caem/nixos-system-config
caem/nixos-system-config
1
Fork 0
Code Releases Activity

Add configuration for dirae.org

Browse source
This commit is contained in:
caem 2023-07-01 15:08:00 +02:00
parent 471ae20bb7
commit fe9f7d9732
17 changed files with 421 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

117
flake.lock
View file

@ -1,5 +1,37 @@
{
"nodes": {
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1684264534,
@ -31,13 +63,83 @@
"type": "github"
}
},
"nixpkgs-22_11": {
"locked": {
"lastModified": 1669558522,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1670751203,
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": {
"inputs": {
"impermanence": "impermanence",
"nixpkgs": "nixpkgs",
"simple-mailserver": "simple-mailserver",
"unstable": "unstable"
}
},
"simple-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils"
},
"locked": {
"lastModified": 1687462267,
"narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "24128c3052090311688b09a400aa408ba61c6ee5",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"unstable": {
"locked": {
"lastModified": 1686960236,
@ -53,6 +155,21 @@
"repo": "nixpkgs",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

15
flake.nix
View file

@ -7,11 +7,14 @@
# https://nixos.wiki/wiki/Impermanence
impermanence.url = "github:nix-community/impermanence";
simple-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
};
outputs = { self, nixpkgs, ... }@attrs: let
user = "user"; # Select user from `./users` directory
user = "user"; # Select user from the `./users` directory
in {
# Media homeserver
nixosConfigurations.homeserver = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = attrs;
@ -21,6 +24,16 @@
];
};
# dirae.org
nixosConfigurations.dirae = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = attrs;
modules = [
./users/${user}.nix
./systems/dirae.nix
];
};
# Debugging VM configuration
nixosConfigurations.qemu-vm = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";

25
packages/gitlab/package.nix Normal file
View file

@ -0,0 +1,25 @@
{ ... }:
{
services.gitlab = {
enable = true;
host = "gitlab.dirae.org";
# Server is running on limited budet :,)
# https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html
puma.workers = 0;
user = "gitlab";
group = "gitlab";
https = true;
databasePasswordFile = "/var/keys/gitlab/db_password";
initialRootPasswordFile = "/var/keys/gitlab/root_password";
secrets = {
dbFile = "/var/keys/gitlab/db";
secretFile = "/var/keys/gitlab/secret";
otpFile = "/var/keys/gitlab/otp";
jwsFile = "/var/keys/gitlab/jws";
};
};
}

33
packages/mailserver/package.nix Normal file
View file

@ -0,0 +1,33 @@
{ simple-mailserver, ... }:
{
imports = [
simple-mailserver.nixosModule
];
mailserver = {
enable = true;
fqdn = "dirae.org";
domains = [ "dirae.org" ];
loginAccounts = {
"caem@dirae.org" = {
hashedPasswordFile = "/nix/config/packages/mailserver/pw";
aliases = [
"admin@dirae.org"
"postmaser@dirae.org"
"legal@dirae.org"
"contact@dirae.org"
"dmca@dirae.org"
"pt@dirae.org"
"cali@dirae.org"
"abuse@dirae.org"
];
};
};
# Managed in configuration for nginx
certificateScheme = "acme";
};
}

48
packages/nginx/dirae.nix Normal file
View file

@ -0,0 +1,48 @@
{ ... }:
let
fqdn = "dirae.org";
serverConfig."m.server" = "dirae.org:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
security.acme.acceptTerms = true;
security.acme.defaults.email = "caem@dirae.org";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"dirae.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = "/var/www/dirae";
};
locations."/.well-known/matrix/server".extraConfig = ''
return 200 '{"m.server": "dirae.org:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
};
"gitlab.dirae.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
};
};
}

16
packages/sshd/package.nix Normal file
View file

@ -0,0 +1,16 @@
{ ... }:
{
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
};
};
users.users."user".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnopPaLuQT4+5LzqiBM4JfdRamzArszOrfoDy96KpQL9jeZQhT4E7LE63tySza4auJyTkFcnfGEQQaAlCUYTVvWrvB6l2nG7mVZ5Cr0YvQ1U9AY+1OPE5wCSDUk9zaUm3ldWgUWRA/MyGtzm3kQ+ZtYIOqtvF6Ki5vPRYl+QR0cjThw5Sr/99sTqZwgmbPoAkLXnioSI+oOgV6H8M9XCuvwmlm6YKfBrjTQltj93GpSf24Lf9YaFc51Auao78AfOof/EtGWlcBrvfdjaS/scxSmHO9r/AShV/BEVboG+89i+Qia67cATGIwDLB6HZO1dO5qTSImzcQ/QnFW1E0IGZy3LvKd/FT8QCpHjDtPlsxWwIuTgyLD3c9OZTTA8w619QBKic3KEhuRkhuwOqSPgpvgkK8hS91gr8spL+6U4Bdgo8gZH14kj7ZhiNsIur0Chj/X1uCHGXEHhlV4ky2XAxhGSSr9fy06w4uPsIXGnSufm8jbBAhYDrNzaod2Q/73VE= user@workstation"
];
networking.firewall.allowedTCPPorts = [ 22 ];
}

