Piles o' changes

2020-06-06 20:58:13 -05:00 · 2020-06-06 20:58:13 -05:00 · 9f59ff30fe
commit 9f59ff30fe
parent 2aa6b8efc6
21 changed files with 587 additions and 152 deletions
--- a/config/fudo/chat.nix
+++ b/config/fudo/chat.nix
@ -154,6 +154,8 @@ in {
      };
    };
    security.acme.certs.${cfg.hostname}.email = config.fudo.common.admin-email;
    services.nginx = {
      enable = true;
--- a/config/fudo/common.nix
+++ b/config/fudo/common.nix
@ -46,5 +46,11 @@ with lib;
      description = "Path at which to store www files for serving.";
      example = /var/www;
    };
    admin-email = mkOption {
      type = types.str;
      description = "Email for administrator of this system.";
      default = "admin@fudo.org";
    };
  };
 }
--- a/config/fudo/git.nix
+++ b/config/fudo/git.nix
@ -0,0 +1,115 @@
 { pkgs, lib, config, ... }:
 with lib;
 let
  cfg = config.fudo.git;
  databaseOpts = { ... }: {
    options = {
      name = mkOption {
        type = types.str;
        description = "Database name.";
      };
      hostname = mkOption {
        type = types.str;
        description = "Hostname of the database server.";
      };
      user = mkOption {
        type = types.str;
        description = "Database username.";
      };
      password-file = mkOption {
        type = types.path;
        description = "File containing the database user's password.";
      };
    };
  };
 in {
  options.fudo.git = {
    enable = mkEnableOption "Enable Fudo git web server.";
    hostname = mkOption {
      type = types.str;
      description = "Hostname at which this git server is accessible.";
      example = "git.fudo.org";
    };
    site-name = mkOption {
      type = types.str;
      description = "Name to use for the git server.";
      default = "Fudo Git";
    };
    database = mkOption {
      type = (types.submodule databaseOpts);
      description = "Gitea database options.";
    };
    repository-dir = mkOption {
      type = types.path;
      description = "Path at which to store repositories.";
      example = /srv/git/repo;
    };
    state-dir = mkOption {
      type = types.path;
      description = "Path at which to store server state.";
      example = /srv/git/state;
    };
    user = mkOption {
      type = with types; nullOr str;
      description = "System user as which to run.";
      default = "git";
    };
  };
  config = mkIf cfg.enable {
    security.acme.certs.${cfg.hostname}.email = config.fudo.common.admin-email;
    services = {
      gitea = {
        enable = true;
        appName = cfg.site-name;
        database = {
          createDatabase = true;
          host = cfg.database.hostname;
          name = cfg.database.name;
          user = cfg.database.user;
          passwordFile = cfg.database.password-file;
        };
        domain = cfg.hostname;
        httpAddress = "127.0.0.1";
        httpPort = 3543;
        repositoryRoot = toString cfg.repository-dir;
        stateDir = toString cfg.state-dir;
        rootUrl = "https://${cfg.hostname}/";
        user = mkIf (cfg.user != null) cfg.user;
      };
      nginx = {
        enable = true;
        virtualHosts = {
          "${cfg.hostname}" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://127.0.0.1:3543";
              extraConfig = ''
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-By $server_addr:$server_port;
              proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
            };
          };
        };
      };
    };
  };
 }
--- a/config/fudo/grafana.nix
+++ b/config/fudo/grafana.nix
@ -5,6 +5,7 @@
 with lib;
 let
  cfg = config.fudo.grafana;
  fudo-cfg = config.fudo.common;
  database-name = "grafana";
  database-user = "grafana";
@ -73,6 +74,8 @@ in {
  };
  config = mkIf cfg.enable {
    security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;
    services.nginx = {
      enable = true;
--- a/config/fudo/mail-container.nix
+++ b/config/fudo/mail-container.nix
@ -16,7 +16,7 @@ let
  container-mail-user = "mailer";
  container-mail-user-id = 542;
  container-mail-group = "mailer";
-  trusted-networks = config.fudo.common.local-networks;
+  fudo-cfg = config.fudo.common;
 in rec {
  options.fudo.mail-server.container = {
@ -25,18 +25,6 @@ in rec {
      description = "URL of the LDAP server to use for authentication.";
      example = "ldaps://auth.fudo.org/";
    };
    # host-ip = mkOption {
    #   type = types.str;
