54 files changed, 164 insertions, 3859 deletions
diff --git a/default.nix b/default.nix index 63f1796..e26e166 100644 --- a/default.nix +++ b/default.nix @@ -2,7 +2,44 @@ with lib; with lib.my; { - imports = mapModulesRec' (toString ./modules) import; + imports = with inputs.infra-modules.nixosModules; [ + nix + flakes + security + sops + flakes + cachix + services.acme + services.akkoma + services.authentik + services.backup + services.cgit + services.cinny-web + services.coredns + services.coturn + services.dovecot + services.element-web + services.fail2ban + services.git-daemon + services.gitolite + services.jitsi + services.ldap + services.matrix-bridge + services.matrix-homeserver + services.matrix-moderation + services.metrics + services.nebula + services.nginx + services.nixos-mailserver + services.obsidian-livesync + services.postgresql + services.rss + services.searx + services.sefidel-web + services.soju + services.tailscale + services.vikunja + ]; networking.useDHCP = mkDefault false; } @@ -8,6 +8,7 @@ "flake-utils": "flake-utils", "napalm": "napalm", "nixpkgs": [ + "infra-modules", "unstable" ], "nixpkgs-23-05": "nixpkgs-23-05", @@ -143,6 +144,21 @@ "type": "github" } }, + "flake-utils_3": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "impermanence": { "locked": { "lastModified": 1703656108, 
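Review bot: `flakes` appears twice in the new `imports` list (once right after `nix`, again between `sops` and `cachix`), so the same module from `inputs.infra-modules.nixosModules` is imported two times. Whether that is harmless depends on how the module is defined in infra-modules, which is not visible here: the module system deduplicates path imports and modules carrying a `key`, but a bare attribute set without one is evaluated twice and can surface as conflicting definitions for non-mergeable options. Removing the second entry is safe in either case, so `sops` should be followed directly by `cachix`. Since every listed module is now imported unconditionally on each host, it is also worth confirming that each one still gates its effect behind an `enable` option the way the removed in-tree modules did.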
@@ -158,13 +174,40 @@ "type": "github" } }, + "infra-modules": { + "inputs": { + "authentik-nix": "authentik-nix", + "impermanence": "impermanence", + "nixos-mailserver": "nixos-mailserver", + "sefidel-web": "sefidel-web", + "sops-nix": "sops-nix", + "unstable": [ + "unstable" + ] + }, + "locked": { + "lastModified": 1706090394, + "narHash": "sha256-vRBUWkZVMkkRb7Hk9BD+dgzvXB50Ip4rflT9P9iiY2A=", + "ref": "refs/heads/main", + "rev": "8e9b074467006c76768efe04cf1fb1ef9d652c67", + "revCount": 1, + "type": "git", + "url": "https://git.exotic.sh/infra-modules" + }, + "original": { + "type": "git", + "url": "https://git.exotic.sh/infra-modules" + } + }, "napalm": { "inputs": { "flake-utils": [ + "infra-modules", "authentik-nix", "flake-utils" ], "nixpkgs": [ + "infra-modules", "authentik-nix", "nixpkgs" ] @@ -186,6 +229,7 @@ "nix-github-actions": { "inputs": { "nixpkgs": [ + "infra-modules", "authentik-nix", "poetry2nix", "nixpkgs" @@ -210,6 +254,7 @@ "blobs": "blobs", "flake-compat": "flake-compat_2", "nixpkgs": [ + "infra-modules", "unstable" ], "nixpkgs-22_11": "nixpkgs-22_11", 
@@ -342,14 +387,48 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1673606088, + "narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "poetry2nix": { "inputs": { "flake-utils": [ + "infra-modules", "authentik-nix", "flake-utils" ], "nix-github-actions": "nix-github-actions", "nixpkgs": [ + "infra-modules", "authentik-nix", "nixpkgs" ], @@ -372,12 +451,10 @@ }, "root": { "inputs": { - "authentik-nix": "authentik-nix", - "impermanence": "impermanence", - "nixos-mailserver": "nixos-mailserver", + "infra-modules": "infra-modules", "nixpkgs-2111": "nixpkgs-2111", - "sefidel-web": "sefidel-web", - "sops-nix": "sops-nix", + "sefidel-web": "sefidel-web_2", + "sops-nix": "sops-nix_2", "unstable": "unstable", "unstable-small": "unstable-small" } 
@@ -401,9 +478,29 @@ "url": "https://git.exotic.sh/pub/sefidel/sefidel-web" } }, + "sefidel-web_2": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1696069380, + "narHash": "sha256-KKTX1XKGnglV+vGbvKjduT2QjE2snbyy8R7nNuXvnMc=", + "ref": "refs/heads/main", + "rev": "305ee346ca81883de4fc6575460021a57cacefeb", + "revCount": 6, + "type": "git", + "url": "https://git.exotic.sh/pub/sefidel/sefidel-web" + }, + "original": { + "type": "git", + "url": "https://git.exotic.sh/pub/sefidel/sefidel-web" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ + "infra-modules", "unstable" ], "nixpkgs-stable": "nixpkgs-stable" @@ -422,6 +519,27 @@ "type": "github" } }, + "sops-nix_2": { + "inputs": { + "nixpkgs": [ + "unstable" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1704908274, + "narHash": "sha256-74W9Yyomv3COGRmKi8zvyA5tL2KLiVkBeaYmYLjXyOw=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c0b3a5af90fae3ba95645bbf85d2b64880addd76", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -454,6 +572,7 @@ "treefmt-nix": { "inputs": { "nixpkgs": [ + "infra-modules", "authentik-nix", "poetry2nix", "nixpkgs" 
@@ -6,16 +6,11 @@ unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; nixpkgs-2111.url = "github:nixos/nixpkgs/nixos-21.11"; - impermanence.url = "github:nix-community/impermanence"; - - authentik-nix.url = "github:nix-community/authentik-nix"; - authentik-nix.inputs.nixpkgs.follows = "unstable"; - sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "unstable"; - nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; - nixos-mailserver.inputs.nixpkgs.follows = "unstable"; + infra-modules.url = "git+https://git.exotic.sh/infra-modules"; + infra-modules.inputs.unstable.follows = "unstable"; sefidel-web.url = "git+https://git.exotic.sh/pub/sefidel/sefidel-web"; }; @@ -34,8 +29,6 @@ { lib = lib.my; - nixosModules = mapModulesRec ./modules import; - colmena = { meta = { nixpkgs = import unstable { inherit system; overlays = [ (import ./overlays) ]; }; diff --git a/modules/README.md b/modules/README.md deleted file mode 100644 index 25031dc..0000000 --- a/modules/README.md +++ /dev/null @@ -1,9 +0,0 @@ -infra->modules -============== - -This is all the modules used to configure our systems based on its purposes. - -As of now, it doesn't have any clear "naming convention", but generally it's -`<servicename>` for a module configuring one thing, `<capability>` otherwise. - -e.g) `dendrite` -> `dendrite`, `prometheus`, `grafana` -> `metrics` diff --git a/modules/cachix/caches/nix-community.nix b/modules/cachix/caches/nix-community.nix deleted file mode 100644 index d323939..0000000 --- a/modules/cachix/caches/nix-community.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, lib, ... }: - -{ - nix.settings = { - substituters = [ - "https://nix-community.cachix.org" - ]; - trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; - }; -} diff --git a/modules/cachix/default.nix b/modules/cachix/default.nix deleted file mode 100644 index 5222457..0000000 
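Review bot: The root flake keeps its own `sops-nix` and `sefidel-web` inputs while `infra-modules` declares the same two inputs, and nothing in this hunk ties them together, so the lock file now carries two independently pinned copies of each (`sops-nix_2` and `sefidel-web_2`). `sefidel-web_2` additionally pulls in its own `nixpkgs_2` (lastModified 1673606088, i.e. January 2023) instead of following `unstable`, so that package is evaluated against a nixpkgs roughly a year older than the rest of the system. Adding `infra-modules.inputs.sops-nix.follows = "sops-nix";`, `infra-modules.inputs.sefidel-web.follows = "sefidel-web";` and `sefidel-web.inputs.nixpkgs.follows = "unstable";` leaves a single pinned revision of each and a single nixpkgs to patch. Note that `infra-modules` now supplies the `security`, `sops`, ACME and mail-server modules, so the `git+https` pin the lock records (rev 8e9b074…) is the security-relevant one to review whenever `nix flake update` moves it. The enclosing `inputs = { ... }` set begins before this hunk.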
--- a/modules/cachix/default.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; -let - cfg = config.modules.cachix; - - folder = ./caches; - toImport = name: value: folder + ("/" + name); - filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; - imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); -in -{ - inherit imports; - - options.modules.cachix = { - enable = mkEnableOption "cachix"; - }; - - config = mkIf cfg.enable { - nix.settings.substituters = [ "https://cache.nixos.org/" ]; - environment.systemPackages = [ pkgs.cachix ]; - }; -} diff --git a/modules/flakes.nix b/modules/flakes.nix deleted file mode 100644 index 4297fda..0000000 --- a/modules/flakes.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ config, inputs, pkgs, lib, ... }: - -with lib; -let - base = "/etc/nixpkgs/channels"; - nixpkgsPath = "${base}/nixpkgs"; - nixpkgsSmallPath = "${base}/nixpkgsSmall"; - nixpkgs2111Path = "${base}/nixpkgs2111"; -in -{ - options.nix.flakes.enable = mkEnableOption "nix flakes"; - - config = lib.mkIf config.nix.flakes.enable { - nix = { - package = pkgs.nixUnstable; - experimentalFeatures = "nix-command flakes"; - - registry.nixpkgs.flake = inputs.unstable; - registry.nixpkgsSmall.flake = inputs.unstable-small; - registry.nixpkgs2111.flake = inputs.nixpkgs-2111; - - nixPath = [ - "nixpkgs=${nixpkgsPath}" - "nixpkgsSmall=${nixpkgsSmallPath}" - "nixpkgs2111=${nixpkgs2111Path}" - "/nix/var/nix/profiles/per-user/root/channels" - ]; - }; - - systemd.tmpfiles.rules = [ - "L+ ${nixpkgsPath} - - - - ${inputs.unstable}" - "L+ ${nixpkgsSmallPath} - - - - ${inputs.unstable-small}" - "L+ ${nixpkgs2111Path} - - - - ${inputs.nixpkgs-2111}" - ]; - }; -} diff --git a/modules/nix.nix b/modules/nix.nix deleted file mode 100644 index 8396739..0000000 --- a/modules/nix.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ config, lib, ... }: - -let - allowed = config.nix.allowedUnfree; -in -{ - options.nix = { - experimentalFeatures = lib.mkOption { - type = lib.types.separatedString " "; - default = ""; - description = '' - Enables experimental features - ''; - }; - - allowedUnfree = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - description = '' - Allows for unfree packages by their name. - ''; - }; - }; - - config = lib.mkMerge [ - (lib.mkIf (config.nix.experimentalFeatures != "") { nix.extraOptions = "experimental-features = ${config.nix.experimentalFeatures}"; }) - (lib.mkIf (allowed != [ ]) { nixpkgs.config.allowUnfreePredicate = (pkg: __elem (lib.getName pkg) allowed); }) - { nix.settings.auto-optimise-store = lib.mkDefault true; } - { - nix.gc.automatic = lib.mkDefault true; - nix.gc.options = lib.mkDefault "--delete-older-than 10d"; - } - ]; -} diff --git a/modules/persistence.nix b/modules/persistence.nix deleted file mode 100644 index e7a8e90..0000000 --- a/modules/persistence.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ config, inputs, lib, ... }: - - -with lib; -let - cfg = config.modules.persistence; -in -{ - imports = [ - inputs.impermanence.nixosModules.impermanence - ]; - - options.modules.persistence = { - enable = mkEnableOption "impermanence persistence"; - - storagePath = lib.mkOption { - type = types.path; - description = '' - The path to persistent storage where the real - files and directories should be stored. - ''; - }; - - directories = mkOption { - type = types.listOf types.str; - default = [ ]; - }; - }; - - config = mkIf cfg.enable { - fileSystems.${cfg.storagePath}.neededForBoot = true; - - environment.persistence.${cfg.storagePath}.directories = cfg.directories; - - services.openssh.hostKeys = [ - { - path = "${cfg.storagePath}/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - { - path = "${cfg.storagePath}/ssh/ssh_host_rsa_key"; - type = "rsa"; - bits = 4096; - } - ]; - }; -} 
diff --git a/modules/security.nix b/modules/security.nix deleted file mode 100644 index d345757..0000000 --- a/modules/security.nix +++ /dev/null 
@@ -1,69 +0,0 @@ -{ config, lib, ... }: - -with lib; -let - cfg = config.modules.security; -in -{ - options.modules.security = { - enable = mkEnableOption "Security-related system tweaks"; - }; - - config = mkIf cfg.enable { - # Security-related system tweaks - - # Prevent replacing the running kernel without reboot. - security.protectKernelImage = true; - - # mount /tmp in ram. This makes temp file management faster - # on ssd systems, and volatile! Because it's wiped on reboot. - boot.tmp.useTmpfs = false; - boot.tmp.tmpfsSize = "80%"; - - # Purge /tmp on boot. (fallback option) - boot.tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs); - - boot.kernel.sysctl = { - # The Magic SysRq key is a key combo that allows users connected to the - # system console of a Linux kernel to perform some low-level commands. - # Disable it, since we don't need it, and is a potential security concern. - "kernel.sysrq" = 0; - - ## TCP hardening - # Prevent bogus ICMP errors from filling up logs. - "net.ipv4.icmp_ignore_bogus_error_responses" = 1; - # Reverse path filtering causes the kernel to do source validation of - # packets received from all interfaces. This can mitigate IP spoofing. 
- "net.ipv4.conf.default.rp_filter" = 1; - "net.ipv4.conf.all.rp_filter" = 1; - # Do not accept IP source route packets (we're not a router) - "net.ipv4.conf.all.accept_source_route" = 0; - "net.ipv6.conf.all.accept_source_route" = 0; - # Don't send ICMP redirects (again, we're on a router) - "net.ipv4.conf.all.send_redirects" = 0; - "net.ipv4.conf.default.send_redirects" = 0; - # Refuse ICMP redirects (MITM mitigations) - "net.ipv4.conf.all.accept_redirects" = 0; - "net.ipv4.conf.default.accept_redirects" = 0; - "net.ipv4.conf.all.secure_redirects" = 0; - "net.ipv4.conf.default.secure_redirects" = 0; - "net.ipv6.conf.all.accept_redirects" = 0; - "net.ipv6.conf.default.accept_redirects" = 0; - # Protects against SYN flood attacks - "net.ipv4.tcp_syncookies" = 1; - # Incomplete protection again TIME-WAIT assassination - "net.ipv4.tcp_rfc1337" = 1; - - ## TCP optimization - # TCP Fast Open is a TCP extension that reduces network latency by packing - # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for - # both incoming and outgoing connections: - "net.ipv4.tcp_fastopen" = 3; - # Bufferbloat mitigations + slight improvement in throughput & latency - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.core.default_qdisc" = "cake"; - }; - - boot.kernelModules = [ "tcp_bbr" ]; - }; -} diff --git a/modules/services/_template.nix b/modules/services/_template.nix deleted file mode 100644 index 26634a4..0000000 --- a/modules/services/_template.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, lib, ... }: - -with lib; -let - cfg = config.modules.services._template; -in -{ - options.modules.services._template = { - enable = mkEnableOption ""; - }; - - config = mkIf cfg.enable { }; -} diff --git a/modules/services/acme.nix b/modules/services/acme.nix deleted file mode 100644 index b3ebb26..0000000 --- a/modules/services/acme.nix +++ /dev/null 
@@ -1,52 +0,0 @@ -{ config, lib, ... }: - -with lib; -let - cfg = config.modules.services.acme; -in -{ - options.modules.services.acme = { - enable = mkEnableOption "ACME certificate manager"; - email = mkOption { - type = types.str; - description = mdDoc '' - The postmaster email address to use. - ''; - }; - certs = mkOption { - type = types.attrsOf - (types.submodule { - options = { - domain = mkOption { - type = types.nullOr types.str; - default = null; - }; - subDomains = mkOption { type = types.listOf types.str; }; - }; - }); - }; - secrets.acme-credentials = mkOption { type = types.str; description = "path to the acme environment file"; }; - }; - - config = mkIf cfg.enable { - security.acme = { - acceptTerms = true; - defaults.email = cfg.email; - certs = mapAttrs - (name: { domain, subDomains }: { - extraDomainNames = lists.forEach subDomains (elem: elem + ".${name}"); - } // { - dnsProvider = "cloudflare"; - dnsPropagationCheck = true; - credentialsFile = cfg.secrets.acme-credentials; - } // optionalAttrs (domain != null) { - domain = domain; - }) - cfg.certs; - }; - - modules.persistence.directories = [ - "/var/lib/acme" - ]; - }; -} diff --git a/modules/services/akkoma/blocklist.toml b/modules/services/akkoma/blocklist.toml deleted file mode 100644 index d8f53af..0000000 --- a/modules/services/akkoma/blocklist.toml +++ /dev/null 
@@ -1,164 +0,0 @@ -[followers_only] - -[media_nsfw] - -[reject] -"*.tk" = "Free TLD" -"*.ml" = "Free TLD" -"*.ga" = "Free TLD" -"*.cf" = "Free TLD" -"*.gq" = "Free TLD" -# Reject list from chaos.social at 2023-02-06 -"activitypub-proxy.cf" = "Only exists to evade instance blocks, details" -"activitypub-troll.cf" = "Spam" -"aethy.com" = "Lolicon" -"bae.st" = "Discrimination, racism, “free speech zone”" -"baraag.net" = "Lolicon" -"banepo.st" = "Homophobia" -"beefyboys.club" = "Discrimination, racism, “free speech zone”" -"beefyboys.win" = "Discrimination, racism, “free speech zone”" -"beta.birdsite.live" = "Twitter crossposter" -"birb.elfenban.de" = "Twitter crossposter" -"bird.evilcyberhacker.net" = "Twitter crossposter" -"bird.froth.zone" = "Twitter crossposter" |
