nixos-config/hosts/france.nix

{ config, pkgs, lib, ... }:

with lib;
let
  domain = "fudo.org";
  hostname = "france.${domain}";
  mail-hostname = "mail.${domain}";
  host_ipv4 = "208.81.3.117";
  # Use a special IP for git.fudo.org, since it needs to be SSH-able
  git_ipv4 = "208.81.3.126";
  all-hostnames = [];

  acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
  acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
  acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";

  fudo-ca = "/etc/nixos/static/fudo_ca.pem";

  minecraft-data-dir = "/srv/minecraft/data";

  system-mail-directory = "/srv/mail";

in {

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/sda";
  };

  imports = [
    ../hardware-configuration.nix

    ../defaults.nix
  ];

  # services.openssh = {
  #   listenAddresses = [
  #     {
  #       addr = host_ipv4;
  #       port = 22;
  #     }
  #   ];
  # };

  fudo.common = {
    # Sets some server-common settings. See /etc/nixos/fudo/profiles/...
    profile = "server";

    # Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...
    site = "portage";

    domain = domain;

    www-root = /srv/www;

    local-networks = [
      "208.81.1.128/28"
      "208.81.3.112/28"
      "172.17.0.0/16"
      "127.0.0.0/8"
    ];
  };

  environment.systemPackages = with pkgs; [
    docker
    lxd
    multipath-tools
    nix-prefetch-docker
    tshark
  ];

  fudo.prometheus = {
    enable = true;
    hostname = "metrics.fudo.org";
    service-discovery-dns = {
      node =    [ "node._metrics._tcp.fudo.org" ];
      postfix = [ "postfix._metrics._tcp.fudo.org" ];
      dovecot = [ "dovecot._metrics._tcp.fudo.org" ];
      rspamd =  [ "rspamd._metrics._tcp.fudo.org" ];
    };
  };

  fudo.grafana = {
    enable = true;
    hostname = "monitor.fudo.org";
    smtp-username = "metrics";
    smtp-password-file = "/srv/grafana/secure/smtp.passwd";
    admin-password-file = "/srv/grafana/secure/admin.passwd";
    secret-key-file = "/srv/grafana/secure/secret.key";
    prometheus-host = "metrics.fudo.org";
    database = {
      name = "grafana";
      hostname = "localhost";
      user = "grafana";
      password-file = /srv/grafana/secure/db.passwd;
    };
  };

  # So that grafana waits for postgresql
  systemd.services.grafana.after = [
    "postgresql.service"
  ];

  fudo.postgresql = {
    enable = true;
    ssl-private-key = (acme-private-key hostname);
    ssl-certificate = (acme-certificate hostname);
    keytab = "/srv/postgres/secure/postgres.keytab";

    # We allow connections from local networks. Auth is still required. Outside
    # of these networks, no access is allowed.
    #
    # TODO: that's probably too strict, allow kerberos connections from anywhere?
    local-networks = [
      "208.81.1.128/28"
      "208.81.3.112/28"
      "192.168.11.1/24"
      "127.0.0.1/8"
      "172.17.0.0/16"
    ];

    users = {
      fudo_git = {
        password = fileContents "/srv/git/secure/db.passwd";
        databases = {
          fudo_git = "ALL PRIVILEGES";
        };
      };
      grafana = {
        password = fileContents "/srv/grafana/secure/db.passwd";
        databases = {
          grafana = "ALL PRIVILEGES";
        };
      };
      mattermost = {
        password = fileContents "/srv/mattermost/secure/db.passwd";
        databases = {
          mattermost = "ALL PRIVILEGES";
        };
      };
      webmail = {
        password = fileContents "/srv/webmail/secure/db.passwd";
        databases = {
          webmail = "ALL PRIVILEGES";
        };
      };
      niten = {};
    };

    local-users = [
      "fudo_git"
    ];

    databases = {
      fudo_git = ["niten"];
      grafana = ["niten"];
      mattermost = ["niten"];
      webmail = ["niten"];
    };
  };

  # Not all users need access to france; don't allow LDAP-user access.
  fudo.authentication.enable = false;

  # But we DO run an LDAP auth server. Should be better-named.
  fudo.auth = {
    server = {
      enable = true;
      base = "dc=fudo,dc=org";
      organization = "Fudo";
      rootpw-file = "/srv/ldap/secure/root.pw";
      kerberos-host = "france.fudo.org";
      kerberos-keytab = "/srv/ldap/secure/ldap.keytab";

      sslCert = "/srv/ldap/france.fudo.org.pem";
      sslKey = "/srv/ldap/secure/france.fudo.org-key.pem";
      sslCACert = fudo-ca;

