about summary refs log tree commit diff
path: root/colmena/cobalt/services
diff options
context:
space:
mode:
authorsefidel <contact@sefidel.net>2023-02-06 18:08:33 +0900
committersefidel <contact@sefidel.net>2023-02-06 18:08:33 +0900
commit2788edf8f6ddc0a5ccd141db51321cd21abb5adf (patch)
treecbca719739f3eeef32dd47cb9d0fa823f09c4915 /colmena/cobalt/services
parentbdf36408a71b1b3993a9552637d86495cb677b86 (diff)
downloadnixrc-2788edf8f6ddc0a5ccd141db51321cd21abb5adf.tar.gz
nixrc-2788edf8f6ddc0a5ccd141db51321cd21abb5adf.zip
feat: merge colmena to nixos
Diffstat (limited to 'colmena/cobalt/services')
-rw-r--r--colmena/cobalt/services/README.md5
-rw-r--r--colmena/cobalt/services/acme.nix26
-rw-r--r--colmena/cobalt/services/cgit.nix105
-rw-r--r--colmena/cobalt/services/fail2ban.nix5
-rw-r--r--colmena/cobalt/services/git-daemon.nix15
-rw-r--r--colmena/cobalt/services/gitolite-noncore/fix-refs9
-rw-r--r--colmena/cobalt/services/gitolite-noncore/rename62
-rw-r--r--colmena/cobalt/services/gitolite.nix109
-rw-r--r--colmena/cobalt/services/nginx.nix15
-rw-r--r--colmena/cobalt/services/soju.nix26
10 files changed, 0 insertions, 377 deletions
diff --git a/colmena/cobalt/services/README.md b/colmena/cobalt/services/README.md
deleted file mode 100644
index 89d9ca5..0000000
--- a/colmena/cobalt/services/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# colmena/cobalt/services
-
-A list of 'pluggable' services.
-TODO: this should be moved to /modules/ and
-converted to modules.
diff --git a/colmena/cobalt/services/acme.nix b/colmena/cobalt/services/acme.nix
deleted file mode 100644
index b41ae1c..0000000
--- a/colmena/cobalt/services/acme.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-let
-  poorObfuscation = y: x: "${x}@${y}";
-in
-{
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = poorObfuscation "sefidel.com" "postmaster";
-    certs = {
-      "sefidel.com" = {
-        domain = "*.sefidel.com";
-        dnsProvider = "hetzner";
-        dnsPropagationCheck = true;
-        credentialsFile = "/persist/secrets/hetzner.key";
-      };
-    };
-  };
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/acme"
-  ];
-
-  deployment.keys."hetzner.key" = {
-    keyCommand = [ "pass" "show" "server/hetzner-dns" ];
-    destDir = "/persist/secrets";
-  };
-}
diff --git a/colmena/cobalt/services/cgit.nix b/colmena/cobalt/services/cgit.nix
deleted file mode 100644
index 4e030c8..0000000
--- a/colmena/cobalt/services/cgit.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.uwsgi = {
-    enable = true;
-    user = "nginx";
-    group = "nginx";
-    plugins = [ "cgi" ];
-
-    instance = {
-      type = "emperor";
-      vassals = {
-        cgit = {
-          type = "normal";
-          master = true;
-          socket = "/run/uwsgi/cgit.sock";
-          procname-master = "uwsgi cgit";
-          plugins = [ "cgi" ];
-          cgi = "${pkgs.cgit-pink}/cgit/cgit.cgi";
-        };
-      };
-    };
-  };
-
-  users.extraUsers.nginx.extraGroups = [ "git" ];
-
-  services.nginx.virtualHosts."git.sefidel.com" = {
-    addSSL = true;
-    useACMEHost = "sefidel.com";
-    root = "${pkgs.cgit-pink}/cgit";
-    locations = {
-      "/" = {
-        extraConfig = ''
-          try_files $uri @cgit;
-        '';
-      };
-      "@cgit" = {
-        extraConfig = ''
-          uwsgi_pass unix:/run/uwsgi/cgit.sock;
-          include ${pkgs.nginx}/conf/uwsgi_params;
-          uwsgi_modifier1 9;
-        '';
-      };
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  systemd.services.create-cgit-cache = {
-    description = "Create cache directory for cgit";
-    enable = true;
-
-    script = ''
-      mkdir -p /run/cgit
-      chown -R nginx:nginx /run/cgit
-    '';
-
-    wantedBy = [ "uwsgi.service" ];
-    serviceConfig = {
-      Type = "oneshot";
-    };
-  };
-
-  environment.etc."cgitrc".text = ''
-    virtual-root=/
-
-    cache-size=1000
-    cache-root=/run/cgit
-
-    root-title=sefidel git
-    root-desc=Exotic place.
