RGBCube/ncc
1
Fork 0
mirror of https://github.com/RGBCube/ncc synced 2025-07-29 19:17:45 +00:00
Code Issues Activity

Start refactor

Browse source
This commit is contained in:
RGBCube 2025-01-11 15:51:21 +03:00
parent 99b7ccfadb
commit 06cce18e72
155 changed files with 2139 additions and 3738 deletions
Download patch file Download diff file Expand all files Collapse all files

23
hosts/cube/acme/default.nix
View file

@ -1,23 +0,0 @@
{ config, lib, ... }: with lib;
let
inherit (config.networking) domain;
in systemConfiguration {
secrets.acmeEnvironment.file = ./environment.age;
security.acme = {
acceptTerms = true;
defaults = {
environmentFile = config.secrets.acmeEnvironment.path;
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1";
email = "security@${domain}";
};
certs.${domain} = {
extraDomainNames = [ "*.${domain}" ];
group = "nginx";
};
};
}

BIN
hosts/cube/acme/environment.age
View file

Binary file not shown.

55
hosts/cube/default.nix
View file

@ -1,55 +0,0 @@
{ config, lib, keys, ... }: with lib; merge
(systemConfiguration {
system.stateVersion = "23.05";
nixpkgs.hostPlatform = "x86_64-linux";
secrets.id.file = ./id.age;
secrets.rgbPassword.file = ./password.rgb.age;
users.users = {
root.hashedPasswordFile = config.secrets.rgbPassword.path;
rgb = sudoUser {
description = "RGB";
openssh.authorizedKeys.keys = keys.admins;
hashedPasswordFile = config.secrets.rgbPassword.path;
};
backup = normalUser {
description = "Backup";
openssh.authorizedKeys.keys = keys.all;
hashedPasswordFile = config.secrets.rgbPassword.path;
};
};
services.openssh = {
banner = ''
_______________________________________
/ If God doesn't destroy San Francisco, \
| He should apologize to Sodom and |
\ Gomorrah. /
---------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
'';
hostKeys = [{
type = "ed25519";
path = config.secrets.id.path;
}];
};
networking = {
ipv4 = "5.255.78.70";
domain = "rgbcu.be";
};
})
(homeConfiguration {
home.stateVersion = "23.11";
})

158
hosts/cube/forgejo/default.nix
View file

@ -1,158 +0,0 @@
{ self, config, lib, pkgs, ... }: with lib;
let
inherit (config.networking) domain;
fqdn = "git.${domain}";
port = 8001;
in systemConfiguration {
secrets.forgejoMailPassword = {
file = self + /hosts/disk/mail/password.plain.age;
owner = "forgejo";
};
secrets.forgejoRunnerPassword = {
file = ./password.runner.age;
owner = "forgejo";
};
services.postgresql = {
ensureDatabases = [ "forgejo" ];
ensureUsers = [{
name = "forgejo";
ensureDBOwnership = true;
}];
};
services.restic.backups = genAttrs config.resticHosts (const {
paths = [ "/var/lib/gitea-runner" "/var/lib/forgejo" ];
});
users.groups.gitea-runner = {};
users.users.gitea-runner = systemUser {
extraGroups = [ "docker" ];
group = "gitea-runner";
home = "/var/lib/gitea-runner";
};
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.runner-01 = enabled {
name = "runner-01";
url = fqdn;
labels = [
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
"act:docker://ghcr.io/catthehacker/ubuntu:act-latest"
];
tokenFile = config.secrets.forgejoRunnerPassword.path;
settings = {
cache.enabled = true;
capacity = 4;
container.network = "host";
};
hostPackages = with pkgs; [
bash
coreutils
curl
gitMinimal
sudo
wget
];
};
};
services.openssh.settings.AcceptEnv = mkForce "SHELLS COLOTERM GIT_PROTOCOL";
services.forgejo = enabled {
lfs = enabled;
secrets.mailer.PASSWD = config.secrets.forgejoMailPassword.path;
database = {
socket = "/run/postgresql";
type = "postgres";
};
settings = let
description = "RGBCube's Forge of Shitty Software";
in {
default.APP_NAME = description;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "https://${fqdn}";
};
attachment.ALLOWED_TYPES = "*/*";
cache.ENABLED = true;
mailer = {
ENABLED = true;
PROTOCOL = "smtps";
SMTP_ADDR = self.disk.mailserver.fqdn;
USER = "git@${domain}";
};
other = {
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
SHOW_FOOTER_VERSION = false;
};
packages.ENABLED = false;
repository = {
DEFAULT_BRANCH = "master";
DEFAULT_MERGE_STYLE = "rebase-merge";
DEFAULT_REPO_UNITS = "repo.code, repo.issues, repo.pulls, repo.actions";
DEFAULT_PUSH_CREATE_PRIVATE = false;
ENABLE_PUSH_CREATE_ORG = true;
ENABLE_PUSH_CREATE_USER = true;
DISABLE_STARS = true;
};
"repository.upload" = {
FILE_MAX_SIZE = 100;
MAX_FILES = 10;
};
server = {
DOMAIN = domain;
ROOT_URL = "https://${fqdn}/";
LANDING_PAGE = "/explore";
HTTP_ADDR = "::1";
HTTP_PORT = port;
SSH_PORT = head config.services.openssh.ports;
DISABLE_ROUTER_LOG = true;
};
service.DISABLE_REGISTRATION = true;
session = {
COOKIE_SECURE = true;
SAME_SITE = "strict";
};
"ui.meta" = {
AUTHOR = description;
DESCRIPTION = description;
};
};
};
services.nginx.virtualHosts.${fqdn} = merge config.sslTemplate {
locations."/".proxyPass = "http://[::1]:${toString port}";
};
}

