Diffstat (limited to 'servers/nixvps')
-rw-r--r-- | servers/nixvps/configuration.nix | 220 | ||||
l--------- | servers/nixvps/envsubst-configuration.nix | 1 | ||||
-rw-r--r-- | servers/nixvps/hostname.txt | 1 | ||||
-rw-r--r-- | servers/nixvps/infrastructure.tf | 139 | ||||
-rw-r--r-- | servers/nixvps/tld.txt | 1 |
5 files changed, 362 insertions, 0 deletions
diff --git a/servers/nixvps/configuration.nix b/servers/nixvps/configuration.nix
new file mode 100644
index 0000000..617bdb1
--- /dev/null
+++ b/servers/nixvps/configuration.nix
@@ -0,0 +1,220 @@
+{ config, pkgs, ... }:
+
+let
+ envsubstConfiguration =
+ pkgs.callPackage /etc/nixos/envsubst-configuration.nix { };
+ config = rec {
+ TLD = envsubstConfiguration.TLD;
+ cgitPort = "81";
+ openSSHPort = 23841;
+ docs-projects = [
+ "boneco"
+ "pdfs-da-d-maria"
+
+ "package-repository"
+ "servers"
+
+ "remembering"
+ "autoqemu"
+ "fallible"
+ "sharedc"
+ # "gluilo"
+ # "kongrue"
+ # "libedn"
+ # "eq"
+ "mediator"
+
+ # "songbookgs"
+ # "standardify"
+ ];
+ };
+ site-for-project = project-name: {
+ "${project-name}.${config.TLD}" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/http/${project-name}/";
+ };
+ };
+in {
+ imports = [ ./hardware-configuration.nix ];
+
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ useDHCP = false;
+ interfaces.ens3.useDHCP = true;
+ };
+
+ nix = {
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ };
+ # min-free 1G
+ extraOptions = ''
+ min-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+
+ environment = {
+ systemPackages = let
+ c99 = pkgs.tinycc.overrideAttrs (oldAttrs: {
+ postInstall = ''
+ ln -s $out/bin/tcc $out/bin/c99
+ '';
+ });
+ in with pkgs; [ vim git gitAndTools.git-annex gnumake c99 ];
+ shellAliases = { l = "ls -lahF"; };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ # SSH: OpenSSH
+ config.openSSHPort
+
+ # HTTP and HTPPS: NGINX
+ 80
+ 443
+
+ # Git protocol
+ 9418
+ ];
+
+ security = {
+ acme = {
+ acceptTerms = true;
+ email = "eu@euandre.org";
+ };
+ sudo.wheelNeedsPassword = false;
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ ports = [ config.openSSHPort ];
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts =
+ pkgs.lib.fold (project: acc: acc // site-for-project project) { }
+ config.docs-projects // {
+ "git.${config.TLD}" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ location = /favicon.ico {
+ alias ${pkgs.cgit}/cgit/favicon.ico;
+ }
+ location / {
+ proxy_pass http://localhost:${config.cgitPort};
+ }
+ '';
+ };
+ };
+ };
+
+ lighttpd = {
+ enable = true;
+ port = pkgs.lib.toInt config.cgitPort;
+ cgit = {
+ enable = true;
+ subdir = "";
+ configText = ''
+ enable-blame=1
+ enable-commit-graph=1
+ enable-follow-links=1
+ enable-index-owner=0
+ enable-log-filecount=1
+ enable-log-linecount=1
+ root-desc=Patches welcome!
+ readme=:README.md
+ readme=:README
+ max-repodesc-length=120
+ remove-suffix=1
+ root-title=EuAndreh's repositories
+ snapshots=tar.gz zip
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ scan-path=/srv/git
+ '';
+ };
+ };
+
+ gitDaemon = {
+ enable = true;
+ basePath = "/srv/git";
+ exportAll = true;
+ };
+
+ cron = {
+ enable = true;
+ systemCronJobs = [
+ "30 1 * * 1 root /opt/bin/gc.sh"
+ "30 0 * * * root /opt/bin/backup.sh"
+ ];
+ };
+ };
+
+ users = {
+ # Improve: make mutable
+ mutableUsers = false;
+ extraUsers = let
+ andrehUser = {
+ andreh = {
+ uid = 1000;
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ hashedPassword = envsubstConfiguration.hashedPassword;
+ openssh.authorizedKeys.keys = [
+ # FIXME: use ~/.ssh/id_rsa
+ "ssh-rsa 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 eu@euandre.org"
+ ];
+ };
+ };
+ buildUser = (i: {
+ "guixbuilder${i}" = {
+ group = "guixbuild";
+ extraGroups = [ "guixbuild" ];
+ home = "/var/empty";
+ shell = pkgs.nologin;
+ description = "Guix build user ${i}";
+ isSystemUser = true;
+ };
+ });
+ in pkgs.lib.fold (str: acc: acc // buildUser str) andrehUser
+ (map (pkgs.lib.fixedWidthNumber 2) (builtins.genList (n: n + 1) 10));
+ extraGroups.guixbuild = { name = "guixbuild"; };
+ };
+
+ systemd = {
+ services = {
+ guix-daemon = {
+ enable = true;
+ description = "Build daemon for GNU Guix";
+ serviceConfig = {
+ ExecStart =
+ "/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+ };
+
+ system = {
+ stateVersion = "20.09";
+ autoUpgrade = {
+ enable = true;
+ allowReboot = true;
+ };
+ };
+}
diff --git a/servers/nixvps/envsubst-configuration.nix b/servers/nixvps/envsubst-configuration.nix
new file mode 120000
index 0000000..ab7c446
--- /dev/null
+++ b/servers/nixvps/envsubst-configuration.nix
@@ -0,0 +1 @@
+../../secrets/nixvps/envsubst-configuration.nix
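Review bot: `security.sudo.wheelNeedsPassword = false` combined with `andreh` being in `wheel` turns the single authorized SSH key into a silent, passwordless path to root, so anything that ends up running as that user (a leaked key, a hostile hook in one of the repositories it clones) escalates without a prompt; `permitRootLogin = "no"` and `passwordAuthentication = false` do not mitigate that. Since `hashedPassword` is already populated from the secrets file, dropping the line (the NixOS default is `true`) costs one password prompt per sudo, or write `sudo.wheelNeedsPassword = true;` explicitly. The same trust question applies to the cron entries, which run `/opt/bin/gc.sh` and `/opt/bin/backup.sh` as root from a path this configuration does not manage; pointing them at store paths (e.g. via `pkgs.writeShellScript`) would pin the root-executed code to the config. Finally, `gitDaemon.exportAll = true` together with cgit's `scan-path=/srv/git` publishes every repository dropped under `/srv/git` over both port 9418 and HTTPS with no per-repo opt-in; presumably intentional for a public mirror, but a comment such as `# everything under /srv/git is public; nothing needs git-daemon-export-ok` would make that explicit.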
\ No newline at end of file
diff --git a/servers/nixvps/hostname.txt b/servers/nixvps/hostname.txt
new file mode 100644
index 0000000..fbab93b
--- /dev/null
+++ b/servers/nixvps/hostname.txt
@@ -0,0 +1 @@
+kuvira
diff --git a/servers/nixvps/infrastructure.tf b/servers/nixvps/infrastructure.tf
new file mode 100644
index 0000000..2721c56
--- /dev/null
+++ b/servers/nixvps/infrastructure.tf
@@ -0,0 +1,139 @@
+terraform {
+ required_providers {
+ vultr = {
+ source = "vultr/vultr"
+ version = "~> 2.1.2"
+ }
+ }
+ required_version = ">= 0.13"
+}
+
+# Input variables
+
+variable "vultr_api_key" {
+ type = string
+ description = "Vultr API key."
+}
+
+variable "vps_tld" {
+ type = string
+ description = "Root Top-Level Domain. Subdomains will be derived from it."
+}
+
+variable "vps_hostname" {
+ type = string
+ description = "Human name of the host. This is a pet name, not cattle name :)"
+}
+
+variable "vps_dkim_public_key" {
+ type = string
+ description = "Public key for the DNS TXT DKIM record."
+}
+
+variable "vps_dkim_selector" {
+ type = string
+ description = "The DKIM selector that prefixes the domain in the TXT record."
+}
+
+# Vultr
+
+provider "vultr" {
+ api_key = var.vultr_api_key
+}
+
+# Instance
+
+resource "vultr_instance" "vps_server" {
+ enable_ipv6 = true
+ backups = "enabled"
+ hostname = var.vps_hostname
+ activation_email = true
+ label = var.vps_hostname
+ region = "cdg"
+ plan = "vc2-1c-1gb"
+ # $ curl -H "Authorization: Bearer $TF_VAR_vultr_api_key" https://api.vultr.com/v2/snapshots | jq
+ snapshot_id = "8e6aaab6-7973-48a0-aeb5-cb99ab1ff43d"
+}
+
+output "vps_public_ipv4" {
+ value = vultr_instance.vps_server.main_ip
+}
+
+output "vps_public_ipv6" {
+ value = vultr_instance.vps_server.v6_main_ip
+}
+
+# DNS and IP configuration
+
+locals {
+ mail_domain = "mail.${var.vps_tld}"
+}
+
+resource "vultr_dns_domain" "vps_tld" {
+ # The CNAME record is already generated by Vultr
+ domain = var.vps_tld
+ ip = vultr_instance.vps_server.main_ip
+}
+
+resource "vultr_dns_record" "vps_mail_a_record" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = "mail"
+ data = vultr_instance.vps_server.main_ip
+ type = "A"
+}
+
+resource "vultr_reverse_ipv4" "vps_mail_reverse_ipv4" {
+ instance_id = vultr_instance.vps_server.id
+ ip = vultr_instance.vps_server.main_ip
+ reverse = local.mail_domain
+}
+
+resource "vultr_dns_record" "vps_mail_aaaa_record" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = "mail"
+ data = vultr_instance.vps_server.v6_main_ip
+ type = "AAAA"
+}
+
+resource "vultr_reverse_ipv6" "vps_mail_reverse_ipv6" {
+ instance_id = vultr_instance.vps_server.id
+ ip = vultr_instance.vps_server.v6_main_ip
+ reverse = local.mail_domain
+}
+
+resource "vultr_dns_record" "vps_mx_record" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = ""
+ data = local.mail_domain
+ type = "MX"
+}
+
+resource "vultr_dns_record" "vps_spf_txt" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = ""
+ data = "\"v=spf1 mx -all\""
+ type = "TXT"
+}
+
+resource "vultr_dns_record" "vps_dkim_txt" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = "${var.vps_dkim_selector}._domainkey"
+ data = "\"v=DKIM1;k=rsa;p=${var.vps_dkim_public_key}\""
+ type = "TXT"
+}
+
+resource "vultr_dns_record" "vps_dmarc_txt" {
+ domain = vultr_dns_domain.vps_tld.id
+ name = "_dmarc"
+ data = "\"v=DMARC1;p=none;pct=100;rua=mailto:postmaster@${var.vps_tld};\""
+ type = "TXT"
+}
+
+# I think this DNS is configured by default
+
+# resource "vultr_dns_record" "vps_cname_start_alias" {
+# domain = vultr_dns_domain.vps_tld.id
+# name = "*"
+# data = var.vps_tld
+# type = "CNAME"
+# }
diff --git a/servers/nixvps/tld.txt b/servers/nixvps/tld.txt
new file mode 100644
index 0000000..0cb8b8b
--- /dev/null
+++ b/servers/nixvps/tld.txt
@@ -0,0 +1 @@
+euandreh.xyz |
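Review bot: `variable "vultr_api_key"` is not marked `sensitive = true`, which is cheap insurance for a credential that the `snapshot_id` comment already shows being passed around as `$TF_VAR_vultr_api_key`: today it only feeds the `provider "vultr"` block, which Terraform does not print, but any future reference from a resource or an output would surface it verbatim in plan output and CI logs. Adding it means bumping `required_version = ">= 0.14"`, since the attribute does not exist in 0.13, which the current `>= 0.13` still admits; note it does not remove the value from saved plan files or state, so those still need to be treated as secrets. Separately, the DMARC record's `p=none` only asks receivers for reports and lets mail that fails SPF/DKIM through unaffected, which is a sensible rollout start but easy to forget; a comment such as `# p=none is monitor-only: move to quarantine/reject once rua reports are clean` would keep it from being mistaken for the final policy.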