This commit is contained in:
root 2025-11-04 12:48:38 +00:00
parent 766f143e51
commit 9f40a68eb4
12 changed files with 222 additions and 215 deletions


@ -8,43 +8,45 @@
onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion";
inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
in {
services.akkoma = {
enable = true;
config = {
":pleroma" = {
":instance" = {
name = "social.distrust.network";
description = "Akkoma instance for distrust.network users";
email = "root@distrust.network";
registration_open = false;
};
":ldap" = {
enabled = true;
host = "localhost";
port = 3890;
ssl = false;
tls = false;
base = "ou=people,dc=distrust,dc=network";
uid = "uid";
};
"Pleroma.Upload".base_url = "https://social.distrust.network/media/";
"Pleroma.Web.Endpoint" = {
url.host = "social.distrust.network";
http = {
ip = "0.0.0.0";
port = fediPort;
services = {
akkoma = {
enable = true;
config = {
":pleroma" = {
":instance" = {
name = "social.distrust.network";
description = "Akkoma instance for distrust.network users";
email = "root@distrust.network";
registration_open = false;
};
":ldap" = {
enabled = true;
host = "localhost";
port = 3890;
ssl = false;
tls = false;
base = "ou=people,dc=distrust,dc=network";
uid = "uid";
};
"Pleroma.Upload".base_url = "https://social.distrust.network/media/";
"Pleroma.Web.Endpoint" = {
url.host = "social.distrust.network";
http = {
ip = "0.0.0.0";
port = fediPort;
};
};
"Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator";
};
"Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator";
};
};
caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString fediPort}
'';
tor.relay.onionServices."akkoma".map = [
80
];
};
services.caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString fediPort}
'';
services.tor.relay.onionServices."akkoma".map = [
80
];
}
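Review bot: `ip = "0.0.0.0";` in the `"Pleroma.Web.Endpoint".http` block binds the Akkoma backend on every interface, while the only consumer visible here is `reverse_proxy localhost:${toString fediPort}` in the Caddy vhost below; `ip = "127.0.0.1";` keeps the unproxied port reachable from loopback only, independent of whatever the firewall does. The Caddy site address `"http://social.distrust.network ${onionUrl}"` is also at odds with the forgejo and vaultwarden files, which use `https://` for the clearnet name: an explicit `http://` scheme disables Caddy's automatic HTTPS for that host, so unless TLS is terminated somewhere outside this file the `https://social.distrust.network/media/` in `"Pleroma.Upload".base_url` points at a scheme nothing serves. The `":ldap"` block runs with `ssl = false; tls = false;` against `localhost`, which is acceptable on loopback but deserves a one-line comment stating that the bind must stay on the local host.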


@ -7,7 +7,8 @@
./akkoma.nix
./prosody.nix
./lldap.nix
./dante.nix
# Dante not working right now, possibly misconfigured.
#./dante.nix
./vaultwarden.nix
./mailserver.nix
];


@ -2,22 +2,24 @@ let
forgejoPort = 8082;
onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
in {
services.forgejo = {
enable = true;
lfs.enable = false;
settings.server = {
DOMAIN = "git.distrust.network";
HTTP_PORT = forgejoPort;
ROOT_URL = "https://git.distrust.network/";
SSH_PORT = 292;
services = {
forgejo = {
enable = true;
lfs.enable = false;
settings.server = {
DOMAIN = "git.distrust.network";
HTTP_PORT = forgejoPort;
ROOT_URL = "https://git.distrust.network/";
SSH_PORT = 292;
};
};
caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString forgejoPort}
'';
tor.relay.onionServices."forgejo".map = [
80
];
};
services.caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString forgejoPort}
'';
services.tor.relay.onionServices."forgejo".map = [
80
];
}
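Review bot: `settings.server` sets `HTTP_PORT = forgejoPort` but no `HTTP_ADDR`; the NixOS forgejo module defaults that to `0.0.0.0` as far as I recall, so port 8082 listens on all interfaces although Caddy only reaches it via `reverse_proxy localhost:${toString forgejoPort}`. Adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` keeps the backend loopback-only regardless of firewall state, matching how the proxy actually talks to it. `SSH_PORT = 292;` only changes the port advertised in clone URLs unless Forgejo's built-in SSH server is enabled (`START_SSH_SERVER`), so it presumably relies on the system sshd listening on 292; a comment pointing at where that port is configured would make the dependency visible.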


@ -8,96 +8,97 @@
in {
age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass;
services.nextcloud = {
enable = true;
hostName = "cloud.distrust.network";
settings = {
trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
trusted_proxies = ["127.0.0.1"];
maintenance_window_start = 1;
};
config = {
adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
dbtype = "pgsql";
};
package = pkgs.nextcloud32;
https = true;
configureRedis = true;
caching.redis = true;
database.createLocally = true;
};
users.groups.nextcloud.members = ["nextcloud" "caddy"];
services.nginx.enable = lib.mkForce false;
services.phpfpm.pools.nextcloud.settings = {
"listen.owner" = "caddy";
"listen.group" = "caddy";
services = {
nextcloud = {
enable = true;
hostName = "cloud.distrust.network";
settings = {
trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
trusted_proxies = ["127.0.0.1"];
maintenance_window_start = 1;
};
config = {
adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
dbtype = "pgsql";
};
package = pkgs.nextcloud32;
https = false;
configureRedis = true;
caching.redis = true;
database.createLocally = true;
phpOptions = {
"opcache.interned_strings_buffer" = 64;
};
};
nginx.enable = lib.mkForce false;
phpfpm.pools.nextcloud.settings = {
"listen.owner" = "caddy";
"listen.group" = "caddy";
};
caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
# encode zstd gzip
root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
header {
Strict-Transport-Security max-age=31536000
Permissions-Policy interest-cohort=()
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection "1; mode=block"
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag "noindex, nofollow"
-X-Powered-By
Host {host}
X-Real-IP {remote_host}
X-Forwarded-For {remote_host}
X-Forwarded-Proto {scheme}
X-Forwarded-Host {host}
}
php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
root ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
env front_controller_active true
env modHeadersAvailable true
}
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
file_server
'';
tor.relay.onionServices."nextcloud".map = [
80
];
};
services.caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
# encode zstd gzip
root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
header {
Strict-Transport-Security max-age=31536000
Permissions-Policy interest-cohort=()
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection "1; mode=block"
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag "noindex, nofollow"
-X-Powered-By
Host {host}
X-Real-IP {remote_host}
X-Forwarded-For {remote_host}
X-Forwarded-Proto {scheme}
X-Forwarded-Host {host}
}
php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
root ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
env front_controller_active true
env modHeadersAvailable true
}
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
file_server
'';
services.nextcloud.phpOptions = {
"opcache.interned_strings_buffer" = 64;
};
services.tor.relay.onionServices."nextcloud".map = [
80
];
}
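Review bot: `https = false;` replaces the old `https = true;` inside what is otherwise a pure re-nesting of the file, and nothing on the page explains it; depending on the nixpkgs revision the module either stops setting `overwriteprotocol` or pins it to `http`, and in the latter case every generated link on the clearnet host becomes http despite the `Strict-Transport-Security` header sent from the same vhost — I cannot see the nixpkgs pin, so check which behaviour applies. If the intent is to let the plain-http onion vhost work, say so next to the line, e.g. `https = false; # scheme is taken per request so the http-only onion vhost works`, and watch for redirect loops on the https host. Separately, the `Host`, `X-Real-IP`, `X-Forwarded-For`, `X-Forwarded-Proto` and `X-Forwarded-Host` lines sit inside Caddy's `header { }` directive, which sets response headers, so they are echoed back to the browser rather than handed to PHP; `php_fastcgi` already passes the client address and scheme through the FastCGI environment, so those five lines can be removed (or moved to `request_header` if something downstream genuinely needs them).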


@ -1,36 +1,50 @@
{
pkgs,
lib,
config,
...
}: {
age.secrets."bind_pw".file = ../secrets/bind_pw;
services.prosody = {
package = pkgs.prosody.override {
withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
};
enable = true;
admins = ["root@distrust.network"];
ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
ssl.key = "/var/lib/acme/distrust.network/key.pem";
virtualHosts."distrust.network" = {
enabled = true;
domain = "distrust.network";
services = {
prosody = {
package = pkgs.prosody.override {
withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
};
enable = true;
admins = ["root@distrust.network"];
ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
ssl.key = "/var/lib/acme/distrust.network/key.pem";
virtualHosts."distrust.network" = {
enabled = true;
domain = "distrust.network";
ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
ssl.key = "/var/lib/acme/distrust.network/key.pem";
};
muc = [{domain = "conference.distrust.network";}];
httpFileShare = {
domain = "upload.distrust.network";
path = "/var/lib/prosody";
};
extraConfig = ''
authentication = "ldap"
ldap_base = "ou=people,dc=distrust,dc=network"
ldap_server = "localhost:3890"
ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
'';
};
muc = [{domain = "conference.distrust.network";}];
httpFileShare = {
domain = "upload.distrust.network";
path = "/var/lib/prosody";
};
extraConfig = ''
authentication = "ldap"
ldap_base = "ou=people,dc=distrust,dc=network"
ldap_server = "localhost:3890"
ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
caddy.virtualHosts."distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
};
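Review bot: `ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"` in `extraConfig` reads the agenix secret at evaluation time and interpolates the plaintext into the generated prosody config, which ends up in the world-readable Nix store; every local user, and anything that can copy the store or a binary cache, can read the LDAP bind password, so encrypting `bind_pw` with age buys nothing here. Prosody's config file is Lua, so the secret can be read at runtime instead: `ldap_password = assert(io.open("${config.age.secrets."bind_pw".path}")):read("*l")` — the interpolation then embeds only the path, and the secret's owner/mode must let the prosody user read it (the same kind of arrangement as the `SupplementaryGroups = ["acme"]` in the second hunk). This is pre-existing rather than introduced by the re-nesting, but the password already copied into store history should be rotated once the config stops embedding it.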
@ -63,18 +77,4 @@
# after = [ "acme-order-renew-chat.distrust.network.service" ];
serviceConfig.SupplementaryGroups = ["acme"];
};
services.caddy.virtualHosts."distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
services.caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
}


@ -1,9 +1,4 @@
{
pkgs,
lib,
...
}: let
sitePort = 8080;
let
onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion";
in {
services.caddy.virtualHosts = {
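Review bot: The hunk drops the module's argument set `{ pkgs, lib, ... }:` and the `sitePort = 8080;` binding, turning the file into a plain attribute set, which NixOS accepts; the rest of the file is outside the hunk, though, so any remaining `${toString sitePort}` or reference to `pkgs`/`lib` further down now fails evaluation — worth confirming the body was updated in the same commit. If the port went away because the site is now served statically by Caddy, a short comment above `let` saying so would spare the next reader the archaeology.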


@ -4,20 +4,22 @@
in {
age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env;
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://vault.distrust.network";
ROCKET_PORT = vaultPort;
services = {
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://vault.distrust.network";
ROCKET_PORT = vaultPort;
};
environmentFile = config.age.secrets."vaultwarden.env".path;
};
environmentFile = config.age.secrets."vaultwarden.env".path;
caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString vaultPort}
'';
tor.relay.onionServices."vaultwarden".map = [
80
];
};
services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString vaultPort}
'';
services.tor.relay.onionServices."vaultwarden".map = [
80
];
}
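Review bot: The `config` block sets `ROCKET_PORT = vaultPort` but no `ROCKET_ADDRESS`, and Vaultwarden's own default for it is `0.0.0.0`, so unless `vaultwarden.env` (not on the page) overrides it the Rocket listener is reachable from every interface while Caddy only proxies to `localhost:${toString vaultPort}`; add `ROCKET_ADDRESS = "127.0.0.1";` beside `ROCKET_PORT`. Likewise nothing visible sets `SIGNUPS_ALLOWED`, which defaults to true, so open registration stays on unless the env file disables it — putting `SIGNUPS_ALLOWED = false;` in the Nix config makes that decision reviewable instead of hidden in a secret file. Both were already the case before this commit; the re-nesting just makes this the convenient place to add them.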