authorVincent Ambo <mail@tazj.in>2021-12-13T22·51+0300
committerVincent Ambo <mail@tazj.in>2021-12-13T23·15+0300
commit019f8fd2113df4c5247c3969c60fd4f0e08f91f7 (patch)
tree76a857f61aa88f62a30e854651e8439db77fd0ea /users/wpcarro/nixos/socrates
parent464bbcb15c09813172c79820bcf526bb10cf4208 (diff)
parent6123e976928ca3d8d93f0b2006b10b5f659eb74d (diff)
subtree(users/wpcarro): docking briefcase at '24f5a642' r/3226
git-subtree-dir: users/wpcarro
git-subtree-mainline: 464bbcb15c09813172c79820bcf526bb10cf4208
git-subtree-split: 24f5a642af3aa1627bbff977f0a101907a02c69f
Change-Id: I6105b3762b79126b3488359c95978cadb3efa789
Diffstat (limited to 'users/wpcarro/nixos/socrates')
-rw-r--r--users/wpcarro/nixos/socrates/default.nix218
-rw-r--r--users/wpcarro/nixos/socrates/hardware.nix30
2 files changed, 248 insertions, 0 deletions
diff --git a/users/wpcarro/nixos/socrates/default.nix b/users/wpcarro/nixos/socrates/default.nix
new file mode 100644
index 000000000000..8b762a56de5f
--- /dev/null
+++ b/users/wpcarro/nixos/socrates/default.nix
@@ -0,0 +1,218 @@
+let
+  briefcase = import <briefcase> {};
+  pkgs = briefcase.third_party.pkgs;
+in {
+  imports = [ ./hardware.nix ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking = {
+    hostName = "socrates";
+    # The global useDHCP flag is deprecated, therefore explicitly set to false
+    # here.  Per-interface useDHCP will be mandatory in the future, so this
+    # generated config replicates the default behaviour.
+    useDHCP = false;
+    networkmanager.enable = true;
+    interfaces.enp2s0f1.useDHCP = true;
+    interfaces.wlp3s0.useDHCP = true;
+    firewall.allowedTCPPorts = [ 9418 80 443 6697 ];
+  };
+
+  time.timeZone = "UTC";
+
+  programs.fish.enable = true;
+  programs.mosh.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    curl
+    direnv
+    emacs26-nox
+    gnupg
+    htop
+    pass
+    vim
+    certbot
+    tree
+    git
+  ];
+
+  users = {
+    # I need a git group to run the git server.
+    groups.git = {};
+
+    users.wpcarro = {
+      isNormalUser = true;
+      extraGroups = [ "git" "wheel" ];
+      shell = pkgs.fish;
+    };
+
+    users.git = {
+      group = "git";
+      isNormalUser = false;
+    };
+  };
+
+  nix = {
+    nixPath = [];
+    trustedUsers = [ "root" "wpcarro" ];
+  };
+
+  ##############################################################################
+  # Services
+  ##############################################################################
+
+  systemd.services.bitlbee-stunnel = {
+    description = "Provides TLS termination for Bitlbee.";
+    wantedBy = [ "multi-user.target" ];
+    unitConfig = {
+      Restart = "always";
+      User = "nginx"; # This is a hack to easily get certificate access.
+    };
+    script = let configFile = builtins.toFile "stunnel.conf" ''
+      foreground = yes
+      debug = 7
+
+      [ircs]
+      accept = 0.0.0.0:6697
+      connect = 6667
+      cert = /var/lib/acme/wpcarro.dev/full.pem
+    ''; in "${pkgs.stunnel}/bin/stunnel ${configFile}";
+  };
+
+  nixpkgs.config.bitlbee.enableLibPurple = true;
+  services.bitlbee = {
+    interface = "0.0.0.0";
+    enable = true;
+    libpurple_plugins = [
+      pkgs.telegram-purple
+    ];
+  };
+
+  services.journaldriver = {
+    enable = true;
+    logStream = "home";
+    googleCloudProject = "wpcarros-infrastructure";
+    applicationCredentials = "/etc/gcp/key.json";
+  };
+
+  services.openssh.enable = true;
+
+  services.gitea = {
+    enable = true;
+    # Without this the links to clone a repository like briefcase will be
+    # "http://localhost:3000/wpcarro/briefcase".
+    rootUrl = "https://git.wpcarro.dev/";
+  };
+
+  services.buildkite-agents = {
+    socrates = {
+      enable = true;
+      tokenPath = "/etc/secrets/buildkite-agent-token";
+      privateSshKeyPath = "/etc/ssh/buildkite_agent_id_rsa";
+    };
+  };
+
+  systemd.services.zoo = {
+    enable = true;
+    description = "Run my monoserver";
+    script = "${briefcase.zoo}/zoo";
+    environment = {};
+    serviceConfig = {
+      Restart = "always";
+    };
+  };
+
+  services.gitDaemon = {
+    enable = true;
+    basePath = "/srv/git";
+    exportAll = true;
+    repositories = [ "/srv/git/briefcase" ];
+  };
+
+  # Since I'm using this laptop as a server in my flat, I'd prefer to close its
+  # lid.
+  services.logind.lidSwitch = "ignore";
+
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      polkit.log("subject.user: " + subject.user + " is attempting action.id: " + action.id);
+    });
+  '';
+
+  # Provision SSL certificates to support HTTPS connections.
+  security.acme.acceptTerms = true;
+  security.acme.email = "wpcarro@gmail.com";
+
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    commonHttpConfig = ''
+      log_format json_combined escape=json
+      '{'
+          '"remote_addr":"$remote_addr",'
+          '"method":"$request_method",'
+          '"host":"$host",'
+          '"uri":"$request_uri",'
+          '"status":$status,'
+          '"request_size":$request_length,'
+          '"response_size":$body_bytes_sent,'
+          '"response_time":$request_time,'
+          '"referrer":"$http_referer",'
+          '"user_agent":"$http_user_agent"'
+      '}';
+
+      access_log syslog:server=unix:/dev/log,nohostname json_combined;
+    '';
+
+    virtualHosts = {
+      "wpcarro.dev" = {
+        addSSL = true;
+        enableACME = true;
+        root = briefcase.website;
+      };
+      "learn.wpcarro.dev" = {
+        addSSL = true;
+        enableACME = true;
+        root = briefcase.website.learn;
+      };
+      "git.wpcarro.dev" = {
+        addSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:3000";
+        };
+      };
+      "blog.wpcarro.dev" = {
+        addSSL = true;
+        enableACME = true;
+        root = briefcase.website.blog;
+      };
+      # "sandbox.wpcarro.dev" = {
+      #   addSSL = true;
+      #   enableACME = true;
+      #   root = briefcase.website.sandbox;
+      # };
+      # "learnpianochords.app" = {
+      #   addSSL = true;
+      #   enableACME = true;
+      #   root = briefcase.website.sandbox.learnpianochords;
+      # };
+      "zoo.wpcarro.dev" = {
+        addSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:8000";
+        };
+      };
+    };
+  };
+
+  system.stateVersion = "20.09";
+}
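Review bot: The Bitlbee daemon is bound to every interface (`interface = "0.0.0.0";`) even though the only intended path to it is the local stunnel listener on 6697, so the plaintext 6667 port is exposed to the host's networks and is protected only by the firewall's allowedTCPPorts list; binding it to loopback, `interface = "127.0.0.1";`, matches the `connect = 6667` in the stunnel config and keeps the unencrypted port off the wire regardless of firewall state. Related, the stunnel unit runs as `User = "nginx"` purely to read `/var/lib/acme/wpcarro.dev/full.pem`, which couples the TLS terminator's privileges to the web server's; a dedicated user placed in the certificate's group via `security.acme.certs."wpcarro.dev".group` gives it read access without sharing nginx's identity. The `debug = 7` setting in that same config is stunnel's most verbose level and will log connection details for every IRC session into the journal, so it likely wants lowering once the setup is working. Lastly, `services.gitDaemon.exportAll = true` exports every repository under `/srv/git` irrespective of the `repositories` list, so new clones dropped there become public automatically; if that is not the intent, dropping `exportAll` and relying on the explicit list is the tighter default.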
diff --git a/users/wpcarro/nixos/socrates/hardware.nix b/users/wpcarro/nixos/socrates/hardware.nix
new file mode 100644
index 000000000000..dde14eb1e627
--- /dev/null
+++ b/users/wpcarro/nixos/socrates/hardware.nix
@@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/aadf1a77-1e98-4b5f-8e74-abf8e77bda34";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1613-35B9";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 2;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}