fabian/nix_config
1
0
Fork 2
Code Issues 13 Pull requests Projects Releases Packages Wiki Activity

unified all nixos configurations

Browse source
This commit is contained in:
Fabian Montero 2024-11-20 17:52:37 -06:00
parent 001642dc94
commit 42530f5cfc
Signed by: fabian
GPG key ID: 1FFAC35E1798174F
32 changed files with 1054 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

110
sys/platforms/vps/srv/authentik.nix Normal file
View file

@ -0,0 +1,110 @@
{
lib,
pkgs,
flakes,
...
}:
with lib; {
imports = [flakes.authentik-nix.nixosModules.default];
options = {
services.nginx.virtualHosts = mkOption {
type = with lib.types;
attrsOf (
submodule
(
{config, ...}: {
options = {
enableAuthentik = mkOption {
default = false;
type = bool;
};
locations = mkOption {
type = attrsOf (
submodule {
config = mkIf config.enableAuthentik {
extraConfig = ''
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
'';
};
}
);
};
};
config = mkIf config.enableAuthentik {
extraConfig = ''
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location /outpost.goauthentik.io {
proxy_pass http://localhost:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
proxy_redirect http://localhost:9000 https://auth.posixlycorrect.com;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
# required for POST requests to work
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
'';
};
}
)
);
};
};
config = {
services = {
authentik = {
enable = true;
environmentFile = "/var/trust/authentik/authentik-env";
nginx = {
enable = true;
enableACME = true;
host = "auth.posixlycorrect.com";
};
settings = {
email = {
host = "smtp.fastmail.com";
port = 587;
username = "fabianmontero@fastmail.com";
use_tls = true;
use_ssl = false;
from = "auth@posixlycorrect.com";
};
disable_startup_analytics = true;
avatars = "initials";
};
};
};
};
}

40
sys/platforms/vps/srv/bepasty.nix Normal file
View file

@ -0,0 +1,40 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."send.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:8989";
};
};
};
bepasty = {
enable = true;
servers = {
"send" = {
bind = "127.0.0.1:8989";
secretKeyFile = "/var/trust/bepasty/secretKeyFile";
dataDir = "/mnt/export2011/data";
defaultPermissions = "read,create,delete";
extraConfig = ''
SITENAME = 'send.posixlycorrect.com'
MAX_ALLOWED_FILE_SIZE = 4 * 1000 * 1000 * 1000
SESSION_COOKIE_SECURE = True
ASCIINEMA_THEME = 'asciinema'
'';
};
};
};
};
}

25
sys/platforms/vps/srv/default.nix Normal file
View file

@ -0,0 +1,25 @@
{
config,
pkgs,
lib,
flakes,
...
}:
with lib; {
imports = [
./net.nix
./mediawiki.nix
# ./jitsi.nix
# ./matrix.nix currently not being used
./forgejo.nix
./vaultwarden.nix
# ./bepasty.nix
# ./jellyfin.nix
./msmtp.nix
./kuma.nix
# ./authentik.nix consumes too much RAM and serves no purpose for now
./paperless.nix
./trilium.nix
./firefly.nix
];
}

33
sys/platforms/vps/srv/firefly.nix Normal file
View file

@ -0,0 +1,33 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."firefly.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
firefly-iii = {
enable = true;
user = "firefly-iii";
dataDir = "/var/lib/firefly-iii";
enableNginx = true;
virtualHost = "firefly.posixlycorrect.com";
settings = {
SITE_OWNER = "fabian@posixlycorrect.com";
DB_CONNECTION = "sqlite";
APP_ENV = "local";
APP_KEY_FILE = "/var/trust/firefly/key_file";
};
};
};
}

64
sys/platforms/vps/srv/forgejo.nix Normal file
View file

@ -0,0 +1,64 @@
{
config,
lib,
...
}:
with lib; {
config = {
environment.etc."fail2ban/filter.d/gitea.local".text = ''
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
'';
services = {
nginx = {
virtualHosts."git.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".proxyPass = "http://localhost:9170";
};
};
fail2ban.jails.gitea.settings = {
filter = "gitea";
logpath = "${config.services.gitea.stateDir}/log/gitea.log";
maxretry = "10";
findtime = "3600";
bantime = "900";
action = "iptables-allports";
};
forgejo = {
enable = true;
lfs.enable = true;
useWizard = false;
settings = {
general.APP_NAME = "posixlycorrect";
ui.DEFAULT_THEME = "forgejo-dark";
server = {
DOMAIN = "git.posixlycorrect.com";
ROOT_URL = "https://git.posixlycorrect.com";
HTTP_PORT = 9170;
LANDING_PAGE = "explore";
};
# You can temporarily allow registration to create an admin user.
service.DISABLE_REGISTRATION = true;
# ver https://github.com/nektos/act
actions = {
ENABLED = false;
};
mailer = {
ENABLED = false;
};
};
};
};
};
}

