author | EuAndreh <eu@euandre.org> | 2021-07-29 14:44:17 -0300 |
---|---|---|
committer | EuAndreh <eu@euandre.org> | 2021-07-29 14:50:25 -0300 |
commit | c8676b05827bc4a764c355397c7f0622f5676798 (patch) | |
tree | 03fc522c39bb834d1032ed5dd3d25598e2c66dd3 | |
parent | cd servers && git mv discussions-site/ guixvps/ mailbug/ mediator/ multipatch... (diff) | |
WIP reactivate nixvps with Terraform and nixos-rebuild on Vultr
-rw-r--r-- | .env | 6 | ||||
-rw-r--r-- | .envrc | 26 | ||||
-rw-r--r-- | .gitattributes | 1 | ||||
-rw-r--r-- | .gitignore | 4 | ||||
-rw-r--r-- | TODOs.md | 8 | ||||
l--------- | opt/secrets/mail-user-password-hash.txt | 1 | ||||
-rwxr-xr-x | scripts/deploy | 30 | ||||
-rw-r--r-- | servers/active/nixvps/.terraform.lock.hcl | bin | 0 -> 1127 bytes | |||
-rw-r--r-- | servers/active/nixvps/configuration.nix | 229 | ||||
-rw-r--r-- | servers/active/nixvps/infrastructure.tf | 46 | ||||
l--------- | servers/active/nixvps/opt/secrets | 1 | ||||
-rw-r--r-- | servers/active/nixvps/terraform.tfstate | bin | 0 -> 178 bytes | |||
-rw-r--r-- | servers/active/nixvps/terraform.tfstate.backup | bin | 0 -> 9255 bytes | |||
-rw-r--r-- | servers/active/nixvps/tf-env.sh | 7 | ||||
-rw-r--r-- | servers/active/nixvps/tld.txt | 2 |
15 files changed, 296 insertions, 65 deletions
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+TF_VAR_vultr_api_key="$(cat ./secrets/terraform/vultr-api-key.txt ||:)"
+if [ -n "$TF_VAR_vultr_api_key" ]; then
+ export TF_VAR_vultr_api_key
+fi
@@ -1,26 +0,0 @@
-#!/bin/sh -eu
-
-#
-# shared
-#
-VPS_HOSTNAME="$(cat servers/vps/hostname.txt)"
-VPS_TLD="$(cat servers/vps/tld.txt)"
-export TLD
-
-#
-# Terraform
-#
-export TF_VAR_vps_tld="$VPS_TLD"
-export TF_VAR_vps_hostname="$VPS_HOSTNAME"
-export TF_VAR_vps_storage_name="$VPS_HOSTNAME-storage"
-
-TF_VAR_vultr_api_key="$(cat ./secrets/terraform/vultr-api-key.txt ||:)"
-if [ -n "$TF_VAR_vultr_api_key" ]; then
- export TF_VAR_vultr_api_key
-fi
-
-TF_VAR_vps_dkim_public_key="$(head -n -1 < ./secrets/vps/mail/dkim/tld.pub | tail -n +2 | tr -d '\n')"
-export TF_VAR_vps_dkim_public_key
-
-# Selector: date when it was created
-export TF_VAR_vps_dkim_selector='20201126'
diff --git a/.gitattributes b/.gitattributes
index 4239af9..a500efa 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
 secrets/**/* filter=git-crypt diff=git-crypt
+servers/**/*terraform* filter=git-crypt diff=git-crypt
@@ -1,8 +1,8 @@
 # Terraform
-/.terraform/
+.terraform/
 # HTML
 /tasks-and-bugs.html
 /tasks-and-bugs.html~
 /tasks-and-bugs.org
-/public/
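Review bot: The added pattern `servers/**/*terraform*` is wider than the state it is meant to protect: it also matches `.terraform.lock.hcl`, which the diffstat now shows as binary, so the provider hashes that lockfile pins can no longer be reviewed in plaintext. Only `terraform.tfstate` and `terraform.tfstate.backup` need encrypting, since state typically records every attribute a provider returns, including sensitive ones. A narrower rule such as `servers/**/terraform.tfstate* filter=git-crypt diff=git-crypt` keeps the lockfile readable while still encrypting both state files.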
\ No newline at end of file
+/public/
@@ -273,3 +273,11 @@ client to talk with Telegram and WhatsApp chats.
 https://news.ycombinator.com/item?id=26005038
 https://news.ycombinator.com/item?id=27450364
+
+TURN STUN server
+
+parameterize SSH port
+
+public key is, at the same time, being generated by mailserver and via openssl
+
+Make VPS run on home server?
diff --git a/opt/secrets/mail-user-password-hash.txt b/opt/secrets/mail-user-password-hash.txt
deleted file mode 120000
index c739151..0000000
--- a/opt/secrets/mail-user-password-hash.txt
+++ /dev/null
@@ -1 +0,0 @@
-../../secrets/nixvps/mail-user-password-hash.txt
\ No newline at end of file
diff --git a/scripts/deploy b/scripts/deploy
index 1b37888..d4a0128 100755
--- a/scripts/deploy
+++ b/scripts/deploy
@@ -1,9 +1,20 @@
 #!/bin/sh
 set -eu
+usage() {
+ cat <<EOF
+Usage:
+ $0 HOSTNAME
+
+Examples:
+ $0 kuvira
+EOF
+}
+
 NAME="${1:-}"
 if [ -z "$NAME" ]; then
- printf 'Missing hostname\n' >&2
+ printf 'Missing HOSTNAME\n' >&2
+ usage >&2
 exit 2
 fi
@@ -15,17 +26,22 @@ fi
 DIR="$(dirname "$FILE")"
-terraform apply "$DIR"
+cd "$DIR"
+. ./tf-env.sh
+terraform init
+terraform apply
+cd - > /dev/null
 TLD="$(cat "$DIR"/tld.txt)"
 DIRS='/opt /srv'
 # shellcheck disable=2029
 ssh "$TLD" "\
-sudo mkdir -p $DIRS && \
-sudo chown $USER:users -R $DIRS && \
-chmod -R 755 $DIRS"
+ sudo mkdir -p $DIRS && \
+ sudo chown $USER:users -R $DIRS && \
+ chmod -R 755 $DIRS
+"
-rsync -avzPL opt "$TLD":/
+rsync -avzPL opt "$DIR/opt" "$TLD":/
 if [ -f "$DIR"/machines.scm ]; then
 guix deploy "$DIR"/machines.scm
@@ -33,6 +49,6 @@ elif [ -f "$DIR"/configuration.nix ]; then
 scp "$DIR"/configuration.nix "$TLD":/etc/nixos/
 ssh "$TLD" sudo nixos-rebuild switch
 else
- printf 'Uknown OS type of "%s"\n' "$NAME" >&2
+ printf 'Uknown deploy type for "%s"\n' "$NAME" >&2
 exit 2
 fi
diff --git a/servers/active/nixvps/.terraform.lock.hcl b/servers/active/nixvps/.terraform.lock.hcl
Binary files differ
new file mode 100644
index 0000000..62406b0
--- /dev/null
+++ b/servers/active/nixvps/.terraform.lock.hcl
diff --git a/servers/active/nixvps/configuration.nix b/servers/active/nixvps/configuration.nix
new file mode 100644
index 0000000..4d793db
--- /dev/null
+++ b/servers/active/nixvps/configuration.nix
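Review bot: The rewritten remote command block still runs `sudo mkdir -p $DIRS` and `sudo chown ...`, and the context line `ssh "$TLD" sudo nixos-rebuild switch` in the next hunk does too, while the `configuration.nix` added in this same commit sets `security.sudo.enable = false` and enables `doas`, so a deploy to nixvps will stop at the first privileged step. Either call `doas` here or make the escalation command a variable, e.g. `SUDO="${SUDO:-doas}"` followed by `$SUDO mkdir -p $DIRS && \` and `$SUDO chown $USER:users -R $DIRS && \`. Separately, `rsync -avzPL opt "$DIR/opt" "$TLD":/` now dereferences the new `opt/secrets` symlink (`-L`) and copies the secret files that `configuration.nix` reads from `/opt/secrets` with their local modes (`-a`), and the `chmod -R 755 $DIRS` runs before the sync, so it is worth confirming those files are not group- or world-readable on the deploying machine. The `if` whose `elif`/`else` arms follow in the next hunk starts on this hunk's last context line.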
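Review bot: The rewritten message in the last hunk keeps the old line's misspelling: `printf 'Uknown deploy type for "%s"\n' "$NAME" >&2` should read `printf 'Unknown deploy type for "%s"\n' "$NAME" >&2`. Since this line is the only one the hunk changes, the typo is cheap to fix in the same commit.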
@@ -0,0 +1,229 @@ +{ config, pkgs, ... }: + +let + envsubstConfiguration = + pkgs.callPackage /opt/secrets/envsubst-configuration.nix { }; + config = rec { + TLD = envsubstConfiguration.TLD; + cgitPort = "81"; + openSSHPort = 23841; + }; +in { + imports = [ + ./hardware-configuration.nix + (builtins.fetchTarball { + url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/master/nixos-mailserver-master.tar.gz"; + }) + ]; + + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/vda"; + }; + + networking = { + interfaces.ens3.useDHCP = true; + }; + + nix = { + gc = { + automatic = true; + options = "--delete-older-than 7d"; + }; + # min-free 1G + extraOptions = '' + min-free = ${toString (1024 * 1024 * 1024)} + ''; + }; + + environment = { + systemPackages = let + c99 = pkgs.tinycc.overrideAttrs (oldAttrs: { + postInstall = '' + ln -s $out/bin/tcc $out/bin/c99 + ''; + }); + in with pkgs; [ vim git gitAndTools.git-annex gnumake gnum4 c99 bpytop ]; + shellAliases = { l = "ls -lahF"; }; + }; + + networking.firewall.allowedTCPPorts = [ + # SSH: OpenSSH + config.openSSHPort + + # HTTP and HTPPS: NGINX + 80 + 443 + + # Git daemon + 9418 + ]; + + security = { + acme = { + acceptTerms = true; + email = "eu@euandre.org"; + }; + sudo.enable = false; + doas = { + enable = true; + extraConfig = '' + permit nopass setenv { NIX_PATH } :wheel + ''; + }; + }; + + services = { + openssh = { + enable = true; + permitRootLogin = "no"; + passwordAuthentication = false; + ports = [ config.openSSHPort ]; + }; + + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { + "${config.TLD}" = { + forceSSL = true; + enableACME = true; + root = "/srv/http/"; + extraConfig = '' + # Allow <script type="module" src="..."> 3rd-party HTML pages + add_header 'Access-Control-Allow-Origin' '*'; + autoindex on; + ''; + }; + "git.${config.TLD}" 
= { + forceSSL = true; + enableACME = true; + extraConfig = '' + location = /favicon.ico { + alias ${pkgs.cgit}/cgit/favicon.ico; + } + location / { + # Allow <script type="module" src="..."> 3rd-party HTML pages + add_header 'Access-Control-Allow-Origin' '*'; + proxy_pass http://localhost:${config.cgitPort}; + } + ''; + }; + }; + }; + + lighttpd = { + enable = true; + port = pkgs.lib.toInt config.cgitPort; + cgit = { + enable = true; + subdir = ""; + configText = '' + enable-blame=1 + enable-commit-graph=1 + enable-follow-links=1 + enable-index-owner=0 + enable-log-filecount=1 + enable-log-linecount=1 + enable-html-serving=1 + root-desc=Patches welcome! + readme=:README.en.md + readme=:README.md + readme=:README + max-repodesc-length=120 + max-repo-count=999 + remove-suffix=1 + root-title=EuAndreh's repositories + snapshots=tar.xz + source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py + about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh + scan-path=/srv/http + mimetype.mjs=text/javascript + ''; + }; + }; + + gitDaemon = { + enable = true; + basePath = "/srv/http"; + exportAll = true; + }; + + cron = { + enable = true; + systemCronJobs = [ + "30 1 * * 1 root /opt/bin/gc.sh" + "30 0 * * * root /opt/bin/backup.sh" + ]; + }; + }; + + users = { + # Improve: make mutable + mutableUsers = false; + extraUsers = let + andrehUser = { + andreh = { + uid = 1000; + isNormalUser = true; + extraGroups = [ "wheel" ]; + hashedPassword = envsubstConfiguration.hashedPassword; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 eu@euandre.org" + ]; + }; + }; + buildUser = (i: { + "guixbuilder${i}" = { + group = "guixbuild"; + extraGroups = [ "guixbuild" ]; + home = "/var/empty"; + shell = pkgs.nologin; + description = "Guix build user ${i}"; + isSystemUser = true; + }; + }); + in pkgs.lib.fold (str: acc: acc // buildUser str) andrehUser + (map (pkgs.lib.fixedWidthNumber 2) (builtins.genList (n: n + 1) 10)); + 
extraGroups.guixbuild = { name = "guixbuild"; }; + }; + + mailserver = { + enable = true; + fqdn = "mail.${config.TLD}"; + domains = [ config.TLD ]; + loginAccounts = { + "eu@${config.TLD}" = { + hashedPasswordFile = "/opt/secrets/mail-user-password-hash.txt"; + aliases = [ "@${config.TLD}" ]; + }; + }; + certificateScheme = 3; + }; + + systemd = { + services = { + guix-daemon = { + enable = true; + description = "Build daemon for GNU Guix"; + serviceConfig = { + ExecStart = + "/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild"; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; + }; + + system = { + stateVersion = "20.09"; + autoUpgrade = { + enable = true; + allowReboot = true; + }; + }; +} diff --git a/servers/active/nixvps/infrastructure.tf b/servers/active/nixvps/infrastructure.tf index 2721c56..ae37080 100644 --- a/servers/active/nixvps/infrastructure.tf +++ b/servers/active/nixvps/infrastructure.tf @@ -15,26 +15,16 @@ variable "vultr_api_key" { description = "Vultr API key." } -variable "vps_tld" { +variable "tld" { type = string description = "Root Top-Level Domain. Subdomains will be derived from it." } -variable "vps_hostname" { +variable "hostname" { type = string description = "Human name of the host. This is a pet name, not cattle name :)" } -variable "vps_dkim_public_key" { - type = string - description = "Public key for the DNS TXT DKIM record." -} - -variable "vps_dkim_selector" { - type = string - description = "The DKIM selector that prefixes the domain in the TXT record." -} - # Vultr provider "vultr" { @@ -46,9 +36,9 @@ provider "vultr" { resource "vultr_instance" "vps_server" { enable_ipv6 = true backups = "enabled" - hostname = var.vps_hostname + hostname = var.hostname activation_email = true - label = var.vps_hostname + label = var.hostname region = "cdg" plan = "vc2-1c-1gb" # $ curl -H "Authorization: Bearer $TF_VAR_vultr_api_key" https://api.vultr.com/v2/snapshots | jq 
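Review bot: The `builtins.fetchTarball` in `imports` pulls nixos-mailserver from the `master` archive URL with no `sha256`, so every evaluation — and, with `system.autoUpgrade.enable = true` and `allowReboot = true` further down, every unattended upgrade that re-evaluates the configuration — builds the mail stack from whatever that branch currently contains, unverified. Pin it to a release archive and a hash, e.g. `url = "<PINNED_RELEASE_TARBALL_URL>"; sha256 = "<EXPECTED_SHA256>";` (placeholders), so an upstream change cannot silently alter what gets deployed. Two smaller points: `let config = rec { ... }` shadows the `config` module argument declared on the first line, which is legal but easy to misread as the NixOS option tree, and `permit nopass setenv { NIX_PATH } :wheel` gives every wheel member passwordless root, so the single `andreh` SSH key becomes the only barrier to root on this host — worth a one-line comment stating that this is intended.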
@@ -66,17 +56,17 @@ output "vps_public_ipv6" {
 # DNS and IP configuration
 locals {
- mail_domain = "mail.${var.vps_tld}"
+ mail_domain = "mail.${var.tld}"
 }
-resource "vultr_dns_domain" "vps_tld" {
+resource "vultr_dns_domain" "tld" {
 # The CNAME record is already generated by Vultr
- domain = var.vps_tld
+ domain = var.tld
 ip = vultr_instance.vps_server.main_ip
 }
 resource "vultr_dns_record" "vps_mail_a_record" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
 name = "mail"
 data = vultr_instance.vps_server.main_ip
 type = "A"
@@ -89,7 +79,7 @@ resource "vultr_reverse_ipv4" "vps_mail_reverse_ipv4" {
 }
 resource "vultr_dns_record" "vps_mail_aaaa_record" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
 name = "mail"
 data = vultr_instance.vps_server.v6_main_ip
 type = "AAAA"
@@ -102,38 +92,38 @@ resource "vultr_reverse_ipv6" "vps_mail_reverse_ipv6" {
 }
 resource "vultr_dns_record" "vps_mx_record" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
 name = ""
 data = local.mail_domain
 type = "MX"
 }
 resource "vultr_dns_record" "vps_spf_txt" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
 name = ""
 data = "\"v=spf1 mx -all\""
 type = "TXT"
 }
 resource "vultr_dns_record" "vps_dkim_txt" {
- domain = vultr_dns_domain.vps_tld.id
- name = "${var.vps_dkim_selector}._domainkey"
- data = "\"v=DKIM1;k=rsa;p=${var.vps_dkim_public_key}\""
+ domain = vultr_dns_domain.tld.id
+ name = "mail._domainkey"
+ data = "\"v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgxJoKIUUzm1/4b507UQnO2gzJU5haFUhjLK2Vsx3eEGZ83XNj1NkI40IstWsR1VXNUkYcnuCGYwwoDwu397PBRK3qi62MV85rtLQ3ZbUoCkEtPgdoLome/87TU1sziMgadGVwK5QeV4bfFQYCY8dinM9QzIpfUo3UyB6s9mrCbQIDAQAB\""
 type = "TXT"
 }
 resource "vultr_dns_record" "vps_dmarc_txt" {
- domain = vultr_dns_domain.vps_tld.id
+ domain = vultr_dns_domain.tld.id
 name = "_dmarc"
- data = "\"v=DMARC1;p=none;pct=100;rua=mailto:postmaster@${var.vps_tld};\""
+ data = "\"v=DMARC1; p=quarantine\""
 type = "TXT"
 }
 # I think this DNS is configured by default
 # resource "vultr_dns_record" "vps_cname_start_alias" {
-# domain = vultr_dns_domain.vps_tld.id
+# domain = vultr_dns_domain.tld.id
 # name = "*"
-# data = var.vps_tld
+# data = var.tld
 # type = "CNAME"
 # }
diff --git a/servers/active/nixvps/opt/secrets b/servers/active/nixvps/opt/secrets
new file mode 120000
index 0000000..54184b4
--- /dev/null
+++ b/servers/active/nixvps/opt/secrets
@@ -0,0 +1 @@
+../../../../secrets/nixvps
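Review bot: The new `vps_dmarc_txt` value `"v=DMARC1; p=quarantine"` drops the `rua=` tag the replaced record carried, so receivers will now quarantine mail that fails alignment while nobody receives the aggregate reports that would reveal it — for instance when the DKIM key is rotated and the hardcoded record below goes stale. Keep the reporting address while tightening the policy: `data = "\"v=DMARC1; p=quarantine; rua=mailto:postmaster@${var.tld}\""`. Relatedly, `vps_dkim_txt` now inlines the public key and the `mail` selector instead of deriving them from the mailserver's key, which the TODO added in this commit acknowledges; a comment on that resource naming where the key comes from and how it is kept in sync would make the next rotation safer.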
\ No newline at end of file
diff --git a/servers/active/nixvps/terraform.tfstate b/servers/active/nixvps/terraform.tfstate
Binary files differ
new file mode 100644
index 0000000..69d33a2
--- /dev/null
+++ b/servers/active/nixvps/terraform.tfstate
diff --git a/servers/active/nixvps/terraform.tfstate.backup b/servers/active/nixvps/terraform.tfstate.backup
Binary files differ
new file mode 100644
index 0000000..409f268
--- /dev/null
+++ b/servers/active/nixvps/terraform.tfstate.backup
diff --git a/servers/active/nixvps/tf-env.sh b/servers/active/nixvps/tf-env.sh
new file mode 100644
index 0000000..1ad643e
--- /dev/null
+++ b/servers/active/nixvps/tf-env.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+TF_VAR_hostname="$(cat hostname.txt)"
+export TF_VAR_hostname
+
+TF_VAR_tld="$(cat tld.txt)"
+export TF_VAR_tld
diff --git a/servers/active/nixvps/tld.txt b/servers/active/nixvps/tld.txt
index 0cb8b8b..1aaed8d 100644
--- a/servers/active/nixvps/tld.txt
+++ b/servers/active/nixvps/tld.txt
@@ -1 +1 @@
-euandreh.xyz
+arrobaponto.org