From e1b05d65451cce58205a2c4b3d84f706b04fb17e Mon Sep 17 00:00:00 2001 From: John Bargman Date: Sat, 30 Nov 2024 13:15:05 +0000 Subject: reorg and update; add cgit --- commander.nix | 29 ------ ejabberd.nix | 243 ------------------------------------------------ flake.lock | 110 ++++++++++------------ flake.nix | 46 +++------ machines/overburn-1.nix | 13 +++ openstack.nix | 2 +- services/cgit.nix | 103 ++++++++++++++++++++ services/ejabberd.nix | 243 ++++++++++++++++++++++++++++++++++++++++++++++++ services/mailserver.nix | 17 ++++ services/website.nix | 14 +++ users/commander.nix | 29 ++++++ website.nix | 14 --- 12 files changed, 479 insertions(+), 384 deletions(-) delete mode 100755 commander.nix delete mode 100644 ejabberd.nix create mode 100644 machines/overburn-1.nix create mode 100644 services/cgit.nix create mode 100644 services/ejabberd.nix create mode 100644 services/mailserver.nix create mode 100644 services/website.nix create mode 100755 users/commander.nix delete mode 100644 website.nix diff --git a/commander.nix b/commander.nix deleted file mode 100755 index 294d269..0000000 --- a/commander.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -{ config, pkgs, ... }: -{ - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - programs.ssh.enableAskPassword = false; - programs.gnupg.agent = - { - pinentryFlavor = "tty"; - enable = true; - enableSSHSupport = true; - }; - security.sudo.wheelNeedsPassword = false; - # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.commander = { - isNormalUser = true; - uid = 1009; - name = "commander"; - description = "system administration"; - createHome = true; - home = "/home/commander"; - hashedPassword = "$6$irFKKFRDPP$H5EaeHornoVvWcKtUBj.29tPvw.SspaSi/vOPGc3GG2bW//M.ld3E7E3XCevJ6vn175A/raHvNIotXayvMqzz0"; - openssh.authorizedKeys.keys = - [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 darthpjb@gmail.com" - ]; - extraGroups = [ "wheel" "dialout" "disk" "networkManager" ]; # Enable ‘sudo’ for the user. - }; -} diff --git a/ejabberd.nix b/ejabberd.nix deleted file mode 100644 index f18cfe6..0000000 --- a/ejabberd.nix +++ /dev/null 
@@ -1,243 +0,0 @@ -{ fqdn }: { config, lib, pkgs, ... }: -let - inherit (builtins) toJSON; - inherit (pkgs) writeText; - inherit (pkgs.lib.lists) foldl'; - inherit (pkgs.lib.attrsets) mapAttrs' nameValuePair; - inherit (config.networking) domain; - - certs = config.security.acme.certs; - certDirectory = certs.${fqdn}.directory; -in { - services.ejabberd = { - enable = true; - imagemagick = true; - configFile = let - toPaths = s: mapAttrs' (n: v: nameValuePair "/${n}" v) s; - dhfile = config.security.dhparams.params.nginx.path; - toACLs = map (x: { acl = x; }); - in writeText "ejabberd.yml" (toJSON { - hosts = [ fqdn ]; - loglevel = 4; - s2s_cafile = "/etc/ssl/certs/ca-certificates.crt"; - ca_file = "/etc/ssl/certs/ca-certificates.crt"; - certfiles = [ "${certDirectory}/*.pem" ]; - listen = map (x: x // { ip = "10.0.1.30"; }) [ - { - inherit dhfile; - port = 5222; - module = "ejabberd_c2s"; - max_stanza_size = 262144; - shaper = "c2s_shaper"; - access = "c2s"; - starttls_required = true; - } - { - inherit dhfile; - port = 5223; - tls = true; - module = "ejabberd_c2s"; - max_stanza_size = 262144; - shaper = "c2s_shaper"; - access = "c2s"; - starttls_required = true; - } - { - inherit dhfile; - port = 5269; - module = "ejabberd_s2s_in"; - max_stanza_size = 524288; - } - { - inherit dhfile; - port = 5443; - module = "ejabberd_http"; - tls = true; - request_handlers = toPaths { - admin = "ejabberd_web_admin"; - api = "mod_http_api"; - bosh = "mod_bosh"; - captcha = "ejabberd_captcha"; - upload = "mod_http_upload"; - ws = "ejabberd_http_ws"; - }; - } - { - inherit dhfile; - port = 5280; - module = "ejabberd_http"; - request_handlers = toPaths { - admin = "ejabberd_web_admin"; - ".well-known/acme-challenge" = "ejabberd_acme"; - }; - } - { - port = 3478; - transport = "udp"; - module = "ejabberd_stun"; - use_turn = true; - turn_ipv4_address = "193.16.42.36"; - } - { - port = 1883; - module = "mod_mqtt"; - backlog = 1000; - } - ]; - s2s_use_starttls = "required"; - acl = { 
- local.user_regexp = ""; - loopback.ip = [ - "127.0.0.1/8" - "::1/128" - ]; - admin.user = [ "crash@${fqdn}" ]; - }; - access_rules = { - c2s = { - deny = "blocked"; - allow = "all"; - }; - } // mapAttrs' (n: v: nameValuePair n { allow = v; }) { - local = "local"; - announce = "admin"; - configure = "admin"; - muc_create = "local"; - pubsub_createnode = "local"; - trusted_network = "loopback"; - }; - api_permissions = { - "console commands" = { - from = [ "ejabberd_ctl" ]; - who = "all"; - what = "*"; - }; - "admin access" = { - who = { - access.allow = toACLs [ - "local" - "admin" - ]; - oauth = { - scope = "ejabberd:admin"; - access.allow = toACLs [ - "loopback" - "admin" - ]; - }; - }; - what = [ - "*" - "!stop" - "!start" - ]; - }; - "public commands" = { - who.ip = "127.0.0.1/8"; - what = [ - "status" - "connected_users_number" - ]; - }; - }; - shaper = { - normal = { - rate = 3000; - burst_size = 20000; - }; - fast = 100000; - }; - shaper_rules = { - max_user_sessions = 10; - max_user_offline_messages = { - "5000" = "admin"; - "100" = "all"; - }; - c2s_shaper = { - none = "admin"; - normal = "all"; - }; - s2s_shaper = "fast"; - }; - modules = mapAttrs' (n: v: nameValuePair "mod_${n}" v) ({ - announce.access = "announce"; - http_upload = { - put_url = "https://@HOST@:5443/upload"; - custom_headers = { - Access-Control-Allow-Origin = "https://@HOST@"; - Access-Control-Allow-Methods = "GET,HEAD,PUT,OPTIONS"; - Access-Control-Allow-Headers = "Content-Type"; - }; - }; - mam = { - assume_mam_usage = true; - default = "always"; - }; - muc = { - access = [ "allow" ]; - access_admin = [ { allow = "admin"; } ]; - access_create = "muc_create"; - access_persistent = "muc_create"; - access_mam = [ "allow" ]; - default_room_options.mam = true; - }; - offline.access_max_user_messages = "max_user_offline_messages"; - proxy65 = { - access = "local"; - max_connections = 5; - }; - pubsub = { - access_createnode = "pubsub_createnode"; - plugins = [ - "flat" - "pep" - ]; - 
force_node_config."storage:bookmarks".access_model = "whitelist"; - }; - register.ip_access = "trusted_network"; - roster.versioning = true; - stream_mgmt.resend_on_timeout = "if_offline"; - version.show_os = false; - } // foldl' (a: x: a // { ${x} = {}; }) {} [ - "adhoc" "admin_extra" "avatar" - "blocking" "bosh" - "caps" "carboncopy" "client_state" "configure" - "disco" - "fail2ban" - "http_api" - "last" - "mqtt" "muc_admin" - "ping" "privacy" "private" "push" "push_keepalive" - "s2s_dialback" "shared_roster" "stun_disco" - "vcard" "vcard_xupdate" - ]); - }); - package = pkgs.ejabberd.override { - withZlib = true; - withTools = true; - }; - }; - security.acme.certs.${fqdn} = { - extraDomainNames = map (x: "${x}.${fqdn}") [ - "pubsub" - "proxy" - "upload" - "conference" - ]; - group = "ejabberd-cert"; - postRun = "systemctl restart ejabberd.service"; - }; - users.groups.ejabberd-cert.members = [ "ejabberd" "nginx" ]; - security.dhparams = { - enable = true; - params.nginx = {}; - }; - networking.firewall.allowedTCPPorts = [ - 5222 # xmpp-client - 5223 # xmpp-client - 5269 # xmpp-server - 5280 # xmpp-bosh - 5443 # https - 3478 # xmpp-stun - ]; -} diff --git a/flake.lock b/flake.lock index 4edfa53..71343f3 100644 --- a/flake.lock +++ b/flake.lock @@ -4,14 +4,15 @@ "inputs": { "darwin": "darwin", "home-manager": "home-manager", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "systems": "systems" }, "locked": { - "lastModified": 1690228878, - "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", "owner": "ryantm", "repo": "agenix", - "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", "type": "github" }, "original": { 
@@ -44,11 +45,11 @@ ] }, "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "type": "github" }, "original": { @@ -61,11 +62,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -82,11 +83,11 @@ ] }, "locked": { - "lastModified": 1682203081, - "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", "owner": "nix-community", "repo": "home-manager", - "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", "type": "github" }, "original": { @@ -100,11 +101,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1688141737, - "narHash": "sha256-qHrNMYWukOKmKVf6wXOGKj1xxUnOGjvTRbt/PLLXuBE=", + "lastModified": 1708891350, + "narHash": "sha256-VOQrKK7Df/IVuNki+NshVuGkTa/Tw0GigPjWcZff6kk=", "owner": "matthewcroughan", "repo": "nixinate", - "rev": "7902ae845e6cc5bd450e510cdf5e009a6e4a44d9", + "rev": "452f33c60df5b72ad0858f5f2cf224bdf1f17746", "type": "github" }, "original": { 
@@ -115,11 +116,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1677676435, - "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { @@ -129,33 +130,18 @@ "type": "github" } }, - "nixpkgs-22_11": { + "nixpkgs-24_05": { "locked": { - "lastModified": 1669558522, - "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-22.11", - "type": "indirect" - } - }, - "nixpkgs-23_05": { - "locked": { - "lastModified": 1684782344, - "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-23.05", + "ref": "nixos-24.05", "type": "indirect" } }, 
@@ -177,27 +163,27 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1694048570, - "narHash": "sha256-PEQptwFCVaJ+jLFJgrZll2shQ9VI/7xVhrCYkJo8iIw=", + "lastModified": 1732749044, + "narHash": "sha256-T38FQOg0BV5M8FN1712fovzNakSOENEYs+CSkg31C9Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4f77ea639305f1de0a14d9d41eef83313360638c", + "rev": "0c5b4ecbed5b155b705336aa96d878e55acd8685", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_4": { "locked": { - "lastModified": 1670751203, - "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", + "lastModified": 1717602782, + "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", + "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6", "type": "github" }, "original": { @@ -208,11 +194,11 @@ }, "nixpkgs_unstable": { "locked": { - "lastModified": 1693985761, - "narHash": "sha256-K5b+7j7Tt3+AqbWkcw+wMeqOAWyCD1MH26FPZyWXpdo=", + "lastModified": 1732758367, + "narHash": "sha256-RzaI1RO0UXqLjydtz3GAXSTzHkpb/lLD1JD8a0W4Wpo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0bffda19b8af722f8069d09d8b6a24594c80b352", + "rev": "fa42b5a5f401aab8a32bd33c9a4de0738180dc59", "type": "github" }, "original": { 
@@ -236,16 +222,14 @@ "blobs": "blobs", "flake-compat": "flake-compat", "nixpkgs": "nixpkgs_4", - "nixpkgs-22_11": "nixpkgs-22_11", - "nixpkgs-23_05": "nixpkgs-23_05", - "utils": "utils" + "nixpkgs-24_05": "nixpkgs-24_05" }, "locked": { - "lastModified": 1689976554, - "narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=", + "lastModified": 1722877200, + "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e", + "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", "type": "gitlab" }, "original": { @@ -254,18 +238,18 @@ "type": "gitlab" } }, - "utils": { + "systems": { "locked": { - "lastModified": 1605370193, - "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", "type": "github" }, "original": { - "owner": "numtide", - "repo": "flake-utils", + "owner": "nix-systems", + "repo": "default", "type": "github" } } diff --git a/flake.nix b/flake.nix index 4eda89e..4f7d5f9 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ nixinate.url = "github:matthewcroughan/nixinate"; agenix.url = "github:ryantm/agenix"; nixpkgs_unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; }; @@ -14,6 +14,7 @@ pkgs = nixpkgs.legacyPackages.x86_64-linux; webroot = "${self}/webroot"; fqdn = "crashoverburn.com"; + hashedPasswordFile = "${self}/password.file"; in { formatter.x86_64-linux = pkgs.nixpkgs-fmt; 
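Review bot: `hashedPasswordFile = "${self}/password.file";` points at a file inside the flake tree, so the mail login hash is committed to this repository and copied into the world-readable /nix/store together with the flake; if this config repository is among those the new cgit instance serves, the hash is published as well. The same value flows into `services/mailserver.nix` through `inherit hashedPasswordFile;`, and `users/commander.nix` carries a SHA-512 crypt hash inline. Since `agenix.nixosModules.default` is already in the module list, the hash can live in an age-encrypted secret and be referenced from inside a module as `config.age.secrets.<secret-name>.path`, so the hash file never reaches the store. The `let` block this line belongs to starts outside the hunk.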
@@ -59,41 +60,18 @@ nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ - simple-nixos-mailserver.nixosModule - { - mailserver = { - fqdn = "mail.crashoverburn.com"; - domains = [ "mail.crashoverburn.com" "crashoverburn.com" ]; - enable = true; - # A list of all login accounts. To create the password hashes, use - # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' - loginAccounts = { - "crash@crashoverburn.com" = { - hashedPasswordFile = "${self}/password.file"; - aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ]; - }; - }; - certificateScheme = "acme-nginx"; - }; - } agenix.nixosModules.default + simple-nixos-mailserver.nixosModule ./openstack.nix - (import ./website.nix { inherit webroot; }) - (import ./ejabberd.nix { inherit fqdn; }) - ./commander.nix - { - networking.hostName = "crashoverburn"; - security.acme = { - acceptTerms = true; - defaults.email = "postmaster@mail.crashoverburn.com"; - }; - environment.systemPackages = [ - pkgs.btop - pkgs.tmux - pkgs.neovim - ]; + ./users/commander.nix + (import ./services/cgit.nix { inherit pkgs; inherit fqdn; }) + (import ./services/website.nix { inherit webroot; }) + (import ./services/ejabberd.nix { inherit fqdn; }) + (import ./services/mailserver.nix { inherit pkgs; inherit hashedPasswordFile; }) + ./machines/overburn-1.nix + { imports = [ - "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix" + "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix" ]; _module.args.nixinate = { host = "193.16.42.36"; @@ -102,7 +80,7 @@ hermetic = true; buildOn = "local"; }; - } + } ]; }; }; diff --git a/machines/overburn-1.nix b/machines/overburn-1.nix new file mode 100644 index 0000000..27fa908 --- /dev/null +++ b/machines/overburn-1.nix 
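Review bot: The module list now mixes two calling conventions: `website.nix` and `ejabberd.nix` are curried (`{ fqdn }: { config, lib, pkgs, ... }:`) and receive `pkgs` from the module system, whereas `cgit.nix` and `mailserver.nix` are handed the flake-level `pkgs` (`nixpkgs.legacyPackages.x86_64-linux`) as a plain argument, so any `nixpkgs.overlays` or `nixpkgs.config` the system sets would not reach `pkgs.cgit` and `pkgs.nginx` inside cgit.nix. Using the curried form for both, `(import ./services/cgit.nix { inherit fqdn; })` with cgit.nix opening as `{ fqdn }: { pkgs, ... }:`, keeps one convention and one `pkgs`. `mailserver.nix` declares `pkgs` but never uses it, so it only needs `hashedPasswordFile`. The `nixpkgs.lib.nixosSystem { ... }` call this list sits in starts outside the hunk.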
@@ -0,0 +1,13 @@
+{ webroot, fqdn, pkgs, ... }:
+{
+   networking.hostName = "crashoverburn-1";
+   security.acme = {
+     acceptTerms = true;
+     defaults.email = "postmaster@mail.crashoverburn.com";
+   };
+   environment.systemPackages = [
+     pkgs.btop
+     pkgs.tmux
+     pkgs.neovim
+   ];
+}
\ No newline at end of file
diff --git a/openstack.nix b/openstack.nix
index ebf4eca..fb16308 100644
--- a/openstack.nix
+++ b/openstack.nix
@@ -2,7 +2,7 @@ { nix = { settings.trusted-users = [ "root" "commander" ]; -   package = pkgs.nixUnstable; +   package = pkgs.nixVersions.latest; #Unstable; extraOptions = '' experimental-features = nix-command flakes '';
diff --git a/services/cgit.nix b/services/cgit.nix
new file mode 100644
index 0000000..a7795ac
--- /dev/null
+++ b/services/cgit.nix
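Review bot: `{ webroot, fqdn, pkgs, ... }:` declares `webroot` and `fqdn`, but flake.nix imports this file as a plain path and only sets `_module.args.nixinate`, so neither is supplied and neither is used; the module system presumably resolves unused arguments lazily, so this evaluates today, but the first reference to either will fail with a missing-attribute error. Since the body needs only `pkgs`, `{ pkgs, ... }:` is the honest signature. The file is also written without a trailing newline (`\ No newline at end of file`), and `networking.hostName` changes from `crashoverburn` to `crashoverburn-1` here, which the commit message does not mention.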
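Review bot: The trailing `#Unstable;` on the new `package = pkgs.nixVersions.latest;` line is a leftover from the replaced value and now reads like a stray statement; either drop it or make it say what is meant, `package = pkgs.nixVersions.latest; # newest Nix shipped by this nixpkgs`. `nixVersions.latest` presumably advances with every channel update, which is acceptable for a single admin host but worth stating in the comment. The `nix = { ... }` block continues outside the hunk.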
@@ -0,0 +1,103 @@ +{ pkgs, fqdn, ... }: +{ + services.uwsgi = { + enable = true; + user = "public"; + group = "users"; + plugins = [ "cgi" ]; + + instance = { + type = "emperor"; + vassals = { + cgit = { + type = "normal"; + master = "true"; + socket = "/run/uwsgi/cgit.sock"; + procname-master = "uwsgi cgit"; + plugins = [ "cgi" ]; + cgi = "${pkgs.cgit}/cgit/cgit.cgi"; + }; + }; + }; + }; + + services.gitolite = { + enable = true; + user = "git"; + group = "git"; + adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com"; + extraGitoliteRc = '' + $RC{UMASK} = 0027; + $RC{GIT_CONFIG_KEYS} = '.*'; + ''; + }; + + users.extraUsers.public = + { + isSystemUser = true; + group = "git"; + }; + + services.nginx.virtualHosts."code.${fqdn}" = { + addSSL = true; + enableACME = true; + root = "${pkgs.cgit}/cgit"; + locations = { + "/" = { + extraConfig = '' + try_files $uri @cgit; + ''; + }; + "@cgit" = { + extraConfig = '' + uwsgi_pass unix:/run/uwsgi/cgit.sock; + include ${pkgs.nginx}/conf/uwsgi_params; + uwsgi_modifier1 9; + ''; + }; + }; + }; + + systemd.services.create-cgit-cache = { + description = "Create cache directory for cgit"; + enable = true; + wantedBy = [ "uwsgi.service" ]; + serviceConfig = { + type = "oneshot"; + }; + script = '' + mkdir /run/cgit + chown -R public:users /run/cgit + ''; + }; + + environment.etc."cgitrc".text = '' + virtual-root=/ + + cache-size=1000 + cache-root=/run/cgit + + root-title=~/projects + root-desc=code.${fqdn} + footer= + + enable-index-owner=0 + enable-http-clone=1 + noplainemail=1 + + max-atom-items=50 + + enable-git-config=1 + enable-gitweb-owner=1 + remove-suffix=1 + + snapshots=all + readme=master:README.md + + source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py + about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh + + project-list=/var/lib/gitolite/projects.list + scan-path=/var/lib/gitolite/repositories + ''; +} 
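Review bot: `serviceConfig.type = "oneshot"` in `create-cgit-cache` is not a systemd key (`Type` is), so systemd presumably ignores it and the unit runs as a simple service with no `before = [ "uwsgi.service" ]` ordering, and `mkdir /run/cgit` without `-p` fails on every run after the first. The whole unit can be replaced by `systemd.tmpfiles.rules = [ "d /run/cgit 0750 public users -" ];`, which creates the cache root with the right owner before any service starts. Separately, `$RC{GIT_CONFIG_KEYS} = '.*';` lets anyone who can push gitolite-admin set arbitrary git config on the server's repositories, which gitolite's own documentation flags as a way to make git run programs of the pusher's choosing; cgit here only reads `gitweb.*` and `cgit.*` keys, so `$RC{GIT_CONFIG_KEYS} = 'gitweb\..*|cgit\..*';` is the narrower allow-list. The `code.${fqdn}` vhost uses `addSSL`, which keeps plain HTTP alongside HTTPS; `forceSSL = true` would redirect it.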
diff --git a/services/ejabberd.nix b/services/ejabberd.nix new file mode 100644 index 0000000..f18cfe6 --- /dev/null +++ b/services/ejabberd.nix 
@@ -0,0 +1,243 @@ +{ fqdn }: { config, lib, pkgs, ... }: +let + inherit (builtins) toJSON; + inherit (pkgs) writeText; + inherit (pkgs.lib.lists) foldl'; + inherit (pkgs.lib.attrsets) mapAttrs' nameValuePair; + inherit (config.networking) domain; + + certs = config.security.acme.certs; + certDirectory = certs.${fqdn}.directory; +in { + services.ejabberd = { + enable = true; + imagemagick = true; + configFile = let + toPaths = s: mapAttrs' (n: v: nameValuePair "/${n}" v) s; + dhfile = config.security.dhparams.params.nginx.path; + toACLs = map (x: { acl = x; }); + in writeText "ejabberd.yml" (toJSON { + hosts = [ fqdn ]; + loglevel = 4; + s2s_cafile = "/etc/ssl/certs/ca-certificates.crt"; + ca_file = "/etc/ssl/certs/ca-certificates.crt"; + certfiles = [ "${certDirectory}/*.pem" ]; + listen = map (x: x // { ip = "10.0.1.30"; }) [ + { + inherit dhfile; + port = 5222; + module = "ejabberd_c2s"; + max_stanza_size = 262144; + shaper = "c2s_shaper"; + access = "c2s"; + starttls_required = true; + } + { + inherit dhfile; + port = 5223; + tls = true; + module = "ejabberd_c2s"; + max_stanza_size = 262144; + shaper = "c2s_shaper"; + access = "c2s"; + starttls_required = true; + } + { + inherit dhfile; + port = 5269; + module = "ejabberd_s2s_in"; + max_stanza_size = 524288; + } + { + inherit dhfile; + port = 5443; + module = "ejabberd_http"; + tls = true; + request_handlers = toPaths { + admin = "ejabberd_web_admin"; + api = "mod_http_api"; + bosh = "mod_bosh"; + captcha = "ejabberd_captcha"; + upload = "mod_http_upload"; + ws = "ejabberd_http_ws"; + }; + } + { + inherit dhfile; + port = 5280; + module = "ejabberd_http"; + request_handlers = toPaths { + admin = "ejabberd_web_admin"; + ".well-known/acme-challenge" = "ejabberd_acme"; + }; + } + { + port = 3478; + transport = "udp"; + module = "ejabberd_stun"; + use_turn = true; + turn_ipv4_address = "193.16.42.36"; + } + { + port = 1883; + module = "mod_mqtt"; + backlog = 1000; + } + ]; + s2s_use_starttls = "required"; + acl = { 
+ local.user_regexp = ""; + loopback.ip = [ + "127.0.0.1/8" + "::1/128" + ]; + admin.user = [ "crash@${fqdn}" ]; + }; + access_rules = { + c2s = { + deny = "blocked"; + allow = "all"; + }; + } // mapAttrs' (n: v: nameValuePair n { allow = v; }) { + local = "local"; + announce = "admin"; + configure = "admin"; + muc_create = "local"; + pubsub_createnode = "local"; + trusted_network = "loopback"; + }; + api_permissions = { + "console commands" = { + from = [ "ejabberd_ctl" ]; + who = "all"; + what = "*"; + }; + "admin access" = { + who = { + access.allow = toACLs [ + "local" + "admin" + ]; + oauth = { + scope = "ejabberd:admin"; + access.allow = toACLs [ + "loopback" + "admin" + ]; + }; + }; + what = [ + "*" + "!stop" + "!start" + ]; + }; + "public commands" = { + who.ip = "127.0.0.1/8"; + what = [ + "status" + "connected_users_number" + ]; + }; + }; + shaper = { + normal = { + rate = 3000; + burst_size = 20000; + }; + fast = 100000; + }; + shaper_rules = { + max_user_sessions = 10; + max_user_offline_messages = { + "5000" = "admin"; + "100" = "all"; + }; + c2s_shaper = { + none = "admin"; + normal = "all"; + }; + s2s_shaper = "fast"; + }; + modules = mapAttrs' (n: v: nameValuePair "mod_${n}" v) ({ + announce.access = "announce"; + http_upload = { + put_url = "https://@HOST@:5443/upload"; + custom_headers = { + Access-Control-Allow-Origin = "https://@HOST@"; + Access-Control-Allow-Methods = "GET,HEAD,PUT,OPTIONS"; + Access-Control-Allow-Headers = "Content-Type"; + }; + }; + mam = { + assume_mam_usage = true; + default = "always"; + }; + muc = { + access = [ "allow" ]; + access_admin = [ { allow = "admin"; } ]; + access_create = "muc_create"; + access_persistent = "muc_create"; + access_mam = [ "allow" ]; + default_room_options.mam = true; + }; + offline.access_max_user_messages = "max_user_offline_messages"; + proxy65 = { + access = "local"; + max_connections = 5; + }; + pubsub = { + access_createnode = "pubsub_createnode"; + plugins = [ + "flat" + "pep" + ]; + 
force_node_config."storage:bookmarks".access_model = "whitelist"; + }; + register.ip_access = "trusted_network"; + roster.versioning = true; + stream_mgmt.resend_on_timeout = "if_offline"; + version.show_os = false; + } // foldl' (a: x: a // { ${x} = {}; }) {} [ + "adhoc" "admin_extra" "avatar" + "blocking" "bosh" + "caps" "carboncopy" "client_state" "configure" + "disco" + "fail2ban" + "http_api" + "last" + "mqtt" "muc_admin" + "ping" "privacy" "private" "push" "push_keepalive" + "s2s_dialback" "shared_roster" "stun_disco" + "vcard" "vcard_xupdate" + ]); + }); + package = pkgs.ejabberd.override { + withZlib = true; + withTools = true; + }; + }; + security.acme.certs.${fqdn} = { + extraDomainNames = map (x: "${x}.${fqdn}") [ + "pubsub" + "proxy" + "upload" + "conference" + ]; + group = "ejabberd-cert"; + postRun = "systemctl restart ejabberd.service"; + }; + users.groups.ejabberd-cert.members = [ "ejabberd" "nginx" ]; + security.dhparams = { + enable = true; + params.nginx = {}; + }; + networking.firewall.allowedTCPPorts = [ + 5222 # xmpp-client + 5223 # xmpp-client + 5269 # xmpp-server + 5280 # xmpp-bosh + 5443 # https + 3478 # xmpp-stun + ]; +} diff --git a/services/mailserver.nix b/services/mailserver.nix new file mode 100644 index 0000000..7d6f1d8 --- /dev/null +++ b/services/mailserver.nix @@ -0,0 +1,17 @@ +{ pkgs, hashedPasswordFile, ... }: +{ + mailserver = { + fqdn = "mail.crashoverburn.com"; + domains = [ "mail.crashoverburn.com" "crashoverburn.com" ]; + enable = true; + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + loginAccounts = { + "crash@crashoverburn.com" = { + inherit hashedPasswordFile; + aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ]; + }; + }; + certificateScheme = "acme-nginx"; + }; +} \ No newline at end of file diff --git a/services/website.nix b/services/website.nix new file mode 100644 index 0000000..d36f538 --- /dev/null 
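Review bot: In `api_permissions."admin access"`, `who.access.allow` lists acl `local` next to `admin`, and `local` is defined as `user_regexp = ""`, which matches every account on this host, so any registered user can invoke every API command except stop/start through the `mod_http_api` handler on port 5443; ejabberd's shipped config uses `loopback` in that position, i.e. `access.allow = toACLs [ "loopback" "admin" ];`. Registration is limited to `trusted_network`, which narrows who gets an account, but it does not change the permission itself. The `admin` web handler is also exposed on port 5280 without `tls`, so web-admin credentials cross the wire in clear unless the `10.0.1.30` bind and the firewall keep that port internal; leaving only `.well-known/acme-challenge` there would avoid it. This file is moved unchanged from ejabberd.nix (same blob f18cfe6), so both issues predate the commit, and `api_permissions` sits in the middle of a hunk that spans several physical lines.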
+++ b/services/website.nix @@ -0,0 +1,14 @@ +{ webroot }: { config, lib, pkgs, ... }: +{ + services.nginx.enable = true; + services.nginx.virtualHosts."crashoverburn.com" = { + addSSL = true; + enableACME = true; + root = webroot; + }; + services.nginx.virtualHosts."crashoverburn.online" = { + addSSL = true; + enableACME = true; + root = webroot; + }; +} diff --git a/users/commander.nix b/users/commander.nix new file mode 100755 index 0000000..6bfbb74 --- /dev/null +++ b/users/commander.nix @@ -0,0 +1,29 @@ +{ config, pkgs, ... }: +{ + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + programs.ssh.enableAskPassword = false; + programs.gnupg.agent = + { + pinentryPackage = pkgs.pinentry-tty; + enable = true; + enableSSHSupport = true; + }; + security.sudo.wheelNeedsPassword = false; + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.commander = { + isNormalUser = true; + uid = 1009; + name = "commander"; + description = "system administration"; + createHome = true; + home = "/home/commander"; + hashedPassword = "$6$irFKKFRDPP$H5EaeHornoVvWcKtUBj.29tPvw.SspaSi/vOPGc3GG2bW//M.ld3E7E3XCevJ6vn175A/raHvNIotXayvMqzz0"; + openssh.authorizedKeys.keys = + [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com" + ]; + extraGroups = [ "wheel" "dialout" "disk" "networkManager" ]; # Enable ‘sudo’ for the user. + }; +} diff --git a/website.nix b/website.nix deleted file mode 100644 index d36f538..0000000 --- a/website.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ webroot }: { config, lib, pkgs, ... }: -{ - services.nginx.enable = true; - services.nginx.virtualHosts."crashoverburn.com" = { - addSSL = true; - enableACME = true; - root = webroot; - }; - services.nginx.virtualHosts."crashoverburn.online" = { - addSSL = true; - enableACME = true; - root = webroot; - }; -} -- cgit v1.2.3
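Review bot: `security.sudo.wheelNeedsPassword = false;` makes the `wheel` membership below a passwordless path to root, so the inline `hashedPassword` only guards password logins to the host; unless `services.openssh.settings.PasswordAuthentication = false;` is set in a file not shown here, the SSH key in `authorizedKeys` should be the only login path, and the hash belongs in `hashedPasswordFile = config.age.secrets.<secret-name>.path;` via the agenix module the flake already imports rather than in git history. `"networkManager"` in `extraGroups` looks like a typo for the lowercase `networkmanager` group NixOS creates; as written it names a group that presumably does not exist on this host. The comment `# Enable ‘sudo’ for the user.` would say more as `# wheel: sudo (no password, see wheelNeedsPassword above)`.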