-rw-r--r--flake.lock101
-rw-r--r--flake.nix13
-rw-r--r--openstack.nix2
-rw-r--r--secrets/gandi_dns01_token7
-rw-r--r--services/acme_server.nix23
-rw-r--r--services/ejabberd.nix13
-rw-r--r--services/mailserver.nix4
-rw-r--r--services/movim.nix28
-rw-r--r--services/murmur.nix27
-rw-r--r--services/website.nix44
10 files changed, 134 insertions, 128 deletions
diff --git a/flake.lock b/flake.lock
index 345c5f2..22243c5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -19,15 +19,15 @@
"flake-compat": {
"flake": false,
"locked": {
- "lastModified": 1747046372,
- "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
- "owner": "edolstra",
+ "lastModified": 1767039857,
+ "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+ "owner": "NixOS",
"repo": "flake-compat",
- "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+ "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
"type": "github"
},
"original": {
- "owner": "edolstra",
+ "owner": "NixOS",
"repo": "flake-compat",
"type": "github"
}
@@ -45,11 +45,11 @@
]
},
"locked": {
- "lastModified": 1750779888,
- "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+ "lastModified": 1769939035,
+ "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
"owner": "cachix",
"repo": "git-hooks.nix",
- "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+ "rev": "a8ca480175326551d6c4121498316261cbb5b260",
"type": "github"
},
"original": {
@@ -82,14 +82,16 @@
},
"nixinate": {
"inputs": {
- "nixpkgs": "nixpkgs"
+ "nixpkgs": [
+ "nixpkgs"
+ ]
},
"locked": {
- "lastModified": 1755705508,
- "narHash": "sha256-2xmMgKwvgof0Yjio/UP+g5y+K2OYwxQo186antX2v68=",
+ "lastModified": 1765412487,
+ "narHash": "sha256-nSpxVxFc9akfhKGB1G8PCa07k5k1yZehzb6q/mjI4cs=",
"owner": "DarthPJB",
"repo": "nixinate",
- "rev": "edf603eed92c5c93b301b056c243b360da74a474",
+ "rev": "0ce4103a3f5a0fd23cc3af60957adc00ddea06dc",
"type": "github"
},
"original": {
@@ -100,59 +102,27 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1653060744,
- "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "dfd82985c273aac6eced03625f454b334daae2e8",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs-25_05": {
- "locked": {
- "lastModified": 1753749649,
- "narHash": "sha256-+jkEZxs7bfOKfBIk430K+tK9IvXlwzqQQnppC2ZKFj4=",
+ "lastModified": 1771369470,
+ "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a",
+ "rev": "0182a361324364ae3f436a63005877674cf45efb",
"type": "github"
},
"original": {
"owner": "NixOS",
- "ref": "nixos-25.05",
+ "ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1755593991,
- "narHash": "sha256-BA9MuPjBDx/WnpTJ0EGhStyfE7hug8g85Y3Ju9oTsM4=",
+ "lastModified": 1763678758,
+ "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "a58390ab6f1aa810eb8e0f0fc74230e7cc06de03",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixos-25.05",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_3": {
- "locked": {
- "lastModified": 1694959747,
- "narHash": "sha256-CXQ2MuledDVlVM5dLC4pB41cFlBWxRw4tCBsFrq3cRk=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "970a59bd19eff3752ce552935687100c46e820a5",
+ "rev": "117cc7f94e8072499b0a7aa4c52084fa4e11cc9b",
"type": "github"
},
"original": {
@@ -162,18 +132,18 @@
"type": "github"
}
},
- "nixpkgs_4": {
+ "nixpkgs_3": {
"locked": {
- "lastModified": 1753939845,
- "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=",
+ "lastModified": 1770650459,
+ "narHash": "sha256-hGeOnueXorzwDD1V9ldZr+y+zad4SNyqMnQsa/mIlvI=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "94def634a20494ee057c76998843c015909d6311",
+ "rev": "fff0554c67696d76a0cdd9cfe14403fbdbf1f378",
"type": "github"
},
"original": {
"owner": "NixOS",
- "ref": "nixos-unstable",
+ "ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
@@ -181,21 +151,21 @@
"root": {
"inputs": {
"nixinate": "nixinate",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs",
"secrix": "secrix",
"simple-nixos-mailserver": "simple-nixos-mailserver"
}
},
"secrix": {
"inputs": {
- "nixpkgs": "nixpkgs_3"
+ "nixpkgs": "nixpkgs_2"
},
"locked": {
- "lastModified": 1753137768,
- "narHash": "sha256-bCQ8IHak1hF38amAgz2YKIEwteU5eAkgoC0fwfoRxO0=",
+ "lastModified": 1763929380,
+ "narHash": "sha256-Yc7gZME/lcHoJH6bMPCG7CyjKWhOLJPqLI8MXtyKPHo=",
"owner": "platonic-systems",
"repo": "secrix",
- "rev": "f783b038ee639a589affcf3c612187dafcfa0476",
+ "rev": "c6e3ca7af47c329dcf442a3d017ae171eee5612f",
"type": "github"
},
"original": {
@@ -209,15 +179,14 @@
"blobs": "blobs",
"flake-compat": "flake-compat",
"git-hooks": "git-hooks",
- "nixpkgs": "nixpkgs_4",
- "nixpkgs-25_05": "nixpkgs-25_05"
+ "nixpkgs": "nixpkgs_3"
},
"locked": {
- "lastModified": 1754605910,
- "narHash": "sha256-kVWxzm44ywJTb4REfwWCYXnROISykG0yE+X5A3Gov24=",
+ "lastModified": 1770659507,
+ "narHash": "sha256-RVZno9CypFN3eHxfULKN1K7mb/Cq0HkznnWqnshxpWY=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
- "rev": "57d9624c71ca65bee69b30d72b11f6c5257e9500",
+ "rev": "781e833633ebc0873d251772a74e4400a73f5d78",
"type": "gitlab"
},
"original": {
diff --git a/flake.nix b/flake.nix
index cf325d8..e3cf8e4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,10 +2,13 @@
description = "CrashOverBurn.com";
# TODO: cgit, ejabber signup
inputs = {
- nixinate.url = "github:DarthPJB/nixinate";
+ nixinate = {
+ url = "github:DarthPJB/nixinate";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
secrix.url = "github:platonic-systems/secrix";
- #nixpkgs_unstable.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
- nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
+ nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
+ #nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
};
@@ -19,7 +22,7 @@
in
{
formatter.x86_64-linux = pkgs.nixpkgs-fmt;
- apps.x86_64-linux = (nixinate.nixinate.x86_64-linux inputs.self).nixinate // ({ secrix = secrix self; });
+ apps.x86_64-linux = (nixinate.lib.genDeploy.x86_64-linux self) // ({ secrix = secrix self; });
devShell.x86_64-linux =
pkgs.mkShell {
buildInputs = with pkgs; [ figlet tmux ];
@@ -65,6 +68,8 @@
inputs.secrix.nixosModules.default
./openstack.nix
./users/commander.nix
+
+ (import ./services/acme_server.nix { fqdn = "crashoverburn.com"; })
(import ./services/cgit.nix { fqdn = "code.${fqdn}"; })
(import ./services/murmur.nix { fqdn = "mumble.${fqdn}"; })
(import ./services/movim.nix { fqdn = "social.${fqdn}"; })
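Review bot: The new `acme_server.nix` import passes the literal `"crashoverburn.com"` while every sibling import on the following lines derives its argument from the `fqdn` binding already in scope (`"code.${fqdn}"`, `"mumble.${fqdn}"`). If `fqdn` is the apex name, `(import ./services/acme_server.nix { inherit fqdn; })` keeps the ACME module and the service modules from drifting apart when the domain changes. The enclosing module list starts and ends outside the hunk.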
diff --git a/openstack.nix b/openstack.nix
index 4424fc9..3af4393 100644
--- a/openstack.nix
+++ b/openstack.nix
@@ -2,7 +2,7 @@
{
nix = {
settings.trusted-users = [ "root" "commander" ];
- package = pkgs.nixVersions.latest;
+ package = pkgs.nixVersions.latest;
extraOptions = ''
experimental-features = nix-command flakes
'';
diff --git a/secrets/gandi_dns01_token b/secrets/gandi_dns01_token
new file mode 100644
index 0000000..423998c
--- /dev/null
+++ b/secrets/gandi_dns01_token
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 fT5adw zMOJktMt4vFGjWyktd1eVcMIel/bqjd4AxcyxNxkOj0
+D0ppBHBQXfFoqhdIZboEAA3CbaJxLkZwMQb+ExHI/q8
+-> ssh-ed25519 N8OrBw XOb30eQP06p9X0j5nGU/jEEmVOJRlC1QnaJ/g1+Hj14
+5M+St2/6qJ7/gwuBCkor/8kMs3VL8gExE905ulHARNg
+--- nUiyKRLforZ1ty5qFwkKY5oXxFYg+1I+V/h532aAFiI
+,C0G=1CsH uTDlAXaRB?P)^KYh 2E]S`쁔_a^{Gk %:jPJ \ No newline at end of file
diff --git a/services/acme_server.nix b/services/acme_server.nix
new file mode 100644
index 0000000..bd6961b
--- /dev/null
+++ b/services/acme_server.nix
@@ -0,0 +1,23 @@
+{ fqdn }: { pkgs, config, lib, ... }:
+let
+ inherit fqdn;
+in
+{
+ users.groups.acme = { };
+
+ /* trigger the actual certificate generation for additional hostname */
+ security.acme.certs."${fqdn}" = {
+ extraDomainNames = [ "mail.crashoverburn.com"];
+ };
+
+ secrix.system.secrets.dns01.encrypted.file = ../secrets/gandi_dns01_token;
+ # Configure ACME appropriately
+ security.acme.acceptTerms = true;
+ security.acme.defaults = {
+ dnsProvider = "gandiv5";
+ group = "acme";
+ environmentFile = config.secrix.system.secrets.dns01.decrypted.path;
+ # We don't need to wait for propagation since this is a local DNS server
+ dnsPropagationCheck = false;
+ };
+}
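Review bot: The comment above `dnsPropagationCheck = false;` says the DNS server is local, but `dnsProvider = "gandiv5"` points at Gandi's hosted API, so the propagation check is being skipped for a public zone and a challenge can be submitted before the TXT record is visible at the authoritative servers; either drop the flag and let the client poll, or reword the comment to give the actual reason. `extraDomainNames` hard-codes `"mail.crashoverburn.com"` even though the module takes `fqdn` (and the `inherit fqdn;` in the `let` is otherwise unused), so `extraDomainNames = [ "mail.${fqdn}" ];` keeps the module parameterised. Since `security.acme.defaults` applies to every certificate on the host, the ejabberd and murmur certs in this commit will also be issued via DNS-01 with this token, which is a zone-wide credential; it is worth confirming that the decrypted `environmentFile` path is readable only by the acme user and group.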
diff --git a/services/ejabberd.nix b/services/ejabberd.nix
index 935a409..7149a0d 100644
--- a/services/ejabberd.nix
+++ b/services/ejabberd.nix
@@ -236,12 +236,13 @@ in
};
};
security.acme.certs.${fqdn} = {
-# extraDomainNames = map (x: "${x}.${fqdn}") [
-# "pubsub"
-# "proxy"
-# "upload"
-# "conference"
-# ];
+ # extraDomainNames = map (x: "${x}.${fqdn}") [
+ # "pubsub"
+ # "proxy"
+ # "upload"
+ # "conference"
+ # ];
+ #useACMEHost = "crashoverburn.com";
group = "ejabberd-cert";
postRun = "systemctl restart ejabberd.service";
};
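Review bot: The commented-out `#useACMEHost = "crashoverburn.com";` added inside `security.acme.certs.${fqdn}` (and the identical line added in `services/murmur.nix`) would not work if uncommented: as far as I know `useACMEHost` is an option of `services.nginx.virtualHosts.<name>` and of `mailserver.x509`, not of `security.acme.certs.<name>`, so the module system would reject it as an undefined option. If the intent is to reuse the apex certificate for ejabberd, the comment should describe that wiring rather than leave a line that looks like a valid toggle. The enclosing `security.acme.certs` attrset starts outside the hunk.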
diff --git a/services/mailserver.nix b/services/mailserver.nix
index 7807e0b..015f0df 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -1,4 +1,4 @@
-{ hashedPasswordFile }: { pkgs, ... }:
+{ hashedPasswordFile }: { config, pkgs, ... }:
{
mailserver = {
stateVersion = 3;
@@ -13,6 +13,6 @@
aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ];
};
};
- certificateScheme = "acme-nginx";
+ x509.useACMEHost = config.mailserver.fqdn;
};
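Review bot: `x509.useACMEHost = config.mailserver.fqdn;` names a certificate after the mail host, but the only certificate this commit declares for the mail name is the `crashoverburn.com` cert in `services/acme_server.nix`, which carries `mail.crashoverburn.com` only as an `extraDomainNames` entry. Unless `mailserver.fqdn` is set to `crashoverburn.com` elsewhere (its value is outside this diff), the mail services will be pointed at a certificate directory that nothing issues; `x509.useACMEHost = "crashoverburn.com";` would match the cert that is actually declared. It is also worth confirming that the postfix and dovecot users can read that certificate, since `security.acme.defaults.group = "acme"` now owns it.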
}
diff --git a/services/movim.nix b/services/movim.nix
index 27b273b..4d9ce31 100644
--- a/services/movim.nix
+++ b/services/movim.nix
@@ -1,26 +1,26 @@
{ fqdn }: { config, lib, pkgs, inputs, ... }:
let
- port =2024;
+ port = 2024;
in
{
-# Nginx configuration
+ # Nginx configuration
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
- services.movim = {
- enable = true;
- domain = "${fqdn}";
- port = 2024; # WebSocket port
-
- podConfig = {
- timezone = "UTC";
- description = "OverBurnSocial";
- xmppdomain = fqdn;
- };
- nginx =
- {
+ services.movim = {
+ enable = true;
+ domain = "${fqdn}";
+ port = 2024; # WebSocket port
+
+ podConfig = {
+ timezone = "UTC";
+ description = "OverBurnSocial";
+ xmppdomain = fqdn;
+ };
+ nginx =
+ {
forceSSL = true;
useACMEHost = "crashoverburn.com";
};
diff --git a/services/murmur.nix b/services/murmur.nix
index f40774f..6e2ed7b 100644
--- a/services/murmur.nix
+++ b/services/murmur.nix
@@ -51,23 +51,24 @@ in
${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
'';
security.acme.certs.${fqdn} = {
+ #useACMEHost = "crashoverburn.com";
group = "murmur-cert";
postRun = "systemctl restart murmur.service";
- webroot = "/var/lib/acme/acme-challenge/";
+ #webroot = "/var/lib/acme/acme-challenge/";
};
users.groups.murmur-cert.members = [ "murmur" "nginx" ];
-# services.nginx = {
-# enable = true;
-# virtualHosts.${fqdn} = {
-# listenAddresses = [
-# "10.0.1.30"
-# ];
-# useACMEHost = "crashoverburn.com";
-# #enableACME = true;
-# forceSSL = true;
-# locations."/".return = "301 https://crashoverburn.com/mumble";
-# };
-# };
+ # services.nginx = {
+ # enable = true;
+ # virtualHosts.${fqdn} = {
+ # listenAddresses = [
+ # "10.0.1.30"
+ # ];
+ # useACMEHost = "crashoverburn.com";
+ # #enableACME = true;
+ # forceSSL = true;
+ # locations."/".return = "301 https://crashoverburn.com/mumble";
+ # };
+ # };
}
diff --git a/services/website.nix b/services/website.nix
index 784f3b3..b15ffa2 100644
--- a/services/website.nix
+++ b/services/website.nix
@@ -1,37 +1,37 @@
{ webroot }: { config, lib, pkgs, ... }:
-let
-fqdn = "crashoverburn.com";
+let
+ fqdn = "crashoverburn.com";
in
{
users.users.nginx.extraGroups = [ "acme" ];
- security.acme.certs."${fqdn}" =
- {
- extraDomainNames= map (x: "${x}.${fqdn}")
+ security.acme.certs."${fqdn}" =
+ {
+ extraDomainNames = map (x: "${x}.${fqdn}")
[
- "pubsub"
- "proxy"
- "upload"
- "conference"
- "social"
- "pics.social"
- ];
- webroot = "/var/lib/acme/acme-challenge/";
- };
+ "pubsub"
+ "proxy"
+ "upload"
+ "conference"
+ "social"
+ "pics.social"
+ ];
+ # webroot = "/var/lib/acme/acme-challenge/";
+ };
services.nginx = {
enable = true;
virtualHosts = {
"${fqdn}" = {
forceSSL = true;
- enableACME = true;
- #useACMEHost = "crashoverburn.com";
+ #enableACME = true;
+ useACMEHost = "crashoverburn.com";
locations."/".root = webroot;
};
- "crashoverburn.online" = {
- forceSSL = true;
- #useACMEHost = "crashoverburn.com";
- enableACME = true;
- locations."/".root = webroot;
- };
+ # "crashoverburn.online" = {
+ # forceSSL = true;
+ # useACMEHost = "crashoverburn.com";
+ #enableACME = true;
+ # locations."/".root = webroot;
+ # };
};
};
}
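Review bot: `security.acme.certs."crashoverburn.com"` is now declared in two modules — here with the six service subdomains in `extraDomainNames`, and in `services/acme_server.nix` with `mail.crashoverburn.com` — so the certificate's final SAN list is the module system's merge of both lists and cannot be read from either file alone. Moving this `extraDomainNames` list into `acme_server.nix`, or at least adding `# merged with the names declared in services/acme_server.nix` above it, would make the certificate's contents visible in one place. The vhost also spells the cert name as a literal while `fqdn` holds the same string in the `let` above, so `useACMEHost = fqdn;` reads more clearly and changes together with the binding.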