Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

server config

Browse source
This commit is contained in:
Grimmauld 2024-05-08 21:49:37 +02:00
parent 70a1ab7e68
commit f4615cbae9
Signed by: Grimmauld
GPG key ID: C2946668769F91FB
42 changed files with 1144 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
authorizedKeys.nix Normal file
View file

@ -0,0 +1,7 @@
# these are public keys. Publishing them shouldn't be an issue until there is quantum computers breaking rsa.
# todo: use post-quantum keys for ssh (not possible yet, yikes)
[
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
]

5
common/network/default.nix
View file

@ -20,6 +20,11 @@ in
wireguard-tools
openconnect
];
networking.firewall = {
enable = true;
allowPing = true;
};
};
imports = [ ./bluetooth.nix ];

23
common/tooling/default.nix
View file

@ -24,10 +24,20 @@ in
(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
(writeShellScriptBin "tree" "${lib.getExe pkgs.eza} -T --git -lh --no-permissions --no-user --no-filesize --no-time")
(writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'')
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
urlencode
pstree
dos2unix
treefmt
file
wget
hyfetch
util-linux
btop
neovim-remote
linuxPackages.perf
eza
gcc
jdk17
@ -36,25 +46,19 @@ in
p7zip
tea
eza
fbcat
gomuks
btop
ranger
wget
file
util-linux
visualvm
imagemagick
nmap
hyfetch
parted
glib
glibc
expect
neovim-remote
]
++ lib.optionals cfg.graphical [
wev
@ -107,6 +111,9 @@ in
fugitive
];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
programs.neovim = {
enable = true;
viAlias = true;

4
common/tooling/nix.nix
View file

@ -10,7 +10,6 @@ let
in
{
environment.systemPackages = with pkgs; [
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
(writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
(writeShellScriptBin "nixpkgs-review-head" "nixpkgs-review rev HEAD")
(writeShellScriptBin "rebuild" "bash -c \"nixos-rebuild switch |& nom\"")
@ -23,6 +22,7 @@ in
nix-output-monitor
nix-search-cli
niv
vulnix
];
environment.sessionVariables = lib.mkIf pkgs.config.allowUnfree { NIXPKGS_ALLOW_UNFREE = "1"; };
@ -43,6 +43,4 @@ in
};
# nix.package = pkgs.nixVersions.latest;
nix.optimise.automatic = true;
boot.tmp.cleanOnBoot = true;
}

1
common/tooling/security.nix
View file

@ -12,7 +12,6 @@ in
with cfg;
lib.mkIf enable {
security.polkit.enable = true;
networking.firewall.enable = lib.mkIf network true;
security.rtkit.enable = true;
security.doas.enable = true;

2
configuration.nix
View file

@ -13,6 +13,8 @@
kernelPackages = pkgs.linuxPackages_zen;
};
services.logrotate.checkConfig = false; # fixme: actually needed?
grimmShared = {
enable = true;
locale = true;

27
fake_flake.nix
View file

@ -15,6 +15,23 @@ let
grimmauld-nixos = [
./specific/grimm-nixos-laptop/configuration.nix
];
grimmauld-nixos-server = [
./specific/grimmauld-nixos-server/configuration.nix
./modules/letsencrypt.nix
./modules/matrix.nix
./modules/puffer.nix
./modules/gitea.nix
./modules/grafana.nix
./modules/nextcloud.nix
./modules/prometheus.nix
# ./modules/mjolnir.nix
./modules/fail2ban.nix
./modules/email.nix
./modules/discord-matrix-bridge.nix
./modules/mastodon.nix
];
};
nixpkgs_patches = [
@ -29,8 +46,14 @@ in
imports = [
"${nivSources.agenix}/modules/age.nix"
(import "${nivSources.lix-module}/module.nix" { lix = nivSources.lix-pkg; })
(builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default # fixme: ideally we'd not rely on the flake syntax to load the module
] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target};
"${nivSources.nixos-mailserver}/default.nix"
"${nivSources.nixos-matrix-modules}/module.nix"
# fixme: ideally we'd not rely on the flake syntax to load the module
(builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default
# (builtins.getFlake (asGithubRef nivSources.nixos-matrix-modules)).nixosModules.default
# (builtins.getFlake "git+${nivSources.nixos-mailserver.repo}").nixosModules.default
] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target};
nixpkgs.hostPlatform = system;

43
modules/discord-matrix-bridge.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, lib, pkgs, ...}: let
bridge_port = 9005; # netstat -nlp | grep 9005
in {
nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "t2bot";
repo = "matrix-appservice-discord";
rev = "8361ca6121bf1f0902154baa538cb6d5766e477f";
hash = "sha256-oXon6pFJgqQ1uBLtsSVNH7XSOpxxJYqpW2n9cFrs3sU=";
};
patches = (let oldPatches = old.patches or []; in if oldPatches == null then [] else oldPatches) ++ [ ./patch_bridge_perms.patch ];
doCheck = false;
});})
];
age.secrets.matrix_discord_bridge_token.file = ../secrets/matrix_discord_bridge_token.age;
services.matrix-synapse-next.settings.app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" ];
services.matrix-appservice-discord = {
enable = true;
settings = {
auth = {
usePrivilegedIntents = true; # typing status and stuff
};
bridge = {
enableSelfServiceBridging = true;
inherit (config.networking) domain;
homeserverUrl = "https://${config.networking.domain}";
disablePresence = true;
disableTypingNotifications = true;
};
# logging.console = "silly";
};
serviceDependencies = ["matrix-synapse.target"];
port = bridge_port;
localpart = "_discord_";
package = pkgs.matrix-appservice-discord;
environmentFile = config.age.secrets.matrix_discord_bridge_token.path;
};
}

