Diffstat (limited to 'modules/server')
| -rw-r--r-- | modules/server/default.nix | 17 | ||||
| -rw-r--r-- | modules/server/networking/caddy.nix | 28 | ||||
| -rw-r--r-- | modules/server/networking/default.nix | 14 | ||||
| -rw-r--r-- | modules/server/system.nix | 4 | ||||
| -rw-r--r-- | modules/server/systemd.nix | 27 | ||||
| -rw-r--r-- | modules/server/users.nix | 10 | ||||
| -rw-r--r-- | modules/server/virtualisation.nix | 76 |
7 files changed, 176 insertions, 0 deletions
diff --git a/modules/server/default.nix b/modules/server/default.nix
new file mode 100644
index 0000000..c81450d
--- /dev/null
+++ b/modules/server/default.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+ imports = [
+ ../core/networking/vpn/tailscale.nix
+ ../core/nix
+ ./networking
+ ./system.nix
+ ./systemd.nix
+ ./users.nix
+ ./virtualisation.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ fastfetch
+ vim
+ ];
+}
diff --git a/modules/server/networking/caddy.nix b/modules/server/networking/caddy.nix
new file mode 100644
index 0000000..aae8fb7
--- /dev/null
+++ b/modules/server/networking/caddy.nix
@@ -0,0 +1,28 @@
+{
+ services.caddy = {
+ enable = true;
+
+ virtualHosts = {
+ "mayu.due.moe".extraConfig = "reverse_proxy localhost:8098";
+ "counter.due.moe".extraConfig = "reverse_proxy localhost:8098";
+ "bin.fuwn.me".extraConfig = "reverse_proxy localhost:8090";
+
+ "fuwn.me".extraConfig = ''
+ reverse_proxy localhost:8084
+
+ header Onion-Location http://fuwnme4wbs5x36jjf2usedw2zscozwhazykhyfkjsmudtb7egs3mb7yd.onion{path}
+
+ @blocked {
+ path /proxy/illegaldrugs.net/cgi-bin/news.php*
+ path /proxy/scholasticdiversity.us.to/scriptures/*
+ path /proxy/jsreed5.org/oeis/*
+ }
+ respond @blocked 403
+
+ @no_forwarded_for not header X-Forwarded-For *
+ request_header @no_forwarded_for X-Forwarded-For {remote_host}
+ respond /whoami {header.X-Forwarded-For} 200
+ '';
+ };
+ };
+}
diff --git a/modules/server/networking/default.nix b/modules/server/networking/default.nix
new file mode 100644
index 0000000..c71b072
--- /dev/null
+++ b/modules/server/networking/default.nix
@@ -0,0 +1,14 @@
+{
+ imports = [ ./caddy.nix ];
+ services.openssh.enable = true;
+
+ networking = {
+ hostName = "himeji";
+ domain = "";
+
+ firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+}
diff --git a/modules/server/system.nix b/modules/server/system.nix
new file mode 100644
index 0000000..a779da1
--- /dev/null
+++ b/modules/server/system.nix
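Review bot: The `@no_forwarded_for` matcher in the fuwn.me block only fills in X-Forwarded-For when the client did not send one, so a client-chosen value passes through untouched and is echoed back by `respond /whoami {header.X-Forwarded-For} 200`; whether reverse_proxy later strips it before localhost:8084 depends on the Caddy version and its trusted_proxies setting, so any client-IP logic downstream may be trusting attacker-supplied data. Unless a trusted proxy sits in front of Caddy, overwrite the header unconditionally with `request_header X-Forwarded-For {remote_host}` and drop the matcher line. If a front proxy does exist, declare it via Caddy's `trusted_proxies` global option so only its value is honoured.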
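Review bot: sshd is enabled with stock defaults while users.nix later in this diff makes root the only account, carrying both a password hash and an authorized key; the password-login and root-login policy is therefore left to the NixOS release defaults rather than stated here. Pin them next to `services.openssh.enable = true;`: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";`. The firewall also admits only 80 and 443, yet virtualisation.nix publishes 70, 79 and 1965 on the host; either those services are unreachable from outside or the container engine's NAT rules bypass the NixOS firewall, which is worth confirming, and the ports meant to be public belong in `allowedTCPPorts` so the exposure is explicit.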
@@ -0,0 +1,4 @@
+{
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+}
diff --git a/modules/server/systemd.nix b/modules/server/systemd.nix
new file mode 100644
index 0000000..acdcef4
--- /dev/null
+++ b/modules/server/systemd.nix
@@ -0,0 +1,27 @@
+{ secrets, ... }:
+let
+ containerEngine = "podman";
+in
+{
+ systemd.services.tailscale-up = {
+ after = [ "tailscaled.service" ];
+ requires = [ "tailscaled.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = "/run/current-system/sw/bin/tailscale up --authkey ${secrets.tailscale_authentication_key}";
+ Restart = "on-failure";
+ };
+ };
+
+ systemd.services.ghcr-login = {
+ after = [ "${containerEngine}.service" ];
+ requires = [ "${containerEngine}.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = "/run/current-system/sw/bin/${containerEngine} login ghcr.io -u ${secrets.ghcr.username} -p ${secrets.ghcr.token}";
+ Restart = "on-failure";
+ };
+ };
+}
diff --git a/modules/server/users.nix b/modules/server/users.nix
new file mode 100644
index 0000000..338b510
--- /dev/null
+++ b/modules/server/users.nix
@@ -0,0 +1,10 @@
+{ secrets, ... }:
+{
+ users.users.root = {
+ initialHashedPassword = secrets.initial_hashed_password;
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBm/ydlGJiKWMxH6v9SFN3vo/ZkX6eQ+uCmH32gnCkUW"
+ ];
+ };
+}
diff --git a/modules/server/virtualisation.nix b/modules/server/virtualisation.nix
new file mode 100644
index 0000000..3d8effe
--- /dev/null
+++ b/modules/server/virtualisation.nix
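Review bot: Both `ExecStart` lines interpolate secrets into the unit text — the Tailscale auth key in tailscale-up and the GHCR token in ghcr-login — so the values are written into the world-readable Nix store and show up in `systemctl show` and process listings for any local user. Read them from a root-only file at run time instead: for ghcr-login use `login ghcr.io -u <user> --password-stdin` with `StandardInput = "file:<path-to-token-file>";` (or `LoadCredential=`), and for tailscale-up use `tailscale up --auth-key file:<path-to-key-file>`. The same issue recurs with `FINNHUB_TOKEN` under `environment` in virtualisation.nix, which should be supplied through `environmentFiles` rather than inline. Both units also run a one-shot command under the default service type; `Type = "oneshot";` with `RemainAfterExit = true;` describes them more accurately and keeps `Restart = "on-failure"` meaningful.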
@@ -0,0 +1,76 @@
+{ secrets, ... }:
+let
+ containerEngine = "podman";
+in
+{
+ virtualisation = {
+ containers.enable = true;
+ docker.enable = containerEngine == "docker";
+
+ podman = {
+ enable = containerEngine == "podman";
+ dockerCompat = true;
+ defaultNetwork.settings.dns_enabled = true;
+ };
+
+ oci-containers = {
+ backend = containerEngine;
+
+ containers = {
+ september = {
+ image = "fuwn/september";
+ autoStart = true;
+ ports = [ "8084:80" ];
+
+ environment = {
+ CONDENSE_LINKS_AT_HEADINGS = "## Quick Links,# Fuwn[.me],## Footer";
+ EMBED_IMAGES = "2";
+ HEAD = ''<script async src="https://us.umami.is/script.js" data-website-id="fb2fa218-bbfc-419f-8b70-4f0b937df064"></script><link rel="icon" type="image/x-icon" href="https://avatars.githubusercontent.com/u/99055925?s=200&v=4">'';
+ MATHJAX = "true";
+ PLAIN_TEXT_ROUTE = "*.xml,*.txt";
+ PRIMARY_COLOUR = "#DCC6BD";
+ };
+ };
+
+ momoka = {
+ image = "fuwn/momoka";
+ autoStart = true;
+ ports = [ "70:70" ];
+ };
+
+ gigi = {
+ image = "fuwn/gigi";
+ autoStart = true;
+ ports = [ "79:79" ];
+ volumes = [ "/mnt/docker/gigi:/gigi/.gigi" ];
+ };
+
+ mayu = {
+ image = "fuwn/mayu";
+ autoStart = true;
+ ports = [ "8098:3000" ];
+ volumes = [ "/mnt/docker/mayu:/mayu/data" ];
+ };
+
+ locus = {
+ image = "ghcr.io/gemrest/locus";
+ autoStart = true;
+ ports = [ "1965:1965" ];
+ volumes = [ "/mnt/docker/locus:/locus/.locus" ];
+
+ environment = {
+ FINNHUB_TOKEN = secrets.finnhub_token;
+ HEADER_IMAGE = "https://ruu.neocities.org/images/animeHeader.gif";
+ };
+ };
+
+ bin = {
+ image = "quxfoo/wastebin";
+ autoStart = true;
+ ports = [ "8090:8088" ];
+ volumes = [ "/mnt/docker/bin:/root/db" ];
+ };
+ };
+ };
+ };
+}
|
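Review bot: Every `ports` entry publishes on all host interfaces, so the backends that caddy.nix only ever proxies via localhost (8084 for september, 8098 for mayu, 8090 for bin) are also reachable directly, skipping Caddy's TLS termination and the `@blocked` rules, unless the host firewall happens to filter the container engine's NAT traffic. Bind the proxied ones to loopback, e.g. `ports = [ "127.0.0.1:8084:80" ];`, and likewise for 8098 and 8090. All images are also pulled by mutable tag (`fuwn/september`, `quxfoo/wastebin`, and the rest resolve to latest); pinning by digest, `image = "fuwn/september@sha256:<digest>";`, makes the deployment reproducible and closes the silent-update path on the next pull.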