      # We're using fudo-generated certs for now, but we should move to ACME
      # once I can figure out how to correctly produce the ca.pem file. Until
      # then, the server will fail to start using these certs. See:
      # https://serverfault.com/a/834565

      # sslCert = (acme-bare-cert hostname);
      # sslKey = (acme-private-key hostname);
      # sslCACert = acme-ca;

      # TODO: loop over v4 and v6 IPs.
      listen-uris = [
        "ldap:///"
        "ldaps:///"
        # "ldap://${host_ipv4}/"
        # "ldaps://${host_ipv4}/"
        # "ldap://localhost/"
        # "ldaps://localhost/"
        # "ldap://127.0.1.1/"
        # "ldaps://127.0.1.1/"
        "ldapi:///"
      ];

      users = import ../fudo/users.nix;

      groups = import ../fudo/groups.nix;

      system-users = import ../fudo/system-users.nix;
    };

    # Heimdal Kerberos server
    kdc = {
      enable = true;
      database-path = "/var/heimdal/heimdal";
      realm = "FUDO.ORG";
      mkey-file = "/var/heimdal/m-key";
      acl-file = "/etc/heimdal/kdc.acl";
      bind-addresses = [
        host_ipv4
        "127.0.0.1"
        "127.0.1.1"
      ];
    };
  };

  # TODO: not used yet
  fudo.acme.hostnames = all-hostnames;

  fudo.mail-server = import ../fudo/email.nix { inherit config; } // {
    enableContainer = true;
    debug = true;
    monitoring = true;

    hostname = mail-hostname;

    postfix.ssl-certificate = (acme-certificate mail-hostname);
    postfix.ssl-private-key = (acme-private-key mail-hostname);
    dovecot.ssl-certificate = (acme-certificate mail-hostname);
    dovecot.ssl-private-key = (acme-private-key mail-hostname);

    state-directory = "${system-mail-directory}/var";
    mail-directory = "${system-mail-directory}/mailboxes";

    dovecot.ldap = {
      reader-dn = "cn=user_db_reader,dc=fudo,dc=org";
      reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;

      # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.
      server-urls = [ "ldap://france.fudo.org" ];
    };

    clamav.enable = true;

    dkim.signing = true;
  };

  fudo.webmail = {
    enable = true;

    sites = {
      "webmail.fudo.link" = {
        title = "Fudo Link Webmail";
        favicon = "/etc/nixos/static/fudo.link/favicon.ico";
        mail-server = mail-hostname;
        domain = "fudo.link";
        edit-mode = "Plain";
        layout-mode = "bottom";
        database = {
          name = "webmail";
          hostname = "localhost";
          user = "webmail";
          password-file = "/srv/webmail/secure/db.passwd";
        };
      };

      "webmail.test.fudo.org" = {
        title = "Fudo Webmail";
        favicon = "/etc/nixos/static/fudo.org/favicon.ico";
        mail-server = mail-hostname;
        domain = "fudo.org";
        edit-mode = "Plain";
        database = {
          name = "webmail";
          hostname = "localhost";
          user = "webmail";
          password-file = "/srv/webmail/secure/db.passwd";
        };
      };

      "webmail.fudo.org" = {
        title = "Fudo Webmail";
        favicon = "/etc/nixos/static/fudo.org/favicon.ico";
        mail-server = mail-hostname;
        domain = "fudo.org";
        edit-mode = "Plain";
        database = {
          name = "webmail";
          hostname = "localhost";
          user = "webmail";
          password-file = "/srv/webmail/secure/db.passwd";
        };
      };

      "webmail.test.selby.ca" = {
        title = "Selby Webmail";
        favicon = "/etc/nixos/static/selby.ca/favicon.ico";
        mail-server = mail-hostname;
        domain = "selby.ca";
        database = {
          name = "webmail";
          hostname = "localhost";
          user = "webmail";
          password-file = "/srv/webmail/secure/db.passwd";
        };
      };

