commit 33b8ad8668ebfb3daea948bb9e77c769f301a1af · ryan.freumh.org/eilean-nix

+2 -1

docs/getting_started.md

···

       163
       163
        
       

     

       164
       164
        
       ## Further Information 

     

       165
       165
        
       

     

       166
       166
       -
       See [docs](../docs/).

     

       166
       166
       +
       For a list of options, use `man eilean-configuration.nix`.

     

       167
       167
       +

+4 -4

flake.lock

···

       2
       2
        
         "nodes": {

     

       3
       3
        
           "nixpkgs": {

     

       4
       4
        
             "locked": {

     

       5
       5
       -
               "lastModified": 1703068421,

     

       6
       6
       -
               "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",

     

       7
       7
       -
               "owner": "NixOS",

     

       5
       5
       +
               "lastModified": 1710272261,

     

       6
       6
       +
               "narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=",

     

       7
       7
       +
               "owner": "nixos",

     

       8
       8
        
               "repo": "nixpkgs",

     

       9
       9
       -
               "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",

     

       9
       9
       +
               "rev": "0ad13a6833440b8e238947e47bea7f11071dc2b2",

     

       10
       10
        
               "type": "github"

     

       11
       11
        
             },

     

       12
       12
        
             "original": {

+9 -2

flake.nix

···

       1
       1
        
       {

     

       2
       2
        
         inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

     

       3
       3
        
       

     

       4
       4
       -
         outputs = { self, nixpkgs, ... }@inputs: {

     

       4
       4
       +
         outputs = { self, nixpkgs, ... }: rec {

     

       5
       5
       +
           packages = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed (system:

     

       6
       6
       +
             let

     

       7
       7
       +
               pkgs = nixpkgs.legacyPackages.${system};

     

       8
       8
       +
             in {

     

       9
       9
       +
               manpage = import ./man { inherit pkgs system; };

     

       10
       10
       +
             });

     

       11
       11
       +
       

     

       5
       12
        
           nixosModules.default = {

     

       6
       13
        
             imports = [

     

       7
       14
        
               ./modules/default.nix

     

       8
       8
       -
               ({ config, ... }: {

     

       15
       15
       +
               ({ pkgs, config, ... }: {

     

       9
       16
        
                 nixpkgs.overlays = [ (final: prev: {

     

       10
       17
        
                   mautrix-meta = (prev.callPackage ./pkgs/mautrix-meta.nix { });

     

       11
       18
        
                 }) ];

+42

man/default.nix

···

       1
       1
       +
       { pkgs, system, ... }:

     

       2
       2
       +
       

     

       3
       3
       +
       with pkgs;

     

       4
       4
       +
       let

     

       5
       5
       +
           optionsDoc =

     

       6
       6
       +
             let

     

       7
       7
       +
               eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {

     

       8
       8
       +
                 inherit system;

     

       9
       9
       +
                 modules = [

     

       10
       10
       +
                   ../modules/default.nix

     

       11
       11
       +
                 ];

     

       12
       12
       +
               };

     

       13
       13
       +
             in pkgs.nixosOptionsDoc {

     

       14
       14
       +
               options = eval.options;

     

       15
       15
       +
               # TODO make sure all options have descriptions

     

       16
       16
       +
               warningsAreErrors = false;

     

       17
       17
       +
             };

     

       18
       18
       +
       

     

       19
       19
       +
         # Generate the `man eliean.nix` package

     

       20
       20
       +
         eilean-configuration-manual =

     

       21
       21
       +
           runCommand "eilean-reference-manpage"

     

       22
       22
       +
           { nativeBuildInputs = [

     

       23
       23
       +
               buildPackages.installShellFiles

     

       24
       24
       +
               buildPackages.nixos-render-docs

     

       25
       25
       +
             ];

     

       26
       26
       +
             allowedReferences = [ "out" ];

     

       27
       27
       +
           }

     

       28
       28
       +
           ''

     

       29
       29
       +
             # Generate manpages.