-
-    snapshots=tar.gz zip
-
-    enable-git-config=1
-    remove-suffix=1
-
-    enable-git-clone=1
-    enable-index-links=1
-    enable-commit-graph=1
-    enable-log-filecount=1
-    enable-log-linecount=1
-
-    branch-sort=age
-
-    readme=:README
-    readme=:readme
-    readme=:README.md
-    readme=:readme.md
-    readme=:README.org
-    readme=:readme.org
-
-    source-filter=${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py
-    about-filter=${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh
-
-    section-from-path=2
-
-    project-list=/var/lib/gitolite/projects.list
-    scan-path=/var/lib/gitolite/repositories
-  '';
-
-  imports = [
-    ./nginx.nix
-  ];
-}
diff --git a/colmena/cobalt/services/fail2ban.nix b/colmena/cobalt/services/fail2ban.nix
deleted file mode 100644
index 9731ef6..0000000
--- a/colmena/cobalt/services/fail2ban.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  services.fail2ban = {
-    enable = true;
-  };
-}
diff --git a/colmena/cobalt/services/git-daemon.nix b/colmena/cobalt/services/git-daemon.nix
deleted file mode 100644
index 21e957e..0000000
--- a/colmena/cobalt/services/git-daemon.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  services.gitDaemon = {
-    enable = true;
-    createUserAndGroup = false;
-    basePath = "/var/lib/gitolite/repositories";
-  };
-
-  networking.firewall.allowedTCPPorts = [ 9418 ];
-
-  disabledModules = [ "services/networking/git-daemon.nix" ];
-
-  imports = [
-    ../modules/git-daemon.nix
-  ];
-}
diff --git a/colmena/cobalt/services/gitolite-noncore/fix-refs b/colmena/cobalt/services/gitolite-noncore/fix-refs
deleted file mode 100644
index 8ffec9e..0000000
--- a/colmena/cobalt/services/gitolite-noncore/fix-refs
+++ /dev/null
@@ -1,9 +0,0 @@
-[[ $4 == W ]] || exit 0
-
-cd $GL_REPO_BASE/$2.git
-
-head=`git symbolic-ref HEAD`
-[[ -f $head ]] || {
-  set -- refs/heads/*
-  git symbolic-ref HEAD $1
-}
diff --git a/colmena/cobalt/services/gitolite-noncore/rename b/colmena/cobalt/services/gitolite-noncore/rename
deleted file mode 100644
index 00aa5ca..0000000
--- a/colmena/cobalt/services/gitolite-noncore/rename
+++ /dev/null
@@ -1,62 +0,0 @@
-
-# Usage:    ssh git@host rename [-c] <repo1> <repo2>
-#
-# Renames repo1 to repo2. You must be the creator of repo1, and have
-# create ("C") permissions for repo2, which of course must not exist.
-# Alternatively you must be an account admin, that is, you must have
-# write access to the gitolite-admin repository. If you have "C"
-# permissions for repo2 then you can use the -c option to take over
-# as creator of the repository.
-
-die() { echo "$@" >&2; exit 1; }
-usage() { perl -lne 'print substr($_, 2) if /^# Usage/../^$/' < $0; exit 1; }
-[ -z "$1" ] && usage
-[ "$1" = "-h" ] && usage
-[ -z "$GL_USER" ] && die GL_USER not set
-
-# ----------------------------------------------------------------------
-
-if [ "$1" = "-c" ]
-then	shift
-	takeover=true
-else	takeover=false
-fi
-
-from="$1"; shift
-to="$1"; shift
-[ -z "$to" ] && usage
-
-topath=$GL_REPO_BASE/$to.git
-
-checkto() {
-	gitolite access -q "$to" $GL_USER ^C any ||
-		die "'$to' already exists or you are not allowed to create it"
-}
-
-if gitolite access -q gitolite-admin $GL_USER
-then
-	# the user is an admin so we can avoid most permission checks
-	if $takeover
-	then checkto
-	elif [ -e $topath ]
-	then die "'$to' already exists"
-	fi
-else
-	# the user isn't an admin, so do all the checks
-	checkto
-	gitolite creator "$from" $GL_USER ||
-		die "'$from' does not exist or you are not allowed to delete it"
-fi
-
-# ----------------------------------------------------------------------
-
-mv $GL_REPO_BASE/$from.git $topath
-[ $? -ne 0 ] && exit 1
-
-$takeover && echo $GL_USER > $topath/gl-creator
-
-[ -f "$HOME/projects.list" ] && sed "s:$from.git$:$to.git:g" -i "$HOME/projects.list"
-
-echo "$from renamed to $to" >&2
-
-exit
diff --git a/colmena/cobalt/services/gitolite.nix b/colmena/cobalt/services/gitolite.nix
deleted file mode 100644
index 94c7ac9..0000000
--- a/colmena/cobalt/services/gitolite.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-{ pkgs, ... }:
-
-let
-  # https://groups.google.com/g/gitolite/c/NwZ1-hq9-9E/m/mDbiKyAvDwAJ
-  fixRefsTrigger = pkgs.writeText "fix-refs" ''
-    [[ $4 == W ]] || exit 0
-
-    cd $GL_REPO_BASE/$2.git
-
-    head=`git symbolic-ref HEAD`
-    [[ -f $head ]] || {
-      set -- refs/heads/*
-      git symbolic-ref HEAD $1
-    }
-  '';
-in
-{
-  services.gitolite = {
-    enable = true;
-    user = "git";
-    group = "git";
-    adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F";
-    extraGitoliteRc = ''
-      $RC{UMASK} = 0027;
-      $RC{GIT_CONFIG_KEYS} = '.*';
-      $RC{ROLES}{OWNERS} = 1;
-      $RC{OWNER_ROLENAME} = 'OWNERS';
-      # For some unknown reason, $ENV{HOME} doesn't get resolved to the correct
-      # directory.
