authorJohn Bargman2024-11-30 17:46:20 +0000
committerJohn Bargman2024-11-30 17:46:20 +0000
commit6f92df983e55dda4cfbda2887c3f77c4668d06d4 (patch)
treeda4c82ffd38793124d9a58a6c2dad2450329af7c
parente1b05d65451cce58205a2c4b3d84f706b04fb17e (diff)
engage secrix
-rw-r--r--flake.lock133
-rw-r--r--flake.nix34
-rw-r--r--secrets/murmursupass7
-rw-r--r--services/cgit.nix51
-rw-r--r--services/mailserver.nix2
-rw-r--r--services/murmur.nix60
6 files changed, 167 insertions, 120 deletions
diff --git a/flake.lock b/flake.lock
index 71343f3..969bfe7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,26 +1,5 @@
{
"nodes": {
- "agenix": {
- "inputs": {
- "darwin": "darwin",
- "home-manager": "home-manager",
- "nixpkgs": "nixpkgs",
- "systems": "systems"
- },
- "locked": {
- "lastModified": 1723293904,
- "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
- "owner": "ryantm",
- "repo": "agenix",
- "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
- "type": "github"
- },
- "original": {
- "owner": "ryantm",
- "repo": "agenix",
- "type": "github"
- }
- },
"blobs": {
"flake": false,
"locked": {
@@ -37,28 +16,6 @@
"type": "gitlab"
}
},
- "darwin": {
- "inputs": {
- "nixpkgs": [
- "agenix",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1700795494,
- "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
- "owner": "lnl7",
- "repo": "nix-darwin",
- "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
- "type": "github"
- },
- "original": {
- "owner": "lnl7",
- "ref": "master",
- "repo": "nix-darwin",
- "type": "github"
- }
- },
"flake-compat": {
"flake": false,
"locked": {
@@ -75,30 +32,9 @@
"type": "github"
}
},
- "home-manager": {
- "inputs": {
- "nixpkgs": [
- "agenix",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1703113217,
- "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
- "owner": "nix-community",
- "repo": "home-manager",
- "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "home-manager",
- "type": "github"
- }
- },
"nixinate": {
"inputs": {
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1708891350,
@@ -116,15 +52,15 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1703013332,
- "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
- "owner": "NixOS",
+ "lastModified": 1653060744,
+ "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
+ "owner": "nixos",
"repo": "nixpkgs",
- "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+ "rev": "dfd82985c273aac6eced03625f454b334daae2e8",
"type": "github"
},
"original": {
- "owner": "NixOS",
+ "owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
@@ -147,32 +83,32 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1653060744,
- "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
+ "lastModified": 1732749044,
+ "narHash": "sha256-T38FQOg0BV5M8FN1712fovzNakSOENEYs+CSkg31C9Y=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "dfd82985c273aac6eced03625f454b334daae2e8",
+ "rev": "0c5b4ecbed5b155b705336aa96d878e55acd8685",
"type": "github"
},
"original": {
"owner": "nixos",
- "ref": "nixos-unstable",
+ "ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
- "lastModified": 1732749044,
- "narHash": "sha256-T38FQOg0BV5M8FN1712fovzNakSOENEYs+CSkg31C9Y=",
- "owner": "nixos",
+ "lastModified": 1694959747,
+ "narHash": "sha256-CXQ2MuledDVlVM5dLC4pB41cFlBWxRw4tCBsFrq3cRk=",
+ "owner": "NixOS",
"repo": "nixpkgs",
- "rev": "0c5b4ecbed5b155b705336aa96d878e55acd8685",
+ "rev": "970a59bd19eff3752ce552935687100c46e820a5",
"type": "github"
},
"original": {
- "owner": "nixos",
- "ref": "nixos-24.05",
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@@ -210,13 +146,31 @@
},
"root": {
"inputs": {
- "agenix": "agenix",
"nixinate": "nixinate",
- "nixpkgs": "nixpkgs_3",
+ "nixpkgs": "nixpkgs_2",
"nixpkgs_unstable": "nixpkgs_unstable",
+ "secrix": "secrix",
"simple-nixos-mailserver": "simple-nixos-mailserver"
}
},
+ "secrix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3"
+ },
+ "locked": {
+ "lastModified": 1727012350,
+ "narHash": "sha256-sP4LXXvp9b6hYf/tQMxI+gURf1uXhqb6oytXCFRkw3A=",
+ "owner": "platonic-systems",
+ "repo": "secrix",
+ "rev": "0726d0382d679f983f97ede9da8aaf426e2b5003",
+ "type": "github"
+ },
+ "original": {
+ "owner": "platonic-systems",
+ "repo": "secrix",
+ "type": "github"
+ }
+ },
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
@@ -237,21 +191,6 @@
"repo": "nixos-mailserver",
"type": "gitlab"
}
- },
- "systems": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index 4f7d5f9..4853a38 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,14 +3,15 @@
# TODO: cgit, ejabber signup
inputs = {
nixinate.url = "github:matthewcroughan/nixinate";
- agenix.url = "github:ryantm/agenix";
+ secrix.url = "github:platonic-systems/secrix";
nixpkgs_unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
};
- outputs = inputs@{ self, nixpkgs, agenix, nixinate, nixpkgs_unstable, simple-nixos-mailserver }:
+ outputs = inputs@{ self, nixpkgs, secrix, nixinate, nixpkgs_unstable, simple-nixos-mailserver }:
let
+ inherit (inputs.secrix) secrix;
pkgs = nixpkgs.legacyPackages.x86_64-linux;
webroot = "${self}/webroot";
fqdn = "crashoverburn.com";
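Review bot: The new `inherit (inputs.secrix) secrix;` let-binding shadows the `secrix` flake input that the outputs argument set binds two lines above, so inside the body `secrix` is the app-builder function and the input itself has to be reached as `inputs.secrix` (which the module list later does with `inputs.secrix.nixosModules.default`). A distinct name keeps both readable, e.g. `secrixApp = inputs.secrix.secrix;` here and `{ secrix = secrixApp self; }` at the apps line, leaving `secrix` to mean the input everywhere. The outputs function continues outside this hunk.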
@@ -18,7 +19,7 @@
in
{
formatter.x86_64-linux = pkgs.nixpkgs-fmt;
- apps.x86_64-linux = (inputs.nixinate.nixinate.x86_64-linux inputs.self).nixinate;
+ apps.x86_64-linux = (inputs.nixinate.nixinate.x86_64-linux inputs.self).nixinate // ({ secrix = secrix self; });
devShell.x86_64-linux =
pkgs.mkShell {
buildInputs = with pkgs; [ figlet tmux ];
@@ -60,25 +61,34 @@
nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
- agenix.nixosModules.default
simple-nixos-mailserver.nixosModule
+ inputs.secrix.nixosModules.default
./openstack.nix
./users/commander.nix
- (import ./services/cgit.nix { inherit pkgs; inherit fqdn; })
+ (import ./services/cgit.nix { fqdn = "code.${fqdn}"; })
+ (import ./services/murmur.nix { fqdn = "mumble.${fqdn}"; })
(import ./services/website.nix { inherit webroot; })
(import ./services/ejabberd.nix { inherit fqdn; })
- (import ./services/mailserver.nix { inherit pkgs; inherit hashedPasswordFile; })
+ (import ./services/mailserver.nix { inherit hashedPasswordFile; })
./machines/overburn-1.nix
{
+ secrix.hostPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3ElH/WQjW3B2yUBFFPpF8IIHsYrHODwTid6YM2npiw root@web-crash-over-burn";
+ secrix.defaultEncryptKeys = {
+ crash = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com" ];
+ };
imports = [
"${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix"
];
- _module.args.nixinate = {
- host = "193.16.42.36";
- sshUser = "commander";
- substituteOnTarget = true;
- hermetic = true;
- buildOn = "local";
+ _module.args =
+ {
+ inherit self;
+ nixinate = {
+ host = "193.16.42.36";
+ sshUser = "commander";
+ substituteOnTarget = true;
+ hermetic = true;
+ buildOn = "local";
+ };
};
}
];
diff --git a/secrets/murmursupass b/secrets/murmursupass
new file mode 100644
index 0000000..a9cffa1
--- /dev/null
+++ b/secrets/murmursupass
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 fT5adw 2PgQmFD+CnzZ0/2ptUyIuc39bSi4bTUcll/Q6PRQbRM
+62CrUgTJKxXRsqgpy6B+IiHSmQa652/32W3YgI75Z90
+-> ssh-ed25519 N8OrBw TSG0fXyXe2B9KxsppcAdmAx/0L3odsszpdnsCDmSk1w
+IanBoWAfr4ibJqyoPdihmUWuawFzo2I/oUFzlGN5l8s
+--- 6lbDcODAIPRmURPv34jfgmHxDStzwHmsP3XeFkhRZcc
+l˜bI– õxï,sÙî ÖŠÒl…ð[Aÿ«!ð¤'èü4\®wu¿R Ìš \ No newline at end of file
diff --git a/services/cgit.nix b/services/cgit.nix
index a7795ac..fcfa77f 100644
--- a/services/cgit.nix
+++ b/services/cgit.nix
@@ -1,10 +1,10 @@
-{ pkgs, fqdn, ... }:
+{ fqdn } :{ pkgs, ... }:
{
services.uwsgi = {
enable = true;
user = "public";
- group = "users";
- plugins = [ "cgi" ];
+ group = "nginx";
+ plugins = [ "cgi" "python3" ];
instance = {
type = "emperor";
@@ -13,6 +13,7 @@
type = "normal";
master = "true";
socket = "/run/uwsgi/cgit.sock";
+ chmod-socket = 664;
procname-master = "uwsgi cgit";
plugins = [ "cgi" ];
cgi = "${pkgs.cgit}/cgit/cgit.cgi";
@@ -34,11 +35,12 @@
users.extraUsers.public =
{
+ extraGroups = [ "git" "nginx"];
isSystemUser = true;
- group = "git";
+ group = "users";
};
- services.nginx.virtualHosts."code.${fqdn}" = {
+ services.nginx.virtualHosts."${fqdn}" = {
addSSL = true;
enableACME = true;
root = "${pkgs.cgit}/cgit";
@@ -53,6 +55,7 @@
uwsgi_pass unix:/run/uwsgi/cgit.sock;
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_modifier1 9;
+ uwsgi_read_timeout 600;
'';
};
};
@@ -66,8 +69,9 @@
type = "oneshot";
};
script = ''
- mkdir /run/cgit
- chown -R public:users /run/cgit
+ mkdir -p /run/cgit
+ chmod -R 660 /run/cgit
+ chown -R public:nginx /run/cgit
'';
};
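Review bot: `chmod -R 660 /run/cgit` removes the execute bit from a directory, and without it not even the owner `public` can create or open entries inside, so cgit's `cache-root=/run/cgit` cache writes will fail. Directories need the x bit for traversal; the three lines can be replaced by `install -d -m 0770 -o public -g nginx /run/cgit`, which sets owner, group and a traversable mode in one step and avoids a recursive chmod on a directory that may already hold cache files on restart. The enclosing oneshot service definition starts and ends outside this hunk.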
@@ -78,11 +82,11 @@
cache-root=/run/cgit
root-title=~/projects
- root-desc=code.${fqdn}
- footer=
+ root-desc=You got overburned, now face the ${fqdn}
+ footer=CrashOverBurn reserves all rights to everything.
enable-index-owner=0
- enable-http-clone=1
+ enable-http-clone=0
noplainemail=1
max-atom-items=50
@@ -93,6 +97,33 @@
snapshots=all
readme=master:README.md
+ readme=:readme.md
+ readme=:README.mkd
+ readme=:readme.mkd
+ readme=:README.rst
+ readme=:readme.rst
+ readme=:README.html
+ readme=:readme.html
+ readme=:README.htm
+ readme=:readme.htm
+ readme=:README.txt
+ readme=:readme.txt
+ readme=:README
+ readme=:readme
+ readme=:INSTALL.md
+ readme=:install.md
+ readme=:INSTALL.mkd
+ readme=:install.mkd
+ readme=:INSTALL.rst
+ readme=:install.rst
+ readme=:INSTALL.html
+ readme=:install.html
+ readme=:INSTALL.htm
+ readme=:install.htm
+ readme=:INSTALL.txt
+ readme=:install.txt
+ readme=:INSTALL
+ readme=:install
source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
diff --git a/services/mailserver.nix b/services/mailserver.nix
index 7d6f1d8..3bd75a4 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -1,4 +1,4 @@
-{ pkgs, hashedPasswordFile, ... }:
+{ hashedPasswordFile } :{ pkgs,... }:
{
mailserver = {
fqdn = "mail.crashoverburn.com";
diff --git a/services/murmur.nix b/services/murmur.nix
new file mode 100644
index 0000000..ec8d2f3
--- /dev/null
+++ b/services/murmur.nix
@@ -0,0 +1,60 @@
+{ fqdn } :{ pkgs, config, self, ... }:
+let
+ certs = config.security.acme.certs;
+ certDirectory = "${certs.${fqdn}.directory}";
+ port = config.services.murmur.port;
+ dbfolder = "/persist/replicable/murmur/murmur.sqlite";
+in
+{
+ secrix.services.murmur = {
+ additionalRuntimeDirNames = [ "murmur" ];
+ forceRuntimeDirs = true;
+ secrets.murmursupass.encrypted.file = "${self}/secrets/murmursupass";
+ };
+
+
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ welcometext = ''crashoverburn.com Mumble'';
+ users = 50;
+ textMsgLength = 10000;
+ imgMsgLength = 12000000;
+ bandwidth = 6400000;
+ clientCertRequired = true;
+ hostName = "${fqdn}";
+ registerHostname = "${fqdn}";
+ registerName = "crashoverburn.com";
+ sslCert = "${certDirectory}/fullchain.pem";
+ sslKey = "${certDirectory}/key.pem";
+ sslCa = "${certDirectory}/full.pem";
+ extraConfig = ''
+ database=${dbfolder}
+ '';
+ };
+
+
+ systemd.services.murmur.postStart = ''
+ ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
+ '';
+ security.acme.certs.${fqdn} = {
+ group = "murmur-cert";
+ postRun = "systemctl restart murmur.service";
+ };
+ users.groups.murmur-cert.members = [ "murmur" "nginx" ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts.${fqdn} = {
+ listenAddresses = [
+ "10.0.1.30"
+ ];
+ #useACMEHost = "crashoverburn.com";
+ enableACME = true;
+ forceSSL = true;
+ locations."/".return = "301 https://crashoverburn.com";
+ };
+ };
+}
+
+
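Review bot: The `postStart` line passes the decrypted superuser password to `mumble-server -supw "$(cat …)"` as a command-line argument, which makes it visible in the process argument list (`/proc/*/cmdline`) to every local user while the command runs and lets it leak into shell tracing or journal output. If the packaged server supports the stdin variant, `${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path}` keeps the secret out of the argument list. Separately, `sslCa` points at `full.pem`, which in the NixOS ACME layout bundles the private key with the certificate chain; if the intent is the issuing chain for client-certificate verification, `chain.pem` is the file meant for that and is worth confirming. The `dbfolder` binding holds a file path (`murmur.sqlite`), so a name such as `dbPath` would describe it better.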