      "webmail.selby.ca" = {
        title = "Selby Webmail";
        favicon = "/etc/nixos/static/selby.ca/favicon.ico";
        mail-server = mail-hostname;
        domain = "selby.ca";
        database = {
          name = "webmail";
          hostname = "localhost";
          user = "webmail";
          password-file = "/srv/webmail/secure/db.passwd";
        };
      };
    };
  };

  fudo.chat = {
    enable = true;

    hostname = "chat.fudo.org";
    site-name = "Fudo Chat";
    smtp-server = "mail.fudo.org";
    smtp-user = "chat";
    smtp-password-file = "/srv/mattermost/secure/smtp.passwd";
    database = {
      name = "mattermost";
      hostname = "localhost";
      user = "mattermost";
      password-file = "/srv/mattermost/secure/db.passwd";
    };
  };

  fudo.git = {
    enable = true;
    hostname = "git.fudo.org";
    site-name = "Fudo Git";
    user = "fudo_git";
    database = {
      user = "fudo_git";
      password-file = /srv/git/secure/db.passwd;
      hostname = "127.0.0.1";
      name = "fudo_git";
    };
    repository-dir = /srv/git/repo;
    state-dir = /srv/git/state;
    ssh = {
      listen-ip = git_ipv4;
      listen-port = 2222;
    };
  };

  networking = {
    hostName = hostname;

    dhcpcd.enable = false;
    useDHCP = false;

    # TODO: fix IPv6
    enableIPv6 = false;

    # Create a bridge for VMs to use
    macvlans = {
      extif0 = {
        interface = "enp4s0f0";
        mode = "bridge";
      };
      extif1 = {
        interface = "enp4s0f0";
        mode = "bridge";
      };
      intif0 = {
        interface = "enp4s0f1";
        mode = "bridge";
      };
    };

    interfaces = {
      extif0 = {
        # result of:
        # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
        macAddress = "02:d4:e8:3b:10:2f";
        ipv4.addresses = [
          {
            address = host_ipv4;
            prefixLength = 28;
          }
        ];
      };
      extif1 = {
        macAddress = "02:6d:e2:e1:ad:ca";
        ipv4.addresses = [
          {
            address = git_ipv4;
            prefixLength = 28;
          }
        ];
      };
      intif0 = {
        # result of:
        # echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
        macAddress = "02:ba:ba:e9:08:21";
        ipv4.addresses = [
          {
            address = "192.168.11.1";
            prefixLength = 24;
          }
        ];
      };
    };
  };

  hardware.bluetooth.enable = false;

  virtualisation = {
    docker = {
      enable = true;
      enableOnBoot = true;

      autoPrune = {
        enable = true;
      };
    };

    lxd = {
      enable = true;
    };
  };

  fileSystems = {
    "/srv/archiva" = {
      fsType = "btrfs";
      options = ["subvol=archiva"];
      label = "pool0";
    };
    "/srv/grafana" = {
      fsType = "btrfs";
      options = ["subvol=grafana"];
      label = "pool0";
    };
    "${system-mail-directory}" = {
      fsType = "btrfs";
      options = ["subvol=mail"];
      label = "pool0";
    };
    "/srv/gitlab" = {
      fsType = "btrfs";
      options = ["subvol=gitlab"];
      label = "pool0";
    };
    "/var/lib/lxd/storage-pools/pool0" = {
      fsType = "btrfs";
      label = "pool0";
      device = "/dev/disk/by-label/pool0";
    };
    "/var/lib/lxd/storage-pools/pool1" = {
      fsType = "btrfs";
      label = "pool1";
      device = "/dev/france-user/fudo-user";
    };
  };

  users = {
    extraUsers = {
      archiva = {
        isNormalUser = false;
        group = "nogroup";
        uid = 8001;
      };

      fudo_git = {
        isNormalUser = false;
        uid = 8006;
      };
    };
  };

  fudo.system = {
    disableTransparentHugePages = true;
    postHugePageServices = ["redis.service"];
  };

  security.acme.certs = {
    "archiva.fudo.org".email = config.fudo.common.admin-email;
    "git.fudo.org".email = config.fudo.common.admin-email;
  };

  services = {

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;

      virtualHosts = {
        "archiva.fudo.org" = {
          enableACME = true;
          forceSSL = true;

          locations."/" = {
            proxyPass = "http://127.0.0.1:8001";
            extraConfig = ''
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-By $server_addr:$server_port;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
              '';
          };
        };

        # Needed to grab a cert for the mail server.
        "mail.fudo.org" = {
          enableACME = true;
          globalRedirect = "webmail.fudo.org";
        };
      };
    };
  };

  docker-containers = {
    archiva = {
      image = "xetusoss/archiva";
      ports = ["127.0.0.1:8001:8080"];
      # Ugly: name-to-uid lookup fails.
      user = toString config.users.users.archiva.uid;
      volumes = [
        "/srv/archiva:/archiva-data"
      ];
      environment = {
        # Not directly connected to the world anyway
        SSL_ENABLED = "false";
      };
    };
  };