     

       30
       30
       +
             mkdir -p $out/share/man/man5

     

       31
       31
       +
             # filter to only eilean options

     

       32
       32
       +
             cat ${optionsDoc.optionsJSON}/share/doc/nixos/options.json \

     

       33
       33
       +
               | ${pkgs.jq}/bin/jq 'with_entries(select(.key | test("^eilean")))' \

     

       34
       34
       +
               > eilean-options.json

     

       35
       35
       +
             nixos-render-docs -j $NIX_BUILD_CORES options manpage \

     

       36
       36
       +
               --revision dev \

     

       37
       37
       +
               --header ${./eilean-configuration-nix-header.5} \

     

       38
       38
       +
               --footer ${./eilean-configuration-nix-footer.5} \

     

       39
       39
       +
               eilean-options.json \

     

       40
       40
       +
               $out/share/man/man5/eilean-configuration.nix.5

     

       41
       41
       +
           '';

     

       42
       42
       +
       in eilean-configuration-manual

+3

man/eilean-configuration-nix-footer.5

···

       1
       1
       +
       .SH "AUTHORS"

     

       2
       2
       +
       .PP

     

       3
       3
       +
       Eilean contributors

+17

man/eilean-configuration-nix-header.5

···

       1
       1
       +
       .TH "EILEAN-CONFIGURATION\&.NIX" "5" "01/01/1980" "Home Manager"

     

       2
       2
       +
       .\" disable hyphenation

     

       3
       3
       +
       .nh

     

       4
       4
       +
       .\" disable justification (adjust text to left margin only)

     

       5
       5
       +
       .ad l

     

       6
       6
       +
       .\" enable line breaks after slashes

     

       7
       7
       +
       .cflags 4 /

     

       8
       8
       +
       .SH "NAME"

     

       9
       9
       +
       \fIeilean\-configuration\&.nix\fP \- Eilean configuration specification

     

       10
       10
       +
       .SH "DESCRIPTION"

     

       11
       11
       +
       .sp

     

       12
       12
       +
       Self-host your own digital island.

     

       13
       13
       +
       .sp

     

       14
       14
       +
       Eilean extends the NixOS module system with the following options.

     

       15
       15
       +
       .sp

     

       16
       16
       +
       .SH "OPTIONS"

     

       17
       17
       +
       .PP

+5 -2

modules/default.nix

···

       1
       1
       -
       { lib, config, ... }:

     

       1
       1
       +
       { pkgs, lib, config, ... }:

     

       2
       2
        
       

     

       3
       3
        
       with lib;

     

       4
       4
        
       

     
···

       16
       16
        
           ./matrix/mautrix-messenger.nix

     

       17
       17
        
           ./turn.nix

     

       18
       18
        
           ./headscale.nix

     

       19
       19
       -
           ./wireguard/server.nix

     

       20
       19
        
           ./wireguard/default.nix

     

       21
       20
        
         ];

     

       22
       21
        
       

     
···

       36
       35
        
         };

     

       37
       36
        
       

     

       38
       37
        
         config = {

     

       38
       38
       +
           # install manpage

     

       39
       39
       +
           environment.systemPackages = [

     

       40
       40
       +
             (import ../man/default.nix { inherit pkgs; system = config.nixpkgs.hostPlatform.system; })

     

       41
       41
       +
           ];

     

       39
       42
        
           security.acme.defaults.email = "${config.eilean.username}@${config.networking.domain}";

     

       40
       43
        
           networking.firewall.allowedTCPPorts = mkIf config.services.nginx.enable [

     

       41
       44
        
             80 # HTTP

+3 -1

modules/headscale.nix

···

       8
       8
        
           enable = mkEnableOption "headscale";

     

       9
       9
        
           zone = mkOption {

     

       10
       10
        
             type = types.str;

     

       11
       11
       -
             default = "${config.networking.domain}";

     

       11
       11
       +
             default = config.networking.domain;

     

       12
       12
       +
             defaultText = "config.networking.domain";

     

       12
       13
        
           };

     

       13
       14
        
           domain = mkOption {

     

       14
       15
        
             type = types.str;

     

       15
       16
        
             default = "headscale.${config.networking.domain}";

     

