domain config

This commit is contained in:
Grimmauld 2024-05-08 20:45:41 +02:00
parent d136aa65c5
commit 2435182a68
14 changed files with 65 additions and 84 deletions

View file

@ -1,6 +1,6 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
in { in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@ -31,7 +31,6 @@ in {
extraGroups = [ "wheel" "docker" ]; extraGroups = [ "wheel" "docker" ];
shell = pkgs.xonsh; shell = pkgs.xonsh;
packages = with pkgs; [ packages = with pkgs; [
hyfetch
]; ];
openssh.authorizedKeys.keys = (import ./authorizedKeys.nix); openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
}; };
@ -39,6 +38,7 @@ in {
programs.xonsh.enable = true; programs.xonsh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget wget
hyfetch
vulnix vulnix
tree tree
file file
@ -74,12 +74,12 @@ in {
recommendedTlsSettings = true; recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."${root_host}" = { virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
useACMEHost = root_host; useACMEHost = domain;
locations."/" = { locations."/" = {
root = "/var/www/${root_host}"; root = "/var/www/${domain}";
}; };
}; };
}; };
@ -91,7 +91,7 @@ in {
system.stateVersion = "unstable"; system.stateVersion = "unstable";
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "grimmauld-nixos-server"; networking.hostName = "grimmauld-nixos-server";
networking.domain = ""; networking.domain = "grimmauld.de";
services.openssh.enable = true; services.openssh.enable = true;
# users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix); # users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
} }

View file

@ -41,7 +41,6 @@
./modules/email.nix ./modules/email.nix
./modules/discord-matrix-bridge.nix ./modules/discord-matrix-bridge.nix
./modules/mastodon.nix ./modules/mastodon.nix
# ./modules/folding.nix
./modules/toolchains.nix ./modules/toolchains.nix
# ./modules/ptero.nix # ./modules/ptero.nix
agenix.nixosModules.default agenix.nixosModules.default

View file

@ -1,5 +1,4 @@
{ config, lib, pkgs, ...}: let { config, lib, pkgs, ...}: let
root_host = "grimmauld.de";
bridge_port = 9005; # netstat -nlp | grep 9005 bridge_port = 9005; # netstat -nlp | grep 9005
in { in {
nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: { nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
@ -27,8 +26,8 @@ in {
}; };
bridge = { bridge = {
enableSelfServiceBridging = true; enableSelfServiceBridging = true;
domain = root_host; inherit (config.networking) domain;
homeserverUrl = "https://${root_host}"; homeserverUrl = "https://${config.networking.domain}";
disablePresence = true; disablePresence = true;
disableTypingNotifications = true; disableTypingNotifications = true;
}; };

View file

@ -1,27 +1,27 @@
{ ... }: { config, ... }:
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
mail_host = "mail.${root_host}"; mail_host = "mail.${domain}";
in { in {
security.acme.certs."${root_host}".extraDomainNames = [ mail_host ]; security.acme.certs."${domain}".extraDomainNames = [ mail_host ];
# services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason # services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = mail_host; fqdn = mail_host;
domains = [ root_host ]; domains = [ domain ];
# A list of all login accounts. To create the password hashes, use # A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = { loginAccounts = {
"contact@${root_host}" = { "contact@${domain}" = {
hashedPasswordFile = ./mailpass/contact; hashedPasswordFile = ./mailpass/contact;
aliases = ["kontakt@${root_host}"]; aliases = ["kontakt@${domain}"];
}; };
"admin@${root_host}" = { "admin@${domain}" = {
hashedPasswordFile = ./mailpass/admin; hashedPasswordFile = ./mailpass/admin;
}; };
"grimmauld@${root_host}" = { "grimmauld@${domain}" = {
hashedPasswordFile = ./mailpass/grimmauld; hashedPasswordFile = ./mailpass/grimmauld;
}; };
}; };
@ -29,8 +29,8 @@ in {
# Use Let's Encrypt certificates. Note that this needs to set up a stripped # Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80. # down nginx and opens port 80.
certificateScheme = "manual"; certificateScheme = "manual";
certificateFile = "/var/lib/acme/${root_host}/fullchain.pem"; certificateFile = "/var/lib/acme/${domain}/fullchain.pem";
keyFile = "/var/lib/acme/${root_host}/key.pem"; keyFile = "/var/lib/acme/${domain}/key.pem";
}; };
services.nginx = { services.nginx = {
@ -38,9 +38,9 @@ in {
virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P
serverName = mail_host; serverName = mail_host;
forceSSL = true; forceSSL = true;
useACMEHost = root_host; useACMEHost = domain;
locations."/" = { locations."/" = {
return = "307 https://${root_host}"; return = "307 https://${domain}";
}; };
}; };
}; };

