12
-
name = "nix-cache.vpn.${config.networking.domain}.";
14
-
value = "100.64.0.9";
17
-
name = "jellyfin.vpn.${config.networking.domain}.";
19
-
value = "100.64.0.9";
22
-
name = "nextcloud.vpn.${config.networking.domain}.";
24
-
value = "100.64.0.9";
27
-
name = "transmission.vpn.${config.networking.domain}.";
29
-
value = "100.64.0.9";
32
-
name = "owntracks.vpn.${config.networking.domain}.";
34
-
value = "100.64.0.9";
37
-
name = "immich.vpn.${config.networking.domain}.";
39
-
value = "100.64.0.9";
42
-
name = "audiobookshelf.vpn.${config.networking.domain}.";
44
-
value = "100.64.0.9";
./hardware-configuration.nix
52
-
../../modules/colour-guesser.nix
../../modules/ryan-website.nix
../../modules/alec-website.nix
../../modules/fn06-website.nix
environment.systemPackages = with pkgs; [
65
-
age.secrets.eon-capnp = {
66
-
file = ../../secrets/eon-capnp.age;
71
-
age.secrets.eon-sirref-primary = {
72
-
file = ../../secrets/eon-sirref-primary.cap.age;
78
-
capnpSecretKeyFile = config.age.secrets.eon-capnp.path;
79
-
primaries = [ config.age.secrets.eon-sirref-primary.path ];
81
-
capnpAddress = "135.181.100.27";
85
-
security.acme-eon = {
87
-
package = eon.defaultPackage.${config.nixpkgs.hostPlatform.system};
88
-
defaults.email = "${config.custom.username}@${config.networking.domain}";
89
-
defaults.capFile = "/var/lib/eon/caps/domain/freumh.org.cap";
91
-
"fn06.org".capFile = "/var/lib/eon/caps/domain/fn06.org.cap";
92
-
"capybara.fn06.org".capFile = "/var/lib/eon/caps/domain/fn06.org.cap";
97
-
username = config.custom.username;
98
-
serverIpv4 = "135.181.100.27";
99
-
serverIpv6 = "2a01:4f9:c011:87ad:0:0:0:0";
101
-
fail2ban.enable = true;
103
-
networking.domain = lib.mkDefault "freumh.org";
104
-
eilean.publicInterface = "enp1s0";
105
-
eilean.mailserver.enable = true;
106
-
eilean.radicale = {
110
-
age.secrets.matrix-shared-secret = {
111
-
file = ../../secrets/matrix-shared-secret.age;
113
-
owner = "${config.systemd.services.matrix-synapse.serviceConfig.User}";
114
-
group = "${config.systemd.services.matrix-synapse.serviceConfig.Group}";
118
-
registrationSecretFile = config.age.secrets.matrix-shared-secret.path;
119
-
bridges.whatsapp = true;
120
-
bridges.signal = true;
121
-
bridges.instagram = true;
122
-
bridges.messenger = true;
124
-
eilean.turn.enable = true;
125
-
eilean.mastodon.enable = true;
126
-
eilean.headscale.enable = true;
127
-
#eilean.dns.enable = lib.mkForce false;
129
-
systemd.services.matrix-as-meta = {
130
-
# voice messages need `ffmpeg`
131
-
path = [ pkgs.ffmpeg ];
135
-
freumh.enable = true;
136
-
rmfakecloud.enable = true;
149
-
domain = "fn06.org";
158
-
eilean.dns.nameservers = [ "ns1" ];
159
-
eilean.services.dns.zones = {
160
-
${config.networking.domain} = {
163
-
serial = 2018011660;
170
-
value = "google-site-verification=rEvwSqf7RYKRQltY412qMtTuoxPp64O3L7jMotj9Jnc";
173
-
name = "_atproto.ryan";
175
-
value = "did=did:plc:3lfhu6ehlynzjgehef6alnvg";
187
-
value = "ns1.sirref.org.";
193
-
value = config.eilean.serverIpv4;
198
-
value = config.eilean.serverIpv6;
203
-
value = config.eilean.serverIpv4;
208
-
value = config.eilean.serverIpv6;
214
-
value = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";
220
-
value = "128.232.113.136";
229
-
name = "ns1.eilean";
231
-
value = "65.109.10.223";
236
-
value = "ns1.eilean";
252
-
# sudo openssl x509 -in /var/lib/acme/mail.freumh.org/fullchain.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum | awk '{print "3 1 1", $1}'
254
-
name = "_25._tcp.mail";
256
-
value = "3 1 1 2f0fd413f063c75141937dd196a9f4ab66139d599e0dcf2a7ce6d557647e26a6";
259
-
# for i in r3 e1 r4-cross-signed e2
260
-
# openssl x509 -in ~/downloads/lets-encrypt-$i.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum | awk '{print "2 1 1", $1}'
263
-
name = "_25._tcp.mail";
265
-
value = "2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d";
269
-
name = "_25._tcp.mail";
271
-
value = "2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10";
275
-
name = "_25._tcp.mail";
277
-
value = "2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03";
281
-
name = "_25._tcp.mail";
283
-
value = "2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270";
288
-
soa.serial = 1706745602;
304
-
value = config.eilean.serverIpv4;
309
-
value = config.eilean.serverIpv6;
314
-
value = config.eilean.serverIpv4;
319
-
value = config.eilean.serverIpv6;
325
-
