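# NixOS host configuration for "ymir": XMPP (prosody), tinc VPN membership,
# nginx for dirty-haskell.org, sshd and housekeeping.
#
# Fix in this revision: the nginx httpConfig below previously opened the
# `www.dirty-haskell.org` :443 server block *inside* the `dirty-haskell.org`
# :443 block (the closing brace came after both).  nginx does not allow a
# `server` directive nested in another `server`, so the config did not load.
# The three vhosts are now siblings.
{ config, pkgs, ... }:

let
  # Locally packaged Lua modules and the custom prosody auth module.  The
  # referenced .nix files live outside this file.
  luaPam = pkgs.callPackage ./custom/luaPam.nix {};
  luaPosix = pkgs.callPackage ./custom/luaPosix.nix {};
  luaSha2 = pkgs.callPackage ./custom/luaSha2.nix {};
  prosodyAuth = pkgs.callPackage ./custom/prosody-auth.nix {};

  # Build one prosody VirtualHost entry for `name`.  TLS material is expected
  # at certs/<name>.key and certs/<name>.crt (relative to prosody's config dir).
  prosodyVirtHost = name: {
    enabled = true;
    domain = name;
    ssl = {
      key = "certs/${name}.key";
      cert = "certs/${name}.crt";
    };
  };
in {
  imports = [
    ./ymir-hw.nix
    ./custom/zsh.nix
    ./users.nix
    ./custom/tinc/def.nix
  ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/vda";
  };

  # Short TCP keepalives so dead peers (mosh/ssh/xmpp sessions) are noticed
  # after roughly 60s + 6 * 10s instead of the kernel default of ~2 hours.
  boot.kernel.sysctl = {
    "net.ipv4.tcp_keepalive_time" = 60;
    "net.ipv4.tcp_keepalive_intvl" = 10;
    "net.ipv4.tcp_keepalive_probes" = 6;
  };

  # Replace the stock prosody with a locally customized build that carries the
  # extra Lua libraries and the custom authentication module defined above.
  nixpkgs.config.packageOverrides = pkgs: rec {
    prosody = pkgs.callPackage ./customized/prosody.nix ({
      inherit (pkgs.lua51Packages) luasocket luasec luaexpat luafilesystem luabitop luaevent luazlib;
      lua5 = pkgs.lua5_1;
      communityModules = ["mod_carbons"];
      extraModules = [prosodyAuth];
      extraLibs = [luaPam luaPosix luaSha2];
    });
  };

  environment.systemPackages = with pkgs; [
    git
    mosh
    rsync
    tmux
    zsh
  ];

  networking = {
    hostName = "ymir";
    hostId = "1c5c994e";

    firewall = {
      enable = true;
      allowPing = true;
      # Every open port below corresponds to a service enabled in this file
      # (sshd, prosody c2s/s2s, the two tinc networks, nginx).
      allowedTCPPorts = [
        22   # ssh
        5222 # xmpp.s2c
        5269 # xmpp.s2s
        655  # tinc.yggdrasil
        656  # tinc.laeradhr
        80   # http
        443  # https
      ];
      allowedUDPPortRanges = [
        { from = 60000; to = 61000; } # mosh
      ];
    };

    enableIPv6 = true;
    defaultGateway6 = "fe80::1";
    interfaces."enp0s3" = {
      ipv6Address = "2a03:4000:6:d004::";
      ipv6PrefixLength = 64;
    };
  };

  # root shares the shell and the authorized SSH keys of the gkleen user
  # template; no separate root credentials are defined here.
  users.extraUsers.root = let
    template = (import users/gkleen.nix);
  in {
    inherit (template) shell;
    openssh.authorizedKeys.keyFiles = template.openssh.authorizedKeys.keyFiles;
  };

  # Time sync is done by chrony (below); make sure ntpd stays off.
  services.ntp = {
    enable = false;
  };

  nix.binaryCaches = [ "https://cache.nixos.org/" ];
  nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];

  # List services that you want to enable:

  # Key-only SSH: password logins are disabled.
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
  };

  # Weekly garbage collection of Nix store generations older than a week.
  services.fcron = {
    enable = true;
    systab = ''
      %weekly * * nix-collect-garbage --delete-older-than '7d'
    '';
  };

  services.chrony = {
    enable = true;
  };

  # prosody authenticates through the custom module (mod_auth_custom), which
  # in turn uses the "xmpp" PAM service defined further down.  Public
  # registration is off; accounts are created out of band.
  services.prosody = {
    enable = true;
    admins = [ "gkleen@xmpp.li" ];
    allowRegistration = false;
    extraModules = [ "private" "auth_custom" "carbons" ];
    extraConfig = ''
      authentication="custom"
      custom_alias_file="/etc/prosody/aliases"
      custom_alias_secret_file="/etc/prosody/alias_secret"

      Component "alias.xmpp.li"
        Include "/etc/prosody/alias.xmpp.li.cfg.lua"
    '';
    virtualHosts = builtins.listToAttrs (map (name: { inherit name; value = prosodyVirtHost name; }) ["xmpp.li" "yggdrasil.li" "praseodym.org" "141.li"]);
  };

  # PAM stack used by prosody: only members of the "xmpp" group may log in,
  # and they authenticate against the local password database.
  security.pam.services."xmpp".text = ''
    auth requisite pam_succeed_if.so user ingroup xmpp
    auth required pam_unix.so audit
  '';

  # NOTE(review): putting prosody in the "shadow" group and opening
  # /etc/shadow to that group (activation script below) gives the prosody
  # service account read access to every local password hash, not just those
  # of xmpp users.  This is what lets the non-root pam_unix.so check above
  # work; any compromise of prosody therefore exposes all local hashes.
  users.groups."shadow" = {
    members = [ "prosody" ];
  };
  users.groups."xmpp" = {};

  # Runs on every activation, so the permissions survive rebuilds that would
  # otherwise reset /etc/shadow to root-only.
  system.activationScripts."shadow-perms" = ''
    chown root:shadow /etc/shadow
    chmod 0640 /etc/shadow
  '';

  # This host participates in two tinc networks; connect = false means it
  # accepts incoming tinc connections (ports 655/656 above) rather than
  # dialling out.
  services.customTinc.networks = ((import ./custom/tinc/yggdrasil.nix) {
    inherit (pkgs) stdenv nettools openresolv;
    name = "ymir";
    connect = false;
    ipConf = {
      ip4 = [ { address = "10.141.4.1"; prefixLength = 16; } ];
    };
  }) // ((import ./custom/tinc/laeradhr.nix) {
    inherit (pkgs) stdenv nettools openresolv;
    name = "ymir";
    connect = false;
    ipConf = {
      ip4 = [ { address = "10.142.0.3"; prefixLength = 16; } ];
    };
  });

  # Static site for dirty-haskell.org.
  #
  # NOTE(review): the :80 vhost serves the same document root over plain HTTP;
  # there is no redirect to HTTPS.  No ssl_protocols / ssl_ciphers are set, so
  # the TLS parameters are whatever the packaged nginx defaults to.  The 10m
  # client_header_timeout / client_body_timeout keep slow or idle clients
  # attached for a long time; tighten them if this box ever sees abusive
  # traffic.
  services.nginx = {
    enable = true;
    httpConfig = ''
      default_type application/octet-stream;

      log_format main '$remote_addr - $remote_user [$time_local] '
        '"$request" $status $bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '"$gzip_ratio"';

      client_header_timeout 10m;
      client_body_timeout 10m;
      send_timeout 10m;

      connection_pool_size 256;
      client_header_buffer_size 1k;
      large_client_header_buffers 4 2k;
      request_pool_size 4k;

      gzip on;
      gzip_min_length 1100;
      gzip_buffers 4 8k;
      gzip_types text/plain;

      output_buffers 1 32k;
      postpone_output 1460;

      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;

      keepalive_timeout 75 20;

      ignore_invalid_headers on;

      server {
        listen *:80;
        listen [::]:80;
        server_name dirty-haskell.org www.dirty-haskell.org;
        root /srv/www/dirty-haskell.org;
      }

      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name dirty-haskell.org;
        ssl_certificate /etc/nginx/ssl/dirty-haskell.org/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/dirty-haskell.org/privkey.pem;
        root /srv/www/dirty-haskell.org;
      }

      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name www.dirty-haskell.org;
        ssl_certificate /etc/nginx/ssl/www.dirty-haskell.org/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/www.dirty-haskell.org/privkey.pem;
        root /srv/www/dirty-haskell.org;
      }
    '';
  };
}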