robi migration

2022-01-13 13:40:18 +01:00 · 2022-01-13 13:40:18 +01:00 · 340ec98c0f
commit 340ec98c0f
parent e8492a17bb
16 changed files with 212 additions and 94 deletions
--- a/nixos/configs/robi/bitwarden.nix
+++ b/nixos/configs/robi/bitwarden.nix
@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }: {
+  services.bitwarden_rs = {
+    enable = true;
+    config = {
+      domain = "https://bitwarden.ingolf-wagner.de";
+      signupsAllowed = false;
+      rocketPort = 8222;
+      rocketLog = "critical";
+    };
+  };
+  #backup.dirs = [ "/var/lib/bitwarden_rs" ];
+}
--- a/nixos/configs/robi/codimd.nix
+++ b/nixos/configs/robi/codimd.nix
@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "md.ingolf-wagner.de";
+in
+{
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts.hedgedoc = {
+    enableACME = true;
+    forceSSL = true;
+    serverName = domain;
+    locations."/" = {
+      proxyPass = "http://localhost:${toString config.services.hedgedoc.configuration.port}";
+      proxyWebsockets = true;
+    };
+  };
+
+  services.hedgedoc = {
+    enable = true;
+    configuration = {
+      db = {
+        dialect = "sqlite";
+        storage = "/var/lib/hedgedoc/db.sqlite";
+        useCDN = false;
+      };
+      allowFreeURL = true;
+      domain = domain;
+      port = 3091;
+      useCDN = false;
+    };
+  };
+
+}
+
--- a/nixos/configs/robi/configuration.nix
+++ b/nixos/configs/robi/configuration.nix
@ -6,16 +6,20 @@
    ../../system/server/netdata.nix

    ./hetzner.nix
-
    ./packages.nix
    ./tinc.nix
    ./syncthing.nix
    ./taskserver.nix
    ./transmission.nix
    ./nextcloud.nix
+    ./codimd.nix
+

    # todo
-    ./gitlab.nix
+    ./gitea.nix
+    #./gitlab.nix
+    #./bitwarden.nix
+

    #../../system/server

--- a/nixos/configs/robi/gitea.nix
+++ b/nixos/configs/robi/gitea.nix
@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+{
+
+  services.nginx = {
+    enable = true;
+    statusPage = true;
+    virtualHosts = {
+      "git.ingolf-wagner.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.gogs.httpPort}";
+        };
+      };
+    };
+  };
+
+  services.gitea = {
+    enable = true;
+    appName = "git.ingolf-wagner.de";
+    cookieSecure = true;
+    disableRegistration = true;
+    domain = "git.ingolf-wagner.de";
+    dump.enable = true;
+    rootUrl = "https://git.ingolf-wagner.de/";
+    settings = {
+      other = {
+        SHOW_FOOTER_VERSION = false;
+      };
+    };
+
+  #backup.dirs = [ config.services.gogs.repositoryRoot ];
+}
--- a/nixos/configs/sputnik/configuration.nix
+++ b/nixos/configs/sputnik/configuration.nix
@ -7,8 +7,8 @@
    ../../system/server/packages.nix
    ./nginx.nix
    ./tinc.nix
-    ./codimd.nix
    ./bitwarden.nix
+    #./codimd.nix
    #./syncplay.nix
    ./grocy.nix

--- a/nixos/configs/sputnik/nginx.nix
+++ b/nixos/configs/sputnik/nginx.nix
@ -65,58 +65,57 @@ in
      };


