diff --git a/logical/ascanius.nix b/logical/ascanius.nix
index a666c18..6058945 100644
--- a/logical/ascanius.nix
+++ b/logical/ascanius.nix
@@ -12,9 +12,5 @@ in
 system.stateVersion = "17.09"; # no, not that Ascanius.
 networking.hostName = secrets.hostnames.ascanius;
- services.tor.hiddenServices.ssh.map = [
- { port = 22; }
- ];
- services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.ascanius.key";
 }
diff --git a/logical/frumar.nix b/logical/frumar.nix
index 0c71722..6917703 100644
--- a/logical/frumar.nix
+++ b/logical/frumar.nix
@@ -1,24 +1,11 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, ... }:
 let secrets = import ;
- acmeWebRoot = "/etc/sslcerts/acmeroot";
- acmeKeyDir = "${config.security.acme.directory}/git.yori.cc";
 in
 {
- imports =
- [ # Include the results of the hardware scan.
- ../physical/fractal.nix
- ../roles/common.nix
- ../modules/nginx.nix
- ../roles/gogs.nix
- ../modules/tor-hidden-service.nix
- ../roles/quassel.nix
- ../roles/pub.nix
- ../roles/collectd.nix
- ];
+ imports = [
+ ../physical/fractal.nix
+ ../roles/common.nix
+ ];
 
 networking.hostName = secrets.hostnames.frumar;
@@ -26,14 +13,12 @@ in
 # The NixOS release to be compatible with for stateful data such as databases.
 system.stateVersion = "15.09";
- nginxssl.enable = true;
+ services.nginx.enable = true;
+ services.yorick = {
+ public = { enable = true; vhost = "pub.yori.cc"; };
+ gogs = { enable = true; vhost = "git.yori.cc"; };
+ quassel.enable = true;
+ };
+
- # hidden SSH service
-
- services.tor.hiddenServices = [
- { name = "ssh";
- port = 22;
- hostname = secrets.tor_hostnames."ssh.frumar";
- private_key = "/run/keys/torkeys/ssh.frumar.key"; }
- ];
-}
\ No newline at end of file
+}
diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix
index 0be506a..2dfa35a 100644
--- a/logical/pennyworth.nix
+++ b/logical/pennyworth.nix
@@ -12,14 +12,7 @@ in
 imports = [
 ../physical/kassala.nix
 ../roles/common.nix
- ../roles/collectd.nix
- ../roles/graphs.nix
- ../roles/xmpp.nix
- ../roles/website.nix
- ../roles/mail.nix
- ../modules/tor-hidden-service.nix
 ../modules/muflax-blog.nix
- ../roles/asterisk.nix
 ];
 
 networking.hostName = secrets.hostnames.pennyworth;
@@ -31,25 +24,34 @@ in
 networking.enableIPv6 = lib.mkOverride 30 true;
 system.stateVersion = "16.03";
+ yorick = { cpu = null; };
 
- nginxssl.enable = true;
-
- services.nginx.virtualHosts."pad.yori.cc" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:9140";
+ services.nginx.enable = true;
+ services.yorick = {
+ website = { enable = true; vhost = "yorickvanpelt.nl"; };
+ mail = {
+ enable = true;
+ mainUser = "yorick";
+ users = {
+ yorick = with secrets; {
+ password = yorick_mailPassword;
+ domains = email_domains;
+ };
+ };
+ };
+ xmpp = {
+ enable = true;
+ vhost = "yori.cc";
+ admins = [ "yorick@yori.cc" ];
 };
 };
+ services.nginx.virtualHosts."yori.cc" = {
+ enableACME = true;
+ forceSSL = true;
+ globalRedirect = "yorickvanpelt.nl";
+ };
 
- # hidden SSH service
- services.tor.hiddenServices = [
- { name = "ssh";
- port = 22;
- hostname = secrets.tor_hostnames."ssh.pennyworth";
- private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
- ];
 services.muflax-blog = {
diff --git a/logical/woodhouse.nix b/logical/woodhouse.nix
index b833b8d..463b899 100644
--- a/logical/woodhouse.nix
+++ b/logical/woodhouse.nix
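Review bot: The `services.yorick.xmpp` block sets `vhost = "yori.cc"`, and roles/xmpp.nix in this commit copies `${config.security.acme.directory}/yori.cc/key.pem` into prosody's key directory at start; within this hunk the only thing that actually requests that certificate is the `services.nginx.virtualHosts."yori.cc"` redirect vhost through `enableACME = true`. That dependency is invisible at the host level, so removing or renaming the redirect vhost later would break XMPP TLS on the next rebuild. A comment on the vhost, `# also provides the ACME certificate consumed by services.yorick.xmpp (roles/xmpp.nix)`, would make the coupling explicit. `yorick = { cpu = null; };` refers to an option not declared in any file of this diff; presumably it comes from roles/hardware.nix, which is worth confirming.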
@@ -26,15 +26,6 @@ in
 # The NixOS release to be compatible with for stateful data such as databases.
 system.stateVersion = "17.09";
-
- services.xserver = {
- # displayManager.slim.autoLogin = true; # TODO: debug this
- };
-
-
- services.tor.hiddenServices.ssh.map = [ {port = 22;} ];
- services.tor.service-keys.ssh = "/run/keys/torkeys/ssh.woodhouse.key";
-
 system.fsPackages = [ pkgs.sshfsFuse ];
 fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];
diff --git a/modules/mailz.nix b/modules/mailz.nix
index b37a41f..4bf7169 100644
--- a/modules/mailz.nix
+++ b/modules/mailz.nix
@@ -274,13 +274,11 @@ in
 };
 users.extraUsers = optional (cfg.user == "vmail") {
- name = "vmail";
 uid = cfg.uid;
 group = cfg.group;
 };
 users.extraGroups = optional (cfg.group == "vmail") {
- name = "vmail";
 gid = cfg.gid;
 };
diff --git a/modules/muflax-blog.nix b/modules/muflax-blog.nix
index bfebafa..5bfd51c 100644
--- a/modules/muflax-blog.nix
+++ b/modules/muflax-blog.nix
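Review bot: Dropping `name = "vmail";` from the list-form `users.extraUsers` and `users.extraGroups` elements leaves the account name to the `loaOf` list-to-attrs conversion, and on releases where that conversion falls back to a generated name when `.name` is absent, `cfg.uid`/`cfg.gid` would be attached to a user and group that are not called `vmail` while mail delivery still expects that name. Confirm on the target NixOS release, or avoid the question entirely by using the attribute form, e.g. `users.extraUsers = optionalAttrs (cfg.user == "vmail") { vmail = { uid = cfg.uid; group = cfg.group; }; };` and the matching `users.extraGroups` form. The enclosing module body continues outside the hunk.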
@@ -1,15 +1,18 @@
-{ pkgs, config, lib, ... }:
+{ cur_pkgs, config, lib, ... }:
 let cfg = config.services.muflax-blog;
- muflax-source = pkgs.fetchFromGitHub {
+ muflax-source = builtins.fetchGit {
 rev = "e5ce7ae4296c6605a7e886c153d569fc38318096";
- owner = "fmap";
- repo = "muflax65ngodyewp.onion";
- sha256 = "10n5km8mr7vjqlyb46drfhwzlrwranqaxpqc53a2hk9pqqckm8cx";
- };
- blog = lib.overrideDerivation (pkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
+ ref = "HEAD";
+ url = "https://github.com/fmap/muflax65ngodyewp.onion.git";
+};
+nixpkgs = import (builtins.fetchTarball {
+ url = "https://github.com/NixOS/nixpkgs-channels/archive/78e9665b48ff45d3e29f45b3ebeb6fc6c6e19922.tar.gz";
+ sha256 = "09f50jaijvry9lrnx891qmcf92yb8qs64n1cvy0db2yjrmxsxyw8";
+}) { system = builtins.currentSystem; };
+ blog = lib.overrideDerivation (nixpkgs.callPackage "${muflax-source}/maintenance" {}) (default: {
 buildPhase = default.buildPhase + "\n" + ''
 grep -lr '[^@]muflax.com' out | xargs -r sed -i 's/\([^@]\)muflax.com/\1${cfg.hidden-service.hostname}/g'
 '';
@@ -46,11 +49,8 @@ in with lib; {
 } '') ["daily" "gospel" "blog"]);
 };
- services.tor.hiddenServices = [{
- name = "muflax-blog";
- remote_port = 80;
- inherit (cfg.web-server) port;
- inherit (cfg.hidden-service) hostname private_key;
- }];
+ services.tor.hiddenServices.muflax-blog.map = [{
+ port = 80; toPort = cfg.web-server.port; }];
+ services.tor.service-keys.muflax-blog = cfg.hidden-service.private_key;
 };
-}
\ No newline at end of file
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 2af7604..8d69147 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -1,6 +1,5 @@
 { config, lib, pkgs, ... }:
 let
-cfg = config.nginxssl;
 sslcfg = dir: ''
 ssl on;
 ssl_certificate_key ${dir}/key.pem;
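Review bot: The module's argument set becomes `{ cur_pkgs, config, lib, ... }:`, but `cur_pkgs` is not an argument the NixOS module system supplies by default and nothing in the hunk reads it; unless `_module.args.cur_pkgs` is defined elsewhere, evaluation fails on the unknown argument, and if the intent is only to stop using `pkgs`, `{ config, lib, ... }:` is the safer spelling. The supply-chain side of the change holds up: `builtins.fetchGit` is pinned to a full commit `rev` and the nixpkgs tarball carries a `sha256`, so both inputs stay content-addressed. `system = builtins.currentSystem` does make the pinned nixpkgs impure with respect to the evaluating host, which deserves a comment such as `# impure: follows the evaluating host's system`. The `let` block continues past the hunk.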
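Review bot: With `cfg = config.nginxssl;` removed here and every `${sslcfg key_root}` use removed in the next hunk (`makeServerBlock` was its only caller), `sslcfg` appears to be dead code that still looks like an applied TLS policy (`ssl on`, HSTS header); if the remainder of the file confirms nothing else references it, delete the binding rather than leave a snippet a future reader may assume is in effect. The `let` block is cut by the hunk, so the tail of `sslcfg` is in the following hunk.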
@@ -9,139 +8,29 @@ sslcfg = dir: ''
 add_header Strict-Transport-Security max-age=15768000;
 '';
-makeChallenges = servername: key_webroot: ''
- server {
- listen 80;
- listen [::]:80;
- server_name ${servername};
- location /.well-known/acme-challenge {
- default_type text/plain;
- alias ${key_webroot}/.well-known/acme-challenge;
- }
- }
-'';
-makeServerBlock = servername: {key_root, key_webroot, contents, ...}: ''
- server {
- listen 80;
- listen [::]:80;
- server_name ${servername};
- server_tokens off;
- location /.well-known/acme-challenge {
- default_type text/plain;
- alias ${key_webroot}/.well-known/acme-challenge;
- }
- location / {
- rewrite ^(.*) https://$host$1 permanent;
- }
- }
- server {
- listen 443;
- listen [::]:443;
- server_name ${servername};
- location /.well-known/acme-challenge {
- default_type text/plain;
- alias ${key_webroot}/.well-known/acme-challenge;
- }
- ${sslcfg key_root}
- ${contents}
- }
-'';
-#vhosts = with lib; unique (concatMap (splitString " ") (attrNames cfg.servers));
-servopts = {...}: {
- options = {
- key_webroot = mkOption {
- type = types.string;
- description = "The path where the acme challenge is stored";
- };
- key_root = mkOption {
- type = types.string;
- description = "The path where the SSL keys are stored";
- };
- contents = mkOption {
- type = types.string;
- description = "Extra server block contents, like location blocks";
- example = "location / {}";
- };
- };
-};
-inherit (lib) mkEnableOption mkOption types mkIf;
 in
 {
- options.nginxssl = {
- enable = mkEnableOption "enable new nginx module";
- no_vhost_keydir = mkOption {
- type = types.string;
- default = "/etc/sslcerts/no_vhost";
- description = "The path where the SSL keys for the default are stored (can and will be self-signed)";
- };
- servers = mkOption {
- type = types.attrsOf types.optionSet;
- description = "The servers to host";
- default = {};
- example = {"git.domain.com" = {
- contents = "location / {}";
- key_root =
"/var/lib/acme/git.domain.com";
- key_webroot = "/etc/sslcerts/acmeroot";
- };
- };
- options = [ servopts ];
- };
- challenges = mkOption {
- type = types.attrsOf types.string;
- default = {};
- example = {"mail.domain.com" = "/var/lib/acme/mail.domain.com";};
- description = "Other domains to host challenges for";
- };
- };
- config = mkIf cfg.enable {
+ config = lib.mkIf config.services.nginx.enable {
 services.nginx = {
- enable = true;
 recommendedTlsSettings = true;
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 recommendedOptimisation = true;
 serverTokens = false;
 sslDhparam = "/etc/nginx/dhparam.pem";
- virtualHosts = {
- "\"\"" = {
- forceSSL = true;
- locations."/" = {
- index = "index.html index.htm";
- root = "${pkgs.nginx}/html";
- };
- sslCertificate = "${cfg.no_vhost_keydir}/fullchain.pem";
- sslCertificateKey = "${cfg.no_vhost_keydir}/key.pem";
- default = true;
- };
- };
-
- appendHttpConfig = ''
-
- ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)}
-
- ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeServerBlock cfg.servers)}
-
- '';
- };
+ virtualHosts."${config.networking.hostName}" = {
+ enableACME = true;
+ forceSSL = true;
+ default = true;
+ };
+ };
 networking.firewall.allowedTCPPorts = [80 443];
- system.activationScripts.nginxdhparams =
- ''
- if ! [[ -e /etc/nginx/dhparam.pem ]]; then
- mkdir -p /etc/nginx/
- ${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
- fi
- # self-sign certs in case an invalid vhost is looked up
- dir=${cfg.no_vhost_keydir}
- mkdir -m 0700 -p $dir
- if !
[[ -e $dir/key.pem ]]; then
- ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
- ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
- -subj "/C=NL/CN=www.example.com"
- ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
- ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
- fi
- '';
+ system.activationScripts.nginxdhparams = ''
+ if ! [[ -e /etc/nginx/dhparam.pem ]]; then
+ mkdir -p /etc/nginx/
+ ${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
+ fi
+ '';
 };
-
 }
diff --git a/packages/luadbi.nix b/packages/luadbi.nix
deleted file mode 100644
index 7a5f1d0..0000000
--- a/packages/luadbi.nix
+++ /dev/null
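Review bot: `virtualHosts."${config.networking.hostName}"` is marked `default = true`, so any request whose Host header matches no configured vhost (IP-based scanning, stale DNS names) is now answered by the hostname vhost with its real ACME certificate, whereas the removed `"\"\""` catch-all served a throwaway self-signed certificate precisely for that case (`# self-sign certs in case an invalid vhost is looked up`). That is fine if the hostname vhost carries nothing sensitive, but it is a behaviour change the commit does not mention and deserves a comment on the `default = true;` line stating that unmatched names now land here. If the old separation is wanted, a dedicated catch-all with `default = true` and `extraConfig = "return 444;"` restores it without hand-rolled certificates. The `sslcfg` helper left at the top of the file is no longer referenced after this hunk.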
@@ -1,47 +0,0 @@
-{lib, fetchurl, lua, sqlite, luaPackages,
- libpsql ? null, libmysql ? null,
- withpsql ? false, withmysql ? false}:
-
-assert withpsql -> libpsql != null;
-assert withmysql -> libmysql != null;
-
-luaPackages.buildLuaPackage rec {
- version = "0.5";
- name = "luadbi-${version}";
- isLibrary = true;
- src = fetchurl {
- url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/luadbi/luadbi.${version}.tar.gz";
- sha256 = "07ikxgxgfpimnwf7zrqwcwma83ss3wm2nzjxpwv2a1c0vmc684a9";
- };
-
- propagatedBuildInputs = [ sqlite ]
- ++ (lib.optional withpsql [libpsql])
- ++ (lib.optional withmysql [libmysql]);
-
- unpackPhase = ''
- mkdir ./luadbi
- tar -xf $src -C ./luadbi
- sourceRoot=./luadbi
- chmod -R u+w "$sourceRoot";
- '';
-
- preBuild = with lib.optionalString; ''
- makeFlagsArray=(
- sqlite3
- ${lib.optionalString withpsql "psql"}
- ${lib.optionalString withmysql "mysql"}
- LUA_LDIR="$out/share/lua/${lua.luaversion}"
- LUA_INC="-I${lua}/include" LUA_CDIR="$out/lib/lua/${lua.luaversion}"
- )
- '';
-
- installPhase = ''
- mkdir -p $out/lib/lua/${lua.luaversion}
- install -p ./*.so DBI.lua $out/lib/lua/${lua.luaversion}
- '';
-
- meta = {
- homepage = "https://code.google.com/archive/p/luadbi/downloads";
- maintainers = [ "Yorick" ];
- };
-}
diff --git a/packages/yori-cc.nix b/packages/yori-cc.nix
index f118f68..725b9f1 100644
--- a/packages/yori-cc.nix
+++ b/packages/yori-cc.nix
@@ -1,4 +1,4 @@
-with import {};
+{ stdenv, callPackage }:
 let gogitget = callPackage ./gogitget.nix {}; in
diff --git a/physical/kassala.nix b/physical/kassala.nix
index fd492f4..e90671c 100644
--- a/physical/kassala.nix
+++ b/physical/kassala.nix
@@ -30,7 +30,7 @@ in
 usePredictableInterfaceNames = false; # only eth0
 interfaces.eth0 = {
 useDHCP = false;
- inherit (ipconf) ip4 ip6;
+ inherit (ipconf) ipv4 ipv6;
 };
 inherit (ipconf) nameservers;
 # ideally, it should add a route for this automatically
diff --git a/roles/asterisk.nix b/roles/asterisk.nix
deleted file mode 100644
index f54b0fc..0000000
--- a/roles/asterisk.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
- # todo: the prestart service copies to the wrong dir
- services.asterisk = {
- enable = true;
- #extraArguments = ["-vvvddd"];
- confFiles."logger.conf" = ''
- [general]
- [logfiles]
- syslog.local0 => notice,warning,error
- console => debug,notice,warning,error,verbose,dtmf,fax
- '';
- confFiles."extensions.conf" = ''
- [from-sim]
- exten => _X.,1,Verbose(Call from Limesco SIM [''${CALLERID(num)}] to [''${EXTEN}])
- same => n,Dial(SIP/speakup01/''${EXTEN})
-
- [from-speakup]
- ; Vervang ... door de rest van je DIY-nummer:
- exten => 31626972516,1,Verbose(Call from SpeakUp [''${CALLERID(num)}] to [''${EXTEN}])
- same => n,Dial(SIP/limesco/''${EXTEN})
- '';
- };
- environment.systemPackages = with pkgs; [
- asterisk
- ];
- #networking.firewall.allowedUDPPorts = [5060];
- #networking.firewall.allowedTCPPorts = [5060];
- networking.firewall.extraCommands = ''
- iptables -A nixos-fw -p udp -s 193.169.138.0/23 -j nixos-fw-accept
- iptables -A nixos-fw -p udp -s 91.232.130.0/24 -j nixos-fw-accept
- iptables -A nixos-fw -p udp -s 81.205.5.19 -j nixos-fw-accept
- iptables -A nixos-fw -p tcp -s 193.169.138.0/23 -j nixos-fw-accept
- iptables -A nixos-fw -p tcp -s 91.232.130.0/24 -j nixos-fw-accept
- iptables -A nixos-fw -p tcp -s 81.205.5.19 -j nixos-fw-accept
- '';
- # nixpkgs.config = {
- # packageOverrides = pkgs : {
- # asterisk = pkgs.asterisk.overrideDerivation (attrs: rec {
- # version = "13.11.2";
- # broken = false;
-
- # src = pkgs.fetchurl {
- # url = "http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-${version}.tar.gz";
- # sha256 = "0fjski1cpbxap1kcjg6sgd6c8qpxn8lb1sszpg6iz88vn4dh19vf";
- # };
- # });
- # };
- # };
-}
diff --git a/roles/common.nix b/roles/common.nix
index cf4aeb1..bd29e9d 100644
--- a/roles/common.nix
+++ b/roles/common.nix
@@ -1,10 +1,20 @@
 let secrets = import ; in
 { config, pkgs, lib, ...}:
+let
+ machine = with lib; head (splitString "." config.networking.hostName);
+in
 {
 imports = [
 ../roles/hardware.nix
 ../modules/tor-hidden-service.nix
+ ../modules/nginx.nix
+ ../roles/pub.nix
+ ../roles/quassel.nix
+ ../roles/gogs.nix
+ ../roles/mail.nix
+ ../roles/website.nix
+ ../roles/xmpp.nix
 ];
 time.timeZone = "Europe/Amsterdam";
 users.mutableUsers = false;
@@ -28,11 +38,6 @@ in
 nixpkgs.config.allowUnfree = true;
 nix.package = pkgs.nixUnstable;
-
- nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to];
- nix.binaryCachePublicKeys = [
- "hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g="
- ];
 nix.buildCores = config.nix.maxJobs;
 nix.extraOptions = ''
@@ -51,6 +56,9 @@ in
 services.tor = {
 enable = true;
 client.enable = true;
+ # ssh hidden service
+ hiddenServices.ssh.map = [{ port = 22; }];
+ service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key";
 };
 
 programs.ssh.extraConfig = ''
@@ -106,6 +114,5 @@ in
 ];
 nix.gc.automatic = true;
-
- security.acme.preliminarySelfsigned = true;
 }
diff --git a/roles/gogs.nix b/roles/gogs.nix
index 3dfc15e..e7c8a1e 100644
--- a/roles/gogs.nix
+++ b/roles/gogs.nix
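Review bot: `hiddenServices.ssh.map = [{ port = 22; }]` and `service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key"` now apply to every host that imports roles/common.nix, not only the four whose per-host definitions this commit deletes (ascanius, frumar, pennyworth, woodhouse); any other importer gets an SSH onion service it did not ask for and must have a key deployed at that path, which presumably blocks tor startup when absent. `machine`, defined in the first hunk as `head (splitString "." config.networking.hostName)`, aborts evaluation on an empty hostName with `head` of an empty list rather than a readable message. Document the contract next to the two lines, e.g. `# every common.nix host publishes SSH as an onion service; deploy its key to /run/keys/torkeys/ssh.<machine>.key`, or put them behind an opt-out option. The `services.tor` block is otherwise unchanged and continues past the hunk.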
@@ -1,57 +1,52 @@
 { config, pkgs, lib, ... }:
 let
- gitHome = "/var/gogs";
- gogsPort = 8001;
- domain = "git.yori.cc";
+ cfg = config.services.yorick.gogs;
 in
 {
- imports = [
- ../modules/nginx.nix
- ];
-
- users.extraUsers.git = { home = gitHome; extraGroups = [ "git" ]; useDefaultShell = true;};
- users.extraGroups.git = { };
- services.gogs = rec {
- enable = true;
- user = "git";
- group = "git";
- database.user = "root";
- stateDir = gitHome;
- repositoryRoot = "${stateDir}/gogs-repositories";
- rootUrl = "https://${domain}/";
- httpAddress = "localhost";
- httpPort = gogsPort;
- extraConfig = ''
- [service]
- REGISTER_EMAIL_CONFIRM = false
- ENABLE_NOTIFY_MAIL = false
- DISABLE_REGISTRATION = true
- REQUIRE_SIGNIN_VIEW = false
- [picture]
- DISABLE_GRAVATAR = false
- AVATAR_UPLOAD_PATH = ${gitHome}/data/avatars
- [mailer]
- ENABLED = false
- [session]
- PROVIDER = file
- [log]
- ROOT_PATH = ${gitHome}/logs
- MODE = file
- LEVEL = Info
- [server]
- DISABLE_ROUTER_LOG = true
- '';
- inherit domain;
+ options.services.yorick.gogs = with lib; {
+ enable = mkEnableOption "gogs";
+ dir = mkOption { type = types.string; default = "/var/gogs"; };
+ port = mkOption { type = types.int; default = 8001; };
+ vhost = mkOption { type = types.string; };
 };
- users.extraUsers.gogs.createHome = lib.mkForce false;
- services.nginx.virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString gogsPort}";
+ config = lib.mkIf cfg.enable {
+
+ users.extraUsers.git = { home = cfg.dir; extraGroups = [ "git" ]; useDefaultShell = true;};
+ users.extraGroups.git = { };
+ services.gogs = rec {
+ enable = true;
+ user = "git";
+ group = "git";
+ database.user = "root";
+ stateDir = cfg.dir;
+ repositoryRoot = "${stateDir}/gogs-repositories";
+ rootUrl = "https://${cfg.vhost}/";
+ httpAddress = "localhost";
+ httpPort = cfg.port;
 extraConfig = ''
- proxy_buffering off;
+ [service]
+ REGISTER_EMAIL_CONFIRM = false
+
ENABLE_NOTIFY_MAIL = false
+ DISABLE_REGISTRATION = true
+ REQUIRE_SIGNIN_VIEW = false
+ [picture]
+ DISABLE_GRAVATAR = false
+ AVATAR_UPLOAD_PATH = ${cfg.dir}/data/avatars
+ [mailer]
+ ENABLED = false
 '';
+ domain = cfg.vhost;
+ };
+ users.extraUsers.gogs.createHome = lib.mkForce false;
+ services.nginx.virtualHosts.${cfg.vhost} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
 };
 };
 }
diff --git a/roles/mail.nix b/roles/mail.nix
index 8dfd293..d2df22f 100644
--- a/roles/mail.nix
+++ b/roles/mail.nix
@@ -1,25 +1,27 @@
 { config, pkgs, lib, ... }:
-let secrets = import ;
-acmeKeyDir = "${config.security.acme.directory}/yori.cc";
+let
+cfg = config.services.yorick.mail;
 in
 {
 imports = [ ../modules/mailz.nix ../modules/backup.nix ];
- config = {
+ options.services.yorick.mail = with lib; {
+ enable = mkEnableOption "mail service";
+ mainUser = mkOption { type = types.string; };
+ users = mkOption {};
+ };
+ config = lib.mkIf cfg.enable {
 # email
- services.mailz = {
+ services.mailz = rec {
 domain = config.networking.hostName;
- keydir = acmeKeyDir;
- mainUser = "yorick";
- users = {
- yorick = with secrets; {
- password = yorick_mailPassword;
- domains = email_domains;
- };
- };
+ keydir = "${config.security.acme.directory}/${domain}";
+ inherit (cfg) mainUser users;
 };
+ security.acme.certs.${config.networking.hostName}.postRun = ''
+ systemctl reload dovecot2.service postfix.service
+ '';
 services.backup = {
 enable = true;
 backups = {
diff --git a/roles/pub.nix b/roles/pub.nix
index b15a46c..31d886c 100644
--- a/roles/pub.nix
+++ b/roles/pub.nix
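Review bot: `config = lib.mkIf cfg.enable { ... }` declares `services.nginx.virtualHosts.${cfg.vhost}` but never sets `services.nginx.enable`, and modules/nginx.nix in this same commit applies its configuration only when `config.services.nginx.enable` is true; a host that sets `services.yorick.gogs.enable = true` without enabling nginx separately (logical/frumar.nix happens to) would run gogs on `localhost:${cfg.port}` with no reverse proxy and no TLS front. Adding `services.nginx.enable = true;` inside the `mkIf` makes the role self-contained. The new options use `types.string`, which merges multiple definitions by silent concatenation; `types.str` rejects conflicting definitions and is the current spelling — the same applies to the new options in roles/mail.nix, roles/pub.nix, roles/website.nix and roles/xmpp.nix. The rewritten `extraConfig` also drops the old `[session] PROVIDER = file`, `[log]` and `[server] DISABLE_ROUTER_LOG` sections, a behaviour change worth a line in the commit message.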
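Review bot: `security.acme.certs.${config.networking.hostName}.postRun` and `keydir = "${config.security.acme.directory}/${domain}"` depend on a certificate for the hostname that nothing in this role requests; in this commit it is issued only by the default vhost in modules/nginx.nix, and only while `services.nginx.enable` is true. On a host without nginx this line creates a cert entry that has a postRun but no domain or webroot configuration, which depending on the NixOS release either fails evaluation or leaves dovecot and postfix pointing at a keydir that never appears. Make the dependency explicit with `services.nginx.enable = true;` inside the `mkIf` or an `assertions` entry, plus a comment such as `# TLS key material comes from the ACME cert requested by modules/nginx.nix's default vhost`. `users = mkOption {};` carries no type or description; `type = types.attrs;` at minimum would turn a forgotten definition into a readable error. The `services.backup` block continues past the hunk.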
@@ -1,14 +1,19 @@
 { config, pkgs, lib, ... }:
+let cfg = config.services.yorick.public; in
 {
+ options.services.yorick.public = {
+ enable = lib.mkEnableOption "public hosting";
+ vhost = lib.mkOption { type = lib.types.string; };
+ };
 #imports = [../modules/nginx.nix];
- config = {
+ config = lib.mkIf cfg.enable {
 users.extraUsers.public = {
 home = "/home/public";
 useDefaultShell = true;
 openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
 createHome = true;
 };
- services.nginx.virtualHosts."pub.yori.cc" = {
+ services.nginx.virtualHosts.${cfg.vhost} = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
diff --git a/roles/quassel.nix b/roles/quassel.nix
index b7e595e..87252e1 100644
--- a/roles/quassel.nix
+++ b/roles/quassel.nix
@@ -1,40 +1,45 @@
 {config, pkgs, lib, ...}:
 {
- containers.quassel = {
- config = { config, pkgs, ... }: {
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql94;
- extraConfig = ''
- max_connections = 10
- shared_buffers = 1GB
- effective_cache_size = 4GB
- work_mem = 50MB
- maintenance_work_mem = 100MB
- '';
+ options.services.yorick.quassel = {
+ enable = lib.mkEnableOption "quassel container";
+ };
+ config = {
+ containers.quassel = {
+ config = { config, pkgs, ... }: {
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql94;
+ extraConfig = ''
+ max_connections = 10
+ shared_buffers = 1GB
+ effective_cache_size = 4GB
+ work_mem = 50MB
+ maintenance_work_mem = 100MB
+ '';
+ };
+ services.quassel = {
+ # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
+ enable = true;
+ interfaces = ["0.0.0.0"];
+ };
+ environment.systemPackages = [
+ pkgs.quasselDaemon
+ ];
+ networking.firewall.allowedTCPPorts = [4242];
 };
- services.quassel = {
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
- enable = true;
- interfaces = ["0.0.0.0"];
- };
- environment.systemPackages = [
- pkgs.quasselDaemon
- ];
- networking.firewall.allowedTCPPorts = [4242];
+ privateNetwork = true;
+ hostAddress = "192.168.125.1";
+ localAddress = "192.168.125.11";
 };
- privateNetwork = true;
- hostAddress = "192.168.125.1";
- localAddress = "192.168.125.11";
+ # give the containers networking
+ networking.nat = {
+ enable = true;
+ internalInterfaces = ["ve-+"];
+ externalInterface = "enp2s0";
+ forwardPorts = [
+ { sourcePort = 4242; destination = "192.168.125.11:4242"; }
+ ];
+ };
+ networking.firewall.allowedTCPPorts = [4242];
 };
- # give the containers networking
- networking.nat = {
- enable = true;
- internalInterfaces = ["ve-+"];
- externalInterface = "enp2s0";
- forwardPorts = [
- { sourcePort = 4242; destination = "192.168.125.11:4242"; }
- ];
- };
-
networking.firewall.allowedTCPPorts = [4242];
 }
diff --git a/roles/website.nix b/roles/website.nix
index a63db4c..8657647 100644
--- a/roles/website.nix
+++ b/roles/website.nix
@@ -1,50 +1,25 @@
 { config, lib, pkgs, ... }:
 let
- secrets = import ;
- yoricc = import ../packages/yori-cc.nix;
- acmeWebRoot = "/etc/sslcerts/acmeroot";
- acmeKeyDir = "${config.security.acme.directory}/yori.cc";
+ yoricc = pkgs.callPackage ../packages/yori-cc.nix {};
+ cfg = config.services.yorick.website;
 in
+ with lib;
 {
- imports = [
- ../modules/nginx.nix
- ];
- # website + lets encrypt challenge hosting
- nginxssl = {
- enable = true;
- challenges."${config.networking.hostName}" = acmeWebRoot;
- servers."yori.cc" = {
- key_root = acmeKeyDir;
- key_webroot = acmeWebRoot;
- contents = ''
- location / {
- rewrite ^(.*) https://yorickvanpelt.nl$1 permanent;
- }
- '';
+ options.services.yorick = {
+ website = {
+ enable = mkEnableOption "yoricc website";
+ vhost = mkOption { type = types.string; };
+ pkg = mkOption { type = types.package; default = yoricc; };
 };
- servers."yorickvanpelt.nl" = {
- key_root = acmeKeyDir;
- key_webroot = acmeWebRoot;
- contents = ''
- location / {
- root ${yoricc}/web;
- }
- '';
+ redirect = mkOption { type = types.loaOf types.string; default = []; };
+ };
+ config.services.nginx.virtualHosts = with cfg; mkIf enable {
+ ${vhost} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".root = "${pkg}/web";
 };
 };
-
- # Let's Encrypt configuration.
- security.acme.certs."yori.cc" =
- { email = secrets.email;
- extraDomains = {
- "${config.networking.hostName}" = null;
- "yorickvanpelt.nl" = null;
- };
- webroot = acmeWebRoot;
- postRun = ''systemctl reload nginx.service dovecot2.service postfix.service
- systemctl restart prosody.service
- '';
- };
 }
diff --git a/roles/workstation.nix b/roles/workstation.nix
index b343443..391410a 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
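Review bot: The new `options.services.yorick.quassel.enable` is never consulted: `config = { containers.quassel = ...; networking.nat = ...; networking.firewall.allowedTCPPorts = [4242]; }` is unconditional, and because roles/common.nix now imports roles/quassel.nix everywhere, every host gets the quassel container, a NAT rule on `enp2s0`, a port-4242 forward and an open firewall port — including hosts that never set `quassel.enable = true` (logical/frumar.nix is the only one that does). roles/gogs.nix and roles/pub.nix in the same commit wrap their config in `lib.mkIf cfg.enable`, so this looks like an omission rather than a choice. The fix is one line: `config = lib.mkIf config.services.yorick.quassel.enable {`. `externalInterface = "enp2s0"` is also hard-coded for what is now a shared role and should probably become an option.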
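Review bot: `redirect = mkOption { type = types.loaOf types.string; default = []; }` is declared but nothing in the module reads it, so setting it has no effect; either wire it into `config.services.nginx.virtualHosts` or leave it out until it is used. The removed `security.acme.certs."yori.cc"` block carried `email = secrets.email`; the per-vhost `enableACME = true` that replaces it sets no ACME contact, so unless `security.acme.certs.<name>.email` is set outside this diff the CA has no address for expiry or revocation notices — worth a comment on `enableACME = true;` saying where the contact is configured, or a definition. The removed `postRun` that reloaded nginx, dovecot and postfix and restarted prosody is now split across roles/mail.nix and roles/xmpp.nix in this commit, which is the right place for it.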
@@ -17,7 +17,7 @@
 enable = true;
 drivers = [ pkgs.gutenprint ];
 };
- environment.systemPackages = [pkgs.ghostscript];
+ environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager];
 services.xserver.displayManager.sessionCommands = ''
 gpg-connect-agent /bye
 unset SSH_AGENT_PID
@@ -29,5 +29,5 @@
 # yubikey
 hardware.u2f.enable = true;
 services.pcscd.enable = true;
- environment.systemPackages = [pkgs.yubikey-manager];
+ #environment.systemPackages = [pkgs.yubikey-manager];
 }
diff --git a/roles/xmpp.nix b/roles/xmpp.nix
index c654637..7e80d85 100644
--- a/roles/xmpp.nix
+++ b/roles/xmpp.nix
@@ -1,56 +1,57 @@
 { config, lib, pkgs, ... }:
 let
- luadbi = pkgs.callPackage ../packages/luadbi.nix {};
- acmeKeyDir = "${config.security.acme.directory}/yori.cc";
+ acmeKeyDir = "${config.security.acme.directory}/${cfg.vhost}";
+ communityModules = [ "mam" "carbons" "smacks" ];
+ cfg = config.services.yorick.xmpp;
 in
 {
- # XMPP
- services.prosody = let
- # TODO: this should be in nixpkgs
- prosodyModules = pkgs.fetchhg {
- name = "prosody-modules-22042016";
- rev = "e0b8b8a50013";
- sha256 = "06qd46bmwjpzrygih91fv7z7g8z60kn0qyr7cf06a57a28117wdy";
- url = "https://hg.prosody.im/prosody-modules/";
- };
+ options.services.yorick.xmpp = with lib; {
+ enable = mkEnableOption "xmpp";
+ vhost = mkOption { type = types.string; };
+ admins = mkOption { type = types.listOf types.string; };
+ };
+ config = lib.mkIf cfg.enable {
+ # XMPP
+ services.prosody = let
 in {
- enable = true;
-
- allowRegistration = false;
- extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"];
- virtualHosts.yoricc = {
- enabled = true;
- domain = "yori.cc";
- ssl = {
- key = "/var/lib/prosody/keys/key.pem";
- cert = "/var/lib/prosody/keys/fullchain.pem";
+ enable = true;
+
+ allowRegistration = false;
+ extraModules = [ "private" "vcard" "privacy" "compression" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"] ++ communityModules;
+ virtualHosts.default = {
+ enabled = true;
+ domain = cfg.vhost;
+ ssl = {
+ key = "/var/lib/prosody/keys/key.pem";
+ cert = "/var/lib/prosody/keys/fullchain.pem";
+ };
+ };
+ # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
+ extraConfig = ''
+ use_libevent = true
+ s2s_require_encryption = true
+ c2s_require_encryption = true
+ archive_expires_after = "never"
+ storage = {
+ archive2 = "sql";
+ }
+ '';
+ inherit (cfg) admins;
+ package = pkgs.prosody.override {
+ withZlib = true; withDBI = true;
+ withCommunityModules = communityModules;
 };
 };
- # TODO: Component "chat.yori.cc" "muc" # also proxy65 and pubsub?
- extraConfig = ''
- plugin_paths = { "${prosodyModules}" }
- use_libevent = true
- s2s_require_encryption = true
- c2s_require_encryption = true
- archive_expires_after = "never"
- storage = {
- archive2 = "sql";
- }
- '';
-
- admins = [ "yorick@yori.cc"];
- };
- nixpkgs.config.packageOverrides = pkgs:
- # FIXME: ugly hacks!
- { prosody = pkgs.prosody.override { withZlib = true; luazlib = luadbi; };
- };
- systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
- systemd.services.prosody.preStart = ''
+ systemd.services.prosody.serviceConfig.PermissionsStartOnly = true;
+ systemd.services.prosody.preStart = ''
 mkdir -m 0700 -p /var/lib/prosody/keys
 cp ${acmeKeyDir}/key.pem ${acmeKeyDir}/fullchain.pem /var/lib/prosody/keys
 chown -R prosody:prosody /var/lib/prosody
- '';
- networking.firewall.allowedTCPPorts = [5222 5269];
-
+ '';
+ networking.firewall.allowedTCPPorts = [5222 5269];
+ security.acme.certs.${cfg.vhost}.postRun = ''
+ systemctl restart prosody.service
+ '';
+ };
 }
diff --git a/secrets.nix b/secrets.nix
index f1a7853..32c7ebf 100644
Binary files a/secrets.nix and b/secrets.nix differ
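Review bot: The rewritten prosody `extraConfig` keeps `s2s_require_encryption = true` but does not set `s2s_secure_auth`, so encrypted-but-unauthenticated server-to-server connections are still accepted; if the federation partners allow it, `s2s_secure_auth = true` is the usual complement, and either way a comment recording the chosen s2s trust level would help. `acmeKeyDir` now resolves to `${config.security.acme.directory}/${cfg.vhost}` and the preStart copies that key into `/var/lib/prosody/keys`, yet nothing in this role requests the certificate — it exists only if some nginx vhost named `cfg.vhost` elsewhere sets `enableACME = true` (logical/pennyworth.nix does so via its `"yori.cc"` redirect), so an `assertions` entry or a comment `# certificate is requested by the nginx vhost of the same name; this role only consumes it` would make the dependency explicit. `storage = { archive2 = "sql"; }` selects an SQL backend without visible SQL settings, which presumably relies on prosody defaults; worth confirming now that the luadbi override is gone.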