author | Preston Pan <ret2pop@gmail.com> | 2025-02-13 00:29:25 -0800 |
---|---|---|
committer | Preston Pan <ret2pop@gmail.com> | 2025-02-13 00:29:25 -0800 |
commit | 5e02cdc7ed82ac10375cacfca6920f20f5729059 (patch) | |
tree | 53466f89296545a8df26fbc2e30a37a395a0613a /nix | |
parent | f10285de4d0b5c69d026e948a9d9d7278a2ffb64 (diff) |
Add vps capabilities
Diffstat (limited to 'nix')
-rw-r--r-- | nix/modules/cgit.nix | 6 | ||||
-rw-r--r-- | nix/modules/conduit.nix | 12 | ||||
-rw-r--r-- | nix/modules/configuration.nix | 44 | ||||
-rw-r--r-- | nix/modules/git-daemon.nix | 1 | ||||
-rw-r--r-- | nix/modules/gitweb.nix | 7 | ||||
-rw-r--r-- | nix/modules/home/user.nix | 3 | ||||
-rw-r--r-- | nix/modules/home/zsh.nix | 2 | ||||
-rw-r--r-- | nix/modules/nginx.nix | 77 | ||||
-rw-r--r-- | nix/modules/ssh.nix | 8 | ||||
-rw-r--r-- | nix/systems/installer/default.nix | 2 | ||||
-rw-r--r-- | nix/systems/spontaneity/default.nix | 4 |
11 files changed, 128 insertions, 38 deletions
diff --git a/nix/modules/cgit.nix b/nix/modules/cgit.nix new file mode 100644 index 0000000..cfb9158 --- /dev/null +++ b/nix/modules/cgit.nix @@ -0,0 +1,6 @@ +{ config, lib, ... }: +{ + services.cgit = { + enable = true; + }; +} diff --git a/nix/modules/conduit.nix b/nix/modules/conduit.nix new file mode 100644 index 0000000..954e5fc --- /dev/null +++ b/nix/modules/conduit.nix @@ -0,0 +1,12 @@ +{ config, lib, ... }: +{ + services.matrix-conduit = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + # random comment + settings.global = { + server_name = "matrix.ret2pop.net"; + address = "0.0.0.0"; + port = 6167; + }; + }; +} diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index 6f8f314..bd37c77 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -14,6 +14,8 @@ ./dovecot.nix ./ollama.nix ./i2pd.nix + ./gitweb.nix + ./conduit.nix ]; documentation = { @@ -241,6 +243,10 @@ }; security = { + acme = { + acceptTerms = true; + defaults.email = "ret2pop@gmail.com"; + }; apparmor = { enable = true; killUnconfinedConfinables = true; @@ -280,16 +286,39 @@ config.common.default = "*"; }; + environment.etc."gitconfig".text = '' + [init] + defaultBranch = main + ''; + environment.extraInit = '' + umask 0022 + ''; environment.systemPackages = with pkgs; [ restic sbctl git vim curl + nmap + (writeShellScriptBin "new-repo" + '' + #!/bin/bash + cd /srv/git + git init --bare "$1" + vim "$1/description" + chown -R git:git "$1" + '' + ) ]; - users.groups.git = {}; + users.groups.nginx = lib.mkDefault {}; + users.groups.git = lib.mkDefault {}; users.users = { + nginx.group = "nginx"; + nginx.isSystemUser = lib.mkDefault true; + nginx.extraGroups = [ + "acme" + ]; root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" ]; 
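Review bot: cgit.nix is never wired in — the imports hunk in configuration.nix adds only `./gitweb.nix` and `./conduit.nix` — so this file is dead configuration, and if it is imported later it enables cgit unconditionally rather than behind `config.monorepo.profiles.server.enable` like conduit and git-daemon. As far as I recall the NixOS `services.cgit` option is an attribute set of named instances (`services.cgit.<name>.enable`), so `services.cgit.enable = true;` may not even evaluate; please verify against the module. Suggested shape: `services.cgit.ret2pop = { enable = lib.mkDefault config.monorepo.profiles.server.enable; scanPath = "/srv/git"; };`, or delete the file. It would also run alongside gitweb on the same project root, so decide which front end is the public one before importing it.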
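Review bot: `address = "0.0.0.0";` binds conduit's plaintext client/federation port 6167 on every interface, while the nginx vhost added in this commit only ever reaches it at `127.0.0.1:6167`; bind it to loopback instead, `address = "127.0.0.1";`, so the TLS-terminating proxy is the only path in. The spontaneity firewall hunk opens just 80 and 443, so the port is not reachable today, but the loopback bind keeps that true if the firewall list is edited later. `# random comment` should either say something or go. In Matrix the `server_name` becomes part of every user ID and is effectively permanent, which is worth a one-line comment next to it.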
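Review bot: the `new-repo` helper runs `git init --bare "$1"` and a recursive `chown -R git:git "$1"` on an unvalidated argument, and `cd /srv/git` is unchecked, so a name such as `../../etc` or an absolute path escapes `/srv/git` and the chown is applied there as root; fail closed and accept only a plain repository name. The `#!/bin/bash` line is redundant inside `writeShellScriptBin` (it prepends its own shebang, so this becomes a comment). Separately, `environment.extraInit` sets `umask 0022` for every login system-wide, making all newly created files world-readable; if this exists only so nginx/git-daemon can read `/srv/git`, fix ownership on that tree instead and keep the tighter default. `nginx.extraGroups = [ "acme" ]` also looks unnecessary when `enableACME` is used on the vhosts, since as far as I recall the acme module sets the certificate group to nginx's own group (verify).

```nix
(writeShellScriptBin "new-repo" ''
  # Create a bare repository under /srv/git owned by the git user.
  # Runs as root (chown), so the name must not be able to leave /srv/git.
  set -euo pipefail
  name=''${1:?usage: new-repo <name>.git}
  case "$name" in
    ""|.|..|-*|*[!A-Za-z0-9._-]*)
      echo "new-repo: invalid repository name '$name'" >&2
      exit 1 ;;
  esac
  cd /srv/git
  git init --bare -- "$name"
  vim "$name/description"
  chown -R git:git "$name"
'')
# … unchanged: rest of environment.systemPackages, users.groups, users.users …
```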
@@ -299,8 +328,14 @@ home = "/srv/git"; shell = "${pkgs.git}/bin/git-shell"; group = "git"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" + ]; }; "${config.monorepo.vars.userName}" = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" + ]; initialPassword = "${config.monorepo.vars.userName}"; isNormalUser = true; description = config.monorepo.vars.fullName; @@ -314,7 +349,12 @@ "olm-3.2.16" ]; - nix.settings.experimental-features = "nix-command flakes"; + nix = { + settings = { + experimental-features = "nix-command flakes"; + trusted-users = [ "@wheel" ]; + }; + }; time.timeZone = config.monorepo.vars.timeZone; i18n.defaultLocale = "en_CA.UTF-8"; system.stateVersion = "24.11"; diff --git a/nix/modules/git-daemon.nix b/nix/modules/git-daemon.nix index e71356e..e5e2192 100644 --- a/nix/modules/git-daemon.nix +++ b/nix/modules/git-daemon.nix @@ -3,7 +3,6 @@ services.gitDaemon = { enable = lib.mkDefault config.monorepo.profiles.server.enable; exportAll = true; - listenAddress = "0.0.0.0"; basePath = "/srv/git"; }; } diff --git a/nix/modules/gitweb.nix b/nix/modules/gitweb.nix new file mode 100644 index 0000000..51cff87 --- /dev/null +++ b/nix/modules/gitweb.nix @@ -0,0 +1,7 @@ +{ lib, config, ... }: +{ + services.gitweb = { + gitwebTheme = true; + projectroot = "/srv/git/"; + }; +} diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix index 85b6a70..7872d53 100644 --- a/nix/modules/home/user.nix +++ b/nix/modules/home/user.nix @@ -65,7 +65,8 @@ (writeShellScriptBin "remote-build" '' #!/bin/bash -nixos-rebuild --target-host "$1" switch --flake .#spontaneity +cd ~/monorepo/nix +nixos-rebuild --use-remote-sudo --target-host "$1" switch --flake .#spontaneity '' ) (writeShellScriptBin "install-vps" 
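Review bot: the same `ssh-ed25519 … preston@continuity-dell` key is now pasted verbatim into three accounts (root in the previous hunk, `git`, and the main user); hoist it into one binding, e.g. a `config.monorepo.vars.sshKeys` list or `let adminKey = "ssh-ed25519 …"; in`, so rotating it is a one-line change and the three copies cannot drift. For the `git` account, which exists only to serve `git-shell`, consider prefixing the entry with `restrict` (`"restrict ssh-ed25519 …"`) so port, agent and X11 forwarding over that account are refused regardless of the shell. The pre-existing `initialPassword = userName` remains on the main account, and ssh.nix in this commit now enables `PasswordAuthentication` on non-server hosts, so that password needs changing at first login.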
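Review bot: `trusted-users = [ "@wheel" ];` grants every wheel member root-equivalent control of the Nix daemon (trusted users may set arbitrary substituters, sandbox paths and build hooks that run as the daemon) with no sudo prompt or audit line. If the aim is only to let `remote-build` push closures, the `--use-remote-sudo` added in the same commit already goes through sudo on the target, so this may not be needed at all; otherwise name the one deploy account, `trusted-users = [ "root" config.monorepo.vars.userName ];`, and add a comment stating that it is deliberate. The `nix = { settings = { … }; };` block is complete within the hunk.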
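Review bot: `cd ~/monorepo/nix` is unchecked, so if the checkout is missing or moved the script silently deploys `.#spontaneity` from whatever directory it was invoked in. Either guard it, `cd ~/monorepo/nix || exit 1` (or start the script with `set -euo pipefail`), or drop the `cd` and pass the path in the flake ref, `nixos-rebuild --use-remote-sudo --target-host "$1" switch --flake ~/monorepo/nix#spontaneity`. The `#!/bin/bash` line is a no-op here because `writeShellScriptBin` prepends its own shebang. Whether `--use-remote-sudo` succeeds depends on the deploy user having (cached or passwordless) sudo on the target, which is not visible here and deserves a comment.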
diff --git a/nix/modules/home/zsh.nix b/nix/modules/home/zsh.nix
index fc041e9..0c5bced 100644
--- a/nix/modules/home/zsh.nix
+++ b/nix/modules/home/zsh.nix
@@ -3,7 +3,7 @@
 programs.zsh = {
 enable = true;
 initExtra = ''
- umask 0077
+ umask 0022
 export EXTRA_CCFLAGS="-I/usr/include"
 source ${pkgs.zsh-vi-mode}/share/zsh-vi-mode/zsh-vi-mode.plugin.zsh
 export QT_QPA_PLATFORM="wayland"
diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix
index 18becfe..af2d42f 100644
--- a/nix/modules/nginx.nix
+++ b/nix/modules/nginx.nix
@@ -2,7 +2,7 @@
 {
 services.nginx = {
 enable = lib.mkDefault config.monorepo.profiles.server.enable;
-
+ user = "nginx";
 # Use recommended settings
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
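Review bot: loosening the interactive shell's `umask` from `0077` to `0022` makes every file this user creates world-readable by default, on the workstation as well as the server, and the same loosening is applied globally through `environment.extraInit` in configuration.nix in this commit. If the motivation is that nginx and git-daemon must read `/srv/git`, that is better solved where those files are created — a `umask 0022` inside the `new-repo` helper and on the `git` account, or group ownership of the tree — than by weakening the default for all of the user's files; keep `umask 0077` here. If the wider umask really is intended for this shell, a one-line comment saying why would stop the next reviewer reverting it.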
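Review bot: `user = "nginx";` is already the NixOS default for `services.nginx`, and the module creates the `nginx` user and group itself, so this line and the `mkDefault` `users.groups.nginx` / `users.users.nginx` definitions added in configuration.nix in this commit are redundant; if the account is being pinned on purpose (for example so `nginx.extraGroups` can be set), say so in a comment, otherwise drop the line. As far as I recall the module only creates the account while `user` equals `"nginx"`, so renaming it later would silently require defining the account by hand — another reason to leave the default alone.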
@@ -10,37 +10,58 @@ recommendedTlsSettings = true; # Only allow PFS-enabled ciphers with AES256 - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - - appendHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; + # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - # Disable embedding as a frame - add_header X-Frame-Options DENY; + appendHttpConfig = ''''; - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; - - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; -''; + gitweb = { + enable = true; + virtualHost = "ret2pop.net"; + }; virtualHosts = { - "ret2pop.nullring.xyz" = { - # addSSL = true; - # enableACME = true; - root = "/home/preston/ret2pop-website/"; + "matrix.ret2pop.net" = { + enableACME = true; + forceSSL = true; + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + ]; + locations."/_matrix/" = { + proxyPass = "http://127.0.0.1:6167"; + extraConfig = '' + proxy_set_header Host $host; + proxy_buffers 32 16k; + proxy_read_timeout 5m; + ''; + }; + + extraConfig = '' + merge_slashes off; + ''; + }; + "ret2pop.net" = { + serverName = "ret2pop.net"; + root = "/var/www/ret2pop-website/"; + addSSL = true; + enableACME = true; }; }; }; diff --git a/nix/modules/ssh.nix b/nix/modules/ssh.nix index 5c705c9..076ee47 100644 
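Review bot: `appendHttpConfig = '''';` deletes the HSTS, `X-Frame-Options DENY`, `X-Content-Type-Options nosniff` and `Referrer-Policy` headers that were sent on every vhost, and nothing in the new `virtualHosts` re-adds them; at the same time `ret2pop.net` uses `addSSL = true;`, which keeps serving plaintext HTTP with no redirect, so there is now neither a redirect nor an HSTS policy moving clients to TLS. Restore the `add_header` block (keeping the `map $scheme $hsts_header` guard so HSTS is only sent over HTTPS) and switch the site to `forceSSL = true;` to match the matrix vhost; if a header has to be relaxed for one app, do it in that vhost's `extraConfig` rather than globally. Commenting out `sslCiphers` is fine while `recommendedTlsSettings = true;` is in force, but a note saying that is what now supplies the cipher policy would help. The `/_matrix/` proxy forwards only `Host`; add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` so the real client address reaches conduit's logs and rate limiting. `merge_slashes off;` is presumably there for Matrix's double-slash paths and deserves a one-line comment.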
--- a/nix/modules/ssh.nix
+++ b/nix/modules/ssh.nix
@@ -1,11 +1,11 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
 services.openssh = {
 enable = true;
 settings = {
- PasswordAuthentication = true;
- AllowUsers = [ config.monorepo.vars.userName ];
- PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = lib.mkDefault (! config.monorepo.profiles.server.enable);
+ AllowUsers = [ config.monorepo.vars.userName "root" "git" ];
+ PermitRootLogin = "yes";
 KbdInteractiveAuthentication = false;
 };
 };
diff --git a/nix/systems/installer/default.nix b/nix/systems/installer/default.nix
index d3d1693..90a58db 100644
--- a/nix/systems/installer/default.nix
+++ b/nix/systems/installer/default.nix
@@ -21,7 +21,7 @@ in
 enable = true;
 ports = [ 22 ];
 settings = {
- PasswordAuthentication = true;
+ PasswordAuthentication = false;
 AllowUsers = null;
 UseDns = true;
 PermitRootLogin = lib.mkForce "prohibit-password";
diff --git a/nix/systems/spontaneity/default.nix b/nix/systems/spontaneity/default.nix
index df3dc6b..a40c53a 100644
--- a/nix/systems/spontaneity/default.nix
+++ b/nix/systems/spontaneity/default.nix
@@ -17,4 +17,8 @@
 grub.enable = true;
 };
 };
+ config.networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
 } |
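Review bot: `PermitRootLogin = "yes";` is a downgrade from `"prohibit-password"` that buys nothing here — root's access is key-based through `root.openssh.authorizedKeys.keys` in configuration.nix, which `prohibit-password` already permits — while it newly allows root password logins on every non-server host, where `PasswordAuthentication` is now `mkDefault true`. Keep `PermitRootLogin = "prohibit-password";` and leave `"root"` in `AllowUsers` for the key. Adding `"git"` to `AllowUsers` matches the `git-shell` account, but consider an `extraConfig` `Match User git` block with `PasswordAuthentication no` and `AllowTcpForwarding no` (or `restrict` on its key) so that account cannot be used as a tunnel on hosts where passwords are enabled.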
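Review bot: with `PasswordAuthentication = false`, `PermitRootLogin` forced to `prohibit-password` and `AllowUsers = null`, the installer image admits public-key logins only, so it is worth checking that the installer's root (or another) account actually receives an `openssh.authorizedKeys.keys` entry somewhere outside this hunk; nothing in this commit adds one, and without it the live system has no remote way in. A one-line comment pointing at where that key comes from would make the dependency obvious. The enclosing `services.openssh` block starts before the hunk.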
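Review bot: the list opens 80 and 443 but not 8448, while the `matrix.ret2pop.net` vhost in nginx.nix in this commit explicitly listens on `0.0.0.0:8448` and `[::]:8448` for Matrix federation; either add `8448` here or publish a `/.well-known/matrix/server` delegation to port 443 and drop the 8448 listeners, otherwise federation from other homeservers will time out. Leaving 6167 (conduit) and 9418 (git-daemon, which `exportAll`s `/srv/git`) closed is right, and a comment saying so would stop someone "fixing" it later, e.g. `allowedTCPPorts = [ 80 443 ]; # nginx only; conduit/git-daemon stay behind the proxy or loopback`.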