nixos_flake_config/magpie/configuration.nix

{
  config,
  pkgs,
  lib,
  project-cloud,
  goatcounter,
  nvim,
  system,
  ...
}: {
  imports = [];

  nix.optimise.automatic = true;
  nix.settings.experimental-features = ["nix-command" "flakes"];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.systemd-boot.configurationLimit = 2;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";
  };

  # Set your time zone.
  time.timeZone = "Europe/Berlin";

  users.users.root.initialHashedPassword = "";
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0gyN7DzF7+sinneq7++fT93dNWe9ttKnLZJEb0LVs7UxPtz/ovlxnktAgEtSh7NUUGKPILGG6+YG/Jz3pb4cLuQHtavIQ2mIzIbiNl+c80gLNPulfOrC3KyCacYnlcEpoV+4yvMPLDf+5ySilYoF30CSIo8B7B4PSwO3/I20oXXY0zeVmYKs65BY8OrR8PDdtPpuqGcTdPpVSrooZQoykriFeejBb0Jn7qWO7vmsTyUZZIP4nKKUyqE6iFZ2zv+J3mYfuoglQKO1+kqcCYCef0sheLZGD4/QIIL8HJ9yNWb6OQhu7MEv1NowuHkviImwVO3actZ1/x4lrWt4mY+bGglVwA90u1KZUQ10qKQ2xCG2ZHE9DSxWxpI/Yq2P4pLA/XSkYFPpzmoD9c6cpv0WLAvmQrEVkqK0xXo+KszUlyGy5sVJl7/h1fZ8YhWsWUnU1XJFmKLaomUZflL3h7X6xJNVPzZmso8l1INdCvIBDu+G84kAp1/aFalSJMyjTgvCc1hxhAVYhmrc3msGH0Jk8CcPBwYa0BH4EryacdupOS/c5VxAbdyuizEgitP1ylRmydVVDEItPNXFvpWdyEehf/VmsUXqL48mBzfvi6feD5AzKjPaQNaATpxLs9Sl9CMxSy27ahHwEK6dek1wm7nkoSIDSRWfGhYKr3lUg0emAYQ=="
  ];

  environment.systemPackages = with pkgs; [
    curl
    fd
    file
    fzf
    fzy
    git
    goatcounter.packages.${system}.goatcounter
    nvim.packages.${system}.nvim
    htop-vim
    nvim
    pciutils
    tig
    tmux
    unzip
    usbutils
    wget
    zip
  ];

  programs.mosh.enable = true;

  mailserver = {
    enable = true;
    debug = false;
    fqdn = "mail.project-cloud.net";
    domains = ["project-cloud.net"];
    enableSubmissionSsl = true;
    enableImap = false;
    enableImapSsl = true;

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "gitea@project-cloud.net" = {
        hashedPasswordFile = config.sops.secrets."gitea_mail_pw_hash".path;
        aliases = ["git@project-cloud.net"];
      };
      "asmir@project-cloud.net" = {
        hashedPasswordFile = config.sops.secrets."asmir_mail_pw_hash".path;
        aliases = ["asmir.abdulahovic@project-cloud.net"];
      };
    };
    certificateScheme = "acme-nginx";
  };

  services.journald.extraConfig = ''SystemMaxUse=50M '';
  services.logind.extraConfig = ''KillUserProcesses=yes '';
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  services.openssh.enable = true;
  services.opendkim.enable = true;

  services.miniflux = {
    enable = false;
    adminCredentialsFile = config.sops.secrets."miniflux_env".path;
    config = {
      LISTEN_ADDR = "localhost:5001";
      BASE_URL = "https://miniflux.project-cloud.net";
    };
  };

  services.goatcounter = {
    enable = true;
    environmentFile = "/var/lib/goatcounter.env";
    extraArgs = ["-listen='*:8002'" "-tls=proxy"];
    database = {
      backend = "sqlite";
      name = "goatcounter";
      user = "goatcounter";
      automigrate = true;
    };
  };

  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud27;
    config.adminpassFile = config.sops.secrets."nextcloud_admin".path;
    configureRedis = true;
    hostName = "cloud.project-cloud.net";
    https = true;
    extraOptions = {
      mail_smtpmode = "sendmail";
      mail_sendmailmode = "pipe";
      enabledPreviewProviders = [
        "OC\\Preview\\BMP"
        "OC\\Preview\\GIF"
        "OC\\Preview\\HEIC"
        "OC\\Preview\\JPEG"
        "OC\\Preview\\Krita"
        "OC\\Preview\\MarkDown"
        "OC\\Preview\\MP3"
        "OC\\Preview\\OpenDocument"
        "OC\\Preview\\PNG"
        "OC\\Preview\\TXT"
        "OC\\Preview\\XBitmap"
      ];
    };
    phpOptions = {
      "opcache.jit" = "tracing";
      "opcache.jit_buffer_size" = "100M";
      "opcache.interned_strings_buffer" = "16";
    };
  };

  services.nginx = {
    enable = true;
    package = pkgs.nginxQuic;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."project-cloud.net" = {
      quic = true;
      forceSSL = true;
      enableACME = true;
      root = "${project-cloud.packages.${system}.default}/public";
    };

    virtualHosts.${config.services.nextcloud.hostName} = {
      quic = true;
      forceSSL = true;
      enableACME = true;
    };

    virtualHosts."miniflux.project-cloud.net" = {
      quic = true;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:5001";
      };
    };

    virtualHosts.${config.services.gitea.settings.server.DOMAIN} = {
      quic = true;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.gitea.settings.server.HTTP_PORT}";
      };
    };

    virtualHosts."stats.project-cloud.net" = {
      quic = true;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:8002/";
      };
    };
  };

  services.gitea = {
    enable = true;
    appName = "Project Cloud Gitea server";
    database = {
      type = "sqlite3";
      passwordFile = config.sops.secrets."gitea_db".path;
    };
    settings.server = {
      DOMAIN = "git.project-cloud.net";
      ROOT_URL = "https://git.project-cloud.net";
      DISABLE_SSH = true;
      HTTP_PORT = 3001;
      LANDING_PAGE = "explore";
    };
    settings.mailer = {
      ENABLED = true;
      FROM = "gitea@project-cloud.net";
      PROTOCOL = "sendmail";
      SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
    };

    settings.service = {
      DISABLE_REGISTRATION = true;
      REGISTER_EMAIL_CONFIRM = true;
    };

    settings."markup.restructuredtext" = let
      docutils =
        pkgs.python3.withPackages (ps: with ps; [docutils pygments]);
    in {
      ENABLED = true;
      FILE_EXTENSIONS = ".rst";
      RENDER_COMMAND = "${docutils}/bin/rst2html.py";
      IS_INPUT_FILE = false;
    };
  };

  /*
  needed for sendmail mail functionality
  */
  users.users.gitea.extraGroups = ["postdrop"];
  systemd.services.gitea.serviceConfig = {
    RestrictAddressFamilies = ["AF_NETLINK"];
    ProtectSystem = lib.mkForce false;
  };

  services._3proxy = {
    enable = true;
    services = [
      {
        type = "socks";
        auth = ["strong"];
        acl = [
          {
            rule = "allow";
            users = ["3proxy_user"];
          }
        ];
	bindPort = 13128;
      }
    ];
    usersFile = config.sops.secrets."3proxy".path;
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "asmir.abdulahovic@gmail.com";
  };

  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

  sops.secrets."miniflux_env" = {
    sopsFile = ./secrets/miniflux.yaml;
  };

  sops.secrets."gitea_mail_pw_hash" = {
    sopsFile = ./secrets/gitea_mail_pw_hash.yaml;
  };

  sops.secrets."asmir_mail_pw_hash" = {
    sopsFile = ./secrets/asmir_mail_pw_hash.yaml;
  };

  sops.secrets."gitea_db" = {
    sopsFile = ./secrets/gitea_db.yaml;
    owner = config.users.users.gitea.name;
  };

  sops.secrets."nextcloud_admin" = {
    sopsFile = ./secrets/nextcloud_admin.yaml;
    owner = config.users.users.nextcloud.name;
  };

  sops.secrets."3proxy" = {
    sopsFile = ./secrets/3proxy.yaml;
  };


  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [80 443 587 13128];
  networking.firewall.allowedUDPPorts = [];
  networking.firewall.allowPing = true;
  networking.firewall.logRefusedConnections = lib.mkDefault false;
  networking.hostName = "magpie";
  networking.networkmanager.enable = true;
  networking.wireless.enable = false;

  systemd = {
    enableEmergencyMode = false;

    watchdog = {
      runtimeTime = "20s";
      rebootTime = "30s";
    };

    sleep.extraConfig = ''
      AllowSuspend=no
      AllowHibernation=no
    '';
  };

  system.stateVersion = "22.11";
}
magpie: add base files 2023-10-01 16:03:02 +02:00			`{`
			`config,`
			`pkgs,`
magpie/gitea: replace smtp with sendmail, fix pass reset bug 2023-10-17 22:41:22 +02:00			`lib,`
magpie/nextcloud: change url, nginx: add next-cloud virtualhost 2023-11-14 14:42:20 +01:00			`project-cloud,`
magpie: add goatcounter 2024-01-21 14:05:17 +01:00			`goatcounter,`
magpie: add nvim overylan and package 2024-03-16 15:27:40 +01:00			`nvim,`
			`system,`
magpie: add base files 2023-10-01 16:03:02 +02:00			`...`
			`}: {`
magpie: format new files 2023-10-01 16:16:25 +02:00			`imports = [];`
magpie: add base files 2023-10-01 16:03:02 +02:00
			`nix.optimise.automatic = true;`
			`nix.settings.experimental-features = ["nix-command" "flakes"];`

			`# Use the systemd-boot EFI boot loader.`
			`boot.loader.systemd-boot.enable = true;`
magpie/boot: set configuration limit to 2 2023-11-12 18:05:03 +01:00			`boot.loader.systemd-boot.configurationLimit = 2;`
magpie: add base files 2023-10-01 16:03:02 +02:00			`boot.loader.efi.canTouchEfiVariables = true;`
			`boot.kernelPackages = pkgs.linuxPackages_latest;`
magpie/sysctl: set BRR congestion control 2023-11-06 22:26:03 +01:00			`boot.kernel.sysctl = {`
			`"net.core.default_qdisc" = "fq";`
			`"net.ipv4.tcp_congestion_control" = "bbr";`
			`};`
magpie: add base files 2023-10-01 16:03:02 +02:00
			`# Set your time zone.`
			`time.timeZone = "Europe/Berlin";`

			`users.users.root.initialHashedPassword = "";`
			`users.users.root.openssh.authorizedKeys.keys = [`
			"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0gyN7DzF7+sinneq7++fT93dNWe9ttKnLZJEb0LVs7UxPtz/ovlxnktAgEtSh7NUUGKPILGG6+YG/Jz3pb4cLuQHtavIQ2mIzIbiNl+c80gLNPulfOrC3KyCacYnlcEpoV+4yvMPLDf+5ySilYoF30CSIo8B7B4PSwO3/I20oXXY0zeVmYKs65BY8OrR8PDdtPpuqGcTdPpVSrooZQoykriFeejBb0Jn7qWO7vmsTyUZZIP4nKKUyqE6iFZ2zv+J3mYfuoglQKO1+kqcCYCef0sheLZGD4/QIIL8HJ9yNWb6OQhu7MEv1NowuHkviImwVO3actZ1/x4lrWt4mY+bGglVwA90u1KZUQ10qKQ2xCG2ZHE9DSxWxpI/Yq2P4pLA/XSkYFPpzmoD9c6cpv0WLAvmQrEVkqK0xXo+KszUlyGy5sVJl7/h1fZ8YhWsWUnU1XJFmKLaomUZflL3h7X6xJNVPzZmso8l1INdCvIBDu+G84kAp1/aFalSJMyjTgvCc1hxhAVYhmrc3msGH0Jk8CcPBwYa0BH4EryacdupOS/c5VxAbdyuizEgitP1ylRmydVVDEItPNXFvpWdyEehf/VmsUXqL48mBzfvi6feD5AzKjPaQNaATpxLs9Sl9CMxSy27ahHwEK6dek1wm7nkoSIDSRWfGhYKr3lUg0emAYQ=="
			`];`

			`environment.systemPackages = with pkgs; [`
			`curl`
			`fd`
			`file`
			`fzf`
			`fzy`
			`git`
magpie: aarch64-linux -> ${system} 2024-03-16 17:21:46 +01:00			`goatcounter.packages.${system}.goatcounter`
magpie: remove restya, add 3proxy 2024-03-17 19:33:03 +01:00			`nvim.packages.${system}.nvim`
packages: htop -> htop-vim 2023-11-11 23:07:53 +01:00			`htop-vim`
magpie: add nvim overylan and package 2024-03-16 15:27:40 +01:00			`nvim`
magpie/packages: add pcieutils, usbutils, tmux 2023-11-12 17:58:32 +01:00			`pciutils`
magpie: add base files 2023-10-01 16:03:02 +02:00			`tig`
magpie/packages: add pcieutils, usbutils, tmux 2023-11-12 17:58:32 +01:00			`tmux`
magpie: add base files 2023-10-01 16:03:02 +02:00			`unzip`
magpie/packages: add pcieutils, usbutils, tmux 2023-11-12 17:58:32 +01:00			`usbutils`
magpie: add base files 2023-10-01 16:03:02 +02:00			`wget`
			`zip`
			`];`

magpie/programs: enable mosh 2023-10-20 21:41:23 +02:00			`programs.mosh.enable = true;`

magpie: add base files 2023-10-01 16:03:02 +02:00			`mailserver = {`
			`enable = true;`
			`debug = false;`
			`fqdn = "mail.project-cloud.net";`
			`domains = ["project-cloud.net"];`
magpie/mail: enable imap 2023-10-25 20:56:34 +02:00			`enableSubmissionSsl = true;`
magpie: add base files 2023-10-01 16:03:02 +02:00			`enableImap = false;`
magpie/mail: enable imap 2023-10-25 20:56:34 +02:00			`enableImapSsl = true;`
magpie: add base files 2023-10-01 16:03:02 +02:00
			`# A list of all login accounts. To create the password hashes, use`
			`# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'`
			`loginAccounts = {`
			`"gitea@project-cloud.net" = {`
magpie/sops: rename gitea secrets file 2023-10-14 23:24:16 +02:00			`hashedPasswordFile = config.sops.secrets."gitea_mail_pw_hash".path;`
magpie: add base files 2023-10-01 16:03:02 +02:00			`aliases = ["git@project-cloud.net"];`
			`};`
magpie/mail: add account "asmir" 2023-10-20 21:10:56 +02:00			`"asmir@project-cloud.net" = {`
			`hashedPasswordFile = config.sops.secrets."asmir_mail_pw_hash".path;`
			`aliases = ["asmir.abdulahovic@project-cloud.net"];`
			`};`
magpie: add base files 2023-10-01 16:03:02 +02:00			`};`
magpie/mailserver: update configuration syntax 2023-10-17 22:51:43 +02:00			`certificateScheme = "acme-nginx";`
magpie: add base files 2023-10-01 16:03:02 +02:00			`};`

			`services.journald.extraConfig = ''SystemMaxUse=50M '';`
			`services.logind.extraConfig = ''KillUserProcesses=yes '';`
			`services.openssh.settings.PermitRootLogin = "prohibit-password";`
			`services.openssh.enable = true;`
			`services.opendkim.enable = true;`
magpie/miniflux: export url, add https cert 2023-10-13 13:29:25 +02:00
			`services.miniflux = {`
magpie/miniflux: disable 2023-11-12 19:32:23 +01:00			`enable = false;`
magpie/gitea: change mail pass 2023-10-14 23:19:24 +02:00			`adminCredentialsFile = config.sops.secrets."miniflux_env".path;`
			`config = {`
			`LISTEN_ADDR = "localhost:5001";`
			`BASE_URL = "https://miniflux.project-cloud.net";`
			`};`
magpie/miniflux: export url, add https cert 2023-10-13 13:29:25 +02:00			`};`
magpie/gitea: replace smtp with sendmail, fix pass reset bug 2023-10-17 22:41:22 +02:00
magpie: add goatcounter 2024-01-21 14:05:17 +01:00			`services.goatcounter = {`
			`enable = true;`
			`environmentFile = "/var/lib/goatcounter.env";`
magpie: remove restya, add 3proxy 2024-03-17 19:33:03 +01:00			`extraArgs = ["-listen='*:8002'" "-tls=proxy"];`
magpie: add goatcounter 2024-01-21 14:05:17 +01:00			`database = {`
			`backend = "sqlite";`
			`name = "goatcounter";`
			`user = "goatcounter";`
			`automigrate = true;`
			`};`
			`};`

magpie/nextcloud: tune php interpreter 2023-11-06 19:25:49 +01:00			`services.nextcloud = {`
magpie: add base files 2023-10-01 16:03:02 +02:00			`enable = true;`
			`package = pkgs.nextcloud27;`
magpie/nextcloud: add admin account/pass 2023-10-20 21:35:43 +02:00			`config.adminpassFile = config.sops.secrets."nextcloud_admin".path;`
			`configureRedis = true;`
magpie/nextcloud: change url, nginx: add next-cloud virtualhost 2023-11-14 14:42:20 +01:00			`hostName = "cloud.project-cloud.net";`
magpie: add base files 2023-10-01 16:03:02 +02:00			`https = true;`
			`extraOptions = {`
magpie/nextcloud: add admin account/pass 2023-10-20 21:35:43 +02:00			`mail_smtpmode = "sendmail";`
			`mail_sendmailmode = "pipe";`
			`enabledPreviewProviders = [`
			`"OC\\Preview\\BMP"`
			`"OC\\Preview\\GIF"`
			`"OC\\Preview\\HEIC"`
			`"OC\\Preview\\JPEG"`
			`"OC\\Preview\\Krita"`
			`"OC\\Preview\\MarkDown"`
			`"OC\\Preview\\MP3"`
			`"OC\\Preview\\OpenDocument"`
			`"OC\\Preview\\PNG"`
			`"OC\\Preview\\TXT"`
			`"OC\\Preview\\XBitmap"`
			`];`
magpie: add base files 2023-10-01 16:03:02 +02:00			`};`
magpie/nextcloud: tune php interpreter 2023-11-06 19:25:49 +01:00			`phpOptions = {`
			`"opcache.jit" = "tracing";`
			`"opcache.jit_buffer_size" = "100M";`
			`"opcache.interned_strings_buffer" = "16";`
			`};`
magpie: add base files 2023-10-01 16:03:02 +02:00			`};`

			`services.nginx = {`
			`enable = true;`
magpie: enable quic/http3 on nginx 2023-10-05 18:59:43 +02:00			`package = pkgs.nginxQuic;`
magpie: add base files 2023-10-01 16:03:02 +02:00			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
magpie/restya: remove duplicate nginx config 2023-10-05 19:53:08 +02:00
magpie/nextcloud: change url, nginx: add next-cloud virtualhost 2023-11-14 14:42:20 +01:00			`virtualHosts."project-cloud.net" = {`
			`quic = true;`
			`forceSSL = true;`
			`enableACME = true;`
magpie: aarch64-linux -> ${system} 2024-03-16 17:21:46 +01:00			`root = "${project-cloud.packages.${system}.default}/public";`
magpie/nextcloud: change url, nginx: add next-cloud virtualhost 2023-11-14 14:42:20 +01:00			`};`

magpie: add base files 2023-10-01 16:03:02 +02:00			`virtualHosts.${config.services.nextcloud.hostName} = {`
magpie: enable quic/http3 on nginx 2023-10-05 18:59:43 +02:00			`quic = true;`
magpie: add base files 2023-10-01 16:03:02 +02:00			`forceSSL = true;`
			`enableACME = true;`
			`};`
magpie/restya: remove duplicate nginx config 2023-10-05 19:53:08 +02:00
magpie/miniflux: export url, add https cert 2023-10-13 13:29:25 +02:00			`virtualHosts."miniflux.project-cloud.net" = {`
			`quic = true;`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://localhost:5001";`
			`};`
			`};`

magpie/gitea: update config syntax 2023-10-05 19:04:23 +02:00			`virtualHosts.${config.services.gitea.settings.server.DOMAIN} = {`
magpie: enable quic/http3 on nginx 2023-10-05 18:59:43 +02:00			`quic = true;`
magpie: add base files 2023-10-01 16:03:02 +02:00			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
magpie/gitea: update config syntax 2023-10-05 19:04:23 +02:00			`proxyPass = "http://localhost:${toString config.services.gitea.settings.server.HTTP_PORT}";`
magpie: add base files 2023-10-01 16:03:02 +02:00			`};`
			`};`
magpie/restya: remove duplicate nginx config 2023-10-05 19:53:08 +02:00
magpie: add goatcounter 2024-01-21 14:05:17 +01:00			`virtualHosts."stats.project-cloud.net" = {`
			`quic = true;`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://localhost:8002/";`
			`};`
			`};`
magpie: add base files 2023-10-01 16:03:02 +02:00			`};`

			`services.gitea = {`
			`enable = true;`
			`appName = "Project Cloud Gitea server";`
			`database = {`
magpie/gitea: switch to sqlite3 2023-10-17 23:51:20 +02:00			`type = "sqlite3";`
			`passwordFile = config.sops.secrets."gitea_db".path;`
magpie: add base files 2023-10-01 16:03:02 +02:00			`};`
magpie/gitea: replace smtp with sendmail, fix pass reset bug 2023-10-17 22:41:22 +02:00			`settings.server = {`
			`DOMAIN = "git.project-cloud.net";`
			`ROOT_URL = "https://git.project-cloud.net";`
magpie/gitea: disable registration and ssh 2023-10-17 23:14:06 +02:00			`DISABLE_SSH = true;`
magpie/gitea: replace smtp with sendmail, fix pass reset bug 2023-10-17 22:41:22 +02:00			`HTTP_PORT = 3001;`
magpie/gitea: move LANDING_PAGE setting to server group 2023-11-12 19:18:17 +01:00			`LANDING_PAGE = "explore";`
magpie/gitea: replace smtp with sendmail, fix pass reset bug 2023-10-17 22:41:22 +02:00			`};`
			`settings.mailer = {`
			`ENABLED = true;`
			`FROM = "gitea@project-cloud.net";`
			`PROTOCOL = "sendmail";`
			`SENDMAIL_PATH = "/run/wrappers/bin/sendmail";`
			`};`
magpie/gitea: update configuration syntax 2023-10-17 22:50:31 +02:00
			`settings.service = {`
magpie/gitea: disable registration and ssh 2023-10-17 23:14:06 +02:00			`DISABLE_REGISTRATION = true;`
magpie/gitea: set landing page to explore 2023-11-12 17:43:02 +01:00			`REGISTER_EMAIL_CONFIRM = true;`
magpie/gitea: update configuration syntax 2023-10-17 22:50:31 +02:00			`};`

			`settings."markup.restructuredtext" = let`
magpie: add base files 2023-10-01 16:03:02 +02:00			`docutils =`
			`pkgs.python3.withPackages (ps: with ps; [docutils pygments]);`
magpie/gitea: update configuration syntax 2023-10-17 22:50:31 +02:00			`in {`
			`ENABLED = true;`
			`FILE_EXTENSIONS = ".rst";`
			`RENDER_COMMAND = "${docutils}/bin/rst2html.py";`
			`IS_INPUT_FILE = false;`
			`};`
magpie: add base files 2023-10-01 16:03:02 +02:00			`};`

magpie/gitea: replace smtp with sendmail, fix pass reset bug 2023-10-17 22:41:22 +02:00			`/*`
			`needed for sendmail mail functionality`
			`*/`
			`users.users.gitea.extraGroups = ["postdrop"];`
			`systemd.services.gitea.serviceConfig = {`
			`RestrictAddressFamilies = ["AF_NETLINK"];`
			`ProtectSystem = lib.mkForce false;`
			`};`

magpie: remove restya, add 3proxy 2024-03-17 19:33:03 +01:00			`services._3proxy = {`
			`enable = true;`
			`services = [`
			`{`
			`type = "socks";`
			`auth = ["strong"];`
			`acl = [`
			`{`
			`rule = "allow";`
			`users = ["3proxy_user"];`
			`}`
			`];`
			`bindPort = 13128;`
			`}`
			`];`
			`usersFile = config.sops.secrets."3proxy".path;`
			`};`

magpie: add base files 2023-10-01 16:03:02 +02:00			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "asmir.abdulahovic@gmail.com";`
			`};`

			`sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];`
magpie/gitea: replace smtp with sendmail, fix pass reset bug 2023-10-17 22:41:22 +02:00
magpie/miniflux: export url, add https cert 2023-10-13 13:29:25 +02:00			`sops.secrets."miniflux_env" = {`
magpie: add miniflux credentials 2023-10-13 12:52:26 +02:00			`sopsFile = ./secrets/miniflux.yaml;`
			`};`

magpie/sops: rename gitea secrets file 2023-10-14 23:24:16 +02:00			`sops.secrets."gitea_mail_pw_hash" = {`
			`sopsFile = ./secrets/gitea_mail_pw_hash.yaml;`
magpie/gitea: change mail pass 2023-10-14 23:19:24 +02:00			`};`

magpie/mail: add account "asmir" 2023-10-20 21:38:28 +02:00			`sops.secrets."asmir_mail_pw_hash" = {`
			`sopsFile = ./secrets/asmir_mail_pw_hash.yaml;`
			`};`

magpie/gitea: switch to sqlite3 2023-10-17 23:51:20 +02:00			`sops.secrets."gitea_db" = {`
			`sopsFile = ./secrets/gitea_db.yaml;`
			`owner = config.users.users.gitea.name;`
			`};`

magpie/nextcloud: add admin account/pass 2023-10-20 21:35:43 +02:00			`sops.secrets."nextcloud_admin" = {`
			`sopsFile = ./secrets/nextcloud_admin.yaml;`
			`owner = config.users.users.nextcloud.name;`
			`};`

magpie: remove restya, add 3proxy 2024-03-17 19:33:03 +01:00			`sops.secrets."3proxy" = {`
			`sopsFile = ./secrets/3proxy.yaml;`
			`};`


magpie/gitea: replace smtp with sendmail, fix pass reset bug 2023-10-17 22:41:22 +02:00			`networking.firewall.enable = true;`
magpie: remove restya, add 3proxy 2024-03-17 19:33:03 +01:00			`networking.firewall.allowedTCPPorts = [80 443 587 13128];`
magpie: add base files 2023-10-01 16:03:02 +02:00			`networking.firewall.allowedUDPPorts = [];`
magpie/firewall: do not log refused connections, enable ping 2023-11-06 19:23:11 +01:00			`networking.firewall.allowPing = true;`
			`networking.firewall.logRefusedConnections = lib.mkDefault false;`
			`networking.hostName = "magpie";`
magpie: add base files 2023-10-01 16:03:02 +02:00			`networking.networkmanager.enable = true;`
magpie/firewall: do not log refused connections, enable ping 2023-11-06 19:23:11 +01:00			`networking.wireless.enable = false;`
magpie: add base files 2023-10-01 16:03:02 +02:00
magpie/systemd: disable sleep, emergencymode; setup watchdog 2023-11-06 22:16:41 +01:00			`systemd = {`
			`enableEmergencyMode = false;`

			`watchdog = {`
			`runtimeTime = "20s";`
			`rebootTime = "30s";`
			`};`

			`sleep.extraConfig = ''`
			`AllowSuspend=no`
			`AllowHibernation=no`
			`'';`
			`};`

magpie: add base files 2023-10-01 16:03:02 +02:00			`system.stateVersion = "22.11";`
			`}`