server testing

This commit is contained in:
Dmitriy Kholkin 2022-02-01 05:17:22 +03:00
parent b129726297
commit 00b65f0106
16 changed files with 490 additions and 500 deletions

flake.lock generated

@ -98,6 +98,21 @@
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1642700792,
"narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "846b2ae0fc4cc943637d3d1def4454213e203cba",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"locked": {
"lastModified": 1634851050,
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
@ -134,10 +149,7 @@
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"vscode-server-fixup",
"nixpkgs"
]
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1635839387,
@ -408,6 +420,21 @@
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1643650039,
"narHash": "sha256-/CNYphB5xu/1eoDSPozkXXU+L+qtpRVF2QyGtt1xKTw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a0ba069da39a5dc38ff3009423b2700c2fb5447d",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1643169865,
"narHash": "sha256-+KIpNRazbc8Gac9jdWCKQkFv9bjceaLaLhlwqUEYu8c=",
@ -423,16 +450,23 @@
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1643169865,
"narHash": "sha256-+KIpNRazbc8Gac9jdWCKQkFv9bjceaLaLhlwqUEYu8c=",
"path": "/nix/store/8jc465d8r1mrjxb7j6wx7qc7d95frv0k-source",
"rev": "945ec499041db73043f745fad3b2a3a01e826081",
"type": "path"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": [
"nix-alien",
"flake-utils"
],
"nixpkgs": [
"nix-alien",
"nixpkgs"
]
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1642215333,
@ -474,7 +508,7 @@
"multimc-cracked": "multimc-cracked",
"nix": "nix",
"nix-alien": "nix-alien",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-mozilla": "nixpkgs-mozilla",
"nixpkgs-stable": "nixpkgs-stable",
@ -546,7 +580,7 @@
},
"vscode-server-fixup": {
"inputs": {
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils_3",
"home-manager": "home-manager_2",
"nixpkgs": [
"nixpkgs"


@ -24,7 +24,7 @@
deviceSpecific.isHost = false;
deviceSpecific.isShared = false;
deviceSpecific.isGaming = true;
deviceSpecific.enableVirtualisation = true;
deviceSpecific.enableVirtualisation = false;
deviceSpecific.wireguard.enable = true;
boot.blacklistedKernelModules = [


@ -26,7 +26,7 @@
bigScreen = false;
ram = 6;
};
deviceSpecific.enableVirtualisation = false;
deviceSpecific.enableVirtualisation = true;
deviceSpecific.wireguard.enable = true;
deviceSpecific.isLaptop = lib.mkForce true;
@ -34,9 +34,9 @@
cleanTmpDir = true;
# kernelParams = [ "video=VGA-1:d" ];
loader = {
timeout = lib.mkForce 4;
systemd-boot.enable = true;
};
timeout = lib.mkForce 4;
systemd-boot.enable = true;
};
};
services.tlp.settings.TLP_DEFAULT_MODE = lib.mkForce "AC";


@ -158,7 +158,7 @@ in {
while inotifywait "$PASSWORD_STORE_DIR" -r -e move -e close_write -e create -e delete --exclude .git; do
sleep 1
pass git add --all
pass git commit -m "$(date +%F)_$(date+%T)"
pass git commit -m "$(date +%F)_$(date +%T)"
pass git pull --rebase
pass git push
done
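Review bot: The corrected commit message still calls `date` twice, so a message built at a second boundary can carry a date and a time that do not belong together; one invocation, `pass git commit -m "$(date +%F_%T)"`, gives the same format from a single timestamp. The surrounding `while inotifywait` loop goes on to `pass git pull --rebase` and `pass git push` regardless of whether the commit or pull succeeded, which is existing behaviour but deserves a line such as `# failures are non-fatal; the next inotify event retries the sync` so the intent is recorded. The script this loop belongs to starts and ends outside the hunk.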


@ -92,9 +92,5 @@ with config.deviceSpecific; {
# winetricks
] ++ lib.optionals isLaptop [
acpi
] ++ lib.optionals (enableVirtualisation) [
virt-manager
] ++ lib.optionals (config.virtualisation.docker.enable) [
docker-compose
];
}


@ -34,7 +34,7 @@ with config.deviceSpecific;
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = lib.mkIf isServer [ 22 80 443 13748 ];
allowedTCPPorts = lib.mkIf isServer [ 22 80 443 8448 ];
};
usePredictableInterfaceNames = true;
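Review bot: The new allowlist opens TCP 8448, but nothing in this commit appears to listen on 8448: the synapse TLS listener on that port is commented out, the federation listener now sits on 8048 behind `x_forwarded`, and caddy.nix defines no site for `:8448` that would proxy to it. Either add a Caddy site for the federation port, for example `"matrix.ataraxiadev.com:8448".extraConfig = "reverse_proxy localhost:8048";` with the same `header_up` lines as the client block, or keep 8448 out of the allowlist until something serves it, so the exposed port set matches the running services. The `networking` attrset this hunk belongs to starts outside the hunk.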

profiles/servers/caddy.nix Normal file

@ -0,0 +1,109 @@
{ config, lib, pkgs, ...}: {
services.caddy = {
enable = true;
# acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
globalConfig = ''
email ataraxiadev@ataraxiadev.com
'';
virtualHosts = let
# default = {
# useACMEHost = "ataraxiadev.com";
# };
in {
"ataraxiadev.com" = {
serverAliases = [ "www.ataraxiadev.com" ];
# listenAddresses = [ "0.0.0.0" ];
extraConfig = ''
templates
encode gzip zstd
root * /srv/www/ataraxiadev.com
file_server
'';
};
"matrix.ataraxiadev.com" = {
extraConfig = ''
@identity {
path /_matrix/identity/*
}
@noidentity {
not path /_matrix/identity/*
}
@search {
path /_matrix/client/r0/user_directory/search/*
}
@nosearch {
not path /_matrix/client/r0/user_directory/search/*
}
@static {
path /matrix/static-files/*
}
@nostatic {
not path /matrix/static-files/*
}
@wellknown {
path /.well-known/matrix/*
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
# Cache
header @static {
# Cache
Cache-Control "public, max-age=31536000"
defer
}
# identity
handle @identity {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
# search
handle @search {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
handle @wellknown {
encode zstd gzip
root * /matrix/static-files
header Cache-Control max-age=14400
header Content-Type application/json
header Access-Control-Allow-Origin *
file_server
}
handle {
encode zstd gzip
reverse_proxy localhost:8008 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
'';
};
};
};
users.users.caddy.extraGroups = [ "acme" ];
}
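Review bot: The catch-all `handle` at the end of the matrix.ataraxiadev.com site forwards every unmatched path to synapse on 8008, which includes the Synapse admin API under `/_synapse/admin/`; a matcher `@admin path /_synapse/admin/*` with `handle @admin { respond 403 }` keeps that surface off the public vhost while `/_synapse/client/*` still passes (Caddy orders `handle` blocks by path specificity, so placement is for readability only). `acmeCA` points at the Let's Encrypt staging directory, whose certificates neither browsers nor federating servers trust, so a `# TODO(test): switch acmeCA back to production before go-live` comment next to it would stop the setting lingering after testing. The `@noidentity`, `@nosearch` and `@nostatic` matchers are defined but never referenced and can be dropped. Finally, `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore, whereas the HSTS line just above it, the header that matters here, is the one left commented out.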


@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }:
with config.users.users.alukard; with config.users.groups.${group}; {
secrets."cloudflare-ddns-ataraxiadev" = {
owner = "${toString uid}";
# permissions = "400";
};
virtualisation.oci-containers.containers.cloudflare-ddns = {
autoStart = true;
environment = {
PUID = toString uid;
PGID = toString gid;
};
extraOptions = [
"--network=host"
"--security-opt=no-new-privileges:true"
];
image = "timothyjmiller/cloudflare-ddns:latest";
volumes = [ "${config.secrets.cloudflare-ddns-ataraxiadev.decrypted}:/config.json" ];
};
}
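Review bot: The container image is pulled as `timothyjmiller/cloudflare-ddns:latest`, so any restart can fetch a different, unreviewed build of a third-party image that is handed a decrypted config.json (presumably holding the Cloudflare API token); pin it, e.g. `image = "timothyjmiller/cloudflare-ddns:<version>@sha256:<digest>";` (placeholder values), and bump it deliberately. `--network=host` gives an updater that only needs outbound HTTPS the host's network namespace; unless the image has to read a host interface address, the default bridge network is sufficient and narrower, and a one-line comment above `extraOptions` saying which of the two it actually needs would settle that for the next reader. The `# permissions = "400"` line on the secret is also worth either enabling or explaining, given that the decrypted file is bind-mounted straight into the container.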


@ -5,63 +5,77 @@
secrets = [ "turn_shared_secret" ];
template = "$turn_shared_secret";
};
# systemd.services.test_systemd_timers = {
# serviceConfig.Type = "oneshot";
# path = [
# pkgs.curl
# ];
# script = ''
# curl http://icanhazip.com
# '';
# };
# enable coturn
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
min-port = 49152;
max-port = 49172;
use-auth-secret = true;
static-auth-secret-file = config.secrets-envsubst.turn-shared-secret.substituted;
realm = "turn.ataraxiadev.com";
cert = config.secrets."ataraxiadev.com.pem".decrypted;
pkey = config.secrets."ataraxiadev.com.key".decrypted;
no-tls = true;
no-dtls = true;
# cert = config.secrets."ataraxiadev.com.pem".decrypted;
# pkey = config.secrets."ataraxiadev.com.key".decrypted;
extraConfig = ''
user-quota=20
total-quota=600
# for debugging
#verbose
allowed-peer-ip=10.0.0.1
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# external-ip=
#for debugging
# verbose
# allowed-peer-ip=10.0.0.1
#ban private IP ranges
# no-multicast-peers
# denied-peer-ip=0.0.0.0-0.255.255.255
# denied-peer-ip=10.0.0.0-10.255.255.255
# denied-peer-ip=100.64.0.0-100.127.255.255
# denied-peer-ip=127.0.0.0-127.255.255.255
# denied-peer-ip=169.254.0.0-169.254.255.255
# denied-peer-ip=172.16.0.0-172.31.255.255
# denied-peer-ip=192.0.0.0-192.0.0.255
# denied-peer-ip=192.0.2.0-192.0.2.255
# denied-peer-ip=192.88.99.0-192.88.99.255
# denied-peer-ip=192.168.0.0-192.168.255.255
# denied-peer-ip=198.18.0.0-198.19.255.255
# denied-peer-ip=198.51.100.0-198.51.100.255
# denied-peer-ip=203.0.113.0-203.0.113.255
# denied-peer-ip=240.0.0.0-255.255.255.255
# denied-peer-ip=::1
# denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
# denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
# denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
# denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
# denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
networking.firewall = {
interfaces.enp0s3 = let
range = with config.services.coturn; [ {
from = min-port;
to = max-port;
} ];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 5349 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 5349 ];
};
networking.firewall = let
# networking.firewall = {
# interfaces.enp0s3 = let
range = with config.services.coturn; [ {
from = min-port;
to = max-port;
} ];
in
{
# allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 5349 ];
# allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 5349 ];
};
}
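Review bot: Commenting out `no-multicast-peers` and the entire `denied-peer-ip=` list in `extraConfig` lets the relay forward traffic to loopback, RFC 1918, link-local and the other internal ranges on behalf of any authenticated TURN client, which is exactly what that list existed to prevent; restore it (and `allowed-peer-ip` only if still needed) before this leaves testing, or at least leave a `# TODO(test): restore denied-peer-ip ranges` marker so it is not forgotten. Setting `no-tls = true` and `no-dtls = true` here while the matrix-synapse hunk still advertises `turns:${realm}?transport=udp` and `turns:${realm}?transport=tcp` in `turn_uris` means those URIs cannot succeed; either keep TLS on the relay or drop the `turns:` entries there. In the firewall block, `allowedUDPPortRanges = range` is commented out, so the relay range 49152-49172 is never opened and the `range` let-binding is dead, while dropping the `interfaces.enp0s3` scoping opens 3478/5349 on every interface rather than the one it was limited to before. The attrset this hunk sits in continues outside the hunk.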


@ -1,26 +0,0 @@
{ pkgs, config, lib, ... }:
{
secrets.gitea = {
owner = "gitea";
};
services.gitea = {
enable = true;
appName = "AtaraxiaDev Gitea Instance";
cookieSecure = true;
database = {
type = "postgres";
passwordFile = config.secrets.gitea.decrypted;
};
disableRegistration = true;
domain = "code.ataraxiadev.com";
httpPort = 6000;
lfs.enable = true;
rootUrl = "https://code.ataraxiadev.com";
settings = {
server = {
SSH_DOMAIN = "gitea.ataraxiadev.com";
};
};
};
}


@ -1,122 +0,0 @@
{ pkgs, config, lib, inputs, ... }:
let
module = toString inputs.simple-nixos-mailserver;
in {
imports = [ module ];
secrets.mailserver = {
owner = "dovecot2:cert";
services = [ "dovecot2" ];
};
secrets.sasl_passwd = {
permissions = "444";
};
security.acme = {
email = "ataraxiadev@ataraxiadev.com";
acceptTerms = true;
certs."mail.ataraxiadev.com" = {
group = "cert";
webroot = "/var/lib/acme/acme-challenge";
postRun = ''
systemctl reload postfix
systemctl reload dovecot2
'';
};
};
services.postfix = {
mapFiles."sasl_passwd" = config.secrets.sasl_passwd.decrypted;
extraConfig =
''
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_tls_security_options =
relayhost = [smtp.email.eu-zurich-1.oci.oraclecloud.com]:587
'';
dnsBlacklists = [
"all.s5h.net"
"b.barracudacentral.org"
"bl.spamcop.net"
"blacklist.woody.ch"
"bogons.cymru.com"
"cbl.abuseat.org"
"combined.abuse.ch"
"db.wpbl.info"
"dnsbl-1.uceprotect.net"
"dnsbl-2.uceprotect.net"
"dnsbl-3.uceprotect.net"
"dnsbl.anticaptcha.net"
"dnsbl.dronebl.org"
"dnsbl.inps.de"
"dnsbl.sorbs.net"
"dnsbl.spfbl.net"
"drone.abuse.ch"
"duinv.aupads.org"
"dul.dnsbl.sorbs.net"
"dyna.spamrats.com"
"dynip.rothen.com"
"http.dnsbl.sorbs.net"
"ips.backscatterer.org"
"ix.dnsbl.manitu.net"
"korea.services.net"
"misc.dnsbl.sorbs.net"
"noptr.spamrats.com"
"orvedb.aupads.org"
"pbl.spamhaus.org"
"proxy.bl.gweep.ca"
"psbl.surriel.com"
"relays.bl.gweep.ca"
"relays.nether.net"
"sbl.spamhaus.org"
"singular.ttk.pte.hu"
"smtp.dnsbl.sorbs.net"
"socks.dnsbl.sorbs.net"
"spam.abuse.ch"
"spam.dnsbl.anonmails.de"
"spam.dnsbl.sorbs.net"
"spam.spamrats.com"
"spambot.bls.digibase.ca"
"spamrbl.imp.ch"
"spamsources.fabel.dk"
"ubl.lashback.com"
"ubl.unsubscore.com"
"virus.rbl.jp"
"web.dnsbl.sorbs.net"
"wormrbl.imp.ch"
"xbl.spamhaus.org"
"z.mailspike.net"
"zen.spamhaus.org"
"zombie.dnsbl.sorbs.net"
];
dnsBlacklistOverrides = ''
ataraxiadev.com OK
mail.ataraxiadev.com OK
192.168.0.0/16 OK
${lib.concatMapStringsSep "\n" (machine: "${machine}.lan OK") (builtins.attrNames inputs.self.nixosConfigurations)}
'';
};
mailserver = rec {
enable = true;
openFirewall = true;
fqdn = "mail.ataraxiadev.com";
domains = [ "ataraxiadev.com" ];
loginAccounts = {
"ataraxiadev@ataraxiadev.com" = {
aliases =
[ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" ];
hashedPasswordFile = config.secrets.mailserver.decrypted;
};
};
localDnsResolver = false;
certificateScheme = 1;
certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
enableImap = true;
enableImapSsl = true;
enableSubmission = true;
enableSubmissionSsl = true;
virusScanning = false;
};
}


@ -9,34 +9,55 @@
services.matrix-synapse = with config.services.coturn; {
enable = true;
allow_guest_access = true;
app_service_config_files = [ config.secrets-envsubst.mautrix-telegram-registration.substituted ];
# app_service_config_files = [ config.secrets-envsubst.mautrix-telegram-registration.substituted ];
extraConfigFiles = [ config.secrets-envsubst.matrix-shared-secret.substituted ];
logConfig = options.services.matrix-synapse.logConfig.default + ''
loggers:
shared_secret_authenticator:
level: INFO
'';
listeners = [{
bind_address = "0.0.0.0";
port = 13748;
resources = [
{
listeners = [
# {
# bind_address = "::";
# port = 8448;
# type = "http";
# tls = true;
# x_forwarded = false;
# resources = [{
# compress = false;
# names = [ "federation" ];
# }];
# }
{
bind_address = "::";
port = 8008;
type = "http";
tls = false;
x_forwarded = true;
resources = [{
compress = true;
names = [ "client" ];
}
{
}];
}
{
bind_address = "::";
port = 8048;
type = "http";
tls = false;
x_forwarded = true;
resources = [{
compress = false;
names = [ "federation" ];
}
];
type = "http";
tls = false;
x_forwarded = true;
}];
}];
}
];
plugins = with pkgs.matrix-synapse-plugins; [ matrix-synapse-shared-secret-auth ];
public_baseurl = "https://ataraxiadev.com";
public_baseurl = "https://matrix.ataraxiadev.com";
server_name = "ataraxiadev.com";
turn_uris = [ "turns:${realm}?transport=udp" "turns:${realm}?transport=tcp" ];
turn_uris = [
"turns:${realm}?transport=udp" "turns:${realm}?transport=tcp"
"turn:${realm}?transport=udp" "turn:${realm}?transport=tcp"
];
turn_user_lifetime = "24h";
};
@ -55,126 +76,126 @@
'';
};
services.mautrix-telegram = {
enable = true;
environmentFile = toString config.secrets-envsubst.mautrix-telegram;
settings = {
appservice = {
address = "http://localhost:29317";
bot_avatar = "mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX";
database = "postgresql://mautrix-telegram:$MATRIX_PASS@localhost/mautrix-telegram";
id = "telegram";
max_body_size = 1;
port = 29317;
public = {
enabled = true;
prefix = "/mautrix-telegram";
external = "https://matrix.ataraxiadev.com/mautrix-telegram";
};
provisioning.enabled = false;
};
bridge = {
alias_template = "tg_{groupname}";
allow_matrix_login = false;
animated_sticker = {
target = "gif";
args = {
width = 128;
height = 128;
fps = 30;
background = "15191E";
};
};
bot_messages_as_notices = true;
catch_up = true;
command_prefix = "!tg";
encryption = {
allow = true;
default = false;
};
filter = {
mode = "whitelist";
list = [ ];
};
image_as_file_size = 10;
login_shared_secret_map."ataraxiadev.com" = "$SHARED_SECRET_AUTH";
max_document_size = 100;
max_initial_member_sync = -1;
max_telegram_delete = 10;
permissions = {
"*" = "relaybot";
"@ataraxiadev:ataraxiadev.com" = "admin";
"@kpoxa:ataraxiadev.com" = "full";
};
plaintext_highlights = true;
startup_sync = false;
sync_direct_chat_list = false;
sync_direct_chats = false;
username_template = "tg_{userid}";
};
homeserver = {
address = "https://matrix.ataraxiadev.com";
asmux = false;
domain = "ataraxiadev.com";
verify_ssl = true;
};
telegram = { bot_token = "disabled"; };
};
};
# services.mautrix-telegram = {
# enable = true;
# environmentFile = toString config.secrets-envsubst.mautrix-telegram;
# settings = {
# appservice = {
# address = "http://localhost:29317";
# bot_avatar = "mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX";
# database = "postgresql://mautrix-telegram:$MATRIX_PASS@localhost/mautrix-telegram";
# id = "telegram";
# max_body_size = 1;
# port = 29317;
# public = {
# enabled = true;
# prefix = "/mautrix-telegram";
# external = "https://matrix.ataraxiadev.com/mautrix-telegram";
# };
# provisioning.enabled = false;
# };
# bridge = {
# alias_template = "tg_{groupname}";
# allow_matrix_login = false;
# animated_sticker = {
# target = "gif";
# args = {
# width = 128;
# height = 128;
# fps = 30;
# background = "15191E";
# };
# };
# bot_messages_as_notices = true;
# catch_up = true;
# command_prefix = "!tg";
# encryption = {
# allow = true;
# default = false;
# };
# filter = {
# mode = "whitelist";
# list = [ ];
# };
# image_as_file_size = 10;
# login_shared_secret_map."ataraxiadev.com" = "$SHARED_SECRET_AUTH";
# max_document_size = 100;
# max_initial_member_sync = -1;
# max_telegram_delete = 10;
# permissions = {
# "*" = "relaybot";
# "@ataraxiadev:ataraxiadev.com" = "admin";
# "@kpoxa:ataraxiadev.com" = "full";
# };
# plaintext_highlights = true;
# startup_sync = false;
# sync_direct_chat_list = false;
# sync_direct_chats = false;
# username_template = "tg_{userid}";
# };
# homeserver = {
# address = "https://matrix.ataraxiadev.com";
# asmux = false;
# domain = "ataraxiadev.com";
# verify_ssl = true;
# };
# telegram = { bot_token = "disabled"; };
# };
# };
secrets-envsubst.mautrix-telegram = {
secrets = [ "as_token" "hs_token" "api_id" "api_hash" "matrix_pass" "shared_secret" ];
template = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=$as_token
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=$hs_token
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=$api_id
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=$api_hash
MATRIX_PASS=$matrix_pass
SHARED_SECRET_AUTH=$shared_secret
'';
};
# secrets-envsubst.mautrix-telegram = {
# secrets = [ "as_token" "hs_token" "api_id" "api_hash" "matrix_pass" "shared_secret" ];
# template = ''
# MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=$as_token
# MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=$hs_token
# MAUTRIX_TELEGRAM_TELEGRAM_API_ID=$api_id
# MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=$api_hash
# MATRIX_PASS=$matrix_pass
# SHARED_SECRET_AUTH=$shared_secret
# '';
# };
secrets-envsubst.mautrix-telegram-registration = {
directory = "mautrix-telegram";
secrets = [ "as_token" "hs_token" "sender_localpart" ];
owner = "matrix-synapse";
template = builtins.toJSON {
as_token = "$as_token";
hs_token = "$hs_token";
id = "telegram";
namespaces = {
aliases = [{
exclusive = true;
regex = "#tg_.+:ataraxiadev.com";
}];
users = [{
exclusive = true;
regex = "@tg_.+:ataraxiadev.com";
} {
exclusive = true;
regex = "@telegrambot:ataraxiadev.com";
}];
};
rate_limited = false;
sender_localpart = "$sender_localpart";
url = "http://localhost:29317";
};
};
# secrets-envsubst.mautrix-telegram-registration = {
# directory = "mautrix-telegram";
# secrets = [ "as_token" "hs_token" "sender_localpart" ];
# owner = "matrix-synapse";
# template = builtins.toJSON {
# as_token = "$as_token";
# hs_token = "$hs_token";
# id = "telegram";
# namespaces = {
# aliases = [{
# exclusive = true;
# regex = "#tg_.+:ataraxiadev.com";
# }];
# users = [{
# exclusive = true;
# regex = "@tg_.+:ataraxiadev.com";
# } {
# exclusive = true;
# regex = "@telegrambot:ataraxiadev.com";
# }];
# };
# rate_limited = false;
# sender_localpart = "$sender_localpart";
# url = "http://localhost:29317";
# };
# };
systemd.services.mautrix-telegram = {
path = with pkgs; [ lottieconverter ];
serviceConfig = {
DynamicUser = lib.mkForce false;
User = "mautrix-telegram";
};
};
# systemd.services.mautrix-telegram = {
# path = with pkgs; [ lottieconverter ];
# serviceConfig = {
# DynamicUser = lib.mkForce false;
# User = "mautrix-telegram";
# };
# };
users.users.mautrix-telegram = {
group = "mautrix-telegram";
isSystemUser = true;
};
# users.users.mautrix-telegram = {
# group = "mautrix-telegram";
# isSystemUser = true;
# };
users.groups.mautrix-telegram = {};
# users.groups.mautrix-telegram = {};
users.users.matrix-synapse.name = lib.mkForce "matrix-synapse";
}
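Review bot: Both new listeners bind `::` (all interfaces) with `tls = false` and `x_forwarded = true`, yet Caddy reaches them via `localhost`; binding them to loopback, e.g. `bind_address = "::1";` on the 8008 and 8048 entries and pointing Caddy's `reverse_proxy` at that same literal address, removes plaintext listeners from every non-loopback interface and ensures only the proxy can set `X-Forwarded-For`, the header synapse uses as the client IP once `x_forwarded` is on. Nothing in this commit proxies the 8048 federation listener (Caddy has no `:8448` site and the TLS listener on 8448 is commented out), so federation is effectively off until one is added; a comment such as `# federation listener; expects a TLS-terminating proxy on 8448` would make that explicit. The second hunk only comments out the mautrix-telegram block but leaves `users.users.matrix-synapse.name = lib.mkForce "matrix-synapse";` active, which is fine to keep but would benefit from a one-line comment on why it sits outside the commented region. The `services.matrix-synapse` attrset opens inside the first hunk, but the module continues past the hunk boundaries.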


@ -1,133 +0,0 @@
{ pkgs, config, lib, ... }: {
users.groups.cert.members = [ "turnserver" "nginx" "dovecot2" ];
secrets."ataraxiadev.com.pem" = {
owner = "root:cert";
permissions = "440";
};
secrets."ataraxiadev.com.key" = {
owner = "root:cert";
permissions = "440";
};
secrets."origin-pull-ca.pem" = {
owner = "root:cert";
permissions = "440";
};
## DNS-over-TLS
services.stubby = {
enable = true;
settings = pkgs.stubby.passthru.settingsExample // {
dnssec = "GETDNS_EXTENSION_TRUE";
listen_addresses = [ "0::1" "127.0.0.1" ];
resolution_type = "GETDNS_RESOLUTION_STUB";
round_robin_upstreams = 1;
tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";
tls_min_version = "GETDNS_TLS1_3";
upstream_recursive_servers = [
{
address_data = "2620:fe::fe";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "2620:fe::9";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "9.9.9.9";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "149.112.112.112";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "2606:4700:4700::1112";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "2606:4700:4700::1002";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "1.1.1.2";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "1.0.0.2";
tls_auth_name = "cloudflare-dns.com";
}
];
};
};
networking.nameservers = [ "::1" "127.0.0.1" ];
services.resolved = {
enable = true;
fallbackDns = [ "2606:4700:4700::1111" "2606:4700:4700::1001" "1.1.1.1" "1.0.0.1" ];
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
appendHttpConfig = "charset utf-8;";
virtualHosts = let
default = {
forceSSL = true;
enableACME = false;
sslCertificate = config.secrets."ataraxiadev.com.pem".decrypted;
sslCertificateKey = config.secrets."ataraxiadev.com.key".decrypted;
sslTrustedCertificate = config.secrets."origin-pull-ca.pem".decrypted;
};
in {
"ataraxiadev.com" = {
default = true;
locations."/" = {
root = "/var/lib/ataraxiadev.com";
};
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/acme-challenge";
};
locations."/.well-known/matrix/server".extraConfig =
let
server = { "m.server" = "matrix.ataraxiadev.com:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."/.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://matrix.ataraxiadev.com"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."/_matrix" = {
proxyPass = "http://localhost:13748";
};
} // default;
"matrix.ataraxiadev.com" = {
locations."/".extraConfig = ''
return 404;
'';
locations."/mautrix-telegram/" = {
proxyPass = "http://localhost:29317";
};
locations."/_matrix" = {
proxyPass = "http://localhost:13748";
};
} // default;
"code.ataraxiadev.com" = {
locations."/" = {
proxyPass = "http://localhost:6000";
};
} // default;
};
};
}


@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }: {
## DNS-over-TLS
services.stubby = {
enable = true;
settings = pkgs.stubby.passthru.settingsExample // {
dnssec = "GETDNS_EXTENSION_TRUE";
listen_addresses = [ "0::1" "127.0.0.1" ];
resolution_type = "GETDNS_RESOLUTION_STUB";
round_robin_upstreams = 1;
tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";
tls_min_version = "GETDNS_TLS1_3";
upstream_recursive_servers = [
{
address_data = "2620:fe::fe";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "2620:fe::9";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "9.9.9.9";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "149.112.112.112";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "2606:4700:4700::1112";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "2606:4700:4700::1002";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "1.1.1.2";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "1.0.0.2";
tls_auth_name = "cloudflare-dns.com";
}
];
};
};
networking.nameservers = [ "::1" "127.0.0.1" ];
services.resolved = {
enable = true;
fallbackDns = [ "2606:4700:4700::1111" "2606:4700:4700::1001" "1.1.1.1" "1.0.0.1" ];
};
}
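Review bot: `services.resolved.fallbackDns` lists plain-DNS resolvers, so whenever stubby on `::1`/`127.0.0.1` is unreachable, resolution silently degrades from authenticated DNS-over-TLS to cleartext; if that is intended, a comment such as `# fallback is plaintext DNS, used only while the stubby stub on loopback is down` above `fallbackDns` records the trade-off, otherwise drop the fallback. This file looks identical to the DNS block removed from the deleted nginx profile in the same commit, so it reads as a move; a one-line header comment saying so and naming its consumer (the `stubby` entry in the profile list) would help future readers. The `settingsExample // { ... }` merge also keeps every key of the example that is not overridden here, which is worth a short note beside it.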


@ -1,22 +1,41 @@
{ config, lib, pkgs, ... }:
with config.deviceSpecific; {
# virtualisation.docker.enable = enableVirtualisation && (config.device == "AMD-Workstation");
virtualisation.libvirtd = {
enable = enableVirtualisation;
qemu = {
ovmf.enable = true;
runAsRoot = true;
package = pkgs.qemu;
config = lib.mkIf enableVirtualisation {
# virtualisation.podman = {
# enable = isServer;
# dockerCompat = true;
# defaultNetwork.dnsname.enable = true;
# };
virtualisation.docker = {
enable = isServer;
};
onBoot = "ignore";
onShutdown = "shutdown";
};
virtualisation.spiceUSBRedirection.enable = enableVirtualisation;
# virtualisation.oci-containers.backend = "docker";
# virtualisation.oci-containers.backend = lib.mkForce "podman";
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
virtualisation.libvirtd = {
enable = !isServer;
qemu = {
ovmf.enable = true;
runAsRoot = true;
package = pkgs.qemu;
};
onBoot = "ignore";
onShutdown = "shutdown";
};
virtualisation.spiceUSBRedirection.enable = true;
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
};
environment.systemPackages = if isServer then [
# arion
# docker-client
] else [
virt-manager
];
};
}
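Review bot: `virtualisation.oci-containers.backend` is left commented out for both values while this module enables docker (and not podman) on servers, so the cloudflare-ddns container added in this commit runs on whatever backend the NixOS module defaults to, which may not be the one enabled here; make it explicit with `virtualisation.oci-containers.backend = "docker";` inside the same `mkIf`, or enable podman and select it. `virtualisation.spiceUSBRedirection.enable = true;` now applies to servers as well, where libvirtd is `!isServer` and USB redirection has no consumer, so `enable = !isServer;` would keep it to the hosts that run guests. The whole module is now wrapped in `config = lib.mkIf enableVirtualisation { ... }`, and a header comment stating that nothing here applies unless `deviceSpecific.enableVirtualisation` is set would spare a confused reader later, given that the two device files in this commit flip that flag in opposite directions.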


@ -10,11 +10,14 @@
kitty
nix-index
#coturn
#gitea
coturn
cloudflare-ddns
# gitea
#mailserver
#matrix-synapse
nginx
matrix-synapse
# nginx
stubby
caddy
vscode-server
];
}