loooph
/
bib3.de-nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: loooph:81128d5861478c8c41bad972d48660ef2dd14558
Branches Tags
loooph:master
..
compare: loooph:c49b874fc0d34fb96687c7454d0fc45afed9d306
Branches Tags
loooph:master

No commits in common. "81128d5861478c8c41bad972d48660ef2dd14558" and "c49b874fc0d34fb96687c7454d0fc45afed9d306" have entirely different histories.
81128d5861 ... c49b874fc0

9 changed files with 0 additions and 507 deletions
Show Stats Expand all files Collapse all files

5
.gitignore vendored
View File

@ -1,5 +0,0 @@
secret
*.swp
hardware-configuration.nix
result

79
configuration.nix
View File

@ -1,79 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./matrix-synapse.nix
./nginx.nix
./openldap.nix
./fail2ban.nix
./git.nix
./postgres.nix
./sd.nix
];
# Boot
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
services.journald.extraConfig = ''
MaxRetentionSec=7day
'';
# Kernel configuration
boot.kernelPackages = pkgs.linuxPackages_rpi4;
boot.kernelParams = [ "console=ttyAMA0,115200n8" ];
# Enable additional firmware (such as Wi-Fi drivers).
hardware.enableRedistributableFirmware = true;
networking.hostName = "levitest"; # Define your hostname.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
security.acme.email = "webmaster@bib3.de";
security.acme.acceptTerms = true;
# Set your time zone.
time.timeZone = "UTC";
# Enable the OpenSSH daemon.
services.openssh.enable = true;
networking.firewall.allowPing = false;
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# Define a user account. Don't forget to set a password with passwd.
users.users.loooph = {
isNormalUser = true;
home = "/home/loooph";
extraGroups = [ "wheel" ]; # Enable sudo for the user.
};
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 30d";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.03"; # Did you read the comment?
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim_configurable vimPlugins.ale vimPlugins.vim-nix git htop tmux openssl fd
];
}

7
fail2ban.nix
View File

@ -1,7 +0,0 @@
{config, pkgs, ...}:
{
services.fail2ban = {
enable = true;
};
}

26
git.nix
View File

@ -1,26 +0,0 @@
{ config, pkgs, ... }:
let
fqdn = "git.bib3.de";
in
{
services.nginx = {
enable = true;
virtualHosts.${fqdn} = {
forceSSL = true;
enableACME=true;
locations."/".proxyPass = "http://127.0.0.1:3000";
extraConfig = ''
client_max_body_size 0;
'';
};
};
services.gitea = {
enable = true;
rootUrl = "https://git.bib3.de";
httpAddress = "127.0.0.1";
disableRegistration = true;
cookieSecure = true;
};
}

75
matrix-synapse.nix
View File

@ -1,75 +0,0 @@
{ config, pkgs, ... }:
let
fqdn = "matrix.bib3.de";
in {
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.nginx = {
enable = true;
virtualHosts.${fqdn} = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 404;
'';
locations."/_matrix" = {
proxyPass = "http://[::1]:8008";
};
extraConfig = ''
client_max_body_size 0;
'';
};
};
services.matrix-synapse = {
enable = true;
max_upload_size = "100M";
server_name = fqdn;
registration_shared_secret = "aKCsb4AQyx7NPLDtyfRSR3ifmCDMb9NDMvaQnCznmI0VTHLNrckKQ8PNKOACYwkU";
listeners = [
{
port = 8008;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = false;
}
];
}
];
plugins = with config.services.matrix-synapse.package.plugins; [ matrix-synapse-ldap3 ];
extraConfig = ''
password_providers:
- module: "ldap_auth_provider.LdapAuthProvider"
config:
enabled: true
mode: "search"
uri: "ldap://bib3.de:389"
start_tls: true
base: "ou=users,o=bib3,c=DE"
attributes:
uid: "cn"
mail: "mail"
name: "givenName"
'';
};
}

40
nginx.nix
View File

@ -1,40 +0,0 @@
{ config, pkgs, ... }:
let
fqdn = "bib3.de";
in
{
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
# nginx would warn otherwise
mapHashBucketSize = 64;
virtualHosts = {
${fqdn} = {
forceSSL = true;
enableACME = true;
root = "/var/www/default";
locations = {
"/" = {
index = "anmachspruch.mp4";
};
};
};
"www.${fqdn}" = {
enableACME = true;
root = "/var/www/default";
locations = {
"/" = {
index = "anmachspruch.mp4";
};
};
};
};
};
}

219
openldap.nix
View File

@ -1,219 +0,0 @@
{config, pkgs, ...}:
{
# let's hope this works
security.acme.certs."bib3.de".postRun = ''
install -o openldap -g openldap -m 700 -d /var/lib/acme/bib3.de /var/lib/ssl/openldap
install -o openldap -g openldap -m 600 /var/lib/acme/bib3.de/* /var/lib/ssl/openldap
'';
services.openldap = {
enable = true;
settings = {
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={-1}frontend" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{-1}frontend";
};
};
"olcDatabase={0}config" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{0}config";
olcAccess = [ "{0}to * by * none break" ];
};
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap";
olcSuffix = "o=bib3,c=DE";
};
};
};
attrs = {
objectClass = "olcGlobal";
olcTLSCipherSuite = "DEFAULT";
olcTLSCACertificateFile = "/var/lib/ssl/openldap/chain.pem";
olcTLSCertificateFile = "/var/lib/ssl/openldap/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/ssl/openldap/key.pem";
};
};
declarativeContents = {
"o=bib3,c=DE" = ''
dn: o=bib3, c=DE
objectclass: organization
dn: ou=users, o=bib3, c=DE
objectclass: organizationalUnit
ou: users
dn: cn=test, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
objectclass: PosixAccount
uid: test
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/bib3.de/test
loginShell: /run/current-system/sw/bin/bash
sn:
givenName:
mail:
userPassword: {CRYPT}$6$GRvHa9J1FuDnxZu4$oZT75ZDoh78JQ1GNQGtzftlL9HO6HPzouxdGsbyBCyDld/9skUC78/8m6YW.KE3k5p6pWMAZs.4iYvrhvDfwe.
dn: cn=loooph, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$C906P7N7ZbqxjC38$BezcmyYs1XR45cAqUDkuoUyca2fchXzNnvhZsB/TmR5Py6M9xEERdIm9anyXkVMwVvBrMn9LujVXxKxSpuz.1.
dn: cn=lmux, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$NGdlZVYAvETLQAb2$AXyC9myezCAGGq94HvyKRgjpvt04MGZXcMSMS5vP10Y.LzPot/DyRdIvx2LBs9rsOtTGsFYPCpTx7dnEK1LDs0
dn: cn=imoc, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
cn: imoc
sn:
givenName:
mail:
userPassword: {CRYPT}$6$3xZm8NPt32CZ4oEJ$B4ptPV2eMuf76bSCkb6siYpft1aa4NObdokMjscNaicMfaMCiwyM0s4R2me3EAOZiPXSl36DMTFl5MaZHBHqP1
dn: cn=andrej0913, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$qI3fENURGFHYMVeN$tdqfgaA/Uex.p1DC7YUSXQ4P0tqAsUAUMkrtk68LKLmswLBcz3C2KLbglm4XIYUdEjw2fkWNbPLtrF/.d17nF.
dn: cn=gallaron, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$vbhMLZRZmvLcXvP6$U3Q81g7FVuo4jnK.0Yy12PdL0Eqso4Thjlc3YnRGJe9tyfeovKdSeNPhEPDGNhIzFZdnmsVYzJO/xnbb0ub1c0
dn: cn=anon, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$e8EvCa/QTDNYMASu$JQ3F9gcgOZ/ADV4TtLBoHBWtapECY7noFFhJUqM54sR3uvV8Mb008K/H4/Y0./Ad3xEVDo7A5XziT14NxrsXo.
dn: cn=pear, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$gar1dJcweztqJSZl$NzVvkfXcTbxm4nuBS0UE//2bseA.FEq4paRZyZFof1ECEbICvf5.7ebRb/D8Jwa.5Hog/k9ZwJ9OtfLuZ7phG/
dn: cn=clymen, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$LBoVn0HpmBtkzK/I$Wu44jPkMq8t1eudg7wNHvpZVDELl1ZHZFepZVzYgtVoy7nTCBrggYn7w4CdoKEPfzD8SrkcEG2LDBBjIoaqBs.
dn: cn=bao, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$3bm2EIkpGr4BUTIX$jeaIhD/73lkb3.4BWZyfIUbAZPtg//U0Y3Xz/Zol0y4fh35rHgTLNblKvRC4i/Yz0Y64EZyt3Fbe7eub2VlJG.
dn: cn=ritzga, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$IhG5rX4tH2o8n74B$ZLRx3kEhUe7gCcI.W1Pp9vgpLV6HeVysVeRxwdGmPmEweWKTN7eiLXNjRPI4k80tDnsOA8bKdg69YWKWKi5o00
dn: cn=sythelux, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$Idk3eX1mk2h87JdF$2tgpeocD.W4AMeAZKy8EmHxD6gC1.Gr.LY7.1t6.cBwDhc.T9C9AlfT74i13xt648rTcu4Mgl302ZVB77vvqc0
dn: cn=ej, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$6E/NwzDxsyU90srA$VIEaxQaWaGoEs51yZvem9UZJXz2bstQEd5Bc3HeajEE3ZAcFaCsEMEUMt8wnp27gTUj/91wfLCaK16xF5C4hB0
dn: cn=jakob, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$k33tC5ACS/.fqwUG$m.x4tov5VYsIHeG2tOG6ZmulZt8PwuiaTV.DYbkw2DIQynuw7igcLJZ4l1ZHPQuzxeB5DTsk3X/EAp4Ri97/S0
dn: cn=coolpod, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$nqNm7molatCIvQL0$LaZycxCYrkgI1Xkh8mC2ItckMLg/e8Xj/udAq3zBANiJBU47Sju9o2I20JYrsqG19MeGAXfCr20iVQeAT1atV0
dn: cn=trotzi, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$m3ZGCNnlsyLc7ETo$9lFKERB7fihYha9hJPXajpMgP0VlicqyABj3qJRRHzfLkMN8IftrRgnMc4/DNRehCJDDLCJXF.PTJ4SK5X.qw/
dn: cn=muln1993, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$mJZkGLnaBf1JYYhn$Ye8nx4tKjjXAap6TD0nHkTDxC3dkeUZc0agqM2wLmKjLVhY6q5YgDxdmWSwngnUz5eUsgu1xszAZkycZwo4NI1
dn: cn=sschmidt, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$A2q7qP2ixm2O58Ae$j8jroZLmR2hWTsIvtQKEO8J7tBFmyW1DKM.LXJaP9G4aCnLSZ30EzLZN446Cz3nVDSS5oC5DAk46Fo2fcJTfP/
dn: cn=fennel, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$h.cPmeWyHursgygn$3A7geff6OxRdH.fdr4Wi9VMp7aLnPceEcpTBV11bRw3D0dttGBWOMv8yiqKu4o0AT2OJIv6ABIfY0Z6URDhlI0
dn: cn=enk, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$73CY61UhTPzTdvPy$d/R.8SYekHZMvTRgbBkEwzjG6RW6jw3wpFrUB/WsxDdK9BNCEyAOMLrBxlWAntldAd2vlpkTc/6wME5qMng63.
dn: cn=merlinobolt, ou=users, o=bib3, c=DE
objectclass: InetOrgPerson
sn:
givenName:
mail:
userPassword: {CRYPT}$6$MBNh42EIkqwk9q2.$nacPz6Hc.12AJZs/ZgapM5uOdB3urdU2ARq8gOgwJ6pWPD8zMnrdrTELMvitbCkBWScdKRscHmUBwl2V3c0Xc0
'';
};
};
# TODO move users to seperate files
}

32
postgres.nix
View File

@ -1,32 +0,0 @@
{ config, pkgs, ... }:
{
services.postgresql = {
enable = true;
settings = {
wal_level = "minimal";
max_wal_senders = 0;
fsync = false;
synchronous_commit = false;
full_page_writes = false;
wal_compression = true;
checkpoint_timeout = "1d";
checkpoint_completion_target = 0.9;
checkpoint_flush_after = 0;
min_wal_size = "32MB";
max_wal_size = "64MB";
max_connections = 100;
shared_buffers = "128MB";
effective_cache_size = "384MB";
maintenance_work_mem = "32MB";
wal_buffers = "64MB";
default_statistics_target = 100;
random_page_cost = 1.1;
effective_io_concurrency = 4;
work_mem = "32MB";
max_worker_processes = 2;
max_parallel_workers_per_gather = 1;
max_parallel_workers = 2;
};
};
}

24
sd.nix
View File

@ -1,24 +0,0 @@
{ config, pkgs, ... }:
let
fqdn = "schwulesding.de";
in
{
services.nginx = {
enable = true;
virtualHosts = {
${fqdn} = {
forceSSL = true;
enableACME = true;
root = "/var/www/schwulesding";
};
"www.${fqdn}" = {
enableACME = true;
root = "/var/www/schwulesding";
};
};
};
}