split!

services/distrust/akkoma.nix

@@ -0,0 +1,62 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  fediPort = 8083;
+  inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
+in {
+  age.secrets."hidden_service/akkoma".file = ../secrets/hidden_service/akkoma;
+
+  services = {
+    akkoma = {
+      enable = true;
+      config = {
+        ":pleroma" = {
+          ":instance" = {
+            name = "social.distrust.network";
+            description = "Akkoma instance for distrust.network users";
+            email = "root@distrust.network";
+            registration_open = false;
+          };
+          ":ldap" = {
+            enabled = true;
+            host = "localhost";
+            port = 3890;
+            ssl = false;
+            tls = false;
+            base = "ou=people,dc=distrust,dc=network";
+            uid = "uid";
+          };
+          "Pleroma.Upload".base_url = "https://social.distrust.network/media/";
+          "Pleroma.Web.Endpoint" = {
+            url.host = "social.distrust.network";
+            http = {
+              ip = "0.0.0.0";
+              port = fediPort;
+            };
+          };
+          "Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator";
+        };
+      };
+    };
+  };
+
+  distrust.services."akkoma" = {
+    url = "https://social.distrust.network";
+    onion = {
+      url = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion";
+      secretKey = config.age.secrets."hidden_service/akkoma".path;
+    };
+    virtualHostConfig = ''
+      reverse_proxy localhost:${toString fediPort}
+    '';
+    backup = {
+      enable = true;
+      paths = [
+        "/var/lib/akkoma"
+      ];
+      database = "akkoma";
+    };
+  };
+}

services/distrust/caddy.nix

@@ -0,0 +1,7 @@
+{
+  services.caddy = {
+    enable = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
+}

services/distrust/default.nix

@@ -0,0 +1,23 @@
+{
+  imports = [
+    ../shared
+
+    # Core System
+    ./caddy.nix
+
+    # Non-stateful services
+    ./ipfs.nix
+    ./site.nix
+    ./tor.nix
+
+    # Stateful services (backed up by borg)
+    ./akkoma.nix
+    ./forgejo.nix
+    ./lldap.nix
+    ./mailserver.nix
+    ./nextcloud.nix
+    ./paste.nix
+    ./prosody.nix
+    ./vaultwarden.nix
+  ];
+}

services/distrust/forgejo.nix

@@ -0,0 +1,38 @@
+{config, ...}: let
+  forgejoPort = 8082;
+in {
+  age.secrets."hidden_service/forgejo" = {
+    file = ../secrets/hidden_service/forgejo;
+  };
+
+  services.forgejo = {
+    enable = true;
+    lfs.enable = false;
+    settings = { 
+      server = {
+        DOMAIN = "git.distrust.network";
+        HTTP_PORT = forgejoPort;
+        ROOT_URL = "https://git.distrust.network/";
+        SSH_PORT = builtins.head config.services.openssh.ports;
+      };
+      "service.explore".DISABLE_USERS_PAGE = true;
+    };
+  };
+
+  distrust.services."forgejo" = {
+    url = "https://git.distrust.network";
+    onion = {
+      url = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
+      secretKey = config.age.secrets."hidden_service/forgejo".path;
+    };
+    virtualHostConfig = ''
+      reverse_proxy localhost:${toString forgejoPort}
+    '';
+    backup = {
+      enable = true;
+      paths = [
+        "/var/lib/forgejo"
+      ];
+    };
+  };
+}

services/distrust/ipfs.nix

@@ -0,0 +1,11 @@
+{
+  services = {
+    kubo.enable = true;
+    tor.relay.onionServices."site".map = [
+      4001
+      8080
+    ];
+  };
+
+  networking.firewall.allowedTCPPorts = [4001];
+}

