authorMx Kookie <kookie@spacekookie.de>2020-12-25 17:55:09 +0100
committerMx Kookie <kookie@spacekookie.de>2020-12-25 17:56:00 +0100
commit2757a4e9d5cd44b1d0ef6f9faf4e00f2d332ea4a (patch)
tree6f7faf572776ca9e13b04908d3fe85662355a1f5 /infra/libkookie/configuration
parent2550dbda72172ffa298e359f0151d9a2c597dae4 (diff)
libkookie: gaia: import previous configuration
Diffstat (limited to 'infra/libkookie/configuration')
-rw-r--r--infra/libkookie/configuration/server/acme/gaia.nix30
-rw-r--r--infra/libkookie/configuration/server/datacore/default.nix11
-rw-r--r--infra/libkookie/configuration/server/ferm2/gaia.nix64
-rw-r--r--infra/libkookie/configuration/server/jellyfin/default.nix45
-rw-r--r--infra/libkookie/configuration/server/nextcloud/default.nix44
-rw-r--r--infra/libkookie/configuration/server/openssh/default.nix18
-rw-r--r--infra/libkookie/configuration/server/syncthing/default.nix21
-rw-r--r--infra/libkookie/configuration/server/wireguard/gaia.nix14
8 files changed, 247 insertions, 0 deletions
diff --git a/infra/libkookie/configuration/server/acme/gaia.nix b/infra/libkookie/configuration/server/acme/gaia.nix
new file mode 100644
index 000000000000..96d25c1162aa
--- /dev/null
+++ b/infra/libkookie/configuration/server/acme/gaia.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+
+{
+ # HACK (doesn't work): solution to failing ACME services due to
+ # failing DNS // See: https://github.com/NixOS/nixpkgs/issues/106862
+ systemd.services."acme-fixperms".wants = [ "bind.service" ];
+ systemd.services."acme-fixperms".after = [ "bind.service" ];
+
+ security.acme.acceptTerms = true;
+ security.acme.certs."alarei.kookie.space" = {
+ email = "letsencrypt@spacekookie.de";
+ webroot = "/var/lib/acme/acme-challenge";
+ extraDomainNames = [
+ "kookiejar.tech"
+ "media.kookiejar.tech"
+ "media.alarei.kookie.space"
+ "sync.kookiejar.tech"
+ "sync.alarei.kookie.space"
+ "cloud.kookiejar.tech"
+ "could.alarei.kookie.space"
+ "music.kookiejar.tech"
+ "music.alarei.kookie.space"
+ ];
+ group = "nginx";
+ };
+
+ users.users.nginx.extraGroups = [ "core" ];
+
+ services.nginx.clientMaxBodySize = "2048M";
+}
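Review bot: `"could.alarei.kookie.space"` in `extraDomainNames` looks like a typo for `"cloud.alarei.kookie.space"`, which is the alias the nextcloud vhost added in this same commit actually serves; as written the certificate will not cover the real alias, and the order carries a name that presumably has no DNS record, which would make validation of the whole certificate fail rather than just that one SAN. Change the line to `"cloud.alarei.kookie.space"`. Separately, `services.nginx.clientMaxBodySize = "2048M";` is an nginx setting living in the ACME module; a one-line comment naming the service that needs the 2048M limit, or moving it next to that service, would make the intent clear. The `HACK` comment already says the bind ordering workaround does not work, so a pointer to what actually unblocks ACME on this host (or removing the two `systemd.services."acme-fixperms"` lines) would keep the file honest.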
diff --git a/infra/libkookie/configuration/server/datacore/default.nix b/infra/libkookie/configuration/server/datacore/default.nix
new file mode 100644
index 000000000000..34b1e671e8c4
--- /dev/null
+++ b/infra/libkookie/configuration/server/datacore/default.nix
@@ -0,0 +1,11 @@
+/** A special module to handle the datacore zfs storage
+ *
+ * Sets up special archive modes for ZFS and tools to manage the
+ * encrypted data sets.
+ *
+ */
+{ config, ... }:
+
+{
+ users.groups.core = {};
+}
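Review bot: The header comment promises "special archive modes for ZFS and tools to manage the encrypted data sets", but the module body only declares `users.groups.core = {};`, so the documentation over-describes what is here. Either trim the comment to what the module does, e.g. `/** Shared "core" group for services that access the datacore ZFS storage */`, or mark the ZFS/tooling part as a TODO so a reader does not go looking for configuration that does not exist.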
diff --git a/infra/libkookie/configuration/server/ferm2/gaia.nix b/infra/libkookie/configuration/server/ferm2/gaia.nix
new file mode 100644
index 000000000000..2fa6ad5fe63c
--- /dev/null
+++ b/infra/libkookie/configuration/server/ferm2/gaia.nix
@@ -0,0 +1,64 @@
+/** Custom ferm2 configuration on gaia
+ *
+ * This set of configuration options is required to make the wireguard
+ * uplink to osmos.pbb.dev work. It does so by tagging all packets
+ * coming in over a particular interface (public-ip) with a mark, and
+ * then sorts replies to these connections into a special firewall
+ * table to send them out over this link again as well.
+ *
+ * This module assumes that wireguard is enabled and configured
+ */
+
+{ config, ... }:
+
+{
+ # Main firewall configuration
+ services.ferm2 = {
+ enable = true;
+ extraConfig = ''
+ table mangle {
+ chain PREROUTING {
+ # Mark all connections coming in from public-ip with mark 1312
+ interface public-ip CONNMARK set-mark 1312;
+ }
+
+ chain OUTPUT {
+ # Mark all packets that are responses to incoming public-ip
+ # connetions with mark 1312 (we can filter this in the fw later)
+ CONNMARK restore-mark;
+ }
+ }
+ '';
+ };
+
+ # Additional ip commands to configure the firewall
+ #
+ # FIXME: create a firewall module that wraps around this
+ networking.localCommands = ''
+ set -x
+ ip -6 rule flush
+ ip -4 rule flush
+ ip -6 rule add lookup main prio 32000
+ ip -4 rule add lookup main prio 32000
+
+ # Take packets with fwmark and sort it into 1312 table
+ ip -6 rule add from all fwmark 1312 lookup 1312 pref 9000
+ ip -4 rule add from all fwmark 1312 lookup 1312 pref 9000
+ '';
+
+ networking.wireguard.interfaces."public-ip" = {
+ ips = [ "2a0f:4ac0::18" "195.39.247.18" ];
+ privateKeyFile = "/var/lib/wireguard/keys/milan.private";
+ allowedIPsAsRoutes = true;
+ table = "1312";
+ postSetup = "ip link set dev public-ip mtu 1500";
+ peers = [
+ { publicKey = "kih/GnR4Bov/DM/7Rd21wK+PFQRUNH6sywVuNKkUAkk=";
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ # TODO: Currently telecom ipv6 handling is broken
+ # endpoint = "2a01:581:1:9::1:51820";
+ endpoint = "62.176.250.82:51820";
+ persistentKeepalive = 25; }
+ ];
+ };
+}
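Review bot: `ip -6 rule flush` and `ip -4 rule flush` in `networking.localCommands` remove every existing policy rule (as far as I know everything except the priority-0 local rule) each time the script runs, so if a later line fails the host is left without a main-table rule, and any rule another module installs is wiped as a side effect. Since the main rule is re-added unchanged, the flush seems to exist only to keep the fwmark rule from being duplicated; deleting just that rule first, e.g. `ip -4 rule del fwmark 1312 lookup 1312 pref 9000 2>/dev/null || true` (and the `-6` twin), and dropping the four flush/`lookup main` lines is idempotent without the connectivity risk. `set -x` echoes every command into the journal; if that was for debugging it can go. Minor: "connetions" in the OUTPUT chain comment, and the header says the module "assumes that wireguard is enabled and configured" although it defines the `public-ip` interface itself, so that sentence could be narrowed to the kernel/module prerequisites.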
diff --git a/infra/libkookie/configuration/server/jellyfin/default.nix b/infra/libkookie/configuration/server/jellyfin/default.nix
new file mode 100644
index 000000000000..b1ad60a98bb7
--- /dev/null
+++ b/infra/libkookie/configuration/server/jellyfin/default.nix
@@ -0,0 +1,45 @@
+{ config, lib, ... }:
+
+{
+ # Default port should be 8096
+ services.jellyfin = {
+ enable = true;
+ group = "core";
+ };
+
+ # Required for chromecast stuff...
+ networking.firewall.allowedTCPPorts = [ 8096 ];
+
+ # Give jellyfin "core" group
+ users.users.jellyfin.extraGroups = [ "core" ];
+
+ # Enable nginx if not already
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."media.kookiejar.tech" = {
+ serverAliases = [ "media.alarei.kookie.space" "kookiejar.tech" ];
+ useACMEHost = "alarei.kookie.space";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ };
+
+ locations."/socket" = {
+ proxyPass = "http://127.0.0.1:8096";
+ extraConfig = ''
+ # global proxy conf
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host:$server_port;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ # websocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ '';
+ };
+ };
+
+}
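Review bot: `networking.firewall.allowedTCPPorts = [ 8096 ];` opens Jellyfin's plain-HTTP port on every interface, so the TLS vhost above is bypassable from anywhere the host is reachable; if the Chromecast use only needs LAN reachability, scoping it with `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 8096 ];` (placeholder interface name) keeps the public side on nginx. The `"/"` location also sets none of the `X-Forwarded-*`/`Host` headers that `"/socket"` sets, so Jellyfin presumably sees 127.0.0.1 as the client for ordinary requests, which affects its logs and any IP-based controls. Setting `services.nginx.recommendedProxySettings = true;` and `proxyWebsockets = true;` on the socket location covers both locations with the module's own header set instead of the hand-written `extraConfig`, provided the nixpkgs pin has those options.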
diff --git a/infra/libkookie/configuration/server/nextcloud/default.nix b/infra/libkookie/configuration/server/nextcloud/default.nix
new file mode 100644
index 000000000000..545046916599
--- /dev/null
+++ b/infra/libkookie/configuration/server/nextcloud/default.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."cloud.kookiejar.tech" = {
+ serverAliases = [ "cloud.alarei.kookie.space"];
+ useACMEHost = "alarei.kookie.space";
+ forceSSL = true;
+ };
+
+ # Give nextcloud "core" group
+ users.users.nextcloud.extraGroups = [ "core" ];
+
+ # Enable nextcloud and php settings
+ services.phpfpm.phpPackage = pkgs.php73;
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud19;
+ hostName = "cloud.kookiejar.tech";
+ https = true;
+ autoUpdateApps.enable = true;
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ adminpassFile = "/var/lib/nextcloud.admin.pw";
+ adminuser = "spacekookie";
+ };
+ home = "/datacore/cloud";
+ };
+
+ # Setup postgres (currently only used by nextcloud)
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+}
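Review bot: Nothing here orders `nextcloud-setup` after PostgreSQL, so on a first boot the setup service can run before the database accepts connections; unless the nextcloud module in this nixpkgs pin already adds the dependency, the NixOS manual's example `systemd.services."nextcloud-setup" = { requires = [ "postgresql.service" ]; after = [ "postgresql.service" ]; };` is the usual fix. `adminpassFile = "/var/lib/nextcloud.admin.pw";` is read from a world-listable directory, so a comment stating the required ownership and mode of that file (readable by the nextcloud user only) would help whoever provisions the host. `services.phpfpm.phpPackage = pkgs.php73;` may not affect the nextcloud pool, which the module configures with its own PHP package, so either a comment on why the global default is set or dropping it would avoid the false impression that it pins Nextcloud's PHP.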
diff --git a/infra/libkookie/configuration/server/openssh/default.nix b/infra/libkookie/configuration/server/openssh/default.nix
new file mode 100644
index 000000000000..df15b7128b6d
--- /dev/null
+++ b/infra/libkookie/configuration/server/openssh/default.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+
+{
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ passwordAuthentication = false;
+
+ # Required for root
+ extraConfig = ''
+ Match Address 127.0.0.1
+ PermitRootLogin yes
+ '';
+ };
+
+ # Also enable mosh because /shrug
+ programs.mosh.enable = true;
+}
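Review bot: The `Match Address 127.0.0.1` / `PermitRootLogin yes` block only changes anything if a password-style method is still enabled, and with `passwordAuthentication = false` that depends on NixOS's default for `challengeResponseAuthentication`, which in this era of nixpkgs is typically on; so this may allow root password login over loopback, and if key-only is the intent `challengeResponseAuthentication = false;` belongs next to `passwordAuthentication`. The comment `# Required for root` does not say what requires it; naming the local tool or job that needs root SSH over loopback is the one thing a future reader cannot reconstruct from the file. Because `extraConfig` is appended and `Match` scopes everything after it, any directive later added to `extraConfig` would silently land inside the Match block, which is worth a short comment.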
diff --git a/infra/libkookie/configuration/server/syncthing/default.nix b/infra/libkookie/configuration/server/syncthing/default.nix
new file mode 100644
index 000000000000..10287d88fa42
--- /dev/null
+++ b/infra/libkookie/configuration/server/syncthing/default.nix
@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+{
+ services.syncthing = {
+ enable = true;
+ user = "spacekookie";
+ group = "core";
+ openDefaultPorts = true;
+ guiAddress = "0.0.0.0:8384";
+ };
+
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."sync.kookiejar.tech" = {
+ serverAliases = [ "sync.alarei.kookie.space" ];
+ useACMEHost = "alarei.kookie.space";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8384";
+ };
+ };
+}
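Review bot: `guiAddress = "0.0.0.0:8384";` binds the Syncthing GUI/API on every interface while nginx only proxies to `127.0.0.1:8384`, so the wider binding buys nothing and leaves a non-TLS listener reachable whenever the firewall does not block 8384 (`openDefaultPorts` does not open it, but nothing here documents that). `guiAddress = "127.0.0.1:8384";` matches the proxy target. The public vhost forwards straight to the GUI with no visible access control, so a comment stating that GUI authentication is configured inside Syncthing itself, or an `basicAuth`/allow-list on the location, would make the exposure explicit.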
diff --git a/infra/libkookie/configuration/server/wireguard/gaia.nix b/infra/libkookie/configuration/server/wireguard/gaia.nix
new file mode 100644
index 000000000000..0f3768fa9bbe
--- /dev/null
+++ b/infra/libkookie/configuration/server/wireguard/gaia.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+ networking.wireguard.interfaces."intranet" = {
+ ips = [ "10.13.12.2" ];
+ privateKeyFile = "/var/lib/wireguard/keys/private";
+ peers = [
+ { publicKey = "ugHG/NOqM/9hde9EmWpu7XsCpjT3WQbjLK99IGHtdjQ=";
+ allowedIPs = [ "10.13.12.0/24" "10.172.171.0/24" ];
+ endpoint = "hyperion.kookie.space:51820";
+ persistentKeepalive = 25; }
+ ];
+ };
+}