root/flake
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tweaks

Browse source
This commit is contained in:
root 2025-11-04 12:48:38 +00:00
parent 766f143e51
commit 9f40a68eb4
12 changed files with 222 additions and 215 deletions
Download patch file Download diff file Expand all files Collapse all files

3
flake.nix
View file

@ -15,13 +15,12 @@
}; };
outputs = { outputs = {
self,
nixpkgs, nixpkgs,
nixos-mailserver, nixos-mailserver,
agenix, agenix,
... ...
}: let }: let
lib = nixpkgs.lib; inherit (nixpkgs) lib;
in { in {
nixosConfigurations = { nixosConfigurations = {
distrust = lib.nixosSystem { distrust = lib.nixosSystem {

70
services/akkoma.nix
View file

@ -8,43 +8,45 @@
onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion"; onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion";
inherit ((pkgs.formats.elixirConf {}).lib) mkAtom; inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
in { in {
services.akkoma = { services = {
enable = true; akkoma = {
config = { enable = true;
":pleroma" = { config = {
":instance" = { ":pleroma" = {
name = "social.distrust.network"; ":instance" = {
description = "Akkoma instance for distrust.network users"; name = "social.distrust.network";
email = "root@distrust.network"; description = "Akkoma instance for distrust.network users";
registration_open = false; email = "root@distrust.network";
}; registration_open = false;
":ldap" = {
enabled = true;
host = "localhost";
port = 3890;
ssl = false;
tls = false;
base = "ou=people,dc=distrust,dc=network";
uid = "uid";
};
"Pleroma.Upload".base_url = "https://social.distrust.network/media/";
"Pleroma.Web.Endpoint" = {
url.host = "social.distrust.network";
http = {
ip = "0.0.0.0";
port = fediPort;
}; };
":ldap" = {
enabled = true;
host = "localhost";
port = 3890;
ssl = false;
tls = false;
base = "ou=people,dc=distrust,dc=network";
uid = "uid";
};
"Pleroma.Upload".base_url = "https://social.distrust.network/media/";
"Pleroma.Web.Endpoint" = {
url.host = "social.distrust.network";
http = {
ip = "0.0.0.0";
port = fediPort;
};
};
"Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator";
}; };
"Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator";
}; };
}; };
caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString fediPort}
'';
tor.relay.onionServices."akkoma".map = [
80
];
}; };
services.caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString fediPort}
'';
services.tor.relay.onionServices."akkoma".map = [
80
];
} }

3
services/default.nix
View file

@ -7,7 +7,8 @@
./akkoma.nix ./akkoma.nix
./prosody.nix ./prosody.nix
./lldap.nix ./lldap.nix
./dante.nix # Dante not working right now, possibly misconfigured.
#./dante.nix
./vaultwarden.nix ./vaultwarden.nix
./mailserver.nix ./mailserver.nix
]; ];

34
services/forgejo.nix
View file

@ -2,22 +2,24 @@ let
forgejoPort = 8082; forgejoPort = 8082;
onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion"; onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
in { in {
services.forgejo = { services = {
enable = true; forgejo = {
lfs.enable = false; enable = true;
settings.server = { lfs.enable = false;
DOMAIN = "git.distrust.network"; settings.server = {
HTTP_PORT = forgejoPort; DOMAIN = "git.distrust.network";
ROOT_URL = "https://git.distrust.network/"; HTTP_PORT = forgejoPort;
SSH_PORT = 292; ROOT_URL = "https://git.distrust.network/";
SSH_PORT = 292;
};
}; };
caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString forgejoPort}
'';
tor.relay.onionServices."forgejo".map = [
80
];
}; };
services.caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString forgejoPort}
'';
services.tor.relay.onionServices."forgejo".map = [
80
];
} }

