commit ffef62284fe0ab01bc307b0b5505024e6977cb8a
parent 3fc3157e66fa3040f6fbbb3d3e7176bc93b952e0
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 24 Jan 2022 21:19:54 +0100
parent 3fc3157e66fa3040f6fbbb3d3e7176bc93b952e0
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 24 Jan 2022 21:19:54 +0100
add host: taurus
8 files changed, 507 insertions(+), 0 deletions(-)
A
|
72
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
86
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
200
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/machines/taurus/bind.nix b/machines/taurus/bind.nix
@@ -0,0 +1,42 @@
+{config, lib, pkgs, ...}:
+
+let
+ dns-zones = pkgs.fetchgit {
+ url = "https://cgit.ctu.cx/dns-zones";
+ rev = "325971a3b44324b566fa4243d686432234dafd4e";
+ sha256 = "1a1napwdwa1ss6x4vqh2nipiz4d8rmzyd6ykkrd9piszlk9ic6jh";
+ };
+
+in {
+
+ services.bind = {
+ enable = true;
+ zones = {
+ "ctu.cx" = {
+ file = "${dns-zones}/ctu.cx.zone";
+ master = true;
+ };
+ "ctucx.de" = {
+ file = "${dns-zones}/ctucx.de.zone";
+ master = true;
+ };
+ "thein.ovh" = {
+ file = "${dns-zones}/thein.ovh.zone";
+ master = true;
+ };
+ "oeffisear.ch" = {
+ file = "${dns-zones}/oeffisear.ch.zone";
+ master = true;
+ };
+ "trans-agenda.de" = {
+ file = "${dns-zones}/trans-agenda.de.zone";
+ master = true;
+ };
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+}
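Review bot: The `networking.firewall` lines at the end of the hunk open port 53 on TCP and UDP to everyone, while the `services.bind` block only declares authoritative master zones and says nothing about recursion, so whether this host answers recursive queries rests entirely on module and BIND defaults. For an authoritative-only server that should be stated explicitly so a default change cannot turn it into an open resolver, e.g. `services.bind.extraOptions = "recursion no;";`. Pinning the zone repository with `rev` plus `sha256` is good practice; it does mean zone edits only go live when this file is bumped, which is worth a one-line comment next to `dns-zones`.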
diff --git a/machines/taurus/configuration.nix b/machines/taurus/configuration.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+ imports = [
+ ./hardware-configuration.nix
+ ../../configurations/common.nix
+
+ ./syncthing.nix
+ ./node-exporter.nix
+ ./bind.nix
+ ./matrix-synapse.nix
+ ./pleroma
+ ];
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 22;
+ hostKeys = [ /etc/ssh/ssh_host_rsa_key ];
+ authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+ };
+
+ postCommands = ''
+ ip link set dev ens3 up
+ ip addr add 2a03:4000:9:f8::1/128 dev ens3
+ ip route add default via fe80::1 dev ens3 onlink
+
+ ip addr add 37.221.196.131/22 dev ens3
+ ip route add default via 37.221.196.1 dev ens3 onlink
+
+ echo 'cryptsetup-askpass' >> /root/.profile
+ '';
+ };
+ };
+
+ networking = {
+ hostName = "taurus";
+ domain = "ctu.cx";
+
+ useDHCP = false;
+
+ defaultGateway6 = {
+ interface = "ens3";
+ address = "fe80::1";
+ };
+
+ interfaces.ens3 = {
+ useDHCP = true;
+
+ ipv6.addresses = [{
+ address = "2a03:4000:9:f8::1";
+ prefixLength = 64;
+ }];
+ };
+
+ firewall.enable = true;
+ };
+
+ system.stateVersion = "21.11";
+ home-manager.users.leah.home.stateVersion = "21.11";
+
+}
+
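Review bot: `hostKeys = [ /etc/ssh/ssh_host_rsa_key ];` in the `initrd.network.ssh` block reuses the running system's SSH host key and passes it as an unquoted Nix path, so the private key is copied into the world-readable Nix store at evaluation time and is additionally carried in the initrd on `/boot`, which the hardware-configuration hunk shows is a plain vfat partition outside the LUKS volume. The initrd should get its own key that the main sshd never uses, given as a string so it is picked up as an initrd secret at activation rather than by the evaluator, e.g. `hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];` (path is an example). With that, someone who can read `/boot` or the store can at most impersonate the pre-boot unlock prompt, not the booted host.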
diff --git a/machines/taurus/hardware-configuration.nix b/machines/taurus/hardware-configuration.nix
@@ -0,0 +1,31 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/736af6d6-f9c2-464f-85e6-f3f226d0ba10";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/c445487c-e0a6-44f1-9f5d-c64cf8446597";
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/88C3-5967";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/taurus/matrix-synapse.nix b/machines/taurus/matrix-synapse.nix
@@ -0,0 +1,86 @@
+{config, lib, pkgs, ...}:
+
+let
+ secrets = import ../../secrets;
+
+in {
+ services = {
+ postgresql.enable = true;
+
+ matrix-synapse = {
+ enable = true;
+ withJemalloc = true;
+ server_name = "trans-agenda.de";
+ no_tls = false;
+ public_baseurl = "https://matrix.trans-agenda.de/";
+ max_upload_size = "100M";
+ dynamic_thumbnails = true;
+ enable_registration = true;
+ enable_registration_captcha = true;
+ registration_shared_secret = secrets.hosts.taurus.matrix.registration_shared_secret;
+ url_preview_enabled = true;
+ url_preview_ip_range_blacklist = ["127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" "169.254.0.0/16" "::1/128" "fe80::/64" "fc00::/7"];
+ listeners = [{
+ bind_address = "127.0.0.1";
+ port = 8008;
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ { names = [ "client" ]; compress = true; }
+ { names = [ "federation" ]; compress = false; }
+ ];
+ }];
+ extraConfig = ''
+ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+ recaptcha_public_key: "${secrets.hosts.taurus.matrix.recaptcha_public_key}"
+ recaptcha_private_key: "${secrets.hosts.taurus.matrix.recaptcha_private_key}"
+
+ admin_contact: 'mailto:leah@ctu.cx'
+
+ email:
+ smtp_host: osterei.ctu.cx
+ smtp_port: 587
+ smtp_user: "matrix@trans-agenda.de"
+ smtp_pass: "${secrets.hosts.taurus.matrix.smtp_password}"
+ require_transport_security: true
+ notif_from: "trans-agenda.de Matrix Server <matrix@trans-agenda.de>"
+ app_name: Matrix
+ enable_notifs: true
+ notif_for_new_users: false
+ client_base_url: "https://matrix.trans-agenda.de"
+ validation_token_lifetime: 1h
+ '';
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."matrix.trans-agenda.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/_matrix".proxyPass = "http://127.0.0.1:8008";
+ "/".root = pkgs.buildEnv {
+ name = "schildichat-web-env";
+ paths = [
+ pkgs.schildichat-web
+ (lib.hiPrio (pkgs.writeTextDir "config.json" (builtins.toJSON {
+ brand = "matrix.trans-agenda.de";
+ disable_guests = false;
+ defaultCountryCode = "DE";
+ piwik = false;
+ default_server_config = {
+ "m.homeserver" = {
+ base_url = "https://matrix.trans-agenda.de";
+ server_name = "trans-agenda.de";
+ };
+ };
+ })))
+ ];
+ };
+ };
+ };
+ };
+ };
+
+}
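Review bot: `registration_shared_secret = secrets.hosts.taurus.matrix.registration_shared_secret;` and the `${secrets.hosts.taurus.matrix.*}` interpolations inside `extraConfig` (`recaptcha_private_key`, `smtp_pass`) feed secret values into the generated homeserver configuration, which the module writes into the world-readable Nix store; anyone with a shell on the host can read them, and they also become part of the closure that is copied around. Keep these keys out of this file and supply them from a root-only file listed in `services.matrix-synapse.extraConfigFiles`, leaving only non-secret settings here. Separately, `max_upload_size = "100M"` is undercut by the nginx vhost: the NixOS `services.nginx.clientMaxBodySize` default (10m) applies to `/_matrix`, so media uploads above that will be rejected by nginx unless the vhost or global limit is raised to match.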
diff --git a/machines/taurus/node-exporter.nix b/machines/taurus/node-exporter.nix
@@ -0,0 +1,21 @@
+{config, lib, pkgs, ...}:
+
+{
+
+ services = {
+ prometheus.exporters.node.enable = true;
+ nginx = {
+ enable = true;
+ virtualHosts."${config.networking.hostName}.${config.networking.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/node-exporter" = {
+ proxyPass = "http://127.0.0.1:9100/metrics";
+ };
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+}
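Review bot: `locations."/node-exporter"` publishes the node exporter's full metrics on a public HTTPS vhost with no authentication or source restriction, so kernel, filesystem, network and process-level details of the host are readable by anyone who finds the path. Restrict the location to the scraping host, e.g. `extraConfig = "allow <monitoring-ip>; deny all;";` (placeholder address) or a `basicAuthFile`, and mention in a comment who is expected to scrape it. The exporter itself is left on the module default of listening on all interfaces, so only the firewall keeps 9100 closed; `listenAddress = "127.0.0.1"` on `services.prometheus.exporters.node` would match the `127.0.0.1:9100` proxy target and remove that dependency.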
diff --git a/machines/taurus/pleroma/config.exs b/machines/taurus/pleroma/config.exs
@@ -0,0 +1,200 @@
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+ url: [host: "trans-agenda.de", scheme: "https", port: 443],
+ http: [ip: {127, 0, 0, 1}, port: 4000]
+
+config :pleroma, Pleroma.Repo,
+ adapter: Ecto.Adapters.Postgres,
+ username: "pleroma",
+ database: "pleroma",
+ socket_dir: "/run/postgresql",
+ pool_size: 10
+
+# Configure web push notifications
+config :web_push_encryption, :vapid_details, subject: "mailto:pleroma@trans-agenda.de"
+
+config :pleroma, :database, rum_enabled: false
+config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+
+config :pleroma, :static_fe, enabled: false
+
+config :pleroma, :frontend_configurations,
+ pleroma_fe: %{
+ theme: "mammal",
+ background: "/static/bg.png",
+ logo: "/static/logo.png",
+ nsfwCensorImage: "/static/nsfw.png",
+ chatDisabled: true,
+ webPushNotifications: true,
+ showFeaturesPanel: true,
+ collapseMessageWithSubject: true,
+ hideUserStats: false
+ }
+
+config :pleroma, :instance,
+ name: "trans-agenda.de",
+ email: "the@trans-agenda.de",
+ notify_email: "the@trans-agenda.de",
+ limit: 5000,
+ registrations_open: true,
+ account_approval_required: true,
+ account_activation_required: true,
+ invites_enabled: true,
+ remote_post_retention_days: 180,
+ external_user_synchronization: true,
+ upload_limit: 50_000_000,
+ avatar_upload_limit: 10_000_000,
+ background_upload_limit: 10_000_000,
+ banner_upload_limit: 10_000_000,
+ allowed_post_formats: [
+ "text/plain",
+ "text/html",
+ "text/markdown"
+ ],
+ quarantined_instances: [
+ "search.fedi.app",
+ "freespeechextremist.com",
+ "gleasonator.com",
+ "gab.com",
+ "gab.ai",
+ "spinster.xyz",
+ "clubcyberia.co",
+ "glowers.club",
+ "shitposter.club",
+ "social.urspringer.de",
+ "pleroma.soykaf.com",
+ "nnia.space",
+ "kiwifarms.cc",
+ "wintermute.fr.to",
+ "anitwitter.moe",
+ "brighteon.social",
+ "cawfee.club",
+ "community.halle-leaks.de",
+ "crypto-group-buy.com",
+ "freefedifollowers.ga",
+ "freevoice.space",
+ "glindr.org",
+ "gs.smuglo.li",
+ "pl.smuglo.li",
+ "humblr.social",
+ "jaeger.website",
+ "lets.saynoto.lgbt",
+ "libre.tube",
+ "neckbeard.xyz",
+ "newjack.city",
+ "ohai.su",
+ "pawoo.net",
+ "pieville.net",
+ "play.xmr.101010.pl",
+ "pleroma.rareome.ga",
+ "preteengirls.biz",
+ "skippers-bin.com",
+ "sneak.berlin",
+ "the.hedgehoghunter.club",
+ "toot.canberrasocial.net",
+ "video.halle-leaks.de",
+ "weedis.life",
+ "yggdrasil.social",
+ "anime.website",
+ "collapsitarian.io",
+ "pleroma.gretagangbang.biz",
+ "gitmo.life"
+ ]
+
+config :pleroma, Pleroma.Emails.Mailer,
+ enabled: true,
+ adapter: Swoosh.Adapters.SMTP,
+ relay: "wanderduene.ctu.cx",
+ username: "the@trans-agenda.de",
+ password: "{{ lookup('diskcache', 'passwordstore', 'E-Mail/the@trans-agenda.de')}}",
+ port: 465,
+ ssl: true,
+ auth: :always
+
+config :pleroma, :media_proxy,
+ enabled: true,
+ proxy_opts: [
+ redirect_on_failure: true
+ ]
+ #base_url: "https://cache.pleroma.social"
+
+config :pleroma, :fetch_initial_posts,
+ enabled: false,
+ pages: 1
+
+config :pleroma, :shout, enabled: false
+
+config :pleroma, :mrf,
+ policies: [Pleroma.Web.ActivityPub.MRF.SimplePolicy]
+
+config :pleroma, :mrf_simple,
+ reject: [
+ "search.fedi.app",
+ "freespeechextremist.com",
+ "gleasonator.com",
+ "gab.com",
+ "gab.ai",
+ "spinster.xyz",
+ "clubcyberia.co",
+ "glowers.club",
+ "shitposter.club",
+ "social.urspringer.de",
+ "pleroma.soykaf.com",
+ "nnia.space",
+ "kiwifarms.cc",
+ "wintermute.fr.to",
+ "anitwitter.moe",
+ "brighteon.social",
+ "cawfee.club",
+ "community.halle-leaks.de",
+ "crypto-group-buy.com",
+ "freefedifollowers.ga",
+ "freevoice.space",
+ "glindr.org",
+ "gs.smuglo.li",
+ "pl.smuglo.li",
+ "humblr.social",
+ "jaeger.website",
+ "lets.saynoto.lgbt",
+ "libre.tube",
+ "neckbeard.xyz",
+ "newjack.city",
+ "ohai.su",
+ "pawoo.net",
+ "pieville.net",
+ "play.xmr.101010.pl",
+ "pleroma.rareome.ga",
+ "preteengirls.biz",
+ "skippers-bin.com",
+ "sneak.berlin",
+ "the.hedgehoghunter.club",
+ "toot.canberrasocial.net",
+ "video.halle-leaks.de",
+ "weedis.life",
+ "yggdrasil.social",
+ "anime.website",
+ "collapsitarian.io",
+ "pleroma.gretagangbang.biz",
+ "gitmo.life"
+ ]
+
+config :pleroma, :emoji,
+ shortcode_globs: ["/emoji/custom/**/*.png"],
+ groups: [
+ "Bahn": "/emoji/cuties/Bahn/*.png",
+ "Blobs": "/emoji/cuties/Blobs/*.png",
+ "Bread": "/emoji/cuties/Bread/*.png",
+ "LGBTIQ*": "/emoji/cuties/LGBTIQ\*/*.png",
+ "Signale": "/emoji/cuties/Signale/*.png",
+ "Naughty_Goose": "/emoji/cuties/naughty_goose/*.png",
+ 'Technology': "/emoji/cuties/Technology/*.png",
+ "Transportation": "/emoji/cuties/Transportation/*.png",
+ "Chaos": "/emoji/chaos/*.png",
+ "Femojis": "/emoji/femojis/*.png"
+ ]
+
+config :pleroma, configurable_from_database: false
+
+config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool, Pleroma.Upload.Filter.AnonymizeFilename, Pleroma.Upload.Filter.Dedupe]
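Review bot: `password: "{{ lookup('diskcache', 'passwordstore', 'E-Mail/the@trans-agenda.de')}}"` in the `Pleroma.Emails.Mailer` block is an unrendered Ansible-style template, and this file is read verbatim by `lib.fileContents ./config.exs` in machines/taurus/pleroma/default.nix (the next hunk). As committed, SMTP authentication to the relay will fail with that literal string; if the intent is to render it before deployment, the real password would instead end up in the world-readable Nix store together with the rest of the config. The credential belongs in the runtime `secretConfigFile` (`/var/lib/pleroma/secret.exs`) that default.nix already declares, so the `password:` line should be removed from this file and set there.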
diff --git a/machines/taurus/pleroma/default.nix b/machines/taurus/pleroma/default.nix
@@ -0,0 +1,29 @@
+{config, lib, pkgs, ...}:
+
+{
+
+ systemd.services.pleroma.path = [ pkgs.exiftool ];
+
+ services = {
+ postgresql.enable = true;
+
+ pleroma = {
+ enable = true;
+ configs = [ (lib.fileContents ./config.exs) ];
+ secretConfigFile = "/var/lib/pleroma/secret.exs";
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."trans-agenda.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:4000/";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+
+}
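Review bot: The `locations."/"` proxy in the `trans-agenda.de` vhost inherits nginx's body-size limit, while config.exs sets `upload_limit: 50_000_000`; with the NixOS `services.nginx.clientMaxBodySize` default of 10m, uploads between 10 MB and 50 MB are refused by nginx before Pleroma sees them. Either raise `services.nginx.clientMaxBodySize` or add `extraConfig = "client_max_body_size 50m;";` to this location so the two limits agree. This file also opens no firewall ports of its own; 80/443 come from node-exporter.nix via configuration.nix's imports, which deserves a comment here so dropping that import does not silently take the site offline.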
diff --git a/machines/taurus/syncthing.nix b/machines/taurus/syncthing.nix
@@ -0,0 +1,26 @@
+{config, lib, pkgs, ...}:
+
+{
+
+ imports = [
+ ../../configurations/programs/syncthing.nix
+ ];
+
+ services = {
+ syncthing = {
+ guiAddress = "0.0.0.0:8384";
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."syncthing.${config.networking.hostName}.${config.networking.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8384/";
+ };
+ };
+ };
+ };
+
+}
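Review bot: `guiAddress = "0.0.0.0:8384";` binds the Syncthing GUI and REST API on every interface, although the only client visible here is the local nginx proxy at `http://127.0.0.1:8384/`; the port is currently unreachable from outside only because the firewall does not list it. Binding to `"127.0.0.1:8384"` makes the TLS-terminated vhost the single entry point and removes that dependency on the firewall. The proxy adds no authentication of its own, so whatever GUI user and password the imported `../../configurations/programs/syncthing.nix` configures (not visible in this commit) is the only gate on this public hostname; a comment stating that assumption would help the next reader.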