diff --git a/.gitignore b/.gitignore
index 7f22b60..c128f6d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .envrc
 .terraform
+matrix_reg_key
diff --git a/nixos_configs/git.nix b/nixos_configs/git.nix
new file mode 100644
index 0000000..1d9f9d9
--- /dev/null
+++ b/nixos_configs/git.nix
@@ -0,0 +1,43 @@
+{ modulesPath, config, lib, pkgs, ... }:
+let
+ storage-device = "/dev/disk/by-id/scsi-0DO_Volume_git-storage-1";
+ storage-dir = "/srv";
+in
+{
+ imports = [
+ "${toString modulesPath}/virtualisation/digital-ocean-image.nix"
+ ];
+
+ fileSystems."${storage-dir}" = {
+ device = storage-device;
+ };
+
+ environment.systemPackages = with pkgs;
+ [ jq git gitolite lighttpd cgit ];
+ services.openssh.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ (builtins.readFile "/home/mike/.ssh/id_mops.pub")
+ ];
+
+ services.gitolite = {
+ enable = true;
+ adminPubkey = "ssh-rsa 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 mike@betamike.com";
+ # need an intermediate data directory with permissions for the gitolite user
+ # otherwise this won't work between instances of the droplet
+ dataDir = "${storage-dir}/data/gitolite";
+ };
+
+ users.users.lighttpd.extraGroups = [ "gitolite" ];
+
+ services.lighttpd.enable = true;
+ services.lighttpd.cgit = {
+ enable = true;
+ configText = ''
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ project-list=/srv/data/gitolite/projects.list
+ scan-path=/srv/data/gitolite/repositories
+ '';
+ };
+}
diff --git a/nixos_configs/matrix.nix b/nixos_configs/matrix.nix
index adb0217..ae25706 100644
--- a/nixos_configs/matrix.nix
+++ b/nixos_configs/matrix.nix
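Review bot: In the git.nix hunk the cgit configText hard-codes `/srv/data/gitolite/projects.list` and `/srv/data/gitolite/repositories` while the gitolite block derives its dataDir from `${storage-dir}`, so changing either binding silently breaks the other; referencing the option keeps them in step: `project-list=${config.services.gitolite.dataDir}/projects.list` and `scan-path=${config.services.gitolite.dataDir}/repositories`. Separately, `builtins.readFile "/home/mike/.ssh/id_mops.pub"` reads an absolute path on the evaluating machine, so which key becomes root's authorized key depends on who runs the deploy rather than on the repository; a path relative to the config (as matrix.nix does with `./matrix_reg_key`) or the literal public key, as already done for adminPubkey, makes that explicit. The firewall also opens 443, but nothing in this file configures TLS for lighttpd, so cgit appears to be served over plain HTTP only — worth confirming that is intended.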
@@ -1,8 +1,10 @@
 # adapted from https://nixos.org/manual/nixos/stable/index.html#module-services-matrix
 { modulesPath, config, lib, pkgs, ... }:
 let
+ matrix-registration = import ../../matrix-registration/default.nix;
 storage-device = "/dev/disk/by-id/scsi-0DO_Volume_matrix-storage";
 storage-dir = "/opt/matrix-data";
+ matrix-reg-dir = "${storage-dir}/matrix-registration";
 matrix-reg-key = (builtins.readFile ./matrix_reg_key);
 fqdn = let
@@ -13,7 +15,7 @@ in {
 "${toString modulesPath}/virtualisation/digital-ocean-image.nix"
 ];
- environment.systemPackages = [ pkgs.jq ];
+ environment.systemPackages = [ pkgs.jq matrix-registration ];
 services.openssh.enable = true;
 networking.firewall.allowedTCPPorts = [ 22 80 443 ];
@@ -80,8 +82,11 @@ in {
 return 200 '${builtins.toJSON client}';
 '';
 locations."/".extraConfig = ''
- return 301 https://chat.waffle.farm;
+ return 301 https://waffle.farm/register;
 '';
+ locations."~ ^/(static|register)" = {
+ proxyPass = "http://localhost:5000";
+ };
 };
 # Reverse proxy for Matrix client-server and server-server communication
@@ -122,6 +127,10 @@ in {
 enable = true;
 server_name = config.networking.domain;
 registration_shared_secret = matrix-reg-key;
+ extraConfig = ''
+ auto_join_rooms:
+ - "#cryptic-chat:waffle.farm"
+ '';
 listeners = [ {
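Review bot: `import ../../matrix-registration/default.nix` in the first hunk resolves to a directory outside this repository, so the package that ends up in `environment.systemPackages` and in the service's ExecStart is whatever revision happens to be checked out beside this checkout at deploy time, and evaluation fails on a machine without that sibling directory. Pinning the source makes the deployment reproducible and reviewable, for example `matrix-registration = import (builtins.fetchGit { url = "<repo-url>"; rev = "<commit>"; });` with the placeholders filled in, or a flake input carrying the same pin. If the relative path is deliberate for local development, a comment on that line saying so would save the next reader the question.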
@@ -145,4 +154,54 @@ in {
 "${config.networking.domain}".email = "mike@betamike.com";
 "chat.${config.networking.domain}".email = "mike@betamike.com";
 };
+ users.users.matrix-registration = {
+ home = matrix-reg-dir;
+ createHome = true;
+ };
+
+ systemd.services.matrix-registration = let
+ configFile = pkgs.writeText "matrix-reg-config.yaml" ''
+server_location: 'https://matrix.waffle.farm:443'
+server_name: 'waffle.farm'
+shared_secret: '${matrix-reg-key}'
+riot_instance: 'chat.waffle.farm'
+db: 'sqlite:///${matrix-reg-dir}/db.sqlite3'
+host: 'localhost'
+port: 5000
+rate_limit: ["100 per day", "10 per minute"]
+allow_cors: false
+logging:
+ disable_existing_loggers: False
+ version: 1
+ root:
+ level: DEBUG
+ handlers: [console]
+ formatters:
+ brief:
+ format: '%(name)s - %(levelname)s - %(message)s'
+ precise:
+ format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+ handlers:
+ console:
+ class: logging.StreamHandler
+ level: INFO
+ formatter: brief
+ stream: ext://sys.stdout
+password:
+ min_length: 8
+ '';
+ in {
+ enable = true;
+ after = [ "matrix-synapse.service" ];
+ bindsTo = [ "matrix-synapse.service" ];
+ description = "Matrix-registration daemon";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ WorkingDirectory = matrix-registration;
+ ExecStart = "${matrix-registration}/bin/matrix-registration --config-path ${configFile} serve";
+ User = "matrix-registration";
+ Restart = "always";
+ };
+ };
 }
diff --git a/terraform/git.tf b/terraform/git.tf
new file mode 100644
index 0000000..85a33f9
--- /dev/null
+++ b/terraform/git.tf
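Review bot: `shared_secret: '${matrix-reg-key}'` interpolates the registration shared secret into `pkgs.writeText`, which places the rendered YAML in /nix/store where every local user on the droplet can read it. If the tool can take the secret from a file, keep it out of the store by writing the config without that line and pointing the service at a mode-0600 file owned by matrix-registration under `${matrix-reg-dir}`, or handing it in with systemd's `LoadCredential=`; the same applies to the existing `registration_shared_secret = matrix-reg-key` in the synapse block. Also `builtins.readFile ./matrix_reg_key` keeps a trailing newline if the file has one, and inside this single-quoted YAML scalar that would likely fold a trailing space into the secret; `lib.fileContents ./matrix_reg_key` strips it. Finally, `users.users.matrix-registration` sets neither `isSystemUser` nor `group`; recent NixOS releases assert that one of `isSystemUser`/`isNormalUser` is set, so `isSystemUser = true; group = "matrix-registration";` with a matching `users.groups.matrix-registration = {};` avoids that evaluation error, depending on the nixpkgs revision deployed.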
@@ -0,0 +1,35 @@
+resource "digitalocean_volume" "git" {
+ region = "nyc3"
+ name = "git-storage-1"
+ size = 1
+ initial_filesystem_type = "ext4"
+}
+
+resource "digitalocean_droplet" "git-1" {
+ name = "git-1"
+
+ image = data.digitalocean_image.nixos_base.id
+ region = "nyc3"
+ size = "s-1vcpu-1gb"
+
+ ssh_keys = [data.digitalocean_ssh_key.mops.id]
+}
+
+resource "digitalocean_volume_attachment" "git" {
+ droplet_id = digitalocean_droplet.git-1.id
+ volume_id = digitalocean_volume.git.id
+}
+
+module "deploy_nixos_git" {
+ source = "github.com/tweag/terraform-nixos//deploy_nixos?ref=d055d2180da230e47ba9082fc53a8b7d1fadbc43"
+
+ nixos_config = "../nixos_configs/git.nix"
+
+ target_user = "root"
+ target_host = digitalocean_droplet.git-1.ipv4_address
+
+ triggers = {
+ // Also re-deploy whenever the VM is re-created
+ instance_id = digitalocean_droplet.git-1.id
+ }
+}
diff --git a/terraform/matrix.tf b/terraform/matrix.tf
index 36e8905..0b7f9ff 100644
--- a/terraform/matrix.tf
+++ b/terraform/matrix.tf
@@ -14,7 +14,7 @@ resource "digitalocean_droplet" "matrix-0" {
 image = data.digitalocean_image.nixos_base.id
 region = "nyc3"
- size = "s-1vcpu-1gb"
+ size = "s-2vcpu-2gb"
 ssh_keys = [data.digitalocean_ssh_key.mops.id]
 }
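Review bot: `module "deploy_nixos_git"` references only the droplet, so Terraform may run the NixOS deploy before `digitalocean_volume_attachment.git` has attached the volume, and the `fileSystems."${storage-dir}"` entry ("/srv") in git.nix would then name a device that does not exist yet, which can leave the rebuilt system unable to boot. Adding `depends_on = [digitalocean_volume_attachment.git]` to the module block orders the deploy after the attachment, and listing the attachment id in `triggers` would re-deploy if the volume is ever re-attached. Whether the tweag deploy module tolerates a missing mount on first activation is not visible here, so this is worth confirming against its behaviour.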