    #   description = "The IP to assign to this server, for communication with the mail server container.";
    #   default = "10.110.0.1";
    # };
    # container-ip = mkOption {
    #   type = types.str;
    #   description = "The IP to assign to the mail server container.";
    #   default = "10.110.0.2";
    # };
  };
  config = mkIf (cfg.enableContainer && !cfg.enable) {
@ -73,6 +61,8 @@ in rec {
      };
    };
    security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;
    services.nginx = mkIf cfg.monitoring {
      enable = true;
@ -81,9 +71,9 @@ in rec {
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
        '';
-        trusted-network-string = optionalString ((length trusted-networks) > 0)
+        trusted-network-string = optionalString ((length fudo-cfg.local-networks) > 0)
          (concatStringsSep "\n"
-            (map (network: "allow ${network};") trusted-networks)) + "\ndeny all;";
+            (map (network: "allow ${network};") fudo-cfg.local-networks)) + "\ndeny all;";
      in {
        "${cfg.hostname}" = {
@ -123,30 +113,6 @@ in rec {
      };
    };
    # services.xinetd = let
    #   xinetd-entry = name: port: {
    #     name = name;
    #     port = port;
    #     protocol = "tcp";
    #     server = "";
    #     extraConfig = ''
    #       socket_type = stream
    #       wait = no
    #       redirect = ${cfg.container.container-ip} ${toString port}
    #     '';
    #   };
    # in {
    #   enable = true;
    #   services = [
    #     (xinetd-entry "smtp" 25)
    #     (xinetd-entry "pop3" 110)
    #     (xinetd-entry "pop3s" 995)
    #     (xinetd-entry "imap" 143)
    #     (xinetd-entry "imaps" 993)
    #     (xinetd-entry "submission" 587)
    #   ];
    # };
    containers.mail-server = {
      autoStart = true;
@ -210,46 +176,45 @@ in rec {
          };
        };
-        fudo.mail-server =
+        fudo.mail-server = {
-          {
+          enable = true;
-            enable = true;
+          hostname = cfg.hostname;
-            hostname = cfg.hostname;
+          domain = cfg.domain;
            domain = cfg.domain;
-            debug = cfg.debug;
+          debug = cfg.debug;
-            monitoring = cfg.monitoring;
+          monitoring = cfg.monitoring;
-            state-directory = container-statedir;
+          state-directory = container-statedir;
-            mail-directory = container-maildir;
+          mail-directory = container-maildir;
-            postfix.ssl-certificate = "/etc/${container-postfix-cert}";
+          postfix.ssl-certificate = "/etc/${container-postfix-cert}";
-            postfix.ssl-private-key = "/etc/postfix-certs/key.pem";
+          postfix.ssl-private-key = "/etc/postfix-certs/key.pem";
-            dovecot = {
+          dovecot = {
-              ssl-certificate = "/etc/${container-dovecot-cert}";
+            ssl-certificate = "/etc/${container-dovecot-cert}";
-              ssl-private-key = "/etc/dovecot-certs/key.pem";
+            ssl-private-key = "/etc/dovecot-certs/key.pem";
-              ldap-ca = "/etc/${container-fudo-ca-cert}";
+            ldap-ca = "/etc/${container-fudo-ca-cert}";
-              ldap-urls = cfg.dovecot.ldap-urls;
+            ldap-urls = cfg.dovecot.ldap-urls;
-              ldap-reader-dn = cfg.dovecot.ldap-reader-dn;
+            ldap-reader-dn = cfg.dovecot.ldap-reader-dn;
-              ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd;
+            ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd;
            };
            local-domains = cfg.local-domains;
            alias-users = cfg.alias-users;
            user-aliases = cfg.user-aliases;
            sender-blacklist = cfg.sender-blacklist;
            recipient-blacklist = cfg.recipient-blacklist;
            trusted-networks = cfg.trusted-networks;
            mail-user = container-mail-user;
            mail-user-id = container-mail-user-id;
            mail-group = container-mail-group;
            clamav.enable = cfg.clamav.enable;
            dkim.signing = cfg.dkim.signing;
          };
          local-domains = cfg.local-domains;
          alias-users = cfg.alias-users;
          user-aliases = cfg.user-aliases;
          sender-blacklist = cfg.sender-blacklist;
          recipient-blacklist = cfg.recipient-blacklist;
          trusted-networks = cfg.trusted-networks;
          mail-user = container-mail-user;
          mail-user-id = container-mail-user-id;
          mail-group = container-mail-group;
