commit 1adabcca1858ebb85bb6049e70e7faf85f7c524c · ryan.freumh.org/eilean-nix

+3 -3

flake.lock

···

       26
       26
        
               "opam-repository": "opam-repository"

     

       27
       27
        
             },

     

       28
       28
        
             "locked": {

     

       29
       29
       -
               "lastModified": 1713007178,

     

       30
       30
       -
               "narHash": "sha256-091K5GMtbNZE78gSviME6ARITr6AL94f3naLzt2DabM=",

     

       29
       29
       +
               "lastModified": 1718122335,

     

       30
       30
       +
               "narHash": "sha256-ooeplCUj5dY2KT840ecFtR+iDq1V2iB5rDsFqjbdFSs=",

     

       31
       31
        
               "owner": "RyanGibb",

     

       32
       32
        
               "repo": "eon",

     

       33
       33
       -
               "rev": "d2b108c439bbd6e8a315630d730037ef940d6c74",

     

       33
       33
       +
               "rev": "87b7ec1cd6cb7dc0f950d8d37a91845465780faf",

     

       34
       34
        
               "type": "github"

     

       35
       35
        
             },

     

       36
       36
        
             "original": {

+1

flake.nix

···

       16
       16
        
               ./modules/default.nix

     

       17
       17
        
               nixos-mailserver.nixosModule

     

       18
       18
        
               eon.nixosModules.default

     

       19
       19
       +
               eon.nixosModules.acme

     

       19
       20
        
               ({ pkgs, config, ... }: {

     

       20
       21
        
                 nixpkgs.overlays = [

     

       21
       22
        
                   (final: prev: {

+16

modules/acme-eon.nix

···

       1
       1
       +
       { pkgs, config, lib, ... }:

     

       2
       2
       +
       

     

       3
       3
       +
       with lib;

     

       4
       4
       +
       let cfg = config.eilean;

     

       5
       5
       +
       in {

     

       6
       6
       +
         options.eilean.acme-eon = mkEnableOption "acme-eon";

     

       7
       7
       +
       

     

       8
       8
       +
         config = mkIf cfg.acme-eon {

     

       9
       9
       +
           assertions = [{

     

       10
       10
       +
             assertion = cfg.services.dns.server == "eon";

     

       11
       11
       +
             message = ''

     

       12
       12
       +
               If config.eilean.acme-eon is enabled config.eilean.services.dns.server must be "eon".

     

       13
       13
       +
             '';

     

       14
       14
       +
           }];

     

       15
       15
       +
         };

     

       16
       16
       +
       }

+4 -1

modules/default.nix

···

       4
       4
        
       

     

       5
       5
        
       {

     

       6
       6
        
         imports = [

     

       7
       7
       +
           ./acme-eon.nix

     

       7
       8
        
           ./services/dns/default.nix

     

       8
       9
        
           ./mastodon.nix

     

       9
       10
        
           ./mailserver.nix

     
···

       32
       33
        
         config = {

     

       33
       34
        
           # TODO install manpage

     

       34
       35
        
           environment.systemPackages = [ ];

     

       35
       35
       -
           security.acme.defaults.email =

     

       36
       36
       +
           security.acme.defaults.email = lib.mkIf (!config.eilean.acme-eon)

     

       37
       37
       +
             "${config.eilean.username}@${config.networking.domain}";

     

       38
       38
       +
           security.acme-eon.defaults.email = lib.mkIf config.eilean.acme-eon

     

       36
       39
        
             "${config.eilean.username}@${config.networking.domain}";

     

       37
       40
        
           networking.firewall.allowedTCPPorts = mkIf config.services.nginx.enable [

     

       38
       41
        
             80 # HTTP

+3 -1

modules/gitea.nix

···

       19
       19
        
         };

     

       20
       20
        
       

     

       21
       21
        
         config = mkIf cfg.gitea.enable {

     

       22
       22
       +
           security.acme-eon.nginxCerts = [ subdomain ];

     

       23
       23
       +
       

     

       22
       24
        
           services.nginx = {

     

       23
       25
        
             enable = true;

     

       24
       26
        
             recommendedProxySettings = true;

     

       25
       27
        
             virtualHosts."${subdomain}" = {

     

