# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
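{ config, pkgs, lib, ... }:

let
  # Host-specific secrets (hostnames, password hashes, mail credentials,
  # tor hostnames) are kept outside this repository and resolved via NIX_PATH.
  secrets = import <secrets>;
  yoricc = import ../packages/yori-cc.nix;
  luadbi = pkgs.callPackage ../packages/luadbi.nix {};

  # Webroot served by nginx for HTTP-01 challenges; also handed to the ACME client.
  acmeWebRoot = "/etc/sslcerts/acmeroot";
  # Directory the ACME module fills with key.pem / fullchain.pem for yori.cc.
  # Consumed by mailz and nginx directly, and by prosody through a copy (see preStart).
  acmeKeyDir = "${config.security.acme.directory}/yori.cc";
in
{
  imports = [
    ./hardware-configuration.nix
    ../roles/common.nix
    ../modules/mailz.nix
    ../modules/nginx.nix
    ../modules/tor-hidden-service.nix
    ../modules/muflax-blog.nix
    ../modules/backup.nix
  ];

  networking.hostName = secrets.hostnames.pennyworth;

  services.nixosManual.enable = false;
  environment.noXlibs = true;

  services.openssh.enable = true;
  # The root-password note below relies on ssh password logins being off.
  # Pinned here so that stays true even if ../roles/common.nix changes; a
  # conflicting definition there would now fail evaluation instead of going unnoticed.
  services.openssh.passwordAuthentication = false;

  networking.enableIPv6 = lib.mkOverride 30 true;

  system.stateVersion = "16.03";

  # root password is useful from console, ssh has password logins disabled
  users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword;

  # email
  services.mailz = {
    domain = config.networking.hostName;
    keydir = acmeKeyDir;
    mainUser = "yorick";
    users = {
      yorick = with secrets; {
        password = yorick_mailPassword;
        domains = email_domains;
      };
    };
  };

  services.backup = {
    enable = true;
    backups = {
      mail = {
        dir = "/var/spool/mail";
        remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak";
        # Credentials are read from this runtime path, not embedded in the store.
        keyfile = "/var/backup/creds";
        interval = "daily";
      };
    };
  };

  # website + lets encrypt challenge hosting
  nginxssl = {
    enable = true;
    challenges."${config.networking.hostName}" = acmeWebRoot;
    servers."yori.cc" = {
      key_root = acmeKeyDir;
      key_webroot = acmeWebRoot;
      contents = ''
        location / {
          rewrite ^(.*) https://yorickvanpelt.nl$1 permanent;
        }
      '';
    };
    servers."yorickvanpelt.nl" = {
      key_root = acmeKeyDir;
      key_webroot = acmeWebRoot;
      contents = ''
        location / {
          root ${yoricc}/web;
        }
      '';
    };
  };

  # Let's Encrypt configuration.
  security.acme.preliminarySelfsigned = true;
  security.acme.certs."yori.cc" = {
    email = secrets.email;
    extraDomains = {
      "${config.networking.hostName}" = null;
      "yorickvanpelt.nl" = null;
    };
    webroot = acmeWebRoot;
    # After renewal: reload the daemons that read acmeKeyDir in place, and
    # restart prosody so its preStart re-copies the renewed key material.
    postRun = ''
      systemctl reload nginx.service dovecot2.service postfix.service
      systemctl restart prosody.service
    '';
  };
  # NOTE(review): the original had a stray `'';` immediately after this
  # attribute set, which does not parse; it has been dropped.

  # hidden SSH service
  services.tor.hiddenServices = [
    { name = "ssh";
      port = 22;
      hostname = secrets.tor_hostnames."ssh.pennyworth";
      # NOTE(review): /run/keys is presumably populated at deploy time; the
      # onion key must stay out of the world-readable store — confirm.
      private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
  ];

  # XMPP
  services.prosody = let
    # TODO: this should be in nixpkgs
    prosodyModules = pkgs.fetchhg {
      name = "prosody-modules-22042016";
      rev = "e0b8b8a50013";
      sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy";
      url = "https://hg.prosody.im/prosody-modules/";
    };
  in {
    enable = true;
    allowRegistration = false;
    extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"];
    virtualHosts.yoricc = {
      enabled = true;
      domain = "yori.cc";
      ssl = {
        # Copies of the ACME files, made by systemd.services.prosody.preStart below.
        key = "/var/lib/prosody/keys/key.pem";
        cert = "/var/lib/prosody/keys/fullchain.pem";
      };
    };
    # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
    extraConfig = ''
      plugin_paths = { "${prosodyModules}" }
      use_libevent = true
      s2s_require_encryption = true
      c2s_require_encryption = true
      archive_expires_after = "never"
      storage = {
        archive2 = "sql";
      }
    '';
    # NOTE: with "mam" enabled and archive_expires_after = "never", message
    # archives are retained indefinitely — a data-retention choice worth confirming.
    admins = [ "yorick@yori.cc"];
  };

  nixpkgs.config.packageOverrides = pkgs:
    # FIXME: ugly hacks!
    { prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; };
    };

  # PermissionsStartOnly lets preStart run as root (to read acmeKeyDir) while
  # the service itself runs as the prosody user.
  systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
  systemd.services.prosody.preStart = ''
    mkdir -m 0700 -p /var/lib/prosody/keys
    cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys
    # cp inherits the source mode; make the private key owner-only regardless.
    chmod 0600 /var/lib/prosody/keys/key.pem
    chown -R prosody:prosody /var/lib/prosody
  '';

  # XMPP client (5222) and server-to-server (5269) ports.
  networking.firewall.allowedTCPPorts = [5222 5269];

  services.muflax-blog = {
    enable = true;
    web-server = {
      port = 9001;
    };
    hidden-service = {
      hostname = "muflax65ngodyewp.onion";
      private_key = "/run/keys/torkeys/http.muflax.key";
    };
  };
}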