          clamav.enable = cfg.clamav.enable;
          dkim.signing = cfg.dkim.signing;
        };
      };
    };
  };
--- a/config/fudo/mail/postfix.nix
+++ b/config/fudo/mail/postfix.nix
@ -105,9 +105,10 @@ in {
      domain = cfg.domain;
      origin = cfg.domain;
      hostname = cfg.hostname;
-      destination = ["localhost" "localhost.localdomain"] ++
+      destination = ["localhost" "localhost.localdomain"];
-                    (map (domain: "localhost.${domain}") cfg.local-domains) ++
+      # destination = ["localhost" "localhost.localdomain"] ++
-                    cfg.local-domains;
+      #               (map (domain: "localhost.${domain}") cfg.local-domains) ++
      #               cfg.local-domains;
      enableHeaderChecks = true;
      enableSmtp = true;
--- a/config/fudo/node-exporter.nix
+++ b/config/fudo/node-exporter.nix
@ -20,6 +20,8 @@ in {
  };
  config = mkIf cfg.enable {
    security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;
    services = {
      # This'll run an exporter at localhost:9100
      prometheus.exporters.node = {
--- a/config/fudo/postgres.nix
+++ b/config/fudo/postgres.nix
@ -65,8 +65,9 @@ let
        (username: attrs:
          stringJoin "\n"
            (map (db: ''
-              host   ${username}   ${db}   127.0.0.1/16   md5
+              local  ${db}  ${username}   md5
-              host   ${username}   ${db}   ::1/128        md5
+              host   ${db}  ${username}   127.0.0.1/16   md5
              host   ${db}  ${username}   ::1/128        md5
            '') (attrNames attrs.databases)))
        users);
@ -117,6 +118,24 @@ in {
      description = "A map of databases to database options.";
      default = {};
    };
    socket-directory = mkOption {
      type = types.str;
      description = "Directory in which to place unix sockets.";
      default = "/run/postgresql";
    };
    socket-group = mkOption {
      type = types.str;
      description = "Group for accessing sockets.";
      default = "postgres_local";
    };
    local-users = mkOption {
      type = with types; listOf str;
      description = "Users able to access the server via local socket.";
      default = [];
    };
  };
  config = mkIf cfg.enable {
@ -157,6 +176,12 @@ in {
      };
    };
    users.groups = {
      ${cfg.socket-group} = {
        members = ["postgres"] ++ cfg.local-users;
      };
    };
    services.postgresql = {
      enable = true;
      package = pkgs.postgresql_11_gssapi;
@ -172,23 +197,23 @@ in {
          })
        cfg.users;
-      extraConfig =
+      extraConfig = ''
        ''
        krb_server_keyfile = '/etc/postgresql/private/postgres.keytab'
        ssl = true
        ssl_cert_file = '/etc/postgresql/cert.pem'
        ssl_key_file = '/etc/postgresql/private/privkey.pem'
-        unix_socket_directories = '/var/run/postgresql'
+        unix_socket_directories = '${cfg.socket-directory}'
        unix_socket_group = '${cfg.socket-group}'
        unix_socket_permissions = 0777
      '';
-      authentication =
+      authentication = lib.mkForce ''
        ''
        local   all              all             ident
        ${makeLocalUserPasswordEntries cfg.users}
        local   all              all             ident
        # host-local
        host    all              all             127.0.0.1/32            gss include_realm=0 krb_realm=FUDO.ORG
        host    all              all             ::1/128                 gss include_realm=0 krb_realm=FUDO.ORG
@ -204,6 +229,7 @@ in {
    systemd.services.postgresql.postStart = ''
      ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${pkgs.postgresql}/bin/psql --port ${toString config.services.postgresql.port} -f /etc/postgresql/private/user-script.sql -d postgres
      ${pkgs.coreutils}/bin/chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL*
    '';
  };
 }
--- a/config/fudo/prometheus.nix
+++ b/config/fudo/prometheus.nix
@ -77,6 +77,8 @@ in {
  config = mkIf cfg.enable {
    security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;
    services.nginx = {
      enable = true;
--- a/config/fudo/system.nix
+++ b/config/fudo/system.nix
@ -0,0 +1,37 @@
 { pkgs, lib, config, ... }:
 with lib;
 let
  cfg = config.fudo.system;
 in {
  options.fudo.system = {
    disableTransparentHugePages = mkOption {
      type = types.bool;
      description = ''
        Disable transparent huge pages (recommended for database loads, in
        particular for Redis.
