diff --git a/.gitignore b/.gitignore index 9dc7bc1..f5c773e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ secrets/ -modules/services/matrix/secrets.yaml +modules/services/matrix/default.nix diff --git a/flake.lock b/flake.lock index 27771ae..a1acbfc 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,6 @@ { "nodes": { +<<<<<<< HEAD "agenix": { "inputs": { "darwin": "darwin", @@ -23,6 +24,8 @@ "type": "github" } }, +======= +>>>>>>> refs/remotes/origin/master "alejandra": { "inputs": { "fenix": "fenix", @@ -338,27 +341,6 @@ } }, "home-manager": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -457,7 +439,7 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems_2", + "systems": "systems", "xdph": "xdph" }, "locked": { @@ -901,11 +883,10 @@ }, "root": { "inputs": { - "agenix": "agenix", "alejandra": "alejandra", "catppuccin": "catppuccin", "catppuccin-bat": "catppuccin-bat", - "home-manager": "home-manager_2", + "home-manager": "home-manager", "hypr-contrib": "hypr-contrib", "hyprland": "hyprland", "hyprpicker": "hyprpicker", @@ -934,21 +915,6 @@ } }, "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", 
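Review bot: The ignore rule is flipped the wrong way: `modules/services/matrix/secrets.yaml` becomes tracked (this commit adds it with `registration_shared_secret: ""`), while `modules/services/matrix/default.nix`, which the same commit deletes, becomes ignored, so a real value typed into secrets.yaml later lands in history and default.nix can no longer be re-added through git. The intent reads as the reverse of what was written; keep `modules/services/matrix/secrets.yaml` ignored (or move it under the already-ignored `secrets/`) and drop the default.nix entry. The new secrets.yaml hunk also has no consumer left anywhere in this diff once default.nix is gone, so confirm what is meant to read it. The `gitleaks` addition in packages.nix will flag exactly this file once a value is filled in.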
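Review bot: The flake.lock hunk at `@@ -1,5 +1,6 @@` commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> refs/remotes/origin/master`) into the JSON, so the lock file no longer parses and any `nix flake` or `nixos-rebuild` on this revision fails before evaluating anything. The HEAD side also keeps the `agenix` node that the `root` inputs later in the same file and flake.nix both drop. Resolve the conflict and regenerate the file with `nix flake lock` rather than editing it by hand.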
diff --git a/flake.nix b/flake.nix
index a4028e6..b175984 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,16 +30,9 @@
 url = "github:catppuccin/bat";
 flake = false;
 };
-
- agenix.url = "github:ryantm/agenix";
- agenix.inputs.nixpkgs.follows = "nixpkgs";
-
- iceshrimp = {
- url = "git+https://iceshrimp.dev/iceshrimp/packaging";
- };
 };
- outputs = { nixpkgs, self, iceshrimp, agenix, catppuccin, ...} @ inputs:
+ outputs = { nixpkgs, self, iceshrimp, catppuccin, ...} @ inputs:
 let
 selfPkgs = import ./pkgs;
 username = "liv";
@@ -73,7 +66,7 @@
 modules = [( import ./hosts/violet )];
- specialArgs = { host="violet"; inherit self inputs username agenix iceshrimp ; };
+ specialArgs = { host="violet"; inherit self inputs username iceshrimp ; };
 };
 vm = nixpkgs.lib.nixosSystem {
diff --git a/hosts/violet/default.nix b/hosts/violet/default.nix
index 9369fcf..953a68c 100644
--- a/hosts/violet/default.nix
+++ b/hosts/violet/default.nix
@@ -1,11 +1,10 @@
-{ pkgs, config, iceshrimp, agenix, ... }:
+{ pkgs, config, iceshrimp, ... }:
 {
 imports = [
 ./hardware-configuration.nix
 ./../../modules/core
 ./../../modules/services/violet.nix
 iceshrimp.nixosModules.default
- agenix.nixosModules.default
 ];
 networking.hostName = "violet";
diff --git a/modules/home/packages.nix b/modules/home/packages.nix
index 2c5d5bf..016b376 100644
--- a/modules/home/packages.nix
+++ b/modules/home/packages.nix
@@ -22,6 +22,7 @@
 gimp
 darktable
 lazygit
+ gitleaks # TODO: adds pre-commit hook
 libreoffice
 xfce.thunar
 prismlauncher
diff --git a/modules/services/iceshrimp.nix b/modules/services/iceshrimp.nix
index 69dc2f7..dfe32f6 100644
--- a/modules/services/iceshrimp.nix
+++ b/modules/services/iceshrimp.nix
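Review bot: The first flake.nix hunk deletes the `iceshrimp` input, but the new `outputs = { nixpkgs, self, iceshrimp, catppuccin, ...} @ inputs:` pattern still requires it and the second hunk still passes it through `inherit self inputs username iceshrimp` in specialArgs; unless `iceshrimp` is declared elsewhere in `inputs` outside this hunk, evaluation fails with a missing-argument error. hosts/violet/default.nix in the same commit keeps `iceshrimp.nixosModules.default` in its imports, so the dependency is still real. Either restore the input block or remove `iceshrimp` from the outputs pattern, the specialArgs inherit and the violet imports together. The outputs function body continues past the end of the hunk.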
@@ -2,26 +2,29 @@
 {
 services = {
- postgresql = {
- enable = true;
- initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- '';
- };
+ # postgresql = {
+ # enable = true;
+ # initialScript = pkgs.writeText "iceshrimp.sql" ''
+ # CREATE ROLE "iceshrimp" WITH LOGIN PASSWORD 'uph2reeloo3aeDae4muc';
+ # CREATE DATABASE "iceshrimp" WITH OWNER "iceshrimp"
+ # TEMPLATE template0
+ # LC_COLLATE = "C"
+ # LC_CTYPE = "C";
+ # '';
+ # };
- iceshrimp = {
- enable = true;
- settings = {
- url = "https://fedi.liv.town"; # The domain your Iceshrimp UI will be served on.
- settings.db.host = "/run/postgresql"; # omitting this setting causes some configurations to fail
- };
- dbPasswordFile = /var/iceshrimp/dbPasswordFile;
- secretConfig = /var/iceshrimp/secretConfig.yml;
- };
+ # > "@liv the nix package is sadly broken at the moment"
+ # iceshrimp = {
+ # enable = true;
+ # settings = {
+ # configureNginx = true;
+ # createDb = true;
+ # url = "https://fedi.liv.town"; # The domain your Iceshrimp UI will be served on.
+ # # settings.db.host = "/run/postgresql"; # omitting this setting causes some configurations to fail
+ # };
+ # dbPasswordFile = /var/iceshrimp/dbPasswordFile;
+ # secretConfig = /var/iceshrimp/secretConfig.yml;
+ # };
 };
 }
diff --git a/modules/services/invidious.nix b/modules/services/invidious.nix
new file mode 100644
index 0000000..9c51edd
--- /dev/null
+++ b/modules/services/invidious.nix
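Review bot: The commented-out `initialScript` now carries a literal database password in `CREATE ROLE "iceshrimp" WITH LOGIN PASSWORD '…'`; a comment still ends up in git history and in every clone, and the module already points at `dbPasswordFile = /var/iceshrimp/dbPasswordFile` for exactly this purpose. Treat that value as exposed and rotate it if it was ever applied, and reduce the SQL to a placeholder such as `# CREATE ROLE "iceshrimp" WITH LOGIN PASSWORD '<value from dbPasswordFile>';`, or drop the dead block entirely since the hunk leaves the whole file as comments. The module header on line 1 is outside the hunk; if it still binds `pkgs`, that argument is now unused.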
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+ services.invidious = {
+ enable = true;
+ port = 8001;
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ clientMaxBodySize = "40M";
+ virtualHosts = {
+ "video.liv.town" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}";
+ };
+ };
+ };
+}
diff --git a/modules/services/liv-town.nix b/modules/services/liv-town.nix
new file mode 100644
index 0000000..90a76f5
--- /dev/null
+++ b/modules/services/liv-town.nix
@@ -0,0 +1,22 @@
+{ ... }:
+{
+ virtualisation.docker = {
+ enable = true;
+ autoPrune.enable = true;
+ # enableNvidia = true;
+ };
+
+ users.users.liv = {
+ extraGroups = [ "docker" ];
+ };
+
+ virtualisation.oci-containers = {
+ backend = "docker";
+ containers."livdottown" = {
+ image = "ghcr.io/ahwxorg/liv.town:latest";
+ ports = [
+ "0.0.0.0:4321:8080"
+ ];
+ };
+ };
+}
diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
deleted file mode 100644
index e717fc3..0000000
--- a/modules/services/matrix/default.nix
+++ /dev/null
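Review bot: Nothing in invidious.nix pins where Invidious itself listens; the vhost proxies to `127.0.0.1:${toString config.services.invidious.port}`, but if the service binds all interfaces the plain-HTTP listener on 8001 is reachable directly, bypassing TLS and the hardening headers nextcloud.nix adds to nginx. Confirm the bind address the NixOS module applies and state it explicitly in this file, and consider `services.invidious.domain = "video.liv.town";` so Invidious knows the public hostname it is served under. The file also sets no `security.acme` terms or email and relies on nextcloud.nix doing so; a comment noting that, e.g. `# ACME terms/email are set in nextcloud.nix`, saves a surprise when `enableACME = true` fails after that module is dropped.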
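Review bot: `ports = [ "0.0.0.0:4321:8080" ]` in liv-town.nix publishes the container on every interface, and Docker's own iptables rules take effect ahead of the NixOS firewall, so the app is exposed directly on :4321 outside the nginx/TLS path the rest of this commit builds; bind it to loopback, `"127.0.0.1:4321:8080"`, and front it with a vhost as invidious.nix does. `image = "ghcr.io/ahwxorg/liv.town:latest"` is unpinned, so each pull can silently swap in a different image; pin a digest, `image = "ghcr.io/ahwxorg/liv.town@sha256:<digest>";`, and bump it deliberately. Adding `liv` to `extraGroups = [ "docker" ]` is root-equivalent on this host and deserves a comment saying that is intended.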
@@ -1,136 +0,0 @@
-{ pkgs, lib, config, agenix, ... }:
-let
- fqdn = "liv.town";
- baseUrl = "https://${fqdn}";
- clientConfig."m.homeserver".base_url = baseUrl;
- serverConfig."m.server" = "${fqdn}:443";
- mkWellKnown = data: ''
- default_type application/json;
- # add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
-in {
- security.acme = {
- acceptTerms = true;
- defaults.email = "ahwx@ahwx.org";
- };
-
- services = {
- # postgresql.enable = true;
- # postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
- # CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- # CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- # TEMPLATE template0
- # LC_COLLATE = "C"
- # LC_CTYPE = "C";
- # '';
-
- nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
-
- # Hardened TLS and HSTS preloading
- appendHttpConfig = ''
- # Add HSTS header with preloading to HTTPS requests.
- # Do not add HSTS header to HTTP requests.
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
- # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
- # Disable embedding as a frame
- add_header X-Frame-Options DENY;
-
- # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
-
- # This might create errors
- # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
- '';
-
- virtualHosts = {
- # If the A and AAAA DNS records on example.org do not point on the same host as the
- # records for myhostname.example.org, you can easily move the /.well-known
- # virtualHost section of the code to the host that is serving example.org, while
- # the rest stays on myhostname.example.org with no other changes required.
- # This pattern also allows to seamlessly move the homeserver from
- # myhostname.example.org to myotherhost.example.org by only changing the
- # /.well-known redirection target.
- "${fqdn}" = {
- enableACME = true;
- forceSSL = true;
- # This section is not needed if the server_name of matrix-synapse is equal to
- # the domain (i.e. example.org from @foo:example.org) and the federation port
- # is 8448.
- # Further reference can be found in the docs about delegation under
- # https://element-hq.github.io/synapse/latest/delegate.html
- locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
- # Further reference can be found in the upstream docs at
- # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
- locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
- # It's also possible to do a redirect here or something else, this vhost is not
- # needed for Matrix. It's recommended though to *not put* element
- # here, see also the section about Element.
- locations."/".extraConfig = ''
- return 404;
- '';
- # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
- # *must not* be used here.
- locations."/_matrix".proxyPass = "http://[::1]:8008";
- # Forward requests for e.g. SSO and password-resets.
- locations."/_synapse/client".proxyPass = "http://[::1]:8008";
- locations."wp-login.php".return = "301 https://hil-speed.hetzner.com/10GB.bin";
- };
- };
- };
-
- postgresql = {
- enable = true;
- initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- '';
- };
-
- matrix-synapse = {
- enable = true;
- settings = {
- database.name = "psycopg2";
- database.args = {
- user = "matrix-synapse";
- password = "synapse";
- };
- server_name = "${fqdn}";
- public_baseurl = "https://${fqdn}";
- enable_registration = false;
- registration_shared_secret = config.age.secrets.matrix-synapse;
- #macaroon_secret_key = config.age.secrets.matrix-synapse;
- listeners = [
- { port = 8008;
- bind_addresses = [ "::1" ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [ {
- names = [ "client" "federation" ];
- compress = true;
- } ];
- }
- ];
- };
- };
- };
-}
diff --git a/modules/services/matrix/secrets.yaml b/modules/services/matrix/secrets.yaml
new file mode 100644
index 0000000..357c281
--- /dev/null
+++ b/modules/services/matrix/secrets.yaml
@@ -0,0 +1,3 @@
+registration_shared_secret: ""
+
+report_stats: false
diff --git a/modules/services/mumble.nix b/modules/services/mumble.nix
new file mode 100644
index 0000000..14c9487
--- /dev/null
+++ b/modules/services/mumble.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ };
+}
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
new file mode 100644
index 0000000..64089db
--- /dev/null
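Review bot: mumble.nix enables `services.murmur` with `openFirewall = true` and nothing else, so the server accepts any client on the public port without a join password; if it is not meant to be open to everyone, set `password` (sourced from a file outside the repo) and record the decision either way. A one-line comment on the `openFirewall` line, e.g. `# public voice server; no join password by design`, makes the intent reviewable.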
+++ b/modules/services/nextcloud.nix 
@@ -0,0 +1,87 @@
+{ config, ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ preliminarySelfsigned = false;
+ defaults = {
+ email = "ahwx@ahwx.org";
+ };
+ };
+
+ services.nextcloud = {
+ enable = true;
+ home = "/var/nextcloud/home";
+ https = true;
+ configureRedis = false; # caching
+ maxUploadSize = "10G";
+ hostName = "cloud.liv.town";
+
+ config = {
+ adminuser = "liv";
+ adminpassFile = "/var/nextcloud/AdminPass";
+ };
+
+ settings = {
+ trusted_domains = [
+ "cloud.liv.town"
+ ];
+ enabledPreviewProviders = [
+ "OC\\Preview\\BMP"
+ "OC\\Preview\\GIF"
+ "OC\\Preview\\JPEG"
+ "OC\\Preview\\Krita"
+ "OC\\Preview\\MarkDown"
+ "OC\\Preview\\MP3"
+ "OC\\Preview\\OpenDocument"
+ "OC\\Preview\\PNG"
+ "OC\\Preview\\TXT"
+ "OC\\Preview\\XBitmap"
+ "OC\\Preview\\HEIC"
+ ];
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Hardened TLS and HSTS preloading
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Do not add HSTS header to HTTP requests.
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # This might create errors
+ # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+
+ virtualHosts = {
+ "${config.services.nextcloud.hostName}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/".proxyPass = "http://localhost:8080";
+ "/".proxyWebsockets = true;
+ };
+ };
+ };
+ };
+}
diff --git a/modules/services/violet.nix b/modules/services/violet.nix
index 21b656a..8af50fe 100644
--- a/modules/services/violet.nix
+++ b/modules/services/violet.nix
@@ -1,6 +1,8 @@
 { ...}: {
 imports = [(import ./iceshrimp.nix)]
+ ++ [(import ./invidious.nix)]
+ ++ [(import ./mumble.nix)]
 ++ [(import ./matrix/default.nix)];
 # ++ [(import ./tmux.nix)];
 }
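Review bot: `"/".proxyPass = "http://localhost:8080"` on the `${config.services.nextcloud.hostName}` vhost sends every request to a port nothing in this diff listens on; with `services.nextcloud.enable = true` the NixOS module already provides this virtualHost with its own php-fpm-backed `/` location, so the override either conflicts with it or turns the site into a proxy to nothing. Unless an unseen module binds 8080, drop the `locations` block and keep only `enableACME`/`forceSSL` on the vhost. `adminpassFile = "/var/nextcloud/AdminPass"` also depends on that file existing with restrictive permissions before first activation; a comment on who provisions it and that it stays out of the repo would help, since the .gitignore in this commit only covers `secrets/`.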
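Review bot: violet.nix still evaluates `++ [(import ./matrix/default.nix)]` while this same commit deletes `modules/services/matrix/default.nix` and adds it to .gitignore, so the import of a missing path aborts evaluation of the violet host. Either remove that line or restore the file. The new `nextcloud.nix` and `liv-town.nix` modules are not imported here or anywhere else in the diff; if they are meant to run on violet, add `++ [(import ./nextcloud.nix)]` and `++ [(import ./liv-town.nix)]` next to the invidious and mumble lines.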