Start setting up bert

bert/Makefile

@@ -0,0 +1,16 @@
+# https://stackoverflow.com/a/23324703
+current_dir:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+.PHONY: deploy
+deploy:
+	rsync -avz $(current_dir)/ root@bert:config/
+	ssh root@bert nixos-rebuild switch --fast -I nixos-config=/root/config/configuration.nix
+
+.PHONY: local-build-deploy
+local-build-deploy:
+	nixos-rebuild switch --fast -I nixos-config=./configuration.nix --build-host root@bert --target-host root@bert
+
+.PHONY: deploy-upgrade
+deploy-upgrade:
+	rsync -avz $(current_dir)/ root@bert:config/
+	ssh root@bert nixos-rebuild switch --upgrade-all --fast -I nixos-config=/root/config/configuration.nix

bert/README.md

@@ -0,0 +1,23 @@
+# Installation
+1. Install NixOS minimal
+2. `ssh-keygen -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key`
+2. Enable SSH server and add root SSH key
+3. Deploy updated config with `make`
+4. Set up [Remote Disk Unlocking](https://nixos.wiki/wiki/Remote_disk_unlocking)
+   1. mkdir -p /etc/secrets/initrd && ssh-keygen -N "" -f /etc/secrets/initrd/ssh_host_25519_key
+5. Deploy content to web services
+
+# Notes on Caddy
+Until 2.8 is released with 24.11, Caddy has a pretty limited sense of what
+content-types should be compressed:
+
+https://github.com/caddyserver/caddy/blob/v2.7.6/modules/caddyhttp/encode/encode.go#L85-L101
+
+Specifically, this doesn't include GeoJSON, which is a bit of a shame for
+maps.chandlerswift.com. That said, I'll probably be upgrading to 24.11 as soon
+as it comes out, so in the intervening time I'm just not going to worry about
+it.
+
+The list was expanded in this PR:
+
+https://github.com/caddyserver/caddy/pull/6081

bert/configuration.nix

@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./services/http/index.nix
+    ];
+
+  # Bootloader
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Set up SSH unlocking
+  boot.initrd = {
+    availableKernelModules = [ "e1000e" ];
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 22;
+        authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com" ];
+        hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+        shell = "/bin/cryptsetup-askpass";
+      };
+    };
+  };
+
+  boot.initrd.luks.devices."luks-48836129-1aa0-45c7-9fd1-6b053fa620b1".device = "/dev/disk/by-uuid/48836129-1aa0-45c7-9fd1-6b053fa620b1";
+  networking.hostName = "bert";
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  time.timeZone = "America/Chicago";
+  i18n.defaultLocale = "en_US.UTF-8";
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+  };
+
+  environment.systemPackages = with pkgs; [
+    rsync
+  ];
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com'' ];
+
+  networking.firewall.allowedTCPPorts = [
+    80 # Caddy
+    443 # Caddy
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+}

bert/hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5abc0802-3969-460c-8089-5fec9f985c18";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."luks-da40f6d2-49d7-4a55-8a2e-94fa5f28dbbc".device = "/dev/disk/by-uuid/da40f6d2-49d7-4a55-8a2e-94fa5f28dbbc";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B684-07FB";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/f5d7bb99-03aa-4f7c-9d4a-e264ceb514c6"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

bert/services/http/home.chandlerswift.com.nix

@@ -0,0 +1,14 @@
+
+{
+  services.caddy.virtualHosts."home.chandlerswift.com".extraConfig = ''
+    encode zstd gzip
+    file_server
+    root * /srv/home.chandlerswift.com
+    # hide .git # ???
+  '';
+  systemd.tmpfiles.settings."10-home-chandlerswift-com" = {
+    "/srv/home.chandlerswift.com" = {
+      d = {};
+    };
+  };
+}

bert/services/http/index.nix

@@ -0,0 +1,12 @@
+{
+  imports = [
+    ./home.chandlerswift.com.nix
+    ./maps.chandlerswift.com.nix
+    ./stjohnscccc.org.nix
+  ];
+
+  services.caddy = {
+    enable = true;
+    email = "chandler@chandlerswift.com";
+  };
+}

bert/services/http/maps.chandlerswift.com.nix

@@ -0,0 +1,14 @@
+
+{
+  services.caddy.virtualHosts."maps.chandlerswift.com".extraConfig = ''
+    encode zstd gzip
+    file_server
+    root * /srv/maps.chandlerswift.com
+    # hide .git # ???
+  '';
+  systemd.tmpfiles.settings."10-maps-chandlerswift-com" = {
+    "/srv/maps.chandlerswift.com" = {
+      d = {};
+    };
+  };
+}

bert/services/http/stjohnscccc.org.nix

@@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+let
+  app = "stjohnscccc";
+  domain = "${app}.chandlerswift.com"; # TODO
+  dataDir = "/srv/http/${domain}";
+in {
+  services.phpfpm.pools.${app} = {
+    user = app;
+    settings = {
+      "listen.owner" = config.services.caddy.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      # "pm.max_requests" = 500;
+      "pm.start_servers" = 1;
+      "pm.min_spare_servers" = 1;
+      "pm.max_spare_servers" = 4;
+      "php_admin_value[error_log]" = "stderr";
+      "php_admin_flag[log_errors]" = true;
+      "catch_workers_output" = true;
+    };
+    # phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+  };
+  services.caddy.virtualHosts.${domain}.extraConfig = ''
+    root * ${dataDir}/public
+    encode zstd gzip
+    file_server
+    php_fastcgi unix//run/php/php-fpm.sock
+    log
+  '';
+  users.users.${app} = {
+    isSystemUser = true;
+    createHome = true;
+    home = dataDir;
+    group = app;
+  };
+  users.groups.${app} = {};
+  systemd.tmpfiles.settings."10-stjohnscccc.org" = {
+    "/srv/stjohnscccc.org" = {
+      d = {};
+    };
+  };
+}