diff --git a/flake.lock b/flake.lock index 14dcb52..8414d35 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,37 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "impermanence": { "locked": { "lastModified": 1684264534, @@ -31,13 +63,83 @@ "type": "github" } }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1670751203, + "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "root": { "inputs": { "impermanence": "impermanence", "nixpkgs": "nixpkgs", + "simple-mailserver": "simple-mailserver", "unstable": "unstable" } }, + "simple-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_2", + "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1687462267, + "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "24128c3052090311688b09a400aa408ba61c6ee5", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-23.05", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "unstable": { "locked": { "lastModified": 1686960236, @@ -53,6 +155,21 @@ "repo": "nixpkgs", "type": "github" } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index ac44b6f..ebf9d42 100644 --- a/flake.nix +++ b/flake.nix @@ -7,11 +7,14 @@ # https://nixos.wiki/wiki/Impermanence impermanence.url = "github:nix-community/impermanence"; + + simple-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; }; outputs = { self, nixpkgs, ... }@attrs: let - user = "user"; # Select user from `./users` directory + user = "user"; # Select user from the `./users` directory in { + # Media homeserver nixosConfigurations.homeserver = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = attrs; @@ -21,6 +24,16 @@ ]; }; + # dirae.org + nixosConfigurations.dirae = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + ./users/${user}.nix + ./systems/dirae.nix + ]; + }; + # Debugging VM configuration nixosConfigurations.qemu-vm = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; diff --git a/packages/gitlab/package.nix b/packages/gitlab/package.nix new file mode 100644 index 0000000..ee33c5d --- /dev/null +++ b/packages/gitlab/package.nix @@ -0,0 +1,25 @@ +{ ... }: + +{ + services.gitlab = { + enable = true; + host = "gitlab.dirae.org"; + + # Server is running on limited budet :,) + # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html + puma.workers = 0; + + user = "gitlab"; + group = "gitlab"; + + https = true; + databasePasswordFile = "/var/keys/gitlab/db_password"; + initialRootPasswordFile = "/var/keys/gitlab/root_password"; + secrets = { + dbFile = "/var/keys/gitlab/db"; + secretFile = "/var/keys/gitlab/secret"; + otpFile = "/var/keys/gitlab/otp"; + jwsFile = "/var/keys/gitlab/jws"; + }; + }; +} diff --git a/packages/mailserver/package.nix b/packages/mailserver/package.nix new file mode 100644 index 0000000..327d609 --- /dev/null +++ b/packages/mailserver/package.nix @@ -0,0 +1,33 @@ +{ simple-mailserver, ... }: + +{ + imports = [ + simple-mailserver.nixosModule + ]; + + mailserver = { + enable = true; + fqdn = "dirae.org"; + domains = [ "dirae.org" ]; + + loginAccounts = { + "caem@dirae.org" = { + hashedPasswordFile = "/nix/config/packages/mailserver/pw"; + + aliases = [ + "admin@dirae.org" + "postmaser@dirae.org" + "legal@dirae.org" + "contact@dirae.org" + "dmca@dirae.org" + "pt@dirae.org" + "cali@dirae.org" + "abuse@dirae.org" + ]; + }; + }; + + # Managed in configuration for nginx + certificateScheme = "acme"; + }; +} diff --git a/packages/nginx/dirae.nix b/packages/nginx/dirae.nix new file mode 100644 index 0000000..a4195c8 --- /dev/null +++ b/packages/nginx/dirae.nix @@ -0,0 +1,48 @@ +{ ... }: +let + fqdn = "dirae.org"; + serverConfig."m.server" = "dirae.org:443"; + mkWellKnown = data: '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON data}'; + ''; +in { + security.acme.acceptTerms = true; + security.acme.defaults.email = "caem@dirae.org"; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts = { + "dirae.org" = { + enableACME = true; + forceSSL = true; + locations."