domain config

misc updates
2024-05-08 20:45:41 +02:00 · 2024-05-08 20:23:42 +02:00
17 changed files with 109 additions and 115 deletions
--- a/authorizedKeys.nix
+++ b/authorizedKeys.nix
@ -3,4 +3,5 @@
 [
  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
 ]
--- a/configuration.nix
+++ b/configuration.nix
@ -1,6 +1,6 @@
 { lib, config, inputs, pkgs, ... }:
 let
-  root_host = "grimmauld.de";
+  inherit (config.networking) domain;
 in {
  imports = [
    ./hardware-configuration.nix    
@ -31,7 +31,6 @@ in {
    extraGroups = [ "wheel" "docker" ];
    shell = pkgs.xonsh;
    packages = with pkgs; [
-      hyfetch
    ];
    openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
  };
@ -39,6 +38,7 @@ in {
  programs.xonsh.enable = true;
  environment.systemPackages = with pkgs; [
    wget
+    hyfetch
    vulnix
    tree
    file
@ -74,12 +74,12 @@ in {
    recommendedTlsSettings = true;
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

-    virtualHosts."${root_host}" = {
+    virtualHosts."${domain}" = {
      forceSSL = true;
      enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
-      useACMEHost = root_host;
+      useACMEHost = domain;
      locations."/" = {
-          root = "/var/www/${root_host}"; 
+          root = "/var/www/${domain}"; 
      };
    };
  };
@ -91,7 +91,7 @@ in {
  system.stateVersion = "unstable";
  zramSwap.enable = true;
  networking.hostName = "grimmauld-nixos-server";
-  networking.domain = "";
+  networking.domain = "grimmauld.de";
  services.openssh.enable = true;
 #  users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
 }
--- a/flake.lock
+++ b/flake.lock
@ -8,11 +8,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1703433843,
-        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
+        "lastModified": 1715101957,
+        "narHash": "sha256-fs5uVQFTfgb4L9pnhldeyTHNcYwn1U4nKYoCBJ6W3W4=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
+        "rev": "07479c2e7396acaaaac5925483498154034ea80a",
        "type": "github"
      },
      "original": {
@ -122,14 +122,14 @@
    },
    "nixos-matrix-modules": {
      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1701507532,
-        "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
+        "lastModified": 1710311999,
+        "narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
        "ref": "refs/heads/master",
-        "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
-        "revCount": 56,
+        "rev": "6c9b67974b839740e2a738958512c7a704481157",
+        "revCount": 63,
        "submodules": true,
        "type": "git",
        "url": "https://github.com/dali99/nixos-matrix-modules"
@ -186,28 +186,13 @@
        "type": "indirect"
      }
    },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1673743903,
-        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1706826059,
-        "narHash": "sha256-N69Oab+cbt3flLvYv8fYnEHlBsWwdKciNZHUbynVEOA=",
+        "lastModified": 1714971268,
+        "narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "25e3d4c0d3591c99929b1ec07883177f6ea70c9d",
+        "rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c",
        "type": "github"
      },
      "original": {
@ -234,11 +219,26 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1706732774,
-        "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=",
+        "lastModified": 1706098335,
+        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d",
+        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1714906307,
+        "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588",
        "type": "github"
      },
      "original": {
@ -253,7 +253,7 @@
        "agenix": "agenix",
        "nixos-mailserver": "nixos-mailserver",
        "nixos-matrix-modules": "nixos-matrix-modules",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
        "nixpkgs-stable": "nixpkgs-stable"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@ -41,7 +41,6 @@
          ./modules/email.nix
          ./modules/discord-matrix-bridge.nix
          ./modules/mastodon.nix
-          ./modules/folding.nix
          ./modules/toolchains.nix
 #          ./modules/ptero.nix
          agenix.nixosModules.default
--- a/modules/discord-matrix-bridge.nix
+++ b/modules/discord-matrix-bridge.nix
@ -1,5 +1,4 @@
 { config, lib, pkgs, ...}: let
-  root_host = "grimmauld.de";
  bridge_port = 9005; # netstat -nlp | grep 9005
 in {
  nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
@ -27,8 +26,8 @@ in {
      };
      bridge = {
        enableSelfServiceBridging = true;
-        domain = root_host;
-        homeserverUrl = "https://${root_host}";
+        inherit (config.networking) domain;
+        homeserverUrl = "https://${config.networking.domain}";
        disablePresence = true;
        disableTypingNotifications = true;
      };
--- a/modules/email.nix
+++ b/modules/email.nix
@ -1,27 +1,27 @@
-{ ... }: 
+{ config, ... }: 
 let
-  root_host = "grimmauld.de";
-  mail_host = "mail.${root_host}";
+  inherit (config.networking) domain;
+  mail_host = "mail.${domain}";
 in {
-  security.acme.certs."${root_host}".extraDomainNames = [ mail_host ];
+  security.acme.certs."${domain}".extraDomainNames = [ mail_host ];

