From 8e9b074467006c76768efe04cf1fb1ef9d652c67 Mon Sep 17 00:00:00 2001 From: sefidel Date: Wed, 24 Jan 2024 13:29:27 +0900 Subject: initial commit --- .gitignore | 3 + LICENSE | 17 + README.md | 4 + flake.lock | 492 +++++++++++ flake.nix | 37 + lib/README.md | 13 + lib/attrs.nix | 26 + lib/default.nix | 18 + lib/misc.nix | 9 + lib/modules.nix | 54 ++ lib/system.nix | 22 + modules/README.md | 9 + modules/cachix/caches/nix-community.nix | 12 + modules/cachix/default.nix | 23 + modules/flakes.nix | 36 + modules/nix.nix | 34 + modules/persistence.nix | 47 + modules/security.nix | 69 ++ modules/services/_template.nix | 13 + modules/services/acme.nix | 52 ++ modules/services/akkoma/blocklist.toml | 164 ++++ modules/services/akkoma/default.nix | 102 +++ modules/services/akkoma/favicon-withbg.png | Bin 0 -> 17371 bytes modules/services/akkoma/favicon.png | Bin 0 -> 16693 bytes modules/services/akkoma/logo.png | Bin 0 -> 1304 bytes modules/services/akkoma/logo.svg | 71 ++ modules/services/akkoma/robots.txt | 2 + modules/services/akkoma/terms-of-service.html | 26 + modules/services/authentik.nix | 69 ++ modules/services/backup.nix | 81 ++ modules/services/cgit/cgit-exotic.css | 953 +++++++++++++++++++++ modules/services/cgit/default.nix | 129 +++ modules/services/cinny-web.nix | 34 + modules/services/coredns/_corefile.nix | 3 + modules/services/coredns/default.nix | 18 + modules/services/coturn.nix | 64 ++ modules/services/dovecot.nix | 18 + modules/services/element-web.nix | 47 + modules/services/fail2ban.nix | 20 + modules/services/git-daemon/_git-daemon-module.nix | 137 +++ modules/services/git-daemon/default.nix | 31 + modules/services/gitolite/default.nix | 110 +++ modules/services/gitolite/fix-refs | 9 + modules/services/gitolite/post-receive | 19 + modules/services/gitolite/rename | 63 ++ modules/services/jitsi.nix | 43 + modules/services/ldap.nix | 76 ++ .../matrix-bridge/_mautrix-discord-module.nix | 205 +++++ .../matrix-bridge/_mautrix-signal-module.nix | 204 +++++ modules/services/matrix-bridge/default.nix | 390 +++++++++ modules/services/matrix-homeserver.nix | 190 ++++ modules/services/matrix-moderation.nix | 58 ++ modules/services/metrics.nix | 169 ++++ modules/services/nebula.nix | 18 + modules/services/nginx.nix | 37 + modules/services/nixos-mailserver.nix | 159 ++++ modules/services/obsidian-livesync.nix | 63 ++ modules/services/postgresql.nix | 34 + modules/services/rss.nix | 64 ++ modules/services/searx.nix | 50 ++ modules/services/sefidel-web.nix | 26 + modules/services/soju.nix | 40 + modules/services/tailscale.nix | 22 + modules/services/vikunja.nix | 50 ++ modules/sops.nix | 19 + 65 files changed, 5077 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 lib/README.md create mode 100644 lib/attrs.nix create mode 100644 lib/default.nix create mode 100644 lib/misc.nix create mode 100644 lib/modules.nix create mode 100644 lib/system.nix create mode 100644 modules/README.md create mode 100644 modules/cachix/caches/nix-community.nix create mode 100644 modules/cachix/default.nix create mode 100644 modules/flakes.nix create mode 100644 modules/nix.nix create mode 100644 modules/persistence.nix create mode 100644 modules/security.nix create mode 100644 modules/services/_template.nix create mode 100644 modules/services/acme.nix create mode 100644 modules/services/akkoma/blocklist.toml create mode 100644 modules/services/akkoma/default.nix create mode 100644 modules/services/akkoma/favicon-withbg.png create mode 100644 modules/services/akkoma/favicon.png create mode 100644 modules/services/akkoma/logo.png create mode 100644 modules/services/akkoma/logo.svg create mode 100644 modules/services/akkoma/robots.txt create mode 100644 modules/services/akkoma/terms-of-service.html create mode 100644 modules/services/authentik.nix create mode 100644 modules/services/backup.nix create mode 100644 modules/services/cgit/cgit-exotic.css create mode 100644 modules/services/cgit/default.nix create mode 100644 modules/services/cinny-web.nix create mode 100644 modules/services/coredns/_corefile.nix create mode 100644 modules/services/coredns/default.nix create mode 100644 modules/services/coturn.nix create mode 100644 modules/services/dovecot.nix create mode 100644 modules/services/element-web.nix create mode 100644 modules/services/fail2ban.nix create mode 100644 modules/services/git-daemon/_git-daemon-module.nix create mode 100644 modules/services/git-daemon/default.nix create mode 100644 modules/services/gitolite/default.nix create mode 100644 modules/services/gitolite/fix-refs create mode 100644 modules/services/gitolite/post-receive create mode 100644 modules/services/gitolite/rename create mode 100644 modules/services/jitsi.nix create mode 100644 modules/services/ldap.nix create mode 100644 modules/services/matrix-bridge/_mautrix-discord-module.nix create mode 100644 modules/services/matrix-bridge/_mautrix-signal-module.nix create mode 100644 modules/services/matrix-bridge/default.nix create mode 100644 modules/services/matrix-homeserver.nix create mode 100644 modules/services/matrix-moderation.nix create mode 100644 modules/services/metrics.nix create mode 100644 modules/services/nebula.nix create mode 100644 modules/services/nginx.nix create mode 100644 modules/services/nixos-mailserver.nix create mode 100644 modules/services/obsidian-livesync.nix create mode 100644 modules/services/postgresql.nix create mode 100644 modules/services/rss.nix create mode 100644 modules/services/searx.nix create mode 100644 modules/services/sefidel-web.nix create mode 100644 modules/services/soju.nix create mode 100644 modules/services/tailscale.nix create mode 100644 modules/services/vikunja.nix create mode 100644 modules/sops.nix diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f3790b5 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +result +*.qcow2 +**/**/.DS_Store diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..f08ca97 --- /dev/null +++ b/LICENSE @@ -0,0 +1,17 @@ +ISC License +=================================== + +Copyright (c) 2024, sefidel + +Permission to use, copy, modify, and/or distribute this software for any purpose +with or without fee is hereby granted, provided that the above