Compare commits

..

31 Commits

Author SHA1 Message Date
7a7818c0c7
move packages to modules 2024-05-08 21:13:13 +02:00
2435182a68 domain config 2024-05-08 20:45:41 +02:00
d136aa65c5 misc updates 2024-05-08 20:23:42 +02:00
d378dc39d9 switch to t2bot fork for bridge, fix some misc 2024-02-11 18:54:14 +01:00
981abe57ec attempt more debugging 2024-02-03 11:51:15 +01:00
c3a7c463fe cli utils to interact with artisan 2024-01-30 22:09:45 +01:00
24b26bf4a3 secure database 2024-01-30 22:00:49 +01:00
30bdaa6e9f ITS ALIVE 2024-01-30 21:30:49 +01:00
4c950c9577 ptero docker with borked networking 2024-01-30 18:43:58 +01:00
6c537bb664 add bluemap reverse proxy for tle 2024-01-28 23:17:54 +01:00
7a42b92bd9 minor cleanup 2024-01-28 10:56:20 +01:00
f9bc07c8ff f@h, some misc fixes because updates 2024-01-28 09:34:03 +00:00
848b0f3d5c bodge permission check so simple mod can link bridge :P 2024-01-26 16:05:16 +00:00
4e26f2df34 minor cleanup 2024-01-26 12:50:59 +00:00
08a9547c0b add bridge bot, (temporarily) disable mjolnir as it refused to work 2024-01-26 12:45:18 +00:00
2f4e82c131 some misc patches 2024-01-26 09:14:45 +00:00
74ff3d0d23 add second mjolnir instance for tle 2024-01-01 08:58:03 +00:00
76988d47bb add mjolnir 2023-12-31 18:06:33 +00:00
8137ef1b86 optimize nextcloud, move it to postgres 2023-12-31 11:21:05 +00:00
ebd3e49554 some cleanup 2023-12-31 08:57:22 +00:00
596b60652a add mastodon 2023-12-30 15:02:18 +00:00
bea40ce69b add nextcloud 2023-12-30 12:48:12 +00:00
ba7db4a16f add postgres to prometheus 2023-12-30 12:13:20 +00:00
e5c120fee0 fix prometheus data sources 2023-12-30 12:09:30 +00:00
6eac33cc22 rudimentary grafana addition. Missing data sources, no clue how to get those. 2023-12-30 10:01:06 +00:00
d34dee84bd move modules to seperate folder 2023-12-29 11:51:41 +00:00
477bf5bf90 add fail2ban, so far only banning ssh connections 2023-12-29 11:47:44 +00:00
29b14ef74e redirect browsers to main page if connecting to mail server vhost 2023-12-29 09:41:29 +00:00
798e10bb07 add simple mail server, and it actually works! 2023-12-29 09:23:10 +00:00
fe65d25c31 update flake 2023-12-28 15:06:24 +00:00
077449e853 split config into different modules. Hope i didn't break anything :) 2023-12-28 14:32:47 +00:00
35 changed files with 1213 additions and 263 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
result

View File

@ -2,4 +2,6 @@
# todo: use post-quantum keys for ssh (not possible yet, yikes)
[
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
]

View File

@ -1,131 +1,28 @@
{ lib, config, inputs, pkgs, ... }:
let
root_host = "grimmauld.de";
# git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
root_email = (builtins.elemAt (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt)) 0);
puffer_port = 8080;
puffer_sftp_port = 5657;
puffer_host = "puffer.${root_host}";
gitea_host = "git.${root_host}";
gitea_port = 8081;
matrix_host = "matrix.${root_host}";
inherit (config.networking) domain;
in {
imports = [
./hardware-configuration.nix
];
services.postgresql = {
enable = true;
# CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
ensureDatabases = [ "synapse" ];
package = pkgs.postgresql_15;
ensureUsers = [
{
name = "synapse";
ensureDBOwnership = true;
}
];
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host synapse matrix-synapse ::1/128 md5
host all all ::1/128 md5
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map matrix-synapse synapse
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
boot.kernelPackages = pkgs.linuxPackages_latest;
services.logrotate.checkConfig = false; # needed or this explodes
systemd.services.postgresql.postStart = let
password_file_path = config.age.secrets.synapse_db_pass.path;
in ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
services.matrix-synapse-next = {
enable = true;
workers.federationSenders = 1;
workers.federationReceivers = 1;
workers.initialSyncers = 1;
workers.normalSyncers = 1;
workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true;
enableNginx = true;
enableSlidingSync = false;
settings = {
server_name = root_host;
public_baseurl = "https://${root_host}";
enable_registration = false;
enable_registration_without_verification = true;
# registrations_require_3pid = [ "email" ];
database = {
name = "psycopg2";
args = {
host = "localhost";
port = 5432;
dbname = "synapse";
user = "synapse";
cp_min = 5;
cp_max = 10;
client_encoding = "auto";
passfile = config.age.secrets.synapse_db_pass_prepared.path;
};
};
};
};
services.redis.servers."".enable = true;
services.gitea = {
enable = true;
settings = {
service.DISABLE_REGISTRATION = true;
server = {
HTTP_PORT = gitea_port;
ROOT_URL = "https://${gitea_host}/";
DISABLE_SSH = true;
};
# log.LEVEL = "Debug";
};
lfs.enable = true;
};
age.secrets = {
synapse_db_pass = {
file = ./secrets/synapse_db_pass.age;
owner = "postgres";
group = "postgres";
};
synapse_db_pass_prepared = {
file = ./secrets/synapse_db_pass_prepared.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0600";
};
i18n.extraLocaleSettings = {
LC_ADDRESS = "de_DE.UTF-8";
LC_IDENTIFICATION = "de_DE.UTF-8";
LC_MEASUREMENT = "de_DE.UTF-8";
LC_MONETARY = "de_DE.UTF-8";
LC_NAME = "de_DE.UTF-8";
LC_NUMERIC = "de_DE.UTF-8";
LC_PAPER = "de_DE.UTF-8";
LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
users.users.grimmauld = {
@ -134,7 +31,6 @@ host replication all ::1/128 md5
extraGroups = [ "wheel" "docker" ];
shell = pkgs.xonsh;
packages = with pkgs; [
hyfetch
];
openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
};
@ -142,160 +38,57 @@ host replication all ::1/128 md5
programs.xonsh.enable = true;
environment.systemPackages = with pkgs; [
wget
hyfetch
vulnix #
tree
vim
git
file
git-lfs
util-linux
btop
cached-nix-shell
cloud-utils
parted
visualvm
linuxPackages.perf
lshw
pciutils
gitea
# ffmpeg-full
pufferpanel
(writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
pypy3
];
security.acme = {
acceptTerms = true;
defaults.email = root_email;
certs."${root_host}" = {
webroot = "/var/lib/acme/acme-challenge/";
extraDomainNames = [ puffer_host gitea_host];
};
};
environment.sessionVariables = {
NIXPKGS_ALLOW_UNFREE="1";
OMP_NUM_THREADS = "4";
OMP_NUM_THREADS = "8";
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 8448 8008 ];
allowPing = true;
allowedUDPPortRanges = [
# { from = 4000; to = 4007; }
];
allowedUDPPortRanges = [];
};
services.pufferpanel = {
enable = true;
environment = {
PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
};
extraPackages = with pkgs; [ jdk17_headless ];
extraGroups = [ "podman" "docker" ];
};
virtualisation.podman.enable = true;
virtualisation.docker.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.hostName = "grimmauld-nixos-server";
networking.domain = "grimmauld.de";
services.openssh.enable = true;
system.stateVersion = "23.11";
services.nginx.package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
services.nginx = {
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."${root_host}" = {
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies
useACMEHost = root_host;
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
useACMEHost = domain;
locations."/" = {
root = "/var/www/grimmauld.duckdns.org";
};
locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
add_header Accept-Ranges bytes;'';
};
locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
default_type application/json;
'';
};
locations."/_matrix" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
add_header X-debug-backend $synapse_backend;
add_header X-debug-group $synapse_uri_group;
client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
proxy_read_timeout 10m;
'';
};
locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
proxy_read_timeout 1h;
'';
};
locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
proxyPass = "http://synapse_worker_initial_sync";
extraConfig = ''
proxy_read_timeout 1h;
'';
};
locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
proxyPass = "http://synapse_worker_initial_sync";
extraConfig = ''
proxy_read_timeout 1h;
'';
};
locations."/_synapse/client" = {
proxyPass = "http://$synapse_backend";
};
locations."/.well-known/matrix" = {
proxyPass = "http://$synapse_backend";
};
};
virtualHosts."${puffer_host}" = {
serverName = puffer_host;
forceSSL = true;
useACMEHost = root_host;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
};
};
virtualHosts."${gitea_host}" = {
serverName = gitea_host;
forceSSL = true;
useACMEHost = root_host;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString gitea_port}";
root = "/var/www/${domain}";
};
};
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "unstable";
nixpkgs.config.allowUnfree = true;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "grimmauld-nixos-server";
networking.domain = "";
services.openssh.enable = true;
# users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
}

