Add configuration for dirae.org
This commit is contained in:
parent
471ae20bb7
commit
fe9f7d9732
17 changed files with 421 additions and 20 deletions
117
flake.lock
117
flake.lock
|
@ -1,5 +1,37 @@
|
|||
{
|
||||
"nodes": {
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1604995301,
|
||||
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1668681692,
|
||||
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"impermanence": {
|
||||
"locked": {
|
||||
"lastModified": 1684264534,
|
||||
|
@ -31,13 +63,83 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-22_11": {
|
||||
"locked": {
|
||||
"lastModified": 1669558522,
|
||||
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-22.11",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-23_05": {
|
||||
"locked": {
|
||||
"lastModified": 1684782344,
|
||||
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-23.05",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1670751203,
|
||||
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-unstable",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"impermanence": "impermanence",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"simple-mailserver": "simple-mailserver",
|
||||
"unstable": "unstable"
|
||||
}
|
||||
},
|
||||
"simple-mailserver": {
|
||||
"inputs": {
|
||||
"blobs": "blobs",
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-22_11": "nixpkgs-22_11",
|
||||
"nixpkgs-23_05": "nixpkgs-23_05",
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1687462267,
|
||||
"narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "24128c3052090311688b09a400aa408ba61c6ee5",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"ref": "nixos-23.05",
|
||||
"repo": "nixos-mailserver",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1686960236,
|
||||
|
@ -53,6 +155,21 @@
|
|||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
"locked": {
|
||||
"lastModified": 1605370193,
|
||||
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
|
15
flake.nix
15
flake.nix
|
@ -7,11 +7,14 @@
|
|||
|
||||
# https://nixos.wiki/wiki/Impermanence
|
||||
impermanence.url = "github:nix-community/impermanence";
|
||||
|
||||
simple-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, ... }@attrs: let
|
||||
user = "user"; # Select user from `./users` directory
|
||||
user = "user"; # Select user from the `./users` directory
|
||||
in {
|
||||
# Media homeserver
|
||||
nixosConfigurations.homeserver = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = attrs;
|
||||
|
@ -21,6 +24,16 @@
|
|||
];
|
||||
};
|
||||
|
||||
# dirae.org
|
||||
nixosConfigurations.dirae = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = attrs;
|
||||
modules = [
|
||||
./users/${user}.nix
|
||||
./systems/dirae.nix
|
||||
];
|
||||
};
|
||||
|
||||
# Debugging VM configuration
|
||||
nixosConfigurations.qemu-vm = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
|
|
25
packages/gitlab/package.nix
Normal file
25
packages/gitlab/package.nix
Normal file
|
@ -0,0 +1,25 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
services.gitlab = {
|
||||
enable = true;
|
||||
host = "gitlab.dirae.org";
|
||||
|
||||
# Server is running on limited budet :,)
|
||||
# https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html
|
||||
puma.workers = 0;
|
||||
|
||||
user = "gitlab";
|
||||
group = "gitlab";
|
||||
|
||||
https = true;
|
||||
databasePasswordFile = "/var/keys/gitlab/db_password";
|
||||
initialRootPasswordFile = "/var/keys/gitlab/root_password";
|
||||
secrets = {
|
||||
dbFile = "/var/keys/gitlab/db";
|
||||
secretFile = "/var/keys/gitlab/secret";
|
||||
otpFile = "/var/keys/gitlab/otp";
|
||||
jwsFile = "/var/keys/gitlab/jws";
|
||||
};
|
||||
};
|
||||
}
|
33
packages/mailserver/package.nix
Normal file
33
packages/mailserver/package.nix
Normal file
|
@ -0,0 +1,33 @@
|
|||
