From 7a2e3fd0a83c2459bb9047436d84cea2f44f1bc9 Mon Sep 17 00:00:00 2001 From: Fabian Montero Date: Fri, 23 Aug 2024 13:01:33 -0600 Subject: [PATCH] initial public commit --- .gitignore | 2 + flake.lock | 967 ++++++++++++++++++++++++++++++++++++ flake.nix | 77 +++ pkgs/config/default.nix | 1 + pkgs/default.nix | 5 + sys/default.nix | 102 ++++ sys/fabian.pub | 1 + sys/home/default.nix | 29 ++ sys/home/lib/cli.nix | 27 + sys/home/lib/default.nix | 5 + sys/srv/default.nix | 7 + sys/srv/gatekeeper_ca.pem | 21 + sys/srv/lib/bepasty.nix | 39 ++ sys/srv/lib/default.nix | 15 + sys/srv/lib/forgejo.nix | 60 +++ sys/srv/lib/jellyfin.nix | 29 ++ sys/srv/lib/jitsi.nix | 43 ++ sys/srv/lib/kuma.nix | 26 + sys/srv/lib/matrix.nix | 59 +++ sys/srv/lib/mediawiki.nix | 40 ++ sys/srv/lib/msmtp.nix | 32 ++ sys/srv/lib/net.nix | 65 +++ sys/srv/lib/tiddlywiki.nix | 33 ++ sys/srv/lib/vaultwarden.nix | 58 +++ 24 files changed, 1743 insertions(+) create mode 100644 .gitignore create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 pkgs/config/default.nix create mode 100644 pkgs/default.nix create mode 100644 sys/default.nix create mode 100644 sys/fabian.pub create mode 100644 sys/home/default.nix create mode 100644 sys/home/lib/cli.nix create mode 100644 sys/home/lib/default.nix create mode 100644 sys/srv/default.nix create mode 100644 sys/srv/gatekeeper_ca.pem create mode 100644 sys/srv/lib/bepasty.nix create mode 100644 sys/srv/lib/default.nix create mode 100644 sys/srv/lib/forgejo.nix create mode 100644 sys/srv/lib/jellyfin.nix create mode 100644 sys/srv/lib/jitsi.nix create mode 100644 sys/srv/lib/kuma.nix create mode 100644 sys/srv/lib/matrix.nix create mode 100644 sys/srv/lib/mediawiki.nix create mode 100644 sys/srv/lib/msmtp.nix create mode 100644 sys/srv/lib/net.nix create mode 100644 sys/srv/lib/tiddlywiki.nix create mode 100644 sys/srv/lib/vaultwarden.nix diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f094862 --- /dev/null 
+++ b/.gitignore
@@ -0,0 +1,2 @@
+!**/.keep
+result
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..9a9a0f9
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,967 @@ +{ + "nodes": { + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1720542474, + "narHash": "sha256-aKjJ/4l2I9+wNGTaOGRsuS3M1+IoTibqgEMPDikXm04=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "6139576a3ce6bb992e0f6c3022528ec233e45f00", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "main", + "repo": "attic", + "type": "github" + } + }, + "cachix": { + "inputs": { + "devenv": "devenv", + "flake-compat": "flake-compat_3", + "nixpkgs": "nixpkgs_3", + "pre-commit-hooks": "pre-commit-hooks" + }, + "locked": { + "lastModified": 1719923519, + "narHash": "sha256-7Rhljj2fsklFRsu+eq7N683Z9qukmreMEj5C1GqCrSA=", + "owner": "cachix", + "repo": "cachix", + "rev": "4e9e71f78b9500fa6210cf1eaa4d75bdbab777c3", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "master", + "repo": "cachix", + "type": "github" + } + }, + "cachix_2": { + "inputs": { + "devenv": "devenv_2", + "flake-compat": [ + "conduwuit", + "cachix", + "devenv", + "flake-compat" + ], + "nixpkgs": [ + "conduwuit", + "cachix", + "devenv", + "nixpkgs" + ], + "pre-commit-hooks": [ + "conduwuit", + "cachix", + "devenv", + "pre-commit-hooks" + ] + }, + "locked": { + "lastModified": 1712055811, + "narHash": "sha256-7FcfMm5A/f02yyzuavJe06zLa9hcMHsagE28ADcmQvk=", + "owner": "cachix", + "repo": "cachix", + "rev": "02e38da89851ec7fec3356a5c04bc8349cae0e30", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "cachix", + "type": "github" + } + }, + "complement": { + "flake": false, + "locked": { + "lastModified": 1722323564, + "narHash": "sha256-6w6/N8walz4Ayc9zu7iySqJRmGFukhkaICLn4dweAcA=", + "owner": "matrix-org", + "repo": "complement", + "rev": "6e4426a9e63233f9821a4d2382bfed145244183f", + "type": "github" + }, + "original": { + "owner": "matrix-org", + "ref": "main", + "repo": 
"complement", + "type": "github" + } + }, + "conduwuit": { + "inputs": { + "attic": "attic", + "cachix": "cachix", + "complement": "complement", + "crane": "crane_2", + "fenix": "fenix", + "flake-compat": "flake-compat_5", + "flake-utils": "flake-utils_3", + "liburing": "liburing", + "nix-filter": "nix-filter", + "nixpkgs": [ + "unstable" + ], + "rocksdb": "rocksdb" + }, + "locked": { + "lastModified": 1721105087, + "narHash": "sha256-t74TUSswsCkOdZCKjgP74qEHKg78ShKTkP6x9/zqYX4=", + "owner": "girlbossceo", + "repo": "conduwuit", + "rev": "c29197b3f457cf72197ef5251f9815107b2526d7", + "type": "github" + }, + "original": { + "owner": "girlbossceo", + "ref": "v0.4.5", + "repo": "conduwuit", + "type": "github" + } + }, + "crane": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717025063, + "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=", + "owner": "ipetkov", + "repo": "crane", + "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1720546058, + "narHash": "sha256-iU2yVaPIZm5vMGdlT0+57vdB/aPq/V5oZFBRwYw+HBM=", + "owner": "ipetkov", + "repo": "crane", + "rev": "2d83156f23c43598cf44e152c33a59d3892f8b29", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "ref": "master", + "repo": "crane", + "type": "github" + } + }, + "devenv": { + "inputs": { + "cachix": "cachix_2", + "flake-compat": [ + "conduwuit", + "cachix", + "flake-compat" + ], + "nix": "nix_2", + "nixpkgs": [ + "conduwuit", + "cachix", + "nixpkgs" + ], + "pre-commit-hooks": [ + "conduwuit", + "cachix", + "pre-commit-hooks" + ] + }, + "locked": { + "lastModified": 1719759336, + "narHash": "sha256-3a34VL/QnHprl5gMy9xlx6d8J+iNp+W88Ex8smkgH9M=", + "owner": "cachix", + "repo": "devenv", + "rev": 
"bb32aa986f2f695385e54428d0eaf7d05b31466e", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "devenv", + "type": "github" + } + }, + "devenv_2": { + "inputs": { + "flake-compat": [ + "conduwuit", + "cachix", + "devenv", + "cachix", + "flake-compat" + ], + "nix": "nix", + "nixpkgs": "nixpkgs_2", + "poetry2nix": "poetry2nix", + "pre-commit-hooks": [ + "conduwuit", + "cachix", + "devenv", + "cachix", + "pre-commit-hooks" + ] + }, + "locked": { + "lastModified": 1708704632, + "narHash": "sha256-w+dOIW60FKMaHI1q5714CSibk99JfYxm0CzTinYWr+Q=", + "owner": "cachix", + "repo": "devenv", + "rev": "2ee4450b0f4b95a1b90f2eb5ffea98b90e48c196", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "python-rewrite", + "repo": "devenv", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1720852044, + "narHash": "sha256-3NBYz8VuXuKU+8ONd9NFafCNjPEGHIZQ2Mdoam1a4mY=", + "owner": "nix-community", + "repo": "fenix", + "rev": "5087b12a595ee73131a944d922f24d81dae05725", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "main", + "repo": "fenix", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + 
}, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "ref": "master", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": 
"sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "cachix", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1720042825, + "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "homepage": { + "inputs": { + 
"flake-utils": "flake-utils_5", + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1724101903, + "narHash": "sha256-y/hyv5ASoo4owEH3CiQo8ny/1Z2m81fyYsxKbhFGpl8=", + "ref": "master", + "rev": "af81b24225902f1ca660f122f0d55ad88c00b29a", + "revCount": 14, + "type": "git", + "url": "https://git.posixlycorrect.com/fabian/homepage.git" + }, + "original": { + "ref": "master", + "type": "git", + "url": "https://git.posixlycorrect.com/fabian/homepage.git" + } + }, + "impermanence": { + "locked": { + "lastModified": 1719091691, + "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, + "liburing": { + "flake": false, + "locked": { + "lastModified": 1720798442, + "narHash": "sha256-gtPppAoksMLW4GuruQ36nf4EAqIA1Bs6V9Xcx8dBxrQ=", + "owner": "axboe", + "repo": "liburing", + "rev": "1d674f83b7d0f07553ac44d99a401b05853d9dbe", + "type": "github" + }, + "original": { + "owner": "axboe", + "ref": "master", + "repo": "liburing", + "type": "github" + } + }, + "nix": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs": [ + "conduwuit", + "cachix", + "devenv", + "cachix", + "devenv", + "nixpkgs" + ], + "nixpkgs-regression": "nixpkgs-regression" + }, + "locked": { + "lastModified": 1712911606, + "narHash": "sha256-BGvBhepCufsjcUkXnEEXhEVjwdJAwPglCC2+bInc794=", + "owner": "domenkozar", + "repo": "nix", + "rev": "b24a9318ea3f3600c1e24b4a00691ee912d4de12", + "type": "github" + }, + "original": { + "owner": "domenkozar", + "ref": "devenv-2.21", + "repo": "nix", + "type": "github" + } + }, + "nix-filter": { + "locked": { + "lastModified": 1710156097, + "narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "3342559a24e85fc164b295c3444e8a139924675b", + "type": "github" + 
}, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "nix-filter", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "conduwuit", + "cachix", + "devenv", + "cachix", + "devenv", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688870561, + "narHash": "sha256-4UYkifnPEw1nAzqqPOTL2MvWtm3sNGw1UTYTalkTcGY=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "165b1650b753316aa7f1787f3005a8d2da0f5301", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix_2": { + "inputs": { + "flake-compat": [ + "conduwuit", + "cachix", + "devenv", + "flake-compat" + ], + "nixpkgs": [ + "conduwuit", + "cachix", + "devenv", + "nixpkgs" + ], + "nixpkgs-regression": "nixpkgs-regression_2" + }, + "locked": { + "lastModified": 1712911606, + "narHash": "sha256-BGvBhepCufsjcUkXnEEXhEVjwdJAwPglCC2+bInc794=", + "owner": "domenkozar", + "repo": "nix", + "rev": "b24a9318ea3f3600c1e24b4a00691ee912d4de12", + "type": "github" + }, + "original": { + "owner": "domenkozar", + "ref": "devenv-2.21", + "repo": "nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1711401922, + "narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "07262b18b97000d16a4bdb003418bd2fb067a932", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-regression": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "nixpkgs-regression_2": { + "locked": { + 
"lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1711460390, + "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "44733514b72e732bd49f5511bd0203dea9b9a434", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1718811006, + "narHash": "sha256-0Y8IrGhRmBmT7HHXlxxepg2t8j1X90++qRN3lukGaIk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "03d771e513ce90147b65fe922d87d3a0356fc125", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1692808169, + "narHash": "sha256-x9Opq06rIiwdwGeK2Ykj69dNc2IvUH1fY55Wm7atwrE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9201b5ff357e781bf014d0330d18555695df7ba8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1719848872, + "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1719426051, + "narHash": "sha256-yJL9VYQhaRM7xs0M867ZFxwaONB9T2Q4LnGo1WovuR4=", + "path": "/nix/store/f0ddmw6s86y567yg06h5019z72szbzch-source", + "rev": 
"89c49874fb15f4124bf71ca5f42a04f2ee5825fd", + "type": "path" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1722221733, + "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "12bf09802d77264e441f48e25459c10c93eada2e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "poetry2nix": { + "inputs": { + "flake-utils": "flake-utils_2", + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "conduwuit", + "cachix", + "devenv", + "cachix", + "devenv", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1692876271, + "narHash": "sha256-IXfZEkI0Mal5y1jr6IRWMqK8GW2/f28xJenZIPQqkY0=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "d5006be9c2c2417dafb2e2e5034d83fabd207ee3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat_4", + "gitignore": "gitignore", + "nixpkgs": [ + "conduwuit", + "cachix", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1719259945, + "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "rocksdb": { + "flake": false, + "locked": { + "lastModified": 1720900786, + "narHash": "sha256-Vta9Um/RRuWwZ46BjXftV06iWLm/j/9MX39emXUvSAY=", + "owner": "girlbossceo", + "repo": "rocksdb", + "rev": "911f4243e69c2e320a7a209bf1f5f3ff5f825495", + "type": "github" + }, + "original": { + "owner": "girlbossceo", + "ref": "v9.4.0", + "repo": "rocksdb", + "type": "github" + } + }, + "root": { + "inputs": { + 
"conduwuit": "conduwuit", + "flake-utils": "flake-utils_4", + "home-manager": "home-manager", + "homepage": "homepage", + "impermanence": "impermanence", + "nixpkgs": "nixpkgs_5", + "unstable": "unstable", + "vpsadminos": "vpsadminos" + } + }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1720717809, + "narHash": "sha256-6I+fm+nTLF/iaj7ffiFGlSY7POmubwUaPA/Wq0Bm53M=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "ffbc5ad993d5cd2f3b8bcf9a511165470944ab91", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": 
"github" + } + }, + "unstable": { + "locked": { + "lastModified": 1722185531, + "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "vpsadminos": { + "locked": { + "lastModified": 1722101851, + "narHash": "sha256-fM5Z8Qhk9/AbGYJ4VrJilGlFK9btBEF+ROtbYYJZJ1I=", + "owner": "vpsfreecz", + "repo": "vpsadminos", + "rev": "2c8ff8462a6f4aefb7bd2663d6ddbedd9d161f2c", + "type": "github" + }, + "original": { + "owner": "vpsfreecz", + "repo": "vpsadminos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..d192bc0 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,77 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+ unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ home-manager = {
+ url = "github:nix-community/home-manager/release-24.05";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ impermanence.url = "github:nix-community/impermanence";
+
+ flake-utils.url = "github:numtide/flake-utils";
+
+ vpsadminos.url = "github:vpsfreecz/vpsadminos";
+
+ homepage.url = "git+https://git.posixlycorrect.com/fabian/homepage.git?ref=master";
+
+ conduwuit = {
+ url = "github:girlbossceo/conduwuit?ref=v0.4.5";
+ #FIXME: PodrĂ¡ volver a "nixpkgs" una vez que rocksdb.enableLiburing llegue a stable
+ inputs.nixpkgs.follows = "unstable";
+ };
+ };
+
+ outputs =
+ flakes@{ self
+ , nixpkgs
+ , unstable
+ , home-manager
+ , impermanence
+ , flake-utils
+ , vpsadminos
+ , homepage
+ , conduwuit
+ }:
+ let
+ system = "x86_64-linux";
+
+ pkgs = importPkgs nixpkgs;
+
+ importPkgs = flake: import flake {
+ inherit system;
+
+ config = import ./pkgs/config nixpkgs.lib;
+ overlays = [ self.overlays.default ];
+ };
+
+ local = import ./pkgs;
+ in
+ with pkgs.lib; {
+ formatter.${system} = pkgs.nixpkgs-fmt;
+ packages.${system} = pkgs.local;
+
+ overlays.default = final: prev:
+ let
+ locals = local {
+ inherit final prev flakes;
+ };
+ in
+ {
+ local = locals;
+ unstable = importPkgs unstable;
+ } // locals.override;
+
+ nixosConfigurations.vps = makeOverridable nixpkgs.lib.nixosSystem {
+ inherit pkgs system;
+
+ specialArgs = {
+ inherit flakes;
+ };
+
+ modules = singleton ./sys;
+ };
+ };
+}
+
diff --git a/pkgs/config/default.nix b/pkgs/config/default.nix
new file mode 100644
index 0000000..926636c
--- /dev/null
+++ b/pkgs/config/default.nix
@@ -0,0 +1 @@
+lib: { }
diff --git a/pkgs/default.nix b/pkgs/default.nix
new file mode 100644
index 0000000..a09e22a
--- /dev/null
+++ b/pkgs/default.nix
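Review bot: `homepage.url` tracks `?ref=master` of a repository served by `git.posixlycorrect.com`, which is the Forgejo vhost this same flake deploys in `sys/srv/lib/forgejo.nix`, so once someone runs `nix flake update` a rebuild of `nixosConfigurations.vps` depends on a service running on the host being rebuilt and on whatever `master` holds at that moment. The committed `flake.lock` pins the input by `narHash` today, but it also records that input's own `nixpkgs` as `"type": "path"` under `/nix/store/…-source`, an entry a fresh host that lacks that store path may be unable to fetch. Pinning the input to a commit (`?rev=` plus the full hash) and adding `homepage.inputs.nixpkgs.follows = "nixpkgs";` under the input would remove both the mutable reference and the path-locked nixpkgs, and keep the site built against the same pinned nixpkgs as the rest of the system.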
@@ -0,0 +1,5 @@
+{ final, prev, flakes }: {
+ homepage = flakes.homepage.packages.${final.system}.default;
+
+ override = { };
+}
diff --git a/sys/default.nix b/sys/default.nix
new file mode 100644
index 0000000..ab1d182
--- /dev/null
+++ b/sys/default.nix
@@ -0,0 +1,102 @@
+{ config, pkgs, lib, flakes, ... }:
+with lib;
+{
+ imports = [
+ flakes.vpsadminos.nixosConfigurations.container
+ flakes.home-manager.nixosModules.home-manager
+ flakes.impermanence.nixosModule
+ ./srv
+ ];
+
+ environment.systemPackages = with pkgs; [
+ vim
+ git
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+
+ extraSpecialArgs = { inherit flakes; };
+
+ users.fabian = {
+ imports = [
+ flakes.impermanence.nixosModules.home-manager.impermanence
+ ./home
+ ];
+ };
+ };
+
+ programs = {
+ zsh.enable = true;
+ fuse.userAllowOther = true;
+ };
+
+ networking.hostName = "vps";
+
+ nix = {
+ package = pkgs.nixFlakes;
+
+ extraOptions = ''
+ experimental-features = nix-command flakes repl-flake
+ '';
+
+ # No me interesa el global registry
+ settings.flake-registry = "";
+ };
+
+ users = {
+ users.fabian = {
+ isNormalUser = true;
+ uid = 1000;
+ group = "fabian";
+ shell = pkgs.zsh;
+ extraGroups = [ "users" "wheel" "networkmanager" "dialout" "libvirtd" ];
+ openssh.authorizedKeys.keyFiles = [ ./fabian.pub ];
+ };
+ groups.fabian.gid = 1000;
+ };
+
+ systemd.extraConfig = ''
+ DefaultTimeoutStartSec=900s
+ '';
+
+ security.dhparams = {
+ enable = true;
+ defaultBitSize = 4096;
+ };
+
+ fileSystems = {
+ "/mnt/export2008" = {
+ device = "172.16.129.19:/nas/5876";
+ fsType = "nfs";
+ options = [ "nofail" "noatime" ];
+ };
+
+ "/mnt/export2011" = {
+ device = "172.16.129.151:/nas/5876/bepasty";
+ fsType = "nfs";
+ options = [ "nofail" "noatime" "noexec" ];
+ };
+ };
+
+ services.earlyoom = {
+ enable = mkDefault true;
+ enableNotifications = true;
+ };
+
+ # Coredumps son un riesgo de seguridad y puden usar mucho disco
+ systemd.coredump.extraConfig = ''
+ Storage=none
+ ProcessSizeMax=0
+ '';
+
+ time.timeZone = "Europe/Amsterdam";
+
+ system.stateVersion = "24.05";
+}
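Review bot: `settings.PasswordAuthentication = false;` under `services.openssh` leaves `KbdInteractiveAuthentication` at its NixOS default of `true`, so sshd still offers the keyboard-interactive method and the key-only intent of `openssh.authorizedKeys.keyFiles = [ ./fabian.pub ]` rests on PAM rejecting passwords rather than on sshd itself; add `settings.KbdInteractiveAuthentication = false;` beside it so both password paths are closed explicitly. `extraGroups` also puts `fabian` in `networkmanager`, `dialout` and `libvirtd` although nothing in this commit configures NetworkManager, serial devices or libvirt on this vpsAdminOS container, so those can be dropped to keep the account at `wheel` only. The two NFS mounts in `fileSystems` hold data written by the bepasty and jellyfin services and nothing that needs setuid binaries or device nodes, so `options = [ "nofail" "noatime" "nosuid" "nodev" ];` (keeping `"noexec"` on `export2011`) would be the conservative choice.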
diff --git a/sys/fabian.pub b/sys/fabian.pub
new file mode 100644
index 0000000..45b9932
--- /dev/null
+++ b/sys/fabian.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkK2Cg3dozG78AEA2OTzydezcKVnNTTj0MUJZcP/mrN fabian@posixlycorrect.com
diff --git a/sys/home/default.nix b/sys/home/default.nix
new file mode 100644
index 0000000..3e21063
--- /dev/null
+++ b/sys/home/default.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, flakes, ... }:
+with lib;
+{
+
+ imports = [
+ ./lib
+ ];
+
+ home = {
+ stateVersion = "24.05"; # No tocar esto
+ username = "fabian";
+ homeDirectory = "/home/fabian";
+ sessionVariables = {
+ "EDITOR" = "nvim";
+ };
+ };
+
+ xdg.enable = true;
+
+ nix.registry = {
+ "system".to = {
+ type = "path";
+ path = "/home/fabian/nix";
+ };
+
+ "nixpkgs".flake = flakes.nixpkgs;
+ "unstable".flake = flakes.unstable;
+ };
+}
diff --git a/sys/home/lib/cli.nix b/sys/home/lib/cli.nix
new file mode 100644
index 0000000..e57942a
--- /dev/null
+++ b/sys/home/lib/cli.nix
@@ -0,0 +1,27 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+ programs = {
+ zsh = {
+ enable = true;
+ syntaxHighlighting.enable = true;
+ };
+ git = {
+ enable = true;
+ userEmail = "fabian@posixlycorrect.com";
+ userName = "fabianmv";
+ };
+ neovim.enable = true;
+ };
+ home.packages = with pkgs;
+ [
+ file
+ htop
+ killall
+ man-pages
+ man-pages-posix
+ tree
+ zip
+ unzip
+ ];
+}
diff --git a/sys/home/lib/default.nix b/sys/home/lib/default.nix
new file mode 100644
index 0000000..200e1cd
--- /dev/null
+++ b/sys/home/lib/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./cli.nix
+ ];
+}
diff --git a/sys/srv/default.nix b/sys/srv/default.nix
new file mode 100644
index 0000000..c3d905a
--- /dev/null
+++ b/sys/srv/default.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, lib, flakes, ... }:
+with lib;
+{
+ imports = [
+ ./lib
+ ];
+}
diff --git a/sys/srv/gatekeeper_ca.pem b/sys/srv/gatekeeper_ca.pem
new file mode 100644
index 0000000..51c2de9
--- /dev/null
+++ b/sys/srv/gatekeeper_ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDijCCAnKgAwIBAgIUQCBAoFSQrYx063PnK3XKiOJSpvQwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgcG9zaXhseWNvcnJlY3QuY29tIGdhdGVrZWVwZXIgQ0Ew
+HhcNMjQwODAyMDcxNzE4WhcNMzQwNzMxMDcxNzE4WjArMSkwJwYDVQQDDCBwb3Np
+eGx5Y29ycmVjdC5jb20gZ2F0ZWtlZXBlciBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAKxjqIpRxIu2yPejUbyMixZACESrbmIGOhhxwUu1ys6aYPOZ
+7yQMs5xuJXcgCuD7Oba1eBi+CpLhyvgZlyLrCfxoCzTdAeeXq0EB7YUn8IYEN3dR
+e+yds//zkjRzbXAaIbUoAF8XaXgylOSIXLNrh0TTjNscC+TPYvKSbaDhdICOZ1ky
+u08w5QdOoi1W8FNJd4LKIKWQZW3dMeNaBbKnt9R4mjL28tE5gP6ZYUvcCIoqYAbE
+DSNq29lXsmDzbD914bN5wYoTP3A+k8QG6eYGb10YgaaJ0TBxeLzadVBq7gFylMt3
+1LTNmH/v+l73IYfiDV4O3d33cg0VOKqiD48WCnkCAwEAAaOBpTCBojAMBgNVHRME
+BTADAQH/MB0GA1UdDgQWBBStVj4YoMTnD+XZ+doBI7Ao17Gg3DBmBgNVHSMEXzBd
+gBStVj4YoMTnD+XZ+doBI7Ao17Gg3KEvpC0wKzEpMCcGA1UEAwwgcG9zaXhseWNv
+cnJlY3QuY29tIGdhdGVrZWVwZXIgQ0GCFEAgQKBUkK2MdOtz5yt1yojiUqb0MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAZgbpPdkhAbrbA7Y63WI2Bo26
+tPVCZpsEKiwpyEbDDC+NVrbOit1kQg/j26RuXLDVg19IfXk407FVFVGYVJNE+kXt
+KjyKCGyyZUBQRebCN8kzFsCQ/AJSfzNKQhEK68rchSH66mbjtOtItkdVZRnq0pWI
+7WXlTIxK8KTcAx2V/ijyalCENUpwRWfM4Qnkqsi82Dx9e8V0TRCLomW7IQok4dre
+F6IolUHw9ZuSC10/T8n8+riqWBWEisBGLz79OrdETdHK9A5gpNHRF+sO9JAhVr/t
+exBWTEJ33BeI0NX87d0Pneun4nss5FsLst+Ut7Y0F2QF2Iar1iERUalHVIjCtA==
+-----END CERTIFICATE-----
diff --git a/sys/srv/lib/bepasty.nix b/sys/srv/lib/bepasty.nix
new file mode 100644
index 0000000..aab1ca1
--- /dev/null
+++ b/sys/srv/lib/bepasty.nix
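Review bot: This certificate is the trust anchor for the client-certificate gate in `sys/srv/lib/jitsi.nix`, and decoding it shows a self-signed RSA-2048 CA with `CN = posixlycorrect.com gatekeeper CA`, valid from 2024-08-02 to 2034-07-31, carrying `basicConstraints CA:TRUE` with no path-length limit and `keyUsage keyCertSign, cRLSign`, neither extension marked critical. A CA whose only job is to sign leaf client certificates would conventionally be issued with `basicConstraints critical, CA:TRUE, pathlen:0` so that a mis-issued client certificate cannot itself sign further certificates; nginx's `ssl_verify_depth 1` limits that today, but the constraint belongs in the certificate rather than in one consumer's config. Nothing in the commit says where the CA private key is kept or how client certificates are issued and revoked; a short README beside this file stating that the key stays off the host, the issuance command, and the revocation procedure would make the trust model reviewable.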
@@ -0,0 +1,39 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+ services = {
+
+ nginx = {
+ virtualHosts."send.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8989";
+ };
+
+ };
+ };
+
+ bepasty = {
+ enable = true;
+ servers = {
+ "send" = {
+ bind = "127.0.0.1:8989";
+ secretKeyFile = "/var/trust/bepasty/secretKeyFile";
+ dataDir = "/mnt/export2011/data";
+ defaultPermissions = "read,create,delete";
+ extraConfig = ''
+ SITENAME = 'send.posixlycorrect.com'
+ MAX_ALLOWED_FILE_SIZE = 4 * 1000 * 1000 * 1000
+ SESSION_COOKIE_SECURE = True
+ ASCIINEMA_THEME = 'asciinema'
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/sys/srv/lib/default.nix b/sys/srv/lib/default.nix
new file mode 100644
index 0000000..16900d7
--- /dev/null
+++ b/sys/srv/lib/default.nix
@@ -0,0 +1,15 @@
+{
+ imports = [
+ ./net.nix
+ ./mediawiki.nix
+ ./jitsi.nix
+ ./matrix.nix
+ ./forgejo.nix
+ ./vaultwarden.nix
+ ./bepasty.nix
+ ./jellyfin.nix
+ ./msmtp.nix
+ ./tiddlywiki.nix
+ ./kuma.nix
+ ];
+}
diff --git a/sys/srv/lib/forgejo.nix b/sys/srv/lib/forgejo.nix
new file mode 100644
index 0000000..9a6a565
--- /dev/null
+++ b/sys/srv/lib/forgejo.nix
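Review bot: `defaultPermissions = "read,create,delete";` grants every unauthenticated visitor of `send.posixlycorrect.com` the right to upload, up to the 4 GB `MAX_ALLOWED_FILE_SIZE` set in `extraConfig`, and to delete items, so anyone holding a share link can remove the item behind it and strangers can fill the NFS share behind `dataDir` or use the host to distribute arbitrary content. If anonymous upload is deliberate, at least drop `delete` (`defaultPermissions = "read,create";`); otherwise set `defaultPermissions = "read";` and hand out `create,delete` through a secret in bepasty's `PERMISSIONS` map in `extraConfig`. The nginx `locations."/"` block also sets no `client_max_body_size`, so whether uploads of the intended size get through depends on nginx defaults or settings defined elsewhere (not visible here) and is worth checking.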
@@ -0,0 +1,60 @@
+{ config, lib, ... }:
+with lib;
+{
+ config = {
+ environment.etc."fail2ban/filter.d/gitea.local".text = ''
+ [Definition]
+ failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ ignoreregex =
+ '';
+
+ services = {
+ nginx = {
+ virtualHosts."git.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ locations."/".proxyPass = "http://localhost:9170";
+ };
+ };
+
+ fail2ban.jails.gitea.settings = {
+ filter = "gitea";
+ logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+ maxretry = "10";
+ findtime = "3600";
+ bantime = "900";
+ action = "iptables-allports";
+ };
+
+ forgejo = {
+ enable = true;
+ lfs.enable = true;
+ useWizard = false;
+ settings = {
+ general.APP_NAME = "posixlycorrect";
+ server = {
+ DOMAIN = "git.posixlycorrect.com";
+ ROOT_URL = "https://git.posixlycorrect.com";
+ HTTP_PORT = 9170;
+ LANDING_PAGE = "explore";
+ };
+
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+
+ # ver https://github.com/nektos/act
+ actions = {
+ ENABLED = false;
+ };
+ mailer = {
+ ENABLED = false;
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/sys/srv/lib/jellyfin.nix b/sys/srv/lib/jellyfin.nix
new file mode 100644
index 0000000..fa6d9db
--- /dev/null
+++ b/sys/srv/lib/jellyfin.nix
@@ -0,0 +1,29 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+
+ services = {
+
+ nginx = {
+ virtualHosts."stream.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ locations."/" = {
+ proxyPass = "http://localhost:8096";
+ };
+ };
+ };
+
+ jellyfin = {
+ enable = true;
+ user = "jellyfin";
+ group = "jellyfin";
+ dataDir = "/mnt/export2008/jellyfin/dataDir";
+ cacheDir = "/mnt/export2008/jellyfin/cacheDir";
+ };
+ };
+}
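Review bot: The fail2ban jail's `logpath` is derived from `config.services.gitea.stateDir` although the service enabled in this file is `forgejo`; that evaluates to the unused gitea module's default directory, so the jail most likely watches a file that never exists and never bans anyone. Use `logpath = "${config.services.forgejo.stateDir}/log/<logfile>";` and confirm both the actual log file name and that Forgejo is configured with a file logger (`log.MODE`) at all — with the NixOS default it may only log to the journal. As rendered here the filter's `failregex` ends at `from` with no `<HOST>` capture group; if that is not merely lost in rendering, fail2ban will refuse to load the filter. `action = "iptables-allports"` also sits next to `networking.nftables.enable = true` in net.nix, where the NixOS fail2ban module's nftables ban action is the consistent choice, and `server.HTTP_ADDR = "127.0.0.1"` would keep Forgejo on loopback like the other proxied services in this commit.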
diff --git a/sys/srv/lib/jitsi.nix b/sys/srv/lib/jitsi.nix
new file mode 100644
index 0000000..db756b1
--- /dev/null
+++ b/sys/srv/lib/jitsi.nix
@@ -0,0 +1,43 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+
+ services = {
+
+ nginx = {
+ virtualHosts."meet.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+
+ ssl_verify_depth 1;
+ ssl_verify_client on;
+ ssl_client_certificate ${../gatekeeper_ca.pem};
+
+ if ($ssl_client_verify != "SUCCESS") {
+ return 403;
+ }
+ '';
+ };
+ };
+
+
+ jitsi-meet = {
+ enable = true;
+ hostName = "meet.posixlycorrect.com";
+ nginx.enable = true;
+ config = {
+ enableWelcomePage = true;
+ prejoinPageEnabled = true;
+ defaultLang = "en";
+ };
+ interfaceConfig = {
+ SHOW_JITSI_WATERMARK = false;
+ SHOW_WATERMARK_FOR_GUESTS = false;
+ };
+ };
+ jitsi-videobridge.openFirewall = true;
+ };
+}
diff --git a/sys/srv/lib/kuma.nix b/sys/srv/lib/kuma.nix
new file mode 100644
index 0000000..9f2bc99
--- /dev/null
+++ b/sys/srv/lib/kuma.nix
@@ -0,0 +1,26 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+ services = {
+ nginx = {
+ virtualHosts."status.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:4456";
+ };
+ };
+ };
+ uptime-kuma = {
+ enable = true;
+ settings = {
+ HOST = "127.0.0.1";
+ PORT = "4456";
+ };
+ };
+ };
+}
diff --git a/sys/srv/lib/matrix.nix b/sys/srv/lib/matrix.nix
new file mode 100644
index 0000000..efcf7c5
--- /dev/null
+++ b/sys/srv/lib/matrix.nix
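Review bot: The client-certificate gate (`ssl_verify_client on` with the embedded gatekeeper CA) has no revocation path: there is no `ssl_crl` directive, so a lost or leaked client certificate stays valid until the CA itself is rotated. Maintain a CRL next to the CA and add `ssl_crl ${../gatekeeper.crl};` (placeholder path) beside `ssl_client_certificate`, and note in a comment how client certs are issued and revoked. The `if ($ssl_client_verify != "SUCCESS") { return 403; }` block is redundant with `ssl_verify_client on`, which already fails the TLS handshake for missing or invalid certificates; it only becomes meaningful if the directive is later relaxed to `optional`, so either drop it or comment that intent. The media port opened by `jitsi-videobridge.openFirewall = true` is outside this nginx gate, which is expected for WebRTC but worth a one-line comment so nobody assumes the certificate requirement covers it.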
@@ -0,0 +1,59 @@
+{ lib, pkgs, config, flakes, ... }:
+with lib;
+let
+ subdomain = "matrix.posixlycorrect.com";
+ baseUrl = "https://${subdomain}";
+in
+{
+ # ver https://nixos.org/manual/nixos/stable/#module-services-matrix
+ services = {
+ matrix-conduit = {
+ enable = true;
+ package = flakes.conduwuit.packages.${pkgs.system}.default;
+ settings.global = {
+ address = "::1";
+ port = 6167;
+ allow_encryption = true;
+ allow_federation = true;
+ allow_registration = false;
+ database_backend = "rocksdb";
+ server_name = "posixlycorrect.com";
+ allow_check_for_updates = true;
+ new_user_displayname_suffix = "";
+ };
+ };
+
+ nginx.virtualHosts =
+ let
+ clientConfig."m.homeserver".base_url = baseUrl;
+ serverConfig."m.server" = "${subdomain}:443";
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+ in
+ {
+ "posixlycorrect.com" = {
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+ "${subdomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ locations."/".extraConfig = ''
+ return 403;
+ '';
+ locations."/_matrix".proxyPass = "http://[::1]:6167";
+ locations."/_synapse/client".proxyPass = "http://[::1]:6167";
+
+ };
+ };
+
+
+ };
+}
diff --git a/sys/srv/lib/mediawiki.nix b/sys/srv/lib/mediawiki.nix
new file mode 100644
index 0000000..2fc527e
--- /dev/null
+++ b/sys/srv/lib/mediawiki.nix
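Review bot: `locations."/_synapse/client".proxyPass` forwards a Synapse-specific path to conduwuit, which as far as I know serves no `/_synapse` routes; it reads as a leftover from a Synapse-based template and can be removed so the `return 403` catch-all on `/` covers it. `allow_check_for_updates = true` makes the homeserver reach out to an external update endpoint; that is a deliberate choice, but a short comment would distinguish it from the otherwise locked-down settings (`allow_registration = false`, 403 on `/`). The well-known bodies are built with `builtins.toJSON data` inside a single-quoted nginx `return`, which is safe for these static values but will break silently if a value ever contains `'`; a comment on `mkWellKnown` noting that constraint is enough.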
@@ -0,0 +1,40 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+ services = {
+ nginx = {
+ virtualHosts."wiki.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ };
+ };
+ mediawiki = {
+ enable = true;
+ name = "posixlycorrect wiki";
+ webserver = "nginx";
+ nginx.hostName = "wiki.posixlycorrect.com";
+ database.type = "postgres";
+
+ passwordFile = "/run/keys/mediawiki-password";
+ extraConfig = ''
+ # Disable anonymous editing and account creation
+ $wgGroupPermissions['*']['edit'] = false;
+ $wgGroupPermissions['*']['createaccount'] = false;
+
+ $wgEnableEmail = false; #TODO: arreglar esto
+ $wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
+ $wgEmergencyContact = 'mediawiki@posixlycorrect.com';
+ $wgPasswordSender = 'mediawiki@posixlycorrect.com';
+ '';
+
+ extensions = {
+ # some extensions are included and can enabled by passing null
+ VisualEditor = null;
+ };
+ };
+ };
+}
diff --git a/sys/srv/lib/msmtp.nix b/sys/srv/lib/msmtp.nix
new file mode 100644
index 0000000..9dad406
--- /dev/null
+++ b/sys/srv/lib/msmtp.nix
@@ -0,0 +1,32 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+ users.groups = {
+ mailsenders = {
+ members = [ "fabian" "mediawiki" ];
+ };
+ };
+
+ # esto sirve para que PHP pueda accesar la clave smtp de fastmail
+ #systemd.services.phpfpm-mediawiki = {
+ # path = [ "/run/wrappers" ];
+ # serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
+ #};
+
+ programs = {
+ msmtp = {
+ enable = true;
+ accounts = {
+ default = {
+ auth = true;
+ host = "smtp.fastmail.com";
+ port = 587;
+ passwordeval = "cat /var/trust/fastmail/smtp_key";
+ user = "fabianmontero@fastmail.com";
+ tls = true;
+ tls_starttls = true;
+ };
+ };
+ };
+ };
+}
diff --git a/sys/srv/lib/net.nix b/sys/srv/lib/net.nix
new file mode 100644
index 0000000..bad4a4b
--- /dev/null
+++ b/sys/srv/lib/net.nix
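Review bot: `passwordFile = "/run/keys/mediawiki-password"` points at the NixOps-style `/run/keys` tmpfs, while every other secret in this commit lives under `/var/trust/...` (bepasty, msmtp, tiddlywiki, vaultwarden); unless something not shown here provisions `/run/keys` on this host, the file will be absent and the MediaWiki initial-setup step fails. Either move it to the same convention (`/var/trust/mediawiki/password`) or add a comment naming what populates `/run/keys`. The `#TODO: arreglar esto` on `$wgEnableEmail = false` is tied to the commented-out phpfpm credential block in msmtp.nix; a comment such as `# email stays off until phpfpm-mediawiki can read the msmtp secret (see msmtp.nix)` would keep the two files in sync.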
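Review bot: `passwordeval = "cat /var/trust/fastmail/smtp_key"` plus the `mailsenders` group (which includes `mediawiki`) implies the key is readable by that group, but nothing in the commit sets the file's owner or mode; confirm it is `root:mailsenders 0640` (or tighter) rather than world-readable, and say so in a comment next to `passwordeval`. The commented-out `systemd.services.phpfpm-mediawiki` block should be deleted or turned into an explicit TODO with the reason it is disabled — as written it would grant `ReadWritePaths` on `/run/wrappers` and the secret directory, which is wider than the read access `passwordeval` needs (`ReadOnlyPaths` suffices for the key). No `tls_trust_file` is set for the account; verify the NixOS `programs.msmtp` defaults supply one, otherwise verification of smtp.fastmail.com's certificate may fail or be weakened.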
@@ -0,0 +1,65 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+ networking = {
+ nftables.enable = true;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ domain = "posixlycorrect.com";
+ };
+
+ # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "fabian@posixlycorrect.com";
+ };
+
+ services = {
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ logError = "/var/log/nginx/error.log";
+ clientMaxBodySize = "99M";
+ virtualHosts = {
+ "posixlycorrect.com" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "${pkgs.local.homepage}";
+ };
+ };
+ };
+ fail2ban = {
+ enable = true;
+ bantime = "10m";
+ ignoreIP = [ "37.205.12.34" ]; # Never ban the server's own IP
+ bantime-increment = {
+ enable = true;
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ maxtime = "48h"; # Do not ban for more than 48h
+ rndtime = "10m";
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ jails = {
+ # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+ nginx-botsearch.settings = {
+ # Usar log en vez de journalctl
+ # TODO: Pasar todo a systemd?
+ backend = "pyinotify";
+ logpath = "/var/log/nginx/*.log";
+ journalmatch = "";
+ };
+ nginx-bad-request.settings = {
+ backend = "pyinotify";
+ logpath = "/var/log/nginx/*.log";
+ journalmatch = "";
+ maxretry = 10;
+ };
+ };
+ };
+ };
+}
diff --git a/sys/srv/lib/tiddlywiki.nix b/sys/srv/lib/tiddlywiki.nix
new file mode 100644
index 0000000..9cc7fe4
--- /dev/null
+++ b/sys/srv/lib/tiddlywiki.nix
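Review bot: Every vhost in this commit sets `forceSSL`, but nothing emits an HSTS header, so each first visit over plain HTTP is still a redirect rather than a browser-enforced upgrade; adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to `services.nginx.commonHttpConfig` here (or per vhost) closes that gap, given that every subdomain in the repo is already TLS-only. The two nginx jails pin `backend = "pyinotify"` and blank out `journalmatch`, with only Spanish comments explaining why; restate the reason in English and make the TODO concrete, e.g. `# file backend: nginx logs to /var/log/nginx, not the journal; TODO switch jails to the systemd backend`, so the workaround is understood when the logging setup changes.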
@@ -0,0 +1,33 @@
+{ lib, pkgs, ... }:
+with lib;
+{
+
+ systemd.services.tiddlywiki.serviceConfig.LoadCredential = [ "credentials.csv:/var/trust/tiddlywiki/credentials.csv" ];
+
+ services = {
+ nginx = {
+ virtualHosts."testing.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:7456";
+ };
+ };
+ };
+ tiddlywiki = {
+ enable = true;
+ listenOptions = {
+ readers = "(anon)";
+ writers = "(authenticated)";
+ admin = "fabian";
+ credentials = "/run/credentials/tiddlywiki.service/credentials.csv";
+ host = "127.0.0.1";
+ port = 7456;
+ };
+ };
+ };
+}
diff --git a/sys/srv/lib/vaultwarden.nix b/sys/srv/lib/vaultwarden.nix
new file mode 100644
index 0000000..ec1bce9
--- /dev/null
+++ b/sys/srv/lib/vaultwarden.nix
@@ -0,0 +1,58 @@
+{ config, lib, ... }:
+with lib;
+{
+ services = {
+ nginx = {
+ virtualHosts."vault.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ };
+ };
+
+ #fail2ban.jails.gitea.settings = { };
+
+ postgresql = {
+ ensureDatabases = [ "vaultwarden" ];
+ ensureUsers = [{
+ name = "vaultwarden";
+ ensureDBOwnership = true;
+ }];
+ };
+
+ vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ environmentFile = "/var/trust/vaultwarden/smtp_key";
+ config = {
+ DOMAIN = "https://vault.posixlycorrect.com";
+ SIGNUPS_ALLOWED = false;
+
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+
+ ROCKET_LOG = "critical";
+
+ # Using FASTMAIL mail server
+ # If you use an external mail server, follow:
+ # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+ SMTP_HOST = "smtp.fastmail.com";
+ SMTP_PORT = 587;
+ SMTP_SECURITY = "starttls";
+
+ SMTP_FROM = "vault@posixlycorrect.com";
+ SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
+
+ SMTP_AUTH_MECHANISM = "PLAIN";
+
+ DATABASE_URL = "postgresql:///vaultwarden";
+ };
+ };
+
+ bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
+ };
+}
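Review bot: The stale `#fail2ban.jails.gitea.settings = { };` line is copied from forgejo.nix and is dead config; rather than leaving it, turn it into a real jail on Vaultwarden's failed-login log lines, since as committed the only brute-force control on vault.posixlycorrect.com is Vaultwarden's built-in login rate limit. `environmentFile = "/var/trust/vaultwarden/smtp_key"` is named as if it held only the SMTP credential, but it is the service's full environment file and any `KEY=value` in it overrides `config`; a comment listing what it is expected to contain (`SMTP_USERNAME`/`SMTP_PASSWORD`, and `ADMIN_TOKEN` only if the admin page is ever turned on) would prevent surprises, and leaving `ADMIN_TOKEN` unset as now keeps the admin panel disabled. This file also adds `ensureDatabases`/`ensureUsers` without `services.postgresql.enable`; confirm it is enabled elsewhere in the repo, otherwise `DATABASE_URL = "postgresql:///vaultwarden"` has nothing to connect to.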