
improvements

This commit is contained in:
Lukas Wurzinger 2024-02-14 23:06:49 +01:00
parent 3ab713a5b3
commit 4bc84394c4
23 changed files with 289 additions and 74 deletions

78
hosts/abacus/conduit.nix Normal file

@ -0,0 +1,78 @@
{
config,
pkgs,
...
}: let
inherit (config.networking) domain;
subdomain = "matrix";
jsonFormat = pkgs.formats.json {};
wellKnownServer = jsonFormat.generate "well-known-matrix-server" {
"m.server" = "${subdomain}.${domain}:443";
};
wellKnownClient = jsonFormat.generate "well-known-matrix-client" {
"m.homeserver".base_url = "https://${subdomain}.${domain}";
};
in {
services.matrix-conduit = {
enable = true;
settings.global = {
server_name = domain;
address = "127.0.0.1";
port = 8010;
database_backend = "rocksdb";
allow_registration = false;
};
};
systemd.services.conduit.serviceConfig.LimitNOFILE = 8192;
services.nginx.virtualHosts = {
${domain}.locations = {
"=/.well-known/matrix/server" = {
alias = wellKnownServer;
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
'';
};
"=/.well-known/matrix/client" = {
alias = wellKnownClient;
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
'';
};
};
"${subdomain}.${domain}" = {
enableACME = true;
forceSSL = true;
quic = true;
locations = {
"/".return = "404";
"/_matrix/" = {
proxyPass = "http://${config.services.matrix-conduit.settings.global.address}:${toString config.services.matrix-conduit.settings.global.port}$request_uri";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
};
extraConfig = ''
merge_slashes off;
'';
};
};
}
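Review bot: The two `.well-known/matrix/*` locations are attached to the apex `${domain}` vhost rather than to `matrix.${domain}`, which is right for Matrix delegation but reads like a misplacement without a comment; I would put `# Matrix delegation: servers and clients fetch https://<domain>/.well-known/matrix/{server,client} from the apex, so these live on the ${domain} vhost; the wildcard CORS header is what the client-server spec asks for on the client file.` above `wellKnownServer`. `systemd.services.conduit.serviceConfig.LimitNOFILE = 8192;` also deserves a why, e.g. `# raise the fd limit; presumably for the rocksdb backend's many open files — confirm against conduit's logs`. The `proxy_set_header Host $host;` in the `/_matrix/` extraConfig appears redundant with `recommendedProxySettings = true` in nginx.nix, which already includes that header in proxied locations; harmless, but worth dropping or noting why it is repeated.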


@ -2,12 +2,13 @@
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
./conduit.nix
./forgejo.nix
./mailserver.nix
./navidrome.nix
./nextcloud.nix
./nginx.nix
./static.nix
./vaultwarden.nix
# TODO: dendrite/conduit, gitea/forgejo
];
nixpkgs.hostPlatform = "aarch64-linux";
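Review bot: The `# TODO: dendrite/conduit, gitea/forgejo` line at the end of the import list is resolved by this commit, which adds `./conduit.nix` and `./forgejo.nix`; the rendered page has lost the +/- markers, and the hunk's counts (12 → 13 with three new imports) suggest two lines were removed, presumably this TODO and `./static.nix`, whose file is deleted in the same commit. If either survives on the new side it should go: a stale TODO misleads, and importing the deleted `./static.nix` would break evaluation.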

38
hosts/abacus/forgejo.nix Normal file

@ -0,0 +1,38 @@
{config, ...}: let
virtualHostName = "tea.${config.networking.domain}";
in {
services.forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
settings = {
session = {
COOKIE_SECURE = true;
PROVIDER = "db";
};
service = {
DISABLE_REGISTRATION = true;
};
server = {
PROTOCOL = "http";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 8020;
DOMAIN = virtualHostName;
ROOT_URL = "https://${virtualHostName}/";
};
};
};
services.nginx.virtualHosts.${virtualHostName} = {
enableACME = true;
forceSSL = true;
quic = true;
locations."/".proxyPass = "http://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
};
}
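Review bot: `lfs.enable = true` is set but the `tea.${domain}` vhost keeps nginx's default `client_max_body_size` (1 MiB unless raised elsewhere in this config), so LFS uploads and larger `git push` over HTTPS will be rejected by nginx with 413 before they reach Forgejo; `locations."/" = { proxyPass = …; extraConfig = "client_max_body_size 512m;"; };` (512m is an example value) fixes that. Separately, this file, navidrome.nix and vaultwarden.nix write `builtins.toString` while conduit.nix uses bare `toString` for the same port interpolation; both work, but one spelling across the commit would read better. The Forgejo settings themselves look sound for a private instance (`DISABLE_REGISTRATION`, `COOKIE_SECURE`, loopback bind).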


@ -1,6 +1,16 @@
{config, ...}: let
inherit (config.networking) domain;
inherit (config.networking) fqdn;
{
config,
pkgs,
...
}: let
inherit (config.networking) domain fqdn;
wellKnownMtaSts = pkgs.writeText "" ''
version: STSv1
mode: enforce
mx: ${fqdn}
max_age: 86400
'';
in {
age.secrets.mail-lukas.file = ../../secrets/mail-lukas.age;
@ -19,7 +29,7 @@ in {
loginAccounts = {
"lukas@${domain}" = {
hashedPasswordFile = config.age.secrets.mail-lukas.path;
aliases = ["postmaster@${domain}"];
aliases = ["postmaster@${domain}" "vault@${domain}"];
};
};
@ -30,9 +40,20 @@ in {
services.dovecot2.sieve.extensions = ["fileinto"];
services.nginx.virtualHosts."mta-sts.${domain}" = {
locations."= /.well-known/mta-sts.txt".return = ''200 "version: STSv1\nmode: enforce\nmx: ${fqdn}\nmax_age: 86400"'';
enableACME = true;
forceSSL = true;
quic = true;
locations = {
"/".return = "404";
"=/.well-known/mta-sts.txt" = {
alias = wellKnownMtaSts;
extraConfig = ''
default_type text/plain;
'';
};
};
};
}
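Review bot: `pkgs.writeText ""` gives the MTA-STS policy derivation an empty name, which I expect Nix to reject at instantiation (store path names must not be empty), and even if it evaluated an unnamed store path is hard to recognise in the store; use `wellKnownMtaSts = pkgs.writeText "mta-sts.txt" ''`. The `max_age: 86400` in the policy is one day, whereas RFC 8461 expects values in the range of weeks so that a lapse in policy refresh cannot quickly downgrade senders; consider a larger value once the policy is known to be stable, and remember that the `_mta-sts` TXT record's id must change whenever this policy text changes. Moving the policy into a file served with `default_type text/plain` is an improvement over the old inline `return` with escaped newlines.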


@ -0,0 +1,24 @@
{config, ...}: {
services.navidrome = {
enable = true;
settings = {
Address = "127.0.0.1";
Port = 8030;
MusicFolder = "/srv/music";
};
};
services.nginx.virtualHosts."navi.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
quic = true;
locations."/".proxyPass = "http://${config.services.navidrome.settings.Address}:${builtins.toString config.services.navidrome.settings.Port}";
};
fileSystems.${config.services.navidrome.settings.MusicFolder} = {
device = "/dev/disk/by-label/music";
fsType = "btrfs";
options = ["compress=zstd" "noatime"];
};
}
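Review bot: `fileSystems.${config.services.navidrome.settings.MusicFolder}` mounts `/dev/disk/by-label/music` without `nofail`, so if the labelled disk is ever absent or unreadable at boot, systemd treats the mount as required and drops the host into emergency mode, taking every other service on this host down with the music library. Since Navidrome only needs the folder to exist, `options = ["compress=zstd" "noatime" "nofail"];` keeps the host booting; a one-line comment such as `# external music disk; optional at boot` would make the intent visible.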


@ -2,9 +2,7 @@
config,
pkgs,
...
}: let
hostName = "cloud.${config.networking.domain}";
in {
}: {
age.secrets.nextcloud-lukas = {
file = ../../secrets/nextcloud-lukas.age;
owner = "nextcloud";
@ -29,7 +27,7 @@ in {
enable = true;
package = pkgs.nextcloud28;
inherit hostName;
hostName = "cloud.${config.networking.domain}";
https = true;
configureRedis = true;
@ -61,7 +59,7 @@ in {
};
};
services.nginx.virtualHosts.${hostName} = {
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
enableACME = true;
forceSSL = true;
quic = true;


@ -15,6 +15,36 @@
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
commonHttpConfig = "access_log syslog:server=unix:/dev/log;";
commonHttpConfig = ''
error_log stderr;
access_log /var/log/nginx/access.log;
'';
virtualHosts = let
inherit (config.networking) domain;
in {
"~.*" = {
default = true;
rejectSSL = true;
globalRedirect = domain;
};
${domain} = {
enableACME = true;
forceSSL = true;
quic = true;
root = "/var/www/${domain}";
};
"log.${domain}" = {
enableACME = true;
forceSSL = true;
quic = true;
root = "/var/www/log.${domain}";
};
};
};
}
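Review bot: `access_log /var/log/nginx/access.log;` in the new `commonHttpConfig` moves client IPs and request lines from syslog into a plain file, and this hunk adds no rotation or retention for it; confirm that the NixOS nginx module's logrotate entry for `/var/log/nginx/*.log` is active on this host (or add one), and that the `log.${domain}` document root under `/var/www` is not where these logs land — the names invite that mix-up. A comment on the block would help: `# errors go to the journal via stderr; the access log is a file so it can be rotated and analysed separately`. The catch-all `"~.*"` vhost with `default = true`, `rejectSSL = true` and `globalRedirect = domain` is a good choice, since requests for unknown hostnames are no longer served by whichever vhost happens to be first.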


@ -1,20 +0,0 @@
{config, ...}: {
services.nginx = {
virtualHosts = let
inherit (config.networking) domain;
in {
${domain} = {
root = "/var/www/${domain}";
enableACME = true;
forceSSL = true;
quic = true;
};
"log.${domain}" = {
root = "/var/www/log.${domain}";
enableACME = true;
forceSSL = true;
quic = true;
};
};
};
}


@ -1,20 +1,38 @@
{config, ...}: let
inherit (config.networking) domain;
virtualHostName = "vault.${domain}";
in {
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://${virtualHostName}";
SIGNUPS_ALLOWED = false;
INVITATIONS_ALLOWED = true;
INVITATION_ORG_NAME = domain;
SMTP_HOST = config.mailserver.fqdn;
SMTP_PORT = 587;
SMTP_SECURITY = "force_tls";
SMTP_TIMEOUT = 15;
SMTP_FROM = "vault@${domain}";
SMTP_FROM_NAME = "Vaultwarden";
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8000;
};
};
services.nginx.virtualHosts."vault.${domain}" = {
locations."/".proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}";
services.nginx.virtualHosts.${virtualHostName} = {
enableACME = true;
forceSSL = true;
quic = true;
locations."/" = {
proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}";
proxyWebsockets = true;
};
};
}
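Review bot: `SMTP_SECURITY = "force_tls"` with `SMTP_PORT = 587` looks mismatched: in Vaultwarden `force_tls` means implicit TLS, which is the port-465 mode, while 587 is the STARTTLS submission port that Vaultwarden pairs with its default `starttls`; as written I would expect the connection to the mailserver to fail at the TLS handshake, so either `SMTP_SECURITY = "starttls";` or `SMTP_PORT = 465;` should be used. No `SMTP_USERNAME`/`SMTP_PASSWORD` are set either, and the submission port of the mailserver configured in mailserver.nix will presumably refuse an unauthenticated relay from `vault@${domain}` — confirm whether the same-host connection is exempt, otherwise supply credentials through an age secret (e.g. via `services.vaultwarden.environmentFile`) like the other secrets in this tree. A short comment on the SMTP block, `# invitation/2FA mail goes through the local mailserver; vault@${domain} is an alias of lukas@${domain} (mailserver.nix)`, would tie the alias added in this commit to its consumer.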


@ -1,5 +1,4 @@
{
pkgs,
inputs,
modulesPath,
...