tweaks

fmt
2025-11-04 12:48:38 +00:00 · 2025-11-04 11:31:52 +00:00
15 changed files with 241 additions and 239 deletions
--- a/flake.nix
+++ b/flake.nix
@ -15,13 +15,12 @@
  };

  outputs = {
-    self,
    nixpkgs,
    nixos-mailserver,
    agenix,
    ...
  }: let
-    lib = nixpkgs.lib;
+    inherit (nixpkgs) lib;
  in {
    nixosConfigurations = {
      distrust = lib.nixosSystem {
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -6,8 +6,7 @@ let
  systems = [system];

  all = users ++ systems;
-in
-{
+in {
  "bind_pw".publicKeys = all;
  "nextcloud-admin-pass".publicKeys = all;
  "vaultwarden.env".publicKeys = all;
--- a/services/akkoma.nix
+++ b/services/akkoma.nix
@ -8,7 +8,8 @@
  onionUrl = "http://n5j5sq55iem2hzbgvkba5vwd5gx5qj2pkb7nxyginbtmnkah74rtulad.onion";
  inherit ((pkgs.formats.elixirConf {}).lib) mkAtom;
 in {
-  services.akkoma = {
+  services = {
+    akkoma = {
      enable = true;
      config = {
        ":pleroma" = {
@ -40,11 +41,12 @@ in {
      };
    };

-  services.caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
+    caddy.virtualHosts."http://social.distrust.network ${onionUrl}".extraConfig = ''
      reverse_proxy localhost:${toString fediPort}
    '';

-  services.tor.relay.onionServices."akkoma".map = [
+    tor.relay.onionServices."akkoma".map = [
      80
    ];
+  };
 }
--- a/services/default.nix
+++ b/services/default.nix
@ -7,7 +7,8 @@
    ./akkoma.nix
    ./prosody.nix
    ./lldap.nix
-    ./dante.nix
+    # Dante not working right now, possibly misconfigured.
+    #./dante.nix
    ./vaultwarden.nix
    ./mailserver.nix
  ];
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -2,7 +2,8 @@ let
  forgejoPort = 8082;
  onionUrl = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
 in {
-  services.forgejo = {
+  services = {
+    forgejo = {
      enable = true;
      lfs.enable = false;
      settings.server = {
@ -13,11 +14,12 @@ in {
      };
    };

-  services.caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
+    caddy.virtualHosts."https://git.distrust.network ${onionUrl}".extraConfig = ''
      reverse_proxy localhost:${toString forgejoPort}
    '';

-  services.tor.relay.onionServices."forgejo".map = [
+    tor.relay.onionServices."forgejo".map = [
      80
    ];
+  };
 }
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@ -1,5 +1,4 @@
-{ config, ... }:
-{
+{config, ...}: {
  mailserver = {
    enable = true;
    fqdn = "distrust.network";
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -8,7 +8,9 @@
 in {
  age.secrets."nextcloud-admin-pass".file = ../secrets/nextcloud-admin-pass;

-  services.nextcloud = {
+  users.groups.nextcloud.members = ["nextcloud" "caddy"];
+  services = {
+    nextcloud = {
      enable = true;
      hostName = "cloud.distrust.network";
      settings = {
@ -21,19 +23,21 @@ in {
        dbtype = "pgsql";
      };
      package = pkgs.nextcloud32;
-    https = true;
+      https = false;
      configureRedis = true;
      caching.redis = true;
      database.createLocally = true;
+      phpOptions = {
+        "opcache.interned_strings_buffer" = 64;
+      };
    };

-  users.groups.nextcloud.members = [ "nextcloud" "caddy" ];
-  services.nginx.enable = lib.mkForce false;
-  services.phpfpm.pools.nextcloud.settings = {
+    nginx.enable = lib.mkForce false;
+    phpfpm.pools.nextcloud.settings = {
      "listen.owner" = "caddy";
      "listen.group" = "caddy";
    };
-  services.caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
+    caddy.virtualHosts."https://cloud.distrust.network ${onionUrl}".extraConfig = ''
      # encode zstd gzip

      root * ${config.services.nginx.virtualHosts."cloud.distrust.network".root}
@ -93,11 +97,8 @@ in {
      file_server
    '';

-  services.nextcloud.phpOptions = {
-    "opcache.interned_strings_buffer" = 64;
-  };
-
-  services.tor.relay.onionServices."nextcloud".map = [
+    tor.relay.onionServices."nextcloud".map = [
      80
    ];
+  };
 }
--- a/services/prosody.nix
+++ b/services/prosody.nix
@ -1,12 +1,12 @@
 {
  pkgs,
-  lib,
  config,
  ...
 }: {
  age.secrets."bind_pw".file = ../secrets/bind_pw;

