diff --git a/configuration.nix b/configuration.nix index 8d2c65e..7b1a415 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,6 +1,6 @@ { lib, config, inputs, pkgs, ... }: let - root_host = "grimmauld.de"; + inherit (config.networking) domain; in { imports = [ ./hardware-configuration.nix @@ -31,7 +31,6 @@ in { extraGroups = [ "wheel" "docker" ]; shell = pkgs.xonsh; packages = with pkgs; [ - hyfetch ]; openssh.authorizedKeys.keys = (import ./authorizedKeys.nix); }; @@ -39,6 +38,7 @@ in { programs.xonsh.enable = true; environment.systemPackages = with pkgs; [ wget + hyfetch vulnix tree file @@ -74,12 +74,12 @@ in { recommendedTlsSettings = true; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - virtualHosts."${root_host}" = { + virtualHosts."${domain}" = { forceSSL = true; enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies - useACMEHost = root_host; + useACMEHost = domain; locations."/" = { - root = "/var/www/${root_host}"; + root = "/var/www/${domain}"; }; }; }; @@ -91,7 +91,7 @@ in { system.stateVersion = "unstable"; zramSwap.enable = true; networking.hostName = "grimmauld-nixos-server"; - networking.domain = ""; + networking.domain = "grimmauld.de"; services.openssh.enable = true; # users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix); } diff --git a/flake.nix b/flake.nix index 55ba558..05173c1 100644 --- a/flake.nix +++ b/flake.nix @@ -41,7 +41,6 @@ ./modules/email.nix ./modules/discord-matrix-bridge.nix ./modules/mastodon.nix -# ./modules/folding.nix ./modules/toolchains.nix # ./modules/ptero.nix agenix.nixosModules.default diff --git a/modules/discord-matrix-bridge.nix b/modules/discord-matrix-bridge.nix index edb26fc..a854fe4 100644 --- a/modules/discord-matrix-bridge.nix +++ b/modules/discord-matrix-bridge.nix 
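Review bot: Nothing guards `networking.domain` now that it names every ACME certificate, nginx virtual host, mail domain and Matrix server (the @@ -91 hunk of configuration.nix sets it, every other module in this commit reads it), so a future empty-string value would silently yield `certs.""` and `virtualHosts.""` rather than an evaluation error; only `null`, the option's upstream default, fails loudly when interpolated. Add an assertion next to the new definition: `assertions = [ { assertion = config.networking.domain != null && config.networking.domain != ""; message = "networking.domain must be set: it names the ACME cert, nginx vhosts, mail and matrix domains"; } ];`. The same value now also sets the host's FQDN, so the machine's own naming and the public service apex can no longer be changed independently; that looks intended, but a one-line comment on the `networking.domain = "grimmauld.de";` line saying so would save the next editor a surprise.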
@@ -1,5 +1,4 @@ { config, lib, pkgs, ...}: let - root_host = "grimmauld.de"; bridge_port = 9005; # netstat -nlp | grep 9005 in { nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: { @@ -27,8 +26,8 @@ in { }; bridge = { enableSelfServiceBridging = true; - domain = root_host; - homeserverUrl = "https://${root_host}"; + inherit (config.networking) domain; + homeserverUrl = "https://${config.networking.domain}"; disablePresence = true; disableTypingNotifications = true; }; diff --git a/modules/email.nix b/modules/email.nix index ed4c2bf..fd791eb 100644 --- a/modules/email.nix +++ b/modules/email.nix @@ -1,27 +1,27 @@ -{ ... }: +{ config, ... }: let - root_host = "grimmauld.de"; - mail_host = "mail.${root_host}"; + inherit (config.networking) domain; + mail_host = "mail.${domain}"; in { - security.acme.certs."${root_host}".extraDomainNames = [ mail_host ]; + security.acme.certs."${domain}".extraDomainNames = [ mail_host ]; # services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason mailserver = { enable = true; fqdn = mail_host; - domains = [ root_host ]; + domains = [ domain ]; # A list of all login accounts. To create the password hashes, use # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' loginAccounts = { - "contact@${root_host}" = { + "contact@${domain}" = { hashedPasswordFile = ./mailpass/contact; - aliases = ["kontakt@${root_host}"]; + aliases = ["kontakt@${domain}"]; }; - "admin@${root_host}" = { + "admin@${domain}" = { hashedPasswordFile = ./mailpass/admin; }; - "grimmauld@${root_host}" = { + "grimmauld@${domain}" = { hashedPasswordFile = ./mailpass/grimmauld; }; }; 
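Review bot: discord-matrix-bridge.nix is the only module in this commit that removes `root_host` without binding `domain` in its `let`, so the @@ -27 hunk spells out `config.networking.domain` inline for `homeserverUrl` while `inherit (config.networking) domain;` inside the `bridge` block relies on the bridge option happening to be named `domain`. For consistency with the other modules, bind it once in the `let` of the first hunk (`inherit (config.networking) domain;`) and then write `inherit domain;` and `homeserverUrl = "https://${domain}";` in the `bridge` block. The module attribute set both hunks belong to continues outside the hunk.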
@@ -29,8 +29,8 @@ in { # Use Let's Encrypt certificates. Note that this needs to set up a stripped # down nginx and opens port 80. certificateScheme = "manual"; - certificateFile = "/var/lib/acme/${root_host}/fullchain.pem"; - keyFile = "/var/lib/acme/${root_host}/key.pem"; + certificateFile = "/var/lib/acme/${domain}/fullchain.pem"; + keyFile = "/var/lib/acme/${domain}/key.pem"; }; services.nginx = { @@ -38,9 +38,9 @@ in { virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P serverName = mail_host; forceSSL = true; - useACMEHost = root_host; + useACMEHost = domain; locations."/" = { - return = "307 https://${root_host}"; + return = "307 https://${domain}"; }; }; }; diff --git a/modules/folding.nix b/modules/folding.nix deleted file mode 100644 index f3689fb..0000000 --- a/modules/folding.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ pkgs, stable, ... }: let - inherit (pkgs) fetchurl; -in { - nixpkgs.overlays = [ (final: prev: { - fahclient = prev.pkgs.callPackage (fetchurl { - url = "https://raw.githubusercontent.com/NixOS/nixpkgs/e655eb33b2e83aebf39b30535e8990e45e27588b/pkgs/applications/science/misc/foldingathome/client.nix"; - hash = "sha256-LPFWAubPvmCuO25DE3MZ1JCk4MtHA7uhEKdpsAtkbsI="; - }) {}; - })]; - services.foldingathome = { - enable = true; - daemonNiceLevel = 19; - user = "Grimmauld"; - package = pkgs.fahclient; - }; - environment.systemPackages = with pkgs; [ fahclient ]; -} diff --git a/modules/gitea.nix b/modules/gitea.nix index 0e62f51..0b1a4ee 100644 --- a/modules/gitea.nix +++ b/modules/gitea.nix @@ -1,7 +1,7 @@ { lib, config, inputs, pkgs, ... }: let - root_host = "grimmauld.de"; - gitea_host = "git.${root_host}"; + inherit (config.networking) domain; + gitea_host = "git.${domain}"; gitea_port = 8081; gitea_ssh_port = 2222; in { 
@@ -13,7 +13,7 @@ in { HTTP_PORT = gitea_port; ROOT_URL = "https://${gitea_host}/"; DISABLE_SSH = false; - SSH_DOMAIN = root_host; + SSH_DOMAIN = domain; START_SSH_SERVER = true; BUILTIN_SSH_SERVER_USER = "git"; SSH_PORT = gitea_ssh_port; @@ -28,7 +28,7 @@ in { }; - security.acme.certs."${root_host}".extraDomainNames = [ gitea_host]; + security.acme.certs."${domain}".extraDomainNames = [ gitea_host]; networking.firewall.allowedTCPPorts = [ gitea_ssh_port ]; services.nginx = { @@ -36,7 +36,7 @@ in { virtualHosts."${gitea_host}" = { serverName = gitea_host; forceSSL = true; - useACMEHost = root_host; + useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"; }; diff --git a/modules/grafana.nix b/modules/grafana.nix index b4ce900..628c142 100644 --- a/modules/grafana.nix +++ b/modules/grafana.nix @@ -1,7 +1,7 @@ { config, ... }: let - root_host = "grimmauld.de"; - grafana_host = "grafana.${root_host}"; + inherit (config.networking) domain; + grafana_host = "grafana.${domain}"; grafana_port = 8082; in { age.secrets.grafana_admin_pass = { @@ -11,13 +11,13 @@ in { mode = "0600"; }; - security.acme.certs."${root_host}".extraDomainNames = [ grafana_host ]; + security.acme.certs."${domain}".extraDomainNames = [ grafana_host ]; services.grafana = { enable = true; settings = { security = { admin_user = "admin"; - admin_email = "admin@${root_host}"; + admin_email = "admin@${domain}"; admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}"; }; server = { @@ -33,7 +33,7 @@ in { virtualHosts."${grafana_host}" = { serverName = grafana_host; forceSSL = true; - useACMEHost = root_host; + useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}"; proxyWebsockets = true; diff --git a/modules/letsencrypt.nix b/modules/letsencrypt.nix index c1e5dc7..56113c3 100644 --- a/modules/letsencrypt.nix 
+++ b/modules/letsencrypt.nix @@ -1,12 +1,12 @@ { lib, config, inputs, pkgs, ... }: let - root_host = "grimmauld.de"; - root_email = "contact@${root_host}"; + inherit (config.networking) domain; + root_email = "contact@${domain}"; in { security.acme = { acceptTerms = true; defaults.email = root_email; - certs."${root_host}" = { + certs."${domain}" = { webroot = "/var/lib/acme/acme-challenge/"; }; }; diff --git a/modules/mastodon.nix b/modules/mastodon.nix index 7035e14..04888cd 100644 --- a/modules/mastodon.nix +++ b/modules/mastodon.nix @@ -1,16 +1,16 @@ { config, ... } : let - root_host = "grimmauld.de"; - mastodon_host = "mastodon.${root_host}"; + inherit (config.networking) domain; + mastodon_host = "mastodon.${domain}"; in { - security.acme.certs."${root_host}".extraDomainNames = [ mastodon_host ]; + security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ]; services.mastodon = { enable = true; localDomain = mastodon_host; streamingProcesses = 7; configureNginx = true; smtp = { - fromAddress = "noreply@${root_host}"; + fromAddress = "noreply@${domain}"; }; extraConfig.SINGLE_USER_MODE = "true"; }; diff --git a/modules/matrix.nix b/modules/matrix.nix index 19e2490..700ea41 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -1,7 +1,7 @@ { lib, config, inputs, pkgs, ... }: let - root_host = "grimmauld.de"; - matrix_host = "matrix.${root_host}"; + inherit (config.networking) domain; + matrix_host = "matrix.${domain}"; in { services.postgresql = { enable = true; @@ -66,8 +66,8 @@ host replication all ::1/128 md5 settings = { suppress_key_server_warning = true; - server_name = root_host; - public_baseurl = "https://${root_host}"; + server_name = domain; + public_baseurl = "https://${domain}"; enable_registration = true; registration_requires_token = true; registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path; 
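Review bot: `server_name = domain;` in the matrix.nix @@ -66 hunk ties Synapse's server_name to `networking.domain`, but server_name is baked into every user ID, room ID and signing key and must not change once the homeserver has been used; a later edit of `networking.domain`, which is now also the host's DNS domain, would silently invalidate all accounts and federation rather than fail. The same holds for `localDomain = mastodon_host;` in the mastodon.nix hunk on this line, which derives from the same value. Add a comment at the definition, `# server_name is permanent once users exist; networking.domain must never change after first start`, or keep this one value as an explicit literal that the rest of the configuration does not share. The `settings` block continues outside the hunk.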
@@ -114,10 +114,10 @@ host replication all ::1/128 md5 services.nginx = { enable = true; - virtualHosts."${root_host}" = { + virtualHosts."${domain}" = { forceSSL = true; enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies - useACMEHost = root_host; + useACMEHost = domain; locations."/.well-known/matrix/server" = { return = "200 '{\"m.server\":\"${matrix_host}:443\"}'"; extraConfig = '' diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 33e2d05..6b51e22 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -1,7 +1,7 @@ { lib, pkgs, config, ...} : let - root_host = "grimmauld.de"; - nextcloud_host = "cloud.${root_host}"; + inherit (config.networking) domain; + nextcloud_host = "cloud.${domain}"; nextcloud_port = 8083; in { services.postgresql = { @@ -15,7 +15,7 @@ in { ]; }; - security.acme.certs."${root_host}".extraDomainNames = [ nextcloud_host ]; + security.acme.certs."${domain}".extraDomainNames = [ nextcloud_host ]; age.secrets = { nextcloud_admin_pass = { file = ../secrets/nextcloud_admin_pass.age; @@ -76,7 +76,7 @@ in { virtualHosts."${nextcloud_host}" = { serverName = nextcloud_host; forceSSL = true; - useACMEHost = root_host; + useACMEHost = domain; }; }; } diff --git a/modules/prometheus.nix b/modules/prometheus.nix index ede357f..9c525c0 100644 --- a/modules/prometheus.nix +++ b/modules/prometheus.nix @@ -1,10 +1,10 @@ { config, ... } : let - root_host = "grimmauld.de"; - prometheus_host = "prometheus.${root_host}"; + inherit (config.networking) domain; + prometheus_host = "prometheus.${domain}"; prometheus_port = 9090; # netstat -nlp | grep 9090 in { - security.acme.certs."${root_host}".extraDomainNames = [ prometheus_host]; + security.acme.certs."${domain}".extraDomainNames = [ prometheus_host]; services.prometheus = { enable = true; 
@@ -42,10 +42,10 @@ in { virtualHosts."${prometheus_host}" = { serverName = prometheus_host; forceSSL = true; - useACMEHost = root_host; + useACMEHost = domain; locations."/" = { # proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}"; - return = "307 https://${root_host}"; # nuh uh, no raw prometheus access for you! + return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you! }; }; }; diff --git a/modules/ptero.nix b/modules/ptero.nix index 85dabfa..9c326a2 100644 --- a/modules/ptero.nix +++ b/modules/ptero.nix @@ -1,7 +1,7 @@ {config, pkgs, ...}: let - root_host = "grimmauld.de"; - root_email = "contact@${root_host}"; - ptero_host = "ptero.${root_host}"; + inherit (config.networking) domain; + root_email = "contact@${domain}"; + ptero_host = "ptero.${domain}"; DATA_DIR = "/var/lib/pterodactylpanel"; panel_user = "pterodactyl"; local_bridge = "ptero-local-br"; @@ -88,7 +88,7 @@ chmod +777 -R ${DATA_DIR} "APP_TIMEZONE" = "Europe/Berlin"; "APP_SERVICE_AUTHOR" = root_email; - "MAIL_FROM" = "noreply@${root_host}"; + "MAIL_FROM" = "noreply@${domain}"; "MAIL_DRIVER" = "smtp"; "MAIL_HOST" = "mail"; "MAIL_PORT" = "25"; @@ -111,13 +111,13 @@ chmod +777 -R ${DATA_DIR} environmentFiles = [ config.age.secrets.ptero_env.path ]; }; - security.acme.certs."${root_host}".extraDomainNames = [ ptero_host ]; + security.acme.certs."${domain}".extraDomainNames = [ ptero_host ]; services.nginx = { enable = true; virtualHosts."${ptero_host}" = { serverName = ptero_host; forceSSL = true; - useACMEHost = root_host; + useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${ptero_port}"; }; diff --git a/modules/puffer.nix b/modules/puffer.nix index e04513d..0b9ce66 100644 --- a/modules/puffer.nix +++ b/modules/puffer.nix 
@@ -1,10 +1,10 @@ { lib, config, inputs, pkgs, ... }: let - root_host = "grimmauld.de"; + inherit (config.networking) domain; puffer_port = 8080; puffer_sftp_port = 5657; - puffer_host = "puffer.${root_host}"; - tlemap_host = "tlemap.${root_host}"; + puffer_host = "puffer.${domain}"; + tlemap_host = "tlemap.${domain}"; tlemap_port = 8100; in { services.pufferpanel = { @@ -22,7 +22,7 @@ in { virtualHosts."${puffer_host}" = { serverName = puffer_host; forceSSL = true; - useACMEHost = root_host; + useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}"; }; @@ -30,14 +30,14 @@ in { virtualHosts."${tlemap_host}" = { serverName = tlemap_host; forceSSL = true; - useACMEHost = root_host; + useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}"; }; }; }; - security.acme.certs."${root_host}".extraDomainNames = [ puffer_host tlemap_host ]; + security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ]; networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ]; # virtualisation.podman.enable = true;