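# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "magpie": one box serving mail and web apps for project-cloud.net.
# Services that are not public web/mail endpoints bind to localhost and are
# reverse-proxied by nginx; secrets come from sops-nix files under ./secrets.
# Values that are NOT yet secret-managed are marked NOTE(review) below.

{ config, pkgs, ... }:

{
  imports = [ ];

  nix.optimise.automatic = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  # grub.devices is presumably inert while systemd-boot is the active loader
  # (the grub module is normally switched off in that case) — confirm or drop.
  boot.loader.grub.devices = [ "/dev/sda" ];
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Set your time zone.
  time.timeZone = "Europe/Berlin";

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.alice = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  #   packages = with pkgs; [
  #     firefox
  #     thunderbird
  #   ];
  # };

  # NOTE(review): an empty hashed password lets root log in locally
  # (console/TTY, or any console reachable out of band) without a password.
  # SSH is unaffected because PermitRootLogin is "prohibit-password" below.
  # Prefer a real hash (nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt') or
  # `hashedPasswordFile` from sops — confirm this is not relied on for
  # recovery access.
  users.users.root.initialHashedPassword = "";
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa 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"
  ];

  environment.systemPackages = with pkgs; [
    curl fd file fzf fzy git htop neovim tig unzip wget zip mosh
  ];

  mailserver = {
    enable = true;
    debug = false;
    fqdn = "mail.project-cloud.net";
    domains = [ "project-cloud.net" ];
    # IMAP (plain and TLS) and implicit-TLS submission are off, which
    # presumably leaves only STARTTLS submission for the login accounts.
    enableSubmissionSsl = false;
    enableImap = false;
    enableImapSsl = false;

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "gitea@project-cloud.net" = {
        # bcrypt hash comes from sops (see sops.secrets below).  Note that
        # Gitea's own mailer further down sends through GMX, not through this
        # account — presumably intentional; confirm.
        hashedPasswordFile = config.sops.secrets."gitea_mail_pw_hash".path;
        aliases = [ "git@project-cloud.net" ];
      };
    };
    # 3 = certificate obtained through nginx/ACME; newer releases of the
    # mailserver module spell this as a string — confirm the pinned version
    # still accepts the numeric form.
    certificateScheme = 3;
  };

  services.journald.extraConfig = ''
    SystemMaxUse=50M
  '';
  # NOTE(review): KillUserProcesses=yes kills what a closed SSH session left
  # behind, which presumably includes a mosh-server started from it unless
  # lingering is enabled for the user — confirm mosh (installed above) still
  # survives a disconnect.
  services.logind.extraConfig = ''
    KillUserProcesses=yes
  '';

  services.openssh.enable = true;
  # Key-only root login; the authorized key above is the only remote root path.
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  # The mailserver module presumably manages its own opendkim instance;
  # enabling it here looks redundant but harmless.
  services.opendkim.enable = true;

  services.miniflux = {
    enable = true;
    # Environment-style file from sops holding the admin credentials.
    adminCredentialsFile = config.sops.secrets."miniflux_env".path;
    config = {
      LISTEN_ADDR = "localhost:5001";
      BASE_URL = "https://miniflux.project-cloud.net";
    };
  };

  services.restya-board = {
    enable = true;
    /* virtualHost.serverName = "board.project-cloud.net"; */
    virtualHost.listenHost = "localhost";
    virtualHost.listenPort = 4001;
  };

  services.nextcloud = {
    enable = true;
    hostName = "project-cloud.net";
    package = pkgs.nextcloud27;
    # NOTE(review): pkgs.writeText places "test123" in the world-readable Nix
    # store, and this is the initial admin password of an internet-facing
    # instance.  Point this at a sops secret path instead (as done for gitea
    # and miniflux) and change the admin password if the install already ran
    # with this value — TODO before the next deploy.
    config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}";
    https = true;
    caching = {
      redis = true;
      apcu = false;
    };
    extraOptions = {
      # Local redis over its unix socket; port 0 matches the TCP-less server
      # defined in services.redis.servers.nextcloud below.
      redis = {
        host = "/run/redis-nextcloud/redis.sock";
        port = 0;
      };
      "memcache.local" = "\\OC\\Memcache\\Redis";
      "memcache.distributed" = "\\OC\\Memcache\\Redis";
      "memcache.locking" = "\\OC\\Memcache\\Redis";
    };
  };

  services.nginx = {
    enable = true;
    package = pkgs.nginxQuic;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Every public vhost is HTTPS-only with an ACME certificate (plus QUIC).
    # Upstream addresses are derived from each service's own config so the
    # proxy target cannot drift from the port the service actually listens on.
    virtualHosts.${config.services.nextcloud.hostName} = {
      quic = true;
      forceSSL = true;
      enableACME = true;
    };
    virtualHosts."miniflux.project-cloud.net" = {
      quic = true;
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass =
        "http://${config.services.miniflux.config.LISTEN_ADDR}";
    };
    virtualHosts.${config.services.gitea.settings.server.DOMAIN} = {
      quic = true;
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass =
        "http://localhost:${toString config.services.gitea.settings.server.HTTP_PORT}";
    };
    virtualHosts."board.project-cloud.net" = {
      quic = true;
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass =
        "http://localhost:${toString config.services.restya-board.virtualHost.listenPort}";
    };
  };

  # Dedicated redis instance for Nextcloud; port 0 disables the TCP listener,
  # leaving only the unix socket referenced from services.nextcloud above.
  services.redis.servers.nextcloud = {
    enable = true;
    user = "nextcloud";
    port = 0;
  };

  services.gitea =
    let
      # Python environment used to render .rst files in the web UI.
      rstRenderer = pkgs.python3.withPackages (ps: with ps; [ docutils pygments ]);
    in
    {
      enable = true;
      appName = "Project Cloud Gitea server";
      database = {
        type = "postgres";
        passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
      };
      # All app.ini content goes through the structured `settings` option that
      # the [server] section already used; the free-form extraConfig is the
      # deprecated route to the same file and is no longer mixed in.
      settings = {
        server = {
          DOMAIN = "git.project-cloud.net";
          HTTP_PORT = 3001;
        };
        mailer = {
          ENABLED = true;
          FROM = "project.cloud@gmx.com";
          PROTOCOL = "smtp";
          SMTP_ADDR = "mail.gmx.com";
          SMTP_PORT = 587;
          # HOST is presumably the older spelling of SMTP_ADDR:SMTP_PORT and is
          # kept alongside it so either reading yields the same server.
          HOST = "mail.gmx.com:587";
          # No implicit TLS on 587; PROTOCOL=smtp presumably negotiates
          # STARTTLS with the GMX server — confirm it does not fall back to
          # plaintext.
          IS_TLS_ENABLED = false;
          USER = "project.cloud@gmx.com";
          # NOTE(review): plaintext SMTP credential in the evaluated config —
          # it ends up in app.ini in the Nix store and in this repo's history.
          # Move it to a sops secret and set `services.gitea.mailerPasswordFile`
          # (the module substitutes it into PASSWD at start-up), then rotate
          # the credential — TODO.
          PASSWD = "TS0obCMiuktEAS2x6lQ3";
        };
        service.REGISTER_EMAIL_CONFIRM = true;
        "markup.restructuredtext" = {
          ENABLED = true;
          FILE_EXTENSIONS = ".rst";
          RENDER_COMMAND = "${rstRenderer}/bin/rst2html.py";
          IS_INPUT_FILE = false;
        };
      };
    };

  security.acme = {
    acceptTerms = true;
    defaults.email = "asmir.abdulahovic@gmail.com";
  };

  # sops-nix derives its age key from the host SSH key.  Secrets are root-owned
  # unless an owner is given; only gitea reads its file itself and needs one.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.secrets."postgres/gitea_dbpass" = {
    sopsFile = ./secrets/postgres.yaml;
    owner = config.users.users.gitea.name;
  };
  sops.secrets."miniflux_env" = {
    sopsFile = ./secrets/miniflux.yaml;
  };
  sops.secrets."gitea_mail_pw_hash" = {
    sopsFile = ./secrets/gitea_mail_pw_hash.yaml;
  };

  networking.hostName = "magpie";
  networking.wireless.enable = false;
  # NOTE(review): the firewall is off, so the port lists below are inert and
  # anything bound to a non-loopback address is reachable from outside.
  # Turning it on looks safe from this file alone — openssh and the mailserver
  # module presumably open their own ports and the remaining services bind to
  # localhost — but mosh would need `programs.mosh.enable = true` for its UDP
  # range; confirm nothing else depends on the open host before flipping it.
  networking.firewall.enable = false;
  networking.firewall.allowedTCPPorts = [ 80 443 587 ];
  networking.firewall.allowedUDPPorts = [ ];
  networking.networkmanager.enable = true;

  system.stateVersion = "22.11";
}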