10
hosts/cube/forgejo/password.runner.age
View file

@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw 7yIsoOHvJRbNV4J0HxwKHVUaScp0hNXB/DLX1UrSsys
CSFy5ta8rbBPeUw1TEZDSLNV+v5Q+PDcKYwWkFQBv5M
-> ssh-ed25519 CzqbPQ 8xO/hPZZP9D1AddhcKLaLdB2Ch1sTBMsm/xgXYW/6y0
/dACny3vjrpms1oEEj5gBFd/Cjx2P37JKk+BKui/TgA
-> ssh-ed25519 f5VzMA AQc4W4u7jTN9qzhm344xYfT7t/AQSbV8sPAOXo2c4EY
YF2pb/iv9b52RBD91cvMN9ABge+Oswr1bUbJxr0xP7k
--- 9KEPq+2YLjFJeeuapOVQ/9Lf/bKkIcZnjsaNJCK9W2s
sk™i<EFBFBD>¨94možp붷躦Wv¼vûðO„^v¦3ÊÕ\
ôCk(t¤¾l<16>®Ì$<24><0E>=š*jIJÞA:žÞ]ÚÜ

83
hosts/cube/grafana/default.nix
View file

@ -1,83 +0,0 @@
{ self, config, lib, ... }: with lib;
let
inherit (config.networking) domain;
fqdn = "metrics.${domain}";
port = 8000;
in systemConfiguration {
secrets.grafanaPassword = {
file = ./password.age;
owner = "grafana";
};
secrets.grafanaMailPassword = {
file = self + /hosts/disk/mail/password.plain.age;
owner = "grafana";
};
services.postgresql = {
ensureDatabases = [ "grafana" ];
ensureUsers = [{
name = "grafana";
ensureDBOwnership = true;
}];
};
services.restic.backups = genAttrs config.resticHosts (const {
paths = [ "/var/lib/grafana" ];
});
systemd.services.grafana = {
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
};
services.grafana = enabled {
provision = enabled;
settings = {
analytics.reporting_enabled = false;
database.host = "/run/postgresql";
database.type = "postgres";
database.user = "grafana";
server.domain = fqdn;
server.http_addr = "[::1]";
server.http_port = port;
users.default_theme = "system";
};
settings.security = {
admin_email = "metrics@${domain}";
admin_password = "$__file{${config.secrets.grafanaPassword.path}}";
admin_user = "admin";
cookie_secure = true;
disable_gravatar = true;
disable_initial_admin_creation = true; # Just in case.
};
settings.smtp = {
enabled = true;
password = "$__file{${config.secrets.grafanaMailPassword.path}}";
startTLS_policy = "MandatoryStartTLS";
ehlo_identity = "metrics@${domain}";
from_address = "metrics@${domain}";
from_name = "Metrics";
host = "${self.disk.mailserver.fqdn}:${toString config.services.postfix.relayPort}";
};
};
services.nginx.virtualHosts.${fqdn} = merge config.sslTemplate {
locations."/" = {
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
};
}

10
hosts/cube/grafana/password.age
View file

@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw 8RuMWyMIVBwAX7r/A+P0nscmsW9KTpt56b+le5dOz3o
D1syuLeAeAdVmEtXE6BTFKjrCcJYB58gUfbr9gCN9gM
-> ssh-ed25519 CzqbPQ LWqVp66/EnvhmF3R3fGB9RXq8YA9/1HvhkP8b7fL5no
cQGRxNoR7EdwkuyH8L748V3iTCxmDOs1cDvC7whiOiM
-> ssh-ed25519 f5VzMA By51kxuXGN75sqnhDAJLOVKobXxxsqmZvBi43kPs8g8
xWeGyCzxGckOYCqRMxjmVN1VirTJHtqS21/uBfwaiMo
--- LgeEowlRzUo1IyGr4jdD5ysCx2KdnlhfKRUHaesilO0
˜,æ ܼ®Ãß½x†¿Dà@ÎçÁü¾QP/oÁ:
v1ß<EFBFBD>;ÆÈÍì÷· ?‰

23
hosts/cube/hardware.nix
View file

@ -1,23 +0,0 @@
{ lib, modulesPath, ... }: with lib;
systemConfiguration {
imports = [(modulesPath + "/profiles/qemu-guest.nix")];
boot.loader.grub = enabled {
device = "/dev/vda";
};
boot.initrd.availableKernelModules = [
"ata_piix"
"sr_mod"
"uhci_hcd"
"virtio_blk"
"virtio_pci"
];
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
options = [ "noatime" ];
};
}

11
hosts/cube/id.age
View file

@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw YN0Cb+kyG3YXy5M4EXoijLRmGMjO1q2U+KxSPIc0FXE
pDeBwpWP1F/+rKGnKcmIZ7rTqGhAgO+bZoW0Fm/P4KA
-> ssh-ed25519 CzqbPQ AViDLwkL2z0htUhLNnxK+25SeDNETpRD7TxEe3KiClg
qr0QX65nb5aIu2BzdKthIdS7FEwotgGXMyLQ6goGpF0
-> ssh-ed25519 f5VzMA tSMV6ZkLc6+/SLA8IpWLmQngeQ8b1N/fQzlAP7xF0Ao
GW6YyVj8KlMjL4xzSVCHlOEajPqYi1ytu3RBLbov70k
--- r3znXRy2jH0r6yH94WnUQ8VbrGuKJRwHAMD9y/M4+Gs
V×È¢ðQª-õ\|L“è”|º2YWqÇ<71>CæÁpn0Šåê %v¯tá Úæ¯Õ53|Èï+3ó—,„ÖÏwZцL27'Ý£ÚîeÛ­ÍÌÚwUê<~̦WÒmµß¯yÚ:tçy &ËÍ©‡àpÓ/<2F>Æ–Y»ÂÕ†Åü–ÌXQÖ]¶6³àýY”Lh†ÎC-ôÞÑüxŠ{u†Äüd?¸øb¬Ì<ÆGùߤêŒi™D ”V#à{—_ï׳·±+0B;0JÆðssý†¼zO¯ÀA ð¹1˜Árj £©9ç«•‰Í_¯É<>¨å âlóÀѤÕ3v× ÜMíÀË
#(³ºU ôw¬ƒ#jI ÄôÓΣöpú‰šX™3YâûH-
˜ÉÖÌW#zÊ!¿Š@Îs <kÚ"ýx°M)>ŠW³9¬=7Z,‰ùc÷¤…߈R¸>\B§…ƒú&uµ½ŸÊë¥z«júî†ä½¬ˆ]Ô ñß<C3B1>¢%²†XzXàÔÞ­ÙÃ]hk£Ôû.åšrÇÐe.àÚã

140
hosts/cube/matrix/default.nix
View file

@ -1,140 +0,0 @@
{ config, lib, ... }: with lib;
let
inherit (config.networking) domain;
sitePath = "/var/www/site";
chatDomain = "chat.${domain}";
syncDomain = "sync.${domain}";
wellKnownResponse = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${strings.toJSON data}';
'';
clientConfig."m.homeserver".base_url = "https://${chatDomain}";
clientConfig."org.matrix.msc3575.proxy".url = "https://${syncDomain}";
serverConfig."m.server" = "${chatDomain}:443";
wellKnownResponseConfig.locations = {
"= /.well-known/matrix/client".extraConfig = wellKnownResponse clientConfig;
"= /.well-known/matrix/server".extraConfig = wellKnownResponse serverConfig;
};
notFoundLocationConfig = {
locations."/".extraConfig = "return 404;";
extraConfig = "error_page 404 /404.html;";
locations."/404".extraConfig = "internal;";
locations."/assets/".extraConfig = "return 301 https://${domain}$request_uri;";
};
synapsePort = 8002;
syncPort = 8003;
in serverSystemConfiguration {
secrets.matrixSecret = {
file = ./password.secret.age;
owner = "matrix-synapse";
};
secrets.matrixSyncPassword = {
file = ./password.sync.age;
owner = "matrix-synapse";
};
services.postgresql = {
ensureDatabases = [ "matrix-synapse" "matrix-sliding-sync" ];
ensureUsers = [
{
name = "matrix-synapse";
ensureDBOwnership = true;
}
{
name = "matrix-sliding-sync";
ensureDBOwnership = true;
}
];
};
services.restic.backups = genAttrs config.resticHosts (const {
paths = [ "/var/lib/matrix-synapse" "/var/lib/matrix-sliding-sync" ];
});
services.matrix-synapse = enabled {
withJemalloc = true;
configureRedisLocally = true;
settings.redis.enabled = true;
extras = [ "postgres" "url-preview" "user-search" ];
log.root.level = "WARNING"; # Shut the fuck up.
settings = {
server_name = domain;
# We are not setting web_client_location since the root is not accessible
# from the outside web at all. Only /_matrix is reverse proxied to.
database.name = "psycopg2";
report_stats = false;
enable_metrics = true;
metrics_flags.known_servers = true;
expire_access_token = true;
url_preview_enabled = true;
# Trusting Matrix.org.
suppress_key_server_warning = true;
};
# Sets registration_shared_secret.
extraConfigFiles = [ config.secrets.matrixSecret.path ];
settings.listeners = [{
port = synapsePort;
bind_addresses = [ "::1" ];
tls = false;
type = "http";
x_forwarded = true;
resources = [{
compress = false;
names = [ "client" "federation" ];
}];
}];
};
services.nginx.virtualHosts.${domain} = wellKnownResponseConfig;
services.nginx.virtualHosts.${chatDomain} = merge config.sslTemplate wellKnownResponseConfig notFoundLocationConfig {
root = "${sitePath}";
locations."/_matrix".proxyPass = "http://[::1]:${toString synapsePort}";
locations."/_synapse/client".proxyPass = "http://[::1]:${toString synapsePort}";
};
services.matrix-sliding-sync = enabled {
environmentFile = config.age.secrets.matrixSyncPassword.path;
settings = {
SYNCV3_SERVER = "https://${chatDomain}";
SYNCV3_DB = "postgresql:///matrix-sliding-sync?host=/run/postgresql";
SYNCV3_BINDADDR = "[::1]:${toString syncPort}";
};
};
services.nginx.virtualHosts.${syncDomain} = merge config.sslTemplate notFoundLocationConfig {
root = sitePath;
locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)"
.proxyPass = "http://[::1]:${toString synapsePort}";
locations."~ ^(\\/_matrix|\\/_synapse\\/client)"
.proxyPass = "http://[::1]:${toString syncPort}";
};
}

