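{ config, lib, pkgs, ... }:

with lib;

let
  # Public addresses of this host. primary-ip is bound on extif0 under
  # networking below; git-server-ip is only referenced from the commented-out
  # gitea block.
  primary-ip = "208.81.3.117";
  git-server-ip = "208.81.3.118";

  hostname = config.instance.hostname;
  domain-name = config.fudo.hosts.${hostname}.domain;
  domain = config.fudo.domains.${domain-name};
  host-fqdn = "${hostname}.${domain-name}";

  mail-hostname = "mail.fudo.org";
  mail-directory = "/srv/mail";

  # Secrets declared for this host (fudo.secrets.host-secrets.${hostname}
  # below) and the shared secret-file catalogue they are sourced from.
  secrets = config.fudo.secrets.host-secrets.france;
  secret-files = config.fudo.secrets.files;

  # Produce a PEM file holding `chain` followed by the Let's Encrypt CA
  # certificate from pkgs.letsencrypt-ca.  Only installPhase runs; the two
  # cat commands must stay on separate lines.
  letsencrypt-full-chain = name: chain:
    pkgs.stdenv.mkDerivation {
      name = "${name}-letsencrypt-full-chain.pem";
      phases = "installPhase";
      installPhase = ''
        cat ${chain} > $out
        cat ${pkgs.letsencrypt-ca}/ca.pem >> $out
      '';
    };

in {
  # imports = let
  #   is-regular-file = filename: type: type == "regular" || type == "link";
  #   regular-files = path:
  #     attrNames (filterAttrs is-regular-file (builtins.readDir path));
  #   is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null;
  #   nix-files = path:
  #     map
  #       (file: path + "/${file}")
  #       (filter is-nix-file (regular-files path));
  # in nix-files ./france;

  config = {
    security.acme.email = "admin@fudo.org";

    # Service data lives on dedicated btrfs subvolumes of pool0, all mounted
    # noexec so nothing written there can be executed in place.
    fileSystems = {
      "/srv/archiva" = {
        fsType = "btrfs";
        label = "pool0";
        options = [ "noatime" "nodiratime" "noexec" "subvol=archiva" ];
      };
      "/srv/grafana" = {
        fsType = "btrfs";
        label = "pool0";
        options = [ "noatime" "nodiratime" "noexec" "subvol=grafana" ];
      };
      ${mail-directory} = {
        fsType = "btrfs";
        label = "pool0";
        options = [ "noatime" "nodiratime" "noexec" "subvol=mail" ];
      };
    };

    # Unprivileged account the archiva container runs as.
    users.users.archiva = {
      isSystemUser = true;
      group = "nogroup";
    };

    virtualisation = {
      lxd.enable = true;
      oci-containers = {
        backend = "docker";
        containers = {
          archiva = {
            image = "xetusoss/archiva";
            autoStart = true;
            # Publish the container's 8080 on loopback only: the nginx vhost
            # below proxies to 127.0.0.1:8001, and without the address prefix
            # Docker would publish the port on every interface, exposing the
            # plain-HTTP (SSL_ENABLED = false) service on extif0 as well.
            ports = [ "127.0.0.1:8001:8080/tcp" ];
            # Ugly: name-to-uid lookup fails.
            # NOTE(review): users.users.archiva declares no uid, so this may
            # evaluate to `toString null` == "" -- confirm the container is
            # started with the intended uid.
            user = toString config.users.users.archiva.uid;
            volumes = [ "/srv/archiva:/archiva-data" ];
            environment = {
              # Not directly connected to the world anyway
              SSL_ENABLED = "false";
              PROXY_BASE_URL = "https://archiva.fudo.org/";
            };
          };
        };
      };
    };

    fudo = let
      # Password the DNS service uses on the backplane; derived from the
      # instance build seed so it is stable across rebuilds.
      backplane-dns-password-file =
        pkgs.lib.passwd.stablerandom-passwd-file
          "dns-service-backplane-passwd"
          "dns-service-backplane-passwd-${config.instance.build-seed}";
    in {
      hosts.france.external-interfaces = [ "extif0" ];

      # ACME certificate for the host, with copies readable by postgres and
      # openldap under their own users.
      acme.host-domains.france."france.fudo.org" = {
        admin-email = "admin@fudo.org";
        local-copies = {
          postgres = { user = "postgres"; };
          openldap = { user = config.services.openldap.user; };
        };
      };

      # Secrets installed under /run, owned by the consuming service.
      secrets.host-secrets.${hostname} = let
        ldap-user = config.services.openldap.user;
        ldap-group = config.services.openldap.group;
      in {
        ldap-keytab = {
          source-file = secret-files.service-keytabs.france.ldap;
          target-file = "/run/openldap/ldap.keytab";
          user = ldap-user;
          group = ldap-group;
        };
        ldap-root-passwd = {
          source-file = pkgs.lib.passwd.random-passwd-file "ldap-root-passwd" 20;
          target-file = "/run/openldap/root.passwd";
          user = ldap-user;
          group = ldap-group;
        };
        postgres-keytab = {
          source-file = secret-files.service-keytabs.france.postgres;
          target-file = "/run/postgres/postgres.keytab";
          user = "postgres"; # This is just plain hard-coded...
        };
        backplane-dns-password = {
          source-file = backplane-dns-password-file;
          target-file = "/run/backplane/dns/xmpp.passwd";
          user = config.fudo.backplane.dns.user;
        };
      };

      client.dns = {
        ipv4 = true;
        ipv6 = true;
        user = "fudo-client";
        external-interface = "extif0";
      };

      # france = {
      #   ldap = let
      #     cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap;
      #     chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}";
      #   in {
      #     ssl-certificate = cert-copy.certificate;
      #     ssl-private-key = cert-copy.private-key;
      #     ssl-ca-certificate = chain;
      #     keytab = secrets.ldap-keytab.target-file;
      #     root-password-file = secrets.ldap-root-passwd.target-file;
      #   };
      #   kdc = {
      #     state-directory = "/state/kerberos";
      #     master-key-file = secret-files.realm-master-keys."FUDO.ORG";
      #     listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
      #   };
      #   jabber = {
      #     ldap-servers = [ "france.fudo.org" ];
      #     listen-ips = [ primary-ip ];
      #     backplane = {
      #       host-passwd-files = let
      #         hosts = attrNames config.fudo.hosts;
      #       in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file)
      #         config.fudo.hosts;
      #       service-passwd-files = {
      #         dns = backplane-dns-password-file;
      #       };
      #     };
      #   };
      #   backplane-server = {
      #     listen-ips = [ primary-ip ];
      #     backplane-dns-password-file =
      #       secrets.backplane-dns-password.target-file;
      #   };
      #   mail = {
      #     mail-directory = "${mail-directory}/mailboxes";
      #     state-directory = "${mail-directory}/var";
      #     ldap-server-urls = [
      #       "ldap://france.fudo.org"
      #     ];
      #   };
      #   webmail = {
      #     mail-server = mail-hostname;
      #     database.hostname = "localhost";
      #   };
      #   git = {
      #     repository-directory = "/state/gitea/repo";
      #     state-directory = "/state/gitea/state";
      #     ssh.listen-ip = git-server-ip;
      #     database-host = "localhost";
      #   };
      #   postgresql = let
      #     cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres;
      #   in {
      #     keytab = secrets.postgres-keytab.target-file;
      #     ssl-certificate = cert-copy.certificate;
      #     ssl-private-key = cert-copy.private-key;
      #   };
      #   dns = {
      #     default-host = primary-ip;
      #     listen-ip = primary-ip;
      #     mail-hosts = [ "mail.fudo.org" ];
      #   };
      #   chat = {
      #     chat-hostname = "chat.fudo.org";
      #     mail-server = "mail.fudo.org";
      #     database-host = "localhost";
      #   };
      # };

      # minecraft-server = {
      #   enable = true;
      #   package = pkgs.minecraft-current;
      #   data-dir = "/state/minecraft/selbyland";
      #   world-name = "selbyland";
      #   motd = "Welcome to the Selby Minecraft server.";
      # };
    };

    networking = {
      interfaces = {
        # Internal LAN side.
        intif0 = {
          ipv4.addresses = [{
            address = "192.168.11.1";
            prefixLength = 24;
          }];
        };
        # Public side, carrying primary-ip.
        extif0 = {
          ipv4.addresses = [{
            address = primary-ip;
            prefixLength = 28;
          }];
        };
      };
    };

    services = {
      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedTlsSettings = true;
        recommendedProxySettings = true;

        virtualHosts = {
          # Redirects everything to webmail.  NOTE(review): enableACME is set
          # but no addSSL/forceSSL/onlySSL, so this vhost presumably only
          # listens on plain HTTP -- confirm that is intended.
          "mail.fudo.org" = {
            enableACME = true;
            locations."/".return = "301 https://webmail.fudo.org$request_uri";
          };

          # TLS front for the archiva container published on loopback above.
          "archiva.fudo.org" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://127.0.0.1:8001";
              # X-Forwarded-For is set from $remote_addr rather than appended
              # to, so a client-supplied value is never forwarded upstream.
              # NOTE(review): recommendedProxySettings already emits Host,
              # X-Real-IP, X-Forwarded-For and X-Forwarded-Proto; verify the
              # duplicated directives resolve the way you expect.
              extraConfig = ''
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-By $server_addr:$server_port;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
              '';
            };
          };
        };
      };
    };
  };
}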