Remove stuff that's no longer needed

This commit is contained in:
Niten 2021-03-01 17:03:48 -06:00
parent 72cf88bdec
commit 946f3597ef
45 changed files with 0 additions and 5333 deletions


@ -1,269 +0,0 @@
# Ref: https://learnxinyminutes.com/docs/nix/
{ config, pkgs, lib, ... }:
let state-version = "20.03";
in {
imports = [
./hardware-configuration.nix
./packages/local.nix
./config
./bash.nix
<home-manager/nixos>
];
nixpkgs.config.allowUnfree = true;
security.acme.acceptTerms = true;
environment.systemPackages = with pkgs; [
asdf
atop
autoconf
automake
bash
boot
bind
binutils
# bpytop
btrfs-progs
bundix
byobu
cdrtools
cargo
certbot
clang
curl
doomEmacsInit
dpkg
enca
fail2ban
file
fortune
gcc
git
gnumake
gnupg
google-cloud-sdk
guile
heimdalFull
home-manager
imagemagick
ipfs
iptables
jq
kerberos
leiningen
libisofs
lispPackages.alexandria
lispPackages.cl-ppcre
lispPackages.clx
lispPackages.quicklisp
lsof
lshw
mkpasswd
ncurses5
nixfmt
nix-index
nix-prefetch-git
nmap
oidentd
openldap
openssh
openssl_1_1
openssh_gssapi
pciutils
pv
pwgen
ruby
rustc
sbcl
screen
service-wrapper
stdenv
telnet
texlive.combined.scheme-basic
tmux
unzip
vim
wget
xclip
yubikey-manager
yubikey-personalization
];
system.stateVersion = state-version;
system.autoUpgrade.enable = true;
environment.etc.current-nixos-config.source = ./.;
krb5.enable = true;
krb5.kerberos = pkgs.heimdalFull;
services.xserver = {
layout = "us";
xkbVariant = "dvp";
xkbOptions = "ctrl:nocaps";
};
console = { useXkbConfig = true; };
i18n = { defaultLocale = "en_US.UTF-8"; };
programs = {
mosh.enable = true;
ssh = {
startAgent = false;
extraConfig = ''
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
'';
};
bash.enableCompletion = true;
mtr.enable = true;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
fish = { enable = true; };
};
services = {
emacs = {
defaultEditor = true;
enable = true;
};
cron = { enable = true; };
openssh = {
enable = true;
startWhenNeeded = true;
permitRootLogin = "prohibit-password";
extraConfig = ''
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
'';
};
pcscd = { enable = true; };
udev.packages = with pkgs; [ yubikey-personalization ];
};
environment.shellInit = ''
${pkgs.gnupg}/bin/gpg-connect-agent /bye
export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
'';
security.pam = {
# TODO: add yubico?
services = {
sshd = {
# This should only ask for a code if ~/.google_authenticator exists, but it asks anyway.
# googleAuthenticator.enable = true;
makeHomeDir = true;
sshAgentAuth = true;
};
};
};
users.extraUsers = {
node = {
isSystemUser = true;
group = "nogroup";
};
};
users.groups = { fudosys = { gid = 888; }; };
users.extraUsers = {
niten = {
isNormalUser = true;
uid = 10000;
createHome = true;
description = "Niten";
extraGroups = [
"wheel"
"audio"
"video"
"disk"
"floppy"
"lp"
"cdrom"
"tape"
"dialout"
"adm"
"input"
"systemd-journal"
"fudosys"
"libvirtd"
];
group = "users";
home = "/home/niten";
hashedPassword =
"$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
openssh.authorizedKeys.keys = [
"ssh-rsa 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 openpgp:0x4EC95B64"
];
};
reaper = {
isNormalUser = true;
uid = 10049;
createHome = true;
description = "Reaper";
extraGroups = [
"wheel"
"audio"
"video"
"disk"
"floppy"
"lp"
"cdrom"
"tape"
"dialout"
"adm"
"input"
"systemd-journal"
"fudosys"
"libvirtd"
];
group = "users";
home = "/home/reaper";
hashedPassword =
"$6$YVCI6kiGcG5EVMT$t9lYEXjAhbnh7YkvJJPAbrzL8XE/AASsKFlWWeS.fDjBi/8S7zwXTHF0j41nDUfC//3viysn0tIOQKyZTHhzG.";
};
fudo = {
isSystemUser = true;
uid = 888;
description = "Fudo System User";
group = "fudosys";
};
};
home-manager.users = {
niten = import ./users/niten.nix { inherit config pkgs lib; };
root = import ./users/root.nix { inherit config pkgs lib; };
};
systemd.services.fudo-environment-init = {
enable = true;
description = "Fudo common settings.";
wantedBy = [ "default.target" ];
# Careful, this WILL run many times
script = ''
# Create a directory for system user homedirs if it doesn't already exist
if [ ! -d /var/home ]; then
mkdir -p /var/home
chmod +x /var/home
fi
'';
};
}


@ -1,20 +0,0 @@
# A map of email aliases to a list of users (useful for system and bulk aliases)
let
admin-users = ["reaper@fudo.org" "niten@fudo.org"];
in {
root = admin-users;
postmaster = admin-users;
www-data = admin-users;
hostmaster = admin-users;
webmaster = admin-users;
ftp = admin-users;
irc = admin-users;
admin = admin-users;
system = admin-users;
asdf = ["mswaffer@gmail.com" "bouncetest@fudo.org"];
network-info = ["niten@fudo.org"];
}


@ -1,34 +0,0 @@
# Fudo email settings
{ config }:
{
domain = "fudo.org";
local-domains = [
"${config.networking.hostName}"
"selby.ca"
"mail.selby.ca"
"fudo.im"
"mail.fudo.im"
"fudo.ca"
"mail.fudo.ca"
"fudo.link"
"mail.fudo.link"
"selbyhomecentre.com"
"stewartsoundservices.ca"
"rogerwongphoto.com"
"chat.fudo.org"
];
alias-users = import ./alias-users.nix;
user-aliases = import ./user-aliases.nix;
sender-blacklist = import ./sender-blacklist.nix;
recipient-blacklist = import ./recipient-blacklist.nix;
trusted-networks = [
"208.81.1.128/28"
"208.81.3.112/28"
"192.168.11.0/24"
"127.0.0.0/8"
];
}


@ -1,268 +0,0 @@
{ config, ... }:
{
dnssec = true;
mx = ["mail.fudo.org"];
hosts = {
cisco = {
ip-addresses = [ "198.163.150.211" ];
description = "\"allbran\" \"converge\"";
};
cisco-int = {
ip-addresses = [ "10.73.77.10" ];
description = "\"fruitloops\" \"aironet\"";
};
cupid = {
ip-addresses = [ "208.38.36.100" ];
};
docker = {
ip-addresses = [ "208.81.3.126" ];
};
france = {
ip-addresses = [ "208.81.3.117" ];
ssh-fingerprints = [
"4 1 c95a198f504a589fc62893a95424b12f0b24732d"
"4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96"
"1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94"
"1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80"
];
};
frankfurt = {
ip-addresses = [ "208.81.3.120" ];
ipv6-addresses = [ "2605:e200:d200:1:5054:ff:fe8c:9738" ];
ssh-fingerprints = [
"2 1 4b9e4ed16a6b3fe6d41ed0f5cdeed853cc101e12"
"2 2 286ce32326874fe8aa15e3fd60b176b906ebd87306109f7c250d077db4ba85c5"
"3 1 3531dfd2f240ce0cd548b748462f78451df3f081"
"3 2 338809345ed38eb6808fd468067a74b2a8000fd8cc3bc016b9f977050bf1bba8"
"1 1 fb9ba707daa78243f8a8801f024fe790516b99a7"
"1 2 407f9692fedbd83449f0daf1cf795258b561a7e9c7e8072577cc84ffc0c84130"
];
};
germany = {
ip-addresses = [ "208.81.3.116" ];
ipv6-addresses = [ "2605:e200:d200:1:78d9:d8ff:fe0f:dd88" ];
ssh-fingerprints = [
"2 1 5609a728a91d7e52a6060ea7f3a7790005ba5e81"
"2 2 520a8eb3b9013837ac3ab4b28254f96b7718f9613e751a20dc488bf7d967b485"
"3 1 ee5b49888a36a34e7d4ee0d18626c82a16c2fcdf"
"3 2 d5e44cf2d85032638d49c030a9ccbff6638198c354efcb11bf173017d1257f49"
"1 1 9915d2515d7acdb38924d8829925113d5ce80b88"
"1 2 a7c866306e9661b8b568b2de282367c84065301d6228e58e57e6c4d3d33e3051"
];
};
hanover = {
ip-addresses = [ "208.81.1.130" ];
ipv6-addresses = [ "2605:e200:d100:1:5054:ff:fe61:ac8b" ];
};
localhost = {
ip-addresses = [ "127.0.0.1" ];
};
lsbb-gba = {
ip-addresses = [ "199.101.56.34" ];
};
lsbb-abg = {
ip-addresses = [ "199.101.56.38" ];
};
lsbb-hwd = {
ip-addresses = [ "199.101.56.106" ];
};
lsbb-hcl = {
ip-addresses = [ "199.101.56.110" ];
};
procul = {
ip-addresses = [ "172.86.179.18" ];
};
prunel = {
ip-addresses = [ "208.81.3.123" ];
};
mbix = {
ip-addresses = [ "208.81.7.146" ];
};
ns3-fudo = {
ip-addresses = [ "208.75.74.205" ];
};
ns3-dair = {
ip-addresses = [ "208.75.74.205" ];
};
ns4-fudo = {
ip-addresses = [ "208.75.75.157" ];
};
ns4-dair = {
ip-addresses = [ "208.75.75.157" ];
};
paris = {
ip-addresses = [ "208.81.3.125" ];
ipv6-addresses = [ "2605:e200:d200:1:5054:ff:fe67:d0c1" ];
ssh-fingerprints = [
"2 1 9fe9e689a36316831ffafffc22c85913748670a6"
"2 2 f2ce57bf470c907604b79b6ef031c928a64a81031e78892fd475bbcf65ae728b"
"3 1 5c56e93a20868886ffe76e1fab012989ce8e995f"
"3 2 af4f383cb349fc3b2496a0bf0911da3a09f98a6d4d2a3c81bb0fb23a45bde950"
"4 1 71a1d35c32b4445b98ce339696f155e1d4c39bd5"
"4 2 a9e4810a24bd52082c9bb2b1019a9de7d7983246fecb454dd8d918ac5a11af81"
"1 1 18e8dd7cac48f1ac6103ec21c279e339d8690be1"
"1 2 72e4aa05c733441da57c464e6540486f5306b6768d784dd97c666e16629d77a0"
];
};
probe = {
ip-addresses = [ "208.81.3.119" ];
};
tours = {
ip-addresses = [ "208.81.3.121" ];
ipv6-addresses = [ "2605:e200:d200:1:5054:ff:fe95:34e5" ];
ssh-fingerprints = [
"2 2 41cddf1457880c7e86fa3838eabdbbe7cf803f98998ed406319ba3e43036964c"
"3 1 89b72a740ef6ef7ad9aaf5fe2178d356cdc7ee5b"
"3 2 c39346def56817aaf4c64db5667ccc6aeb400ff1166125fe630b63b5eab0ef29"
"4 1 049b1e6ef1d338d35e97baf312d8a371a266b7d1"
"4 2 1a889e43148ea1ded9f8bc60799ccf1bc32cb084946c8815abed6cc31f212594"
"1 1 bae37560759ec8dba35755473fbb346f9dc4e333"
"1 2 3d0d5efe2da329ea19b191f227c3aaad45271c651717ec3315cda131e992bbcf"
];
};
};
default-host = "208.81.3.117";
srv-records = {
tcp = {
domain = [
{
host = "ns1.fudo.org";
port = 53;
}
{
host = "ns2.fudo.org";
port = 53;
}
{
host = "ns3.fudo.org";
port = 53;
}
{
host = "ns4.fudo.org";
port = 53;
}
];
ssh = [{
host = "france.fudo.org";
port = 22;
}];
smtp = [{
host = "mail.fudo.org";
port = 25;
}];
submission = [{
host = "mail.fudo.org";
port = 587;
}];
kerberos = [{
host = "france.fudo.org";
port = 88;
}];
imaps = [{
host = "mail.fudo.org";
port = 993;
}];
ldap = [{
host = "france.fudo.org";
port = 389;
}];
ldaps = [{
host = "france.fudo.org";
port = 636;
}];
pop3s = [{
host = "mail.fudo.org";
port = 995;
}];
http = [{
host = "wiki.fudo.org";
port = 80;
}];
https = [{
host = "wiki.fudo.org";
port = 80;
}];
xmpp-server = [{
host = "fudo.im";
port = 5269;
}];
xmpp-client = [{
host = "fudo.im";
port = 5222;
}];
};
udp = {
domain = [
{
host = "ns1.fudo.org";
port = 53;
}
{
host = "ns2.fudo.org";
port = 53;
}
{
host = "ns3.fudo.org";
port = 53;
}
{
host = "ns4.fudo.org";
port = 53;
}
];
kerberos = [{
host = "france.fudo.org";
port = 88;
}];
kerberos-master = [{
host = "france.fudo.org";
port = 88;
}];
kpasswd = [{
host = "france.fudo.org";
port = 464;
}];
xmpp-server = [{
host = "fudo.im";
port = 5269;
}];
};
};
aliases = {
pop = "mail.fudo.org.";
smtp = "mail.fudo.org.";
imap = "mail.fudo.org.";
webmail = "france.fudo.org.";
archiva = "france.fudo.org.";
auth = "france.fudo.org.";
backplane = "france.fudo.org.";
chat = "france.fudo.org.";
de = "germany.fudo.org.";
fr = "france.fudo.org.";
git = "france.fudo.org.";
metrics = "france.fudo.org.";
minecraft = "france.fudo.org.";
monitor = "france.fudo.org.";
user = "paris.fudo.org.";
u = "user.fudo.org.";
w = "www.fudo.org.";
ww = "www.fudo.org.";
www = "hanover.fudo.org.";
wiki = "hanover.fudo.org.";
};
extra-dns-records = [
''_kerberos IN TXT "FUDO.ORG"''
''@ IN TXT "v=spf1 mx ip4:208.81.3.112/28 ip6:2605:e200:d200::1/48 -all"''
''@ IN SPF "v=spf1 mx ip4:208.81.3.112/28 ip6:2605:e200:d200::1/48 -all"''
];
dmarc-report-address = "dmarc-report@fudo.org";
}


@ -1,120 +0,0 @@
{
admin = {
gid = 1000;
description = "Admin User Group";
members = [
"niten"
"reaper"
"swaff"
];
};
fudo = {
gid = 1001;
description = "Fudo User Group";
members = [
"andrew"
"animus"
"anorthe"
"ark"
"ben"
"brian"
"chad"
"ckoo"
"dabar"
"dana"
"darryl"
"debo"
"flowchart"
"gaijin"
"gubbs"
"helen"
"jess"
"jill"
"jinny"
"joker4ever"
"jun"
"kevin"
"kevinyinjunjie"
"kris"
"laura"
"leefolio"
"niten"
"r3d3"
"reaper"
"rob"
"saphira"
"slickoil"
"splat1"
"stewartd"
"swaff"
"theblacksun"
"xiaoxuan"
"zimm"
];
};
selby = {
gid = 1002;
description = "Selby User Group";
members = [
"andrew"
"brian"
"darryl"
"helen"
"jess"
"ken"
"kevin"
"laura"
"niten"
"rob"
"vee"
"xiaoxuan"
];
};
www-fudo = {
gid = 1005;
description = "Fudo Web Group";
members = [
"niten"
"reaper"
"www-data"
];
};
fudo_admin = {
gid = 1031;
description = "Fudo Administrators";
members = [
"niten"
"reaper"
];
};
sea_media = {
gid = 1077;
description = "Media group for Niten's home in Seattle";
members = [
"ken"
"niten"
"reaper"
"xiaoxuan"
];
};
fudo_shell = {
gid = 1078;
description = "Users with shell access to fudo hosts";
members = [
"ansyg"
"joker4ever"
"kevinyinjunjie"
"niten"
"omefire"
"reaper"
"swaff"
];
};
}


