From 761d5c684df74aabfeda7db13cf24b93ed77a1f2 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 30 Aug 2020 17:21:53 +0000
Subject: [PATCH] use modular config
---
 configuration.nix | 121 +++------------------------------------------
 matrix-synapse.nix | 58 ++++++++++++++++++++++
 nextcloud.nix | 51 +++++++++++++++++++
 nginx.nix | 23 +++++++++
 4 files changed, 138 insertions(+), 115 deletions(-)
 create mode 100644 matrix-synapse.nix
 create mode 100644 nextcloud.nix
 create mode 100644 nginx.nix
diff --git a/configuration.nix b/configuration.nix
index 729cff8..a5da3dd 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -4,15 +4,13 @@
 { config, pkgs, ... }:
-let
- fqdn =
- let
- join = hostName: domain: hostName + ".${domain}";
- in join config.networking.hostName config.networking.domain;
-in {
+{
 imports = [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ./nextcloud.nix
+ ./matrix-synapse.nix
+ ./nginx.nix
 ];
 # Boot
@@ -27,16 +25,14 @@ in {
 # Enable additional firmware (such as Wi-Fi drivers).
 hardware.enableRedistributableFirmware = true;
- networking.hostName = "bib3"; # Define your hostname.
- networking.domain = "de";
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.hostName = "levitest"; # Define your hostname.
 # The global useDHCP flag is deprecated, therefore explicitly set to false here.
 # Per-interface useDHCP will be mandatory in the future, so this generated config
 # replicates the default behaviour.
 networking.useDHCP = false;
 networking.interfaces.eth0.useDHCP = true;
- networking.interfaces.wlan0.useDHCP = true;
+ security.acme.email = "webmaster@bib3.de";
 security.acme.acceptTerms = true;
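Review bot: Dropping `networking.domain` and the `fqdn` binding in the first hunk leaves every new module spelling out its own copy of the domain (`matrix.bib3.de`, `nextcloud.bib3.de` and `bib3.de` in matrix-synapse.nix, nextcloud.nix and nginx.nix), and `security.acme.email` in the second hunk keeps a fourth copy, so a domain change now has to touch four files. Keeping `networking.domain = "bib3.de";` here and writing `fqdn = "matrix.${config.networking.domain}";` in each module would preserve the single source of truth the removed `let` provided. The second hunk also renames the host to `levitest` while the ACME contact and all vhosts stay on bib3.de; presumably intentional for a test machine, but a short comment on the `networking.hostName` line would stop the mismatch from being read as a typo.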
@@ -66,23 +62,6 @@ in {
 services.openssh.enable = true;
 networking.firewall.allowedTCPPorts = [ 22 80 443 ];
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "nextcloud" ];
- ensureUsers = [
- { name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
- }
- ];
- initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- '';
- };
- services.nginx = {
 enable = true;
 # only recommendedProxySettings and recommendedGzipSettings are strictly required,
@@ -96,97 +75,9 @@ in {
 "default_server" = { root = "/var/www/default"; };
-
- # This host section can be placed on a different host than the rest,
- # i.e. to delegate from the host being accessible as ${config.networking.domain}
- # to another host actually running the Matrix homeserver.
- "${config.networking.domain}" = {
- locations."= /.well-known/matrix/server".extraConfig =
- let
- # use 443 instead of the default 8448 port to unite
- # the client-server and server-server port for simplicity
- server = { "m.server" = "${fqdn}:443"; };
- in ''
- add_header Content-Type application/json;
- return 200 '${builtins.toJSON server}';
- '';
- locations."= /.well-known/matrix/client".extraConfig =
- let
- client = {
- "m.homeserver" = { "base_url" = "https://${fqdn}"; };
- "m.identity_server" = { "base_url" = "https://vector.im"; };
- };
- # ACAO required to allow element-web on any URL to request this json file
- in ''
- add_header Content-Type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON client}';
- '';
- };
-
- # Reverse proxy for Matrix client-server and server-server communication
- ${fqdn} = {
- enableACME = true;
- forceSSL = true;
-
- # Or do a redirect instead of the 404, or whatever is appropriate for you.
- # But do not put a Matrix Web client here! See the Element web section below.
- locations."/".extraConfig = ''
- return 404;
- '';
-
- # forward all Matrix API calls to the synapse Matrix homeserver
- locations."/_matrix" = {
- proxyPass = "http://[::1]:8008"; # without a trailing /
- };
- };
-
- "nextcloud.${fqdn}" = {
- forceSSL = true;
- enableACME = true;
- };
 };
 };
- services.matrix-synapse = {
- enable = true;
- server_name = config.networking.domain;
- listeners = [
- {
- port = 8008;
- bind_address = "::1";
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = [ "client" "federation" ];
- compress = false;
- }
- ];
- }
- ];
- };
-
- services.nextcloud = {
- enable = true;
- hostName = "nextcloud." + fqdn;
- nginx.enable = true;
- config = {
- dbtype = "pgsql";
- dbuser = "nextcloud";
- dbhost = "/run/postgresql";
- dbname = "nextcloud";
- adminpassFile = "/var/lib/nextcloud/config/adminpass";
- adminuser = "root";
- };
- };
-
- systemd.services."nextcloud-setup" = {
- requires = [ "postgresql.service" ];
- after = [ "postgresql.service" ];
- };
- # Define a user account. Don't forget to set a password with ‘passwd’.
 users.users.loooph = {
 isNormalUser = true;
diff --git a/matrix-synapse.nix b/matrix-synapse.nix
new file mode 100644
index 0000000..3ce2a4f
--- /dev/null
+++ b/matrix-synapse.nix
@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+let
+ fqdn = "matrix.bib3.de";
+in {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts.${fqdn} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+
+ locations."/_matrix" = {
+ proxyPass = "http://[::1]:8008";
+ };
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ server_name = fqdn;
+ listeners = [
+ {
+ port = 8008;
+ bind_address = "::1";
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ };
+}
diff --git a/nextcloud.nix b/nextcloud.nix
new file mode 100644
index 0000000..0fca7da
--- /dev/null
+++ b/nextcloud.nix
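Review bot: `initialScript` writes `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'` through `pkgs.writeText`, which places the file in the world-readable Nix store, so the database credential is a fixed, guessable value readable by every local account on the host. PostgreSQL and Synapse run on the same machine here (`bind_address = "::1"`) and nextcloud.nix already relies on `ensureUsers` with socket authentication, so the same approach (a role without a password plus `ensureDatabases`/`ensureUsers`, Synapse pointed at the Unix socket) would remove the literal from the store — confirm the synapse module's database options support that on this NixOS release. Separately, the `.well-known/matrix/server` delegation removed from configuration.nix has no replacement in this file and `allowedTCPPorts` opens only 80 and 443, so remote homeservers will presumably fall back to port 8448 on `matrix.bib3.de` and fail to federate; either add a `locations."= /.well-known/matrix/server"` block on this vhost returning `{"m.server": "matrix.bib3.de:443"}` or document that federation is intentionally off.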
@@ -0,0 +1,51 @@
+{config, pkgs, ...}:
+let
+ fqdn = "nextcloud.bib3.de";
+in {
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts.${fqdn} = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+
+ services.nextcloud = {
+ enable = true;
+ hostName = fqdn;
+ nginx.enable = true;
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ adminpassFile = "/var/lib/nextcloud/config/adminpass";
+ adminuser = "root";
+ };
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+}
diff --git a/nginx.nix b/nginx.nix
new file mode 100644
index 0000000..5833161
--- /dev/null
+++ b/nginx.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+let
+ fqdn = "bib3.de";
+in
+{
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ ${fqdn} = {
+ forceSSL=true;
+ enableACME=true;
+ root = "/var/www/default";
+ };
+ };
+ };
+}
+
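Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` is a global `services.nginx` option, so placing it in nextcloud.nix silently applies it to the matrix and default vhosts as well and overrides the module's default cipher list (presumably the one `recommendedTlsSettings`, set just above it, is meant to pair with); a reader of matrix-synapse.nix or nginx.nix has no way to see that. Either move it next to the other shared nginx settings in nginx.nix with a comment stating why this list is wanted, or drop it and rely on `recommendedTlsSettings`. `adminpassFile = "/var/lib/nextcloud/config/adminpass"` is consumed by the `nextcloud-setup` unit this file orders after postgresql, but nothing in the patch provisions that file, so a first activation on a fresh host will presumably fail; a comment such as `# must be created out of band before the first nextcloud-setup run` would save the next deployer the surprise.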
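Review bot: The `${fqdn}` vhost sets `root = "/var/www/default"`, the same directory the `"default_server"` vhost that remains in configuration.nix serves, so one directory is now exposed under two server names; if nginx.nix is meant to own the default site, the `"default_server"` entry should move here, otherwise one of the two `root` lines is redundant. `forceSSL=true;` and `enableACME=true;` omit the spaces around `=` used everywhere else in the patch. `enable = true;` and the four `recommended*Settings` lines are repeated verbatim in matrix-synapse.nix and nextcloud.nix; with nginx.nix imported unconditionally from configuration.nix they only need to live here, and the service modules can contribute just their `virtualHosts` entries. The `config` and `pkgs` arguments are unused in this file.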