10 files changed, 377 insertions, 0 deletions
diff --git a/nixos/cobalt/services/README.md b/nixos/cobalt/services/README.md
new file mode 100644
index 0000000..89d9ca5
--- /dev/null
+++ b/nixos/cobalt/services/README.md
@@ -0,0 +1,5 @@
+# colmena/cobalt/services
+
+A list of 'pluggable' services.
+TODO: this should be moved to /modules/ and
+converted to modules.
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
new file mode 100644
index 0000000..b41ae1c
--- /dev/null
+++ b/nixos/cobalt/services/acme.nix
@@ -0,0 +1,26 @@
+let
+  poorObfuscation = y: x: "${x}@${y}";
+in
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = poorObfuscation "sefidel.com" "postmaster";
+    certs = {
+      "sefidel.com" = {
+        domain = "*.sefidel.com";
+        dnsProvider = "hetzner";
+        dnsPropagationCheck = true;
+        credentialsFile = "/persist/secrets/hetzner.key";
+      };
+    };
+  };
+
+  environment.persistence."/persist".directories = [
+    "/var/lib/acme"
+  ];
+
+  deployment.keys."hetzner.key" = {
+    keyCommand = [ "pass" "show" "server/hetzner-dns" ];
+    destDir = "/persist/secrets";
+  };
+}
diff --git a/nixos/cobalt/services/cgit.nix b/nixos/cobalt/services/cgit.nix
new file mode 100644
index 0000000..4e030c8
--- /dev/null
+++ b/nixos/cobalt/services/cgit.nix
@@ -0,0 +1,105 @@
+{ pkgs, ... }:
+
+{
+  services.uwsgi = {
+    enable = true;
+    user = "nginx";
+    group = "nginx";
+    plugins = [ "cgi" ];
+
+    instance = {
+      type = "emperor";
+      vassals = {
+        cgit = {
+          type = "normal";
+          master = true;
+          socket = "/run/uwsgi/cgit.sock";
+          procname-master = "uwsgi cgit";
+          plugins = [ "cgi" ];
+          cgi = "${pkgs.cgit-pink}/cgit/cgit.cgi";
+        };
+      };
+    };
+  };
+
+  users.extraUsers.nginx.extraGroups = [ "git" ];
+
+  services.nginx.virtualHosts."git.sefidel.com" = {
+    addSSL = true;
+    useACMEHost = "sefidel.com";
+    root = "${pkgs.cgit-pink}/cgit";
+    locations = {
+      "/" = {
+        extraConfig = ''
+          try_files $uri @cgit;
+        '';
+      };
+      "@cgit" = {
+        extraConfig = ''
+          uwsgi_pass unix:/run/uwsgi/cgit.sock;
+          include ${pkgs.nginx}/conf/uwsgi_params;
+          uwsgi_modifier1 9;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  systemd.services.create-cgit-cache = {
+    description = "Create cache directory for cgit";
+    enable = true;
+
+    script = ''
+      mkdir -p /run/cgit
+      chown -R nginx:nginx /run/cgit
+    '';
+
+    wantedBy = [ "uwsgi.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+    };
+  };
+
+  environment.etc."cgitrc".text = ''
+    virtual-root=/
+
+    cache-size=1000
+    cache-root=/run/cgit
+
+    root-title=sefidel git
+    root-desc=Exotic place.
