···
-
name = "nix-cache.vpn.${config.networking.domain}.";
-
name = "jellyfin.vpn.${config.networking.domain}.";
-
name = "nextcloud.vpn.${config.networking.domain}.";
-
name = "transmission.vpn.${config.networking.domain}.";
-
name = "owntracks.vpn.${config.networking.domain}.";
-
name = "immich.vpn.${config.networking.domain}.";
-
name = "audiobookshelf.vpn.${config.networking.domain}.";
./hardware-configuration.nix
-
../../modules/colour-guesser.nix
../../modules/ryan-website.nix
../../modules/alec-website.nix
../../modules/fn06-website.nix
···
environment.systemPackages = with pkgs; [
-
age.secrets.eon-capnp = {
-
file = ../../secrets/eon-capnp.age;
-
age.secrets.eon-sirref-primary = {
-
file = ../../secrets/eon-sirref-primary.cap.age;
-
capnpSecretKeyFile = config.age.secrets.eon-capnp.path;
-
primaries = [ config.age.secrets.eon-sirref-primary.path ];
-
capnpAddress = "135.181.100.27";
-
package = eon.defaultPackage.${config.nixpkgs.hostPlatform.system};
-
defaults.email = "${config.custom.username}@${config.networking.domain}";
-
defaults.capFile = "/var/lib/eon/caps/domain/freumh.org.cap";
-
"fn06.org".capFile = "/var/lib/eon/caps/domain/fn06.org.cap";
-
"capybara.fn06.org".capFile = "/var/lib/eon/caps/domain/fn06.org.cap";
-
username = config.custom.username;
-
serverIpv4 = "135.181.100.27";
-
serverIpv6 = "2a01:4f9:c011:87ad:0:0:0:0";
-
fail2ban.enable = true;
-
networking.domain = lib.mkDefault "freumh.org";
-
eilean.publicInterface = "enp1s0";
-
eilean.mailserver.enable = true;
-
age.secrets.matrix-shared-secret = {
-
file = ../../secrets/matrix-shared-secret.age;
-
owner = "${config.systemd.services.matrix-synapse.serviceConfig.User}";
-
group = "${config.systemd.services.matrix-synapse.serviceConfig.Group}";
-
registrationSecretFile = config.age.secrets.matrix-shared-secret.path;
-
bridges.whatsapp = true;
-
bridges.instagram = true;
-
bridges.messenger = true;
-
eilean.turn.enable = true;
-
eilean.mastodon.enable = true;
-
eilean.headscale.enable = true;
-
#eilean.dns.enable = lib.mkForce false;
-
systemd.services.matrix-as-meta = {
-
# voice messages need `ffmpeg`
-
path = [ pkgs.ffmpeg ];
-
rmfakecloud.enable = true;
-
eilean.dns.nameservers = [ "ns1" ];
-
eilean.services.dns.zones = {
-
${config.networking.domain} = {
-
value = "google-site-verification=rEvwSqf7RYKRQltY412qMtTuoxPp64O3L7jMotj9Jnc";
-
name = "_atproto.ryan";
-
value = "did=did:plc:3lfhu6ehlynzjgehef6alnvg";
-
value = "ns1.sirref.org.";
-
value = config.eilean.serverIpv4;
-
value = config.eilean.serverIpv6;
-
value = config.eilean.serverIpv4;
-
value = config.eilean.serverIpv6;
-
value = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";
-
value = "128.232.113.136";
-
value = "65.109.10.223";
-
# sudo openssl x509 -in /var/lib/acme/mail.freumh.org/fullchain.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum | awk '{print "3 1 1", $1}'
-
name = "_25._tcp.mail";
-
value = "3 1 1 2f0fd413f063c75141937dd196a9f4ab66139d599e0dcf2a7ce6d557647e26a6";
-
# for i in r3 e1 r4-cross-signed e2
-
# openssl x509 -in ~/downloads/lets-encrypt-$i.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum | awk '{print "2 1 1", $1}'
-
name = "_25._tcp.mail";
-
value = "2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d";
-
name = "_25._tcp.mail";
-
value = "2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10";
-
name = "_25._tcp.mail";
-
value = "2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03";
-
name = "_25._tcp.mail";
-
value = "2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270";
-
soa.serial = 1706745602;
-
value = config.eilean.serverIpv4;
-
value = config.eilean.serverIpv6;
-
value = config.eilean.serverIpv4;
-
value = config.eilean.serverIpv6;
-
value = config.eilean.serverIpv4;
-
