diff --git a/infra/README.org b/infra/README.org
index d7c5ffc..a03701b 100644
--- a/infra/README.org
+++ b/infra/README.org
@@ -24,3 +24,4 @@ infrastructure.
 | vm02116 | Forgejo | /none/ |
 | vm02179 | Forgejo actions runner | actions-runners |
 | vm02186 | Forgejo actions runner | actions-runners |
+| vm02187 | Wiki | /none/ |
diff --git a/wiki/configuration.nix b/infra/vm02187/configuration.nix
similarity index 85%
rename from wiki/configuration.nix
rename to infra/vm02187/configuration.nix
index ffdcce6..0c5a6d2 100644
--- a/wiki/configuration.nix
+++ b/infra/vm02187/configuration.nix
@@ -1,15 +1,14 @@
-
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware-configuration.nix
- ];
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
@@ -22,7 +21,7 @@
 services.mediawiki = {
 enable = true;
- name = "Fediversity Wiki";
+ name = "Fediversity Wiki";
 webserver = "nginx";
 nginx.hostName = "wiki.fediversity.eu";
 passwordFile = pkgs.writeText "password" "eiM9etha8ohmo9Ohphahpesiux0ahda6";
@@ -35,7 +34,7 @@
 $wgMaxShellMemory = 524288;
 $wgSVGMetadataCutoff = 1024*1024;
 $wgAllowExternalImages = false;
-
+
 ## Permissions
 $wgGroupPermissions['*']['edit'] = false;
 $wgGroupPermissions['*']['createaccount'] = false;
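Review bot: The `passwordFile = pkgs.writeText "password" "…"` context line in the `@@ -22,7 +21,7 @@` hunk embeds the MediaWiki admin password as a literal in a file that is now committed under infra/, and `pkgs.writeText` copies it into the Nix store, which every local user can read; the `basicAuth = { fediv = "…"; }` lines reformatted at `@@ -48,21 +47,23 @@` carry a second plaintext credential. Neither value changes in this commit, but the move into the shared infra tree widens who sees them. Reference a secret deployed outside the store instead, e.g. `passwordFile = "/run/secrets/mediawiki-admin";` (placeholder path) and `basicAuthFile` in place of the inline `basicAuth` attribute set. Both values remain in git history after such a change, so treat them as exposed and rotate them.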
@@ -48,21 +47,23 @@
 # 1 GB ought to be enough for everyone
 $wgUploadSizeWarning = 1024*1024*512;
 $wgMaxUploadSize = 1024*1024*1024;
-
+
 $wgHeadScriptCode = <<<'END'
 END;
- '';
+ '';
- extensions = {
- VisualEditor = null;
- };
+ extensions = {
+ VisualEditor = null;
+ };
 };
 services.nginx = {
 enable = true;
 virtualHosts."wiki.fediversity.eu" = {
- basicAuth = { fediv = "SecretSauce123!"; };
+ basicAuth = {
+ fediv = "SecretSauce123!";
+ };
 forceSSL = true;
 enableACME = true;
 };
@@ -75,7 +76,7 @@
 users.users.nginx.extraGroups = [ "acme" ];
- networking = {
+ networking = {
 hostName = "vm02187";
 domain = "procolix.com";
 interfaces = {
@@ -106,15 +107,18 @@
 address = "2a00:51c0:12:1201::1";
 interface = "eth0";
 };
- nameservers = [ "95.215.185.6" "95.215.185.7" ];
+ nameservers = [
+ "95.215.185.6"
+ "95.215.185.7"
+ ];
 firewall.enable = false;
 nftables = {
 enable = true;
 ruleset = ''
 #!/usr/sbin/nft -f
-
+
 flush ruleset
-
+
 ########### define usefull variables here #####################
 define wan = eth0
 define ssh_allow = {
@@ -131,21 +135,21 @@
 define nrpe_allow = {
 95.215.185.34/32, # nagios2 ipv4
 }
-
+
 ########### here starts the automated bit #####################
 table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;
-
+
 # established/related connections
 ct state established,related accept
 ct state invalid drop
-
+
 # Limit ping requests.
 ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
 ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
-
+
 # loopback interface
 iifname lo accept
@@ -153,16 +157,16 @@
 ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
 # Without the nd-* ones ipv6 will not work.
 ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
-
+
 # open tcp ports: sshd (22)
 ip saddr $ssh_allow tcp dport {ssh} accept
-
+
 # open tcp ports: snmp (161)
 ip saddr $snmp_allow udp dport {snmp} accept
-
+
 # open tcp ports: nrpe (5666)
 ip saddr $nrpe_allow tcp dport {nrpe} accept
-
+
 # open tcp ports: http (80,443)
 tcp dport {http,https} accept
 }
@@ -173,7 +177,7 @@
 type filter hook output priority 0;
 }
 }
-
+
 table ip nat {
 chain postrouting {
 }
@@ -184,7 +188,6 @@
 };
 };
-
 # Set your time zone.
 time.timeZone = "Europe/Amsterdam";
@@ -199,11 +202,10 @@
 extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 hashedPassword = "$y$j9T$UH8Dh/poTCCZ3PXk43au6/$iYen8VUEVvv7SIPqteNtTPKktLxny3TbqvjUwhvi.6B";
 openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
- "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
- ];
- packages = with pkgs; [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
 ];
+ packages = with pkgs; [ ];
 };
 # List packages installed in system profile. To search, run:
@@ -245,4 +247,3 @@
 system.stateVersion = "24.05"; # Did you read the comment?
 }
-
diff --git a/wiki/hardware-configuration.nix b/infra/vm02187/hardware-configuration.nix
similarity index 63%
rename from wiki/hardware-configuration.nix
rename to infra/vm02187/hardware-configuration.nix
index d18784a..79f182e 100644
--- a/wiki/hardware-configuration.nix
+++ b/infra/vm02187/hardware-configuration.nix
@@ -1,28 +1,36 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, modulesPath, ... }:
 {
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
 boot.initrd.kernelModules = [ "dm-snapshot" ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/6AB5-4FA8";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/6AB5-4FA8";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
 swapDevices = [ ];