View file

@ -1,17 +0,0 @@
{ pkgs, stable, ... }: let
inherit (pkgs) fetchurl;
in {
nixpkgs.overlays = [ (final: prev: {
fahclient = prev.pkgs.callPackage (fetchurl {
url = "https://raw.githubusercontent.com/NixOS/nixpkgs/e655eb33b2e83aebf39b30535e8990e45e27588b/pkgs/applications/science/misc/foldingathome/client.nix";
hash = "sha256-LPFWAubPvmCuO25DE3MZ1JCk4MtHA7uhEKdpsAtkbsI=";
}) {};
})];
services.foldingathome = {
enable = true;
daemonNiceLevel = 19;
user = "Grimmauld";
package = pkgs.fahclient;
};
environment.systemPackages = with pkgs; [ fahclient ];
}

View file

@ -1,7 +1,7 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
gitea_host = "git.${root_host}"; gitea_host = "git.${domain}";
gitea_port = 8081; gitea_port = 8081;
gitea_ssh_port = 2222; gitea_ssh_port = 2222;
in { in {
@ -13,7 +13,7 @@ in {
HTTP_PORT = gitea_port; HTTP_PORT = gitea_port;
ROOT_URL = "https://${gitea_host}/"; ROOT_URL = "https://${gitea_host}/";
DISABLE_SSH = false; DISABLE_SSH = false;
SSH_DOMAIN = root_host; SSH_DOMAIN = domain;
START_SSH_SERVER = true; START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git"; BUILTIN_SSH_SERVER_USER = "git";
SSH_PORT = gitea_ssh_port; SSH_PORT = gitea_ssh_port;
@ -28,7 +28,7 @@ in {
}; };
security.acme.certs."${root_host}".extraDomainNames = [ gitea_host]; security.acme.certs."${domain}".extraDomainNames = [ gitea_host];
networking.firewall.allowedTCPPorts = [ gitea_ssh_port ]; networking.firewall.allowedTCPPorts = [ gitea_ssh_port ];
services.nginx = { services.nginx = {
@ -36,7 +36,7 @@ in {
virtualHosts."${gitea_host}" = { virtualHosts."${gitea_host}" = {
serverName = gitea_host; serverName = gitea_host;
forceSSL = true; forceSSL = true;
useACMEHost = root_host; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"; proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}";
}; };

View file

@ -1,7 +1,7 @@
{ config, ... }: { config, ... }:
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
grafana_host = "grafana.${root_host}"; grafana_host = "grafana.${domain}";
grafana_port = 8082; grafana_port = 8082;
in { in {
age.secrets.grafana_admin_pass = { age.secrets.grafana_admin_pass = {
@ -11,13 +11,13 @@ in {
mode = "0600"; mode = "0600";
}; };
security.acme.certs."${root_host}".extraDomainNames = [ grafana_host ]; security.acme.certs."${domain}".extraDomainNames = [ grafana_host ];
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings = {
security = { security = {
admin_user = "admin"; admin_user = "admin";
admin_email = "admin@${root_host}"; admin_email = "admin@${domain}";
admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}"; admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
}; };
server = { server = {
@ -33,7 +33,7 @@ in {
virtualHosts."${grafana_host}" = { virtualHosts."${grafana_host}" = {
serverName = grafana_host; serverName = grafana_host;
forceSSL = true; forceSSL = true;
useACMEHost = root_host; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}"; proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true; proxyWebsockets = true;