47
modules/email.nix Normal file
View file

@ -0,0 +1,47 @@
{ config, ... }:
let
inherit (config.networking) domain;
mail_host = "mail.${domain}";
in {
security.acme.certs."${domain}".extraDomainNames = [ mail_host ];
# services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason
mailserver = {
enable = true;
fqdn = mail_host;
domains = [ domain ];
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"contact@${domain}" = {
hashedPasswordFile = ./mailpass/contact;
aliases = ["kontakt@${domain}"];
};
"admin@${domain}" = {
hashedPasswordFile = ./mailpass/admin;
};
"grimmauld@${domain}" = {
hashedPasswordFile = ./mailpass/grimmauld;
};
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "manual";
certificateFile = "/var/lib/acme/${domain}/fullchain.pem";
keyFile = "/var/lib/acme/${domain}/key.pem";
};
services.nginx = {
enable = true;
virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P
serverName = mail_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
return = "307 https://${domain}";
};
};
};
}

19
modules/fail2ban.nix Normal file
View file

@ -0,0 +1,19 @@
{ ... }: {
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
# Whitelist some subnets
"10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
"matrix.org"
"app.element.io" # don't ratelimit matrix users
];
bantime = "1h"; # Ban IPs for 1h at first.
bantime-increment = {
enable = true; # Enable increment of bantime after each violation
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations
};
};
}

50
modules/gitea.nix Normal file
View file

@ -0,0 +1,50 @@
{ lib, config, inputs, pkgs, ... }:
let
inherit (config.networking) domain;
gitea_host = "git.${domain}";
gitea_port = 8081;
gitea_ssh_port = 2222;
in {
services.gitea = {
enable = true;
settings = {
service.DISABLE_REGISTRATION = true;
server = {
HTTP_PORT = gitea_port;
ROOT_URL = "https://${gitea_host}/";
DISABLE_SSH = false;
SSH_DOMAIN = domain;
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
SSH_PORT = gitea_ssh_port;
# SSH_LISTEN_HOST="::"; # fixme?
# SSH_AUTHORIZED_PRINCIPALS_ALLOW="username";
};
# log.LEVEL = "Debug";
"ssh.minimum_key_sizes".RSA = 2048;
"git.timeout".MIGRATE = 6000;
};
lfs.enable = true;
};
environment.systemPackages = with pkgs; [
gitea
];
security.acme.certs."${domain}".extraDomainNames = [ gitea_host];
networking.firewall.allowedTCPPorts = [ gitea_ssh_port ];
services.nginx = {
enable = true;
virtualHosts."${gitea_host}" = {
serverName = gitea_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}";
};
};
};
}

43
modules/grafana.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, ... }:
let
inherit (config.networking) domain;
grafana_host = "grafana.${domain}";
grafana_port = 8082;
in {
age.secrets.grafana_admin_pass = {
file = ../secrets/grafana_admin_pass.age;
owner = "grafana";
group = "grafana";
mode = "0600";
};
security.acme.certs."${domain}".extraDomainNames = [ grafana_host ];
services.grafana = {
enable = true;
settings = {
security = {
admin_user = "admin";
admin_email = "admin@${domain}";
admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
};
server = {
domain = grafana_host;
root_url = "https://${grafana_host}";
http_port = grafana_port;
};
};
};
services.nginx = {
enable = true;
virtualHosts."${grafana_host}" = {
serverName = grafana_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
};
};
}

15
modules/letsencrypt.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, config, inputs, pkgs, ... }:
let
inherit (config.networking) domain;
root_email = "contact@${domain}";
in {
security.acme = {
acceptTerms = true;
defaults.email = root_email;
certs."${domain}" = {
webroot = "/var/lib/acme/acme-challenge/";
};
};
users.users.nginx.extraGroups = [ "acme" ];
}

1
modules/mailpass/admin Normal file
View file

@ -0,0 +1 @@
$2b$05$9E2phVa/06fZW3daV3CeYuLTCLcBBDY7xF5TOpeHdCBGU5yNemBgy

1
modules/mailpass/contact Normal file
View file

@ -0,0 +1 @@
$2b$05$WsEwEXHa3kzDdMJdluirn.ExpK5BGJENEf3iH2AAjW6IFUPSpBWVa

1
modules/mailpass/grimmauld Normal file
View file

@ -0,0 +1 @@
$2b$05$nmY9QnYyOhhhXn3OOalxkeWWLZtlaxD2vGwr0f6gtHNUz5EfZXvsa

17
modules/mastodon.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, ... } :
let
inherit (config.networking) domain;
mastodon_host = "mastodon.${domain}";
in {
security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ];
services.mastodon = {
enable = true;
localDomain = mastodon_host;
streamingProcesses = 7;
configureNginx = true;
smtp = {
fromAddress = "noreply@${domain}";
};
extraConfig.SINGLE_USER_MODE = "true";
};
}

