Restructure folders

config/common/data/pubkeys/despondos_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7

config/common/services/nginx.nix

@@ -0,0 +1,43 @@
+{ ... }:
+{
+    services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}

config/common/services/ssh.nix

@@ -0,0 +1,24 @@
+{ ... }:
+{
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "no";
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
+    hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+  };
+
+  programs.ssh.knownHosts = {
+    despondos = {
+      hostNames = [ "despondos.nao.sh" ];
+      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+    };
+  };
+
+  services.sshguard = {
+    enable = true;
+    blocktime = 300;
+  };
+}

config/hosts/grondahl/configuration.nix

@@ -0,0 +1,85 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./data/secrets/secrets.nix
+    ../../common/services/ssh.nix
+    ./services/acme.nix
+    ./services/coturn.nix
+    ./services/nginx.nix
+    ./services/restic.nix
+    ./services/synapse.nix
+    ./services/postgres.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/vda";
+  boot.kernelPackages = pkgs.linuxPackages_5_10;
+  networking = {
+    hostName = "grondahl";
+    useDHCP = false;
+    interfaces = {
+      "ens3" = {
+        ipv4.addresses = [ {
+          address = "107.189.30.157";
+          prefixLength = 24;
+        } ];
+        ipv6.addresses = [ {
+          address = "2605:6400:30:ef32::1";
+          prefixLength = 48;
+        } ];
+      };
+    };
+    defaultGateway = "107.189.30.1";
+    defaultGateway6 = {
+      address = "2605:6400:30::1";
+      interface = "ens3";
+    };
+    nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+  };
+
+  time.timeZone = "Europe/Copenhagen";
+
+  security.sudo.wheelNeedsPassword = false;
+
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
+      "root"
+      "@wheel"
+    ];
+  };
+
+
+
+  users.users.emelie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+
+  users.groups.acme.members = [ "nginx" "turnserver" ];
+  users.groups.backup.members = [ "matrix-synapse" "postgres" ];
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    iotop
+    dig
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
+  networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+
+  system.stateVersion = "21.05";
+
+}

config/hosts/grondahl/hardware-configuration.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      (modulesPath + "/profiles/minimal.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8c343c61-87b5-493c-984c-634f59814f3d";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/2cd0615d-c517-4153-907e-6d8dd9d0e7fc"; }
+    ];
+
+}

config/hosts/grondahl/services/acme.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    email = "admin+certs@anarkafem.dev";
+    certs."anarkafem.dev" = {
+      extraDomainNames = [ "*.anarkafem.dev" ];
+      dnsProvider = "hurricane";
+      credentialsFile = config.secrets.files.acme_anarkafem_dev.file;
+    };
+  };
+}
+

config/hosts/grondahl/services/coturn.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  services.coturn = {
+    enable = true;
+    lt-cred-mech = true;
+    use-auth-secret = true;
+    static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    realm = "turn.anarkafem.dev";
+    relay-ips = [
+      "107.189.30.157"
+      "2605:6400:30:ef32::1"
+    ];
+    no-tcp-relay = true;
+    extraConfig = "
+    cipher-list=\"HIGH\"
+    no-loopback-peers
+    no-multicast-peers
+    ";
+    secure-stun = true;
+    cert = "/var/lib/acme/anarkafem.dev/fullchain.pem";
+    pkey = "/var/lib/acme/anarkafem.dev/key.pem";
+    min-port = 49152;
+    max-port = 49999;
+  };
+}

config/hosts/grondahl/services/nginx.nix

@@ -0,0 +1,24 @@
+{
+  imports = [ ../../../common/services/nginx.nix ];
+  services.nginx.virtualHosts = {
+    "anarkafem.dev" = {
+      useACMEHost = "anarkafem.dev";
+      forceSSL = true;
+      locations."/".root = "/var/www/anarkafem.dev/public";
+      locations."/_matrix/".proxyPass = "http://127.0.0.1:8008";
+      locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
+      locations."/.well-known/matrix/" = {
+        root = "/var/www/matrix/public";
+        extraConfig = ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin "*";
+          add_header Strict-Transport-Security $hsts_header;
+          add_header Referrer-Policy "origin-when-cross-origin";
+          add_header X-Frame-Options "DENY";
+          add_header X-Content-Type-Options "nosniff";
+          add_header X-XSS-Protection "1; mode=block";
+        '';
+      };
+    };
+  };
+}

