

3 commits

14 changed files with 170 additions and 78 deletions


@ -10,7 +10,7 @@ This is the repository for the NixOS configurations of the Katzen Café (Katzen
- [x] Penpot
- [x] Forgejo
- [ ] Vault
- [ ] Jitsi
- [x] Jitsi
- [x] Mumble
- [ ] Nextcloud
- [ ] Karton


@ -7,11 +7,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1689948211,
"narHash": "sha256-XVDDrerEzYucD6cL7nNW7dNfGhDnhfpB+rbuDvlaWrc=",
"lastModified": 1690376079,
"narHash": "sha256-IJiajoljCMUGlp1bwT/loXs1B3RH2FXpLepnqvcPNEY=",
"owner": "hercules-ci",
"repo": "arion",
"rev": "9ba47f9fbb8650158d9983e19b53206586be4382",
"rev": "f0436c8478d1b5530c115a6b1202c4478dfe2f81",
"type": "github"
},
"original": {
@ -44,11 +44,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1690660551,
"narHash": "sha256-4F5dkDy52pLeP8Pnxz/rFzFx6ckL7bZkY0VazaEcr7U=",
"lastModified": 1690952814,
"narHash": "sha256-Mv7zH8BIjtsUSsdgE8UvFdMvwJ+FXQAb5bHsJKzYHMM=",
"owner": "famedly",
"repo": "conduit",
"rev": "afd8112e25a86918c7f9ac657523698b2e0315f4",
"rev": "06ab707c79b58df2eca96add0f419755e3522bdf",
"type": "gitlab"
},
"original": {
@ -361,11 +361,11 @@
},
"nixpkgsUnstable": {
"locked": {
"lastModified": 1690031011,
"narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=",
"lastModified": 1691006197,
"narHash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "12303c652b881435065a98729eb7278313041e49",
"rev": "66aedfd010204949cb225cf749be08cb13ce1813",
"type": "github"
},
"original": {
@ -425,11 +425,11 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1690148897,
"narHash": "sha256-l/j/AX1d2K79EWslwgWR2+htkzCbtjKZsS5NbWXnhz4=",
"lastModified": 1690927903,
"narHash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ac1acba43b2f9db073943ff5ed883ce7e8a40a2c",
"rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86",
"type": "github"
},
"original": {


@ -49,7 +49,7 @@
./modules/base-stuff.nix
./modules/proxy.nix
./modules/postgres.nix
# ./modules/jitsi.nix
./modules/jitsi.nix
./modules/containers
./modules/conduit.nix
./modules/keycloak.nix


@ -13,23 +13,26 @@
#];
#};
#networking.useDHCP = lib.mkDefault true;
systemd.services."NetworkManager-wait-oline".enable = false;
networking = {
nameservers = [ "9.9.9.9" "149.112.112.112" ];
hostName = "katzen-cafe";
networkmanager = {
enable = true;
unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" ];
unmanaged = [ "interface-name:ve-phtanumb+" "interface-name:ve-katzenwiki" "interface-name:ve-nextcloud" ];
};
firewall.allowedTCPPorts = [ 22 80 443 ];
firewall.allowedTCPPorts = [ 22 80 443 2222];
firewall.checkReversePath = false;
# firewall.allowedUDPPorts = [ 25568 25569 ];
nat = {
enable = true;
internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" ];
internalInterfaces = [ "ve-phtanumb+" "ve-katzenwiki" "ve-nextcloud" ];
externalInterface = "enp1s0";
};
interfaces."enp1s0" = {
ipv6.addresses = [{
address = "2a01:4f8:c17:c51f::";
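Review bot: The new `2222` in `firewall.allowedTCPPorts` is undocumented and, judging by the Forgejo change in this compare (`START_SSH_SERVER = true; SSH_PORT = 2222;`), presumably exposes a second SSH daemon to the internet; a comment such as `firewall.allowedTCPPorts = [ 22 80 443 2222 ]; # 2222: Forgejo built-in SSH server` records that coupling and also fixes the missing space before `]`. The container interface names are now listed twice, in `networkmanager.unmanaged` and `nat.internalInterfaces`, and must be kept in sync by hand; a shared `let` binding would prevent the next drift. The unit name `NetworkManager-wait-oline` on the context line looks like a typo for `NetworkManager-wait-online`, in which case that line disables nothing, though it predates this change. The enclosing `networking` set continues outside the hunk.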


@ -5,5 +5,6 @@
./phtanumb-wiki.nix
./calckey.nix
./penpot.nix
./nextcloud.nix
];
}


@ -28,7 +28,7 @@
database = {
type = "mysql";
};
virtualHost = {
httpd.virtualHost = {
hostName = "wiki.katzen.cafe";
adminAddr = "admin@katzen.cafe";
listen = [


@ -0,0 +1,64 @@
{ pkgs, ... }:
{
containers."nextcloud" = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.3.1";
localAddress = "10.0.3.2";
bindMounts = {
"/var/lib/nextcloud" = {
hostPath = "/nextcloud/data";
isReadOnly = false;
};
"/var/lib/postgresql" = {
hostPath = "/nextcloud/db";
isReadOnly = false;
};
"/var/secret" = {
hostPath = "/nextcloud/secret";
isReadOnly = true;
};
};
config = { config, pkgs, ... }: {
networking.firewall.enable = false;
environment.etc."resolv.conf".text = "nameserver 9.9.9.9";
services.nextcloud = {
enable = true;
https = true;
config = {
dbtype = "pgsql";
dbhost = "/run/postgresql";
adminpassFile = "/var/secret/nextcloud-admin-pass";
trustedProxies = [ "10.0.3.1" ];
};
hostName = "wolke.katzen.cafe";
package = pkgs.nextcloud27;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit bookmarks calendar contacts;
user_oidc = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v1.3.3/user_oidc-v1.3.3.tar.gz";
sha256 = "sha256-s8xr25a40/ot7KDv3Vn7WBm4Pb13LzzK62ZNYufXQ2w";
};
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
system.stateVersion = "23.05";
};
};
deployment.keys = {
"nextcloud-admin-pass" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/nextcloud-admin-pass" ];
destDir = "/nextcloud/secret";
permissions = "0604";
};
};
}
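Review bot: `permissions = "0604"` on the `nextcloud-admin-pass` key makes the Nextcloud admin password world-readable on the host and, through the read-only bind mount at `/var/secret`, to every process inside the container. Prefer `permissions = "0600";` (or `0640`) with the key's `user`/`group` set to the account that actually reads it — if declarative NixOS containers share the host's numeric uids, that is the container's `nextcloud` uid/gid; confirm before relying on it. The same `0604` is kept on `noreply-mail-pw-plain` in the Forgejo hunk. Separately, `networking.firewall.enable = false;` in the container exposes everything it listens on to the host side, while the proxy hunk only forwards to port 80, so `networking.firewall.allowedTCPPorts = [ 80 ];` would suffice. The `rec` on the `fetchNextcloudApp` attribute set is unused, since neither `url` nor `sha256` refers to the other.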


@ -15,7 +15,7 @@
depends_on = [ "penpot-postgres" "penpot-redis" ];
networks = [ "penpot" ];
environment = {
"PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc";
"PENPOT_FLAGS" = "enable-registration disable-login disable-login-with-password enable-login-with-oidc enable-smtp";
"PENPOT_PREPL_HOST" = "0.0.0.0";
"PENPOT_PUBLIC_URI" = "https://design.katzen.cafe";
@ -35,16 +35,15 @@
"PENPOT_OIDC_BASE_URI" = "https://auth.katzen.cafe/realms/katzen.cafe/";
#"PENPOT_OIDC_" = "";
#"PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>";
#"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>";
#"PENPOT_SMTP_HOST" = "smtp.migadu.com";
#"PENPOT_SMTP_PORT" = "587";
#"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
#"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
#"PENPOT_SMTP_TLS" = "true";
#"PENPOT_SMTP_SSL" = "false";
"PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply@katzen.cafe>";
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply@katzen.cafe>";
"PENPOT_SMTP_HOST" = "mail.katzen.cafe";
"PENPOT_SMTP_PORT" = "465";
"PENPOT_SMTP_USERNAME" = "noreply@katzen.cafe";
"PENPOT_SMTP_TLS" = "true";
# "PENPOT_SMTP_SSL" = "true";
};
env_file = [ "/penpot/secret/oidcPpSecret" ];
env_file = [ "/var/lib/secrets/penpot-secrets" ];
};
"penpot-frontend".service = {
image = "penpotapp/frontend:latest";
@ -84,9 +83,9 @@
};
};
deployment.keys = {
"oidcPpSecret" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/penpot-keycloak-secret" ];
destDir = "/penpot/secret/";
"penpot-secrets" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/penpot-secrets" ];
destDir = "/var/lib/secrets";
};
};
}
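Review bot: `PENPOT_SMTP_PORT = "465"` together with `PENPOT_SMTP_TLS = "true"` and `PENPOT_SMTP_SSL` left commented out looks inconsistent: port 465 is the implicit-TLS (SMTPS) port, which is what the Forgejo (`PROTOCOL = "smtps"`) and Grafana (`mail.katzen.cafe:465`) changes in this compare use, and if Penpot's `TLS` option means STARTTLS while `SSL` means implicit TLS, as its documentation suggests, the connection will fail against a server that speaks TLS first. Either set `"PENPOT_SMTP_SSL" = "true";` or use the STARTTLS port, and confirm against the running mailserver. The new `penpot-secrets` key specifies no `permissions`, so it gets the deployment tool's default, which is the right choice here and contrasts with the `0604` used on the other keys in this compare. The arion service definition continues outside the hunk.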


@ -19,6 +19,8 @@
ROOT_URL = "https://forge.katzen.cafe/";
HTTP_PORT = 8082;
DOMAIN = "forge.katzen.cafe";
START_SSH_SERVER = true;
SSH_PORT = 2222;
};
service = {
REGISTER_MANUAL_CONFIRM = true;
@ -29,25 +31,19 @@
};
mailer = {
ENABLED = true;
FROM = "forge@noreply.katzen.cafe";
MAILER_TYPE = "smtp";
FROM = "noreply@katzen.cafe";
PROTOCOL = "smtps";
SMTP_ADDR = "mail.katzen.cafe";
SMTP_PORT = 465;
IS_TLS_ENABLED = true;
USER = "forge@noreply.katzen.cafe";
USER = "noreply@katzen.cafe";
};
};
mailerPasswordFile = "/forgejo/secret/mailerPassword";
mailerPasswordFile = "/var/lib/secrets/noreply-mail-pw-plain";
};
deployment.keys = {
"forgejoDbPw" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/forgejo-db-pw" ];
destDir = "/forgejo/secret/";
permissions = "0604";
};
"mailerPassword" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mailer-pw-forgejo" ];
destDir = "/forgejo/secret/";
"noreply-mail-pw-plain" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-pw-plain" ];
destDir = "/var/lib/secrets";
permissions = "0604";
};
};
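Review bot: The hunk deletes the `forgejoDbPw` deployment key without a visible change to the database settings, which lie outside the hunk; if the database configuration still points at `/forgejo/secret/forgejoDbPw`, the service will fail after the next deploy — confirm before merging. The new `noreply-mail-pw-plain` key keeps `permissions = "0604"` (world-readable), apparently because Forgejo and Grafana now read the same plaintext file; a `group` shared by both services with `permissions = "0640";` would avoid handing the mailbox password to every local account. `SSH_PORT = 2222;` deserves a comment noting that the host firewall change in this compare opens that port, since the two settings must move together.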


@ -1,5 +1,7 @@
{ pkgs, ... }:
{
# Jitsi for some reason needs 127.0.0.1:8080, and will fail if it can't get it
# what the fuck is this service...
services.jitsi-meet = {
enable = true;
hostName = "meet.katzen.cafe";


@ -5,7 +5,7 @@
settings = {
http-port = 8080;
http-host = "127.0.0.1";
http-host = "127.0.0.3";
http-enabled = true;
https-port = 8443;
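Review bot: The new `http-host = "127.0.0.3"` is an unexplained magic address; the reason (Jitsi hard-requiring `127.0.0.1:8080`, per the comment added in jitsi.nix) and the coupled `proxyPass = "http://127.0.0.3:8080"` in proxy.nix should be recorded here, e.g. `http-host = "127.0.0.3"; # 127.0.0.1:8080 is claimed by jitsi-meet; proxy.nix forwards here`. Changing `http-port` instead of the loopback address would be the more conventional fix and does not depend on the whole 127/8 block being bound. The enclosing `settings` set continues outside the hunk.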


@ -5,23 +5,14 @@
enable = true;
fqdn = "mail.katzen.cafe";
sendingFqdn = "katzen.cafe";
domains = [ "katzen.cafe" "noreply.katzen.cafe" ];
domains = [ "katzen.cafe" ];
loginAccounts = {
"admin@katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/admin-mail-pw";
aliases = [ "postmaster@katzen.cafe" "abuse@katzen.cafe" ];
};
"ck@noreply.katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/noreply-mail-ck";
};
"forge@noreply.katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/noreply-mail-forgejo";
};
"keycloak@noreply.katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/noreply-mail-keycloak";
};
"penpot@noreply.katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/noreply-mail-penpot";
"noreply@katzen.cafe" = {
hashedPasswordFile = "/var/lib/secrets/noreply-mail-pw";
};
};
certificateScheme = "acme-nginx";
@ -31,20 +22,8 @@
keyCommand = [ "cat" "/home/jade/keys-tmp/admin-mail-pw" ];
destDir = "/var/lib/secrets";
};
"noreply-mail-ck" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-ck" ];
destDir = "/var/lib/secrets";
};
"noreply-mail-forgejo" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-forgejo" ];
destDir = "/var/lib/secrets";
};
"noreply-mail-keycloak" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-keycloak" ];
destDir = "/var/lib/secrets";
};
"noreply-mail-penpot" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-penpot" ];
"noreply-mail-pw" = {
keyCommand = [ "cat" "/home/jade/keys-tmp/noreply-mail-pw" ];
destDir = "/var/lib/secrets";
};
};
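Review bot: Collapsing the per-service `*@noreply.katzen.cafe` accounts into a single `noreply@katzen.cafe` login means Forgejo, Penpot and Grafana now share one mailbox credential (the hash in `noreply-mail-pw` here, the plaintext `noreply-mail-pw-plain` in the Forgejo and monitoring hunks), so compromise of any one service yields sending rights for all of them and the password cannot be rotated per service. If that trade-off is deliberate, a comment on the `"noreply@katzen.cafe"` account naming its consumers would make it explicit. Dropping `noreply.katzen.cafe` from `domains` also leaves any DNS, DKIM or SPF records for that subdomain orphaned, which this hunk does not touch.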


@ -5,14 +5,17 @@
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
enabledCollectors = [ "systemd" "processes" ];
};
nginx = {
enable = true;
};
};
scrapeConfigs = [
{
job_name = "katzencafe";
static_configs = [{
targets = [ "127.0.0.1:9100" ];
targets = [ "127.0.0.1:9100" "127.0.0.1:9113"];
}];
}
];
@ -25,6 +28,13 @@
http_port = 2343;
http_addr = "127.0.0.1";
};
smtp = {
enabled = true;
user = "noreply@katzen.cafe";
password = "$__file{/var/lib/secrets/noreply-mail-pw-plain}";
host = "mail.katzen.cafe:465";
from_address = "noreply@katzen.cafe";
};
};
};
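Review bot: The nginx exporter target `127.0.0.1:9113` is appended to the existing `katzencafe` job, so node and nginx metrics share one `job` label; a separate entry such as `{ job_name = "nginx"; static_configs = [{ targets = [ "127.0.0.1:9113" ]; }]; }` keeps the series distinguishable, and the missing space before `]` repeats the slip in the firewall hunk. Grafana's `password = "$__file{/var/lib/secrets/noreply-mail-pw-plain}"` reads a file the Forgejo hunk deploys with mode `0604`; see the note there. `host = "mail.katzen.cafe:465"` relies on Grafana choosing implicit TLS for port 465, which I believe it does by port number, but is worth confirming on the first alert test.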


@ -11,6 +11,10 @@
group = "nginx";
keyType = "rsa4096";
};
"miau.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
};
"forge.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
@ -35,10 +39,10 @@
group = "nginx";
keyType = "rsa4096";
};
# "mumble.katzen.cafe" = {
# group = "murmur";
# keyType = "rsa4096";
# };
"mumble.katzen.cafe" = {
group = "murmur";
keyType = "rsa4096";
};
"hc-vault.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
@ -47,6 +51,10 @@
group = "nginx";
keyType = "rsa4096";
};
"wolke.katzen.cafe" = {
group = "nginx";
keyType = "rsa4096";
};
# "prosody.katzen.cafe" = {
# group = "prosody";
# keyType = "rsa4096";
@ -57,6 +65,8 @@
# };
};
};
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
@ -68,6 +78,24 @@
statusPage = true;
virtualHosts = {
"miau.katzen.cafe" = {
forceSSL = true;
enableACME = true;
locations."/" = {
root = "/var/www/miau";
};
};
"_.katzen.cafe" = {
# Catchall vhost, will redirect users to HTTPS for all vhosts
serverAliases = [ "*.katzen.cafe" ];
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/acme-challenge";
};
locations."/" = {
return = "301 https://$host$request_uri";
root = "/var/www/miau";
};
};
"grafana.katzen.cafe" = {
forceSSL = true;
enableACME = true;
@ -102,7 +130,7 @@
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
proxyPass = "http://127.0.0.3:8080";
# proxy_set_header Host $host;
extraConfig = ''
proxy_buffers 4 256k;
@ -139,6 +167,16 @@
proxyPass = "http://10.0.1.2";
};
};
"wolke.katzen.cafe" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://10.0.3.2";
};
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'';
};
"hc-vault.katzen.cafe" = {
forceSSL = true;
enableACME = true;
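Review bot: In the new `_.katzen.cafe` catch-all, `root = "/var/www/miau"` inside `locations."/"` is dead configuration because the unconditional `return = "301 https://$host$request_uri";` ends the request before any file is served; drop it so the redirect's intent is clear. The vhost is evidently meant to be the port-80 default, but without `default = true` nginx picks the first server block for requests whose Host matches no `server_name`, and since the redirect target is built from `$host` (the client-supplied header), an unmatched Host could be echoed into the Location header; setting `default = true;` and confirming `$host` is only ever a `*.katzen.cafe` name closes that. The ACME challenge location is only reachable over HTTP here, which is correct for HTTP-01 but worth a comment since the other vhosts use `enableACME` directly. The `virtualHosts` set continues past the end of this hunk.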