server things

Dmitriy Kholkin 2022-08-31 11:37:26 +03:00
parent 0a7748b293
commit 44a15ee850
12 changed files with 2147 additions and 29 deletions


@ -8,6 +8,7 @@
fail2ban
gitea
mailserver
microbin
nginx
roundcube
seafile
@ -15,6 +16,7 @@
battery-historian
media-stack
duplicacy
];
deviceSpecific.devInfo = {


@ -10,6 +10,7 @@ with config.deviceSpecific; {
extraOptions = ''
experimental-features = nix-command flakes
builders-use-substitutes = true
'';
settings = {
@ -37,6 +38,7 @@ with config.deviceSpecific; {
sshUser = "alukard";
sshKey = config.secrets.ssh-builder.decrypted;
systems = [ "x86_64-linux" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
];


@ -33,6 +33,7 @@ with lib; {
hyprpaper = pkgs.callPackage ./packages/hyprpaper.nix { src = inputs.hyprpaper; };
ibm-plex-powerline = pkgs.callPackage ./packages/ibm-plex-powerline.nix { };
kitti3 = pkgs.python3Packages.callPackage ./packages/kitti3.nix { };
microbin = pkgs.callPackage ./packages/microbin-pkg { };
mpris-ctl = pkgs.callPackage ./packages/mpris-ctl.nix { };
parsec = pkgs.callPackage ./packages/parsec.nix { };
reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { };
@ -57,12 +58,10 @@ with lib; {
src = inputs.qbittorrent-ee;
});
nix = if !config.deviceSpecific.isServer then
inputs.nix.packages.${system}.default.overrideAttrs (oa: {
doInstallCheck = false;
patches = [ ./nix/nix.patch ] ++ oa.patches or [ ];
})
else pkgs.nixFlakes;
nix = inputs.nix.packages.${system}.default.overrideAttrs (oa: {
doInstallCheck = false;
patches = [ ./nix/nix.patch ] ++ oa.patches or [ ];
});
}
)
];



@ -0,0 +1,26 @@
{ lib, fetchFromGitHub, rustPlatform }:
rustPlatform.buildRustPackage rec {
pname = "microbin";
version = "1.1.0";
src = fetchFromGitHub {
owner = "szabodanika";
repo = pname;
rev = "v${version}";
sha256 = "1ppm34sj01pwwfyyy433k7r6li9ckngjq6j9xjjb2k184hzy2dva";
};
cargoPatches = [
./add-Cargo.lock.patch
];
cargoSha256 = "sha256-AkFrS26uwJgHXwXWnSU4FRwWA7c3iZmpZ35QiKKk18s=";
meta = with lib; {
description = "A tiny, self-contained, configurable paste bin and URL shortener written in Rust.";
homepage = "https://github.com/szabodanika/microbin";
license = licenses.bsd3;
maintainers = [ ];
};
}
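Review bot: `description = "A tiny, self-contained, configurable paste bin and URL shortener written in Rust."` ends with a period, which nixpkgs convention asks you to drop: `description = "A tiny, self-contained, configurable paste bin and URL shortener written in Rust";`. The `cargoPatches = [ ./add-Cargo.lock.patch ]` line suggests the lockfile is generated locally rather than taken from upstream; a comment on that line naming where it came from and that `cargoSha256` must be refreshed together with it on a version bump would save the next bumper a failed build.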


@ -0,0 +1,75 @@
{ config, lib, pkgs, ... }:
let
start-backup = ''
#!${pkgs.runtimeShell}
export DUPLICACY_GCD_TOKEN=/var/secrets/gcd-token
export DUPLICACY_PASSWORD=$(cat /var/secrets/duplicacy-pass)
if [ ! -d "/backups/.duplicacy" ]; then
echo "First init duplicacy repo with \"duplicacy init -e gcd://<folder-in-gdisk>\""
exit 1
fi
if [ ! -d "/backups/var" ]; then
mkdir -p /backups/var
fi
if [ ! -L "/backups/var/dkim" ]; then
ln -s /var/dkim /backups/var/dkim
fi
if [ ! -L "/backups/var/vmail" ]; then
ln -s /var/vmail /backups/var/vmail
fi
if [ ! -L "/backups/var/microbin" ]; then
ln -s /var/microbin /backups/var/microbin
fi
if [ ! -L "/backups/gitea" ]; then
ln -s /gitea /backups/gitea
fi
cd /backups
duplicacy backup
'';
start-prune = ''
#!${pkgs.runtimeShell}
export DUPLICACY_GCD_TOKEN=/var/secrets/gcd-token;
export DUPLICACY_PASSWORD=$(cat /var/secrets/duplicacy-pass);
if [ ! -d "/backups/.duplicacy" ]; then
echo "First init duplicacy repo with \"duplicacy init -e gcd://<folder-in-gdisk>\""
exit 1
fi
cd /backups
duplicacy prune -keep 0:30 -keep 7:14 -keep 1:7
'';
in {
secrets.gcd-token.services = [ ];
secrets.duplicacy-pass.services = [ ];
systemd.services.duplicacy-backup = {
serviceConfig.Type = "oneshot";
path = [ pkgs.duplicacy ];
script = start-backup;
};
systemd.timers.duplicacy-backup = {
wantedBy = [ "timers.target" ];
partOf = [ "duplicacy-backup.service" ];
timerConfig.OnCalendar = [ "*-*-* 05:00:00" ];
};
systemd.services.duplicacy-prune = {
serviceConfig.Type = "oneshot";
path = [ pkgs.duplicacy ];
script = start-prune;
};
systemd.timers.duplicacy-prune = {
wantedBy = [ "timers.target" ];
partOf = [ "duplicacy-prune.service" ];
timerConfig.OnCalendar = [ "*-*-* 01:00:00" ];
};
}
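Review bot: The symlinks created at `ln -s /var/dkim /backups/var/dkim`, `/backups/var/vmail` and `/backups/var/microbin` sit one level below the repository root, and as far as I recall Duplicacy only follows symlinks placed directly in the repository's top level — deeper ones are stored as links, so those three directories would not actually be backed up while `/backups/gitea` would. Linking them directly under `/backups` (e.g. `ln -s /var/vmail /backups/vmail`) or checking with `duplicacy list -files` after the first run would confirm this. Separately, the secret paths are hard-coded as `/var/secrets/gcd-token` and `/var/secrets/duplicacy-pass`, while the other modules in this commit read `config.secrets.<name>.decrypted`; using the same attribute here keeps the two from drifting apart.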


@ -7,12 +7,10 @@
services.gitea = {
enable = true;
appName = "AtaraxiaDev's Gitea Instance";
cookieSecure = true;
database = {
type = "postgres";
passwordFile = config.secrets.gitea.decrypted;
};
disableRegistration = true;
domain = "code.ataraxiadev.com";
httpPort = 6000;
lfs.enable = true;
@ -27,6 +25,12 @@
FILE_MAX_SIZE = 100;
MAX_FILES = 10;
};
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
ui = {
DEFAULT_THEME = "arc-green";
};


@ -88,10 +88,14 @@ in {
ataraxiadev.com OK
mail.ataraxiadev.com OK
127.0.0.0/8 OK
10.0.0.0/8 OK
172.16.0.0/12 OK
192.168.0.0/16 OK
'';
headerChecks = [
{
action = "IGNORE";
pattern = "/^User-Agent.*Roundcube Webmail/";
}
];
};
mailserver = rec {
enable = true;
@ -103,18 +107,12 @@ in {
loginAccounts = {
"ataraxiadev@ataraxiadev.com" = {
aliases =
[ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" ];
[ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" "ark@ataraxiadev.com" "ark" ];
hashedPasswordFile = config.secrets.mailserver.decrypted;
};
"minichka76@ataraxiadev.com" = {
aliases = [
"minichka76"
"kpoxa@ataraxiadev.com" "kpoxa"
"kpoxa1@ataraxiadev.com" "kpoxa1"
"kpoxa2@ataraxiadev.com" "kpoxa2"
"kpoxa3@ataraxiadev.com" "kpoxa3"
"kpoxa4@ataraxiadev.com" "kpoxa4"
];
aliases =
[ "minichka76" "kpoxa@ataraxiadev.com" "kpoxa" ];
hashedPasswordFile = config.secrets.mailserver-minichka.decrypted;
};
"vaultwarden@ataraxiadev.com" = {
@ -126,16 +124,18 @@ in {
hashedPasswordFile = config.secrets.mailserver-seafile.decrypted;
};
};
hierarchySeparator = "/";
localDnsResolver = false;
certificateScheme = 1;
certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
enableManageSieve = true;
enableImap = true;
enableImapSsl = false;
# enablePop3 = true;
# enablePop3Ssl = false;
enableImapSsl = true;
enablePop3 = false;
enablePop3Ssl = false;
enableSubmission = true;
enableSubmissionSsl = false;
enableSubmissionSsl = true;
virusScanning = false;
};
}
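Review bot: The three entries added at `10.0.0.0/8 OK`, `172.16.0.0/12 OK` and `192.168.0.0/16 OK` whitelist every RFC 1918 address; if this map feeds a Postfix client/relay access check, as the neighbouring `127.0.0.0/8 OK` suggests, any host that can reach the server from a private address (VPN peers, containers, a shared cloud network) is trusted as a relay client. Narrowing these to the specific subnet(s) this host actually uses, or dropping the ones that are not needed, keeps the trust boundary where the existing entries put it. The rest of the section (IMAP and submission moved to the TLS ports, POP3 explicitly off) tightens things and looks right.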


@ -0,0 +1,20 @@
{ config, pkgs, lib, ... }: {
secrets.microbin-pass.services = [ "microbin.service" ];
systemd.services.microbin = {
description = "MicroBin";
path = [ pkgs.microbin ];
script = ''
mkdir -p /var/microbin
cd /var/microbin
MICROBIN_PASS=$(cat /var/secrets/microbin-pass)
microbin --editable --highlightsyntax --private -b 127.0.0.1 -p 9988 --auth-username ataraxiadev --auth-password $MICROBIN_PASS
'';
serviceConfig = {
Restart = "always";
Type = "simple";
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
}
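Review bot: `--auth-password $MICROBIN_PASS` places the secret on the process command line, where it is readable by every local user via `ps` or `/proc/<pid>/cmdline` for as long as the service runs, which undoes the point of reading it from `/var/secrets/microbin-pass` at start. If the binary can take the password from the environment or a file, that is the fix; otherwise at minimum quote it (`--auth-password "$MICROBIN_PASS"`) so a value containing spaces or glob characters is not split by the shell. The unit also sets no `User=`/`DynamicUser=`, so microbin runs as root while listening on port 9988 and writing `/var/microbin`; a dedicated user plus `StateDirectory = "microbin"` (with the secret made readable to that user, e.g. via `LoadCredential=`) would contain it.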


@ -34,6 +34,7 @@
"kavita.ataraxiadev.com"
"shoko.ataraxiadev.com"
"bathist.ataraxiadev.com"
"microbin.ataraxiadev.com"
];
};
};
@ -50,9 +51,9 @@
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com moz-extension://43a2224f-fe82-45d7-bdc3-c218984e73c8";
# add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com moz-extension://43a2224f-fe82-45d7-bdc3-c218984e73c8";
add_header X-Robots-Tag "none";
add_header Referrer-Policy "strict-origin-when-cross-origin";
# add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Content-Type-Options "nosniff";
'';
virtualHosts = let
@ -221,6 +222,20 @@
'';
};
} // default;
"microbin.ataraxiadev.com" = {
locations."/" = {
proxyPass = "http://localhost:9988";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
client_max_body_size 40M;
'';
} // default;
};
};
};
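Review bot: Commenting out `add_header Content-Security-Policy "frame-ancestors ..."` and `add_header Referrer-Policy ...` in the shared block at -50,9 removes both headers for every virtual host, while the preceding `proxy_hide_header X-Frame-Options` and `proxy_hide_header Content-Security-Policy` still strip whatever the upstream application sends — so no host now carries any frame-ancestors protection and referrers fall back to the browser default. If one application needs to be framed (the new microbin host, perhaps), restoring the two lines here and overriding them in that host's `extraConfig` keeps the rest protected. The new `"microbin.ataraxiadev.com"` location block looks consistent with the other proxied hosts.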


@ -4,7 +4,7 @@
database.username = "roundcube";
dicts = with pkgs.aspellDicts; [ en ru ];
extraConfig = ''
$config['default_host'] = array(
$config['imap_host'] = array(
'tls://mail.ataraxiadev.com' => "AtaraxiaDev's Mail Server",
'ssl://imap.gmail.com:993' => 'Google Mail',
);
@ -13,10 +13,13 @@
'mail.gmail.com' => 'gmail.com',
);
$config['x_frame_options'] = false;
$config['smtp_host'] = "tls://${config.mailserver.fqdn}:587";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
hostName = "webmail.ataraxiadev.com";
maxAttachmentSize = 25;
plugins = [ "carddav" "persistent_login" ];
maxAttachmentSize = 50;
plugins = [ "carddav" "persistent_login" "managesieve" ];
package = pkgs.roundcube.withPlugins (plugins:
with plugins; [ carddav persistent_login ]
);
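Review bot: `plugins = [ "carddav" "persistent_login" "managesieve" ];` adds managesieve, but the `package = pkgs.roundcube.withPlugins (...)` list right below still names only `carddav persistent_login`. If I read this right that is intentional, since managesieve is bundled with Roundcube itself and only out-of-tree plugins need `withPlugins`, but the asymmetry is easy to misread as an omission, so a comment such as `# managesieve ships with roundcube; withPlugins lists only third-party plugins` on the `package` line would help.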


@ -6,7 +6,7 @@
services.vaultwarden = {
enable = true;
# backupDir = "/backups/vaultwarden";
backupDir = "/backups/vaultwarden";
config = {
domain = "https://vw.ataraxiadev.com";
extendedLogging = true;