loooph 2021-08-31 20:43:21 +02:00
parent 6467e32ce5
commit b1d1abb614
13 changed files with 431 additions and 146 deletions


@ -12,20 +12,27 @@
./matrix-synapse.nix ./matrix-synapse.nix
./nginx.nix ./nginx.nix
./openldap.nix ./openldap.nix
./syncthing.nix #./syncthing.nix
./fail2ban.nix ./fail2ban.nix
./git.nix ./git.nix
./mail.nix #./jitsi.nix
./postgres.nix
./sd.nix
#./mail.nix
#./ldap-posix.nix
]; ];
# Boot # Boot
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
boot.loader.raspberryPi.enable = true; #boot.loader.raspberryPi.enable = true;
boot.loader.raspberryPi.version = 4; #boot.loader.raspberryPi.version = 4;
boot.loader.generic-extlinux-compatible.enable = true;
#boot.loader.generationsDir.enable = true;
# Kernel configuration # Kernel configuration
boot.kernelPackages = pkgs.linuxPackages_rpi4; boot.kernelPackages = pkgs.linuxPackages_rpi4;
boot.kernelParams = ["cma=64M" "console=tty0"]; #hardware.deviceTree.kernelPackage = pkgs.linux_rpi4;
boot.kernelParams = [ "console=ttyAMA0,115200n8" ];
# Enable additional firmware (such as Wi-Fi drivers). # Enable additional firmware (such as Wi-Fi drivers).
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
@ -38,6 +45,18 @@
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true; networking.interfaces.eth0.useDHCP = true;
# simple wireguard vpn
#networking.wireguard.interfaces.wg0 = {
# ips = [ "10.0.69.1/24" ];
# privateKey = "EEMw16rqdUCLwuhSlGYINXwUGo+kj88EBTBjl/6QwFU=";
# listenPort = 51666;
# peers = [
# {
# allowedIPs = [ "10.0.69.0/24" ];
# publicKey = "uFNoJWwVEWHMn7FRrxQm//pDXsKXLyIA4x3y6Q9+wlY=";
# }
# ];
#};
security.acme.email = "webmaster@bib3.de"; security.acme.email = "webmaster@bib3.de";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
@ -45,32 +64,20 @@
# Set your time zone. # Set your time zone.
time.timeZone = "UTC"; time.timeZone = "UTC";
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# pinentryFlavor = "gnome3";
# };
# List services that you want to enable:
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh.enable = true;
networking.firewall.allowPing = false; networking.firewall.allowPing = false;
networking.firewall.allowedTCPPorts = [ 22 80 443 ]; networking.firewall.allowedTCPPorts = [ 22 80 443 ];
networking.firewall.allowedUDPPorts = [ 51666 ]; # Wireguard
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
iptables -A INPUT -p tcp -s 95.90.121.54 -j ACCEPT iptables -A INPUT -p tcp -s 95.90.117.138 -j ACCEPT
''; '';
services.fail2ban.enable = true;
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
users.users.loooph = { users.users.loooph = {
isNormalUser = true; isNormalUser = true;
home = "/home/loooph"; home = "/home/loooph";
extraGroups = [ "wheel" ]; # Enable sudo for the user. extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCboBeXmDWM6Em3hwvAbbHbAmSV0fY+95Q+cM9ocx0a loooph@Loooph-Desktop" ];
}; };
nix.gc.automatic = true; nix.gc.automatic = true;
@ -87,7 +94,7 @@
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget vim git htop tmux openssl fd wget vim_configurable vimPlugins.ale vimPlugins.vim-nix git htop tmux openssl fd
]; ];
} }
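Review bot: The commented-out `networking.wireguard.interfaces.wg0` block in the second hunk embeds a `privateKey` literal, and a commented-out key is still a committed secret: it is in the repository history now, and if the block is ever uncommented as written it would also land in the world-readable Nix store. Treat that key as exposed, generate a new one, and when the interface is re-enabled reference it as `privateKeyFile = "<PATH-TO-ROOT-ONLY-KEY-FILE>";` instead of `privateKey`. The `allowedUDPPorts = [ 51666 ]` line appears to be dropped in the third hunk, which is consistent with the interface being disabled, so the firewall side needs no further change for now. The enclosing attribute set starts and ends outside the visible hunks.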


@ -10,11 +10,15 @@ in
forceSSL = true; forceSSL = true;
enableACME=true; enableACME=true;
locations."/".proxyPass = "http://127.0.0.1:3000"; locations."/".proxyPass = "http://127.0.0.1:3000";
extraConfig = ''
client_max_body_size 0;
'';
}; };
}; };
services.gitea = { services.gitea = {
enable = true; enable = true;
rootUrl = "https://git.bib3.de";
httpAddress = "127.0.0.1"; httpAddress = "127.0.0.1";
disableRegistration = true; disableRegistration = true;
cookieSecure = true; cookieSecure = true;
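Review bot: `client_max_body_size 0;` in the new `extraConfig` removes nginx's request-body cap entirely for this vhost, so the only limit on what a client can stream through the proxy is whatever Gitea enforces itself. If the intent is just to allow large pushes or attachments, a bounded value sized to the largest upload you actually expect keeps a ceiling in front of the backend. The same `client_max_body_size 0;` is added in the matrix-synapse section, where synapse is configured with `max_upload_size = "100M"`; `client_max_body_size 100M;` there would match the backend limit instead of disabling the check. Both `virtualHosts` blocks start outside the visible hunks.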

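--- /dev/null
+++ b/jitsi.nix
@@ -0,0 +1,18 @@
+{config, pkgs, ...}:
+let fqdn = "treffen.bib3.de"; in
+{
+services.jitsi-meet = {
+enable = true;
+hostName = "${fqdn}";
+interfaceConfig = {
+SHOW_JITSI_WATERMARK = false;
+SHOW_WATERMARK_FOR_GUESTS = false;
+};
+};
+services.nginx.virtualHosts.${fqdn} = {
+enableACME = true;
+forceSSL = true;
+};
+}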
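Review bot: `hostName = "${fqdn}";` interpolates a single variable into an otherwise empty string; `hostName = fqdn;` says the same thing without the quoting. Nothing in this file restricts who may create or join rooms, so if the instance is meant for a closed group, confirm the jitsi-meet module's authentication options rather than relying on the defaults, and record the decision in a comment. The `config` and `pkgs` arguments in the header are unused and could be dropped.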

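--- /dev/null
+++ b/ldap-posix.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+users.ldap = {
+base = "ou=users,o=bib3,c=DE";
+useTLS = true;
+daemon.enable = true;
+enable = true;
+server = "ldap://127.0.0.1";
+loginPam = true;
+timeLimit = 10;
+};
+security.pam.services.sshd.makeHomeDir = true;
+}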
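Review bot: With `loginPam = true` and `security.pam.services.sshd.makeHomeDir = true`, every account under `ou=users,o=bib3,c=DE` that nslcd resolves becomes an SSH login with an auto-created home directory, and no login filter or group restriction is visible in this file. If only some LDAP users should have shell access, add an authorization search such as `pam_authz_search` through `users.ldap.daemon.extraConfig` so membership in a dedicated group is required. The file is only imported commented-out (`#./ldap-posix.nix`) in this commit, so nothing is exposed yet; a one-line header comment stating that it is intentionally disabled and what has to be in place before enabling it would help the next reader.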


@ -2,7 +2,7 @@
{ {
imports = [ imports = [
(builtins.fetchTarball { (builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-20.03/nixos-mailserver-nixos-20.03.tar.gz"; url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-20.03/nixos-mailserver-nixos-20.09.tar.gz";
sha256 = "02k25bh4pg31cx40ri4ynjw65ahy0mmj794hi5i1yn48j56vdbkj"; sha256 = "02k25bh4pg31cx40ri4ynjw65ahy0mmj794hi5i1yn48j56vdbkj";
}) })
]; ];
@ -23,6 +23,35 @@
hashedPassword = "$6$/gNzrl3XvdKYD.aF$0Amy4k4PgrhIuvzEP9yfbIvGhmNP/kQ1a.NlTHjd.01qt38/f02zFUkcI/Rb/tltW17rn8Q73.ckDJ.EvIoLb0"; hashedPassword = "$6$/gNzrl3XvdKYD.aF$0Amy4k4PgrhIuvzEP9yfbIvGhmNP/kQ1a.NlTHjd.01qt38/f02zFUkcI/Rb/tltW17rn8Q73.ckDJ.EvIoLb0";
}; };
}; };
};
services.dovecot2.extraConfig = ''
auth_debug = yes
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
'';
environment.etc."dovecot/dovecot-ldap.conf.ext" = {
mode = "0600";
text = ''
hosts = 127.0.0.1
ldap_version = 3
tls = yes
base = ou=users,o=bib3,c=DE
user_attrs = =home=/home/bib3/%{ldap:cn},cn=uid,o=gid
user_filter = (&(objectClass=InetOrgPerson)(cn=%n))
pass_attrs = cn=user,userPassword=password
pass_filter = (&(objectClass=InetOrgPerson)(cn=%n))
default_pass_scheme = SHA512
'';
uid = config.ids.uids.dovecot2;
gid = config.ids.gids.dovecot2;
}; };
} }
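Review bot: The `url` in the first hunk renames the tarball to `nixos-mailserver-nixos-20.09.tar.gz` while the `sha256` directly below it is unchanged and the directory component still reads `nixos-20.03/`. A fixed-output fetch with the old hash will either fail the hash check or, if the 20.03 archive is already in the store, silently keep using the 20.03 contents, so the hash has to be updated to the real 20.09 archive and the path made consistent. In the second hunk `auth_debug = yes` makes Dovecot log authentication internals in detail; that is a debugging setting that should carry a comment saying why it is on and be turned off once LDAP auth works, since those logs expose usernames and lookup details. `mode = "0600"` protects the copy under /etc, but the `text` also lives in the world-readable Nix store — acceptable only because the file contains no bind credentials, which is worth stating in a comment so nobody adds `dnpass` there later.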


@ -33,12 +33,18 @@ in {
locations."/_matrix" = { locations."/_matrix" = {
proxyPass = "http://[::1]:8008"; proxyPass = "http://[::1]:8008";
}; };
extraConfig = ''
client_max_body_size 0;
'';
}; };
}; };
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
max_upload_size = "100M";
server_name = fqdn; server_name = fqdn;
registration_shared_secret = "aKCsb4AQyx7NPLDtyfRSR3ifmCDMb9NDMvaQnCznmI0VTHLNrckKQ8PNKOACYwkU";
listeners = [ listeners = [
{ {
port = 8008; port = 8008;
@ -54,6 +60,7 @@ in {
]; ];
} }
]; ];
plugins = with config.services.matrix-synapse.package.plugins; [ matrix-synapse-ldap3 ];
extraConfig = '' extraConfig = ''
password_providers: password_providers:
- module: "ldap_auth_provider.LdapAuthProvider" - module: "ldap_auth_provider.LdapAuthProvider"
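Review bot: `registration_shared_secret` is given as a string literal in the first hunk, so it ends up both in the repository history and in the generated homeserver configuration in the world-readable Nix store; anyone who can read either can register accounts on the homeserver. Treat it as exposed, generate a new one, and load it from a root-only file via `extraConfigFiles` instead of inline. `max_upload_size = "100M"` is set here while the nginx `extraConfig` in the same section disables the proxy cap with `client_max_body_size 0;`; matching the two keeps the limit enforced at the edge. The `services.matrix-synapse` set continues past the second hunk.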


@ -0,0 +1,17 @@
{lib, pkgs, config,...}:
with lib;
let
cfg = config.services.mediagoblin;
in {
options.services.mediagoblin = {
enable = mkEnableOption "mediagoblin service";
};
config = mkIf cfg.enable {
systemd.services.mediagoblin = {
wantedBy = [ "networking.target" ];
serviceConfig.ExecStart = "${pkgs.mediagoblin}/bin/mediagoblin";
};
};
}
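Review bot: `wantedBy = [ "networking.target" ];` names a target that is not a standard systemd unit (the standard one is `network.target`), and a long-running service is normally pulled in by `multi-user.target`, so as written the unit will likely never be started at boot. The service also runs as root, since no `User` or `DynamicUser` is set, and nothing visible in this commit wires the new mediagoblin derivation into `pkgs`, so `${pkgs.mediagoblin}` may not evaluate. A minimal fix is `wantedBy = [ "multi-user.target" ]; after = [ "network.target" ];` plus `serviceConfig.DynamicUser = true;` or a dedicated user.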

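--- /dev/null
+++ b/murmur.nix
@@ -0,0 +1,7 @@
+let host = "bib3.de"; in
+{
+services.murmur = {
+enable = true;
+hostname = "$host";
+};
+}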
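Review bot: `hostname = "$host";` is a literal string in Nix — `$host` without braces is not interpolated — so murmur would be given the host name `$host` rather than `bib3.de`. Use `hostname = host;` (or `"${host}"`). Since `services.murmur.hostname` is the address the server binds to, a public name here means a public listener; confirm the intended exposure, as no firewall port is opened for murmur in this commit.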


@ -10,11 +10,19 @@ in
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
# nginx would warn otherwise
mapHashBucketSize = 64;
virtualHosts = { virtualHosts = {
${fqdn} = { ${fqdn} = {
forceSSL=true; forceSSL = true;
enableACME=true; enableACME = true;
root = "/var/www/default";
};
"www.${fqdn}" = {
enableACME = true;
#globalRedirect = "${fqdn}";
root = "/var/www/default"; root = "/var/www/default";
}; };
}; };
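Review bot: The new `"www.${fqdn}"` vhost enables ACME but, unlike the bare-domain host above it, sets neither `forceSSL = true` nor the commented-out `globalRedirect`, so `www.` keeps serving the site over plain HTTP and the two hosts behave differently. Either `forceSSL = true;` (serve it over TLS like the primary) or `globalRedirect = fqdn; forceSSL = true;` (send visitors to the canonical name) makes them consistent. The same pattern appears in the new `sd.nix` and the fix is the same there. The `services.nginx` set starts outside the hunk.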


@ -9,17 +9,54 @@
services.openldap = { services.openldap = {
enable = true; enable = true;
dataDir = "/var/lib/openldap"; #database = "mdb";
rootpwFile = "/etc/nixos/secret/openldaproot.pw"; #dataDir = "/var/lib/openldap";
suffix = "o=bib3,c=DE"; #rootpwFile = "/etc/nixos/secret/openldaproot.pw";
rootdn = "cn=admin,o=bib3,c=DE"; #suffix = "o=bib3,c=DE";
extraConfig = '' #rootdn = "cn=admin,o=bib3,c=DE";
TLSCipherSuite DEFAULT settings = {
TLSCACertificateFile /var/lib/ssl/openldap/chain.pem children = {
TLSCertificateFile /var/lib/ssl/openldap/cert.pem "cn=schema".includes = [
TLSCertificateKeyFile /var/lib/ssl/openldap/key.pem "${pkgs.openldap}/etc/schema/core.ldif"
''; "${pkgs.openldap}/etc/schema/cosine.ldif"
declarativeContents = '' "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={-1}frontend" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{-1}frontend";
};
};
"olcDatabase={0}config" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{0}config";
olcAccess = [ "{0}to * by * none break" ];
};
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap";
olcSuffix = "o=bib3,c=DE";
};
};
};
attrs = {
objectClass = "olcGlobal";
olcTLSCipherSuite = "DEFAULT";
olcTLSCACertificateFile = "/var/lib/ssl/openldap/chain.pem";
olcTLSCertificateFile = "/var/lib/ssl/openldap/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/ssl/openldap/key.pem";
};
};
declarativeContents = {
"o=bib3,c=DE" = ''
dn: o=bib3, c=DE dn: o=bib3, c=DE
objectclass: organization objectclass: organization
@ -27,9 +64,21 @@
objectclass: organizationalUnit objectclass: organizationalUnit
ou: users ou: users
dn: cn=test, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
objectclass: PosixAccount
uid: test
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/bib3.de/test
loginShell: /run/current-system/sw/bin/bash
sn:
givenName:
mail:
userPassword: {CRYPT}$6$GRvHa9J1FuDnxZu4$oZT75ZDoh78JQ1GNQGtzftlL9HO6HPzouxdGsbyBCyDld/9skUC78/8m6YW.KE3k5p6pWMAZs.4iYvrhvDfwe.
dn: cn=loooph, ou=users, o=bib3, c=DE dn: cn=loooph, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
cn: loooph
sn: sn:
givenName: givenName:
mail: mail:
@ -37,7 +86,6 @@
dn: cn=lmux, ou=users, o=bib3, c=DE dn: cn=lmux, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
cn: lmux
sn: sn:
givenName: givenName:
mail: mail:
@ -70,7 +118,7 @@
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$ip1kNMpHggg2Psvw$1P.88EI6k3Hvez5xtpZkbeTdvlAO/UKaWVJ3Pn/NM3C/dqy9H2OI1AY3csu9pNKyioEJmbg/GpCUd8CtkHBJI. userPassword: {CRYPT}$6$e8EvCa/QTDNYMASu$JQ3F9gcgOZ/ADV4TtLBoHBWtapECY7noFFhJUqM54sR3uvV8Mb008K/H4/Y0./Ad3xEVDo7A5XziT14NxrsXo.
dn: cn=pear, ou=users, o=bib3, c=DE dn: cn=pear, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
@ -84,7 +132,7 @@
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$8mm3LWImMTN5dnau$G/W1AmZkiHScDEt6iekgj/NedxFtyaxEnK4w68R0FrUXtmot4A6rd1/kkECJQo74yUmPwdvkt.7.wYAr4gp/U/ userPassword: {CRYPT}$6$LBoVn0HpmBtkzK/I$Wu44jPkMq8t1eudg7wNHvpZVDELl1ZHZFepZVzYgtVoy7nTCBrggYn7w4CdoKEPfzD8SrkcEG2LDBBjIoaqBs.
dn: cn=bao, ou=users, o=bib3, c=DE dn: cn=bao, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
@ -148,7 +196,29 @@
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$A2q7qP2ixm2O58Ae$j8jroZLmR2hWTsIvtQKEO8J7tBFmyW1DKM.LXJaP9G4aCnLSZ30EzLZN446Cz3nVDSS5oC5DAk46Fo2fcJTfP/ userPassword: {CRYPT}$6$A2q7qP2ixm2O58Ae$j8jroZLmR2hWTsIvtQKEO8J7tBFmyW1DKM.LXJaP9G4aCnLSZ30EzLZN446Cz3nVDSS5oC5DAk46Fo2fcJTfP/
dn: cn=fennel, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$h.cPmeWyHursgygn$3A7geff6OxRdH.fdr4Wi9VMp7aLnPceEcpTBV11bRw3D0dttGBWOMv8yiqKu4o0AT2OJIv6ABIfY0Z6URDhlI0
dn: cn=enk, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$73CY61UhTPzTdvPy$d/R.8SYekHZMvTRgbBkEwzjG6RW6jw3wpFrUB/WsxDdK9BNCEyAOMLrBxlWAntldAd2vlpkTc/6wME5qMng63.
dn: cn=merlinobolt, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$MBNh42EIkqwk9q2.$nacPz6Hc.12AJZs/ZgapM5uOdB3urdU2ARq8gOgwJ6pWPD8zMnrdrTELMvitbCkBWScdKRscHmUBwl2V3c0Xc0
''; '';
}; };
};
# TODO move users to seperate files # TODO move users to seperate files
} }
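Review bot: The `{1}mdb` database in the first hunk gets no `olcAccess`, so slapd's built-in default applies (`to * by * read`), which lets any client that can reach the listener read every `userPassword` hash in `declarativeContents`; the old configuration had the same gap, but this rewrite is the moment to close it. The Dovecot `passdb` added in the mail section binds anonymously and reads `userPassword`, so the layout currently depends on that exposure; restrict the attribute with something like `olcAccess = [ "{0}to attrs=userPassword by self write by anonymous auth by * none" "{1}to * by * read" ];` and switch Dovecot to `auth_bind = yes` so it authenticates by binding instead of fetching hashes. The `{CRYPT}` hashes themselves — including the rotated ones in the later hunks and the new `cn=test` PosixAccount with uidNumber 2000 — remain in the repository, and once `ldap-posix.nix` is enabled that test account becomes an SSH login, so it should not carry a committed password. The existing TODO about splitting users into separate files is a good point to move the LDIF out of the repo or generate it from a secret.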


@ -0,0 +1,40 @@
#{ lib, stdenv, fetchurl, ... }:
with import <nixpkgs> {};
stdenv.mkDerivation rec {
pname = "mediagoblin";
version = "0.11.0";
src = fetchurl {
url = "https://git.savannah.gnu.org/cgit/${pname}.git/snapshot/${pname}-${version}.tar.gz";
sha256 = "1izvnd6x8bmvw36cjpfgmgh7f2gnbf7mni3s29svdjp0ww4szzxn";
};
doCheck = true;
nativeBuildInputs = [
autoconf
m4
nodejs
python3
python3Packages.certifi
python3Packages.lxml
python3Packages.pillow
python3Packages.virtualenv
];
buildInputs = [
sqlite
];
meta = with lib; {
description = "media publishing platform that anyone can run";
longDescription = ''
MediaGoblin is a free software media publishing platform that anyone can run. You can think of it as a decentralized alternative to Flickr, YouTube, SoundCloud, etc.
'';
homepage = "https://mediagoblin.org/";
license = licenses.gpl3Plus;
};
}

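--- /dev/null
+++ b/postgres.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+{
+services.postgresql = {
+enable = true;
+settings = {
+wal_level = "minimal";
+max_wal_senders = 0;
+fsync = false;
+synchronous_commit = false;
+full_page_writes = false;
+wal_compression = true;
+checkpoint_timeout = "1d";
+checkpoint_completion_target = 0.9;
+checkpoint_flush_after = 0;
+min_wal_size = "32MB";
+max_wal_size = "64MB";
+max_connections = 100;
+shared_buffers = "128MB";
+effective_cache_size = "384MB";
+maintenance_work_mem = "32MB";
+wal_buffers = "64MB";
+default_statistics_target = 100;
+random_page_cost = 1.1;
+effective_io_concurrency = 4;
+work_mem = "32MB";
+max_worker_processes = 2;
+max_parallel_workers_per_gather = 1;
+max_parallel_workers = 2;
+};
+};
+}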
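Review bot: `fsync = false`, `synchronous_commit = false` and `full_page_writes = false` together trade crash safety for write speed: after a power loss or kernel crash the cluster can be left unrecoverably corrupt, not merely missing the last commits, and the kernel selection elsewhere in this commit shows this runs on a Raspberry Pi where unclean shutdowns are plausible. If the data matters, keep `fsync` and `full_page_writes` at their defaults and take the speed from `synchronous_commit = false` alone, which only risks the most recent transactions. Whatever is chosen, a comment above the block stating the accepted risk and the reason is needed; these settings are too consequential to stand unexplained. `config` and `pkgs` in the header are unused.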

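--- /dev/null
+++ b/sd.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+let
+fqdn = "schwulesding.de";
+in
+{
+services.nginx = {
+enable = true;
+recommendedTlsSettings = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+# nginx would warn otherwise
+mapHashBucketSize = 64;
+virtualHosts = {
+${fqdn} = {
+forceSSL = true;
+enableACME = true;
+root = "/var/www/schwulesding";
+};
+"www.${fqdn}" = {
+enableACME = true;
+#globalRedirect = "${fqdn}";
+root = "/var/www/schwulesding";
+};
+};
+};
+}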
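Review bot: Everything in this `services.nginx` block except `virtualHosts` repeats settings already declared in nginx.nix (`enable`, the four `recommended*` options, `mapHashBucketSize`); NixOS merges the two sets, so the duplicates are harmless today but will start to conflict the moment one copy is changed and the other is not. Keep only `services.nginx.virtualHosts = { … };` here and let nginx.nix own the global settings. `config` and `pkgs` in the header are unused.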