9
hosts/cube/matrix/password.secret.age
View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw StDMwwxCWcdMkWnDUt2pA1PINfLt1M+H+J3Y2P/mxnk
GL+g8U3bWjtN0wC5kgPFmDH6ptLk3qCVofqHF6d9gg4
-> ssh-ed25519 CzqbPQ 3O4JTSO7S3oZ28YCMGLzD7ILzSphLfj7wHZFnklQlQg
MP/45MWFIcGH4kDytDO2rVzXZ+ls+Y3tCSdp3S9A3EA
-> ssh-ed25519 f5VzMA 2avBGy/8FgfUfreAfO7tJ4g3zRzMBkUxN3G+IqLk6GM
vsEj8QMWRYYz844Gbf7hNpfMyRqoytaruRUOxQZj3NM
--- AugFTj/dABkP+jM/sYBSZKMjUH+BeifJ455bdt+bKZA
Ñ&·•¨µòö2Tÿp²ÉUC”F<E2809D>D7Z•F&l$~¨ýHŸì"£õ”;¨×~é­ |÷g>¾î½žiÅî_#¨Ý{•#%‰˜FwJRýî<C3BD>­.ÑËoç)z§œrn-»Žk@gÝ_kÚ¹+¿šÍWRÀmÂzƒp 

9
hosts/cube/matrix/password.sync.age
View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw T319LGGGp0tzS0vevrIUOZKoGYQ1NX0KOWqkqTLumh8
449QEoppibas2HtJJPJMQXcZeHEU9vJyZJV2NnYiXCY
-> ssh-ed25519 CzqbPQ i3wvtVCcnGGKibtvOd7pApma03sal+krPZcXobRfk2U
GpmrpAgQqRkDbXRq/WMAulZFNKlEXo2ZzBJdAJTHePA
-> ssh-ed25519 f5VzMA SSVe9YKEjtWIg3ZIlFYBDZasfzL4HN7frgaC24S1ZTk
S5u4oWUgHiSvvF0XKtVSPkgCOQ0dzIZUqnhRbCeCPt4
--- tnWULd4aX4DFcQn1+typTWtIw+2wEoQ4OO3mvCkFgEs
…iÎr<EFBFBD>ú¹š…ò— ¡xoÃ7¡ÙâÐkä$Ö¯š‰çYFXBëIMc²Þ„?cnáo0WLè†ÅfMña ‡o»+ 'ù‰ÎÏÒ&p*<9ºPë©#}Wñ¿Ð žàì·MíBú~¢‰7

116
hosts/cube/nextcloud/default.nix
View file

@ -1,116 +0,0 @@
{ config, lib, pkgs, ... }: with lib;
let
inherit (config.networking) domain;
fqdn = "cloud.${domain}";
nextcloudPackage = pkgs.nextcloud29;
in systemConfiguration {
secrets.nextcloudPassword = {
file = ./password.age;
owner = "nextcloud";
};
secrets.nextcloudExporterPassword = {
file = ./password.age;
owner = "nextcloud-exporter";
};
services.prometheus.exporters.nextcloud = enabled {
listenAddress = "[::]";
username = "admin";
url = "https://${fqdn}";
passwordFile = config.secrets.nextcloudExporterPassword.path;
};
services.postgresql = {
ensureDatabases = [ "nextcloud" ];
ensureUsers = [{
name = "nextcloud";
ensureDBOwnership = true;
}];
};
services.restic.backups = genAttrs config.resticHosts (const {
paths = [ "/var/lib/nextcloud" ];
});
systemd.services.nextcloud-setup = {
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
script = mkAfter ''
nextcloud-occ theming:config name "RGBCube's Depot"
nextcloud-occ theming:config slogan "RGBCube's storage of insignificant data."
nextcloud-occ theming:config color "#000000"
nextcloud-occ theming:config background backgroundColor
nextcloud-occ theming:config logo ${./icon.gif}
'';
};
services.nextcloud = enabled {
package = nextcloudPackage;
hostName = fqdn;
https = true;
configureRedis = true;
config.adminuser = "admin";
config.adminpassFile = config.secrets.nextcloudPassword.path;
config.dbhost = "/run/postgresql";
config.dbtype = "pgsql";
settings = {
default_phone_region = "TR";
# Even with manual SMTP configuration, Nextcloud fails to communicate properly
# and fails to send mail. PHP moment?
# mail_smtphost = "::1"; # FIXME: Will need to use SMTP.
# mail_smtpmode = "sendmail";
# mail_from_address = "cloud";
maintenance_window_start = 1;
# No clue why it was syslog.
# What are the NixOS module authors on?
log_type = "file";
};
settings.enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
phpOptions = {
"opcache.interned_strings_buffer" = "16";
output_buffering = "off";
};
extraAppsEnable = true;
extraApps = {
inherit (nextcloudPackage.packages.apps)
bookmarks calendar contacts deck
forms impersonate mail # groupfolders impersonate mail
maps notes polls previewgenerator; # tasks;
# Add: files_markdown files_texteditor memories news
};
nginx.recommendedHttpHeaders = true;
};
services.nginx.virtualHosts.${fqdn} = config.sslTemplate;
}

