diff --git a/class/desktop/codium.nix b/class/desktop/codium.nix deleted file mode 100644 index 40442ef..0000000 --- a/class/desktop/codium.nix +++ /dev/null @@ -1,3 +0,0 @@ -{pkgs, ...}: { - environment.systemPackages = [pkgs.vscodium-fhs]; -} diff --git a/class/desktop/default.nix b/class/desktop/default.nix index b2eaa69..1b09e22 100644 --- a/class/desktop/default.nix +++ b/class/desktop/default.nix @@ -1,6 +1,5 @@ { imports = [ - ./codium.nix ./compatibility.nix ./docker.nix ./fish.nix @@ -17,5 +16,6 @@ ./plasma.nix ./printing.nix ./syncthing.nix + ./vscode.nix ]; } diff --git a/class/desktop/mullvad.nix b/class/desktop/mullvad.nix index 35f4b65..0190f98 100644 --- a/class/desktop/mullvad.nix +++ b/class/desktop/mullvad.nix @@ -1,5 +1,8 @@ -{ +{pkgs, ...}: { environment.persistence."/persist".directories = ["/etc/mullvad-vpn"]; - services.mullvad-vpn.enable = true; + services.mullvad-vpn = { + enable = true; + package = pkgs.mullvad-vpn; + }; } diff --git a/class/desktop/networking.nix b/class/desktop/networking.nix index 3ecec8f..064d360 100644 --- a/class/desktop/networking.nix +++ b/class/desktop/networking.nix @@ -2,7 +2,6 @@ environment.persistence."/persist".directories = ["/etc/NetworkManager"]; services.resolved.enable = true; - services.opensnitch.enable = true; networking = { networkmanager = { diff --git a/class/desktop/vscode.nix b/class/desktop/vscode.nix new file mode 100644 index 0000000..582e92d --- /dev/null +++ b/class/desktop/vscode.nix @@ -0,0 +1,3 @@ +{pkgs, ...}: { + environment.systemPackages = [pkgs.vscode-fhs]; +} diff --git a/common/bash.nix b/common/bash.nix index 555b661..1551d74 100644 --- a/common/bash.nix +++ b/common/bash.nix 
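Review bot: Removing `services.opensnitch.enable = true;` from `class/desktop/networking.nix` switches off the per-application egress firewall on every desktop-class host, and nothing in the diff replaces it or records why. If the daemon was getting in the way of something, a one-line comment in its place, e.g. `# opensnitch disabled: <reason>`, or a sentence in the commit message keeps the regression from being reintroduced by accident later. The enclosing `networking` attribute set continues past the hunk.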
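Review bot: `pkgs.vscode-fhs` in the new `class/desktop/vscode.nix` is Microsoft's binary build of VS Code, which ships with telemetry enabled by default, whereas the `pkgs.vscodium-fhs` it replaces does not, and the diff gives no reason for the swap. If marketplace or extension compatibility is the motive, a comment above the package line, e.g. `# vscode rather than vscodium: <reason>`, plus a pointer to wherever telemetry is opted out, documents the trade-off for the next reader.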
@@ -3,30 +3,32 @@ pkgs, ... }: { - programs.direnv.enable = true; - programs.command-not-found.enable = false; + programs = { + direnv.enable = true; + command-not-found.enable = false; - programs.bash = { - promptInit = '' - if [[ -v SSH_CLIENT && -v SSH_CONNECTION && -v SSH_TTY ]]; then - PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' - else - PS1='\[\033[01;34m\]\w\[\033[00m\]\$ ' - fi - ''; - interactiveShellInit = '' - shopt -s histappend - HISTCONTROL='ignoredups:ignorespace' - HISTSIZE=1000 - HISTFILESIZE=10000 + bash = { + promptInit = '' + if [[ -v SSH_CLIENT && -v SSH_CONNECTION && -v SSH_TTY ]]; then + PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' + else + PS1='\[\033[01;34m\]\w\[\033[00m\]\$ ' + fi + ''; + interactiveShellInit = '' + shopt -s histappend + HISTCONTROL='ignoredups:ignorespace' + HISTSIZE=1000 + HISTFILESIZE=10000 - shopt -s globstar - shopt -s nullglob - shopt -s extglob + shopt -s globstar + shopt -s nullglob + shopt -s extglob - shopt -s checkwinsize + shopt -s checkwinsize - eval "$(${lib.getExe pkgs.direnv} hook bash)" - ''; + eval "$(${lib.getExe pkgs.direnv} hook bash)" + ''; + }; }; } diff --git a/common/default.nix b/common/default.nix index 36ffa85..f9e0703 100644 --- a/common/default.nix +++ b/common/default.nix @@ -6,6 +6,8 @@ ./dbus.nix ./fs.nix ./fwupd.nix + ./git.nix + ./helix.nix ./nix.nix ./opengl.nix ./openssh.nix diff --git a/common/git.nix b/common/git.nix new file mode 100644 index 0000000..d8ac829 --- /dev/null +++ b/common/git.nix @@ -0,0 +1,6 @@ +{ + programs.git = { + enable = true; + lfs.enable = true; + }; +} diff --git a/common/helix.nix b/common/helix.nix new file mode 100644 index 0000000..2b29ccf --- /dev/null +++ b/common/helix.nix @@ -0,0 +1,15 @@ +{ + lib, + pkgs, + ... +}: let + package = pkgs.helix; +in { + environment = { + systemPackages = [package]; + variables = { + EDITOR = lib.getExe package; + VISUAL = lib.getExe package; + }; + }; +} 
diff --git a/flake.lock b/flake.lock index 871252e..4bfcdb4 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1703433843, - "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=", + "lastModified": 1707830867, + "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=", "owner": "ryantm", "repo": "agenix", - "rev": "417caa847f9383e111d1397039c9d4337d024bf0", + "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6", "type": "github" }, "original": { @@ -77,11 +77,11 @@ }, "hardware": { "locked": { - "lastModified": 1706834982, - "narHash": "sha256-3CfxA7gZ+DVv/N9Pvw61bV5Oe/mWfxYPyVQGqp9TMJA=", + "lastModified": 1707842204, + "narHash": "sha256-M+HAq1qWQBi/gywaMZwX0odU+Qb/XeqVeANGKRBDOwU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "83e571bb291161682b9c3ccd48318f115143a550", + "rev": "f1b2f71c86a5b1941d20608db0b1e88a07d31303", "type": "github" }, "original": { @@ -212,11 +212,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1706732774, - "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", + "lastModified": 1707689078, + "narHash": "sha256-UUGmRa84ZJHpGZ1WZEBEUOzaPOWG8LZ0yPg1pdDF/yM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", + "rev": "f9d39fb9aff0efee4a3d5f4a6d7c17701d38a1d8", "type": "github" }, "original": { diff --git a/hosts/abacus/conduit.nix b/hosts/abacus/conduit.nix new file mode 100644 index 0000000..7afda11 --- /dev/null +++ b/hosts/abacus/conduit.nix 
@@ -0,0 +1,78 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ inherit (config.networking) domain;
+ subdomain = "matrix";
+ jsonFormat = pkgs.formats.json {};
+ wellKnownServer = jsonFormat.generate "well-known-matrix-server" {
+ "m.server" = "${subdomain}.${domain}:443";
+ };
+ wellKnownClient = jsonFormat.generate "well-known-matrix-client" {
+ "m.homeserver".base_url = "https://${subdomain}.${domain}";
+ };
+in {
+ services.matrix-conduit = {
+ enable = true;
+
+ settings.global = {
+ server_name = domain;
+
+ address = "127.0.0.1";
+ port = 8010;
+
+ database_backend = "rocksdb";
+
+ allow_registration = false;
+ };
+ };
+
+ systemd.services.conduit.serviceConfig.LimitNOFILE = 8192;
+
+ services.nginx.virtualHosts = {
+ ${domain}.locations = {
+ "=/.well-known/matrix/server" = {
+ alias = wellKnownServer;
+
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
+
+ "=/.well-known/matrix/client" = {
+ alias = wellKnownClient;
+
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
+ };
+
+ "${subdomain}.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ quic = true;
+
+ locations = {
+ "/".return = "404";
+
+ "/_matrix/" = {
+ proxyPass = "http://${config.services.matrix-conduit.settings.global.address}:${toString config.services.matrix-conduit.settings.global.port}$request_uri";
+ proxyWebsockets = true;
+
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_buffering off;
+ '';
+ };
+ };
+
+ extraConfig = ''
+ merge_slashes off;
+ '';
+ };
+ };
+}
diff --git a/hosts/abacus/default.nix b/hosts/abacus/default.nix
index 6e6244c..0d36b8a 100644
--- a/hosts/abacus/default.nix
+++ b/hosts/abacus/default.nix
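Review bot: The `/_matrix/` proxy location sets no `client_max_body_size`, so media uploads are bounded by nginx's global limit (the NixOS module's `services.nginx.clientMaxBodySize` default, 10m if I remember it right) rather than by Conduit's own request-size setting, and oversized uploads surface as opaque 413s; the Forgejo proxy in `hosts/abacus/forgejo.nix` has the same gap for LFS pushes. A line such as `client_max_body_size 20m;` in the location's `extraConfig`, sized to match Conduit's limit, closes that. `merge_slashes off;` and the `$request_uri` suffix on `proxyPass` are non-obvious and deserve a why-comment, e.g. `# hand the raw request URI to Conduit unchanged; Matrix endpoints are sensitive to nginx's path normalisation`. `proxy_set_header Host $host;` appears to be already emitted by `recommendedProxySettings = true` in `nginx.nix`, so that line is probably redundant.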
@@ -2,12 +2,13 @@ imports = [ (modulesPath + "/profiles/qemu-guest.nix") + ./conduit.nix + ./forgejo.nix ./mailserver.nix + ./navidrome.nix ./nextcloud.nix ./nginx.nix - ./static.nix ./vaultwarden.nix - # TODO: dendrite/conduit, gitea/forgejo ]; nixpkgs.hostPlatform = "aarch64-linux"; diff --git a/hosts/abacus/forgejo.nix b/hosts/abacus/forgejo.nix new file mode 100644 index 0000000..fc787f6 --- /dev/null +++ b/hosts/abacus/forgejo.nix @@ -0,0 +1,38 @@ +{config, ...}: let + virtualHostName = "tea.${config.networking.domain}"; +in { + services.forgejo = { + enable = true; + + database.type = "postgres"; + + lfs.enable = true; + + settings = { + session = { + COOKIE_SECURE = true; + PROVIDER = "db"; + }; + + service = { + DISABLE_REGISTRATION = true; + }; + + server = { + PROTOCOL = "http"; + HTTP_ADDR = "127.0.0.1"; + HTTP_PORT = 8020; + DOMAIN = virtualHostName; + ROOT_URL = "https://${virtualHostName}/"; + }; + }; + }; + + services.nginx.virtualHosts.${virtualHostName} = { + enableACME = true; + forceSSL = true; + quic = true; + + locations."/".proxyPass = "http://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}"; + }; +} diff --git a/hosts/abacus/mailserver.nix b/hosts/abacus/mailserver.nix index cb9fdcc..a675c77 100644 --- a/hosts/abacus/mailserver.nix +++ b/hosts/abacus/mailserver.nix @@ -1,6 +1,16 @@ -{config, ...}: let - inherit (config.networking) domain; - inherit (config.networking) fqdn; +{ + config, + pkgs, + ... +}: let + inherit (config.networking) domain fqdn; + + wellKnownMtaSts = pkgs.writeText "" '' + version: STSv1 + mode: enforce + mx: ${fqdn} + max_age: 86400 + ''; in { age.secrets.mail-lukas.file = ../../secrets/mail-lukas.age; @@ -19,7 +29,7 @@ in { loginAccounts = { "lukas@${domain}" = { hashedPasswordFile = config.age.secrets.mail-lukas.path; - aliases = ["postmaster@${domain}"]; + aliases = ["postmaster@${domain}" "vault@${domain}"]; }; }; 
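Review bot: `builtins.toString` in the `proxyPass` string of `hosts/abacus/forgejo.nix` is spelled differently from the bare `toString` used for the same purpose in `hosts/abacus/conduit.nix`; both name the same builtin, so pick one spelling across the new files (`navidrome.nix` and `vaultwarden.nix` use the `builtins.` form too). With `DISABLE_REGISTRATION = true` the first admin account presumably has to be created out of band; a comment next to that setting saying how (the `forgejo admin user create` CLI, I believe) would save the next person a search.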
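Review bot: `pkgs.writeText ""` in `hosts/abacus/mailserver.nix` gives the MTA-STS policy file an empty derivation name, which at best yields an unreadable store path and may be rejected at evaluation time; the generated well-known files in `hosts/abacus/conduit.nix` are named, so `pkgs.writeText "mta-sts.txt" ''…''` would be consistent. `mode: enforce` is the right end state but is only safe once the MX named by `${fqdn}` presents a valid certificate for that name, because remote senders honouring the policy will refuse delivery otherwise; a one-line comment to that effect above the policy text is worth adding.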
@@ -30,9 +40,20 @@ in { services.dovecot2.sieve.extensions = ["fileinto"]; services.nginx.virtualHosts."mta-sts.${domain}" = { - locations."= /.well-known/mta-sts.txt".return = ''200 "version: STSv1\nmode: enforce\nmx: ${fqdn}\nmax_age: 86400"''; enableACME = true; forceSSL = true; quic = true; + + locations = { + "/".return = "404"; + + "=/.well-known/mta-sts.txt" = { + alias = wellKnownMtaSts; + + extraConfig = '' + default_type text/plain; + ''; + }; + }; }; } diff --git a/hosts/abacus/navidrome.nix b/hosts/abacus/navidrome.nix new file mode 100644 index 0000000..5c7c393 --- /dev/null +++ b/hosts/abacus/navidrome.nix @@ -0,0 +1,24 @@ +{config, ...}: { + services.navidrome = { + enable = true; + settings = { + Address = "127.0.0.1"; + Port = 8030; + MusicFolder = "/srv/music"; + }; + }; + + services.nginx.virtualHosts."navi.${config.networking.domain}" = { + enableACME = true; + forceSSL = true; + quic = true; + + locations."/".proxyPass = "http://${config.services.navidrome.settings.Address}:${builtins.toString config.services.navidrome.settings.Port}"; + }; + + fileSystems.${config.services.navidrome.settings.MusicFolder} = { + device = "/dev/disk/by-label/music"; + fsType = "btrfs"; + options = ["compress=zstd" "noatime"]; + }; +} diff --git a/hosts/abacus/nextcloud.nix b/hosts/abacus/nextcloud.nix index 40b43a6..069c5d0 100644 --- a/hosts/abacus/nextcloud.nix +++ b/hosts/abacus/nextcloud.nix @@ -2,9 +2,7 @@ config, pkgs, ... -}: let - hostName = "cloud.${config.networking.domain}"; -in { +}: { age.secrets.nextcloud-lukas = { file = ../../secrets/nextcloud-lukas.age; owner = "nextcloud"; @@ -29,7 +27,7 @@ in { enable = true; package = pkgs.nextcloud28; - inherit hostName; + hostName = "cloud.${config.networking.domain}"; https = true; configureRedis = true; @@ -61,7 +59,7 @@ in { }; }; - services.nginx.virtualHosts.${hostName} = { + services.nginx.virtualHosts.${config.services.nextcloud.hostName} = { enableACME = true; forceSSL = true; quic = true; 
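Review bot: The `fileSystems` entry for the music volume in `hosts/abacus/navidrome.nix` has no `nofail`, so if the device labelled `music` is absent at boot the mount is treated as required and the host drops to emergency mode instead of coming up without Navidrome; `options = ["compress=zstd" "noatime" "nofail"];` lets the other services start and leaves Navidrome pointing at an empty or absent directory until the disk is back. Whether that trade-off is wanted on this host is a judgement call, but it deserves a comment either way.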
diff --git a/hosts/abacus/nginx.nix b/hosts/abacus/nginx.nix
index f64f01f..596d154 100644
--- a/hosts/abacus/nginx.nix
+++ b/hosts/abacus/nginx.nix
@@ -15,6 +15,36 @@
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 recommendedZstdSettings = true;
- commonHttpConfig = "access_log syslog:server=unix:/dev/log;";
+ commonHttpConfig = ''
+ error_log stderr;
+ access_log /var/log/nginx/access.log;
+ '';
+
+ virtualHosts = let
+ inherit (config.networking) domain;
+ in {
+ "~.*" = {
+ default = true;
+ rejectSSL = true;
+
+ globalRedirect = domain;
+ };
+
+ ${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ quic = true;
+
+ root = "/var/www/${domain}";
+ };
+
+ "log.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ quic = true;
+
+ root = "/var/www/log.${domain}";
+ };
+ };
 };
 }
diff --git a/hosts/abacus/static.nix b/hosts/abacus/static.nix
deleted file mode 100644
index 6c2f7e0..0000000
--- a/hosts/abacus/static.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{config, ...}: {
- services.nginx = {
- virtualHosts = let
- inherit (config.networking) domain;
- in {
- ${domain} = {
- root = "/var/www/${domain}";
- enableACME = true;
- forceSSL = true;
- quic = true;
- };
- "log.${domain}" = {
- root = "/var/www/log.${domain}";
- enableACME = true;
- forceSSL = true;
- quic = true;
- };
- };
- };
-}
diff --git a/hosts/abacus/vaultwarden.nix b/hosts/abacus/vaultwarden.nix
index e065203..023552c 100644
--- a/hosts/abacus/vaultwarden.nix
+++ b/hosts/abacus/vaultwarden.nix
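Review bot: `access_log /var/log/nginx/access.log;` moves request logs (client addresses, paths and user agents for every virtual host) from the journal to a plain file under `/var/log/nginx`; confirm that rotation and retention cover that file on this host — the NixOS nginx module registers a logrotate rule for `/var/log/nginx/*.log` as far as I recall — and add a comment saying why the syslog sink was dropped, since the old line looked deliberate. The `"~.*"` host with `default = true; rejectSSL = true;` is a good default: unknown names get a rejected TLS handshake rather than a certificate belonging to another site. The two hosts moved in from `static.nix` are unchanged apart from attribute ordering.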
@@ -1,20 +1,38 @@ {config, ...}: let inherit (config.networking) domain; + virtualHostName = "vault.${domain}"; in { services.vaultwarden = { enable = true; config = { + DOMAIN = "https://${virtualHostName}"; + SIGNUPS_ALLOWED = false; + INVITATIONS_ALLOWED = true; + INVITATION_ORG_NAME = domain; + + SMTP_HOST = config.mailserver.fqdn; + SMTP_PORT = 587; + SMTP_SECURITY = "force_tls"; + SMTP_TIMEOUT = 15; + + SMTP_FROM = "vault@${domain}"; + SMTP_FROM_NAME = "Vaultwarden"; + ROCKET_ADDRESS = "127.0.0.1"; ROCKET_PORT = 8000; }; }; - services.nginx.virtualHosts."vault.${domain}" = { - locations."/".proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}"; + services.nginx.virtualHosts.${virtualHostName} = { enableACME = true; forceSSL = true; quic = true; + + locations."/" = { + proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}"; + proxyWebsockets = true; + }; }; } diff --git a/hosts/glacier/default.nix b/hosts/glacier/default.nix index c4dfc09..adeb5d3 100644 --- a/hosts/glacier/default.nix +++ b/hosts/glacier/default.nix @@ -1,5 +1,4 @@ { - pkgs, inputs, modulesPath, ... diff --git a/part b/part index 17e9ddf..c1e4922 100755 --- a/part +++ b/part @@ -92,7 +92,7 @@ while true; do mainfs=$mainblkdev break ;; - *) printf '%s\n' 'Please answer with yes or no' 1>&2 ;; + *) printf 'Please answer with yes or no\n' 1>&2 ;; esac done diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 176400a..406f733 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
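Review bot: `SMTP_SECURITY = "force_tls"` together with `SMTP_PORT = 587` is a mismatch: `force_tls` means implicit TLS from the first byte, which the submission service on 587 does not speak (it expects STARTTLS), so outgoing mail will fail at connection time; use either `SMTP_SECURITY = "starttls";` with 587, or keep `force_tls` and set `SMTP_PORT = 465;`. Separately, the commit adds `secrets/vaultwarden.age` and declares it in `secrets/secrets.nix`, but nothing in this file references `age.secrets.vaultwarden` or sets `services.vaultwarden.environmentFile`; unless that is wired up in a file outside the diff, whatever the secret holds (SMTP credentials, an admin token) never reaches the service. Whether the local mailserver accepts unauthenticated relay from `127.0.0.1` to external recipients is not visible here, so the credential is probably needed for invitation mail to go out.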
@@ -15,5 +15,6 @@ let
 in {
 "user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues hosts);
 "mail-lukas.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
+ "vaultwarden.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
 "nextcloud-lukas.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
 }
diff --git a/secrets/vaultwarden.age b/secrets/vaultwarden.age
new file mode 100644
index 0000000..22179b4
Binary files /dev/null and b/secrets/vaultwarden.age differ