author | sefidel <contact@sefidel.net> | 2023-02-06 18:08:33 +0900 |
---|---|---|
committer | sefidel <contact@sefidel.net> | 2023-02-06 18:08:33 +0900 |
commit | 2788edf8f6ddc0a5ccd141db51321cd21abb5adf (patch) | |
tree | cbca719739f3eeef32dd47cb9d0fa823f09c4915 /colmena/cobalt/services | |
parent | bdf36408a71b1b3993a9552637d86495cb677b86 (diff) | |
download | nixrc-2788edf8f6ddc0a5ccd141db51321cd21abb5adf.tar.gz nixrc-2788edf8f6ddc0a5ccd141db51321cd21abb5adf.zip |
feat: merge colmena to nixos
Diffstat (limited to 'colmena/cobalt/services')
-rw-r--r-- | colmena/cobalt/services/README.md | 5 | ||||
-rw-r--r-- | colmena/cobalt/services/acme.nix | 26 | ||||
-rw-r--r-- | colmena/cobalt/services/cgit.nix | 105 | ||||
-rw-r--r-- | colmena/cobalt/services/fail2ban.nix | 5 | ||||
-rw-r--r-- | colmena/cobalt/services/git-daemon.nix | 15 | ||||
-rw-r--r-- | colmena/cobalt/services/gitolite-noncore/fix-refs | 9 | ||||
-rw-r--r-- | colmena/cobalt/services/gitolite-noncore/rename | 62 | ||||
-rw-r--r-- | colmena/cobalt/services/gitolite.nix | 109 | ||||
-rw-r--r-- | colmena/cobalt/services/nginx.nix | 15 | ||||
-rw-r--r-- | colmena/cobalt/services/soju.nix | 26 |
10 files changed, 0 insertions, 377 deletions
diff --git a/colmena/cobalt/services/README.md b/colmena/cobalt/services/README.md
deleted file mode 100644
index 89d9ca5..0000000
--- a/colmena/cobalt/services/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# colmena/cobalt/services
-
-A list of 'pluggable' services.
-TODO: this should be moved to /modules/ and
-converted to modules.
diff --git a/colmena/cobalt/services/acme.nix b/colmena/cobalt/services/acme.nix
deleted file mode 100644
index b41ae1c..0000000
--- a/colmena/cobalt/services/acme.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-let
- poorObfuscation = y: x: "${x}@${y}";
-in
-{
- security.acme = {
- acceptTerms = true;
- defaults.email = poorObfuscation "sefidel.com" "postmaster";
- certs = {
- "sefidel.com" = {
- domain = "*.sefidel.com";
- dnsProvider = "hetzner";
- dnsPropagationCheck = true;
- credentialsFile = "/persist/secrets/hetzner.key";
- };
- };
- };
-
- environment.persistence."/persist".directories = [
- "/var/lib/acme"
- ];
-
- deployment.keys."hetzner.key" = {
- keyCommand = [ "pass" "show" "server/hetzner-dns" ];
- destDir = "/persist/secrets";
- };
-}
diff --git a/colmena/cobalt/services/cgit.nix b/colmena/cobalt/services/cgit.nix
deleted file mode 100644
index 4e030c8..0000000
--- a/colmena/cobalt/services/cgit.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ pkgs, ... }:
-
-{
- services.uwsgi = {
- enable = true;
- user = "nginx";
- group = "nginx";
- plugins = [ "cgi" ];
-
- instance = {
- type = "emperor";
- vassals = {
- cgit = {
- type = "normal";
- master = true;
- socket = "/run/uwsgi/cgit.sock";
- procname-master = "uwsgi cgit";
- plugins = [ "cgi" ];
- cgi = "${pkgs.cgit-pink}/cgit/cgit.cgi";
- };
- };
- };
- };
-
- users.extraUsers.nginx.extraGroups = [ "git" ];
-
- services.nginx.virtualHosts."git.sefidel.com" = {
- addSSL = true;
- useACMEHost = "sefidel.com";
- root = "${pkgs.cgit-pink}/cgit";
- locations = {
- "/" = {
- extraConfig = ''
- try_files $uri @cgit;
- '';
- };
- "@cgit" = {
- extraConfig = ''
- uwsgi_pass unix:/run/uwsgi/cgit.sock;
- include ${pkgs.nginx}/conf/uwsgi_params;
- uwsgi_modifier1 9;
- '';
- };
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- systemd.services.create-cgit-cache = {
- description = "Create cache directory for cgit";
- enable = true;
-
- script = ''
- mkdir -p /run/cgit
- chown -R nginx:nginx /run/cgit
- '';
-
- wantedBy = [ "uwsgi.service" ];
- serviceConfig = {
- Type = "oneshot";
- };
- };
-
- environment.etc."cgitrc".text = ''
- virtual-root=/
-
- cache-size=1000
- cache-root=/run/cgit
-
- root-title=sefidel git
- root-desc=Exotic place.
