diff options
Diffstat (limited to 'nixos/cobalt/services')
-rw-r--r-- | nixos/cobalt/services/README.md | 5 | ||||
-rw-r--r-- | nixos/cobalt/services/acme.nix | 33 | ||||
-rw-r--r-- | nixos/cobalt/services/akkoma-assets/blocklist.toml | 163 | ||||
-rw-r--r-- | nixos/cobalt/services/akkoma-assets/logo.png | bin | 1304 -> 0 bytes | |||
-rw-r--r-- | nixos/cobalt/services/akkoma-assets/logo.svg | 71 | ||||
-rw-r--r-- | nixos/cobalt/services/akkoma-assets/robots.txt | 2 | ||||
-rw-r--r-- | nixos/cobalt/services/akkoma.nix | 57 | ||||
-rw-r--r-- | nixos/cobalt/services/cgit.nix | 105 | ||||
-rw-r--r-- | nixos/cobalt/services/dendrite.nix | 157 | ||||
-rw-r--r-- | nixos/cobalt/services/fail2ban.nix | 5 | ||||
-rw-r--r-- | nixos/cobalt/services/git-daemon.nix | 15 | ||||
-rw-r--r-- | nixos/cobalt/services/gitolite-noncore/fix-refs | 9 | ||||
-rw-r--r-- | nixos/cobalt/services/gitolite-noncore/rename | 62 | ||||
-rw-r--r-- | nixos/cobalt/services/gitolite.nix | 109 | ||||
-rw-r--r-- | nixos/cobalt/services/nginx.nix | 15 | ||||
-rw-r--r-- | nixos/cobalt/services/soju.nix | 28 |
16 files changed, 0 insertions, 836 deletions
diff --git a/nixos/cobalt/services/README.md b/nixos/cobalt/services/README.md deleted file mode 100644 index 89d9ca5..0000000 --- a/nixos/cobalt/services/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# colmena/cobalt/services - -A list of 'pluggable' services. -TODO: this should be moved to /modules/ and -converted to modules. diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix deleted file mode 100644 index f8816d4..0000000 --- a/nixos/cobalt/services/acme.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ config, ... }: - -let - poorObfuscation = y: x: "${x}@${y}"; -in -{ - sops.secrets.hetzner-dns-key = { - owner = "acme"; - }; - - security.acme = { - acceptTerms = true; - defaults.email = poorObfuscation "sefidel.com" "postmaster"; - certs = { - "sefidel.com" = { - domain = "sefidel.com"; - extraDomainNames = [ - "bouncer.sefidel.com" - "git.sefidel.com" - "matrix.sefidel.com" - "social.sefidel.com" - ]; - dnsProvider = "hetzner"; - dnsPropagationCheck = true; - credentialsFile = config.sops.secrets.hetzner-dns-key.path; - }; - }; - }; - - environment.persistence."/persist".directories = [ - "/var/lib/acme" - ]; -} diff --git a/nixos/cobalt/services/akkoma-assets/blocklist.toml b/nixos/cobalt/services/akkoma-assets/blocklist.toml deleted file mode 100644 index e5eac7a..0000000 --- a/nixos/cobalt/services/akkoma-assets/blocklist.toml +++ /dev/null @@ -1,163 +0,0 @@ -[followers_only] - -[media_nsfw] - -[reject] -"*.tk" = "Free TLD" -"*.ml" = "Free TLD" -"*.ga" = "Free TLD" -"*.cf" = "Free TLD" -"*.gq" = "Free TLD" -# Reject list from chaos.social at 2023-02-06 -"activitypub-proxy.cf" = "Only exists to evade instance blocks, details" -"activitypub-troll.cf" = "Spam" -"aethy.com" = "Lolicon" -"bae.st" = "Discrimination, racism, “free speech zone”" -"baraag.net" = "Lolicon" -"banepo.st" = "Homophobia" -"beefyboys.club" = "Discrimination, racism, “free speech zone”" -"beefyboys.win" = "Discrimination, racism, “free speech zone”" -"beta.birdsite.live" = "Twitter crossposter" -"birb.elfenban.de" = "Twitter crossposter" -"bird.evilcyberhacker.net" = "Twitter crossposter" -"bird.froth.zone" = "Twitter crossposter" -"bird.geiger.ee" = "Twitter crossposter" -"bird.im-in.space" = "Twitter crossposter" -"bird.istheguy.com" = "Twitter crossposter" -"bird.karatek.net" = "Twitter crossposter" -"bird.makeup" = "Twitter