Initial commit

2022-03-07 16:01:52 +01:00
commit 1f105ac9d1
71 changed files with 6231 additions and 0 deletions
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -0,0 +1,237 @@
+{ config, lib, pkgs, ... }:
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+
+      ../../pluggables/tools/programming.nix
+
+      ./services/nginx.nix
+      # ./services/dokuwiki.nix
+      # ./services/gitlab
+      ./services/gitea.nix
+      ./services/jitsi.nix
+      # ./services/openldap.nix
+      ./services/plex.nix
+      ./services/hydra.nix
+      ./services/matrix.nix
+      # ./services/libvirt.nix
+      ./services/grafana.nix
+      # ./services/calibre.nix
+      ./services/openvpn.nix
+      # ./services/samba.nix
+      ./services/searx.nix
+      # ./services/syncthing.nix
+    ];
+
+  systemd.targets = {
+    sleep.enable = false;
+    suspend.enable = false;
+    hibernate.enable = false;
+    hybrid-sleep.enable = false;
+  };
+
+  nix.package = pkgs.nixFlakes;
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+
+  # security.pam.services.login.unixAuth = true;
+
+  boot.loader = {
+    grub = {
+      enable = true;
+      version = 2;
+      efiSupport = true;
+      fsIdentifier = "label";
+      device = "nodev";
+      efiInstallAsRemovable = true;
+    };
+    # efi.efiSysMountPoint = "/boot/efi";
+    # efi.canTouchEfiVariables = true;
+  };
+
+  time.timeZone = "Europe/Oslo";
+
+  networking = {
+    hostName = "Tsuki";
+    networkmanager.enable = true;
+    useDHCP = false;
+    interfaces.ens18.useDHCP = true;
+    nameservers = [
+      "1.1.1.1"
+      "8.8.8.8"
+    ];
+    firewall.enable=true;
+  };
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+
+  services = {
+    openssh = {
+      enable = true;
+      passwordAuthentication = false;
+      challengeResponseAuthentication = false;
+      permitRootLogin = "no";
+    };
+    printing.enable = true;
+    cron = {
+      enable = true;
+      systemCronJobs = [
+    #     "*/5 * * * *      root    date >> /tmp/cron.log"
+      ];
+    };
+  };
+
+  users.groups.media = {};
+
+  users.users = {
+    h7x4 = {
+      isNormalUser = true;
+      extraGroups = [
+        "wheel"
+        "networkmanager"
+        "docker"
+        "disk"
+        "libvirtd"
+        "input"
+      ];
+      shell = pkgs.zsh;
+    };
+    media = {
+      isSystemUser = true;
+      group = "media";
+    };
+  };
+
+  environment = {
+    variables = {
+      EDITOR = "nvim";
+      VISUAL = "nvim";
+    };
+
+    systemPackages = with pkgs; [
+      wget
+    ];
+
+    shells = with pkgs; [
+      bashInteractive
+      zsh
+      dash
+    ];
+
+    etc = {
+      sudoLecture = {
+        target = "sudo.lecture";
+        text = "[31mBe careful or something, idk...[m\n";
+      };
+
+      "resolv.conf" = with lib; with pkgs; {
+        source = writeText "resolv.conf" ''
+          ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)}
+          options edns0
+        '';
+      };
+
+      currentSystemPackages = {
+        target = "current-system-packages";
+        text = let
+          inherit (lib.strings) concatStringsSep;
+          inherit (lib.lists) sort;
+          inherit (lib.trivial) lessThan;
+          packages = map (p: "${p.name}") config.environment.systemPackages;
+          sortedUnique = sort lessThan (lib.unique packages);
+        in concatStringsSep "\n" sortedUnique;
+      };
+    };
+  };
+
+  fonts = {
+    enableDefaultFonts = true;
+
+    fonts = with pkgs; [
+      cm_unicode
+      dejavu_fonts
+      fira-code
+      fira-code-symbols
+      powerline-fonts
+      iosevka
+      symbola
+      corefonts
+      ipaexfont
+      ipafont
+      liberation_ttf
+      migmix
+      noto-fonts
+      noto-fonts-cjk
+      noto-fonts-emoji
+      open-sans
+      source-han-sans
+      source-sans
+      ubuntu_font_family
+      victor-mono
+      (nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
+    ];
+
+    fontconfig = {
+      defaultFonts = {
+        serif = [ "Droid Sans Serif" "Ubuntu" ];
+        sansSerif = [ "Droid Sans" "Ubuntu" ];
+        monospace = [ "Fira Code" "Ubuntu" ];
+        emoji = [ "Noto Sans Emoji" ];
+      };
+    };
+  };
+
+  programs = {
+    git.enable = true;
+    npm.enable = true;
+    tmux.enable = true;
+    neovim = {
+      enable = true;
+      defaultEditor = true;
