diff --git a/README.md b/README.md index 71ce7496..88f19fd2 100644 --- a/README.md +++ b/README.md @@ -24,10 +24,6 @@ details as to what they are for. As an overview: - [`secrets/`](./secrets) contains the secrets that need to get injected into machine configurations. -- [`server/`](./server) contains the configuration of the VM hosting the - website. This should be integrated into `infra/` shortly in the future, as - tracked in https://git.fediversity.eu/Fediversity/Fediversity/issues/31. - - [`services/`](./services) contains our effort to make Fediverse applications work seemlessly together in our specific setting. diff --git a/infra/README.org b/infra/README.org index 80cbd011..6633ea03 100644 --- a/infra/README.org +++ b/infra/README.org @@ -29,6 +29,7 @@ infrastructure. | Machine | Proxmox | Description | Deployment | |---------+-------------+------------------------+------------| | vm02116 | Procolix | Forgejo | ~git~ | +| vm02117 | Procolix | /unused/ | ~other~ | | vm02179 | Procolix | /unused/ | ~other~ | | vm02186 | Procolix | /unused/ | ~other~ | | vm02187 | Procolix | Wiki | ~web~ | diff --git a/infra/flake-part.nix b/infra/flake-part.nix index cf99d619..ac319753 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -77,6 +77,24 @@ providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local; resources = { + vm02117 = { + type = providers.local.exec; + imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; + ssh = { + host = "185.206.232.106"; + opts = ""; + hostPublicKey = self.keys.systems.vm02117; + }; + nixpkgs = inputs.nixpkgs; + nixos.module = { + imports = [ + ./vm02117 + self.nixosModules.ageSecrets + { fediversity.hostPublicKey = self.keys.systems.vm02117; } + ]; + }; + }; + vm02179 = { type = providers.local.exec; imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; diff --git a/infra/vm02117/default.nix b/infra/vm02117/default.nix new file mode 100644 index 00000000..7096fcd7 --- /dev/null +++ b/infra/vm02117/default.nix @@ -0,0 +1,27 @@ +{ + imports = [ + ../common + ]; + + procolix.vm = { + name = "vm02117"; + ip4 = "185.206.232.106"; + ip6 = "2a00:51c0:12:1201::106"; + }; + + ## vm02117 is running on old hardware based on a Xen VM environment, so it + ## needs these extra options. Once the VM gets moved to a newer node, these + ## two options can safely be removed. + boot.initrd.availableKernelModules = [ "xen_blkfront" ]; + services.xe-guest-utilities.enable = true; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/5aa392a8-c9ba-4181-976f-b3b30db350a1"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/FC6D-610F"; + fsType = "vfat"; + }; +} diff --git a/keys/systems/vm02117.pub b/keys/systems/vm02117.pub new file mode 100644 index 00000000..fa671552 --- /dev/null +++ b/keys/systems/vm02117.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrmZ9eMPLDSiayphFhPi7vry5P2VlEr7BvIjtnpN7Td diff --git a/server/README.md b/server/README.md deleted file mode 100644 index 8b544140..00000000 --- a/server/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# fediversity.eu webserver - -This directory contains the configuration for the server hosting https://fediversity.eu - -Build the configuration: - -```bash -nix-build -A machine -``` - -Deploy via SSH: - -```bash -env SSH_OPTS="..." nix-shell --run deploy-webserver -``` diff --git a/server/configuration.nix b/server/configuration.nix deleted file mode 100644 index 0ffa90ca..00000000 --- a/server/configuration.nix +++ /dev/null @@ -1,275 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -{ - imports = - [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - services.nginx.enable = true; - services.nginx.virtualHosts."www.oid.foundation" = { - useACMEHost = "oid.foundation"; - forceSSL = true; - globalRedirect = "oid.foundation"; - }; - services.nginx.virtualHosts."oid.foundation" = { - enableACME = true; - forceSSL = true; - root = "/var/www/oid.foundation"; - - }; - services.nginx.virtualHosts."fediversity.eu" = { - useACMEHost = "www.fediversity.eu"; - forceSSL = true; - globalRedirect = "www.fediversity.eu"; - locations."/.well-known/matrix/client" = { - extraConfig = '' - return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}'; - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; - add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; - ''; - }; - locations."/.well-known/matrix/server" = { - extraConfig = '' - return 200 '{"m.server": "matrix.fediversity.eu:443"}'; - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; - add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; - ''; - }; - }; - services.nginx.virtualHosts."www.fediversity.eu" = { - enableACME = true; - forceSSL = true; - root = "${(import ../website { }).build}"; - locations."/.well-known/matrix/client" = { - extraConfig = '' - return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}'; - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; - add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; - ''; - }; - locations."/.well-known/matrix/server" = { - extraConfig = '' - return 200 '{"m.server": "matrix.fediversity.eu:443"}'; - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; - add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; - ''; - }; - }; - security.acme = { - acceptTerms = true; - defaults.email = "beheer@procolix.com"; - certs."www.fediversity.eu".extraDomainNames = [ "fediversity.eu" ]; - certs."oid.foundation".extraDomainNames = [ "www.oid.foundation" ]; - }; - - networking = { - hostName = "vm02117"; - domain = "procolix.com"; - interfaces = { - eth0 = { - ipv4 = { - addresses = [ - { - address = "185.206.232.106"; - prefixLength = 24; - } - ]; - }; - ipv6 = { - addresses = [ - { - address = "2a00:51c0:12:1201::106"; - prefixLength = 64; - } - ]; - }; - }; - }; - defaultGateway = { - address = "185.206.232.1"; - interface = "eth0"; - }; - defaultGateway6 = { - address = "2a00:51c0:12:1201::1"; - interface = "eth0"; - }; - nameservers = [ "95.215.185.6" "95.215.185.7" ]; - firewall.enable = false; - nftables = { - enable = true; - ruleset = '' - #!