config/hosts/grondahl/services/postgres.nix

@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+                      CREATE ROLE synapse;
+                      CREATE DATABASE synapse WITH OWNER synapse
+                          TEMPLATE template0
+                          LC_COLLATE = "C"
+                          LC_CTYPE = "C"
+                          ENCODING = "UTF8";
+    '';
+    authentication = pkgs.lib.mkOverride 10 ''
+        local all all trust
+        host all all ::1/128 trust
+    '';
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/var/lib/postgresql/backup";
+    databases = [ "synapse" ];
+    startAt = "02:30";
+    compression = "none";
+  };
+}
+

config/hosts/grondahl/services/restic.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.restic.backups = {
+    "postgres" = {
+      paths = [ "/var/lib/postgresql/backup" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/postgres";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
+    };
+    "synapse" = {
+      paths = [ "/var/lib/matrix-synapse" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/grondahl/synapse";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:45"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "matrix-synapse";
+    };
+  };
+}
+

config/hosts/grondahl/services/synapse.nix

@@ -0,0 +1,73 @@
+{ config, ... }:
+
+{
+  services.matrix-synapse = {
+    enable = true;
+    server_name = "anarkafem.dev";
+    enable_registration = false;
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    max_upload_size = "100M";
+    database_type = "psycopg2";
+    database_user = "synapse";
+    database_name = "synapse";
+    turn_uris = [
+      "turn:turn.anarkafem.dev:3478?transport=udp"
+      "turn:turn.anarkafem.dev:3478?transport=tcp"
+      "turn:turn.anarkafem.dev:3479?transport=udp"
+      "turn:turn.anarkafem.dev:3479?transport=tcp"
+      "turns:turn.anarkafem.dev:5349?transport=udp"
+      "turns:turn.anarkafem.dev:5349?transport=tcp"
+      "turns:turn.anarkafem.dev:5350?transport=udp"
+      "turns:turn.anarkafem.dev:5350?transport=tcp"
+    ];
+    report_stats = false;
+    withJemalloc = true;
+    servers = { "anarkafem.dev" = {}; };
+    extraConfig = ''
+      default_room_version: "9"
+      auto_join_rooms:
+        - "#suf-aalborg:anarkafem.dev"
+    '';
+    logConfig = ''
+      version: 1
+
+      formatters:
+          precise:
+              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+      handlers:
+          console:
+              class: logging.StreamHandler
+              formatter: precise
+
+      loggers:
+          synapse.storage.SQL:
+              # beware: increasing this to DEBUG will make synapse log sensitive
+              # information such as access tokens.
+              level: INFO
+
+      root:
+          level: INFO
+          handlers: [console]
+
+      disable_existing_loggers: false
+    '';
+    listeners = [
+      {
+        port = 8008;
+        bind_address = "127.0.0.1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          { 
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
+  };
+}
+    

config/hosts/mail/configuration.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [ 
+    ./hardware-configuration.nix 
+    ../../common/services/ssh.nix
+    #./services/restic.nix
+    ./services/mail.nix
+    ./services/acme.nix
+    ./data/secrets/secrets.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+  boot.supportedFilesystems = ["zfs"];
+  services.zfs.autoSnapshot.enable = true;
+  services.zfs.autoScrub.enable = true;
+
+  networking.hostName = "mail";
+  networking.hostId = "1e04e84b";
+  time.timeZone = "Europe/Copenhagen";
+  networking.useDHCP = false;
+  networking.interfaces.ens3.useDHCP = true;
+  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:624a::1"; prefixLength = 64; } ];
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+  users.users.emelie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  environment.systemPackages = with pkgs; [
+    vim
+    htop
+    iotop
+    dig
+  ];
+
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
+      "root"
+      "@wheel"
+    ];
+  };
+
+
+  # Use hetzner firewall instead
+  networking.firewall.enable = false;
+  system.stateVersion = "21.05";
+
+}

