update for 18.03

auto-flake-update
Yorick van Pelt 2018-03-11 18:28:25 +01:00
parent 717ad7eea6
commit 9db7e7bc35
20 changed files with 241 additions and 488 deletions


@ -12,9 +12,5 @@ in
system.stateVersion = "17.09";
# no, not that Ascanius.
networking.hostName = secrets.hostnames.ascanius;
services.tor.hiddenServices.ssh.map = [
{ port = 22; }
];
services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.ascanius.key";
}


@ -1,24 +1,11 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let secrets = import <secrets>;
acmeWebRoot = "/etc/sslcerts/acmeroot";
acmeKeyDir = "${config.security.acme.directory}/git.yori.cc";
in
{
imports =
[ # Include the results of the hardware scan.
../physical/fractal.nix
../roles/common.nix
../modules/nginx.nix
../roles/gogs.nix
../modules/tor-hidden-service.nix
../roles/quassel.nix
../roles/pub.nix
../roles/collectd.nix
];
imports = [
../physical/fractal.nix
../roles/common.nix
];
networking.hostName = secrets.hostnames.frumar;
@ -26,14 +13,12 @@ in
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "15.09";
nginxssl.enable = true;
services.nginx.enable = true;
services.yorick = {
public = { enable = true; vhost = "pub.yori.cc"; };
gogs = { enable = true; vhost = "git.yori.cc"; };
quassel.enable = true;
};
# hidden SSH service
services.tor.hiddenServices = [
{ name = "ssh";
port = 22;
hostname = secrets.tor_hostnames."ssh.frumar";
private_key = "/run/keys/torkeys/ssh.frumar.key"; }
];
}
}


@ -12,14 +12,7 @@ in
imports = [
../physical/kassala.nix
../roles/common.nix
../roles/collectd.nix
../roles/graphs.nix
../roles/xmpp.nix
../roles/website.nix
../roles/mail.nix
../modules/tor-hidden-service.nix
../modules/muflax-blog.nix
../roles/asterisk.nix
];
networking.hostName = secrets.hostnames.pennyworth;
@ -31,25 +24,34 @@ in
networking.enableIPv6 = lib.mkOverride 30 true;
system.stateVersion = "16.03";
yorick = { cpu = null; };
nginxssl.enable = true;
services.nginx.virtualHosts."pad.yori.cc" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9140";
services.nginx.enable = true;
services.yorick = {
website = { enable = true; vhost = "yorickvanpelt.nl"; };
mail = {
enable = true;
mainUser = "yorick";
users = {
yorick = with secrets; {
password = yorick_mailPassword;
domains = email_domains;
};
};
};
xmpp = {
enable = true;
vhost = "yori.cc";
admins = [ "yorick@yori.cc" ];
};
};
services.nginx.virtualHosts."yori.cc" = {
enableACME = true;
forceSSL = true;
globalRedirect = "yorickvanpelt.nl";
};
# hidden SSH service
services.tor.hiddenServices = [
{ name = "ssh";
port = 22;
hostname = secrets.tor_hostnames."ssh.pennyworth";
private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
];
services.muflax-blog = {


@ -26,15 +26,6 @@ in
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "17.09";
services.xserver = {
# displayManager.slim.autoLogin = true; # TODO: debug this
};
services.tor.hiddenServices.ssh.map = [ {port = 22;} ];
services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.woodhouse.key";
system.fsPackages = [ pkgs.sshfsFuse ];
fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];


@ -274,13 +274,11 @@ in
};
users.extraUsers = optional (cfg.user == "vmail") {
name = "vmail";
uid = cfg.uid;
group = cfg.group;
};
users.extraGroups = optional (cfg.group == "vmail") {
name = "vmail";
gid = cfg.gid;
};
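Review bot: The new side of this hunk leaves the `vmail` user and group without two of the three id/group lines shown (`uid = cfg.uid;`, `group = cfg.group;`, `gid = cfg.gid;`); this rendered page does not mark which two went, but if the fixed `uid`/`gid` were dropped the vmail account now gets a dynamically allocated id, and ownership of an existing mail store on persistent storage may no longer match after a rebuild or redeploy. Keep `uid = cfg.uid;` and `gid = cfg.gid;`, or at least mark the account `isSystemUser = true;` so it is allocated from the system range and never collides with a login user. The enclosing mailz module continues outside the hunk.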


@ -1,15 +1,18 @@
{ pkgs, config, lib, ... }:
{ cur_pkgs, config, lib, ... }:
let
cfg = config.services.muflax-blog;
muflax-source = pkgs.fetchFromGitHub {
muflax-source = builtins.fetchGit {
rev = "e5ce7ae4296c6605a7e886c153d569fc38318096";
owner = "fmap";
repo = "muflax65ngodyewp.onion";
sha256 = "10n5km8mr7vjqlyb46drfhwzlrwranqaxpqc53a2hk9pqqckm8cx";
};
blog = lib.overrideDerivation (pkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
ref = "HEAD";
url = "https://github.com/fmap/muflax65ngodyewp.onion.git";
};
nixpkgs = import (builtins.fetchTarball {
url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz";
sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8";
}) { system = builtins.currentSystem; };
blog = lib.overrideDerivation (nixpkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
buildPhase = default.buildPhase + "\n" + ''
grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g'
'';
@ -46,11 +49,8 @@ in with lib; {
}
'') ["daily" "gospel" "blog"]);
};
services.tor.hiddenServices = [{
name = "muflax-blog";
remote_port = 80;
inherit (cfg.web-server) port;
inherit (cfg.hidden-service) hostname private_key;
}];
services.tor.hiddenServices.muflax-blog.map = [{
port = 80; toPort = cfg.web-server.port; }];
services.tor.service-keys.muflax-blog = cfg.hidden-service.private_key;
};
}
}
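Review bot: Replacing `pkgs.fetchFromGitHub` with `builtins.fetchGit` drops the `sha256` that previously fixed the blog source's content: `fetchGit` pins only by the SHA-1 commit id and performs no independent hash check, and it runs at evaluation time rather than as a fixed-output derivation, so evaluation now needs network access. If the aim was only to decouple from the system `pkgs`, `nixpkgs.fetchFromGitHub` from the pinned nixpkgs introduced a few lines below, with the same `rev` and `sha256`, keeps the content hash. `ref = "HEAD"` is also unusual — `ref` is meant to name a branch or tag from which `rev` is reachable, so `ref = "master"` (the default) is the safer spelling if that is where the commit lives. The renamed `cur_pkgs` argument is not used by any visible line; if the rest of the module still references `pkgs`, the rename breaks evaluation — the remainder of the file is outside the hunk.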


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
let
cfg = config.nginxssl;
sslcfg = dir: ''
ssl on;
ssl_certificate_key ${dir}/key.pem;
@ -9,139 +8,29 @@ sslcfg = dir: ''
add_header Strict-Transport-Security max-age=15768000;
'';
makeChallenges = servername: key_webroot: ''
server {
listen 80;
listen [::]:80;
server_name ${servername};
location /.well-known/acme-challenge {
default_type text/plain;
alias ${key_webroot}/.well-known/acme-challenge;
}
}
'';
makeServerBlock = servername: {key_root, key_webroot, contents, ...}: ''
server {
listen 80;
listen [::]:80;
server_name ${servername};
server_tokens off;
location /.well-known/acme-challenge {
default_type text/plain;
alias ${key_webroot}/.well-known/acme-challenge;
}
location / {
rewrite ^(.*) https://$host$1 permanent;
}
}
server {
listen 443;
listen [::]:443;
server_name ${servername};
location /.well-known/acme-challenge {
default_type text/plain;
alias ${key_webroot}/.well-known/acme-challenge;
}
${sslcfg key_root}
${contents}
}
'';
#vhosts = with lib; unique (concatMap (splitString " ") (attrNames cfg.servers));
servopts = {...}: {
options = {
key_webroot = mkOption {
type = types.string;
description = "The path where the acme challenge is stored";
};
key_root = mkOption {
type = types.string;
description = "The path where the SSL keys are stored";
};
contents = mkOption {
type = types.string;
description = "Extra server block contents, like location blocks";
example = "location / {}";
};
};
};
inherit (lib) mkEnableOption mkOption types mkIf;
in
{
options.nginxssl = {
enable = mkEnableOption "enable new nginx module";
no_vhost_keydir = mkOption {
type = types.string;
default = "/etc/sslcerts/no_vhost";
description = "The path where the SSL keys for the default are stored (can and will be self-signed)";
};
servers = mkOption {
type = types.attrsOf types.optionSet;
description = "The servers to host";
default = {};
example = {"git.domain.com" = {
contents = "location / {}";
key_root = "/var/lib/acme/git.domain.com";
key_webroot = "/etc/sslcerts/acmeroot";
};
};
options = [ servopts ];
};
challenges = mkOption {
type = types.attrsOf types.string;
default = {};
example = {"mail.domain.com" = "/var/lib/acme/mail.domain.com";};
description = "Other domains to host challenges for";
};
};
config = mkIf cfg.enable {
config = lib.mkIf config.services.nginx.enable {
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
serverTokens = false;
sslDhparam = "/etc/nginx/dhparam.pem";
virtualHosts = {
"\"\"" = {
forceSSL = true;
locations."/" = {
index = "index.html index.htm";
root = "${pkgs.nginx}/html";
};
sslCertificate = "${cfg.no_vhost_keydir}/fullchain.pem";
sslCertificateKey = "${cfg.no_vhost_keydir}/key.pem";
default = true;
};
};
appendHttpConfig = ''
${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)}
${lib.concatStringsSep "\n" (lib.mapAttrsToList makeServerBlock cfg.servers)}
'';
};
virtualHosts."${config.networking.hostName}" = {
enableACME = true;
forceSSL = true;
default = true;
};
};
networking.firewall.allowedTCPPorts = [80 443];
system.activationScripts.nginxdhparams =
''
if ! [[ -e /etc/nginx/dhparam.pem ]]; then
mkdir -p /etc/nginx/
${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
fi
# self-sign certs in case an invalid vhost is looked up
dir=${cfg.no_vhost_keydir}
mkdir -m 0700 -p $dir
if ! [[ -e $dir/key.pem ]]; then
${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
-subj "/C=NL/CN=www.example.com"
${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
fi
'';
system.activationScripts.nginxdhparams = ''
if ! [[ -e /etc/nginx/dhparam.pem ]]; then
mkdir -p /etc/nginx/
${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
fi
'';
};
}
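Review bot: The rewritten module no longer emits the `Strict-Transport-Security` header that the old `sslcfg` helper added to every TLS server block: `forceSSL` and `recommendedTlsSettings` set up the redirect and cipher configuration but nothing in the visible new config adds HSTS, so every vhost built on this module silently loses it. Restore it once for the http context, e.g. `appendHttpConfig = "add_header Strict-Transport-Security max-age=15768000;";` (or per vhost via `extraConfig`), bearing in mind that nginx does not inherit `add_header` into a location that sets its own headers. The `sslcfg` binding at the top of the let appears to be dead now that `makeServerBlock` is gone and should be removed. The default server also changed meaning: unknown Host/SNI requests used to hit the self-signed no_vhost certificate and now land on the hostname vhost with its real ACME certificate, which deserves a one-line comment if intentional.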


@ -1,47 +0,0 @@
{lib, fetchurl, lua, sqlite, luaPackages,
libpsql ? null, libmysql ? null,
withpsql ? false, withmysql ? false}:
assert withpsql -> libpsql != null;
assert withmysql -> libmysql != null;
luaPackages.buildLuaPackage rec {
version = "0.5";
name = "luadbi-${version}";
isLibrary = true;
src = fetchurl {
url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/luadbi/luadbi.${version}.tar.gz";
sha256 = "07ikxgxgfpimnwf7zrqwcwma83ss3wm2nzjxpwv2a1c0vmc684a9";
};
propagatedBuildInputs = [ sqlite ]
++ (lib.optional withpsql [libpsql])
++ (lib.optional withmysql [libmysql]);
unpackPhase = ''
mkdir ./luadbi
tar -xf $src -C ./luadbi
sourceRoot=./luadbi
chmod -R u+w "$sourceRoot";
'';
preBuild = with lib.optionalString; ''
makeFlagsArray=(
sqlite3
${lib.optionalString withpsql "psql"}
${lib.optionalString withmysql "mysql"}
LUA_LDIR="$out/share/lua/${lua.luaversion}"
LUA_INC="-I${lua}/include" LUA_CDIR="$out/lib/lua/${lua.luaversion}"
)
'';
installPhase = ''
mkdir -p $out/lib/lua/${lua.luaversion}
install -p ./*.so DBI.lua $out/lib/lua/${lua.luaversion}
'';
meta = {
homepage = "https://code.google.com/archive/p/luadbi/downloads";
maintainers = [ "Yorick" ];
};
}


@ -1,4 +1,4 @@
with import <nixpkgs> {};
{ stdenv, callPackage }:
let gogitget = callPackage ./gogitget.nix {}; in


@ -30,7 +30,7 @@ in
usePredictableInterfaceNames = false; # only eth0
interfaces.eth0 = {
useDHCP = false;
inherit (ipconf) ip4 ip6;
inherit (ipconf) ipv4 ipv6;
};
inherit (ipconf) nameservers;
# ideally, it should add a route for this automatically


@ -1,51 +0,0 @@
{ config, pkgs, lib, ... }:
{
# todo: the prestart service copies to the wrong dir
services.asterisk = {
enable = true;
#extraArguments = ["-vvvddd"];
confFiles."logger.conf" = ''
[general]
[logfiles]
syslog.local0 => notice,warning,error
console => debug,notice,warning,error,verbose,dtmf,fax
'';
confFiles."extensions.conf" = ''
[from-sim]
exten => _X.,1,Verbose(Call from Limesco SIM [''${CALLERID(num)}] to [''${EXTEN}])
same => n,Dial(SIP/speakup01/''${EXTEN})
[from-speakup]
; Vervang ... door de rest van je DIY-nummer:
exten => 31626972516,1,Verbose(Call from SpeakUp [''${CALLERID(num)}] to [''${EXTEN}])
same => n,Dial(SIP/limesco/''${EXTEN})
'';
};
environment.systemPackages = with pkgs; [
asterisk
];
#networking.firewall.allowedUDPPorts = [5060];
#networking.firewall.allowedTCPPorts = [5060];
networking.firewall.extraCommands = ''
iptables -A nixos-fw -p udp -s 193.169.138.0/23 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 91.232.130.0/24 -j nixos-fw-accept
iptables -A nixos-fw -p udp -s 81.205.5.19 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 193.169.138.0/23 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 91.232.130.0/24 -j nixos-fw-accept
iptables -A nixos-fw -p tcp -s 81.205.5.19 -j nixos-fw-accept
'';
# nixpkgs.config = {
# packageOverrides = pkgs : {
# asterisk = pkgs.asterisk.overrideDerivation (attrs: rec {
# version = "13.11.2";
# broken = false;
# src = pkgs.fetchurl {
# url = "http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-${version}.tar.gz";
# sha256 = "0fjski1cpbxap1kcjg6sgd6c8qpxn8lb1sszpg6iz88vn4dh19vf";
# };
# });
# };
# };
}


@ -1,10 +1,20 @@
let secrets = import <secrets>;
in
{ config, pkgs, lib, ...}:
let
machine = with lib; head (splitString "." config.networking.hostName);
in
{
imports = [
../roles/hardware.nix
../modules/tor-hidden-service.nix
../modules/nginx.nix
../roles/pub.nix
../roles/quassel.nix
../roles/gogs.nix
../roles/mail.nix
../roles/website.nix
../roles/xmpp.nix
];
time.timeZone = "Europe/Amsterdam";
users.mutableUsers = false;
@ -28,11 +38,6 @@ in
nixpkgs.config.allowUnfree = true;
nix.package = pkgs.nixUnstable;
nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to];
nix.binaryCachePublicKeys = [
"hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g="
];
nix.buildCores = config.nix.maxJobs;
nix.extraOptions = ''
@ -51,6 +56,9 @@ in
services.tor = {
enable = true;
client.enable = true;
# ssh hidden service
hiddenServices.ssh.map = [{ port = 22; }];
service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key";
};
programs.ssh.extraConfig = ''
@ -106,6 +114,5 @@ in
];
nix.gc.automatic = true;
security.acme.preliminarySelfsigned = true;
}


@ -1,57 +1,52 @@
{ config, pkgs, lib, ... }:
let
gitHome = "/var/gogs";
gogsPort = 8001;
domain = "git.yori.cc";
cfg = config.services.yorick.gogs;
in
{
imports = [
../modules/nginx.nix
];
users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; useDefaultShell = true;};
users.extraGroups.git = { };
services.gogs = rec {
enable = true;
user = "git";
group = "git";
database.user = "root";
stateDir = gitHome;
repositoryRoot = "${stateDir}/gogs-repositories";
rootUrl = "https://${domain}/";
httpAddress = "localhost";
httpPort = gogsPort;
extraConfig = ''
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
[picture]
DISABLE_GRAVATAR = false
AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars
[mailer]
ENABLED = false
[session]
PROVIDER = file
[log]
ROOT_PATH = ${gitHome}/logs
MODE = file
LEVEL = Info
[server]
DISABLE_ROUTER_LOG = true
'';
inherit domain;
options.services.yorick.gogs = with lib; {
enable = mkEnableOption "gogs";
dir = mkOption { type = types.string; default = "/var/gogs"; };
port = mkOption { type = types.int; default = 8001; };
vhost = mkOption { type = types.string; };
};
users.extraUsers.gogs.createHome = lib.mkForce false;
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString gogsPort}";
config = lib.mkIf cfg.enable {
users.extraUsers.git = { home = cfg.dir; extraGroups = [ "git" ]; useDefaultShell = true;};
users.extraGroups.git = { };
services.gogs = rec {
enable = true;
user = "git";
group = "git";
database.user = "root";
stateDir = cfg.dir;
repositoryRoot = "${stateDir}/gogs-repositories";
rootUrl = "https://${cfg.vhost}/";
httpAddress = "localhost";
httpPort = cfg.port;
extraConfig = ''
proxy_buffering off;
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
[picture]
DISABLE_GRAVATAR = false
AVATAR_UPLOAD_PATH = ${cfg.dir}/data/avatars
[mailer]
ENABLED = false
'';
domain = cfg.vhost;
};
users.extraUsers.gogs.createHome = lib.mkForce false;
services.nginx.virtualHosts.${cfg.vhost} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
extraConfig = ''
proxy_buffering off;
'';
};
};
};
}
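Review bot: The new `dir` and `vhost` options use `types.string`, the legacy string type whose merge function concatenates multiple definitions, so a second definition of `vhost` anywhere in a host config would silently become `"git.yori.ccgit.yori.cc"` in `rootUrl` and the nginx `server_name` instead of raising an evaluation error; use `types.str` for both (the same applies to the other new role options in this commit). Separately, the old `extraConfig` carried `[session] PROVIDER = file`, a `[log]` section and `[server] DISABLE_ROUTER_LOG = true`; the new one drops them, so gogs presumably falls back to its defaults (memory-backed sessions lost on restart, router logging of every request). If that is intended it deserves a short comment; otherwise restore at least the `[session]` and `[server]` lines.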


@ -1,25 +1,27 @@
{ config, pkgs, lib, ... }:
let secrets = import <secrets>;
acmeKeyDir = "${config.security.acme.directory}/yori.cc";
let
cfg = config.services.yorick.mail;
in
{
imports = [
../modules/mailz.nix
../modules/backup.nix
];
config = {
options.services.yorick.mail = with lib; {
enable = mkEnableOption "mail service";
mainUser = mkOption { type = types.string; };
users = mkOption {};
};
config = lib.mkIf cfg.enable {
# email
services.mailz = {
services.mailz = rec {
domain = config.networking.hostName;
keydir = acmeKeyDir;
mainUser = "yorick";
users = {
yorick = with secrets; {
password = yorick_mailPassword;
domains = email_domains;
};
};
keydir = "${config.security.acme.directory}/${domain}";
inherit (cfg) mainUser users;
};
security.acme.certs.${config.networking.hostName}.postRun = ''
systemctl reload dovecot2.service postfix.service
'';
services.backup = {
enable = true;
backups = {
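Review bot: `keydir = "${config.security.acme.directory}/${domain}"` points dovecot/postfix at a certificate that this role never requests: no `security.acme.certs.<hostname>` with a `webroot` is declared here, and the `postRun` added below only hooks an existing cert. On pennyworth it works because nginx.nix's default vhost for `config.networking.hostName` sets `enableACME`, so enabling mail on a host without nginx would leave keydir unpopulated, and the bare `postRun` definition likely fails evaluation for lack of a webroot. Make the dependency explicit, e.g. `assertions = [{ assertion = config.services.nginx.enable; message = "services.yorick.mail needs nginx for the ACME cert of ${config.networking.hostName}"; }];` inside the `mkIf`, or request the cert in this module. `users = mkOption {};` is untyped; `types.attrsOf (types.submodule …)` or at least `types.attrs`, plus `types.str` instead of the concatenating `types.string` for `mainUser`, would document the expected shape. The `services.backup` block at the end continues outside the hunk.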


@ -1,14 +1,19 @@
{ config, pkgs, lib, ... }:
let cfg = config.services.yorick.public; in
{
options.services.yorick.public = {
enable = lib.mkEnableOption "public hosting";
vhost = lib.mkOption { type = lib.types.string; };
};
#imports = [../modules/nginx.nix];
config = {
config = lib.mkIf cfg.enable {
users.extraUsers.public = {
home = "/home/public";
useDefaultShell = true;
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
createHome = true;
};
services.nginx.virtualHosts."pub.yori.cc" = {
services.nginx.virtualHosts.${cfg.vhost} = {
forceSSL = true;
enableACME = true;
locations."/" = {


@ -1,40 +1,45 @@
{config, pkgs, lib, ...}:
{
containers.quassel = {
config = { config, pkgs, ... }: {
services.postgresql = {
enable = true;
package = pkgs.postgresql94;
extraConfig = ''
max_connections = 10
shared_buffers = 1GB
effective_cache_size = 4GB
work_mem = 50MB
maintenance_work_mem = 100MB
'';
options.services.yorick.quassel = {
enable = lib.mkEnableOption "quassel container";
};
config = {
containers.quassel = {
config = { config, pkgs, ... }: {
services.postgresql = {
enable = true;
package = pkgs.postgresql94;
extraConfig = ''
max_connections = 10
shared_buffers = 1GB
effective_cache_size = 4GB
work_mem = 50MB
maintenance_work_mem = 100MB
'';
};
services.quassel = {
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
enable = true;
interfaces = ["0.0.0.0"];
};
environment.systemPackages = [
pkgs.quasselDaemon
];
networking.firewall.allowedTCPPorts = [4242];
};
services.quassel = {
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
enable = true;
interfaces = ["0.0.0.0"];
};
environment.systemPackages = [
pkgs.quasselDaemon
];
networking.firewall.allowedTCPPorts = [4242];
privateNetwork = true;
hostAddress = "192.168.125.1";
localAddress = "192.168.125.11";
};
privateNetwork = true;
hostAddress = "192.168.125.1";
localAddress = "192.168.125.11";
# give the containers networking
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp2s0";
forwardPorts = [
{ sourcePort = 4242; destination = "192.168.125.11:4242"; }
];
};
networking.firewall.allowedTCPPorts = [4242];
};
# give the containers networking
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp2s0";
forwardPorts = [
{ sourcePort = 4242; destination = "192.168.125.11:4242"; }
];
};
networking.firewall.allowedTCPPorts = [4242];
}
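Review bot: `config = {` on the new side is not gated on the `enable` option declared just above it, so `services.yorick.quassel.enable` is a no-op and, because common.nix now imports this role on every host, every machine gets the quassel container, NAT on a hard-coded `externalInterface = "enp2s0"`, the 4242 port-forward and TCP 4242 opened in the host firewall. Change it to `config = lib.mkIf config.services.yorick.quassel.enable {`, matching how gogs, mail and xmpp are gated in this same commit. The external interface name is host-specific and belongs in an option (`externalInterface = lib.mkOption { type = lib.types.str; }`) rather than as a literal inside a shared role.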


@ -1,50 +1,25 @@
{ config, lib, pkgs, ... }:
let
secrets = import <secrets>;
yoricc = import ../packages/yori-cc.nix;
acmeWebRoot = "/etc/sslcerts/acmeroot";
acmeKeyDir = "${config.security.acme.directory}/yori.cc";
yoricc = pkgs.callPackage ../packages/yori-cc.nix {};
cfg = config.services.yorick.website;
in
with lib;
{
imports = [
../modules/nginx.nix
];
# website + lets encrypt challenge hosting
nginxssl = {
enable = true;
challenges."${config.networking.hostName}" = acmeWebRoot;
servers."yori.cc" = {
key_root = acmeKeyDir;
key_webroot = acmeWebRoot;
contents = ''
location / {
rewrite ^(.*) https://yorickvanpelt.nl$1 permanent;
}
'';
options.services.yorick = {
website = {
enable = mkEnableOption "yoricc website";
vhost = mkOption { type = types.string; };
pkg = mkOption { type = types.package; default = yoricc; };
};
servers."yorickvanpelt.nl" = {
key_root = acmeKeyDir;
key_webroot = acmeWebRoot;
contents = ''
location / {
root ${yoricc}/web;
}
'';
redirect = mkOption { type = types.loaOf types.string; default = []; };
};
config.services.nginx.virtualHosts = with cfg; mkIf enable {
${vhost} = {
enableACME = true;
forceSSL = true;
locations."/".root = "${pkg}/web";
};
};
# Let's Encrypt configuration.
security.acme.certs."yori.cc" =
{ email = secrets.email;
extraDomains = {
"${config.networking.hostName}" = null;
"yorickvanpelt.nl" = null;
};
webroot = acmeWebRoot;
postRun = ''systemctl reload nginx.service dovecot2.service postfix.service
systemctl restart prosody.service
'';
};
}
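Review bot: The removed `security.acme.certs."yori.cc"` block was the only visible place that set `email = secrets.email` for ACME registration; the replacement `enableACME = true` vhost registers without a contact address, so unless it is set elsewhere the CA's expiry and policy notices stop arriving. Set it next to the vhost, e.g. `config.security.acme.certs.${cfg.vhost}.email = secrets.email;` (re-importing `secrets` in the let), or wherever the host config collects ACME settings. The new `redirect` option (`types.loaOf types.string`, default `[]`) is declared but consumed by nothing in this hunk; either wire it into the virtualHosts definition or drop it, and prefer `types.str` over the deprecated concatenating `types.string` for `vhost`.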


@ -17,7 +17,7 @@
enable = true;
drivers = [ pkgs.gutenprint ];
};
environment.systemPackages = [pkgs.ghostscript];
environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager];
services.xserver.displayManager.sessionCommands = ''
gpg-connect-agent /bye
unset SSH_AGENT_PID
@ -29,5 +29,5 @@
# yubikey
hardware.u2f.enable = true;
services.pcscd.enable = true;
environment.systemPackages = [pkgs.yubikey-manager];
#environment.systemPackages = [pkgs.yubikey-manager];
}


@ -1,56 +1,57 @@
{ config, lib, pkgs, ... }:
let
luadbi = pkgs.callPackage ../packages/luadbi.nix {};
acmeKeyDir = "${config.security.acme.directory}/yori.cc";
acmeKeyDir = "${config.security.acme.directory}/${cfg.vhost}";
communityModules = [ "mam" "carbons" "smacks" ];
cfg = config.services.yorick.xmpp;
in
{
# XMPP
services.prosody = let
# TODO: this should be in nixpkgs
prosodyModules = pkgs.fetchhg {
name = "prosody-modules-22042016";
rev = "e0b8b8a50013";
sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy";
url = "https://hg.prosody.im/prosody-modules/";
};
options.services.yorick.xmpp = with lib; {
enable = mkEnableOption "xmpp";
vhost = mkOption { type = types.string; };
admins = mkOption { type = types.listOf types.string; };
};
config = lib.mkIf cfg.enable {
# XMPP
services.prosody = let
in {
enable = true;
allowRegistration = false;
extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"];
virtualHosts.yoricc = {
enabled = true;
domain = "yori.cc";
ssl = {
key = "/var/lib/prosody/keys/key.pem";
cert = "/var/lib/prosody/keys/fullchain.pem";
enable = true;
allowRegistration = false;
extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"] ++ communityModules;
virtualHosts.default = {
enabled = true;
domain = cfg.vhost;
ssl = {
key = "/var/lib/prosody/keys/key.pem";
cert = "/var/lib/prosody/keys/fullchain.pem";
};
};
# TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
extraConfig = ''
use_libevent = true
s2s_require_encryption = true
c2s_require_encryption = true
archive_expires_after = "never"
storage = {
archive2 = "sql";
}
'';
inherit (cfg) admins;
package = pkgs.prosody.override {
withZlib = true; withDBI = true;
withCommunityModules = communityModules;
};
};
# TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
extraConfig = ''
plugin_paths = { "${prosodyModules}" }
use_libevent = true
s2s_require_encryption = true
c2s_require_encryption = true
archive_expires_after = "never"
storage = {
archive2 = "sql";
}
'';
admins = [ "yorick@yori.cc"];
};
nixpkgs.config.packageOverrides = pkgs:
# FIXME: ugly hacks!
{ prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; };
};
systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
systemd.services.prosody.preStart = ''
systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
systemd.services.prosody.preStart = ''
mkdir -m 0700 -p /var/lib/prosody/keys
cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys
chown -R prosody:prosody /var/lib/prosody
'';
networking.firewall.allowedTCPPorts = [5222 5269];
'';
networking.firewall.allowedTCPPorts = [5222 5269];
security.acme.certs.${cfg.vhost}.postRun = ''
systemctl restart prosody.service
'';
};
}
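Review bot: `security.acme.certs.${cfg.vhost}.postRun` and the preStart copy from `acmeKeyDir` rely on a certificate for `cfg.vhost` that nothing in this role requests: there is no `webroot` or domain definition here, so the role only works when an nginx vhost with `enableACME` for the same name exists (pennyworth.nix's `yori.cc` in this commit) and otherwise fails at evaluation or copies from an empty directory. Either request the cert in this module or add `assertions = [{ assertion = builtins.hasAttr cfg.vhost config.services.nginx.virtualHosts; message = "services.yorick.xmpp needs an nginx vhost for ${cfg.vhost}"; }];` inside the `mkIf`. The `luadbi = pkgs.callPackage ../packages/luadbi.nix {};` binding at the top of the let appears to survive as context although packages/luadbi.nix is deleted in this commit; it is unused now that `withDBI = true` is passed to the prosody override and, being lazy, will not error, but it is a dangling reference and should go. `vhost` and `admins` should use `types.str` rather than the deprecated concatenating `types.string`.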
