diff --git a/config/common/users.nix b/config/common/users.nix
index 1f17e6b..6bc7138 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -6,8 +6,7 @@
 extraGroups = [ "wheel" ];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKHlANxRo9NEU6GHMCiAhv3Kxbxd6mOrOiMBw3bGohOAAAABHNzaDo= emelie@flap-fed"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE7/U/Mk1jGofcommKmPfG+qwybiFH1nFkXzUqGiXSy/AAAABHNzaDo= emelie@thinky-fed"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"
 ];
 };
diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix
index 2c929e1..6d317be 100644
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
@@ -13,6 +13,9 @@
 ./services/restic.nix
 ./services/synapse.nix
 ./services/postgres.nix
+ #./services/mail.nix
+ #./services/containers.nix
+ #./services/redis.nix
 ];
 boot.loader.grub.enable = true;
diff --git a/config/hosts/grondahl/data/secrets/authentik_env b/config/hosts/grondahl/data/secrets/authentik_env
new file mode 100644
index 0000000..52c1631
Binary files /dev/null and b/config/hosts/grondahl/data/secrets/authentik_env differ
diff --git a/config/hosts/grondahl/data/secrets/email_noreply b/config/hosts/grondahl/data/secrets/email_noreply
index babe205..851aa9f 100644
Binary files a/config/hosts/grondahl/data/secrets/email_noreply and b/config/hosts/grondahl/data/secrets/email_noreply differ
diff --git a/config/hosts/grondahl/data/secrets/mobilizon_env b/config/hosts/grondahl/data/secrets/mobilizon_env
new file mode 100644
index 0000000..2f1635d
Binary files /dev/null and b/config/hosts/grondahl/data/secrets/mobilizon_env differ
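Review bot: The two `sk-ssh-ed25519@openssh.com` entries are removed and one added without any record of why, and both the removed and the added key carry the comment `emelie@thinky-fed`, so a later reader cannot tell a re-enrolled token from a lost or compromised one. Because `config/common/users.nix` is shared by every host, a one-line comment above the list, e.g. `# sk keys rotated <date>: previous thinky-fed/flap-fed tokens retired`, gives the audit trail the file otherwise lacks. If the old tokens were retired because they are no longer in hand, note that only a rebuild of each host importing this file actually drops them from authorized_keys, so the rollout should accompany this change.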
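Review bot: The three new modules are added to `imports` commented out, while other hunks in this commit already depend on them: `services/nginx.nix` gains vhosts proxying to 127.0.0.1:4000 and :9000, which only `services/containers.nix` would serve, and `services/postgres.nix` creates `mobilizon` and `authentik` roles. With the imports disabled, `cal.anarkafem.dev` and `auth.anarkafem.dev` will answer 502 and those roles exist with no consumer. If the staging is deliberate, say so beside the lines, e.g. `# TODO: enable once authentik_env/mobilizon_env are provisioned`, so the commented-out entries are not read as dead config. The enclosing `imports` list begins outside the hunk.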
diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix
index 89f5c01..2b87a11 100644
Binary files a/config/hosts/grondahl/data/secrets/secrets.nix and b/config/hosts/grondahl/data/secrets/secrets.nix differ
diff --git a/config/hosts/grondahl/data/secrets/synapse_db_password b/config/hosts/grondahl/data/secrets/synapse_db_password
new file mode 100644
index 0000000..c2cd71a
Binary files /dev/null and b/config/hosts/grondahl/data/secrets/synapse_db_password differ
diff --git a/config/hosts/grondahl/services/containers.nix b/config/hosts/grondahl/services/containers.nix
new file mode 100644
index 0000000..7d814f0
--- /dev/null
+++ b/config/hosts/grondahl/services/containers.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, ... }:
+
+{
+ config.virtualisation.oci-containers = {
+ backend = "podman";
+ containers = {
+ #mobilizon = {
+ # image = "framasoft/mobilizon";
+ # ports = [ "127.0.0.1:4000:4000" ];
+ # volumes = [
+ # "/var/lib/mobilizon/uploads:/var/lib/mobilizon/uploads"
+ # "/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
+ # ];
+ # environmentFiles = [ config.secrets.files.mobilizon_env.file ];
+ # };
+ authentik-server = {
+ image = "ghcr.io/goauthentik/server:stable";
+ ports = [
+ "127.0.0.1:9000:9000"
+ "127.0.0.1:9443:9443"
+ ];
+ volumes = [
+ "/var/lib/authentik/media:/media"
+ "/var/lib/authentik/templates:/templates"
+ "/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
+ "/run/redis/redis.sock:/run/redis/redis.sock"
+ ];
+ environmentFiles = [ config.secrets.files.authentik_env.file ];
+ cmd = ["server"];
+ };
+ authentik-worker = {
+ image = "ghcr.io/goauthentik/server:stable";
+ volumes = [
+ "/var/lib/authentik/backups:/backups"
+ "/var/lib/authentik/media:/media"
+ "/var/lib/authentik/certs:/certs"
+ "/var/lib/authentik/templates:/templates"
+ ];
+ environmentFiles = [ config.secrets.files.authentik_env.file ];
+ cmd = ["worker"];
+ };
+ };
+ };
+
+ config.systemd.services.create-authentik-pod = with config.virtualisation.oci-containers; {
+ serviceConfig.Type = "oneshot";
+ wantedBy = [ "podman-authentik-server.service" "podman-authentik-worker.service" ];
+ script = ''
+ ${pkgs.podman}/bin/podman pod exists authentik || \
+ ${pkgs.podman}/bin/podman pod create -n authentik -p '127.0.0.1:9000:9000' -p '127.0.0.1:9443:9443'
+ '';
+ };
+}
diff --git a/config/hosts/grondahl/services/mail.nix b/config/hosts/grondahl/services/mail.nix
new file mode 100644
index 0000000..6aef8d3
--- /dev/null
+++ b/config/hosts/grondahl/services/mail.nix
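Review bot: `authentik-worker` uses the same `environmentFiles` as `authentik-server` but mounts neither `/run/postgresql/.s.PGSQL.5432` nor `/run/redis/redis.sock`, so if the env file addresses Postgres and Redis through those sockets (the file is binary in this diff, so I cannot confirm) the worker can reach neither backend. `create-authentik-pod` publishes 9000/9443 on a pod that no container joins — there is no `extraOptions = [ "--pod=authentik" ]` — while `authentik-server.ports` publishes the same two ports itself, so the pod sits idle and, if the containers were ever joined to it, podman would refuse the duplicate binding; either drop the pod service or join both containers, publish the ports once on the pod, and add `before = [ ... ]` on the oneshot so the pod exists before the containers start. `image = "ghcr.io/goauthentik/server:stable"` is a floating tag; pin it as `image = "ghcr.io/goauthentik/server:<version>@sha256:<digest>";` so an upstream push cannot silently change what runs as the identity provider. The `with config.virtualisation.oci-containers;` on the service binds nothing that is used.
```nix
      authentik-server = {
        image = "ghcr.io/goauthentik/server:stable";
        # ports are published once, on the pod created by create-authentik-pod
        extraOptions = [ "--pod=authentik" ];
        # … unchanged: volumes, environmentFiles, cmd …
      };
      authentik-worker = {
        image = "ghcr.io/goauthentik/server:stable";
        extraOptions = [ "--pod=authentik" ];
        volumes = [
          "/var/lib/authentik/backups:/backups"
          "/var/lib/authentik/media:/media"
          "/var/lib/authentik/certs:/certs"
          "/var/lib/authentik/templates:/templates"
          "/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
          "/run/redis/redis.sock:/run/redis/redis.sock"
        ];
        # … unchanged: environmentFiles, cmd …
      };
  # … unchanged: closing of containers / oci-containers …
  config.systemd.services.create-authentik-pod = {
    serviceConfig.Type = "oneshot";
    wantedBy = [ "podman-authentik-server.service" "podman-authentik-worker.service" ];
    before = [ "podman-authentik-server.service" "podman-authentik-worker.service" ];
    # … unchanged: script …
  };
```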
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a commit from the branch you are interested in
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz";
+ # And set its hash
+ sha256 = "1i56llz037x416bw698v8j6arvv622qc0vsycd20lx3yx8n77n44";
+ })
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "anarkafem.dev";
+ domains = [ "anarkafem.dev" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
+ loginAccounts = {
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.email_noreply.file;
+ };
+ };
+
+ keyFile = config.security.acme.certs."anarkafem.dev".directory + "/key.pem";
+ certificateFile = config.security.acme.certs."anarkafem.dev".directory + "/cert.pem";
+ certificateScheme = 1;
+ };
+}
diff --git a/config/hosts/grondahl/services/nginx.nix b/config/hosts/grondahl/services/nginx.nix
index 505f79b..d313927 100644
--- a/config/hosts/grondahl/services/nginx.nix
+++ b/config/hosts/grondahl/services/nginx.nix
@@ -20,5 +20,15 @@
 '';
 };
 };
+ "cal.anarkafem.dev" = {
+ useACMEHost = "anarkafem.dev";
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:4000";
+ };
+ "auth.anarkafem.dev" = {
+ useACMEHost = "anarkafem.dev";
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:9000";
+ };
 };
 }
diff --git a/config/hosts/grondahl/services/postgres.nix b/config/hosts/grondahl/services/postgres.nix
index e092165..950c67a 100644
--- a/config/hosts/grondahl/services/postgres.nix
+++ b/config/hosts/grondahl/services/postgres.nix
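Review bot: The comment above `loginAccounts` tells operators to generate the hash with the password as a command-line argument (`htpasswd -nbB "" "super secret password"`), which leaves it in shell history and in the process list for the duration of the run; the `-b` flag is what causes that, so the comment should read `# nix run nixpkgs.apacheHttpd -c htpasswd -nB "" | cut -d: -f2` and let htpasswd prompt. Separately, `keyFile`/`certificateFile` point into `security.acme.certs."anarkafem.dev".directory` and `certificateScheme = 1` means the mail daemons read those files as given, so whatever group the ACME certificate is issued to must include the mail services (and a reload on renewal is needed) — the acme configuration is not in this diff, so worth confirming. The `fetchTarball` is pinned by commit and `sha256`, which is the right thing; the two comments explaining it can be trimmed to one.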
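Review bot: `auth.anarkafem.dev` forwards to authentik with a bare `proxyPass`; authentik's UI and embedded outpost rely on WebSocket connections, which need the upgrade headers, so that location should also set `locations."/".proxyWebsockets = true;` (and `cal.anarkafem.dev` likely needs the same once mobilizon is live, though I cannot confirm that from here). Both upstreams, 127.0.0.1:4000 and :9000, are only provided by `services/containers.nix`, which `configuration.nix` leaves commented out in this same commit, so these vhosts will return 502 until that import is enabled. The enclosing `virtualHosts` attrset starts before the hunk.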
@@ -1,26 +1,55 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
 services.postgresql = {
 enable = true;
 package = pkgs.postgresql_13;
+ extraPlugins = with config.services.postgresql.package.pkgs; [
+ postgis
+ ];
+ ensureDatabases = [
+ "matrix-synapse"
+ "mobilizon"
+ "authentik"
+ ];
+ ensureUsers = [
+ {
+ name = "matrix-synapse";
+ ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+ }
+ {
+ name = "mobilizon";
+ ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES";
+ }
+ {
+ name = "authentik";
+ ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES";
+ }
+ ];
 initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE synapse;
- CREATE DATABASE synapse WITH OWNER synapse
+ CREATE ROLE matrix-synapse;
+ CREATE DATABASE matrix-synapse WITH OWNER matrix-synapse
 TEMPLATE template0
 LC_COLLATE = "C"
 LC_CTYPE = "C"
 ENCODING = "UTF8";
 '';
- authentication = pkgs.lib.mkOverride 10 ''
- local all all trust
- host all all ::1/128 trust
- '';
+ settings = { password_encryption = "scram-sha-256"; };
+ authentication = pkgs.lib.mkForce ''
+ local all postgres peer
+ local all matrix-synapse peer
+ local all mobilizon scram-sha-256
+ local all authentik scram-sha-256
+ '';
 };
 services.postgresqlBackup = {
 enable = true;
 location = "/var/lib/postgresql/backup";
- databases = [ "synapse" ];
+ databases = [
+ "matrix-synapse"
+ "mobilizon"
+ "authentik"
+ ];
 startAt = "02:30";
 compression = "none";
 };
diff --git a/config/hosts/grondahl/services/redis.nix b/config/hosts/grondahl/services/redis.nix
new file mode 100644
index 0000000..6a001e1
--- /dev/null
+++ b/config/hosts/grondahl/services/redis.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ services.redis = {
+ enable = true;
+ unixSocket = "/run/redis/redis.sock";
+ vmOverCommit = true;
+ unixSocketPerm = 770;
+ #requirePassfile = config.secrets.files.redis_pass.file;
+ };
+}
+
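Review bot: `CREATE ROLE matrix-synapse;` and `CREATE DATABASE matrix-synapse WITH OWNER matrix-synapse` in `initialScript` use an unquoted identifier containing `-`, which PostgreSQL parses as `matrix - synapse` and rejects, so on a freshly initialised cluster the script aborts; the name must be double-quoted, as `ensurePermissions."DATABASE \"matrix-synapse\""` already does: `CREATE ROLE "matrix-synapse";` and `CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"`. Separately, `authentication` now demands `scram-sha-256` for `mobilizon` and `authentik`, but `ensureUsers` creates roles without a password and nothing in this hunk assigns one, so unless a password is set out of band those two logins are refused; a `postStart` step that runs `ALTER ROLE ... PASSWORD` from the corresponding secret should land with this change. Note also that `CREATE ROLE` defaults to NOLOGIN and, as far as I recall, the NixOS `ensureUsers` only creates roles that do not already exist, so the `matrix-synapse` role created here may be unable to log in at all — that predates this commit, but the rename is the moment to write `CREATE ROLE "matrix-synapse" LOGIN;`.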
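Review bot: `requirePassfile` is left commented out, so the instance runs without authentication: the socket is guarded only by `unixSocketPerm = 770` and the redis group, and if the module's default TCP listener on 127.0.0.1 is still in effect the server is also reachable by any local process with no credential — `port = 0;` would close that path. Either enable `requirePassfile = config.secrets.files.redis_pass.file;` (the `config` argument exists only for that line) or replace the commented line with a comment stating that socket permissions are the intended access control. `vmOverCommit = true` changes the kernel's `vm.overcommit_memory` sysctl for the whole host, not just redis, which deserves a one-line comment. The file is not imported by `configuration.nix` in this commit.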
diff --git a/config/hosts/grondahl/services/synapse.nix b/config/hosts/grondahl/services/synapse.nix
index 9d0c32e..210914f 100644
--- a/config/hosts/grondahl/services/synapse.nix
+++ b/config/hosts/grondahl/services/synapse.nix
@@ -9,8 +9,9 @@
 turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
 max_upload_size = "100M";
 database_type = "psycopg2";
- database_user = "synapse";
- database_name = "synapse";
+ database_args = {
+ password = builtins.toString config.secrets.files.synapse_db_password.file;
+ };
 turn_uris = [
 "turn:turn.anarkafem.dev:3478?transport=udp"
 "turn:turn.anarkafem.dev:3478?transport=tcp"
diff --git a/config/hosts/rudiger/services/postgres.nix b/config/hosts/rudiger/services/postgres.nix
index 4651a6e..af4cc48 100644
--- a/config/hosts/rudiger/services/postgres.nix
+++ b/config/hosts/rudiger/services/postgres.nix
@@ -2,18 +2,21 @@
 {
 services.postgresql = {
 enable = true;
- ensureDatabases = [ "nextcloud" ];
+ ensureDatabases = [
+ "nextcloud"
+ ];
 ensureUsers = [
- { name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
- }
+ {
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
 ];
 };
 services.postgresqlBackup = {
 enable = true;
 location = "/var/lib/postgresql/backup";
- databases = [ "synapse" ];
+ databases = [ "nextcloud" ];
 startAt = "02:30";
 compression = "none";
 };
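Review bot: `database_args.password` is set to `builtins.toString config.secrets.files.synapse_db_password.file`; if `.file` is a path — `services/mail.nix` in this commit passes the same attribute to `hashedPasswordFile`, which suggests it is — then the string Synapse sends as the password is the path, not the file's contents, although the `turn_shared_secret` context line uses the same pattern, so the secrets helper may resolve it in a way not visible here. In the same commit `services/postgres.nix` sets `local all matrix-synapse peer`, under which the password is never consulted and the connecting OS user must be `matrix-synapse`, so either this password is dead configuration or that `pg_hba` line should be `scram-sha-256`; pick one and note it next to `database_args`. Dropping `database_user`/`database_name` presumably falls back to the module defaults; a short comment stating the expected values would prevent a silent mismatch with the roles created in postgres.nix. The enclosing `services.matrix-synapse` block starts and ends outside the hunk.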