update for 18.03
parent
717ad7eea6
commit
9db7e7bc35
|
@ -12,9 +12,5 @@ in
|
|||
system.stateVersion = "17.09";
|
||||
# no, not that Ascanius.
|
||||
networking.hostName = secrets.hostnames.ascanius;
|
||||
services.tor.hiddenServices.ssh.map = [
|
||||
{ port = 22; }
|
||||
];
|
||||
services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.ascanius.key";
|
||||
|
||||
}
|
||||
|
|
|
@ -1,24 +1,11 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
let secrets = import <secrets>;
|
||||
acmeWebRoot = "/etc/sslcerts/acmeroot";
|
||||
acmeKeyDir = "${config.security.acme.directory}/git.yori.cc";
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
../physical/fractal.nix
|
||||
../roles/common.nix
|
||||
../modules/nginx.nix
|
||||
../roles/gogs.nix
|
||||
../modules/tor-hidden-service.nix
|
||||
../roles/quassel.nix
|
||||
../roles/pub.nix
|
||||
../roles/collectd.nix
|
||||
];
|
||||
imports = [
|
||||
../physical/fractal.nix
|
||||
../roles/common.nix
|
||||
];
|
||||
|
||||
|
||||
networking.hostName = secrets.hostnames.frumar;
|
||||
|
@ -26,14 +13,12 @@ in
|
|||
# The NixOS release to be compatible with for stateful data such as databases.
|
||||
system.stateVersion = "15.09";
|
||||
|
||||
nginxssl.enable = true;
|
||||
services.nginx.enable = true;
|
||||
services.yorick = {
|
||||
public = { enable = true; vhost = "pub.yori.cc"; };
|
||||
gogs = { enable = true; vhost = "git.yori.cc"; };
|
||||
quassel.enable = true;
|
||||
};
|
||||
|
||||
|
||||
# hidden SSH service
|
||||
|
||||
services.tor.hiddenServices = [
|
||||
{ name = "ssh";
|
||||
port = 22;
|
||||
hostname = secrets.tor_hostnames."ssh.frumar";
|
||||
private_key = "/run/keys/torkeys/ssh.frumar.key"; }
|
||||
];
|
||||
}
|
||||
}
|
||||
|
|
|
@ -12,14 +12,7 @@ in
|
|||
imports = [
|
||||
../physical/kassala.nix
|
||||
../roles/common.nix
|
||||
../roles/collectd.nix
|
||||
../roles/graphs.nix
|
||||
../roles/xmpp.nix
|
||||
../roles/website.nix
|
||||
../roles/mail.nix
|
||||
../modules/tor-hidden-service.nix
|
||||
../modules/muflax-blog.nix
|
||||
../roles/asterisk.nix
|
||||
];
|
||||
|
||||
networking.hostName = secrets.hostnames.pennyworth;
|
||||
|
@ -31,25 +24,34 @@ in
|
|||
networking.enableIPv6 = lib.mkOverride 30 true;
|
||||
|
||||
system.stateVersion = "16.03";
|
||||
yorick = { cpu = null; };
|
||||
|
||||
nginxssl.enable = true;
|
||||
|
||||
services.nginx.virtualHosts."pad.yori.cc" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:9140";
|
||||
services.nginx.enable = true;
|
||||
services.yorick = {
|
||||
website = { enable = true; vhost = "yorickvanpelt.nl"; };
|
||||
mail = {
|
||||
enable = true;
|
||||
mainUser = "yorick";
|
||||
users = {
|
||||
yorick = with secrets; {
|
||||
password = yorick_mailPassword;
|
||||
domains = email_domains;
|
||||
};
|
||||
};
|
||||
};
|
||||
xmpp = {
|
||||
enable = true;
|
||||
vhost = "yori.cc";
|
||||
admins = [ "yorick@yori.cc" ];
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."yori.cc" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
globalRedirect = "yorickvanpelt.nl";
|
||||
};
|
||||
|
||||
# hidden SSH service
|
||||
|
||||
services.tor.hiddenServices = [
|
||||
{ name = "ssh";
|
||||
port = 22;
|
||||
hostname = secrets.tor_hostnames."ssh.pennyworth";
|
||||
private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
|
||||
];
|
||||
|
||||
|
||||
services.muflax-blog = {
|
||||
|
|
|
@ -26,15 +26,6 @@ in
|
|||
# The NixOS release to be compatible with for stateful data such as databases.
|
||||
system.stateVersion = "17.09";
|
||||
|
||||
|
||||
services.xserver = {
|
||||
# displayManager.slim.autoLogin = true; # TODO: debug this
|
||||
};
|
||||
|
||||
|
||||
services.tor.hiddenServices.ssh.map = [ {port = 22;} ];
|
||||
services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.woodhouse.key";
|
||||
|
||||
system.fsPackages = [ pkgs.sshfsFuse ];
|
||||
|
||||
fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];
|
||||
|
|
|
@ -274,13 +274,11 @@ in
|
|||
};
|
||||
|
||||
users.extraUsers = optional (cfg.user == "vmail") {
|
||||
name = "vmail";
|
||||
uid = cfg.uid;
|
||||
group = cfg.group;
|
||||
};
|
||||
|
||||
users.extraGroups = optional (cfg.group == "vmail") {
|
||||
name = "vmail";
|
||||
gid = cfg.gid;
|
||||
};
|
||||
|
||||
|
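Review bot: The two lines this hunk drops from the `vmail` user and group definitions cannot be read off the page (the side markers are lost), but the −13/+11 counts against the visible lines make `uid = cfg.uid;` and `gid = cfg.gid;` the likely pair, which would leave the `vmail` account with a dynamically allocated uid/gid. Mail storage owned by the previous fixed ids would then presumably no longer match after a rebuild, and the ids could differ between hosts. If the fixed ids were dropped because of the 18.03 update, add a comment next to `users.extraUsers` saying where ownership of existing mail data is now guaranteed; otherwise keep `uid = cfg.uid;` and `gid = cfg.gid;`. The enclosing module continues outside the hunk.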
|
|
@ -1,15 +1,18 @@
|
|||
{ pkgs, config, lib, ... }:
|
||||
{ cur_pkgs, config, lib, ... }:
|
||||
|
||||
|
||||
let
|
||||
cfg = config.services.muflax-blog;
|
||||
muflax-source = pkgs.fetchFromGitHub {
|
||||
muflax-source = builtins.fetchGit {
|
||||
rev = "e5ce7ae4296c6605a7e886c153d569fc38318096";
|
||||
owner = "fmap";
|
||||
repo = "muflax65ngodyewp.onion";
|
||||
sha256 = "10n5km8mr7vjqlyb46drfhwzlrwranqaxpqc53a2hk9pqqckm8cx";
|
||||
};
|
||||
blog = lib.overrideDerivation (pkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
|
||||
ref = "HEAD";
|
||||
url = "https://github.com/fmap/muflax65ngodyewp.onion.git";
|
||||
};
|
||||
nixpkgs = import (builtins.fetchTarball {
|
||||
url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz";
|
||||
sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8";
|
||||
}) { system = builtins.currentSystem; };
|
||||
blog = lib.overrideDerivation (nixpkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
|
||||
buildPhase = default.buildPhase + "\n" + ''
|
||||
grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g'
|
||||
'';
|
||||
|
@ -46,11 +49,8 @@ in with lib; {
|
|||
}
|
||||
'') ["daily" "gospel" "blog"]);
|
||||
};
|
||||
services.tor.hiddenServices = [{
|
||||
name = "muflax-blog";
|
||||
remote_port = 80;
|
||||
inherit (cfg.web-server) port;
|
||||
inherit (cfg.hidden-service) hostname private_key;
|
||||
}];
|
||||
services.tor.hiddenServices.muflax-blog.map = [{
|
||||
port = 80; toPort = cfg.web-server.port; }];
|
||||
services.tor.service-keys.muflax-blog = cfg.hidden-service.private_key;
|
||||
};
|
||||
}
|
||||
}
|
||||
|
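Review bot: The module argument set is renamed from `{ pkgs, config, lib, ... }:` to `{ cur_pkgs, config, lib, ... }:`, but neither hunk references `cur_pkgs`, and `pkgs` is no longer bound; any remaining `pkgs.` use in the part of the file outside the hunks (lines 19–48 of the new file) would fail to evaluate. If the intent is to stop building the blog against the system nixpkgs, confirm there is no other `pkgs` use and drop `cur_pkgs` if it stays unused. The blog is now built with a nixpkgs-channels snapshot pinned to a single commit, which means it stops receiving security updates from the system channel; say so next to the `nixpkgs = import (builtins.fetchTarball {` line, e.g. `# nixpkgs pinned for the blog build only: it does not follow the system channel, bump on purpose`.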
|
|
@ -1,6 +1,5 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
cfg = config.nginxssl;
|
||||
sslcfg = dir: ''
|
||||
ssl on;
|
||||
ssl_certificate_key ${dir}/key.pem;
|
||||
|
@ -9,139 +8,29 @@ sslcfg = dir: ''
|
|||
add_header Strict-Transport-Security max-age=15768000;
|
||||
'';
|
||||
|
||||
makeChallenges = servername: key_webroot: ''
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name ${servername};
|
||||
location /.well-known/acme-challenge {
|
||||
default_type text/plain;
|
||||
alias ${key_webroot}/.well-known/acme-challenge;
|
||||
}
|
||||
}
|
||||
'';
|
||||
makeServerBlock = servername: {key_root, key_webroot, contents, ...}: ''
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name ${servername};
|
||||
server_tokens off;
|
||||
location /.well-known/acme-challenge {
|
||||
default_type text/plain;
|
||||
alias ${key_webroot}/.well-known/acme-challenge;
|
||||
}
|
||||
location / {
|
||||
rewrite ^(.*) https://$host$1 permanent;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 443;
|
||||
listen [::]:443;
|
||||
server_name ${servername};
|
||||
location /.well-known/acme-challenge {
|
||||
default_type text/plain;
|
||||
alias ${key_webroot}/.well-known/acme-challenge;
|
||||
}
|
||||
${sslcfg key_root}
|
||||
${contents}
|
||||
}
|
||||
'';
|
||||
#vhosts = with lib; unique (concatMap (splitString " ") (attrNames cfg.servers));
|
||||
servopts = {...}: {
|
||||
options = {
|
||||
key_webroot = mkOption {
|
||||
type = types.string;
|
||||
description = "The path where the acme challenge is stored";
|
||||
};
|
||||
key_root = mkOption {
|
||||
type = types.string;
|
||||
description = "The path where the SSL keys are stored";
|
||||
};
|
||||
contents = mkOption {
|
||||
type = types.string;
|
||||
description = "Extra server block contents, like location blocks";
|
||||
example = "location / {}";
|
||||
};
|
||||
};
|
||||
};
|
||||
inherit (lib) mkEnableOption mkOption types mkIf;
|
||||
in
|
||||
{
|
||||
options.nginxssl = {
|
||||
enable = mkEnableOption "enable new nginx module";
|
||||
no_vhost_keydir = mkOption {
|
||||
type = types.string;
|
||||
default = "/etc/sslcerts/no_vhost";
|
||||
description = "The path where the SSL keys for the default are stored (can and will be self-signed)";
|
||||
};
|
||||
servers = mkOption {
|
||||
type = types.attrsOf types.optionSet;
|
||||
description = "The servers to host";
|
||||
default = {};
|
||||
example = {"git.domain.com" = {
|
||||
contents = "location / {}";
|
||||
key_root = "/var/lib/acme/git.domain.com";
|
||||
key_webroot = "/etc/sslcerts/acmeroot";
|
||||
};
|
||||
};
|
||||
options = [ servopts ];
|
||||
};
|
||||
challenges = mkOption {
|
||||
type = types.attrsOf types.string;
|
||||
default = {};
|
||||
example = {"mail.domain.com" = "/var/lib/acme/mail.domain.com";};
|
||||
description = "Other domains to host challenges for";
|
||||
};
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
config = lib.mkIf config.services.nginx.enable {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedOptimisation = true;
|
||||
serverTokens = false;
|
||||
sslDhparam = "/etc/nginx/dhparam.pem";
|
||||
virtualHosts = {
|
||||
"\"\"" = {
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
index = "index.html index.htm";
|
||||
root = "${pkgs.nginx}/html";
|
||||
};
|
||||
sslCertificate = "${cfg.no_vhost_keydir}/fullchain.pem";
|
||||
sslCertificateKey = "${cfg.no_vhost_keydir}/key.pem";
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
|
||||
appendHttpConfig = ''
|
||||
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)}
|
||||
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList makeServerBlock cfg.servers)}
|
||||
|
||||
'';
|
||||
};
|
||||
virtualHosts."${config.networking.hostName}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
system.activationScripts.nginxdhparams =
|
||||
''
|
||||
if ! [[ -e /etc/nginx/dhparam.pem ]]; then
|
||||
mkdir -p /etc/nginx/
|
||||
${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
|
||||
fi
|
||||
# self-sign certs in case an invalid vhost is looked up
|
||||
dir=${cfg.no_vhost_keydir}
|
||||
mkdir -m 0700 -p $dir
|
||||
if ! [[ -e $dir/key.pem ]]; then
|
||||
${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
|
||||
${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
|
||||
-subj "/C=NL/CN=www.example.com"
|
||||
${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
|
||||
${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
|
||||
fi
|
||||
'';
|
||||
system.activationScripts.nginxdhparams = ''
|
||||
if ! [[ -e /etc/nginx/dhparam.pem ]]; then
|
||||
mkdir -p /etc/nginx/
|
||||
${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
}
|
||||
|
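Review bot: `config = lib.mkIf config.services.nginx.enable { services.nginx = { enable = true; ... } }` is self-referential: the module system pushes the `mkIf` condition down onto every definition inside it, so the definition `services.nginx.enable = mkIf config.services.nginx.enable true` must evaluate `config.services.nginx.enable` to decide whether it applies, which is the value being merged and ends in infinite recursion. The hosts now set `services.nginx.enable = true;` themselves (frumar, pennyworth), so the `enable = true;` line inside the block is redundant anyway; delete it, or gate the block on a dedicated option — as far as the lost side markers allow one to tell, the line survives on the new side. Separately, `virtualHosts."${config.networking.hostName}"` with `default = true` means requests for any unmatched name are answered with this host's ACME certificate and content rather than the self-signed placeholder the old `"\"\""` vhost served; if that is intended, a one-line comment above it would save the next reader the question. The first hunk (−6/+5) appears to keep `sslcfg`, which nothing on the new side of the second hunk references; confirm it is dead and remove it.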
|
|
@ -1,47 +0,0 @@
|
|||
{lib, fetchurl, lua, sqlite, luaPackages,
|
||||
libpsql ? null, libmysql ? null,
|
||||
withpsql ? false, withmysql ? false}:
|
||||
|
||||
assert withpsql -> libpsql != null;
|
||||
assert withmysql -> libmysql != null;
|
||||
|
||||
luaPackages.buildLuaPackage rec {
|
||||
version = "0.5";
|
||||
name = "luadbi-${version}";
|
||||
isLibrary = true;
|
||||
src = fetchurl {
|
||||
url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/luadbi/luadbi.${version}.tar.gz";
|
||||
sha256 = "07ikxgxgfpimnwf7zrqwcwma83ss3wm2nzjxpwv2a1c0vmc684a9";
|
||||
};
|
||||
|
||||
propagatedBuildInputs = [ sqlite ]
|
||||
++ (lib.optional withpsql [libpsql])
|
||||
++ (lib.optional withmysql [libmysql]);
|
||||
|
||||
unpackPhase = ''
|
||||
mkdir ./luadbi
|
||||
tar -xf $src -C ./luadbi
|
||||
sourceRoot=./luadbi
|
||||
chmod -R u+w "$sourceRoot";
|
||||
'';
|
||||
|
||||
preBuild = with lib.optionalString; ''
|
||||
makeFlagsArray=(
|
||||
sqlite3
|
||||
${lib.optionalString withpsql "psql"}
|
||||
${lib.optionalString withmysql "mysql"}
|
||||
LUA_LDIR="$out/share/lua/${lua.luaversion}"
|
||||
LUA_INC="-I${lua}/include" LUA_CDIR="$out/lib/lua/${lua.luaversion}"
|
||||
)
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/lib/lua/${lua.luaversion}
|
||||
install -p ./*.so DBI.lua $out/lib/lua/${lua.luaversion}
|
||||
'';
|
||||
|
||||
meta = {
|
||||
homepage = "https://code.google.com/archive/p/luadbi/downloads";
|
||||
maintainers = [ "Yorick" ];
|
||||
};
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
with import <nixpkgs> {};
|
||||
{ stdenv, callPackage }:
|
||||
|
||||
let gogitget = callPackage ./gogitget.nix {}; in
|
||||
|
||||
|
|
|
@ -30,7 +30,7 @@ in
|
|||
usePredictableInterfaceNames = false; # only eth0
|
||||
interfaces.eth0 = {
|
||||
useDHCP = false;
|
||||
inherit (ipconf) ip4 ip6;
|
||||
inherit (ipconf) ipv4 ipv6;
|
||||
};
|
||||
inherit (ipconf) nameservers;
|
||||
# ideally, it should add a route for this automatically
|
||||
|
|
|
@ -1,51 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
# todo: the prestart service copies to the wrong dir
|
||||
services.asterisk = {
|
||||
enable = true;
|
||||
#extraArguments = ["-vvvddd"];
|
||||
confFiles."logger.conf" = ''
|
||||
[general]
|
||||
[logfiles]
|
||||
syslog.local0 => notice,warning,error
|
||||
console => debug,notice,warning,error,verbose,dtmf,fax
|
||||
'';
|
||||
confFiles."extensions.conf" = ''
|
||||
[from-sim]
|
||||
exten => _X.,1,Verbose(Call from Limesco SIM [''${CALLERID(num)}] to [''${EXTEN}])
|
||||
same => n,Dial(SIP/speakup01/''${EXTEN})
|
||||
|
||||
[from-speakup]
|
||||
; Vervang ... door de rest van je DIY-nummer:
|
||||
exten => 31626972516,1,Verbose(Call from SpeakUp [''${CALLERID(num)}] to [''${EXTEN}])
|
||||
same => n,Dial(SIP/limesco/''${EXTEN})
|
||||
'';
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
asterisk
|
||||
];
|
||||
#networking.firewall.allowedUDPPorts = [5060];
|
||||
#networking.firewall.allowedTCPPorts = [5060];
|
||||
networking.firewall.extraCommands = ''
|
||||
iptables -A nixos-fw -p udp -s 193.169.138.0/23 -j nixos-fw-accept
|
||||
iptables -A nixos-fw -p udp -s 91.232.130.0/24 -j nixos-fw-accept
|
||||
iptables -A nixos-fw -p udp -s 81.205.5.19 -j nixos-fw-accept
|
||||
iptables -A nixos-fw -p tcp -s 193.169.138.0/23 -j nixos-fw-accept
|
||||
iptables -A nixos-fw -p tcp -s 91.232.130.0/24 -j nixos-fw-accept
|
||||
iptables -A nixos-fw -p tcp -s 81.205.5.19 -j nixos-fw-accept
|
||||
'';
|
||||
# nixpkgs.config = {
|
||||
# packageOverrides = pkgs : {
|
||||
# asterisk = pkgs.asterisk.overrideDerivation (attrs: rec {
|
||||
# version = "13.11.2";
|
||||
# broken = false;
|
||||
|
||||
# src = pkgs.fetchurl {
|
||||
# url = "http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-${version}.tar.gz";
|
||||
# sha256 = "0fjski1cpbxap1kcjg6sgd6c8qpxn8lb1sszpg6iz88vn4dh19vf";
|
||||
# };
|
||||
# });
|
||||
# };
|
||||
# };
|
||||
}
|
|
@ -1,10 +1,20 @@
|
|||
let secrets = import <secrets>;
|
||||
in
|
||||
{ config, pkgs, lib, ...}:
|
||||
let
|
||||
machine = with lib; head (splitString "." config.networking.hostName);
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../roles/hardware.nix
|
||||
../modules/tor-hidden-service.nix
|
||||
../modules/nginx.nix
|
||||
../roles/pub.nix
|
||||
../roles/quassel.nix
|
||||
../roles/gogs.nix
|
||||
../roles/mail.nix
|
||||
../roles/website.nix
|
||||
../roles/xmpp.nix
|
||||
];
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
users.mutableUsers = false;
|
||||
|
@ -28,11 +38,6 @@ in
|
|||
nixpkgs.config.allowUnfree = true;
|
||||
nix.package = pkgs.nixUnstable;
|
||||
|
||||
|
||||
nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to];
|
||||
nix.binaryCachePublicKeys = [
|
||||
"hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g="
|
||||
];
|
||||
nix.buildCores = config.nix.maxJobs;
|
||||
|
||||
nix.extraOptions = ''
|
||||
|
@ -51,6 +56,9 @@ in
|
|||
services.tor = {
|
||||
enable = true;
|
||||
client.enable = true;
|
||||
# ssh hidden service
|
||||
hiddenServices.ssh.map = [{ port = 22; }];
|
||||
service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key";
|
||||
};
|
||||
|
||||
programs.ssh.extraConfig = ''
|
||||
|
@ -106,6 +114,5 @@ in
|
|||
];
|
||||
nix.gc.automatic = true;
|
||||
|
||||
security.acme.preliminarySelfsigned = true;
|
||||
}
|
||||
|
||||
|
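Review bot: `service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key"` ties the key file name to the first label of `networking.hostName` through `machine = with lib; head (splitString "." config.networking.hostName)`, and nothing on the page checks that a key with that name is actually deployed; a host whose hostname label differs from its key name would presumably fail when tor starts rather than at evaluation time. Document the convention where `machine` is defined, e.g. `# first hostname label; each host's tor ssh key must be deployed as /run/keys/torkeys/ssh.<machine>.key`, and prefer `lib.head (lib.splitString "." config.networking.hostName)` over `with lib;` for two functions. The second hunk (−11/+6) appears to drop the hydra.cryp.to entries from `nix.trustedBinaryCaches` and `nix.binaryCachePublicKeys`, which removes a third-party cache from the trust set and deserves a word in the commit message.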
|
|
@ -1,57 +1,52 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
gitHome = "/var/gogs";
|
||||
gogsPort = 8001;
|
||||
domain = "git.yori.cc";
|
||||
cfg = config.services.yorick.gogs;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../modules/nginx.nix
|
||||
];
|
||||
|
||||
users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; useDefaultShell = true;};
|
||||
users.extraGroups.git = { };
|
||||
services.gogs = rec {
|
||||
enable = true;
|
||||
user = "git";
|
||||
group = "git";
|
||||
database.user = "root";
|
||||
stateDir = gitHome;
|
||||
repositoryRoot = "${stateDir}/gogs-repositories";
|
||||
rootUrl = "https://${domain}/";
|
||||
httpAddress = "localhost";
|
||||
httpPort = gogsPort;
|
||||
extraConfig = ''
|
||||
[service]
|
||||
REGISTER_EMAIL_CONFIRM = false
|
||||
ENABLE_NOTIFY_MAIL = false
|
||||
DISABLE_REGISTRATION = true
|
||||
REQUIRE_SIGNIN_VIEW = false
|
||||
[picture]
|
||||
DISABLE_GRAVATAR = false
|
||||
AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars
|
||||
[mailer]
|
||||
ENABLED = false
|
||||
[session]
|
||||
PROVIDER = file
|
||||
[log]
|
||||
ROOT_PATH = ${gitHome}/logs
|
||||
MODE = file
|
||||
LEVEL = Info
|
||||
[server]
|
||||
DISABLE_ROUTER_LOG = true
|
||||
'';
|
||||
inherit domain;
|
||||
options.services.yorick.gogs = with lib; {
|
||||
enable = mkEnableOption "gogs";
|
||||
dir = mkOption { type = types.string; default = "/var/gogs"; };
|
||||
port = mkOption { type = types.int; default = 8001; };
|
||||
vhost = mkOption { type = types.string; };
|
||||
};
|
||||
users.extraUsers.gogs.createHome = lib.mkForce false;
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString gogsPort}";
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
users.extraUsers.git = { home = cfg.dir; extraGroups = [ "git" ]; useDefaultShell = true;};
|
||||
users.extraGroups.git = { };
|
||||
services.gogs = rec {
|
||||
enable = true;
|
||||
user = "git";
|
||||
group = "git";
|
||||
database.user = "root";
|
||||
stateDir = cfg.dir;
|
||||
repositoryRoot = "${stateDir}/gogs-repositories";
|
||||
rootUrl = "https://${cfg.vhost}/";
|
||||
httpAddress = "localhost";
|
||||
httpPort = cfg.port;
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
[service]
|
||||
REGISTER_EMAIL_CONFIRM = false
|
||||
ENABLE_NOTIFY_MAIL = false
|
||||
DISABLE_REGISTRATION = true
|
||||
REQUIRE_SIGNIN_VIEW = false
|
||||
[picture]
|
||||
DISABLE_GRAVATAR = false
|
||||
AVATAR_UPLOAD_PATH = ${cfg.dir}/data/avatars
|
||||
[mailer]
|
||||
ENABLED = false
|
||||
'';
|
||||
domain = cfg.vhost;
|
||||
};
|
||||
users.extraUsers.gogs.createHome = lib.mkForce false;
|
||||
services.nginx.virtualHosts.${cfg.vhost} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
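Review bot: The new `dir` and `vhost` options use `types.string`, whose merge function concatenates multiple definitions with no separator instead of rejecting them, so two modules each setting `services.yorick.gogs.vhost` would silently yield a joined host name; use `types.str`, which allows one definition or fails. The same applies to `mainUser` in roles/mail.nix, `vhost` in roles/pub.nix, `vhost` and `redirect` in roles/website.nix, and `vhost`/`admins` in roles/xmpp.nix further down. Here the change is `dir = mkOption { type = types.str; default = "/var/gogs"; };` and `vhost = mkOption { type = types.str; };`.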
|
|
@ -1,25 +1,27 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let secrets = import <secrets>;
|
||||
acmeKeyDir = "${config.security.acme.directory}/yori.cc";
|
||||
let
|
||||
cfg = config.services.yorick.mail;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../modules/mailz.nix
|
||||
../modules/backup.nix
|
||||
];
|
||||
config = {
|
||||
options.services.yorick.mail = with lib; {
|
||||
enable = mkEnableOption "mail service";
|
||||
mainUser = mkOption { type = types.string; };
|
||||
users = mkOption {};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
# email
|
||||
services.mailz = {
|
||||
services.mailz = rec {
|
||||
domain = config.networking.hostName;
|
||||
keydir = acmeKeyDir;
|
||||
mainUser = "yorick";
|
||||
users = {
|
||||
yorick = with secrets; {
|
||||
password = yorick_mailPassword;
|
||||
domains = email_domains;
|
||||
};
|
||||
};
|
||||
keydir = "${config.security.acme.directory}/${domain}";
|
||||
inherit (cfg) mainUser users;
|
||||
};
|
||||
security.acme.certs.${config.networking.hostName}.postRun = ''
|
||||
systemctl reload dovecot2.service postfix.service
|
||||
'';
|
||||
services.backup = {
|
||||
enable = true;
|
||||
backups = {
|
||||
|
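Review bot: `users = mkOption {};` declares the option that carries mail account passwords (pennyworth passes `password = yorick_mailPassword` through it) with no type and no description, so values merge by the generic default rule and nothing documents what shape mailz expects; give it at least `type = types.attrsOf types.attrs;` (narrow it if mailz wants a specific structure) and a description. `security.acme.certs.${config.networking.hostName}.postRun` assumes some other module — here nginx.nix's `virtualHosts."${config.networking.hostName}"` with `enableACME = true` — defines the rest of that certificate; enabling the mail role on a host without nginx would leave a cert entry with only a `postRun`, so state the dependency in a comment or add an assertion on `config.services.nginx.enable`. The hunk ends inside `services.backup`.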
|
|
@ -1,14 +1,19 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let cfg = config.services.yorick.public; in
|
||||
{
|
||||
options.services.yorick.public = {
|
||||
enable = lib.mkEnableOption "public hosting";
|
||||
vhost = lib.mkOption { type = lib.types.string; };
|
||||
};
|
||||
#imports = [../modules/nginx.nix];
|
||||
config = {
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.extraUsers.public = {
|
||||
home = "/home/public";
|
||||
useDefaultShell = true;
|
||||
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
|
||||
createHome = true;
|
||||
};
|
||||
services.nginx.virtualHosts."pub.yori.cc" = {
|
||||
services.nginx.virtualHosts.${cfg.vhost} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
|
|
|
@ -1,40 +1,45 @@
|
|||
{config, pkgs, lib, ...}:
|
||||
{
|
||||
containers.quassel = {
|
||||
config = { config, pkgs, ... }: {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql94;
|
||||
extraConfig = ''
|
||||
max_connections = 10
|
||||
shared_buffers = 1GB
|
||||
effective_cache_size = 4GB
|
||||
work_mem = 50MB
|
||||
maintenance_work_mem = 100MB
|
||||
'';
|
||||
options.services.yorick.quassel = {
|
||||
enable = lib.mkEnableOption "quassel container";
|
||||
};
|
||||
config = {
|
||||
containers.quassel = {
|
||||
config = { config, pkgs, ... }: {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql94;
|
||||
extraConfig = ''
|
||||
max_connections = 10
|
||||
shared_buffers = 1GB
|
||||
effective_cache_size = 4GB
|
||||
work_mem = 50MB
|
||||
maintenance_work_mem = 100MB
|
||||
'';
|
||||
};
|
||||
services.quassel = {
|
||||
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
|
||||
enable = true;
|
||||
interfaces = ["0.0.0.0"];
|
||||
};
|
||||
environment.systemPackages = [
|
||||
pkgs.quasselDaemon
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [4242];
|
||||
};
|
||||
services.quassel = {
|
||||
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
|
||||
enable = true;
|
||||
interfaces = ["0.0.0.0"];
|
||||
};
|
||||
environment.systemPackages = [
|
||||
pkgs.quasselDaemon
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [4242];
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.125.1";
|
||||
localAddress = "192.168.125.11";
|
||||
};
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.125.1";
|
||||
localAddress = "192.168.125.11";
|
||||
# give the containers networking
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
internalInterfaces = ["ve-+"];
|
||||
externalInterface = "enp2s0";
|
||||
forwardPorts = [
|
||||
{ sourcePort = 4242; destination = "192.168.125.11:4242"; }
|
||||
];
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [4242];
|
||||
};
|
||||
# give the containers networking
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
internalInterfaces = ["ve-+"];
|
||||
externalInterface = "enp2s0";
|
||||
forwardPorts = [
|
||||
{ sourcePort = 4242; destination = "192.168.125.11:4242"; }
|
||||
];
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [4242];
|
||||
}
|
||||
|
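Review bot: `config = {` does not consult the `services.yorick.quassel.enable` option declared just above it, so the container, the NAT rule on `externalInterface = "enp2s0"`, the port forward and `networking.firewall.allowedTCPPorts = [4242]` are applied to every host that imports this role — which after this commit is every host, since roles/common.nix now imports `../roles/quassel.nix`. Hosts that set `services.yorick.quassel.enable = true` (frumar) therefore behave no differently from those that do not. Change it to `config = lib.mkIf config.services.yorick.quassel.enable {`, as the other roles in this commit do.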
|
|
@ -1,50 +1,25 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
secrets = import <secrets>;
|
||||
yoricc = import ../packages/yori-cc.nix;
|
||||
acmeWebRoot = "/etc/sslcerts/acmeroot";
|
||||
acmeKeyDir = "${config.security.acme.directory}/yori.cc";
|
||||
yoricc = pkgs.callPackage ../packages/yori-cc.nix {};
|
||||
cfg = config.services.yorick.website;
|
||||
in
|
||||
with lib;
|
||||
{
|
||||
imports = [
|
||||
../modules/nginx.nix
|
||||
];
|
||||
# website + lets encrypt challenge hosting
|
||||
nginxssl = {
|
||||
enable = true;
|
||||
challenges."${config.networking.hostName}" = acmeWebRoot;
|
||||
servers."yori.cc" = {
|
||||
key_root = acmeKeyDir;
|
||||
key_webroot = acmeWebRoot;
|
||||
contents = ''
|
||||
location / {
|
||||
rewrite ^(.*) https://yorickvanpelt.nl$1 permanent;
|
||||
}
|
||||
'';
|
||||
options.services.yorick = {
|
||||
website = {
|
||||
enable = mkEnableOption "yoricc website";
|
||||
vhost = mkOption { type = types.string; };
|
||||
pkg = mkOption { type = types.package; default = yoricc; };
|
||||
};
|
||||
servers."yorickvanpelt.nl" = {
|
||||
key_root = acmeKeyDir;
|
||||
key_webroot = acmeWebRoot;
|
||||
contents = ''
|
||||
location / {
|
||||
root ${yoricc}/web;
|
||||
}
|
||||
'';
|
||||
redirect = mkOption { type = types.loaOf types.string; default = []; };
|
||||
};
|
||||
config.services.nginx.virtualHosts = with cfg; mkIf enable {
|
||||
${vhost} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".root = "${pkg}/web";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
# Let's Encrypt configuration.
|
||||
security.acme.certs."yori.cc" =
|
||||
{ email = secrets.email;
|
||||
extraDomains = {
|
||||
"${config.networking.hostName}" = null;
|
||||
"yorickvanpelt.nl" = null;
|
||||
};
|
||||
webroot = acmeWebRoot;
|
||||
postRun = ''systemctl reload nginx.service dovecot2.service postfix.service
|
||||
systemctl restart prosody.service
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
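Review bot: `redirect = mkOption { type = types.loaOf types.string; default = []; }` is declared but never read: the whole new file (25 lines) is in this hunk and its `config.services.nginx.virtualHosts` block uses only `vhost` and `pkg`, so setting `redirect` has no effect. The yori.cc → yorickvanpelt.nl redirect the old file carried now lives in the pennyworth host config as `globalRedirect`; either drop the option or wire it to `globalRedirect`, and give it a description if it stays. The removed `security.acme.certs."yori.cc"` entry also carried `email = secrets.email;`, and nothing on the new side sets an ACME contact address, which is worth checking against the `security.acme` defaults in use.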
|
|
@ -17,7 +17,7 @@
|
|||
enable = true;
|
||||
drivers = [ pkgs.gutenprint ];
|
||||
};
|
||||
environment.systemPackages = [pkgs.ghostscript];
|
||||
environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager];
|
||||
services.xserver.displayManager.sessionCommands = ''
|
||||
gpg-connect-agent /bye
|
||||
unset SSH_AGENT_PID
|
||||
|
@ -29,5 +29,5 @@
|
|||
# yubikey
|
||||
hardware.u2f.enable = true;
|
||||
services.pcscd.enable = true;
|
||||
environment.systemPackages = [pkgs.yubikey-manager];
|
||||
#environment.systemPackages = [pkgs.yubikey-manager];
|
||||
}
|
||||
|
|
|
@ -1,56 +1,57 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
luadbi = pkgs.callPackage ../packages/luadbi.nix {};
|
||||
acmeKeyDir = "${config.security.acme.directory}/yori.cc";
|
||||
acmeKeyDir = "${config.security.acme.directory}/${cfg.vhost}";
|
||||
communityModules = [ "mam" "carbons" "smacks" ];
|
||||
cfg = config.services.yorick.xmpp;
|
||||
in
|
||||
{
|
||||
# XMPP
|
||||
services.prosody = let
|
||||
# TODO: this should be in nixpkgs
|
||||
prosodyModules = pkgs.fetchhg {
|
||||
name = "prosody-modules-22042016";
|
||||
rev = "e0b8b8a50013";
|
||||
sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy";
|
||||
url = "https://hg.prosody.im/prosody-modules/";
|
||||
};
|
||||
options.services.yorick.xmpp = with lib; {
|
||||
enable = mkEnableOption "xmpp";
|
||||
vhost = mkOption { type = types.string; };
|
||||
admins = mkOption { type = types.listOf types.string; };
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
# XMPP
|
||||
services.prosody = let
|
||||
in {
|
||||
enable = true;
|
||||
|
||||
allowRegistration = false;
|
||||
extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"];
|
||||
virtualHosts.yoricc = {
|
||||
enabled = true;
|
||||
domain = "yori.cc";
|
||||
ssl = {
|
||||
key = "/var/lib/prosody/keys/key.pem";
|
||||
cert = "/var/lib/prosody/keys/fullchain.pem";
|
||||
enable = true;
|
||||
|
||||
allowRegistration = false;
|
||||
extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"] ++ communityModules;
|
||||
virtualHosts.default = {
|
||||
enabled = true;
|
||||
domain = cfg.vhost;
|
||||
ssl = {
|
||||
key = "/var/lib/prosody/keys/key.pem";
|
||||
cert = "/var/lib/prosody/keys/fullchain.pem";
|
||||
};
|
||||
};
|
||||
# TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
|
||||
extraConfig = ''
|
||||
use_libevent = true
|
||||
s2s_require_encryption = true
|
||||
c2s_require_encryption = true
|
||||
archive_expires_after = "never"
|
||||
storage = {
|
||||
archive2 = "sql";
|
||||
}
|
||||
'';
|
||||
inherit (cfg) admins;
|
||||
package = pkgs.prosody.override {
|
||||
withZlib = true; withDBI = true;
|
||||
withCommunityModules = communityModules;
|
||||
};
|
||||
};
|
||||
# TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
|
||||
extraConfig = ''
|
||||
plugin_paths = { "${prosodyModules}" }
|
||||
use_libevent = true
|
||||
s2s_require_encryption = true
|
||||
c2s_require_encryption = true
|
||||
archive_expires_after = "never"
|
||||
storage = {
|
||||
archive2 = "sql";
|
||||
}
|
||||
'';
|
||||
|
||||
admins = [ "yorick@yori.cc"];
|
||||
};
|
||||
nixpkgs.config.packageOverrides = pkgs:
|
||||
# FIXME: ugly hacks!
|
||||
{ prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; };
|
||||
};
|
||||
systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
|
||||
systemd.services.prosody.preStart = ''
|
||||
systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
|
||||
systemd.services.prosody.preStart = ''
|
||||
mkdir -m 0700 -p /var/lib/prosody/keys
|
||||
cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys
|
||||
chown -R prosody:prosody /var/lib/prosody
|
||||
'';
|
||||
networking.firewall.allowedTCPPorts = [5222 5269];
|
||||
|
||||
'';
|
||||
networking.firewall.allowedTCPPorts = [5222 5269];
|
||||
security.acme.certs.${cfg.vhost}.postRun = ''
|
||||
systemctl restart prosody.service
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
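Review bot: `services.prosody = let in {` is an empty `let` left behind when the `prosodyModules` binding was removed; write `services.prosody = {`. The key copied in `preStart` from `${acmeKeyDir}` (`${config.security.acme.directory}/${cfg.vhost}`) and the `security.acme.certs.${cfg.vhost}.postRun` restart both depend on a certificate for `cfg.vhost` being requested elsewhere — on pennyworth that is the `services.nginx.virtualHosts."yori.cc"` redirect vhost with `enableACME = true` — and this role does not declare that dependency. Add a comment above `acmeKeyDir`, e.g. `# expects an ACME cert for cfg.vhost to be requested by an nginx vhost on this host`, or an assertion using `builtins.hasAttr cfg.vhost config.security.acme.certs`.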
|
BIN
secrets.nix
BIN
secrets.nix
Binary file not shown.