unified all nixos configurations

sys/platforms/vps/default.nix

@@ -0,0 +1,108 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+    flakes.vpsadminos.nixosConfigurations.container
+    flakes.home-manager.nixosModules.home-manager
+    flakes.impermanence.nixosModule
+    ./srv
+  ];
+
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+  ];
+
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+  };
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+
+    extraSpecialArgs = {inherit flakes;};
+
+    users.fabian = {
+      imports = [
+        flakes.impermanence.nixosModules.home-manager.impermanence
+        "${flakes.self}/home/platforms/fabian@vps"
+        "${flakes.self}/home"
+      ];
+    };
+  };
+
+  programs = {
+    zsh.enable = true;
+    fuse.userAllowOther = true;
+  };
+
+  networking.hostName = "vps";
+
+  nix = {
+    package = pkgs.nixFlakes;
+
+    extraOptions = ''
+      experimental-features = nix-command flakes repl-flake
+    '';
+
+    # No me interesa el global registry
+    settings.flake-registry = "";
+  };
+
+  users = {
+    users.fabian = {
+      isNormalUser = true;
+      uid = 1000;
+      group = "fabian";
+      shell = pkgs.zsh;
+      extraGroups = ["users" "wheel" "networkmanager" "dialout" "libvirtd"];
+      openssh.authorizedKeys.keyFiles = [pki/fabian.ssh];
+    };
+    groups.fabian.gid = 1000;
+  };
+
+  systemd.extraConfig = ''
+    DefaultTimeoutStartSec=900s
+  '';
+
+  security.dhparams = {
+    enable = true;
+    defaultBitSize = 4096;
+  };
+
+  fileSystems = {
+    "/mnt/export2008" = {
+      device = "172.16.129.19:/nas/5876";
+      fsType = "nfs";
+      options = ["nofail" "noatime"];
+    };
+
+    "/mnt/export2011" = {
+      device = "172.16.129.151:/nas/5876/bepasty";
+      fsType = "nfs";
+      options = ["nofail" "noatime" "noexec"];
+    };
+  };
+
+  services.earlyoom = {
+    enable = mkDefault true;
+    enableNotifications = true;
+  };
+
+  # Coredumps son un riesgo de seguridad y puden usar mucho disco
+  systemd.coredump.extraConfig = ''
+    Storage=none
+    ProcessSizeMax=0
+  '';
+
+  time.timeZone = "Europe/Amsterdam";
+
+  system.stateVersion = "24.05";
+}

sys/platforms/vps/pki/fabian.ssh

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkK2Cg3dozG78AEA2OTzydezcKVnNTTj0MUJZcP/mrN fabian@posixlycorrect.com