  ###
  # Minecraft
  ###

  fudo.minecraft-server = {
    enable = true;
    package = pkgs.minecraft-server_1_16_1;
    data-dir = minecraft-data-dir;
    world-name = "selbyland";
    motd = "Welcome to the Selby Minecraft server.";
  };
}
Currently broken config... 2020-01-15 09:24:11 -08:00			`{ config, pkgs, lib, ... }:`
Initial re-checki 2019-12-25 15:20:36 -08:00
Currently broken config... 2020-01-15 09:24:11 -08:00			`with lib;`
Initial re-checki 2019-12-25 15:20:36 -08:00			`let`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`domain = "fudo.org";`
			`hostname = "france.${domain}";`
france -> mail for cert 2020-07-26 08:22:28 -07:00			`mail-hostname = "mail.${domain}";`
Currently broken config... 2020-01-15 09:24:11 -08:00			`host_ipv4 = "208.81.3.117";`
Piles o' changes 2020-06-06 18:58:13 -07:00			`# Use a special IP for git.fudo.org, since it needs to be SSH-able`
Switch from gitlab to gitea. 2020-07-20 17:16:52 -07:00			`git_ipv4 = "208.81.3.126";`
Currently broken config... 2020-01-15 09:24:11 -08:00			`all-hostnames = [];`
Initial re-checki 2019-12-25 15:20:36 -08:00
Currently broken config... 2020-01-15 09:24:11 -08:00			`acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";`
			`acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";`
			`acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";`

			`fudo-ca = "/etc/nixos/static/fudo_ca.pem";`
Initial re-checki 2019-12-25 15:20:36 -08:00
Currently broken config... 2020-01-15 09:24:11 -08:00			`minecraft-data-dir = "/srv/minecraft/data";`
Initial re-checki 2019-12-25 15:20:36 -08:00
Currently broken config... 2020-01-15 09:24:11 -08:00			`system-mail-directory = "/srv/mail";`

			`in {`

			`boot.loader.grub = {`
			`enable = true;`
			`version = 2;`
			`device = "/dev/sda";`
			`};`
Initial re-checki 2019-12-25 15:20:36 -08:00
			`imports = [`
			`../hardware-configuration.nix`
Currently broken config... 2020-01-15 09:24:11 -08:00
			`../defaults.nix`
			`];`

Switch from gitlab to gitea. 2020-07-20 17:16:52 -07:00			`# services.openssh = {`
			`# listenAddresses = [`
			`# {`
			`# addr = host_ipv4;`
			`# port = 22;`
			`# }`
			`# ];`
			`# };`

In a pretty good working state 2020-02-03 17:07:46 -08:00			`fudo.common = {`
			`# Sets some server-common settings. See /etc/nixos/fudo/profiles/...`
			`profile = "server";`

			`# Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...`
			`site = "portage";`

			`domain = domain;`

			`www-root = /srv/www;`

			`local-networks = [`
			`"208.81.1.128/28"`
			`"208.81.3.112/28"`
			`"172.17.0.0/16"`
			`"127.0.0.0/8"`
			`];`
			`};`
Initial re-checki 2019-12-25 15:20:36 -08:00
			`environment.systemPackages = with pkgs; [`
Currently broken config... 2020-01-15 09:24:11 -08:00			`docker`
Initial re-checki 2019-12-25 15:20:36 -08:00			`lxd`
			`multipath-tools`
Currently broken config... 2020-01-15 09:24:11 -08:00			`nix-prefetch-docker`
Piles o' changes 2020-06-06 18:58:13 -07:00			`tshark`
Initial re-checki 2019-12-25 15:20:36 -08:00			`];`

Currently broken config... 2020-01-15 09:24:11 -08:00			`fudo.prometheus = {`
Initial re-checki 2019-12-25 15:20:36 -08:00			`enable = true;`
Currently broken config... 2020-01-15 09:24:11 -08:00			`hostname = "metrics.fudo.org";`
			`service-discovery-dns = {`
			`node = [ "node._metrics._tcp.fudo.org" ];`
			`postfix = [ "postfix._metrics._tcp.fudo.org" ];`
			`dovecot = [ "dovecot._metrics._tcp.fudo.org" ];`
			`rspamd = [ "rspamd._metrics._tcp.fudo.org" ];`
			`};`
			`};`

			`fudo.grafana = {`
			`enable = true;`
			`hostname = "monitor.fudo.org";`
			`smtp-username = "metrics";`
			`smtp-password-file = "/srv/grafana/secure/smtp.passwd";`
			`admin-password-file = "/srv/grafana/secure/admin.passwd";`
			`secret-key-file = "/srv/grafana/secure/secret.key";`
			`prometheus-host = "metrics.fudo.org";`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`database = {`
			`name = "grafana";`
			`hostname = "localhost";`
			`user = "grafana";`
			`password-file = /srv/grafana/secure/db.passwd;`
			`};`
Currently broken config... 2020-01-15 09:24:11 -08:00			`};`

