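# NixOS module for the fudo.org domain.
#
# Pulls in the per-service modules under ./fudo.org (Authentik, Mastodon,
# Nextcloud, Matrix, mail) and sets the configuration shared by every Fudo
# host: nginx redirects for selby.ca and the Mastodon well-known endpoints,
# the Jabber service, and the authoritative DNS zones (enabled only on the
# primary nameserver).
{ config, lib, pkgs, ... }@toplevel:

with lib;

let
  hostname = config.instance.hostname;
  localDomain = "fudo.org";

  # Per-host service secrets. Values are file paths; services are expected
  # to read them at runtime (see the Matrix note below for the exception).
  serviceSecrets = config.fudo.secrets.files.service-secrets."${hostname}";

  inherit (pkgs.lib) getDomainHosts getHostIpv4 getHostFqdn;

  domain = config.fudo.domains."${localDomain}";

  authentikHost = "legatus";
  primaryNameserver = "germany";
  defaultHost = "germany";
  mastodonHostname = "mastodon.fudo.org";

  # Secrets scoped to the mail server's primary domain.
  mailDomainSecrets = domainName:
    config.fudo.secrets.files.domain-secrets."${domainName}";

  # DNS zones all share the same default host; only the KSK (and, for
  # fudo.org, the reverse zones) differ per zone.
  zoneDefaultHost = {
    inherit (config.fudo.zones."fudo.org".hosts."${defaultHost}")
      ipv4-address ipv6-address sshfp-records;
    description = "fudo.org";
  };

  # Build a zone entry for `zoneName`, merging any zone-specific extras.
  mkZone = zoneName: extra:
    {
      default-host = zoneDefaultHost;
      ksk = config.fudo.secrets.files.dns.key-signing-keys."${zoneName}";
    } // extra;

in {
  imports = [
    (import ./fudo.org/authentik.nix { inherit authentikHost; })

    (import ./fudo.org/mastodon.nix {
      mastodonHost = "legatus";
      inherit mastodonHostname;
      mastodonWebDomain = "fudo.org";
      # Passed as file paths; the service reads them at runtime.
      mastodonOidcClientId = serviceSecrets."mastodon-oidc.clientid";
      mastodonOidcClientSecret = serviceSecrets."mastodon-oidc.secret";
    })

    (import ./fudo.org/nextcloud.nix {
      nextcloudHost = "legatus";
      nextcloudHostname = "cloud.fudo.org";
      nextcloudPackage = pkgs.nextcloud27;
    })

    (import ./fudo.org/matrix.nix {
      matrixHost = "legatus";
      matrixServerName = "fudo.org";
      # NOTE(review): unlike the Mastodon import above, these secrets are read
      # at evaluation time with readFile. If matrix.nix writes the values into
      # a generated config file, the client secret lands in the world-readable
      # Nix store — confirm whether matrix.nix can take the file path instead.
      openIdClientId = readFile serviceSecrets."matrix-oidc.clientid";
      openIdClientSecret = readFile serviceSecrets."matrix-oidc.secret";
    })

    (import ./fudo.org/mail-server.nix (rec {
      primaryMailserver = "germany";
      # NOTE(review): the primary domain (and therefore the LDAP bind password
      # and Authentik outpost token looked up below) is test.fudo.org, while
      # servedDomains are the production domains — confirm this is intentional.
      primaryDomain = "test.fudo.org";
      authentikServer = "authentik.fudo.org";
      ldapBase = "dc=fudo,dc=org";
      ldapBindDn = "cn=userdb,ou=users,${ldapBase}";
      ldapBindPwFile = (mailDomainSecrets primaryDomain)."ldap-bind.passwd";
      saslDomain = "FUDO.ORG";
      authentikOutpostToken =
        (mailDomainSecrets primaryDomain)."authentik-ldap.token";
      servedDomains = [
        "fudo.org"
        "fudo.ca"
        "fudo.im"
        "selby.ca"
        "selbyhomecentre.com"
      ];
      # TODO: FIXME! An empty record presumably means no DKIM TXT record is
      # published, so outbound mail for servedDomains goes out unsigned.
      dkimRecord = "";
    }))
  ];

  config = {
    # All Fudo hosts should redirect selby.ca to the selbyhomecentre website.
    services.nginx.virtualHosts = {
      # Pass requests to selby on to selbyhomecentre.
      "selby.ca".locations."/".return =
        "301 https://selbyhomecentre.com$request_uri";
      "www.selby.ca".locations."/".return =
        "301 https://selbyhomecentre.com$request_uri";

      # Mastodon is served from mastodonHostname but identifies as fudo.org, so
      # the well-known discovery endpoints on fudo.org are forwarded to it.
      "fudo.org".locations = {
        "/.well-known/webfinger" = {
          # Forward the full request URI (the ?resource=acct:... query) over
          # HTTPS, as host-meta does below. Redirecting to the bare hostname
          # over plain HTTP drops the query and downgrades the lookup.
          return = "301 https://${mastodonHostname}$request_uri";
          # WebFinger is public data; allow cross-origin discovery.
          extraConfig = "add_header Access-Control-Allow-Origin '*';";
        };
        "/.well-known/host-meta" = {
          return = "301 https://${mastodonHostname}$request_uri";
        };
      };
    };

    fudo.services = {
      jabber = {
        domain = "jabber.fudo.org";
        ldap.servers =
          map (host: "${host}.${localDomain}") domain.ldap-servers;
      };

      authoritative-dns = {
        # Only the primary nameserver serves these zones authoritatively.
        enable = hostname == primaryNameserver;

        nameservers = {
          primary = primaryNameserver;
          # Secondary nameservers, described by their fudo.org zone entries.
          external = map (nsName: {
            inherit (config.fudo.zones."fudo.org".hosts."${nsName}")
              ipv4-address ipv6-address description;
          }) [ "ns2-fudo" "ns3-fudo" "ns4-fudo" ];
        };

        # IPv4 address -> FQDN for every host in the fudo.org domain.
        ip-host-map = let
          networkHosts = getDomainHosts "fudo.org";
          ipHostPairs = map
            (host: nameValuePair (getHostIpv4 host) (getHostFqdn host))
            networkHosts;
        in listToAttrs ipHostPairs;

        zones = {
          "fudo.org" = mkZone "fudo.org" {
            reverse-zones = [ "208.81.1.128/28" "208.81.3.112/28" ];
          };
          "test.fudo.org" = mkZone "test.fudo.org" { };
          "selby.ca" = mkZone "selby.ca" { };
          "fudo.ca" = mkZone "fudo.ca" { };
          "fudo.im" = mkZone "fudo.im" { };
          "stewartsoundservices.ca" = mkZone "stewartsoundservices.ca" { };
        };
      };
    };
  };
}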