-
- snapshots=tar.gz zip
-
- enable-git-config=1
- remove-suffix=1
-
- enable-git-clone=1
- enable-index-links=1
- enable-commit-graph=1
- enable-log-filecount=1
- enable-log-linecount=1
-
- branch-sort=age
-
- readme=:README
- readme=:readme
- readme=:README.md
- readme=:readme.md
- readme=:README.org
- readme=:readme.org
-
- source-filter=${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py
- about-filter=${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh
-
- section-from-path=2
-
- project-list=/var/lib/gitolite/projects.list
- scan-path=/var/lib/gitolite/repositories
- '';
-
- imports = [
- ./nginx.nix
- ];
-}
diff --git a/colmena/cobalt/services/fail2ban.nix b/colmena/cobalt/services/fail2ban.nix
deleted file mode 100644
index 9731ef6..0000000
--- a/colmena/cobalt/services/fail2ban.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- services.fail2ban = {
- enable = true;
- };
-}
diff --git a/colmena/cobalt/services/git-daemon.nix b/colmena/cobalt/services/git-daemon.nix
deleted file mode 100644
index 21e957e..0000000
--- a/colmena/cobalt/services/git-daemon.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- services.gitDaemon = {
- enable = true;
- createUserAndGroup = false;
- basePath = "/var/lib/gitolite/repositories";
- };
-
- networking.firewall.allowedTCPPorts = [ 9418 ];
-
- disabledModules = [ "services/networking/git-daemon.nix" ];
-
- imports = [
- ../modules/git-daemon.nix
- ];
-}
diff --git a/colmena/cobalt/services/gitolite-noncore/fix-refs b/colmena/cobalt/services/gitolite-noncore/fix-refs
deleted file mode 100644
index 8ffec9e..0000000
--- a/colmena/cobalt/services/gitolite-noncore/fix-refs
+++ /dev/null
@@ -1,9 +0,0 @@
-[[ $4 == W ]] || exit 0
-
-cd $GL_REPO_BASE/$2.git
-
-head=`git symbolic-ref HEAD`
-[[ -f $head ]] || {
- set -- refs/heads/*
- git symbolic-ref HEAD $1
-}
diff --git a/colmena/cobalt/services/gitolite-noncore/rename b/colmena/cobalt/services/gitolite-noncore/rename
deleted file mode 100644
index 00aa5ca..0000000
--- a/colmena/cobalt/services/gitolite-noncore/rename
+++ /dev/null
@@ -1,62 +0,0 @@
-
-# Usage: ssh git@host rename [-c] <repo1> <repo2>
-#
-# Renames repo1 to repo2. You must be the creator of repo1, and have
-# create ("C") permissions for repo2, which of course must not exist.
-# Alternatively you must be an account admin, that is, you must have
-# write access to the gitolite-admin repository. If you have "C"
-# permissions for repo2 then you can use the -c option to take over
-# as creator of the repository.
-
-die() { echo "$@" >&2; exit 1; }
-usage() { perl -lne 'print substr($_, 2) if /^# Usage/../^$/' < $0; exit 1; }
-[ -z "$1" ] && usage
-[ "$1" = "-h" ] && usage
-[ -z "$GL_USER" ] && die GL_USER not set
-
-# ----------------------------------------------------------------------
-
-if [ "$1" = "-c" ]
-then shift
- takeover=true
-else takeover=false
-fi
-
-from="$1"; shift
-to="$1"; shift
-[ -z "$to" ] && usage
-
-topath=$GL_REPO_BASE/$to.git
-
-checkto() {
- gitolite access -q "$to" $GL_USER ^C any ||
- die "'$to' already exists or you are not allowed to create it"
-}
-
-if gitolite access -q gitolite-admin $GL_USER
-then
- # the user is an admin so we can avoid most permission checks
- if $takeover
- then checkto
- elif [ -e $topath ]
- then die "'$to' already exists"
- fi
-else
- # the user isn't an admin, so do all the checks
- checkto
- gitolite creator "$from" $GL_USER ||
- die "'$from' does not exist or you are not allowed to delete it"
-fi
-
-# ----------------------------------------------------------------------
-
-mv $GL_REPO_BASE/$from.git $topath
-[ $? -ne 0 ] && exit 1
-
-$takeover && echo $GL_USER > $topath/gl-creator
-
-[ -f "$HOME/projects.list" ] && sed "s:$from.git$:$to.git:g" -i "$HOME/projects.list"
-
-echo "$from renamed to $to" >&2
-
-exit
diff --git a/colmena/cobalt/services/gitolite.nix b/colmena/cobalt/services/gitolite.nix
deleted file mode 100644
index 94c7ac9..0000000
--- a/colmena/cobalt/services/gitolite.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-{ pkgs, ... }:
-
-let
- # https://groups.google.com/g/gitolite/c/NwZ1-hq9-9E/m/mDbiKyAvDwAJ
- fixRefsTrigger = pkgs.writeText "fix-refs" ''
- [[ $4 == W ]] || exit 0
-
- cd $GL_REPO_BASE/$2.git
-
- head=`git symbolic-ref HEAD`
- [[ -f $head ]] || {
- set -- refs/heads/*
- git symbolic-ref HEAD $1
- }
- '';
-in
-{
- services.gitolite = {
- enable = true;
- user = "git";
- group = "git";
- adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F";
- extraGitoliteRc = ''
- $RC{UMASK} = 0027;
- $RC{GIT_CONFIG_KEYS} = '.*';
- $RC{ROLES}{OWNERS} = 1;
- $RC{OWNER_ROLENAME} = 'OWNERS';
- # For some unknown reason, $ENV{HOME} doesn't get resolved to the correct
- # directory.