       17
       17
       +
             defaultText = "headscale.$${config.networking.domain}";

     

       16
       18
        
           };

     

       17
       19
        
         };

     

       18
       20

+2 -2

modules/mailserver/default.nix

···

       669
       669
        
               if (ip == "0.0.0.0" || ip == "::")

     

       670
       670
        
               then "127.0.0.1"

     

       671
       671
        
               else if isIpv6 ip then "[${ip}]" else ip;

     

       672
       672
       -
               defaultText = lib.literalDocBook "computed from <option>config.services.redis.servers.rspamd.bind</option>";

     

       672
       672
       +
               defaultText = lib.literalMD "computed from <option>config.services.redis.servers.rspamd.bind</option>";

     

       673
       673
        
               description = ''

     

       674
       674
        
                 Address that rspamd should use to contact redis.

     

       675
       675
        
               '';

     
···

       795
       795
        
                       start program = "${pkgs.systemd}/bin/systemctl start rspamd"

     

       796
       796
        
                       stop program = "${pkgs.systemd}/bin/systemctl stop rspamd"

     

       797
       797
        
               '';

     

       798
       798
       -
               defaultText = lib.literalDocBook "see source";

     

       798
       798
       +
               defaultText = lib.literalMD "see source";

     

       799
       799
        
               description = ''

     

       800
       800
        
                 The configuration used for monitoring via monit.

     

       801
       801
        
                 Use a mail address that you actively check and set it via 'set alert ...'.

-6

modules/mailserver/dovecot.nix

···

       95
       95
        
       in

     

       96
       96
        
       {

     

       97
       97
        
         config = with cfg; lib.mkIf enable {

     

       98
       98
       -
           assertions = [

     

       99
       99
       -
             {

     

       100
       100
       -
               assertion = junkMailboxNumber == 1;

     

       101
       101
       -
               message = "nixos-mailserver requires exactly one dovecot mailbox with the 'special use' flag set to 'Junk' (${builtins.toString junkMailboxNumber} have been found)";

     

       102
       102
       -
             }

     

       103
       103
       -
           ];

     

       104
       98
        
       

     

       105
       99
        
           services.dovecot2 = {

     

       106
       100
        
             enable = true;

-4

modules/mailserver/users.nix

···

       67
       67
        
       in {

     

       68
       68
        
         config = lib.mkIf enable {

     

       69
       69
        
           # assert that all accounts provide a password

     

       70
       70
       -
           assertions = (map (acct: {

     

       71
       71
       -
             assertion = (acct.password != null || acct.passwordFile != null);

     

       72
       72
       -
             message = "${acct.name} must provide either a password or a password file";

     

       73
       73
       -
           }) (lib.attrValues loginAccounts));

     

       74
       70
        
       

     

       75
       71
        
           # warn for accounts that specify both password and file

     

       76
       72
        
           warnings = (map

+76 -38

modules/wireguard/default.nix

···

       42
       42
        
             };

     

       43
       43
        
             in mkOption {

     

       44
       44
        
               type = with types; attrsOf (submodule hostOps);

     

       45
       45
       +
               default = {};

     

       45
       46
        
             };

     

       46
       47
        
         };

     

       47
       48
        
       

     

       48
       49
        
         config = mkIf cfg.enable {

     

       49
       50
        
           environment.systemPackages = with pkgs; [ wireguard-tools ];

     

       50
       50
       -
           networking = {

     

       51
       51
       -
             # populate /etc/hosts with hostnames and IPs

     

       52
       52
       -
             extraHosts = builtins.concatStringsSep "\n" (

     

       53
       53
       -
               attrsets.mapAttrsToList (

     

       54
       54
       -
                 hostName: values: "${values.ip} ${hostName}"

     

       55
       55
       -
               ) cfg.hosts

     

       56
       56
       -
             );

     

       51
       51
       +
           networking = mkMerge [

     

       52
       52
       +
             {

     

       53
       53
       +
               # populate /etc/hosts with hostnames and IPs

     

       54
       54
       +
               extraHosts = builtins.concatStringsSep "\n" (

     

