Commit 7e9358efa507

Vincent Demeester <vincent@sbr.pm>
2020-06-05 11:02:31
systems: migrate kerkouane 👼
- Fix the wireguard.server profile
- Add govanityurl to services/default.nix

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 6cb5dda
Changed files (5)
modules/profiles/wireguard.server.nixos.nix
@@ -3,6 +3,12 @@
 with lib;
 let
   cfg = config.profiles.wireguard.server;
+
+  secretPath = ../secrets/machines.nix;
+  secretCondition = (builtins.pathExists secretPath);
+  allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
+  listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+  peers = lists.optionals secretCondition (import secretPath).wg.peers;
 in
 {
   options = {
@@ -23,12 +29,12 @@ in
     '';
     networking.firewall.allowedUDPPorts = [ 51820 ];
     networking.firewall.trustedInterfaces = [ "wg0" ];
-    networking.wireguard.interfaces = with import ../../assets/machines.nix; {
+    networking.wireguard.interfaces = {
       "wg0" = {
-        ips = wireguard.kerkouane.allowedIPs;
-        listenPort = wg.listenPort;
+        ips = allowedIPs;
+        listenPort = listenPort;
         privateKeyFile = "/etc/nixos/wireguard.private.key";
-        peers = wg.peers;
+        peers = peers;
       };
     };
   };
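Review bot: The firewall rule on the `networking.firewall.allowedUDPPorts = [ 51820 ];` line still opens a hard-coded port while the interface's `listenPort` now comes from the secret file, so the opened port and the bound port disagree whenever `wg.listenPort` in `../secrets/machines.nix` is not 51820; tie them together with `networking.firewall.allowedUDPPorts = optionals secretCondition [ listenPort ];`. The `else 0` fallback introduced in the first hunk (`listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;`) means a host built without the secret file silently comes up with no peers, no addresses and, if I recall wg's handling of port 0 correctly, an ephemeral listen port rather than failing evaluation; consider `else null` for `listenPort` or an `assert secretCondition` so a missing secret is loud instead of producing a half-configured VPN endpoint. The enclosing module attribute set continues outside the hunk.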
modules/services/default.nix
@@ -1,6 +1,7 @@
 {
   imports = [
-    ./wireguard.client.nixos.nix
+    ./govanityurl.nixos.nix
     ./nix-binary-cache.nixos.nix
+    ./wireguard.client.nixos.nix
   ];
 }
systems/kerkouane.nix
@@ -0,0 +1,130 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+  hostname = "kerkouane";
+
+  networkingConfigPath = ../networking.nix;
+  hasNetworkingConfig = (builtins.pathExists networkingConfigPath);
+  secretPath = ../secrets/machines.nix;
+  secretCondition = (builtins.pathExists secretPath);
+
+  sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22;
+
+  sources = import ../nix/sources.nix;
+in
+{
+  imports = [
+    (sources.nixos + "/nixos/modules/profiles/qemu-guest.nix")
+    #(pkgs + "/nixos/modules/profiles/qemu-guest.nix")
+    #<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+    ../modules
+    (import ../users).vincent
+    (import ../users).root
+  ]
+  # digitalocean specifics
+  ++ optionals hasNetworkingConfig [ networkingConfigPath ];
+
+  boot.loader.grub.device = "/dev/vda";
+  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
+  swapDevices = [{ device = "/swapfile"; size = 1024; }];
+
+  core.nix = {
+    # FIXME move this away
+    localCaches = [ ];
+    buildCores = 1;
+  };
+
+  profiles = {
+    git.enable = true;
+    ssh.enable = true;
+    syncthing.enable = true;
+
+    # FIXME remove the need for it
+    users.enable = false;
+
+    wireguard.server.enable = true;
+  };
+
+  networking.firewall.allowPing = true;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  security = {
+    acme = {
+      acceptTerms = true;
+      email = "vincent@sbr.pm";
+    };
+    #acme.certs = {
+    #  "sbr.pm".email = "vincent@sbr.pm";
+    #};
+  };
+  security.pam.enableSSHAgentAuth = true;
+  services = {
+    govanityurl = {
+      enable = true;
+      user = "nginx";
+      host = "go.sbr.pm";
+      config = ''
+        paths:
+          /ape:
+            repo: https://git.sr.ht/~vdemeester/ape
+          /nr:
+            repo: https://gitlab.com/vdemeester/nr
+          /ram:
+            repo: https://git.sr.ht/~vdemeester/ram
+          /sec:
+            repo: https://gitlab.com/vdemeester/sec
+      '';
+    };
+    nginx = {
+      enable = true;
+      virtualHosts."dl.sbr.pm" = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/home/vincent/desktop/sites/dl.sbr.pm";
+        locations."/" = {
+          index = "index.html";
+        };
+      };
+      virtualHosts."paste.sbr.pm" = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/home/vincent/desktop/sites/paste.sbr.pm";
+        locations."/" = {
+          index = "index.html";
+        };
+      };
+      virtualHosts."go.sbr.pm" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
+      };
+      virtualHosts."sbr.pm" = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/home/vincent/desktop/sites/sbr.pm";
+        locations."/" = {
+          index = "index.html";
+        };
+      };
+      virtualHosts."sbr.systems" = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/home/vincent/desktop/sites/sbr.systems";
+        locations."/" = {
+          index = "index.html";
+        };
+      };
+      virtualHosts."vincent.demeester.fr" = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/home/vincent/desktop/sites/vincent.demeester.fr";
+        locations."/" = {
+          index = "index.html";
+        };
+      };
+    };
+    openssh.ports = [ sshPort ];
+    openssh.permitRootLogin = "without-password";
+    syncthing.guiAddress = "127.0.0.1:8384";
+  };
+}
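Review bot: `govanityurl.user = "nginx";` runs the vanity-URL backend under the same uid as the reverse proxy that fronts it, so a compromise of either process gives write access to the other's state and to every site root served from `/home/vincent/desktop/sites`; a dedicated service user (or the module's own default, which is not visible here) keeps the two isolated. `openssh.permitRootLogin = "without-password";` uses the legacy spelling; `prohibit-password` is the name OpenSSH has used for the same key-only setting since 7.0 and reads unambiguously, if the option's enum on this channel accepts it. The proxy target `http://127.0.0.1:8080` for `go.sbr.pm` is not tied to anything in the `govanityurl` block, so it presumably relies on the module's default port; a comment naming that dependency would help the next reader. The five static `virtualHosts` entries differ only in their name, so they could be generated with `genAttrs` (already in scope via `with lib;`) and merged with the proxied host:

```nix
virtualHosts = genAttrs [ "dl.sbr.pm" "paste.sbr.pm" "sbr.pm" "sbr.systems" "vincent.demeester.fr" ] (name: {
  enableACME = true;
  forceSSL = true;
  root = "/home/vincent/desktop/sites/${name}";
  locations."/".index = "index.html";
}) // {
  "go.sbr.pm" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
  };
};
# … unchanged: enable = true; and the rest of the services block …
```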
users/vincent/default.nix
@@ -10,6 +10,7 @@ let
       (name: value: value.key)
       (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
   );
+
   hasConfigVirtualizationContainers = builtins.hasAttr "containers" config.virtualisation;
   isContainersEnabled = if hasConfigVirtualizationContainers then config.virtualisation.containers.enable else false;
 in
hosts.nix
@@ -1,6 +1,7 @@
 {
   hokkaido = { arch = "x86_64-linux"; type = "unstable"; };
   wakasu = { arch = "x86_64-linux"; type = "unstable"; };
+  kerkouane = { arch = "x86_64-linux"; };
   okinawa = { arch = "x86_64-linux"; };
   sakhalin = { arch = "x86_64-linux"; };
   # mypi = { arch = "aarch64-linux" };