fabian/nix
1
0
Fork 2
Code Issues 16 Pull requests Projects Releases Packages Wiki Activity

unified all nixos configurations

Browse source
This commit is contained in:
Fabian Montero 2024-11-20 17:52:37 -06:00
parent 001642dc94
commit 42530f5cfc
Signed by: fabian
GPG key ID: 1FFAC35E1798174F
32 changed files with 1054 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

2
flake.nix
View file

@ -68,7 +68,7 @@
inherit (pkgs.local.lib) importAll; inherit (pkgs.local.lib) importAll;
local = import ./pkgs; local = final: prev: import ./pkgs {inherit final prev flakes;};
in in
with pkgs.lib; { with pkgs.lib; {
formatter.${system} = pkgs.alejandra; formatter.${system} = pkgs.alejandra;

50
home/default.nix
View file

@ -1,4 +1,3 @@
#TODO: keys will not be shared in all platforms
{ {
flakes, flakes,
config, config,
@ -7,56 +6,7 @@
... ...
}: }:
with lib; { with lib; {
imports = [ imports = [
./modules ./modules
]; ];
xdg.enable = true;
programs = {
zsh = {
enable = true;
syntaxHighlighting.enable = true;
initExtra = import ./zshrc.nix pkgs;
};
git = {
enable = true;
userEmail = "fabian@posixlycorrect.com";
userName = "Fabian Montero";
signing = {
key = "7AA277E604A4173916BBB4E91FFAC35E1798174F";
signByDefault = true;
};
};
gpg = {
enable = true;
settings = {
default-key = "7AA277E604A4173916BBB4E91FFAC35E1798174F";
};
};
};
services.gpg-agent = {
enable = true;
enableZshIntegration = true;
pinentryPackage = pkgs.pinentry-emacs;
};
accounts.email.accounts = {
"fabian@posixlycorrect.com" = {
address = "fabian@posixlycorrect.com";
userName = "fabianmontero@fastmail.com";
realName = "fabian";
primary = true;
flavor = "fastmail.com";
gpg = {
encryptByDefault = true;
signByDefault = true;
key = "7AA277E604A4173916BBB4E91FFAC35E1798174F";
};
};
};
} }

16
home/modules/baseline.nix Normal file
View file

@ -0,0 +1,16 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.local.baseline;
in {
options.local.baseline = {
enable = mkEnableOption "Basic settings";
};
config = mkIf cfg.enable {
xdg.enable = true;
};
}

1
home/modules/default.nix
View file

@ -7,5 +7,6 @@
imports = [ imports = [
./terminal ./terminal
./neovim.nix ./neovim.nix
./baseline.nix
]; ];
} }

8
home/modules/neovim.nix
View file

@ -3,7 +3,7 @@
lib, lib,
pkgs, pkgs,
... ...
}: }:
with lib; let with lib; let
cfg = config.local.apps.neovim; cfg = config.local.apps.neovim;
in { in {
@ -19,10 +19,10 @@ in {
extraConfig = '' extraConfig = ''
set nobackup set nobackup
set showmatch " show matching set showmatch " show matching
set hlsearch " highlight search set hlsearch " highlight search
set incsearch " incremental search set incsearch " incremental search
set tabstop=4 " number of columns occupied by a tab set tabstop=4 " number of columns occupied by a tab
set softtabstop=4 " see multiple spaces as tabstops so <BS> does the right thing set softtabstop=4 " see multiple spaces as tabstops so <BS> does the right thing
set shiftwidth=4 " width for autoindents set shiftwidth=4 " width for autoindents
set autoindent " indent a new line the same amount as the line just typed set autoindent " indent a new line the same amount as the line just typed