175
modules/matrix.nix Normal file
View file

@ -0,0 +1,175 @@
{ lib, config, inputs, pkgs, ... }:
let
inherit (config.networking) domain;
matrix_host = "matrix.${domain}";
in {
services.postgresql = {
enable = true;
# CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
ensureDatabases = [ "synapse" ];
package = pkgs.postgresql_15;
ensureUsers = [
{
name = "synapse";
ensureDBOwnership = true;
}
];
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host synapse matrix-synapse ::1/128 md5
host nextcloud nextcloud ::1/128 md5
host all all ::1/128 md5
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map matrix-synapse synapse
superuser_map nextcloud nextcloud
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
systemd.services.postgresql.postStart = let
password_file_path = config.age.secrets.synapse_db_pass.path;
in ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
services.matrix-synapse-next = {
enable = true;
workers.federationSenders = 1;
workers.federationReceivers = 1;
workers.initialSyncers = 1;
workers.normalSyncers = 1;
workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true;
mainLogConfig = ./matrix_synapse_log_config.yaml;
enableNginx = true;
enableSlidingSync = false;
settings = {
suppress_key_server_warning = true;
server_name = domain;
public_baseurl = "https://${domain}";
enable_registration = true;
registration_requires_token = true;
registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
# enable_registration_without_verification = true;
# mainLogConfig = ./matrix_synapse_log_config.yaml;
# registrations_require_3pid = [ "email" ];
database = {
name = "psycopg2";
args = {
host = "localhost";
port = 5432;
dbname = "synapse";
user = "synapse";
cp_min = 5;
cp_max = 10;
client_encoding = "auto";
passfile = config.age.secrets.synapse_db_pass_prepared.path;
};
};
};
};
services.redis.servers."".enable = true;
age.secrets.synapse_db_pass = {
file = ../secrets/synapse_db_pass.age;
owner = "postgres";
group = "postgres";
};
age.secrets.synapse_db_pass_prepared = {
file = ../secrets/synapse_db_pass_prepared.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0600";
};
age.secrets.synapse_registration_shared_secret = {
file = ../secrets/synapse_registration_shared_secret.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0600";
};
environment.systemPackages = with pkgs; [
matrix-synapse-tools.synadm
matrix-synapse
];
services.nginx = {
enable = true;
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies
useACMEHost = domain;
locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
add_header Accept-Ranges bytes;'';
};
locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
default_type application/json;
'';
};
locations."/_matrix" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
add_header X-debug-backend $synapse_backend;
add_header X-debug-group $synapse_uri_group;
client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
proxy_read_timeout 10m;
'';
};
locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
proxyPass = "http://$synapse_backend";
extraConfig = ''
proxy_read_timeout 1h;
'';
};
locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
proxyPass = "http://synapse_worker_initial_sync";
extraConfig = ''
proxy_read_timeout 1h;
'';
};
locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
proxyPass = "http://synapse_worker_initial_sync";
extraConfig = ''
proxy_read_timeout 1h;
'';
};
locations."/_synapse/client" = {
proxyPass = "http://$synapse_backend";
};
locations."/.well-known/matrix" = {
proxyPass = "http://$synapse_backend";
};
};
};
# networking.firewall.allowedTCPPorts = [ 8448 8008 ];
}

25
modules/matrix_synapse_log_config.yaml Normal file
View file

@ -0,0 +1,25 @@
version: 1
# In systemd's journal, loglevel is implicitly stored, so let's omit it
# from the message text.
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARNING
handlers: [journal]
disable_existing_loggers: False

69
modules/mjolnir.nix Normal file
View file

@ -0,0 +1,69 @@
{ config, ... } :
let
in {
age.secrets = {
matrix_mjolnir_pass = {
file = ../secrets/matrix_mjolnir_pass.age;
owner = "mjolnir";
group = "mjolnir";
mode = "0600";
};
matrix_mjolnir_tle_pass = {
file = ../secrets/matrix_mjolnir_tle_pass.age;
owner = "mjolnir";
group = "mjolnir";
mode = "0777"; # not ideal, but containers are weird
};
};
# global mjolnir
services.mjolnir = {
enable = true;
homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl;
protectedRooms = [
"https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de"
];
managementRoom = "!kgfXXqEYHGgToIwhMP:grimmauld.de";
pantalaimon = {
enable = true;
username = "mjolnir";
options = {
homeserver = config.services.matrix-synapse-next.settings.public_baseurl;
};
passwordFile = config.age.secrets.matrix_mjolnir_pass.path;
};
};
services.logrotate.checkConfig = false; # needed or this explodes
containers.mjolnirtle = let
baseurl = config.services.matrix-synapse-next.settings.public_baseurl;
pass_file = config.age.secrets.matrix_mjolnir_tle_pass.path;
in {
privateNetwork = false; # don't want nat
autoStart = true;
bindMounts."${pass_file}".isReadOnly = true;
config = { config, ... }: {
system.stateVersion = "unstable";
# tle mjolnir
services.logrotate.checkConfig = false;
services.mjolnir = {
enable = true;
homeserverUrl = baseurl;
protectedRooms = [
"https://matrix.to/#/!BgDBnHgMgilMMnPMyp:grimmauld.de"
];
managementRoom = "!NQedmlMeoQErGgAwxm:grimmauld.de";
pantalaimon = {
enable = true;
username = "mjolnir_tle";
options = {
homeserver = baseurl;
};
passwordFile = pass_file;
};
};
};
};
}

82
modules/nextcloud.nix Normal file
View file

@ -0,0 +1,82 @@
{ lib, pkgs, config, ...} :
let
inherit (config.networking) domain;
nextcloud_host = "cloud.${domain}";
nextcloud_port = 8083;
in {
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
};
security.acme.certs."${domain}".extraDomainNames = [ nextcloud_host ];
age.secrets = {
nextcloud_admin_pass = {
file = ../secrets/nextcloud_admin_pass.age;
owner = "nextcloud";
group = "nextcloud";
mode = "0600";
};
};
services.redis.servers.nextcloud = {
enable = true;
bind = "::1";
port = 6379;
};
systemd.services.nextcloud-setup.serviceConfig.ExecStartPost = pkgs.writeScript "nextcloud-redis.sh" ''
#!${pkgs.runtimeShell}
nextcloud-occ config:system:set redis 'host' --value '::1' --type string
nextcloud-occ config:system:set redis 'port' --value 6379 --type integer
nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string
nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string
'';
services.nextcloud = {
enable = true;
https = true;
hostName = nextcloud_host;
package = pkgs.nextcloud28;
caching.redis = true;
# extraApps = with config.services.nextcloud.package.packages.apps; [
# news contacts calendar tasks;
# ];
config = {
adminpassFile = config.age.secrets.nextcloud_admin_pass.path;
dbuser = "nextcloud";
dbhost= "localhost:${builtins.toString config.services.postgresql.settings.port}";
dbtype = "pgsql";
};
settings = {
overwriteProtocol = "https";
defaultPhoneRegion = "DE";
filelocking.enabled = true;
redis = {
host = "localhost";
port = 6379;
timeout = 0.0;
};
};
phpOptions = {
"opcache.interned_strings_buffer" = "12";
};
};
services.nginx = {
enable = true;
virtualHosts."${nextcloud_host}" = {
serverName = nextcloud_host;
forceSSL = true;
useACMEHost = domain;
};
};
}

