fixed everything
| -rw-r--r-- | flake.lock | 53 | ||||
| -rw-r--r-- | flake.nix | 35 | ||||
| -rw-r--r-- | machines/overburn-1.nix | 24 | ||||
| -rw-r--r-- | openstack.nix | 6 | ||||
| -rw-r--r-- | services/cgit.nix | 26 | ||||
| -rw-r--r-- | services/ejabberd.nix | 425 | ||||
| -rw-r--r-- | services/mailserver.nix | 33 | ||||
| -rw-r--r-- | services/movim.nix | 32 | ||||
| -rw-r--r-- | services/murmur.nix | 30 | ||||
| -rw-r--r-- | services/website.nix | 41 |
10 files changed, 367 insertions, 338 deletions
@@ -45,11 +45,11 @@ ] }, "locked": { - "lastModified": 1742649964, - "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "type": "github" }, "original": { @@ -85,11 +85,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1733802073, - "narHash": "sha256-6yW93R6xXw8izoPWn6Mu46jgJkKK8v79OTpnPBtI7ng=", + "lastModified": 1755705508, + "narHash": "sha256-2xmMgKwvgof0Yjio/UP+g5y+K2OYwxQo186antX2v68=", "owner": "DarthPJB", "repo": "nixinate", - "rev": "67d3d72077ba9638295e7857c1b8cbf3a160560d", + "rev": "edf603eed92c5c93b301b056c243b360da74a474", "type": "github" }, "original": { @@ -116,11 +116,11 @@ }, "nixpkgs-25_05": { "locked": { - "lastModified": 1747610100, - "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=", + "lastModified": 1753749649, + "narHash": "sha256-+jkEZxs7bfOKfBIk430K+tK9IvXlwzqQQnppC2ZKFj4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d", + "rev": "1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a", "type": "github" }, "original": { 
@@ -164,27 +164,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1747179050, - "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", + "lastModified": 1753939845, + "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_unstable": { - "locked": { - "lastModified": 1747744144, - "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f", + "rev": "94def634a20494ee057c76998843c015909d6311", "type": "github" }, "original": { @@ -198,7 +182,6 @@ "inputs": { "nixinate": "nixinate", "nixpkgs": "nixpkgs_2", - "nixpkgs_unstable": "nixpkgs_unstable", "secrix": "secrix", "simple-nixos-mailserver": "simple-nixos-mailserver" } @@ -208,11 +191,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1746643487, - "narHash": "sha256-dcB/DArJObCvqE/ZEdQSDW2BZMeDyF83Se5KPfJvz60=", + "lastModified": 1753137768, + "narHash": "sha256-bCQ8IHak1hF38amAgz2YKIEwteU5eAkgoC0fwfoRxO0=", "owner": "platonic-systems", "repo": "secrix", - "rev": "4c64203fa5b377953b1fb6d5388187df8b60c6d5", + "rev": "f783b038ee639a589affcf3c612187dafcfa0476", "type": "github" }, "original": { @@ -230,11 +213,11 @@ "nixpkgs-25_05": "nixpkgs-25_05" }, "locked": { - "lastModified": 1747965231, - "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=", + "lastModified": 1754605910, + "narHash": "sha256-kVWxzm44ywJTb4REfwWCYXnROISykG0yE+X5A3Gov24=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "53007af63fade28853408370c4c600a63dd97f41", + "rev": "57d9624c71ca65bee69b30d72b11f6c5257e9500", "type": "gitlab" }, "original": { 
@@ -1,15 +1,15 @@ { description = "CrashOverBurn.com"; -# TODO: cgit, ejabber signup + # TODO: cgit, ejabber signup inputs = { nixinate.url = "github:DarthPJB/nixinate"; secrix.url = "github:platonic-systems/secrix"; - nixpkgs_unstable.url = "github:NixOS/nixpkgs?ref=nixos-unstable"; + #nixpkgs_unstable.url = "github:NixOS/nixpkgs?ref=nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; }; - outputs = inputs@{ self, nixpkgs, secrix, nixinate, nixpkgs_unstable, simple-nixos-mailserver }: + outputs = inputs@{ self, nixpkgs, secrix, nixinate, simple-nixos-mailserver }: let inherit (inputs.secrix) secrix; pkgs = nixpkgs.legacyPackages.x86_64-linux; @@ -19,7 +19,7 @@ in { formatter.x86_64-linux = pkgs.nixpkgs-fmt; - apps.x86_64-linux = (inputs.nixinate.nixinate.x86_64-linux inputs.self).nixinate // ({ secrix = secrix self; }); + apps.x86_64-linux = (nixinate.nixinate.x86_64-linux inputs.self).nixinate // ({ secrix = secrix self; }); devShell.x86_64-linux = pkgs.mkShell { buildInputs = with pkgs; [ figlet tmux ]; 
@@ -67,31 +67,32 @@ ./users/commander.nix (import ./services/cgit.nix { fqdn = "code.${fqdn}"; }) (import ./services/murmur.nix { fqdn = "mumble.${fqdn}"; }) - (import ./services/movim.nix { fqdn = "mumble.${fqdn}"; }) + (import ./services/movim.nix { fqdn = "social.${fqdn}"; }) (import ./services/website.nix { inherit webroot; }) (import ./services/ejabberd.nix { inherit fqdn; }) (import ./services/mailserver.nix { inherit hashedPasswordFile; }) ./machines/overburn-1.nix - { + { secrix.hostPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3ElH/WQjW3B2yUBFFPpF8IIHsYrHODwTid6YM2npiw root@web-crash-over-burn"; secrix.defaultEncryptKeys = { - crash = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com" ]; + crash = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com" ]; }; imports = [ - "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix" + "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix" ]; - _module.args = - { + _module.args = + { inherit self inputs; nixinate = { - host = "193.16.42.36"; - sshUser = "commander"; - substituteOnTarget = true; - hermetic = true; - buildOn = "local"; + host = "193.16.42.36"; + port = 1108; + sshUser = "commander"; + substituteOnTarget = false; + hermetic = true; + buildOn = "local"; }; - }; - } + }; + } ]; }; }; diff --git a/machines/overburn-1.nix b/machines/overburn-1.nix index 7bed4e3..7b12a98 100644 --- a/machines/overburn-1.nix +++ b/machines/overburn-1.nix 
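Review bot: The `crash` ssh-ed25519 public key is now spelled out verbatim in `secrix.defaultEncryptKeys` here and again as `adminPubkey` in services/cgit.nix, so a key rotation has to be done in two places and a typo in one of them would silently leave the other stale. A single `let crashKey = "ssh-ed25519 …";` in flake.nix, threaded through `_module.args` (which already carries `self inputs`), would keep one source of truth. Separately, `#nixpkgs_unstable.url = …` in the inputs block is dead code now that the lock file drops that input and services/ejabberd.nix builds from `pkgs.ejabberd`; deleting the line (and the matching `#unstable = …` in ejabberd.nix) is clearer than commenting it out. The `nixosConfigurations` attribute this hunk sits in starts before the hunk.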
@@ -1,17 +1,17 @@ { webroot, fqdn, pkgs, ... }: let - top_level_domain = "crashoverburn.com"; -in + top_level_domain = "crashoverburn.com"; +in { - networking.hostName = "crashoverburn-1"; - security.acme = { - acceptTerms = true; - defaults.email = "postmaster@mail.crashoverburn.com"; - }; + networking.hostName = "crashoverburn-1"; + security.acme = { + acceptTerms = true; + defaults.email = "postmaster@mail.crashoverburn.com"; + }; - environment.systemPackages = [ - pkgs.btop - pkgs.tmux - pkgs.neovim - ]; + environment.systemPackages = [ + pkgs.btop + pkgs.tmux + pkgs.neovim + ]; } diff --git a/openstack.nix b/openstack.nix index fb16308..4424fc9 100644 --- a/openstack.nix +++ b/openstack.nix @@ -2,7 +2,7 @@ { nix = { settings.trusted-users = [ "root" "commander" ]; - package = pkgs.nixVersions.latest; #Unstable; + package = pkgs.nixVersions.latest; extraOptions = '' experimental-features = nix-command flakes ''; @@ -18,11 +18,11 @@ }; # Enable the OpenSSH daemon. services.openssh.enable = true; - services.openssh.ports = [ 1108 22 ]; + services.openssh.ports = [ 1108 ]; services.openssh.settings.PermitRootLogin = lib.mkForce "no"; services.openssh.settings.PasswordAuthentication = false; # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ 1108 22 ]; + networking.firewall.allowedTCPPorts = [ 1108 80 443 ]; networking.firewall.allowedUDPPorts = [ ]; # Configure keymap in X11 diff --git a/services/cgit.nix b/services/cgit.nix index fcfa77f..72f94dc 100644 --- a/services/cgit.nix +++ b/services/cgit.nix @@ -1,8 +1,8 @@ -{ fqdn } :{ pkgs, ... }: +{ fqdn }: { pkgs, ... }: { - services.uwsgi = { + services.uwsgi = { enable = true; - user = "public"; + user = "public"; group = "nginx"; plugins = [ "cgi" "python3" ]; 
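Review bot: `services.openssh.settings.PasswordAuthentication = false;` is kept but nothing in openstack.nix sets `KbdInteractiveAuthentication`, which NixOS leaves at its default; with PAM in the picture a keyboard-interactive prompt can still accept a password, so the intended key-only policy is not fully enforced. Adding `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the existing two settings closes that gap. Dropping 22 from `services.openssh.ports` and the firewall is consistent with `nixinate.port = 1108` in flake.nix, and opening 80/443 here matches the nginx vhosts in the service modules; the enclosing attribute set continues outside this hunk.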
@@ -24,7 +24,7 @@ services.gitolite = { enable = true; - user = "git"; + user = "git"; group = "git"; adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com"; extraGitoliteRc = '' @@ -33,16 +33,16 @@ ''; }; - users.extraUsers.public = - { - extraGroups = [ "git" "nginx"]; - isSystemUser = true; - group = "users"; - }; + users.extraUsers.public = + { + extraGroups = [ "git" "nginx" ]; + isSystemUser = true; + group = "users"; + }; services.nginx.virtualHosts."${fqdn}" = { - addSSL = true; - enableACME = true; + forceSSL = true; + useACMEHost = "crashoverburn.com"; root = "${pkgs.cgit}/cgit"; locations = { "/" = { @@ -58,7 +58,7 @@ uwsgi_read_timeout 600; ''; }; - }; + }; }; systemd.services.create-cgit-cache = { diff --git a/services/ejabberd.nix b/services/ejabberd.nix index f2057ac..935a409 100644 --- a/services/ejabberd.nix +++ b/services/ejabberd.nix @@ -1,6 +1,6 @@ { fqdn }: { config, lib, pkgs, inputs, ... }: let - unstable = inputs.nixpkgs_unstable.legacyPackages.x86_64-linux; + #unstable = inputs.nixpkgs_unstable.legacyPackages.x86_64-linux; inherit (builtins) toJSON; inherit (pkgs) writeText; inherit (pkgs.lib.lists) foldl'; 
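Review bot: `useACMEHost = "crashoverburn.com"` makes the `code.${fqdn}` vhost serve the certificate declared in services/website.nix, whose `extraDomainNames` covers pubsub, proxy, upload, conference, social and pics.social but not `code`, so browsers reaching cgit would be presented a certificate that does not match the hostname (assuming the flake passes `fqdn = "crashoverburn.com"`, as the other names suggest; that value is outside this diff). Either add `"code"` to that `extraDomainNames` list in services/website.nix or keep `enableACME = true;` on this vhost so it obtains its own certificate. The `services.nginx.virtualHosts` block continues past the end of this hunk.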
@@ -9,236 +9,253 @@ let certs = config.security.acme.certs; certDirectory = certs.${fqdn}.directory; -in { +in +{ services.ejabberd = { enable = true; imagemagick = true; - configFile = let - toPaths = s: mapAttrs' (n: v: nameValuePair "/${n}" v) s; - dhfile = config.security.dhparams.params.nginx.path; - toACLs = map (x: { acl = x; }); - in writeText "ejabberd.yml" (toJSON { - hosts = [ fqdn ]; - loglevel = 4; - s2s_cafile = "/etc/ssl/certs/ca-certificates.crt"; - ca_file = "/etc/ssl/certs/ca-certificates.crt"; - certfiles = [ "${certDirectory}/*.pem" ]; - listen = map (x: x // { ip = "10.0.1.30"; }) [ - { - inherit dhfile; - port = 5222; - module = "ejabberd_c2s"; - max_stanza_size = 262144; - shaper = "c2s_shaper"; - access = "c2s"; - starttls_required = true; - } - { - inherit dhfile; - port = 5223; - tls = true; - module = "ejabberd_c2s"; - max_stanza_size = 262144; - shaper = "c2s_shaper"; - access = "c2s"; - starttls_required = true; - } - { - inherit dhfile; - port = 5269; - module = "ejabberd_s2s_in"; - max_stanza_size = 524288; - } - { - inherit dhfile; - port = 5443; - module = "ejabberd_http"; - tls = true; - request_handlers = toPaths { - admin = "ejabberd_web_admin"; - api = "mod_http_api"; - bosh = "mod_bosh"; - captcha = "ejabberd_captcha"; - upload = "mod_http_upload"; - ws = "ejabberd_http_ws"; - }; - } - { - inherit dhfile; - port = 5280; - module = "ejabberd_http"; - request_handlers = toPaths { - admin = "ejabberd_web_admin"; - ".well-known/acme-challenge" = "ejabberd_acme"; - }; - } - { - port = 3478; - transport = "udp"; - module = "ejabberd_stun"; - use_turn = true; - turn_ipv4_address = "193.16.42.36"; - } - { - port = 1883; - module = "mod_mqtt"; - backlog = 1000; - } - ]; - s2s_use_starttls = "required"; - acl = { - local.user_regexp = ""; - loopback.ip = [ - "127.0.0.1/8" - "::1/128" + configFile = + let + toPaths = s: mapAttrs' (n: v: nameValuePair "/${n}" v) s; + dhfile = config.security.dhparams.params.nginx.path; + toACLs = map (x: { 
acl = x; }); + in + writeText "ejabberd.yml" (toJSON { + hosts = [ fqdn ]; + loglevel = 4; + s2s_cafile = "/etc/ssl/certs/ca-certificates.crt"; + ca_file = "/etc/ssl/certs/ca-certificates.crt"; + certfiles = [ "${certDirectory}/*.pem" ]; + listen = map (x: x // { ip = "10.0.1.30"; }) [ + { + inherit dhfile; + port = 5222; + module = "ejabberd_c2s"; + max_stanza_size = 262144; + shaper = "c2s_shaper"; + access = "c2s"; + starttls_required = true; + } + { + inherit dhfile; + port = 5223; + tls = true; + module = "ejabberd_c2s"; + max_stanza_size = 262144; + shaper = "c2s_shaper"; + access = "c2s"; + starttls_required = true; + } + { + inherit dhfile; + port = 5269; + module = "ejabberd_s2s_in"; + max_stanza_size = 524288; + } + { + inherit dhfile; + port = 5443; + module = "ejabberd_http"; + tls = true; + request_handlers = toPaths { + admin = "ejabberd_web_admin"; + api = "mod_http_api"; + bosh = "mod_bosh"; + captcha = "ejabberd_captcha"; + upload = "mod_http_upload"; + ws = "ejabberd_http_ws"; + }; + } + { + inherit dhfile; + port = 5280; + module = "ejabberd_http"; + request_handlers = toPaths { + admin = "ejabberd_web_admin"; + ".well-known/acme-challenge" = "ejabberd_acme"; + }; + } + { + port = 3478; + transport = "udp"; + module = "ejabberd_stun"; + use_turn = true; + turn_ipv4_address = "193.16.42.36"; + } + { + port = 1883; + module = "mod_mqtt"; + backlog = 1000; + } ]; - admin.user = [ "crash@${fqdn}" ]; - }; - access_rules = { - c2s = { - deny = "blocked"; - allow = "all"; + s2s_use_starttls = "required"; + acl = { + local.user_regexp = ""; + loopback.ip = [ + "127.0.0.1/8" + "::1/128" + ]; + admin.user = [ "crash@${fqdn}" ]; }; - } // mapAttrs' (n: v: nameValuePair n { allow = v; }) { - local = "local"; - announce = "admin"; - configure = "admin"; - muc_create = "local"; - pubsub_createnode = "local"; - trusted_network = "loopback"; - }; - api_permissions = { - "console commands" = { - from = [ "ejabberd_ctl" ]; - who = "all"; - what = "*"; + 
access_rules = { + c2s = { + deny = "blocked"; + allow = "all"; + }; + } // mapAttrs' (n: v: nameValuePair n { allow = v; }) { + local = "local"; + announce = "admin"; + configure = "admin"; + muc_create = "local"; + pubsub_createnode = "local"; + trusted_network = "loopback"; }; - "admin access" = { - who = { - access.allow = toACLs [ - "local" - "admin" - ]; - oauth = { - scope = "ejabberd:admin"; + api_permissions = { + "console commands" = { + from = [ "ejabberd_ctl" ]; + who = "all"; + what = "*"; + }; + "admin access" = { + who = { access.allow = toACLs [ - "loopback" + "local" "admin" ]; + oauth = { + scope = "ejabberd:admin"; + access.allow = toACLs [ + "loopback" + "admin" + ]; + }; }; + what = [ + "*" + "!stop" + "!start" + ]; }; - what = [ - "*" - "!stop" - "!start" - ]; - }; - "public commands" = { - who.ip = "127.0.0.1/8"; - what = [ - "status" - "connected_users_number" - ]; - }; - }; - shaper = { - normal = { - rate = 3000; - burst_size = 20000; - }; - fast = 100000; - }; - shaper_rules = { - max_user_sessions = 10; - max_user_offline_messages = { - "5000" = "admin"; - "100" = "all"; - }; - c2s_shaper = { - none = "admin"; - normal = "all"; - }; - s2s_shaper = "fast"; - }; - modules = mapAttrs' (n: v: nameValuePair "mod_${n}" v) ({ - announce.access = "announce"; - http_upload = { - put_url = "https://@HOST@:5443/upload"; - custom_headers = { - Access-Control-Allow-Origin = "https://@HOST@"; - Access-Control-Allow-Methods = "GET,HEAD,PUT,OPTIONS"; - Access-Control-Allow-Headers = "Content-Type"; + "public commands" = { + who.ip = "127.0.0.1/8"; + what = [ + "status" + "connected_users_number" + ]; }; }; - mam = { - assume_mam_usage = true; - default = "always"; - }; - muc = { - access = [ "allow" ]; - access_admin = [ { allow = "admin"; } ]; - access_create = "muc_create"; - access_persistent = "muc_create"; - access_mam = [ "allow" ]; - default_room_options.mam = true; - }; - offline.access_max_user_messages = "max_user_offline_messages"; - proxy65 
= { - access = "local"; - max_connections = 5; + shaper = { + normal = { + rate = 3000; + burst_size = 20000; + }; + fast = 100000; }; - pubsub = { - access_createnode = "pubsub_createnode"; - plugins = [ - "flat" - "pep" - ]; - force_node_config."storage:bookmarks".access_model = "whitelist"; + shaper_rules = { + max_user_sessions = 10; + max_user_offline_messages = { + "5000" = "admin"; + "100" = "all"; + }; + c2s_shaper = { + none = "admin"; + normal = "all"; + }; + s2s_shaper = "fast"; }; - register.ip_access = "trusted_network"; - roster.versioning = true; - stream_mgmt.resend_on_timeout = "if_offline"; - version.show_os = false; - } // foldl' (a: x: a // { ${x} = {}; }) {} [ - "adhoc" "admin_extra" "avatar" - "blocking" "bosh" - "caps" "carboncopy" "client_state" "configure" - "disco" - "fail2ban" - "http_api" - "last" - "mqtt" "muc_admin" - "ping" "privacy" "private" "push" "push_keepalive" - "s2s_dialback" "shared_roster" "stun_disco" - "vcard" "vcard_xupdate" - ]); - }); - package = unstable.ejabberd.override { + modules = mapAttrs' (n: v: nameValuePair "mod_${n}" v) ({ + announce.access = "announce"; + http_upload = { + put_url = "https://@HOST@:5443/upload"; + custom_headers = { + Access-Control-Allow-Origin = "https://@HOST@"; + Access-Control-Allow-Methods = "GET,HEAD,PUT,OPTIONS"; + Access-Control-Allow-Headers = "Content-Type"; + }; + }; + mam = { + assume_mam_usage = true; + default = "always"; + }; + muc = { + access = [ "allow" ]; + access_admin = [{ allow = "admin"; }]; + access_create = "muc_create"; + access_persistent = "muc_create"; + access_mam = [ "allow" ]; + default_room_options.mam = true; + }; + offline.access_max_user_messages = "max_user_offline_messages"; + proxy65 = { + access = "local"; + max_connections = 5; + }; + pubsub = { + access_createnode = "pubsub_createnode"; + plugins = [ + "flat" + "pep" + ]; + force_node_config."storage:bookmarks".access_model = "whitelist"; + }; + register.ip_access = "trusted_network"; + 
roster.versioning = true; + stream_mgmt.resend_on_timeout = "if_offline"; + version.show_os = false; + } // foldl' (a: x: a // { ${x} = { }; }) { } [ + "adhoc" + "admin_extra" + "avatar" + "blocking" + "bosh" + "caps" + "carboncopy" + "client_state" + "configure" + "disco" + "fail2ban" + "http_api" + "last" + "mqtt" + "muc_admin" + "ping" + "privacy" + "private" + "push" + "push_keepalive" + "s2s_dialback" + "shared_roster" + "stun_disco" + "vcard" + "vcard_xupdate" + ]); + }); + package = pkgs.ejabberd.override { withZlib = true; withTools = true; }; }; security.acme.certs.${fqdn} = { - extraDomainNames = map (x: "${x}.${fqdn}") [ - "pubsub" - "proxy" - "upload" - "conference" - ]; +# extraDomainNames = map (x: "${x}.${fqdn}") [ +# "pubsub" +# "proxy" +# "upload" +# "conference" +# ]; group = "ejabberd-cert"; postRun = "systemctl restart ejabberd.service"; }; users.groups.ejabberd-cert.members = [ "ejabberd" "nginx" ]; security.dhparams = { enable = true; - params.nginx = {}; + params.nginx = { }; }; networking.firewall.allowedTCPPorts = [ - 5222 # xmpp-client - 5223 # xmpp-client - 5269 # xmpp-server - 5280 # xmpp-bosh - 5443 # https - 3478 # xmpp-stun + 5222 # xmpp-client + 5223 # xmpp-client + 5269 # xmpp-server + 5280 # xmpp-bosh + 5443 # https + 3478 # xmpp-stun ]; } diff --git a/services/mailserver.nix b/services/mailserver.nix index 3bd75a4..7807e0b 100644 --- a/services/mailserver.nix +++ b/services/mailserver.nix 
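Review bot: The `port = 5280` listener still routes `admin = "ejabberd_web_admin"` without `tls = true`, and 5280 is opened in `networking.firewall.allowedTCPPorts` at the bottom of the hunk, so administrator logins to that path cross the network in cleartext; the same handler is already exposed on the TLS listener on 5443, so the 5280 `request_handlers` could be reduced to the `".well-known/acme-challenge" = "ejabberd_acme";` entry. Separately, the commented-out `extraDomainNames` block under `security.acme.certs.${fqdn}` would be clearer as a one-line pointer such as `# SANs for pubsub/proxy/upload/conference are added to this certificate in services/website.nix`, since `certfiles = [ "${certDirectory}/*.pem" ]` still relies on those names being present. The `configFile` expression and the enclosing module span several physical lines of this diff.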
@@ -1,17 +1,18 @@ -{ hashedPasswordFile } :{ pkgs,... }: +{ hashedPasswordFile }: { pkgs, ... }: { - mailserver = { - fqdn = "mail.crashoverburn.com"; - domains = [ "mail.crashoverburn.com" "crashoverburn.com" ]; - enable = true; - # A list of all login accounts. To create the password hashes, use - # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' - loginAccounts = { - "crash@crashoverburn.com" = { - inherit hashedPasswordFile; - aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ]; - }; - }; - certificateScheme = "acme-nginx"; - }; -}
\ No newline at end of file + mailserver = { + stateVersion = 3; + fqdn = "mail.crashoverburn.com"; + domains = [ "mail.crashoverburn.com" "crashoverburn.com" ]; + enable = true; + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + loginAccounts = { + "crash@crashoverburn.com" = { + inherit hashedPasswordFile; + aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ]; + }; + }; + certificateScheme = "acme-nginx"; + }; +} diff --git a/services/movim.nix b/services/movim.nix index 25759a4..27b273b 100644 --- a/services/movim.nix +++ b/services/movim.nix @@ -1,24 +1,28 @@ { fqdn }: { config, lib, pkgs, inputs, ... }: let - certs = config.security.acme.certs; - certDirectory = "${certs.${fqdn}.directory}"; - port = config.services.murmur.port; - dbfolder = "/persist/replicable/murmur/murmur.sqlite"; + port =2024; in { - users.groups.ejabberd-cert.members = [ "ejabberd" "nginx" ]; +# Nginx configuration + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; services.movim = { enable = true; - domain = "social.${fqdn}"; + domain = "${fqdn}"; + port = 2024; # WebSocket port + podConfig = { - locale = "en"; + timezone = "UTC"; description = "OverBurnSocial"; xmppdomain = fqdn; }; - serverAliases = [ - "pics.${config.movim.domain}" - ]; - enableACME = true; - forceHttps = true; - }; -}; + nginx = + { + forceSSL = true; + useACMEHost = "crashoverburn.com"; + }; + }; +} diff --git a/services/murmur.nix b/services/murmur.nix index e3d5d60..f40774f 100644 --- a/services/murmur.nix +++ b/services/murmur.nix @@ -1,4 +1,4 @@ -{ fqdn } :{ pkgs, config, self, ... }: +{ fqdn }: { pkgs, config, self, ... }: let certs = config.security.acme.certs; certDirectory = "${certs.${fqdn}.directory}"; 
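Review bot: In services/movim.nix the new `let port =2024; in` binding is never used — `services.movim.port = 2024;` repeats the literal — so the two can drift apart without any error. Either drop the binding or write `inherit port;` in `services.movim` and fix the spacing to `port = 2024;`. The `podConfig` change from `locale` to `timezone = "UTC"` and the move to `useACMEHost = "crashoverburn.com"` rely on the `social` SAN declared in services/website.nix, which is present there.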
@@ -36,7 +36,7 @@ in bandwidth = 64000000; clientCertRequired = true; hostName = "10.0.1.30"; -# registerHostname = "${fqdn}"; + # registerHostname = "${fqdn}"; #registerName = "crashoverburn.com"; sslCert = "${certDirectory}/fullchain.pem"; sslKey = "${certDirectory}/key.pem"; @@ -53,21 +53,21 @@ in security.acme.certs.${fqdn} = { group = "murmur-cert"; postRun = "systemctl restart murmur.service"; + webroot = "/var/lib/acme/acme-challenge/"; }; users.groups.murmur-cert.members = [ "murmur" "nginx" ]; - - services.nginx = { - enable = true; - virtualHosts.${fqdn} = { - listenAddresses = [ - "10.0.1.30" - ]; - #useACMEHost = "crashoverburn.com"; - enableACME = true; - forceSSL = true; - locations."/".return = "301 https://crashoverburn.com"; - }; - }; +# services.nginx = { +# enable = true; +# virtualHosts.${fqdn} = { +# listenAddresses = [ +# "10.0.1.30" +# ]; +# useACMEHost = "crashoverburn.com"; +# #enableACME = true; +# forceSSL = true; +# locations."/".return = "301 https://crashoverburn.com/mumble"; +# }; +# }; } diff --git a/services/website.nix b/services/website.nix index d36f538..784f3b3 100644 --- a/services/website.nix +++ b/services/website.nix 
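Review bot: `webroot = "/var/lib/acme/acme-challenge/";` switches the `mumble.*` certificate to HTTP-01 webroot validation, but the only nginx virtualHost for that name is commented out in the same hunk, so unless a default port-80 vhost answers for `mumble.${fqdn}` and serves that directory, issuance and renewal of this certificate will fail (the concrete hostname comes from the flake's `fqdn`, which is outside this diff). If the redirect vhost is meant to stay disabled, a minimal vhost for that name with `enableACME = true;` — or DNS-01 validation — is needed; otherwise the commented block should be removed rather than kept as dead configuration. The `services.murmur` attribute set at the top of the hunk starts before it.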
@@ -1,14 +1,37 @@ { webroot }: { config, lib, pkgs, ... }: +let +fqdn = "crashoverburn.com"; +in { - services.nginx.enable = true; - services.nginx.virtualHosts."crashoverburn.com" = { - addSSL = true; - enableACME = true; - root = webroot; + users.users.nginx.extraGroups = [ "acme" ]; + security.acme.certs."${fqdn}" = + { + extraDomainNames= map (x: "${x}.${fqdn}") + [ + "pubsub" + "proxy" + "upload" + "conference" + "social" + "pics.social" + ]; + webroot = "/var/lib/acme/acme-challenge/"; }; - services.nginx.virtualHosts."crashoverburn.online" = { - addSSL = true; - enableACME = true; - root = webroot; + services.nginx = { + enable = true; + virtualHosts = { + "${fqdn}" = { + forceSSL = true; + enableACME = true; + #useACMEHost = "crashoverburn.com"; + locations."/".root = webroot; + }; + "crashoverburn.online" = { + forceSSL = true; + #useACMEHost = "crashoverburn.com"; + enableACME = true; + locations."/".root = webroot; + }; + }; }; } |
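Review bot: `users.users.nginx.extraGroups = [ "acme" ];` gives nginx read access to every certificate kept under the default `acme` group, not only the one it serves, whereas services/ejabberd.nix and services/murmur.nix already use the narrower pattern of a dedicated `*-cert` group with nginx as a member; if the `crashoverburn.com` certificate ends up in `ejabberd-cert` (it will when the flake's `fqdn` is "crashoverburn.com", which this diff does not show), the `acme` grant is redundant and could be dropped. On style, `fqdn = "crashoverburn.com";` inside `let` sits at column 0 and `extraDomainNames= map` lacks a space before `=`, unlike the rest of the reformatted files. The `#useACMEHost` comments under both vhosts contradict the active `enableACME = true;` and should go.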