-  services.prosody = {
+  services = {
+    prosody = {
      package = pkgs.prosody.override {
        withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
      };
@ -33,6 +33,20 @@
        ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
      '';
    };
+    caddy.virtualHosts."distrust.network".extraConfig = ''
+      handle /.well-known/* {
+        root * /var/lib/acme/
+        file_server
+      }
+    '';
+
+    caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
+      handle /.well-known/* {
+        root * /var/lib/acme/
+        file_server
+      }
+    '';
+  };

  security.acme = {
    defaults = {
@ -63,18 +77,4 @@
    #  after = [ "acme-order-renew-chat.distrust.network.service" ];
    serviceConfig.SupplementaryGroups = ["acme"];
  };
-
-  services.caddy.virtualHosts."distrust.network".extraConfig = ''
-    handle /.well-known/* {
-      root * /var/lib/acme/
-      file_server
-    }
-  '';
-
-  services.caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
-    handle /.well-known/* {
-      root * /var/lib/acme/
-      file_server
-    }
-  '';
 }
--- a/services/site.nix
+++ b/services/site.nix
@ -1,9 +1,4 @@
-{
-  pkgs,
-  lib,
-  ...
-}: let
-  sitePort = 8080;
+let
  onionUrl = "http://nzmkihvxjazbb3fgu7drbklpt6ibg4suff4glxpadhrd4pf5wd2od5yd.onion";
 in {
  services.caddy.virtualHosts = {
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -1,12 +1,11 @@
-{ config, ... }:
-let 
+{config, ...}: let
  vaultPort = 8222;
  onionUrl = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
-in
-{
+in {
  age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env;

-  services.vaultwarden = {
+  services = {
+    vaultwarden = {
      enable = true;
      config = {
        DOMAIN = "https://vault.distrust.network";
@ -15,11 +14,12 @@ in
      environmentFile = config.age.secrets."vaultwarden.env".path;
    };

-  services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
+    caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
      reverse_proxy localhost:${toString vaultPort}
    '';

-  services.tor.relay.onionServices."vaultwarden".map = [
+    tor.relay.onionServices."vaultwarden".map = [
      80
    ];
+  };
 }
--- a/site/index.html
+++ b/site/index.html
@ -55,7 +55,7 @@
 	    <li>Vaultwarden <small><a href="http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion/">[tor]</a> <a href="https://vault.distrust.network">[clearnet]</a> <a title="Once you have logged in for the first time, check your inbox.">[hover]</a></small></li>
        </ul>
        <p>All services have a strict no-logs and no-metrics policy. Where it is difficult to configure this in a service, logs are directly piped and/or symlinked to <code>/dev/null</code>.</p>
-        <p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks.</p>
+	<p>The server runs a hardened NixOS config, and is updated when appropriate for any security/hardening tweaks. This NixOS config is auditable and freely accessible over <a href="http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion/root/flake">TOR</a> and <a href="https://git.distrust.network/root/flake">clearnet</a>.</p>
        <p>If you are interested, <a href="mailto:root@distrust.network?subject=ACCOUNT%20REQUEST&body=Replace%20this%20email%20body%20with%20your%20desired%20username.">email me</a> with your desired username.</p>
        <hr>
        <a href="mailto:root@distrust.network?subject=INQUIRY">Contact</a><a href="/privacy-policy.html" class="privacy-policy">Privacy Policy</a>
--- a/system/configuration.nix
+++ b/system/configuration.nix
@ -1,10 +1,9 @@
-{pkgs, ...}:
-let updateScript = pkgs.writeShellScriptBin "rebuild" ''
+{pkgs, ...}: let
+  updateScript = pkgs.writeShellScriptBin "rebuild" ''
    #!/bin/sh
    nixos-rebuild switch --flake /etc/nixos#distrust --impure
  '';
-in
-{
+in {
  environment.systemPackages = with pkgs; [vim btop git alejandra statix deadnix] ++ [updateScript];

  nix.settings.experimental-features = ["nix-command" "flakes"];
@ -13,17 +12,19 @@ in
  zramSwap.enable = true;
  networking.hostName = "distrust";

-  services.openssh = {
+  services = {
+    openssh = {
      enable = true;
      settings.PermitRootLogin = "yes";
      ports = [292];
    };
-  services.fail2ban.enable = true;
-  services.endlessh = {
+    fail2ban.enable = true;
+    endlessh = {
      enable = true;
      port = 22;
      openFirewall = true;
    };
+  };

  users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"];
  system.stateVersion = "25.05";
--- a/system/default.nix
+++ b/system/default.nix
@ -3,6 +3,5 @@
    ./configuration.nix
    ./hardware-configuration.nix
    ./networking.nix
-    <nixpkgs/nixos/modules/profiles/hardened.nix>
  ];
 }
--- a/system/hardware-configuration.nix
+++ b/system/hardware-configuration.nix
@ -1,8 +1,12 @@
 {modulesPath, ...}: {
  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
-  boot.loader.grub.device = "/dev/sda";
-  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
-  boot.initrd.kernelModules = ["nvme"];
+  boot = {
+    loader.grub.device = "/dev/sda";
+    initrd = {
+      availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
+      kernelModules = ["nvme"];
+    };
+  };
  fileSystems."/" = {
    device = "/dev/sda1";
    fsType = "ext4";
Author	SHA1	Message	Date
Administrator	9f40a68eb4	tweaks	2025-11-04 12:48:38 +00:00
Administrator	766f143e51	fmt	2025-11-04 11:31:52 +00:00