allowedTCPPorts = [ listenPort ];
+
+ networking.wireguard.interfaces."intranet" = {
+ ips = [ "10.13.12.1" ];
+ inherit listenPort;
+ privateKeyFile = "/var/lib/wireguard/keys/private";
+
+ peers = [
+ { publicKey = "NHMpnZW6h/MwxWcjztpwH5NN44jS9lB1b5T5jby1i1A=";
+ allowedIPs = [ "10.13.12.2/32" ]; }
+ { publicKey = "U/EmC6uMGqrLOd+lqfquDcUShPHgoulN35Dan6RAqyU=";
+ allowedIPs = [ "10.13.12.3/32" ]; }
+ { publicKey = "yh8gU4otkndmSsVBuaPMxxFHem45FE3POvSAWi8LEik=";
+ allowedIPs = [ "10.13.12.4/32" ]; }
+ { publicKey = "cPvj0SPITg1twz3DprtQgehJDOAhOL/hnXlB5ZS6Fi4=";
+ endpoint = "85.119.82.108:51820";
+ allowedIPs = [ "10.172.171.0/24" ]; }
+ # { publicKey = "oQZ3fcb9LsnQj8sDYLHf1+hodnW4XEhsM0rNBgHROz8=";
+ # allowedIPs = [ "10.172.171.2/32" ]; }
+ ];
+ };
+}
diff --git a/infra/libkookie/overlays/default.nix b/infra/libkookie/overlays/default.nix
index 32ba5d21ed5..c632570bfd4 100644
--- a/infra/libkookie/overlays/default.nix
+++ b/infra/libkookie/overlays/default.nix
@@ -8,6 +8,7 @@ self: super: {
 barrel-blog = self.callPackage ./kookie/barrel-blog { inherit (super); };
+ brook-frontend = self.callPackage ./kookie/brook-frontend { inherit (super); };
 invoice = self.callPackage ./kookie/invoice { inherit (super); };
 spacekookie-de = self.callPackage ./kookie/spacekookie-de { inherit (super); };
 libkookie-emacs = self.callPackage ./kookie/emacs { inherit (super); };
diff --git a/infra/libkookie/overlays/kookie/brook-frontend/default.nix b/infra/libkookie/overlays/kookie/brook-frontend/default.nix
new file mode 100644
index 00000000000..6d8c8a1a174
--- /dev/null
+++ b/infra/libkookie/overlays/kookie/brook-frontend/default.nix
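Review bot: WireGuard speaks UDP only, so `networking.firewall.allowedTCPPorts = [ listenPort ];` opens a TCP port nothing listens on and leaves 51820/udp closed for the three peers that have no `endpoint` and must dial in; the line should read `networking.firewall.allowedUDPPorts = [ listenPort ];`. The peer with `endpoint = "85.119.82.108:51820"` works either way because the host initiates that handshake, which may be why the mistake went unnoticed.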
@@ -0,0 +1,22 @@
+{ stdenv, lib }:
+
+stdenv.mkDerivation rec {
+ name = "brook-frontend";
+
+ src = ./.;
+
+ buildPhase = ''
+
+ '';
+
+ installPhase = ''
+ mkdir $out
+ '';
+
+ meta = with stdenv.lib; {
+ description = "The brook streaming web frontend";
+ homepage = "https://git.spacekookie.de/kookienomicon/apps/servers/brook";
+ license = licenses.agpl3;
+ };
+}
+
diff --git a/infra/libkookie/overlays/kookie/spacekookie-de/default.nix b/infra/libkookie/overlays/kookie/spacekookie-de/default.nix
index 38ac94dbf55..f010368cf95 100644
--- a/infra/libkookie/overlays/kookie/spacekookie-de/default.nix
+++ b/infra/libkookie/overlays/kookie/spacekookie-de/default.nix
@@ -9,11 +9,12 @@ stdenv.mkDerivation rec {
 sha256 = "0414351da5hy1096lrmmpm2jwdrxb8j5v59ccz6ayzpv1vwxk5qd";
 };
- buildInputs = with python3Packages; [ pelican webassets markdown ];
+ buildInputs = with python3Packages; [ webassets markdown ];
 installPhase = ''
- pelican content
- cp -rv output $out
+ #pelican content
+ #cp -rv output $out
+ mkdir $out
 '';
 meta = with stdenv.lib; {
diff --git a/infra/libkookie/roots/hyperion.nix b/infra/libkookie/roots/hyperion.nix
new file mode 100644
index 00000000000..03955e62c3b
--- /dev/null
+++ b/infra/libkookie/roots/hyperion.nix
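Review bot: `meta = with stdenv.lib; {` uses the `stdenv.lib` alias while `lib` is already taken in the function arguments and never used; `meta = with lib; {` is the current idiom. `rec` on the derivation is unused, and `src = ./.;` combined with an empty `buildPhase` and `installPhase = ''mkdir $out''` yields an empty package that the brook vhost in this commit serves as its document root; a `# placeholder: frontend build not imported yet` comment would make that state explicit rather than leaving it to be discovered at runtime.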
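Review bot: Commenting out `pelican content` and replacing the copy with `mkdir $out` turns the package into an empty directory, so the blog vhost added in this commit (`root = pkgs.spacekookie-de`) serves nothing at `/` until the build is restored. If this is a temporary workaround the reason pelican was dropped belongs in a comment next to the disabled lines, e.g. `# TODO: pelican build disabled during migration; site is served empty until restored`; otherwise the `#pelican content` lines are dead code and should be deleted. The enclosing `stdenv.mkDerivation rec { ... }` begins and ends outside this hunk.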
@@ -0,0 +1,110 @@
+/* TOP LEVEL DEVICE CONFIGURATION FOR
+ *
+ * hyperion (hetzner root server)
+ *
+ *
+ * This file is part of LIBKOOKIE, a collection of nix expressions.
+ * LIBKOOKIE is licensed under the GPL-3.0 (or later) -- see LICENSE
+ */
+
+{ lib, config, pkgs, ... } @ args:
+
+let klib = (import ) args;
+in
+{
+ ###################################################################
+ # libkookie configuration
+ #
+ #
+ #
+
+ imports = with klib; [
+ # Load base modules required to bootstrap libkookie
+
+
+ (loadModule "default")
+
+
+
+
+
+
+
+
+
+
+
+
+ ];
+
+ # TODO: build a klib function to patch cfg here
+ libkookie.activeUsers = with klib; [ (load )
+ (load ) ];
+
+
+ #
+ #
+ #
+ #
+ ###################################################################
+
+ boot.zfs.devNodes = "/dev";
+ boot.loader.grub = {
+ enable = true;
+ copyKernels = true;
+ version = 2;
+
+ efiSupport = false;
+ zfsSupport = true;
+ device = "/dev/sdb";
+ };
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "tank/nix";
+ fsType = "zfs";
+ };
+
+ swapDevices = [ { device = "/dev/zd0"; } ];
+
+ nix.maxJobs = lib.mkDefault 8;
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ networking = {
+ defaultGateway = "95.216.98.1";
+ defaultGateway6 = { address = "fe80::1"; interface = "enp0s31f6"; };
+ nameservers = [ "1.1.1.1" ];
+ interfaces.enp0s31f6 = {
+ ipv4.addresses = [ { address = "95.216.98.55"; prefixLength = 26; } ];
+ ipv6.addresses = [ { address = "2a01:4f9:2b:1148::"; prefixLength = 64; } ];
+ };
+ dhcpcd.enable = false; # We have a static IP
+ useDHCP = false;
+ };
+
+ networking.hostName = "hyperion"; # Define your hostname.
+ networking.hostId = "d83bebd1";
+
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "intranet" ];
+
+ time.timeZone = "Europe/Berlin";
+
+ # Tools that are impotant for everybody to have
+ environment.systemPackages = with pkgs; [
+ curl git htop kakoune links tmux vim wget wireguard
+ ];
+
+ programs.zsh.enable = true;
+
+ services.zfs.autoScrub.enable = true;
+
+ users.groups.tls = {};
+
+ system.stateVersion = "19.03"; # Did you read the comment?
+}
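Review bot: `networking.nat.externalInterface = "eth0";` names an interface this host does not have; the only NIC configured in the file is `enp0s31f6` (see `interfaces.enp0s31f6` and `defaultGateway6.interface` above), so the masquerade rule for the `intranet` interface is attached to a non-existent device and WireGuard peers get no egress. The fix is `networking.nat.externalInterface = "enp0s31f6";`. `nameservers = [ "1.1.1.1" ]` leaves the host with a single resolver and no fallback, which is worth a second entry or a comment explaining the choice. The `(import )` and `(load )` calls appear on this page with their path arguments missing; if that is not a rendering artefact the file does not evaluate.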