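# NixOS module for the host "ni" (networking.hostName below).  It wires up
# mail (exim DKIM), tinc/retiolum, nginx + ACME for viljetic.de and
# jabber.viljetic.de, an IRC daemon (charybdis), ejabberd, github-hosts-sync,
# a GRUB/btrfs base system, sshd and the tv.iptables firewall.
#
# Layout note: the source as extracted had the whole file collapsed onto a few
# lines, which put `#` line comments in front of live code and effectively
# commented it out.  The file is restored to one statement per line here; the
# only semantic edit is the `lib.singleton` -> `singleton` change in
# services.openssh (see the comment there).
{ config, pkgs, ... }:
# NOTE(review): the import path on the next line was lost in extraction (most
# likely an angle-bracket path stripped by the renderer).  Restore it from the
# repository: it must provide mkForce, singleton and nameValuePair, which this
# file uses unqualified.
with import ;

{
  imports = [
    # TODO TLS
    ./base.nix

    # Secrets that the krebs.secret machinery copies from the key directory
    # (config.ni-key-path) into place with the given owner.
    {
      krebs.exim-smarthost.dkim = mkForce (singleton rec {
        domain = "viljetic.de";
        private_key = {
          path = "/run/krebs.secret/${domain}.dkim_private_key";
          owner.name = "exim";
          source-path = "${config.ni-key-path}/${domain}.dkim.priv";
        };
      });
      krebs.tinc.retiolum = {
        privkey = {
          path = "${config.krebs.tinc.retiolum.user.home}/tinc.rsa_key.priv";
          owner = config.krebs.tinc.retiolum.user;
          source-path = "${config.ni-key-path}/retiolum.rsa_key.priv";
        };
      };
    }

    {
      services.nginx.enable = true;
      # Catch-all servers so that requests for names not configured below get
      # a 404 instead of landing on whichever virtualHost nginx picks first.
      # NOTE(review): the 443 catch-all carries no `ssl` parameter and no
      # certificate; confirm how nginx handles an unknown SNI name on this
      # port alongside the TLS virtualHosts defined further down.
      services.nginx.appendHttpConfig = ''
        server {
          listen 80 default_server;
          server_name _;
          return 404;
        }
        server {
          listen 443 default_server;
          server_name _;
          return 404;
        }
      '';
      services.nginx.virtualHosts.cgit.serverAliases = [
        "cgit.krebsco.de"
        "cgit.ni.krebsco.de"
        "cgit.ni.viljetic.de"
        "cgit.viljetic.de"
      ];
    }
    # Historical krebs.nginx equivalent of the block above, kept as a
    # reference while migrating to the upstream services.nginx module.
    # [upstream-nginx] {
    # [upstream-nginx]   krebs.nginx.servers.cgit.server-names = [
    # [upstream-nginx]     "cgit.krebsco.de"
    # [upstream-nginx]     "cgit.ni.krebsco.de"
    # [upstream-nginx]     "cgit.ni.viljetic.de"
    # [upstream-nginx]     "cgit.viljetic.de"
    # [upstream-nginx]   ];
    # [upstream-nginx] }

    {
      # Static site for viljetic.de; the certificate paths match what the
      # security.acme entry below writes.
      services.nginx.virtualHosts."viljetic.de" = {
        enableACME = true;
        forceSSL = true;
        sslCertificate = "/var/lib/acme/viljetic.de/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/viljetic.de/key.pem";
        root = pkgs.viljetic-pages;
      };
      # [upstream-nginx] #krebs.nginx.servers.ni-retiolum = {
      # [upstream-nginx] #  server-names = singleton "ni.r";
      # [upstream-nginx] #  locations = [
      # [upstream-nginx] #    (nameValuePair "= /retiolum-hosts.tar.bz2" ''
      # [upstream-nginx] #      root ${config.krebs.tinc.retiolum.hostsArchive};
      # [upstream-nginx] #    '')
      # [upstream-nginx] #  ];
      # [upstream-nginx] #};
      # [upstream-nginx] # TODO make public_html also available to ni, ni.retiolum (AKA default)
      # [upstream-nginx] krebs.nginx.servers."https://viljetic.de" = {
      # [upstream-nginx]   server-names = singleton "viljetic.de";
      # [upstream-nginx]   listen = mkForce []; # disable default
      # [upstream-nginx]   ssl = {
      # [upstream-nginx]     enable = true;
      # [upstream-nginx]     certificate = "/var/lib/acme/viljetic.de/fullchain.pem";
      # [upstream-nginx]     certificate_key = "/var/lib/acme/viljetic.de/key.pem";
      # [upstream-nginx]   };
      # [upstream-nginx]   locations = [
      # [upstream-nginx]     (nameValuePair "/" ''
      # [upstream-nginx]       root ${pkgs.viljetic-pages};
      # [upstream-nginx]     '')
      # [upstream-nginx]     (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
      # [upstream-nginx]       alias /home/$1/public_html$2;
      # [upstream-nginx]     '')
      # [upstream-nginx]   ];
      # [upstream-nginx] };
      # [upstream-nginx] krebs.nginx.servers."http://viljetic.de" = {
      # [upstream-nginx]   server-names = singleton "viljetic.de";
      # [upstream-nginx]   locations = [
      # [upstream-nginx]     (nameValuePair "/.well-known/acme-challenge/" ''
      # [upstream-nginx]       root /var/lib/acme/viljetic.de/;
      # [upstream-nginx]     '')
      # [upstream-nginx]     (nameValuePair "/" ''
      # [upstream-nginx]       return 301 https://viljetic.de$request_uri;
      # [upstream-nginx]     '')
      # [upstream-nginx]   ];
      # [upstream-nginx] };
      security.acme = {
        certs."viljetic.de" = {
          email = "tomislav@viljetic.de";
          #webroot = "/var/lib/acme/viljetic.de";
          plugins = [ "account_key.json" "key.pem" "fullchain.pem" ];
          # The private key is owned by the nginx user; nothing else needs it.
          user = "nginx";
          # Reload (not restart) so open connections survive a renewal.
          postRun = /* sh */ ''
            ${pkgs.systemd}/bin/systemctl reload nginx
          '';
        };
      };
    }

    {
      krebs.github-hosts-sync = {
        enable = true;
        ssh-identity-file = "${config.ni-key-path}/github-hosts-sync.ssh.id_ed25519";
      };
      # Only the sync service's own port is opened towards the internet.
      tv.iptables.input-internet-accept-tcp = singleton config.krebs.github-hosts-sync.port;
    }

    {
      # IRC daemon; its TLS material is provisioned into the service user's
      # home from the key directory.  The certificate itself is public and
      # kept in the repository.
      tv.charybdis = {
        enable = true;
        ssl_cert = ./certs/charybdis.crt.pem;
        ssl_dh_params = {
          path = "${config.tv.charybdis.user.home}/charybdis.dh.pem";
          owner = config.tv.charybdis.user;
          source-path = "${config.ni-key-path}/charybdis.dh.pem";
        };
        ssl_private_key = {
          path = "${config.tv.charybdis.user.home}/charybdis.key.pem";
          owner = config.tv.charybdis.user;
          source-path = "${config.ni-key-path}/charybdis.key.pem";
        };
      };
      # IRC is reachable from the retiolum overlay only, not from the internet.
      tv.iptables.input-retiolum-accept-tcp = [
        config.tv.charybdis.port
        config.tv.charybdis.sslport
      ];
    }

    {
      # The nginx vhost exists so ACME can validate jabber.viljetic.de; the
      # resulting certificate is then handed to ejabberd below.
      services.nginx.virtualHosts."jabber.viljetic.de" = {
        enableACME = true;
        forceSSL = true;
        sslCertificate = "/var/lib/acme/jabber.viljetic.de/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/jabber.viljetic.de/key.pem";
      };
      #[upstream-nginx] # TODO we define krebs.nginx.servers."https://jabber.viljetic.de" only
      #[upstream-nginx] # because krebs.nginx.servers."https://viljetic.de" will serve
      #[upstream-nginx] # jabber.viljetic.de otherwise.
      #[upstream-nginx] krebs.nginx.servers."https://jabber.viljetic.de" = {
      #[upstream-nginx]   server-names = singleton "jabber.viljetic.de";
      #[upstream-nginx]   listen = mkForce []; # disable default
      #[upstream-nginx]   ssl = {
      #[upstream-nginx]     enable = true;
      #[upstream-nginx]     certificate = "/var/lib/acme/jabber.viljetic.de/fullchain.pem";
      #[upstream-nginx]     certificate_key = "/var/lib/acme/jabber.viljetic.de/key.pem";
      #[upstream-nginx]   };
      #[upstream-nginx] };
      #[upstream-nginx] krebs.nginx.servers."http://jabber.viljetic.de" = {
      #[upstream-nginx]   server-names = singleton "jabber.viljetic.de";
      #[upstream-nginx]   locations = [
      #[upstream-nginx]     (nameValuePair "/.well-known/acme-challenge/" ''
      #[upstream-nginx]       root /var/lib/acme/jabber.viljetic.de/;
      #[upstream-nginx]     '')
      #[upstream-nginx]     (nameValuePair "/" ''
      #[upstream-nginx]       return 301 http://jabber.viljetic.de$request_uri;
      #[upstream-nginx]     '')
      #[upstream-nginx]   ];
      #[upstream-nginx] };
      # TODO do we need to restart ejabberd when certfile changes?
      # TODO restart ejabberd when /etc/hosts changes?
      tv.ejabberd = {
        enable = true;
        hosts = [ "jabber.viljetic.de" ];
        # ejabberd wants key and chain in one file; that file is produced by
        # the postRun hook of the security.acme entry below.
        certfile = {
          path = "${config.tv.ejabberd.user.home}/ejabberd.pem";
          owner = config.tv.ejabberd.user;
          source-path = "/var/lib/acme/jabber.viljetic.de/key+fullchain.pem";
        };
      };
      tv.iptables.input-internet-accept-tcp = [ "xmpp-client" "xmpp-server" ];
      security.acme = {
        certs."jabber.viljetic.de" = {
          email = "tomislav@viljetic.de";
          #webroot = "/var/lib/acme/jabber.viljetic.de";
          plugins = [ "account_key.json" "key.pem" "fullchain.pem" ];
          user = "nginx";
          # NOTE(review): key+fullchain.pem contains the private key.  Its mode
          # is whatever the hook's umask yields; confirm it is not group- or
          # world-readable before the secret service copies it for ejabberd.
          # The "XXX add missing newline" refers to key.pem possibly lacking a
          # trailing newline, which would fuse the two PEM blocks — verify the
          # ACME client's output format before relying on plain cat here.
          postRun = /* sh */ ''
            (
              set -efu
              # XXX add missing newline
              ${pkgs.coreutils}/bin/cat \
                  /var/lib/acme/jabber.viljetic.de/key.pem \
                  /var/lib/acme/jabber.viljetic.de/fullchain.pem \
                > /var/lib/acme/jabber.viljetic.de/key+fullchain.pem
              # TODO restarting secret will restart ejabberd (and others :/)
              # TODO reload
              ${pkgs.systemd}/bin/systemctl restart secret
            )
          '';
        };
      };
    }
  ];

  boot.loader.grub.devices = [ config.ni-disk ];
  boot.loader.grub.splashImage = null;

  environment.systemPackages = [
    pkgs.htop
    pkgs.iptables
    # Helper that builds the NixOS install ISO and pushes it to the hosting
    # provider's FTP server, whose hostname comes from kvm-info.json in the key
    # directory and whose credentials come from upload-iso.netrc there.
    # NOTE(review): the upload uses plain ftp://, so the netrc credentials and
    # the image travel unencrypted; prefer an encrypted transport if the
    # provider offers one.  `set -x` traces the commands (including the
    # expanded host name) to stderr but does not print the netrc contents.
    (pkgs.writeDashBin "ni-upload-iso" ''
      export NIX_PATH=${config.ni-nix-path}
      set -efux
      ${pkgs.nix}/bin/nix-build \
          -A config.system.build.isoImage \
          -I nixos-config=${config.ni-nix-path}/nixos-config/install.nix \
          -o ${config.ni-nix-path}/isoImage \
          ${config.ni-nix-path}/nixpkgs/nixos
      ftpHost=$(${pkgs.jq}/bin/jq -r .ftp.host ${config.ni-key-path}/kvm-info.json); \
      ${pkgs.curl}/bin/curl -n --netrc-file ${config.ni-key-path}/upload-iso.netrc \
          -T ${config.ni-nix-path}/isoImage/iso/ni-install.iso \
          "ftp://$ftpHost/cdrom/ni-install.iso"
    '')
  ];

  fileSystems = {
    "/" = {
      device = "${config.ni-disk}-part1";
      fsType = "btrfs";
      options = ["defaults" "noatime" "ssd" "compress=lzo"];
    };
  };

  networking.hostName = "ni";

  services.timesyncd.enable = true;

  services.openssh = {
    enable = true;
    # Only an ed25519 host key, served from the key directory.
    # `singleton` is the unqualified form already used elsewhere in this file;
    # `lib` is not bound by this module's argument pattern, so the former
    # `lib.singleton` depended on the with-import providing a `lib` attribute.
    hostKeys = singleton ({
      type = "ed25519";
      path = "${config.ni-key-path}/ssh.id_ed25519";
    });
  };

  # Firewall: ICMP echo and the three public TCP services; everything else
  # reachable from the internet is opened per service above (github-hosts-sync
  # port, XMPP).  IRC is retiolum-only.
  tv.iptables.enable = true;
  tv.iptables.accept-echo-request = "internet";
  tv.iptables.input-internet-accept-tcp = [ "http" "https" "ssh" ];
}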