fuckwit/nix-config
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Activity

new beginning

Browse Source
This commit is contained in:
fuckwit
2024-06-30 23:27:40 +02:00
commit ec1513fbf3
52 changed files with 5459 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

288
nixos/primordial/configuration.nix Normal file
View File

@ -0,0 +1,288 @@
{
config,
pkgs,
...
}: let
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets."gitea.env" = {};
sops.secrets."keycloak_db_pw" = {};
imports = [
./mail.nix
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking = {
hostName = "primordial";
interfaces.enp1s0 = {
ipv6.addresses = [
{
address = "2a01:4f8:c010:b448::";
prefixLength = 64;
}
];
};
defaultGateway6 = {
address = "fe80::1";
interface = "enp1s0";
};
firewall = {
enable = true;
allowedTCPPorts = [80 443];
};
};
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
security.acme.acceptTerms = true;
security.acme.defaults.email = "huanzodev@gmail.com";
services = {
openssh = {
enable = true;
ports = [22];
openFirewall = true;
settings = {
PermitRootLogin = "yes";
PasswordAuthentication = false;
};
};
postgresql = {
enable = true;
ensureDatabases = ["matrix-synapse"];
ensureUsers = [
{
name = "matrix-synapse";
ensureDBOwnership = true;
}
];
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
host all all 127.0.0.1/32 md5
'';
};
matrix-synapse = {
enable = true;
settings.server_name = "fuckwit.dev";
# The public base URL value must match the `base_url` value set in `clientConfig` above.
# The default value here is based on `server_name`, so if your `server_name` is different
# from the value of `fqdn` above, you will likely run into some mismatched domain names
# in client applications.
settings.public_baseurl = "https://matrix.fuckwit.dev";
settings.listeners = [
{
port = 8005;
bind_addresses = ["127.0.0.1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation"];
compress = true;
}
];
}
];
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."fuckwit.dev" = let
serverConfig."m.server" = "matrix.fuckwit.dev:443";
clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
in {
enableACME = true;
forceSSL = true;
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://element-hq.github.io/synapse/latest/delegate.html
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
virtualHosts."matrix.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
# It's also possible to do a redirect here or something else, this vhost is not
# needed for Matrix. It's recommended though to *not put* element
# here, see also the section about Element.
locations."/".extraConfig = ''
return 404;
'';
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
# Forward requests for e.g. SSO and password-resets.
locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
};
virtualHosts."vault.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
};
};
virtualHosts."git.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8001";
};
};
virtualHosts."grafana.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8002";
proxyWebsockets = true;
};
};
virtualHosts."influx.fuckwit.dev" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8003";
proxyWebsockets = true;
};
};
virtualHosts."sso.fuckwit.dev" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8004";
proxyWebsockets = true;
};
};
# virtualHosts."drone.fuckwit.dev" = {
# enableACME = true;
# addSSL = true;
# locations."/" = {
# proxyPass = "http://127.0.0.1:8004";
# proxyWebsockets = true;
# };
# };
};
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://vault.fuckwit.dev";
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8000;
SIGNUPS_ALLOWED = false;
};
};
gitea = {
enable = true;
settings.service.DISABLE_REGISTRATION = true;
settings.actions.ENABLED = true;
settings.server = {
DOMAIN = "git.fuckwit.dev";
ROOT_URL = "https://git.fuckwit.dev";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 8001;
};
lfs.enable = true;
};
grafana = {
enable = true;
settings.server = {
domain = "grafana.fuckwit.dev";
http_addr = "127.0.0.1";
http_port = 8002;
};
};
influxdb2 = {
enable = true;
settings = {
http-bind-address = "127.0.0.1:8003";
};
};
keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
passwordFile = config.sops.secrets."keycloak_db_pw".path;
};
settings = {
hostname = "sso.fuckwit.dev";
http-host = "127.0.0.1";
http-port = 8004;
proxy = "edge";
};
};
# drone-server = {
# enable = true;
# config = {
# giteaServer = "https://git.fuckwit.dev";
# serverHost = "drone.fuckwit.dev";
# serverPort = ":8004";
# serverProto = "https";
# };
# environmentFile = config.sops.secrets."gitea.env".path;
# };
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDl3vLxNpinilTJp1rGsSYlVi+hIa+oECtge1i8bwz33AAAACHNzaDptYWlu"
];
system.stateVersion = "23.05";
}

