[meta] get started on subterranean-animism

meta/linode/Makefile

@@ -1,4 +1,8 @@
 .PHONY: subterranean-animism
 subterranean-animism:
-	rsync -avz --delete subterranean-animism/ subterranean-animism:/etc/nixos
+	rsync --recursive --perms --compress --delete --progress --human-readable \
+		subterranean-animism/*.nix subterranean-animism:/etc/nixos
+	rsync --perms --compress --progress --human-readable \
+		subterranean-animism/private/* subterranean-animism:/etc/nixos
+	ssh subterranean-animism chown mysql:mysql /etc/nixos/mysql-config
 	ssh subterranean-animism nixos-rebuild switch

meta/linode/subterranean-animism/configuration.nix

@@ -1,9 +1,14 @@
 { config, pkgs, ... }:
 
-{
+let
+  private = import ./private.nix;
+in {
   imports =
     [ ./hardware-configuration.nix # Include the results of the hardware scan.
       ./linode.nix
+      ./minio.nix
+      ./mysql.nix
+      ./monica.nix
     ];
 
   # Use the GRUB 2 boot loader.
@@ -30,6 +35,15 @@
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "21.11"; # Did you read the comment?
 
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    email = private.acmeEmail;
+  };
+
+  services.nginx.enable = true;
+
   services.openssh = {
     enable = true;
     permitRootLogin = "yes";
@@ -40,4 +54,3 @@
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPgX0tA28NO3djYaV++JxggR0t47xou+R0HQVwVjzj8s"
   ];
 }
-

meta/linode/subterranean-animism/minio.nix

@@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+
+let
+  private = import ./private.nix;
+  minioCredentialsFile = "/etc/nixos/minio-credentials";
+in {
+  environment.systemPackages = with pkgs; [
+    minio-client
+  ];
+
+  # https://github.com/NixOS/nixpkgs/blob/nixos-21.11/nixos/modules/services/web-servers/minio.nix
+  services.minio = {
+    enable = true;
+    rootCredentialsFile = minioCredentialsFile;
+  };
+
+  services.nginx = {
+    virtualHosts."${private.minioHost}" = {
+      addSSL = true;
+      enableACME = true;
+
+      extraConfig = ''
+        # To allow special characters in headers
+        ignore_invalid_headers off;
+        # Allow any size file to be uploaded.
+        # Set to a value such as 1000m; to restrict file size to a specific value
+        client_max_body_size 0;
+        # To disable buffering
+        proxy_buffering off;
+      '';
+
+      locations."/" = {
+        proxyPass = "http://localhost:9001";
+        extraConfig = ''
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host $host;
+
+          proxy_connect_timeout 300;
+          # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+          proxy_http_version 1.1;
+          proxy_set_header Connection "";
+          chunked_transfer_encoding off;
+        '';
+      };
+    };
+  };
+}

meta/linode/subterranean-animism/monica.nix

@@ -0,0 +1,91 @@
+{ config, pkgs, ... }:
+
+let
+  private = import ./private.nix;
+  minioCredentialsFile = "/etc/nixos/minio-credentials";
+  bucket = "monica";
+  policy = pkgs.writeText "monica-bucket-policy.json" ''
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "Monica",
+          "Effect": "Allow",
+          "Action": [ "s3:*" ],
+          "Resource": [ "arn:aws:s3:::monica", "arn:aws:s3:::monica/*" ]
+        }
+      ]
+    }
+  '';
+in {
+  services.nginx.virtualHosts."${private.minioHost}" = {
+    locations."/monica" = {
+      proxyPass = "http://localhost:9000";
+      extraConfig = ''
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        proxy_connect_timeout 300;
+        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        chunked_transfer_encoding off;
+      '';
+    };
+  };
+
+  services.mysql = {
+    ensureDatabases = [ "monica" ];
+    ensureUsers = [
+      {
+        name = "monica";
+        ensurePermissions = {
+          "monica.*" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+  };
+
+  # https://gist.github.com/expipiplus1/1bf5eea2ac58458134a6c0f9c15afd78
+  systemd.services.monica-minio-config = {
+    enable = true;
+    path = [ pkgs.minio pkgs.minio-client ];
+    requiredBy = [ "multi-user.target" ];
+    after = [ "minio.service" ];
+    serviceConfig = {
+      Type = "simple";
+      User = "minio";
+      Group = "minio";
+      RuntimeDirectory = "minio-config";
+      EnvironmentFile = minioCredentialsFile;
+    };
+    script = ''
+      set -e
+      CONFIG_DIR=$RUNTIME_DIRECTORY
+      mc --config-dir "$CONFIG_DIR" config host add minio http://localhost:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"
+      mc --config-dir "$CONFIG_DIR" admin user add minio "$MONICA_ACCESS_KEY" "$MONICA_SECRET_KEY"
+      mc --config-dir "$CONFIG_DIR" admin policy add minio POLICY "${policy}"
+      mc --config-dir "$CONFIG_DIR" admin policy set minio POLICY user="$MONICA_ACCESS_KEY"
+      mc --config-dir "$CONFIG_DIR" mb --ignore-existing minio/monica
+    '';
+  };
+
+  systemd.services.monica-mysql-config = {
+    enable = true;
+    path = [ pkgs.mysql ];
+    requiredBy = [ "multi-user.target" ];
+    after = [ "mysql.service" ];
+    serviceConfig = {
+      Type = "simple";
+      User = "mysql";
+      Group = "mysql";
+      RuntimeDirectory = "mysql-config";
+    };
+    script = ''
+      set -e
+      mysql < /etc/nixos/mysql-config
+    '';
+  };
+}

meta/linode/subterranean-animism/mysql.nix

@@ -0,0 +1,36 @@
+{ pkgs, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 3306 ];
+
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    ensureDatabases = [ "monica" ];
+    ensureUsers = [
+      {
+        name = "monica";
+        ensurePermissions = {
+          "monica.*" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+  };
+
+  systemd.services.mysql-config = {
+    enable = true;
+    path = [ pkgs.mysql ];
+    requiredBy = [ "multi-user.target" ];
+    after = [ "mysql.service" ];
+    serviceConfig = {
+      Type = "simple";
+      User = "mysql";
+      Group = "mysql";
+      RuntimeDirectory = "mysql-config";
+    };
+    script = ''
+      set -e
+      mysql < /etc/nixos/mysql-config
+    '';
+  };
+}