+      viAlias = true;
+      vimAlias = true;
+      configure = {
+        packages.myVimPackage = with pkgs.vimPlugins; {
+          start = [
+            direnv-vim
+            vim-nix
+            vim-polyglot
+          ];
+
+          opt = [
+            vim-monokai
+          ];
+        };
+
+        customRC = ''
+          set number relativenumber
+          set undofile
+          set undodir=~/.cache/vim/undodir 
+
+          packadd! vim-monokai 
+          colorscheme monokai
+        '';
+      };
+    };
+  };
+
+  security.sudo.extraConfig = ''
+    Defaults    lecture = always
+    Defaults    lecture_file = /etc/${config.environment.etc.sudoLecture.target} 
+  '';
+
+  virtualisation = {
+    docker.enable = true;
+    libvirtd.enable = true;
+  };
+
+  system.stateVersion = "21.11";
+}
+
+
--- a/hosts/tsuki/hardware-configuration.nix
+++ b/hosts/tsuki/hardware-configuration.nix
@@ -0,0 +1,36 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/54b9fd58-0df5-410c-ab87-766860967653";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/0A60-2885";
+      fsType = "vfat";
+    };
+
+  fileSystems."/data" =
+    { device = "/dev/disk/by-uuid/87354b26-4f7f-4b94-96fd-4bbeb834a03b";
+      fsType = "btrfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/92a1a33f-89a8-45de-a45e-6c303172cd7f"; }
+    ];
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/tsuki/services/calibre.todo.nix
+++ b/hosts/tsuki/services/calibre.todo.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+  services.calibre-server = {
+    # user = ""
+    # group = ""
+    enable = true;
+    # libraries = [
+    #   /etc/abc
+    # ];
+    # libraryDir =  ????
+  };
+}
--- a/hosts/tsuki/services/cron-backups/mail.nix
+++ b/hosts/tsuki/services/cron-backups/mail.nix
--- a/hosts/tsuki/services/cron-backups/pixiv.nix
+++ b/hosts/tsuki/services/cron-backups/pixiv.nix
--- a/hosts/tsuki/services/cron-backups/reddit.nix
+++ b/hosts/tsuki/services/cron-backups/reddit.nix
--- a/hosts/tsuki/services/cron-backups/youtube.nix
+++ b/hosts/tsuki/services/cron-backups/youtube.nix
--- a/hosts/tsuki/services/dokuwiki.todo.nix
+++ b/hosts/tsuki/services/dokuwiki.todo.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+  services.dokuwiki.sites = {
+    # TODO: research?
+    wiki = {
+      enable = false;
+    };
+  };
+}
--- a/hosts/tsuki/services/gitea.nix
+++ b/hosts/tsuki/services/gitea.nix
@@ -0,0 +1,62 @@
+{config, pkgs, lib, secrets, ...}:
+{
+  security.pam.services."gitea".unixAuth = true;
+
+  users.users.git = {
+    description = "Gitea service";
+    home = config.services.gitea.stateDir;
+    useDefaultShell = true;
+    group = "gitea";
+    isSystemUser = true;
+    uid = config.ids.uids.git;
+  };
+
+  services.gitea = {
+    enable = true;
+    user = "git";
+    appName = "Git Gud";
+    cookieSecure = true;
+    rootUrl = "https://git.nani.wtf/";
+    domain = "git.nani.wtf";
+    # # TODO: move to secrets
+    httpPort = secrets.ports.gitea;
+    disableRegistration = true;
+
+    database = {
+      user = "git";
+    };
+
+    settings = {
+      server = {
+        BUILTIN_SSH_SERVER_USER="git";
+      };
+
+      ui.DEFAULT_THEME = "arc-green";
+      indexer.REPO_INDEXER_ENABLED = true;
+      mailer = {
+        ENABLED = true;
+        FROM = "gitea@nani.wtf";
+      };
+
+      # markup = let
+      #   docutils = pkgs.python37.withPackages (ps: with ps; [
+      #       docutils # Provides rendering of ReStructured Text files
+      #       pygments # Provides syntax highlighting
+      #   ]);
+      # in {
+      #   restructuredtext = {
+      #     ENABLED = true;
+      #     FILE_EXTENSIONS = ".rst";
+      #     RENDER_COMMAND = "${docutils}/bin/rst2html.py";
+      #     IS_INPUT_FILE = false;
+      #   };
+      #   asciidoc = {
+      #     ENABLED = true;
+      #     FILE_EXTENSIONS = ".adoc,.asciidoc";
+      #     RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor -e -a leveloffset=-1 --out-file=- -";
+      #     IS_INPUT_FILE = false;
+      #   };
+      # };
+    };
+  };
+}
--- a/hosts/tsuki/services/gitlab/default.nix
+++ b/hosts/tsuki/services/gitlab/default.nix
@@ -0,0 +1,94 @@
+{ pkgs, lib, config, secrets, ... }:
+let
+  gitlab-port = secrets.ports.gitlab;
+  gitlab-host = "gitlab.nani.wtf";
+
+  # TODO: this should optimally be extracted out to nix-secrets completely.
