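# NixOS host "primordial": Synapse behind nginx, Vaultwarden, Gitea, Grafana,
# InfluxDB, mail (./mail.nix) and a restic backup of the mail spool.
# Secrets are decrypted by sops-nix from ./secrets.yaml.
{ config, pkgs, ... }:
let
  # Render a static attribute set as an nginx location body that answers every
  # request with the set serialised to JSON.  The wildcard CORS header is what
  # the Matrix .well-known endpoints need, because clients fetch them cross-origin.
  # The JSON lands inside an nginx single-quoted string, so `data` must not
  # contain a single quote; both callers below pass fixed literals.
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in
{
  sops.defaultSopsFile = ./secrets.yaml;
  # gitea.env and keycloak_db_pw are only referenced from the commented-out
  # drone-server / keycloak blocks below, but are still declared (and decrypted).
  sops.secrets."gitea.env" = { };
  sops.secrets."keycloak_db_pw" = { };
  sops.secrets."restic_mail_repository_password" = { };
  sops.secrets."restic_ssh_key" = { };

  imports = [
    ./mail.nix
    ./hardware-configuration.nix
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking = {
    hostName = "primordial";
    interfaces.enp1s0 = {
      ipv6.addresses = [
        {
          address = "2a01:4f8:c010:b448::";
          prefixLength = 64;
        }
      ];
    };
    defaultGateway6 = {
      address = "fe80::1";
      interface = "enp1s0";
    };
    firewall = {
      enable = true;
      # Only HTTP/HTTPS here; port 22 is opened by services.openssh.openFirewall.
      # Every application below binds to 127.0.0.1 and is reached through nginx.
      allowedTCPPorts = [ 80 443 ];
    };
  };

  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "huanzodev@gmail.com";

  services = {
    openssh = {
      enable = true;
      ports = [ 22 ];
      openFirewall = true;
      settings = {
        # Root logs in only with the keys listed under users.users.root below.
        # "prohibit-password" (instead of "yes") together with disabling
        # keyboard-interactive closes the PAM password path that
        # PasswordAuthentication = false alone leaves open for root.
        PermitRootLogin = "prohibit-password";
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };

    postgresql = {
      enable = true;
      ensureDatabases = [ "matrix-synapse" ];
      ensureUsers = [
        {
          name = "matrix-synapse";
          ensureDBOwnership = true;
        }
      ];
      # NOTE(review): `trust` on the unix socket lets any local process, whichever
      # service account it runs under, connect as any role including the
      # superuser.  The only role ensured here is matrix-synapse, whose OS user
      # has the same name, so `peer` would be the drop-in replacement for socket
      # connections -- kept unchanged until it is confirmed that nothing in
      # ./mail.nix relies on passwordless socket access under another name.
      authentication = pkgs.lib.mkOverride 10 ''
        #type database DBuser auth-method
        local all all trust
        host all all 127.0.0.1/32 md5
      '';
    };

    matrix-synapse = {
      enable = true;
      settings.server_name = "fuckwit.dev";
      # The public base URL must match the `base_url` value set in `clientConfig`
      # in the nginx "fuckwit.dev" vhost below.  The default is derived from
      # `server_name`, so a mismatch between the two shows up as wrong domain
      # names in client applications.
      settings.public_baseurl = "https://matrix.fuckwit.dev";
      settings.listeners = [
        {
          port = 8005;
          # Loopback only; nginx terminates TLS and sets the X-Forwarded-* headers
          # that x_forwarded makes Synapse trust (safe because nothing else can
          # reach this port).
          bind_addresses = [ "127.0.0.1" ];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = [ "client" "federation" ];
              compress = true;
            }
          ];
        }
      ];
    };

    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;

      virtualHosts."fuckwit.dev" =
        let
          serverConfig."m.server" = "matrix.fuckwit.dev:443";
          clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
        in
        {
          enableACME = true;
          forceSSL = true;
          # This section is not needed if the server_name of matrix-synapse is equal to
          # the domain (i.e. example.org from @foo:example.org) and the federation port
          # is 8448.
          # Further reference can be found in the docs about delegation under
          # https://element-hq.github.io/synapse/latest/delegate.html
          locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
          # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
          # Further reference can be found in the upstream docs at
          # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
          locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
        };

      virtualHosts."matrix.fuckwit.dev" = {
        enableACME = true;
        forceSSL = true;
        # It's also possible to do a redirect here or something else, this vhost is not
        # needed for Matrix. It's recommended though to *not put* element
        # here, see also the section about Element.
        locations."/".extraConfig = ''
          return 404;
        '';
        # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
        # *must not* be used here.
        locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
        # Forward requests for e.g. SSO and password-resets.  Only the client
        # prefix is proxied; /_synapse/admin stays reachable from localhost only.
        locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
      };

      virtualHosts."vault.fuckwit.dev" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8000";
        };
      };

      virtualHosts."git.fuckwit.dev" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8001";
        };
      };

      virtualHosts."grafana.fuckwit.dev" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8002";
          proxyWebsockets = true;
        };
      };

      virtualHosts."influx.fuckwit.dev" = {
        enableACME = true;
        # addSSL (unlike forceSSL on the vhosts above) keeps plain HTTP on port 80
        # answering next to HTTPS, so credentials sent by a misconfigured client
        # travel in the clear.  Prefer forceSSL unless a plaintext client exists.
        addSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8003";
          proxyWebsockets = true;
        };
      };

      virtualHosts."sso.fuckwit.dev" = {
        enableACME = true;
        # Same addSSL remark as for influx.fuckwit.dev.  Nothing listens on 8004
        # while the keycloak block below stays commented out, so this vhost
        # currently answers with a proxy error.
        addSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8004";
          proxyWebsockets = true;
        };
      };

      # virtualHosts."drone.fuckwit.dev" = {
      #   enableACME = true;
      #   addSSL = true;
      #   locations."/" = {
      #     proxyPass = "http://127.0.0.1:8004";
      #     proxyWebsockets = true;
      #   };
      # };
    };

    vaultwarden = {
      enable = true;
      config = {
        DOMAIN = "https://vault.fuckwit.dev";
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8000;
        # Closed registration: accounts are created out of band.
        SIGNUPS_ALLOWED = false;
      };
    };

    gitea = {
      enable = true;
      settings.service.DISABLE_REGISTRATION = true;
      settings.actions.ENABLED = true;
      settings.server = {
        DOMAIN = "git.fuckwit.dev";
        ROOT_URL = "https://git.fuckwit.dev";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 8001;
      };
      lfs.enable = true;
    };

    grafana = {
      enable = true;
      settings.server = {
        domain = "grafana.fuckwit.dev";
        http_addr = "127.0.0.1";
        http_port = 8002;
        root_url = "https://grafana.fuckwit.dev";
      };
    };

    influxdb2 = {
      enable = true;
      settings = {
        http-bind-address = "127.0.0.1:8003";
      };
    };

    restic = {
      backups = {
        mail = {
          repository = "sftp:u169497-sub5@u169497.your-storagebox.de:mail";
          initialize = true;
          # The storage box's host key is taken from root's known_hosts; pinning it
          # through programs.ssh.knownHosts makes a first run or a key change fail
          # loudly instead of depending on whatever is cached on the host.
          extraOptions = [
            "sftp.command='ssh -p23 u169497-sub5@u169497.your-storagebox.de -i ${config.sops.secrets."restic_ssh_key".path} -s sftp'"
          ];
          passwordFile = config.sops.secrets."restic_mail_repository_password".path;
          paths = [ "/var/vmail" "/var/dkim" ];
          timerConfig = {
            OnCalendar = "00:05";
            RandomizedDelaySec = "1h";
          };
        };
      };
    };

    # keycloak = {
    #   enable = true;
    #
    #   database = {
    #     type = "postgresql";
    #     createLocally = true;
    #     passwordFile = config.sops.secrets."keycloak_db_pw".path;
    #   };
    #
    #   settings = {
    #     hostname = "sso.fuckwit.dev";
    #     http-host = "127.0.0.1";
    #     http-port = 8004;
    #     proxy = "edge";
    #   };
    # };

    # drone-server = {
    #   enable = true;
    #   config = {
    #     giteaServer = "https://git.fuckwit.dev";
    #     serverHost = "drone.fuckwit.dev";
    #     serverPort = ":8004";
    #     serverProto = "https";
    #   };
    #   environmentFile = config.sops.secrets."gitea.env".path;
    # };
  };

  # Public keys only (nothing secret here); every entry may log in as root,
  # which is the sole remote login path sshd permits for that account.
  users.users."root".openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDl3vLxNpinilTJp1rGsSYlVi+hIa+oECtge1i8bwz33AAAACHNzaDptYWlu"
  ];

  system.stateVersion = "23.05";
}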