      '';
      default = false;
    };
    postHugePageServices = mkOption {
      type = with types; listOf str;
      description = "List of systemd services that should wait until after THP are disabled.";
      default = [];
      example = ["redis.service"];
    };
  };
  config = mkIf cfg.disableTransparentHugePages {
    systemd.services.disableHugePages = {
      description = "Turn off Transparent Huge Pages (https://www.kernel.org/doc/Documentation/vm/transhuge.txt)";
      after = [ "sysinit.target" "localfs-target" ];
      before = cfg.postHugePageServices;
      enable = true;
      serviceConfig = {
        ExecStart = "/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null";
        Type = "oneshot";
      };
    };
  };
 }
--- a/config/fudo/webmail.nix
+++ b/config/fudo/webmail.nix
@ -145,6 +145,12 @@ let
        };
        default = null;
      };
      admin-email = mkOption {
        type = types.str;
        description = "Email of administrator of this site.";
        default = "admin@fudo.org";
      };
    };
  };
@ -220,6 +226,11 @@ in {
      };
    };
    security.acme.certs = mapAttrs' (site: site-cfg:
      nameValuePair site {
        email = site-cfg.admin-email;
      }) cfg.sites;
    services = {
      phpfpm = {
        pools.webmail = {
@ -273,46 +284,62 @@ in {
      };
    };
-    systemd.services.nginx.preStart = let
+    systemd.services = {
-      link-configs = concatStringsSep "\n" (mapAttrsToList (site: site-cfg: let
+      webmail-init = let
-        cfg-file = builtins.toFile "${site}-rainloop.cfg" (import ./include/rainloop.nix lib site site-cfg site-packages.${site}.version);
+        link-configs = concatStringsSep "\n" (mapAttrsToList (site: site-cfg: let
-        domain-cfg = builtins.toFile "${site}-domain.cfg" ''
+          cfg-file = builtins.toFile "${site}-rainloop.cfg" (import ./include/rainloop.nix lib site site-cfg site-packages.${site}.version);
-          imap_host = "${site-cfg.mail-server}"
+          domain-cfg = builtins.toFile "${site}-domain.cfg" ''
-          imap_port = 143
+              imap_host = "${site-cfg.mail-server}"
-          imap_secure = "TLS"
+              imap_port = 143
-          imap_short_login = On
+              imap_secure = "TLS"
-          sieve_use = Off
+              imap_short_login = On
-          sieve_allow_raw = Off
+              sieve_use = Off
-          sieve_host = ""
+              sieve_allow_raw = Off
-          sieve_port = 4190
+              sieve_host = ""
-          sieve_secure = "None"
+              sieve_port = 4190
-          smtp_host = "${site-cfg.mail-server}"
+              sieve_secure = "None"
-          smtp_port = 587
+              smtp_host = "${site-cfg.mail-server}"
-          smtp_secure = "TLS"
+              smtp_port = 587
-          smtp_short_login = On
+              smtp_secure = "TLS"
-          smtp_auth = On
+              smtp_short_login = On
-          smtp_php_mail = Off
+              smtp_auth = On
-          white_list = ""
+              smtp_php_mail = Off
-        '';
+              white_list = ""
            '';
        in ''
            ${pkgs.coreutils}/bin/mkdir -p ${base-data-path}/${site}/_data_/_default_/configs