       26
       26
       -
               enableACME = true;

     

       28
       28
       +
               enableACME = lib.mkIf (!cfg.acme-eon) true;

     

       27
       29
        
               forceSSL = true;

     

       28
       30
        
               locations."/" = {

     

       29
       31
        
                 proxyPass = "http://localhost:${

+21 -2

modules/mailserver.nix

···

       15
       15
        
         };

     

       16
       16
        
       

     

       17
       17
        
         config = mkIf cfg.mailserver.enable {

     

       18
       18
       +
           security.acme-eon.certs."${subdomain}" = lib.mkIf cfg.acme-eon {

     

       19
       19
       +
             group = "turnserver";

     

       20
       20
       +
             reloadServices = [ "postfix.service" "dovecot.service" ];

     

       21
       21
       +
           };

     

       22
       22
       +
       

     

       18
       23
        
           mailserver = {

     

       19
       24
        
             enable = true;

     

       20
       25
        
             fqdn = subdomain;

     
···

       32
       37
        
       

     

       33
       38
        
             # Use Let's Encrypt certificates. Note that this needs to set up a stripped

     

       34
       39
        
             # down nginx and opens port 80.

     

       35
       35
       -
             certificateScheme = "acme-nginx";

     

       36
       36
       -
       

     

       40
       40
       +
             certificateScheme = if cfg.acme-eon then "manual" else "acme-nginx";

     

       41
       41
       +
             certificateFile = lib.mkIf cfg.acme-eon "${

     

       42
       42
       +
                 config.security.acme-eon.certs.${subdomain}.directory

     

       43
       43
       +
               }/fullchain.pem";

     

       44
       44
       +
             keyFile = lib.mkIf cfg.acme-eon

     

       45
       45
       +
               "${config.security.acme-eon.certs.${subdomain}.directory}/key.pem";

     

       37
       46
        
             localDnsResolver = false;

     

       38
       47
        
           };

     

       39
       48
        
       

     
···

       41
       50
        
           services.nginx.virtualHosts."${config.mailserver.fqdn}".extraConfig = ''

     

       42
       51
        
             return 301 $scheme://${domain}$request_uri;

     

       43
       52
        
           '';

     

       53
       53
       +
       

     

       54
       54
       +
           systemd.services.dovecot2 = lib.mkIf cfg.acme-eon {

     

       55
       55
       +
             wants = [ "acme-eon-${subdomain}.service" ];

     

       56
       56
       +
             after = [ "acme-eon-${subdomain}.service" ];

     

       57
       57
       +
           };

     

       58
       58
       +
       

     

       59
       59
       +
           systemd.services.postfix = lib.mkIf cfg.acme-eon {

     

       60
       60
       +
             wants = [ "acme-eon-${subdomain}.service" ];

     

       61
       61
       +
             after = [ "acme-eon-${subdomain}.service" ];

     

       62
       62
       +
           };

     

       44
       63
        
       

     

       45
       64
        
           services.postfix.config = {

     

       46
       65
        
             smtpd_tls_protocols =

+3 -1

modules/mastodon.nix

···

       40
       40
        
           users.groups.${config.services.mastodon.group}.members =

     

       41
       41
        
             [ config.services.nginx.user ];

     

       42
       42
        
       

     

       43
       43
       +
           security.acme-eon.nginxCerts = lib.mkIf cfg.acme-eon [ subdomain ];

     

       44
       44
       +
       

     

       43
       45
        
           services.nginx = {

     

       44
       46
        
             enable = true;

     

       45
       47
        
             recommendedProxySettings = true;

     
···

       56
       58
        
               "${subdomain}" = {

     

       57
       59
        
                 root = "${config.services.mastodon.package}/public/";

     

       58
       60
        
                 forceSSL = true;

     

       59
       59
       -
                 enableACME = true;

     

       61
       61
       +
                 enableACME = lib.mkIf (!cfg.acme-eon) true;

     

       60
       62
        
       

     

       61
       63
        
                 locations."/system/".alias = "/var/lib/mastodon/public-system/";

     

       62
       64

+4 -2

modules/matrix/synapse.nix

···

       52
       52
        
               LC_CTYPE = "C";

     

       53
       53
        
           '';

     

       54
       54
        
       

     

