nixos-config/config/host-config/france.nix


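{ config, lib, pkgs, ... }:

# Host configuration for "france": the externally reachable host that runs
# nginx (ACME-backed vhosts), the Archiva container, and holds the LDAP /
# postgres keytabs and backplane credentials for the fudo modules.
# The large commented-out blocks are kept verbatim; they are service
# definitions that are not currently enabled.
with lib;
let
  primary-ip = "208.81.3.117";
  git-server-ip = "208.81.3.118";

  hostname = config.instance.hostname;
  domain-name = config.fudo.hosts.${hostname}.domain;
  domain = config.fudo.domains.${domain-name};
  host-fqdn = "${hostname}.${domain-name}";

  mail-hostname = "mail.fudo.org";
  mail-directory = "/srv/mail";

  secrets = config.fudo.secrets.host-secrets.france;
  secret-files = config.fudo.secrets.files;

  # Concatenate a Let's Encrypt chain with the LE CA certificate into one PEM
  # file, for services that want the complete chain in a single file.
  # (Currently only referenced from the commented-out ldap block.)
  letsencrypt-full-chain = name: chain:
    pkgs.stdenv.mkDerivation {
      name = "${name}-letsencrypt-full-chain.pem";
      phases = "installPhase";
      installPhase = ''
        cat ${chain} > $out
        cat ${pkgs.letsencrypt-ca}/ca.pem >> $out
      '';
    };
in {
  # imports = let
  #   is-regular-file = filename: type: type == "regular" || type == "link";
  #   regular-files = path:
  #     attrNames (filterAttrs is-regular-file (builtins.readDir path));
  #   is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null;
  #   nix-files = path:
  #     map
  #       (file: path + "/${file}")
  #       (filter is-nix-file (regular-files path));
  # in nix-files ./france;

  config = {
    security.acme.email = "admin@fudo.org";

    # Data volumes are btrfs subvolumes on pool0.  `noexec` prevents anything
    # written into these directories (uploaded artifacts, mailboxes) from being
    # executed from the mount.
    fileSystems = {
      "/srv/archiva" = {
        fsType = "btrfs";
        label = "pool0";
        options = [ "noatime" "nodiratime" "noexec" "subvol=archiva" ];
      };
      "/srv/grafana" = {
        fsType = "btrfs";
        label = "pool0";
        options = [ "noatime" "nodiratime" "noexec" "subvol=grafana" ];
      };
      ${mail-directory} = {
        fsType = "btrfs";
        label = "pool0";
        options = [ "noatime" "nodiratime" "noexec" "subvol=mail" ];
      };
    };

    # Unprivileged owner for the Archiva data directory / container.  No fixed
    # uid is assigned, so config.users.users.archiva.uid is null at evaluation
    # time and only gets allocated at activation (see the container `user`
    # option below).
    users.users.archiva = {
      isSystemUser = true;
      group = "nogroup";
    };

    virtualisation = {
      lxd.enable = true;
      oci-containers = {
        backend = "docker";
        containers = {
          archiva = {
            image = "xetusoss/archiva";
            autoStart = true;
            # Bound on all interfaces; only nginx (127.0.0.1:8001) is meant to
            # reach it, external access goes through the archiva.fudo.org vhost.
            ports = [ "8001:8080/tcp" ];
            # Ugly: name-to-uid lookup fails.
            # NOTE(review): because archiva has no explicit uid, this is
            # `toString null`, i.e. "", so the container is not pinned to the
            # archiva user.  Giving the user a fixed `uid` (and passing it
            # here) would keep the container running unprivileged — confirm
            # what the docker backend does with an empty --user value.
            user = toString config.users.users.archiva.uid;
            volumes = [ "/srv/archiva:/archiva-data" ];
            environment = {
              # Not directly connected to the world anyway
              SSL_ENABLED = "false";
              PROXY_BASE_URL = "https://archiva.fudo.org/";
            };
          };
        };
      };
    };

    fudo = let
      # Password file for the DNS backplane service; presumably derived
      # deterministically from the instance build seed (by name only —
      # verify the seed itself is not readable by unprivileged users).
      backplane-dns-password-file = pkgs.lib.passwd.stablerandom-passwd-file
        "dns-service-backplane-passwd"
        "dns-service-backplane-passwd-${config.instance.build-seed}";
    in {
      hosts.france.external-interfaces = [ "extif0" ];

      # ACME certificate for the host name, with per-service copies owned by
      # the service user so each daemon only reads its own copy.
      acme.host-domains.france."france.fudo.org" = {
        email = "admin@fudo.org";
        local-copies = {
          postgres = { user = "postgres"; };
          openldap = { user = config.services.openldap.user; };
        };
      };

      # Secrets are materialised under /run/<service>/ with owner/group set
      # to the consuming service.
      secrets.host-secrets.${hostname} = let
        ldap-user = config.services.openldap.user;
        ldap-group = config.services.openldap.group;
      in {
        ldap-keytab = {
          source-file = secret-files.service-keytabs.france.ldap;
          target-file = "/run/openldap/ldap.keytab";
          user = ldap-user;
          group = ldap-group;
        };
        ldap-root-passwd = {
          # 20-character random password generated at build time.
          source-file =
            pkgs.lib.passwd.random-passwd-file "ldap-root-passwd" 20;
          target-file = "/run/openldap/root.passwd";
          user = ldap-user;
          group = ldap-group;
        };
        postgres-keytab = {
          source-file = secret-files.service-keytabs.france.postgres;
          target-file = "/run/postgres/postgres.keytab";
          user = "postgres"; # This is just plain hard-coded...
        };
        backplane-dns-password = {
          source-file = backplane-dns-password-file;
          target-file = "/run/backplane/dns/xmpp.passwd";
          user = config.fudo.backplane.dns.user;
        };
      };

      client.dns = {
        ipv4 = true;
        ipv6 = true;
        user = "fudo-client";
        external-interface = "extif0";
      };

      # france = {
      #   ldap = let
      #     cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap;
      #     chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}";
      #   in {
      #     ssl-certificate = cert-copy.certificate;
      #     ssl-private-key = cert-copy.private-key;
      #     ssl-ca-certificate = chain;
      #     keytab = secrets.ldap-keytab.target-file;
      #     root-password-file = secrets.ldap-root-passwd.target-file;
      #   };
      #   kdc = {
      #     state-directory = "/state/kerberos";
      #     master-key-file = secret-files.realm-master-keys."FUDO.ORG";
      #     listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
      #   };
      #   jabber = {
      #     ldap-servers = [ "france.fudo.org" ];
      #     listen-ips = [ primary-ip ];
      #     backplane = {
      #       host-passwd-files = let
      #         hosts = attrNames config.fudo.hosts;
      #       in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file)
      #         config.fudo.hosts;
      #       service-passwd-files = {
      #         dns = backplane-dns-password-file;
      #       };
      #     };
      #   };
      #   backplane-server = {
      #     listen-ips = [ primary-ip ];
      #     backplane-dns-password-file =
      #       secrets.backplane-dns-password.target-file;
      #   };
      #   mail = {
      #     mail-directory = "${mail-directory}/mailboxes";
      #     state-directory = "${mail-directory}/var";
      #     ldap-server-urls = [
      #       "ldap://france.fudo.org"
      #     ];
      #   };
      #   webmail = {
      #     mail-server = mail-hostname;
      #     database.hostname = "localhost";
      #   };
      #   git = {
      #     repository-directory = "/state/gitea/repo";
      #     state-directory = "/state/gitea/state";
      #     ssh.listen-ip = git-server-ip;
      #     database-host = "localhost";
      #   };
      #   postgresql = let
      #     cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres;
      #   in {
      #     keytab = secrets.postgres-keytab.target-file;
      #     ssl-certificate = cert-copy.certificate;
      #     ssl-private-key = cert-copy.private-key;
      #   };
      #   dns = {
      #     default-host = primary-ip;
      #     listen-ip = primary-ip;
      #     mail-hosts = [ "mail.fudo.org" ];
      #   };
      #   chat = {
      #     chat-hostname = "chat.fudo.org";
      #     mail-server = "mail.fudo.org";
      #     database-host = "localhost";
      #   };
      # };
      # minecraft-server = {
      #   enable = true;
      #   package = pkgs.minecraft-current;
      #   data-dir = "/state/minecraft/selbyland";
      #   world-name = "selbyland";
      #   motd = "Welcome to the Selby Minecraft server.";
      # };
    };

    networking = {
      interfaces = {
        # Internal LAN side.
        intif0 = {
          ipv4.addresses = [{
            address = "192.168.11.1";
            prefixLength = 24;
          }];
        };
        # Public side; the /28 is the host's routed block.
        extif0 = {
          ipv4.addresses = [{
            address = primary-ip;
            prefixLength = 28;
          }];
        };
      };
    };

    services = {
      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedTlsSettings = true;
        recommendedProxySettings = true;

        virtualHosts = {
          "mail.fudo.org" = {
            enableACME = true;
            # forceSSL is what makes nginx listen on 443 with the ACME
            # certificate and send plain-HTTP clients there first; with
            # enableACME alone the certificate is issued but never served,
            # so https://mail.fudo.org/ had no listener.
            forceSSL = true;
            locations."/".return = "301 https://webmail.fudo.org$request_uri";
          };

          "archiva.fudo.org" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://127.0.0.1:8001";
              # X-Forwarded-For is set to $remote_addr rather than appended
              # with $proxy_add_x_forwarded_for, so a client-supplied value
              # is discarded and the backend only sees the address nginx saw.
              extraConfig = ''
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-By $server_addr:$server_port;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
              '';
            };
          };
        };
      };
    };
  };
}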