nix-config/hosts/c3d2-web/default.nix

{ config, hostRegistry, lib, pkgs, ... }:
let
  webroot = "/var/www";
in
{
  microvm = {
    vcpu = 4;
    mem = 2 * 1024; # drone-ssh-runner clones the git repo which requires some RAM
  };
  c3d2.deployment = {
    # /tmp is to small for drone to clone the repo even with depth
    mounts = lib.mkOptionDefault [ "tmp" ];
    server = "server10";
  };

  system.stateVersion = "22.05";

  networking.hostName = "c3d2-web";
  networking.firewall.allowedTCPPorts = [
    # telme10
    23
    # gemini
    1965
  ];

  security.acme.certs = {
    # agate cannot load modern crypto like "ec256" keys
    "www.c3d2.de".keyType = "rsa4096";
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      "www.c3d2.de" = {
        default = true;
        serverAliases = [
          "c3d2.de"
          "c3dd.de" "www.c3dd.de" "openpgpkey.c3d2.de"
          "cccdd.de" "www.cccdd.de"
          "dresden.ccc.de" "www.dresden.ccc.de"
          "netzbiotop.org" "www.netzbiotop.org"
        ];
        enableACME = true;
        forceSSL = true;
        root = "${webroot}/c3d2";
        extraConfig = ''
          index portal.html index.html;
        '';
        locations = {
          # Mastodon
          "~ ^/.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3ac3d2%40c3d2.social";

          # Matrix
          "~ ^/.well-known/matrix/server" = {
            return = "200 '{\"m.server\": \"matrix.c3d2.de:443\"}'";
            extraConfig = ''
              default_type application/json;
            '';
          };
          "~ ^/.well-known/matrix/client" = {
            return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.c3d2.de\"}}'";
            extraConfig = ''
              default_type application/json;
              add_header "Access-Control-Allow-Origin" *;
            '';
          };

          # SpaceAPI
          "/status.png".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/status.png";
          "/spaceapi.json".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/spaceapi.json";

          # WKD: Web Key Directory for PGP Keys
          "~ ^/openpgp" = {
            extraConfig = ''
              autoindex off;
              default_type  "application/octet-stream";
              add_header    Access-Control-Allow-Origin "* always";
            '';
          };
        };
      };

      "datenspuren.de" = {
        serverAliases = [
          "www.datenspuren.de"
          "ds.c3d2.de" "datenspuren.c3d2.de"
        ];
        enableACME = true;
        forceSSL = true;
        root = "${webroot}/c3d2/datenspuren";
        extraConfig = ''
          index index.html;
          rewrite ^/$ /2023/ redirect;
        '';
        # Mastodon
        locations."~ ^/.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3adatenspuren%40c3d2.social";
      };

      "autotopia.c3d2.de" = {
        enableACME = true;
        forceSSL = true;
        root = "${webroot}/c3d2/autotopia";
        extraConfig = ''
          index index.html;
          rewrite ^/$ /2020/ redirect;
        '';
      };

      # temporary redirects for outdated domains
      "dezentrale-jahresendveranstaltungen.fyi" = {
        serverAliases = [
          "rc3.c3d2.de"
          "www.dezentrale-jahresendveranstaltungen.fyi"
        ];
        enableACME = true;
        forceSSL = true;
        locations."/".return = "301 https://datenspuren.de";
      };
    };
  };
  # Gemini server
  services.agate = {
    enable = true;
    addresses = [
      # sysctl net.ipv6.bindv6only = 0
      "[::]:1965"
    ];
    certificatesDir = "/var/lib/agate/certificates";
    contentDir = "/var/www/gemini";
    language = "de";
  };

  systemd = {
    packages = with pkgs; [ telme10 ];
    services = {
      # lets agate access the tls certs
      agate = {
        requires = [ "agate-keys.service" ];
        after = [ "agate-keys.service" ];
        serviceConfig = {
          Group = "keys";
        };
      };
      agate-keys = {
        path = with pkgs; [ openssl ];
        script =
          let
            stateDir = "/var/lib/agate/certificates";
          in
          ''
            mkdir -p ${stateDir}
            openssl x509 \
                -in /var/lib/acme/www.c3d2.de/cert.pem \
                -out ${stateDir}/cert.der \
                -outform DER
            openssl rsa \
                -in /var/lib/acme/www.c3d2.de/key.pem \
                -out ${stateDir}/key.der \
                -outform DER
            chown root:keys ${stateDir}/*
            chmod 0640 ${stateDir}/*
          '';
        serviceConfig = {
          Type = "oneshot";
        };
      };
      telme10 = {
        serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      };
    };

    sockets.telme10.wantedBy = [ "sockets.target" ];
  };

  users = {
    groups = {
      c3d2-web = { };
      telme10 = { };
    };
    users = {
      c3d2-web = {
        group = "c3d2-web";
        home = "/var/lib/c3d2-web";
        isSystemUser = true;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
        ];
        packages = with pkgs; [
          libxslt
          libxml2
          rsync
          gnumake
        ];
        # otherwise the the drone ssh runner cannot log in
        useDefaultShell = true;
      };
      telme10 = {
        isSystemUser = true;
        group = "telme10";
      };
    };
  };

  systemd.tmpfiles.rules = with config.users.users.c3d2-web; [
    "d ${webroot}/c3d2 0755 c3d2-web ${group} -"
    "d ${config.services.agate.contentDir} 0755 c3d2-web ${group} -"
    "d ${home} 0700 c3d2-web ${group} -"
  ];

