Diffstat (limited to 'nix/modules')
| -rw-r--r-- | nix/modules/cgit.nix | 23 | ||||
| -rw-r--r-- | nix/modules/conduit.nix | 2 | ||||
| -rw-r--r-- | nix/modules/configuration.nix | 65 | ||||
| -rw-r--r-- | nix/modules/gotosocial.nix | 14 | ||||
| -rw-r--r-- | nix/modules/home/default.nix | 6 | ||||
| -rw-r--r-- | nix/modules/home/emacs.nix | 1 | ||||
| -rw-r--r-- | nix/modules/home/git.nix | 13 | ||||
| -rw-r--r-- | nix/modules/home/mpd.nix | 10 | ||||
| -rw-r--r-- | nix/modules/home/user.nix | 10 | ||||
| -rw-r--r-- | nix/modules/maddy.nix | 15 | ||||
| -rw-r--r-- | nix/modules/matrix-appservice-irc.nix | 10 | ||||
| -rw-r--r-- | nix/modules/nginx.nix | 46 | ||||
| -rw-r--r-- | nix/modules/public_inbox.nix | 101 | ||||
| -rw-r--r-- | nix/modules/secrets.nix | 25 |
14 files changed, 293 insertions, 48 deletions
diff --git a/nix/modules/cgit.nix b/nix/modules/cgit.nix index cfb9158..54eb90c 100644 --- a/nix/modules/cgit.nix +++ b/nix/modules/cgit.nix @@ -1,6 +1,25 @@ -{ config, lib, ... }: +{ lib, config, ... }: { - services.cgit = { + services.cgit."my-projects" = { enable = true; + scanPath = "/srv/git"; + settings = { + root-title = "Nullring Git Server"; + root-desc = "Projects and cool things"; + enable-commit-graph = 1; + enable-log-filecount = 1; + enable-log-linecount = 1; + enable-index-owner = 0; + clone-prefix = "https://git.${config.monorepo.vars.orgHost}"; + enable-tree-linenumbers = 1; + strict-export = "git-daemon-export-ok"; + }; + gitHttpBackend = { + enable = true; + checkExportOkFiles = true; + }; + nginx = { + virtualHost = "git.${config.monorepo.vars.orgHost}"; + }; }; } diff --git a/nix/modules/conduit.nix b/nix/modules/conduit.nix index 6e4611f..4d7a30c 100644 --- a/nix/modules/conduit.nix +++ b/nix/modules/conduit.nix @@ -18,7 +18,7 @@ services.lk-jwt-service = { enable = lib.mkDefault config.monorepo.profiles.server.enable; port = 6495; - livekitUrl = "wss://livekit.nullring.xyz"; + livekitUrl = "wss://livekit.${config.monorepo.vars.orgHost}"; keyFile = "/run/secrets/livekit_secret"; }; services.livekit = { diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index 128ad5b..decc121 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -1,6 +1,22 @@ { config, pkgs, lib, ... }: +let + userGroups = [ + "nginx" + "git" + "ircd" + "ngircd" + "conduit" + "livekit" + "matterbridge" + "maddy" + "ntfy-sh" + "public-inbox" + ]; +in { imports = [ + ./cgit.nix + ./public_inbox.nix ./matterbridge.nix ./mautrix.nix ./xserver.nix @@ -110,12 +126,16 @@ country=CA "snd-rawmidi" "xhci_hcd" "kvm_intel" - "crm" + "af_packet" + "ccm" "ctr" "cmac" "arc4" "ecb" "michael_mic" + "gcm" + "sha256" + "sha384" ]; kernelParams = [ 
@@ -373,7 +393,7 @@ country=CA environment.systemPackages = with pkgs; [ restic sbctl - git + gitFull git-lfs git-lfs-transfer vim @@ -391,47 +411,29 @@ country=CA ) ]; - users.groups.nginx = lib.mkDefault {}; - users.groups.git = lib.mkDefault {}; - users.groups.ircd = lib.mkDefault {}; - users.groups.ngircd = lib.mkDefault {}; - users.groups.conduit = lib.mkDefault {}; - users.groups.livekit = lib.mkDefault {}; - users.groups.matterbridge = lib.mkDefault {}; - users.groups.maddy = lib.mkDefault {}; - users.groups.ntfy-sh = lib.mkDefault {}; + users.groups = lib.genAttrs userGroups (name: lib.mkDefault {}); - users.users = { + users.users = lib.genAttrs userGroups (name: { + isSystemUser = lib.mkDefault true; + group = "${name}"; + extraGroups = [ "acme" "nginx" ]; + }) // { conduit = { isSystemUser = lib.mkDefault true; group = "conduit"; + extraGroups = []; }; matterbridge = { isSystemUser = lib.mkDefault true; group = "matterbridge"; + extraGroups = []; }; - maddy = { - isSystemUser = lib.mkDefault true; - group = "maddy"; - extraGroups = [ "acme" "nginx" ]; - }; - - ntfy-sh = { + public-inbox = { isSystemUser = lib.mkDefault true; - group = "ntfy-sh"; - extraGroups = [ "acme" "nginx" ]; - }; + group = "public-inbox"; - ngircd = { - isSystemUser = lib.mkDefault true; - group = "ngircd"; - extraGroups = [ "acme" "nginx" ]; - }; - livekit = { - isSystemUser = lib.mkDefault true; - group = "livekit"; - extraGroups = [ "acme" "nginx" ]; + extraGroups = [ "acme" "nginx" "git" ]; }; ircd = { @@ -459,6 +461,7 @@ country=CA group = "git"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" + "ssh-rsa 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 andrei@kiss" ]; }; "${config.monorepo.vars.userName}" = { diff --git a/nix/modules/gotosocial.nix b/nix/modules/gotosocial.nix new file mode 100644 index 0000000..6b81128 --- /dev/null +++ b/nix/modules/gotosocial.nix 
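Review bot: The `lib.genAttrs userGroups` generator in the `users.users` rewrite makes `extraGroups = [ "acme" "nginx" ]` the default for every service user, where the old code granted it explicitly to maddy, ntfy-sh, ngircd and livekit only; the `//` overrides reset it for conduit and matterbridge, and the new `public-inbox` entry gets `[ "acme" "nginx" "git" ]` although, from public_inbox.nix, it serves plain HTTP on port 9090 behind nginx and only needs `git` to read `/srv/git`. Membership in `acme` is what NixOS uses to let a service read issued certificate keys, so the default should be `extraGroups = [];` with TLS-terminating services opting in, and the public-inbox override reduced to `extraGroups = [ "git" ];`. Whether the `git` and `ircd` overrides later in this hunk reset the list cannot be seen from here, since those blocks start outside the visible span. `group = "${name}";` can simply be `group = name;`.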
@@ -0,0 +1,14 @@ +{ lib, config, ... }: +{ + services.gotosocial = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + setupPostgresqlDB = true; + settings = { + application-name = "Nullring GoToSocial Instance"; + host = "gotosocial.${config.monorepo.vars.orgHost}"; + protocol = "https"; + bind-address = "127.0.0.1"; + port = 8080; + }; + }; +} diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix index b1c07c3..a45ce59 100644 --- a/nix/modules/home/default.nix +++ b/nix/modules/home/default.nix @@ -53,19 +53,19 @@ email = { email = lib.mkOption { type = lib.types.str; - default = "ret2pop@gmail.com"; + default = "ret2pop@nullring.xyz"; example = "john@example.com"; description = "Email address and imaps/smtps account"; }; imapsServer = lib.mkOption { type = lib.types.str; - default = "imap.gmail.com"; + default = "mail.nullring.xyz"; example = "imap.example.com"; description = "imaps server address"; }; smtpsServer = lib.mkOption { type = lib.types.str; - default = "smtp.gmail.com"; + default = "mail.nullring.xyz"; example = "smtp.example.com"; description = "smtp server address"; }; diff --git a/nix/modules/home/emacs.nix b/nix/modules/home/emacs.nix index 4256d34..cdf1def 100644 --- a/nix/modules/home/emacs.nix +++ b/nix/modules/home/emacs.nix @@ -9,6 +9,7 @@ (setq system-email "${config.monorepo.profiles.email.email}") (setq system-username "${config.monorepo.vars.internetName}") (setq system-fullname "${config.monorepo.vars.fullName}") +(setq system-gpgkey "${config.monorepo.vars.gpgKey}") (load "${pkgs.writeText "init.el" (builtins.readFile ../../init.el)}") ''; diff --git a/nix/modules/home/git.nix b/nix/modules/home/git.nix index c80b6f9..24e84b4 100644 --- a/nix/modules/home/git.nix +++ b/nix/modules/home/git.nix 
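Review bot: Neither this module nor the sibling `matrix-appservice-irc.nix` added in this commit is imported anywhere on the page: the `imports` hunk in configuration.nix adds only `./cgit.nix` and `./public_inbox.nix`, so as far as the diff shows this file is dead configuration and nothing exercises `setupPostgresqlDB` or the `127.0.0.1:8080` bind. Either add `./gotosocial.nix` to the imports together with a `gotosocial.${config.monorepo.vars.orgHost}` virtual host proxying to port 8080 (nginx.nix gains `git.`, `list.` and `music.` hosts but no gotosocial one), or leave the file out until it is wired in. If it is imported from a file outside the diff, a one-line comment at the top saying where would save the next reader the search.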
@@ -1,7 +1,8 @@ -{ lib, config, ... }: +{ pkgs, lib, config, ... }: { programs.git = { enable = lib.mkDefault config.monorepo.profiles.graphics.enable; + package = pkgs.gitFull; lfs.enable = lib.mkDefault config.monorepo.profiles.graphics.enable; userName = config.monorepo.vars.fullName; userEmail = config.monorepo.profiles.email.email; @@ -12,6 +13,16 @@ extraConfig = { init.defaultBranch = "main"; + credential."${config.monorepo.profiles.email.smtpsServer}" = { + username = "${config.monorepo.profiles.email.email}"; + helper = "!f() { test \"$1\" = get && echo \"password=$(cat /run/user/1000/secrets/mail)\"; }; f"; + }; + sendemail = { + smtpserver = "${config.monorepo.profiles.email.smtpsServer}"; + smtpuser = "${config.monorepo.profiles.email.email}"; + smtpserverport = 465; + smtpencryption = "ssl"; + }; }; aliases = { diff --git a/nix/modules/home/mpd.nix b/nix/modules/home/mpd.nix index 8f646ea..2ab711b 100644 --- a/nix/modules/home/mpd.nix +++ b/nix/modules/home/mpd.nix @@ -13,16 +13,16 @@ type "pipewire" name "pipewire output" } + audio_output { type "httpd" - name "My HTTP Stream" + name "Ret2pop's Music Stream" encoder "opus" # optional port "8000" - # quality "5.0" # do not define if bitrate is defined - bitrate "128000" # do not define if quality is defined + bitrate "128000" format "48000:16:1" - always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped. - tags "yes" # httpd supports sending tags to listening streams. + always_on "yes" + tags "yes" } audio_output { diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix index 55e16fc..28bbd22 100644 --- a/nix/modules/home/user.nix +++ b/nix/modules/home/user.nix @@ -30,6 +30,8 @@ packages = with pkgs; (if config.monorepo.profiles.graphics.enable then [ # wikipedia # kiwix kiwix-tools + gnupg + unzip mupdf zathura 
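Review bot: The credential helper in the `extraConfig` hunk hard-codes `/run/user/1000/secrets/mail`, tying a home-manager module that is otherwise parameterised through `config.monorepo.*` to one uid; inside the helper `$XDG_RUNTIME_DIR` is the portable equivalent: `helper = "!f() { test \"$1\" = get && echo \"password=$(cat \"$XDG_RUNTIME_DIR/secrets/mail\")\"; }; f";`. The helper also never reads the description git writes on stdin, which is acceptable because the entry is keyed on `credential."${config.monorepo.profiles.email.smtpsServer}"`, but a comment above it, `# keyed on the SMTP host; git's stdin description is intentionally ignored`, would stop a later reader from "fixing" it.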
@@ -51,7 +53,7 @@ pavucontrol alsa-utils imagemagick ffmpeg helvum # Net - curl rsync git iamb ungoogled-chromium + curl rsync gitFull iamb ungoogled-chromium # Tor torsocks tor-browser @@ -149,6 +151,12 @@ cd "$HOME" ''; }; }; + xdg.mimeApps = { + enable = true; + defaultApplications = { + "x-scheme-handler/mailto" = "emacsclient-mail.desktop"; + }; + }; programs.bash.enable = true; fonts.fontconfig.enable = true; diff --git a/nix/modules/maddy.nix b/nix/modules/maddy.nix index 42f24f9..706e187 100644 --- a/nix/modules/maddy.nix +++ b/nix/modules/maddy.nix @@ -25,10 +25,25 @@ "imap tls://0.0.0.0:993 tcp://0.0.0.0:143" "submission tls://0.0.0.0:465 tcp://0.0.0.0:587" ] options.services.maddy.config.default; + ensureAccounts = [ + "${config.monorepo.vars.internetName}@${config.monorepo.vars.orgHost}" + "monorepo@${config.monorepo.vars.orgHost}" + "nullerbot@${config.monorepo.vars.orgHost}" + "discussion@${config.monorepo.vars.orgHost}" + ]; ensureCredentials = { "${config.monorepo.vars.internetName}@${config.monorepo.vars.orgHost}" = { passwordFile = "/run/secrets/mail_password"; }; + "monorepo@${config.monorepo.vars.orgHost}" = { + passwordFile = "/run/secrets/mail_monorepo_password"; + }; + "nullerbot@${config.monorepo.vars.orgHost}" = { + passwordFile = "/run/secrets/mail_monorepo_password"; + }; + "discussion@${config.monorepo.vars.orgHost}" = { + passwordFile = "/run/secrets/mail_monorepo_password"; + }; }; }; } diff --git a/nix/modules/matrix-appservice-irc.nix b/nix/modules/matrix-appservice-irc.nix new file mode 100644 index 0000000..518cdde --- /dev/null +++ b/nix/modules/matrix-appservice-irc.nix @@ -0,0 +1,10 @@ +{ lib, config, ... }: +{ + enable = lib.mkDefault config.monorepo.profiles.server.enable; + registrationUrl = "localhost"; + + settings = { + homeserver.url = "https://matrix.nullring.xyz"; + homserver.domain = "matrix.nullring.xyz"; + }; +} diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix index 87f11c1..791e3a4 100644 
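Review bot: All three new `ensureCredentials` entries in the maddy.nix hunk point at the same `/run/secrets/mail_monorepo_password`, so the monorepo, nullerbot and discussion mailboxes share one password, and the secrets.nix hunk at the end of the page adds a second copy, `mail_monorepo_password_pi`, that the public-inbox netrc template reuses for all three logins. One leaked credential (the public-inbox watcher holds it in a plaintext `.netrc` with its sandbox largely disabled) then opens every list mailbox, and the two secrets presumably have to be kept in sync by hand. One secret per account, e.g. `passwordFile = "/run/secrets/mail_nullerbot_password";` and `passwordFile = "/run/secrets/mail_discussion_password";`, with matching `sops.placeholder` entries in the netrc template, keeps the blast radius to one list. The `ensureCredentials` attrset starts before this hunk.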
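Review bot: The new matrix-appservice-irc.nix module sets `enable`, `registrationUrl` and `settings` at the top level of the module attrset instead of under `services.matrix-appservice-irc`, so if the file were ever imported evaluation would fail on undefined top-level options; wrap the body in `services.matrix-appservice-irc = { ... };`. In `settings`, `homserver.domain` is a typo for `homeserver.domain`, and both values hard-code `matrix.nullring.xyz` where every other file in this commit switches to `matrix.${config.monorepo.vars.orgHost}`. `registrationUrl = "localhost"` also looks like it is missing a scheme and port, since the option is documented as the URL the homeserver uses to reach the bridge, though I cannot confirm the intended port from the page.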
--- a/nix/modules/nginx.nix +++ b/nix/modules/nginx.nix @@ -10,7 +10,7 @@ gitweb = { enable = true; - virtualHost = "${config.monorepo.vars.remoteHost}"; + virtualHost = "${config.monorepo.vars.orgHost}"; }; virtualHosts = { @@ -49,11 +49,12 @@ }; locations."= /.well-known/matrix/server" = { extraConfig = '' + default_type application/json; add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; ''; - return = ''200 '{"m.server": "matrix.nullring.xyz:443"}' ''; + return = ''200 '{"m.server": "matrix.${config.monorepo.vars.orgHost}:443"}' ''; }; locations."/.well-known/matrix/client" = { extraConfig = '' @@ -115,8 +116,8 @@ proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - # proxy_set_header Upgrade $http_upgrade; - # proxy_set_header Connection "upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; # --- CORS CONFIGURATION START --- # 1. Allow all origins (including app.element.io) 
@@ -161,6 +162,43 @@ enableACME = true; }; + "git.${config.monorepo.vars.orgHost}" = { + forceSSL = true; + enableACME = true; + }; + "list.${config.monorepo.vars.orgHost}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:9090"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + + # the port comes from ssh tunnelling + "music.${config.monorepo.vars.remoteHost}" = { + addSSL = true; + enableACME = true; + basicAuthFile = config.sops.secrets."mpd_password".path; + locations."/" = { + proxyPass = "http://localhost:8000"; + extraConfig = '' +proxy_buffering off; +proxy_http_version 1.1; +proxy_set_header Connection ""; +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_read_timeout 36000s; +''; + }; + }; + "${config.monorepo.vars.orgHost}" = { serverName = "${config.monorepo.vars.orgHost}"; root = "/var/www/nullring/"; diff --git a/nix/modules/public_inbox.nix b/nix/modules/public_inbox.nix new file mode 100644 index 0000000..cba1e39 --- /dev/null +++ b/nix/modules/public_inbox.nix 
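Review bot: The new `music.${config.monorepo.vars.remoteHost}` virtual host uses `addSSL = true` together with `basicAuthFile`, so the HTTP Basic credentials for the stream are accepted over plain HTTP as well; every other host added in this hunk uses `forceSSL = true`, and this one should too: `forceSSL = true;`. The `# the port comes from ssh tunnelling` comment explains where port 8000 comes from but not why the stream lives on `remoteHost` while `git.` and `list.` live on `orgHost`; one more clause there would help. The proxy directives inside the `''` string are flush-left unlike the `list.` block above them, which is style only but worth aligning.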
@@ -0,0 +1,101 @@
+{ lib, config, ... }:
+{
+ systemd.tmpfiles.rules = [
+ "C+ /var/lib/public-inbox/style.css 0644 public-inbox public-inbox - ${../data/public-inbox.css}"
+ ];
+ systemd.services.public-inbox-httpd = if config.monorepo.profiles.server.enable then {
+ preStart = ''
+ # Copy or link the file.
+ # Using 'cp' is often safer for sandboxed services than linking to the store. Lol.
+ cp -f ${../data/public-inbox.css} /var/lib/public-inbox/style.css
+ chmod 644 /var/lib/public-inbox/style.css
+ '';
+
+ serviceConfig = {
+ # Allow the service to see the file it just created
+ BindPaths = [
+ "/var/lib/public-inbox"
+ "/srv/git/"
+ ];
+ ReadOnlyPaths = [ "/var/lib/public-inbox/style.css" ];
+ # Ensure it can actually write to the directory during preStart
+ ReadWritePaths = [ "/var/lib/public-inbox" ];
+ };
+ } else {};
+
+ systemd.services.public-inbox-watch = if config.monorepo.profiles.server.enable then {
+ after = [ "sops-nix.service" ];
+ confinement.enable = lib.mkForce false;
+ preStart = ''
+ mkdir -p /var/lib/public-inbox/.tmp
+ chmod 0700 /var/lib/public-inbox/.tmp
+ ln -sfn ${config.sops.templates."public-inbox-netrc".path} /var/lib/public-inbox/.netrc
+ '';
+ environment = {
+ PUBLIC_INBOX_FORCE_IPV4 = "1";
+ NETRC = config.sops.templates."public-inbox-netrc".path;
+ HOME = "/var/lib/public-inbox";
+ TMPDIR = "/var/lib/public-inbox/.tmp";
+ };
+
+ serviceConfig = {
+ RestrictSUIDSGID = lib.mkForce false;
+ ReadWritePaths = [ "/var/lib/public-inbox" ];
+ RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ PrivateNetwork = lib.mkForce false;
+ SystemCallFilter = lib.mkForce [];
+ RootDirectory = lib.mkForce "";
+
+ CapabilityBoundingSet = lib.mkForce [ "~" ];
+ UMask = lib.mkForce "0022";
+ ProtectSystem = lib.mkForce false;
+ };
+ } else {};
+
+ services.public-inbox = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ settings = {
+ coderepo."nullerbot".dir = "/srv/git/nullerbot.git";
+ coderepo."nullerbot".cgitUrl = "https://git.nullring.xyz/nullerbot.git";
+ coderepo."monorepo".dir = "/srv/git/monorepo.git";
+ coderepo."monorepo".cgitUrl = "https://git.nullring.xyz/monorepo.git";
+ publicinbox.css = ["/var/lib/public-inbox/style.css"];
+ publicinbox.wwwlisting = "all";
+ };
+ http = {
+ enable = true;
+ port = 9090;
+ };
+ inboxes = {
+ "monorepo" = {
+ description = "discussion of ret2pop's monorepo project and related work.";
+ address = [ "monorepo@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/monorepo";
+ url = "https://list.${config.monorepo.vars.orgHost}/monorepo";
+ watch = [ "imaps://monorepo%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ coderepo = [
+ "monorepo"
+ ];
+ };
+
+ "discussion" = {
+ description = "Main Nullring Discussion Mailing List";
+ address = [ "discussion@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/discuss";
+ url = "https://list.${config.monorepo.vars.orgHost}/discussion";
+ watch = [ "imaps://discussion%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ };
+
+ "nullerbot" = {
+ description = "Discussion of Nullerbot Matrix Bot";
+ address = [ "nullerbot@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/nullerbot";
+ url = "https://list.${config.monorepo.vars.orgHost}/nullerbot";
+ watch = [ "imaps://nullerbot%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ coderepo = [
+ "nullerbot"
+ ];
+ };
+ };
+ };
+}
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
index f7deb5d..9c1dbed 100644
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
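Review bot: The `public-inbox-watch` serviceConfig removes essentially all of the upstream unit's hardening at once: `SystemCallFilter = lib.mkForce []`, `ProtectSystem = lib.mkForce false`, `RootDirectory = lib.mkForce ""`, `RestrictSUIDSGID = lib.mkForce false`, `confinement.enable = lib.mkForce false`, and `CapabilityBoundingSet = lib.mkForce [ "~" ]`, which systemd appears to read as "everything except nothing", i.e. the full capability set rather than an empty one. This is the process that holds the IMAP password in a plaintext `.netrc`, so each override should be narrowed to the failure it actually works around and carry a one-line comment naming it; from what is visible, IMAP polling needs only `PrivateNetwork = lib.mkForce false;` with the `RestrictAddressFamilies` line and the writable state dir, and `CapabilityBoundingSet = lib.mkForce "";` keeps the empty set. In the `public-inbox-httpd` block, `/srv/git/` is bind-mounted read-write although the daemon only serves it; add `"/srv/git/"` to `ReadOnlyPaths` next to the style.css entry. The two `cgitUrl` values hard-code `git.nullring.xyz` where the rest of this commit uses `git.${config.monorepo.vars.orgHost}`.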
@@ -7,6 +7,16 @@ templates = if config.monorepo.profiles.server.enable then { + "public-inbox-netrc" = { + owner = "public-inbox"; + group = "public-inbox"; + mode = "0400"; + content = '' +machine mail.${config.monorepo.vars.orgHost} login monorepo@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"} +machine mail.${config.monorepo.vars.orgHost} login discussion@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"} +machine mail.${config.monorepo.vars.orgHost} login nullerbot@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"} + ''; + }; "matterbridge" = { owner = "matterbridge"; content = '' @@ -91,6 +101,17 @@ channel="-5290629325" format = "yaml"; owner = "maddy"; }; + + mail_monorepo_password = { + format = "yaml"; + owner = "maddy"; + }; + + mail_monorepo_password_pi = { + format = "yaml"; + owner = "public-inbox"; + }; + conduit_secrets = { format = "yaml"; }; @@ -103,6 +124,10 @@ channel="-5290629325" discord_token = { format = "yaml"; }; + mpd_password = { + format = "yaml"; + owner = "nginx"; + }; ntfy = { format = "yaml"; owner = "ntfy-sh"; |