12
modules/patch_bridge_perms.patch Normal file
View file

@ -0,0 +1,12 @@
diff --git a/src/util.ts b/src/util.ts
index f09190e..c7bc841 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -353,6 +353,7 @@ export class Util {
if (res && res.users && res.users[userId] !== undefined) {
haveLevel = res.users[userId];
}
+ requiredLevel = 50;
return haveLevel >= requiredLevel;
}

52
modules/prometheus.nix Normal file
View file

@ -0,0 +1,52 @@
{ config, ... } :
let
inherit (config.networking) domain;
prometheus_host = "prometheus.${domain}";
prometheus_port = 9090; # netstat -nlp | grep 9090
in {
security.acme.certs."${domain}".extraDomainNames = [ prometheus_host];
services.prometheus = {
enable = true;
port = prometheus_port;
globalConfig.scrape_interval = "15s";
scrapeConfigs = [
{
job_name = "chrysalis";
static_configs = [{
targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
"127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"
"127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}"
];
}];
}
];
exporters = {
nginx.enable = true;
redis.enable = true;
domain.enable = true;
postgres.enable = true;
nginxlog.enable = true;
jitsi.enable = true;
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
services.nginx = {
enable = true;
virtualHosts."${prometheus_host}" = {
serverName = prometheus_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you!
};
};
};
}

130
modules/ptero.nix Normal file
View file

@ -0,0 +1,130 @@
{config, pkgs, ...}: let
inherit (config.networking) domain;
root_email = "contact@${domain}";
ptero_host = "ptero.${domain}";
DATA_DIR = "/var/lib/pterodactylpanel";
panel_user = "pterodactyl";
local_bridge = "ptero-local-br";
ptero_ver = "1.11.5";
ptero_port = "8042";
in {
users.users.${panel_user} = {
isSystemUser = true;
extraGroups = ["docker"];
group = panel_user;
};
users.groups.${panel_user} = {};
age.secrets.ptero_env = {
file = ../secrets/ptero_env.age;
};
systemd.services.init-ptero-data-dir = {
description = "Create the pterodactyl panel data dir";
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script =''
mkdir -p ${DATA_DIR}/database
mkdir -p ${DATA_DIR}/cache
mkdir -p ${DATA_DIR}/panel/var
mkdir -p ${DATA_DIR}/panel/logs
mkdir -p ${DATA_DIR}/panel/nginx
chown ${panel_user}:${panel_user} -R ${DATA_DIR}
chmod +777 -R ${DATA_DIR}
'';
};
virtualisation.oci-containers.backend = "podman";
systemd.services.init-ptero-local-network = {
description = "Create the network bridge ${local_bridge} for ptero.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = let podmancli = "${config.virtualisation.podman.package}/bin/podman";
in ''
check=$(${podmancli} pod ls | grep "ptero" || true)
if [ -z "$check" ]; then
${podmancli} pod create -p "${ptero_port}:80" ptero
else
echo "ptero pod already exists"
fi
'';
};
virtualisation.oci-containers.containers."ptero-mysql" = {
image = "library/mysql:8.0";
workdir = "${DATA_DIR}/database";
extraOptions = [ "--pod=ptero" ];
environment = {
"MYSQL_USER" = "pterodactyl";
"MYSQL_DATABASE" = "panel";
};
environmentFiles = [ config.age.secrets.ptero_env.path ];
volumes = ["${DATA_DIR}/database:/var/lib/mysql" "${DATA_DIR}/database:${DATA_DIR}/database"];
cmd=["--default-authentication-plugin=mysql_native_password"];
};
virtualisation.oci-containers.containers."ptero-cache" = {
image = "redis:alpine";
workdir = "${DATA_DIR}/cache";
volumes = ["${DATA_DIR}/cache:${DATA_DIR}/cache"];
extraOptions = [ "--pod=ptero" ];
};
virtualisation.oci-containers.containers."ptero-panel" = {
image = "ghcr.io/pterodactyl/panel:v${ptero_ver}";
volumes = [
"${DATA_DIR}/panel/var/:/app/var/"
"${DATA_DIR}/panel/logs/:/app/storage/logs"
"${DATA_DIR}/panel/nginx/:/etc/nginx/conf.d/"
];
extraOptions = [ "--pod=ptero" ];
environment = {
"APP_URL" = "https://${ptero_host}";
"APP_TIMEZONE" = "Europe/Berlin";
"APP_SERVICE_AUTHOR" = root_email;
"MAIL_FROM" = "noreply@${domain}";
"MAIL_DRIVER" = "smtp";
"MAIL_HOST" = "mail";
"MAIL_PORT" = "25";
"MAIL_USERNAME" = "";
"MAIL_PASSWORD" = "";
"MAIL_ENCRYPTION" = "true";
"APP_ENV"= "production";
"APP_ENVIRONMENT_ONLY"= "false";
"CACHE_DRIVER" = "redis";
"SESSION_DRIVER" = "redis";
"QUEUE_DRIVER" = "redis";
"REDIS_HOST" = "127.0.0.1";
"DB_HOST" = "127.0.0.1";
"TRUSTED_PROXIES" = "*";
};
labels = {
"traefik.http.routers.pterodactyl_panel.entrypoints"="web";
};
environmentFiles = [ config.age.secrets.ptero_env.path ];
};
security.acme.certs."${domain}".extraDomainNames = [ ptero_host ];
services.nginx = {
enable = true;
virtualHosts."${ptero_host}" = {
serverName = ptero_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${ptero_port}";
};
};
};
environment.systemPackages = with pkgs; [
(writeShellScriptBin "ptero-nix" "${config.virtualisation.podman.package}/bin/podman exec -it ptero-panel php artisan $@")
];
}