@ -1,190 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
profile = config.fudo.common.profile;
common-packages = with pkgs; [
ffmpeg-full
libfixposix
mono
nomacs
oraclejdk
python37Packages.youtube-dl
sqlite
system-config-printer
];
gui-packages = with pkgs; [
cool-retro-term
corefonts
chrome-gnome-shell
chromium
emacs
evince
firefox
gimp
glxinfo
gnome3.gnome-shell
gnome3.gnome-session
google-chrome
gtk2
gtk2-x11
gtk3
gtkimageview
i3lock
mplayer
mpv
pdftk
racket
redshift
rhythmbox
shotwell
spotify
(steam.override {
nativeOnly = true;
extraPkgs = pkgs: [
mono
fmodex
gtk3
gtk3-x11
libgdiplus
zlib
];
withJava = true;
}).run
virtmanager
xorg.xev
xzgv
virtmanager-qt
];
cfg = config.fudo.common;
in mkIf ((profile == "desktop") || (profile == "laptop")) {
environment.systemPackages =
common-packages ++ (if cfg.enable-gui then gui-packages else []);
nixpkgs.config.allowBroken = true;
services.avahi = {
enable = true;
browseDomains = [config.fudo.common.domain];
domainName = config.fudo.common.domain;
};
# splash screen
boot.plymouth.enable = false;
boot.tmpOnTmpfs = true;
services.xserver = if cfg.enable-gui then {
enable = true;
layout = "us";
xkbVariant = "dvp";
xkbOptions = "ctrl:nocaps";
desktopManager.gnome3.enable = true;
displayManager.gdm.enable = true;
# displayManager.defaultSession = "gnome";
windowManager.stumpwm.enable = true;
# windowManager.session = pkgs.lib.singleton {
# name = "stumpwm";
# start = ''
# ${pkgs.lispPackages.stumpwm}/bin/stumpwm &
# waidPID=$!
# '';
# };
} else {
layout = "us";
xkbVariant = "dvp";
xkbOptions = "ctrl:nocaps";
};
services.gnome3 = mkIf cfg.enable-gui {
evolution-data-server.enable = pkgs.lib.mkForce false;
gnome-user-share.enable = pkgs.lib.mkForce false;
};
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
};
services.dbus.socketActivated = true;
sound.enable = true;
hardware.pulseaudio.enable = true;
fonts = mkIf cfg.enable-gui {
enableFontDir = true;
#fontconfig.antialias = true;
fontconfig.enable = true;
#fontconfig.penultimate.enable = true;
#fontconfig.subpixel.lcdfilter = "default";
fonts = with pkgs; [
cantarell_fonts
dejavu_fonts
dina-font
dosemu_fonts
fira-code
fira-code-symbols
freefont_ttf
liberation_ttf
mplus-outline-fonts
#nerdfonts
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
proggyfonts
terminus_font
ubuntu_font_family
ucsFonts
ultimate-oldschool-pc-font-pack
unifont
vistafonts
xlibs.fontadobe100dpi
xlibs.fontadobe75dpi
xlibs.fontadobeutopia100dpi
xlibs.fontadobeutopia75dpi
xlibs.fontadobeutopiatype1
xlibs.fontarabicmisc
xlibs.fontbh100dpi
xlibs.fontbh75dpi
xlibs.fontbhlucidatypewriter100dpi
xlibs.fontbhlucidatypewriter75dpi
xlibs.fontbhttf
xlibs.fontbhtype1
xlibs.fontbitstream100dpi
xlibs.fontbitstream75dpi
xlibs.fontbitstreamtype1
xlibs.fontcronyxcyrillic
xlibs.fontcursormisc
xlibs.fontdaewoomisc
xlibs.fontdecmisc
xlibs.fontibmtype1
xlibs.fontisasmisc
xlibs.fontjismisc
xlibs.fontmicromisc
xlibs.fontmisccyrillic
xlibs.fontmiscethiopic
xlibs.fontmiscmeltho
xlibs.fontmiscmisc
xlibs.fontmuttmisc
xlibs.fontschumachermisc
xlibs.fontscreencyrillic
xlibs.fontsonymisc
xlibs.fontsunmisc
xlibs.fontwinitzkicyrillic
xlibs.fontxfree86type1
];
};
}


@ -1,10 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./common-ui.nix
./desktop.nix
./laptop.nix
./server.nix
];
}


@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
mkIf (config.fudo.common.profile == "desktop") {
networking = {
networkmanager.enable = mkForce false;
};
}


@ -1,33 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.fudo.laptop = {
use-network-manager = mkOption {
type = types.bool;
description = "Use NetworkManager instead of wpa_supplicant.";
default = false;
};
};
config = mkIf (config.fudo.common.profile == "laptop") {
environment.systemPackages = with pkgs; [ acpi upower wpa_supplicant ];
networking = if (config.fudo.laptop.use-network-manager) then {
networkmanager.enable = true;
} else {
networkmanager.enable = false;
wireless = {
enable = true;
userControlled = {
enable = true;
group = "wheel";
};
networks = {
"sea.fudo.org" = { psk = "DahHaocheiD5"; };
"Pixel_9041" = { psk = "ea72027e4e6"; };
};
};
};
};
}


@ -1,77 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
if [ $# -ne 1 ]; then
echo "FAILED: no sync file provided."
exit 1
fi
WALL=${pkgs.utillinux}/bin/wall
if [ -f $1 ]; then
$WALL "$1 exists, rebooting system"
${pkgs.systemd}/bin/reboot
else
$WALL "$1 does not exist, aborting reboot."
fi
exit 0
'';
test-config = pkgs.writeShellScriptBin "fudo-test-config" ''
if [ $# -gt 1 ]; then
echo "usage: $0 [timeout]"
exit 1
elif [ $# -eq 1 ]; then
TIMEOUT=$1
else
TIMEOUT=15m
fi
SYNCFILE=$TMP/sync-$(date +"%Y%m%d-%H%M%N")
touch $SYNCFILE
${pkgs.utillinux}/bin/wall "Launching config. System will restart in $TIMEOUT if $SYNCFILE still exists."
systemd-run --on-active=$TIMEOUT ${reboot-if-necessary} $SYNCFILE
nixos-rebuild test
exit 0
'';
in {
config = mkIf (config.fudo.common.profile == "server") {
environment = {
systemPackages = with pkgs; [
emacs-nox
ldns
ldns.examples
jdk12_headless
racket-minimal
reboot-if-necessary
test-config
];
noXlibs = true;
};
security = {
hideProcessInformation = true;
};
networking = {
networkmanager.enable = mkForce false;
};
boot.tmpOnTmpfs = true;
services.xserver.enable = false;
programs = {
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
};
}


@ -1,3 +0,0 @@
# Emails for which we won't accept any email.
[]


@ -1,81 +0,0 @@
{ host_ipv4, config }:
{
dnssec = true;
mx = ["mail.fudo.org"];
hosts = {
forum = {
ip-addresses = [ "208.81.3.117" ];
};
};
default-host = "208.81.3.117";
srv-records = {
tcp = {
domain = [{
host = "ns1.fudo.org";
port = "53";
}];
ssh = [{
host = "france.fudo.org";
port = 22;
}];
submission = [{
host = "mail.fudo.org";
port = 587;
}];
kerberos = [{
host = "auth.fudo.org";
port = 88;
}];
imaps = [{
host = "mail.fudo.org";
port = 993;
}];
pop3s = [{
host = "mail.fudo.org";
port = 995;
}];
http = [{
host = "forum.selby.ca";
port = 80;
}];
https = [{
host = "forum.selby.ca";
port = 80;
}];
};
udp = {
domain = [{
host = "auth.fudo.org";
port = 53;
}];
kerberos = [{
host = "auth.fudo.org";
port = 88;
}];
};
};
aliases = {
pop = "mail.fudo.org.";
smtp = "mail.fudo.org.";
imap = "mail.fudo.org.";
mail = "mail.fudo.org.";
ns1 = "ns1.fudo.org.";
ns2 = "ns2.fudo.org.";
webmail = "france.fudo.org.";
forum = "frankfurt.fudo.org.";
};
extra-dns-records = [
''_kerberos IN TXT "FUDO.ORG"''
''@ IN TXT "v=spf1 mx ip4:${host_ipv4}/29 -all"''
''@ IN SPF "v=spf1 mx ip4:${host_ipv4}/29 -all"''
];
dmarc-report-address = "dmarc-report@selby.ca";
}


@ -1,8 +0,0 @@
# We won't forward email from these addresses, because they were used for
# spamming. Learn2passward!
[
"animus@fudo.org"
"ark@fudo.org"
"theblacksun@fudo.org"
]


@ -1,10 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./joes.nix
./portage.nix
./russell.nix
./seattle.nix
];
}


@ -1,55 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.networking.hostName;
gateway = "172.86.179.17";
local-domain = "informis.land";
admin = "admin@${local-domain}";
in {
config = mkIf (config.fudo.common.site == "joes") {
time.timeZone = "America/Winnipeg";
services.cron = {
mailto = admin;
};
networking = {
domain = local-domain;
search = [ local-domain "fudo.org" ];
firewall.enable = false;
defaultGateway = gateway;
# defaultGateway6 = gateway6;
hosts = {
"127.0.0.1" = [
"${config.networking.hostName}.${local-domain}"
config.networking.hostName
];
};
};
krb5.libdefaults.default_realm = "INFORMIS.LAND";
fudo.node-exporter = {
enable = false;
hostname = hostname;
};
security.acme.certs."${hostname}.${local-domain}" = {
email = "admin@${local-domain}";
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
};
};
}


@ -1,60 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
admin = "admin@fudo.org";
nameservers = [
"1.1.1.1"
"208.81.7.14"
"2606:4700:4700::1111"
];
hostname = config.networking.hostName;
gateway = "208.81.3.113";
gateway6 = "2605:e200:d200:1::1";
in {
config = mkIf (config.fudo.common.site == "portage") {
time.timeZone = "America/Winnipeg";
services.cron = {
mailto = admin;
};
networking = {
domain = "fudo.org";
search = ["fudo.org"];
firewall.enable = false;
nameservers = nameservers;
defaultGateway = gateway;
# defaultGateway6 = gateway6;
};
fudo.node-exporter = {
enable = true;
hostname = hostname;
};
security.acme.certs.${hostname} = {
email = "admin@fudo.org";
# plugins = [
# "fullchain.pem"
# "full.pem"
# "key.pem"
# "chain.pem"
# "cert.pem"
# ];
};
# TODO: We...could run nginx in a container
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
};
};
}


@ -1,167 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
admin = "admin@fudo.org";
local-domain = "rus.selby.ca";
gateway = "10.0.0.1";
nameservers = [ "10.0.0.1" ];
hostname = config.networking.hostName;
in {
config = mkIf (config.fudo.common.site == "russell") {
time.timeZone = "America/Winnipeg";
services.cron = { mailto = admin; };
networking = {
domain = "rus.selby.ca";
search = [ local-domain "fudo.org" "selby.ca" ];
nameservers = nameservers;
# Don't set the gateway if we ARE the gateway.
# This is the most generic way I can think of to do that. local-network is really
# about running all the local servers (DNS, DHCP, and providing gateway).
defaultGateway =
optionalString (config.fudo.local-network.enable != true) gateway;
enableIPv6 = true;
# Necessary to make sure than Kerberos and Avahi both work (the former
# needs the full reverse-lookup name of the server, the latter wants
# `hostname` to return just the host itself.
hosts = {
"127.0.0.1" = [
"${config.networking.hostName}.${local-domain}"
config.networking.hostName
];
};
};
krb5.libdefaults.default_realm = "FUDO.ORG";
users.extraUsers = {
guest = {
isNormalUser = true;
uid = 1000;
description = "Guest User";
extraGroups =
[ "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input" ];
};
ken = {
isNormalUser = true;
uid = 10035;
createHome = true;
description = "Ken Selby";
extraGroups =
[ "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input" ];
group = "users";
home = "/home/selby/ken";
hashedPassword =
"$6$EwK9fpbH8$gYVzYY1IYw2/G0wCeUxXrZZqvjWCkCZbBqCOhxowbMuYtC5G0vp.AoYhVKWOJcHJM2c7TdPmAdnhLIe2KYStf.";
};
xiaoxuan = {
isNormalUser = true;
uid = 10065;
createHome = true;
description = "Xiaoxuan Jin";
extraGroups =
[ "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input" ];
group = "users";
home = "/home/xiaoxuan";
hashedPassword =
"$6$C8lYHrK7KvdKm/RE$cHZ2hg5gEOEjTV8Zoayik8sz5h.Vh0.ClCgOlQn8l/2Qx/qdxqZ7xCsAZ1GZ.IEyESfhJeJbjLpykXDwPpfVF0";
};
};
fudo.common.domain = "sea.fudo.org";
fudo.local-network = {
domain = "${local-domain}";
network = "10.0.0.0/16";
dhcp-dynamic-network = "10.0.1.0/24";
enable-reverse-mappings = true;
srv-records = {
tcp = {
domain = [{
port = 53;
host = "clunk.${local-domain}";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerberos-adm = [{
port = 88;
host = "france.fudo.org";
}];
ssh = [{
port = 22;
host = "clunk.${local-domain}";
}];
};
udp = {
domain = [{
port = 53;
host = "clunk.${local-domain}";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerboros-master = [{
port = 88;
host = "france.fudo.org";
}];
kpasswd = [{
port = 464;
host = "france.fudo.org";
}];
};
};
aliases = { dns-hole = "clunk"; };
hosts = {
clunk = {
ip-address = "10.0.0.1";
mac-address = "02:44:d1:eb:c3:6b";
};
dns-proxy = {
ip-address = "10.0.0.2";
# This is just an alias for clunk's primary interface
};
google-wifi = {
ip-address = "10.0.0.11";
mac-address = "70:3a:cb:c0:3b:09";
};
pselby-work = {
ip-address = "10.0.0.151";
mac-address = "00:50:b6:aa:bd:b3";
};
downstairs-desktop = {
ip-address = "10.0.0.100";
mac-address = "90:b1:1c:8e:29:cf";
};
upstairs-desktop = {
ip-address = "10.0.0.101";
mac-address = "80:e8:2c:22:65:c2";
};
};
};
};
}


