diff --git a/infra/README.org b/infra/README.org
index 2998682..d7c5ffc 100644
--- a/infra/README.org
+++ b/infra/README.org
@@ -21,5 +21,6 @@ infrastructure.
 | Machine | Description | Deployment |
 |---------+------------------------+-----------------|
+| vm02116 | Forgejo | /none/ |
 | vm02179 | Forgejo actions runner | actions-runners |
 | vm02186 | Forgejo actions runner | actions-runners |
diff --git a/forgejo/configuration.nix b/infra/vm02116/configuration.nix
similarity index 93%
rename from forgejo/configuration.nix
rename to infra/vm02116/configuration.nix
index 9158f3c..061919c 100644
--- a/forgejo/configuration.nix
+++ b/infra/vm02116/configuration.nix
@@ -2,15 +2,15 @@
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-{ config, lib, pkgs, ... }:
+{ pkgs, ... }:
 {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware-configuration.nix
- # This will install and configure Forgejo
- ./forgejo.nix
- ];
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ # This will install and configure Forgejo
+ ./forgejo.nix
+ ];
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
@@ -22,7 +22,7 @@
 # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
 # Networking
- networking = {
+ networking = {
 hostName = "vm02116";
 domain = "procolix.com";
 interfaces = {
@@ -53,15 +53,18 @@
 address = "2a00:51c0:12:1201::1";
 interface = "eth0";
 };
- nameservers = [ "2a00:51c0::5fd7:b906" "95.215.185.7" ];
+ nameservers = [
+ "2a00:51c0::5fd7:b906"
+ "95.215.185.7"
+ ];
 firewall.enable = false;
 nftables = {
 enable = true;
 ruleset = ''
 #!/usr/sbin/nft -f
-
+
 flush ruleset
-
+
 ########### define usefull variables here #####################
 define wan = eth0
 define ssh_allow = {
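Review bot: Narrowing the module arguments to `{ pkgs, ... }:` in the `@@ -2,15 +2,15 @@` hunk of infra/vm02116/configuration.nix is only safe if no later line of the file references `config` or `lib`; the other hunks of this file in the diff use `pkgs` alone, but most of the file lies outside them, so the rename should be gated on an evaluation of this host's configuration (for example `nixos-rebuild build`) rather than on review alone. The same argument trimming is done in forgejo.nix (`@@ -1,4 +1,4 @@`) and hardware-configuration.nix (`@@ -1,25 +1,30 @@`), where the remainder of each file is likewise not shown. Since the README row added for vm02116 records its deployment as `/none/`, a one-line header comment such as `# vm02116: Forgejo host (see infra/README.org for deployment status)` would serve the next maintainer better than the template text at the top of the file. The enclosing attribute set continues past the end of the hunk.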
@@ -77,21 +80,21 @@
 define nrpe_allow = {
 95.215.185.34/32, # nagios2 ipv4
 }
-
+
 ########### here starts the automated bit #####################
 table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;
-
+
 # established/related connections
 ct state established,related accept
 ct state invalid drop
-
+
 # Limit ping requests.
 ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
 ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
-
+
 # loopback interface
 iifname lo accept
@@ -99,17 +102,17 @@
 ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
 # Without the nd-* ones ipv6 will not work.
 ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
-
+
 # open tcp ports: sshd (22)
 #ip saddr $ssh_allow tcp dport {ssh} accept
 tcp dport {ssh} accept
-
+
 # open tcp ports: snmp (161)
 ip saddr $snmp_allow udp dport {snmp} accept
-
+
 # open tcp ports: nrpe (5666)
 ip saddr $nrpe_allow tcp dport {nrpe} accept
-
+
 # open tcp ports: http (80,443)
 tcp dport {http,https} accept
 }
@@ -120,7 +123,7 @@
 type filter hook output priority 0;
 }
 }
-
+
 table ip nat {
 chain postrouting {
 }
@@ -131,7 +134,6 @@
 };
 };
-
 # Set your time zone.
 time.timeZone = "Europe/Amsterdam";
@@ -150,9 +152,6 @@
 # Enable the X11 windowing system.
 # services.xserver.enable = true;
-
-
-
 # Configure keymap in X11
 # services.xserver.xkb.layout = "us";
 # services.xserver.xkb.options = "eurosign:e,caps:escape";
@@ -175,7 +174,7 @@
 openssh.authorizedKeys.keys = [
 "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
 "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
- ];
+ ];
 };
 };
@@ -183,9 +182,9 @@
 # $ nix search wget
 environment.systemPackages = with pkgs; [
 (pkgs.vim_configurable.customize {
- name = "vim";
- vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
- start = [ vim-nix ]; # load plugin on startup
+ name = "vim";
+ vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
+ start = [ vim-nix ]; # load plugin on startup
 };
 vimrcConfig.customRC = ''
 " your custom vimrc
@@ -196,7 +195,8 @@
 " ...
 '';
 })
- wget subversion
+ wget
+ subversion
 ];
 # Some programs need SUID wrappers, can be configured further or are
@@ -244,7 +244,6 @@
 # and migrated your data accordingly.
 #
 # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "24.05";
+ system.stateVersion = "24.05";
 }
-
diff --git a/forgejo/forgejo.nix b/infra/vm02116/forgejo.nix
similarity index 97%
rename from forgejo/forgejo.nix
rename to infra/vm02116/forgejo.nix
index 3b54301..32c3381 100644
--- a/forgejo/forgejo.nix
+++ b/infra/vm02116/forgejo.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ pkgs, ... }:
 let
 domain = "git.fediversity.eu";
 in
@@ -32,7 +32,7 @@ in
 };
 users.groups.keys.members = [ "forgejo" ];
-
+
 services.mysql = {
 enable = true;
 package = pkgs.mariadb;
@@ -61,7 +61,7 @@ in
 clientMaxBodySize = "500m";
 appendHttpConfig = ''
-
+
 map $uri $forgejo_access_log {
 default 1;
 /api/actions/runner.v1.RunnerService/FetchTask 0;
@@ -73,12 +73,12 @@ in
 https "max-age=31536000; includeSubdomains; always";
 }
 add_header Strict-Transport-Security $hsts_header;
- '';
+ '';
 virtualHosts.${domain} = {
 listenAddresses = [
 "185.206.232.34"
 "[2a00:51c0:12:1201::20]"
- ];
+ ];
 enableACME = true;
 forceSSL = true;
 locations."/" = {
@@ -91,4 +91,3 @@ in
 };
 };
 }
-
diff --git a/forgejo/hardware-configuration.nix b/infra/vm02116/hardware-configuration.nix
similarity index 70%
rename from forgejo/hardware-configuration.nix
rename to infra/vm02116/hardware-configuration.nix
index b6f60e3..82d1356 100644
--- a/forgejo/hardware-configuration.nix
+++ b/infra/vm02116/hardware-configuration.nix
@@ -1,25 +1,30 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:
 {
 imports = [ ];
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sr_mod" "xen_blkfront" ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "sr_mod"
+ "xen_blkfront"
+ ];
 boot.initrd.kernelModules = [ "dm-snapshot" ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/2CE2-1173";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/2CE2-1173";
+ fsType = "vfat";
+ };
 swapDevices = [ ];
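Review bot: The header kept on the first three context lines still says this file was generated by nixos-generate-config and may be overwritten, yet the hunk hand-edits it (argument set reduced to `{ lib, ... }:`, the module list and both `fileSystems` attribute sets reformatted), so the next run of the generator would silently revert the formatting and restore the original arguments. Either drop that header and treat infra/vm02116/hardware-configuration.nix as hand-maintained, or leave the generated form untouched and confine the reformatting to the hand-written modules. Dropping `config`, `pkgs` and `modulesPath` is consistent with `imports = [ ];` in the hunk, but whether `lib` is the only name still needed depends on the lines after `swapDevices = [ ];`, which this hunk does not show.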