+
+    snapshots=tar.gz zip
+
+    enable-git-config=1
+    remove-suffix=1
+
+    enable-git-clone=1
+    enable-index-links=1
+    enable-commit-graph=1
+    enable-log-filecount=1
+    enable-log-linecount=1
+
+    branch-sort=age
+
+    readme=:README
+    readme=:readme
+    readme=:README.md
+    readme=:readme.md
+    readme=:README.org
+    readme=:readme.org
+
+    source-filter=${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py
+    about-filter=${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh
+
+    section-from-path=2
+
+    project-list=/var/lib/gitolite/projects.list
+    scan-path=/var/lib/gitolite/repositories
+  '';
+
+  imports = [
+    ./nginx.nix
+  ];
+}
diff --git a/nixos/cobalt/services/fail2ban.nix b/nixos/cobalt/services/fail2ban.nix
new file mode 100644
index 0000000..9731ef6
--- /dev/null
+++ b/nixos/cobalt/services/fail2ban.nix
@@ -0,0 +1,5 @@
+{
+  services.fail2ban = {
+    enable = true;
+  };
+}
diff --git a/nixos/cobalt/services/git-daemon.nix b/nixos/cobalt/services/git-daemon.nix
new file mode 100644
index 0000000..21e957e
--- /dev/null
+++ b/nixos/cobalt/services/git-daemon.nix
@@ -0,0 +1,15 @@
+{
+  services.gitDaemon = {
+    enable = true;
+    createUserAndGroup = false;
+    basePath = "/var/lib/gitolite/repositories";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9418 ];
+
+  disabledModules = [ "services/networking/git-daemon.nix" ];
+
+  imports = [
+    ../modules/git-daemon.nix
+  ];
+}
diff --git a/nixos/cobalt/services/gitolite-noncore/fix-refs b/nixos/cobalt/services/gitolite-noncore/fix-refs
new file mode 100644
index 0000000..8ffec9e
--- /dev/null
+++ b/nixos/cobalt/services/gitolite-noncore/fix-refs
@@ -0,0 +1,9 @@
+[[ $4 == W ]] || exit 0
+
+cd $GL_REPO_BASE/$2.git
+
+head=`git symbolic-ref HEAD`
+[[ -f $head ]] || {
+  set -- refs/heads/*
+  git symbolic-ref HEAD $1
+}
diff --git a/nixos/cobalt/services/gitolite-noncore/rename b/nixos/cobalt/services/gitolite-noncore/rename
new file mode 100644
index 0000000..00aa5ca
--- /dev/null
+++ b/nixos/cobalt/services/gitolite-noncore/rename
@@ -0,0 +1,62 @@
+
+# Usage:    ssh git@host rename [-c] <repo1> <repo2>
+#
+# Renames repo1 to repo2. You must be the creator of repo1, and have
+# create ("C") permissions for repo2, which of course must not exist.
+# Alternatively you must be an account admin, that is, you must have
+# write access to the gitolite-admin repository. If you have "C"
+# permissions for repo2 then you can use the -c option to take over
+# as creator of the repository.
+
+die() { echo "$@" >&2; exit 1; }
+usage() { perl -lne 'print substr($_, 2) if /^# Usage/../^$/' < $0; exit 1; }
+[ -z "$1" ] && usage
+[ "$1" = "-h" ] && usage
+[ -z "$GL_USER" ] && die GL_USER not set
+
+# ----------------------------------------------------------------------
+
+if [ "$1" = "-c" ]
+then	shift
+	takeover=true
+else	takeover=false
+fi
+
+from="$1"; shift
+to="$1"; shift
+[ -z "$to" ] && usage
+
+topath=$GL_REPO_BASE/$to.git
+
+checkto() {
+	gitolite access -q "$to" $GL_USER ^C any ||
+		die "'$to' already exists or you are not allowed to create it"
+}
+
+if gitolite access -q gitolite-admin $GL_USER
+then
+	# the user is an admin so we can avoid most permission checks
+	if $takeover
+	then checkto
+	elif [ -e $topath ]
+	then die "'$to' already exists"
+	fi
+else
+	# the user isn't an admin, so do all the checks
+	checkto
+	gitolite creator "$from" $GL_USER ||
+		die "'$from' does not exist or you are not allowed to delete it"
+fi
+
+# ----------------------------------------------------------------------
+
+mv $GL_REPO_BASE/$from.git $topath
+[ $? -ne 0 ] && exit 1
+
+$takeover && echo $GL_USER > $topath/gl-creator
+
+[ -f "$HOME/projects.list" ] && sed "s:$from.git$:$to.git:g" -i "$HOME/projects.list"
+
+echo "$from renamed to $to" >&2
+
+exit
diff --git a/nixos/cobalt/services/gitolite.nix b/nixos/cobalt/services/gitolite.nix
new file mode 100644
index 0000000..94c7ac9
--- /dev/null
+++ b/nixos/cobalt/services/gitolite.nix
@@ -0,0 +1,109 @@
+{ pkgs, ... }:
+
+let
+  # https://groups.google.com/g/gitolite/c/NwZ1-hq9-9E/m/mDbiKyAvDwAJ
+  fixRefsTrigger = pkgs.writeText "fix-refs" ''
+    [[ $4 == W ]] || exit 0
+
+    cd $GL_REPO_BASE/$2.git
+
+    head=`git symbolic-ref HEAD`
+    [[ -f $head ]] || {
+      set -- refs/heads/*
+      git symbolic-ref HEAD $1
+    }
+  '';
+in
+{
+  services.gitolite = {
+    enable = true;
+    user = "git";
+    group = "git";
+    adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F";
+    extraGitoliteRc = ''
+      $RC{UMASK} = 0027;
+      $RC{GIT_CONFIG_KEYS} = '.*';
+      $RC{ROLES}{OWNERS} = 1;
+      $RC{OWNER_ROLENAME} = 'OWNERS';
+      # For some unknown reason, $ENV{HOME} doesn't get resolved to the correct
+      # directory.
