diff options
Diffstat (limited to 'services')
| -rw-r--r-- | services/cgit.nix | 26 | ||||
| -rw-r--r-- | services/ejabberd.nix | 425 | ||||
| -rw-r--r-- | services/mailserver.nix | 33 | ||||
| -rw-r--r-- | services/movim.nix | 32 | ||||
| -rw-r--r-- | services/murmur.nix | 30 | ||||
| -rw-r--r-- | services/website.nix | 41 |
6 files changed, 316 insertions, 271 deletions
diff --git a/services/cgit.nix b/services/cgit.nix index fcfa77f..72f94dc 100644 --- a/services/cgit.nix +++ b/services/cgit.nix @@ -1,8 +1,8 @@ -{ fqdn } :{ pkgs, ... }: +{ fqdn }: { pkgs, ... }: { - services.uwsgi = { + services.uwsgi = { enable = true; - user = "public"; + user = "public"; group = "nginx"; plugins = [ "cgi" "python3" ]; @@ -24,7 +24,7 @@ services.gitolite = { enable = true; - user = "git"; + user = "git"; group = "git"; adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com"; extraGitoliteRc = '' @@ -33,16 +33,16 @@ ''; }; - users.extraUsers.public = - { - extraGroups = [ "git" "nginx"]; - isSystemUser = true; - group = "users"; - }; + users.extraUsers.public = + { + extraGroups = [ "git" "nginx" ]; + isSystemUser = true; + group = "users"; + }; services.nginx.virtualHosts."${fqdn}" = { - addSSL = true; - enableACME = true; + forceSSL = true; + useACMEHost = "crashoverburn.com"; root = "${pkgs.cgit}/cgit"; locations = { "/" = { @@ -58,7 +58,7 @@ uwsgi_read_timeout 600; ''; }; - }; + }; }; systemd.services.create-cgit-cache = { diff --git a/services/ejabberd.nix b/services/ejabberd.nix index f2057ac..935a409 100644 --- a/services/ejabberd.nix +++ b/services/ejabberd.nix @@ -1,6 +1,6 @@ { fqdn }: { config, lib, pkgs, inputs, ... }: let - unstable = inputs.nixpkgs_unstable.legacyPackages.x86_64-linux; + #unstable = inputs.nixpkgs_unstable.legacyPackages.x86_64-linux; inherit (builtins) toJSON; inherit (pkgs) writeText; inherit (pkgs.lib.lists) foldl'; @@ -9,236 +9,253 @@ let certs = config.security.acme.certs; certDirectory = certs.${fqdn}.directory; -in { +in +{ services.ejabberd = { enable = true; imagemagick = true; - configFile = let - toPaths = s: mapAttrs' (n: v: nameValuePair "/${n}" v) s; - dhfile = config.security.dhparams.params.nginx.path; - toACLs = map (x: { acl = x; }); - in writeText "ejabberd.yml" (toJSON { - hosts = [ fqdn ]; - loglevel = 4; - s2s_cafile = "/etc/ssl/certs/ca-certificates.crt"; - ca_file = "/etc/ssl/certs/ca-certificates.crt"; - certfiles = [ "${certDirectory}/*.pem" ]; - listen = map (x: x // { ip = "10.0.1.30"; }) [ - { - inherit dhfile; - port = 5222; - module = "ejabberd_c2s"; - max_stanza_size = 262144; - shaper = "c2s_shaper"; - access = "c2s"; - starttls_required = true; - } - { - inherit dhfile; - port = 5223; - tls = true; - module = "ejabberd_c2s"; - max_stanza_size = 262144; - shaper = "c2s_shaper"; - access = "c2s"; - starttls_required = true; - } - { - inherit dhfile; - port = 5269; - module = "ejabberd_s2s_in"; - max_stanza_size = 524288; - } - { - inherit dhfile; - port = 5443; - module = "ejabberd_http"; - tls = true; - request_handlers = toPaths { - admin = "ejabberd_web_admin"; - api = "mod_http_api"; - bosh = "mod_bosh"; - captcha = "ejabberd_captcha"; - upload = "mod_http_upload"; - ws = "ejabberd_http_ws"; - }; - } - { - inherit dhfile; - port = 5280; - module = "ejabberd_http"; - request_handlers = toPaths { - admin = "ejabberd_web_admin"; - ".well-known/acme-challenge" = "ejabberd_acme"; - }; - } - { - port = 3478; - transport = "udp"; - module = "ejabberd_stun"; - use_turn = true; - turn_ipv4_address = "193.16.42.36"; - } - { - port = 1883; - module = "mod_mqtt"; - backlog = 1000; - } - ]; - s2s_use_starttls = "required"; - acl = { - local.user_regexp = ""; - loopback.ip = [ - "127.0.0.1/8" - "::1/128" + configFile = + let + toPaths = s: mapAttrs' (n: v: nameValuePair "/${n}" v) s; + dhfile = config.security.dhparams.params.nginx.path; + toACLs = map (x: { acl = x; }); + in + writeText "ejabberd.yml" (toJSON { + hosts = [ fqdn ]; + loglevel = 4; + s2s_cafile = "/etc/ssl/certs/ca-certificates.crt"; + ca_file = "/etc/ssl/certs/ca-certificates.crt"; + certfiles = [ "${certDirectory}/*.pem" ]; + listen = map (x: x // { ip = "10.0.1.30"; }) [ + { + inherit dhfile; + port = 5222; + module = "ejabberd_c2s"; + max_stanza_size = 262144; + shaper = "c2s_shaper"; + access = "c2s"; + starttls_required = true; + } + { + inherit dhfile; + port = 5223; + tls = true; + module = "ejabberd_c2s"; + max_stanza_size = 262144; + shaper = "c2s_shaper"; + access = "c2s"; + starttls_required = true; + } + { + inherit dhfile; + port = 5269; + module = "ejabberd_s2s_in"; + max_stanza_size = 524288; + } + { + inherit dhfile; + port = 5443; + module = "ejabberd_http"; + tls = true; + request_handlers = toPaths { + admin = "ejabberd_web_admin"; + api = "mod_http_api"; + bosh = "mod_bosh"; + captcha = "ejabberd_captcha"; + upload = "mod_http_upload"; + ws = "ejabberd_http_ws"; + }; + } + { + inherit dhfile; + port = 5280; + module = "ejabberd_http"; + request_handlers = toPaths { + admin = "ejabberd_web_admin"; + ".well-known/acme-challenge" = "ejabberd_acme"; + }; + } + { + port = 3478; + transport = "udp"; + module = "ejabberd_stun"; + use_turn = true; + turn_ipv4_address = "193.16.42.36"; + } + { + port = 1883; + module = "mod_mqtt"; + backlog = 1000; + } ]; - admin.user = [ "crash@${fqdn}" ]; - }; - access_rules = { - c2s = { - deny = "blocked"; - allow = "all"; + s2s_use_starttls = "required"; + acl = { + local.user_regexp = ""; + loopback.ip = [ + "127.0.0.1/8" + "::1/128" + ]; + admin.user = [ "crash@${fqdn}" ]; }; - } // mapAttrs' (n: v: nameValuePair n { allow = v; }) { - local = "local"; - announce = "admin"; - configure = "admin"; - muc_create = "local"; - pubsub_createnode = "local"; - trusted_network = "loopback"; - }; - api_permissions = { - "console commands" = { - from = [ "ejabberd_ctl" ]; - who = "all"; - what = "*"; + access_rules = { + c2s = { + deny = "blocked"; + allow = "all"; + }; + } // mapAttrs' (n: v: nameValuePair n { allow = v; }) { + local = "local"; + announce = "admin"; + configure = "admin"; + muc_create = "local"; + pubsub_createnode = "local"; + trusted_network = "loopback"; }; - "admin access" = { - who = { - access.allow = toACLs [ - "local" - "admin" - ]; - oauth = { - scope = "ejabberd:admin"; + api_permissions = { + "console commands" = { + from = [ "ejabberd_ctl" ]; + who = "all"; + what = "*"; + }; + "admin access" = { + who = { access.allow = toACLs [ - "loopback" + "local" "admin" ]; + oauth = { + scope = "ejabberd:admin"; + access.allow = toACLs [ + "loopback" + "admin" + ]; + }; }; + what = [ + "*" + "!stop" + "!start" + ]; }; - what = [ - "*" - "!stop" - "!start" - ]; - }; - "public commands" = { - who.ip = "127.0.0.1/8"; - what = [ - "status" - "connected_users_number" - ]; - }; - }; - shaper = { - normal = { - rate = 3000; - burst_size = 20000; - }; - fast = 100000; - }; - shaper_rules = { - max_user_sessions = 10; - max_user_offline_messages = { - "5000" = "admin"; - "100" = "all"; - }; - c2s_shaper = { - none = "admin"; - normal = "all"; - }; - s2s_shaper = "fast"; - }; - modules = mapAttrs' (n: v: nameValuePair "mod_${n}" v) ({ - announce.access = "announce"; - http_upload = { - put_url = "https://@HOST@:5443/upload"; - custom_headers = { - Access-Control-Allow-Origin = "https://@HOST@"; - Access-Control-Allow-Methods = "GET,HEAD,PUT,OPTIONS"; - Access-Control-Allow-Headers = "Content-Type"; + "public commands" = { + who.ip = "127.0.0.1/8"; + what = [ + "status" + "connected_users_number" + ]; }; }; - mam = { - assume_mam_usage = true; - default = "always"; - }; - muc = { - access = [ "allow" ]; - access_admin = [ { allow = "admin"; } ]; - access_create = "muc_create"; - access_persistent = "muc_create"; - access_mam = [ "allow" ]; - default_room_options.mam = true; - }; - offline.access_max_user_messages = "max_user_offline_messages"; - proxy65 = { - access = "local"; - max_connections = 5; + shaper = { + normal = { + rate = 3000; + burst_size = 20000; + }; + fast = 100000; }; - pubsub = { - access_createnode = "pubsub_createnode"; - plugins = [ - "flat" - "pep" - ]; - force_node_config."storage:bookmarks".access_model = "whitelist"; + shaper_rules = { + max_user_sessions = 10; + max_user_offline_messages = { + "5000" = "admin"; + "100" = "all"; + }; + c2s_shaper = { + none = "admin"; + normal = "all"; + }; + s2s_shaper = "fast"; }; - register.ip_access = "trusted_network"; - roster.versioning = true; - stream_mgmt.resend_on_timeout = "if_offline"; - version.show_os = false; - } // foldl' (a: x: a // { ${x} = {}; }) {} [ - "adhoc" "admin_extra" "avatar" - "blocking" "bosh" - "caps" "carboncopy" "client_state" "configure" - "disco" - "fail2ban" - "http_api" - "last" - "mqtt" "muc_admin" - "ping" "privacy" "private" "push" "push_keepalive" - "s2s_dialback" "shared_roster" "stun_disco" - "vcard" "vcard_xupdate" - ]); - }); - package = unstable.ejabberd.override { + modules = mapAttrs' (n: v: nameValuePair "mod_${n}" v) ({ + announce.access = "announce"; + http_upload = { + put_url = "https://@HOST@:5443/upload"; + custom_headers = { + Access-Control-Allow-Origin = "https://@HOST@"; + Access-Control-Allow-Methods = "GET,HEAD,PUT,OPTIONS"; + Access-Control-Allow-Headers = "Content-Type"; + }; + }; + mam = { + assume_mam_usage = true; + default = "always"; + }; + muc = { + access = [ "allow" ]; + access_admin = [{ allow = "admin"; }]; + access_create = "muc_create"; + access_persistent = "muc_create"; + access_mam = [ "allow" ]; + default_room_options.mam = true; + }; + offline.access_max_user_messages = "max_user_offline_messages"; + proxy65 = { + access = "local"; + max_connections = 5; + }; + pubsub = { + access_createnode = "pubsub_createnode"; + plugins = [ + "flat" + "pep" + ]; + force_node_config."storage:bookmarks".access_model = "whitelist"; + }; + register.ip_access = "trusted_network"; + roster.versioning = true; + stream_mgmt.resend_on_timeout = "if_offline"; + version.show_os = false; + } // foldl' (a: x: a // { ${x} = { }; }) { } [ + "adhoc" + "admin_extra" + "avatar" + "blocking" + "bosh" + "caps" + "carboncopy" + "client_state" + "configure" + "disco" + "fail2ban" + "http_api" + "last" + "mqtt" + "muc_admin" + "ping" + "privacy" + "private" + "push" + "push_keepalive" + "s2s_dialback" + "shared_roster" + "stun_disco" + "vcard" + "vcard_xupdate" + ]); + }); + package = pkgs.ejabberd.override { withZlib = true; withTools = true; }; }; security.acme.certs.${fqdn} = { - extraDomainNames = map (x: "${x}.${fqdn}") [ - "pubsub" - "proxy" - "upload" - "conference" - ]; +# extraDomainNames = map (x: "${x}.${fqdn}") [ +# "pubsub" +# "proxy" +# "upload" +# "conference" +# ]; group = "ejabberd-cert"; postRun = "systemctl restart ejabberd.service"; }; users.groups.ejabberd-cert.members = [ "ejabberd" "nginx" ]; security.dhparams = { enable = true; - params.nginx = {}; + params.nginx = { }; }; networking.firewall.allowedTCPPorts = [ - 5222 # xmpp-client - 5223 # xmpp-client - 5269 # xmpp-server - 5280 # xmpp-bosh - 5443 # https - 3478 # xmpp-stun + 5222 # xmpp-client + 5223 # xmpp-client + 5269 # xmpp-server + 5280 # xmpp-bosh + 5443 # https + 3478 # xmpp-stun ]; } diff --git a/services/mailserver.nix b/services/mailserver.nix index 3bd75a4..7807e0b 100644 --- a/services/mailserver.nix +++ b/services/mailserver.nix @@ -1,17 +1,18 @@ -{ hashedPasswordFile } :{ pkgs,... }: +{ hashedPasswordFile }: { pkgs, ... }: { - mailserver = { - fqdn = "mail.crashoverburn.com"; - domains = [ "mail.crashoverburn.com" "crashoverburn.com" ]; - enable = true; - # A list of all login accounts. To create the password hashes, use - # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' - loginAccounts = { - "crash@crashoverburn.com" = { - inherit hashedPasswordFile; - aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ]; - }; - }; - certificateScheme = "acme-nginx"; - }; -}