copyright notice +and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND +FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS +OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER +TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF +THIS SOFTWARE. + diff --git a/README.md b/README.md new file mode 100644 index 0000000..43d47eb --- /dev/null +++ b/README.md @@ -0,0 +1,4 @@ +exotic->infra-modules +============= + +High-level NixOS configuration modules for exotic.sh infrastructure. diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..4735c71 --- /dev/null +++ b/flake.lock @@ -0,0 +1,492 @@ +{ + "nodes": { + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": [ + "unstable" + ], + "nixpkgs-23-05": "nixpkgs-23-05", + "poetry2nix": "poetry2nix" + }, + "locked": { + "lastModified": 1704822856, + "narHash": "sha256-LHng0EWMNh/1pRIitisMzu4XVHswjDZpfAa5cfRO6kE=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "8ff62523708d1a3e9cf99891aaa7692dafd445a5", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1704822648, + "narHash": "sha256-N6FeNUlenbBQPAAUSqC+2GWFfte3G+Zfu5KGVJOqNZQ=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "1cd000dfe204b9605c85e6cebc051586a0329604", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2023.10.6", + "repo": "authentik", + "type": "github" + } + }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1703656108, + "narHash": "sha256-hCSUqdFJKHHbER8Cenf5JRzjMlBjIdwdftGQsO0xoJs=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "033643a45a4a920660ef91caa391fbffb14da466", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703102458, + "narHash": "sha256-3pOV731qi34Q2G8e2SqjUXqnftuFrbcq+NdagEZXISo=", + "owner": "nix-community", + "repo": "napalm", + "rev": "edcb26c266ca37c9521f6a97f33234633cbec186", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "napalm", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1698974481, + "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "4bb5e752616262457bc7ca5882192a564c0472d2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_2", + "nixpkgs": [ + "unstable" + ], + "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1703666786, + "narHash": "sha256-SLPNpM/rI8XPyVJAxMYAe+n6NiYSpuXvdwPILHP4yZI=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "b5023b36a1f6628865cb42b4353bd2ddde0ea9f4", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1673606088, + "narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs-23-05": { + "locked": { + "lastModified": 1701615100, + "narHash": "sha256-7VI84NGBvlCTduw2aHLVB62NvCiZUlALLqBe5v684Aw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e9f06adb793d1cca5384907b3b8a4071d5d7cb19", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1701253981, + "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "systems": "systems_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1701861752, + "narHash": "sha256-QfrE05P66856b1SMan69NPhjc9e82VtLxBKg3yiQGW8=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "9fc487b32a68473da4bf9573f85b388043c5ecda", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, + "root": { + "inputs": { + "authentik-nix": "authentik-nix", + "impermanence": "impermanence", + "nixos-mailserver": "nixos-mailserver", + "sefidel-web": "sefidel-web", + "sops-nix": "sops-nix", + "unstable": "unstable" + } + }, + "sefidel-web": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1696069380, + "narHash": "sha256-KKTX1XKGnglV+vGbvKjduT2QjE2snbyy8R7nNuXvnMc=", + "ref": "refs/heads/main", + "rev": "305ee346ca81883de4fc6575460021a57cacefeb", + "revCount": 6, + "type": "git", + "url": "https://git.exotic.sh/pub/sefidel/sefidel-web" + }, + "original": { + "type": "git", + "url": "https://git.exotic.sh/pub/sefidel/sefidel-web" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "unstable" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1704908274, + "narHash": "sha256-74W9Yyomv3COGRmKi8zvyA5tL2KLiVkBeaYmYLjXyOw=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c0b3a5af90fae3ba95645bbf85d2b64880addd76", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699786194, + "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "unstable": { + "locked": { + "lastModified": 1704722960, + "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..823a86f --- /dev/null +++ b/flake.nix @@ -0,0 +1,37 @@ +{ + description = "exotic.sh shared system modules"; + + inputs = { + unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + impermanence.url = "github:nix-community/impermanence"; + + authentik-nix.url = "github:nix-community/authentik-nix"; + authentik-nix.inputs.nixpkgs.follows = "unstable"; + + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "unstable"; + + nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; + nixos-mailserver.inputs.nixpkgs.follows = "unstable"; + + sefidel-web.url = "git+https://git.exotic.sh/pub/sefidel/sefidel-web"; + }; + + outputs = { self, unstable, ... } @ inputs: + let + inherit (lib.my) mapModulesRec mapModulesRec'; + + system = "x86_64-linux"; + + pkgs = import unstable { inherit system; }; + + lib = unstable.lib.extend + (self: super: { my = import ./lib { inherit pkgs inputs; lib = self; }; }); + in + { + lib = lib.my; + + nixosModules = mapModulesRec ./modules import; + }; +} diff --git a/lib/README.md b/lib/README.md new file mode 100644 index 0000000..21ca023 --- /dev/null +++ b/lib/README.md @@ -0,0 +1,13 @@ +infra->lib +========== + +Attribution +----------- + +Most of the 'moving parts' of this is largely copied/modified from: + +- [hlissner/dotfiles][hlissner]: 2023-Feb, MIT (C) Henrik Lissner +- [NobbZ/nixos-config][nobbz]: 2022, MIT (C) Nobert Melzer + +[hlissner]: https://github.com/hlissner/dotfiles +[nobbz]: https://github.com/NobbZ/nixos-config diff --git a/lib/attrs.nix b/lib/attrs.nix new file mode 100644 index 0000000..0f8ebd1 --- /dev/null +++ b/lib/attrs.nix @@ -0,0 +1,26 @@ +{ lib, ... }: + +with builtins; +with lib; +rec { + # attrsToList + attrsToList = attrs: + mapAttrsToList (name: value: { inherit name value; }) attrs; + + # mapFilterAttrs :: + # (name -> value -> bool) + # (name -> value -> { name = any; value = any; }) + # attrs + mapFilterAttrs = pred: f: attrs: filterAttrs pred (mapAttrs' f