45
home/modules/terminal/default.nix
View file

@ -33,5 +33,50 @@ in {
''; '';
}; };
}; };
programs.zsh = {
enable = true;
syntaxHighlighting.enable = true;
initExtra = import ./zshrc.nix pkgs;
};
programs.git = {
enable = true;
userEmail = "fabian@posixlycorrect.com";
userName = "Fabian Montero";
#signing = {
# key = "7AA277E604A4173916BBB4E91FFAC35E1798174F";
# signByDefault = true;
#};
};
programs.gpg = {
enable = true;
#settings = {
# default-key = "7AA277E604A4173916BBB4E91FFAC35E1798174F";
#};
};
services.gpg-agent = {
enable = true;
enableZshIntegration = true;
pinentryPackage = pkgs.pinentry-emacs;
};
accounts.email.accounts = {
"fabian@posixlycorrect.com" = {
address = "fabian@posixlycorrect.com";
userName = "fabianmontero@fastmail.com";
realName = "fabian";
primary = true;
flavor = "fastmail.com";
gpg = {
encryptByDefault = true;
signByDefault = true;
key = "7AA277E604A4173916BBB4E91FFAC35E1798174F";
};
};
};
}; };
} }

0
home/zshrc.nix → home/modules/terminal/zshrc.nix
View file

1
home/platforms/fabian@posixlycorrect/default.nix
View file

@ -12,6 +12,7 @@
./isolation.nix ./isolation.nix
]; ];
local.baseline = true;
local.apps.terminal.enable = true; local.apps.terminal.enable = true;
local.apps.neovim.enable = true; local.apps.neovim.enable = true;

29
home/platforms/fabian@vps/cli.nix Normal file
View file

@ -0,0 +1,29 @@
{
lib,
pkgs,
...
}:
with lib; {
programs = {
zsh = {
enable = true;
syntaxHighlighting.enable = true;
};
git = {
enable = true;
userEmail = "fabian@posixlycorrect.com";
userName = "fabian";
};
neovim.enable = true;
};
home.packages = with pkgs; [
file
htop
killall
man-pages
man-pages-posix
tree
zip
unzip
];
}

33
home/platforms/fabian@vps/default.nix Normal file
View file

@ -0,0 +1,33 @@
{
config,
pkgs,
lib,
flakes,
...
}:
with lib; {
imports = [
./cli.nix
];
home = {
stateVersion = "24.05"; # No tocar esto
username = "fabian";
homeDirectory = "/home/fabian";
sessionVariables = {
"EDITOR" = "nvim";
};
};
xdg.enable = true;
nix.registry = {
"system".to = {
type = "path";
path = "/home/fabian/nix";
};
"nixpkgs".flake = flakes.nixpkgs;
"unstable".flake = flakes.unstable;
};
}

8
pkgs/default.nix
View file

@ -1,7 +1,13 @@
final: prev: {
final,
prev,
flakes,
}:
with prev.lib; let with prev.lib; let
inherit (final) callPackage fetchpatch; inherit (final) callPackage fetchpatch;
in { in {
homepage = flakes.homepage.packages.${final.system}.default;
lib = callPackage ./lib {}; lib = callPackage ./lib {};
st = prev.st.override { st = prev.st.override {

1
sys/platforms/vps/cdn/factorio_blueprints/nauvis_science.txt Normal file
View file

File diff suppressed because one or more lines are too long

1
sys/platforms/vps/cdn/factorio_blueprints/red_circuits.txt Normal file
View file

