diff --git a/.gitattributes b/.gitattributes index f3daf0d..b79f44d 100644 --- a/.gitattributes +++ b/.gitattributes @@ -3,4 +3,4 @@ secrets.config.nix filter=git-crypt diff=git-crypt **/*.age filter=git-crypt diff=git-crypt -machines/magenta/mail-accounts.nix filter=git-crypt diff=git-crypt +machines/magenta/services/mailserver-accounts.nix filter=git-crypt diff=git-crypt diff --git a/flake.nix b/flake.nix index bd229f9..6ce9a14 100644 --- a/flake.nix +++ b/flake.nix @@ -128,6 +128,11 @@ }; config.deployment = { inherit targetHost; }; }) + # base home manager settings + ({ ... }: { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + }) ]; }) (import ./machines inputs); diff --git a/machines/magenta/default.nix b/machines/magenta/default.nix index 0a34ed4..4b484f4 100644 --- a/machines/magenta/default.nix +++ b/machines/magenta/default.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let data = import ../../data.nix; @@ -7,9 +7,11 @@ in imports = [ ./hardware-configuration.nix ./networking.nix # generated at runtime by nixos-infect - ./mail-accounts.nix ../modules/common.nix ../modules/nix.nix + ../modules/nginx.nix + ./services/mailserver.nix + ./services/gitea.nix ]; boot.cleanTmpDir = true; @@ -23,18 +25,4 @@ in acceptTerms = true; defaults.email = "dmitriy@pleshevski.ru"; }; - - - # See: https://nixos-mailserver.readthedocs.io/en/latest/options.html - mailserver = { - enable = true; - fqdn = "mail.pleshevski.ru"; - domains = [ "pleshevski.ru" ]; - - # Use Let's Encrypt certificates. Note that this needs to set up a stripped - # down nginx and opens port 80. - certificateScheme = 3; - - hierarchySeparator = "/"; - }; } diff --git a/machines/magenta/mail-accounts.nix b/machines/magenta/mail-accounts.nix deleted file mode 100644 index a7674f9..0000000 Binary files a/machines/magenta/mail-accounts.nix and /dev/null differ 
diff --git a/machines/magenta/services/gitea.nix b/machines/magenta/services/gitea.nix
new file mode 100644
index 0000000..27deb90
--- /dev/null
+++ b/machines/magenta/services/gitea.nix
@@ -0,0 +1,135 @@
+{ config, pkgs, lib, ... }:
+
+let hostname = "nix-git.pleshevski.ru"; in
+{
+ services.postgresql.package = pkgs.postgresql_14;
+
+ programs.git = {
+ enable = true;
+ config = {
+ user = {
+ email = "gitea@noreply.pleshevski.ru";
+ name = "Gitea";
+ signingKey = "7B1C00B534537C0E";
+ };
+ gpg.program = "/run/current-system/sw/bin/gpg";
+ commit.gpgSign = true;
+ tag.gpgSign = true;
+ core = {
+ quotePath = false;
+ commitGraph = true;
+ };
+ receive = {
+ advertisePushOptions = true;
+ procReceiveRefs = "refs/for";
+ };
+ gc.writeCommitGraph = true;
+ };
+ };
+
+ programs.gnupg.agent.enable = true;
+
+ services.gitea = {
+ enable = true;
+ httpPort = 9901;
+ domain = hostname;
+ rootUrl = "https://${hostname}";
+ appName = "Pleshevskiy Git Repositories";
+ mailerPasswordFile = config.age.secrets.gitea-mailserver-passfile.path;
+ database = {
+ type = "postgres";
+ host = "/run/postgresql";
+ port = config.services.postgresql.port;
+ };
+ lfs.enable = true;
+ settings = {
+ log = {
+ LEVEL = "Debug";
+ ENABLE_SSH_LOG = true;
+ };
+ database = {
+ CHARSET = "utf8";
+ LOG_SQL = false;
+ };
+ server.DISABLE_ROUTER_LOG = true;
+ service = {
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ DEFAULT_KEEP_EMAIL_PRIVATE = false;
+ DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
+ DEFAULT_ENABLE_TIMETRACKING = true;
+ DEFAULT_ENABLE_DEPENDENCIES = false;
+ DISABLE_REGISTRATION = true;
+ ENABLE_NOTIFY_MAIL = false;
+ ENABLE_CAPTCHA = false;
+ ENABLE_TIMETRACKING = false;
+ REQUIRE_SIGNIN_VIEW = false;
+ REGISTER_EMAIL_CONFIRM = false;
+ NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
+ };
+ repository = {
+ DISABLE_MIGRATIONS = false;
+ DISABLE_HTTP_GIT = false;
+ DISABLE_STARS = true;
+ DEFAULT_BRANCH = "main";
+ DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = true;
+ };
+ "repository.signing" = {
+ #SIGNING_EMAIL = "gitea@noreply.pleshevski.ru";
+ #SIGNING_NAME = "Gitea";
+ #SIGNING_KEY = "E1DDBF5A1406BB987779A85F55B75599806CD426";
+ SIGNING_KEY = "default";
+ 
DEFAULT_TRUST_MODEL = "collaboratorcommiter";
+ MERGES = "pubkey,basesigned,commitssigned";
+ };
+ "repository.local" = {
+ LOCAL_COPY_PATH = "${config.services.gitea.stateDir}/tmp/local-repo";
+ };
+ "repository.upload" = {
+ TEMP_PATH = "${config.services.gitea.stateDir}/uploads";
+ ALLOWED_TYPES = "image/*";
+ };
+ "repository.pull-request" = {
+ WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
+ };
+ indexer = {
+ ISSUE_INDEXER_PATH = "${config.services.gitea.stateDir}/indexers/issues.bleve";
+ };
+ sessions = {
+ PROVIDER = "file";
+ PROVIDER_CONFIG = "${config.services.gitea.stateDir}/sessions";
+ };
+ picture = {
+ AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/avatars";
+ REPOSITORY_AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/repo-avatars";
+ DISABLE_GRAVATAR = false;
+ ENABLE_FEDERATED_AVATAR = true;
+ };
+ attachment = {
+ PATH = "${config.services.gitea.stateDir}/attachments";
+ };
+ mailer = {
+ ENABLED = true;
+ MAILER_TYPE = "smtp";
+ FROM = "\"${config.services.gitea.appName}\" ";
+ USER = "dmitriy@pleshevski.ru";
+ HOST = "mail.pleshevski.ru:465";
+ };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = false;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts.${hostname} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:${toString config.services.gitea.httpPort}/";
+ };
+
+ age.secrets.gitea-mailserver-passfile = {
+ file = ../../../secrets/mailserver-users-jan-passfile.age;
+ owner = config.services.gitea.user;
+ group = "gitea";
+ };
+}
diff --git a/machines/magenta/services/mailserver-accounts.nix b/machines/magenta/services/mailserver-accounts.nix
new file mode 100644
index 0000000..f6190fc
Binary files /dev/null and b/machines/magenta/services/mailserver-accounts.nix differ
diff --git a/machines/magenta/services/mailserver.nix b/machines/magenta/services/mailserver.nix
new file mode 100644
index 0000000..dcde596
--- /dev/null
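Review bot: The Gitea mailer is configured to authenticate as the owner's personal mailbox — `USER = "dmitriy@pleshevski.ru"` paired with the secret `mailserver-users-jan-passfile.age`, which `age.secrets.gitea-mailserver-passfile` makes readable by the gitea service user — so a compromise of the internet-facing Gitea process appears to yield a personal mail credential rather than a service-scoped one; a dedicated login account on the mailserver for Gitea (e.g. `gitea@pleshevski.ru`) with its own age secret would contain that blast radius. `DEFAULT_TRUST_MODEL = "collaboratorcommiter"` looks misspelled against Gitea's documented value `collaboratorcommitter`; since this setting decides which signatures `MERGES = "pubkey,basesigned,commitssigned"` will trust and an unrecognised value may be silently replaced rather than rejected at startup, verify the effective value in the admin configuration view. `LEVEL = "Debug"` on a public instance is also worth a second look, as debug logging records more request and session detail than production needs. Finally, the plaintext listener on `httpPort = 9901` is only reached through the nginx proxy, so adding `httpAddress = "127.0.0.1";` (if the module default is not loopback) keeps it off non-loopback interfaces independently of the firewall rules in `machines/modules/nginx.nix`.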
+++ b/machines/magenta/services/mailserver.nix @@ -0,0 +1,18 @@ +{ ... }: + +{ + imports = [ ./mailserver-accounts.nix ]; + + # See: https://nixos-mailserver.readthedocs.io/en/latest/options.html + mailserver = { + enable = true; + fqdn = "mail.pleshevski.ru"; + domains = [ "pleshevski.ru" ]; + + # Use Let's Encrypt certificates. Note that this needs to set up a stripped + # down nginx and opens port 80. + certificateScheme = 3; + + hierarchySeparator = "/"; + }; +} diff --git a/machines/modules/nginx.nix b/machines/modules/nginx.nix new file mode 100644 index 0000000..185498d --- /dev/null +++ b/machines/modules/nginx.nix @@ -0,0 +1,11 @@ +{ + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} diff --git a/notes/ssh.md b/notes/ssh.md new file mode 100644 index 0000000..4523e3f --- /dev/null +++ b/notes/ssh.md @@ -0,0 +1,11 @@ +# Get key for machine + +```sh +ssh-keyscan +``` + +If you want to get key for the current machine you can use the following code + +```sh +ssh-keyscan localhost +``` diff --git a/users/jan/default.nix b/users/jan/default.nix index 1b53bf1..0a82b48 100644 --- a/users/jan/default.nix +++ b/users/jan/default.nix @@ -21,18 +21,14 @@ passwordFile = config.age.secrets.users-jan-passfile.path; }; - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - users.jan = { lib, ... }: { - imports = [ - inputs.wired.homeManagerModules.default - ./home.nix - extraHomeModule - ]; + home-manager.users.jan = { lib, ... }: { + imports = [ + inputs.wired.homeManagerModules.default + ./home.nix + extraHomeModule + ]; - home.stateVersion = config.system.stateVersion; - }; + home.stateVersion = config.system.stateVersion; }; nix.settings.trusted-users = lib.mkAfter [ "jan" ];