From d73239251c7382554cf067e18105ed41e6eecd8b Mon Sep 17 00:00:00 2001
From: Jordan Holt
Date: Sun, 24 Dec 2023 13:03:38 +0000
Subject: [PATCH] Initial vps1 config migration
---
flake.nix | 23 ++-
hosts/vps1/README.md | 17 +++
hosts/vps1/default.nix | 195 ++++++++++++++++++++++++++
hosts/vps1/hardware-configuration.nix | 26 ++++
4 files changed, 255 insertions(+), 6 deletions(-)
create mode 100644 hosts/vps1/README.md
create mode 100644 hosts/vps1/default.nix
create mode 100644 hosts/vps1/hardware-configuration.nix
diff --git a/flake.nix b/flake.nix
index 4ede44b..f41058b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -68,16 +68,27 @@
 helios = nixosSystem { system = "x86_64-linux"; name = "helios"; };
 odyssey = nixosSystem { system = "x86_64-linux"; name = "odyssey"; };
 pi = nixosSystem { system = "aarch64-linux"; name = "pi"; extraModules = [ nixos-hardware.nixosModules.raspberry-pi-4 ]; };
+ vps1 = nixosSystem { system = "x86_64-linux"; name = "vps1"; };
 };
- deploy.nodes.pi = {
- hostname = "10.0.1.191";
- sshUser = "root";
-
- profiles.system = {
+ deploy.nodes = {
+ pi = {
+ hostname = "10.0.1.191";
+ sshUser = "jordan";
 user = "root";
- path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi;
+
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi;
+ };
 };
+ vps1 = {
+ magicRollback = true;
+ autoRollback = true;
+ hostname = "vps1.mesh.vimium.net";
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vps1;
 };
 # checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
diff --git a/hosts/vps1/README.md b/hosts/vps1/README.md
new file mode 100644
index 0000000..a87c2b7
--- /dev/null
+++ b/hosts/vps1/README.md
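Review bot: The new side of this hunk looks brace-imbalanced: the `@@ -68,16 +68,27 @@` counts (17 added, 10 context) leave only two context `};` lines after the vps1 `path` entry, and those close `pi` and vps1's `profiles.system`, so `vps1 = {` and `deploy.nodes = {` are never closed and the flake should fail to parse unless a line outside the hunk also changed. Two added lines directly after the context `};` that follows the vps1 `path` entry, `+    };` (closing `vps1`) and `+  };` (closing `deploy.nodes`), would restore the structure; with the `# checks` line still commented out nothing in `nix flake check` exercises the deploy tree, though any evaluation of the flake would surface a parse error before a deploy. The vps1 node also sets no `sshUser` while `pi` is moved from `root` to `jordan` in the same hunk, so vps1 falls back to whatever deploy-rs defaults to — worth confirming that is the intended account, since the new host config only installs an authorized key for `root`.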
@@ -0,0 +1,17 @@
+# vps1
+
+## Overview
+VPS hosted in OVH.
+
+## Specs
+* CPU - ??
+* Memory - ??
+
+### Disks
+Device | Partitions _(filesystem, usage)_
+--- | ---
+NVMe | `/dev/sda1` (ext4, NixOS Root)
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `vps1.mesh.vimium.net`.
diff --git a/hosts/vps1/default.nix b/hosts/vps1/default.nix
new file mode 100644
index 0000000..238b9f5
--- /dev/null
+++ b/hosts/vps1/default.nix
@@ -0,0 +1,195 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../server.nix
+ ];
+
+ networking = {
+ hostId = "???";
+ hostName = "vps1";
+ domain = "mesh.vimium.net";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22 # SSH
+ 8448 # Matrix federation
+ 80 # HTTP
+ 443 # HTTPS
+ 5349 # STUN TLS
+ 5350 # STUN TLS alt
+ ];
+ allowedUDPPortRanges = [
+ { from = 49152; to = 49999; } # TURN relay
+ ];
+ };
+ };
+
+ users.users = {
+ git = {
+ isSystemUser = true;
+ useDefaultShell = true;
+ group = "git";
+ extraGroups = [ "gitea" ];
+ home = config.services.gitea.stateDir;
+ };
+ jellyfin = {
+ isSystemUser = true;
+ group = "jellyfin";
+ shell = "/bin/sh";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaaS+KMAEAymZhIJGC4LK8aMhUzhpmloUgvP2cxeBH4 jellyfin"
+ ];
+ };
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
+ ];
+ };
+ };
+
+ users.groups = {
+ git = { };
+ jellyfin = { };
+ };
+
+ age.secrets."passwords/services/borg/vps1-passphrase" = {
+ file = "${inputs.secrets}/passwords/services/borg/vps1-passphrase.age";
+ };
+
+ services.borgmatic = {
+ enable = true;
+ settings = {
+ source_directories = [
+ "/home"
+ "/var/lib"
+ "/var/www"
+ ];
+ repositories = [
+ { label = "borgbase"; path = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo"; }
+ ];
+ storage = {
+ encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/vps1-passphrase".path}";
+ ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+ };
+ retention = {
+ keep_daily = 7;
+ keep_weekly = 4;
+ keep_monthly = 6;
+ };
+ };
+ };
+
+ # Without this override, `cat` is unavailable for `encryption_passcommand`
+ systemd.services.borgmatic.confinement.fullUnit = true;
+
+ age.secrets."passwords/services/coturn/shared-secret" = {
+ file = "${inputs.secrets}/passwords/services/coturn/shared-secret.age";
+ };
+
+ services.coturn = {
+ enable = true;
+ lt-cred-mech = true;
+ use-auth-secret = true;
+ static-auth-secret = "???";
+ realm = "turn.vimium.com";
+ relay-ips = [
+ "198.244.190.160"
+ ];
+ no-tcp-relay = true;
+ extraConfig = ''
+ cipher-list="HIGH"
+ no-loopback-peers
+ no-multicast-peers
+ '';
+ secure-stun = true;
+ cert = "/var/lib/acme/turn.vimium.com/fullchain.pem";
+ pkey = "/var/lib/acme/turn.vimium.com/key.pem";
+ min-port = 49152;
+ max-port = 49999;
+ };
+
+ services.gitea = rec {
+ package = pkgs.gitea;
+ enable = true;
+ user = "git";
+ appName = "Vimium Git";
+ stateDir = "/var/lib/gitea";
+ repositoryRoot = "${stateDir}/repositories";
+ database = {
+ type = "sqlite3";
+ inherit user;
+ path = "${stateDir}/gitea.db";
+ };
+ lfs = {
+ enable = true;
+ contentDir = "${stateDir}/lfs";
+ };
+ settings = {
+ server = {
+ SSH_USER = "git";
+ SSH_DOMAIN = "git.vimium.com";
+ SSH_PORT = lib.head config.services.openssh.ports;
+ OFFLINE_MODE = true;
+ PROTOCOL = "http+unix";
+ DOMAIN = config.networking.domain;
+ ROOT_URL = "https://git.vimium.com/";
+ };
+ service.DISABLE_REGISTRATION = true;
+ session.COOKIE_SECURE = true;
+ log.ROOT_PATH = "${stateDir}/log";
+ ui = {
+ THEMES = "gitea,arc-green,github-dark,bthree-dark";
+ DEFAULT_THEME = "github-dark";
+ };
+ actions.ENABLED = true;
+ indexer = {
+ REPO_INDEXER_ENABLED = true;
+ };
+ packages.CHUNKED_UPLOAD_PATH = lib.mkForce "${stateDir}/data/tmp/package-upload";
+ };
+ };
+
+ services.headscale = {
+ enable = true;
+ port = 8080;
+ settings = {
+ server_url = "https://headscale.vimium.net";
+ dns_config = {
+ base_domain = "vimium.net";
+ };
+ logtail.enabled = false;
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ database.name = "sqlite3";
+ enable_registration = false;
+ server_name = "vimium.com";
+ turn_shared_secret = "???";
+ turn_uris = [
+ "turn:turn.vimium.com:5349?transport=udp"
+ "turn:turn.vimium.com:5350?transport=udp"
+ "turn:turn.vimium.com:5349?transport=tcp"
+ "turn:turn.vimium.com:5350?transport=tcp"
+ ];
+ };
+ };
+
+ services.tailscale.enable = true;
+ networking.firewall = {
+ checkReversePath = "loose";
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ config.services.headscale.package
+ ];
+
+ system.stateVersion = "22.11";
+}
+
diff --git a/hosts/vps1/hardware-configuration.nix b/hosts/vps1/hardware-configuration.nix
new file mode 100644
index 0000000..1f79513
--- /dev/null
+++ b/hosts/vps1/hardware-configuration.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ kernelModules = [ "nvme" ];
+ };
+ loader.grub.device = "/dev/sda";
+ tmp.cleanOnBoot = true;
+ };
+
+ zramSwap.enable = true;
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+ };
+}
+