diff options
Diffstat (limited to '')
30 files changed, 805 insertions, 33 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 41fb768..a90b456 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,174 @@ All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - - - +## v0.15.0 - 2023-10-13 +#### Bug Fixes +- **(system/services/mastodon)** remove unneccessary stringcasts - (cfdd2e3) - sils +- **(system/services/mastodon)** change string to list of string - (478437b) - sils +- **(system/services/mastodon)** add nginx to group 'mastodon' - (1ddfb65) - sils +- **(system/services/mastodon)** allow registration only with vhack.eu/sils.li mail - (bd82494) - sils +- **(system/services/mastodon)** separate domains for user handles and webinterface - (cb49aa5) - sils +- **(system/services/mastodon)** correct age secret path - (b8f786b) - sils +#### Build system +- **(flake)** update - (d4fbb49) - sils +#### Features +- **(system/services)** actually import mastodon - (927fc16) - sils +- **(treewide)** add mastodon - (631e9c0) - sils + +- - - + +## v0.14.0 - 2023-10-11 +#### Features +- **(system/services/nix)** add wheel group to trusted-users - (52ae495) - sils + +- - - + +## v0.13.0 - 2023-10-03 +#### Bug Fixes +- **(system/services/murmur)** Allow murmur's user to read certs - (c154fa3) - Soispha +#### Features +- **(system/services/murmur)** Initialize - (a3c3166) - Soispha +#### Miscellaneous Chores +- **(version)** v0.12.0 - (5b1220b) - Soispha + +- - - + +## v0.12.0 - 2023-10-03 +#### Bug Fixes +- **(system/services/murmur)** Allow murmur's user to read certs - (c37bf3d) - Soispha +#### Build system +- **(flake)** update - (f3eeef8) - sils +#### Features +- **(system/services/murmur)** Init - (beb53b0) - Soispha + +- - - + +## v0.11.0 - 2023-10-03 +#### Bug Fixes +- **(system/services/miniflux)** Reduce password length - (ca1e354) - Soispha +- **(system/services/miniflux)** Correctly specify secret path - (b4944b1) - Soispha +#### Features +- **(system/services/miniflux)** Init - (932c45d) - Soispha + +- - - + +## v0.10.0 - 2023-10-02 +#### Bug Fixes +- **(system/services/nginx)** Update hosts - (2aa1c16) - Soispha +- **(system/services/taskserver)** Use strict certificate validation - (17f6a00) - Soispha +- **(system/services/taskserver)** Specify domain to listen on - (18624e4) - Soispha +#### Build system +- **(flake)** Update - (327e8bf) - Soispha +- **(flake)** update - (0a877a1) - sils +- **(flake)** update - (ec43442) - sils +- **(flake)** Update - (a4c1e69) - Soispha +#### Features +- **(system/services/taskserver)** Init - (cd75ff6) - Soispha + +- - - + +## v0.9.0 - 2023-08-18 +#### Bug Fixes +- **(system)** Binary substitution for debugging - (9685791) - sils +- **(system/secrets)** Tell (r)agenix new location of invidious hmac secret - (95b7f9d) - sils +- **(system/secrets)** make invidious settings readable for invidious - (c31ce7f) - sils +- **(system/secrets/invidious)** Change formatting of invidiousSettings - (38c2bb6) - sils +- **(system/service/invidious)** Copy their script, to remove shell escape - (542bb5d) - Soispha +- **(system/services/invidious)** Add interpreter to start script - (08eb773) - Soispha +- **(system/services/invidious)** Force the new script option to be applied - (df87e1d) - Soispha +- **(system/services/invidious)** Set correct access permissions on hmac - (c525e36) - Soispha +- **(system/services/invidious)** Check tables on startup - (b39d800) - Soispha +- **(system/services/invidious)** Quote attr names in json config - (b6d9d96) - Soispha +- **(system/services/invidious)** Specifiy database host - (704232e) - sils +- **(system/services/libreddit)** Don't open firewall - (f0a9852) - Soispha +- **(system/services/libreddit)** Actually proxy services via nginx - (097d566) - Soispha +#### Build system +- **(flake)** Update - (46dfce2) - Soispha +#### Features +- **(system)** Add invidious - (3175754) - sils +- **(system/services/libreddit)** Init - (7428d69) - Soispha +#### Miscellaneous Chores +- **(Changelog)** Delete branch specific changelogs - (112606a) - Soispha +- **(Merge)** Branch 'invidious' - (e33c36f) - Soispha +- **(version)** v0.9.0 - (74e2c16) - sils +- **(version)** v0.8.0 - (03ce680) - Soispha +- **(version)** v0.8.0 - (d9ac400) - Soispha +#### Refactoring +- **(system/secrets/invidious)** Remove unneeded files and improve names - (320cc25) - Soispha +- **(system/secrets/secrets.nix)** Remove redundant secretlist - (e1f0250) - sils + +- - - + +## v0.9.0 - 2023-08-13 +#### Bug Fixes +- **(system)** Binary substitution for debugging - (9685791) - sils +- **(system/secrets)** Tell (r)agenix new location of invidious hmac secret - (95b7f9d) - sils +- **(system/secrets)** make invidious settings readable for invidious - (c31ce7f) - sils +- **(system/secrets/invidious)** Change formatting of invidiousSettings - (38c2bb6) - sils +- **(system/service/invidious)** Copy their script, to remove shell escape - (542bb5d) - Soispha +- **(system/services/invidious)** Add interpreter to start script - (08eb773) - Soispha +- **(system/services/invidious)** Force the new script option to be applied - (df87e1d) - Soispha +- **(system/services/invidious)** Set correct access permissions on hmac - (c525e36) - Soispha +- **(system/services/invidious)** Check tables on startup - (b39d800) - Soispha +- **(system/services/invidious)** Quote attr names in json config - (b6d9d96) - Soispha +- **(system/services/invidious)** Specifiy database host - (704232e) - sils +#### Features +- **(system)** Add invidious - (3175754) - sils +#### Miscellaneous Chores +- **(Merge)** Branch 'invidious' - (e33c36f) - Soispha +- **(version)** v0.8.0 - (03ce680) - Soispha +- **(version)** v0.8.0 - (d9ac400) - Soispha +#### Refactoring +- **(system/secrets/invidious)** Remove unneeded files and improve names - (320cc25) - Soispha +- **(system/secrets/secrets.nix)** Remove redundant secretlist - (e1f0250) - sils + +- - - +## v0.8.0 - 2023-08-11 +#### Features +- **(system/services/snapper)** Add - (1256cab) - Soispha + +- - - +## v0.7.0 - 2023-08-04 +#### Bug Fixes +- **(system/services/nix-sync)** Remove timeout on build - (dfb847a) - Soispha +- **(system/services/nix-sync)** Rebase on pulls, to allow for force pushes - (8d9ef95) - Soispha +- **(system/services/nix-sync)** Make the timer relative to the unit start - (18aa0c5) - Soispha +- **(system/users)** declare nixremote as normal user - (e326476) - sils +#### Build system +- **(flake)** Update - (7e153ea) - Soispha +#### Features +- **(system/services/nginx/hosts)** Add another domain - (81bf112) - Soispha +- **(system/users)** Add nixremote - (6e2578e) - sils + +- - - + +## v0.6.0 - 2023-07-28 +#### Bug Fixes +- **(treewide)** Use correct function argument specification - (8350b2e) - Soispha +#### Features +- **(system/services/mail/users)** Add mailusers - (a3eed53) - Soispha +#### Refactoring +- **(system/services/nginx)** Reduce encrypted stuff to a minimum - (2b766df) - Soispha + +- - - + +## v0.5.1 - 2023-07-28 +#### Bug Fixes +- **(system/services/mail)** Update mail users - (fe5da03) - sils + +- - - + +## v0.5.0 - 2023-07-27 +#### Bug Fixes +- **(system/impermanence)** Keycloak was actually postgresql - (595ab5c) - Soispha +- **(system/mail)** Add User - (8423cea) - sils +- **(system/services/matrix/bridges/m-wa)** Use own database - (911c3a1) - Soispha +- **(system/services/matrix/bridges/m-wa)** Correct postgresql uri - (30c0434) - Soispha +#### Features +- **(system/services/matrix/bridges)** Add mautrix-whatsapp bridge - (7fe499e) - Soispha + +- - - + ## v0.4.1 - 2023-07-25 #### Bug Fixes - **(system/services/mail)** Add new user - (e03e490) - sils @@ -222,4 +390,4 @@ All notable changes to this project will be documented in this file. See [conven - - - -Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). \ No newline at end of file +Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). diff --git a/flake.lock b/flake.lock index bc45c24..298efde 100644 --- a/flake.lock +++ b/flake.lock @@ -9,11 +9,11 @@ ] }, "locked": { - "lastModified": 1690228878, - "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", + "lastModified": 