Compare commits
2 commits
70a1ab7e68
...
a7734d312b
Author | SHA1 | Date | |
---|---|---|---|
a7734d312b | |||
f4615cbae9 |
46 changed files with 1268 additions and 32 deletions
7
authorizedKeys.nix
Normal file
7
authorizedKeys.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
# these are public keys. Publishing them shouldn't be an issue until there is quantum computers breaking rsa.
|
||||
# todo: use post-quantum keys for ssh (not possible yet, yikes)
|
||||
[
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
|
||||
]
|
|
@ -56,9 +56,7 @@ in
|
|||
};
|
||||
|
||||
boot = {
|
||||
kernelParams = [
|
||||
"quiet"
|
||||
];
|
||||
kernelParams = [ "quiet" ];
|
||||
loader.efi.canTouchEfiVariables = true;
|
||||
initrd.availableKernelModules = [
|
||||
"xhci_pci"
|
||||
|
|
|
@ -83,9 +83,7 @@ in
|
|||
|
||||
services.power-profiles-daemon.enable = false;
|
||||
services.upower.enable = true;
|
||||
boot.extraModulePackages = [
|
||||
cpupower
|
||||
] ++ optional enable_perf_policy x86_energy_perf_policy;
|
||||
boot.extraModulePackages = [ cpupower ] ++ optional enable_perf_policy x86_energy_perf_policy;
|
||||
|
||||
services.tlp = {
|
||||
enable = true;
|
||||
|
|
|
@ -20,6 +20,11 @@ in
|
|||
wireguard-tools
|
||||
openconnect
|
||||
];
|
||||
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowPing = true;
|
||||
};
|
||||
};
|
||||
|
||||
imports = [ ./bluetooth.nix ];
|
||||
|
|
|
@ -24,10 +24,20 @@ in
|
|||
(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
|
||||
(writeShellScriptBin "tree" "${lib.getExe pkgs.eza} -T --git -lh --no-permissions --no-user --no-filesize --no-time")
|
||||
(writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'')
|
||||
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
|
||||
|
||||
urlencode
|
||||
pstree
|
||||
dos2unix
|
||||
treefmt
|
||||
file
|
||||
wget
|
||||
hyfetch
|
||||
util-linux
|
||||
btop
|
||||
neovim-remote
|
||||
linuxPackages.perf
|
||||
eza
|
||||
|
||||
gcc
|
||||
jdk17
|
||||
|
@ -36,25 +46,19 @@ in
|
|||
p7zip
|
||||
|
||||
tea
|
||||
eza
|
||||
|
||||
fbcat
|
||||
gomuks
|
||||
btop
|
||||
ranger
|
||||
wget
|
||||
file
|
||||
util-linux
|
||||
|
||||
visualvm
|
||||
imagemagick
|
||||
nmap
|
||||
|
||||
hyfetch
|
||||
parted
|
||||
glib
|
||||
glibc
|
||||
expect
|
||||
neovim-remote
|
||||
]
|
||||
++ lib.optionals cfg.graphical [
|
||||
wev
|
||||
|
@ -107,6 +111,9 @@ in
|
|||
fugitive
|
||||
];
|
||||
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
zramSwap.enable = true;
|
||||
|
||||
programs.neovim = {
|
||||
enable = true;
|
||||
viAlias = true;
|
||||
|
|
|
@ -10,7 +10,6 @@ let
|
|||
in
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
|
||||
(writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
|
||||
(writeShellScriptBin "nixpkgs-review-head" "nixpkgs-review rev HEAD")
|
||||
(writeShellScriptBin "rebuild" "bash -c \"nixos-rebuild switch |& nom\"")
|
||||
|
@ -23,6 +22,7 @@ in
|
|||
nix-output-monitor
|
||||
nix-search-cli
|
||||
niv
|
||||
vulnix
|
||||
];
|
||||
|
||||
environment.sessionVariables = lib.mkIf pkgs.config.allowUnfree { NIXPKGS_ALLOW_UNFREE = "1"; };
|
||||
|
@ -43,6 +43,4 @@ in
|
|||
};
|
||||
# nix.package = pkgs.nixVersions.latest;
|
||||
nix.optimise.automatic = true;
|
||||
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
}
|
||||
|
|
|
@ -17,7 +17,11 @@ in
|
|||
|
||||
programs.xonsh = {
|
||||
enable = true;
|
||||
config = lib.concatLines (lib.mapAttrsToList (name: value: ''aliases["${name}"] = "${value}"'') config.environment.shellAliases);
|
||||
config = lib.concatLines (
|
||||
lib.mapAttrsToList (
|
||||
name: value: ''aliases["${name}"] = "${value}"''
|
||||
) config.environment.shellAliases
|
||||
);
|
||||
package = pkgs.xonsh.override {
|
||||
extraPackages =
|
||||
ps: with ps; [
|
||||
|
|
|
@ -12,7 +12,6 @@ in
|
|||
with cfg;
|
||||
lib.mkIf enable {
|
||||
security.polkit.enable = true;
|
||||
networking.firewall.enable = lib.mkIf network true;
|
||||
security.rtkit.enable = true;
|
||||
|
||||
security.doas.enable = true;
|
||||
|
|
|
@ -13,6 +13,8 @@
|
|||
kernelPackages = pkgs.linuxPackages_zen;
|
||||
};
|
||||
|
||||
services.logrotate.checkConfig = false; # fixme: actually needed?
|
||||
|
||||
grimmShared = {
|
||||
enable = true;
|
||||
locale = true;
|
||||
|
|
|
@ -9,11 +9,33 @@ let
|
|||
nivSources = import ./nix/sources.nix;
|
||||
asGithubRef = src: "github:${src.owner}/${src.repo}/${src.rev}";
|
||||
|
||||
build_target = let env_host = builtins.getEnv "NIXOS_TARGET_HOST"; in if env_host != "" then env_host else builtins.replaceStrings ["\n"] [""] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname));
|
||||
build_target =
|
||||
let
|
||||
env_host = builtins.getEnv "NIXOS_TARGET_HOST";
|
||||
in
|
||||
if env_host != "" then
|
||||
env_host
|
||||
else
|
||||
builtins.replaceStrings [ "\n" ] [ "" ] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname));
|
||||
|
||||
host_modules = {
|
||||
grimmauld-nixos = [
|
||||
./specific/grimm-nixos-laptop/configuration.nix
|
||||
grimmauld-nixos = [ ./specific/grimm-nixos-laptop/configuration.nix ];
|
||||
|
||||
grimmauld-nixos-server = [
|
||||
./specific/grimmauld-nixos-server/configuration.nix
|
||||
./modules/letsencrypt.nix
|
||||
|
||||
./modules/matrix.nix
|
||||
./modules/puffer.nix
|
||||
./modules/gitea.nix
|
||||
./modules/grafana.nix
|
||||
./modules/nextcloud.nix
|
||||
./modules/prometheus.nix
|
||||
# ./modules/mjolnir.nix
|
||||
./modules/fail2ban.nix
|
||||
./modules/email.nix
|
||||
./modules/discord-matrix-bridge.nix
|
||||
./modules/mastodon.nix
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -29,7 +51,13 @@ in
|
|||
imports = [
|
||||
"${nivSources.agenix}/modules/age.nix"
|
||||
(import "${nivSources.lix-module}/module.nix" { lix = nivSources.lix-pkg; })
|
||||
(builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default # fixme: ideally we'd not rely on the flake syntax to load the module
|
||||
"${nivSources.nixos-mailserver}/default.nix"
|
||||
"${nivSources.nixos-matrix-modules}/module.nix"
|
||||
|
||||
# fixme: ideally we'd not rely on the flake syntax to load the module
|
||||
(builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default
|
||||
# (builtins.getFlake (asGithubRef nivSources.nixos-matrix-modules)).nixosModules.default
|
||||
# (builtins.getFlake "git+${nivSources.nixos-mailserver.repo}").nixosModules.default
|
||||
] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target};