@ -1,343 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
admin = "niten@fudo.org";
local-domain = "sea.fudo.org";
gateway = "10.0.0.1";
nameservers = [ "10.0.0.1" ];
in {
config = mkIf (config.fudo.common.site == "seattle") {
time.timeZone = "America/Los_Angeles";
services.printing = { enable = true; };
services.cron = { mailto = admin; };
krb5.libdefaults.default_realm = "FUDO.ORG";
networking = {
domain = local-domain;
search = [ local-domain "fudo.org" ];
firewall.enable = false;
nameservers = nameservers;
# Don't set the gateway if we ARE the gateway.
# This is the most generic way I can think of to do that. local-network is really
# about running all the local servers (DNS, DHCP, and providing gateway).
defaultGateway =
optionalString (config.fudo.local-network.enable != true) gateway;
enableIPv6 = true;
# Necessary to make sure than Kerberos and Avahi both work (the former
# needs the full reverse-lookup name of the server, the latter wants
# `hostname` to return just the host itself.
hosts = {
"127.0.0.1" = [
"${config.networking.hostName}.${local-domain}"
config.networking.hostName
];
};
};
users.extraUsers = {
guest = {
isNormalUser = true;
uid = 1000;
description = "Guest User";
extraGroups =
[ "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input" ];
};
ken = {
isNormalUser = true;
uid = 10035;
createHome = true;
description = "Ken Selby";
extraGroups =
[ "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input" ];
group = "users";
home = "/home/selby/ken";
hashedPassword =
"$6$EwK9fpbH8$gYVzYY1IYw2/G0wCeUxXrZZqvjWCkCZbBqCOhxowbMuYtC5G0vp.AoYhVKWOJcHJM2c7TdPmAdnhLIe2KYStf.";
};
xiaoxuan = {
isNormalUser = true;
uid = 10065;
createHome = true;
description = "Xiaoxuan Jin";
extraGroups =
[ "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input" ];
group = "users";
home = "/home/xiaoxuan";
hashedPassword =
"$6$C8lYHrK7KvdKm/RE$cHZ2hg5gEOEjTV8Zoayik8sz5h.Vh0.ClCgOlQn8l/2Qx/qdxqZ7xCsAZ1GZ.IEyESfhJeJbjLpykXDwPpfVF0";
};
kevin = {
isNormalUser = true;
createHome = true;
home = "/home/kevin";
hashedPassword = "";
};
};
fileSystems."/mnt/documents" = {
device = "whitedwarf.${local-domain}:/volume1/Documents";
fsType = "nfs4";
};
fileSystems."/mnt/downloads" = {
device = "whitedwarf.${local-domain}:/volume1/Downloads";
fsType = "nfs4";
};
fileSystems."/mnt/music" = {
device = "doraemon.${local-domain}:/volume1/Music";
fsType = "nfs4";
};
fileSystems."/mnt/video" = {
device = "doraemon.${local-domain}:/volume1/Video";
fsType = "nfs4";
};
# fileSystems."/mnt/security" = {
# device = "panopticon.${local-domain}:/srv/kerberos/data";
# fsType = "nfs4";
# };
fileSystems."/mnt/cargo_video" = {
device = "cargo.${local-domain}:/volume1/video";
fsType = "nfs4";
};
fileSystems."/mnt/photo" = {
device = "cargo.${local-domain}:/volume1/pictures";
fsType = "nfs4";
};
fudo.common.domain = "sea.fudo.org";
fudo.local-network = {
domain = "${local-domain}";
aliases = {
kadmin = "nostromo";
kdc = "nostromo";
photo = "doraemon";
music = "doraemon";
panopticon = "lambda";
panopticon-od = "lambda";
ipfs = "nostromo";
hole = "nostromo";
pihole = "nostromo";
dns-hole = "nostromo";
mon-1 = "srv-1";
};
network = "10.0.0.0/16";
dhcp-dynamic-network = "10.0.1.0/24";
enable-reverse-mappings = true;
srv-records = {
tcp = {
domain = [{
port = 53;
host = "nostromo.sea.fudo.org";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerberos-adm = [{
port = 88;
host = "france.fudo.org";
}];
ssh = [{
port = 22;
host = "nostromo.sea.fudo.org";
}];
ldap = [{
port = 389;
host = "france.fudo.org";
}];
};
udp = {
domain = [{
port = 53;
host = "nostromo.sea.fudo.org";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerboros-master = [{
port = 88;
host = "france.fudo.org";
}];
kpasswd = [{
port = 464;
host = "france.fudo.org";
}];
};
};
hosts = {
nostromo = {
ip-address = "10.0.0.1";
mac-address = "46:54:76:06:f1:10";
};
lm = {
ip-address = "10.0.0.2";
mac-address = "00:23:7d:e6:d9:ea";
};
lambda = {
ip-address = "10.0.0.3";
mac-address = "02:50:f6:52:9f:9d";
};
switch-master = {
ip-address = "10.0.0.5";
mac-address = "00:14:1C:B6:BB:40";
};
google-wifi = {
ip-address = "10.0.0.7";
mac-address = "7C:D9:5C:9F:6F:E9";
};
# lm = {
# ip-address = "10.0.0.21";
# mac-address = "52:54:00:D8:34:92";
# };
cam-entrance = {
ip-address = "10.0.0.31";
mac-address = "9c:8e:cd:0e:99:7b";
};
cam-driveway = {
ip-address = "10.0.0.32";
mac-address = "9c:8e:cd:0d:3b:09";
};
cam-deck = {
ip-address = "10.0.0.33";
mac-address = "9c:8e:cd:0e:98:c8";
};
cargo = {
ip-address = "10.0.0.50";
mac-address = "00:11:32:75:d8:b7";
};
whitedwarf = {
ip-address = "10.0.0.51";
mac-address = "00:11:32:12:14:1d";
};
doraemon = {
ip-address = "10.0.0.52";
mac-address = "00:11:32:0a:06:c5";
};
android = {
ip-address = "10.0.0.81";
mac-address = "00:16:3e:43:39:fc";
};
retro-wired = {
ip-address = "10.0.0.82";
mac-address = "dc:a6:32:6b:57:43";
};
retro = {
ip-address = "10.0.0.83";
mac-address = "dc:a6:32:6b:57:45";
};
monolith = {
ip-address = "10.0.0.100";
mac-address = "6c:62:6d:c8:b0:d8";
};
taipan = {
ip-address = "10.0.0.107";
mac-address = "52:54:00:34:c4:78";
};
spark = {
ip-address = "10.0.0.108";
mac-address = "78:24:af:04:f7:dd";
};
hyperion = {
ip-address = "10.0.0.109";
mac-address = "52:54:00:33:46:de";
};
zbox = {
ip-address = "10.0.0.110";
mac-address = "02:dd:80:52:83:9b";
};
ubiquiti-wifi = {
ip-address = "10.0.0.126";
mac-address = "04:18:d6:20:48:fb";
};
generator-wireless = {
ip-address = "10.0.0.130";
mac-address = "B8:27:EB:A6:32:26";
};
brother-wireless = {
ip-address = "10.0.0.160";
mac-address = "c0:38:96:64:49:65";
};
nest = {
ip-address = "10.0.0.176";
mac-address = "18:b4:30:16:7c:5a";
};
xixi-phone = {
ip-address = "10.0.0.193";
mac-address = "48:43:7c:75:89:42";
};
ipad = {
ip-address = "10.0.0.202";
mac-address = "9c:35:eb:48:6e:71";
};
cam-front = {
ip-address = "10.0.0.203";
mac-address = "c4:d6:55:3e:b4:c3";
};
family-tv = {
ip-address = "10.0.0.205";
mac-address = "84:a4:66:3a:b1:f8";
};
babycam = {
ip-address = "10.0.0.206";
mac-address = "08:ea:40:59:5f:9e";
};
workphone = {
ip-address = "10.0.0.211";
mac-address = "a8:8e:24:5c:12:67";
};
chromecast-2 = {
ip-address = "10.0.0.215";
mac-address = "a4:77:33:59:a2:ba";
};
front-light = {
ip-address = "10.0.0.221";
mac-address = "94:10:3e:48:94:ed";
};
# Ceph network
srv-1 = {
ip-address = "10.0.10.1";
mac-address = "02:65:d7:00:7d:1b";
};
node-1 = {
ip-address = "10.0.10.101";
mac-address = "00:1e:06:36:81:cf";
};
node-2 = {
ip-address = "10.0.10.102";
mac-address = "00:1e:06:36:ec:3e";
};
node-3 = {
ip-address = "10.0.10.103";
mac-address = "00:1e:06:36:ec:4b";
};
node-4 = {
ip-address = "10.0.10.104";
mac-address = "00:1e:06:36:dd:8c";
};
};
};
};
}


@ -1,21 +0,0 @@
{
replicator = {
description = "Database Replicator";
hashed-password = "{SHA}HpiRMyxLR+0ZFHz/COvG9lcNYyQ=";
};
auth_reader = {
description = "System Authenticator";
hashed-password = "{MD5}N36/kQ64mev1HARddvVk7Q==";
};
user_db_reader = {
description = "User Database Reader";
hashed-password = "{SSHA}IVKhrB+wMOCI/CCzbJW8sNDbH67ZTMBv";
};
jabber = {
description = "Jabber Server";
hashed-password = "{SSHA}KlQpe0n+NP0WcJUniHTD+JzUugzLo8Ib";
};
}


@ -1,33 +0,0 @@
# A map of user to a list of email aliases (better for users with multiple nicknames)
{
"niten@fudo.link" = [
"ertian@fudo.org"
"peter@fudo.org"
"peter@fudo.link"
"pselby@fudo.org"
"yiliu@fudo.org"
"forum@selby.ca"
"peter@selby.ca"
];
"xiaoxuan@fudo.org" = [
"xixi@fudo.org"
"claire@fudo.org"
"xixi@selby.ca"
"claire@selby.ca"
];
"reaper@fudo.org" = [
"cricket@fudo.org"
"jstewart@fudo.org"
"jonathan@fudo.org"
"reaper@fudo.link"
];
"swaff@fudo.org" = [ "mark@fudo.org" ];
"ken@selby.ca" = [ "kselby@selby.ca" ];
}


@ -1,442 +0,0 @@
# Generate a hashed password using slappasswd.
{
niten = {
uid = 10000;
group = "admin";
common-name = "Peter Selby";
hashed-password = "{SSHA}dF/5NGkafL8M1kpa3LYZKdh0Pc7a02gA";
};
andrew = {
uid = 10001;
group = "selby";
common-name = "Andrew Selby";
hashed-password = "";
};
animus = {
uid = 10002;
group = "fudo";
common-name = "James Frazer";
hashed-password = "";
};
ark = {
uid = 10005;
group = "fudo";
common-name = "Roger Wong";
hashed-password = "";
};
ben = {
uid = 10007;
group = "fudo";
common-name = "Ben";
hashed-password = "{MD5}v0jY5bADu30cAR1Uu/eWYQ==";
};
chad = {
uid = 10011;
group = "fudo";
common-name = "Chad Isbister";
hashed-password = "{MD5}fQ309GUF2DvHlJ3R+5wNuA==";
};
ckoo = {
uid = 10014;
group = "fudo";
common-name = "Jason Bush";
hashed-password = "{MD5}KMFeaBc7e/gVzL/QUT0mYw==";
};
dana = {
uid = 10015;
group = "fudo";
common-name = "Dana Eftodie";
hashed-password = "{MD5}+ijTylKau4uot2kGMqKSTA==";
};
jill = {
uid = 10030;
group = "fudo";
common-name = "Jill Isbister";
hashed-password = "{MD5}fQ309GUF2DvHlJ3R+5wNuA==";
};
joker4ever = {
uid = 10033;
group = "fudo";
common-name = "Jack Clarke";
hashed-password = "{SSHA}w78XwSax9WywIDujMxEoO7o87d2LDJRo";
};
ken = {
uid = 10035;
group = "selby";
common-name = "Ken Selby";
hashed-password = "{SSHA}YvtkEpqsReXcMdrzlui/ZmhIUKN42YO1";
# hashed-password = "{SSHA}flr48Sao0/fUp8yl9zFpm8ERnI7qYTds";
# hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc";
};
reaper = {
uid = 10049;
group = "admin";
common-name = "Jonathan Stewart";
hashed-password = "{MD5}EBvifhJ6z9dIDx0KWkAPoQ==";
};
slickoil = {
uid = 10052;
group = "fudo";
common-name = "Connor Cooley";
hashed-password = "{MD5}8Qrpagi8TYnZQdFoYe02rA==";
};
splat1 = {
uid = 10053;
group = "fudo";
common-name = "Matt Evans";
hashed-password = "{MD5}JeHNutGTBMHOqFgVlYjfpw==";
};
swaff = {
uid = 10055;
group = "fudo";
common-name = "Mark Swaffer";
hashed-password = "{MD5}C5gIsLsaKSvIPydu4uzhNg==";
};
brian = {
uid = 10056;
group = "selby";
common-name = "Brian Selby";
hashed-password = "{crypt}$1$npZLTPEO$p2bTx8TTlCg7XNiivTJsC1";
};
rob = {
uid = 10057;
group = "selby";
common-name = "Robert Selby";
hashed-password = "{crypt}HD1ESf1hAGdks";
};
tarbash = {
uid = 10059;
group = "fudo";
common-name = "Neville";
hashed-password = "{crypt}$1$cE6lVNbC$PLjlE9vK77SKNKwJBKiT//";
};
darryl = {
uid = 10060;
group = "selby";
common-name = "Darryl Kissick";
hashed-password = "{crypt}$1$oUNTMyKU$oUs6JqBRTPKE9A/sEzlSY0";
};
ayumi = {
uid = 10061;
group = "fudo";
common-name = "Ayumi Kira";
hashed-password = "{MD5}5OkpooOLxw94nF1lOfn/ZQ==";
};
saphira = {
uid = 10063;
group = "fudo";
common-name = "Elizabeth Stewart";
hashed-password = "{crypt}$1$cQ/Zq25x$fUQfUtpMB.f3rBWzttPns.";
};
banen = {
uid = 10064;
group = "fudo";
common-name = "Travis Neis";
hashed-password = "{crypt}$1$cyfM/Vni$vIuirRln.MnWActOR6t8S.";
};
xiaoxuan = {
uid = 10065;
group = "fudo";
common-name = "Xiaoxuan Jin";
hashed-password = "{MD5}iecbyMpyVkmOaMBzSFy58Q==";
};
thibor = {
uid = 10066;
group = "fudo";
common-name = "";
hashed-password = "{crypt}$1$HzQOn3zV$ogkeS5ByWrFstYo0FhXB/.";
};
flowchart = {
uid = 10067;
group = "fudo";
common-name = "BH Bieterse";
hashed-password = "{crypt}$1$lQMZ42RZ$aAOsLHP0i.yfvD1a1EVsA/";
};
gubbs = {
uid = 10068;
group = "fudo";
common-name = "Lorcan Gavin";
hashed-password = "{MD5}AIf4bJZyHCnvJVL3YHRnIg==";
};
debo = {
uid = 10069;
group = "fudo";
common-name = "Deborah Osti";
hashed-password = "{crypt}$1$5wEBGh/8$Ggp2JAI/rQiBXxJ89G0iq1";
};
leefolio = {
uid = 10070;
group = "fudo";
common-name = "Ze Artiste";
hashed-password = "{crypt}$1$LRlAYBst$sS1bPu8yEPrdYkQhoZhAq1";
};
zimm = {
uid = 10071;
group = "fudo";
common-name = "Ross Drinkwater";
hashed-password = "{SSHA}er1cgYDNPJsfLwtqYLopKMGMxiZZRGdY";
};
gaijin = {
uid = 10072;
group = "fudo";
common-name = "Tetsuo Torigai";
hashed-password = "{crypt}$1$bw8hyDXm$pMLLUtlDlVLwBTZiC0Lzf0";
};
anorthe = {
uid = 10073;
group = "fudo";
common-name = "Bonnie Wong";
hashed-password = "{crypt}$1$DORfHzbp$nJkk0OXd7WzYDxx8LbdMK.";
};
stewartd = {
uid = 10076;
group = "fudo";
common-name = "Dwight Stewart";
hashed-password = "{MD5}e2GSmH+l4ZZ808snWsFNYw==";
};
jess = {
uid = 10078;
group = "selby";
common-name = "Jessica Selby";
hashed-password = "{MD5}2tbtZre16apUTNtRIK98nQ==";
};
kevin = {
uid = 10079;
group = "selby";
common-name = "Kevin Selby";
hashed-password = "{crypt}$1$UYKrkMEe$SAABgc1pCBYgPFIMepNrM.";
};
theblacksun = {
uid = 10080;
group = "fudo";
common-name = "Brendan Goodfellow";
hashed-password = "{MD5}Hmw6pFYYT87nmpLp0QxcQw==";
};
kris = {
uid = 10082;
group = "selby";
common-name = "Kris Huberdeau";
hashed-password = "{SSHA}RUYeAEUyblnCWa9uBzY9nwsmoksy8P3Y";
};
jun = {
uid = 10083;
group = "fudo";
common-name = "Junichi Suzuki";
hashed-password = "{crypt}$1$ExfgQXb8$b1ihvMRbG2dWbnlmzzI/h.";
};
jinny = {
uid = 10084;
group = "fudo";
common-name = "Hye-jin Kim";
hashed-password = "{crypt}$1$6cld82N8$5a9ovCPXSacDmK3TWDaF30";
};
helen = {
uid = 10086;
group = "selby";
common-name = "Helen Selby";
hashed-password = "{SSHA}uckUXX09MjYq9++sF3f9b2IY8a9UBIxm";
};
vee = {
uid = 10087;
group = "selby";
common-name = "Vee Selby";
hashed-password = "snoinuer";
};
dabar = {
uid = 10088;
group = "fudo";
common-name = "Dan Bernardic";
hashed-password = "{MD5}ULrk46YUeUZQrl0+wAQiWA==";
};
r3d3 = {
uid = 10089;
group = "fudo";
common-name = "Derek Veroni";
hashed-password = "{SHA}2XyijGDovUhA1/Z/XR+9h9Ia4fY=";
};
laura = {
uid = 10090;
group = "selby";
common-name = "Laura Selby";
hashed-password = "{MD5}MI65czN0duIudMhYH+BU9Q==";
};
tuk = {
uid = 10091;
group = "fudo";
common-name = "Taku Koba";
hashed-password = "{MD5}DQuoQluy50128r8MxAmFkQ==";
};
aki = {
uid = 10092;
group = "fudo";
common-name = "Akihito Mori";
hashed-password = "{MD5}oGAt2kJGKMqX+CmfV1w/GA==";
};
ansyg = {
uid = 10095;
group = "fudo";
common-name = "Anseok Joo";
hashed-password = "{MD5}AHhHl02D3uDmWhPJZ6QPOw==";
};
jackie = {
uid = 10097;
group = "selby";
common-name = "Jackie Selby";
hashed-password = "{MD5}fa6JfWySlH63sITsxrTt0Q==";
};
mtopf = {
uid = 10100;
group = "fudo";
common-name = "Michael Topf";
hashed-password = "{MD5}/pleD8SiLhmnRr1RVspNcA==";
};
tat = {
uid = 10101;
group = "fudo";
common-name = "Tatsuro Akano";
hashed-password = "{MD5}fAV5GX8UdjsXIFjU0Ex4SA==";
};
blatzkrieg = {
uid = 10102;
group = "fudo";
common-name = "Brendan Blatz";
hashed-password = "{MD5}1nE/ndFwGbfH/wLagxvt8w==";
};
ellie = {
uid = 10103;
group = "fudo";
common-name = "Ellie Lee";
hashed-password = "{MD5}gzjwt+kw2nmvJ1FKFTpSZA==";
};
alan = {
uid = 10104;
group = "fudo";
common-name = "Alan Wong";
hashed-password = "{MD5}WhohVE4xfo9RIOw1kG3s1Q==";
};
omefire = {
uid = 10105;
group = "fudo";
common-name = "Omar Mefire";
hashed-password = "{SSHA}W6KWo26wl/nawpV++wMqsKdwrIwrait5";
};
gordon = {
uid = 10106;
group = "fudo";
common-name = "Gordon Stewart";
hashed-password = "{SSHA}jaCOc1ZjCI9klVR+v676lIBOidEg7/u0";
};
jeramy = {
uid = 10107;
group = "selby";
common-name = "Jeramy Ewbank";
hashed-password = "{MD5}8j8vTniyRzylmeTNUoRwWA==";
};
lauren = {
uid = 10108;
group = "selby";
common-name = "Lauren Hotel";
hashed-password = "{SSHA}1q/MC5LKROlIT1nDrKrMvcFAXFtcQXIR";
# hashed-password = "{SSHA}DKnhrycmXSu4HKWFPeBXA9xvZ0ytgXIpZA10tg==";
};
# Used to send alerts from grafana
metrics = {
uid = 10109;
group = "fudo";
common-name = "Fudo Metrics";
hashed-password = "{SSHA}FveEVy6kljQZey0xp0nF62SMlO5nATJ1";
};
testuser = {
uid = 10110;
group = "fudo";
common-name = "Test User";
hashed-password = "{SSHA}LSz1WjWfjRwAM3xm+QZ71vFj997dnZC6";
};
# Used to send messages from the chat server
chat = {
uid = 10111;
group = "fudo";
common-name = "Fudo Chat";
hashed-password = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7";
};
kevinyinjunjie = {
uid = 10112;
group = "fudo";
common-name = "Kevin";
hashed-password = "{SSHA}1onx6HPMKCJvmLnRf1tiWFJ1D92DEtnl";
};
netinfo = {
uid = 10113;
group = "fudo";
common-name = "Network Info Mailer";
hashed-password = "{SSHA}UQHfW0IzjIbRU6VV+DraxvZFWt0to3oc";
};
selby-forum = {
uid = 10114;
group = "selby";
common-name = "Selby Forum";
hashed-password = "{SSHA}f7eDNuwFXRhvants5cJJ/FGtkCKheY2Q";
};
}