53
nixos/primordial/hardware-configuration.nix Normal file
View File

@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd = {
availableKernelModules = ["virtio_pci" "usbhid" "sd_mod" "sr_mod" "virtio_scsi"];
kernelModules = ["dm-snapshot"];
network.enable = true;
network.ssh = {
enable = true;
port = 222;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
];
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
};
luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/9f88803e-558d-4819-a223-df88396071fe";
preLVM = true;
};
};
};
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/1837e2be-189b-49be-b518-8b2bbc49e27e";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7E04-4E21";
fsType = "vfat";
};
swapDevices = [];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

20
nixos/primordial/mail.nix Normal file
View File

@ -0,0 +1,20 @@
{
config,
pkgs,
...
}: {
mailserver = {
enable = true;
fqdn = "mail.fuckwit.dev";
domains = ["fuckwit.dev"];
loginAccounts = {
"me@fuckwit.dev" = {
hashedPassword = "$2b$05$Wl7pyRXrNBaUSuufqor9ZuJWeXxRaF.6kpbvHoxEp3i65Lnu5Yyg.";
catchAll = ["fuckwit.dev"];
};
};
certificateScheme = "acme-nginx";
};
}

34
nixos/primordial/secrets.yaml Normal file
View File

@ -0,0 +1,34 @@
gitea.env: ENC[AES256_GCM,data:wkSPzLQtL3vGNIjG+jG6I3+R7wLBBdXeaCHbKxMbpVOldo8zrPLu8HdoryneRro58d7D9Cao9x+n5SvYNfGwHPgDJG8saXTeyEffIWIKNC+5+8fjiWwIkAvstckmZjSLitVxcwhifs49jmZgW/xQBPEPiAHzVkjeueV7p/Jm9WgyD2ycPrKUvNEYJ6DWZqQq9r10Y/KsRZsvRzF2cp6YeX7YGjW7E2wuQz9yy8gOFHxmoJxAc4zM7XaKZWKtow1UPCjTtxiY7qRkWK7KQt21Xf3FCsU=,iv:qQv7hbqh3Kl6sE/XW37D9AbYt4gLJw5BnfbbLIkzOd4=,tag:g6Cecvdb67W01HvIULNzsQ==,type:str]
keycloak_db_pw: ENC[AES256_GCM,data:1oBqzpFokAmjkT770YKYwzCllaGTprtDR9W4B/+V6ZUXPhJ1R9DNWZHqpQ==,iv:dK36GBiDj12HVjUkZqTVk/rR6s1sf6dmQTk1ZJQwi+I=,tag:6Ix9QSf+A0U82sG0z8wSmw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12u7ayy2q5dps2pcpc6z7962pz07jxv3tt03hna6jyumlu4fdjvtqdg2n3e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdzZwcllIMEwwVXFlVDVi
WjJOUmlKbVRmWllpWnhtdWZJclBxM2o2bFRNCmo3citJUTFPS2x0ekVZSnIzRkRI
VFgrenZDbTZFbm1wS0pLU2swVnhVNlkKLS0tIGhTWnpEZElSc2RJTWNTaWV0TjhG
V1h2NGxyNVc3WnF2ZFBpQm1oK1AzeGcK4GoD2E8nwOl/WKtgMgs0Y1Q8abRX4mpy
GdHGDQUWvySCisJo4JXsooYkLjOyKvir+vcVbX4nDd4L1W2OMULkrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-25T19:17:29Z"
mac: ENC[AES256_GCM,data:Qnou0/umwMX2XD7gDF6SceFI5tLjOO30OVhFSXhxc2yuFj/gB0R1bPplLm5j/wmxfRQDvvm2zLgGFMqt+8i4Z+6OYgbuwFcv4FR2E001aWVj1zh+F8pRZVTxqnsvegoKWQwoXkhZe5S/fjX9N09SMYhBkjLUh9fboGXajEpDws8=,iv:hTQgeyli/MPaUVxJSzhDK+ssxv78w7hRBtQ1pnZGASg=,tag:HDKQ2duHMYvGa74Vp0fIjw==,type:str]
pgp:
- created_at: "2024-01-25T11:10:44Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DMGJRmcuHhnsSAQdAzUIeSKtxy9kMAxDPoaY3n6avZ6DgxInoP3PjyrTgERww
7D6dPyaBVNIVKR54ZNYfMtPDescbDV4W3c3MI+eTsi76BqbFEdLHfShlKcWy9FZ1
1GgBCQIQRMPHNYC1ef7LAasDcVtWsSfakMk1RQ8FmOPPXLdRJQUAqBJ6gwJG6f+V
oXE5qUuvVjEvZzIxuhmVBb+mlLRq4UVW6brjH65Gfh8ofXWzHmLLXbEHI31HUc4e
7GBBHbB8U36bxQ==
=VHqv
-----END PGP MESSAGE-----
fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
unencrypted_suffix: _unencrypted
version: 3.8.1