sys/platforms/vps/pki/fabian_primary.gpg

@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZHlROBYJKwYBBAHaRw8BAQdAhzA1JCghQ6KoHOuf6JPQhEmchHLVXFVye4I2
+pRUOUMO0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
+PoiUBBMWCgA8FiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwMFCQlmAYAE
+CwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEB/6w14XmBdPP2EA/i9ugFxpIFF6oOQs
+clMfr+sNj6Il0OUTJK0dqpp4mGorAP0awa6nfhU8T1Ju7UWr6cfSmnL4bM6M/4Z3
+D+AF/L5PBokCMwQQAQoAHRYhBOd6gIv5qVXWaO7qZHP6nJy18CSbBQJkeVKDAAoJ
+EHP6nJy18CSbzTkP/Reio0ObRrRW+QSw62ZXrUG0mFcNeeoM9amldCToFRyGnSDu
+wtZ9nqwLiTJ01VPBOsEZLsl4VonO3rdadqnMTZ3XqKK9VHBl6UNot3DQ8INDAcko
+GW1zvEdxNkpMxhtAja0JkcBdG7+zxc2aEGeKfEna2qDXA+xtYw5+pssOWYMip7hm
+jQ2NzYMYav2KYRBC7eXTkAIIIJi/l9pR1IwHtY3a0gfbkQymgCyt5wVG6LneYFIR
++ycNVCObwyP8gFASdId0bWnA23rkilc9ZBOCps/cGfDLM+KQ+sLAWBFBQyQeEjcv
+tU+pLXncAEvWy/SFmprVSLDQMMooFaEJMZChojGcCkwAPG1twsihqIA3E44Q3/+G
+K0gZN57jGMnfvuQiuLuttOMdu27KwEu++t3YUt0P6S4kARpx51zZJ7A2Yj2u22aM
+7EL8qq6KTNdNoS7FgwQkrWbokdDZIl0HV+5TeMQfylPqOPhuFK/1A9qztqknBPVY
+QUx2t6FZUgH9sT7uD+5gXxyeqmEIFo2i6D8G/4TEPbKtWivJfeOqDEBn4QEY2nvE
+zgJLLU5XCv9xPz5rizRCa+h+kg+i4mH6fLCBCCAPXsbAAo0gUlGJvX4slPh7uPOa
+T2r7A/7uezResBzP/L/vostlmjO5c8cOl9Wc6D1kRZq17/AjMUgy6+KR3iVnuDgE
+ZHlROBIKKwYBBAGXVQEFAQEHQPRbCS2p8xpt3fRxfyRnDOdH9pULY4NtGmZUS0ve
+ZGkTAwEIB4h+BBgWCgAmFiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwwF
+CQlmAYAACgkQH/rDXheYF0/65AD+LtDeedCYv9zs+1Ia3DvejVZM256WEH+dRH5h
+Pm3RzQ8A/2+bXRnfsgGqacj/kKEL3spuos95ngRNRkrQ39nc1koP
+=PAxr
+-----END PGP PUBLIC KEY BLOCK-----

sys/platforms/vps/pki/fabian_yubikey.gpg

@@ -0,0 +1,19 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZukhMBYJKwYBBAHaRw8BAQdAC/Gy2p7RPFw3k+ROFnKpJvCVqQb+BUYboE2u
+CP1kz/C0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
+PoiTBBMWCgA7FiEEcgbY7iR0898Y6odvDsFpH/jBqB8FAmbpITACGwMFCwkIBwIC
+IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQDsFpH/jBqB+oGwEAhmegCZJAt8Opv/9+
+HBbL51f2035qymHPgkV/SyFM1GEBAOVQY6A5U+NrLNiaQTN5Z7jcfQuBobzk4ksn
+RzROhTcAiHUEEBYKAB0WIQR6onfmBKQXORa7tOkf+sNeF5gXTwUCZutnFQAKCRAf
++sNeF5gXT1juAQDsH/lDorfMdWxuP87eV9OP8jQvibuTuZ9n2jUllXsLcQEA5gDJ
+05NW5Tw2g9mvlrocWr7N2/PC5UvFct4akwDXtA+4MwRm6SEwFgkrBgEEAdpHDwEB
+B0AHSmncE+krtL9ZGe4eq865vjaLiUAVnZQaVObKm11CBYh4BBgWCgAgFiEEcgbY
+7iR0898Y6odvDsFpH/jBqB8FAmbpITACGyAACgkQDsFpH/jBqB+hBwD/Y9vAcbPG
+CTmZvtgYlZW5Oey5T3hHoANv1THOZwv9G58BALEBZRvDztmYPjRaMyAMonrpc2P0
+GPHYLcqCPVbjkaAKuDgEZukhMBIKKwYBBAGXVQEFAQEHQC2+QJcHEJjdZikBYeMj
+ks53MjfeawAXU31KtAU60KACAwEIB4h4BBgWCgAgFiEEcgbY7iR0898Y6odvDsFp
+H/jBqB8FAmbpITACGwwACgkQDsFpH/jBqB+0TwD+K4IcFstNGLrijlgH2zuQaI+p
+8QT8AInjSpGfC4zcMlEBAIVYvdTYw4IXPSQOs0qPyR0nhfGIeoBMeWrAAfoxQ0oB
+=wpc0
+-----END PGP PUBLIC KEY BLOCK-----

