diff --git a/flake.nix b/flake.nix index 24d7fdd..4560147 100644 --- a/flake.nix +++ b/flake.nix @@ -28,46 +28,46 @@ }; }; - outputs = - flakes@{ self - , nixpkgs - , unstable - , home-manager - , impermanence - , flake-utils - , vpsadminos - , homepage - , conduwuit - , mediawikiSkinCitizen - }: - let - system = "x86_64-linux"; + outputs = flakes @ { + self, + nixpkgs, + unstable, + home-manager, + impermanence, + flake-utils, + vpsadminos, + homepage, + conduwuit, + mediawikiSkinCitizen, + }: let + system = "x86_64-linux"; - pkgs = importPkgs nixpkgs; + pkgs = importPkgs nixpkgs; - importPkgs = flake: import flake { + importPkgs = flake: + import flake { inherit system; config = import ./pkgs/config nixpkgs.lib; - overlays = [ self.overlays.default ]; + overlays = [self.overlays.default]; }; - local = import ./pkgs; - in + local = import ./pkgs; + in with pkgs.lib; { - formatter.${system} = pkgs.nixpkgs-fmt; + formatter.${system} = pkgs.alejandra; packages.${system} = pkgs.local; - overlays.default = final: prev: - let - locals = local { - inherit final prev flakes; - }; - in + overlays.default = final: prev: let + locals = local { + inherit final prev flakes; + }; + in { local = locals; unstable = importPkgs unstable; - } // locals.override; + } + // locals.override; nixosConfigurations.vps = makeOverridable nixpkgs.lib.nixosSystem { inherit pkgs system; @@ -80,4 +80,3 @@ }; }; } - diff --git a/pkgs/config/default.nix b/pkgs/config/default.nix index 926636c..cc7f856 100644 --- a/pkgs/config/default.nix +++ b/pkgs/config/default.nix @@ -1 +1 @@ -lib: { } +lib: {} diff --git a/pkgs/default.nix b/pkgs/default.nix index a09e22a..d53c178 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,5 +1,9 @@ -{ final, prev, flakes }: { +{ + final, + prev, + flakes, +}: { homepage = flakes.homepage.packages.${final.system}.default; - override = { }; + override = {}; } diff --git a/sys/default.nix b/sys/default.nix index 6772114..37f91ea 100644 --- a/sys/default.nix 
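Review bot: `formatter.${system} = pkgs.alejandra;` switches the repository's formatter, but nothing in the flake enforces it, so a contributor still running nixpkgs-fmt would re-churn every file this commit touches. If the flake does not already expose a `checks` output, consider one next to `formatter`, e.g. `checks.${system}.format = pkgs.runCommand "alejandra-check" {} "${pkgs.alejandra}/bin/alejandra --check ${self} && touch $out";`, and mention the formatter in the README so the convention is visible without reading flake.nix. The top-level attribute set that `outputs` belongs to opens outside the hunk.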
+++ b/sys/default.nix @@ -1,6 +1,11 @@ -{ config, pkgs, lib, flakes, ... }: -with lib; { + config, + pkgs, + lib, + flakes, + ... +}: +with lib; { imports = [ flakes.vpsadminos.nixosConfigurations.container flakes.home-manager.nixosModules.home-manager @@ -22,7 +27,7 @@ with lib; useGlobalPkgs = true; useUserPackages = true; - extraSpecialArgs = { inherit flakes; }; + extraSpecialArgs = {inherit flakes;}; users.fabian = { imports = [ @@ -56,8 +61,8 @@ with lib; uid = 1000; group = "fabian"; shell = pkgs.zsh; - extraGroups = [ "users" "wheel" "networkmanager" "dialout" "libvirtd" ]; - openssh.authorizedKeys.keyFiles = [ ../pki/fabian.pub ]; + extraGroups = ["users" "wheel" "networkmanager" "dialout" "libvirtd"]; + openssh.authorizedKeys.keyFiles = [../pki/fabian.pub]; }; groups.fabian.gid = 1000; }; @@ -75,13 +80,13 @@ with lib; "/mnt/export2008" = { device = "172.16.129.19:/nas/5876"; fsType = "nfs"; - options = [ "nofail" "noatime" ]; + options = ["nofail" "noatime"]; }; "/mnt/export2011" = { device = "172.16.129.151:/nas/5876/bepasty"; fsType = "nfs"; - options = [ "nofail" "noatime" "noexec" ]; + options = ["nofail" "noatime" "noexec"]; }; }; diff --git a/sys/home/cli.nix b/sys/home/cli.nix index b44cdbd..6476b39 100644 --- a/sys/home/cli.nix +++ b/sys/home/cli.nix @@ -1,6 +1,9 @@ -{ lib, pkgs, ... }: -with lib; { + lib, + pkgs, + ... +}: +with lib; { programs = { zsh = { enable = true; @@ -13,15 +16,14 @@ with lib; }; neovim.enable = true; }; - home.packages = with pkgs; - [ - file - htop - killall - man-pages - man-pages-posix - tree - zip - unzip - ]; + home.packages = with pkgs; [ + file + htop + killall + man-pages + man-pages-posix + tree + zip + unzip + ]; } diff --git a/sys/home/default.nix b/sys/home/default.nix index df9a4bb..df58014 100644 --- a/sys/home/default.nix +++ b/sys/home/default.nix @@ -1,7 +1,11 @@ -{ config, pkgs, lib, flakes, ... }: -with lib; { - + config, + pkgs, + lib, + flakes, + ... +}: +with lib; { imports = [ ./cli.nix ]; 
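Review bot: The two NFS mounts in the `/mnt/export2008` hunk are hardened inconsistently: `/mnt/export2011` gets `noexec` while `/mnt/export2008` does not, and neither sets `nosuid` or `nodev`, so setuid binaries or device nodes present on the remote export (which this host does not necessarily control) would be honoured locally. Unless something on export2008 genuinely has to be executed from the mount, `options = ["nofail" "noatime" "nodev" "nosuid" "noexec"];` on both entries is the safer default, and the reason for any exception belongs in a comment beside the mount. This is pre-existing; the commit only reformats the lists. The `fileSystems` set these entries live in opens outside the hunk.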
diff --git a/sys/srv/bepasty.nix b/sys/srv/bepasty.nix index aab1ca1..964dbec 100644 --- a/sys/srv/bepasty.nix +++ b/sys/srv/bepasty.nix @@ -1,8 +1,10 @@ -{ lib, pkgs, ... }: -with lib; { + lib, + pkgs, + ... +}: +with lib; { services = { - nginx = { virtualHosts."send.posixlycorrect.com" = { enableACME = true; @@ -10,11 +12,10 @@ with lib; extraConfig = '' proxy_headers_hash_max_size 512; proxy_headers_hash_bucket_size 128; - ''; + ''; locations."/" = { proxyPass = "http://127.0.0.1:8989"; }; - }; }; diff --git a/sys/srv/default.nix b/sys/srv/default.nix index 84d22e7..61ccd14 100644 --- a/sys/srv/default.nix +++ b/sys/srv/default.nix @@ -1,6 +1,11 @@ -{ config, pkgs, lib, flakes, ... }: -with lib; { + config, + pkgs, + lib, + flakes, + ... +}: +with lib; { imports = [ ./net.nix ./mediawiki.nix diff --git a/sys/srv/forgejo.nix b/sys/srv/forgejo.nix index 9a6a565..4651285 100644 --- a/sys/srv/forgejo.nix +++ b/sys/srv/forgejo.nix @@ -1,6 +1,9 @@ -{ config, lib, ... }: -with lib; { + config, + lib, + ... +}: +with lib; { config = { environment.etc."fail2ban/filter.d/gitea.local".text = '' [Definition] @@ -16,7 +19,7 @@ with lib; extraConfig = '' proxy_headers_hash_max_size 512; proxy_headers_hash_bucket_size 128; - ''; + ''; locations."/".proxyPass = "http://localhost:9170"; }; }; diff --git a/sys/srv/jellyfin.nix b/sys/srv/jellyfin.nix index fa6d9db..07c8896 100644 --- a/sys/srv/jellyfin.nix +++ b/sys/srv/jellyfin.nix @@ -1,9 +1,10 @@ -{ lib, pkgs, ... }: -with lib; { - + lib, + pkgs, + ... +}: +with lib; { services = { - nginx = { virtualHosts."stream.posixlycorrect.com" = { enableACME = true; @@ -11,7 +12,7 @@ with lib; extraConfig = '' proxy_headers_hash_max_size 512; proxy_headers_hash_bucket_size 128; - ''; + ''; locations."/" = { proxyPass = "http://localhost:8096"; }; diff --git a/sys/srv/jitsi.nix b/sys/srv/jitsi.nix index a5b1483..42c62e6 100644 --- a/sys/srv/jitsi.nix +++ b/sys/srv/jitsi.nix 
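Review bot: `locations."/".proxyPass = "http://localhost:9170";` in the forgejo hunk and `proxyPass = "http://localhost:8096";` in the jellyfin hunk name the backend as `localhost`, whereas bepasty.nix and kuma.nix in the same commit use the literal `127.0.0.1`. nginx resolves that name once at configuration load, and if `localhost` maps to both `::1` and `127.0.0.1` it treats them as two upstream peers, so when the service listens on only one address family nginx can try the unreachable peer first and log connection errors before failing over. Pinning the literal address the backend actually binds, e.g. `proxyPass = "http://127.0.0.1:9170";`, removes the dependency on the resolver and matches the other modules; this is pre-existing, the commit only reindents the surrounding lines. Both virtualHost blocks continue past their hunks.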
@@ -1,9 +1,10 @@ -{ lib, pkgs, ... }: -with lib; { - + lib, + pkgs, + ... +}: +with lib; { services = { - nginx = { virtualHosts."meet.posixlycorrect.com" = { enableACME = true; @@ -11,7 +12,7 @@ with lib; extraConfig = '' proxy_headers_hash_max_size 512; proxy_headers_hash_bucket_size 128; - + ssl_verify_depth 1; ssl_verify_client on; ssl_client_certificate ${../../pki/gatekeeper_ca.pem}; @@ -22,7 +23,6 @@ with lib; }; }; - jitsi-meet = { enable = true; hostName = "meet.posixlycorrect.com"; diff --git a/sys/srv/kuma.nix b/sys/srv/kuma.nix index 9f2bc99..e698c04 100644 --- a/sys/srv/kuma.nix +++ b/sys/srv/kuma.nix @@ -1,6 +1,9 @@ -{ lib, pkgs, ... }: -with lib; { + lib, + pkgs, + ... +}: +with lib; { services = { nginx = { virtualHosts."status.posixlycorrect.com" = { @@ -9,7 +12,7 @@ with lib; extraConfig = '' proxy_headers_hash_max_size 512; proxy_headers_hash_bucket_size 128; - ''; + ''; locations."/" = { proxyPass = "http://127.0.0.1:4456"; }; diff --git a/sys/srv/matrix.nix b/sys/srv/matrix.nix index efcf7c5..44644fd 100644 --- a/sys/srv/matrix.nix +++ b/sys/srv/matrix.nix @@ -1,10 +1,14 @@ -{ lib, pkgs, config, flakes, ... }: -with lib; -let +{ + lib, + pkgs, + config, + flakes, + ... +}: +with lib; let subdomain = "matrix.posixlycorrect.com"; baseUrl = "https://${subdomain}"; -in -{ +in { # ver https://nixos.org/manual/nixos/stable/#module-services-matrix services = { matrix-conduit = { 
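Review bot: The `ssl_verify_client on;` / `ssl_client_certificate ${../../pki/gatekeeper_ca.pem};` lines in the jitsi `extraConfig` hunk are the only place in the diff that gates a host behind client certificates, and nothing in the file records why or what `ssl_verify_depth 1;` is meant to allow. A short nginx comment above them would help the next reader, e.g. `# meet.* is reachable only with a client certificate from the gatekeeper CA; depth 1 is intended to accept only certificates signed directly by it (confirm)`. It is also worth noting there that interpolating the `.pem` path copies the file into the Nix store, which is normally world-readable — fine for a CA certificate, but it rules out ever placing a private key in that directory the same way. The `extraConfig` string and the virtualHost it belongs to extend past the hunk.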
@@ -23,37 +27,32 @@ in }; }; - nginx.virtualHosts = - let - clientConfig."m.homeserver".base_url = baseUrl; - serverConfig."m.server" = "${subdomain}:443"; - mkWellKnown = data: '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON data}'; - ''; - in - { - "posixlycorrect.com" = { - locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; - locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; - }; - "${subdomain}" = { - enableACME = true; - forceSSL = true; - extraConfig = '' - proxy_headers_hash_max_size 512; - proxy_headers_hash_bucket_size 128; - ''; - locations."/".extraConfig = '' - return 403; - ''; - locations."/_matrix".proxyPass = "http://[::1]:6167"; - locations."/_synapse/client".proxyPass = "http://[::1]:6167"; - - }; + nginx.virtualHosts = let + clientConfig."m.homeserver".base_url = baseUrl; + serverConfig."m.server" = "${subdomain}:443"; + mkWellKnown = data: '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON data}'; + ''; + in { + "posixlycorrect.com" = { + locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; + locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; }; - - + "${subdomain}" = { + enableACME = true; + forceSSL = true; + extraConfig = '' + proxy_headers_hash_max_size 512; + proxy_headers_hash_bucket_size 128; + ''; + locations."/".extraConfig = '' + return 403; + ''; + locations."/_matrix".proxyPass = "http://[::1]:6167"; + locations."/_synapse/client".proxyPass = "http://[::1]:6167"; + }; + }; }; } diff --git a/sys/srv/mediawiki.nix b/sys/srv/mediawiki.nix index 5483358..d07bd80 100644 --- a/sys/srv/mediawiki.nix +++ b/sys/srv/mediawiki.nix @@ -1,6 +1,10 @@ -{ lib, pkgs, flakes, ... }: -with lib; { + lib, + pkgs, + flakes, + ... +}: +with lib; { services = { nginx = { virtualHosts."wiki.posixlycorrect.com" = { 
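Review bot: The `"posixlycorrect.com"` virtualHost in this hunk declares only the two `.well-known/matrix` locations and no `forceSSL`/`enableACME`, while `"${subdomain}"` directly below gets both; Matrix clients and federating servers fetch `/.well-known/matrix/*` over HTTPS, so delegation depends on TLS for the apex host being configured in some other module (possibly the homepage one). That dependency deserves a comment on the vhost, e.g. `# TLS for the apex host is configured in <MODULE-PLACEHOLDER>; the well-known documents must be served over HTTPS`. Separately, `mkWellKnown` inlines `builtins.toJSON data` inside nginx's single-quoted `return 200 '…';`, which is correct for these two static attrsets but would break if a value ever contained a `'`; a one-line comment such as `# data is inlined verbatim into a single-quoted nginx string; keep it free of '` records that limit. The enclosing `services` set opens outside the hunk.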
@@ -9,7 +13,7 @@ with lib; extraConfig = '' proxy_headers_hash_max_size 512; proxy_headers_hash_bucket_size 128; - ''; + ''; }; }; mediawiki = { diff --git a/sys/srv/msmtp.nix b/sys/srv/msmtp.nix index 9dad406..89e9bae 100644 --- a/sys/srv/msmtp.nix +++ b/sys/srv/msmtp.nix @@ -1,9 +1,12 @@ -{ lib, pkgs, ... }: -with lib; { + lib, + pkgs, + ... +}: +with lib; { users.groups = { mailsenders = { - members = [ "fabian" "mediawiki" ]; + members = ["fabian" "mediawiki"]; }; }; diff --git a/sys/srv/net.nix b/sys/srv/net.nix index bad4a4b..9d22700 100644 --- a/sys/srv/net.nix +++ b/sys/srv/net.nix @@ -1,11 +1,14 @@ -{ lib, pkgs, ... }: -with lib; { + lib, + pkgs, + ... +}: +with lib; { networking = { nftables.enable = true; firewall = { enable = true; - allowedTCPPorts = [ 80 443 ]; + allowedTCPPorts = [80 443]; }; domain = "posixlycorrect.com"; }; @@ -36,7 +39,7 @@ with lib; fail2ban = { enable = true; bantime = "10m"; - ignoreIP = [ "37.205.12.34" ]; # Never ban the server's own IP + ignoreIP = ["37.205.12.34"]; # Never ban the server's own IP bantime-increment = { enable = true; formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; diff --git a/sys/srv/vaultwarden.nix b/sys/srv/vaultwarden.nix index ec1bce9..2b8dc91 100644 --- a/sys/srv/vaultwarden.nix +++ b/sys/srv/vaultwarden.nix @@ -1,6 +1,9 @@ -{ config, lib, ... }: -with lib; { + config, + lib, + ... +}: +with lib; { services = { nginx = { virtualHosts."vault.posixlycorrect.com" = { @@ -9,7 +12,7 @@ with lib; extraConfig = '' proxy_headers_hash_max_size 512; proxy_headers_hash_bucket_size 128; - ''; + ''; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; }; }; 
@@ -17,11 +20,13 @@ with lib; #fail2ban.jails.gitea.settings = { }; postgresql = { - ensureDatabases = [ "vaultwarden" ]; - ensureUsers = [{ - name = "vaultwarden"; - ensureDBOwnership = true; - }]; + ensureDatabases = ["vaultwarden"]; + ensureUsers = [ + { + name = "vaultwarden"; + ensureDBOwnership = true; + } + ]; }; vaultwarden = {
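Review bot: `#fail2ban.jails.gitea.settings = { };` at the top of this hunk is a commented-out placeholder that names gitea inside the vaultwarden module, which reads like a leftover copied from forgejo.nix and leaves open whether a jail for vaultwarden's login endpoint was ever intended. Either replace it with a real vaultwarden jail or delete the line so the intent is unambiguous; the commit only touches the postgresql lines below it. The `services` set containing it opens outside the hunk.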