            ${pkgs.coreutils}/bin/cp ${cfg-file} ${base-data-path}/${site}/_data_/_default_/configs/application.ini
-      in ''
+            ${pkgs.coreutils}/bin/mkdir -p ${base-data-path}/${site}/_data_/_default_/domains/
-        mkdir -p ${base-data-path}/${site}/_data_/_default_/configs
+            ${pkgs.coreutils}/bin/cp ${domain-cfg} ${base-data-path}/${site}/_data_/_default_/domains/${site-cfg.domain}.ini
-        cp ${cfg-file} ${base-data-path}/${site}/_data_/_default_/configs/application.ini
+          '') cfg.sites);
        scriptPkg = (pkgs.writeScriptBin "webmail-init.sh" ''
              #!${pkgs.bash}/bin/bash -e
              ${link-configs}
              ${pkgs.coreutils}/bin/chown -R ${webmail-user}:${webmail-group} ${base-data-path}
              ${pkgs.coreutils}/bin/chmod -R ug+w ${base-data-path}
            '');
      in {
        requiredBy = [ "nginx.service" ];
        description = "Initialize webmail service directories prior to starting nginx.";
        script = "${scriptPkg}/bin/webmail-init.sh";
      };
-        mkdir -p ${base-data-path}/${site}/_data_/_default_/domains/
+      phpfpm-webmail-socket-perm = {
-        cp ${domain-cfg} ${base-data-path}/${site}/_data_/_default_/domains/${site-cfg.domain}.ini
+        wantedBy = [ "multi-user.target" ];
        description = "Change ownership of the phpfpm socket for webmail once it's started.";
        requires = [ "phpfpm-webmail.service" ];
        serviceConfig = {
          ExecStart = ''
            ${pkgs.coreutils}/bin/chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket}
          '';
        };
      };
-      '') cfg.sites);
+      nginx = {
-
+        requires = [ "webmail-init.service" ];
-    in ''
+        wantedBy = [ "phpfpm-webmail-socket-perm.service" ];
-      ${link-configs}
+      };
-
+    };
      chown -R ${webmail-user}:${webmail-group} ${base-data-path}
      chmod -R ug+w ${base-data-path}
    '';
    systemd.services.phpfpm-webmail.postStart = ''
      chown ${webmail-user}:${webmail-group} ${config.services.phpfpm.pools.webmail.socket}
    '';
  };
 }
--- a/config/local.nix
+++ b/config/local.nix
@ -7,6 +7,7 @@ with lib;
    ./fudo/authentication.nix
    ./fudo/chat.nix
    ./fudo/common.nix
    ./fudo/git.nix
    ./fudo/grafana.nix
    ./fudo/kdc.nix
    ./fudo/ldap.nix
@ -16,6 +17,7 @@ with lib;
    ./fudo/node-exporter.nix
    ./fudo/postgres.nix
    ./fudo/prometheus.nix
    ./fudo/system.nix
    ./fudo/webmail.nix
    ../fudo/profiles
--- a/defaults.nix
+++ b/defaults.nix
@ -10,6 +10,7 @@
  ];
  nixpkgs.config.allowUnfree = true;
  security.acme.acceptTerms = true;
  environment.systemPackages = with pkgs; [
    asdf
@ -84,11 +85,10 @@
  krb5.libdefaults.default_realm = "FUDO.ORG";
  krb5.kerberos = pkgs.heimdalFull;
  console.keyMap = "dvp";
  i18n = {
    # consoleFont = "Lat2-Terminus16";
    consoleKeyMap = "dvp";
    defaultLocale = "en_US.UTF-8";
    # consoleUseXkbConfig = true;
  };
  programs = {
--- a/fudo/groups.nix
+++ b/fudo/groups.nix
@ -35,6 +35,7 @@
      "joker4ever"
      "jun"
      "kevin"
      "kevinyinjunjie"
      "kris"
      "laura"
      "leefolio"
@ -108,6 +109,7 @@
    members = [
      "ansyg"
      "joker4ever"
      "kevinyinjunjie"
      "niten"
      "omefire"
      "reaper"
