
initial commit

master
Dale 4 months ago
commit
3c1c480bc9

+ 16
- 0
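--- a/config/blog-deiru-tokyo.nix
+++ b/config/blog-deiru-tokyo.nix
@@ -0,0 +1,16 @@
+{
+services.nginx.virtualHosts."blog.deiru.tokyo" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+extraConfig = ''
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header HOST $http_host;
+proxy_set_header X-NginX-Proxy true;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass http://localhost:2368;
+proxy_redirect off;
+'';
+};
+};
+}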

+ 17
- 0
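--- a/config/cloud-deiru-tokyo.nix
+++ b/config/cloud-deiru-tokyo.nix
@@ -0,0 +1,17 @@
+{
+services.nextcloud = {
+enable = true;
+home = "/data/cloud";
+https = true;
+hostName = "cloud.deiru.tokyo";
+nginx.enable = false;
+config = {
+dbtype = "pgsql";
+dbname = "nextcloud";
+dbuser = "cloud";
+dbhost = "localhost";
+adminuser = "admin";
+adminpass = "gargamel";
+};
+};
+}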
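Review bot: `adminpass = "gargamel";` places the Nextcloud admin password in the Nix store, which is world-readable on the host, and in the repository history with this commit; it should be considered disclosed and rotated. Prefer a root-only file under /data and, where the module version in use provides it, the file-based option (`config.adminpassFile`) so the literal never enters the store or git. No `dbpass` is set, so the database login depends on the `trust` entry in configuration.nix's pg_hba; see the note on that file. With `nginx.enable = false` and no `virtualHosts."cloud.deiru.tokyo"` anywhere in this commit, nothing appears to serve the instance over HTTPS despite `https = true` — worth confirming that is intended.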

+ 27
- 0
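--- a/config/gitea.nix
+++ b/config/gitea.nix
@@ -0,0 +1,27 @@
+{
+services.gitea = {
+enable = true;
+appName = "Gensokyo Code";
+domain = "code.gensokyo.social";
+rootUrl = "https://code.gensokyo.social";
+stateDir = "/data/gitea/gitea";
+repositoryRoot = "/data/gitea/git/repositories";
+user = "gitea";
+httpPort = 3001;
+database = {
+type = "postgres";
+name = "gitea";
+user = "gitea";
+createDatabase = false;
+socket = "/tmp/";
+};
+};
+
+services.nginx.virtualHosts."code.gensokyo.social" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://localhost:3001";
+};
+};
+}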
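Review bot: `socket = "/tmp/";` points Gitea at a PostgreSQL socket in a world-writable directory; any local user can create a same-named socket there whenever the real one is absent (before postgresql starts, or after a crash) and receive Gitea's connection attempts. If the postgresql service on this NixOS release places its socket elsewhere (newer releases use `/run/postgresql`), prefer that directory, e.g. `socket = "/run/postgresql";`; otherwise add a comment recording that `/tmp/` is the release's default so it is revisited on upgrade. Note `createDatabase = false` means the `gitea` database and the `local gitea gitea peer` pg_hba line in configuration.nix are the only provisioning, which is fine but worth a comment.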

+ 10
- 0
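--- a/config/koding.nix
+++ b/config/koding.nix
@@ -0,0 +1,10 @@
+{
+services.nginx.virtualHosts."kd.gensokyo.social" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://localhost:8090";
+};
+};
+
+}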

+ 9
- 0
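--- a/config/lab.nix
+++ b/config/lab.nix
@@ -0,0 +1,9 @@
+{
+services.nginx.virtualHosts."lab.deiru.tokyo" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://localhost:8081";
+};
+};
+}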

+ 6
- 0
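--- a/config/mariadb.nix
+++ b/config/mariadb.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+
+{
+services.mysql.package = pkgs.mariadb;
+services.mysql.enable = true;
+}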

+ 9
- 0
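--- a/config/mcmap.nix
+++ b/config/mcmap.nix
@@ -0,0 +1,9 @@
+{
+services.nginx.virtualHosts."mcmap.gensokyo.social" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://localhost:8123";
+};
+};
+}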

+ 9
- 0
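--- a/config/miracle-tv-live.nix
+++ b/config/miracle-tv-live.nix
@@ -0,0 +1,9 @@
+{
+services.nginx.virtualHosts."miracle-tv.live" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+root = "/data/miracle-tv/miracle-tv-live";
+};
+};
+}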

+ 87
- 0
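--- a/config/mstdn.nix
+++ b/config/mstdn.nix
@@ -0,0 +1,87 @@
+{
+services.nginx.virtualHosts."status.gensokyo.social" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://localhost:8080";
+};
+};
+
+services.nginx.virtualHosts."gensokyo.social" = {
+enableACME = true;
+forceSSL = true;
+extraConfig = ''
+keepalive_timeout 70;
+sendfile on;
+client_max_body_size 80m;
+
+root /data/mstdn/public;
+
+gzip on;
+gzip_disable "msie6";
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+add_header Strict-Transport-Security "max-age=31536000";
+
+
+
+index index.html index.htm;
+location / {
+try_files $uri @proxy;
+}
+
+
+location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+add_header Cache-Control "public, max-age=31536000, immutable";
+try_files $uri @proxy;
+}
+
+location /sw.js {
+add_header Cache-Control "public, max-age=0";
+try_files $uri @proxy;
+}
+
+location @proxy {
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header Proxy "";
+proxy_pass_header Server;
+
+proxy_pass http://127.0.0.1:3000;
+proxy_buffering off;
+proxy_redirect off;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
+tcp_nodelay on;
+}
+
+location /api/v1/streaming {
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header Proxy "";
+
+proxy_pass http://127.0.0.1:4000;
+proxy_buffering off;
+proxy_redirect off;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
+tcp_nodelay on;
+}
+
+error_page 500 501 502 503 504 /500.html;
+'';
+};
+}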
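Review bot: The `Strict-Transport-Security` header added at server level in the `gensokyo.social` extraConfig is silently dropped for the `/emoji|packs|...` and `/sw.js` locations, because an nginx `add_header` inside a location replaces, rather than extends, the inherited set. Either repeat `add_header Strict-Transport-Security "max-age=31536000";` inside those two locations or move HSTS into a place applied uniformly (the NixOS module's per-vhost options, if the release provides one). The two `location / { try_files $uri @proxy; }` and `locations."/"`-style NixOS options are not both in use here, but a comment noting that the whole server is written in raw `extraConfig` would help the next reader. `$connection_upgrade` is referenced without a visible `map`; presumably the NixOS nginx module defines it in the http block — confirm, since a missing map fails the config test.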

+ 10
- 0
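--- a/config/murmur.nix
+++ b/config/murmur.nix
@@ -0,0 +1,10 @@
+{
+services.murmur = {
+enable = true;
+registerName = "GenSoc";
+registerHostname = "gensokyo.social";
+registerUrl = "https://gensokyo.social";
+clientCertRequired = true;
+imgMsgLength = 2097152;
+};
+}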

+ 9
- 0
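--- a/config/nginx.nix
+++ b/config/nginx.nix
@@ -0,0 +1,9 @@
+{
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+clientMaxBodySize = "512m";
+};
+}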
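Review bot: `recommendedProxySettings` is not enabled, so the vhosts that use a bare `proxyPass` (gitea.nix, koding.nix, lab.nix, mcmap.nix, search.nix, tgproxy.nix, and the `/_matrix` location in synapse.nix) forward no `Host`, `X-Real-IP`, `X-Forwarded-For` or `X-Forwarded-Proto` headers; each backend then logs and rate-limits on 127.0.0.1 and may build redirects against the wrong scheme or host. Adding `recommendedProxySettings = true;` here fixes all of them in one place, and the hand-written header blocks in blog-deiru-tokyo.nix and mstdn.nix can then be reduced to what differs. The same review applies to those files; this is the only note for it.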

+ 9
- 0
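--- a/config/pissburg.nix
+++ b/config/pissburg.nix
@@ -0,0 +1,9 @@
+{
+services.nginx.virtualHosts."whitecishetmen.space" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+root = "/data/pissburg";
+};
+};
+}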

+ 13
- 0
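--- a/config/search.nix
+++ b/config/search.nix
@@ -0,0 +1,13 @@
+{
+services.searx = {
+enable = true;
+configFile = "/data/searx/settings.yml";
+};
+services.nginx.virtualHosts."search.gensokyo.social" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://localhost:8888";
+};
+};
+}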

+ 7
- 0
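--- a/config/shadowsocks.nix
+++ b/config/shadowsocks.nix
@@ -0,0 +1,7 @@
+{
+services.shadowsocks = {
+enable = true;
+port = 445;
+passwordFile = "/data/shadowsocks/password";
+};
+}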

+ 49
- 0
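--- a/config/synapse.nix
+++ b/config/synapse.nix
@@ -0,0 +1,49 @@
+{
+services.matrix-synapse = {
+enable = true;
+server_name = "m.gensokyo.social";
+registration_shared_secret = "y9gvIl782nvV015hMACix7xnIQxHOLSL";
+turn_shared_secret = "20xhQWfafNZGneuHkDyFRTt33AhkDioQ";
+database_type = "sqlite3";
+dataDir = "/data/synapse";
+listeners = [{
+port = 8448;
+bind_address = "";
+type = "http";
+tls = true;
+x_forwarded = false;
+resources = [
+{ names = ["federation"]; compress = false; }
+];
+} {
+port = 8008;
+bind_address = "";
+type = "http";
+tls = false;
+x_forwarded = false;
+resources = [
+{ names = ["client" "webclient"]; compress = true; }
+];
+}];
+};
+services.nginx.virtualHosts."m.gensokyo.social" = {
+serverName = "m.gensokyo.social";
+enableACME = true;
+forceSSL = true;
+root = "/data/synapse/www";
+
+extraConfig = ''
+index index.html;
+'';
+
+locations."/_matrix" = {
+proxyPass = "http://127.0.0.1:8008";
+};
+
+locations."~ /.well-known" = {
+extraConfig = ''
+allow all;
+'';
+};
+};
+}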
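Review bot: `registration_shared_secret` and `turn_shared_secret` are written as literals, so both land in the world-readable Nix store and in git history with this commit; anyone holding the registration secret can create accounts on the homeserver regardless of registration policy, so both values should be rotated and loaded from a root-only file (via the module's extra-config-file mechanism where the release provides one). The 8008 listener is plaintext with `bind_address = ""`, i.e. every interface, while nginx already fronts it on 127.0.0.1; `bind_address = "127.0.0.1";` and `x_forwarded = true;` on that listener keep the unencrypted client API local and let Synapse see real client addresses for its rate limiting and logs. The `/_matrix` location proxies without forwarded headers (see the note on nginx.nix).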

+ 9
- 0
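--- a/config/tgproxy.nix
+++ b/config/tgproxy.nix
@@ -0,0 +1,9 @@
+{
+services.nginx.virtualHosts."tg.gensokyo.social" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://localhost:445";
+};
+};
+}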
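Review bot: `proxyPass = "http://localhost:445";` sends HTTP to port 445, but the only service in this commit bound to 445 is shadowsocks (config/shadowsocks.nix, `port = 445;`), which does not speak HTTP; unless a separate Telegram proxy also claims that port — which would conflict with shadowsocks — this vhost cannot work as written. If the intent is a TLS front for a proxy listening elsewhere, record the real upstream port here with a comment naming the service; if the file is a leftover, drop it. Note 445 is also opened to the world in configuration.nix's firewall lists, so the shadowsocks listener, not nginx, is what is reachable there.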

+ 63
- 0
config/users.nix View File

@@ -0,0 +1,63 @@
{
users.mutableUsers = false;
users.users = {
deiru = {
isNormalUser = true;
home = "/data/deiru";
extraGroups = [ "wheel" "networkmanager" "docker" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFvGXYPvi4yZ7DZDD/yPdWs6D9m4MgegO7/2J7A3eOquj36eU+BkMm9WwhLUMry3awG9V6KdizGw6LET4nBvniNk24YpUaxYs8oBGxCUFCXAYiq+2EgL0sgciyfuC9sl56e/zn+hCK+SkW/Nwxm7lNnzcCBwZTUxfwzTuumdHdBj2p+0V15JpvRufAQyRh5R96l2n7JhcTuZzcY+l8hG88OEW5qp8Zb8XbFeF12e7xY9KIwekG7Y7iKf/chxc/9bVywQUo78Ay+eyPDf8tYFaOEjSIGDV9+faLvPB2CJfGnjYE+msrwsMGuLe0tOAmqSq7ParbRKzhqLVw1DbUQKFX DESKTOP-EOD5IDV\Ilya@DESKTOP-EOD5IDV"
];
};

tgstation = {
isNormalUser = true;
home = "/data/tgstation";
extraGroups = [ "docker" ];
};

jarezzz = {
isNormalUser = true;
home = "/data/jarezzz";
openssh.authorizedKeys.keys = [
"ssh-rsa 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 Shoggoth@Shoggoth-Yog"
];
};

mstdn = {
isNormalUser = true;
home = "/data/mstdn";
extraGroups = [ "docker" ];
};

koding = {
isNormalUser = true;
home = "/data/koding";
extraGroups = [ "docker" ];
};

miracletv = {
isNormalUser = true;
home = "/data/miracle-tv";
extraGroups = [ "web" "docker" ];
};
cloud = {
isNormalUser = true;
home = "/data/cloud";
extraGroups = [ "docker" ];
};
minecraft = {
isNormalUser = true;
home = "/data/minecraft";

openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFvGXYPvi4yZ7DZDD/yPdWs6D9m4MgegO7/2J7A3eOquj36eU+BkMm9WwhLUMry3awG9V6KdizGw6LET4nBvniNk24YpUaxYs8oBGxCUFCXAYiq+2EgL0sgciyfuC9sl56e/zn+hCK+SkW/Nwxm7lNnzcCBwZTUxfwzTuumdHdBj2p+0V15JpvRufAQyRh5R96l2n7JhcTuZzcY+l8hG88OEW5qp8Zb8XbFeF12e7xY9KIwekG7Y7iKf/chxc/9bVywQUo78Ay+eyPDf8tYFaOEjSIGDV9+faLvPB2CJfGnjYE+msrwsMGuLe0tOAmqSq7ParbRKzhqLVw1DbUQKFX DESKTOP-EOD5IDV\Ilya@DESKTOP-EOD5IDV"
];

};
};
}
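Review bot: Membership of `docker` in `extraGroups` for deiru, tgstation, mstdn, koding, miracletv and cloud makes each of those accounts root-equivalent on the host (a docker-group user can start a container with the root filesystem bind-mounted), which defeats the point of running every service under its own user. Grant it only where a user genuinely drives the daemon, and give service accounts that merely need a container running a systemd unit instead; a one-line comment on `extraGroups` explaining why each user needs `docker` would make the exception visible to the next reviewer. The same public key is listed for both `deiru` and `minecraft`, which is fine, but a comment saying they are the same operator avoids it looking like a copy-paste error. The section's line count (63) exceeds the lines shown here, so part of this file is not visible in this view.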

+ 34
- 0
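--- a/config/wireguard.nix
+++ b/config/wireguard.nix
@@ -0,0 +1,34 @@
+{
+networking.nat.enable = true;
+networking.nat.externalInterface = "eno1";
+networking.nat.internalInterfaces = [ "wg0" ];
+networking.firewall.extraCommands = ''
+iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno1 -j MASQUERADE
+'';
+networking.wireguard.interfaces = {
+wg0 = {
+ips = [ "10.100.0.1/24" ];
+
+# The port that Wireguard listens to. Must be accessible by the client.
+listenPort = 51820;
+
+# Path to the private key file.
+#
+# Note: The private key can also be included inline via the privateKey option,
+# but this makes the private key world-readable; thus, using privateKeyFile is
+# recommended.
+privateKeyFile = "/data/wireguard/keys/privateKey";
+
+peers = [
+{
+publicKey = "MFMNteIb/thD0vFFvaZPZTvpJDmDVqvIEdTjoffRGiM=";
+allowedIPs = [ "10.100.0.2/32" ];
+}
+{
+publicKey = "bQFMfsuFQKWI02qV6e33FK03wbZhyL8Pwu+3X6tUCi4=";
+allowedIPs = [ "10.100.0.3/32" ];
+}
+];
+};
+};
+}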

+ 49
- 0
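--- a/config/xmpp.nix
+++ b/config/xmpp.nix
@@ -0,0 +1,49 @@
+{config, lib, pkgs, ...}:
+
+{
+security.acme.certs."prosody-gensokyo.social" ={
+domain = "gensokyo.social";
+user = "root";
+group = "prosody";
+allowKeysForGroup = true;
+webroot = config.security.acme.certs."gensokyo.social".webroot;
+postRun = "systemctl restart prosody";
+};
+
+services.nginx.virtualHosts."upload.gensokyo.social" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = "http://upload.gensokyo.social:5280";
+};
+};
+
+services.prosody = {
+enable = true;
+dataDir = "/data/prosody";
+modules.http_files = true;
+allowRegistration = true;
+s2sSecureAuth = true;
+extraModules = [ "cloud_notify" "private" "vcard" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist" "mam" "carbons" "smacks"];
+extraConfig = ''
+storage = "sql"
+sql = { driver = "SQLite3", database = "prosody.sqlite" }
+Component "conference.gensokyo.social" "muc"
+'';
+admins = [ "Deiru@gensokyo.social" ];
+extraPluginPaths = [ "/data/prosody/modules" ];
+virtualHosts = {
+"gensokyo.social" = {
+domain = "gensokyo.social";
+enabled = true;
+ssl.key = "/var/lib/acme/prosody-gensokyo.social/key.pem";
+ssl.cert = "/var/lib/acme/prosody-gensokyo.social/fullchain.pem";
+extraConfig = ''
+Component "upload.gensokyo.social" "http_upload"
+http_host = "upload.gensokyo.social"
+http_external_url = "https://upload.gensokyo.social/"
+'';
+};
+};
+};
+}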
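Review bot: `proxyPass = "http://upload.gensokyo.social:5280";` proxies to the public hostname rather than the loopback address, so the plaintext hop goes wherever DNS resolves that name to at the time of the request; every other vhost in this commit targets localhost, and `proxyPass = "http://127.0.0.1:5280";` keeps this one consistent and DNS-independent (Prosody still selects the `http_host` from the forwarded `Host` header once proxy headers are enabled, see the note on nginx.nix). `allowRegistration = true` opens in-band account creation to anyone reaching port 5222, which is in the firewall list; if public sign-up is intended, a comment saying so and naming the abuse controls in use would help, otherwise set it to false and create accounts via `prosodyctl`. The ACME cert is issued with `user = "root"` and shared with the `prosody` group via `allowKeysForGroup`, which is reasonable but deserves a one-line comment since it differs from the nginx-managed certs elsewhere.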

+ 74
- 0
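--- a/configuration.nix
+++ b/configuration.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, ... }:
+
+{
+imports =
+[ # Include the results of the hardware scan.
+./hardware-configuration.nix
+./config/users.nix
+./config/nginx.nix
+./config/mstdn.nix
+./config/koding.nix
+./config/gitea.nix
+./config/synapse.nix
+./config/murmur.nix
+./config/mcmap.nix
+# ./config/lab.nix
+./config/mariadb.nix
+./config/miracle-tv-live.nix
+./config/blog-deiru-tokyo.nix
+./config/wireguard.nix
+./config/search.nix
+./config/xmpp.nix
+./config/shadowsocks.nix
+./config/pissburg.nix
+];
+
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+security.sudo.enable = true;
+security.sudo.wheelNeedsPassword = false;
+
+networking.hostName = "gensokyo.social";
+time.timeZone = "Europe/Moscow";
+
+environment.systemPackages = with pkgs; [
+wget vim jre8 git
+];
+
+virtualisation.docker.enable = true;
+
+fileSystems."/data" = {
+device = "/dev/sda3";
+fsType = "ext4";
+};
+
+services.openssh = {
+enable = true;
+permitRootLogin = "no";
+};
+
+services.netdata = {
+enable = true;
+};
+
+services.postgresql = {
+enable = true;
+authentication = pkgs.lib.mkOverride 10 ''
+local all all peer
+local gitea gitea peer
+host nextcloud cloud localhost trust
+'';
+};
+
+# Open ports in the firewall.
+networking.firewall.allowedTCPPorts = [ 80 22 222 443 8448 25565 25566 25567 64738 451 51820 5222 5269 445 27015 27016];
+networking.firewall.allowedUDPPorts = [ 80 22 222 443 8448 25565 25566 25567 64738 451 1337 51820 445 27015 27016];
+
+
+# This value determines the NixOS release with which your system is to be
+# compatible, in order to avoid breaking some software such as database
+# servers. You should change this only after NixOS release notes say you
+# should.
+system.stateVersion = "18.09"; # Did you read the comment?
+}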
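Review bot: `host nextcloud cloud localhost trust` in the pg_hba block lets any process on the host that can open a TCP connection to localhost authenticate as `cloud` to the nextcloud database with no credential, and this box runs several other service accounts; set a `dbpass` in cloud-deiru-tokyo.nix (from a file, not a literal) and change the line to `host nextcloud cloud localhost md5`, or switch Nextcloud to the unix socket and use `peer` like gitea. `security.sudo.wheelNeedsPassword = false;` turns the `deiru` SSH key into an unchallenged root credential; unless there is a reason (no password is set because `mutableUsers = false`), a `hashedPassword` on deiru and the default `true` is the safer pair. The UDP list mirrors the TCP list including 22, 80 and 443, which have no UDP listeners here; trimming it to the services that actually use UDP (51820, 64738, the game ports) documents intent and keeps the exposed surface readable. The port list is also the only record of which service each port belongs to — a comment per port would help.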

+ 29
- 0
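--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+imports =
+[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+];
+
+boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/0d80b447-5ac3-4990-a646-84b6a2cc362c";
+fsType = "ext4";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/0EAE-6C6F";
+fsType = "vfat";
+};
+
+swapDevices = [ ];
+
+nix.maxJobs = lib.mkDefault 8;
+powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}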