50
modules/puffer.nix Normal file
View file

@ -0,0 +1,50 @@
{ lib, config, inputs, pkgs, ... }:
let
inherit (config.networking) domain;
puffer_port = 8080;
puffer_sftp_port = 5657;
puffer_host = "puffer.${domain}";
tlemap_host = "tlemap.${domain}";
tlemap_port = 8100;
in {
services.pufferpanel = {
enable = true;
environment = {
PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
};
extraPackages = with pkgs; [];
extraGroups = [ "docker" ];
};
services.nginx = {
enable = true;
virtualHosts."${puffer_host}" = {
serverName = puffer_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
};
};
virtualHosts."${tlemap_host}" = {
serverName = tlemap_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
};
};
};
security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ];
networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ];
# virtualisation.podman.enable = true;
virtualisation.docker.enable = true;
environment.systemPackages = with pkgs; [
pufferpanel
(writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
];
}

50
modules/toolchains.nix Normal file
View file

@ -0,0 +1,50 @@
{config, pkgs, ...}: let
git_user = "Grimmauld";
in {
environment.systemPackages = with pkgs; [
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
(writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
mkpasswd
node2nix
];
programs.git = {
enable = true;
lfs.enable = true;
config = {
init.defaultBranch = "main";
credential.username = git_user;
core.editor = "${pkgs.neovim}/bin/nvim";
user.name = git_user;
user.email = "${git_user}@grimmauld.de";
};
};
programs.tmux = {
enable = true;
historyLimit = 42000;
#keyMode = "vi";
};
programs.neovim = {
enable = true;
viAlias = true;
defaultEditor = true;
configure = {
customRC = ''
set number
set hidden
set nocompatible
'';
packages.myVimPackage = with pkgs.vimPlugins; {
# loaded on launch
start = [ vim-nix vim-scala fugitive autoclose-nvim ];
# manually loadable by calling `:packadd $plugin-name`
opt = [ ];
};
};
};
programs.xonsh.enable = true;
}

18
nix/sources.json
View file

@ -35,6 +35,24 @@
"rev": "005b2b61e671e11d0427507883f8ae66e15d939d",
"type": "git"
},
"nixos-mailserver": {
"branch": "master",
"repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git",
"rev": "41059fc548088e49e3ddb3a2b4faeb5de018e60f",
"type": "git"
},
"nixos-matrix-modules": {
"branch": "master",
"description": "NixOS modules for matrix related services",
"homepage": null,
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "6c9b67974b839740e2a738958512c7a704481157",
"sha256": "0v8z37yhmbdq2y9l3wz6vscg402x4xvms8sajnl0fcmbvka56jmk",
"type": "tarball",
"url": "https://github.com/dali99/nixos-matrix-modules/archive/6c9b67974b839740e2a738958512c7a704481157.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs": {
"branch": "nixos-unstable",
"description": "Nix Packages collection",

15
secrets/grafana_admin_pass.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
ieBCGzdQNeFiy2vjh2SbQz2jM9SFsqESvydY3ok681KYIBZKhw0FkQQPADCJElnM
L0XxLSXkOB2l3hhie5i+O3iSHKlXAwPvbfxUcsZmDgV9F9MJtdqrDWrp8qpnIzau
qsecyM28o37laD0hr+Zt6nG8QWPDmSBnNfVfdflYUkMQCPaNHrMa0+XQqABAJ7mi
PssjYLHkVJzPTi4p0bYkewkBS45gsp7j6DlF2Gg5Ce+l2FxB+RWc5Pl8mp76IntR
Vxm8gaGXG667IjwFqfxhsIbygyIZ2SX38GUJbtn3Is0aSOQCZtSkdLTkrjFtB+LP
FUfvvqkPKC5ttQm6lkODrMo3Ai0VfT6kCo/F52A0T5mkrF5jVCQdeqo92zBPWI6S
Um93uNLFmQ+OIDNnSVZKO0znpw6Vq9N7Q7LUPG1etRasnH5agMzBVlAeotbvD9Y/
Y6jLOB7aTruX4Snw83WF8J4jjzr6MYG71wQ/0aGOA5EfS/njrWRT6PSgVERny/WW
h/TaVV+Zw7vm7kw4cxSmnwcnvpst2W4Xg2hulj2MPO0OXlXPvIuIg68Olcctclox
HR2BKjDDQ+9jScu0cQcYIsnXuJ5JillpETtYI5Z4AGmKLj0rqXxrZDmjr0WKE5AE
qlbOw6/Jpn5vtmS4qEuSnbK11vhm4EWN/tv0Zz7KShM
--- yNCRCxrMUj+Kx54kwJ0Tq3X/QmxRi3eUcDCIkAtnrk8
~‰E~ß}IÝR9•<39>â*·\™frèÿyÅUw¤BÔ 1<>!¨ÝÞã÷ðtez“yxX¾W<øs!ëÛ