31
packages/synapse/package.nix Normal file
View file

@ -0,0 +1,31 @@
{ pkgs, ... }:
{
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.matrix-synapse = {
enable = true;
settings.server_name = "dirae.org";
settings.listeners = [
{
port = 8008;
bind_addresses = [ "127.0.0.1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}
];
};
}

1
sets/meta/sysadmin.nix
View file

@ -6,6 +6,7 @@
wget
curl
git
tree
];
services.openssh.enable = true;

54
systems/dirae.nix Normal file
View file

@ -0,0 +1,54 @@
{ ... }:
{
imports = [
./common.nix
./hardware/dirae.nix
# ./persist/dirae.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
../packages/sshd/package.nix
../packages/mailserver/package.nix
../packages/nginx/dirae.nix
../packages/gitlab/package.nix
../packages/synapse/package.nix
];
boot = {
loader = {
grub = {
enable = true;
device = "/dev/vda";
};
};
kernel = {
sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
};
};
networking = {
hostName = "dirae";
enableIPv6 = false;
hostId = "149e5b5c";
interfaces = {
enp6s18.ipv4.addresses = [{
address = "91.210.224.148";
prefixLength = 24;
}];
};
nameservers = [ "1.1.1.1" "8.8.8.8" ];
defaultGateway = "91.210.224.1";
firewall = {
enable = true;
};
};
time.timeZone = "Europe/Berlin";
# To not mess up SSH sessions from weird terminals
environment.sessionVariables = {
TERM = "xterm";
};
}

44
systems/hardware/dirae.nix Normal file
View file

@ -0,0 +1,44 @@
{ lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.zfs.devNodes = "/dev/disk/by-path";
# Will enable this later when everything is stable
# boot.initrd.postDeviceCommands = lib.mkAfter ''
# zfs rollback -r local/root@blank
# '';
fileSystems."/" = {
device = "local/root";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B33B-0EBE";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "local/nix";
fsType = "zfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

4
systems/homeserver.nix
View file

@ -4,7 +4,7 @@
imports = [
./common.nix
./hardware/homeserver.nix
./persist/homeserver.nix
./persist/common.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
../packages/nginx/homeserver.nix
@ -53,7 +53,7 @@
console.keyMap = "uk";
# To not mess up SSH sessions from weird terminals
environment.sessionVariables = rec {
environment.sessionVariables = {
TERM = "xterm";
};
}

2
systems/persist/common.nix
View file

@ -5,7 +5,7 @@
impermanence.nixosModules.impermanence
];
environment.persistence."/nix/persist/common" = {
environment.persistence."/nix/persist" = {
directories = [
"/etc/ssh"
"/var/lib"

33
systems/persist/dirae.nix Normal file
View file

@ -0,0 +1,33 @@
{ impermanence, ... }:
{
imports = [
impermanence.nixosModules.impermanence
];
environment.persistence."/nix/persist" = {
hideMounts = true;
directories = [
"/var/spool"
{ directory = "/var/dkim"; user = "opendkim";
group = "opendkim"; mode = "u=rwx,g=rx,o=rx"; }
{ directory = "/var/sieve"; user = "virtualMail";
group = "virtualMail"; mode = "u=rwx,g=rwx,o="; }
{ directory = "/var/vmail"; user = "virtualMail";
group = "virtualMail"; mode = "u=rwx,g=rws,o="; }
"/etc/dovecot"
"/etc/pki"
"/etc/ssh"
{ directory = "/var/lib/acme"; user = "acme";
group = "acme"; mode = "u=rwx,g=rx,o=rx"; }
{ directory = "/var/lib/opendkim"; user = "opendkim";
group = "opendkim"; mode = "u=rwx,g=,o="; }
"/var/lib/postfix"
"/var/log"
];
files = [
"/etc/machine-id"
];
};
}

7
systems/persist/homeserver.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
imports = [
./common.nix
];
}

7
systems/persist/qemu-vm.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
imports = [
./common.nix
];
}

2
systems/qemu-vm.nix
View file

@ -6,7 +6,7 @@
../sets/meta/sysadmin.nix
../packages/vim/package.nix
./common.nix
./persist/qemu-vm.nix
./persist/common.nix
];
boot.loader.grub.enable = true;

2
users/user.nix
View file

@ -1,4 +1,4 @@
{ ... }:
{ ... }:
{
users.users.user = {