|
||||
|
||||
nixpkgs.hostPlatform = system;
|
||||
|
|
60
modules/discord-matrix-bridge.nix
Normal file
60
modules/discord-matrix-bridge.nix
Normal file
|
@ -0,0 +1,60 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
bridge_port = 9005; # netstat -nlp | grep 9005
|
||||
in
|
||||
{
|
||||
nixpkgs.overlays = [
|
||||
(final: prev: {
|
||||
matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "t2bot";
|
||||
repo = "matrix-appservice-discord";
|
||||
rev = "8361ca6121bf1f0902154baa538cb6d5766e477f";
|
||||
hash = "sha256-oXon6pFJgqQ1uBLtsSVNH7XSOpxxJYqpW2n9cFrs3sU=";
|
||||
};
|
||||
patches =
|
||||
(
|
||||
let
|
||||
oldPatches = old.patches or [ ];
|
||||
in
|
||||
if oldPatches == null then [ ] else oldPatches
|
||||
)
|
||||
++ [ ./patch_bridge_perms.patch ];
|
||||
doCheck = false;
|
||||
});
|
||||
})
|
||||
];
|
||||
|
||||
age.secrets.matrix_discord_bridge_token.file = ../secrets/matrix_discord_bridge_token.age;
|
||||
|
||||
services.matrix-synapse-next.settings.app_service_config_files = [
|
||||
"/var/lib/matrix-synapse/discord-registration.yaml"
|
||||
];
|
||||
|
||||
services.matrix-appservice-discord = {
|
||||
enable = true;
|
||||
settings = {
|
||||
auth = {
|
||||
usePrivilegedIntents = true; # typing status and stuff
|
||||
};
|
||||
bridge = {
|
||||
enableSelfServiceBridging = true;
|
||||
inherit (config.networking) domain;
|
||||
homeserverUrl = "https://${config.networking.domain}";
|
||||
disablePresence = true;
|
||||
disableTypingNotifications = true;
|
||||
};
|
||||
# logging.console = "silly";
|
||||
};
|
||||
serviceDependencies = [ "matrix-synapse.target" ];
|
||||
port = bridge_port;
|
||||
localpart = "_discord_";
|
||||
package = pkgs.matrix-appservice-discord;
|
||||
environmentFile = config.age.secrets.matrix_discord_bridge_token.path;
|
||||
};
|
||||
}
|
49
modules/email.nix
Normal file
49
modules/email.nix
Normal file
|
@ -0,0 +1,49 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
mail_host = "mail.${domain}";
|
||||
in
|
||||
{
|
||||
security.acme.certs."${domain}".extraDomainNames = [ mail_host ];
|
||||
|
||||
# services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = mail_host;
|
||||
domains = [ domain ];
|
||||
|
||||
# A list of all login accounts. To create the password hashes, use
|
||||
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
loginAccounts = {
|
||||
"contact@${domain}" = {
|
||||
hashedPasswordFile = ./mailpass/contact;
|
||||
aliases = [ "kontakt@${domain}" ];
|
||||
};
|
||||
"admin@${domain}" = {
|
||||
hashedPasswordFile = ./mailpass/admin;
|
||||
};
|
||||
"grimmauld@${domain}" = {
|
||||
hashedPasswordFile = ./mailpass/grimmauld;
|
||||
};
|
||||
};
|
||||
|
||||
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
||||
# down nginx and opens port 80.
|
||||
certificateScheme = "manual";
|
||||
certificateFile = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
keyFile = "/var/lib/acme/${domain}/key.pem";
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${mail_host}" = {
|
||||
# you should NOT be here from a browser :P
|
||||
serverName = mail_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
return = "307 https://${domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
22
modules/fail2ban.nix
Normal file
22
modules/fail2ban.nix
Normal file
|
@ -0,0 +1,22 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
maxretry = 5;
|
||||
ignoreIP = [
|
||||
# Whitelist some subnets
|
||||
"10.0.0.0/8"
|
||||
"172.16.0.0/12"
|
||||
"192.168.0.0/16"
|
||||
"matrix.org"
|
||||
"app.element.io" # don't ratelimit matrix users
|
||||
];
|
||||
bantime = "1h"; # Ban IPs for 1h at first.
|
||||
bantime-increment = {
|
||||
enable = true; # Enable increment of bantime after each violation
|
||||
multipliers = "1 2 4 8 16 32 64 128 256";
|
||||
maxtime = "168h"; # Do not ban for more than 1 week
|
||||
overalljails = true; # Calculate the bantime based on all the violations
|
||||
};
|
||||
};
|
||||
}
|
53
modules/gitea.nix
Normal file
53
modules/gitea.nix
Normal file
|
@ -0,0 +1,53 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
gitea_host = "git.${domain}";
|
||||
gitea_port = 8081;
|
||||
gitea_ssh_port = 2222;
|
||||
in
|
||||
{
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
settings = {
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
server = {
|
||||
HTTP_PORT = gitea_port;
|
||||
ROOT_URL = "https://${gitea_host}/";
|
||||
DISABLE_SSH = false;
|
||||
SSH_DOMAIN = domain;
|
||||
START_SSH_SERVER = true;
|
||||
BUILTIN_SSH_SERVER_USER = "git";
|
||||
SSH_PORT = gitea_ssh_port;
|
||||
# SSH_LISTEN_HOST="::"; # fixme?
|
||||
# SSH_AUTHORIZED_PRINCIPALS_ALLOW="username";
|
||||
};
|
||||
# log.LEVEL = "Debug";
|
||||
"ssh.minimum_key_sizes".RSA = 2048;
|
||||
"git.timeout".MIGRATE = 6000;
|
||||
};
|
||||
lfs.enable = true;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [ gitea ];
|
||||
|
||||
security.acme.certs."${domain}".extraDomainNames = [ gitea_host ];
|
||||
networking.firewall.allowedTCPPorts = [ gitea_ssh_port ];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${gitea_host}" = {
|
||||
serverName = gitea_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
44
modules/grafana.nix
Normal file
44
modules/grafana.nix
Normal file
|
@ -0,0 +1,44 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
grafana_host = "grafana.${domain}";
|
||||
grafana_port = 8082;
|
||||
in
|
||||
{
|
||||
age.secrets.grafana_admin_pass = {
|
||||
file = ../secrets/grafana_admin_pass.age;
|
||||
owner = "grafana";
|
||||
group = "grafana";
|
||||
mode = "0600";
|
||||
};
|
||||
|
||||
security.acme.certs."${domain}".extraDomainNames = [ grafana_host ];
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
settings = {
|
||||
security = {
|
||||
admin_user = "admin";
|
||||
admin_email = "admin@${domain}";
|
||||
admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
|
||||
};
|
||||
server = {
|
||||
domain = grafana_host;
|
||||
root_url = "https://${grafana_host}";
|
||||
http_port = grafana_port;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${grafana_host}" = {
|
||||
serverName = grafana_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
22
modules/letsencrypt.nix
Normal file
22
modules/letsencrypt.nix
Normal file
|
@ -0,0 +1,22 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
root_email = "contact@${domain}";
|
||||
in
|
||||
{
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = root_email;
