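{ lib, config, inputs, pkgs, ... }:
let
  root_host = "grimmauld.de";

  # The contact e-mail lives in a file that is present but kept out of git history:
  #   git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
  # The regex strips surrounding whitespace. A missing or empty file makes `match`
  # return null and evaluation fails at `elemAt`, which is the intended loud failure.
  root_email = builtins.elemAt
    (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt))
    0;

  puffer_port = 8080;
  puffer_sftp_port = 5657;
  puffer_host = "puffer.${root_host}";

  gitea_host = "git.${root_host}";
  gitea_port = 8081;

  # Single source of truth for the Synapse database role and database name.
  # ensureDBOwnership requires role and database to share this name, and the
  # postStart hook below sets the password on exactly this role.
  synapse_db_user = "matrix-synapse";
in
{
  imports = [ ./hardware-configuration.nix ];

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;
    ensureDatabases = [ synapse_db_user ];
    ensureUsers = [
      {
        name = synapse_db_user;
        ensureDBOwnership = true;
      }
    ];
    # mkOverride 10 replaces the module's default pg_hba.conf entirely.
    # Unix-socket connections use peer auth (OS user must equal the role name);
    # TCP on loopback requires a password. scram-sha-256 replaces md5: PostgreSQL 15
    # stores SCRAM verifiers by default and the postStart hook re-sets the Synapse
    # password on every start, so no md5-hashed verifier can be left behind.
    # The former `host synapse matrix-synapse ::1/128 md5` entry was dropped because
    # no database named "synapse" is created here.
    authentication = pkgs.lib.mkOverride 10 ''
      #type  database     DBuser    address       auth-method
      local  all          postgres                peer
      local  all          all                     peer
      host   all          all       127.0.0.1/32  scram-sha-256
      host   all          all       ::1/128       scram-sha-256
      local  replication  all                     peer
      host   replication  all       127.0.0.1/32  scram-sha-256
      host   replication  all       ::1/128       scram-sha-256
    '';
    # NOTE(review): none of the `peer` lines above carry `map=superuser_map`, so this
    # map is written to pg_ident.conf but never consulted (and its
    # `matrix-synapse -> synapse` entry names a role that does not exist here).
    # Kept verbatim; either reference it from pg_hba or delete it deliberately.
    identMap = ''
      # ArbitraryMapName systemUser     DBUser
      superuser_map      root           postgres
      superuser_map      matrix-synapse synapse
      superuser_map      postgres       postgres
      # Let other names login as themselves
      superuser_map      /^(.*)$        \1
    '';
  };

  # Set the Synapse role's password from the agenix secret (readable by postgres,
  # which is who $PSQL connects as via peer auth).
  # - mkAfter orders this behind the postgresql module's own postStart, which is where
  #   ensureUsers creates the role, so ALTER ROLE cannot run before the role exists on
  #   a fresh database.
  # - The role name contains a hyphen and must be quoted as an identifier (%I); the
  #   previous unquoted `ALTER ROLE matrix-synapse` is not valid SQL.
  # - The password is interpolated as an escaped literal (%L) instead of being spliced
  #   raw via %s, so a quote character in the secret cannot break (or alter) the statement.
  systemd.services.postgresql.postStart =
    let
      password_file_path = config.age.secrets.synapse_db_pass.path;
    in
    lib.mkAfter ''
      $PSQL -tA <<'EOF'
      DO $$
      DECLARE
        password TEXT;
      BEGIN
        password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
        EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${synapse_db_user}', password);
      END $$;
      EOF
    '';

  services.matrix-synapse-next = {
    enable = true;
    workers = {
      federationSenders = 1;
      federationReceivers = 1;
      initialSyncers = 1;
      normalSyncers = 1;
      eventPersisters = 2;
      useUserDirectoryWorker = true;
    };
    enableNginx = true;
    settings = {
      server_name = root_host;

      # Registration is open to the internet, gated only by e-mail verification.
      # NOTE(review): no `email` (SMTP) section is visible in this file; confirm it is
      # configured elsewhere, otherwise e-mail-verified registration cannot complete.
      enable_registration = true;
      registrations_require_3pid = [ "email" ];

      # SECURITY (blocker): a literal placeholder secret here is rendered into the
      # homeserver config and, as far as can be seen, ends up world-readable in
      # /nix/store; a known macaroon key lets anyone forge the macaroons Synapse signs
      # with it. Move it to an agenix secret and load it through the module's
      # extra-config-file mechanism rather than `settings`. Left in place only so this
      # edit does not silently invalidate existing tokens.
      macaroon_secret_key = "supersecretsecretkey";

      database = {
        name = "psycopg2";
        args = {
          # No host is set, so psycopg2 connects over the Unix socket and pg_hba's
          # `local all all peer` line authenticates the matrix-synapse OS user; the
          # passfile is only consulted if a TCP host is ever configured
          # (NOTE(review): confirm against Synapse's startup logs).
          # host = "localhost";
          # user = "synapse";
          passfile = config.age.secrets.synapse_db_pass_prepared.path;
          # password = "synapse";
          # dbname = "synapse";
        };
      };
    };
  };

  # Synapse workers coordinate through redis.
  services.redis.servers."".enable = true;

  services.gitea = {
    enable = true;
    lfs.enable = true;
    settings = {
      service.DISABLE_REGISTRATION = true;
      server = {
        # Bind to loopback only: nginx is the sole intended client and the firewall does
        # not open gitea_port anyway (defence in depth; Gitea's default is 0.0.0.0).
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = gitea_port;
        ROOT_URL = "https://${gitea_host}/";
        DISABLE_SSH = true;
      };
      # log.LEVEL = "Debug";
    };
  };

  age.secrets = {
    synapse_db_pass = {
      file = ./secrets/synapse_db_pass.age;
      owner = "postgres";
      group = "postgres";
    };
    synapse_db_pass_prepared = {
      file = ./secrets/synapse_db_pass_prepared.age;
      owner = "matrix-synapse";
      group = "matrix-synapse";
    };
    # duckdns_token.file = ./secrets/duckdns_token.age;
  };

  users.users.grimmauld = {
    isNormalUser = true;
    description = "grimmauld";
    # NOTE(review): membership in `docker` is root-equivalent on the host (the socket
    # can mount the host filesystem). Acceptable for the sole admin; do not extend it.
    extraGroups = [ "wheel" "docker" ];
    shell = pkgs.xonsh;
    packages = with pkgs; [ hyfetch ];
    openssh.authorizedKeys.keys = import ./authorizedKeys.nix;
  };
  programs.xonsh.enable = true;

  environment.systemPackages = with pkgs; [
    wget tree vim git file git-lfs util-linux btop cached-nix-shell cloud-utils parted
    visualvm linuxPackages.perf lshw pciutils gitea
    # ffmpeg-full
    pufferpanel
    # "$@" is quoted so arguments containing spaces reach pufferpanel intact.
    (writeShellScriptBin "pufferpanel-nix" ''pufferpanel --workDir /var/lib/pufferpanel "$@"'')
    pypy3
  ];

  # systemd.services = {
  #   dynamic-dns-updater = {
  #     path = [ pkgs.curl ];
  #     script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="'';
  #     startAt = "hourly";
  #   };
  # };

  security.acme = {
    acceptTerms = true;
    defaults.email = root_email;
    certs."${root_host}" = {
      webroot = "/var/lib/acme/acme-challenge/";
      extraDomainNames = [ puffer_host gitea_host ];
    };
  };
  # nginx must be able to read the certificate files owned by the acme group.
  users.users.nginx.extraGroups = [ "acme" ];

  environment.sessionVariables = {
    NIXPKGS_ALLOW_UNFREE = "1";
    OMP_NUM_THREADS = "4";
  };

  networking.firewall = {
    enable = true;
    # 80/443: nginx; 8448: Matrix federation; puffer_sftp_port: PufferPanel SFTP;
    # 25565: presumably a game server run through PufferPanel -- confirm. Port 22 is
    # opened by services.openssh.openFirewall (default true). The panel's and Gitea's
    # HTTP ports are deliberately absent: they are only reachable through nginx.
    # NOTE(review): Docker's own iptables rules bypass this firewall for ports a
    # container publishes, so containers started via PufferPanel can expose ports
    # that are not listed here.
    allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 8448 ];
    allowPing = true;
    allowedUDPPortRanges = [
      # { from = 4000; to = 4007; }
    ];
  };

  services.pufferpanel = {
    enable = true;
    environment = {
      # Loopback only: nginx proxies to 127.0.0.1 on puffer_port, and a bare ":port"
      # would bind every interface. SFTP stays on all interfaces because it is
      # exposed through the firewall on purpose.
      PUFFER_WEB_HOST = "127.0.0.1:${builtins.toString puffer_port}";
      PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
    };
    extraPackages = with pkgs; [ jdk17_headless ];
    # NOTE(review): docker/podman group access makes the panel service root-equivalent
    # on the host; anyone who can administer the panel can escape to the host.
    extraGroups = [ "podman" "docker" ];
  };
  virtualisation.podman.enable = true;
  virtualisation.docker.enable = true;

  services.nginx = {
    enable = true;
    package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # NOTE(review): this overrides the cipher list set by recommendedTlsSettings. It
    # keeps only AES256 suites (CBC ones included) and drops ChaCha20; TLS 1.3 suites
    # are unaffected. Left unchanged; revisit against the expected client population.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts."${root_host}" = {
      forceSSL = true;
      useACMEHost = root_host;
      root = "/var/www/grimmauld.duckdns.org";
    };
    virtualHosts."${puffer_host}" = {
      serverName = puffer_host;
      forceSSL = true;
      useACMEHost = root_host;
      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
    };
    virtualHosts."${gitea_host}" = {
      serverName = gitea_host;
      forceSSL = true;
      useACMEHost = root_host;
      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString gitea_port}";
    };
  };

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # NOTE(review): stateVersion should be the release this host was first installed
  # with (e.g. "23.11"); "unstable" defeats its purpose of pinning stateful defaults.
  # Left unchanged because changing it can move data directories.
  system.stateVersion = "unstable";
  nixpkgs.config.allowUnfree = true;
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "grimmauld-nixos-server";
  networking.domain = "";

  services.openssh = {
    enable = true;
    settings = {
      # Key-based logins only: this host faces the internet and grimmauld's keys are
      # provisioned above. Root keeps the NixOS default (prohibit-password).
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
  # users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
}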