domain config

This commit is contained in:
Grimmauld 2024-05-08 20:45:41 +02:00
parent d136aa65c5
commit 2435182a68
14 changed files with 65 additions and 84 deletions

View file

@ -1,6 +1,6 @@
{ lib, config, inputs, pkgs, ... }:
let
root_host = "grimmauld.de";
inherit (config.networking) domain;
in {
imports = [
./hardware-configuration.nix
@ -31,7 +31,6 @@ in {
extraGroups = [ "wheel" "docker" ];
shell = pkgs.xonsh;
packages = with pkgs; [
hyfetch
];
openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
};
@ -39,6 +38,7 @@ in {
programs.xonsh.enable = true;
environment.systemPackages = with pkgs; [
wget
hyfetch
vulnix
tree
file
@ -74,12 +74,12 @@ in {
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."${root_host}" = {
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
useACMEHost = root_host;
useACMEHost = domain;
locations."/" = {
root = "/var/www/${root_host}";
root = "/var/www/${domain}";
};
};
};
@ -91,7 +91,7 @@ in {
system.stateVersion = "unstable";
zramSwap.enable = true;
networking.hostName = "grimmauld-nixos-server";
networking.domain = "";
networking.domain = "grimmauld.de";
services.openssh.enable = true;
# users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
}

View file

@ -41,7 +41,6 @@
./modules/email.nix
./modules/discord-matrix-bridge.nix
./modules/mastodon.nix
# ./modules/folding.nix
./modules/toolchains.nix
# ./modules/ptero.nix
agenix.nixosModules.default

View file

@ -1,5 +1,4 @@
{ config, lib, pkgs, ...}: let
root_host = "grimmauld.de";
bridge_port = 9005; # netstat -nlp | grep 9005
in {
nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
@ -27,8 +26,8 @@ in {
};
bridge = {
enableSelfServiceBridging = true;
domain = root_host;
homeserverUrl = "https://${root_host}";
inherit (config.networking) domain;
homeserverUrl = "https://${config.networking.domain}";
disablePresence = true;
disableTypingNotifications = true;
};

View file

@ -1,27 +1,27 @@
{ ... }:
{ config, ... }:
let
root_host = "grimmauld.de";
mail_host = "mail.${root_host}";
inherit (config.networking) domain;
mail_host = "mail.${domain}";
in {
security.acme.certs."${root_host}".extraDomainNames = [ mail_host ];
security.acme.certs."${domain}".extraDomainNames = [ mail_host ];
# services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason
mailserver = {
enable = true;
fqdn = mail_host;
domains = [ root_host ];
domains = [ domain ];
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"contact@${root_host}" = {
"contact@${domain}" = {
hashedPasswordFile = ./mailpass/contact;
aliases = ["kontakt@${root_host}"];
aliases = ["kontakt@${domain}"];
};
"admin@${root_host}" = {
"admin@${domain}" = {
hashedPasswordFile = ./mailpass/admin;
};
"grimmauld@${root_host}" = {
"grimmauld@${domain}" = {
hashedPasswordFile = ./mailpass/grimmauld;
};
};
@ -29,8 +29,8 @@ in {
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "manual";
certificateFile = "/var/lib/acme/${root_host}/fullchain.pem";
keyFile = "/var/lib/acme/${root_host}/key.pem";
certificateFile = "/var/lib/acme/${domain}/fullchain.pem";
keyFile = "/var/lib/acme/${domain}/key.pem";
};
services.nginx = {
@ -38,9 +38,9 @@ in {
virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P
serverName = mail_host;
forceSSL = true;
useACMEHost = root_host;
useACMEHost = domain;
locations."/" = {
return = "307 https://${root_host}";
return = "307 https://${domain}";
};
};
};

View file

@ -1,17 +0,0 @@
{ pkgs, stable, ... }: let
inherit (pkgs) fetchurl;
in {
nixpkgs.overlays = [ (final: prev: {
fahclient = prev.pkgs.callPackage (fetchurl {
url = "https://raw.githubusercontent.com/NixOS/nixpkgs/e655eb33b2e83aebf39b30535e8990e45e27588b/pkgs/applications/science/misc/foldingathome/client.nix";
hash = "sha256-LPFWAubPvmCuO25DE3MZ1JCk4MtHA7uhEKdpsAtkbsI=";
}) {};
})];
services.foldingathome = {
enable = true;
daemonNiceLevel = 19;
user = "Grimmauld";
package = pkgs.fahclient;
};
environment.systemPackages = with pkgs; [ fahclient ];
}