|
||||
certs."${domain}" = {
|
||||
webroot = "/var/lib/acme/acme-challenge/";
|
||||
};
|
||||
};
|
||||
|
||||
users.users.nginx.extraGroups = [ "acme" ];
|
||||
}
|
1
modules/mailpass/admin
Normal file
1
modules/mailpass/admin
Normal file
|
@ -0,0 +1 @@
|
|||
$2b$05$9E2phVa/06fZW3daV3CeYuLTCLcBBDY7xF5TOpeHdCBGU5yNemBgy
|
1
modules/mailpass/contact
Normal file
1
modules/mailpass/contact
Normal file
|
@ -0,0 +1 @@
|
|||
$2b$05$WsEwEXHa3kzDdMJdluirn.ExpK5BGJENEf3iH2AAjW6IFUPSpBWVa
|
1
modules/mailpass/grimmauld
Normal file
1
modules/mailpass/grimmauld
Normal file
|
@ -0,0 +1 @@
|
|||
$2b$05$nmY9QnYyOhhhXn3OOalxkeWWLZtlaxD2vGwr0f6gtHNUz5EfZXvsa
|
18
modules/mastodon.nix
Normal file
18
modules/mastodon.nix
Normal file
|
@ -0,0 +1,18 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
mastodon_host = "mastodon.${domain}";
|
||||
in
|
||||
{
|
||||
security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ];
|
||||
services.mastodon = {
|
||||
enable = true;
|
||||
localDomain = mastodon_host;
|
||||
streamingProcesses = 7;
|
||||
configureNginx = true;
|
||||
smtp = {
|
||||
fromAddress = "noreply@${domain}";
|
||||
};
|
||||
extraConfig.SINGLE_USER_MODE = "true";
|
||||
};
|
||||
}
|
184
modules/matrix.nix
Normal file
184
modules/matrix.nix
Normal file
|
@ -0,0 +1,184 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
matrix_host = "matrix.${domain}";
|
||||
in
|
||||
{
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
# CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
|
||||
ensureDatabases = [ "synapse" ];
|
||||
package = pkgs.postgresql_15;
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "synapse";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
authentication = pkgs.lib.mkOverride 10 ''
|
||||
#type database DBuser auth-method
|
||||
local all postgres peer
|
||||
local all all peer
|
||||
host all all 127.0.0.1/32 md5
|
||||
host synapse matrix-synapse ::1/128 md5
|
||||
host nextcloud nextcloud ::1/128 md5
|
||||
host all all ::1/128 md5
|
||||
local replication all peer
|
||||
host replication all 127.0.0.1/32 md5
|
||||
host replication all ::1/128 md5
|
||||
'';
|
||||
identMap = ''
|
||||
# ArbitraryMapName systemUser DBUser
|
||||
superuser_map root postgres
|
||||
superuser_map matrix-synapse synapse
|
||||
superuser_map nextcloud nextcloud
|
||||
superuser_map postgres postgres
|
||||
# Let other names login as themselves
|
||||
superuser_map /^(.*)$ \1
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.postgresql.postStart =
|
||||
let
|
||||
password_file_path = config.age.secrets.synapse_db_pass.path;
|
||||
in
|
||||
''
|
||||
$PSQL -tA <<'EOF'
|
||||
DO $$
|
||||
DECLARE password TEXT;
|
||||
BEGIN
|
||||
password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
|
||||
END $$;
|
||||
EOF
|
||||
'';
|
||||
|
||||
services.matrix-synapse-next = {
|
||||
enable = true;
|
||||
|
||||
workers.federationSenders = 1;
|
||||
workers.federationReceivers = 1;
|
||||
workers.initialSyncers = 1;
|
||||
workers.normalSyncers = 1;
|
||||
workers.eventPersisters = 2;
|
||||
workers.useUserDirectoryWorker = true;
|
||||
mainLogConfig = ./matrix_synapse_log_config.yaml;
|
||||
|
||||
enableNginx = true;
|
||||
enableSlidingSync = false;
|
||||
|
||||
settings = {
|
||||
suppress_key_server_warning = true;
|
||||
server_name = domain;
|
||||
public_baseurl = "https://${domain}";
|
||||
enable_registration = true;
|
||||
registration_requires_token = true;
|
||||
registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
|
||||
# enable_registration_without_verification = true;
|
||||
# mainLogConfig = ./matrix_synapse_log_config.yaml;
|
||||
|
||||
# registrations_require_3pid = [ "email" ];
|
||||
|
||||
database = {
|
||||
name = "psycopg2";
|
||||
args = {
|
||||
host = "localhost";
|
||||
port = 5432;
|
||||
dbname = "synapse";
|
||||
user = "synapse";
|
||||
cp_min = 5;
|
||||
cp_max = 10;
|
||||
client_encoding = "auto";
|
||||
passfile = config.age.secrets.synapse_db_pass_prepared.path;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
services.redis.servers."".enable = true;
|
||||
|
||||
age.secrets.synapse_db_pass = {
|
||||
file = ../secrets/synapse_db_pass.age;
|
||||
owner = "postgres";
|
||||
group = "postgres";
|
||||
};
|
||||
age.secrets.synapse_db_pass_prepared = {
|
||||
file = ../secrets/synapse_db_pass_prepared.age;
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
mode = "0600";
|
||||
};
|
||||
age.secrets.synapse_registration_shared_secret = {
|
||||
file = ../secrets/synapse_registration_shared_secret.age;
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
mode = "0600";
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
matrix-synapse-tools.synadm
|
||||
matrix-synapse
|
||||
];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies
|
||||
useACMEHost = domain;
|
||||
locations."/.well-known/matrix/server" = {
|
||||
return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
|
||||
extraConfig = ''
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
add_header Accept-Ranges bytes;'';
|
||||
};
|
||||
locations."/.well-known/matrix/client" = {
|
||||
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'";
|
||||
extraConfig = ''
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
default_type application/json;
|
||||
'';
|
||||
};
|
||||
locations."/_matrix" = {
|
||||
proxyPass = "http://$synapse_backend";
|
||||
extraConfig = ''
|
||||
add_header X-debug-backend $synapse_backend;
|
||||
add_header X-debug-group $synapse_uri_group;
|
||||
client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
|
||||
proxy_read_timeout 10m;
|
||||
'';
|
||||
};
|
||||
locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
|
||||
proxyPass = "http://$synapse_backend";
|
||||
extraConfig = ''
|
||||
proxy_read_timeout 1h;
|
||||
'';
|
||||
};
|
||||
locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
|
||||
proxyPass = "http://synapse_worker_initial_sync";
|
||||
extraConfig = ''
|
||||
proxy_read_timeout 1h;
|
||||
'';
|
||||
};
|
||||
locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
|
||||
proxyPass = "http://synapse_worker_initial_sync";
|
||||
extraConfig = ''
|
||||
proxy_read_timeout 1h;
|
||||
'';
|
||||
};
|
||||
locations."/_synapse/client" = {
|
||||
proxyPass = "http://$synapse_backend";
|
||||
};
|
||||
locations."/.well-known/matrix" = {
|
||||
proxyPass = "http://$synapse_backend";
|
||||
};
|
||||
};
|
||||
};
