diff --git a/flake.lock b/flake.lock index d480a69b..3eb394b1 100644 --- a/flake.lock +++ b/flake.lock @@ -23,7 +23,7 @@ }, "fenix_2": { "inputs": { - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "rust-analyzer-src": "rust-analyzer-src_2" }, "locked": { @@ -40,6 +40,23 @@ "type": "github" } }, + "gemini": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1639155521, + "narHash": "sha256-Lh74QEjPIPZSZNvz1zPKEqEjSA6eIci0eDRoZJKIYeE=", + "owner": "nix-community", + "repo": "flake-gemini", + "rev": "2900f752c983974a03e66077f1e6522764486aed", + "type": "github" + }, + "original": { + "id": "gemini", + "type": "indirect" + } + }, "heliwatch": { "inputs": { "fenix": "fenix_2", @@ -65,7 +82,7 @@ }, "naersk": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1639947939, @@ -118,16 +135,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1644278373, - "narHash": "sha256-9riYZyVing7OQUUWELSojlbt9u0xDh0Xm5Eg8FQn0fc=", - "owner": "nixos", + "lastModified": 1639153468, + "narHash": "sha256-AXlstb8jjYs8HKGTLOuSjIdFLyPQSI5aYPN34qUy+Rc=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "60c52a73f1d5858020ac4f161cd5bf1c9650f8b8", + "rev": "cf8f41fe116c8e733c833acd4759d9261ecd6d1f", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "NixOS", + "ref": "release-21.11", "repo": "nixpkgs", "type": "github" } @@ -179,6 +196,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1644278373, + "narHash": "sha256-9riYZyVing7OQUUWELSojlbt9u0xDh0Xm5Eg8FQn0fc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "60c52a73f1d5858020ac4f161cd5bf1c9650f8b8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1644151317, "narHash": "sha256-TpXGBYCFKvEN7Q+To45rn4kqTbLPY4f56rF6ymUGGRE=", 
@@ -192,7 +225,7 @@ "type": "indirect" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1644328695, "narHash": "sha256-rK1HXS35XOO3PksBnJzbv93G9wqZsk61gi22j8dtOt0=", @@ -208,7 +241,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1637209424, "narHash": "sha256-oXw75hkCOVtoB+CEElWiTmkC1gNdL3jf0tG2GInytHA=", @@ -224,7 +257,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1638097282, "narHash": "sha256-EXCzj9b8X/lqDPJapxZThIOKL5ASbpsJZ+8L1LnY1ig=", @@ -240,7 +273,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1641924320, "narHash": "sha256-DuOpJqoMmQ3Yk4C64QQHFaByhbSIi872He6z5BXY1YM=", @@ -276,10 +309,11 @@ "root": { "inputs": { "fenix": "fenix", + "gemini": "gemini", "heliwatch": "heliwatch", "naersk": "naersk_2", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-mobilizon": "nixpkgs-mobilizon", "nixpkgs-unstable": "nixpkgs-unstable", "scrapers": "scrapers", @@ -344,7 +378,7 @@ }, "secrets": { "inputs": { - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "sops-nix": [ "sops-nix" ] @@ -365,7 +399,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1644240878, @@ -467,7 +501,7 @@ }, "zentralwerk": { "inputs": { - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nixpkgs-master": "nixpkgs-master", "openwrt": "openwrt" }, diff --git a/flake.nix b/flake.nix index 5d8d9613..03a5d4cb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -28,7 +28,7 @@ fenix.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, sops-nix, naersk, fenix, ... }: + outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, sops-nix, naersk, fenix, gemini, ... }: let inherit (nixpkgs) lib; forAllSystems = lib.genAttrs [ "aarch64-linux" "x86_64-linux" ]; @@ -243,6 +243,16 @@ ]; }; + gemini = nixosSystem' { + nixpkgs = inputs.nixpkgs-unstable; + modules = [ + ./config/lxc-container.nix + ./hosts/containers/gemini + gemini.nixosModules.duckling-proxy + gemini.nixosModules.kineto + ]; + }; + gitea = nixosSystem' { nixpkgs = inputs.nixpkgs-unstable; modules = [ diff --git a/host-registry.nix b/host-registry.nix index 8c0cb92a..254ef1d5 100644 --- a/host-registry.nix +++ b/host-registry.nix @@ -12,6 +12,13 @@ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMFbxHGfBMBjjior1FNRub56O62K++HVnqUH67BeKD7d"; }; + gemini = { + ip6 = "2a00:8180:2c00:223:58f4:2eff:fe48:5216"; + # ygg = "30c:c3d2:b946:76d0:58f4:2eff:fe48:5216"; + publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvB3MTO5+MJk8/sojF+bX0MBz9BLwo3FRH5SjIbrfeH"; + }; + gitea.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8MmjiiRmiyUqRYs5a07m7qKDwxh2NwvS2h7pm2b+zx"; glotzbert = { diff --git a/hosts/containers/gemini/default.nix b/hosts/containers/gemini/default.nix new file mode 100644 index 00000000..f02d4607 --- /dev/null +++ b/hosts/containers/gemini/default.nix 
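Review bot: The `gemini` input that this `nixosSystem'` block takes `nixosModules.duckling-proxy` and `nixosModules.kineto` from is, per the accompanying flake.lock, an indirect registry lookup (`"original": { "id": "gemini", "type": "indirect" }`) carrying its own `nixpkgs` pinned to `release-21.11`, while the host itself is built from `inputs.nixpkgs-unstable`. An indirect input is resolved through whatever flake registry the building machine has, so a `nix flake update` elsewhere can silently re-point it to a different source, and the lock already shows a second nixpkgs copy being pulled in just for these two modules. The other inputs pin an explicit source and deduplicate nixpkgs (see `fenix.inputs.nixpkgs.follows = "nixpkgs"` in the first hunk); declaring this one the same way in the `inputs` section, which the diff does not touch, as `gemini = { url = "github:nix-community/flake-gemini"; inputs.nixpkgs.follows = "nixpkgs"; };` would make the provenance explicit. The enclosing `outputs` attribute set starts and ends outside the hunk.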
@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+
+let fqdn = "gemini.c3d2.de";
+in {
+ imports = [ ./users.nix ];
+
+ c3d2.hq.statistics.enable = true;
+ c3d2.autoUpdate = true;
+
+ networking.hostName = "gemini";
+ networking.hosts."::1" = [ fqdn ];
+
+ networking.firewall.enable = false;
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ config.services.molly-brown.settings.Port
+ config.services.duckling-proxy.port
+ ];
+
+ services.duckling-proxy = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 1966;
+ serverCert = "/var/lib/acme/${fqdn}/cert.pem";
+ serverKey = "/var/lib/acme/${fqdn}/key.pem";
+ };
+
+ services.kineto = {
+ enable = true;
+ port = 1967;
+ geminiDomain = "gemini://${fqdn}";
+ };
+
+ services.molly-brown = {
+ enable = true;
+ hostName = fqdn;
+ certPath = "/var/lib/acme/${fqdn}/cert.pem";
+ keyPath = "/var/lib/acme/${fqdn}/key.pem";
+ docBase = "/var/gemini";
+ settings = {
+ DefaultLang = "de";
+ ReadMollyFiles = true;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts.${fqdn} = {
+ default = true;
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:1967";
+ };
+ };
+
+ systemd.services.duckling-proxy.serviceConfig.SupplementaryGroups =
+ [ config.security.acme.certs.${fqdn}.group ];
+
+ systemd.services.molly-brown.serviceConfig.SupplementaryGroups =
+ [ config.security.acme.certs.${fqdn}.group ];
+}
diff --git a/hosts/containers/gemini/users.nix b/hosts/containers/gemini/users.nix
new file mode 100644
index 00000000..9eca4d42
--- /dev/null
+++ b/hosts/containers/gemini/users.nix
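Review bot: `networking.firewall.enable = false;` switches the firewall off for this container, which makes the `allowedTCPPorts` list directly below it dead configuration and leaves every listening socket reachable from the network unless something outside this file filters it — duckling-proxy is explicitly bound to `0.0.0.0` on 1966, and kineto on 1967 has no bind address set here. If the intent is to expose only the four listed ports, change the line to `networking.firewall.enable = true;`; if the container is deliberately unfiltered, drop the `allowedTCPPorts` block and add a comment saying why. Separately, molly-brown and duckling-proxy read the certificate and key straight from `/var/lib/acme/${fqdn}/`, but nothing in this file restarts them after an ACME renewal, so they will presumably keep serving the old certificate until the next reboot or rebuild; `security.acme.certs.${fqdn}.reloadServices = [ "molly-brown.service" "duckling-proxy.service" ];` would cover that (confirm the option name against the nixpkgs revision in use).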
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+ system.activationScripts.gemini = ''
+ mkdir -p ${config.services.molly-brown.docBase}/users/
+ '' + lib.strings.concatStrings (lib.attrsets.mapAttrsToList (name:
+ { isNormalUser, home, ... }:
+ lib.strings.optionalString (isNormalUser && home != null) ''
+ ln -sf ${home}/public_gemini ${config.services.molly-brown.docBase}/users/${name}
+ '') config.users.users);
+
+ users.users = lib.attrsets.mapAttrs (name:
+ { sshKeys, ... }: {
+ createHome = true;
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = sshKeys;
+ }) config.c3d2.users;
+}
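Review bot: The `ln -sf ${home}/public_gemini …/users/${name}` line in the activation script is not idempotent with GNU ln (what NixOS ships): once `/var/gemini/users/<name>` exists as a symlink to an existing directory, `ln -sf` dereferences it and drops a stray `public_gemini` link inside the user's own `public_gemini` directory on every subsequent activation instead of replacing the link. Use `-n` so the link itself is replaced, and since `${home}` and `${name}` are pasted unquoted into a shell script it costs nothing to quote them too: `ln -sfn ${lib.escapeShellArg "${home}/public_gemini"} ${lib.escapeShellArg "${config.services.molly-brown.docBase}/users/${name}"}`. The values come from NixOS configuration rather than untrusted input, so the quoting is defensive rather than a fix for an exploitable path. Note also that the link is created whether or not `${home}/public_gemini` exists, so users who never create the directory get a dangling link under `docBase`; that is presumably tolerable for molly-brown, but worth a one-line comment above the `optionalString` call.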