split off functionality into roles
parent
6459a6c0f6
commit
36b1a550c4
10
README.md
10
README.md
|
@ -9,7 +9,7 @@ Systems
|
|||
|
||||
Physical server. Mostly used for files. (storage: 6 TB hdd + 256GB ssd, RAM: 8GB, 2 cores ht)
|
||||
|
||||
- git hosting
|
||||
- [git hosting](./modules/gogs.nix)
|
||||
- [public files](./roles/pub.nix)
|
||||
- torrents
|
||||
- [quassel](./roles/quassel.nix)
|
||||
|
@ -20,10 +20,10 @@ Physical server. Mostly used for files. (storage: 6 TB hdd + 256GB ssd, RAM: 8GB
|
|||
VPS (Storage: 80GB, RAM: 1GB, 2 cores)
|
||||
|
||||
- [grafana](./roles/graphs.nix)
|
||||
- website
|
||||
- email
|
||||
- prosody
|
||||
- asterisk
|
||||
- [website](./roles/website.nix)
|
||||
- [email](./roles/main.nix)
|
||||
- [prosody](./roles/xmpp.nix)
|
||||
- [asterisk](./roles/asterisk.nix)
|
||||
|
||||
[woodhouse](https://en.wikipedia.org/wiki/List_of_Archer_characters#Recurring_characters)
|
||||
-----------
|
||||
|
|
|
@ -28,8 +28,6 @@ in
|
|||
|
||||
gogs.domain = "git.yori.cc";
|
||||
nginxssl.enable = true;
|
||||
# Let's Encrypt configuration.
|
||||
security.acme.preliminarySelfsigned = true;
|
||||
|
||||
# hidden SSH service
|
||||
|
||||
|
|
|
@ -17,12 +17,12 @@ in
|
|||
../roles/common.nix
|
||||
../roles/collectd.nix
|
||||
../roles/graphs.nix
|
||||
../modules/mailz.nix
|
||||
../modules/nginx.nix
|
||||
../roles/xmpp.nix
|
||||
../roles/website.nix
|
||||
../roles/mail.nix
|
||||
../modules/tor-hidden-service.nix
|
||||
../modules/muflax-blog.nix
|
||||
../modules/backup.nix
|
||||
./asterisk.nix
|
||||
../roles/asterisk.nix
|
||||
];
|
||||
|
||||
networking.hostName = secrets.hostnames.pennyworth;
|
||||
|
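Review bot: The README hunk earlier in this commit links the email role as `./roles/main.nix`, while the import added here is `../roles/mail.nix` (and the 35-line new file holding `services.mailz` matches roles/mail.nix); one of the two is a typo and the README link should presumably read `[email](./roles/mail.nix)`. With mailz, nginx and backup now pulled in through the roles, pennyworth's own `let` (outside this hunk) presumably still binds `acmeKeyDir`, `acmeWebRoot`, `yoricc` and `luadbi` that nothing in this file uses any more; if so, drop them so knowledge of the certificate paths lives in the roles only.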
@ -34,68 +34,9 @@ in
|
|||
networking.enableIPv6 = lib.mkOverride 30 true;
|
||||
|
||||
system.stateVersion = "16.03";
|
||||
|
||||
nginxssl.enable = true;
|
||||
|
||||
# email
|
||||
services.mailz = {
|
||||
domain = config.networking.hostName;
|
||||
keydir = acmeKeyDir;
|
||||
mainUser = "yorick";
|
||||
users = {
|
||||
yorick = with secrets; {
|
||||
password = yorick_mailPassword;
|
||||
domains = email_domains;
|
||||
};
|
||||
};
|
||||
};
|
||||
services.backup = {
|
||||
enable = true;
|
||||
backups = {
|
||||
mail = {
|
||||
dir = "/var/spool/mail";
|
||||
remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak";
|
||||
keyfile = "/var/backup/creds";
|
||||
interval = "daily";
|
||||
};
|
||||
};
|
||||
};
|
||||
# website + lets encrypt challenge hosting
|
||||
nginxssl = {
|
||||
enable = true;
|
||||
challenges."${config.networking.hostName}" = acmeWebRoot;
|
||||
servers."yori.cc" = {
|
||||
key_root = acmeKeyDir;
|
||||
key_webroot = acmeWebRoot;
|
||||
contents = ''
|
||||
location / {
|
||||
rewrite ^(.*) https://yorickvanpelt.nl$1 permanent;
|
||||
}
|
||||
'';
|
||||
};
|
||||
servers."yorickvanpelt.nl" = {
|
||||
key_root = acmeKeyDir;
|
||||
key_webroot = acmeWebRoot;
|
||||
contents = ''
|
||||
location / {
|
||||
root ${yoricc}/web;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
# Let's Encrypt configuration.
|
||||
security.acme.preliminarySelfsigned = true;
|
||||
security.acme.certs."yori.cc" =
|
||||
{ email = secrets.email;
|
||||
extraDomains = {
|
||||
"${config.networking.hostName}" = null;
|
||||
"yorickvanpelt.nl" = null;
|
||||
};
|
||||
webroot = acmeWebRoot;
|
||||
postRun = ''systemctl reload nginx.service dovecot2.service postfix.service
|
||||
systemctl restart prosody.service
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."pad.yori.cc" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -113,53 +54,6 @@ in
|
|||
private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
|
||||
];
|
||||
|
||||
# XMPP
|
||||
services.prosody = let
|
||||
# TODO: this should be in nixpkgs
|
||||
prosodyModules = pkgs.fetchhg {
|
||||
name = "prosody-modules-22042016";
|
||||
rev = "e0b8b8a50013";
|
||||
sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy";
|
||||
url = "https://hg.prosody.im/prosody-modules/";
|
||||
};
|
||||
in {
|
||||
enable = true;
|
||||
|
||||
allowRegistration = false;
|
||||
extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"];
|
||||
virtualHosts.yoricc = {
|
||||
enabled = true;
|
||||
domain = "yori.cc";
|
||||
ssl = {
|
||||
key = "/var/lib/prosody/keys/key.pem";
|
||||
cert = "/var/lib/prosody/keys/fullchain.pem";
|
||||
};
|
||||
};
|
||||
# TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
|
||||
extraConfig = ''
|
||||
plugin_paths = { "${prosodyModules}" }
|
||||
use_libevent = true
|
||||
s2s_require_encryption = true
|
||||
c2s_require_encryption = true
|
||||
archive_expires_after = "never"
|
||||
storage = {
|
||||
archive2 = "sql";
|
||||
}
|
||||
'';
|
||||
|
||||
admins = [ "yorick@yori.cc"];
|
||||
};
|
||||
nixpkgs.config.packageOverrides = pkgs:
|
||||
# FIXME: ugly hacks!
|
||||
{ prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; };
|
||||
};
|
||||
systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
|
||||
systemd.services.prosody.preStart = ''
|
||||
mkdir -m 0700 -p /var/lib/prosody/keys
|
||||
cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys
|
||||
chown -R prosody:prosody /var/lib/prosody
|
||||
'';
|
||||
networking.firewall.allowedTCPPorts = [5222 5269];
|
||||
|
||||
services.muflax-blog = {
|
||||
enable = true;
|
||||
|
|
|
@ -97,5 +97,8 @@ in
|
|||
rxvt_unicode.terminfo
|
||||
];
|
||||
nix.gc.automatic = true;
|
||||
|
||||
security.acme.preliminarySelfsigned = true;
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let secrets = import <secrets>;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../modules/mailz.nix
|
||||
../modules/backup.nix
|
||||
];
|
||||
config = {
|
||||
# email
|
||||
services.mailz = {
|
||||
domain = config.networking.hostName;
|
||||
keydir = acmeKeyDir;
|
||||
mainUser = "yorick";
|
||||
users = {
|
||||
yorick = with secrets; {
|
||||
password = yorick_mailPassword;
|
||||
domains = email_domains;
|
||||
};
|
||||
};
|
||||
};
|
||||
services.backup = {
|
||||
enable = true;
|
||||
backups = {
|
||||
mail = {
|
||||
dir = "/var/spool/mail";
|
||||
remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak";
|
||||
keyfile = "/var/backup/creds";
|
||||
interval = "daily";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
|
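Review bot: `keydir = acmeKeyDir;` in the `services.mailz` block uses a name this module never binds — its `let` defines only `secrets` — so evaluation should fail with an undefined-variable error; `acmeKeyDir` used to be a local of the pennyworth `let` and is now bound only inside roles/website.nix, whose `let` is not visible here. Bind it locally with the same value the website role uses: `let secrets = import <secrets>; acmeKeyDir = "${config.security.acme.directory}/yori.cc"; in`. That also makes the hidden dependency explicit: the mail services presumably read the yori.cc key material that roles/website.nix's `security.acme.certs."yori.cc"` obtains, so a header comment such as `# assumes roles/website.nix is imported on the same host (it owns the yori.cc ACME cert)` would save the next reader a search.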
@ -0,0 +1,50 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
secrets = import <secrets>;
|
||||
yoricc = import ../packages/yori-cc.nix;
|
||||
acmeWebRoot = "/etc/sslcerts/acmeroot";
|
||||
acmeKeyDir = "${config.security.acme.directory}/yori.cc";
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../modules/nginx.nix
|
||||
];
|
||||
# website + lets encrypt challenge hosting
|
||||
nginxssl = {
|
||||
enable = true;
|
||||
challenges."${config.networking.hostName}" = acmeWebRoot;
|
||||
servers."yori.cc" = {
|
||||
key_root = acmeKeyDir;
|
||||
key_webroot = acmeWebRoot;
|
||||
contents = ''
|
||||
location / {
|
||||
rewrite ^(.*) https://yorickvanpelt.nl$1 permanent;
|
||||
}
|
||||
'';
|
||||
};
|
||||
servers."yorickvanpelt.nl" = {
|
||||
key_root = acmeKeyDir;
|
||||
key_webroot = acmeWebRoot;
|
||||
contents = ''
|
||||
location / {
|
||||
root ${yoricc}/web;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
# Let's Encrypt configuration.
|
||||
security.acme.certs."yori.cc" =
|
||||
{ email = secrets.email;
|
||||
extraDomains = {
|
||||
"${config.networking.hostName}" = null;
|
||||
"yorickvanpelt.nl" = null;
|
||||
};
|
||||
webroot = acmeWebRoot;
|
||||
postRun = ''systemctl reload nginx.service dovecot2.service postfix.service
|
||||
systemctl restart prosody.service
|
||||
'';
|
||||
};
|
||||
}
|
|
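Review bot: `postRun` at the end of `security.acme.certs."yori.cc"` still reloads `dovecot2.service` and `postfix.service` and restarts `prosody.service`, which belong to the mail and xmpp roles rather than this one; on a host that imports only the website role those units do not exist, the renewal hook would presumably fail after nginx has been reloaded, and the coupling undoes part of what this split is for. Keep only `postRun = "systemctl reload nginx.service";` here and let roles/mail.nix and roles/xmpp.nix each add their own line, e.g. `security.acme.certs."yori.cc".postRun = "systemctl reload dovecot2.service postfix.service";` — as far as I recall `postRun` is `types.lines`, so the fragments are concatenated. This file is also the only place `acmeKeyDir` and `acmeWebRoot` are bound, while roles/mail.nix and roles/xmpp.nix reference `acmeKeyDir` as well; either every role binds its own copy or the path should become an option the roles share.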
@ -0,0 +1,55 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
luadbi = pkgs.callPackage ../packages/luadbi.nix {};
|
||||
in
|
||||
{
|
||||
# XMPP
|
||||
services.prosody = let
|
||||
# TODO: this should be in nixpkgs
|
||||
prosodyModules = pkgs.fetchhg {
|
||||
name = "prosody-modules-22042016";
|
||||
rev = "e0b8b8a50013";
|
||||
sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy";
|
||||
url = "https://hg.prosody.im/prosody-modules/";
|
||||
};
|
||||
in {
|
||||
enable = true;
|
||||
|
||||
allowRegistration = false;
|
||||
extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"];
|
||||
virtualHosts.yoricc = {
|
||||
enabled = true;
|
||||
domain = "yori.cc";
|
||||
ssl = {
|
||||
key = "/var/lib/prosody/keys/key.pem";
|
||||
cert = "/var/lib/prosody/keys/fullchain.pem";
|
||||
};
|
||||
};
|
||||
# TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
|
||||
extraConfig = ''
|
||||
plugin_paths = { "${prosodyModules}" }
|
||||
use_libevent = true
|
||||
s2s_require_encryption = true
|
||||
c2s_require_encryption = true
|
||||
archive_expires_after = "never"
|
||||
storage = {
|
||||
archive2 = "sql";
|
||||
}
|
||||
'';
|
||||
|
||||
admins = [ "yorick@yori.cc"];
|
||||
};
|
||||
nixpkgs.config.packageOverrides = pkgs:
|
||||
# FIXME: ugly hacks!
|
||||
{ prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; };
|
||||
};
|
||||
systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
|
||||
systemd.services.prosody.preStart = ''
|
||||
mkdir -m 0700 -p /var/lib/prosody/keys
|
||||
cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys
|
||||
chown -R prosody:prosody /var/lib/prosody
|
||||
'';
|
||||
networking.firewall.allowedTCPPorts = [5222 5269];
|
||||
|
||||
}
|
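Review bot: `cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys` in `systemd.services.prosody.preStart` references `acmeKeyDir`, but this module's `let` binds only `luadbi`, so the module should fail to evaluate with an undefined variable; add `acmeKeyDir = "${config.security.acme.directory}/yori.cc";` next to `luadbi`, the value roles/website.nix uses. The preStart also depends silently on roles/website.nix having obtained the yori.cc certificate on the same host — without it the `cp` presumably fails and prosody does not start — so a comment above the `let`, `# requires roles/website.nix: copies the yori.cc ACME key into prosody's key dir`, would make the dependency visible to whoever composes the next host.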