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets."c3d2-web/gitea-token".owner = "c3d2-web";
  };
}
deadnix 2023-03-09 21:47:10 +01:00			`{ config, hostRegistry, lib, pkgs, ... }:`
c3d2-web: init 2021-10-06 02:55:30 +02:00			`let`
			`webroot = "/var/www";`
			`in`
			`{`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`microvm = {`
c3d2-web: reduce cpus, increase ram for deployment 2023-06-14 22:35:56 +02:00			`vcpu = 4;`
			`mem = 2 * 1024; # drone-ssh-runner clones the git repo which requires some RAM`
c3d2-web: microvmify, fix 2022-06-18 02:42:41 +02:00			`};`
Make some room on /tmp for drones build directory 2023-01-30 00:36:01 +01:00			`c3d2.deployment = {`
			`# /tmp is to small for drone to clone the repo even with depth`
c3d2-web: fix evaluation... 2023-02-21 00:14:56 +01:00			`mounts = lib.mkOptionDefault [ "tmp" ];`
Make some room on /tmp for drones build directory 2023-01-30 00:36:01 +01:00			`server = "server10";`
			`};`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00
add system.stateVersion to all the containers that still miss it 2022-06-21 18:32:15 +02:00			`system.stateVersion = "22.05";`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00
c3d2-web: init 2021-10-06 02:55:30 +02:00			`networking.hostName = "c3d2-web";`
c3d2-web: add gemini with molly-brown 2022-03-04 21:56:34 +01:00			`networking.firewall.allowedTCPPorts = [`
Add telme10 2022-12-11 02:07:56 +01:00			`# telme10`
			`23`
c3d2-web: switch gemini server from molly-brown to agate the had been a reason... a few hours and many builds ago... 2022-03-05 01:14:41 +01:00			`# gemini`
c3d2-web: add gemini with molly-brown 2022-03-04 21:56:34 +01:00			`1965`
			`];`
c3d2-web: init 2021-10-06 02:55:30 +02:00
c3d2-web: switch gemini server from molly-brown to agate the had been a reason... a few hours and many builds ago... 2022-03-05 01:14:41 +01:00			`security.acme.certs = {`
Cleanup old pipeline 2023-01-30 00:00:23 +01:00			`# agate cannot load modern crypto like "ec256" keys`
c3d2-web: switch gemini server from molly-brown to agate the had been a reason... a few hours and many builds ago... 2022-03-05 01:14:41 +01:00			`"www.c3d2.de".keyType = "rsa4096";`
			`};`

c3d2-web: init 2021-10-06 02:55:30 +02:00			`services.nginx = {`
			`enable = true;`
			`virtualHosts = {`
			`"www.c3d2.de" = {`
			`default = true;`
			`serverAliases = [`
			`"c3d2.de"`
alias als subdomain 2022-04-25 11:02:17 +02:00			`"c3dd.de" "www.c3dd.de" "openpgpkey.c3d2.de"`
c3d2-web: init 2021-10-06 02:55:30 +02:00			`"cccdd.de" "www.cccdd.de"`
			`"dresden.ccc.de" "www.dresden.ccc.de"`
c3d2-web: serve netzbiotop.org 2022-03-10 16:25:04 +01:00			`"netzbiotop.org" "www.netzbiotop.org"`
c3d2-web: init 2021-10-06 02:55:30 +02:00			`];`
c3d2-web: deploy in full glory 2021-10-06 16:43:36 +02:00			`enableACME = true;`
			`forceSSL = true;`
c3d2-web: init 2021-10-06 02:55:30 +02:00			`root = "${webroot}/c3d2";`
c3d2-web: separate vhost for datenspuren.de 2021-10-06 03:21:22 +02:00			`extraConfig = ''`
c3d2-web: deploy in full glory 2021-10-06 16:43:36 +02:00			`index portal.html index.html;`
c3d2-web: separate vhost for datenspuren.de 2021-10-06 03:21:22 +02:00			`'';`
c3d2-web: init 2021-10-06 02:55:30 +02:00			`locations = {`
web: add mastodon webfinger 2022-12-02 02:11:16 +01:00			`# Mastodon`
web: use regex's to have high priority 2023-03-25 16:05:01 +01:00			`"~ ^/.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3ac3d2%40c3d2.social";`
web: add mastodon webfinger 2022-12-02 02:11:16 +01:00
c3d2-web: add matrix well-known entries 2023-03-25 16:22:49 +01:00			`# Matrix`
			`"~ ^/.well-known/matrix/server" = {`
			`return = "200 '{\"m.server\": \"matrix.c3d2.de:443\"}'";`
			`extraConfig = ''`
Fix gixy 2023-07-24 21:30:18 +02:00			`default_type application/json;`
c3d2-web: add matrix well-known entries 2023-03-25 16:22:49 +01:00			`'';`
			`};`
			`"~ ^/.well-known/matrix/client" = {`
			`return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.c3d2.de\"}}'";`
			`extraConfig = ''`
Fix gixy 2023-07-24 21:30:18 +02:00			`default_type application/json;`
c3d2-web: add matrix well-known entries 2023-03-25 16:22:49 +01:00			`add_header "Access-Control-Allow-Origin" *;`
			`'';`
			`};`