/usr/sbin/nft -f - - flush ruleset - - ########### define usefull variables here ##################### - define wan = eth0 - define ssh_allow = { - 83.161.147.127/32, # host801 ipv4 - 95.215.185.92/32, # host088 ipv4 - 95.215.185.211/32, # host089 ipv4 - 95.215.185.34/32, # nagios2 ipv4 - 95.215.185.181/32, # ansible.procolix.com - 95.215.185.235, # ansible-hq - 185.206.232.76, # vpn4 - } - define snmp_allow = { - 95.215.185.31/32, # cacti ipv4 - } - define nrpe_allow = { - 95.215.185.34/32, # nagios2 ipv4 - } - - ########### here starts the automated bit ##################### - table inet filter { - chain input { - type filter hook input priority 0; - policy drop; - - # established/related connections - ct state established,related accept - ct state invalid drop - - # Limit ping requests. - ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop - ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - - # loopback interface - iifname lo accept - - # icmp - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept - # Without the nd-* ones ipv6 will not work. - ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - - # open tcp ports: sshd (22) - ip saddr $ssh_allow tcp dport {ssh} accept - - # open tcp ports: snmp (161) - ip saddr $snmp_allow udp dport {snmp} accept - - # open tcp ports: nrpe (5666) - ip saddr $nrpe_allow tcp dport {nrpe} accept - - # open tcp ports: http (80,443) - tcp dport {http,https} accept - } - chain forward { - type filter hook forward priority 0; - } - chain output { - type filter hook output priority 0; - } - } - - table ip nat { - chain postrouting { - } - chain prerouting { - } - } - ''; - }; - }; - - - # Set your time zone. - time.timeZone = "Europe/Amsterdam"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - security.sudo.wheelNeedsPassword = false; - # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.procolix = { - isNormalUser = true; - extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1" - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2" - ]; - packages = with pkgs; [ - ]; - }; - users.users.laurens = { - isNormalUser = true; - extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbK4ZB0Xnpf8yyK4QOI2HvjgQINI3GKi7/O2VEsYXUb laurenshof@Laurenss-MacBook-Air.local" - ]; - packages = with pkgs; [ - ]; - }; - users.users.valentin = { - isNormalUser = true; - extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg" - ]; - packages = with pkgs; [ - ]; - }; - users.users.niols = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY" - ]; - }; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - (pkgs.vim_configurable.customize { - name = "vim"; - vimrcConfig.packages.myplugins = with pkgs.vimPlugins; { - start = [ vim-nix ]; # load plugin on startup - }; - vimrcConfig.customRC = '' - " your custom vimrc - set nocompatible - set backspace=indent,eol,start - " Turn on syntax highlighting by default - syntax on - " ... - ''; - }) - wget - git - ]; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - services.openssh.settings.PasswordAuthentication = false; - - # Enable xe-guest-utilities - services.xe-guest-utilities.enable = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? - -} diff --git a/server/default.nix b/server/default.nix deleted file mode 100644 index cfdae5bd..00000000 --- a/server/default.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ sources ? import ../website/npins -, system ? builtins.currentSystem -, pkgs ? import sources.nixpkgs { - inherit system; - config = { }; - overlays = [ ]; - } -, lib ? import "${sources.nixpkgs}/lib" -}: -let - # TODO: don't hard code target hosts; wire all of it up with NixOps4 - host = "vm02117.procolix.com"; - deploy = pkgs.writeShellApplication { - name = "deploy-webserver"; - text = '' - # HACK: decouple system evaluation from shell evaluation - # the structured way for using this hack is encoded in https://github.com/fricklerhandwerk/lazy-drv - result="$(nix-build ${toString ./.} -A machine --no-out-link --eval-store auto --store ssh-ng://${host})" - # shellcheck disable=SC2087 - ssh ${host} << EOF - sudo nix-env -p /nix/var/nix/profiles/system --set "$result" - sudo "$result"/bin/switch-to-configuration switch - EOF - ''; - }; - nixos-configuration = config: - import "${pkgs.path}/nixos/lib/eval-config.nix" { - modules = [ - config - ]; - system = null; - }; -in -rec { - nixos = nixos-configuration ./configuration.nix; - machine = nixos.config.system.build.toplevel; - shell = pkgs.mkShellNoCC { - packages = with pkgs; [ - deploy - ]; - env = { - # TODO: reusing other pins for now; wire up the whole repo to use the same dependencies - NPINS_DIRECTORY = toString ../website/npins; - }; - }; -} diff --git a/server/hardware-configuration.nix b/server/hardware-configuration.nix deleted file mode 100644 index c14f4759..00000000 --- a/server/hardware-configuration.nix +++ /dev/null @@ -1,34 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sr_mod" "xen_blkfront" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/5aa392a8-c9ba-4181-976f-b3b30db350a1"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/FC6D-610F"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enX0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/server/shell.nix b/server/shell.nix deleted file mode 100644 index a6bdf202..00000000 --- a/server/shell.nix +++ /dev/null @@ -1 +0,0 @@ -(import ./. { }).shell