attrs); + + # Generate an attribute set by mapping a function over a list of values. + genAttrs' = values: f: listToAttrs (map f values); + + # anyAttrs :: (name -> value -> bool) attrs + anyAttrs = pred: attrs: + any (attr: pred attr.name attr.value) (attrsToList attrs); + + # countAttrs :: (name -> value -> bool) attrs + countAttrs = pred: attrs: + count (attr: pred attr.name attr.value) (attrsToList attrs); +} diff --git a/lib/default.nix b/lib/default.nix new file mode 100644 index 0000000..a275c09 --- /dev/null +++ b/lib/default.nix @@ -0,0 +1,18 @@ +{ inputs, lib, pkgs, ... }: + +let + inherit (lib) makeExtensible attrValues foldr; + inherit (modules) mapModules; + + modules = import ./modules.nix { + inherit lib; + self.attrs = import ./attrs.nix { inherit lib; self = { }; }; + }; + + mylib = makeExtensible (self: + with self; mapModules ./. + (file: import file { inherit self lib pkgs inputs; })); +in +mylib.extend + (self: super: + foldr (a: b: a // b) { } (attrValues super)) diff --git a/lib/misc.nix b/lib/misc.nix new file mode 100644 index 0000000..484d0d5 --- /dev/null +++ b/lib/misc.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: + +rec { + # ifd3f/infra + wrapFile = name: path: + (pkgs.runCommand name { inherit path; } '' + cp -r "$path" "$out" + ''); +} diff --git a/lib/modules.nix b/lib/modules.nix new file mode 100644 index 0000000..ef7c289 --- /dev/null +++ b/lib/modules.nix @@ -0,0 +1,54 @@ +{ self, lib, ... }: + +let + inherit (builtins) attrValues readDir pathExists concatLists; + inherit (lib) id mapAttrsToList filterAttrs hasPrefix hasSuffix nameValuePair removeSuffix; + inherit (self.attrs) mapFilterAttrs; +in +rec { + mapModules = dir: fn: + mapFilterAttrs + (n: v: + v != null && + !(hasPrefix "_" n)) + (n: v: + let path = "${toString dir}/${n}"; in + if v == "directory" && pathExists "${path}/default.nix" + then nameValuePair n (fn path) + else if v == "regular" && + n != "default.nix" && + hasSuffix ".nix" n + then nameValuePair (removeSuffix ".nix" n) (fn path) + else nameValuePair "" null) + (readDir dir); + + mapModules' = dir: fn: + attrValues (mapModules dir fn); + + mapModulesRec = dir: fn: + mapFilterAttrs + (n: v: + v != null && + !(hasPrefix "_" n)) + (n: v: + let path = "${toString dir}/${n}"; in + if v == "directory" + then nameValuePair n (mapModulesRec path fn) + else if v == "regular" && n != "default.nix" && hasSuffix ".nix" n + then nameValuePair (removeSuffix ".nix" n) (fn path) + else nameValuePair "" null) + (readDir dir); + + mapModulesRec' = dir: fn: + let + dirs = + mapAttrsToList + (k: _: "${dir}/${k}") + (filterAttrs + (n: v: v == "directory" && !(hasPrefix "_" n)) + (readDir dir)); + files = attrValues (mapModules dir id); + paths = files ++ concatLists (map (d: mapModulesRec' d id) dirs); + in + map fn paths; +} diff --git a/lib/system.nix b/lib/system.nix new file mode 100644 index 0000000..8fc4dce --- /dev/null +++ b/lib/system.nix @@ -0,0 +1,22 @@ +{ self, inputs, lib, pkgs, ... }: + +with lib; +with lib.my; +{ + mkSystem = path: attrs @ { ... }: { + imports = [ + { + networking.hostName = mkDefault + (removeSuffix ".nix" (baseNameOf path)); + system.configurationRevision = self.rev or "dirty"; + } + ../. # /default.nix + (import path) + ]; + }; + + mapSystems = dir: attrs @ { system ? system, ... }: + mapModules dir + (hostPath: mkSystem hostPath attrs); +} + diff --git a/modules/README.md b/modules/README.md new file mode 100644 index 0000000..25031dc --- /dev/null +++ b/modules/README.md @@ -0,0 +1,9 @@ +infra->modules +============== + +This is all the modules used to configure our systems based on its purposes. + +As of now, it doesn't have any clear "naming convention", but generally it's +`` for a module configuring one thing, `` otherwise. + +e.g) `dendrite` -> `dendrite`, `prometheus`, `grafana` -> `metrics` diff --git a/modules/cachix/caches/nix-community.nix b/modules/cachix/caches/nix-community.nix new file mode 100644 index 0000000..d323939 --- /dev/null +++ b/modules/cachix/caches/nix-community.nix @@ -0,0 +1,12 @@ +{ config, lib, ... }: + +{ + nix.settings = { + substituters = [ + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; +} diff --git a/modules/cachix/default.nix b/modules/cachix/default.nix new file mode 100644 index 0000000..5222457 --- /dev/null +++ b/modules/cachix/default.nix @@ -0,0 +1,23 @@ +{ config, pkgs, lib, ... }: + +with lib; +let + cfg = config.modules.cachix; + + folder = ./caches; + toImport = name: value: folder + ("/" + name); + filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; + imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); +in +{ + inherit imports; + + options.modules.cachix = { + enable = mkEnableOption "cachix"; + }; + + config = mkIf cfg.enable { + nix.settings.substituters = [ "https://cache.nixos.org/" ]; + environment.systemPackages = [ pkgs.cachix ]; + }; +} diff --git a/modules/flakes.nix b/modules/flakes.nix new file mode 100644 index 0000000..4297fda --- /dev/null +++ b/modules/flakes.nix @@ -0,0 +1,36 @@ +{ config, inputs, pkgs, lib, ... }: + +with lib; +let + base = "/etc/nixpkgs/channels"; + nixpkgsPath = "${base}/nixpkgs"; + nixpkgsSmallPath = "${base}/nixpkgsSmall"; + nixpkgs2111Path = "${base}/nixpkgs2111"; +in +{ + options.nix.flakes.enable = mkEnableOption "nix flakes"; + + config = lib.mkIf config.nix.flakes.enable { + nix = { + package = pkgs.nixUnstable; + experimentalFeatures = "nix-command flakes"; + + registry.nixpkgs.flake = inputs.unstable; + registry.nixpkgsSmall.flake = inputs.unstable-small; + registry.nixpkgs2111.flake = inputs.nixpkgs-2111; + + nixPath = [ + "nixpkgs=${nixpkgsPath}" + "nixpkgsSmall=${nixpkgsSmallPath}" + "nixpkgs2111=${nixpkgs2111Path}" + "/nix/var/nix/profiles/per-user/root/channels" + ]; + }; + + systemd.tmpfiles.rules = [ + "L+ ${nixpkgsPath} - - - - ${inputs.unstable}" + "L+ ${nixpkgsSmallPath} - - - - ${inputs.unstable-small}" + "L+ ${nixpkgs2111Path} - - - - ${inputs.nixpkgs-2111}" + ]; + }; +} diff --git a/modules/nix.nix b/modules/nix.nix new file mode 100644 index 0000000..8396739 --- /dev/null +++ b/modules/nix.nix @@ -0,0 +1,34 @@ +{ config, lib, ... }: + +let + allowed = config.nix.allowedUnfree; +in +{ + options.nix = { + experimentalFeatures = lib.mkOption { + type = lib.types.separatedString " "; + default = ""; + description = '' + Enables experimental features + ''; + }; + + allowedUnfree = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = '' + Allows for unfree packages by their name. + ''; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf (config.nix.experimentalFeatures != "") { nix.extraOptions = "experimental-features = ${config.nix.experimentalFeatures}"; }) + (lib.mkIf (allowed != [ ]) { nixpkgs.config.allowUnfreePredicate = (pkg: __elem (lib.getName pkg) allowed); }) + { nix.settings.auto-optimise-store = lib.mkDefault true; } + { + nix.gc.automatic = lib.mkDefault true; + nix.gc.options = lib.mkDefault "--delete-older-than 10d"; + } + ]; +} diff --git a/modules/persistence.nix b/modules/persistence.nix new file mode 100644 index 0000000..e7a8e90 --- /dev/null +++ b/modules/persistence.nix @@ -0,0 +1,47 @@ +{ config, inputs, lib, ... }: + + +with lib; +let + cfg = config.modules.persistence; +in +{ + imports = [ + inputs.impermanence.nixosModules.impermanence + ]; + + options.modules.persistence = { + enable = mkEnableOption "impermanence persistence"; + + storagePath = lib.mkOption { + type = types.path; + description = '' + The path to persistent storage where the real + files and directories should be stored. + ''; + }; + + directories = mkOption { + type = types.listOf types.str; + default = [ ]; + }; + }; + + config = mkIf cfg.enable { + fileSystems.${cfg.storagePath}.neededForBoot = true; + + environment.persistence.${cfg.storagePath}.directories = cfg.directories; + + services.openssh.hostKeys = [ + { + path = "${cfg.storagePath}/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "${cfg.storagePath}/ssh/ssh_host_rsa_key"; + type = "rsa"; + bits = 4096; + } + ]; + }; +} diff --git a/modules/security.nix b/modules/security.nix new file mode 100644 index 0000000..d345757 --- /dev/null +++ b/modules/security.nix @@ -0,0 +1,69 @@ +{ config, lib, ... }: + +with lib; +let + cfg = config.modules.security; +in +{ + options.modules.security = { + enable = mkEnableOption "Security-related system tweaks"; + }; + + config = mkIf cfg.enable { + # Security-related system tweaks + + # Prevent replacing the running kernel without reboot. + security.protectKernelImage = true; + + # mount /tmp in ram. This makes temp file management faster + # on ssd systems, and volatile! Because it's wiped on reboot. + boot.tmp.useTmpfs = false; + boot.tmp.tmpfsSize = "80%"; + + # Purge /tmp on boot. (fallback option) + boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); + + boot.kernel.sysctl = { + # The Magic SysRq key is a key combo that allows users connected to the + # system console of a Linux kernel to perform some low-level commands. + # Disable it, since we don't need it, and is a potential security concern. + "kernel.sysrq" = 0; + + ## TCP hardening + # Prevent bogus ICMP errors from filling up logs. + "net.ipv4.icmp_ignore_bogus_error_responses" = 1; + # Reverse path filtering causes the kernel to do source validation of + # packets received from all interfaces. This can mitigate IP spoofing. + "net.ipv4.conf.default.rp_filter" = 1; + "net.ipv4.conf.all.rp_filter" = 1; + # Do not accept IP source route packets (we're not a router) + "net.ipv4.conf.all.accept_source_route" = 0; + "net.ipv6.conf.all.accept_source_route" = 0; + # Don't send ICMP redirects (again, we're on a router) + "net.ipv4.conf.all.send_redirects" = 0; + "net.ipv4.conf.default.send_redirects" = 0; + # Refuse ICMP redirects (MITM mitigations) + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + # Protects against SYN flood attacks + "net.ipv4.tcp_syncookies" = 1; + # Incomplete protection again TIME-WAIT assassination + "net.ipv4.tcp_rfc1337" = 1; + + ## TCP optimization + # TCP Fast Open is a TCP extension that reduces network latency by packing + # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for + # both incoming and outgoing connections: + "net.ipv4.tcp_fastopen" = 3; + # Bufferbloat mitigations + slight improvement in throughput & latency + "net.ipv4.tcp_congestion_control" = "bbr"; + "net.core.default_qdisc" = "cake"; + }; + + boot.kernelModules = [ "tcp_bbr" ]; + }; +} diff --git a/modules/services/_template.nix b/modules/services/_template.nix new file mode 100644 index 0000000..26634a4 --- /dev/null +++ b/modules/services/_template.nix @@ -0,0 +1,13 @@ +{ config, lib, ... }: + +with lib; +let + cfg = config.modules.services._template; +in +{ + options.modules.services._template = { + enable = mkEnableOption ""; + }; + + config = mkIf cfg.enable { }; +} diff --git a/modules/services/acme.nix b/modules/services/acme.nix new file mode 100644 index 0000000..b3ebb26 --- /dev/null +++ b/modules/services/acme.nix @@ -0,0 +1,52 @@ +{ config, lib, ... }: + +with lib; +let + cfg = config.modules.services.acme; +in +{ + options.modules.services.acme = { + enable = mkEnableOption "ACME certificate manager"; + email = mkOption { + type = types.str; + description = mdDoc '' + The postmaster email address to use. + ''; + }; + certs = mkOption { + type = types.attrsOf + (types.submodule { + options = { + domain = mkOption { + type = types.nullOr types.str; + default = null; + }; + subDomains = mkOption { type = types.listOf types.str; }; + }; + }); + }; + secrets.acme-credentials = mkOption { type = types.str; description = "path to the acme environment file"; }; + }; + + config = mkIf cfg.enable { + security.acme = { + acceptTerms = true; + defaults.email = cfg.email; + certs = mapAttrs + (name: { domain, subDomains }: { + extraDomainNames = lists.forEach subDomains (elem: elem + ".