c3d2-web: init 2021-10-06 02:55:30 +02:00			`# SpaceAPI`
Fix eval, remove useless attr hosts in hostRegistry, hosts are now directly at hostRegistry 2022-12-20 05:40:58 +01:00			`"/status.png".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/status.png";`
			`"/spaceapi.json".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/spaceapi.json";`
moved nginx config to the right place 2022-04-28 13:52:58 +02:00
Fix mixed intend 2022-12-11 01:38:05 +01:00			`# WKD: Web Key Directory for PGP Keys`
web: use regex's to have high priority 2023-03-25 16:05:01 +01:00			`"~ ^/openpgp" = {`
moved nginx config to the right place 2022-04-28 13:52:58 +02:00			`extraConfig = ''`
			`autoindex off;`
try escaping 2022-05-31 15:38:30 +02:00			`default_type "application/octet-stream";`
			`add_header Access-Control-Allow-Origin "* always";`
moved nginx config to the right place 2022-04-28 13:52:58 +02:00			`'';`
			`};`
c3d2-web: init 2021-10-06 02:55:30 +02:00			`};`
			`};`

c3d2-web: separate vhost for datenspuren.de 2021-10-06 03:21:22 +02:00			`"datenspuren.de" = {`
			`serverAliases = [`
			`"www.datenspuren.de"`
c3d2-web: deploy in full glory 2021-10-06 16:43:36 +02:00			`"ds.c3d2.de" "datenspuren.c3d2.de"`
c3d2-web: separate vhost for datenspuren.de 2021-10-06 03:21:22 +02:00			`];`
c3d2-web: deploy in full glory 2021-10-06 16:43:36 +02:00			`enableACME = true;`
			`forceSSL = true;`
c3d2-web: separate vhost for datenspuren.de 2021-10-06 03:21:22 +02:00			`root = "${webroot}/c3d2/datenspuren";`
			`extraConfig = ''`
			`index index.html;`
c3d2-web: update datenspuren redirect to 2023 2023-01-11 21:53:29 +01:00			`rewrite ^/$ /2023/ redirect;`
c3d2-web: separate vhost for datenspuren.de 2021-10-06 03:21:22 +02:00			`'';`
c3d2-web: add Mastodon Webfinger redirect for datenspuren.de 2023-03-22 23:09:02 +01:00			`# Mastodon`
web: use regex's to have high priority 2023-03-25 16:05:01 +01:00			`locations."~ ^/.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3adatenspuren%40c3d2.social";`
c3d2-web: separate vhost for datenspuren.de 2021-10-06 03:21:22 +02:00			`};`

c3d2-web: deploy in full glory 2021-10-06 16:43:36 +02:00			`"autotopia.c3d2.de" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`root = "${webroot}/c3d2/autotopia";`
			`extraConfig = ''`
			`index index.html;`
			`rewrite ^/$ /2020/ redirect;`
			`'';`
			`};`

