diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix
index f83bef9..a18926a 100644
--- a/nix/os/containers/backup.nix
+++ b/nix/os/containers/backup.nix
@@ -1,4 +1,9 @@
+<<<<<<< HEAD
 { config, hostAddress, localAddress, subvolumes, targetPathSuffix ? "" }:
+=======
+{ config, hostAddress, localAddress, subvolumes, targetPathSuffix ? ""
+, autoStart ? false }:
+>>>>>>> 82ff04b (chore: nixfmt *)
 let passwords = import ../../variables/passwords.crypt.nix;
@@ -108,6 +113,11 @@ in {
 modifier = "rw"; }];
+<<<<<<< HEAD
+=======
+ extraFlags = [ "--resolv-conf=bind-host" ];
+
+>>>>>>> 82ff04b (chore: nixfmt *)
 privateNetwork = true;
 forwardPorts = [ ];
diff --git a/nix/os/containers/ipxe.nix b/nix/os/containers/ipxe.nix
new file mode 100644
index 0000000..fdcc481
--- /dev/null
+++ b/nix/os/containers/ipxe.nix
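Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 82ff04b (chore: nixfmt *)`) are committed into backup.nix, so the file no longer parses and every host configuration that imports it will fail to evaluate; the second hunk at `@@ -108,6 +113,11 @@` has the same problem around `extraFlags`. From the hunk alone the `82ff04b` side looks like the intended result at both spots (it adds the `autoStart ? false` parameter and the `extraFlags = [ "--resolv-conf=bind-host" ];` line), but that has to be confirmed against the other branch. The resolved header would read `{ config, hostAddress, localAddress, subvolumes, targetPathSuffix ? "", autoStart ? false }:` with the marker lines dropped, and the new parameter should then actually be consumed (e.g. `inherit autoStart;` in the container attrset) — none of the visible lines use it. Running `nix-instantiate --parse` or `nixfmt --check` over `nix/` as a pre-commit or CI step would catch this class of mistake before it reaches a deployed host.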
@@ -0,0 +1,163 @@
+{ hostAddress, localAddress, httpPort ? 80, httpsPort ? 443 }:
+
+let passwords = import ../../variables/passwords.crypt.nix;
+in {
+ config = { config, pkgs, lib, ... }: {
+ imports = [ ../profiles/containers/configuration.nix ];
+
+ networking.firewall.enable = false;
+
+ services.ddclientovh = {
+ enable = true;
+ domain = "www.stefanjunker.de";
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
+ preliminarySelfsigned = true;
+
+ # can be used for debugging
+ # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ };
+
+ services.nginx.enable = true;
+ services.nginx.recommendedProxySettings = true;
+ services.nginx.virtualHosts."www.stefanjunker.de" = {
+ default = true;
+ addSSL = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = httpPort;
+ ssl = false;
+ }
+ {
+ addr = "0.0.0.0";
+ port = httpsPort;
+ ssl = true;
+ }
+ ];
+
+ root = "/var/www/stefanjunker.de/htdocs";
+
+ enableACME = true;
+ # serverAliases = [
+ # "www.stefanjunker.de"
+ # ];
+ # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
+ # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
+
+ locations."/fi" = { index = "index.php"; };
+
+ locations."~ ^(.+.php)(.*)$".extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(.*)$;
+
+ fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
+ fastcgi_index index.php;
+ '';
+
+ locations."/hedgedoc/" = { proxyPass = "http://127.0.0.1:3000/"; };
+
+ locations."/hedgedoc/socket.io/" = {
+ proxyPass = "http://127.0.0.1:3000/socket.io/";
+ proxyWebsockets = true;
+ };
+
+ };
+
+ services.phpfpm.pools.mypool = {
+ user = "nobody";
+ phpPackage = pkgs.php5;
+ settings = {
+ "listen.owner" = config.services.nginx.user;
+ "pm" = "dynamic";
+ "pm.max_children" = 5;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 1;
+ "pm.max_spare_servers" = 3;
+ "pm.max_requests" = 500;
+
+ "php_admin_value[error_reporting]" =
+ "E_ALL 
& ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
+ };
+ };
+
+ # the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work
+ systemd.services."phpfpm-mypool" = {
+ serviceConfig = { Type = lib.mkForce "simple"; };
+ };
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ };
+
+ services.hedgedoc = {
+ enable = true;
+ configuration = {
+ domain = "www.stefanjunker.de";
+ urlPath = "hedgedoc";
+ protocolUseSSL = true;
+ db = {
+ dialect = "sqlite";
+ storage = "/var/lib/codimd/db.codimd.sqlite";
+ };
+
+ allowAnonymous = false;
+ allowAnonymousEdits = false;
+ allowGravatar = false;
+ allowFreeURL = false;
+ defaultPermission = "private";
+ allowEmailRegister = false;
+
+ # oauth2 provider config
+ inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
+
+ uploadsPath = "/var/lib/codimd/uploads";
+ };
+ };
+ };
+
+ autoStart = true;
+
+ bindMounts = {
+ "/etc/secrets/" = {
+ hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
+ isReadOnly = true;
+ };
+
+ "/var/www" = {
+ hostPath = "/var/lib/container-volumes/webserver/var-www";
+ isReadOnly = false;
+ };
+
+ "/var/lib/mysql" = {
+ hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
+ isReadOnly = false;
+ };
+
+ "/var/lib/codimd" = {
+ hostPath = "/var/lib/container-volumes/webserver/var-lib-codimd";
+ isReadOnly = false;
+ };
+ };
+
+ privateNetwork = true;
+ forwardPorts = [
+ {
+ # http
+ containerPort = 80;
+ hostPort = httpPort;
+ protocol = "tcp";
+ }
+ {
+ # https
+ containerPort = 443;
+ hostPort = httpsPort;
+ protocol = "tcp";
+ }
+ ];
+
+ inherit hostAddress localAddress;
+}
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix
index b4941e6..3d19ddb 100644
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix
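Review bot: `inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;` puts the Dropbox OAuth client secret into `services.hedgedoc.configuration`, which the NixOS module renders into a config file in the world-readable Nix store, so encrypting `passwords.crypt.nix` in git does not protect the value on the host. Prefer `services.hedgedoc.environmentFile` pointing at a file under the already bind-mounted, read-only `/etc/secrets/` and supply the `CMD_DROPBOX_*` values there, keeping only non-secret settings in Nix. The PHP location `~ ^(.+.php)(.*)$` hands every matching URI to php-fpm (and its `.` before `php` is unescaped, unlike in `fastcgi_split_path_info`); adding `try_files $fastcgi_script_name =404;` before `fastcgi_pass` limits execution to files that actually exist under `root`, which matters here because `/var/www` is mounted read-write and the interpreter is `pkgs.php5`, an end-of-life release that the `phpfpm-mypool` comment confirms is a custom build. `networking.firewall.enable = false;` inside the container presumably relies on the host's `forwardPorts` allowlist as the only exposure control; a comment stating that assumption would help the next reader. The file is named ipxe.nix, yet every bind mount lives under `/var/lib/container-volumes/webserver` and the content is an nginx/php/hedgedoc stack, so the name looks like a copy-paste leftover rather than an iPXE service.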
@@ -1,6 +1,6 @@
 { pkgs, lib, config, ... }:
-let
+let
 keys = import ../../../variables/keys.nix;
 in {
diff --git a/nix/os/devices/steveej-t14/versions.nix b/nix/os/devices/steveej-t14/versions.nix
index 9be3669..b7b9250 100644
--- a/nix/os/devices/steveej-t14/versions.nix
+++ b/nix/os/devices/steveej-t14/versions.nix
@@ -2,8 +2,7 @@ let
 nixpkgs = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-22.05";
- rev = ''
- 26eb67abc9a7370a51fcb86ece18eaf19ae9207f'';
+ rev = "26eb67abc9a7370a51fcb86ece18eaf19ae9207f";
 };
 in {
@@ -13,25 +12,21 @@ in {
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable";
- rev = ''
- fdebb81f45a1ba2c4afca5fd9f526e1653ad0949'';
+ rev = "fdebb81f45a1ba2c4afca5fd9f526e1653ad0949";
 };
 "channels-nixos-unstable-small" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable-small";
- rev = ''
- 83018dd5d795a7f0729c94c2d234986f2858c300'';
+ rev = "83018dd5d795a7f0729c94c2d234986f2858c300";
 };
 "nixpkgs-master" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "master";
- rev = ''
- 06e2c42ae411d57087217096cacb409ade96ac74'';
+ rev = "06e2c42ae411d57087217096cacb409ade96ac74";
 };
 "home-manager-module" = {
 url = "https://github.com/nix-community/home-manager";
 ref = "release-22.05";
- rev = ''
- b81e128fc053ab3159d7b464d9b7dedc9d6a6891'';
+ rev = "b81e128fc053ab3159d7b464d9b7dedc9d6a6891";
 };
 }
diff --git a/nix/os/devices/vmd32387.contaboserver.net/versions.nix b/nix/os/devices/vmd32387.contaboserver.net/versions.nix
index ee8fc44..2a08164 100644
--- a/nix/os/devices/vmd32387.contaboserver.net/versions.nix
+++ b/nix/os/devices/vmd32387.contaboserver.net/versions.nix
@@ -2,8 +2,7 @@ let
 nixpkgs = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-22.05";
- rev = ''
- b3a8f7ed267e0a7ed100eb7d716c9137ff120fe3'';
+ rev = "b3a8f7ed267e0a7ed100eb7d716c9137ff120fe3";
 };
 in {
@@ -12,13 +11,11 @@ in {
 "nixpkgs-master" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "master";
- rev = ''
- 6b10854c8194f1ebaa5bce623e71c6da1c008861'';
+ rev = "6b10854c8194f1ebaa5bce623e71c6da1c008861";
 };
 "home-manager-module" = {
 url = "https://github.com/nix-community/home-manager";
 ref = "release-22.05";
- rev = ''
- f0ecd4b1db5e15103e955b18cb94bea4296e5c45'';
+ rev = "f0ecd4b1db5e15103e955b18cb94bea4296e5c45";
 };
 }
diff --git a/shell.nix b/shell.nix
index 814c9ea..1595779 100644
--- a/shell.nix
+++ b/shell.nix
@@ -45,6 +45,7 @@ in pkgs.stdenv.mkDerivation {
 ripgrep
 neovim
 glxinfo
+ nixfmt
 ntfy