			2 Commits
		
	
	
		
			setup-open
			...
			richara-ad
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 620e41695e | |||
| c8d383c9ab | 
							
								
								
									
										14
									
								
								flake.nix
									
									
									
									
									
								
							
							
						
						
									
										14
									
								
								flake.nix
									
									
									
									
									
								
							| @@ -99,20 +99,6 @@ | |||||||
|           inputs.grzegorz-clients.nixosModules.grzegorz-webui |           inputs.grzegorz-clients.nixosModules.grzegorz-webui | ||||||
|         ]; |         ]; | ||||||
|       }; |       }; | ||||||
|  |  | ||||||
|       grevling = stableNixosConfig "grevling" { |  | ||||||
|         modules = [ |  | ||||||
|           ./hosts/grevling/configuration.nix |  | ||||||
|           sops-nix.nixosModules.sops |  | ||||||
|         ]; |  | ||||||
|       }; |  | ||||||
|  |  | ||||||
|       tuba = stableNixosConfig "grevling" { |  | ||||||
|         modules = [ |  | ||||||
|           ./hosts/tuba/configuration.nix |  | ||||||
|           sops-nix.nixosModules.sops |  | ||||||
|         ]; |  | ||||||
|       }; |  | ||||||
|     }; |     }; | ||||||
|  |  | ||||||
|     devShells = forAllSystems (system: { |     devShells = forAllSystems (system: { | ||||||
|   | |||||||
| @@ -13,6 +13,7 @@ | |||||||
|     # ./services/website.nix |     # ./services/website.nix | ||||||
|     ./services/nginx.nix |     ./services/nginx.nix | ||||||
|     ./services/gitea/default.nix |     ./services/gitea/default.nix | ||||||
|  |     ./services/webmail | ||||||
|     # ./services/mediawiki.nix |     # ./services/mediawiki.nix | ||||||
|   ]; |   ]; | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
										6
									
								
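--- a/hosts/bekkalokk/services/webmail/default.nix
+++ b/hosts/bekkalokk/services/webmail/default.nix
@@ -0,0 +1,6 @@
+{ config, values, pkgs, ... }:
+{
+  imports = [
+    ./roundcube.nix
+  ];
+}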
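Review bot: `config`, `values` and `pkgs` are bound in the module arguments on the first line but none of them is used in the body, which only imports `./roundcube.nix`; `{ ... }:` would be enough and avoids suggesting a dependency that is not there. A one-line header comment naming the purpose, e.g. `# Webmail services for this host; each component lives in its own module under this directory`, would help readers of the importing configuration.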
							
								
								
									
										34
									
								
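--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.services.roundcube;
+  domain = "roundcube.pvv.ntnu.no";
+in
+{
+  services.roundcube = {
+      enable = true;
+      package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login plugins.thunderbird_labels plugins.contextmenu plugins.custom_from]);
+      dicts = with pkgs.aspellDicts; [ en en-science en-computers nb  nn fr de it];
+      maxAttachmentSize = 20;
+      # this is the url of the vhost, not necessarily the same as the fqdn of the mailserver
+      hostName = domain;
+
+      extraConfig = ''
+        # starttls needed for authentication, so the fqdn required to match
+        # the certificate
+        $config['enable_installer'] = false;
+        $config['default_host'] = "ssl://imap.pvv.ntnu.no";
+        $config['default_port'] = 993;
+        #$config['smtp_server'] = "tls://smtp.pvv.ntnu.no";
+        #$config['smtp_port'] = 25;
+        $config['smtp_server'] = "ssl://smtp.pvv.ntnu.no";
+        $config['smtp_port'] = 465;
+        # $config['smtp_user'] = "%u@pvv.ntnu.no";
+        $config['mail_domain'] = "pvv.ntnu.no";
+        $config['smtp_user'] = "%u";
+        # $config['smtp_pass'] = "%p";
+        $config['support_url'] = "";
+      '';
+  };
+}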
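Review bot: The two comment lines above `$config['enable_installer']` say STARTTLS is needed, but both the IMAP and the SMTP host are configured with `ssl://` on ports 993 and 465, which is implicit TLS rather than STARTTLS; the comment should describe what the config does, e.g. `# implicit TLS (ssl://, ports 993/465); the hostnames must match the servers' certificates`. `with lib;` and the `cfg` binding are unused in this module and can be dropped. `smtp_pass` is left commented out, so SMTP authentication relies on the upstream default for that option (`%p`, the user's login password) — presumably intended, but a one-line comment saying so would make it explicit. The `persistent_login` plugin keeps users logged in across browser sessions through a long-lived cookie, so its token lifetime and storage mode are worth reviewing and noting next to the plugin list. If the packaged Roundcube is 1.6 or newer, `default_host`/`default_port`/`smtp_server`/`smtp_port` are legacy option names superseded by `imap_host` and `smtp_host`; verify they are still honoured by the deployed version.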
| @@ -1,36 +0,0 @@ | |||||||
| { config, pkgs, values, ... }: |  | ||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|       # Include the results of the hardware scan. |  | ||||||
|       ./hardware-configuration.nix |  | ||||||
|       ../../base.nix |  | ||||||
|       ../../misc/metrics-exporters.nix |  | ||||||
|  |  | ||||||
|       ./services/openvpn |  | ||||||
|     ]; |  | ||||||
|  |  | ||||||
|   boot.loader.systemd-boot.enable = true; |  | ||||||
|   boot.loader.efi.canTouchEfiVariables = true; |  | ||||||
|  |  | ||||||
|   networking.hostName = "grevling"; |  | ||||||
|  |  | ||||||
|   # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { |  | ||||||
|   #   matchConfig.Name = "eno1"; |  | ||||||
|   #   address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ]; |  | ||||||
|   # }; |  | ||||||
|  |  | ||||||
|   # List packages installed in system profile |  | ||||||
|   environment.systemPackages = with pkgs; [ |  | ||||||
|   ]; |  | ||||||
|  |  | ||||||
|   # List services that you want to enable: |  | ||||||
|  |  | ||||||
|   # This value determines the NixOS release from which the default |  | ||||||
|   # settings for stateful data, like file locations and database versions |  | ||||||
|   # on your system were taken. It‘s perfectly fine and recommended to leave |  | ||||||
|   # this value at the release version of the first install of this system. |  | ||||||
|   # Before changing this value read the documentation for this option |  | ||||||
|   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). |  | ||||||
|   system.stateVersion = "23.05"; # Did you read the comment? |  | ||||||
|  |  | ||||||
| } |  | ||||||
| @@ -1,40 +0,0 @@ | |||||||
| # Do not modify this file!  It was generated by ‘nixos-generate-config’ |  | ||||||
| # and may be overwritten by future invocations.  Please make changes |  | ||||||
| # to /etc/nixos/configuration.nix instead. |  | ||||||
| { config, lib, pkgs, modulesPath, ... }: |  | ||||||
|  |  | ||||||
| { |  | ||||||
|   imports = |  | ||||||
|     [ (modulesPath + "/installer/scan/not-detected.nix") |  | ||||||
|     ]; |  | ||||||
|  |  | ||||||
|   boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; |  | ||||||
|   boot.initrd.kernelModules = [ ]; |  | ||||||
|   boot.kernelModules = [ "kvm-intel" ]; |  | ||||||
|   boot.extraModulePackages = [ ]; |  | ||||||
|  |  | ||||||
|   fileSystems."/" = |  | ||||||
|     { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0"; |  | ||||||
|       fsType = "ext4"; |  | ||||||
|     }; |  | ||||||
|  |  | ||||||
|   fileSystems."/boot" = |  | ||||||
|     { device = "/dev/disk/by-uuid/145E-7362"; |  | ||||||
|       fsType = "vfat"; |  | ||||||
|     }; |  | ||||||
|  |  | ||||||
|   swapDevices = |  | ||||||
|     [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; } |  | ||||||
|     ]; |  | ||||||
|  |  | ||||||
|   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking |  | ||||||
|   # (the default) this is the recommended approach. When using systemd-networkd it's |  | ||||||
|   # still possible to use this option, but it's recommended to use it in conjunction |  | ||||||
|   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. |  | ||||||
|   networking.useDHCP = lib.mkDefault true; |  | ||||||
|   # networking.interfaces.eno1.useDHCP = lib.mkDefault true; |  | ||||||
|   # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true; |  | ||||||
|  |  | ||||||
|   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; |  | ||||||
|   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; |  | ||||||
| } |  | ||||||
| @@ -1,77 +0,0 @@ | |||||||
| { pkgs, lib, values, ... }: |  | ||||||
| { |  | ||||||
|   services.openvpn.servers."ov-tunnel" = { |  | ||||||
|     config = let |  | ||||||
|       conf = { |  | ||||||
|         # TODO: use aliases |  | ||||||
|         local = "129.241.210.191"; |  | ||||||
|         port = 1194; |  | ||||||
|         proto = "udp"; |  | ||||||
|         dev = "tap"; |  | ||||||
|  |  | ||||||
|         # TODO: set up |  | ||||||
|         ca = ""; |  | ||||||
|         cert = ""; |  | ||||||
|         key = ""; |  | ||||||
|         dh = ""; |  | ||||||
|  |  | ||||||
|         # Maintain a record of client <-> virtual IP address |  | ||||||
|         # associations in this file.  If OpenVPN goes down or |  | ||||||
|         # is restarted, reconnecting clients can be assigned |  | ||||||
|         # the same virtual IP address from the pool that was |  | ||||||
|         # previously assigned. |  | ||||||
|         ifconfig-pool-persist = ./ipp.txt; |  | ||||||
|  |  | ||||||
|         server-bridge = builtins.concatStringsSep " " [ |  | ||||||
|           "129.241.210.129" |  | ||||||
|           "255.255.255.128" |  | ||||||
|           "129.241.210.253" |  | ||||||
|           "129.241.210.254" |  | ||||||
|         ]; |  | ||||||
|  |  | ||||||
|         keepalive = "10 120"; |  | ||||||
|         cipher = "none"; |  | ||||||
|  |  | ||||||
|         user = "nobody"; |  | ||||||
|         group = "nobody"; |  | ||||||
|  |  | ||||||
|         status = "/var/log/openvpn-status.log"; |  | ||||||
|  |  | ||||||
|         client-config-dir = pkgs.writeTextDir "tuba" '' |  | ||||||
|           # Sett IP-adr. for tap0 til tubas PVV-adr. |  | ||||||
|           ifconfig-push ${values.services.tuba-tap} 255.255.255.128 |  | ||||||
|           # Hvordan skal man faa dette til aa funke, tro? |  | ||||||
|           #ifconfig-ipv6-push 2001:700:300:1900::xxx/64 |  | ||||||
|            |  | ||||||
|           # La tuba bruke std. PVV-gateway til all trafikk (unntatt |  | ||||||
|           # VPN-tunnellen). |  | ||||||
|           push "redirect-gateway" |  | ||||||
|         ''; |  | ||||||
|  |  | ||||||
|         persist-key = true; |  | ||||||
|         persist-tun = true; |  | ||||||
|  |  | ||||||
|         verb = 5; |  | ||||||
|  |  | ||||||
|         explicit-exit-notify = 1; |  | ||||||
|       }; |  | ||||||
|     in lib.pipe conf [ |  | ||||||
|       (lib.filterAttrs (_: value: !(builtins.isNull value || value == false))) |  | ||||||
|       (builtins.mapAttrs (_: value: |  | ||||||
|         if builtins.isList value then builtins.concatStringsSep " " (map toString value) |  | ||||||
|         else if value == true then value |  | ||||||
|         else if builtins.any (f: f value) [ |  | ||||||
|           builtins.isString |  | ||||||
|           builtins.isInt |  | ||||||
|           builtins.isFloat |  | ||||||
|           lib.isPath |  | ||||||
|           lib.isDerivation |  | ||||||
|         ] then toString value |  | ||||||
|         else throw "Unknown value in grevling openvpn config, deading now\n${value}" |  | ||||||
|       )) |  | ||||||
|       (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}")) |  | ||||||
|       (builtins.concatStringsSep "\n") |  | ||||||
|       (x: x + "\n\n") |  | ||||||
|     ]; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
| @@ -1,36 +0,0 @@ | |||||||
| { config, pkgs, values, ... }: |  | ||||||
| { |  | ||||||
|   imports = [ |  | ||||||
|       # Include the results of the hardware scan. |  | ||||||
|       ./hardware-configuration.nix |  | ||||||
|       ../../base.nix |  | ||||||
|       ../../misc/metrics-exporters.nix |  | ||||||
|  |  | ||||||
|       ./services/openvpn |  | ||||||
|     ]; |  | ||||||
|  |  | ||||||
|   boot.loader.systemd-boot.enable = true; |  | ||||||
|   boot.loader.efi.canTouchEfiVariables = true; |  | ||||||
|  |  | ||||||
|   networking.hostName = "tuba"; |  | ||||||
|  |  | ||||||
|   # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { |  | ||||||
|   #   matchConfig.Name = "eno1"; |  | ||||||
|   #   address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ]; |  | ||||||
|   # }; |  | ||||||
|  |  | ||||||
|   # List packages installed in system profile |  | ||||||
|   environment.systemPackages = with pkgs; [ |  | ||||||
|   ]; |  | ||||||
|  |  | ||||||
|   # List services that you want to enable: |  | ||||||
|  |  | ||||||
|   # This value determines the NixOS release from which the default |  | ||||||
|   # settings for stateful data, like file locations and database versions |  | ||||||
|   # on your system were taken. It‘s perfectly fine and recommended to leave |  | ||||||
|   # this value at the release version of the first install of this system. |  | ||||||
|   # Before changing this value read the documentation for this option |  | ||||||
|   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). |  | ||||||
|   system.stateVersion = "23.05"; # Did you read the comment? |  | ||||||
|  |  | ||||||
| } |  | ||||||
| @@ -1,40 +0,0 @@ | |||||||
| # Do not modify this file!  It was generated by ‘nixos-generate-config’ |  | ||||||
| # and may be overwritten by future invocations.  Please make changes |  | ||||||
| # to /etc/nixos/configuration.nix instead. |  | ||||||
| { config, lib, pkgs, modulesPath, ... }: |  | ||||||
|  |  | ||||||
| { |  | ||||||
|   imports = |  | ||||||
|     [ (modulesPath + "/installer/scan/not-detected.nix") |  | ||||||
|     ]; |  | ||||||
|  |  | ||||||
|   boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; |  | ||||||
|   boot.initrd.kernelModules = [ ]; |  | ||||||
|   boot.kernelModules = [ "kvm-intel" ]; |  | ||||||
|   boot.extraModulePackages = [ ]; |  | ||||||
|  |  | ||||||
|   fileSystems."/" = |  | ||||||
|     { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0"; |  | ||||||
|       fsType = "ext4"; |  | ||||||
|     }; |  | ||||||
|  |  | ||||||
|   fileSystems."/boot" = |  | ||||||
|     { device = "/dev/disk/by-uuid/145E-7362"; |  | ||||||
|       fsType = "vfat"; |  | ||||||
|     }; |  | ||||||
|  |  | ||||||
|   swapDevices = |  | ||||||
|     [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; } |  | ||||||
|     ]; |  | ||||||
|  |  | ||||||
|   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking |  | ||||||
|   # (the default) this is the recommended approach. When using systemd-networkd it's |  | ||||||
|   # still possible to use this option, but it's recommended to use it in conjunction |  | ||||||
|   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. |  | ||||||
|   networking.useDHCP = lib.mkDefault true; |  | ||||||
|   # networking.interfaces.eno1.useDHCP = lib.mkDefault true; |  | ||||||
|   # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true; |  | ||||||
|  |  | ||||||
|   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; |  | ||||||
|   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; |  | ||||||
| } |  | ||||||
| @@ -1,54 +0,0 @@ | |||||||
| { lib, values, ... }: |  | ||||||
| { |  | ||||||
|   services.openvpn.servers."ov-tunnel" = { |  | ||||||
|     config = let |  | ||||||
|       conf = { |  | ||||||
|         # TODO: use aliases |  | ||||||
|         client = true; |  | ||||||
|         dev = "tap"; |  | ||||||
|         proto = "udp"; |  | ||||||
|         remote = "129.241.210.191 1194"; |  | ||||||
|  |  | ||||||
|         resolv-retry = "infinite"; |  | ||||||
|         nobind = true; |  | ||||||
|  |  | ||||||
|         # # TODO: set up |  | ||||||
|         ca = ""; |  | ||||||
|         cert = ""; |  | ||||||
|         key = ""; |  | ||||||
|         remote-cert-tls = "server"; |  | ||||||
|         cipher = "none"; |  | ||||||
|  |  | ||||||
|         user = "nobody"; |  | ||||||
|         group = "nobody"; |  | ||||||
|  |  | ||||||
|         status = "/var/log/openvpn-status.log"; |  | ||||||
|  |  | ||||||
|         persist-key = true; |  | ||||||
|         persist-tun = true; |  | ||||||
|  |  | ||||||
|         verb = 5; |  | ||||||
|  |  | ||||||
|         # script-security = 2; |  | ||||||
|         # up = "systemctl restart rwhod"; |  | ||||||
|       }; |  | ||||||
|     in lib.pipe conf [ |  | ||||||
|       (lib.filterAttrs (_: value: !(builtins.isNull value || value == false))) |  | ||||||
|       (builtins.mapAttrs (_: value: |  | ||||||
|         if builtins.isList value then builtins.concatStringsSep " " (map toString value) |  | ||||||
|         else if value == true then value |  | ||||||
|         else if builtins.any (f: f value) [ |  | ||||||
|           builtins.isString |  | ||||||
|           builtins.isInt |  | ||||||
|           builtins.isFloat |  | ||||||
|           lib.isPath |  | ||||||
|           lib.isDerivation |  | ||||||
|         ] then toString value |  | ||||||
|         else throw "Unknown value in tuba openvpn config, deading now\n${value}" |  | ||||||
|       )) |  | ||||||
|       (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}")) |  | ||||||
|       (builtins.concatStringsSep "\n") |  | ||||||
|       (x: x + "\n\n") |  | ||||||
|     ]; |  | ||||||
|   }; |  | ||||||
| } |  | ||||||
							
								
								
									
										19
									
								
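--- a/users/richarah.nix
+++ b/users/richarah.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+  users.users.richarah = {
+    isNormalUser = true;
+    description = "";
+    extraGroups = [
+      "wheel"
+      "drift"
+    ];
+
+    packages = with pkgs; [
+      docker
+    ];
+
+    openssh.authorizedKeys.keys = [
+      ""
+    ];
+  };
+}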
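Review bot: `openssh.authorizedKeys.keys` holds a single empty string on the line before its closing bracket, which writes an empty line into the user's authorized_keys and leaves a placeholder that is easy to forget; until the real key is available the list should be empty, `openssh.authorizedKeys.keys = [ ];`, or the actual public key should land in this commit. The account is added to `wheel` (and `drift`), which on NixOS typically means sudo access on every host that imports this module, so a short comment stating who the account belongs to and why it needs that group would be more useful than the empty `description`. `docker` under `packages` only installs the client binary and does not by itself grant access to a Docker daemon, which is fine if that is what is intended.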
							
								
								
									
										14
									
								
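--- a/values.nix
+++ b/values.nix
@@ -21,12 +21,6 @@ in rec {
       ipv4 = pvv-ipv4 213;
       ipv6 = pvv-ipv6 213;
     };
-    grevling-tap = {
-      ipv4 = pvv-ipv4 251;
-    };
-    tuba-tap = {
-      ipv4 = pvv-ipv4 252;
-    };
   };
 
   hosts = {
@@ -55,14 +49,6 @@ in rec {
       ipv4 = pvv-ipv4 204;
       ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
-    grevling = {
-      ipv4 = pvv-ipv4 198;
-      ipv6 = pvv-ipv6 198;
-    };
-    tuba = {
-      ipv4 = pvv-ipv4 199;
-      ipv6 = pvv-ipv6 199;
-    };
   };
 
   defaultNetworkConfig = {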