16
secrets/matrix_admin_pass.age Normal file
View file

@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
Y34uAa+VEd/xy3iIs0rDEpF9iBQVpU//AQcTpP/lo1idGdUbVS2KeqkWZiGFfiOL
PZNBZ9TkQhqKvw4dD7xdVNZoO9R2O9KApMIAtf4XRN+YvNA6l9dnpu/UDLFzh2F0
NJY4TXRXJPRB3k5ngbCvYv2anQ6yMi7cpHZNEIgM/LdKGJ/56YHXQAxtOe4o+0Mz
Q1FQOsEFGa2Kb5f5D9wdjfZvDkoUzG9W2Cao2GAKdtJQx0yAP3T4uEt+22nYo5OB
mOuKJ0qNwfoSk0ErC+dYlkgknG6W4QsxA/G7ZMzFq/E70yNzAOAViXPMRSnJYpr2
p2C8nhQ3lhlS2bFu46Jgi4NTj9FvnABVH+QiwL3P+WtqCMGy+LRfHDMJ1i14M35/
6cTaeSw1d4UiZekxgCsHXrT4BipC70pH+9vZYGTVzP3SxfkbilwhQJvpREnNZq1o
e2vfMHod3syDvZfYEILayODY+WwuqVp4O6NIOoPNygKwdoN+DiYKs7vhUFXU/AWA
iVL5jQ0p4fI7qQm/jrNL3E7Mj+FMYQMBKTvSjF8O/YFBymsDtcN0bLlKIOdSdLP/
Tm0tffNargbnrF9a4ZNjOihbNYocDfID7hyFsdpqF9TsANXeiRkBGWT/RnOzMBs0
QZLz3iChOR87PPC4loqZJpQSYLnQ77m7ZcODzDnScwo
--- UWFxzIGon0JaPMjmKUkZQGNLa44SSusFKXVb3eGhyFE
̶¼w“ÂT©XP=žïÓ/m$nyßwϧç¿ð«‰,þïo ùïƒØNé0Fò ’ø±,øî<C3B8>
¡d+ËSâ”

15
secrets/matrix_discord_bridge_token.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
NjaxRq6jsJbscI9ySg58c9D8HEOUjEusNfEDn2aCEcyvmO0AeLImCK/MI08x8hJ2
FwSmPVpumzatiTd9U8orgUj7ivr5On5yItg1FJs1yGojDotnvXKx2P2ulAkeGs/B
KHx7UZnCwm9gAzwz8r6Uki+R56/Wu/TCfygbGq0sRI1+Tyo2PdZv0EiXXQ+f5g0c
VS23NyxGxzO3yIHRV0hRB9xRfUlYddSINVqcfRr54q2DIFi1DKU2BueAchGF2tIl
9uazNaWetXeqLF15UAYbxv1Sh5/YOmZKSr6WXhTfmzT6bSTnDwu6IqYhgBagRIEO
lv17r0wbmNAHhDZKuj60Fv+28tbWdU4WENOVhrxsImJMP6iHC79iCpNM/uHLALwN
yB1MF4oFAajX2LzW4tmmoR3bM2LCy/aW3oNccLm8M1mWuPg6pqyhiejAk/09b0BT
73HqqHSBys4DMEUjxntG+BhtwAm+3e+zcG+7MSa9fVf3yb566EUnVNHjm60pX0JN
FIn08qwIS1vtDD/2vGDMB575sYafurh6gJ6kmwikv2IOlbJBoyXBONEb7Q5TGeJ6
mon6l7zdqgW/sYgW2wAsmwGrUTHeJNVV/CUNt1sPhmb7VyqRpP0a/fWif/S2XpxY
Caiv38ccsmpmm639BhBV7iF8BhV//Ovja/hKwsLUsoM
--- suzKNMEdOeEQQnOg6BIVnTTGqCg7b0+eAiVS6PR8W2c
´êõG"ÎÇu¿ívʪ¦¡ÚH"ÅtH aËÅz#¶0.é<>âɳ:žIå¾_†DU‡7xª¼MÌ@‰¹#ÆP£¢µ9ªz5¿”;Çš-<2D>êk“jhHâªáy[cü PÖ¯õî७Axî°¾áÐJàâ¸,í =í^%Ùá}éŽn\s½{« qÎ~AgxÛ6Š©ÿpÊfwæ8ÇÝ"yê³Ô²Ý¦ñ|=Ȅ륷T4Ï<>TxÀ]<5D>—©|>¬*Õ‚ä

16
secrets/matrix_mjolnir_pass.age Normal file
View file

@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
jXawkbb/FkE0/pdY3wvHC+iVx9RgIB7ytAKsk+mxx0hhwAOZL4oswvvKsnYdkUjv
5UMexnENT9I1+ZLyVMusvxvlMM+LxZtkNOLCylFF4G/Xyrq6QS5NMFK5aD0slT1U
nwufnIABuheku4yK3W/lYJcwsHT+lFfkSyqXw214AMHI37YVnsSxgjgV3KhC9ZhG
dxWG010li/7uFh1+/006+DKoa7VejrJM7OUeUVCjBjSwYazMUAi8okuaZzhMeeWG
sC8v7RmnZTM/mS0nBu0wcZxUB7Vz2c2evBNUuARELfMzxRfh9yIQMzg3k5A7xNqC
qjj3KchocgNPoTrzG/x4uFFhCmF523LJ/85IlFIQ8X/1MrAgZg/L5N5fEmhHLRG6
yVGRm0xs9wEWf1ZzSPALHO/fLUa6K+9IEo9e5Ne3+HtzeiSrlBTgAThm4iS/j9gJ
Gh5cnAuG8dmvZsnV0VJLZCCa938PugsKxsbEGRgtIwj5FaBudLd6DzNwqq9n88Y3
H3Vnc56ru/XWHVTnVNKAstXkUmAxCH2SKpETXgb2Nd7aLBEYd0Dp334wdYOYaBnR
3p0jTTpU2TFA8zfLJRy0CnElfC11YYp5aF3+ONEuGFbiAdFSoixRd0xUdxKvQ6Ym
KK875Yhl3KBCbQGHGzT9TRwqFv4GM5gntoV6QFXv8R4
--- mty/HLWaSdsD6bxDTO2KJ9itaRpuI1OKyH3+KAMX6TM
j©¡©Ÿžƒ÷¼Í hŒV¹4*µ °á
ÿÞ…tñÝ3šJ0ð!ÁhFB¹”'Ráxí¶}jÒJ¥

