This commit is contained in:
Schrottkatze 2023-08-05 18:46:25 +02:00
parent 02a6440717
commit 4353c90e2b
11 changed files with 146 additions and 70 deletions

View file

@ -10,7 +10,7 @@ This is the repository for the NixOS configurations of the Katzen Café (Katzen
- [x] Penpot - [x] Penpot
- [x] Forgejo - [x] Forgejo
- [ ] Vault - [ ] Vault
- [ ] Jitsi - [x] Jitsi
- [x] Mumble - [x] Mumble
- [ ] Nextcloud - [ ] Nextcloud
- [ ] Karton - [ ] Karton

View file

@ -7,11 +7,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1689948211, "lastModified": 1690376079,
"narHash": "sha256-XVDDrerEzYucD6cL7nNW7dNfGhDnhfpB+rbuDvlaWrc=", "narHash": "sha256-IJiajoljCMUGlp1bwT/loXs1B3RH2FXpLepnqvcPNEY=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "arion", "repo": "arion",
"rev": "9ba47f9fbb8650158d9983e19b53206586be4382", "rev": "f0436c8478d1b5530c115a6b1202c4478dfe2f81",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -44,11 +44,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1690660551, "lastModified": 1690952814,
"narHash": "sha256-4F5dkDy52pLeP8Pnxz/rFzFx6ckL7bZkY0VazaEcr7U=", "narHash": "sha256-Mv7zH8BIjtsUSsdgE8UvFdMvwJ+FXQAb5bHsJKzYHMM=",
"owner": "famedly", "owner": "famedly",
"repo": "conduit", "repo": "conduit",
"rev": "afd8112e25a86918c7f9ac657523698b2e0315f4", "rev": "06ab707c79b58df2eca96add0f419755e3522bdf",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -361,11 +361,11 @@
}, },
"nixpkgsUnstable": { "nixpkgsUnstable": {
"locked": { "locked": {
"lastModified": 1690031011, "lastModified": 1691006197,
"narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=", "narHash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "12303c652b881435065a98729eb7278313041e49", "rev": "66aedfd010204949cb225cf749be08cb13ce1813",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -425,11 +425,11 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1690148897, "lastModified": 1690927903,
"narHash": "sha256-l/j/AX1d2K79EWslwgWR2+htkzCbtjKZsS5NbWXnhz4=", "narHash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ac1acba43b2f9db073943ff5ed883ce7e8a40a2c", "rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -13,23 +13,26 @@
#]; #];
#}; #};
#networking.useDHCP = lib.mkDefault true; #networking.useDHCP = lib.mkDefault true;
systemd.services."NetworkManager-wait-oline".enable = false;
networking = { networking = {
nameservers = [ "9.9.9.9" "149.112.112.112" ]; nameservers = [ "9.9.9.9" "149.112.112.112" ];
hostName = "katzen-cafe"; hostName = "katzen-cafe";
networkmanager = { networkmanager = {
enable = true; enable = true;
unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" ]; unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" "interface-name:ve-nextcloud" ];
}; };
firewall.allowedTCPPorts = [ 22 80 443 ]; firewall.allowedTCPPorts = [ 22 80 443 ];
firewall.checkReversePath = false;
# firewall.allowedUDPPorts = [ 25568 25569 ]; # firewall.allowedUDPPorts = [ 25568 25569 ];
nat = { nat = {
enable = true; enable = true;
internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" ]; internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" "ve-nextcloud" ];
externalInterface = "enp1s0"; externalInterface = "enp1s0";
}; };
interfaces."enp1s0" = { interfaces."enp1s0" = {
ipv6.addresses = [{ ipv6.addresses = [{
address = "2a01:4f8:c17:c51f::"; address = "2a01:4f8:c17:c51f::";

View file

@ -5,5 +5,6 @@
./phtanumb-wiki.nix ./phtanumb-wiki.nix
./calckey.nix ./calckey.nix
./penpot.nix ./penpot.nix
./nextcloud.nix
]; ];
} }

View file

@ -28,7 +28,7 @@
database = { database = {
type = "mysql"; type = "mysql";
}; };
virtualHost = { httpd.virtualHost = {
hostName = "wiki.katzen.cafe"; hostName = "wiki.katzen.cafe";
adminAddr = "admin@katzen.cafe"; adminAddr = "admin@katzen.cafe";
listen = [ listen = [

View file

@ -0,0 +1,64 @@
{ pkgs, ... }:
{
containers."nextcloud" = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.3.1";
localAddress = "10.0.3.2";
bindMounts = {
"/var/lib/nextcloud" = {
hostPath = "/nextcloud/data";
isReadOnly = false;
};
"/var/lib/postgresql" = {
hostPath = "/nextcloud/db";
isReadOnly = false;
};
"/var/secret" = {
hostPath = "/nextcloud/secret";
isReadOnly = true;
};
};
config = { config, pkgs, ... }: {
networking.firewall.enable = false;
environment.etc."resolv.conf".text = "nameserver 9.9.9.9";
services.nextcloud = {
enable = true;
https = true;
config = {
dbtype = "pgsql";
dbhost = "/run/postgresql";
adminpassFile = "/var/secret/nextcloud-admin-pass";
trustedProxies = [ "10.0.3.1" ];
};
hostName = "wolke.katzen.cafe";
package = pkgs.nextcloud27;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit bookmarks calendar contacts;
user_oidc = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v1.3.3/user_oidc-v1.3.3.tar.gz";
sha256 = "sha256-s8xr25a40/ot7KDv3Vn7WBm4Pb13LzzK62ZNYufXQ2w";
};
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
system.stateVersion = "23.05";
};
};
deployment.keys = {
"nextcloud-admin-pass" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/nextcloud-admin-pass" ];
destDir = "/nextcloud/secret";
permissions = "0604";
};
};
}

View file

@ -15,7 +15,7 @@
depends_on = [ "penpot-postgres" "penpot-redis" ]; depends_on = [ "penpot-postgres" "penpot-redis" ];
networks = [ "penpot" ]; networks = [ "penpot" ];
environment = { environment = {
"PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc"; "PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc enable-smtp";
"PENPOT_PREPL_HOST" = "0.0.0.0"; "PENPOT_PREPL_HOST" = "0.0.0.0";
"PENPOT_PUBLIC_URI" = "https://design.katzen.cafe"; "PENPOT_PUBLIC_URI" = "https://design.katzen.cafe";
@ -35,16 +35,15 @@
"PENPOT_OIDC_BASE_URI" = "https://auth.katzen.cafe/realms/katzen.cafe/"; "PENPOT_OIDC_BASE_URI" = "https://auth.katzen.cafe/realms/katzen.cafe/";
#"PENPOT_OIDC_" = ""; #"PENPOT_OIDC_" = "";
#"PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>"; "PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply@katzen.cafe>";
#"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>"; "PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply@katzen.cafe>";
#"PENPOT_SMTP_HOST" = "smtp.migadu.com"; "PENPOT_SMTP_HOST" = "mail.katzen.cafe";
#"PENPOT_SMTP_PORT" = "587"; "PENPOT_SMTP_PORT" = "465";
#"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de"; "PENPOT_SMTP_USERNAME" = "noreply@katzen.cafe";
#"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}"; "PENPOT_SMTP_TLS" = "true";
#"PENPOT_SMTP_TLS" = "true"; # "PENPOT_SMTP_SSL" = "true";
#"PENPOT_SMTP_SSL" = "false";
}; };
env_file = [ "/penpot/secret/oidcPpSecret" ]; env_file = [ "/var/lib/secrets/penpot-secrets" ];
}; };
"penpot-frontend".service = { "penpot-frontend".service = {
image = "penpotapp/frontend:latest"; image = "penpotapp/frontend:latest";
@ -84,9 +83,9 @@
}; };
}; };
deployment.keys = { deployment.keys = {
"oidcPpSecret" = { "penpot-secrets" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/penpot-keycloak-secret" ]; keyCommand = [ "cat" "/home/jade/keys-tmp/penpot-secrets" ];
destDir = "/penpot/secret/"; destDir = "/var/lib/secrets";
}; };
}; };
} }

View file

@ -29,25 +29,19 @@
}; };
mailer = { mailer = {
ENABLED = true; ENABLED = true;
FROM = "forge@noreply.katzen.cafe"; FROM = "noreply@katzen.cafe";
MAILER_TYPE = "smtp"; PROTOCOL = "smtps";
SMTP_ADDR = "mail.katzen.cafe"; SMTP_ADDR = "mail.katzen.cafe";
SMTP_PORT = 465; SMTP_PORT = 465;
IS_TLS_ENABLED = true; USER = "noreply@katzen.cafe";
USER = "forge@noreply.katzen.cafe";
}; };
}; };
mailerPasswordFile = "/forgejo/secret/mailerPassword"; mailerPasswordFile = "/var/lib/secrets/noreply-mail-pw-plain";
}; };
deployment.keys = { deployment.keys = {
"forgejoDbPw" = { "noreply-mail-pw-plain" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/forgejo-db-pw" ]; keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-pw-plain" ];
destDir = "/forgejo/secret/"; destDir = "/var/lib/secrets";
permissions = "0604";
};
"mailerPassword" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mailer-pw-forgejo" ];
destDir = "/forgejo/secret/";
permissions = "0604"; permissions = "0604";
}; };
}; };

