author | Mx Kookie <kookie@spacekookie.de> | 2020-12-25 17:55:09 +0100 |
committer | Mx Kookie <kookie@spacekookie.de> | 2020-12-25 17:56:00 +0100 |
commit | 2757a4e9d5cd44b1d0ef6f9faf4e00f2d332ea4a (patch) | |
tree | 6f7faf572776ca9e13b04908d3fe85662355a1f5 /infra/libkookie/configuration | |
parent | 2550dbda72172ffa298e359f0151d9a2c597dae4 (diff) |
libkookie: gaia: import previous configuration
Diffstat (limited to 'infra/libkookie/configuration')
8 files changed, 247 insertions, 0 deletions
diff --git a/infra/libkookie/configuration/server/acme/gaia.nix b/infra/libkookie/configuration/server/acme/gaia.nix
new file mode 100644
index 000000000000..96d25c1162aa
--- /dev/null
+++ b/infra/libkookie/configuration/server/acme/gaia.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+
+{
+ # HACK (doesn't work): solution to failing ACME services due to
+ # failing DNS // See: https://github.com/NixOS/nixpkgs/issues/106862
+ systemd.services."acme-fixperms".wants = [ "bind.service" ];
+ systemd.services."acme-fixperms".after = [ "bind.service" ];
+
+ security.acme.acceptTerms = true;
+ security.acme.certs."alarei.kookie.space" = {
+ email = "letsencrypt@spacekookie.de";
+ webroot = "/var/lib/acme/acme-challenge";
+ extraDomainNames = [
+ "kookiejar.tech"
+ "media.kookiejar.tech"
+ "media.alarei.kookie.space"
+ "sync.kookiejar.tech"
+ "sync.alarei.kookie.space"
+ "cloud.kookiejar.tech"
+ "could.alarei.kookie.space"
+ "music.kookiejar.tech"
+ "music.alarei.kookie.space"
+ ];
+ group = "nginx";
+ };
+
+ users.users.nginx.extraGroups = [ "core" ];
+
+ services.nginx.clientMaxBodySize = "2048M";
+}
diff --git a/infra/libkookie/configuration/server/datacore/default.nix b/infra/libkookie/configuration/server/datacore/default.nix
new file mode 100644
index 000000000000..34b1e671e8c4
--- /dev/null
+++ b/infra/libkookie/configuration/server/datacore/default.nix
@@ -0,0 +1,11 @@
+/** A special module to handle the datacore zfs storage
+ *
+ * Sets up special archive modes for ZFS and tools to manage the
+ * encrypted data sets.
+ *
+ */
+{ config, ... }:
+
+{
+ users.groups.core = {};
+}
diff --git a/infra/libkookie/configuration/server/ferm2/gaia.nix b/infra/libkookie/configuration/server/ferm2/gaia.nix
new file mode 100644
index 000000000000..2fa6ad5fe63c
--- /dev/null
+++ b/infra/libkookie/configuration/server/ferm2/gaia.nix
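Review bot: `extraDomainNames` lists `"could.alarei.kookie.space"`, which looks like a typo of `cloud.alarei.kookie.space`, the alias the nextcloud virtual host in this same commit serves under `useACMEHost = "alarei.kookie.space"`. As written the certificate will not cover the alias nginx actually answers for, and if no DNS record exists for the misspelled name the ACME order for the whole certificate fails, taking every other SAN down with it. Suggested fix: `"cloud.alarei.kookie.space"`. A comment on `users.users.nginx.extraGroups = [ "core" ]` stating why the web server needs membership in the shared data group would also help, since the same group is handed to jellyfin, nextcloud and syncthing elsewhere in this commit.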
@@ -0,0 +1,64 @@
+/** Custom ferm2 configuration on gaia
+ *
+ * This set of configuration options is required to make the wireguard
+ * uplink to osmos.pbb.dev work. It does so by tagging all packets
+ * coming in over a particular interface (public-ip) with a mark, and
+ * then sorts replies to these connections into a special firewall
+ * table to send them out over this link again as well.
+ *
+ * This module assumes that wireguard is enabled and configured
+ */
+
+{ config, ... }:
+
+{
+ # Main firewall configuration
+ services.ferm2 = {
+ enable = true;
+ extraConfig = ''
+ table mangle {
+ chain PREROUTING {
+ # Mark all connections coming in from public-ip with mark 1312
+ interface public-ip CONNMARK set-mark 1312;
+ }
+
+ chain OUTPUT {
+ # Mark all packets that are responses to incoming public-ip
+ # connetions with mark 1312 (we can filter this in the fw later)
+ CONNMARK restore-mark;
+ }
+ }
+ '';
+ };
+
+ # Additional ip commands to configure the firewall
+ #
+ # FIXME: create a firewall module that wraps around this
+ networking.localCommands = ''
+ set -x
+ ip -6 rule flush
+ ip -4 rule flush
+ ip -6 rule add lookup main prio 32000
+ ip -4 rule add lookup main prio 32000
+
+ # Take packets with fwmark and sort it into 1312 table
+ ip -6 rule add from all fwmark 1312 lookup 1312 pref 9000
+ ip -4 rule add from all fwmark 1312 lookup 1312 pref 9000
+ '';
+
+ networking.wireguard.interfaces."public-ip" = {
+ ips = [ "2a0f:4ac0::18" "195.39.247.18" ];
+ privateKeyFile = "/var/lib/wireguard/keys/milan.private";
+ allowedIPsAsRoutes = true;
+ table = "1312";
+ postSetup = "ip link set dev public-ip mtu 1500";
+ peers = [
+ { publicKey = "kih/GnR4Bov/DM/7Rd21wK+PFQRUNH6sywVuNKkUAkk=";
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ # TODO: Currently telecom ipv6 handling is broken
+ # endpoint = "2a01:581:1:9::1:51820";
+ endpoint = "62.176.250.82:51820";
+ persistentKeepalive = 25; }
+ ];
+ };
+}
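Review bot: The header comment says `This module assumes that wireguard is enabled and configured`, but the file itself defines `networking.wireguard.interfaces."public-ip"` further down, so the sentence is stale and should be replaced with something like `This module also defines the public-ip wireguard interface the marks are routed over`. In `networking.localCommands`, `ip -6 rule flush` / `ip -4 rule flush` clear every policy-routing rule on the host, not only the ones this file owns, and then restore only `main` and the fwmark rule; any rule added by another module would be silently lost on each run, so consider deleting just the rules at `pref 9000` and `prio 32000` before re-adding them. `set -x` also echoes every command into the journal, which reads as a debugging leftover rather than an intended part of a permanent config. Minor: `connetions` in the OUTPUT chain comment should read `connections`.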
diff --git a/infra/libkookie/configuration/server/jellyfin/default.nix b/infra/libkookie/configuration/server/jellyfin/default.nix
new file mode 100644
index 000000000000..b1ad60a98bb7
--- /dev/null
+++ b/infra/libkookie/configuration/server/jellyfin/default.nix
@@ -0,0 +1,45 @@
+{ config, lib, ... }:
+
+{
+ # Default port should be 8096
+ services.jellyfin = {
+ enable = true;
+ group = "core";
+ };
+
+ # Required for chromecast stuff...
+ networking.firewall.allowedTCPPorts = [ 8096 ];
+
+ # Give jellyfin "core" group
+ users.users.jellyfin.extraGroups = [ "core" ];
+
+ # Enable nginx if not already
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."media.kookiejar.tech" = {
+ serverAliases = [ "media.alarei.kookie.space" "kookiejar.tech" ];
+ useACMEHost = "alarei.kookie.space";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ };
+
+ locations."/socket" = {
+ proxyPass = "http://127.0.0.1:8096";
+ extraConfig = ''
+ # global proxy conf
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host:$server_port;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ # websocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ '';
+ };
+ };
+
+}
diff --git a/infra/libkookie/configuration/server/nextcloud/default.nix b/infra/libkookie/configuration/server/nextcloud/default.nix
new file mode 100644
index 000000000000..545046916599
--- /dev/null
+++ b/infra/libkookie/configuration/server/nextcloud/default.nix
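Review bot: `networking.firewall.allowedTCPPorts = [ 8096 ]` opens Jellyfin's plain-HTTP port on every interface, so, assuming Jellyfin keeps its default bind address, the `forceSSL` front on `media.kookiejar.tech` is bypassable by talking to port 8096 directly. If the Chromecast use case only needs LAN access, limit the opening to that interface with `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 8096 ];` (the interface name is not visible in this commit) and state that reason in the comment instead of `Required for chromecast stuff...`. Separately, the `X-Real-IP` / `X-Forwarded-*` headers are only set for `locations."/socket"`; `locations."/"` passes none of them, so Jellyfin sees every non-websocket request as coming from 127.0.0.1, which hides the real client address from its logs and any address-based controls it applies. Setting `recommendedProxySettings = true;` on `services.nginx`, or moving the header block to the vhost's `extraConfig`, would cover both locations.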
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."cloud.kookiejar.tech" = {
+ serverAliases = [ "cloud.alarei.kookie.space"];
+ useACMEHost = "alarei.kookie.space";
+ forceSSL = true;
+ };
+
+ # Give nextcloud "core" group
+ users.users.nextcloud.extraGroups = [ "core" ];
+
+ # Enable nextcloud and php settings
+ services.phpfpm.phpPackage = pkgs.php73;
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud19;
+ hostName = "cloud.kookiejar.tech";
+ https = true;
+ autoUpdateApps.enable = true;
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ adminpassFile = "/var/lib/nextcloud.admin.pw";
+ adminuser = "spacekookie";
+ };
+ home = "/datacore/cloud";
+ };
+
+ # Setup postgres (currently only used by nextcloud)
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+}
diff --git a/infra/libkookie/configuration/server/openssh/default.nix b/infra/libkookie/configuration/server/openssh/default.nix
new file mode 100644
index 000000000000..df15b7128b6d
--- /dev/null
+++ b/infra/libkookie/configuration/server/openssh/default.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+
+{
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ passwordAuthentication = false;
+
+ # Required for root
+ extraConfig = ''
+ Match Address 127.0.0.1
+ PermitRootLogin yes
+ '';
+ };
+
+ # Also enable mosh because /shrug
+ programs.mosh.enable = true;
+}
diff --git a/infra/libkookie/configuration/server/syncthing/default.nix b/infra/libkookie/configuration/server/syncthing/default.nix
new file mode 100644
index 000000000000..10287d88fa42
--- /dev/null
+++ b/infra/libkookie/configuration/server/syncthing/default.nix
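Review bot: The nginx virtual host answers for `cloud.alarei.kookie.space` via `serverAliases`, but `services.nextcloud` only knows `hostName = "cloud.kookiejar.tech"`, so requests arriving under the alias are likely to be rejected by Nextcloud's trusted-domain check; if the alias is meant to work, add `extraTrustedDomains = [ "cloud.alarei.kookie.space" ];` to the `config` block. `autoUpdateApps.enable = true` pulls app updates from the Nextcloud app store unattended, which is a supply-chain trade-off worth a one-line comment such as `# apps update without review; core stays pinned to nextcloud19` so the next reader knows it was intended. `pkgs.php73` and `pkgs.nextcloud19` are pinned without a stated reason; a comment naming the compatibility constraint would make future upgrades safer. Minor: `[ "cloud.alarei.kookie.space"]` is missing the closing space the other lists in this commit use.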
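Review bot: The `Match Address 127.0.0.1` block raises `PermitRootLogin` to `yes` for loopback connections, and the comment `# Required for root` does not say what needs it; replace it with the concrete reason (for example which local tool connects as root over ssh). Note that `passwordAuthentication = false` does not cover PAM keyboard-interactive logins, which the NixOS openssh module of that period enabled by default through `challengeResponseAuthentication` as far as I recall, so root password logins over loopback may still be possible; if key-based root access is all that is needed, `prohibit-password` already allows it and the Match block can go, otherwise add `challengeResponseAuthentication = false;` alongside it. `# Also enable mosh because /shrug` is not documentation; state what mosh is used for or drop the comment.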
@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+{
+ services.syncthing = {
+ enable = true;
+ user = "spacekookie";
+ group = "core";
+ openDefaultPorts = true;
+ guiAddress = "0.0.0.0:8384";
+ };
+
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."sync.kookiejar.tech" = {
+ serverAliases = [ "sync.alarei.kookie.space" ];
+ useACMEHost = "alarei.kookie.space";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8384";
+ };
+ };
+}
diff --git a/infra/libkookie/configuration/server/wireguard/gaia.nix b/infra/libkookie/configuration/server/wireguard/gaia.nix
new file mode 100644
index 000000000000..0f3768fa9bbe
--- /dev/null
+++ b/infra/libkookie/configuration/server/wireguard/gaia.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+ networking.wireguard.interfaces."intranet" = {
+ ips = [ "10.13.12.2" ];
+ privateKeyFile = "/var/lib/wireguard/keys/private";
+ peers = [
+ { publicKey = "ugHG/NOqM/9hde9EmWpu7XsCpjT3WQbjLK99IGHtdjQ=";
+ allowedIPs = [ "10.13.12.0/24" "10.172.171.0/24" ];
+ endpoint = "hyperion.kookie.space:51820";
+ persistentKeepalive = 25; }
+ ];
+ };
+} |
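Review bot: `guiAddress = "0.0.0.0:8384"` binds the Syncthing GUI and REST API on every interface even though nginx only proxies to `http://127.0.0.1:8384`; `openDefaultPorts = true` does not open 8384 in the NixOS firewall, so today this relies on the firewall alone, and `guiAddress = "127.0.0.1:8384";` removes that dependency. The public virtual host `sync.kookiejar.tech` puts the GUI on the internet with no access restriction in nginx, so the only protection is whatever GUI credentials are configured inside Syncthing itself, which this commit does not show; a comment confirming GUI authentication is enabled, or an nginx-side allow-list on `locations."/"`, would make the intent explicit. Also `lib` is declared in the module arguments but unused, as in the jellyfin and nextcloud modules of this commit.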