authorpolwex <polwex@sortug.com>2024-07-21 01:09:48 +0700
committerpolwex <polwex@sortug.com>2024-07-21 01:09:48 +0700
commit78907aa98c1af8624a62ca123d088c6c16424f41 (patch)
tree477fe923810522acc211b7514e4931af80f33ed7 /hosts/cloud/oldsortug
init
Diffstat (limited to 'hosts/cloud/oldsortug')
-rw-r--r--hosts/cloud/oldsortug/configuration.nix46
-rw-r--r--hosts/cloud/oldsortug/coturn.nix60
-rw-r--r--hosts/cloud/oldsortug/gitea.nix27
-rw-r--r--hosts/cloud/oldsortug/hardware-configuration.nix31
-rw-r--r--hosts/cloud/oldsortug/nginx.nix21
-rw-r--r--hosts/cloud/oldsortug/packages.nix53
-rw-r--r--hosts/cloud/oldsortug/users.nix56
7 files changed, 294 insertions, 0 deletions
diff --git a/hosts/cloud/oldsortug/configuration.nix b/hosts/cloud/oldsortug/configuration.nix
new file mode 100644
index 0000000..1c1866e
--- /dev/null
+++ b/hosts/cloud/oldsortug/configuration.nix
@@ -0,0 +1,46 @@
+{ modulesPath, lib, ... }:
+{
+ imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
+ ./hardware-configuration.nix
+ ./gitea.nix
+ ./nginx.nix
+ ./coturn.nix
+ ];
+ boot = {
+ growPartition = true;
+ kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
+ initrd.kernelModules = [ "virtio_scsi" ];
+ kernelModules = [ "virtio_pci" "virtio_net" ];
+ loader = {
+ grub.device = "/dev/sda";
+ timeout = 0;
+ grub.configurationLimit = 0;
+ };
+ };
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ ports = [5522];
+ };
+ services.do-agent.enable = true;
+ networking = {
+ hostName = "sortug"; # use Digital Ocean metadata server
+ };
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 40308 80 443 53 51820 5522 ];
+ allowedUDPPorts = [ 40308 80 443 53 51820 5522
+ 50000
+ 50001
+ 50002
+ 50003
+ 50004
+ 50005
+ 50006
+ 50007
+ 50008
+ 50009
+ 50010
+ ];
+ };
+}
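Review bot: The `allowedUDPPorts` list at the end of the hunk opens UDP for services that are TCP-only in this directory (5522 for sshd, 80 for nginx), and both lists open 53 although nothing here runs a resolver; trimming the UDP list to what actually listens and writing the 50000–50010 block as `allowedUDPPortRanges = [ { from = 50000; to = 50010; } ];` keeps the exposed surface explicit. `services.openssh.passwordAuthentication` is the pre-23.05 option name; the current form is `services.openssh.settings.PasswordAuthentication = false;`. The imports list pulls in hardware-configuration, gitea, nginx and coturn but not `./packages.nix` or `./users.nix`, so unless those are included from outside this directory the host builds without the `y` login user; a one-line comment naming where they are imported would prevent that guess. The comment `# use Digital Ocean metadata server` next to the static `hostName` string looks stale.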
diff --git a/hosts/cloud/oldsortug/coturn.nix b/hosts/cloud/oldsortug/coturn.nix
new file mode 100644
index 0000000..aaf097c
--- /dev/null
+++ b/hosts/cloud/oldsortug/coturn.nix
@@ -0,0 +1,60 @@
+{ ... }:
+
+{
+ services.coturn = {
+ enable = true;
+ lt-cred-mech = true;
+ # use-auth-secret = true;
+ # static-auth-secret = "GHhc4i7Hwto0KxoDgNioYgWgkc1iLbEE8t45G6voTzD07vKvFsK6R4b8kShVZEhC";
+ realm = "turn.sortug.com";
+ # relay-ips = [
+ # "<public-server-ip>"
+ # ];
+ # no-tcp-relay = true;
+ extraConfig = "
+ cipher-list=\"HIGH\"
+ no-loopback-peers
+ no-multicast-peers
+ ";
+ # secure-stun = true;
+ cert = "/var/lib/acme/turn.sortug.com/fullchain.pem";
+ pkey = "/var/lib/acme/turn.sortug.com/key.pem";
+ min-port = 49152;
+ max-port = 49999;
+ };
+
+ # Open ports in the firewall.
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ allowedTCPPorts = [
+ 5349 # STUN tls
+ 5350 # STUN tls alt
+ 80 # http
+ 443 # https
+ ];
+ allowedUDPPortRanges = [
+ { from=49152; to=49999; } # TURN relay
+ ];
+ };
+
+ # setup certs
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "turn.sortug.com" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ users.groups.turnserver.members = ["nginx" "coturn"];
+
+ # share certs with coturn and restart on renewal
+ security.acme.certs = {
+ "turn.sortug.com" = {
+ postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
+ };
+ };
+}
+
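Review bot: The commented-out `static-auth-secret` on the line after `# use-auth-secret = true;` is still a credential committed to history; once a value has been in git it should be treated as disclosed and rotated, and if the secret-based mechanism is ever enabled the value belongs in a file referenced by `services.coturn.static-auth-secret-file` rather than in a Nix literal, which lands in the world-readable store. Dropping both commented lines together with the `# "<public-server-ip>"` placeholder leaves the intended `lt-cred-mech` setup readable. The `cert`/`pkey` paths point into the ACME directory, but the cert's group is not set here while only `nginx` and `coturn` are added to `turnserver`; whether the coturn service user can actually read key.pem depends on the module's runtime user and the cert's group, so verify it on a fresh deploy or set `security.acme.certs."turn.sortug.com".group = "turnserver";` explicitly.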
diff --git a/hosts/cloud/oldsortug/gitea.nix b/hosts/cloud/oldsortug/gitea.nix
new file mode 100644
index 0000000..a25773a
--- /dev/null
+++ b/hosts/cloud/oldsortug/gitea.nix
@@ -0,0 +1,27 @@
+{ config, ...}:
+{
+ services.gitea = {
+ enable = true;
+ user = "git";
+ appName = "Sortug Git";
+ settings.server = {
+ domain = "git.sortug.com";
+ ROOT_URL = "https://git.sortug.com/";
+ SSH_PORT = 5522;
+ };
+ lfs.enable = true;
+ };
+
+ users.users = {
+ git = {
+ description = "Gitea Service";
+ home = "/var/lib/gitea";
+ useDefaultShell = true;
+ group = "gitea";
+ isSystemUser = true;
+ };
+ };
+
+
+
+}
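Review bot: `settings.server` mixes a lowercase `domain` with the uppercase `ROOT_URL` and `SSH_PORT`; `services.gitea.settings` is written into app.ini as given and Gitea's documented key is `DOMAIN`, so `DOMAIN = "git.sortug.com";` avoids relying on case-insensitive parsing. Nothing here restricts sign-up on what is a public instance; `settings.service.DISABLE_REGISTRATION = true;` is the usual hardening so that only the admin creates accounts. The three blank lines before the closing brace can go.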
diff --git a/hosts/cloud/oldsortug/hardware-configuration.nix b/hosts/cloud/oldsortug/hardware-configuration.nix
new file mode 100644
index 0000000..f46db2a
--- /dev/null
+++ b/hosts/cloud/oldsortug/hardware-configuration.nix
@@ -0,0 +1,31 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/32e438fa-ead6-47d5-8ebe-75f6b1d0c1a6";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/cloud/oldsortug/nginx.nix b/hosts/cloud/oldsortug/nginx.nix
new file mode 100644
index 0000000..ba64539
--- /dev/null
+++ b/hosts/cloud/oldsortug/nginx.nix
@@ -0,0 +1,21 @@
+{ ... }: {
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@sortug.com";
+ users.users.y.homeMode = "750";
+ services.nginx = {
+ enable = true;
+ virtualHosts."old.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $Host;
+ '';
+ # actually important
+ };
+ };
+ };
+}
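Review bot: `proxy_set_header Host $Host;` in `extraConfig` uses `$Host`, but nginx variable names are case-sensitive and the built-in is `$host`; I would expect the config check to reject `$Host` as an unknown variable, so this should be `proxy_set_header Host $host;` — or drop the `extraConfig` block and set `services.nginx.recommendedProxySettings = true;`, which sets Host and the X-Forwarded-* headers for every proxied location. The dangling `# actually important` comment after it does not say what is important. `users.users.y.homeMode = "750";` is user configuration living in the nginx module and reads better next to the `y` user definition.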
diff --git a/hosts/cloud/oldsortug/packages.nix b/hosts/cloud/oldsortug/packages.nix
new file mode 100644
index 0000000..6985acb
--- /dev/null
+++ b/hosts/cloud/oldsortug/packages.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ fish
+ # unix utilities
+ tmux
+ bat # cat replacement written in Rust
+ colordiff
+ direnv # Per-directory environment variables
+ lsd
+ fd # find replacement written in Rust
+ fzf # Fuzzy finder
+ git
+ glibcLocales
+ gnumake
+ htop # Resource monitoring
+ jq # JSON parsing for the CLI
+ lsof
+ ripgrep # grep replacement written in Rust
+ sd # Fancy sed replacement
+ silver-searcher
+ skim # High-powered fuzzy finder written in Rust
+ strace # debug stack trace
+ tealdeer # tldr for various shell tools
+ testdisk
+ tokei # Handy tool to see lines of code by language
+ watchexec # Fileystem watcher/executor useful for speedy development
+ xsv # CSV file parsing utility
+ just # Intriguing new make replacement
+ mdcat # Markdown converter/reader for the CLI
+ tree
+ unzip
+ zip
+
+ # networking
+ curl
+ caddy # simple web server made with go
+ innernet
+
+ # s3
+ minio
+ # databases
+ # postgresql
+ # sqlite
+ ];
+}
+
diff --git a/hosts/cloud/oldsortug/users.nix b/hosts/cloud/oldsortug/users.nix
new file mode 100644
index 0000000..b3515c1
--- /dev/null
+++ b/hosts/cloud/oldsortug/users.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+# plugins = [{
+# name="foreign-env";
+# src = pkgs.fetchFromGitHub {
+# owner = "oh-my-fish";
+# repo = "plugin-foreign-env";
+# rev = "dddd9213272a0ab848d474d0cbde12ad034e65bc";
+# sha256 = "00xqlyl3lffc5l0viin1nyp819wf81fncqyz87jx8ljjdhilmgbs";
+# };
+# }];
+};
+
+ users = {
+ extraUsers = {
+ y = {
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ ];
+ createHome = true;
+ home = "/home/y";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+ };
+# urbit = {
+# group = "users";
+# isNormalUser = true;
+# createHome = true;
+# isSystemUser = false;
+# openssh.authorizedKeys.keys =
+# [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/VzXbaX1CLqQfPCkRdMHzAKsbS//2B0qlw3ROnR74tgl7jrBP2qeYhydcNECqC5WWO+KLZrbOWdVLATLW6z6oLlMx6E6WCfRVx/F7coMd/FBYqHwJ2Z1PbG0YSjWH07GyVYU2Nc9HfW459aXpGQ2LlTjYP14i7DqvSesCIkfbPfHzwAkyDxj4oIMXS3LMQlh4u69YKoXS/LPU+1Qv+bT5alRc2Uw+/9/q1IfDDxIiKqt3EVNEM6p5QssXtlFhk0+7zXRApWbpYLbjAVHDHbFoPAXeKLQvpgnz1K84fOGNlXj9nISYfDba8NVWQbetKnVxmQNDUKk3jOcBFmjgHvYv pkova@Pyrys-MacBook-Pro.local" ];
+# };
+ };
+ };
+}
+
+
+
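Review bot: `users.extraUsers` is the legacy alias for `users.users`, and inside the `y` definition `isNormalUser = true` already implies `group = "users"`, `createHome = true`, `home = "/home/y"` and `isSystemUser = false`, so the block can shrink to `users.users.y = { isNormalUser = true; extraGroups = [ "systemd-journal" "wheel" ]; shell = pkgs.fish; openssh.authorizedKeys.keys = [ ... ]; };`. The user is in `wheel` but has no `hashedPassword` here and `security.sudo.wheelNeedsPassword` is left at its default, so the `ports` alias's `sudo lsof` only works if a password is set out of band; stating that in a comment, or choosing explicitly, would make the access model clear. The commented-out `urbit` user and fish plugin blocks are dead configuration and are better removed than kept as history.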