value = config.eilean.serverIpv4;
330
-
value = config.eilean.serverIpv6;
334
-
name = "www.fn06.org.";
336
-
value = "fn06.org.";
342
-
value = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";
346
-
name = "capybara.fn06.org.";
348
-
value = "fn06.org.";
352
-
name = "jellyfin.${config.networking.domain}.";
354
-
value = "2a00:23c6:aa22:e401:8dff:9b9a:cb3c:3fcb";
357
-
name = "jellyseerr.${config.networking.domain}.";
359
-
value = "2a00:23c6:aa22:e401:8dff:9b9a:cb3c:3fcb";
362
-
name = "calibre.${config.networking.domain}.";
364
-
value = "2a00:23c6:aa22:e401:8dff:9b9a:cb3c:3fcb";
369
-
services.bind.zones.${config.networking.domain}.extraConfig =
371
-
dnssec-policy default;
372
-
inline-signing yes;
373
-
journal "${config.services.bind.directory}/${config.networking.domain}.signed.jnl";
376
-
# dig ns org +short | xargs dig +short
377
-
# replace with `checkds true;` in bind 9.20
389
-
services.nginx.commonHttpConfig = ''
390
-
add_header Strict-Transport-Security max-age=31536000 always;
391
-
add_header X-Frame-Options SAMEORIGIN always;
392
-
add_header X-Content-Type-Options nosniff always;
393
-
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
394
-
add_header Referrer-Policy 'same-origin';
396
-
services.nginx.virtualHosts."teapot.${config.networking.domain}" = {
401
-
age.secrets.website-phd = {
402
-
file = ../../secrets/website-phd.age;
404
-
owner = "${config.systemd.services.nginx.serviceConfig.User}";
405
-
group = "${config.systemd.services.nginx.serviceConfig.Group}";
407
-
services.nginx.virtualHosts."${config.custom.website.ryan.domain}" = {
408
-
locations."/phd/" = {
409
-
basicAuthFile = config.age.secrets.website-phd.path;
413
-
security.acme-eon.nginxCerts = [
414
-
"capybara.fn06.org"
418
-
services.nginx.virtualHosts."capybara.fn06.org" = {
422
-
http://100.64.0.10:8123
424
-
proxyWebsockets = true;
427
-
services.nginx.virtualHosts."shrew.freumh.org" = {
430
-
# need to specify ip or there's a bootstrap problem with headscale
432
-
http://100.64.0.6:8123
434
-
proxyWebsockets = true;
438
-
services.mastodon = {
439
-
webProcesses = lib.mkForce 1;
440
-
webThreads = lib.mkForce 1;
441
-
sidekiqThreads = lib.mkForce 1;
442
-
streamingProcesses = lib.mkForce 1;
445
-
boot.kernel.sysctl = {
446
-
"net.ipv4.ip_forward" = 1;
447
-
"net.ipv6.conf.all.forwarding" = 1;
450
-
services.headscale.settings.dns = {
451
-
extra_records = vpnRecords;
452
-
base_domain = "vpn.freumh.org";
453
-
nameservers.global = config.networking.nameservers;
456
-
age.secrets.restic-owl.file = ../../secrets/restic-owl.age;
457
-
services.restic.backups.${config.networking.hostName} = {
458
-
repository = "rest:http://100.64.0.9:8000/${config.networking.hostName}/";
459
-
passwordFile = config.age.secrets.restic-owl.path;
467
-
OnCalendar = "03:00";
468
-
randomizedDelaySec = "1hr";
481
-
age.secrets.email-ryan.file = ../../secrets/email-ryan.age;
482
-
age.secrets.email-system.file = ../../secrets/email-system.age;
483
-
eilean.mailserver.systemAccountPasswordFile = config.age.secrets.email-system.path;
484
-
mailserver.loginAccounts = {
485
-
"${config.eilean.username}@${config.networking.domain}" = {
486
-
passwordFile = config.age.secrets.email-ryan.path;
488
-
"dns@${config.networking.domain}"
489
-
"postmaster@${config.networking.domain}"
492
-
require ["fileinto", "mailbox"];
494
-
if header :contains ["to", "cc"] ["ai-control@ietf.org"] {
495
-
fileinto :create "lists.aietf";
500
-
"misc@${config.networking.domain}" = {
501
-
passwordFile = config.age.secrets.email-ryan.path;
502
-
catchAll = [ "${config.networking.domain}" ];
504
-
"system@${config.networking.domain}" = {
505
-
aliases = [ "nas@${config.networking.domain}" ];
509
-
services.minecraft-server = {
511
-
package = pkgs.overlay-unstable.minecraft-server;
513
-
openFirewall = true;
516
-
networking.firewall.allowedTCPPorts = [ 7001 ];
services.openssh.openFirewall = true;
520
-
age.secrets.tangled = {
521
-
file = ../../secrets/tangled.age;
526
-
services.tangled-knotserver = {
528
-
repo.mainBranch = "master";
529
-
server.hostname = "knot.freumh.org";
531
-
secretFile = config.age.secrets.tangled.path;
532
-
listenAddr = "127.0.0.1:5555";
533
-
internalListenAddr = "127.0.0.1:5444";
536
-
services.nginx.virtualHosts."knot.freumh.org" = {
540
-
http://${config.services.tangled-knotserver.server.listenAddr}
542
-
proxyWebsockets = true;