Compare commits
18 Commits
master
...
alexoundos
| Author | SHA1 | Date |
|---|---|---|
 Alexander
|
c9f2c2b9df | |
 Inex Code
|
2c2bb80006 | |
Alexander Tomokhov
|
5685a9e128 | |
|
Inex Code
|
f8befb0e3d | |
|
Inex Code
|
1464d7f3bd | |
|
Inex Code
|
d02524bb8f | |
|
Inex Code
|
23155b3c96 | |
|
Inex Code
|
6c07cc024b | |
|
Inex Code
|
5710f5892b | |
|
Inex Code
|
325dc40f34 | |
|
Inex Code
|
25d7bc6ec5 | |
|
Inex Code
|
29b855818d | |
|
Inex Code
|
e0ad80b4ca | |
|
Inex Code
|
e8a25ec565 | |
|
Inex Code
|
d41cf6a4db | |
|
Inex Code
|
2f0107ce3b | |
|
Inex Code
|
8f72f60286 | |
|
Inex Code
|
58e4f3acd8 |
|
|
@ -1,4 +1,5 @@
|
|||
userdata/userdata.json
|
||||
userdata/tokens.json
|
||||
hardware-configuration.nix
|
||||
networking.nix
|
||||
networking.nix
|
||||
/result
|
||||
|
|
|
|||
|
|
@ -0,0 +1,69 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
mc
|
||||
nixpkgs-fmt
|
||||
tcpdump
|
||||
];
|
||||
environment = {
|
||||
shellAliases = {
|
||||
cp = "cp --reflink=auto";
|
||||
diff = "diff --color";
|
||||
dmesg = "dmesg --time-format=iso";
|
||||
grep = "grep --color";
|
||||
};
|
||||
variables = {
|
||||
HISTCONTROL = "ignoredups:ignorespace";
|
||||
HISTFILESIZE = "10000";
|
||||
HISTSIZE = "10000";
|
||||
TIME_STYLE = "long-iso";
|
||||
};
|
||||
etc."inputrc".text = ''
|
||||
set colored-stats on
|
||||
set bell-style none
|
||||
set blink-matching-paren on
|
||||
set editing-mode vi
|
||||
set keyseq-timeout 0
|
||||
set show-mode-in-prompt on
|
||||
set keymap vi-insert
|
||||
set vi-ins-mode-string \1\e[6 q\2
|
||||
set vi-cmd-mode-string \1\e[2 q\2
|
||||
'';
|
||||
};
|
||||
|
||||
programs.neovim = {
|
||||
enable = true;
|
||||
vimAlias = true;
|
||||
defaultEditor = true;
|
||||
configure = {
|
||||
packages.myPlugin = with pkgs.vimPlugins; {
|
||||
#start = [ vim-nix ];
|
||||
start = [ vim-lastplace vim-nix nerdtree ];
|
||||
#opt = [ YouCompleteMe ];
|
||||
};
|
||||
customRC = ''
|
||||
set nocompatible
|
||||
set tabstop=8
|
||||
set expandtab
|
||||
set shiftwidth=4
|
||||
if $TERM == 'linux'
|
||||
hi Visual cterm=reverse
|
||||
endif
|
||||
" au FileType nix exec 'syntax clear nixString'
|
||||
'';
|
||||
};
|
||||
};
|
||||
programs.htop.enable = true;
|
||||
programs.tmux.enable = true;
|
||||
|
||||
#systemd.services.netdata.serviceConfig = {
|
||||
# ExecStartPre = "${pkgs.tmux}/bin/tmux -S /run/netdata/tmux.socket new-session -s my-session -d";
|
||||
# ExecStopPost = "${pkgs.tmux}/bin/tmux -S /run/netdata/tmux.socket kill-session -t my-session";
|
||||
#};
|
||||
|
||||
#systemd.services.phpfpm-nextcloud.serviceConfig = {
|
||||
# #User = "nextcloud";
|
||||
# ExecStartPre = "${pkgs.tmux}/bin/tmux -S /run/phpfpm/tmux.socket new-session -s my-session -d";
|
||||
# ExecStopPost = "${pkgs.tmux}/bin/tmux -S /run/phpfpm/tmux.socket kill-session -t my-session";
|
||||
#};
|
||||
}
|
||||
|
|
@ -8,6 +8,7 @@ let
|
|||
if cfg.direction == ""
|
||||
then ""
|
||||
else "--direction=${cfg.direction}";
|
||||
api-user = "sp-api-user";
|
||||
in
|
||||
{
|
||||
options.services.selfprivacy-api = {
|
||||
|
|
@ -18,30 +19,25 @@ in
|
|||
Enable SelfPrivacy API service
|
||||
'';
|
||||
};
|
||||
enableSwagger = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Enable Swagger UI
|
||||
'';
|
||||
};
|
||||
b2Bucket = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
B2 bucket
|
||||
'';
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
users.users = {
|
||||
${api-user} = {
|
||||