c3d2-web: redirect rc3 vhosts to datenspuren.de 2023-01-08 23:10:22 +01:00			`# temporary redirects for outdated domains`
			`"dezentrale-jahresendveranstaltungen.fyi" = {`
			`serverAliases = [`
			`"rc3.c3d2.de"`
			`"www.dezentrale-jahresendveranstaltungen.fyi"`
			`];`
			`enableACME = true;`
			`forceSSL = true;`
Cleanup 2023-03-25 16:04:23 +01:00			`locations."/".return = "301 https://datenspuren.de";`
c3d2-web: redirect rc3 vhosts to datenspuren.de 2023-01-08 23:10:22 +01:00			`};`
c3d2-web: init 2021-10-06 02:55:30 +02:00			`};`
			`};`
c3d2-web: add gemini with molly-brown 2022-03-04 21:56:34 +01:00			`# Gemini server`
c3d2-web: switch gemini server from molly-brown to agate the had been a reason... a few hours and many builds ago... 2022-03-05 01:14:41 +01:00			`services.agate = {`
c3d2-web: add gemini with molly-brown 2022-03-04 21:56:34 +01:00			`enable = true;`
c3d2-web: switch gemini server from molly-brown to agate the had been a reason... a few hours and many builds ago... 2022-03-05 01:14:41 +01:00			`addresses = [`
			`# sysctl net.ipv6.bindv6only = 0`
			`"[::]:1965"`
			`];`
			`certificatesDir = "/var/lib/agate/certificates";`
c3d2-web: move gemini 2023-07-24 21:30:28 +02:00			`contentDir = "/var/www/gemini";`
c3d2-web: switch gemini server from molly-brown to agate the had been a reason... a few hours and many builds ago... 2022-03-05 01:14:41 +01:00			`language = "de";`
			`};`
Add telme10 2022-12-11 02:07:56 +01:00
c3d2-web: fix telme10 startup 2023-06-23 18:13:03 +02:00			`systemd = {`
			`packages = with pkgs; [ telme10 ];`
			`services = {`
			`# lets agate access the tls certs`
			`agate = {`
			`requires = [ "agate-keys.service" ];`
			`after = [ "agate-keys.service" ];`
			`serviceConfig = {`
			`Group = "keys";`
			`};`
Cleanup old pipeline 2023-01-30 00:00:23 +01:00			`};`
c3d2-web: fix telme10 startup 2023-06-23 18:13:03 +02:00			`agate-keys = {`
			`path = with pkgs; [ openssl ];`
			`script =`
			`let`
			`stateDir = "/var/lib/agate/certificates";`
			`in`
			`''`
			`mkdir -p ${stateDir}`
			`openssl x509 \`
			`-in /var/lib/acme/www.c3d2.de/cert.pem \`
			`-out ${stateDir}/cert.der \`
			`-outform DER`
			`openssl rsa \`
			`-in /var/lib/acme/www.c3d2.de/key.pem \`
			`-out ${stateDir}/key.der \`
			`-outform DER`
			`chown root:keys ${stateDir}/*`
			`chmod 0640 ${stateDir}/*`
			`'';`
			`serviceConfig = {`
			`Type = "oneshot";`
			`};`
			`};`
			`telme10 = {`
			`serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";`
Cleanup old pipeline 2023-01-30 00:00:23 +01:00			`};`
c3d2-web: switch gemini server from molly-brown to agate the had been a reason... a few hours and many builds ago... 2022-03-05 01:14:41 +01:00			`};`
c3d2-web: fix telme10 startup 2023-06-23 18:13:03 +02:00
			`sockets.telme10.wantedBy = [ "sockets.target" ];`
c3d2-web: add gemini with molly-brown 2022-03-04 21:56:34 +01:00			`};`
c3d2-web: init 2021-10-06 02:55:30 +02:00
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`users = {`
			`groups = {`
			`c3d2-web = { };`
			`telme10 = { };`
			`};`
			`users = {`
			`c3d2-web = {`
			`group = "c3d2-web";`
			`home = "/var/lib/c3d2-web";`
Cleanup old pipeline 2023-01-30 00:00:23 +01:00			`isSystemUser = true;`
			`openssh.authorizedKeys.keys = [`
c3d2-web: reduce dependencies 2023-03-23 01:31:32 +01:00			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"`
Cleanup old pipeline 2023-01-30 00:00:23 +01:00			`];`
			`packages = with pkgs; [`
			`libxslt`
			`libxml2`
			`rsync`
			`gnumake`
			`];`
			`# otherwise the the drone ssh runner cannot log in`
			`useDefaultShell = true;`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`};`
			`telme10 = {`
			`isSystemUser = true;`
			`group = "telme10";`
			`};`
			`};`
Add telme10 2022-12-11 02:07:56 +01:00			`};`

Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`systemd.tmpfiles.rules = with config.users.users.c3d2-web; [`
			`"d ${webroot}/c3d2 0755 c3d2-web ${group} -"`
Add c3d2 secrets to web 2022-12-26 23:14:54 +01:00			`"d ${config.services.agate.contentDir} 0755 c3d2-web ${group} -"`
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`"d ${home} 0700 c3d2-web ${group} -"`
c3d2-web: init 2021-10-06 02:55:30 +02:00			`];`

Add c3d2 secrets to web 2022-12-26 23:14:54 +01:00			`sops = {`
			`defaultSopsFile = ./secrets.yaml;`
			`secrets."c3d2-web/gitea-token".owner = "c3d2-web";`
			`};`
c3d2-web: init 2021-10-06 02:55:30 +02:00			`}`