Merge remote-tracking branch 'gum/master'

2021-01-05 13:36:52 +01:00 · 2021-01-05 13:36:52 +01:00 · 81c31869c2
commit 81c31869c2
parent c56d012b26 d34dc528ee
6 changed files with 100 additions and 204 deletions
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@ -243,6 +243,8 @@ in {
            "wiki.makefu.r"
            "warrior.gum.r"
            "sick.makefu.r"
+            "dl.gum.r"
+            "dl.makefu.r"
          ];
        };
      };
--- a/makefu/0tests/data/secrets/dl.gum-auth.nix
+++ b/makefu/0tests/data/secrets/dl.gum-auth.nix
@ -0,0 +1,2 @@
+{
+}
--- a/makefu/2configs/dcpp/hub.nix
+++ b/makefu/2configs/dcpp/hub.nix
@ -41,7 +41,6 @@ in {
  };

  systemd.services = {
-    redis.serviceConfig.LimitNOFILE=10032;
    ddclient-nsupdate-uhub = {
      wantedBy = [ "multi-user.target" ];
      after = [ "ip-up.target" ];
--- a/makefu/2configs/deployment/owncloud.nix
+++ b/makefu/2configs/deployment/owncloud.nix
@ -1,216 +1,80 @@
 { lib, pkgs, config, ... }:
 with lib;

-# imperative in config.php:
-# #local memcache:
-#     'memcache.local' => '\\OC\\Memcache\\APCu',
-# #local locking:
-#     'memcache.locking' => '\\OC\\Memcache\\Redis',
-#     'redis' =>
-#      array (
-#       'host' => 'localhost',
-#       'port' => 6379,
-#      ),
+# services.redis.enable = true;
+# to enable caching with redis first start up everything, then run:
+# nextcloud-occ config:system:set redis 'host' --value 'localhost' --type string
+# nextcloud-occ config:system:set redis 'port' --value 6379 --type integer
+# nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string
+# nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string

+# services.memcached.enable = true;
+# to enable caching with memcached run:
+# nextcloud-occ config:system:set memcached_servers 0 0 --value 127.0.0.1 --type string
+# nextcloud-occ config:system:set memcached_servers 0 1 --value 11211 --type integer
+# nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\APCu' --type string
+# nextcloud-occ config:system:set memcache.distributed --value '\OC\Memcache\Memcached' --type string

 let
-  phpPackage = let
-      base = pkgs.php74;
-    in
-      base.buildEnv {
-        extensions = { enabled, all }: with all;
-          enabled ++ [
-            apcu redis memcached imagick
-          ];
-      };
+  adminpw = "/run/secret/nextcloud-admin-pw";
+  dbpw = "/run/secret/nextcloud-db-pw";
+in {

-  # TODO: copy-paste from lass/2/websites/util.nix
-  nextcloud = pkgs.nextcloud20;
-  serveCloud = domains:
-    let
-      domain = head domains;
-      root = "/var/www/${domain}/";
-      socket = "/var/run/${domain}-phpfpm.sock";
-    in {
-      system.activationScripts."prepare-nextcloud-${domain}" = ''
-        if test ! -e ${root} ;then
-          echo "copying latest ${nextcloud.name} release to ${root}"
-          mkdir -p $(dirname "${root}")
-          cp -r  ${nextcloud} "${root}"
-          chown -R nginx:nginx "${root}"
-          chmod 770 "${root}"
-        fi
-      '';
-      services.nginx.virtualHosts."${domain}" = {
-        forceSSL = true;
-        enableACME = true;
-        serverAliases = domains;
-        extraConfig = ''
+  krebs.secret.files.nextcloud-db-pw = {
+    path = dbpw;
+    owner.name = "nextcloud";
+    source-path = toString <secrets> + "/nextcloud-db-pw";
+  };

-          # Add headers to serve security related headers
-          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
-          add_header X-Content-Type-Options nosniff;
-          add_header X-Frame-Options "SAMEORIGIN";
-          add_header X-XSS-Protection "1; mode=block";
-          add_header X-Robots-Tag none;
-          add_header X-Download-Options noopen;
-          add_header X-Permitted-Cross-Domain-Policies none;
+  krebs.secret.files.nextcloud-admin-pw = {
+    path = adminpw;
+    owner.name = "nextcloud";
+    source-path = toString <secrets> + "/nextcloud-admin-pw";
+  };