 #  services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason
  mailserver = {
    enable = true;
    fqdn = mail_host;
-    domains = [ root_host ];
+    domains = [ domain ];

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
-      "contact@${root_host}" = {
+      "contact@${domain}" = {
        hashedPasswordFile = ./mailpass/contact;
-        aliases = ["kontakt@${root_host}"];
+        aliases = ["kontakt@${domain}"];
      };
-      "admin@${root_host}" = {
+      "admin@${domain}" = {
        hashedPasswordFile = ./mailpass/admin;
      };
-      "grimmauld@${root_host}" = {
+      "grimmauld@${domain}" = {
        hashedPasswordFile = ./mailpass/grimmauld;
      };
    };
@ -29,8 +29,8 @@ in {
    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "manual";
-    certificateFile = "/var/lib/acme/${root_host}/fullchain.pem";
-    keyFile = "/var/lib/acme/${root_host}/key.pem";
+    certificateFile = "/var/lib/acme/${domain}/fullchain.pem";
+    keyFile = "/var/lib/acme/${domain}/key.pem";
  };

    services.nginx = {
@ -38,9 +38,9 @@ in {
    virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P
      serverName = mail_host;
      forceSSL = true;
-      useACMEHost = root_host;
+      useACMEHost = domain;
      locations."/" = {
-        return = "307 https://${root_host}";
+        return = "307 https://${domain}";
      };
    };
  };
--- a/modules/folding.nix
+++ b/modules/folding.nix
@ -1,17 +0,0 @@
-{ pkgs, stable, ... }: let
-  inherit (pkgs) fetchurl;
-in {
-  nixpkgs.overlays = [ (final: prev: {
-    fahclient = prev.pkgs.callPackage (fetchurl {
-      url = "https://raw.githubusercontent.com/NixOS/nixpkgs/e655eb33b2e83aebf39b30535e8990e45e27588b/pkgs/applications/science/misc/foldingathome/client.nix";
-      hash = "sha256-LPFWAubPvmCuO25DE3MZ1JCk4MtHA7uhEKdpsAtkbsI=";
-    }) {};
-  })];
-  services.foldingathome = {
-    enable = true;
-    daemonNiceLevel = 19;
-    user = "Grimmauld";
-    package = pkgs.fahclient;
-  };
-  environment.systemPackages = with pkgs; [ fahclient ];
-}
--- a/modules/gitea.nix
+++ b/modules/gitea.nix
@ -1,8 +1,9 @@
 { lib, config, inputs, pkgs, ... }:
 let
-  root_host = "grimmauld.de";
-  gitea_host = "git.${root_host}";
+  inherit (config.networking) domain;
+  gitea_host = "git.${domain}";
  gitea_port = 8081;
+  gitea_ssh_port = 2222;
 in {
  services.gitea = {
    enable = true;
@ -11,21 +12,31 @@ in {
      server = {
        HTTP_PORT = gitea_port;
        ROOT_URL = "https://${gitea_host}/";
-        DISABLE_SSH = true;
+        DISABLE_SSH = false;
+        SSH_DOMAIN = domain;
+        START_SSH_SERVER = true;
+        BUILTIN_SSH_SERVER_USER = "git";
+        SSH_PORT = gitea_ssh_port;
+#        SSH_LISTEN_HOST="::"; # fixme?
+#         SSH_AUTHORIZED_PRINCIPALS_ALLOW="username";
      };
 #      log.LEVEL = "Debug";
      "ssh.minimum_key_sizes".RSA = 2048;
+      "git.timeout".MIGRATE = 6000;
    };
    lfs.enable = true;
  };
-  security.acme.certs."${root_host}".extraDomainNames = [ gitea_host];
+
+
+  security.acme.certs."${domain}".extraDomainNames = [ gitea_host];
+  networking.firewall.allowedTCPPorts = [ gitea_ssh_port ];

  services.nginx = {
    enable = true;
    virtualHosts."${gitea_host}" = {
      serverName = gitea_host;
      forceSSL = true;
-      useACMEHost = root_host;
+      useACMEHost = domain;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}";
      };
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@ -1,7 +1,7 @@
 { config, ... }:
 let
-  root_host = "grimmauld.de";
-  grafana_host = "grafana.${root_host}";
+  inherit (config.networking) domain;
+  grafana_host = "grafana.${domain}";
  grafana_port = 8082;
 in {
  age.secrets.grafana_admin_pass = {
@ -11,13 +11,13 @@ in {
    mode = "0600";
  };