config/hosts/mail/hardware-configuration.nix

@@ -0,0 +1,41 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      (modulesPath + "/profiles/minimal.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/safe/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/safe/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var" =
+    { device = "rpool/safe/var";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/local/nix";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/9c3c66f5-bf5a-4a2a-88a2-fc2ef312d7ef"; }
+    ];
+
+}

config/hosts/mail/services/acme.nix

@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    email = "admin+certs@graven.dev";
+  };
+}
+

config/hosts/mail/services/mail.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+
+{
+  imports = [
+    (builtins.fetchTarball {
+      # Pick a commit from the branch you are interested in
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
+      # And set its hash
+      sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+    })
+  ];
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.graven.dev";
+    domains = [ "anarkafem.dev" ];
+
+    loginAccounts = {
+      "noreply@anarkafem.dev" = {
+        hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
+      };
+    };
+    certificateScheme = 3;
+  };
+}

config/hosts/mail/services/restic.nix

@@ -0,0 +1,17 @@
+{ config, ... }:
+
+{
+
+  services.restic.backups = {
+    "mail" = {
+      paths = [ "/var/vmail" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/mail/mail";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "02:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "virtualMail";
+    };
+  };
+}

config/hosts/rudiger/configuration.nix

@@ -0,0 +1,87 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./data/secrets/secrets.nix
+      ../../common/services/ssh.nix
+      ./services/acme.nix
+      ./services/nextcloud.nix
+      ./services/nginx.nix
+      ./services/postgres.nix
+      ./services/redis.nix
+      ./services/restic.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+
+  boot.supportedFilesystems = ["zfs"];
+  services.zfs.autoSnapshot.enable = true;
+  services.zfs.autoScrub.enable = true;
+
+  time.timeZone = "Europe/Copenhagen";
+
+  networking = {
+    hostName = "rudiger";
+    hostId = "8c7b66a4";
+    useDHCP = false;
+    tempAddresses = "disabled";
+    interfaces = {
+      "ens3" = {
+        ipv4.addresses = [ {
+          address = "202.61.202.170";
+          prefixLength = 22;
+        } ];
+        ipv6.addresses = [ {
+          address = "2a03:4000:5a:c61::1";
+          prefixLength = 64;
+        } ];
+      };
+    };
+    defaultGateway = "202.61.200.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "ens3";
+    };
+    nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+  };
+
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
+      "root"
+      "@wheel"
+    ];
+  };
+  users.users.emelie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    iotop
+    dig
+  ];
+  security.sudo.wheelNeedsPassword = false;
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" "redis.service" ];
+    after = [ "postgresql.service" "redis.service" ];
+  };
+
+  users.groups.redis.members = [ "nextcloud" ];
+  users.groups.backup.members = [ "nextcloud" "postgres" ];
+
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  system.stateVersion = "21.05";
+
+}

config/hosts/rudiger/hardware-configuration.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      (modulesPath + "/profiles/minimal.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/safe/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/F220-781F";
+      fsType = "vfat";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/safe/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/local/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/nextcloud" =
+    { device = "rpool/safe/nextcloud";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/52f7db16-b51b-4b8c-bfea-46184bb3099e"; }
+    ];
+}

config/hosts/rudiger/services/acme.nix

@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    email = "admin+certs@graven.dev";
+  };
+}
+

config/hosts/rudiger/services/nextcloud.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+{
+  services.nextcloud = {
+    enable = true;
+    hostName = "cloud.graven.dev";
+    https = true;
+    package = pkgs.nextcloud22;
+    autoUpdateApps.enable = true;
+    maxUploadSize = "10G";
+    webfinger = true;
+    caching.redis = true;
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+      dbname = "nextcloud";
+      defaultPhoneRegion = "DK";
+      adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
+      adminuser = "root";
+    };
+  };
+}