15
secrets/matrix_mjolnir_tle_pass.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
MbJMn9f+sg1SygW+O6rIF8fXmieYHkQFnSuI/U71YG3JIJwMDQLMqN8dB1pi5fvg
j4wQU2211KdUsOjmpSFAoylielEMVRSm8ae+0pMDrCli6z8xb0Izd495EMexxwH8
+FWQORHvrXIaxPgHcOQ4g0SApkDAhEGl8XrI3dvC2szEy9tM5ph3LrXIAV6GBKp/
SlHD385bgZkuN8lwaczKGTjBktYiK2h1lpJBb+sQkuOP3h8rpHetU6CCbooJkQ4c
x8ND7fu3ptd/YhzVRAhTMOaQU62f1FEJoGP67hsm79rOm+0vnH5K1r16gAB2jjAh
RHXYFhzpPLrYUUCwdklGGtCFcTRc2g4gRglDx4IutTZ+2EBkrzePZ8OqXpR5/2xO
yROb3L3wex0bm9MqIyClaPFq9eUtSI4ca8s5TCZV///6FrzJVEsAlj0xZFQFGTT3
T1zOOEEzEX4f9878Wj/Rl+MZhtZUJYG39fwonFS799Omgks+NcSXi5pnPTMXnONq
cVXQM1y2wvLlxf9qbPkFCnvkqq6pWMXma18BTiAakbOZ0y/EpOGQG+vAz+zZ5wq1
le3fgfiKPM4oXuPrMPxuCd1QsmoHj5YYDSSGPWYgxHt3kKKpDVadpqgRp2FyrFGA
KGKGwqbOv12pbzmP2S3WlbAhQiUodg6my93H4kroPPM
--- q4gCKxg3dPi7iXSqByd4F3dQ6hv2h8ZH4vz1Abzzovo
„źŇgyÂŢşňŹIîŻnó<6E>ÔŚşeË*é(¨a5ĘTüÓ}ÚâDú%€ĽŔÇľUqg4\b ˘ýc5´ĆÜoY

15
secrets/nextcloud_admin_pass.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
Q/jX41H5vQpkJf7eEOKeRezpVFRM8NS4puvIrPXE/zUx4DTn38BpSbVuv+PUH/D1
LPAplIAh8JmeXGE9V0LcVX3cvwQ/IwYZ6Iwu82yCBFOv4F4EjbFZsXRjva64m4lj
Nr5vikahk3IVezsMqFn5f46/G5ZCRyPZSlOyojPZ4YA+mZq3g1PuL4Cd/296y0SI
0xNeYG9F8gCEW1iAKKjX5QBLBx/HztgJrYm6MVEK0jRDe1LC1JBWa670smI3ALH5
V1uQbPutsOkuyZw46Nbb9bBYLQLDoKoVmAetj6AIak9p7q4/vzWMEv1zgmHczAMC
7T3zuQ1D2zjS+ePXXhof2ZpBT4yr/hfRtf0V7NhDokFZZOleJE9K3BLkQCVdUTA8
ZSzX2MnZe4OXKXSh+8+KFD37AyR7P0G4eZF5rZJ2IIrdUz6/MFjheKUAQanfg8nm
Uh4YWFu2wyVYy1OYeuSoAhzj8VpGiEa4E1WRA7Hb7AdK9t2JvIIOG5duAWw+qHXY
leh5LKHeTdtEPqEY8QqdcUoEnU+q8DseXGrRJx16aPZgP1trjlDPRWNT9Ko8gIOn
kLctSbJ3v/wv9hI9waEaWw93LCDG6E+MK5pD03f6vKcr6HQoqEMg8+eVzX+dCoa4
AF6DiI1pXrYzjLztPLcUwb7Az/hPFrVrAZ6x7KUq2E4
--- QKrzExwjVrJvMy+dzU0aQ1PCye2SwR4e5ZJXEN/yX6c
˜vú4 Ás/ö¤R"y—RJˆ C?oâ«O]«ä¬aHézêš…âlÀ( y?¡šÀ™à /GM

15
secrets/nextcloud_db_pass.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
ULPpqCrbkoqF5Zx+YNl2igi962ho+4bJv4ZqkdUJWXKvwBCKBujUhTRubao3E1H7
M6Qa1X/ENOjLRjaDGN/LHTKl+7yv7TyayHxWlPVylBHgs2m18Zr0+pcIl+771FSm
E0QFs61ENZibrBubOv9sib0Drb/8hi393kLAuBIIblzVt8Td3eLz9oXBltkXDJ26
ndY61jJbMcOkaS/AgcENSdwuDETxlceOBNuIRucjpcGFDrobngJyNbV8amH3Fc4D
07iwIGFK5xF+Z3h1dH+oKPTqenDcBsq32LYNOUczap0ia4/CCw/by/VrTnudX9FC
VGJ3MmJIXLaeCMMSsHEQNrNf6hq+rysuAeW3rUco8k9lWv4J08l2Z4wEfwIX3UdT
LmyTe9FeKib8ul4FuAnAXWl5Mwik2xG87Ci375/qeZgIduH6UyelBErzGA5HwtV+
Zhfo+moImBg5wkQAMqBEYo3llMU4S0uV3A7sxcFSGrKnW+qFt46+TzkAAZJCBaFC
tXM44LI+JceJhlBnI83sayEf1kEQlsxGqqdOpRQaVI5xBX7rGduFOFsVFAOO60I9
jIESQSoV36KVgm4w+v99jYiLI9mfHRNzC0KH5qeTW8tST6N1+TyP0uhzfIoNVfpg
buHTgKaPO37VciLDT2qGz8VVcbg7wlFE2neNPqQQss4
--- CWjL7M33VOuujkVFJG+zj8JwUwvA2ymMNvjIXvAxNxE
âê`áßnœ÷\<5C>çUÂD…Ð`Až‚î?xM7ž½¤RNÓJÕïIëÒ}GŽøý=x“<78>@åÙ”“Ü4)ÉžR°f¯rwÄã¹ £}ºÍZ2

BIN
secrets/ptero_env.age Normal file
View file

Binary file not shown.