File diff suppressed because one or more lines are too long

108
sys/platforms/vps/default.nix Normal file
View file

@ -0,0 +1,108 @@
{
config,
pkgs,
lib,
flakes,
...
}:
with lib; {
imports = [
flakes.vpsadminos.nixosConfigurations.container
flakes.home-manager.nixosModules.home-manager
flakes.impermanence.nixosModule
./srv
];
environment.systemPackages = with pkgs; [
vim
git
];
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {inherit flakes;};
users.fabian = {
imports = [
flakes.impermanence.nixosModules.home-manager.impermanence
"${flakes.self}/home/platforms/fabian@vps"
"${flakes.self}/home"
];
};
};
programs = {
zsh.enable = true;
fuse.userAllowOther = true;
};
networking.hostName = "vps";
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes repl-flake
'';
# No me interesa el global registry
settings.flake-registry = "";
};
users = {
users.fabian = {
isNormalUser = true;
uid = 1000;
group = "fabian";
shell = pkgs.zsh;
extraGroups = ["users" "wheel" "networkmanager" "dialout" "libvirtd"];
openssh.authorizedKeys.keyFiles = [pki/fabian.ssh];
};
groups.fabian.gid = 1000;
};
systemd.extraConfig = ''
DefaultTimeoutStartSec=900s
'';
security.dhparams = {
enable = true;
defaultBitSize = 4096;
};
fileSystems = {
"/mnt/export2008" = {
device = "172.16.129.19:/nas/5876";
fsType = "nfs";
options = ["nofail" "noatime"];
};
"/mnt/export2011" = {
device = "172.16.129.151:/nas/5876/bepasty";
fsType = "nfs";
options = ["nofail" "noatime" "noexec"];
};
};
services.earlyoom = {
enable = mkDefault true;
enableNotifications = true;
};
# Coredumps son un riesgo de seguridad y puden usar mucho disco
systemd.coredump.extraConfig = ''
Storage=none
ProcessSizeMax=0
'';
time.timeZone = "Europe/Amsterdam";
system.stateVersion = "24.05";
}

1
sys/platforms/vps/pki/fabian.ssh Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkK2Cg3dozG78AEA2OTzydezcKVnNTTj0MUJZcP/mrN fabian@posixlycorrect.com

25
sys/platforms/vps/pki/fabian_primary.gpg Normal file
View file

@ -0,0 +1,25 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZHlROBYJKwYBBAHaRw8BAQdAhzA1JCghQ6KoHOuf6JPQhEmchHLVXFVye4I2
pRUOUMO0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
PoiUBBMWCgA8FiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwMFCQlmAYAE
CwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEB/6w14XmBdPP2EA/i9ugFxpIFF6oOQs
clMfr+sNj6Il0OUTJK0dqpp4mGorAP0awa6nfhU8T1Ju7UWr6cfSmnL4bM6M/4Z3
D+AF/L5PBokCMwQQAQoAHRYhBOd6gIv5qVXWaO7qZHP6nJy18CSbBQJkeVKDAAoJ
EHP6nJy18CSbzTkP/Reio0ObRrRW+QSw62ZXrUG0mFcNeeoM9amldCToFRyGnSDu
wtZ9nqwLiTJ01VPBOsEZLsl4VonO3rdadqnMTZ3XqKK9VHBl6UNot3DQ8INDAcko
GW1zvEdxNkpMxhtAja0JkcBdG7+zxc2aEGeKfEna2qDXA+xtYw5+pssOWYMip7hm
jQ2NzYMYav2KYRBC7eXTkAIIIJi/l9pR1IwHtY3a0gfbkQymgCyt5wVG6LneYFIR
+ycNVCObwyP8gFASdId0bWnA23rkilc9ZBOCps/cGfDLM+KQ+sLAWBFBQyQeEjcv
tU+pLXncAEvWy/SFmprVSLDQMMooFaEJMZChojGcCkwAPG1twsihqIA3E44Q3/+G
K0gZN57jGMnfvuQiuLuttOMdu27KwEu++t3YUt0P6S4kARpx51zZJ7A2Yj2u22aM
7EL8qq6KTNdNoS7FgwQkrWbokdDZIl0HV+5TeMQfylPqOPhuFK/1A9qztqknBPVY
QUx2t6FZUgH9sT7uD+5gXxyeqmEIFo2i6D8G/4TEPbKtWivJfeOqDEBn4QEY2nvE
zgJLLU5XCv9xPz5rizRCa+h+kg+i4mH6fLCBCCAPXsbAAo0gUlGJvX4slPh7uPOa
T2r7A/7uezResBzP/L/vostlmjO5c8cOl9Wc6D1kRZq17/AjMUgy6+KR3iVnuDgE
ZHlROBIKKwYBBAGXVQEFAQEHQPRbCS2p8xpt3fRxfyRnDOdH9pULY4NtGmZUS0ve
ZGkTAwEIB4h+BBgWCgAmFiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwwF
CQlmAYAACgkQH/rDXheYF0/65AD+LtDeedCYv9zs+1Ia3DvejVZM256WEH+dRH5h
Pm3RzQ8A/2+bXRnfsgGqacj/kKEL3spuos95ngRNRkrQ39nc1koP
=PAxr
-----END PGP PUBLIC KEY BLOCK-----