crossposter" -"bird.nzbr.de" = "Twitter crossposter" -"bird.r669.live" = "Twitter crossposter" -"bird.seafoam.space" = "Twitter crossposter" -"birdbots.leptonics.com" = "Twitter crossposter" -"birdsite.b93.dece.space" = "Twitter crossposter" -"birdsite.blazelights.dev" = "Twitter crossposter" -"birdsite.frog.fashion" = "Twitter crossposter" -"birdsite.gabeappleton.me" = "Twitter crossposter" -"birdsite.james.moody.name" = "Twitter crossposter" -"birdsite.koyu.space" = "Twitter crossposter" -"birdsite.lakedrops.com" = "Twitter crossposter" -"birdsite.link" = "Twitter crossposter" -"birdsite.monster" = "Twitter crossposter" -"birdsite.oliviaappleton.com" = "Twitter crossposter" -"birdsite.platypush.tech" = "Twitter crossposter" -"birdsite.slashdev.space" = "Twitter crossposter" -"birdsite.tcjc.uk" = "Twitter crossposter" -"birdsite.thorlaksson.com" = "Twitter crossposter" -"birdsite.toot.si" = "Twitter crossposter" -"birdsite.wilde.cloud" = "Twitter crossposter" -"birdsitelive.ffvo.dev" = "Twitter crossposter" -"birdsitelive.kevinyank.com" = "Twitter crossposter" -"birdsitelive.peanutlasko.com" = "Twitter crossposter" -"birdsitelive.treffler.cloud" = "Twitter crossposter" -"bridge.birb.space" = "Twitter crossposter" -"brighteon.social" = "“free speech zone”" -"cawfee.club" = "Discrimination, racism, “free speech zone”" -"childpawn.shop" = "Pedophilia" -"chudbuds.lol" = "Discrimination, racism, “free speech zone”" -"club.darknight-coffee.eu" = "“free speech zone”" -"clubcyberia.co" = "Homophobia" -"clube.social" = "Harassment" -"comfyboy.club" = "Discrimination, racism" -"cum.camp" = "Harassment" -"cum.salon" = "Misogynic, pedophilia" -"daishouri.moe" = "Fascism, openly advertises with swastika" -"detroitriotcity.com" = "Discrimination, racism, “free speech zone”" -"eientei.org" = "Racism, antisemitism" -"eveningzoo.club" = "Discrimination, racism, “free speech zone”" -"f.haeder.net" = "Discrimination" -"freak.university" = "Pedophilia" -"freeatlantis.com" = "Conspiracy theory instance" -"freecumextremist.com" = "Discrimination, racism, “free speech zone”" -"freefedifollowers.ga" = "Follower spam" -"freespeechextremist.com" = "Discrimination, racism, “free speech zone”" -"frennet.link" = "Discrimination, racism, “free speech zone”" -"froth.zone" = "Calls freespeechextremist their local bubble" -"gab.com/.ai, develop.gab.com" = "Discrimination, racism, “free speech zone”" -"gameliberty.club" = "“free speech zone”" -"gegenstimme.tv" = "“free speech zone”" -"genderheretics.xyz" = "Tagline “Now With 41% More Misgendering!”" -"gitmo.life" = "“free speech zone”" -"gleasonator.com" = "Transphobia, TERFs" -"glindr.org" = "Discrimination" -"glowers.club" = "Discrimination, racism, “free speech zone”" -"honkwerx.tech" = "Racism" -"iamterminally.online" = "Discrimination, racism, “free speech zone”" -"iddqd.social" = "Discrimination, racism, “free speech zone”" -"itmslaves.com" = "“free speech zone”, noagenda affiliated" -"jaeger.website" = "Discrimination, racism, “free speech zone”" -"kenfm.quadplay.tv" = "Conspiracy videos" -"kiwifarms.cc" = "Discrimination" -"lgbtfree.zone" = "Racism, transphobia, all that" -"liberdon.com" = "Conspiracy theories, transphobia, racism" -"libre.tube" = "Promotion of violence and murder, multiple other violations of our rules" -"lolicon.rocks" = "Lolicon" -"lolison.top" = "Lolicon, paedophilia" -"mastinator.com" = "Block evasion, unwanted profile mirroring, and more" -"mastodon.network" = "Instance went down, now porn spam" -"mastodon.popps.org" = "Homophobia" -"mastodong.lol" = "Admin maintains and runs activitypub-proxy.cf" -"meta-tube.de" = "Conspiracy, CoVid19 denier videos https://fediblock.org/blocklist/#meta-tube.de" -"midnightride.rs" = "Discrimination" -"misskey-forkbomb.cf" = "Spam" -"morale.ch" = "Antisemitism and more" -"mstdn.foxfam.club" = "Right wing twitter mirror" -"natehiggers.online" = "Racism" -"newjack.city" = "Exclusive to unwanted follow bots" -"nicecrew.digital" = "Discrimination, racism, “free speech zone”" -"noagendasocial.com" = "“free speech zone”, harassment" -"noagendasocial.nl" = "“free speech zone”, harassment" -"noagendatube.com" = "“free speech zone”, harassment" -"ns.auction" = "Racism etc" -"ohai.su" = "Offline" -"pawoo.net" = "Untagged nfsw content, unwanted follow bots, lolicon" -"paypig.org" = "Racism" -"pieville.net" = "Racism, antisemitism" -"pl.serialmay.link" = "Racism, transphobia" -"pl.tkammer.de" = "Transphobia" -"play.xmr.101010.pl" = "Cryptomining" -"pleroma.kitsunemimi.club" = "Discrimination" -"pleroma.narrativerry.xyz" = "Discrimination, racism, “free speech zone”" -"pleroma.nobodyhasthe.biz" = "Doxxing and discrimination" -"pleroma.rareome.ga" = "Doesn’t respect blocks or status privacy, lolicons" -"poa.st" = "Discrimination" -"podcastindex.social" = "noagenda affiliated" -"poster.place" = "Discrimination, racism, “free speech zone”, harassment in response to blocks" -"qoto.org" = "“free speech zone”, harassment" -"rapemeat.solutions" = "Lolicon and also, like, the domain name" -"rdrama.cc" = "Discrimination, “free speech zone”, racism" -"repl.co" = "Spam" -"rojogato.com" = "Harassment, “free speech zone”" -"ryona.agency" = "Alt-right trolls, harassment" -"seal.cafe" = "Discrimination, racism, “free speech zone”" -"shitpost.cloud" = "“Free speech zone”, antisemitism" -"shitposter.club" = "“Free speech zone”" -"shortstackran.ch" = "Racism, homophobia, “free speech zone”" -"shota.house" = "Lolicon" -"skippers-bin.com" = "Same admin as neckbeard.xyz, same behaviour" -"sleepy.cafe" = "Racism, harassment" -"sneak.berlin" = "privacy violation" -"sneed.social" = "Discrimination, racism, “free speech zone”, nationalism, hate speech, completely unmoderated" -"soc.ua-fediland.de" = "Spam" -"social.ancreport.com" = "Discrimination, racism, “free speech zone”" -"social.lovingexpressions.net" = "Transphobia" -"social.teci.world" = "Discrimination, racism, “free speech zone”" -"social.urspringer.de" = "Conspiracy, CoVid19 denier" -"socnet.supes.com" = "Right wing “free speech zone”" -"solagg.com" = "Scammers" -"spinster.xyz" = "Discrimination, TERFs" -"tastingtraffic.net" = "Homophobia" -"truthsocial.co.in" = "Alt-right trolls" -"tube.kenfm.de" = "Right-wing conspiracy videos" -"tube.querdenken-711.de" = "Right-wing onspiracy videos" -"tweet.pasture.moe" = "Twitter crossposter" -"tweetbridge.kogasa.de" = "Twitter crossposter" -"tweets.icu" = "Twitter crossposter" -"twitter.activitypub.actor" = "Twitter crossposter" -"twitter.doesnotexist.club" = "Twitter crossposter" -"twitterbridge.jannis.rocks" = "Twitter crossposter" -"twtr.plus" = "Twitter crossposter" -"varishangout.net" = "Transphobia and racism go unmoderated, aggressive trolling, lolicon permitted in rules" -"wiki-tube.de" = "Right-wing conspiracy videos (initial video welcomes Querdenken and KenFM)" -"wolfgirl.bar" = "Discrimination, homophobia, unmoderated trolling" -"yggdrasil.social" = "Instance rules: “No LGBTQ. Period. No homosexuality. No