-      # $RC{LOCAL_CODE} = '$ENV{HOME}/local';
-      $RC{LOCAL_CODE} = '/var/lib/gitolite/local';
-      push(@{$RC{ENABLE}}, 'D');
-      push(@{$RC{ENABLE}}, 'symbolic-ref');
-      push(@{$RC{ENABLE}}, 'rename');
-      push(@{$RC{POST_GIT}}, 'fix-refs');
-      # push(@{$RC{ENABLE}}, 'set-default-roles');
-      # push(@{$RC{ENABLE}}, 'create');
-      # push(@{$RC{ENABLE}}, 'fork');
-
-    '';
-  };
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/gitolite"
-  ];
-
-  system.activationScripts.gitolite-create-local = ''
-    mkdir -p /var/lib/gitolite/local/triggers
-    mkdir -p /var/lib/gitolite/local/commands
-    chown -R git:git /var/lib/gitolite/local
-  '';
-
-  systemd.tmpfiles.rules = [
-    "C /var/lib/gitolite/local/triggers/fix-refs 755 - - - ${./gitolite-noncore/fix-refs}"
-    "C /var/lib/gitolite/local/commands/rename 755 - - - ${./gitolite-noncore/rename}"
-  ];
-
-
-  systemd.timers."gitolite-trash-cleanup" = {
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnCalendar = "*-*-* 00:00:00";
-      Unit = "gitolite-trash-cleanup.service";
-    };
-  };
-
-  systemd.services."gitolite-trash-cleanup" = {
-    script = ''
-      set -euo pipefail
-      if [ ! -d "Trash" ] ; then
-        echo Trash directory is nonexistent!
-        echo No operations to perform. Exiting.
-        exit 0
-      fi
-
-      match=$(find Trash -type d -regextype posix-extended -regex ".*/[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}:[0-9]{2}$")
-      processed_entry=0
-      removed_entry=0
-
-      for dir in $match
-      do
-        system_timestamp=$(date +%s)
-        trash_timestamp=$(basename $dir | sed -e "s/_/ /g" | date -f - +%s)
-        age=$(( $system_timestamp - $trash_timestamp ))
-        # Wipe trashes older than 2w
-        if [[ age -gt 1209600 ]] ; then
-          echo "Removing '$dir' (age $age)"
-          rm -rf $dir
-          ((removed_entry+=1))
-        fi
-        ((processed_entry+=1))
-      done
-
-      echo "Directories that needs cleanup:"
-      find Trash -type d -empty -print -delete
-      echo "Cleaned empty directories."
-
-      echo "Done! Removed $removed_entry/$processed_entry"
-    '';
-
-    path = with pkgs; [ bash util-linux coreutils ];
-
-    serviceConfig = {
-      Type = "oneshot";
-      User = "git";
-      WorkingDirectory = "/var/lib/gitolite/repositories";
-    };
-  };
-}
diff --git a/colmena/cobalt/services/nginx.nix b/colmena/cobalt/services/nginx.nix
deleted file mode 100644
index cb5ced3..0000000
--- a/colmena/cobalt/services/nginx.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  services.nginx = {
-    enable = true;
-
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedTlsSettings = true;
-  };
-
-  users.extraUsers.nginx.extraGroups = [ "acme" ];
-
-  imports = [
-    ./acme.nix
-  ];
-}
diff --git a/colmena/cobalt/services/soju.nix b/colmena/cobalt/services/soju.nix
deleted file mode 100644
index c150879..0000000
--- a/colmena/cobalt/services/soju.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-  services.soju = {
-    enable = true;
-    extraGroups = [ "acme" ];
-    hostName = "cobalt.sefidel.com";
-    listen = [
-      ":6697"
-    ];
-    tlsCertificate = "/var/lib/acme/sefidel.com/cert.pem";
-    tlsCertificateKey = "/var/lib/acme/sefidel.com/key.pem";
-  };
-
-  networking.firewall.allowedTCPPorts = [ 6697 ];
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/private/soju"
-  ];
-
-  # TODO: remove this once merged
-  disabledModules = [ "services/networking/soju.nix" ];
-
-  imports = [
-    ./acme.nix
-    ../modules/soju.nix
-  ];
-}