init

2025-11-02 14:05:51 +00:00 · 2025-11-02 14:05:51 +00:00 · d4bea4c7c5
commit d4bea4c7c5
12 changed files with 328 additions and 0 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -0,0 +1,19 @@
+{ pkgs,... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.nix # generated at runtime by nixos-infect
+    ./services 
+  ];
+
+  environment.systemPackages = with pkgs; [ vim btop git alejandra ];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+  networking.hostName = "distrust";
+  services.openssh.enable = true;
+  services.openssh.settings.PermitRootLogin = "yes";
+  users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"];
+  system.stateVersion = "25.05";
+}
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  
+}
--- a/networking.nix
+++ b/networking.nix
@ -0,0 +1,35 @@
+{ lib, ... }: {
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    nameservers = [ "213.136.95.10"
+ "213.136.95.11"
+ "2a02:c207::1" "8.8.8.8"
+ ];
+    defaultGateway = "157.173.112.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          { address="157.173.124.100"; prefixLength=20; }
+        ];
+        ipv6.addresses = [
+          { address="2a02:c207:2288:2816::1"; prefixLength=64; }
+{ address="fe80::250:56ff:fe5d:f07e"; prefixLength=64; }
+        ];
+        ipv4.routes = [ { address = "157.173.112.1"; prefixLength = 32; } ];
+        ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
+      };
+      
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="00:50:56:5d:f0:7e", NAME="eth0"
+    
+  '';
+}
--- a/services/akkoma.nix
+++ b/services/akkoma.nix
@ -0,0 +1,52 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  fediPort = 8083;
+  inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
+in {
+  services.akkoma = {
+    enable = true;
+    config = {
+      ":pleroma" = {
+        ":instance" = {
+          name = "social.distrust.network";
+          description = "Akkoma instance for distrust.network users";
+          email = "root@distrust.network";
+          registration_open = false;
+        };
+        ":ldap" = {
+          enabled = true;
+          host = "localhost";
+          port = 3890;
+          ssl = false;
+          tls = false;
+          base = "ou=people,dc=distrust,dc=network";
+          uid = "uid";
+        };
+        "Pleroma.Upload".base_url = "https://social.distrust.network/media/";
+        "Pleroma.Web.Endpoint" = {
+          url.host = "social.distrust.network";
+          http = {
+            ip = "0.0.0.0";
+            port = fediPort;
+          };
+        };
+        "Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator";
+      };
+    };
+  };
+
+  services.caddy.virtualHosts."social.distrust.network".extraConfig = ''
+    reverse_proxy localhost:${toString fediPort}
+  '';
+
+  services.tor.relay.onionServices."akkoma".map = [
+    {
+      port = 80;
+      target = {port = fediPort;};
+    }
+  ];
+}
--- a/services/caddy.nix
+++ b/services/caddy.nix
@ -0,0 +1,8 @@
+{
+  services = {
+    caddy.enable = true;
+    tor.enable = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
+}
--- a/services/default.nix
+++ b/services/default.nix
@ -0,0 +1,13 @@
+{...}: {
+  imports = [
+    ./caddy.nix
+    ./tor.nix
+    ./site.nix
+    ./nextcloud.nix
+    ./forgejo.nix
+    ./akkoma.nix
+    #./matrix.nix
+    ./prosody.nix
+    ./lldap.nix
+  ];
+}
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -0,0 +1,24 @@
+let
+  forgejoPort = 8082;
+in {
+  services.forgejo = {
+    enable = true;
+    lfs.enable = false;
+    settings.server = {
+      DOMAIN = "git.distrust.network";
+      HTTP_PORT = forgejoPort;
+      ROOT_URL = "https://git.distrust.network/";
+    };
+  };
+
+  services.caddy.virtualHosts."git.distrust.network".extraConfig = ''
+    reverse_proxy localhost:${toString forgejoPort}
+  '';
+
+  services.tor.relay.onionServices."forgejo".map = [
+    {
+      port = 80;
+      target = {port = forgejoPort;};
+    }
+  ];
+}
--- a/services/lldap.nix
+++ b/services/lldap.nix
@ -0,0 +1,16 @@
+{
+  services.lldap = {
+    enable = true;
+    settings = {
+      http_url = "https://login.distrust.network";
+      ldap_user_email = "root@distrust.network";
+      ldap_user_dn = "root";
+      ldap_base_dn = "dc=distrust,dc=network";
+      ldap_user_pass = "VERY_SECURE";
+    };
+  };
+
