Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/hosts/tente/default.nix | 121 | ||||
-rw-r--r-- | nixos/hosts/tente/git.nix | 55 | ||||
-rw-r--r-- | nixos/hosts/tente/headscale.nix | 35 | ||||
-rw-r--r-- | nixos/hosts/tente/matrix.nix | 39 | ||||
-rw-r--r-- | nixos/hosts/tente/web-personal.nix | 40 |
5 files changed, 181 insertions, 109 deletions
diff --git a/nixos/hosts/tente/default.nix b/nixos/hosts/tente/default.nix
index 7885ff4..e6ec7ec 100644
--- a/nixos/hosts/tente/default.nix
+++ b/nixos/hosts/tente/default.nix
@@ -4,16 +4,7 @@
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 let
- domains =
- let
- domain = "push-f.com";
- in
- {
- personalWebsite = domain;
- tailscaleControlServer = "tailscale.${domain}";
- gitWebsite = "git.${domain}";
- matrixServer = "matrix.${domain}";
- };
+ domain = "push-f.com";
 acmeEmail = "martin@push-f.com";
 in
 { config, lib, pkgs, ... }:
@@ -22,8 +13,19 @@ in
 imports = [
 ./hardware-configuration.nix
 <top/profiles/server>
+ ./web-personal.nix
+ ./git.nix
+ ./headscale.nix
+ ./matrix.nix
 ];
+ web-personal.domain = domain;
+ web-personal.matrixApiDomain = config.matrix.apiDomain;
+ git.webUiDomain = "git.${domain}";
+ headscale.domain = "tailscale.${domain}";
+ matrix.serverName = domain;
+ matrix.apiDomain = "matrix.${domain}";
+
 # Use the GRUB 2 boot loader.
 boot.loader.grub.enable = true;
 # boot.loader.grub.efiSupport = true;
@@ -91,45 +93,11 @@ in
 ];
 services = {
- gitolite = {
- enable = true;
- adminPubkey = ""; # TODO: submit PR to nixpkgs to make this option optional
- user = "git";
- group = "git";
- dataDir = "/srv/gitolite";
- extraGitoliteRc = ''
- $RC{UMASK} = 0027;
- $RC{GIT_CONFIG_KEYS} = 'cgit.* gitweb.*';
-
- # not working for some reason? still getting `FATAL: git config 'gitweb.description' not allowed` if gitweb.* is omitted in GIT_CONFIG_KEYS
- # push( @{$RC{ENABLE}}, 'cgit' ); # update description files instead of gitweb.description config
- '';
- };
-
 nginx = {
 enable = true;
 group = "www-data";
 };
- headscale = {
- enable = true;
- port = 8080;
- # TODO: make dataDir configurable and set it to /srv/
- settings = {
- server_url = "https://${domains.tailscaleControlServer}";
- dns = { base_domain = "tailnet"; };
- };
- };
-
- nginx.virtualHosts.${domains.tailscaleControlServer} = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://localhost:${toString config.services.headscale.port}";
- proxyWebsockets = true;
- };
- };
-
 postgresql = {
 enable = true;
 authentication = pkgs.lib.mkOverride 10 ''
@@ -137,71 +105,6 @@ in
 local sameuser all peer
 '';
 };
-
- matrix-synapse = {
- enable = true;
- settings = {
- server_name = domains.personalWebsite;
- };
- };
-
- nginx.virtualHosts.${domains.matrixServer} = {
- enableACME = true;
- forceSSL = true;
-
- # TODO: add locations."/" with some message
-
- # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
- # *must not* be used here.
- locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
- # Forward requests for e.g. SSO and password-resets.
- locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
- };
-
- nginx.virtualHosts.${domains.personalWebsite} =
- let
- mkWellKnown = data: ''
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
- in
- {
- enableACME = true;
- forceSSL = true;
- root = "/srv/www/${domains.personalWebsite}";
-
- locations."= /.well-known/matrix/server".extraConfig = mkWellKnown {
- "m.server" = "${domains.matrixServer}:443";
- };
- locations."= /.well-known/matrix/client".extraConfig = mkWellKnown {
- "m.homeserver" = { base_url = "https://${domains.matrixServer}"; };
- };
- };
-
- nginx.virtualHosts.${domains.gitWebsite} = {
- enableACME = true;
- forceSSL = true;
- };
-
- cgit.main = {
- enable = true;
- # running as the gitolite user because otherwise cloning a repo via cgit fails with:
- # fatal: detected dubious ownership in repository
- user = config.services.gitolite.user;
- group = config.services.gitolite.group;
- nginx.virtualHost = domains.gitWebsite;
- scanPath = "${config.services.gitolite.dataDir}/repositories";
- settings = {
- remove-suffix = 1;
- enable-git-config = 1;
- root-title = "push-f.com repositories";
- root-desc = "My various repositories.";
- enable-index-owner = 0;
- source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
- clone-prefix = "https://${domains.gitWebsite}";
- };
- };
 };
 security.acme = {
diff --git a/nixos/hosts/tente/git.nix b/nixos/hosts/tente/git.nix
new file mode 100644
index 0000000..0e005c7
--- /dev/null
+++ b/nixos/hosts/tente/git.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.git;
+in
+{
+ options.git = {
+ webUiDomain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services = {
+ gitolite = {
+ enable = true;
+ adminPubkey = ""; # TODO: submit PR to nixpkgs to make this option optional
+ user = "git";
+ group = "git";
+ dataDir = "/srv/gitolite";
+ extraGitoliteRc = ''
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.* gitweb.*';
+
+ # not working for some reason? still getting `FATAL: git config 'gitweb.description' not allowed` if gitweb.* is omitted in GIT_CONFIG_KEYS
+ # push( @{$RC{ENABLE}}, 'cgit' ); # update description files instead of gitweb.description config
+ '';
+ };
+
+ nginx.virtualHosts.${cfg.webUiDomain} = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ cgit.main = {
+ enable = true;
+ # running as the gitolite user because otherwise cloning a repo via cgit fails with:
+ # fatal: detected dubious ownership in repository
+ user = config.services.gitolite.user;
+ group = config.services.gitolite.group;
+ nginx.virtualHost = cfg.webUiDomain;
+ scanPath = "${config.services.gitolite.dataDir}/repositories";
+ settings = {
+ remove-suffix = 1;
+ enable-git-config = 1;
+ root-title = "push-f.com repositories";
+ root-desc = "My various repositories.";
+ enable-index-owner = 0;
+ source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ clone-prefix = "https://${cfg.webUiDomain}";
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/hosts/tente/headscale.nix b/nixos/hosts/tente/headscale.nix
new file mode 100644
index 0000000..6faea12
--- /dev/null
+++ b/nixos/hosts/tente/headscale.nix
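Review bot: `root-title = "push-f.com repositories";` in cgit.main.settings still hard-codes the domain even though the module now receives it through `webUiDomain` (used for the virtualHost and `clone-prefix`), so the module is only half parameterised; either derive it, e.g. `root-title = "${cfg.webUiDomain} repositories";`, or expose it as its own option if the literal title is intended. The `webUiDomain` option has no `description`, and the same applies to `headscale.domain`, `matrix.serverName`/`apiDomain` and `web-personal.domain`/`matrixApiDomain` in the other new files; something like `description = "Domain under which the cgit web UI is served; also used as the HTTPS clone prefix.";` is enough. Declaring these under bare top-level namespaces (`git`, `headscale`, `matrix`, `web-personal`) also risks colliding with options NixOS adds later; a host-specific prefix would avoid that.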
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.headscale;
+in
+{
+ options.headscale = {
+ domain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services = {
+ headscale = {
+ enable = true;
+ port = 8080;
+ # TODO: make dataDir configurable and set it to /srv/
+ settings = {
+ server_url = "https://${cfg.domain}";
+ dns = { base_domain = "tailnet"; };
+ };
+ };
+
+ nginx.virtualHosts.${cfg.domain} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/hosts/tente/matrix.nix b/nixos/hosts/tente/matrix.nix
new file mode 100644
index 0000000..b60f3cd
--- /dev/null
+++ b/nixos/hosts/tente/matrix.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.matrix;
+in
+{
+ options.matrix = {
+ serverName = lib.mkOption {
+ type = lib.types.str;
+ };
+ apiDomain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services = {
+ matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = cfg.serverName;
+ };
+ };
+
+ nginx.virtualHosts.${cfg.apiDomain} = {
+ enableACME = true;
+ forceSSL = true;
+
+ # TODO: add locations."/" with some message
+
+ # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+ # *must not* be used here.
+ locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+ # Forward requests for e.g. SSO and password-resets.
+ locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+ };
+ };
+ };
+}
diff --git a/nixos/hosts/tente/web-personal.nix b/nixos/hosts/tente/web-personal.nix
new file mode 100644
index 0000000..7c17063
--- /dev/null
+++ b/nixos/hosts/tente/web-personal.nix
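Review bot: `proxyPass = "http://localhost:${toString config.services.headscale.port}"` in the headscale virtualHost makes nginx resolve `localhost` at config-load time, and on a host where that yields `::1` first the upstream may not be the address headscale is actually bound to (its module binds a loopback IPv4 address by default, as far as I recall — worth confirming). matrix.nix in this same commit proxies to the literal `127.0.0.1`, so `proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";` would be both consistent and unambiguous. A short comment on the `port = 8080;` line noting that nginx is the only intended client of that port would also help a later reader.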
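Review bot: The `/_matrix` location proxies to synapse without raising nginx's `client_max_body_size` (1M by default), which presumably caps media uploads through the reverse proxy well below synapse's own upload limit; an `extraConfig = "client_max_body_size 50M;";` on the virtualHost, sized to match synapse's `max_upload_size`, would address that. The two `proxyPass` targets hard-code `127.0.0.1:8008`, which is the listener the NixOS synapse module sets up by default but is not declared anywhere in this module; a comment such as `# 8008 is the default services.matrix-synapse listener; keep in sync if settings.listeners is changed.` makes the coupling visible. The empty `locations."/"` TODO is carried over unchanged, so requests to the API host's root currently fall through to nginx's default root.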
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.web-personal;
+in
+{
+ options.web-personal = {
+ domain = lib.mkOption {
+ type = lib.types.str;
+ };
+ matrixApiDomain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services = {
+ nginx.virtualHosts.${cfg.domain} =
+ let
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+ in
+ {
+ enableACME = true;
+ forceSSL = true;
+ root = "/srv/www/${cfg.domain}";
+
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown {
+ "m.server" = "${cfg.matrixApiDomain}:443";
+ };
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown {
+ "m.homeserver" = { base_url = "https://${cfg.matrixApiDomain}"; };
+ };
+ };
+ };
+ };
+}
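Review bot: `mkWellKnown` emits `add_header Access-Control-Allow-Origin *;` with no comment on why a wildcard CORS header is on these responses, which invites a later "hardening" that would break web clients; a comment such as `# .well-known/matrix/* is fetched cross-origin by browser-based Matrix clients, and the body is static JSON, so the wildcard origin is intended.` would preserve that intent. The helper is also defined in a `let` attached to the virtualHost attribute; hoisting it to the module's top-level `let` next to `cfg` keeps the attribute set itself readable. Note that `builtins.toJSON` output is placed inside a single-quoted nginx string, so the option values must never contain a `'`; a one-line comment on the `return 200` line stating that assumption would help.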