diff --git a/README.md b/README.md index ed4efef..9b23b5f 100644 --- a/README.md +++ b/README.md @@ -62,10 +62,12 @@ rm -v delete_old_cluster.sh # Tarball ```bash -nix build .#nixosConfigurations.matrix.config.system.build.image +nix build .#nixosConfigurations..config.system.build.image ``` -# HTTP +# Matrix + +## HTTP Configure `berlin.ccc.de` web server to send federation traffic to the matrix server: @@ -85,7 +87,7 @@ server { } ``` -# DNS +## DNS ```dns _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. @@ -100,7 +102,7 @@ matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce8 matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887 ``` -# Bots +## Bots ```bash register_new_matrix_user \ @@ -110,7 +112,7 @@ register_new_matrix_user \ --password ``` -# Draupnir +## Draupnir Remove rate limit for account: diff --git a/flake.nix b/flake.nix index afe9bf0..fbc725b 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,11 @@ { - description = "Matrix server for CCCB"; + description = "CCCB services"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; #flake-utils.url = "github:numtide/flake-utils"; agenix = { url = "github:ryantm/agenix"; - inputs = { - nixpkgs.follows = "nixpkgs"; - }; + inputs.nixpkgs.follows = "nixpkgs"; }; }; outputs = @@ -90,7 +88,9 @@ }; }; } - ./configuration.nix + ./hosts/matrix.nix + + ./services/openssh.nix ./services/nginx.nix ./services/postgres.nix @@ -102,6 +102,19 @@ ./services/grafana.nix ]; }; + nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem { + #system = "x86_64-linux"; + #pkgs = import nixpkgs { inherit system; }; + inherit system; + modules = [ + agenix.nixosModules.default + { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } + + ./hosts/hedgedoc.nix + + ./services/openssh.nix + ]; + }; }; #); } diff --git a/hosts/hedgedoc.nix b/hosts/hedgedoc.nix new file mode 100644 index 0000000..0f5ed23 --- /dev/null 
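Review bot: The two commented-out lines `#system = "x86_64-linux";` and `#pkgs = import nixpkgs { inherit system; };` in the new `nixosConfigurations."hedgedoc"` block are dead code beside the live `inherit system;` and should be dropped; hosts/hedgedoc.nix in the same commit also sets `nixpkgs.hostPlatform = "x86_64-linux"`, so the platform is now declared in two places and should be declared in one. The agenix module line and the `environment.systemPackages` entry are copied verbatim from the matrix entry; a shared list (e.g. a `commonModules` let-binding holding `agenix.nixosModules.default`, the agenix package module and `./services/openssh.nix`) would keep the two hosts from drifting. The enclosing `outputs` function and the `system` binding start before this hunk.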
+++ b/hosts/hedgedoc.nix 
@@ -0,0 +1,158 @@
+{
+ config,
+ modulesPath,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
+
+ systemd.suppressedSystemUnits = [
+ "dev-mqueue.mount"
+ "sys-kernel-debug.mount"
+ "sys-fs-fuse-connections.mount"
+ ];
+
+ nix = {
+ optimise = {
+ automatic = true;
+ dates = [ "11:00" ];
+ };
+ settings = {
+ auto-optimise-store = true;
+ sandbox = false;
+ # Allow remote updates
+ trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 14d";
+ };
+ };
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ environment.systemPackages = with pkgs; [
+ vim
+ git
+ ];
+
+ proxmoxLXC = {
+ manageNetwork = false;
+ manageHostName = false;
+ privileged = false;
+ };
+
+ users.users.root = {
+ packages = with pkgs; [
+ kitty # for terminfo
+ fastfetch # for shits and giggles
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11"
+ ];
+ };
+
+ networking = {
+ hostName = "hedgedoc";
+ domain = "berlin.ccc.de";
+ nameservers = [
+ "2606:4700:4700::1111#one.one.one.one"
+ "2620:fe::fe#dns.quad9.net"
+ "1.1.1.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
+ ];
+ useDHCP = false;
+ useNetworkd = true;
+ dhcpcd.enable = false;
+ nftables.enable = true;
+ tempAddresses = "disabled";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22 # SSH
+ 80 # HTTP/1
+ 443 # HTTP/2
+ ];
+ allowedUDPPorts = [
+ 443 # HTTP/3
+ ];
+ };
+ };
+
+ time.timeZone = "Europe/Berlin";
+ i18n.defaultLocale = "en_GB.UTF-8";
+ console.font = "Lat2-Terminus16";
+
+ services = {
+ fstrim.enable = false; # Let Proxmox host handle fstrim
+ openssh.banner = ''
+ __ __ __
+ /\ \ /\ \ /\ \
+ \ \ \___ __ \_\ \ __ __ \_\ \ ___ ___
+ \ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\
+ \ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/
+ \ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\
+ \/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/
+ /\____/
+ \_/__/
+ '';
+ # Cache DNS lookups to improve performance
+ resolved = {
+ enable = true;
+ dnssec = "allow-downgrade";
+ dnsovertls = "true";
+ extraConfig = ''
+ Cache=true
+ CacheFromLocalhost=true
+ '';
+ };
+ };
+
+ programs = {
+ mtr.enable = true;
+ vim = {
+ enable = true;
+ defaultEditor = true;
+ };
+ htop = {
+ enable = true;
+ };
+ tmux = {
+ enable = true;
+ terminal = "screen-256color";
+ shortcut = "a";
+ newSession = true;
+ clock24 = true;
+ };
+ ssh.startAgent = true;
+ };
+
+ security = {
+ acme = {
+ acceptTerms = true;
+ defaults = {
+ validMinDays = 14;
+ renewInterval = "daily";
+ email = "acme@xengi.de";
+ group = "nginx";
+ };
+ };
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/configuration.nix b/hosts/matrix.nix
similarity index 77%
rename from configuration.nix
rename to hosts/matrix.nix
index bf26909..46ec9e8 100644
--- a/configuration.nix
+++ b/hosts/matrix.nix
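Review bot: `allowedTCPPorts` opens 80 and 443 and `allowedUDPPorts` opens 443, and `security.acme.defaults.group = "nginx"` names an nginx group, yet the hedgedoc entry in flake.nix adds only `./services/openssh.nix` next to this file, so nothing in this commit listens on those ports or provides that group. Keeping ports closed until the service exists keeps the host's exposure equal to what it actually runs; trim the lists to `22 # SSH` for now (the openssh module opens its own port by default), or add the web-server module to the hedgedoc module list in the same change. `sandbox = false` under `nix.settings` disables build isolation on this host with no stated reason; if it is forced by the unprivileged LXC, record that next to it, e.g. `sandbox = false; # unprivileged LXC: build sandbox needs user namespaces`. Note that `services.openssh.enable` and the sshd hardening settings are not in this file, so the banner here depends on `./services/openssh.nix`, which is outside the hunk.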
@@ -97,32 +97,20 @@ }; time.timeZone = "Europe/Berlin"; - i18n.defaultLocale = "en_US.UTF-8"; + i18n.defaultLocale = "en_GB.UTF-8"; console.font = "Lat2-Terminus16"; services = { fstrim.enable = false; # Let Proxmox host handle fstrim - openssh = { - enable = true; - settings = { - PermitEmptyPasswords = "no"; - PermitRootLogin = "prohibit-password"; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - banner = '' - __ __ - /\ \__ __ /\ \ - ___ ___ __ \ \ ,_\ _ __ /\_\ __ _ ___ ___ ___\ \ \____ - /' __` __`\ /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\ /'___\ /'___\ /'___\ \ '__`\ - /\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/>