# Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: let fqdn = let join = hostName: domain: hostName + ".${domain}"; in join config.networking.hostName config.networking.domain; in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ]; # Boot boot.loader.grub.enable = false; boot.loader.raspberryPi.enable = true; boot.loader.raspberryPi.version = 4; # Kernel configuration boot.kernelPackages = pkgs.linuxPackages_rpi4; boot.kernelParams = ["cma=64M" "console=tty0"]; # Enable additional firmware (such as Wi-Fi drivers). hardware.enableRedistributableFirmware = true; networking.hostName = "bib3"; # Define your hostname. networking.domain = "de"; # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; networking.interfaces.eth0.useDHCP = true; networking.interfaces.wlan0.useDHCP = true; security.acme.email = "webmaster@bib3.de"; security.acme.acceptTerms = true; # Select internationalisation properties. # i18n.defaultLocale = "en_US.UTF-8"; # console = { # font = "Lat2-Terminus16"; # keyMap = "us"; # }; # Set your time zone. time.timeZone = "UTC"; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; # programs.gnupg.agent = { # enable = true; # enableSSHSupport = true; # pinentryFlavor = "gnome3"; # }; # List services that you want to enable: # Enable the OpenSSH daemon. services.openssh.enable = true; networking.firewall.allowedTCPPorts = [ 22 80 443 ]; services.postgresql = { enable = true; ensureDatabases = [ "nextcloud" ]; ensureUsers = [ { name = "nextcloud"; ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; } ]; initialScript = pkgs.writeText "synapse-init.sql" '' CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; ''; }; services.nginx = { enable = true; # only recommendedProxySettings and recommendedGzipSettings are strictly required, # but the rest make sense as well recommendedTlsSettings = true; recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; virtualHosts = { "default_server" = { root = "/var/www/default"; }; # This host section can be placed on a different host than the rest, # i.e. to delegate from the host being accessible as ${config.networking.domain} # to another host actually running the Matrix homeserver. "${config.networking.domain}" = { locations."= /.well-known/matrix/server".extraConfig = let # use 443 instead of the default 8448 port to unite # the client-server and server-server port for simplicity server = { "m.server" = "${fqdn}:443"; }; in '' add_header Content-Type application/json; return 200 '${builtins.toJSON server}'; ''; locations."= /.well-known/matrix/client".extraConfig = let client = { "m.homeserver" = { "base_url" = "https://${fqdn}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; }; # ACAO required to allow element-web on any URL to request this json file in '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON client}'; ''; }; # Reverse proxy for Matrix client-server and server-server communication ${fqdn} = { enableACME = true; forceSSL = true; # Or do a redirect instead of the 404, or whatever is appropriate for you. # But do not put a Matrix Web client here! See the Element web section below. locations."/".extraConfig = '' return 404; ''; # forward all Matrix API calls to the synapse Matrix homeserver locations."/_matrix" = { proxyPass = "http://[::1]:8008"; # without a trailing / }; }; "nextcloud.${fqdn}" = { forceSSL = true; enableACME = true; }; }; }; services.matrix-synapse = { enable = true; server_name = config.networking.domain; listeners = [ { port = 8008; bind_address = "::1"; type = "http"; tls = false; x_forwarded = true; resources = [ { names = [ "client" "federation" ]; compress = false; } ]; } ]; }; services.nextcloud = { enable = true; hostName = "nextcloud." + fqdn; nginx.enable = true; config = { dbtype = "pgsql"; dbuser = "nextcloud"; dbhost = "/run/postgresql"; dbname = "nextcloud"; adminpassFile = "/var/lib/nextcloud/config/adminpass"; adminuser = "root"; }; }; systemd.services."nextcloud-setup" = { requires = [ "postgresql.service" ]; after = [ "postgresql.service" ]; }; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.loooph = { isNormalUser = true; home = "/home/loooph"; extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCboBeXmDWM6Em3hwvAbbHbAmSV0fY+95Q+cM9ocx0a loooph@Loooph-Desktop" ]; }; nix.gc.automatic = true; nix.gc.options = "--delete-older-than 30d"; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "20.03"; # Did you read the comment? # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ wget vim git htop tmux openssl ]; }