diff --git a/Taskfile b/Taskfile
index 8fde074..2b78a26 100755
--- a/Taskfile
+++ b/Taskfile
@@ -34,7 +34,7 @@ get-ip() {
 deploy() {
 ip=$(get-ip "$1")
- nix-shell -p '(nixos{}).nixos-rebuild' --run \
+ TMPDIR=/tmp nix-shell -p '(nixos{}).nixos-rebuild' --run \
 'nixos-rebuild switch --flake .#'"$1"' --target-host admin@"'"$ip"'" --use-remote-sudo'
 }
diff --git a/flake.lock b/flake.lock
index 0932dd6..51b517f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1770172907,
- "narHash": "sha256-rqYl9B+4shcM5b6OYjT+qdsdQNJ7SY64/xcPIb96NzU=",
+ "lastModified": 1770520993,
+ "narHash": "sha256-ks1ZFBYlBmQ4CAM4WSmCFUtkUJzbmJ0VJH/JkKVMPqY=",
 "owner": "Infinidoge",
 "repo": "nix-minecraft",
- "rev": "8958a5a4259e1aebf4916823bf463faaf2538566",
+ "rev": "b32f4325880b4fac47b8736161a8f032dd248b70",
 "type": "github"
 },
 "original": {
@@ -54,16 +54,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1767313136,
- "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
+ "lastModified": 1770464364,
+ "narHash": "sha256-z5NJPSBwsLf/OfD8WTmh79tlSU8XgIbwmk6qB1/TFzY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
+ "rev": "23d72dabcb3b12469f57b37170fcbc1789bd7457",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-25.05",
+ "ref": "nixos-25.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 6b8206e..3278dc6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 {
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 nix-minecraft.url = "github:Infinidoge/nix-minecraft";
 };
@@ -31,6 +31,7 @@ outputs = { self, nixpkgs, ... }@inputs:
 homelab = nixos-vma ./vm-homelab.nix;
 metrics = nixos-lxc ./lxc-metrics.nix;
 forge-runner = nixos-lxc ./lxc-forge-runner.nix;
+ ergo = nixos-lxc ./lxc-ergo.nix;
 };
 packages.${system} = {
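Review bot: The new `TMPDIR=/tmp` prefix on the nix-shell line in `deploy()` is unexplained; a reader cannot tell from the Taskfile why the default temporary directory is unsuitable, nor whether the override is meant only for the local nix-shell build or also for the nixos-rebuild it runs. Add a one-line comment above it, e.g. `# TMPDIR=/tmp: <reason the default temp dir is unsuitable>`, with the placeholder filled in. `/tmp` is a shared, world-writable location, so stating the reason also documents that this trade-off was deliberate.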
@@ -38,6 +39,7 @@ outputs = { self, nixpkgs, ... }@inputs:
 homelab = image "homelab";
 metrics = lxc "metrics";
 forge-runner = lxc "forge-runner";
+ ergo = lxc "ergo";
 };
 };
 }
diff --git a/lxc-ergo.nix b/lxc-ergo.nix
new file mode 100644
index 0000000..6e98ca7
--- /dev/null
+++ b/lxc-ergo.nix
@@ -0,0 +1,132 @@
+{
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ imports = [
+ ./lxc-base.nix
+ ];
+
+ config = {
+ my.vm = {
+ name = "ergo01";
+ ip4 = "192.168.0.8";
+ };
+
+ environment.systemPackages = with pkgs; [
+ certbot
+ ];
+
+ networking.firewall.trustedInterfaces = [ "br-+" ];
+ networking.firewall.allowedTCPPorts = [
+ 6667
+ 6697
+ 443
+ 80
+ ];
+
+ virtualisation.docker = {
+ enable = true;
+ daemon.settings = {
+ fixed-cidr-v6 = "fd00::/80";
+ ipv6 = true;
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin+acme@dukeceph.xyz";
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."irc.dukeceph.xyz" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/webirc" = {
+ proxyPass = "http://unix:/run/ergo/websocket";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 10m;
+ '';
+ };
+ };
+ };
+
+ users.groups."ergo" = {};
+ users.users."ergo" = {
+ group = "ergo";
+ isSystemUser = true;
+ };
+
+ services.ergochat = {
+ enable = true;
+ settings = {
+ network = {
+ name = "dukeceph.xyz";
+ };
+ server = {
+ name = "dukeceph.xyz";
+ enforce-utf8 = true;
+ ip-cloaking = {
+ enabled = true;
+ netname = "dukeceph.xyz";
+ };
+ listeners = {
+ ":6697" = {
+ tls = {
+ cert = "/etc/letsencrypt/live/irc.dukeceph.xyz/fullchain.pem";
+ key = "/etc/letsencrypt/live/irc.dukeceph.xyz/privkey.pem";
+ };
+ };
+ };
+ };
+ oper-classes = {
+ chat-moderator = {
+ title = "Chat Moderator";
+ capabilities = [
+ "kill" # disconnect user sessions
+ "ban" # ban IPs, CIDRs, NUH masks, and suspend accounts (UBAN / DLINE / KLINE)
+ "nofakelag" # exempted from "fakelag" restrictions on rate of message sending
+ "relaymsg" # use RELAYMSG in any channel (see the `relaymsg` config block)
+ "vhosts" # add and remove vhosts from users
+ "sajoin" # join arbitrary channels, including private channels
+ "samode" # modify arbitrary channel and user modes
+ "snomasks" # subscribe to arbitrary server notice masks
+ "roleplay" # use the (deprecated) roleplay commands in any channel
+ ];
+ };
+ server-admin = {
+ title = "Server Admin";
+ extends = "chat-moderator";
+ capabilities = [
+ "rehash" # rehash the server, i.e. reload the config at runtime
+ "accreg" # modify arbitrary account registrations
+ "chanreg" # modify arbitrary channel registrations
+ "history" # modify or delete history messages
+ "defcon" # use the DEFCON command (restrict server capabilities)
+ "massmessage" # message all users on the server
+ "metadata" # modify arbitrary metadata on channels and users
+ ];
+ };
+ };
+ opers = {
+ duke = {
+ class = "server-admin";
+ whois-line = "is the server administrator";
+ password = "$2a$04$eEXmtfM76.qp3D7kJna7k.dF7xeeACwvxwxUM4.ysW5Kndk/S.drG";
+ };
+ };
+ };
+ };
+ systemd.services.ergochat.serviceConfig.DynamicUser = lib.mkForce false;
+ systemd.services.ergochat.serviceConfig.User = "ergo";
+ systemd.services.ergochat.serviceConfig.Group = "ergo";
+ };
+}
diff --git a/vm-homelab.nix b/vm-homelab.nix
index 7fdd341..2de8bc4 100644
--- a/vm-homelab.nix
+++ b/vm-homelab.nix
@@ -26,6 +26,10 @@ in
 services.caddy = {
 enable = true;
 virtualHosts = {
+ "dukeceph.xyz".extraConfig = ''
+ root * /mnt/nfs/public
+ file_server browse
+ '';
 "feed.rperce.net".extraConfig = ''
 reverse_proxy http://192.168.0.5:8080
 '';
@@ -70,6 +74,12 @@ in
 "grist.rperce.net".extraConfig = ''
 reverse_proxy http://192.168.0.2:8484
 '';
+ "irc.dukeceph.xyz".extraConfig = ''
+ reverse_proxy 192.168.0.8
+ '';
+ "irc.dukeceph.xyz/webirc".extraConfig = ''
+ reverse_proxy 192.168.0.8:8067
+ '';
 };
 };
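Review bot: The `:6697` listener reads its certificate from `/etc/letsencrypt/live/irc.dukeceph.xyz/` (a certbot layout; `certbot` is installed but nothing here runs it), while the nginx vhost for the same name obtains its certificate through `enableACME = true`, so two ACME clients would manage one name, and because `DynamicUser` is forced off and the service runs as the `ergo` user, that user presumably cannot read certbot's `privkey.pem` without an out-of-band permission change; no reload of ergochat on renewal is configured either. Point the listener at the `security.acme` output directory `/var/lib/acme/irc.dukeceph.xyz/`, give `ergo` read access to it, and reload the service on renewal, as sketched below. Separately, nginx proxies `/webirc` to `unix:/run/ergo/websocket`, but no websocket listener is declared under `settings.server.listeners`, so that upstream does not exist as configured. The oper hash for `duke` uses bcrypt cost `04` (the `$2a$04$` prefix), the lowest work factor; regenerate it with a higher cost before relying on it for the `server-admin` class. `networking.firewall.trustedInterfaces = [ "br-+" ]` also exempts every Docker bridge network from the firewall, which is wider than the published port list suggests and deserves a comment if intended.
```nix
users.users."ergo" = {
  group = "ergo";
  isSystemUser = true;
  # enableACME creates the cert for the nginx vhost with group nginx; let ergo read it
  extraGroups = [ "nginx" ];
};
security.acme.certs."irc.dukeceph.xyz".reloadServices = [ "ergochat.service" ];
# … unchanged: services.nginx, network, ip-cloaking, oper-classes, opers …
listeners = {
  ":6697".tls = {
    cert = "/var/lib/acme/irc.dukeceph.xyz/fullchain.pem";
    key = "/var/lib/acme/irc.dukeceph.xyz/key.pem";
  };
};
```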
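Review bot: The new `dukeceph.xyz` site serves `/mnt/nfs/public` with `file_server browse`, which publishes a directory listing of everything under that NFS mount to the internet, and nothing in the commit records what lives there or that only public content is mounted at that path. Add a comment stating that intent and the mount it relies on, e.g. `# public NFS export; directory listing is intentional`, and consider a `hide` subdirective on `file_server` if the export may contain dotfiles or other files not meant to be listed.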
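Review bot: The `irc.dukeceph.xyz/webirc` site proxies to `192.168.0.8:8067`, but the ergo host added in this commit neither declares a listener on 8067 nor opens that port in `networking.firewall.allowedTCPPorts` (only 6667, 6697, 443 and 80); its nginx serves `/webirc` on the same host that the preceding `irc.dukeceph.xyz` block already forwards to. As written the websocket route presumably cannot connect; either drop the second block, since the first one already forwards every path of that host, or declare a matching `:8067` websocket listener and firewall rule on the ergo side. Note also that `reverse_proxy 192.168.0.8` sends plaintext to port 80 of a vhost configured with `addSSL`/`enableACME`, so TLS is terminated at Caddy and the inner certificate is only used on the ACME challenge path; a comment saying so would save the next reader the same question.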