Merge branch 'parsons-init' into 'main'
init parsons. See merge request hacc/infra/haccfiles!75
commit
15225932f0
|
@ -1,16 +1,16 @@
|
||||||
stages:
|
stages:
|
||||||
- build
|
- build
|
||||||
|
|
||||||
|
build-parsons:
|
||||||
|
tags:
|
||||||
|
- nix
|
||||||
|
stage: build
|
||||||
|
script:
|
||||||
|
- nix-build -A deploy.parsons
|
||||||
|
|
||||||
build-nixda:
|
build-nixda:
|
||||||
tags:
|
tags:
|
||||||
- nix
|
- nix
|
||||||
stage: build
|
stage: build
|
||||||
script:
|
script:
|
||||||
- nix-build -A deploy.nixda
|
- nix-build -A deploy.nixda
|
||||||
|
|
||||||
build-hainich:
|
|
||||||
tags:
|
|
||||||
- nix
|
|
||||||
stage: build
|
|
||||||
script:
|
|
||||||
- nix-build -A deploy.hainich
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, modules, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
sources = import ../nix/sources.nix;
|
sources = import ../nix/sources.nix;
|
||||||
|
@ -7,10 +7,10 @@ in {
|
||||||
../modules
|
../modules
|
||||||
./users.nix
|
./users.nix
|
||||||
(sources.home-manager + "/nixos")
|
(sources.home-manager + "/nixos")
|
||||||
(sources.pbb-nixfiles + "/modules/nftables")
|
modules.network.nftables
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
|
||||||
boot.kernelParams = [ "quiet" ];
|
boot.kernelParams = [ "quiet" ];
|
||||||
|
|
||||||
networking.domain = lib.mkDefault "hacc.space";
|
networking.domain = lib.mkDefault "hacc.space";
|
||||||
|
@ -77,7 +77,8 @@ in {
|
||||||
|
|
||||||
services.nginx.appendHttpConfig = ''
|
services.nginx.appendHttpConfig = ''
|
||||||
access_log off;
|
access_log off;
|
||||||
|
add_header Permissions-Policy "interest-cohort=()";
|
||||||
'';
|
'';
|
||||||
|
|
||||||
petabyte.nftables.enable = true;
|
networking.nftables.enable = true;
|
||||||
}
|
}
|
||||||
|
|
|
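Review bot: `add_header Permissions-Policy "interest-cohort=()";` placed in `appendHttpConfig` is only inherited by server and location blocks that define no `add_header` of their own, because nginx replaces the inherited header set instead of merging it, so any virtualHost whose `extraConfig` adds a header silently drops this one. Worth a comment next to the line, e.g. `# not inherited into server/location blocks that set their own add_header -- repeat it there`, plus a check of the virtualHosts defined under services/ (outside this diff) for their own `add_header` lines. The enclosing module attribute set starts outside this hunk.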
@ -2,6 +2,10 @@ rec {
|
||||||
sources = import ./nix/sources.nix;
|
sources = import ./nix/sources.nix;
|
||||||
pkgs = import ./pkgs {};
|
pkgs = import ./pkgs {};
|
||||||
inherit (pkgs) lib;
|
inherit (pkgs) lib;
|
||||||
inherit (import (sources.nix-hexchen + "/lib/hosts.nix") { inherit pkgs; hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs; }) hosts groups;
|
inherit (import (sources.nix-hexchen + "/lib/hosts.nix") {
|
||||||
|
inherit pkgs sources;
|
||||||
|
inherit ((import sources.nix-hexchen) {}) modules;
|
||||||
|
hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs;
|
||||||
|
}) hosts groups;
|
||||||
deploy = import (sources.nix-hexchen + "/lib/deploy.nix") { inherit pkgs hosts groups; };
|
deploy = import (sources.nix-hexchen + "/lib/deploy.nix") { inherit pkgs hosts groups; };
|
||||||
}
|
}
|
||||||
|
|
|
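Review bot: `inherit ((import sources.nix-hexchen) {}) modules;` repeats the nix-hexchen import inline inside the hosts.nix argument, and hosts/parsons/configuration.nix in this merge does it again for `((import sources.nix-hexchen) {}).profiles.nopersist`. Binding it once in the enclosing `rec` (which starts outside the hunk), e.g. `hexchen = (import sources.nix-hexchen) {};` followed by `inherit (hexchen) modules;`, keeps the provenance of these attributes in one place. If hosts.nix forwards extra arguments as it appears to do for `sources` and `modules`, passing `profiles` the same way would let the host config drop its own import; I cannot see hosts.nix, so that part needs confirming.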
@ -1,140 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
../../common
|
|
||||||
./encboot.nix
|
|
||||||
./hardware.nix
|
|
||||||
./services/murmur.nix
|
|
||||||
./services/mail.nix
|
|
||||||
./services/hedgedoc_hacc.nix
|
|
||||||
./services/hedgedoc_i4f.nix
|
|
||||||
../../common
|
|
||||||
# ./wireguard.nix
|
|
||||||
./services/nginx.nix
|
|
||||||
# ./k8s.nix
|
|
||||||
./services/ghost_waszumfff.nix
|
|
||||||
./services/gitlab-runner.nix
|
|
||||||
./services/lantifa.nix
|
|
||||||
./services/syncthing.nix
|
|
||||||
./services/monitoring.nix
|
|
||||||
./services/workadventure.nix
|
|
||||||
./services/mattermost.nix
|
|
||||||
];
|
|
||||||
boot.loader.grub.enable = true;
|
|
||||||
boot.loader.grub.version = 2;
|
|
||||||
boot.loader.grub.device = "/dev/sda";
|
|
||||||
boot.supportedFilesystems = [ "zfs" ];
|
|
||||||
|
|
||||||
# stop *something* from loading ip_tables and breaking nftables
|
|
||||||
boot.blacklistedKernelModules = [ "ip_tables" "ip6_tables" "x_tables"];
|
|
||||||
|
|
||||||
|
|
||||||
# networking
|
|
||||||
networking.hostName = "hainich";
|
|
||||||
networking.hostId = "8a58cb2f";
|
|
||||||
networking.useDHCP = true;
|
|
||||||
networking.interfaces.enp6s0.ipv4.addresses = [
|
|
||||||
{
|
|
||||||
address = "46.4.63.148";
|
|
||||||
prefixLength = 27;
|
|
||||||
}
|
|
||||||
|
|
||||||
{
|
|
||||||
address = "46.4.63.158";
|
|
||||||
prefixLength = 27;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
networking.interfaces.enp6s0.ipv6.addresses = [ {
|
|
||||||
address = "2a01:4f8:140:84c9::1";
|
|
||||||
prefixLength = 64;
|
|
||||||
} ];
|
|
||||||
networking.defaultGateway = "46.4.63.129";
|
|
||||||
networking.nameservers = [
|
|
||||||
"1.1.1.1" "1.0.0.1"
|
|
||||||
"2606:4700:4700::1111" "2606:4700:4700::1001"
|
|
||||||
];
|
|
||||||
networking.defaultGateway6 = {
|
|
||||||
address = "fe80::1";
|
|
||||||
interface = "enp6s0";
|
|
||||||
};
|
|
||||||
|
|
||||||
hacc.nftables.nat.enable = true;
|
|
||||||
networking.nat.internalInterfaces = ["ve-+"];
|
|
||||||
networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ];
|
|
||||||
networking.nat.externalInterface = "enp6s0";
|
|
||||||
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
|
|
||||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
|
||||||
# networking.firewall.enable = false;
|
|
||||||
|
|
||||||
# misc
|
|
||||||
time.timeZone = "UTC";
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
wget vim git
|
|
||||||
];
|
|
||||||
|
|
||||||
services.openssh.enable = true;
|
|
||||||
services.openssh.ports = [ 22 62954 ];
|
|
||||||
|
|
||||||
users.users.root = {
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct"
|
|
||||||
"ssh-rsa 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 schweby@taxusbaccata"
|
|
||||||
];
|
|
||||||
initialHashedPassword = "$6$F316njEF2$GMF4OmPSF6QgZ3P/DblQ/UFMgoo98bztbdw7X0ygvBGC1UMMIc13Vtxjd/ZGRYW/pEHACZZ7sbRZ48t6xhvO7/";
|
|
||||||
# shell = pkgs.fish;
|
|
||||||
};
|
|
||||||
|
|
||||||
# storage stuffs!
|
|
||||||
services.zfs = {
|
|
||||||
autoSnapshot = {
|
|
||||||
enable = true;
|
|
||||||
frequent = 12;
|
|
||||||
hourly = 18;
|
|
||||||
daily = 3;
|
|
||||||
weekly = 0;
|
|
||||||
monthly = 0;
|
|
||||||
};
|
|
||||||
autoScrub = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
boot.kernelPackages = pkgs.linuxPackages;
|
|
||||||
|
|
||||||
services.restic.backups.tardis = {
|
|
||||||
passwordFile = "/etc/restic/system";
|
|
||||||
s3CredentialsFile = "/etc/restic/system.s3creds";
|
|
||||||
paths = [
|
|
||||||
"/data"
|
|
||||||
"/home"
|
|
||||||
"/run/florinori"
|
|
||||||
"/var/lib/containers/codimd/var/lib/codimd"
|
|
||||||
"/var/lib/containers/codimd/var/backup/postgresql"
|
|
||||||
"/var/lib/containers/hedgedoc-i4f/var/lib/codimd"
|
|
||||||
"/var/lib/containers/hedgedoc-i4f/var/backup/postgresql"
|
|
||||||
"/var/lib/containers/lantifa/var/lib/mediawiki"
|
|
||||||
"/var/lib/containers/lantifa/var/backup/mysql"
|
|
||||||
"/var/lib/murmur"
|
|
||||||
"/var/lib/syncthing"
|
|
||||||
];
|
|
||||||
pruneOpts = [
|
|
||||||
"--keep-daily 7"
|
|
||||||
"--keep-weekly 5"
|
|
||||||
"--keep-monthly 3"
|
|
||||||
];
|
|
||||||
repository = "b2:tardis-hainich:system";
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
|
||||||
# settings for stateful data, like file locations and database versions
|
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
||||||
# this value at the release version of the first install of this system.
|
|
||||||
# Before changing this value read the documentation for this option
|
|
||||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
|
||||||
system.stateVersion = "20.03"; # Did you read the comment?
|
|
||||||
}
|
|
|
@ -1,28 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
boot.initrd.kernelModules = [ "r8169" ]; # add network card driver
|
|
||||||
boot.kernelParams = ["ip=:::::enp6s0:dhcp"]; # enable dhcp on primary network interface
|
|
||||||
boot.initrd.network = {
|
|
||||||
enable = true;
|
|
||||||
ssh = {
|
|
||||||
enable = true;
|
|
||||||
port = 2222;
|
|
||||||
# TODO: Modify system config so that this works
|
|
||||||
# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
|
|
||||||
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
|
||||||
hostKeys = [ /run/keys/ecdsa_host ];
|
|
||||||
};
|
|
||||||
# TODO: curl some webhook here to alert?
|
|
||||||
# possibly quite hard to do, we only have limited wget or netcat available
|
|
||||||
# how this all works:
|
|
||||||
# when someone logs in via ssh, they are prompted to unlock the zfs volume
|
|
||||||
# afterwards zfs is killed in order for the boot to progress
|
|
||||||
# timeout of 120s still applies afaik
|
|
||||||
postCommands = ''
|
|
||||||
zpool import zroot
|
|
||||||
zpool import dpool
|
|
||||||
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,52 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "sd_mod" ];
|
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
|
||||||
boot.extraModulePackages = [ ];
|
|
||||||
|
|
||||||
fileSystems."/" =
|
|
||||||
{ device = "zroot/root/nixos";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/nix" =
|
|
||||||
{ device = "zroot/root/nixos/nix";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/home" =
|
|
||||||
{ device = "dpool/home";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/var/lib/containers" =
|
|
||||||
{ device = "dpool/containers";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/var/lib/docker" =
|
|
||||||
{ device = "dpool/docker";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/var/lib/gitlab-runner" =
|
|
||||||
{ device = "dpool/gitlab-runner";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/data" =
|
|
||||||
{ device = "dpool/data";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{ device = "/dev/disk/by-uuid/40125f55-7fe8-4850-902e-b4d6e22f0335";
|
|
||||||
fsType = "ext2";
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
|
||||||
|
|
||||||
nix.maxJobs = lib.mkDefault 12;
|
|
||||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
|
||||||
}
|
|
|
@ -1,125 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
{
|
|
||||||
services.etcd = {
|
|
||||||
advertiseClientUrls = [
|
|
||||||
"https://[2a0d:eb04:8:10::1]:2379"
|
|
||||||
];
|
|
||||||
listenClientUrls = [
|
|
||||||
"https://[2a0d:eb04:8:10::1]:2379"
|
|
||||||
];
|
|
||||||
listenPeerUrls = [
|
|
||||||
"https://[::1]:2380"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
services.kubernetes = {
|
|
||||||
roles = [ "master" "node" ];
|
|
||||||
flannel.enable = false;
|
|
||||||
addons.dns = {
|
|
||||||
enable = true;
|
|
||||||
clusterIp = "2a0d:eb04:8:11::53";
|
|
||||||
reconcileMode = "EnsureExists";
|
|
||||||
};
|
|
||||||
pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ];
|
|
||||||
apiserver = {
|
|
||||||
advertiseAddress = "2a0d:eb04:8:10::1";
|
|
||||||
extraSANs = [
|
|
||||||
"2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space"
|
|
||||||
];
|
|
||||||
bindAddress = "::";
|
|
||||||
insecureBindAddress = "::1";
|
|
||||||
etcd = {
|
|
||||||
servers = [ "https://[2a0d:eb04:8:10::1]:2379" ];
|
|
||||||
};
|
|
||||||
serviceClusterIpRange = "2a0d:eb04:8:11::/120";
|
|
||||||
extraOpts = "--allow-privileged=true";
|
|
||||||
};
|
|
||||||
controllerManager = {
|
|
||||||
bindAddress = "::";
|
|
||||||
clusterCidr = "2a0d:eb04:8:12::/64";
|
|
||||||
};
|
|
||||||
kubelet = {
|
|
||||||
address = "::";
|
|
||||||
clusterDns = "2a0d:eb04:8:11::53";
|
|
||||||
};
|
|
||||||
proxy = {
|
|
||||||
bindAddress = "::";
|
|
||||||
};
|
|
||||||
scheduler = {
|
|
||||||
address = "::1" ;
|
|
||||||
};
|
|
||||||
apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443";
|
|
||||||
clusterCidr = "2a0d:eb04:8:12::/64";
|
|
||||||
easyCerts = true;
|
|
||||||
masterAddress = "hainich.hacc.space";
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall = {
|
|
||||||
allowedTCPPorts = [ 80 443 6443 ];
|
|
||||||
trustedInterfaces = [
|
|
||||||
"cbr0" "tunnat64"
|
|
||||||
];
|
|
||||||
extraCommands = ''
|
|
||||||
iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
|
|
||||||
iptables -A FORWARD -i tunnat64 -j ACCEPT
|
|
||||||
|
|
||||||
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
|
|
||||||
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
|
|
||||||
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
|
|
||||||
|
|
||||||
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
|
|
||||||
ip6tables -A INPUT -i tunnat64 -j ACCEPT
|
|
||||||
'';
|
|
||||||
extraStopCommands = ''
|
|
||||||
iptables -t nat -D POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
|
|
||||||
iptables -D FORWARD -i tunnat64 -j ACCEPT
|
|
||||||
|
|
||||||
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
|
|
||||||
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
|
|
||||||
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
|
|
||||||
|
|
||||||
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
|
|
||||||
ip6tables -A INPUT -i tunnat64 -j ACCEPT
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.tayga = (let
|
|
||||||
config = pkgs.writeText "tayga.conf" ''
|
|
||||||
tun-device tunnat64
|
|
||||||
ipv4-addr 10.255.255.254
|
|
||||||
prefix 2a0d:eb04:8:10:64::/96
|
|
||||||
dynamic-pool 10.255.255.0/24
|
|
||||||
map 10.255.255.1 2a0d:eb04:8:10::1
|
|
||||||
map 10.255.255.2 2a0d:eb04:8:11::2
|
|
||||||
strict-frag-hdr 1
|
|
||||||
'';
|
|
||||||
startScript = pkgs.writeScriptBin "tayga-start" ''
|
|
||||||
#! ${pkgs.runtimeShell} -e
|
|
||||||
${pkgs.iproute}/bin/ip link set up tunnat64 || true
|
|
||||||
${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true
|
|
||||||
${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true
|
|
||||||
${pkgs.tayga}/bin/tayga -d --config ${config}
|
|
||||||
'';
|
|
||||||
in {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "network.target" ];
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = ''${startScript}/bin/tayga-start'';
|
|
||||||
};
|
|
||||||
});
|
|
||||||
|
|
||||||
networking.interfaces.cbr0.ipv6.routes = [{
|
|
||||||
address = "2a0d:eb04:8:10::";
|
|
||||||
prefixLength = 60;
|
|
||||||
}];
|
|
||||||
|
|
||||||
networking.interfaces.tunnat64 = {
|
|
||||||
virtual = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
# openebs expects some stuff to be there.
|
|
||||||
system.activationScripts.openebs = ''
|
|
||||||
mkdir -p /usr/lib /usr/sbin
|
|
||||||
ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/
|
|
||||||
ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/
|
|
||||||
'';
|
|
||||||
}
|
|
|
@ -1,32 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
virtualisation.oci-containers.containers."ghost-waszumfff" = {
|
|
||||||
autoStart = true;
|
|
||||||
environment = {
|
|
||||||
url = "https://waszumfff.4future.dev";
|
|
||||||
};
|
|
||||||
image = "ghost:alpine";
|
|
||||||
ports = [ "127.0.0.1:2368:2368" ];
|
|
||||||
volumes = [ "/run/florinori:/var/lib/ghost/content" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/run/florinori" =
|
|
||||||
{ device = "dpool/k8s/florinori";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."waszumfff.4future.dev" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:2368";
|
|
||||||
extraConfig = "
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,42 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
services.prometheus = {
|
|
||||||
enable = true;
|
|
||||||
webExternalUrl = "https://stats.hacc.space";
|
|
||||||
exporters = {
|
|
||||||
dovecot = {
|
|
||||||
enable = true;
|
|
||||||
scopes = [ "user" "global" ];
|
|
||||||
socketPath = "/var/run/dovecot2/old-stats";
|
|
||||||
};
|
|
||||||
nginx.enable = true;
|
|
||||||
node.enable = true;
|
|
||||||
postfix = {
|
|
||||||
enable = true;
|
|
||||||
systemd.enable = true;
|
|
||||||
};
|
|
||||||
rspamd.enable = true;
|
|
||||||
};
|
|
||||||
scrapeConfigs = (lib.mapAttrsToList (name: val:
|
|
||||||
{
|
|
||||||
job_name = "${name}-${config.networking.hostName}";
|
|
||||||
static_configs = [{
|
|
||||||
targets = [ "localhost:${toString val.port}" ];
|
|
||||||
labels.host = config.networking.hostName;
|
|
||||||
}];
|
|
||||||
}
|
|
||||||
) (lib.filterAttrs (_: val: val.enable) config.services.prometheus.exporters));
|
|
||||||
};
|
|
||||||
|
|
||||||
services.dovecot2.extraConfig = ''
|
|
||||||
mail_plugins = $mail_plugins old_stats
|
|
||||||
service old-stats {
|
|
||||||
unix_listener old-stats {
|
|
||||||
user = dovecot-exporter
|
|
||||||
group = dovecot-exporter
|
|
||||||
}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
services.nginx.statusPage = true;
|
|
||||||
}
|
|
|
@ -1,56 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
security.acme.acceptTerms = true;
|
|
||||||
security.acme.email = "info+acme@hacc.space";
|
|
||||||
services.nginx.enable = true;
|
|
||||||
services.nginx.package = pkgs.nginx.override {
|
|
||||||
modules = [ pkgs.nginxModules.rtmp ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# services.nginx.recommendedProxySettings = true;
|
|
||||||
|
|
||||||
services.nginx.virtualHosts = let
|
|
||||||
in {
|
|
||||||
# let all empty subdomains pointing to hainich return 404
|
|
||||||
"hainich.hacc.space" = {
|
|
||||||
default = true;
|
|
||||||
locations."/".return = "404";
|
|
||||||
};
|
|
||||||
"hacc.space" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/".return = "301 https://hacc.earth";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 1935 ];
|
|
||||||
services.nginx = {
|
|
||||||
appendHttpConfig = ''
|
|
||||||
add_header Permissions-Policy "interest-cohort=()";
|
|
||||||
'';
|
|
||||||
appendConfig = ''
|
|
||||||
rtmp {
|
|
||||||
server {
|
|
||||||
listen 1935;
|
|
||||||
application cutiestream {
|
|
||||||
live on;
|
|
||||||
allow publish all;
|
|
||||||
allow play all;
|
|
||||||
}
|
|
||||||
application ingest {
|
|
||||||
live on;
|
|
||||||
|
|
||||||
record all;
|
|
||||||
record_path /data/ingest;
|
|
||||||
record_unique on;
|
|
||||||
|
|
||||||
# include /var/secrets/ingest.conf;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
|
|
||||||
}
|
|
|
@ -1,102 +0,0 @@
|
||||||
{pkgs, lib, config, ...}:
|
|
||||||
|
|
||||||
let
|
|
||||||
sources = import ../../../nix/sources.nix {};
|
|
||||||
# why the double outPath? Dunno, just niv things …
|
|
||||||
workadventure-nix = sources.workadventure.outPath.outPath;
|
|
||||||
haccmap = sources.haccmap.outPath.outPath;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
# not the most intuitive of container names, but "workadventure" is too long
|
|
||||||
containers.wa-void = {
|
|
||||||
|
|
||||||
# we'll need the outer config to get the turn secret inside the container,
|
|
||||||
# and I'm feeling haskelly so config' it is!
|
|
||||||
config = let config' = config; in {config, pkgs, ...}: {
|
|
||||||
imports = [ workadventure-nix ];
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
|
||||||
|
|
||||||
services.workadventure."void.hacc.space" = {
|
|
||||||
packageset = (
|
|
||||||
import "${workadventure-nix}/wapkgs.nix" {
|
|
||||||
inherit pkgs lib;
|
|
||||||
}
|
|
||||||
).workadventure-xce;
|
|
||||||
|
|
||||||
nginx = {
|
|
||||||
default = true;
|
|
||||||
domain = "void.hacc.space";
|
|
||||||
maps = {
|
|
||||||
serve = true;
|
|
||||||
path = "${haccmap}/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
|
|
||||||
|
|
||||||
commonConfig = {
|
|
||||||
webrtc.stun.url = "stun:turn.hacc.space:3478";
|
|
||||||
webrtc.turn = {
|
|
||||||
url = "turn:46.4.63.148";
|
|
||||||
user = "turn";
|
|
||||||
password = config'.services.coturn.static-auth-secret;
|
|
||||||
};
|
|
||||||
jitsi.url = "meet.ffmuc.net";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
privateNetwork = true;
|
|
||||||
hostAddress6 = "fd00::42:14";
|
|
||||||
localAddress6 = "fd00::42:16";
|
|
||||||
|
|
||||||
autoStart = true;
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
services.coturn = {
|
|
||||||
enable = true;
|
|
||||||
realm = "turn.hacc.space";
|
|
||||||
# this is a static "secret" that is also compiled into workadventure,
|
|
||||||
# so it seems ok to put it into the nix store
|
|
||||||
static-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
|
|
||||||
use-auth-secret = true;
|
|
||||||
no-cli = true;
|
|
||||||
no-tcp-relay = true;
|
|
||||||
|
|
||||||
cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
|
|
||||||
pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
services.nginx = {
|
|
||||||
virtualHosts."void.hacc.space" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://[${config.containers.wa-void.localAddress6}]";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
# this isn't actually needed, but acme requires a webserver to serve
|
|
||||||
# challanges, so I guess it's easier to just define a virtualHost here
|
|
||||||
virtualHosts."turn.hacc.space" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
networking.firewall = with config.services.coturn;
|
|
||||||
let
|
|
||||||
ports = [ listening-port tls-listening-port ];
|
|
||||||
in {
|
|
||||||
allowedTCPPorts = [ 80 ] ++ ports;
|
|
||||||
allowedUDPPorts = ports;
|
|
||||||
allowedUDPPortRanges = [
|
|
||||||
{ from = min-port; to = max-port; }
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,34 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
{
|
|
||||||
systemd.services.wireguard-upstream = {
|
|
||||||
wants = [ "wg-upstream-key.service" ];
|
|
||||||
after = [ "wg-upstream-key.service" ];
|
|
||||||
};
|
|
||||||
networking.wireguard.interfaces.upstream = {
|
|
||||||
ips = [ "2a0d:eb04:8:ffff:2::2/128" ];
|
|
||||||
generatePrivateKeyFile = true;
|
|
||||||
privateKeyFile = "/etc/wireguard/upstream.key";
|
|
||||||
listenPort = 51820;
|
|
||||||
peers = [
|
|
||||||
{
|
|
||||||
allowedIPs = [ "::/0" ];
|
|
||||||
endpoint = "103.105.50.220:51823";
|
|
||||||
publicKey = "qL5xKnQ7xLbtTvu0VmLBwHExteJBhmCe5S/0ZoXBeXY=";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
postSetup = ''
|
|
||||||
${pkgs.iproute}/bin/ip addr del dev upstream 2a0d:eb04:8:ffff:2::2/128
|
|
||||||
${pkgs.iproute}/bin/ip addr add dev upstream 2a0d:eb04:8:ffff:2::2/128 peer 2a0d:eb04:8:ffff:2::1/128
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
networking.interfaces.lo.ipv6 = {
|
|
||||||
addresses = [{
|
|
||||||
address = "2a0d:eb04:8:10::1";
|
|
||||||
prefixLength = 128;
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
networking.defaultGateway6 = {
|
|
||||||
address = "2a0d:eb04:8:ffff:2::1";
|
|
||||||
interface = "upstream";
|
|
||||||
};
|
|
||||||
}
|
|
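--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, sources, modules, ... }:
+
+{
+imports = [
+../../common
+./hardware.nix
+modules.encboot
+modules.network.nftables modules.nftnat
+((import sources.nix-hexchen) {}).profiles.nopersist
+
+../../services/nextcloud
+../../services/mattermost.nix
+../../services/thelounge.nix
+../../services/murmur.nix
+../../services/hedgedoc-hacc.nix
+../../services/hedgedoc-i4f.nix
+../../services/mail.nix
+../../services/syncthing.nix
+../../services/gitlab.nix
+../../services/nginx-pages.nix
+../../services/gitlab-runner.nix
+../../services/unifi.nix
+../../services/lantifa.nix
+
+./lxc.nix
+];
+
+hexchen.encboot = {
+enable = true;
+dataset = "-a";
+networkDrivers = [ "igb" ];
+};
+
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+boot.supportedFilesystems = [ "zfs" ];
+
+networking.hostId = "b2867696";
+networking.useDHCP = true;
+networking.nftables.enable = true;
+hexchen.nftables.nat.enable = true;
+networking.nat.internalInterfaces = ["ve-+"];
+networking.nat.externalInterface = "enp35s0";
+
+networking.interfaces.enp35s0.ipv6.addresses = [{
+address = "2a01:4f9:3a:2ddb::1";
+prefixLength = 64;
+}];
+networking.defaultGateway6 = {
+address = "fe80::1";
+interface = "enp35s0";
+};
+boot = {
+kernelModules = [ "nf_nat_ftp" ];
+kernel.sysctl = {
+"net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
+"net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
+};
+};
+
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+virtualHosts = {
+"parsons.hacc.space" = {
+default = true;
+locations."/".return = "404";
+};
+"hacc.space" = {
+enableACME = true;
+forceSSL = true;
+locations."/".return = "302 https://hacc.earth";
+};
+};
+};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+services.restic.backups.tardis = {
+passwordFile = "/persist/restic/system";
+s3CredentialsFile = "/persist/restic/system.s3creds";
+paths = [
+"/home"
+"/persist"
+];
+pruneOpts = [
+"--keep-daily 7"
+"--keep-weekly 5"
+"--keep-monthly 3"
+];
+repository = "b2:tardis-parsons:system";
+};
+
+system.stateVersion = "21.05";
+}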
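Review bot: `"net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;` and the `default.forwarding` line beside it carry no comment on why a priority override is needed, and because they enable IPv4 routing on every interface of a host with a public uplink, the reason belongs next to them, e.g. `# mkOverride 90: beat the value the NAT module sets so lxcbr0/ve-+ forwarding stays on -- confirm against nat.nix`. The `hacc.space` vhost now answers `302 https://hacc.earth` where hainich's deleted nginx.nix used `301`; if the switch to a temporary redirect is intentional, a one-line comment would keep the next reader from reverting it. `hexchen.encboot` replaces the hand-written initrd SSH unlock from hainich's encboot.nix, and which authorized keys and host key it uses is decided in the nix-hexchen module outside this diff, so a comment pointing there would help whoever audits initrd access.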
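--- a/hosts/parsons/hardware.nix
+++ b/hosts/parsons/hardware.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-amd" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "zroot/local/root";
+fsType = "zfs";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/daf2a731-952f-45c7-9c25-49e1a2f56062";
+fsType = "ext4";
+};
+
+fileSystems."/nix" =
+{ device = "zroot/local/nix";
+fsType = "zfs";
+};
+
+fileSystems."/persist" =
+{ device = "zroot/safe/persist";
+fsType = "zfs";
+};
+
+fileSystems."/home" =
+{ device = "zroot/safe/home";
+fsType = "zfs";
+};
+
+fileSystems."/root" =
+{ device = "zroot/safe/root";
+fsType = "zfs";
+};
+
+fileSystems."/var/cache/restic-backups-tardis" =
+{ device = "zroot/safe/restic-cache";
+fsType = "zfs";
+};
+
+fileSystems."/tmp" =
+{ device = "zroot/local/tmp";
+fsType = "zfs";
+};
+
+fileSystems."/persist/data" =
+{ device = "dpool/safe/data";
+fsType = "zfs";
+};
+
+fileSystems."/var/lib/docker" =
+{ device = "zroot/local/docker";
+fsType = "zfs";
+};
+
+swapDevices = [ ];
+
+}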
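--- a/hosts/parsons/lxc.nix
+++ b/hosts/parsons/lxc.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+networking.bridges.lxcbr0.interfaces = [];
+networking.interfaces.lxcbr0.ipv4.addresses = [
+{
+address = "10.1.2.1";
+prefixLength = 24;
+}
+];
+networking.nat.internalInterfaces = [ "lxcbr0" ];
+
+virtualisation.lxc.enable = true;
+virtualisation.lxc.systemConfig = ''
+lxc.bdev.zfs.root = zroot/safe/containers/lxc
+lxc.lxcpath = /persist/lxc
+'';
+
+users.users.root.subUidRanges = [{ count = 65536; startUid = 100000; }];
+users.users.root.subGidRanges = [{ count = 65536; startGid = 100000; }];
+
+environment.etc."lxc/share".source = "${pkgs.lxc}/share/lxc";
+
+
+services.nginx.virtualHosts."onlyoffice.infra4future.de" = {
+locations."/".proxyPass = "http://10.1.2.233:80";
+enableACME = true;
+forceSSL = true;
+};
+
+services.nginx.virtualHosts."auth.infra4future.de" = {
+locations."/".proxyPass = "http://10.1.2.104:8080";
+enableACME = true;
+forceSSL = true;
+};
+}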
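Review bot: The two `proxyPass` targets `http://10.1.2.233:80` and `http://10.1.2.104:8080` are fixed addresses on `lxcbr0`, but nothing in this file assigns them (no DHCP server or per-container address is configured here), so the container-to-address mapping lives outside the repository; a comment naming the container and how its address is pinned, e.g. `# onlyoffice container; static address set in its config under /persist/lxc -- confirm`, would make each vhost auditable. `networking.nat.internalInterfaces = [ "lxcbr0" ];` merges with the `["ve-+"]` list in configuration.nix rather than replacing it, which is presumably intended but worth stating in a comment. Both vhosts terminate TLS here and forward plain HTTP across the bridge, so the bridge is the trust boundary, and `auth.infra4future.de` in particular relies on `recommendedProxySettings` from configuration.nix for its `X-Forwarded-*` headers; a note to that effect would save the next reader from checking.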
|
@ -16,8 +16,6 @@ let
|
||||||
[ { ServiceSettings.SiteURL = cfg.siteUrl;
|
[ { ServiceSettings.SiteURL = cfg.siteUrl;
|
||||||
ServiceSettings.ListenAddress = cfg.listenAddress;
|
ServiceSettings.ListenAddress = cfg.listenAddress;
|
||||||
TeamSettings.SiteName = cfg.siteName;
|
TeamSettings.SiteName = cfg.siteName;
|
||||||
SqlSettings.DriverName = "postgres";
|
|
||||||
SqlSettings.DataSource = database;
|
|
||||||
}
|
}
|
||||||
cfg.extraConfig
|
cfg.extraConfig
|
||||||
];
|
];
|
||||||
|
|
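Review bot: Dropping `SqlSettings.DriverName` and `SqlSettings.DataSource = database;` from the config list leaves no visible replacement in this hunk, so it is unclear where Mattermost now gets its database connection; if it moved into `cfg.extraConfig`, note that values there end up in the world-readable Nix store, where a DSN carrying a password does not belong. If the `database` binding in the enclosing `let` (which starts outside the hunk) still exists, it is now unused and should be removed, with a short comment at this spot saying where the data source is supplied instead.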
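--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -0,0 +1,746 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.services.nextcloud-patched;
+fpm = config.services.phpfpm.pools.nextcloud;
+
+phpPackage =
+let
+base = pkgs.php74;
+in
+base.buildEnv {
+extensions = { enabled, all }: with all;
+enabled ++ [
+apcu redis memcached imagick
+];
+extraConfig = phpOptionsStr;
+};
+
+toKeyValue = generators.toKeyValue {
+mkKeyValue = generators.mkKeyValueDefault {} " = ";
+};
+
+phpOptions = {
+upload_max_filesize = cfg.maxUploadSize;
+post_max_size = cfg.maxUploadSize;
+memory_limit = cfg.maxUploadSize;
+} // cfg.phpOptions
+// optionalAttrs cfg.caching.apcu {
+"apc.enable_cli" = "1";
+};
+phpOptionsStr = toKeyValue phpOptions;
+
+occ = pkgs.writeScriptBin "nextcloud-occ" ''
+#! ${pkgs.runtimeShell}
+cd ${cfg.package}
+sudo=exec
+if [[ "$USER" != nextcloud ]]; then
+sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
+fi
+export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config"
+$sudo \
+${phpPackage}/bin/php \
+occ $*
+'';
+
+inherit (config.system) stateVersion;
+
+in {
+
+imports = [
+(mkRemovedOptionModule [ "services" "nextcloud-patched" "nginx" "enable" ] ''
+The nextcloud module supports `nginx` as reverse-proxy by default and doesn't
+support other reverse-proxies officially.
+
+However it's possible to use an alternative reverse-proxy by
+
+* disabling nginx
+* setting `listen.owner` & `listen.group` in the phpfpm-pool to a different value
+
+Further details about this can be found in the `Nextcloud`-section of the NixOS-manual
+(which can be openend e.g. by running `nixos-help`).
+'')
+];
+
+options.services.nextcloud-patched = {
+enable = mkEnableOption "nextcloud";
+hostName = mkOption {
+type = types.str;
+description = "FQDN for the nextcloud instance.";
+};
+home = mkOption {
+type = types.str;
+default = "/var/lib/nextcloud";
+description = "Storage path of nextcloud.";
+};
+logLevel = mkOption {
+type = types.ints.between 0 4;
+default = 2;
+description = "Log level value between 0 (DEBUG) and 4 (FATAL).";
+};
+https = mkOption {
+type = types.bool;
+default = false;
+description = "Use https for generated links.";
+};
+package = mkOption {
+type = types.package;
+description = "Which package to use for the Nextcloud instance.";
+relatedPackages = [ "nextcloud18" "nextcloud19" "nextcloud20" "nextcloud21" ];
+};
+
+maxUploadSize = mkOption {
+default = "512M";
+type = types.str;
+description = ''
+Defines the upload limit for files. This changes the relevant options
+in php.ini and nginx if enabled.
+'';
+};
+
+skeletonDirectory = mkOption {
+default = "";
+type = types.str;
+description = ''
+The directory where the skeleton files are located. These files will be
+copied to the data directory of new users. Leave empty to not copy any
+skeleton files.
+'';
+};
+
+webfinger = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Enable this option if you plan on using the webfinger plugin.
+The appropriate nginx rewrite rules will be added to your configuration.
+'';
+};
+
+phpOptions = mkOption {
+type = types.attrsOf types.str;
+default = {
+short_open_tag = "Off";
+expose_php = "Off";
+error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
+display_errors = "stderr";
+"opcache.enable_cli" = "1";
+"opcache.interned_strings_buffer" = "8";
+"opcache.max_accelerated_files" = "10000";
+"opcache.memory_consumption" = "128";
+"opcache.revalidate_freq" = "1";
+"opcache.fast_shutdown" = "1";
+"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+catch_workers_output = "yes";
+};
+description = ''
+Options for PHP's php.ini file for nextcloud.
+'';
+};
+
+poolSettings = mkOption {
+type = with types; attrsOf (oneOf [ str int bool ]);
+default = {
+"pm" = "dynamic";
+"pm.max_children" = "32";
+"pm.start_servers" = "2";
+"pm.min_spare_servers" = "2";
+"pm.max_spare_servers" = "4";
+"pm.max_requests" = "500";
+};
+description = ''
+Options for nextcloud's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
+'';
+};
+
+poolConfig = mkOption {
+type = types.nullOr types.lines;
+default = null;
+description = ''
+Options for nextcloud's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
+'';
+};
+
+config = {
+dbtype = mkOption {
+type = types.enum [ "sqlite" "pgsql" "mysql" ];
+default = "sqlite";
+description = "Database type.";
+};
+dbname = mkOption {
+type = types.nullOr types.str;
+default = "nextcloud";
+description = "Database name.";
+};
+dbuser = mkOption {
+type = types.nullOr types.str;
+default = "nextcloud";
+description = "Database user.";
+};
+dbpass = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = ''
+Database password. Use <literal>dbpassFile</literal> to avoid this
+being world-readable in the <literal>/nix/store</literal>.
+'';
+};
+dbpassFile = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = ''
+The full path to a file that contains the database password.
+'';
+};
+dbhost = mkOption {
+type = types.nullOr types.str;
+default = "localhost";
+description = ''
+Database host.
+
+Note: for using Unix authentication with PostgreSQL, this should be
+set to <literal>/run/postgresql</literal>.
+'';
+};
+dbport = mkOption {
+type = with types; nullOr (either int str);
+default = null;
+description = "Database port.";
+};
+dbtableprefix = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = "Table prefix in Nextcloud database.";
+};
+adminuser = mkOption {
+type = types.str;
+default = "root";
+description = "Admin username.";
+};
+adminpass = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = ''
+Admin password. Use <literal>adminpassFile</literal> to avoid this
+being world-readable in the <literal>/nix/store</literal>.
+'';
+};
+adminpassFile = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = ''
+The full path to a file that contains the admin's password. Must be
+readable by user <literal>nextcloud</literal>.
+'';
+};
+
+extraTrustedDomains = mkOption {
+type = types.listOf types.str;
+default = [];
+description = ''
+Trusted domains, from which the nextcloud installation will be
+acessible. You don't need to add
+<literal>services.nextcloud.hostname</literal> here.
+'';
+};
+
+trustedProxies = mkOption {
+type = types.listOf types.str;
+default = [];
+description = ''
+Trusted proxies, to provide if the nextcloud installation is being
+proxied to secure against e.g. spoofing.
+'';
+};
+
+overwriteProtocol = mkOption {
+type = types.nullOr (types.enum [ "http" "https" ]);
+default = null;
+example = "https";
+
+description = ''
+Force Nextcloud to always use HTTPS i.e. for link generation. Nextcloud
+uses the currently used protocol by default, but when behind a reverse-proxy,
+it may use <literal>http</literal> for everything although Nextcloud
+may be served via HTTPS.
+'';
+};
+
+defaultPhoneRegion = mkOption {
+default = null;
+type = types.nullOr types.str;
+example = "DE";
+description = ''
+<warning>
+<para>This option exists since Nextcloud 21! If older versions are used,
+this will throw an eval-error!</para>
+</warning>
+
+<link xlink:href="https://www.iso.org/iso-3166-country-codes.html">ISO 3611-1</link>
+country codes for automatic phone-number detection without a country code.
+
+With e.g. <literal>DE</literal> set, the <literal>+49</literal> can be omitted for
+phone-numbers.
+'';
+};
+};
+
+caching = {
+apcu = mkOption {
+type = types.bool;
+default = true;
+description = ''
+Whether to load the APCu module into PHP.
+'';
+};
+redis = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to load the Redis module into PHP.
+You still need to enable Redis in your config.php.
+See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
+'';
+};
+memcached = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to load the Memcached module into PHP.
+You still need to enable Memcached in your config.php.
+See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
+'';
+};
+};
+autoUpdateApps = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Run regular auto update of all apps installed from the nextcloud app store.
+'';
+};
+startAt = mkOption {
+type = with types; either str (listOf str);
+default = "05:00:00";
+example = "Sun 14:00:00";
+description = ''
+When to run the update. See `systemd.services.<name>.startAt`.
+'';
+};
+};
+occ = mkOption {
+type = types.package;
+default = occ;
+internal = true;
+description = ''
+The nextcloud-occ program preconfigured to target this Nextcloud instance.
+'';
+};
+
+extraOptions = mkOption {
+type = types.attrs;
+default = "";
+description = ''
+Extra options which should be appended to nextcloud's config.php file
+'';
+};
+
+secretFile = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = ''
+Secret options which will be appended to nextcloud's config.php file (written in JSON, in the same
+form as the `extraOptions` option).
+'';
+};
+};
+
+config = mkIf cfg.enable (mkMerge [
+{ assertions = let acfg = cfg.config; in [
+{ assertion = !(acfg.dbpass != null && acfg.dbpassFile != null);
+message = "Please specify no more than one of dbpass or dbpassFile";
+}
+{ assertion = ((acfg.adminpass != null || acfg.adminpassFile != null)
+&& !(acfg.adminpass != null && acfg.adminpassFile != null));
+message = "Please specify exactly one of adminpass or adminpassFile";
+}
+{ assertion = versionOlder cfg.package.version "21" -> cfg.config.defaultPhoneRegion == null;
+message = "The `defaultPhoneRegion'-setting is only supported for Nextcloud >=21!";
+}
+];
+
+warnings = []
+++ (optional (cfg.poolConfig != null) ''
+Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
+Please migrate your configuration to config.services.nextcloud.poolSettings.
+'')
+++ (optional (versionOlder cfg.package.version "18") ''
+A legacy Nextcloud install (from before NixOS 20.03) may be installed.
+
+You're currently deploying an older version of Nextcloud. This may be needed
+since Nextcloud doesn't allow major version upgrades that skip multiple
+versions (i.e. an upgrade from 16 is possible to 17, but not 16 to 18).
+
+It is assumed that Nextcloud will be upgraded from version 16 to 17.
+
+* If this is a fresh install, there will be no upgrade to do now.
+
+* If this server already had Nextcloud installed, first deploy this to your
+server, and wait until the upgrade to 17 is finished.
+
+Then, set `services.nextcloud.package` to `pkgs.nextcloud18` to upgrade to
+Nextcloud version 18. Please note that Nextcloud 19 is already out and it's
+recommended to upgrade to nextcloud19 after that.
+'')
+++ (optional (versionOlder cfg.package.version "19") ''
+A legacy Nextcloud install (from before NixOS 20.09) may be installed.
+
+If/After nextcloud18 is installed successfully, you can safely upgrade to
+nextcloud19. If not, please upgrade to nextcloud18 first since Nextcloud doesn't
+support upgrades that skip multiple versions (i.e. an upgrade from 17 to 19 isn't
+possible, but an upgrade from 18 to 19).
+'')
+++ (optional (versionOlder cfg.package.version "21") ''
+The latest Nextcloud release is v21 which can be installed by setting
+`services.nextcloud.package` to `pkgs.nextcloud21`. Please note that if you're
+on `pkgs.nextcloud19`, you'll have to install `pkgs.nextcloud20` first.
+'');
+
+services.nextcloud-patched.package = with pkgs;
+mkDefault (
+if pkgs ? nextcloud
+then throw ''
+The `pkgs.nextcloud`-attribute has been removed. If it's supposed to be the default
+nextcloud defined in an overlay, please set `services.nextcloud.package` to
+`pkgs.nextcloud`.
+''
+else if versionOlder stateVersion "20.03" then nextcloud17
+else if versionOlder stateVersion "20.09" then nextcloud18
+else nextcloud19
+);
+}
+
+{ systemd.timers.nextcloud-cron = {
+wantedBy = [ "timers.target" ];
+timerConfig.OnBootSec = "5m";
+timerConfig.OnUnitActiveSec = "15m";
+timerConfig.Unit = "nextcloud-cron.service";
+};
+
+systemd.services = {
+# When upgrading the Nextcloud package, Nextcloud can report errors such as
+# "The files of the app [all apps in /var/lib/nextcloud/apps] were not replaced correctly"
+# Restarting phpfpm on Nextcloud package update fixes these issues (but this is a workaround).
+phpfpm-nextcloud.restartTriggers = [ cfg.package ];
+
+nextcloud-setup = let
+c = cfg.config;
+writePhpArrary = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]";
+overrideConfig = pkgs.writeText "nextcloud-config.php" ''
+<?php
+${optionalString (c.dbpassFile != null) ''
+function nix_read_pwd() {
+$file = "${c.dbpassFile}";
+if (!file_exists($file)) {
+throw new \RuntimeException(sprintf(
+"Cannot start Nextcloud, dbpass file %s set by NixOS doesn't exist!",
+$file
+));
+}
+
+return trim(file_get_contents($file));
+}
+''}
+${optionalString (cfg.secretFile != null) ''
+function nix_read_secrets() {
+$file = "${cfg.secretFile}";
+if (!file_exists($file)) {
+throw new \RuntimeException(sprintf(
+"Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!",
+$file
+));
+}
+
+return json_decode(file_get_contents($file));
+}
+''}
+$CONFIG = [
+'apps_paths' => [
+[ 'path' => '${cfg.home}/apps', 'url' => '/apps', 'writable' => false ],
+[ 'path' => '${cfg.home}/store-apps', 'url' => '/store-apps', 'writable' => true ],
+],
+'datadirectory' => '${cfg.home}/data',
+'skeletondirectory' => '${cfg.skeletonDirectory}',
+${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"}
+'log_type' => 'syslog',
+'log_level' => '${builtins.toString cfg.logLevel}',
+${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"}
+${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"}
+${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"}
+${optionalString (c.dbport != null) "'dbport' => '${toString c.dbport}',"}
+${optionalString (c.dbuser != null) "'dbuser' => '${c.dbuser}',"}
+${optionalString (c.dbtableprefix != null) "'dbtableprefix' => '${toString c.dbtableprefix}',"}
+${optionalString (c.dbpass != null) "'dbpassword' => '${c.dbpass}',"}
+${optionalString (c.dbpassFile != null) "'dbpassword' => nix_read_pwd(),"}
+'dbtype' => '${c.dbtype}',
+'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)},
+'trusted_proxies' => ${writePhpArrary (c.trustedProxies)},
+${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"}
+];
+
+$EXTRACONFIG = json_decode('${builtins.toJSON cfg.extraOptions}', true);
+
+array_push($CONFIG, $EXTRACONFIG);
+${optionalString (cfg.secretFile != null) "array_push($CONFIG, nix_read_secrets());"}
+'';
+occInstallCmd = let
+dbpass = if c.dbpassFile != null
+then ''"$(<"${toString c.dbpassFile}")"''
+else if c.dbpass != null
+then ''"${toString c.dbpass}"''
+else ''""'';
+adminpass = if c.adminpassFile != null
+then ''"$(<"${toString c.adminpassFile}")"''
+else ''"${toString c.adminpass}"'';
+installFlags = concatStringsSep " \\\n "
+(mapAttrsToList (k: v: "${k} ${toString v}") {
+"--database" = ''"${c.dbtype}"'';
+# The following attributes are optional depending on the type of
+# database. Those that evaluate to null on the left hand side
+# will be omitted.
+${if c.dbname != null then "--database-name" else null} = ''"${c.dbname}"'';
+${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"'';
+${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"'';
+${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"'';
+"--database-pass" = dbpass;
+${if c.dbtableprefix != null
+then "--database-table-prefix" else null} = ''"${toString c.dbtableprefix}"'';
+"--admin-user" = ''"${c.adminuser}"'';
+"--admin-pass" = adminpass;
+"--data-dir" = ''"${cfg.home}/data"'';
+});
+in ''
+${occ}/bin/nextcloud-occ maintenance:install \
+${installFlags}
+'';
+occSetTrustedDomainsCmd = concatStringsSep "\n" (imap0
+(i: v: ''
+${occ}/bin/nextcloud-occ config:system:set trusted_domains \
+${toString i} --value="${toString v}"
+'') ([ cfg.hostName ] ++ cfg.config.extraTrustedDomains));
+
+in {
+wantedBy = [ "multi-user.target" ];
+before = [ "phpfpm-nextcloud.service" ];
+path = [ occ ];
+script = ''
+chmod og+x ${cfg.home}
+
+${optionalString (c.dbpassFile != null) ''
+if [ ! -r "${c.dbpassFile}" ]; then
+echo "dbpassFile ${c.dbpassFile} is not readable by nextcloud:nextcloud! Aborting..."
+exit 1
+fi
+if [ -z "$(<${c.dbpassFile})" ]; then
+echo "dbpassFile ${c.dbpassFile} is empty!"
+exit 1
+fi
+''}
+${optionalString (c.adminpassFile != null) ''
+if [ ! -r "${c.adminpassFile}" ]; then
+echo "adminpassFile ${c.adminpassFile} is not readable by nextcloud:nextcloud! Aborting..."
+exit 1
+fi
+if [ -z "$(<${c.adminpassFile})" ]; then
+echo "adminpassFile ${c.adminpassFile} is empty!"
+exit 1
+fi
+''}
+
+ln -sf ${cfg.package}/apps ${cfg.home}/
+
+# create nextcloud directories.
+# if the directories exist already with wrong permissions, we fix that
+for dir in ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps; do
+if [ ! -e $dir ]; then
+install -o nextcloud -g nextcloud -d $dir
+elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then
+chgrp -R nextcloud $dir
+fi
+done
+
+ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
+
+# Do not install if already installed
+if [[ ! -e ${cfg.home}/config/config.php ]]; then
+${occInstallCmd}
+fi
+
+${occ}/bin/nextcloud-occ upgrade
+
+${occ}/bin/nextcloud-occ config:system:delete trusted_domains
+${occSetTrustedDomainsCmd}
+'';
+serviceConfig.Type = "oneshot";
+serviceConfig.User = "nextcloud";
+};
+nextcloud-cron = {
+environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
+serviceConfig.Type = "oneshot";
+serviceConfig.User = "nextcloud";
+serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php";
+};
+nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable {
+serviceConfig.Type = "oneshot";
+serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all";
+serviceConfig.User = "nextcloud";
+startAt = cfg.autoUpdateApps.startAt;
+};
+};
+
+services.phpfpm = {
+pools.nextcloud = {
+user = "nextcloud";
+group = "nextcloud";
+phpOptions = phpOptionsStr;
+phpPackage = phpPackage;
+phpEnv = {
+NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
+PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
+};
+settings = mapAttrs (name: mkDefault) {
+"listen.owner" = config.services.nginx.user;
+"listen.group" = config.services.nginx.group;
+} // cfg.poolSettings;
+extraConfig = cfg.poolConfig;
+};
+};
+
+users.users.nextcloud = {
+home = "${cfg.home}";
+group = "nextcloud";
+createHome = true;
+isSystemUser = true;
+};
+users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];
+
+environment.systemPackages = [ occ ];
+
+services.nginx.enable = mkDefault true;
+
+services.nginx.virtualHosts.${cfg.hostName} = let
+major = toInt (versions.major cfg.package.version);
+in {
+root = cfg.package;
+locations = {
+"= /robots.txt" = {
+priority = 100;
+extraConfig = ''
+allow all;
+log_not_found off;
+access_log off;
+'';
+};
+"= /" = {
+priority = 100;
+extraConfig = ''
+if ( $http_user_agent ~ ^DavClnt ) {
+return 302 /remote.php/webdav/$is_args$args;
+}
+'';
+};
+"/" = {
+priority = 900;
+extraConfig = "rewrite ^ /index.php;";
+};
+"~ ^/store-apps" = {
+priority = 201;
+extraConfig = "root ${cfg.home};";
+};
+"^~ /.well-known" = {
+priority = 210;
+extraConfig = ''
+absolute_redirect off;
+location = /.well-known/carddav {
+return 301 /remote.php/dav;
+}
+location = /.well-known/caldav {
+return 301 /remote.php/dav;
+}
+location ~ ^/\.well-known/(?!acme-challenge|pki-validation) {
+return 301 /index.php$request_uri;
+}
+try_files $uri $uri/ =404;
+'';
+};
+"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = ''
+return 404;
+'';
+"~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = ''
+return 404;
+'';
+"~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = {
+priority = 500;
+extraConfig = ''
+include ${config.services.nginx.package}/conf/fastcgi.conf;
+fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;
+set $path_info $fastcgi_path_info;
+try_files $fastcgi_script_name =404;
+fastcgi_param PATH_INFO $path_info;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
+fastcgi_param modHeadersAvailable true;
+fastcgi_param front_controller_active true;
+fastcgi_pass unix:${fpm.socket};
+fastcgi_intercept_errors on;
+fastcgi_request_buffering off;
+fastcgi_read_timeout 120s;
+'';
+};
+"~ \\.(?:css|js|woff2?|svg|gif|map)$".extraConfig = ''
+try_files $uri /index.php$request_uri;
+expires 6M;
+access_log off;
+'';
+"~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
+try_files $uri/ =404;
+index index.php;
+'';
+"~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
+try_files $uri /index.php$request_uri;
+access_log off;
+'';
+};
+extraConfig = ''
+index index.php index.html /index.php$request_uri;
+expires 1m;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+add_header X-Download-Options noopen;
+add_header X-Permitted-Cross-Domain-Policies none;
+add_header X-Frame-Options sameorigin;
+add_header Referrer-Policy no-referrer;
+add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+client_max_body_size ${cfg.maxUploadSize};
+fastcgi_buffers 64 4K;
+fastcgi_hide_header X-Powered-By;
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+${optionalString cfg.webfinger ''
+rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+''}
+'';
+};
+}
+]);
+}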
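Review bot: The occ wrapper passes its arguments on as unquoted `occ $*`, so any argument containing whitespace or glob characters is re-split by the shell before it reaches occ; `occ "$@"` preserves them. Further down, in the generated override.config.php, `array_push($CONFIG, $EXTRACONFIG)` appends the extraOptions array as a single nested element under a numeric key instead of merging its keys into `$CONFIG`, and `nix_read_secrets()` is appended the same way, so these values may never be seen by Nextcloud as top-level settings — `$CONFIG = array_merge($CONFIG, $EXTRACONFIG);` is presumably what is intended, and this is worth confirming against a running instance. In the same file, `c.dbpass`, `cfg.skeletonDirectory` and `c.dbtableprefix` are interpolated into single-quoted PHP string literals without escaping, so a `'` or `\` in any of them yields an unparsable config. The `extraOptions` option also declares `type = types.attrs` but `default = ""`; `default = {};` matches the declared type. Note too that `maintenance:install` receives the admin and database passwords as command-line arguments (also when they are read from the `*File` options), where they are visible in the process list for the duration of the install.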
@ -36,14 +36,12 @@ in {
boot = {
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = mkOverride 98 true;
"net.ipv4.conf.all.forwarding" = mkOverride 90 true;
"net.ipv4.conf.default.forwarding" = mkOverride 98 true;
"net.ipv4.conf.default.forwarding" = mkOverride 90 true;
};
};
};
};
petabyte.nftables = {
networking.nftables = {
enable = true;
extraConfig = ''
extraConfig = ''
table ip nat {
table ip nat {
chain prerouting {
chain prerouting {
@ -6,15 +6,15 @@
"type": "git"
"type": "git"
},
},
"home-manager": {
"home-manager": {
"branch": "release-20.09",
"branch": "release-21.05",
"description": "Manage a user environment using Nix [maintainer=@rycee] ",
"description": "Manage a user environment using Nix [maintainer=@rycee] ",
"homepage": "https://nix-community.github.io/home-manager/",
"homepage": "https://nix-community.github.io/home-manager/",
"owner": "nix-community",
"owner": "nix-community",
"repo": "home-manager",
"repo": "home-manager",
"rev": "49706878e1580d796cc99b63574310405935113f",
"rev": "b39647e52ed3c0b989e9d5c965e598ae4c38d7ef",
"sha256": "07f903ij0czyhly8kvwjazvz3s6kflxzh5fs6j8781lkxsy47i9f",
"sha256": "0xw1vgwfdn75rgamcsi5j1iqfl0j06x8xp92k24wr9hayfr5m400",
"type": "tarball",
"type": "tarball",
"url": "https://github.com/nix-community/home-manager/archive/49706878e1580d796cc99b63574310405935113f.tar.gz",
"url": "https://github.com/nix-community/home-manager/archive/b39647e52ed3c0b989e9d5c965e598ae4c38d7ef.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
},
"mattermost-server": {
"mattermost-server": {
@ -23,19 +23,19 @@
|
||||||
"homepage": "https://mattermost.com",
|
"homepage": "https://mattermost.com",
|
||||||
"owner": "mattermost",
|
"owner": "mattermost",
|
||||||
"repo": "mattermost-server",
|
"repo": "mattermost-server",
|
||||||
"rev": "37b1e6d048fc8302c727c3bc7ce73ac32c2ba93c",
|
"rev": "868b8d91db6e8a0525a9e93c50a388625d426a4a",
|
||||||
"sha256": "1k0jn3a9nafbhvwn0d0rc2pj80mx7iz2scjbqkz96c5yzw3lyj79",
|
"sha256": "1vihpmy7253yl87arlz8y9rahk1q69blykwm3172dk1hxajr7c13",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.0.tar.gz",
|
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.1.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/refs/tags/v<version>.tar.gz",
|
"url_template": "https://github.com/<owner>/<repo>/archive/refs/tags/v<version>.tar.gz",
|
||||||
"version": "5.37.0"
|
"version": "5.37.1"
|
||||||
},
|
},
|
||||||
"mattermost-webapp": {
|
"mattermost-webapp": {
|
||||||
"sha256": "0na9drwnsr5fbrv6qq38dgvd0laj3wjs734ik5s673c0azqlm4kn",
|
"sha256": "00q1kcfda2z69ijpw71a6cbj76p5f57nj7pym44pp4cadi2wz180",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://releases.mattermost.com/5.37.0/mattermost-5.37.0-linux-amd64.tar.gz",
|
"url": "https://releases.mattermost.com/5.37.1/mattermost-5.37.1-linux-amd64.tar.gz",
|
||||||
"url_template": "https://releases.mattermost.com/<version>/mattermost-<version>-linux-amd64.tar.gz",
|
"url_template": "https://releases.mattermost.com/<version>/mattermost-<version>-linux-amd64.tar.gz",
|
||||||
"version": "5.37.0"
|
"version": "5.37.1"
|
||||||
},
|
},
|
||||||
"mumble-website": {
|
"mumble-website": {
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
|
@ -57,32 +57,34 @@
|
||||||
},
|
},
|
||||||
"nix-hexchen": {
|
"nix-hexchen": {
|
||||||
"branch": "main",
|
"branch": "main",
|
||||||
"repo": "https://gitlab.com/hexchen/nixfiles.git",
|
"ref": "main",
|
||||||
"rev": "83b511d9a3754ded187891c711b3dbbef82887d3",
|
"repo": "https://gitlab.com/hexchen/nixfiles",
|
||||||
"sha256": "1024vl0bgmcb8g91pqcqc601xh90nxp82p0z9imp11fwb1fx7756",
|
"rev": "ef358992030e9a6fa975a24bf4d9aa133bc72424",
|
||||||
|
"sha256": "01hcdrpfc8g1bbc96h7gi04zmyxi9vd7392ncadwfkx5xfd2fp17",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://gitlab.com/hexchen/nixfiles/-/archive/83b511d9a3754ded187891c711b3dbbef82887d3/nixfiles-83b511d9a3754ded187891c711b3dbbef82887d3.tar.gz",
|
"url": "https://gitlab.com/hexchen/nixfiles/-/archive/ef358992030e9a6fa975a24bf4d9aa133bc72424.tar.gz",
|
||||||
"url_template": "<repo>/-/archive/<rev>.tar.gz"
|
"url_template": "<repo>/-/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixos-mailserver": {
|
"nixos-mailserver": {
|
||||||
"ref": "nixos-20.09",
|
"branch": "nixos-21.05",
|
||||||
|
"ref": "nixos-21.05",
|
||||||
"repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver",
|
"repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver",
|
||||||
"rev": "fb1cc04c0a517d4200237b02c3472bcaf9104afb",
|
"rev": "5675b122a947b40e551438df6a623efad19fd2e7",
|
||||||
"sha256": "0vsvgxxg5cgmzwj98171j7h5l028f1yq784alb3lxgbk8znfk51y",
|
"sha256": "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/fb1cc04c0a517d4200237b02c3472bcaf9104afb/nixos-mailserver-fb1cc04c0a517d4200237b02c3472bcaf9104afb.tar.gz",
|
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7.tar.gz",
|
||||||
"url_template": "<repo>/-/archive/<rev>.tar.gz"
|
"url_template": "<repo>/-/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"branch": "nixos-20.09",
|
"branch": "nixos-21.05",
|
||||||
"description": "Nix Packages collection",
|
"description": "Nix Packages collection",
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "068984c00e0d4e54b6684d98f6ac47c92dcb642e",
|
"rev": "2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2",
|
||||||
"sha256": "00j4xv4lhhqwry7jd67brnws4pwb8vn660n43pvxpkalbpxszwfg",
|
"sha256": "1aafqly1mcqxh0r15mrlsrs4znldhm7cizsmfp3d25lqssay6gjd",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/nixos/nixpkgs/archive/068984c00e0d4e54b6684d98f6ac47c92dcb642e.tar.gz",
|
"url": "https://github.com/nixos/nixpkgs/archive/2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
|
@ -91,10 +93,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "8ecc61c91a596df7d3293603a9c2384190c1b89a",
|
"rev": "fe01052444c1d66ed6ef76df2af798c9769e9e79",
|
||||||
"sha256": "0vhajylsmipjkm5v44n2h0pglcmpvk4mkyvxp7qfvkjdxw21dyml",
|
"sha256": "0z99hwxgrvlf0psicwd97kdqqcc3qngfzmcz7k68q6q868y8582y",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/nixos/nixpkgs/archive/8ecc61c91a596df7d3293603a9c2384190c1b89a.tar.gz",
|
"url": "https://github.com/nixos/nixpkgs/archive/fe01052444c1d66ed6ef76df2af798c9769e9e79.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"pbb-nixfiles": {
|
"pbb-nixfiles": {
|
||||||
|
|
|
@ -10,14 +10,10 @@ let
|
||||||
newpkgs = {
|
newpkgs = {
|
||||||
alps = callPackage ./alps {};
|
alps = callPackage ./alps {};
|
||||||
|
|
||||||
docker = (pkgs.callPackage (pkgs.path + "/pkgs/applications/virtualization/docker") {
|
docker = pkgs.docker.overrideAttrs (super: {
|
||||||
iptables = pkgs.writeScriptBin "iptables" ''
|
moby = super.moby.overrideAttrs (super: {
|
||||||
#!${pkgs.runtimeShell}
|
extraPath = super.extraPath + ":${pkgs.zfs}/bin";
|
||||||
echo docker tried to run the following iptables command: $@
|
});
|
||||||
exit 0
|
|
||||||
'';
|
|
||||||
}).docker_19_03.overrideAttrs (super: {
|
|
||||||
extraPath = super.extraPath + ":${pkgs.zfs}/bin";
|
|
||||||
});
|
});
|
||||||
|
|
||||||
linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
|
linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
|
||||||
|
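Review bot: Whether `moby = super.moby.overrideAttrs (...)` actually reaches the build depends on how the pinned nixpkgs docker derivation refers to moby; if the install phase interpolates it as `${moby}` rather than reading the attribute at build time, the outer `overrideAttrs` only adds an attribute nobody consumes and the zfs tools silently never land on dockerd's PATH, which is the one thing the old `docker_19_03` override guaranteed. Worth checking the built result, e.g. that the `dockerd` wrapper PATH contains `zfs`, before relying on it. The nested `super` in `(super: { moby = super.moby.overrideAttrs (super: { ... }) })` shadows the outer one; naming the inner parameter `mobySuper` keeps both readable.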
@ -41,6 +37,26 @@ let
|
||||||
});
|
});
|
||||||
|
|
||||||
mattermost = callPackage ./mattermost {};
|
mattermost = callPackage ./mattermost {};
|
||||||
|
|
||||||
|
# a version of the lounge with some extra css that
|
||||||
|
# hides things the hacc-voc doesn't need
|
||||||
|
thelounge-hacked = pkgs.stdenv.mkDerivation {
|
||||||
|
name = "thelounge-hacked";
|
||||||
|
src = pkgs.thelounge;
|
||||||
|
|
||||||
|
phases = [ "buildPhase" "installPhase" ];
|
||||||
|
buildPhase = ''
|
||||||
|
cp $src/* -r .
|
||||||
|
chmod 777 lib/node_modules/thelounge/public/css/style.css
|
||||||
|
cat ${./thelounge/css-patch.css} >> lib/node_modules/thelounge/public/css/style.css
|
||||||
|
'';
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out
|
||||||
|
cp * -r $out
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
inherit (unstable) bottom;
|
inherit (unstable) bottom;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
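Review bot: `chmod 777 lib/node_modules/thelounge/public/css/style.css` grants far more than the build needs — only the owner write bit is required to append the patch, so `chmod u+w lib/node_modules/thelounge/public/css/style.css` states the intent (the store normalises modes on install, so 777 never survives, but it reads as if world-writable files were wanted). `phases = [ "buildPhase" "installPhase" ]` also skips the fixup phase; that is reasonable for copying an already-built `pkgs.thelounge`, but a comment such as `# src is an already-built package: copy, append the css patch, no unpack/fixup needed` would spare the next reader the question. The derivation carries no `version`, so the store path gives no hint which thelounge release it wraps.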
24
pkgs/thelounge/css-patch.css
Normal file
24
pkgs/thelounge/css-patch.css
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
|
||||||
|
/* Hides extra fields on connect screen */
|
||||||
|
.connect-row:nth-of-type(4) {
|
||||||
|
display: none !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
.connect-row:nth-of-type(2) {
|
||||||
|
display: none !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
.connect-row:nth-of-type(5) {
|
||||||
|
display: none !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* Hides side panel button */
|
||||||
|
.header > button:first-child {
|
||||||
|
display: none !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Hides channel options button (includes leave option) */
|
||||||
|
.header > button:nth-last-child(2) {
|
||||||
|
display: none !important;
|
||||||
|
}
|
|
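Review bot: These rules only hide the connect-screen rows and the channel-options button visually; `display: none !important` is undone from any browser's developer tools, so whatever those controls expose (leaving channels, editing connection settings) stays reachable to every user. If the goal is to restrict what the hacc-voc users can do, that has to come from The Lounge's server configuration (it has a `lockNetwork` option for the connection settings) rather than from CSS. A first line such as `/* cosmetic only: hides controls, does not restrict them - see server config */` would make that explicit for whoever maintains this file.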
@ -6,14 +6,14 @@
|
||||||
concurrent = 4;
|
concurrent = 4;
|
||||||
services = {
|
services = {
|
||||||
infra4future = {
|
infra4future = {
|
||||||
buildsDir = "/var/lib/gitlab-runner/builds";
|
buildsDir = "/persist/var/lib/gitlab-runner/builds";
|
||||||
dockerImage = "nixos/nix";
|
dockerImage = "nixos/nix";
|
||||||
executor = "docker";
|
executor = "docker";
|
||||||
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
|
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
|
||||||
};
|
};
|
||||||
nix = {
|
nix = {
|
||||||
limit = 1; # don't run multiple jobs
|
limit = 1; # don't run multiple jobs
|
||||||
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
|
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
|
||||||
dockerImage = "alpine";
|
dockerImage = "alpine";
|
||||||
dockerVolumes = [
|
dockerVolumes = [
|
||||||
"/nix/store:/nix/store:ro"
|
"/nix/store:/nix/store:ro"
|
||||||
|
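Review bot: `registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env"` moves the runner registration token into the same tree as `buildsDir`, which is what the docker executor exposes to job containers; the env file is a sibling of `builds` rather than inside it, so it is presumably not mounted, but that now depends on nothing in a job ever mounting the parent directory. Because `/persist` is managed outside this module, the file's owner and mode are not declared anywhere here; a comment such as `# registration token - keep root:root 0600, this tree is also the runner's home` next to the new line would record the requirement. The mount behaviour of the docker executor is inferred, not visible in this hunk.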
@ -54,7 +54,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.gitlab-runner = {
|
users.users.gitlab-runner = {
|
||||||
home = "/var/lib/gitlab-runner";
|
home = "/persist/var/lib/gitlab-runner";
|
||||||
extraGroups = [ "docker" ];
|
extraGroups = [ "docker" ];
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
168
services/gitlab.nix
Normal file
168
services/gitlab.nix
Normal file
|
@ -0,0 +1,168 @@
|
||||||
|
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
|
||||||
|
|
||||||
|
{
|
||||||
|
containers.gitlab = {
|
||||||
|
autoStart = true;
|
||||||
|
privateNetwork = true;
|
||||||
|
hostAddress = "192.168.100.1";
|
||||||
|
localAddress = "192.168.100.7";
|
||||||
|
|
||||||
|
bindMounts = {
|
||||||
|
"/persist" = {
|
||||||
|
hostPath = "/persist/containers/gitlab";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||||
|
boot.isContainer = true;
|
||||||
|
networking.useDHCP = false;
|
||||||
|
users.users.root.hashedPassword = "";
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
../modules/mattermost.nix
|
||||||
|
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||||
|
];
|
||||||
|
|
||||||
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
networking.firewall.enable = false;
|
||||||
|
networking.defaultGateway = {
|
||||||
|
address = "192.168.100.1";
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.gitlab = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
databaseCreateLocally = true;
|
||||||
|
|
||||||
|
host = "gitlab.infra4future.de";
|
||||||
|
https = true;
|
||||||
|
port = 443;
|
||||||
|
|
||||||
|
statePath = "/persist/gitlab";
|
||||||
|
user = "git";
|
||||||
|
databaseUsername = "git";
|
||||||
|
|
||||||
|
initialRootPasswordFile = "/persist/secrets/gitlab-root";
|
||||||
|
secrets.secretFile = "/persist/secrets/gitlab-secret";
|
||||||
|
secrets.dbFile = "/persist/secrets/gitlab-db";
|
||||||
|
secrets.otpFile = "/persist/secrets/gitlab-otp";
|
||||||
|
secrets.jwsFile = "/persist/secrets/gitlab-jws";
|
||||||
|
|
||||||
|
smtp = {
|
||||||
|
enable = true;
|
||||||
|
address = "mail.hacc.space";
|
||||||
|
port = 587;
|
||||||
|
authentication = "plain";
|
||||||
|
domain = "gitlab.infra4future.de";
|
||||||
|
enableStartTLSAuto = true;
|
||||||
|
username = "noreply@infra4future.de";
|
||||||
|
passwordFile = "/persist/secrets/noreply-pass";
|
||||||
|
};
|
||||||
|
|
||||||
|
pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
|
||||||
|
extraConfig = {
|
||||||
|
pages = {
|
||||||
|
enabled = true;
|
||||||
|
host = "4future.dev";
|
||||||
|
port = 443;
|
||||||
|
https = true;
|
||||||
|
};
|
||||||
|
omniauth = {
|
||||||
|
enabled = true;
|
||||||
|
auto_sign_in_with_provider = "openid_connect";
|
||||||
|
allow_single_sign_on = ["openid_connect"];
|
||||||
|
block_auto_created_users = false;
|
||||||
|
providers = [
|
||||||
|
{
|
||||||
|
name = "openid_connect";
|
||||||
|
label = "infra4future Login";
|
||||||
|
args = {
|
||||||
|
name = "openid_connect";
|
||||||
|
scope = ["openid" "profile" "email"];
|
||||||
|
response_type = "code";
|
||||||
|
issuer = "https://auth.infra4future.de/auth/realms/forfuture";
|
||||||
|
discovery = true;
|
||||||
|
client_auth_method = "query";
|
||||||
|
uid_field = "username";
|
||||||
|
client_options = {
|
||||||
|
identifier = "gitlab";
|
||||||
|
secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
|
||||||
|
redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.redis.enable = true;
|
||||||
|
services.postgresql.package = pkgs.postgresql_13;
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
virtualHosts."gitlab.infra4future.de" = {
|
||||||
|
default = true;
|
||||||
|
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||||
|
locations."/".extraConfig = ''
|
||||||
|
proxy_redirect off;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.openssh.enable = true;
|
||||||
|
services.openssh.passwordAuthentication = false;
|
||||||
|
|
||||||
|
users.users.git = {
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "gitlab";
|
||||||
|
home = "/persist/gitlab/home";
|
||||||
|
uid = 165;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.coredns = {
|
||||||
|
enable = true;
|
||||||
|
config = ''
|
||||||
|
.:53 {
|
||||||
|
forward . 1.1.1.1
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
})).config.system.build.toplevel;
|
||||||
|
};
|
||||||
|
|
||||||
|
hexchen.nftables.nat.forwardPorts = [{
|
||||||
|
ports = [ 22 ];
|
||||||
|
destination = "${config.containers.gitlab.localAddress}:22";
|
||||||
|
proto = "tcp";
|
||||||
|
}];
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."gitlab.infra4future.de" = {
|
||||||
|
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
|
||||||
|
locations."/".extraConfig = ''
|
||||||
|
proxy_set_header X-Nginx-Proxy true;
|
||||||
|
proxy_redirect off;
|
||||||
|
'';
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."4future.dev" = {
|
||||||
|
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
|
||||||
|
serverName = "~^((.*)\.)?4future\.dev$";
|
||||||
|
useACMEHost = "4future.dev";
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
security.acme.certs."4future.dev" = {
|
||||||
|
dnsProvider = "cloudflare";
|
||||||
|
credentialsFile = "/var/lib/acme/cloudflare.pass";
|
||||||
|
extraDomainNames = [ "*.4future.dev" ];
|
||||||
|
group = config.services.nginx.group;
|
||||||
|
};
|
||||||
|
}
|
|
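Review bot: `users.users.root.hashedPassword = "";` in the container config sets an empty password hash for root, which lets anyone with access to the container console (`nixos-container login`, `machinectl`) log in as root without a password; the same line is repeated in the pad-hacc, pad-i4f, lantifa and mattermost hunks. SSH is unaffected because of `services.openssh.passwordAuthentication = false`, and `nixos-container root-login` already gives a root shell, so `users.users.root.hashedPassword = "!";` (locked) loses nothing. The container also imports `../modules/mattermost.nix`, as do the pad-hacc and pad-i4f containers, which reads as a copy-paste from the mattermost container and pulls an unrelated module into the GitLab evaluation. `credentialsFile = "/var/lib/acme/cloudflare.pass"` is the one secret in this commit that does not live under `/persist`; if the host root is as ephemeral as the containers', the Cloudflare token is gone after a reboot and the `*.4future.dev` renewal starts failing — worth confirming. Forwarding port 22 to the container via `hexchen.nftables.nat.forwardPorts` also shadows the host's own sshd on 22 unless it listens elsewhere, which is not visible here.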
@ -1,13 +1,33 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
containers.codimd = {
|
containers.pad-hacc = {
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "192.168.100.1";
|
hostAddress = "192.168.100.1";
|
||||||
localAddress = "192.168.100.3";
|
localAddress = "192.168.100.5";
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
config = { config, lib, pkgs, ... }: {
|
bindMounts = {
|
||||||
|
"/persist" = {
|
||||||
|
hostPath = "/persist/containers/pad-hacc";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||||
|
boot.isContainer = true;
|
||||||
|
networking.useDHCP = false;
|
||||||
|
users.users.root.hashedPassword = "";
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
../modules/mattermost.nix
|
||||||
|
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||||
|
];
|
||||||
|
|
||||||
|
nixpkgs.config.allowUnfree = true;
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
|
networking.defaultGateway = {
|
||||||
|
address = "192.168.100.1";
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
services.coredns = {
|
services.coredns = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = ''
|
config = ''
|
||||||
|
@ -33,7 +53,7 @@
|
||||||
oauth2 = {
|
oauth2 = {
|
||||||
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||||
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||||
clientID = "codimd";
|
clientID = "hedgedoc";
|
||||||
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
|
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
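Review bot: `clientID = "hedgedoc"` is updated but the `clientSecret` literal on the next line stays in the module, so the OAuth client secret keeps landing in the container's world-readable nix store and remains in git history. Everywhere else this commit moves credentials to files under `/persist/secrets` (gitlab, mattermost, mail); hedgedoc's `environmentFile` option with `CMD_OAUTH2_CLIENT_SECRET=...`, if present in the pinned 21.05 module, would let this one follow, and the value should then be rotated on the Keycloak side since it is already committed. The pad-i4f service likely carries the same block, though that part is not in this hunk.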
@ -59,10 +79,10 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
databases = [ "codimd" ];
|
databases = [ "codimd" ];
|
||||||
startAt = "*-*-* 23:45:00";
|
startAt = "*-*-* 23:45:00";
|
||||||
|
location = "/persist/backups/postgres";
|
||||||
};
|
};
|
||||||
};
|
})).config.system.build.toplevel;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."pad.hacc.earth" = {
|
services.nginx.virtualHosts."pad.hacc.earth" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -73,16 +93,8 @@
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://192.168.100.3:3000";
|
proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_pass_request_headers on;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $http_connection;
|
|
||||||
add_header Access-Control-Allow-Origin "*";
|
add_header Access-Control-Allow-Origin "*";
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
'';
|
'';
|
|
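Review bot: Dropping the `proxy_set_header` lines (Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto, Upgrade, Connection) from the `pad.hacc.earth` location only works if the host nginx has `recommendedProxySettings = true`, which supplies the same headers plus the websocket upgrade map; that setting is not in this hunk, so please confirm it is set on this host. Without it hedgedoc sees `192.168.100.1` as every client's address (its logs and per-IP limits stop meaning anything) and the socket.io upgrade breaks. The pad-i4f hunk removes the same lines. The surviving `add_header Access-Control-Allow-Origin "*";` is still a wildcard CORS header on an authenticated app and deserves a second look while this block is being touched.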
@ -1,13 +1,33 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, modules, evalConfig, sources, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
containers.pad-i4f = {
|
containers.pad-i4f = {
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "192.168.100.1";
|
hostAddress = "192.168.100.1";
|
||||||
localAddress = "192.168.100.41";
|
localAddress = "192.168.100.6";
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
config = { config, lib, pkgs, ... }: {
|
bindMounts = {
|
||||||
|
"/persist" = {
|
||||||
|
hostPath = "/persist/containers/pad-i4f";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||||
|
boot.isContainer = true;
|
||||||
|
networking.useDHCP = false;
|
||||||
|
users.users.root.hashedPassword = "";
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
../modules/mattermost.nix
|
||||||
|
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||||
|
];
|
||||||
|
|
||||||
|
nixpkgs.config.allowUnfree = true;
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
|
networking.defaultGateway = {
|
||||||
|
address = "192.168.100.1";
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
services.coredns = {
|
services.coredns = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = ''
|
config = ''
|
||||||
|
@ -50,24 +70,17 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
databases = [ "hedgedoc" ];
|
databases = [ "hedgedoc" ];
|
||||||
startAt = "*-*-* 23:45:00";
|
startAt = "*-*-* 23:45:00";
|
||||||
|
location = "/persist/backups/postgres";
|
||||||
};
|
};
|
||||||
};
|
})).config.system.build.toplevel;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."pad.infra4future.de" = {
|
services.nginx.virtualHosts."pad.infra4future.de" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://192.168.100.41:3000";
|
proxyPass = "http://${config.containers.pad-i4f.localAddress}:3000";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_pass_request_headers on;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $http_connection;
|
|
||||||
add_header Access-Control-Allow-Origin "*";
|
add_header Access-Control-Allow-Origin "*";
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
'';
|
'';
|
|
@ -1,18 +1,38 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
unstable = import (import ../../../nix/sources.nix).nixpkgs-unstable {};
|
unstable = import (import ../nix/sources.nix).nixpkgs-unstable {};
|
||||||
in {
|
in {
|
||||||
containers.lantifa = {
|
containers.lantifa = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress6 = "fd00::42:14";
|
hostAddress = "192.168.100.1";
|
||||||
localAddress6 = "fd00::42:15";
|
localAddress = "192.168.100.8";
|
||||||
|
bindMounts = {
|
||||||
|
"/persist" = {
|
||||||
|
hostPath = "/persist/containers/lantifa";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
config = {config, pkgs, ... }: {
|
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||||
networking.hosts."::1" = [ "wiki.lantifa.org" ];
|
boot.isContainer = true;
|
||||||
networking.firewall.enable = false;
|
networking.useDHCP = false;
|
||||||
|
users.users.root.hashedPassword = "";
|
||||||
|
hexchen.bindmounts."/var/lib/mediawiki" = "/persist/var/lib/mediawiki";
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||||
|
];
|
||||||
|
|
||||||
|
networking.hosts."127.0.0.1" = [ "wiki.lantifa.org" ];
|
||||||
users.users.mediawiki.extraGroups = [ "keys" ];
|
users.users.mediawiki.extraGroups = [ "keys" ];
|
||||||
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
networking.firewall.enable = false;
|
||||||
|
networking.defaultGateway = {
|
||||||
|
address = "192.168.100.1";
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
services.mediawiki = {
|
services.mediawiki = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -60,8 +80,8 @@ in {
|
||||||
sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i";
|
sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i";
|
||||||
};
|
};
|
||||||
intersection = pkgs.fetchzip { # This is the DynamicPageList extension
|
intersection = pkgs.fetchzip { # This is the DynamicPageList extension
|
||||||
url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_35-1adb683.tar.gz";
|
url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-789511a.tar.gz";
|
||||||
sha256 = "0jh3b22vq1ml3kdj0hhhbfjsilpw39bcjbnkajgx1pcvr7haxld7";
|
sha256 = "0b5viv0d2pm1g68hynm8xbvcyw2cr3lgaxbqzdykk2yvvhc4w8j5";
|
||||||
};
|
};
|
||||||
PageForms = pkgs.fetchzip {
|
PageForms = pkgs.fetchzip {
|
||||||
url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip";
|
url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip";
|
||||||
|
@ -81,16 +101,17 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.mysql.dataDir = "/persist/mysql";
|
||||||
services.mysqlBackup = {
|
services.mysqlBackup = {
|
||||||
enable = true;
|
enable = true;
|
||||||
databases = [ "mediawiki" ];
|
databases = [ "mediawiki" ];
|
||||||
calendar = "*-*-* 23:45:00";
|
calendar = "*-*-* 23:45:00";
|
||||||
};
|
};
|
||||||
};
|
})).config.system.build.toplevel;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."wiki.lantifa.org" = {
|
services.nginx.virtualHosts."wiki.lantifa.org" = {
|
||||||
locations."/".proxyPass = "http://[" + config.containers.lantifa.localAddress6 + "]";
|
locations."/".proxyPass = "http://" + config.containers.lantifa.localAddress + "";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
};
|
};
|
|
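Review bot: `"http://" + config.containers.lantifa.localAddress + ""` carries a leftover empty-string concatenation from the IPv6 bracket form it replaces; `locations."/".proxyPass = "http://${config.containers.lantifa.localAddress}";` is the cleaner spelling. `services.mysqlBackup` keeps its default dump location while the pad containers in this commit explicitly point their postgres backups at `/persist/backups/postgres`; with the nopersist profile imported above, the default under `/var/backup` is presumably ephemeral, so the wiki dumps would not survive a container rebuild — worth confirming or adding `location = "/persist/backups/mysql";`. The `services.mysql.dataDir = "/persist/mysql"` line added here suggests persistence was the intent.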
@ -1,14 +1,12 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, sources, ... }:
|
||||||
|
|
||||||
let
|
{
|
||||||
sources = import ../../../nix/sources.nix;
|
|
||||||
in {
|
|
||||||
imports = [
|
imports = [
|
||||||
sources.nixos-mailserver.outPath
|
sources.nixos-mailserver.outPath
|
||||||
];
|
];
|
||||||
|
|
||||||
mailserver = {
|
mailserver = {
|
||||||
mailDirectory = "/data/mail";
|
mailDirectory = "/persist/mail";
|
||||||
enable = true;
|
enable = true;
|
||||||
fqdn = "mail.hacc.space";
|
fqdn = "mail.hacc.space";
|
||||||
domains = [ "hacc.space" "muc.hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ];
|
domains = [ "hacc.space" "muc.hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ];
|
||||||
|
@ -32,6 +30,8 @@ in {
|
||||||
"lenny@hacc.space".hashedPassword = "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
|
"lenny@hacc.space".hashedPassword = "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
|
||||||
"lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ];
|
"lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ];
|
||||||
|
|
||||||
|
"finance@muc.hacc.space".hashedPassword = "$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m.";
|
||||||
|
|
||||||
# service accounts
|
# service accounts
|
||||||
"noreply@hacc.space".hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
|
"noreply@hacc.space".hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
|
||||||
"newsletter@hacc.space".hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
|
"newsletter@hacc.space".hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
|
||||||
|
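Review bot: The new `"finance@muc.hacc.space".hashedPassword` adds another password hash as a literal in the module, consistent with the existing accounts but at odds with the rest of this commit, which moves credentials into files under `/persist/secrets`. The mailserver module accepts `hashedPasswordFile` per login account, which keeps the hash out of the nix store and git history; a short comment on why the literal form is kept for these accounts, or a follow-up to migrate them, would help.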
@ -145,6 +145,8 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
script = "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465";
|
script = "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465";
|
||||||
serviceConfig.WorkingDirectory = "${pkgs.alps}/share/alps";
|
serviceConfig.WorkingDirectory = "${pkgs.alps}/share/alps";
|
||||||
|
serviceConfig.Restart = "always";
|
||||||
|
requiredBy = [ "multi-user.target" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."mail.hacc.space" = {
|
services.nginx.virtualHosts."mail.hacc.space" = {
|
|
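Review bot: `requiredBy = [ "multi-user.target" ];` makes the boot target depend hard on the alps webmail service — a start failure of alps marks `multi-user.target` failed, and with the new `serviceConfig.Restart = "always"` the unit keeps restarting regardless of the target's state. `wantedBy = [ "multi-user.target" ];` is the conventional way to start it at boot without coupling the target to it. The enclosing systemd service definition starts before this hunk.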
@ -1,34 +1,51 @@
|
||||||
{config, pkgs, lib, ...}:
|
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
|
||||||
|
|
||||||
{
|
let
|
||||||
|
mattermost = pkgs.mattermost;
|
||||||
|
in {
|
||||||
containers.mattermost = {
|
containers.mattermost = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "192.168.100.30";
|
hostAddress = "192.168.100.1";
|
||||||
localAddress = "192.168.100.31";
|
localAddress = "192.168.100.3";
|
||||||
|
|
||||||
bindMounts."/secrets" = {
|
bindMounts = {
|
||||||
hostPath = "/var/lib/mattermost/";
|
"/persist" = {
|
||||||
isReadOnly = true;
|
hostPath = "/persist/containers/mattermost";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {pkgs, config, ...}: {
|
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||||
|
boot.isContainer = true;
|
||||||
|
networking.useDHCP = false;
|
||||||
|
users.users.root.hashedPassword = "";
|
||||||
|
|
||||||
# have to import these here, since container's dont
|
imports = [
|
||||||
# inherit imports of their environment.
|
../modules/mattermost.nix
|
||||||
imports = [ ../../../modules/mattermost.nix ];
|
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||||
|
];
|
||||||
|
|
||||||
|
nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];
|
||||||
|
|
||||||
|
nixpkgs.config.allowUnfree = true;
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
|
networking.defaultGateway = {
|
||||||
|
address = "192.168.100.1";
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
|
|
||||||
# couldn't figure out how to actually overwrite modules, so now
|
# couldn't figure out how to actually overwrite modules, so now
|
||||||
# there's two mattermost modules ...
|
# there's two mattermost modules ...
|
||||||
services.mattermost-patched = {
|
services.mattermost-patched = {
|
||||||
enable = true;
|
enable = true;
|
||||||
siteUrl = "https://mattermost-beta.infra4future.de";
|
siteUrl = "https://mattermost.infra4future.de";
|
||||||
siteName = "Mattermost - Blabla for Future";
|
siteName = "Mattermost for Future";
|
||||||
listenAddress = "0.0.0.0:3000";
|
listenAddress = "0.0.0.0:3000";
|
||||||
mutableConfig = false;
|
mutableConfig = false;
|
||||||
|
|
||||||
secretConfig = "/secrets/secrets.json";
|
secretConfig = "/persist/mattermost/secrets.json";
|
||||||
|
statePath = "/persist/mattermost";
|
||||||
|
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
ServiceSettings = {
|
ServiceSettings = {
|
||||||
|
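Review bot: The secrets file moves from a read-only `/secrets` bind mount to `secretConfig = "/persist/mattermost/secrets.json"` inside the writable `/persist` mount that also holds `statePath`, so the service process can now modify its own secrets file; the old `isReadOnly = true;` mount was a useful guard against exactly that. If `/persist` has to be writable for state, a separate read-only entry such as `bindMounts."/persist/secrets" = { hostPath = "/persist/containers/mattermost/secrets"; isReadOnly = true; };` keeps the property (path constructed, adjust to the real layout). `nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];` pins the container's `pkgs.mattermost` to the host's package; a one-line comment saying that is deliberate would help, because `mattermost = pkgs.mattermost;` in the `let` otherwise looks like a no-op.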
@ -56,6 +73,7 @@
|
||||||
EnableLaTeX = true;
|
EnableLaTeX = true;
|
||||||
ThreadAutoFollow = true;
|
ThreadAutoFollow = true;
|
||||||
EnableSecurityFixAlert = false;
|
EnableSecurityFixAlert = false;
|
||||||
|
CollapsedThreads = "default_on";
|
||||||
};
|
};
|
||||||
TeamSettings = {
|
TeamSettings = {
|
||||||
EnableTeamCreation = true;
|
EnableTeamCreation = true;
|
||||||
|
@ -87,7 +105,7 @@
|
||||||
EnableFileAttachments = true;
|
EnableFileAttachments = true;
|
||||||
MaxFileSize = 52428800;
|
MaxFileSize = 52428800;
|
||||||
DriverName = "local";
|
DriverName = "local";
|
||||||
Directory = "/var/lib/mattermost/uploads-storage";
|
Directory = "/persist/mattermost/upload-storage";
|
||||||
EnablePublicLink = true;
|
EnablePublicLink = true;
|
||||||
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
|
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
|
||||||
};
|
};
|
||||||
|
@ -120,7 +138,7 @@
|
||||||
AnnouncementSettings.EnableBanner = false;
|
AnnouncementSettings.EnableBanner = false;
|
||||||
GitLabSettings = {
|
GitLabSettings = {
|
||||||
Enable = true;
|
Enable = true;
|
||||||
Id = "mattermost-beta";
|
Id = "mattermost";
|
||||||
Scope = "";
|
Scope = "";
|
||||||
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||||
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||||
|
@ -159,8 +177,6 @@
|
||||||
ClusterSettings.Enable = false;
|
ClusterSettings.Enable = false;
|
||||||
MetricsSettings.Enable = false;
|
MetricsSettings.Enable = false;
|
||||||
GuestAccountsSettings.Enable = false;
|
GuestAccountsSettings.Enable = false;
|
||||||
# this is just the general allow-this-at-all switch; users
|
|
||||||
# still have to turn it on for themselves
|
|
||||||
FeatureFlags.CollapsedThreads = true;
|
FeatureFlags.CollapsedThreads = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -172,6 +188,17 @@
|
||||||
localDatabaseCreate = false;
|
localDatabaseCreate = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.mysql = {
|
||||||
|
enable = true;
|
||||||
|
ensureDatabases = [ "mattermost" ];
|
||||||
|
ensureUsers = [ {
|
||||||
|
name = "mattermost";
|
||||||
|
ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
|
||||||
|
} ];
|
||||||
|
package = pkgs.mysql80;
|
||||||
|
dataDir = "/persist/mysql";
|
||||||
|
};
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = lib.mkForce true; # mattermost sets this to false. wtf.
|
enable = lib.mkForce true; # mattermost sets this to false. wtf.
|
||||||
ensureDatabases = [ "mattermost" ];
|
ensureDatabases = [ "mattermost" ];
|
||||||
|
@ -197,21 +224,14 @@
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
})).config.system.build.toplevel;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."mattermost-beta.infra4future.de" = {
|
services.nginx.virtualHosts."mattermost.infra4future.de" = {
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
|
proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
|
|
||||||
# Mattermost CSR Patch
|
# Mattermost CSR Patch
|
||||||
proxy_hide_header Content-Security-Policy;
|
proxy_hide_header Content-Security-Policy;
|
||||||
proxy_hide_header X-Frame-Options;
|
proxy_hide_header X-Frame-Options;
|
||||||
|
@ -221,11 +241,4 @@
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.nat = {
|
|
||||||
enable = true;
|
|
||||||
internalInterfaces = [ "ve-mattermost" ];
|
|
||||||
externalInterface = "enp6s0";
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
}
|
|
@ -1,8 +1,4 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, sources, ... }:
|
||||||
|
|
||||||
let
|
|
||||||
sources = import ../../../nix/sources.nix;
|
|
||||||
in
|
|
||||||
|
|
||||||
let
|
let
|
||||||
mumblesite = pkgs.stdenv.mkDerivation {
|
mumblesite = pkgs.stdenv.mkDerivation {
|
||||||
|
@ -18,6 +14,8 @@ let
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
|
||||||
|
|
||||||
services.murmur = {
|
services.murmur = {
|
||||||
enable = true;
|
enable = true;
|
||||||
logDays = -1;
|
logDays = -1;
|
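--- /dev/null
+++ b/services/nextcloud/default.nix
@@ -0,0 +1,140 @@
+{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
+
+{
+containers.nextcloud = {
+autoStart = true;
+privateNetwork = true;
+hostAddress = "192.168.100.1";
+localAddress = "192.168.100.2";
+bindMounts = {
+"/persist" = {
+hostPath = "/persist/containers/nextcloud";
+isReadOnly = false;
+};
+};
+path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+boot.isContainer = true;
+networking.useDHCP = false;
+users.users.root.hashedPassword = "";
+
+imports = [
+((import sources.nix-hexchen) {}).profiles.nopersist
+../../modules/nextcloud.nix
+];
+
+nixpkgs.config.allowUnfree = true;
+networking.firewall.enable = false;
+networking.defaultGateway = {
+address = "192.168.100.1";
+interface = "eth0";
+};
+
+environment.systemPackages = [ pkgs.htop ];
+
+services.nextcloud-patched = {
+enable = true;
+
+# must be set manually; may not be incremented by more than one at
+# a time, otherwise nextcloud WILL break
+package = pkgs.nextcloud21;
+
+home = "/persist/nextcloud";
+https = true;
+
+hostName = "cloud.infra4future.de";
+config = {
+dbtype = "pgsql";
+dbuser = "nextcloud";
+dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+dbname = "nextcloud";
+# there's also a adminpassFile option, but for testing this seems
+# enough (less fiddling with getting the file into a nixos
+# container for ad-hoc setups)
+adminpass = "lushfjwebrwhjebr";
+adminuser = "root";
+};
+
+caching.redis = true;
+
+# multiple pools may be doable using services.phpfpm.pools,
+# but i have not tried this yet. The nextcloud module defines a
+# pool "nextcloud"
+poolSettings = {
+pm = "dynamic";
+"pm.max_children" = "32";
+"pm.max_requests" = "500";
+"pm.max_spare_servers" = "4";
+"pm.min_spare_servers" = "2";
+"pm.start_servers" = "2";
+};
+
+extraOptions = {
+instanceid = "ocxlphb7fbju";
+redis = {
+host = "/run/redis/redis.sock";
+port = 0;
+dbindex = 0;
+password = "secret";
+timeout = 1.5;
+};
+datadirectory = "/persist/data/ncdata";
+mail_smtpmode = "smtp";
+mail_smtpsecure = "ssl";
+mail_sendmailmode = "smtp";
+mail_from_address = "noreply";
+mail_domain = "infra4future.de";
+mail_smtpauthtype = "PLAIN";
+mail_smtpauth = 1;
+mail_smtphost = "mail.hacc.space";
+mail_smtpport = 465;
+mail_smtpname = "noreply@infra4future.de";
+loglevel = 0;
+"overwrite.cli.url" = "https://cloud.infra4future.de";
+};
+
+# passwordsalt, secret, and mail_smtppassword go in here
+secretFile = "/persist/secrets.json";
+
+};
+
+services.redis = {
+enable = true;
+unixSocket = "/var/run/redis/redis.sock";
+};
+
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "nextcloud" ];
+ensureUsers = [
+{ # by default, postgres has unix sockets enabled, and allows a
+# system user `nextcloud` to log in without other authentication
+name = "nextcloud";
+ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+}
+];
+};
+
+# ensure that postgres is running *before* running the setup
+systemd.services."nextcloud-setup" = {
+requires = ["postgresql.service"];
+after = ["postgresql.service"];
+};
+
+services.coredns = {
+enable = true;
+config = ''
+.:53 {
+forward . 1.1.1.1
+}
+'';
+};
+})).config.system.build.toplevel;
+};
+
+services.nginx.virtualHosts."cloud.infra4future.de" = {
+locations."/".proxyPass = "http://${config.containers.nextcloud.localAddress}:80";
+enableACME = true;
+forceSSL = true;
+};
+
+}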
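Review bot: `adminpass = "lushfjwebrwhjebr"` and the redis `password = "secret"` under `extraOptions` are literal secrets that end up in this repository's history and, if `services.nextcloud-patched` renders its config the way the upstream NixOS module does, in world-readable files in the Nix store; the comment right above it already names the `adminpassFile` option, and `secretFile = "/persist/secrets.json"` shows a secrets path is already bind-mounted into the container, so the fix is `adminpassFile = "/persist/nextcloud-adminpass";` plus rotating the value committed here. The container also sets `users.users.root.hashedPassword = ""` next to `networking.firewall.enable = false;`, which means passwordless root on every login path into the container — fine for an ad-hoc test, not for the host behind cloud.infra4future.de; drop the line or replace it with a real hash. `loglevel = 0;` is Nextcloud's DEBUG level and will write request details including user names into the log on `/persist`; the usual production value is `loglevel = 2;`.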
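--- /dev/null
+++ b/services/nginx-pages.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+domains = [ "www.infra4future.de" "hacc.earth" "www.hacc.earth" ];
+in {
+
+services.nginx.virtualHosts =
+listToAttrs (map (host: nameValuePair host {
+useACMEHost = "infra4future.de";
+forceSSL = true;
+locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+}) domains) // {
+"infra4future.de" = {
+enableACME = true;
+forceSSL = true;
+locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
+};
+"muc.hacc.earth" = {
+enableACME = true;
+forceSSL = true;
+locations."/".extraConfig = ''
+proxy_pass "http://${config.containers.gitlab.localAddress}:8090/infra4future/muc.hacc.earth/";
+proxy_set_header Host 'hacc.4future.dev';
+'';
+};
+};
+
+security.acme.certs."infra4future.de" = {
+extraDomainNames = domains;
+};
+}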
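Review bot: The upstream `"http://${config.containers.gitlab.localAddress}:8090"` is spelled out three times (in the `map`, in the `"infra4future.de"` host and in the `muc.hacc.earth` `proxy_pass`); bind it once in the existing `let`, e.g. `pagesUpstream = "http://${config.containers.gitlab.localAddress}:8090";`, so the port and container can change in one place. Only `muc.hacc.earth` pins the upstream Host with `proxy_set_header Host 'hacc.4future.dev';` while the other vhosts use a bare `proxyPass`; if the pages server on :8090 routes by Host, the others will depend on whatever nginx's default or a global `recommendedProxySettings` (not visible here) sends, so a comment stating which host value the pages backend expects for those domains would help the next reader. Consider also a short header comment naming what listens on :8090 in the gitlab container, since the file name only says "pages".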
|
@ -4,6 +4,8 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
relay.enable = false;
|
relay.enable = false;
|
||||||
openDefaultPorts = true;
|
openDefaultPorts = true;
|
||||||
|
configDir = "/persist/var/lib/syncthing/";
|
||||||
|
dataDir = "/persist/data/syncthing/";
|
||||||
declarative = {
|
declarative = {
|
||||||
devices = {
|
devices = {
|
||||||
# schweby
|
# schweby
|
||||||
|
@ -36,7 +38,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
folders = {
|
folders = {
|
||||||
"/var/lib/syncthing/hacc" = {
|
"/persist/data/syncthing/hacc/" = {
|
||||||
id = "qt2ly-xvvvs";
|
id = "qt2ly-xvvvs";
|
||||||
devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
|
devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
|
||||||
type = "receiveonly";
|
type = "receiveonly";
|
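--- /dev/null
+++ b/services/thelounge.nix
@@ -0,0 +1,86 @@
+{ config, lib, pkgs, evalConfig, ... }:
+
+let
+# necessary since overlays won't propagate into the
+# container's config
+thelounge = pkgs.thelounge-hacked;
+in
+{
+containers.thelounge = {
+autoStart = true;
+privateNetwork = true;
+hostAddress = "192.168.100.1";
+localAddress = "192.168.100.4";
+
+path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+boot.isContainer = true;
+networking.useDHCP = false;
+users.users.root.hashedPassword = "";
+
+nixpkgs.config.allowUnfree = true;
+networking.firewall.enable = false;
+networking.defaultGateway = {
+address = "192.168.100.1";
+interface = "eth0";
+};
+
+services.thelounge = {
+enable = true;
+
+extraConfig = {
+public = true;
+# respect X-Forwarded-For
+reverseProxy = true;
+defaults = {
+name = "libera chat";
+host = "irc.eu.libera.chat";
+port = 6697;
+# encrypt things!
+tls = true;
+# yes, please do actually check the cert …
+rejectUnauthorized = true;
+nick = "haccGuest%%%%";
+join = "#hacc-webchat";
+};
+lockNetwork = true;
+
+# don't log messages (default is text / sqlite)
+messageStorage = [];
+
+# darker theme
+#theme = "morning";
+
+# these three should result in having link previews
+# which are fetched only by the server, then proxied
+# (i.e. clients won't directly connect to arbitrary
+# domains to get previews)
+prefetch = true;
+prefetchStorage = true;
+disableMediaPreview = true;
+
+leaveMessage = "happy haccing";
+};
+};
+
+# override the package we use
+systemd.services.thelounge.serviceConfig.ExecStart =
+pkgs.lib.mkForce "${thelounge}/bin/thelounge start";
+
+services.coredns = {
+enable = true;
+config = ''
+.:53 {
+forward . 1.1.1.1
+}
+'';
+};
+})).config.system.build.toplevel;
+};
+
+services.nginx.virtualHosts."webchat.voc.hacc.space" = {
+locations."/".proxyPass =
+"http://${config.containers.thelounge.localAddress}:9000";
+enableACME = true;
+forceSSL = true;
+};
+}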
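Review bot: `reverseProxy = true;` makes The Lounge take the client address from `X-Forwarded-For`, but the `webchat.voc.hacc.space` vhost at the bottom only sets `proxyPass`; unless `services.nginx.recommendedProxySettings` is enabled elsewhere on the host (not visible in this file), nginx will not send that header at all, and even when it is enabled it uses `$proxy_add_x_forwarded_for`, which appends to a client-supplied header instead of replacing it. For a `public = true` gateway whose forwarded address is what ends up attributed to the IRC session, set it explicitly in the location, `extraConfig = "proxy_set_header X-Forwarded-For $remote_addr;";`, and add `proxyWebsockets = true;` since the client talks over a socket.io connection. As in the nextcloud container, `users.users.root.hashedPassword = "";` together with `networking.firewall.enable = false;` leaves passwordless root inside the container; a comment explaining why this is acceptable here, or a real hash, would be appropriate. `prefetchStorage = true;` stores fetched preview images on disk while `messageStorage = [];` deliberately keeps no logs — worth a one-line comment saying where those previews land and whether they are meant to persist.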
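--- /dev/null
+++ b/services/unifi.nix
@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+nixpkgs.config.allowUnfree = true;
+services.unifi = {
+enable = true;
+openPorts = true;
+dataDir = "/persist/var/lib/unifi";
+};
+}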
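Review bot: `openPorts = true;` asks the NixOS firewall to open the controller's full port set on every interface, which includes the 8443 admin web UI and the 8080 device-inform port, so on an internet-facing host the controller login page becomes publicly reachable; unlike the other services in this commit it is not fronted by an nginx vhost with ACME. Prefer `openPorts = false;` and allow only the inform/STUN ports from the network the access points live on, and reach the UI over the management network or a reverse proxy. Whether the `networking.firewall` options are honoured at all on this host depends on which firewall implementation is active there, which this file does not show — worth a comment either way. A header comment stating what hardware this controller manages and why it lives on this host would make the `allowUnfree` line self-explanatory.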