\ No newline at end of file + mailserver = { + stateVersion = 3; + fqdn = "mail.crashoverburn.com"; + domains = [ "mail.crashoverburn.com" "crashoverburn.com" ]; + enable = true; + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + loginAccounts = { + "crash@crashoverburn.com" = { + inherit hashedPasswordFile; + aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ]; + }; + }; + certificateScheme = "acme-nginx"; + }; +} diff --git a/services/movim.nix b/services/movim.nix index 25759a4..27b273b 100644 --- a/services/movim.nix +++ b/services/movim.nix @@ -1,24 +1,28 @@ { fqdn }: { config, lib, pkgs, inputs, ... }: let - certs = config.security.acme.certs; - certDirectory = "${certs.${fqdn}.directory}"; - port = config.services.murmur.port; - dbfolder = "/persist/replicable/murmur/murmur.sqlite"; + port =2024; in { - users.groups.ejabberd-cert.members = [ "ejabberd" "nginx" ]; +# Nginx configuration + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; services.movim = { enable = true; - domain = "social.${fqdn}"; + domain = "${fqdn}"; + port = 2024; # WebSocket port + podConfig = { - locale = "en"; + timezone = "UTC"; description = "OverBurnSocial"; xmppdomain = fqdn; }; - serverAliases = [ - "pics.${config.movim.domain}" - ]; - enableACME = true; - forceHttps = true; - }; -}; + nginx = + { + forceSSL = true; + useACMEHost = "crashoverburn.com"; + }; + }; +} diff --git a/services/murmur.nix b/services/murmur.nix index e3d5d60..f40774f 100644 --- a/services/murmur.nix +++ b/services/murmur.nix @@ -1,4 +1,4 @@ -{ fqdn } :{ pkgs, config, self, ... }: +{ fqdn }: { pkgs, config, self, ... }: let certs = config.security.acme.certs; certDirectory = "${certs.${fqdn}.directory}"; @@ -36,7 +36,7 @@ in bandwidth = 64000000; clientCertRequired = true; hostName = "10.0.1.30"; -# registerHostname = "${fqdn}"; + # registerHostname = "${fqdn}"; #registerName = "crashoverburn.com"; sslCert = "${certDirectory}/fullchain.pem"; sslKey = "${certDirectory}/key.pem"; @@ -53,21 +53,21 @@ in security.acme.certs.${fqdn} = { group = "murmur-cert"; postRun = "systemctl restart murmur.service"; + webroot = "/var/lib/acme/acme-challenge/"; }; users.groups.murmur-cert.members = [ "murmur" "nginx" ]; - - services.nginx = { - enable = true; - virtualHosts.${fqdn} = { - listenAddresses = [ - "10.0.1.30" - ]; - #useACMEHost = "crashoverburn.com"; - enableACME = true; - forceSSL = true; - locations."/".return = "301 https://crashoverburn.com"; - }; - }; +# services.nginx = { +# enable = true; +# virtualHosts.${fqdn} = { +# listenAddresses = [ +# "10.0.1.30" +# ]; +# useACMEHost = "crashoverburn.com"; +# #enableACME = true; +# forceSSL = true; +# locations."/".return = "301 https://crashoverburn.com/mumble"; +# }; +# }; } diff --git a/services/website.nix b/services/website.nix index d36f538..784f3b3 100644 --- a/services/website.nix +++ b/services/website.nix @@ -1,14 +1,37 @@ { webroot }: { config, lib, pkgs, ... }: +let +fqdn = "crashoverburn.com"; +in { - services.nginx.enable = true; - services.nginx.virtualHosts."crashoverburn.com" = { - addSSL = true; - enableACME = true; - root = webroot; + users.users.nginx.extraGroups = [ "acme" ]; + security.acme.certs."${fqdn}" = + { + extraDomainNames= map (x: "${x}.${fqdn}") + [ + "pubsub" + "proxy" + "upload" + "conference" + "social" + "pics.social" + ]; + webroot = "/var/lib/acme/acme-challenge/"; }; - services.nginx.virtualHosts."crashoverburn.online" = { - addSSL = true; - enableACME = true; - root = webroot; + services.nginx = { + enable = true; + virtualHosts = { + "${fqdn}" = { + forceSSL = true; + enableACME = true; + #useACMEHost = "crashoverburn.com"; + locations."/".root = webroot; + }; + "crashoverburn.online" = { + forceSSL = true; + #useACMEHost = "crashoverburn.com"; + enableACME = true; + locations."/".root = webroot; + }; + }; }; } |