181
services/nextcloud.nix
View file

@ -8,96 +8,97 @@
in { in {
age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass; age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass;
services.nextcloud = {
enable = true;
hostName = "cloud.distrust.network";
settings = {
trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
trusted_proxies = ["127.0.0.1"];
maintenance_window_start = 1;
};
config = {
adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
dbtype = "pgsql";
};
package = pkgs.nextcloud32;
https = true;
configureRedis = true;
caching.redis = true;
database.createLocally = true;
};
users.groups.nextcloud.members = ["nextcloud" "caddy"]; users.groups.nextcloud.members = ["nextcloud" "caddy"];
services.nginx.enable = lib.mkForce false; services = {
services.phpfpm.pools.nextcloud.settings = { nextcloud = {
"listen.owner" = "caddy"; enable = true;
"listen.group" = "caddy"; hostName = "cloud.distrust.network";
settings = {
trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
trusted_proxies = ["127.0.0.1"];
maintenance_window_start = 1;
};
config = {
adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
dbtype = "pgsql";
};
package = pkgs.nextcloud32;
https = false;
configureRedis = true;
caching.redis = true;
database.createLocally = true;
phpOptions = {
"opcache.interned_strings_buffer" = 64;
};
};
nginx.enable = lib.mkForce false;
phpfpm.pools.nextcloud.settings = {
"listen.owner" = "caddy";
"listen.group" = "caddy";
};
caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
# encode zstd gzip
root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
header {
Strict-Transport-Security max-age=31536000
Permissions-Policy interest-cohort=()
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection "1; mode=block"
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag "noindex, nofollow"
-X-Powered-By
Host {host}
X-Real-IP {remote_host}
X-Forwarded-For {remote_host}
X-Forwarded-Proto {scheme}
X-Forwarded-Host {host}
}
php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
root ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
env front_controller_active true
env modHeadersAvailable true
}
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
file_server
'';
tor.relay.onionServices."nextcloud".map = [
80
];
}; };
services.caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
# encode zstd gzip
root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
header {
Strict-Transport-Security max-age=31536000
Permissions-Policy interest-cohort=()
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection "1; mode=block"
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag "noindex, nofollow"
-X-Powered-By
Host {host}
X-Real-IP {remote_host}
X-Forwarded-For {remote_host}
X-Forwarded-Proto {scheme}
X-Forwarded-Host {host}
}
php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
root ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
env front_controller_active true
env modHeadersAvailable true
}
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
file_server
'';
services.nextcloud.phpOptions = {
"opcache.interned_strings_buffer" = 64;
};
services.tor.relay.onionServices."nextcloud".map = [
80
];
} }

74
services/prosody.nix
View file

@ -1,36 +1,50 @@
{ {
pkgs, pkgs,
lib,
config, config,
... ...
}: { }: {
age.secrets."bind_pw".file = ../secrets/bind_pw; age.secrets."bind_pw".file = ../secrets/bind_pw;
services.prosody = { services = {
package = pkgs.prosody.override { prosody = {
withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap]; package = pkgs.prosody.override {
}; withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
enable = true; };
admins = ["root@distrust.network"]; enable = true;
ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem"; admins = ["root@distrust.network"];
ssl.key = "/var/lib/acme/distrust.network/key.pem";
virtualHosts."distrust.network" = {
enabled = true;
domain = "distrust.network";
ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem"; ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
ssl.key = "/var/lib/acme/distrust.network/key.pem"; ssl.key = "/var/lib/acme/distrust.network/key.pem";
virtualHosts."distrust.network" = {
enabled = true;
domain = "distrust.network";
ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
ssl.key = "/var/lib/acme/distrust.network/key.pem";
};
muc = [{domain = "conference.distrust.network";}];
httpFileShare = {
domain = "upload.distrust.network";
path = "/var/lib/prosody";
};
extraConfig = ''
authentication = "ldap"
ldap_base = "ou=people,dc=distrust,dc=network"
ldap_server = "localhost:3890"
ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
'';
}; };
muc = [{domain = "conference.distrust.network";}]; caddy.virtualHosts."distrust.network".extraConfig = ''
httpFileShare = { handle /.well-known/* {
domain = "upload.distrust.network"; root * /var/lib/acme/
path = "/var/lib/prosody"; file_server
}; }
extraConfig = '' '';
authentication = "ldap"
ldap_base = "ou=people,dc=distrust,dc=network" caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
ldap_server = "localhost:3890" handle /.well-known/* {
ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network" root * /var/lib/acme/
ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}" file_server
}
''; '';
}; };
@ -63,18 +77,4 @@
# after = [ "acme-order-renew-chat.distrust.network.service" ]; # after = [ "acme-order-renew-chat.distrust.network.service" ];
serviceConfig.SupplementaryGroups = ["acme"]; serviceConfig.SupplementaryGroups = ["acme"];
}; };
services.caddy.virtualHosts."distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
services.caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
} }

