354 lines
10 KiB
Nix
354 lines
10 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: let
|
|
makeVirtualHost = {
|
|
subdomain,
|
|
port,
|
|
}: {
|
|
name = "${subdomain}.fuckwit.dev";
|
|
value = {
|
|
forceSSL = true;
|
|
useACMEHost = "fuckwit.dev";
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
makeVirtualHosts = sites: builtins.listToAttrs (builtins.map makeVirtualHost sites);
|
|
|
|
mkWellKnown = data: ''
|
|
default_type application/json;
|
|
add_header Access-Control-Allow-Origin *;
|
|
return 200 '${builtins.toJSON data}';
|
|
'';
|
|
secretFile = name: config.sops.secrets.${name}.path;
|
|
in {
|
|
sops.defaultSopsFile = ./secrets.yaml;
|
|
sops.secrets."acme.env" = {};
|
|
sops.secrets."restic_mail_repository_password" = {};
|
|
sops.secrets."restic_ssh_key" = {};
|
|
sops.secrets."act-runner-token" = {};
|
|
sops.secrets."gitlab-db-password".owner = config.users.users.gitlab.name;
|
|
sops.secrets."gitlab-initial-root-pw".owner = config.users.users.gitlab.name;
|
|
sops.secrets."gitlab-db-key-base".owner = config.users.users.gitlab.name;
|
|
sops.secrets."gitlab-secret-key-base".owner = config.users.users.gitlab.name;
|
|
sops.secrets."gitlab-otp-key-base".owner = config.users.users.gitlab.name;
|
|
sops.secrets."gitlab-jws-key-pem".owner = config.users.users.gitlab.name;
|
|
sops.secrets."gitlab-runner-authentication-file" = {};
|
|
|
|
imports = [
|
|
./mail.nix
|
|
./hardware-configuration.nix
|
|
];
|
|
|
|
boot.loader.systemd-boot.enable = true;
|
|
boot.loader.efi.canTouchEfiVariables = true;
|
|
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
|
|
|
networking = {
|
|
hostName = "primordial";
|
|
|
|
interfaces.enp1s0 = {
|
|
ipv6.addresses = [
|
|
{
|
|
address = "2a01:4f8:c010:b448::";
|
|
prefixLength = 64;
|
|
}
|
|
];
|
|
};
|
|
|
|
defaultGateway6 = {
|
|
address = "fe80::1";
|
|
interface = "enp1s0";
|
|
};
|
|
|
|
firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [80 443];
|
|
};
|
|
};
|
|
|
|
time.timeZone = "Europe/Berlin";
|
|
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
email = "acme@fuckwit.dev";
|
|
dnsProvider = "cloudflare";
|
|
environmentFile = secretFile "acme.env";
|
|
dnsPropagationCheck = true;
|
|
};
|
|
|
|
certs."fuckwit.dev" = {
|
|
extraDomainNames = ["*.fuckwit.dev"];
|
|
};
|
|
};
|
|
users.users.nginx.extraGroups = ["acme"];
|
|
|
|
services = {
|
|
openssh = {
|
|
enable = true;
|
|
ports = [22];
|
|
openFirewall = true;
|
|
settings = {
|
|
PermitRootLogin = "yes";
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
|
|
postgresql = {
|
|
enable = true;
|
|
ensureDatabases = ["matrix-synapse"];
|
|
ensureUsers = [
|
|
{
|
|
name = "matrix-synapse";
|
|
ensureDBOwnership = true;
|
|
}
|
|
];
|
|
authentication = pkgs.lib.mkOverride 10 ''
|
|
#type database DBuser auth-method
|
|
local all all trust
|
|
host all all 127.0.0.1/32 md5
|
|
'';
|
|
};
|
|
|
|
gitlab = {
|
|
enable = true;
|
|
https = true;
|
|
host = "gitlab.fuckwit.dev";
|
|
port = 443;
|
|
databasePasswordFile = secretFile "gitlab-db-password";
|
|
initialRootPasswordFile = secretFile "gitlab-initial-root-pw";
|
|
secrets = {
|
|
secretFile = secretFile "gitlab-secret-key-base";
|
|
otpFile = secretFile "gitlab-otp-key-base";
|
|
dbFile = secretFile "gitlab-db-key-base";
|
|
jwsFile = secretFile "gitlab-jws-key-pem";
|
|
};
|
|
registry = {
|
|
enable = true;
|
|
package = pkgs.gitlab-container-registry;
|
|
defaultForProjects = true;
|
|
externalAddress = "https://registry-git.fuckwit.dev";
|
|
externalPort = 443;
|
|
keyFile = "/run/gitlab/registry.pem";
|
|
certFile = "/run/gitlab/registry.crt";
|
|
};
|
|
};
|
|
|
|
gitlab-runner = {
|
|
enable = true;
|
|
|
|
services = {
|
|
default = {
|
|
authenticationTokenConfigFile = secretFile "gitlab-runner-authentication-file";
|
|
dockerImage = "debian:stable";
|
|
};
|
|
};
|
|
};
|
|
|
|
matrix-synapse = {
|
|
enable = true;
|
|
settings.server_name = "fuckwit.dev";
