magpie: add base files

flake.nix

@@ -28,13 +28,19 @@
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    simple-nixos-mailserver = {
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = inputs @ {
-    nixpkgs,
     home-manager,
+    nixpkgs,
     nix-xilinx,
     peerix,
+    simple-nixos-mailserver,
     sops-nix,
     zremap,
     ...
@@ -79,7 +85,7 @@
           ./common/suspend.nix
           ./mediabox/configuration.nix
           ./mediabox/hardware-configuration.nix
-	  ./modules/qbittorrent.nix
+          ./modules/qbittorrent.nix
           sops-nix.nixosModules.sops
           home-manager.nixosModules.home-manager
           {
@@ -117,6 +123,17 @@
           }
         ];
       };
+      magpie = nixpkgs.lib.nixosSystem {
+        system = "arm64-linux";
+        modules = [
+          {_module.args = inputs;}
+          ./magpie/configuration.nix
+          ./magpie/hardware-configuration.nix
+          sops-nix.nixosModules.sops
+          simple-nixos-mailserver.nixModule
+          (builtins.toPath "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix")
+        ];
+      };
     };
 
     devShell.x86_64-linux = pkgs.mkShell {

magpie/configuration.nix

@@ -0,0 +1,189 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [ ];
+
+  nix.optimise.automatic = true;
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.grub.devices = ["/dev/sda"];
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.users.alice = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+  #   packages = with pkgs; [
+  #     firefox
+  #     thunderbird
+  #   ];
+  # };
+
+  users.users.root.initialHashedPassword = "";
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0gyN7DzF7+sinneq7++fT93dNWe9ttKnLZJEb0LVs7UxPtz/ovlxnktAgEtSh7NUUGKPILGG6+YG/Jz3pb4cLuQHtavIQ2mIzIbiNl+c80gLNPulfOrC3KyCacYnlcEpoV+4yvMPLDf+5ySilYoF30CSIo8B7B4PSwO3/I20oXXY0zeVmYKs65BY8OrR8PDdtPpuqGcTdPpVSrooZQoykriFeejBb0Jn7qWO7vmsTyUZZIP4nKKUyqE6iFZ2zv+J3mYfuoglQKO1+kqcCYCef0sheLZGD4/QIIL8HJ9yNWb6OQhu7MEv1NowuHkviImwVO3actZ1/x4lrWt4mY+bGglVwA90u1KZUQ10qKQ2xCG2ZHE9DSxWxpI/Yq2P4pLA/XSkYFPpzmoD9c6cpv0WLAvmQrEVkqK0xXo+KszUlyGy5sVJl7/h1fZ8YhWsWUnU1XJFmKLaomUZflL3h7X6xJNVPzZmso8l1INdCvIBDu+G84kAp1/aFalSJMyjTgvCc1hxhAVYhmrc3msGH0Jk8CcPBwYa0BH4EryacdupOS/c5VxAbdyuizEgitP1ylRmydVVDEItPNXFvpWdyEehf/VmsUXqL48mBzfvi6feD5AzKjPaQNaATpxLs9Sl9CMxSy27ahHwEK6dek1wm7nkoSIDSRWfGhYKr3lUg0emAYQ=="
+  ];
+
+  environment.systemPackages = with pkgs; [
+    curl
+    fd
+    file
+    fzf
+    fzy
+    git
+    htop
+    neovim
+    tig
+    unzip
+    wget
+    zip
+    mosh
+  ];
+
+  mailserver = {
+    enable = true;
+    debug = false;
+    fqdn = "mail.project-cloud.net";
+    domains = ["project-cloud.net"];
+    enableSubmissionSsl = false;
+    enableImap = false;
+    enableImapSsl = false;
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+    loginAccounts = {
+      "gitea@project-cloud.net" = {
+        hashedPasswordFile = "/var/mail_pass";
+        aliases = ["git@project-cloud.net"];
+      };
+    };
+    certificateScheme = 3;
+  };
+
+  services.journald.extraConfig = ''SystemMaxUse=50M '';
+  services.logind.extraConfig = ''KillUserProcesses=yes '';
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
+  services.openssh.enable = true;
+  services.opendkim.enable = true;
+  services.restya-board = {
+    enable = true;
+    virtualHost.serverName = "kanban.project-cloud.net";
+  };
+  services.nextcloud = {
+    enable = true;
+    hostName = "project-cloud.net";
+    package = pkgs.nextcloud27;
+    config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}";
+    https = true;
+    caching = {
+      redis = true;
+      apcu = false;
+    };
+    extraOptions = {
+      redis = {
+        host = "/run/redis-nextcloud/redis.sock";
+        port = 0;
+      };
+      "memcache.local" = "\\OC\\Memcache\\Redis";
+      "memcache.distributed" = "\\OC\\Memcache\\Redis";
+      "memcache.locking" = "\\OC\\Memcache\\Redis";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts.${config.services.nextcloud.hostName} = {
+      forceSSL = true;
+      enableACME = true;
+    };
+    virtualHosts.${config.services.gitea.settings.server.domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.gitea.settings.server.httpPort}";
+      };
+    };
+    virtualHosts.${config.services.restya-board.virtualHost.serverName} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.restya-board.virtualHost.listenPort}";
+      };
+    };
+  };
+
+  services.redis.servers.nextcloud = {
+    enable = true;
+    user = "nextcloud";
+    port = 0;
+  };
+
+  services.gitea = {
+    enable = true;
+    appName = "Project Cloud Gitea server";
+    database = {
+      type = "postgres";
+      passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
+    };
+    settings.server.domain = "git.project-cloud.net";
+    settings.server.rootUrl = "https://git.project-cloud.net/";
+    settings.server.httpPort = 3001;
+    extraConfig = let
+      docutils =
+        pkgs.python3.withPackages (ps: with ps; [docutils pygments]);
+    in ''
+      [mailer]
+      ENABLED        = true
+      FROM 	     = project.cloud@gmx.com
+      PROTOCOL       = smtp
+      SMTP_ADDR      = mail.gmx.com
+      HOST           = mail.gmx.com:587
+      SMTP_PORT      = 587
+      IS_TLS_ENABLED = false
+      USER           = project.cloud@gmx.com
+      PASSWD         = TS0obCMiuktEAS2x6lQ3
+      [service]
+      REGISTER_EMAIL_CONFIRM = true
+      [markup.restructuredtext]
+      ENABLED = true
+      FILE_EXTENSIONS = .rst
+      RENDER_COMMAND = ${docutils}/bin/rst2html.py
+      IS_INPUT_FILE = false
+    '';
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "asmir.abdulahovic@gmail.com";
+  };
+
+  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+  sops.secrets."postgres/gitea_dbpass" = {
+    sopsFile = ./secrets/postgres.yaml;
+    owner = config.users.users.gitea.name;
+  };
+
+  networking.hostName = "magpie";
+  networking.wireless.enable = false;
+  networking.firewall.enable = false;
+  networking.firewall.allowedTCPPorts = [80 443 587];
+  networking.firewall.allowedUDPPorts = [];
+  networking.networkmanager.enable = true;
+
+  system.stateVersion = "22.11";
+}

magpie/hardware-configuration.nix

@@ -0,0 +1,36 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/118de1e5-f23e-4af3-a10a-054eded78152";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/4FEE-DEED";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

magpie/secrets/postgres.yaml

@@ -0,0 +1,22 @@
+postgres:
+    gitea_dbpass: ENC[AES256_GCM,data:0eoBapsuSw==,iv:COi2rWxM4+4EZEguEUVtguQTGkGQIQNfMns3EUokNX8=,tag:uCou612aK2TOVgSogAWliw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiS3BpdTY5anY3c2JYeTFE
+            NzZhb3BoZ1MwU0phTlpDcXp0Qmo2MTE2c1dFCmRuSkpIR2FDSU5jYTE1TVZ0Rndj
+            YUFua3Jwb0s4ZHZnRmUwenVWSWV1ZzgKLS0tIGhBN3Fic2MydnV3WEJkRlRxb3Fx
+            UldNemFjVVFrUFc1UGZiZkYzTHZKRUkKZ1jv4MBP2r4zMPucjnYm7Iv+bEdjzaRT
+            8jiFkU0hosPhJqgIk4x2HDQO0B6w7x71ZJbOieIyyZAy+u0xRiVN1g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-05-08T18:26:22Z"
+    mac: ENC[AES256_GCM,data:Tu1uDNlU8Xf/E9mF1rXc+cIsVFyiLAT/HHB8Kca6F96FNYHBaBEq3Cx3UhHOxw26HqGAjMpDEkf/a8KMjiwYSYzTKfee7V+v7k+qKx180b6iMQlmixMFpMB5UficFQ4Ncoq+h51MI3YtuyN93ewTlxZ1xEkKyVffYs2SARtusfM=,iv:C7NOzIAR/DnRXOBAacvahTrTcVQm/HHJIDUUYqruB9I=,tag:iNI0lp5B4aBEVDq5rwpfPQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3