			`# So that grafana waits for postgresql`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`systemd.services.grafana.after = [`
			`"postgresql.service"`
Currently broken config... 2020-01-15 09:24:11 -08:00			`];`

			`fudo.postgresql = {`
			`enable = true;`
			`ssl-private-key = (acme-private-key hostname);`
			`ssl-certificate = (acme-certificate hostname);`
			`keytab = "/srv/postgres/secure/postgres.keytab";`

			`# We allow connections from local networks. Auth is still required. Outside`
			`# of these networks, no access is allowed.`
			`#`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`# TODO: that's probably too strict, allow kerberos connections from anywhere?`
Currently broken config... 2020-01-15 09:24:11 -08:00			`local-networks = [`
			`"208.81.1.128/28"`
			`"208.81.3.112/28"`
			`"192.168.11.1/24"`
			`"127.0.0.1/8"`
			`"172.17.0.0/16"`
			`];`
In a pretty good working state 2020-02-03 17:07:46 -08:00
			`users = {`
Piles o' changes 2020-06-06 18:58:13 -07:00			`fudo_git = {`
			`password = fileContents "/srv/git/secure/db.passwd";`
			`databases = {`
			`fudo_git = "ALL PRIVILEGES";`
			`};`
			`};`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`grafana = {`
			`password = fileContents "/srv/grafana/secure/db.passwd";`
			`databases = {`
			`grafana = "ALL PRIVILEGES";`
			`};`
			`};`
			`mattermost = {`
			`password = fileContents "/srv/mattermost/secure/db.passwd";`
			`databases = {`
			`mattermost = "ALL PRIVILEGES";`
			`};`
			`};`
			`webmail = {`
			`password = fileContents "/srv/webmail/secure/db.passwd";`
			`databases = {`
			`webmail = "ALL PRIVILEGES";`
			`};`
			`};`
			`niten = {};`
			`};`

Piles o' changes 2020-06-06 18:58:13 -07:00			`local-users = [`
			`"fudo_git"`
			`];`

In a pretty good working state 2020-02-03 17:07:46 -08:00			`databases = {`
Piles o' changes 2020-06-06 18:58:13 -07:00			`fudo_git = ["niten"];`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`grafana = ["niten"];`
			`mattermost = ["niten"];`
			`webmail = ["niten"];`
			`};`
Currently broken config... 2020-01-15 09:24:11 -08:00			`};`

			`# Not all users need access to france; don't allow LDAP-user access.`
			`fudo.authentication.enable = false;`

			`# But we DO run an LDAP auth server. Should be better-named.`
			`fudo.auth = {`
			`server = {`
			`enable = true;`
			`base = "dc=fudo,dc=org";`
			`organization = "Fudo";`
			`rootpw-file = "/srv/ldap/secure/root.pw";`
			`kerberos-host = "france.fudo.org";`
			`kerberos-keytab = "/srv/ldap/secure/ldap.keytab";`

			`sslCert = "/srv/ldap/france.fudo.org.pem";`
			`sslKey = "/srv/ldap/secure/france.fudo.org-key.pem";`
			`sslCACert = fudo-ca;`

			`# We're using fudo-generated certs for now, but we should move to ACME`
			`# once I can figure out how to correctly produce the ca.pem file. Until`
			`# then, the server will fail to start using these certs. See:`
			`# https://serverfault.com/a/834565`

			`# sslCert = (acme-bare-cert hostname);`
			`# sslKey = (acme-private-key hostname);`
			`# sslCACert = acme-ca;`

			`# TODO: loop over v4 and v6 IPs.`
			`listen-uris = [`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`"ldap:///"`
			`"ldaps:///"`
			`# "ldap://${host_ipv4}/"`
			`# "ldaps://${host_ipv4}/"`
			`# "ldap://localhost/"`
			`# "ldaps://localhost/"`
			`# "ldap://127.0.1.1/"`
			`# "ldaps://127.0.1.1/"`
Currently broken config... 2020-01-15 09:24:11 -08:00			`"ldapi:///"`
			`];`

			`users = import ../fudo/users.nix;`

			`groups = import ../fudo/groups.nix;`
Initial re-checki 2019-12-25 15:20:36 -08:00
Currently broken config... 2020-01-15 09:24:11 -08:00			`system-users = import ../fudo/system-users.nix;`
			`};`