+      # $RC{LOCAL_CODE} = '$ENV{HOME}/local';
+      $RC{LOCAL_CODE} = '/var/lib/gitolite/local';
+      push(@{$RC{ENABLE}}, 'D');
+      push(@{$RC{ENABLE}}, 'symbolic-ref');
+      push(@{$RC{ENABLE}}, 'rename');
+      push(@{$RC{POST_GIT}}, 'fix-refs');
+      # push(@{$RC{ENABLE}}, 'set-default-roles');
+      # push(@{$RC{ENABLE}}, 'create');
+      # push(@{$RC{ENABLE}}, 'fork');
+
+    '';
+  };
+
+  environment.persistence."/persist".directories = [
+    "/var/lib/gitolite"
+  ];
+
+  system.activationScripts.gitolite-create-local = ''
+    mkdir -p /var/lib/gitolite/local/triggers
+    mkdir -p /var/lib/gitolite/local/commands
+    chown -R git:git /var/lib/gitolite/local
+  '';
+
+  systemd.tmpfiles.rules = [
+    "C /var/lib/gitolite/local/triggers/fix-refs 755 - - - ${./gitolite-noncore/fix-refs}"
+    "C /var/lib/gitolite/local/commands/rename 755 - - - ${./gitolite-noncore/rename}"
+  ];
+
+
+  systemd.timers."gitolite-trash-cleanup" = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "*-*-* 00:00:00";
+      Unit = "gitolite-trash-cleanup.service";
+    };
+  };
+
+  systemd.services."gitolite-trash-cleanup" = {
+    script = ''
+      set -euo pipefail
+      if [ ! -d "Trash" ] ; then
+        echo Trash directory is nonexistent!
+        echo No operations to perform. Exiting.
+        exit 0
+      fi
+
+      match=$(find Trash -type d -regextype posix-extended -regex ".*/[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}:[0-9]{2}$")
+      processed_entry=0
+      removed_entry=0
+
+      for dir in $match
+      do
+        system_timestamp=$(date +%s)
+        trash_timestamp=$(basename $dir | sed -e "s/_/ /g" | date -f - +%s)
+        age=$(( $system_timestamp - $trash_timestamp ))
+        # Wipe trashes older than 2w
+        if [[ age -gt 1209600 ]] ; then
+          echo "Removing '$dir' (age $age)"
+          rm -rf $dir
+          ((removed_entry+=1))
+        fi
+        ((processed_entry+=1))
+      done
+
+      echo "Directories that needs cleanup:"
+      find Trash -type d -empty -print -delete
+      echo "Cleaned empty directories."
+
+      echo "Done! Removed $removed_entry/$processed_entry"
+    '';
+
+    path = with pkgs; [ bash util-linux coreutils ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "git";
+      WorkingDirectory = "/var/lib/gitolite/repositories";
+    };
+  };
+}
diff --git a/nixos/cobalt/services/nginx.nix b/nixos/cobalt/services/nginx.nix
new file mode 100644
index 0000000..cb5ced3
--- /dev/null
+++ b/nixos/cobalt/services/nginx.nix
@@ -0,0 +1,15 @@
+{
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+  };
+
+  users.extraUsers.nginx.extraGroups = [ "acme" ];
+
+  imports = [
+    ./acme.nix
+  ];
+}
diff --git a/nixos/cobalt/services/soju.nix b/nixos/cobalt/services/soju.nix
new file mode 100644
index 0000000..c150879
--- /dev/null
+++ b/nixos/cobalt/services/soju.nix
@@ -0,0 +1,26 @@
+{
+  services.soju = {
+    enable = true;
+    extraGroups = [ "acme" ];
+    hostName = "cobalt.sefidel.com";
+    listen = [
+      ":6697"
+    ];
+    tlsCertificate = "/var/lib/acme/sefidel.com/cert.pem";
+    tlsCertificateKey = "/var/lib/acme/sefidel.com/key.pem";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 6697 ];
+
+  environment.persistence."/persist".directories = [
+    "/var/lib/private/soju"
+  ];
+
+  # TODO: remove this once merged
+  disabledModules = [ "services/networking/soju.nix" ];
+
+  imports = [
+    ./acme.nix
+    ../modules/soju.nix
+  ];
+}