value = config.eilean.serverIpv6;
-
name = "www.fn06.org.";
-
value = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";
-
name = "capybara.fn06.org.";
-
name = "jellyfin.${config.networking.domain}.";
-
value = "2a00:23c6:aa22:e401:8dff:9b9a:cb3c:3fcb";
-
name = "jellyseerr.${config.networking.domain}.";
-
value = "2a00:23c6:aa22:e401:8dff:9b9a:cb3c:3fcb";
-
name = "calibre.${config.networking.domain}.";
-
value = "2a00:23c6:aa22:e401:8dff:9b9a:cb3c:3fcb";
-
services.bind.zones.${config.networking.domain}.extraConfig =
-
journal "${config.services.bind.directory}/${config.networking.domain}.signed.jnl";
-
# dig ns org +short | xargs dig +short
-
# replace with `checkds true;` in bind 9.20
-
services.nginx.commonHttpConfig = ''
-
add_header Strict-Transport-Security max-age=31536000 always;
-
add_header X-Frame-Options SAMEORIGIN always;
-
add_header X-Content-Type-Options nosniff always;
-
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
-
add_header Referrer-Policy 'same-origin';
-
services.nginx.virtualHosts."teapot.${config.networking.domain}" = {
-
age.secrets.website-phd = {
-
file = ../../secrets/website-phd.age;
-
owner = "${config.systemd.services.nginx.serviceConfig.User}";
-
group = "${config.systemd.services.nginx.serviceConfig.Group}";
-
services.nginx.virtualHosts."${config.custom.website.ryan.domain}" = {
-
basicAuthFile = config.age.secrets.website-phd.path;
-
security.acme-eon.nginxCerts = [
-
services.nginx.virtualHosts."capybara.fn06.org" = {
-
http://100.64.0.10:8123
-
proxyWebsockets = true;
-
services.nginx.virtualHosts."shrew.freumh.org" = {
-
# need to specify ip or there's a bootstrap problem with headscale
-
proxyWebsockets = true;
-
webProcesses = lib.mkForce 1;
-
webThreads = lib.mkForce 1;
-
sidekiqThreads = lib.mkForce 1;
-
streamingProcesses = lib.mkForce 1;
-
"net.ipv4.ip_forward" = 1;
-
"net.ipv6.conf.all.forwarding" = 1;
-
services.headscale.settings.dns = {
-
extra_records = vpnRecords;
-
base_domain = "vpn.freumh.org";
-
nameservers.global = config.networking.nameservers;
-
age.secrets.restic-owl.file = ../../secrets/restic-owl.age;
-
services.restic.backups.${config.networking.hostName} = {
-
repository = "rest:http://100.64.0.9:8000/${config.networking.hostName}/";
-
passwordFile = config.age.secrets.restic-owl.path;
-
randomizedDelaySec = "1hr";
···
-
age.secrets.email-ryan.file = ../../secrets/email-ryan.age;
-
age.secrets.email-system.file = ../../secrets/email-system.age;
-
eilean.mailserver.systemAccountPasswordFile = config.age.secrets.email-system.path;
-
mailserver.loginAccounts = {
-
"${config.eilean.username}@${config.networking.domain}" = {
-
passwordFile = config.age.secrets.email-ryan.path;
-
"dns@${config.networking.domain}"
-
"postmaster@${config.networking.domain}"
-
require ["fileinto", "mailbox"];
-
if header :contains ["to", "cc"] ["ai-control@ietf.org"] {
-
fileinto :create "lists.aietf";
-
"misc@${config.networking.domain}" = {
-
passwordFile = config.age.secrets.email-ryan.path;
-
catchAll = [ "${config.networking.domain}" ];
-
"system@${config.networking.domain}" = {
-
aliases = [ "nas@${config.networking.domain}" ];
-
services.minecraft-server = {
-
package = pkgs.overlay-unstable.minecraft-server;
-
networking.firewall.allowedTCPPorts = [ 7001 ];
services.openssh.openFirewall = true;
-
age.secrets.tangled = {
-
file = ../../secrets/tangled.age;
-
services.tangled-knotserver = {
-
repo.mainBranch = "master";
-
server.hostname = "knot.freumh.org";
-
secretFile = config.age.secrets.tangled.path;
-
listenAddr = "127.0.0.1:5555";
-
internalListenAddr = "127.0.0.1:5444";
-
services.nginx.virtualHosts."knot.freumh.org" = {
-
http://${config.services.tangled-knotserver.server.listenAddr}
-
proxyWebsockets = true;
ryan.freumh.org