tvl-depot/ops/nixos/camden/default.nix

# This file configures camden.tazj.in, my homeserver.

{ pkgs, lib, ... }:

config: let
  nixpkgs = import pkgs.third_party.nixpkgsSrc {
    config.allowUnfree = true;
  };
in pkgs.lib.fix(self: {
  imports = [ ../modules/tailscale.nix ];

  # camden is intended to boot unattended, despite having an encrypted
  # root partition.
  #
  # The below configuration uses an externally connected USB drive
  # that contains a LUKS key file to unlock the disk automatically at
  # boot.
  #
  # TODO(tazjin): Configure LUKS unlocking via SSH instead.
  boot = {
    initrd = {
      availableKernelModules = [
        "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"
        "rtsx_usb_sdmmc" "r8169"
      ];

      kernelModules = [ "dm-snapshot" ];

      luks.devices.camden-crypt = {
        fallbackToPassword = true;
        device = "/dev/disk/by-label/camden-crypt";
        keyFile = "/dev/sdb";
        keyFileSize = 4096;
      };
    };

    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    cleanTmpDir = true;
  };

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/camden-root";
      fsType = "ext4";
    };

    "/home" = {
      device = "/dev/disk/by-label/camden-home";
      fsType = "ext4";
    };

    "/boot" = {
      device = "/dev/disk/by-label/BOOT";
      fsType = "vfat";
    };
  };

  nix = {
    maxJobs = lib.mkDefault 4;

    nixPath = [
      "depot=/home/tazjin/depot"
      "nixpkgs=${pkgs.third_party.nixpkgsSrc}"
    ];
  };
  nixpkgs.pkgs = nixpkgs;

  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

  networking = {
    hostName = "camden";
    interfaces.enp1s0.useDHCP = true;
    firewall.allowedTCPPorts = [ 22 8080 80 443 ];
  };

  time.timeZone = "UTC";

  # System-wide application setup
  programs.fish.enable = true;
  environment.systemPackages =
    # programs from the depot
    (with pkgs; [
      third_party.git
      third_party.tailscale
    ]) ++

    # programs from nixpkgs
    (with nixpkgs; [
      curl emacs26-nox gnupg pass pciutils direnv
    ]);

  users = {
    # Set up my own user for logging in and doing things ...
    users.tazjin = {
      isNormalUser = true;
      uid = 1000;
      extraGroups = [ "git" "wheel" ];
      shell = nixpkgs.fish;
    };

    # Set up a user & group for general git shenanigans
    groups.git = {};
    users.git = {
      group = "git";
      isNormalUser = false;
    };
  };

  # Services setup
  services.openssh.enable = true;
  services.haveged.enable = true;

  # Join Tailscale into home network
  services.tailscale = {
    enable = true;
    relayConf = "/etc/tailscale.conf";
    package = pkgs.third_party.tailscale;
    aclFile = pkgs.nix.tailscale {
      ACLs = [
        # Allow any traffic from myself
        {
          Action = "accept";
          Users = [ "mail@tazj.in" ];
          Ports = [ "*:*" ];
        }
      ];
    } ;
  };

  # Run cgit for the depot. The onion here is nginx(thttpd(cgit)).
  systemd.services.cgit = {
    wantedBy = [ "multi-user.target" ];
    script = "${pkgs.web.cgit-taz}/bin/cgit-launch";

    serviceConfig = {
      Restart = "on-failure";
      User = "git";
      Group = "git";
    };
  };

  # serve my website
  services.nginx = {
    enable = true;
    enableReload = true;

    # recommendedTlsSettings = true;
    # recommendedGzipSettings = true;
    # recommendedProxySettings = true;

    commonHttpConfig = ''
      log_format json_combined escape=json
      '{'
          '"time_local":"$time_local",'
          '"remote_addr":"$remote_addr",'
          '"remote_user":"$remote_user",'
          '"request":"$request",'
          '"status": "$status",'
          '"body_bytes_sent":"$body_bytes_sent",'
          '"request_time":"$request_time",'
          '"http_referrer":"$http_referer",'
          '"http_user_agent":"$http_user_agent"'
      '}';

      access_log syslog:server=unix:/dev/log json_combined;
    '';

    virtualHosts.homepage = {
      serverName = "camden.tazj.in"; # TODO(tazjin): change to actual host later
      default = true;
      enableACME = true;
      root = pkgs.web.homepage;
      addSSL = true;

      extraConfig = ''
        ${pkgs.web.blog.oldRedirects}

        location ~* \.(webp|woff2)$ {
          add_header Cache-Control "public, max-age=31536000";
        }

        location /blog/ {
          alias ${pkgs.web.blog.rendered}/;

          if ($request_uri ~ ^/(.*)\.html$) {
            return 302 /$1;
          }

          try_files $uri $uri.html $uri/ =404;
        }

        location /blobs/ {
          alias /var/www/blobs/;
        }
      '';
    };
  };

  system.stateVersion = "19.09";
})
feat(ops/nixos): Add initial configuration for host camden 2020-02-11 16:41:00 +01:00			`# This file configures camden.tazj.in, my homeserver.`

			`{ pkgs, lib, ... }:`

			`config: let`
			`nixpkgs = import pkgs.third_party.nixpkgsSrc {`
			`config.allowUnfree = true;`
			`};`
			`in pkgs.lib.fix(self: {`
feat(ops/nixos/camden): Join camden.tazj.in into Tailscale mesh 2020-02-11 17:27:34 +01:00			`imports = [ ../modules/tailscale.nix ];`

feat(ops/nixos): Add initial configuration for host camden 2020-02-11 16:41:00 +01:00			`# camden is intended to boot unattended, despite having an encrypted`
			`# root partition.`
			`#`
			`# The below configuration uses an externally connected USB drive`
			`# that contains a LUKS key file to unlock the disk automatically at`
			`# boot.`
			`#`
			`# TODO(tazjin): Configure LUKS unlocking via SSH instead.`
			`boot = {`
			`initrd = {`
			`availableKernelModules = [`
			`"ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"`
			`"rtsx_usb_sdmmc" "r8169"`
			`];`

			`kernelModules = [ "dm-snapshot" ];`

			`luks.devices.camden-crypt = {`
			`fallbackToPassword = true;`
			`device = "/dev/disk/by-label/camden-crypt";`
			`keyFile = "/dev/sdb";`
			`keyFileSize = 4096;`
			`};`
			`};`

			`loader = {`
			`systemd-boot.enable = true;`
			`efi.canTouchEfiVariables = true;`
			`};`

			`cleanTmpDir = true;`
			`};`

			`fileSystems = {`
			`"/" = {`
			`device = "/dev/disk/by-label/camden-root";`
			`fsType = "ext4";`
			`};`

			`"/home" = {`
			`device = "/dev/disk/by-label/camden-home";`
			`fsType = "ext4";`
			`};`

			`"/boot" = {`
			`device = "/dev/disk/by-label/BOOT";`
			`fsType = "vfat";`
			`};`
			`};`

fix(ops/nixos/camden): Use package set from depot pin 2020-02-11 17:46:15 +01:00			`nix = {`
			`maxJobs = lib.mkDefault 4;`

			`nixPath = [`
			`"depot=/home/tazjin/depot"`
			`"nixpkgs=${pkgs.third_party.nixpkgsSrc}"`
			`];`
			`};`
			`nixpkgs.pkgs = nixpkgs;`
feat(ops/nixos): Add initial configuration for host camden 2020-02-11 16:41:00 +01:00
			`powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";`

			`networking = {`
			`hostName = "camden";`
			`interfaces.enp1s0.useDHCP = true;`
			`firewall.allowedTCPPorts = [ 22 8080 80 443 ];`
			`};`

			`time.timeZone = "UTC";`

			`# System-wide application setup`
			`programs.fish.enable = true;`
feat(ops/nixos/camden): Join camden.tazj.in into Tailscale mesh 2020-02-11 17:27:34 +01:00			`environment.systemPackages =`
			`# programs from the depot`
			`(with pkgs; [`
			`third_party.git`
			`third_party.tailscale`
			`]) ++`

			`# programs from nixpkgs`
			`(with nixpkgs; [`
			`curl emacs26-nox gnupg pass pciutils direnv`
			`]);`
feat(ops/nixos): Add initial configuration for host camden 2020-02-11 16:41:00 +01:00
feat(ops/nixos/camden): Set up cgit service Adds a user & group which are configured to own the local depot copy, and a cgit service to serve it. The depot checkout was configured as: mkdir -p /var/git && chown git: /var/git # now, as the git user, in /var/git git clone --bare ... depot chmod -R g+rw /var/git chmod g+s (find /var/git -type d) git init --bare --shared=all depot My personal user is a member of the git group, which means that after the above configuration I can push to the bare repo as my user and things work. Also, crucially, the `post-update` hook must be enabled as cgit uses the dumb HTTP transport. 2020-02-12 02:04:12 +01:00			`users = {`
			`# Set up my own user for logging in and doing things ...`
			`users.tazjin = {`
			`isNormalUser = true;`
			`uid = 1000;`
			`extraGroups = [ "git" "wheel" ];`
			`shell = nixpkgs.fish;`
			`};`