sys/platforms/vps/srv/authentik.nix

@@ -0,0 +1,110 @@
+{
+  lib,
+  pkgs,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [flakes.authentik-nix.nixosModules.default];
+
+  options = {
+    services.nginx.virtualHosts = mkOption {
+      type = with lib.types;
+        attrsOf (
+          submodule
+          (
+            {config, ...}: {
+              options = {
+                enableAuthentik = mkOption {
+                  default = false;
+                  type = bool;
+                };
+                locations = mkOption {
+                  type = attrsOf (
+                    submodule {
+                      config = mkIf config.enableAuthentik {
+                        extraConfig = ''
+                          auth_request        /outpost.goauthentik.io/auth/nginx;
+                          error_page          401 = @goauthentik_proxy_signin;
+                          auth_request_set $auth_cookie $upstream_http_set_cookie;
+                          add_header Set-Cookie $auth_cookie;
+
+                          # translate headers from the outposts back to the actual upstream
+                          auth_request_set $authentik_username $upstream_http_x_authentik_username;
+                          auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+                          auth_request_set $authentik_email $upstream_http_x_authentik_email;
+                          auth_request_set $authentik_name $upstream_http_x_authentik_name;
+                          auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+                          proxy_set_header X-authentik-username $authentik_username;
+                          proxy_set_header X-authentik-groups $authentik_groups;
+                          proxy_set_header X-authentik-email $authentik_email;
+                          proxy_set_header X-authentik-name $authentik_name;
+                          proxy_set_header X-authentik-uid $authentik_uid;
+                        '';
+                      };
+                    }
+                  );
+                };
+              };
+              config = mkIf config.enableAuthentik {
+                extraConfig = ''
+                  proxy_buffers 8 16k;
+                  proxy_buffer_size 32k;
+
+                  location /outpost.goauthentik.io {
+                    proxy_pass          http://localhost:9000/outpost.goauthentik.io;
+                    # ensure the host of this vserver matches your external URL you've configured
+                    # in authentik
+                    proxy_set_header    Host $host;
+                    proxy_redirect      http://localhost:9000 https://auth.posixlycorrect.com;
+                    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
+                    add_header          Set-Cookie $auth_cookie;
+                    auth_request_set    $auth_cookie $upstream_http_set_cookie;
+
+                    # required for POST requests to work
+                    proxy_pass_request_body off;
+                    proxy_set_header Content-Length "";
+                  }
+
+                  location @goauthentik_proxy_signin {
+                    internal;
+                    add_header Set-Cookie $auth_cookie;
+                    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+                    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+                    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+                  }
+                '';
+              };
+            }
+          )
+        );
+    };
+  };
+
+  config = {
+    services = {
+      authentik = {
+        enable = true;
+        environmentFile = "/var/trust/authentik/authentik-env";
+        nginx = {
+          enable = true;
+          enableACME = true;
+          host = "auth.posixlycorrect.com";
+        };
+        settings = {
+          email = {
+            host = "smtp.fastmail.com";
+            port = 587;
+            username = "fabianmontero@fastmail.com";
+            use_tls = true;
+            use_ssl = false;
+            from = "auth@posixlycorrect.com";
+          };
+          disable_startup_analytics = true;
+          avatars = "initials";
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/bepasty.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."send.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8989";
+        };
+      };
+    };
+
+    bepasty = {
+      enable = true;
+      servers = {
+        "send" = {
+          bind = "127.0.0.1:8989";
+          secretKeyFile = "/var/trust/bepasty/secretKeyFile";
+          dataDir = "/mnt/export2011/data";
+          defaultPermissions = "read,create,delete";
+          extraConfig = ''
+            SITENAME = 'send.posixlycorrect.com'
+            MAX_ALLOWED_FILE_SIZE = 4 * 1000 * 1000 * 1000
+            SESSION_COOKIE_SECURE = True
+            ASCIINEMA_THEME = 'asciinema'
+          '';
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/default.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [
+    ./net.nix
+    ./mediawiki.nix
+    # ./jitsi.nix
+    # ./matrix.nix currently not being used
+    ./forgejo.nix
+    ./vaultwarden.nix
+    # ./bepasty.nix
+    # ./jellyfin.nix
+    ./msmtp.nix
+    ./kuma.nix
+    # ./authentik.nix  consumes too much RAM and serves no purpose for now
+    ./paperless.nix
+    ./trilium.nix
+    ./firefly.nix
+  ];
+}

sys/platforms/vps/srv/firefly.nix

@@ -0,0 +1,33 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."firefly.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+
+    firefly-iii = {
+      enable = true;
+      user = "firefly-iii";
+      dataDir = "/var/lib/firefly-iii";
+      enableNginx = true;
+      virtualHost = "firefly.posixlycorrect.com";
+      settings = {
+        SITE_OWNER = "fabian@posixlycorrect.com";
+        DB_CONNECTION = "sqlite";
+        APP_ENV = "local";
+        APP_KEY_FILE = "/var/trust/firefly/key_file";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/forgejo.nix

@@ -0,0 +1,64 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  config = {
+    environment.etc."fail2ban/filter.d/gitea.local".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+    '';
+
+    services = {
+      nginx = {
+        virtualHosts."git.posixlycorrect.com" = {
+          enableACME = true;
+          forceSSL = true;
+          extraConfig = ''
+            proxy_headers_hash_max_size 512;
+            proxy_headers_hash_bucket_size 128;
+          '';
+          locations."/".proxyPass = "http://localhost:9170";
+        };
+      };
+
+      fail2ban.jails.gitea.settings = {
+        filter = "gitea";
+        logpath = "${config.services.gitea.stateDir}/log/gitea.log";
+        maxretry = "10";
+        findtime = "3600";
+        bantime = "900";
+        action = "iptables-allports";
+      };
+
+      forgejo = {
+        enable = true;
+        lfs.enable = true;
+        useWizard = false;
+        settings = {
+          general.APP_NAME = "posixlycorrect";
+          ui.DEFAULT_THEME = "forgejo-dark";
+          server = {
+            DOMAIN = "git.posixlycorrect.com";
+            ROOT_URL = "https://git.posixlycorrect.com";
+            HTTP_PORT = 9170;
+            LANDING_PAGE = "explore";
+          };
+
+          # You can temporarily allow registration to create an admin user.
+          service.DISABLE_REGISTRATION = true;
+
+          # ver https://github.com/nektos/act
+          actions = {
+            ENABLED = false;
+          };
+          mailer = {
+            ENABLED = false;
+          };
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/jellyfin.nix

@@ -0,0 +1,30 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."stream.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://localhost:8096";
+        };
+      };
+    };
+
+    jellyfin = {
+      enable = true;
+      user = "jellyfin";
+      group = "jellyfin";
+      dataDir = "/mnt/export2008/jellyfin/dataDir";
+      cacheDir = "/mnt/export2008/jellyfin/cacheDir";
+    };
+  };
+}

sys/platforms/vps/srv/jitsi.nix

@@ -0,0 +1,35 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."meet.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+
+    jitsi-meet = {
+      enable = true;
+      hostName = "meet.posixlycorrect.com";
+      nginx.enable = true;
+      config = {
+        enableWelcomePage = true;
+        prejoinPageEnabled = true;
+        defaultLang = "en";
+      };
+      interfaceConfig = {
+        SHOW_JITSI_WATERMARK = false;
+        SHOW_WATERMARK_FOR_GUESTS = false;
+      };
+    };
+    jitsi-videobridge.openFirewall = true;
+  };
+}

sys/platforms/vps/srv/kuma.nix

@@ -0,0 +1,29 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."status.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:4456";
+        };
+      };
+    };
+    uptime-kuma = {
+      enable = true;
+      settings = {
+        HOST = "127.0.0.1";
+        PORT = "4456";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/matrix.nix