config/hosts/rudiger/services/nginx.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [ ../../../common/services/nginx.nix ];
+  services.nginx.virtualHosts."cloud.graven.dev" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+}

config/hosts/rudiger/services/postgres.nix

@@ -0,0 +1,21 @@
+{ ... }:
+{
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [
+     { name = "nextcloud";
+       ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+     }
+    ];
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/var/lib/postgresql/backup";
+    databases = [ "synapse" ];
+    startAt = "02:30";
+    compression = "none";
+  };
+
+}

config/hosts/rudiger/services/redis.nix

@@ -0,0 +1,10 @@
+{ config, ...  }:
+{
+  services.redis = {
+    enable = true;
+    unixSocket = "/run/redis/redis.sock";
+    vmOverCommit = true;
+    unixSocketPerm = 770;
+    #requirePassfile = config.secrets.files.redis_pass.file;
+  }; 
+}

config/hosts/rudiger/services/restic.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.restic.backups = {
+    "postgres" = {
+      paths = [ "/var/lib/postgresql/backup" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/postgres";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "04:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
+    };
+    "nextcloud" = {
+      paths = [ "/var/lib/nextcloud/data" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/nextcloud";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "04:30"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "nextcloud";
+    };
+  };
+}
+

config/hosts/wind/configuration.nix

@@ -0,0 +1,81 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [ 
+    ./hardware-configuration.nix 
+    ../../common/services/ssh.nix
+    ./services/acme.nix
+    ./services/coturn.nix
+    ./services/nginx.nix
+    ./services/postgres.nix
+    ./services/synapse.nix
+    ./services/ttrss.nix
+    ./services/gitea.nix
+    ./services/restic.nix
+    ./services/vaultwarden.nix
+		./services/wireguard.nix
+    ./data/secrets/secrets.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+  boot.kernelPackages = pkgs.linuxPackages_5_10;
+  boot.supportedFilesystems = ["zfs"];
+  services.zfs.autoSnapshot.enable = true;
+  services.zfs.autoScrub.enable = true;
+
+  networking.hostName = "wind";
+  networking.hostId = "929e7fb7";
+  time.timeZone = "Europe/Copenhagen";
+  networking.useDHCP = false;
+  networking.interfaces.ens3.useDHCP = true;
+  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; } ];
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+  users.users.emelie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+
+  users.users.deploy = {
+    isNormalUser = true;
+    extraGroups = [ "nginx" ];
+    openssh.authorizedKeys.keys = [ 
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
+    ];
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  environment.systemPackages = with pkgs; [
+    vim
+    htop
+    iotop
+    dig
+  ];
+
+  nix = {
+    autoOptimiseStore = true;
+    trustedUsers = [
+      "root"
+      "@wheel"
+    ];
+  };
+
+
+  # Use hetzner firewall instead
+  networking.firewall.enable = false;
+  # networking.firewall.allowedTCPPorts = [ 22 80 443 3478 5349 ];
+  # networking.firewall.allowedUDPPorts = [ 3478 5349 ]
+  # networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
+
+  users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
+  users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
+
+  system.stateVersion = "21.05";
+
+}

config/hosts/wind/hardware-configuration.nix

@@ -0,0 +1,76 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      (modulesPath + "/profiles/minimal.nix")
+      #(modulesPath + "/profiles/hardened.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/safe/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/safe/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/local/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/85B8-9142";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/lib/matrix-synapse" =
+    { device = "rpool/safe/synapse";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/postgresql" =
+    { device = "rpool/safe/postgres";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/acme" =
+    { device = "rpool/safe/acme";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/www" =
+    { device = "rpool/safe/webroot";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/tt-rss" =
+    { device = "rpool/safe/tt-rss";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/gitea" =
+    { device = "rpool/safe/gitea";
+      fsType = "zfs";
+    };
+  fileSystems."/var/lib/vaultwarden" =
+    { device = "rpool/safe/vaultwarden";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/e70cc088-a54e-4cd8-88ec-91944e5ff989"; }
+    ];
+
+}