			`# Heimdal Kerberos server`
			`kdc = {`
			`enable = true;`
			`database-path = "/var/heimdal/heimdal";`
			`realm = "FUDO.ORG";`
			`mkey-file = "/var/heimdal/m-key";`
			`acl-file = "/etc/heimdal/kdc.acl";`
			`bind-addresses = [`
			`host_ipv4`
			`"127.0.0.1"`
			`"127.0.1.1"`
			`];`
			`};`
			`};`

			`# TODO: not used yet`
			`fudo.acme.hostnames = all-hostnames;`

			`fudo.mail-server = import ../fudo/email.nix { inherit config; } // {`
			`enableContainer = true;`
			`debug = true;`
			`monitoring = true;`

			`hostname = mail-hostname;`

			`postfix.ssl-certificate = (acme-certificate mail-hostname);`
			`postfix.ssl-private-key = (acme-private-key mail-hostname);`
			`dovecot.ssl-certificate = (acme-certificate mail-hostname);`
			`dovecot.ssl-private-key = (acme-private-key mail-hostname);`

			`state-directory = "${system-mail-directory}/var";`
			`mail-directory = "${system-mail-directory}/mailboxes";`
Initial re-checki 2019-12-25 15:20:36 -08:00
Merged frace 2020-07-20 23:16:30 -07:00			`dovecot.ldap = {`
			`reader-dn = "cn=user_db_reader,dc=fudo,dc=org";`
			`reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;`
Initial re-checki 2019-12-25 15:20:36 -08:00
Merged frace 2020-07-20 23:16:30 -07:00			`# FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.`
			`server-urls = [ "ldap://france.fudo.org" ];`
			`};`
Currently broken config... 2020-01-15 09:24:11 -08:00
			`clamav.enable = true;`

			`dkim.signing = true;`
Initial re-checki 2019-12-25 15:20:36 -08:00			`};`

In a pretty good working state 2020-02-03 17:07:46 -08:00			`fudo.webmail = {`
			`enable = true;`

			`sites = {`
			`"webmail.fudo.link" = {`
			`title = "Fudo Link Webmail";`
			`favicon = "/etc/nixos/static/fudo.link/favicon.ico";`
			`mail-server = mail-hostname;`
			`domain = "fudo.link";`
			`edit-mode = "Plain";`
			`layout-mode = "bottom";`
			`database = {`
			`name = "webmail";`
			`hostname = "localhost";`
			`user = "webmail";`
Changes for SEA 2020-02-18 10:58:47 -08:00			`password-file = "/srv/webmail/secure/db.passwd";`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`};`
			`};`
Piles o' changes 2020-06-06 18:58:13 -07:00
			`"webmail.test.fudo.org" = {`
			`title = "Fudo Webmail";`
			`favicon = "/etc/nixos/static/fudo.org/favicon.ico";`
france -> mail for cert 2020-07-26 08:22:28 -07:00			`mail-server = mail-hostname;`
			`domain = "fudo.org";`
			`edit-mode = "Plain";`
			`database = {`
			`name = "webmail";`
			`hostname = "localhost";`
			`user = "webmail";`
			`password-file = "/srv/webmail/secure/db.passwd";`
			`};`
			`};`

			`"webmail.fudo.org" = {`
			`title = "Fudo Webmail";`
			`favicon = "/etc/nixos/static/fudo.org/favicon.ico";`
			`mail-server = mail-hostname;`
Fixed minecraft. 2020-07-20 10:12:09 -07:00			`domain = "fudo.org";`
Piles o' changes 2020-06-06 18:58:13 -07:00			`edit-mode = "Plain";`
			`database = {`
			`name = "webmail";`
			`hostname = "localhost";`
			`user = "webmail";`
Merged frace 2020-07-20 23:16:30 -07:00			`password-file = "/srv/webmail/secure/db.passwd";`
Piles o' changes 2020-06-06 18:58:13 -07:00			`};`
			`};`

			`"webmail.test.selby.ca" = {`
			`title = "Selby Webmail";`
			`favicon = "/etc/nixos/static/selby.ca/favicon.ico";`
france -> mail for cert 2020-07-26 08:22:28 -07:00			`mail-server = mail-hostname;`
			`domain = "selby.ca";`
			`database = {`
			`name = "webmail";`
			`hostname = "localhost";`
			`user = "webmail";`
			`password-file = "/srv/webmail/secure/db.passwd";`
			`};`
			`};`

