From 2efae4f888da4815a83baa7ab35bc6b13d80d758 Mon Sep 17 00:00:00 2001 From: derped Date: Mon, 4 Mar 2019 10:35:50 +0100 Subject: [PATCH] Hydra kind of works now. Switched to nixos nextcloud module. Renamed some stuff and added kdeconnect firewall rules. Added gvfs modules environmen variable. --- config/networking.nix | 2 + config/nix.nix | 11 +- machines/Lilim/Lilim.nix | 8 +- machines/Lilim/configuration.nix | 2 + machines/Lilim/hardware-configuration.nix | 7 +- machines/Ophanim/configuration.nix | 5 +- pkgs/pkgsets.nix | 7 +- services/gitea.nix | 2 +- services/hydra.nix | 11 + services/mariaDB.nix | 9 - services/nginx.nix | 321 +++++++--------------- services/openssh.nix | 2 +- services/xserver.nix | 1 + 13 files changed, 144 insertions(+), 244 deletions(-) diff --git a/config/networking.nix b/config/networking.nix index d84a07c..47ff177 100644 --- a/config/networking.nix +++ b/config/networking.nix @@ -11,6 +11,8 @@ in { allowPing = cfg.conf.networking.firewall.allowPing; allowedUDPPorts = cfg.conf.networking.firewall.allowedUDPPorts; allowedTCPPorts = cfg.conf.networking.firewall.allowedTCPPorts; + allowedUDPPortRanges = cfg.conf.networking.firewall.allowedUDPPortRanges; + allowedTCPPortRanges = cfg.conf.networking.firewall.allowedTCPPortRanges; }; }; } diff --git a/config/nix.nix b/config/nix.nix index 189245f..e93241f 100644 --- a/config/nix.nix +++ b/config/nix.nix 
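Review bot: The new pass-through lines `allowedUDPPortRanges = cfg.conf.networking.firewall.allowedUDPPortRanges;` and `allowedTCPPortRanges = cfg.conf.networking.firewall.allowedTCPPortRanges;` read two attributes that every machine's configuration.nix must now define, otherwise evaluation fails with a missing-attribute error; Lilim and Ophanim are updated in this patch, any other machine file is not visible here. Defaulting them, `cfg.conf.networking.firewall.allowedUDPPortRanges or []` (and the TCP twin), keeps older machine files evaluating and still lets a machine open ranges when it wants to. The `cfg` binding and the enclosing firewall attribute set begin above the hunk.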
@@ -5,17 +5,20 @@ maxJobs = 4; buildCores = 1; autoOptimiseStore = true; - sshServe.enable = false; - #sshServe.keys = []; useSandbox = true; extraOptions = '' build-timeout = 86400 # 24 hours ''; + sshServe.enable = true; + sshServe.keys = ( if config.networking.hostName == "Ophanim" then [ (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/nix-ssh.pub)) ] else []); + binaryCachePublicKeys = [ (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/hydra_cache.pub)) ]; trustedBinaryCaches = [ - "http://cache.nixos.org" + "https://cache.nixos.org" + "https://cache.ophanim.de" ]; binaryCaches = [ - "http://cache.nixos.org" + "https://cache.nixos.org" + "https://cache.ophanim.de" ]; }; } diff --git a/machines/Lilim/Lilim.nix b/machines/Lilim/Lilim.nix index 1d51419..f9d61c1 100644 --- a/machines/Lilim/Lilim.nix +++ b/machines/Lilim/Lilim.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: -let - cfg = import ./configuration.nix; -in { +{ imports = [ ./hardware-configuration.nix ]; @@ -15,7 +13,7 @@ in { ''; }; - environment.systemPackages = with pkgs; [ surface-firmware xdiskusage ]; + environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ]; - system.stateVersion = "18.09"; + system.stateVersion = "19.03"; } diff --git a/machines/Lilim/configuration.nix b/machines/Lilim/configuration.nix index c6ca10a..9476706 100644 --- a/machines/Lilim/configuration.nix +++ b/machines/Lilim/configuration.nix @@ -24,6 +24,8 @@ allowPing = true; allowedUDPPorts = []; allowedTCPPorts = []; + allowedUDPPortRanges = [ { from = 1714; to = 1764; } ]; + allowedTCPPortRanges = [ { from = 1714; to = 1764; } ]; }; }; }; diff --git a/machines/Lilim/hardware-configuration.nix b/machines/Lilim/hardware-configuration.nix index ec565e9..7854aa9 100644 --- a/machines/Lilim/hardware-configuration.nix +++ b/machines/Lilim/hardware-configuration.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - surfacepkgs = import {}; + localpkgs = import {}; in { imports = [ ]; 
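Review bot: `binaryCachePublicKeys = [ (...readFile /secret/hydra_cache.pub) ]` lists only the Hydra key while `binaryCaches` still includes `https://cache.nixos.org`; whether the cache.nixos.org-1 key remains trusted depends on the nix-daemon module appending it (I believe it does in this NixOS version, but confirm with `nix show-config | grep trusted-public-keys` on a deployed host), so listing that key explicitly next to the Hydra one is the safe form. The `readFile /secret/hydra_cache.pub` is unconditional, so every host that evaluates this file must carry that file, unlike `/secret/nix-ssh.pub` which is guarded by the hostName check; a comment such as `# public keys only: readFile copies them into the world-readable store` records why this is acceptable here and must not be repeated for private material. Likewise `sshServe.enable = true` creates the nix-ssh account on every host although only Ophanim receives a key; gating it the same way, `sshServe.enable = config.networking.hostName == "Ophanim";`, keeps the extra account off the laptop.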
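Review bot: The two new ranges `allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];` and `allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];` open 51 ports on every interface of a laptop, so the KDE Connect daemon is reachable from any network the machine joins, not only the LAN where the paired phone is. A comment naming the consumer, `# KDE Connect discovery/transfer ports; exposed on all interfaces`, would at least record the intent, and if the wrapper in config/networking.nix grows per-interface support the range belongs under `networking.firewall.interfaces.<wlan>` instead of the global lists.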
@@ -9,8 +9,7 @@ in { loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; cleanTmpDir = true; -# kernelPackages = pkgs.linuxPackages_surface; - kernelPackages = surfacepkgs.linuxPackages_surface; + kernelPackages = pkgs.linuxPackages_latest; initrd.kernelModules = [ "hid-multitouch" ]; initrd.availableKernelModules = [ "hid-microsoft" "hid-multitouch" "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; kernelModules = [ "kvm-intel" "hid-microsoft" "hid-multitouch" "uinput" ]; @@ -30,7 +29,7 @@ in { swapDevices = [ ]; hardware = { - firmware = with pkgs; [ firmwareLinuxNonfree surface-firmware ]; + firmware = with pkgs; [ firmwareLinuxNonfree firmware_surface ]; cpu.intel.updateMicrocode = true; enableAllFirmware = true; enableKSM = true; diff --git a/machines/Ophanim/configuration.nix b/machines/Ophanim/configuration.nix index 73d8d8c..af22c35 100644 --- a/machines/Ophanim/configuration.nix +++ b/machines/Ophanim/configuration.nix @@ -10,6 +10,7 @@ ../../services/hydra.nix ../../services/mailserver.nix ../../services/mariaDB.nix + ../../services/nextcloud.nix ../../services/nginx.nix ../../services/openssh.nix ]; @@ -20,7 +21,9 @@ firewall = { allowPing = false; allowedUDPPorts = [ 22 80 443 ]; - allowedTCPPorts = [ 80 443 5222 5269 ]; + allowedTCPPorts = [ 80 443 ]; # 5222 5269 ]; + allowedUDPPortRanges = []; + allowedTCPPortRanges = []; }; }; }; diff --git a/pkgs/pkgsets.nix b/pkgs/pkgsets.nix index fb6a7a6..c0c401e 100644 --- a/pkgs/pkgsets.nix +++ b/pkgs/pkgsets.nix @@ -36,7 +36,7 @@ let nix-update-source nix-zsh-completions nixbang - nixops +# nixops nmap nox ntfs3g @@ -56,7 +56,7 @@ let unzipNLS usbutils vim - vulnix +# vulnix wget whois wirelesstools @@ -232,7 +232,8 @@ let gnome3.dconf gnome3.gnome-terminal gnome3.gvfs - pcmanfm + gvfs + pcmanfm lxmenu-data shared_mime_info pavucontrol xclip xlibs.xkill diff --git a/services/gitea.nix b/services/gitea.nix index dca1c4b..a9c45a0 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
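Review bot: The added import `../../services/nextcloud.nix` refers to a file that is not part of this patch: the diffstat lists 13 files and services/nextcloud.nix is not among them, so unless it was committed separately or is untracked, Ophanim's configuration no longer evaluates. That file is also where `services.nextcloud.hostName`, `https`, `home`, `maxUploadSize` and `webfinger`, all consumed by the new nginx vhost in this patch, must be set, so it is worth either adding it to this commit or stating in the message where it lives.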
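Review bot: The rewritten line `allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];` leaves the (presumably XMPP) ports behind as a comment fragment with a stray `];`, which reads as a half-finished edit; either drop the trailer or make it `# 5222 5269 closed until the XMPP server returns`. The unchanged context line `allowedUDPPorts = [ 22 80 443 ];` opens three UDP ports that none of the services visible in this patch listen on (sshd and nginx here are TCP-only and no HTTP/3 configuration is shown), so this is a good moment to shrink it to `[]` as well. The new `allowedUDPPortRanges = []` / `allowedTCPPortRanges = []` lines are fine and are required by the networking.nix change.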
@@ -15,7 +15,7 @@ }; extraConfig = '' [repository] - DISABLE_HTTP_GIT = true + DISABLE_HTTP_GIT = false USE_COMPAT_SSH_URI = true [security] diff --git a/services/hydra.nix b/services/hydra.nix index 4c93f62..e36a70b 100644 --- a/services/hydra.nix +++ b/services/hydra.nix @@ -4,6 +4,10 @@ # sudo -u hydra -s # hydra-create-user $USERNAME --password $PASSWORD --role admin +# also for reference some other hydra configs: +# https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix +# https://gist.github.com/LnL7/fcd5c0bf772f2165a1ac40be6617d2f4 + { # also take a look at ../conf/nix.nix nix.buildMachines = [ @@ -25,5 +29,12 @@ notificationSender = "hydra@mail.ophanim.de"; # e-mail of hydra service useSubstitutes = true; debugServer = false; + extraConfig = '' + max_output_size = 4294967296 + store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache + server_store_uri = https://cache.ophanim.de + binary_cache_public_uri https://cache.ophanim.de + upload_logs_to_binary_cache = true + ''; }; } diff --git a/services/mariaDB.nix b/services/mariaDB.nix index ade9a80..5eafc3a 100644 --- a/services/mariaDB.nix +++ b/services/mariaDB.nix @@ -1,21 +1,12 @@ { config, pkgs, ... }: let - nextcloudpwd = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/nextcloud_db)); giteapwd = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/gitea)); in { services.mysql = { enable = true; package = pkgs.mariadb; initialDatabases = [ { - name = "nextcloud"; - schema = pkgs.writeText "nextcloud.sql" - '' - create user if not exists 'nextcloud'@'localhost' identified by ${nextcloudpwd}; - grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by ${nextcloudpwd}; - ''; - } - { name = "gitea"; schema = pkgs.writeText "gitea.sql" '' diff --git a/services/nginx.nix b/services/nginx.nix index a5a7181..b699010 100644 --- a/services/nginx.nix +++ b/services/nginx.nix 
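Review bot: Flipping to `DISABLE_HTTP_GIT = false` re-enables Git smart-HTTP, so clone and push credentials (password or token over HTTP basic auth) now travel through the reverse proxy; the git.ophanim.de vhost later in this patch sets `forceSSL = true`, so on the wire this is TLS, but Gitea's own listener is not visible here and should stay bound to localhost. A short comment above the line, `# HTTP git enabled; safe only behind the forceSSL nginx vhost`, records that dependency. The `[security]` section that follows is cut off by the hunk.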
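Review bot: `store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache` together with `upload_logs_to_binary_cache = true` copies every build output and every build log into /var/cache/hydra, and the nginx hunk in this same patch serves that directory to the world as cache.ophanim.de; build logs routinely echo fetch URLs, environment values and paths from private jobsets, so leave log upload off (`upload_logs_to_binary_cache = false`) until the jobset list is known to be public-only. `/secret/hydra_cache` must be readable by the Hydra queue-runner user and nobody else, since any holder of it can sign outputs that every host carrying this key in `binaryCachePublicKeys` will trust; a comment stating the expected owner and mode would help. Style: `binary_cache_public_uri https://cache.ophanim.de` is the only setting without `=`; Hydra's config parser accepts both forms as far as I know, but `binary_cache_public_uri = https://cache.ophanim.de` matches its neighbours.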
@@ -3,11 +3,10 @@ # - Nginx + SSL config # # - Gitea # # - Nextcloud # -# - Heavily based on: https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271 # # - Mail ssl root # ############################################################################################## -{ conf, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let gitpkgs = import /nixpkgs/default.nix {}; 
@@ -37,171 +36,117 @@ in { } ''; }; + "cache.ophanim.de" = { + enableACME = true; + forceSSL = true; + root = "/var/cache/hydra"; + extraConfig = '' + autoindex on; + ''; + }; "mail.ophanim.de" = { enableACME = true; forceSSL = true; root = "/var/www"; }; - "storage.ophanim.de" = { - enableACME = true; - forceSSL = true; - root = "${gitpkgs.nextcloud}"; - locations = { - "/robots.txt" = { - extraConfig = '' - allow all; - log_not_found off; - access_log off; - ''; - }; - "~ ^/(?:\.htaccess|config|db_structure\.xml|README)" = { - extraConfig = "deny all;"; - }; + "${config.services.nextcloud.hostName}" = { + root = pkgs.nextcloud; + enableACME = config.services.nextcloud.https; + forceSSL = config.services.nextcloud.https; + locations = { + "= /robots.txt" = { + priority = 100; + extraConfig = '' + allow all; + log_not_found off; + access_log off; + ''; + }; + "/" = { + priority = 200; + extraConfig = "rewrite ^ /index.php$request_uri;"; + }; + "~ ^/store-apps" = { + priority = 201; + extraConfig = "root ${config.services.nextcloud.home};"; + }; + "= /.well-known/carddav" = { + priority = 210; + extraConfig = "return 301 $scheme://$host/remote.php/dav;"; + }; + "= /.well-known/caldav" = { + priority = 210; + extraConfig = "return 301 $scheme://$host/remote.php/dav;"; + }; + "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/" = { + priority = 300; + extraConfig = "deny all;"; + }; + "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = { + priority = 300; + extraConfig = "deny all;"; + }; + "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\\.php(?:$|/)" = { + priority = 500; + extraConfig = '' + include ${config.services.nginx.package}/conf/fastcgi.conf; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS ${if config.services.nextcloud.https then "on" else "off"}; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + 
fastcgi_pass unix:/run/phpfpm/nextcloud; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_read_timeout 120s; + ''; + }; + "~ ^/(?:updater|ocs-provider|ocm-provider)(?:$|\/)".extraConfig = '' + try_files $uri/ =404; + index index.php; + ''; + "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = '' + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + access_log off; + ''; + "~ \\.(?:png|html|ttf|ico|jpg|jpeg)$".extraConfig = '' + try_files $uri /index.php$request_uri; + access_log off; + ''; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + client_max_body_size ${config.services.nextcloud.maxUploadSize}; + fastcgi_buffers 64 4K; + fastcgi_hide_header X-Powered-By; + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + ${lib.optionalString config.services.nextcloud.webfinger 
'' + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''} + ''; + }; - "/" = { - extraConfig = '' - rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; - rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; - rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - try_files $uri $uri/ =404; - ''; - }; - - "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/)" = { - extraConfig = '' - include ${pkgs.nginx}/conf/uwsgi_params; - uwsgi_modifier1 14; - uwsgi_hide_header X-Frame-Options; - uwsgi_hide_header X-XSS-Protection; - uwsgi_hide_header X-Content-Type-Options; - uwsgi_hide_header X-Robots-Tag; - uwsgi_param MOD_X_ACCEL_REDIRECT_ENABLED on; - uwsgi_pass unix:/run/uwsgi/php.sock; - ''; - }; - - "~* \.(?:css|js)$" = { - extraConfig = '' - add_header Cache-Control "public, max-age=7200"; - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - access_log off; - ''; - }; - - "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" = { - extraConfig = '' - access_log off; - ''; - }; - - "^~ /data" = { - extraConfig = '' - internal; - ''; - }; - - "^~ /apps" = { - extraConfig = '' - alias /var/lib/nextcloud/apps; - ''; - }; - }; - -### Settings for new nextcloud module.... does not work yet??? 
-# locations = { -# "= /robots.txt" = { -# priority = 100; -# extraConfig = '' -# allow all; -# log_not_found off; -# access_log off; -# ''; -# }; -# "/" = { -# priority = 200; -# extraConfig = "rewrite ^ /index.php$uri;"; -# }; -# "~ ^/store-apps" = { -# priority = 201; -# extraConfig = "root /var/lib/nextcloud;"; -# }; -# "= /.well-known/carddav" = { -# priority = 210; -# extraConfig = "return 301 $scheme://$host/remote.php/dav;"; -# }; -# "= /.well-known/caldav" = { -# priority = 210; -# extraConfig = "return 301 $scheme://$host/remote.php/dav;"; -# }; -# "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/" = { -# priority = 300; -# extraConfig = "deny all;"; -# }; -# "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = { -# priority = 300; -# extraConfig = "deny all;"; -# }; -# "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\\.php(?:$|/)" = { -# priority = 500; -# extraConfig = '' -# include ${pkgs.nginxMainline}/conf/fastcgi.conf; -# fastcgi_split_path_info ^(.+\.php)(/.*)$; -# fastcgi_param PATH_INFO $fastcgi_path_info; -# fastcgi_param HTTPS on; -# fastcgi_param modHeadersAvailable true; -# fastcgi_param front_controller_active true; -# fastcgi_pass unix:/run/phpfpm/nextcloud; -# fastcgi_intercept_errors on; -# fastcgi_request_buffering off; -# fastcgi_read_timeout 120s; -# ''; -# }; -# "~ ^/(?:updater|ocs-provider)(?:$|/)".extraConfig = '' -# try_files $uri/ =404; -# index index.php; -# ''; -# "~ \\.(?:css|js|woff|svg|gif)$".extraConfig = '' -# try_files $uri /index.php$uri$is_args$args; -# add_header Cache-Control "public, max-age=15778463"; -# add_header X-Content-Type-Options nosniff; -# add_header X-XSS-Protection "1; mode=block"; -# add_header X-Robots-Tag none; -# add_header X-Download-Options noopen; -# add_header X-Permitted-Cross-Domain-Policies none; -# access_log off; -# ''; -# "~ \\.(?:png|html|ttf|ico|jpg|jpeg)$".extraConfig = '' -# try_files $uri /index.php$uri$is_args$args; -# access_log 
off; -# ''; -# }; -# extraConfig = '' -# add_header X-Content-Type-Options nosniff; -# add_header X-XSS-Protection "1; mode=block"; -# add_header X-Robots-Tag none; -# add_header X-Download-Options noopen; -# add_header X-Permitted-Cross-Domain-Policies none; -# error_page 403 /core/templates/403.php; -# error_page 404 /core/templates/404.php; -# client_max_body_size 1024M; -# fastcgi_buffers 64 4K; -# gzip on; -# gzip_vary on; -# gzip_comp_level 4; -# gzip_min_length 256; -# gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; -# gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; -# ''; - }; "git.ophanim.de" = { enableACME = true; forceSSL = true; 
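Review bot: `autoindex on;` in the new cache.ophanim.de vhost turns the Hydra store into a browsable listing, which a Nix binary cache does not need (clients request `<hash>.narinfo` and `nar/...` paths directly) and which, with log upload enabled in the hydra.nix hunk, lets anyone enumerate build logs and outputs; dropping that `extraConfig` is the one-line fix. The nextcloud vhost sets no `Strict-Transport-Security` header, which the removed css/js location did, and `forceSSL` as far as I recall only adds the redirect, so unless HSTS is configured elsewhere an `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;` in the vhost `extraConfig` restores it (nginx drops inherited `add_header`s in any location that sets its own, so the css/js location needs it too). If services/nextcloud.nix (not in this patch) also turns on `services.nextcloud.nginx.enable`, the NixOS module will define the same `virtualHosts.${hostName}` and the duplicated `locations` will collide or double up; presumably one of the two should own this vhost. The enclosing `virtualHosts` set and the git.ophanim.de vhost continue past the hunk.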
@@ -227,60 +172,4 @@ in { }; }; }; - - # Nextcloud system cron - users.users.nginx.useDefaultShell = true; - systemd.services.nextcloudcron = { - description = "Nextcloud cron"; - after = [ "network.target" ]; - script = '' - ${pkgs.php}/bin/php ${gitpkgs.nextcloud}/cron.php - ${gitpkgs.nextcloud-news-updater}/bin/nextcloud-news-updater -t 2 -i 30 --mode singlerun ${gitpkgs.nextcloud} - ''; - environment = { NEXTCLOUD_CONFIG_DIR = "/var/lib/nextcloud/config"; }; - serviceConfig.User = "nginx"; - }; - systemd.timers.nextcloudcron = { - enable = true; - description = "Nextcloud cron timer"; - wantedBy = [ "timers.target" ]; - partOf = [ "Nextcloudcron.service" ]; - timerConfig = { - RandomizedDelaySec = "5min"; - OnCalendar = "*-*-* *:00,30:00"; # every 1/2h - Persistent = true; - }; - }; - - services.uwsgi = { - enable = true; - user = "nginx"; - group = "nginx"; - instance = { - type = "emperor"; - vassals = { - php = { - type = "normal"; - socket = "/run/uwsgi/php.sock"; - master = true; - vacuum = true; - - processes = 16; - cheaper = 1; - php-sapi-name = "apache"; # opcode caching tweak - - php-allowed-ext = [ ".php" ".inc" ]; - socket-modifier1 = 14; - php-index = "index.php"; - - php-set = "date.timezone=Europe/Berlin"; - env = [ - "NEXTCLOUD_CONFIG_DIR=/var/lib/nextcloud/config" - ]; - plugins = [ "php" ]; - }; - }; - }; - plugins = [ "php" ]; - }; } diff --git a/services/openssh.nix b/services/openssh.nix index 205b146..174adc8 100644 --- a/services/openssh.nix +++ b/services/openssh.nix @@ -12,7 +12,7 @@ passwordAuthentication = false; permitRootLogin = "no"; extraConfig = '' - AllowUsers derped git + AllowUsers derped git nix-ssh ''; }; } diff --git a/services/xserver.nix b/services/xserver.nix index 0e4bca9..3eb071f 100644 --- a/services/xserver.nix +++ b/services/xserver.nix 
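Review bot: Adding `nix-ssh` to `AllowUsers derped git nix-ssh` admits that account through sshd on every host that imports this file, while the nix.nix hunk only installs a key for it on Ophanim; with `passwordAuthentication = false` above, the other hosts end up with an allowed but keyless user, which is harmless but worth a comment. The account's safety rests on the nix-ssh-serve module, which as far as I recall adds a `Match User nix-ssh` block with `ForceCommand nix-store --serve` and forwarding disabled, so `nix.sshServe.enable` must stay on wherever this line is in effect; `# nix-ssh: key-only, restricted to nix-store --serve by nix.sshServe` above the AllowUsers line would record that coupling. The `services.openssh` set starts above the hunk.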
@@ -2,6 +2,7 @@ { services.gnome3.gvfs.enable = true; + environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gnome3.gvfs}/lib/gio/modules" ]; services.xserver = { enable = true; layout = "de";