

No commits in common. "f86ef0518dae498ce5c170c471c8b35096058879" and "72d0802b67696909f387980a099805686d843de7" have entirely different histories.

6 changed files with 85 additions and 107 deletions


@ -12,7 +12,7 @@
userlistDeny = false; userlistDeny = false;
localUsers = true; localUsers = true;
userlist = ["claire" "manu" "lakeu" "fusil" "stryxion" "nico"]; userlist = ["claire" "manu" "lakeu" "fusil" "stryxion" "nico"];
rsaCertFile = "/var/lib/acme/nyanlout.re/full.pem"; rsaCertFile = "/var/vsftpd/vsftpd.pem";
extraConfig = '' extraConfig = ''
pasv_min_port=64000 pasv_min_port=64000
pasv_max_port=65535 pasv_max_port=65535
@ -59,8 +59,8 @@
}; };
}; };
bindMounts = { bindMounts = {
"/var/lib/acme/nyanlout.re" = { "/var/vsftpd/vsftpd.pem" = {
hostPath = "/var/lib/acme/nyanlout.re"; hostPath = "/var/vsftpd/vsftpd.pem";
}; };
"/mnt/medias" = { "/mnt/medias" = {
hostPath = "/mnt/medias"; hostPath = "/mnt/medias";
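Review bot: The new `rsaCertFile = "/var/vsftpd/vsftpd.pem"` points vsftpd at a static file instead of the ACME-managed `full.pem`, and nothing in this compare renews that file or restarts vsftpd when it changes (the `postRun` line that restarted the vsftpd container is also absent on the new side of the haproxy module), so certificate expiry becomes a manual task. The same path is bind-mounted into the container in the second hunk; if that pem carries the private key next to the certificate, as a single vsftpd `rsa_cert_file` does when no separate key file is configured, its host-side ownership and mode should be limited to the account vsftpd runs as — nothing here shows how it is provisioned. A comment next to `rsaCertFile` such as `# static cert+key, not ACME-managed: rotate by hand before expiry` would make that operational burden visible to the next maintainer.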


@ -1,15 +1,17 @@
self: super: self: super:
{ {
riot-web = super.riot-web.override { riot-web = super.riot-web.override {
conf = { conf = ''
default_hs_url = "https://matrix.nyanlout.re"; {
default_is_url = "https://vector.im"; "default_hs_url": "https://matrix.nyanlout.re",
brand = "Nyanloutre"; "default_is_url": "https://vector.im",
default_theme = "dark"; "brand": "Nyanloutre",
integrations_ui_url = "https://dimension.t2bot.io/riot"; "default_theme": "dark",
integrations_rest_url = "https://dimension.t2bot.io/api/v1/scalar"; "integrations_ui_url": "https://dimension.t2bot.io/riot",
integrations_widgets_urls = ["https://dimension.t2bot.io/widgets"]; "integrations_rest_url": "https://dimension.t2bot.io/api/v1/scalar",
integrations_jitsi_widget_url = "https://dimension.t2bot.io/widgets/jitsi"; "integrations_widgets_urls": ["https://dimension.t2bot.io/widgets"],
}; "integrations_jitsi_widget_url": "https://dimension.t2bot.io/widgets/jitsi"
}
'';
}; };
} }
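Review bot: The new `conf` is a hand-written JSON document inside a Nix `''` string, so a stray trailing comma or unbalanced brace only surfaces when riot-web fails to load its config at runtime, whereas the attrset form is checked at evaluation. If the override's `conf` argument expects a string, `conf = builtins.toJSON { … };` keeps the same type while letting Nix emit valid JSON, as sketched below; if it accepts an attrset directly, the string wrapper can go entirely. Either way, a comment naming which nixpkgs signature this overlay targets would help, since the two forms are not interchangeable across releases.
```nix
riot-web = super.riot-web.override {
  # toJSON guarantees well-formed JSON; the attrset is validated by Nix itself
  conf = builtins.toJSON {
    default_hs_url = "https://matrix.nyanlout.re";
    default_is_url = "https://vector.im";
    brand = "Nyanloutre";
    default_theme = "dark";
    integrations_ui_url = "https://dimension.t2bot.io/riot";
    integrations_rest_url = "https://dimension.t2bot.io/api/v1/scalar";
    integrations_widgets_urls = [ "https://dimension.t2bot.io/widgets" ];
    integrations_jitsi_widget_url = "https://dimension.t2bot.io/widgets/jitsi";
  };
};
```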


@ -20,28 +20,23 @@ let
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults defaults
mode http
option forwardfor option forwardfor
option http-server-close option http-server-close
option httplog
option dontlognull
timeout client 10s timeout client 10s
timeout connect 4s timeout connect 4s
timeout server 30s timeout server 30s
timeout tunnel 3600s
errorfile 503 ${./errorfiles/503.html} errorfile 503 ${./errorfiles/503.html}
userlist LOUTRE userlist LOUTRE
user paul password $6$YNjCpiPABu9$.iEp.3BgoswHcX3SMjz1/CiyqFQn/fjnxtT9CWBqQHBKynvK2kh/i62ije0WmCvhKRUhy9gdVbJStM3ciGXnC1 user paul password $6$YNjCpiPABu9$.iEp.3BgoswHcX3SMjz1/CiyqFQn/fjnxtT9CWBqQHBKynvK2kh/i62ije0WmCvhKRUhy9gdVbJStM3ciGXnC1
frontend http-in
bind :::80 v4v6
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl
redirect scheme https code 301 if !letsencrypt-acl
frontend public frontend public
bind :::80 v4v6
bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1 bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
http-response set-header Strict-Transport-Security max-age=15768000 mode http
http-request add-header X-Forwarded-Proto https acl letsencrypt-acl path_beg /.well-known/acme-challenge/
acl haproxy-acl path_beg /haproxy acl haproxy-acl path_beg /haproxy
redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
http-response set-header Strict-Transport-Security max-age=15768000
use_backend letsencrypt-backend if letsencrypt-acl
use_backend haproxy_stats if haproxy-acl use_backend haproxy_stats if haproxy-acl
${concatStrings ( ${concatStrings (
mapAttrsToList (name: value: mapAttrsToList (name: value:
@ -131,7 +126,6 @@ in
}; };
}; };
security.acme.acceptTerms = true;
security.acme.certs = { security.acme.certs = {
${cfg.domaine} = { ${cfg.domaine} = {
extraDomains = mapAttrs' (name: value: extraDomains = mapAttrs' (name: value:
@ -143,7 +137,6 @@ in
group = "acme"; group = "acme";
postRun = '' postRun = ''
systemctl reload haproxy.service systemctl reload haproxy.service
nixos-container run vsftpd -- systemctl restart vsftpd
''; '';
}; };
}; };
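Review bot: On the new side `frontend public` no longer adds `X-Forwarded-Proto https` — the right column of the `http-request add-header` line now holds the `letsencrypt-acl` instead — so backends that build redirect URLs or mark cookies Secure from that header will see plain HTTP even though the client connection was TLS; `http-request set-header X-Forwarded-Proto https if { ssl_fc }` would restore it without claiming HTTPS on the :80 path. The `Strict-Transport-Security` response header is now set on a frontend that also binds :80; browsers ignore HSTS received over plain HTTP (RFC 6797 §8.1), so this is harmless but deserves a comment rather than being a surprise. `security.acme.acceptTerms = true;` is the single removed line of the second hunk; on NixOS releases that require it, certificate issuance fails at evaluation, so this should be a deliberate choice for an older release rather than an accident. Whether `option httplog`, `option dontlognull` and `timeout tunnel 3600s` sit on the old or the new side cannot be read from this rendering; if they were dropped, HTTP access logging on the proxy is lost, which matters for incident investigation.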


@ -33,7 +33,7 @@ in
]; ];
nixpkgs.config.allowUnfree = false; nixpkgs.config.allowUnfree = false;
nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem (builtins.parseDrvName pkg.pname).name [ "factorio-headless" "perl5.30.1-slimserver" "minecraft-server" ]); nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem (builtins.parseDrvName pkg.pname).name [ "factorio-headless" "perl5.30.0-slimserver" "minecraft-server" ]);
services.zfs = { services.zfs = {
autoSnapshot.enable = true; autoSnapshot.enable = true;


@ -262,47 +262,47 @@ in
}; };
}; };
# systemd.services.minecraft-overviewer = systemd.services.minecraft-overviewer =
# let let
# clientJar = pkgs.fetchurl { clientJar = pkgs.fetchurl {
# url = "https://overviewer.org/textures/1.14"; url = "https://overviewer.org/textures/1.14";
# sha256 = "0fij9wac7vj6h0kd3mfhqpn0w9gl8pbs9vs9s085zajm0szpr44k"; sha256 = "0fij9wac7vj6h0kd3mfhqpn0w9gl8pbs9vs9s085zajm0szpr44k";
# name = "client.jar"; name = "client.jar";
# }; };
# configFile = pkgs.runCommand "overviewer-config" { CLIENT_JAR = clientJar; } '' configFile = pkgs.runCommand "overviewer-config" { CLIENT_JAR = clientJar; } ''
# substitute ${./config-overviewer.py} $out \ substitute ${./config-overviewer.py} $out \
# --subst-var CLIENT_JAR --subst-var CLIENT_JAR
# ''; '';
# in in
# { {
# script = '' script = ''
# ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile}
# ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} --genpoi ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} --genpoi
# rm /var/www/minecraft-overviewer/progress.json rm /var/www/minecraft-overviewer/progress.json
# ''; '';
# serviceConfig = { serviceConfig = {
# User = "nginx"; User = "nginx";
# Group = "nginx"; Group = "nginx";
# }; };
# }; };
# systemd.timers.minecraft-overviewer = { systemd.timers.minecraft-overviewer = {
# wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
# timerConfig = { timerConfig = {
# OnCalendar = "*-*-* 04:00:00"; OnCalendar = "*-*-* 04:00:00";
# }; };
# }; };
# systemd.packages = with pkgs; [ systemd.packages = with pkgs; [
# tgt tgt
# ]; ];
# environment.etc."tgt/targets.conf".text = '' environment.etc."tgt/targets.conf".text = ''
# <target iqn.2019-11.nyanlout.re:steam> <target iqn.2019-11.nyanlout.re:steam>
# backing-store /dev/zvol/loutrepool/steam-lun backing-store /dev/zvol/loutrepool/steam-lun
# initiator-address 10.30.50.3 initiator-address 10.30.50.3
# </target> </target>
# ''; '';
users.groups.acme.members = [ "matrix-synapse" ]; users.groups.acme.members = [ "matrix-synapse" ];
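Review bot: The iSCSI target in `environment.etc."tgt/targets.conf"` exposes the `steam-lun` zvol with only `initiator-address 10.30.50.3` as access control; tgt supports CHAP via `incominguser`, and a source-address filter alone is a weak gate on a LAN where addresses can be reassigned. Because `environment.etc.*.text` is rendered into the world-readable Nix store, the CHAP secret should not be inlined here — tgt's config format supports `include`, so a drop-in file outside the store holding `incominguser ISCSI_USER ISCSI_SECRET` (placeholders) is the usual shape. The overviewer unit runs as `User = "nginx"` and deletes `/var/www/minecraft-overviewer/progress.json`, meaning the rendering job and the web server share write access to the served tree; that is probably intended, but a comment saying so, and noting whether `tgtd` itself is enabled elsewhere since only `systemd.packages` is set here, would help. The enclosing attribute set continues outside the hunk.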


@ -2,17 +2,6 @@
with lib; with lib;
#### VHost table ####
# 10000 riot.nyanlout.re
# 10001 factorio.nyanlout.re
# 10002 minecraft.nyanlout.re
# 10003 nyanlout.re
# 10004 musique-meyenheim.fr
# 10005 social.nyanlout.re
# 10006 pgmanage.nyanlout.re
# 10007 maxspiegel.fr
####
let let
domaine = "nyanlout.re"; domaine = "nyanlout.re";
@ -43,16 +32,16 @@ in
"syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; }; "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
"jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; }; "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
"searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; }; "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
"riot.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "riot.nyanlout.re"; auth = false; }; "riot.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "riot"; auth = false; };
"matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; }; "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
"pgmanage.${domaine}" = { ip = "127.0.0.1"; port = config.services.pgmanage.port; auth = true; }; "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = config.services.pgmanage.port; auth = true; };
"gitea.${domaine}" = { ip = "127.0.0.1"; port = config.services.gitea.httpPort; auth = false; }; "gitea.${domaine}" = { ip = "127.0.0.1"; port = config.services.gitea.httpPort; auth = false; };
"ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; }; "ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
"factorio.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "factorio.nyanlout.re"; auth = false; }; "factorio.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "factorio"; auth = false; };
"airsonic.${domaine}" = { ip = "127.0.0.1"; port = 4040; auth = false; }; "airsonic.${domaine}" = { ip = "127.0.0.1"; port = 4040; auth = false; };
"${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "nyanlout.re"; auth = false; }; "${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "wkd"; auth = false; };
"musique-meyenheim.fr" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "musique-meyenheim.fr"; auth = false; }; "musique-meyenheim.fr" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "musique-meyenheim.fr"; auth = false; };
"minecraft.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "minecraft.nyanlout.re"; auth = false; }; "minecraft.${domaine}" = { ip = "127.0.0.1"; port = nginxGetFirstLocalPort "minecraft-overviewer"; auth = false; };
}; };
}; };
@ -60,43 +49,37 @@ in
nginx = { nginx = {
enable = true; enable = true;
recommendedProxySettings = true;
appendHttpConfig = ''
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
'';
virtualHosts = { virtualHosts = {
"riot.nyanlout.re" = { "riot" = {
listen = [ { addr = "127.0.0.1"; port = 10000; } ]; listen = [ { addr = "127.0.0.1"; port = 52345; } ];
locations = { "/" = { root = pkgs.riot-web; }; }; locations = { "/" = { root = pkgs.riot-web; }; };
}; };
"factorio.nyanlout.re" = { "factorio" = {
listen = [ { addr = "127.0.0.1"; port = 10001; } ]; listen = [ { addr = "127.0.0.1"; port = 52351; } ];
locations = { "/" = { root = "/var/www/factorio"; }; }; locations = { "/" = { root = "/var/www/factorio"; }; };
}; };
"minecraft.nyanlout.re" = { "minecraft-overviewer" = {
listen = [ { addr = "127.0.0.1"; port = 10002; } ]; listen = [ { addr = "127.0.0.1"; port = 52354; } ];
locations = { "/" = { root = "/var/www/minecraft-overviewer"; }; }; locations = { "/" = { root = "/var/www/minecraft-overviewer"; }; };
}; };
"nyanlout.re" = { "wkd" = {
listen = [ { addr = "127.0.0.1"; port = 10003; } ]; listen = [ { addr = "127.0.0.1"; port = 52352; } ];
locations = { locations = { "/.well-known/openpgpkey/" = {
"/" = { alias = "/var/lib/gnupg/wks/nyanlout.re";
alias = "/var/www/site-perso/"; extraConfig = ''
}; add_header Access-Control-Allow-Origin * always;
"/.well-known/openpgpkey/" = { '';
alias = "/var/lib/gnupg/wks/nyanlout.re"; }; };
extraConfig = ''
add_header Access-Control-Allow-Origin * always;
'';
};
};
}; };
"musique-meyenheim.fr" = { "musique-meyenheim.fr" = {
listen = [ { addr = "127.0.0.1"; port = 10004; } ]; listen = [ { addr = "127.0.0.1"; port = 52353; } ];
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://unix:/run/site-musique.sock"; proxyPass = "http://unix:/run/site-musique.sock";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
'';
}; };
"/static/" = { "/static/" = {
alias = "/var/www/site-musique/staticfiles/"; alias = "/var/www/site-musique/staticfiles/";
@ -113,7 +96,7 @@ in
pgmanage = { pgmanage = {
enable = true; enable = true;
port = 10006; port = 52347;
connections = { connections = {
localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres"; localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
}; };
@ -143,7 +126,7 @@ in
site-max = { site-max = {
enable = true; enable = true;
port = 10007; port = 52348;
domaine = "maxspiegel.fr"; domaine = "maxspiegel.fr";
}; };
}; };
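Review bot: The virtualHosts keys are now short names (`"riot"`, `"factorio"`, `"minecraft-overviewer"`, `"wkd"`), and with NixOS nginx the attribute name becomes the `server_name`, which no client Host header will match; this works only because each vhost is alone on its `127.0.0.1` port and nginx falls back to the first server on a port, an invariant the code does not state. Setting `default = true;` on each of these per-port vhosts, or a one-line comment that haproxy selects by port via `nginxGetFirstLocalPort` and the names are labels only, would make that explicit and survive a later second vhost on the same port. This rendering does not show which side `recommendedProxySettings`, the `set_real_ip_from 127.0.0.1` block and the `proxy_set_header` lines in the site-musique location belong to; if they are gone on the new side, nginx will log and forward `127.0.0.1` rather than the client address that haproxy's `option forwardfor` supplies, so please confirm. The file's `let` header and the closing of the `services` set lie outside the hunks shown.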