services/distrust/lldap.nix

@@ -0,0 +1,48 @@
+{config, ...}: let
+  lldapPort = 8089;
+in {
+  age.secrets = {
+    "hidden_service/lldap".file = ../secrets/hidden_service/lldap;
+    "lldap_root_pass" = {
+      file = ../secrets/lldap_root_pass;
+      mode = "0440";
+      group = "lldap-secrets";
+    };
+  };
+  
+  services.lldap = {
+    enable = true;
+    settings = {
+      http_url = "https://login.distrust.network";
+      http_port = lldapPort;
+      ldap_user_email = "root@distrust.network";
+      ldap_user_dn = "root";
+      ldap_base_dn = "dc=distrust,dc=network";
+      ldap_user_pass_file = config.age.secrets."lldap_root_pass".path;
+      force_ldap_user_pass_reset = "always";
+    };
+  };
+
+  distrust.services."lldap" = {
+    url = "https://login.distrust.network";
+    onion = {
+      url = "http://i3a47orggn2cebueja2jur66yjgyqd2y7kzthajar4ghuerbx2kzwqyd.onion";
+      secretKey = config.age.secrets."hidden_service/lldap".path;
+    };
+    virtualHostConfig = ''
+      reverse_proxy localhost:${toString lldapPort}
+    '';
+    backup = {
+      enable = true;
+      paths = [
+        "/var/lib/lldap"
+      ];
+    };
+  };
+  
+  # Creates a group for the LLDAP DynamicUser to read the secret
+  users.groups.lldap-secrets = {};
+  systemd.services.lldap.serviceConfig = {
+    SupplementaryGroups = [ "lldap-secrets" ];
+  };
+}

services/distrust/mailserver.nix

@@ -0,0 +1,39 @@
+{config, ...}: {
+  age.secrets."bind_pw".file = ../secrets/bind_pw;
+
+  mailserver = {
+    stateVersion = 3;
+    enable = true;
+    fqdn = "distrust.network";
+    domains = ["distrust.network"];
+    certificateScheme = "acme";
+    ldap = {
+      enable = true;
+      bind.dn = "cn=bind,ou=people,dc=distrust,dc=network";
+      bind.passwordFile = config.age.secrets."bind_pw".path;
+      searchBase = "ou=people,dc=distrust,dc=network";
+      uris = ["ldap://localhost:3890"];
+    };
+  };
+
+  services.borgbackup.jobs."mailserver" = {
+    repo = config.distrust.backups.borgRepository + "/./mailserver";
+    environment = {
+      BORG_RSH = "ssh -i ${config.distrust.backups.borgSSHKey} -o 'StrictHostKeyChecking=no'";
+    };
+    paths = [
+      "/var/vmail/ldap"
+    ];
+    encryption = {
+      mode = "keyfile";
+      passCommand = config.distrust.backups.borgPassCommand;
+    };
+    compression = "auto,lzma";
+    startAt = "daily";
+    prune.keep = {
+      daily = 7;
+      weekly = 4;
+      monthly = -1;
+    };
+  };
+}