|
||||
# networking.firewall.allowedTCPPorts = [ 8448 8008 ];
|
||||
}
|
25
modules/matrix_synapse_log_config.yaml
Normal file
25
modules/matrix_synapse_log_config.yaml
Normal file
|
@ -0,0 +1,25 @@
|
|||
version: 1
|
||||
|
||||
# In systemd's journal, loglevel is implicitly stored, so let's omit it
|
||||
# from the message text.
|
||||
formatters:
|
||||
journal_fmt:
|
||||
format: '%(name)s: [%(request)s] %(message)s'
|
||||
|
||||
filters:
|
||||
context:
|
||||
(): synapse.util.logcontext.LoggingContextFilter
|
||||
request: ""
|
||||
|
||||
handlers:
|
||||
journal:
|
||||
class: systemd.journal.JournalHandler
|
||||
formatter: journal_fmt
|
||||
filters: [context]
|
||||
SYSLOG_IDENTIFIER: synapse
|
||||
|
||||
root:
|
||||
level: WARNING
|
||||
handlers: [journal]
|
||||
|
||||
disable_existing_loggers: False
|
69
modules/mjolnir.nix
Normal file
69
modules/mjolnir.nix
Normal file
|
@ -0,0 +1,69 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
in
|
||||
{
|
||||
age.secrets = {
|
||||
matrix_mjolnir_pass = {
|
||||
file = ../secrets/matrix_mjolnir_pass.age;
|
||||
owner = "mjolnir";
|
||||
group = "mjolnir";
|
||||
mode = "0600";
|
||||
};
|
||||
|
||||
matrix_mjolnir_tle_pass = {
|
||||
file = ../secrets/matrix_mjolnir_tle_pass.age;
|
||||
owner = "mjolnir";
|
||||
group = "mjolnir";
|
||||
mode = "0777"; # not ideal, but containers are weird
|
||||
};
|
||||
};
|
||||
|
||||
# global mjolnir
|
||||
services.mjolnir = {
|
||||
enable = true;
|
||||
homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl;
|
||||
protectedRooms = [ "https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de" ];
|
||||
managementRoom = "!kgfXXqEYHGgToIwhMP:grimmauld.de";
|
||||
pantalaimon = {
|
||||
enable = true;
|
||||
username = "mjolnir";
|
||||
options = {
|
||||
homeserver = config.services.matrix-synapse-next.settings.public_baseurl;
|
||||
};
|
||||
passwordFile = config.age.secrets.matrix_mjolnir_pass.path;
|
||||
};
|
||||
};
|
||||
|
||||
services.logrotate.checkConfig = false; # needed or this explodes
|
||||
containers.mjolnirtle =
|
||||
let
|
||||
baseurl = config.services.matrix-synapse-next.settings.public_baseurl;
|
||||
pass_file = config.age.secrets.matrix_mjolnir_tle_pass.path;
|
||||
in
|
||||
{
|
||||
privateNetwork = false; # don't want nat
|
||||
autoStart = true;
|
||||
bindMounts."${pass_file}".isReadOnly = true;
|
||||
config =
|
||||
{ config, ... }:
|
||||
{
|
||||
system.stateVersion = "unstable";
|
||||
# tle mjolnir
|
||||
services.logrotate.checkConfig = false;
|
||||
services.mjolnir = {
|
||||
enable = true;
|
||||
homeserverUrl = baseurl;
|
||||
protectedRooms = [ "https://matrix.to/#/!BgDBnHgMgilMMnPMyp:grimmauld.de" ];
|
||||
managementRoom = "!NQedmlMeoQErGgAwxm:grimmauld.de";
|
||||
pantalaimon = {
|
||||
enable = true;
|
||||
username = "mjolnir_tle";
|
||||
options = {
|
||||
homeserver = baseurl;
|
||||
};
|
||||
passwordFile = pass_file;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
87
modules/nextcloud.nix
Normal file
87
modules/nextcloud.nix
Normal file
|
@ -0,0 +1,87 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
nextcloud_host = "cloud.${domain}";
|
||||
nextcloud_port = 8083;
|
||||
in
|
||||
{
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "nextcloud" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "nextcloud";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
security.acme.certs."${domain}".extraDomainNames = [ nextcloud_host ];
|
||||
age.secrets = {
|
||||
nextcloud_admin_pass = {
|
||||
file = ../secrets/nextcloud_admin_pass.age;
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
mode = "0600";
|
||||
};
|
||||
};
|
||||
|
||||
services.redis.servers.nextcloud = {
|
||||
enable = true;
|
||||
bind = "::1";
|
||||
port = 6379;
|
||||
};
|
||||
|
||||
systemd.services.nextcloud-setup.serviceConfig.ExecStartPost = pkgs.writeScript "nextcloud-redis.sh" ''
|
||||
#!${pkgs.runtimeShell}
|
||||
nextcloud-occ config:system:set redis 'host' --value '::1' --type string
|
||||
nextcloud-occ config:system:set redis 'port' --value 6379 --type integer
|
||||
nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string
|
||||
nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string
|
||||
'';
|
||||
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
https = true;
|
||||
hostName = nextcloud_host;
|
||||
package = pkgs.nextcloud28;
|
||||
caching.redis = true;
|
||||
|
||||
# extraApps = with config.services.nextcloud.package.packages.apps; [
|
||||
# news contacts calendar tasks;
|
||||
# ];
|
||||
config = {
|
||||
adminpassFile = config.age.secrets.nextcloud_admin_pass.path;
|
||||
dbuser = "nextcloud";
|
||||
dbhost = "localhost:${builtins.toString config.services.postgresql.settings.port}";
|
||||
dbtype = "pgsql";
|
||||
};
|
||||
settings = {
|
||||
overwriteProtocol = "https";
|
||||
defaultPhoneRegion = "DE";
|
||||
filelocking.enabled = true;
|
||||
redis = {
|
||||
host = "localhost";
|
||||
port = 6379;
|
||||
timeout = 0.0;
|
||||
};
|
||||
};
|
||||
phpOptions = {
|
||||
"opcache.interned_strings_buffer" = "12";
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${nextcloud_host}" = {
|
||||
serverName = nextcloud_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
};
|
||||
};
|
||||
}
|
12
modules/patch_bridge_perms.patch
Normal file
12
modules/patch_bridge_perms.patch
Normal file
|
@ -0,0 +1,12 @@
|
|||
diff --git a/src/util.ts b/src/util.ts
|
||||
index f09190e..c7bc841 100644
|
||||
--- a/src/util.ts
|
||||
+++ b/src/util.ts
|
||||
@@ -353,6 +353,7 @@ export class Util {
|
||||
if (res && res.users && res.users[userId] !== undefined) {
|
||||
haveLevel = res.users[userId];
|
||||
}
|
||||
+ requiredLevel = 50;
|
||||
return haveLevel >= requiredLevel;
|
||||
}
|
||||
|
55
modules/prometheus.nix
Normal file
55
modules/prometheus.nix
Normal file
|
@ -0,0 +1,55 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
prometheus_host = "prometheus.${domain}";
|
||||
prometheus_port = 9090; # netstat -nlp | grep 9090
|
||||
in
|
||||
{
|
||||
security.acme.certs."${domain}".extraDomainNames = [ prometheus_host ];
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
port = prometheus_port;
|
||||
globalConfig.scrape_interval = "15s";
|
||||
scrapeConfigs = [
|
||||
{
|
||||
job_name = "chrysalis";
|
||||
static_configs = [
|
||||
{
|
||||
targets = [
|
||||
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
|
||||
"127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"
|
||||
"127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}"
|
||||
];
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
exporters = {
|
||||
nginx.enable = true;
|
||||
redis.enable = true;
|
||||
domain.enable = true;
|
||||
postgres.enable = true;
|
||||
nginxlog.enable = true;
|
||||
jitsi.enable = true;
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
port = 9002;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${prometheus_host}" = {
|
||||
serverName = prometheus_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
|
||||
return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you!