View File

@ -8,11 +8,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1703433843,
"narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
"lastModified": 1715101957,
"narHash": "sha256-fs5uVQFTfgb4L9pnhldeyTHNcYwn1U4nKYoCBJ6W3W4=",
"owner": "ryantm",
"repo": "agenix",
"rev": "417caa847f9383e111d1397039c9d4337d024bf0",
"rev": "07479c2e7396acaaaac5925483498154034ea80a",
"type": "github"
},
"original": {
@ -21,6 +21,22 @@
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@ -43,6 +59,22 @@
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -64,16 +96,40 @@
"type": "github"
}
},
"nixos-matrix-modules": {
"nixos-mailserver": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"nixpkgs-23_05": "nixpkgs-23_05",
"nixpkgs-23_11": "nixpkgs-23_11",
"utils": "utils"
},
"locked": {
"lastModified": 1701507532,
"narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
"lastModified": 1706872533,
"narHash": "sha256-IeIIhd18Tp1oNipwxmRKnLr4dFxl6VUHWykQ1uVYIWE=",
"ref": "Grimmauld-master-patch-84178",
"rev": "bcd01ccb19e29ce8046962cb22ecfaa78bf1bfdd",
"revCount": 577,
"type": "git",
"url": "https://gitlab.com/Grimmauld/nixos-mailserver"
},
"original": {
"ref": "Grimmauld-master-patch-84178",
"type": "git",
"url": "https://gitlab.com/Grimmauld/nixos-mailserver"
}
},
"nixos-matrix-modules": {
"inputs": {
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1710311999,
"narHash": "sha256-s0pT1NyrMgeolUojXXcnXQDymN7m80GTF7itCv0ZH20=",
"ref": "refs/heads/master",
"rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
"revCount": 56,
"rev": "6c9b67974b839740e2a738958512c7a704481157",
"revCount": 63,
"submodules": true,
"type": "git",
"url": "https://github.com/dali99/nixos-matrix-modules"
@ -100,28 +156,89 @@
"type": "github"
}
},
"nixpkgs-lib": {
"nixpkgs-23_05": {
"locked": {
"lastModified": 1673743903,
"narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
"lastModified": 1704290814,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-23_11": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1714971268,
"narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1703255338,
"narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
"lastModified": 1705856552,
"narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
"rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1714906307,
"narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588",
"type": "github"
},
"original": {
@ -134,8 +251,10 @@
"root": {
"inputs": {
"agenix": "agenix",
"nixos-mailserver": "nixos-mailserver",
"nixos-matrix-modules": "nixos-matrix-modules",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_4",
"nixpkgs-stable": "nixpkgs-stable"
}
},
"systems": {
@ -152,6 +271,21 @@
"repo": "default",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

View File

@ -7,21 +7,44 @@
nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
};
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
nixos-matrix-modules = {
url = "git+https://github.com/dali99/nixos-matrix-modules?submodules=1";
flake = true;
};
nixos-mailserver = {
# url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver";
url = "git+https://gitlab.com/Grimmauld/nixos-mailserver?ref=Grimmauld-master-patch-84178";
flake = true;
};
};
outputs = { nixos-matrix-modules, self, nixpkgs, agenix }: let
outputs = { nixos-mailserver, nixos-matrix-modules, self, nixpkgs-stable, nixpkgs, agenix, ... } @ inputs: let
system = "x86_64-linux";
stable = import nixpkgs-stable { inherit system; config.allowUnfree = true; };
in {
nixosConfigurations = {
grimmauld-nixos-server = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs stable; };
modules = [
./configuration.nix
./modules/matrix.nix
./modules/puffer.nix
./modules/gitea.nix
./modules/grafana.nix
./modules/nextcloud.nix
./modules/prometheus.nix
./modules/letsencrypt.nix
# ./modules/mjolnir.nix
./modules/fail2ban.nix
./modules/email.nix
./modules/discord-matrix-bridge.nix
./modules/mastodon.nix
./modules/toolchains.nix
# ./modules/ptero.nix
agenix.nixosModules.default
nixos-mailserver.nixosModules.default
nixos-matrix-modules.nixosModules.default
{ environment.systemPackages = [ agenix.packages.${system}.default ]; }
];

View File

@ -0,0 +1,43 @@
{ config, lib, pkgs, ...}: let
bridge_port = 9005; # netstat -nlp | grep 9005
in {
nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "t2bot";
repo = "matrix-appservice-discord";
rev = "8361ca6121bf1f0902154baa538cb6d5766e477f";
hash = "sha256-oXon6pFJgqQ1uBLtsSVNH7XSOpxxJYqpW2n9cFrs3sU=";
};
patches = (let oldPatches = old.patches or []; in if oldPatches == null then [] else oldPatches) ++ [ ./patch_bridge_perms.patch ];
doCheck = false;
});})
];
age.secrets.matrix_discord_bridge_token.file = ../secrets/matrix_discord_bridge_token.age;
services.matrix-synapse-next.settings.app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" ];
services.matrix-appservice-discord = {
enable = true;
settings = {
auth = {
usePrivilegedIntents = true; # typing status and stuff
};
bridge = {
enableSelfServiceBridging = true;
inherit (config.networking) domain;
homeserverUrl = "https://${config.networking.domain}";
disablePresence = true;
disableTypingNotifications = true;
};
# logging.console = "silly";
};
serviceDependencies = ["matrix-synapse.target"];
port = bridge_port;
localpart = "_discord_";
package = pkgs.matrix-appservice-discord;
environmentFile = config.age.secrets.matrix_discord_bridge_token.path;
};
}

47
modules/email.nix Normal file
View File

@ -0,0 +1,47 @@
{ config, ... }:
let
inherit (config.networking) domain;
mail_host = "mail.${domain}";
in {
security.acme.certs."${domain}".extraDomainNames = [ mail_host ];
# services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason
mailserver = {
enable = true;
fqdn = mail_host;
domains = [ domain ];
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"contact@${domain}" = {
hashedPasswordFile = ./mailpass/contact;
aliases = ["kontakt@${domain}"];
};
"admin@${domain}" = {
hashedPasswordFile = ./mailpass/admin;
};
"grimmauld@${domain}" = {
hashedPasswordFile = ./mailpass/grimmauld;
};
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "manual";
certificateFile = "/var/lib/acme/${domain}/fullchain.pem";
keyFile = "/var/lib/acme/${domain}/key.pem";
};
services.nginx = {
enable = true;
virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P
serverName = mail_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
return = "307 https://${domain}";
};
};
};
}

19
modules/fail2ban.nix Normal file
View File

@ -0,0 +1,19 @@
{ ... }: {
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
# Whitelist some subnets
"10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
"matrix.org"
"app.element.io" # don't ratelimit matrix users
];
bantime = "1h"; # Ban IPs for 1h at first.
bantime-increment = {
enable = true; # Enable increment of bantime after each violation
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations
};
};
}

50
modules/gitea.nix Normal file
View File

@ -0,0 +1,50 @@
{ lib, config, inputs, pkgs, ... }:
let
inherit (config.networking) domain;
gitea_host = "git.${domain}";
gitea_port = 8081;
gitea_ssh_port = 2222;
in {
services.gitea = {
enable = true;
settings = {
service.DISABLE_REGISTRATION = true;
server = {
HTTP_PORT = gitea_port;
ROOT_URL = "https://${gitea_host}/";
DISABLE_SSH = false;
SSH_DOMAIN = domain;
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
SSH_PORT = gitea_ssh_port;
# SSH_LISTEN_HOST="::"; # fixme?
# SSH_AUTHORIZED_PRINCIPALS_ALLOW="username";
};
# log.LEVEL = "Debug";
"ssh.minimum_key_sizes".RSA = 2048;
"git.timeout".MIGRATE = 6000;
};
lfs.enable = true;
};
environment.systemPackages = with pkgs; [
gitea
];
security.acme.certs."${domain}".extraDomainNames = [ gitea_host];
networking.firewall.allowedTCPPorts = [ gitea_ssh_port ];
services.nginx = {
enable = true;
virtualHosts."${gitea_host}" = {
serverName = gitea_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}";
};
};
};
}

43
modules/grafana.nix Normal file
View File

@ -0,0 +1,43 @@
{ config, ... }:
let
inherit (config.networking) domain;
grafana_host = "grafana.${domain}";
grafana_port = 8082;
in {
age.secrets.grafana_admin_pass = {
file = ../secrets/grafana_admin_pass.age;
owner = "grafana";
group = "grafana";
mode = "0600";
};
security.acme.certs."${domain}".extraDomainNames = [ grafana_host ];
services.grafana = {
enable = true;
settings = {
security = {
admin_user = "admin";
admin_email = "admin@${domain}";
admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
};
server = {
domain = grafana_host;
root_url = "https://${grafana_host}";
http_port = grafana_port;
};
};
};
services.nginx = {
enable = true;
virtualHosts."${grafana_host}" = {
serverName = grafana_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
};
};
}

15
modules/letsencrypt.nix Normal file
View File

@ -0,0 +1,15 @@
{ lib, config, inputs, pkgs, ... }:
let
inherit (config.networking) domain;
root_email = "contact@${domain}";
in {
security.acme = {
acceptTerms = true;
defaults.email = root_email;
certs."${domain}" = {
webroot = "/var/lib/acme/acme-challenge/";
};
};
users.users.nginx.extraGroups = [ "acme" ];
}