       55
       55
       +
                 attrsets.mapAttrsToList (

     

       56
       56
       +
                   hostName: values: "${values.ip} ${hostName}"

     

       57
       57
       +
                 ) cfg.hosts

     

       58
       58
       +
               );

     

       57
       59
        
       

     

       58
       58
       -
             firewall = {

     

       59
       59
       -
               allowedUDPPorts = [ 51820 ];

     

       60
       60
       -
               checkReversePath = false;

     

       61
       61
       -
             };

     

       60
       60
       +
               firewall = {

     

       61
       61
       +
                 allowedUDPPorts = [ 51820 ];

     

       62
       62
       +
                 checkReversePath = false;

     

       63
       63
       +
               };

     

       62
       64
        
       

     

       63
       63
       -
             wireguard = {

     

       64
       64
       -
               enable = true;

     

       65
       65
       -
               interfaces.wg0 = let hostName = config.networking.hostName; in {

     

       66
       66
       -
                 ips =

     

       67
       67
       -
                   if cfg.hosts ? hostname then

     

       68
       68
       -
                     [ "${cfg.hosts."${hostName}".ip}/24" ]

     

       69
       69
       -
                   else [ ];

     

       70
       70
       -
                 listenPort = 51820; 

     

       71
       71
       -
                 privateKeyFile = cfg.hosts."${hostName}".privateKeyFile;

     

       72
       72
       -
                 peers =

     

       73
       73
       -
                   let

     

       74
       74
       -
                     serverPeers = attrsets.mapAttrsToList

     

       75
       75
       -
                       (hostName: values:

     

       76
       76
       -
                         if values.server then

     

       77
       77
       -
                         {

     

       78
       78
       -
                           allowedIPs = [ "10.0.0.0/24" ];

     

       79
       79
       -
                           publicKey = values.publicKey;

     

       80
       80
       -
                           endpoint = "${values.endpoint}:51820";

     

       81
       81
       -
                           persistentKeepalive = values.persistentKeepalive;

     

       82
       82
       -
                         }

     

       83
       83
       -
                       else {})

     

       84
       84
       -
                       cfg.hosts;

     

       85
       85
       -
                     # remove empty elements

     

       86
       86
       -
                     cleanedServerPeers = lists.remove { } serverPeers;

     

       87
       87
       -
                   in mkIf (!cfg.server) cleanedServerPeers; 

     

       65
       65
       +
               wireguard = {

     

       66
       66
       +
                 enable = true;

     

       67
       67
       +
                 interfaces.wg0 = let hostName = config.networking.hostName; in {

     

       68
       68
       +
                   ips =

     

       69
       69
       +
                     if cfg.hosts ? hostname then

     

       70
       70
       +
                       [ "${cfg.hosts."${hostName}".ip}/24" ]

     

       71
       71
       +
                     else [ ];

     

       72
       72
       +
                   listenPort = 51820; 

     

       73
       73
       +
                   privateKeyFile = cfg.hosts."${hostName}".privateKeyFile;

     

       74
       74
       +
                   peers =

     

       75
       75
       +
                     let

     

       76
       76
       +
                       serverPeers = attrsets.mapAttrsToList

     

       77
       77
       +
                         (hostName: values:

     

       78
       78
       +
                           if values.server then

     

       79
       79
       +
                           {

     

       80
       80
       +
                             allowedIPs = [ "10.0.0.0/24" ];

     

       81
       81
       +
                             publicKey = values.publicKey;

     

       82
       82
       +
                             endpoint = "${values.endpoint}:51820";

     

       83
       83
       +
                             persistentKeepalive = values.persistentKeepalive;

     

       84
       84
       +
                           }

     

       85
       85
       +
                         else {})

     

       86
       86
       +
                         cfg.hosts;

     

       87
       87
       +
                       # remove empty elements

     

       88
       88
       +
                       cleanedServerPeers = lists.remove { } serverPeers;

     

       89
       89
       +
                     in mkIf (!cfg.server) cleanedServerPeers; 

     

       90
       90
       +
                 };

     

       88
       91
        
               };

     

       89
       89
       -
             };

