From 30384e64854b04e1f51ba68c3874765e141e9fc1 Mon Sep 17 00:00:00 2001
From: Florian Schmitt
Date: Fri, 13 Dec 2024 14:45:48 +0300
Subject: [PATCH] feat(inventory): declaration of nixin machine wip
---
 inventory/nixin.nix | 185 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 185 insertions(+)
 create mode 100644 inventory/nixin.nix
diff --git a/inventory/nixin.nix b/inventory/nixin.nix
new file mode 100644
index 0000000..f1e170e
--- /dev/null
+++ b/inventory/nixin.nix
@@ -0,0 +1,185 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+
+{
+ networking.hosts = {
+ "127.0.0.1" = [ "nixin.chmok.net" ];
+ };
+
+ networking.hostName = "nixin";
+ networking.domain = "chmok.net";
+ networking.firewall = {
+ allowedUDPPorts = [
+ 53 # forgejo
+ 8098 # wireguard
+ ];
+ allowedTCPPorts = [
+ 22 # ssh
+ 80 # http
+ 443 # https
+ ];
+ };
+ networking.nameservers = [
+ "80.67.169.12"
+ "2001:910:800::12"
+ "80.67.169.40"
+ "2001:910:800::40"
+ ];
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = [ "10.42.0.9/32" ];
+ privateKey = "2M0w52jHmX5AgPw4V7Kq1hoZaEWa7H6NBoPfy/RbanQ=";
+ peers = [
+ {
+ publicKey = "2MZzEGJzA3HrwkHf91TaKJEHwCNyVvsTLWoIYHrCxhY=";
+ presharedKey = "DjbQfcvrc1cfk0nQNGqak4QZr46MW9WEovNK170mg+A=";
+ allowedIPs = [ "10.42.0.0/24" ];
+ endpoint = "195.201.63.240:8098";
+ persistentKeepalive = 15;
+ }
+ ];
+ };
+ };
+
+ time.timeZone = "UTC";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ users.users.operator = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ initialPassword = "CHANGE ME !!!";
+ };
+
+ security.sudo.extraRules = [
+ {
+ users = [ "operator" ];
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
+ }
+ ];
+ }
+ ];
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "forge.chmok.net";
+ # You need to specify this to remove the port from URLs in the web UI.
+ ROOT_URL = "https://forge.chmok.net/";
+ HTTP_PORT = 3000;
+ };
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+ # Add support for actions, based on act: https://github.com/nektos/act
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ # Sending emails is completely optional
+ # You can send a test email from the web UI at:
+ # Profile Picture > Site Administration > Configuration > Mailer Configuration
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "mail.chmok.net";
+ FROM = "noreply@${config.services.forgejo.settings.server.DOMAIN}";
+ USER = "noreply@${config.services.forgejo.settings.server.DOMAIN}";
+ PASSWD = "CHANGE ME !!!";
+ };
+ };
+ };
+
+ virtualisation.containers.enable = true;
+ virtualisation.podman = {
+ enable = true;
+ # Create a `docker` alias for podman, to use it as a drop-in replacement
+ dockerCompat = true;
+ # Required for containers under podman-compose to be able to talk to each other.
+ defaultNetwork.settings.dns_enabled = true;
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances.default = {
+ enable = true;
+ name = "nixinrunner";
+ url = "https://forge.chmok.net";
+ token = "S3uBKr4HsnxILAVA40ikLCNdAdKYxqcIGoqH1ihA";
+ labels = [
+ # provide a debian base with nodejs for actions
+ "debian-latest:docker://node:20-bookworm"
+ # fake the ubuntu name, because node provides no ubuntu builds
+ "ubuntu-latest:docker://node:20-bookworm"
+ # nixos
+ "nixos:docker://nixos/nix:latest"
+ # provide native execution on the host
+ #"native:host"
+ ];
+ };
+ };
+
+ services.openssh.enable = true;
+ services.openssh.ports = [ 22 ];
+ services.openssh.settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ security.acme.defaults.email = "contact@nixin.local";
+ security.acme.acceptTerms = true;
+
+ services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts."forge.chmok.net" = {
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass =
+ "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+ };
+ };
+
+ systemd.services.forgejo.preStart =
+ let
+ adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+ pwd = "CHANGE ME !!!";
+ user = "operator";
+ mail = "root@forge.chmok.net";
+ in
+ ''
+ ${adminCmd} create --admin --email "${mail}" --username ${user} --password "${pwd}" || true
+ ## uncomment this line to change an admin user which was already created
+ # ${adminCmd} change-password --username ${user} --password "${pwd}" || true
+ '';
+
+ environment.systemPackages = with pkgs; [
+ git
+ wget
+ tmux
+ mosh
+ htop
+ ];
+
+ system.stateVersion = "24.05";
+}
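Review bot: The new file commits live secrets — the WireGuard `privateKey` and peer `presharedKey` under `networking.wg-quick.interfaces.wg0`, and the runner registration `token` under `services.gitea-actions-runner.instances.default` — and because they are literals in a NixOS module they land both in git history and in the world-readable Nix store on the host, so they should be rotated now regardless of how the config is fixed. Replace them with the file-based options NixOS provides for this purpose — `privateKeyFile` / `presharedKeyFile` on the interface and peer, `tokenFile` on the runner instance (an environment file holding a `TOKEN=` line), and `services.forgejo.mailerPasswordFile` in place of `settings.mailer.PASSWD` — pointing at root-only paths provisioned out of band (sops-nix, agenix, or a hand-placed file). The `"CHANGE ME !!!"` placeholders for `initialPassword`, the mailer and the admin password in `systemd.services.forgejo.preStart` deserve the same treatment, the more so because `preStart` passes the admin password as a command-line argument where any local user can read it from the process table; `users.users.operator.hashedPasswordFile` covers the login password, and the `NOPASSWD` sudo rule makes that account's password the only thing between a leaked placeholder and root. Less urgently, `53 # forgejo` in `allowedUDPPorts` looks mislabeled and exposes a DNS port that nothing in this file listens on, and inbound `8098` is only needed if `wg0` sets `listenPort = 8098`, which it does not.
```nix
    wg0 = {
      address = [ "10.42.0.9/32" ];
      privateKeyFile = "/run/secrets/wg0-private-key";
      peers = [
        {
          publicKey = "2MZzEGJzA3HrwkHf91TaKJEHwCNyVvsTLWoIYHrCxhY=";
          presharedKeyFile = "/run/secrets/wg0-preshared-key";
          # … unchanged: allowedIPs, endpoint, persistentKeepalive …

  # … unchanged: time, users, sudo, services.forgejo (with settings.mailer.PASSWD removed), podman …
  services.forgejo.mailerPasswordFile = "/run/secrets/forgejo-mailer-password";

  services.gitea-actions-runner.instances.default = {
    # … unchanged: enable, name, url, labels …
    tokenFile = "/run/secrets/forgejo-runner.env"; # environment file containing TOKEN=…
  };
```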