--- a/fudo/sender-blacklist.nix
+++ b/fudo/sender-blacklist.nix
@ -2,6 +2,7 @@
 #  spamming. Learn2passward!
 [
  "animus@fudo.org"
  "ark@fudo.org"
  "theblacksun@fudo.org"
 ]
--- a/fudo/users.nix
+++ b/fudo/users.nix
@ -19,14 +19,14 @@
    uid = 10002;
    group = "fudo";
    common-name = "James Frazer";
-    hashed-password = "{MD5}5EenPxFXCKCkxMGFmSAHqQ==";
+    hashed-password = "";
  };
  ark = {
    uid = 10005;
    group = "fudo";
    common-name = "Roger Wong";
-    hashed-password = "{SHA}H1+3u18I7JG+xcy7jBaKu1M6GFk=";
+    hashed-password = "";
  };
  ben = {
@ -415,4 +415,11 @@
    common-name = "Fudo Chat";
    hashed-password = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7";
  };
  kevinyinjunjie = {
    uid = 10112;
    group = "fudo";
    common-name = "Kevin";
    hashed-password = "{SSHA}1onx6HPMKCJvmLnRf1tiWFJ1D92DEtnl";
  };
 }
--- a/hosts/france.nix
+++ b/hosts/france.nix
@ -6,6 +6,8 @@ let
  hostname = "france.${domain}";
  mail-hostname = hostname;
  host_ipv4 = "208.81.3.117";
  # Use a special IP for git.fudo.org, since it needs to be SSH-able
  docker_ipv4 = "208.81.3.126";
  all-hostnames = [];
  acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
@ -56,6 +58,7 @@ in {
    lxd
    multipath-tools
    nix-prefetch-docker
    tshark
  ];
  fudo.prometheus = {
@ -109,6 +112,18 @@ in {
    ];
    users = {
      fudo_git = {
        password = fileContents "/srv/git/secure/db.passwd";
        databases = {
          fudo_git = "ALL PRIVILEGES";
        };
      };
      gitlab_postgres = {
        password = fileContents "/srv/gitlab/secure/db.passwd";
        databases = {
          gitlab = "ALL PRIVILEGES";
        };
      };
      grafana = {
        password = fileContents "/srv/grafana/secure/db.passwd";
        databases = {
@ -130,7 +145,13 @@ in {
      niten = {};
    };
    local-users = [
      "fudo_git"
    ];
    databases = {
      fudo_git = ["niten"];
      gitlab = ["niten"];
      grafana = ["niten"];
      mattermost = ["niten"];
      webmail = ["niten"];
@ -217,7 +238,7 @@ in {
    mail-directory = "${system-mail-directory}/mailboxes";
    dovecot.ldap-reader-dn = "cn=user_db_reader,dc=fudo,dc=org";
-    dovecot.ldap-reader-passwd = removeSuffix "\n" (readFile /srv/ldap/secure/user_db.passwd);
+    dovecot.ldap-reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;
    # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.
    dovecot.ldap-urls = [ "ldap://france.fudo.org" ];
@ -245,6 +266,33 @@ in {
          password-file = /srv/webmail/secure/db.passwd;
        };
      };
      "webmail.test.fudo.org" = {
        title = "Fudo Webmail";
        favicon = "/etc/nixos/static/fudo.org/favicon.ico";
        mail-server = mail-hostname;
        domain = "test.fudo.org";
        edit-mode = "Plain";
        database = {
          name = "webmail";
          hostname = "localhost";
          user = "webmail";
          password-file = /srv/webmail/secure/db.passwd;
        };
      };
      "webmail.test.selby.ca" = {
        title = "Selby Webmail";
        favicon = "/etc/nixos/static/selby.ca/favicon.ico";
        mail-server = mail-hostname;
        domain = "test.selby.ca";
        database = {
          name = "webmail";
          hostname = "localhost";
          user = "webmail";
          password-file = /srv/webmail/secure/db.passwd;
        };
      };
    };
  };
@ -264,14 +312,26 @@ in {
    };
  };
  fudo.git = {
    enable = true;
    hostname = "git.test.fudo.org";
    site-name = "Fudo Git";
    user = "fudo_git";
    database = {
      user = "fudo_git";
      password-file = /srv/git/secure/db.passwd;
      hostname = "127.0.0.1";
      name = "fudo_git";
    };
    repository-dir = /srv/git/repo;
    state-dir = /srv/git/state;
  };
  networking = {
    hostName = hostname;
    dhcpcd.enable = false;
    useDHCP = false;