-      "git.ingolf-wagner.de" = {
-        #listen = [
-        #  {
-        #    addr = "0.0.0.0";
-        #    port = 4443;
-        #    ssl = true;
+      #"git.ingolf-wagner.de" = {
+      #  #listen = [
+      #  #  {
+      #  #    addr = "0.0.0.0";
+      #  #    port = 4443;
+      #  #    ssl = true;
+      #  #  }
+      #  #  {
+      #  #    addr = "0.0.0.0";
+      #  #    port = 80;
+      #  #    ssl = false;
+      #  #  }
+      #  #];
+      #  forceSSL = true;
+      #  enableACME = true;
+      #  extraConfig = error.extraConfig;
+      #  locations = {
+      #    "/" = {
+      #      proxyPass = "http://workhorse.private:3000";
+      #      extraConfig = ''
+      #        if ($request_method = 'OPTIONS') {
+      #        add_header 'Access-Control-Allow-Origin' '*';
+      #        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+      #        #
+      #        # Custom headers and headers various browsers *should* be OK with but aren't
+      #        #
+      #        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+      #        #
+      #        # Tell client that this pre-flight info is valid for 20 days
+      #        #
+      #        add_header 'Access-Control-Max-Age' 1728000;
+      #        add_header 'Content-Type' 'text/plain; charset=utf-8';
+      #        add_header 'Content-Length' 0;
+      #        return 204;
      #        }
-        #  {
-        #    addr = "0.0.0.0";
-        #    port = 80;
-        #    ssl = false;
+      #        if ($request_method = 'POST') {
+      #          add_header 'Access-Control-Allow-Origin' '*';
+      #          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+      #          add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+      #          add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
      #        }
-        #];
-        forceSSL = true;
-        enableACME = true;
-        extraConfig = error.extraConfig;
-
-        locations = {
-          "/" = {
-            proxyPass = "http://workhorse.private:3000";
-            extraConfig = ''
-              if ($request_method = 'OPTIONS') {
-              add_header 'Access-Control-Allow-Origin' '*';
-              add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-              #
-              # Custom headers and headers various browsers *should* be OK with but aren't
-              #
-              add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
-              #
-              # Tell client that this pre-flight info is valid for 20 days
-              #
-              add_header 'Access-Control-Max-Age' 1728000;
-              add_header 'Content-Type' 'text/plain; charset=utf-8';
-              add_header 'Content-Length' 0;
-              return 204;
-              }
-              if ($request_method = 'POST') {
-                add_header 'Access-Control-Allow-Origin' '*';
-                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-                add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
-                add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
-              }
-              if ($request_method = 'GET') {
-                add_header 'Access-Control-Allow-Origin' '*';
-                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-                add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
-                add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
-              }
-            '';
-          };
-        } // error.locations;
-      };
+      #        if ($request_method = 'GET') {
+      #          add_header 'Access-Control-Allow-Origin' '*';
+      #          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+      #          add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+      #          add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+      #        }
+      #      '';
+      #    };
+      #  } // error.locations;
+      #};

      #"grocy.ingolf-wagner.de" = {
      #  listen = [
@ -447,13 +446,13 @@ in
      '';
  };

-  systemd.services."socat-gogs-ssh" = {
-    wantedBy = [ "multi-user.target" ];
-    script =
-      let port = "2222";
-      in ''
-        ${pkgs.socat}/bin/socat TCP-LISTEN:${port},fork TCP:workhorse.private:${port}
-      '';
-  };
+  #systemd.services."socat-gogs-ssh" = {
+  #  wantedBy = [ "multi-user.target" ];
+  #  script =
+  #    let port = "2222";
+  #    in ''
+  #      ${pkgs.socat}/bin/socat TCP-LISTEN:${port},fork TCP:workhorse.private:${port}
+  #    '';
+  #};

 }
--- a/nixos/configs/sputnik/tinc.nix
+++ b/nixos/configs/sputnik/tinc.nix
@ -10,4 +10,7 @@
    };
  };

+  users.users."tinc.secret".group = "tinc.secret";
+  users.groups."tinc.secret" = { };
+
 }
--- a/nixos/configs/sterni/configuration.nix
+++ b/nixos/configs/sterni/configuration.nix
@ -24,8 +24,16 @@
  sops.secrets.tinc_retiolum_rsa_key = { };

  security.wrappers = {
-    pmount.source = "${pkgs.pmount}/bin/pmount";
-    pumount.source = "${pkgs.pmount}/bin/pumount";
+    pmount = {
+      source = "${pkgs.pmount}/bin/pmount";
+      owner = config.users.users.mainUser.name;
+      group = "nogroup";
+    };
+    pumount = {
+      source = "${pkgs.pmount}/bin/pumount";
+      owner = config.users.users.mainUser.name;
+      group = "nogroup";
+    };
  };