BIN
hosts/cube/nextcloud/icon.gif
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 767 KiB

BIN
hosts/cube/nextcloud/password.age
View file

Binary file not shown.

43
hosts/cube/nginx.nix
View file

@ -1,43 +0,0 @@
{ lib, pkgs, ... }: with lib;
systemConfiguration {
networking.firewall = {
allowedTCPPorts = [ 443 80 ];
allowedUDPPorts = [ 443 ];
};
services.prometheus.exporters.nginx = enabled {
listenAddress = "[::]";
};
services.nginx = enabled {
package = pkgs.nginxQuic;
statusPage = true;
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedZstdSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header Referrer-Policy no-referrer;
# add_header X-Frame-Options DENY;
# add_header X-Content-Type-Options nosniff;
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
}

BIN
hosts/cube/password.rgb.age
View file

Binary file not shown.

15
hosts/cube/podman.nix
View file

@ -1,15 +0,0 @@
{ lib, ... }: with lib;
systemConfiguration {
virtualisation.podman = enabled {
dockerCompat = true;
dockerSocket = enabled;
defaultNetwork.settings.dns_enabled = true;
autoPrune = enabled {
dates = "weekly";
flags = [ "--all" ];
};
};
}

125
hosts/cube/postgresql.nix
View file

@ -1,125 +0,0 @@
{ config, lib, pkgs, ... }: with lib; merge
(systemConfiguration {
services.prometheus.exporters.postgres = enabled {
listenAddress = "[::]";
runAsLocalSuperUser = true;
};
services.restic.backups = genAttrs config.resticHosts (const {
paths = [ "/tmp/postgresql-dump.sql.gz" ];
backupPrepareCommand = ''
${config.services.postgresql.package}/bin/pg_dumpall --clean \
| ${lib.getExe pkgs.gzip} --rsyncable \
> /tmp/postgresql-dump.sql.gz
'';
backupCleanupCommand = ''
rm /tmp/postgresql-dump.sql.gz
'';
});
services.postgresql = enabled {
package = pkgs.postgresql_14;
enableJIT = true;
initdbArgs = [ "--locale=C" "--encoding=UTF8" ];
initialScript = pkgs.writeText "grant-root-perms" ''
GRANT pg_read_all_data TO root;
GRANT pg_write_all_data TO root;
'';
authentication = mkOverride 10 ''
# Type Database DBUser Authentication
local all all peer
'';
ensureUsers = [
{
name = "postgres";
ensureClauses = {
createdb = true;
createrole = true;
login = true;
replication = true;
superuser = true;
};
}
{
name = "root";
ensureClauses = {
createdb = true;
createrole = true;
login = true;
replication = true;
superuser = true;
};
}
];
settings = {
listen_addresses = mkForce "";
# https://pgconfigurator.cybertec.at/
max_connections = 100;
superuser_reserved_connections = 3;
# Memory Settings
shared_buffers = "1024 MB";
work_mem = "32 MB";
maintenance_work_mem = "320 MB";
huge_pages = "off";
effective_cache_size = "3 GB";
effective_io_concurrency = 1; # Concurrent IO only really activated if OS supports posix_fadvise function.
random_page_cost = 4; # Speed of random disk access relative to sequential access (1.0).
# Monitoring
shared_preload_libraries = "pg_stat_statements"; # Per statement resource usage stats.
track_io_timing = "on"; # Measure exact block IO times.
track_functions = "pl"; # Track execution times of pl-language procedures if any.
# Replication
wal_level = "replica";
max_wal_senders = 0;
synchronous_commit = "on";
# Checkpointing
checkpoint_timeout = "15 min";
checkpoint_completion_target = 0.9;
max_wal_size = "1024 MB";
min_wal_size = "512 MB";
# WAL writing
wal_compression = "on";
wal_buffers = -1; # auto-tuned by Postgres till maximum of segment size (16MB by default).
wal_writer_delay = "200ms";
wal_writer_flush_after = "1MB";
# Background writer
bgwriter_delay = "200ms";
bgwriter_lru_maxpages = 100;
bgwriter_lru_multiplier = 2.0;
bgwriter_flush_after = 0;
# Parallel queries
max_worker_processes = 2;
max_parallel_workers_per_gather = 1;
max_parallel_maintenance_workers = 1;
max_parallel_workers = 2;
parallel_leader_participation = "on";
# Advanced features
enable_partitionwise_join = "on";
enable_partitionwise_aggregate = "on";
jit = "on";
max_slot_wal_keep_size = "1000 MB";
track_wal_io_timing = "on";
};
};
})
(systemPackages (with pkgs; [
postgresql
]))

