rouven.seifert/nixos-config
1
1
Fork 0
mirror of https://git.sr.ht/~rouven/nixos-config synced 2024-11-15 13:23:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: rouven.seifert:7372df381da013798d08241a664397bd5837dbba
Branches Tags
rouven.seifert:main
rouven.seifert:push-vxnoqsltyuxy
..
compare: rouven.seifert:7811c95ecf2d4ac28207bd2b9fdc7fa6d7010ac6
Branches Tags
rouven.seifert:main
rouven.seifert:push-vxnoqsltyuxy

No commits in common. "7372df381da013798d08241a664397bd5837dbba" and "7811c95ecf2d4ac28207bd2b9fdc7fa6d7010ac6" have entirely different histories.
7372df381d ... 7811c95ecf

13 changed files with 121 additions and 76 deletions
Show stats Expand all files Collapse all files

30
flake.lock
View file

@ -312,11 +312,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716457508, "lastModified": 1715930644,
"narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=", "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "850cb322046ef1a268449cf1ceda5fd24d930b05", "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -460,11 +460,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716170277, "lastModified": 1715483403,
"narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=", "narHash": "sha256-WMDuQj7J5jbpXI/X/E6FZRKgBFGcaSTvYyVxPnKE6KU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "e0638db3db43b582512a7de8c0f8363a162842b9", "rev": "f9027322f48b427da23746aa359a6510dfcd0228",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -475,11 +475,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1716330097, "lastModified": 1715787315,
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=", "narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2", "rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -639,11 +639,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716449531, "lastModified": 1712775102,
"narHash": "sha256-T/BycXsf5MZM+uqemM2/CzaZSjInKrjJc8MOOAOLKiw=", "narHash": "sha256-kQF0HpU4Bis+Q1gE+OUJk1T3UJgDwTZc9rCDHRam9h4=",
"owner": "~rouven", "owner": "~rouven",
"repo": "purge", "repo": "purge",
"rev": "4b8353adb065c41d4ca6debba011eb8c1561ce80", "rev": "2959391aa4a1438b3f27669c6930feec58171eab",
"type": "sourcehut" "type": "sourcehut"
}, },
"original": { "original": {
@ -783,11 +783,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716450661, "lastModified": 1712701713,
"narHash": "sha256-4D4Hbe0+ilkaLEux6oBI/kUIUBqCRnUtf5Oln4kTOEE=", "narHash": "sha256-q++FP8VC5TTQrUa+0l2TQKmafZpDy1L3rzUynFaAn/4=",
"owner": "~rouven", "owner": "~rouven",
"repo": "trucksimulator", "repo": "trucksimulator",
"rev": "43b44df053d484099dedc96784941f6a019f7b39", "rev": "af43589e9a0ae0f868a4eff3c738201ed1041788",
"type": "sourcehut" "type": "sourcehut"
}, },
"original": { "original": {

2
hosts/falkenstein/default.nix
View file

@ -5,12 +5,12 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./modules/backup ./modules/backup
./modules/caddy
./modules/logging ./modules/logging
./modules/dns ./modules/dns
./modules/fail2ban ./modules/fail2ban
./modules/mail ./modules/mail
./modules/networks ./modules/networks
./modules/nginx
./modules/pfersel ./modules/pfersel
./modules/purge ./modules/purge
./modules/trucksimulatorbot ./modules/trucksimulatorbot

33
hosts/falkenstein/modules/caddy/default.nix
View file

@ -1,33 +0,0 @@
{ config, ... }:
let
# matrix homeserver discovery
matrix_domain = "matrix.${config.networking.domain}";
serverConfig = {
"m.server" = "${matrix_domain}:443";
};
clientConfig = {
"m.homeserver" = {
base_url = "https://${matrix_domain}";
# server_name = config.networking.domain;
};
"org.matrix.msc3575.proxy" = {
url = "https://${matrix_domain}";
};
};
in
{
services.caddy = {
enable = true;
email = "ca@${config.networking.domain}";
logFormat = "format console";
virtualHosts."${config.networking.domain}".extraConfig = ''
file_server browse
root * /srv/web/${config.networking.domain}
respond /.well-known/matrix/client ${builtins.toJSON clientConfig}
respond /.well-known/matrix/server ${builtins.toJSON serverConfig}
'';
};
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
}

4
hosts/falkenstein/modules/dns/default.nix
View file

@ -36,7 +36,9 @@ let
subdomains = subdomains =
let let
getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.caddy.virtualHosts); getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.caddy.virtualHosts);
getVirtualHostsNginx = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.nginx.virtualHosts);
genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; }); genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
genCNAMEsNginx = hostname: lib.attrsets.genAttrs (getVirtualHostsNginx hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
in in
lib.attrsets.mergeAttrsList [ lib.attrsets.mergeAttrsList [
rec { rec {
@ -54,7 +56,9 @@ let
} }
(genCNAMEs "nuc") (genCNAMEs "nuc")
(genCNAMEsNginx "nuc")
(builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ]) (builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ])
(builtins.removeAttrs (genCNAMEsNginx "falkenstein") [ "mail" ])
]; ];
}); });
in in