group = api-user;
|
||||
isSystemUser = true;
|
||||
createHome = false;
|
||||
};
|
||||
};
|
||||
users.groups.${api-user} = { };
|
||||
|
||||
|
||||
systemd.services.selfprivacy-api = {
|
||||
description = "API Server used to control system from the mobile application";
|
||||
environment = config.nix.envVars // {
|
||||
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||
HOME = "/root";
|
||||
#HOME = "/root";
|
||||
PYTHONUNBUFFERED = "1";
|
||||
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
|
||||
B2_BUCKET = cfg.b2Bucket;
|
||||
} // config.networking.proxy.envVars;
|
||||
path = [
|
||||
"/var/"
|
||||
|
|
@ -53,15 +49,20 @@ in
|
|||
pkgs.gitMinimal
|
||||
config.nix.package.out
|
||||
pkgs.nixos-rebuild
|
||||
pkgs.rclone
|
||||
pkgs.restic
|
||||
pkgs.mkpasswd
|
||||
pkgs.util-linux
|
||||
pkgs.e2fsprogs
|
||||
pkgs.iproute2
|
||||
pkgs.fuse-overlayfs
|
||||
pkgs.fuse
|
||||
];
|
||||
after = [ "network-online.target" ];
|
||||
wantedBy = [ "network-online.target" ];
|
||||
serviceConfig = {
|
||||
# FIXME
|
||||
# User = api-user;
|
||||
User = "root";
|
||||
ExecStart = "${pkgs.selfprivacy-graphql-api}/bin/app.py";
|
||||
Restart = "always";
|
||||
|
|
@ -74,8 +75,6 @@ in
|
|||
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||
HOME = "/root";
|
||||
PYTHONUNBUFFERED = "1";
|
||||
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
|
||||
B2_BUCKET = cfg.b2Bucket;
|
||||
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
|
||||
} // config.networking.proxy.envVars;
|
||||
path = [
|
||||
|
|
@ -88,11 +87,14 @@ in
|
|||
pkgs.gitMinimal
|
||||
config.nix.package.out
|
||||
pkgs.nixos-rebuild
|
||||
pkgs.rclone
|
||||
pkgs.restic
|
||||
pkgs.mkpasswd
|
||||
pkgs.util-linux
|
||||
pkgs.e2fsprogs
|
||||
pkgs.iproute2
|
||||
pkgs.fuse-overlayfs
|
||||
pkgs.fuse
|
||||
];
|
||||
after = [ "network-online.target" ];
|
||||
wantedBy = [ "network-online.target" ];
|
||||
|
|
|
|||
|
|
@ -2,8 +2,6 @@
|
|||
{
|
||||
services.selfprivacy-api = {
|
||||
enable = true;
|
||||
enableSwagger = config.services.userdata.api.enableSwagger;
|
||||
b2Bucket = config.services.userdata.backup.bucket;
|
||||
};
|
||||
|
||||
users.users."selfprivacy-api" = {
|
||||
|
|
|
|||
|
|
@ -1,29 +0,0 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
cfg = config.services.userdata;
|
||||
in
|
||||
{
|
||||
services.restic.backups = {
|
||||
options = {
|
||||
passwordFile = "/etc/restic/resticPasswd";
|
||||
repository = "s3:s3.anazonaws.com/${cfg.backup.bucket}";
|
||||
initialize = true;
|
||||
paths = [
|
||||
"/var/dkim"
|
||||
"/var/vmail"
|
||||
];
|
||||
timerConfig = {
|
||||
OnCalendar = [ "daily" ];
|
||||
};
|
||||
user = "restic";
|
||||
pruneOpts = [
|
||||
"--keep-daily 5"
|
||||
];
|
||||
};
|
||||
};
|
||||
users.users.restic = {
|
||||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
group = "restic";
|
||||
};
|
||||
}
|
||||
|
|
@ -1,7 +1,13 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/22-11.tar.gz";
|
||||
url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/22-11-backups.tar.gz";
|
||||
nix-overlay = (import (builtins.fetchTarball url-overlay));
|
||||
nixos-unstable-path =
|
||||
builtins.fetchTarball {
|
||||
url = "https://github.com/NixOS/nixpkgs/archive/c757e9bd77b16ca2e03c89bf8bc9ecb28e0c06ad.tar.gz";
|
||||
sha256 = "04msycqlccsk1wa78syc4l60557iia6yvarp5pvp0qn1j55mq9f5";
|
||||
};
|
||||
nixos-unstable = import nixos-unstable-path {};
