Add configuration for dirae.org

This commit is contained in:
caem 2023-07-01 15:08:00 +02:00
parent 471ae20bb7
commit fe9f7d9732
17 changed files with 421 additions and 20 deletions

117
flake.lock generated

@ -1,5 +1,37 @@
{
"nodes": {
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1684264534,
@ -31,13 +63,83 @@
"type": "github"
}
},
"nixpkgs-22_11": {
"locked": {
"lastModified": 1669558522,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1670751203,
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": {
"inputs": {
"impermanence": "impermanence",
"nixpkgs": "nixpkgs",
"simple-mailserver": "simple-mailserver",
"unstable": "unstable"
}
},
"simple-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils"
},
"locked": {
"lastModified": 1687462267,
"narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "24128c3052090311688b09a400aa408ba61c6ee5",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"unstable": {
"locked": {
"lastModified": 1686960236,
@ -53,6 +155,21 @@
"repo": "nixpkgs",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",


@ -7,11 +7,14 @@
# https://nixos.wiki/wiki/Impermanence
impermanence.url = "github:nix-community/impermanence";
simple-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
};
outputs = { self, nixpkgs, ... }@attrs: let
user = "user"; # Select user from `./users` directory
user = "user"; # Select user from the `./users` directory
in {
# Media homeserver
nixosConfigurations.homeserver = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = attrs;
@ -21,6 +24,16 @@
];
};
# dirae.org
nixosConfigurations.dirae = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = attrs;
modules = [
./users/${user}.nix
./systems/dirae.nix
];
};
# Debugging VM configuration
nixosConfigurations.qemu-vm = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";


@ -0,0 +1,25 @@
{ ... }:
{
services.gitlab = {
enable = true;
host = "gitlab.dirae.org";
# Server is running on limited budet :,)
# https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html
puma.workers = 0;
user = "gitlab";
group = "gitlab";
https = true;
databasePasswordFile = "/var/keys/gitlab/db_password";
initialRootPasswordFile = "/var/keys/gitlab/root_password";
secrets = {
dbFile = "/var/keys/gitlab/db";
secretFile = "/var/keys/gitlab/secret";
otpFile = "/var/keys/gitlab/otp";
jwsFile = "/var/keys/gitlab/jws";
};
};
}
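Review bot: The secret files referenced by `databasePasswordFile`, `initialRootPasswordFile` and the `secrets` block all live under `/var/keys/gitlab/`, yet nothing in this commit provisions them or documents their expected owner and mode, and `/var/keys` is absent from `systems/persist/dirae.nix`, so once the commented-out ZFS root rollback is enabled these files — and presumably GitLab's state directory and the Postgres data it depends on — would not survive a reboot. A comment above the block such as `# Secret files are created out-of-band (owner gitlab, mode 0400) and must be persisted before enabling root rollback` would make the operational dependency explicit. While there, `budet` in the puma comment should read `budget`. The file header is not shown for this section; judging by the import in `systems/dirae.nix` it appears to be `packages/gitlab/package.nix`.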


@ -0,0 +1,33 @@
{ simple-mailserver, ... }:
{
imports = [
simple-mailserver.nixosModule
];
mailserver = {
enable = true;
fqdn = "dirae.org";
domains = [ "dirae.org" ];
loginAccounts = {
"caem@dirae.org" = {
hashedPasswordFile = "/nix/config/packages/mailserver/pw";
aliases = [
"admin@dirae.org"
"postmaser@dirae.org"
"legal@dirae.org"
"contact@dirae.org"
"dmca@dirae.org"
"pt@dirae.org"
"cali@dirae.org"
"abuse@dirae.org"
];
};
};
# Managed in configuration for nginx
certificateScheme = "acme";
};
}
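Review bot: The alias `"postmaser@dirae.org"` is misspelled; RFC 5321 requires every mail domain to accept `postmaster@`, so as written mail addressed to postmaster@dirae.org will be rejected — change it to `"postmaster@dirae.org"`. Separately, `hashedPasswordFile` points into `/nix/config/packages/mailserver/pw`, which looks like the configuration checkout itself; if that path is tracked in the repository or world-readable the password hash is exposed, so a comment stating the expected owner and mode (or keeping it with the other secrets under `/var/keys`) would help. The file header is missing here; this appears to be `packages/mailserver/package.nix` given the import in `systems/dirae.nix`.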

48
packages/nginx/dirae.nix Normal file

@ -0,0 +1,48 @@
{ ... }:
let
fqdn = "dirae.org";
serverConfig."m.server" = "dirae.org:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
security.acme.acceptTerms = true;
security.acme.defaults.email = "caem@dirae.org";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"dirae.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = "/var/www/dirae";
};
locations."/.well-known/matrix/server".extraConfig = ''
return 200 '{"m.server": "dirae.org:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
};
"gitlab.dirae.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
};
};
}
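Review bot: `serverConfig` and `mkWellKnown` in the `let` block are never used — the `/.well-known/matrix/server` location repeats the same JSON inline — so either drop them or use them, e.g. `locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;`, which keeps a single source of truth for the delegation target. For the `/_matrix` proxy, NixOS's nginx module defaults `client_max_body_size` to 10m (I believe) while Synapse's default `max_upload_size` is larger, so media uploads above the proxy limit would be rejected by nginx rather than Synapse; setting `clientMaxBodySize` on the vhost to match Synapse's limit avoids confusing client errors. A one-line comment on the well-known location, `# Delegates Matrix federation for dirae.org to this host on 443`, would also help.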

16
packages/sshd/package.nix Normal file

@ -0,0 +1,16 @@
{ ... }:
{
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
};
};
users.users."user".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnopPaLuQT4+5LzqiBM4JfdRamzArszOrfoDy96KpQL9jeZQhT4E7LE63tySza4auJyTkFcnfGEQQaAlCUYTVvWrvB6l2nG7mVZ5Cr0YvQ1U9AY+1OPE5wCSDUk9zaUm3ldWgUWRA/MyGtzm3kQ+ZtYIOqtvF6Ki5vPRYl+QR0cjThw5Sr/99sTqZwgmbPoAkLXnioSI+oOgV6H8M9XCuvwmlm6YKfBrjTQltj93GpSf24Lf9YaFc51Auao78AfOof/EtGWlcBrvfdjaS/scxSmHO9r/AShV/BEVboG+89i+Qia67cATGIwDLB6HZO1dO5qTSImzcQ/QnFW1E0IGZy3LvKd/FT8QCpHjDtPlsxWwIuTgyLD3c9OZTTA8w619QBKic3KEhuRkhuwOqSPgpvgkK8hS91gr8spL+6U4Bdgo8gZH14kj7ZhiNsIur0Chj/X1uCHGXEHhlV4ky2XAxhGSSr9fy06w4uPsIXGnSufm8jbBAhYDrNzaod2Q/73VE= user@workstation"
];
networking.firewall.allowedTCPPorts = [ 22 ];
}
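Review bot: `PasswordAuthentication = false` alone does not disable password logins on NixOS, because `KbdInteractiveAuthentication` stays at its default of true (I believe) and PAM will still prompt for a password over keyboard-interactive; add `KbdInteractiveAuthentication = false;` next to it so only the listed key can authenticate. The explicit `networking.firewall.allowedTCPPorts = [ 22 ];` duplicates `services.openssh.openFirewall`, which defaults to true, and can be removed. A comment on the key list, `# Key-only access: if this key is lost, console access to the VM is required`, would warn future maintainers before they rotate it.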


@ -0,0 +1,31 @@
{ pkgs, ... }:
{
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.matrix-synapse = {
enable = true;
settings.server_name = "dirae.org";
settings.listeners = [
{
port = 8008;
bind_addresses = [ "127.0.0.1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}
];
};
}
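Review bot: The `initialScript` creates the `matrix-synapse` role with the literal password `'synapse'`, and because `pkgs.writeText` places the script in the world-readable Nix store that credential is visible to every local user. The NixOS Synapse module connects over the local socket with peer authentication by default (I believe), so the password is unnecessary, and if the default `host 127.0.0.1/32 md5` rule is in effect it is also usable over loopback by any local process; drop it with `CREATE ROLE "matrix-synapse" WITH LOGIN;`. A comment explaining why `ensureDatabases`/`ensureUsers` are not used here — `# Explicit CREATE DATABASE: Synapse requires C collation/ctype` — would stop someone from "simplifying" this later. The file header is missing; this appears to be `packages/synapse/package.nix` given the import in `systems/dirae.nix`.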


@ -6,6 +6,7 @@
wget
curl
git
tree
];
services.openssh.enable = true;

54
systems/dirae.nix Normal file

@ -0,0 +1,54 @@
{ ... }:
{
imports = [
./common.nix
./hardware/dirae.nix
# ./persist/dirae.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
../packages/sshd/package.nix
../packages/mailserver/package.nix
../packages/nginx/dirae.nix
../packages/gitlab/package.nix
../packages/synapse/package.nix
];
boot = {
loader = {
grub = {
enable = true;
device = "/dev/vda";
};
};
kernel = {
sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
};
};
networking = {
hostName = "dirae";
enableIPv6 = false;
hostId = "149e5b5c";
interfaces = {
enp6s18.ipv4.addresses = [{
address = "91.210.224.148";
prefixLength = 24;
}];
};
nameservers = [ "1.1.1.1" "8.8.8.8" ];
defaultGateway = "91.210.224.1";
firewall = {
enable = true;
};
};
time.timeZone = "Europe/Berlin";
# To not mess up SSH sessions from weird terminals
environment.sessionVariables = {
TERM = "xterm";
};
}
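Review bot: The sysctl `net.ipv6.conf.eth0.disable_ipv6` targets an interface named `eth0`, but the only interface configured in this file is `enp6s18`, so the line has no effect on this host; with `networking.enableIPv6 = false` NixOS already sets the `all`/`default` `disable_ipv6` sysctls (I believe), so the `boot.kernel` block can simply be removed. The commented-out `./persist/dirae.nix` import is consistent with the commented-out ZFS rollback in `hardware/dirae.nix`, but nothing records that the two must be enabled together — a comment such as `# Enable together with the zfs rollback in ./hardware/dirae.nix` on that line would prevent enabling one without the other. A short comment on the static address, `# Static IPv4 assigned by the hosting provider; IPv6 intentionally disabled`, would document the intent behind `enableIPv6 = false`.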


@ -0,0 +1,44 @@
{ lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.zfs.devNodes = "/dev/disk/by-path";
# Will enable this later when everything is stable
# boot.initrd.postDeviceCommands = lib.mkAfter ''
# zfs rollback -r local/root@blank
# '';
fileSystems."/" = {
device = "local/root";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B33B-0EBE";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "local/nix";
fsType = "zfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
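Review bot: `networking.useDHCP = lib.mkDefault true` is left in place even though `systems/dirae.nix` configures a static address on `enp6s18`, so a DHCP client will also run on that interface and may delay boot or override the static route if a DHCP server answers; since nothing overrides the `mkDefault`, change it to `networking.useDHCP = false;` here or set it in `systems/dirae.nix`. The commented-out `zfs rollback -r local/root@blank` will also wipe `/etc/ssh` and `/etc/machine-id` on every boot, so it must only be enabled once `systems/persist/dirae.nix` (which persists both) is imported — extend the comment to `# Enable together with ../persist/dirae.nix, otherwise host keys and service state are lost on each boot`.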


@ -4,7 +4,7 @@
imports = [
./common.nix
./hardware/homeserver.nix
./persist/homeserver.nix
./persist/common.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
../packages/nginx/homeserver.nix
@ -53,7 +53,7 @@
console.keyMap = "uk";
# To not mess up SSH sessions from weird terminals
environment.sessionVariables = rec {
environment.sessionVariables = {
TERM = "xterm";
};
}


@ -5,7 +5,7 @@
impermanence.nixosModules.impermanence
];
environment.persistence."/nix/persist/common" = {
environment.persistence."/nix/persist" = {
directories = [
"/etc/ssh"
"/var/lib"
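Review bot: Moving the persistence root from `/nix/persist/common` to `/nix/persist` changes where `/etc/ssh` and `/var/lib` are bind-mounted from on the hosts that import this file (homeserver and qemu-vm), so unless the existing data is moved first, the next boot sees empty directories, sshd regenerates its host keys and every client gets a host-key-changed warning. This deserves a note in the commit description or a comment on the changed line, e.g. `# Changed from /nix/persist/common; move existing data before rebuilding`. The rest of the directory list continues outside the hunk.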

33
systems/persist/dirae.nix Normal file

@ -0,0 +1,33 @@
{ impermanence, ... }:
{
imports = [
impermanence.nixosModules.impermanence
];
environment.persistence."/nix/persist" = {
hideMounts = true;
directories = [
"/var/spool"
{ directory = "/var/dkim"; user = "opendkim";
group = "opendkim"; mode = "u=rwx,g=rx,o=rx"; }
{ directory = "/var/sieve"; user = "virtualMail";
group = "virtualMail"; mode = "u=rwx,g=rwx,o="; }
{ directory = "/var/vmail"; user = "virtualMail";
group = "virtualMail"; mode = "u=rwx,g=rws,o="; }
"/etc/dovecot"
"/etc/pki"
"/etc/ssh"
{ directory = "/var/lib/acme"; user = "acme";
group = "acme"; mode = "u=rwx,g=rx,o=rx"; }
{ directory = "/var/lib/opendkim"; user = "opendkim";
group = "opendkim"; mode = "u=rwx,g=,o="; }
"/var/lib/postfix"
"/var/log"
];
files = [
"/etc/machine-id"
];
};
}
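Review bot: The persisted directories cover the mail stack only; none of the state for the other services enabled on this host is listed — GitLab's state directory and `/var/keys/gitlab`, the PostgreSQL data directory (`/var/lib/postgresql` on NixOS, I believe), Synapse's data directory, and `/var/lib/nixos`, which impermanence relies on to keep uid/gid assignments stable across boots. Once this file is imported and the root rollback enabled, those services would lose their data and the Postgres role created by the synapse `initialScript` would be recreated on each boot. Add the missing entries before enabling the rollback, and consider a header comment: `# Everything not listed here is discarded on boot by the ZFS rollback in hardware/dirae.nix`.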


@ -1,7 +0,0 @@
{ ... }:
{
imports = [
./common.nix
];
}


@ -1,7 +0,0 @@
{ ... }:
{
imports = [
./common.nix
];
}


@ -6,7 +6,7 @@
../sets/meta/sysadmin.nix
../packages/vim/package.nix
./common.nix
./persist/qemu-vm.nix
./persist/common.nix
];
boot.loader.grub.enable = true;


@ -1,4 +1,4 @@
{ ... }:
{ ... }:
{
users.users.user = {