{ config, pkgs, lib, isUnstable, ... }: with pkgs; let gqrss = callPackage ../../pkgs/gqrss.nix { inherit isUnstable; }; icbirc = callPackage ../../pkgs/icbirc.nix { inherit isUnstable; }; mcchunkie = callPackage ../../pkgs/mcchunkie.nix { inherit isUnstable; }; pgBackupDir = "/var/backups/postgresql"; pubKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa" ]; userBase = { openssh.authorizedKeys.keys = pubKeys; }; in { _module.args.isUnstable = false; imports = [ ./hardware-configuration.nix ]; boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/sda"; boot.kernelParams = [ "net.ifnames=0" ]; tailscale.enable = false; sops.secrets = { synapse_signing_key = { owner = config.users.users.matrix-synapse.name; mode = "600"; sopsFile = config.xin-secrets.h.services; }; hammer_access_token = { owner = config.users.users.mjolnir.name; mode = "600"; sopsFile = config.xin-secrets.h.services; }; gqrss_token = { owner = config.users.users.qbit.name; mode = "400"; sopsFile = config.xin-secrets.h.services; }; restic_env_file = { owner = config.users.users.root.name; mode = "400"; sopsFile = config.xin-secrets.h.services; }; restic_password_file = { owner = config.users.users.root.name; mode = "400"; sopsFile = config.xin-secrets.h.services; }; }; networking = { hostName = "h"; enableIPv6 = true; useDHCP = false; defaultGateway = "23.29.118.1"; defaultGateway6 = "2602:ff16:3::1"; nameservers = [ "9.9.9.9" ]; interfaces.eth0 = { ipv4.addresses = [{ address = "23.29.118.127"; prefixLength = 24; }]; ipv6 = { addresses = [{ address = "2602:ff16:3:0:1:3a0:0:1"; prefixLength = 64; }]; }; }; firewall = { allowedTCPPorts = [ 22 80 443 53 ]; allowedUDPPorts = [ 53 ]; allowedUDPPortRanges = [{ from = 60000; to = 61000; }]; }; }; environment.systemPackages = with pkgs; [ inetutils # irc weechat weechatScripts.highmon aspell icbirc # matrix things matrix-synapse-tools.synadm matrix-synapse-tools.rust-synapse-compress-state mcchunkie restic ]; security.acme = { acceptTerms = true; defaults.email = "aaron@bolddaemon.com"; }; users.groups.mcchunkie = { }; users.users.mcchunkie = { createHome = true; isSystemUser = true; home = "/var/lib/mcchunkie"; group = "mcchunkie"; }; systemd.services.mcchunkie = { wantedBy = [ "multi-user.target" ]; serviceConfig = { User = "mcchunkie"; Group = "mcchunkie"; Restart = "always"; WorkingDirectory = "/var/lib/mcchunkie"; RuntimeDirectory = "/var/lib/mcchunkie"; ExecStart = "${mcchunkie}/bin/mcchunkie"; }; }; services = { cron = { enable = true; systemCronJobs = [ '' @hourly qbit (export GH_AUTH_TOKEN=$(cat /run/secrets/gqrss_token); cd /var/www/suah.dev/rss; ${gqrss}/bin/gqrss ; ${gqrss}/bin/gqrss -search "LibreSSL" -prefix libressl_ ) >/dev/null 2>&1'' ]; }; restic = { backups = { b2 = { initialize = true; repository = "b2:cyaspanJicyeemJedMarlEjcasOmos"; environmentFile = "${config.sops.secrets.restic_env_file.path}"; passwordFile = "${config.sops.secrets.restic_password_file.path}"; paths = [ pgBackupDir "/var/lib/synapse/media_store" "/var/www" ]; timerConfig = { OnCalendar = "00:05"; }; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 10" ]; }; }; }; nginx = { enable = true; recommendedTlsSettings = true; recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; clientMaxBodySize = "50M"; commonHttpConfig = '' # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'origin-when-cross-origin'; # Disable embedding as a frame add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; # This might create errors proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; virtualHosts = { "deftly.net" = { forceSSL = true; enableACME = true; root = "/var/www/deftly.net"; extraConfig = '' location ~ ^/pub|^/patches|^/dist|^/pbp|^/screenshots|^/pharo|^/fw { autoindex on; index index.php index.html index.htm; } ''; }; "bolddaemon.com" = { forceSSL = true; enableACME = true; root = "/var/www/bolddaemon.com"; }; "relay.bolddaemon.com" = { forceSSL = true; enableACME = true; root = "/var/www/bolddaemon.com"; locations."/weechat" = { proxyWebsockets = true; proxyPass = "http://localhost:9009/weechat"; }; }; "suah.dev" = { forceSSL = true; enableACME = true; root = "/var/www/suah.dev"; extraConfig = '' location ~ ^/_got { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host:$server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Ssl on; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_pass http://127.0.0.1:8043; } location ~ ^/_sms { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host:$server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Ssl on; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_pass http://127.0.0.1:8044; } location ~ ^/p/ { autoindex on; } location ~ ^/recipes/ { autoindex on; } location ~* .(xml)$ { autoindex on; root /var/www/suah.dev/rss; } location ~ "([^/\s]+)(/.*)?" { set $not_serving 1; if ($request_filename = 'index.html') { set $not_serving 0; } if (-f $request_filename) { set $not_serving 0; } if ($args = "go-get=1") { add_header Strict-Transport-Security $hsts_header; add_header Referrer-Policy origin-when-cross-origin; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header Content-Type text/html; return 200 ' Redirecting to docs at pkg.go.dev/mod/suah.dev/$1... '; } if ($not_serving) { add_header Strict-Transport-Security $hsts_header; add_header Referrer-Policy origin-when-cross-origin; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header Content-Type text/html; return 200 ' Redirecting to docs at pkg.go.dev/mod/suah.dev/$1... '; } } ''; }; "qbit.io" = { forceSSL = true; enableACME = true; root = "/var/www/qbit.io"; }; "mammothcircus.com" = { forceSSL = true; enableACME = true; root = "/var/www/mammothcircus.com"; }; "akb.io" = { forceSSL = true; enableACME = true; root = "/var/www/akb.io"; }; "tapenet.org" = { forceSSL = true; enableACME = true; root = "/var/www/tapenet.org"; locations."/_matrix" = { proxyWebsockets = true; proxyPass = "http://127.0.0.1:8009"; }; locations."/_synapse/client" = { proxyWebsockets = true; proxyPass = "http://127.0.0.1:8009"; }; }; }; }; postgresqlBackup = { enable = true; location = pgBackupDir; }; postgresql = { enable = true; package = pkgs.postgresql_14; settings = { }; enableTCPIP = true; authentication = pkgs.lib.mkOverride 14 '' local all all trust host all all 127.0.0.1/32 trust host all all ::1/128 trust ''; initialScript = pkgs.writeText "synapse-init.sql" '' CREATE ROLE "synapse-user" LOGIN; CREATE DATABASE "synapse" WITH OWNER "synapse-user" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; ''; ensureDatabases = [ "synapse" ]; ensureUsers = [{ name = "synapse_user"; ensurePermissions."DATABASE synapse" = "ALL PRIVILEGES"; }]; }; mjolnir = { enable = true; pantalaimon.enable = false; pantalaimon.username = "hammer"; accessTokenFile = "${config.sops.secrets.hammer_access_token.path}"; homeserverUrl = "https://tapenet.org"; protectedRooms = [ "https://matrix.to/#/#openbsd:matrix.org" "https://matrix.to/#/#go-lang:matrix.org" "https://matrix.to/#/#plan9:matrix.org" "https://matrix.to/#/#nix-openbsd:tapenet.org" ]; settings = { verboseLogging = false; protections = { wordlist = { words = [ "^https://libera.chat <-- visit!$" "^@.*@.*@.*@.*@.*@.*@.*@.*@.*@.*" ]; }; }; managementRoom = "#moderation:tapenet.org"; automaticallyRedactForReasons = [ "spam" "racism" "advertising" ]; automaticallyReactForReasons = [ "spam" "advertising" "trolling" "racism" ]; aditionalPrefixes = [ "hammer" ]; confirmWildcardBan = false; }; }; matrix-synapse = { enable = true; dataDir = "/var/lib/synapse"; settings = { enable_registration = false; media_store_path = "/var/lib/synapse/media_store"; presence.enabled = false; public_baseurl = "https://tapenet.org"; server_name = "tapenet.org"; signing_key_path = "${config.sops.secrets.synapse_signing_key.path}"; url_preview_enabled = false; plugins = with config.services.matrix-synapse.package.plugins; [ matrix-synapse-mjolnir-antispam ]; database = { name = "psycopg2"; args = { database = "synapse"; user = "synapse_user"; }; }; listeners = [{ bind_addresses = [ "127.0.0.1" ]; port = 8009; resources = [ { compress = true; names = [ "client" ]; } { compress = false; names = [ "federation" ]; } ]; tls = false; type = "http"; x_forwarded = true; }]; }; }; }; users.users.qbit = userBase; system.stateVersion = "22.11"; }