root/flake
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

init

Browse source
This commit is contained in:
root 2025-11-02 14:05:51 +00:00
commit d4bea4c7c5
12 changed files with 328 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

19
configuration.nix Normal file
View file

@ -0,0 +1,19 @@
{ pkgs,... }: {
imports = [
./hardware-configuration.nix
./networking.nix # generated at runtime by nixos-infect
./services
];
environment.systemPackages = with pkgs; [ vim btop git alejandra ];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "distrust";
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes";
users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"];
system.stateVersion = "25.05";
}

9
hardware-configuration.nix Normal file
View file

@ -0,0 +1,9 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}

35
networking.nix Normal file
View file

@ -0,0 +1,35 @@
{ lib, ... }: {
# This file was populated at runtime with the networking
# details gathered from the active system.
networking = {
nameservers = [ "213.136.95.10"
"213.136.95.11"
"2a02:c207::1" "8.8.8.8"
];
defaultGateway = "157.173.112.1";
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
dhcpcd.enable = false;
usePredictableInterfaceNames = lib.mkForce false;
interfaces = {
eth0 = {
ipv4.addresses = [
{ address="157.173.124.100"; prefixLength=20; }
];
ipv6.addresses = [
{ address="2a02:c207:2288:2816::1"; prefixLength=64; }
{ address="fe80::250:56ff:fe5d:f07e"; prefixLength=64; }
];
ipv4.routes = [ { address = "157.173.112.1"; prefixLength = 32; } ];
ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
};
};
};
services.udev.extraRules = ''
ATTR{address}=="00:50:56:5d:f0:7e", NAME="eth0"
'';
}

52
services/akkoma.nix Normal file
View file

@ -0,0 +1,52 @@
{
config,
lib,
pkgs,
...
}: let
fediPort = 8083;
inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
in {
services.akkoma = {
enable = true;
config = {
":pleroma" = {
":instance" = {
name = "social.distrust.network";
description = "Akkoma instance for distrust.network users";
email = "root@distrust.network";
registration_open = false;
};
":ldap" = {
enabled = true;
host = "localhost";
port = 3890;
ssl = false;
tls = false;
base = "ou=people,dc=distrust,dc=network";
uid = "uid";
};
"Pleroma.Upload".base_url = "https://social.distrust.network/media/";
"Pleroma.Web.Endpoint" = {
url.host = "social.distrust.network";
http = {
ip = "0.0.0.0";
port = fediPort;
};
};
"Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator";
};
};
};
services.caddy.virtualHosts."social.distrust.network".extraConfig = ''
reverse_proxy localhost:${toString fediPort}
'';
services.tor.relay.onionServices."akkoma".map = [
{
port = 80;
target = {port = fediPort;};
}
];
}

8
services/caddy.nix Normal file
View file

@ -0,0 +1,8 @@
{
services = {
caddy.enable = true;
tor.enable = true;
};
networking.firewall.allowedTCPPorts = [80 443];
}

13
services/default.nix Normal file
View file

@ -0,0 +1,13 @@
{...}: {
imports = [
./caddy.nix
./tor.nix
./site.nix
./nextcloud.nix
./forgejo.nix
./akkoma.nix
#./matrix.nix
./prosody.nix
./lldap.nix
];
}

24
services/forgejo.nix Normal file
View file

@ -0,0 +1,24 @@
let
forgejoPort = 8082;
in {
services.forgejo = {
enable = true;
lfs.enable = false;
settings.server = {
DOMAIN = "git.distrust.network";
HTTP_PORT = forgejoPort;
ROOT_URL = "https://git.distrust.network/";
};
};
services.caddy.virtualHosts."git.distrust.network".extraConfig = ''
reverse_proxy localhost:${toString forgejoPort}
'';
services.tor.relay.onionServices."forgejo".map = [
{
port = 80;
target = {port = forgejoPort;};
}
];
}