View file

@ -1,7 +1,7 @@
{ lib, config, inputs, pkgs, ... }:
let
root_host = "grimmauld.de";
gitea_host = "git.${root_host}";
inherit (config.networking) domain;
gitea_host = "git.${domain}";
gitea_port = 8081;
gitea_ssh_port = 2222;
in {
@ -13,7 +13,7 @@ in {
HTTP_PORT = gitea_port;
ROOT_URL = "https://${gitea_host}/";
DISABLE_SSH = false;
SSH_DOMAIN = root_host;
SSH_DOMAIN = domain;
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
SSH_PORT = gitea_ssh_port;
@ -28,7 +28,7 @@ in {
};
security.acme.certs."${root_host}".extraDomainNames = [ gitea_host];
security.acme.certs."${domain}".extraDomainNames = [ gitea_host];
networking.firewall.allowedTCPPorts = [ gitea_ssh_port ];
services.nginx = {
@ -36,7 +36,7 @@ in {
virtualHosts."${gitea_host}" = {
serverName = gitea_host;
forceSSL = true;
useACMEHost = root_host;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}";
};

View file

@ -1,7 +1,7 @@
{ config, ... }:
let
root_host = "grimmauld.de";
grafana_host = "grafana.${root_host}";
inherit (config.networking) domain;
grafana_host = "grafana.${domain}";
grafana_port = 8082;
in {
age.secrets.grafana_admin_pass = {
@ -11,13 +11,13 @@ in {
mode = "0600";
};
security.acme.certs."${root_host}".extraDomainNames = [ grafana_host ];
security.acme.certs."${domain}".extraDomainNames = [ grafana_host ];
services.grafana = {
enable = true;
settings = {
security = {
admin_user = "admin";
admin_email = "admin@${root_host}";
admin_email = "admin@${domain}";
admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
};
server = {
@ -33,7 +33,7 @@ in {
virtualHosts."${grafana_host}" = {
serverName = grafana_host;
forceSSL = true;
useACMEHost = root_host;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;

View file

@ -1,12 +1,12 @@
{ lib, config, inputs, pkgs, ... }:
let
root_host = "grimmauld.de";
root_email = "contact@${root_host}";
inherit (config.networking) domain;
root_email = "contact@${domain}";
in {
security.acme = {
acceptTerms = true;
defaults.email = root_email;
certs."${root_host}" = {
certs."${domain}" = {
webroot = "/var/lib/acme/acme-challenge/";
};
};

View file

@ -1,16 +1,16 @@
{ config, ... } :
let
root_host = "grimmauld.de";
mastodon_host = "mastodon.${root_host}";
inherit (config.networking) domain;
mastodon_host = "mastodon.${domain}";
in {
security.acme.certs."${root_host}".extraDomainNames = [ mastodon_host ];
security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ];
services.mastodon = {
enable = true;
localDomain = mastodon_host;
streamingProcesses = 7;
configureNginx = true;
smtp = {
fromAddress = "noreply@${root_host}";
fromAddress = "noreply@${domain}";
};
extraConfig.SINGLE_USER_MODE = "true";
};

View file

@ -1,7 +1,7 @@
{ lib, config, inputs, pkgs, ... }:
let
root_host = "grimmauld.de";
matrix_host = "matrix.${root_host}";
inherit (config.networking) domain;
matrix_host = "matrix.${domain}";
in {
services.postgresql = {
enable = true;
@ -66,8 +66,8 @@ host replication all ::1/128 md5
settings = {
suppress_key_server_warning = true;
server_name = root_host;
public_baseurl = "https://${root_host}";
server_name = domain;
public_baseurl = "https://${domain}";
enable_registration = true;
registration_requires_token = true;
registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
@ -114,10 +114,10 @@ host replication all ::1/128 md5
services.nginx = {
enable = true;
virtualHosts."${root_host}" = {
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies
useACMEHost = root_host;
useACMEHost = domain;
locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
extraConfig = ''