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
137
modules/ptero.nix
Normal file
137
modules/ptero.nix
Normal file
|
@ -0,0 +1,137 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
root_email = "contact@${domain}";
|
||||
ptero_host = "ptero.${domain}";
|
||||
DATA_DIR = "/var/lib/pterodactylpanel";
|
||||
panel_user = "pterodactyl";
|
||||
local_bridge = "ptero-local-br";
|
||||
ptero_ver = "1.11.5";
|
||||
ptero_port = "8042";
|
||||
in
|
||||
{
|
||||
users.users.${panel_user} = {
|
||||
isSystemUser = true;
|
||||
extraGroups = [ "docker" ];
|
||||
group = panel_user;
|
||||
};
|
||||
users.groups.${panel_user} = { };
|
||||
|
||||
age.secrets.ptero_env = {
|
||||
file = ../secrets/ptero_env.age;
|
||||
};
|
||||
|
||||
systemd.services.init-ptero-data-dir = {
|
||||
description = "Create the pterodactyl panel data dir";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
mkdir -p ${DATA_DIR}/database
|
||||
mkdir -p ${DATA_DIR}/cache
|
||||
mkdir -p ${DATA_DIR}/panel/var
|
||||
mkdir -p ${DATA_DIR}/panel/logs
|
||||
mkdir -p ${DATA_DIR}/panel/nginx
|
||||
chown ${panel_user}:${panel_user} -R ${DATA_DIR}
|
||||
chmod +777 -R ${DATA_DIR}
|
||||
'';
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.backend = "podman";
|
||||
|
||||
systemd.services.init-ptero-local-network = {
|
||||
description = "Create the network bridge ${local_bridge} for ptero.";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig.Type = "oneshot";
|
||||
script =
|
||||
let
|
||||
podmancli = "${config.virtualisation.podman.package}/bin/podman";
|
||||
in
|
||||
''
|
||||
check=$(${podmancli} pod ls | grep "ptero" || true)
|
||||
if [ -z "$check" ]; then
|
||||
${podmancli} pod create -p "${ptero_port}:80" ptero
|
||||
else
|
||||
echo "ptero pod already exists"
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers."ptero-mysql" = {
|
||||
image = "library/mysql:8.0";
|
||||
workdir = "${DATA_DIR}/database";
|
||||
extraOptions = [ "--pod=ptero" ];
|
||||
environment = {
|
||||
"MYSQL_USER" = "pterodactyl";
|
||||
"MYSQL_DATABASE" = "panel";
|
||||
};
|
||||
environmentFiles = [ config.age.secrets.ptero_env.path ];
|
||||
volumes = [
|
||||
"${DATA_DIR}/database:/var/lib/mysql"
|
||||
"${DATA_DIR}/database:${DATA_DIR}/database"
|
||||
];
|
||||
cmd = [ "--default-authentication-plugin=mysql_native_password" ];
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers."ptero-cache" = {
|
||||
image = "redis:alpine";
|
||||
workdir = "${DATA_DIR}/cache";
|
||||
volumes = [ "${DATA_DIR}/cache:${DATA_DIR}/cache" ];
|
||||
extraOptions = [ "--pod=ptero" ];
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers."ptero-panel" = {
|
||||
image = "ghcr.io/pterodactyl/panel:v${ptero_ver}";
|
||||
volumes = [
|
||||
"${DATA_DIR}/panel/var/:/app/var/"
|
||||
"${DATA_DIR}/panel/logs/:/app/storage/logs"
|
||||
"${DATA_DIR}/panel/nginx/:/etc/nginx/conf.d/"
|
||||
];
|
||||
extraOptions = [ "--pod=ptero" ];
|
||||
environment = {
|
||||
"APP_URL" = "https://${ptero_host}";
|
||||
"APP_TIMEZONE" = "Europe/Berlin";
|
||||
"APP_SERVICE_AUTHOR" = root_email;
|
||||
|
||||
"MAIL_FROM" = "noreply@${domain}";
|
||||
"MAIL_DRIVER" = "smtp";
|
||||
"MAIL_HOST" = "mail";
|
||||
"MAIL_PORT" = "25";
|
||||
"MAIL_USERNAME" = "";
|
||||
"MAIL_PASSWORD" = "";
|
||||
"MAIL_ENCRYPTION" = "true";
|
||||
|
||||
"APP_ENV" = "production";
|
||||
"APP_ENVIRONMENT_ONLY" = "false";
|
||||
"CACHE_DRIVER" = "redis";
|
||||
"SESSION_DRIVER" = "redis";
|
||||
"QUEUE_DRIVER" = "redis";
|
||||
"REDIS_HOST" = "127.0.0.1";
|
||||
"DB_HOST" = "127.0.0.1";
|
||||
"TRUSTED_PROXIES" = "*";
|
||||
};
|
||||
labels = {
|
||||
"traefik.http.routers.pterodactyl_panel.entrypoints" = "web";
|
||||
};
|
||||
environmentFiles = [ config.age.secrets.ptero_env.path ];
|
||||
};
|
||||
|
||||
security.acme.certs."${domain}".extraDomainNames = [ ptero_host ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${ptero_host}" = {
|
||||
serverName = ptero_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${ptero_port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
(writeShellScriptBin "ptero-nix" "${config.virtualisation.podman.package}/bin/podman exec -it ptero-panel php artisan $@")
|
||||
];
|
||||
}
|
66
modules/puffer.nix
Normal file
66
modules/puffer.nix
Normal file
|
@ -0,0 +1,66 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
puffer_port = 8080;
|
||||
puffer_sftp_port = 5657;
|
||||
puffer_host = "puffer.${domain}";
|
||||
tlemap_host = "tlemap.${domain}";
|
||||
tlemap_port = 8100;
|
||||
in
|
||||
{
|
||||
services.pufferpanel = {
|
||||
enable = true;
|
||||
environment = {
|
||||
PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
|
||||
PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
|
||||
};
|
||||
extraPackages = with pkgs; [ ];
|
||||
extraGroups = [ "docker" ];
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${puffer_host}" = {
|
||||
serverName = puffer_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
|
||||
};
|
||||
};
|
||||
virtualHosts."${tlemap_host}" = {
|
||||
serverName = tlemap_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
security.acme.certs."${domain}".extraDomainNames = [
|
||||
puffer_host
|
||||
tlemap_host