  # keybase
--- a/nixos/configs/sterni/packages.nix
+++ b/nixos/configs/sterni/packages.nix
@ -36,7 +36,7 @@ in
    imagemagick

    bitwig-studio3
-    sononym-crawler
+    #sononym-crawler
    darktable

    # rust development environment
--- a/nixos/configs/sterni/tinc.nix
+++ b/nixos/configs/sterni/tinc.nix
@ -20,5 +20,9 @@ with lib;
      connectTo = [ "sputnik" ];
    };
  };
+  users.users."tinc.retiolum".group = "tinc.retiolum";
+  users.groups."tinc.retiolum" = { };
+  users.users."tinc.secret".group = "tinc.secret";
+  users.groups."tinc.secret" = { };

 }
--- a/nixos/flake.lock
+++ b/nixos/flake.lock
@ -55,7 +55,9 @@
      "inputs": {
        "doom-emacs": "doom-emacs",
        "doom-snippets": "doom-snippets",
-        "emacs-overlay": "emacs-overlay",
+        "emacs-overlay": [
+          "emacs-overlay"
+        ],
        "emacs-so-long": "emacs-so-long",
        "evil-markdown": "evil-markdown",
        "evil-org-mode": "evil-org-mode",
@ -108,11 +110,11 @@
    "emacs-overlay": {
      "flake": false,
      "locked": {
-        "lastModified": 1626972035,
-        "narHash": "sha256-YhBtnKmLDYiEzP5ZEMEQMg6oMP5EV+ToCkku7ZYfL+A=",
+        "lastModified": 1642012880,
+        "narHash": "sha256-TOjm/NVua9SC7t+qi5AWBMwH2J3Sz5jrQBEqw8K+krk=",
        "owner": "nix-community",
        "repo": "emacs-overlay",
-        "rev": "be04b45efb35db58e6ac6aa86b84f850c85b5dfe",
+        "rev": "5db3fa544f264e5b5a11162475228446498827b2",
        "type": "github"
      },
      "original": {
@ -401,11 +403,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1641528457,
-        "narHash": "sha256-FyU9E63n1W7Ql4pMnhW2/rO9OftWZ37pLppn/c1aisY=",
+        "lastModified": 1641887635,
+        "narHash": "sha256-kDGpufwzVaiGe5e1sBUBPo9f1YN+nYHJlYqCaVpZTQQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ff377a78794d412a35245e05428c8f95fef3951f",
+        "rev": "b2737d4980a17cc2b7d600d7d0b32fd7333aca88",
        "type": "github"
      },
      "original": {
@ -417,11 +419,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1641593416,
-        "narHash": "sha256-Vn/vqQtYnVuZlbGGO0gSzLjmtFwb6OPvakwyoG1D/MY=",
+        "lastModified": 1641870998,
+        "narHash": "sha256-6HkxR2WZsm37VoQS7jgp6Omd71iw6t1kP8bDbaqCDuI=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "36480448d470bf41bb21267cf9062a1542c4a95f",
+        "rev": "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb",
        "type": "github"
      },
      "original": {
@ -569,11 +571,11 @@
        "rev": "b39c539f9e720cc144c9ad7fe0d72cd46f793dab",
        "revCount": 22,
        "type": "git",
-        "url": "ssh://gitlab@gitlab.ingolf-wagner.de/palo/polygon-art"
+        "url": "https://gitlab.ingolf-wagner.de/palo/polygon-art.git"
      },
      "original": {
        "type": "git",
-        "url": "ssh://gitlab@gitlab.ingolf-wagner.de/palo/polygon-art"
+        "url": "https://gitlab.ingolf-wagner.de/palo/polygon-art.git"
      }
    },
    "revealjs": {
@ -596,6 +598,7 @@
      "inputs": {
        "cluster-module": "cluster-module",
        "doom-emacs-nix": "doom-emacs-nix",
+        "emacs-overlay": "emacs-overlay",
        "grocy-scanner": "grocy-scanner",
        "home-manager": "home-manager",
        "home-manager-utils": "home-manager-utils",
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@ -5,13 +5,16 @@
    nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    polygon-art = {
-      url = "git+ssh://gitlab@gitlab.ingolf-wagner.de/palo/polygon-art";
-      #url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
-      #inputs.nixpkgs.follows = "nixpkgs";
+      url = "git+https://gitlab.ingolf-wagner.de/palo/polygon-art.git";
+    };
+    emacs-overlay = {
+      url = "github:nix-community/emacs-overlay";
+      flake = false;
    };
    doom-emacs-nix = {
      url = "github:vlaci/nix-doom-emacs";
      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.emacs-overlay.follows = "emacs-overlay";
    };
    home-manager = {
      url = "github:nix-community/home-manager/release-21.11";
@ -40,6 +43,7 @@
    , nixpkgs
    , home-manager
    , home-manager-utils
+    , emacs-overlay
    , doom-emacs-nix
    , nixpkgs-unstable
    , cluster-module
@ -82,7 +86,10 @@
      desktopModules = [
        {
          home-manager.users.mainUser = {
-            imports = [ doom-emacs-nix.hmModule home-manager-utils.hmModule ];
+            imports = [
+              doom-emacs-nix.hmModule
+              home-manager-utils.hmModule
+            ];
          };
          environment.systemPackages = [
            nixpkgs-fmt.defaultPackage."x86_64-linux"
--- a/nixos/modules/system/font.nix
+++ b/nixos/modules/system/font.nix
@ -25,6 +25,8 @@ in
  # see https://nixos.wiki/wiki/Fonts
  config = mkIf cfg.enable {

