diff --git a/README.md b/README.md
index 71254ad..cb8679e 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ This is the repository for the NixOS configurations of the Katzen Café (Katzen
 - [x] Penpot
 - [x] Forgejo
 - [ ] Vault
-- [ ] Jitsi
+- [x] Jitsi
 - [x] Mumble
 - [ ] Nextcloud
 - [ ] Karton
diff --git a/flake.lock b/flake.lock
index 4653e50..e3f4509 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1689948211, - "narHash": "sha256-XVDDrerEzYucD6cL7nNW7dNfGhDnhfpB+rbuDvlaWrc=", + "lastModified": 1690376079, + "narHash": "sha256-IJiajoljCMUGlp1bwT/loXs1B3RH2FXpLepnqvcPNEY=", "owner": "hercules-ci", "repo": "arion", - "rev": "9ba47f9fbb8650158d9983e19b53206586be4382", + "rev": "f0436c8478d1b5530c115a6b1202c4478dfe2f81", "type": "github" }, "original": {
@@ -44,11 +44,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1690660551, - "narHash": "sha256-4F5dkDy52pLeP8Pnxz/rFzFx6ckL7bZkY0VazaEcr7U=", + "lastModified": 1690952814, + "narHash": "sha256-Mv7zH8BIjtsUSsdgE8UvFdMvwJ+FXQAb5bHsJKzYHMM=", "owner": "famedly", "repo": "conduit", - "rev": "afd8112e25a86918c7f9ac657523698b2e0315f4", + "rev": "06ab707c79b58df2eca96add0f419755e3522bdf", "type": "gitlab" }, "original": {
@@ -361,11 +361,11 @@ }, "nixpkgsUnstable": { "locked": { - "lastModified": 1690031011, - "narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=", + "lastModified": 1691006197, + "narHash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "12303c652b881435065a98729eb7278313041e49", + "rev": "66aedfd010204949cb225cf749be08cb13ce1813", "type": "github" }, "original": {
@@ -425,11 +425,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1690148897, - "narHash": "sha256-l/j/AX1d2K79EWslwgWR2+htkzCbtjKZsS5NbWXnhz4=", + "lastModified": 1690927903, + "narHash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ac1acba43b2f9db073943ff5ed883ce7e8a40a2c", + "rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86", "type": "github" }, "original": {
diff --git a/modules/base-stuff.nix b/modules/base-stuff.nix
index b4fb3c2..c183ccb 100644
--- a/modules/base-stuff.nix
+++ b/modules/base-stuff.nix
@@ -13,23 +13,26 @@
 #];
 #};
 #networking.useDHCP = lib.mkDefault true;
+ systemd.services."NetworkManager-wait-oline".enable = false;
 networking = {
 nameservers = [ "9.9.9.9" "149.112.112.112" ];
 hostName = "katzen-cafe";
 networkmanager = {
 enable = true;
- unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" ];
+ unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" "interface-name:ve-nextcloud" ];
 };
 firewall.allowedTCPPorts = [ 22 80 443 ];
+ firewall.checkReversePath = false;
 # firewall.allowedUDPPorts = [ 25568 25569 ];
 nat = {
 enable = true;
- internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" ];
+ internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" "ve-nextcloud" ];
 externalInterface = "enp1s0";
 };
+ interfaces."enp1s0" = {
 ipv6.addresses = [{
 address = "2a01:4f8:c17:c51f::";
diff --git a/modules/containers/default.nix b/modules/containers/default.nix
index a0384f4..e40264d 100644
--- a/modules/containers/default.nix
+++ b/modules/containers/default.nix
@@ -5,5 +5,6 @@
 ./phtanumb-wiki.nix
 ./calckey.nix
 ./penpot.nix
+ ./nextcloud.nix
 ];
 }
diff --git a/modules/containers/katzencafe-wiki.nix b/modules/containers/katzencafe-wiki.nix
index 3d90326..d691be7 100644
--- a/modules/containers/katzencafe-wiki.nix
+++ b/modules/containers/katzencafe-wiki.nix
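Review bot: `firewall.checkReversePath = false;` in the base-stuff.nix hunk turns reverse-path filtering off for every interface on the host, so the kernel stops dropping packets whose source address is not routable back through the interface they arrived on; the usual remedy for the NAT'd container veths that this appears to be about is `firewall.checkReversePath = "loose";`, which keeps the check but tolerates asymmetric routes. The added `systemd.services."NetworkManager-wait-oline".enable = false;` names a unit that does not exist — NetworkManager ships `NetworkManager-wait-online` — so as written the line disables nothing; `systemd.services."NetworkManager-wait-online".enable = false;` is presumably what was intended. A one-line comment above `checkReversePath` stating which interfaces need the relaxation would make the setting reviewable later.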
@@ -28,7 +28,7 @@
 database = {
 type = "mysql";
 };
- virtualHost = {
+ httpd.virtualHost = {
 hostName = "wiki.katzen.cafe";
 adminAddr = "admin@katzen.cafe";
 listen = [
diff --git a/modules/containers/nextcloud.nix b/modules/containers/nextcloud.nix
new file mode 100644
index 0000000..d1a425f
--- /dev/null
+++ b/modules/containers/nextcloud.nix
@@ -0,0 +1,64 @@
+{ pkgs, ... }:
+{
+ containers."nextcloud" = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "10.0.3.1";
+ localAddress = "10.0.3.2";
+ bindMounts = {
+ "/var/lib/nextcloud" = {
+ hostPath = "/nextcloud/data";
+ isReadOnly = false;
+ };
+ "/var/lib/postgresql" = {
+ hostPath = "/nextcloud/db";
+ isReadOnly = false;
+ };
+ "/var/secret" = {
+ hostPath = "/nextcloud/secret";
+ isReadOnly = true;
+ };
+ };
+ config = { config, pkgs, ... }: {
+ networking.firewall.enable = false;
+ environment.etc."resolv.conf".text = "nameserver 9.9.9.9";
+ services.nextcloud = {
+ enable = true;
+ https = true;
+ config = {
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
+ adminpassFile = "/var/secret/nextcloud-admin-pass";
+ trustedProxies = [ "10.0.3.1" ];
+ };
+ hostName = "wolke.katzen.cafe";
+ package = pkgs.nextcloud27;
+ extraApps = with config.services.nextcloud.package.packages.apps; {
+ inherit bookmarks calendar contacts;
+ user_oidc = pkgs.fetchNextcloudApp rec {
+ url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v1.3.3/user_oidc-v1.3.3.tar.gz";
+ sha256 = "sha256-s8xr25a40/ot7KDv3Vn7WBm4Pb13LzzK62ZNYufXQ2w";
+ };
+ };
+ };
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+ system.stateVersion = "23.05";
+ };
+ };
+ deployment.keys = {
+ "nextcloud-admin-pass" = {
+ keyCommand = [ "cat" "/home/jade/keys-tmp/nextcloud-admin-pass" ];
+ destDir = "/nextcloud/secret";
+ permissions = "0604";
+ };
+ };
+}
\ No newline at end of file
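Review bot: `permissions = "0604";` on the `nextcloud-admin-pass` key deploys the Nextcloud admin password readable by every local account on the host (the trailing 4 is the world-read bit); the same mode is carried as context on the `noreply-mail-pw-plain` key in the forgejo.nix hunk and is what lets Grafana's `$__file{…}` in the monitoring.nix hunk read that file. Colmena's key options also take `user` and `group`, so a key can be scoped to its consumer — `permissions = "0600";` with `user`/`group` set to the identity that reads it, or `0640` with a shared group where several services need one file — though the uid that reads the bind-mounted file inside the container may not match the host's, so check which identity actually opens it. Inside the container, `networking.firewall.enable = false;` exposes every port the container's services listen on towards the host-side bridge, while only the proxy at 10.0.3.1 needs port 80; `networking.firewall.allowedTCPPorts = [ 80 ];` with the firewall left enabled would bound that. The new file also lacks a trailing newline (`\ No newline at end of file`).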
diff --git a/modules/containers/penpot.nix b/modules/containers/penpot.nix
index 804e09c..b79136e 100644
--- a/modules/containers/penpot.nix
+++ b/modules/containers/penpot.nix
@@ -15,7 +15,7 @@
 depends_on = [ "penpot-postgres" "penpot-redis" ];
 networks = [ "penpot" ];
 environment = {
- "PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc";
+ "PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc enable-smtp";
 "PENPOT_PREPL_HOST" = "0.0.0.0";
 "PENPOT_PUBLIC_URI" = "https://design.katzen.cafe";
@@ -35,16 +35,15 @@
 "PENPOT_OIDC_BASE_URI" = "https://auth.katzen.cafe/realms/katzen.cafe/";
 #"PENPOT_OIDC_" = "";
- #"PENPOT_SMTP_DEFAULT_FROM" = "Penpot ";
- #"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot ";
- #"PENPOT_SMTP_HOST" = "smtp.migadu.com";
- #"PENPOT_SMTP_PORT" = "587";
- #"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
- #"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
- #"PENPOT_SMTP_TLS" = "true";
- #"PENPOT_SMTP_SSL" = "false";
+ "PENPOT_SMTP_DEFAULT_FROM" = "Penpot ";
+ "PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot ";
+ "PENPOT_SMTP_HOST" = "mail.katzen.cafe";
+ "PENPOT_SMTP_PORT" = "465";
+ "PENPOT_SMTP_USERNAME" = "noreply@katzen.cafe";
+ "PENPOT_SMTP_TLS" = "true";
+ # "PENPOT_SMTP_SSL" = "true";
 };
- env_file = [ "/penpot/secret/oidcPpSecret" ];
+ env_file = [ "/var/lib/secrets/penpot-secrets" ];
 };
 "penpot-frontend".service = {
 image = "penpotapp/frontend:latest";
@@ -84,9 +83,9 @@
 };
 };
 deployment.keys = {
- "oidcPpSecret" = {
- keyCommand = [ "cat" "/home/jade/keys-tmp/penpot-keycloak-secret" ];
- destDir = "/penpot/secret/";
+ "penpot-secrets" = {
+ keyCommand = [ "cat" "/home/jade/keys-tmp/penpot-secrets" ];
+ destDir = "/var/lib/secrets";
 };
 };
 }
diff --git a/modules/forgejo.nix b/modules/forgejo.nix
index 44a60fc..6c967b3 100644
--- a/modules/forgejo.nix
+++ b/modules/forgejo.nix
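Review bot: The SMTP hunk pairs `"PENPOT_SMTP_PORT" = "465"` with `"PENPOT_SMTP_TLS" = "true"` and leaves `PENPOT_SMTP_SSL` commented out; in Penpot's configuration `PENPOT_SMTP_TLS` selects STARTTLS on an initially plain session and `PENPOT_SMTP_SSL` selects implicit TLS, and 465 is the implicit-TLS port (forgejo.nix uses `PROTOCOL = "smtps"` on the same port), so as far as I can tell this session will not negotiate — the old commented block (587 with TLS on, SSL off) is the consistent STARTTLS variant. The commented line is the one 465 needs: `"PENPOT_SMTP_SSL" = "true";`, with `PENPOT_SMTP_TLS` dropped or set to `"false"`. The SMTP password is now presumably supplied through `/var/lib/secrets/penpot-secrets` via `env_file`; a short comment next to `env_file` naming the variables that file is expected to provide would restore the visibility the inline `readFile` used to give.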
@@ -29,25 +29,19 @@
 };
 mailer = {
 ENABLED = true;
- FROM = "forge@noreply.katzen.cafe";
- MAILER_TYPE = "smtp";
+ FROM = "noreply@katzen.cafe";
+ PROTOCOL = "smtps";
 SMTP_ADDR = "mail.katzen.cafe";
 SMTP_PORT = 465;
- IS_TLS_ENABLED = true;
- USER = "forge@noreply.katzen.cafe";
+ USER = "noreply@katzen.cafe";
 };
 };
- mailerPasswordFile = "/forgejo/secret/mailerPassword";
+ mailerPasswordFile = "/var/lib/secrets/noreply-mail-pw-plain";
 };
 deployment.keys = {
- "forgejoDbPw" = {
- keyCommand = [ "cat" "/home/jade/keys-tmp/forgejo-db-pw" ];
- destDir = "/forgejo/secret/";
- permissions = "0604";
- };
- "mailerPassword" = {
- keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mailer-pw-forgejo" ];
- destDir = "/forgejo/secret/";
+ "noreply-mail-pw-plain" = {
+ keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-pw-plain" ];
+ destDir = "/var/lib/secrets";
 permissions = "0604";
 };
 };
diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index cf058c9..b1aff48 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -5,23 +5,14 @@
 enable = true;
 fqdn = "mail.katzen.cafe";
 sendingFqdn = "katzen.cafe";
- domains = [ "katzen.cafe" "noreply.katzen.cafe" ];
+ domains = [ "katzen.cafe" ];
 loginAccounts = {
 "admin@katzen.cafe" = {
 hashedPasswordFile = "/var/lib/secrets/admin-mail-pw";
 aliases = [ "postmaster@katzen.cafe" "abuse@katzen.cafe" ];
 };
- "ck@noreply.katzen.cafe" = {
- hashedPasswordFile = "/var/lib/secrets/noreply-mail-ck";
- };
- "forge@noreply.katzen.cafe" = {
- hashedPasswordFile = "/var/lib/secrets/noreply-mail-forgejo";
- };
- "keycloak@noreply.katzen.cafe" = {
- hashedPasswordFile = "/var/lib/secrets/noreply-mail-keycloak";
- };
- "penpot@noreply.katzen.cafe" = {
- hashedPasswordFile = "/var/lib/secrets/noreply-mail-penpot";
+ "noreply@katzen.cafe" = {
+ hashedPasswordFile = "/var/lib/secrets/noreply-mail-pw";
 };
 };
 certificateScheme = "acme-nginx";
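Review bot: The `forgejoDbPw` key is removed from `deployment.keys`, but nothing in the hunk touches the database settings that presumably consumed `/forgejo/secret/forgejoDbPw`; if `services.forgejo.database.passwordFile` above line 29 (outside this hunk) still points there, the next deploy starts Forgejo without that file. Please confirm the earlier part of the file, and consider a comment on `mailerPasswordFile` recording that `noreply-mail-pw-plain` is now also read by Grafana (`$__file{…}` in monitoring.nix), so a rotation has more than one consumer.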
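Review bot: Collapsing the per-service `*@noreply.katzen.cafe` logins into the single `noreply@katzen.cafe` account means one credential now authenticates Forgejo, Grafana and Penpot to the mail server; a leak from any one of them (Grafana holds it in plaintext via `$__file{}`, per the monitoring.nix hunk) exposes the sending identity for all, and rotating it means touching every consumer at once. The removed layout gave that isolation; if the goal was only to drop the extra domain, `loginAccounts` still supports one account per service under the same domain (`forge@katzen.cafe` and so on), each with its own `hashedPasswordFile`, at the cost of a few more keys. Dropping `noreply.katzen.cafe` from `domains` is fine provided no DNS or DKIM records still advertise it.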
@@ -31,20 +22,8 @@
 keyCommand = [ "cat" "/home/jade/keys-tmp/admin-mail-pw" ];
 destDir = "/var/lib/secrets";
 };
- "noreply-mail-ck" = {
- keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-ck" ];
- destDir = "/var/lib/secrets";
- };
- "noreply-mail-forgejo" = {
- keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-forgejo" ];
- destDir = "/var/lib/secrets";
- };
- "noreply-mail-keycloak" = {
- keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-keycloak" ];
- destDir = "/var/lib/secrets";
- };
- "noreply-mail-penpot" = {
- keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-penpot" ];
+ "noreply-mail-pw" = {
+ keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-pw" ];
 destDir = "/var/lib/secrets";
 };
 };
diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index 864e8f7..32db40f 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -5,14 +5,17 @@
 exporters = {
 node = {
 enable = true;
- enabledCollectors = [ "systemd" ];
+ enabledCollectors = [ "systemd" "processes" ];
 };
+ nginx = {
+ enable = true;
+ };
 };
 scrapeConfigs = [
 {
 job_name = "katzencafe";
 static_configs = [{
- targets = [ "127.0.0.1:9100" ];
+ targets = [ "127.0.0.1:9100" "127.0.0.1:9113"];
 }];
 }
 ];
@@ -25,6 +28,13 @@
 http_port = 2343;
 http_addr = "127.0.0.1";
 };
+ smtp = {
+ enabled = true;
+ user = "noreply@katzen.cafe";
+ password = "$__file{/var/lib/secrets/noreply-mail-pw-plain}";
+ host = "mail.katzen.cafe:465";
+ from_address = "noreply@katzen.cafe";
+ };
 };
 };
diff --git a/modules/proxy.nix b/modules/proxy.nix
index 3711d4c..acebee0 100644
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
@@ -11,6 +11,10 @@
 group = "nginx";
 keyType = "rsa4096";
 };
+ "miau.katzen.cafe" = {
+ group = "nginx";
+ keyType = "rsa4096";
+ };
 "forge.katzen.cafe" = {
 group = "nginx";
 keyType = "rsa4096";
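Review bot: Style nit in the scrape target list: `"127.0.0.1:9113"]` drops the space before the closing bracket that the file's other lists keep (`[ "systemd" "processes" ]`), so `targets = [ "127.0.0.1:9100" "127.0.0.1:9113" ];`. The Grafana `smtp` block reads `/var/lib/secrets/noreply-mail-pw-plain` through `$__file{…}` as the grafana user, which only works because that key is deployed world-readable (`0604` in the forgejo.nix hunk); a comment on the `password` line such as `# read by the grafana user: key ownership/group must allow it` would keep the two files from drifting apart silently.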
@@ -47,6 +51,10 @@
 group = "nginx";
 keyType = "rsa4096";
 };
+ "wolke.katzen.cafe" = {
+ group = "nginx";
+ keyType = "rsa4096";
+ };
 # "prosody.katzen.cafe" = {
 # group = "prosody";
 # keyType = "rsa4096";
@@ -70,6 +78,13 @@
 statusPage = true;
 virtualHosts = {
+ "miau.katzen.cafe" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ root = "/var/www/miau";
+ };
+ };
 "_.katzen.cafe" = { # Catchall vhost, will redirect users to HTTPS for all vhosts
 serverAliases = [ "*.katzen.cafe" ];
@@ -78,6 +93,7 @@
 };
 locations."/" = {
 return = "301 https://$host$request_uri";
+ root = "/var/www/miau";
 };
 };
 "grafana.katzen.cafe" = {
@@ -151,6 +167,16 @@
 proxyPass = "http://10.0.1.2";
 };
 };
+ "wolke.katzen.cafe" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://10.0.3.2";
+ };
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+ '';
+ };
 "hc-vault.katzen.cafe" = {
 forceSSL = true;
 enableACME = true;
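Review bot: In the `@@ -78,6 +93,7 @@` hunk, `root = "/var/www/miau";` is added to a location whose `return = "301 https://$host$request_uri";` ends request processing, so nginx never serves that root there; it reads like a leftover from the new `miau.katzen.cafe` vhost and can be dropped. In the `wolke.katzen.cafe` vhost, `proxyPass = "http://10.0.3.2";` is all Nextcloud sees, and the `trustedProxies = [ "10.0.3.1" ]` in nextcloud.nix only takes effect if this vhost forwards `X-Forwarded-For`/`X-Forwarded-Proto`, which NixOS adds through `recommendedProxySettings = true` on `services.nginx` — that setting is outside the hunk, so please confirm it is on. The outer proxy's `services.nginx.clientMaxBodySize` (default 10m, also outside the hunk) will cap Nextcloud uploads regardless of what the container's own nginx allows; worth a comment on the vhost noting the intended limit.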