diff --git a/README.org b/README.org
index 23872ce..9700c62 100755
--- a/README.org
+++ b/README.org
@@ -67,6 +67,20 @@ Where =default.nix= returns an attrset of form
 }
 #+end_src
+*** ~modules/~
+
+#+begin_example
+modules
+├── home
+│   └── «Various home-manager modules»…
+└── nixos
+ ├── defaults
+ │   └── «NixOS modules that are *enabled by default*»…
+ ├── deertopia
+ │   └── «NixOS modules that are *specific to Deertopia*»…
+ └── «Various NixOS modules»…
+#+end_example
+
 ** Impermanence and persistence
 I use impermanence to wipe most of my filesystem on boot.
diff --git a/hosts/deertopia/configuration.nix b/hosts/deertopia/configuration.nix
index 16a3c1a..773d865 100755
--- a/hosts/deertopia/configuration.nix
+++ b/hosts/deertopia/configuration.nix
@@ -3,7 +3,6 @@
 imports = [
 ./hardware-configuration.nix
 ./disko-config.nix
- ./services.nix
 ];
 sydnix = {
@@ -37,6 +36,25 @@
 enable = true;
 keyFile = "/persist/vault/root/deertopia-key";
 };
+
+ deertopia = {
+ nginx.enable = true;
+ git-annex.enable = true;
+
+ # A simple default webpage. This should probably live somewhere else.
+ nginx.vhosts."www" = {
+ vhostName = "deertopia.net";
+ vhost = {
+ # addSSL = true;
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ };
+ };
 };
 boot.loader = {
diff --git a/hosts/deertopia/services.nix b/hosts/deertopia/services.nix
deleted file mode 100755
index f301f34..0000000
--- a/hosts/deertopia/services.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- imports = [
- # ./services/seafile.nix
- # ./services/tinydns.nix
- ./services/git-annex.nix
- ./services/nginx.nix
- ];
-}
diff --git a/hosts/deertopia/services/git-annex.nix b/hosts/deertopia/services/git-annex.nix
deleted file mode 100755
index c85b6fe..0000000
--- a/hosts/deertopia/services/git-annex.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- environment.systemPackages = with pkgs; [
- git-annex
- git
- rsync
- ];
-
- # Our files managed by git-annex actually live on a WebDAV server that is
- # declared by the following section.
- services.nginx = {
- # Nginx's WebDAV support is in a separate module we must import.
- additionalModules = [ pkgs.nginxModules.dav ];
-
- virtualHosts."dav.deertopia.net" = {
- addSSL = true;
- enableACME = true;
- locations."/".extraConfig = ''
- alias /persist/web/webdav;
- client_body_temp_path /tmp/nginx/webdav;
- dav_methods PUT DELETE MKCOL COPY MOVE;
- dav_ext_methods PROPFIND OPTIONS;
- create_full_put_path on
-
- auth_basic "Restricted Access";
- auth_basic_user_file /etc/nginx/webdav.passwd;
-
- # Deny all access unless authenticated
- satisfy all;
- allow all; # This allows all authenticated users
- deny all; # This denies all other users
- '';
- };
- };
-}
diff --git a/hosts/deertopia/services/nextcloud.nix b/hosts/deertopia/services/nextcloud.nix
deleted file mode 100755
index 6870119..0000000
--- a/hosts/deertopia/services/nextcloud.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- sydnix = {
- sops.secrets = {
- nextcloud-admin = {
- owner = "nextcloud";
- group = "nextcloud";
- };
- };
-
- impermanence.directories = [ "/var/lib/nextcloud" ];
- };
-
- # Setting `services.nextcloud.hostName` automatically sets up a Nginx server
- # (on port 80) hosting the Nextcloud services.
- networking.firewall.allowedTCPPorts = [ 80 ];
-
- services.nextcloud = {
- enable = true;
- hostName = "cloud.internal.deertopia.net";
- package = pkgs.nextcloud30;
- config = {
- adminpassFile = "/run/secrets/nextcloud-admin";
- dbtype = "sqlite";
- };
- };
-}
diff --git a/hosts/deertopia/services/nginx.nix b/hosts/deertopia/services/nginx.nix
deleted file mode 100644
index ceb684b..0000000
--- a/hosts/deertopia/services/nginx.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- deertopiaRoot = {
- directory = "/persist/deertopia.net/";
- group = "nginx";
- user = "nginx";
- };
-in
-{
- services.nginx.enable = true;
-
- networking.firewall.allowedTCPPorts = [
- 80 # HTTP
- 443 # HTTPS
- ];
-
- # With this section, virtual hosts declared through the Nginx NixOS module
- # will automatically request ACME SSL certificates and configure systemd
- # timers to renew the certificate if required. See the article on the NixOS
- # wiki, from which I've nabbed the following snippet:
- # https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
- security.acme = {
- acceptTerms = true;
- defaults.email = "lomiskiam@gmail.com";
- };
-
- services.nginx.virtualHosts."deertopia.net" = {
- root = "${deertopiaRoot.directory}/www";
-
- # addSSL = true;
- forceSSL = true;
- enableACME = true;
-
- locations."/" = {
- index = "index.html";
- };
- };
-
- system.activationScripts.initialiseDeertopiaRoot.text = ''
- mkdir -p "${deertopiaRoot.directory}"
- chown -R "${deertopiaRoot.user}:${deertopiaRoot.user}" \
- "${deertopiaRoot.directory}"
- chmod -R 775 "${deertopiaRoot.directory}"
- '';
-}
diff --git a/hosts/deertopia/services/seafile.nix b/hosts/deertopia/services/seafile.nix
deleted file mode 100755
index 614fcea..0000000
--- a/hosts/deertopia/services/seafile.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- sydnix.impermanence = {
- directories = [
- "/var/lib/seafile"
- ];
- };
-
- services.seafile = {
- enable = true;
-
- adminEmail = "lomiskiam@gmail.com";
- initialAdminPassword = "password123";
-
- ccnetSettings.General.SERVICE_URL = "http://files.deertopia.net";
-
- seafileSettings = {
- fileserver = {
- host = "ipv4:127.0.0.1";
- port = 8082;
- };
- };
- };
-
- services.nginx.virtualHosts."files.deertopia.net" = {
-
- };
-}
diff --git a/hosts/deertopia/services/tinydns.nix b/hosts/deertopia/services/tinydns.nix
deleted file mode 100755
index 7cf9045..0000000
--- a/hosts/deertopia/services/tinydns.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- services.tinydns = {
- enable = true;
- data = ''
- .internal.deertopia.net:192.168.68.79:dns:86400
- =*.internal.deertopia.net:192.168.68.79:86400
- =internal.deertopia.net:192.168.68.79:86400
-
- # Redirect everything else to the router's nameservers.
- &.::192.168.68.1:86400
- '';
- };
-
- networking.firewall.allowedUDPPorts = [
- 53
- ];
-
- networking.nameservers = [ "192.168.68.79" ];
-}
diff --git a/modules/nixos/deertopia.nix b/modules/nixos/deertopia.nix
new file mode 100644
index 0000000..9980413
--- /dev/null
+++ b/modules/nixos/deertopia.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+let
+ # TODO: Move to a fucking utility library already!
+ listNixFilesInDirectory = dir:
+ builtins.attrNames
+ (lib.filterAttrs
+ (k: _v: lib.hasSuffix ".nix" k)
+ (builtins.readDir dir));
+in {
+ imports =
+ builtins.map
+ (k: ./deertopia/${k})
+ (listNixFilesInDirectory ./deertopia);
+}
diff --git a/modules/nixos/deertopia/git-annex.nix b/modules/nixos/deertopia/git-annex.nix
new file mode 100755
index 0000000..dc15f80
--- /dev/null
+++ b/modules/nixos/deertopia/git-annex.nix
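Review bot: `listNixFilesInDirectory` in modules/nixos/deertopia.nix keeps every `readDir` entry whose name ends in `.nix` without looking at the entry type, so anything placed in `modules/nixos/deertopia/` is imported into the host unconditionally and a directory named like `foo.nix` would be passed to `imports` as a directory path. The filter can check the type as well, `(k: v: v != "directory" && lib.hasSuffix ".nix" k)`, which costs nothing since `readDir` already returns it. The auto-import convention itself deserves a line above `imports`, e.g. `# Every *.nix file in ./deertopia is imported automatically; gate each one behind its own enable option.`, so that the next file added there is written with that in mind.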
@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.sydnix.deertopia.git-annex;
+in
+{
+ options.sydnix.deertopia.git-annex = {
+ enable = lib.mkEnableOption "Git-annex";
+ };
+
+ config = {
+ environment.systemPackages = with pkgs; [
+ git-annex
+ # git
+ # rsync
+ ];
+
+ # # Our files managed by git-annex actually live on a WebDAV server that is
+ # # declared by the following section. This is mainly because it's the most
+ # # convenient way to share files with my iPhone. Apple hates developers!
+ # services.nginx = {
+ # # Nginx's WebDAV support is in a separate module we must import.
+ # additionalModules = [ pkgs.nginxModules.dav ];
+
+ # virtualHosts."dav.deertopia.net" = {
+ # addSSL = true;
+ # enableACME = true;
+ # locations."/".extraConfig = ''
+ # alias /persist/web/webdav;
+ # client_body_temp_path /tmp/nginx/webdav;
+ # dav_methods PUT DELETE MKCOL COPY MOVE;
+ # dav_ext_methods PROPFIND OPTIONS;
+ # create_full_put_path on
+
+ # auth_basic "Restricted Access";
+ # auth_basic_user_file /etc/nginx/webdav.passwd;
+
+ # # Deny all access unless authenticated
+ # satisfy all;
+ # allow all; # This allows all authenticated users
+ # deny all; # This denies all other users
+ # '';
+ # };
+ # };
+ };
+}
diff --git a/modules/nixos/deertopia/nginx.nix b/modules/nixos/deertopia/nginx.nix
new file mode 100644
index 0000000..f3f5a6c
--- /dev/null
+++ b/modules/nixos/deertopia/nginx.nix
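Review bot: `config = {` in modules/nixos/deertopia/git-annex.nix is not gated on the `enable` option declared directly above it, so `git-annex` is added to `environment.systemPackages` on every host that imports the module and `cfg` is bound but never read. The fix is the single line `config = lib.mkIf cfg.enable {`, matching how the sibling nginx module in this commit wraps its config. The commented-out WebDAV block is carried over verbatim; if it is not coming back, dropping it keeps the module down to what is actually evaluated, and if it is, the `auth_basic_user_file` path and the missing `;` after `create_full_put_path on` are the two things to revisit when it is revived.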
@@ -0,0 +1,119 @@
+{ config, lib, options, pkgs, ... }:
+
+let
+ cfg = config.sydnix.deertopia.nginx;
+in
+{
+ options.sydnix.deertopia.nginx = {
+ enable = lib.mkEnableOption "Nginx";
+
+ root = lib.mkOption {
+ type = lib.types.path;
+ description = "deertopia.net's root directory.";
+ default = "/persist/deertopia.net";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ description =
+ "The owning group of deertopia.net's root directory.";
+ default = "nginx";
+ };
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ description =
+ "The owning user of deertopia.net's root directory.";
+ default = "nginx";
+ };
+
+ vhosts = lib.mkOption {
+ # NOTE: `name` shouldn't contain spaces.
+ type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
+ options = {
+ enable = lib.mkOption {
+ description = "Enable ${name}.deertopia.net.";
+ default = true;
+ type = lib.types.boolean;
+ };
+ directory = lib.mkOption {
+ description = "Host's root directory.";
+ type = lib.types.str;
+ default = "${cfg.root}/${name}";
+ };
+ vhostName = lib.mkOption {
+ type = lib.types.str;
+ default = "${name}.deertopia.net";
+ };
+ vhost = lib.mkOption {
+ description = ''
+ Virtual host settings, passed directly to the NixOS's Nginx
+ module.
+ '';
+ type = lib.types.anything;
+ };
+ };
+ }));
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nginx.enable = true;
+
+ networking.firewall.allowedTCPPorts = [
+ 80 # HTTP
+ 443 # HTTPS
+ ];
+
+ # With this section, virtual hosts declared through the Nginx NixOS module
+ # will automatically request ACME SSL certificates and configure systemd
+ # timers to renew the certificate if required. See the article on the NixOS
+ # wiki, from which I've nabbed the following snippet:
+ # https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "lomiskiam@gmail.com";
+ };
+
+ services.nginx.virtualHosts =
+ builtins.listToAttrs
+ (builtins.map
+ (k: {
+ name = cfg.vhosts.${k}.vhostName;
+ value = cfg.vhosts.${k}.vhost // {
+ root = cfg.vhosts.${k}.directory;
+ };
+ })
+ (builtins.attrNames cfg.vhosts));
+
+ # services.nginx.virtualHosts."deertopia.net" = {
+ # root = "${cfg.www.root}/www";
+
+ # # addSSL = true;
+ # forceSSL = true;
+ # enableACME = true;
+
+ # locations."/" = {
+ # index = "index.html";
+ # };
+ # };
+
+ system.activationScripts.initialiseDeertopiaRoot.text =
+ let
+ directories =
+ builtins.catAttrs "directory" (builtins.attrValues cfg.vhosts);
+ inherit (cfg) root group user;
+ in ''
+ mkdir -p "${root}"
+ chown -R "${user}:${group}" "${root}"
+ chmod -R 775 "${root}"
+
+ dirs=(${builtins.concatStringsSep " " (map (x: "'${x}'") directories)})
+ for i in "''${dirs[@]}"; do
+ mkdir -p "$i"
+ chown -R "${user}:${group}" "$i"
+ chmod -R 775 "$i"
+ done
+ '';
+ };
+}
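Review bot: The per-vhost `enable` option in modules/nixos/deertopia/nginx.nix is declared with `type = lib.types.boolean;`, which is not a nixpkgs type (`lib.types.bool` is), so evaluation fails as soon as any vhost is defined, and even once corrected the option is never consulted: `services.nginx.virtualHosts` is built from `builtins.attrNames cfg.vhosts` and the activation script from every `directory`, so `enable = false` changes nothing. Add `enabledVhosts = lib.filterAttrs (_: v: v.enable) cfg.vhosts;` to the `let` and map over that in both places instead of `cfg.vhosts`. The activation script runs `chown -R`/`chmod -R 775` as root over the whole persistent web root on every activation, which leaves every served file writable by the `nginx` user and group (both the defaults here) and re-walks a tree that the same user can then populate; creating the directories non-recursively with `systemd.tmpfiles.rules = [ "d ${root} 0755 ${user} ${group} -" ] ++ map (d: "d ${d} 0755 ${user} ${group} -") directories;` sets owner and mode once without the recursive pass. `options` is taken from the module arguments but never used and `vhost` is typed `lib.types.anything`; if the intent was to validate the settings against the NixOS nginx module's own virtualHosts element type, that is worth finishing or the unused argument dropped, though the intent is inferred from the argument list.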