whole entire revamp

2023-08-22 21:49:15 -07:00 · 2023-08-22 21:49:15 -07:00 · 1c86119fbb
commit 1c86119fbb
parent 7b3e28f66d
21 changed files with 652 additions and 272 deletions
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -0,0 +1,81 @@
+{ config, lib, pkgs, options, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.forgejo;
+in {
+  options.modules.services.forgejo = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    domain = mkOption {
+      type = types.str;
+      default = "git.reidlab.online";
+    };
+    port = mkOption {
+      type = types.int;
+      default = 3000;
+    };
+    package = mkOption {
+      type = types.package;
+      default = pkgs.forgejo;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services = {
+      gitea = {
+        enable = true;
+        package = cfg.package;
+        stateDir = "/var/lib/${cfg.domain}";
+        appName = "reidlab's git instance";
+        database = {
+          type = "postgres";
+          name = "gitea";
+        };
+        settings = {
+          "security" = {
+            INSTALL_LOCK = true;
+            PASSWORD_HASH_ALGO = "argon2";
+            PASSWORD_CHECK_PWN = true;
+          };
+          "ui.meta" = {
+            AUTHOR = "reidlab";
+            DESCRIPTION = "reidlab's git instance";
+          };
+          "server" = {
+            DOMAIN = cfg.domain;
+            HTTP_PORT = cfg.port;
+            ROOT_URL = "https://${cfg.domain}/";
+          };
+          "repository" = {
+            DEFAULT_BRANCH = "main";
+          };
+          "picture" = {
+            DISABLE_GRAVATAR = false;
+            ENABLE_FEDERATED_AVATAR = true;
+          };
+          "service" = {
+            ENABLE_CAPTCHA = false;
+            REGISTER_EMAIL_CONFIRM = false;
+            DEFAULT_KEEP_EMAIL_PRIVATE = true;
+            DEFAULT_ENABLE_TIMETRACING = true;
+            DISABLE_REGISTRATION = true;
+          };
+          "federation" = {
+            ENABLED = true;
+          };
+        };
+      };
+
+      nginx.virtualHosts."${cfg.domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/".extraConfig = ''
+          proxy_pass http://127.0.0.1:${toString cfg.port};
+        '';
+      };
+    };
+  };
+}
--- a/modules/services/mosh.nix
+++ b/modules/services/mosh.nix
@ -0,0 +1,19 @@
+{ config, lib, pkgs, options, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.mosh;
+in {
+  options.modules.services.mosh = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    programs.mosh = {
+      enable = true;
+    };
+  };
+}
--- a/modules/services/nginx-conf.nix
+++ b/modules/services/nginx-conf.nix
@ -0,0 +1,109 @@
+{ config, lib, pkgs, options, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.nginx-config;
+in {
+  options.modules.services.nginx-config = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.openresty;
+    };
+
+    defaultLuaPackagePath = mkOption {
+      type = types.path;
+      default = null;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      { assertion = cfg.defaultLuaPackagePath != null;
+        description = "The defaultLuaPackagePath property *must* be explicitly specified.";
+      }
+    ];
+
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "reidlab325@gmail.com";
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    };
+
+    services.nginx = {
+      enable = true;
+      package = cfg.package;
+      
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+
+      logError = "stderr warn";
+
+      # TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
+      commonHttpConfig = let
+        # lua
+        lua-resty-template = pkgs.fetchFromGitHub {
+          owner = "bungle";
+          repo = "lua-resty-template";
+          rev = "v2.0";
+          sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";      
+        };
+        lua-resty-redis = pkgs.fetchFromGitHub {
+          owner = "openresty";
+          repo = "lua-resty-redis";
+          rev = "v0.29";
+          sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
+        };
+        lua-resty-websocket = pkgs.fetchFromGitHub {
+          owner = "openresty";
+          repo = "lua-resty-websocket";
+          rev = "v0.10";
+          sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
+        };
+
+        # cloudflare
+        realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from  ${x};");
+        fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
+        cfipv4 = fileToList (pkgs.fetchurl {
+          url = "https://www.cloudflare.com/ips-v4";
+          sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
+        });
+        cfipv6 = fileToList (pkgs.fetchurl {
+          url = "https://www.cloudflare.com/ips-v6";
+          sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
+        });
+      in ''
+        lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
+
+        map $scheme $hsts_header {
+            https   "max-age=31536000; includeSubdomains; preload";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+
+        # Enable CSP for your services.
+        # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+        # ^ this above breaks forgejo/gitea so
+
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+
+        # This might create errors
+        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+
+        ${realIpsFromList cfipv4}
+        ${realIpsFromList cfipv6}
+        real_ip_header CF-Connecting-IP;
+      '';
+    };
+
+    networking.firewall.allowedTCPPorts = [ 443 80 ];
+    networking.firewall.allowedUDPPorts = [ 443 80 ];
+  };
+}
--- a/modules/services/postgres.nix
+++ b/modules/services/postgres.nix
@ -0,0 +1,19 @@
+{ config, lib, pkgs, options, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.postgres;
+in {
+  options.modules.services.postgres = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+    };
+  };
+}
--- a/modules/services/redis.nix
+++ b/modules/services/redis.nix
@ -0,0 +1,19 @@
+{ config, lib, pkgs, options, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.redis;
+in {
+  options.modules.services.redis = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.redis.servers."" = {
+      enable = true;
+    };
+  };
+}
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@ -0,0 +1,35 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.ssh;
+in {
+  options.modules.services.ssh = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Provide system SSH support though OpenSSH.";
+    };
+
+    requirePassword = mkOption {
+      type = types.bool;
+      default = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+
+      settings = {
+        PasswordAuthentication = cfg.requirePassword;
+        PermitRootLogin = "no";
+      };
+    };
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+  };
+}