${name}"); + } // { + dnsProvider = "cloudflare"; + dnsPropagationCheck = true; + credentialsFile = cfg.secrets.acme-credentials; + } // optionalAttrs (domain != null) { + domain = domain; + }) + cfg.certs; + }; + + modules.persistence.directories = [ + "/var/lib/acme" + ]; + }; +} diff --git a/modules/services/akkoma/blocklist.toml b/modules/services/akkoma/blocklist.toml new file mode 100644 index 0000000..d8f53af --- /dev/null +++ b/modules/services/akkoma/blocklist.toml @@ -0,0 +1,164 @@ +[followers_only] + +[media_nsfw] + +[reject] +"*.tk" = "Free TLD" +"*.ml" = "Free TLD" +"*.ga" = "Free TLD" +"*.cf" = "Free TLD" +"*.gq" = "Free TLD" +# Reject list from chaos.social at 2023-02-06 +"activitypub-proxy.cf" = "Only exists to evade instance blocks, details" +"activitypub-troll.cf" = "Spam" +"aethy.com" = "Lolicon" +"bae.st" = "Discrimination, racism, “free speech zone”" +"baraag.net" = "Lolicon" +"banepo.st" = "Homophobia" +"beefyboys.club" = "Discrimination, racism, “free speech zone”" +"beefyboys.win" = "Discrimination, racism, “free speech zone”" +"beta.birdsite.live" = "Twitter crossposter" +"birb.elfenban.de" = "Twitter crossposter" +"bird.evilcyberhacker.net" = "Twitter crossposter" +"bird.froth.zone" = "Twitter crossposter" +"bird.geiger.ee" = "Twitter crossposter" +"bird.im-in.space" = "Twitter crossposter" +"bird.istheguy.com" = "Twitter crossposter" +"bird.karatek.net" = "Twitter crossposter" +"bird.makeup" = "Twitter crossposter" +"bird.nzbr.de" = "Twitter crossposter" +"bird.r669.live" = "Twitter crossposter" +"bird.seafoam.space" = "Twitter crossposter" +"birdbots.leptonics.com" = "Twitter crossposter" +"birdsite.b93.dece.space" = "Twitter crossposter" +"birdsite.blazelights.dev" = "Twitter crossposter" +"birdsite.frog.fashion" = "Twitter crossposter" +"birdsite.gabeappleton.me" = "Twitter crossposter" +"birdsite.james.moody.name" = "Twitter crossposter" +"birdsite.koyu.space" = "Twitter crossposter" +"birdsite.lakedrops.com" = "Twitter crossposter" +"birdsite.link" = "Twitter crossposter" +"birdsite.monster" = "Twitter crossposter" +"birdsite.oliviaappleton.com" = "Twitter crossposter" +"birdsite.platypush.tech" = "Twitter crossposter" +"birdsite.slashdev.space" = "Twitter crossposter" +"birdsite.tcjc.uk" = "Twitter crossposter" +"birdsite.thorlaksson.com" = "Twitter crossposter" +"birdsite.toot.si" = "Twitter crossposter" +"birdsite.wilde.cloud" = "Twitter crossposter" +"birdsitelive.ffvo.dev" = "Twitter crossposter" +"birdsitelive.kevinyank.com" = "Twitter crossposter" +"birdsitelive.peanutlasko.com" = "Twitter crossposter" +"birdsitelive.treffler.cloud" = "Twitter crossposter" +"bridge.birb.space" = "Twitter crossposter" +"brighteon.social" = "“free speech zone”" +"cawfee.club" = "Discrimination, racism, “free speech zone”" +"childpawn.shop" = "Pedophilia" +"chudbuds.lol" = "Discrimination, racism, “free speech zone”" +"club.darknight-coffee.eu" = "“free speech zone”" +"clubcyberia.co" = "Homophobia" +"clube.social" = "Harassment" +"comfyboy.club" = "Discrimination, racism" +"cum.camp" = "Harassment" +"cum.salon" = "Misogynic, pedophilia" +"daishouri.moe" = "Fascism, openly advertises with swastika" +"detroitriotcity.com" = "Discrimination, racism, “free speech zone”" +"eientei.org" = "Racism, antisemitism" +"eveningzoo.club" = "Discrimination, racism, “free speech zone”" +"f.haeder.net" = "Discrimination" +"freak.university" = "Pedophilia" +"freeatlantis.com" = "Conspiracy theory instance" +"freecumextremist.com" = "Discrimination, racism, “free speech zone”" +"freefedifollowers.ga" = "Follower spam" +"freespeechextremist.com" = "Discrimination, racism, “free speech zone”" +"frennet.link" = "Discrimination, racism, “free speech zone”" +"froth.zone" = "Calls freespeechextremist their local bubble" +"gab.com/.ai, develop.gab.com" = "Discrimination, racism, “free speech zone”" +"gameliberty.club" = "“free speech zone”" +"gegenstimme.tv" = "“free speech zone”" +"genderheretics.xyz" = "Tagline “Now With 41% More Misgendering!”" +"gitmo.life" = "“free speech zone”" +"gleasonator.com" = "Transphobia, TERFs" +"glindr.org" = "Discrimination" +"glowers.club" = "Discrimination, racism, “free speech zone”" +"honkwerx.tech" = "Racism" +"iamterminally.online" = "Discrimination, racism, “free speech zone”" +"iddqd.social" = "Discrimination, racism, “free speech zone”" +"itmslaves.com" = "“free speech zone”, noagenda affiliated" +"jaeger.website" = "Discrimination, racism, “free speech zone”" +"kenfm.quadplay.tv" = "Conspiracy videos" +"kiwifarms.cc" = "Discrimination" +"lgbtfree.zone" = "Racism, transphobia, all that" +"liberdon.com" = "Conspiracy theories, transphobia, racism" +"libre.tube" = "Promotion of violence and murder, multiple other violations of our rules" +"lolicon.rocks" = "Lolicon" +"lolison.top" = "Lolicon, paedophilia" +"mastinator.com" = "Block evasion, unwanted profile mirroring, and more" +"mastodon.network" = "Instance went down, now porn spam" +"mastodon.popps.org" = "Homophobia" +"mastodong.lol" = "Admin maintains and runs activitypub-proxy.cf" +"meta-tube.de" = "Conspiracy, CoVid19 denier videos https://fediblock.org/blocklist/#meta-tube.de" +"midnightride.rs" = "Discrimination" +"misskey-forkbomb.cf" = "Spam" +"morale.ch" = "Antisemitism and more" +"mstdn.foxfam.club" = "Right wing twitter mirror" +"natehiggers.online" = "Racism" +"newjack.city" = "Exclusive to unwanted follow bots" +"nicecrew.digital" = "Discrimination, racism, “free speech zone”" +"noagendasocial.com" = "“free speech zone”, harassment" +"noagendasocial.nl" = "“free speech zone”, harassment" +"noagendatube.com" = "“free speech zone”, harassment" +"ns.auction" = "Racism etc" +"ohai.su" = "Offline" +"pawoo.net" = "Untagged nfsw content, unwanted follow bots, lolicon" +"paypig.org" = "Racism" +"pieville.net" = "Racism, antisemitism" +"pl.serialmay.link" = "Racism, transphobia" +"pl.tkammer.de" = "Transphobia" +"play.xmr.101010.pl" = "Cryptomining" +"pleroma.kitsunemimi.club" = "Discrimination" +"pleroma.narrativerry.xyz" = "Discrimination, racism, “free speech zone”" +"pleroma.nobodyhasthe.biz" = "Doxxing and discrimination" +"pleroma.rareome.ga" = "Doesn’t respect blocks or status privacy, lolicons" +"poa.st" = "Discrimination" +"podcastindex.social" = "noagenda affiliated" +"poster.place" = "Discrimination, racism, “free speech zone”, harassment in response to blocks" +"qoto.org" = "“free speech zone”, harassment" +"rapemeat.solutions" = "Lolicon and also, like, the domain name" +"rdrama.cc" = "Discrimination, “free speech zone”, racism" +"repl.co" = "Spam" +"rojogato.com" = "Harassment, “free speech zone”" +"ryona.agency" = "Alt-right trolls, harassment" +"seal.cafe" = "Discrimination, racism, “free speech zone”" +"shitpost.cloud" = "“Free speech zone”, antisemitism" +"shitposter.club" = "“Free speech zone”" +"shortstackran.ch" = "Racism, homophobia, “free speech zone”" +"shota.house" = "Lolicon" +"skippers-bin.com" = "Same admin as neckbeard.xyz, same behaviour" +"sleepy.cafe" = "Racism, harassment" +"sneak.berlin" = "privacy violation" +"sneed.social" = "Discrimination, racism, “free speech zone”, nationalism, hate speech, completely unmoderated" +"soc.ua-fediland.de" = "Spam" +"social.ancreport.com" = "Discrimination, racism, “free speech zone”" +"social.lovingexpressions.net" = "Transphobia" +"social.teci.world" = "Discrimination, racism, “free speech zone”" +"social.urspringer.de" = "Conspiracy, CoVid19 denier" +"socnet.supes.com" = "Right wing “free speech zone”" +"solagg.com" = "Scammers" +"spinster.xyz" = "Discrimination, TERFs" +"tastingtraffic.net" = "Homophobia" +"truthsocial.co.in" = "Alt-right trolls" +"tube.kenfm.de" = "Right-wing conspiracy videos" +"tube.querdenken-711.de" = "Right-wing onspiracy videos" +"tweet.pasture.moe" = "Twitter crossposter" +"tweetbridge.kogasa.de" = "Twitter crossposter" +"tweets.icu" = "Twitter crossposter" +"twitter.activitypub.actor" = "Twitter crossposter" +"twitter.doesnotexist.club" = "Twitter crossposter" +"twitterbridge.jannis.rocks" = "Twitter crossposter" +"twtr.plus" = "Twitter crossposter" +"varishangout.net" = "Transphobia and racism go unmoderated, aggressive trolling, lolicon permitted in rules" +"wiki-tube.de" = "Right-wing conspiracy videos (initial video welcomes Querdenken and KenFM)" +"wolfgirl.bar" = "Discrimination, homophobia, unmoderated trolling" +"yggdrasil.social" = "Instance rules: “No LGBTQ. Period. No homosexuality. No men who think they’re women or women who think they’re men. No made up genders.”" +"hornyjail.pro" = "Obscene speech without content warning" diff --git a/modules/services/akkoma/default.nix b/modules/services/akkoma/default.nix new file mode 100644 index 0000000..91aa2e8 --- /dev/null +++ b/modules/services/akkoma/default.nix @@ -0,0 +1,102 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.modules.services.akkoma; + + poorObfuscation = y: x: "${x}@${y}"; + federation-blocklist = lib.importTOML ./blocklist.toml; + + inherit (lib.my) wrapFile; +in +{ + options.modules.services.akkoma = { + enable = mkEnableOption "Akkoma instance"; + domain = mkOption { type = types.str; }; + realHost = mkOption { type = types.str; }; + instanceName = mkOption { type = types.str; default = "Akkoma on ${cfg.domain}"; }; + }; + + config = mkIf cfg.enable { + modules.services.postgresql.enable = true; + + services.akkoma = { + enable = true; + initDb.enable = true; + + extraStatic = { + "static/terms-of-service.html" = wrapFile "terms-of-service.html" ./terms-of-service.html; + "static/logo.svg" = wrapFile "logo.svg" ./logo.svg; + "static/logo.png" = wrapFile "logo.png" ./logo.png; + "static/logo-512.png" = wrapFile "logo-512.png" ./favicon-withbg.png; # Intentional, for PWA favicon. + "static/icon.png" = wrapFile "icon.png" ./favicon.png; + "favicon.png" = wrapFile "favicon.png" ./favicon-withbg.png; + }; + config = + let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap; + in { + ":pleroma"."Pleroma.Web.Endpoint".url.host = cfg.realHost; + ":pleroma"."Pleroma.Web.WebFinger".domain = cfg.domain; + ":pleroma".":media_proxy".enabled = false; + ":pleroma".":instance" = { + name = cfg.instanceName; + + description = "Private akkoma instance"; + email = poorObfuscation cfg.domain "postmaster"; + notify_email = poorObfuscation cfg.domain "postmaster"; + + registrations_open = false; + invites_enabled = true; + + limit = 5000; + }; + ":pleroma".":frontend_configurations" = { + pleroma_fe = mkMap { + logo = "/static/logo.png"; + }; + }; + ":pleroma".":mrf" = { + policies = map mkRaw [ "Pleroma.Web.ActivityPub.MRF.SimplePolicy" ]; + }; + ":pleroma".":mrf_simple" = { + followers_only = mkMap federation-blocklist.followers_only; + media_nsfw = mkMap federation-blocklist.media_nsfw; + reject = mkMap federation-blocklist.reject; + }; + ":pleroma"."Pleroma.Captcha" = { + enabled = true; + method = mkRaw "Pleroma.Captcha.Kocaptcha"; + }; + }; + + nginx = { + forceSSL = true; + useACMEHost = cfg.domain; + + locations."~ \\.(js|css|woff|woff2?|png|jpe?g|svg)$" = { + extraConfig = '' + add_header Cache-Control "public, max-age=14400, must-revalidate"; + ''; + + proxyPass = "http://unix:${config.services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".http.ip}"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; + }; + + services.nginx.virtualHosts.${cfg.domain} = { + forceSSL = true; + useACMEHost = cfg.domain; + + locations."/.well-known/host-meta" = { + extraConfig = '' + return 301 https://${cfg.realHost}$request_uri; + ''; + }; + }; + modules.persistence.directories = [ + "/var/lib/akkoma" + ]; + }; +} diff --git a/modules/services/akkoma/favicon-withbg.png b/modules/services/akkoma/favicon-withbg.png new file mode 100644 index 0000000..f9595ce Binary files /dev/null and b/modules/services/akkoma/favicon-withbg.png differ diff --git a/modules/services/akkoma/favicon.png b/modules/services/akkoma/favicon.png new file mode 100644 index 0000000..d8cbce3 Binary files /dev/null and b/modules/services/akkoma/favicon.png differ diff --git a/modules/services/akkoma/logo.png b/modules/services/akkoma/logo.png new file mode 100644 index 0000000..7744b1a Binary files /dev/null and b/modules/services/akkoma/logo.png differ diff --git a/modules/services/akkoma/logo.svg b/modules/services/akkoma/logo.svg new file mode 100644 index 0000000..68e647e --- /dev/null +++ b/modules/services/akkoma/logo.svg @@ -0,0 +1,71 @@ + + + + + + image/svg+xml + + + + + + + + + + + + + + + diff --git a/modules/services/akkoma/robots.txt b/modules/services/akkoma/robots.txt new file mode 100644 index 0000000..1f53798 --- /dev/null +++ b/modules/services/akkoma/robots.txt @@ -0,0 +1,2 @@ +User-agent: * +Disallow: / diff --git a/modules/services/akkoma/terms-of-service.html b/modules/services/akkoma/terms-of-service.html new file mode 100644 index 0000000..33c7ff3 --- /dev/null +++ b/modules/services/akkoma/terms-of-service.html @@ -0,0 +1,26 @@ + + + + +

