diff --git a/flake.nix b/flake.nix
index 1da10edb..f1782a50 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,6 +40,14 @@
 ];
 specialArgs = { inherit inputs; };
 };
+ vultr1 = nixpkgs-stable.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ (import ./nixos/boxes/vultr1)
+ agenix.nixosModules.age
+ ];
+ specialArgs = { inherit inputs; };
+ };
 };
 };
 inputs = {
diff --git a/nixos/boxes/brix/default.nix b/nixos/boxes/brix/default.nix
index ed653e07..3d3caf3e 100644
--- a/nixos/boxes/brix/default.nix
+++ b/nixos/boxes/brix/default.nix
@@ -3,10 +3,9 @@
 imports = [
 ./brix-boot.nix
 ./real-hardware.nix
- ./security.nix
- ./cli.nix
- ./vpn.nix
- ./prometheus-node.nix
+ ../security.nix
+ ../cli.nix
+ ../vpn.nix
 ./restic-server.nix
 ./i2p.nix
 ./print-server.nix
diff --git a/nixos/boxes/brix/cli.nix b/nixos/boxes/cli.nix
similarity index 100%
rename from nixos/boxes/brix/cli.nix
rename to nixos/boxes/cli.nix
diff --git a/nixos/boxes/brix/security.nix b/nixos/boxes/security.nix
similarity index 100%
rename from nixos/boxes/brix/security.nix
rename to nixos/boxes/security.nix
diff --git a/nixos/boxes/brix/vpn.nix b/nixos/boxes/vpn.nix
similarity index 100%
rename from nixos/boxes/brix/vpn.nix
rename to nixos/boxes/vpn.nix
diff --git a/nixos/boxes/vultr1/default.nix b/nixos/boxes/vultr1/default.nix
new file mode 100644
index 00000000..f159b87a
--- /dev/null
+++ b/nixos/boxes/vultr1/default.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, inputs, lib, ... }:
+{
+ networking.hostName = "vultr1";
+
+ imports = [
+ ./vultr-boot.nix
+ ../vpn.nix
+ ../security.nix
+ ../cli.nix
+ ./nginx.nix
+ ./search.nix
+ ./folding.nix
+ ./matrix-front.nix
+ ];
+
+ systemd.extraConfig = ''
+ DefaultTimeoutStartSec=900s
+ '';
+
+ security.allowUserNamespaces = true;
+ time.timeZone = "Europe/London";
+
+}
diff --git a/nixos/boxes/vultr1/folding.nix b/nixos/boxes/vultr1/folding.nix
new file mode 100644
index 00000000..a2699f18
--- /dev/null
+++ b/nixos/boxes/vultr1/folding.nix
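Review bot: `./prometheus-node.nix` is removed from brix's import list on the `-` lines without reappearing anywhere in this diff, whereas the other three removed entries come back as `../security.nix`, `../cli.nix` and `../vpn.nix`. If the node exporter on brix is still wanted, the import should be kept (`./prometheus-node.nix`); if dropping it is intentional, that deserves a mention, since it silently removes a monitoring endpoint. The `imports` list begins before the hunk and the enclosing attribute set ends outside it.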
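Review bot: `security.allowUserNamespaces = true;` in `nixos/boxes/vultr1/default.nix` carries no comment, and nothing visible in this commit imports a hardened profile that would have turned user namespaces off, so the line either restates the NixOS default or overrides something in `../security.nix` that the diff does not show. Since `folding.nix` in the same commit also sets the `kernel.unprivileged_userns_clone` sysctl, the pair should record its reason, e.g. `# unprivileged user namespaces: presumably needed by the folding@home client (see ./folding.nix) — confirm`. The `inputs` and `lib` arguments in the function pattern are unused in this file.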
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+{
+ services.foldingathome = {
+ enable = true;
+ user = "cyplo";
+ };
+ boot.kernel.sysctl = {
+ "kernel.unprivileged_userns_clone" = 1;
+ };
+}
diff --git a/nixos/boxes/vultr1/matrix-front.nix b/nixos/boxes/vultr1/matrix-front.nix
new file mode 100644
index 00000000..02b787f3
--- /dev/null
+++ b/nixos/boxes/vultr1/matrix-front.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+{
+
+ services.nginx = {
+ virtualHosts = {
+ "cyplo.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."= /.well-known/matrix/server".extraConfig =
+ let
+ server = { "m.server" = "cyplo.dev:443"; };
+ in ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON server}';
+ '';
+
+ locations."= /.well-known/matrix/client".extraConfig =
+ let
+ client = {
+ "m.homeserver" = { "base_url" = "https://cyplo.dev"; };
+ "m.identity_server" = { "base_url" = "https://vector.im"; };
+ };
+ in ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client}';
+ '';
+
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+
+ locations."/_matrix" = {
+ proxyPass = "http://brix.vpn:8008"; # without a trailing /
+ };
+ };
+ };
+ };
+
+ }
diff --git a/nixos/boxes/vultr1/nginx.nix b/nixos/boxes/vultr1/nginx.nix
new file mode 100644
index 00000000..93c4775a
--- /dev/null
+++ b/nixos/boxes/vultr1/nginx.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx = {
+ enable = true;
+ statusPage = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+}
diff --git a/nixos/boxes/vultr1/search.nix b/nixos/boxes/vultr1/search.nix
new file mode 100644
index 00000000..7838ee8e
--- /dev/null
+++ b/nixos/boxes/vultr1/search.nix
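Review bot: `user = "cyplo";` runs the folding@home client under the owner's interactive account instead of a dedicated service identity, so a fault in the client (which processes externally supplied work units) lands directly in that user's home directory and whatever credentials live there. Leaving the module's user at its default, or creating a dedicated unprivileged user for it, keeps the service separated from the personal account. The sysctl `"kernel.unprivileged_userns_clone" = 1;` additionally re-enables unprivileged user namespaces on the `linuxPackages_latest_hardened` kernel selected in `vultr-boot.nix`, a host-wide widening of kernel attack surface rather than a per-service one, so both choices should carry a why-comment such as `# FAHClient needs unprivileged user namespaces — confirm on current client version`.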
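Review bot: `enableACME = true;` on the `cyplo.dev` virtual host in `matrix-front.nix` requires `security.acme.acceptTerms = true;` and a contact address (`security.acme.email`, or `security.acme.defaults.email` on newer nixpkgs), and neither appears in this commit; unless `../security.nix` or another shared module supplies them, evaluating vultr1 will fail, and the same applies to `search.cyplo.dev` in `search.nix`. The `/_matrix` location that proxies to `http://brix.vpn:8008` also sets no `client_max_body_size`, so nginx's 1m default applies and media uploads above that are rejected here before they reach the homeserver; an `extraConfig = "client_max_body_size 50M;";` on that location, sized to the homeserver's own upload limit, avoids the mismatch.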
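Review bot: No virtual host in this commit is marked `default = true`, so in `nginx.nix` the firewall opens 80 and 443 while requests whose Host header or SNI matches neither `cyplo.dev` nor `search.cyplo.dev` are answered by whichever server block nginx orders first, served with that site's certificate. A catch-all host that refuses such requests keeps scanner and misdirected traffic off the named sites, e.g. `virtualHosts."_" = { default = true; locations."/".return = "444"; };` (newer nixpkgs also provide `rejectSSL = true;` for the TLS side). `statusPage = true;` only exposes `/nginx_status` on the loopback `localhost` server, which is fine, but nothing in the diff scrapes it, so it may be left over from the removed `prometheus-node.nix` setup on brix.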
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+{
+
+ services.nginx = {
+ virtualHosts = {
+ "search.cyplo.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ access_log /dev/null;
+ error_log /dev/null;
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+ '';
+ locations."/" = {
+ proxyPass = "http://localhost:8888";
+ };
+ };
+ };
+ };
+
+ services.searx = {
+ enable = true;
+ };
+}
+
diff --git a/nixos/boxes/vultr1/vultr-boot.nix b/nixos/boxes/vultr1/vultr-boot.nix
new file mode 100644
index 00000000..0639ac7d
--- /dev/null
+++ b/nixos/boxes/vultr1/vultr-boot.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+{
+
+ boot = {
+ initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ];
+ initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ];
+
+ initrd.postDeviceCommands = ''
+ # Set the system time from the hardware clock to work around a
+ # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
+ # to the *boot time* of the host).
+ hwclock -s
+ '';
+
+ kernelPackages = pkgs.linuxPackages_latest_hardened;
+ loader.grub.enable = true;
+ loader.grub.version = 2;
+ loader.grub.device = "/dev/vda";
+ };
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/d37c4c81-4807-4b8b-bcd4-05ae76bccbaa";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 2048;
+ }
+ ];
+
+ }
+
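Review bot: `error_log /dev/null;` in the `search.cyplo.dev` `extraConfig` discards nginx's own error reporting for this host, not just request logs, so upstream failures, TLS problems and abusive traffic against the searx backend leave nothing to investigate afterwards. Dropping the access log for a search front-end is a defensible privacy choice, but the error log should stay at a reduced level, e.g. `error_log stderr warn;` (which lands in the journal under systemd), so incidents remain reconstructible. The backend is reached only via `proxyPass = "http://localhost:8888"`, and nothing in the diff provides a `secret_key` for `services.searx`; check whether the nixpkgs-stable module in use generates one or expects it through `environmentFile`, since a missing or placeholder key weakens searx's session handling.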
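Review bot: `initrd.availableKernelModules` in `vultr-boot.nix` lists `"virtio_pci"` and `"virtio_blk"` twice; the duplicates are harmless in the generated initrd but read as a paste from two sources, so the second occurrences should go. The `/swapfile` entry under `swapDevices` has no `randomEncryption`, so memory pages swapped out on this provider-hosted VM persist in clear text on a disk outside the owner's control; adding `randomEncryption.enable = true;` to that entry closes that gap if the module supports it for file-backed swap on this nixpkgs-stable. `loader.grub.version = 2;` is the default and is deprecated in newer nixpkgs, so it can be dropped as well.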