-rw-r--r--flake.lock53
-rw-r--r--flake.nix35
-rw-r--r--machines/overburn-1.nix24
-rw-r--r--openstack.nix6
-rw-r--r--services/cgit.nix26
-rw-r--r--services/ejabberd.nix425
-rw-r--r--services/mailserver.nix33
-rw-r--r--services/movim.nix32
-rw-r--r--services/murmur.nix30
-rw-r--r--services/website.nix41
10 files changed, 367 insertions, 338 deletions
diff --git a/flake.lock b/flake.lock
index acf4950..345c5f2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -45,11 +45,11 @@
]
},
"locked": {
- "lastModified": 1742649964,
- "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
+ "lastModified": 1750779888,
+ "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "git-hooks.nix",
- "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+ "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
@@ -85,11 +85,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1733802073,
- "narHash": "sha256-6yW93R6xXw8izoPWn6Mu46jgJkKK8v79OTpnPBtI7ng=",
+ "lastModified": 1755705508,
+ "narHash": "sha256-2xmMgKwvgof0Yjio/UP+g5y+K2OYwxQo186antX2v68=",
"owner": "DarthPJB",
"repo": "nixinate",
- "rev": "67d3d72077ba9638295e7857c1b8cbf3a160560d",
+ "rev": "edf603eed92c5c93b301b056c243b360da74a474",
"type": "github"
},
"original": {
@@ -116,11 +116,11 @@
},
"nixpkgs-25_05": {
"locked": {
- "lastModified": 1747610100,
- "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
+ "lastModified": 1753749649,
+ "narHash": "sha256-+jkEZxs7bfOKfBIk430K+tK9IvXlwzqQQnppC2ZKFj4=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
+ "rev": "1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a",
"type": "github"
},
"original": {
@@ -164,27 +164,11 @@
},
"nixpkgs_4": {
"locked": {
- "lastModified": 1747179050,
- "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
+ "lastModified": 1753939845,
+ "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_unstable": {
- "locked": {
- "lastModified": 1747744144,
- "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
+ "rev": "94def634a20494ee057c76998843c015909d6311",
"type": "github"
},
"original": {
@@ -198,7 +182,6 @@
"inputs": {
"nixinate": "nixinate",
"nixpkgs": "nixpkgs_2",
- "nixpkgs_unstable": "nixpkgs_unstable",
"secrix": "secrix",
"simple-nixos-mailserver": "simple-nixos-mailserver"
}
@@ -208,11 +191,11 @@
"nixpkgs": "nixpkgs_3"
},
"locked": {
- "lastModified": 1746643487,
- "narHash": "sha256-dcB/DArJObCvqE/ZEdQSDW2BZMeDyF83Se5KPfJvz60=",
+ "lastModified": 1753137768,
+ "narHash": "sha256-bCQ8IHak1hF38amAgz2YKIEwteU5eAkgoC0fwfoRxO0=",
"owner": "platonic-systems",
"repo": "secrix",
- "rev": "4c64203fa5b377953b1fb6d5388187df8b60c6d5",
+ "rev": "f783b038ee639a589affcf3c612187dafcfa0476",
"type": "github"
},
"original": {
@@ -230,11 +213,11 @@
"nixpkgs-25_05": "nixpkgs-25_05"
},
"locked": {
- "lastModified": 1747965231,
- "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
+ "lastModified": 1754605910,
+ "narHash": "sha256-kVWxzm44ywJTb4REfwWCYXnROISykG0yE+X5A3Gov24=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
- "rev": "53007af63fade28853408370c4c600a63dd97f41",
+ "rev": "57d9624c71ca65bee69b30d72b11f6c5257e9500",
"type": "gitlab"
},
"original": {
diff --git a/flake.nix b/flake.nix
index 696b91b..cf325d8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,15 +1,15 @@
{
description = "CrashOverBurn.com";
-# TODO: cgit, ejabber signup
+ # TODO: cgit, ejabber signup
inputs = {
nixinate.url = "github:DarthPJB/nixinate";
secrix.url = "github:platonic-systems/secrix";
- nixpkgs_unstable.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
+ #nixpkgs_unstable.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
};
- outputs = inputs@{ self, nixpkgs, secrix, nixinate, nixpkgs_unstable, simple-nixos-mailserver }:
+ outputs = inputs@{ self, nixpkgs, secrix, nixinate, simple-nixos-mailserver }:
let
inherit (inputs.secrix) secrix;
pkgs = nixpkgs.legacyPackages.x86_64-linux;
@@ -19,7 +19,7 @@
in
{
formatter.x86_64-linux = pkgs.nixpkgs-fmt;
- apps.x86_64-linux = (inputs.nixinate.nixinate.x86_64-linux inputs.self).nixinate // ({ secrix = secrix self; });
+ apps.x86_64-linux = (nixinate.nixinate.x86_64-linux inputs.self).nixinate // ({ secrix = secrix self; });
devShell.x86_64-linux =
pkgs.mkShell {
buildInputs = with pkgs; [ figlet tmux ];
@@ -67,31 +67,32 @@
./users/commander.nix
(import ./services/cgit.nix { fqdn = "code.${fqdn}"; })
(import ./services/murmur.nix { fqdn = "mumble.${fqdn}"; })
- (import ./services/movim.nix { fqdn = "mumble.${fqdn}"; })
+ (import ./services/movim.nix { fqdn = "social.${fqdn}"; })
(import ./services/website.nix { inherit webroot; })
(import ./services/ejabberd.nix { inherit fqdn; })
(import ./services/mailserver.nix { inherit hashedPasswordFile; })
./machines/overburn-1.nix
- {
+ {
secrix.hostPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3ElH/WQjW3B2yUBFFPpF8IIHsYrHODwTid6YM2npiw root@web-crash-over-burn";
secrix.defaultEncryptKeys = {
- crash = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com" ];
+ crash = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com" ];
};
imports = [
- "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix"
+ "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix"
];
- _module.args =
- {
+ _module.args =
+ {
inherit self inputs;
nixinate = {
- host = "193.16.42.36";
- sshUser = "commander";
- substituteOnTarget = true;
- hermetic = true;
- buildOn = "local";
+ host = "193.16.42.36";
+ port = 1108;
+ sshUser = "commander";
+ substituteOnTarget = false;
+ hermetic = true;
+ buildOn = "local";
};
- };
- }
+ };
+ }
];
};
};
diff --git a/machines/overburn-1.nix b/machines/overburn-1.nix
index 7bed4e3..7b12a98 100644
--- a/machines/overburn-1.nix
+++ b/machines/overburn-1.nix
@@ -1,17 +1,17 @@
{ webroot, fqdn, pkgs, ... }:
let
- top_level_domain = "crashoverburn.com";
-in
+ top_level_domain = "crashoverburn.com";
+in
{
- networking.hostName = "crashoverburn-1";
- security.acme = {
- acceptTerms = true;
- defaults.email = "postmaster@mail.crashoverburn.com";
- };
+ networking.hostName = "crashoverburn-1";
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "postmaster@mail.crashoverburn.com";
+ };
- environment.systemPackages = [
- pkgs.btop
- pkgs.tmux
- pkgs.neovim
- ];
+ environment.systemPackages = [
+ pkgs.btop
+ pkgs.tmux
+ pkgs.neovim
+ ];
}
diff --git a/openstack.nix b/openstack.nix
index fb16308..4424fc9 100644
--- a/openstack.nix
+++ b/openstack.nix
@@ -2,7 +2,7 @@
{
nix = {
settings.trusted-users = [ "root" "commander" ];
- package = pkgs.nixVersions.latest; #Unstable;
+ package = pkgs.nixVersions.latest;
extraOptions = ''
experimental-features = nix-command flakes
'';
@@ -18,11 +18,11 @@
};
# Enable the OpenSSH daemon.
services.openssh.enable = true;
- services.openssh.ports = [ 1108 22 ];
+ services.openssh.ports = [ 1108 ];
services.openssh.settings.PermitRootLogin = lib.mkForce "no";
services.openssh.settings.PasswordAuthentication = false;
# Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [ 1108 22 ];
+ networking.firewall.allowedTCPPorts = [ 1108 80 443 ];
networking.firewall.allowedUDPPorts = [ ];
# Configure keymap in X11
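Review bot: Dropping 22 leaves 1108 as the only SSH entry point, but key-only login still depends on `KbdInteractiveAuthentication`, which (as far as I recall — verify against the 25.05 module) the NixOS openssh module leaves enabled by default; `PasswordAuthentication = false` alone does not stop a PAM password prompt through keyboard-interactive. Add `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the PasswordAuthentication line. The new 80/443 entries match the nginx vhosts introduced elsewhere in this commit, and 1108 agrees with the nixinate `port` added in flake.nix; anything that still expects 22 (the deploy host's known_hosts entry, any monitoring) should be updated before the generation that removes it is activated, since a failed deploy would otherwise lock you out.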
diff --git a/services/cgit.nix b/services/cgit.nix
index fcfa77f..72f94dc 100644
--- a/services/cgit.nix
+++ b/services/cgit.nix
@@ -1,8 +1,8 @@
-{ fqdn } :{ pkgs, ... }:
+{ fqdn }: { pkgs, ... }:
{
- services.uwsgi = {
+ services.uwsgi = {
enable = true;
- user = "public";
+ user = "public";
group = "nginx";
plugins = [ "cgi" "python3" ];
@@ -24,7 +24,7 @@
services.gitolite = {
enable = true;
- user = "git";
+ user = "git";
group = "git";
adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com";
extraGitoliteRc = ''
@@ -33,16 +33,16 @@
'';
};
- users.extraUsers.public =
- {
- extraGroups = [ "git" "nginx"];
- isSystemUser = true;
- group = "users";
- };
+ users.extraUsers.public =
+ {
+ extraGroups = [ "git" "nginx" ];
+ isSystemUser = true;
+ group = "users";
+ };
services.nginx.virtualHosts."${fqdn}" = {
- addSSL = true;
- enableACME = true;
+ forceSSL = true;
+ useACMEHost = "crashoverburn.com";
root = "${pkgs.cgit}/cgit";
locations = {
"/" = {
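Review bot: `useACMEHost = "crashoverburn.com"` serves this vhost, whose name is `code.${fqdn}` per flake.nix, with the shared certificate, but the `extraDomainNames` declared for that certificate in services/website.nix in this same commit (pubsub, proxy, upload, conference, social, pics.social) do not include `code`, so browsers will see a name mismatch unless the SAN is added somewhere not shown here. Either add `"code"` to that list or keep `enableACME = true;` on this vhost. Separately, the `public` uwsgi user is now in the `git` group, which lets cgit read every gitolite repository directly; gitolite's read ACLs do not apply on that path, so if any repository is meant to be private the set exposed to cgit needs to be constrained (e.g. via gitolite's projects.list) — the `extraGitoliteRc` contents are outside this hunk, so I cannot tell whether that is already done.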
@@ -58,7 +58,7 @@
uwsgi_read_timeout 600;
'';
};
- };
+ };
};
systemd.services.create-cgit-cache = {
diff --git a/services/ejabberd.nix b/services/ejabberd.nix
index f2057ac..935a409 100644
--- a/services/ejabberd.nix
+++ b/services/ejabberd.nix
@@ -1,6 +1,6 @@
{ fqdn }: { config, lib, pkgs, inputs, ... }:
let
- unstable = inputs.nixpkgs_unstable.legacyPackages.x86_64-linux;
+ #unstable = inputs.nixpkgs_unstable.legacyPackages.x86_64-linux;
inherit (builtins) toJSON;
inherit (pkgs) writeText;
inherit (pkgs.lib.lists) foldl';
@@ -9,236 +9,253 @@ let
certs = config.security.acme.certs;
certDirectory = certs.${fqdn}.directory;
-in {
+in
+{
services.ejabberd = {
enable = true;
imagemagick = true;
- configFile = let
- toPaths = s: mapAttrs' (n: v: nameValuePair "/${n}" v) s;
- dhfile = config.security.dhparams.params.nginx.path;
- toACLs = map (x: { acl = x; });
- in writeText "ejabberd.yml" (toJSON {
- hosts = [ fqdn ];
- loglevel = 4;
- s2s_cafile = "/etc/ssl/certs/ca-certificates.crt";
- ca_file = "/etc/ssl/certs/ca-certificates.crt";
- certfiles = [ "${certDirectory}/*.pem" ];
- listen = map (x: x // { ip = "10.0.1.30"; }) [
- {
- inherit dhfile;
- port = 5222;
- module = "ejabberd_c2s";
- max_stanza_size = 262144;
- shaper = "c2s_shaper";
- access = "c2s";
- starttls_required = true;
- }
- {
- inherit dhfile;
- port = 5223;
- tls = true;
- module = "ejabberd_c2s";
- max_stanza_size = 262144;
- shaper = "c2s_shaper";
- access = "c2s";
- starttls_required = true;
- }
- {
- inherit dhfile;
- port = 5269;
- module = "ejabberd_s2s_in";
- max_stanza_size = 524288;
- }
- {
- inherit dhfile;
- port = 5443;
- module = "ejabberd_http";
- tls = true;
- request_handlers = toPaths {
- admin = "ejabberd_web_admin";
- api = "mod_http_api";
- bosh = "mod_bosh";
- captcha = "ejabberd_captcha";
- upload = "mod_http_upload";
- ws = "ejabberd_http_ws";
- };
- }
- {
- inherit dhfile;
- port = 5280;
- module = "ejabberd_http";
- request_handlers = toPaths {
- admin = "ejabberd_web_admin";
- ".well-known/acme-challenge" = "ejabberd_acme";
- };
- }
- {
- port = 3478;
- transport = "udp";
- module = "ejabberd_stun";
- use_turn = true;
- turn_ipv4_address = "193.16.42.36";
- }
- {
- port = 1883;
- module = "mod_mqtt";
- backlog = 1000;
- }
- ];
- s2s_use_starttls = "required";
- acl = {
- local.user_regexp = "";
- loopback.ip = [
- "127.0.0.1/8"
- "::1/128"
+ configFile =
+ let
+ toPaths = s: mapAttrs' (n: v: nameValuePair "/${n}" v) s;
+ dhfile = config.security.dhparams.params.nginx.path;
+ toACLs = map (x: { acl = x; });
+ in
+ writeText "ejabberd.yml" (toJSON {
+ hosts = [ fqdn ];
+ loglevel = 4;
+ s2s_cafile = "/etc/ssl/certs/ca-certificates.crt";
+ ca_file = "/etc/ssl/certs/ca-certificates.crt";
+ certfiles = [ "${certDirectory}/*.pem" ];
+ listen = map (x: x // { ip = "10.0.1.30"; }) [
+ {
+ inherit dhfile;
+ port = 5222;
+ module = "ejabberd_c2s";
+ max_stanza_size = 262144;
+ shaper = "c2s_shaper";
+ access = "c2s";
+ starttls_required = true;
+ }
+ {
+ inherit dhfile;
+ port = 5223;
+ tls = true;
+ module = "ejabberd_c2s";
+ max_stanza_size = 262144;
+ shaper = "c2s_shaper";
+ access = "c2s";
+ starttls_required = true;
+ }
+ {
+ inherit dhfile;
+ port = 5269;
+ module = "ejabberd_s2s_in";
+ max_stanza_size = 524288;
+ }
+ {
+ inherit dhfile;
+ port = 5443;
+ module = "ejabberd_http";
+ tls = true;
+ request_handlers = toPaths {
+ admin = "ejabberd_web_admin";
+ api = "mod_http_api";
+ bosh = "mod_bosh";
+ captcha = "ejabberd_captcha";
+ upload = "mod_http_upload";
+ ws = "ejabberd_http_ws";
+ };
+ }
+ {
+ inherit dhfile;
+ port = 5280;
+ module = "ejabberd_http";
+ request_handlers = toPaths {
+ admin = "ejabberd_web_admin";
+ ".well-known/acme-challenge" = "ejabberd_acme";
+ };
+ }
+ {
+ port = 3478;
+ transport = "udp";
+ module = "ejabberd_stun";
+ use_turn = true;
+ turn_ipv4_address = "193.16.42.36";
+ }
+ {
+ port = 1883;
+ module = "mod_mqtt";
+ backlog = 1000;
+ }
];
- admin.user = [ "crash@${fqdn}" ];
- };
- access_rules = {
- c2s = {
- deny = "blocked";
- allow = "all";
+ s2s_use_starttls = "required";
+ acl = {
+ local.user_regexp = "";
+ loopback.ip = [
+ "127.0.0.1/8"
+ "::1/128"
+ ];
+ admin.user = [ "crash@${fqdn}" ];
};
- } // mapAttrs' (n: v: nameValuePair n { allow = v; }) {
- local = "local";
- announce = "admin";
- configure = "admin";
- muc_create = "local";
- pubsub_createnode = "local";
- trusted_network = "loopback";
- };
- api_permissions = {
- "console commands" = {
- from = [ "ejabberd_ctl" ];
- who = "all";
- what = "*";
+ access_rules = {
+ c2s = {
+ deny = "blocked";
+ allow = "all";
+ };
+ } // mapAttrs' (n: v: nameValuePair n { allow = v; }) {
+ local = "local";
+ announce = "admin";
+ configure = "admin";
+ muc_create = "local";
+ pubsub_createnode = "local";
+ trusted_network = "loopback";
};
- "admin access" = {
- who = {
- access.allow = toACLs [
- "local"
- "admin"
- ];
- oauth = {
- scope = "ejabberd:admin";
+ api_permissions = {
+ "console commands" = {
+ from = [ "ejabberd_ctl" ];
+ who = "all";
+ what = "*";
+ };
+ "admin access" = {
+ who = {
access.allow = toACLs [
- "loopback"
+ "local"
"admin"
];
+ oauth = {
+ scope = "ejabberd:admin";
+ access.allow = toACLs [
+ "loopback"
+ "admin"
+ ];
+ };
};
+ what = [
+ "*"
+ "!stop"
+ "!start"
+ ];
};
- what = [
- "*"
- "!stop"
- "!start"
- ];
- };
- "public commands" = {
- who.ip = "127.0.0.1/8";
- what = [
- "status"
- "connected_users_number"
- ];
- };
- };
- shaper = {
- normal = {
- rate = 3000;
- burst_size = 20000;
- };
- fast = 100000;
- };
- shaper_rules = {
- max_user_sessions = 10;
- max_user_offline_messages = {
- "5000" = "admin";
- "100" = "all";
- };
- c2s_shaper = {
- none = "admin";
- normal = "all";
- };
- s2s_shaper = "fast";
- };
- modules = mapAttrs' (n: v: nameValuePair "mod_${n}" v) ({
- announce.access = "announce";
- http_upload = {
- put_url = "https://@HOST@:5443/upload";
- custom_headers = {
- Access-Control-Allow-Origin = "https://@HOST@";
- Access-Control-Allow-Methods = "GET,HEAD,PUT,OPTIONS";
- Access-Control-Allow-Headers = "Content-Type";
+ "public commands" = {
+ who.ip = "127.0.0.1/8";
+ what = [
+ "status"
+ "connected_users_number"
+ ];
};
};
- mam = {
- assume_mam_usage = true;
- default = "always";
- };
- muc = {
- access = [ "allow" ];
- access_admin = [ { allow = "admin"; } ];
- access_create = "muc_create";
- access_persistent = "muc_create";
- access_mam = [ "allow" ];
- default_room_options.mam = true;
- };
- offline.access_max_user_messages = "max_user_offline_messages";
- proxy65 = {
- access = "local";
- max_connections = 5;
+ shaper = {
+ normal = {
+ rate = 3000;
+ burst_size = 20000;
+ };
+ fast = 100000;
};
- pubsub = {
- access_createnode = "pubsub_createnode";
- plugins = [
- "flat"
- "pep"
- ];
- force_node_config."storage:bookmarks".access_model = "whitelist";
+ shaper_rules = {
+ max_user_sessions = 10;
+ max_user_offline_messages = {
+ "5000" = "admin";
+ "100" = "all";
+ };
+ c2s_shaper = {
+ none = "admin";
+ normal = "all";
+ };
+ s2s_shaper = "fast";
};
- register.ip_access = "trusted_network";
- roster.versioning = true;
- stream_mgmt.resend_on_timeout = "if_offline";
- version.show_os = false;
- } // foldl' (a: x: a // { ${x} = {}; }) {} [
- "adhoc" "admin_extra" "avatar"
- "blocking" "bosh"
- "caps" "carboncopy" "client_state" "configure"
- "disco"
- "fail2ban"
- "http_api"
- "last"
- "mqtt" "muc_admin"
- "ping" "privacy" "private" "push" "push_keepalive"
- "s2s_dialback" "shared_roster" "stun_disco"
- "vcard" "vcard_xupdate"
- ]);
- });
- package = unstable.ejabberd.override {
+ modules = mapAttrs' (n: v: nameValuePair "mod_${n}" v) ({
+ announce.access = "announce";
+ http_upload = {
+ put_url = "https://@HOST@:5443/upload";
+ custom_headers = {
+ Access-Control-Allow-Origin = "https://@HOST@";
+ Access-Control-Allow-Methods = "GET,HEAD,PUT,OPTIONS";
+ Access-Control-Allow-Headers = "Content-Type";
+ };
+ };
+ mam = {
+ assume_mam_usage = true;
+ default = "always";
+ };
+ muc = {
+ access = [ "allow" ];
+ access_admin = [{ allow = "admin"; }];
+ access_create = "muc_create";
+ access_persistent = "muc_create";
+ access_mam = [ "allow" ];
+ default_room_options.mam = true;
+ };
+ offline.access_max_user_messages = "max_user_offline_messages";
+ proxy65 = {
+ access = "local";
+ max_connections = 5;
+ };
+ pubsub = {
+ access_createnode = "pubsub_createnode";
+ plugins = [
+ "flat"
+ "pep"
+ ];
+ force_node_config."storage:bookmarks".access_model = "whitelist";
+ };
+ register.ip_access = "trusted_network";
+ roster.versioning = true;
+ stream_mgmt.resend_on_timeout = "if_offline";
+ version.show_os = false;
+ } // foldl' (a: x: a // { ${x} = { }; }) { } [
+ "adhoc"
+ "admin_extra"
+ "avatar"
+ "blocking"
+ "bosh"
+ "caps"
+ "carboncopy"
+ "client_state"
+ "configure"
+ "disco"
+ "fail2ban"
+ "http_api"
+ "last"
+ "mqtt"
+ "muc_admin"
+ "ping"
+ "privacy"
+ "private"
+ "push"
+ "push_keepalive"
+ "s2s_dialback"
+ "shared_roster"
+ "stun_disco"
+ "vcard"
+ "vcard_xupdate"
+ ]);
+ });
+ package = pkgs.ejabberd.override {
withZlib = true;
withTools = true;
};
};
security.acme.certs.${fqdn} = {
- extraDomainNames = map (x: "${x}.${fqdn}") [
- "pubsub"
- "proxy"
- "upload"
- "conference"
- ];
+# extraDomainNames = map (x: "${x}.${fqdn}") [
+# "pubsub"
+# "proxy"
+# "upload"
+# "conference"
+# ];
group = "ejabberd-cert";
postRun = "systemctl restart ejabberd.service";
};
users.groups.ejabberd-cert.members = [ "ejabberd" "nginx" ];
security.dhparams = {
enable = true;
- params.nginx = {};
+ params.nginx = { };
};
networking.firewall.allowedTCPPorts = [
- 5222 # xmpp-client
- 5223 # xmpp-client
- 5269 # xmpp-server
- 5280 # xmpp-bosh
- 5443 # https
- 3478 # xmpp-stun
+ 5222 # xmpp-client
+ 5223 # xmpp-client
+ 5269 # xmpp-server
+ 5280 # xmpp-bosh
+ 5443 # https
+ 3478 # xmpp-stun
];
}
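Review bot: The `"admin access"` rule at `access.allow = toACLs [ "local" "admin" ]` grants every local account mod_http_api access to every command except start/stop, because the `local` ACL is declared as `user_regexp = ""`, which matches all users on the served host; ejabberd's stock configuration uses `loopback` in that position and reserves admin commands for the `admin` ACL. Change it to `toACLs [ "loopback" "admin" ]` so that only `crash@${fqdn}` and callers on the host itself can drive the API. The 5280 listener also exposes `ejabberd_web_admin` without TLS and 5280 is opened in the firewall list at the bottom of the file, so admin credentials would travel in the clear; drop the `admin` handler from that listener (leaving only the acme-challenge path) or bind it to loopback instead of 10.0.1.30. These lines are re-indented rather than new, but since the whole block is being rewritten this is the place to fix them; the switch from `unstable.ejabberd` to `pkgs.ejabberd` and moving `extraDomainNames` to website.nix look fine as long as the shared cert still carries the pubsub/proxy/upload/conference names, which website.nix shows it does.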
diff --git a/services/mailserver.nix b/services/mailserver.nix
index 3bd75a4..7807e0b 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -1,17 +1,18 @@
-{ hashedPasswordFile } :{ pkgs,... }:
+{ hashedPasswordFile }: { pkgs, ... }:
{
- mailserver = {
- fqdn = "mail.crashoverburn.com";
- domains = [ "mail.crashoverburn.com" "crashoverburn.com" ];
- enable = true;
- # A list of all login accounts. To create the password hashes, use
- # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
- loginAccounts = {
- "crash@crashoverburn.com" = {
- inherit hashedPasswordFile;
- aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ];
- };
- };
- certificateScheme = "acme-nginx";
- };
-} \ No newline at end of file
+ mailserver = {
+ stateVersion = 3;
+ fqdn = "mail.crashoverburn.com";
+ domains = [ "mail.crashoverburn.com" "crashoverburn.com" ];
+ enable = true;
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "crash@crashoverburn.com" = {
+ inherit hashedPasswordFile;
+ aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ];
+ };
+ };
+ certificateScheme = "acme-nginx";
+ };
+}
diff --git a/services/movim.nix b/services/movim.nix
index 25759a4..27b273b 100644
--- a/services/movim.nix
+++ b/services/movim.nix
@@ -1,24 +1,28 @@
{ fqdn }: { config, lib, pkgs, inputs, ... }:
let
- certs = config.security.acme.certs;
- certDirectory = "${certs.${fqdn}.directory}";
- port = config.services.murmur.port;
- dbfolder = "/persist/replicable/murmur/murmur.sqlite";
+ port =2024;
in
{
- users.groups.ejabberd-cert.members = [ "ejabberd" "nginx" ];
+# Nginx configuration
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
services.movim = {
enable = true;
- domain = "social.${fqdn}";
+ domain = "${fqdn}";
+ port = 2024; # WebSocket port
+
podConfig = {
- locale = "en";
+ timezone = "UTC";
description = "OverBurnSocial";
xmppdomain = fqdn;
};
- serverAliases = [
- "pics.${config.movim.domain}"
- ];
- enableACME = true;
- forceHttps = true;
- };
-};
+ nginx =
+ {
+ forceSSL = true;
+ useACMEHost = "crashoverburn.com";
+ };
+ };
+}
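Review bot: `xmppdomain = fqdn` now points Movim at `social.crashoverburn.com` (the value passed from flake.nix), whereas the ejabberd `hosts` list in services/ejabberd.nix is the bare `crashoverburn.com`; unless a `social.` XMPP host is configured somewhere not in this commit, logins through Movim will target a domain ejabberd does not serve. Pass the XMPP domain explicitly, e.g. `xmppdomain = "crashoverburn.com";`, or take it as a second module argument so the web name and the XMPP name are not conflated. The `port =2024;` let-binding is unused — the value is repeated literally at `port = 2024;` below — so either `inherit port;` there or drop the binding. The `useACMEHost = "crashoverburn.com"` choice is consistent with the `social` and `pics.social` SANs added in website.nix.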
diff --git a/services/murmur.nix b/services/murmur.nix
index e3d5d60..f40774f 100644
--- a/services/murmur.nix
+++ b/services/murmur.nix
@@ -1,4 +1,4 @@
-{ fqdn } :{ pkgs, config, self, ... }:
+{ fqdn }: { pkgs, config, self, ... }:
let
certs = config.security.acme.certs;
certDirectory = "${certs.${fqdn}.directory}";
@@ -36,7 +36,7 @@ in
bandwidth = 64000000;
clientCertRequired = true;
hostName = "10.0.1.30";
-# registerHostname = "${fqdn}";
+ # registerHostname = "${fqdn}";
#registerName = "crashoverburn.com";
sslCert = "${certDirectory}/fullchain.pem";
sslKey = "${certDirectory}/key.pem";
@@ -53,21 +53,21 @@ in
security.acme.certs.${fqdn} = {
group = "murmur-cert";
postRun = "systemctl restart murmur.service";
+ webroot = "/var/lib/acme/acme-challenge/";
};
users.groups.murmur-cert.members = [ "murmur" "nginx" ];
-
- services.nginx = {
- enable = true;
- virtualHosts.${fqdn} = {
- listenAddresses = [
- "10.0.1.30"
- ];
- #useACMEHost = "crashoverburn.com";
- enableACME = true;
- forceSSL = true;
- locations."/".return = "301 https://crashoverburn.com";
- };
- };
+# services.nginx = {
+# enable = true;
+# virtualHosts.${fqdn} = {
+# listenAddresses = [
+# "10.0.1.30"
+# ];
+# useACMEHost = "crashoverburn.com";
+# #enableACME = true;
+# forceSSL = true;
+# locations."/".return = "301 https://crashoverburn.com/mumble";
+# };
+# };
}
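Review bot: The certificate for `mumble.${fqdn}` is switched to `webroot = "/var/lib/acme/acme-challenge/"` in the same hunk that comments out the nginx vhost which answered HTTP for that name, so nothing visible in this commit serves `/.well-known/acme-challenge/` for mumble.crashoverburn.com any more; challenge requests will fall through to nginx's default server, which none of the other vhosts here map to the ACME webroot, and the next renewal will fail. Keep a minimal vhost for `mumble.${fqdn}` with `enableACME = true;` (which also installs the challenge location), or add `"mumble"` to the shared certificate's `extraDomainNames` in services/website.nix and point `sslCert`/`sslKey` at that certificate's directory instead. The murmur listener settings (`clientCertRequired = true`, the 10.0.1.30 bind) are context here and unchanged.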
diff --git a/services/website.nix b/services/website.nix
index d36f538..784f3b3 100644
--- a/services/website.nix
+++ b/services/website.nix
@@ -1,14 +1,37 @@
{ webroot }: { config, lib, pkgs, ... }:
+let
+fqdn = "crashoverburn.com";
+in
{
- services.nginx.enable = true;
- services.nginx.virtualHosts."crashoverburn.com" = {
- addSSL = true;
- enableACME = true;
- root = webroot;
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme.certs."${fqdn}" =
+ {
+ extraDomainNames= map (x: "${x}.${fqdn}")
+ [
+ "pubsub"
+ "proxy"
+ "upload"
+ "conference"
+ "social"
+ "pics.social"
+ ];
+ webroot = "/var/lib/acme/acme-challenge/";
};
- services.nginx.virtualHosts."crashoverburn.online" = {
- addSSL = true;
- enableACME = true;
- root = webroot;
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "${fqdn}" = {
+ forceSSL = true;
+ enableACME = true;
+ #useACMEHost = "crashoverburn.com";
+ locations."/".root = webroot;
+ };
+ "crashoverburn.online" = {
+ forceSSL = true;
+ #useACMEHost = "crashoverburn.com";
+ enableACME = true;
+ locations."/".root = webroot;
+ };
+ };
};
}
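Review bot: `users.users.nginx.extraGroups = [ "acme" ]` gives the nginx worker read access to every private key under `/var/lib/acme` that is group-owned by `acme`, not only the certificates it serves. The rest of this commit already uses the narrower pattern — ejabberd.nix and murmur.nix set a per-certificate `group` and add `nginx` to it — and, as far as I recall (verify with a build), the NixOS nginx module sets the certificate group to the nginx group for vhosts that use `enableACME`, so this line is likely unnecessary and should be removed if so. The explicit `webroot` on the `crashoverburn.com` certificate duplicates what `enableACME = true` on its vhost configures; if it is kept on purpose because ejabberd.nix extends the same certificate, say so: `# webroot is also set by enableACME on the vhost below; kept explicit because ejabberd.nix extends this cert`.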