19
sys/platforms/vps/pki/fabian_yubikey.gpg Normal file
View file

@ -0,0 +1,19 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZukhMBYJKwYBBAHaRw8BAQdAC/Gy2p7RPFw3k+ROFnKpJvCVqQb+BUYboE2u
CP1kz/C0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
PoiTBBMWCgA7FiEEcgbY7iR0898Y6odvDsFpH/jBqB8FAmbpITACGwMFCwkIBwIC
IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQDsFpH/jBqB+oGwEAhmegCZJAt8Opv/9+
HBbL51f2035qymHPgkV/SyFM1GEBAOVQY6A5U+NrLNiaQTN5Z7jcfQuBobzk4ksn
RzROhTcAiHUEEBYKAB0WIQR6onfmBKQXORa7tOkf+sNeF5gXTwUCZutnFQAKCRAf
+sNeF5gXT1juAQDsH/lDorfMdWxuP87eV9OP8jQvibuTuZ9n2jUllXsLcQEA5gDJ
05NW5Tw2g9mvlrocWr7N2/PC5UvFct4akwDXtA+4MwRm6SEwFgkrBgEEAdpHDwEB
B0AHSmncE+krtL9ZGe4eq865vjaLiUAVnZQaVObKm11CBYh4BBgWCgAgFiEEcgbY
7iR0898Y6odvDsFpH/jBqB8FAmbpITACGyAACgkQDsFpH/jBqB+hBwD/Y9vAcbPG
CTmZvtgYlZW5Oey5T3hHoANv1THOZwv9G58BALEBZRvDztmYPjRaMyAMonrpc2P0
GPHYLcqCPVbjkaAKuDgEZukhMBIKKwYBBAGXVQEFAQEHQC2+QJcHEJjdZikBYeMj
ks53MjfeawAXU31KtAU60KACAwEIB4h4BBgWCgAgFiEEcgbY7iR0898Y6odvDsFp
H/jBqB8FAmbpITACGwwACgkQDsFpH/jBqB+0TwD+K4IcFstNGLrijlgH2zuQaI+p
8QT8AInjSpGfC4zcMlEBAIVYvdTYw4IXPSQOs0qPyR0nhfGIeoBMeWrAAfoxQ0oB
=wpc0
-----END PGP PUBLIC KEY BLOCK-----

110
sys/platforms/vps/srv/authentik.nix Normal file
View file

@ -0,0 +1,110 @@
{
lib,
pkgs,
flakes,
...
}:
with lib; {
imports = [flakes.authentik-nix.nixosModules.default];
options = {
services.nginx.virtualHosts = mkOption {
type = with lib.types;
attrsOf (
submodule
(
{config, ...}: {
options = {
enableAuthentik = mkOption {
default = false;
type = bool;
};
locations = mkOption {
type = attrsOf (
submodule {
config = mkIf config.enableAuthentik {
extraConfig = ''
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
'';
};
}
);
};
};
config = mkIf config.enableAuthentik {
extraConfig = ''
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location /outpost.goauthentik.io {
proxy_pass http://localhost:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
proxy_redirect http://localhost:9000 https://auth.posixlycorrect.com;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
# required for POST requests to work
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
'';
};
}
)
);
};
};
config = {
services = {
authentik = {
enable = true;
environmentFile = "/var/trust/authentik/authentik-env";
nginx = {
enable = true;
enableACME = true;
host = "auth.posixlycorrect.com";
};
settings = {
email = {
host = "smtp.fastmail.com";
port = 587;
username = "fabianmontero@fastmail.com";
use_tls = true;
use_ssl = false;
from = "auth@posixlycorrect.com";
};
disable_startup_analytics = true;
avatars = "initials";
};
};
};
};
}

