Clean branch

linux/singularity/caddy.nix

@@ -0,0 +1,59 @@
+{ config, ... }:
+
+{
+
+  services.caddy = {
+    enable = true;
+    email = config.constants.postMaster;
+    virtualHosts =
+      let
+        dn = config.constants.domain;
+        msfqdn = config.mailserver.fqdn;
+        mtfqdn = "matrix.${dn}";
+        vaultCfg = config.services.vaultwarden.config;
+        wn = s: "/.well-known/${s}";
+      in
+      {
+        "${dn}".extraConfig = let wnm = wn "matrix"; in ''
+          header ${wnm}/* Content-Type application/json
+          header ${wnm}/* Access-Control-Allow-Origin *
+          respond ${wnm}/server `{ "m.server": "${mtfqdn}:443" }`
+          respond ${wnm}/client `{
+            "m.homeserver": { "base_url": "https://${mtfqdn}" },
+            "m.identity_server": { "base_url": "https://${mtfqdn}" }
+          }`
+        '';
+        ${msfqdn} = {
+          extraConfig = ''
+            file_server ${wn "acme-challenge"}/* {
+              root ${config.security.acme.defaults.webroot}/
+            }
+          '';
+          useACMEHost = msfqdn;
+        };
+        "vault.${dn}".extraConfig =
+          ''
+            reverse_proxy /notifications/hub/negotiate ${vaultCfg.ROCKET_ADDRESS}:${
+              toString vaultCfg.ROCKET_PORT
+            }
+            reverse_proxy /notifications/hub ${vaultCfg.WEBSOCKET_ADDRESS}:${
+              toString vaultCfg.WEBSOCKET_PORT
+            }
+            reverse_proxy ${vaultCfg.ROCKET_ADDRESS}:${
+              toString vaultCfg.ROCKET_PORT
+            } {
+              header_up X-Real-IP {remote_host}
+            }
+          '';
+      };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = config.constants.postMaster;
+      webroot = "/var/lib/acme/acme-challenge";
+    };
+  };
+
+}

linux/singularity/configuration.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+{
+
+  boot = {
+    tmp.cleanOnBoot = true;
+    loader.grub.device = "/dev/sda";
+  };
+
+  constants.sopsFile = ../../common/auths.yaml;
+
+  environment.systemPackages = with pkgs; [
+    bat
+    bottom
+    helix
+  ];
+
+  programs = {
+    fish.enable = true;
+    git.enable = true;
+  };
+
+  sops.secrets."users/root/password".neededForUsers = true;
+
+  system.stateVersion = "23.11";
+
+  users = {
+    mutableUsers = false;
+    users.root = {
+      openssh.authorizedKeys.keys = config.constants.publicKeys;
+      hashedPasswordFile = config.sops.secrets."users/root/password".path;
+      shell = pkgs.fish;
+    };
+  };
+
+  zramSwap.enable = true;
+}

linux/singularity/default.nix

@@ -0,0 +1,16 @@
+{ inputs, ... }: {
+  imports = with inputs; [
+    mailserver.nixosModule
+    sops-nix.nixosModules.sops
+  ] ++ [
+    ./caddy.nix
+    ./configuration.nix
+    ./hardware-configuration.nix
+    ./mailserver.nix
+    ./network.nix
+    ./vaultwarden.nix
+    ./xray.nix
+    ../../common/constants.nix
+    ../../common/secrets.nix
+  ];
+}

linux/singularity/hardware-configuration.nix

@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  # boot.initrd.availableKernelModules =
+  #   [ "ata_piix" "virtio_pci" "virtio_scsi" "sd_mod" ];
+  # boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # fileSystems."/" = {
+  #   device = "/dev/disk/by-uuid/6d3bf8cd-1996-45fb-";
+  #   fsType = "ext4";
+  # };
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
+
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens19.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

linux/singularity/mailserver.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+
+let
+  dn = config.constants.domain;
+  usr = config.constants.userName;
+  mailSecret = "mail/${usr}/password";
+in
+{
+  mailserver =
+    {
+      enable = true;
+      fqdn = "mail.${dn}";
+      domains = [ dn ];
+
+      loginAccounts = {
+        "${usr}@${dn}" = {
+          aliases = [ config.constants.postMaster ];
+          hashedPasswordFile = config.sops.secrets.${mailSecret}.path;
+        };
+      };
+
+      certificateScheme = "acme";
+    };
+  sops.secrets.${mailSecret} = { };
+}

linux/singularity/network.nix

@@ -0,0 +1,34 @@
+{ config, ... }:
+
+let hn = "singularity"; in {
+  networking = {
+    domain = config.constants.domain;
+    firewall.allowedTCPPorts = [ 80 443 50051 ];
+    hostName = hn;
+    hostId = "2cadb253";
+  };
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+    };
+    hostKeys = [{
+      comment = "host@${hn}";
+      path = "/etc/ssh/host";
+      rounds = 100;
+      type = "ed25519";
+    }];
+  };
+
+  sops.secrets."cloudflare/${hn}" = { };
+
+  services.cloudflare-dyndns = {
+    enable = true;
+    apiTokenFile = config.sops.secrets."cloudflare/${hn}".path;
+    domains = builtins.attrNames config.services.caddy.virtualHosts;
+  };
+
+  services.resolved.enable = true;
+}

linux/singularity/vaultwarden.nix

@@ -0,0 +1,18 @@
+{ config, ... }:
+
+{
+  services.vaultwarden = let lh = config.constants.localhost; in {
+    enable = true;
+    config = {
+      # Disable signup
+      SIGNUPS_ALLOWED = false;
+      # Specify service port
+      ROCKET_ADDRESS = lh;
+      ROCKET_PORT = 25487;
+      # Specify notification port
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_ADDRESS = lh;
+      WEBSOCKET_PORT = 40513;
+    };
+  };
+}

linux/singularity/xray.nix

@@ -0,0 +1,10 @@
+{ config, ... }:
+
+let xrayCfg = "xray/config.json"; in {
+  services.xray = {
+    enable = true;
+    settingsFile = config.sops.secrets.${xrayCfg}.path;
+  };
+
+  sops.secrets.${xrayCfg}.mode = "0444";
+}