+  gitlab-keydir = secrets.hosts.${config.networking.hostName}.keydir + "/gitlab";
+in
+{
+  # TODO: Set up gitlab-runner
+  # imports = [ ./runner.nix ];
+
+  services.gitlab = {
+    enable = false;
+
+    host = gitlab-host;
+    port = gitlab-port + 1;
+
+    user = "gitlab";
+    group = "gitlab";
+
+    databaseUsername = "gitlab";
+
+    statePath = "${secrets.hosts.${config.networking.hostName}.dataStatePath}/gitlab";
+
+    # A file containing the initial password of the root gitlab-account.
+    # This file should be readable to the user defined in `services.gitlab.user`,
+    # optimally having only read write permissions for that user.
+    initialRootPasswordFile = secrets.keys.gitlab.root_password;
+
+    secrets = { inherit (secrets.keys.gitlab) secretFile dbFile otpFile jwsFile; };
+
+
+    # TODO: Activate GitLabs Prometheus service
+    # extraGitlabRb = ''
+    #   prometheus['enabled'] = true
+    #   prometheus['server_address'] = '0.0.0.0:10392'
+    # '';
+
+    smtp = {
+      tls = true;
+      # address = gitlab-host;
+      port = gitlab-port + 2;
+    };
+
+    # TODO: Set up registry
+    # registry = {
+    #   enable = true;
+    #   # host = gitlab-host;
+    #   port = gitlab-port + 3;
+    #   externalPort = gitlab-port + 3;
+    #   certFile = /var/cert.pem;
+    #   keyFile = /var/key.pem;
+    # };
+
+    pagesExtraArgs = [
+       "-gitlab-server" "http://${gitlab-host}" 
+       "-listen-proxy" "127.0.0.1:${toString (gitlab-port + 4)}" 
+       "-log-format" "text" 
+    ];
+
+    # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gitlab.nix
+    # https://gitlab.com/gitlab-org/gitlab/blob/master/config/gitlab.yml.example
+    extraConfig = {
+      # gitlab = {};
+      gravatar.enabled = false;
+
+      # TODO: Fix pages API connection
+      # pages = {
+      #   enabled = true;
+      #   host = gitlab-host;
+      #   secret_file = "${toString gitlab-keydir}/pages_secret";
+      #   local_store.enabled = true;
+      # };
+    };
+
+  };
+
+  # TODO: Set up registry
+  # services.dockerRegistry = {
+  #   enable = true;
+  # };
+
+  # TODO: Connect plantuml to gitlab
+  services.plantuml-server = {
+    enable = true;
+    listenPort = gitlab-port + 5;
+  };
+
+  # TODO: Make module for kroki, and connect to gitlab
+  # services.kroki = {
+  #   
+  # };
+}
--- a/hosts/tsuki/services/gitlab/genfiles.sh
+++ b/hosts/tsuki/services/gitlab/genfiles.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+if [ "$EUID" -ne 0 ]; then
+  echo "Please run as root"
+  exit 1
+fi
+
+KEYDIR='/var/keys/gitlab'
+
+umask u=rwx,g=,o=
+
+mkdir -p $KEYDIR
+chmod 755 '/var/keys'
+
+for FILE in secretFile dbFile otpFile pages_secret; do
+  tr -dc A-Za-z0-9 < /dev/random | head -c 128 > $KEYDIR/$FILE
+done
+
+nix-shell -p openssl --run "openssl genrsa 2048 > $KEYDIR/jwsFile"
+chmod 600 $KEYDIR/jwsFile
+
+read -s -p "Root password: " ROOTPASS
+echo $ROOTPASS > $KEYDIR/root_password
+
+chown -R git:git $KEYDIR
--- a/hosts/tsuki/services/gitlab/runner.nix
+++ b/hosts/tsuki/services/gitlab/runner.nix
@@ -0,0 +1,51 @@
+{ ... }:
+{
+
+  # See https://nixos.wiki/wiki/Gitlab_runner
+  # boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
+  # virtualisation.docker.enable = true;
+  # services.gitlab-runner = {
+  #   enable = true;
+  #   services= {
+  #     # runner for building in docker via host's nix-daemon
+  #     # nix store will be readable in runner, might be insecure
+  #     nix = with lib;{
+  #       # File should contain at least these two variables:
+  #       # `CI_SERVER_URL`
+  #       # `REGISTRATION_TOKEN`
+  #       registrationConfigFile = toString ./path/to/ci-env; # 2
+  #       dockerImage = "alpine";
+  #       dockerVolumes = [
+  #         "/nix/store:/nix/store:ro"
+  #         "/nix/var/nix/db:/nix/var/nix/db:ro"
+  #         "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+  #       ];