-          # Path to the root of your installation
-          root ${root};
-          # set max upload size
-          client_max_body_size 10G;
-          fastcgi_buffers 64 4K;
-          fastcgi_read_timeout 120;
+  services.nginx.virtualHosts."o.euer.krebsco.de" = {
+    forceSSL = true;
+    enableACME = true;
+  };
+  state = [ "${config.services.nextcloud.home}/config" ];
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud20;
+    hostName = "o.euer.krebsco.de";
+    # Use HTTPS for links
+    https = true;
+    # Auto-update Nextcloud Apps
+    autoUpdateApps.enable = true;
+    # Set what time makes sense for you
+    autoUpdateApps.startAt = "05:00:00";

-          # Disable gzip to avoid the removal of the ETag header
-          gzip off;
+    caching.redis = true;
+    # caching.memcached = true;
+    config = {
+      # Further forces Nextcloud to use HTTPS
+      overwriteProtocol = "https";

-          # Uncomment if your server is build with the ngx_pagespeed module
-          # This module is currently not supported.
-          #pagespeed off;
-
-          index index.php;
-          error_page 403 /core/templates/403.php;
-          error_page 404 /core/templates/404.php;
-
-          rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
-          rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
-
-          # The following 2 rules are only needed for the user_webfinger app.
-          # Uncomment it if you're planning to use this app.
-          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-        '';
-        locations."/robots.txt".extraConfig = ''
-          allow all;
-          log_not_found off;
-          access_log off;
-        '';
-        locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
-          deny all;
-        '';
-
-        locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig =  ''
-          deny all;
-        '';
-
-        locations."/".extraConfig = ''
-          rewrite ^/remote/(.*) /remote.php last;
-          rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-          try_files $uri $uri/ =404;
-        '';
-
-        locations."~ \.php(?:$|/)".extraConfig =  ''
-          fastcgi_split_path_info ^(.+\.php)(/.+)$;
-          include ${pkgs.nginx}/conf/fastcgi_params;
-          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-          fastcgi_param PATH_INFO $fastcgi_path_info;
-          fastcgi_param HTTPS on;
-          fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
-          fastcgi_pass unix:${config.services.phpfpm.pools.${domain}.socket};
-          fastcgi_intercept_errors on;
-        '';
-
-        # Adding the cache control header for js and css files
-        # Make sure it is BELOW the location ~ \.php(?:$|/) block
-        locations."~* \.(?:css|js)$".extraConfig = ''
-          add_header Cache-Control "public, max-age=7200";
-          # Add headers to serve security related headers
-          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
-          add_header X-Content-Type-Options nosniff;
-          add_header X-XSS-Protection "1; mode=block";
-          add_header X-Robots-Tag none;
-          add_header X-Frame-Options SAMEORIGIN;
-          add_header X-Download-Options noopen;
-          add_header X-Permitted-Cross-Domain-Policies none;
-
-          # Optional: Don't log access to assets
-          access_log off;
-        '';
-        # Optional: Don't log access to other assets
-        locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
-          access_log off;
-        '';
-      };
-      services.phpfpm.pools."${domain}" = {
-          user = "nginx";
-          group = "nginx";
-          phpPackage = phpPackage;
-          settings = {
-            "listen.owner" = "nginx";
-            "pm" = "dynamic";
-            "pm.max_children" = 32;
-            "pm.max_requests" = 500;
-            "pm.start_servers" = 2;
-            "pm.min_spare_servers" = 2;
-            "pm.max_spare_servers" = 5;
-            "php_admin_value[error_log]" = "stderr";
-            "php_admin_flag[log_errors]" = "on";
-            "catch_workers_output" = true;
-          };
-          phpEnv."PATH" = lib.makeBinPath [ phpPackage ];
-      };
-      services.phpfpm.phpOptions = ''
-        opcache.enable=1
-        opcache.enable_cli=1
-        opcache.interned_strings_buffer=8
-        opcache.max_accelerated_files=10000
-        opcache.memory_consumption=128
-        opcache.save_comments=1
-        opcache.revalidate_freq=1
-        opcache.file_cache = .opcache
-        zend_extension=${phpPackage}/lib/php/extensions/opcache.so
-
-        display_errors = on
-        display_startup_errors = on
-        always_populate_raw_post_data = -1
-        error_reporting = E_ALL | E_STRICT
-        html_errors = On
-        date.timezone = "Europe/Berlin"
-        extension=${phpPackage}/lib/php/extensions/memcached.so
-        extension=${phpPackage}/lib/php/extensions/redis.so
-        extension=${phpPackage}/lib/php/extensions/apcu.so
-        '';
-
-      systemd.services."nextcloud-cron-${domain}" = {
-        serviceConfig = {
-          User = "nginx";
-          ExecStart = "${phpPackage}/bin/php -f ${root}/cron.php";
-        };
-        startAt = "*:0/15";
-      };
+      # Nextcloud PostegreSQL database configuration, recommended over using SQLite
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+      dbname = "nextcloud";
+      dbpassFile = dbpw;
+      adminpassFile = adminpw;
+      adminuser = "admin";
    };
-in  {
-  imports = [
-    ( serveCloud [ "o.euer.krebsco.de" ] )
-  ];
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  };
  services.redis.enable = true;
+  systemd.services.redis.serviceConfig.LimitNOFILE=65536;
+  services.postgresql = {
+    enable = true;
+    # Ensure the database, user, and permissions always exist
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [ { name = "nextcloud"; ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; } ];
+  };