@ -1,14 +0,0 @@
{ config, ... }:
let
current-hostname = config.instance.hostname;
hardware-config = config.fudo.hosts.${current-hostname}.hardware-config;
import-hardware-config = hostname: {
imports = [ hardware-config ];
};
in {
imports =
[ (import-hardware-config current-hostname) ];
}

@ -1,46 +0,0 @@
{ config, pkgs, ... }:
let
hostname = "atom";
in {
imports = [
../defaults.nix
../hardware-configuration.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostName = hostname;
environment.systemPackages = with pkgs; [
glxinfo
hll2380dw-cups
usbutils
];
fudo.common = {
profile = "laptop";
site = "seattle";
};
hardware.cpu.amd.updateMicrocode = true;
programs = {
bash.enableCompletion = true;
};
fudo.laptop.use-network-manager = false;
fudo.common.enable-gui = true;
hardware.opengl.driSupport32Bit = true;
hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
hardware.opengl.driSupport = true;
hardware.pulseaudio.support32Bit = true;
hardware.bluetooth.enable = true;
}

@ -1,165 +0,0 @@
{ lib, config, pkgs, ... }:
let
hostname = "clunk";
host-internal-ip = "10.0.0.1";
dns-proxy-ip = "10.0.0.2";
inherit (lib.strings) concatStringsSep;
in {
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot = { runSize = "50%"; };
hardware.bluetooth.enable = false;
imports = [ ../defaults.nix ../hardware-configuration.nix ];
fudo.common = {
profile = "server";
site = "russell";
};
fudo.local-network = {
enable = true;
dns-servers = [ host-internal-ip ];
gateway = host-internal-ip;
dhcp-interfaces = [ "intif0" ];
dns-serve-ips = [ host-internal-ip "127.0.0.1" "127.0.1.1" "::1" ];
# Using a pihole running in docker, see below
recursive-resolver = "${host-internal-ip} port 5353";
server-ip = host-internal-ip;
};
networking = {
hostName = hostname;
nameservers = [ host-internal-ip ];
# Create a bridge for VMs to use
macvlans = {
intif0 = {
interface = "enp2s0";
mode = "bridge";
};
};
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "docker0" ];
};
interfaces = {
enp2s0.useDHCP = false;
enp3s0.useDHCP = false;
enp4s0.useDHCP = false;
enp1s0.useDHCP = true;
intif0 = {
useDHCP = false;
# Result of:
# echo clunk-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:44:d1:eb:c3:6b";
ipv4.addresses = [
{
address = host-internal-ip;
prefixLength = 22;
}
{
address = dns-proxy-ip;
prefixLength = 32;
}
];
};
};
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "intif0" ];
};
};
fudo = {
garbage-collector = {
enable = true;
timing = "hourly";
};
secure-dns-proxy = {
enable = true;
port = 53;
upstream-dns = [
"https://1.1.1.1/dns-query"
"https://1.0.0.1/dns-query"
#"https://9.9.9.9/dns-query"
];
bootstrap-dns = "1.1.1.1";
listen-ips = [ dns-proxy-ip ];
};
};
environment.systemPackages = with pkgs; [ dnsproxy ];
virtualisation = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
};
docker-containers = {
pihole = {
image = "pihole/pihole:v5.1.2";
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
ServerIP = host-internal-ip;
VIRTUAL_HOST = "dns-hole.rus.selby.ca";
# Not working?
DNS1 = dns-proxy-ip;
#DNS1 = "1.1.1.1";
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts = {
"dns-hole.rus.selby.ca" = {
serverAliases = [
"pihole.rus.selby.ca"
"hole.rus.selby.ca"
"pihole"
"dns-hole"
"hole"
];
locations."/" = {
proxyPass = "http://127.0.0.1:3080";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
};
}

@ -1,598 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
domain = "fudo.org";
hostname = "france.${domain}";
mail-hostname = "mail.${domain}";
host_ipv4 = "208.81.3.117";
# Use a special IP for git.fudo.org, since it needs to be SSH-able
link_ipv4 = "208.81.3.126";
all-hostnames = [ ];
acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";
fudo-ca = "/etc/nixos/static/fudo_ca.pem";
minecraft-data-dir = "/srv/minecraft/data";
system-mail-directory = "/srv/mail";
in {
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sda";
};
imports = [
../hardware-configuration.nix
../defaults.nix
./france/jabber.nix
./france/backplane.nix
./france/selby-forum.nix
];
environment.systemPackages = with pkgs; [
docker
lxd
multipath-tools
nix-prefetch-docker
powerdns
tshark
vanilla-forum
];
fudo.common = {
# Sets some server-common settings. See /etc/nixos/fudo/profiles/...
profile = "server";
# Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...
site = "portage";
domain = domain;
www-root = /srv/www;
local-networks =
[ "208.81.1.128/28" "208.81.3.112/28" "172.17.0.0/16" "127.0.0.0/8" ];
};
fudo.prometheus = {
enable = true;
hostname = "metrics.fudo.org";
service-discovery-dns = {
node = [ "node._metrics._tcp.fudo.org" ];
postfix = [ "postfix._metrics._tcp.fudo.org" ];
dovecot = [ "dovecot._metrics._tcp.fudo.org" ];
rspamd = [ "rspamd._metrics._tcp.fudo.org" ];
};
};
fudo.grafana = {
enable = true;
hostname = "monitor.fudo.org";
smtp-username = "metrics";
smtp-password-file = "/srv/grafana/secure/smtp.passwd";
admin-password-file = "/srv/grafana/secure/admin.passwd";
secret-key-file = "/srv/grafana/secure/secret.key";
prometheus-host = "metrics.fudo.org";
database = {
name = "grafana";
hostname = "localhost";
user = "grafana";
password-file = /srv/grafana/secure/db.passwd;
};
};
# So that grafana waits for postgresql
systemd.services.grafana.after = [ "postgresql.service" ];
fudo.postgresql = {
enable = true;
ssl-private-key = (acme-private-key hostname);
ssl-certificate = (acme-certificate hostname);
keytab = "/srv/postgres/secure/postgres.keytab";
# We allow connections from local networks. Auth is still required. Outside
# of these networks, no access is allowed.
#
# TODO: that's probably too strict, allow kerberos connections from anywhere?
local-networks = [
"208.81.1.128/28"
"208.81.3.112/28"
"192.168.11.1/24"
"127.0.0.1/8"
"172.17.0.0/16"
];
users = {
fudo_git = {
password-file = "/srv/git/secure/db.passwd";
databases = {
fudo_git = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
};
};
grafana = {
password-file = "/srv/grafana/secure/db.passwd";
databases = {
grafana = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
};
};
mattermost = {
password-file = "/srv/mattermost/secure/db.passwd";
databases = {
mattermost = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
};
};
webmail = {
password-file = "/srv/webmail/secure/db.passwd";
databases = {
webmail = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
};
};
niten = { };
};
local-users = [ "niten" "fudo_git" ];
databases = {
fudo_git = { users = [ "niten" ]; };
grafana = { users = [ "niten" ]; };
mattermost = { users = [ "niten" ]; };
webmail = { users = [ "niten" ]; };
};
};
fudo.dns = {
enable = true;
identity = "france.fudo.org";
nameservers = {
ns1 = {
ip-addresses = [ "208.81.3.117" ];
ipv6-addresses = [ "2605:e200:d200:1:5054:ff:fe8c:9738" ];
description = "Nameserver 1, france, in Winnipeg, MB, CA";
rp = "reaper reaper.rp";
};
ns2 = {
ip-addresses = [ "209.117.102.102" ];
ipv6-addresses = [ "2001:470:1f16:40::2" ];
description = "Nameserver 2, musashi, in Winnipeg, MB, CA";
rp = "reaper reaper.rp";
};
ns3 = {
ip-addresses = [ "104.131.53.95" ];
ipv6-addresses = [ "2604:a880:800:10::8:7001" ];
description =
"Nameserver 3, ns2.henchmman21.net, in New York City, NY, US";
rp = "reaper reaper.rp";
};
ns4 = {
ip-addresses = [ "204.42.254.5" ];
ipv6-addresses = [ "2001:418:3f4::5" ];
description = "Nameserver 4, puck.nether.net, in Chicago, IL, US";
rp = "reaper reaper.rp";
};
};
listen-ips = [ host_ipv4 ];
domains = { "fudo.org" = import ../fudo/fudo.org.nix { inherit config; }; };
};
# Not all users need access to france; don't allow LDAP-user access.
fudo.authentication.enable = false;
# But we DO run an LDAP auth server. Should be better-named.
fudo.auth = {
server = {
enable = true;
base = "dc=fudo,dc=org";
organization = "Fudo";
rootpw-file = "/srv/ldap/secure/root.pw";
kerberos-host = "france.fudo.org";
kerberos-keytab = "/srv/ldap/secure/ldap.keytab";
sslCert = "/srv/ldap/france.fudo.org.pem";
sslKey = "/srv/ldap/secure/france.fudo.org-key.pem";
sslCACert = fudo-ca;
# We're using fudo-generated certs for now, but we should move to ACME
# once I can figure out how to correctly produce the ca.pem file. Until
# then, the server will fail to start using these certs. See:
# https://serverfault.com/a/834565
# sslCert = (acme-bare-cert hostname);
# sslKey = (acme-private-key hostname);
# sslCACert = acme-ca;
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
users = import ../fudo/users.nix;
groups = import ../fudo/groups.nix;
system-users = import ../fudo/system-users.nix;
};
# Heimdal Kerberos server
kdc = {
enable = true;
database-path = "/var/heimdal/heimdal";
realm = "FUDO.ORG";
mkey-file = "/var/heimdal/m-key";
acl-file = "/etc/heimdal/kdc.acl";
bind-addresses = [ host_ipv4 "127.0.0.1" "127.0.1.1" ];
};
};
# TODO: not used yet
fudo.acme.hostnames = all-hostnames;
fudo.client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd";
};
fudo.mail-server = import ../fudo/email.nix { inherit config; } // {
enableContainer = true;
debug = true;
monitoring = true;
hostname = mail-hostname;
postfix.ssl-certificate = (acme-certificate mail-hostname);
postfix.ssl-private-key = (acme-private-key mail-hostname);
dovecot.ssl-certificate = (acme-certificate mail-hostname);
dovecot.ssl-private-key = (acme-private-key mail-hostname);
state-directory = "${system-mail-directory}/var";
mail-directory = "${system-mail-directory}/mailboxes";
dovecot.ldap = {
reader-dn = "cn=user_db_reader,dc=fudo,dc=org";
reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;
# FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.
server-urls = [ "ldap://france.fudo.org" ];
};
clamav.enable = true;
dkim.signing = true;
};
fudo.webmail = {
enable = true;
sites = {
"webmail.fudo.link" = {
title = "Fudo Link Webmail";
favicon = "/etc/nixos/static/fudo.link/favicon.ico";
mail-server = mail-hostname;
domain = "fudo.link";
edit-mode = "Plain";
layout-mode = "bottom";
database = {
name = "webmail";
hostname = "localhost";
user = "webmail";
password-file = "/srv/webmail/secure/db.passwd";
};
};
"webmail.test.fudo.org" = {
title = "Fudo Webmail";
favicon = "/etc/nixos/static/fudo.org/favicon.ico";
mail-server = mail-hostname;
domain = "fudo.org";
edit-mode = "Plain";
database = {
name = "webmail";
hostname = "localhost";
user = "webmail";
password-file = "/srv/webmail/secure/db.passwd";
};
};
"webmail.fudo.org" = {
title = "Fudo Webmail";
favicon = "/etc/nixos/static/fudo.org/favicon.ico";
mail-server = mail-hostname;
domain = "fudo.org";
edit-mode = "Plain";
database = {
name = "webmail";
hostname = "localhost";
user = "webmail";
password-file = "/srv/webmail/secure/db.passwd";
};
};
"webmail.test.selby.ca" = {
title = "Selby Webmail";
favicon = "/etc/nixos/static/selby.ca/favicon.ico";
mail-server = mail-hostname;
domain = "selby.ca";
database = {
name = "webmail";
hostname = "localhost";
user = "webmail";
password-file = "/srv/webmail/secure/db.passwd";
};
};
"webmail.selby.ca" = {
title = "Selby Webmail";
favicon = "/etc/nixos/static/selby.ca/favicon.ico";
mail-server = mail-hostname;
domain = "selby.ca";
database = {
name = "webmail";
hostname = "localhost";
user = "webmail";
password-file = "/srv/webmail/secure/db.passwd";
};
};
};
};
fudo.chat = {
enable = true;
hostname = "chat.fudo.org";
site-name = "Fudo Chat";
smtp-server = "mail.fudo.org";
smtp-user = "chat";
smtp-password-file = "/srv/mattermost/secure/smtp.passwd";
database = {
name = "mattermost";
hostname = "localhost";
user = "mattermost";
password-file = "/srv/mattermost/secure/db.passwd";
};
};
fudo.git = {
enable = true;
hostname = "git.fudo.org";
site-name = "Fudo Git";
user = "fudo_git";
database = {
user = "fudo_git";
password-file = /srv/git/secure/db.passwd;
hostname = "127.0.0.1";
name = "fudo_git";
};
repository-dir = /srv/git/repo;
state-dir = /srv/git/state;
ssh = {
listen-ip = link_ipv4;
listen-port = 2222;
};
};
networking = {
hostName = hostname;
dhcpcd.enable = false;
useDHCP = false;
# TODO: fix IPv6
enableIPv6 = true;
# Create a bridge for VMs to use
macvlans = {
extif0 = {
interface = "enp4s0f0";
mode = "bridge";
};
extif1 = {
interface = "enp4s0f0";
mode = "bridge";
};
intif0 = {
interface = "enp4s0f1";
mode = "bridge";
};
};
interfaces = {
extif0 = {
# result of:
# echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:d4:e8:3b:10:2f";
ipv4.addresses = [{
address = host_ipv4;
prefixLength = 28;
}];
};
extif1 = {
macAddress = "02:6d:e2:e1:ad:ca";
ipv4.addresses = [{
address = link_ipv4;
prefixLength = 28;
}];
};
intif0 = {
# result of:
# echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:ba:ba:e9:08:21";
ipv4.addresses = [{
address = "192.168.11.1";
prefixLength = 24;
}];
};
};
};
hardware.bluetooth.enable = false;
virtualisation = {
docker = {
enable = true;
enableOnBoot = true;
autoPrune = { enable = true; };
};
lxd = { enable = true; };
};
fileSystems = {
"/srv/archiva" = {
fsType = "btrfs";
options = [ "subvol=archiva" ];
label = "pool0";
};
"/srv/grafana" = {
fsType = "btrfs";
options = [ "subvol=grafana" ];
label = "pool0";
};
"${system-mail-directory}" = {
fsType = "btrfs";
options = [ "subvol=mail" ];
label = "pool0";
};
"/srv/gitlab" = {
fsType = "btrfs";
options = [ "subvol=gitlab" ];
label = "pool0";
};
"/var/lib/lxd/storage-pools/pool0" = {
fsType = "btrfs";
label = "pool0";
device = "/dev/disk/by-label/pool0";
};
"/var/lib/lxd/storage-pools/pool1" = {
fsType = "btrfs";
label = "pool1";
device = "/dev/france-user/fudo-user";
};
};
users = {
extraUsers = {
archiva = {
isNormalUser = false;
group = "nogroup";
uid = 8001;
};
fudo_git = {
isNormalUser = false;
uid = 8006;
};
};
};
security.acme.certs = {
"archiva.fudo.org".email = config.fudo.common.admin-email;
"git.fudo.org".email = config.fudo.common.admin-email;
"mail.fudo.org".email = config.fudo.common.admin-email;
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = {
"archiva.fudo.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8001";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
# Needed to grab a cert for the mail server.
"mail.fudo.org" = {
enableACME = true;
# Stopped relocating all because we need /metrics/... paths to remain unforwarded
locations."/" = {
return = "301 https://webmail.fudo.org$request_uri";
};
};
};
};
};
docker-containers = {
archiva = {
image = "xetusoss/archiva";
ports = [ "127.0.0.1:8001:8080" ];
# Ugly: name-to-uid lookup fails.
user = toString config.users.users.archiva.uid;
volumes = [ "/srv/archiva:/archiva-data" ];
environment = {
# Not directly connected to the world anyway
SSL_ENABLED = "false";
PROXY_BASE_URL = "https://archiva.fudo.org/";
};
};
};
fudo.ipfs = {
enable = true;
users = [ "niten" "reaper" ];
api-address = "/ip4/${host_ipv4}/tcp/5001";
};
###
# Minecraft
###
fudo.minecraft-server = {
enable = true;
package = pkgs.minecraft-server_1_16_4;
data-dir = minecraft-data-dir;
world-name = "selbyland";
motd = "Welcome to the Selby Minecraft server.";
};
}

