diff --git a/applications/pelican/nginx.nix b/applications/pelican/nginx.nix
index b1bb259..587db71 100644
--- a/applications/pelican/nginx.nix
+++ b/applications/pelican/nginx.nix
@@ -1,6 +1,10 @@
-{ lib, config, pkgs, ... }:
-with lib;
-let
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+with lib; let
 appUser = "nginx";
 name = "panel";
 module = "pelican-panel";
@@ -8,15 +12,14 @@ let
 serverName = "${name}.";
 dataDir = "/var/www/pelican/public";
 port = 443;
-in
-{
+in {
 options.modules.nginx.${name} = {
 enable = mkEnableOption "Enable ${name}";
 };
 config = mkIf cfg.enable {
 modules.${module}.enable = true;
- networking.firewall.allowedTCPPorts = [ port ];
+ networking.firewall.allowedTCPPorts = [port];
 services.phpfpm.pools.${appUser} = {
 user = appUser;
@@ -36,7 +39,13 @@ in
 services.nginx.virtualHosts."${serverName}" = {
 root = "${dataDir}";
- listen = [{ inherit port; addr="0.0.0.0"; ssl=true; }];
+ listen = [
+ {
+ inherit port;
+ addr = "0.0.0.0";
+ ssl = true;
+ }
+ ];
 forceSSL = true;
 enableACME = true;
@@ -71,7 +80,7 @@ in
 extraConfig = ''
 try_files $uri $uri/ /index.php?$query_string;
 '';
- };
+ };
 "/favicon.ico".extraConfig = ''
 access_log off;
@@ -83,7 +92,7 @@ in
 log_not_found off;
 '';
- "~ \\.php$" = {
+ "~ \\.php$" = {
 extraConfig = ''
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_pass unix:${config.services.phpfpm.pools.${appUser}.socket};
@@ -107,4 +116,4 @@ in
 };
 };
 };
-}
\ No newline at end of file
+}
diff --git a/applications/pelican/panel/pelican-install.nix b/applications/pelican/pelican-panel-install.nix
similarity index 93%
rename from applications/pelican/panel/pelican-install.nix
rename to applications/pelican/pelican-panel-install.nix
index 75e3f53..da372e4 100644
--- a/applications/pelican/panel/pelican-install.nix
+++ b/applications/pelican/pelican-panel-install.nix
@@ -1,5 +1,7 @@
-{ pkgs, dir }:
-
+{
+ pkgs,
+ dir,
+}:
 pkgs.writeShellScriptBin "pelican-install" ''
 DIR=${dir}
@@ -22,7 +24,7 @@ pkgs.writeShellScriptBin "pelican-install" ''
 echo "Setting permissions ..."
 chmod -R 755 storage/* bootstrap/cache/
- chown -R nginx:nginx $DIR
+ chown -R nginx:acme $DIR
 echo "Pelican panel installed successfully"
-''
\ No newline at end of file
+''
diff --git a/applications/pelican/panel/pelican-update.nix b/applications/pelican/pelican-panel-update.nix
similarity index 95%
rename from applications/pelican/panel/pelican-update.nix
rename to applications/pelican/pelican-panel-update.nix
index d359d44..a159659 100644
--- a/applications/pelican/panel/pelican-update.nix
+++ b/applications/pelican/pelican-panel-update.nix
@@ -1,5 +1,7 @@
-{ pkgs, dir }:
-
+{
+ pkgs,
+ dir,
+}:
 pkgs.writeShellScriptBin "pelican-update" ''
 DIR=${dir}
@@ -34,7 +36,7 @@ pkgs.writeShellScriptBin "pelican-update" ''
 php artisan migrate --seed --force
 echo "Setting permissions ..."
- chown -R nginx:nginx $DIR
+ chown -R nginx:acme $DIR
 echo "Restart Pelican queue service ..."
 systemctl restart pelican-queue.service
@@ -43,4 +45,4 @@ pkgs.writeShellScriptBin "pelican-update" ''
 php artisan up
 echo "Pelican panel updated successfully"
-''
\ No newline at end of file
+''
diff --git a/applications/pelican/wings/package.nix b/applications/pelican/pelican-wing-package.nix
similarity index 73%
rename from applications/pelican/wings/package.nix
rename to applications/pelican/pelican-wing-package.nix
index fa483e9..088ed4f 100644
--- a/applications/pelican/wings/package.nix
+++ b/applications/pelican/pelican-wing-package.nix
@@ -1,5 +1,10 @@
-{ stdenv, lib, fetchurl, docker, gnutar }:
-
+{
+ stdenv,
+ lib,
+ fetchurl,
+ docker,
+ gnutar,
+}:
 stdenv.mkDerivation rec {
 pname = "pelican-wings";
 version = "v1.0.0-beta6";
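Review bot: `chown -R nginx:acme $DIR` hands group ownership of the whole panel tree — presumably including the panel's `.env`, which carries the app key and database credentials — to the `acme` group, so anything running under that group (the ACME client) can read those files if they are group-readable, and the `chmod -R 755 storage/*` two lines above already leaves storage (logs, sessions, cache) readable by every local user. The intent is not stated; if it is meant to let the web server read the ACME certificate, the dependency points the other way — the nginx user needs membership in the certificate's group, not the webroot owned by it — and the same change is repeated in pelican-update.nix below. I would keep `chown -R nginx:nginx "$DIR"` (quoting `$DIR`, which is unquoted on both lines), tighten the secret file with `chmod 640 "$DIR/.env"`, and add a comment explaining the group if it really must change. The script body continues outside the hunk.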
@@ -9,11 +14,11 @@ stdenv.mkDerivation rec {
 hash = "sha256-a2T4BjqS8Hy5YqwDEJpbvGqqsrVjdRhxvJLgk3MCXag=";
 };
- buildInputs = [ docker gnutar ];
+ buildInputs = [docker gnutar];
- phases = [ "installPhase" ];
+ phases = ["installPhase"];
 installPhase = ''
 install -D $src $out/bin/wings
 '';
-}
\ No newline at end of file
+}
diff --git a/applications/pelican/pelican.nix b/applications/pelican/pelican.nix
new file mode 100644
index 0000000..395f155
--- /dev/null
+++ b/applications/pelican/pelican.nix
@@ -0,0 +1,244 @@
+{
+ inputs,
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+with lib; let
+ name = "pelican";
+ cfg = config.services.skynet."${name}";
+ php_pool = name;
+ domain_panel = "${cfg.panel.domain.sub}.${cfg.panel.domain.base}.${cfg.panel.domain.tld}";
+in {
+ imports = [
+ ];
+
+ options.services.skynet."${name}" = {
+ panel = {
+ enable = mkEnableOption "Pelican Panel";
+
+ dir = mkOption {
+ type = types.str;
+ default = "/var/www/pelican";
+ };
+
+ domain = {
+ tld = mkOption {
+ type = types.str;
+ default = "ie";
+ };
+
+ base = mkOption {
+ type = types.str;
+ default = "skynet";
+ };
+
+ sub = mkOption {
+ type = types.str;
+ #default = name;
+ default = "panel-test";
+ };
+ };
+ };
+
+ wing = {
+ enable = mkEnableOption "Pelican Wing";
+ };
+ };
+
+ config = mkMerge [
+ (mkIf cfg.panel.enable {
+ services.skynet.acme.domains = [
+ domain_panel
+ ];
+
+ # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
+ services.skynet.dns.records = [
+ {
+ record = cfg.panel.domain.sub;
+ r_type = "CNAME";
+ value = config.services.skynet.host.name;
+ }
+ ];
+
+ environment.systemPackages = let
+ dir = cfg.panel.dir;
+ in [
+ pkgs.curl
+ pkgs.gnutar
+ pkgs.unzip
+ pkgs.php83
+ pkgs.php83Packages.composer
+ pkgs.php83Extensions.gd
+ pkgs.php83Extensions.mysqli
+ pkgs.php83Extensions.mbstring
+ pkgs.php83Extensions.bcmath
+ pkgs.php83Extensions.xml
+ pkgs.php83Extensions.curl
+ pkgs.php83Extensions.zip
+ pkgs.php83Extensions.intl
+ pkgs.php83Extensions.sqlite3
+ (import ./pelican-panel-install.nix {
+ inherit pkgs;
+ inherit dir;
+ })
+ (import ./pelican-panel-update.nix {
+ inherit pkgs;
+ inherit dir;
+ })
+ ];
+
+ systemd.timers."pelican-cron" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "5m";
+ OnUnitActiveSec = "1m";
+ Unit = "pelican-cron.service";
+ };
+ };
+
+ systemd.services."pelican-cron" = {
+ script = ''
+ ${pkgs.php83}/bin/php ${cfg.panel.dir}/artisan schedule:run >> /dev/null 2>&1
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
+
+ systemd.services.pelican-queue = {
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ User = config.services.nginx.user;
+ Group = config.services.nginx.group;
+ Restart = "always";
+ ExecStart = "${pkgs.php83}/bin/php -q ${cfg.panel.dir}/artisan queue:work --tries=3";
+ startLimitInterval = 180;
+ startLimitBurst = 30;
+ RestartSec = "5";
+ };
+ };
+
+ services.phpfpm.pools.${php_pool} = {
+ user = config.services.nginx.user;
+ group = config.services.nginx.group;
+ settings = {
+ "listen.owner" = config.services.nginx.user;
+ "listen.group" = config.services.nginx.group;
+ "listen.mode" = "0600";
+ "pm" = "dynamic";
+ "pm.max_children" = 75;
+ "pm.start_servers" = 10;
+ "pm.min_spare_servers" = 5;
+ "pm.max_spare_servers" = 20;
+ "pm.max_requests" = 500;
+ "catch_workers_output" = 1;
+ };
+ };
+
+ services.nginx.virtualHosts."${domain_panel}" = {
+ root = "${cfg.panel.dir}/public";
+
+ forceSSL = true;
+ useACMEHost = "skynet";
+
+ extraConfig = ''
+ index index.html index.htm index.php;
+ charset utf-8;
+
+ access_log off;
+ error_log /var/log/nginx/pelican.app-error.log error;
+
+ client_max_body_size 100m;
+ client_body_timeout 120s;
+
+ sendfile off;
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ ssl_prefer_server_ciphers on;
+
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header Content-Security-Policy "frame-ancestors 'self'";
+ add_header X-Frame-Options DENY;
+ add_header Referrer-Policy same-origin;
+ '';
+
+ locations = {
+ "/" = {
+ extraConfig = ''
+ try_files $uri $uri/ /index.php?$query_string;
+ '';
+ };
+
+ "/favicon.ico".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ '';
+
+ "/robots.txt".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ '';
+
+ "~ \\.php$" = {
+ extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};
+ fastcgi_index index.php;
+ include ${config.services.nginx.package}/conf/fastcgi_params;
+ fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param HTTP_PROXY "";
+ fastcgi_intercept_errors off;
+ fastcgi_buffer_size 16k;
+ fastcgi_buffers 4 16k;
+ fastcgi_connect_timeout 300;
+ fastcgi_send_timeout 300;
+ fastcgi_read_timeout 300;
+ '';
+ };
+
+ "~ /\\.ht".extraConfig = ''
+ deny all;
+ '';
+ };
+ };
+ })
+
+ (mkIf cfg.wing.enable {
+ networking.firewall.allowedTCPPorts = [8080 8443];
+
+ virtualisation.docker.enable = true;
+
+ environment.systemPackages = [
+ (pkgs.callPackage ./pelican-wing-package.nix {})
+ ];
+
+ systemd.services.pelican-wings = {
+ description = "Wings Daemon";
+ after = ["docker.service"];
+ requires = ["docker.service"];
+ partOf = ["docker.service"];
+
+ serviceConfig = {
+ User = "root";
+ WorkingDirectory = "/etc/pelican";
+ LimitNOFILE = 4096;
+ PIDFile = "/var/run/wings/daemon.pid";
+ ExecStart = "/run/current-system/sw/bin/wings";
+ Restart = "on-failure";
+ startLimitInterval = 180;
+ startLimitBurst = 30;
+ RestartSec = "5";
+ };
+
+ wantedBy = ["multi-user.target"];
+ };
+ })
+ ];
+}
diff --git a/flake.nix b/flake.nix
index 6ae4c98..bf876fe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -148,6 +148,10 @@
 # metrics
 ariia = import ./machines/ariia.nix;
+
+
+ # games server - panel/host
+ optimus = import ./machines/optimus.nix;
 };
 };
 }
diff --git a/machines/retired/optimus.nix b/machines/optimus.nix
similarity index 79%
rename from machines/retired/optimus.nix
rename to machines/optimus.nix
index 6f36726..e766795 100644
--- a/machines/retired/optimus.nix
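Review bot: `systemd.services."pelican-cron"` sets no `User`/`Group`, so the timer runs `php ${cfg.panel.dir}/artisan schedule:run` as root every minute against a tree the install script chowns to the nginx user and that PHP-FPM (pool user `config.services.nginx.user`) can write to; anything that gains write access through the web process gets code run as root on the next tick. `pelican-queue` in the same file already runs as the nginx user — mirror it: `serviceConfig = { Type = "oneshot"; User = config.services.nginx.user; Group = config.services.nginx.group; };`. Separately, `startLimitInterval`/`startLimitBurst` inside `serviceConfig` (in both pelican-queue and pelican-wings) are not [Service] keys as written — systemd key names are case-sensitive and these should be logged as unknown and ignored — so the intended limits never apply; the NixOS options are `startLimitIntervalSec`/`startLimitBurst` on the service itself. With `forceSSL = true` the vhost also sends no `Strict-Transport-Security`; `add_header Strict-Transport-Security "max-age=63072000" always;` next to the other headers would close that, and `X-XSS-Protection "1; mode=block"` is an obsolete header whose current recommended value is `0`.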
+++ b/machines/optimus.nix
@@ -16,8 +16,8 @@ Notes:
 ...
 }: let
 # name of the server, sets teh hostname and record for it
- name = "optimus";
- ip_pub = "193.1.99.112";
+ name = "optimus-test";
+ ip_pub = "193.1.99.85";
 hostname = "${name}.skynet.ie";
 host = {
 ip = ip_pub;
@@ -26,7 +26,7 @@ Notes:
 };
 in {
 imports = [
- ../applications/games.nix
+ ../applications/pelican/pelican.nix
 ];
 deployment = {
@@ -39,7 +39,7 @@ in {
 services.skynet = {
 host = host;
- backup.enable = true;
- games.enable = true;
+ #backup.enable = true;
+ pelican.panel.enable = true;
 };
 }
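Review bot: `#backup.enable = true;` in the last hunk silently turns off backups for a host that now carries a stateful panel under `/var/www/pelican` (the module's default `dir`), and leaves a commented-out line rather than a recorded decision. If the test host deliberately has nothing to back up yet, say so explicitly, e.g. `backup.enable = false; # test host; re-enable before the panel holds real data`, so the omission is not carried over when `optimus-test` becomes `optimus` (the `#default = name;` left in pelican.nix suggests that rename is planned).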