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
puffer_sftp_port
|
||||
25565
|
||||
25566
|
||||
25567
|
||||
25568
|
||||
7270
|
||||
];
|
||||
|
||||
# virtualisation.podman.enable = true;
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
pufferpanel
|
||||
(writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
|
||||
];
|
||||
}
|
57
modules/toolchains.nix
Normal file
57
modules/toolchains.nix
Normal file
|
@ -0,0 +1,57 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
git_user = "Grimmauld";
|
||||
in
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
|
||||
(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
|
||||
(writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
|
||||
mkpasswd
|
||||
node2nix
|
||||
];
|
||||
|
||||
programs.git = {
|
||||
enable = true;
|
||||
lfs.enable = true;
|
||||
config = {
|
||||
init.defaultBranch = "main";
|
||||
credential.username = git_user;
|
||||
core.editor = "${pkgs.neovim}/bin/nvim";
|
||||
user.name = git_user;
|
||||
user.email = "${git_user}@grimmauld.de";
|
||||
};
|
||||
};
|
||||
|
||||
programs.tmux = {
|
||||
enable = true;
|
||||
historyLimit = 42000;
|
||||
#keyMode = "vi";
|
||||
};
|
||||
|
||||
programs.neovim = {
|
||||
enable = true;
|
||||
viAlias = true;
|
||||
defaultEditor = true;
|
||||
configure = {
|
||||
customRC = ''
|
||||
set number
|
||||
set hidden
|
||||
set nocompatible
|
||||
'';
|
||||
packages.myVimPackage = with pkgs.vimPlugins; {
|
||||
# loaded on launch
|
||||
start = [
|
||||
vim-nix
|
||||
vim-scala
|
||||
fugitive
|
||||
autoclose-nvim
|
||||
];
|
||||
# manually loadable by calling `:packadd $plugin-name`
|
||||
opt = [ ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
programs.xonsh.enable = true;
|
||||
}
|
|
@ -35,6 +35,24 @@
|
|||
"rev": "005b2b61e671e11d0427507883f8ae66e15d939d",
|
||||
"type": "git"
|
||||
},
|
||||
"nixos-mailserver": {
|
||||
"branch": "master",
|
||||
"repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git",
|
||||
"rev": "41059fc548088e49e3ddb3a2b4faeb5de018e60f",
|
||||
"type": "git"
|
||||
},
|
||||
"nixos-matrix-modules": {
|
||||
"branch": "master",
|
||||
"description": "NixOS modules for matrix related services",
|
||||
"homepage": null,
|
||||
"owner": "dali99",
|
||||
"repo": "nixos-matrix-modules",
|
||||
"rev": "6c9b67974b839740e2a738958512c7a704481157",
|
||||
"sha256": "0v8z37yhmbdq2y9l3wz6vscg402x4xvms8sajnl0fcmbvka56jmk",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/dali99/nixos-matrix-modules/archive/6c9b67974b839740e2a738958512c7a704481157.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"branch": "nixos-unstable",
|
||||
"description": "Nix Packages collection",
|
||||
|
|
15
secrets/grafana_admin_pass.age
Normal file
15
secrets/grafana_admin_pass.age
Normal file
|
@ -0,0 +1,15 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa jWbwAg
|
||||
ieBCGzdQNeFiy2vjh2SbQz2jM9SFsqESvydY3ok681KYIBZKhw0FkQQPADCJElnM
|
||||
L0XxLSXkOB2l3hhie5i+O3iSHKlXAwPvbfxUcsZmDgV9F9MJtdqrDWrp8qpnIzau
|
||||
qsecyM28o37laD0hr+Zt6nG8QWPDmSBnNfVfdflYUkMQCPaNHrMa0+XQqABAJ7mi
|
||||
PssjYLHkVJzPTi4p0bYkewkBS45gsp7j6DlF2Gg5Ce+l2FxB+RWc5Pl8mp76IntR
|
||||
Vxm8gaGXG667IjwFqfxhsIbygyIZ2SX38GUJbtn3Is0aSOQCZtSkdLTkrjFtB+LP
|
||||
FUfvvqkPKC5ttQm6lkODrMo3Ai0VfT6kCo/F52A0T5mkrF5jVCQdeqo92zBPWI6S
|
||||
Um93uNLFmQ+OIDNnSVZKO0znpw6Vq9N7Q7LUPG1etRasnH5agMzBVlAeotbvD9Y/
|
||||
Y6jLOB7aTruX4Snw83WF8J4jjzr6MYG71wQ/0aGOA5EfS/njrWRT6PSgVERny/WW
|
||||
h/TaVV+Zw7vm7kw4cxSmnwcnvpst2W4Xg2hulj2MPO0OXlXPvIuIg68Olcctclox
|
||||
HR2BKjDDQ+9jScu0cQcYIsnXuJ5JillpETtYI5Z4AGmKLj0rqXxrZDmjr0WKE5AE
|
||||
qlbOw6/Jpn5vtmS4qEuSnbK11vhm4EWN/tv0Zz7KShM
|
||||
--- yNCRCxrMUj+Kx54kwJ0Tq3X/QmxRi3eUcDCIkAtnrk8
|
||||
~‰E~ß}IÝR9•<39>â*·\–™f›rèÿyÅU›w¤BÔ
1<>!¨ÝÞã÷ðtez“yxX¾W<øs!ëÛ
|
16
secrets/matrix_admin_pass.age
Normal file
16
secrets/matrix_admin_pass.age
Normal file
|
@ -0,0 +1,16 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa jWbwAg
|
||||
Y34uAa+VEd/xy3iIs0rDEpF9iBQVpU//AQcTpP/lo1idGdUbVS2KeqkWZiGFfiOL
|
||||
PZNBZ9TkQhqKvw4dD7xdVNZoO9R2O9KApMIAtf4XRN+YvNA6l9dnpu/UDLFzh2F0
|
||||
NJY4TXRXJPRB3k5ngbCvYv2anQ6yMi7cpHZNEIgM/LdKGJ/56YHXQAxtOe4o+0Mz
|
||||
Q1FQOsEFGa2Kb5f5D9wdjfZvDkoUzG9W2Cao2GAKdtJQx0yAP3T4uEt+22nYo5OB
|
||||
mOuKJ0qNwfoSk0ErC+dYlkgknG6W4QsxA/G7ZMzFq/E70yNzAOAViXPMRSnJYpr2
|
||||
p2C8nhQ3lhlS2bFu46Jgi4NTj9FvnABVH+QiwL3P+WtqCMGy+LRfHDMJ1i14M35/
|
||||
6cTaeSw1d4UiZekxgCsHXrT4BipC70pH+9vZYGTVzP3SxfkbilwhQJvpREnNZq1o
|
||||
e2vfMHod3syDvZfYEILayODY+WwuqVp4O6NIOoPNygKwdoN+DiYKs7vhUFXU/AWA
|
||||
iVL5jQ0p4fI7qQm/jrNL3E7Mj+FMYQMBKTvSjF8O/YFBymsDtcN0bLlKIOdSdLP/
|
||||
Tm0tffNargbnrF9a4ZNjOihbNYocDfID7hyFsdpqF9TsANXeiRkBGWT/RnOzMBs0
|
||||
QZLz3iChOR87PPC4loqZJpQSYLnQ77m7ZcODzDnScwo
|
||||
--- UWFxzIGon0JaPMjmKUkZQGNLa44SSusFKXVb3eGhyFE
|
||||
̶¼w“ÂT©XP=žïÓ/m$nyßwϧç¿ð«‰,þïoùïƒØNé0Fò ’ø±,øî<C3B8>
|
||||
¡d+ËSâ”
|
15
secrets/matrix_discord_bridge_token.age
Normal file
15
secrets/matrix_discord_bridge_token.age
Normal file
|
@ -0,0 +1,15 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa jWbwAg
|
||||
NjaxRq6jsJbscI9ySg58c9D8HEOUjEusNfEDn2aCEcyvmO0AeLImCK/MI08x8hJ2
|
||||
FwSmPVpumzatiTd9U8orgUj7ivr5On5yItg1FJs1yGojDotnvXKx2P2ulAkeGs/B
|
||||
KHx7UZnCwm9gAzwz8r6Uki+R56/Wu/TCfygbGq0sRI1+Tyo2PdZv0EiXXQ+f5g0c