    # Why on earth would these use DHCP?
    # interfaces.enp4s0f0.useDHCP = true;
    # interfaces.enp4s0f1.useDHCP = true;
    # TODO: fix IPv6
    enableIPv6 = false;
@ -282,6 +342,10 @@ in {
        interface = "enp4s0f0";
        mode = "bridge";
      };
      extif1 = {
        interface = "enp4s0f0";
        mode = "bridge";
      };
      intif0 = {
        interface = "enp4s0f1";
        mode = "bridge";
@ -290,7 +354,8 @@ in {
    interfaces = {
      extif0 = {
-        # result of: echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+        # result of:
        # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
        macAddress = "02:d4:e8:3b:10:2f";
        ipv4.addresses = [
          {
@ -299,8 +364,18 @@ in {
          }
        ];
      };
      extif1 = {
        macAddress = "02:6d:e2:e1:ad:ca";
        ipv4.addresses = [
          {
            address = docker_ipv4;
            prefixLength = 28;
          }
        ];
      };
      intif0 = {
-        # result of: echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+        # result of:
        # echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
        macAddress = "02:ba:ba:e9:08:21";
        ipv4.addresses = [
          {
@ -315,10 +390,6 @@ in {
  hardware.bluetooth.enable = false;
  virtualisation = {
    lxd = {
      enable = true;
    };
    docker = {
      enable = true;
      enableOnBoot = true;
@ -327,6 +398,10 @@ in {
        enable = true;
      };
    };
    lxd = {
      enable = true;
    };
  };
  fileSystems = {
@ -362,22 +437,129 @@ in {
    };
  };
-  ##
+  users = {
-  # Archiva
+    extraUsers = {
-  ##
+      archiva = {
        isNormalUser = false;
        group = "nogroup";
        uid = 8001;
      };
-  users.extraUsers = {
+      fudo_git = {
-    archiva = {
+        isNormalUser = false;
-      isNormalUser = false;
+        uid = 8006;
-      group = "nogroup";
+      };
-      uid = 1000;
+
      gitlab = {
        isNormalUser = false;
        uid = 8002;
      };
      gitlab_postgres = {
        isNormalUser = false;
        group = config.fudo.postgresql.socket-group;
        uid = 8003;
      };
      gitlab_redis = {
        isNormalUser = false;
        group = "redis-local";
        uid = 8004;
      };
      gitlab_www = {
        isNormalUser = false;
        group = "nogroup";
        uid = 8005;
      };
    };
    extraGroups = {
      redis-local = {
        members = ["redis"];
        gid = 7001;
      };
    };
  };
  boot.kernel.sysctl = {
    # For Redis
    "vm.overcommit_memory" = 1;
  };
  fudo.system = {
    disableTransparentHugePages = true;
    postHugePageServices = ["redis.service"];
  };
  systemd.services.redis.postStart = ''
    chgrp redis-local ${config.services.redis.unixSocket}
  '';
  security.acme.certs = {
    "archiva.fudo.org".email = config.fudo.common.admin-email;
    "git.fudo.org".email = config.fudo.common.admin-email;
  };
  services = {
    redis = {
      enable = true;
      bind = "127.0.0.1";
      unixSocket = "/run/redis/redis.socket";
      extraConfig = ''
        unixsocketperm 770
      '';
    };
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        "archiva.fudo.org" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8001";
            extraConfig = ''
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-By $server_addr:$server_port;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
              '';
          };
        };
        "git.fudo.org" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8002";
            extraConfig = ''
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-By $server_addr:$server_port;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
              '';
          };
        };
      };
    };
  };
  docker-containers = {
    archiva = {
      image = "xetusoss/archiva";
-      ports = ["127.0.0.1:8091:8080"];
+      ports = ["127.0.0.1:8001:8080"];
      # Ugly: name-to-uid lookup fails.
      user = toString config.users.users.archiva.uid;
      volumes = [
        "/srv/archiva:/archiva-data"
      ];
@ -385,19 +567,61 @@ in {
        # Not directly connected to the world anyway
        SSL_ENABLED = "false";
      };
-      # Ugly as shit: name-to-uid lookup fails.