Terms of Service

+

This is a private instance with only me and my friends. Here's the rules:

+
    +
  1. +

    No discrimination based on race, gender, sexual orientation, disabilities, or any other characteristic.

    +
    2. +
  2. +

    No harassment or doxxing towards others.

    +
    3. +
  3. +

    No promotion of violence.

    +
    4. +
  4. +

    No content that is illegal in United Kingdom, Japan, Finland, Germany, and South Korea.

    +
    5. +
  5. +

    Use content warnings for explicit or controversial content.

    +
    6. +
+

Any account that doesn't abide by the rules specified above will be terminated without prior notice.

+ + diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix new file mode 100644 index 0000000..10241b9 --- /dev/null +++ b/modules/services/authentik.nix @@ -0,0 +1,69 @@ +{ inputs, config, lib, ... }: + +with lib; +let + cfg = config.modules.services.authentik; +in +{ + imports = [ inputs.authentik-nix.nixosModules.default ]; + + options.modules.services.authentik = { + enable = mkEnableOption "Authentik - Identity Provider"; + domain = mkOption { type = types.str; }; + realHost = mkOption { type = types.str; default = "authentik.${cfg.domain}"; }; + email = { + host = mkOption { type = types.str; default = "smtp.${cfg.domain}"; }; + username = mkOption { type = types.str; default = "authentik@${cfg.domain}"; }; + from = mkOption { type = types.str; default = cfg.email.username; }; + }; + secrets = { + authentik-envs = mkOption { type = types.path; description = "path to the environment file"; }; + }; + }; + + config = mkIf cfg.enable { + services.authentik = { + enable = true; + + environmentFile = cfg.secrets.authentik-envs; + + settings = { + email = { + host = cfg.email.host; + port = 587; + username = cfg.email.username; + use_tls = true; + use_ssl = false; + from = cfg.email.from; + }; + + cert_discovery_dir = "env://CREDENTIALS_DIRECTORY"; + }; + nginx = { + # This is configured manually since authentik-nix doesn't support + # cases where cert domain != nginx host + enable = false; + enableACME = false; + # host = cfg.realHost; + }; + }; + + modules.persistence.directories = [ + "/var/lib/private/authentik" + ]; + + systemd.services.authentik-worker.serviceConfig.LoadCredential = [ + "${cfg.domain}.pem:${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem" + "${cfg.domain}.key:${config.security.acme.certs.${cfg.domain}.directory}/key.pem" + ]; + + services.nginx.virtualHosts.${cfg.realHost} = { + useACMEHost = cfg.domain; + forceSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "https://localhost:9443"; + }; + }; + }; +} diff --git a/modules/services/backup.nix b/modules/services/backup.nix new file mode 100644 index 0000000..9770b43 --- /dev/null +++ b/modules/services/backup.nix @@ -0,0 +1,81 @@ +{ config, lib, ... }: + +with lib; +let + cfg = config.modules.services.backup; +in +{ + options.modules.services.backup = { + enable = mkEnableOption "borg-based backup solution"; + name = lib.mkOption { + type = lib.types.str; + default = "${config.networking.hostName}-rolling"; + description = '' + Name of the backup job + ''; + }; + + paths = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = '' + Paths to back up + ''; + }; + exclude = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = '' + Paths to exclude + ''; + }; + repo = lib.mkOption { + type = lib.types.str; + description = '' + Path to the repository to back up to + ''; + }; + repoKeyPath = lib.mkOption { + type = lib.types.str; + description = '' + Path to the repository key + ''; + }; + sshKeyPath = lib.mkOption { + type = lib.types.str; + description = '' + Path to the ssh key + ''; + }; + rsyncNet = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether to enable rsync.net specific patches + ''; + }; + }; + + config = mkIf cfg.enable { + services.borgbackup.jobs.${cfg.name} = { + inherit (cfg) paths exclude repo; + + prune.keep = { + within = "1d"; # Keep all archives from the last day + daily = 7; + weekly = 4; + monthly = 3; + }; + + encryption.mode = "repokey-blake2"; + encryption.passCommand = "cat ${cfg.repoKeyPath}"; + + environment.BORG_RSH = "ssh -i ${cfg.sshKeyPath}"; + environment.BORG_REMOTE_PATH = lib.mkIf cfg.rsyncNet "/usr/local/bin/borg1/borg1"; + # use borg 1.0+ on rsync.net + extraCreateArgs = "--verbose --stats --checkpoint-interval 600"; + compression = "auto,zstd"; + startAt = "*-*-* 03:00:00"; # pgsql backup runs on 01:15:00 + persistentTimer = true; + }; + }; +} diff --git a/modules/services/cgit/cgit-exotic.css b/modules/services/cgit/cgit-exotic.css new file mode 100644 index 0000000..32117c7 --- /dev/null +++ b/modules/services/cgit/cgit-exotic.css @@ -0,0 +1,953 @@ +div#cgit { + padding: 0em; + margin: 