|
||||
VS23NyxGxzO3yIHRV0hRB9xRfUlYddSINVqcfRr54q2DIFi1DKU2BueAchGF2tIl
|
||||
9uazNaWetXeqLF15UAYbxv1Sh5/YOmZKSr6WXhTfmzT6bSTnDwu6IqYhgBagRIEO
|
||||
lv17r0wbmNAHhDZKuj60Fv+28tbWdU4WENOVhrxsImJMP6iHC79iCpNM/uHLALwN
|
||||
yB1MF4oFAajX2LzW4tmmoR3bM2LCy/aW3oNccLm8M1mWuPg6pqyhiejAk/09b0BT
|
||||
73HqqHSBys4DMEUjxntG+BhtwAm+3e+zcG+7MSa9fVf3yb566EUnVNHjm60pX0JN
|
||||
FIn08qwIS1vtDD/2vGDMB575sYafurh6gJ6kmwikv2IOlbJBoyXBONEb7Q5TGeJ6
|
||||
mon6l7zdqgW/sYgW2wAsmwGrUTHeJNVV/CUNt1sPhmb7VyqRpP0a/fWif/S2XpxY
|
||||
Caiv38ccsmpmm639BhBV7iF8BhV//Ovja/hKwsLUsoM
|
||||
--- suzKNMEdOeEQQnOg6BIVnTTGqCg7b0+eAiVS6PR8W2c
|
||||
´êõG"ÎÇu¿ívʪ¦¡ÚH"ÅtH aËÅz#¶0.é<>â‚ɳ:žI’勾_†DU‡7xª¼MÌ@‰¹#ÆP£¢µ9ªz5¿”;Çš-<2D>êk“jhHâªáy[cü>ÖPÖ¯õîà¥Axî°¾áÐJàâ¸,í =í^%Ùá}éŽn\s½{«qÎ~AgxÛ6Š©ÿpÊfwæ8ÇÝ"yê³Ô²Ý¦ñ|=Ȅ륷T4Ï<>TxÀ]<5D>—©|>¬*Õ‚ä
|
16
secrets/matrix_mjolnir_pass.age
Normal file
16
secrets/matrix_mjolnir_pass.age
Normal file
|
@ -0,0 +1,16 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa jWbwAg
|
||||
jXawkbb/FkE0/pdY3wvHC+iVx9RgIB7ytAKsk+mxx0hhwAOZL4oswvvKsnYdkUjv
|
||||
5UMexnENT9I1+ZLyVMusvxvlMM+LxZtkNOLCylFF4G/Xyrq6QS5NMFK5aD0slT1U
|
||||
nwufnIABuheku4yK3W/lYJcwsHT+lFfkSyqXw214AMHI37YVnsSxgjgV3KhC9ZhG
|
||||
dxWG010li/7uFh1+/006+DKoa7VejrJM7OUeUVCjBjSwYazMUAi8okuaZzhMeeWG
|
||||
sC8v7RmnZTM/mS0nBu0wcZxUB7Vz2c2evBNUuARELfMzxRfh9yIQMzg3k5A7xNqC
|
||||
qjj3KchocgNPoTrzG/x4uFFhCmF523LJ/85IlFIQ8X/1MrAgZg/L5N5fEmhHLRG6
|
||||
yVGRm0xs9wEWf1ZzSPALHO/fLUa6K+9IEo9e5Ne3+HtzeiSrlBTgAThm4iS/j9gJ
|
||||
Gh5cnAuG8dmvZsnV0VJLZCCa938PugsKxsbEGRgtIwj5FaBudLd6DzNwqq9n88Y3
|
||||
H3Vnc56ru/XWHVTnVNKAstXkUmAxCH2SKpETXgb2Nd7aLBEYd0Dp334wdYOYaBnR
|
||||
3p0jTTpU2TFA8zfLJRy0CnElfC11YYp5aF3+ONEuGFbiAdFSoixRd0xUdxKvQ6Ym
|
||||
KK875Yhl3KBCbQGHGzT9TRwqFv4GM5gntoV6QFXv8R4
|
||||
--- mty/HLWaSdsD6bxDTO2KJ9itaRpuI1OKyH3+KAMX6TM
|
||||
j©¡©Ÿžƒ÷¼ÍhŒV¹4*µ °á
|
||||
ÿÞ…tñÝ3šJ0ð!ÁhFB‚¹”'Ráxí¶}jÒJ¥
|
15
secrets/matrix_mjolnir_tle_pass.age
Normal file
15
secrets/matrix_mjolnir_tle_pass.age
Normal file
|
@ -0,0 +1,15 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa jWbwAg
|
||||
MbJMn9f+sg1SygW+O6rIF8fXmieYHkQFnSuI/U71YG3JIJwMDQLMqN8dB1pi5fvg
|
||||
j4wQU2211KdUsOjmpSFAoylielEMVRSm8ae+0pMDrCli6z8xb0Izd495EMexxwH8
|
||||
+FWQORHvrXIaxPgHcOQ4g0SApkDAhEGl8XrI3dvC2szEy9tM5ph3LrXIAV6GBKp/
|
||||
SlHD385bgZkuN8lwaczKGTjBktYiK2h1lpJBb+sQkuOP3h8rpHetU6CCbooJkQ4c
|
||||
x8ND7fu3ptd/YhzVRAhTMOaQU62f1FEJoGP67hsm79rOm+0vnH5K1r16gAB2jjAh
|
||||
RHXYFhzpPLrYUUCwdklGGtCFcTRc2g4gRglDx4IutTZ+2EBkrzePZ8OqXpR5/2xO
|
||||
yROb3L3wex0bm9MqIyClaPFq9eUtSI4ca8s5TCZV///6FrzJVEsAlj0xZFQFGTT3
|
||||
T1zOOEEzEX4f9878Wj/Rl+MZhtZUJYG39fwonFS799Omgks+NcSXi5pnPTMXnONq
|
||||
cVXQM1y2wvLlxf9qbPkFCnvkqq6pWMXma18BTiAakbOZ0y/EpOGQG+vAz+zZ5wq1
|
||||
le3fgfiKPM4oXuPrMPxuCd1QsmoHj5YYDSSGPWYgxHt3kKKpDVadpqgRp2FyrFGA
|
||||
KGKGwqbOv12pbzmP2S3WlbAhQiUodg6my93H4kroPPM
|
||||
--- q4gCKxg3dPi7iXSqByd4F3dQ6hv2h8ZH4vz1Abzzovo
|
||||
„źŇgyÂŢşňŹIîŻnó<6E>ÔŚşeË*é(¨a5ĘTüÓ}ÚâDú%€ĽŔÇľUqg4\b ˘ýc5´ĆÜoY
|
15
secrets/nextcloud_admin_pass.age
Normal file
15
secrets/nextcloud_admin_pass.age
Normal file
|
@ -0,0 +1,15 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa jWbwAg
|
||||
Q/jX41H5vQpkJf7eEOKeRezpVFRM8NS4puvIrPXE/zUx4DTn38BpSbVuv+PUH/D1
|
||||
LPAplIAh8JmeXGE9V0LcVX3cvwQ/IwYZ6Iwu82yCBFOv4F4EjbFZsXRjva64m4lj
|
||||
Nr5vikahk3IVezsMqFn5f46/G5ZCRyPZSlOyojPZ4YA+mZq3g1PuL4Cd/296y0SI
|
||||
0xNeYG9F8gCEW1iAKKjX5QBLBx/HztgJrYm6MVEK0jRDe1LC1JBWa670smI3ALH5
|
||||
V1uQbPutsOkuyZw46Nbb9bBYLQLDoKoVmAetj6AIak9p7q4/vzWMEv1zgmHczAMC
|
||||
7T3zuQ1D2zjS+ePXXhof2ZpBT4yr/hfRtf0V7NhDokFZZOleJE9K3BLkQCVdUTA8
|
||||
ZSzX2MnZe4OXKXSh+8+KFD37AyR7P0G4eZF5rZJ2IIrdUz6/MFjheKUAQanfg8nm
|
||||
Uh4YWFu2wyVYy1OYeuSoAhzj8VpGiEa4E1WRA7Hb7AdK9t2JvIIOG5duAWw+qHXY
|
||||
leh5LKHeTdtEPqEY8QqdcUoEnU+q8DseXGrRJx16aPZgP1trjlDPRWNT9Ko8gIOn
|
||||
kLctSbJ3v/wv9hI9waEaWw93LCDG6E+MK5pD03f6vKcr6HQoqEMg8+eVzX+dCoa4
|
||||
AF6DiI1pXrYzjLztPLcUwb7Az/hPFrVrAZ6x7KUq2E4
|
||||
--- QKrzExwjVrJvMy+dzU0aQ1PCye2SwR4e5ZJXEN/yX6c
|
||||
˜vú4
Ás/ö¤R"y—RJˆC?oâ«O]«ä¬aHézêš…’âl››À(
y?¡šÀ™à /GM’
|
15
secrets/nextcloud_db_pass.age
Normal file
15
secrets/nextcloud_db_pass.age
Normal file
|
@ -0,0 +1,15 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa jWbwAg
|
||||
ULPpqCrbkoqF5Zx+YNl2igi962ho+4bJv4ZqkdUJWXKvwBCKBujUhTRubao3E1H7
|
||||
M6Qa1X/ENOjLRjaDGN/LHTKl+7yv7TyayHxWlPVylBHgs2m18Zr0+pcIl+771FSm
|
||||
E0QFs61ENZibrBubOv9sib0Drb/8hi393kLAuBIIblzVt8Td3eLz9oXBltkXDJ26
|
||||
ndY61jJbMcOkaS/AgcENSdwuDETxlceOBNuIRucjpcGFDrobngJyNbV8amH3Fc4D
|
||||
07iwIGFK5xF+Z3h1dH+oKPTqenDcBsq32LYNOUczap0ia4/CCw/by/VrTnudX9FC
|
||||
VGJ3MmJIXLaeCMMSsHEQNrNf6hq+rysuAeW3rUco8k9lWv4J08l2Z4wEfwIX3UdT
|
||||
LmyTe9FeKib8ul4FuAnAXWl5Mwik2xG87Ci375/qeZgIduH6UyelBErzGA5HwtV+
|
||||
Zhfo+moImBg5wkQAMqBEYo3llMU4S0uV3A7sxcFSGrKnW+qFt46+TzkAAZJCBaFC
|
||||
tXM44LI+JceJhlBnI83sayEf1kEQlsxGqqdOpRQaVI5xBX7rGduFOFsVFAOO60I9
|
||||
jIESQSoV36KVgm4w+v99jYiLI9mfHRNzC0KH5qeTW8tST6N1+TyP0uhzfIoNVfpg
|
||||
buHTgKaPO37VciLDT2qGz8VVcbg7wlFE2neNPqQQss4
|
||||
--- CWjL7M33VOuujkVFJG+zj8JwUwvA2ymMNvjIXvAxNxE
|
||||
âê`áßnœ÷\<5C>çU‘D…Ð`Až‚î?xM7ž½¤ReœNÓJÕïIëÒ}GŽøý=x“<78>@åÙ”“Ü4)ÉžR°f¯rwÄã¹ £}ºÍZ2
|
BIN
secrets/ptero_env.age
Normal file
BIN
secrets/ptero_env.age
Normal file
Binary file not shown.