+    };
-      #user = "1000";
+
-      user = toString config.users.users.archiva.uid;
+    gitlab = {
      image = "gitlab/gitlab-ce:12.8.1-ce.0";
      ports = [
        "127.0.0.1:8002:80"
        "${docker_ipv4}::22"
      ];
      # user = toString config.users.users.gitlab.uid;
      volumes = [
        "/run/redis:/var/opt/gitlab/redis"
        "/srv/gitlab/builds:/var/opt/gitlab/gitlab-ci/builds"
        "/srv/gitlab/config:/etc/gitlab"
        "/srv/gitlab/logs:/var/log/gitlab"
        "/srv/gitlab/gitlab:/var/opt/gitlab"
        "${config.fudo.postgresql.socket-directory}:/run/postgresql"
        "${config.fudo.postgresql.socket-directory}:/var/opt/gitlab/postgresql"
      ];
      extraDockerOptions = [
        "--hostname=git.fudo.org"
      ];
    };
  };
  systemd.services.docker-gitlab-config = let
    gitlab-config = pkgs.writeText "gitlab-config.rb" ''
      gitlab_rails['db_adapter'] = "postgresql"
      gitlab_rails['db_encoding'] = "unicode"
      gitlab_rails['db_database'] = "gitlab"
      gitlab_rails['db_username'] = "gitlab_postgres"
      gitlab_rails['db_password'] = "${fileContents /srv/gitlab/secure/db.passwd}"
      user['uid'] = "${toString config.users.users.gitlab.uid}"
      user['gid'] = "${toString config.users.groups.redis-local.gid}"
      # Provided externally
      redis['enable'] = false
      postgresql['enable'] = false
      web_server['uid'] = "${toString config.users.users.gitlab_www.uid}"
      web_server['gid'] = "${toString config.users.groups.nogroup.gid}"
    '';
  in {
    # before = ["docker-gitlab.service"];
    script = "cp -f ${gitlab-config} /srv/gitlab/config/gitlab.rb";
  };
  systemd.services.docker-gitlab.requires = ["docker-gitlab-config.service"];
  ###
  # Minecraft
  ###
  fudo.minecraft-server = {
    enable = true;
-    package = pkgs.minecraft-server_1_15_1;
+    package = pkgs.minecraft-server_1_15_2;
    data-dir = minecraft-data-dir;
    world-name = "selbyland";
    motd = "Welcome to the Selby Minecraft server.";
--- a/packages/local.nix
+++ b/packages/local.nix
@ -15,9 +15,22 @@
      };
    });
    minecraft-server_1_15_2 = pkgs.minecraft-server.overrideAttrs (oldAttrs: rec {
      version = "1.15.2";
      src = builtins.fetchurl {
        url = "https://launcher.mojang.com/v1/objects/bb2b6b1aefcd70dfd1892149ac3a215f6c636b07/server.jar";
        sha256 = "12kynrpxgcdg8x12wcvwkxka0fxgm5siqg8qq0nnmv0443f8dkw0";
      };
    });
    postgresql_11_gssapi = pkgs.postgresql_11.overrideAttrs (oldAttrs: rec {
      configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ];
      buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
    });
    postgresql_12_gssapi = pkgs.postgresql_12.overrideAttrs (oldAttrs: rec {
      configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ];
      buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
    });
  };
 }
--- a/static/fudo.link/favicon.ico
+++ b/static/fudo.link/favicon.ico
--- a/static/fudo.org/favicon.ico
+++ b/static/fudo.org/favicon.ico
--- a/static/selby.ca/favicon.ico
+++ b/static/selby.ca/favicon.ico