diff options
Diffstat (limited to 'nixos/cobalt/services')
-rw-r--r-- | nixos/cobalt/services/README.md | 5 | ||||
-rw-r--r-- | nixos/cobalt/services/acme.nix | 26 | ||||
-rw-r--r-- | nixos/cobalt/services/cgit.nix | 105 | ||||
-rw-r--r-- | nixos/cobalt/services/fail2ban.nix | 5 | ||||
-rw-r--r-- | nixos/cobalt/services/git-daemon.nix | 15 | ||||
-rw-r--r-- | nixos/cobalt/services/gitolite-noncore/fix-refs | 9 | ||||
-rw-r--r-- | nixos/cobalt/services/gitolite-noncore/rename | 62 | ||||
-rw-r--r-- | nixos/cobalt/services/gitolite.nix | 109 | ||||
-rw-r--r-- | nixos/cobalt/services/nginx.nix | 15 | ||||
-rw-r--r-- | nixos/cobalt/services/soju.nix | 26 |
10 files changed, 377 insertions, 0 deletions
diff --git a/nixos/cobalt/services/README.md b/nixos/cobalt/services/README.md new file mode 100644 index 0000000..89d9ca5 --- /dev/null +++ b/nixos/cobalt/services/README.md @@ -0,0 +1,5 @@ +# colmena/cobalt/services + +A list of 'pluggable' services. +TODO: this should be moved to /modules/ and +converted to modules. diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix new file mode 100644 index 0000000..b41ae1c --- /dev/null +++ b/nixos/cobalt/services/acme.nix @@ -0,0 +1,26 @@ +let + poorObfuscation = y: x: "${x}@${y}"; +in +{ + security.acme = { + acceptTerms = true; + defaults.email = poorObfuscation "sefidel.com" "postmaster"; + certs = { + "sefidel.com" = { + domain = "*.sefidel.com"; + dnsProvider = "hetzner"; + dnsPropagationCheck = true; + credentialsFile = "/persist/secrets/hetzner.key"; + }; + }; + }; + + environment.persistence."/persist".directories = [ + "/var/lib/acme" + ]; + + deployment.keys."hetzner.key" = { + keyCommand = [ "pass" "show" "server/hetzner-dns" ]; + destDir = "/persist/secrets"; + }; +} diff --git a/nixos/cobalt/services/cgit.nix b/nixos/cobalt/services/cgit.nix new file mode 100644 index 0000000..4e030c8 --- /dev/null +++ b/nixos/cobalt/services/cgit.nix @@ -0,0 +1,105 @@ +{ pkgs, ... }: + +{ + services.uwsgi = { + enable = true; + user = "nginx"; + group = "nginx"; + plugins = [ "cgi" ]; + + instance = { + type = "emperor"; + vassals = { + cgit = { + type = "normal"; + master = true; + socket = "/run/uwsgi/cgit.sock"; + procname-master = "uwsgi cgit"; + plugins = [ "cgi" ]; + cgi = "${pkgs.cgit-pink}/cgit/cgit.cgi"; + }; + }; + }; + }; + + users.extraUsers.nginx.extraGroups = [ "git" ]; + + services.nginx.virtualHosts."git.sefidel.com" = { + addSSL = true; + useACMEHost = "sefidel.com"; + root = "${pkgs.cgit-pink}/cgit"; + locations = { + "/" = { + extraConfig = '' + try_files $uri @cgit; + ''; + }; + "@cgit" = { + extraConfig = '' + uwsgi_pass unix:/run/uwsgi/cgit.sock; + include ${pkgs.nginx}/conf/uwsgi_params; + uwsgi_modifier1 9; + ''; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + systemd.services.create-cgit-cache = { + description = "Create cache directory for cgit"; + enable = true; + + script = '' + mkdir -p /run/cgit + chown -R nginx:nginx /run/cgit + ''; + + wantedBy = [ "uwsgi.service" ]; + serviceConfig = { + Type = "oneshot"; + }; + }; + + environment.etc."cgitrc".text = '' + virtual-root=/ + + cache-size=1000 + cache-root=/run/cgit + + root-title=sefidel git + root-desc=Exotic place. + + snapshots=tar.gz zip + + enable-git-config=1 + remove-suffix=1 + + enable-git-clone=1 + enable-index-links=1 + enable-commit-graph=1 + enable-log-filecount=1 + enable-log-linecount=1 + + branch-sort=age + + readme=:README + readme=:readme + readme=:README.md + readme=:readme.md + readme=:README.org + readme=:readme.org + + source-filter=${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py + about-filter=${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh + + section-from-path=2 + + project-list=/var/lib/gitolite/projects.list + scan-path=/var/lib/gitolite/repositories + ''; + + imports = [ + ./nginx.nix + ]; +} diff --git a/nixos/cobalt/services/fail2ban.nix b/nixos/cobalt/services/fail2ban.nix new file mode 100644 index 0000000..9731ef6 --- /dev/null +++ b/nixos/cobalt/services/fail2ban.nix @@ -0,0 +1,5 @@ +{ + services.fail2ban = { + enable = true; + }; +} diff --git a/nixos/cobalt/services/git-daemon.nix b/nixos/cobalt/services/git-daemon.nix new file mode 100644 index 0000000..21e957e --- /dev/null +++ b/nixos/cobalt/services/git-daemon.nix @@ -0,0 +1,15 @@ +{ + services.gitDaemon = { + enable = true; + createUserAndGroup = false; + basePath = "/var/lib/gitolite/repositories"; + }; + + networking.firewall.allowedTCPPorts = [ 9418 ]; + + disabledModules = [ "services/networking/git-daemon.nix" ]; + + imports = [ + ../modules/git-daemon.nix + ]; +} diff --git a/nixos/cobalt/services/gitolite-noncore/fix-refs b/nixos/cobalt/services/gitolite-noncore/fix-refs new file mode 100644 index 0000000..8ffec9e --- /dev/null +++ b/nixos/cobalt/services/gitolite-noncore/fix-refs @@ -0,0 +1,9 @@ +[[ $4 == W ]] || exit 0 + +cd $GL_REPO_BASE/$2.git + +head=`git symbolic-ref HEAD` +[[ -f $head ]] || { + set -- refs/heads/* + git symbolic-ref HEAD $1 +} diff --git a/nixos/cobalt/services/gitolite-noncore/rename b/nixos/cobalt/services/gitolite-noncore/rename new file mode 100644 index 0000000..00aa5ca --- /dev/null +++ b/nixos/cobalt/services/gitolite-noncore/rename @@ -0,0 +1,62 @@ + +# Usage: ssh git@host rename [-c] <repo1> <repo2> +# +# Renames repo1 to repo2. You must be the creator of repo1, and have +# create ("C") permissions for repo2, which of course must not exist. +# Alternatively you must be an account admin, that is, you must have +# write access to the gitolite-admin repository. If you have "C" +# permissions for repo2 then you can use the -c option to take over +# as creator of the repository. + +die() { echo "$@" >&2; exit 1; } +usage() { perl -lne 'print substr($_, 2) if /^# Usage/../^$/' < $0; exit 1; } +[ -z "$1" ] && usage +[ "$1" = "-h" ] && usage +[ -z "$GL_USER" ] && die GL_USER not set + +# ---------------------------------------------------------------------- + +if [ "$1" = "-c" ] +then shift + takeover=true +else takeover=false +fi + +from="$1"; shift +to="$1"; shift +[ -z "$to" ] && usage + +topath=$GL_REPO_BASE/$to.git + +checkto() { + gitolite access -q "$to" $GL_USER ^C any || + die "'$to' already exists or you are not allowed to create it" +} + +if gitolite access -q gitolite-admin $GL_USER +then + # the user is an admin so we can avoid most permission checks + if $takeover + then checkto + elif [ -e $topath ] + then die "'$to' already exists" + fi +else + # the user isn't an admin, so do all the checks + checkto + gitolite creator "$from" $GL_USER || + die "'$from' does not exist or you are not allowed to delete it" +fi + +# ---------------------------------------------------------------------- + +mv $GL_REPO_BASE/$from.git $topath +[ $? -ne 0 ] && exit 1 + +$takeover && echo $GL_USER > $topath/gl-creator + +[ -f "$HOME/projects.list" ] && sed "s:$from.git$:$to.git:g" -i "$HOME/projects.list" + +echo "$from renamed to $to" >&2 + +exit diff --git a/nixos/cobalt/services/gitolite.nix b/nixos/cobalt/services/gitolite.nix new file mode 100644 index 0000000..94c7ac9 --- /dev/null +++ b/nixos/cobalt/services/gitolite.nix @@ -0,0 +1,109 @@ +{ pkgs, ... }: + +let + # https://groups.google.com/g/gitolite/c/NwZ1-hq9-9E/m/mDbiKyAvDwAJ + fixRefsTrigger = pkgs.writeText "fix-refs" '' + [[ $4 == W ]] || exit 0 + + cd $GL_REPO_BASE/$2.git + + head=`git symbolic-ref HEAD` + [[ -f $head ]] || { + set -- refs/heads/* + git symbolic-ref HEAD $1 + } + ''; +in +{ + services.gitolite = { + enable = true; + user = "git"; + group = "git"; + adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F"; + extraGitoliteRc = '' + $RC{UMASK} = 0027; + $RC{GIT_CONFIG_KEYS} = '.