config/hosts/wind/services/acme.nix

@@ -0,0 +1,21 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    email = "admin+certs@graven.dev";
+		certs = {
+			"graven.dev" = {
+				extraDomainNames = [ "*.graven.dev" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_dev.file;
+			};
+			"graven.se" = {
+				extraDomainNames = [ "*.graven.se" ];
+				dnsProvider = "hurricane";
+				credentialsFile = config.secrets.files.acme_graven_se.file;
+			};
+		};
+  };
+}
+

config/hosts/wind/services/coturn.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.coturn = {
+    enable = true;
+    lt-cred-mech = true;
+    use-auth-secret = true;
+    static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    realm = "turn.graven.dev";
+    relay-ips = [
+      "65.21.58.38"
+      "2a01:4f9:c010:34cb::1"
+    ];
+    no-tcp-relay = true;
+    extraConfig = "
+    cipher-list=\"HIGH\"
+    no-loopback-peers
+    no-multicast-peers
+    ";
+    secure-stun = true;
+    cert = "/var/lib/acme/graven.dev/fullchain.pem";
+    pkey = "/var/lib/acme/graven.dev/key.pem";
+    min-port = 49152;
+    max-port = 49999;
+  };
+}
+

config/hosts/wind/services/gitea.nix

@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+  services.gitea = {
+    enable = true;
+    domain = "git.graven.dev";
+    rootUrl = "https://git.graven.dev";
+    enableUnixSocket = true;
+    cookieSecure = true;
+    appName = "Graven Gitea";
+    settings = { "ui" = { "DEFAULT_THEME" = "arc-green"; }; };
+    database = {
+      type = "postgres";
+    };
+  };
+}

config/hosts/wind/services/nginx.nix

@@ -0,0 +1,126 @@
+{
+	imports = [ ../../../common/services/nginx.nix ];
+	services.nginx.virtualHosts = {
+		"graven.dev" = {
+			useACMEHost = "graven.dev";
+			forceSSL = true;
+			locations."/".root = "/var/www/graven.dev/public";
+			locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+			locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
+			locations."/.well-known/matrix/" = {
+				root = "/var/www/matrix/public";
+				extraConfig = ''
+					default_type application/json;
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"rss.graven.dev" = {
+			useACMEHost = "graven.dev";
+			forceSSL = true;
+		};
+		"git.graven.dev" = {
+			useACMEHost = "graven.dev";
+			forceSSL = true;
+			locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
+		};
+		"vault.graven.dev" = {
+			forceSSL = true;
+			useACMEHost = "graven.dev";
+			locations."/" = {
+				proxyPass = "http://localhost:8812";
+				proxyWebsockets = true;
+			};
+			locations."/notifications/hub" = {
+				proxyPass = "http://localhost:3012";
+				proxyWebsockets = true;
+			};
+			locations."/notifications/hub/negotiate" = {
+				proxyPass = "http://localhost:8812";
+				proxyWebsockets = true;
+			};
+		};
+		"openpgpkey.graven.dev" = {
+			forceSSL = true;
+			useACMEHost = "graven.dev";
+			locations."/" = {
+				root = "/var/www/openpgpkey";
+				extraConfig = ''
+					default_type "application/octet-stream";
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"openpgpkey.graven.se" = {
+			forceSSL = true;
+			useACMEHost = "graven.se";
+			locations."/" = {
+				root = "/var/www/openpgpkey";
+				extraConfig = ''
+					default_type "application/octet-stream";
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"tor.graven.dev" = {
+			forceSSL = true;
+			useACMEHost = "graven.dev";
+			locations."/" = {
+				root = "/var/www/tor";
+				extraConfig = ''
+					add_header Access-Control-Allow-Origin "*";
+					add_header Strict-Transport-Security $hsts_header;
+					add_header Referrer-Policy "same-origin";
+					add_header X-Frame-Options "DENY";
+					add_header X-Content-Type-Options "nosniff";
+					add_header X-XSS-Protection "1; mode=block";
+				'';
+			};
+		};
+		"mta-sts.graven.dev" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.graven.se" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.nao.sh" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.amandag.net" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.queersin.space" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+		"mta-sts.anarkafem.dev" = {
+			forceSSL = true;
+			enableACME = true;
+			root = "/var/www/mta-sts/public";
+		};
+	};
+}