			`# Set up a user & group for general git shenanigans`
			`groups.git = {};`
			`users.git = {`
			`group = "git";`
			`isNormalUser = false;`
			`};`
feat(ops/nixos): Add initial configuration for host camden 2020-02-11 16:41:00 +01:00			`};`

feat(ops/nixos/camden): Enable haveged entropy "generator" 2020-02-11 21:54:31 +01:00			`# Services setup`
			`services.openssh.enable = true;`
			`services.haveged.enable = true;`

feat(ops/nixos/camden): Join camden.tazj.in into Tailscale mesh 2020-02-11 17:27:34 +01:00			`# Join Tailscale into home network`
			`services.tailscale = {`
			`enable = true;`
			`relayConf = "/etc/tailscale.conf";`
			`package = pkgs.third_party.tailscale;`
fix(nix/tailscale): Fix incorrect Tailscale ACL config type 2020-02-11 22:00:50 +01:00			`aclFile = pkgs.nix.tailscale {`
			`ACLs = [`
			`# Allow any traffic from myself`
			`{`
			`Action = "accept";`
			`Users = [ "mail@tazj.in" ];`
			`Ports = [ ":" ];`
			`}`
			`];`
			`} ;`
feat(ops/nixos/camden): Join camden.tazj.in into Tailscale mesh 2020-02-11 17:27:34 +01:00			`};`

feat(ops/nixos/camden): Set up cgit service Adds a user & group which are configured to own the local depot copy, and a cgit service to serve it. The depot checkout was configured as: mkdir -p /var/git && chown git: /var/git # now, as the git user, in /var/git git clone --bare ... depot chmod -R g+rw /var/git chmod g+s (find /var/git -type d) git init --bare --shared=all depot My personal user is a member of the git group, which means that after the above configuration I can push to the bare repo as my user and things work. Also, crucially, the `post-update` hook must be enabled as cgit uses the dumb HTTP transport. 2020-02-12 02:04:12 +01:00			`# Run cgit for the depot. The onion here is nginx(thttpd(cgit)).`
			`systemd.services.cgit = {`
			`wantedBy = [ "multi-user.target" ];`
			`script = "${pkgs.web.cgit-taz}/bin/cgit-launch";`

			`serviceConfig = {`
			`Restart = "on-failure";`
			`User = "git";`
			`Group = "git";`
			`};`
			`};`

feat(ops/nixos/nugget): Set up nginx serving homepage & blog This nginx does not currently log access correctly because for some impenetrable reason (as is tradition), neither /dev/stdout nor /dev/fd/1 exist for nginx at runtime. This is probably systemd's doing, but I'll debug it later. 2020-02-11 20:32:21 +01:00			`# serve my website`
			`services.nginx = {`
			`enable = true;`
			`enableReload = true;`

			`# recommendedTlsSettings = true;`
			`# recommendedGzipSettings = true;`
			`# recommendedProxySettings = true;`

			`commonHttpConfig = ''`
			`log_format json_combined escape=json`
			`'{'`
			`'"time_local":"$time_local",'`
			`'"remote_addr":"$remote_addr",'`
			`'"remote_user":"$remote_user",'`
			`'"request":"$request",'`
			`'"status": "$status",'`
			`'"body_bytes_sent":"$body_bytes_sent",'`
			`'"request_time":"$request_time",'`
			`'"http_referrer":"$http_referer",'`
			`'"http_user_agent":"$http_user_agent"'`
			`'}';`

feat(ops/nixos/camden): Serve /blobs/ from /var/www/blobs This directory is writeable by me and is intended to make it easy to serve random blobs. 2020-02-11 21:54:50 +01:00			`access_log syslog:server=unix:/dev/log json_combined;`
feat(ops/nixos/nugget): Set up nginx serving homepage & blog This nginx does not currently log access correctly because for some impenetrable reason (as is tradition), neither /dev/stdout nor /dev/fd/1 exist for nginx at runtime. This is probably systemd's doing, but I'll debug it later. 2020-02-11 20:32:21 +01:00			`'';`

			`virtualHosts.homepage = {`
			`serverName = "camden.tazj.in"; # TODO(tazjin): change to actual host later`
			`default = true;`
			`enableACME = true;`
			`root = pkgs.web.homepage;`
			`addSSL = true;`

			`extraConfig = ''`
			`${pkgs.web.blog.oldRedirects}`

			`location ~* \.(webp\|woff2)$ {`
			`add_header Cache-Control "public, max-age=31536000";`
			`}`

			`location /blog/ {`
			`alias ${pkgs.web.blog.rendered}/;`

			`if ($request_uri ~ ^/(.*)\.html$) {`
			`return 302 /$1;`
			`}`

			`try_files $uri $uri.html $uri/ =404;`
			`}`
feat(ops/nixos/camden): Serve /blobs/ from /var/www/blobs This directory is writeable by me and is intended to make it easy to serve random blobs. 2020-02-11 21:54:50 +01:00
			`location /blobs/ {`
			`alias /var/www/blobs/;`
			`}`
feat(ops/nixos/nugget): Set up nginx serving homepage & blog This nginx does not currently log access correctly because for some impenetrable reason (as is tradition), neither /dev/stdout nor /dev/fd/1 exist for nginx at runtime. This is probably systemd's doing, but I'll debug it later. 2020-02-11 20:32:21 +01:00			`'';`
			`};`
			`};`

feat(ops/nixos): Add initial configuration for host camden 2020-02-11 16:41:00 +01:00			`system.stateVersion = "19.09";`
			`})`