16
secrets/secrets.nix
View file

@ -1,7 +1,23 @@
let
laptop_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos";
laptop_pub_ed = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos";
# obtained with `ssh-keyscan [ip]`
contabo_nix_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCCsCsjhJleQCBm0gwnUj5R7zewC0SoRvth1qhXtUCeWM3KHkX+CjiHvVaHs+ftYE9uCe5jwVMB+b4UPkNU8EfQeL99iOYtkcn+fEQqjUJe/x/Pn0NxfS1DCvFpI6s3485ysDmagi640XN9S+eIiiMZIqWTsIlUtkEwGF0wuv+xqzbBOlUtIkL2AMpMeFCFovOcpu2JwEAIpDUiW+FanAFImw6rvNmpAtaaFGheYOGJwnpVfdaIeRPqEN3fqtIRBIQVgxt25BGYX83vaIH3Y/OaEKMGUa/4Fe/PRpGJyhCtdae6kcVfx57hs0e7/HezjgfS90HTu2cy6BrJOvGUspCjCbdElddfboE9wtBeNYsgjUOdU926m2M1tTn7Ex6ZMOQRKRlVFac6Yo+CedRTe4u6lkrWcsDdmnajel7uxoW8VMEre/CBCtK+ZlGaDwJjIVNCn7J3KZBKeaB/t/1iSr7/buaXYh5VV1Q0gv0mtvx+D7YLngaTv3sLFpLV8Wk1mgXt9R2hHxcRBKGJYx5RWa8aMHK62RP1GRc5yCzREj2Mc5qUJyd8oirnQYms/BsaDybUJde9IL4REeMzIBYyi/MG/+OAIUSAtdYygABWco+Swv4jP52UODHikcmyejHdFhRngsb4IYzGZXbS5pobkCyqCMJ20v5BG3WNFmujAlXRw==";
in
{
"nextcloud_pass.age".publicKeys = [ laptop_pub laptop_pub_ed ];
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
"grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];
"nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub ];
"nextcloud_db_pass.age".publicKeys = [ contabo_nix_pub ];
"synapse_registration_shared_secret.age".publicKeys = [ contabo_nix_pub ];
"matrix_admin_pass.age".publicKeys = [ contabo_nix_pub ];
"matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub ];
"matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub ];
"matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub ];
"ptero_env.age".publicKeys = [ contabo_nix_pub ];
}

15
secrets/synapse_db_pass.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
uphSCXWnsU8Ffn8E3G3cQFlU+Op480vwqkDZKcvwGo/7aPeSKvcxpDkkvZbBSpeJ
agOsx9umGm2xJd38ss7vUYiTGZFyXVRVR0ECRLUSjmt4U1fbdIXM1JijKPJBNPFf
rZWc/+6uXXHFwv0633SyM6swuytmo6jKbdExclY1Q5bwYHfTAUvHaeUW1AFWd24d
HWJCLXEY3VK7WvcH3nvpzeNvRMbkaOBrcPnt7rqWmKH0F92tFP3mNiOtbHRZgSe8
aJodlNU390gLqED/BOqKjLxCYvfiVSSRu6ziP/h3VKqmC8HDD8e+nSQwS7qMlgXi
4i6kgZQr+is1rsU5GMLe+H7jw/ZI+hOxNyutGXi1wd1qgrM1qbCfJmUS8tYUP2kw
NsD4+h1xz2Hkop+6MKursOPsD6Vw/TFuNKDXyQstbrz8jU8rP5jvkIn6o7PT4rVm
HyJ4sHlabnmqufyVCtjfZz84fyOjHqeoqeS0ST5zH1VcjGh9pEJiMOK0FoiJlDaQ
hyzKhREJ/iAlb1EJ9IRu+rVgO9hamj4ZyqE4kFrTfp9/bb5HbH04km+WZByzcenA
G8aOVUwk/IvC77jjMBKwn8i09DgBbjz5RHD6hXZwHOnPPQctBO8TDRIreQ9IHBsv
xIpQuRIf1GAiGwbVdGxffwsS38Aw6h2EDzX436NFJmc
--- AK4cj1yXlOGE07/jrzEfZ1RRwYnabyglA78+X54ON2E
þå/ɳò¤bæåîŠðm/Õ¨ï(N¸]Mc©Ãð<>$àïžÚ5²ô&†Ú¬xf¿Áp*Ȥq<C2A4>ôælÂåt¿¾æœ<C3A6>1¤64ÎËoƒ„(±¬,

BIN
secrets/synapse_db_pass_prepared.age Normal file
View file

Binary file not shown.

BIN
secrets/synapse_registration_shared_secret.age Normal file
View file

Binary file not shown.

35
specific/grimmauld-nixos-server/configuration.nix Normal file
View file

@ -0,0 +1,35 @@
{ lib, config, inputs, pkgs, ... }:
let
inherit (config.networking) domain;
in {
imports = [
./hardware-configuration.nix
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.hostName = "grimmauld-nixos-server";
networking.domain = "grimmauld.de";
services.openssh.enable = true;
system.stateVersion = "23.11";
services.nginx = {
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
useACMEHost = domain;
locations."/" = {
root = "/var/www/${domain}";
};
};
};
# users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
}

13
specific/grimmauld-nixos-server/hardware-configuration.nix Normal file
View file

@ -0,0 +1,13 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
environment.sessionVariables = {
OMP_NUM_THREADS = "8";
};
}

3
users.nix
View file

@ -9,10 +9,13 @@
isNormalUser = true;
# shell = pkgs.xonsh;
description = "grimmauld";
openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
extraGroups = lib.intersectLists (lib.attrNames config.users.groups) [
"networkmanager"
"kvm"
"wheel"
"docker"
"input"
"video"
"lp"