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
|
|
@ -11,14 +17,13 @@ in
|
|||
./files.nix
|
||||
./volumes.nix
|
||||
./users.nix
|
||||
./mailserver/system/mailserver.nix
|
||||
#./mailserver/system/mailserver.nix
|
||||
./vpn/ocserv.nix
|
||||
./api/api.nix
|
||||
./api/api-module.nix
|
||||
./social/pleroma.nix
|
||||
./letsencrypt/acme.nix
|
||||
./letsencrypt/resolve.nix
|
||||
./backup/restic.nix
|
||||
./passmgr/bitwarden.nix
|
||||
./webserver/nginx.nix
|
||||
./webserver/memcached.nix
|
||||
|
|
@ -26,6 +31,14 @@ in
|
|||
./resources/limits.nix
|
||||
./videomeet/jitsi.nix
|
||||
./git/gitea.nix
|
||||
|
||||
./alexoundos.nix
|
||||
#./prometheus-grafana.nix
|
||||
#./victoriametrics-grafana.nix
|
||||
./netdata.nix
|
||||
#./example-systemd-service.nix
|
||||
"${nixos-unstable-path}/nixos/modules/services/mail/stalwart-mail.nix"
|
||||
(import ./stalwart.nix nixos-unstable)
|
||||
];
|
||||
|
||||
nixpkgs.overlays = [ (nix-overlay) ];
|
||||
|
|
@ -74,7 +87,7 @@ in
|
|||
openFirewall = false;
|
||||
};
|
||||
programs.ssh = {
|
||||
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
|
||||
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
|
||||
hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
|
@ -96,6 +109,9 @@ in
|
|||
automatic = true;
|
||||
options = "--delete-older-than 7d";
|
||||
};
|
||||
extraOptions = ''
|
||||
experimental-features = nix-command flakes repl-flake
|
||||
'';
|
||||
};
|
||||
services.journald.extraConfig = "SystemMaxUse=500M";
|
||||
boot.kernel.sysctl = {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,62 @@
|
|||
{ pkgs, ... }:
|
||||
let
|
||||
service-name = "example-service";
|
||||
user = "example-service-user";
|
||||
in
|
||||
{
|
||||
users.users = {
|
||||
${user} = {
|
||||
group = user;
|
||||
isNormalUser = true;
|
||||
createHome = false;
|
||||
};
|
||||
};
|
||||
users.groups.${user} = { };
|
||||
|
||||
systemd.services.${service-name} = {
|
||||
serviceConfig = {
|
||||
User = user;
|
||||
Group = user;
|
||||
|
||||
# Runtime directory and mode
|
||||
RuntimeDirectory = service-name;
|
||||
RuntimeDirectoryMode = "0750";
|
||||
# State directory and mode
|
||||
StateDirectory = service-name;
|
||||
StateDirectoryMode = "0750";
|
||||
# Cache directory and mode
|
||||
CacheDirectory = service-name;
|
||||
CacheDirectoryMode = "0750";
|
||||
# Logs directory and mode
|
||||
LogsDirectory = service-name;
|
||||
LogsDirectoryMode = "0750";
|
||||
# Configuration directory and mode
|
||||
ConfigurationDirectory = service-name;
|
||||
ConfigurationDirectoryMode = "0755";
|
||||
|
||||
# Sandboxing
|
||||
ProtectSystem = "full";
|
||||
ProtectHome = "read-only";
|
||||
PrivateTmp = true;
|
||||
ProtectControlGroups = true;
|
||||
PrivateMounts = true;
|
||||
|
||||
ExecStart = "${pkgs.tmux}/bin/tmux -S /run/${service-name}/tmux.socket new-session -s my-session -d";
|
||||
ExecStop = "${pkgs.tmux}/bin/tmux -S /run/${service-name}/tmux.socket kill-session -t my-session";
|
||||
Type = "forking";
|
||||
};
|
||||
|
||||
#confinement.enable = true;
|
||||
};
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
extraCommands = ''
|
||||
iptables -t filter -I OUTPUT 1 -m owner --uid-owner ${user} -m state --state NEW -j REJECT
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -t filter -D OUTPUT 1 -m owner --uid-owner ${user} -m state --state NEW
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
28
files.nix
28
files.nix
|
|
@ -18,13 +18,14 @@ in
|
|||