36
hosts/cube/prometheus.nix
View file

@ -1,36 +0,0 @@
{ self, config, lib, ... }: with lib;
systemConfiguration {
services.grafana.provision.datasources.settings = {
datasources = [{
name = "Prometheus";
type = "prometheus";
url = "http://[::1]:${toString config.services.prometheus.port}";
orgId = 1;
}];
deleteDatasources = [{
name = "Prometheus";
orgId = 1;
}];
};
services.prometheus = enabled {
listenAddress = "[::]";
retentionTime = "1w";
scrapeConfigs = with lib; let
configToScrapeConfig = name: { config, ... }: pipe config.services.prometheus.exporters [
(filterAttrs (name: value: name != "minio" && name != "unifi-poller" && value.enable or false))
(mapAttrsToList (expName: expConfig: {
job_name = "${expName}-${name}";
static_configs = [{
targets = [ "${name}:${toString expConfig.port}" ];
}];
}))
];
in flatten (mapAttrsToList configToScrapeConfig self.nixosConfigurations);
};
}

54
hosts/cube/site.nix
View file

@ -1,54 +0,0 @@
{ config, lib, ... }: with lib;
let
inherit (config.networking) domain;
sitePath = "/var/www/site";
notFoundLocationConfig = {
extraConfig = "error_page 404 /404.html;";
locations."/404".extraConfig = "internal;";
};
in systemConfiguration {
services.nginx = enabled {
appendHttpConfig = ''
map $http_origin $allow_origin {
~^https://.+\.${domain}$ $http_origin;
}
map $http_origin $allow_methods {
~^https://.+\.${domain}$ "GET, HEAD, OPTIONS";
}
'';
virtualHosts.${domain} = merge config.sslTemplate notFoundLocationConfig {
root = sitePath;
locations."/".tryFiles = "$uri $uri.html $uri/index.html =404";
locations."/assets/".extraConfig = ''
add_header Access-Control-Allow-Origin $allow_origin;
add_header Access-Control-Allow-Methods $allow_methods;
if ($request_method = OPTIONS) {
add_header Content-Type text/plain;
add_header Content-Length 0;
return 204;
}
expires 24h;
'';
};
virtualHosts."www.${domain}" = merge config.sslTemplate {
locations."/".extraConfig = "return 301 https://${domain}$request_uri;";
};
virtualHosts._ = merge config.sslTemplate notFoundLocationConfig {
root = sitePath;
locations."/".extraConfig = "return 404;";
locations."/assets/".extraConfig = "return 301 https://${domain}$request_uri;";
};
};
}

56
hosts/disk/default.nix
View file

@ -1,56 +0,0 @@
{ config, lib, keys, ... }: with lib; merge
(systemConfiguration {
system.stateVersion = "23.11";
nixpkgs.hostPlatform = "x86_64-linux";
secrets.id.file = ./id.age;
secrets.floppyPassword.file = ./password.floppy.age;
users.users = {
root.hashedPasswordFile = config.secrets.floppyPassword.path;
floppy = sudoUser {
description = "Floppy";
openssh.authorizedKeys.keys = keys.admins;
hashedPasswordFile = config.secrets.floppyPassword.path;
};
backup = normalUser {
description = "Backup";
openssh.authorizedKeys.keys = keys.all;
hashedPasswordFile = config.secrets.floppyPassword.path;
};
};
services.openssh.hostKeys = [{
type = "ed25519";
path = config.secrets.id.path;
}];
networking = {
ipv4 = "23.164.232.40";
ipv6 = "2602:f9f7::40";
domain = "rgbcu.be";
defaultGateway = "23.164.232.1";
defaultGateway6 = "2602:f9f7::1";
interfaces.ens32 = {
ipv4.addresses = [{
address = config.networking.ipv4;
prefixLength = 25;
}];
ipv6.addresses = [{
address = config.networking.ipv6;
prefixLength = 64;
}];
};
};
})
(homeConfiguration {
home.stateVersion = "23.11";
})

34
hosts/disk/hardware.nix
View file

@ -1,34 +0,0 @@
{ config, lib, ... }: with lib;
systemConfiguration {
boot.loader = {
systemd-boot = enabled {
editor = false;
};
efi.canTouchEfiVariables = true;
};
boot.initrd.availableKernelModules = [
"ahci"
"ata_piix"
"nvme"
"sr_mod"
];
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
options = [ "noatime" ];
};
fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
options = [ "noatime" ];
};
swapDevices = [{
device = "/dev/disk/by-label/swap";
}];
}

BIN
hosts/disk/id.age
View file

Binary file not shown.

