From 340ec98c0f0381967092bd52dba94332f0458ec2 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Thu, 13 Jan 2022 13:40:18 +0100
Subject: [PATCH] robi migration
---
nixos/configs/robi/bitwarden.nix | 12 ++
nixos/configs/robi/codimd.nix | 34 +++++
nixos/configs/robi/configuration.nix | 8 +-
nixos/configs/robi/gitea.nix | 33 +++++
nixos/configs/sputnik/configuration.nix | 2 +-
nixos/configs/sputnik/nginx.nix | 119 +++++++++--------
nixos/configs/sputnik/tinc.nix | 3 +
nixos/configs/sterni/configuration.nix | 12 +-
nixos/configs/sterni/packages.nix | 2 +-
nixos/configs/sterni/tinc.nix | 4 +
nixos/flake.lock | 27 ++--
nixos/flake.nix | 15 ++-
nixos/modules/system/font.nix | 4 +-
nixos/system/all/borg-jobs.nix | 21 ++--
nixos/system/all/borg-scripts.nix | 4 +-
.../desktop/home-manager/doom-emacs.nix | 6 +
16 files changed, 212 insertions(+), 94 deletions(-)
create mode 100644 nixos/configs/robi/bitwarden.nix
create mode 100644 nixos/configs/robi/codimd.nix
create mode 100644 nixos/configs/robi/gitea.nix
diff --git a/nixos/configs/robi/bitwarden.nix b/nixos/configs/robi/bitwarden.nix
new file mode 100644
index 0000000..24d0c2e
--- /dev/null
+++ b/nixos/configs/robi/bitwarden.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }: {
+ services.bitwarden_rs = {
+ enable = true;
+ config = {
+ domain = "https://bitwarden.ingolf-wagner.de";
+ signupsAllowed = false;
+ rocketPort = 8222;
+ rocketLog = "critical";
+ };
+ };
+ #backup.dirs = [ "/var/lib/bitwarden_rs" ];
+}
diff --git a/nixos/configs/robi/codimd.nix b/nixos/configs/robi/codimd.nix
new file mode 100644
index 0000000..645590f
--- /dev/null
+++ b/nixos/configs/robi/codimd.nix
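Review bot: The Rocket listener on port 8222 is left on vaultwarden's default bind address, which as far as I recall is 0.0.0.0, so once this module is imported the plain-HTTP backend would be reachable on every interface of robi rather than only through a TLS reverse proxy (and no nginx vhost for bitwarden.ingolf-wagner.de is defined in this file); add `rocketAddress = "127.0.0.1";` next to `rocketPort`. The module is inert for now because robi's configuration.nix in this same patch imports it commented out, so this is for when it is switched on. The commented `#backup.dirs = [ "/var/lib/bitwarden_rs" ];` means the vault database would not be picked up by this repo's borg `backup.dirs` option; uncomment it at the same time. If the flake's nixos-21.11 input is what builds this, `services.bitwarden_rs` is presumably only a renamed alias for `services.vaultwarden` and will warn on every evaluation.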
@@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: +let + domain = "md.ingolf-wagner.de"; +in +{ + + services.nginx.enable = true; + services.nginx.virtualHosts.hedgedoc = { + enableACME = true; + forceSSL = true; + serverName = domain; + locations."/" = { + proxyPass = "http://localhost:${toString config.services.hedgedoc.configuration.port}"; + proxyWebsockets = true; + }; + }; + + services.hedgedoc = { + enable = true; + configuration = { + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.sqlite"; + useCDN = false; + }; + allowFreeURL = true; + domain = domain; + port = 3091; + useCDN = false; + }; + }; + +} + diff --git a/nixos/configs/robi/configuration.nix b/nixos/configs/robi/configuration.nix index 92ed7df..75d8b5e 100644 --- a/nixos/configs/robi/configuration.nix +++ b/nixos/configs/robi/configuration.nix @@ -6,16 +6,20 @@ ../../system/server/netdata.nix ./hetzner.nix - ./packages.nix ./tinc.nix ./syncthing.nix ./taskserver.nix ./transmission.nix ./nextcloud.nix + ./codimd.nix + # todo - ./gitlab.nix + ./gitea.nix + #./gitlab.nix + #./bitwarden.nix + #../../system/server diff --git a/nixos/configs/robi/gitea.nix b/nixos/configs/robi/gitea.nix new file mode 100644 index 0000000..b66eb7a --- /dev/null +++ b/nixos/configs/robi/gitea.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: +{ + + services.nginx = { + enable = true; + statusPage = true; + virtualHosts = { + "git.ingolf-wagner.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:${toString config.services.gogs.httpPort}"; + }; + }; + }; + }; + + services.gitea = { + enable = true; + appName = "git.ingolf-wagner.de"; + cookieSecure = true; + disableRegistration = true; + domain = "git.ingolf-wagner.de"; + dump.enable = true; + rootUrl = "https://git.ingolf-wagner.de/"; + settings = { + other = { + SHOW_FOOTER_VERSION = false; + }; + }; + + #backup.dirs = [ config.services.gogs.repositoryRoot ]; +} 
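Review bot: `allowFreeURL = true` together with HedgeDoc's defaults — `allowAnonymous` and `allowEmailRegister` are true unless the module overrides them, as far as I recall — lets anyone on the internet create notes at arbitrary paths on md.ingolf-wagner.de and self-register accounts, which is the usual spam/abuse vector for public pads; unless that is intended, add `allowAnonymous = false;`, `allowAnonymousEdits = false;` and `allowEmailRegister = false;` next to `allowFreeURL` and create accounts with the CLI. The `useCDN = false;` inside `db = { ... }` is misplaced — the sqlite dialect has no such key — and is already set one level up, so it should be dropped. The sqlite file at `/var/lib/hedgedoc/db.sqlite` is not added to this repo's `backup.dirs` option (borg-jobs.nix in this patch), so the migrated pads will have no off-host copy; `backup.dirs = [ "/var/lib/hedgedoc" ];` would fix that.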
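Review bot: The braces in the new file do not balance: the module body opened by `{` on the second line is never closed — the final `}` closes `services.gitea = {` — so robi's configuration, which now imports ./gitea.nix, should fail to evaluate unless the collapsed diff dropped a `};`, which the 33-line hunk count argues against; a `};` belongs after `settings` and before `#backup.dirs`, with `}` then closing the module. The nginx `proxyPass` reads `config.services.gogs.httpPort` although the service enabled here is gitea, and only works because both options default to 3000; use `proxyPass = "http://localhost:${toString config.services.gitea.httpPort}";` and likewise `backup.dirs = [ config.services.gitea.stateDir ];` instead of the commented gogs reference, so repositories and the database actually reach the borg jobs. Note also that the sputnik side of this patch removes the socat forwarder for SSH on 2222 without a replacement here, so git-over-SSH to git.ingolf-wagner.de presumably stops working unless robi exposes gitea's SSH some other way.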
diff --git a/nixos/configs/sputnik/configuration.nix b/nixos/configs/sputnik/configuration.nix index fcd3f44..ae58792 100644 --- a/nixos/configs/sputnik/configuration.nix +++ b/nixos/configs/sputnik/configuration.nix @@ -7,8 +7,8 @@ ../../system/server/packages.nix ./nginx.nix ./tinc.nix - ./codimd.nix ./bitwarden.nix + #./codimd.nix #./syncplay.nix ./grocy.nix diff --git a/nixos/configs/sputnik/nginx.nix b/nixos/configs/sputnik/nginx.nix index 490fea7..1359017 100644 --- a/nixos/configs/sputnik/nginx.nix +++ b/nixos/configs/sputnik/nginx.nix 
@@ -65,58 +65,57 @@ in }; - "git.ingolf-wagner.de" = { - #listen = [ - # { - # addr = "0.0.0.0"; - # port = 4443; - # ssl = true; - # } - # { - # addr = "0.0.0.0"; - # port = 80; - # ssl = false; - # } - #]; - forceSSL = true; - enableACME = true; - extraConfig = error.extraConfig; - - locations = { - "/" = { - proxyPass = "http://workhorse.private:3000"; - extraConfig = '' - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - # - # Custom headers and headers various browsers *should* be OK with but aren't - # - add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - # - # Tell client that this pre-flight info is valid for 20 days - # - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - if ($request_method = 'POST') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; - } - if ($request_method = 'GET') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; - } - ''; - }; - } // error.locations; - }; + #"git.ingolf-wagner.de" = { + # #listen = [ + # # { + # # addr = "0.0.0.0"; + # # port = 4443; + # # ssl = true; + # # } + # # { + # # addr = "0.0.0.0"; + # # port = 80; + # # ssl = false; + # # } + # #]; + # forceSSL = true; + # enableACME = true; + # extraConfig = 
error.extraConfig; + # locations = { + # "/" = { + # proxyPass = "http://workhorse.private:3000"; + # extraConfig = '' + # if ($request_method = 'OPTIONS') { + # add_header 'Access-Control-Allow-Origin' '*'; + # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + # # + # # Custom headers and headers various browsers *should* be OK with but aren't + # # + # add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; + # # + # # Tell client that this pre-flight info is valid for 20 days + # # + # add_header 'Access-Control-Max-Age' 1728000; + # add_header 'Content-Type' 'text/plain; charset=utf-8'; + # add_header 'Content-Length' 0; + # return 204; + # } + # if ($request_method = 'POST') { + # add_header 'Access-Control-Allow-Origin' '*'; + # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + # add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; + # add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; + # } + # if ($request_method = 'GET') { + # add_header 'Access-Control-Allow-Origin' '*'; + # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + # add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; + # add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; + # } + # ''; + # }; + # } // error.locations; + #}; #"grocy.ingolf-wagner.de" = { # listen = [ 
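Review bot: The whole git.ingolf-wagner.de vhost is kept as roughly fifty commented-out lines rather than deleted; git history already holds it, and a dead block that still references `error.extraConfig` and `error.locations` will silently rot as those helpers change — drop it and leave a one-line pointer such as `# git.ingolf-wagner.de moved to robi (configs/robi/gitea.nix)`. If it is ever revived, the three `if ($request_method ...)` blocks adding `Access-Control-Allow-Origin '*'` should not come back with it: a blanket CORS allow is unnecessary for a browser-driven git UI, widens what third-party pages can read from it, and nginx `if` inside `location` is itself error-prone. The enclosing `virtualHosts` set starts and ends outside this hunk.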
@@ -447,13 +446,13 @@ in ''; }; - systemd.services."socat-gogs-ssh" = { - wantedBy = [ "multi-user.target" ]; - script = - let port = "2222"; - in '' - ${pkgs.socat}/bin/socat TCP-LISTEN:${port},fork TCP:workhorse.private:${port} - ''; - }; + #systemd.services."socat-gogs-ssh" = { + # wantedBy = [ "multi-user.target" ]; + # script = + # let port = "2222"; + # in '' + # ${pkgs.socat}/bin/socat TCP-LISTEN:${port},fork TCP:workhorse.private:${port} + # ''; + #}; } diff --git a/nixos/configs/sputnik/tinc.nix b/nixos/configs/sputnik/tinc.nix index 38ae53b..0f8bcfb 100644 --- a/nixos/configs/sputnik/tinc.nix +++ b/nixos/configs/sputnik/tinc.nix @@ -10,4 +10,7 @@ }; }; + users.users."tinc.secret".group = "tinc.secret"; + users.groups."tinc.secret" = { }; + } diff --git a/nixos/configs/sterni/configuration.nix b/nixos/configs/sterni/configuration.nix index 35e5011..9cf9243 100644 --- a/nixos/configs/sterni/configuration.nix +++ b/nixos/configs/sterni/configuration.nix @@ -24,8 +24,16 @@ sops.secrets.tinc_retiolum_rsa_key = { }; security.wrappers = { - pmount.source = "${pkgs.pmount}/bin/pmount"; - pumount.source = "${pkgs.pmount}/bin/pumount"; + pmount = { + source = "${pkgs.pmount}/bin/pmount"; + owner = config.users.users.mainUser.name; + group = "nogroup"; + }; + pumount = { + source = "${pkgs.pmount}/bin/pumount"; + owner = config.users.users.mainUser.name; + group = "nogroup"; + }; }; # keybase diff --git a/nixos/configs/sterni/packages.nix b/nixos/configs/sterni/packages.nix index f0ed195..cd871b7 100644 --- a/nixos/configs/sterni/packages.nix +++ b/nixos/configs/sterni/packages.nix @@ -36,7 +36,7 @@ in imagemagick bitwig-studio3 - sononym-crawler + #sononym-crawler darktable # rust development environment diff --git a/nixos/configs/sterni/tinc.nix b/nixos/configs/sterni/tinc.nix index 4161fc2..b17ef47 100644 --- a/nixos/configs/sterni/tinc.nix +++ b/nixos/configs/sterni/tinc.nix 
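Review bot: The two added lines give the tinc user a `tinc.secret` primary group with no explanation, while the tinc module itself creates that user; this looks like a workaround for the nixos-21.11 assertion that system users must have a primary group, which later versions of the tinc module presumably satisfy on their own. Add a comment so it can be removed once redundant, e.g. `# nixos-21.11: services.tinc creates the user without a primary group; supply one or evaluation fails`. The enclosing module set starts outside this hunk.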
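Review bot: The pmount/pumount wrappers are no longer setuid root after this change: the 21.11 `security.wrappers` rewrite requires explicit `owner`/`group` and defaults `setuid` to false, and the old behaviour of turning a bare `source` into a setuid-root wrapper is gone, as far as I recall — so with `owner = mainUser`, `group = "nogroup"` and no `setuid`, pmount runs as the calling user and cannot mount anything. If the previous privilege model is intended (pmount is designed to be setuid root and enforces its own policy), the migration for both wrappers is `owner = "root"; group = "root"; setuid = true;`; a binary owned by the desktop user gains nothing from being a wrapper at all. Either way a one-line comment stating which behaviour is wanted would help the next reader.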
@@ -20,5 +20,9 @@ with lib; connectTo = [ "sputnik" ]; }; }; + users.users."tinc.retiolum".group = "tinc.retiolum"; + users.groups."tinc.retiolum" = { }; + users.users."tinc.secret".group = "tinc.secret"; + users.groups."tinc.secret" = { }; } diff --git a/nixos/flake.lock b/nixos/flake.lock index 7b53a66..f1df689 100644 --- a/nixos/flake.lock +++ b/nixos/flake.lock @@ -55,7 +55,9 @@ "inputs": { "doom-emacs": "doom-emacs", "doom-snippets": "doom-snippets", - "emacs-overlay": "emacs-overlay", + "emacs-overlay": [ + "emacs-overlay" + ], "emacs-so-long": "emacs-so-long", "evil-markdown": "evil-markdown", "evil-org-mode": "evil-org-mode", @@ -108,11 +110,11 @@ "emacs-overlay": { "flake": false, "locked": { - "lastModified": 1626972035, - "narHash": "sha256-YhBtnKmLDYiEzP5ZEMEQMg6oMP5EV+ToCkku7ZYfL+A=", + "lastModified": 1642012880, + "narHash": "sha256-TOjm/NVua9SC7t+qi5AWBMwH2J3Sz5jrQBEqw8K+krk=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "be04b45efb35db58e6ac6aa86b84f850c85b5dfe", + "rev": "5db3fa544f264e5b5a11162475228446498827b2", "type": "github" }, "original": { @@ -401,11 +403,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1641528457, - "narHash": "sha256-FyU9E63n1W7Ql4pMnhW2/rO9OftWZ37pLppn/c1aisY=", + "lastModified": 1641887635, + "narHash": "sha256-kDGpufwzVaiGe5e1sBUBPo9f1YN+nYHJlYqCaVpZTQQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ff377a78794d412a35245e05428c8f95fef3951f", + "rev": "b2737d4980a17cc2b7d600d7d0b32fd7333aca88", "type": "github" }, "original": { @@ -417,11 +419,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1641593416, - "narHash": "sha256-Vn/vqQtYnVuZlbGGO0gSzLjmtFwb6OPvakwyoG1D/MY=", + "lastModified": 1641870998, + "narHash": "sha256-6HkxR2WZsm37VoQS7jgp6Omd71iw6t1kP8bDbaqCDuI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "36480448d470bf41bb21267cf9062a1542c4a95f", + "rev": "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb", "type": "github" }, "original": { 
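Review bot: The four added lines create primary groups for the `tinc.retiolum` and `tinc.secret` users that the tinc module already creates, without saying why; this presumably works around the nixos-21.11 requirement that system users have a primary group. A comment such as `# nixos-21.11: services.tinc creates its users without a primary group` marks them as a workaround to revisit after the next nixpkgs bump. The enclosing module set starts outside this hunk.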
@@ -569,11 +571,11 @@ "rev": "b39c539f9e720cc144c9ad7fe0d72cd46f793dab", "revCount": 22, "type": "git", - "url": "ssh://gitlab@gitlab.ingolf-wagner.de/palo/polygon-art" + "url": "https://gitlab.ingolf-wagner.de/palo/polygon-art.git" }, "original": { "type": "git", - "url": "ssh://gitlab@gitlab.ingolf-wagner.de/palo/polygon-art" + "url": "https://gitlab.ingolf-wagner.de/palo/polygon-art.git" } }, "revealjs": { @@ -596,6 +598,7 @@ "inputs": { "cluster-module": "cluster-module", "doom-emacs-nix": "doom-emacs-nix", + "emacs-overlay": "emacs-overlay", "grocy-scanner": "grocy-scanner", "home-manager": "home-manager", "home-manager-utils": "home-manager-utils", diff --git a/nixos/flake.nix b/nixos/flake.nix index d58aef9..c521b02 100644 --- a/nixos/flake.nix +++ b/nixos/flake.nix @@ -5,13 +5,16 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; polygon-art = { - url = "git+ssh://gitlab@gitlab.ingolf-wagner.de/palo/polygon-art"; - #url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git"; - #inputs.nixpkgs.follows = "nixpkgs"; + url = "git+https://gitlab.ingolf-wagner.de/palo/polygon-art.git"; + }; + emacs-overlay = { + url = "github:nix-community/emacs-overlay"; + flake = false; }; doom-emacs-nix = { url = "github:vlaci/nix-doom-emacs"; inputs.nixpkgs.follows = "nixpkgs"; + inputs.emacs-overlay.follows = "emacs-overlay"; }; home-manager = { url = "github:nix-community/home-manager/release-21.11"; @@ -40,6 +43,7 @@ , nixpkgs , home-manager , home-manager-utils + , emacs-overlay , doom-emacs-nix , nixpkgs-unstable , cluster-module @@ -82,7 +86,10 @@ desktopModules = [ { home-manager.users.mainUser = { - imports = [ doom-emacs-nix.hmModule home-manager-utils.hmModule ]; + imports = [ + doom-emacs-nix.hmModule + home-manager-utils.hmModule + ]; }; environment.systemPackages = [ nixpkgs-fmt.defaultPackage."x86_64-linux" 
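Review bot: `emacs-overlay` is added as a non-flake top-level input solely so that `doom-emacs-nix.inputs.emacs-overlay.follows` can pin it, which reads as an unused input to anyone not following the lock changes; a comment such as `# declared here only so nix-doom-emacs follows one pinned emacs-overlay (see home-manager/doom-emacs.nix)` would explain it. Switching polygon-art from `git+ssh://` to `git+https://` keeps integrity as long as flake.lock pins `rev` (and presumably `narHash`) for it, but it does mean the repository on gitlab.ingolf-wagner.de must stay readable without authentication.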
diff --git a/nixos/modules/system/font.nix b/nixos/modules/system/font.nix index f8d10c3..46a7158 100644 --- a/nixos/modules/system/font.nix +++ b/nixos/modules/system/font.nix @@ -25,6 +25,8 @@ in # see https://nixos.wiki/wiki/Fonts config = mkIf cfg.enable { + services.xserver.dpi = cfg.dpi; + fonts = { enableDefaultFonts = true; @@ -32,7 +34,7 @@ in fontDir.enable = true; fontconfig = { - dpi = cfg.dpi; + #dpi = cfg.dpi; subpixel = { lcdfilter = "default"; rgba = "rgb"; diff --git a/nixos/system/all/borg-jobs.nix b/nixos/system/all/borg-jobs.nix index 5275b75..388abca 100644 --- a/nixos/system/all/borg-jobs.nix +++ b/nixos/system/all/borg-jobs.nix @@ -1,4 +1,9 @@ -{ config, lib, ... }: { +{ config, lib, ... }: +# borg core setup +# --------------- +# provides an easy interface for all services +# to append it's files to be backuped +{ options = { backup.dirs = lib.mkOption { @@ -24,10 +29,10 @@ let servers = [ - { - name = "workhorse"; - host = "workhorse.private"; - } + #{ + # name = "robi"; + # host = "robi.private"; + #} { name = "pepe"; host = "pepe.private"; @@ -45,11 +50,9 @@ repo = "borg@${server}:./${myHostname}"; encryption = { mode = "repokey-blake2"; - passCommand = - "cat ${config.sops.secrets.backup_repository_passphrase.path}"; + passCommand = "cat ${config.sops.secrets.backup_repository_passphrase.path}"; }; - environment.BORG_RSH = - "ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}"; + environment.BORG_RSH = "ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}"; compression = "auto,lzma"; startAt = "daily"; prune.keep = { diff --git a/nixos/system/all/borg-scripts.nix b/nixos/system/all/borg-scripts.nix index 8ad58b0..1f195d3 100644 --- a/nixos/system/all/borg-scripts.nix +++ b/nixos/system/all/borg-scripts.nix 
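Review bot: The new header comment has wording slips (`it's files to be backuped`); something like `# lets every service module add the directories it owns to the borg backup via backup.dirs` reads correctly and names the option it is describing. The options block it introduces continues outside this hunk.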
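Review bot: Removing workhorse from `servers` while leaving robi commented out means, as far as this hunk shows, pepe is the only remaining borg target for every host (the list continues outside the hunk), and robi — which this patch makes the host for gitea, hedgedoc and possibly vaultwarden — is neither a target nor a backed-up source, since its new modules have their `backup.dirs` commented out; the migrated data has no off-host copy until `{ name = "robi"; host = "robi.private"; }` is enabled. A TODO on the commented entry saying what blocks it (the borg user or SSH key on robi, presumably) would make that visible. The `let` this list belongs to starts outside the hunk.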
@@ -10,8 +10,8 @@ --rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \ "$@" ''; - hosts = [ "workhorse" "pepe" ]; - repositories = [ "workhorse" "pepe" "sterni" "workout" ]; + hosts = [ "pepe" "robi" ]; + repositories = [ "pepe" "sterni" "robi" ]; commands = [ "list" ]; in lib.flatten (map diff --git a/nixos/system/desktop/home-manager/doom-emacs.nix b/nixos/system/desktop/home-manager/doom-emacs.nix index 1db016b..35bfa8d 100644 --- a/nixos/system/desktop/home-manager/doom-emacs.nix +++ b/nixos/system/desktop/home-manager/doom-emacs.nix @@ -3,6 +3,12 @@ programs.doom-emacs = { enable = true; doomPrivateDir = ./doom.d; + + emacsPackagesOverlay = self: super: { + # fixes https://github.com/vlaci/nix-doom-emacs/issues/394 + gitignore-mode = pkgs.emacsPackages.git-modes; + gitconfig-mode = pkgs.emacsPackages.git-modes; + }; }; }; environment.systemPackages = [
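Review bot: `hosts` now contains "robi", so a `borg-robi-...` helper is generated against robi.private, but borg-jobs.nix in this same patch leaves robi commented out of `servers`, so the helper points at a host nothing pushes to yet; keep the two lists in step, or derive `hosts` from the servers list so they cannot drift. The context line `--rsh='ssh -i ~/.ssh/card_rsa.pub'` relies on the agent or smartcard holding the private key; a short comment there would stop the next reader from assuming a public key is being passed by mistake. The surrounding `let` starts outside this hunk.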