+  #       dockerDisableCache = true;
+  #       preBuildScript = pkgs.writeScript "setup-container" ''
+  #         mkdir -p -m 0755 /nix/var/log/nix/drvs
+  #         mkdir -p -m 0755 /nix/var/nix/gcroots
+  #         mkdir -p -m 0755 /nix/var/nix/profiles
+  #         mkdir -p -m 0755 /nix/var/nix/temproots
+  #         mkdir -p -m 0755 /nix/var/nix/userpool
+  #         mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+  #         mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+  #         mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+  #         mkdir -p -m 0700 "$HOME/.nix-defexpr"
+  #         . ${pkgs.nix}/etc/profile.d/nix.sh
+  #         ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3
+  #         ${pkgs.nix}/bin/nix-channel --update nixpkgs
+  #         ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
+  #       '';
+  #       environmentVariables = {
+  #         ENV = "/etc/profile";
+  #         USER = "root";
+  #         NIX_REMOTE = "daemon";
+  #         PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+  #         NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+  #       };
+  #       tagList = [ "nix" ];
+  #     };
+  #   };
+  # };
+
+}
--- a/hosts/tsuki/services/grafana.nix
+++ b/hosts/tsuki/services/grafana.nix
@@ -0,0 +1,76 @@
+{ config, lib, secrets, ... }:
+{
+  services.grafana = {
+    enable = true;
+    domain = "log.nani.wtf";
+    port = secrets.ports.grafana;
+    addr = "0.0.0.0";
+  };
+
+  # services.influxdb = {
+  #   enable = true;
+  #   dataDir = "/data/var/influxdb";
+  #   extraConfig = {
+  #     udp = {
+  #       enabled = true;
+  #       bind-address = "0.0.0.0:8089";
+  #       database = "proxmox";
+  #       batch-size = 1000;
+  #       batch-timeout = "1s";
+  #     };
+  #   };
+  # };
+
+  services.prometheus = {
+    enable = true;
+    port = secrets.ports.prometheus;
+
+    scrapeConfigs = [
+      {
+        job_name = "synapse";
+        scrape_interval = "15s";
+        metrics_path = "/_synapse/metrics";
+        static_configs = [
+          {
+            targets = [ "localhost:${toString secrets.ports.matrix.listener}" ];
+          }
+        ];
+      }
+      {
+        job_name = "minecraft";
+        # scrape_interval = "15s";
+        # metrics_path = "/_synapse/metrics";
+        static_configs = [
+          {
+            targets = [ "${secrets.ips.crafty}:${toString secrets.ports.prometheus-crafty}" ];
+            labels = {
+              server_name = "my-minecraft-server";
+            };
+          }
+        ];
+      }
+    ];
+
+    exporters = {
+      jitsi.enable = true;
+      nginx.enable = true;
+      nginxlog.enable = true;
+      systemd.enable = true;
+      # postgres.enable = true;
+    };
+
+    # globalConfig = {
+
+    # };
+
+  };
+
+  # services.loki = {
+  #   enable = true;
+    # configFile = ./loki-local-config.yaml;
+    # config = {
+
+    # };
+  # };
+
+}
--- a/hosts/tsuki/services/hydra.nix
+++ b/hosts/tsuki/services/hydra.nix
@@ -0,0 +1,9 @@
+{ secrets, ... }:
+{
+  services.hydra = {
+    enable = true;
+    hydraURL = "http://hydra.nani.wtf";
+    notificationSender = "hydra@nani.wtf";
+    port = secrets.ports.hydra;
+  };
+}
--- a/hosts/tsuki/services/jitsi.nix
+++ b/hosts/tsuki/services/jitsi.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.jitsi-meet = {
+    enable = true;
+    hostName = "jitsi.nani.wtf";
+    config = {
+      enableWelcomePage = false;
+      prejoinPageEnabled = true;
+      defaultLang = "en";
+    };
+    interfaceConfig = {
+      SHOW_JITSI_WATERMARK = false;
+      SHOW_WATERMARK_FOR_GUESTS = false;
+    };
+  };
+}
--- a/hosts/tsuki/services/libvirt.todo.nix
+++ b/hosts/tsuki/services/libvirt.todo.nix
--- a/hosts/tsuki/services/matrix.nix
+++ b/hosts/tsuki/services/matrix.nix
