3b666eee63
...
57a9d854ae
Author | SHA1 | Date | |
---|---|---|---|
57a9d854ae | |||
4353c90e2b | |||
02a6440717 |
14 changed files with 170 additions and 78 deletions
|
@ -10,7 +10,7 @@ This is the repository for the NixOS configurations of the Katzen Café (Katzen
|
|||
- [x] Penpot
|
||||
- [x] Forgejo
|
||||
- [ ] Vault
|
||||
- [ ] Jitsi
|
||||
- [x] Jitsi
|
||||
- [x] Mumble
|
||||
- [ ] Nextcloud
|
||||
- [ ] Karton
|
||||
|
|
24
flake.lock
24
flake.lock
|
@ -7,11 +7,11 @@
|
|||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1689948211,
|
||||
"narHash": "sha256-XVDDrerEzYucD6cL7nNW7dNfGhDnhfpB+rbuDvlaWrc=",
|
||||
"lastModified": 1690376079,
|
||||
"narHash": "sha256-IJiajoljCMUGlp1bwT/loXs1B3RH2FXpLepnqvcPNEY=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "arion",
|
||||
"rev": "9ba47f9fbb8650158d9983e19b53206586be4382",
|
||||
"rev": "f0436c8478d1b5530c115a6b1202c4478dfe2f81",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -44,11 +44,11 @@
|
|||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1690660551,
|
||||
"narHash": "sha256-4F5dkDy52pLeP8Pnxz/rFzFx6ckL7bZkY0VazaEcr7U=",
|
||||
"lastModified": 1690952814,
|
||||
"narHash": "sha256-Mv7zH8BIjtsUSsdgE8UvFdMvwJ+FXQAb5bHsJKzYHMM=",
|
||||
"owner": "famedly",
|
||||
"repo": "conduit",
|
||||
"rev": "afd8112e25a86918c7f9ac657523698b2e0315f4",
|
||||
"rev": "06ab707c79b58df2eca96add0f419755e3522bdf",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
|
@ -361,11 +361,11 @@
|
|||
},
|
||||
"nixpkgsUnstable": {
|
||||
"locked": {
|
||||
"lastModified": 1690031011,
|
||||
"narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=",
|
||||
"lastModified": 1691006197,
|
||||
"narHash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "12303c652b881435065a98729eb7278313041e49",
|
||||
"rev": "66aedfd010204949cb225cf749be08cb13ce1813",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -425,11 +425,11 @@
|
|||
},
|
||||
"nixpkgs_5": {
|
||||
"locked": {
|
||||
"lastModified": 1690148897,
|
||||
"narHash": "sha256-l/j/AX1d2K79EWslwgWR2+htkzCbtjKZsS5NbWXnhz4=",
|
||||
"lastModified": 1690927903,
|
||||
"narHash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ac1acba43b2f9db073943ff5ed883ce7e8a40a2c",
|
||||
"rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -49,7 +49,7 @@
|
|||
./modules/base-stuff.nix
|
||||
./modules/proxy.nix
|
||||
./modules/postgres.nix
|
||||
# ./modules/jitsi.nix
|
||||
./modules/jitsi.nix
|
||||
./modules/containers
|
||||
./modules/conduit.nix
|
||||
./modules/keycloak.nix
|
||||
|
|
|
@ -13,23 +13,26 @@
|
|||
#];
|
||||
#};
|
||||
#networking.useDHCP = lib.mkDefault true;
|
||||
systemd.services."NetworkManager-wait-oline".enable = false;
|
||||
networking = {
|
||||
nameservers = [ "9.9.9.9" "149.112.112.112" ];
|
||||
hostName = "katzen-cafe";
|
||||
networkmanager = {
|
||||
enable = true;
|
||||
unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" ];
|
||||
unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" "interface-name:ve-nextcloud" ];
|
||||
};
|
||||
|
||||
firewall.allowedTCPPorts = [ 22 80 443 ];
|
||||
firewall.allowedTCPPorts = [ 22 80 443 2222];
|
||||
firewall.checkReversePath = false;
|
||||
# firewall.allowedUDPPorts = [ 25568 25569 ];
|
||||
|
||||
nat = {
|
||||
enable = true;
|
||||
internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" ];
|
||||
internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" "ve-nextcloud" ];
|
||||
externalInterface = "enp1s0";
|
||||
};
|
||||
|
||||
|
||||
interfaces."enp1s0" = {
|
||||
ipv6.addresses = [{
|
||||
address = "2a01:4f8:c17:c51f::";
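Review bot: `systemd.services."NetworkManager-wait-oline".enable = false;` misspells the unit name, so the override attaches to a unit that does not exist and the real `NetworkManager-wait-online.service` stays enabled; it should read `systemd.services."NetworkManager-wait-online".enable = false;` (the hunk's 23→26 line counts suggest some of these unpaired lines are new in this compare, but the typo is on the new side either way). The new `2222` in `firewall.allowedTCPPorts = [ 22 80 443 2222]` opens a port host-wide with nothing saying what listens there — from the Forgejo change in the same compare it is Forgejo's built-in Go SSH server, which is not covered by sshd's hardening — so record that and fix the spacing: `firewall.allowedTCPPorts = [ 22 80 443 2222 ]; # 2222: Forgejo built-in SSH, see modules/forgejo`. `firewall.checkReversePath = false;` switches rpfilter off entirely; for NAT'd `ve-*` container interfaces NixOS also accepts `"loose"`, which keeps the asymmetric-route check for everything else and is worth trying first. The `networking` attrset continues beyond the end of the hunk.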
|
||||
|
|
|
@ -5,5 +5,6 @@
|
|||
./phtanumb-wiki.nix
|
||||
./calckey.nix
|
||||
./penpot.nix
|
||||
./nextcloud.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
database = {
|
||||
type = "mysql";
|
||||
};
|
||||
virtualHost = {
|
||||
httpd.virtualHost = {
|
||||
hostName = "wiki.katzen.cafe";
|
||||
adminAddr = "admin@katzen.cafe";
|
||||
listen = [
|
||||
|
|
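--- /dev/null
+++ b/modules/containers/nextcloud.nix
@@ -0,0 +1,64 @@
+{ pkgs, ... }:
+{
+containers."nextcloud" = {
+autoStart = true;
+privateNetwork = true;
+hostAddress = "10.0.3.1";
+localAddress = "10.0.3.2";
+bindMounts = {
+"/var/lib/nextcloud" = {
+hostPath = "/nextcloud/data";
+isReadOnly = false;
+};
+"/var/lib/postgresql" = {
+hostPath = "/nextcloud/db";
+isReadOnly = false;
+};
+"/var/secret" = {
+hostPath = "/nextcloud/secret";
+isReadOnly = true;
+};
+};
+config = { config, pkgs, ... }: {
+networking.firewall.enable = false;
+environment.etc."resolv.conf".text = "nameserver 9.9.9.9";
+services.nextcloud = {
+enable = true;
+https = true;
+config = {
+dbtype = "pgsql";
+dbhost = "/run/postgresql";
+adminpassFile = "/var/secret/nextcloud-admin-pass";
+trustedProxies = [ "10.0.3.1" ];
+};
+hostName = "wolke.katzen.cafe";
+package = pkgs.nextcloud27;
+extraApps = with config.services.nextcloud.package.packages.apps; {
+inherit bookmarks calendar contacts;
+user_oidc = pkgs.fetchNextcloudApp rec {
+url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v1.3.3/user_oidc-v1.3.3.tar.gz";
+sha256 = "sha256-s8xr25a40/ot7KDv3Vn7WBm4Pb13LzzK62ZNYufXQ2w";
+};
+};
+};
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "nextcloud" ];
+ensureUsers = [
+{
+name = "nextcloud";
+ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+}
+];
+};
+system.stateVersion = "23.05";
+};
+};
+deployment.keys = {
+"nextcloud-admin-pass" = {
+keyCommand = [ "cat" "/home/jade/keys-tmp/nextcloud-admin-pass" ];
+destDir = "/nextcloud/secret";
+permissions = "0604";
+};
+};
+}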
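Review bot: The initial admin password is deployed world-readable: `permissions = "0604"` on `deployment.keys."nextcloud-admin-pass"` leaves the other-read bit set on `/nextcloud/secret/nextcloud-admin-pass`, and the read-only bind mount to `/var/secret` carries that mode into the container, so any local user on the host or inside the container can read it. Because the file is consumed by the container's `nextcloud` user, the cleaner fix is to deploy it owned by that user with `permissions = "0400"` (the key's `user`/`group` options), after confirming that host and container uids line up — NixOS containers share the host uid space unless user namespaces are turned on, which this declaration does not do. `networking.firewall.enable = false;` inside the container is defensible only because `privateNetwork = true` means it is reachable solely through the host's NAT and reverse proxy; a comment saying exactly that (`# container is only reachable via host NAT / nginx on 10.0.3.1`) will stop a future reader from "fixing" it. The `rec` on `pkgs.fetchNextcloudApp rec { ... }` is unused, since neither attribute refers to the other.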
|
@ -15,7 +15,7 @@
|
|||
depends_on = [ "penpot-postgres" "penpot-redis" ];
|
||||
networks = [ "penpot" ];
|
||||
environment = {
|
||||
"PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc";
|
||||
"PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc enable-smtp";
|
||||
"PENPOT_PREPL_HOST" = "0.0.0.0";
|
||||
|
||||
"PENPOT_PUBLIC_URI" = "https://design.katzen.cafe";
|
||||
|
@ -35,16 +35,15 @@
|
|||
"PENPOT_OIDC_BASE_URI" = "https://auth.katzen.cafe/realms/katzen.cafe/";
|
||||
#"PENPOT_OIDC_" = "";
|
||||
|
||||
#"PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>";
|
||||
#"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>";
|
||||
#"PENPOT_SMTP_HOST" = "smtp.migadu.com";
|
||||
#"PENPOT_SMTP_PORT" = "587";
|
||||
#"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
|
||||
#"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
|
||||
#"PENPOT_SMTP_TLS" = "true";
|
||||
#"PENPOT_SMTP_SSL" = "false";
|
||||
"PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply@katzen.cafe>";
|
||||
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply@katzen.cafe>";
|
||||
"PENPOT_SMTP_HOST" = "mail.katzen.cafe";
|
||||
"PENPOT_SMTP_PORT" = "465";
|
||||
"PENPOT_SMTP_USERNAME" = "noreply@katzen.cafe";
|
||||
"PENPOT_SMTP_TLS" = "true";
|
||||
# "PENPOT_SMTP_SSL" = "true";
|
||||
};
|
||||
env_file = [ "/penpot/secret/oidcPpSecret" ];
|
||||
env_file = [ "/var/lib/secrets/penpot-secrets" ];
|
||||
};
|
||||
"penpot-frontend".service = {
|
||||
image = "penpotapp/frontend:latest";
|
||||
|
@ -84,9 +83,9 @@
|
|||
};
|
||||
};
|
||||
deployment.keys = {
|
||||
"oidcPpSecret" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/penpot-keycloak-secret" ];
|
||||
destDir = "/penpot/secret/";
|
||||
"penpot-secrets" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/penpot-secrets" ];
|
||||
destDir = "/var/lib/secrets";
|
||||
};
|
||||
};
|
||||
}
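Review bot: `"PENPOT_SMTP_PORT" = "465"` is combined with `"PENPOT_SMTP_TLS" = "true"` while `"PENPOT_SMTP_SSL"` stays commented out; port 465 is the implicit-TLS (SMTPS) port, and if Penpot follows the usual convention where the `TLS` flag means STARTTLS and `SSL` means implicit TLS, the client will attempt a STARTTLS handshake against a socket that expects TLS from the first byte and mail will not go out. Either set `"PENPOT_SMTP_SSL" = "true";` (and drop `PENPOT_SMTP_TLS`) for 465, or use 587 with STARTTLS — verify against the Penpot docs for the tag actually deployed, which is `latest` and can drift. Moving the SMTP password out of the Nix store into `env_file = [ "/var/lib/secrets/penpot-secrets" ]` is the right direction; the matching `"penpot-secrets"` key sets no `permissions`, so it relies on the deployment tool's default — state `permissions = "0600";` explicitly so it does not drift toward the `0604` used by other keys in this compare. The `deployment.keys` attrset is fully inside the hunk, but the service definition it belongs to starts above it.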
|
||||
|
|
|
@ -19,6 +19,8 @@
|
|||
ROOT_URL = "https://forge.katzen.cafe/";
|
||||
HTTP_PORT = 8082;
|
||||
DOMAIN = "forge.katzen.cafe";
|
||||
START_SSH_SERVER = true;
|
||||
SSH_PORT = 2222;
|
||||
};
|
||||
service = {
|
||||
REGISTER_MANUAL_CONFIRM = true;
|
||||
|
@ -29,25 +31,19 @@
|
|||
};
|
||||
mailer = {
|
||||
ENABLED = true;
|
||||
FROM = "forge@noreply.katzen.cafe";
|
||||
MAILER_TYPE = "smtp";
|
||||
FROM = "noreply@katzen.cafe";
|
||||
PROTOCOL = "smtps";
|
||||
SMTP_ADDR = "mail.katzen.cafe";
|
||||
SMTP_PORT = 465;
|
||||
IS_TLS_ENABLED = true;
|
||||
USER = "forge@noreply.katzen.cafe";
|
||||
USER = "noreply@katzen.cafe";
|
||||
};
|
||||
};
|
||||
mailerPasswordFile = "/forgejo/secret/mailerPassword";
|
||||
mailerPasswordFile = "/var/lib/secrets/noreply-mail-pw-plain";
|
||||
};
|
||||
deployment.keys = {
|
||||
"forgejoDbPw" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/forgejo-db-pw" ];
|
||||
destDir = "/forgejo/secret/";
|
||||
permissions = "0604";
|
||||
};
|
||||
"mailerPassword" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mailer-pw-forgejo" ];
|
||||
destDir = "/forgejo/secret/";
|
||||
"noreply-mail-pw-plain" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-pw-plain" ];
|
||||
destDir = "/var/lib/secrets";
|
||||
permissions = "0604";
|
||||
};
|
||||
};
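Review bot: The mailer password is deployed world-readable: the `"noreply-mail-pw-plain"` key ends with `permissions = "0604"`, and the file it writes is a plaintext SMTP credential that, after this compare, is also read by Grafana via `$__file{/var/lib/secrets/noreply-mail-pw-plain}` — any local user or any compromised service on the host can read it. Prefer `permissions = "0640";` plus a `group` both the forgejo and grafana service users belong to, or deploy one copy per consumer owned by that service user with `0400`. `IS_TLS_ENABLED = true` next to `PROTOCOL = "smtps"` states the same thing twice; recent Gitea/Forgejo releases treat `IS_TLS_ENABLED` as deprecated in favour of `PROTOCOL`, so dropping it avoids a startup warning — check the notes for the deployed version before removing it. `START_SSH_SERVER = true` enables Forgejo's built-in Go SSH server rather than the system sshd; a one-line comment such as `# built-in SSH, not sshd; port opened in the host networking module` ties it to the firewall change made elsewhere in this compare. The `settings` attrset starts above the first hunk.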
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
# Jitsi for some reason needs 127.0.0.1:8080, and will fail if it can't get it
|
||||
# what the fuck is this service...
|
||||
services.jitsi-meet = {
|
||||
enable = true;
|
||||
hostName = "meet.katzen.cafe";
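Review bot: The added comment records a real constraint but not in a form the next reader can act on — `# what the fuck is this service...` says neither which Jitsi component insists on `127.0.0.1:8080` nor what was moved to make room for it. Replace both lines with something factual, e.g. `# jitsi-meet needs 127.0.0.1:8080 and fails to start if it is taken; keycloak was moved to 127.0.0.3:8080 (modules/keycloak.nix) for that reason.` — confirming which component actually binds the port before naming it. The `services.jitsi-meet` block continues beyond the hunk.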
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
settings = {
|
||||
http-port = 8080;
|
||||
http-host = "127.0.0.1";
|
||||
http-host = "127.0.0.3";
|
||||
http-enabled = true;
|
||||
https-port = 8443;
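Review bot: `http-host = "127.0.0.3"` carries no explanation of why Keycloak binds a non-default loopback alias, and the two things that depend on it — Jitsi claiming `127.0.0.1:8080` and the nginx `proxyPass` in the proxy module — live in other files. A one-line comment keeps the three in step: `http-host = "127.0.0.3"; # 127.0.0.1:8080 is taken by jitsi-meet; proxy.nix must proxy to this address`. Binding a loopback alias is as private as `127.0.0.1`, so there is no exposure change here, provided nothing else still expects Keycloak on `127.0.0.1:8080`. The `settings` attrset continues beyond the hunk.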
|
||||
|
||||
|
|
|
@ -5,23 +5,14 @@
|
|||
enable = true;
|
||||
fqdn = "mail.katzen.cafe";
|
||||
sendingFqdn = "katzen.cafe";
|
||||
domains = [ "katzen.cafe" "noreply.katzen.cafe" ];
|
||||
domains = [ "katzen.cafe" ];
|
||||
loginAccounts = {
|
||||
"admin@katzen.cafe" = {
|
||||
hashedPasswordFile = "/var/lib/secrets/admin-mail-pw";
|
||||
aliases = [ "postmaster@katzen.cafe" "abuse@katzen.cafe" ];
|
||||
};
|
||||
"ck@noreply.katzen.cafe" = {
|
||||
hashedPasswordFile = "/var/lib/secrets/noreply-mail-ck";
|
||||
};
|
||||
"forge@noreply.katzen.cafe" = {
|
||||
hashedPasswordFile = "/var/lib/secrets/noreply-mail-forgejo";
|
||||
};
|
||||
"keycloak@noreply.katzen.cafe" = {
|
||||
hashedPasswordFile = "/var/lib/secrets/noreply-mail-keycloak";
|
||||
};
|
||||
"penpot@noreply.katzen.cafe" = {
|
||||
hashedPasswordFile = "/var/lib/secrets/noreply-mail-penpot";
|
||||
"noreply@katzen.cafe" = {
|
||||
hashedPasswordFile = "/var/lib/secrets/noreply-mail-pw";
|
||||
};
|
||||
};
|
||||
certificateScheme = "acme-nginx";
|
||||
|
@ -31,20 +22,8 @@
|
|||
keyCommand = [ "cat" "/home/jade/keys-tmp/admin-mail-pw" ];
|
||||
destDir = "/var/lib/secrets";
|
||||
};
|
||||
"noreply-mail-ck" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-ck" ];
|
||||
destDir = "/var/lib/secrets";
|
||||
};
|
||||
"noreply-mail-forgejo" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-forgejo" ];
|
||||
destDir = "/var/lib/secrets";
|
||||
};
|
||||
"noreply-mail-keycloak" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-keycloak" ];
|
||||
destDir = "/var/lib/secrets";
|
||||
};
|
||||
"noreply-mail-penpot" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-penpot" ];
|
||||
"noreply-mail-pw" = {
|
||||
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-pw" ];
|
||||
destDir = "/var/lib/secrets";
|
||||
};
|
||||
};
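Review bot: Collapsing the per-service senders (`ck@`, `forge@`, `keycloak@`, `penpot@noreply.katzen.cafe`) into one `noreply@katzen.cafe` login account means a single credential now authenticates Forgejo, Penpot and Grafana (and presumably Keycloak), so a compromise of any one service yields SMTP access for all of them and the mail logs can no longer attribute outgoing mail to a service. If the aim was a single visible From address, keep one login account per service and give them the shared address through `aliases` (and `sendOnly`, if the mailserver module version in use supports it) rather than one shared password; at minimum document the trade-off next to the account. Removing `noreply.katzen.cafe` from `domains` also orphans whatever MX/DKIM records were published for it — worth a cleanup note. The `mailserver` block continues beyond the hunk.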
|
||||
|
|
|
@ -5,14 +5,17 @@
|
|||
exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
enabledCollectors = [ "systemd" "processes" ];
|
||||
};
|
||||
nginx = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
scrapeConfigs = [
|
||||
{
|
||||
job_name = "katzencafe";
|
||||
static_configs = [{
|
||||
targets = [ "127.0.0.1:9100" ];
|
||||
targets = [ "127.0.0.1:9100" "127.0.0.1:9113"];
|
||||
}];
|
||||
}
|
||||
];
|
||||
|
@ -25,6 +28,13 @@
|
|||
http_port = 2343;
|
||||
http_addr = "127.0.0.1";
|
||||
};
|
||||
smtp = {
|
||||
enabled = true;
|
||||
user = "noreply@katzen.cafe";
|
||||
password = "$__file{/var/lib/secrets/noreply-mail-pw-plain}";
|
||||
host = "mail.katzen.cafe:465";
|
||||
from_address = "noreply@katzen.cafe";
|
||||
};
|
||||
};
|
||||
};
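Review bot: `password = "$__file{/var/lib/secrets/noreply-mail-pw-plain}"` makes the grafana service user a second reader of the plaintext SMTP password file, and elsewhere in this compare that is satisfied by deploying the key `0604` (world-readable) rather than through group membership; give grafana and forgejo a common group and restrict the file to it (`0640`), or deploy a grafana-owned copy. The new target list `targets = [ "127.0.0.1:9100" "127.0.0.1:9113"];` is missing the space before `]`, and a comment mapping the second port would help: `targets = [ "127.0.0.1:9100" "127.0.0.1:9113" ]; # node_exporter, nginx exporter`. Enabling the nginx exporter depends on `statusPage = true` in the proxy module; note that dependency here so the two are not changed independently. The prometheus and grafana attrsets both continue beyond their hunks.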
|
||||
|
||||
|
|
|
@ -11,6 +11,10 @@
|
|||
group = "nginx";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
"miau.katzen.cafe" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
"forge.katzen.cafe" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa4096";
|
||||
|
@ -35,10 +39,10 @@
|
|||
group = "nginx";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
# "mumble.katzen.cafe" = {
|
||||
# group = "murmur";
|
||||
# keyType = "rsa4096";
|
||||
# };
|
||||
"mumble.katzen.cafe" = {
|
||||
group = "murmur";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
"hc-vault.katzen.cafe" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa4096";
|
||||
|
@ -47,6 +51,10 @@
|
|||
group = "nginx";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
"wolke.katzen.cafe" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
# "prosody.katzen.cafe" = {
|
||||
# group = "prosody";
|
||||
# keyType = "rsa4096";
|
||||
|
@ -57,6 +65,8 @@
|
|||
# };
|
||||
};
|
||||
};
|
||||
|
||||
users.users.nginx.extraGroups = [ "acme" ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
|
@ -68,6 +78,24 @@
|
|||
statusPage = true;
|
||||
|
||||
virtualHosts = {
|
||||
"miau.katzen.cafe" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
root = "/var/www/miau";
|
||||
};
|
||||
};
|
||||
"_.katzen.cafe" = {
|
||||
# Catchall vhost, will redirect users to HTTPS for all vhosts
|
||||
serverAliases = [ "*.katzen.cafe" ];
|
||||
locations."/.well-known/acme-challenge" = {
|
||||
root = "/var/lib/acme/acme-challenge";
|
||||
};
|
||||
locations."/" = {
|
||||
return = "301 https://$host$request_uri";
|
||||
root = "/var/www/miau";
|
||||
};
|
||||
};
|
||||
"grafana.katzen.cafe" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
@ -102,7 +130,7 @@
|
|||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:8080";
|
||||
proxyPass = "http://127.0.0.3:8080";
|
||||
# proxy_set_header Host $host;
|
||||
extraConfig = ''
|
||||
proxy_buffers 4 256k;
|
||||
|
@ -139,6 +167,16 @@
|
|||
proxyPass = "http://10.0.1.2";
|
||||
};
|
||||
};
|
||||
"wolke.katzen.cafe" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://10.0.3.2";
|
||||
};
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
'';
|
||||
};
|
||||
"hc-vault.katzen.cafe" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
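Review bot: The new `_.katzen.cafe` catch-all can act as an open redirect: its `locations."/"` returns `301 https://$host$request_uri`, `$host` comes from the client's Host header, and NixOS emits vhosts sorted by name, so `_` (sorting before the lowercase names) very likely makes this block the default server on port 80 — a request with `Host: evil.example` would be answered with a redirect to `https://evil.example/...`. Add an explicit default vhost that drops unmatched hosts so the wildcard alias only serves `*.katzen.cafe`, e.g. `"default" = { default = true; locations."/".return = "444"; };`, or guard the redirect on `$host` matching `katzen\.cafe$`. The `root = "/var/www/miau";` under that same `return` location is unreachable and looks copied from the `miau.katzen.cafe` vhost above it. The `virtualHosts` attrset continues beyond the hunk.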
|
||||
|
|