author | polwex <polwex@sortug.com> | 2024-07-21 01:09:48 +0700 |
---|---|---|
committer | polwex <polwex@sortug.com> | 2024-07-21 01:09:48 +0700 |
commit | 78907aa98c1af8624a62ca123d088c6c16424f41 (patch) | |
tree | 477fe923810522acc211b7514e4931af80f33ed7 /hosts/cloud |
init
Diffstat (limited to 'hosts/cloud')
52 files changed, 2562 insertions, 0 deletions
diff --git a/hosts/cloud/bkk/configuration.nix b/hosts/cloud/bkk/configuration.nix new file mode 100644 index 0000000..42f6b2c --- /dev/null +++ b/hosts/cloud/bkk/configuration.nix @@ -0,0 +1,49 @@ +{ modulesPath, lib, pkgs, ... }: +{ + imports = [ + ./hardware-configuration.nix + ./nginx.nix + ]; + boot = { + loader.grub = { + enable = true; + device = "/dev/vda"; + }; + }; + users.users.root.openssh.authorizedKeys.keys = + [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ]; + + # enable flakes + nix = { + package = pkgs.nixFlakes; + extraOptions = '' + experimental-features = nix-command flakes + ''; + settings = { + keep-outputs = true; + keep-derivations = true; + }; + }; + + services.openssh = { + enable = true; + passwordAuthentication = false; + # ports = [5522]; + }; + networking = { + hostName = "yn-bkk"; # use Digital Ocean metadata server + }; + networking.firewall = { + enable = false; + # allowedTCPPorts = [ 993 465 40308 80 443 53 51820 5522 ]; + # allowedUDPPorts = [ 993 465 40308 80 443 53 50000 50001 50002 50003 50004 50005 50006 50007 50008 50009 50010 51820 5522 ]; + }; + services.ntfy-sh = { + enable = true; + settings = { + base-url = "https://n.urbit.men"; + listen-http = ":8090"; + }; + }; + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/cloud/bkk/hardware-configuration.nix b/hosts/cloud/bkk/hardware-configuration.nix new file mode 100644 index 0000000..736857a --- /dev/null +++ b/hosts/cloud/bkk/hardware-configuration.nix 
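Review bot: `listen-http = ":8090"` binds ntfy on every interface, and with `networking.firewall.enable = false` that plaintext listener is reachable from the internet directly, bypassing the TLS vhost in bkk/nginx.nix that proxies to `127.0.0.1:8090`. Bind it to loopback, `listen-http = "127.0.0.1:8090";`, and keep the firewall on with only what this host serves, `networking.firewall = { enable = true; allowedTCPPorts = [ 22 80 443 ]; };`. `services.openssh.passwordAuthentication` was, I believe, renamed to `services.openssh.settings.PasswordAuthentication` in NixOS 23.05, so on the nixpkgs-unstable input this is at best a deprecation warning — verify against the module.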
@@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/22436064-dc92-4aea-8e58-0dc2ce872baa"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/9726a4b6-5c40-4863-9a21-07f0100dea8d"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens6.useDHCP = lib.mkDefault true; + # networking.interfaces.ens7.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/cloud/bkk/nginx.nix b/hosts/cloud/bkk/nginx.nix new file mode 100644 index 0000000..f948e0e --- /dev/null +++ b/hosts/cloud/bkk/nginx.nix 
@@ -0,0 +1,62 @@ +{ config, pkgs, ... }: { + + security.acme.acceptTerms = true; + security.acme.defaults.email = "security@urbit.cam"; + services.nginx = { + enable = true; + virtualHosts."u.urbit.men" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8080"; + # proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + extraConfig = '' + chunked_transfer_encoding off; + proxy_http_version 1.1; + proxy_buffering off; + proxy_cache off; + ''; + }; + virtualHosts."n.urbit.men" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8090"; + # proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + extraConfig = '' + chunked_transfer_encoding off; + proxy_http_version 1.1; + proxy_buffering off; + proxy_cache off; + ''; + }; + # virtualHosts."t.urbit.men" = { + # enableACME = true; + # forceSSL = true; + # locations."/" = { + # proxyPass = "http://127.0.0.1:8081"; + # # proxyWebsockets = true; # needed if you need to use WebSocket + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_set_header Forwarded $proxy_add_x_forwarded_for; + # ''; + # }; + # extraConfig = '' + # chunked_transfer_encoding off; + # proxy_http_version 1.1; + # proxy_buffering off; + # proxy_cache off; + # ''; + # }; + }; +} diff --git a/hosts/cloud/flake.lock b/hosts/cloud/flake.lock new file mode 100644 index 0000000..7b53099 --- /dev/null +++ b/hosts/cloud/flake.lock 
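Review bot: `proxy_set_header Forwarded $proxy_add_x_forwarded_for;` in both vhosts puts an `X-Forwarded-For`-style comma list into the RFC 7239 `Forwarded` header, whose value is `for=...;proto=...` pairs, so a backend parsing either header gets the wrong thing and the client address is effectively lost. Use the conventional header, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` together with `proxy_set_header X-Forwarded-Proto $scheme;`, or set `services.nginx.recommendedProxySettings = true;` and drop the hand-written headers. If ntfy is expected to rate-limit per client behind this proxy it presumably also needs its `behind-proxy` setting enabled — confirm against the ntfy docs. The two vhost bodies are identical apart from the port; a small local function taking the upstream port would remove the duplication and the commented-out third copy.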
@@ -0,0 +1,48 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719401812, + "narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=", + "owner": "nix-community", + "repo": "disko", + "rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1719379843, + "narHash": "sha256-u+D+IOAMMl70+CJ9NKB+RMrASjInuIWMHzjLWQjPZ6c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b3f3c1b13fb08f3828442ee86630362e81136bbc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/hosts/cloud/flake.nix b/hosts/cloud/flake.nix new file mode 100644 index 0000000..84ad8d0 --- /dev/null +++ b/hosts/cloud/flake.nix 
@@ -0,0 +1,67 @@ +{ + inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + inputs.disko.url = "github:nix-community/disko"; + inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; + + outputs = { nixpkgs, disko, ... }: + { + nixosConfigurations.sortug = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + disko.nixosModules.disko + ./sortug/configuration.nix + ./packages.nix + ./users.nix + ]; + }; + nixosConfigurations.osortug = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + disko.nixosModules.disko + ./oldsortug/configuration.nix + ./packages.nix + ./users.nix + ]; + }; + nixosConfigurations.jeet = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + disko.nixosModules.disko + ./jeet/configuration.nix + # ./packages.nix + ./users.nix + ]; + }; + nixosConfigurations.bkk = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + disko.nixosModules.disko + ./bkk/configuration.nix + ./packages.nix + ./users.nix + ]; + }; + nixosConfigurations.sing = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + disko.nixosModules.disko + ./sing/configuration.nix + ./packages.nix + ./users.nix + ./sing/omail.nix + ./sing/nginx.nix + ./sing/jellyfin.nix + ]; + }; + nixosConfigurations.spanmail= nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./spanm/configuration.nix + ./spanm/users.nix + ./spanm/mail.nix + ./spanm/packages.nix + ./spanm/nginx.nix + ]; + }; + }; +} diff --git a/hosts/cloud/install-script.sh b/hosts/cloud/install-script.sh new file mode 100644 index 0000000..1f9a54e --- /dev/null +++ b/hosts/cloud/install-script.sh 
@@ -0,0 +1,170 @@ +# The disk that will be used +# NOTE: If installing on an nvme drive (ie: /dev/nvme0n1), you'll need to replace all occurrences of ${DISK}# with ${DISK}p# where # is the partition number. +# Don't forget to also replace all occurences of $(echo $DISK | cut -f1 -d\ )# with $(echo $DISK | cut -f1 -d\ )p# +export DISK='/dev/vda' + +export LUKS_KEY_DISK=cryptkey +export KEYFILE_LOCATION=/cryptkey +export KEY_DISK=/dev/mapper/cryptkey + +# we use parted here since it does a good job with adding BIOS protective MBR to GPT disk +# since we are booting in BIOS mode, we get a max of 4 primary partitions +# BIOS MBR partition (1MB) +# /boot partition (1GB) +# LUKS key partition (20MB) +# LUKS swap partition (2GB) +# ZFS root partition (Remaining space) +# NOTE: Make the ZFS root partition your last partition, so that if you resize the disk it will be easy to get ZFS to use the extra space +parted --script $DISK mklabel gpt +parted --script --align optimal $DISK -- mklabel gpt mkpart 'BIOS-boot' 1MB 2MB set 1 bios_grub on mkpart 'boot' 2MB 1026MB mkpart 'luks-key' 1026MB 1046MB mkpart 'luks-swap' 1046MB 3094MB mkpart 'zfs-pool' 3094MB '100%' + +# tr -d '\n' < /dev/urandom | dd of=/dev/disk/by-partlabel/key +# Create an encrypted disk to hold our key, the key to this drive +# is what you'll type in to unlock the rest of your drives... 
so, +# remember it: +export DISK1_KEY=$(echo $DISK | cut -f1 -d\ )3 +cryptsetup luksFormat $DISK1_KEY +cryptsetup luksOpen $DISK1_KEY cryptkey + +# Write the key right to the decrypted LUKS partition, as raw bytes +echo "" > newline +dd if=/dev/zero bs=1 count=1 seek=1 of=newline +dd if=/dev/urandom bs=32 count=1 | od -A none -t x | tr -d '[:space:]' | cat - newline > hdd.key +dd if=/dev/zero of=$KEY_DISK +dd if=hdd.key of=$KEY_DISK +dd if=$KEY_DISK bs=64 count=1 + +# Format swap as encrypted LUKS and mount the partition +export DISK1_SWAP=$(echo $DISK | cut -f1 -d\ )4 +cryptsetup luksFormat --key-file=$KEY_DISK --keyfile-size=64 $DISK1_SWAP +cryptsetup open --key-file=$KEY_DISK --keyfile-size=64 $DISK1_SWAP cryptswap +mkswap /dev/mapper/cryptswap +swapon /dev/mapper/cryptswap + +# Create root pool +zpool create -f \ + -o ashift=12 \ + -o autotrim=on \ + -R /mnt \ + -O acltype=posixacl \ + -O compression=zstd \ + -O dnodesize=auto \ + -O normalization=formD \ + -O xattr=sa \ + -O atime=off \ + -O canmount=off \ + -O mountpoint=none \ + -O encryption=aes-256-gcm \ + -O keylocation=file://$KEY_DISK \ + -O keyformat=hex \ + rpool \ + ${DISK}5 + +# Create root system containers +zfs create \ + -o canmount=off \ + -o mountpoint=none \ + rpool/local +zfs create \ + -o canmount=off \ + -o mountpoint=none \ + rpool/safe + +# Create and mount dataset for `/` +zfs create -p -o mountpoint=legacy rpool/local/root +# Create a blank snapshot +zfs snapshot rpool/local/root@blank +# Mount root ZFS dataset +mount -t zfs rpool/local/root /mnt + +# Create and mount dataset for `/nix` +zfs create -p -o mountpoint=legacy rpool/local/nix +mkdir -p /mnt/nix +mount -t zfs rpool/local/nix /mnt/nix + +# Create and mount dataset for `/home` +zfs create -p -o mountpoint=legacy rpool/safe/home +mkdir -p /mnt/home +mount -t zfs rpool/safe/home /mnt/home + +# Create and mount dataset for `/persist` +zfs create -p -o mountpoint=legacy rpool/safe/persist +mkdir -p /mnt/persist +mount -t zfs 
rpool/safe/persist /mnt/persist + +# Create and mount dataset for `/services` +zfs create -p -o mountpoint=legacy rpool/safe/services +mkdir -p /mnt/services +mount -t zfs rpool/safe/services /mnt/services + +# create and mount boot partition +mkdir -p /mnt/boot +mkfs.vfat -F32 $(echo $DISK | cut -f1 -d\ )2 +mount -t vfat $(echo $DISK | cut -f1 -d\ )2 /mnt/boot + +# Generate initial system configuration +nixos-generate-config --root /mnt + +export CRYPTKEY="$(blkid -o export "$DISK1_KEY" | grep "^UUID=")" +export CRYPTKEY="${CRYPTKEY#UUID=*}" + +export CRYPTSWAP="$(blkid -o export "$DISK1_SWAP" | grep "^UUID=")" +export CRYPTSWAP="${CRYPTSWAP#UUID=*}" + +export RPOOL_PARTUUID="$(blkid -o export $(echo $DISK | cut -f1 -d\ )5 | grep "^PARTUUID=")" +export RPOOL_PARTUUID="${RPOOL_PARTUUID#PARTUUID=*}" + +# Import ZFS/boot-specific configuration +sed -i "s|./hardware-configuration.nix|./hardware-configuration.nix ./boot.nix|g" /mnt/etc/nixos/configuration.nix + +# Set root password +export rootPwd=$(mkpasswd -m SHA-512 -s "VerySecurePassword") +# Write boot.nix configuration +tee -a /mnt/etc/nixos/boot.nix <<EOF +{ config, pkgs, lib, ... 
}: + +{ boot.supportedFilesystems = [ "zfs" ]; + # Kernel modules needed for mounting LUKS devices in initrd stage + boot.initrd.availableKernelModules = [ "aesni_intel" "cryptd" ]; + + boot.initrd.luks.devices = { + cryptkey = { + device = "/dev/disk/by-uuid/$CRYPTKEY"; + }; + + cryptswap = { + device = "/dev/disk/by-uuid/$CRYPTSWAP"; + keyFile = "$KEY_DISK"; + keyFileSize = 64; + }; + }; + + boot.zfs.devNodes = "/dev/disk/by-partuuid/$RPOOL_PARTUUID"; + boot.zfs.forceImportAll = true; + + # ZFS ARC Size 64MB + boot.kernelParams = [ "zfs.zfs_arc_max=268435456" ]; + + networking.hostId = "$(head -c 8 /etc/machine-id)"; + boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + + boot.loader.grub = { + enable = true; + copyKernels = true; + zfsSupport = true; + device = "/dev/vda2"; + }; + + users.users.root.initialHashedPassword = "$rootPwd"; +} +EOF + +# Install system and apply configuration +nixos-install -v --show-trace --no-root-passwd --root /mnt + +# Unmount filesystems +umount -Rl /mnt +zpool export -a + +# Reboot +reboot diff --git a/hosts/cloud/jeet/configuration.nix b/hosts/cloud/jeet/configuration.nix new file mode 100644 index 0000000..1d470e2 --- /dev/null +++ b/hosts/cloud/jeet/configuration.nix 
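Review bot: The generated LUKS/ZFS key is left in plaintext at `./hdd.key` (plus the `newline` scratch file) and is also printed to the terminal by `dd if=$KEY_DISK bs=64 count=1`, while `boot.nix` is written with a hard-coded `VerySecurePassword` root hash; none of this is cleaned up before `reboot`. Drop the `dd if=$KEY_DISK ...` echo, wipe the scratch files once the key is on the encrypted partition, `shred -u hdd.key newline`, and prompt instead of baking a placeholder, `export rootPwd=$(mkpasswd -m SHA-512)`. A script that runs `parted`, `cryptsetup luksFormat` and `zpool create -f` unattended should also start with `set -euo pipefail` so one failed step does not let the next run against the wrong device. `boot.loader.grub.device = "/dev/vda2"` in the heredoc points at the /boot partition rather than the disk whose `bios_grub` partition GRUB needs — presumably `/dev/vda` was intended; verify.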
@@ -0,0 +1,75 @@ +{ modulesPath, pkgs, ... }: +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ./disk-config.nix + ./hardware-configuration.nix + ]; + + boot.loader.grub.enable = true; + # enable flakes + nix = { + package = pkgs.nixFlakes; + extraOptions = '' + experimental-features = nix-command flakes + ''; + settings = { + keep-outputs = true; + keep-derivations = true; + }; + }; + + services.openssh = { + enable = true; + passwordAuthentication = false; + # ports = [5522]; + }; + services.do-agent.enable = true; + networking = { + firewall.enable = false; + hostName = "yn-ind"; # use Digital Ocean metadata server + networkmanager.enable = true; + useDHCP = false; + interfaces.eth0.ipv4.addresses = [ + {address = "93.127.194.223"; prefixLength = 32;} + ]; + interfaces.eth0.ipv6.addresses = [ + {address = "2a02:4780:12:413b::1"; prefixLength = 64;} + ]; + defaultGateway = { + address = "169.254.0.1"; + interface = "eth0"; + }; + defaultGateway6 = { + address = "fe80:1"; + interface = "eth0"; + }; + interfaces.ens18.ipv4.addresses = [ + {address = "93.127.194.223"; prefixLength = 32;} + ]; + interfaces.ens18.ipv6.addresses = [ + {address = "2a02:4780:12:413b::1"; prefixLength = 64;} + ]; + # defaultGateway = { + # address = "169.254.0.1"; + # interface = "ens18"; + # }; + # defaultGateway6 = { + # address = "fe80:1"; + # interface = "ens18"; + # }; + nameservers = [ + "217.21.86.10" + "8.8.4.4" + "1.1.1.1" + ]; + }; + + users.users.root.openssh.authorizedKeys.keys = + [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ]; + # networking.firewall = { + # enable = true; + # allowedTCPPorts = [ 993 465 40308 80 443 53 51820 5522 ]; + # allowedUDPPorts = [ 993 465 40308 80 443 53 50000 50001 50002 50003 50004 50005 50006 50007 50008 50009 50010 51820 5522 ]; + # }; +} diff --git a/hosts/cloud/jeet/disk-config.nix b/hosts/cloud/jeet/disk-config.nix new file mode 100644 index 0000000..d1a1d90 
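Review bot: `defaultGateway6.address = "fe80:1"` is not a valid IPv6 literal (a single `:` and no `::`), so the v6 default route cannot be installed; the link-local gateway is presumably `fe80::1`. The same public address is assigned on both `eth0` and `ens18`, only one of which can be the real interface name, so the stale stanza should go rather than configuring a duplicate /32. `firewall.enable = false` leaves every listening service on this public host exposed; keep the firewall on and allow only sshd, e.g. `firewall = { enable = true; allowedTCPPorts = [ 22 ]; };`, extending it as services are added. `services.openssh.passwordAuthentication` is, I believe, the pre-23.05 name of `settings.PasswordAuthentication` — check it still evaluates without a rename warning.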
--- /dev/null +++ b/hosts/cloud/jeet/disk-config.nix @@ -0,0 +1,52 @@ +# Example to create a bios compatible gpt partition +{ lib, ... }: +{ +# Disk /dev/sda: 200 GiB, 214748364800 bytes, 419430400 sectors +# Disk model: QEMU HARDDISK +# Units: sectors of 1 * 512 = 512 bytes +# Sector size (logical/physical): 512 bytes / 512 bytes +# I/O size (minimum/optimal): 512 bytes / 512 bytes +# Disklabel type: gpt +# Disk identifier: CED6435C-56EF-4699-BEE9-19280C444BCA +# +# Device Start End Sectors Size Type +# /dev/sda1 2048 4095 2048 1M BIOS boot +# /dev/sda2 4096 4194303 4190208 2G Linux filesystem +# /dev/sda3 4194304 419428351 415234048 198G Linux filesystem +# + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "root"; + size = "100%"; # Allocates the remainder of the disk, minus the sizes of the other partitions + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/cloud/jeet/hardware-configuration.nix b/hosts/cloud/jeet/hardware-configuration.nix new file mode 100644 index 0000000..bb83c96 --- /dev/null +++ b/hosts/cloud/jeet/hardware-configuration.nix 
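Review bot: The header comment still shows an example layout (`/dev/sda2` 2G Linux filesystem, no ESP) that does not match the declared partitions (1M `EF02`, 500M `EF00` ESP at /boot, ext4 root on the remainder), and the first line `# Example to create a bios compatible gpt partition` says the file is a sample. Replace the stale table with a comment describing the real layout, e.g. `# GPT: 1M BIOS-boot (EF02) + 500M ESP at /boot + ext4 root on the rest`, and note that `/dev/sda` is a `lib.mkDefault` the host may override.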
@@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/cloud/oldsortug/configuration.nix b/hosts/cloud/oldsortug/configuration.nix new file mode 100644 index 0000000..1c1866e --- /dev/null +++ b/hosts/cloud/oldsortug/configuration.nix 
@@ -0,0 +1,46 @@ +{ modulesPath, lib, ... }: +{ + imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [ + ./hardware-configuration.nix + ./gitea.nix + ./nginx.nix + ./coturn.nix + ]; + boot = { + growPartition = true; + kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ]; + initrd.kernelModules = [ "virtio_scsi" ]; + kernelModules = [ "virtio_pci" "virtio_net" ]; + loader = { + grub.device = "/dev/sda"; + timeout = 0; + grub.configurationLimit = 0; + }; + }; + services.openssh = { + enable = true; + passwordAuthentication = false; + ports = [5522]; + }; + services.do-agent.enable = true; + networking = { + hostName = "sortug"; # use Digital Ocean metadata server + }; + networking.firewall = { + enable = true; + allowedTCPPorts = [ 40308 80 443 53 51820 5522 ]; + allowedUDPPorts = [ 40308 80 443 53 51820 5522 + 50000 + 50001 + 50002 + 50003 + 50004 + 50005 + 50006 + 50007 + 50008 + 50009 + 50010 + ]; + }; +} diff --git a/hosts/cloud/oldsortug/coturn.nix b/hosts/cloud/oldsortug/coturn.nix new file mode 100644 index 0000000..aaf097c --- /dev/null +++ b/hosts/cloud/oldsortug/coturn.nix 
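Review bot: `allowedUDPPorts` reopens 80, 443, 53, 40308 and 5522 on UDP, but the only services in this diff on those ports are nginx and sshd on TCP and nothing in the tree serves DNS, so the UDP entries widen exposure without serving anything visible. Keep UDP to what actually listens — presumably WireGuard on 51820; what binds 40308 and 50000–50010 is not visible in this commit — e.g. `allowedUDPPorts = [ 51820 ];` plus `allowedUDPPortRanges = [ { from = 50000; to = 50010; } ];` if that range is real. coturn.nix on the same host separately opens 49152–49999 for its relay, so the 50000–50010 list may be a leftover. `services.openssh.passwordAuthentication` is, I believe, a renamed option since NixOS 23.05 (`settings.PasswordAuthentication`).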
@@ -0,0 +1,60 @@ +{ ... }: + +{ + services.coturn = { + enable = true; + lt-cred-mech = true; + # use-auth-secret = true; + # static-auth-secret = "GHhc4i7Hwto0KxoDgNioYgWgkc1iLbEE8t45G6voTzD07vKvFsK6R4b8kShVZEhC"; + realm = "turn.sortug.com"; + # relay-ips = [ + # "<public-server-ip>" + # ]; + # no-tcp-relay = true; + extraConfig = " + cipher-list=\"HIGH\" + no-loopback-peers + no-multicast-peers + "; + # secure-stun = true; + cert = "/var/lib/acme/turn.sortug.com/fullchain.pem"; + pkey = "/var/lib/acme/turn.sortug.com/key.pem"; + min-port = 49152; + max-port = 49999; + }; + + # Open ports in the firewall. + networking.firewall = { + enable = true; + allowPing = false; + allowedTCPPorts = [ + 5349 # STUN tls + 5350 # STUN tls alt + 80 # http + 443 # https + ]; + allowedUDPPortRanges = [ + { from=49152; to=49999; } # TURN relay + ]; + }; + + # setup certs + services.nginx = { + enable = true; + virtualHosts = { + "turn.sortug.com" = { + forceSSL = true; + enableACME = true; + }; + }; + }; + users.groups.turnserver.members = ["nginx" "coturn"]; + + # share certs with coturn and restart on renewal + security.acme.certs = { + "turn.sortug.com" = { + postRun = "systemctl reload nginx.service; systemctl restart coturn.service"; + }; + }; +} + diff --git a/hosts/cloud/oldsortug/gitea.nix b/hosts/cloud/oldsortug/gitea.nix new file mode 100644 index 0000000..a25773a --- /dev/null +++ b/hosts/cloud/oldsortug/gitea.nix @@ -0,0 +1,27 @@ +{ config, ...}: +{ + services.gitea = { + enable = true; + user = "git"; + appName = "Sortug Git"; + settings.server = { + domain = "git.sortug.com"; + ROOT_URL = "https://git.sortug.com/"; + SSH_PORT = 5522; + }; + lfs.enable = true; + }; + + users.users = { + git = { + description = "Gitea Service"; + home = "/var/lib/gitea"; + useDefaultShell = true; + group = "gitea"; + isSystemUser = true; + }; + }; + + + +} 
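Review bot: The commented-out `static-auth-secret = "GHhc4i7Hwto0KxoDgNioYgWgkc1iLbEE8t45G6voTzD07vKvFsK6R4b8kShVZEhC"` is now in git history; even disabled it should be treated as compromised, rotated, and read from a file outside the repo (the module's `static-auth-secret-file`, if available in this nixpkgs) whenever `use-auth-secret` is turned back on. The certificate sharing also looks wrong: nginx's ACME certs are group-owned by nginx's group, while the coturn module runs the daemon as `turnserver` as far as I recall, so `users.groups.turnserver.members = ["nginx" "coturn"]` neither makes `key.pem` readable by coturn nor matches an existing `coturn` user. The usual pattern is `security.acme.certs."turn.sortug.com".group = "turnserver";` plus `users.users.nginx.extraGroups = [ "turnserver" ];` — verify the key is readable after a rebuild. With `lt-cred-mech = true` and no users or secret configured, TURN allocations cannot authenticate and only STUN works — say so in a comment if that is intended.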
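Review bot: `settings.service.DISABLE_REGISTRATION` is not set, so Gitea's default of open self-registration applies on an internet-facing host with a public `ROOT_URL`; anyone can create an account on git.sortug.com. Add `settings.service.DISABLE_REGISTRATION = true;` (and `settings.service.REQUIRE_SIGNIN_VIEW = true;` if the instance is meant to be private). No nginx vhost for `git.sortug.com` appears in this commit — the reverse proxy behind `ROOT_URL` is presumably elsewhere or still to come.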
diff --git a/hosts/cloud/oldsortug/hardware-configuration.nix b/hosts/cloud/oldsortug/hardware-configuration.nix new file mode 100644 index 0000000..f46db2a --- /dev/null +++ b/hosts/cloud/oldsortug/hardware-configuration.nix @@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/32e438fa-ead6-47d5-8ebe-75f6b1d0c1a6"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/cloud/oldsortug/nginx.nix b/hosts/cloud/oldsortug/nginx.nix new file mode 100644 index 0000000..ba64539 --- /dev/null +++ b/hosts/cloud/oldsortug/nginx.nix 
@@ -0,0 +1,21 @@ +{ ... }: { + + security.acme.acceptTerms = true; + security.acme.defaults.email = "security@sortug.com"; + users.users.y.homeMode = "750"; + services.nginx = { + enable = true; + virtualHosts."old.sortug.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:9000"; + proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $Host; + ''; + # actually important + }; + }; + }; +} diff --git a/hosts/cloud/oldsortug/packages.nix b/hosts/cloud/oldsortug/packages.nix new file mode 100644 index 0000000..6985acb --- /dev/null +++ b/hosts/cloud/oldsortug/packages.nix @@ -0,0 +1,53 @@ +{ config, pkgs, ... }: + +{ + nixpkgs.config = { + allowUnfree = true; + }; + + environment.systemPackages = with pkgs; [ + neovim + fish + # unix utilities + tmux + bat # cat replacement written in Rust + colordiff + direnv # Per-directory environment variables + lsd + fd # find replacement written in Rust + fzf # Fuzzy finder + git + glibcLocales + gnumake + htop # Resource monitoring + jq # JSON parsing for the CLI + lsof + ripgrep # grep replacement written in Rust + sd # Fancy sed replacement + silver-searcher + skim # High-powered fuzzy finder written in Rust + strace # debug stack trace + tealdeer # tldr for various shell tools + testdisk + tokei # Handy tool to see lines of code by language + watchexec # Fileystem watcher/executor useful for speedy development + xsv # CSV file parsing utility + just # Intriguing new make replacement + mdcat # Markdown converter/reader for the CLI + tree + unzip + zip + + # networking + curl + caddy # simple web server made with go + innernet + + # s3 + minio + # databases + # postgresql + # sqlite + ]; +} + diff --git a/hosts/cloud/oldsortug/users.nix b/hosts/cloud/oldsortug/users.nix new file mode 100644 index 0000000..b3515c1 --- /dev/null +++ b/hosts/cloud/oldsortug/users.nix 
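Review bot: `proxy_set_header Host $Host;` uses `$Host`, but nginx variable names are case-sensitive and the request-host variable is `$host`; as written I would expect the config check to reject it as an unknown variable, or at best an empty header — use `proxy_set_header Host $host;` and verify at build time. The orphaned `# actually important` comment should say what it refers to, e.g. `# the upstream on :9000 routes on the Host header, so it must be forwarded`, if that is what was meant. `users.users.y.homeMode = "750";` is a user setting that does not belong in nginx.nix — move it to the users module.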
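Review bot: This file appears to be dead configuration in this commit: flake.nix builds `osortug` from the top-level `./packages.nix`, and `oldsortug/configuration.nix` imports only hardware, gitea, nginx and coturn, so `oldsortug/packages.nix` is never evaluated. Either import it or delete it; it differs from `hosts/cloud/packages.nix` only by `neovim` vs `helix` and `ffmpeg_5`, so one shared module plus a host-specific extra list is the cleaner fix. `nixpkgs.config.allowUnfree = true` applies to every host importing the module; none of the listed packages looks unfree, so it could be dropped or narrowed with `allowUnfreePredicate`.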
@@ -0,0 +1,56 @@ +{ config, pkgs, ... }: + + +let shellAliases = { + l = "lsd -lAh"; + la = "lsd -lAh"; + ports = "sudo lsof -i -P -n | grep LISTEN"; + gco = "git checkout"; + gcob = "git checkout -b"; +}; + +in { + programs.fish = { + inherit shellAliases; + enable = true; +# plugins = [{ +# name="foreign-env"; +# src = pkgs.fetchFromGitHub { +# owner = "oh-my-fish"; +# repo = "plugin-foreign-env"; +# rev = "dddd9213272a0ab848d474d0cbde12ad034e65bc"; +# sha256 = "00xqlyl3lffc5l0viin1nyp819wf81fncqyz87jx8ljjdhilmgbs"; +# }; +# }]; +}; + + users = { + extraUsers = { + y = { + group = "users"; + isNormalUser = true; + extraGroups = [ + "systemd-journal" + "wheel" + ]; + createHome = true; + home = "/home/y"; + isSystemUser = false; + shell = pkgs.fish; + openssh.authorizedKeys.keys = + [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ]; + }; +# urbit = { +# group = "users"; +# isNormalUser = true; +# createHome = true; +# isSystemUser = false; +# openssh.authorizedKeys.keys = +# [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/VzXbaX1CLqQfPCkRdMHzAKsbS//2B0qlw3ROnR74tgl7jrBP2qeYhydcNECqC5WWO+KLZrbOWdVLATLW6z6oLlMx6E6WCfRVx/F7coMd/FBYqHwJ2Z1PbG0YSjWH07GyVYU2Nc9HfW459aXpGQ2LlTjYP14i7DqvSesCIkfbPfHzwAkyDxj4oIMXS3LMQlh4u69YKoXS/LPU+1Qv+bT5alRc2Uw+/9/q1IfDDxIiKqt3EVNEM6p5QssXtlFhk0+7zXRApWbpYLbjAVHDHbFoPAXeKLQvpgnz1K84fOGNlXj9nISYfDba8NVWQbetKnVxmQNDUKk3jOcBFmjgHvYv pkova@Pyrys-MacBook-Pro.local" ]; +# }; + }; + }; +} + + + diff --git a/hosts/cloud/packages.nix b/hosts/cloud/packages.nix new file mode 100644 index 0000000..fe7065b --- /dev/null +++ b/hosts/cloud/packages.nix 
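Review bot: A commented-out `ssh-rsa … pkova@Pyrys-MacBook-Pro.local` key for another person is kept in the file; disabled credentials in a live module are easy to re-enable by accident and belong in history, not here — delete the `urbit` stanza. User `y` is in `wheel` with no password configured, so with the default `security.sudo.wheelNeedsPassword = true` the `ports` alias (`sudo lsof …`) cannot elevate; either set a `hashedPasswordFile` or make `security.sudo.wheelNeedsPassword = false;` an explicit choice. flake.nix builds `osortug` from the top-level `./users.nix`, not this file, so check it is evaluated at all.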
@@ -0,0 +1,55 @@ +{ config, pkgs, ... }: + +{ + nixpkgs.config = { + allowUnfree = true; + }; + + environment.systemPackages = with pkgs; [ + helix + fish + # unix utilities + tmux + bat # cat replacement written in Rust + colordiff + direnv # Per-directory environment variables + lsd + fd # find replacement written in Rust + fzf # Fuzzy finder + git + glibcLocales + gnumake + htop # Resource monitoring + jq # JSON parsing for the CLI + lsof + ripgrep # grep replacement written in Rust + sd # Fancy sed replacement + silver-searcher + skim # High-powered fuzzy finder written in Rust + strace # debug stack trace + tealdeer # tldr for various shell tools + testdisk + tokei # Handy tool to see lines of code by language + watchexec # Fileystem watcher/executor useful for speedy development + xsv # CSV file parsing utility + just # Intriguing new make replacement + mdcat # Markdown converter/reader for the CLI + tree + unzip + zip + + # networking + curl + caddy # simple web server made with go + innernet + + # s3 + minio + # streaming + ffmpeg_5 + # databases + # postgresql + # sqlite + ]; +} + diff --git a/hosts/cloud/sing/configuration.nix b/hosts/cloud/sing/configuration.nix new file mode 100644 index 0000000..8428b10 --- /dev/null +++ b/hosts/cloud/sing/configuration.nix 
@@ -0,0 +1,38 @@ +{ modulesPath, pkgs, ... }: +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/profiles/qemu-guest.nix") + ./disk-config.nix + ]; + boot.loader.grub = { + efiSupport = true; + }; + + # enable flakes + nix = { + package = pkgs.nixFlakes; + extraOptions = '' + experimental-features = nix-command flakes + ''; + settings = { + keep-outputs = true; + keep-derivations = true; + }; + }; + + services.openssh = { + enable = true; + passwordAuthentication = false; + ports = [5522]; + }; + services.do-agent.enable = true; + networking = { + hostName = "yagonet-sing"; # use Digital Ocean metadata server + }; + networking.firewall = { + enable = true; + allowedTCPPorts = [ 993 465 40308 80 443 53 51820 5522 ]; + allowedUDPPorts = [ 993 465 40308 80 443 53 50000 50001 50002 50003 50004 50005 50006 50007 50008 50009 50010 51820 5522 ]; + }; +} diff --git a/hosts/cloud/sing/disk-config.nix b/hosts/cloud/sing/disk-config.nix new file mode 100644 index 0000000..d1a1d90 --- /dev/null +++ b/hosts/cloud/sing/disk-config.nix 
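Review bot: `allowedUDPPorts` repeats the TCP list (80, 443, 465, 993, 5522, 40308), but nginx, the mail server and sshd are TCP services, so those UDP entries open nothing useful and should be removed; keep `51820` and whatever the 50000–50010 range is for. `boot.loader.grub.efiSupport = true` here drops the `efiInstallAsRemovable = true` that `sing/init.nix` used at install time, which can make the first rebuild fail to write the bootloader on a VM without writable EFI variables — presumably meant to match; verify. `passwordAuthentication` is the pre-23.05 spelling of `settings.PasswordAuthentication`, and none of the `sing` modules visible in this commit sets `system.stateVersion` (init.nix's `23.11` is not in flake.nix's module list), which the evaluator warns about.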
@@ -0,0 +1,52 @@ +# Example to create a bios compatible gpt partition +{ lib, ... }: +{ +# Disk /dev/sda: 200 GiB, 214748364800 bytes, 419430400 sectors +# Disk model: QEMU HARDDISK +# Units: sectors of 1 * 512 = 512 bytes +# Sector size (logical/physical): 512 bytes / 512 bytes +# I/O size (minimum/optimal): 512 bytes / 512 bytes +# Disklabel type: gpt +# Disk identifier: CED6435C-56EF-4699-BEE9-19280C444BCA +# +# Device Start End Sectors Size Type +# /dev/sda1 2048 4095 2048 1M BIOS boot +# /dev/sda2 4096 4194303 4190208 2G Linux filesystem +# /dev/sda3 4194304 419428351 415234048 198G Linux filesystem +# + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "root"; + size = "100%"; # Allocates the remainder of the disk, minus the sizes of the other partitions + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/cloud/sing/hardware-configuration.nix b/hosts/cloud/sing/hardware-configuration.nix new file mode 100644 index 0000000..04d76e5 --- /dev/null +++ b/hosts/cloud/sing/hardware-configuration.nix 
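Review bot: This file is byte-identical to `jeet/disk-config.nix` (same blob `d1a1d90`), including the stale example header describing a 2G `/dev/sda2`; keep one shared `disk-config.nix` under `hosts/cloud/` and import it from both hosts instead of maintaining two copies. Whichever copy survives, replace the example table with a comment matching the declared 1M BIOS-boot / 500M ESP / ext4-root layout.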
@@ -0,0 +1,20 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/cloud/sing/init.nix b/hosts/cloud/sing/init.nix new file mode 100644 index 0000000..361fac8 --- /dev/null +++ b/hosts/cloud/sing/init.nix 
@@ -0,0 +1,42 @@ +{ modulesPath, config, lib, pkgs, ... }: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/profiles/qemu-guest.nix") + ./disk-config.nix + ]; + + # boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.loader.grub = { + # no need to set devices, disko will add all devices that have a EF02 partition to the list already + # devices = [ ]; + efiSupport = true; + efiInstallAsRemovable = true; + }; + services.openssh = { + enable = true; + }; + + users.users.root.initialHashedPassword = "$y$j9T$pCnKvY2ASrwPgAlZhqK9A/$Ro7mKqBTHjKhn5GN82fEUBNnUrdP.SxN9bBIl7QxY./"; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q" + ]; + users.users.y = { + group = "users"; + isNormalUser = true; + extraGroups = [ + "systemd-journal" + "wheel" + "networkmanager" + "input" + "uinput" + "docker" + ]; + createHome = true; + home = "/home/y"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" + ]; + }; + + system.stateVersion = "23.11"; +} diff --git a/hosts/cloud/sing/jellyfin.nix b/hosts/cloud/sing/jellyfin.nix new file mode 100644 index 0000000..c9c8b9e --- /dev/null +++ b/hosts/cloud/sing/jellyfin.nix @@ -0,0 +1,7 @@ +{ config, pkgs, ... }: { + + services.jellyfin = { + enable = true; + openFirewall = true; + }; +} diff --git a/hosts/cloud/sing/mail.key b/hosts/cloud/sing/mail.key new file mode 100644 index 0000000..ece0485 --- /dev/null +++ b/hosts/cloud/sing/mail.key @@ -0,0 +1 @@ +$2b$05$iw93ciS7B.5DfqxQ4XcAVuXF5d9qksmlg0I7FmMMa8vb1JIxN1f1e diff --git a/hosts/cloud/sing/mail.nix b/hosts/cloud/sing/mail.nix new file mode 100644 index 0000000..09a070d --- /dev/null +++ b/hosts/cloud/sing/mail.nix 
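Review bot: `users.users.root.initialHashedPassword` commits a root password hash to the repository; yescrypt is slow to crack, but the hash is now permanently in history, so treat that password as burned and, since root already has a key in `openssh.authorizedKeys.keys`, set `initialHashedPassword = "!"` or leave it unset. User `y` is also put in `docker`, which is root-equivalent on the host — acceptable for an installer bootstrap, but it should be a deliberate choice in users.nix rather than inherited from init. `services.openssh.enable = true` here leaves password authentication at its default; if this module is ever used past first boot, add `settings.PasswordAuthentication = false;`.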
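Review bot: `openFirewall = true` exposes Jellyfin's plaintext HTTP port (8096, plus its discovery UDP ports) directly on a host that already runs nginx with ACME; the usual setup keeps the firewall closed and fronts Jellyfin with a TLS vhost proxying to `127.0.0.1:8096`. If direct exposure is intended for now, say so, e.g. `# Jellyfin reachable on :8096 without TLS — reverse proxy TODO`.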
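Review bot: `mail.key` is a bcrypt hash with cost `05`, well below the usual 10–12, and it is now committed to git where it can be cracked offline at leisure; mail.nix points eleven accounts at this one file, so a single weak password guards every mailbox including `admin@` ("legal and banking"). Regenerate per-account hashes with a higher cost, e.g. `mkpasswd -m bcrypt -R 12`, deploy them outside the repository (a secrets tool or a root-only path), and rotate the current password.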
@@ -0,0 +1,68 @@ +{ + mailserver = { + enable = true; + fqdn = "mail.sortug.com"; + domains = [ "sortug.com" ]; + + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + loginAccounts = { + "zh@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "jp@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "th@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "bd@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "info@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "admin@sortug.com" = { # legal and banking + hashedPasswordFile = "/home/y/mail.key"; + }; + "internal@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "billing@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "polwex@sortug.com" = { + hashedPasswordFile = "/home/y/mail2.key"; + }; + "kinode@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "hosting@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "support@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + }; + + # Use Let's Encrypt certificates. Note that this needs to set up a stripped + # down nginx and opens port 80. + certificateScheme = "acme-nginx"; + }; + security.acme.acceptTerms = true; + security.acme.defaults.email = "security@sortug.com"; + # services.roundcube = { + # enable = true; + # # this is the url of the vhost, not necessarily the same as the fqdn of + # # the mailserver + # hostName = "mail.sortug.com"; + # extraConfig = '' + # # starttls needed for authentication, so the fqdn required to match + # # the certificate + # $config['smtp_server'] = "tls://${config.mailserver.fqdn}"; + # $config['smtp_user'] = "%u"; + # $config['smtp_pass'] = "%p"; + # ''; + # }; + services.nginx.enable = true; +} diff --git a/hosts/cloud/sing/mail2.key b/hosts/cloud/sing/mail2.key new file mode 100644 index 0000000..ba2fd93 
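Review bot: All `loginAccounts` except `polwex@sortug.com` use `hashedPasswordFile = "/home/y/mail.key"`, so one password opens every mailbox, including the `admin@sortug.com` box the comment marks as "legal and banking"; give each account its own hash file. Those files also live in `/home/y`, which the `y` account can write to, so whoever holds that account can swap the mail credentials at will; a root-owned directory outside any home (somewhere under `/var/lib/`, for example) is the better location. omail.nix (L36–L37) re-declares the same `mailserver` block with `polwex@sortug.com` on `mail.key` instead of `mail2.key`, which would be a conflicting definition if both modules were ever imported together, so one of the two files should be removed or one should import the other.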
--- /dev/null
+++ b/hosts/cloud/sing/mail2.key
@@ -0,0 +1 @@
+$2b$05$RDNpiqLeEGZjCb0z13R0tenPIr/r1ps1LPmIbGRkdSSmvFwgCVm6i
diff --git a/hosts/cloud/sing/nginx.nix b/hosts/cloud/sing/nginx.nix
new file mode 100644
index 0000000..501c4ee
--- /dev/null
+++ b/hosts/cloud/sing/nginx.nix
@@ -0,0 +1,129 @@ +{ config, pkgs, ... }: { + + security.acme.acceptTerms = true; + security.acme.defaults.email = "security@urbit.cam"; + services.nginx = { + enable = true; + virtualHosts."s.urbit.cam" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8081"; + # proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + extraConfig = '' + chunked_transfer_encoding off; + proxy_http_version 1.1; + proxy_buffering off; + proxy_cache off; + ''; + }; + virtualHosts."h.urbit.cam" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8080"; + proxyWebsockets = true; # needed if you need to use WebSocket + }; + }; + virtualHosts."f.urbit.cam" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8082"; + proxyWebsockets = true; # needed if you need to use WebSocket + }; + }; + virtualHosts."b.urbit.cam" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8083"; + proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + }; + virtualHosts."k.urbit.cam" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8084"; + proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + }; + virtualHosts."j.urbit.cam" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8096"; + proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + }; + 
virtualHosts."hls.urbit.cam" = { + enableACME = true; + forceSSL = true; + locations."/" = { + root = "/var/www/hls"; + extraConfig = '' + add_header Cache-control no-cache; + add_header Access-Control-Allow-Origin *; + types { + application/vnd.apple.mpegurl m3u8; + video/mp2t ts; + } + ''; + }; + }; + virtualHosts."leo.urbit.cam" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8090"; + # proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + extraConfig = '' + chunked_transfer_encoding off; + proxy_http_version 1.1; + proxy_buffering off; + proxy_cache off; + ''; + }; + virtualHosts."sayu.urbit.cam" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8091"; + # proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + extraConfig = '' + chunked_transfer_encoding off; + proxy_http_version 1.1; + proxy_buffering off; + proxy_cache off; + ''; + }; + }; +} diff --git a/hosts/cloud/sing/omail.nix b/hosts/cloud/sing/omail.nix new file mode 100644 index 0000000..ccbc847 --- /dev/null +++ b/hosts/cloud/sing/omail.nix 
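Review bot: Each proxied vhost sets `proxy_set_header Forwarded $proxy_add_x_forwarded_for;` but never `X-Forwarded-For` or `X-Forwarded-Proto`, so the backends receive a malformed `Forwarded` header (RFC 7239 expects `for=` pairs, not a bare address list) while any client-supplied `X-Forwarded-For` passes through untouched, which lets a client choose the source address a backend logs or rate-limits on. sortug/nginx.nix (L48–L49) carries the same lines. Replace the `Forwarded` line with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;`, or set `services.nginx.recommendedProxySettings = true;` once and delete the per-location headers. The `hls.urbit.cam` root serves `/var/www/hls` with `Access-Control-Allow-Origin *`, which is appropriate only for public content, so a one-line comment stating that intent would save the next reader a question.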
@@ -0,0 +1,79 @@ +{ config, lib, ... }: { + imports = [ + (builtins.fetchTarball { + # Pick a release version you are interested in and set its hash, e.g. + url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz"; + # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command: + # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack + sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8"; + }) + ]; + + services.dovecot2.sieve.extensions = [ "fileinto" ]; + mailserver = { + enable = true; + fqdn = "mail.sortug.com"; + domains = [ "sortug.com" ]; + + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + loginAccounts = { + "zh@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "jp@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "th@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "bd@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "info@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "admin@sortug.com" = { # legal and banking + hashedPasswordFile = "/home/y/mail.key"; + }; + "internal@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "billing@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "polwex@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "kinode@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "hosting@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + "support@sortug.com" = { + hashedPasswordFile = "/home/y/mail.key"; + }; + }; + + # Use Let's Encrypt certificates. Note that this needs to set up a stripped + # down nginx and opens port 80. 
+ certificateScheme = "acme-nginx"; + }; + security.acme.acceptTerms = true; + security.acme.defaults.email = lib.mkForce "security@sortug.com"; + services.roundcube = { + enable = true; + # this is the url of the vhost, not necessarily the same as the fqdn of + # the mailserver + hostName = "mail.sortug.com"; + extraConfig = '' + # starttls needed for authentication, so the fqdn required to match + # the certificate + $config['smtp_server'] = "tls://${config.mailserver.fqdn}"; + $config['smtp_user'] = "%u"; + $config['smtp_pass'] = "%p"; + ''; + }; + services.nginx.enable = true; +} diff --git a/hosts/cloud/sing/packages.nix b/hosts/cloud/sing/packages.nix new file mode 100644 index 0000000..6985acb --- /dev/null +++ b/hosts/cloud/sing/packages.nix @@ -0,0 +1,53 @@ +{ config, pkgs, ... }: + +{ + nixpkgs.config = { + allowUnfree = true; + }; + + environment.systemPackages = with pkgs; [ + neovim + fish + # unix utilities + tmux + bat # cat replacement written in Rust + colordiff + direnv # Per-directory environment variables + lsd + fd # find replacement written in Rust + fzf # Fuzzy finder + git + glibcLocales + gnumake + htop # Resource monitoring + jq # JSON parsing for the CLI + lsof + ripgrep # grep replacement written in Rust + sd # Fancy sed replacement + silver-searcher + skim # High-powered fuzzy finder written in Rust + strace # debug stack trace + tealdeer # tldr for various shell tools + testdisk + tokei # Handy tool to see lines of code by language + watchexec # Fileystem watcher/executor useful for speedy development + xsv # CSV file parsing utility + just # Intriguing new make replacement + mdcat # Markdown converter/reader for the CLI + tree + unzip + zip + + # networking + curl + caddy # simple web server made with go + innernet + + # s3 + minio + # databases + # postgresql + # sqlite + ]; +} + diff --git a/hosts/cloud/sing/users.nix b/hosts/cloud/sing/users.nix new file mode 100644 index 0000000..4d455ee --- /dev/null 
+++ b/hosts/cloud/sing/users.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+ };
+
+ users = {
+ users = {
+ y = {
+ hashedPassword = "$y$j9T$KLRxiAIFO2yLoalaeSmjg/$ZzEQbGvVmRJ6gESNxNuRchNcx0V01QpCxnJVv5pdk/B";
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ ];
+ createHome = true;
+ home = "/home/y";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+ };
+ };
+ };
+}
+
+
+
diff --git a/hosts/cloud/sortug/configuration.nix b/hosts/cloud/sortug/configuration.nix
new file mode 100644
index 0000000..da267f6
--- /dev/null
+++ b/hosts/cloud/sortug/configuration.nix
@@ -0,0 +1,90 @@ +{ modulesPath, lib, ... }: +{ + imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [ + ./hardware-configuration.nix + (modulesPath + "/installer/scan/not-detected.nix") + ./gitea.nix + ./nginx.nix + ./minio.nix + # ./coturn.nix + ./disk-config.nix + # ./mail.nix + ]; + + + boot = { + loader.grub.enable = true; + # loader.grub.device = "/dev/sda"; + }; + + services.openssh = { + enable = true; + passwordAuthentication = false; + ports = [5522]; + }; + + users.users.root.openssh.authorizedKeys.keys = + [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ]; + + services.do-agent.enable = true; + networking = { + firewall.enable = false; + networkmanager.enable = true; + hostName = "sortug"; # use Digital Ocean metadata server + useDHCP = false; + interfaces.enp3s0.ipv4.addresses = [ + {address = "209.182.234.186"; prefixLength = 24;} + ]; + interfaces.enp3s0.ipv6.addresses = [ + {address = "2602:ff16:14:0:1:f7:0:1"; prefixLength = 64;} + ]; + defaultGateway = { + address = "209.182.234.1"; + interface = "enp3s0"; + }; + defaultGateway6 = { + address = "2602:ff16:14::1"; + interface = "enp3s0"; + }; + nameservers = [ + "8.8.8.8" + "8.8.4.4" + "2001:4860:4860::8888" + "2001:4860:4860::8844" + ]; + }; + + # curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-23.11 bash -x + + services.resolved = { + enable = true; + domains = + [ "2001:4860:4860::8888" "2001:4860:4860::8844" ]; + }; + + # networking.firewall = { + # enable = true; + # allowedTCPPorts = [ 40308 80 443 53 51820 5522 ]; + # allowedUDPPorts = [ 40308 80 443 53 51820 5522 + # 50000 + # 50001 + # 50002 + # 50003 + # 50004 + # 50005 + # 50006 + # 50007 + # 50008 + # 50009 + # 50010 + # ]; + # }; + services.ntfy-sh = { + enable = true; + settings = { + base-url = "https://ntfy.sortug.com"; + listen-http = ":8099"; + }; + }; + system.stateVersion = "24.05"; # Did you read 
the comment?
+}
diff --git a/hosts/cloud/sortug/coturn.nix b/hosts/cloud/sortug/coturn.nix
new file mode 100644
index 0000000..aaf097c
--- /dev/null
+++ b/hosts/cloud/sortug/coturn.nix
@@ -0,0 +1,60 @@
+{ ... }:
+
+{
+ services.coturn = {
+ enable = true;
+ lt-cred-mech = true;
+ # use-auth-secret = true;
+ # static-auth-secret = "GHhc4i7Hwto0KxoDgNioYgWgkc1iLbEE8t45G6voTzD07vKvFsK6R4b8kShVZEhC";
+ realm = "turn.sortug.com";
+ # relay-ips = [
+ # "<public-server-ip>"
+ # ];
+ # no-tcp-relay = true;
+ extraConfig = "
+ cipher-list=\"HIGH\"
+ no-loopback-peers
+ no-multicast-peers
+ ";
+ # secure-stun = true;
+ cert = "/var/lib/acme/turn.sortug.com/fullchain.pem";
+ pkey = "/var/lib/acme/turn.sortug.com/key.pem";
+ min-port = 49152;
+ max-port = 49999;
+ };
+
+ # Open ports in the firewall.
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ allowedTCPPorts = [
+ 5349 # STUN tls
+ 5350 # STUN tls alt
+ 80 # http
+ 443 # https
+ ];
+ allowedUDPPortRanges = [
+ { from=49152; to=49999; } # TURN relay
+ ];
+ };
+
+ # setup certs
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "turn.sortug.com" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ users.groups.turnserver.members = ["nginx" "coturn"];
+
+ # share certs with coturn and restart on renewal
+ security.acme.certs = {
+ "turn.sortug.com" = {
+ postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
+ };
+ };
+}
+
diff --git a/hosts/cloud/sortug/default.nix b/hosts/cloud/sortug/default.nix
new file mode 100644
index 0000000..0307c7b
--- /dev/null
+++ b/hosts/cloud/sortug/default.nix
@@ -0,0 +1,3 @@
+inputs: [
+ ./configuration.nix
+]
diff --git a/hosts/cloud/sortug/disk-config.nix b/hosts/cloud/sortug/disk-config.nix
new file mode 100644
index 0000000..75ae234
--- /dev/null
+++ b/hosts/cloud/sortug/disk-config.nix
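Review bot: `networking.firewall.enable = false` together with `services.ntfy-sh.settings.listen-http = ":8099"` leaves ntfy listening on every interface in plaintext, so the `forceSSL` vhost in nginx.nix can be bypassed by connecting to port 8099 directly, and the same applies to any other service whose default bind is all interfaces (gitea's port 3000, proxied from nginx.nix, presumably among them). Change it to `listen-http = "127.0.0.1:8099";` and re-enable the firewall using the commented allow-list (sshd's `ports = [5522]` is opened automatically by the openssh module). `services.resolved.domains` is handed the two Google IPv6 addresses, but that option takes search domains, not resolver addresses; since the addresses are already in `networking.nameservers`, the `domains` attribute should simply be dropped. `passwordAuthentication = false` is the pre-23.05 option name and survives only via a renamed-option alias; on a 24.05 system write `settings.PasswordAuthentication = false;`.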
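Review bot: The commented-out `# static-auth-secret = "GHhc4i7…"` still commits a TURN shared secret to the repository; commenting does not unpublish it, so rotate the secret and keep the replacement out of git (the module's `static-auth-secret-file` option, if this release provides it, or a root-owned file delivered by a secrets module — confirm which applies). With `lt-cred-mech = true` and no user list, nothing can authenticate, which fails closed but means the service is inert until credentials arrive from somewhere. Consider adding `denied-peer-ip=` ranges for RFC 1918 space and the link-local metadata address alongside the existing `no-loopback-peers`, so an authenticated client cannot be relayed into networks the host can reach but the public cannot. This module also sets `networking.firewall.enable = true` while configuration.nix (L39–L40) sets it to `false`, a conflicting definition if both are imported — presumably why the import is commented out; the firewall block here is the better of the two.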
@@ -0,0 +1,56 @@ +# Example to create a bios compatible gpt partition +{ lib, ... }: +{ + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "root"; + size = "100%"; + content = { + type = "lvm_pv"; + vg = "pool"; + }; + }; + }; + }; + }; + lvm_vg = { + pool = { + type = "lvm_vg"; + lvs = { + root = { + size = "100%FREE"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/cloud/sortug/fetch/configuration.nix b/hosts/cloud/sortug/fetch/configuration.nix new file mode 100644 index 0000000..11b56bc --- /dev/null +++ b/hosts/cloud/sortug/fetch/configuration.nix 
@@ -0,0 +1,126 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ config, lib, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + # networking.hostName = "nixos"; # Define your hostname. + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + + # Set your time zone. + # time.timeZone = "Europe/Amsterdam"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkb.options in tty. + # }; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + + + + + # Configure keymap in X11 + # services.xserver.xkb.layout = "us"; + # services.xserver.xkb.options = "eurosign:e,caps:escape"; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + # hardware.pulseaudio.enable = true; + # OR + # services.pipewire = { + # enable = true; + # pulse.enable = true; + # }; + + # Enable touchpad support (enabled default in most desktopManager). 
+ # services.xserver.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + # users.users.alice = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # packages = with pkgs; [ + # firefox + # tree + # ]; + # }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + # environment.systemPackages = with pkgs; [ + # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + # wget + # ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. 
+ # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? + +} + diff --git a/hosts/cloud/sortug/fetch/hardware-configuration.nix b/hosts/cloud/sortug/fetch/hardware-configuration.nix new file mode 100644 index 0000000..119faaf --- /dev/null +++ b/hosts/cloud/sortug/fetch/hardware-configuration.nix @@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/cloud/sortug/gitea.nix b/hosts/cloud/sortug/gitea.nix new file mode 100644 index 0000000..a25773a --- /dev/null +++ b/hosts/cloud/sortug/gitea.nix 
@@ -0,0 +1,27 @@ +{ config, ...}: +{ + services.gitea = { + enable = true; + user = "git"; + appName = "Sortug Git"; + settings.server = { + domain = "git.sortug.com"; + ROOT_URL = "https://git.sortug.com/"; + SSH_PORT = 5522; + }; + lfs.enable = true; + }; + + users.users = { + git = { + description = "Gitea Service"; + home = "/var/lib/gitea"; + useDefaultShell = true; + group = "gitea"; + isSystemUser = true; + }; + }; + + + +} diff --git a/hosts/cloud/sortug/hardware-configuration.nix b/hosts/cloud/sortug/hardware-configuration.nix new file mode 100644 index 0000000..f219647 --- /dev/null +++ b/hosts/cloud/sortug/hardware-configuration.nix @@ -0,0 +1,17 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/cloud/sortug/hardware2.nix b/hosts/cloud/sortug/hardware2.nix new file mode 100644 index 0000000..beece7b --- /dev/null +++ b/hosts/cloud/sortug/hardware2.nix 
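Review bot: `settings.server.domain` is lowercase while Gitea's app.ini key is `DOMAIN`, and the neighbouring `ROOT_URL` and `SSH_PORT` are uppercase; unless the ini loader is case-insensitive this setting is ignored and clone URLs fall back to the default host, so write `DOMAIN = "git.sortug.com";`. Nothing pins `HTTP_ADDR`, so Gitea presumably listens on all interfaces on port 3000, and sortug/configuration.nix (L39–L40) disables the firewall, so the instance is reachable in plaintext beside the TLS proxy in nginx.nix; add `HTTP_ADDR = "127.0.0.1";` under `settings.server`. If the forge is meant to be private, `settings.service.DISABLE_REGISTRATION = true;` should be set explicitly, since the default permits open sign-up. The custom `git` user is given `group = "gitea"` while `services.gitea.group` is left at its default; a comment noting that the two are intended to match would help the next reader.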
@@ -0,0 +1,29 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + swapDevices = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/bb9bdf23-2368-4452-988d-8b82e64b7fc4"; + fsType = "ext4"; + }; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/cloud/sortug/legacy.nix b/hosts/cloud/sortug/legacy.nix new file mode 100644 index 0000000..98348ee --- /dev/null +++ b/hosts/cloud/sortug/legacy.nix @@ -0,0 +1,40 @@ +{ + disko.devices = { + disk = { + vdb = { + device = "/dev/sda"; + type = "disk"; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "ESP"; + start = "1M"; + end = "500M"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + start = "500M"; + end = "100%"; + part-type = "primary"; + bootable = true; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + } + ]; + }; + }; + }; + }; +} + diff --git a/hosts/cloud/sortug/minio.nix b/hosts/cloud/sortug/minio.nix new file mode 100644 index 0000000..13a5ff5 
--- /dev/null
+++ b/hosts/cloud/sortug/minio.nix
@@ -0,0 +1,9 @@
+{...}: {
+
+ services.minio = {
+ enable = true;
+ listenAddress = "127.0.0.1:9000";
+ consoleAddress = "127.0.0.1:9001";
+ rootCredentialsFile = /etc/nixos/minio-creds;
+ };
+}
diff --git a/hosts/cloud/sortug/nginx.nix b/hosts/cloud/sortug/nginx.nix
new file mode 100644
index 0000000..a3e5a85
--- /dev/null
+++ b/hosts/cloud/sortug/nginx.nix
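Review bot: `rootCredentialsFile = /etc/nixos/minio-creds;` is a Nix path literal rather than a string, and a path that is interpolated into a derivation or unit text is copied into the world-readable `/nix/store`, which would expose the MinIO root access key and secret to every local user (and to any binary cache the closure is pushed to); whether this module interpolates it or passes it through `toString` is not visible here, so check the built unit for a `/nix/store/…-minio-creds` reference. Quoting it, `rootCredentialsFile = "/etc/nixos/minio-creds";`, removes the ambiguity: only the path string is recorded and the file is read at service start. Keep that file root-owned and mode 0600 — if the module wires it in as an `EnvironmentFile`, systemd reads it as PID 1, so the `minio` service user needs no access — and since `/etc/nixos` is often the git checkout itself, make sure the file is not committed next to this module.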
@@ -0,0 +1,124 @@ +{ ... }: { + + security.acme.acceptTerms = true; + security.acme.defaults.email = "security@sortug.com"; + services.nginx = { + enable = true; + virtualHosts."sortug.com" = { + enableACME = true; + forceSSL = true; + root = "/var/www/sortug"; + # root = "/home/y/www"; + }; + virtualHosts."cal.sortug.com" = { + enableACME = true; + forceSSL = true; + root = "/var/www/sorcal"; + # root = "/home/y/www"; + }; + virtualHosts."git.sortug.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + proxyWebsockets = true; # needed if you need to use WebSocket + }; + }; + virtualHosts."u.sortug.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8082"; + proxyWebsockets = true; # needed if you need to use WebSocket + }; + }; + virtualHosts."p.sortug.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8083"; + # proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + extraConfig = '' + proxy_http_version 1.1; + chunked_transfer_encoding off; + proxy_buffering off; + proxy_cache off; + ''; + }; + virtualHosts."ntfy.sortug.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8099"; + proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header Forwarded $proxy_add_x_forwarded_for; + ''; + }; + extraConfig = '' + proxy_http_version 1.1; + chunked_transfer_encoding off; + proxy_buffering off; + proxy_cache off; + ''; + }; + virtualHosts."ustj.sortug.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8085"; + # proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_set_header Host $host; + 
proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ proxy_http_version 1.1;
+ chunked_transfer_encoding off;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ virtualHosts."s3.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $Host;
+ '';
+ # actually important
+ };
+ };
+ virtualHosts."s3c.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9001";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $Host;
+ '';
+ };
+ };
+ # proxy_http_version 1.1;
+ # proxy_set_header Upgrade $http_upgrade;
+ # proxy_set_header Connection "Upgrade";
+ virtualHosts."urbit.s3.sortug.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ };
+ };
+ };
+}
diff --git a/hosts/cloud/sortug/packages.nix b/hosts/cloud/sortug/packages.nix
new file mode 100644
index 0000000..6985acb
--- /dev/null
+++ b/hosts/cloud/sortug/packages.nix
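Review bot: The `s3.sortug.com` and `s3c.sortug.com` locations write `proxy_set_header Host $Host;` with a capitalised variable name, unlike `$host` in every other vhost; nginx documents its core variables in lowercase, so use `$host` — if variable lookup is case-sensitive the capitalised form fails at config load, and if it is not, the inconsistency is still confusing. The bare `# actually important` under that block does not say what is important; something like `# MinIO validates S3 request signatures, which cover the Host header, so it must reach the backend unchanged` would tell the next reader what breaks if the line is removed — confirm that is indeed the reason. `urbit.s3.sortug.com` proxies to the same MinIO listener without passing Host, so if the signature concern holds it should get the same header.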
@@ -0,0 +1,53 @@ +{ config, pkgs, ... }: + +{ + nixpkgs.config = { + allowUnfree = true; + }; + + environment.systemPackages = with pkgs; [ + neovim + fish + # unix utilities + tmux + bat # cat replacement written in Rust + colordiff + direnv # Per-directory environment variables + lsd + fd # find replacement written in Rust + fzf # Fuzzy finder + git + glibcLocales + gnumake + htop # Resource monitoring + jq # JSON parsing for the CLI + lsof + ripgrep # grep replacement written in Rust + sd # Fancy sed replacement + silver-searcher + skim # High-powered fuzzy finder written in Rust + strace # debug stack trace + tealdeer # tldr for various shell tools + testdisk + tokei # Handy tool to see lines of code by language + watchexec # Fileystem watcher/executor useful for speedy development + xsv # CSV file parsing utility + just # Intriguing new make replacement + mdcat # Markdown converter/reader for the CLI + tree + unzip + zip + + # networking + curl + caddy # simple web server made with go + innernet + + # s3 + minio + # databases + # postgresql + # sqlite + ]; +} + diff --git a/hosts/cloud/sortug/users.nix b/hosts/cloud/sortug/users.nix new file mode 100644 index 0000000..b3515c1 --- /dev/null +++ b/hosts/cloud/sortug/users.nix 
@@ -0,0 +1,56 @@ +{ config, pkgs, ... }: + + +let shellAliases = { + l = "lsd -lAh"; + la = "lsd -lAh"; + ports = "sudo lsof -i -P -n | grep LISTEN"; + gco = "git checkout"; + gcob = "git checkout -b"; +}; + +in { + programs.fish = { + inherit shellAliases; + enable = true; +# plugins = [{ +# name="foreign-env"; +# src = pkgs.fetchFromGitHub { +# owner = "oh-my-fish"; +# repo = "plugin-foreign-env"; +# rev = "dddd9213272a0ab848d474d0cbde12ad034e65bc"; +# sha256 = "00xqlyl3lffc5l0viin1nyp819wf81fncqyz87jx8ljjdhilmgbs"; +# }; +# }]; +}; + + users = { + extraUsers = { + y = { + group = "users"; + isNormalUser = true; + extraGroups = [ + "systemd-journal" + "wheel" + ]; + createHome = true; + home = "/home/y"; + isSystemUser = false; + shell = pkgs.fish; + openssh.authorizedKeys.keys = + [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ]; + }; +# urbit = { +# group = "users"; +# isNormalUser = true; +# createHome = true; +# isSystemUser = false; +# openssh.authorizedKeys.keys = +# [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/VzXbaX1CLqQfPCkRdMHzAKsbS//2B0qlw3ROnR74tgl7jrBP2qeYhydcNECqC5WWO+KLZrbOWdVLATLW6z6oLlMx6E6WCfRVx/F7coMd/FBYqHwJ2Z1PbG0YSjWH07GyVYU2Nc9HfW459aXpGQ2LlTjYP14i7DqvSesCIkfbPfHzwAkyDxj4oIMXS3LMQlh4u69YKoXS/LPU+1Qv+bT5alRc2Uw+/9/q1IfDDxIiKqt3EVNEM6p5QssXtlFhk0+7zXRApWbpYLbjAVHDHbFoPAXeKLQvpgnz1K84fOGNlXj9nISYfDba8NVWQbetKnVxmQNDUKk3jOcBFmjgHvYv pkova@Pyrys-MacBook-Pro.local" ]; +# }; + }; + }; +} + + + diff --git a/hosts/cloud/spanm/configuration.nix b/hosts/cloud/spanm/configuration.nix new file mode 100644 index 0000000..0ec8bf2 --- /dev/null +++ b/hosts/cloud/spanm/configuration.nix 
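Review bot: `users.extraUsers` is the legacy alias of `users.users`; sing/users.nix (L38) already uses `users.users`, so this file should match rather than lean on the alias. The commented-out `urbit` block still carries a third party's complete `ssh-rsa` key with a personal hostname in its comment; a public key is not a secret, but dormant access grants left in comments tend to be re-enabled without review, so either delete the block or reduce it to a placeholder. `isSystemUser = false;` beside `isNormalUser = true;` is redundant, since the two options are mutually exclusive.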
@@ -0,0 +1,66 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "spanmail"; # Define your hostname.
+ #
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ networking.interfaces.ens160.ipv4.addresses = [ {
+ address = "185.32.214.66";
+ prefixLength = 22;
+ } ];
+ networking.defaultGateway = "185.32.212.1";
+
+ networking.nameservers = [ "185.32.212.3" ];
+
+ # Set your time zone.
+ time.timeZone = "Europe/Zurich";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKD2DxTdE7vekp+BTifuB9gPoIPdaFSGkgVblA5MbTh"
+];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+}
diff --git a/hosts/cloud/spanm/flake.lock b/hosts/cloud/spanm/flake.lock
new file mode 100644
index 0000000..6bc7bd0
--- /dev/null
+++ b/hosts/cloud/spanm/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1704008649,
+ "narHash": "sha256-rGPSWjXTXTurQN9beuHdyJhB8O761w1Zc5BqSSmHvoM=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d44d59d2b5bd694cd9d996fd8c51d03e3e9ba7f7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/hosts/cloud/spanm/flake.nix b/hosts/cloud/spanm/flake.nix
new file mode 100644
index 0000000..b801212
--- /dev/null
+++ b/hosts/cloud/spanm/flake.nix
@@ -0,0 +1,16 @@
+{
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+
+ outputs = { nixpkgs, ... }:
+ {
+ nixosConfigurations.spanmail = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./configuration.nix
+ ./users.nix
+ ./packages.nix
+ ./mail.nix
+ ];
+ };
+ };
+}
diff --git a/hosts/cloud/spanm/hardware-configuration.nix b/hosts/cloud/spanm/hardware-configuration.nix
new file mode 100644
index 0000000..fad27b2
--- /dev/null
+++ b/hosts/cloud/spanm/hardware-configuration.nix
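Review bot: `networking.firewall.enable = false;` on a host given the public static address 185.32.214.66, with sshd enabled and (in the same commit) a mail server and nginx layered on top, leaves every listening socket reachable from the internet; the commented-out `allowedTCPPorts` line above it is the right shape, e.g. `networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 22 25 80 443 465 587 993 ];` (constructed list, trim to what the mail stack actually binds). `services.openssh.enable = true;` alone leaves password and keyboard-interactive authentication at their NixOS defaults even though access is clearly meant to be key-only (root has an authorized key and the users have no passwords); add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. Root key login itself is fine under the default `PermitRootLogin = "prohibit-password"`, but it is worth stating that default explicitly next to the key so the intent survives a future nixpkgs change.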
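Review bot: `modules` lists configuration, users, packages and mail but not `./nginx.nix`, although that file is added in this same commit and defines the spandrell.ch, u.spandrell.ch and s3.spandrell.ch virtual hosts; unless something outside this commit imports it, those vhosts and their ACME certificates are never built. If it is meant to be live, append `./nginx.nix` to the list; if it is a draft, a comment saying so would stop the next reader from hunting for the import. Separately, the input tracks `nixpkgs-unstable` while configuration.nix sets `system.stateVersion = "23.11"` and mail.nix fetches the `nixos-23.11` nixos-mailserver release; the mailserver branches are cut per NixOS release, so evaluating them against unstable may break on the next `nix flake update` — pinning `github:NixOS/nixpkgs/nixos-23.11` would keep the two aligned.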
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "ahci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/7a5731fc-56f0-4ce5-9dbe-dec8d1ba25db";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/066C-4E19";
+ fsType = "vfat";
+ };
+ swapDevices = [ {
+ device = "/var/lib/swapfile";
+ size = 4*1024;
+ } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens160.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/cloud/spanm/mail.nix b/hosts/cloud/spanm/mail.nix
new file mode 100644
index 0000000..d020fec
--- /dev/null
+++ b/hosts/cloud/spanm/mail.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, ... }: {
+ imports = [
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz";
+ # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
+ # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
+
+ sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8";
+ })
+ ];
+
+ services.dovecot2.sieve.extensions = [ "fileinto" ];
+ mailserver = {
+ enable = true;
+ fqdn = "mail.spandrell.ch";
+ domains = [ "spandrell.ch" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "s@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "book@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "site@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "lol@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "sub@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "security@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "parallax@spandrell.ch" = {
+ hashedPassword = "$2y$12$RVCKyEwpPmQLznKOgtXiBOR3nRy5aT3rFMtypJiDe6xFPfi/r3TXq";
+ };
+ "finnem@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/finnem.key";
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@spandrell.ch";
+ services.roundcube = {
+ enable = true;
+ # this is the url of the vhost, not necessarily the same as the fqdn of
+ # the mailserver
+ hostName = "mail.spandrell.ch";
+ extraConfig = ''
+ # starttls needed for authentication, so the fqdn required to match
+ # the certificate
+ $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+ services.nginx.enable = true;
+}
diff --git a/hosts/cloud/spanm/nginx.nix b/hosts/cloud/spanm/nginx.nix
new file mode 100644
index 0000000..cda5ab4
--- /dev/null
+++ b/hosts/cloud/spanm/nginx.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }: {
+
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ limit_req_zone $binary_remote_addr zone=blog:10m rate=10r/s;
+ '';
+ virtualHosts."spandrell.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ limit_req zone=blog burst=20 nodelay;
+ proxy_set_header Host $Host;
+ proxy_set_header Forwarded for=$remote_addr;
+ '';
+ };
+ };
+ virtualHosts."u.spandrell.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8081";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ limit_req zone=blog burst=20 nodelay;
+ proxy_set_header Host $Host;
+ proxy_set_header Forwarded for=$remote_addr;
+ '';
+ };
+ };
+ virtualHosts."s3.spandrell.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $Host;
+ '';
+ };
+ };
+ };
+}
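Review bot: `parallax@spandrell.ch` carries its bcrypt hash inline (`hashedPassword = "$2y$12$…"`) while every other account uses `hashedPasswordFile`; a hash checked into the repo is exposed to offline guessing by anyone who can read the history, so move it to a file like the rest (the same concern applies to the `$y$` hash for user `y` in hosts/cloud/users.nix, where `users.users.<name>.hashedPasswordFile` is the equivalent). Six mailboxes, `security@` included, point at the same `/home/span/mail.key`, which makes them a single shared credential; if that is not deliberate, give each account its own file. Both key files live under `/home/span`, so whatever reads them for the mail server needs access into that home directory — a comment such as `# mail.key / finnem.key must be readable by the mailserver user; keep mode 0640 or tighter` would record the expectation. The function started on L55 continues into this hunk; nothing else is cut.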
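Review bot: `proxy_set_header Host $Host;` appears in all three vhosts with a capitalised variable name; nginx resolves variable names case-insensitively as far as I can tell, so it works, but the documented variable is `$host` and a reader will assume a typo — write `proxy_set_header Host $host;`. Only `Forwarded` is set for the backend, so any `X-Forwarded-For` / `X-Forwarded-Proto` a client sends is passed through unchanged to 127.0.0.1:8080/8081/9000; if those applications trust the X-Forwarded-* family (most do), set them here explicitly with `proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme;` or confirm the apps only read `Forwarded`. The `blog` zone is shared by spandrell.ch and u.spandrell.ch, so a client's requests to one count against its budget on the other; a one-line comment on `limit_req_zone` would make that sharing look intentional.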
diff --git a/hosts/cloud/spanm/packages.nix b/hosts/cloud/spanm/packages.nix
new file mode 100644
index 0000000..6574071
--- /dev/null
+++ b/hosts/cloud/spanm/packages.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ helix
+ fish
+ # unix utilities
+ tmux
+ bat # cat replacement written in Rust
+ colordiff
+ direnv # Per-directory environment variables
+ lsd
+ fd # find replacement written in Rust
+ fzf # Fuzzy finder
+ git
+ htop # Resource monitoring
+ jq # JSON parsing for the CLI
+ lsof
+ ripgrep # grep replacement written in Rust
+ sd # Fancy sed replacement
+ silver-searcher
+ strace # debug stack trace
+ tealdeer # tldr for various shell tools
+ testdisk
+ tokei # Handy tool to see lines of code by language
+ watchexec # Fileystem watcher/executor useful for speedy development
+ xsv # CSV file parsing utility
+ just # Intriguing new make replacement
+ mdcat # Markdown converter/reader for the CLI
+ tree
+ unzip
+ zip
+
+ # networking
+ curl
+ wget
+
+ minio
+ ncdu
+ ];
+}
+
diff --git a/hosts/cloud/spanm/users.nix b/hosts/cloud/spanm/users.nix
new file mode 100644
index 0000000..60e3a5a
--- /dev/null
+++ b/hosts/cloud/spanm/users.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+ };
+
+ users = {
+ users = {
+ span = {
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "networkmanager"
+ "systemd-journal"
+ "wheel"
+ ];
+ createHome = true;
+ home = "/home/span";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKD2DxTdE7vekp+BTifuB9gPoIPdaFSGkgVblA5MbTh"
+ ];
+ };
+ };
+ };
+}
+
+
+
diff --git a/hosts/cloud/users.nix b/hosts/cloud/users.nix
new file mode 100644
index 0000000..7fa3b07
--- /dev/null
+++ b/hosts/cloud/users.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+ };
+
+ users = {
+ users = {
+ y = {
+ hashedPassword = "$y$j9T$KLRxiAIFO2yLoalaeSmjg/$ZzEQbGvVmRJ6gESNxNuRchNcx0V01QpCxnJVv5pdk/B";
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ "nginx"
+ ];
+ createHome = true;
+ home = "/home/y";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+ };
+ };
+ };
+}
+
+
+
|
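Review bot: adding `y` to the `nginx` group grants an interactive shell account everything nginx's group can read; on NixOS the nginx and ACME modules usually leave certificate directories group-readable by `nginx`, so this likely extends read access to the TLS private keys, which is more than a login user needs. If the aim is to inspect nginx logs or reload the service, `systemd-journal` (already listed) covers the logs and a narrow sudo rule covers the reload; if the group really is required, a comment stating why (e.g. `# nginx group: needed to read /var/log/nginx — TODO confirm`) would stop the next reviewer from removing it. The remaining accounts in this commit are not in `nginx`, so the asymmetry looks unintended.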