-  #services.mysql = {
-  #  enable = false;
-  #  package = pkgs.mariadb;
-  #  rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
-  #  initialDatabases = [
-  #    # Or use writeText instead of literalExample?
-  #    #{ name = "nextcloud"; schema = literalExample "./nextcloud.sql"; }
-  #    {
-  #      name = "nextcloud";
-  #      schema = pkgs.writeText "nextcloud.sql"
-  #      ''
-  #      create user if not exists 'nextcloud'@'localhost' identified by 'password';
-  #      grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by 'password';
-  #      '';
-  #    }
-  #  ];
-  #};
-
-  # dataDir is only defined after mysql is enabled
-  #krebs.secret.files.mysql_rootPassword = {
-  #  path = "${config.services.mysql.dataDir}/mysql_rootPassword";
-  #  owner.name = "root";
-  #  source-path = toString <secrets> + "/mysql_rootPassword";
-  #};
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
 }
--- a/makefu/2configs/nginx/dl.euer.krebsco.de.nix
+++ b/makefu/2configs/nginx/dl.euer.krebsco.de.nix
@ -1,9 +1,8 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
 {
  services.nginx = {
-    enable = mkDefault true;
+    enable = lib.mkDefault true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    virtualHosts."dl.euer.krebsco.de" = {
@ -13,5 +12,11 @@ with import <stockholm/lib>;
        enableACME = true;
        basicAuth = import <secrets/dl.euer.krebsco.de-auth.nix>;
    };
+    virtualHosts."dl.gum.r" = {
+        serverAliases = [ "dl.gum" "dl.makefu.r" "dl.makefu" ];
+        root = config.makefu.dl-dir;
+        extraConfig = "autoindex on;";
+        basicAuth = import <secrets/dl.gum-auth.nix>;
+    };
  };
 }
--- a/makefu/2configs/systemdultras/ircbot.nix
+++ b/makefu/2configs/systemdultras/ircbot.nix
@ -0,0 +1,24 @@
+{
+  krebs.brockman = {
+    enable = true;
+    config = {
+      irc = {
+        host = "irc.freenode.net";
+        port = 6667;
+      };
+      bots = {
+        r-systemdultras-rss = {
+          feed = "https://www.reddit.com/r/systemdultras/.rss";
+          delay = 136;
+          channels = [ "#systemdultras" ];
+        };
+        r-systemd-rss = {
+          feed = "https://www.reddit.com/r/systemd/.rss";
+          delay = 172;
+          channels = [ "#systemdultras" ];
+        };
+      };
+    };
+
+  };
+}