16
services/lldap.nix Normal file
View file

@ -0,0 +1,16 @@
{
services.lldap = {
enable = true;
settings = {
http_url = "https://login.distrust.network";
ldap_user_email = "root@distrust.network";
ldap_user_dn = "root";
ldap_base_dn = "dc=distrust,dc=network";
ldap_user_pass = "VERY_SECURE";
};
};
services.caddy.virtualHosts."login.distrust.network".extraConfig = ''
reverse_proxy localhost:17170
'';
}

34
services/nextcloud.nix Normal file
View file

@ -0,0 +1,34 @@
{
pkgs,
config,
...
}: let
nextcloudPort = 8081;
in {
environment.etc."nextcloud-admin-pass".text = "PWD";
services.nextcloud = {
enable = true;
hostName = "cloud.distrust.network";
settings.trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"];
config = {
adminpassFile = "/etc/nextcloud-admin-pass";
dbtype = "pgsql";
};
package = pkgs.nextcloud32;
https = true;
configureRedis = true;
caching.redis = true;
database.createLocally = true;
};
services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [
{
addr = "127.0.0.1";
port = nextcloudPort;
}
];
services.caddy.virtualHosts."https://cloud.distrust.network".extraConfig = ''
reverse_proxy localhost:${toString nextcloudPort}
'';
}

77
services/prosody.nix Normal file
View file

@ -0,0 +1,77 @@
{
pkgs,
lib,
...
}: {
services.prosody = {
package = pkgs.prosody.override {
withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
};
enable = true;
admins = ["root@distrust.network"];
ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
ssl.key = "/var/lib/acme/distrust.network/key.pem";
virtualHosts."distrust.network" = {
enabled = true;
domain = "distrust.network";
ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
ssl.key = "/var/lib/acme/distrust.network/key.pem";
};
muc = [{domain = "conference.distrust.network";}];
httpFileShare = {
domain = "upload.distrust.network";
path = "/var/lib/prosody";
};
extraConfig = ''
authentication = "ldap"
ldap_base = "ou=people,dc=distrust,dc=network"
ldap_server = "localhost:3890"
ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
ldap_password = "bindpassword"
'';
};
security.acme = {
defaults = {
email = "root@distrust.network";
webroot = "/var/lib/acme";
};
acceptTerms = true;
certs = {
"distrust.network" = {
extraDomainNames = [
"upload.distrust.network"
"conference.distrust.network"
];
postRun = ''
chmod -R 770 /var/lib/acme/distrust.network
chown -R acme:prosody /var/lib/acme/distrust.network
'';
};
};
};
networking.resolvconf.dnsExtensionMechanism = false;
networking.firewall.allowedTCPPorts = [5222 5269 5281 5000];
systemd.services.caddy.serviceConfig.SupplementaryGroups = ["acme"];
systemd.services.prosody = {
# requires = [ "acme-order-renew-chat.distrust.network.service" ];
# after = [ "acme-order-renew-chat.distrust.network.service" ];
serviceConfig.SupplementaryGroups = ["acme"];
};
services.caddy.virtualHosts."distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
services.caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
}

32
services/site.nix Normal file
View file

@ -0,0 +1,32 @@
{
pkgs,
lib,
...
}: let
sitePort = 8080;
in {
systemd.services.python-http-server = {
description = "Simple Python HTTP Server";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = "${pkgs.python3}/bin/python3 -m http.server ${toString sitePort} --directory /var/www/distrust.network";
Restart = "on-failure";
User = "nobody";
WorkingDirectory = "/var/www/distrust.network";
};
};
services.caddy.virtualHosts."distrust.network" = {
extraConfig = ''
reverse_proxy localhost:${toString sitePort}
'';
};
services.tor.relay.onionServices."site".map = [
{
port = 80;
target = {port = sitePort;};
}
];
}

9
services/tor.nix Normal file
View file

@ -0,0 +1,9 @@
{lib, ...}: {
services.tor = {
settings.HiddenServiceNonAnonymousMode = false;
client = {
enable = true;
dns.enable = true;
};
};
}