diff options
Diffstat (limited to '')
27 files changed, 605 insertions, 8 deletions
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index 0d3bd82..3c923d8 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -3,12 +3,16 @@ imports = [ ./mods/acme.nix ./mods/etebase-server.nix - ./mods/keycloak.nix + ./mods/fail2ban.nix ./mods/mail.nix + ./mods/mastodon.nix ./mods/matrix.nix ./mods/minecraft.nix + ./mods/murmur.nix ./mods/nix-sync.nix ./mods/openssh.nix + ./mods/postgresql.nix + ./mods/taskserver.nix ./mods/users.nix ]; diff --git a/system/impermanence/mods/mastodon.nix b/system/impermanence/mods/mastodon.nix new file mode 100644 index 0000000..a5bdbfd --- /dev/null +++ b/system/impermanence/mods/mastodon.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/mastodon"; + user = "mastodon"; + group = "mastodon"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/matrix.nix b/system/impermanence/mods/matrix.nix index 7f02609..3af6530 100644 --- a/system/impermanence/mods/matrix.nix +++ b/system/impermanence/mods/matrix.nix @@ -6,6 +6,12 @@ group = "matrix-synapse"; mode = "0700"; } + { + directory = "/var/lib/mautrix-whatsapp"; + user = "mautrix-whatsapp"; + group = "matrix-synapse"; + mode = "0750"; + } ]; systemd.tmpfiles.rules = [ "d /etc/matrix 0755 matrix-synapse matrix-synapse" diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix new file mode 100644 index 0000000..48912e1 --- /dev/null +++ b/system/impermanence/mods/murmur.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/murmur"; + user = "murmur"; + group = "murmur"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/keycloak.nix b/system/impermanence/mods/postgresql.nix index 63b02f5..63b02f5 100644 --- a/system/impermanence/mods/keycloak.nix +++ b/system/impermanence/mods/postgresql.nix diff --git a/system/impermanence/mods/taskserver.nix b/system/impermanence/mods/taskserver.nix new file mode 100644 index 0000000..9208aa4 --- /dev/null +++ b/system/impermanence/mods/taskserver.nix @@ -0,0 +1,5 @@ +{...}: { + environment.persistence."/srv".directories = [ + "/var/lib/taskserver" + ]; +} diff --git a/system/secrets/default.nix b/system/secrets/default.nix index dcff9ca..1e3ce84 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -18,6 +18,23 @@ mode = "700"; owner = "etebase-server"; group = "etebase-server"; + invidiousHmac = { + file = ./invidious/hmac.tix; + mode = "700"; + owner = "root"; + group = "root"; + }; + minifluxAdmin = { + file = ./miniflux/admin.tix; + mode = "700"; + owner = "root"; + group = "root"; + }; + mastodonMail = { + file = ./mastodon/mail.tix; + mode = "700"; + owner = "mastodon"; + group = "mastodon"; }; }; }; diff --git a/system/secrets/invidious/hmac.tix b/system/secrets/invidious/hmac.tix new file mode 100644 index 0000000..f760fa9 --- /dev/null +++ b/system/secrets/invidious/hmac.tix @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds +dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t +dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ +bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw +ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv +T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa +aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv +S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t +LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc +N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx +aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ== +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/mastodon/mail.tix b/system/secrets/mastodon/mail.tix new file mode 100644 index 0000000..c64a2e7 --- /dev/null +++ b/system/secrets/mastodon/mail.tix @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqT05Uc2hrcFAwd1c5S1o0 +L3hhQURmdUVBbmxSYVFGczdGWThTck9VdkhRCktOZ1JSamN0Ly9pVXJDMDZ4Y0VZ +bmRyMTlaOU9HOEZ5SitzOVovUkhCNFUKLT4gWDI1NTE5IHlqUTFtODd6QXpNMFBY +WTY2cTJ2TFI5S0ZGc1doeEVEUi9veGRDKzN5UWsKUC9WZUtXVUs5cnkxL3Y5RlJs +RTRkNE5zQ0NtbG0vdStuZXZVUzFoeTBwNAotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +Um1qczl3YTM0S3dIb3AzQmpSNVNNUXFzMFNLNEEwQllOSUkrMHNzVy9uMApTdjhz +U250NGNpdk5SbWhPNjhjWWM0aWovRCt0MjR3M29JSTZjLy9IbTAwCi0+IEwtZ3Jl +YXNlIEp6KCk4by1jIF0Kd2xoKytCU3d3MGFxZmRmS2gxSDJiVFp1L3hOS2hJVEtz +NlFHWHhnRW5SNTZRMFFFRUJrVXo2blZvNlZTSXNqeQpVbWFLUmVHN1ptWGdLMkJT +RVJuUWxTVE4vcDhsCi0tLSA5ckxpdFhrQWErb2NkcXlWaHR6WmVndVppbjRIQ3cw +VjAxdTlnTEdmTkVrCou6/oezocFtYn7QDWLFzknFPlD5d1xBFutng6dvazWasZXD +qecouKvAmFFA4mQHUjbmD2QxWdorU7SyYpEPeTJ4rbOuayySkYPxUoo8gqvd7JkS +0VCavUuSb8nmfk24E3M= +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/miniflux/admin.tix b/system/secrets/miniflux/admin.tix new file mode 100644 index 0000000..6b34ab0 --- /dev/null +++ b/system/secrets/miniflux/admin.tix @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0ZHJ3V0E3bjVLYUd5N2gx +eE15dlBldWt1ZGpBcGc3ZWcwMTNKSTcxR0Y0Cm03dEgxYzdhYjYvWFNNUVdtR3E1 +dW1lMlE3R3dlcUZ1Qm1GMElPQU8xYmMKLT4gWDI1NTE5IFJrc28wZzhWQ3RoeFFK +WFlTSmVzRGMzamxrQ0NSUG9KVWxSajJsQ1BablEKS0tFb096djZOdUJIVTdaSndH +b1ZMT3ZCZGVkaWMvU0hPSFhsMkY3RzBkNAotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +SWdGV1pSYzY3bWxadWJZeXVmTXBHeGpMTTYyak1IbE9jTjZQS3dwRXozUQo1UFlT +am9WNzh1TytMNTFsNjM4amh0N2JDdkxjYk9GL285UWUrZHV5L3p3Ci0+IEkqMS1n +cmVhc2UgZV4KRFlYWlRyNDFtZlJWcS9vZ1hiUkJxdE9saHpTTWQ3TitMc1N0UXBE +eWZ5SQotLS0gRzE4bmpSTWpjUnlHUlNHTTNWSjNNL0d3VFFpVFdOaVlMUERmRHNt +d2k3WQqd+49pa75kfJffbdCOmNvPLUN7N+d+lI4lXlPTyLWTNnM8qaVz+BAhMH40 +ri9BTHHtg4ql7bXZWXZt/CiBLUOuv+yKckm4u51vjOwyHwUjaMYF4bfXS+rChsQV +BL+XWihQZ5wNsUh1PRHMy3mrF1XSYROa4ApK/i5Sgm271cvBMI4C4G+oux0/wvkL +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index 9e52383..29904ab 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -13,4 +13,8 @@ in { "keycloak/passwd.tix".publicKeys = allSecrets; "matrix-synapse/passwd.tix".publicKeys = allSecrets; "etebase-server/passwd.tix".publicKeys = allSecrets; + "invidious/hmac.tix".publicKeys = allSecrets; + "invidious/settings.tix".publicKeys = allSecrets; + "miniflux/admin.tix".publicKeys = allSecrets; + "mastodon/mail.tix".publicKeys = allSecrets; } diff --git a/system/services/default.nix b/system/services/default.nix index 1b459f7..e269dbc 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -2,14 +2,21 @@ imports = [ ./etebase ./fail2ban + ./invidious ./keycloak + ./libreddit ./mail + ./mastodon ./matrix ./minecraft + ./miniflux + ./murmur ./nginx ./nix ./nix-sync ./openssh ./rust-motd + ./snapper + ./taskserver ]; } diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix new file mode 100644 index 0000000..a1d202c --- /dev/null +++ b/system/services/invidious/default.nix @@ -0,0 +1,48 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.services.invidious; +in { + services.invidious = { + enable = true; + database = { + createLocally = true; + }; + domain = "invidious.vhack.eu"; + nginx.enable = true; + extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac"; + + settings = { + check_tables = true; + }; + }; + systemd.services.invidious.serviceConfig = { + LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}"; + + ExecStart = let + # taken from the invidious module + settingsFormat = pkgs.formats.json {}; + settingsFile = settingsFormat.generate "invidious-settings" cfg.settings; + + jqFilter = + "." + + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\"" + + " | .