diff --git a/configuration/common/default.nix b/config/common/default.nix
similarity index 96%
rename from configuration/common/default.nix
rename to config/common/default.nix
index e28c38a..8634acf 100644
--- a/configuration/common/default.nix
+++ b/config/common/default.nix
@@ -3,8 +3,8 @@
 imports = [
 ./prometheus-node-exporter.nix
 ./nginx.nix
- ../../users/colmena-deploy
- ../../users/yuri
+ ../users/colmena-deploy
+ ../users/yuri
 ];
 time.timeZone = "Europe/Berlin";
diff --git a/configuration/common/nginx.nix b/config/common/nginx.nix
similarity index 100%
rename from configuration/common/nginx.nix
rename to config/common/nginx.nix
diff --git a/configuration/common/prometheus-node-exporter.nix b/config/common/prometheus-node-exporter.nix
similarity index 61%
rename from configuration/common/prometheus-node-exporter.nix
rename to config/common/prometheus-node-exporter.nix
index ac2d1ac..71f9baa 100644
--- a/configuration/common/prometheus-node-exporter.nix
+++ b/config/common/prometheus-node-exporter.nix
@@ -1,7 +1,7 @@
-{ ... }:
+{ lib, ... }:
 {
 services.prometheus.exporters.node = {
- enable = true;
+ enable = lib.mkDefault true;
 openFirewall = true;
 };
 }
diff --git a/configuration/proxmox-vm/default.nix b/config/environments/proxmox-vm/default.nix
similarity index 100%
rename from configuration/proxmox-vm/default.nix
rename to config/environments/proxmox-vm/default.nix
diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/config/environments/proxmox-vm/hardware-configuration.nix
similarity index 100%
rename from configuration/proxmox-vm/hardware-configuration.nix
rename to config/environments/proxmox-vm/hardware-configuration.nix
diff --git a/hosts/coturn/acme.nix b/config/hosts/coturn/acme.nix
similarity index 100%
rename from hosts/coturn/acme.nix
rename to config/hosts/coturn/acme.nix
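Review bot: `enable` in prometheus-node-exporter.nix is now overridable via `lib.mkDefault`, but `openFirewall = true;` on the next line stays a fixed setting, so a host that keeps the exporter and wants to scope or close its port has to reach for `lib.mkForce`. For symmetry with the line above it, `openFirewall = lib.mkDefault true;`. Hosts that set `enable = false` (lifeline does so later in this diff) are unaffected either way, since as far as I can tell the exporter's firewall rule is only emitted when the exporter is enabled.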
diff --git a/hosts/coturn/configuration.nix b/config/hosts/coturn/configuration.nix
similarity index 100%
rename from hosts/coturn/configuration.nix
rename to config/hosts/coturn/configuration.nix
diff --git a/hosts/coturn/coturn.nix b/config/hosts/coturn/coturn.nix
similarity index 100%
rename from hosts/coturn/coturn.nix
rename to config/hosts/coturn/coturn.nix
diff --git a/hosts/coturn/default.nix b/config/hosts/coturn/default.nix
similarity index 100%
rename from hosts/coturn/default.nix
rename to config/hosts/coturn/default.nix
diff --git a/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix
similarity index 100%
rename from hosts/coturn/secrets.nix
rename to config/hosts/coturn/secrets.nix
diff --git a/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix
similarity index 100%
rename from hosts/hydra/configuration.nix
rename to config/hosts/hydra/configuration.nix
diff --git a/hosts/hydra/default.nix b/config/hosts/hydra/default.nix
similarity index 100%
rename from hosts/hydra/default.nix
rename to config/hosts/hydra/default.nix
diff --git a/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix
similarity index 100%
rename from hosts/hydra/hydra.nix
rename to config/hosts/hydra/hydra.nix
diff --git a/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix
similarity index 100%
rename from hosts/hydra/nginx.nix
rename to config/hosts/hydra/nginx.nix
diff --git a/hosts/hydra/nix-serve.nix b/config/hosts/hydra/nix-serve.nix
similarity index 100%
rename from hosts/hydra/nix-serve.nix
rename to config/hosts/hydra/nix-serve.nix
diff --git a/hosts/hydra/secrets.nix b/config/hosts/hydra/secrets.nix
similarity index 100%
rename from hosts/hydra/secrets.nix
rename to config/hosts/hydra/secrets.nix
diff --git a/hosts/iperf/configuration.nix b/config/hosts/iperf/configuration.nix
similarity index 100%
rename from hosts/iperf/configuration.nix
rename to config/hosts/iperf/configuration.nix
diff --git a/hosts/iperf/default.nix b/config/hosts/iperf/default.nix
similarity index 100%
rename from hosts/iperf/default.nix
rename to config/hosts/iperf/default.nix
diff --git a/hosts/iperf/iperf.nix b/config/hosts/iperf/iperf.nix
similarity index 100%
rename from hosts/iperf/iperf.nix
rename to config/hosts/iperf/iperf.nix
diff --git a/hosts/jackett/configuration.nix b/config/hosts/jackett/configuration.nix
similarity index 100%
rename from hosts/jackett/configuration.nix
rename to config/hosts/jackett/configuration.nix
diff --git a/hosts/jackett/default.nix b/config/hosts/jackett/default.nix
similarity index 100%
rename from hosts/jackett/default.nix
rename to config/hosts/jackett/default.nix
diff --git a/hosts/jackett/jackett.nix b/config/hosts/jackett/jackett.nix
similarity index 100%
rename from hosts/jackett/jackett.nix
rename to config/hosts/jackett/jackett.nix
diff --git a/hosts/jellyfin/configuration.nix b/config/hosts/jellyfin/configuration.nix
similarity index 100%
rename from hosts/jellyfin/configuration.nix
rename to config/hosts/jellyfin/configuration.nix
diff --git a/hosts/jellyfin/default.nix b/config/hosts/jellyfin/default.nix
similarity index 100%
rename from hosts/jellyfin/default.nix
rename to config/hosts/jellyfin/default.nix
diff --git a/hosts/jellyfin/hardware-configuration.nix b/config/hosts/jellyfin/hardware-configuration.nix
similarity index 100%
rename from hosts/jellyfin/hardware-configuration.nix
rename to config/hosts/jellyfin/hardware-configuration.nix
diff --git a/hosts/jellyfin/jellyfin.nix b/config/hosts/jellyfin/jellyfin.nix
similarity index 100%
rename from hosts/jellyfin/jellyfin.nix
rename to config/hosts/jellyfin/jellyfin.nix
diff --git a/hosts/jellyfin/nginx.nix b/config/hosts/jellyfin/nginx.nix
similarity index 100%
rename from hosts/jellyfin/nginx.nix
rename to config/hosts/jellyfin/nginx.nix
diff --git a/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix
similarity index 100%
rename from hosts/jellyfin/secrets.nix
rename to config/hosts/jellyfin/secrets.nix
diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix
new file mode 100644
index 0000000..2930c69
--- /dev/null
+++ b/config/hosts/lifeline/configuration.nix
@@ -0,0 +1,69 @@
+{ pkgs, ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+
+ networking = {
+ hostName = "lifeline";
+ useDHCP = true;
+ wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret";
+ listenPort = 51820;
+ ips = [
+ "172.16.50.1/24"
+ ];
+ peers = [
+ {
+ name = "mail-1";
+ publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
+ presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret";
+ allowedIPs = [ "172.16.50.2/32" ];
+ }
+ ];
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ '';
+ };
+ };
+ nat = {
+ enable = true;
+ internalInterfaces = [ "wg0" ];
+ externalInterface = "ens6";
+ forwardPorts = [
+ {
+ destination = "172.16.50.2:25";
+ proto = "tcp";
+ sourcePort = 25;
+ }
+ {
+ destination = "172.16.50.2:465";
+ proto = "tcp";
+ sourcePort = 465;
+ }
+ {
+ destination = "172.16.50.2:993";
+ proto = "tcp";
+ sourcePort = 993;
+ }
+ ];
+ };
+ firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+ };
+
+ services.prometheus.exporters.node.enable = false;
+
+ system.stateVersion = "23.05";
+}
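Review bot: The `postSetup`/`postShutdown` iptables hooks in lifeline's wg0 block duplicate what the `networking.nat` block further down already installs: with `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens6"` the nat module masquerades wg0 traffic leaving ens6 itself (and, as far as I recall, also turns on the forwarding sysctl that line 8 sets by hand), so the MASQUERADE rule ends up in POSTROUTING twice and `postShutdown` removes only one copy. Dropping the two hook scripts and the explicit sysctl leaves a single source of truth for the NAT rules; if the FORWARD accept rule is still needed because forwarded traffic is filtered on this host, keep only that line with a comment saying why. A comment on `forwardPorts` naming what sits behind 172.16.50.2 (the mail-1 peer, judging by the peer name above) would spare the next reader the cross-reference, e.g. `# DNAT SMTP/submissions/IMAPS to mail-1 over the tunnel`.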
diff --git a/config/hosts/lifeline/default.nix b/config/hosts/lifeline/default.nix
new file mode 100644
index 0000000..9d284a8
--- /dev/null
+++ b/config/hosts/lifeline/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ];
+}
diff --git a/config/hosts/lifeline/hardware-configuration.nix b/config/hosts/lifeline/hardware-configuration.nix
new file mode 100644
index 0000000..85d6d9a
--- /dev/null
+++ b/config/hosts/lifeline/hardware-configuration.nix
@@ -0,0 +1,16 @@
+{ modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd = {
+ availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ kernelModules = [ "nvme" ];
+ };
+
+ fileSystems."/" = {
+ device = "/dev/vda1";
+ fsType = "ext4";
+ };
+}
diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix
new file mode 100644
index 0000000..90f3f12
--- /dev/null
+++ b/config/hosts/lifeline/secrets.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix
new file mode 100644
index 0000000..4638917
--- /dev/null
+++ b/config/hosts/mail-1/configuration.nix
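Review bot: Both `keyCommand` lists in lifeline/secrets.nix hard-code `"env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra"`, while `config/hosts/mail-1/secrets.nix` in this same commit takes a `keyCommandEnv` module argument and writes `keyCommand = keyCommandEnv ++ [ "pass" ... ];`. Using the same argument here (`{ keyCommandEnv, ... }:` and `keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-1/psk" ];`) keeps the operator's home directory and GnuPG path out of individual host files and gives one place to change them. The two keys could also live in one `deployment.keys = { ... };` set as mail-1 does, instead of repeating the `deployment.keys.` prefix.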
@@ -0,0 +1,61 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "mail-1";
+ useDHCP = true;
+ defaultGateway = {
+ address = "172.16.50.1";
+ interface = "wg0";
+ };
+ interfaces.enp6s18.ipv4 = {
+ routes = [
+ {
+ address = "10.201.0.0";
+ prefixLength = 16;
+ via = "10.202.41.1";
+ }
+ {
+ address = "10.202.0.0";
+ prefixLength = 16;
+ via = "10.202.41.1";
+ }
+ {
+ address = "172.21.87.0"; # management VPN
+ prefixLength = 24;
+ via = "10.202.41.1";
+ }
+ {
+ address = "217.160.117.160"; #
+ prefixLength = 32;
+ via = "10.202.41.1";
+ }
+ ];
+ };
+ wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [
+ "172.16.50.2/24"
+ ];
+ peers = [
+ {
+ name = "lifeline";
+ publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
+ presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
+ endpoint = "lifeline.io.grzb.de:51820";
+ allowedIPs = [ "0.0.0.0/0" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
+ };
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/mail-1/default.nix b/config/hosts/mail-1/default.nix
new file mode 100644
index 0000000..5537841
--- /dev/null
+++ b/config/hosts/mail-1/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./simple-nixos-mailserver.nix
+ ];
+}
diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix
new file mode 100644
index 0000000..3352cee
--- /dev/null
+++ b/config/hosts/mail-1/secrets.nix
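Review bot: The WireGuard key paths in mail-1/configuration.nix do not match what `config/hosts/mail-1/secrets.nix` (the next file in this diff) deploys: this file reads `/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret` and `/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret`, but the secrets file provisions `wireguard-valkyrie-mail-1-mail-1-psk.secret` and `wireguard-mail-1-wg0-privatekey.secret`, so wg0 on mail-1 will fail with a missing key file and the host, whose default gateway is the tunnel, stays unreachable after activation. One side needs renaming; the `wireguard-lifeline-mail-1-<host>-{psk,privatekey}.secret` scheme is the one lifeline already uses for its end of the same tunnel. Separately, the trailing `#` on `address = "217.160.117.160";` is an empty comment, presumably for the tunnel endpoint that must stay reachable outside wg0 once the default route points into it; if so, say that: `# lifeline WireGuard endpoint; must not be routed via wg0`.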
@@ -0,0 +1,85 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "wireguard-mail-1-wg0-privatekey.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-fiona-grzb-de.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-yuri-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-mio-vs-grzb-de.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-fubuki-wg-grzb-de.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-cloud-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-status-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-matrix-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mail-social-nekover-se.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix
new file mode 100644
index 0000000..81fa130
--- /dev/null
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
@@ -0,0 +1,66 @@
+{ simple-nixos-mailserver, ... }:
+{
+ imports = [
+ simple-nixos-mailserver.nixosModule {
+ mailserver = {
+ enable = true;
+ openFirewall = true;
+ fqdn = "mail-1.grzb.de";
+ enableImap = false;
+ enableImapSsl = true;
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ lmtpSaveToDetailMailbox = "no";
+ domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
+ loginAccounts = {
+ "fiona@grzb.de" = {
+ hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
+ aliases = [ "@grzb.de" ];
+ catchAll = [ "grzb.de" ];
+ };
+ "yuri@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
+ aliases = [ "@nekover.se" ];
+ catchAll = [ "nekover.se" ];
+ };
+ "mio@vs.grzb.de" = {
+ hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
+ sendOnly = true;
+ aliases = [ "root@vs.grzb.de" ];
+ };
+ "fubuki@wg.grzb.de" = {
+ hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
+ sendOnly = true;
+ aliases = [ "root@wg.grzb.de" ];
+ };
+ "cloud@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
+ sendOnly = true;
+ };
+ "status@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
+ sendOnly = true;
+ };
+ "matrix@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
+ sendOnly = true;
+ aliases = [ "nyareply@nekover.se" ];
+ };
+ "social@nekover.se" = {
+ hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
+ sendOnly = true;
+ aliases = [ "nyareply@nekover.se" ];
+ };
+ };
+ certificateScheme = "acme-nginx";
+ };
+ }
+ ];
+
+ services.postfix = {
+ transport = "relay:[mail-2.grzb.de]";
+ extraConfig = ''
+ proxy_interfaces = 212.53.203.19
+ '';
+ };
+}
diff --git a/hosts/matrix/configuration.nix b/config/hosts/matrix/configuration.nix
similarity index 100%
rename from hosts/matrix/configuration.nix
rename to config/hosts/matrix/configuration.nix
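Review bot: `transport = "relay:[mail-2.grzb.de]";` near the end of simple-nixos-mailserver.nix becomes the body of postfix's transport(5) map, whose entries have the form `pattern transport:nexthop`; as written the line carries no lookup pattern, so I would expect postmap to warn and skip it rather than relay anything. If every outbound message is meant to go through mail-2, `services.postfix.relayHost = "mail-2.grzb.de";` (plus `relayPort` if needed) is the option made for that, or keep the map but give it a key: `transport = "* relay:[mail-2.grzb.de]";`. A one-line comment above `proxy_interfaces = 212.53.203.19` saying whose public address this is (the one lifeline forwards 25/465/993 from, if that is the case) would also spare the next reader a cross-reference.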
diff --git a/hosts/matrix/default.nix b/config/hosts/matrix/default.nix
similarity index 100%
rename from hosts/matrix/default.nix
rename to config/hosts/matrix/default.nix
diff --git a/hosts/matrix/hardware-configuration.nix b/config/hosts/matrix/hardware-configuration.nix
similarity index 100%
rename from hosts/matrix/hardware-configuration.nix
rename to config/hosts/matrix/hardware-configuration.nix
diff --git a/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
similarity index 100%
rename from hosts/matrix/matrix-synapse.nix
rename to config/hosts/matrix/matrix-synapse.nix
diff --git a/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
similarity index 100%
rename from hosts/matrix/nginx.nix
rename to config/hosts/matrix/nginx.nix
diff --git a/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix
similarity index 100%
rename from hosts/matrix/postgresql.nix
rename to config/hosts/matrix/postgresql.nix
diff --git a/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix
similarity index 100%
rename from hosts/matrix/secrets.nix
rename to config/hosts/matrix/secrets.nix
diff --git a/hosts/metrics/configuration.nix b/config/hosts/metrics/configuration.nix
similarity index 100%
rename from hosts/metrics/configuration.nix
rename to config/hosts/metrics/configuration.nix
diff --git a/hosts/metrics/default.nix b/config/hosts/metrics/default.nix
similarity index 100%
rename from hosts/metrics/default.nix
rename to config/hosts/metrics/default.nix
diff --git a/hosts/metrics/grafana.nix b/config/hosts/metrics/grafana.nix
similarity index 100%
rename from hosts/metrics/grafana.nix
rename to config/hosts/metrics/grafana.nix
diff --git a/hosts/metrics/nginx.nix b/config/hosts/metrics/nginx.nix
similarity index 100%
rename from hosts/metrics/nginx.nix
rename to config/hosts/metrics/nginx.nix
diff --git a/hosts/metrics/prometheus.nix b/config/hosts/metrics/prometheus.nix
similarity index 100%
rename from hosts/metrics/prometheus.nix
rename to config/hosts/metrics/prometheus.nix
diff --git a/hosts/metrics/secrets.nix b/config/hosts/metrics/secrets.nix
similarity index 100%
rename from hosts/metrics/secrets.nix
rename to config/hosts/metrics/secrets.nix
diff --git a/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix
similarity index 100%
rename from hosts/netbox/configuration.nix
rename to config/hosts/netbox/configuration.nix
diff --git a/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
similarity index 100%
rename from hosts/netbox/default.nix
rename to config/hosts/netbox/default.nix
diff --git a/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
similarity index 100%
rename from hosts/netbox/netbox.nix
rename to config/hosts/netbox/netbox.nix
diff --git a/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix
similarity index 100%
rename from hosts/netbox/nginx.nix
rename to config/hosts/netbox/nginx.nix
diff --git a/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix
similarity index 100%
rename from hosts/netbox/secrets.nix
rename to config/hosts/netbox/secrets.nix
diff --git a/hosts/nextcloud/configuration.nix b/config/hosts/nextcloud/configuration.nix
similarity index 100%
rename from hosts/nextcloud/configuration.nix
rename to config/hosts/nextcloud/configuration.nix
diff --git a/hosts/nextcloud/default.nix b/config/hosts/nextcloud/default.nix
similarity index 100%
rename from hosts/nextcloud/default.nix
rename to config/hosts/nextcloud/default.nix
diff --git a/hosts/nextcloud/hardware-configuration.nix b/config/hosts/nextcloud/hardware-configuration.nix
similarity index 100%
rename from hosts/nextcloud/hardware-configuration.nix
rename to config/hosts/nextcloud/hardware-configuration.nix
diff --git a/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix
similarity index 100%
rename from hosts/nextcloud/nextcloud.nix
rename to config/hosts/nextcloud/nextcloud.nix
diff --git a/hosts/nextcloud/secrets.nix b/config/hosts/nextcloud/secrets.nix
similarity index 100%
rename from hosts/nextcloud/secrets.nix
rename to config/hosts/nextcloud/secrets.nix
diff --git a/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix
similarity index 100%
rename from hosts/nitter/configuration.nix
rename to config/hosts/nitter/configuration.nix
diff --git a/hosts/nitter/default.nix b/config/hosts/nitter/default.nix
similarity index 100%
rename from hosts/nitter/default.nix
rename to config/hosts/nitter/default.nix
diff --git a/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix
similarity index 100%
rename from hosts/nitter/nginx.nix
rename to config/hosts/nitter/nginx.nix
diff --git a/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix
similarity index 100%
rename from hosts/nitter/nitter.nix
rename to config/hosts/nitter/nitter.nix
diff --git a/hosts/tor-relay/configuration.nix b/config/hosts/tor-relay/configuration.nix
similarity index 100%
rename from hosts/tor-relay/configuration.nix
rename to config/hosts/tor-relay/configuration.nix
diff --git a/hosts/tor-relay/default.nix b/config/hosts/tor-relay/default.nix
similarity index 100%
rename from hosts/tor-relay/default.nix
rename to config/hosts/tor-relay/default.nix
diff --git a/hosts/tor-relay/tor.nix b/config/hosts/tor-relay/tor.nix
similarity index 100%
rename from hosts/tor-relay/tor.nix
rename to config/hosts/tor-relay/tor.nix
diff --git a/hosts/web-nonpublic-linuxcrewd/configuration.nix b/config/hosts/web-nonpublic-linuxcrewd/configuration.nix
similarity index 100%
rename from hosts/web-nonpublic-linuxcrewd/configuration.nix
rename to config/hosts/web-nonpublic-linuxcrewd/configuration.nix
diff --git a/hosts/web-nonpublic-linuxcrewd/default.nix b/config/hosts/web-nonpublic-linuxcrewd/default.nix
similarity index 100%
rename from hosts/web-nonpublic-linuxcrewd/default.nix
rename to config/hosts/web-nonpublic-linuxcrewd/default.nix
diff --git a/hosts/web-nonpublic-linuxcrewd/nginx.nix b/config/hosts/web-nonpublic-linuxcrewd/nginx.nix
similarity index 100%
rename from hosts/web-nonpublic-linuxcrewd/nginx.nix
rename to config/hosts/web-nonpublic-linuxcrewd/nginx.nix
diff --git a/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix
similarity index 100%
rename from hosts/web-public-2/configuration.nix
rename to config/hosts/web-public-2/configuration.nix
diff --git a/hosts/web-public-2/default.nix b/config/hosts/web-public-2/default.nix
similarity index 100%
rename from hosts/web-public-2/default.nix
rename to config/hosts/web-public-2/default.nix
diff --git a/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
similarity index 100%
rename from hosts/web-public-2/nginx.nix
rename to config/hosts/web-public-2/nginx.nix
diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
similarity index 83%
rename from hosts/web-public-2/virtualHosts/acme-challenge.nix
rename to config/hosts/web-public-2/virtualHosts/acme-challenge.nix
index c04b2e8..f5adeea 100644
--- a/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@@ -9,6 +9,15 @@
 proxyPass = "http://jellyfin.vs.grzb.de:80";
 };
 };
+ services.nginx.virtualHosts."mail-1.grzb.de" = {
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+ locations."^~ /.well-known/acme-challenge/" = {
+ proxyPass = "http://mail-1.vs.grzb.de:80";
+ };
+ };
 services.nginx.virtualHosts."matrix.nekover.se" = {
 listen = [{
 addr = "0.0.0.0";
diff --git a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
rename to config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
diff --git a/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix
similarity index 93%
rename from hosts/web-public-2/virtualHosts/default.nix
rename to config/hosts/web-public-2/virtualHosts/default.nix
index 7df558e..6a5c3bb 100644
--- a/hosts/web-public-2/virtualHosts/default.nix
+++ b/config/hosts/web-public-2/virtualHosts/default.nix
@@ -8,7 +8,6 @@
 ./git.grzb.de.nix
 ./mewtube.nekover.se.nix
 ./nekover.se.nix
- ./nextcloud.grzb.de.nix
 ./social.nekover.se.nix
 ];
diff --git a/hosts/web-public-2/virtualHosts/element-web-config/config.json b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json
similarity index 100%
rename from hosts/web-public-2/virtualHosts/element-web-config/config.json
rename to config/hosts/web-public-2/virtualHosts/element-web-config/config.json
diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/element.nekover.se.nix
rename to config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
diff --git a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
rename to config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
diff --git a/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/git.grzb.de.nix
rename to config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
diff --git a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
rename to config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
diff --git a/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/nekover.se.nix
rename to config/hosts/web-public-2/virtualHosts/nekover.se.nix
diff --git a/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix
similarity index 100%
rename from hosts/web-public-2/virtualHosts/social.nekover.se.nix
rename to config/hosts/web-public-2/virtualHosts/social.nekover.se.nix
diff --git a/configuration/nixos-generators/default.nix b/config/nixos-generators/default.nix
similarity index 100%
rename from configuration/nixos-generators/default.nix
rename to config/nixos-generators/default.nix
diff --git a/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix
similarity index 100%
rename from users/colmena-deploy/default.nix
rename to config/users/colmena-deploy/default.nix
diff --git a/users/yuri/default.nix b/config/users/yuri/default.nix
similarity index 100%
rename from users/yuri/default.nix
rename to config/users/yuri/default.nix
diff --git a/flake.lock b/flake.lock
index 4b4607e..3d6c071 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,12 +1,44 @@
 {
 "nodes": {
+ "blobs": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1604995301,
+ "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "type": "gitlab"
+ }
+ },
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1668681692,
+ "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "nixlib": {
 "locked": {
- "lastModified": 1689469483,
- "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=",
+ "lastModified": 1693701915,
+ "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c",
+ "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
 "type": "github"
 },
 "original": {
@@ -23,11 +55,11 @@
 ]
 },
 "locked": {
- "lastModified": 1690133435,
- "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=",
+ "lastModified": 1693791338,
+ "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586",
+ "rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
 "type": "github"
 },
 "original": {
@@ -38,11 +70,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1693725722,
- "narHash": "sha256-PJFNgOpNqrsafMgNuca8olo6ugxIFeQOBBiNtyq2FXA=",
+ "lastModified": 1694493899,
+ "narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "00cc1bbf20f8eb85b537f9f10b41a311f0e01e3e",
+ "rev": "c5167858ca4870e933da123762eb55363ccefe2b",
 "type": "github"
 },
 "original": {
@@ -52,13 +84,43 @@
 "type": "github"
 }
 },
- "nixpkgs-unstable": {
+ "nixpkgs-22_11": {
 "locked": {
- "lastModified": 1693723626,
- "narHash": "sha256-e6DnUnRT5aykzhme6wLUzYmSPw2G8j+RYwXluys2VJc=",
+ "lastModified": 1669558522,
+ "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5e9ff98d1dccbb391a9769b5dc660a5f6e39c18b",
+ "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-22.11",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-23_05": {
+ "locked": {
+ "lastModified": 1684782344,
+ "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-23.05",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1694502577,
+ "narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72",
 "type": "github"
 },
 "original": {
@@ -68,11 +130,66 @@
 "type": "github"
 }
 },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1670751203,
+ "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-unstable",
+ "type": "indirect"
+ }
+ },
 "root": {
 "inputs": {
 "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs",
- "nixpkgs-unstable": "nixpkgs-unstable"
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "simple-nixos-mailserver": "simple-nixos-mailserver"
+ }
+ },
+ "simple-nixos-mailserver": {
+ "inputs": {
+ "blobs": "blobs",
+ "flake-compat": "flake-compat",
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-22_11": "nixpkgs-22_11",
+ "nixpkgs-23_05": "nixpkgs-23_05",
+ "utils": "utils"
+ },
+ "locked": {
+ "lastModified": 1687462267,
+ "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "nixos-mailserver",
+ "rev": "24128c3052090311688b09a400aa408ba61c6ee5",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "ref": "nixos-23.05",
+ "repo": "nixos-mailserver",
+ "type": "gitlab"
+ }
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1605370193,
+ "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 2e5abe8..2a78e5b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,9 +6,10 @@
 url = "github:nix-community/nixos-generators";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
 };
- outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: let
 hosts = import ./hosts.nix inputs;
 helper = import ./helper.nix inputs;
 in {
@@ -25,13 +26,13 @@
 nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
 specialArgs = {
- inherit hosts;
+ inherit hosts simple-nixos-mailserver;
 };
 };
 } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
 hydraJobs = {
- nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts; }) hosts;
+ nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts;
 };
 # Generate a base VM image for Proxmox with `nix build .#base-proxmox`
@@ -39,9 +40,9 @@
 base-proxmox = nixos-generators.nixosGenerate {
 system = "x86_64-linux";
 modules = [
- ./configuration/common
- ./configuration/nixos-generators
- ./configuration/proxmox-vm
+ ./config/common
+ ./config/nixos-generators
+ ./config/environments/proxmox-vm
 ];
 format = "proxmox";
 };
diff --git a/helper.nix b/helper.nix
index 360b356..c59a44c 100644
--- a/helper.nix
+++ b/helper.nix
@@ -11,7 +11,7 @@
 };
 # Set imports and optionally import colmena secrets configuration
- imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix;
+ imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./config/hosts/${name}/secrets.nix) ./config/hosts/${name}/secrets.nix;
 };
 generateNixConfiguration = name: specialArgs: {
diff --git a/hosts.nix b/hosts.nix
index 177da2d..6d496d4 100644
--- a/hosts.nix
+++ b/hosts.nix
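Review bot: The new `simple-nixos-mailserver.url` input in flake.nix declares no `inputs.nixpkgs.follows`, unlike the `nixos-generators` input three lines above it, so the lock now carries the mailserver's own nixpkgs pins (`nixpkgs_2`, `nixpkgs-22_11`, `nixpkgs-23_05` in the flake.lock hunks) that are fetched on every evaluation but, as far as I can tell, never used by the hosts, which evaluate the module against their own `hostNixpkgs`. Mirroring the generators input keeps the lock to one nixpkgs lineage: `simple-nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; inputs.nixpkgs.follows = "nixpkgs"; };`, with the same `follows` for the versioned inputs if they are not needed either. If the extra inputs are kept on purpose, a comment next to the url saying so would keep the question from coming up again.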
@@ -3,66 +3,90 @@
 let
 # Set of environment specific modules
 environments = {
 "proxmox" = [
- ./configuration/proxmox-vm
- ];
+ ./config/environments/proxmox-vm
+ ];
 };
 generateDefaults = hosts: builtins.mapAttrs (name: {
 hostNixpkgs ? nixpkgs,
 system ? "x86_64-linux",
 # pkgs is explicitly defined so that overlays for each host can easily be created
 pkgs ? hostNixpkgs.legacyPackages.${system},
- environment ? "proxmox",
+ environment ? "",
 site
 }: {
 inherit hostNixpkgs system pkgs environment site;
 # define common and host modules and additionally add environment specific modules
 modules = [
- ./configuration/common
- ./hosts/${name}
- ] ++ environments.${environment};
+ ./config/common
+ ./config/hosts/${name}
+ ] ++ (if environment != "" then environments.${environment} else []);
 }) hosts;
 in generateDefaults {
+ #fee = {
+ # site = "wg";
+ # environment = "bare-metal";
+ #};
 hydra = {
 site = "vs";
+ environment = "proxmox";
 };
 iperf = {
 site = "vs";
+ environment = "proxmox";
 };
 jackett = {
 site = "vs";
+ environment = "proxmox";
 };
 jellyfin = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
+ environment = "proxmox";
+ };
+ lifeline = {
+ site = "io";
+ };
+ mail-1 = {
+ site = "vs";
+ environment = "proxmox";
 };
 matrix = {
 site = "vs";
+ environment = "proxmox";
 };
 metrics = {
 site = "vs";
+ environment = "proxmox";
 };
 netbox = {
 site = "vs";
+ environment = "proxmox";
 };
 nextcloud = {
 site = "vs";
+ environment = "proxmox";
 };
 nitter = {
 site = "vs";
+ environment = "proxmox";
 };
 coturn = {
 site = "vs";
+ environment = "proxmox";
 };
 tor-relay = {
 site = "vs";
+ environment = "proxmox";
 };
 web-public-2 = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
+ environment = "proxmox";
 };
 web-nonpublic-linuxcrewd = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
+ environment = "proxmox";
 };
 }
diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix
deleted file mode 100644
index 8cbdcc9..0000000
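Review bot: The changed `environment ? ""` default and the `if environment != "" then … else []` test use an empty string as an "unset" sentinel, which is a style point: `environment ? null,` together with `] ++ nixpkgs.lib.optionals (environment != null) environments.${environment};` states the intent directly, and `nixpkgs` is already in scope here (it is the default for `hostNixpkgs`). A misspelt environment name, such as the `"bare-metal"` in the commented-out `fee` entry once it is enabled, still fails with a bare missing-attribute error; `environments.${environment} or (throw "unknown environment ${environment} for host ${name}")` would name the offending host. The replaced `];` line under `"proxmox"` appears to differ only in indentation, which looks like an accidental re-indent rather than an intended change.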
--- a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."nextcloud.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [
- {
- addr = "localhost";
- port = 1234;
- } # workaround for enableACME check
- {
- addr = "localhost";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }];
- locations."/" = {
- proxyPass = "http://nextcloud-grzb.vs.grzb.de:80";
- };
- locations."= /.well-known/carddav" = {
- return = "301 $scheme://$host/remote.php/dav";
- };
- locations."= /.well-known/caldav" = {
- return = "301 $scheme://$host/remote.php/dav";
- extraConfig = ''
- proxy_read_timeout 3600;
- proxy_request_buffering off;
- '';
- };
- extraConfig = ''
- client_max_body_size 4096m;
- '';
- };
-}