config/hosts/wind/services/postgres.nix

@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+                      CREATE ROLE synapse;
+                      CREATE DATABASE synapse WITH OWNER synapse
+                          TEMPLATE template0
+                          LC_COLLATE = "C"
+                          LC_CTYPE = "C"
+                          ENCODING = "UTF8";
+    '';
+    authentication = pkgs.lib.mkOverride 10 ''
+        local all all trust
+        host all all ::1/128 trust
+    '';
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/var/lib/postgresql/backup";
+    databases = [ "synapse" ];
+    startAt = "02:30";
+    compression = "none";
+  };
+}

config/hosts/wind/services/restic.nix

@@ -0,0 +1,47 @@
+{ config, ... }:
+
+{
+
+  services.restic.backups = {
+    "gitea" = {
+      paths = [ "/var/lib/gitea" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "02:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "gitea";
+    };
+    "postgres" = {
+      paths = [ "/var/lib/postgresql/backup" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:00"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "postgres";
+    };
+    "synapse" = {
+      paths = [ "/var/lib/matrix-synapse" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:30"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "matrix-synapse";
+    };
+    "vaultwarden" = {
+      paths = [ "/var/lib/bitwarden_rs" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "23:45"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "vaultwarden";
+    };
+  };
+}

config/hosts/wind/services/synapse.nix

@@ -0,0 +1,67 @@
+{ config, ... }:
+
+{
+  services.matrix-synapse = {
+    enable = true;
+    server_name = "graven.dev";
+    enable_registration = false;
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
+    max_upload_size = "100M";
+    database_type = "psycopg2";
+    database_user = "synapse";
+    database_name = "synapse";
+    turn_uris = [
+      "turn:turn.graven.dev:3478?transport=udp"
+      "turn:turn.graven.dev:3478?transport=tcp"
+      "turn:turn.graven.dev:3479?transport=udp"
+      "turn:turn.graven.dev:3479?transport=tcp"
+      "turns:turn.graven.dev:5349?transport=udp"
+      "turns:turn.graven.dev:5349?transport=tcp"
+      "turns:turn.graven.dev:5350?transport=udp"
+      "turns:turn.graven.dev:5350?transport=tcp"
+    ];
+    report_stats = true;
+    withJemalloc = true;
+    logConfig = ''
+      version: 1
+
+      formatters:
+          precise:
+              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+      handlers:
+          console:
+              class: logging.StreamHandler
+              formatter: precise
+
+      loggers:
+          synapse.storage.SQL:
+              # beware: increasing this to DEBUG will make synapse log sensitive
+              # information such as access tokens.
+              level: WARN
+
+      root:
+          level: WARN
+          handlers: [console]
+
+      disable_existing_loggers: false
+    '';
+    listeners = [
+      {
+        port = 8008;
+        bind_address = "127.0.0.1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          { 
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
+  };
+}
+    

config/hosts/wind/services/ttrss.nix

@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+  services.tt-rss = {
+    enable = true;
+    registration.enable = true;
+    virtualHost = "rss.graven.dev";
+    selfUrlPath = "https://rss.graven.dev";
+  };
+}

config/hosts/wind/services/vaultwarden.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  services.vaultwarden = {
+    enable = true;
+    environmentFile = config.secrets.files.vaultwarden_env.file;
+    backupDir = "/var/lib/bitwarden_rs/backup";
+    config = {
+      domain = "https://vault.graven.dev";
+      signupsAllowed = false;
+      rocketPort = 8812;
+      ipHeader = "X-Real-IP";
+      websocketEnabled = true;
+      websocketAddress = "127.0.0.1";
+      websocketPort = "3012";
+      #dataDir = "/var/lib/vaultwarden";
+      smtpHost = "smtp.soverin.net";
+      smtpFrom = "vaultwarden@graven.dev";
+      smtpFromName = "Vaultwarden";
+      smtpPort = 465;
+      smtpSsl = true;
+      smtpExplicitTls = true;
+      smtpAuthMechanism = "Login";
+    };
+  };
+}

