From f2c3f279d54f5127c7f0d796d0afc7e57415766f Mon Sep 17 00:00:00 2001
From: Dennis Wuitz
Date: Sat, 23 Dec 2023 07:39:10 +0100
Subject: [PATCH] add system palatine-hill
---
 flake.nix | 6 +-
 systems/configuration.nix | 2 -
 systems/palatine-hill/conf/haproxy.conf | 127 ++++++++++++++++++++++++
 systems/palatine-hill/configuration.nix | 48 +++++++++
 4 files changed, 180 insertions(+), 3 deletions(-)
 create mode 100644 systems/palatine-hill/conf/haproxy.conf
 create mode 100644 systems/palatine-hill/configuration.nix
diff --git a/flake.nix b/flake.nix
index eb4a986..3468c3a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,5 +1,5 @@
 {
- description = "NixOS configuration for Wavelens Servers";
+ description = "NixOS configuration for RAD-Development Servers";
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
@@ -38,6 +38,10 @@
 photon = constructSystem {
 hostname = "photon"
 };
+
+ palatine-hill = constructSystem {
+ hostname = "palatine-hill"
+ };
 };
 };
 }
diff --git a/systems/configuration.nix b/systems/configuration.nix
index 2f1c738..52eb237 100644
--- a/systems/configuration.nix
+++ b/systems/configuration.nix
@@ -1,7 +1,6 @@
 { pkgs, lib, config, ... }:
 let
 in {
- time.timeZone = "UTC";
 i18n = {
 defaultLocale = "en_US.utf8";
@@ -11,7 +10,6 @@ in {
 ];
 };
- console.keyMap = "de";
 networking.firewall.allowedTCPPorts = [ 22 ];
diff --git a/systems/palatine-hill/conf/haproxy.conf b/systems/palatine-hill/conf/haproxy.conf
new file mode 100644
index 0000000..1074127
--- /dev/null
+++ b/systems/palatine-hill/conf/haproxy.conf
@@ -0,0 +1,127 @@
+global
+# stats socket /var/run/api.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
+ # log stdout format raw local0 info
+ log stdout format raw local0
+ crt-base /etc/ssl/certs/
+
+defaults
+ log global
+ mode http
+ timeout client 2000m
+ timeout connect 200s
+ timeout server 2000m
+ timeout http-request 2000m
+
+#Application Setup
+frontend ContentSwitching
+ bind *:80
+ # bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
+ bind *:443 ssl crt /ZFS/ZFS-primary/docker/haproxy/certs/origin_ca_ecc_root_new.pem
+ mode http
+ option httplog
+
+ # max-age is mandatory
+ # 16000000 seconds is a bit more than 6 months
+ #http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+
+ # Front-end acess control list
+# acl host_www hdr(host) -i www.alicehuston.xyz
+# acl host_www hdr(host) -i alicehuston.xyz
+# acl host_ldapui hdr(host) -i authui.alicehuston.xyz
+ acl host_glances hdr(host) -i monit.alicehuston.xyz
+ acl host_glances hdr(host) -i glances.alicehuston.xyz
+# acl host_netdata hdr(host) -i netdata.alicehuston.xyz
+ #acl host_terraria hdr(host) -i terraria.alicehuston.xyz
+ acl host_nextcloud hdr(host) -i nextcloud.alicehuston.xyz
+ #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
+# acl host_collabora hdr(host) -i collabora.alicehuston.xyz
+ # Backend-forwarding
+# use_backend www_nodes if host_www
+# use_backend ldapui_nodes if host_ldapui
+ use_backend glances_nodes if host_glances
+# use_backend netdata_nodes if host_netdata
+ # use_backend terraria_nodes if host_terraria
+ use_backend nextcloud_nodes if host_nextcloud
+ #use_backend nextcloud_vol_nodes if host_nextcloud_vol
+# use_backend collabora_nodes if host_collabora
+
+#frontend ldap
+# bind *:389
+# bind *:636 ssl crt /etc/ssl/certs/cloudflare.pem
+# mode tcp
+# option tcplog
+# acl host_ldap hdr(host) -i auth.alicehuston.xyz
+# use_backend ldap_nodes if host_ldap
+
+backend nextcloud_nodes
+ mode http
+ server server 127.0.0.1:9999
+ acl url_discovery path /.well-known/caldav /.well-known/carddav
+ http-request redirect location /remote.php/dav/ code 301 if url_discovery
+ acl h_xfh_exists req.hdr(X-Forwarded-Host) -m found
+ http-request set-header X-Forwarded-Host %[req.hdr(host)] unless h_xfh_exists
+ acl h_xfport_exists req.hdr(X-Forwarded-Port) -m found
+ http-request set-header X-Forwarded-Port %[dst_port] unless h_xfport_exists
+ acl h_xfproto_exists req.hdr(X-Forwarded-Proto) -m found
+ http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !h_xfproto_exists
+ http-request set-header X-Forwarded-Proto https if { ssl_fc } !h_xfproto_exists
+
+#backend nextcloud_nodes
+# mode http
+# server nxserver nextcloud:80
+# acl url_discovery path /.well-known/caldav /.well-known/carddav
+# http-request redirect location /remote.php/dav/ code 301 if url_discovery
+# http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+
+#backend nextcloud_vol_nodes
+# mode http
+# server server nextcloud-vol:80
+# acl url_discovery path /.well-known/caldav /.well-known/carddav
+# http-request redirect location /remote.php/dav/ code 301 if url_discovery
+# http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+
+#backend terraria_nodes
+# mode http
+# server server terraria:6526
+
+#backend collabora_nodes
+# mode http
+# server server collabora:9980
+
+#backend www_nodes
+# mode http
+# server server grafana:3000
+
+#backend ldap_nodes
+# mode tcp
+# balance roundrobin
+# option ldap-check
+# server ldap1 192.168.76.2:1636 ssl ca-file /etc/ssl/certs/origin_ca_rsa_root.pem
+#
+#backend ldapui_nodes
+# mode http
+# server server 192.168.76.2:18081
+
+backend glances_nodes
+ mode http
+ server server 127.0.0.1:61208
+
+#backend netdata_nodes
+# mode http
+# server server 192.168.76.2:19999
+
+# backend dnd_nodes
+# mode http
+# server server foundry:30000
+# acl host_www hdr(host) -i www.tmmworkshop.com
+
+
+#frontend minecraft
+# mode tcp
+# bind :25565
+# default_backend router_nodes
+
+
+#backend router_nodes
+# mode tcp
+# server s1 mc-router:25565
\ No newline at end of file
diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix
new file mode 100644
index 0000000..d2337f0
--- /dev/null
+++ b/systems/palatine-hill/configuration.nix
@@ -0,0 +1,48 @@
+{ pkgs, lib, config, ... }:
+let
+in {
+ time.timeZone = "America/New_York";
+ console.keyMap = "us";
+
+ virtualisation = {
+ docker = {
+ enable = true;
+ recommendedDefaults = true;
+ logDriver = "local";
+ daemon."settings" = {
+ exec-opts = [ "native.cgroupdriver=systemd" ];
+ log-opts = {
+ max-size = "10m";
+ max-file = "5";
+ };
+ data-root = "/var/lib/docker2";
+ };
+ storageDriver = "overlay2";
+ };
+
+ podman = {
+ enable = true;
+ recommendedDefaults = true;
+ };
+ };
+
+ users.users.brain = {
+ extraGroups = [ "docker" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ docker-compose
+ ];
+
+ services = {
+ samba.enable = true;
+ nfs.server.enable = true;
+
+ haproxy = {
+ enable = true;
+ config = builtins.readFile ./conf/haproxy.conf;
+ };
+ };
+
+ networking.firewall.enable = false;
+}
\ No newline at end of file
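Review bot: In `backend nextcloud_nodes` the `unless h_xfh_exists`, `unless h_xfport_exists` and `!h_xfproto_exists` guards only set X-Forwarded-Host, X-Forwarded-Port and X-Forwarded-Proto when the request did not already carry them, but `frontend ContentSwitching` binds directly on `*:80` and `*:443`, so nothing in this file prevents a client from supplying its own values and having Nextcloud rely on them for redirect targets and scheme detection. Set the three headers unconditionally from what HAProxy itself observed (rewritten below), or `http-request del-header` them in the frontend if a trusted upstream proxy is meant to be the only source. `timeout http-request 2000m` also leaves a connection slot open for roughly 33 hours while a client is still sending headers; a value in the tens of seconds is the usual choice, with `timeout tunnel` covering the long-lived websocket traffic the 2000m client/server values appear to be intended for. The HSTS `http-response set-header` remains commented out, and the `crt` path `origin_ca_ecc_root_new.pem` reads like a CA root rather than the server certificate plus private key HAProxy expects on a `bind ... ssl crt` line, so it is worth confirming what that file actually contains. Roughly half of the file is commented-out backends and frontends (ldap, terraria, collabora, www, minecraft, dnd) that make the live routing harder to audit; a short comment on why they are kept, or removing them, would help.
```haproxy
backend nextcloud_nodes
    # … unchanged: mode, server, url_discovery acl and /remote.php/dav/ redirect …
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
```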
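Review bot: `networking.firewall.enable = false;` on the last line disables the host firewall entirely, overriding the `allowedTCPPorts = [ 22 ];` restriction that the shared `systems/configuration.nix` applies, so Samba, the NFS server, HAProxy on 80/443 and any port the Docker/Podman containers publish become reachable on every interface this host has. Keep the firewall on and open what HAProxy needs, `networking.firewall.allowedTCPPorts = [ 80 443 ];`, adding the Samba/NFS ports only for the interfaces that should serve them; if Docker's own iptables handling was the reason for turning it off, that deserves a comment rather than a global disable. `services.samba.enable = true;` and `services.nfs.server.enable = true;` come with no `shares`/`exports` in this file, so a comment saying where those are configured, or leaving them off until they are, would make the intent clear. `users.users.brain` is given `extraGroups = [ "docker" ];`, which amounts to root-equivalent access through the Docker socket; a one-line comment acknowledging that, and confirming `brain` is declared elsewhere since no `isNormalUser` appears here, would help the next reader.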