1
modules/mailpass/admin Normal file
View File

@ -0,0 +1 @@
$2b$05$9E2phVa/06fZW3daV3CeYuLTCLcBBDY7xF5TOpeHdCBGU5yNemBgy

1
modules/mailpass/contact Normal file
View File

@ -0,0 +1 @@
$2b$05$WsEwEXHa3kzDdMJdluirn.ExpK5BGJENEf3iH2AAjW6IFUPSpBWVa

View File

@ -0,0 +1 @@
$2b$05$nmY9QnYyOhhhXn3OOalxkeWWLZtlaxD2vGwr0f6gtHNUz5EfZXvsa

17
modules/mastodon.nix Normal file
View File

@ -0,0 +1,17 @@
{ config, ... } :
let
inherit (config.networking) domain;
mastodon_host = "mastodon.${domain}";
in {
security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ];
services.mastodon = {
enable = true;
localDomain = mastodon_host;
streamingProcesses = 7;
configureNginx = true;
smtp = {
fromAddress = "noreply@${domain}";
};
extraConfig.SINGLE_USER_MODE = "true";
};
}

175
modules/matrix.nix Normal file
View File

@ -0,0 +1,175 @@
{ lib, config, inputs, pkgs, ... }:
let
inherit (config.networking) domain;
matrix_host = "matrix.${domain}";
in {
services.postgresql = {
enable = true;
# CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
ensureDatabases = [ "synapse" ];
package = pkgs.postgresql_15;
ensureUsers = [
{
name = "synapse";
ensureDBOwnership = true;
}
];
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host synapse matrix-synapse ::1/128 md5
host nextcloud nextcloud ::1/128 md5
host all all ::1/128 md5
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map matrix-synapse synapse
superuser_map nextcloud nextcloud
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
systemd.services.postgresql.postStart = let
password_file_path = config.age.secrets.synapse_db_pass.path;
in ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
services.matrix-synapse-next = {
enable = true;
workers.federationSenders = 1;
workers.federationReceivers = 1;
workers.initialSyncers = 1;
workers.normalSyncers = 1;
workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true;
mainLogConfig = ./matrix_synapse_log_config.yaml;
enableNginx = true;
enableSlidingSync = false;
settings = {
suppress_key_server_warning = true;
server_name = domain;
public_baseurl = "https://${domain}";
enable_registration = true;
registration_requires_token = true;
registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
# enable_registration_without_verification = true;
# mainLogConfig = ./matrix_synapse_log_config.yaml;
# registrations_require_3pid = [ "email" ];
database = {
name = "psycopg2";
args = {
host = "localhost";
port = 5432;
dbname = "synapse";
user = "synapse";
cp_min = 5;
cp_max = 10;
client_encoding = "auto";
passfile = config.age.secrets.synapse_db_pass_prepared.path;
};
};
};
};
services.redis.servers."".enable = true;
age.secrets.synapse_db_pass = {
file = ../secrets/synapse_db_pass.age;
owner = "postgres";
group = "postgres";
};
age.secrets.synapse_db_pass_prepared = {
file = ../secrets/synapse_db_pass_prepared.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0600";
};
age.secrets.synapse_registration_shared_secret = {
file = ../secrets/synapse_registration_shared_secret.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0600";
};
environment.systemPackages = with pkgs; [
matrix-synapse-tools.synadm
matrix-synapse
];
services.nginx = {
enable = true;
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies
useACMEHost = domain;
locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
add_header Accept-Ranges bytes;'';
};
locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
default_type application/json;
'';
};
locations."/_matrix" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
add_header X-debug-backend $synapse_backend;
add_header X-debug-group $synapse_uri_group;
client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
proxy_read_timeout 10m;
'';
};
locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
proxy_read_timeout 1h;
'';
};
locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
proxyPass = "http://synapse_worker_initial_sync";
extraConfig = ''
proxy_read_timeout 1h;
'';
};
locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
proxyPass = "http://synapse_worker_initial_sync";
extraConfig = ''
proxy_read_timeout 1h;
'';
};
locations."/_synapse/client" = {
proxyPass = "http://$synapse_backend";
};
locations."/.well-known/matrix" = {
proxyPass = "http://$synapse_backend";
};
};
};
# networking.firewall.allowedTCPPorts = [ 8448 8008 ];
}

View File

@ -0,0 +1,25 @@
version: 1
# In systemd's journal, loglevel is implicitly stored, so let's omit it
# from the message text.
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARNING
handlers: [journal]
disable_existing_loggers: False

69
modules/mjolnir.nix Normal file
View File

@ -0,0 +1,69 @@
{ config, ... } :
let
in {
age.secrets = {
matrix_mjolnir_pass = {
file = ../secrets/matrix_mjolnir_pass.age;
owner = "mjolnir";
group = "mjolnir";
mode = "0600";
};
matrix_mjolnir_tle_pass = {
file = ../secrets/matrix_mjolnir_tle_pass.age;
owner = "mjolnir";
group = "mjolnir";
mode = "0777"; # not ideal, but containers are weird
};
};
# global mjolnir
services.mjolnir = {
enable = true;
homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl;
protectedRooms = [
"https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de"
];
managementRoom = "!kgfXXqEYHGgToIwhMP:grimmauld.de";
pantalaimon = {
enable = true;
username = "mjolnir";
options = {
homeserver = config.services.matrix-synapse-next.settings.public_baseurl;
};
passwordFile = config.age.secrets.matrix_mjolnir_pass.path;
};
};
services.logrotate.checkConfig = false; # needed or this explodes
containers.mjolnirtle = let
baseurl = config.services.matrix-synapse-next.settings.public_baseurl;
pass_file = config.age.secrets.matrix_mjolnir_tle_pass.path;
in {
privateNetwork = false; # don't want nat
autoStart = true;
bindMounts."${pass_file}".isReadOnly = true;
config = { config, ... }: {
system.stateVersion = "unstable";
# tle mjolnir
services.logrotate.checkConfig = false;
services.mjolnir = {
enable = true;
homeserverUrl = baseurl;
protectedRooms = [
"https://matrix.to/#/!BgDBnHgMgilMMnPMyp:grimmauld.de"
];
managementRoom = "!NQedmlMeoQErGgAwxm:grimmauld.de";
pantalaimon = {
enable = true;
username = "mjolnir_tle";
options = {
homeserver = baseurl;
};
passwordFile = pass_file;
};
};
};
};
}