@@ -0,0 +1,58 @@
+{
+  lib,
+  pkgs,
+  config,
+  flakes,
+  ...
+}:
+with lib; let
+  subdomain = "matrix.posixlycorrect.com";
+  baseUrl = "https://${subdomain}";
+in {
+  # ver https://nixos.org/manual/nixos/stable/#module-services-matrix
+  services = {
+    matrix-conduit = {
+      enable = true;
+      package = flakes.conduwuit.packages.${pkgs.system}.default;
+      settings.global = {
+        address = "::1";
+        port = 6167;
+        allow_encryption = true;
+        allow_federation = true;
+        allow_registration = false;
+        database_backend = "rocksdb";
+        server_name = "posixlycorrect.com";
+        allow_check_for_updates = true;
+        new_user_displayname_suffix = "";
+      };
+    };
+
+    nginx.virtualHosts = let
+      clientConfig."m.homeserver".base_url = baseUrl;
+      serverConfig."m.server" = "${subdomain}:443";
+      mkWellKnown = data: ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+        return 200 '${builtins.toJSON data}';
+      '';
+    in {
+      "posixlycorrect.com" = {
+        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+      };
+      "${subdomain}" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/".extraConfig = ''
+          return 403;
+        '';
+        locations."/_matrix".proxyPass = "http://[::1]:6167";
+        locations."/_synapse/client".proxyPass = "http://[::1]:6167";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/mediawiki.nix

@@ -0,0 +1,77 @@
+{
+  lib,
+  pkgs,
+  flakes,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."wiki.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+    mediawiki = {
+      enable = true;
+      name = "posixlycorrect wiki";
+      webserver = "nginx";
+      nginx.hostName = "wiki.posixlycorrect.com";
+      database.type = "postgres";
+
+      passwordFile = "/run/keys/mediawiki-password";
+
+      skins = {
+        citizen = "${flakes.mediawikiSkinCitizen}";
+      };
+
+      extraConfig = ''
+        # Disable anonymous editing and account creation
+        $wgGroupPermissions['*']['edit'] = false;
+        $wgGroupPermissions['*']['createaccount'] = false;
+
+        $wgDefaultSkin = 'citizen';
+        $wgDefaultMobileSkin = 'citizen';
+        $wgCitizenThemeDefault = 'dark';
+        $wgCitizenShowPageTools = 'login';
+        $wgLogos = [
+          'icon' => "https://posixlycorrect.com/favicon.png",
+          '1x' => "https://posixlycorrect.com/favicon.png",
+          '2x' => "https://posixlycorrect.com/favicon.png",
+        ];
+
+        $wgEnableEmail = false; #TODO: arreglar esto
+        $wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
+        $wgEmergencyContact = 'mediawiki@posixlycorrect.com';
+        $wgPasswordSender = 'mediawiki@posixlycorrect.com';
+      '';
+
+      extensions = {
+        # some extensions are included and can enabled by passing null
+        VisualEditor = null;
+        CategoryTree = null;
+        CiteThisPage = null;
+        Scribunto = null;
+        Cite = null;
+        CodeEditor = null;
+        Math = null;
+        MultimediaViewer = null;
+        PdfHandler = null;
+        Poem = null;
+        SecureLinkFixer = null;
+        WikiEditor = null;
+        ParserFunctions = null;
+
+        TemplateStyles = pkgs.fetchzip {
+          url = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/TemplateStyles/+archive/refs/heads/wmf/1.42.0-wmf.9.tar.gz";
+          sha256 = "sha256-+EOwkDU8L0qQ4Wo3WDqNug4Pyz/PUhOiHKmNcFJO4G0=";
+          stripRoot = false;
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/msmtp.nix

@@ -0,0 +1,35 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  users.groups = {
+    mailsenders = {
+      members = ["fabian" "mediawiki"];
+    };
+  };
+
+  # esto sirve para que PHP pueda accesar la clave smtp de fastmail
+  #systemd.services.phpfpm-mediawiki = {
+  #  path = [ "/run/wrappers" ];
+  #  serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
+  #};
+
+  programs = {
+    msmtp = {
+      enable = true;
+      accounts = {
+        default = {
+          auth = true;
+          host = "smtp.fastmail.com";
+          port = 587;
+          passwordeval = "cat /var/trust/fastmail/smtp_key";
+          user = "fabianmontero@fastmail.com";
+          tls = true;
+          tls_starttls = true;
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/net.nix

