diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix
deleted file mode 100644
index 0a783ca..0000000
Binary files a/config/hosts/grondahl/data/secrets/secrets.nix and /dev/null differ
diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/stable/config/common/data/pubkeys/despondos_host_ed25519_key.pub
similarity index 100%
rename from config/common/data/pubkeys/despondos_host_ed25519_key.pub
rename to stable/config/common/data/pubkeys/despondos_host_ed25519_key.pub
diff --git a/stable/config/common/services/nginx.nix b/stable/config/common/services/nginx.nix
new file mode 100644
index 0000000..60f4b8f
--- /dev/null
+++ b/stable/config/common/services/nginx.nix
@@ -0,0 +1,43 @@
+{ ... }:
+{
+ services.nginx = {
+ #enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+ commonHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+}
diff --git a/config/common/services/ssh.nix b/stable/config/common/services/ssh.nix
similarity index 100%
rename from config/common/services/ssh.nix
rename to stable/config/common/services/ssh.nix
diff --git a/stable/config/hosts/mail/configuration.nix b/stable/config/hosts/mail/configuration.nix
new file mode 100644
index 0000000..44fa832
--- /dev/null
+++ b/stable/config/hosts/mail/configuration.nix
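Review bot: The comment `# Only allow PFS-enabled ciphers with AES256` does not match the `sslCiphers` value below it, which also admits the AES128-GCM and CHACHA20-POLY1305 suites; state what the list actually enforces, e.g. `# Only allow forward-secret (ECDHE/DHE) AEAD suites: AES-GCM and ChaCha20-Poly1305`. The `commonHttpConfig` headers deserve a warning that nginx inherits `add_header` directives only when the current server/location level declares none of its own, so a single `add_header` in any vhost silently drops HSTS and every other protection set here — something like `# NOTE: an add_header in any server/location block discards ALL of these; repeat them there` at the top of the block. `X-XSS-Protection "1; mode=block"` is the legacy browser filter that current guidance recommends setting to `0` or omitting once a CSP is deployed, and the CSP line is still commented out, so that line is the one worth enabling per service. `includeSubdomains; preload` commits every subdomain of the served names to HTTPS for a year and is not quickly reversible once submitted to the preload list; a one-line comment at that line recording that this is intended would help the next maintainer.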
@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../common/services/ssh.nix
+ #./services/restic.nix
+ ./services/mail.nix
+ ./services/acme.nix
+ ./data/secrets/secrets.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+ boot.supportedFilesystems = ["zfs"];
+ services.zfs.autoSnapshot.enable = true;
+ services.zfs.autoScrub.enable = true;
+
+ networking.hostName = "mail";
+ networking.hostId = "1e04e84b";
+ time.timeZone = "Europe/Copenhagen";
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+ networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:624a::1"; prefixLength = 64; } ];
+ networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+ users.users.emelie = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+ ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ htop
+ iotop
+ dig
+ ];
+
+ nix = {
+ autoOptimiseStore = true;
+ trustedUsers = [
+ "root"
+ "@wheel"
+ ];
+ };
+
+
+ # Use hetzner firewall instead
+ networking.firewall.enable = false;
+ system.stateVersion = "21.05";
+
+}
diff --git a/stable/config/hosts/mail/data/secrets/mail_noreply_anarkafem_dev b/stable/config/hosts/mail/data/secrets/mail_noreply_anarkafem_dev
new file mode 100644
index 0000000..8756cf3
Binary files /dev/null and b/stable/config/hosts/mail/data/secrets/mail_noreply_anarkafem_dev differ
diff --git a/stable/config/hosts/mail/data/secrets/secrets.nix b/stable/config/hosts/mail/data/secrets/secrets.nix
new file mode 100644
index 0000000..42a986c
Binary files /dev/null and b/stable/config/hosts/mail/data/secrets/secrets.nix differ
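Review bot: `networking.firewall.enable = false` together with `security.sudo.wheelNeedsPassword = false` for the only login user means this host's exposure is governed entirely by the out-of-band Hetzner firewall, yet the comment `# Use hetzner firewall instead` records neither which ports that rule set must expose nor that it must be kept in step with the mail, ACME and SSH services configured here; expand it to something like `# Host firewall deliberately off: inbound filtering is the Hetzner cloud firewall — update that rule set whenever a listening service is added here`. The imported `./data/secrets/secrets.nix`, `ssh_key` and `mail_noreply_anarkafem_dev` files appear in this commit only as binary blobs, which is consistent with an encryption filter such as git-crypt; since the secrets moved from `config/hosts/...` to `stable/config/hosts/...`, confirm the repository's attribute patterns still match the new prefix before any further edit, otherwise the next change to those files lands in clear text. Passwordless sudo for `emelie` is presumably what the nixus deploy user needs; a one-line comment saying so (`# passwordless sudo: required by the nixus deploy path`) would document the intent rather than leave it looking accidental.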
diff --git a/stable/config/hosts/mail/data/secrets/ssh_key b/stable/config/hosts/mail/data/secrets/ssh_key
new file mode 100644
index 0000000..d99f226
Binary files /dev/null and b/stable/config/hosts/mail/data/secrets/ssh_key differ
diff --git a/stable/config/hosts/mail/data/secrets/ssh_key.pub b/stable/config/hosts/mail/data/secrets/ssh_key.pub
new file mode 100644
index 0000000..04225ea
Binary files /dev/null and b/stable/config/hosts/mail/data/secrets/ssh_key.pub differ
diff --git a/stable/config/hosts/mail/hardware-configuration.nix b/stable/config/hosts/mail/hardware-configuration.nix
new file mode 100644
index 0000000..90e8d09
--- /dev/null
+++ b/stable/config/hosts/mail/hardware-configuration.nix
@@ -0,0 +1,41 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/profiles/minimal.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "rpool/safe/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" =
+ { device = "rpool/safe/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/var" =
+ { device = "rpool/safe/var";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix" =
+ { device = "rpool/local/nix";
+ fsType = "zfs";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/9c3c66f5-bf5a-4a2a-88a2-fc2ef312d7ef"; }
+ ];
+
+}
diff --git a/config/hosts/rudiger/services/acme.nix b/stable/config/hosts/mail/services/acme.nix
similarity index 100%
rename from config/hosts/rudiger/services/acme.nix
rename to stable/config/hosts/mail/services/acme.nix
diff --git a/stable/config/hosts/mail/services/mail.nix b/stable/config/hosts/mail/services/mail.nix
new file mode 100644
index 0000000..f6f1184
--- /dev/null
+++ b/stable/config/hosts/mail/services/mail.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+
+{
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a commit from the branch you are interested in
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
+ # And set its hash
+ sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+ })
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.graven.dev";
+ domains = [ "anarkafem.dev" ];
+
+ loginAccounts = {
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
+ };
+ };
+ certificateScheme = 3;
+ };
+}
diff --git a/config/hosts/wind/services/restic.nix b/stable/config/hosts/mail/services/restic.nix
similarity index 100%
rename from config/hosts/wind/services/restic.nix
rename to stable/config/hosts/mail/services/restic.nix
diff --git a/config/sources/default.nix b/stable/config/sources/default.nix
similarity index 100%
rename from config/sources/default.nix
rename to stable/config/sources/default.nix
diff --git a/stable/config/sources/nix/sources.json b/stable/config/sources/nix/sources.json
new file mode 100644
index 0000000..3098061
--- /dev/null
+++ b/stable/config/sources/nix/sources.json
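Review bot: This module and `unstable/config/hosts/grondahl/services/mail.nix` (later in this diff) both declare `domains = [ "anarkafem.dev" ]` with the same `noreply@anarkafem.dev` account but different `fqdn` values (`mail.graven.dev` here, `anarkafem.dev` there) and different pinned nixos-mailserver commits (`5675b12…` vs `6e81428…`); if both hosts are deployed, the domain's MX/SPF/DKIM records can point at only one of them and the DKIM keys generated on each host will differ, so a comment at `domains` naming which host is authoritative for `anarkafem.dev` is needed. The `builtins.fetchTarball` pin is hash-checked, which is good, but keeping it in the niv `sources.json` beside the other pins (`stable/config/sources/nix/sources.json`) would give one place to audit and bump for both trees instead of two inline URLs that have already drifted. A short comment above `certificateScheme = 3;` stating what that scheme does in the pinned nixos-mailserver version would help, as the bare number is opaque to readers.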
@@ -0,0 +1,50 @@
+{
+ "niv": {
+ "branch": "master",
+ "description": "Easy dependency management for Nix projects",
+ "homepage": "https://github.com/nmattia/niv",
+ "owner": "nmattia",
+ "repo": "niv",
+ "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c",
+ "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm",
+ "type": "tarball",
+ "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixos-hardware": {
+ "branch": "master",
+ "description": "A collection of NixOS modules covering hardware quirks.",
+ "homepage": "",
+ "owner": "NixOS",
+ "repo": "nixos-hardware",
+ "rev": "5a7e613703ea349fd46b3fa2f3dfe3bd5444d591",
+ "sha256": "088z9p9ycsvnghqbksxrssk43wfsnm9caks9lch90jp2x8c8aw7x",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/5a7e613703ea349fd46b3fa2f3dfe3bd5444d591.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixpkgs": {
+ "branch": "nixos-21.05",
+ "description": "Nix Packages collection",
+ "homepage": "",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4",
+ "sha256": "1xsp0xyrf8arjkf4wi09n96kbg0r8igsmzx8bhc1nj4nr078p0pg",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/46251a79f752ae1d46ef733e8e9760b6d3429da4.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixus": {
+ "branch": "master",
+ "description": null,
+ "homepage": "",
+ "owner": "Infinisil",
+ "repo": "nixus",
+ "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57",
+ "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb",
+ "type": "tarball",
+ "url": "https://github.com/Infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ }
+}
diff --git a/config/sources/nix/sources.nix b/stable/config/sources/nix/sources.nix
similarity index 100%
rename from config/sources/nix/sources.nix
rename to stable/config/sources/nix/sources.nix
diff --git a/stable/deploy/default.nix b/stable/deploy/default.nix
new file mode 100644
index 0000000..0373339
--- /dev/null
+++ b/stable/deploy/default.nix
@@ -0,0 +1,24 @@
+let
+ sources = import ../config/sources;
+in import "${sources.nixus}" {} ({ config, ... }: {
+
+ defaults = { name, ... }: {
+ configuration = { lib, ... }: {
+ networking.hostName = lib.mkDefault name;
+ };
+
+ # use our nixpkgs from niv
+ nixpkgs = sources.nixpkgs;
+ };
+
+ nodes = {
+ mail = { lib, config, ... }: {
+ host = "emelie@mail.graven.dev";
+ configuration = ../config/hosts/mail/configuration.nix;
+ switchTimeout = 300;
+ successTimeout = 300;
+ #ignoreFailingSystemdUnits = true;
+ };
+ };
+})
+
diff --git a/stable/result b/stable/result
new file mode 120000
index 0000000..fc926f2
--- /dev/null
+++ b/stable/result
@@ -0,0 +1 @@
+/nix/store/i50n7iakdlfmy4s7d90djnz30q4qskh5-deploy
\ No newline at end of file
diff --git a/unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub
new file mode 100644
index 0000000..6367ffa
--- /dev/null
+++ b/unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
diff --git a/config/common/services/nginx.nix b/unstable/config/common/services/nginx.nix
similarity index 100%
rename from config/common/services/nginx.nix
rename to unstable/config/common/services/nginx.nix
diff --git a/unstable/config/common/services/ssh.nix b/unstable/config/common/services/ssh.nix
new file mode 100644
index 0000000..2a918d9
--- /dev/null
+++ b/unstable/config/common/services/ssh.nix
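Review bot: `host = "emelie@mail.graven.dev"` makes every deploy depend on the operator's SSH trust for that host, but the shared `ssh.nix` modules in this commit pin a known-host entry only for `despondos.nao.sh`; adding a `programs.ssh.knownHosts` entry for `mail.graven.dev` on the deploying machine (its `ssh_key.pub` is already in the repo), or a comment stating how the host key is verified, would protect the switch path against a first-connection substitution. The `stable/result` symlink added in the next section is a `nix-build` output pointing into `/nix/store/…-deploy`; it will churn on every build and belongs in `.gitignore` rather than in the commit. `switchTimeout = 300;` and `successTimeout = 300;` carry no explanation — a one-line comment on why the defaults were raised would keep a later reader from "tidying" them away.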
@@ -0,0 +1,24 @@
+{ ... }:
+{
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+ kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+ macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ };
+
+ programs.ssh.knownHosts = {
+ despondos = {
+ hostNames = [ "despondos.nao.sh" ];
+ publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+ };
+ };
+
+ services.sshguard = {
+ enable = true;
+ blocktime = 300;
+ };
+}
diff --git a/config/hosts/grondahl/configuration.nix b/unstable/config/hosts/grondahl/configuration.nix
similarity index 98%
rename from config/hosts/grondahl/configuration.nix
rename to unstable/config/hosts/grondahl/configuration.nix
index c7a1ea9..4282811 100644
--- a/config/hosts/grondahl/configuration.nix
+++ b/unstable/config/hosts/grondahl/configuration.nix
@@ -12,6 +12,7 @@ ./services/restic.nix ./services/synapse.nix ./services/postgres.nix + ./services/mail.nix ]; boot.loader.grub.enable = true;
diff --git a/config/hosts/grondahl/data/secrets/acme_anarkafem_dev b/unstable/config/hosts/grondahl/data/secrets/acme_anarkafem_dev
similarity index 100%
rename from config/hosts/grondahl/data/secrets/acme_anarkafem_dev
rename to unstable/config/hosts/grondahl/data/secrets/acme_anarkafem_dev
diff --git a/unstable/config/hosts/grondahl/data/secrets/email_noreply b/unstable/config/hosts/grondahl/data/secrets/email_noreply
new file mode 100644
index 0000000..babe205
Binary files /dev/null and b/unstable/config/hosts/grondahl/data/secrets/email_noreply differ
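Review bot: `macs` lists `hmac-sha2-512-etm@openssh.com` twice; sshd tolerates the duplicate, but it reads like a paste slip that hid a second algorithm, and the intended line is presumably `macs = [ "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];` (or with `hmac-sha2-256-etm@openssh.com` as the middle entry if that was meant). `hostKeys` generates only an ed25519 host key, which is a sound choice but means clients without ed25519 support cannot connect at all; a comment such as `# ed25519 only: RSA/ECDSA host keys are deliberately not generated` records that as intent. The `knownHosts` pin for `despondos.nao.sh` is what lets the restic sftp jobs elsewhere in this commit verify the backup target, so a comment at that entry saying "used by the restic sftp backups" ties the two together for whoever rotates that host key.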
diff --git a/config/hosts/grondahl/data/secrets/restic_pass b/unstable/config/hosts/grondahl/data/secrets/restic_pass
similarity index 100%
rename from config/hosts/grondahl/data/secrets/restic_pass
rename to unstable/config/hosts/grondahl/data/secrets/restic_pass
diff --git a/unstable/config/hosts/grondahl/data/secrets/secrets.nix b/unstable/config/hosts/grondahl/data/secrets/secrets.nix
new file mode 100644
index 0000000..89f5c01
Binary files /dev/null and b/unstable/config/hosts/grondahl/data/secrets/secrets.nix differ
diff --git a/config/hosts/grondahl/data/secrets/ssh_key b/unstable/config/hosts/grondahl/data/secrets/ssh_key
similarity index 100%
rename from config/hosts/grondahl/data/secrets/ssh_key
rename to unstable/config/hosts/grondahl/data/secrets/ssh_key
diff --git a/config/hosts/grondahl/data/secrets/ssh_key.pub b/unstable/config/hosts/grondahl/data/secrets/ssh_key.pub
similarity index 100%
rename from config/hosts/grondahl/data/secrets/ssh_key.pub
rename to unstable/config/hosts/grondahl/data/secrets/ssh_key.pub
diff --git a/config/hosts/grondahl/data/secrets/synapse_macaroon_secret b/unstable/config/hosts/grondahl/data/secrets/synapse_macaroon_secret
similarity index 100%
rename from config/hosts/grondahl/data/secrets/synapse_macaroon_secret
rename to unstable/config/hosts/grondahl/data/secrets/synapse_macaroon_secret
diff --git a/config/hosts/grondahl/data/secrets/synapse_registration_shared_secret b/unstable/config/hosts/grondahl/data/secrets/synapse_registration_shared_secret
similarity index 100%
rename from config/hosts/grondahl/data/secrets/synapse_registration_shared_secret
rename to unstable/config/hosts/grondahl/data/secrets/synapse_registration_shared_secret
diff --git a/config/hosts/grondahl/data/secrets/turn_shared_secret b/unstable/config/hosts/grondahl/data/secrets/turn_shared_secret
similarity index 100%
rename from config/hosts/grondahl/data/secrets/turn_shared_secret
rename to unstable/config/hosts/grondahl/data/secrets/turn_shared_secret
diff --git a/config/hosts/grondahl/hardware-configuration.nix b/unstable/config/hosts/grondahl/hardware-configuration.nix
similarity index 100%
rename from config/hosts/grondahl/hardware-configuration.nix
rename to unstable/config/hosts/grondahl/hardware-configuration.nix
diff --git a/config/hosts/grondahl/services/acme.nix b/unstable/config/hosts/grondahl/services/acme.nix
similarity index 100%
rename from config/hosts/grondahl/services/acme.nix
rename to unstable/config/hosts/grondahl/services/acme.nix
diff --git a/config/hosts/grondahl/services/coturn.nix b/unstable/config/hosts/grondahl/services/coturn.nix
similarity index 100%
rename from config/hosts/grondahl/services/coturn.nix
rename to unstable/config/hosts/grondahl/services/coturn.nix
diff --git a/unstable/config/hosts/grondahl/services/mail.nix b/unstable/config/hosts/grondahl/services/mail.nix
new file mode 100644
index 0000000..3591384
--- /dev/null
+++ b/unstable/config/hosts/grondahl/services/mail.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a commit from the branch you are interested in
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz";
+ # And set its hash
+ sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5";
+ })
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "anarkafem.dev";
+ domains = [ "anarkafem.dev" ];
+ loginAccounts = {
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.email_noreply.file;
+
+ };
+ };
+ certificateScheme = 3;
+ };
+}
+
diff --git a/config/hosts/grondahl/services/nginx.nix b/unstable/config/hosts/grondahl/services/nginx.nix
similarity index 100%
rename from config/hosts/grondahl/services/nginx.nix
rename to unstable/config/hosts/grondahl/services/nginx.nix
diff --git a/config/hosts/grondahl/services/postgres.nix b/unstable/config/hosts/grondahl/services/postgres.nix
similarity index 100%
rename from config/hosts/grondahl/services/postgres.nix
rename to unstable/config/hosts/grondahl/services/postgres.nix
diff --git a/config/hosts/grondahl/services/restic.nix b/unstable/config/hosts/grondahl/services/restic.nix
similarity index 100%
rename from config/hosts/grondahl/services/restic.nix
rename to unstable/config/hosts/grondahl/services/restic.nix
diff --git a/config/hosts/grondahl/services/synapse.nix b/unstable/config/hosts/grondahl/services/synapse.nix
similarity index 100%
rename from config/hosts/grondahl/services/synapse.nix
rename to unstable/config/hosts/grondahl/services/synapse.nix
diff --git a/config/hosts/rudiger/configuration.nix b/unstable/config/hosts/rudiger/configuration.nix
similarity index 100%
rename from config/hosts/rudiger/configuration.nix
rename to unstable/config/hosts/rudiger/configuration.nix
diff --git a/config/hosts/rudiger/data/secrets/nc_admin_pass b/unstable/config/hosts/rudiger/data/secrets/nc_admin_pass
similarity index 100%
rename from config/hosts/rudiger/data/secrets/nc_admin_pass
rename to unstable/config/hosts/rudiger/data/secrets/nc_admin_pass
diff --git a/config/hosts/rudiger/data/secrets/redis_pass b/unstable/config/hosts/rudiger/data/secrets/redis_pass
similarity index 100%
rename from config/hosts/rudiger/data/secrets/redis_pass
rename to unstable/config/hosts/rudiger/data/secrets/redis_pass
diff --git a/config/hosts/rudiger/data/secrets/restic_pass b/unstable/config/hosts/rudiger/data/secrets/restic_pass
similarity index 100%
rename from config/hosts/rudiger/data/secrets/restic_pass
rename to unstable/config/hosts/rudiger/data/secrets/restic_pass
diff --git a/config/hosts/rudiger/data/secrets/secrets.nix b/unstable/config/hosts/rudiger/data/secrets/secrets.nix
similarity index 100%
rename from config/hosts/rudiger/data/secrets/secrets.nix
rename to unstable/config/hosts/rudiger/data/secrets/secrets.nix
diff --git a/config/hosts/rudiger/data/secrets/ssh_key b/unstable/config/hosts/rudiger/data/secrets/ssh_key
similarity index 100%
rename from config/hosts/rudiger/data/secrets/ssh_key
rename to unstable/config/hosts/rudiger/data/secrets/ssh_key
diff --git a/config/hosts/rudiger/data/secrets/ssh_key.pub b/unstable/config/hosts/rudiger/data/secrets/ssh_key.pub
similarity index 100%
rename from config/hosts/rudiger/data/secrets/ssh_key.pub
rename to unstable/config/hosts/rudiger/data/secrets/ssh_key.pub
diff --git a/config/hosts/rudiger/hardware-configuration.nix b/unstable/config/hosts/rudiger/hardware-configuration.nix
similarity index 100%
rename from config/hosts/rudiger/hardware-configuration.nix
rename to unstable/config/hosts/rudiger/hardware-configuration.nix
diff --git a/unstable/config/hosts/rudiger/services/acme.nix b/unstable/config/hosts/rudiger/services/acme.nix
new file mode 100644
index 0000000..62ae467
--- /dev/null
+++ b/unstable/config/hosts/rudiger/services/acme.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+ email = "admin+certs@graven.dev";
+ };
+}
+
diff --git a/config/hosts/rudiger/services/nextcloud.nix b/unstable/config/hosts/rudiger/services/nextcloud.nix
similarity index 100%
rename from config/hosts/rudiger/services/nextcloud.nix
rename to unstable/config/hosts/rudiger/services/nextcloud.nix
diff --git a/config/hosts/rudiger/services/nginx.nix b/unstable/config/hosts/rudiger/services/nginx.nix
similarity index 100%
rename from config/hosts/rudiger/services/nginx.nix
rename to unstable/config/hosts/rudiger/services/nginx.nix
diff --git a/config/hosts/rudiger/services/postgres.nix b/unstable/config/hosts/rudiger/services/postgres.nix
similarity index 100%
rename from config/hosts/rudiger/services/postgres.nix
rename to unstable/config/hosts/rudiger/services/postgres.nix
diff --git a/config/hosts/rudiger/services/redis.nix b/unstable/config/hosts/rudiger/services/redis.nix
similarity index 100%
rename from config/hosts/rudiger/services/redis.nix
rename to unstable/config/hosts/rudiger/services/redis.nix
diff --git a/config/hosts/rudiger/services/restic.nix b/unstable/config/hosts/rudiger/services/restic.nix
similarity index 100%
rename from config/hosts/rudiger/services/restic.nix
rename to unstable/config/hosts/rudiger/services/restic.nix
diff --git a/config/hosts/wind/configuration.nix b/unstable/config/hosts/wind/configuration.nix
similarity index 100%
rename from config/hosts/wind/configuration.nix
rename to unstable/config/hosts/wind/configuration.nix
diff --git a/config/hosts/wind/data/secrets/acme_graven_dev.env b/unstable/config/hosts/wind/data/secrets/acme_graven_dev.env
similarity index 100%
rename from config/hosts/wind/data/secrets/acme_graven_dev.env
rename to unstable/config/hosts/wind/data/secrets/acme_graven_dev.env
diff --git a/config/hosts/wind/data/secrets/restic_pass b/unstable/config/hosts/wind/data/secrets/restic_pass
similarity index 100%
rename from config/hosts/wind/data/secrets/restic_pass
rename to unstable/config/hosts/wind/data/secrets/restic_pass
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/unstable/config/hosts/wind/data/secrets/secrets.nix
similarity index 100%
rename from config/hosts/wind/data/secrets/secrets.nix
rename to unstable/config/hosts/wind/data/secrets/secrets.nix
diff --git a/config/hosts/wind/data/secrets/ssh_key b/unstable/config/hosts/wind/data/secrets/ssh_key
similarity index 100%
rename from config/hosts/wind/data/secrets/ssh_key
rename to unstable/config/hosts/wind/data/secrets/ssh_key
diff --git a/config/hosts/wind/data/secrets/ssh_key.pub b/unstable/config/hosts/wind/data/secrets/ssh_key.pub
similarity index 100%
rename from config/hosts/wind/data/secrets/ssh_key.pub
rename to unstable/config/hosts/wind/data/secrets/ssh_key.pub
diff --git a/config/hosts/wind/data/secrets/synapse_macaroon_secret b/unstable/config/hosts/wind/data/secrets/synapse_macaroon_secret
similarity index 100%
rename from config/hosts/wind/data/secrets/synapse_macaroon_secret
rename to unstable/config/hosts/wind/data/secrets/synapse_macaroon_secret
diff --git a/config/hosts/wind/data/secrets/synapse_registration_shared_secret b/unstable/config/hosts/wind/data/secrets/synapse_registration_shared_secret
similarity index 100%
rename from config/hosts/wind/data/secrets/synapse_registration_shared_secret
rename to unstable/config/hosts/wind/data/secrets/synapse_registration_shared_secret
diff --git a/config/hosts/wind/data/secrets/ttrss_email_pass b/unstable/config/hosts/wind/data/secrets/ttrss_email_pass
similarity index 100%
rename from config/hosts/wind/data/secrets/ttrss_email_pass
rename to unstable/config/hosts/wind/data/secrets/ttrss_email_pass
diff --git a/config/hosts/wind/data/secrets/turn_shared_secret b/unstable/config/hosts/wind/data/secrets/turn_shared_secret
similarity index 100%
rename from config/hosts/wind/data/secrets/turn_shared_secret
rename to unstable/config/hosts/wind/data/secrets/turn_shared_secret
diff --git a/config/hosts/wind/data/secrets/vaultwarden_env b/unstable/config/hosts/wind/data/secrets/vaultwarden_env
similarity index 100%
rename from config/hosts/wind/data/secrets/vaultwarden_env
rename to unstable/config/hosts/wind/data/secrets/vaultwarden_env
diff --git a/config/hosts/wind/hardware-configuration.nix b/unstable/config/hosts/wind/hardware-configuration.nix
similarity index 100%
rename from config/hosts/wind/hardware-configuration.nix
rename to unstable/config/hosts/wind/hardware-configuration.nix
diff --git a/config/hosts/wind/services/acme.nix b/unstable/config/hosts/wind/services/acme.nix
similarity index 100%
rename from config/hosts/wind/services/acme.nix
rename to unstable/config/hosts/wind/services/acme.nix
diff --git a/config/hosts/wind/services/coturn.nix b/unstable/config/hosts/wind/services/coturn.nix
similarity index 100%
rename from config/hosts/wind/services/coturn.nix
rename to unstable/config/hosts/wind/services/coturn.nix
diff --git a/config/hosts/wind/services/gitea.nix b/unstable/config/hosts/wind/services/gitea.nix
similarity index 100%
rename from config/hosts/wind/services/gitea.nix
rename to unstable/config/hosts/wind/services/gitea.nix
diff --git a/config/hosts/wind/services/nginx.nix b/unstable/config/hosts/wind/services/nginx.nix
similarity index 100%
rename from config/hosts/wind/services/nginx.nix
rename to unstable/config/hosts/wind/services/nginx.nix
diff --git a/config/hosts/wind/services/postgres.nix b/unstable/config/hosts/wind/services/postgres.nix
similarity index 100%
rename from config/hosts/wind/services/postgres.nix
rename to unstable/config/hosts/wind/services/postgres.nix
diff --git a/unstable/config/hosts/wind/services/restic.nix b/unstable/config/hosts/wind/services/restic.nix
new file mode 100644
index 0000000..083e4cc
--- /dev/null
+++ b/unstable/config/hosts/wind/services/restic.nix
@@ -0,0 +1,47 @@
+{ config, ... }:
+
+{
+
+ services.restic.backups = {
+ "gitea" = {
+ paths = [ "/var/lib/gitea" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "02:15"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "gitea";
+ };
+ "postgres" = {
+ paths = [ "/var/lib/postgresql/backup" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:00"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "postgres";
+ };
+ "synapse" = {
+ paths = [ "/var/lib/matrix-synapse" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:30"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "matrix-synapse";
+ };
+ "vaultwarden" = {
+ paths = [ "/var/lib/bitwarden_rs" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "23:45"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "vaultwarden";
+ };
+ };
+}
diff --git a/config/hosts/wind/services/synapse.nix b/unstable/config/hosts/wind/services/synapse.nix
similarity index 100%
rename from config/hosts/wind/services/synapse.nix
rename to unstable/config/hosts/wind/services/synapse.nix
diff --git a/config/hosts/wind/services/ttrss.nix b/unstable/config/hosts/wind/services/ttrss.nix
similarity index 100%
rename from config/hosts/wind/services/ttrss.nix
rename to unstable/config/hosts/wind/services/ttrss.nix
diff --git a/config/hosts/wind/services/vaultwarden.nix b/unstable/config/hosts/wind/services/vaultwarden.nix
similarity index 100%
rename from config/hosts/wind/services/vaultwarden.nix
rename to unstable/config/hosts/wind/services/vaultwarden.nix
diff --git a/unstable/config/sources/default.nix b/unstable/config/sources/default.nix
new file mode 100644
index 0000000..ccd3ba8
--- /dev/null
+++ b/unstable/config/sources/default.nix
@@ -0,0 +1,11 @@
+let
+ sources = import ./nix/sources.nix;
+
+ # just use standard pkgs from sources
+ # so that we have our applyPattches function
+ pkgs = import sources.nixpkgs {};
+
+in {
+ nixus = sources.nixus;
+} // sources
+
diff --git a/config/sources/nix/sources.json b/unstable/config/sources/nix/sources.json
similarity index 100%
rename from config/sources/nix/sources.json
rename to unstable/config/sources/nix/sources.json
diff --git a/unstable/config/sources/nix/sources.nix b/unstable/config/sources/nix/sources.nix
new file mode 100644
index 0000000..1938409
--- /dev/null
+++ b/unstable/config/sources/nix/sources.nix
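Review bot: `pkgs = import sources.nixpkgs {};` is bound but never used — the file returns `{ nixus = sources.nixus; } // sources` — so the comment `# so that we have our applyPattches function` describes something the module does not do (and misspells `applyPatches`); Nix is lazy so the binding costs nothing, but either drop it together with the comment or export it, e.g. `in { inherit pkgs; nixus = sources.nixus; } // sources`. `nixus = sources.nixus;` is also redundant: the right-hand side of `//` wins, and `sources` already carries `nixus`, so the explicit attribute is overwritten by the same value; if it is kept for readability a one-line comment saying so would stop a reader from looking for a difference.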
@@ -0,0 +1,174 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + + fetch_tarball = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + + fetch_git = name: spec: + let + ref = + if spec ? ref then spec.ref else + if spec ? branch then "refs/heads/${spec.branch}" else + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + in + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + + fetch_local = spec: spec.path; + + fetch_builtin-tarball = name: throw + ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; + + fetch_builtin-url = name: throw + ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=file -a builtin=true''; + + # + # Various helpers + # + + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: + ( + concatMapStrings (s: if builtins.isList s then "-" else s) + ( + builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) + ) + ); + + # The set of packages used when specs are fetched using non-builtins. 
+ mkPkgs = sources: system: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs name spec + else if spec.type == "tarball" then fetch_tarball pkgs name spec + else if spec.type == "git" then fetch_git name spec + else if spec.type == "local" then fetch_local spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball name + else if spec.type == "builtin-url" then fetch_builtin-url name + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + replace = name: drv: + let + saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. 
+ builtins.getEnv "PWD" + "/${ersatz}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: if cond then as else {}; + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, name ? null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, name ? 
null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = replace name (fetch config.pkgs name spec); } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null + , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) + , system ? builtins.currentSystem + , pkgs ? mkPkgs sources system + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers + inherit pkgs; + }; + +in +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/deploy/default.nix b/unstable/deploy/default.nix similarity index 95% rename from deploy/default.nix rename to unstable/deploy/default.nix index ee07e2e..3fdc041 100644 --- a/deploy/default.nix +++ b/unstable/deploy/default.nix @@ -1,5 +1,5 @@ let - sources = import ../config/sources; + sources = import ../unstable/config/sources; in import "${sources.nixus}" {} ({ config, ... }: { defaults = { name, ... }: {