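# NixOS system configuration for a single host that serves Nextcloud, a
# cgit/lighttpd git frontend, Matrix (Synapse + Element), a handful of static
# sites and one docs site per project, all fronted by nginx with ACME
# certificates.
{ config, pkgs, ... }:
let
  # Host-specific values (currently only the TLD) are generated outside this file.
  envsubstConfiguration = pkgs.callPackage /data/nixos/envsubst-configuration.nix { };

  # Site-wide constants.  NOTE: this binding shadows the NixOS module argument
  # `config`, so every `config.*` reference below resolves to this set and not
  # to the evaluated NixOS configuration.
  config = rec {
    TLD = envsubstConfiguration.TLD;
    nextcloudDomain = "cloud.${TLD}";
    # Kept as a string: interpolated into nginx config, converted with toInt for lighttpd.
    gitPort = "81";
    openSSHPort = 23841;
    elementDomain = "element.${TLD}";
    matrixDomain = "matrix.${TLD}";
    # Served verbatim from /.well-known/matrix/{server,client} on the TLD vhost.
    matrixServerJSON = { "m.server" = "${matrixDomain}:443"; };
    # NOTE(review): base_url points at the bare TLD, whose vhost below has no
    # /_matrix location, while Synapse is proxied on the matrixDomain vhost.
    # Confirm whether "https://${matrixDomain}" was intended here.
    matrixClientJSON = { "m.homeserver" = { "base_url" = "https://${TLD}"; }; };
    matrixPort = 8008;
    # Repositories whose index.html and favicon.ico are served at <name>.<TLD>.
    static-sites = [ "boneco" "pdfs-da-d-maria" ];
    # Projects whose prebuilt docs live under /data/static/<name>/.
    docs-projects = [ "songbooks" "mediator" ];
  };

  # Builds the nginx virtualHost attribute for one static site: the site root is
  # a derivation holding the index.html and favicon.ico taken from the named
  # repository's master snapshot.
  #
  # SUPPLY CHAIN: `fetchTarball` is called without a `sha256`, so the snapshot
  # is fetched at evaluation time with no integrity check and follows whatever
  # `master` is at that moment.  Pin it (a `sha256`, or a fixed-revision
  # snapshot URL) so a changed or compromised upstream cannot silently alter
  # what this host serves.
  static-site-from-repo = repo-name: {
    "${repo-name}.${config.TLD}" = {
      forceSSL = true;
      enableACME = true;
      root = pkgs.stdenv.mkDerivation {
        name = repo-name;
        src = fetchTarball "https://git.euandreh.xyz/${repo-name}/snapshot/master.tar.gz";
        phases = "unpackPhase buildPhase";
        buildPhase = ''
          mkdir $out
          cp index.html $out
          cp favicon.ico $out
        '';
      };
    };
  };

  # Builds the nginx virtualHost attribute for one project's documentation:
  # the root redirects to the English docs of the master branch, files are read
  # from /data/static/<project>/.
  docs-site-for-project = project-name: {
    "${project-name}.${config.TLD}" = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        location = / {
          return 301 en/master/;
        }
        root /data/static/${project-name}/;
      '';
    };
  };

  # Not referenced anywhere in this file (Nix is lazy, so nothing is fetched
  # unless it is used).  It is also unpinned (no `sha256`); pin it before using it.
  pkgsUnstable = import (builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz";
  }) { };
in
{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/vda";
  };

  networking = {
    useDHCP = false;
    interfaces.ens3.useDHCP = true;
  };

  nix = {
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
    # min-free 1G
    extraOptions = ''
      min-free = ${toString (1024 * 1024 * 1024)}
    '';
  };

  environment = {
    systemPackages = with pkgs; [ vim git gitAndTools.git-annex gotop ];
    shellAliases = { l = "ls -lahF"; };
  };

  # Only SSH (on its non-default port) and nginx are reachable from outside;
  # lighttpd's port is not opened and is reached through the nginx proxy.
  networking.firewall.allowedTCPPorts = [
    config.openSSHPort
    # HTTP and HTTPS: NGINX
    80
    443
  ];

  security.acme = {
    acceptTerms = true;
    email = "eu@euandre.org";
  };

  services = {
    openssh = {
      enable = true;
      permitRootLogin = "no";
      # Key-only logins; the authorized key is set on users.users.andreh below.
      passwordAuthentication = false;
      ports = [ config.openSSHPort ];
    };

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # Generated static/docs hosts are merged with the hand-written ones;
      # with `//` the right-hand operand wins on a duplicate host name.
      virtualHosts =
        builtins.fold (repo: acc: acc // static-site-from-repo repo) {} config.static-sites
        // builtins.fold (project: acc: acc // docs-site-for-project project) {} config.docs-projects
        // {
          # NOTE(review): this host sets neither forceSSL nor enableACME, so the
          # Matrix well-known documents below are only served over plain HTTP
          # here.  Confirm whether TLS for the bare TLD is configured elsewhere.
          "${config.TLD}" = {
            locations."= /.well-known/matrix/server".extraConfig = ''
              add_header Content-Type application/json;
              return 200 '${builtins.toJSON config.matrixServerJSON}';
            '';
            locations."= /.well-known/matrix/client".extraConfig = ''
              add_header Content-Type application/json;
              add_header Access-Control-Allow-Origin *;
              return 200 '${builtins.toJSON config.matrixClientJSON}';
            '';
          };

          # Synapse itself; only the /_matrix prefix is forwarded to the local listener.
          "${config.matrixDomain}" = {
            enableACME = true;
            forceSSL = true;
            locations."/_matrix" = {
              proxyPass = "http://[::1]:${toString config.matrixPort}";
            };
          };

          # Element web client, built with this host's Synapse as default homeserver.
          "${config.elementDomain}" = {
            enableACME = true;
            forceSSL = true;
            root = pkgs.element-web.override {
              conf = {
                default_server_config."m.homeserver" = {
                  "base_url" = "https://${config.matrixDomain}";
                  # NOTE(review): server_name is given as a URL here; verify
                  # against Element's config.json format, which takes a domain.
                  "server_name" = "https://${config.matrixDomain}";
                };
              };
            };
          };

          # Locations are filled in by services.nextcloud.nginx below.
          "${config.nextcloudDomain}" = {
            forceSSL = true;
            enableACME = true;
          };

          # cgit, via lighttpd on config.gitPort.
          "git.${config.TLD}" = {
            forceSSL = true;
            enableACME = true;
            extraConfig = ''
              location = /favicon.ico {
                alias /data/favicons/git.ico;
              }
              location / {
                proxy_pass http://localhost:${config.gitPort};
              }
            '';
          };

          # CI logs, rotated by services.logrotate below.
          "ci.${config.TLD}" = {
            forceSSL = true;
            enableACME = true;
            root = "/data/static/ci-logs/";
          };
        };
    };

    nextcloud = {
      enable = true;
      package = pkgs.nextcloud19;
      nginx.enable = true;
      hostName = config.nextcloudDomain;
      https = true;
      maxUploadSize = "4G";
      autoUpdateApps.enable = true;
      config = {
        overwriteProtocol = "https";
        dbtype = "sqlite";
        adminuser = "andreh";
        # Read at activation time; the secret never enters the Nix store.
        adminpassFile = "/data/secrets/nextcloud-admin.txt";
      };
    };

    lighttpd = {
      enable = true;
      port = pkgs.lib.toInt config.gitPort;
      cgit = {
        enable = true;
        subdir = "";
        configText = ''
          enable-blame=1
          enable-commit-graph=1
          enable-follow-links=1
          enable-index-owner=0
          enable-log-filecount=1
          enable-log-linecount=1
          root-desc=public repositories
          root-readme=/data/git/about.html
          readme=:README.md
          readme=:README
          readme=:README.rst
          readme=:README.org
          max-repodesc-length=120
          remove-suffix=1
          root-title=EuAndreh's git repositories
          snapshots=tar.gz zip
          source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
          about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
          scan-path=/data/git
        '';
      };
    };

    logrotate = {
      enable = true;
      extraConfig = ''
        compress
        /data/static/ci-logs/**/*.log {
          rotate 30
          daily
          olddir /data/static/logrotate/
          createolddir 744 andreh users
          su andreh users
        }
      '';
    };

    matrix-synapse = {
      enable = true;
      server_name = config.matrixDomain;
      # I created the new user by temporarily setting this to true
      enable_registration = false;
      database_type = "sqlite3";
      # Loopback-only HTTP listener; TLS is terminated by nginx, which sets the
      # forwarding headers that x_forwarded tells Synapse to trust.
      listeners = [{
        port = config.matrixPort;
        bind_address = "::1";
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [{
          names = [ "client" "federation" ];
          compress = false;
        }];
      }];
    };

    cron = {
      enable = true;
      systemCronJobs = [ "0 12 * * * root /data/cron/borg.sh" ];
    };
  };

  users = {
    mutableUsers = false;
    users.andreh = {
      uid = 1000;
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      # Read at activation time.  The previous `hashedPassword = builtins.readFile
      # ...` embedded the hash in the derivation output, i.e. in the
      # world-readable Nix store; passwordFile keeps it in /data/secrets only.
      passwordFile = "/data/secrets/user-hash.txt";
      openssh.authorizedKeys.keys = [
        "ssh-rsa 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 eu@euandre.org"
      ];
    };
  };

  system = {
    stateVersion = "20.03";
    autoUpgrade = {
      enable = true;
      allowReboot = true;
    };
  };
}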