40
sys/platforms/vps/srv/bepasty.nix Normal file
View file

@ -0,0 +1,40 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."send.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:8989";
};
};
};
bepasty = {
enable = true;
servers = {
"send" = {
bind = "127.0.0.1:8989";
secretKeyFile = "/var/trust/bepasty/secretKeyFile";
dataDir = "/mnt/export2011/data";
defaultPermissions = "read,create,delete";
extraConfig = ''
SITENAME = 'send.posixlycorrect.com'
MAX_ALLOWED_FILE_SIZE = 4 * 1000 * 1000 * 1000
SESSION_COOKIE_SECURE = True
ASCIINEMA_THEME = 'asciinema'
'';
};
};
};
};
}

25
sys/platforms/vps/srv/default.nix Normal file
View file

@ -0,0 +1,25 @@
{
config,
pkgs,
lib,
flakes,
...
}:
with lib; {
imports = [
./net.nix
./mediawiki.nix
# ./jitsi.nix
# ./matrix.nix currently not being used
./forgejo.nix
./vaultwarden.nix
# ./bepasty.nix
# ./jellyfin.nix
./msmtp.nix
./kuma.nix
# ./authentik.nix consumes too much RAM and serves no purpose for now
./paperless.nix
./trilium.nix
./firefly.nix
];
}

33
sys/platforms/vps/srv/firefly.nix Normal file
View file

@ -0,0 +1,33 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."firefly.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
firefly-iii = {
enable = true;
user = "firefly-iii";
dataDir = "/var/lib/firefly-iii";
enableNginx = true;
virtualHost = "firefly.posixlycorrect.com";
settings = {
SITE_OWNER = "fabian@posixlycorrect.com";
DB_CONNECTION = "sqlite";
APP_ENV = "local";
APP_KEY_FILE = "/var/trust/firefly/key_file";
};
};
};
}

64
sys/platforms/vps/srv/forgejo.nix Normal file
View file

@ -0,0 +1,64 @@
{
config,
lib,
...
}:
with lib; {
config = {
environment.etc."fail2ban/filter.d/gitea.local".text = ''
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
'';
services = {
nginx = {
virtualHosts."git.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".proxyPass = "http://localhost:9170";
};
};
fail2ban.jails.gitea.settings = {
filter = "gitea";
logpath = "${config.services.gitea.stateDir}/log/gitea.log";
maxretry = "10";
findtime = "3600";
bantime = "900";
action = "iptables-allports";
};
forgejo = {
enable = true;
lfs.enable = true;
useWizard = false;
settings = {
general.APP_NAME = "posixlycorrect";
ui.DEFAULT_THEME = "forgejo-dark";
server = {
DOMAIN = "git.posixlycorrect.com";
ROOT_URL = "https://git.posixlycorrect.com";
HTTP_PORT = 9170;
LANDING_PAGE = "explore";
};
# You can temporarily allow registration to create an admin user.
service.DISABLE_REGISTRATION = true;
# ver https://github.com/nektos/act
actions = {
ENABLED = false;
};
mailer = {
ENABLED = false;
};
};
};
};
};
}

30
sys/platforms/vps/srv/jellyfin.nix Normal file
View file

@ -0,0 +1,30 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."stream.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://localhost:8096";
};
};
};
jellyfin = {
enable = true;
user = "jellyfin";
group = "jellyfin";
dataDir = "/mnt/export2008/jellyfin/dataDir";
cacheDir = "/mnt/export2008/jellyfin/cacheDir";
};
};
}

35
sys/platforms/vps/srv/jitsi.nix Normal file
View file

@ -0,0 +1,35 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."meet.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
jitsi-meet = {
enable = true;
hostName = "meet.posixlycorrect.com";
nginx.enable = true;
config = {
enableWelcomePage = true;
prejoinPageEnabled = true;
defaultLang = "en";
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
jitsi-videobridge.openFirewall = true;
};
}