1696775529, + "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", "owner": "ryantm", "repo": "agenix", - "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", + "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", "type": "github" }, "original": { @@ -54,11 +54,11 @@ ] }, "locked": { - "lastModified": 1688772518, - "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=", + "lastModified": 1696384830, + "narHash": "sha256-j8ZsVqzmj5sOm5MW9cqwQJUZELFFwOislDmqDDEMl6k=", "owner": "ipetkov", "repo": "crane", - "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e", + "rev": "f2143cd27f8bd09ee4f0121336c65015a2a0a19c", "type": "github" }, "original": { @@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1690278259, - "narHash": "sha256-0Ujy0ZD1Yg5+QDaEnk4TeYhIZ6AckRORrXLGsAEhFKE=", + "lastModified": 1696814493, + "narHash": "sha256-1qArVsJGG2RHbV2iKFpAmM5os3myvwpXMOdFy5nh54M=", "owner": "nix-community", "repo": "disko", - "rev": "5b19fb2e74df312751cecbf0f668217eb59d9170", + "rev": "32ce057c183506cecb0b84950e4eaf39f37e8c75", "type": "github" }, "original": { @@ -112,11 +112,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -132,11 +132,11 @@ ] }, "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "impermanence": { "locked": { - "lastModified": 1684264534, - "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=", + "lastModified": 1694622745, + "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=", "owner": "nix-community", "repo": "impermanence", - "rev": "89253fb1518063556edd5e54509c30ac3089d5e6", + "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e", "type": "github" }, "original": { @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690231403, - "narHash": "sha256-R9IcQpnzarV34znupG9Bq3PCRamswvZW0BMXLqkh5cw=", + "lastModified": 1696954215, + "narHash": "sha256-AFnALq/MZs0vRKwjGpS27maCMRcXr04lzi+BI7ZIoDw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0108b255ea1ea0e230a664f375c8bde1644bcc18", + "rev": "0927ba648bbbdff18356c292edcfefbb4e1a143d", "type": "github" }, "original": { @@ -284,11 +284,11 @@ ] }, "locked": { - "lastModified": 1690252178, - "narHash": "sha256-9oEz822bvbHobfCUjJLDor2BqW3I5tycIauzDlzOALY=", + "lastModified": 1696990596, + "narHash": "sha256-Yyb4o7/qNGB+oig3978ehzRrJf/zjfCOEB/g7ZF3//E=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "8d64353ca827002fb8459e44d49116c78d868eba", + "rev": "c6d2f0bbd56fc833a7c1973f422ca92a507d0320", "type": "github" }, "original": { diff --git a/notes/taskserver.md b/notes/taskserver.md new file mode 100644 index 0000000..36aeff0 --- /dev/null +++ b/notes/taskserver.md @@ -0,0 +1,7 @@ +# User export +Use +```bash +nixos-taskserver user export my-company alice +# or via ssh +ssh $server nixos-taskserver user export my-company alice #| sh +``` diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index 0d3bd82..3c923d8 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -3,12 +3,16 @@ imports = [ ./mods/acme.nix ./mods/etebase-server.nix - ./mods/keycloak.nix + ./mods/fail2ban.nix ./mods/mail.nix + ./mods/mastodon.nix ./mods/matrix.nix ./mods/minecraft.nix + ./mods/murmur.nix ./mods/nix-sync.nix ./mods/openssh.nix + ./mods/postgresql.nix + ./mods/taskserver.nix ./mods/users.nix ]; diff --git a/system/impermanence/mods/mastodon.nix b/system/impermanence/mods/mastodon.nix new file mode 100644 index 0000000..a5bdbfd --- /dev/null +++ b/system/impermanence/mods/mastodon.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/mastodon"; + user = "mastodon"; + group = "mastodon"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/matrix.nix b/system/impermanence/mods/matrix.nix index 7f02609..3af6530 100644 --- a/system/impermanence/mods/matrix.nix +++ b/system/impermanence/mods/matrix.nix @@ -6,6 +6,12 @@ group = "matrix-synapse"; mode = "0700"; } + { + directory = "/var/lib/mautrix-whatsapp"; + user = "mautrix-whatsapp"; + group = "matrix-synapse"; + mode = "0750"; + } ]; systemd.tmpfiles.rules = [ "d /etc/matrix 0755 matrix-synapse matrix-synapse" diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix new file mode 100644 index 0000000..48912e1 --- /dev/null +++ b/system/impermanence/mods/murmur.