@ -1,121 +0,0 @@
{ pkgs, lib, config, ... }:
with lib;
let
in {
config = {
users = {
users = {
backplane-powerdns = {
isSystemUser = true;
};
backplane-dns = {
isSystemUser = true;
};
};
groups = {
backplane-powerdns = {
members = [ "backplane-powerdns" ];
};
backplane-dns = {
members = [ "backplane-dns" ];
};
};
};
fudo = {
password.file-generator = {
dns_backplane_powerdns = {
file = "/srv/backplane/dns/secure/db_powerdns.passwd";
user = config.services.postgresql.superUser;
group = "backplane-powerdns";
restart-services = [
"backplane-dns-config-generator.service"
"postgresql-password-setter.service"
"backplane-powerdns.service"
];
};
dns_backplane_database = {
file = "/srv/backplane/dns/secure/db_backplane.passwd";
user = config.services.postgresql.superUser;
group = "backplane-dns";
restart-services = [
"backplane-dns.service"
"postgresql-password-setter.service"
];
};
};
postgresql = {
enable = true;
required-services = [ "fudo-passwords.target" ];
users = {
backplane_powerdns = {
password-file = "/srv/backplane/dns/secure/db_powerdns.passwd";
databases = {
backplane_dns = {
access = "CONNECT";
# entity-access = {
# "ALL TABLES IN SCHEMA public" = "SELECT";
# };
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
};
};
backplane_dns = {
password-file = "/srv/backplane/dns/secure/db_backplane.passwd";
databases = {
backplane_dns = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
};
};
};
databases = {
backplane_dns = {
users = ["niten"];
};
};
};
backplane.dns = {
enable = true;
listen-v4-addresses = [ "208.81.3.126" ];
listen-v6-addresses = [ "[2605:e200:d200:1:6d:e2ff:fee1:adca]" ];
required-services = [ "fudo-passwords.target" ];
user = "backplane-dns";
group = "backplane-dns";
database = {
username = "backplane_powerdns";
database = "backplane_dns";
# Uses an IP to avoid cyclical dependency...not really relevant, but
# whatever
host = "127.0.0.1";
password-file = "/srv/backplane/dns/secure/db_powerdns.passwd";
};
backplane = {
host = "backplane.fudo.org";
role = "service-dns";
password-file = "/srv/backplane/dns/secure/backplane.passwd";
database = {
username = "backplane_dns";
database = "backplane_dns";
host = "127.0.0.1";
password-file = "/srv/backplane/dns/secure/db_backplane.passwd";
};
};
};
};
};
}

@ -1,180 +0,0 @@
<?php if (!defined('APPLICATION')) exit();
// DO NOT EDIT THIS FILE. If you want to override the settings in this file then edit config.php.
// This is the global application configuration file that sets up default values for configuration settings.
$Configuration = [];
// Auto-enable some addons.
$Configuration['EnabledPlugins']['stubcontent'] = true;
$Configuration['EnabledPlugins']['swagger-ui'] = true;
$Configuration['EnabledApplications']['Dashboard'] = 'dashboard';
$Configuration['EnabledPlugins']['rich-editor'] = true;
// ImageUpload
$Configuration['ImageUpload']['Limits']['Enabled'] = false;
$Configuration['ImageUpload']['Limits']['Width'] = '1000';
$Configuration['ImageUpload']['Limits']['Height'] = '1400';
// Database defaults.
$Configuration['Database']['Engine'] = 'MySQL';
$Configuration['Database']['Host'] = 'dbhost';
$Configuration['Database']['Name'] = 'dbname';
$Configuration['Database']['User'] = 'dbuser';
$Configuration['Database']['Password'] = '';
$Configuration['Database']['CharacterEncoding'] = 'utf8mb4';
$Configuration['Database']['DatabasePrefix'] = 'GDN_';
$Configuration['Database']['ExtendedProperties']['Collate'] = 'utf8mb4_unicode_ci';
$Configuration['Database']['ConnectionOptions'] = [
12 => false, // PDO::ATTR_PERSISTENT
1000 => true, // PDO::MYSQL_ATTR_USE_BUFFERED_QUERY (missing in some PHP installations)
];
// Use a dirty cache by default. Try Vanilla with memcached!
$Configuration['Cache']['Enabled'] = true;
$Configuration['Cache']['Method'] = 'dirtycache';
$Configuration['Cache']['Filecache']['Store'] = PATH_CACHE.'/Filecache';
// Technical content stuff.
$Configuration['Garden']['ContentType'] = 'text/html';
$Configuration['Garden']['Locale'] = 'en';
$Configuration['Garden']['LocaleCodeset'] = 'UTF8';
$Configuration['HotReload']['IP'] = '127.0.0.1';
$Configuration['ContentSecurityPolicy']['ScriptSrc']['AllowedDomains'] = [];
// Site specifics.
$Configuration['Garden']['Installed'] = false; // Has Garden been installed yet? This blocks setup when true.
$Configuration['Garden']['Title'] = 'Vanilla';
$Configuration['Garden']['Domain'] = '';
$Configuration['Garden']['WebRoot'] = false; // You can set this value if you are using htaccess to direct into the application, but the correct webroot isn't being recognized.
$Configuration['Garden']['StripWebRoot'] = false;
$Configuration['Garden']['AllowSSL'] = true;
$Configuration['Garden']['PrivateCommunity'] = false;
$Configuration['Garden']['Forms']['HoneypotName'] = 'hpt';
// Developer stuff.
$Configuration['Garden']['Debug'] = false;
$Configuration['Garden']['Errors']['LogFile'] = '';
$Configuration['Garden']['FolderBlacklist'] = ['.', '..', '_svn', '.git']; // Folders we should never search for classes.
// User registration & authentication.
$Configuration['Garden']['Session']['Length'] = '15 minutes';
$Configuration['Garden']['Cookie']['Salt'] = ''; // We do this during setup, chill.
$Configuration['Garden']['Cookie']['Name'] = 'Vanilla';
$Configuration['Garden']['Cookie']['Path'] = '/';
$Configuration['Garden']['Cookie']['Domain'] = '';
$Configuration['Garden']['Cookie']['HashMethod'] = 'md5'; // md5 or sha1
$Configuration['Garden']['Authenticator']['DefaultScheme'] = 'password'; // Types include 'Password', 'Handshake', 'Openid'
$Configuration['Garden']['Authenticator']['RegisterUrl'] = '/entry/register?Target=%2$s';
$Configuration['Garden']['Authenticator']['SignInUrl'] = '/entry/signin?Target=%2$s';
$Configuration['Garden']['Authenticator']['SignOutUrl'] = '/entry/signout/{Session_TransientKey}?Target=%2$s';
$Configuration['Garden']['Authenticator']['EnabledSchemes'] = ['password'];
$Configuration['Garden']['Authenticator']['SyncScreen'] = "smart";
$Configuration['Garden']['Authenticators']['password']['Name'] = "Password";
$Configuration['Garden']['UserAccount']['AllowEdit'] = true; // Allow users to edit their account information? (SSO requires accounts be edited in external system).
$Configuration['Garden']['Registration']['Method'] = 'Captcha'; // Options are: Basic, Captcha, Approval, Invitation
$Configuration['Garden']['Registration']['InviteExpiration'] = '1 week'; // When invitations expire. This will be plugged into strtotime().
$Configuration['Garden']['Registration']['InviteRoles'] = 'FALSE';
$Configuration['Garden']['Registration']['ConfirmEmail'] = false;
$Configuration['Garden']['Registration']['MinPasswordLength'] = 6;
$Configuration['Garden']['Registration']['NameUnique'] = true;
$Configuration['Garden']['TermsOfService'] = '/home/termsofservice'; // The url to the terms of service.
$Configuration['Garden']['Password']['MinLength'] = 6;
$Configuration['Garden']['Roles']['Manage'] = true; // @deprecated
// Garden security features
$Configuration['Garden']['Security']['Hsts']['IncludeSubDomains'] = false;
$Configuration['Garden']['Security']['Hsts']['Preload'] = false;
$Configuration['Garden']['Security']['Hsts']['MaxAge'] = 604800;
// Outgoing email.
$Configuration['Garden']['Email']['UseSmtp'] = false;
$Configuration['Garden']['Email']['SmtpHost'] = '';
$Configuration['Garden']['Email']['SmtpUser'] = '';
$Configuration['Garden']['Email']['SmtpPassword'] = '';
$Configuration['Garden']['Email']['SmtpPort'] = '25';
$Configuration['Garden']['Email']['SmtpSecurity'] = ''; // ssl/tls
$Configuration['Garden']['Email']['MimeType'] = 'text/plain';
$Configuration['Garden']['Email']['SupportName'] = 'Support';
$Configuration['Garden']['Email']['SupportAddress'] = '';
// Contact with the mothership.
$Configuration['Garden']['UpdateCheckUrl'] = 'https://open.vanillaforums.com/addons/update';
$Configuration['Garden']['AddonUrl'] = 'https://open.vanillaforums.com/addons';
$Configuration['Garden']['VanillaUrl'] = 'https://open.vanillaforums.com';
// File handling.
$Configuration['Garden']['CanProcessImages'] = false;
$Configuration['Garden']['Upload']['MaxFileSize'] = '50M';
$Configuration['Garden']['Upload']['AllowedFileExtensions'] = [
'txt', 'jpg', 'jpeg', 'gif', 'png', 'bmp', 'tiff', 'ico', 'zip', 'gz', 'tar.gz', 'tgz', 'psd', 'ai', 'pdf', 'doc', 'xls', 'ppt', 'docx', 'xlsx', 'pptx', 'log', 'rar', '7z'
];
$Configuration['Garden']['Profile']['MaxHeight'] = 560;
$Configuration['Garden']['Profile']['MaxWidth'] = 560;
$Configuration['Garden']['Thumbnail']['Size'] = 200;
// Appearance.
$Configuration['Garden']['Theme'] = 'keystone';
$Configuration['Garden']['MobileTheme'] = 'mobile';
$Configuration['Garden']['Menu']['Sort'] = ['Dashboard', 'Discussions', 'Questions', 'Activity', 'Applicants', 'Conversations', 'User'];
$Configuration['Garden']['ThemeOptions']['Styles']['Key'] = 'Default';
$Configuration['Garden']['ThemeOptions']['Styles']['Value'] = '%s_default';
// Profiles.
$Configuration['Garden']['Profile']['Public']= true;
$Configuration['Garden']['Profile']['ShowAbout'] = true;
$Configuration['Garden']['Profile']['EditPhotos'] = true; // false to disable user photo editing
$Configuration['Garden']['Profile']['EditUsernames'] = false;
$Configuration['Garden']['BannedPhoto'] = 'https://images.v-cdn.net/banned_large.png';
// Embedding forum & comments.
$Configuration['Garden']['Embed']['CommentsPerPage'] = 50;
$Configuration['Garden']['Embed']['SortComments'] = 'desc';
$Configuration['Garden']['Embed']['PageToForum'] = true;
$Configuration['Garden']['SignIn']['Popup'] = true; // Should the sign-in link pop up or go to it's own page? (SSO requires going to it's own external page)
// User experience & formatting.
$Configuration['Garden']['InputFormatter'] = 'Rich'; // Html, BBCode, Markdown, Text, Rich
$Configuration['Garden']['MobileInputFormatter'] = 'Rich';
$Configuration['Garden']['Html']['AllowedElements'] = "a, abbr, acronym, address, area, audio, b, bdi, bdo, big, blockquote, br, caption, center, cite, code, col, colgroup, dd, del, details, dfn, div, dl, dt, em, figure, figcaption, font, h1, h2, h3, h4, h5, h6, hgroup, hr, i, img, ins, kbd, li, map, mark, menu, meter, ol, p, pre, q, s, samp, small, span, strike, strong, sub, sup, summary, table, tbody, td, tfoot, th, thead, time, tr, tt, u, ul, var, video, wbr";
$Configuration['Garden']['Search']['Mode'] = 'boolean'; // matchboolean, match, boolean, like
$Configuration['Garden']['EditContentTimeout'] = 3600; // -1 means no timeout. 0 means immediate timeout. > 0 is in seconds. 60 * 60 = 3600 (aka 1hr)
$Configuration['Garden']['Format']['Mentions'] = true;
$Configuration['Garden']['Format']['Hashtags'] = false;
$Configuration['Garden']['Format']['YouTube'] = true;
$Configuration['Garden']['Format']['Vimeo'] = true;
$Configuration['Garden']['Format']['EmbedSize'] = 'normal'; // tiny/small/normal/big/huge or WIDTHxHEIGHT
// Default preferences. Setting these to 'false' disables them globally.
$Configuration['Preferences']['Email']['ConversationMessage'] = '1';
$Configuration['Preferences']['Email']['BookmarkComment'] = '1';
$Configuration['Preferences']['Email']['ParticipateComment'] = '0';
$Configuration['Preferences']['Email']['WallComment'] = '0';
$Configuration['Preferences']['Email']['ActivityComment'] = '0';
$Configuration['Preferences']['Email']['DiscussionComment'] = '0';
$Configuration['Preferences']['Email']['Mention'] = '0';
$Configuration['Preferences']['Popup']['ConversationMessage'] = '1';
$Configuration['Preferences']['Popup']['BookmarkComment'] = '1';
$Configuration['Preferences']['Popup']['ParticipateComment'] = '0';
$Configuration['Preferences']['Popup']['WallComment'] = '1';
$Configuration['Preferences']['Popup']['ActivityComment'] = '1';
$Configuration['Preferences']['Popup']['DiscussionComment'] = '1';
$Configuration['Preferences']['Popup']['Mention'] = '1';
// Module visibility and sorting.
$Configuration['Garden']['Modules']['ShowGuestModule'] = true;
$Configuration['Garden']['Modules']['ShowSignedInModule'] = false;
$Configuration['Garden']['Modules']['ShowRecentUserModule'] = false;
$Configuration['Modules']['Dashboard']['Panel'] = ['MeModule', 'UserBoxModule', 'ActivityFilterModule', 'UserPhotoModule', 'ProfileFilterModule', 'SideMenuModule', 'UserInfoModule', 'GuestModule', 'Ads'];
$Configuration['Modules']['Dashboard']['Content'] = ['MessageModule', 'MeModule', 'UserBoxModule', 'ProfileOptionsModule', 'Notices', 'ActivityFilterModule', 'ProfileFilterModule', 'Content', 'Ads'];
$Configuration['Modules']['Vanilla']['Panel'] = ['MeModule', 'UserBoxModule', 'GuestModule', 'NewDiscussionModule', 'DiscussionFilterModule', 'SignedInModule', 'Ads'];
$Configuration['Modules']['Vanilla']['Content'] = ['MessageModule', 'MeModule', 'UserBoxModule', 'NewDiscussionModule', 'ProfileOptionsModule', 'Notices', 'NewConversationModule', 'NewDiscussionModule', 'DiscussionFilterModule', 'CategoryModeratorsModule', 'Content', 'Ads'];
$Configuration['Modules']['Conversations']['Panel'] = ['MeModule', 'UserBoxModule', 'NewConversationModule', 'SignedInModule', 'GuestModule', 'Ads'];
$Configuration['Modules']['Conversations']['Content'] = ['MessageModule', 'MeModule', 'UserBoxModule', 'NewConversationModule', 'Notices', 'Content', 'Ads'];
// Routes.
$Configuration['Routes']['DefaultController'] = 'discussions';
$Configuration['Routes']['DefaultForumRoot'] = 'discussions';
$Configuration['Routes']['Default404'] = ['dashboard/home/filenotfound', 'NotFound'];
$Configuration['Routes']['DefaultPermission'] = ['dashboard/home/unauthorized', 'NotAuthorized'];
$Configuration['Routes']['UpdateMode'] = 'dashboard/home/updatemode';