29
sys/platforms/vps/srv/kuma.nix Normal file
View file

@ -0,0 +1,29 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."status.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:4456";
};
};
};
uptime-kuma = {
enable = true;
settings = {
HOST = "127.0.0.1";
PORT = "4456";
};
};
};
}

58
sys/platforms/vps/srv/matrix.nix Normal file
View file

@ -0,0 +1,58 @@
{
lib,
pkgs,
config,
flakes,
...
}:
with lib; let
subdomain = "matrix.posixlycorrect.com";
baseUrl = "https://${subdomain}";
in {
# ver https://nixos.org/manual/nixos/stable/#module-services-matrix
services = {
matrix-conduit = {
enable = true;
package = flakes.conduwuit.packages.${pkgs.system}.default;
settings.global = {
address = "::1";
port = 6167;
allow_encryption = true;
allow_federation = true;
allow_registration = false;
database_backend = "rocksdb";
server_name = "posixlycorrect.com";
allow_check_for_updates = true;
new_user_displayname_suffix = "";
};
};
nginx.virtualHosts = let
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${subdomain}:443";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
"posixlycorrect.com" = {
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
"${subdomain}" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".extraConfig = ''
return 403;
'';
locations."/_matrix".proxyPass = "http://[::1]:6167";
locations."/_synapse/client".proxyPass = "http://[::1]:6167";
};
};
};
}

77
sys/platforms/vps/srv/mediawiki.nix Normal file
View file

@ -0,0 +1,77 @@
{
lib,
pkgs,
flakes,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."wiki.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
mediawiki = {
enable = true;
name = "posixlycorrect wiki";
webserver = "nginx";
nginx.hostName = "wiki.posixlycorrect.com";
database.type = "postgres";
passwordFile = "/run/keys/mediawiki-password";
skins = {
citizen = "${flakes.mediawikiSkinCitizen}";
};
extraConfig = ''
# Disable anonymous editing and account creation
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgDefaultSkin = 'citizen';
$wgDefaultMobileSkin = 'citizen';
$wgCitizenThemeDefault = 'dark';
$wgCitizenShowPageTools = 'login';
$wgLogos = [
'icon' => "https://posixlycorrect.com/favicon.png",
'1x' => "https://posixlycorrect.com/favicon.png",
'2x' => "https://posixlycorrect.com/favicon.png",
];
$wgEnableEmail = false; #TODO: arreglar esto
$wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
$wgEmergencyContact = 'mediawiki@posixlycorrect.com';
$wgPasswordSender = 'mediawiki@posixlycorrect.com';
'';
extensions = {
# some extensions are included and can enabled by passing null
VisualEditor = null;
CategoryTree = null;
CiteThisPage = null;
Scribunto = null;
Cite = null;
CodeEditor = null;
Math = null;
MultimediaViewer = null;
PdfHandler = null;
Poem = null;
SecureLinkFixer = null;
WikiEditor = null;
ParserFunctions = null;
TemplateStyles = pkgs.fetchzip {
url = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/TemplateStyles/+archive/refs/heads/wmf/1.42.0-wmf.9.tar.gz";
sha256 = "sha256-+EOwkDU8L0qQ4Wo3WDqNug4Pyz/PUhOiHKmNcFJO4G0=";
stripRoot = false;
};
};
};
};
}

35
sys/platforms/vps/srv/msmtp.nix Normal file
View file

@ -0,0 +1,35 @@
{
lib,
pkgs,
...
}:
with lib; {
users.groups = {
mailsenders = {
members = ["fabian" "mediawiki"];
};
};
# esto sirve para que PHP pueda accesar la clave smtp de fastmail
#systemd.services.phpfpm-mediawiki = {
# path = [ "/run/wrappers" ];
# serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
#};
programs = {
msmtp = {
enable = true;
accounts = {
default = {
auth = true;
host = "smtp.fastmail.com";
port = 587;
passwordeval = "cat /var/trust/fastmail/smtp_key";
user = "fabianmontero@fastmail.com";
tls = true;
tls_starttls = true;
};
};
};
};
}

