authorEuAndreh <eu@euandre.org>2021-02-25 14:21:36 -0300
committerEuAndreh <eu@euandre.org>2021-02-25 14:21:36 -0300
commitc09477a46af411eb3220f91ddf2c5c6c86344ebc (patch)
treee6db913e164cdcaab7a2f2b028f6ff6d1370e360
parentWIP: Add scripts/deploy (diff)
Add WIP servers/nixvps/
-rw-r--r--secrets/nixvps/envsubst-configuration.nixbin0 -> 184 bytes
-rw-r--r--servers/nixvps/configuration.nix220
l---------servers/nixvps/envsubst-configuration.nix1
-rw-r--r--servers/nixvps/hostname.txt1
-rw-r--r--servers/nixvps/infrastructure.tf139
-rw-r--r--servers/nixvps/tld.txt1
6 files changed, 362 insertions, 0 deletions
diff --git a/secrets/nixvps/envsubst-configuration.nix b/secrets/nixvps/envsubst-configuration.nix
new file mode 100644
index 0000000..279fa00
--- /dev/null
+++ b/secrets/nixvps/envsubst-configuration.nix
Binary files differ
diff --git a/servers/nixvps/configuration.nix b/servers/nixvps/configuration.nix
new file mode 100644
index 0000000..617bdb1
--- /dev/null
+++ b/servers/nixvps/configuration.nix
@@ -0,0 +1,220 @@
+{ config, pkgs, ... }:
+
+let
+ envsubstConfiguration =
+ pkgs.callPackage /etc/nixos/envsubst-configuration.nix { };
+ config = rec {
+ TLD = envsubstConfiguration.TLD;
+ cgitPort = "81";
+ openSSHPort = 23841;
+ docs-projects = [
+ "boneco"
+ "pdfs-da-d-maria"
+
+ "package-repository"
+ "servers"
+
+ "remembering"
+ "autoqemu"
+ "fallible"
+ "sharedc"
+ # "gluilo"
+ # "kongrue"
+ # "libedn"
+ # "eq"
+ "mediator"
+
+ # "songbookgs"
+ # "standardify"
+ ];
+ };
+ site-for-project = project-name: {
+ "${project-name}.${config.TLD}" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/http/${project-name}/";
+ };
+ };
+in {
+ imports = [ ./hardware-configuration.nix ];
+
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ useDHCP = false;
+ interfaces.ens3.useDHCP = true;
+ };
+
+ nix = {
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ };
+ # min-free 1G
+ extraOptions = ''
+ min-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+
+ environment = {
+ systemPackages = let
+ c99 = pkgs.tinycc.overrideAttrs (oldAttrs: {
+ postInstall = ''
+ ln -s $out/bin/tcc $out/bin/c99
+ '';
+ });
+ in with pkgs; [ vim git gitAndTools.git-annex gnumake c99 ];
+ shellAliases = { l = "ls -lahF"; };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ # SSH: OpenSSH
+ config.openSSHPort
+
+ # HTTP and HTPPS: NGINX
+ 80
+ 443
+
+ # Git protocol
+ 9418
+ ];
+
+ security = {
+ acme = {
+ acceptTerms = true;
+ email = "eu@euandre.org";
+ };
+ sudo.wheelNeedsPassword = false;
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ ports = [ config.openSSHPort ];
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts =
+ pkgs.lib.fold (project: acc: acc // site-for-project project) { }
+ config.docs-projects // {
+ "git.${config.TLD}" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ location = /favicon.ico {
+ alias ${pkgs.cgit}/cgit/favicon.ico;
+ }
+ location / {
+ proxy_pass http://localhost:${config.cgitPort};
+ }
+ '';
+ };
+ };
+ };
+
+ lighttpd = {
+ enable = true;
+ port = pkgs.lib.toInt config.cgitPort;
+ cgit = {
+ enable = true;
+ subdir = "";
+ configText = ''
+ enable-blame=1
+ enable-commit-graph=1
+ enable-follow-links=1
+ enable-index-owner=0
+ enable-log-filecount=1
+ enable-log-linecount=1
+ root-desc=Patches welcome!
+ readme=:README.md
+ readme=:README
+ max-repodesc-length=120
+ remove-suffix=1
+ root-title=EuAndreh's repositories
+ snapshots=tar.gz zip
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ scan-path=/srv/git
+ '';
+ };
+ };
+
+ gitDaemon = {
+ enable = true;
+ basePath = "/srv/git";
+ exportAll = true;
+ };
+
+ cron = {
+ enable = true;
+ systemCronJobs = [
+ "30 1 * * 1 root /opt/bin/gc.sh"
+ "30 0 * * * root /opt/bin/backup.sh"
+ ];
+ };
+ };
+
+ users = {
+ # Improve: make mutable
+ mutableUsers = false;
+ extraUsers = let
+ andrehUser = {
+ andreh = {
+ uid = 1000;
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ hashedPassword = envsubstConfiguration.hashedPassword;
+ openssh.authorizedKeys.keys = [
+ # FIXME: use ~/.ssh/id_rsa
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDF+uy407LKZAFnfFkJPRiOBzwV98qIEcKhITnLYhqfITfrJvcFVOY0/YDCrs6WHXyLdM29AoywVWsQ1qXiB7xQCwknPV8YZoCnJQcn0gvH8jbCk+C8Po0Rx846wbhL49qYolnmlhe+Uoy30j7XIJSDtPVO9d/hZqt2GPwGVJ98HLyY2ak+j4i1YkHr+mPFgnCaqCAzA374d1Bop18+YENYtMMU0k8hCsomwZny/7qNo4V8mjLxQAS8FvTuljxlthEpOM4Jsjl07yDLgE69kLvU7mmFi8EeC26e50N18Ouse82dZigtVhAMeLBhbJnQbDff4WfUBzSjpKjZPGcxoRaej3qSRbIkcMMqCOSlww6GcjRi+COvlpA4c1i4hKI15wHceoiKghDLA6jbaHfOqEMldflYl5gCVUIYzJ5XehZppH6L7PzO+L4suNs+aFjWPDZ0jqEtcyTmgTMea40p7wwz086ExnBDorbG79oDiJrWc+swJjXuVakS+fQjb3mPsCC/FgUhsxEtqiVfvLo2mphp47pOYvs64aUp3RV9muqQNuS4tEuP9V1urGTLtgPL26LEjF0oLu1ag0H+VZY5O/T9KRYvWre8IWbj/KkZYo1tJaGJyEVr0plmyzLBEy8b3Hu/6Wtq7yB0Eii60fxqFWC24nEkvs1V0cxDa+o6I2iA9w== eu@euandre.org"
+ ];
+ };
+ };
+ buildUser = (i: {
+ "guixbuilder${i}" = {
+ group = "guixbuild";
+ extraGroups = [ "guixbuild" ];
+ home = "/var/empty";
+ shell = pkgs.nologin;
+ description = "Guix build user ${i}";
+ isSystemUser = true;
+ };
+ });
+ in pkgs.lib.fold (str: acc: acc // buildUser str) andrehUser
+ (map (pkgs.lib.fixedWidthNumber 2) (builtins.genList (n: n + 1) 10));
+ extraGroups.guixbuild = { name = "guixbuild"; };
+ };
+
+ systemd = {
+ services = {
+ guix-daemon = {
+ enable = true;
+ description = "Build daemon for GNU Guix";
+ serviceConfig = {
+ ExecStart =
+ "/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+ };
+
+ system = {
+ stateVersion = "20.09";
+ autoUpgrade = {
+ enable = true;
+ allowReboot = true;
+ };
+ };
+}
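Review bot: `sudo.wheelNeedsPassword = false;` in the `security` block makes the single `andreh` account, which is in `wheel` and reachable over SSH with the key listed under `users.extraUsers`, an unattended root: whoever holds that private key gets root without any password prompt. Unless the deploy tooling relies on non-interactive sudo, `sudo.wheelNeedsPassword = true;` is the safer default, and if it is required a comment naming the script that needs it would make the trade-off explicit. Separately, the `let config = rec { ... }` binding shadows the module argument `config` from the first line, so any later reference intended for the NixOS `config` attribute set silently resolves to this local record; renaming it to something like `cfg` would avoid that. `services.gitDaemon.exportAll = true` also publishes every repository under `/srv/git` over the unauthenticated git protocol on port 9418, which is fine for a public mirror but worth stating in a comment so a private repository is never dropped in there by mistake.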
diff --git a/servers/nixvps/envsubst-configuration.nix b/servers/nixvps/envsubst-configuration.nix
new file mode 120000
index 0000000..ab7c446
--- /dev/null
+++ b/servers/nixvps/envsubst-configuration.nix
@@ -0,0 +1 @@
+../../secrets/nixvps/envsubst-configuration.nix \ No newline at end of file
diff --git a/servers/nixvps/hostname.txt b/servers/nixvps/hostname.txt
new file mode 100644
index 0000000..fbab93b
--- /dev/null
+++ b/servers/nixvps/hostname.txt
@@ -0,0 +1 @@
+kuvira
diff --git a/servers/nixvps/infrastructure.tf b/servers/nixvps/infrastructure.tf
new file mode 100644
index 0000000..2721c56
--- /dev/null
+++ b/servers/nixvps/infrastructure.tf
@@ -0,0 +1,139 @@
+terraform {
+ required_providers {
+ vultr = {
+ source = "vultr/vultr"
+ version = "~> 2.1.2"
+ }
+ }
+ required_version = ">= 0.13"
+}
+
+# Input variables
+
+variable "vultr_api_key" {
+ type = string
+ description = "Vultr API key."
+}
+
+variable "vps_tld" {
+ type = string
+ description = "Root Top-Level Domain. Subdomains will be derived from it."
+}
+
+variable "vps_hostname" {
+ type = string
+ description = "Human name of the host. This is a pet name, not cattle name :)"
+}
+
+variable "vps_dkim_public_key" {
+ type = string
+ description = "Public key for the DNS TXT DKIM record."
+}
+
+variable "vps_dkim_selector" {
+ type = string
+ description = "The DKIM selector that prefixes the domain in the TXT record."
+}
+
+# Vultr
+
+provider "vultr" {
+ api_key = var.vultr_api_key
+}
+
+# Instance
+
+resource "vultr_instance" "vps_server" {
+ enable_ipv6 = true
+ backups = "enabled"
+ hostname = var.vps_hostname
+ activation_email = true
+ label = var.vps_hostname
+ region = "cdg"
+ plan = "vc2-1c-1gb"
+ # $ curl -H "Authorization: Bearer $TF_VAR_vultr_api_key" https://api.vultr.com/v2/snapshots | jq
+ snapshot_id = "8e6aaab6-7973-48a0-aeb5-cb99ab1ff43d"
+}
+
+output "vps_public_ipv4" {
+ value = vultr_instance.vps_server.main_ip
+}
+
+output "vps_public_ipv6" {
+ value = vultr_instance.vps_server.v6_main_ip
+}
+
+# DNS and IP configuration
+
+locals {
+ mail_domain = "mail.${var.vps_tld}"
+}
+
+resource "vultr_dns_domain" "vps_tld" {
+ # The CNAME record is already generated by Vultr
+ domain = var.vps_tld
+ ip = vultr_instance.vps_server.main_ip
+}
+
+resource "vultr_dns_record" "vps_mail_a_record" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = "mail"
+ data = vultr_instance.vps_server.main_ip
+ type = "A"
+}
+
+resource "vultr_reverse_ipv4" "vps_mail_reverse_ipv4" {
+ instance_id = vultr_instance.vps_server.id
+ ip = vultr_instance.vps_server.main_ip
+ reverse = local.mail_domain
+}
+
+resource "vultr_dns_record" "vps_mail_aaaa_record" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = "mail"
+ data = vultr_instance.vps_server.v6_main_ip
+ type = "AAAA"
+}
+
+resource "vultr_reverse_ipv6" "vps_mail_reverse_ipv6" {
+ instance_id = vultr_instance.vps_server.id
+ ip = vultr_instance.vps_server.v6_main_ip
+ reverse = local.mail_domain
+}
+
+resource "vultr_dns_record" "vps_mx_record" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = ""
+ data = local.mail_domain
+ type = "MX"
+}
+
+resource "vultr_dns_record" "vps_spf_txt" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = ""
+ data = "\"v=spf1 mx -all\""
+ type = "TXT"
+}
+
+resource "vultr_dns_record" "vps_dkim_txt" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = "${var.vps_dkim_selector}._domainkey"
+ data = "\"v=DKIM1;k=rsa;p=${var.vps_dkim_public_key}\""
+ type = "TXT"
+}
+
+resource "vultr_dns_record" "vps_dmarc_txt" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = "_dmarc"
+ data = "\"v=DMARC1;p=none;pct=100;rua=mailto:postmaster@${var.vps_tld};\""
+ type = "TXT"
+}
+
+# I think this DNS is configured by default
+
+# resource "vultr_dns_record" "vps_cname_start_alias" {
+# domain = vultr_dns_domain.vps_tld.id
+# name = "*"
+# data = var.vps_tld
+# type = "CNAME"
+# }
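Review bot: `variable "vultr_api_key"` holds a credential but is not marked `sensitive = true`, so its value is shown in full in `terraform plan`/`apply` output and in any CI log that captures it. Adding `sensitive = true` to that variable block redacts it; the attribute needs Terraform 0.14, so `required_version` would have to move from `">= 0.13"` to `">= 0.14"`. The DMARC record is published with `p=none`, which is the right monitoring-only starting point, but a comment noting the intent to move to `quarantine` or `reject` once the `rua` reports look clean would keep that step from being forgotten.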
diff --git a/servers/nixvps/tld.txt b/servers/nixvps/tld.txt
new file mode 100644
index 0000000..0cb8b8b
--- /dev/null
+++ b/servers/nixvps/tld.txt
@@ -0,0 +1 @@
+euandreh.xyz