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/murmur"; + user = "murmur"; + group = "murmur"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/keycloak.nix b/system/impermanence/mods/postgresql.nix index 63b02f5..63b02f5 100644 --- a/system/impermanence/mods/keycloak.nix +++ b/system/impermanence/mods/postgresql.nix diff --git a/system/impermanence/mods/taskserver.nix b/system/impermanence/mods/taskserver.nix new file mode 100644 index 0000000..9208aa4 --- /dev/null +++ b/system/impermanence/mods/taskserver.nix @@ -0,0 +1,5 @@ +{...}: { + environment.persistence."/srv".directories = [ + "/var/lib/taskserver" + ]; +} diff --git a/system/secrets/default.nix b/system/secrets/default.nix index dcff9ca..1e3ce84 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -18,6 +18,23 @@ mode = "700"; owner = "etebase-server"; group = "etebase-server"; + invidiousHmac = { + file = ./invidious/hmac.tix; + mode = "700"; + owner = "root"; + group = "root"; + }; + minifluxAdmin = { + file = ./miniflux/admin.tix; + mode = "700"; + owner = "root"; + group = "root"; + }; + mastodonMail = { + file = ./mastodon/mail.tix; + mode = "700"; + owner = "mastodon"; + group = "mastodon"; }; }; }; diff --git a/system/secrets/invidious/hmac.tix b/system/secrets/invidious/hmac.tix new file mode 100644 index 0000000..f760fa9 --- /dev/null +++ b/system/secrets/invidious/hmac.tix @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds +dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t +dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ +bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw +ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv +T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa +aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv +S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t +LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc +N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx +aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ== +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/mastodon/mail.tix b/system/secrets/mastodon/mail.tix new file mode 100644 index 0000000..c64a2e7 --- /dev/null +++ b/system/secrets/mastodon/mail.tix @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqT05Uc2hrcFAwd1c5S1o0 +L3hhQURmdUVBbmxSYVFGczdGWThTck9VdkhRCktOZ1JSamN0Ly9pVXJDMDZ4Y0VZ +bmRyMTlaOU9HOEZ5SitzOVovUkhCNFUKLT4gWDI1NTE5IHlqUTFtODd6QXpNMFBY +WTY2cTJ2TFI5S0ZGc1doeEVEUi9veGRDKzN5UWsKUC9WZUtXVUs5cnkxL3Y5RlJs +RTRkNE5zQ0NtbG0vdStuZXZVUzFoeTBwNAotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +Um1qczl3YTM0S3dIb3AzQmpSNVNNUXFzMFNLNEEwQllOSUkrMHNzVy9uMApTdjhz +U250NGNpdk5SbWhPNjhjWWM0aWovRCt0MjR3M29JSTZjLy9IbTAwCi0+IEwtZ3Jl +YXNlIEp6KCk4by1jIF0Kd2xoKytCU3d3MGFxZmRmS2gxSDJiVFp1L3hOS2hJVEtz +NlFHWHhnRW5SNTZRMFFFRUJrVXo2blZvNlZTSXNqeQpVbWFLUmVHN1ptWGdLMkJT +RVJuUWxTVE4vcDhsCi0tLSA5ckxpdFhrQWErb2NkcXlWaHR6WmVndVppbjRIQ3cw +VjAxdTlnTEdmTkVrCou6/oezocFtYn7QDWLFzknFPlD5d1xBFutng6dvazWasZXD +qecouKvAmFFA4mQHUjbmD2QxWdorU7SyYpEPeTJ4rbOuayySkYPxUoo8gqvd7JkS +0VCavUuSb8nmfk24E3M= +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/miniflux/admin.tix b/system/secrets/miniflux/admin.tix new file mode 100644 index 0000000..6b34ab0 --- /dev/null +++ b/system/secrets/miniflux/admin.tix @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0ZHJ3V0E3bjVLYUd5N2gx +eE15dlBldWt1ZGpBcGc3ZWcwMTNKSTcxR0Y0Cm03dEgxYzdhYjYvWFNNUVdtR3E1 +dW1lMlE3R3dlcUZ1Qm1GMElPQU8xYmMKLT4gWDI1NTE5IFJrc28wZzhWQ3RoeFFK +WFlTSmVzRGMzamxrQ0NSUG9KVWxSajJsQ1BablEKS0tFb096djZOdUJIVTdaSndH +b1ZMT3ZCZGVkaWMvU0hPSFhsMkY3RzBkNAotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +SWdGV1pSYzY3bWxadWJZeXVmTXBHeGpMTTYyak1IbE9jTjZQS3dwRXozUQo1UFlT +am9WNzh1TytMNTFsNjM4amh0N2JDdkxjYk9GL285UWUrZHV5L3p3Ci0+IEkqMS1n +cmVhc2UgZV4KRFlYWlRyNDFtZlJWcS9vZ1hiUkJxdE9saHpTTWQ3TitMc1N0UXBE +eWZ5SQotLS0gRzE4bmpSTWpjUnlHUlNHTTNWSjNNL0d3VFFpVFdOaVlMUERmRHNt +d2k3WQqd+49pa75kfJffbdCOmNvPLUN7N+d+lI4lXlPTyLWTNnM8qaVz+BAhMH40 +ri9BTHHtg4ql7bXZWXZt/CiBLUOuv+yKckm4u51vjOwyHwUjaMYF4bfXS+rChsQV +BL+XWihQZ5wNsUh1PRHMy3mrF1XSYROa4ApK/i5Sgm271cvBMI4C4G+oux0/wvkL +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index 9e52383..29904ab 