loooph
/
bib3.de-nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

after cp

master
loooph 2021-08-31 20:43:21 +02:00
parent 6467e32ce5
commit b1d1abb614
13 changed files with 431 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
configuration.nix
View File

@ -12,20 +12,27 @@
./matrix-synapse.nix ./matrix-synapse.nix
./nginx.nix ./nginx.nix
./openldap.nix ./openldap.nix
./syncthing.nix #./syncthing.nix
./fail2ban.nix ./fail2ban.nix
./git.nix ./git.nix
./mail.nix #./jitsi.nix
./postgres.nix
./sd.nix
#./mail.nix
#./ldap-posix.nix
]; ];
# Boot # Boot
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
boot.loader.raspberryPi.enable = true; #boot.loader.raspberryPi.enable = true;
boot.loader.raspberryPi.version = 4; #boot.loader.raspberryPi.version = 4;
boot.loader.generic-extlinux-compatible.enable = true;
#boot.loader.generationsDir.enable = true;
# Kernel configuration # Kernel configuration
boot.kernelPackages = pkgs.linuxPackages_rpi4; boot.kernelPackages = pkgs.linuxPackages_rpi4;
boot.kernelParams = ["cma=64M" "console=tty0"]; #hardware.deviceTree.kernelPackage = pkgs.linux_rpi4;
boot.kernelParams = [ "console=ttyAMA0,115200n8" ];
# Enable additional firmware (such as Wi-Fi drivers). # Enable additional firmware (such as Wi-Fi drivers).
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
@ -38,6 +45,18 @@
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true; networking.interfaces.eth0.useDHCP = true;
# simple wireguard vpn
#networking.wireguard.interfaces.wg0 = {
# ips = [ "10.0.69.1/24" ];
# privateKey = "EEMw16rqdUCLwuhSlGYINXwUGo+kj88EBTBjl/6QwFU=";
# listenPort = 51666;
# peers = [
# {
# allowedIPs = [ "10.0.69.0/24" ];
# publicKey = "uFNoJWwVEWHMn7FRrxQm//pDXsKXLyIA4x3y6Q9+wlY=";
# }
# ];
#};
security.acme.email = "webmaster@bib3.de"; security.acme.email = "webmaster@bib3.de";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
@ -45,32 +64,20 @@
# Set your time zone. # Set your time zone.
time.timeZone = "UTC"; time.timeZone = "UTC";
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# pinentryFlavor = "gnome3";
# };
# List services that you want to enable:
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh.enable = true;
networking.firewall.allowPing = false; networking.firewall.allowPing = false;
networking.firewall.allowedTCPPorts = [ 22 80 443 ]; networking.firewall.allowedTCPPorts = [ 22 80 443 ];
networking.firewall.allowedUDPPorts = [ 51666 ]; # Wireguard
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
iptables -A INPUT -p tcp -s 95.90.121.54 -j ACCEPT iptables -A INPUT -p tcp -s 95.90.117.138 -j ACCEPT
''; '';
services.fail2ban.enable = true;
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
users.users.loooph = { users.users.loooph = {
isNormalUser = true; isNormalUser = true;
home = "/home/loooph"; home = "/home/loooph";
extraGroups = [ "wheel" ]; # Enable sudo for the user. extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCboBeXmDWM6Em3hwvAbbHbAmSV0fY+95Q+cM9ocx0a loooph@Loooph-Desktop" ];
}; };
nix.gc.automatic = true; nix.gc.automatic = true;
@ -87,7 +94,7 @@
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget vim git htop tmux openssl fd wget vim_configurable vimPlugins.ale vimPlugins.vim-nix git htop tmux openssl fd
]; ];
} }

4
git.nix
View File

@ -10,11 +10,15 @@ in
forceSSL = true; forceSSL = true;
enableACME=true; enableACME=true;
locations."/".proxyPass = "http://127.0.0.1:3000"; locations."/".proxyPass = "http://127.0.0.1:3000";
extraConfig = ''
client_max_body_size 0;
'';
}; };
}; };
services.gitea = { services.gitea = {
enable = true; enable = true;
rootUrl = "https://git.bib3.de";
httpAddress = "127.0.0.1"; httpAddress = "127.0.0.1";
disableRegistration = true; disableRegistration = true;
cookieSecure = true; cookieSecure = true;