+  services.caddy.virtualHosts."login.distrust.network".extraConfig = ''
+    reverse_proxy localhost:17170
+  '';
+}
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -0,0 +1,34 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  nextcloudPort = 8081;
+in {
+  environment.etc."nextcloud-admin-pass".text = "PWD";
+  services.nextcloud = {
+    enable = true;
+    hostName = "cloud.distrust.network";
+    settings.trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
+    config = {
+      adminpassFile = "/etc/nextcloud-admin-pass";
+      dbtype = "pgsql";
+    };
+    package = pkgs.nextcloud32;
+    https = true;
+    configureRedis = true;
+    caching.redis = true;
+    database.createLocally = true;
+  };
+
+  services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [
+    {
+      addr = "127.0.0.1";
+      port = nextcloudPort;
+    }
+  ];
+
+  services.caddy.virtualHosts."https://cloud.distrust.network".extraConfig = ''
+    reverse_proxy localhost:${toString nextcloudPort}
+  '';
+}
--- a/services/prosody.nix
+++ b/services/prosody.nix
@ -0,0 +1,77 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  services.prosody = {
+    package = pkgs.prosody.override {
+      withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
+    };
+    enable = true;
+    admins = ["root@distrust.network"];
+    ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
+    ssl.key = "/var/lib/acme/distrust.network/key.pem";
+    virtualHosts."distrust.network" = {
+      enabled = true;
+      domain = "distrust.network";
+      ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
+      ssl.key = "/var/lib/acme/distrust.network/key.pem";
+    };
+    muc = [{domain = "conference.distrust.network";}];
+    httpFileShare = {
+      domain = "upload.distrust.network";
+      path = "/var/lib/prosody";
+    };
+    extraConfig = ''
+      authentication = "ldap"
+      ldap_base = "ou=people,dc=distrust,dc=network"
+      ldap_server = "localhost:3890"
+      ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
+      ldap_password = "bindpassword"
+    '';
+  };
+
+  security.acme = {
+    defaults = {
+      email = "root@distrust.network";
+      webroot = "/var/lib/acme";
+    };
+    acceptTerms = true;
+    certs = {
+      "distrust.network" = {
+        extraDomainNames = [
+          "upload.distrust.network"
+          "conference.distrust.network"
+        ];
+        postRun = ''
+          chmod -R 770 /var/lib/acme/distrust.network
+          chown -R acme:prosody /var/lib/acme/distrust.network
+        '';
+      };
+    };
+  };
+
+  networking.resolvconf.dnsExtensionMechanism = false;
+  networking.firewall.allowedTCPPorts = [5222 5269 5281 5000];
+
+  systemd.services.caddy.serviceConfig.SupplementaryGroups = ["acme"];
+  systemd.services.prosody = {
+    #  requires = [ "acme-order-renew-chat.distrust.network.service" ];
+    #  after = [ "acme-order-renew-chat.distrust.network.service" ];
+    serviceConfig.SupplementaryGroups = ["acme"];
+  };
+
+  services.caddy.virtualHosts."distrust.network".extraConfig = ''
+    handle /.well-known/* {
+      root * /var/lib/acme/
+      file_server
+    }
+  '';
+
+  services.caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
+    handle /.well-known/* {
+      root * /var/lib/acme/
+      file_server
+    }
+  '';
+}
--- a/services/site.nix
+++ b/services/site.nix
@ -0,0 +1,32 @@
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  sitePort = 8080;
+in {
+  systemd.services.python-http-server = {
+    description = "Simple Python HTTP Server";
+    after = ["network.target"];
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      ExecStart = "${pkgs.python3}/bin/python3 -m http.server ${toString sitePort} --directory /var/www/distrust.network";
+      Restart = "on-failure";
+      User = "nobody";
+      WorkingDirectory = "/var/www/distrust.network";
+    };
+  };
+
+  services.caddy.virtualHosts."distrust.network" = {
+    extraConfig = ''
+      reverse_proxy localhost:${toString sitePort}
+    '';
+  };
+
+  services.tor.relay.onionServices."site".map = [
+    {
+      port = 80;
+      target = {port = sitePort;};
+    }
+  ];
+}
--- a/services/tor.nix
+++ b/services/tor.nix
@ -0,0 +1,9 @@
+{lib, ...}: {
+  services.tor = {
+    settings.HiddenServiceNonAnonymousMode = false;
+    client = {
+      enable = true;
+      dns.enable = true;
+    };
+  };
+}