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
|
||||
in
|
||||
[
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "")
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "")
|
||||
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
||||
"d /var/lib/restic 0600 restic - - -"
|
||||
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
||||
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "")
|
||||
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
|
||||
"d /var/sieve 0770 virtualMail virtualMail - -"
|
||||
"d /var/www/root 0750 nginx nginx - -"
|
||||
];
|
||||
system.activationScripts =
|
||||
let
|
||||
|
|
@ -56,25 +57,6 @@ in
|
|||
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
||||
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
|
||||
'';
|
||||
resticCredentials = ''
|
||||
mkdir -p /root/.config/rclone
|
||||
chmod 0400 /root/.config/rclone
|
||||
chown root:root /root/.config/rclone
|
||||
echo '[backblaze]' > /root/.config/rclone/rclone.conf
|
||||
echo 'type = b2' >> /root/.config/rclone/rclone.conf
|
||||
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
|
||||
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
|
||||
|
||||
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf
|
||||
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf
|
||||
|
||||
chmod 0400 /root/.config/rclone/rclone.conf
|
||||
chown root:root /root/.config/rclone/rclone.conf
|
||||
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
|
||||
chmod 0400 /var/lib/restic/pass
|
||||
chown restic /var/lib/restic/pass
|
||||
'';
|
||||
pleromaCredentials =
|
||||
if cfg.pleroma.enable then ''
|
||||
echo 'import Config' > /var/lib/pleroma/secrets.exs
|
||||
|
|
|
|||
|
|
@ -1,27 +1,32 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.userdata;
|
||||
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
|
||||
in
|
||||
{
|
||||
users.groups.acmerecievers = {
|
||||
members = [ "nginx" "dovecot2" "postfix" "virtualMail" "ocserv" ];
|
||||
members = [ "nginx" "dovecot2" "postfix" "virtualMail" "ocserv" "stalwart-mail" ];
|
||||
};
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "${cfg.username}@${cfg.domain}";
|
||||
server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
|
||||
dnsPropagationCheck = false;
|
||||
dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
|
||||
reloadServices = [ "nginx" ];
|
||||
};
|
||||
certs = lib.mkForce {
|
||||
"${cfg.domain}" = {
|
||||
"wildcard-${cfg.domain}" = {
|
||||
domain = "*.${cfg.domain}";
|
||||
extraDomainNames = [ "${cfg.domain}" ];
|
||||
group = "acmerecievers";
|
||||
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
||||
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
||||
};
|
||||
"${cfg.domain}" = {
|
||||
domain = cfg.domain;
|
||||
group = "acmerecievers";
|
||||
webroot = "/var/lib/acme/acme-challenge";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,50 @@
|
|||
{ config, pkgs, ...}:
|
||||
let
|
||||
domain = config.services.userdata.domain;
|
||||
in
|
||||
{
|
||||
services.netdata = {
|
||||
enable = true;
|
||||
package = pkgs.netdata.override {
|
||||
withCloud = false; # don't need Netdata Cloud integration
|
||||
withSsl = false; # we proxy-pass via nginx, which does SSL
|
||||
};
|
||||
config = {
|
||||
#global = {
|
||||
# "default port" = 19191;
|
||||
# "page cache size" = 96;
|
||||
#};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."${domain}" = {
|
||||
#why not use "enableACME"?
|
||||
#sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
#sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
|
||||
#root = "/var/www/social.${domain}";
|
||||
#forceSSL = true;
|
||||
#extraConfig = ''
|
||||
# add_header Strict-Transport-Security $hsts_header;
|
||||
# #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
# add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
# add_header X-Frame-Options DENY;
|
||||
# add_header X-Content-Type-Options nosniff;
|
||||
# add_header X-XSS-Protection "1; mode=block";
|
||||
# proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
# expires 10m;
|
||||
#'';
|
||||
locations = {
|
||||
"/netdata/" = {
|
||||
proxyPass = "http://127.0.0.1:19999/";
|
||||
};
|
||||
};
|
||||
};
|
||||
# TODO Netdata must communicate with nginx via unix domain socket as
|
||||
# described here: https://learn.netdata.cloud/docs/configuring/securing-netdata-agents/reverse-proxies/nginx#limit-direct-access-to-netdata
|
||||
|
||||
systemd.services.netdata.serviceConfig = {
|
||||
IPAddressDeny = "any";
|
||||
IPAddressAllow = "localhost";
|
||||
};
|
||||
}
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
{
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
};
|
||||
systemd = {
|
||||
enable = true;
|
||||
};
|
||||
process = {
|
||||
enable = true;
|
||||
#settings.process_names = [];
|
||||
};
|
||||
};
|
||||
scrapeConfigs = [{
|
||||
job_name = "nodes";
|
||||
static_configs = [{
|
||||
targets = [
|
||||
"127.0.0.1:9100" # node exporter
|
||||
"127.0.0.1:9558" # systemd exporter
|
||||
"127.0.0.1:9256" # process exporter
|
||||
];
|
||||
}];
|
||||
}];
|
||||
};
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
provision = {
|
||||
enable = true;
|
||||
datasources.settings.datasources = [{
|
||||
name = "Prometheus";
|
||||
type = "prometheus";
|
||||
access = "proxy";
|
||||
url = "http://127.0.0.1:9090";
|
||||
}];
|
||||
};
|
||||
settings = {
|
||||
server = {
|
||||
http_port = 30000;
|
||||
#domain = "meow-corp.xyz";
|
||||
domain = "localhost";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -35,13 +35,13 @@
|
|||
};
|
||||
nginx = {
|
||||
serviceConfig = {
|
||||
cpuAccounting = true;
|
||||
cpuQuota = "70%";
|
||||
memoryAccounting = true;
|
||||
memoryMax = "768M";
|
||||
startLimitIntervalSec = 500;
|
||||
startLimitBurst = 5;
|
||||
blockIOWeigth = 10;
|
||||
CpuAccounting = true;
|
||||
CpuQuota = "70%";
|
||||
MemoryAccounting = true;
|
||||
MemoryMax = "768M";
|
||||
StartLimitIntervalSec = 500;
|
||||
StartLimitBurst = 5;
|
||||
BlockIOWeigth = 10;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -0,0 +1,83 @@
|
|||
nixos-unstable: { config, ... }:
|
||||
let
|
||||
#certs = import "${nixos-unstable.path}/nixos/tests/common/acme/server/snakeoil-certs.nix";
|
||||
#domain = certs.domain;
|
||||
domain = config.services.userdata.domain;
|
||||
in
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [ 143 587 ];
|
||||
|
||||
#security.pki.certificateFiles = [ certs.ca.cert ];
|
||||
|
||||
services.stalwart-mail.enable = true;
|
||||
services.stalwart-mail.package = nixos-unstable.stalwart-mail;
|
||||
services.stalwart-mail.settings = {
|
||||
server.hostname = domain;
|
||||
|
||||
certificate."meow" = {
|
||||
#cert = "file://${certs.${domain}.cert}";
|
||||
#private-key = "file://${certs.${domain}.key}";
|
||||
cert = "file:///var/lib/acme/${domain}/fullchain.pem";
|
||||
private-key = "file:///var/lib/acme/${domain}/key.pem";
|
||||
};
|
||||
|
||||
server.tls = {
|
||||
certificate = "meow";
|
||||
enable = true;
|
||||
implicit = false;
|
||||
};
|
||||
|
||||
server.listener = {
|
||||
"smtp-submission" = {
|
||||
bind = [ "0.0.0.0:587" ];
|
||||
protocol = "smtp";
|
||||
};
|
||||
|
||||
"imap" = {
|
||||
bind = [ "0.0.0.0:143" ];
|
||||
protocol = "imap";
|
||||
};
|
||||
};
|
||||
session.auth.mechanisms = [ "PLAIN" ];
|
||||
session.auth.directory = "in-memory";
|
||||
jmap.directory = "in-memory"; # shared with imap
|
||||
|
||||
session.rcpt.directory = "in-memory";
|
||||
queue.outbound.next-hop = [ "local" ];
|
||||
|
||||
directory."in-memory" = {
|
||||
type = "memory";
|
||||
users = [
|
||||
{
|
||||
name = "alice";
|
||||
secret = "BAAfdWJ2";
|
||||
email = [ "alice@${domain}" ];
|
||||
}
|
||||
{
|
||||
name = "bob";
|
||||
