mastus: mail & git

mastus/configuration.nix

@@ -5,6 +5,9 @@
     [
       /etc/nixos/hardware-configuration.nix
       ../basic-tools.nix
+
+      ./mail.nix
+      ./gogs.nix
     ];
 
   boot.loader.grub.enable = true;
@@ -12,6 +15,7 @@
   boot.loader.grub.device = "/dev/vda";
 
   networking.hostName = "mastus"; # Define your hostname.
+  networking.enableIPv6 = true;
 
   # Select internationalisation properties.
   # i18n = {
@@ -33,4 +37,6 @@
   # The NixOS release to be compatible with for stateful data such as databases.
   system.stateVersion = "15.09";
 
+  services.nginx.enable = true;
+
 }

mastus/gitblit.nix

@@ -0,0 +1,77 @@
+{ config, pkgs, ... }:
+
+let
+  gitblitWar = pkgs.fetchurl {
+    url = "http://dl.bintray.com/gitblit/releases/gitblit-1.6.2.war";
+    sha256 = "01gqarpwqbx1ix5zycfxw4172q5l8hhxvb7f92y3lz8l6x42l7i9";
+  };
+
+  gitHome = "/srv/git.gebner.org";
+in
+{
+  containers.gitblit = {
+    config = { config, pkgs, ... }: {
+      users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; };
+      users.extraGroups.git = { };
+
+      systemd.services.createGitDir = {
+        wantedBy = [ "winstone-gitblit.service" ];
+        serviceConfig.Type = "oneshot";
+        script = ''
+          mkdir -p ${gitHome}
+          chown git:git -R ${gitHome}
+        '';
+      };
+
+      services.winstone.gitblit = {
+        user = "git";
+        group = "git";
+        warFile = "${gitblitWar}";
+        extraJavaOptions = [ "-DGITBLIT_HOME=${gitHome}" ];
+      };
+    };
+
+    privateNetwork = true;
+    hostAddress = "192.168.100.10";
+    localAddress = "192.168.101.10";
+  };
+
+  services.nginx.appendConfig = ''
+  http {
+    server {
+      listen [::]:80;
+      listen 80;
+      server_name git.gebner.org;
+
+      rewrite ^(.*) https://$host$1 permanent;
+    }
+
+    server {
+      listen [::]:443;
+      listen 443;
+      server_name git.gebner.org;
+
+      ssl on;
+      ssl_certificate_key /etc/sslcerts/mastus.key;
+      ssl_certificate /etc/sslcerts/git.cert;
+
+      location / {
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+        proxy_redirect off;
+        proxy_buffering off;
+        proxy_pass http://gitblit;
+        client_max_body_size 30M;
+        break;
+      }
+    }
+
+    upstream gitblit {
+      server 192.168.100.10:8080;
+    }
+  }
+  '';
+}

mastus/gogs.nix

@@ -0,0 +1,112 @@
+{ config, pkgs, ... }:
+let
+  gitHome = "/srv/git.gebner.org";
+
+  gogs = pkgs.callPackage ../pkgs/gogs.nix { };
+
+  gogsPort = 8001;
+  gogsConfig = pkgs.writeText "gogs.ini" ''
+APP_NAME = Gogs: Go Git Service
+RUN_USER = git
+RUN_MODE = prod
+
+[database]
+DB_TYPE = sqlite3
+HOST = 127.0.0.1:3306
+NAME = gogs
+USER = root
+PASSWD = 
+SSL_MODE = disable
+PATH = ${gitHome}/data/gogs.db
+
+[repository]
+ROOT = ${gitHome}/gogs-repositories
+
+[server]
+DOMAIN = git.gebner.org
+HTTP_PORT = ${toString gogsPort}
+ROOT_URL = https://git.gebner.org/
+DISABLE_SSH = false
+SSH_PORT = 22
+OFFLINE_MODE = true
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+
+[picture]
+DISABLE_GRAVATAR = false
+
+[session]
+PROVIDER = file
+
+[log]
+ROOT_PATH = ${gitHome}/logs
+MODE = file
+LEVEL = Info
+
+[security]
+INSTALL_LOCK = true
+'';
+in
+{
+  users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; };
+  users.extraGroups.git = { };
+
+  systemd.services.gogs = {
+    path = with pkgs; [ git openssh ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      Restart = "always";
+      User = "git";
+      Group = "git";
+      ExecStart = "${gogs}/gogs web -c ${gogsConfig}";
+      WorkingDirectory = gitHome;
+    };
+  };
+
+  services.nginx.appendConfig = ''
+  http {
+    server {
+      listen [::]:80;
+      listen 80;
+      server_name git.gebner.org;
+
+      rewrite ^(.*) https://$host$1 permanent;
+    }
+
+    server {
+      listen [::]:443;
+      listen 443;
+      server_name git.gebner.org;
+
+      ssl on;
+      ssl_certificate_key /etc/sslcerts/mastus.key;
+      ssl_certificate /etc/sslcerts/git.cert;
+
+      location / {
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+        proxy_redirect off;
+        proxy_buffering off;
+        proxy_pass http://gogs;
+        client_max_body_size 30M;
+        break;
+      }
+    }
+
+    upstream gogs {
+      server 127.0.0.1:${toString gogsPort};
+    }
+  }
+  '';
+}

mastus/mail.nix

@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+
+{
+  # services.opensmtpd = {
+  #   enable = true;
+  #   serverConfiguration = ''
+  #     listen on 0.0.0.0
+  #     filter sa spamassassin "-s accept"
+  #     accept for any deliver to lmtp localhost:24
+  #   '';
+  #   procPackages = [ pkgs.opensmtpd-extras ];
+  # };
+
+  services.postfix = {
+    enable = true;
+    postmasterAlias = "gebner";
+    rootAlias = "gebner";
+    extraAliases = ''
+      ge: gebner
+      cutintro: gebner
+    '';
+    sslCACert = "/etc/sslcerts/startssl.cert";
+    sslCert = "/etc/sslcerts/mail.cert";
+    sslKey = "/etc/sslcerts/mail-postfix.key";
+
+    extraConfig = ''
+      mailbox_command = ${pkgs.procmail}/bin/procmail
+    '';
+  };
+
+  services.dovecot2 = {
+    enable = true;
+    enablePop3 = false;
+    mailLocation = "maildir:~/mail";
+    sslCACert = "/etc/sslcerts/startssl.cert";
+    sslServerCert = "/etc/sslcerts/mail.cert";
+    sslServerKey = "/etc/sslcerts/mail-dovecot.key";
+  };
+
+  services.spamassassin.enable = true;
+  systemd.services.setupSpamassassin = {
+    wantedBy = [ "spamd.service" ];
+    after = [ "network.target" ];
+    path = [ pkgs.spamassassin ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = "yes";
+    };
+    script = ''
+      if [ ! -d /etc/spamassassin ]; then
+        cp -rv ${pkgs.spamassassin}/share/spamassassin /etc/
+        sa-update
+      fi
+    '';
+  };
+}

mastus/vmtest.nix

@@ -5,9 +5,76 @@ let
 
     users.extraUsers.gebner.password = "";
     users.users.root.password = "";
+
+    boot.enableContainers = true;
+
+    systemd.services.createSSLKeys = {
+      path = [ pkgs.easyrsa ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = "yes";
+      };
+      script = ''
+rm -rf /etc/sslcerts
+mkdir -p /etc/sslcerts/keys
+cd /etc/sslcerts
+
+# export PKCS11TOOL="pkcs11-tool"
+export KEY_CONFIG=`${pkgs.easyrsa}/share/easy-rsa/whichopensslcnf ${pkgs.easyrsa}/share/easy-rsa/`
+export KEY_DIR="$PWD/keys"
+
+# PKCS11 fixes
+# export PKCS11_MODULE_PATH="dummy"
+# export PKCS11_PIN="dummy"
+
+export KEY_SIZE=1024
+
+export CA_EXPIRE=3650
+export KEY_EXPIRE=3650
+
+export KEY_COUNTRY="AT"
+export KEY_PROVINCE="AT"
+export KEY_CITY="Vienna"
+export KEY_ORG="Gabriel"
+export KEY_EMAIL="testing@gebner.org"
+export KEY_CN=testing.gebner.org
+export KEY_NAME=testing.gebner.org
+export KEY_OU=testing
+# export PKCS11_MODULE_PATH=changeme
+# export PKCS11_PIN=1234
+
+clean-all
+build-dh
+pkitool --initca
+
+KEY_CN=git.gebner.org pkitool --server git
+KEY_CN=mail.gebner.org pkitool --server mail
+
+cp keys/ca.crt startssl.cert
+cp keys/mail.crt mail.cert
+cp keys/mail.key mail-postfix.key
+cp keys/mail.key mail-dovecot.key
+cp keys/git.crt git.cert
+cp keys/git.key mastus.key
+
+      '';
+    };
+
+    systemd.services.setupVM = rec {
+      wantedBy = [ "gogs.service" "dovecot2.service" ];
+      before = wantedBy;
+      wants = [ "createSSLKeys.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = "yes";
+      };
+      script = ''
+        mkdir -p /srv/git.gebner.org
+        chown git:git -R /srv/git.gebner.org
+      '';
+    };
   };
 
   nixos = import <nixpkgs/nixos> { configuration = configuration; };
 
-in
+in nixos.vm
-  nixos.vm

pkgs/gogs.nix

@@ -0,0 +1,21 @@
+{ nixpkgs ? import <nixpkgs> {} }: with nixpkgs;
+stdenv.mkDerivation rec {
+  name = "gogs-${version}";
+  version = "0.6.9";
+
+  src = fetchzip {
+    url = "https://github.com/gogits/gogs/releases/download/v${version}/linux_amd64.zip";
+    sha256 = "14aim9mww6ypz1y7n8x2vwbl98p6ga8l2z6b6ndmds5i6x3m3bxv";
+  };
+
+  buildPhase = ''
+    patchelf \
+      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+      --set-rpath ${pam}/lib \
+      gogs
+  '';
+
+  installPhase = ''
+    cp -ra ./ $out/
+  '';
+}