Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/by-name/server2/configuration.nix | 58 | ||||
-rw-r--r-- | hosts/by-name/server2/secrets/nextcloud/adminpassFile.age | 14 | ||||
-rw-r--r-- | hosts/by-name/server3/configuration.nix | 34 | ||||
-rwxr-xr-x | hosts/by-name/server3/secrets/dkim/gen_key.sh | 33 | ||||
-rw-r--r-- | hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age | 16 | ||||
-rw-r--r-- | hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public | 1 | ||||
-rw-r--r-- | hosts/by-name/server3/websites.nix | 36 | ||||
-rw-r--r-- | hosts/default.nix | 1 |
8 files changed, 183 insertions, 10 deletions
diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix
index 95f0ade..65e3b24 100644
--- a/hosts/by-name/server2/configuration.nix
+++ b/hosts/by-name/server2/configuration.nix
@@ -1,4 +1,8 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ ...
+}: {
 imports = [
 ./networking.nix # network configuration that just works
 ./hardware.nix
@@ -12,14 +16,13 @@
 };
 vhack = {
- back = {
+ atuin-sync = {
 enable = true;
- repositories = {
- "${config.services.gitolite.dataDir}/repositories/vhack.eu/nixos-server.git" = {
- domain = "issues.foss-syndicate.org";
- port = 9220;
- };
- };
+ fqdn = "atuin-sync.vhack.eu";
+ };
+ git-back = {
+ enable = true;
+ domain = "issues.foss-syndicate.org";
 };
 backup = {
 enable = true;
@@ -27,6 +30,15 @@
 privatePassword = ./secrets/backup/backuppass.age;
 user = "u384702-sub3";
 };
+ dns = {
+ enable = true;
+ openFirewall = true;
+ interfaces = [
+ "185.16.61.132"
+ "2a03:4000:a:106::1"
+ ];
+ zones = import ../../../zones {inherit lib;};
+ };
 etesync = {
 enable = true;
 secretFile = ./secrets/etesync/secret_file.age;
@@ -49,10 +61,16 @@
 enable = true;
 fqdn = "mail.foss-syndicate.org";
 };
+ nextcloud = {
+ enable = true;
+ hostname = "nextcloud.vhack.eu";
+ adminpassFile = ./secrets/nextcloud/adminpassFile.age;
+ };
 nginx = {
 enable = true;
 redirects = {
 "source.foss-syndicate.org" = "https://git.foss-syndicate.org/vhack.eu/nixos-server";
+ "source.vhack.eu" = "https://source.foss-syndicate.org";
 };
 };
 nixconfig.enable = true;
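Review bot: `"source.vhack.eu" = "https://source.foss-syndicate.org";` in the nginx redirects of the last hunk points at a name that the line directly above redirects again, so every visitor takes two hops; pointing it straight at `https://git.foss-syndicate.org/vhack.eu/nixos-server` keeps a single redirect and means the vhack.eu entry does not silently break if the foss-syndicate.org one is changed later. The `dns` block in the third hunk binds to both public addresses with `openFirewall = true`; the zones import suggests an authoritative-only setup, but that is not visible here, so it is worth confirming the module does not also enable recursion on those interfaces. The enclosing `vhack = {` attribute set continues outside these hunks.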
@@ -65,6 +83,30 @@
 };
 redlib.enable = true;
 rust-motd.enable = true;
+ sharkey = {
+ enable = true;
+ fqdn = "sharkey.vhack.eu";
+ settings = {
+ id = "aidx";
+
+ maxNoteLength = 8192;
+ maxFileSize = 1024 * 1024 * 1024;
+ proxyRemoteFiles = true;
+
+ # > At the suggestion of Sharkey maintainers,
+ # > this allows the server to run multiple workers
+ # > and without this (and postgres tuning), the instance runs slowly.
+ # Copied from: https://github.com/sodiboo/system/blob/b63c7b27f49043e8701b3ff5e1441cd27d5a2fff/sharkey.mod.nix#L21-L23
+ clusterLimit = 3;
+
+ signToActivityPubGet = true;
+ CheckActivityPubGetSigned = false;
+ };
+ };
+ taskchampion-sync = {
+ enable = true;
+ fqdn = "taskchampion.vhack.eu";
+ };
 users.enable = true;
 };
diff --git a/hosts/by-name/server2/secrets/nextcloud/adminpassFile.age b/hosts/by-name/server2/secrets/nextcloud/adminpassFile.age
new file mode 100644
index 0000000..2b831f3
--- /dev/null
+++ b/hosts/by-name/server2/secrets/nextcloud/adminpassFile.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxanRqM3pOT29DWitxUERF
+RjRURVZUWGpOSzFoZVpCSzJIN0RGZDAzWEZzCkczaExmOGgxQUQwV2NleUdHMXBB
+eTZLZXpGZE1hcXBhWWhVcEQ5OFBQWUkKLT4gWDI1NTE5IG5DVmlEaDhTWk9xaWs2
+TnF1K1ZtK2UyeDgvOEFlbVUzc0V1VnZoSmFobEkKczNrSGdwZEVxVFNES3dzcVgy
+SmRYNS9WR29mNGNCQW84bHZsZzNTRGZCQQotPiBzc2gtZWQyNTUxOSBYUG94RFEg
+Y2ZQd25odWRRbUdqM3gxMzBrQ1Y3UjRwQ0JsRldtblRaYnVKWHZud2p5awpZdkNm
+bk82RVVId2tsOXlKb2psa25pNFpManN4bjQwblBWUWdGaWxxQ1B3Ci0+ICNqaTBs
+KE8tZ3JlYXNlIE1KZGEgNzAKSGNMSlRGTzN5d3ZXcFZNTkxlZHprVlVQTzJ4K2Vp
+MG1YMTFHRmV6L2tMMGUKLS0tIE44WHBBZk1qcmRnK2lPczdiQ294SW50UFdrUHUw
+d0EreHNod29LL2pjd2cKw1rpd83gONZaOiV5lQ+QOtIZzoIkaOvRD/8avsbeFsP7
+AB/jiOfOwYJ0DVbNMjopwnzpcAFsLWs6Gg0wQhjNsl349TIcTAS0xLTJYTm8DwQy
+FmzftPMHAuJ/IPGzb3hQOFqpuFAPkunfiOgZ/N7N/+LLNMC5NxkkSH8m8gDBCCk=
+-----END AGE ENCRYPTED FILE-----
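Review bot: `CheckActivityPubGetSigned = false;` uses a capitalised key name while every sibling in `settings` is lower camelCase (`signToActivityPubGet`, `proxyRemoteFiles`, `clusterLimit`); if Sharkey does not recognise the key it is silently ignored and the built-in default applies instead, so the name should be checked against Sharkey's example configuration. Since this is the line that decides whether unsigned inbound ActivityPub GET requests are accepted, the intent deserves to be recorded next to it, e.g. `# Inbound AP GETs need not be signed (authorized fetch off); outbound GETs are signed so instances that require it still federate.` The surrounding `vhack = {` set begins outside the hunk.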
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index b87dc67..6966e58 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -1,4 +1,4 @@
-{config, ...}: {
+{lib, ...}: {
 imports = [
 ./networking.nix # network configuration that just works
 ./hardware.nix
@@ -11,7 +11,20 @@
 privatePassword = ./secrets/backup/backuppass.age;
 user = "u384702-sub4";
 };
+ dns = {
+ enable = true;
+ openFirewall = true;
+ interfaces = [
+ "92.60.38.179"
+ "2a03:4000:33:25b::4f4e"
+ ];
+ zones = import ../../../zones {inherit lib;};
+ };
 fail2ban.enable = true;
+ nix-sync = {
+ enable = true;
+ domains = import ./websites.nix {};
+ };
 mastodon = {
 enable = true;
 domain = "mastodon.vhack.eu";
@@ -54,6 +67,25 @@
 "/var/log"
 ];
 };
+ stalwart-mail = {
+ enable = true;
+ fqdn = "mail.vhack.eu";
+ admin = "admin@vhack.eu";
+ security = {
+ dkimKeys = let
+ loadKey = name: {
+ dkimPublicKey = builtins.readFile (./secrets/dkim + "/${name}-public");
+ dkimPrivateKeyPath = ./secrets/dkim + "/${name}-private.age";
+ keyAlgorithm = "ed25519-sha256";
+ };
+ in {
+ "mail.vhack.eu" = loadKey "mail.vhack.eu";
+ };
+ verificationMode = "strict";
+ };
+ openFirewall = true;
+ principals = null;
+ };
 postgresql.enable = true;
 rust-motd.enable = true;
 users.enable = true;
diff --git a/hosts/by-name/server3/secrets/dkim/gen_key.sh b/hosts/by-name/server3/secrets/dkim/gen_key.sh
new file mode 100755
index 0000000..61da156
--- /dev/null
+++ b/hosts/by-name/server3/secrets/dkim/gen_key.sh
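Review bot: The `stalwart-mail` hunk signs outbound mail with a single `ed25519-sha256` key (`keyAlgorithm` inside `loadKey`); RFC 8463 signatures are still not verified by a number of large receivers, which then treat the mail as unsigned for DMARC purposes, so the usual mitigation is to dual-sign with an additional `rsa-sha256` key — worth confirming against the receivers that matter for this domain before relying on ed25519 alone. `loadKey` also hard-codes the `<name>-public` / `<name>-private.age` file naming that `secrets/dkim/gen_key.sh` produces and nothing in the configuration says so; a comment above it such as `# Key files come from ./secrets/dkim/gen_key.sh <name>: the public half is embedded verbatim, the private half stays age-encrypted until deploy.` would make the coupling visible. `verificationMode = "strict"` is a module option whose semantics are not visible here; if it rejects inbound mail that fails DKIM or SPF outright, a one-line comment stating that would help the next reader. The enclosing `vhack = {` set begins outside the hunk.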
@@ -0,0 +1,33 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -p rage -p openssl -p bash -i bash --impure
+
+# shellcheck shell=bash
+
+cd "$(dirname "$0")" || {
+ echo "No basedir?!"
+ exit 1
+}
+
+key_name="$1"
+[ -z "$key_name" ] && {
+ echo "Usage: $0 KEY_NAME IDENTITY"
+ exit 2
+}
+
+openssl genpkey \
+ -algorithm ed25519 \
+ -out - |
+ tee >(openssl pkey \
+ -pubout \
+ -out - |
+ openssl asn1parse \
+ -offset 12 \
+ -noout \
+ -out - |
+ base64 --wrap 0 >"$key_name-public") |
+ rage --encrypt \
+ --armor \
+ --recipient "age1mshh4ynzhhzhff25tqwkg4j054g3xwrfznh98ycchludj9wjj48qn2uffn" \
+ >"$key_name-private.age"
+
+# vim: ft=sh
diff --git a/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age
new file mode 100644
index 0000000..8d66808
--- /dev/null
+++ b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEtVSWhiOVR1N1Q5bTBV
+NXRMMm42VlR5NitSWlhiSFpUZDZQSlloWlJ3ClA3ZEJSU2dDbmRVL0NMZlFOVU5J
+V1lEbDM0MlN3S3dZMUkyc1pQZVVpdDAKLT4gWDI1NTE5IFk4YnFFZmFLTlA0WENY
+K3FGME1CbUV4b0Z4V1FIRFBmNVphYmhCMG1QVkkKOGhFcnl3Y2hZQU8rY0ROMTlq
+d0lUVG8rRWpPNm4vWkw2WFROU3NJalgzWQotPiBzc2gtZWQyNTUxOSBweXU5Ymcg
+UDV4YUdZRWZieHN4RVU1WWEvdlFRVHpTL1V5Q3Nya1kvNjFxVytpS1NGawpUWnlR
+RmtQL1Z1ZFkwTC9ua3VVb05VQVlLemtuOCtLSkdxbFE5U2wyM0xZCi0+IFktZ3Jl
+YXNlCk56M0t2NXB3QVpjYTNFdkEvMmpDZXBPcWlLNXNWL2tPalNMM1g0KzBJL2xz
+T1gvTldRLzNxM25BOUhFZml3dFQKSnNMeHBXK3BrS2pWVU1uTkNKZ3BnaGt2Ci0t
+LSBuWURsUEYxRkx3bVQzU3JTcGlwUTFCZ09IRWIrNExUclhPSmdGdUtNOFlFCuKw
+PBh8U5VmweDGoY+xFXw/nqTqrKw9gZyUR2vbnHdnN9y8BToht7prsEaAn//DVivI
+GMFGMhbPYTumWnEiTho8ZqQv5tKiDdIGV/9YghzUdHtMnzfO7q5ztrFYx19qjgi/
+lW17WyY8Jk2DZIH3icYweTICx9IU5K11DNj6WgNGDe8/fAyfuHTekE8sZtHPDw76
+M3wkUZM=
+-----END AGE ENCRYPTED FILE-----
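Review bot: The script runs without `set -euo pipefail`, so a failing `openssl` or `rage` in the pipeline at the bottom of the hunk still leaves a truncated or empty `$key_name-private.age` behind with exit status 0, and it silently overwrites an existing key pair of the same name, which is exactly how a DKIM key that is already published in DNS gets lost. The usage line also advertises an `IDENTITY` argument that nothing reads. I would enable strict mode after the shellcheck directive, read `$1` as `"${1:-}"` so the usage check still fires under `set -u`, and refuse to run when `$key_name-private.age` already exists. Note that `pipefail` does not cover the `tee >(…)` process substitution, so the public-key extraction can still fail unnoticed; checking that `$key_name-public` is non-empty once the pipeline has finished would close that gap as well.
```shell
# shellcheck shell=bash
set -euo pipefail

# … unchanged: cd to the script directory …

key_name="${1:-}"
[ -z "$key_name" ] && {
  echo "Usage: $0 KEY_NAME"
  exit 2
}
# Refuse to clobber a key pair that may already be published in DNS and in use.
[ -e "$key_name-private.age" ] && {
  echo "$key_name-private.age already exists; move it away first to rotate"
  exit 3
}

# … unchanged: openssl genpkey | tee >(public-key extraction) | rage pipeline …
```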
diff --git a/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public
new file mode 100644
index 0000000..fa5d243
--- /dev/null
+++ b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public
@@ -0,0 +1 @@
+U0eOxgLD3yK7PKzQRSZdJ3EH/UwVxPeYmfm42gYXsDg=
diff --git a/hosts/by-name/server3/websites.nix b/hosts/by-name/server3/websites.nix
new file mode 100644
index 0000000..466f1e9
--- /dev/null
+++ b/hosts/by-name/server3/websites.nix
@@ -0,0 +1,36 @@
+{...}: let
+ mkWkd = domain: {
+ domain = "openpgpkey.${domain}";
+ repositoryUrl = "https://git.foss-syndicate.org/vhack.eu/pgp-wkd.git";
+ extraSettings = {
+ locations."/.well-known/openpgpkey/".extraConfig = ''
+ default_type application/octet-stream;
+
+ # Came from: https://www.uriports.com/blog/setting-up-openpgp-web-key-directory/
+ # No idea if it is actually necessary
+ # add_header Access-Control-Allow-Origin * always;
+ '';
+ };
+ };
+in [
+ {
+ domain = "vhack.eu";
+ repositoryUrl = "https://codeberg.org/vhack.eu/website.git";
+ }
+ {
+ domain = "b-peetz.de";
+ repositoryUrl = "https://git.foss-syndicate.org/bpeetz/b-peetz.de.git";
+ }
+
+ # Trinitrix
+ {
+ domain = "trinitrix.vhack.eu";
+ repositoryUrl = "https://codeberg.org/trinitrix/website.git";
+ }
+
+ # WKD
+ (mkWkd "b-peetz.de")
+ (mkWkd "s-schoeffel.de")
+ (mkWkd "sils.li")
+ (mkWkd "vhack.eu")
+]
diff --git a/hosts/default.nix b/hosts/default.nix
index f53ee35..664c376 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -12,7 +12,6 @@
 useShards = false;
 baseDirectory = ./by-name;
 fileName = "configuration.nix";
- finalizeFunction = name: value: value;
 };
 mkNixosConfiguration = _: value: |
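Review bot: In `mkWkd` the `Access-Control-Allow-Origin` header stays commented out under a "No idea if it is actually necessary" note; as far as I recall the OpenPGP Web Key Directory draft asks servers to send `Access-Control-Allow-Origin: *` so that browser-based clients can fetch keys, and since the directory only ever serves public keys and a policy file the header exposes nothing extra. I would either enable the `add_header` line or replace the comment with the decision, e.g. `# CORS deliberately not enabled: only command-line WKD clients are expected here.`, so the next reader does not have to research it again. The `default_type application/octet-stream;` line is the right content type for the hashed key files.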