secret = "6eeuHZS3";
|
||||
email = [ "bob@${domain}" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
#auth.dkim = {
|
||||
# #sign = [ { if = "listener"; ne = "smtp"; then = ["rsa"]; }
|
||||
# # { else = ["rsa"]; } ];
|
||||
# sign = [ "rsa" ];
|
||||
#};
|
||||
#signature."rsa" = {
|
||||
# private-key = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4xFGe+tfbZbYTvDPTnoTGiV8NUOY1747fBK04X0VriBN/taRbiqyL/rzczErCKBL+R2Hr6A3ptS+zDWN/7L/PJw3QWhB5M5YWQTdMKYLXwmQlldGmp107iKzVpg2m3Qv4ipXgrzkSDLbt/snf77sCPOGZNp2SJ5DOzyKETOq0RwIDAQAB";
|
||||
# domain = "${domain}";
|
||||
# selector = "rsa_default";
|
||||
# headers = ["From" "To" "Date" "Subject" "Message-ID"];
|
||||
# algorithm = "rsa-sha256";
|
||||
# canonicalization = "relaxed/relaxed";
|
||||
# expire = "10d";
|
||||
# set-body-length = false;
|
||||
# report = true;
|
||||
#};
|
||||
|
||||
};
|
||||
}
|
||||
|
||||
|
|
@ -74,13 +74,6 @@ in
|
|||
# API options #
|
||||
###############
|
||||
api = {
|
||||
enableSwagger = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
Enable Swagger UI
|
||||
'';
|
||||
type = types.bool;
|
||||
};
|
||||
skippedMigrations = mkOption {
|
||||
default = [ ];
|
||||
description = ''
|
||||
|
|
@ -194,7 +187,7 @@ in
|
|||
description = ''
|
||||
Password authentication for SSH
|
||||
'';
|
||||
default = true;
|
||||
default = false;
|
||||
type = types.nullOr types.bool;
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -16,7 +16,6 @@ in
|
|||
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
|
||||
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
|
||||
api = {
|
||||
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
|
||||
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
|
||||
};
|
||||
dns = {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,62 @@
|
|||
let
|
||||
prometheus-yaml = builtins.toFile "prometheus.yml" ''
|
||||
"scrape_configs": [
|
||||
{
|
||||
"job_name": "nodes",
|
||||
"static_configs": [
|
||||
{
|
||||
"labels": {},
|
||||
"targets": [
|
||||
"127.0.0.1:9100",
|
||||
"127.0.0.1:9558",
|
||||
"127.0.0.1:9256"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
'';
|
||||
in
|
||||
{
|
||||
services.prometheus = {
|
||||
enable = false;
|
||||
exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
};
|
||||
systemd = {
|
||||
enable = true;
|
||||
};
|
||||
process = {
|
||||
enable = true;
|
||||
#settings.process_names = [];
|
||||
};
|
||||
};
|
||||
};
|
||||
services.victoriametrics = {
|
||||
enable = true;
|
||||
extraOptions = [ "-promscrape.config=${prometheus-yaml}" ];
|
||||
};
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
provision = {
|
||||
enable = true;
|
||||
datasources.settings.datasources = [
|
||||
{
|
||||
name = "Victoriametrics2";
|
||||
type = "prometheus";
|
||||
access = "proxy";
|
||||
url = "http://127.0.0.1:8428";
|
||||
}
|
||||
];
|
||||
};
|
||||
settings = {
|
||||
server = {
|
||||
http_port = 30000;
|
||||
#domain = "meow-corp.xyz";
|
||||
domain = "localhost";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -20,8 +20,7 @@ in
|
|||
|
||||
virtualHosts = {
|
||||
"${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
@ -33,10 +32,15 @@ in
|
|||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
expires 10m;
|
||||
'';
|
||||
locations = {
|
||||
"/" = {
|
||||
root = "/var/www/root";
|
||||
};
|
||||
};
|
||||
};
|
||||
"vpn.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
@ -50,8 +54,8 @@ in
|
|||
'';
|
||||
};
|
||||
"git.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
@ -70,8 +74,8 @@ in
|
|||
};
|
||||
};
|
||||
"cloud.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
@ -90,8 +94,8 @@ in
|
|||
};
|
||||
};
|
||||
"password.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
@ -110,8 +114,8 @@ in
|
|||
};
|
||||
};
|
||||
"api.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
@ -131,8 +135,8 @@ in
|
|||
};
|
||||
};
|
||||
"social.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
root = "/var/www/social.${domain}";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
|
|
@ -152,10 +156,10 @@ in
|
|||
};
|
||||
};
|
||||
"meet.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
useACMEHost = "wildcard-${domain}";
|
||||
enableACME = false;
|
||||
};
|
||||
};
|
||||
|
|
|
|||
Loading…
Reference in New Issue