men who think they’re women or women who think they’re men. No made up genders.”" diff --git a/nixos/cobalt/services/akkoma-assets/logo.png b/nixos/cobalt/services/akkoma-assets/logo.png deleted file mode 100644 index 7744b1a..0000000 --- a/nixos/cobalt/services/akkoma-assets/logo.png +++ /dev/null Binary files differdiff --git a/nixos/cobalt/services/akkoma-assets/logo.svg b/nixos/cobalt/services/akkoma-assets/logo.svg deleted file mode 100644 index 68e647e..0000000 --- a/nixos/cobalt/services/akkoma-assets/logo.svg +++ /dev/null @@ -1,71 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="no"?> -<svg - xmlns:dc="http://purl.org/dc/elements/1.1/" - xmlns:cc="http://creativecommons.org/ns#" - xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" - xmlns:svg="http://www.w3.org/2000/svg" - xmlns="http://www.w3.org/2000/svg" - xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" - xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" - version="1.1" - id="svg4485" - width="512" - height="512" - viewBox="0 0 512 512" - sodipodi:docname="logo.svg" - inkscape:version="1.0.1 (3bc2e813f5, 2020-09-07)"> - <metadata - id="metadata4491"> - <rdf:RDF> - <cc:Work - rdf:about=""> - <dc:format>image/svg+xml</dc:format> - <dc:type - rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> - <dc:title /> - </cc:Work> - </rdf:RDF> - </metadata> - <defs - id="defs4489" /> - <sodipodi:namedview - pagecolor="#ffffff" - bordercolor="#666666" - borderopacity="1" - objecttolerance="10" - gridtolerance="10" - guidetolerance="10" - inkscape:pageopacity="0" - inkscape:pageshadow="2" - inkscape:window-width="1274" - inkscape:window-height="1410" - id="namedview4487" - showgrid="false" - inkscape:zoom="1.2636719" - inkscape:cx="305.99333" - inkscape:cy="304.30809" - inkscape:window-x="1280" - inkscape:window-y="22" - inkscape:window-maximized="0" - inkscape:current-layer="g4612" - inkscape:document-rotation="0" /> - <g - id="g4612"> - <g - id="g850" - transform="matrix(0.99659595,0,0,0.99659595,0.37313949,0.87143746)"> - <path - style="opacity:1;fill:#fba457;fill-opacity:1;stroke:#009bff;stroke-width:0;stroke-linecap:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:0.175879" - d="m 194.75841,124.65165 a 20.449443,20.449443 0 0 0 -20.44944,20.44945 v 242.24725 h 65.28091 v -262.6967 z" - id="path4497" /> - <path - style="fill:#fba457;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 272.6236,124.65165 V 256 h 45.61799 a 20.449443,20.449443 0 0 0 20.44944,-20.44945 v -110.8989 z" - id="path4516" /> - <path - style="opacity:1;fill:#fba457;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="m 272.6236,322.06744 v 65.28091 h 45.61799 a 20.449443,20.449443 0 0 0 20.44944,-20.44945 v -44.83146 z" - id="path4516-5" /> - </g> - </g> -</svg> diff --git a/nixos/cobalt/services/akkoma-assets/robots.txt b/nixos/cobalt/services/akkoma-assets/robots.txt deleted file mode 100644 index 1f53798..0000000 --- a/nixos/cobalt/services/akkoma-assets/robots.txt +++ /dev/null @@ -1,2 +0,0 @@ -User-agent: * -Disallow: / diff --git a/nixos/cobalt/services/akkoma.nix b/nixos/cobalt/services/akkoma.nix deleted file mode 100644 index c390e7d..0000000 --- a/nixos/cobalt/services/akkoma.nix +++ /dev/null @@ -1,57 +0,0 @@ -{ pkgs, lib, ... }: - -let - poorObfuscation = y: x: "${x}@${y}"; - federation-blocklist = lib.importTOML ./akkoma-assets/blocklist.toml; - - # ifd3f/infra - wrapFile = name: path: - (pkgs.runCommand name { inherit path; } '' - cp -r "$path" "$out" - ''); -in -{ - services.akkoma = { - enable = true; - initDb.enable = true; - - extraStatic = { - "static/logo.svg" = wrapFile "logo.svg" ./akkoma-assets/logo.svg; - "static/logo.png" = wrapFile "logo.png" ./akkoma-assets/logo.png; - }; - config = let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap; - in { - ":pleroma"."Pleroma.Web.Endpoint".url.host = "social.sefidel.com"; - ":pleroma".":media_proxy".enabled = false; - ":pleroma".":instance" = { - name = "Akkoma on sefidel"; - description = "Private akkoma instance"; - email = poorObfuscation "sefidel.com" "postmaster"; - notify_email = poorObfuscation "sefidel.com" "postmaster"; - - registrations_open = false; - invites_enabled = true; - - limit = 5000; - }; - ":pleroma".":frontend_configurations" = { - pleroma_fe = mkMap { - logo = "/static/logo.png"; - }; - }; - ":pleroma".":mrf" = { - policies = map mkRaw [ "Pleroma.Web.ActivityPub.MRF.SimplePolicy" ]; - }; - ":pleroma".":mrf_simple" = { - followers_only = mkMap federation-blocklist.followers_only; - media_nsfw = mkMap federation-blocklist.media_nsfw; - reject = mkMap federation-blocklist.reject; - }; - }; - - nginx = { - forceSSL = true; - useACMEHost = "sefidel.com"; - }; - }; -} diff --git a/nixos/cobalt/services/cgit.nix b/nixos/cobalt/services/cgit.nix deleted file mode 100644 index c0cd948..0000000 --- a/nixos/cobalt/services/cgit.nix +++ /dev/null @@ -1,105 +0,0 @@ -{ pkgs, ... }: - -{ - services.uwsgi = { - enable = true; - user = "nginx"; - group = "nginx"; - plugins = [ "cgi" ]; - - instance = { - type = "emperor"; - vassals = { - cgit = { - type = "normal"; - master = true; - socket = "/run/uwsgi/cgit.sock"; - procname-master = "uwsgi cgit"; - plugins = [ "cgi" ]; - cgi = "${pkgs.cgit-pink}/cgit/cgit.cgi"; - }; - }; - }; - }; - - users.extraUsers.nginx.extraGroups = [ "git" ]; - - services.nginx.virtualHosts."git.sefidel.com" = { - forceSSL = true; - useACMEHost = "sefidel.com"; - root = "${pkgs.cgit-pink}/cgit"; - locations = { - "/" = { - extraConfig = '' - try_files $uri @cgit; - ''; - }; - "@cgit" = { - extraConfig = '' - uwsgi_pass unix:/run/uwsgi/cgit.sock; - include ${pkgs.nginx}/conf/uwsgi_params; - uwsgi_modifier1 9; - ''; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - systemd.services.create-cgit-cache = { - description = "Create cache directory for cgit"; - enable = true; - - script = '' - mkdir -p /run/cgit - chown -R nginx:nginx /run/cgit - ''; - - wantedBy = [ "uwsgi.service" ]; - serviceConfig = { - Type = "oneshot"; - }; - }; - - environment.etc."cgitrc".text = '' - virtual-root=/ - - cache-size=1000 - cache-root=/run/cgit - - root-title=sefidel git - root-desc=Exotic place. - - snapshots=tar.gz zip - - enable-git-config=1 - remove-suffix=1 - - enable-git-clone=1 - enable-index-links=1 - enable-commit-graph=1 - enable-log-filecount=1 - enable-log-linecount=1 - - branch-sort=age - - readme=:README - readme=:readme - readme=:README.md - readme=:readme.md - readme=:README.org - readme=:readme.org - - source-filter=${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py - about-filter=${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh - - section-from-path=2 - - project-list=/var/lib/gitolite/projects.list - scan-path=/var/lib/gitolite/repositories - ''; - - imports = [ - ./nginx.nix - ]; -} diff --git a/nixos/cobalt/services/dendrite.nix b/nixos/cobalt/services/dendrite.nix deleted file mode 100644 index af1af32..0000000 --- a/nixos/cobalt/services/dendrite.nix +++ /dev/null @@ -1,157 +0,0 @@ -{ config, ... }: - -let - database = { - connection_string = "postgres:///dendrite?host=/run/postgresql"; - max_open_conns = 97; - max_idle_conns = 5; - conn_max_lifetime = -1; - }; -in -{ - # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT) - sops.secrets.matrix-server-key = { }; - - services.dendrite = { - enable = true; - settings = { - global = { - server_name = "sefidel.com"; - # `private_key` has the type `path` - # prefix a `/` to make `path` happy - private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key"; - trusted_third_party_id_servers = [ - "matrix.org" - "vector.im" - ]; - metrics.enable = true; - }; - logging = [ - { - type = "std"; - level = "warn"; - } - ]; - app_service_api = { - inherit database; - config_files = [ ]; - }; - client_api = { - registration_disabled = true; - rate_limiting.enabled = false; - # registration_shared_secret = ""; # Initially set this option to configure the admin user. - }; - media_api = { - inherit database; - dynamic_thumbnails = true; - }; - room_server = { - inherit database; - }; - push_server = { - inherit database; - }; - mscs = { - inherit database; - mscs = [ "msc2836" "msc2946" ]; - }; - sync_api = { - inherit database; - real_ip_header = "X-Real-IP"; - }; - key_server = { - inherit database; - }; - federation_api = { - inherit database; - key_perspectives = [ - { - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - } - ]; - prefer_direct_fetch = false; - }; - user_api = { - account_database = database; - device_database = database; - }; - }; - loadCredential = [ "matrix-server-key:${config.sops.secrets.matrix-server-key.path}" ]; - }; - - environment.persistence."/persist".directories = [ - "/var/lib/private/dendrite" - ]; - - services.postgresql.enable = true; - services.postgresql.ensureDatabases = [ "dendrite" ]; - services.postgresql.ensureUsers = [ - { - name = "dendrite"; - ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES"; - } - ]; - - - services.nginx.virtualHosts."matrix.sefidel.com" = { - forceSSL = true; - useACMEHost = "sefidel.com"; - listen = [ - { addr = "0.0.0.0"; port = 443; ssl = true; } - { addr = "[::]"; port = 443; ssl = true; } - { addr = "0.0.0.0"; port = 8448; ssl = true; } - { addr = "[::]"; port = 8448; ssl = true; } - - ]; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_read_timeout 600; - client_max_body_size 50M; - ''; - locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - # TODO: web client - }; - - services.nginx.virtualHosts."sefidel.com" = - let - server-hello = { "m.server" = "matrix.sefidel.com:443"; }; - client-hello = { - "m.homeserver"."base_url" = "https://matrix.sefidel.com"; - "m.identity_server"."base_url" = "https://vector.im"; - }; - in - { - forceSSL = true; - useACMEHost = "sefidel.com"; - locations = { - "/.well-known/matrix/server" = { - extraConfig = '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON server-hello}'; - ''; - }; - "/.well-known/matrix/client" = { - extraConfig = '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client-hello}'; - ''; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8448 ]; -} diff --git a/nixos/cobalt/services/fail2ban.nix b/nixos/cobalt/services/fail2ban.nix deleted file mode 100644 index 9731ef6..0000000 --- a/nixos/cobalt/services/fail2ban.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - services.fail2ban = { - enable = true; - }; -} diff --git a/nixos/cobalt/services/git-daemon.nix b/nixos/cobalt/services/git-daemon.nix deleted file mode 100644 index 21e957e..0000000 --- a/nixos/cobalt/services/git-daemon.