[0]" + + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]"; + + # don't escape extraSettingsFile, to allow variable substitution + jqFiles = + settingsFile + + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\""; + in + lib.mkForce (pkgs.writeScript "start-invidious" '' + #! ${pkgs.dash}/bin/dash + + export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})" + exec ${cfg.package}/bin/invidious + ''); + }; +} diff --git a/system/services/libreddit/default.nix b/system/services/libreddit/default.nix new file mode 100644 index 0000000..e4ab893 --- /dev/null +++ b/system/services/libreddit/default.nix @@ -0,0 +1,23 @@ +{ + config, + lib, + ... +}: let + domain = "libreddit.vhack.eu"; +in { + services.libreddit = { + enable = true; + address = "127.0.0.1"; + openFirewall = false; + }; + + services.nginx = { + enable = true; + virtualHosts.${domain} = { + locations."/".proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; + + enableACME = lib.mkDefault true; + forceSSL = lib.mkDefault true; + }; + }; +} diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix index 60f41a9..2104a8a 100644 --- a/system/services/mail/users.nix +++ b/system/services/mail/users.nix Binary files differdiff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix new file mode 100644 index 0000000..39a0f56 --- /dev/null +++ b/system/services/mastodon/default.nix @@ -0,0 +1,54 @@ +{config, ...}: let + emailAddress = "mastodon@vhack.eu"; +in { + services.mastodon = { + enable = true; + localDomain = "vhack.eu"; + smtp = { + authenticate = true; + createLocally = false; + fromAddress = emailAddress; + user = emailAddress; + host = "server1.vhack.eu"; + passwordFile = config.age.secrets.mastodonMail.path; + }; + extraConfig = { + WEB_DOMAIN = "mastodon.vhack.eu"; + EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li"; + }; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; # required for redirections to work + virtualHosts = { + ${config.services.mastodon.extraConfig.WEB_DOMAIN} = { + root = "${config.services.mastodon.package}/public/"; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = true; + enableACME = true; + + locations = { + "/system/".alias = "/var/lib/mastodon/public-system/"; + "/".tryFiles = "$uri @proxy"; + "@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + "/api/v1/streaming/" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; + }; + }; + + "vhack.eu" = { + locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri"; + }; + }; + }; + + users.groups.${config.services.mastodon.group}.members = [ + config.services.nginx.user + ]; +} diff --git a/system/services/matrix/bridges/mautrix-whatsapp.nix b/system/services/matrix/bridges/mautrix-whatsapp.nix new file mode 100644 index 0000000..1c68af9 --- /dev/null +++ b/system/services/matrix/bridges/mautrix-whatsapp.nix @@ -0,0 +1,149 @@ +# TAKEN FROM: https://raw.githubusercontent.com/Vskilet/nixpkgs/mautrix-whatsapp2/nixos/modules/services/matrix/mautrix-whatsapp.nix +{ + lib, + config, + pkgs, + ... +}: +with lib; let + cfg = config.services.mautrix-whatsapp; + dataDir = "/var/lib/mautrix-whatsapp"; + settingsFormat = pkgs.formats.json {}; + + registrationFile = "${dataDir}/whatsapp-registration.yaml"; + settingsFile = settingsFormat.generate "config.json" cfg.settings; + + startupScript = '' + ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token + | .[0].appservice.hs_token = .[1].hs_token + | .