config/hosts/wind/services/wireguard.nix

@@ -0,0 +1,48 @@
+{ pkgs, config, ... }:
+{
+networking.nat.enable = true;
+	networking.nat.externalInterface = "ens3";
+	networking.nat.internalInterfaces = [ "wg0" ];
+	networking.firewall = {
+		allowedUDPPorts = [ 51820 ];
+	};
+
+	networking.wireguard.interfaces = {
+		# "wg0" is the network interface name. You can name the interface arbitrarily.
+		wg0 = {
+			# Determines the IP address and subnet of the server's end of the tunnel interface.
+			ips = [ "10.100.0.1/24" ];
+
+			# The port that WireGuard listens to. Must be accessible by the client.
+			listenPort = 51820;
+
+			# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+			# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+			postSetup = ''
+				${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+			'';
+
+			# This undoes the above command
+			postShutdown = ''
+				${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+			'';
+
+			# Path to the private key file.
+			#
+			# Note: The private key can also be included inline via the privateKey option,
+			# but this makes the private key world-readable; thus, using privateKeyFile is
+			# recommended.
+			privateKeyFile = builtins.toString config.secrets.files.wg_key.file;
+
+			peers = [
+				# List of allowed peers.
+				{ # Feel free to give a meaning full name
+					# Public key of the peer (not a file path).
+					publicKey = "5u3lMMKcFWohjs0jomG/86MffY8l4E6jbqjJzdyy6ik=";
+					# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+					allowedIPs = [ "10.100.0.2/32" ];
+				}
+			];
+		};
+	};
+}

config/sources/default.nix

@@ -0,0 +1,11 @@
+let
+  sources = import ./nix/sources.nix;
+
+  # just use standard pkgs from sources
+  # so that we have our applyPattches function
+  pkgs = import sources.nixpkgs {};
+
+in {
+  nixus = sources.nixus;
+} // sources
+

config/sources/nix/sources.json

@@ -0,0 +1,50 @@
+{
+    "niv": {
+        "branch": "master",
+        "description": "Easy dependency management for Nix projects",
+        "homepage": "https://github.com/nmattia/niv",
+        "owner": "nmattia",
+        "repo": "niv",
+        "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c",
+        "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm",
+        "type": "tarball",
+        "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixos-hardware": {
+        "branch": "master",
+        "description": "A collection of NixOS modules covering hardware quirks.",
+        "homepage": "",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "5a7e613703ea349fd46b3fa2f3dfe3bd5444d591",
+        "sha256": "088z9p9ycsvnghqbksxrssk43wfsnm9caks9lch90jp2x8c8aw7x",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixos-hardware/archive/5a7e613703ea349fd46b3fa2f3dfe3bd5444d591.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixpkgs": {
+        "branch": "nixos-21.05",
+        "description": "Nix Packages collection",
+        "homepage": "",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4",
+        "sha256": "1xsp0xyrf8arjkf4wi09n96kbg0r8igsmzx8bhc1nj4nr078p0pg",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/46251a79f752ae1d46ef733e8e9760b6d3429da4.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixus": {
+        "branch": "master",
+        "description": null,
+        "homepage": "",
+        "owner": "Infinisil",
+        "repo": "nixus",
+        "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57",
+        "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb",
+        "type": "tarball",
+        "url": "https://github.com/Infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    }
+}

