

No commits in common. "main" and "security_patching" have entirely different histories.

21 changed files with 119 additions and 440 deletions


@ -3,5 +3,4 @@
[ [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
] ]
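Review bot: The entry dropped from this list is the only non-RSA key; the two that remain are both `ssh-rsa` whose `AAAAB3NzaC1yc2EAAAADAQABAAABAQ` prefix encodes a 257-byte modulus, i.e. 2048-bit keys. If removing the ed25519 key was deliberate, consider keeping one ed25519 (or a ≥3072-bit RSA) key so access to this host does not rest solely on 2048-bit RSA, and confirm sshd no longer accepts `ssh-rsa` (SHA-1) signatures for them — OpenSSH ≥8.8 refuses those by default, but the sshd settings are not in this compare. The list is shown in full here; the hunk starts at file line 3.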


@ -1,29 +1,16 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
# git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
root_email = (builtins.elemAt (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt)) 0);
in { in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_hardened;
services.logrotate.checkConfig = false; # needed or this explodes
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "de_DE.UTF-8";
LC_IDENTIFICATION = "de_DE.UTF-8";
LC_MEASUREMENT = "de_DE.UTF-8";
LC_MONETARY = "de_DE.UTF-8";
LC_NAME = "de_DE.UTF-8";
LC_NUMERIC = "de_DE.UTF-8";
LC_PAPER = "de_DE.UTF-8";
LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
users.users.grimmauld = { users.users.grimmauld = {
isNormalUser = true; isNormalUser = true;
@ -31,6 +18,7 @@ in {
extraGroups = [ "wheel" "docker" ]; extraGroups = [ "wheel" "docker" ];
shell = pkgs.xonsh; shell = pkgs.xonsh;
packages = with pkgs; [ packages = with pkgs; [
hyfetch
]; ];
openssh.authorizedKeys.keys = (import ./authorizedKeys.nix); openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
}; };
@ -38,35 +26,39 @@ in {
programs.xonsh.enable = true; programs.xonsh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget wget
hyfetch vulnix
vulnix #
tree tree
git
file file
git-lfs
util-linux util-linux
btop btop
mkpasswd
linuxPackages.perf linuxPackages.perf
gitea
matrix-synapse-tools.synadm
matrix-synapse
# ffmpeg-full
pufferpanel
(writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
(writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
]; ];
environment.sessionVariables = { environment.sessionVariables = {
NIXPKGS_ALLOW_UNFREE="1"; NIXPKGS_ALLOW_UNFREE="1";
OMP_NUM_THREADS = "8"; OMP_NUM_THREADS = "4";
}; };
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 80 443 ];
allowPing = true; allowPing = true;
allowedUDPPortRanges = []; allowedUDPPortRanges = [];
}; };
# services.nginx.package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.hostName = "grimmauld-nixos-server";
networking.domain = "grimmauld.de";
services.openssh.enable = true;
system.stateVersion = "23.11";
services.nginx = { services.nginx = {
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
enable = true; enable = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
@ -74,21 +66,24 @@ in {
recommendedTlsSettings = true; recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."${domain}" = { virtualHosts."${root_host}" = {
forceSSL = true; forceSSL = true;
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies
useACMEHost = domain; useACMEHost = root_host;
locations."/" = { locations."/" = {
root = "/var/www/${domain}"; root = "/var/www/grimmauld.duckdns.org";
}; };
}; };
}; };
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "unstable";
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
# users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix); boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "grimmauld-nixos-server";
networking.domain = "";
services.openssh.enable = true;
# users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
} }
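Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";`, kept on the new side, overrides the cipher list that `recommendedTlsSettings = true` installs, and the string still admits CBC/SHA-1 suites (e.g. ECDHE-RSA-AES256-SHA) and finite-field DHE while excluding AES-128-GCM and ChaCha20-Poly1305, which many mobile clients prefer; it has no effect on TLS 1.3 suites at all. Dropping the line, or at least `sslCiphers = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!SHA1";`, would be both simpler and stronger. Separately, `services.openssh.enable = true;` appears with no `settings` block in view, and logins are key-based via `authorizedKeys.nix`; unless it is set elsewhere, add `services.openssh.settings.PasswordAuthentication = false;`, since the NixOS default leaves password auth on. The module body extends beyond both ends of the hunks shown.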


@ -8,11 +8,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1715101957, "lastModified": 1703433843,
"narHash": "sha256-fs5uVQFTfgb4L9pnhldeyTHNcYwn1U4nKYoCBJ6W3W4=", "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "07479c2e7396acaaaac5925483498154034ea80a", "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -106,30 +106,29 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1706872533, "lastModified": 1706219574,
"narHash": "sha256-IeIIhd18Tp1oNipwxmRKnLr4dFxl6VUHWykQ1uVYIWE=", "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=",
"ref": "Grimmauld-master-patch-84178", "ref": "refs/heads/master",
"rev": "bcd01ccb19e29ce8046962cb22ecfaa78bf1bfdd", "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf",
"revCount": 577, "revCount": 576,
"type": "git", "type": "git",
"url": "https://gitlab.com/Grimmauld/nixos-mailserver" "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver"
}, },
"original": { "original": {
"ref": "Grimmauld-master-patch-84178",
"type": "git", "type": "git",
"url": "https://gitlab.com/Grimmauld/nixos-mailserver" "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver"
} }
}, },
"nixos-matrix-modules": { "nixos-matrix-modules": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_3" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1710311999, "lastModified": 1701507532,
"narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=", "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "6c9b67974b839740e2a738958512c7a704481157", "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
"revCount": 63, "revCount": 56,
"submodules": true, "submodules": true,
"type": "git", "type": "git",
"url": "https://github.com/dali99/nixos-matrix-modules" "url": "https://github.com/dali99/nixos-matrix-modules"
@ -186,19 +185,18 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1714971268, "lastModified": 1673743903,
"narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=", "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
"owner": "NixOS", "owner": "nix-community",
"repo": "nixpkgs", "repo": "nixpkgs.lib",
"rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c", "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nix-community",
"ref": "nixos-23.11", "repo": "nixpkgs.lib",
"repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
@ -219,26 +217,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1706098335, "lastModified": 1705856552,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651", "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1714906307,
"narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -253,8 +236,7 @@
"agenix": "agenix", "agenix": "agenix",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixos-matrix-modules": "nixos-matrix-modules", "nixos-matrix-modules": "nixos-matrix-modules",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_3"
"nixpkgs-stable": "nixpkgs-stable"
} }
}, },
"systems": { "systems": {


@ -7,26 +7,22 @@
nixpkgs = { nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable"; url = "github:NixOS/nixpkgs/nixos-unstable";
}; };
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
nixos-matrix-modules = { nixos-matrix-modules = {
url = "git+https://github.com/dali99/nixos-matrix-modules?submodules=1"; url = "git+https://github.com/dali99/nixos-matrix-modules?submodules=1";
flake = true; flake = true;
}; };
nixos-mailserver = { nixos-mailserver = {
# url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver"; url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver";
url = "git+https://gitlab.com/Grimmauld/nixos-mailserver?ref=Grimmauld-master-patch-84178";
flake = true; flake = true;
}; };
}; };
outputs = { nixos-mailserver, nixos-matrix-modules, self, nixpkgs-stable, nixpkgs, agenix, ... } @ inputs: let outputs = { nixos-mailserver, nixos-matrix-modules, self, nixpkgs, agenix }: let
system = "x86_64-linux"; system = "x86_64-linux";
stable = import nixpkgs-stable { inherit system; config.allowUnfree = true; };
in { in {
nixosConfigurations = { nixosConfigurations = {
grimmauld-nixos-server = nixpkgs.lib.nixosSystem { grimmauld-nixos-server = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs stable; };
modules = [ modules = [
./configuration.nix ./configuration.nix
./modules/matrix.nix ./modules/matrix.nix
@ -36,13 +32,10 @@
./modules/nextcloud.nix ./modules/nextcloud.nix
./modules/prometheus.nix ./modules/prometheus.nix
./modules/letsencrypt.nix ./modules/letsencrypt.nix
# ./modules/mjolnir.nix ./modules/mjolnir.nix
./modules/fail2ban.nix ./modules/fail2ban.nix
./modules/email.nix ./modules/email.nix
./modules/discord-matrix-bridge.nix
./modules/mastodon.nix ./modules/mastodon.nix
./modules/toolchains.nix
# ./modules/ptero.nix
agenix.nixosModules.default agenix.nixosModules.default
nixos-mailserver.nixosModules.default nixos-mailserver.nixosModules.default
nixos-matrix-modules.nixosModules.default nixos-matrix-modules.nixosModules.default
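Review bot: Both `git+https://…` inputs (`nixos-matrix-modules` and, after this change, upstream `nixos-mailserver`) point at an unnamed branch head with no `?ref=`/`?rev=`, so the only thing fixing the code that configures the mail and Matrix stacks is `flake.lock`; a routine `nix flake update` pulls whatever those default branches hold at that moment. Pinning a release tag or an explicit `?rev=` on each `url` keeps updates deliberate and reviewable. Also, `specialArgs = { inherit inputs stable; }` is gone but `configuration.nix`, `gitea.nix`, `matrix.nix` and `pufferpanel.nix` still declare `inputs` in their argument sets; that stays harmless only because the module system resolves arguments lazily and none of them read it, so the dead parameter should be dropped. The `outputs` function continues past the end of this hunk.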


@ -1,43 +0,0 @@
{ config, lib, pkgs, ...}: let
bridge_port = 9005; # netstat -nlp | grep 9005
in {
nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "t2bot";
repo = "matrix-appservice-discord";
rev = "8361ca6121bf1f0902154baa538cb6d5766e477f";
hash = "sha256-oXon6pFJgqQ1uBLtsSVNH7XSOpxxJYqpW2n9cFrs3sU=";
};
patches = (let oldPatches = old.patches or []; in if oldPatches == null then [] else oldPatches) ++ [ ./patch_bridge_perms.patch ];
doCheck = false;
});})
];
age.secrets.matrix_discord_bridge_token.file = ../secrets/matrix_discord_bridge_token.age;
services.matrix-synapse-next.settings.app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" ];
services.matrix-appservice-discord = {
enable = true;
settings = {
auth = {
usePrivilegedIntents = true; # typing status and stuff
};
bridge = {
enableSelfServiceBridging = true;
inherit (config.networking) domain;
homeserverUrl = "https://${config.networking.domain}";
disablePresence = true;
disableTypingNotifications = true;
};
# logging.console = "silly";
};
serviceDependencies = ["matrix-synapse.target"];
port = bridge_port;
localpart = "_discord_";
package = pkgs.matrix-appservice-discord;
environmentFile = config.age.secrets.matrix_discord_bridge_token.path;
};
}


@ -1,36 +1,33 @@
{ config, ... }: { ... }:
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
mail_host = "mail.${domain}"; mail_host = "mail.${root_host}";
in { in {
security.acme.certs."${domain}".extraDomainNames = [ mail_host ]; security.acme.certs."${root_host}".extraDomainNames = [ mail_host ];
# services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = mail_host; fqdn = mail_host;
domains = [ domain ]; domains = [ root_host ];
# A list of all login accounts. To create the password hashes, use # A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = { loginAccounts = {
"contact@${domain}" = { "contact@${root_host}" = {
hashedPasswordFile = ./mailpass/contact; hashedPasswordFile = ./mailpass/contact;
aliases = ["kontakt@${domain}"]; aliases = ["kontakt@${root_host}"];
}; };
"admin@${domain}" = { "admin@${root_host}" = {
hashedPasswordFile = ./mailpass/admin; hashedPasswordFile = ./mailpass/admin;
}; };
"grimmauld@${domain}" = {
hashedPasswordFile = ./mailpass/grimmauld;
};
}; };
# Use Let's Encrypt certificates. Note that this needs to set up a stripped # Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80. # down nginx and opens port 80.
certificateScheme = "manual"; certificateScheme = "manual";
certificateFile = "/var/lib/acme/${domain}/fullchain.pem"; certificateFile = "/var/lib/acme/${root_host}/fullchain.pem";
keyFile = "/var/lib/acme/${domain}/key.pem"; keyFile = "/var/lib/acme/${root_host}/key.pem";
}; };
services.nginx = { services.nginx = {
@ -38,9 +35,9 @@ in {
virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P
serverName = mail_host; serverName = mail_host;
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = root_host;
locations."/" = { locations."/" = {
return = "307 https://${domain}"; return = "307 https://${root_host}";
}; };
}; };
}; };
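Review bot: `hashedPasswordFile = ./mailpass/contact;` and `./mailpass/admin` are relative paths inside the flake, so the hash files are committed to the repository and copied into the world-readable Nix store at evaluation; the `mailpass/grimmauld` file deleted in this same compare shows what they hold, a `$2b$05$…` bcrypt hash at cost factor 5, which is low. Everything else in this tree goes through agenix (`config.age.secrets.<name>.path`), so these two should use the same mechanism, e.g. `hashedPasswordFile = config.age.secrets.mail_contact_hash.path;`, and the password behind the deleted hash should be rotated because removing the file does not remove it from git history. The `mailserver` block is complete in this hunk; the `services.nginx` block continues below it.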


@ -1,9 +1,8 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
gitea_host = "git.${domain}"; gitea_host = "git.${root_host}";
gitea_port = 8081; gitea_port = 8081;
gitea_ssh_port = 2222;
in { in {
services.gitea = { services.gitea = {
enable = true; enable = true;
@ -12,35 +11,20 @@ in {
server = { server = {
HTTP_PORT = gitea_port; HTTP_PORT = gitea_port;
ROOT_URL = "https://${gitea_host}/"; ROOT_URL = "https://${gitea_host}/";
DISABLE_SSH = false; DISABLE_SSH = true;
SSH_DOMAIN = domain;
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
SSH_PORT = gitea_ssh_port;
# SSH_LISTEN_HOST="::"; # fixme?
# SSH_AUTHORIZED_PRINCIPALS_ALLOW="username";
}; };
# log.LEVEL = "Debug"; # log.LEVEL = "Debug";
"ssh.minimum_key_sizes".RSA = 2048;
"git.timeout".MIGRATE = 6000;
}; };
lfs.enable = true; lfs.enable = true;
}; };
security.acme.certs."${root_host}".extraDomainNames = [ gitea_host];
environment.systemPackages = with pkgs; [
gitea
];
security.acme.certs."${domain}".extraDomainNames = [ gitea_host];
networking.firewall.allowedTCPPorts = [ gitea_ssh_port ];
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."${gitea_host}" = { virtualHosts."${gitea_host}" = {
serverName = gitea_host; serverName = gitea_host;
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = root_host;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"; proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}";
}; };
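Review bot: `lfs.enable = true;` stays on while the nginx vhost only sets `proxyPass`, so unless a limit is configured outside this hunk nginx's default `client_max_body_size` of 1m applies and LFS uploads or larger pushes over HTTPS — now the only transport, with `DISABLE_SSH = true;` — will fail with 413. Adding `extraConfig = "client_max_body_size 512m;";` to `locations."/"` (sized to what the repos need) is the usual fix. The `virtualHosts` block continues past the end of the hunk.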


@ -1,7 +1,7 @@
{ config, ... }: { config, ... }:
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
grafana_host = "grafana.${domain}"; grafana_host = "grafana.${root_host}";
grafana_port = 8082; grafana_port = 8082;
in { in {
age.secrets.grafana_admin_pass = { age.secrets.grafana_admin_pass = {
@ -11,13 +11,13 @@ in {
mode = "0600"; mode = "0600";
}; };
security.acme.certs."${domain}".extraDomainNames = [ grafana_host ]; security.acme.certs."${root_host}".extraDomainNames = [ grafana_host ];
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings = {
security = { security = {
admin_user = "admin"; admin_user = "admin";
admin_email = "admin@${domain}"; admin_email = "admin@${root_host}";
admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}"; admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
}; };
server = { server = {
@ -33,7 +33,7 @@ in {
virtualHosts."${grafana_host}" = { virtualHosts."${grafana_host}" = {
serverName = grafana_host; serverName = grafana_host;
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = root_host;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}"; proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true; proxyWebsockets = true;


@ -1,12 +1,12 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
root_email = "contact@${domain}"; root_email = "contact@${root_host}";
in { in {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = root_email; defaults.email = root_email;
certs."${domain}" = { certs."${root_host}" = {
webroot = "/var/lib/acme/acme-challenge/"; webroot = "/var/lib/acme/acme-challenge/";
}; };
}; };


@ -1 +0,0 @@
$2b$05$nmY9QnYyOhhhXn3OOalxkeWWLZtlaxD2vGwr0f6gtHNUz5EfZXvsa


@ -1,16 +1,16 @@
{ config, ... } : { config, ... } :
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
mastodon_host = "mastodon.${domain}"; mastodon_host = "mastodon.${root_host}";
in { in {
security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ]; security.acme.certs."${root_host}".extraDomainNames = [ mastodon_host ];
services.mastodon = { services.mastodon = {
enable = true; enable = true;
localDomain = mastodon_host; localDomain = mastodon_host;
streamingProcesses = 7; streamingProcesses = 7;
configureNginx = true; configureNginx = true;
smtp = { smtp = {
fromAddress = "noreply@${domain}"; fromAddress = "noreply@${root_host}";
}; };
extraConfig.SINGLE_USER_MODE = "true"; extraConfig.SINGLE_USER_MODE = "true";
}; };


@ -1,7 +1,7 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
matrix_host = "matrix.${domain}"; matrix_host = "matrix.${root_host}";
in { in {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@ -66,8 +66,8 @@ host replication all ::1/128 md5
settings = { settings = {
suppress_key_server_warning = true; suppress_key_server_warning = true;
server_name = domain; server_name = root_host;
public_baseurl = "https://${domain}"; public_baseurl = "https://${root_host}";
enable_registration = true; enable_registration = true;
registration_requires_token = true; registration_requires_token = true;
registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path; registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
@ -111,17 +111,13 @@ host replication all ::1/128 md5
mode = "0600"; mode = "0600";
}; };
environment.systemPackages = with pkgs; [
matrix-synapse-tools.synadm
matrix-synapse
];
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."${domain}" = { virtualHosts."${root_host}" = {
forceSSL = true; forceSSL = true;
enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies
useACMEHost = domain; useACMEHost = root_host;
locations."/.well-known/matrix/server" = { locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\":\"${matrix_host}:443\"}'"; return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
extraConfig = '' extraConfig = ''
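Review bot: The hunk-header context `host replication all ::1/128 md5` shows the `pg_hba` rule in this file still selecting `md5` password authentication for the replication role (the rule itself sits in the preceding, unshown part of the `services.postgresql` block). PostgreSQL has used `scram-sha-256` as the default `password_encryption` since version 14, and md5 is the legacy scheme; unless the replica client cannot do SCRAM, change the rule to `host replication all ::1/128 scram-sha-256` and re-hash the role's password. The `services.postgresql` and `services.nginx` blocks both extend outside the hunks shown.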


@ -1,7 +1,7 @@
{ lib, pkgs, config, ...} : { lib, pkgs, config, ...} :
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
nextcloud_host = "cloud.${domain}"; nextcloud_host = "cloud.${root_host}";
nextcloud_port = 8083; nextcloud_port = 8083;
in { in {
services.postgresql = { services.postgresql = {
@ -15,7 +15,7 @@ in {
]; ];
}; };
security.acme.certs."${domain}".extraDomainNames = [ nextcloud_host ]; security.acme.certs."${root_host}".extraDomainNames = [ nextcloud_host ];
age.secrets = { age.secrets = {
nextcloud_admin_pass = { nextcloud_admin_pass = {
file = ../secrets/nextcloud_admin_pass.age; file = ../secrets/nextcloud_admin_pass.age;
@ -55,19 +55,20 @@ in {
dbhost= "localhost:${builtins.toString config.services.postgresql.port}"; dbhost= "localhost:${builtins.toString config.services.postgresql.port}";
dbtype = "pgsql"; dbtype = "pgsql";
}; };
settings = { extraOptions = {
overwriteProtocol = "https"; overwriteProtocol = "https";
defaultPhoneRegion = "DE"; defaultPhoneRegion = "DE";
};
phpOptions = {
"opcache.interned_strings_buffer" = "12";
};
extraOptions = {
filelocking.enabled = true; filelocking.enabled = true;
redis = { redis = {
host = "localhost"; host = "localhost";
port = 6379; port = 6379;
timeout = 0.0; timeout = 0.0;
}; };
};
phpOptions = {
"opcache.interned_strings_buffer" = "12";
}; };
}; };
@ -76,7 +77,7 @@ in {
virtualHosts."${nextcloud_host}" = { virtualHosts."${nextcloud_host}" = {
serverName = nextcloud_host; serverName = nextcloud_host;
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = root_host;
}; };
}; };
} }
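Review bot: The new side moves `overwriteProtocol`/`defaultPhoneRegion` back under `extraOptions` instead of `settings`; `extraOptions` is the pre-24.05 option name, and on the `nixos-unstable` input declared in flake.nix it only evaluates through the renamed-option alias, so this branch builds mainly because its lock pins an older nixpkgs. For a branch named `security_patching`, note that the lock also moves from May 2024 (main, `lastModified` 1714906307) back to January 2024 (`1705856552`), which takes Nextcloud, Synapse, nginx and the hardened kernel back to older package versions; re-run `nix flake update` and keep `settings = { … }` rather than reverting it. The `services.nextcloud` block begins in the preceding hunk and continues outside the view.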


@ -1,12 +0,0 @@
diff --git a/src/util.ts b/src/util.ts
index f09190e..c7bc841 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -353,6 +353,7 @@ export class Util {
if (res && res.users && res.users[userId] !== undefined) {
haveLevel = res.users[userId];
}
+ requiredLevel = 50;
return haveLevel >= requiredLevel;
}


@ -1,10 +1,10 @@
{ config, ... } : { config, ... } :
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
prometheus_host = "prometheus.${domain}"; prometheus_host = "prometheus.${root_host}";
prometheus_port = 9090; # netstat -nlp | grep 9090 prometheus_port = 9090; # netstat -nlp | grep 9090
in { in {
security.acme.certs."${domain}".extraDomainNames = [ prometheus_host]; security.acme.certs."${root_host}".extraDomainNames = [ prometheus_host];
services.prometheus = { services.prometheus = {
enable = true; enable = true;
@ -42,10 +42,10 @@ in {
virtualHosts."${prometheus_host}" = { virtualHosts."${prometheus_host}" = {
serverName = prometheus_host; serverName = prometheus_host;
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = root_host;
locations."/" = { locations."/" = {
# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}"; # proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you! return = "307 https://${root_host}"; # nuh uh, no raw prometheus access for you!
}; };
}; };
}; };


@ -1,130 +0,0 @@
{config, pkgs, ...}: let
inherit (config.networking) domain;
root_email = "contact@${domain}";
ptero_host = "ptero.${domain}";
DATA_DIR = "/var/lib/pterodactylpanel";
panel_user = "pterodactyl";
local_bridge = "ptero-local-br";
ptero_ver = "1.11.5";
ptero_port = "8042";
in {
users.users.${panel_user} = {
isSystemUser = true;
extraGroups = ["docker"];
group = panel_user;
};
users.groups.${panel_user} = {};
age.secrets.ptero_env = {
file = ../secrets/ptero_env.age;
};
systemd.services.init-ptero-data-dir = {
description = "Create the pterodactyl panel data dir";
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script =''
mkdir -p ${DATA_DIR}/database
mkdir -p ${DATA_DIR}/cache
mkdir -p ${DATA_DIR}/panel/var
mkdir -p ${DATA_DIR}/panel/logs
mkdir -p ${DATA_DIR}/panel/nginx
chown ${panel_user}:${panel_user} -R ${DATA_DIR}
chmod +777 -R ${DATA_DIR}
'';
};
virtualisation.oci-containers.backend = "podman";
systemd.services.init-ptero-local-network = {
description = "Create the network bridge ${local_bridge} for ptero.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = let podmancli = "${config.virtualisation.podman.package}/bin/podman";
in ''
check=$(${podmancli} pod ls | grep "ptero" || true)
if [ -z "$check" ]; then
${podmancli} pod create -p "${ptero_port}:80" ptero
else
echo "ptero pod already exists"
fi
'';
};
virtualisation.oci-containers.containers."ptero-mysql" = {
image = "library/mysql:8.0";
workdir = "${DATA_DIR}/database";
extraOptions = [ "--pod=ptero" ];
environment = {
"MYSQL_USER" = "pterodactyl";
"MYSQL_DATABASE" = "panel";
};
environmentFiles = [ config.age.secrets.ptero_env.path ];
volumes = ["${DATA_DIR}/database:/var/lib/mysql" "${DATA_DIR}/database:${DATA_DIR}/database"];
cmd=["--default-authentication-plugin=mysql_native_password"];
};
virtualisation.oci-containers.containers."ptero-cache" = {
image = "redis:alpine";
workdir = "${DATA_DIR}/cache";
volumes = ["${DATA_DIR}/cache:${DATA_DIR}/cache"];
extraOptions = [ "--pod=ptero" ];
};
virtualisation.oci-containers.containers."ptero-panel" = {
image = "ghcr.io/pterodactyl/panel:v${ptero_ver}";
volumes = [
"${DATA_DIR}/panel/var/:/app/var/"
"${DATA_DIR}/panel/logs/:/app/storage/logs"
"${DATA_DIR}/panel/nginx/:/etc/nginx/conf.d/"
];
extraOptions = [ "--pod=ptero" ];
environment = {
"APP_URL" = "https://${ptero_host}";
"APP_TIMEZONE" = "Europe/Berlin";
"APP_SERVICE_AUTHOR" = root_email;
"MAIL_FROM" = "noreply@${domain}";
"MAIL_DRIVER" = "smtp";
"MAIL_HOST" = "mail";
"MAIL_PORT" = "25";
"MAIL_USERNAME" = "";
"MAIL_PASSWORD" = "";
"MAIL_ENCRYPTION" = "true";
"APP_ENV"= "production";
"APP_ENVIRONMENT_ONLY"= "false";
"CACHE_DRIVER" = "redis";
"SESSION_DRIVER" = "redis";
"QUEUE_DRIVER" = "redis";
"REDIS_HOST" = "127.0.0.1";
"DB_HOST" = "127.0.0.1";
"TRUSTED_PROXIES" = "*";
};
labels = {
"traefik.http.routers.pterodactyl_panel.entrypoints"="web";
};
environmentFiles = [ config.age.secrets.ptero_env.path ];
};
security.acme.certs."${domain}".extraDomainNames = [ ptero_host ];
services.nginx = {
enable = true;
virtualHosts."${ptero_host}" = {
serverName = ptero_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${ptero_port}";
};
};
};
environment.systemPackages = with pkgs; [
(writeShellScriptBin "ptero-nix" "${config.virtualisation.podman.package}/bin/podman exec -it ptero-panel php artisan $@")
];
}


@ -1,11 +1,9 @@
{ lib, config, inputs, pkgs, ... }: { lib, config, inputs, pkgs, ... }:
let let
inherit (config.networking) domain; root_host = "grimmauld.de";
puffer_port = 8080; puffer_port = 8080;
puffer_sftp_port = 5657; puffer_sftp_port = 5657;
puffer_host = "puffer.${domain}"; puffer_host = "puffer.${root_host}";
tlemap_host = "tlemap.${domain}";
tlemap_port = 8100;
in { in {
services.pufferpanel = { services.pufferpanel = {
enable = true; enable = true;
@ -22,29 +20,16 @@ in {
virtualHosts."${puffer_host}" = { virtualHosts."${puffer_host}" = {
serverName = puffer_host; serverName = puffer_host;
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = root_host;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}"; proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
}; };
}; };
virtualHosts."${tlemap_host}" = {
serverName = tlemap_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
};
};
}; };
security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ]; security.acme.certs."${root_host}".extraDomainNames = [ puffer_host ];
networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ]; networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 ];
# virtualisation.podman.enable = true; # virtualisation.podman.enable = true;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
environment.systemPackages = with pkgs; [
pufferpanel
(writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
];
} }
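Review bot: With `virtualisation.docker.enable = true;` the trimmed list `networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 ];` understates the host's exposure: Docker installs its own iptables NAT/FORWARD rules for every published container port, and those bypass the NixOS `INPUT`-chain firewall, so any game-server container PufferPanel launches with a published port is reachable regardless of this list. If the intent of the narrower list is to limit exposure, publish container ports on `127.0.0.1` only or revisit the commented-out `virtualisation.podman.enable = true;` alternative, which does not punch through the host firewall the same way. The `services.pufferpanel` block begins in the preceding hunk and is not visible here.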


@ -1,50 +0,0 @@
{config, pkgs, ...}: let
git_user = "Grimmauld";
in {
environment.systemPackages = with pkgs; [
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
(writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
mkpasswd
node2nix
];
programs.git = {
enable = true;
lfs.enable = true;
config = {
init.defaultBranch = "main";
credential.username = git_user;
core.editor = "${pkgs.neovim}/bin/nvim";
user.name = git_user;
user.email = "${git_user}@grimmauld.de";
};
};
programs.tmux = {
enable = true;
historyLimit = 42000;
#keyMode = "vi";
};
programs.neovim = {
enable = true;
viAlias = true;
defaultEditor = true;
configure = {
customRC = ''
set number
set hidden
set nocompatible
'';
packages.myVimPackage = with pkgs.vimPlugins; {
# loaded on launch
start = [ vim-nix vim-scala fugitive autoclose-nvim ];
# manually loadable by calling `:packadd $plugin-name`
opt = [ ];
};
};
};
programs.xonsh.enable = true;
}


@ -1,15 +0,0 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg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--- suzKNMEdOeEQQnOg6BIVnTTGqCg7b0+eAiVS6PR8W2c
´êõG"ÎÇu¿ívʪ¦¡ÚH"ÅtH aËÅz#¶0.é<>âɳ:žIå¾_†DU‡7xª¼MÌ@‰¹#ÆP£¢µ9ªz5¿”;Çš-<2D>êk“jhHâªáy[cü PÖ¯õî७Axî°¾áÐJàâ¸,í =í^%Ùá}éŽn\s½{« qÎ~AgxÛ6Š©ÿpÊfwæ8ÇÝ"yê³Ô²Ý¦ñ|=Ȅ륷T4Ï<>TxÀ]<5D>—©|>¬*Õ‚ä



@ -13,6 +13,4 @@ in
"matrix_admin_pass.age".publicKeys = [ contabo_nix_pub ]; "matrix_admin_pass.age".publicKeys = [ contabo_nix_pub ];
"matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub ]; "matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub ];
"matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub ]; "matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub ];
"matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub ];
"ptero_env.age".publicKeys = [ contabo_nix_pub ];
} }