@ -1,104 +0,0 @@
{ config }:
''
<?php if (!defined("APPLICATION")) exit();
// Database defaults.
$Configuration["Database"]["Engine"] = "MySQL";
$Configuration["Database"]["Host"] = "${config.database-host}";
$Configuration["Database"]["Name"] = "${config.database-name}";
$Configuration["Database"]["User"] = "${config.database-user}";
$Configuration["Database"]["Password"] = readfile("${config.database-password-file}");
// Site specifics.
$Configuration["Garden"]["Installed"] = false; // Has Garden been installed yet? This blocks setup when true.
$Configuration["Garden"]["Title"] = "${config.site-name}";
$Configuration["Garden"]["Domain"] = "${config.site-domain}";
$Configuration["Garden"]["PrivateCommunity"] = true;
// User registration & authentication.
$Configuration["Garden"]["Session"]["Length"] = "60 minutes";
$Configuration["Garden"]["Cookie"]["Name"] = "Selby Forum";
$Configuration["Garden"]["Registration"]["Method"] = "Approval"; // Options are: Basic, Captcha, Approval, Invitatino
$Configuration["Garden"]["Registration"]["ConfirmEmail"] = true;
$Configuration["Garden"]["Registration"]["MinPasswordLength"] = 8;
$Configuration["Garden"]["Registration"]["NameUnique"] = true;
$Configuration["Garden"]["Password"]["MinLength"] = 6;
// Outgoing email.
$Configuration["Garden"]["Email"]["UseSmtp"] = true;
$Configuration["Garden"]["Email"]["SmtpHost"] = "${config.smtp-host}";
$Configuration["Garden"]["Email"]["SmtpUser"] = "${config.smtp-user}";
$Configuration["Garden"]["Email"]["SmtpPassword"] = readfile("${config.smtp-password-file}");
$Configuration["Garden"]["Email"]["SmtpPort"] = "25";
$Configuration["Garden"]["Email"]["SmtpSecurity"] = "tls"; // ssl/tls
$Configuration["Garden"]["Email"]["MimeType"] = "text/plain";
$Configuration["Garden"]["Email"]["SupportName"] = "Selby Forum";
$Configuration["Garden"]["Email"]["SupportAddress"] = "forum@selby.ca";
// File handling.
$Configuration["Garden"]["CanProcessImages"] = true;
$Configuration["Garden"]["Upload"]["MaxFileSize"] = "50M";
$Configuration["Garden"]["Upload"]["AllowedFileExtensions"] = [
"txt", "jpg", "jpeg", "gif", "png", "bmp", "tiff", "ico", "zip", "gz", "tar.gz", "tgz", "psd", "ai", "pdf", "doc", "xls", "ppt", "docx", "xlsx", "pptx", "log", "rar", "7z"
];
$Configuration["Garden"]["Profile"]["MaxHeight"] = 560;
$Configuration["Garden"]["Profile"]["MaxWidth"] = 560;
$Configuration["Garden"]["Thumbnail"]["Size"] = 200;
// Appearance.
$Configuration["Garden"]["Theme"] = "keystone";
$Configuration["Garden"]["MobileTheme"] = "mobile";
$Configuration["Garden"]["Menu"]["Sort"] = ["Dashboard", "Discussions", "Questions", "Activity", "Applicants", "Conversations", "User"];
$Configuration["Garden"]["ThemeOptions"]["Styles"]["Key"] = "Default";
$Configuration["Garden"]["ThemeOptions"]["Styles"]["Value"] = "%s_default";
// Profiles.
$Configuration["Garden"]["Profile"]["Public"]= true;
$Configuration["Garden"]["Profile"]["ShowAbout"] = true;
$Configuration["Garden"]["Profile"]["EditPhotos"] = true; // false to disable user photo editing
$Configuration["Garden"]["Profile"]["EditUsernames"] = false;
$Configuration["Garden"]["BannedPhoto"] = "https://images.v-cdn.net/banned_large.png";
// Embedding forum & comments.
$Configuration["Garden"]["Embed"]["CommentsPerPage"] = 50;
$Configuration["Garden"]["Embed"]["SortComments"] = "desc";
$Configuration["Garden"]["Embed"]["PageToForum"] = true;
$Configuration["Garden"]["SignIn"]["Popup"] = true; // Should the sign-in link pop up or go to it"s own page? (SSO requires going to it"s own external page)
// User experience & formatting.
$Configuration["Garden"]["InputFormatter"] = "Rich"; // Html, BBCode, Markdown, Text, Rich
$Configuration["Garden"]["MobileInputFormatter"] = "Rich";
$Configuration["Garden"]["Html"]["AllowedElements"] = "a, abbr, acronym, address, area, audio, b, bdi, bdo, big, blockquote, br, caption, center, cite, code, col, colgroup, dd, del, details, dfn, div, dl, dt, em, figure, figcaption, font, h1, h2, h3, h4, h5, h6, hgroup, hr, i, img, ins, kbd, li, map, mark, menu, meter, ol, p, pre, q, s, samp, small, span, strike, strong, sub, sup, summary, table, tbody, td, tfoot, th, thead, time, tr, tt, u, ul, var, video, wbr";
$Configuration["Garden"]["Search"]["Mode"] = "boolean"; // matchboolean, match, boolean, like
$Configuration["Garden"]["EditContentTimeout"] = 3600; // -1 means no timeout. 0 means immediate timeout. > 0 is in seconds. 60 * 60 = 3600 (aka 1hr)
$Configuration["Garden"]["Format"]["Mentions"] = true;
$Configuration["Garden"]["Format"]["Hashtags"] = false;
$Configuration["Garden"]["Format"]["YouTube"] = true;
$Configuration["Garden"]["Format"]["Vimeo"] = true;
$Configuration["Garden"]["Format"]["EmbedSize"] = "normal"; // tiny/small/normal/big/huge or WIDTHxHEIGHT
// Module visibility and sorting.
$Configuration["Garden"]["Modules"]["ShowGuestModule"] = true;
$Configuration["Garden"]["Modules"]["ShowSignedInModule"] = false;
$Configuration["Garden"]["Modules"]["ShowRecentUserModule"] = false;
$Configuration["Modules"]["Dashboard"]["Panel"] = ["MeModule", "UserBoxModule", "ActivityFilterModule", "UserPhotoModule", "ProfileFilterModule", "SideMenuModule", "UserInfoModule", "GuestModule", "Ads"];
$Configuration["Modules"]["Dashboard"]["Content"] = ["MessageModule", "MeModule", "UserBoxModule", "ProfileOptionsModule", "Notices", "ActivityFilterModule", "ProfileFilterModule", "Content", "Ads"];
$Configuration["Modules"]["Vanilla"]["Panel"] = ["MeModule", "UserBoxModule", "GuestModule", "NewDiscussionModule", "DiscussionFilterModule", "SignedInModule", "Ads"];
$Configuration["Modules"]["Vanilla"]["Content"] = ["MessageModule", "MeModule", "UserBoxModule", "NewDiscussionModule", "ProfileOptionsModule", "Notices", "NewConversationModule", "NewDiscussionModule", "DiscussionFilterModule", "CategoryModeratorsModule", "Content", "Ads"];
$Configuration["Modules"]["Conversations"]["Panel"] = ["MeModule", "UserBoxModule", "NewConversationModule", "SignedInModule", "GuestModule", "Ads"];
$Configuration["Modules"]["Conversations"]["Content"] = ["MessageModule", "MeModule", "UserBoxModule", "NewConversationModule", "Notices", "Content", "Ads"];
// Routes.
$Configuration["Routes"]["DefaultController"] = "discussions";
$Configuration["Routes"]["DefaultForumRoot"] = "discussions";
$Configuration["Routes"]["Default404"] = ["dashboard/home/filenotfound", "NotFound"];
$Configuration["Routes"]["DefaultPermission"] = ["dashboard/home/unauthorized", "NotAuthorized"];
$Configuration["Routes"]["UpdateMode"] = "dashboard/home/updatemode";
// Cache.
$Configuration['Cache']['Enabled'] = true;
$Configuration['Cache']['Method'] = 'memcached';
$Configuration['Cache']['Filecache']['Store'] = PATH_CACHE.'/Filecache';
$Configuration['memcached']['Store'] = '${config.memcached-server}';
''


@ -1,89 +0,0 @@
<?php if (!defined('APPLICATION')) exit();
/**
* Framework constants.
*
* @copyright 2009-2019 Vanilla Forums Inc.
* @license GPL-2.0-only
* @package Core
* @since 2.0
*/
// If you want to change where these paths are located on your server, edit these constants.
if (!defined('PATH_CACHE')) {
define('PATH_CACHE', STATE_ROOT.DS.'cache');
}
if (!defined('PATH_UPLOADS')) {
define('PATH_UPLOADS', STATE_ROOT.DS.'uploads');
}
// You should not change these paths.
define('PATH_APPLICATIONS', PATH_ROOT.'/applications');
define('PATH_PLUGINS', PATH_ROOT.'/plugins');
define('PATH_THEMES', PATH_ROOT.'/themes');
define('PATH_LIBRARY', PATH_ROOT.'/library');
define('PATH_LIBRARY_CORE', PATH_LIBRARY.'/core');
// Delivery type enumerators:
define('DELIVERY_TYPE_ALL', 'ALL'); // Deliver an entire page
define('DELIVERY_TYPE_ASSET', 'ASSET'); // Deliver all content for the requested asset
define('DELIVERY_TYPE_VIEW', 'VIEW'); // Deliver only the view
define('DELIVERY_TYPE_BOOL', 'BOOL'); // Deliver only the success status (or error) of the request
define('DELIVERY_TYPE_NONE', 'NONE'); // Deliver nothing
define('DELIVERY_TYPE_MESSAGE', 'MESSAGE'); // Just deliver messages.
define('DELIVERY_TYPE_DATA', 'DATA'); // Just deliver the data.
// Delivery method enumerators
define('DELIVERY_METHOD_XHTML', 'XHTML');
define('DELIVERY_METHOD_JSON', 'JSON');
define('DELIVERY_METHOD_XML', 'XML');
/**
* @since 2.1
*/
define('DELIVERY_METHOD_TEXT', 'TXT');
define('DELIVERY_METHOD_PLAIN', 'PLAIN');
define('DELIVERY_METHOD_RSS', 'RSS');
define('DELIVERY_METHOD_ATOM', 'ATOM');
// Handler enumerators:
define('HANDLER_TYPE_NORMAL', 'NORMAL'); // Standard call to a method on the object.
define('HANDLER_TYPE_EVENT', 'EVENT'); // Call to an event handler.
define('HANDLER_TYPE_OVERRIDE', 'OVERRIDE'); // Call to a method override.
define('HANDLER_TYPE_NEW', 'NEW'); // Call to a new object method.
// Dataset type enumerators:
define('DATASET_TYPE_ARRAY', 'array');
define('DATASET_TYPE_OBJECT', 'object');
// Syndication enumerators:
define('SYNDICATION_NONE', 'NONE');
define('SYNDICATION_RSS', 'RSS');
define('SYNDICATION_ATOM', 'ATOM');
// Debug error types.
define('TRACE_INFO', 'Info');
define('TRACE_ERROR', 'Error');
define('TRACE_WARNING', 'Warning');
define('TRACE_NOTICE', 'Notice');
// Environment
define('ENVIRONMENT_PHP_VERSION', '7.1');
if (!defined('E_USER_DEPRECATED')) {
define('E_USER_DEPRECATED', E_USER_WARNING);
}
define('SPAM', 'SPAM');
define('UNAPPROVED', 'UNAPPROVED');
// Numeric keys for Vanilla's addon types.
define('ADDON_TYPE_PLUGIN', 1);
define('ADDON_TYPE_THEME', 2);
define('ADDON_TYPE_LOCALE', 4);
define('ADDON_TYPE_APPLICATION', 5);
define('ADDON_TYPE_CORE', 10);
// Use this constant if you are sick of looking up how to format dates to go into the database.
const MYSQL_DATE_FORMAT = 'Y-m-d H:i:s';
// Signal we did all this ^.
define('VANILLA_CONSTANTS', true);


@ -1,81 +0,0 @@
{ state-root, static-root, config-root, ... }:
''
<?php
/**
* Bare minimum setup of the environment to use Vanilla"s classes.
*
* @author Alexandre (DaazKu) Chouinard <alexandre.c@vanillaforums.com>
* @copyright 2009-2019 Vanilla Forums Inc.
* @license GPL-2.0-only
*/
if (PHP_VERSION_ID < 70100) {
die("Vanilla requires PHP 7.1 or greater.");
}
// Define the constants we need to get going.
if (!defined("APPLICATION")) {
define("APPLICATION", "Vanilla");
}
if (!defined("APPLICATION_VERSION")) {
// Rules for the versioning
// {OSS version}-{Cloud release version}-{? SNAPSHOT if it"s a dev build}
define("APPLICATION_VERSION", "3.3");
}
if (!defined("DS")) {
define("DS", DIRECTORY_SEPARATOR);
}
if (!defined("STATE_ROOT")) {
define("STATE_ROOT", "${state-root}");
}
if (!defined("PATH_ROOT")) {
define("PATH_ROOT", "${static-root}");
}
// Disable Phar stream
stream_wrapper_unregister("phar");
/**
* Bootstrap Before
*
* This file gives developers the opportunity to hook into Garden before any
* real work has been done. Nothing has been included yet, aside from this file.
* No Garden features are available yet.
*/
$isWeb = PHP_SAPI !== "cli" && isset($_SERVER["REQUEST_METHOD"]);
if ($isWeb && file_exists(STATE_ROOT."/conf/bootstrap.before.php")) {
require_once STATE_ROOT."/conf/bootstrap.before.php";
}
/**
* Define Core Constants
*
* Garden depends on the presence of a certain base set of defines that allow it
* to be aware of its own place within the system. These are conditionally
* defined here, in case they"ve already been set by a zealous bootstrap.before.
*/
// Path to the primary configuration file.
if (!defined("PATH_CONF")) {
define("PATH_CONF", "${config-root}");
}
// Include default constants.
require_once PATH_CONF."/constants.php";
// Make sure a default time zone is set.
// Do NOT edit this. See config `Garden.GuestTimeZone`.
date_default_timezone_set("UTC");
// Make sure the mb_* functions are utf8.
if (function_exists("mb_internal_encoding")) {
mb_internal_encoding("UTF-8");
}
// Include the core autoloader.
if (!include_once PATH_ROOT."/vendor/autoload.php") {
die("Could not find the autoloader. Did you forget to run 'composer install' in ".PATH_ROOT."?\n");
}
spl_autoload_register([Vanilla\AliasLoader::class, "autoload"]);
''


@ -1,29 +0,0 @@
<?php
/**
* Application Gateway.
*
* @copyright 2009-2019 Vanilla Forums Inc.
* @license GPL-2.0-only
* @package Core
* @since 2.0
*/
// Report and track all errors.
error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR);
ini_set('display_errors', 0);
ini_set('track_errors', 1);
ob_start();
// Minimal environment needed to use most of Vanilla's framework.
require_once(getenv("SELBY_FORUM_ROOT") . '/environment.php' );
// Require the bootstrap to configure the application.
require_once(SELBY_FORUM_ROOT . '/bootstrap.php');
// Create and configure the dispatcher.
$dispatcher = Gdn::dispatcher();
// Process the request.
$dispatcher->start();
$dispatcher->dispatch();


@ -1,33 +0,0 @@
{ environment-file, bootstrap-file, ... }:
''
<?php
/**
* Application Gateway.
*
* @copyright 2009-2019 Vanilla Forums Inc.
* @license GPL-2.0-only
* @package Core
* @since 2.0
*/
// Report and track all errors.
error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR);
ini_set('display_errors', 0);
ini_set('track_errors', 1);
ob_start();
// Minimal environment needed to use most of Vanilla's framework.
require_once("${environment-file}");
// Require the bootstrap to configure the application.
require_once("${bootstrap-file}");
// Create and configure the dispatcher.
$dispatcher = Gdn::dispatcher();
// Process the request.
$dispatcher->start();
$dispatcher->dispatch();
''