config/sources/nix/sources.nix

@@ -0,0 +1,174 @@
+# This file has been generated by Niv.
+
+let
+
+  #
+  # The fetchers. fetch_<type> fetches specs of type <type>.
+  #
+
+  fetch_file = pkgs: name: spec:
+    let
+      name' = sanitizeName name + "-src";
+    in
+      if spec.builtin or true then
+        builtins_fetchurl { inherit (spec) url sha256; name = name'; }
+      else
+        pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
+
+  fetch_tarball = pkgs: name: spec:
+    let
+      name' = sanitizeName name + "-src";
+    in
+      if spec.builtin or true then
+        builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
+      else
+        pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
+
+  fetch_git = name: spec:
+    let
+      ref =
+        if spec ? ref then spec.ref else
+          if spec ? branch then "refs/heads/${spec.branch}" else
+            if spec ? tag then "refs/tags/${spec.tag}" else
+              abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
+    in
+      builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
+
+  fetch_local = spec: spec.path;
+
+  fetch_builtin-tarball = name: throw
+    ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
+        $ niv modify ${name} -a type=tarball -a builtin=true'';
+
+  fetch_builtin-url = name: throw
+    ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
+        $ niv modify ${name} -a type=file -a builtin=true'';
+
+  #
+  # Various helpers
+  #
+
+  # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
+  sanitizeName = name:
+    (
+      concatMapStrings (s: if builtins.isList s then "-" else s)
+        (
+          builtins.split "[^[:alnum:]+._?=-]+"
+            ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
+        )
+    );
+
+  # The set of packages used when specs are fetched using non-builtins.
+  mkPkgs = sources: system:
+    let
+      sourcesNixpkgs =
+        import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
+      hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
+      hasThisAsNixpkgsPath = <nixpkgs> == ./.;
+    in
+      if builtins.hasAttr "nixpkgs" sources
+      then sourcesNixpkgs
+      else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
+        import <nixpkgs> {}
+      else
+        abort
+          ''
+            Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
+            add a package called "nixpkgs" to your sources.json.
+          '';
+
+  # The actual fetching function.
+  fetch = pkgs: name: spec:
+
+    if ! builtins.hasAttr "type" spec then
+      abort "ERROR: niv spec ${name} does not have a 'type' attribute"
+    else if spec.type == "file" then fetch_file pkgs name spec
+    else if spec.type == "tarball" then fetch_tarball pkgs name spec
+    else if spec.type == "git" then fetch_git name spec
+    else if spec.type == "local" then fetch_local spec
+    else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
+    else if spec.type == "builtin-url" then fetch_builtin-url name
+    else
+      abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
+
+  # If the environment variable NIV_OVERRIDE_${name} is set, then use
+  # the path directly as opposed to the fetched source.
+  replace = name: drv:
+    let
+      saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
+      ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
+    in
+      if ersatz == "" then drv else
+        # this turns the string into an actual Nix path (for both absolute and
+        # relative paths)
+        if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
+
+  # Ports of functions for older nix versions
+
+  # a Nix version of mapAttrs if the built-in doesn't exist
+  mapAttrs = builtins.mapAttrs or (
+    f: set: with builtins;
+    listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
+  );
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
+  range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
+  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
+  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
+  concatMapStrings = f: list: concatStrings (map f list);
+  concatStrings = builtins.concatStringsSep "";
+
+  # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
+  optionalAttrs = cond: as: if cond then as else {};
+
+  # fetchTarball version that is compatible between all the versions of Nix
+  builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchTarball;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchTarball attrs;
+
+  # fetchurl version that is compatible between all the versions of Nix
+  builtins_fetchurl = { url, name ? null, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchurl;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchurl attrs;
+
+  # Create the final "sources" from the config
+  mkSources = config:
+    mapAttrs (
+      name: spec:
+        if builtins.hasAttr "outPath" spec
+        then abort
+          "The values in sources.json should not have an 'outPath' attribute"
+        else
+          spec // { outPath = replace name (fetch config.pkgs name spec); }
+    ) config.sources;
+
+  # The "config" used by the fetchers
+  mkConfig =
+    { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
+    , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
+    , system ? builtins.currentSystem
+    , pkgs ? mkPkgs sources system
+    }: rec {
+      # The sources, i.e. the attribute set of spec name to spec
+      inherit sources;
+
+      # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
+      inherit pkgs;
+    };
+
+in
+mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }