ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Feature/factorio (#109)

Browse Source 
* add factorio

* add factorio server

* add new user

* fixed typo
This commit is contained in:
Dennis
2024-02-19 22:15:50 +01:00
committed by Dennis Wuitz
parent d28098ac8d
commit e732499201
8 changed files with 4 additions and 507 deletions
Download Patch File Download Diff File Expand all files Collapse all files

136
modules/backup.nix
View File

@ -1,136 +0,0 @@
{ config, lib, pkgs, ... }:
let cfg = config.services.backup;
in {
options.services.backup = {
enable = lib.mkEnableOption "backup";
offsite = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = "Offsite backup hostnames.";
};
paths = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = "Extra paths to include in backup.";
};
exclude = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = "Extra paths to exclude in backup.";
};
backup_at = lib.mkOption {
type = lib.types.int;
default = 2;
description = "Time to run backup.";
};
};
config = {
assertions = [
{
assertion = cfg.paths != [ ] -> cfg.enable;
message = "Configuring backup services.backup.paths without enabling services.backup.enable is useless!";
}
{
assertion = cfg.backup_at < 24;
message = "Backup time must be less than 24 hours!";
}
];
services = {
postgresqlBackup = {
inherit (config.services.postgresql) enable;
backupAll = true;
startAt = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:00:00";
};
restic.backups =
let
commonOpts = {
initialize = true;
extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ];
pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ];
passwordFile = config.sops.secrets."restic/password".path;
paths = [
"/etc/group"
"/etc/machine-id"
"/etc/passwd"
"/etc/shadow"
"/etc/ssh/ssh_host_ecdsa_key"
"/etc/ssh/ssh_host_ecdsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/subgid"
"/etc/subuid"
"/var/lib/nixos/"
] ++ cfg.paths
++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/"
++ lib.optional config.services.mysql.enable "/var/lib/mysql/"
++ lib.optional config.services.gitea.enable "/var/lib/gitea/"
++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/"
++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/"
++ lib.optional config.mailserver.enable config.mailserver.mailDirectory;
exclude = lib.mkIf config.services.gitea.enable [
"/var/lib/gitea/data/indexers/"
"/var/lib/gitea/data/repo-archive"
"/var/lib/gitea/data/queues"
"/var/lib/gitea/data/tmp/"
];
timerConfig = {
OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00";
RandomizedDelaySec = "5m";
};
};
in
lib.mkIf cfg.enable {
local = commonOpts // { repository = "/var/backup"; };
offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; };
};
};
sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ]) {
"restic/offsite/private" = {
owner = "root";
path = "/root/.ssh/id_offsite-backup";
sopsFile = ./backup.yaml;
};
"restic/offsite/public" = {
owner = "root";
path = "/root/.ssh/id_offsite-backup.pub";
sopsFile = ./backup.yaml;
};
"restic/offsite/ssh-config" = {
owner = "root";
path = "/root/.ssh/config";
sopsFile = ./backup.yaml;
};
} // lib.mkIf cfg.enable { "restic/password".owner = "root"; };
system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) ''
echo "Linking restic ssh config..."
mkdir -m700 -p /home/root/.ssh/
ln -fs {,/home}/root/.ssh/id_offsite-backup
ln -fs {,/home}/root/.ssh/id_offsite-backup.pub
ln -fs {,/home}/root/.ssh/config
'';
systemd = lib.mkIf cfg.enable {
timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; };
services = {
restic-backups-local.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666";
restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666";
};
};
};
}

199
modules/website.nix
View File

@ -1,199 +0,0 @@
{ config, pkgs, lib, ... }:
let
eachSite = config.services.staticpage.sites;
siteOpts = { lib, ... }: {
options = {
package = lib.mkPackageOption pkgs "page" { };
root = lib.mkOption {
type = lib.types.str;
description = "The Document-Root folder in /var/lib";
};
domain = lib.mkOption {
type = lib.types.str;
example = "example.com";
description = "The staticpage's domain.";
};
subdomain = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = "app";
description = "The staticpage subdomain.";
};
usePHP = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Configure the Nginx Server to use PHP";
};
configureNginx = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Configure the Nginx Server to serve the site with acne";
};
};
};
in
{
options.services.staticpage = {
enable = lib.mkEnableOption "staticpage";
sites = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule siteOpts);
default = { };
description = lib.mdDoc "Specification of one or more Staticpages sites to serve";
};
};
config = lib.mkIf (eachSite != { }) (lib.mkMerge [{
services.nginx = {
virtualHosts = lib.mkMerge [
(lib.mapAttrs'
(name: cfg: {
name = "${(if (cfg.subdomain == null) then "${cfg.domain}" else "${cfg.subdomain}.${cfg.domain}")}";
value = {
root = "/var/lib/www/${cfg.root}";
forceSSL = true;
enableACME = true;
serverAliases = lib.mkIf (cfg.subdomain == null) [ "www.${cfg.domain}" ];
locations."= /favicon.ico" = {
extraConfig = ''
log_not_found off;
access_log off;
'';
};
locations."= /robots.txt" = {
extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
};
locations."~* ^/.well-known/" = {
extraConfig = ''
allow all;
'';
};
locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$" = {
extraConfig = ''
try_files $uri @rewrite;
expires max;
log_not_found off;
'';
};
locations."~ ^/sites/.*/files/styles/" = {
extraConfig = ''
try_files $uri @rewrite;
'';
};
} // lib.optionalAttrs cfg.usePHP {
locations."~ '.php$|^/update.php'" = {
extraConfig = ''
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_pass unix:${config.services.phpfpm.pools.${name}.socket};
fastcgi_index index.php;
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
# Ensure the php file exists. Mitigates CVE-2019-11043
try_files $fastcgi_script_name =404;
# Block httpoxy attacks. See https://httpoxy.org/.
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
'';
};
locations."~ ..*/.*.php$" = {
extraConfig = ''
return 403;
'';
};
locations."~ ^/sites/.*/private/" = {
extraConfig = ''
return 403;
'';
};
locations."~ ^/sites/[^/]+/files/.*.php$" = {
extraConfig = ''
deny all;
'';
};
locations."/" = {
extraConfig = ''
try_files $uri /index.php?$query_string;
'';
};
locations."@rewrite" = {
extraConfig = ''
rewrite ^ /index.php;
'';
};
locations."~ /vendor/.*.php$" = {
extraConfig = ''
deny all;
return 404;
'';
};
locations."~ ^/sites/.*/files/styles/" = {
extraConfig = ''
try_files $uri @rewrite;
'';
};
locations."~ ^(/[a-z-]+)?/system/files/" = {
extraConfig = ''
try_files $uri /index.php?$query_string;
'';
};
} // lib.optionalAttrs (!cfg.usePHP) {
locations."/" = {
extraConfig = ''
index index.html;
try_files $uri $uri/ $uri.html =404;
'';
};
};
})
(lib.filterAttrs (n: v: v.configureNginx) eachSite))
];
};
services.phpfpm.pools = lib.mkMerge [
(lib.mapAttrs
(name: cfg: {
user = "nginx";
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
})
(lib.filterAttrs (n: v: v.usePHP) eachSite))
];
}]);
}