{ simple-mailserver, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
simple-mailserver.nixosModule
|
||||
];
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "dirae.org";
|
||||
domains = [ "dirae.org" ];
|
||||
|
||||
loginAccounts = {
|
||||
"caem@dirae.org" = {
|
||||
hashedPasswordFile = "/nix/config/packages/mailserver/pw";
|
||||
|
||||
aliases = [
|
||||
"admin@dirae.org"
|
||||
"postmaser@dirae.org"
|
||||
"legal@dirae.org"
|
||||
"contact@dirae.org"
|
||||
"dmca@dirae.org"
|
||||
"pt@dirae.org"
|
||||
"cali@dirae.org"
|
||||
"abuse@dirae.org"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# Managed in configuration for nginx
|
||||
certificateScheme = "acme";
|
||||
};
|
||||
}
|
48
packages/nginx/dirae.nix
Normal file
48
packages/nginx/dirae.nix
Normal file
|
@ -0,0 +1,48 @@
|
|||
{ ... }:
|
||||
let
|
||||
fqdn = "dirae.org";
|
||||
serverConfig."m.server" = "dirae.org:443";
|
||||
mkWellKnown = data: ''
|
||||
add_header Content-Type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
return 200 '${builtins.toJSON data}';
|
||||
'';
|
||||
in {
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "caem@dirae.org";
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
virtualHosts = {
|
||||
"dirae.org" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
root = "/var/www/dirae";
|
||||
};
|
||||
locations."/.well-known/matrix/server".extraConfig = ''
|
||||
return 200 '{"m.server": "dirae.org:443"}';
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
'';
|
||||
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
|
||||
|
||||
};
|
||||
|
||||
"gitlab.dirae.org" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
16
packages/sshd/package.nix
Normal file
16
packages/sshd/package.nix
Normal file
|
@ -0,0 +1,16 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
};
|
||||
};
|
||||
|
||||
users.users."user".openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnopPaLuQT4+5LzqiBM4JfdRamzArszOrfoDy96KpQL9jeZQhT4E7LE63tySza4auJyTkFcnfGEQQaAlCUYTVvWrvB6l2nG7mVZ5Cr0YvQ1U9AY+1OPE5wCSDUk9zaUm3ldWgUWRA/MyGtzm3kQ+ZtYIOqtvF6Ki5vPRYl+QR0cjThw5Sr/99sTqZwgmbPoAkLXnioSI+oOgV6H8M9XCuvwmlm6YKfBrjTQltj93GpSf24Lf9YaFc51Auao78AfOof/EtGWlcBrvfdjaS/scxSmHO9r/AShV/BEVboG+89i+Qia67cATGIwDLB6HZO1dO5qTSImzcQ/QnFW1E0IGZy3LvKd/FT8QCpHjDtPlsxWwIuTgyLD3c9OZTTA8w619QBKic3KEhuRkhuwOqSPgpvgkK8hS91gr8spL+6U4Bdgo8gZH14kj7ZhiNsIur0Chj/X1uCHGXEHhlV4ky2XAxhGSSr9fy06w4uPsIXGnSufm8jbBAhYDrNzaod2Q/73VE= user@workstation"
|
||||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||
}
|
31
packages/synapse/package.nix
Normal file
31
packages/synapse/package.nix
Normal file
|
@ -0,0 +1,31 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql.initialScript = pkgs.writeText "synapse-init" ''
|
||||
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
|
||||
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
||||
TEMPLATE template0
|
||||
LC_COLLATE = "C"
|
||||
LC_CTYPE = "C";
|
||||
'';
|
||||
|
||||
services.matrix-synapse = {
|
||||
enable = true;
|
||||
settings.server_name = "dirae.org";
|
||||
|
||||
settings.listeners = [
|
||||
{
|
||||
port = 8008;
|
||||
bind_addresses = [ "127.0.0.1" ];
|
||||
type = "http";
|
||||
tls = false;
|
||||
x_forwarded = true;
|
||||
resources = [{
|
||||
names = [ "client" "federation" ];
|
||||
compress = true;
|
||||
}];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
|
@ -6,6 +6,7 @@
|
|||
wget
|
||||
curl
|
||||
git
|
||||
tree
|
||||
];
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
|
54
systems/dirae.nix
Normal file
54
systems/dirae.nix
Normal file
|
@ -0,0 +1,54 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./common.nix
|
||||
./hardware/dirae.nix
|
||||
# ./persist/dirae.nix
|
||||
../sets/meta/sysadmin.nix
|
||||
../packages/vim/package.nix
|
||||
../packages/sshd/package.nix
|
||||
../packages/mailserver/package.nix