[0]' ${settingsFile} ${registrationFile} \ + > ${dataDir}/config.yml + + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --config='${dataDir}/config.yml' \ + --registration='${registrationFile}' + ''; +in { + options.services.mautrix-whatsapp = { + enable = mkEnableOption "Mautrix-whatsapp, a puppeting bridge between Matrix and WhatsApp."; + + settings = mkOption rec { + apply = recursiveUpdate default; + inherit (settingsFormat) type; + + description = lib.mdDoc '' + {file}`config.yaml` configuration as a Nix attribute set. + Configuration options should match those described in + [example-config.yaml](https://github.com/mautrix/whatsapp/blob/master/example-config.yaml). + ''; + default = { + homeserver = { + domain = config.services.matrix-synapse.settings.server_name; + }; + appservice = { + address = "http://localhost:29318"; + hostname = "0.0.0.0"; + port = 29318; + database = { + type = "sqlite3"; + uri = "${dataDir}/mautrix-whatsapp.db"; + }; + id = "whatsapp"; + bot = { + username = "whatsappbot"; + displayname = "WhatsApp Bot"; + }; + as_token = ""; + hs_token = ""; + }; + bridge = { + username_template = "whatsapp_{{.}}"; + displayname_template = "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}"; + command_prefix = "!wa"; + permissions."*" = "relay"; + }; + relay = { + enabled = true; + management = "!whatsappbot:${toString config.services.matrix-synapse.settings.server_name}"; + }; + logging = { + directory = "${dataDir}/logs"; + file_name_format = "{{.Date}}-{{.Index}}.log"; + file_date_format = "2006-01-02"; + file_mode = 0384; + timestamp_format = "Jan _2, 2006 15:04:05"; + print_level = "info"; + }; + }; + example = { + settings = { + homeserver.address = "https://matrix.myhomeserver.org"; + bridge.permissions = { + "@admin:myhomeserver.org" = "admin"; + }; + }; + }; + }; + + serviceDependencies = mkOption { + type = with types; listOf str; + default = optional config.services.matrix-synapse.enable "matrix-synapse.service"; + defaultText = literalExpression '' + optional config.services.matrix-synapse.enable "matrix-synapse.service" + ''; + description = lib.mdDoc '' + List of Systemd services to require and wait for when starting the application service. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.mautrix-whatsapp = { + description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix"; + + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"] ++ cfg.serviceDependencies; + after = ["network-online.target"] ++ cfg.serviceDependencies; + + preStart = '' + # generate the appservice's registration file if absent + if [ ! -f '${registrationFile}' ]; then + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --generate-registration \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + fi + chmod 640 ${registrationFile} + ''; + + script = startupScript; + + serviceConfig = { + Type = "simple"; + #DynamicUser = true; + PrivateTmp = true; + StateDirectory = baseNameOf dataDir; + WorkingDirectory = "${dataDir}"; + + ProtectSystem = "strict"; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + User = "mautrix-whatsapp"; + Group = "matrix-synapse"; + SupplementaryGroups = "matrix-synapse"; + UMask = 0027; + Restart = "always"; + }; + }; + + users.groups.mautrix-whatsapp = {}; + users.users.mautrix-whatsapp = { + isSystemUser = true; + group = "mautrix-whatsapp"; + home = dataDir; + }; + services.matrix-synapse.settings.app_service_config_files = ["${registrationFile}"]; + }; +} diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix index 62345a7..ed3b567 100644 --- a/system/services/matrix/default.nix +++ b/system/services/matrix/default.nix @@ -12,15 +12,27 @@ return 200 '${builtins.toJSON data}'; ''; in { + imports = [ + ./bridges/mautrix-whatsapp.nix + ]; + networking.firewall.allowedTCPPorts = [80 443]; services.postgresql.enable = true; services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' + --Matrix: CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; + + --Whatsapp-bridge: + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; ''; services.nginx = { @@ -52,6 +64,29 @@ in { }; }; + services.mautrix-whatsapp = { + enable = true; + settings = { + appservice = { + database = { + type = "postgres"; + uri = "postgres:///mautrix-whatsapp?host=/run/postgresql"; + }; + whatsapp = { + # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list. + # This also determints the whatsapp icon + browser_name = "unknown"; + }; + }; + homeserver.address = "https://matrix.vhack.eu"; + bridge.permissions = { + "@soispha:vhack.eu" = "admin"; + "@sils:vhack.eu" = "admin"; + "@nightingale:vhack.eu" = "admin"; + }; + }; + }; + services.matrix-synapse = { enable = true; dataDir = "/var/lib/matrix"; diff --git a/system/services/miniflux/default.nix b/system/services/miniflux/default.nix new file mode 100644 index 0000000..516a9b2 --- /dev/null +++ b/system/services/miniflux/default.nix @@ -0,0 +1,19 @@ +{config, ...}: { + services.miniflux = { + enable = true; + config = { + LISTEN_ADDR = "127.0.0.1:5892"; + }; + adminCredentialsFile = config.age.secrets.minifluxAdmin.path; + }; + + services.nginx = { + enable = true; + virtualHosts."rss.vhack.eu" = { + locations."/".proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}"; + + enableACME = true; + forceSSL = true; + }; + }; +} diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix new file mode 100644 index 0000000..1dcd781 --- /dev/null +++ b/system/services/murmur/default.nix @@ -0,0 +1,41 @@ +{...}: let + murmurStore = "/var/lib/murmur"; +in { + services.murmur = { + enable = true; + openFirewall = true; + welcometext = '' + <b>You never get a second chance to make a first impression</b><br> + + The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here! + ''; + sslKey = "${murmurStore}/key.pem"; + sslCert = "${murmurStore}/fullchain.pem"; + + registerUrl = "vhack.eu"; + registerName = "vhack"; + registerHostname = "mumble.vhack.eu"; + hostName = "mumble.vhack.eu"; + clientCertRequired = true; + bandwidth = 7200000; + }; + + security.acme.certs.murmur = { + domain = "mumble.vhack.eu"; + postRun = + /* + bash + */ + '' + set -x + rm "${murmurStore}/key.pem" + rm "${murmurStore}/fullchain.pem" + + cp key.pem "${murmurStore}"; + cp fullchain.pem "${murmurStore}"; + + chown murmur:murmur "${murmurStore}/key.pem" + chown murmur:murmur "${murmurStore}/fullchain.pem" + ''; + }; +} diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix index 404c167..8544475 100644 --- a/system/services/nginx/default.nix +++ b/system/services/nginx/default.nix @@ -1,7 +1,33 @@ -{...}: { - imports = [ - ./hosts.nix - ]; +{...}: let + domains = import ./hosts.nix {}; + mkVirtHost = { + domain, + root, + url, + }: { + name = "${domain}"; + value = { + forceSSL = true; + enableACME = true; + root = "${root}"; + }; + }; + + mkNixSyncRepository = { + domain, + root, + url, + }: { + name = "${domain}"; + value = { + path = "${root}"; + uri = "${url}"; + }; + }; + + virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains); + nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains); +in { security.acme = { acceptTerms = true; defaults = { @@ -15,5 +41,11 @@ }; services.nginx = { enable = true; + virtualHosts = virtHosts; + }; + + services.nix-sync = { + enable = true; + repositories = nixSyncRepositories; }; } diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix index 1590756..3abd841 100644 --- a/system/services/nginx/hosts.nix +++ b/system/services/nginx/hosts.nix Binary files differdiff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix index 44348c0..8c466b8 100644 --- a/system/services/nix-sync/default.nix +++ b/system/services/nix-sync/default.nix @@ -10,7 +10,7 @@ description = "Nix sync ${name} timer"; wantedBy = ["timers.target"]; timerConfig = { - OnActiveSec = repo.interval; + OnUnitActiveSec = repo.interval; }; after = ["network-online.target"]; }; @@ -37,7 +37,7 @@ branch="$(git rev-parse @)"; if ! [ "$origin" = "$branch" ]; then - git pull; + git pull --rebase; out_paths=$(mktemp); nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths"; @@ -66,7 +66,7 @@ if ! [ -L ${esa repo.path} ]; then cd ${esa repoCachePath}; - git pull; + git pull --rebase; out_paths=$(mktemp); nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths"; @@ -88,6 +88,7 @@ preStart = execStartPreScript; serviceConfig = { + TimeoutSec = 0; ExecStart = execStartScript; Restart = "on-abort"; # User and group diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix index bd562ec..ec5fe5d 100644 --- a/system/services/nix/default.nix +++ b/system/services/nix/default.nix @@ -13,6 +13,10 @@ settings = { auto-optimise-store = true; experimental-features = ["nix-command" "flakes"]; + trusted-users = [ + "root" + "@wheel" + ]; }; }; } diff --git a/system/services/snapper/default.nix b/system/services/snapper/default.nix new file mode 100644 index 0000000..cdebf8d --- /dev/null +++ b/system/services/snapper/default.nix @@ -0,0 +1,41 @@ +{...}: { + services.snapper = { + configs = { + srv = { + SUBVOLUME = "/srv"; + FSTYPE = "btrfs"; + # users and groups allowed to work with config + ALLOW_GROUPS = ["wheel"]; + + # sync users and groups from ALLOW_USERS and ALLOW_GROUPS to .snapshots + # directory + SYNC_ACL = true; + + # run daily number cleanup + NUMBER_CLEANUP = false; + + # limit for number cleanup + NUMBER_MIN_AGE = 1800; + NUMBER_LIMIT = 50; + NUMBER_LIMIT_IMPORTANT = 10; + + # create hourly snapshots + TIMELINE_CREATE = true; + + # cleanup hourly snapshots after some time + TIMELINE_CLEANUP = true; + + # limits for timeline cleanup + TIMELINE_MIN_AGE = 1800; + TIMELINE_LIMIT_HOURLY = 7; + TIMELINE_LIMIT_DAILY = 3; + TIMELINE_LIMIT_WEEKLY = 2; + TIMELINE_LIMIT_MONTHLY = 2; + TIMELINE_LIMIT_YEARLY = 2; + + # cleanup empty pre-post-pairs + EMPTY_PRE_POST_CLEANUP = true; + }; + }; + }; +} diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix new file mode 100644 index 0000000..517da5d --- /dev/null +++ b/system/services/taskserver/default.nix @@ -0,0 +1,30 @@ +{...}: { + services.taskserver = { + enable = true; + pki.auto = { + expiration = { + server = 365; + crl = 365; + client = 365; + ca = 365; + }; + bits = 4096; + }; + organisations = { + vhack = { + users = [ + "soispha" + ]; + }; + soispha = { + users = [ + "soispha" + ]; + }; + }; + trust = "strict"; + openFirewall = true; + fqdn = "taskserver.vhack.eu"; + listenHost = "taskserver.vhack.eu"; + }; +} diff --git a/system/users/default.nix b/system/users/default.nix index 822c94b..06020a6 100644 --- a/system/users/default.nix +++ b/system/users/default.nix @@ -48,6 +48,20 @@ openssh.authorizedKeys.keys = [ ]; }; + nixremote = { + name = "nixremote"; + isNormalUser = true; + createHome = true; + home = "/home/nixremote"; + uid = 1003; + group = "nixremote"; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbSWqFzb+WTq2JVoRGoTkCkP7AM3bNY91bsUBeoQQc8gKAWuqCrpAOmr2Q2QMaTTGEOM0CsWfWLs3ZYtynHmc7wIFc4T/sUloV+dB9oSCmOk5ePxtj8+gpPK35Ja+ug5zmXsaI4s+n9mEbuuEjn33MxDYCUzAI+aWvWe68u/j+FM3u9c3Ta009rotajjSZ/cmIltgNLsG1rnAZRpwmLVg5UL4cb9um54o/NLYFd2KAekQFVbwUQDzzqriZhWmzkfhnznBMDblf9R1xvZ18Lqv3JF21shdaR43NW1wtuntBvAdsVYK2VUEbj+3MxTkK0aQ/E9SHMtH8MRE4oxU74TeTWfIhuSZk9/wekzSNMkHP3ReFC6B9xCMYa+ZqaTaGSWLQi78AQDeM2F9rAfp3hQzyRa7T7qKlgbae/hEb07xZglqmG7eml9vPSt4AHv5Y176Q95NiiWduGoLQOmjvSBMU9/KEGrGKyLfGH1Wa2EOfPxKKcvcHW0Xi9PlPiuP0nYk= root@thinklappi" + ]; + }; + }; + groups.nixremote = { + gid = 1004; }; }; } |