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - services.gitDaemon = { - enable = true; - createUserAndGroup = false; - basePath = "/var/lib/gitolite/repositories"; - }; - - networking.firewall.allowedTCPPorts = [ 9418 ]; - - disabledModules = [ "services/networking/git-daemon.nix" ]; - - imports = [ - ../modules/git-daemon.nix - ]; -} diff --git a/nixos/cobalt/services/gitolite-noncore/fix-refs b/nixos/cobalt/services/gitolite-noncore/fix-refs deleted file mode 100644 index 8ffec9e..0000000 --- a/nixos/cobalt/services/gitolite-noncore/fix-refs +++ /dev/null @@ -1,9 +0,0 @@ -[[ $4 == W ]] || exit 0 - -cd $GL_REPO_BASE/$2.git - -head=`git symbolic-ref HEAD` -[[ -f $head ]] || { - set -- refs/heads/* - git symbolic-ref HEAD $1 -} diff --git a/nixos/cobalt/services/gitolite-noncore/rename b/nixos/cobalt/services/gitolite-noncore/rename deleted file mode 100644 index 00aa5ca..0000000 --- a/nixos/cobalt/services/gitolite-noncore/rename +++ /dev/null @@ -1,62 +0,0 @@ - -# Usage: ssh git@host rename [-c] <repo1> <repo2> -# -# Renames repo1 to repo2. You must be the creator of repo1, and have -# create ("C") permissions for repo2, which of course must not exist. -# Alternatively you must be an account admin, that is, you must have -# write access to the gitolite-admin repository. If you have "C" -# permissions for repo2 then you can use the -c option to take over -# as creator of the repository. - -die() { echo "$@" >&2; exit 1; } -usage() { perl -lne 'print substr($_, 2) if /^# Usage/../^$/' < $0; exit 1; } -[ -z "$1" ] && usage -[ "$1" = "-h" ] && usage -[ -z "$GL_USER" ] && die GL_USER not set - -# ---------------------------------------------------------------------- - -if [ "$1" = "-c" ] -then shift - takeover=true -else takeover=false -fi - -from="$1"; shift -to="$1"; shift -[ -z "$to" ] && usage - -topath=$GL_REPO_BASE/$to.git - -checkto() { - gitolite access -q "$to" $GL_USER ^C any || - die "'$to' already exists or you are not allowed to create it" -} - -if gitolite access -q gitolite-admin $GL_USER -then - # the user is an admin so we can avoid most permission checks - if $takeover - then checkto - elif [ -e $topath ] - then die "'$to' already exists" - fi -else - # the user isn't an admin, so do all the checks - checkto - gitolite creator "$from" $GL_USER || - die "'$from' does not exist or you are not allowed to delete it" -fi - -# ---------------------------------------------------------------------- - -mv $GL_REPO_BASE/$from.git $topath -[ $? -ne 0 ] && exit 1 - -$takeover && echo $GL_USER > $topath/gl-creator - -[ -f "$HOME/projects.list" ] && sed "s:$from.git$:$to.git:g" -i "$HOME/projects.list" - -echo "$from renamed to $to" >&2 - -exit diff --git a/nixos/cobalt/services/gitolite.nix b/nixos/cobalt/services/gitolite.nix deleted file mode 100644 index 94c7ac9..0000000 --- a/nixos/cobalt/services/gitolite.nix +++ /dev/null @@ -1,109 +0,0 @@ -{ pkgs, ... }: - -let - # https://groups.google.com/g/gitolite/c/NwZ1-hq9-9E/m/mDbiKyAvDwAJ - fixRefsTrigger = pkgs.writeText "fix-refs" '' - [[ $4 == W ]] || exit 0 - - cd $GL_REPO_BASE/$2.git - - head=`git symbolic-ref HEAD` - [[ -f $head ]] || { - set -- refs/heads/* - git symbolic-ref HEAD $1 - } - ''; -in -{ - services.gitolite = { - enable = true; - user = "git"; - group = "git"; - adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F"; - extraGitoliteRc = '' - $RC{UMASK} = 0027; - $RC{GIT_CONFIG_KEYS} = '.