View file

@ -1,12 +1,12 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
root_email = "contact@${root_host}"; root_email = "contact@${domain}";
in { in {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = root_email; defaults.email = root_email;
certs."${root_host}" = { certs."${domain}" = {
webroot = "/var/lib/acme/acme-challenge/"; webroot = "/var/lib/acme/acme-challenge/";
}; };
}; };

View file

@ -1,16 +1,16 @@
{ config, ... } : { config, ... } :
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
mastodon_host = "mastodon.${root_host}"; mastodon_host = "mastodon.${domain}";
in { in {
security.acme.certs."${root_host}".extraDomainNames = [ mastodon_host ]; security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ];
services.mastodon = { services.mastodon = {
enable = true; enable = true;
localDomain = mastodon_host; localDomain = mastodon_host;
streamingProcesses = 7; streamingProcesses = 7;
configureNginx = true; configureNginx = true;
smtp = { smtp = {
fromAddress = "noreply@${root_host}"; fromAddress = "noreply@${domain}";
}; };
extraConfig.SINGLE_USER_MODE = "true"; extraConfig.SINGLE_USER_MODE = "true";
}; };

View file

@ -1,7 +1,7 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
matrix_host = "matrix.${root_host}"; matrix_host = "matrix.${domain}";
in { in {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@ -66,8 +66,8 @@ host replication all ::1/128 md5
settings = { settings = {
suppress_key_server_warning = true; suppress_key_server_warning = true;
server_name = root_host; server_name = domain;
public_baseurl = "https://${root_host}"; public_baseurl = "https://${domain}";
enable_registration = true; enable_registration = true;
registration_requires_token = true; registration_requires_token = true;
registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path; registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
@ -114,10 +114,10 @@ host replication all ::1/128 md5
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."${root_host}" = { virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies
useACMEHost = root_host; useACMEHost = domain;
locations."/.well-known/matrix/server" = { locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\":\"${matrix_host}:443\"}'"; return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
extraConfig = '' extraConfig = ''

View file

@ -1,7 +1,7 @@
{ lib, pkgs, config, ...} : { lib, pkgs, config, ...} :
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
nextcloud_host = "cloud.${root_host}"; nextcloud_host = "cloud.${domain}";
nextcloud_port = 8083; nextcloud_port = 8083;
in { in {
services.postgresql = { services.postgresql = {
@ -15,7 +15,7 @@ in {
]; ];
}; };
security.acme.certs."${root_host}".extraDomainNames = [ nextcloud_host ]; security.acme.certs."${domain}".extraDomainNames = [ nextcloud_host ];
age.secrets = { age.secrets = {
nextcloud_admin_pass = { nextcloud_admin_pass = {
file = ../secrets/nextcloud_admin_pass.age; file = ../secrets/nextcloud_admin_pass.age;
@ -76,7 +76,7 @@ in {
virtualHosts."${nextcloud_host}" = { virtualHosts."${nextcloud_host}" = {
serverName = nextcloud_host; serverName = nextcloud_host;
forceSSL = true; forceSSL = true;
useACMEHost = root_host; useACMEHost = domain;
}; };
}; };
} }