+    services.xserver.dpi = cfg.dpi;
+
    fonts = {

      enableDefaultFonts = true;
@ -32,7 +34,7 @@ in
      fontDir.enable = true;

      fontconfig = {
-        dpi = cfg.dpi;
+        #dpi = cfg.dpi;
        subpixel = {
          lcdfilter = "default";
          rgba = "rgb";
--- a/nixos/system/all/borg-jobs.nix
+++ b/nixos/system/all/borg-jobs.nix
@ -1,4 +1,9 @@
-{ config, lib, ... }: {
+{ config, lib, ... }:
+# borg core setup
+# ---------------
+# provides an easy interface for all services
+# to append it's files to be backuped
+{

  options = {
    backup.dirs = lib.mkOption {
@ -24,10 +29,10 @@
    let

      servers = [
-        {
-          name = "workhorse";
-          host = "workhorse.private";
-        }
+        #{
+        #  name = "robi";
+        #  host = "robi.private";
+        #}
        {
          name = "pepe";
          host = "pepe.private";
@ -45,11 +50,9 @@
        repo = "borg@${server}:./${myHostname}";
        encryption = {
          mode = "repokey-blake2";
-          passCommand =
-            "cat ${config.sops.secrets.backup_repository_passphrase.path}";
+          passCommand = "cat ${config.sops.secrets.backup_repository_passphrase.path}";
        };
-        environment.BORG_RSH =
-          "ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}";
+        environment.BORG_RSH = "ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}";
        compression = "auto,lzma";
        startAt = "daily";
        prune.keep = {
--- a/nixos/system/all/borg-scripts.nix
+++ b/nixos/system/all/borg-scripts.nix
@ -10,8 +10,8 @@
            --rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \
            "$@"
        '';
-      hosts = [ "workhorse" "pepe" ];
-      repositories = [ "workhorse" "pepe" "sterni" "workout" ];
+      hosts = [ "pepe" "robi" ];
+      repositories = [ "pepe" "sterni" "robi" ];
      commands = [ "list" ];
    in
    lib.flatten (map
--- a/nixos/system/desktop/home-manager/doom-emacs.nix
+++ b/nixos/system/desktop/home-manager/doom-emacs.nix
@ -3,6 +3,12 @@
    programs.doom-emacs = {
      enable = true;
      doomPrivateDir = ./doom.d;
+
+      emacsPackagesOverlay = self: super: {
+        # fixes https://github.com/vlaci/nix-doom-emacs/issues/394
+        gitignore-mode = pkgs.emacsPackages.git-modes;
+        gitconfig-mode = pkgs.emacsPackages.git-modes;
+      };
    };
  };
  environment.systemPackages = [