*'; + $RC{ROLES}{OWNERS} = 1; + $RC{OWNER_ROLENAME} = 'OWNERS'; + # For some unknown reason, $ENV{HOME} doesn't get resolved to the correct + # directory. + # $RC{LOCAL_CODE} = '$ENV{HOME}/local'; + $RC{LOCAL_CODE} = '/var/lib/gitolite/local'; + push(@{$RC{ENABLE}}, 'D'); + push(@{$RC{ENABLE}}, 'symbolic-ref'); + push(@{$RC{ENABLE}}, 'rename'); + push(@{$RC{POST_GIT}}, 'fix-refs'); + # push(@{$RC{ENABLE}}, 'set-default-roles'); + # push(@{$RC{ENABLE}}, 'create'); + # push(@{$RC{ENABLE}}, 'fork'); + + ''; + }; + + environment.persistence."/persist".directories = [ + "/var/lib/gitolite" + ]; + + system.activationScripts.gitolite-create-local = '' + mkdir -p /var/lib/gitolite/local/triggers + mkdir -p /var/lib/gitolite/local/commands + chown -R git:git /var/lib/gitolite/local + ''; + + systemd.tmpfiles.rules = [ + "C /var/lib/gitolite/local/triggers/fix-refs 755 - - - ${./gitolite-noncore/fix-refs}" + "C /var/lib/gitolite/local/commands/rename 755 - - - ${./gitolite-noncore/rename}" + ]; + + + systemd.timers."gitolite-trash-cleanup" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "*-*-* 00:00:00"; + Unit = "gitolite-trash-cleanup.service"; + }; + }; + + systemd.services."gitolite-trash-cleanup" = { + script = '' + set -euo pipefail + if [ ! -d "Trash" ] ; then + echo Trash directory is nonexistent! + echo No operations to perform. Exiting. + exit 0 + fi + + match=$(find Trash -type d -regextype posix-extended -regex ".*/[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}:[0-9]{2}$") + processed_entry=0 + removed_entry=0 + + for dir in $match + do + system_timestamp=$(date +%s) + trash_timestamp=$(basename $dir | sed -e "s/_/ /g" | date -f - +%s) + age=$(( $system_timestamp - $trash_timestamp )) + # Wipe trashes older than 2w + if [[ age -gt 1209600 ]] ; then + echo "Removing '$dir' (age $age)" + rm -rf $dir + ((removed_entry+=1)) + fi + ((processed_entry+=1)) + done + + echo "Directories that needs cleanup:" + find Trash -type d -empty -print -delete + echo "Cleaned empty directories." + + echo "Done! Removed $removed_entry/$processed_entry" + ''; + + path = with pkgs; [ bash util-linux coreutils ]; + + serviceConfig = { + Type = "oneshot"; + User = "git"; + WorkingDirectory = "/var/lib/gitolite/repositories"; + }; + }; +} diff --git a/nixos/cobalt/services/nginx.nix b/nixos/cobalt/services/nginx.nix new file mode 100644 index 0000000..cb5ced3 --- /dev/null +++ b/nixos/cobalt/services/nginx.nix @@ -0,0 +1,15 @@ +{ + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + }; + + users.extraUsers.nginx.extraGroups = [ "acme" ]; + + imports = [ + ./acme.nix + ]; +} diff --git a/nixos/cobalt/services/soju.nix b/nixos/cobalt/services/soju.nix new file mode 100644 index 0000000..c150879 --- /dev/null +++ b/nixos/cobalt/services/soju.nix @@ -0,0 +1,26 @@ +{ + services.soju = { + enable = true; + extraGroups = [ "acme" ]; + hostName = "cobalt.sefidel.com"; + listen = [ + ":6697" + ]; + tlsCertificate = "/var/lib/acme/sefidel.com/cert.pem"; + tlsCertificateKey = "/var/lib/acme/sefidel.com/key.pem"; + }; + + networking.firewall.allowedTCPPorts = [ 6697 ]; + + environment.persistence."/persist".directories = [ + "/var/lib/private/soju" + ]; + + # TODO: remove this once merged + disabledModules = [ "services/networking/soju.nix" ]; + + imports = [ + ./acme.nix + ../modules/soju.nix + ]; +} |