View file

@ -1,10 +1,10 @@
{ config, ... } : { config, ... } :
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
prometheus_host = "prometheus.${root_host}"; prometheus_host = "prometheus.${domain}";
prometheus_port = 9090; # netstat -nlp | grep 9090 prometheus_port = 9090; # netstat -nlp | grep 9090
in { in {
security.acme.certs."${root_host}".extraDomainNames = [ prometheus_host]; security.acme.certs."${domain}".extraDomainNames = [ prometheus_host];
services.prometheus = { services.prometheus = {
enable = true; enable = true;
@ -42,10 +42,10 @@ in {
virtualHosts."${prometheus_host}" = { virtualHosts."${prometheus_host}" = {
serverName = prometheus_host; serverName = prometheus_host;
forceSSL = true; forceSSL = true;
useACMEHost = root_host; useACMEHost = domain;
locations."/" = { locations."/" = {
# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}"; # proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
return = "307 https://${root_host}"; # nuh uh, no raw prometheus access for you! return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you!
}; };
}; };
}; };

View file

@ -1,7 +1,7 @@
{config, pkgs, ...}: let {config, pkgs, ...}: let
root_host = "grimmauld.de"; inherit (config.networking) domain;
root_email = "contact@${root_host}"; root_email = "contact@${domain}";
ptero_host = "ptero.${root_host}"; ptero_host = "ptero.${domain}";
DATA_DIR = "/var/lib/pterodactylpanel"; DATA_DIR = "/var/lib/pterodactylpanel";
panel_user = "pterodactyl"; panel_user = "pterodactyl";
local_bridge = "ptero-local-br"; local_bridge = "ptero-local-br";
@ -88,7 +88,7 @@ chmod +777 -R ${DATA_DIR}
"APP_TIMEZONE" = "Europe/Berlin"; "APP_TIMEZONE" = "Europe/Berlin";
"APP_SERVICE_AUTHOR" = root_email; "APP_SERVICE_AUTHOR" = root_email;
"MAIL_FROM" = "noreply@${root_host}"; "MAIL_FROM" = "noreply@${domain}";
"MAIL_DRIVER" = "smtp"; "MAIL_DRIVER" = "smtp";
"MAIL_HOST" = "mail"; "MAIL_HOST" = "mail";
"MAIL_PORT" = "25"; "MAIL_PORT" = "25";
@ -111,13 +111,13 @@ chmod +777 -R ${DATA_DIR}
environmentFiles = [ config.age.secrets.ptero_env.path ]; environmentFiles = [ config.age.secrets.ptero_env.path ];
}; };
security.acme.certs."${root_host}".extraDomainNames = [ ptero_host ]; security.acme.certs."${domain}".extraDomainNames = [ ptero_host ];
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."${ptero_host}" = { virtualHosts."${ptero_host}" = {
serverName = ptero_host; serverName = ptero_host;
forceSSL = true; forceSSL = true;
useACMEHost = root_host; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${ptero_port}"; proxyPass = "http://127.0.0.1:${ptero_port}";
}; };

View file

@ -1,10 +1,10 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
root_host = "grimmauld.de"; inherit (config.networking) domain;
puffer_port = 8080; puffer_port = 8080;
puffer_sftp_port = 5657; puffer_sftp_port = 5657;
puffer_host = "puffer.${root_host}"; puffer_host = "puffer.${domain}";
tlemap_host = "tlemap.${root_host}"; tlemap_host = "tlemap.${domain}";
tlemap_port = 8100; tlemap_port = 8100;
in { in {
services.pufferpanel = { services.pufferpanel = {
@ -22,7 +22,7 @@ in {
virtualHosts."${puffer_host}" = { virtualHosts."${puffer_host}" = {
serverName = puffer_host; serverName = puffer_host;
forceSSL = true; forceSSL = true;
useACMEHost = root_host; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}"; proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
}; };
@ -30,14 +30,14 @@ in {
virtualHosts."${tlemap_host}" = { virtualHosts."${tlemap_host}" = {
serverName = tlemap_host; serverName = tlemap_host;
forceSSL = true; forceSSL = true;
useACMEHost = root_host; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}"; proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
}; };
}; };
}; };
security.acme.certs."${root_host}".extraDomainNames = [ puffer_host tlemap_host ]; security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ];
networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ]; networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ];
# virtualisation.podman.enable = true; # virtualisation.podman.enable = true;