@ -1,262 +0,0 @@
{ pkgs, lib, config, ... }:
with lib;
let
backplane-auth = "/etc/nixos/static/backplane-auth.scm";
host-passwd-file = "/srv/jabber/secret/hosts-passwd.scm";
service-passwd-file = "/srv/jabber/secret/services-passwd.scm";
cert-basedir = "/var/lib/ejabberd/certs";
target-certs = ["key" "cert" "chain" "fullchain"];
cert-origin = hostname: filename: "/var/lib/acme/${hostname}/$(unknown).pem";
cert-target = hostname: filename: "${cert-basedir}/${hostname}-$(unknown).pem";
move-server-certs = hostnames:
let
move-server-cert = hostname:
map (filename: ''
ensure_exists ${cert-origin hostname filename}
cp -L ${cert-origin hostname filename} ${cert-target hostname filename}
'')
target-certs;
in pkgs.writeShellScript "move-server-certs" ''
function ensure_exists() {
FILENAME=$1
if [ ! -e $FILENAME ]; then
echo "file does not exist: $FILENAME"
exit 1
fi
}
if [ -d ${cert-basedir} ]; then
mkdir ${cert-basedir}
fi
${concatStringsSep "\n" (concatMap move-server-cert hostnames)}
chown -R ${config.services.ejabberd.user}:${config.services.ejabberd.group} ${cert-basedir}
exit 0
'';
remove-server-certs = pkgs.writeShellScript "ejabberd-rm-combined-certs" ''
rm ${cert-basedir}/*.pem
'';
in {
config = {
security.acme.certs."fudo.im".email = "admin@fudo.org";
security.acme.certs."backplane.fudo.org".email = "admin@fudo.org";
systemd = {
services = {
ejabberd-generate-certs = {
enable = true;
description = "Generate required SSL certs for ejabberd.";
wantedBy = [ "ejabberd.service" ];
after = [
"acme-backplane.fudo.org.service"
"acme-fudo.im.service"
];
serviceConfig = {
Type = "oneshot";
ExecStart = "${move-server-certs ["fudo.im" "backplane.fudo.org"]}";
RemainAfterExit = true;
ExecStop = remove-server-certs;
StandardOutput = "journal";
};
};
ejabberd = {
requires = [ "ejabberd-generate-certs.service" ];
environment = {
FUDO_HOST_PASSWD_FILE = host-passwd-file;
FUDO_SERVICE_PASSWD_FILE = service-passwd-file;
};
};
ejabberd-hostfile-watcher = {
description = "Watch the ejabberd host file and restart if changes occur.";
serviceConfig.Type = "oneshot";
after = [ "ejabberd.service" ];
script = ''
SYSCTL=${pkgs.systemd}/bin/systemctl
if $SYSCTL is-active --quiet ejabberd.service; then
echo "restarting ejabberd.service because hostfile has changed."
$SYSCTL restart ejabberd.service
fi
'';
};
ejabberd-servicefile-watcher = {
description = "Watch the ejabberd service file and restart if changes occur.";
serviceConfig.Type = "oneshot";
after = [ "ejabberd.service" ];
script = ''
SYSCTL=${pkgs.systemd}/bin/systemctl
if $SYSCTL is-active --quiet ejabberd.service; then
echo "restarting ejabberd.service because servicefile has changed."
$SYSCTL restart ejabberd.service
fi
'';
};
};
paths = {
ejabberd-hostfile-watcher = {
pathConfig.PathChanged = host-passwd-file;
};
ejabberd-servicefile-watcher = {
pathConfig.PathChanged = service-passwd-file;
};
};
};
services = {
nginx = {
virtualHosts = {
"backplane.fudo.org" = {
enableACME = true;
};
"fudo.im" = {
enableACME = true;
};
};
};
ejabberd = {
enable = true;
configFile = pkgs.writeText "ejabberd-config.yml" (builtins.toJSON {
loglevel = 4;
access_rules = {
c2s = { allow = "all"; };
announce = { allow = "admin"; };
configure = { allow = "admin"; };
pubsub_createnode = { allow = "local"; };
};
acl = {
admin = {
user = [
"niten@fudo.org"
];
};
};
hosts = [
"fudo.im"
"backplane.fudo.org"
];
listen = [
{
port = 5222;
module = "ejabberd_c2s";
ip = "0.0.0.0";
starttls = true;
starttls_required = true;
}
];
certfiles =
concatMap (hostname: map (filename: cert-target hostname filename) target-certs)
["fudo.im" "backplane.fudo.org"];
host_config = {
"fudo.im" = {
auth_method = "ldap";
ldap_servers = ["auth.fudo.org"];
ldap_port = 389;
ldap_rootdn = "cn=jabber,dc=fudo,dc=org";
ldap_password = fileContents /srv/jabber/secret/ldap.passwd;
ldap_base = "ou=members,dc=fudo,dc=org";
ldap_filter = "(objectClass=posixAccount)";
ldap_uids = { uid = "%u"; };
modules = {
mod_adhoc = {};
mod_announce = {};
mod_avatar = {};
mod_blocking = {};
mod_caps = {};
mod_carboncopy = {};
mod_client_state = {};
mod_configure = {};
mod_disco = {};
mod_fail2ban = {};
mod_last = {};
mod_offline = {
access_max_user_messages = 5000;
};
mod_ping = {};
mod_privacy = {};
mod_private = {};
mod_pubsub = {
access_createnode = "pubsub_createnode";
ignore_pep_from_offline = true;
last_item_cache = false;
plugins = [
"flat"
"pep"
];
};
mod_roster = {};
mod_stream_mgmt = {};
mod_time = {};
mod_vcard = {
search = false;
};
mod_vcard_xupdate = {};
mod_version = {};
};
};
"backplane.fudo.org" = {
auth_method = "external";
extauth_program = "${pkgs.guile}/bin/guile -s ${backplane-auth}";
extauth_pool_size = 3;
auth_use_cache = true;
modules = {
mod_adhoc = {};
mod_caps = {};
mod_carboncopy = {};
mod_client_state = {};
mod_configure = {};
mod_disco = {};
mod_fail2ban = {};
mod_last = {};
mod_offline = {
access_max_user_messages = 5000;
};
mod_ping = {};
mod_pubsub = {
access_createnode = "pubsub_createnode";
ignore_pep_from_offline = true;
last_item_cache = false;
plugins = [
"flat"
"pep"
];
};
mod_roster = {};
mod_stream_mgmt = {};
mod_time = {};
mod_version = {};
};
};
};
});
};
};
};
}


@ -1,119 +0,0 @@
{ config, lib, pkgs, ... }:
let
hostname = "forum.test.selby.ca";
local-port = "3157";
postgres-host = "france.fudo.org";
config-path = "/srv/selby-forum/conf";
redis-data-path = "/srv/selby-forum/redis-data";
sidekiq-data-path = "/srv/selby-forum/sidekiq-data";
discourse-data-path = "/srv/selby-forum/discourse-data";
postgres-data-path = "/srv/selby-forum/postgres-data";
env-file = "/srv/selby-forum/private/env";
ensure-dir-and-ownership = ownership: dir: ''
if [ ! -d ${dir} ]; then
mkdir -p ${dir}
fi
chown -R ${ownership} ${dir}
chmod 700 ${dir}
'';
in {
config = {
users.users = {
selby-discourse = {
isSystemUser = true;
# This is stupid: needs to be 1001, see bitnami docs
uid = 1001;
};
};
security.acme.certs.${hostname}.email = "niten@fudo.org";
services.nginx = {
enable = true;
virtualHosts = {
"${hostname}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${local-port}";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
};
docker-containers = let
docker-flags = [ "--network=selby-discourse" "--env-file=${env-file}" ];
discourse-env = {
DISCOURSE_USERNAME = "admin";
DISCOURSE_SITENAME = "Selby Forum";
DISCOURSE_EMAIL = "forum@selby.ca";
DISCOURSE_HOSTNAME = hostname;
POSTGRESQL_HOST = "selby-discourse-postgres";
DISCOURSE_POSTGRESQL_USERNAME = "discourse_selby_forum";
DISCOURSE_POSTGRESQL_NAME = "discourse_selby_forum";
# note: passwords are stored in env-file
REDIS_HOST = "selby-discourse-redis";
# note: password is store in env-file
};
in {
selby-discourse = {
image = "bitnami/discourse:2.6.0";
ports = [ "127.0.0.1:${local-port}:3000" ];
# user = toString config.users.users.selby-discourse.uid;
volumes = [
"${config-path}:/opt/bitnami/discourse/mounted-conf"
"${discourse-data-path}:/bitnami"
];
extraDockerOptions = docker-flags;
environment = discourse-env;
};
selby-discourse-redis = {
image = "bitnami/redis:6.0";
user = toString config.users.users.selby-discourse.uid;
volumes = [ "${redis-data-path}:/bitnami/redis/data" ];
extraDockerOptions = docker-flags;
environment = { };
};
selby-discourse-sidekiq = {
image = "bitnami/discourse:2.6.0";
# user = toString config.users.users.selby-discourse.uid;
volumes = [ "${sidekiq-data-path}:/bitnami" ];
cmd = [ "nami" "start" "--foreground" "discourse-sidekiq" ];
extraDockerOptions = docker-flags;
environment = discourse-env;
};
selby-discourse-postgres = {
image = "bitnami/postgresql:13";
# user = toString config.users.users.selby-discourse.uid;
volumes = [ "${postgres-data-path}:/bitnami/postgresql" ];
extraDockerOptions = docker-flags;
environment = {
POSTGRESQL_DATABASE = "discourse_selby_forum";
POSTGRESQL_USERNAME = "discourse_selby_forum";
};
};
};
};
}


@ -1,197 +0,0 @@
{ config, lib, pkgs, ... }:
let
hostname = "forum.test.selby.ca";
mariadb-tag = "10";
mariadb-port = "13306";
mariadb-data-path = "/srv/selby-forum/mariadb-data";
mariadb-root-env-file = "/srv/selby-forum/private/mariadb-env";
mariadb-env-file = "/srv/selby-forum/private/mariadb-root-env";
mariadb-username = "forum_selby_ca";
mariadb-database = "forum_selby_ca";
mariadb-password-file = "/srv/selby-forum/private/mariadb-user-passwd";
smtp-password-file = "srv/selby-forum/private/smtp-passwd";
fastcgi-params = "include ${pkgs.nginx}/conf/fastcgi_params";
memcached-tag = "1.6-alpine";
memcached-port = "11219";
environment = pkgs.writeTextDir "/environment.php"
(import ./forum-config/environment.php.nix {
static-root = "${pkgs.vanilla-forum}";
state-root = "/srv/selby-forum/state";
config-root = "/etc/selby-forum";
});
index = pkgs.writeTextDir "/index.php" (import ./forum-config/index.php.nix {
environment-file = "${environment}/environment.php";
bootstrap-file = "${pkgs.vanilla-forum}/bootstrap.php";
});
selby-forum-pkg = pkgs.symlinkJoin {
name = "selby-forum";
paths = [ pkgs.vanilla-forum index ];
};
in {
config = {
environment.etc = {
"selby-forum/config-defaults.php" = {
uid = config.users.users.nginx.uid;
mode = "0600";
source = ./forum-config/config-defaults.php;
};
"selby-forum/constants.php" = {
uid = config.users.users.nginx.uid;
mode = "0600";
source = ./forum-config/constants.php;
};
"selby-forum/config.php" = {
uid = config.users.users.nginx.uid;
mode = "0600";
text = import ./forum-config/config.php.nix {
config = {
database-host = "127.0.0.1:${mariadb-port}";
database-name = mariadb-database;
database-user = mariadb-username;
database-password-file = mariadb-password-file;
site-name = "Selby Forum";
site-domain = "forum.selby.ca";
smtp-host = "mail.fudo.org";
smtp-user = "selby-forum";
smtp-password-file = smtp-password-file;
memcached-server = "127.0.0.1:${memcached-port}";
};
};
};
};
docker-containers = {
selby-forum-mariadb = {
image = "mariadb:${mariadb-tag}";
ports = [ "127.0.0.1:${mariadb-port}:3306" ];
volumes = [ "${mariadb-data-path}:/var/lib/mysql" ];
environment = {
MYSQL_USER = mariadb-username;
MYSQL_DATABASE = mariadb-database;
};
extraDockerOptions = [
"--env-file=${mariadb-root-env-file}"
"--env-file=${mariadb-env-file}"
];
};
selby-forum-memcached = {
image = "memcached:${memcached-tag}";
ports = [ "127.0.0.1:${memcached-port}:11211" ];
};
};
security.acme.certs."${hostname}".email = "niten@fudo.org";
services = {
phpfpm = {
pools.selby-forum = {
user = "nginx";
group = "nginx";
settings = {
"pm" = "dynamic";
"pm.max_children" = 50;
"pm.start_servers" = 5;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 8;
};
phpOptions = ''
memory_limit = 500M
file_uploads = On
allow_url_fopen = On
short_open_tag = On
upload_max_filesize = 100M
max_execution_time = 360
date.timezone = America/Winnipeg
'';
};
};
nginx = {
enable = true;
virtualHosts = {
"${hostname}" = let
forbidden-rxs = [
"^.htaccess$"
"^/conf/"
"^/cache/"
"^/cgi-bin/"
"^/uploads/imports/"
"^/vendor/"
];
forbidden-rx-entry = entry:
lib.nameValuePair "~* ${entry}" {
return = "403";
extraConfig = "deny all;";
};
forbidden-rx-entries =
builtins.listToAttrs (map forbidden-rx-entry forbidden-rxs);
in {
enableACME = true;
forceSSL = true;
root = "${selby-forum-pkg}/";
locations = forbidden-rx-entries // {
"/" = {
index = "index.php";
tryFiles = "$uri @vanilla";
};
"@vanilla" = {
extraConfig = ''
rewrite ^ /index.php$request_uri last;
'';
};
"~* ^/index.php($|/)" = {
extraConfig = ''
expires -1;
${fastcgi-params};
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param SCRIPT_NAME /index.php;
fastcgi_param SCRIPT_FILENAME $realpath_root/index.php;
fastcgi_param X_REWRITE 1;
fastcgi_pass unix:${config.services.phpfpm.pools.selby-forum.socket};
'';
};
};
};
};
};
};
systemd.services = {
phpfpm-selby-forum-socket-perm = {
wantedBy = [ "multi-user.target" "nginx.service" ];
before = [ "nginx.service" ];
description =
"Change ownership of the phpfpm socket for selby forum once it's started.";
requires = [ "phpfpm-selby-forum.service" ];
after = [ "phpfpm.target" "phpfpm-selby-forum.service" ];
serviceConfig = {
ExecStart = ''
${pkgs.coreutils}/bin/chown nginx:nginx ${config.services.phpfpm.pools.selby-forum.socket}
'';
};
};
};
};
}


@ -1,81 +0,0 @@
{ lib, config, pkgs, ... }:
let
hostname = "lambda";
host-internal-ip = "10.0.0.3";
host-storage-ip = "10.0.10.1";
inherit (lib.strings) concatStringsSep;
in {
boot.kernelModules = [ "kvm-amd" ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-label/nixos-root";
hardware.bluetooth.enable = false;
imports = [ ../defaults.nix ../hardware-configuration.nix ];
fudo.common = {
profile = "server";
site = "seattle";
};
fudo.slynk = { enable = true; };
networking = {
hostName = hostname;
nameservers = [ host-internal-ip ];
# Create a bridge for VMs to use
macvlans = {
extif0 = {
interface = "enp3s0f1";
mode = "bridge";
};
storageif0 = {
interface = "enp4s0f1";
mode = "bridge";
};
};
interfaces = {
enp3s0f0.useDHCP = false;
enp3s0f1.useDHCP = false;
enp4s0f0.useDHCP = false;
enp4s0f1.useDHCP = false;
extif0 = {
useDHCP = false;
macAddress = "02:50:f6:52:9f:9d";
ipv4.addresses = [{
address = host-internal-ip;
prefixLength = 22;
}
# {
# address = "10.0.10.2";
# prefixLength = 24;
# }
];
};
storageif0 = {
useDHCP = false;
macAddress = "02:65:d7:00:7d:1b";
ipv4.addresses = [{
address = host-storage-ip;
prefixLength = 24;
}];
};
};
};
fudo.ipfs = {
enable = true;
users = [ "niten" ];
api-address = "/ip4/${host-internal-ip}/tcp/5001";
};
}


@ -1,31 +0,0 @@
{ config, pkgs, ... }:
let
hostname = "monolith";
in {
imports = [
../defaults.nix
../networks/sea.fudo.org.nix
../profiles/desktop.nix
../hardware-configuration.nix
];
environment.systemPackages = with pkgs; [
glxinfo
];
networking.hostName = hostname;
services.xserver.videoDrivers = ["nvidia"];
hardware.bluetooth.enable = false;
hardware.opengl.driSupport32Bit = true;
hardware.opengl.driSupport = true;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
}


