Diffstat (limited to 'hosts/cloud/sing')
-rw-r--r--hosts/cloud/sing/configuration.nix38
-rw-r--r--hosts/cloud/sing/disk-config.nix52
-rw-r--r--hosts/cloud/sing/hardware-configuration.nix20
-rw-r--r--hosts/cloud/sing/init.nix42
-rw-r--r--hosts/cloud/sing/jellyfin.nix7
-rw-r--r--hosts/cloud/sing/mail.key1
-rw-r--r--hosts/cloud/sing/mail.nix68
-rw-r--r--hosts/cloud/sing/mail2.key1
-rw-r--r--hosts/cloud/sing/nginx.nix129
-rw-r--r--hosts/cloud/sing/omail.nix79
-rw-r--r--hosts/cloud/sing/packages.nix53
-rw-r--r--hosts/cloud/sing/users.nix40
12 files changed, 530 insertions, 0 deletions
diff --git a/hosts/cloud/sing/configuration.nix b/hosts/cloud/sing/configuration.nix
new file mode 100644
index 0000000..8428b10
--- /dev/null
+++ b/hosts/cloud/sing/configuration.nix
@@ -0,0 +1,38 @@
+{ modulesPath, pkgs, ... }:
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./disk-config.nix
+ ];
+ boot.loader.grub = {
+ efiSupport = true;
+ };
+
+ # enable flakes
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ settings = {
+ keep-outputs = true;
+ keep-derivations = true;
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ ports = [5522];
+ };
+ services.do-agent.enable = true;
+ networking = {
+ hostName = "yagonet-sing"; # use Digital Ocean metadata server
+ };
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 993 465 40308 80 443 53 51820 5522 ];
+ allowedUDPPorts = [ 993 465 40308 80 443 53 50000 50001 50002 50003 50004 50005 50006 50007 50008 50009 50010 51820 5522 ];
+ };
+}
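Review bot: The firewall block at the end of the hunk opens UDP for services that only speak TCP — 993, 465, 80, 443 and the SSH port 5522 all appear in `allowedUDPPorts` — and exposes 53 on both protocols although nothing in this change configures a DNS server. Trimming the UDP list to what actually listens on UDP (the 50000–50010 range and 51820 look like the intended entries; worth confirming against the services that use them) removes needless exposure and makes the intent legible, and if 53 is really needed a comment naming the resolver and whether it is restricted to known clients would help the next reader. Separately, `services.openssh.passwordAuthentication` is the pre-23.05 option name; on the 23.11 release that init.nix pins it appears to be a renamed alias that evaluates with a warning, so `settings.PasswordAuthentication = false;` is the current form.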
diff --git a/hosts/cloud/sing/disk-config.nix b/hosts/cloud/sing/disk-config.nix
new file mode 100644
index 0000000..d1a1d90
--- /dev/null
+++ b/hosts/cloud/sing/disk-config.nix
@@ -0,0 +1,52 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+# Disk /dev/sda: 200 GiB, 214748364800 bytes, 419430400 sectors
+# Disk model: QEMU HARDDISK
+# Units: sectors of 1 * 512 = 512 bytes
+# Sector size (logical/physical): 512 bytes / 512 bytes
+# I/O size (minimum/optimal): 512 bytes / 512 bytes
+# Disklabel type: gpt
+# Disk identifier: CED6435C-56EF-4699-BEE9-19280C444BCA
+#
+# Device Start End Sectors Size Type
+# /dev/sda1 2048 4095 2048 1M BIOS boot
+# /dev/sda2 4096 4194303 4190208 2G Linux filesystem
+# /dev/sda3 4194304 419428351 415234048 198G Linux filesystem
+#
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%"; # Allocates the remainder of the disk, minus the sizes of the other partitions
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+}
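Review bot: The fdisk-style header comment (the `/dev/sda1`–`/dev/sda3` table) describes a layout with a 2G second partition and no ESP, which does not match the partitions this file declares (1M BIOS boot, 500M ESP at `/boot`, ext4 root taking the rest), and the first line still reads `# Example to create a bios compatible gpt partition`. Either refresh the table to the declared layout or drop it, and replace the first line with something like `# GPT layout for the sing droplet: BIOS boot + ESP + ext4 root (see partitions below)`. A stale partition table in a disko file is worse than none, since the `device` named here is what disko formats.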
diff --git a/hosts/cloud/sing/hardware-configuration.nix b/hosts/cloud/sing/hardware-configuration.nix
new file mode 100644
index 0000000..04d76e5
--- /dev/null
+++ b/hosts/cloud/sing/hardware-configuration.nix
@@ -0,0 +1,20 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/cloud/sing/init.nix b/hosts/cloud/sing/init.nix
new file mode 100644
index 0000000..361fac8
--- /dev/null
+++ b/hosts/cloud/sing/init.nix
@@ -0,0 +1,42 @@
+{ modulesPath, config, lib, pkgs, ... }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./disk-config.nix
+ ];
+
+ # boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.loader.grub = {
+ # no need to set devices, disko will add all devices that have a EF02 partition to the list already
+ # devices = [ ];
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+ services.openssh = {
+ enable = true;
+ };
+
+ users.users.root.initialHashedPassword = "$y$j9T$pCnKvY2ASrwPgAlZhqK9A/$Ro7mKqBTHjKhn5GN82fEUBNnUrdP.SxN9bBIl7QxY./";
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q"
+ ];
+ users.users.y = {
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ "networkmanager"
+ "input"
+ "uinput"
+ "docker"
+ ];
+ createHome = true;
+ home = "/home/y";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes"
+ ];
+ };
+
+ system.stateVersion = "23.11";
+}
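Review bot: `users.users.root.initialHashedPassword` and the `docker` entry in user `y`'s `extraGroups` both widen root-equivalent access more than a headless droplet needs: membership in `docker` is effectively root, and `networkmanager`, `input` and `uinput` have no role on a cloud VM without a desktop. If this file is only the bootstrap config (it imports `./disk-config.nix` and sets `system.stateVersion`, while configuration.nix carries the hardened SSH settings — worth confirming), the root hash is still a committed credential; `initialHashedPassword` stops mattering once the user exists, but the value stays in history and can be attacked offline. Consider `extraGroups = [ "systemd-journal" "wheel" ];` here to match users.nix, and sourcing the root hash from a secret-managed `hashedPasswordFile` instead of a literal.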
diff --git a/hosts/cloud/sing/jellyfin.nix b/hosts/cloud/sing/jellyfin.nix
new file mode 100644
index 0000000..c9c8b9e
--- /dev/null
+++ b/hosts/cloud/sing/jellyfin.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }: {
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+}
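Review bot: `openFirewall = true` exposes Jellyfin's listener directly on the public interface, while nginx.nix already fronts `127.0.0.1:8096` on `j.urbit.cam` with `forceSSL`; with the firewall open, clients can reach the plaintext port and bypass the TLS vhost entirely. Unless the discovery ports the module opens are actually needed across the internet (unlikely on a droplet), set `openFirewall = false;` (or drop the line — that is the module default) and rely on the reverse proxy. If LAN discovery is the reason it is here, a comment saying so would stop the next reader from removing it.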
diff --git a/hosts/cloud/sing/mail.key b/hosts/cloud/sing/mail.key
new file mode 100644
index 0000000..ece0485
--- /dev/null
+++ b/hosts/cloud/sing/mail.key
@@ -0,0 +1 @@
+$2b$05$iw93ciS7B.5DfqxQ4XcAVuXF5d9qksmlg0I7FmMMa8vb1JIxN1f1e
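Review bot: This file is a bcrypt password hash committed to the repository (mail2.key in this same change is another), and mail.nix points eleven login accounts at this one file, so a single offline crack of this line yields every mailbox except polwex. The `$2b$05$` prefix means cost factor 5, far below the usual 10–12, which makes guessing cheap; `mkpasswd -sm bcrypt` without a rounds argument appears to produce exactly this, so the hint comment in mail.nix will keep reproducing it. Keep hash files out of git (agenix, sops-nix, or a deploy-time secret path), regenerate them with a higher cost and a distinct password per account, and rotate the passwords behind these two hashes now that they are in history.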
diff --git a/hosts/cloud/sing/mail.nix b/hosts/cloud/sing/mail.nix
new file mode 100644
index 0000000..09a070d
--- /dev/null
+++ b/hosts/cloud/sing/mail.nix
@@ -0,0 +1,68 @@
+{
+ mailserver = {
+ enable = true;
+ fqdn = "mail.sortug.com";
+ domains = [ "sortug.com" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "zh@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "jp@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "th@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "bd@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "info@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "admin@sortug.com" = { # legal and banking
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "internal@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "billing@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "polwex@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail2.key";
+ };
+ "kinode@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "hosting@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "support@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@sortug.com";
+ # services.roundcube = {
+ # enable = true;
+ # # this is the url of the vhost, not necessarily the same as the fqdn of
+ # # the mailserver
+ # hostName = "mail.sortug.com";
+ # extraConfig = ''
+ # # starttls needed for authentication, so the fqdn required to match
+ # # the certificate
+ # $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ # $config['smtp_user'] = "%u";
+ # $config['smtp_pass'] = "%p";
+ # '';
+ # };
+ services.nginx.enable = true;
+}
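Review bot: `security.acme.defaults.email = "security@sortug.com";` near the end of the hunk conflicts with the `"security@urbit.cam"` definition in nginx.nix; both have default priority, so importing the two modules into one host fails evaluation with a conflicting-definition error (omail.nix sidesteps this with `lib.mkForce`, which silently wins instead). Pick one address for the host and set it in one place, or mark the other `lib.mkDefault`. The hunk also has no import of the nixos-mailserver module, unlike omail.nix, so `mailserver.*` only evaluates if the flake imports it elsewhere — worth a comment at the top of the file saying where. Sharing `/home/y/mail.key` across eleven accounts means one password for all of them; even keeping file-based hashes, a per-account file is cheap.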
diff --git a/hosts/cloud/sing/mail2.key b/hosts/cloud/sing/mail2.key
new file mode 100644
index 0000000..ba2fd93
--- /dev/null
+++ b/hosts/cloud/sing/mail2.key
@@ -0,0 +1 @@
+$2b$05$RDNpiqLeEGZjCb0z13R0tenPIr/r1ps1LPmIbGRkdSSmvFwgCVm6i
diff --git a/hosts/cloud/sing/nginx.nix b/hosts/cloud/sing/nginx.nix
new file mode 100644
index 0000000..501c4ee
--- /dev/null
+++ b/hosts/cloud/sing/nginx.nix
@@ -0,0 +1,129 @@
+{ config, pkgs, ... }: {
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@urbit.cam";
+ services.nginx = {
+ enable = true;
+ virtualHosts."s.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8081";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ virtualHosts."h.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ };
+ };
+ virtualHosts."f.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8082";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ };
+ };
+ virtualHosts."b.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8083";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ virtualHosts."k.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8084";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ virtualHosts."j.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ virtualHosts."hls.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ root = "/var/www/hls";
+ extraConfig = ''
+ add_header Cache-control no-cache;
+ add_header Access-Control-Allow-Origin *;
+ types {
+ application/vnd.apple.mpegurl m3u8;
+ video/mp2t ts;
+ }
+ '';
+ };
+ };
+ virtualHosts."leo.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8090";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ virtualHosts."sayu.urbit.cam" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8091";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ };
+}
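Review bot: `proxy_set_header Forwarded $proxy_add_x_forwarded_for;` in the `s`, `b`, `k`, `j`, `leo` and `sayu` vhosts puts an `X-Forwarded-For`-style value (a bare comma-separated IP list) into the RFC 7239 `Forwarded` header, whose syntax is `for=<addr>;proto=...`; a backend parsing `Forwarded` will not get the client address, and one parsing `X-Forwarded-For` never receives it. The usual fix is `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` plus `proxy_set_header X-Forwarded-Proto $scheme;`, or simply `services.nginx.recommendedProxySettings = true;`, which applies these headers to every `proxyPass` location and removes the copy-pasted blocks. The `hls.urbit.cam` vhost's `Access-Control-Allow-Origin *` is acceptable for public segments but deserves a comment stating the stream is intentionally world-readable. Consider `recommendedTlsSettings = true;` alongside `forceSSL` so the ACME vhosts get a modern protocol/cipher baseline.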
diff --git a/hosts/cloud/sing/omail.nix b/hosts/cloud/sing/omail.nix
new file mode 100644
index 0000000..ccbc847
--- /dev/null
+++ b/hosts/cloud/sing/omail.nix
@@ -0,0 +1,79 @@
+{ config, lib, ... }: {
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a release version you are interested in and set its hash, e.g.
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz";
+ # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
+ # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
+ sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8";
+ })
+ ];
+
+ services.dovecot2.sieve.extensions = [ "fileinto" ];
+ mailserver = {
+ enable = true;
+ fqdn = "mail.sortug.com";
+ domains = [ "sortug.com" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "zh@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "jp@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "th@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "bd@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "info@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "admin@sortug.com" = { # legal and banking
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "internal@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "billing@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "polwex@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "kinode@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "hosting@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ "support@sortug.com" = {
+ hashedPasswordFile = "/home/y/mail.key";
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = lib.mkForce "security@sortug.com";
+ services.roundcube = {
+ enable = true;
+ # this is the url of the vhost, not necessarily the same as the fqdn of
+ # the mailserver
+ hostName = "mail.sortug.com";
+ extraConfig = ''
+ # starttls needed for authentication, so the fqdn required to match
+ # the certificate
+ $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+ services.nginx.enable = true;
+}
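Review bot: This file duplicates mail.nix almost line for line — same fqdn, domains, twelve login accounts and ACME settings — and the copies have already diverged (mail.nix gives `polwex@sortug.com` `mail2.key`, this one `mail.key`; roundcube is live here and commented out there). If both are ever imported together the `hashedPasswordFile` values for that account conflict, and `lib.mkForce` on `security.acme.defaults.email` will override whatever nginx.nix set without warning. Keep one of the two (a comment such as `# superseded by mail.nix` at the top, or deletion, if this is the old copy — the name suggests so), and if both are needed, lift the `loginAccounts` set into a shared file so the account list has one source of truth. The `fetchTarball` import is pinned by `sha256`, which is good; a comment noting that the branch name must track the nixpkgs release in use would help when upgrading.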
diff --git a/hosts/cloud/sing/packages.nix b/hosts/cloud/sing/packages.nix
new file mode 100644
index 0000000..6985acb
--- /dev/null
+++ b/hosts/cloud/sing/packages.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ fish
+ # unix utilities
+ tmux
+ bat # cat replacement written in Rust
+ colordiff
+ direnv # Per-directory environment variables
+ lsd
+ fd # find replacement written in Rust
+ fzf # Fuzzy finder
+ git
+ glibcLocales
+ gnumake
+ htop # Resource monitoring
+ jq # JSON parsing for the CLI
+ lsof
+ ripgrep # grep replacement written in Rust
+ sd # Fancy sed replacement
+ silver-searcher
+ skim # High-powered fuzzy finder written in Rust
+ strace # debug stack trace
+ tealdeer # tldr for various shell tools
+ testdisk
+ tokei # Handy tool to see lines of code by language
+ watchexec # Fileystem watcher/executor useful for speedy development
+ xsv # CSV file parsing utility
+ just # Intriguing new make replacement
+ mdcat # Markdown converter/reader for the CLI
+ tree
+ unzip
+ zip
+
+ # networking
+ curl
+ caddy # simple web server made with go
+ innernet
+
+ # s3
+ minio
+ # databases
+ # postgresql
+ # sqlite
+ ];
+}
+
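Review bot: The `watchexec` comment reads `Fileystem`; it should be `Filesystem`. Beyond that, the list installs two fuzzy finders (`fzf`, `skim`) and two grep replacements (`ripgrep`, `silver-searcher`), plus system-wide `caddy`, `minio` and `innernet` on a host whose web server is nginx; if those are meant to run as services, `services.caddy`/`services.minio` with a proper unit is the NixOS way, and if not, trimming them keeps the installed surface to what is actually used. A one-line comment per tool saying why it belongs on a headless droplet (as the `# s3` and `# networking` headings half do) would make the list auditable.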
diff --git a/hosts/cloud/sing/users.nix b/hosts/cloud/sing/users.nix
new file mode 100644
index 0000000..4d455ee
--- /dev/null
+++ b/hosts/cloud/sing/users.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+ };
+
+ users = {
+ users = {
+ y = {
+ hashedPassword = "$y$j9T$KLRxiAIFO2yLoalaeSmjg/$ZzEQbGvVmRJ6gESNxNuRchNcx0V01QpCxnJVv5pdk/B";
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ ];
+ createHome = true;
+ home = "/home/y";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+qXhCHNrSZmy4HEXaFn6xAp1w2GzQBMOfVdbR3E81Q cloudboxes" ];
+ };
+ };
+ };
+}
+
+
+
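Review bot: `hashedPassword` for user `y` is a committed credential hash, the same pattern as init.nix's root hash; with SSH password auth disabled in configuration.nix it only gates sudo and console, but it still sits in git history as an offline target, and `hashedPasswordFile` pointing at a secret-managed path is a drop-in replacement. `isSystemUser = false;` is redundant next to `isNormalUser = true;` (false is the default, and the module requires exactly one of the two) and can go. Note that init.nix also declares `users.users.y` with a wider `extraGroups`; list options merge by concatenation, so if both files are imported the user still ends up in `docker` despite the shorter list here — worth a comment stating which file is authoritative.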