services/distrust/nextcloud.nix

@@ -0,0 +1,121 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  onionHostName = "znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion";
+in {
+  age.secrets = {
+    "nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass;
+    "hidden_service/nextcloud".file = ../secrets/hidden_service/nextcloud;
+  };
+
+  users.groups.nextcloud.members = ["nextcloud" "caddy"];
+
+  services = {
+    nextcloud = {
+      enable = true;
+      hostName = "cloud.distrust.network";
+      settings = {
+        trusted_domains = [onionHostName];
+        trusted_proxies = ["127.0.0.1"];
+        maintenance_window_start = 1;
+      };
+      config = {
+        adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
+        dbtype = "pgsql";
+      };
+      package = pkgs.nextcloud32;
+      https = false;
+      configureRedis = true;
+      caching.redis = true;
+      database.createLocally = true;
+      phpOptions = {
+        "opcache.interned_strings_buffer" = 64;
+      };
+    };
+
+    # Force disable nginx and adjust permissions as we use caddy
+    nginx.enable = lib.mkForce false;
+    phpfpm.pools.nextcloud.settings = {
+      "listen.owner" = "caddy";
+      "listen.group" = "caddy";
+    };
+  };
+
+  distrust.services."nextcloud" = {
+    url = "https://cloud.distrust.network";
+    onion = {
+      url = "http://${onionHostName}";
+      secretKey = config.age.secrets."hidden_service/nextcloud".path;
+    };
+    virtualHostConfig = ''
+      # encode zstd gzip
+
+      root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
+
+      redir /.well-known/carddav /remote.php/dav 301
+      redir /.well-known/caldav /remote.php/dav 301
+      redir /.well-known/* /index.php{uri} 301
+      redir /remote/* /remote.php{uri} 301
+
+
+      header {
+        Strict-Transport-Security max-age=31536000
+        Permissions-Policy interest-cohort=()
+        X-Content-Type-Options nosniff
+        X-Frame-Options SAMEORIGIN
+        Referrer-Policy no-referrer
+        X-XSS-Protection "1; mode=block"
+        X-Permitted-Cross-Domain-Policies none
+        X-Robots-Tag "noindex, nofollow"
+        -X-Powered-By
+        Host {host}
+        X-Real-IP {remote_host}
+        X-Forwarded-For {remote_host}
+        X-Forwarded-Proto {scheme}
+        X-Forwarded-Host {host}
+        Onion-Loation http://${onionHostName}
+      }
+
+
+      php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
+        root ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
+        env front_controller_active true
+        env modHeadersAvailable true
+      }
+
+      @forbidden {
+        path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+        not path /.well-known/*
+      }
+      error @forbidden 404
+
+      @immutable {
+        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+        query v=*
+      }
+      header @immutable Cache-Control "max-age=15778463, immutable"
+
+      @static {
+        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+        not query v=*
+      }
+      header @static Cache-Control "max-age=15778463"
+
+      @woff2 path *.woff2
+      header @woff2 Cache-Control "max-age=604800"
+
+      file_server
+    '';
+    backup = {
+      enable = true;
+      paths = [
+        "/var/lib/nextcloud"
+      ];
+      database = "nextcloud";
+    };
+  };
+}

services/distrust/paste.nix

@@ -0,0 +1,34 @@
+{config, ...}: let
+  pastePort = 8087;
+in {
+  age.secrets."hidden_service/microbin".file = ../secrets/hidden_service/microbin;
+
+  services.microbin = {
+    enable = true;
+    settings = {
+      MICROBIN_PORT = pastePort;
+      MICROBIN_ENABLE_BURN_AFTER = true;
+      MICROBIN_QR = true;
+      MICROBIN_NO_LISTING = true;
+      MICROBIN_HIGHLIGHTSYNTAX = true;
+      MICROBIN_PUBLIC_PATH = "https://paste.distrust.network/";
+    };
+  };
+
+  distrust.services."microbin" = {
+    url = "https://paste.distrust.network";
+    onion = {
+      url = "http://s4h5nfnwwhzku55opxlqouobioibx4htwygnp2l4fkp256lur5s53rad.onion";
+      secretKey = config.age.secrets."hidden_service/microbin".path;
+    };
+    virtualHostConfig = ''
+      reverse_proxy localhost:${toString pastePort}
+    '';
+    backup = {
+      enable = true;
+      paths = [
+        "/var/lib/microbin"
+      ];
+    };
+  };
+}