-  security.acme.certs."${root_host}".extraDomainNames = [ grafana_host ];
+  security.acme.certs."${domain}".extraDomainNames = [ grafana_host ];
  services.grafana = {
    enable = true;
    settings = {
      security = {
        admin_user = "admin";
-        admin_email = "admin@${root_host}";
+        admin_email = "admin@${domain}";
        admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
      };
      server = {
@ -33,7 +33,7 @@ in {
    virtualHosts."${grafana_host}" = {
      serverName = grafana_host;
      forceSSL = true;
-      useACMEHost = root_host;
+      useACMEHost = domain;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
        proxyWebsockets = true;
--- a/modules/letsencrypt.nix
+++ b/modules/letsencrypt.nix
@ -1,12 +1,12 @@
 { lib, config, inputs, pkgs, ... }:
 let
-  root_host = "grimmauld.de";
-  root_email = "contact@${root_host}";
+  inherit (config.networking) domain;
+  root_email = "contact@${domain}";
 in {
  security.acme = {
    acceptTerms = true;
    defaults.email = root_email;
-    certs."${root_host}" = {
+    certs."${domain}" = {
      webroot = "/var/lib/acme/acme-challenge/";
    };
  };
--- a/modules/mastodon.nix
+++ b/modules/mastodon.nix
@ -1,16 +1,16 @@
 { config, ... } :
 let
-  root_host = "grimmauld.de";
-  mastodon_host = "mastodon.${root_host}";
+  inherit (config.networking) domain;
+  mastodon_host = "mastodon.${domain}";
 in {
-  security.acme.certs."${root_host}".extraDomainNames = [ mastodon_host ];
+  security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ];
  services.mastodon = {
    enable = true;
    localDomain = mastodon_host;
    streamingProcesses = 7;
    configureNginx = true;
    smtp = {
-      fromAddress = "noreply@${root_host}";
+      fromAddress = "noreply@${domain}";
    };
    extraConfig.SINGLE_USER_MODE = "true";
  };
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@ -1,7 +1,7 @@
 { lib, config, inputs, pkgs, ... }:
 let
-  root_host = "grimmauld.de";
-  matrix_host = "matrix.${root_host}";
+  inherit (config.networking) domain;
+  matrix_host = "matrix.${domain}";
 in {
 services.postgresql = {
    enable = true;
@ -66,8 +66,8 @@ host    replication     all             ::1/128                 md5

    settings = {
      suppress_key_server_warning = true;
-      server_name = root_host;
-      public_baseurl = "https://${root_host}";
+      server_name = domain;
+      public_baseurl = "https://${domain}";
      enable_registration = true;
      registration_requires_token = true;
      registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
@ -114,10 +114,10 @@ host    replication     all             ::1/128                 md5

  services.nginx = {
    enable = true;
-    virtualHosts."${root_host}" = {
+    virtualHosts."${domain}" = {
      forceSSL = true;
      enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies
-      useACMEHost = root_host;
+      useACMEHost = domain;
      locations."/.well-known/matrix/server" = {
        return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
        extraConfig = ''
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -1,7 +1,7 @@
 { lib, pkgs, config, ...} :
 let
-  root_host = "grimmauld.de";
-  nextcloud_host = "cloud.${root_host}";
+  inherit (config.networking) domain;
+  nextcloud_host = "cloud.${domain}";
  nextcloud_port = 8083;
 in {
  services.postgresql = {
@ -15,7 +15,7 @@ in {
    ];
  };