     

       90
       90
       -
           };

     

       92
       92
       +
             }

     

       93
       93
       +
       

     

       94
       94
       +
             (mkIf cfg.server {

     

       95
       95
       +
               nat = {

     

       96
       96
       +
                 enable = true;

     

       97
       97
       +
                 externalInterface = "enp1s0";

     

       98
       98
       +
                 internalInterfaces = [ "wg0" ];

     

       99
       99
       +
               };

     

       100
       100
       +
               firewall = {

     

       101
       101
       +
                 extraCommands = ''

     

       102
       102
       +
                   iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT

     

       103
       103
       +
                 '';

     

       104
       104
       +
                 trustedInterfaces = [ "wg0" ];

     

       105
       105
       +
               };

     

       106
       106
       +
       

     

       107
       107
       +
               wireguard.interfaces.wg0 = {

     

       108
       108
       +
                 # Route from wireguard to public internet, allowing server to act as VPN

     

       109
       109
       +
                 postSetup = ''

     

       110
       110
       +
                   ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE

     

       111
       111
       +
                 '';

     

       112
       112
       +
       

     

       113
       113
       +
                 postShutdown = ''

     

       114
       114
       +
                   ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE

     

       115
       115
       +
                 '';

     

       116
       116
       +
       

     

       117
       117
       +
                 # add clients

     

       118
       118
       +
                 peers = with lib.attrsets;

     

       119
       119
       +
                   mapAttrsToList (

     

       120
       120
       +
                     hostName: values: {

     

       121
       121
       +
                       allowedIPs = [ "${values.ip}/32" ];

     

       122
       122
       +
                       publicKey = values.publicKey;

     

       123
       123
       +
                       persistentKeepalive = values.persistentKeepalive;

     

       124
       124
       +
                     }

     

       125
       125
       +
                   ) cfg.hosts;

     

       126
       126
       +
               };

     

       127
       127
       +
             })

     

       128
       128
       +
           ];

     

       91
       129
        
         };

     

       92
       130
        
       }

-39

modules/wireguard/server.nix

···

       1
       1
       -
       { pkgs, config, lib, ... }:

     

       2
       2
       -
       

     

       3
       3
       -
       let cfg = config.wireguard; in

     

       4
       4
       -
       {

     

       5
       5
       -
         networking = lib.mkIf (cfg.enable && cfg.server) {

     

       6
       6
       -
           nat = {

     

       7
       7
       -
             enable = true;

     

       8
       8
       -
             externalInterface = "enp1s0";

     

       9
       9
       -
             internalInterfaces = [ "wg0" ];

     

       10
       10
       -
           };

     

       11
       11
       -
           firewall = {

     

       12
       12
       -
             extraCommands = ''

     

       13
       13
       -
               iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT

     

       14
       14
       -
             '';

     

       15
       15
       -
             trustedInterfaces = [ "wg0" ];

     

       16
       16
       -
           };

     

       17
       17
       -
       

     

       18
       18
       -
           wireguard.interfaces.wg0 = {

     

       19
       19
       -
             # Route from wireguard to public internet, allowing server to act as VPN

     

       20
       20
       -
             postSetup = ''

     

       21
       21
       -
               ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE

     

       22
       22
       -
             '';

     

       23
       23
       -
       

     

       24
       24
       -
             postShutdown = ''

     

       25
       25
       -
               ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE

     

       26
       26
       -
             '';

     

       27
       27
       -
       

     

       28
       28
       -
             # add clients

     

       29
       29
       -
             peers = with lib.attrsets;

     

       30
       30
       -
               mapAttrsToList (

     

       31
       31
       -
                 hostName: values: {

     

       32
       32
       -
                   allowedIPs = [ "${values.ip}/32" ];

     

       33
       33
       -
                   publicKey = values.publicKey;

     

       34
       34
       -
                   persistentKeepalive = values.persistentKeepalive;

     

       35
       35
       -
                 }

     

       36
       36
       -
               ) cfg.hosts;

     

       37
       37
       -
           };

     

       38
       38
       -
         };

     

       39
       39
       -
       }