dotfiles/pennyworth/configuration.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, lib, ... }:

let
  secrets = import <secrets>;
  yoricc = import ../packages/yori-cc.nix;
  acmeWebRoot = "/etc/sslcerts/acmeroot";
  acmeKeyDir = "${config.security.acme.directory}/yori.cc";
in
{
  imports = [
      ./hardware-configuration.nix
      ../roles/common.nix
      ../modules/mailz.nix
      ../modules/nginx.nix
      ../modules/tor-hidden-service.nix
  ];

  networking.hostName = secrets.hostnames.pennyworth;

  environment.noXlibs = true;

  services.openssh.enable = true;
  networking.enableIPv6 = lib.mkOverride 30 true;

  system.stateVersion = "16.03";

  # root password is useful from console, ssh has password logins disabled
  users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword;

  # email
  services.mailz = {
    domain = config.networking.hostName;
    keydir = acmeKeyDir;
    domains = secrets.email_domains;
    users = {
      yorick = {
        password = secrets.yorick_mailPassword;
        aliases = ["postmaster" "me" "ik" "info" "~"];
      };
    };
  };

  # website + lets encrypt challenge hosting
  nginxssl = {
    enable = true;
    challenges."${config.networking.hostName}" = acmeWebRoot;
    servers."yori.cc" = {
      key_root = acmeKeyDir;
      key_webroot = acmeWebRoot;
      contents = ''
        location / {
          root ${yoricc}/web;
        }
      '';
    };
  };


  # Let's Encrypt configuration.
  security.acme.certs."yori.cc" =
    { email = secrets.email;
      extraDomains = {
        "${config.networking.hostName}" = null;
      };
      webroot = acmeWebRoot;
      postRun = ''systemctl reload nginx.service dovecot2.service opensmtpd.service
          systemctl restart prosody.service
      '';
    };
  # Generate a dummy self-signed certificate until we get one from
  # Let's Encrypt.
  system.activationScripts.letsEncryptKeys =
    ''
      dir=${acmeKeyDir}
      mkdir -m 0700 -p $dir
      if ! [[ -e $dir/key.pem ]]; then
        ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
        ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
          -subj "/C=NL/CN=www.example.com"
        ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
        ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
      fi
    '';

  # hidden SSH service

  services.tor.hiddenServices = [
    { name = "ssh";
      port = 22;
      hostname = "/run/keys/torkeys/ssh.pennyworth.hostname";
      private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
  ];

  # XMPP
  services.prosody = let
    # TODO: this should be in nixpkgs
    prosodyModules = pkgs.fetchhg {
      name = "prosody-modules-22042016";
      rev = "e0b8b8a50013";
      sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy";
      url = "https://hg.prosody.im/prosody-modules/";
    };
  in {
    enable = true;

    allowRegistration = false;
    extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"];
    virtualHosts.yoricc = {
      enabled = true;
      domain = "yori.cc";
      ssl = {
        key = "/var/lib/prosody/keys/key.pem";
        cert = "/var/lib/prosody/keys/fullchain.pem";
      };
    };
    # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
    extraConfig = ''
      plugin_paths = { "${prosodyModules}" }
      use_libevent = true
      s2s_require_encryption = true
      c2s_require_encryption = true
    '';

    admins = [ "yorick@yori.cc"];
  };
  systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
  systemd.services.prosody.preStart = ''
      mkdir -m 0700 -p /var/lib/prosody/keys
      cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys
      chown -R prosody:prosody /var/lib/prosody
  '';
  networking.firewall.allowedTCPPorts = [5222 5269];
}