-  security.acme.certs."${root_host}".extraDomainNames = [ nextcloud_host ];
+  security.acme.certs."${domain}".extraDomainNames = [ nextcloud_host ];
  age.secrets = {
    nextcloud_admin_pass = {
      file = ../secrets/nextcloud_admin_pass.age;
@ -76,7 +76,7 @@ in {
    virtualHosts."${nextcloud_host}" = {
      serverName = nextcloud_host;
      forceSSL = true;
-      useACMEHost = root_host;
+      useACMEHost = domain;
    };
  };
 }
--- a/modules/prometheus.nix
+++ b/modules/prometheus.nix
@ -1,10 +1,10 @@
 { config, ... } :
 let
-  root_host = "grimmauld.de";
-  prometheus_host = "prometheus.${root_host}";
+  inherit (config.networking) domain;
+  prometheus_host = "prometheus.${domain}";
  prometheus_port = 9090; # netstat -nlp | grep 9090
 in {
-  security.acme.certs."${root_host}".extraDomainNames = [ prometheus_host];
+  security.acme.certs."${domain}".extraDomainNames = [ prometheus_host];

  services.prometheus = {
    enable = true;
@ -42,10 +42,10 @@ in {
    virtualHosts."${prometheus_host}" = {
      serverName = prometheus_host;
      forceSSL = true;
-      useACMEHost = root_host;
+      useACMEHost = domain;
      locations."/" = {
 #        proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
-        return = "307 https://${root_host}"; # nuh uh, no raw prometheus access for you!
+        return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you!
      };
    };
  };
--- a/modules/ptero.nix
+++ b/modules/ptero.nix
@ -1,7 +1,7 @@
 {config, pkgs, ...}: let
-  root_host = "grimmauld.de";
-  root_email = "contact@${root_host}";
-  ptero_host = "ptero.${root_host}";
+  inherit (config.networking) domain;
+  root_email = "contact@${domain}";
+  ptero_host = "ptero.${domain}";
  DATA_DIR = "/var/lib/pterodactylpanel";
  panel_user = "pterodactyl";
  local_bridge = "ptero-local-br";
@ -88,7 +88,7 @@ chmod +777 -R ${DATA_DIR}
      "APP_TIMEZONE" =  "Europe/Berlin";
      "APP_SERVICE_AUTHOR" = root_email;

-      "MAIL_FROM" = "noreply@${root_host}";
+      "MAIL_FROM" = "noreply@${domain}";
      "MAIL_DRIVER" = "smtp";
      "MAIL_HOST" = "mail";
      "MAIL_PORT" = "25";
@ -111,13 +111,13 @@ chmod +777 -R ${DATA_DIR}
    environmentFiles = [ config.age.secrets.ptero_env.path ];
  };

-  security.acme.certs."${root_host}".extraDomainNames = [ ptero_host ];
+  security.acme.certs."${domain}".extraDomainNames = [ ptero_host ];
  services.nginx = {
    enable = true;
    virtualHosts."${ptero_host}" = {
      serverName = ptero_host;
      forceSSL = true;
-      useACMEHost = root_host;
+      useACMEHost = domain;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${ptero_port}";
      };
--- a/modules/puffer.nix
+++ b/modules/puffer.nix
@ -1,10 +1,10 @@
 { lib, config, inputs, pkgs, ... }:
 let
-  root_host = "grimmauld.de";
+  inherit (config.networking) domain;
  puffer_port = 8080;
  puffer_sftp_port = 5657;
-  puffer_host = "puffer.${root_host}";
-  tlemap_host = "tlemap.${root_host}";
+  puffer_host = "puffer.${domain}";
+  tlemap_host = "tlemap.${domain}";
  tlemap_port = 8100;
 in {
  services.pufferpanel = {
@ -22,7 +22,7 @@ in {
    virtualHosts."${puffer_host}" = {
      serverName = puffer_host;
      forceSSL = true;
-      useACMEHost = root_host;
+      useACMEHost = domain;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
      };
@ -30,15 +30,15 @@ in {
    virtualHosts."${tlemap_host}" = {
      serverName = tlemap_host;
      forceSSL = true;
-      useACMEHost = root_host;
+      useACMEHost = domain;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
      };
    };

  };
-  security.acme.certs."${root_host}".extraDomainNames = [ puffer_host tlemap_host ];
-  networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568];
+  security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ];
+  networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ];

 #  virtualisation.podman.enable = true;
  virtualisation.docker.enable = true;
--- a/modules/toolchains.nix
+++ b/modules/toolchains.nix
@ -6,6 +6,7 @@ in {
    (writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
    (writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
    mkpasswd
+    node2nix
  ];

  programs.git = {
Author	SHA1	Message	Date
Grimmauld	2435182a68	domain config	2024-05-08 20:45:41 +02:00
Grimmauld	d136aa65c5	misc updates	2024-05-08 20:23:42 +02:00