Diffstat (limited to 'nixos')
-rw-r--r--nixos/hosts/tente/default.nix121
-rw-r--r--nixos/hosts/tente/git.nix55
-rw-r--r--nixos/hosts/tente/headscale.nix35
-rw-r--r--nixos/hosts/tente/matrix.nix39
-rw-r--r--nixos/hosts/tente/web-personal.nix40
5 files changed, 181 insertions, 109 deletions
diff --git a/nixos/hosts/tente/default.nix b/nixos/hosts/tente/default.nix
index 7885ff4..e6ec7ec 100644
--- a/nixos/hosts/tente/default.nix
+++ b/nixos/hosts/tente/default.nix
@@ -4,16 +4,7 @@
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
let
- domains =
- let
- domain = "push-f.com";
- in
- {
- personalWebsite = domain;
- tailscaleControlServer = "tailscale.${domain}";
- gitWebsite = "git.${domain}";
- matrixServer = "matrix.${domain}";
- };
+ domain = "push-f.com";
acmeEmail = "martin@push-f.com";
in
{ config, lib, pkgs, ... }:
@@ -22,8 +13,19 @@ in
imports = [
./hardware-configuration.nix
<top/profiles/server>
+ ./web-personal.nix
+ ./git.nix
+ ./headscale.nix
+ ./matrix.nix
];
+ web-personal.domain = domain;
+ web-personal.matrixApiDomain = config.matrix.apiDomain;
+ git.webUiDomain = "git.${domain}";
+ headscale.domain = "tailscale.${domain}";
+ matrix.serverName = domain;
+ matrix.apiDomain = "matrix.${domain}";
+
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true;
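Review bot: The new wiring writes to bare top-level option namespaces (`web-personal.*`, `git.*`, `headscale.*`, `matrix.*`) declared by the local modules; these sit beside nixpkgs' own top-level namespaces, and a future upstream option of the same name would collide at evaluation time or silently be merged with yours. The usual convention for host-local modules is a site prefix, e.g. `my.git.webUiDomain = "git.${domain}";`, mirrored in each module's `options` block. `web-personal.matrixApiDomain = config.matrix.apiDomain;` is the only cross-module reference here and deserves a one-line comment such as `# the .well-known files on the personal site must point at the synapse vhost`. The enclosing attribute set continues outside this hunk.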
@@ -91,45 +93,11 @@ in
];
services = {
- gitolite = {
- enable = true;
- adminPubkey = ""; # TODO: submit PR to nixpkgs to make this option optional
- user = "git";
- group = "git";
- dataDir = "/srv/gitolite";
- extraGitoliteRc = ''
- $RC{UMASK} = 0027;
- $RC{GIT_CONFIG_KEYS} = 'cgit.* gitweb.*';
-
- # not working for some reason? still getting `FATAL: git config 'gitweb.description' not allowed` if gitweb.* is omitted in GIT_CONFIG_KEYS
- # push( @{$RC{ENABLE}}, 'cgit' ); # update description files instead of gitweb.description config
- '';
- };
-
nginx = {
enable = true;
group = "www-data";
};
- headscale = {
- enable = true;
- port = 8080;
- # TODO: make dataDir configurable and set it to /srv/
- settings = {
- server_url = "https://${domains.tailscaleControlServer}";
- dns = { base_domain = "tailnet"; };
- };
- };
-
- nginx.virtualHosts.${domains.tailscaleControlServer} = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://localhost:${toString config.services.headscale.port}";
- proxyWebsockets = true;
- };
- };
-
postgresql = {
enable = true;
authentication = pkgs.lib.mkOverride 10 ''
@@ -137,71 +105,6 @@ in
local sameuser all peer
'';
};
-
- matrix-synapse = {
- enable = true;
- settings = {
- server_name = domains.personalWebsite;
- };
- };
-
- nginx.virtualHosts.${domains.matrixServer} = {
- enableACME = true;
- forceSSL = true;
-
- # TODO: add locations."/" with some message
-
- # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
- # *must not* be used here.
- locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
- # Forward requests for e.g. SSO and password-resets.
- locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
- };
-
- nginx.virtualHosts.${domains.personalWebsite} =
- let
- mkWellKnown = data: ''
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
- in
- {
- enableACME = true;
- forceSSL = true;
- root = "/srv/www/${domains.personalWebsite}";
-
- locations."= /.well-known/matrix/server".extraConfig = mkWellKnown {
- "m.server" = "${domains.matrixServer}:443";
- };
- locations."= /.well-known/matrix/client".extraConfig = mkWellKnown {
- "m.homeserver" = { base_url = "https://${domains.matrixServer}"; };
- };
- };
-
- nginx.virtualHosts.${domains.gitWebsite} = {
- enableACME = true;
- forceSSL = true;
- };
-
- cgit.main = {
- enable = true;
- # running as the gitolite user because otherwise cloning a repo via cgit fails with:
- # fatal: detected dubious ownership in repository
- user = config.services.gitolite.user;
- group = config.services.gitolite.group;
- nginx.virtualHost = domains.gitWebsite;
- scanPath = "${config.services.gitolite.dataDir}/repositories";
- settings = {
- remove-suffix = 1;
- enable-git-config = 1;
- root-title = "push-f.com repositories";
- root-desc = "My various repositories.";
- enable-index-owner = 0;
- source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
- clone-prefix = "https://${domains.gitWebsite}";
- };
- };
};
security.acme = {
diff --git a/nixos/hosts/tente/git.nix b/nixos/hosts/tente/git.nix
new file mode 100644
index 0000000..0e005c7
--- /dev/null
+++ b/nixos/hosts/tente/git.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.git;
+in
+{
+ options.git = {
+ webUiDomain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services = {
+ gitolite = {
+ enable = true;
+ adminPubkey = ""; # TODO: submit PR to nixpkgs to make this option optional
+ user = "git";
+ group = "git";
+ dataDir = "/srv/gitolite";
+ extraGitoliteRc = ''
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.* gitweb.*';
+
+ # not working for some reason? still getting `FATAL: git config 'gitweb.description' not allowed` if gitweb.* is omitted in GIT_CONFIG_KEYS
+ # push( @{$RC{ENABLE}}, 'cgit' ); # update description files instead of gitweb.description config
+ '';
+ };
+
+ nginx.virtualHosts.${cfg.webUiDomain} = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ cgit.main = {
+ enable = true;
+ # running as the gitolite user because otherwise cloning a repo via cgit fails with:
+ # fatal: detected dubious ownership in repository
+ user = config.services.gitolite.user;
+ group = config.services.gitolite.group;
+ nginx.virtualHost = cfg.webUiDomain;
+ scanPath = "${config.services.gitolite.dataDir}/repositories";
+ settings = {
+ remove-suffix = 1;
+ enable-git-config = 1;
+ root-title = "push-f.com repositories";
+ root-desc = "My various repositories.";
+ enable-index-owner = 0;
+ source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ clone-prefix = "https://${cfg.webUiDomain}";
+ };
+ };
+ };
+ };
+}
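Review bot: cgit is given `scanPath` over the entire gitolite repositories directory but no `project-list`, so every repository gitolite holds — including `gitolite-admin.git` with its keydir and access conf, plus any repo meant to be private — is browsable and cloneable by anyone through the unauthenticated `git.*` vhost, regardless of gitolite's ACLs. Unless every repo is intentionally public, add `project-list = "${config.services.gitolite.dataDir}/projects.list";` to `settings` and grant `R = gitweb` in gitolite.conf only to repos that should be visible, which is the mechanism gitolite documents for gitweb/cgit (the file lives under the gitolite home, i.e. `dataDir`, in the default setup). A related least-privilege point: running cgit as the gitolite user (the `user`/`group` lines) hands the web-facing process write access to all repositories and the admin config; the "dubious ownership" error is git's `safe.directory` check and is better solved by setting `safe.directory` for a dedicated cgit user that only has group read via the existing `UMASK = 0027`. The `adminPubkey = ""` TODO also means the initial admin identity is empty; worth confirming that the module does not create an admin with no key on a fresh deploy.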
diff --git a/nixos/hosts/tente/headscale.nix b/nixos/hosts/tente/headscale.nix
new file mode 100644
index 0000000..6faea12
--- /dev/null
+++ b/nixos/hosts/tente/headscale.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.headscale;
+in
+{
+ options.headscale = {
+ domain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services = {
+ headscale = {
+ enable = true;
+ port = 8080;
+ # TODO: make dataDir configurable and set it to /srv/
+ settings = {
+ server_url = "https://${cfg.domain}";
+ dns = { base_domain = "tailnet"; };
+ };
+ };
+
+ nginx.virtualHosts.${cfg.domain} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+}
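Review bot: `proxyPass` hard-codes `localhost` while only the port is read from `config.services.headscale`, so if the headscale listen address is ever changed away from the module default the proxy silently points at the wrong socket, and `localhost` may resolve to `::1` first depending on /etc/hosts. Tie both ends to the module: `proxyPass = "http://${config.services.headscale.address}:${toString config.services.headscale.port}";` (assuming the `address` option is present in the nixpkgs revision in use). The new `headscale.domain` option also carries no `description`; something like `description = "Public hostname of the headscale control server; used for server_url and the nginx vhost.";` would document its contract.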
diff --git a/nixos/hosts/tente/matrix.nix b/nixos/hosts/tente/matrix.nix
new file mode 100644
index 0000000..b60f3cd
--- /dev/null
+++ b/nixos/hosts/tente/matrix.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.matrix;
+in
+{
+ options.matrix = {
+ serverName = lib.mkOption {
+ type = lib.types.str;
+ };
+ apiDomain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services = {
+ matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = cfg.serverName;
+ };
+ };
+
+ nginx.virtualHosts.${cfg.apiDomain} = {
+ enableACME = true;
+ forceSSL = true;
+
+ # TODO: add locations."/" with some message
+
+ # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+ # *must not* be used here.
+ locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+ # Forward requests for e.g. SSO and password-resets.
+ locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+ };
+ };
+ };
+}
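Review bot: Both `proxyPass` locations forward to synapse without `recommendedProxySettings`, and it is not enabled on `services.nginx` in the visible context either, so unless set elsewhere synapse sees every client as 127.0.0.1: its per-IP rate limits for login and registration then apply to all users collectively and the access log loses real source addresses. Set `recommendedProxySettings = true;` per location (`locations."/_matrix" = { proxyPass = "http://127.0.0.1:8008"; recommendedProxySettings = true; };`, same for `/_synapse/client`) or enable `services.nginx.recommendedProxySettings` globally. Media uploads will also hit nginx's default 1M `client_max_body_size`, well below synapse's default `max_upload_size`; add `extraConfig = "client_max_body_size 50M;";` on the vhost, keeping it in step with the synapse value you configure.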
diff --git a/nixos/hosts/tente/web-personal.nix b/nixos/hosts/tente/web-personal.nix
new file mode 100644
index 0000000..7c17063
--- /dev/null
+++ b/nixos/hosts/tente/web-personal.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.web-personal;
+in
+{
+ options.web-personal = {
+ domain = lib.mkOption {
+ type = lib.types.str;
+ };
+ matrixApiDomain = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services = {
+ nginx.virtualHosts.${cfg.domain} =
+ let
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+ in
+ {
+ enableACME = true;
+ forceSSL = true;
+ root = "/srv/www/${cfg.domain}";
+
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown {
+ "m.server" = "${cfg.matrixApiDomain}:443";
+ };
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown {
+ "m.homeserver" = { base_url = "https://${cfg.matrixApiDomain}"; };
+ };
+ };
+ };
+ };
+}
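Review bot: The `add_header Access-Control-Allow-Origin *;` inside each `.well-known/matrix/*` location suppresses every `add_header` inherited from the server level — nginx inherits add_header only when the current level defines none — so any security headers set on this vhost (HSTS, X-Content-Type-Options and the like, not visible here) would silently vanish on exactly these two public endpoints. If such headers exist on the vhost, repeat them inside `mkWellKnown` or emit the CORS header at server level instead. The wildcard origin itself is what the Matrix spec requires for these files, so document that rather than leaving it to look like an oversight: `# CORS wildcard is required by the Matrix spec for .well-known lookups`.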