This commit is contained in:
root 2025-11-04 12:48:38 +00:00
parent 766f143e51
commit 9f40a68eb4
12 changed files with 222 additions and 215 deletions


@ -15,13 +15,12 @@
}; };
outputs = { outputs = {
self,
nixpkgs, nixpkgs,
nixos-mailserver, nixos-mailserver,
agenix, agenix,
... ...
}: let }: let
lib = nixpkgs.lib; inherit (nixpkgs) lib;
in { in {
nixosConfigurations = { nixosConfigurations = {
distrust = lib.nixosSystem { distrust = lib.nixosSystem {


@ -8,7 +8,8 @@
onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion"; onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion";
inherit ((pkgs.formats.elixirConf {}).lib) mkAtom; inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
in { in {
services.akkoma = { services = {
akkoma = {
enable = true; enable = true;
config = { config = {
":pleroma" = { ":pleroma" = {
@ -40,11 +41,12 @@ in {
}; };
}; };
services.caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = '' caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString fediPort} reverse_proxy localhost:${toString fediPort}
''; '';
services.tor.relay.onionServices."akkoma".map = [ tor.relay.onionServices."akkoma".map = [
80 80
]; ];
};
} }
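Review bot: The clearnet name in `caddy.virtualHosts."http://social.distrust.network ${onionUrl}"` carries an explicit `http://` scheme, which makes Caddy serve social.distrust.network over plain HTTP with automatic HTTPS disabled for that host, whereas the sibling git/vault/cloud hosts touched by this commit are declared with `https://`. If that is unintended, `caddy.virtualHosts."https://social.distrust.network ${onionUrl}".extraConfig = ''` brings it in line with the others; if plain HTTP is deliberate (TLS terminated elsewhere, say), a one-line comment stating so would keep the next reader from changing it. The line predates the commit, but the hunk re-nests it. The enclosing attrset of this hunk starts outside it.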


@ -7,7 +7,8 @@
./akkoma.nix ./akkoma.nix
./prosody.nix ./prosody.nix
./lldap.nix ./lldap.nix
./dante.nix # Dante not working right now, possibly misconfigured.
#./dante.nix
./vaultwarden.nix ./vaultwarden.nix
./mailserver.nix ./mailserver.nix
]; ];


@ -2,7 +2,8 @@ let
forgejoPort = 8082; forgejoPort = 8082;
onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion"; onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
in { in {
services.forgejo = { services = {
forgejo = {
enable = true; enable = true;
lfs.enable = false; lfs.enable = false;
settings.server = { settings.server = {
@ -13,11 +14,12 @@ in {
}; };
}; };
services.caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = '' caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString forgejoPort} reverse_proxy localhost:${toString forgejoPort}
''; '';
services.tor.relay.onionServices."forgejo".map = [ tor.relay.onionServices."forgejo".map = [
80 80
]; ];
};
} }


@ -8,7 +8,9 @@
in { in {
age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass; age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass;
services.nextcloud = { users.groups.nextcloud.members = ["nextcloud" "caddy"];
services = {
nextcloud = {
enable = true; enable = true;
hostName = "cloud.distrust.network"; hostName = "cloud.distrust.network";
settings = { settings = {
@ -21,19 +23,21 @@ in {
dbtype = "pgsql"; dbtype = "pgsql";
}; };
package = pkgs.nextcloud32; package = pkgs.nextcloud32;
https = true; https = false;
configureRedis = true; configureRedis = true;
caching.redis = true; caching.redis = true;
database.createLocally = true; database.createLocally = true;
phpOptions = {
"opcache.interned_strings_buffer" = 64;
};
}; };
users.groups.nextcloud.members = ["nextcloud" "caddy"]; nginx.enable = lib.mkForce false;
services.nginx.enable = lib.mkForce false; phpfpm.pools.nextcloud.settings = {
services.phpfpm.pools.nextcloud.settings = {
"listen.owner" = "caddy"; "listen.owner" = "caddy";
"listen.group" = "caddy"; "listen.group" = "caddy";
}; };
services.caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = '' caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
# encode zstd gzip # encode zstd gzip
root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root} root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
@ -93,11 +97,8 @@ in {
file_server file_server
''; '';
services.nextcloud.phpOptions = { tor.relay.onionServices."nextcloud".map = [
"opcache.interned_strings_buffer" = 64;
};
services.tor.relay.onionServices."nextcloud".map = [
80 80
]; ];
};
} }
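Review bot: `https = true;` becomes `https = false;` inside the nextcloud block, a behavioural change buried in what is otherwise a re-nesting refactor, and nothing in the hunk says why. Depending on the nixpkgs revision, that option either stops pinning `overwriteprotocol` to https or sets it to `http` outright; in the latter case generated links and redirects for the HTTPS clearnet name would come out as http://, so it is worth confirming clearnet responses (links, redirects, cookie flags) behind Caddy after this change. Presumably the motive is letting one vhost serve both the plain-HTTP onion and the HTTPS clearnet name without forced https redirects; if so, a comment on that line such as `# false: protocol follows the request so the .onion (HTTP) and clearnet (HTTPS) names can share this vhost` would stop the next reader from reverting it. The enclosing attrset of this hunk starts outside it.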


@ -1,12 +1,12 @@
{ {
pkgs, pkgs,
lib,
config, config,
... ...
}: { }: {
age.secrets."bind_pw".file = ../secrets/bind_pw; age.secrets."bind_pw".file = ../secrets/bind_pw;
services.prosody = { services = {
prosody = {
package = pkgs.prosody.override { package = pkgs.prosody.override {
withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap]; withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
}; };
@ -33,6 +33,20 @@
ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}" ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
''; '';
}; };
caddy.virtualHosts."distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
};
security.acme = { security.acme = {
defaults = { defaults = {
@ -63,18 +77,4 @@
# after = [ "acme-order-renew-chat.distrust.network.service" ]; # after = [ "acme-order-renew-chat.distrust.network.service" ];
serviceConfig.SupplementaryGroups = ["acme"]; serviceConfig.SupplementaryGroups = ["acme"];
}; };
services.caddy.virtualHosts."distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
services.caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
} }
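Review bot: `ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"` (context line at the top of the second hunk) reads the agenix secret at evaluation time, so the LDAP bind password is interpolated into the generated prosody configuration, which presumably ends up in the world-readable Nix store, and evaluation also requires the decrypted file to exist on whatever machine builds the system. Keeping the secret out of the store means having the service pick it up at runtime instead, e.g. by pointing the Lua config at the path that `config.age.secrets."bind_pw".path` already provides rather than inlining its contents. This predates the commit, but the hunk moves the surrounding block, so it is a reasonable moment to address it. The enclosing attrset of both hunks starts and ends outside them.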


@ -1,9 +1,4 @@
{ let
pkgs,
lib,
...
}: let
sitePort = 8080;
onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion"; onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion";
in { in {
services.caddy.virtualHosts = { services.caddy.virtualHosts = {


@ -4,7 +4,8 @@
in { in {
age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env; age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env;
services.vaultwarden = { services = {
vaultwarden = {
enable = true; enable = true;
config = { config = {
DOMAIN = "https://vault.distrust.network"; DOMAIN = "https://vault.distrust.network";
@ -13,11 +14,12 @@ in {
environmentFile = config.age.secrets."vaultwarden.env".path; environmentFile = config.age.secrets."vaultwarden.env".path;
}; };
services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = '' caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString vaultPort} reverse_proxy localhost:${toString vaultPort}
''; '';
services.tor.relay.onionServices."vaultwarden".map = [ tor.relay.onionServices."vaultwarden".map = [
80 80
]; ];
};
} }


@ -55,7 +55,7 @@
<li>Vaultwarden <small><a href="http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion/">[tor]</a> <a href="https://vault.distrust.network">[clearnet]</a> <a title="Once you have logged in for the first time, check your inbox.">[hover]</a></small></li> <li>Vaultwarden <small><a href="http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion/">[tor]</a> <a href="https://vault.distrust.network">[clearnet]</a> <a title="Once you have logged in for the first time, check your inbox.">[hover]</a></small></li>
</ul> </ul>
<p>All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to <code>/dev/null</code>.</p> <p>All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to <code>/dev/null</code>.</p>
<p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks.</p> <p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks. This NixOS config is auditable and freely accessible over <a href="http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion/root/flake">TOR</a> and <a href="https://git.distrust.network/root/flake">clearnet</a>.</p>
<p>If you are interested, <a href="mailto:root@distrust.network?subject=ACCOUNT%20REQUEST&body=Replace%20this%20email%20body%20with%20your%20desired%20username.">email me</a> with your desired username.</p> <p>If you are interested, <a href="mailto:root@distrust.network?subject=ACCOUNT%20REQUEST&body=Replace%20this%20email%20body%20with%20your%20desired%20username.">email me</a> with your desired username.</p>
<hr> <hr>
<a href="mailto:root@distrust.network?subject=INQUIRY">Contact</a><a href="/privacy-policy.html" class="privacy-policy">Privacy Policy</a> <a href="mailto:root@distrust.network?subject=INQUIRY">Contact</a><a href="/privacy-policy.html" class="privacy-policy">Privacy Policy</a>


@ -12,17 +12,19 @@ in {
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "distrust"; networking.hostName = "distrust";
services.openssh = { services = {
openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
ports = [292]; ports = [292];
}; };
services.fail2ban.enable = true; fail2ban.enable = true;
services.endlessh = { endlessh = {
enable = true; enable = true;
port = 22; port = 22;
openFirewall = true; openFirewall = true;
}; };
};
users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"]; users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"];
system.stateVersion = "25.05"; system.stateVersion = "25.05";
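Review bot: `settings.PermitRootLogin = "yes";` in the re-nested openssh block admits root with any authentication method sshd has enabled, so unless password and keyboard-interactive auth are turned off elsewhere (not visible here) root stays reachable by password; since root is given an authorized key just below, `settings.PermitRootLogin = "prohibit-password";` with `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` expresses that intent more tightly. The authorizedKeys blob on the following line has an `=` in the middle of its base64 body, which is not a valid ed25519 public key as written; if that is not a deliberate redaction for publication, sshd will ignore the key and this appears to be the only root login path. Separately, the commit drops `<nixpkgs/nixos/modules/profiles/hardened.nix>` from the imports list that also pulls in `./configuration.nix`, while the site HTML changed in the same commit still advertises a hardened config; if the aim was only to avoid the impure `<nixpkgs>` lookup under flakes, `(modulesPath + "/profiles/hardened.nix")` keeps the profile in the same form the qemu-guest import already uses. The enclosing attrset of this hunk starts outside it.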


@ -3,6 +3,5 @@
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
<nixpkgs/nixos/modules/profiles/hardened.nix>
]; ];
} }


@ -1,8 +1,12 @@
{modulesPath, ...}: { {modulesPath, ...}: {
imports = [(modulesPath + "/profiles/qemu-guest.nix")]; imports = [(modulesPath + "/profiles/qemu-guest.nix")];
boot.loader.grub.device = "/dev/sda"; boot = {
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; loader.grub.device = "/dev/sda";
boot.initrd.kernelModules = ["nvme"]; initrd = {
availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
kernelModules = ["nvme"];
};
};
fileSystems."/" = { fileSystems."/" = {
device = "/dev/sda1"; device = "/dev/sda1";
fsType = "ext4"; fsType = "ext4";