

No commits in common. "main" and "mas" have entirely different histories.
main ... mas

31 changed files with 428 additions and 350 deletions

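--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
+keys:
+- &admin_gpg_fi_cherry 3664299DF7043167375A444792C901ED05ED21F8
+- &admin_gpg_fi_violet 46BAEDB6A776F5E245C766F943399230C7523D82
+- &admin_gpg_fi_kiara 0DE8BF7F4727049D4D9D78FC25936DC2A622FE56
+- &host_age_matrix age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5
+creation_rules:
+- path_regex: config/hosts/matrix/.*
+key_groups:
+- pgp:
+- *admin_gpg_fi_cherry
+- *admin_gpg_fi_violet
+- *admin_gpg_fi_kiara
+age:
+- *host_age_matrix
+stores:
+yaml:
+indent: 2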
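Review bot: The `path_regex` in the single creation rule is unanchored, so `config/hosts/matrix/.*` matches any path that merely contains that substring rather than only files under that directory; writing it as `path_regex: ^config/hosts/matrix/` makes the intended scope explicit. Nothing else in this compare declares a `sops.secrets` entry yet — the mas.nix section still loads its secrets from `--config=/secrets/` and the synapse section carries literal `client_secret`/`admin_token` values — so at the moment the rule protects no file. If secrets are meant to move to sops, a short comment above `creation_rules` naming the file the rule is expected to cover (e.g. a constructed `config/hosts/matrix/secrets.yaml`) would record the plan for the next reader.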


@ -3,6 +3,7 @@
services.forgejo = { services.forgejo = {
enable = true; enable = true;
database.type = "postgres"; database.type = "postgres";
mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";
settings = { settings = {
DEFAULT = { DEFAULT = {
@ -59,6 +60,5 @@
HOST = "redis+socket:///run/redis-forgejo/redis.sock"; HOST = "redis+socket:///run/redis-forgejo/redis.sock";
}; };
}; };
secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret";
}; };
} }


@ -0,0 +1,26 @@
{ pterodactyl, ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "gameserver-node-1";
};
#environment.systemPackages = [
# pterodactyl.packages."x86_64-linux".pterodactyl-wings
#];
imports = [
pterodactyl.nixosModules.pterodactyl-wings
];
services.wings = {
enable = false;
configuration = "";
};
system.stateVersion = "24.05";
}
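Review bot: The new host file enables nothing yet — `services.wings.enable = false` with `configuration = ""`, and the `environment.systemPackages` block commented out — so `pterodactyl.nixosModules.pterodactyl-wings` is imported for no effect. A one-line comment above `services.wings` saying why it is disabled, and where the wings configuration (which normally carries the panel credentials) is expected to come from, would save the next reader from guessing; the commented-out package lines should either be deleted or be covered by that same comment. I can't tell from this diff whether the pterodactyl module accepts an empty `configuration` string once `enable` is flipped to true, so that is worth checking before enabling it.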


@ -2,7 +2,5 @@
{ {
imports = [ imports = [
./configuration.nix ./configuration.nix
./ikiwiki.nix
./nginx.nix
]; ];
} }


@ -24,7 +24,6 @@
users.users.builder = { users.users.builder = {
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/plZfxF/RtB+pJsUYx9HUgRcB56EoO0uj+j3AGzZta root@cherry"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara"
]; ];
}; };


@ -1,27 +0,0 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "ikiwiki";
firewall = {
enable = true;
allowedTCPPorts = [ 80 8443 ];
};
};
fileSystems = {
# partition data disk with `sudo mkfs.ext4 /dev/vdx`
# label data disk with `e2label /dev/vdx "data"`
"/mnt/data" = {
device = "/dev/disk/by-label/data";
fsType = "ext4";
autoResize = true;
};
};
system.stateVersion = "24.05";
}


@ -1,136 +0,0 @@
{ pkgs, config, ... }:
let
ikiwikiBootstrapTheme = pkgs.fetchgit {
url = "https://github.com/dequis/ikiwiki-bootstrap-theme.git";
rev = "afaedf8460d03664be6f590cf632b8be05de77dc";
hash = "sha256-iX/onqrsvzJdDrJ7WoQMnlAQtOA+rmi+esv25/IOsq8=";
}; # TODO: fork and set link color to #6d2bff or something
ikiwikiDataPath = "/mnt/data/ikiwiki";
ikiwikiSettingsHeader = pkgs.writeText "ikiwiki-settings-header" ''
# IkiWiki::Setup::Yaml - YAML formatted setup file
'';
ikiwikiSettings = {
wikiname = "fi-zone";
adminemail = "fiona@grzb.de";
adminuser = [
"fi"
];
banned_users = [];
srcdir = "${ikiwikiDataPath}/fi-zone";
destdir = "${ikiwikiDataPath}/public_html/fi-zone";
url = "https://fi.nekover.se/";
cgiurl = "https://fi.nekover.se/ikiwiki.cgi";
reverse_proxy = 0;
cgi_wrapper = "${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi";
cgiauthurl = "https://fi.nekover.se/auth/ikiwiki.cgi";
cgi_wrappermode = "06755";
cgi_overload_delay = "";
cgi_overload_message = "";
only_committed_changes = 0;
rcs = "";
add_plugins = [
"goodstuff"
"websetup"
"httpauth"
];
disable_plugins = [];
templatedir = "${ikiwikiBootstrapTheme}";
underlaydir = "${pkgs.ikiwiki-full}/share/ikiwiki/basewiki";
usedirs = 1;
prefix_directives = 1;
indexpages = 0;
discussion = 0;
html5 = 1;
sslcookie = 1;
default_pageext = "mdwn";
htmlext = "html";
timeformat = "%c";
userdir = "";
numbacklinks = 10;
hardlink = 0;
libdirs = [];
libdir = "${ikiwikiDataPath}/.ikiwiki";
ENV = {};
timezone = ":/etc/localtime";
wiki_file_chars = "-[:alnum:]+/.:_";
allow_symlinks_before_srcdir = 0;
cookiejar = {
file = "${ikiwikiDataPath}/.ikiwiki/cookies";
};
useragent = "ikiwiki/${pkgs.ikiwiki-full.version}";
responsive_layout = 1;
deterministic = 0;
rss = 1;
atom = 1;
blogspam_pagespec = "postcomment(*)";
locked_pages = "* and !postcomment(*)";
comments_pagespec = "posts/* and !*/Discussion";
archive_pagespec = "page(posts/*) and !*/Discussion";
global_sidebars = 0;
tagbase = "tags";
};
ikiwikiSettingsFile = pkgs.concatText "fi-zone.setup" [
ikiwikiSettingsHeader
((pkgs.formats.yaml { }).generate "fi-zone-settings" ikiwikiSettings)
];
in
{
environment.systemPackages = with pkgs; [
ikiwiki-full
];
users = {
users.ikiwiki = {
isSystemUser = true;
group = "ikiwiki";
};
groups.ikiwiki = {};
};
services.fcgiwrap.instances."ikiwiki" = {
socket = {
user = config.services.nginx.user;
group = config.services.nginx.group;
};
process = {
user = config.services.nginx.user;
group = config.services.nginx.group;
};
};
systemd.services.ikiwiki-directory-setup = {
description = "Setup ikiwiki directory structure.";
script = ''
mkdir -p ${ikiwikiDataPath}
mkdir -p ${ikiwikiDataPath}/fi-zone/.ikiwiki
touch ${ikiwikiDataPath}/fi-zone/.ikiwiki/lockfile
chown -R ${config.users.users.ikiwiki.name}:${config.users.users.ikiwiki.group} ${ikiwikiDataPath}
'';
serviceConfig = {
Type = "simple";
User = "root";
};
wantedBy = [
"multi-user.target"
];
};
systemd.services.ikiwiki-settings-setup = {
description = "Setup ikiwiki with configuration managed by NixOS.";
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.ikiwiki-full}/bin/ikiwiki --setup ${ikiwikiSettingsFile}";
User = config.users.users.ikiwiki.name;
Group = config.users.users.ikiwiki.group;
Requires = [ "ikiwiki-directory-setup.service" ];
};
wantedBy = [
"multi-user.target"
];
};
}


@ -1,47 +0,0 @@
{ pkgs, config, ... }:
let
ikiwikiDataPath = "/mnt/data/ikiwiki";
in
{
services.nginx = {
enable = true;
virtualHosts."fi.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
root = "${ikiwikiDataPath}/public_html/fi-zone";
locations = {
"/" = {
tryFiles = "$uri $uri/ =404";
};
"~ .cgi" = {
basicAuthFile = "/secrets/ikiwiki-auth-file.secret";
extraConfig = ''
gzip off;
fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
fastcgi_index ikiwiki.cgi;
fastcgi_param SCRIPT_FILENAME ${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi;
fastcgi_param DOCUMENT_ROOT ${ikiwikiDataPath}/public_html/fi-zone;
fastcgi_param REMOTE_USER $remote_user if_not_empty;
include ${pkgs.nginx}/conf/fastcgi_params;
'';
};
};
extraConfig = ''
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
}


@ -1,11 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys."ikiwiki-auth-file.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ];
destDir = "/secrets";
user = "nginx";
group = "nginx";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -3,10 +3,10 @@
services.keycloak = { services.keycloak = {
enable = true; enable = true;
settings = { settings = {
hostname = "https://id.nekover.se"; hostname = "id.nekover.se";
hostname-admin = "https://keycloak-admin.nekover.se"; hostname-admin = "keycloak-admin.nekover.se";
proxy-headers = "forwarded"; hostname-strict-backchannel = true;
http-enabled = true; proxy = "edge";
http-host = "127.0.0.1"; http-host = "127.0.0.1";
http-port = 8080; http-port = 8080;
}; };


@ -15,20 +15,28 @@
]; ];
routes = [ routes = [
{ {
Gateway = "10.202.41.1"; routeConfig = {
Destination = "10.201.0.0/16"; Gateway = "10.202.41.1";
Destination = "10.201.0.0/16";
};
} }
{ {
Gateway = "10.202.41.1"; routeConfig = {
Destination = "10.202.0.0/16"; Gateway = "10.202.41.1";
Destination = "10.202.0.0/16";
};
} }
{ {
Gateway = "10.202.41.1"; routeConfig = {
Destination = "172.21.87.0/24"; Gateway = "10.202.41.1";
Destination = "172.21.87.0/24";
};
} }
{ {
Gateway = "10.202.41.1"; routeConfig = {
Destination = "212.53.203.19/32"; Gateway = "10.202.41.1";
Destination = "212.53.203.19/32";
};
} }
]; ];
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
@ -54,11 +62,13 @@
PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
}; };
wireguardPeers = [{ wireguardPeers = [{
PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; wireguardPeerConfig = {
PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
Endpoint = "212.53.203.19:51822"; PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
AllowedIPs = [ "0.0.0.0/0" ]; Endpoint = "212.53.203.19:51822";
PersistentKeepalive = 25; AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
};
}]; }];
}; };
}; };


@ -15,20 +15,28 @@
]; ];
routes = [ routes = [
{ {
Gateway = "10.201.41.1"; routeConfig = {
Destination = "10.201.0.0/16"; Gateway = "10.201.41.1";
Destination = "10.201.0.0/16";
};
} }
{ {
Gateway = "10.201.41.1"; routeConfig = {
Destination = "10.202.0.0/16"; Gateway = "10.201.41.1";
Destination = "10.202.0.0/16";
};
} }
{ {
Gateway = "10.201.41.1"; routeConfig = {
Destination = "172.21.87.0/24"; Gateway = "10.201.41.1";
Destination = "172.21.87.0/24";
};
} }
{ {
Gateway = "10.201.41.1"; routeConfig = {
Destination = "217.160.117.160/32"; Gateway = "10.201.41.1";
Destination = "217.160.117.160/32";
};
} }
]; ];
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
@ -54,11 +62,13 @@
PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret"; PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret";
}; };
wireguardPeers = [{ wireguardPeers = [{
PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4="; wireguardPeerConfig = {
PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret"; PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
Endpoint = "217.160.117.160:51820"; PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
AllowedIPs = [ "0.0.0.0/0" ]; Endpoint = "217.160.117.160:51820";
PersistentKeepalive = 25; AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
};
}]; }];
}; };
}; };


@ -5,37 +5,28 @@ let
rev = "v2.2"; rev = "v2.2";
hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ="; hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ=";
}; };
mastodonModern = pkgs.fetchgit {
url = "https://git.gay/freeplay/Mastodon-Modern.git";
rev = "e9e53496789234d5782b5b3d97ed66a130b1678a";
hash = "sha256-lUq57Gbr1UCMVGoO4xTT3wYPNwohdepxSPCX+WP6AS8=";
};
mastodonNekoversePatches = pkgs.fetchgit { mastodonNekoversePatches = pkgs.fetchgit {
url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git";
hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU="; hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU=";
}; };
mastodonNekoverseOverlay = final: prev: { mastodonNekoverseOverlay = final: prev: {
mastodon = (prev.mastodon.override rec { mastodon = (prev.mastodon.override rec {
version = "4.3.2"; version = "4.3.1";
srcOverride = final.applyPatches { srcOverride = final.applyPatches {
src = pkgs.stdenv.mkDerivation { src = pkgs.stdenv.mkDerivation {
name = "mastodonWithThemes"; name = "mastodonWithThemes";
src = pkgs.fetchgit { src = pkgs.fetchgit {
url = "https://github.com/mastodon/mastodon.git"; url = "https://github.com/mastodon/mastodon.git";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-A1sSUBtlztKFsZ3TY/c9CXFV8LhttRW2JmSU0QSVOIg="; sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4=";
}; };
installPhase = '' installPhase = ''
cp -r ./ $out/ cp -r ./ $out/
cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/ cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/
echo "@import 'mastodon/variables';
@import 'application';" >> $out/app/javascript/styles/modern-dark.scss
cat ${mastodonModern}/modern.css >> $out/app/javascript/styles/modern-dark.scss
echo "tangerineui: styles/tangerineui.scss echo "tangerineui: styles/tangerineui.scss
tangerineui-purple: styles/tangerineui-purple.scss tangerineui-purple: styles/tangerineui-purple.scss
tangerineui-cherry: styles/tangerineui-cherry.scss tangerineui-cherry: styles/tangerineui-cherry.scss
tangerineui-lagoon: styles/tangerineui-lagoon.scss tangerineui-lagoon: styles/tangerineui-lagoon.scss" >> $out/config/themes.yml
modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml
''; '';
}; };
patches = [ patches = [
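Review bot: `mastodonNekoversePatches` is fetched with `pkgs.fetchgit` by output hash only, with no `rev`; the build stays reproducible while the hash matches, but once upstream's default branch moves the fetch fails with a hash mismatch and nothing in the expression records which commit was intended, so add `rev = "<commit>";` (placeholder) next to the `url` line. The new side also pins `version = "4.3.1"` and its source hash while main carries 4.3.2; given the two branches share no history this reads as a stale branch rather than a deliberate downgrade and should be reconciled before merging. The `let` block and `mastodonNekoverseOverlay` start and end outside this hunk.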


@ -3,6 +3,7 @@
imports = [ imports = [
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./mas.nix
./postgresql.nix ./postgresql.nix
./matrix-synapse.nix ./matrix-synapse.nix
./nginx.nix ./nginx.nix

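--- /dev/null
+++ b/config/hosts/matrix/mas.nix
+{ pkgs, ... }:
+let
+masConfig = (pkgs.formats.yaml { }).generate "matrix-authentication-service-config.yaml" {
+http = {
+public_base = "https://matrix-auth.nekover.se";
+listeners = [
+{
+name = "web";
+resources = [
+{ name = "discovery"; }
+{ name = "human"; }
+{ name = "oauth"; }
+{ name = "compat"; }
+{ name = "graphql"; }
+{ name = "assets"; }
+];
+binds = [{ socket = "/var/run/mas.sock"; }];
+proxy_protocol = false;
+}
+{
+name = "internal";
+resources = [
+{ name = "health"; }
+];
+binds = [
+{
+host = "localhost";
+port = 8081;
+}
+];
+proxy_protocol = false;
+}
+];
+trusted_proxies = [
+"192.168.0.0/16"
+"172.16.0.0/12"
+"10.0.0.0/10"
+"127.0.0.1/8"
+"fd00::/8"
+"::1/128"
+];
+};
+database = {
+uri = "postgresql://mas_user:mas@localhost/mas";
+max_connections = 10;
+min_connections = 0;
+connect_timeout = 30;
+idle_timeout = 600;
+max_lifetime = 1800;
+};
+email = {
+from = "\"Matrix Authentication Service\" <nyareply@nekover.se>";
+reply_to = "\"No reply\" <nyareply@nekover.se>";
+transport = "smtp";
+mode = "tls";
+hostname = "mail-1.grzb.de";
+port = 465;
+username = "matrix@nekover.se";
+# password = "";
+};
+passwords = {
+enabled = true;
+schemes = [
+{
+version = 1;
+algorithm = "argon2id";
+}
+];
+# See https://github.com/dropbox/zxcvbn#usage
+minimum_complexity = 3;
+};
+matrix = {
+homeserver = "nekover.se";
+# secret =
+endpoint = "http://localhost:8008";
+};
+upstream_oauth2 = {
+providers = [{
+id = "01H8PKNWKKRPCBW4YGH1RWV279";
+issuer = "https://id.nekover.se/realms/nekoverse";
+human_name = "Nekoverse ID";
+token_endpoint_auth_method = "client_secret_basic";
+client_id = "matrix-authentication-service";
+#client_secret = "";
+scope = "openid profile email";
+claims_imports = {
+localpart = {
+action = "require";
+template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\"";
+};
+displayname = {
+action = "suggest";
+template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\"";
+};
+email = {
+action = "suggest";
+template = "\"{{ user.email }}\"";
+set_email_verification = "import";
+};
+};
+}];
+};
+# secrets = { }
+};
+in
+{
+environment.systemPackages = with pkgs; [
+matrix-authentication-service
+];
+systemd.services.matrix-authentication-service = {
+description = "Matrix Authentication Service";
+after = [ "network-online.target" "postgresql.service" ];
+requires = [ "postgresql.service" ];
+wants = [ "network-online.target" ];
+serviceConfig = {
+Type = "simple";
+ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
+Restart = "on-abort";
+DynamicUser = "yes";
+User = "mas";
+Group = "nogroup";
+WorkingDirectory = pkgs.matrix-authentication-service;
+ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masConfig} --config=/secrets/";
+SyslogIdentifier = "matrix-authentication-service";
+};
+wantedBy = [ "multi-user.target" ];
+};
+}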
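Review bot: `uri = "postgresql://mas_user:mas@localhost/mas"` embeds the database password, and the same literal is created in the postgresql hunk's `CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';`; because `masConfig` is rendered into the Nix store that password is world-readable on the host, whereas the rest of this file deliberately keeps `email.password`, `matrix.secret` and `client_secret` out of the store via `--config=/secrets/`, so the database credential should take the same route (or, if the service's postgres driver accepts it, use peer authentication over the local socket, e.g. `uri = "postgresql:///mas?host=/run/postgresql";` with a role matching the OS user, which removes the password entirely). `DynamicUser = "yes"` combined with a fixed `User = "mas"` and `Group = "nogroup"` is unusual — a dynamic user with a static name works, but the `nogroup` group and the ownership of `/var/run/mas.sock`, which nginx must be able to connect to, need confirming once the unit runs. `trusted_proxies` lists `10.0.0.0/10` and `127.0.0.1/8`; these appear to mirror the service's default list, but if the whole 10/8 private block was intended, note that `/10` only covers 10.0.0.0–10.63.255.255.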


@ -46,6 +46,20 @@
]; ];
turn_user_lifetime = 86400000; turn_user_lifetime = 86400000;
turn_allow_guests = true; turn_allow_guests = true;
experimental_features = {
msc3861 = {
enabled = true;
# Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
issuer = "https://nekover.se";
client_id = "0000000000000000000SYNAPSE";
client_auth_method = "client_secret_basic";
# Matches the `client_secret` in the auth service config
client_secret = "SomeRandomSecret";
# Matches the `matrix.secret` in the auth service config
admin_token = "AnotherRandomSecret";
account_management_url = "https://id.nekover.se/realms/nekoverse/account/";
};
};
}; };
extras = [ "oidc" ]; extras = [ "oidc" ];
extraConfigFiles = [ extraConfigFiles = [
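Review bot: `client_secret = "SomeRandomSecret"` and `admin_token = "AnotherRandomSecret"` are literal values inside `settings`, which is rendered into the world-readable Nix store; the comments beside them say they must match the auth service's `client_secret` and `matrix.secret`, both of which that service reads from `/secrets/`, so these two should move into a file listed under the `extraConfigFiles` option at the end of this hunk instead. As written they also read as placeholders rather than generated values, so if deployed as-is the trust between Synapse and the auth service would rest on guessable strings. `issuer = "https://nekover.se"` has no trailing slash, while the `.well-known/matrix/client` hunk advertises `https://nekover.se/` and mas.nix sets `public_base` to `https://matrix-auth.nekover.se` with no `issuer` of its own; OIDC discovery compares issuer strings exactly, so settle on one form and confirm that `https://nekover.se/.well-known/openid-configuration` is actually routed to the auth service, which this compare does not show. The enclosing `settings` set starts before this hunk.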


@ -2,40 +2,76 @@
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."matrix.nekover.se" = { virtualHosts = {
forceSSL = true; "matrix.nekover.se" = {
enableACME = true; forceSSL = true;
listen = [ enableACME = true;
{ listen = [
addr = "0.0.0.0"; {
port = 80; addr = "0.0.0.0";
} port = 80;
{ }
addr = "0.0.0.0"; {
port = 8448; addr = "0.0.0.0";
ssl = true; port = 8448;
} ssl = true;
]; }
locations = { ];
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { locations = {
proxyPass = "http://127.0.0.1:8009"; "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
priority = 999; proxyPass = "http://127.0.0.1:8009";
priority = 999;
};
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
}; };
"~ ^(/_matrix|/_synapse/client)" = { extraConfig = ''
proxyPass = "http://127.0.0.1:8008"; listen 0.0.0.0:8443 http2 ssl proxy_protocol;
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
};
"matrix-auth.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations = {
"/" = {
proxy_pass = "http://unix:/var/run/mas.sock";
};
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
extraConfig = ''
listen 0.0.0.0:9443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
}; };
}; };
} }
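Review bot: In the new `matrix-auth.nekover.se` virtual host the root location uses `proxy_pass = "http://unix:/var/run/mas.sock";`, but the NixOS nginx location submodule spells this option `proxyPass` — as the `/_matrix` location a few lines below does — so with the strictly-typed submodule the misspelled attribute fails evaluation, and if it were accepted the location would proxy nothing. Change it to `proxyPass = "http://unix:/var/run/mas.sock";`. The auth service's config sets `proxy_protocol = false` on that socket and trusts only private ranges, so it depends on nginx forwarding `X-Forwarded-For`/`X-Forwarded-Proto`; nothing in this hunk sets those headers (no `recommendedProxySettings` is visible), which is worth confirming so the service logs and any IP-based limits see real client addresses. The surrounding module (its `{ config, ... }:` header, presumably) starts before this hunk.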


@ -8,6 +8,11 @@
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';
CREATE DATABASE "mas" WITH OWNER "mas_user"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
''; '';
}; };
} }


@ -2,7 +2,7 @@
{ {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud30; package = pkgs.nextcloud29;
hostName = "cloud.nekover.se"; hostName = "cloud.nekover.se";
https = true; https = true;
config = { config = {


@ -13,5 +13,5 @@
}; };
}; };
system.stateVersion = "23.05"; system.stateVersion = "24.05";
} }


@ -25,5 +25,5 @@
}; };
}; };
system.stateVersion = "24.11"; system.stateVersion = "23.11";
} }


@ -1,8 +1,8 @@
{ nixpkgs-master, ... }: { nixpkgs-unstable, ... }:
{ {
services.jackett = { services.jackett = {
enable = true; enable = true;
# use package from master to work around faulty test in older jackett version # use package from unstable to work around faulty test in older jackett version
package = nixpkgs-master.legacyPackages."x86_64-linux".jackett; package = nixpkgs-unstable.legacyPackages."x86_64-linux".jackett;
}; };
} }


@ -2,9 +2,9 @@
# - https://github.com/NixOS/nixpkgs/issues/236736#issuecomment-1704670598 # - https://github.com/NixOS/nixpkgs/issues/236736#issuecomment-1704670598
# - https://nixos.org/manual/nixos/stable/#sect-nixos-systemd-nixos # - https://nixos.org/manual/nixos/stable/#sect-nixos-systemd-nixos
{ nixpkgs-unstable, ... }: { pkgs, ... }:
{ {
systemd.packages = [ nixpkgs-unstable.legacyPackages."x86_64-linux".qbittorrent-nox ]; systemd.packages = [ pkgs.qbittorrent-nox ];
systemd.services."qbittorrent-nox@torrent" = { systemd.services."qbittorrent-nox@torrent" = {
overrideStrategy = "asDropin"; overrideStrategy = "asDropin";


@ -1,17 +1,5 @@
{ ... }: { ... }:
{ {
# The sonarr package is dependend on .NET 6 which is marked as insecure.
# It doesn't seem to build with the later .NET versions.
# In the meantime allow the installation of these insecure packages since sonarr is only reachable locally.
nixpkgs.config = {
permittedInsecurePackages = [
"aspnetcore-runtime-wrapped-6.0.36"
"aspnetcore-runtime-6.0.36"
"dotnet-sdk-wrapped-6.0.428"
"dotnet-sdk-6.0.428"
];
};
services.sonarr = { services.sonarr = {
enable = true; enable = true;
user = "torrent"; user = "torrent";


@ -20,13 +20,13 @@
birdsite.nekover.se 10.202.41.107:8443; birdsite.nekover.se 10.202.41.107:8443;
cloud.nekover.se 10.202.41.122:8443; cloud.nekover.se 10.202.41.122:8443;
element.nekover.se 127.0.0.1:8443; element.nekover.se 127.0.0.1:8443;
fi.nekover.se 10.202.41.125:8443;
gameserver.grzb.de 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443;
git.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443;
git.nekover.se 10.202.41.106:8443; git.nekover.se 10.202.41.106:8443;
hydra.nekover.se 10.202.41.121:8443; hydra.nekover.se 10.202.41.121:8443;
id.nekover.se 10.202.41.124:8443; id.nekover.se 10.202.41.124:8443;
matrix.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443;
matrix-auth.nekover.se 10.202.41.112:9443;
mewtube.nekover.se 127.0.0.1:8443; mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443;
nix-cache.nekover.se 10.202.41.121:8443; nix-cache.nekover.se 10.202.41.121:8443;


@ -4,10 +4,10 @@ let
"jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; "jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
"mail-1.grzb.de" = "mail-1.vs.grzb.de"; "mail-1.grzb.de" = "mail-1.vs.grzb.de";
"matrix.nekover.se" = "matrix.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de";
"matrix-auth.nekover.se" = "matrix.vs.grzb.de";
"netbox.grzb.de" = "netbox.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de";
"git.nekover.se" = "forgejo.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de";
"grafana.grzb.de" = "metrics.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de";
"fi.nekover.se" = "ikiwiki.vs.grzb.de";
"jackett.grzb.de" = "torrent.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de";
"jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de";
"keycloak-admin.nekover.se" = "keycloak.vs.grzb.de"; "keycloak-admin.nekover.se" = "keycloak.vs.grzb.de";


@ -16,7 +16,22 @@
''; '';
}; };
locations."/.well-known/matrix/client" = { locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'"; return = "200 '
{
\"m.homeserver\": {
\"base_url\": \"https://matrix.nekover.se\"
},
\"m.identity_server\": {
\"base_url\": \"https://vector.im\"
},
\"org.matrix.msc3575.proxy\": {
\"url\": \"https://matrix.nekover.se\"
},
\"org.matrix.msc2965.authentication\": {
\"issuer\": \"https://nekover.se/\",
\"account\": \"https://matrix-auth.nekover.se/account\"
}
}'";
extraConfig = '' extraConfig = ''
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
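Review bot: The `org.matrix.msc2965.authentication.account` URL here is `https://matrix-auth.nekover.se/account`, while the synapse hunk sets `account_management_url = "https://id.nekover.se/realms/nekoverse/account/"`; clients may take either, so the two should agree on which account page users are sent to. The new value also embeds raw newlines inside nginx's single-quoted `return` argument; nginx generally accepts quoted strings spanning lines, but the indentation becomes part of the JSON body served with `default_type application/json` — harmless to parsers, yet a single-line string with the `\"` escapes it already carries would avoid the question entirely. The `locations` attrset this sits in starts before the hunk.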


@ -10,5 +10,5 @@
firewall.enable = true; firewall.enable = true;
}; };
system.stateVersion = "24.11"; system.stateVersion = "23.05";
} }


@ -34,11 +34,11 @@
}, },
"nixlib": { "nixlib": {
"locked": { "locked": {
"lastModified": 1734829460, "lastModified": 1729386149,
"narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=", "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c", "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -55,11 +55,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1734915500, "lastModified": 1729472750,
"narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=", "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4", "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -70,16 +70,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1736167739, "lastModified": 1730963269,
"narHash": "sha256-vL6dGj+0w+l1cK4duEokolgmx4Hu3O1TPjpD6Dfd7oY=", "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bd27be8c9381a66288504d5266db495de571d7bf", "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-24.11-small", "ref": "nixos-24.05-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -101,11 +101,11 @@
}, },
"nixpkgs-master": { "nixpkgs-master": {
"locked": { "locked": {
"lastModified": 1736204625, "lastModified": 1731015792,
"narHash": "sha256-y1OxajWQrxP7naHYPoUCrf4AAhEqOGwpNbj+qBXSn5s=", "narHash": "sha256-u8U89hPPbGu627UNtd3H9/CPifDOrmsNGm2y83C9A0A=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6199c32fe66a688ce7c3483de2b05b358ab7a0a6", "rev": "f7516232a6bf821825c2bd114abcaec1bcd1e54d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -117,11 +117,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1736165148, "lastModified": 1730989260,
"narHash": "sha256-AdKOlljgcTLOrJb3HFpaaoHWJhFrkVeT9HbRm0JvcwE=", "narHash": "sha256-5R9m921OhgOUNHVIxTS8+jZJokkZRsH7UOecxlchqZ8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9f46f57b78d2ef865cd8c58eff8d430bb62a471a", "rev": "3aea494127aae5d08c4c501ea4ba27e6c185b822",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -132,6 +132,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1729265718,
"narHash": "sha256-4HQI+6LsO3kpWTYuVGIzhJs1cetFcwT7quWCk/6rqeo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ccc0c2126893dd20963580b6478d1a10a4512185",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1717602782, "lastModified": 1717602782,
"narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
@ -146,12 +162,31 @@
"type": "indirect" "type": "indirect"
} }
}, },
"pterodactyl": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1730915158,
"narHash": "sha256-qQvhHUbC5yKD6x/G0P2tvHoRf92Nd/QWB76CRnV5oyI=",
"ref": "refs/heads/main",
"rev": "1eff87119f6e48b6b1d1afef468ee4ff1aebe333",
"revCount": 3,
"type": "git",
"url": "https://git.nekover.se/fi/pterodactyl.git"
},
"original": {
"type": "git",
"url": "https://git.nekover.se/fi/pterodactyl.git"
}
},
"root": { "root": {
"inputs": { "inputs": {
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-master": "nixpkgs-master", "nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"pterodactyl": "pterodactyl",
"simple-nixos-mailserver": "simple-nixos-mailserver" "simple-nixos-mailserver": "simple-nixos-mailserver"
} }
}, },
@ -159,16 +194,16 @@
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"nixpkgs-24_05": "nixpkgs-24_05", "nixpkgs-24_05": "nixpkgs-24_05",
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1734885828, "lastModified": 1718084203,
"narHash": "sha256-G0fB1YBlkalu8lLGRB07K8CpUWNVd+unfrjNomSL7SM=", "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "636b82f4175e3f6b1e80d2189bb0469e2ae01a55", "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {


@ -1,6 +1,6 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixpkgs-master.url = "github:NixOS/nixpkgs/master";
nixos-generators = { nixos-generators = {
@ -8,9 +8,13 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
pterodactyl = {
url = "git+https://git.nekover.se/fi/pterodactyl.git";
};
inputs.sops-nix.url = "github:Mic92/sops-nix";
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs: outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, pterodactyl, sops-nix, ... }@inputs:
let let
hosts = import ./hosts.nix inputs; hosts = import ./hosts.nix inputs;
helper = import ./helper.nix inputs; helper = import ./helper.nix inputs;
@ -28,10 +32,10 @@
nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
specialArgs = { specialArgs = {
inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver pterodactyl;
# Provide environment for secret key command # Provide environment for secret key command
keyCommandEnv = [ "env" "GNUPGHOME=/home/fi/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/fi/pass/infra" ]; keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
}; };
}; };
} // builtins.mapAttrs (helper.generateColmenaHost) hosts; } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
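Review bot: `inputs.sops-nix.url = "github:Mic92/sops-nix";` sits inside the `inputs = { ... };` set, so it defines `inputs.inputs.sops-nix.url` rather than a flake input; the `outputs` signature then requires a `sops-nix` argument that nothing provides, and the flake.lock in this compare indeed lists no `sops-nix` node under `root.inputs`. It should read `sops-nix.url = "github:Mic92/sops-nix";` alongside the other inputs, ideally with `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` so it does not drag in a second nixpkgs the way `pterodactyl` already does via `nixpkgs_2`. The same missing input breaks the `sops-nix.nixosModules.sops` line added to every host in the hosts.nix hunk. Separately, `nixpkgs.url` moves from `nixos-24.11-small` back to `nixos-24.05-small` and three `system.stateVersion` values change in other hunks; `stateVersion` must not change on an installed host, so confirm which side reflects the deployed machines before merging.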


@ -1,4 +1,4 @@
{ nixpkgs, nixpkgs-unstable, ... }: { nixpkgs, nixpkgs-unstable, sops-nix, ... }:
let let
# Set of environment specific modules # Set of environment specific modules
environments = { environments = {
@ -22,15 +22,16 @@ let
modules = [ modules = [
./config/common ./config/common
./config/hosts/${name} ./config/hosts/${name}
sops-nix.nixosModules.sops
] ++ (if environment != "" then environments.${environment} else []); ] ++ (if environment != "" then environments.${environment} else []);
}) hosts; }) hosts;
in in
generateDefaults { generateDefaults {
hydra = { gameserver-node-1 = {
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
ikiwiki = { hydra = {
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
@ -61,12 +62,17 @@ in
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
mail-2 = {
site = "wg";
environment = "proxmox";
};
mastodon = { mastodon = {
hostNixpkgs = nixpkgs-unstable; hostNixpkgs = nixpkgs-unstable;
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
matrix = { matrix = {
hostNixpkgs = nixpkgs-unstable;
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
@ -74,6 +80,11 @@ in
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
navidrome = {
hostNixpkgs = nixpkgs-unstable;
site = "wg";
environment = "proxmox";
};
netbox = { netbox = {
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
@ -82,6 +93,10 @@ in
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
nitter = {
site = "vs";
environment = "proxmox";
};
coturn = { coturn = {
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
@ -104,6 +119,10 @@ in
site = "af"; site = "af";
environment = "openstack"; environment = "openstack";
}; };
web-public-1 = {
site = "wg";
environment = "proxmox";
};
web-public-2 = { web-public-2 = {
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
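Review bot: The `matrix` host gains `hostNixpkgs = nixpkgs-unstable;` with no explanation, presumably because the new mas.nix relies on `pkgs.matrix-authentication-service`; a short comment on that line such as `# unstable: needed for matrix-authentication-service` (confirm the reason) would record why the pin exists so it can be dropped once the stable channel suffices. The `sops-nix.nixosModules.sops` line appended to every host's module list only takes effect once `sops-nix` is a correctly declared flake input, which the flake.nix hunk in this compare does not yet achieve. The `generateDefaults` call and the host set continue outside this hunk.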