feat: initial version of Digital Ocean NixOS test server
tcarrio committed Aug 31, 2024
1 parent e4007c7 commit bf80e27
Showing 11 changed files with 84 additions and 20 deletions.
12 changes: 8 additions & 4 deletions flake.nix
Expand Up @@ -116,10 +116,13 @@
nuc7 = libx.mkHost { systemType = "server"; hostname = "nuc7"; username = "archon"; };
nuc8 = libx.mkHost { systemType = "server"; hostname = "nuc8"; username = "archon"; };
nuc9 = libx.mkHost { systemType = "server"; hostname = "nuc9"; username = "archon"; };

"dotest.carrio.dev" = libx.mkHost { systemType = "server"; hostname = "dotest.carrio.dev"; username = "archon"; };
};

# Devshell for bootstrapping; acessible via 'nix develop' or 'nix-shell' (legacy)
inherit (devshells) devShells; # libx.forAllSystems (system:
inherit (devshells) devShells;
# libx.forAllSystems (system:
# let pkgs = nixpkgs.legacyPackages.${system};
# in import ./shell.nix { inherit pkgs; }
# );
Expand Down Expand Up @@ -167,9 +170,10 @@
}
)) // {
x86_64-linux = {
# image is still too large: reduce with `qemu-img resize --shrink ./nixos.img 5.5G`
linode-test = libx.mkGeneratorImage { systemType = "server"; hostname = "linode-test"; username = "archon"; format = "linode"; diskSize = 5120; };
digital-ocean-test = libx.mkGeneratorImage { systemType = "server"; hostname = "digital-ocean-test"; username = "archon"; format = "do"; };
# TODO: image is still too large: reduction with `qemu-img resize --shrink ./nixos.img 5.5G` didn't error out but image will not boot
# linode-base-image = libx.mkGeneratorImage { systemType = "server"; hostname = "generic-base-image"; username = "archon"; format = "linode"; diskSize = 5120; };

digital-ocean-base-image = libx.mkGeneratorImage { systemType = "server"; hostname = "generic-base-image"; username = "archon"; format = "do"; };
};
};
# And custom nixos-generators definitions
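Review bot: The new host entry in the first hunk passes the dotted name `dotest.carrio.dev` as `hostname`; if `libx.mkHost` (defined outside this hunk) forwards that value to `networking.hostName`, NixOS rejects a hostname containing a domain part at evaluation time, so the label and domain would need to be split, e.g. `hostname = "dotest";` with the domain set via `networking.domain`. The new directory `nixos/server/dotest.carrio.dev/` suggests `mkHost` also uses the name to locate the host's configuration, so both uses should be checked together before the split. A one-line comment on the entry saying which of the two the value is meant to satisfy would prevent the next reader from guessing.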
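--- a/nixos/mixins/services/nextcloud.nix
+++ b/nixos/mixins/services/nextcloud.nix
@@ -2,7 +2,7 @@
 
 { config, lib, pkgs, ... }:
 let
-fqdn = "onlyoffice.${config.domainName}";
+fqdn = "nextcloud.${config.domainName}";
 in
 {
 services = {
@@ -49,8 +49,10 @@ in
 defaultPhoneRegion = "PT";
 dbtype = "pgsql";
 adminuser = "admin";
-adminpassFile = "/path/to/nextcloud-admin-pass";
+adminpassFile = "/etc/nextcloud/postgres/pswd";
 };
 };
+
+oxc.services.acme.enable = true;
 };
 }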
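Review bot: `adminpassFile = "/etc/nextcloud/postgres/pswd";` in the second hunk points the Nextcloud admin password at a file whose path names the Postgres credentials, and nothing in this commit creates that file or restricts who can read it. If the same secret is in fact shared between the database and the web admin account, a compromise of either side yields both; a dedicated admin-password file readable only by the `nextcloud` service user would keep those two credentials separate. Whichever is intended, a comment on the line should record the contract, e.g. `# provisioned outside this config; must be readable only by the nextcloud user and hold the admin password only`. The `config` attribute set this line belongs to starts outside the hunk.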
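--- a/nixos/mixins/services/onlyoffice.nix
+++ b/nixos/mixins/services/onlyoffice.nix
@@ -16,4 +16,6 @@ in
 hostname = fqdn;
 };
 };
+
+oxc.services.acme.enable = true;
 }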
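--- a/nixos/mixins/users/archon/default.nix
+++ b/nixos/mixins/users/archon/default.nix
@@ -23,11 +23,7 @@ in
 hashedPassword = "$6$uLtXsdZpgBd/iVao$L3Lk9vmQMOfZrARIyl6Sq6ZbU91d53dWQteZADxkgLJ8FZUet.L4E73LnmVccJUGdAUcMQ1cuISS9j0XygM2Q1";
 homeMode = "0755";
 isNormalUser = true;
-openssh.authorizedKeys.keys = with sshMatrix.systems; [
-# Add any authorized keys for SSH access here
-glass.tcarrio
-sktc0.tcarrio
-];
+openssh.authorizedKeys.keys = sshMatrix.groups.privileged_users;
 packages = [ pkgs.home-manager ];
 shell = pkgs.fish;
 };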
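Review bot: The only added line, `openssh.authorizedKeys.keys = sshMatrix.groups.privileged_users;`, moves the decision of who may log in as `archon` into a group defined outside this file, so this mixin no longer shows the key set it grants and any key later added to that group silently gains SSH access on every host that imports it. That is a reasonable centralisation, but the contract should be visible at the point of use: `# Every key in sshMatrix.groups.privileged_users can SSH in as archon on all hosts using this mixin; edits to that group are access grants and should be reviewed as such`. The enclosing user definition (`hashedPassword`, `homeMode`, ...) starts outside the hunk, and the `sshMatrix` value is not visible here, so whether the group is a plain list of key strings could not be confirmed.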
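--- /dev/null
+++ b/nixos/modules/services/acme.nix
@@ -0,0 +1,16 @@
+{ pkgs, lib, config, ... }: {
+options.oxc.services.acme = {
+enable = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = "Enable support for ACME LetsEncrypt protocol";
+};
+};
+
+config = lib.mkIf config.oxc.services.acme.enable {
+security.acme = {
+acceptTerms = true;
+defaults.email = lib.mkDefault "[email protected]";
+};
+};
+}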
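Review bot: The option description `"Enable support for ACME LetsEncrypt protocol"` misnames what the module does — ACME is the protocol and Let's Encrypt one CA that speaks it — and it does not tell a reader that enabling the option accepts the CA's terms on their behalf and seeds a default contact address, which is what the `config` block actually sets. Suggest `description = "Accept the ACME CA terms of service and set a default contact email for security.acme";`. Because the module leaves `security.acme.defaults.server` untouched, every host that enables it talks to the production CA; for hosts meant for repeated rebuilds a second option selecting the CA's staging environment would avoid burning production rate limits while iterating. The `pkgs` argument in the module header is unused and can be dropped.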
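--- a/nixos/modules/services/default.nix
+++ b/nixos/modules/services/default.nix
@@ -1,5 +1,6 @@
 _: {
 imports = [
+./acme.nix
 ./flatpak.nix
 ./tailscale.nix
 ./tailscale-autoconnect.nix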
2 changes: 0 additions & 2 deletions nixos/server/digital-ocean-test/default.nix

This file was deleted.

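--- /dev/null
+++ b/nixos/server/dotest.carrio.dev/default.nix
@@ -0,0 +1,47 @@
+{ ... }: let
+webRootHostDir = "/etc/web-server/";
+fqdn = "dotest.carrio.dev";
+in {
+security.acme = {
+acceptTerms = true;
+defaults.email = "[email protected]";
+certs."dotest.carrio.dev" = {
+reloadServices = [ "static-web-server" ];
+listenHTTP = ":80";
+group = "www-data";
+# EC is not supported by SWS versions before 2.16.1
+keyType = "rsa4096";
+};
+};
+
+# Now we need to open port 80 for the ACME challenge and port 443 for SWS itself
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+# Configure hosted web content
+etc.web-server.source = ./webroot;
+
+# Configure SWS to use the generated TLS certs
+services.static-web-server = {
+enable = true;
+root = webRootHostDir;
+listen = "[::]:443";
+configuration = {
+general = {
+http2 = true;
+# Edit the domain name in the file to match your real domain name as configured in the ACME settings
+http2-tls-cert = "/var/lib/acme/${fqdn}/fullchain.pem";
+http2-tls-key = "/var/lib/acme/${fqdn}/key.pem";
+# Info here: https://static-web-server.net/features/security-headers/
+# This option is only needed for versions prior to 2.18.0, after which it defaults to true
+security-headers = true;
+};
+};
+};
+
+# Now we need to override some things in the systemd unit files to allow access to those TLS certs, starting with creating a new Linux group:
+users.groups.www-data = {};
+
+# This strategy can be useful to override other advanced features as-needed
+systemd.services.static-web-server.serviceConfig.SupplementaryGroups = pkgs.lib.mkForce [ "" "www-data" ];
+systemd.services.static-web-server.serviceConfig.BindReadOnlyPaths = pkgs.lib.mkForce [webRootHostDir "/var/lib/acme/${fqdn}"];
+}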
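Review bot: The module header `{ ... }: let` on the first line binds no arguments, yet the last two lines call `pkgs.lib.mkForce`, so `pkgs` is an undefined variable and the host will fail to evaluate; likewise `etc.web-server.source = ./webroot;` is not a NixOS option as written (the option is `environment.etc`), so the web root would never be placed under `/etc/web-server` even once evaluation succeeds. The `security.acme` block also re-declares `acceptTerms` and `defaults.email` directly instead of enabling the `oxc.services.acme` module introduced in this same commit, so the module's `mkDefault` email is bypassed on the one host that could use it (assuming this host imports `nixos/modules/services`, which is not visible here). The comment `# Edit the domain name in the file to match your real domain name ...` is carried over from the upstream example and is stale now that `fqdn` is interpolated into both paths. The rewrite below binds `lib`, uses the module, and fixes the option path; the static-web-server and group blocks are unchanged.
```nix
{ lib, ... }: let
  webRootHostDir = "/etc/web-server/";
  fqdn = "dotest.carrio.dev";
in {
  # acceptTerms and the default contact email come from the shared module;
  # set security.acme.defaults.email here only if this host needs a different address
  oxc.services.acme.enable = true;
  security.acme.certs."${fqdn}" = {
    reloadServices = [ "static-web-server" ];
    listenHTTP = ":80";
    group = "www-data";
    # EC is not supported by SWS versions before 2.16.1
    keyType = "rsa4096";
  };

  # … unchanged: networking.firewall.allowedTCPPorts …

  # Publish ./webroot at /etc/web-server, the directory SWS serves from
  environment.etc."web-server".source = ./webroot;

  # … unchanged: services.static-web-server block (drop the stale "Edit the domain name" comment; fqdn is interpolated) and users.groups.www-data …

  systemd.services.static-web-server.serviceConfig.SupplementaryGroups = lib.mkForce [ "" "www-data" ];
  systemd.services.static-web-server.serviceConfig.BindReadOnlyPaths = lib.mkForce [ webRootHostDir "/var/lib/acme/${fqdn}" ];
}
```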
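--- /dev/null
+++ b/nixos/server/dotest.carrio.dev/webroot/index.html
@@ -0,0 +1,4 @@
+<html lang="en">
+<head></head>
+<body><h1>Test Web Server</h1></body>
+</html>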
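--- /dev/null
+++ b/nixos/server/generic-base-image/default.nix
@@ -0,0 +1 @@
+_: {}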
7 changes: 0 additions & 7 deletions nixos/server/linode-test/default.nix

This file was deleted.
