From 66ee1bb54132949357d9d113458bc04bbd702213 Mon Sep 17 00:00:00 2001 From: Gerg-L Date: Mon, 18 Sep 2023 22:38:12 -0400 Subject: [PATCH] moved all services out of nixos containers fixed a lot as well --- hosts/gerg-desktop/containers/minecraft.nix_ | 107 --------------- hosts/gerg-desktop/containers/website.nix | 125 ------------------ hosts/gerg-desktop/secrets.yaml | 11 +- hosts/gerg-desktop/services/gitea.nix | 34 +++++ hosts/gerg-desktop/services/minecraft.nix | 101 ++++++++++++++ hosts/gerg-desktop/services/nextcloud.nix | 40 ++++++ hosts/gerg-desktop/{ => services}/nginx.nix | 44 +++--- hosts/gerg-desktop/{ => services}/parrot.nix | 5 +- hosts/gerg-desktop/services/postgresql.nix | 24 ++++ hosts/gerg-desktop/{ => services}/searxng.nix | 22 ++- 10 files changed, 247 insertions(+), 266 deletions(-) delete mode 100644 hosts/gerg-desktop/containers/minecraft.nix_ delete mode 100644 hosts/gerg-desktop/containers/website.nix create mode 100644 hosts/gerg-desktop/services/gitea.nix create mode 100644 hosts/gerg-desktop/services/minecraft.nix create mode 100644 hosts/gerg-desktop/services/nextcloud.nix rename hosts/gerg-desktop/{ => services}/nginx.nix (56%) rename hosts/gerg-desktop/{ => services}/parrot.nix (90%) create mode 100644 hosts/gerg-desktop/services/postgresql.nix rename hosts/gerg-desktop/{ => services}/searxng.nix (52%) diff --git a/hosts/gerg-desktop/containers/minecraft.nix_ b/hosts/gerg-desktop/containers/minecraft.nix_ deleted file mode 100644 index d9701b9..0000000 --- a/hosts/gerg-desktop/containers/minecraft.nix_ +++ /dev/null 
@@ -1,107 +0,0 @@ -{self, ...}: { - containers."minecraft" = { - ephemeral = true; - autoStart = true; - privateNetwork = true; - hostBridge = "br0"; - localAddress = "192.168.1.10/24"; - bindMounts."/minecraft" = { - hostPath = "/persist/minecraft"; - isReadOnly = false; - }; - config = { - pkgs, - lib, - ... - }: { - nixpkgs.config.allowUnfree = true; - environment.systemPackages = [pkgs.neovim]; - networking = { - defaultGateway = "192.168.1.1"; - nameservers = ["192.168.1.1"]; - useHostResolvConf = lib.mkForce false; - - firewall = { - allowedUDPPorts = [25565]; - allowedTCPPorts = [25565]; - }; - }; - systemd.services.setmacaddr = { - script = '' - /run/current-system/sw/bin/ip link set dev eth0 address 00:00:00:00:00:10 - ''; - wantedBy = ["basic.target"]; - after = ["dhcpcd.service"]; - }; - boot.initrd.postDeviceCommands = "mkdir -p /minecraft"; - - system.stateVersion = "unstable"; - users.users.minecraft = { - description = "Minecraft server service user"; - home = "/minecraft"; - createHome = true; - isSystemUser = true; - group = "minecraft"; - }; - users.groups.minecraft = {}; - - systemd.sockets.minecraft-server = { - bindsTo = ["minecraft-server.service"]; - socketConfig = { - ListenFIFO = "/run/minecraft-server.stdin"; - SocketMode = "0660"; - SocketUser = "minecraft"; - SocketGroup = "minecraft"; - RemoveOnStop = true; - FlushPending = true; - }; - }; - - systemd.services.minecraft-server = { - enable = true; - description = "Minecraft Server Service"; - wantedBy = ["multi-user.target"]; - requires = ["minecraft-server.socket"]; - after = ["network.target" "minecraft-server.socket"]; - - serviceConfig = { - ExecStart = "${self.packages.${pkgs.system}.papermc}/bin/minecraft-server -Xms8G -Xmx8G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 
-XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true"; - Restart = "always"; - User = "minecraft"; - WorkingDirectory = "/minecraft"; - - StandardInput = "socket"; - StandardOutput = "journal"; - StandardError = "journal"; - - # Hardening - CapabilityBoundingSet = [""]; - DeviceAllow = [""]; - LockPersonality = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - RestrictAddressFamilies = ["AF_INET" "AF_INET6"]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - UMask = "0077"; - }; - preStart = '' - echo "eula=true" > eula.txt - - ''; - }; - }; - }; - _file = ./minecraft.nix; -} diff --git a/hosts/gerg-desktop/containers/website.nix b/hosts/gerg-desktop/containers/website.nix deleted file mode 100644 index 1d18770..0000000 --- a/hosts/gerg-desktop/containers/website.nix +++ /dev/null 
@@ -1,125 +0,0 @@ -_: { - sops.secrets = { - "website/sql_gitea" = { - mode = "0444"; - }; - "website/sql_nextcloud" = { - mode = "0444"; - }; - "website/nextcloud" = { - mode = "0444"; - }; - }; - containers."website" = { - ephemeral = true; - autoStart = true; - privateNetwork = true; - hostBridge = "br0"; - localAddress = "192.168.1.11/24"; - bindMounts = { - "/var" = { - hostPath = "/persist/website/var"; - isReadOnly = false; - }; - "/etc/ssh" = { - hostPath = "/persist/website/etc/ssh/"; - isReadOnly = false; - }; - "/secrets".hostPath = "/run/secrets/website"; - }; - config = { - pkgs, - config, - lib, - ... - }: let - giteaPort = 3000; - in { - nixpkgs.config.allowUnfree = true; - environment.systemPackages = [pkgs.neovim]; - networking = { - defaultGateway = "192.168.1.1"; - nameservers = ["192.168.1.1"]; - useHostResolvConf = lib.mkForce false; - firewall.allowedTCPPorts = [giteaPort 80 443 22]; - }; - systemd.services.setmacaddr = { - script = '' - /run/current-system/sw/bin/ip link set dev eth0 address 00:00:00:00:00:11 - ''; - wantedBy = ["basic.target"]; - after = ["dhcpcd.service"]; - }; - system.stateVersion = "unstable"; - services = { - gitea = { - enable = true; - appName = "Powered by NixOS"; - settings = { - server = { - DOMAIN = "git.gerg-l.com"; - ROOT_URL = "https://git.gerg-l.com/"; - HTTP_PORT = giteaPort; - LANDING_PAGE = "/explore/repos"; - }; - ui = { - DEFAULT_THEME = "arc-green"; - }; - service = { - DISABLE_REGISTRATION = true; - }; - }; - database = { - type = "postgres"; - passwordFile = "/secrets/sql_gitea"; - }; - }; - nextcloud = { - enable = true; - package = pkgs.nextcloud27; - hostName = "next.gerg-l.com"; - autoUpdateApps.enable = true; - enableBrokenCiphersForSSE = false; - config = { - dbtype = "pgsql"; - dbhost = "/run/postgresql"; - dbpassFile = "/secrets/sql_nextcloud"; - adminpassFile = "/secrets/nextcloud"; - adminuser = "admin-root"; - defaultPhoneRegion = "IL"; - }; - }; - postgresql = { - enable = true; - package = 
pkgs.postgresql_13; - ensureDatabases = [config.services.nextcloud.config.dbname]; - ensureUsers = [ - { - name = config.services.nextcloud.config.dbuser; - ensurePermissions."DATABASE ${config.services.nextcloud.config.dbname}" = "ALL PRIVILEGES"; - } - ]; - authentication = '' - local gitea all ident map=gitea-users - ''; - identMap = '' - gitea-users gitea gitea - ''; - }; - openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - }; - }; - systemd.services."nextcloud-setup" = { - requires = ["postgresql.service"]; - after = ["postgresql.service"]; - }; - }; - }; - _file = ./website.nix; -} diff --git a/hosts/gerg-desktop/secrets.yaml b/hosts/gerg-desktop/secrets.yaml index 4223490..f1814a7 100644 --- a/hosts/gerg-desktop/secrets.yaml +++ b/hosts/gerg-desktop/secrets.yaml 
@@ -2,10 +2,9 @@ discordenv: ENC[AES256_GCM,data:dzl1FaBUPiiGR8hOmUVDulGnS9wBwX0ddYYV/euilrrHGO8G searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str] gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str] store_key: ENC[AES256_GCM,data:/1wAHcMZl3loV2IR7mj1z51lwfKmaP24DgEjl2w8qwbrKHBIS09meLXrVTvsvQmFM4AvKig9ADs1aeYoVTTEa4QE9nKJ/LyRI5z8dHe7j7H5Y+UI+Syr0CUKN2I9UuqkOAyWrPM=,iv:5cLxhzNawFMTKn+MT5cHILTvggHmxteycL+2bxUPsoc=,tag:q8voriNRZUL4pYYfOvJT0A==,type:str] -website: - nextcloud: ENC[AES256_GCM,data:JoxSXYzBhXV+h4Ar,iv:jKlAwWfX58DpgGbGOqWBIwcnx8EdIxhFKOUzsDccr7w=,tag:L6UBHh1HU8Je+OczQCypXg==,type:str] - sql_gitea: ENC[AES256_GCM,data:Usfd0QDm/4ntj7kzXXYa3O7H7/E=,iv:3xUD2KuQvJUQtai6C+qAnQ2RbkpN5VLK8BUJFiMpQkY=,tag:E6KNzFIZekgecJCBPlw4YA==,type:str] - sql_nextcloud: ENC[AES256_GCM,data:xkJioAZCCd8aIxS283UhZ2yfLgQ=,iv:7SQ2iSJShX6dDP3qD0KPaJP49CQ6RMHQ6uY5J/WODtI=,tag:HNXYa1L88mGB5uOrmTuFDg==,type:str] +nextcloud: ENC[AES256_GCM,data:CJqcH+l7EMwV8q7S,iv:uiq+lRMYR8APoVCmliAvUEthBUABdPXxs53y8I1WB+M=,tag:ObRMNYp9xIKR4VPxQr3JfA==,type:str] +sql_gitea: ENC[AES256_GCM,data:KX6q1xqCgdAzC+A+HadEIo0JrQ8=,iv:Ljqy5VE6PpqZyS27PXRJbVH4yPE2GQBbVYZimNdF4o0=,tag:/wo72SvCfycb5zZ62O480A==,type:str] +sql_nextcloud: ENC[AES256_GCM,data:LzIJ1ikyxBkmCvInmvxZ2KqYHv8=,iv:t3uYBkbLR1U+IKFkF+myZcPUsA1zQs7hU0JAY0ZBvZc=,tag:xQ7Da2c6s9ZFDq13fT54ew==,type:str] gerg_ssl_key: ENC[AES256_GCM,data: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,iv:aE4/hxhfju3jJXjwK0TrfI/cbLsFgDEDspg2zTgqo4M=,tag:LAmit77WTZnpoCX1iuhkbQ==,type:str] gerg_ssl_cert: ENC[AES256_GCM,data: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,iv:ncEJNbY/7oUGNKRvhRHLq7Z8J5dCXl91oT5BYuOV5ZE=,tag:Us+lhVE7d5eeix1Iw/08+w==,type:str] 
nixfu_ssl_key: ENC[AES256_GCM,data:gwMbdsu2mlcZvCFrh6G/SQoIJLcUNyMkInw73+gUqR1EJH/kShqQGkQluE1lEoXobnh6wK5Rqz9yN4EJwWw/u4W6gYnXKOIHlb13faJHpRwTu1RPMmiJdJcCfjmW7sx+Yao1WjPq9h5Wr6CQjsACU4KPpIp0FWkVr5I6gGX91gkXyQgksGOKUcLQJYJDKLYbvTBnSA68Yoho4Tv5USG+GuxE1NQn3mc3cysA8V9sSZiR54cx2zK+u5l+MeC1Kcxh2KU9CER+B43jOonYxPj5EID0ZTv8aovkRcxkTTBzSdUvwCiUUx6IEectW0xtMeHxXrdDXwsxyuVCNPfmtgsqt5jIIJmEy985zLFjXNddG1CBgGTqxGamsMZ+McXCSb9ZD0wiMp9KVa6+ohLnc8PLIiN2qGFg1X2PNYzTTyesM6qja/9cV6A1raoQWhZOFfjEbsLmVtTI99QuBUtVJP6Q5lHeELIVm9ALc2W13P4/4waeCo2lQbI0hmU9FcL5hd3oiot0/DotnlqXhi6a9Qa2OSwBgpTHzZIihAPkMnxSskgymcK6CAX6es9m1v+526XG4gRAcSZ0nQWLRnF3++2g7jNCU/ivAdu1exzQRw6Y3UaluyaY46i67V53zVtddgsQlyRAxtCouJNFFCJp5KJ8+6J6ohF4wuN2L8ABR/DrrZ+piiAfgwnrOevGxRwKyKOzL+SjSLwM/ybxhgSDcM0LffMcs8FdUHgV7Qtr4lBvhluFGKza4N5ZYTe5bJLnm2poIKiXjsUPKSJmuipmYzPbRwOm8Y329J418MXNQNhDr8DV/BzOyzzWSWM//B2FMLTgJrn69VWrsdGGUKv/j5dwRRU1iYpO5Of83JiIJzHbWL35iQ0RsfC/O+oTrjYGNw3Bc3XyIogCW054u6kDjxBDTcG+26kSPujUz1D7DxJ4hZwMnr84/CkR5qmktgn1rpH4caz3bUjJjmrO4jeLYQP3eTEXnahTU2N81SjzCekvYsiIB/nq3oVtxnSFlEiAu5KiqswqBv0j8XOABbPu4elyUi09ekYz2ZQ2DtBLz+I5r6seDykIVL9zWmBEJHawGAC1yRAI4CWe28cCTOnpkt2keewBmZG1QwbINvEc21Q0NutGdZ3s27RHkGnsoda8tk5DipF8k5dyxmLy8jzFmHAwNB7m1UG5IYhFy95+C8ihfQF2tJfmO6VEDHuAviSdso/+wgYVsfp1MbtK9w+ACQvEbO90yRDBQ9VBg326C87kk9pXLal7l94JkBMR7cbLTAKH60ApYpLPVIZDvaHV2jxSrXypK6hdyTjpVnpyyC3SQXo1bn/Ixtd/tfA2fP5/IPB7xdNYEYu7lJWa7sY91BjhnnxRPkfCINt491MIXGqTO6LpGc/hJBukQI7rTr+mxJK5ajkvBpgDg7O+5sS/kmCbcFSAFw/T85n+WDo6QMQbrZqgrqmT6PaRtCLVWAIVX5UBDNUvXf6gUX/8WnSdQZtOPfkTBu3JEyDCkF/ETI+OZDnXVnOXKmYT7SMVHbPWxsTtmBuH1FZYi1aw7wyj/M7IC3k1ytm2YfOtRgO+xUi402gWS09fdENVWQ4fyRkNmwFvi9lBBvi9W2gCFWe53X2GO4Z3MQnKAtVCi0Rv8Xwh+hu8MijMwrs3CSSDAX1C3MAYQ9enzSXPeMQuZ84MQi4P664saNBd3gPRHQT52yH3tobpIwIZ8xUnHJ/Q6Rw6HRMtAqE8XWIxBGf7b0qqYkfwquE1uwiCVuq/j/af6qX3aNro1GyRymcPJN0Ko9JNOSn39SQxCqKawPHaFv7HX3JjEI299KNMGlD7lu8RKorD/+gIoz/7BTe1kmoUZDVPrgzudRvFAOrOATCoV/+FC48OQYoa24CITQx5ymJ1zTLE9d4M8vwNiOCpcVPyjabn8kt8rJmajjSidPAY+OX6lHpNbjcORZmjExZNMO5qApIqdl4WW
9/pVq/pZSUwM31WbM0/JpJdws1LX5Ao+G2m/CO2fJqQS53mXMHfF85UWkJ1BuO5Be4Z54AWDDp4ZJzNfnQS/Ee84peTEExJ9mFvWYSlPLtzFOeUvI22RAcUJpQ/2vo8pI8S8h3BYCfSRyRW7ISYBCcRCpw/AkLWkgvOvXDYNj8xvPAtzftiP1GkMwjJSpbX3QGOYgO31KTy8lh836ePrJWsZa1MPD9nxyhajxs4MwKm2384UMtqu53mTtx7s2MchhiqrJoRUJW0Brq/oZM/WhhKHSjWssYrwLx5bymhg//Oa9PBP30j,iv:BbD2i/35D8p0/eEQ6RuM5nsDnQV+x2nTLU890LSju38=,tag:to2mYPiNkdYBHsgG7NJDbQ==,type:str] @@ -25,8 +24,8 @@ sops: dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-09-17T05:38:47Z" - mac: ENC[AES256_GCM,data:Qf7Xlq2cO+zZQHmf9FYKEVU5MNtjW63EZkUd78bDcACXU8SHjtN9LY6rT8cXdtGdjY/rwG78bhT1uoh22BsUSuLDymMV9oNPnc9OZUb+OTVJ6tI0LMnJguHcKWzIwSjVhpabhkbs9O5VrDQGDX+suuNYjp3Fb0jmudUGgsvhQQM=,iv:6pUVqz46wOauPyrWwwtA6IujviAMgY3UGvgZemqkQwQ=,tag:Ti3HDw8psfPN2+REZGmx4w==,type:str] + lastmodified: "2023-09-18T23:06:30Z" + mac: ENC[AES256_GCM,data:tpG03ndPvbIdNx/YnMLI9nxjhocApV06xqfCo/k1cAeNB6K43chePtEn2pAw49J65xoumIgT3AstRtX7iIEryAGV/wkafRVyU72SzrOXQwl/+FxXxEFqJctzctZ8Ievh1utwXOigSAuZNMVwgaEhXAAmKwPScTELC0JXUMM9HYw=,iv:v6jbcyVioLvAxeuXvtWvPKuwC1/Q0O46TF1DaJR6GYk=,tag:Vp8WwSjqH+KXsw9ANx8Q6w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/hosts/gerg-desktop/services/gitea.nix b/hosts/gerg-desktop/services/gitea.nix new file mode 100644 index 0000000..5124034 --- /dev/null +++ b/hosts/gerg-desktop/services/gitea.nix 
@@ -0,0 +1,34 @@
+_: {config, ...}: {
+ sops.secrets.sql_gitea = {
+ owner = config.services.gitea.user;
+ inherit (config.services.gitea) group;
+ };
+ users.users = {
+ ${config.services.gitea.user}.openssh.authorizedKeys.keys = [config.local.keys.gerg_gerg-desktop];
+ ${config.services.nginx.user}.extraGroups = [config.services.gitea.group];
+ };
+ services = {
+ gitea = {
+ enable = true;
+ stateDir = "/persist/services/gitea";
+ appName = "Powered by NixOS";
+ settings = {
+ server = {
+ DOMAIN = "git.gerg-l.com";
+ ROOT_URL = "https://git.gerg-l.com/";
+ LANDING_PAGE = "/explore/repos";
+ HTTP_ADDR = "/run/gitea/gitea.sock";
+ PROTOCOL = "http+unix";
+ UNIX_SOCKET_PERMISSION = "660";
+ };
+ ui.DEFAULT_THEME = "arc-green";
+ service.DISABLE_REGISTRATION = true;
+ };
+ database = {
+ type = "postgres";
+ passwordFile = config.sops.secrets.sql_gitea.path;
+ };
+ };
+ };
+ _file = ./gitea.nix;
+}
diff --git a/hosts/gerg-desktop/services/minecraft.nix b/hosts/gerg-desktop/services/minecraft.nix
new file mode 100644
index 0000000..75ce43c
--- /dev/null
+++ b/hosts/gerg-desktop/services/minecraft.nix
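Review bot: The `users.users.${config.services.gitea.user}.openssh.authorizedKeys.keys` entry gives the key in `config.local.keys.gerg_gerg-desktop` direct SSH login as the gitea service account, which is broader than git-over-SSH needs; gitea normally manages its own authorized_keys with a forced command, so this looks like it grants a shell on the service user rather than repository access. If the intent is only pushing over SSH, drop the line and register the key in gitea instead; if a shell as that user is genuinely wanted, a comment such as `# direct login as the gitea user for manual maintenance of stateDir` would stop the next reader from removing it. The `UNIX_SOCKET_PERMISSION = "660"` plus adding the nginx user to the gitea group is the right least-privilege shape for the socket and needs no change.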
@@ -0,0 +1,101 @@
+{self, ...}: {
+ pkgs,
+ lib,
+ ...
+}: {
+ # I manually switch this sometimes
+ config = lib.mkIf false {
+ networking.firewall.allowedTCPPorts = [25565];
+
+ system.stateVersion = "unstable";
+ users.users.minecraft = {
+ description = "Minecraft server service user";
+ home = "/persist/minecraft";
+ createHome = true;
+ isSystemUser = true;
+ group = "minecraft";
+ };
+ users.groups.minecraft = {};
+
+ systemd.sockets.minecraft-server = {
+ bindsTo = ["minecraft-server.service"];
+ socketConfig = {
+ ListenFIFO = "/run/minecraft-server.stdin";
+ SocketMode = "0660";
+ SocketUser = "minecraft";
+ SocketGroup = "minecraft";
+ RemoveOnStop = true;
+ FlushPending = true;
+ };
+ };
+
+ systemd.services.minecraft-server = {
+ enable = true;
+ description = "Minecraft Server Service";
+ wantedBy = ["multi-user.target"];
+ requires = ["minecraft-server.socket"];
+ after = ["network.target" "minecraft-server.socket"];
+ path = [self.packages.${pkgs.system}.papermc];
+ script = ''
+ minecraft-server \
+ -Xms8G \
+ -Xmx8G \
+ -XX:+UseG1GC \
+ -XX:+ParallelRefProcEnabled \
+ -XX:MaxGCPauseMillis=200 \
+ -XX:+UnlockExperimentalVMOptions \
+ -XX:+DisableExplicitGC \
+ -XX:+AlwaysPreTouch \
+ -XX:G1NewSizePercent=30 \
+ -XX:G1MaxNewSizePercent=40 \
+ -XX:G1HeapRegionSize=8M \
+ -XX:G1ReservePercent=20 \
+ -XX:G1HeapWastePercent=5 \
+ -XX:G1MixedGCCountTarget=4 \
+ -XX:InitiatingHeapOccupancyPercent=15 \
+ -XX:G1MixedGCLiveThresholdPercent=90 \
+ -XX:G1RSetUpdatingPauseTimePercent=5 \
+ -XX:SurvivorRatio=32 \
+ -XX:+PerfDisableSharedMem \
+ -XX:MaxTenuringThreshold=1 \
+ -Dusing.aikars.flags=https://mcflags.emc.gs-Daikars.new.flags=true \
+ '';
+
+ serviceConfig = {
+ Restart = "always";
+ User = "minecraft";
+ WorkingDirectory = "/minecraft";
+
+ StandardInput = "socket";
+ StandardOutput = "journal";
+ StandardError = "journal";
+
+ # Hardening
+ CapabilityBoundingSet = [""];
+ DeviceAllow = [""];
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ };
+ preStart = ''
+ echo "eula=true" > eula.txt
+ '';
+ };
+ };
+ _file = ./minecraft.nix;
+}
diff --git a/hosts/gerg-desktop/services/nextcloud.nix b/hosts/gerg-desktop/services/nextcloud.nix
new file mode 100644
index 0000000..8502e87
--- /dev/null
+++ b/hosts/gerg-desktop/services/nextcloud.nix
@@ -0,0 +1,40 @@
+_: {
+ pkgs,
+ config,
+ ...
+}: {
+ sops.secrets = {
+ sql_nextcloud = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ nextcloud = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ };
+ systemd.tmpfiles.rules = [
+ "d /persist/services/nextcloud - nextcloud nextcloud - -"
+ ];
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud27;
+ datadir = "/persist/services/nextcloud";
+ hostName = "next.gerg-l.com";
+ autoUpdateApps.enable = false;
+ enableBrokenCiphersForSSE = false;
+ config = {
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
+ dbpassFile = config.sops.secrets.sql_nextcloud.path;
+ adminpassFile = config.sops.secrets.sql_nextcloud.path;
+ adminuser = "admin-root";
+ defaultPhoneRegion = "US";
+ };
+ };
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+ _file = ./nextcloud.nix;
+}
diff --git a/hosts/gerg-desktop/nginx.nix b/hosts/gerg-desktop/services/nginx.nix
similarity index 56%
rename from hosts/gerg-desktop/nginx.nix
rename to hosts/gerg-desktop/services/nginx.nix
index 063e92e..b693230 100644
--- a/hosts/gerg-desktop/nginx.nix
+++ b/hosts/gerg-desktop/services/nginx.nix
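Review bot: `WorkingDirectory = "/minecraft"` in serviceConfig still names the old container bind-mount path while the user's `home` on the host is now `/persist/minecraft`; unless `/minecraft` exists on the host, the unit fails at start (systemd cannot chdir) and the `preStart` `echo "eula=true" > eula.txt` lands in the wrong place too, so change it to `WorkingDirectory = "/persist/minecraft";`. In the script, `-Dusing.aikars.flags=https://mcflags.emc.gs-Daikars.new.flags=true` lost the space the old ExecStart had between the URL and `-Daikars.new.flags=true`, so the second property is now part of the URL value; put it on its own `\` line. Both defects are hidden by the `lib.mkIf false` guard until the toggle is flipped. Moving out of the container also removes the container's filesystem isolation and the hardening list has no `ProtectSystem`, so `ProtectSystem = "strict"; ReadWritePaths = ["/persist/minecraft"];` would be the natural replacement.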
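Review bot: `adminpassFile = config.sops.secrets.sql_nextcloud.path;` points the Nextcloud admin password at the database password, so the two credentials are the same secret, and the separately declared `sops.secrets.nextcloud` (still present in secrets.yaml) is never read; the deleted container config used the nextcloud secret for this setting. Change it to `adminpassFile = config.sops.secrets.nextcloud.path;`. As far as I can tell adminpassFile is only consumed by the initial nextcloud-setup install, so if the instance has already been installed with this value the admin password also needs to be changed inside Nextcloud.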
@@ -3,17 +3,18 @@ _: {
 lib,
 ...
 }: {
- sops.secrets = lib.mapAttrs (_: v:
- {
- owner = "nginx";
- group = "nginx";
- }
- // v) {
- nixfu_ssl_cert = {};
- nixfu_ssl_key = {};
- gerg_ssl_key = {};
- gerg_ssl_cert = {};
- };
+ sops.secrets =
+ lib.genAttrs [
+ "nixfu_ssl_cert"
+ "nixfu_ssl_key"
+ "gerg_ssl_key"
+ "gerg_ssl_cert"
+ ]
+ (_: {
+ owner = config.services.nginx.user;
+ inherit (config.services.nginx) group;
+ });
+
 services.nginx = {
 enable = true;
 recommendedGzipSettings = true;
@@ -25,30 +26,29 @@ _: {
 forceSSL = true;
 sslCertificate = config.sops.secrets.nixfu_ssl_cert.path;
 sslCertificateKey = config.sops.secrets.nixfu_ssl_key.path;
- serverAliases = ["www.nix-fu.com" "nix-fu.com"];
- locations."/".return = "301 $scheme://www.github.com/Gerg-L$request_uri";
+ serverAliases = ["www.nix-fu.com"];
+ globalRedirect = "github.com/Gerg-L";
 };
- "search.Gerg-L.com" = {
+ "search.gerg-l.com" = {
 forceSSL = true;
 sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
 sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
- locations."/".proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
+ locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};";
+ extraConfig = "access_log off;";
 };
- "git.Gerg-L.com" = {
+ "git.gerg-l.com" = {
 forceSSL = true;
 sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
 sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
- locations."/".proxyPass = "http://192.168.1.11:3000";
+ locations."/".proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
 };
- "next.Gerg-L.com" = {
+ "next.gerg-l.com" = {
 forceSSL = true;
 sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
 sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
- locations."/".proxyPass = "http://192.168.1.11:80";
 };
 };
 };
- networking.firewall = {
- allowedTCPPorts = [80 443];
- };
+ networking.firewall.allowedTCPPorts = [80 443];
+ _file = ./nginx.nix;
 }
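Review bot: In the `"search.gerg-l.com"` vhost, `locations."/".extraConfig = "uwsgi_pass unix:...;"` has no `include uwsgi_params;` ahead of it, so nginx hands the request to the uwsgi socket without the CGI variables (REQUEST_METHOD, PATH_INFO, QUERY_STRING, …) a WSGI app needs; unless the searx uwsgi side supplies them some other way, requests will arrive incomplete. Prepend e.g. `include ${config.services.nginx.package}/conf/uwsgi_params;` inside that extraConfig, before the `uwsgi_pass`. The `"next.gerg-l.com"` vhost now carries only TLS settings and no location; that works only if the nextcloud module's own vhost for `services.nextcloud.hostName` merges into it, which appears to be the intent, so a one-line comment there would save the next reader the lookup. The enclosing module function starts before this hunk, and the first hunk's `config.services.nginx.user` relies on `config` being bound in that argument set.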
diff --git a/hosts/gerg-desktop/parrot.nix b/hosts/gerg-desktop/services/parrot.nix
similarity index 90%
rename from hosts/gerg-desktop/parrot.nix
rename to hosts/gerg-desktop/services/parrot.nix
index c0f4aa5..7743ec9 100644
--- a/hosts/gerg-desktop/parrot.nix
+++ b/hosts/gerg-desktop/services/parrot.nix
@@ -4,7 +4,7 @@ _: {
 lib,
 ...
 }: {
- #discord bot stuff
+ sops.secrets.discordenv = {};
 systemd.services.parrot = {
 enable = true;
 wantedBy = ["multi-user.target"];
@@ -17,6 +17,5 @@ _: {
 RestartSec = "30s";
 };
 };
- sops.secrets.discordenv = {};
- _file = ./sops.nix;
+ _file = ./parrot.nix;
 }
diff --git a/hosts/gerg-desktop/services/postgresql.nix b/hosts/gerg-desktop/services/postgresql.nix
new file mode 100644
index 0000000..5aac23a
--- /dev/null
+++ b/hosts/gerg-desktop/services/postgresql.nix
@@ -0,0 +1,24 @@
+_: {
+ config,
+ pkgs,
+ ...
+}: {
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_13;
+ dataDir = "/persist/services/postgresql";
+ ensureDatabases = [config.services.nextcloud.config.dbname];
+ ensureUsers = [
+ {
+ name = config.services.nextcloud.config.dbuser;
+ ensurePermissions."DATABASE ${config.services.nextcloud.config.dbname}" = "ALL PRIVILEGES";
+ }
+ {
+ name = config.services.gitea.database.user;
+
+ ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+ _file = ./postgresql.nix;
+}
diff --git a/hosts/gerg-desktop/searxng.nix b/hosts/gerg-desktop/services/searxng.nix
similarity index 52%
rename from hosts/gerg-desktop/searxng.nix
rename to hosts/gerg-desktop/services/searxng.nix
index ffa5e58..d6eaba6 100644
--- a/hosts/gerg-desktop/searxng.nix
+++ b/hosts/gerg-desktop/services/searxng.nix
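Review bot: The gitea `ensureUsers` entry grants `ALL PRIVILEGES` on `DATABASE ${config.services.gitea.database.name}`, but that database is not in this file's `ensureDatabases` (only the nextcloud one is), so the grant depends on the gitea module creating the database itself; it likely does so while `database.createDatabase` is left at its default, and in that case it also adds an equivalent ensureUsers entry, making this one redundant. Either add `config.services.gitea.database.name` to `ensureDatabases` or drop the entry, and say which in a comment. Separately, nextcloud.nix creates its datadir with an explicit tmpfiles rule while `dataDir = "/persist/services/postgresql"` here has none; confirm the postgresql module creates a non-default dataDir, or add `"d /persist/services/postgresql 0750 postgres postgres - -"` to `systemd.tmpfiles.rules` in this file. The stray blank line between `name` and `ensurePermissions` in the second entry is a style nit.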
@@ -3,16 +3,31 @@ _: {
 pkgs,
 ...
 }: {
- sops.secrets.searxngenv = {};
+ sops.secrets.searxngenv = {
+ owner = "searx";
+ group = "searx";
+ };
+ users.users.${config.services.nginx.user}.extraGroups = ["searx"];
 services.searx = {
 enable = true;
- runInUwsgi = false;
 package = pkgs.searxng;
+ #Later
+ /*
+ redisCreateLocally = true;
+ limiterSettings = {};
+ */
+ runInUwsgi = true;
+ uwsgiConfig = {
+ socket = "/run/searx/searx.sock";
+ chmod-socket = "660";
+ disable-logging = true;
+ };
 environmentFile = config.sops.secrets.searxngenv.path;
 settings = {
+ general.instance_name = "Gerg search";
 server = {
- port = 8765;
 secret_key = "@SEARXNG_SECRET@";
+ base_url = "https://search.gerg-l.com";
 };
 search.formats = [
 "html"
@@ -31,4 +46,5 @@ _: {
 ui.theme_args.simple_style = "dark";
 };
 };
+ _file = ./searxng.nix;
 }
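Review bot: The `/* redisCreateLocally = true; limiterSettings = {}; */` block under `#Later` is commented-out code that will rot silently; replace it with a tracked note such as `# TODO: enable redisCreateLocally and limiterSettings once the request limiter is configured`. The socket arrangement (`chmod-socket = "660"` plus the nginx user joining the `searx` group via `extraGroups`) only works if the uwsgi socket is created with group `searx`; that appears to be what the searx uwsgi vassal does, but it is not visible here, so a comment on the `extraGroups` line saying it pairs with `chmod-socket` would help. The enclosing module function starts before this hunk; `config` is taken from the argument set above it.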