server things

This commit is contained in:
Dmitriy Kholkin 2022-08-31 11:37:26 +03:00
parent 0a7748b293
commit 44a15ee850
12 changed files with 2147 additions and 29 deletions


@ -8,6 +8,7 @@
fail2ban fail2ban
gitea gitea
mailserver mailserver
microbin
nginx nginx
roundcube roundcube
seafile seafile
@ -15,6 +16,7 @@
battery-historian battery-historian
media-stack media-stack
duplicacy
]; ];
deviceSpecific.devInfo = { deviceSpecific.devInfo = {


@ -10,6 +10,7 @@ with config.deviceSpecific; {
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
builders-use-substitutes = true
''; '';
settings = { settings = {
@ -37,6 +38,7 @@ with config.deviceSpecific; {
sshUser = "alukard"; sshUser = "alukard";
sshKey = config.secrets.ssh-builder.decrypted; sshKey = config.secrets.ssh-builder.decrypted;
systems = [ "x86_64-linux" ]; systems = [ "x86_64-linux" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
} }
]; ];
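Review bot: `builders-use-substitutes = true` (L31) makes each remote builder fetch a build's inputs through its own `substituters`, so the builder's `substituters` and `trusted-public-keys` have to be kept in step with this host's `nix.settings`; otherwise inputs come from whatever caches the builder trusts, or the build falls back to uploading them. The new `supportedFeatures` (L38) advertises `kvm`, `benchmark` and `big-parallel` for the remote machine, which is a claim about that host, not this one — if `/dev/kvm` is absent there, derivations requiring it are scheduled onto the builder and fail instead of running locally. A comment above the list such as `# keep in sync with the builder: /dev/kvm present, same substituters + trusted keys` would make that coupling visible to whoever changes either side. The `buildMachines` entry this belongs to starts before the hunk.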


@ -33,6 +33,7 @@ with lib; {
hyprpaper = pkgs.callPackage ./packages/hyprpaper.nix { src = inputs.hyprpaper; }; hyprpaper = pkgs.callPackage ./packages/hyprpaper.nix { src = inputs.hyprpaper; };
ibm-plex-powerline = pkgs.callPackage ./packages/ibm-plex-powerline.nix { }; ibm-plex-powerline = pkgs.callPackage ./packages/ibm-plex-powerline.nix { };
kitti3 = pkgs.python3Packages.callPackage ./packages/kitti3.nix { }; kitti3 = pkgs.python3Packages.callPackage ./packages/kitti3.nix { };
microbin = pkgs.callPackage ./packages/microbin-pkg { };
mpris-ctl = pkgs.callPackage ./packages/mpris-ctl.nix { }; mpris-ctl = pkgs.callPackage ./packages/mpris-ctl.nix { };
parsec = pkgs.callPackage ./packages/parsec.nix { }; parsec = pkgs.callPackage ./packages/parsec.nix { };
reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { }; reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { };
@ -57,12 +58,10 @@ with lib; {
src = inputs.qbittorrent-ee; src = inputs.qbittorrent-ee;
}); });
nix = if !config.deviceSpecific.isServer then nix = inputs.nix.packages.${system}.default.overrideAttrs (oa: {
inputs.nix.packages.${system}.default.overrideAttrs (oa: { doInstallCheck = false;
doInstallCheck = false; patches = [ ./nix/nix.patch ] ++ oa.patches or [ ];
patches = [ ./nix/nix.patch ] ++ oa.patches or [ ]; });
})
else pkgs.nixFlakes;
} }
) )
]; ];
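Review bot: The `nix` override at L55-58 is now unconditional, so servers that the removed `else pkgs.nixFlakes` branch kept on a stock Nix will also run the flake-input build with `./nix/nix.patch` applied and `doInstallCheck = false`. Skipping the install tests on the binary that becomes the privileged nix-daemon removes the one test pass that would catch a bad patch, and nothing in the hunk records what the patch changes or why the checks are off. Either keep `doInstallCheck` enabled for the `isServer` case, or at least document the override in place: `# nix.patch: <what it changes>; install tests skipped because <reason> — verify before deploying to servers`. The overlay attribute set this sits in starts before the hunk.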



@ -0,0 +1,26 @@
{ lib, fetchFromGitHub, rustPlatform }:
rustPlatform.buildRustPackage rec {
pname = "microbin";
version = "1.1.0";
src = fetchFromGitHub {
owner = "szabodanika";
repo = pname;
rev = "v${version}";
sha256 = "1ppm34sj01pwwfyyy433k7r6li9ckngjq6j9xjjb2k184hzy2dva";
};
cargoPatches = [
./add-Cargo.lock.patch
];
cargoSha256 = "sha256-AkFrS26uwJgHXwXWnSU4FRwWA7c3iZmpZ35QiKKk18s=";
meta = with lib; {
description = "A tiny, self-contained, configurable paste bin and URL shortener written in Rust.";
homepage = "https://github.com/szabodanika/microbin";
license = licenses.bsd3;
maintainers = [ ];
};
}
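Review bot: `cargoPatches = [ ./add-Cargo.lock.patch ]` (L80-82) suggests upstream v1.1.0 ships no `Cargo.lock`, in which case the exact version of every transitive crate is chosen by this locally written patch and frozen by `cargoSha256` (L83) rather than by upstream. That dependency set should be audited (for example `cargo audit` against the generated lockfile before the hash is regenerated) and regenerated on each version bump instead of carried forward, because a stale lock silently pins crates with known advisories. A comment above `cargoPatches` records the responsibility: `# upstream has no Cargo.lock; generated locally with cargo generate-lockfile — re-run cargo audit and regenerate on version bumps`. `license = licenses.bsd3` and the empty `maintainers` (L87-88) are asserted rather than derived from anything in the expression, so they should be checked against upstream's LICENSE file.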


@ -0,0 +1,75 @@
{ config, lib, pkgs, ... }:
let
start-backup = ''
#!${pkgs.runtimeShell}
export DUPLICACY_GCD_TOKEN=/var/secrets/gcd-token
export DUPLICACY_PASSWORD=$(cat /var/secrets/duplicacy-pass)
if [ ! -d "/backups/.duplicacy" ]; then
echo "First init duplicacy repo with \"duplicacy init -e gcd://<folder-in-gdisk>\""
exit 1
fi
if [ ! -d "/backups/var" ]; then
mkdir -p /backups/var
fi
if [ ! -L "/backups/var/dkim" ]; then
ln -s /var/dkim /backups/var/dkim
fi
if [ ! -L "/backups/var/vmail" ]; then
ln -s /var/vmail /backups/var/vmail
fi
if [ ! -L "/backups/var/microbin" ]; then
ln -s /var/microbin /backups/var/microbin
fi
if [ ! -L "/backups/gitea" ]; then
ln -s /gitea /backups/gitea
fi
cd /backups
duplicacy backup
'';
start-prune = ''
#!${pkgs.runtimeShell}
export DUPLICACY_GCD_TOKEN=/var/secrets/gcd-token;
export DUPLICACY_PASSWORD=$(cat /var/secrets/duplicacy-pass);
if [ ! -d "/backups/.duplicacy" ]; then
echo "First init duplicacy repo with \"duplicacy init -e gcd://<folder-in-gdisk>\""
exit 1
fi
cd /backups
duplicacy prune -keep 0:30 -keep 7:14 -keep 1:7
'';
in {
secrets.gcd-token.services = [ ];
secrets.duplicacy-pass.services = [ ];
systemd.services.duplicacy-backup = {
serviceConfig.Type = "oneshot";
path = [ pkgs.duplicacy ];
script = start-backup;
};
systemd.timers.duplicacy-backup = {
wantedBy = [ "timers.target" ];
partOf = [ "duplicacy-backup.service" ];
timerConfig.OnCalendar = [ "*-*-* 05:00:00" ];
};
systemd.services.duplicacy-prune = {
serviceConfig.Type = "oneshot";
path = [ pkgs.duplicacy ];
script = start-prune;
};
systemd.timers.duplicacy-prune = {
wantedBy = [ "timers.target" ];
partOf = [ "duplicacy-prune.service" ];
timerConfig.OnCalendar = [ "*-*-* 01:00:00" ];
};
}
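Review bot: The symlinks created at L108-116 sit one level below the repository root (`/backups/var/dkim`, `/backups/var/vmail`, `/backups/var/microbin`), and duplicacy's documentation describes following symlinks only at the first level of the repository while storing deeper ones as links — if that holds for the installed version, the mail store and the DKIM private keys are not actually captured, while `/backups/gitea` (first level, L118) is. Linking them at the root instead, `ln -s /var/vmail /backups/vmail` (likewise for `dkim` and `microbin`), does not depend on that behaviour, and a `duplicacy list -files` after the first run should show vmail contents. Both secrets here declare `services = [ ]` (L135-136), unlike `secrets.microbin-pass.services = [ "microbin.service" ]` in the microbin module, so nothing orders the backup unit after the secrets exist, and since `export X=$(cat …)` reports only the assignment's status, an unreadable `/var/secrets/duplicacy-pass` yields an empty `DUPLICACY_PASSWORD` instead of an abort — add `[ -s /var/secrets/duplicacy-pass ] || exit 1` before the export. The timers also lack `Persistent = true`, so a 05:00 run missed while the host is down is skipped rather than caught up.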


@ -7,12 +7,10 @@
services.gitea = { services.gitea = {
enable = true; enable = true;
appName = "AtaraxiaDev's Gitea Instance"; appName = "AtaraxiaDev's Gitea Instance";
cookieSecure = true;
database = { database = {
type = "postgres"; type = "postgres";
passwordFile = config.secrets.gitea.decrypted; passwordFile = config.secrets.gitea.decrypted;
}; };
disableRegistration = true;
domain = "code.ataraxiadev.com"; domain = "code.ataraxiadev.com";
httpPort = 6000; httpPort = 6000;
lfs.enable = true; lfs.enable = true;
@ -27,6 +25,12 @@
FILE_MAX_SIZE = 100; FILE_MAX_SIZE = 100;
MAX_FILES = 10; MAX_FILES = 10;
}; };
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
ui = { ui = {
DEFAULT_THEME = "arc-green"; DEFAULT_THEME = "arc-green";
}; };


@ -88,10 +88,14 @@ in {
ataraxiadev.com OK ataraxiadev.com OK
mail.ataraxiadev.com OK mail.ataraxiadev.com OK
127.0.0.0/8 OK 127.0.0.0/8 OK
10.0.0.0/8 OK
172.16.0.0/12 OK
192.168.0.0/16 OK 192.168.0.0/16 OK
''; '';
headerChecks = [
{
action = "IGNORE";
pattern = "/^User-Agent.*Roundcube Webmail/";
}
];
}; };
mailserver = rec { mailserver = rec {
enable = true; enable = true;
@ -103,18 +107,12 @@ in {
loginAccounts = { loginAccounts = {
"ataraxiadev@ataraxiadev.com" = { "ataraxiadev@ataraxiadev.com" = {
aliases = aliases =
[ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" ]; [ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" "ark@ataraxiadev.com" "ark" ];
hashedPasswordFile = config.secrets.mailserver.decrypted; hashedPasswordFile = config.secrets.mailserver.decrypted;
}; };
"minichka76@ataraxiadev.com" = { "minichka76@ataraxiadev.com" = {
aliases = [ aliases =
"minichka76" [ "minichka76" "kpoxa@ataraxiadev.com" "kpoxa" ];
"kpoxa@ataraxiadev.com" "kpoxa"
"kpoxa1@ataraxiadev.com" "kpoxa1"
"kpoxa2@ataraxiadev.com" "kpoxa2"
"kpoxa3@ataraxiadev.com" "kpoxa3"
"kpoxa4@ataraxiadev.com" "kpoxa4"
];
hashedPasswordFile = config.secrets.mailserver-minichka.decrypted; hashedPasswordFile = config.secrets.mailserver-minichka.decrypted;
}; };
"vaultwarden@ataraxiadev.com" = { "vaultwarden@ataraxiadev.com" = {
@ -126,16 +124,18 @@ in {
hashedPasswordFile = config.secrets.mailserver-seafile.decrypted; hashedPasswordFile = config.secrets.mailserver-seafile.decrypted;
}; };
}; };
hierarchySeparator = "/";
localDnsResolver = false; localDnsResolver = false;
certificateScheme = 1; certificateScheme = 1;
certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem"; certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem"; keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
enableManageSieve = true;
enableImap = true; enableImap = true;
enableImapSsl = false; enableImapSsl = true;
# enablePop3 = true; enablePop3 = false;
# enablePop3Ssl = false; enablePop3Ssl = false;
enableSubmission = true; enableSubmission = true;
enableSubmissionSsl = false; enableSubmissionSsl = true;
virusScanning = false; virusScanning = false;
}; };
} }
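Review bot: Adding `10.0.0.0/8` and `172.16.0.0/12` (L194-195) next to the existing `127.0.0.0/8` and `192.168.0.0/16` whitelists the entire RFC 1918 space, so any host that reaches the MTA from a private source address — container networks, VPN peers, other tenants in a shared cloud VPC — receives whatever this list grants (relaying or bypass of the restriction it feeds) without authenticating. Narrow each entry to the subnets actually in use, e.g. `172.17.0.0/16   OK  # docker bridge` or the specific WireGuard `/24`, and label each line with the network it stands for so the next reader can tell a deliberate grant from a convenience. `hierarchySeparator = "/"` (L230) changes how existing nested folders are presented over IMAP on an already-deployed server, so it is worth confirming that clients re-list and resubscribe cleanly after the switch. The access-list string this hunk edits starts before the hunk.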


@ -0,0 +1,20 @@
{ config, pkgs, lib, ... }: {
secrets.microbin-pass.services = [ "microbin.service" ];
systemd.services.microbin = {
description = "MicroBin";
path = [ pkgs.microbin ];
script = ''
mkdir -p /var/microbin
cd /var/microbin
MICROBIN_PASS=$(cat /var/secrets/microbin-pass)
microbin --editable --highlightsyntax --private -b 127.0.0.1 -p 9988 --auth-username ataraxiadev --auth-password $MICROBIN_PASS
'';
serviceConfig = {
Restart = "always";
Type = "simple";
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
}
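Review bot: `--auth-password $MICROBIN_PASS` (L258) places the admin password on the microbin process's command line, where it is readable by every local account through `/proc/<pid>/cmdline` and `ps` for the life of the service, so a compromise of any other service user on the host exposes it and the secret file under `/var/secrets` buys little. If the 1.1.0 CLI reads the value from the environment (clap `env` on the auth flags), pass it that way and drop the flag; otherwise at least run `exec microbin … --auth-password "$MICROBIN_PASS"` so the value is quoted (unquoted, a password with whitespace or glob characters is mangled) and no shell wrapper lingers, and bound the exposure with a dedicated `User=` or `hidepid` on `/proc`. The unit also runs as root with `mkdir -p /var/microbin` and no `User=`, `ProtectSystem=` or `NoNewPrivileges=`; a service that accepts network uploads (up to 40M via the nginx vhost) should run unprivileged with `/var/microbin` as its only writable path.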


@ -34,6 +34,7 @@
"kavita.ataraxiadev.com" "kavita.ataraxiadev.com"
"shoko.ataraxiadev.com" "shoko.ataraxiadev.com"
"bathist.ataraxiadev.com" "bathist.ataraxiadev.com"
"microbin.ataraxiadev.com"
]; ];
}; };
}; };
@ -50,9 +51,9 @@
proxy_hide_header X-Frame-Options; proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy; proxy_hide_header Content-Security-Policy;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com moz-extension://43a2224f-fe82-45d7-bdc3-c218984e73c8"; # add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com moz-extension://43a2224f-fe82-45d7-bdc3-c218984e73c8";
add_header X-Robots-Tag "none"; add_header X-Robots-Tag "none";
add_header Referrer-Policy "strict-origin-when-cross-origin"; # add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
''; '';
virtualHosts = let virtualHosts = let
@ -221,6 +222,20 @@
''; '';
}; };
} // default; } // default;
"microbin.ataraxiadev.com" = {
locations."/" = {
proxyPass = "http://localhost:9988";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
client_max_body_size 40M;
'';
} // default;
};
}; };
}; };
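Review bot: Commenting out the global `Content-Security-Policy "frame-ancestors …"` (L283) removes the last framing protection, because the same block already strips the upstream's `X-Frame-Options` (L280) and its CSP (L281) — every proxied app under `*.ataraxiadev.com` is now embeddable from any origin and open to clickjacking, and `X-XSS-Protection` (L282) is a deprecated no-op in current browsers, not a substitute. If a single vhost needs framing (roundcube already sets `x_frame_options = false`), keep the header global and override it in that vhost's `extraConfig` rather than dropping it everywhere: restore `add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com";` here, leaving out the `moz-extension://` UUID, which is per-profile random in Firefox and only ever matched one browser profile. Dropping `Referrer-Policy` (L285) matters less since modern browsers default to `strict-origin-when-cross-origin`, but the explicit header costs nothing and covers older clients. The `services.nginx` configuration these lines belong to starts before the hunk.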


@ -4,7 +4,7 @@
database.username = "roundcube"; database.username = "roundcube";
dicts = with pkgs.aspellDicts; [ en ru ]; dicts = with pkgs.aspellDicts; [ en ru ];
extraConfig = '' extraConfig = ''
$config['default_host'] = array( $config['imap_host'] = array(
'tls://mail.ataraxiadev.com' => "AtaraxiaDev's Mail Server", 'tls://mail.ataraxiadev.com' => "AtaraxiaDev's Mail Server",
'ssl://imap.gmail.com:993' => 'Google Mail', 'ssl://imap.gmail.com:993' => 'Google Mail',
); );
@ -13,10 +13,13 @@
'mail.gmail.com' => 'gmail.com', 'mail.gmail.com' => 'gmail.com',
); );
$config['x_frame_options'] = false; $config['x_frame_options'] = false;
$config['smtp_host'] = "tls://${config.mailserver.fqdn}:587";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
''; '';
hostName = "webmail.ataraxiadev.com"; hostName = "webmail.ataraxiadev.com";
maxAttachmentSize = 25; maxAttachmentSize = 50;
plugins = [ "carddav" "persistent_login" ]; plugins = [ "carddav" "persistent_login" "managesieve" ];
package = pkgs.roundcube.withPlugins (plugins: package = pkgs.roundcube.withPlugins (plugins:
with plugins; [ carddav persistent_login ] with plugins; [ carddav persistent_login ]
); );
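Review bot: `$config['smtp_host']` (L324) is one fixed server while `imap_host` (L316-319) still offers two backends, so with `smtp_user = "%u"` and `smtp_pass = "%p"` a user who signs in via `ssl://imap.gmail.com:993` has their Gmail username and password submitted to `mail.ataraxiadev.com:587`, where the login fails and the credential has left the origin it belongs to. Roundcube accepts a per-IMAP-host map for this setting, e.g. `$config['smtp_host'] = ['mail.ataraxiadev.com' => 'tls://${config.mailserver.fqdn}:587', 'imap.gmail.com' => 'ssl://smtp.gmail.com:465'];` (keys are the IMAP host without scheme or port in 1.6 — confirm against the installed version's `defaults.inc.php`), or the Gmail entry should be removed if it is no longer used. `managesieve` is added to `plugins` (L330) but not to `withPlugins` (L331-332), which is fine because it ships with core; a comment such as `# managesieve is bundled with roundcube, no withPlugins entry needed` would stop the two lists from looking out of sync. The `extraConfig` string and the enclosing `services.roundcube` block start before the hunk.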


@ -6,7 +6,7 @@
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
# backupDir = "/backups/vaultwarden"; backupDir = "/backups/vaultwarden";
config = { config = {
domain = "https://vw.ataraxiadev.com"; domain = "https://vw.ataraxiadev.com";
extendedLogging = true; extendedLogging = true;