18
jitsi.nix Normal file
View File

@ -0,0 +1,18 @@
{config, pkgs, ...}:
let fqdn = "treffen.bib3.de"; in
{
services.jitsi-meet = {
enable = true;
hostName = "${fqdn}";
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
services.nginx.virtualHosts.${fqdn} = {
enableACME = true;
forceSSL = true;
};
}

15
ldap-posix.nix Normal file
View File

@ -0,0 +1,15 @@
{ config, pkgs, ... }:
{
users.ldap = {
base = "ou=users,o=bib3,c=DE";
useTLS = true;
daemon.enable = true;
enable = true;
server = "ldap://127.0.0.1";
loginPam = true;
timeLimit = 10;
};
security.pam.services.sshd.makeHomeDir = true;
}

31
mail.nix
View File

@ -2,7 +2,7 @@
{ {
imports = [ imports = [
(builtins.fetchTarball { (builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-20.03/nixos-mailserver-nixos-20.03.tar.gz"; url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-20.03/nixos-mailserver-nixos-20.09.tar.gz";
sha256 = "02k25bh4pg31cx40ri4ynjw65ahy0mmj794hi5i1yn48j56vdbkj"; sha256 = "02k25bh4pg31cx40ri4ynjw65ahy0mmj794hi5i1yn48j56vdbkj";
}) })
]; ];
@ -23,6 +23,35 @@
hashedPassword = "$6$/gNzrl3XvdKYD.aF$0Amy4k4PgrhIuvzEP9yfbIvGhmNP/kQ1a.NlTHjd.01qt38/f02zFUkcI/Rb/tltW17rn8Q73.ckDJ.EvIoLb0"; hashedPassword = "$6$/gNzrl3XvdKYD.aF$0Amy4k4PgrhIuvzEP9yfbIvGhmNP/kQ1a.NlTHjd.01qt38/f02zFUkcI/Rb/tltW17rn8Q73.ckDJ.EvIoLb0";
}; };
}; };
};
services.dovecot2.extraConfig = ''
auth_debug = yes
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
'';
environment.etc."dovecot/dovecot-ldap.conf.ext" = {
mode = "0600";
text = ''
hosts = 127.0.0.1
ldap_version = 3
tls = yes
base = ou=users,o=bib3,c=DE
user_attrs = =home=/home/bib3/%{ldap:cn},cn=uid,o=gid
user_filter = (&(objectClass=InetOrgPerson)(cn=%n))
pass_attrs = cn=user,userPassword=password
pass_filter = (&(objectClass=InetOrgPerson)(cn=%n))
default_pass_scheme = SHA512
'';
uid = config.ids.uids.dovecot2;
gid = config.ids.gids.dovecot2;
}; };
} }

7
matrix-synapse.nix
View File

@ -33,12 +33,18 @@ in {
locations."/_matrix" = { locations."/_matrix" = {
proxyPass = "http://[::1]:8008"; proxyPass = "http://[::1]:8008";
}; };
extraConfig = ''
client_max_body_size 0;
'';
}; };
}; };
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
max_upload_size = "100M";
server_name = fqdn; server_name = fqdn;
registration_shared_secret = "aKCsb4AQyx7NPLDtyfRSR3ifmCDMb9NDMvaQnCznmI0VTHLNrckKQ8PNKOACYwkU";
listeners = [ listeners = [
{ {
port = 8008; port = 8008;
@ -54,6 +60,7 @@ in {
]; ];
} }
]; ];
plugins = with config.services.matrix-synapse.package.plugins; [ matrix-synapse-ldap3 ];
extraConfig = '' extraConfig = ''
password_providers: password_providers:
- module: "ldap_auth_provider.LdapAuthProvider" - module: "ldap_auth_provider.LdapAuthProvider"

17
modules/services/mediagoblin/default.nix Normal file
View File

@ -0,0 +1,17 @@
{lib, pkgs, config,...}:
with lib;
let
cfg = config.services.mediagoblin;
in {
options.services.mediagoblin = {
enable = mkEnableOption "mediagoblin service";
};
config = mkIf cfg.enable {
systemd.services.mediagoblin = {
wantedBy = [ "networking.target" ];
serviceConfig.ExecStart = "${pkgs.mediagoblin}/bin/mediagoblin";
};
};
}

7
murmur.nix Normal file
View File

@ -0,0 +1,7 @@
let host = "bib3.de"; in
{
services.murmur = {
enable = true;
hostname = "$host";
};
}

12
nginx.nix
View File

@ -10,13 +10,21 @@ in
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
# nginx would warn otherwise
mapHashBucketSize = 64;
virtualHosts = { virtualHosts = {
${fqdn} = { ${fqdn} = {
forceSSL=true; forceSSL = true;
enableACME=true; enableACME = true;
root = "/var/www/default"; root = "/var/www/default";
}; };
"www.${fqdn}" = {
enableACME = true;
#globalRedirect = "${fqdn}";
root = "/var/www/default";
};
}; };
}; };
} }

316
openldap.nix
View File

@ -9,146 +9,216 @@
services.openldap = { services.openldap = {
enable = true; enable = true;
dataDir = "/var/lib/openldap"; #database = "mdb";
rootpwFile = "/etc/nixos/secret/openldaproot.pw"; #dataDir = "/var/lib/openldap";
suffix = "o=bib3,c=DE"; #rootpwFile = "/etc/nixos/secret/openldaproot.pw";
rootdn = "cn=admin,o=bib3,c=DE"; #suffix = "o=bib3,c=DE";
extraConfig = '' #rootdn = "cn=admin,o=bib3,c=DE";
TLSCipherSuite DEFAULT settings = {
TLSCACertificateFile /var/lib/ssl/openldap/chain.pem children = {
TLSCertificateFile /var/lib/ssl/openldap/cert.pem "cn=schema".includes = [
TLSCertificateKeyFile /var/lib/ssl/openldap/key.pem "${pkgs.openldap}/etc/schema/core.ldif"
''; "${pkgs.openldap}/etc/schema/cosine.ldif"
declarativeContents = '' "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
dn: o=bib3, c=DE "${pkgs.openldap}/etc/schema/nis.ldif"
objectclass: organization ];
"olcDatabase={-1}frontend" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{-1}frontend";
};
};
"olcDatabase={0}config" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{0}config";
olcAccess = [ "{0}to * by * none break" ];
};
};
dn: ou=users, o=bib3, c=DE "olcDatabase={1}mdb" = {
objectclass: organizationalUnit attrs = {
ou: users objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap";
olcSuffix = "o=bib3,c=DE";
};
};
};
dn: cn=loooph, ou=users, o=bib3, c=DE attrs = {
objectclass: InetOrgPerson objectClass = "olcGlobal";
cn: loooph olcTLSCipherSuite = "DEFAULT";
sn: olcTLSCACertificateFile = "/var/lib/ssl/openldap/chain.pem";
givenName: olcTLSCertificateFile = "/var/lib/ssl/openldap/cert.pem";
mail: olcTLSCertificateKeyFile = "/var/lib/ssl/openldap/key.pem";
userPassword: {CRYPT}$6$C906P7N7ZbqxjC38$BezcmyYs1XR45cAqUDkuoUyca2fchXzNnvhZsB/TmR5Py6M9xEERdIm9anyXkVMwVvBrMn9LujVXxKxSpuz.1. };
};
dn: cn=lmux, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
cn: lmux
sn:
givenName:
mail:
userPassword: {CRYPT}$6$NGdlZVYAvETLQAb2$AXyC9myezCAGGq94HvyKRgjpvt04MGZXcMSMS5vP10Y.LzPot/DyRdIvx2LBs9rsOtTGsFYPCpTx7dnEK1LDs0
dn: cn=imoc, ou=users, o=bib3, c=DE declarativeContents = {
objectclass: InetOrgPerson "o=bib3,c=DE" = ''
cn: imoc dn: o=bib3, c=DE
sn: objectclass: organization
givenName:
mail:
userPassword: {CRYPT}$6$3xZm8NPt32CZ4oEJ$B4ptPV2eMuf76bSCkb6siYpft1aa4NObdokMjscNaicMfaMCiwyM0s4R2me3EAOZiPXSl36DMTFl5MaZHBHqP1
dn: cn=andrej0913, ou=users, o=bib3, c=DE dn: ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: organizationalUnit
sn: ou: users
givenName:
mail:
userPassword: {CRYPT}$6$qI3fENURGFHYMVeN$tdqfgaA/Uex.p1DC7YUSXQ4P0tqAsUAUMkrtk68LKLmswLBcz3C2KLbglm4XIYUdEjw2fkWNbPLtrF/.d17nF.
dn: cn=gallaron, ou=users, o=bib3, c=DE dn: cn=test, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: objectclass: PosixAccount
givenName: uid: test
mail: uidNumber: 2000
userPassword: {CRYPT}$6$vbhMLZRZmvLcXvP6$U3Q81g7FVuo4jnK.0Yy12PdL0Eqso4Thjlc3YnRGJe9tyfeovKdSeNPhEPDGNhIzFZdnmsVYzJO/xnbb0ub1c0 gidNumber: 2000
homeDirectory: /home/bib3.de/test
loginShell: /run/current-system/sw/bin/bash
sn:
givenName:
mail:
userPassword: {CRYPT}$6$GRvHa9J1FuDnxZu4$oZT75ZDoh78JQ1GNQGtzftlL9HO6HPzouxdGsbyBCyDld/9skUC78/8m6YW.KE3k5p6pWMAZs.4iYvrhvDfwe.
dn: cn=anon, ou=users, o=bib3, c=DE dn: cn=loooph, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$ip1kNMpHggg2Psvw$1P.88EI6k3Hvez5xtpZkbeTdvlAO/UKaWVJ3Pn/NM3C/dqy9H2OI1AY3csu9pNKyioEJmbg/GpCUd8CtkHBJI. userPassword: {CRYPT}$6$C906P7N7ZbqxjC38$BezcmyYs1XR45cAqUDkuoUyca2fchXzNnvhZsB/TmR5Py6M9xEERdIm9anyXkVMwVvBrMn9LujVXxKxSpuz.1.
dn: cn=lmux, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$NGdlZVYAvETLQAb2$AXyC9myezCAGGq94HvyKRgjpvt04MGZXcMSMS5vP10Y.LzPot/DyRdIvx2LBs9rsOtTGsFYPCpTx7dnEK1LDs0
dn: cn=pear, ou=users, o=bib3, c=DE dn: cn=imoc, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: cn: imoc
givenName: sn:
mail: givenName:
userPassword: {CRYPT}$6$gar1dJcweztqJSZl$NzVvkfXcTbxm4nuBS0UE//2bseA.FEq4paRZyZFof1ECEbICvf5.7ebRb/D8Jwa.5Hog/k9ZwJ9OtfLuZ7phG/ mail:
userPassword: {CRYPT}$6$3xZm8NPt32CZ4oEJ$B4ptPV2eMuf76bSCkb6siYpft1aa4NObdokMjscNaicMfaMCiwyM0s4R2me3EAOZiPXSl36DMTFl5MaZHBHqP1
dn: cn=clymen, ou=users, o=bib3, c=DE dn: cn=andrej0913, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$8mm3LWImMTN5dnau$G/W1AmZkiHScDEt6iekgj/NedxFtyaxEnK4w68R0FrUXtmot4A6rd1/kkECJQo74yUmPwdvkt.7.wYAr4gp/U/ userPassword: {CRYPT}$6$qI3fENURGFHYMVeN$tdqfgaA/Uex.p1DC7YUSXQ4P0tqAsUAUMkrtk68LKLmswLBcz3C2KLbglm4XIYUdEjw2fkWNbPLtrF/.d17nF.
dn: cn=bao, ou=users, o=bib3, c=DE dn: cn=gallaron, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$3bm2EIkpGr4BUTIX$jeaIhD/73lkb3.4BWZyfIUbAZPtg//U0Y3Xz/Zol0y4fh35rHgTLNblKvRC4i/Yz0Y64EZyt3Fbe7eub2VlJG. userPassword: {CRYPT}$6$vbhMLZRZmvLcXvP6$U3Q81g7FVuo4jnK.0Yy12PdL0Eqso4Thjlc3YnRGJe9tyfeovKdSeNPhEPDGNhIzFZdnmsVYzJO/xnbb0ub1c0
dn: cn=ritzga, ou=users, o=bib3, c=DE dn: cn=anon, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$78sfQR79Le/EgTSb$ao/C1OT1bMKH508rg453M4ZJvXIwwa8OCZribUy5suTflXhs4XSyQnt/17Ra/Zf.pk03TtrsAf/OYw4wf/ol30 userPassword: {CRYPT}$6$e8EvCa/QTDNYMASu$JQ3F9gcgOZ/ADV4TtLBoHBWtapECY7noFFhJUqM54sR3uvV8Mb008K/H4/Y0./Ad3xEVDo7A5XziT14NxrsXo.
dn: cn=sythelux, ou=users, o=bib3, c=DE dn: cn=pear, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$Idk3eX1mk2h87JdF$2tgpeocD.W4AMeAZKy8EmHxD6gC1.Gr.LY7.1t6.cBwDhc.T9C9AlfT74i13xt648rTcu4Mgl302ZVB77vvqc0 userPassword: {CRYPT}$6$gar1dJcweztqJSZl$NzVvkfXcTbxm4nuBS0UE//2bseA.FEq4paRZyZFof1ECEbICvf5.7ebRb/D8Jwa.5Hog/k9ZwJ9OtfLuZ7phG/
dn: cn=ej, ou=users, o=bib3, c=DE dn: cn=clymen, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$6E/NwzDxsyU90srA$VIEaxQaWaGoEs51yZvem9UZJXz2bstQEd5Bc3HeajEE3ZAcFaCsEMEUMt8wnp27gTUj/91wfLCaK16xF5C4hB0 userPassword: {CRYPT}$6$LBoVn0HpmBtkzK/I$Wu44jPkMq8t1eudg7wNHvpZVDELl1ZHZFepZVzYgtVoy7nTCBrggYn7w4CdoKEPfzD8SrkcEG2LDBBjIoaqBs.
dn: cn=jakob, ou=users, o=bib3, c=DE dn: cn=bao, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$k33tC5ACS/.fqwUG$m.x4tov5VYsIHeG2tOG6ZmulZt8PwuiaTV.DYbkw2DIQynuw7igcLJZ4l1ZHPQuzxeB5DTsk3X/EAp4Ri97/S0 userPassword: {CRYPT}$6$3bm2EIkpGr4BUTIX$jeaIhD/73lkb3.4BWZyfIUbAZPtg//U0Y3Xz/Zol0y4fh35rHgTLNblKvRC4i/Yz0Y64EZyt3Fbe7eub2VlJG.
dn: cn=coolpod, ou=users, o=bib3, c=DE dn: cn=ritzga, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$nqNm7molatCIvQL0$LaZycxCYrkgI1Xkh8mC2ItckMLg/e8Xj/udAq3zBANiJBU47Sju9o2I20JYrsqG19MeGAXfCr20iVQeAT1atV0 userPassword: {CRYPT}$6$78sfQR79Le/EgTSb$ao/C1OT1bMKH508rg453M4ZJvXIwwa8OCZribUy5suTflXhs4XSyQnt/17Ra/Zf.pk03TtrsAf/OYw4wf/ol30
dn: cn=trotzi, ou=users, o=bib3, c=DE dn: cn=sythelux, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$m3ZGCNnlsyLc7ETo$9lFKERB7fihYha9hJPXajpMgP0VlicqyABj3qJRRHzfLkMN8IftrRgnMc4/DNRehCJDDLCJXF.PTJ4SK5X.qw/ userPassword: {CRYPT}$6$Idk3eX1mk2h87JdF$2tgpeocD.W4AMeAZKy8EmHxD6gC1.Gr.LY7.1t6.cBwDhc.T9C9AlfT74i13xt648rTcu4Mgl302ZVB77vvqc0
dn: cn=muln1993, ou=users, o=bib3, c=DE dn: cn=ej, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$mJZkGLnaBf1JYYhn$Ye8nx4tKjjXAap6TD0nHkTDxC3dkeUZc0agqM2wLmKjLVhY6q5YgDxdmWSwngnUz5eUsgu1xszAZkycZwo4NI1 userPassword: {CRYPT}$6$6E/NwzDxsyU90srA$VIEaxQaWaGoEs51yZvem9UZJXz2bstQEd5Bc3HeajEE3ZAcFaCsEMEUMt8wnp27gTUj/91wfLCaK16xF5C4hB0
dn: cn=sschmidt, ou=users, o=bib3, c=DE dn: cn=jakob, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson objectclass: InetOrgPerson
sn: sn:
givenName: givenName:
mail: mail:
userPassword: {CRYPT}$6$A2q7qP2ixm2O58Ae$j8jroZLmR2hWTsIvtQKEO8J7tBFmyW1DKM.LXJaP9G4aCnLSZ30EzLZN446Cz3nVDSS5oC5DAk46Fo2fcJTfP/ userPassword: {CRYPT}$6$k33tC5ACS/.fqwUG$m.x4tov5VYsIHeG2tOG6ZmulZt8PwuiaTV.DYbkw2DIQynuw7igcLJZ4l1ZHPQuzxeB5DTsk3X/EAp4Ri97/S0
'';
dn: cn=coolpod, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$nqNm7molatCIvQL0$LaZycxCYrkgI1Xkh8mC2ItckMLg/e8Xj/udAq3zBANiJBU47Sju9o2I20JYrsqG19MeGAXfCr20iVQeAT1atV0
dn: cn=trotzi, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$m3ZGCNnlsyLc7ETo$9lFKERB7fihYha9hJPXajpMgP0VlicqyABj3qJRRHzfLkMN8IftrRgnMc4/DNRehCJDDLCJXF.PTJ4SK5X.qw/
dn: cn=muln1993, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$mJZkGLnaBf1JYYhn$Ye8nx4tKjjXAap6TD0nHkTDxC3dkeUZc0agqM2wLmKjLVhY6q5YgDxdmWSwngnUz5eUsgu1xszAZkycZwo4NI1
dn: cn=sschmidt, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$A2q7qP2ixm2O58Ae$j8jroZLmR2hWTsIvtQKEO8J7tBFmyW1DKM.LXJaP9G4aCnLSZ30EzLZN446Cz3nVDSS5oC5DAk46Fo2fcJTfP/
dn: cn=fennel, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$h.cPmeWyHursgygn$3A7geff6OxRdH.fdr4Wi9VMp7aLnPceEcpTBV11bRw3D0dttGBWOMv8yiqKu4o0AT2OJIv6ABIfY0Z6URDhlI0
dn: cn=enk, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$73CY61UhTPzTdvPy$d/R.8SYekHZMvTRgbBkEwzjG6RW6jw3wpFrUB/WsxDdK9BNCEyAOMLrBxlWAntldAd2vlpkTc/6wME5qMng63.
dn: cn=merlinobolt, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$MBNh42EIkqwk9q2.$nacPz6Hc.12AJZs/ZgapM5uOdB3urdU2ARq8gOgwJ6pWPD8zMnrdrTELMvitbCkBWScdKRscHmUBwl2V3c0Xc0
'';
};
}; };
# TODO move users to seperate files # TODO move users to seperate files
} }

40
pkgs/servers/mediagoblin/default.nix Normal file
View File

@ -0,0 +1,40 @@
#{ lib, stdenv, fetchurl, ... }:
with import <nixpkgs> {};
stdenv.mkDerivation rec {
pname = "mediagoblin";
version = "0.11.0";
src = fetchurl {
url = "https://git.savannah.gnu.org/cgit/${pname}.git/snapshot/${pname}-${version}.tar.gz";
sha256 = "1izvnd6x8bmvw36cjpfgmgh7f2gnbf7mni3s29svdjp0ww4szzxn";
};
doCheck = true;
nativeBuildInputs = [
autoconf
m4
nodejs
python3
python3Packages.certifi
python3Packages.lxml
python3Packages.pillow
python3Packages.virtualenv
];
buildInputs = [
sqlite
];
meta = with lib; {
description = "media publishing platform that anyone can run";
longDescription = ''
MediaGoblin is a free software media publishing platform that anyone can run. You can think of it as a decentralized alternative to Flickr, YouTube, SoundCloud, etc.
'';
homepage = "https://mediagoblin.org/";
license = licenses.gpl3Plus;
};
}

32
postgres.nix Normal file
View File

@ -0,0 +1,32 @@
{ config, pkgs, ... }:
{
services.postgresql = {
enable = true;
settings = {
wal_level = "minimal";
max_wal_senders = 0;
fsync = false;
synchronous_commit = false;
full_page_writes = false;
wal_compression = true;
checkpoint_timeout = "1d";
checkpoint_completion_target = 0.9;
checkpoint_flush_after = 0;
min_wal_size = "32MB";
max_wal_size = "64MB";
max_connections = 100;
shared_buffers = "128MB";
effective_cache_size = "384MB";
maintenance_work_mem = "32MB";
wal_buffers = "64MB";
default_statistics_target = 100;
random_page_cost = 1.1;
effective_io_concurrency = 4;
work_mem = "32MB";
max_worker_processes = 2;
max_parallel_workers_per_gather = 1;
max_parallel_workers = 2;
};
};
}

31
sd.nix Normal file
View File

@ -0,0 +1,31 @@
{ config, pkgs, ... }:
let
fqdn = "schwulesding.de";
in
{
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
# nginx would warn otherwise
mapHashBucketSize = 64;
virtualHosts = {
${fqdn} = {
forceSSL = true;
enableACME = true;
root = "/var/www/schwulesding";
};
"www.${fqdn}" = {
enableACME = true;
#globalRedirect = "${fqdn}";
root = "/var/www/schwulesding";
};
};
};
}