82
modules/nextcloud.nix Normal file
View File

@ -0,0 +1,82 @@
{ lib, pkgs, config, ...} :
let
inherit (config.networking) domain;
nextcloud_host = "cloud.${domain}";
nextcloud_port = 8083;
in {
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
};
security.acme.certs."${domain}".extraDomainNames = [ nextcloud_host ];
age.secrets = {
nextcloud_admin_pass = {
file = ../secrets/nextcloud_admin_pass.age;
owner = "nextcloud";
group = "nextcloud";
mode = "0600";
};
};
services.redis.servers.nextcloud = {
enable = true;
bind = "::1";
port = 6379;
};
systemd.services.nextcloud-setup.serviceConfig.ExecStartPost = pkgs.writeScript "nextcloud-redis.sh" ''
#!${pkgs.runtimeShell}
nextcloud-occ config:system:set redis 'host' --value '::1' --type string
nextcloud-occ config:system:set redis 'port' --value 6379 --type integer
nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string
nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string
'';
services.nextcloud = {
enable = true;
https = true;
hostName = nextcloud_host;
package = pkgs.nextcloud28;
caching.redis = true;
# extraApps = with config.services.nextcloud.package.packages.apps; [
# news contacts calendar tasks;
# ];
config = {
adminpassFile = config.age.secrets.nextcloud_admin_pass.path;
dbuser = "nextcloud";
dbhost= "localhost:${builtins.toString config.services.postgresql.port}";
dbtype = "pgsql";
};
settings = {
overwriteProtocol = "https";
defaultPhoneRegion = "DE";
filelocking.enabled = true;
redis = {
host = "localhost";
port = 6379;
timeout = 0.0;
};
};
phpOptions = {
"opcache.interned_strings_buffer" = "12";
};
};
services.nginx = {
enable = true;
virtualHosts."${nextcloud_host}" = {
serverName = nextcloud_host;
forceSSL = true;
useACMEHost = domain;
};
};
}

View File

@ -0,0 +1,12 @@
diff --git a/src/util.ts b/src/util.ts
index f09190e..c7bc841 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -353,6 +353,7 @@ export class Util {
if (res && res.users && res.users[userId] !== undefined) {
haveLevel = res.users[userId];
}
+ requiredLevel = 50;
return haveLevel >= requiredLevel;
}

52
modules/prometheus.nix Normal file
View File

@ -0,0 +1,52 @@
{ config, ... } :
let
inherit (config.networking) domain;
prometheus_host = "prometheus.${domain}";
prometheus_port = 9090; # netstat -nlp | grep 9090
in {
security.acme.certs."${domain}".extraDomainNames = [ prometheus_host];
services.prometheus = {
enable = true;
port = prometheus_port;
globalConfig.scrape_interval = "15s";
scrapeConfigs = [
{
job_name = "chrysalis";
static_configs = [{
targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
"127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"
"127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}"
];
}];
}
];
exporters = {
nginx.enable = true;
redis.enable = true;
domain.enable = true;
postgres.enable = true;
nginxlog.enable = true;
jitsi.enable = true;
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
services.nginx = {
enable = true;
virtualHosts."${prometheus_host}" = {
serverName = prometheus_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you!
};
};
};
}

130
modules/ptero.nix Normal file
View File

@ -0,0 +1,130 @@
{config, pkgs, ...}: let
inherit (config.networking) domain;
root_email = "contact@${domain}";
ptero_host = "ptero.${domain}";
DATA_DIR = "/var/lib/pterodactylpanel";
panel_user = "pterodactyl";
local_bridge = "ptero-local-br";
ptero_ver = "1.11.5";
ptero_port = "8042";
in {
users.users.${panel_user} = {
isSystemUser = true;
extraGroups = ["docker"];
group = panel_user;
};
users.groups.${panel_user} = {};
age.secrets.ptero_env = {
file = ../secrets/ptero_env.age;
};
systemd.services.init-ptero-data-dir = {
description = "Create the pterodactyl panel data dir";
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script =''
mkdir -p ${DATA_DIR}/database
mkdir -p ${DATA_DIR}/cache
mkdir -p ${DATA_DIR}/panel/var
mkdir -p ${DATA_DIR}/panel/logs
mkdir -p ${DATA_DIR}/panel/nginx
chown ${panel_user}:${panel_user} -R ${DATA_DIR}
chmod +777 -R ${DATA_DIR}
'';
};
virtualisation.oci-containers.backend = "podman";
systemd.services.init-ptero-local-network = {
description = "Create the network bridge ${local_bridge} for ptero.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = let podmancli = "${config.virtualisation.podman.package}/bin/podman";
in ''
check=$(${podmancli} pod ls | grep "ptero" || true)
if [ -z "$check" ]; then
${podmancli} pod create -p "${ptero_port}:80" ptero
else
echo "ptero pod already exists"
fi
'';
};
virtualisation.oci-containers.containers."ptero-mysql" = {
image = "library/mysql:8.0";
workdir = "${DATA_DIR}/database";
extraOptions = [ "--pod=ptero" ];
environment = {
"MYSQL_USER" = "pterodactyl";
"MYSQL_DATABASE" = "panel";
};
environmentFiles = [ config.age.secrets.ptero_env.path ];
volumes = ["${DATA_DIR}/database:/var/lib/mysql" "${DATA_DIR}/database:${DATA_DIR}/database"];
cmd=["--default-authentication-plugin=mysql_native_password"];
};
virtualisation.oci-containers.containers."ptero-cache" = {
image = "redis:alpine";
workdir = "${DATA_DIR}/cache";
volumes = ["${DATA_DIR}/cache:${DATA_DIR}/cache"];
extraOptions = [ "--pod=ptero" ];
};
virtualisation.oci-containers.containers."ptero-panel" = {
image = "ghcr.io/pterodactyl/panel:v${ptero_ver}";
volumes = [
"${DATA_DIR}/panel/var/:/app/var/"
"${DATA_DIR}/panel/logs/:/app/storage/logs"
"${DATA_DIR}/panel/nginx/:/etc/nginx/conf.d/"
];
extraOptions = [ "--pod=ptero" ];
environment = {
"APP_URL" = "https://${ptero_host}";
"APP_TIMEZONE" = "Europe/Berlin";
"APP_SERVICE_AUTHOR" = root_email;
"MAIL_FROM" = "noreply@${domain}";
"MAIL_DRIVER" = "smtp";
"MAIL_HOST" = "mail";
"MAIL_PORT" = "25";
"MAIL_USERNAME" = "";
"MAIL_PASSWORD" = "";
"MAIL_ENCRYPTION" = "true";
"APP_ENV"= "production";
"APP_ENVIRONMENT_ONLY"= "false";
"CACHE_DRIVER" = "redis";
"SESSION_DRIVER" = "redis";
"QUEUE_DRIVER" = "redis";
"REDIS_HOST" = "127.0.0.1";
"DB_HOST" = "127.0.0.1";
"TRUSTED_PROXIES" = "*";
};
labels = {
"traefik.http.routers.pterodactyl_panel.entrypoints"="web";
};
environmentFiles = [ config.age.secrets.ptero_env.path ];
};
security.acme.certs."${domain}".extraDomainNames = [ ptero_host ];
services.nginx = {
enable = true;
virtualHosts."${ptero_host}" = {
serverName = ptero_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${ptero_port}";
};
};
};
environment.systemPackages = with pkgs; [
(writeShellScriptBin "ptero-nix" "${config.virtualisation.podman.package}/bin/podman exec -it ptero-panel php artisan $@")
];
}