services/distrust/prosody.nix

@@ -0,0 +1,109 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  age.secrets."prosody.env".file = ../secrets/prosody.env;
+
+  services = {
+    prosody = {
+      package = pkgs.prosody.override {
+        withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
+      };
+      enable = true;
+      admins = ["root@distrust.network"];
+      ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
+      ssl.key = "/var/lib/acme/distrust.network/key.pem";
+      virtualHosts."distrust.network" = {
+        enabled = true;
+        domain = "distrust.network";
+        ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
+        ssl.key = "/var/lib/acme/distrust.network/key.pem";
+      };
+      muc = [{domain = "conference.distrust.network";}];
+      httpFileShare = {
+        domain = "upload.distrust.network";
+        path = "/var/lib/prosody";
+      };
+      extraConfig = ''
+        authentication = "ldap"
+        ldap_base = "ou=people,dc=distrust,dc=network"
+        ldap_server = "localhost:3890"
+        ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
+        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
+      '';
+    };
+
+    # Adjust caddy to serve the ACME challenges for prosody
+    caddy.virtualHosts = {
+      "distrust.network".extraConfig = ''
+        handle /.well-known/* {
+          root * /var/lib/acme/
+          file_server
+        }
+      '';
+      "conference.distrust.network upload.distrust.network".extraConfig = ''
+        handle /.well-known/* {
+          root * /var/lib/acme/
+          file_server
+        }
+      '';
+    };
+
+    borgbackup.jobs."prosody" = {
+      repo = config.distrust.backups.borgRepository + "/./prosody";
+      environment = {
+        BORG_RSH = "ssh -i ${config.distrust.backups.borgSSHKey} -o 'StrictHostKeyChecking=no'";
+      };
+      paths = [
+        "/var/lib/prosody"
+      ];
+      encryption = {
+        mode = "keyfile";
+        passCommand = config.distrust.backups.borgPassCommand;
+      };
+      compression = "auto,lzma";
+      startAt = "daily";
+      prune.keep = {
+        daily = 7;
+        weekly = 4;
+        monthly = -1;
+      };
+    };
+  };
+
+  security.acme = {
+    defaults = {
+      email = "root@distrust.network";
+      webroot = "/var/lib/acme";
+    };
+    acceptTerms = true;
+    certs = {
+      "distrust.network" = {
+        extraDomainNames = [
+          "upload.distrust.network"
+          "conference.distrust.network"
+        ];
+        postRun = ''
+          chmod -R 770 /var/lib/acme/distrust.network
+          chown -R acme:prosody /var/lib/acme/distrust.network
+        '';
+      };
+    };
+  };
+
+  networking = {
+    # This can mess with prosody's DNS resolution, so we disable it
+    resolvconf.dnsExtensionMechanism = false;
+    firewall.allowedTCPPorts = [5222 5269 5281 5000];
+  };
+
+  systemd.services = {
+    caddy.serviceConfig.SupplementaryGroups = ["acme"];
+    prosody.serviceConfig = {
+      SupplementaryGroups = ["acme"];
+      # Slightly hacky way to inject the LDAP password into prosody without builtins.readFile exposing it system-wide
+      EnvironmentFile = config.age.secrets."prosody.env".path;
+    };
+  };
+}

services/distrust/site.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  distrust-homepage = import ../homepage/default.nix {inherit pkgs;};
+in {
+  age.secrets."hidden_service/site" = {
+    file = ../secrets/hidden_service/site;
+  };
+
+  distrust.services."site" = {
+    url = "https://distrust.network";
+    onion = {
+      url = "http://distrustdtp5qgbk2firlzfkkmu5p6v6acuh2ox454zd2i3ujdqad5yd.onion";
+      secretKey = config.age.secrets."hidden_service/site".path;
+    };
+    virtualHostConfig = ''
+      redir / /home.html
+      root * ${distrust-homepage.out}
+      file_server
+    '';
+    backup.enable = false;
+  };
+}

services/distrust/tor.nix

@@ -0,0 +1,16 @@
+{
+  services.tor = {
+    enable = true;
+    relay = {
+      enable = true;
+      role = "relay";
+    };
+    settings = {
+      Nickname = "Distrust";
+      ContactInfo = "root@distrust.network";
+      ORPort = 9001;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [9001];
+}

services/distrust/vaultwarden.nix

@@ -0,0 +1,34 @@
+{config, ...}: let
+  vaultPort = 8222;
+in {
+  age.secrets = {
+    "vaultwarden.env".file = ../secrets/vaultwarden.env;
+    "hidden_service/vaultwarden".file = ../secrets/hidden_service/vaultwarden;
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://vault.distrust.network";
+      ROCKET_PORT = vaultPort;
+    };
+    environmentFile = config.age.secrets."vaultwarden.env".path;
+  };
+
+  distrust.services."vaultwarden" = {
+    url = "https://vault.distrust.network";
+    onion = {
+      url = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
+      secretKey = config.age.secrets."hidden_service/vaultwarden".path;
+    };
+    virtualHostConfig = ''
+      reverse_proxy localhost:${toString vaultPort}
+    '';
+    backup = {
+      enable = true;
+      paths = [
+        "/var/lib/vaultwarden"
+      ];
+    };
+  };
+}