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -13,4 +13,8 @@ in { "keycloak/passwd.tix".publicKeys = allSecrets; "matrix-synapse/passwd.tix".publicKeys = allSecrets; "etebase-server/passwd.tix".publicKeys = allSecrets; + "invidious/hmac.tix".publicKeys = allSecrets; + "invidious/settings.tix".publicKeys = allSecrets; + "miniflux/admin.tix".publicKeys = allSecrets; + "mastodon/mail.tix".publicKeys = allSecrets; } diff --git a/system/services/default.nix b/system/services/default.nix index 1b459f7..e269dbc 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -2,14 +2,21 @@ imports = [ ./etebase ./fail2ban + ./invidious ./keycloak + ./libreddit ./mail + ./mastodon ./matrix ./minecraft + ./miniflux + ./murmur ./nginx ./nix ./nix-sync ./openssh ./rust-motd + ./snapper + ./taskserver ]; } diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix new file mode 100644 index 0000000..a1d202c --- /dev/null +++ b/system/services/invidious/default.nix @@ -0,0 +1,48 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.services.invidious; +in { + services.invidious = { + enable = true; + database = { + createLocally = true; + }; + domain = "invidious.vhack.eu"; + nginx.enable = true; + extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac"; + + settings = { + check_tables = true; + }; + }; + systemd.services.invidious.serviceConfig = { + LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}"; + + ExecStart = let + # taken from the invidious module + settingsFormat = pkgs.formats.json {}; + settingsFile = settingsFormat.generate "invidious-settings" cfg.settings; + + jqFilter = + "." + + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\"" + + " | .[0]" + + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]"; + + # don't escape extraSettingsFile, to allow variable substitution + jqFiles = + settingsFile + + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\""; + in + lib.mkForce (pkgs.writeScript "start-invidious" '' + #! ${pkgs.dash}/bin/dash + + export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})" + exec ${cfg.package}/bin/invidious + ''); + }; +} diff --git a/system/services/libreddit/default.nix b/system/services/libreddit/default.nix new file mode 100644 index 0000000..e4ab893 --- /dev/null +++ b/system/services/libreddit/default.nix @@ -0,0 +1,23 @@ +{ + config, + lib, + ... +}: let + domain = "libreddit.vhack.eu"; +in { + services.libreddit = { + enable = true; + address = "127.0.0.1"; + openFirewall = false; + }; + + services.nginx = { + enable = true; + virtualHosts.${domain} = { + locations."/".proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; + + enableACME = lib.mkDefault true; + forceSSL = lib.mkDefault true; + }; + }; +} diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix index 60f41a9..2104a8a 100644 --- a/system/services/mail/users.nix +++ b/system/services/mail/users.nix Binary files differdiff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix new file mode 100644 index 0000000..39a0f56 --- /dev/null +++ b/system/services/mastodon/default.nix @@ -0,0 +1,54 @@ +{config, ...}: let + emailAddress = "mastodon@vhack.eu"; +in { + services.mastodon = { + enable = true; + localDomain = "vhack.eu"; + smtp = { + authenticate = true; + createLocally = false; + fromAddress = emailAddress; + user = emailAddress; + host = "server1.vhack.eu"; + passwordFile = config.age.secrets.mastodonMail.path; + }; + extraConfig = { + WEB_DOMAIN = "mastodon.vhack.eu"; + EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li"; + }; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; # required for redirections to work + virtualHosts = { + ${config.services.mastodon.extraConfig.WEB_DOMAIN} = { + root = "${config.services.mastodon.package}/public/"; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = true; + enableACME = true; + + locations = { + "/system/".alias = "/var/lib/mastodon/public-system/"; + "/".tryFiles = "$uri @proxy"; + "@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + "/api/v1/streaming/" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; + }; + }; + + "vhack.eu" = { + locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri"; + }; + }; + }; + + users.groups.