50
modules/puffer.nix Normal file
View File

@ -0,0 +1,50 @@
{ lib, config, inputs, pkgs, ... }:
let
inherit (config.networking) domain;
puffer_port = 8080;
puffer_sftp_port = 5657;
puffer_host = "puffer.${domain}";
tlemap_host = "tlemap.${domain}";
tlemap_port = 8100;
in {
services.pufferpanel = {
enable = true;
environment = {
PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
};
extraPackages = with pkgs; [];
extraGroups = [ "docker" ];
};
services.nginx = {
enable = true;
virtualHosts."${puffer_host}" = {
serverName = puffer_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
};
};
virtualHosts."${tlemap_host}" = {
serverName = tlemap_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
};
};
};
security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ];
networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ];
# virtualisation.podman.enable = true;
virtualisation.docker.enable = true;
environment.systemPackages = with pkgs; [
pufferpanel
(writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
];
}

50
modules/toolchains.nix Normal file
View File

@ -0,0 +1,50 @@
{config, pkgs, ...}: let
git_user = "Grimmauld";
in {
environment.systemPackages = with pkgs; [
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
(writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
mkpasswd
node2nix
];
programs.git = {
enable = true;
lfs.enable = true;
config = {
init.defaultBranch = "main";
credential.username = git_user;
core.editor = "${pkgs.neovim}/bin/nvim";
user.name = git_user;
user.email = "${git_user}@grimmauld.de";
};
};
programs.tmux = {
enable = true;
historyLimit = 42000;
#keyMode = "vi";
};
programs.neovim = {
enable = true;
viAlias = true;
defaultEditor = true;
configure = {
customRC = ''
set number
set hidden
set nocompatible
'';
packages.myVimPackage = with pkgs.vimPlugins; {
# loaded on launch
start = [ vim-nix vim-scala fugitive autoclose-nvim ];
# manually loadable by calling `:packadd $plugin-name`
opt = [ ];
};
};
};
programs.xonsh.enable = true;
}

1
result
View File

@ -1 +0,0 @@
/nix/store/wf6nyixk6236i1h6ws7yn3lnq7plhyd8-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc

View File

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
ieBCGzdQNeFiy2vjh2SbQz2jM9SFsqESvydY3ok681KYIBZKhw0FkQQPADCJElnM
L0XxLSXkOB2l3hhie5i+O3iSHKlXAwPvbfxUcsZmDgV9F9MJtdqrDWrp8qpnIzau
qsecyM28o37laD0hr+Zt6nG8QWPDmSBnNfVfdflYUkMQCPaNHrMa0+XQqABAJ7mi
PssjYLHkVJzPTi4p0bYkewkBS45gsp7j6DlF2Gg5Ce+l2FxB+RWc5Pl8mp76IntR
Vxm8gaGXG667IjwFqfxhsIbygyIZ2SX38GUJbtn3Is0aSOQCZtSkdLTkrjFtB+LP
FUfvvqkPKC5ttQm6lkODrMo3Ai0VfT6kCo/F52A0T5mkrF5jVCQdeqo92zBPWI6S
Um93uNLFmQ+OIDNnSVZKO0znpw6Vq9N7Q7LUPG1etRasnH5agMzBVlAeotbvD9Y/
Y6jLOB7aTruX4Snw83WF8J4jjzr6MYG71wQ/0aGOA5EfS/njrWRT6PSgVERny/WW
h/TaVV+Zw7vm7kw4cxSmnwcnvpst2W4Xg2hulj2MPO0OXlXPvIuIg68Olcctclox
HR2BKjDDQ+9jScu0cQcYIsnXuJ5JillpETtYI5Z4AGmKLj0rqXxrZDmjr0WKE5AE
qlbOw6/Jpn5vtmS4qEuSnbK11vhm4EWN/tv0Zz7KShM
--- yNCRCxrMUj+Kx54kwJ0Tq3X/QmxRi3eUcDCIkAtnrk8
~‰E~ß}IÝR9•<39>â*·\™frèÿyÅUw¤BÔ 1<>!¨ÝÞã÷ðtez“yxX¾W<øs!ëÛ