- # $RC{LOCAL_CODE} = '$ENV{HOME}/local';
- $RC{LOCAL_CODE} = '/var/lib/gitolite/local';
- push(@{$RC{ENABLE}}, 'D');
- push(@{$RC{ENABLE}}, 'symbolic-ref');
- push(@{$RC{ENABLE}}, 'rename');
- push(@{$RC{POST_GIT}}, 'fix-refs');
- # push(@{$RC{ENABLE}}, 'set-default-roles');
- # push(@{$RC{ENABLE}}, 'create');
- # push(@{$RC{ENABLE}}, 'fork');
-
- '';
- };
-
- environment.persistence."/persist".directories = [
- "/var/lib/gitolite"
- ];
-
- system.activationScripts.gitolite-create-local = ''
- mkdir -p /var/lib/gitolite/local/triggers
- mkdir -p /var/lib/gitolite/local/commands
- chown -R git:git /var/lib/gitolite/local
- '';
-
- systemd.tmpfiles.rules = [
- "C /var/lib/gitolite/local/triggers/fix-refs 755 - - - ${./gitolite-noncore/fix-refs}"
- "C /var/lib/gitolite/local/commands/rename 755 - - - ${./gitolite-noncore/rename}"
- ];
-
-
- systemd.timers."gitolite-trash-cleanup" = {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "*-*-* 00:00:00";
- Unit = "gitolite-trash-cleanup.service";
- };
- };
-
- systemd.services."gitolite-trash-cleanup" = {
- script = ''
- set -euo pipefail
- if [ ! -d "Trash" ] ; then
- echo Trash directory is nonexistent!
- echo No operations to perform. Exiting.
- exit 0
- fi
-
- match=$(find Trash -type d -regextype posix-extended -regex ".*/[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}:[0-9]{2}$")
- processed_entry=0
- removed_entry=0
-
- for dir in $match
- do
- system_timestamp=$(date +%s)
- trash_timestamp=$(basename $dir | sed -e "s/_/ /g" | date -f - +%s)
- age=$(( $system_timestamp - $trash_timestamp ))
- # Wipe trashes older than 2w
- if [[ age -gt 1209600 ]] ; then
- echo "Removing '$dir' (age $age)"
- rm -rf $dir
- ((removed_entry+=1))
- fi
- ((processed_entry+=1))
- done
-
- echo "Directories that needs cleanup:"
- find Trash -type d -empty -print -delete
- echo "Cleaned empty directories."
-
- echo "Done! Removed $removed_entry/$processed_entry"
- '';
-
- path = with pkgs; [ bash util-linux coreutils ];
-
- serviceConfig = {
- Type = "oneshot";
- User = "git";
- WorkingDirectory = "/var/lib/gitolite/repositories";
- };
- };
-}
diff --git a/colmena/cobalt/services/nginx.nix b/colmena/cobalt/services/nginx.nix
deleted file mode 100644
index cb5ced3..0000000
--- a/colmena/cobalt/services/nginx.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- services.nginx = {
- enable = true;
-
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- };
-
- users.extraUsers.nginx.extraGroups = [ "acme" ];
-
- imports = [
- ./acme.nix
- ];
-}
diff --git a/colmena/cobalt/services/soju.nix b/colmena/cobalt/services/soju.nix
deleted file mode 100644
index c150879..0000000
--- a/colmena/cobalt/services/soju.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- services.soju = {
- enable = true;
- extraGroups = [ "acme" ];
- hostName = "cobalt.sefidel.com";
- listen = [
- ":6697"
- ];
- tlsCertificate = "/var/lib/acme/sefidel.com/cert.pem";
- tlsCertificateKey = "/var/lib/acme/sefidel.com/key.pem";
- };
-
- networking.firewall.allowedTCPPorts = [ 6697 ];
-
- environment.persistence."/persist".directories = [
- "/var/lib/private/soju"
- ];
-
- # TODO: remove this once merged
- disabledModules = [ "services/networking/soju.nix" ];
-
- imports = [
- ./acme.nix
- ../modules/soju.nix
- ];
-}