55
hosts/disk/mail/default.nix
View file

@ -1,55 +0,0 @@
{ self, config, lib, ... }: with lib;
let
inherit (config.networking) domain;
fqdn = "mail1.${domain}";
in systemConfiguration {
imports = [(self + /hosts/cube/acme)];
secrets.mailPassword.file = ./password.hash.age;
services.prometheus.exporters.postfix = enabled {
listenAddress = "[::]";
};
services.restic.backups = genAttrs config.resticHosts (const {
paths = [ config.mailserver.dkimKeyDirectory config.mailserver.mailDirectory ];
});
mailserver = enabled {
fqdn = mkDefault fqdn;
domains = mkDefault [ domain ];
certificateScheme = "acme";
# We use systemd-resolved instead of Knot Resolver.
localDnsResolver = false;
hierarchySeparator = "/";
useFsLayout = true;
dkimKeyDirectory = "/var/lib/dkim";
mailDirectory = "/var/lib/mail";
sieveDirectory = "/var/lib/sieve";
vmailUserName = "mail";
vmailGroupName = "mail";
dmarcReporting = enabled {
domain = head config.mailserver.domains;
organizationName = "Doofemshmirtz Evil Inc.";
};
fullTextSearch = enabled {
indexAttachments = true;
};
loginAccounts."contact@${head config.mailserver.domains}" = {
aliases = [ "@${head config.mailserver.domains}" ];
hashedPasswordFile = config.secrets.mailPassword.path;
};
};
}

BIN
hosts/disk/mail/password.hash.age
View file

Binary file not shown.

15
hosts/disk/mail/password.plain.age
View file

@ -1,15 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw AZFDaJ2juVpQRex9baxUPiFC4xZyna2G6ysYA4aFQkU
Cg1SJWa8PTiMDB5fOQYx7WcbfPri7nFsuCZuCRquD8c
-> ssh-ed25519 spFFQA vBOffcs6nE2VcGzkQBlhfy0GIWz+/7L09CJ5cQzRhQg
b4ZWVCSDdiF+5zMNK1b+wvG2esRfU+otY5OnVCTvRBo
-> ssh-ed25519 CzqbPQ jPL7pBXMF4QIYkULJhlvinx1hnr+aJclp8jpuLIlp2g
ud5StShENlRhlO+JJyaJciLKVUGW1XQPmPk1u9KXOKo
-> ssh-ed25519 dASlBQ LIRlKcAHsI3kf0MSuR7lpbTXCYRL1g2JjLZs4msYCAw
7o3ESCqC3Jm/5NK52IDGkx0ZQkAZY8eyiBgf9y5mUCI
-> ssh-ed25519 f5VzMA FUHuEsI2aebZiTwODrXpKJnAV4EyaUGE/+gDxwsVixY
XyEpcL1XXuoQU6erVRE2Sv9x8PisaXDBZHdWdelQPTE
-> ssh-ed25519 V6IHIQ IlarCBGBKJGagqo6cL5VhhnETwDdy/nJZ0EoBtfmrH0
QE6Z9Dk5mFcLF0hb1oG53ZWwhf+v0Ena90ocXEk50a0
--- 7kXJ0xIQb1yooKiZ70qZz/5kJvnE7K6uvgFu63PXQC0
6Ö<E280BA>g<EFBFBD>¸ù¿U }õçc;Då)ºex2<78>}†v±Æ`¶kíz#ȱ(

10
hosts/disk/password.floppy.age
View file

@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 spFFQA GwQd6KJsc9NzOs7fVBTyeusvYtpD2KjOqsitNqmgxAg
2U1KsgcT4cKNOjFCWlDfilSfe5+EIW/94nsMITcntSM
-> ssh-ed25519 CzqbPQ G7MWCZj/l2DaviWkph1NBxiMlxjxKO+/jcpPQ5rM+yU
6Nzzd6X+SRkLcdMIm2CQdkimq6UqD/bsTYObgglq5Ns
-> ssh-ed25519 f5VzMA Yho8qwQjRfrjepTOYCvos0pEidzf4sRRkgcZFIx7Th0
K6M3CmEGuZBk5kUFsv31AB8p/KgdcpjXU5uayFQr6ws
--- vzZtwqbz/MdrNaAQ3SYEoeGrHP+yYiI+kv451wRlkdw

p˜­~T³¦úå×ÅáÒÕó»õ¤Í<C2A4>¤(±EdÙÃ\ì$U¶{å "ì l5E[JæœÕõ<C395>.<2E>jõBÀ¿@§T¿u&b«-ÁpPRF¡ç<C2A1>zg"‹ˆÂËâ<r°B3羺îÛ°»…

9
hosts/disk/site6.nix
View file

@ -1,9 +0,0 @@
{ self, lib, ... }: with lib;
systemConfiguration {
imports = [
(self + /hosts/cube/acme)
(self + /hosts/cube/nginx.nix)
(self + /hosts/cube/site.nix)
];
}