View File

@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
Y34uAa+VEd/xy3iIs0rDEpF9iBQVpU//AQcTpP/lo1idGdUbVS2KeqkWZiGFfiOL
PZNBZ9TkQhqKvw4dD7xdVNZoO9R2O9KApMIAtf4XRN+YvNA6l9dnpu/UDLFzh2F0
NJY4TXRXJPRB3k5ngbCvYv2anQ6yMi7cpHZNEIgM/LdKGJ/56YHXQAxtOe4o+0Mz
Q1FQOsEFGa2Kb5f5D9wdjfZvDkoUzG9W2Cao2GAKdtJQx0yAP3T4uEt+22nYo5OB
mOuKJ0qNwfoSk0ErC+dYlkgknG6W4QsxA/G7ZMzFq/E70yNzAOAViXPMRSnJYpr2
p2C8nhQ3lhlS2bFu46Jgi4NTj9FvnABVH+QiwL3P+WtqCMGy+LRfHDMJ1i14M35/
6cTaeSw1d4UiZekxgCsHXrT4BipC70pH+9vZYGTVzP3SxfkbilwhQJvpREnNZq1o
e2vfMHod3syDvZfYEILayODY+WwuqVp4O6NIOoPNygKwdoN+DiYKs7vhUFXU/AWA
iVL5jQ0p4fI7qQm/jrNL3E7Mj+FMYQMBKTvSjF8O/YFBymsDtcN0bLlKIOdSdLP/
Tm0tffNargbnrF9a4ZNjOihbNYocDfID7hyFsdpqF9TsANXeiRkBGWT/RnOzMBs0
QZLz3iChOR87PPC4loqZJpQSYLnQ77m7ZcODzDnScwo
--- UWFxzIGon0JaPMjmKUkZQGNLa44SSusFKXVb3eGhyFE
̶¼w“ÂT©XP=žïÓ/m$nyßwϧç¿ð«‰,þïo ùïƒØNé0Fò ’ø±,øî<C3B8>
¡d+ËSâ”

View File

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
NjaxRq6jsJbscI9ySg58c9D8HEOUjEusNfEDn2aCEcyvmO0AeLImCK/MI08x8hJ2
FwSmPVpumzatiTd9U8orgUj7ivr5On5yItg1FJs1yGojDotnvXKx2P2ulAkeGs/B
KHx7UZnCwm9gAzwz8r6Uki+R56/Wu/TCfygbGq0sRI1+Tyo2PdZv0EiXXQ+f5g0c
VS23NyxGxzO3yIHRV0hRB9xRfUlYddSINVqcfRr54q2DIFi1DKU2BueAchGF2tIl
9uazNaWetXeqLF15UAYbxv1Sh5/YOmZKSr6WXhTfmzT6bSTnDwu6IqYhgBagRIEO
lv17r0wbmNAHhDZKuj60Fv+28tbWdU4WENOVhrxsImJMP6iHC79iCpNM/uHLALwN
yB1MF4oFAajX2LzW4tmmoR3bM2LCy/aW3oNccLm8M1mWuPg6pqyhiejAk/09b0BT
73HqqHSBys4DMEUjxntG+BhtwAm+3e+zcG+7MSa9fVf3yb566EUnVNHjm60pX0JN
FIn08qwIS1vtDD/2vGDMB575sYafurh6gJ6kmwikv2IOlbJBoyXBONEb7Q5TGeJ6
mon6l7zdqgW/sYgW2wAsmwGrUTHeJNVV/CUNt1sPhmb7VyqRpP0a/fWif/S2XpxY
Caiv38ccsmpmm639BhBV7iF8BhV//Ovja/hKwsLUsoM
--- suzKNMEdOeEQQnOg6BIVnTTGqCg7b0+eAiVS6PR8W2c
´êõG"ÎÇu¿ívʪ¦¡ÚH"ÅtH aËÅz#¶0.é<>âɳ:žIå¾_†DU‡7xª¼MÌ@‰¹#ÆP£¢µ9ªz5¿”;Çš-<2D>êk“jhHâªáy[cü PÖ¯õî७Axî°¾áÐJàâ¸,í =í^%Ùá}éŽn\s½{« qÎ~AgxÛ6Š©ÿpÊfwæ8ÇÝ"yê³Ô²Ý¦ñ|=Ȅ륷T4Ï<>TxÀ]<5D>—©|>¬*Õ‚ä

View File

@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
jXawkbb/FkE0/pdY3wvHC+iVx9RgIB7ytAKsk+mxx0hhwAOZL4oswvvKsnYdkUjv
5UMexnENT9I1+ZLyVMusvxvlMM+LxZtkNOLCylFF4G/Xyrq6QS5NMFK5aD0slT1U
nwufnIABuheku4yK3W/lYJcwsHT+lFfkSyqXw214AMHI37YVnsSxgjgV3KhC9ZhG
dxWG010li/7uFh1+/006+DKoa7VejrJM7OUeUVCjBjSwYazMUAi8okuaZzhMeeWG
sC8v7RmnZTM/mS0nBu0wcZxUB7Vz2c2evBNUuARELfMzxRfh9yIQMzg3k5A7xNqC
qjj3KchocgNPoTrzG/x4uFFhCmF523LJ/85IlFIQ8X/1MrAgZg/L5N5fEmhHLRG6
yVGRm0xs9wEWf1ZzSPALHO/fLUa6K+9IEo9e5Ne3+HtzeiSrlBTgAThm4iS/j9gJ
Gh5cnAuG8dmvZsnV0VJLZCCa938PugsKxsbEGRgtIwj5FaBudLd6DzNwqq9n88Y3
H3Vnc56ru/XWHVTnVNKAstXkUmAxCH2SKpETXgb2Nd7aLBEYd0Dp334wdYOYaBnR
3p0jTTpU2TFA8zfLJRy0CnElfC11YYp5aF3+ONEuGFbiAdFSoixRd0xUdxKvQ6Ym
KK875Yhl3KBCbQGHGzT9TRwqFv4GM5gntoV6QFXv8R4
--- mty/HLWaSdsD6bxDTO2KJ9itaRpuI1OKyH3+KAMX6TM
j©¡©Ÿžƒ÷¼Í hŒV¹4*µ °á
ÿÞ…tñÝ3šJ0ð!ÁhFB¹”'Ráxí¶}jÒJ¥