|
||||
../packages/nginx/dirae.nix
|
||||
../packages/gitlab/package.nix
|
||||
../packages/synapse/package.nix
|
||||
];
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
grub = {
|
||||
enable = true;
|
||||
device = "/dev/vda";
|
||||
};
|
||||
};
|
||||
|
||||
kernel = {
|
||||
sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
|
||||
};
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "dirae";
|
||||
enableIPv6 = false;
|
||||
hostId = "149e5b5c";
|
||||
interfaces = {
|
||||
enp6s18.ipv4.addresses = [{
|
||||
address = "91.210.224.148";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
};
|
||||
nameservers = [ "1.1.1.1" "8.8.8.8" ];
|
||||
defaultGateway = "91.210.224.1";
|
||||
firewall = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# To not mess up SSH sessions from weird terminals
|
||||
environment.sessionVariables = {
|
||||
TERM = "xterm";
|
||||
};
|
||||
}
|
||||
|
44
systems/hardware/dirae.nix
Normal file
44
systems/hardware/dirae.nix
Normal file
|
@ -0,0 +1,44 @@
|
|||
{ lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.zfs.devNodes = "/dev/disk/by-path";
|
||||
|
||||
# Will enable this later when everything is stable
|
||||
# boot.initrd.postDeviceCommands = lib.mkAfter ''
|
||||
# zfs rollback -r local/root@blank
|
||||
# '';
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "local/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/B33B-0EBE";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/nix" = {
|
||||
device = "local/nix";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
|
@ -4,7 +4,7 @@
|
|||
imports = [
|
||||
./common.nix
|
||||
./hardware/homeserver.nix
|
||||
./persist/homeserver.nix
|
||||
./persist/common.nix
|
||||
../sets/meta/sysadmin.nix
|
||||
../packages/vim/package.nix
|
||||
../packages/nginx/homeserver.nix
|
||||
|
@ -53,7 +53,7 @@
|
|||
console.keyMap = "uk";
|
||||
|
||||
# To not mess up SSH sessions from weird terminals
|
||||
environment.sessionVariables = rec {
|
||||
environment.sessionVariables = {
|
||||
TERM = "xterm";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
impermanence.nixosModules.impermanence
|
||||
];
|
||||
|
||||
environment.persistence."/nix/persist/common" = {
|
||||
environment.persistence."/nix/persist" = {
|
||||
directories = [
|
||||
"/etc/ssh"
|
||||
"/var/lib"
|
||||
|
|
33
systems/persist/dirae.nix
Normal file
33
systems/persist/dirae.nix
Normal file
|
@ -0,0 +1,33 @@
|
|||
{ impermanence, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
impermanence.nixosModules.impermanence
|
||||
];
|
||||
|
||||
environment.persistence."/nix/persist" = {
|
||||
hideMounts = true;
|
||||
directories = [
|
||||
"/var/spool"
|
||||
{ directory = "/var/dkim"; user = "opendkim";
|
||||
group = "opendkim"; mode = "u=rwx,g=rx,o=rx"; }
|
||||
{ directory = "/var/sieve"; user = "virtualMail";
|
||||
group = "virtualMail"; mode = "u=rwx,g=rwx,o="; }
|
||||
{ directory = "/var/vmail"; user = "virtualMail";
|
||||
group = "virtualMail"; mode = "u=rwx,g=rws,o="; }
|
||||
"/etc/dovecot"
|
||||
"/etc/pki"
|
||||
"/etc/ssh"
|
||||
{ directory = "/var/lib/acme"; user = "acme";
|
||||
group = "acme"; mode = "u=rwx,g=rx,o=rx"; }
|
||||
{ directory = "/var/lib/opendkim"; user = "opendkim";
|
||||
group = "opendkim"; mode = "u=rwx,g=,o="; }
|
||||
"/var/lib/postfix"
|
||||
"/var/log"
|
||||
];
|
||||
|
||||
files = [
|
||||
"/etc/machine-id"
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./common.nix
|
||||
];
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./common.nix
|
||||
];
|
||||
}
|
|
@ -6,7 +6,7 @@
|
|||
../sets/meta/sysadmin.nix
|
||||
../packages/vim/package.nix
|
||||
./common.nix
|
||||
./persist/qemu-vm.nix
|
||||
./persist/common.nix
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
users.users.user = {
|
||||
|
|
Loading…
Reference in a new issue