{ config, pkgs, ... }: let luaPam = pkgs.callPackage ./custom/luaPam.nix {}; luaPosix = pkgs.callPackage ./custom/luaPosix.nix {}; luaSha2 = pkgs.callPackage ./custom/luaSha2.nix {}; prosodyAuth = pkgs.callPackage ./custom/prosody-auth.nix {}; prosodyVirtHost = name: { enabled = true; domain = name; ssl = { key = "certs/${name}.key"; cert = "certs/${name}.crt"; }; }; simp_le = pkgs.callPackage ./custom/simp_le.nix {}; in rec { imports = [ ./ymir-hw.nix ./custom/zsh.nix ./users.nix ./custom/tinc/def.nix ./custom/ymir-nginx.nix ]; boot.loader.grub = { enable = true; version = 2; device = "/dev/vda"; }; boot.kernel.sysctl = { "net.ipv4.tcp_keepalive_time" = 60; "net.ipv4.tcp_keepalive_intvl" = 10; "net.ipv4.tcp_keepalive_probes" = 6; }; nixpkgs.config.packageOverrides = pkgs: rec { prosody = pkgs.callPackage ./customized/prosody.nix ({ inherit (pkgs.lua51Packages) luasocket luasec luaexpat luafilesystem luabitop luaevent luazlib; lua5 = pkgs.lua5_1; communityModules = ["mod_carbons"]; extraModules = [prosodyAuth]; extraLibs = [luaPam luaPosix luaSha2]; }); uwsgi = pkgs.callPackage ./customized/uwsgi.nix { extraPlugins = [ { name = "cgi"; interpreter = pkgs.python3; path = "plugins/cgi"; deps = [ pkgs.python3 ]; install = '' ${pkgs.python3.executable} -m compileall $out/${pkgs.python3.sitePackages}/ ${pkgs.python3.executable} -O -m compileall $out/${pkgs.python3.sitePackages}/ ''; } ]; plugins = []; }; cgit = pkgs.stdenv.lib.overrideDerivation pkgs.cgit (oldAttrs : { buildInputs = oldAttrs.buildInputs ++ [ pkgs.perl pkgs.python2 pkgs.makeWrapper ]; postInstall = "wrapProgram $out/lib/cgit/filters/syntax-highlighting.py --prefix PYTHONPATH ':' ${pkgs.python.buildEnv.override { extraLibs = with pkgs.python2Packages; [ pygments ]; }}/lib/*/site-packages"; }); }; environment.systemPackages = with pkgs; [ git mosh rsync tmux zsh ]; networking = { hostName = "ymir"; hostId = "1c5c994e"; firewall = { enable = true; allowPing = true; allowedTCPPorts = [ 22 # ssh 5222 # xmpp.s2c 5269 # xmpp.s2s 655 # tinc.yggdrasil 656 # tinc.laeradhr 80 # http 443 # https 9418 # git ]; allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh ]; }; enableIPv6 = true; defaultGateway6 = "fe80::1"; interfaces."enp0s3" = { ipv6Address = "2a03:4000:6:d004::"; ipv6PrefixLength = 64; }; }; users.extraUsers.root = let template = (import users/gkleen.nix); in { inherit (template) shell; openssh.authorizedKeys.keyFiles = template.openssh.authorizedKeys.keyFiles; }; services.ntp = { enable = false; }; nix.binaryCaches = [ "https://cache.nixos.org/" ]; nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; # List services that you want to enable: services.openssh = { enable = true; passwordAuthentication = false; }; services.fcron = { enable = true; systab = '' %weekly * * nix-collect-garbage --delete-older-than '7d' %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"} %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/dirty-haskell.org" "dirty-haskell.org"} %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/www.dirty-haskell.org" "www.dirty-haskell.org"} %daily * * systemctl reload nginx.service ''; }; services.chrony = { enable = true; }; services.prosody = { enable = true; admins = [ "gkleen@xmpp.li" ]; allowRegistration = false; extraModules = [ "private" "auth_custom" "carbons" ]; extraConfig = '' authentication="custom" custom_alias_file="/etc/prosody/aliases" custom_alias_secret_file="/etc/prosody/alias_secret" Component "alias.xmpp.li" Include "/etc/prosody/alias.xmpp.li.cfg.lua" ''; virtualHosts = builtins.listToAttrs (map (name: { inherit name; value = prosodyVirtHost name; }) ["xmpp.li" "yggdrasil.li" "praseodym.org" "141.li"]); }; security.pam.services."xmpp".text = '' auth requisite pam_succeed_if.so user ingroup xmpp auth required pam_unix.so audit ''; users.groups."shadow" = { members = [ "prosody" ]; }; users.groups."xmpp" = {}; system.activationScripts."shadow-perms" = '' chown root:shadow /etc/shadow chmod 0640 /etc/shadow ''; services.customTinc.networks = ((import ./custom/tinc/yggdrasil.nix) { inherit (pkgs) stdenv nettools openresolv; name = "ymir"; connect = false; ipConf = { ip4 = [ { address = "10.141.5.1"; prefixLength = 16; } ]; }; }) // ((import ./custom/tinc/laeradhr.nix) { inherit (pkgs) stdenv nettools openresolv; name = "ymir"; connect = false; ipConf = { ip4 = [ { address = "10.142.0.3"; prefixLength = 16; } ]; }; }); users.extraUsers."nginx".extraGroups = ["uwsgi"]; services.uwsgi = { enable = true; plugins = ["python3" "cgi"]; instance = { type = "normal"; processes = 1; threads = 8; chdir = "${pkgs.cgit}/cgit"; cgi = "${pkgs.cgit}/cgit/cgit.cgi"; socket = "/tmp/cgit.sock"; chmod-socket = "660"; chown-socket = "uwsgi:nginx"; }; }; users.extraUsers."uwsgi".extraGroups = ["git"]; environment.etc."cgitrc" = { enable = true; text = '' robots=noindex, nofollow virtual-root=/ enable-git-config=1 remove-suffix=1 root-title=git.yggdrasil.li root-desc= enable-http-clone=1 enable-commit-graph=1 snapshots=tar tar.gz tar.bz2 tar.xz zip side-by-side-diffs=1 source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh readme=:README.md readme=:README.txt readme=:README readme=:readme.md readme=:readme.txt readme=:readme clone-prefix=git://git.yggdrasil.li/ http://git.yggdrasil.li/ strict-export=git-daemon-export-ok project-list=/srv/git/projects.list section-from-path=2 scan-path=/srv/git/repositories ''; }; services.gitolite = { enable = true; adminPubkey = builtins.readFile (builtins.head (import ./users/gkleen.nix).openssh.authorizedKeys.keyFiles); dataDir = "/srv/git"; }; users.extraUsers."gitolite" = { group = "git"; }; services.gitDaemon = { enable = true; basePath = services.gitolite.dataDir + "/repositories"; }; }