diff --git a/common/home/default.nix b/common/home/default.nix deleted file mode 100644 index d179928..0000000 --- a/common/home/default.nix +++ /dev/null @@ -1,91 +0,0 @@ -{ - pkgs, - inputs, - lib, - ... -}: let - spicePkgs = inputs.spicetify-nix.packages.${pkgs.system}.default; -in { - imports = [ - ./swayidle.nix - ./vim/default.nix - ./firefox.nix - - ../rice/ags - ../rice/hyprland - # ../rice/sway - ../rice/gtk.nix - ../rice/kitty.nix - # ../rice/waybar - # ../rice/dunst.nix - ../rice/anyrun - ../rice/rio.nix - ../rice/wofi.nix - ../shell - - inputs.spicetify-nix.homeManagerModule - inputs.catppuccin.homeManagerModules.catppuccin - ]; - - nixpkgs = { - config = { - allowUnfree = true; - allowUnfreePredicate = _: true; - }; - overlays = [ - inputs.neovim-nightly-overlay.overlay - ]; - }; - - gtk.catppuccin.cursor.enable = false; - - nix.gc = { - automatic = true; - frequency = "weekly"; - options = "--delete-older-than 30d"; - }; - - catppuccin.flavor = "mocha"; - - # This value determines the Home Manager release that your configuration is - # compatible with. This helps avoid breakage when a new Home Manager release - # introduces backwards incompatible changes. - # - # You should not change this value, even if you update Home Manager. If you do - # want to update the value, then make sure to first check the Home Manager - # release notes. - home.stateVersion = "23.11"; # Please read the comment before changing it. - - home.packages = [ - pkgs.wofi - pkgs.dconf - pkgs.wl-clipboard - pkgs.swaybg - pkgs.pavucontrol - pkgs.wlogout - pkgs.sway-audio-idle-inhibit - pkgs.grim - pkgs.slurp - - pkgs.xfce.thunar - pkgs.feh - pkgs.nitch - pkgs.nix-output-monitor - pkgs.fastfetch - - pkgs.nh - pkgs.dwl - - pkgs.killall - ]; - - home.sessionVariables = { - EDITOR = "nvim"; - }; - - xdg.enable = true; - # programs.nixvim = ./vim.nix; - - # Let Home Manager install and manage itself. - programs.home-manager.enable = true; -} 
diff --git a/modules/home/apps/tools/neovim/config/lua/plugins/editor/nvim-cmp.lua b/modules/home/apps/tools/neovim/config/lua/plugins/editor/nvim-cmp.lua index 79213e3..dab3c87 100644 --- a/modules/home/apps/tools/neovim/config/lua/plugins/editor/nvim-cmp.lua +++ b/modules/home/apps/tools/neovim/config/lua/plugins/editor/nvim-cmp.lua @@ -6,6 +6,47 @@ return { build = "make install_jsregexp", config = function() require("luasnip.loaders.from_vscode").lazy_load() + + local ls = require("luasnip") + local s = ls.snippet + local i = ls.insert_node + local t = ls.text_node + local fmt = require("luasnip.extras.fmt").fmt -- Import the fmt function + + -- Define a new snippet for your specific use case + ls.add_snippets("nix", { -- Assuming the snippet is for Nix files, adjust the filetype as necessary + s( + "nixcfg", + fmt( + [[ +{ + lib, + config, + pkgs, + ... +}: +with lib; +with lib.custom; let + cfg = config.{<>}; +in { + options.{<>} = with types; { + enable = mkBoolOpt false "<>"; + }; + + config = mkIf cfg.enable { +<> + }; +}]], + { + i(1), -- Cursor point 1, after config. + i(2), -- Cursor point 2, after options. + i(3), -- Cursor point 3, for the option description inside mkBoolOpt + i(4), -- Cursor point 4, inside the mkIf cfg.enable block + }, + { delimiters = "<>" } + ) + ), -- Ensure to specify the delimiters if they differ from the default + }) end, }, diff --git a/modules/nixos/services/web/nginx/default.nix b/modules/nixos/services/web/nginx/default.nix new file mode 100644 index 0000000..25295d9 --- /dev/null +++ b/modules/nixos/services/web/nginx/default.nix 
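Review bot: `local t = ls.text_node` in the new luasnip block is never used, because the snippet body is built entirely from `fmt` plus insert nodes; drop that line (or the alias) so the linter does not flag an unused local. The comment `-- Ensure to specify the delimiters if they differ from the default` is attached to the closing `),` of `s(...)` rather than to the `{ delimiters = "<>" }` table it describes; moving it up one line keeps the explanation next to the option it explains.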
@@ -0,0 +1,28 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+with lib;
+with lib.custom; let
+ cfg = config.services.web.nginx;
+in {
+ options.services.web.nginx = with types; {
+ enable = mkBoolOpt false "Enable NGINX Service";
+ };
+
+ config = mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "node.nyc.zackmyers.io" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/sites/cv/default.nix b/modules/nixos/sites/cv/default.nix
new file mode 100644
index 0000000..8c2a176
--- /dev/null
+++ b/modules/nixos/sites/cv/default.nix
@@ -0,0 +1,34 @@
+{
+ lib,
+ config,
+ pkgs,
+ inputs,
+ ...
+}:
+with lib;
+with lib.custom; let
+ cfg = config.sites.cv;
+in {
+ options.sites.cv = with types; {
+ enable = mkBoolOpt false "Enable CV site";
+
+ domain = mkStringOpt "cv.zackster.zip" "The domain for the site";
+ };
+
+ config = mkIf cfg.enable {
+ warnings =
+ lib.optional (!config.services.nginx.enable)
+ "CV site is enabled, but it depends on Nginx which is not enabled.";
+
+ services.nginx.virtualHosts.${cfg.domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ root = "${inputs.resume.packages.${pkgs.system}.default}";
+ };
+ extraConfig = ''
+ index resume.pdf;
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/sites/gitlab/default.nix b/modules/nixos/sites/gitlab/default.nix
new file mode 100644
index 0000000..8a1ff77
--- /dev/null
+++ b/modules/nixos/sites/gitlab/default.nix
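Review bot: The shared nginx module enables `recommendedProxySettings` but not `recommendedTlsSettings`, so every `forceSSL` vhost added in this commit is served with nginx's built-in TLS protocol/cipher defaults rather than the hardened profile the NixOS module ships; add `recommendedTlsSettings = true;` beside it (nothing else in this diff sets it). The `package = pkgs.nginxStable.override {openssl = pkgs.libressl;};` swap changes which TLS stack this host depends on for security updates and is easy to revert by accident, so it deserves a one-line why-comment, e.g. `# LibreSSL instead of OpenSSL on purpose: <reason>`.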
@@ -0,0 +1,117 @@ +{ + lib, + config, + pkgs, + ... +}: +with lib; +with lib.custom; let + cfg = config.sites.gitlab; + + sec = config.age.secrets; + user = config.services.gitlab.user; + group = config.services.gitlab.group; +in { + options.sites.gitlab = with types; { + enable = mkBoolOpt false "Enable GitLab"; + + domain = mkStringOpt "git.zackster.zip" "Domain for GitLab"; + }; + + config = mkIf cfg.enable { + age.secrets = { + gitlab_db = { + file = ../../../sec/gitlab_db.age; + owner = user; + group = group; + }; + gitlab_initpw = { + file = ../../../sec/gitlab_initpw.age; + owner = user; + group = group; + }; + gitlab_otp = { + file = ../../../sec/gitlab_otp.age; + owner = user; + group = group; + }; + gitlab_pw = { + file = ../../../sec/gitlab_pw.age; + owner = user; + group = group; + }; + gitlab_sec = { + file = ../../../sec/gitlab_sec.age; + owner = user; + group = group; + }; + gitlab_runner = { + file = ../../../sec/gitlab_runner.age; + }; + }; + + boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1 + + services.gitlab-runner = { + enable = true; + services = { + nix = with lib; { + registrationConfigFile = toString sec.gitlab_runner.path; # 2 + dockerImage = "alpine"; + dockerVolumes = [ + "/nix/store:/nix/store:ro" + "/nix/var/nix/db:/nix/var/nix/db:ro" + "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" + ]; + dockerDisableCache = true; + preBuildScript = pkgs.writeScript "setup-container" '' + mkdir -p -m 0755 /nix/var/log/nix/drvs + mkdir -p -m 0755 /nix/var/nix/gcroots + mkdir -p -m 0755 /nix/var/nix/profiles + mkdir -p -m 0755 /nix/var/nix/temproots + mkdir -p -m 0755 /nix/var/nix/userpool + mkdir -p -m 1777 /nix/var/nix/gcroots/per-user + mkdir -p -m 1777 /nix/var/nix/profiles/per-user + mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root + mkdir -p -m 0700 "$HOME/.nix-defexpr" + . 
${pkgs.nix}/etc/profile.d/nix-daemon.sh + ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3 + ${pkgs.nix}/bin/nix-channel --update nixpkgs + ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])} + ''; + environmentVariables = { + ENV = "/etc/profile"; + USER = "root"; + NIX_REMOTE = "daemon"; + PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; + NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; + }; + tagList = ["nix"]; + }; + }; + }; + + services.gitlab = { + enable = true; + databasePasswordFile = sec.gitlab_db.path; + initialRootPasswordFile = sec.gitlab_initpw.path; + port = 443; + https = true; + host = "git.zackmyers.io"; + secrets = { + secretFile = sec.gitlab_sec.path; + otpFile = sec.gitlab_otp.path; + dbFile = sec.gitlab_db.path; + jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out"; + }; + }; + + services.nginx.virtualHosts.${cfg.domain} = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; + }; + + systemd.services.gitlab-backup.environment.BACKUP = "dump"; + }; +} diff --git a/modules/nixos/sites/grafana/default.nix b/modules/nixos/sites/grafana/default.nix new file mode 100644 index 0000000..b25c53b --- /dev/null +++ b/modules/nixos/sites/grafana/default.nix 
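Review bot: `jwsFile = pkgs.runCommand "oidcKeyBase" {} "... openssl genrsa 2048 > $out"` produces GitLab's OpenID Connect signing key as a build output, so the private key sits world-readable in `/nix/store` (and in any binary cache this host pushes to) and is silently regenerated whenever the derivation's inputs change, invalidating previously issued tokens; provision it like the other secrets with an `age.secrets` entry mirroring `gitlab_sec` and `jwsFile = sec.gitlab_jws.path;`. `host = "git.zackmyers.io"` is hard-coded while the nginx vhost is keyed on `cfg.domain` (default `git.zackster.zip`), so GitLab's external URL and the host that actually serves it disagree, which breaks generated links and OAuth redirect URIs as soon as the option is overridden; use `host = cfg.domain;`. The runner's `preBuildScript` still registers the `nixos-20.09` channel, which no longer receives security fixes, and `gitlab_pw` is declared but never referenced by anything in this module.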
@@ -0,0 +1,193 @@ +{ + lib, + config, + pkgs, + ... +}: +with lib; +with lib.custom; let + cfg = config.sites.grafana; +in { + options.sites.grafana = with types; { + enable = mkBoolOpt false "Enable grafana"; + + domain = mkStringOpt "monitor.zackmyers.io" "The domain for grafana"; + }; + + config = mkIf cfg.enable { + services.grafana = { + enable = true; + domain = cfg.domain; + port = 2342; + addr = "127.0.0.1"; + protocol = "http"; + analytics.reporting.enable = false; + + provision = { + enable = true; + datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + access = "proxy"; + url = "http://127.0.0.1:${toString config.services.prometheus.port}"; + } + { + name = "Loki"; + type = "loki"; + access = "proxy"; + url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}"; + } + ]; + }; + }; + + services.prometheus = { + enable = true; + port = 9001; + exporters = { + node = { + enable = true; + enabledCollectors = ["systemd"]; + port = 9002; + }; + }; + + scrapeConfigs = [ + { + job_name = "chrysalis"; + scrape_interval = "10s"; + static_configs = [ + { + targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"]; + } + ]; + } + ]; + }; + + services.loki = { + enable = true; + configuration = { + server.http_listen_port = 3030; + auth_enabled = false; + + ingester = { + lifecycler = { + address = "127.0.0.1"; + ring = { + kvstore = { + store = "inmemory"; + }; + replication_factor = 1; + }; + }; + chunk_idle_period = "1h"; + max_chunk_age = "1h"; + chunk_target_size = 999999; + chunk_retain_period = "30s"; + max_transfer_retries = 0; + }; + + schema_config = { + configs = [ + { + from = "2022-06-06"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v11"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + }; + + storage_config = { + boltdb_shipper = { + active_index_directory = "/var/lib/loki/boltdb-shipper-active"; + cache_location 
= "/var/lib/loki/boltdb-shipper-cache"; + cache_ttl = "24h"; + shared_store = "filesystem"; + }; + + filesystem = { + directory = "/var/lib/loki/chunks"; + }; + }; + + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + }; + + chunk_store_config = { + max_look_back_period = "0s"; + }; + + table_manager = { + retention_deletes_enabled = false; + retention_period = "0s"; + }; + + compactor = { + working_directory = "/var/lib/loki"; + shared_store = "filesystem"; + compactor_ring = { + kvstore = { + store = "inmemory"; + }; + }; + }; + }; + }; + + services.promtail = { + enable = true; + configuration = { + server = { + http_listen_port = 3031; + grpc_listen_port = 0; + }; + positions = { + filename = "/tmp/positions.yaml"; + }; + clients = [ + { + url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; + } + ]; + scrape_configs = [ + { + job_name = "journal"; + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "pluto"; + }; + }; + relabel_configs = [ + { + source_labels = ["__journal__systemd_unit"]; + target_label = "unit"; + } + ]; + } + ]; + }; + # extraFlags + }; + + services.nginx.virtualHosts.${config.services.grafana.domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; + recommendedProxySettings = true; + proxyWebsockets = true; + }; + }; + }; +} diff --git a/modules/nixos/sites/mirror/default.nix b/modules/nixos/sites/mirror/default.nix new file mode 100644 index 0000000..d8344a7 --- /dev/null +++ b/modules/nixos/sites/mirror/default.nix 
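Review bot: Loki runs with `auth_enabled = false` and only `server.http_listen_port = 3030`, and Prometheus and the node exporter only set `port`, so these unauthenticated HTTP endpoints bind to all interfaces by default and are shielded solely by the host firewall; since every consumer in this module already talks to them over `127.0.0.1`, bind them there explicitly with `server.http_listen_address = "127.0.0.1";` in the Loki config and `listenAddress = "127.0.0.1";` under both `services.prometheus` and `exporters.node` (promtail's `http_listen_address` likewise). Promtail's `positions.filename = "/tmp/positions.yaml"` keeps its journal cursor in a temporary directory, so a service restart or reboot can lose it and re-ingest the last `max_age = "12h"` of logs; a persistent path such as `/var/lib/promtail/positions.yaml` avoids that.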
@@ -0,0 +1,44 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+with lib;
+with lib.custom; let
+ cfg = config.sites.mirror;
+in {
+ options.sites.mirror = with types; {
+ enable = mkBoolOpt false "Enable ArchLinux Mirror";
+ };
+
+ config = mkIf cfg.enable {
+ systemd.timers."mirror-update" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "1h";
+ OnUnitActiveSec = "1h";
+ Unit = "mirror-update.service";
+ };
+ };
+
+ systemd.services."mirror-update" = {
+ script = ''
+ ${pkgs.rsync}/bin/rsync -vPa rsync://mirrors.lug.mtu.edu/archlinux/ /var/www/mirror.zackmyers.io/archlinux/
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+
+ services.nginx.virtualHosts."mirror.zackmyers.io" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/mirror.zackmyers.io";
+ locations."/".extraConfig = ''
+ autoindex on;
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/sites/pterodactyl/default.nix b/modules/nixos/sites/pterodactyl/default.nix
new file mode 100644
index 0000000..a669afb
--- /dev/null
+++ b/modules/nixos/sites/pterodactyl/default.nix
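Review bot: `mirror-update` pulls from a third-party rsync endpoint hourly as `User = "root"`, so a compromised upstream or an rsync client bug runs with full privileges, and `-a` faithfully reproduces whatever ownership, modes and symlinks upstream publishes into a tree nginx serves with `autoindex on` (nginx follows symlinks by default). Run it as a dedicated unprivileged account that owns `/var/www/mirror.zackmyers.io`, e.g. `User = "mirror";` with a matching `users.users.mirror` system user, and add `--safe-links` to the rsync command so symlinks pointing outside the mirrored tree are skipped. A `--timeout=` on the transfer is also worth adding so a stalled peer cannot hold the oneshot unit open indefinitely.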
@@ -0,0 +1,183 @@ +{ + lib, + config, + pkgs, + ... +}: +with lib; +with lib.custom; let + cfg = config.sites.pterodactyl; + + wings = pkgs.stdenv.mkDerivation { + name = "wings"; + + src = pkgs.fetchurl { + name = "wings"; + url = "https://github.com/pterodactyl/wings/releases/latest/download/wings_linux_amd64"; + sha256 = "sha256-S8vTpxvtmv7TfRMpgKxVPkvTmji1rlPEd9ApM3Rt6FY="; + }; + + phases = ["installPhase"]; + + installPhase = '' + install -D $src $out/bin/wings + ''; + }; +in { + options.sites.pterodactyl = with types; { + enable = mkBoolOpt false "Enable Pterodactyl Site"; + }; + + config = mkIf cfg.enable { + services.mysql = { + enable = true; + package = pkgs.mariadb; + }; + + systemd.timers."p_artisan-run" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnBootSec = "1m"; + OnUnitActiveSec = "1m"; + Unit = "p_artisan-run.service"; + }; + }; + + systemd.services."p_artisan-run" = { + script = '' + ${pkgs.php}/bin/php /var/www/pterodactyl/artisan schedule:run >> /dev/null 2>&1 + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + + systemd.services."wings" = { + after = ["docker.service"]; + requires = ["docker.service"]; + partOf = ["docker.service"]; + script = '' + #!/usr/bin/env bash + export PATH=${pkgs.shadow}/bin:$PATH + ${wings}/bin/wings + ''; + wantedBy = ["multi-user.target"]; + serviceConfig = { + User = "root"; + WorkingDirectory = "/etc/pterodactyl"; + LimitNOFILE = 4096; + PIDFile = /var/run/wings/daemon.pid; + Restart = "on-failure"; + StartLimitInterval = 180; + StartLimitBurst = 30; + RestartSec = "5s"; + }; + }; + + systemd.services."p_queue-worker" = { + after = ["redis.service"]; + wantedBy = ["multi-user.target"]; + script = '' + ${pkgs.php}/bin/php /var/www/pterodactyl/artisan queue:work --queue=high,standard,low --sleep=3 --tries=3 + ''; + serviceConfig = { + User = "nginx"; + Group = "nginx"; + Restart = "always"; + StartLimitInterval = 180; + StartLimitBurst = 30; + RestartSec = "5s"; + }; + }; + + 
services.nginx.virtualHosts."pterodactyl.zackmyers.io" = { + forceSSL = true; + enableACME = true; + root = "/var/www/pterodactyl/public"; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php?$query_string; + ''; + locations."/favicon.ico".extraConfig = '' + access_log off; log_not_found off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; log_not_found off; + ''; + locations."~ \\.php$".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools.pterodactyl.socket}; + fastcgi_index index.php; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M"; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param HTTP_PROXY ""; + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + fastcgi_connect_timeout 300; + fastcgi_send_timeout 300; + fastcgi_read_timeout 300; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_redirect off; + proxy_buffering off; + proxy_request_buffering off; + ''; + + locations."~ /\\.ht".extraConfig = '' + deny all; + ''; + + extraConfig = '' + index index.html index.htm index.php; + charset utf-8; + + access_log off; + error_log /var/log/nginx/pterodactyl.app-error.log error; + + # allow larger file uploads and longer script runtimes + client_max_body_size 100m; + client_body_timeout 120s; + + sendfile off; + ''; + }; + + services.phpfpm = { + phpOptions = '' + extension=${pkgs.php81Extensions.openssl}/lib/php/extensions/openssl.so + extension=${pkgs.php81Extensions.gd}/lib/php/extensions/gd.so + extension=${pkgs.php81Extensions.mysqlnd}/lib/php/extensions/mysqlnd.so + extension=${pkgs.php81Extensions.mbstring}/lib/php/extensions/mbstring.so + 
extension=${pkgs.php81Extensions.tokenizer}/lib/php/extensions/tokenizer.so
+ extension=${pkgs.php81Extensions.bcmath}/lib/php/extensions/bcmath.so
+ extension=${pkgs.php81Extensions.xml}/lib/php/extensions/xml.so
+ extension=${pkgs.php81Extensions.dom}/lib/php/extensions/dom.so
+ extension=${pkgs.php81Extensions.curl}/lib/php/extensions/curl.so
+ extension=${pkgs.php81Extensions.zip}/lib/php/extensions/zip.so
+ '';
+ pools.pterodactyl = {
+ user = config.services.nginx.user;
+ phpPackage = pkgs.php81;
+ settings = {
+ "pm" = "dynamic";
+ "listen.owner" = config.services.nginx.user;
+ "pm.max_children" = 5;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 1;
+ "pm.max_spare_servers" = 3;
+ "pm.max_requests" = 500;
+ };
+ };
+ };
+
+ services.redis = {
+ enable = true;
+ };
+ };
+}
diff --git a/modules/nixos/sites/search/default.nix b/modules/nixos/sites/search/default.nix
new file mode 100644
index 0000000..cf21fcf
--- /dev/null
+++ b/modules/nixos/sites/search/default.nix
@@ -0,0 +1,41 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+with lib;
+with lib.custom; let
+ cfg = config.sites.search;
+in {
+ options.sites.search = with types; {
+ enable = mkBoolOpt false "Enable Search (Searxng)";
+
+ domain = mkStringOpt "search.zackmyers.io" "The domain of the search instance";
+ };
+
+ config = mkIf cfg.enable {
+ services.searx = {
+ enable = true;
+ package = pkgs.searxng;
+ runInUwsgi = true;
+ settings = {
+ # server.port = 8080;
+ # server.bind_addres = "0.0.0.0";
+ server.secret_key = "6f6bf40218f239718cacbc2cd837792be828e840b48ac72a8e0a9d0ddb9d0b00"; # you can know this i don't care
+ server.base_url = "https://${cfg.domain}/searx/";
+ };
+ uwsgiConfig = {
+ http = ":8080";
+ };
+ };
+
+ services.nginx.virtualHosts.${cfg.domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/searx/" = {
+ proxyPass = "http://localhost:8080";
+ };
+ };
+ };
+}
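Review bot: `p_artisan-run` executes `artisan schedule:run` every minute as `User = "root"`, while the queue worker and the PHP-FPM pool run as `nginx`; the scheduler runs the same Laravel code base from `/var/www/pterodactyl`, so any bug there is exploitable as root and the cache/log files it creates come out root-owned and unreadable by the pool — give it `User = "nginx"; Group = "nginx";` like `p_queue-worker`. `wings` is fetched from `releases/latest/download/wings_linux_amd64` with a fixed `sha256`, so the URL is a moving target that will fail the hash check at the next upstream release and the hash cannot be traced back to a specific version; pin the URL to a release tag (`releases/download/v<tag>/wings_linux_amd64`) and bump it deliberately. Both artisan units invoke `${pkgs.php}/bin/php` while the FPM pool and its extension list are built on `pkgs.php81`, so CLI and FPM may run different PHP versions; use `${pkgs.php81}/bin/php` in both `script`s. The vhost-wide `access_log off;` also leaves no request trail for an authenticated admin panel, which is worth reconsidering for incident response.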
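Review bot: `server.secret_key` is a literal in the module, so it is committed to the repo and written into the world-readable `/nix/store` settings file on every host that evaluates it, and the `# you can know this i don't care` comment does not change what SearXNG uses it for (cookie/HMAC signing); rotate it and load it from an age-managed file instead, e.g. `server.secret_key = "@SEARXNG_SECRET@";` with `services.searx.environmentFile` pointing at a file that defines `SEARXNG_SECRET` (the NixOS searx module substitutes `@VAR@` placeholders from that file). `uwsgiConfig.http = ":8080"` binds every interface although nginx only ever proxies to `localhost:8080`; `http = "127.0.0.1:8080";` keeps the unauthenticated uwsgi listener off the network.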
diff --git a/systems/x86_64-linux/earth/default.nix b/systems/x86_64-linux/earth/default.nix index 24a24a1..da22a03 100644 --- a/systems/x86_64-linux/earth/default.nix +++ b/systems/x86_64-linux/earth/default.nix @@ -81,9 +81,6 @@ home = { enable = true; - config = { - # home-manager.stateVersion = "23.11"; - }; }; }; diff --git a/systems/x86_64-linux/pluto/default.nix b/systems/x86_64-linux/pluto/default.nix index bd63d64..7f871a8 100644 --- a/systems/x86_64-linux/pluto/default.nix +++ b/systems/x86_64-linux/pluto/default.nix @@ -9,14 +9,6 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - - ./services/searxng.nix - ./services/nginx.nix - ./services/mirror.nix - ./services/pterodactyl.nix - ./services/gitlab.nix - ./services/cv.nix - ./services/grafana.nix ]; # Bootloader. @@ -25,6 +17,19 @@ networking.hostName = "pluto"; # Define your hostname. + services.web.nginx.enable = true; + sites = { + cv.enable = true; + gitlab.enable = true; + grafana.enable = true; + mirror.enable = true; + pterodactyl.enable = true; + search.enable = true; + }; + + zmio.blog.enable = true; + zmio.blog.domain = "zackster.zip"; + nix.settings.experimental-features = ["nix-command" "flakes"]; # Enable networking @@ -87,23 +92,21 @@ virtualisation.docker.enable = true; - home-manager = { - extraSpecialArgs = {inherit inputs;}; - users = { - "zack" = { - imports = [../../modules/home-manager/pluto.nix]; - _module.args.theme = import ../../core/theme.nix; + snowfallorg.users.zack = { + create = true; + admin = false; - home.username = "zack"; - home.homeDirectory = "/home/zack"; - }; - "alfie" = { - imports = [../../modules/home-manager/pluto.nix]; - _module.args.theme = import ../../core/theme.nix; + home = { + enable = true; + }; + }; - home.username = "alfie"; - home.homeDirectory = "/home/alfie"; - }; + snowfallorg.users.alfie = { + create = true; + admin = false; + + home = { + enable = true; }; }; 
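Review bot: `cv.enable = true` and `gitlab.enable = true` are set without a `domain`, so those modules fall back to their defaults `cv.zackster.zip` and `git.zackster.zip`, whereas the `services/cv.nix` and `services/gitlab.nix` this commit deletes served `cv.zackmyers.io` and `git.zackmyers.io`; if the hostname move is not intended, add `sites.cv.domain = "cv.zackmyers.io";` and `sites.gitlab.domain = "git.zackmyers.io";` here, otherwise the old vhosts and their ACME certificates silently stop being renewed while GitLab's own `host` still says `git.zackmyers.io`. Either way a short comment next to the `sites = { ... }` block stating which domain each site is expected to answer on would make the intent visible to the next reader.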
@@ -129,8 +132,6 @@ permitRootLogin = "no"; }; - zmio.blog.enable = true; - # Open ports in the firewall. networking.firewall.allowedTCPPorts = [80 443 6969 2022]; networking.firewall.allowedTCPPortRanges = [ diff --git a/systems/x86_64-linux/pluto/services/cv.nix b/systems/x86_64-linux/pluto/services/cv.nix deleted file mode 100644 index 6fab9c7..0000000 --- a/systems/x86_64-linux/pluto/services/cv.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ - inputs, - pkgs, - ... -}: { - services.nginx.virtualHosts."cv.zackmyers.io" = { - forceSSL = true; - enableACME = true; - locations."/" = { - root = "${inputs.resume.packages.${pkgs.system}.default}"; - }; - extraConfig = '' - index resume.pdf; - ''; - }; -} diff --git a/systems/x86_64-linux/pluto/services/gitlab.nix b/systems/x86_64-linux/pluto/services/gitlab.nix deleted file mode 100644 index 4020a5f..0000000 --- a/systems/x86_64-linux/pluto/services/gitlab.nix +++ /dev/null 
@@ -1,105 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: let - sec = config.age.secrets; - user = config.services.gitlab.user; - group = config.services.gitlab.group; -in { - age.secrets = { - gitlab_db = { - file = ../../../sec/gitlab_db.age; - owner = user; - group = group; - }; - gitlab_initpw = { - file = ../../../sec/gitlab_initpw.age; - owner = user; - group = group; - }; - gitlab_otp = { - file = ../../../sec/gitlab_otp.age; - owner = user; - group = group; - }; - gitlab_pw = { - file = ../../../sec/gitlab_pw.age; - owner = user; - group = group; - }; - gitlab_sec = { - file = ../../../sec/gitlab_sec.age; - owner = user; - group = group; - }; - gitlab_runner = { - file = ../../../sec/gitlab_runner.age; - }; - }; - - boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1 - - services.gitlab-runner = { - enable = true; - services = { - nix = with lib; { - registrationConfigFile = toString sec.gitlab_runner.path; # 2 - dockerImage = "alpine"; - dockerVolumes = [ - "/nix/store:/nix/store:ro" - "/nix/var/nix/db:/nix/var/nix/db:ro" - "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" - ]; - dockerDisableCache = true; - preBuildScript = pkgs.writeScript "setup-container" '' - mkdir -p -m 0755 /nix/var/log/nix/drvs - mkdir -p -m 0755 /nix/var/nix/gcroots - mkdir -p -m 0755 /nix/var/nix/profiles - mkdir -p -m 0755 /nix/var/nix/temproots - mkdir -p -m 0755 /nix/var/nix/userpool - mkdir -p -m 1777 /nix/var/nix/gcroots/per-user - mkdir -p -m 1777 /nix/var/nix/profiles/per-user - mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root - mkdir -p -m 0700 "$HOME/.nix-defexpr" - . 
${pkgs.nix}/etc/profile.d/nix-daemon.sh - ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3 - ${pkgs.nix}/bin/nix-channel --update nixpkgs - ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])} - ''; - environmentVariables = { - ENV = "/etc/profile"; - USER = "root"; - NIX_REMOTE = "daemon"; - PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; - NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; - }; - tagList = ["nix"]; - }; - }; - }; - - services.gitlab = { - enable = true; - databasePasswordFile = sec.gitlab_db.path; - initialRootPasswordFile = sec.gitlab_initpw.path; - port = 443; - https = true; - host = "git.zackmyers.io"; - secrets = { - secretFile = sec.gitlab_sec.path; - otpFile = sec.gitlab_otp.path; - dbFile = sec.gitlab_db.path; - jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out"; - }; - }; - - services.nginx.virtualHosts."git.zackmyers.io" = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; - }; - - systemd.services.gitlab-backup.environment.BACKUP = "dump"; -} diff --git a/systems/x86_64-linux/pluto/services/grafana.nix b/systems/x86_64-linux/pluto/services/grafana.nix deleted file mode 100644 index 6eb025c..0000000 --- a/systems/x86_64-linux/pluto/services/grafana.nix +++ /dev/null 
@@ -1,176 +0,0 @@ -{config, ...}: { - services.grafana = { - enable = true; - domain = "monitor.zackmyers.io"; - port = 2342; - addr = "127.0.0.1"; - protocol = "http"; - analytics.reporting.enable = false; - - provision = { - enable = true; - datasources.settings.datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - access = "proxy"; - url = "http://127.0.0.1:${toString config.services.prometheus.port}"; - } - { - name = "Loki"; - type = "loki"; - access = "proxy"; - url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}"; - } - ]; - }; - }; - - services.prometheus = { - enable = true; - port = 9001; - exporters = { - node = { - enable = true; - enabledCollectors = ["systemd"]; - port = 9002; - }; - }; - - scrapeConfigs = [ - { - job_name = "chrysalis"; - scrape_interval = "10s"; - static_configs = [ - { - targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"]; - } - ]; - } - ]; - }; - - services.loki = { - enable = true; - configuration = { - server.http_listen_port = 3030; - auth_enabled = false; - - ingester = { - lifecycler = { - address = "127.0.0.1"; - ring = { - kvstore = { - store = "inmemory"; - }; - replication_factor = 1; - }; - }; - chunk_idle_period = "1h"; - max_chunk_age = "1h"; - chunk_target_size = 999999; - chunk_retain_period = "30s"; - max_transfer_retries = 0; - }; - - schema_config = { - configs = [ - { - from = "2022-06-06"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v11"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - ]; - }; - - storage_config = { - boltdb_shipper = { - active_index_directory = "/var/lib/loki/boltdb-shipper-active"; - cache_location = "/var/lib/loki/boltdb-shipper-cache"; - cache_ttl = "24h"; - shared_store = "filesystem"; - }; - - filesystem = { - directory = "/var/lib/loki/chunks"; - }; - }; - - limits_config = { - reject_old_samples = true; - reject_old_samples_max_age = "168h"; - }; - - 
chunk_store_config = { - max_look_back_period = "0s"; - }; - - table_manager = { - retention_deletes_enabled = false; - retention_period = "0s"; - }; - - compactor = { - working_directory = "/var/lib/loki"; - shared_store = "filesystem"; - compactor_ring = { - kvstore = { - store = "inmemory"; - }; - }; - }; - }; - }; - - services.promtail = { - enable = true; - configuration = { - server = { - http_listen_port = 3031; - grpc_listen_port = 0; - }; - positions = { - filename = "/tmp/positions.yaml"; - }; - clients = [ - { - url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; - } - ]; - scrape_configs = [ - { - job_name = "journal"; - journal = { - max_age = "12h"; - labels = { - job = "systemd-journal"; - host = "pluto"; - }; - }; - relabel_configs = [ - { - source_labels = ["__journal__systemd_unit"]; - target_label = "unit"; - } - ]; - } - ]; - }; - # extraFlags - }; - - services.nginx.virtualHosts.${config.services.grafana.domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; - recommendedProxySettings = true; - proxyWebsockets = true; - }; - }; -} diff --git a/systems/x86_64-linux/pluto/services/mirror.nix b/systems/x86_64-linux/pluto/services/mirror.nix deleted file mode 100644 index a2d2a2c..0000000 --- a/systems/x86_64-linux/pluto/services/mirror.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -{pkgs, ...}: { - systemd.timers."mirror-update" = { - wantedBy = ["timers.target"]; - timerConfig = { - OnBootSec = "1h"; - OnUnitActiveSec = "1h"; - Unit = "mirror-update.service"; - }; - }; - - systemd.services."mirror-update" = { - script = '' - ${pkgs.rsync}/bin/rsync -vPa rsync://mirrors.lug.mtu.edu/archlinux/ /var/www/mirror.zackmyers.io/archlinux/ - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - - services.nginx.virtualHosts."mirror.zackmyers.io" = { - forceSSL = true; - enableACME = true; - root = "/var/www/mirror.zackmyers.io"; - locations."/".extraConfig = '' - autoindex on; - ''; - }; -} diff --git a/systems/x86_64-linux/pluto/services/nginx.nix b/systems/x86_64-linux/pluto/services/nginx.nix deleted file mode 100644 index ad968ae..0000000 --- a/systems/x86_64-linux/pluto/services/nginx.nix +++ /dev/null @@ -1,13 +0,0 @@ -{pkgs, ...}: { - services.nginx = { - enable = true; - package = pkgs.nginxStable.override {openssl = pkgs.libressl;}; - recommendedProxySettings = true; - virtualHosts = { - "node.nyc.zackmyers.io" = { - forceSSL = true; - enableACME = true; - }; - }; - }; -} diff --git a/systems/x86_64-linux/pluto/services/pterodactyl.nix b/systems/x86_64-linux/pluto/services/pterodactyl.nix deleted file mode 100644 index 9d6dcd7..0000000 --- a/systems/x86_64-linux/pluto/services/pterodactyl.nix +++ /dev/null 
@@ -1,172 +0,0 @@ -{ - pkgs, - config, - ... -}: let - wings = pkgs.stdenv.mkDerivation { - name = "wings"; - - src = pkgs.fetchurl { - name = "wings"; - url = "https://github.com/pterodactyl/wings/releases/latest/download/wings_linux_amd64"; - sha256 = "sha256-S8vTpxvtmv7TfRMpgKxVPkvTmji1rlPEd9ApM3Rt6FY="; - }; - - phases = ["installPhase"]; - - installPhase = '' - install -D $src $out/bin/wings - ''; - }; -in { - services.mysql = { - enable = true; - package = pkgs.mariadb; - }; - - systemd.timers."p_artisan-run" = { - wantedBy = ["timers.target"]; - timerConfig = { - OnBootSec = "1m"; - OnUnitActiveSec = "1m"; - Unit = "p_artisan-run.service"; - }; - }; - - systemd.services."p_artisan-run" = { - script = '' - ${pkgs.php}/bin/php /var/www/pterodactyl/artisan schedule:run >> /dev/null 2>&1 - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - - systemd.services."wings" = { - after = ["docker.service"]; - requires = ["docker.service"]; - partOf = ["docker.service"]; - script = '' - #!/usr/bin/env bash - export PATH=${pkgs.shadow}/bin:$PATH - ${wings}/bin/wings - ''; - wantedBy = ["multi-user.target"]; - serviceConfig = { - User = "root"; - WorkingDirectory = "/etc/pterodactyl"; - LimitNOFILE = 4096; - PIDFile = /var/run/wings/daemon.pid; - Restart = "on-failure"; - StartLimitInterval = 180; - StartLimitBurst = 30; - RestartSec = "5s"; - }; - }; - - systemd.services."p_queue-worker" = { - after = ["redis.service"]; - wantedBy = ["multi-user.target"]; - script = '' - ${pkgs.php}/bin/php /var/www/pterodactyl/artisan queue:work --queue=high,standard,low --sleep=3 --tries=3 - ''; - serviceConfig = { - User = "nginx"; - Group = "nginx"; - Restart = "always"; - StartLimitInterval = 180; - StartLimitBurst = 30; - RestartSec = "5s"; - }; - }; - - services.nginx.virtualHosts."pterodactyl.zackmyers.io" = { - forceSSL = true; - enableACME = true; - root = "/var/www/pterodactyl/public"; - - locations."/".extraConfig = '' - try_files $uri $uri/ 
/index.php?$query_string; - ''; - locations."/favicon.ico".extraConfig = '' - access_log off; log_not_found off; - ''; - locations."/robots.txt".extraConfig = '' - access_log off; log_not_found off; - ''; - locations."~ \\.php$".extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${config.services.phpfpm.pools.pterodactyl.socket}; - fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M"; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param HTTP_PROXY ""; - fastcgi_intercept_errors off; - fastcgi_buffer_size 16k; - fastcgi_buffers 4 16k; - fastcgi_connect_timeout 300; - fastcgi_send_timeout 300; - fastcgi_read_timeout 300; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_redirect off; - proxy_buffering off; - proxy_request_buffering off; - ''; - - locations."~ /\\.ht".extraConfig = '' - deny all; - ''; - - extraConfig = '' - index index.html index.htm index.php; - charset utf-8; - - access_log off; - error_log /var/log/nginx/pterodactyl.app-error.log error; - - # allow larger file uploads and longer script runtimes - client_max_body_size 100m; - client_body_timeout 120s; - - sendfile off; - ''; - }; - - services.phpfpm = { - phpOptions = '' - extension=${pkgs.php81Extensions.openssl}/lib/php/extensions/openssl.so - extension=${pkgs.php81Extensions.gd}/lib/php/extensions/gd.so - extension=${pkgs.php81Extensions.mysqlnd}/lib/php/extensions/mysqlnd.so - extension=${pkgs.php81Extensions.mbstring}/lib/php/extensions/mbstring.so - extension=${pkgs.php81Extensions.tokenizer}/lib/php/extensions/tokenizer.so - extension=${pkgs.php81Extensions.bcmath}/lib/php/extensions/bcmath.so - extension=${pkgs.php81Extensions.xml}/lib/php/extensions/xml.so - 
extension=${pkgs.php81Extensions.dom}/lib/php/extensions/dom.so - extension=${pkgs.php81Extensions.curl}/lib/php/extensions/curl.so - extension=${pkgs.php81Extensions.zip}/lib/php/extensions/zip.so - ''; - pools.pterodactyl = { - user = config.services.nginx.user; - phpPackage = pkgs.php81; - settings = { - "pm" = "dynamic"; - "listen.owner" = config.services.nginx.user; - "pm.max_children" = 5; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 1; - "pm.max_spare_servers" = 3; - "pm.max_requests" = 500; - }; - }; - }; - - services.redis = { - enable = true; - }; -} diff --git a/systems/x86_64-linux/pluto/services/searxng.nix b/systems/x86_64-linux/pluto/services/searxng.nix deleted file mode 100644 index 2e2570e..0000000 --- a/systems/x86_64-linux/pluto/services/searxng.nix +++ /dev/null @@ -1,24 +0,0 @@ -{pkgs, ...}: { - services.searx = { - enable = true; - package = pkgs.searxng; - runInUwsgi = true; - settings = { - # server.port = 8080; - # server.bind_addres = "0.0.0.0"; - server.secret_key = "6f6bf40218f239718cacbc2cd837792be828e840b48ac72a8e0a9d0ddb9d0b00"; - server.base_url = "https://search.zackmyers.io/searx/"; - }; - uwsgiConfig = { - http = ":8080"; - }; - }; - - services.nginx.virtualHosts."search.zackmyers.io" = { - forceSSL = true; - enableACME = true; - locations."/searx/" = { - proxyPass = "http://localhost:8080"; - }; - }; -}