Restructure folders, add mail host

The entire file structure has been reorganised into stable and unstable to separate deployments running on either channel. A `mail` host running Simple Nix Mailserver has also been added for testing to see if it's a good alternative to soverin as well as SMTP for other services.
2021-11-20 07:18:18 +01:00 · 2021-11-20 07:18:18 +01:00 · 90eb0c3708
commit 90eb0c3708
parent 51ba0ae296
78 changed files with 535 additions and 1 deletions
--- a/unstable/config/hosts/grondahl/services/acme.nix
+++ b/unstable/config/hosts/grondahl/services/acme.nix
@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    email = "admin+certs@anarkafem.dev";
+    certs."anarkafem.dev" = {
+      extraDomainNames = [ "*.anarkafem.dev" ];
+      dnsProvider = "hurricane";
+      credentialsFile = config.secrets.files.acme_anarkafem_dev.file;
+    };
+  };
+}
+
--- a/unstable/config/hosts/grondahl/services/coturn.nix
+++ b/unstable/config/hosts/grondahl/services/coturn.nix
@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  services.coturn = {
+    enable = true;
+    lt-cred-mech = true;
+    use-auth-secret = true;
+    static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    realm = "turn.anarkafem.dev";
+    relay-ips = [
+      "107.189.30.157"
+      "2605:6400:30:ef32::1"
+    ];
+    no-tcp-relay = true;
+    extraConfig = "
+    cipher-list=\"HIGH\"
+    no-loopback-peers
+    no-multicast-peers
+    ";
+    secure-stun = true;
+    cert = "/var/lib/acme/anarkafem.dev/fullchain.pem";
+    pkey = "/var/lib/acme/anarkafem.dev/key.pem";
+    min-port = 49152;
+    max-port = 49999;
+  };
+}
--- a/unstable/config/hosts/grondahl/services/mail.nix
+++ b/unstable/config/hosts/grondahl/services/mail.nix
@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  imports = [
+    (builtins.fetchTarball {
+      # Pick a commit from the branch you are interested in
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz";
+      # And set its hash
+      sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5";
+    })
+  ];
+
+  mailserver = {
+    enable = true;
+    fqdn = "anarkafem.dev";
+    domains = [ "anarkafem.dev" ];
+    loginAccounts = {
+      "noreply@anarkafem.dev" = {
+        hashedPasswordFile = config.secrets.files.email_noreply.file;
+
+      };
+    };
+    certificateScheme = 3;
+  };
+}
+
--- a/unstable/config/hosts/grondahl/services/nginx.nix
+++ b/unstable/config/hosts/grondahl/services/nginx.nix
@ -0,0 +1,24 @@
+{
+  imports = [ ../../../common/services/nginx.nix ];
+  services.nginx.virtualHosts = {
+    "anarkafem.dev" = {
+      useACMEHost = "anarkafem.dev";
+      forceSSL = true;
+      locations."/".root = "/var/www/anarkafem.dev/public";
+      locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
+      locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
+      locations."/.well-known/matrix/" = {
+        root = "/var/www/matrix/public";
+        extraConfig = ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin "*";
+          add_header Strict-Transport-Security $hsts_header;
+          add_header Referrer-Policy "origin-when-cross-origin";
+          add_header X-Frame-Options "DENY";
+          add_header X-Content-Type-Options "nosniff";
+          add_header X-XSS-Protection "1; mode=block";
+        '';
+      };
+    };
+  };
+}
--- a/unstable/config/hosts/grondahl/services/postgres.nix
+++ b/unstable/config/hosts/grondahl/services/postgres.nix
@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+                      CREATE ROLE synapse;
+                      CREATE DATABASE synapse WITH OWNER synapse
+                          TEMPLATE template0
+                          LC_COLLATE = "C"
+                          LC_CTYPE = "C"
+                          ENCODING = "UTF8";
+    '';
+    authentication = pkgs.lib.mkOverride 10 ''
+        local all all trust
+        host all all ::1/128 trust
+    '';
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/var/lib/postgresql/backup";
+    databases = [ "synapse" ];
+    startAt = "02:30";
+    compression = "none";
+  };
+}
+
--- a/unstable/config/hosts/grondahl/services/restic.nix
+++ b/unstable/config/hosts/grondahl/services/restic.nix
@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.restic.backups = {
+    "postgres" = {
+      paths = [ "/var/lib/postgresql/backup" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
+    };
+    "synapse" = {
+      paths = [ "/var/lib/matrix-synapse" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:45"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "matrix-synapse";
+    };
+  };
+}
+
--- a/unstable/config/hosts/grondahl/services/synapse.nix
+++ b/unstable/config/hosts/grondahl/services/synapse.nix
@ -0,0 +1,72 @@
+{ config, ... }:
+
+{
+  services.matrix-synapse = {
+    enable = true;
+    server_name = "anarkafem.dev";
+    enable_registration = false;
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    max_upload_size = "20M";
+    database_type = "psycopg2";
+    database_user = "synapse";
+    database_name = "synapse";
+    turn_uris = [
+      "turn:turn.anarkafem.dev:3478?transport=udp"
+      "turn:turn.anarkafem.dev:3478?transport=tcp"
+      "turn:turn.anarkafem.dev:3479?transport=udp"
+      "turn:turn.anarkafem.dev:3479?transport=tcp"
+      "turns:turn.anarkafem.dev:5349?transport=udp"
+      "turns:turn.anarkafem.dev:5349?transport=tcp"
+      "turns:turn.anarkafem.dev:5350?transport=udp"
+      "turns:turn.anarkafem.dev:5350?transport=tcp"
+    ];
+    report_stats = false;
+    withJemalloc = true;
+    servers = { "anarkafem.dev" = {}; };
+    extraConfig = ''
+      auto_join_rooms:
+        - "#suf-aalborg:anarkafem.dev"
+    '';
+    logConfig = ''
+      version: 1
+
+      formatters:
+          precise:
+              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+      handlers:
+          console:
+              class: logging.StreamHandler
+              formatter: precise
+
+      loggers:
+          synapse.storage.SQL:
+              # beware: increasing this to DEBUG will make synapse log sensitive
+              # information such as access tokens.
+              level: INFO
+
+      root:
+          level: INFO
+          handlers: [console]
+
+      disable_existing_loggers: false
+    '';
+    listeners = [
+      {
+        port = 8008;
+        bind_address = "127.0.0.1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          { 
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
+  };
+}
+