@ -1,239 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
hostname = "nostromo";
host-internal-ip = "10.0.0.1";
in {
environment.systemPackages = with pkgs; [
dnsproxy
google-photos-uploader
libguestfs-with-appliance
libvirt
powerdns
virtmanager
];
boot.kernelModules = [ "kvm-amd" ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
hardware.bluetooth.enable = false;
imports = [ ../defaults.nix ../hardware-configuration.nix ];
fudo.common = {
profile = "server";
site = "seattle";
};
fudo.local-network = {
enable = true;
# See fudo/sites/seattle.nix for general settings
dns-servers = [ host-internal-ip ];
gateway = host-internal-ip;
dhcp-interfaces = [ "intif0" ];
dns-serve-ips = [ host-internal-ip "127.0.0.1" "127.0.1.1" ];
# Using a pihole running in docker, see below
recursive-resolver = "${host-internal-ip} port 5353";
server-ip = host-internal-ip;
};
fudo.slynk = {
# NOTE: for now, had to do: XDG_RUNTIME_DIR=/run/user/$UID systemctl start --user slynk
enable = true;
};
# systemd.network.networks.eno2 = {
# dhcpV6Config = {
# IPv6PrefixDelegation = "dhcpv6";
# PrefixDelegationHint = 60;
# };
# };
systemd.network.networks.eno2 = {
extraConfig = {
IPv6AcceptRA = true;
IPv6PrefixDelegation = "dhcpv6";
};
};
networking = {
hostName = hostname;
nameservers = [ host-internal-ip ];
dhcpcd.extraConfig = ''
interface eno2
ia_na 1
ia_pd 2 eno2/0
'';
# Create a bridge for VMs to use
macvlans = {
intif0 = {
interface = "eno1";
mode = "bridge";
};
};
interfaces = {
eno1.useDHCP = false;
eno3.useDHCP = false;
eno4.useDHCP = false;
enp33s0f0.useDHCP = false;
enp33s0f1.useDHCP = false;
enp9s0f0.useDHCP = false;
enp9s0f1.useDHCP = false;
eno2 = { useDHCP = true; };
intif0 = {
useDHCP = false;
macAddress = "46:54:76:06:f1:10";
ipv4.addresses = [
{
address = host-internal-ip;
prefixLength = 22;
}
{
address = "10.0.10.2";
prefixLength = 24;
}
];
};
};
nat = {
enable = true;
externalInterface = "eno2";
internalInterfaces = [ "intif0" ];
};
};
users = {
users = { fudo-client = { isSystemUser = true; }; };
groups = {
backplane-powerdns = { members = [ "backplane-powerdns" ]; };
backplane-dns = { members = [ "backplane-dns" ]; };
};
};
fudo = {
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "eno2";
password-file = "/srv/client/secure/client.passwd";
};
secure-dns-proxy = {
enable = true;
port = 3535;
upstream-dns = [
"https://cloudflare-dns.com/dns-query"
# "https://dns.adguard.com/dns-query"
];
bootstrap-dns = "1.1.1.1";
};
netinfo-email = {
enable = true;
env-file = "/srv/netinfo/secure/env";
};
};
virtualisation = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
libvirtd = {
enable = true;
qemuPackage = pkgs.qemu_kvm;
onShutdown = "shutdown";
};
};
docker-containers = {
pihole = {
image = "pihole/pihole:4.3.2-1";
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
ServerIP = host-internal-ip;
VIRTUAL_HOST = "dns-hole.sea.fudo.org";
DNS1 = "1.1.1.1";
DNS2 = "8.8.8.8";
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
# TODO: DNS-over-HTTPS via cloudflared
# extraDockerOptions = [
# "--dns=1.1.1.1"
# ];
};
};
fudo.ipfs = {
enable = true;
users = [ "niten" ];
api-address = "/ip4/${host-internal-ip}/tcp/5001";
};
security.acme.certs."sea-camera.fudo.link".email = "niten@fudo.org";
security.acme.certs."sea-camera-od.fudo.link".email = "niten@fudo.org";
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"sea-camera.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
"sea-camera-od.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon-od.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
"pihole.sea.fudo.org" = {
serverAliases = [ "dns-hole.sea.fudo.org" "hole.sea.fudo.org" ];
locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
};
};
};
};
}


@ -1,320 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
hostname = "procul";
domain = "informis.land";
mail-hostname = hostname;
host_ipv4 = "172.86.179.18";
host-fqdn = "${hostname}.${domain}";
all-hostnames = [];
acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";
fudo-ca = "/etc/nixos/static/fudo_ca.pem";
in {
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sdb";
};
imports = [
../hardware-configuration.nix
../defaults.nix
../informis/users.nix
];
networking = {
hostName = hostname;
# provided by secure-dns-proxy
nameservers = [ "127.0.0.1" ];
dhcpcd.enable = false;
useDHCP = false;
# TODO: fix IPv6
enableIPv6 = true;
# Create a bridge for VMs to use
macvlans = {
extif0 = {
interface = "enp0s25";
mode = "bridge";
};
};
# For WireGuard
nat = {
enable = true;
externalInterface = "extif0";
internalInterfaces = [ "wgtun0" ];
};
interfaces = {
extif0 = {
# result of:
# echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:e2:b7:db:e8:af";
ipv4.addresses = [
{
address = host_ipv4;
prefixLength = 29;
}
];
};
};
};
hardware.bluetooth.enable = false;
users = {
users = {
gituser = {
isSystemUser = true;
group = "nogroup";
};
};
};
fudo = {
common = {
# Sets some server-common settings. See /etc/nixos/fudo/profiles/...
profile = "server";
# Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...
site = "joes";
domain = domain;
admin-email = "admin@${domain}";
local-networks = [
"172.86.179.16/29"
"208.81.1.128/28"
"208.81.3.112/28"
"172.17.0.0/16"
"127.0.0.0/8"
];
};
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd";
};
# Not all users need access to procul; don't allow LDAP-user access.
authentication.enable = false;
auth.kdc = {
enable = true;
database-path = "/var/heimdal/heimdal";
realm = "INFORMIS.LAND";
mkey-file = "/srv/heimdal/secure/m-key";
acl-file = "/etc/heimdal/kdc.acl";
bind-addresses = [
host_ipv4
"127.0.0.1"
"127.0.1.1"
];
};
system.tmpOnTmpfs = false;
secure-dns-proxy = {
enable = true;
upstream-dns = [ "https://cloudflare-dns.com/dns-query" ];
bootstrap-dns = "1.1.1.1";
listen-ips = [ "127.0.0.1" ];
port = 53;
};
dns = {
enable = true;
dns-hosts = {
"ns1.informis.land" = "172.86.179.18";
"ns2.informis.land" = "172.86.179.18";
};
listen-ips = [host_ipv4];
domains = {
"informis.land" = import ../informis/informis.land.nix {
inherit host_ipv4 config;
};
};
};
mail-server = {
enable = true;
debug = true;
domain = domain;
hostname = "${host-fqdn}";
monitoring = false;
mail-user = "mailuser";
mail-user-id = 525;
mail-group = "mailgroup";
clamav.enable = true;
dkim.signing = true;
dovecot = {
ssl-certificate = acme-certificate "imap.${domain}";
ssl-private-key = acme-private-key "imap.${domain}";
};
postfix = {
ssl-certificate = acme-certificate "smtp.${domain}";
ssl-private-key = acme-private-key "smtp.${domain}";
};
# This should NOT include the primary domain
local-domains = [
host-fqdn
"smtp.${domain}"
];
mail-directory = "/srv/mailserver/mail";
state-directory = "/srv/mailserver/state";
trusted-networks = [
"172.86.179.16/29"
"127.0.0.0/16"
];
alias-users = {
root = ["niten"];
postmaster = ["niten"];
hostmaster = ["niten"];
webmaster = ["niten"];
system = ["niten"];
admin = ["niten"];
dmarc-report = ["niten"];
};
};
postgresql = {
enable = true;
ssl-certificate = (acme-certificate host-fqdn);
ssl-private-key = (acme-private-key host-fqdn);
keytab = "/srv/postgres/secure/postgres.keytab";
local-networks = [
"172.86.179.16/29"
"127.0.0.0/16"
];
users = {
gituser = {
password-file = "/srv/git/secure/db.passwd";
databases = {
git = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT, UPDATE";
};
};
};
};
};
databases = {
git = {
users = ["niten"];
};
};
};
git = {
enable = true;
hostname = "git.informis.land";
site-name = "informis git";
user = "gituser";
repository-dir = /srv/git/repo;
state-dir = /srv/git/state;
database = {
user = "gituser";
password-file = /srv/git/secure/db.passwd;
hostname = "127.0.0.1";
name = "git";
};
};
acme = {
enable = true;
admin-address = "admin@${domain}";
hostnames = [
"informis.land"
"imap.informis.land"
"smtp.informis.land"
"gemini.informis.land"
];
};
};
security.acme.certs.${host-fqdn}.email = "admin@${domain}";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = {
"${host-fqdn}" = {
enableACME = true;
forceSSL = true;
};
};
};
fudo.vpn = {
# fer some fuckin reason this sets the default gw to the vpn interface
enable = false;
network = "10.100.0.0/16";
server-ip = host_ipv4;
private-key-file = "/srv/wireguard/secure/secret.key";
peers = {
peter = "/srv/wireguard/clients/peter.key";
ken = "/srv/wireguard/clients/ken.key";
helen = "/srv/wireguard/clients/helen.key";
};
};
informis.cl-gemini = {
enable = true;
server-ip = host_ipv4;
document-root = "/srv/gemini/root";
ssl-private-key = "/srv/gemini/private/key.pem";
ssl-certificate = "/srv/gemini/private/cert.pem";
slynk-port = 4005;
textfiles-archive = "/srv/gemini/textfiles";
feeds = {
viator = {
title = "viator's phlog";
path = "/home/viator/gemini-public/feed/";
url = "gemini://informis.land/user/viator/feed/";
};
};
};
}


@ -1,63 +0,0 @@
{ config, pkgs, ... }:
let
hostname = "spark";
in {
imports = [
../defaults.nix
../hardware-configuration.nix
];
nixpkgs.config.permittedInsecurePackages = [
"google-chrome-81.0.4044.138"
];
environment.systemPackages = with pkgs; [
# androidStudioPackages.canary
androidenv.androidPkgs_9_0.platform-tools
cmake
glxinfo
opencv4
qemu_kvm
signal-cli
signal-desktop
teamviewer
thunderbird
wireshark
];
fudo.common = {
profile = "desktop";
site = "seattle";
enable-gui = true;
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi = {
canTouchEfiVariables = true;
};
programs = {
adb.enable = true;
bash.enableCompletion = true;
};
networking.hostName = hostname;
hardware.bluetooth.enable = false;
hardware.opengl.driSupport32Bit = true;
hardware.opengl.driSupport = true;
services = {
trezord.enable = true;
};
virtualisation.libvirtd = {
enable = true;
qemuPackage = pkgs.qemu_kvm;
onShutdown = "shutdown";
};
}


@ -1,90 +0,0 @@
{ config, pkgs, ... }:
let
hostname = "zbox";
in {
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
imports = [
../defaults.nix
../hardware-configuration.nix
];
environment.systemPackages = with pkgs; [
androidenv.androidPkgs_9_0.platform-tools
android-studio
dnsproxy
glxinfo
hll2380dw-cups
nodejs
signal-desktop
thunderbird
usbutils
];
fudo.common = {
profile = "desktop";
site = "seattle";
enable-gui = true;
};
fudo.slynk = {
enable = true;
};
hardware.cpu.intel.updateMicrocode = true;
programs = {
adb.enable = true;
bash.enableCompletion = true;
};
services.xserver = {
videoDrivers = ["nvidia"];
# displayManager.gdm.wayland = false;
};
hardware.opengl.driSupport32Bit = true;
hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
hardware.opengl.driSupport = true;
hardware.pulseaudio.support32Bit = true;
networking = {
hostName = hostname;
macvlans = {
intif0 = {
interface = "eno1";
mode = "bridge";
};
};
interfaces = {
eno1.useDHCP = false;
intif0 = {
macAddress = "02:dd:80:52:83:9b";
useDHCP = false;
ipv4.addresses = [
{
address = "10.0.0.110";
prefixLength = 24;
}
];
};
};
};
hardware.bluetooth.enable = true;
users.users.niten = {
extraGroups = ["adbusers"];
};
virtualisation.lxd.enable = true;
}


@ -1,98 +0,0 @@
{ host_ipv4, config }:
{
dnssec = true;
mx = ["smtp.informis.land"];
hosts = {
procul = {
ip-addresses = [ "172.86.179.18" ];
ssh-fingerprints = [
"4 1 2a8e086d3589ce50b58c55bc35638af8da23988e"
"4 2 55a9f7c0addf08bb24c62ced954574db6e95eff38ee56d6a2cff312d20eb910e"
"1 1 d089902f60751b3d35b5329bf7b906df254d5fa7"
"1 2 8deebf42bbc40881a327f561bffd5d7bd328a4fc94d4e4ce8c502a9c6cbdfb92"
];
};
};
default-host = "172.86.179.18";
srv-records = {
tcp = {
domain = [{
host = "ns1.informis.land";
port = 53;
}];
ssh = [{
host = "procul.informis.land";
port = 22;
}];
submission = [{
host = "procul.informis.land";
port = 587;
}];
kerberos = [{
host = "procul.informis.land";
port = 88;
}];
kerberos-adm = [{
host = "procul.informis.land";
port = 749;
}];
imaps = [{
host = "procul.informis.land";
port = 993;
priority = 0;
}];
pop3s = [{
host = "procul.informis.land";
port = 995;
priority = 10;
}];
http = [{
host = "procul.informis.land";
port = 80;
}];
https = [{
host = "procul.informis.land";
port = 443;
}];
};
udp = {
domain = [{
host = "ns1.informis.land";
port = 53;
}];
kerberos = [{
host = "procul.informis.land";
port = 88;
}];
kerberos-master = [{
host = "procul.informis.land";
port = 88;
}];
kpasswd = [{
host = "procul.informis.land";
port = 464;
}];
};
};
aliases = {
smtp = "procul.informis.land.";
imap = "procul.informis.land.";
gemini = "procul.informis.land.";
git = "procul.informis.land.";
};
extra-dns-records = [
''_kerberos IN TXT "INFORMIS.LAND"''
''@ IN TXT "v=spf1 mx ip4:${host_ipv4}/29 -all"''
''@ IN SPF "v=spf1 mx ip4:${host_ipv4}/29 -all"''
];
dmarc-report-address = "dmarc-report@informis.land";
}


@ -1,14 +0,0 @@
{ config, ... }:
{
config = {
users.users = {
viator = {
isNormalUser = true;
description = "Viator";
createHome = true;
hashedPassword = "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
};
};
};
}


@ -1,64 +0,0 @@
{ config, pkgs, lib, ... }:
let
name = "Niten";
email = "niten@fudo.org";
in {
programs = {
bash = { enable = true; };
git = {
enable = true;
userName = name;
userEmail = email;
};
};
xresources.properties = {
"Xft.antialias" = 1;
"Xft.autohint" = 0;
"Xft.dpi" = 192;
"Xft.hinting" = 1;
"Xft.hintstyle" = "hintfull";
"Xft.lcdfilter" = "lcddefault";
};
services.gpg-agent.enable = true;
# services.redshift = {
# enable = true;
# latitude = "51.0";
# longitude = "47.0";
# brightness.day = "1";
# brightness.night = "0.5";
# tray = true;
# };
home = {
file = {
".doom.d" = {
source = pkgs.doom-emacs-config;
recursive = true;
onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh";
};
".k5login" = {
source = pkgs.writeText "niten-k5login" ''
niten@FUDO.ORG
niten/root@FUDO.ORG
niten@INFORMIS.LAND
niten/root@INFORMIS.LAND
'';
};
};
sessionVariables = {
EDITOR = "emacsclient -t";
ALTERNATE_EDITOR = "";
# Don't put duplicates or whitespace in bash history
HISTCONTROL = "ignoredups:ignorespace";
};
};
}


@ -1,43 +0,0 @@
{ config, pkgs, lib, ... }:
let
name = "Root";
email = "root@fudo.org";
in {
programs = {
git = {
enable = true;
userName = name;
userEmail = email;
};
};
services.gpg-agent.enable = true;
home = {
file = {
".doom.d" = {
source = pkgs.doom-emacs-config;
recursive = true;
onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh";
};
".k5login" = {
source = pkgs.writeText "niten-k5login" ''
niten@FUDO.ORG
niten/root@FUDO.ORG
niten@INFORMIS.LAND
niten/root@INFORMIS.LAND
'';
};
};
sessionVariables = {
EDITOR = "emacsclient -t";
ALTERNATE_EDITOR = "";
HISTCONTROL = "ignoredups:ignorespace";
};
};
}