View File

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
MbJMn9f+sg1SygW+O6rIF8fXmieYHkQFnSuI/U71YG3JIJwMDQLMqN8dB1pi5fvg
j4wQU2211KdUsOjmpSFAoylielEMVRSm8ae+0pMDrCli6z8xb0Izd495EMexxwH8
+FWQORHvrXIaxPgHcOQ4g0SApkDAhEGl8XrI3dvC2szEy9tM5ph3LrXIAV6GBKp/
SlHD385bgZkuN8lwaczKGTjBktYiK2h1lpJBb+sQkuOP3h8rpHetU6CCbooJkQ4c
x8ND7fu3ptd/YhzVRAhTMOaQU62f1FEJoGP67hsm79rOm+0vnH5K1r16gAB2jjAh
RHXYFhzpPLrYUUCwdklGGtCFcTRc2g4gRglDx4IutTZ+2EBkrzePZ8OqXpR5/2xO
yROb3L3wex0bm9MqIyClaPFq9eUtSI4ca8s5TCZV///6FrzJVEsAlj0xZFQFGTT3
T1zOOEEzEX4f9878Wj/Rl+MZhtZUJYG39fwonFS799Omgks+NcSXi5pnPTMXnONq
cVXQM1y2wvLlxf9qbPkFCnvkqq6pWMXma18BTiAakbOZ0y/EpOGQG+vAz+zZ5wq1
le3fgfiKPM4oXuPrMPxuCd1QsmoHj5YYDSSGPWYgxHt3kKKpDVadpqgRp2FyrFGA
KGKGwqbOv12pbzmP2S3WlbAhQiUodg6my93H4kroPPM
--- q4gCKxg3dPi7iXSqByd4F3dQ6hv2h8ZH4vz1Abzzovo
„źŇgyÂŢşňŹIîŻnó<6E>ÔŚşeË*é(¨a5ĘTüÓ}ÚâDú%€ĽŔÇľUqg4\b ˘ýc5´ĆÜoY

View File

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
Q/jX41H5vQpkJf7eEOKeRezpVFRM8NS4puvIrPXE/zUx4DTn38BpSbVuv+PUH/D1
LPAplIAh8JmeXGE9V0LcVX3cvwQ/IwYZ6Iwu82yCBFOv4F4EjbFZsXRjva64m4lj
Nr5vikahk3IVezsMqFn5f46/G5ZCRyPZSlOyojPZ4YA+mZq3g1PuL4Cd/296y0SI
0xNeYG9F8gCEW1iAKKjX5QBLBx/HztgJrYm6MVEK0jRDe1LC1JBWa670smI3ALH5
V1uQbPutsOkuyZw46Nbb9bBYLQLDoKoVmAetj6AIak9p7q4/vzWMEv1zgmHczAMC
7T3zuQ1D2zjS+ePXXhof2ZpBT4yr/hfRtf0V7NhDokFZZOleJE9K3BLkQCVdUTA8
ZSzX2MnZe4OXKXSh+8+KFD37AyR7P0G4eZF5rZJ2IIrdUz6/MFjheKUAQanfg8nm
Uh4YWFu2wyVYy1OYeuSoAhzj8VpGiEa4E1WRA7Hb7AdK9t2JvIIOG5duAWw+qHXY
leh5LKHeTdtEPqEY8QqdcUoEnU+q8DseXGrRJx16aPZgP1trjlDPRWNT9Ko8gIOn
kLctSbJ3v/wv9hI9waEaWw93LCDG6E+MK5pD03f6vKcr6HQoqEMg8+eVzX+dCoa4
AF6DiI1pXrYzjLztPLcUwb7Az/hPFrVrAZ6x7KUq2E4
--- QKrzExwjVrJvMy+dzU0aQ1PCye2SwR4e5ZJXEN/yX6c
˜vú4 Ás/ö¤R"y—RJˆ C?oâ«O]«ä¬aHézêš…âlÀ( y?¡šÀ™à /GM

View File

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
ULPpqCrbkoqF5Zx+YNl2igi962ho+4bJv4ZqkdUJWXKvwBCKBujUhTRubao3E1H7
M6Qa1X/ENOjLRjaDGN/LHTKl+7yv7TyayHxWlPVylBHgs2m18Zr0+pcIl+771FSm
E0QFs61ENZibrBubOv9sib0Drb/8hi393kLAuBIIblzVt8Td3eLz9oXBltkXDJ26
ndY61jJbMcOkaS/AgcENSdwuDETxlceOBNuIRucjpcGFDrobngJyNbV8amH3Fc4D
07iwIGFK5xF+Z3h1dH+oKPTqenDcBsq32LYNOUczap0ia4/CCw/by/VrTnudX9FC
VGJ3MmJIXLaeCMMSsHEQNrNf6hq+rysuAeW3rUco8k9lWv4J08l2Z4wEfwIX3UdT
LmyTe9FeKib8ul4FuAnAXWl5Mwik2xG87Ci375/qeZgIduH6UyelBErzGA5HwtV+
Zhfo+moImBg5wkQAMqBEYo3llMU4S0uV3A7sxcFSGrKnW+qFt46+TzkAAZJCBaFC
tXM44LI+JceJhlBnI83sayEf1kEQlsxGqqdOpRQaVI5xBX7rGduFOFsVFAOO60I9
jIESQSoV36KVgm4w+v99jYiLI9mfHRNzC0KH5qeTW8tST6N1+TyP0uhzfIoNVfpg
buHTgKaPO37VciLDT2qGz8VVcbg7wlFE2neNPqQQss4
--- CWjL7M33VOuujkVFJG+zj8JwUwvA2ymMNvjIXvAxNxE
âê`áßnœ÷\<5C>çUÂD…Ð`Až‚î?xM7ž½¤RNÓJÕïIëÒ}GŽøý=x“<78>@åÙ”“Ü4)ÉžR°f¯rwÄã¹ £}ºÍZ2

BIN
secrets/ptero_env.age Normal file

Binary file not shown.

View File

@ -6,4 +6,13 @@ in
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
"grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];
"nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub ];
"nextcloud_db_pass.age".publicKeys = [ contabo_nix_pub ];
"synapse_registration_shared_secret.age".publicKeys = [ contabo_nix_pub ];
"matrix_admin_pass.age".publicKeys = [ contabo_nix_pub ];
"matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub ];
"matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub ];
"matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub ];
"ptero_env.age".publicKeys = [ contabo_nix_pub ];
}

Binary file not shown.