add vultr

2021-06-02 20:42:32 +01:00 · 2021-06-02 20:42:32 +01:00 · bcc9a8762d
commit bcc9a8762d
parent 642dcbe426
11 changed files with 157 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@ -40,6 +40,14 @@
        ];
        specialArgs = { inherit inputs; };
      };
+      vultr1 = nixpkgs-stable.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          (import ./nixos/boxes/vultr1)
+          agenix.nixosModules.age
+        ];
+        specialArgs = { inherit inputs; };
+      };
    };
  };
  inputs = {
--- a/nixos/boxes/brix/default.nix
+++ b/nixos/boxes/brix/default.nix
@ -3,10 +3,9 @@
  imports = [
    ./brix-boot.nix
    ./real-hardware.nix
-    ./security.nix
-    ./cli.nix
-    ./vpn.nix
-    ./prometheus-node.nix
+    ../security.nix
+    ../cli.nix
+    ../vpn.nix
    ./restic-server.nix
    ./i2p.nix
    ./print-server.nix
--- a/nixos/boxes/brix/cli.nix
+++ b/nixos/boxes/brix/cli.nix
--- a/nixos/boxes/brix/security.nix
+++ b/nixos/boxes/brix/security.nix
--- a/nixos/boxes/brix/vpn.nix
+++ b/nixos/boxes/brix/vpn.nix
--- a/nixos/boxes/vultr1/default.nix
+++ b/nixos/boxes/vultr1/default.nix
@ -0,0 +1,23 @@
+{ config, pkgs, inputs, lib, ... }:
+{
+  networking.hostName = "vultr1";
+
+  imports = [
+    ./vultr-boot.nix
+    ../vpn.nix
+    ../security.nix
+    ../cli.nix
+    ./nginx.nix
+    ./search.nix
+    ./folding.nix
+    ./matrix-front.nix
+  ];
+
+  systemd.extraConfig = ''
+    DefaultTimeoutStartSec=900s
+  '';
+
+  security.allowUserNamespaces = true;
+  time.timeZone = "Europe/London";
+
+}
--- a/nixos/boxes/vultr1/folding.nix
+++ b/nixos/boxes/vultr1/folding.nix
@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+{
+  services.foldingathome = {
+    enable = true;
+    user = "cyplo";
+  };
+  boot.kernel.sysctl = {
+    "kernel.unprivileged_userns_clone" = 1;
+  };
+}
--- a/nixos/boxes/vultr1/matrix-front.nix
+++ b/nixos/boxes/vultr1/matrix-front.nix
@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+{
+
+  services.nginx = {
+    virtualHosts = {
+      "cyplo.dev" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."= /.well-known/matrix/server".extraConfig =
+          let
+            server = { "m.server" = "cyplo.dev:443"; };
+          in ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
+
+          locations."= /.well-known/matrix/client".extraConfig =
+            let
+              client = {
+                "m.homeserver" =  { "base_url" = "https://cyplo.dev"; };
+                "m.identity_server" =  { "base_url" = "https://vector.im"; };
+              };
+            in ''
+              add_header Content-Type application/json;
+              add_header Access-Control-Allow-Origin *;
+              return 200 '${builtins.toJSON client}';
+            '';
+
+            locations."/".extraConfig = ''
+              return 404;
+            '';
+
+            locations."/_matrix" = {
+              proxyPass = "http://brix.vpn:8008"; # without a trailing /
+            };
+          };
+        };
+      };
+
+    }
--- a/nixos/boxes/vultr1/nginx.nix
+++ b/nixos/boxes/vultr1/nginx.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  services.nginx = {
+    enable = true;
+    statusPage = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+  };
+}
--- a/nixos/boxes/vultr1/search.nix
+++ b/nixos/boxes/vultr1/search.nix
@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+{
+
+  services.nginx = {
+    virtualHosts = {
+      "search.cyplo.dev" = {
+        forceSSL = true;
+        enableACME = true;
+        extraConfig = ''
+          access_log /dev/null;
+          error_log /dev/null;
+          proxy_connect_timeout 60s;
+          proxy_send_timeout 60s;
+          proxy_read_timeout 60s;
+        '';
+        locations."/" = {
+          proxyPass = "http://localhost:8888";
+        };
+      };
+    };
+  };
+
+  services.searx = {
+    enable = true;
+  };
+}
+
--- a/nixos/boxes/vultr1/vultr-boot.nix
+++ b/nixos/boxes/vultr1/vultr-boot.nix
@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+{
+
+  boot = {
+    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ];
+    initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ];
+
+    initrd.postDeviceCommands = ''
+      # Set the system time from the hardware clock to work around a
+      # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
+      # to the *boot time* of the host).
+        hwclock -s
+    '';
+
+    kernelPackages = pkgs.linuxPackages_latest_hardened;
+    loader.grub.enable = true;
+    loader.grub.version = 2;
+    loader.grub.device = "/dev/vda";
+    };
+
+    fileSystems."/" =
+      { device = "/dev/disk/by-uuid/d37c4c81-4807-4b8b-bcd4-05ae76bccbaa";
+      fsType = "ext4";
+    };
+
+    swapDevices = [
+      {
+        device = "/swapfile";
+        size = 2048;
+      }
+    ];
+
+  }
+