[meta] get started on subterranean-animism

pull/37/head
Alpha Chen 3 years ago
parent 00d1635424
commit c82ac1a501

@ -1,4 +1,8 @@
.PHONY: subterranean-animism
subterranean-animism:
rsync -avz --delete subterranean-animism/ subterranean-animism:/etc/nixos
rsync --recursive --perms --compress --delete --progress --human-readable \
subterranean-animism/*.nix subterranean-animism:/etc/nixos
rsync --perms --compress --progress --human-readable \
subterranean-animism/private/* subterranean-animism:/etc/nixos
ssh subterranean-animism chown mysql:mysql /etc/nixos/mysql-config
ssh subterranean-animism nixos-rebuild switch
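Review bot: The `rsync --perms ... subterranean-animism/private/* subterranean-animism:/etc/nixos` line copies the secret files with whatever mode they have in the local checkout and nothing pins it, so a lax local mode becomes world-readable secrets under /etc/nixos on the host (per the other hunks, `minio-credentials` carries the MinIO root credentials as an EnvironmentFile and `mysql-config` is piped straight into `mysql`). Add an explicit mode on that rsync, e.g. `--chmod=F600`; the following `chown mysql:mysql` then covers the one file the mysql user must read, and `minio-credentials` stays root-owned, which is all systemd needs to load an EnvironmentFile. Separately, `--delete` on the `*.nix` rsync most likely does nothing, since rsync only deletes when a directory is transferred, so stale modules removed from the repo linger in /etc/nixos.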

@ -1,9 +1,14 @@
{ config, pkgs, ... }:
{
let
private = import ./private.nix;
in {
imports =
[ ./hardware-configuration.nix # Include the results of the hardware scan.
./linode.nix
./minio.nix
./mysql.nix
./monica.nix
];
# Use the GRUB 2 boot loader.
@ -30,6 +35,15 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
email = private.acmeEmail;
};
services.nginx.enable = true;
services.openssh = {
enable = true;
permitRootLogin = "yes";
@ -40,4 +54,3 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPgX0tA28NO3djYaV++JxggR0t47xou+R0HQVwVjzj8s"
];
}
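Review bot: `private = import ./private.nix;` in the second hunk reads a file that is not in the repository and nothing says where it comes from; the relative import only resolves because the Makefile flattens `subterranean-animism/private/*` into /etc/nixos before `nixos-rebuild`. A comment at the binding, `# private.nix is deployed by the Makefile from subterranean-animism/private/, not tracked here`, would spare the next reader the hunt. Also worth stating in that comment: anything read through `private.*` that reaches a derivation is copied into the world-readable Nix store (`private.minioHost` becomes a `server_name` in the generated nginx.conf, and `private.acmeEmail` presumably lands in the ACME renewal unit), so this file should hold only non-secret settings, with real secrets kept in path-referenced files such as `minio-credentials` as minio.nix does. The `services.openssh` block continues past the third hunk.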

@ -0,0 +1,49 @@
{ config, pkgs, ... }:
let
private = import ./private.nix;
minioCredentialsFile = "/etc/nixos/minio-credentials";
in {
environment.systemPackages = with pkgs; [
minio-client
];
# https://github.com/NixOS/nixpkgs/blob/nixos-21.11/nixos/modules/services/web-servers/minio.nix
services.minio = {
enable = true;
rootCredentialsFile = minioCredentialsFile;
};
services.nginx = {
virtualHosts."${private.minioHost}" = {
addSSL = true;
enableACME = true;
extraConfig = ''
# To allow special characters in headers
ignore_invalid_headers off;
# Allow any size file to be uploaded.
# Set to a value such as 1000m; to restrict file size to a specific value
client_max_body_size 0;
# To disable buffering
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://localhost:9001";
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_connect_timeout 300;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
'';
};
};
};
}
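Review bot: The `locations."/"` block proxies the whole public ACME vhost to port 9001, which in the 21.11 minio module is the default console address (the S3 API on 9000 is what monica.nix proxies under `/monica`), and nothing on the page says whether the operator UI is meant to be reachable from the internet. If it is only for the operator, restrict that location with an nginx `allow`/`deny` list in its `extraConfig`, and a comment such as `# 9001 = MinIO console (operator UI); the S3 API on 9000 is proxied per bucket in monica.nix` would make the port split explicit, since the copied MinIO nginx snippet (`client_max_body_size 0`, `ignore_invalid_headers off`) reads as if it were fronting the API. Minor: `minioCredentialsFile = "/etc/nixos/minio-credentials"` is repeated as a literal in monica.nix, so the two can drift.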

@ -0,0 +1,91 @@
{ config, pkgs, ... }:
let
private = import ./private.nix;
minioCredentialsFile = "/etc/nixos/minio-credentials";
bucket = "monica";
policy = pkgs.writeText "monica-bucket-policy.json" ''
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Monica",
"Effect": "Allow",
"Action": [ "s3:*" ],
"Resource": [ "arn:aws:s3:::monica", "arn:aws:s3:::monica/*" ]
}
]
}
'';
in {
services.nginx.virtualHosts."${private.minioHost}" = {
locations."/monica" = {
proxyPass = "http://localhost:9000";
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_connect_timeout 300;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
'';
};
};
services.mysql = {
ensureDatabases = [ "monica" ];
ensureUsers = [
{
name = "monica";
ensurePermissions = {
"monica.*" = "ALL PRIVILEGES";
};
}
];
};
# https://gist.github.com/expipiplus1/1bf5eea2ac58458134a6c0f9c15afd78
systemd.services.monica-minio-config = {
enable = true;
path = [ pkgs.minio pkgs.minio-client ];
requiredBy = [ "multi-user.target" ];
after = [ "minio.service" ];
serviceConfig = {
Type = "simple";
User = "minio";
Group = "minio";
RuntimeDirectory = "minio-config";
EnvironmentFile = minioCredentialsFile;
};
script = ''
set -e
CONFIG_DIR=$RUNTIME_DIRECTORY
mc --config-dir "$CONFIG_DIR" config host add minio http://localhost:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"
mc --config-dir "$CONFIG_DIR" admin user add minio "$MONICA_ACCESS_KEY" "$MONICA_SECRET_KEY"
mc --config-dir "$CONFIG_DIR" admin policy add minio POLICY "${policy}"
mc --config-dir "$CONFIG_DIR" admin policy set minio POLICY user="$MONICA_ACCESS_KEY"
mc --config-dir "$CONFIG_DIR" mb --ignore-existing minio/monica
'';
};
systemd.services.monica-mysql-config = {
enable = true;
path = [ pkgs.mysql ];
requiredBy = [ "multi-user.target" ];
after = [ "mysql.service" ];
serviceConfig = {
Type = "simple";
User = "mysql";
Group = "mysql";
RuntimeDirectory = "mysql-config";
};
script = ''
set -e
mysql < /etc/nixos/mysql-config
'';
};
}
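Review bot: The `monica-minio-config` script hands the MinIO root password and the new user's secret key to `mc` as command-line arguments (the `config host add` and `admin user add` lines), so they are visible to every local account in the process list while each command runs. `mc` can take the alias from the environment instead, so the first line can become `export MC_HOST_minio="http://$MINIO_ROOT_USER:$MINIO_ROOT_PASSWORD@localhost:9000"` (URL-encode the password if it contains reserved characters) with the `config host add` call dropped; that gets at least the root credentials off the command line. `Type = "simple"` for a run-once script is better written as `Type = "oneshot"` with `RemainAfterExit = true`, so dependents wait for it to finish rather than treating the unit as up the moment the shell starts. The `services.mysql` block and `monica-mysql-config` here duplicate `services.mysql` and `mysql-config` in mysql.nix (same database, same user, same `mysql < /etc/nixos/mysql-config`); keep one copy.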

@ -0,0 +1,36 @@
{ pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [ 3306 ];
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ "monica" ];
ensureUsers = [
{
name = "monica";
ensurePermissions = {
"monica.*" = "ALL PRIVILEGES";
};
}
];
};
systemd.services.mysql-config = {
enable = true;
path = [ pkgs.mysql ];
requiredBy = [ "multi-user.target" ];
after = [ "mysql.service" ];
serviceConfig = {
Type = "simple";
User = "mysql";
Group = "mysql";
RuntimeDirectory = "mysql-config";
};
script = ''
set -e
mysql < /etc/nixos/mysql-config
'';
};
}
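Review bot: `networking.firewall.allowedTCPPorts = [ 3306 ];` at the top of this file exposes MariaDB on every interface the host has, and configuration.nix imports `./linode.nix`, so that is a public address; nothing in the commit needs a remote database client, the `monica` user is created through `ensureUsers` for local use. Drop the firewall line (the socket and loopback keep working) and pin the listener with `services.mysql.settings.mysqld.bind-address = "127.0.0.1";` so the daemon does not listen on the public interface at all; if a remote peer is genuinely required, open the port for that peer only via `networking.firewall.extraCommands`. As in monica.nix, `Type = "simple"` on the run-once `mysql-config` service should be `Type = "oneshot"` with `RemainAfterExit = true`.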