30
sys/platforms/vps/srv/jellyfin.nix Normal file
View file

@ -0,0 +1,30 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."stream.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://localhost:8096";
};
};
};
jellyfin = {
enable = true;
user = "jellyfin";
group = "jellyfin";
dataDir = "/mnt/export2008/jellyfin/dataDir";
cacheDir = "/mnt/export2008/jellyfin/cacheDir";
};
};
}

35
sys/platforms/vps/srv/jitsi.nix Normal file
View file

@ -0,0 +1,35 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."meet.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
jitsi-meet = {
enable = true;
hostName = "meet.posixlycorrect.com";
nginx.enable = true;
config = {
enableWelcomePage = true;
prejoinPageEnabled = true;
defaultLang = "en";
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
jitsi-videobridge.openFirewall = true;
};
}

29
sys/platforms/vps/srv/kuma.nix Normal file
View file

@ -0,0 +1,29 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."status.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:4456";
};
};
};
uptime-kuma = {
enable = true;
settings = {
HOST = "127.0.0.1";
PORT = "4456";
};
};
};
}

58
sys/platforms/vps/srv/matrix.nix Normal file
View file

@ -0,0 +1,58 @@
{
lib,
pkgs,
config,
flakes,
...
}:
with lib; let
subdomain = "matrix.posixlycorrect.com";
baseUrl = "https://${subdomain}";
in {
# ver https://nixos.org/manual/nixos/stable/#module-services-matrix
services = {
matrix-conduit = {
enable = true;
package = flakes.conduwuit.packages.${pkgs.system}.default;
settings.global = {
address = "::1";
port = 6167;
allow_encryption = true;
allow_federation = true;
allow_registration = false;
database_backend = "rocksdb";
server_name = "posixlycorrect.com";
allow_check_for_updates = true;
new_user_displayname_suffix = "";
};
};
nginx.virtualHosts = let
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${subdomain}:443";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
"posixlycorrect.com" = {
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
"${subdomain}" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".extraConfig = ''
return 403;
'';
locations."/_matrix".proxyPass = "http://[::1]:6167";
locations."/_synapse/client".proxyPass = "http://[::1]:6167";
};
};
};
}

77
sys/platforms/vps/srv/mediawiki.nix Normal file
View file

@ -0,0 +1,77 @@
{
lib,
pkgs,
flakes,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."wiki.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
mediawiki = {
enable = true;
name = "posixlycorrect wiki";
webserver = "nginx";
nginx.hostName = "wiki.posixlycorrect.com";
database.type = "postgres";
passwordFile = "/run/keys/mediawiki-password";
skins = {
citizen = "${flakes.mediawikiSkinCitizen}";
};
extraConfig = ''
# Disable anonymous editing and account creation
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgDefaultSkin = 'citizen';
$wgDefaultMobileSkin = 'citizen';
$wgCitizenThemeDefault = 'dark';
$wgCitizenShowPageTools = 'login';
$wgLogos = [
'icon' => "https://posixlycorrect.com/favicon.png",
'1x' => "https://posixlycorrect.com/favicon.png",
'2x' => "https://posixlycorrect.com/favicon.png",
];
$wgEnableEmail = false; #TODO: arreglar esto
$wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
$wgEmergencyContact = 'mediawiki@posixlycorrect.com';
$wgPasswordSender = 'mediawiki@posixlycorrect.com';
'';
extensions = {
# some extensions are included and can enabled by passing null
VisualEditor = null;
CategoryTree = null;
CiteThisPage = null;
Scribunto = null;
Cite = null;
CodeEditor = null;
Math = null;
MultimediaViewer = null;
PdfHandler = null;
Poem = null;
SecureLinkFixer = null;
WikiEditor = null;
ParserFunctions = null;
TemplateStyles = pkgs.fetchzip {
url = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/TemplateStyles/+archive/refs/heads/wmf/1.42.0-wmf.9.tar.gz";
sha256 = "sha256-+EOwkDU8L0qQ4Wo3WDqNug4Pyz/PUhOiHKmNcFJO4G0=";
stripRoot = false;
};
};
};
};
}