View file

@ -5,23 +5,14 @@
enable = true; enable = true;
fqdn = "mail.katzen.cafe"; fqdn = "mail.katzen.cafe";
sendingFqdn = "katzen.cafe"; sendingFqdn = "katzen.cafe";
domains = [ "katzen.cafe" "noreply.katzen.cafe" ]; domains = [ "katzen.cafe" ];
loginAccounts = { loginAccounts = {
"admin@katzen.cafe" = { "admin@katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/admin-mail-pw"; hashedPasswordFile = "/var/lib/secrets/admin-mail-pw";
aliases = [ "postmaster@katzen.cafe" "abuse@katzen.cafe" ]; aliases = [ "postmaster@katzen.cafe" "abuse@katzen.cafe" ];
}; };
"ck@noreply.katzen.cafe" = { "noreply@katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/noreply-mail-ck"; hashedPasswordFile = "/var/lib/secrets/noreply-mail-pw";
};
"forge@noreply.katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/noreply-mail-forgejo";
};
"keycloak@noreply.katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/noreply-mail-keycloak";
};
"penpot@noreply.katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/noreply-mail-penpot";
}; };
}; };
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
@ -31,20 +22,8 @@
keyCommand = [ "cat" "/home/jade/keys-tmp/admin-mail-pw" ]; keyCommand = [ "cat" "/home/jade/keys-tmp/admin-mail-pw" ];
destDir = "/var/lib/secrets"; destDir = "/var/lib/secrets";
}; };
"noreply-mail-ck" = { "noreply-mail-pw" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-ck" ]; keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-pw" ];
destDir = "/var/lib/secrets";
};
"noreply-mail-forgejo" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-forgejo" ];
destDir = "/var/lib/secrets";
};
"noreply-mail-keycloak" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-keycloak" ];
destDir = "/var/lib/secrets";
};
"noreply-mail-penpot" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-penpot" ];
destDir = "/var/lib/secrets"; destDir = "/var/lib/secrets";
}; };
}; };

View file

@ -5,14 +5,17 @@
exporters = { exporters = {
node = { node = {
enable = true; enable = true;
enabledCollectors = [ "systemd" ]; enabledCollectors = [ "systemd" "processes" ];
};
nginx = {
enable = true;
}; };
}; };
scrapeConfigs = [ scrapeConfigs = [
{ {
job_name = "katzencafe"; job_name = "katzencafe";
static_configs = [{ static_configs = [{
targets = [ "127.0.0.1:9100" ]; targets = [ "127.0.0.1:9100" "127.0.0.1:9113"];
}]; }];
} }
]; ];
@ -25,6 +28,13 @@
http_port = 2343; http_port = 2343;
http_addr = "127.0.0.1"; http_addr = "127.0.0.1";
}; };
smtp = {
enabled = true;
user = "noreply@katzen.cafe";
password = "$__file{/var/lib/secrets/noreply-mail-pw-plain}";
host = "mail.katzen.cafe:465";
from_address = "noreply@katzen.cafe";
};
}; };
}; };

View file

@ -11,6 +11,10 @@
group = "nginx"; group = "nginx";
keyType = "rsa4096"; keyType = "rsa4096";
}; };
"miau.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
};
"forge.katzen.cafe" = { "forge.katzen.cafe" = {
group = "nginx"; group = "nginx";
keyType = "rsa4096"; keyType = "rsa4096";
@ -47,6 +51,10 @@
group = "nginx"; group = "nginx";
keyType = "rsa4096"; keyType = "rsa4096";
}; };
"wolke.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
};
# "prosody.katzen.cafe" = { # "prosody.katzen.cafe" = {
# group = "prosody"; # group = "prosody";
# keyType = "rsa4096"; # keyType = "rsa4096";
@ -70,6 +78,13 @@
statusPage = true; statusPage = true;
virtualHosts = { virtualHosts = {
"miau.katzen.cafe" = {
forceSSL = true;
enableACME = true;
locations."/" = {
root = "/var/www/miau";
};
};
"_.katzen.cafe" = { "_.katzen.cafe" = {
# Catchall vhost, will redirect users to HTTPS for all vhosts # Catchall vhost, will redirect users to HTTPS for all vhosts
serverAliases = [ "*.katzen.cafe" ]; serverAliases = [ "*.katzen.cafe" ];
@ -78,6 +93,7 @@
}; };
locations."/" = { locations."/" = {
return = "301 https://$host$request_uri"; return = "301 https://$host$request_uri";
root = "/var/www/miau";
}; };
}; };
"grafana.katzen.cafe" = { "grafana.katzen.cafe" = {
@ -151,6 +167,16 @@
proxyPass = "http://10.0.1.2"; proxyPass = "http://10.0.1.2";
}; };
}; };
"wolke.katzen.cafe" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://10.0.3.2";
};
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'';
};
"hc-vault.katzen.cafe" = { "hc-vault.katzen.cafe" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;