0em; + font-family: sans-serif; + font-size: 10pt; + color: #333; + background: white; + padding: 4px; +} + +div#cgit a { + color: blue; + text-decoration: none; +} + +div#cgit a:hover { + text-decoration: underline; +} + +div#cgit table { + border-collapse: collapse; +} + +div#cgit table#header { + width: 100%; + margin-bottom: 1em; +} + +div#cgit table#header td.logo { + width: 96px; + vertical-align: top; +} + +div#cgit table#header td.main { + font-size: 250%; + padding-left: 10px; + white-space: nowrap; +} + +div#cgit table#header td.main a { + color: #000; +} + +div#cgit table#header td.form { + text-align: right; + vertical-align: bottom; + padding-right: 1em; + padding-bottom: 2px; + white-space: nowrap; +} + +div#cgit table#header td.form form, +div#cgit table#header td.form input, +div#cgit table#header td.form select { + font-size: 90%; +} + +div#cgit table#header td.sub { + color: #777; + border-top: solid 1px #ccc; + padding-left: 10px; +} + +div#cgit table.tabs { + border-bottom: solid 3px #ccc; + border-collapse: collapse; + margin-top: 2em; + margin-bottom: 0px; + width: 100%; +} + +div#cgit table.tabs td { + padding: 0px 1em; + vertical-align: bottom; +} + +div#cgit table.tabs td a { + padding: 2px 0.25em; + color: #777; + font-size: 110%; +} + +div#cgit table.tabs td a.active { + color: #000; + background-color: #ccc; +} + +div#cgit table.tabs a[href^="http://"]:after, div#cgit table.tabs a[href^="https://"]:after { + content: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAQAAAAnOwc2AAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfgAhcJDQY+gm2TAAAAHWlUWHRDb21tZW50AAAAAABDcmVhdGVkIHdpdGggR0lNUGQuZQcAAABbSURBVAhbY2BABs4MU4CwhYHBh2Erww4wrGFQZHjI8B8IgUIscJWyDHcggltQhI4zGDCcRwhChPggHIggP1QoAVmQkSETrGoHsiAEsACtBYN0oDAMbgU6EBcAAL2eHUt4XUU4AAAAAElFTkSuQmCC); + opacity: 0.5; + margin: 0 0 0 5px; +} + +div#cgit table.tabs td.form { + text-align: right; +} + +div#cgit table.tabs td.form form { + padding-bottom: 2px; + font-size: 90%; + white-space: nowrap; +} + +div#cgit table.tabs td.form input, +div#cgit table.tabs td.form select { + font-size: 90%; +} + +div#cgit div.path { + margin: 0px; + padding: 5px 2em 2px 2em; + color: #000; + background-color: #eee; +} + +div#cgit div.content { + margin: 0px; + padding: 2em; + border-bottom: solid 3px #ccc; +} + + +div#cgit table.list { + width: 100%; + border: none; + border-collapse: collapse; +} + +div#cgit table.list tr { + background: white; +} + +div#cgit table.list tr.logheader { + background: #eee; +} + +div#cgit table.list tr:nth-child(even) { + background: #f7f7f7; +} + +div#cgit table.list tr:nth-child(odd) { + background: white; +} + +div#cgit table.list tr:hover { + background: #eee; +} + +div#cgit table.list tr.nohover { + background: white; +} + +div#cgit table.list tr.nohover:hover { + background: white; +} + +div#cgit table.list tr.nohover-highlight:hover:nth-child(even) { + background: #f7f7f7; +} + +div#cgit table.list tr.nohover-highlight:hover:nth-child(odd) { + background: white; +} + +div#cgit table.list th { + font-weight: bold; + /* color: #888; + border-top: dashed 1px #888; + border-bottom: dashed 1px #888; + */ + padding: 0.1em 0.5em 0.05em 0.5em; + vertical-align: baseline; +} + +div#cgit table.list td { + border: none; + padding: 0.1em 0.5em 0.1em 0.5em; +} + +div#cgit table.list td.commitgraph { + font-family: monospace; + white-space: pre; +} + +div#cgit table.list td.commitgraph .column1 { + color: #a00; +} + +div#cgit table.list td.commitgraph .column2 { + color: #0a0; +} + +div#cgit table.list td.commitgraph .column3 { + color: #aa0; +} + +div#cgit table.list td.commitgraph .column4 { + color: #00a; +} + +div#cgit table.list td.commitgraph .column5 { + color: #a0a; +} + +div#cgit table.list td.commitgraph .column6 { + color: #0aa; +} + +div#cgit table.list td.logsubject { + font-family: monospace; + font-weight: bold; +} + +div#cgit table.list td.logmsg { + font-family: monospace; + white-space: pre; + padding: 0 0.5em; +} + +div#cgit table.list td a { + color: black; +} + +div#cgit table.list td a.ls-dir { + font-weight: bold; + color: #00f; +} + +div#cgit table.list td a:hover { + color: #00f; +} + +div#cgit img { + border: none; +} + +div#cgit input#switch-btn { + margin: 2px 0px 0px 0px; +} + +div#cgit td#sidebar input.txt { + width: 100%; + margin: 2px 0px 0px 0px; +} + +div#cgit table#grid { + margin: 0px; +} + +div#cgit td#content { + vertical-align: top; + padding: 1em 2em 1em 1em; + border: none; +} + +div#cgit div#summary { + vertical-align: top; + margin-bottom: 1em; +} + +div#cgit table#downloads { + float: right; + border-collapse: collapse; + border: solid 1px #777; + margin-left: 0.5em; + margin-bottom: 0.5em; +} + +div#cgit table#downloads th { + background-col