*'; - $RC{ROLES}{OWNERS} = 1; - $RC{OWNER_ROLENAME} = 'OWNERS'; - # For some unknown reason, $ENV{HOME} doesn't get resolved to the correct - # directory. - # $RC{LOCAL_CODE} = '$ENV{HOME}/local'; - $RC{LOCAL_CODE} = '/var/lib/gitolite/local'; - push(@{$RC{ENABLE}}, 'D'); - push(@{$RC{ENABLE}}, 'symbolic-ref'); - push(@{$RC{ENABLE}}, 'rename'); - push(@{$RC{POST_GIT}}, 'fix-refs'); - # push(@{$RC{ENABLE}}, 'set-default-roles'); - # push(@{$RC{ENABLE}}, 'create'); - # push(@{$RC{ENABLE}}, 'fork'); - - ''; - }; - - environment.persistence."/persist".directories = [ - "/var/lib/gitolite" - ]; - - system.activationScripts.gitolite-create-local = '' - mkdir -p /var/lib/gitolite/local/triggers - mkdir -p /var/lib/gitolite/local/commands - chown -R git:git /var/lib/gitolite/local - ''; - - systemd.tmpfiles.rules = [ - "C /var/lib/gitolite/local/triggers/fix-refs 755 - - - ${./gitolite-noncore/fix-refs}" - "C /var/lib/gitolite/local/commands/rename 755 - - - ${./gitolite-noncore/rename}" - ]; - - - systemd.timers."gitolite-trash-cleanup" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*-*-* 00:00:00"; - Unit = "gitolite-trash-cleanup.service"; - }; - }; - - systemd.services."gitolite-trash-cleanup" = { - script = '' - set -euo pipefail - if [ ! -d "Trash" ] ; then - echo Trash directory is nonexistent! - echo No operations to perform. Exiting. - exit 0 - fi - - match=$(find Trash -type d -regextype posix-extended -regex ".*/[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}:[0-9]{2}$") - processed_entry=0 - removed_entry=0 - - for dir in $match - do - system_timestamp=$(date +%s) - trash_timestamp=$(basename $dir | sed -e "s/_/ /g" | date -f - +%s) - age=$(( $system_timestamp - $trash_timestamp )) - # Wipe trashes older than 2w - if [[ age -gt 1209600 ]] ; then - echo "Removing '$dir' (age $age)" - rm -rf $dir - ((removed_entry+=1)) - fi - ((processed_entry+=1)) - done - - echo "Directories that needs cleanup:" - find Trash -type d -empty -print -delete - echo "Cleaned empty directories." - - echo "Done! Removed $removed_entry/$processed_entry" - ''; - - path = with pkgs; [ bash util-linux coreutils ]; - - serviceConfig = { - Type = "oneshot"; - User = "git"; - WorkingDirectory = "/var/lib/gitolite/repositories"; - }; - }; -} diff --git a/nixos/cobalt/services/nginx.nix b/nixos/cobalt/services/nginx.nix deleted file mode 100644 index cb5ced3..0000000 --- a/nixos/cobalt/services/nginx.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - services.nginx = { - enable = true; - - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - }; - - users.extraUsers.nginx.extraGroups = [ "acme" ]; - - imports = [ - ./acme.nix - ]; -} diff --git a/nixos/cobalt/services/soju.nix b/nixos/cobalt/services/soju.nix deleted file mode 100644 index bab8a5b..0000000 --- a/nixos/cobalt/services/soju.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, ... }: - -{ - services.soju = { - enable = true; - extraGroups = [ "acme" ]; - hostName = "cobalt.sefidel.com"; - listen = [ - ":6697" - ]; - tlsCertificate = "${config.security.acme.certs."sefidel.com".directory}/cert.pem"; - tlsCertificateKey = "${config.security.acme.certs."sefidel.com".directory}/key.pem"; - }; - - networking.firewall.allowedTCPPorts = [ 6697 ]; - - environment.persistence."/persist".directories = [ - "/var/lib/private/soju" - ]; - - # TODO: remove this once merged - disabledModules = [ "services/networking/soju.nix" ]; - - imports = [ - ./acme.nix - ../modules/soju.nix - ]; -} |