Diffstat (limited to 'hosts')
-rw-r--r--hosts/by-name/server2/configuration.nix60
-rw-r--r--hosts/by-name/server2/secrets/nextcloud/adminpassFile.age14
-rw-r--r--hosts/by-name/server3/configuration.nix39
-rwxr-xr-xhosts/by-name/server3/secrets/dkim/gen_key.sh33
-rw-r--r--hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age16
-rw-r--r--hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public1
-rw-r--r--hosts/by-name/server3/secrets/rocie/login.age16
-rw-r--r--hosts/by-name/server3/websites.nix36
-rw-r--r--hosts/default.nix1
9 files changed, 206 insertions, 10 deletions
diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix
index 95f0ade..8cdd45d 100644
--- a/hosts/by-name/server2/configuration.nix
+++ b/hosts/by-name/server2/configuration.nix
@@ -1,4 +1,8 @@
-{config, ...}: {
+{
+ lib,
+ pkgs,
+ ...
+}: {
imports = [
./networking.nix # network configuration that just works
./hardware.nix
@@ -12,14 +16,13 @@
};
vhack = {
- back = {
+ atuin-sync = {
enable = true;
- repositories = {
- "${config.services.gitolite.dataDir}/repositories/vhack.eu/nixos-server.git" = {
- domain = "issues.foss-syndicate.org";
- port = 9220;
- };
- };
+ fqdn = "atuin-sync.vhack.eu";
+ };
+ git-back = {
+ enable = true;
+ domain = "issues.foss-syndicate.org";
};
backup = {
enable = true;
@@ -27,6 +30,15 @@
privatePassword = ./secrets/backup/backuppass.age;
user = "u384702-sub3";
};
+ dns = {
+ enable = true;
+ openFirewall = true;
+ interfaces = [
+ "185.16.61.132"
+ "2a03:4000:a:106::1"
+ ];
+ zones = import ../../../zones {inherit lib;};
+ };
etesync = {
enable = true;
secretFile = ./secrets/etesync/secret_file.age;
@@ -49,10 +61,18 @@
enable = true;
fqdn = "mail.foss-syndicate.org";
};
+ nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud33;
+ hostname = "nextcloud.vhack.eu";
+ adminpassFile = ./secrets/nextcloud/adminpassFile.age;
+ };
+
nginx = {
enable = true;
redirects = {
"source.foss-syndicate.org" = "https://git.foss-syndicate.org/vhack.eu/nixos-server";
+ "source.vhack.eu" = "https://source.foss-syndicate.org";
};
};
nixconfig.enable = true;
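Review bot: The new redirect `"source.vhack.eu" = "https://source.foss-syndicate.org";` chains through the redirect on the line above, so a visitor makes two hops before reaching the repository and the entry silently depends on the other hostname staying configured. Pointing it at the final URL directly, `"source.vhack.eu" = "https://git.foss-syndicate.org/vhack.eu/nixos-server";`, avoids both. The enclosing `vhack` attribute set starts and ends outside the hunk.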
@@ -65,6 +85,30 @@
};
redlib.enable = true;
rust-motd.enable = true;
+ sharkey = {
+ enable = true;
+ fqdn = "sharkey.vhack.eu";
+ settings = {
+ id = "aidx";
+
+ maxNoteLength = 8192;
+ maxFileSize = 1024 * 1024 * 1024;
+ proxyRemoteFiles = true;
+
+ # > At the suggestion of Sharkey maintainers,
+ # > this allows the server to run multiple workers
+ # > and without this (and postgres tuning), the instance runs slowly.
+ # Copied from: https://github.com/sodiboo/system/blob/b63c7b27f49043e8701b3ff5e1441cd27d5a2fff/sharkey.mod.nix#L21-L23
+ clusterLimit = 3;
+
+ signToActivityPubGet = true;
+ CheckActivityPubGetSigned = false;
+ };
+ };
+ taskchampion-sync = {
+ enable = true;
+ fqdn = "taskchampion.vhack.eu";
+ };
users.enable = true;
};
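Review bot: `CheckActivityPubGetSigned = false;` is the only key in `settings` that starts with a capital letter, which looks like a typo rather than a real config key (the upstream Misskey/Sharkey example config spells this option `checkActivityPubGetSignature`, if I recall correctly — verify against the version the module pins). If `settings` is passed through to the generated YAML unvalidated, a misspelled key is silently ignored and the default applies, so the line may not be controlling whether unsigned ActivityPub fetches are accepted at all. Whichever spelling is correct, the line needs a why-comment, e.g. `# Accept unsigned ActivityPub GETs (no authorized fetch); presumably kept off for compatibility with remote instances that do not sign fetches — confirm`. `maxFileSize = 1024 * 1024 * 1024` next to `proxyRemoteFiles = true` is also worth a note on disk and bandwidth cost if that limit applies to proxied remote media; the hunk does not show which limit it governs.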
diff --git a/hosts/by-name/server2/secrets/nextcloud/adminpassFile.age b/hosts/by-name/server2/secrets/nextcloud/adminpassFile.age
new file mode 100644
index 0000000..2b831f3
--- /dev/null
+++ b/hosts/by-name/server2/secrets/nextcloud/adminpassFile.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----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=
+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index b87dc67..5960932 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -1,4 +1,4 @@
-{config, ...}: {
+{lib, ...}: {
imports = [
./networking.nix # network configuration that just works
./hardware.nix
@@ -11,7 +11,25 @@
privatePassword = ./secrets/backup/backuppass.age;
user = "u384702-sub4";
};
+ dns = {
+ enable = true;
+ openFirewall = true;
+ interfaces = [
+ "92.60.38.179"
+ "2a03:4000:33:25b::4f4e"
+ ];
+ zones = import ../../../zones {inherit lib;};
+ };
fail2ban.enable = true;
+ rocie = {
+ enable = true;
+ domain = "rocie.vhack.eu";
+ loginSecret = ./secrets/rocie/login.age;
+ };
+ nix-sync = {
+ enable = true;
+ domains = import ./websites.nix {};
+ };
mastodon = {
enable = true;
domain = "mastodon.vhack.eu";
@@ -54,6 +72,25 @@
"/var/log"
];
};
+ stalwart-mail = {
+ # enable = false;
+ # fqdn = "mail.vhack.eu";
+ # admin = "admin@vhack.eu";
+ # security = {
+ # dkimKeys = let
+ # loadKey = name: {
+ # dkimPublicKey = builtins.readFile (./secrets/dkim + "/${name}-public");
+ # dkimPrivateKeyPath = ./secrets/dkim + "/${name}-private.age";
+ # keyAlgorithm = "ed25519-sha256";
+ # };
+ # in {
+ # "mail.vhack.eu" = loadKey "mail.vhack.eu";
+ # };
+ # verificationMode = "strict";
+ # };
+ # openFirewall = true;
+ # principals = null;
+ };
postgresql.enable = true;
rust-motd.enable = true;
users.enable = true;
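Review bot: `stalwart-mail = { … };` is committed with its entire body commented out, leaving an empty attribute set whose effect depends on the module's `enable` default; if that default is `false` the block is inert, otherwise an unconfigured mail server would be enabled without an `fqdn`, so the default is worth confirming before this lands. A short comment above the block saying why it is parked would make the intent clear, e.g. `# Parked until the stalwart module is ready; DKIM keys already generated in ./secrets/dkim` — the DKIM key files are added in this same commit but currently have no consumer. The enclosing `vhack` attribute set starts and ends outside the hunk.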
diff --git a/hosts/by-name/server3/secrets/dkim/gen_key.sh b/hosts/by-name/server3/secrets/dkim/gen_key.sh
new file mode 100755
index 0000000..61da156
--- /dev/null
+++ b/hosts/by-name/server3/secrets/dkim/gen_key.sh
@@ -0,0 +1,33 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -p rage -p openssl -p bash -i bash --impure
+
+# shellcheck shell=bash
+
+cd "$(dirname "$0")" || {
+ echo "No basedir?!"
+ exit 1
+}
+
+key_name="$1"
+[ -z "$key_name" ] && {
+ echo "Usage: $0 KEY_NAME IDENTITY"
+ exit 2
+}
+
+openssl genpkey \
+ -algorithm ed25519 \
+ -out - |
+ tee >(openssl pkey \
+ -pubout \
+ -out - |
+ openssl asn1parse \
+ -offset 12 \
+ -noout \
+ -out - |
+ base64 --wrap 0 >"$key_name-public") |
+ rage --encrypt \
+ --armor \
+ --recipient "age1mshh4ynzhhzhff25tqwkg4j054g3xwrfznh98ycchludj9wjj48qn2uffn" \
+ >"$key_name-private.age"
+
+# vim: ft=sh
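Review bot: Errors in the pipeline are not propagated: there is no `set -euo pipefail`, the exit status of the `tee >(...)` process substitution is never observed, and if `openssl genpkey` fails, `rage` still encrypts an empty stream and writes a valid-looking `$key_name-private.age`, so the script exits 0 with an unusable key pair. The usage line also advertises an `IDENTITY` argument that is never read; the recipient is hard-coded on the `--recipient` line. Generating the PEM once into a variable and deriving both outputs from it lets each step fail loudly, and taking the raw public key as the last 32 bytes of the DER SubjectPublicKeyInfo is more explicit than the `asn1parse -offset 12` trick while relying on the same fixed SPKI layout.
```shell
set -euo pipefail

# … unchanged: cd to the script directory …

key_name="${1:-}"
if [ -z "$key_name" ]; then
  echo "Usage: $0 KEY_NAME"
  exit 2
fi

# Generate once and keep the PEM only in memory; both outputs are derived
# from it so a failure in either step aborts instead of leaving a truncated
# or empty key file behind.
pem="$(openssl genpkey -algorithm ed25519)"

# Raw 32-byte Ed25519 public key: the last 32 bytes of the DER-encoded
# SubjectPublicKeyInfo (12-byte header + key).
printf '%s\n' "$pem" |
  openssl pkey -pubout -outform DER |
  tail -c 32 |
  base64 --wrap 0 >"$key_name-public"

printf '%s\n' "$pem" |
  rage --encrypt \
    --armor \
    --recipient "age1mshh4ynzhhzhff25tqwkg4j054g3xwrfznh98ycchludj9wjj48qn2uffn" \
    >"$key_name-private.age"
```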
diff --git a/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age
new file mode 100644
index 0000000..8d66808
--- /dev/null
+++ b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public
new file mode 100644
index 0000000..fa5d243
--- /dev/null
+++ b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public
@@ -0,0 +1 @@
+U0eOxgLD3yK7PKzQRSZdJ3EH/UwVxPeYmfm42gYXsDg=
diff --git a/hosts/by-name/server3/secrets/rocie/login.age b/hosts/by-name/server3/secrets/rocie/login.age
new file mode 100644
index 0000000..0a6b8d3
--- /dev/null
+++ b/hosts/by-name/server3/secrets/rocie/login.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server3/websites.nix b/hosts/by-name/server3/websites.nix
new file mode 100644
index 0000000..ece6247
--- /dev/null
+++ b/hosts/by-name/server3/websites.nix
@@ -0,0 +1,36 @@
+{...}: let
+ mkWkd = domain: {
+ domain = "openpgpkey.${domain}";
+ repositoryUrl = "https://git.foss-syndicate.org/vhack.eu/pgp-wkd";
+ extraSettings = {
+ locations."/.well-known/openpgpkey/".extraConfig = ''
+ default_type application/octet-stream;
+
+ # Came from: https://www.uriports.com/blog/setting-up-openpgp-web-key-directory/
+ # No idea if it is actually necessary
+ # add_header Access-Control-Allow-Origin * always;
+ '';
+ };
+ };
+in [
+ {
+ domain = "vhack.eu";
+ repositoryUrl = "https://codeberg.org/vhack.eu/website";
+ }
+ {
+ domain = "b-peetz.de";
+ repositoryUrl = "https://git.foss-syndicate.org/bpeetz/b-peetz.de";
+ }
+
+ # Trinitrix
+ {
+ domain = "trinitrix.vhack.eu";
+ repositoryUrl = "https://codeberg.org/trinitrix/website";
+ }
+
+ # WKD
+ (mkWkd "b-peetz.de")
+ (mkWkd "s-schoeffel.de")
+ (mkWkd "sils.li")
+ (mkWkd "vhack.eu")
+]
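Review bot: The commented-out `add_header Access-Control-Allow-Origin * always;` with "No idea if it is actually necessary" leaves the next reader no better informed; as far as I recall, the WKD draft (draft-koch-openpgp-webkey-service) asks servers to send `Access-Control-Allow-Origin: *` on the `/.well-known/openpgpkey/` path so browser-based clients can fetch keys, so the header should probably be enabled and the comment replaced with `# CORS wildcard is called for by the WKD draft so browser clients can fetch keys` — check the current draft text before changing it. Separately, each entry serves whatever the referenced repository contains; if the nix-sync module supports pinning a revision or restricting the branch, documenting which ref is deployed would make clear that, presumably, anyone with push access to those Codeberg/foss-syndicate repositories can change the served content.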
diff --git a/hosts/default.nix b/hosts/default.nix
index f53ee35..664c376 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -12,7 +12,6 @@
useShards = false;
baseDirectory = ./by-name;
fileName = "configuration.nix";
- finalizeFunction = name: value: value;
};
mkNixosConfiguration = _: value: