From 7833632a7961038e8898ef287fd2dedf8fa7f33b Mon Sep 17 00:00:00 2001
From: William Carroll
Date: Mon, 17 Aug 2020 09:48:47 +0100
Subject: Attempt nix-build instead of nixos-rebuild switch
I've encountered a few problems with attempting to support nixos-rebuild: - the activation step requires `sudo` privileges - the `buildkite-agent` runs on the same machine, socrates, that is rebuilding itself. This means that when the activation step runs, it will attempt to restart `buildkite-agent` when the agent is still working I'm slowly removing places in my nix code that rely on '' notation, so that I no longer depend on NIX_PATH being set. I still have more work to do. {covid-uk,sandbox}/default.nix are breaking when I attempt to run my build-socrates.sh script locally, so I'm temporarily disabling them until I can get CI working as I expect.
---
nixos/socrates/configuration.nix | 253 --------------------------------------
nixos/socrates/default.nix | 239 ++++++++++++++++++++++++++++++++++++
nixos/socrates/hardware.nix | 2 +-
3 files changed, 240 insertions(+), 254 deletions(-)
delete mode 100644 nixos/socrates/configuration.nix
create mode 100644 nixos/socrates/default.nix
(limited to 'nixos/socrates')
diff --git a/nixos/socrates/configuration.nix b/nixos/socrates/configuration.nix
deleted file mode 100644
index 58b3c64cfee2..000000000000
--- a/nixos/socrates/configuration.nix
+++ /dev/null
@@ -1,253 +0,0 @@ -{ ... }: - -let - # TODO(wpcarro): Instead of importing these dependencies as parameters that - # readTree will expose I need to import these dependencies manually because - # I'm building this using `nixos-rebuild`. When I better understand how to - # build socrates using readTree, prefer defining this as an anonymous - # function. - briefcase = import {}; - pkgs = briefcase.third_party.pkgs; - - trimNewline = x: pkgs.lib.removeSuffix "\n" x; - readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x)); -in { - imports = [ ./hardware.nix ]; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking = { - hostName = "socrates"; - # The global useDHCP flag is deprecated, therefore explicitly set to false - # here. Per-interface useDHCP will be mandatory in the future, so this - # generated config replicates the default behaviour. - useDHCP = false; - networkmanager.enable = true; - interfaces.enp2s0f1.useDHCP = true; - interfaces.wlp3s0.useDHCP = true; - firewall.allowedTCPPorts = [ 9418 80 443 6697 ]; - }; - - time.timeZone = "UTC"; - - programs.fish.enable = true; - programs.mosh.enable = true; - - environment.systemPackages = with pkgs; [ - curl - direnv - emacs26-nox - gnupg - htop - pass - vim - certbot - tree - git - ]; - - users = { - # I need a git group to run the git server. - groups.git = {}; - - users.wpcarro = { - isNormalUser = true; - extraGroups = [ "git" "wheel" ]; - shell = pkgs.fish; - }; - - users.buildkite-agent = { - # TODO: Consider setting this to `false` when you better understand the - # implications. 
- isNormalUser = true; - extraGroups = [ "git" ]; - }; - - users.git = { - group = "git"; - isNormalUser = false; - }; - }; - - nix = { - # Expose depot as , nixpkgs as - nixPath = [ - "briefcase=/home/wpcarro/briefcase" - "depot=/home/wpcarro/depot" - "nixpkgs=/home/wpcarro/nixpkgs" - ]; - - trustedUsers = [ "root" "wpcarro" ]; - }; - - ############################################################################## - # Services - ############################################################################## - - systemd.services.bitlbee-stunnel = { - description = "Provides TLS termination for Bitlbee."; - wantedBy = [ "multi-user.target" ]; - unitConfig = { - Restart = "always"; - User = "nginx"; # This is a hack to easily get certificate access. - }; - script = let configFile = builtins.toFile "stunnel.conf" '' - foreground = yes - debug = 7 - - [ircs] - accept = 0.0.0.0:6697 - connect = 6667 - cert = /var/lib/acme/wpcarro.dev/full.pem - ''; in "${pkgs.stunnel}/bin/stunnel ${configFile}"; - }; - - nixpkgs.config.bitlbee.enableLibPurple = true; - services.bitlbee = { - interface = "0.0.0.0"; - enable = true; - libpurple_plugins = [ - pkgs.telegram-purple - ]; - }; - - services.journaldriver = { - enable = true; - logStream = "home"; - googleCloudProject = "wpcarros-infrastructure"; - applicationCredentials = "/etc/gcp/key.json"; - }; - - services.openssh.enable = true; - - services.gitea = { - enable = true; - # Without this the links to clone a repository like briefcase will be - # "http://localhost:3000/wpcarro/briefcase". - rootUrl = "https://git.wpcarro.dev/"; - }; - - # systemd.services.monzo-token-server = { - # enable = true; - # description = "Ensure my Monzo access token is valid"; - # script = "${briefcase.monzo_ynab.tokens}/bin/token-server"; - # # TODO(wpcarro): I'm unsure of the size of this security risk, but if a - # # non-root user runs `systemctl cat monzo-token-server`, they could read the - # # following, sensitive environment variables. 
- # environment = { - # store_path = "/var/cache/monzo_ynab"; - # monzo_client_id = readSecret "monzo-client-id"; - # monzo_client_secret = readSecret "monzo-client-secret"; - # ynab_personal_access_token = readSecret "ynab-personal-access-token"; - # ynab_account_id = readSecret "ynab-account-id"; - # ynab_budget_id = readSecret "ynab-budget-id"; - # }; - # serviceConfig = { - # Type = "simple"; - # }; - # }; - - systemd.services.zoo = { - enable = true; - description = "Run my monoserver"; - script = "${briefcase.zoo}/zoo"; - environment = {}; - serviceConfig = { - Restart = "always"; - }; - }; - - services.gitDaemon = { - enable = true; - basePath = "/srv/git"; - exportAll = true; - repositories = [ "/srv/git/briefcase" ]; - }; - - # Since I'm using this laptop as a server in my flat, I'd prefer to close its - # lid. - services.logind.lidSwitch = "ignore"; - - security.polkit.extraConfig = '' - polkit.addRule(function(action, subject) { - polkit.log("subject.user: " + subject.user + " is attempting action.id: " + action.id); - }); - ''; - - # Provision SSL certificates to support HTTPS connections. 
- security.acme.acceptTerms = true; - security.acme.email = "wpcarro@gmail.com"; - - services.nginx = { - enable = true; - enableReload = true; - - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - - commonHttpConfig = '' - log_format json_combined escape=json - '{' - '"remote_addr":"$remote_addr",' - '"method":"$request_method",' - '"host":"$host",' - '"uri":"$request_uri",' - '"status":$status,' - '"request_size":$request_length,' - '"response_size":$body_bytes_sent,' - '"response_time":$request_time,' - '"referrer":"$http_referer",' - '"user_agent":"$http_user_agent"' - '}'; - - access_log syslog:server=unix:/dev/log,nohostname json_combined; - ''; - - virtualHosts = { - "wpcarro.dev" = { - addSSL = true; - enableACME = true; - root = briefcase.website; - }; - "learn.wpcarro.dev" = { - addSSL = true; - enableACME = true; - root = briefcase.website.learn; - }; - "git.wpcarro.dev" = { - addSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:3000"; - }; - }; - "blog.wpcarro.dev" = { - addSSL = true; - enableACME = true; - root = briefcase.website.blog; - }; - "sandbox.wpcarro.dev" = { - addSSL = true; - enableACME = true; - root = briefcase.website.sandbox; - }; - "learnpianochords.app" = { - addSSL = true; - enableACME = true; - root = briefcase.website.sandbox.learnpianochords; - }; - "zoo.wpcarro.dev" = { - addSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:8000"; - }; - }; - }; - }; - - system.stateVersion = "20.09"; -} diff --git a/nixos/socrates/default.nix b/nixos/socrates/default.nix new file mode 100644 index 000000000000..d98cdb993300 --- /dev/null +++ b/nixos/socrates/default.nix 
@@ -0,0 +1,239 @@ +let + briefcase = import /home/wpcarro/briefcase {}; + pkgs = briefcase.third_party.pkgs; + trimNewline = x: pkgs.lib.removeSuffix "\n" x; + readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x)); +in { + imports = [ ./hardware.nix ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking = { + hostName = "socrates"; + # The global useDHCP flag is deprecated, therefore explicitly set to false + # here. Per-interface useDHCP will be mandatory in the future, so this + # generated config replicates the default behaviour. + useDHCP = false; + networkmanager.enable = true; + interfaces.enp2s0f1.useDHCP = true; + interfaces.wlp3s0.useDHCP = true; + firewall.allowedTCPPorts = [ 9418 80 443 6697 ]; + }; + + time.timeZone = "UTC"; + + programs.fish.enable = true; + programs.mosh.enable = true; + + environment.systemPackages = with pkgs; [ + curl + direnv + emacs26-nox + gnupg + htop + pass + vim + certbot + tree + git + ]; + + users = { + # I need a git group to run the git server. + groups.git = {}; + + users.wpcarro = { + isNormalUser = true; + extraGroups = [ "git" "wheel" ]; + shell = pkgs.fish; + }; + + users.buildkite-agent = { + # TODO: Consider setting this to `false` when you better understand the + # implications. + isNormalUser = true; + extraGroups = [ "git" ]; + }; + + users.git = { + group = "git"; + isNormalUser = false; + }; + }; + + nix = { + nixPath = []; + trustedUsers = [ "root" "wpcarro" ]; + }; + + ############################################################################## + # Services + ############################################################################## + + systemd.services.bitlbee-stunnel = { + description = "Provides TLS termination for Bitlbee."; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + Restart = "always"; + User = "nginx"; # This is a hack to easily get certificate access. 
+ }; + script = let configFile = builtins.toFile "stunnel.conf" '' + foreground = yes + debug = 7 + + [ircs] + accept = 0.0.0.0:6697 + connect = 6667 + cert = /var/lib/acme/wpcarro.dev/full.pem + ''; in "${pkgs.stunnel}/bin/stunnel ${configFile}"; + }; + + nixpkgs.config.bitlbee.enableLibPurple = true; + services.bitlbee = { + interface = "0.0.0.0"; + enable = true; + libpurple_plugins = [ + pkgs.telegram-purple + ]; + }; + + services.journaldriver = { + enable = true; + logStream = "home"; + googleCloudProject = "wpcarros-infrastructure"; + applicationCredentials = "/etc/gcp/key.json"; + }; + + services.openssh.enable = true; + + services.gitea = { + enable = true; + # Without this the links to clone a repository like briefcase will be + # "http://localhost:3000/wpcarro/briefcase". + rootUrl = "https://git.wpcarro.dev/"; + }; + + # systemd.services.monzo-token-server = { + # enable = true; + # description = "Ensure my Monzo access token is valid"; + # script = "${briefcase.monzo_ynab.tokens}/bin/token-server"; + # # TODO(wpcarro): I'm unsure of the size of this security risk, but if a + # # non-root user runs `systemctl cat monzo-token-server`, they could read the + # # following, sensitive environment variables. 
+ # environment = { + # store_path = "/var/cache/monzo_ynab"; + # monzo_client_id = readSecret "monzo-client-id"; + # monzo_client_secret = readSecret "monzo-client-secret"; + # ynab_personal_access_token = readSecret "ynab-personal-access-token"; + # ynab_account_id = readSecret "ynab-account-id"; + # ynab_budget_id = readSecret "ynab-budget-id"; + # }; + # serviceConfig = { + # Type = "simple"; + # }; + # }; + + systemd.services.zoo = { + enable = true; + description = "Run my monoserver"; + script = "${briefcase.zoo}/zoo"; + environment = {}; + serviceConfig = { + Restart = "always"; + }; + }; + + services.gitDaemon = { + enable = true; + basePath = "/srv/git"; + exportAll = true; + repositories = [ "/srv/git/briefcase" ]; + }; + + # Since I'm using this laptop as a server in my flat, I'd prefer to close its + # lid. + services.logind.lidSwitch = "ignore"; + + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + polkit.log("subject.user: " + subject.user + " is attempting action.id: " + action.id); + }); + ''; + + # Provision SSL certificates to support HTTPS connections. 
+ security.acme.acceptTerms = true; + security.acme.email = "wpcarro@gmail.com"; + + services.nginx = { + enable = true; + enableReload = true; + + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + commonHttpConfig = '' + log_format json_combined escape=json + '{' + '"remote_addr":"$remote_addr",' + '"method":"$request_method",' + '"host":"$host",' + '"uri":"$request_uri",' + '"status":$status,' + '"request_size":$request_length,' + '"response_size":$body_bytes_sent,' + '"response_time":$request_time,' + '"referrer":"$http_referer",' + '"user_agent":"$http_user_agent"' + '}'; + + access_log syslog:server=unix:/dev/log,nohostname json_combined; + ''; + + virtualHosts = { + "wpcarro.dev" = { + addSSL = true; + enableACME = true; + root = briefcase.website; + }; + "learn.wpcarro.dev" = { + addSSL = true; + enableACME = true; + root = briefcase.website.learn; + }; + "git.wpcarro.dev" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + }; + }; + "blog.wpcarro.dev" = { + addSSL = true; + enableACME = true; + root = briefcase.website.blog; + }; + # "sandbox.wpcarro.dev" = { + # addSSL = true; + # enableACME = true; + # root = briefcase.website.sandbox; + # }; + # "learnpianochords.app" = { + # addSSL = true; + # enableACME = true; + # root = briefcase.website.sandbox.learnpianochords; + # }; + "zoo.wpcarro.dev" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8000"; + }; + }; + }; + }; + + system.stateVersion = "20.09"; +} diff --git a/nixos/socrates/hardware.nix b/nixos/socrates/hardware.nix index dde14eb1e627..d13ffd7e401d 100644 --- a/nixos/socrates/hardware.nix +++ b/nixos/socrates/hardware.nix @@ -5,7 +5,7 @@ { imports = - [ + [ /home/wpcarro/nixpkgs/nixos/modules/installer/scan/not-detected.nix ]; boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; -- cgit 1.4.1
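Review bot: `briefcase = import /home/wpcarro/briefcase {};` on the second line of the default.nix hunk (and the `/home/wpcarro/nixpkgs/...` path added in the hardware.nix hunk) ties the system closure to a mutable checkout under a user home directory rather than to a pinned input, so the same commit can evaluate to different systems and whoever can write to that checkout controls what the build produces. Given the stated goal of dropping the NIX_PATH dependence, a pinned source such as `builtins.fetchGit` with a fixed `rev` would make the CI build reproducible and auditable. Separately, `readSecret` still reads `/etc/secrets/...` with `builtins.readFile`; it is only referenced in the commented-out monzo block, but re-enabling that block would copy the secrets into the world-readable Nix store, so a comment such as `# NOTE: builtins.readFile copies the secret into /nix/store; prefer serviceConfig.EnvironmentFile` next to the definition would record that hazard.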