92
sys/platforms/vps/srv/net.nix Normal file
View file

@ -0,0 +1,92 @@
{
lib,
pkgs,
...
}:
with lib; {
networking = {
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [80 443];
};
domain = "posixlycorrect.com";
};
# ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
security.acme = {
acceptTerms = true;
defaults.email = "fabian@posixlycorrect.com";
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
logError = "/var/log/nginx/error.log";
clientMaxBodySize = "99M";
virtualHosts = {
"posixlycorrect.com" = {
forceSSL = true;
enableACME = true;
locations = {
"/".root = "${pkgs.local.homepage}";
"~ ^/pki(?:/(.*))?$" = {
# https://serverfault.com/a/476368
alias = "${../pki}/$1";
extraConfig = ''
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
autoindex_format html;
'';
};
"~ ^/factorio_blueprints(?:/(.*))?$" = {
# https://serverfault.com/a/476368
alias = "${../cdn/factorio_blueprints}/$1";
extraConfig = ''
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
autoindex_format html;
'';
};
};
};
};
};
fail2ban = {
enable = true;
bantime = "10m";
ignoreIP = ["37.205.12.34"]; # Never ban the server's own IP
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
maxtime = "48h"; # Do not ban for more than 48h
rndtime = "10m";
overalljails = true; # Calculate the bantime based on all the violations
};
jails = {
# https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
nginx-botsearch.settings = {
# Usar log en vez de journalctl
# TODO: Pasar todo a systemd?
backend = "pyinotify";
logpath = "/var/log/nginx/*.log";
journalmatch = "";
};
nginx-bad-request.settings = {
backend = "pyinotify";
logpath = "/var/log/nginx/*.log";
journalmatch = "";
maxretry = 10;
};
};
};
};
}

39
sys/platforms/vps/srv/paperless.nix Normal file
View file

@ -0,0 +1,39 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."docs.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:28981";
};
};
};
paperless = {
enable = true;
user = "paperless";
passwordFile = "/var/trust/paperless/passwordFile";
openMPThreadingWorkaround = true; # see https://github.com/NixOS/nixpkgs/issues/240591
address = "127.0.0.1";
port = 28981;
settings = {
PAPERLESS_URL = "docs.posixlycorrect.com";
PAPERLESS_OCR_LANGUAGE = "eng+spa";
PAPERLESS_APP_TITLE = "posixlycorrect";
PAPERLESS_OCR_USER_ARGS = {
"invalidate_digital_signatures" = true;
};
};
};
};
}

32
sys/platforms/vps/srv/trilium.nix Normal file
View file

@ -0,0 +1,32 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."notes.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
trilium-server = {
enable = true;
host = "127.0.0.1";
port = 8458;
noAuthentication = false;
instanceName = "posixlycorrect";
dataDir = "/var/lib/trilium";
nginx = {
enable = true;
hostName = "notes.posixlycorrect.com";
};
};
};
}

63
sys/platforms/vps/srv/vaultwarden.nix Normal file
View file

@ -0,0 +1,63 @@
{
config,
lib,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."vault.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
};
#fail2ban.jails.gitea.settings = { };
postgresql = {
ensureDatabases = ["vaultwarden"];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = "/var/trust/vaultwarden/smtp_key";
config = {
DOMAIN = "https://vault.posixlycorrect.com";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# Using FASTMAIL mail server
# If you use an external mail server, follow:
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
SMTP_HOST = "smtp.fastmail.com";
SMTP_PORT = 587;
SMTP_SECURITY = "starttls";
SMTP_FROM = "vault@posixlycorrect.com";
SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
SMTP_AUTH_MECHANISM = "PLAIN";
DATABASE_URL = "postgresql:///vaultwarden";
};
};
bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
};
}