@@ -0,0 +1,92 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  networking = {
+    nftables.enable = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [80 443];
+    };
+    domain = "posixlycorrect.com";
+  };
+
+  # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "fabian@posixlycorrect.com";
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      logError = "/var/log/nginx/error.log";
+      clientMaxBodySize = "99M";
+      virtualHosts = {
+        "posixlycorrect.com" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {
+            "/".root = "${pkgs.local.homepage}";
+
+            "~ ^/pki(?:/(.*))?$" = {
+              # https://serverfault.com/a/476368
+              alias = "${../pki}/$1";
+              extraConfig = ''
+                autoindex on;
+                autoindex_exact_size on;
+                autoindex_localtime on;
+                autoindex_format html;
+              '';
+            };
+
+            "~ ^/factorio_blueprints(?:/(.*))?$" = {
+              # https://serverfault.com/a/476368
+              alias = "${../cdn/factorio_blueprints}/$1";
+              extraConfig = ''
+                autoindex on;
+                autoindex_exact_size on;
+                autoindex_localtime on;
+                autoindex_format html;
+              '';
+            };
+          };
+        };
+      };
+    };
+    fail2ban = {
+      enable = true;
+      bantime = "10m";
+      ignoreIP = ["37.205.12.34"]; # Never ban the server's own IP
+      bantime-increment = {
+        enable = true;
+        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+        maxtime = "48h"; # Do not ban for more than 48h
+        rndtime = "10m";
+        overalljails = true; # Calculate the bantime based on all the violations
+      };
+      jails = {
+        # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+        nginx-botsearch.settings = {
+          # Usar log en vez de journalctl
+          # TODO: Pasar todo a systemd?
+          backend = "pyinotify";
+          logpath = "/var/log/nginx/*.log";
+          journalmatch = "";
+        };
+        nginx-bad-request.settings = {
+          backend = "pyinotify";
+          logpath = "/var/log/nginx/*.log";
+          journalmatch = "";
+          maxretry = 10;
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/paperless.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."docs.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:28981";
+        };
+      };
+    };
+
+    paperless = {
+      enable = true;
+      user = "paperless";
+      passwordFile = "/var/trust/paperless/passwordFile";
+      openMPThreadingWorkaround = true; # see https://github.com/NixOS/nixpkgs/issues/240591
+      address = "127.0.0.1";
+      port = 28981;
+      settings = {
+        PAPERLESS_URL = "docs.posixlycorrect.com";
+        PAPERLESS_OCR_LANGUAGE = "eng+spa";
+        PAPERLESS_APP_TITLE = "posixlycorrect";
+        PAPERLESS_OCR_USER_ARGS = {
+          "invalidate_digital_signatures" = true;
+        };
+      };
+    };
+  };
+}

sys/platforms/vps/srv/trilium.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."notes.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+      };
+    };
+
+    trilium-server = {
+      enable = true;
+      host = "127.0.0.1";
+      port = 8458;
+      noAuthentication = false;
+      instanceName = "posixlycorrect";
+      dataDir = "/var/lib/trilium";
+      nginx = {
+        enable = true;
+        hostName = "notes.posixlycorrect.com";
+      };
+    };
+  };
+}

sys/platforms/vps/srv/vaultwarden.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  services = {
+    nginx = {
+      virtualHosts."vault.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          proxy_headers_hash_max_size 512;
+          proxy_headers_hash_bucket_size 128;
+        '';
+        locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+      };
+    };
+
+    #fail2ban.jails.gitea.settings = { };
+
+    postgresql = {
+      ensureDatabases = ["vaultwarden"];
+      ensureUsers = [
+        {
+          name = "vaultwarden";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    vaultwarden = {
+      enable = true;
+      dbBackend = "postgresql";
+      environmentFile = "/var/trust/vaultwarden/smtp_key";
+      config = {
+        DOMAIN = "https://vault.posixlycorrect.com";
+        SIGNUPS_ALLOWED = false;
+
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+
+        ROCKET_LOG = "critical";
+
+        # Using FASTMAIL mail server
+        # If you use an external mail server, follow:
+        #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+        SMTP_HOST = "smtp.fastmail.com";
+        SMTP_PORT = 587;
+        SMTP_SECURITY = "starttls";
+
+        SMTP_FROM = "vault@posixlycorrect.com";
+        SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
+
+        SMTP_AUTH_MECHANISM = "PLAIN";
+
+        DATABASE_URL = "postgresql:///vaultwarden";
+      };
+    };
+
+    bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
+  };
+}