diff --git a/bert/Makefile b/bert/Makefile
new file mode 100644
index 0000000..c6583fc
--- /dev/null
+++ b/bert/Makefile
@@ -0,0 +1,16 @@
+# https://stackoverflow.com/a/23324703
+current_dir:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+.PHONY: deploy
+deploy:
+ rsync -avz $(current_dir)/ root@bert:config/
+ ssh root@bert nixos-rebuild switch --fast -I nixos-config=/root/config/configuration.nix
+
+.PHONY: local-build-deploy
+local-build-deploy:
+ nixos-rebuild switch --fast -I nixos-config=./configuration.nix --build-host root@bert --target-host root@bert
+
+.PHONY: deploy-upgrade
+deploy-upgrade:
+ rsync -avz $(current_dir)/ root@bert:config/
+ ssh root@bert nixos-rebuild switch --upgrade-all --fast -I nixos-config=/root/config/configuration.nix
diff --git a/bert/README.md b/bert/README.md
new file mode 100644
index 0000000..5fc22b6
--- /dev/null
+++ b/bert/README.md
@@ -0,0 +1,23 @@
+# Installation
+1. Install NixOS minimal
+2. `ssh-keygen -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key`
+2. Enable SSH server and add root SSH key
+3. Deploy updated config with `make`
+4. Set up [Remote Disk Unlocking](https://nixos.wiki/wiki/Remote_disk_unlocking)
+ 1. mkdir -p /etc/secrets/initrd && ssh-keygen -N "" -f /etc/secrets/initrd/ssh_host_25519_key
+5. Deploy content to web services
+
+# Notes on Caddy
+Until 2.8 is released with 24.11, Caddy has a pretty limited sense of what
+content-types should be compressed:
+
+https://github.com/caddyserver/caddy/blob/v2.7.6/modules/caddyhttp/encode/encode.go#L85-L101
+
+Specifically, this doesn't include GeoJSON, which is a bit of a shame for
+maps.chandlerswift.com. That said, I'll probably be upgrading to 24.11 as soon
+as it comes out, so in the intervening time I'm just not going to worry about
+it.
+
+The list was expanded in this PR:
+
+https://github.com/caddyserver/caddy/pull/6081
diff --git a/bert/configuration.nix b/bert/configuration.nix
new file mode 100644
index 0000000..8004161
--- /dev/null
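Review bot: The `rsync -avz $(current_dir)/ root@bert:config/` step in `deploy` and `deploy-upgrade` never removes files, so a module deleted locally (a retired vhost under services/http/, say) lingers in `/root/config/` on the host as a copy nothing in this repository tracks anymore. If the remote tree is meant to mirror this directory, `rsync -avz --delete $(current_dir)/ root@bert:config/` keeps the two in step. The rsync and ssh lines are also repeated verbatim between the two targets; a shared `sync` prerequisite target would leave one place to change the host or the config path.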
+++ b/bert/configuration.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./services/http/index.nix
+ ];
+
+ # Bootloader
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Set up SSH unlocking
+ boot.initrd = {
+ availableKernelModules = [ "e1000e" ];
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 22;
+ authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com" ];
+ hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+ shell = "/bin/cryptsetup-askpass";
+ };
+ };
+ };
+
+ boot.initrd.luks.devices."luks-48836129-1aa0-45c7-9fd1-6b053fa620b1".device = "/dev/disk/by-uuid/48836129-1aa0-45c7-9fd1-6b053fa620b1";
+ networking.hostName = "bert";
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ time.timeZone = "America/Chicago";
+ i18n.defaultLocale = "en_US.UTF-8";
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "";
+ };
+
+ environment.systemPackages = with pkgs; [
+ rsync
+ ];
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com'' ];
+
+ networking.firewall.allowedTCPPorts = [
+ 80 # Caddy
+ 443 # Caddy
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+
+}
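Review bot: The initrd sshd (`port = 22;` under `boot.initrd.network.ssh`) shares its port with the main OpenSSH daemon but presents a different host key (`/etc/secrets/initrd/ssh_host_ed25519_key`), so unlocks and ordinary logins will alternate between two keys for the same `bert:22` endpoint and clients will keep raising host-key-changed warnings that an operator learns to click through — the very habit that hides a real interception. Giving the unlock listener its own port, e.g. `port = 2222;`, keeps each key pinned to one entry in known_hosts. The README added in the same commit names the key `ssh_host_25519_key` in step 4.1, which does not match the `hostKeys` path used here, so following that step literally will not produce the file this configuration expects. Since the host exposes root over key-based SSH, stating `services.openssh.settings.PasswordAuthentication = false;` next to `services.openssh.enable` makes the key-only policy explicit instead of leaving it to the module default.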
diff --git a/bert/hardware-configuration.nix b/bert/hardware-configuration.nix
new file mode 100644
index 0000000..bd11bff
--- /dev/null
+++ b/bert/hardware-configuration.nix
@@ -0,0 +1,42 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/5abc0802-3969-460c-8089-5fec9f985c18";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices."luks-da40f6d2-49d7-4a55-8a2e-94fa5f28dbbc".device = "/dev/disk/by-uuid/da40f6d2-49d7-4a55-8a2e-94fa5f28dbbc";
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/B684-07FB";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/f5d7bb99-03aa-4f7c-9d4a-e264ceb514c6"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/bert/services/http/home.chandlerswift.com.nix b/bert/services/http/home.chandlerswift.com.nix
new file mode 100644
index 0000000..7cfb495
--- /dev/null
+++ b/bert/services/http/home.chandlerswift.com.nix
@@ -0,0 +1,14 @@
+
+{
+ services.caddy.virtualHosts."home.chandlerswift.com".extraConfig = ''
+ encode zstd gzip
+ file_server
+ root * /srv/home.chandlerswift.com
+ # hide .git # ???
+ '';
+ systemd.tmpfiles.settings."10-home-chandlerswift-com" = {
+ "/srv/home.chandlerswift.com" = {
+ d = {};
+ };
+ };
+}
diff --git a/bert/services/http/index.nix b/bert/services/http/index.nix
new file mode 100644
index 0000000..8c61469
--- /dev/null
+++ b/bert/services/http/index.nix
@@ -0,0 +1,12 @@
+{
+ imports = [
+ ./home.chandlerswift.com.nix
+ ./maps.chandlerswift.com.nix
+ ./stjohnscccc.org.nix
+ ];
+
+ services.caddy = {
+ enable = true;
+ email = "chandler@chandlerswift.com";
+ };
+}
diff --git a/bert/services/http/maps.chandlerswift.com.nix b/bert/services/http/maps.chandlerswift.com.nix
new file mode 100644
index 0000000..74251bb
--- /dev/null
+++ b/bert/services/http/maps.chandlerswift.com.nix
@@ -0,0 +1,14 @@
+
+{
+ services.caddy.virtualHosts."maps.chandlerswift.com".extraConfig = ''
+ encode zstd gzip
+ file_server
+ root * /srv/maps.chandlerswift.com
+ # hide .git # ???
+ '';
+ systemd.tmpfiles.settings."10-maps-chandlerswift-com" = {
+ "/srv/maps.chandlerswift.com" = {
+ d = {};
+ };
+ };
+}
diff --git a/bert/services/http/stjohnscccc.org.nix b/bert/services/http/stjohnscccc.org.nix
new file mode 100644
index 0000000..a9309e0
--- /dev/null
+++ b/bert/services/http/stjohnscccc.org.nix
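Review bot: The placeholder `# hide .git # ???` inside the Caddyfile for `home.chandlerswift.com` leaves the question open while `file_server` serves everything under `/srv/home.chandlerswift.com`; if the content is deployed by cloning a repository there, the `.git` directory (full history, hooks, any credentials in its config) is served as plain files. Caddy's `file_server` takes a `hide` subdirective, so the intent can be written directly as `file_server { hide .git }` and the placeholder dropped. `maps.chandlerswift.com.nix` in this commit carries the identical placeholder and should get the same change. Placing `root *` before `file_server`, as `stjohnscccc.org.nix` does, also reads more naturally even though Caddy orders directives itself.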
@@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+let
+ app = "stjohnscccc";
+ domain = "${app}.chandlerswift.com"; # TODO
+ dataDir = "/srv/http/${domain}";
+in {
+ services.phpfpm.pools.${app} = {
+ user = app;
+ settings = {
+ "listen.owner" = config.services.caddy.user;
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ # "pm.max_requests" = 500;
+ "pm.start_servers" = 1;
+ "pm.min_spare_servers" = 1;
+ "pm.max_spare_servers" = 4;
+ "php_admin_value[error_log]" = "stderr";
+ "php_admin_flag[log_errors]" = true;
+ "catch_workers_output" = true;
+ };
+ # phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+ };
+ services.caddy.virtualHosts.${domain}.extraConfig = ''
+ root * ${dataDir}/public
+ encode zstd gzip
+ file_server
+ php_fastcgi unix//run/php/php-fpm.sock
+ log
+ '';
+ users.users.${app} = {
+ isSystemUser = true;
+ createHome = true;
+ home = dataDir;
+ group = app;
+ };
+ users.groups.${app} = {};
+ systemd.tmpfiles.settings."10-stjohnscccc.org" = {
+ "/srv/stjohnscccc.org" = {
+ d = {};
+ };
+ };
+}
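Review bot: `php_fastcgi unix//run/php/php-fpm.sock` points at a socket this module never creates: the NixOS phpfpm module exposes each pool's socket path as `config.services.phpfpm.pools.<name>.socket` (under /run/phpfpm/ by default), so Caddy's PHP requests will fail to connect as written. Referencing the option directly, `php_fastcgi unix/${config.services.phpfpm.pools.${app}.socket}`, ties the two halves of this file together and survives a pool rename. The tmpfiles rule creates `/srv/stjohnscccc.org`, but nothing here uses that path — `dataDir` resolves to `/srv/http/stjohnscccc.chandlerswift.com` (the `# TODO` on `domain` suggests the name is still unsettled) and is created through `createHome` instead, so the tmpfiles block targets either the wrong directory or a redundant one. Because the pool runs as `${app}` and that user presumably owns `dataDir` via `createHome`, PHP can write into its own document root under `${dataDir}/public`; if the application does not need that, giving the tree a separate owner and the pool user only the directories it must write to would limit what a compromised script can alter.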