       55
       55
       +
           security.acme-eon.nginxCerts = lib.mkIf cfg.acme-eon [ domain subdomain ];

     

       56
       56
       +
       

     

       55
       57
        
           services.nginx = {

     

       56
       58
        
             enable = true;

     

       57
       59
        
             # only recommendedProxySettings and recommendedGzipSettings are strictly required,

     
···

       66
       68
        
               # i.e. to delegate from the host being accessible as ${domain}

     

       67
       69
        
               # to another host actually running the Matrix homeserver.

     

       68
       70
        
               "${domain}" = {

     

       69
       69
       -
                 enableACME = true;

     

       71
       71
       +
                 enableACME = lib.mkIf (!cfg.acme-eon) true;

     

       70
       72
        
                 forceSSL = true;

     

       71
       73
        
       

     

       72
       74
        
                 locations."= /.well-known/matrix/server".extraConfig = let

     
···

       98
       100
        
       

     

       99
       101
        
               # Reverse proxy for Matrix client-server and server-server communication

     

       100
       102
        
               "${subdomain}" = {

     

       101
       101
       -
                 enableACME = true;

     

       103
       103
       +
                 enableACME = lib.mkIf (!cfg.acme-eon) true;

     

       102
       104
        
                 forceSSL = true;

     

       103
       105
        
       

     

       104
       106
        
                 # Or do a redirect instead of the 404, or whatever is appropriate for you.

+1 -1

modules/services/dns/default.nix

···

       57
       57
        
           enable = mkEnableOption "DNS server";

     

       58
       58
        
           server = mkOption {

     

       59
       59
        
             type = types.enum [ "bind" "eon" ];

     

       60
       60
       -
             default = "bind";

     

       60
       60
       +
             default = if config.eilean.acme-eon then "eon" else "bind";

     

       61
       61
        
           };

     

       62
       62
        
           openFirewall = mkOption {

     

       63
       63
        
             type = types.bool;

+2

modules/services/dns/eon.nix

···

       4
       4
        
       in lib.mkIf (cfg.enable && cfg.server == "eon") {

     

       5
       5
        
         services.eon = {

     

       6
       6
        
           enable = true;

     

       7
       7
       +
           application = "capd";

     

       8
       8
       +
           capnpAddress = lib.mkDefault config.networking.domain;

     

       7
       9
        
           zoneFiles = let

     

       8
       10
        
             mapZonefile = zonename: zone:

     

       9
       11
        
               "${

+35 -23

modules/turn.nix

···

       10
       10
        
         options.eilean.turn = { enable = mkEnableOption "TURN server"; };

     

       11
       11
        
       

     

       12
       12
        
         config = mkIf cfg.turn.enable {

     

       13
       13
       -
           services.coturn =

     

       14
       14
       -
             let certDir = config.security.acme.certs.${subdomain}.directory;

     

       15
       15
       -
             in {

     

       16
       16
       -
               enable = true;

     

       17
       17
       -
               no-cli = true;

     

       18
       18
       -
               no-tcp-relay = true;

     

       19
       19
       -
               secure-stun = true;

     

       20
       20
       -
               use-auth-secret = true;

     

       21
       21
       -
               static-auth-secret-file = staticAuthSecretFile;

     

       22
       22
       -
               realm = subdomain;

     

       23
       23
       -
               relay-ips = with config.eilean; [ serverIpv4 serverIpv6 ];

     

       24
       24
       -
               cert = "${certDir}/fullchain.pem";

     

       25
       25
       -
               pkey = "${certDir}/key.pem";

     

       26
       26
       -
             };

     

       13
       13
       +
           security.acme-eon.certs."${subdomain}" = lib.mkIf cfg.acme-eon {

     

       14
       14
       +
             group = "turnserver";

     

       15
       15
       +
             reloadServices = [ "coturn" ];

     

       16
       16
       +
           };

     

       17
       17
       +
       

     

       18
       18
       +
           services.coturn = let

     

       19
       19
       +
             certDir = if cfg.acme-eon then

     

       20
       20
       +
               config.security.acme-eon.certs.${subdomain}.directory

     

       21
       21
       +
             else

     

       22
       22
       +
               config.security.acme.certs.${subdomain}.directory;

     

       23
       23
       +
           in {

     

       24
       24
       +
             enable = true;

     

       25
       25
       +
             no-cli = true;

     

       26
       26
       +
             no-tcp-relay = true;

     

       27
       27
       +
             secure-stun = true;

     

       28
       28
       +
             use-auth-secret = true;

     

       29
       29
       +
             static-auth-secret-file = staticAuthSecretFile;

     

       30
       30
       +
             realm = subdomain;

     

       31
       31
       +
             relay-ips = with config.eilean; [ serverIpv4 serverIpv6 ];

     

       32
       32
       +
             cert = "${certDir}/fullchain.pem";

     

       33
       33
       +
             pkey = "${certDir}/key.pem";

     

       34
       34
       +
           };

     

       27
       35
        
       

     

       28
       36
        
           systemd.services = {

     

       29
       37
        
             coturn-static-auth-secret-generator = {

     
···

       39
       47
        
               serviceConfig.RemainAfterExit = true;

     

       40
       48
        
             };

     

       41
       49
        
             "coturn" = {

     

       42
       42
       -
               after = [ "coturn-static-auth-secret-generator.service" ];

     

       50
       50
       +
               after = [ "coturn-static-auth-secret-generator.service" ]

     

       51
       51
       +
                 ++ lib.lists.optional cfg.acme-eon "acme-eon-${subdomain}.service";

     

       43
       52
        
               requires = [ "coturn-static-auth-secret-generator.service" ];

     

       53
       53
       +
               wants = lib.lists.optional cfg.acme-eon "acme-eon-${subdomain}.service";

     

       44
       54
        
             };

     

       45
       55
        
           };

     

       46
       56
        
       

     
···

       64
       74
        
               allowedUDPPortRanges = [ turn-range ];

     

       65
       75
        
             };

     

       66
       76
        
       

     

       67
       67
       -
           security.acme.certs.${config.services.coturn.realm} = {

     

       68
       68
       -
             postRun =

     

       69
       69
       -
               "systemctl reload nginx.service; systemctl restart coturn.service";

     

       70
       70
       -
             group = "turnserver";

     

       71
       71
       -
           };

     

       72
       72
       -
           services.nginx.enable = true;

     

       73
       73
       -
           services.nginx.virtualHosts = {

     

       77
       77
       +
           security.acme.certs.${config.services.coturn.realm} =

     

       78
       78
       +
             lib.mkIf (!cfg.acme-eon) {

     

       79
       79
       +
               postRun =

     

       80
       80
       +
                 "systemctl reload nginx.service; systemctl restart coturn.service";

     

       81
       81
       +
               group = "turnserver";

     

       82
       82
       +
             };

     

       83
       83
       +
           services.nginx.enable = lib.mkIf (!cfg.acme-eon) true;

     

       84
       84
       +
           services.nginx.virtualHosts = lib.mkIf (!cfg.acme-eon) {

     

       74
       85
        
             "${config.services.coturn.realm}" = {

     

       75
       86
        
               forceSSL = true;

     

       76
       87
        
               enableACME = true;

     

       77
       88
        
             };

     

       78
       89
        
           };

     

       79
       79
       -
           users.groups."turnserver".members = [ config.services.nginx.user ];

     

       90
       90
       +
           users.groups."turnserver".members =

     

       91
       91
       +
             lib.mkIf (!cfg.acme-eon) [ config.services.nginx.user ];

     

       80
       92
        
       

     

       81
       93
        
           eilean.dns.enable = true;

     

       82
       94
        
           eilean.services.dns.zones.${config.networking.domain}.records = [{

+2 -1

template/configuration.nix

···

       43
       43
        
       

     

       44
       44
        
         # TODO replace this with domain

     

       45
       45
        
         networking.domain = "example.org";

     

       46
       46
       -
         security.acme.acceptTerms = true;

     

       46
       46
       +
         security.acme.acceptTerms = lib.mkIf (!config.eilean.acme-eon) true;

     

       47
       47
       +
         security.acme-eon.acceptTerms = lib.mkIf config.eilean.acme-eon true;

     

       47
       48
        
       

     

       48
       49
        
         # TODO select internationalisation properties

     

       49
       50
        
         i18n.defaultLocale = "en_GB.UTF-8";