			`"webmail.selby.ca" = {`
			`title = "Selby Webmail";`
			`favicon = "/etc/nixos/static/selby.ca/favicon.ico";`
			`mail-server = mail-hostname;`
Fixed minecraft. 2020-07-20 10:12:09 -07:00			`domain = "selby.ca";`
Piles o' changes 2020-06-06 18:58:13 -07:00			`database = {`
			`name = "webmail";`
			`hostname = "localhost";`
			`user = "webmail";`
Merged frace 2020-07-20 23:16:30 -07:00			`password-file = "/srv/webmail/secure/db.passwd";`
Piles o' changes 2020-06-06 18:58:13 -07:00			`};`
			`};`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`};`
			`};`

			`fudo.chat = {`
			`enable = true;`

			`hostname = "chat.fudo.org";`
			`site-name = "Fudo Chat";`
france -> mail for cert 2020-07-26 08:22:28 -07:00			`smtp-server = "mail.fudo.org";`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`smtp-user = "chat";`
Changes for SEA 2020-02-18 10:58:47 -08:00			`smtp-password-file = "/srv/mattermost/secure/smtp.passwd";`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`database = {`
			`name = "mattermost";`
			`hostname = "localhost";`
			`user = "mattermost";`
Changes for SEA 2020-02-18 10:58:47 -08:00			`password-file = "/srv/mattermost/secure/db.passwd";`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`};`
			`};`

Piles o' changes 2020-06-06 18:58:13 -07:00			`fudo.git = {`
			`enable = true;`
Switch from gitlab to gitea. 2020-07-20 17:16:52 -07:00			`hostname = "git.fudo.org";`
Piles o' changes 2020-06-06 18:58:13 -07:00			`site-name = "Fudo Git";`
			`user = "fudo_git";`
			`database = {`
			`user = "fudo_git";`
			`password-file = /srv/git/secure/db.passwd;`
			`hostname = "127.0.0.1";`
			`name = "fudo_git";`
			`};`
			`repository-dir = /srv/git/repo;`
			`state-dir = /srv/git/state;`
Switch from gitlab to gitea. 2020-07-20 17:16:52 -07:00			`ssh = {`
			`listen-ip = git_ipv4;`
			`listen-port = 2222;`
			`};`
Piles o' changes 2020-06-06 18:58:13 -07:00			`};`

Initial re-checki 2019-12-25 15:20:36 -08:00			`networking = {`
			`hostName = hostname;`

			`dhcpcd.enable = false;`
			`useDHCP = false;`

Currently broken config... 2020-01-15 09:24:11 -08:00			`# TODO: fix IPv6`
			`enableIPv6 = false;`
Initial re-checki 2019-12-25 15:20:36 -08:00
			`# Create a bridge for VMs to use`
			`macvlans = {`
			`extif0 = {`
			`interface = "enp4s0f0";`
			`mode = "bridge";`
			`};`
Piles o' changes 2020-06-06 18:58:13 -07:00			`extif1 = {`
			`interface = "enp4s0f0";`
			`mode = "bridge";`
			`};`
Initial re-checki 2019-12-25 15:20:36 -08:00			`intif0 = {`
			`interface = "enp4s0f1";`
			`mode = "bridge";`
			`};`
			`};`

			`interfaces = {`
			`extif0 = {`
Piles o' changes 2020-06-06 18:58:13 -07:00			`# result of:`
			`# echo $FQDN-extif\|md5sum\|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'`
Initial re-checki 2019-12-25 15:20:36 -08:00			`macAddress = "02:d4:e8:3b:10:2f";`
			`ipv4.addresses = [`
			`{`
Currently broken config... 2020-01-15 09:24:11 -08:00			`address = host_ipv4;`
Initial re-checki 2019-12-25 15:20:36 -08:00			`prefixLength = 28;`
			`}`
			`];`
			`};`
Piles o' changes 2020-06-06 18:58:13 -07:00			`extif1 = {`
			`macAddress = "02:6d:e2:e1:ad:ca";`
			`ipv4.addresses = [`
			`{`
Switch from gitlab to gitea. 2020-07-20 17:16:52 -07:00			`address = git_ipv4;`
Piles o' changes 2020-06-06 18:58:13 -07:00			`prefixLength = 28;`
			`}`
			`];`
			`};`
Initial re-checki 2019-12-25 15:20:36 -08:00			`intif0 = {`
Piles o' changes 2020-06-06 18:58:13 -07:00			`# result of:`
			`# echo $FQDN-intif\|md5sum\|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'`
Initial re-checki 2019-12-25 15:20:36 -08:00			`macAddress = "02:ba:ba:e9:08:21";`
			`ipv4.addresses = [`
			`{`
			`address = "192.168.11.1";`
			`prefixLength = 24;`
			`}`
			`];`
			`};`
			`};`
			`};`

			`hardware.bluetooth.enable = false;`

Currently broken config... 2020-01-15 09:24:11 -08:00			`virtualisation = {`
			`docker = {`
			`enable = true;`
			`enableOnBoot = true;`

			`autoPrune = {`
			`enable = true;`
			`};`
			`};`
Piles o' changes 2020-06-06 18:58:13 -07:00
			`lxd = {`
			`enable = true;`
			`};`
Currently broken config... 2020-01-15 09:24:11 -08:00			`};`

			`fileSystems = {`
			`"/srv/archiva" = {`
			`fsType = "btrfs";`
			`options = ["subvol=archiva"];`
			`label = "pool0";`
			`};`
			`"/srv/grafana" = {`
			`fsType = "btrfs";`
			`options = ["subvol=grafana"];`
			`label = "pool0";`
			`};`
			`"${system-mail-directory}" = {`
			`fsType = "btrfs";`
			`options = ["subvol=mail"];`
			`label = "pool0";`
			`};`
			`"/srv/gitlab" = {`
			`fsType = "btrfs";`
			`options = ["subvol=gitlab"];`
			`label = "pool0";`
			`};`
In a pretty good working state 2020-02-03 17:07:46 -08:00			`"/var/lib/lxd/storage-pools/pool0" = {`
			`fsType = "btrfs";`
			`label = "pool0";`
			`device = "/dev/disk/by-label/pool0";`
			`};`
			`"/var/lib/lxd/storage-pools/pool1" = {`
			`fsType = "btrfs";`
			`label = "pool1";`
			`device = "/dev/france-user/fudo-user";`
			`};`
Currently broken config... 2020-01-15 09:24:11 -08:00			`};`

Piles o' changes 2020-06-06 18:58:13 -07:00			`users = {`
			`extraUsers = {`
			`archiva = {`
			`isNormalUser = false;`
			`group = "nogroup";`
			`uid = 8001;`
			`};`
Currently broken config... 2020-01-15 09:24:11 -08:00
Piles o' changes 2020-06-06 18:58:13 -07:00			`fudo_git = {`
			`isNormalUser = false;`
			`uid = 8006;`
			`};`
			`};`
			`};`

			`fudo.system = {`
			`disableTransparentHugePages = true;`
			`postHugePageServices = ["redis.service"];`
			`};`

			`security.acme.certs = {`
			`"archiva.fudo.org".email = config.fudo.common.admin-email;`
			`"git.fudo.org".email = config.fudo.common.admin-email;`
			`};`

			`services = {`

			`nginx = {`
			`enable = true;`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedTlsSettings = true;`

			`virtualHosts = {`
			`"archiva.fudo.org" = {`
			`enableACME = true;`
			`forceSSL = true;`

			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:8001";`
			`extraConfig = ''`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-By $server_addr:$server_port;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`'';`
			`};`
			`};`
france -> mail for cert 2020-07-26 08:22:28 -07:00
			`# Needed to grab a cert for the mail server.`
			`"mail.fudo.org" = {`
			`enableACME = true;`
			`globalRedirect = "webmail.fudo.org";`
			`};`
Piles o' changes 2020-06-06 18:58:13 -07:00			`};`
Currently broken config... 2020-01-15 09:24:11 -08:00			`};`
			`};`

			`docker-containers = {`
			`archiva = {`
			`image = "xetusoss/archiva";`
Piles o' changes 2020-06-06 18:58:13 -07:00			`ports = ["127.0.0.1:8001:8080"];`
			`# Ugly: name-to-uid lookup fails.`
			`user = toString config.users.users.archiva.uid;`
Currently broken config... 2020-01-15 09:24:11 -08:00			`volumes = [`
			`"/srv/archiva:/archiva-data"`
			`];`
			`environment = {`
			`# Not directly connected to the world anyway`
			`SSL_ENABLED = "false";`
			`};`
			`};`
			`};`

			`###`
			`# Minecraft`
			`###`

			`fudo.minecraft-server = {`
Initial re-checki 2019-12-25 15:20:36 -08:00			`enable = true;`
Fixed minecraft. 2020-07-20 10:12:09 -07:00			`package = pkgs.minecraft-server_1_16_1;`
Currently broken config... 2020-01-15 09:24:11 -08:00			`data-dir = minecraft-data-dir;`
			`world-name = "selbyland";`
			`motd = "Welcome to the Selby Minecraft server.";`
Initial re-checki 2019-12-25 15:20:36 -08:00			`};`
			`}`