@@ -0,0 +1,134 @@
+{config, pkgs, lib, secrets, ...}: {
+
+  # configure synapse to point users to coturn
+  services.matrix-synapse = {
+    enable = true;
+    turn_uris = let 
+      inherit (config.services.coturn) realm;
+      p = toString secrets.ports.matrix.default;
+    in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
+    turn_shared_secret = config.services.coturn.static-auth-secret;
+    turn_user_lifetime = "1h";
+
+    server_name = "nani.wtf";
+    public_baseurl = "https://matrix.nani.wtf";
+
+    enable_metrics = true;
+
+    listeners = [
+      {
+        port = secrets.ports.matrix.listener;
+        bind_address = "::1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          {
+            names = [ "client" "federation" "metrics" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
+
+    enable_registration = false;
+
+    # password_config.enabled = lib.mkForce false;
+
+    dataDir = "/data/var/matrix";
+
+    database_type = "psycopg2";
+    database_args = {
+      password = "synapse";
+    };
+
+    # redis.enabled = true;
+
+    # settings = {
+
+
+ 
+    # };
+  };
+
+  services.redis.enable = true;
+
+  # enable coturn
+  services.coturn = rec {
+    enable = true;
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = secrets.ports.matrix.min;
+    max-port = secrets.ports.matrix.max;
+    use-auth-secret = true;
+    static-auth-secret = secrets.keys.matrix.static-auth-secret;
+    realm = "turn.nani.wtf";
+    cert = "${secrets.keys.certificates.server.crt}";
+    pkey = "${secrets.keys.certificates.server.key}";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+
+  services.postgresql = {
+    enable = true;
+
+    ## postgresql user and db name remains in the
+    ## service.matrix-synapse.database_args setting which
+    ## by default is matrix-synapse
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+        CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+            TEMPLATE template0
+            LC_COLLATE = "C"
+            LC_CTYPE = "C";
+        '';
+  };
+
+  # open the firewall
+  networking.firewall = {
+    interfaces.enp2s0 = let
+      range = with config.services.coturn; [ {
+      from = secrets.ports.matrix.min;
+      to = secrets.ports.matrix.max;
+    } ];
+    in
+    {
+      allowedUDPPortRanges = range;
+      allowedUDPPorts = [ secrets.ports.matrix.default ];
+      allowedTCPPortRanges = range;
+      allowedTCPPorts = [ secrets.ports.matrix.default ];
+    };
+  };
+  # get a certificate
+  # security.acme.certs.${config.services.coturn.realm} = {
+  #   /* insert here the right configuration to obtain a certificate */
+  #   postRun = "systemctl restart coturn.service";
+  #   group = "turnserver";
+  # };
+}
--- a/hosts/tsuki/services/minecraft.todo.nix
+++ b/hosts/tsuki/services/minecraft.todo.nix
@@ -0,0 +1,64 @@
+{ pkgs, lib, ... }:
+
+# See https://github.com/InfinityGhost/nixos-workstation/blob/master/minecraft-server.nix
+
+let
+  allocatedMemory = "4096M";
+in {
+  services.minecraft-server = let
+    version = "1.18.1";
+
+    spigot = pkgs.minecraft-server.overrideAttrs (old: {
+      src = pkgs.fetchurl {
+        url = "https://hub.spigotmc.org/jenkins/job/BuildTools/141/artifact/target/BuildTools.jar";
+        sha1 = "?";
+      };
+
+      buildPhase = ''
+        cat > minecraft-server << EOF
+
+        #!${pkgs.bash}/bin/sh
+        exec ${pkgs.adoptopenjdk-jre-hotspot-bin-17}/bin/java \$@ -jar $out/bin/spigot-${version}.jar nogui
+
+        java -jar $src --rev ${version}
+      '';
+
+      installPhase = ''
+        mkdir -p $out/bin $out/lib/minecraft
+        cp -v spigot-${version}.jar $out/lib/minecraft
+        cp -v minecraft-server $out/bin
+
+        chmod +x $out/bin/minecraft-server
+      '';
+    });
+  in {
+    enable = true;
+    eula = true;
+    package = pkgs.spigot;
+    declarative = true;
+    dataDir = "/home/h7x4/minecraft";
+    openFirewall = true;
+
+    jvmOpts = lib.concatStringsSep " " [
+      "-Xmx${allocatedMemory}"
+      "-Xms${allocatedMemory}"
+      "-XX:+UseG1GC"
+      "-XX:ParallelGCThreads=2"
+      "-XX:MinHeapFreeRatio=5"
+      "-XX:MaxHeapFreeRatio=10"
+    ];
+
+    serverProperties = {
+      motd = "NixOS Minecraft Server";
+      server-port = 25565;
+      difficulty = 2;
+      gamemode = 0;
+      max-players = 5;
+      white-list = false;
+      enable-rcon = false;
+      allow-flight = true;
+    };
+    
+    # whitelist = {};
+  };
+}
--- a/hosts/tsuki/services/nginx.nix
+++ b/hosts/tsuki/services/nginx.nix
@@ -0,0 +1,143 @@
+{ pkgs, config, secrets, ... }:
+  let
+    # TODO: fix lib
+    lib = pkgs.lib;
+      
+    inherit (secrets) ips ports;
+
+    s = toString;
+  in
+{
+
+  security.acme = {
+    email = "h7x4abk3g@protonmail.com";
+    acceptTerms = true;
+  };
+
+  services.nginx = let
+    generateServerAliases =
+      domains: subdomains:
+      lib.lists.flatten (map (s: map (d: "${s}.${d}") domains) subdomains);
+  in {
+    enable = true;
+    
+    statusPage = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = let
+      inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
+      inherit (lib.lists) head drop;
+      inherit (secrets) domains keys;
+
+      makeHost =
+        subdomains: extraSettings:
+        nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate {
+          serverAliases = drop 1 (generateServerAliases domains subdomains);
+          forceSSL = true;
+          sslCertificate = keys.certificates.server.crt;
+          sslCertificateKey = keys.certificates.server.key;
+        } extraSettings);
+
+      makeACMEHost =
+        subdomains: extraSettings:
+        nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate {
+          serverAliases = drop 1 (generateServerAliases domains subdomains);
+          enableACME = true;
+          forceSSL = true;
+        } extraSettings);
+      
+      makeClientCertHost =
+        subdomains: extraSettings:
+        nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate {
+          serverAliases = drop 1 (generateServerAliases domains subdomains);
+          enableACME = true;
+          forceSSL = true;
+          extraConfig = ''
+            ssl_client_certificate ${secrets.keys.certificates.CA.crt};
+            ssl_verify_client optional;
+          '';
+          locations."/".extraConfig = ''
+            if ($ssl_client_verify != SUCCESS) {
+              return 403;
+            } 
+          '';
+        } extraSettings);
+
+      makeProxy = 
+        subdomains: url: extraSettings:
+        makeHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
+
+      makeACMEProxy = 
+        subdomains: url: extraSettings:
+        makeACMEHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
+
+      makeClientCertProxy = 
+        subdomains: url: extraSettings:
+        makeClientCertHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
+
+    in (listToAttrs [
+      # (makeACMEProxy ["gitlab"] "http://unix:/run/gitlab/gitlab-workhorse.socket" {})
+      (makeACMEProxy ["plex"] "http://localhost:${s ports.plex}" {})
+      (makeACMEHost ["www"] { root = "/data/www"; })
+      (makeACMEProxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
+      (makeACMEProxy ["git"] "http://localhost:${s ports.gitea}" {})
+      (makeClientCertHost ["cache"] { root = "/var/lib/nix-cache"; })
+      (makeClientCertProxy ["px1"] "https://${ips.px1}:${s ports.proxmox}" {
+          locations."/".proxyWebsockets = true;
+      })
+      (makeClientCertProxy ["idrac"] "https://${ips.idrac}" {})
+      (makeClientCertProxy ["searx"] "http://localhost:${s ports.searx}" {})
+      (makeACMEProxy ["dyn"] "http://${ips.crafty}:${s ports.dynmap}" {
+        basicAuthFile = keys.htpasswds.default;
+      })
+      (makeClientCertProxy ["log"] "http://localhost:${s ports.grafana}" {
+        locations."/".proxyWebsockets = true;
+      })
+      # (makeProxy ["wiki"] "" {})
+      # (makeHost ["vpn"] "" {})
+      (makeClientCertProxy ["hydra"] "http://localhost:${s ports.hydra}" {})
+
+      # (makePassProxy ["sync" "drive"] "" {})
+      # (makePassProxy ["music" "mpd"] "" {})
+    ]) // {
+      ${config.services.jitsi-meet.hostName} = {
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+
+    upstreams = {};
+
+    streamConfig = ''
+      upstream minecraft {
+        server ${ips.crafty}:${s ports.minecraft};
+      }
+
+      server {
+        listen 0.0.0.0:${s ports.minecraft};
+        listen [::0]:${s ports.minecraft};
+        proxy_pass minecraft;
+      }
+    '';
+      # upstream openvpn {
+      #   server localhost:${s ports.openvpn};
+      # }
+
+      # server {
+      #   listen 0.0.0.0:${s ports.openvpn};
+      #   listen [::0]:${s ports.openvpn};
+      #   proxy_pass openvpn;
+      # }
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  #   secrets.ports.openvpn
+    ports.minecraft
+  ];
+}
--- a/hosts/tsuki/services/openldap.todo.nix
+++ b/hosts/tsuki/services/openldap.todo.nix
@@ -0,0 +1,74 @@
+{ pkgs, ... }:
+{
+  services.openldap = {
+    enable = true;
+    # dataDir = "/data/var/openldap";
+    urlList = [ "ldap:///" "ldapi:///" ]; # Add ldaps to this list to listen with SSL (requires configured certificates)
+    # suffix = "dc=nixos,dc=org";
+    # rootdn = "cn=admin,dc=nixos,dc=org";
+    # rootpwFile = "/var/keys/ldap/rootpw";
+    # See https://www.openldap.org/doc/admin24/slapdconfig.html
+    # extraDatabaseConfig = ''
+    #   access to dn.base="dc=nixos,dc=org" by * read
+    #   # Add your own ACLs here…
+
+    #   # Drop everything that wasn't handled by previous ACLs:
+    #   access to * by * none
+
+    #   index objectClass eq
+    #   index uid eq
+    #   index mail sub
+    #   # Accelerates replication if you use it
+    #   index entryCSN eq
+    #   index entryUUID eq
+    # '';
+
+    settings = {
+      attrs.olcLogLevel = [ "stats" ];
+      children = {
+        "cn=schema".includes = [
+           "${pkgs.openldap}/etc/schema/core.ldif"
+           "${pkgs.openldap}/etc/schema/cosine.ldif"
+           "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+        ];
+        "olcDatabase={-1}frontend" = {
+          attrs = {
+            objectClass = "olcDatabaseConfig";
+            olcDatabase = "{-1}frontend";
+            olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
+          };
+        };
+        "olcDatabase={0}config" = {
+          attrs = {
+            objectClass = "olcDatabaseConfig";
+            olcDatabase = "{0}config";
+            olcAccess = [ "{0}to * by * none break" ];
+          };
+        };
+        "olcDatabase={1}mdb" = {
+          attrs = {
+            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+            olcDatabase = "{1}mdb";
+            olcDbDirectory = "/data/var/openldap/db";
+            olcDbIndex = [
+              "objectClass eq"
+              "cn pres,eq"
+              "uid pres,eq"
+              "sn pres,eq,subany"
+            ];
+            olcSuffix = "dc=example,dc=com";
+            olcAccess = [ "{0}to * by * read break" ];
+          };
+        };
+      };
+    };
+
+    # Setting this causes OpenLDAP to drop the entire database on startup and write the contents of
+    # of this LDIF string into the database. This ensures that only nix-managed content is found in the
+    # database. Note that if a lot of entries are created in conjunction with a lot of indexes, this might hurt
+    # startup performance.
+    # Also, you can set `readonly on` in `extraDatabaseConfig` to ensure nobody writes data that will be
+    # lost.
+    # declarativeContents = "…";
+  };
+}
--- a/hosts/tsuki/services/openvpn.nix
+++ b/hosts/tsuki/services/openvpn.nix
@@ -0,0 +1,53 @@
+{ config, pkgs, secrets, ... }:
+let
+  inherit (secrets) ips ports;
+in {
+  services = {
+    openvpn.servers = let
+      inherit (secrets.keys.certificates) openvpn CA server;
+      inherit (secrets.openvpn) ip-range;
+    in {
+      tsuki = {
+        config = ''
+          dev tap
+          server-bridge ${ips.tsuki} 255.255.255.0 ${ip-range.start} ${ip-range.end} 
+          local 0.0.0.0
+          port ${toString ports.openvpn}
+          user nobody
+          group nogroup
+          comp-lzo no
+          push 'comp-lzo no'
+          persist-key
+          persist-tun
+          keepalive 10 120
+          topology subnet
+          push "dhcp-option DNS 1.1.1.1"
+          push "dhcp-option DNS 8.8.8.8"
+          dh none
+          ecdh-curve prime256v1
+          tls-crypt ${openvpn.tls-crypt}
+          ca ${CA.crt}
+          cert ${server.crt}
+          key ${server.key}
+          auth SHA256
+          cipher AES-128-GCM
+          ncp-ciphers AES-128-GCM
+          tls-server
+          tls-version-min 1.2
+          tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
+          status /var/openvpn/status.log
+          verb 3
+        '';
+        autoStart = false;
+        updateResolvConf = true;
+      };
+    };
+  };
+
+  networking.firewall = {
+    allowedUDPPorts = [ ports.openvpn ];
+    allowedTCPPorts = [ ports.openvpn ];
+  };
+
+  # networking.bridges.br0.interfaces = [ "tap0" "ens18" ];
+}
--- a/hosts/tsuki/services/plex.nix
+++ b/hosts/tsuki/services/plex.nix
@@ -0,0 +1,21 @@
+{ secrets, ... }:
+{
+  services.plex = {
+    enable = true;
+    openFirewall = true;
+    dataDir = "/data/var/plex";
+  };
+
+  # TODO: make default directories.
+  services.samba.shares.plex = {
+    path = "/data/media";
+    browseable = "yes";
+    "read only" = "no";
+    "guest ok" = "no";
+    "create mode" = 0664;
+    "directory mode" = 2775;
+    comment = "Movies, Series and other stuff for Plex";
+  };
+
+  networking.firewall.allowedTCPPorts = [ secrets.ports.plex ];
+}
--- a/hosts/tsuki/services/samba.todo.nix
+++ b/hosts/tsuki/services/samba.todo.nix
@@ -0,0 +1,23 @@
+{}:
+{
+  services.samba = {
+    enable = true;
+
+    extraConfig = ''
+    '';
+
+    shares = {
+      plex = {
+        path = "/data/media";
+        "read only" = false;
+        browseable = "yes";
+        "guest ok" = "no";
+        comment = "Pictures, music, videos, etc.";
+      };
+
+      # home = {
+        
+      # };
+    };
+  };
+}
--- a/hosts/tsuki/services/searx.nix
+++ b/hosts/tsuki/services/searx.nix
@@ -0,0 +1,61 @@
+{ secrets, ... }:
+{
+  # TODO: Make secret keys.
+  services.searx = {
+    enable = true;
+    settings = {
+
+      general = {
+        debug = false;
+        instance_name = "Searx";
+      };
+
+      server = {
+        port = secrets.ports.searx;
+        bind_address = "0.0.0.0";
+        secret_key = secrets.keys.searx.key;
+      };
+
+      ui = {
+        default_theme = "oscar";
+        theme_args.oscar_style = "logicodev-dark";
+      };
+     
+      engines = [
+        # {
+        #   name = "YouTube";
+        #   shortcut = "yt";
+        #   engine = "youtube_api";
+        # }
+        {
+          name = "fdroid";
+          engine = "fdroid";
+        }
+        {
+          name = "github";
+          engine = "github";
+        }
+        {
+          name = "ebay";
+          engine = "ebay";
+        }
+        # {
+        #   name = "bandcamp";
+        #   engine = "bandcamp";
+        # }
+        {
+          name = "arch_linux_wiki";
+          shortcut = "aw";
+          engine = "archlinux";
+        }
+      ];
+    };
+
+    # runInUwsgi = true;
+    # uwsgiConfig = {
+      # disable-logging = false;
+      # http = ":11000";
+      # socket = "/run/searx/searx.sock";
+    # };
+  };
+}
--- a/hosts/tsuki/services/syncthing.todo.nix
+++ b/hosts/tsuki/services/syncthing.todo.nix