/" = { + root = "/var/www/dirae"; + }; + locations."/.well-known/matrix/server".extraConfig = '' + return 200 '{"m.server": "dirae.org:443"}'; + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; + + }; + + "gitlab.dirae.org" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; + }; + + }; + }; + }; +} diff --git a/packages/sshd/package.nix b/packages/sshd/package.nix new file mode 100644 index 0000000..1288e1f --- /dev/null +++ b/packages/sshd/package.nix @@ -0,0 +1,16 @@ +{ ... }: + +{ + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + }; + }; + + users.users."user".openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnopPaLuQT4+5LzqiBM4JfdRamzArszOrfoDy96KpQL9jeZQhT4E7LE63tySza4auJyTkFcnfGEQQaAlCUYTVvWrvB6l2nG7mVZ5Cr0YvQ1U9AY+1OPE5wCSDUk9zaUm3ldWgUWRA/MyGtzm3kQ+ZtYIOqtvF6Ki5vPRYl+QR0cjThw5Sr/99sTqZwgmbPoAkLXnioSI+oOgV6H8M9XCuvwmlm6YKfBrjTQltj93GpSf24Lf9YaFc51Auao78AfOof/EtGWlcBrvfdjaS/scxSmHO9r/AShV/BEVboG+89i+Qia67cATGIwDLB6HZO1dO5qTSImzcQ/QnFW1E0IGZy3LvKd/FT8QCpHjDtPlsxWwIuTgyLD3c9OZTTA8w619QBKic3KEhuRkhuwOqSPgpvgkK8hS91gr8spL+6U4Bdgo8gZH14kj7ZhiNsIur0Chj/X1uCHGXEHhlV4ky2XAxhGSSr9fy06w4uPsIXGnSufm8jbBAhYDrNzaod2Q/73VE= user@workstation" + ]; + + networking.firewall.allowedTCPPorts = [ 22 ]; +} diff --git a/packages/synapse/package.nix b/packages/synapse/package.nix new file mode 100644 index 0000000..73ad666 --- /dev/null +++ b/packages/synapse/package.nix @@ -0,0 +1,31 @@ +{ pkgs, ... }: + +{ + services.postgresql.enable = true; + services.postgresql.initialScript = pkgs.writeText "synapse-init" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + + services.matrix-synapse = { + enable = true; + settings.server_name = "dirae.org"; + + settings.listeners = [ + { + port = 8008; + bind_addresses = [ "127.0.0.1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [{ + names = [ "client" "federation" ]; + compress = true; + }]; + } + ]; + }; +} diff --git a/sets/meta/sysadmin.nix b/sets/meta/sysadmin.nix index c9eaddd..ac5c14c 100644 --- a/sets/meta/sysadmin.nix +++ b/sets/meta/sysadmin.nix @@ -6,6 +6,7 @@ wget curl git + tree ]; services.openssh.enable = true; diff --git a/systems/dirae.nix b/systems/dirae.nix new file mode 100644 index 0000000..f52a088 --- /dev/null +++ b/systems/dirae.nix @@ -0,0 +1,54 @@ +{ ... }: + +{ + imports = [ + ./common.nix + ./hardware/dirae.nix +# ./persist/dirae.nix + ../sets/meta/sysadmin.nix + ../packages/vim/package.nix + ../packages/sshd/package.nix + ../packages/mailserver/package.nix + ../packages/nginx/dirae.nix + ../packages/gitlab/package.nix + ../packages/synapse/package.nix + ]; + + boot = { + loader = { + grub = { + enable = true; + device = "/dev/vda"; + }; + }; + + kernel = { + sysctl."net.ipv6.conf.eth0.disable_ipv6" = true; + }; + }; + + networking = { + hostName = "dirae"; + enableIPv6 = false; + hostId = "149e5b5c"; + interfaces = { + enp6s18.ipv4.addresses = [{ + address = "91.210.224.148"; + prefixLength = 24; + }]; + }; + nameservers = [ "1.1.1.1" "8.8.8.8" ]; + defaultGateway = "91.210.224.1"; + firewall = { + enable = true; + }; + }; + + time.timeZone = "Europe/Berlin"; + + # To not mess up SSH sessions from weird terminals + environment.sessionVariables = { + TERM = "xterm"; + }; +} + diff --git a/systems/hardware/dirae.nix b/systems/hardware/dirae.nix new file mode 100644 index 0000000..9d9ffa7 --- /dev/null +++ b/systems/hardware/dirae.nix @@ -0,0 +1,44 @@ +{ lib, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.zfs.devNodes = "/dev/disk/by-path"; + + # Will enable this later when everything is stable +# boot.initrd.postDeviceCommands = lib.mkAfter '' +# zfs rollback -r local/root@blank +# ''; + + fileSystems."