56
hosts/nine/default.nix
View file

@ -1,56 +0,0 @@
{ config, lib, keys, ... }: with lib; merge
(systemConfiguration {
system.stateVersion = "23.11";
nixpkgs.hostPlatform = "aarch64-linux";
secrets.id.file = ./id.age;
secrets.sevenPassword.file = ./password.seven.age;
users.users = {
root.hashedPasswordFile = config.secrets.sevenPassword.path;
seven = sudoUser {
description = "Hungry Seven";
openssh.authorizedKeys.keys = keys.admins;
hashedPasswordFile = config.secrets.sevenPassword.path;
};
backup = normalUser {
description = "Backup";
openssh.authorizedKeys.keys = keys.all;
hashedPasswordFile = config.secrets.sevenPassword.path;
};
};
services.openssh.hostKeys = [{
type = "ed25519";
path = config.secrets.id.path;
}];
networking = {
ipv4 = "152.53.2.105";
ipv6 = "2a0a:4cc0::12d9";
domain = "rgbcu.be";
defaultGateway = "152.53.0.1";
defaultGateway6 = "fe80::1";
interfaces.enp4s0 = {
ipv4.addresses = [{
address = config.networking.ipv4;
prefixLength = 22;
}];
ipv6.addresses = [{
address = config.networking.ipv6;
prefixLength = 64;
}];
};
};
})
(homeConfiguration {
home.stateVersion = "23.11";
})

BIN
hosts/nine/github2forgejo/environment.age
View file

Binary file not shown.

12
hosts/nine/github2forgejo/github2forgejo.nix
View file

@ -1,12 +0,0 @@
{ config, lib, ... }: with lib;
systemConfiguration {
secrets.github2forgejoEnvironment = {
file = ./environment.age;
owner = "github2forgejo";
};
services.github2forgejo = enabled {
environmentFile = config.secrets.github2forgejoEnvironment.path;
};
}

31
hosts/nine/hardware.nix
View file

@ -1,31 +0,0 @@
{ config, lib, modulesPath, ... }: with lib;
systemConfiguration {
imports = [(modulesPath + "/profiles/qemu-guest.nix")];
boot.loader.grub = enabled {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
zramSwap = enabled;
}

BIN
hosts/nine/id.age
View file

Binary file not shown.

16
hosts/nine/mail2.nix
View file

@ -1,16 +0,0 @@
{ config, self, lib, ... }: with lib;
let
inherit (config.networking) domain;
fqdn = "mail2.${domain}";
in systemConfiguration {
imports = [(self + /hosts/disk/mail)];
mailserver = {
inherit fqdn;
# Not [ domain ] because this is a backup mailserver. contact@mail2.rgbcu.be.
domains = [ fqdn ];
};
}

BIN
hosts/nine/password.seven.age
View file

Binary file not shown.

9
hosts/pala/blueman.nix
View file

@ -1,9 +0,0 @@
{ lib, ... }: with lib;
systemConfiguration {
services.blueman = enabled;
hardware.bluetooth = enabled {
powerOnBoot = true;
};
}

32
hosts/pala/default.nix
View file

@ -1,24 +1,16 @@
{ config, lib, ... }: with lib; merge
lib: lib.darwinSystem {
networking.hostName = "pala";
(systemConfiguration {
system.stateVersion = "24.11";
nixpkgs.hostPlatform = "aarch64-linux";
time.timeZone = "Europe/Istanbul";
secrets.saidPassword.file = ./password.said.age;
users.users = {
root.hashedPasswordFile = config.secrets.saidPassword.path;
said = sudoUser (desktopUser {
description = "Said";
hashedPasswordFile = config.secrets.saidPassword.path;
});
users.users.pala = {
name = "pala";
home = "/Users/pala";
};
})
(homeConfiguration {
home.stateVersion = "24.11";
})
home-manager.users.pala.home = {
stateVersion = "25.05";
homeDirectory = "/Users/pala";
};
nixpkgs.hostPlatform = "aarch64-darwin";
system.stateVersion = 5;
}

35
hosts/pala/hardware.nix
View file

@ -1,35 +0,0 @@
{ config, lib, ... }: with lib;
systemConfiguration {
virtualisation.vmware.guest = enabled;
boot.loader = {
systemd-boot = enabled {
editor = false;
};
efi.canTouchEfiVariables = true;
};
boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"sr_mod"
];
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "btrfs";
options = [ "relatime" ];
};
fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
options = [ "relatime" "fmask=0077" "dmask=0077" ];
};
swapDevices = [{
device = "/dev/disk/by-label/swap";
}];
}

9
hosts/pala/password.said.age
View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 CzqbPQ ozAGsEreYHlTYUsRF2mk2HyHsgPFWgG5OnQVHCqjWBU
w6j8Cl7h/TVKBgZ36fJIime4GUDaA75+NAH7BYyQ9rg
-> ssh-ed25519 CzqbPQ eMmV1mSSS+yyI9GznqmBwDEUYPcsIN2uxSyrP3sW+S0
RAIaJhBIIdSfOufhKsoFs8LELJ1bzskeGreSB+qn41o
-> ssh-ed25519 CzqbPQ CDg4IuWX7dLXjOGKj61VbXsULFJjlyr9DZ5bWq3iLmI
b/EK8IoDlN6IoZ9bfG64iQprTqxH6OGK6t9/Vg5KFaw
--- rVFs9eG5vCmvV6TTx1bKIg9bksEZ7nCazlMAu2aJqBw
If$WbÓ<Òaºy/H9 @®<XŒ¡ß]X(»yô<79>)#9WMƒ Nö Y•R~<7E>Í`,iüÃРK©ú½ü4°Aª íÛÆêäåc?ôö€\2NÃʹ§­öÓåÆicý±y