7
services/site.nix
View file

@ -1,9 +1,4 @@
{ let
pkgs,
lib,
...
}: let
sitePort = 8080;
onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion"; onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion";
in { in {
services.caddy.virtualHosts = { services.caddy.virtualHosts = {

30
services/vaultwarden.nix
View file

@ -4,20 +4,22 @@
in { in {
age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env; age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env;
services.vaultwarden = { services = {
enable = true; vaultwarden = {
config = { enable = true;
DOMAIN = "https://vault.distrust.network"; config = {
ROCKET_PORT = vaultPort; DOMAIN = "https://vault.distrust.network";
ROCKET_PORT = vaultPort;
};
environmentFile = config.age.secrets."vaultwarden.env".path;
}; };
environmentFile = config.age.secrets."vaultwarden.env".path;
caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString vaultPort}
'';
tor.relay.onionServices."vaultwarden".map = [
80
];
}; };
services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
reverse_proxy localhost:${toString vaultPort}
'';
services.tor.relay.onionServices."vaultwarden".map = [
80
];
} }

2
site/index.html
View file

@ -55,7 +55,7 @@
<li>Vaultwarden <small><a href="http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion/">[tor]</a> <a href="https://vault.distrust.network">[clearnet]</a> <a title="Once you have logged in for the first time, check your inbox.">[hover]</a></small></li> <li>Vaultwarden <small><a href="http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion/">[tor]</a> <a href="https://vault.distrust.network">[clearnet]</a> <a title="Once you have logged in for the first time, check your inbox.">[hover]</a></small></li>
</ul> </ul>
<p>All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to <code>/dev/null</code>.</p> <p>All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to <code>/dev/null</code>.</p>
<p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks.</p> <p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks. This NixOS config is auditable and freely accessible over <a href="http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion/root/flake">TOR</a> and <a href="https://git.distrust.network/root/flake">clearnet</a>.</p>
<p>If you are interested, <a href="mailto:root@distrust.network?subject=ACCOUNT%20REQUEST&body=Replace%20this%20email%20body%20with%20your%20desired%20username.">email me</a> with your desired username.</p> <p>If you are interested, <a href="mailto:root@distrust.network?subject=ACCOUNT%20REQUEST&body=Replace%20this%20email%20body%20with%20your%20desired%20username.">email me</a> with your desired username.</p>
<hr> <hr>
<a href="mailto:root@distrust.network?subject=INQUIRY">Contact</a><a href="/privacy-policy.html" class="privacy-policy">Privacy Policy</a> <a href="mailto:root@distrust.network?subject=INQUIRY">Contact</a><a href="/privacy-policy.html" class="privacy-policy">Privacy Policy</a>

22
system/configuration.nix
View file

@ -12,16 +12,18 @@ in {
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "distrust"; networking.hostName = "distrust";
services.openssh = { services = {
enable = true; openssh = {
settings.PermitRootLogin = "yes"; enable = true;
ports = [292]; settings.PermitRootLogin = "yes";
}; ports = [292];
services.fail2ban.enable = true; };
services.endlessh = { fail2ban.enable = true;
enable = true; endlessh = {
port = 22; enable = true;
openFirewall = true; port = 22;
openFirewall = true;
};
}; };
users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"]; users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"];

1
system/default.nix
View file

@ -3,6 +3,5 @@
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
<nixpkgs/nixos/modules/profiles/hardened.nix>
]; ];
} }

10
system/hardware-configuration.nix
View file

@ -1,8 +1,12 @@
{modulesPath, ...}: { {modulesPath, ...}: {
imports = [(modulesPath + "/profiles/qemu-guest.nix")]; imports = [(modulesPath + "/profiles/qemu-guest.nix")];
boot.loader.grub.device = "/dev/sda"; boot = {
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; loader.grub.device = "/dev/sda";
boot.initrd.kernelModules = ["nvme"]; initrd = {
availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
kernelModules = ["nvme"];
};
};
fileSystems."/" = { fileSystems."/" = {
device = "/dev/sda1"; device = "/dev/sda1";
fsType = "ext4"; fsType = "ext4";