${config.services.mastodon.group}.members = [ + config.services.nginx.user + ]; +} diff --git a/system/services/matrix/bridges/mautrix-whatsapp.nix b/system/services/matrix/bridges/mautrix-whatsapp.nix new file mode 100644 index 0000000..1c68af9 --- /dev/null +++ b/system/services/matrix/bridges/mautrix-whatsapp.nix @@ -0,0 +1,149 @@ +# TAKEN FROM: https://raw.githubusercontent.com/Vskilet/nixpkgs/mautrix-whatsapp2/nixos/modules/services/matrix/mautrix-whatsapp.nix +{ + lib, + config, + pkgs, + ... +}: +with lib; let + cfg = config.services.mautrix-whatsapp; + dataDir = "/var/lib/mautrix-whatsapp"; + settingsFormat = pkgs.formats.json {}; + + registrationFile = "${dataDir}/whatsapp-registration.yaml"; + settingsFile = settingsFormat.generate "config.json" cfg.settings; + + startupScript = '' + ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token + | .[0].appservice.hs_token = .[1].hs_token + | .[0]' ${settingsFile} ${registrationFile} \ + > ${dataDir}/config.yml + + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --config='${dataDir}/config.yml' \ + --registration='${registrationFile}' + ''; +in { + options.services.mautrix-whatsapp = { + enable = mkEnableOption "Mautrix-whatsapp, a puppeting bridge between Matrix and WhatsApp."; + + settings = mkOption rec { + apply = recursiveUpdate default; + inherit (settingsFormat) type; + + description = lib.mdDoc '' + {file}`config.yaml` configuration as a Nix attribute set. + Configuration options should match those described in + [example-config.yaml](https://github.com/mautrix/whatsapp/blob/master/example-config.yaml). + ''; + default = { + homeserver = { + domain = config.services.matrix-synapse.settings.server_name; + }; + appservice = { + address = "http://localhost:29318"; + hostname = "0.0.0.0"; + port = 29318; + database = { + type = "sqlite3"; + uri = "${dataDir}/mautrix-whatsapp.db"; + }; + id = "whatsapp"; + bot = { + username = "whatsappbot"; + displayname = "WhatsApp Bot"; + }; + as_token = ""; + hs_token = ""; + }; + bridge = { + username_template = "whatsapp_{{.}}"; + displayname_template = "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}"; + command_prefix = "!wa"; + permissions."*" = "relay"; + }; + relay = { + enabled = true; + management = "!whatsappbot:${toString config.services.matrix-synapse.settings.server_name}"; + }; + logging = { + directory = "${dataDir}/logs"; + file_name_format = "{{.Date}}-{{.Index}}.log"; + file_date_format = "2006-01-02"; + file_mode = 0384; + timestamp_format = "Jan _2, 2006 15:04:05"; + print_level = "info"; + }; + }; + example = { + settings = { + homeserver.address = "https://matrix.myhomeserver.org"; + bridge.permissions = { + "@admin:myhomeserver.org" = "admin"; + }; + }; + }; + }; + + serviceDependencies = mkOption { + type = with types; listOf str; + default = optional config.services.matrix-synapse.enable "matrix-synapse.service"; + defaultText = literalExpression '' + optional config.services.matrix-synapse.enable "matrix-synapse.service" + ''; + description = lib.mdDoc '' + List of Systemd services to require and wait for when starting the application service. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.mautrix-whatsapp = { + description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix"; + + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"] ++ cfg.serviceDependencies; + after = ["network-online.target"] ++ cfg.serviceDependencies; + + preStart = '' + # generate the appservice's registration file if absent + if [ ! -f '${registrationFile}' ]; then + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --generate-registration \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + fi + chmod 640 ${registrationFile} + ''; + + script = startupScript; + + serviceConfig = { + Type = "simple"; + #DynamicUser = true; + PrivateTmp = true; + StateDirectory = baseNameOf dataDir; + WorkingDirectory = "${dataDir}"; + + ProtectSystem = "strict"; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + User = "mautrix-whatsapp"; + Group = "matrix-synapse"; + SupplementaryGroups = "matrix-synapse"; + UMask = 0027; + Restart = "always"; + }; + }; + + users.groups.mautrix-whatsapp = {}; + users.users.mautrix-whatsapp = { + isSystemUser = true; + group = "mautrix-whatsapp"; + home = dataDir; + }; + services.matrix-synapse.settings.app_service_config_files = ["${registrationFile}"]; + }; +} diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix index 62345a7..ed3b567 100644 --- a/system/services/matrix/default.nix +++ b/system/services/matrix/default.nix @@ -12,15 +12,27 @@ return 200 '${builtins.toJSON data}'; ''; in { + imports = [ + ./bridges/mautrix-whatsapp.nix + ]; + networking.firewall.allowedTCPPorts = [80 443]; services.postgresql.enable = true; services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' + --Matrix: CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; + + --Whatsapp-bridge: + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; ''; services.nginx = { @@ -52,6 +64,29 @@ in { }; }; + services.mautrix-whatsapp = { + enable = true; + settings = { + appservice = { + database = { + type = "postgres"; + uri = "postgres:///mautrix-whatsapp?host=/run/postgresql"; + }; + whatsapp = { + # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list. + # This also determints the whatsapp icon + browser_name = "unknown"; + }; + }; + homeserver.address = "https://matrix.vhack.eu"; + bridge.permissions = { + "@soispha:vhack.eu" = "admin"; + "@sils:vhack.eu" = "admin"; + "@nightingale:vhack.eu" = "admin"; + }; + }; + }; + services.matrix-synapse = { enable = true; dataDir = "/var/lib/matrix"; diff --git a/system/services/miniflux/default.nix b/system/services/miniflux/default.nix new file mode 100644 index 0000000..516a9b2 --- /dev/null +++ b/system/services/miniflux/default.nix @@ -0,0 +1,19 @@ +{config, ...}: { + services.miniflux = { + enable = true; + config = { + LISTEN_ADDR = "127.0.0.1:5892"; + }; + adminCredentialsFile = config.age.secrets.minifluxAdmin.path; + }; + + services.nginx = { + enable = true; + virtualHosts."rss.vhack.eu" = { + locations."/".proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}"; + + enableACME = true; + forceSSL = true; + }; + }; +} diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix new file mode 100644 index 0000000..1dcd781 --- /dev/null +++ b/system/services/murmur/default.nix @@ -0,0 +1,41 @@ +{...}: let + murmurStore = "/var/lib/murmur"; +in { + services.murmur = { + enable = true; + openFirewall = true; + welcometext = '' + <b>You never get a second chance to make a first impression</b><br> + + The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here! + ''; + sslKey = "${murmurStore}/key.pem"; + sslCert = "${murmurStore}/fullchain.pem"; + + registerUrl = "vhack.eu"; + registerName = "vhack"; + registerHostname = "mumble.vhack.eu"; + hostName = "mumble.vhack.eu"; + clientCertRequired = true; + bandwidth = 7200000; + }; + + security.acme.certs.murmur = { + domain = "mumble.vhack.eu"; + postRun = + /* + bash + */ + '' + set -x + rm "${murmurStore}/key.pem" + rm "${murmurStore}/fullchain.pem" + + cp key.pem "${murmurStore}"; + cp fullchain.pem "${murmurStore}"; + + chown murmur:murmur "${murmurStore}/key.pem" + chown murmur:murmur "${murmurStore}/fullchain.pem" + ''; + }; +} diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix index 404c167..8544475 100644 --- a/system/services/nginx/default.nix +++ b/system/services/nginx/default.nix @@ -1,7 +1,33 @@ -{...}: { - imports = [ - ./hosts.nix - ]; +{...}: let + domains = import ./hosts.nix {}; + mkVirtHost = { + domain, + root, + url, + }: { + name = "${domain}"; + value = { + forceSSL = true; + enableACME = true; + root = "${root}"; + }; + }; + + mkNixSyncRepository = { + domain, + root, + url, + }: { + name = "${domain}"; + value = { + path = "${root}"; + uri = "${url}"; + }; + }; + + virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains); + nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains); +in { security.acme = { acceptTerms = true; defaults = { @@ -15,5 +41,11 @@ }; services.nginx = { enable = true; + virtualHosts = virtHosts; + }; + + services.nix-sync = { + enable = true; + repositories = nixSyncRepositories; }; } diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix index 1590756..3abd841 100644 --- a/system/services/nginx/hosts.nix +++ b/system/services/nginx/hosts.nix Binary files differdiff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix index 44348c0..8c466b8 100644 --- a/system/services/nix-sync/default.nix +++ b/system/services/nix-sync/default.nix @@ -10,7 +10,7 @@ description = "Nix sync ${name} timer"; wantedBy = ["timers.target"]; timerConfig = { - OnActiveSec = repo.interval; + OnUnitActiveSec = repo.interval; }; after = ["network-online.target"]; }; @@ -37,7 +37,7 @@ branch="$(git rev-parse @)"; if ! [ "$origin" = "$branch" ]; then - git pull; + git pull --rebase; out_paths=$(mktemp); nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths"; @@ -66,7 +66,7 @@ if ! [ -L ${esa repo.path} ]; then cd ${esa repoCachePath}; - git pull; + git pull --rebase; out_paths=$(mktemp); nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths"; @@ -88,6 +88,7 @@ preStart = execStartPreScript; serviceConfig = { + TimeoutSec = 0; ExecStart = execStartScript; Restart = "on-abort"; # User and group diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix index bd562ec..ec5fe5d 100644 --- a/system/services/nix/default.nix +++ b/system/services/nix/default.nix @@ -13,6 +13,10 @@ settings = { auto-optimise-store = true; experimental-features = ["nix-command" "flakes"]; + trusted-users = [ + "root" + "@wheel" + ]; }; }; } diff --git a/system/services/snapper/default.nix b/system/services/snapper/default.nix new file mode 100644 index 0000000..cdebf8d --- /dev/null +++ b/system/services/snapper/default.nix @@ -0,0 +1,41 @@ +{...}: { + services.snapper = { + configs = { + srv = { + SUBVOLUME = "/srv"; + FSTYPE = "btrfs"; + # users and groups allowed to work with config + ALLOW_GROUPS = ["wheel"]; + + # sync users and groups from ALLOW_USERS and ALLOW_GROUPS to .snapshots + # directory + SYNC_ACL = true; + + # run daily number cleanup + NUMBER_CLEANUP = false; + + # limit for number cleanup + NUMBER_MIN_AGE = 1800; + NUMBER_LIMIT = 50; + NUMBER_LIMIT_IMPORTANT = 10; + + # create hourly snapshots + TIMELINE_CREATE = true; + + # cleanup hourly snapshots after some time + TIMELINE_CLEANUP = true; + + # limits for timeline cleanup + TIMELINE_MIN_AGE = 1800; + TIMELINE_LIMIT_HOURLY = 7; + TIMELINE_LIMIT_DAILY = 3; + TIMELINE_LIMIT_WEEKLY = 2; + TIMELINE_LIMIT_MONTHLY = 2; + TIMELINE_LIMIT_YEARLY = 2; + + # cleanup empty pre-post-pairs + EMPTY_PRE_POST_CLEANUP = true; + }; + }; + }; +} diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix new file mode 100644 index 0000000..517da5d --- /dev/null +++ b/system/services/taskserver/default.nix @@ -0,0 +1,30 @@ +{...}: { + services.taskserver = { + enable = true; + pki.auto = { + expiration = { + server = 365; + crl = 365; + client = 365; + ca = 365; + }; + bits = 4096; + }; + organisations = { + vhack = { + users = [ + "soispha" + ]; + }; + soispha = { + users = [ + "soispha" + ]; + }; + }; + trust = "strict"; + openFirewall = true; + fqdn = "taskserver.vhack.eu"; + listenHost = "taskserver.vhack.eu"; + }; +} diff --git a/system/users/default.nix b/system/users/default.nix index 822c94b..06020a6 100644 --- a/system/users/default.nix +++ b/system/users/default.nix @@ -48,6 +48,20 @@ openssh.authorizedKeys.keys = [ ]; }; + nixremote = { + name = "nixremote"; + isNormalUser = true; + createHome = true; + home = "/home/nixremote"; + uid = 1003; + group = "nixremote"; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbSWqFzb+WTq2JVoRGoTkCkP7AM3bNY91bsUBeoQQc8gKAWuqCrpAOmr2Q2QMaTTGEOM0CsWfWLs3ZYtynHmc7wIFc4T/sUloV+dB9oSCmOk5ePxtj8+gpPK35Ja+ug5zmXsaI4s+n9mEbuuEjn33MxDYCUzAI+aWvWe68u/j+FM3u9c3Ta009rotajjSZ/cmIltgNLsG1rnAZRpwmLVg5UL4cb9um54o/NLYFd2KAekQFVbwUQDzzqriZhWmzkfhnznBMDblf9R1xvZ18Lqv3JF21shdaR43NW1wtuntBvAdsVYK2VUEbj+3MxTkK0aQ/E9SHMtH8MRE4oxU74TeTWfIhuSZk9/wekzSNMkHP3ReFC6B9xCMYa+ZqaTaGSWLQi78AQDeM2F9rAfp3hQzyRa7T7qKlgbae/hEb07xZglqmG7eml9vPSt4AHv5Y176Q95NiiWduGoLQOmjvSBMU9/KEGrGKyLfGH1Wa2EOfPxKKcvcHW0Xi9PlPiuP0nYk= root@thinklappi" + ]; + }; + }; + groups.nixremote = { + gid = 1004; }; }; } |