diff --git a/flake.nix b/flake.nix index 79bc84c..2128c0c 100644 --- a/flake.nix +++ b/flake.nix @@ -15,12 +15,13 @@ }; outputs = { + self, nixpkgs, nixos-mailserver, agenix, ... }: let - inherit (nixpkgs) lib; + lib = nixpkgs.lib; in { nixosConfigurations = { distrust = lib.nixosSystem { diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a97a6d2..60cf7f6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,12 +1,13 @@ let user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk+P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno:16_179_196"; - users = [user]; - + users = [ user ]; + system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKxw1fDsIUUh3vWCD90LDgDMAG/NSVRg7QamUbknz5A root@distrust"; - systems = [system]; + systems = [ system ]; all = users ++ systems; -in { +in +{ "bind_pw".publicKeys = all; "nextcloud-admin-pass".publicKeys = all; "vaultwarden.env".publicKeys = all; diff --git a/services/akkoma.nix b/services/akkoma.nix index f353c74..3bc99d8 100644 --- a/services/akkoma.nix +++ b/services/akkoma.nix 
@@ -8,45 +8,43 @@ onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion"; inherit ((pkgs.formats.elixirConf {}).lib) mkAtom; in { - services = { - akkoma = { - enable = true; - config = { - ":pleroma" = { - ":instance" = { - name = "social.distrust.network"; - description = "Akkoma instance for distrust.network users"; - email = "root@distrust.network"; - registration_open = false; - }; - ":ldap" = { - enabled = true; - host = "localhost"; - port = 3890; - ssl = false; - tls = false; - base = "ou=people,dc=distrust,dc=network"; - uid = "uid"; - }; - "Pleroma.Upload".base_url = "https://social.distrust.network/media/"; - "Pleroma.Web.Endpoint" = { - url.host = "social.distrust.network"; - http = { - ip = "0.0.0.0"; - port = fediPort; - }; - }; - "Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator"; + services.akkoma = { + enable = true; + config = { + ":pleroma" = { + ":instance" = { + name = "social.distrust.network"; + description = "Akkoma instance for distrust.network users"; + email = "root@distrust.network"; + registration_open = false; }; + ":ldap" = { + enabled = true; + host = "localhost"; + port = 3890; + ssl = false; + tls = false; + base = "ou=people,dc=distrust,dc=network"; + uid = "uid"; + }; + "Pleroma.Upload".base_url = "https://social.distrust.network/media/"; + "Pleroma.Web.Endpoint" = { + url.host = "social.distrust.network"; + http = { + ip = "0.0.0.0"; + port = fediPort; + }; + }; + "Pleroma.Web.Auth.Authenticator" = mkAtom "Pleroma.Web.Auth.LDAPAuthenticator"; }; }; - - caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = '' - reverse_proxy localhost:${toString fediPort} - ''; - - tor.relay.onionServices."akkoma".map = [ - 80 - ]; }; + + services.caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = '' + reverse_proxy localhost:${toString fediPort} + ''; + + services.tor.relay.onionServices."akkoma".map = [ + 80 + ]; } 
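Review bot: `ip = "0.0.0.0";` under `"Pleroma.Web.Endpoint".http` in the rewritten `services.akkoma.config` binds the Akkoma listener on every interface, while the Caddy vhost in the same hunk only proxies to `localhost:${toString fediPort}`; binding to loopback, `ip = "127.0.0.1";`, keeps the unproxied port off the network regardless of firewall state. Separately, the clearnet host in the Caddy vhost key is written with an explicit `http://` scheme, unlike the `https://` keys in forgejo.nix and vaultwarden.nix in this same diff; if that is not deliberate, Caddy will serve social.distrust.network without automatic TLS even though `"Pleroma.Upload".base_url` advertises https. Both lines predate this commit, but the restructuring is the natural place to settle them.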
diff --git a/services/dante.nix b/services/dante.nix index 60bae3a..9193a64 100644 --- a/services/dante.nix +++ b/services/dante.nix @@ -9,6 +9,6 @@ ''; }; - networking.firewall.allowedTCPPorts = [1080]; - networking.firewall.allowedUDPPorts = [1080]; + networking.firewall.allowedTCPPorts = [ 1080 ]; + networking.firewall.allowedUDPPorts = [ 1080 ]; } diff --git a/services/default.nix b/services/default.nix index 3d1955a..49cc03e 100644 --- a/services/default.nix +++ b/services/default.nix @@ -7,8 +7,7 @@ ./akkoma.nix ./prosody.nix ./lldap.nix - # Dante not working right now, possibly misconfigured. - #./dante.nix + ./dante.nix ./vaultwarden.nix ./mailserver.nix ]; diff --git a/services/forgejo.nix b/services/forgejo.nix index 025b38f..ff3c826 100644 --- a/services/forgejo.nix +++ b/services/forgejo.nix @@ -2,24 +2,22 @@ let forgejoPort = 8082; onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion"; in { - services = { - forgejo = { - enable = true; - lfs.enable = false; - settings.server = { - DOMAIN = "git.distrust.network"; - HTTP_PORT = forgejoPort; - ROOT_URL = "https://git.distrust.network/"; - SSH_PORT = 292; - }; + services.forgejo = { + enable = true; + lfs.enable = false; + settings.server = { + DOMAIN = "git.distrust.network"; + HTTP_PORT = forgejoPort; + ROOT_URL = "https://git.distrust.network/"; + SSH_PORT = 292; }; - - caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = '' - reverse_proxy localhost:${toString forgejoPort} - ''; - - tor.relay.onionServices."forgejo".map = [ - 80 - ]; }; + + services.caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = '' + reverse_proxy localhost:${toString forgejoPort} + ''; + + services.tor.relay.onionServices."forgejo".map = [ + 80 + ]; } diff --git a/services/mailserver.nix b/services/mailserver.nix index c034882..393da6f 100644 --- a/services/mailserver.nix +++ b/services/mailserver.nix 
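Review bot: Re-enabling `./dante.nix` in services/default.nix drops the comment saying Dante was "not working right now, possibly misconfigured", but nothing in this diff shows the configuration being fixed — the dante.nix hunk only reformats the two lines that open TCP and UDP 1080 on the firewall. If the fix happened in an earlier commit, the description should say so; if not, the module comes back in the state the comment warned about, with a publicly reachable port. The rest of dante.nix (the proxy configuration itself) is outside the hunk, so I cannot confirm either way.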
@@ -1,15 +1,16 @@ -{config, ...}: { +{ config, ... }: +{ mailserver = { enable = true; fqdn = "distrust.network"; - domains = ["distrust.network"]; + domains = [ "distrust.network" ]; certificateScheme = "acme"; ldap = { enable = true; bind.dn = "cn=bind,ou=people,dc=distrust,dc=network"; bind.passwordFile = config.age.secrets."bind_pw".path; searchBase = "ou=people,dc=distrust,dc=network"; - uris = ["ldap://localhost:3890"]; + uris = [ "ldap://localhost:3890" ]; }; }; } diff --git a/services/nextcloud.nix b/services/nextcloud.nix index beb3ada..fcc914c 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix 
@@ -7,98 +7,97 @@ onionUrl = "http://znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"; in { age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass; - - users.groups.nextcloud.members = ["nextcloud" "caddy"]; - services = { - nextcloud = { - enable = true; - hostName = "cloud.distrust.network"; - settings = { - trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"]; - trusted_proxies = ["127.0.0.1"]; - maintenance_window_start = 1; - }; - config = { - adminpassFile = config.age.secrets."nextcloud-admin-pass".path; - dbtype = "pgsql"; - }; - package = pkgs.nextcloud32; - https = false; - configureRedis = true; - caching.redis = true; - database.createLocally = true; - phpOptions = { - "opcache.interned_strings_buffer" = 64; - }; + + services.nextcloud = { + enable = true; + hostName = "cloud.distrust.network"; + settings = { + trusted_domains = ["znfdxs4e3rqvzxtkksiidomupgm2x44wtrzyxtpomczto3xg5qxpcbqd.onion"]; + trusted_proxies = ["127.0.0.1"]; + maintenance_window_start = 1; }; - - nginx.enable = lib.mkForce false; - phpfpm.pools.nextcloud.settings = { - "listen.owner" = "caddy"; - "listen.group" = "caddy"; + config = { + adminpassFile = config.age.secrets."nextcloud-admin-pass".path; + dbtype = "pgsql"; }; - caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = '' - # encode zstd gzip - - root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root} - - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - redir /.well-known/* /index.php{uri} 301 - redir /remote/* /remote.php{uri} 301 - - - header { - Strict-Transport-Security max-age=31536000 - Permissions-Policy interest-cohort=() - X-Content-Type-Options nosniff - X-Frame-Options SAMEORIGIN - Referrer-Policy no-referrer - X-XSS-Protection "1; mode=block" - X-Permitted-Cross-Domain-Policies none - X-Robots-Tag "noindex, nofollow" - -X-Powered-By - Host {host} - X-Real-IP 
{remote_host} - X-Forwarded-For {remote_host} - X-Forwarded-Proto {scheme} - X-Forwarded-Host {host} - } - - - php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} { - root ${config.services.nginx.virtualHosts."cloud.distrust.network".root} - env front_controller_active true - env modHeadersAvailable true - } - - @forbidden { - path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* - path /.* /autotest* /occ* /issue* /indie* /db_* /console* - not path /.well-known/* - } - error @forbidden 404 - - @immutable { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - query v=* - } - header @immutable Cache-Control "max-age=15778463, immutable" - - @static { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - not query v=* - } - header @static Cache-Control "max-age=15778463" - - @woff2 path *.woff2 - header @woff2 Cache-Control "max-age=604800" - - file_server - ''; - - tor.relay.onionServices."nextcloud".map = [ - 80 - ]; + package = pkgs.nextcloud32; + https = true; + configureRedis = true; + caching.redis = true; + database.createLocally = true; }; + + users.groups.nextcloud.members = [ "nextcloud" "caddy" ]; + services.nginx.enable = lib.mkForce false; + services.phpfpm.pools.nextcloud.settings = { + "listen.owner" = "caddy"; + "listen.group" = "caddy"; + }; + services.caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = '' + # encode zstd gzip + + root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root} + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/* /index.php{uri} 301 + redir /remote/* /remote.php{uri} 301 + + + header { + Strict-Transport-Security max-age=31536000 + Permissions-Policy interest-cohort=() + X-Content-Type-Options nosniff + X-Frame-Options SAMEORIGIN + Referrer-Policy no-referrer + X-XSS-Protection "1; mode=block" + X-Permitted-Cross-Domain-Policies none + 
X-Robots-Tag "noindex, nofollow" + -X-Powered-By + Host {host} + X-Real-IP {remote_host} + X-Forwarded-For {remote_host} + X-Forwarded-Proto {scheme} + X-Forwarded-Host {host} + } + + + php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} { + root ${config.services.nginx.virtualHosts."cloud.distrust.network".root} + env front_controller_active true + env modHeadersAvailable true + } + + @forbidden { + path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* + path /.* /autotest* /occ* /issue* /indie* /db_* /console* + not path /.well-known/* + } + error @forbidden 404 + + @immutable { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + query v=* + } + header @immutable Cache-Control "max-age=15778463, immutable" + + @static { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + not query v=* + } + header @static Cache-Control "max-age=15778463" + + @woff2 path *.woff2 + header @woff2 Cache-Control "max-age=604800" + + file_server + ''; + + services.nextcloud.phpOptions = { + "opcache.interned_strings_buffer" = 64; + }; + + services.tor.relay.onionServices."nextcloud".map = [ + 80 + ]; } diff --git a/services/prosody.nix b/services/prosody.nix index 5981dad..aa33eba 100644 --- a/services/prosody.nix +++ b/services/prosody.nix 
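Review bot: `https = true;` replaces `https = false;` inside what is otherwise a structural move of `services.nextcloud`, and that one-line behavioural change is easy to miss in a hunk this size. As far as I recall the NixOS module uses this option to make Nextcloud generate https links (overwriteprotocol); the same Caddy vhost also serves `${onionUrl}` over plain HTTP with `X-Forwarded-Proto {scheme}`, so onion visitors may now be redirected to `https://…onion` URLs the vhost does not serve — please verify on the onion address and call the change out in the commit description. Minor style: `trusted_domains = ["…"]` and `trusted_proxies = ["127.0.0.1"]` kept the old bracket spacing while every other list in this diff was reformatted to `[ … ]`.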
@@ -1,50 +1,36 @@ { pkgs, + lib, config, ... }: { age.secrets."bind_pw".file = ../secrets/bind_pw; - services = { - prosody = { - package = pkgs.prosody.override { - withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap]; - }; - enable = true; - admins = ["root@distrust.network"]; + services.prosody = { + package = pkgs.prosody.override { + withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap]; + }; + enable = true; + admins = ["root@distrust.network"]; + ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem"; + ssl.key = "/var/lib/acme/distrust.network/key.pem"; + virtualHosts."distrust.network" = { + enabled = true; + domain = "distrust.network"; ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem"; ssl.key = "/var/lib/acme/distrust.network/key.pem"; - virtualHosts."distrust.network" = { - enabled = true; - domain = "distrust.network"; - ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem"; - ssl.key = "/var/lib/acme/distrust.network/key.pem"; - }; - muc = [{domain = "conference.distrust.network";}]; - httpFileShare = { - domain = "upload.distrust.network"; - path = "/var/lib/prosody"; - }; - extraConfig = '' - authentication = "ldap" - ldap_base = "ou=people,dc=distrust,dc=network" - ldap_server = "localhost:3890" - ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network" - ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}" - ''; }; - caddy.virtualHosts."distrust.network".extraConfig = '' - handle /.well-known/* { - root * /var/lib/acme/ - file_server - } - ''; - - caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = '' - handle /.well-known/* { - root * /var/lib/acme/ - file_server - } + muc = [{domain = "conference.distrust.network";}]; + httpFileShare = { + domain = "upload.distrust.network"; + path = "/var/lib/prosody"; + }; + extraConfig = '' + authentication = "ldap" + ldap_base = "ou=people,dc=distrust,dc=network" + ldap_server = "localhost:3890" + ldap_rootdn = 
"uid=bind,ou=people,dc=distrust,dc=network" + ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}" ''; }; @@ -77,4 +63,18 @@ # after = [ "acme-order-renew-chat.distrust.network.service" ]; serviceConfig.SupplementaryGroups = ["acme"]; }; + + services.caddy.virtualHosts."distrust.network".extraConfig = '' + handle /.well-known/* { + root * /var/lib/acme/ + file_server + } + ''; + + services.caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = '' + handle /.well-known/* { + root * /var/lib/acme/ + file_server + } + ''; } diff --git a/services/site.nix b/services/site.nix index 54bc239..de36ade 100644 --- a/services/site.nix +++ b/services/site.nix @@ -1,4 +1,9 @@ -let +{ + pkgs, + lib, + ... +}: let + sitePort = 8080; onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion"; in { services.caddy.virtualHosts = { diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index b386a8c..834ddb1 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix 
@@ -1,25 +1,25 @@ -{config, ...}: let +{ config, ... }: +let vaultPort = 8222; onionUrl = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion"; -in { +in +{ age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env; - - services = { - vaultwarden = { - enable = true; - config = { - DOMAIN = "https://vault.distrust.network"; - ROCKET_PORT = vaultPort; - }; - environmentFile = config.age.secrets."vaultwarden.env".path; + + services.vaultwarden = { + enable = true; + config = { + DOMAIN = "https://vault.distrust.network"; + ROCKET_PORT = vaultPort; }; - - caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = '' - reverse_proxy localhost:${toString vaultPort} - ''; - - tor.relay.onionServices."vaultwarden".map = [ - 80 - ]; + environmentFile = config.age.secrets."vaultwarden.env".path; }; + + services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = '' + reverse_proxy localhost:${toString vaultPort} + ''; + + services.tor.relay.onionServices."vaultwarden".map = [ + 80 + ]; } diff --git a/site/index.html b/site/index.html index 580e959..660cd00 100755 --- a/site/index.html +++ b/site/index.html @@ -55,7 +55,7 @@
All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to /dev/null.
The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks. This NixOS config is auditable and freely accessible over TOR and clearnet.
+The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks.
If you are interested, email me with your desired username.