|
|
# The public base URL value must match the `base_url` value set in `clientConfig` above.
|
|
# The default value here is based on `server_name`, so if your `server_name` is different
|
|
# from the value of `fqdn` above, you will likely run into some mismatched domain names
|
|
# in client applications.
|
|
settings.public_baseurl = "https://matrix.fuckwit.dev";
|
|
settings.listeners = [
|
|
{
|
|
port = 8005;
|
|
bind_addresses = ["127.0.0.1"];
|
|
type = "http";
|
|
tls = false;
|
|
x_forwarded = true;
|
|
resources = [
|
|
{
|
|
names = ["client" "federation"];
|
|
compress = true;
|
|
}
|
|
];
|
|
}
|
|
];
|
|
};
|
|
|
|
nginx = {
|
|
enable = true;
|
|
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
|
|
virtualHosts =
|
|
{
|
|
"fuckwit.dev" = let
|
|
serverConfig."m.server" = "matrix.fuckwit.dev:443";
|
|
clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
|
|
in {
|
|
useACMEHost = "fuckwit.dev";
|
|
forceSSL = true;
|
|
# This section is not needed if the server_name of matrix-synapse is equal to
|
|
# the domain (i.e. example.org from @foo:example.org) and the federation port
|
|
# is 8448.
|
|
# Further reference can be found in the docs about delegation under
|
|
# https://element-hq.github.io/synapse/latest/delegate.html
|
|
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
|
|
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
|
|
# Further reference can be found in the upstream docs at
|
|
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
|
|
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
|
|
};
|
|
|
|
"matrix.fuckwit.dev" = {
|
|
useACMEHost = "fuckwit.dev";
|
|
forceSSL = true;
|
|
# It's also possible to do a redirect here or something else, this vhost is not
|
|
# needed for Matrix. It's recommended though to *not put* element
|
|
# here, see also the section about Element.
|
|
locations."/".extraConfig = ''
|
|
return 404;
|
|
'';
|
|
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
|
|
# *must not* be used here.
|
|
locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
|
|
# Forward requests for e.g. SSO and password-resets.
|
|
locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
|
|
};
|
|
|
|
"gitlab.fuckwit.dev" = {
|
|
useACMEHost = "fuckwit.dev";
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
|
};
|
|
};
|
|
}
|
|
// makeVirtualHosts [
|
|
{
|
|
subdomain = "vault";
|
|
port = 8000;
|
|
}
|
|
{
|
|
subdomain = "git";
|
|
port = 8001;
|
|
}
|
|
{
|
|
subdomain = "grafana";
|
|
port = 8002;
|
|
}
|
|
{
|
|
subdomain = "influx";
|
|
port = 8003;
|
|
}
|
|
{
|
|
subdomain = "registry-git";
|
|
port = 4567;
|
|
}
|
|
];
|
|
};
|
|
|
|
vaultwarden = {
|
|
enable = true;
|
|
|
|
config = {
|
|
DOMAIN = "https://vault.fuckwit.dev";
|
|
ROCKET_ADDRESS = "127.0.0.1";
|
|
ROCKET_PORT = 8000;
|
|
SIGNUPS_ALLOWED = false;
|
|
};
|
|
};
|
|
|
|
gitea = {
|
|
enable = true;
|
|
|
|
settings.service.DISABLE_REGISTRATION = true;
|
|
settings.actions.ENABLED = true;
|
|
settings.server = {
|
|
DOMAIN = "git.fuckwit.dev";
|
|
ROOT_URL = "https://git.fuckwit.dev";
|
|
HTTP_ADDR = "127.0.0.1";
|
|
HTTP_PORT = 8001;
|
|
};
|
|
lfs.enable = true;
|
|
};
|
|
|
|
gitea-actions-runner.instances = {
|
|
docker-runner = {
|
|
enable = true;
|
|
name = "primordial-docker";
|
|
url = "https://git.fuckwit.dev";
|
|
tokenFile = config.sops.secrets."act-runner-token".path;
|
|
labels = [
|
|
"ubuntu-latest:docker://node:16-bullseye"
|
|
];
|
|
settings = {
|
|
runner.capacity = 5;
|
|
cache.enabled = false;
|
|
};
|
|
};
|
|
};
|
|
|
|
grafana = {
|
|
enable = true;
|
|
|
|
settings.server = {
|
|
domain = "grafana.fuckwit.dev";
|
|
http_addr = "127.0.0.1";
|
|
http_port = 8002;
|
|
root_url = "https://grafana.fuckwit.dev";
|
|
};
|
|
};
|
|
|
|
influxdb2 = {
|
|
enable = true;
|
|
|
|
settings = {
|
|
http-bind-address = "127.0.0.1:8003";
|
|
};
|
|
};
|
|
|
|
restic = {
|
|
backups = {
|
|
mail = {
|
|
repository = "sftp:u169497-sub5@u169497.your-storagebox.de:mail";
|
|
initialize = true;
|
|
extraOptions = [
|
|
"sftp.command='ssh -p23 u169497-sub5@u169497.your-storagebox.de -i ${config.sops.secrets."restic_ssh_key".path} -s sftp'"
|
|
];
|
|
passwordFile = config.sops.secrets."restic_mail_repository_password".path;
|
|
paths = ["/var/vmail" "/var/dkim"];
|
|
timerConfig = {
|
|
OnCalendar = "00:05";
|
|
RandomizedDelaySec = "1h";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
virtualisation.podman = {
|
|
enable = true;
|
|
dockerSocket.enable = true;
|
|
};
|
|
virtualisation.docker.enable = lib.mkForce false;
|
|
|
|
users.users."root".openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
|
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDl3vLxNpinilTJp1rGsSYlVi+hIa+oECtge1i8bwz33AAAACHNzaDptYWlu"
|
|
];
|
|
|
|
system.stateVersion = "23.05";
|
|
}
|