-rw-r--r-- | hosts/ahmed/cloudflare-proxy/default.nix | 35 | ||||
-rw-r--r-- | hosts/ahmed/configuration.nix | 31 | ||||
-rw-r--r-- | hosts/ahmed/duksebot/default.nix | 27 | ||||
-rw-r--r-- | hosts/ahmed/forsvarsarper/default.nix | 11 | ||||
-rw-r--r-- | hosts/ahmed/git.linus.onl/default.nix | 43 | ||||
-rw-r--r-- | hosts/ahmed/hellohtml.linus.onl/default.nix | 23 | ||||
-rw-r--r-- | hosts/ahmed/linus.onl/default.nix | 19 | ||||
-rw-r--r-- | hosts/ahmed/nofitications.linus.onl/default.nix | 24 |
8 files changed, 56 insertions, 157 deletions
diff --git a/hosts/ahmed/cloudflare-proxy/default.nix b/hosts/ahmed/cloudflare-proxy/default.nix index 657722d..07489db 100644 --- a/hosts/ahmed/cloudflare-proxy/default.nix +++ b/hosts/ahmed/cloudflare-proxy/default.nix @@ -1,15 +1,13 @@ # This module adds some extra configuration useful when running behid a Cloudflare Proxy. -# +# Mainly, it blocks all incomming conncections on relevant ports that aren't +# coming from an official CloudFlare domain. { config, lib, pkgs, + metadata, ... }: let - inherit (lib.options) mkEnableOption mkOption; - inherit (lib.modules) mkIf; - inherit (lib.types) listOf nonEmptyStr port; - # TODO: What happens when these get out of date??? Huh??? You little pissbaby fileToList = x: lib.strings.splitString "\n" (builtins.readFile x); cfipv4 = fileToList (pkgs.fetchurl { @@ -21,27 +19,10 @@ hash = "sha256-np054+g7rQDE3sr9U8Y/piAp89ldto3pN9K+KCNMoKk="; }); - cfg = config.modules.cloudflare-proxy; + IPv4Whitelist = []; + IPv6Whitelist = [metadata.hosts.muhammed.ipAddress]; in { - options.modules.cloudflare-proxy = { - enable = mkEnableOption "Cloudflare proxy IP extraction for NGINX"; - - firewall = { - IPv4Whitelist = mkOption { - description = "List of IPv4 addresses (or ranges) added to the whitelist."; - type = listOf nonEmptyStr; - default = []; - }; - - IPv6Whitelist = mkOption { - description = "List of IPv6 addresses (or ranges) added to the whitelist."; - type = listOf nonEmptyStr; - default = []; - }; - }; - }; - - config = mkIf cfg.enable { + config = { # Teach NGINX how to extract the proxied IP from proxied requests. # # See: https://nixos.wiki/wiki/Nginx#Using_realIP_when_behind_CloudFlare_or_other_CDN 
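Review bot: The whitelisted host moves from the IPv4 list to the IPv6 list: the new `IPv6Whitelist = [metadata.hosts.muhammed.ipAddress];` is what `allow-ip "ip6tables"` consumes, whereas the line removed from configuration.nix in the `@@ -104,12 +83,6 @@` hunk (`firewall.IPv4Whitelist = [metadata.hosts.muhammed.ipAddress];`) fed the same address to the iptables rule. If that address is an IPv4 address, as its old placement implied, it is no longer allowed through the Cloudflare-only filter and the ip6tables rule receives an argument of the wrong family; the two bindings look swapped and should read `IPv4Whitelist = [metadata.hosts.muhammed.ipAddress];` and `IPv6Whitelist = [];`. With `mkIf cfg.enable` gone the firewall rules now apply whenever this file is imported, which may be intended but is no longer visible from configuration.nix. The `config` attrset continues past the end of the hunk.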
@@ -76,8 +57,8 @@ in { ${allow-interface config.networking.firewall.trustedInterfaces} # Allow local whitelisted IPs through - ${allow-ip "iptables" cfg.firewall.IPv4Whitelist} - ${allow-ip "ip6tables" cfg.firewall.IPv6Whitelist} + ${allow-ip "iptables" IPv4Whitelist} + ${allow-ip "ip6tables" IPv6Whitelist} # Allow Cloudflare's IP ranges through. ${allow-ip "iptables" cfipv4} diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix index 43a170c..27c35eb 100644 --- a/hosts/ahmed/configuration.nix +++ b/hosts/ahmed/configuration.nix @@ -3,7 +3,6 @@ { config, pkgs, - metadata, ... }: { imports = [ @@ -57,31 +56,11 @@ }; services.cloudflare-dyndns.domains = ["minecraft.linus.onl"]; - # Set up dukse server. Det er satme hårdt at være overduksepåmindelsesansvarlig. - services.duksebot.enable = true; - # Virtual hosts. + # Each module for a HTTP service will register a virtual host. services.nginx.enable = true; - modules."linus.onl" = { - enable = true; - useACME = true; - }; - modules."notifications.linus.onl" = { - enable = true; - useACME = true; - }; - modules."git.linus.onl" = { - enable = true; - useACME = true; - }; - modules."hellohtml.linus.onl" = { - enable = true; - useACME = true; - }; - - services.forsvarsarper.enable = true; - # Configure ACME for various HTTPS services. + # Configure ACME. This is used by various HTTP services through the NGINX virtual hosts. security.acme = { acceptTerms = true; defaults.email = "linusvejlo+${config.networking.hostName}[email protected]"; @@ -104,12 +83,6 @@ # Listen for HTTP connections. networking.firewall.allowedTCPPorts = [80 443]; - # We are running behind CF proxy. - modules.cloudflare-proxy = { - enable = true; - firewall.IPv4Whitelist = [metadata.hosts.muhammed.ipAddress]; - }; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It's perfectly fine and recommended to leave 
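Review bot: After the `modules.cloudflare-proxy` block is dropped, `networking.firewall.allowedTCPPorts = [80 443];` reads as opening both ports to everyone, and nothing left in this file says that the cloudflare-proxy module still narrows them. That module now applies unconditionally, so whether the restriction is in effect depends on the `imports` list, which this hunk does not show; a comment on the line above such as `# 80/443 are further restricted to Cloudflare's ranges and the whitelist by ./cloudflare-proxy; make sure it stays imported.` would make the dependency explicit. The same applies to the duksebot and forsvarsarper services removed in the `@@ -57,31 +56,11 @@` hunk, which now run whenever their module files are imported.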
diff --git a/hosts/ahmed/duksebot/default.nix b/hosts/ahmed/duksebot/default.nix index 4c10cd8..f15b0ff 100644 --- a/hosts/ahmed/duksebot/default.nix +++ b/hosts/ahmed/duksebot/default.nix @@ -1,27 +1,16 @@ -# This module defines an on-demand minecraft server service which turns off the -# server when it's not being used. +# This module defines systemd unit which runs a script that sends Discrord +# messages. I use it to notify my classmates about who's on cleaning duty. You +# are probably not interested in this. + { config, - lib, pkgs, - modulesPath, ... }: let - inherit (lib) mkIf mkOption mkEnableOption types; - - cfg = config.services.duksebot; + # What script to run. + package = pkgs.duksebot; in { - options.services.duksebot = { - enable = mkEnableOption "duksebot daily reminder"; - - package = mkOption { - description = "What package to use"; - default = pkgs.duksebot; - type = types.package; - }; - }; - - config = mkIf cfg.enable { + config = { # Create a user to run the server under. users.users.duksebot = { description = "Runs daily dukse reminder"; @@ -53,7 +42,7 @@ in { # Load the secret environment variables. export $(grep -v '^#' ${config.age.secrets.duksebot-env.path} | xargs) # Kick off. - exec "${cfg.package}"/bin/duksebot + exec "${package}"/bin/duksebot ''; }; diff --git a/hosts/ahmed/forsvarsarper/default.nix b/hosts/ahmed/forsvarsarper/default.nix index 7052f04..c1c6163 100644 --- a/hosts/ahmed/forsvarsarper/default.nix +++ b/hosts/ahmed/forsvarsarper/default.nix @@ -2,17 +2,10 @@ # server when it's not being used. { config, - lib, pkgs, ... -}: let - inherit (lib) mkIf mkEnableOption; - - cfg = config.services.forsvarsarper; -in { - options.services.forsvarsarper.enable = mkEnableOption "daily scan for tests"; - - config = mkIf cfg.enable { +}:{ + config = { # Create a user to run the server under. users.users.forsvarsarper = { description = "Runs daily scan for tests"; 
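Review bot: In forsvarsarper/default.nix the header comment `# server when it's not being used.` is still the tail of the on-demand minecraft description that the duksebot hunk on this page replaces, while this module is a daily scan for tests according to the removed `mkEnableOption "daily scan for tests"` and the `description = "Runs daily scan for tests"` context line. The comment's first line sits outside the hunk, so the fix touches line 1 as well; something like `# This module defines a systemd unit that runs a daily scan for tests.` would match the new duksebot header. As with the other modules in this commit, `config = {` is now unconditional, so the service runs whenever the file is imported.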
diff --git a/hosts/ahmed/git.linus.onl/default.nix b/hosts/ahmed/git.linus.onl/default.nix index 88e4f6f..46c74e9 100644 --- a/hosts/ahmed/git.linus.onl/default.nix +++ b/hosts/ahmed/git.linus.onl/default.nix @@ -1,30 +1,18 @@ { - lib, config, pkgs, - options, metadata, ... }: let - inherit (lib) mkEnableOption mkOption types mkIf; - git-shell = "${pkgs.gitMinimal}/bin/git-shell"; - cfg = config.modules."git.linus.onl"; -in { - options.modules."git.linus.onl" = { - enable = mkEnableOption "git.linus.onl static site"; - - useACME = mkEnableOption "built-in HTTPS stuff"; + # Enables HTTPS stuff. + useACME = true; - location = mkOption { - description = "Where repositories will be stored."; - type = types.path; - default = "/srv/git"; - }; - }; - - config = mkIf cfg.enable { + # Where repositories will be stored. + location = "/srv/git"; +in { + config = { # Create a user which # See: https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server users.users.git = { @@ -33,7 +21,7 @@ in { group = "git"; # FIXME: Is serving the home-directory of a user (indirectly through CGit) a bad idea? - home = cfg.location; + home = location; createHome = false; # Restrict this user to Git-related activities. 
@@ -54,18 +42,19 @@ in { environment.shells = [git-shell]; # Create repo directory. It must be readable to NGINX. + # NOTE: If location != "/srv/git" you may want to change this! # See: https://git.zx2c4.com/cgit/about/faq#why-doesnt-cgit-findshow-my-repo - system.activationScripts.create-cgit-scan-path = mkIf (cfg.location == options.modules."git.linus.onl".location.default) '' - mkdir -p ${cfg.location} - chown ${toString config.users.users.git.name} ${cfg.location} - chgrp ${toString config.users.groups.git.name} ${cfg.location} - chmod 755 ${cfg.location} + system.activationScripts.create-cgit-scan-path = '' + mkdir -p ${location} + chown ${toString config.users.users.git.name} ${location} + chgrp ${toString config.users.groups.git.name} ${location} + chmod 755 ${location} ''; # Public git viewer. services.cgit."git.linus.onl" = { enable = true; - scanPath = cfg.location; + scanPath = location; settings = { root-title = "Linus' public projects"; root-desc = "hello yes this is the git server"; @@ -88,8 +77,8 @@ in { # The CGit service creates the virtual host, but it does not enable ACME. services.nginx.virtualHosts."git.linus.onl" = { - enableACME = cfg.useACME; - forceSSL = cfg.useACME; + enableACME = useACME; + forceSSL = useACME; }; }; } diff --git a/hosts/ahmed/hellohtml.linus.onl/default.nix b/hosts/ahmed/hellohtml.linus.onl/default.nix index feb56ba..2d09788 100644 --- a/hosts/ahmed/hellohtml.linus.onl/default.nix +++ b/hosts/ahmed/hellohtml.linus.onl/default.nix 
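Review bot: The new `# NOTE: If location != "/srv/git" you may want to change this!` does not say what "this" is: with `location` a plain let binding the activation script already follows it, so the remaining caveat is the one the surrounding comment and the cgit FAQ link describe, that NGINX must be able to read the directory. Suggest `# NOTE: NGINX/cgit must be able to read this directory; if you change 'location', make sure the new path is readable by them as well.` Dropping the old `mkIf (cfg.location == default)` guard is safe because the path is now fixed; the script body itself is unchanged.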
@@ -1,19 +1,10 @@ -{ - lib, - config, - ... -}: let - inherit (lib) mkEnableOption mkIf; +# This module defines the HelloHTML web server. It extends the NGINX config +# with a virtual server that proxies the local HelloHTML service. - cfg = config.modules."hellohtml.linus.onl"; +{ ... }: let + useACME = true; in { - options.modules."hellohtml.linus.onl" = { - enable = mkEnableOption "hellohtml.linus.onl site"; - - useACME = mkEnableOption "built-in HTTPS stuff"; - }; - - config = mkIf cfg.enable { + config = { # Start service listening on socket /tmp/hellohtml.sock services.hellohtml = { enable = true; @@ -24,8 +15,8 @@ in { # Use NGINX as reverse proxy. services.nginx.virtualHosts."hellohtml.linus.onl" = { - enableACME = cfg.useACME; - forceSSL = cfg.useACME; + enableACME = useACME; + forceSSL = useACME; locations."/" = rec { proxyPass = "http://localhost:8538"; # Disable settings that might mess with the text/event-stream response of the /listen/:id endpoint. diff --git a/hosts/ahmed/linus.onl/default.nix b/hosts/ahmed/linus.onl/default.nix index 52703fe..c31eb73 100644 --- a/hosts/ahmed/linus.onl/default.nix +++ b/hosts/ahmed/linus.onl/default.nix @@ -1,22 +1,15 @@ { pkgs, lib, - config, ... }: let - inherit (lib) mkEnableOption mkOption types mkIf optional; - + # The domain to serve. Also kinda embedded in the name of the module?? domain = "linus.onl"; - cfg = config.modules."${domain}"; + # Enable HTTPS stuff. + useACME = true; in { - options.modules."${domain}" = { - enable = mkEnableOption "${domain} static site"; - - useACME = mkEnableOption "built-in HTTPS stuff"; - }; - - config = mkIf cfg.enable { + config = { # Create a user to run the build script under. users.users."${domain}-builder" = { description = "builds ${domain}"; 
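Review bot: In hellohtml.linus.onl the new `useACME = true;` keeps the indirection of the removed option, but its comment (`# Enable HTTPS stuff.`) does not say what it toggles; its only readers are `enableACME` and `forceSSL` on the virtual host. A comment naming the effect, e.g. `# Request an ACME certificate for the host and redirect plain HTTP to HTTPS (enableACME / forceSSL).`, would make the toggle self-explanatory; the same applies to linus.onl (`@@ -1,22 +1,15 @@`) and notifications.linus.onl (`@@ -1,19 +1,9 @@`) on this page, and git.linus.onl carries the equivalent `# Enables HTTPS stuff.`. Alternatively, since nothing sets these to anything but true any more, the binding could be dropped and `true` written at the two use sites.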
@@ -91,8 +84,8 @@ in { services.nginx = { virtualHosts."${domain}" = { # NOTE: 'forceSSL' will cause an infite loop, if the cloudflare proxy does NOT connect over HTTPS. - enableACME = cfg.useACME; - forceSSL = cfg.useACME; + enableACME = useACME; + forceSSL = useACME; root = "/var/www/${domain}"; }; }; diff --git a/hosts/ahmed/nofitications.linus.onl/default.nix b/hosts/ahmed/nofitications.linus.onl/default.nix index c050ef4..f3ab04f 100644 --- a/hosts/ahmed/nofitications.linus.onl/default.nix +++ b/hosts/ahmed/nofitications.linus.onl/default.nix @@ -1,19 +1,9 @@ -{ - lib, - config, - ... -}: let - inherit (lib) mkEnableOption mkIf; - - cfg = config.modules."notifications.linus.onl"; +{ ... }: let + # Enable HTTPS stuff. + useACME = true; in { - options.modules."notifications.linus.onl" = { - enable = mkEnableOption "notifications.linus.onl static site"; - - useACME = mkEnableOption "built-in HTTPS stuff"; - }; - - config = mkIf cfg.enable { + config = { + # Start the proxied service. services.push-notification-api = { enable = true; }; @@ -23,8 +13,8 @@ in { # Use NGINX as reverse proxy. services.nginx.virtualHosts."notifications.linus.onl" = { - enableACME = cfg.useACME; - forceSSL = cfg.useACME; + enableACME = useACME; + forceSSL = useACME; locations."/" = { recommendedProxySettings = true; proxyPass = "http://unix:/run/push-notification-api.sock"; |
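Review bot: The module directory is `hosts/ahmed/nofitications.linus.onl/` while every name inside it (`services.nginx.virtualHosts."notifications.linus.onl"`, the removed `options.modules."notifications.linus.onl"`) spells `notifications`; the commit rewrites the file without renaming the directory. This is not a functional problem as long as the `imports` entry (outside this diff) uses the misspelt path, but a rename would keep the convention the other `<hostname>/default.nix` modules follow of matching the served hostname. The `config` attrset continues past the end of the `@@ -1,19 +1,9 @@` hunk.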