View file

@ -1,7 +1,7 @@
{ lib, pkgs, config, ...} :
let
root_host = "grimmauld.de";
nextcloud_host = "cloud.${root_host}";
inherit (config.networking) domain;
nextcloud_host = "cloud.${domain}";
nextcloud_port = 8083;
in {
services.postgresql = {
@ -15,7 +15,7 @@ in {
];
};
security.acme.certs."${root_host}".extraDomainNames = [ nextcloud_host ];
security.acme.certs."${domain}".extraDomainNames = [ nextcloud_host ];
age.secrets = {
nextcloud_admin_pass = {
file = ../secrets/nextcloud_admin_pass.age;
@ -76,7 +76,7 @@ in {
virtualHosts."${nextcloud_host}" = {
serverName = nextcloud_host;
forceSSL = true;
useACMEHost = root_host;
useACMEHost = domain;
};
};
}

View file

@ -1,10 +1,10 @@
{ config, ... } :
let
root_host = "grimmauld.de";
prometheus_host = "prometheus.${root_host}";
inherit (config.networking) domain;
prometheus_host = "prometheus.${domain}";
prometheus_port = 9090; # netstat -nlp | grep 9090
in {
security.acme.certs."${root_host}".extraDomainNames = [ prometheus_host];
security.acme.certs."${domain}".extraDomainNames = [ prometheus_host];
services.prometheus = {
enable = true;
@ -42,10 +42,10 @@ in {
virtualHosts."${prometheus_host}" = {
serverName = prometheus_host;
forceSSL = true;
useACMEHost = root_host;
useACMEHost = domain;
locations."/" = {
# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
return = "307 https://${root_host}"; # nuh uh, no raw prometheus access for you!
return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you!
};
};
};

View file

@ -1,7 +1,7 @@
{config, pkgs, ...}: let
root_host = "grimmauld.de";
root_email = "contact@${root_host}";
ptero_host = "ptero.${root_host}";
inherit (config.networking) domain;
root_email = "contact@${domain}";
ptero_host = "ptero.${domain}";
DATA_DIR = "/var/lib/pterodactylpanel";
panel_user = "pterodactyl";
local_bridge = "ptero-local-br";
@ -88,7 +88,7 @@ chmod +777 -R ${DATA_DIR}
"APP_TIMEZONE" = "Europe/Berlin";
"APP_SERVICE_AUTHOR" = root_email;
"MAIL_FROM" = "noreply@${root_host}";
"MAIL_FROM" = "noreply@${domain}";
"MAIL_DRIVER" = "smtp";
"MAIL_HOST" = "mail";
"MAIL_PORT" = "25";
@ -111,13 +111,13 @@ chmod +777 -R ${DATA_DIR}
environmentFiles = [ config.age.secrets.ptero_env.path ];
};
security.acme.certs."${root_host}".extraDomainNames = [ ptero_host ];
security.acme.certs."${domain}".extraDomainNames = [ ptero_host ];
services.nginx = {
enable = true;
virtualHosts."${ptero_host}" = {
serverName = ptero_host;
forceSSL = true;
useACMEHost = root_host;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${ptero_port}";
};

View file

@ -1,10 +1,10 @@
{ lib, config, inputs, pkgs, ... }:
let
root_host = "grimmauld.de";
inherit (config.networking) domain;
puffer_port = 8080;
puffer_sftp_port = 5657;
puffer_host = "puffer.${root_host}";
tlemap_host = "tlemap.${root_host}";
puffer_host = "puffer.${domain}";
tlemap_host = "tlemap.${domain}";
tlemap_port = 8100;
in {
services.pufferpanel = {
@ -22,7 +22,7 @@ in {
virtualHosts."${puffer_host}" = {
serverName = puffer_host;
forceSSL = true;
useACMEHost = root_host;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
};
@ -30,14 +30,14 @@ in {
virtualHosts."${tlemap_host}" = {
serverName = tlemap_host;
forceSSL = true;
useACMEHost = root_host;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
};
};
};
security.acme.certs."${root_host}".extraDomainNames = [ puffer_host tlemap_host ];
security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ];
networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ];
# virtualisation.podman.enable = true;