/" = { + device = "local/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/B33B-0EBE"; + fsType = "vfat"; + }; + + fileSystems."/nix" = { + device = "local/nix"; + fsType = "zfs"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/systems/homeserver.nix b/systems/homeserver.nix index cd07919..527c553 100644 --- a/systems/homeserver.nix +++ b/systems/homeserver.nix @@ -4,7 +4,7 @@ imports = [ ./common.nix ./hardware/homeserver.nix - ./persist/homeserver.nix + ./persist/common.nix ../sets/meta/sysadmin.nix ../packages/vim/package.nix ../packages/nginx/homeserver.nix @@ -53,7 +53,7 @@ console.keyMap = "uk"; # To not mess up SSH sessions from weird terminals - environment.sessionVariables = rec { + environment.sessionVariables = { TERM = "xterm"; }; } diff --git a/systems/persist/common.nix b/systems/persist/common.nix index 12c5c4f..25700c4 100644 --- a/systems/persist/common.nix +++ b/systems/persist/common.nix @@ -5,7 +5,7 @@ impermanence.nixosModules.impermanence ]; - environment.persistence."/nix/persist/common" = { + environment.persistence."/nix/persist" = { directories = [ "/etc/ssh" "/var/lib" diff --git a/systems/persist/dirae.nix b/systems/persist/dirae.nix new file mode 100644 index 0000000..87316ea --- /dev/null +++ b/systems/persist/dirae.nix @@ -0,0 +1,33 @@ +{ impermanence, ... }: + +{ + imports = [ + impermanence.nixosModules.impermanence + ]; + + environment.persistence."/nix/persist" = { + hideMounts = true; + directories = [ + "/var/spool" + { directory = "/var/dkim"; user = "opendkim"; + group = "opendkim"; mode = "u=rwx,g=rx,o=rx"; } + { directory = "/var/sieve"; user = "virtualMail"; + group = "virtualMail"; mode = "u=rwx,g=rwx,o="; } + { directory = "/var/vmail"; user = "virtualMail"; + group = "virtualMail"; mode = "u=rwx,g=rws,o="; } + "/etc/dovecot" + "/etc/pki" + "/etc/ssh" + { directory = "/var/lib/acme"; user = "acme"; + group = "acme"; mode = "u=rwx,g=rx,o=rx"; } + { directory = "/var/lib/opendkim"; user = "opendkim"; + group = "opendkim"; mode = "u=rwx,g=,o="; } + "/var/lib/postfix" + "/var/log" + ]; + + files = [ + "/etc/machine-id" + ]; + }; +} diff --git a/systems/persist/homeserver.nix b/systems/persist/homeserver.nix deleted file mode 100644 index 27f4abc..0000000 --- a/systems/persist/homeserver.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - imports = [ - ./common.nix - ]; -} diff --git a/systems/persist/qemu-vm.nix b/systems/persist/qemu-vm.nix deleted file mode 100644 index 27f4abc..0000000 --- a/systems/persist/qemu-vm.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - imports = [ - ./common.nix - ]; -} diff --git a/systems/qemu-vm.nix b/systems/qemu-vm.nix index 13ba35d..ffb8a4b 100644 --- a/systems/qemu-vm.nix +++ b/systems/qemu-vm.nix @@ -6,7 +6,7 @@ ../sets/meta/sysadmin.nix ../packages/vim/package.nix ./common.nix - ./persist/qemu-vm.nix + ./persist/common.nix ]; boot.loader.grub.enable = true; diff --git a/users/user.nix b/users/user.nix index 2968bdd..3b1137e 100644 --- a/users/user.nix +++ b/users/user.nix @@ -1,4 +1,4 @@ -{ ... }: +{ ... }: { users.users.user = {