move to snowfall

This commit is contained in:
zackartz 2024-05-23 20:26:30 +00:00
parent 9d7ad7c973
commit 769d4b0df5
No known key found for this signature in database
GPG key ID: 5B53E53A9A514DBA
188 changed files with 2203 additions and 3041 deletions


@ -0,0 +1,157 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
pkgs,
inputs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./services/searxng.nix
./services/nginx.nix
./services/mirror.nix
./services/pterodactyl.nix
./services/gitlab.nix
./services/cv.nix
./services/grafana.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "pluto"; # Define your hostname.
nix.settings.experimental-features = ["nix-command" "flakes"];
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "America/New_York";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
# Configure keymap in X11
services.xserver = {
layout = "us";
xkbVariant = "";
};
programs.zsh.enable = true;
programs.mosh.enable = true;
environment.systemPackages = [inputs.agenix.packages.${pkgs.system}.agenix];
users.mutableUsers = false;
# Define a user account. Don't forget to set a password with passwd.
users.users.zack = {
isNormalUser = true;
description = "zack";
extraGroups = ["networkmanager" "wheel" "docker"];
shell = pkgs.zsh;
packages = with pkgs; [];
hashedPassword = "$6$rounds=2000000$673Iz4rM8Dr9yz7C$Xq5JXxE7ioUrpZmMf3uTrPN2ODrEu3Sph6EhWyPoM5Ty./FhgB9hU0mz1yYo8sUj7wdUMWfR98haVJ24Wv3BK/";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuUA9KTvcZ+ZTEO90y6VcmQyuwL30I2mOGsm8GZn7BF zack@mars"
];
};
users.users.alfie = {
isNormalUser = true;
description = "alfie";
extraGroups = ["wheel" "docker"];
shell = pkgs.zsh;
hashedPassword = "$6$rounds=2000000$iq6PHGbyILszBS.4$PNjQ8FHJAC6JwwjTns1gxfLrXH0m/yMdFE57O29mGBEKOYm0fDqd1XG/7GjdBgNsxYVVy3LgebOGifSMUwelu1";
openssh.authorizedKeys.keys = [
"ssh-rsa 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 rotki@DESKTOP-J809N7P"
];
};
virtualisation.docker.enable = true;
home-manager = {
extraSpecialArgs = {inherit inputs;};
users = {
"zack" = {
imports = [../../modules/home-manager/pluto.nix];
_module.args.theme = import ../../core/theme.nix;
home.username = "zack";
home.homeDirectory = "/home/zack";
};
"alfie" = {
imports = [../../modules/home-manager/pluto.nix];
_module.args.theme = import ../../core/theme.nix;
home.username = "alfie";
home.homeDirectory = "/home/alfie";
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "zach@zacharymyers.com";
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
passwordAuthentication = false;
permitRootLogin = "no";
};
zmio.blog.enable = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [80 443 6969 2022];
networking.firewall.allowedTCPPortRanges = [
{
from = 25565;
to = 25575;
}
{
from = 24454;
to = 24464;
}
];
networking.firewall.allowedUDPPorts = [80 443 6969 2022];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}
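Review bot: The SHA-512 crypt hashes in `hashedPassword` for the two `users.users` blocks (zack and alfie) are committed in clear, and with `users.mutableUsers = false` they are the only credential for two `wheel` accounts; a hash in a repository can be attacked offline at leisure. This file already pulls agenix into `environment.systemPackages`, so each hash can live in an age secret and be referenced as `hashedPasswordFile = config.age.secrets.<name>.path;` (adding `config` to the module arguments), after which the current hashes should be rotated. Separately, `services.openssh.passwordAuthentication` and `permitRootLogin` appear to be the pre-23.05 option names; the current spelling is `settings.PasswordAuthentication = false;` and `settings.PermitRootLogin = "no";`. `networking.firewall.allowedUDPPorts` repeats the TCP list exactly, 80 and 443 included, which looks copied rather than intended; worth confirming which of those services actually speak UDP.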


@ -0,0 +1,44 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/2367b8e2-fe40-43e4-bc6a-fa19f78bfca4";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4DC0-0CF8";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp35s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp36s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0u14u3c2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,16 @@
{
inputs,
pkgs,
...
}: {
services.nginx.virtualHosts."cv.zackmyers.io" = {
forceSSL = true;
enableACME = true;
locations."/" = {
root = "${inputs.resume.packages.${pkgs.system}.default}";
};
extraConfig = ''
index resume.pdf;
'';
};
}


@ -0,0 +1,105 @@
{
config,
pkgs,
lib,
...
}: let
sec = config.age.secrets;
user = config.services.gitlab.user;
group = config.services.gitlab.group;
in {
age.secrets = {
gitlab_db = {
file = ../../../sec/gitlab_db.age;
owner = user;
group = group;
};
gitlab_initpw = {
file = ../../../sec/gitlab_initpw.age;
owner = user;
group = group;
};
gitlab_otp = {
file = ../../../sec/gitlab_otp.age;
owner = user;
group = group;
};
gitlab_pw = {
file = ../../../sec/gitlab_pw.age;
owner = user;
group = group;
};
gitlab_sec = {
file = ../../../sec/gitlab_sec.age;
owner = user;
group = group;
};
gitlab_runner = {
file = ../../../sec/gitlab_runner.age;
};
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
services.gitlab-runner = {
enable = true;
services = {
nix = with lib; {
registrationConfigFile = toString sec.gitlab_runner.path; # 2
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3
${pkgs.nix}/bin/nix-channel --update nixpkgs
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = ["nix"];
};
};
};
services.gitlab = {
enable = true;
databasePasswordFile = sec.gitlab_db.path;
initialRootPasswordFile = sec.gitlab_initpw.path;
port = 443;
https = true;
host = "git.zackmyers.io";
secrets = {
secretFile = sec.gitlab_sec.path;
otpFile = sec.gitlab_otp.path;
dbFile = sec.gitlab_db.path;
jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
};
};
services.nginx.virtualHosts."git.zackmyers.io" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
systemd.services.gitlab-backup.environment.BACKUP = "dump";
}
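Review bot: `jwsFile` is produced by `pkgs.runCommand "oidcKeyBase"` running `openssl genrsa`, so the GitLab OpenID Connect signing key ends up in `/nix/store`, which is world-readable on the host and, if this machine ever pushes to a binary cache, shipped there as well. Every other GitLab secret in this file is an age secret, and the JWS key should be one too, e.g. `jwsFile = sec.gitlab_jws.path;` with a matching `age.secrets` entry owned by the gitlab user. The `# 1`, `# 2` and `# 3` markers on the sysctl, `registrationConfigFile` and `nix-channel` lines read like footnotes whose text never made it into the file; either add the explanation or drop them. The runner's `preBuildScript` adds the `nixos-20.09` channel, which looks stale next to the `system.stateVersion = "23.11"` elsewhere in this commit; the tools installed into every CI container come from that channel, so it should track a supported release.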


@ -0,0 +1,176 @@
{config, ...}: {
services.grafana = {
enable = true;
domain = "monitor.zackmyers.io";
port = 2342;
addr = "127.0.0.1";
protocol = "http";
analytics.reporting.enable = false;
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
}
];
};
};
services.prometheus = {
enable = true;
port = 9001;
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
};
};
scrapeConfigs = [
{
job_name = "chrysalis";
scrape_interval = "10s";
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
];
};
services.loki = {
enable = true;
configuration = {
server.http_listen_port = 3030;
auth_enabled = false;
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
max_transfer_retries = 0;
};
schema_config = {
configs = [
{
from = "2022-06-06";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v11";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
boltdb_shipper = {
active_index_directory = "/var/lib/loki/boltdb-shipper-active";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
shared_store = "filesystem";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
chunk_store_config = {
max_look_back_period = "0s";
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
shared_store = "filesystem";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "pluto";
};
};
relabel_configs = [
{
source_labels = ["__journal__systemd_unit"];
target_label = "unit";
}
];
}
];
};
# extraFlags
};
services.nginx.virtualHosts.${config.services.grafana.domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
recommendedProxySettings = true;
proxyWebsockets = true;
};
};
}
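Review bot: Promtail's `positions.filename` is `/tmp/positions.yaml`, a world-writable and non-persistent location; losing that file re-ingests the journal from scratch, and the sensible home is a state directory, e.g. `filename = "/var/lib/promtail/positions.yaml";` (confirm the promtail unit can write there or already receives a `StateDirectory`). Loki runs with `auth_enabled = false`, and neither Loki, Prometheus nor the node exporter sets a listen address in this file, so unless the module defaults bind to loopback these unauthenticated endpoints are reachable on every interface and rely on the firewall alone; `server.http_listen_address = "127.0.0.1";` under the Loki configuration, plus the `listenAddress` options of Prometheus and the exporter, keeps them local to match the `127.0.0.1` URLs already used here. The Prometheus job is named `chrysalis` while the Promtail labels say `host = "pluto"`, which looks like a leftover from another machine. The `# extraFlags` line under `services.promtail` is a dangling comment.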


@ -0,0 +1,29 @@
{pkgs, ...}: {
systemd.timers."mirror-update" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "1h";
OnUnitActiveSec = "1h";
Unit = "mirror-update.service";
};
};
systemd.services."mirror-update" = {
script = ''
${pkgs.rsync}/bin/rsync -vPa rsync://mirrors.lug.mtu.edu/archlinux/ /var/www/mirror.zackmyers.io/archlinux/
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
services.nginx.virtualHosts."mirror.zackmyers.io" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mirror.zackmyers.io";
locations."/".extraConfig = ''
autoindex on;
'';
};
}
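Review bot: The `mirror-update` service runs rsync as `User = "root"` in `serviceConfig` although it only needs to write `/var/www/mirror.zackmyers.io/archlinux/`; a dedicated unprivileged user owning that directory, together with `ProtectSystem = "strict";` and a `ReadWritePaths` entry for it, bounds what a bug in rsync or a hostile upstream mirror can touch on the host. The `-v` and `-P` flags also push per-file progress output into the journal on every hourly run; `-a` alone, or `--info=stats2`, keeps the log usable.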


@ -0,0 +1,13 @@
{pkgs, ...}: {
services.nginx = {
enable = true;
package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
recommendedProxySettings = true;
virtualHosts = {
"node.nyc.zackmyers.io" = {
forceSSL = true;
enableACME = true;
};
};
};
}
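Review bot: `services.nginx` enables `recommendedProxySettings` but not `recommendedTlsSettings`, so every `forceSSL`/`enableACME` virtual host defined across this commit runs on nginx's default TLS protocol and cipher configuration; adding `recommendedTlsSettings = true;` next to it gives all of them the module's hardened defaults in one place. The `pkgs.libressl` override of the nginx package is unexplained; a short comment on why LibreSSL is preferred here (it also affects which TLS features are available) would help the next reader.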


@ -0,0 +1,172 @@
{
pkgs,
config,
...
}: let
wings = pkgs.stdenv.mkDerivation {
name = "wings";
src = pkgs.fetchurl {
name = "wings";
url = "https://github.com/pterodactyl/wings/releases/latest/download/wings_linux_amd64";
sha256 = "sha256-S8vTpxvtmv7TfRMpgKxVPkvTmji1rlPEd9ApM3Rt6FY=";
};
phases = ["installPhase"];
installPhase = ''
install -D $src $out/bin/wings
'';
};
in {
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
systemd.timers."p_artisan-run" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "1m";
OnUnitActiveSec = "1m";
Unit = "p_artisan-run.service";
};
};
systemd.services."p_artisan-run" = {
script = ''
${pkgs.php}/bin/php /var/www/pterodactyl/artisan schedule:run >> /dev/null 2>&1
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
systemd.services."wings" = {
after = ["docker.service"];
requires = ["docker.service"];
partOf = ["docker.service"];
script = ''
#!/usr/bin/env bash
export PATH=${pkgs.shadow}/bin:$PATH
${wings}/bin/wings
'';
wantedBy = ["multi-user.target"];
serviceConfig = {
User = "root";
WorkingDirectory = "/etc/pterodactyl";
LimitNOFILE = 4096;
PIDFile = /var/run/wings/daemon.pid;
Restart = "on-failure";
StartLimitInterval = 180;
StartLimitBurst = 30;
RestartSec = "5s";
};
};
systemd.services."p_queue-worker" = {
after = ["redis.service"];
wantedBy = ["multi-user.target"];
script = ''
${pkgs.php}/bin/php /var/www/pterodactyl/artisan queue:work --queue=high,standard,low --sleep=3 --tries=3
'';
serviceConfig = {
User = "nginx";
Group = "nginx";
Restart = "always";
StartLimitInterval = 180;
StartLimitBurst = 30;
RestartSec = "5s";
};
};
services.nginx.virtualHosts."pterodactyl.zackmyers.io" = {
forceSSL = true;
enableACME = true;
root = "/var/www/pterodactyl/public";
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php?$query_string;
'';
locations."/favicon.ico".extraConfig = ''
access_log off; log_not_found off;
'';
locations."/robots.txt".extraConfig = ''
access_log off; log_not_found off;
'';
locations."~ \\.php$".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.pterodactyl.socket};
fastcgi_index index.php;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
'';
locations."~ /\\.ht".extraConfig = ''
deny all;
'';
extraConfig = ''
index index.html index.htm index.php;
charset utf-8;
access_log off;
error_log /var/log/nginx/pterodactyl.app-error.log error;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
'';
};
services.phpfpm = {
phpOptions = ''
extension=${pkgs.php81Extensions.openssl}/lib/php/extensions/openssl.so
extension=${pkgs.php81Extensions.gd}/lib/php/extensions/gd.so
extension=${pkgs.php81Extensions.mysqlnd}/lib/php/extensions/mysqlnd.so
extension=${pkgs.php81Extensions.mbstring}/lib/php/extensions/mbstring.so
extension=${pkgs.php81Extensions.tokenizer}/lib/php/extensions/tokenizer.so
extension=${pkgs.php81Extensions.bcmath}/lib/php/extensions/bcmath.so
extension=${pkgs.php81Extensions.xml}/lib/php/extensions/xml.so
extension=${pkgs.php81Extensions.dom}/lib/php/extensions/dom.so
extension=${pkgs.php81Extensions.curl}/lib/php/extensions/curl.so
extension=${pkgs.php81Extensions.zip}/lib/php/extensions/zip.so
'';
pools.pterodactyl = {
user = config.services.nginx.user;
phpPackage = pkgs.php81;
settings = {
"pm" = "dynamic";
"listen.owner" = config.services.nginx.user;
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
};
};
};
services.redis = {
enable = true;
};
}
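Review bot: The `wings` derivation fetches `releases/latest/download/wings_linux_amd64` with a fixed `sha256`, so the URL points at whatever upstream publishes next while the hash pins one specific binary; the build breaks (or silently keeps the cached store path) on the next release, and nothing records which version was vetted. Use the tagged release URL for the version the hash belongs to, e.g. `url = "https://github.com/pterodactyl/wings/releases/download/<version>/wings_linux_amd64";`, so updates are deliberate and reviewable. In `systemd.services.wings.serviceConfig`, `PIDFile = /var/run/wings/daemon.pid;` is an unquoted Nix path literal; write it as the string `PIDFile = "/run/wings/daemon.pid";` (a path literal is subject to store copying when interpolated, and `/var/run` is a legacy alias), and note that `PIDFile` only takes effect with `Type = "forking"`, which is not set. `services.redis.enable` also looks like the pre-22.05 option; I believe the current form is `services.redis.servers."<name>".enable = true;`, so confirm this evaluates against the pinned nixpkgs.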


@ -0,0 +1,24 @@
{pkgs, ...}: {
services.searx = {
enable = true;
package = pkgs.searxng;
runInUwsgi = true;
settings = {
# server.port = 8080;
# server.bind_addres = "0.0.0.0";
server.secret_key = "6f6bf40218f239718cacbc2cd837792be828e840b48ac72a8e0a9d0ddb9d0b00";
server.base_url = "https://search.zackmyers.io/searx/";
};
uwsgiConfig = {
http = ":8080";
};
};
services.nginx.virtualHosts."search.zackmyers.io" = {
forceSSL = true;
enableACME = true;
locations."/searx/" = {
proxyPass = "http://localhost:8080";
};
};
}
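Review bot: `server.secret_key` is a literal hex value committed with the configuration; since it signs SearXNG session data it should be treated as exposed and rotated, and the module's `environmentFile` option exists for exactly this case: set `server.secret_key = "@SEARX_SECRET_KEY@";` and point `environmentFile` at an age secret containing `SEARX_SECRET_KEY=<value>` (this repository already manages secrets with agenix). `uwsgiConfig.http = ":8080"` binds every interface; `http = "127.0.0.1:8080";` matches the `proxyPass` to localhost and keeps the unauthenticated backend off the network regardless of firewall state. The commented-out `server.bind_addres` line is misspelled (`bind_address`) should it ever be re-enabled.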