6
hosts/falkenstein/modules/logging/default.nix
View file

@ -19,11 +19,15 @@
weekly weekly
rotate 156 rotate 156
} }
"/var/log/caddy/*.log" { "/var/log/nginx/*.log" {
compress compress
delaycompress delaycompress
weekly weekly
postrotate
[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`
endscript
rotate 26 rotate 26
su nginx nginx
} }
''; '';
} }

15
hosts/falkenstein/modules/mail/default.nix
View file

@ -8,6 +8,17 @@ in
./dovecot2.nix ./dovecot2.nix
./rspamd.nix ./rspamd.nix
]; ];
# acquire certificates security.acme.certs."${domain}" = {
services.caddy.virtualHosts."${domain}".extraConfig = ""; reloadServices = [
"postfix.service"
"dovecot2.service"
];
};
services.nginx.virtualHosts = {
"${domain}" = {
enableACME = true;
forceSSL = true;
};
};
} }

4
hosts/falkenstein/modules/mail/dovecot2.nix
View file

@ -14,8 +14,8 @@ in
enableQuota = false; enableQuota = false;
enableLmtp = true; enableLmtp = true;
mailLocation = "maildir:/var/mail/%n"; mailLocation = "maildir:/var/mail/%n";
sslServerCert = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.crt"; sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.key"; sslServerKey = "/var/lib/acme/${hostname}/key.pem";
protocols = [ "imap" "sieve" ]; protocols = [ "imap" "sieve" ];
mailPlugins = { mailPlugins = {
globally.enable = [ "listescape" ]; globally.enable = [ "listescape" ];

4
hosts/falkenstein/modules/mail/postfix.nix
View file

@ -33,8 +33,8 @@ in
origin = "${domain}"; origin = "${domain}";
destination = [ "${hostname}" "${domain}" "localhost" ]; destination = [ "${hostname}" "${domain}" "localhost" ];
networks = [ "127.0.0.1" ]; networks = [ "127.0.0.1" ];
sslCert = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.crt"; sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslKey = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.key"; sslKey = "/var/lib/acme/${hostname}/key.pem";
config = { config = {
# home_mailbox = "Maildir/"; # home_mailbox = "Maildir/";
smtp_helo_name = config.networking.fqdn; smtp_helo_name = config.networking.fqdn;

11
hosts/falkenstein/modules/mail/rspamd.nix
View file

@ -38,9 +38,14 @@
enable = true; enable = true;
}; };
}; };
caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = '' nginx.virtualHosts."rspamd.${config.networking.domain}" = {
reverse_proxy 127.0.0.1:11334 locations = {
''; "/" = {
proxyPass = "http://127.0.0.1:11334";
proxyWebsockets = true;
};
};
};
}; };
systemd = { systemd = {
services.rspamd-dmarc-report = { services.rspamd-dmarc-report = {

70
hosts/falkenstein/modules/nginx/default.nix Normal file
View file

@ -0,0 +1,70 @@
{ config, lib, pkgs, ... }:
{
# set default options for virtualHosts
options = with lib; {
services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule
({ name, ... }: {
enableACME = true;
forceSSL = true;
# enable http3 for all hosts
quic = true;
http3 = true;
# split up nginx access logs per vhost
extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
add_header Alt-Svc 'h3=":443"; ma=86400';
'';
})
);
};
};
config =
let
# matrix homeserver discovery
matrix_domain = "matrix.${config.networking.domain}";
serverConfig = {
"m.server" = "${matrix_domain}:443";
};
clientConfig = {
"m.homeserver" = {
base_url = "https://${matrix_domain}";
# server_name = config.networking.domain;
};
"org.matrix.msc3575.proxy" = {
url = "https://${matrix_domain}";
};
};
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."${config.networking.domain}" = {
root = "/srv/web/${config.networking.domain}";
locations = {
"/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
"/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "rouven@${config.networking.domain}";
};
};
};
}

3
hosts/falkenstein/modules/purge/default.nix
View file

@ -15,7 +15,4 @@ in
tokenFile = config.age.secrets.purge.path; tokenFile = config.age.secrets.purge.path;
}; };
}; };
services.caddy.virtualHosts."${domain}".extraConfig = ''
reverse_proxy unix//run/purge/app.sock
'';
} }

14
hosts/falkenstein/modules/trucksimulatorbot/default.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, trucksimulatorbot, ... }: { config, pkgs, ... }:
let let
domain = "trucks.${config.networking.domain}"; domain = "trucks.${config.networking.domain}";
in in
@ -24,16 +24,4 @@ in
]; ];
ensureDatabases = [ "trucksimulator" ]; ensureDatabases = [ "trucksimulator" ];
}; };
# reverse_proxy unix//run/trucksimulator/app.sock
services.caddy.virtualHosts."${domain}".extraConfig = ''
redir /invite https://discord.com/api/oauth2/authorize?client_id=831052837353816066&permissions=262144&scope=bot%20applications.commands
handle /docs* {
file_server browse
root * ${trucksimulatorbot.packages.x86_64-linux.docs}
}
route /images* {
uri strip_prefix /images
reverse_proxy unix//run/trucksimulator/images.sock
}
'';
} }

1
hosts/nuc/modules/caddy/default.nix
View file

@ -5,7 +5,6 @@
email = "ca@${config.networking.domain}"; email = "ca@${config.networking.domain}";
logFormat = "format console"; logFormat = "format console";
}; };
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
} }