35
sys/platforms/vps/srv/msmtp.nix Normal file
View file

@ -0,0 +1,35 @@
{
lib,
pkgs,
...
}:
with lib; {
users.groups = {
mailsenders = {
members = ["fabian" "mediawiki"];
};
};
# esto sirve para que PHP pueda accesar la clave smtp de fastmail
#systemd.services.phpfpm-mediawiki = {
# path = [ "/run/wrappers" ];
# serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
#};
programs = {
msmtp = {
enable = true;
accounts = {
default = {
auth = true;
host = "smtp.fastmail.com";
port = 587;
passwordeval = "cat /var/trust/fastmail/smtp_key";
user = "fabianmontero@fastmail.com";
tls = true;
tls_starttls = true;
};
};
};
};
}

92
sys/platforms/vps/srv/net.nix Normal file
View file

@ -0,0 +1,92 @@
{
lib,
pkgs,
...
}:
with lib; {
networking = {
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [80 443];
};
domain = "posixlycorrect.com";
};
# ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
security.acme = {
acceptTerms = true;
defaults.email = "fabian@posixlycorrect.com";
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
logError = "/var/log/nginx/error.log";
clientMaxBodySize = "99M";
virtualHosts = {
"posixlycorrect.com" = {
forceSSL = true;
enableACME = true;
locations = {
"/".root = "${pkgs.local.homepage}";
"~ ^/pki(?:/(.*))?$" = {
# https://serverfault.com/a/476368
alias = "${../pki}/$1";
extraConfig = ''
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
autoindex_format html;
'';
};
"~ ^/factorio_blueprints(?:/(.*))?$" = {
# https://serverfault.com/a/476368
alias = "${../cdn/factorio_blueprints}/$1";
extraConfig = ''
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
autoindex_format html;
'';
};
};
};
};
};
fail2ban = {
enable = true;
bantime = "10m";
ignoreIP = ["37.205.12.34"]; # Never ban the server's own IP
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
maxtime = "48h"; # Do not ban for more than 48h
rndtime = "10m";
overalljails = true; # Calculate the bantime based on all the violations
};
jails = {
# https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
nginx-botsearch.settings = {
# Usar log en vez de journalctl
# TODO: Pasar todo a systemd?
backend = "pyinotify";
logpath = "/var/log/nginx/*.log";
journalmatch = "";
};
nginx-bad-request.settings = {
backend = "pyinotify";
logpath = "/var/log/nginx/*.log";
journalmatch = "";
maxretry = 10;
};
};
};
};
}

39
sys/platforms/vps/srv/paperless.nix Normal file
View file

@ -0,0 +1,39 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."docs.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:28981";
};
};
};
paperless = {
enable = true;
user = "paperless";
passwordFile = "/var/trust/paperless/passwordFile";
openMPThreadingWorkaround = true; # see https://github.com/NixOS/nixpkgs/issues/240591
address = "127.0.0.1";
port = 28981;
settings = {
PAPERLESS_URL = "docs.posixlycorrect.com";
PAPERLESS_OCR_LANGUAGE = "eng+spa";
PAPERLESS_APP_TITLE = "posixlycorrect";
PAPERLESS_OCR_USER_ARGS = {
"invalidate_digital_signatures" = true;
};
};
};
};
}

32
sys/platforms/vps/srv/trilium.nix Normal file
View file

@ -0,0 +1,32 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."notes.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
trilium-server = {
enable = true;
host = "127.0.0.1";
port = 8458;
noAuthentication = false;
instanceName = "posixlycorrect";
dataDir = "/var/lib/trilium";
nginx = {
enable = true;
hostName = "notes.posixlycorrect.com";
};
};
};
}

63
sys/platforms/vps/srv/vaultwarden.nix Normal file
View file

@ -0,0 +1,63 @@
{
config,
lib,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."vault.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
};
#fail2ban.jails.gitea.settings = { };
postgresql = {
ensureDatabases = ["vaultwarden"];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = "/var/trust/vaultwarden/smtp_key";
config = {
DOMAIN = "https://vault.posixlycorrect.com";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# Using FASTMAIL mail server
# If you use an external mail server, follow:
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
SMTP_HOST = "smtp.fastmail.com";
SMTP_PORT = 587;
SMTP_SECURITY = "starttls";
SMTP_FROM = "vault@posixlycorrect.com";
SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
SMTP_AUTH_MECHANISM = "PLAIN";
DATABASE_URL = "postgresql:///vaultwarden";
};
};
bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
};
}