|
@ -1,7 +1,26 @@
|
|||
let
|
||||
laptop_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos";
|
||||
laptop_pub_ed = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos";
|
||||
|
||||
# obtained with `ssh-keyscan [ip]`
|
||||
contabo_nix_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCCsCsjhJleQCBm0gwnUj5R7zewC0SoRvth1qhXtUCeWM3KHkX+CjiHvVaHs+ftYE9uCe5jwVMB+b4UPkNU8EfQeL99iOYtkcn+fEQqjUJe/x/Pn0NxfS1DCvFpI6s3485ysDmagi640XN9S+eIiiMZIqWTsIlUtkEwGF0wuv+xqzbBOlUtIkL2AMpMeFCFovOcpu2JwEAIpDUiW+FanAFImw6rvNmpAtaaFGheYOGJwnpVfdaIeRPqEN3fqtIRBIQVgxt25BGYX83vaIH3Y/OaEKMGUa/4Fe/PRpGJyhCtdae6kcVfx57hs0e7/HezjgfS90HTu2cy6BrJOvGUspCjCbdElddfboE9wtBeNYsgjUOdU926m2M1tTn7Ex6ZMOQRKRlVFac6Yo+CedRTe4u6lkrWcsDdmnajel7uxoW8VMEre/CBCtK+ZlGaDwJjIVNCn7J3KZBKeaB/t/1iSr7/buaXYh5VV1Q0gv0mtvx+D7YLngaTv3sLFpLV8Wk1mgXt9R2hHxcRBKGJYx5RWa8aMHK62RP1GRc5yCzREj2Mc5qUJyd8oirnQYms/BsaDybUJde9IL4REeMzIBYyi/MG/+OAIUSAtdYygABWco+Swv4jP52UODHikcmyejHdFhRngsb4IYzGZXbS5pobkCyqCMJ20v5BG3WNFmujAlXRw==";
|
||||
in
|
||||
{
|
||||
"nextcloud_pass.age".publicKeys = [ laptop_pub laptop_pub_ed ];
|
||||
"nextcloud_pass.age".publicKeys = [
|
||||
laptop_pub
|
||||
laptop_pub_ed
|
||||
];
|
||||
|
||||
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
|
||||
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
|
||||
"grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||
"nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||
"nextcloud_db_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||
"synapse_registration_shared_secret.age".publicKeys = [ contabo_nix_pub ];
|
||||
"matrix_admin_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||
"matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||
"matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||
"matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub ];
|
||||
"ptero_env.age".publicKeys = [ contabo_nix_pub ];
|
||||
}
|
||||
|
|
15
secrets/synapse_db_pass.age
Normal file
15
secrets/synapse_db_pass.age
Normal file
|
@ -0,0 +1,15 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa jWbwAg
|
||||
uphSCXWnsU8Ffn8E3G3cQFlU+Op480vwqkDZKcvwGo/7aPeSKvcxpDkkvZbBSpeJ
|
||||
agOsx9umGm2xJd38ss7vUYiTGZFyXVRVR0ECRLUSjmt4U1fbdIXM1JijKPJBNPFf
|
||||
rZWc/+6uXXHFwv0633SyM6swuytmo6jKbdExclY1Q5bwYHfTAUvHaeUW1AFWd24d
|
||||
HWJCLXEY3VK7WvcH3nvpzeNvRMbkaOBrcPnt7rqWmKH0F92tFP3mNiOtbHRZgSe8
|
||||
aJodlNU390gLqED/BOqKjLxCYvfiVSSRu6ziP/h3VKqmC8HDD8e+nSQwS7qMlgXi
|
||||
4i6kgZQr+is1rsU5GMLe+H7jw/ZI+hOxNyutGXi1wd1qgrM1qbCfJmUS8tYUP2kw
|
||||
NsD4+h1xz2Hkop+6MKursOPsD6Vw/TFuNKDXyQstbrz8jU8rP5jvkIn6o7PT4rVm
|
||||
HyJ4sHlabnmqufyVCtjfZz84fyOjHqeoqeS0ST5zH1VcjGh9pEJiMOK0FoiJlDaQ
|
||||
hyzKhREJ/iAlb1EJ9IRu+rVgO9hamj4ZyqE4kFrTfp9/bb5HbH04km+WZByzcenA
|
||||
G8aOVUwk/IvC77jjMBKwn8i09DgBbjz5RHD6hXZwHOnPPQctBO8TDRIreQ9IHBsv
|
||||
xIpQuRIf1GAiGwbVdGxffwsS38Aw6h2EDzX436NFJmc
|
||||
--- AK4cj1yXlOGE07/jrzEfZ1RRwYnabyglA78+X54ON2E
|
||||
þå/ɳò¤bæåîŠðm/Õ¨ï(N¸]Mc©Ãð<>$àïžÚ5²ô&†Ú¬xf¿Áp*Ȥq<C2A4>ôælÂåt¿¾‚–æœ<C3A6>1¤64‘ÎË›oƒ„(±¬,*ü
|
BIN
secrets/synapse_db_pass_prepared.age
Normal file
BIN
secrets/synapse_db_pass_prepared.age
Normal file
Binary file not shown.
BIN
secrets/synapse_registration_shared_secret.age
Normal file
BIN
secrets/synapse_registration_shared_secret.age
Normal file
Binary file not shown.
43
specific/grimmauld-nixos-server/configuration.nix
Normal file
43
specific/grimmauld-nixos-server/configuration.nix
Normal file
|
@ -0,0 +1,43 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
in
|
||||
{
|
||||
imports = [ ./hardware-configuration.nix ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
networking.hostName = "grimmauld-nixos-server";
|
||||
networking.domain = "grimmauld.de";
|
||||
services.openssh.enable = true;
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
services.nginx = {
|
||||
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
||||
|
||||
virtualHosts."${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
root = "/var/www/${domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
|
||||
}
|
20
specific/grimmauld-nixos-server/hardware-configuration.nix
Normal file
20
specific/grimmauld-nixos-server/hardware-configuration.nix
Normal file
|
@ -0,0 +1,20 @@
|
|||
{ modulesPath, ... }:
|
||||
{
|
||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"xen_blkfront"
|
||||
"vmw_pvscsi"
|
||||
];
|
||||
boot.initrd.kernelModules = [ "nvme" ];
|
||||
fileSystems."/" = {
|
||||
device = "/dev/sda3";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
environment.sessionVariables = {
|
||||
OMP_NUM_THREADS = "8";
|
||||
};
|
||||
}
|
21
users.nix
21
users.nix
|
@ -9,10 +9,13 @@
|
|||
isNormalUser = true;
|
||||
# shell = pkgs.xonsh;
|
||||
description = "grimmauld";
|
||||
|
||||
openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
|
||||
extraGroups = lib.intersectLists (lib.attrNames config.users.groups) [
|
||||
"networkmanager"
|
||||
"kvm"
|
||||
"wheel"
|
||||
"docker"
|
||||
"input"
|
||||
"video"
|
||||
"lp"
|
||||
|
@ -32,13 +35,15 @@
|
|||
{ remote = "Videos"; }
|
||||
];
|
||||
|
||||
packages = with pkgs; lib.optionals config.grimmShared.graphical [
|
||||
webcord
|
||||
discord
|
||||
obs-studio
|
||||
element-desktop
|
||||
ghidra
|
||||
# rmview
|
||||
];
|
||||
packages =
|
||||
with pkgs;
|
||||
lib.optionals config.grimmShared.graphical [
|
||||
webcord
|
||||
discord
|
||||
obs-studio
|
||||
element-desktop
|
||||
ghidra
|
||||
# rmview
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue