diff --git a/flake.nix b/flake.nix
index e0656f2..05509cb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -28,13 +28,19 @@
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ simple-nixos-mailserver = {
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = inputs @ {
- nixpkgs,
 home-manager,
+ nixpkgs,
 nix-xilinx,
 peerix,
+ simple-nixos-mailserver,
 sops-nix,
 zremap,
 ...
@@ -79,7 +85,7 @@
 ./common/suspend.nix
 ./mediabox/configuration.nix
 ./mediabox/hardware-configuration.nix
- ./modules/qbittorrent.nix
+ ./modules/qbittorrent.nix
 sops-nix.nixosModules.sops
 home-manager.nixosModules.home-manager
 {
@@ -117,6 +123,17 @@
 }
 ];
 };
+ magpie = nixpkgs.lib.nixosSystem {
+ system = "arm64-linux";
+ modules = [
+ {_module.args = inputs;}
+ ./magpie/configuration.nix
+ ./magpie/hardware-configuration.nix
+ sops-nix.nixosModules.sops
+ simple-nixos-mailserver.nixModule
+ (builtins.toPath "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix")
+ ];
+ };
 };
 devShell.x86_64-linux = pkgs.mkShell {
diff --git a/magpie/configuration.nix b/magpie/configuration.nix
new file mode 100644
index 0000000..d74693d
--- /dev/null
+++ b/magpie/configuration.nix
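Review bot: `system = "arm64-linux"` in the new `magpie` nixosSystem is not a valid Nix system string; nixpkgs uses `aarch64-linux`, which is also what this commit's generated magpie/hardware-configuration.nix sets via `nixpkgs.hostPlatform`, so the two files disagree and evaluation will fail on the unknown platform; change it to `system = "aarch64-linux";`. The module reference `simple-nixos-mailserver.nixModule` also looks off: the nixos-mailserver flake exposes its module as `nixosModule` (and `nixosModules.mailserver`), so unless the pinned revision really has a `nixModule` attribute this is an attribute-missing error at eval time — worth confirming against the lockfile revision. `builtins.toPath` on an already absolute path string is deprecated and unnecessary here; `"${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"` alone is enough. The enclosing `outputs` attrset continues outside the hunk.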
@@ -0,0 +1,189 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [ ];
+
+ nix.optimise.automatic = true;
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.grub.devices = ["/dev/sda"];
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # users.users.alice = {
+ # isNormalUser = true;
+ # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ # packages = with pkgs; [
+ # firefox
+ # thunderbird
+ # ];
+ # };
+
+ users.users.root.initialHashedPassword = "";
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0gyN7DzF7+sinneq7++fT93dNWe9ttKnLZJEb0LVs7UxPtz/ovlxnktAgEtSh7NUUGKPILGG6+YG/Jz3pb4cLuQHtavIQ2mIzIbiNl+c80gLNPulfOrC3KyCacYnlcEpoV+4yvMPLDf+5ySilYoF30CSIo8B7B4PSwO3/I20oXXY0zeVmYKs65BY8OrR8PDdtPpuqGcTdPpVSrooZQoykriFeejBb0Jn7qWO7vmsTyUZZIP4nKKUyqE6iFZ2zv+J3mYfuoglQKO1+kqcCYCef0sheLZGD4/QIIL8HJ9yNWb6OQhu7MEv1NowuHkviImwVO3actZ1/x4lrWt4mY+bGglVwA90u1KZUQ10qKQ2xCG2ZHE9DSxWxpI/Yq2P4pLA/XSkYFPpzmoD9c6cpv0WLAvmQrEVkqK0xXo+KszUlyGy5sVJl7/h1fZ8YhWsWUnU1XJFmKLaomUZflL3h7X6xJNVPzZmso8l1INdCvIBDu+G84kAp1/aFalSJMyjTgvCc1hxhAVYhmrc3msGH0Jk8CcPBwYa0BH4EryacdupOS/c5VxAbdyuizEgitP1ylRmydVVDEItPNXFvpWdyEehf/VmsUXqL48mBzfvi6feD5AzKjPaQNaATpxLs9Sl9CMxSy27ahHwEK6dek1wm7nkoSIDSRWfGhYKr3lUg0emAYQ=="
+ ];
+
+ environment.systemPackages = with pkgs; [
+ curl
+ fd
+ file
+ fzf
+ fzy
+ git
+ htop
+ neovim
+ tig
+ unzip
+ wget
+ zip
+ mosh
+ ];
+
+ mailserver = {
+ enable = true;
+ debug = false;
+ fqdn = "mail.project-cloud.net";
+ domains = ["project-cloud.net"];
+ enableSubmissionSsl = false;
+ enableImap = false;
+ enableImapSsl = false;
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "gitea@project-cloud.net" = {
+ hashedPasswordFile = "/var/mail_pass";
+ aliases = ["git@project-cloud.net"];
+ };
+ };
+ certificateScheme = 3;
+ };
+
+ services.journald.extraConfig = ''SystemMaxUse=50M '';
+ services.logind.extraConfig = ''KillUserProcesses=yes '';
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
+ services.openssh.enable = true;
+ services.opendkim.enable = true;
+ services.restya-board = {
+ enable = true;
+ virtualHost.serverName = "kanban.project-cloud.net";
+ };
+ services.nextcloud = {
+ enable = true;
+ hostName = "project-cloud.net";
+ package = pkgs.nextcloud27;
+ config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}";
+ https = true;
+ caching = {
+ redis = true;
+ apcu = false;
+ };
+ extraOptions = {
+ redis = {
+ host = "/run/redis-nextcloud/redis.sock";
+ port = 0;
+ };
+ "memcache.local" = "\\OC\\Memcache\\Redis";
+ "memcache.distributed" = "\\OC\\Memcache\\Redis";
+ "memcache.locking" = "\\OC\\Memcache\\Redis";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts.${config.services.nextcloud.hostName} = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ virtualHosts.${config.services.gitea.settings.server.domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.gitea.settings.server.httpPort}";
+ };
+ };
+ virtualHosts.${config.services.restya-board.virtualHost.serverName} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.restya-board.virtualHost.listenPort}";
+ };
+ };
+ };
+
+ services.redis.servers.nextcloud = {
+ enable = true;
+ user = "nextcloud";
+ port = 0;
+ };
+
+ services.gitea = {
+ enable = true;
+ appName = "Project Cloud Gitea server";
+ database = {
+ type = "postgres";
+ passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
+ };
+ settings.server.domain = "git.project-cloud.net";
+ settings.server.rootUrl = "https://git.project-cloud.net/";
+ settings.server.httpPort = 3001;
+ extraConfig = let
+ docutils =
+ pkgs.python3.withPackages (ps: with ps; [docutils pygments]);
+ in ''
+ [mailer]
+ ENABLED = true
+ FROM = project.cloud@gmx.com
+ PROTOCOL = smtp
+ SMTP_ADDR = mail.gmx.com
+ HOST = mail.gmx.com:587
+ SMTP_PORT = 587
+ IS_TLS_ENABLED = false
+ USER = project.cloud@gmx.com
+ PASSWD = TS0obCMiuktEAS2x6lQ3
+ [service]
+ REGISTER_EMAIL_CONFIRM = true
+ [markup.restructuredtext]
+ ENABLED = true
+ FILE_EXTENSIONS = .rst
+ RENDER_COMMAND = ${docutils}/bin/rst2html.py
+ IS_INPUT_FILE = false
+ '';
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "asmir.abdulahovic@gmail.com";
+ };
+
+ sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ sops.secrets."postgres/gitea_dbpass" = {
+ sopsFile = ./secrets/postgres.yaml;
+ owner = config.users.users.gitea.name;
+ };
+
+ networking.hostName = "magpie";
+ networking.wireless.enable = false;
+ networking.firewall.enable = false;
+ networking.firewall.allowedTCPPorts = [80 443 587];
+ networking.firewall.allowedUDPPorts = [];
+ networking.networkmanager.enable = true;
+
+ system.stateVersion = "22.11";
+}
diff --git a/magpie/hardware-configuration.nix b/magpie/hardware-configuration.nix
new file mode 100644
index 0000000..aa127f1
--- /dev/null
+++ b/magpie/hardware-configuration.nix
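Review bot: The Gitea mailer block under `services.gitea.extraConfig` embeds the GMX SMTP password in clear text (the `PASSWD = …` line), and `config.adminpassFile` is built with `pkgs.writeText "adminpass" "test123"`, so both secrets end up in git history and in the world-readable Nix store on the host, whereas the same commit correctly routes the database password through sops (`config.sops.secrets."postgres/gitea_dbpass".path`). Feed the SMTP password through `services.gitea.mailerPasswordFile` backed by a sops secret, point `adminpassFile` at a sops-managed file as well, and rotate both values now that they are committed; the mailserver's `hashedPasswordFile = "/var/mail_pass"` is an unmanaged out-of-band file that could use the same mechanism. `networking.firewall.enable = false` leaves every listening service on this mail/Nextcloud/Gitea host exposed and makes `allowedTCPPorts = [80 443 587]` a no-op; presumably `enable = true` was intended. `users.users.root.initialHashedPassword = ""` gives root an empty password, which `PermitRootLogin = "prohibit-password"` keeps off SSH but not off the VM console; with an authorized key already present, `hashedPassword = "!"` (or dropping the line) is safer. With `PROTOCOL = smtp` and `IS_TLS_ENABLED = false` the mailer may fall back to an unencrypted session to mail.gmx.com:587 depending on how the deployed Gitea version resolves these mixed old/new keys; `PROTOCOL = smtp+starttls` makes STARTTLS mandatory before the credentials are sent.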
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/118de1e5-f23e-4af3-a10a-054eded78152";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/4FEE-DEED";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/magpie/secrets/postgres.yaml b/magpie/secrets/postgres.yaml
new file mode 100644
index 0000000..b36e633
--- /dev/null
+++ b/magpie/secrets/postgres.yaml
@@ -0,0 +1,22 @@
+postgres:
+ gitea_dbpass: ENC[AES256_GCM,data:0eoBapsuSw==,iv:COi2rWxM4+4EZEguEUVtguQTGkGQIQNfMns3EUokNX8=,tag:uCou612aK2TOVgSogAWliw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiS3BpdTY5anY3c2JYeTFE
+ NzZhb3BoZ1MwU0phTlpDcXp0Qmo2MTE2c1dFCmRuSkpIR2FDSU5jYTE1TVZ0Rndj
+ YUFua3Jwb0s4ZHZnRmUwenVWSWV1ZzgKLS0tIGhBN3Fic2MydnV3WEJkRlRxb3Fx
+ UldNemFjVVFrUFc1UGZiZkYzTHZKRUkKZ1jv4MBP2r4zMPucjnYm7Iv+bEdjzaRT
+ 8jiFkU0hosPhJqgIk4x2HDQO0B6w7x71ZJbOieIyyZAy+u0xRiVN1g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-05-08T18:26:22Z"
+ mac: ENC[AES256_GCM,data:Tu1uDNlU8Xf/E9mF1rXc+cIsVFyiLAT/HHB8Kca6F96FNYHBaBEq3Cx3UhHOxw26HqGAjMpDEkf/a8KMjiwYSYzTKfee7V+v7k+qKx180b6iMQlmixMFpMB5UficFQ4Ncoq+h51MI3YtuyN93ewTlxZ1xEkKyVffYs2SARtusfM=,iv:C7NOzIAR/DnRXOBAacvahTrTcVQm/HHJIDUUYqruB9I=,tag:iNI0lp5B4aBEVDq5rwpfPQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3