DashNix/hardware/server/configuration.nix


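{ config, pkgs, unstable, ... }:
let
  # SECURITY NOTE: every password read here is interpolated into option values
  # below (synapse's homeserver.yaml, the mautrix database URIs, the postgres
  # initialScript written with pkgs.writeText).  Those rendered files live in
  # /nix/store, which is world-readable on the host, so these secrets are
  # effectively visible to every local user and service account.  The sops-nix
  # setup at the bottom of this file is the intended home for them; until they
  # are moved there, treat the store copies as leaked.
  #
  # lib.fileContents strips the trailing newline that builtins.readFile keeps,
  # so the SQL `CREATE USER ... PASSWORD` statements agree with the services
  # that read the same files themselves via *passFile options.  This only
  # changes anything if the files end in a newline.
  readSecret = path: pkgs.lib.fileContents path;
  nextcloud_pw = readSecret /etc/nixos/nextcloud;
  forgejo_pw = readSecret /etc/nixos/dbpw/forgejo;
  matrix_pw = readSecret /etc/nixos/dbpw/matrix-synapse;
  mautrix_signal_pw = readSecret /etc/nixos/dbpw/mautrix_signal;
  mautrix_whatsapp_pw = readSecret /etc/nixos/dbpw/mautrix_whatsapp;
  mautrix_discord_pw = readSecret /etc/nixos/dbpw/mautrix_discord;

  # Matrix identity, derived from networking.domain so the nginx vhost,
  # synapse settings and the .well-known responses cannot drift apart.
  fqdn = "matrix.${config.networking.domain}";
  baseUrl = "https://${fqdn}";
  clientConfig."m.homeserver".base_url = baseUrl;
  # Federation delegation: peers talk to matrix.<domain> on 443 (the TLS
  # vhost) instead of the default port 8448.
  serverConfig."m.server" = "${fqdn}:443";

  # nginx snippet serving a JSON document.  The wildcard CORS header is what
  # the Matrix spec requires for the .well-known endpoints.
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in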
{
# Host identity; `fqdn` in the let-block is built from `domain`.
networking = {
  hostName = "dashie";
  domain = "dashie.org";
};
imports = [
  ./hardware-configuration.nix
  # Local modules providing services.mautrix-whatsapp-dashie / -discord-dashie.
  ./mautrix-whatsapp.nix
  ./mautrix-discord.nix
];
# systemd-boot on EFI; NTFS support for the external data disks.
boot = {
  loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
  supportedFilesystems = [ "ntfs" ];
};
time.timeZone = "Europe/Zurich";
# Accounts.  Root's password is locked ("!"); the only interactive user is
# `dashie`, who reaches sudo via wheel and logs in with the key below.
users.users = {
  root.hashedPassword = "!";
  dashie = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # sudo
    packages = with pkgs; [
      unstable.neovim
      fuse
      ntfs3g
      rsync
    ];
    # Nix path literal: the public key is copied into the store at evaluation
    # time (fine for a public key; evaluation fails if the file is absent).
    openssh.authorizedKeys.keyFiles = [
      /home/dashie/server.pub
    ];
  };
};
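services.openssh = {
  enable = true;
  settings = {
    PasswordAuthentication = false;
    # The NixOS module defaults keyboard-interactive (PAM) auth to on; with it
    # enabled a password prompt is still reachable even though
    # PasswordAuthentication is off, so key-only login needs both disabled.
    KbdInteractiveAuthentication = false;
    # root already has a locked password and no authorized keys; make the
    # policy explicit instead of relying on the "prohibit-password" default.
    PermitRootLogin = "no";
  };
};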
# Matrix homeserver plus the three bridges (whatsapp/discord come from the
# local modules imported above, signal from nixpkgs).
services = {
  matrix-synapse.enable = true;
  mautrix-signal.enable = true;
  mautrix-whatsapp-dashie.enable = true;
  mautrix-discord-dashie.enable = true;
};
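services.matrix-synapse.settings = {
  # Taken from the let-bindings rather than repeated as literals so the
  # server name, public URL, nginx vhost and .well-known answers stay in sync.
  server_name = fqdn;
  public_baseurl = baseUrl;
  database = {
    name = "psycopg2";
    args.user = "matrix-synapse";
    # NOTE: rendered into homeserver.yaml under /nix/store (see the let-block).
    args.password = matrix_pw;
  };
  # SECURITY: open registration with no verification on a federating server
  # is an open invitation for spam/abuse accounts.  If the server is meant to
  # be public, consider synapse's registration_requires_token or a CAPTCHA;
  # if it is only for the bridge admins listed below, turn registration off.
  enable_registration = true;
  enable_registration_without_verification = true;
  suppress_key_server_warning = true;
  # nginx must allow at least this much (client_max_body_size on the vhost).
  max_upload_size = "1G";
  listeners = [
    {
      # Loopback only; nginx terminates TLS and proxies here.
      port = 8008;
      bind_addresses = [ "::1" ];
      type = "http";
      tls = false;
      # Trust X-Forwarded-For from the proxy so rate limits see real clients.
      x_forwarded = true;
      resources = [
        {
          names = [ "client" "federation" ];
          compress = true;
        }
      ];
    }
  ];
};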
services.mautrix-whatsapp-dashie.settings = {
  appservice.id = "whatsapp";
  # Unix-socket connection; sslmode=disable is appropriate there.  The
  # password is part of the rendered config (see the let-block note).
  appservice.database = {
    type = "postgres";
    uri = "postgresql:///mautrix_whatsapp?host=/run/postgresql&sslmode=disable&user=mautrix_whatsapp&password=${mautrix_whatsapp_pw}";
  };
  bridge = {
    # Bridged rooms are always end-to-end encrypted.
    encryption = {
      allow = true;
      default = true;
      required = true;
    };
    displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}}";
    # Bridge admins; note the first one is an account on a remote homeserver
    # (matrix.org), so its security is outside this host's control.
    permissions = {
      "@fabio.lenherr:matrix.org" = "admin";
      "@dashie:matrix.dashie.org" = "admin";
    };
  };
};
services.mautrix-signal.settings = {
  appservice.id = "signal";
  # Unix-socket connection; sslmode=disable is appropriate there.  The
  # password is part of the rendered config (see the let-block note).
  appservice.database = {
    type = "postgres";
    uri = "postgresql:///mautrix_signal?host=/run/postgresql&sslmode=disable&user=mautrix_signal&password=${mautrix_signal_pw}";
  };
  bridge = {
    # Bridged rooms are always end-to-end encrypted.
    encryption = {
      allow = true;
      default = true;
      required = true;
    };
    displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
    # Bridge admins; the matrix.org account is on a remote homeserver.
    permissions = {
      "@fabio.lenherr:matrix.org" = "admin";
      "@dashie:matrix.dashie.org" = "admin";
    };
  };
};
services.mautrix-discord-dashie.settings = {
  appservice.id = "discord";
  # Unix-socket connection; sslmode=disable is appropriate there.  The
  # password is part of the rendered config (see the let-block note).
  appservice.database = {
    type = "postgres";
    uri = "postgresql:///mautrix_discord?host=/run/postgresql&sslmode=disable&user=mautrix_discord&password=${mautrix_discord_pw}";
  };
  # Unlike the other two bridges no encryption block is set here, so the
  # module's defaults apply.
  bridge = {
    displayname_template = "{{or .GlobalName .Username}}{{if .Bot}} (bot){{end}}";
    # Bridge admins; the matrix.org account is on a remote homeserver.
    permissions = {
      "@fabio.lenherr:matrix.org" = "admin";
      "@dashie:matrix.dashie.org" = "admin";
    };
  };
};
# Reverse proxy in front of everything; the recommended* presets bring gzip,
# sendfile/keepalive tuning, proxy headers (X-Forwarded-*) and a modern TLS
# cipher/protocol baseline.
services.nginx = {
  enable = true;
  recommendedTlsSettings = true;
  recommendedProxySettings = true;
  recommendedOptimisation = true;
  recommendedGzipSettings = true;
};
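# Static landing site.  forceSSL (was addSSL) redirects plain HTTP to HTTPS
# instead of serving both; there is no reason to serve it over plaintext.
services.nginx.virtualHosts."dashie.org" = {
  forceSSL = true;
  enableACME = true;
  root = "/var/www/dashie.org/";
};
# The apex certificate also carries the subdomains as SANs, so one cert can be
# reused via useACMEHost where a vhost cannot run its own ACME challenge.
security.acme.certs."dashie.org".extraDomainNames = [ "cloud.dashie.org" "matrix.dashie.org" "git.dashie.org" "navi.dashie.org" ];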
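# services.nextcloud (below) registers its own nginx vhost for its hostName;
# this definition merges into it.  Two fixes:
#  * forceSSL instead of addSSL: Nextcloud credentials and session cookies
#    must not be reachable over plaintext HTTP.
#  * the old `locations."/*"` was an nginx prefix location for the literal
#    string "/*", which never matches a real request path, so the proxy to
#    127.0.0.1:12002 was dead configuration and has been dropped.
services.nginx.virtualHosts."cloud.dashie.org" = {
  forceSSL = true;
  enableACME = true;
};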
# Forgejo web UI (its HTTP listener defaults to 3000 on loopback).
services.nginx.virtualHosts."git.dashie.org" = {
  enableACME = true;
  forceSSL = true;
  locations = {
    "/".proxyPass = "http://127.0.0.1:3000";
  };
};
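# Navidrome.  forceSSL (was addSSL): the Navidrome/Subsonic login sends
# credentials on every request, so plaintext HTTP must not be an option.
services.nginx.virtualHosts."navi.dashie.org" = {
  forceSSL = true;
  enableACME = true;
  locations."/".proxyPass = "http://127.0.0.1:4533";
};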
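# Matrix federation fallback listener on 8448.  The .well-known/matrix/server
# answer already delegates federation to matrix.dashie.org:443, so this port
# is only hit by peers that skip well-known discovery.  It previously served
# plain HTTP on every interface; federation is TLS-only, so terminate TLS with
# the apex certificate (matrix.dashie.org is one of its SANs) and expose only
# the federation API paths.  NOTE(review): verify nginx starts cleanly after
# the switch -- the cert files must be readable by the nginx service.
services.nginx.virtualHosts."localhost" = {
  onlySSL = true;
  useACMEHost = "dashie.org";
  listen = [
    {
      addr = "0.0.0.0";
      port = 8448;
      ssl = true;
    }
  ];
  locations."/_matrix".proxyPass = "http://[::1]:8008";
};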
services.nginx.virtualHosts."matrix.dashie.org" = {
  forceSSL = true;
  enableACME = true;
  # Synapse accepts 1G uploads; nginx must not reject them first.
  extraConfig = "client_max_body_size 2G;";
  locations = {
    # Nothing but the Matrix APIs is reachable here (in particular
    # /_synapse/admin is not proxied).
    "/".extraConfig = ''
      return 404;
    '';
    "/_matrix".proxyPass = "http://[::1]:8008";
    "/_synapse/client".proxyPass = "http://[::1]:8008";
    # Server discovery: delegates federation to matrix.dashie.org:443.
    "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
    # Client discovery (homeserver lookup from Matrix clients); see
    # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
    "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
  };
};
services.nextcloud = {
  enable = true;
  hostName = "cloud.dashie.org";
  https = true;
  config = {
    # Initial admin password; only consumed by the first-run setup.
    adminpassFile = "/etc/nixos/file2";
    dbtype = "pgsql";
    dbhost = "/run/postgresql";
    dbname = "nextcloud";
    dbuser = "nextcloud";
    # Same file the postgres initialScript reads when creating the role.
    dbpassFile = "/etc/nixos/nextcloud";
  };
  settings = {
    # NOTE(review): this lands in config.php; Nextcloud does not document a
    # `port` key, so confirm it has any effect.
    port = 12001;
    trusted_domains = [ "cloud.dashie.org" "192.168.1.23" ];
  };
};
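services.forgejo = {
  enable = true;
  # A string, not a Nix path literal: the previous `/etc/nixos/dbpw/forgejo`
  # (unquoted) copied the password file into the world-readable Nix store at
  # evaluation time and pointed Forgejo at that store copy.
  database.passwordFile = "/etc/nixos/dbpw/forgejo";
  # NOTE(review): database.type is not set; the module's default is sqlite3,
  # in which case the `forgejo` postgres role created in initialScript is
  # never used.  Confirm which backend is intended.
  settings = {
    server = {
      DOMAIN = "git.dashie.org";
      # Built-in SSH server on a high port (22 stays with OpenSSH).
      START_SSH_SERVER = true;
      SSH_PORT = 12008;
      SSH_LISTEN_PORT = 12008;
    };
    # Accounts are created by an admin only.
    service.DISABLE_REGISTRATION = true;
  };
};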
# Navidrome reads music straight out of a Nextcloud user's files.
# NOTE(review): the navidrome service account must be able to traverse and
# read /var/lib/nextcloud/data -- confirm the permissions allow it.
services.navidrome = {
  enable = true;
  settings.MusicFolder = "/var/lib/nextcloud/data/DashieTM/files/Share/Music";
};
# Nextcloud's first-run setup talks to postgres, so it must not start before
# (or survive without) the database.
systemd.services.nextcloud-setup = {
  after = [ "postgresql.service" ];
  requires = [ "postgresql.service" ];
};
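services.postgresql = {
  enable = true;
  # SECURITY: the previous rules were `trust` for every local and loopback
  # connection, which let ANY local process (nginx, the samba guest account,
  # the cron jobs running as nobody, ...) log in as the postgres superuser
  # with no password, and made the passwords created below meaningless.
  #
  # Every consumer in this file connects over the socket in /run/postgresql
  # and has a password (nextcloud/forgejo via *passFile, synapse via its
  # settings, the mautrix bridges via their URIs), so password auth works for
  # all of them; `peer` cannot be used across the board because the mautrix
  # system users (mautrix-signal) do not match their DB roles (mautrix_signal).
  # `peer` for postgres keeps the module's own setup scripts, and a
  # `pg_dumpall` run as the postgres user, working.
  # scram-sha-256 assumes password_encryption = scram-sha-256 (the default
  # since PostgreSQL 14); use md5 here if the cluster stores md5 hashes.
  authentication = pkgs.lib.mkOverride 10 ''
    #type database DBuser   address       auth-method
    local all      postgres               peer
    local all      all                    scram-sha-256
    host  all      all      127.0.0.1/32  scram-sha-256
    host  all      all      ::1/128       scram-sha-256
  '';
  # Runs ONLY when the cluster is first initialised; on an existing cluster
  # the semicolon fix and the newline-stripped passwords from the let-block
  # must be applied by hand (ALTER USER ... PASSWORD).
  # NOTE: pkgs.writeText puts this script, passwords included, in /nix/store.
  # The `CREATE USER` statements for synapse and the bridges previously had
  # no terminating `;`, so each ran together with the following SELECT as one
  # invalid statement.
  initialScript = pkgs.writeText "backend-initScript" ''
    CREATE DATABASE nextcloud;
    CREATE USER nextcloud WITH ENCRYPTED PASSWORD '${nextcloud_pw}';
    GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
    CREATE DATABASE forgejo;
    CREATE USER forgejo WITH ENCRYPTED PASSWORD '${forgejo_pw}';
    GRANT ALL PRIVILEGES ON DATABASE forgejo TO forgejo;
    CREATE USER "matrix-synapse" WITH ENCRYPTED PASSWORD '${matrix_pw}';
    SELECT 'CREATE DATABASE "matrix-synapse" LOCALE "C" ENCODING UTF8 TEMPLATE template0 OWNER "matrix-synapse"'
    WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'matrix-synapse')\gexec
    CREATE USER mautrix_whatsapp WITH ENCRYPTED PASSWORD '${mautrix_whatsapp_pw}';
    SELECT 'CREATE DATABASE "mautrix_whatsapp" LOCALE "C" ENCODING UTF8 TEMPLATE template0 OWNER "mautrix_whatsapp"'
    WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'mautrix_whatsapp')\gexec
    CREATE USER mautrix_signal WITH ENCRYPTED PASSWORD '${mautrix_signal_pw}';
    SELECT 'CREATE DATABASE "mautrix_signal" LOCALE "C" ENCODING UTF8 TEMPLATE template0 OWNER "mautrix_signal"'
    WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'mautrix_signal')\gexec
    CREATE USER mautrix_discord WITH ENCRYPTED PASSWORD '${mautrix_discord_pw}';
    SELECT 'CREATE DATABASE "mautrix_discord" LOCALE "C" ENCODING UTF8 TEMPLATE template0 OWNER "mautrix_discord"'
    WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'mautrix_discord')\gexec
  '';
};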
# Let's Encrypt defaults shared by every enableACME vhost above.
security.acme.acceptTerms = true;
security.acme.defaults.email = "fabio.lenherr@gmail.com";
networking.firewall = {
  enable = true;
  allowPing = true;
  # 22 ssh, 80/443 nginx, 8448 matrix federation, 12008 forgejo ssh.
  # NOTE(review): 4534, 12002, 12004 and 12006 do not correspond to any
  # listener declared in this file (navidrome is on 4533 behind nginx;
  # 12002 only appears as the proxy target of a dead nginx location).
  # Confirm what binds them or drop them.  Samba/wsdd open their own ports.
  allowedTCPPorts = [ 22 80 443 4534 8448 12002 12004 12006 12008 ];
};
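services.samba = {
  enable = true;
  securityType = "user";
  # Opens the SMB ports on every interface; the `hosts allow` line below is
  # what actually confines access to the LAN, so keep the two in sync.
  openFirewall = true;
  extraConfig = ''
    workgroup = WORKGROUP
    server string = smbnix
    netbios name = smbnix
    # `security = user` is already emitted by securityType above.
    #use sendfile = yes
    # Refuse SMB1 explicitly (legacy protocol, the usual attack surface);
    # recent Samba already defaults to SMB2 as the minimum, so this only
    # pins the policy.
    min protocol = SMB2
    max protocol = smb3
    # note: localhost is the ipv6 localhost ::1
    hosts allow = 192.168.1. 127.0.0.1 localhost
    hosts deny = 0.0.0.0/0
    guest account = nobody
    map to guest = bad user
  '';
  shares = {
    # SECURITY: "guest ok" + "read only = no" + "map to guest = bad user"
    # means anyone who can reach port 445 from 192.168.1.0/24 can read and
    # write here without credentials.  That is a LAN convenience by design;
    # re-evaluate it if the LAN is not fully trusted.
    public = {
      path = "/mnt/Shares/Public";
      browseable = "yes";
      "read only" = "no";
      "guest ok" = "yes";
      "create mask" = "0644";
      "directory mask" = "0755";
    };
  };
};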
# WS-Discovery responder so Windows clients see the share in Network
# Neighbourhood; opens its own UDP/TCP ports.
services.samba-wsdd.enable = true;
services.samba-wsdd.openFirewall = true;
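# Weekly backups to /mnt/dump3.
services.cron = {
  enable = true;
  systemCronJobs = [
    # rsync -o (preserve ownership) requires root, and the nextcloud data
    # tree is owned by the nextcloud user, so as `nobody` this job could not
    # have produced a faithful copy.
    "0 4 * * FRI root rsync -ato /var/lib/nextcloud/data /mnt/dump3/nextcloud"
    # `pg_dympall` was a typo, so the database was never dumped.  Run as the
    # postgres user (peer auth) instead of relying on a passwordless login,
    # and write to a temp file first so a failed dump does not clobber the
    # last good one.  Assumes /mnt/dump3 is writable by postgres -- TODO
    # confirm.  The dump contains every application's data; keep it 0600.
    "0 4 * * FRI postgres pg_dumpall > /mnt/dump3/sqdump.sql.tmp && mv /mnt/dump3/sqdump.sql.tmp /mnt/dump3/sqdump.sql"
  ];
};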
# Early microcode loading (CPU-side mitigations).  stateVersion pins the
# defaults of stateful services; do not bump it casually.
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "24.05";
# nix.conf pulls in a sops-managed file (presumably access tokens for private
# sources -- the secret is just named `access`).  The daemon runs as root, so
# the default root-only permissions on the decrypted secret are sufficient.
nix.extraOptions = ''
  !include ${config.sops.secrets.access.path}
'';
sops = {
  defaultSopsFile = ../secrets/secrets.yaml;
  secrets.access = { };
  gnupg = {
    # NOTE(review): Nix does not expand "~"; whether sops-nix/gpg expands it
    # at activation is not verified here.  An absolute path (e.g.
    # /root/.gnupg) would be unambiguous -- confirm.
    home = "~/.gnupg";
    # Decrypt with GPG only; do not derive age keys from the SSH host keys.
    sshKeyPaths = [ ];
  };
};
}