Initial commit

hosts/kazuki/conduit.nix

@@ -0,0 +1,97 @@
+{
+  config,
+  pkgs,
+  inputs',
+  ...
+}: let
+  formatJson = pkgs.formats.json {};
+in {
+  services.matrix-conduit = {
+    enable = true;
+    package = inputs'.niko-nur.packages.conduit-latest;
+    settings.global = {
+      server_name = "nrab.lol";
+      database_backend = "rocksdb";
+      allow_registration = false;
+    };
+  };
+  systemd.services.conduit.serviceConfig.LimitNOFILE = 8192;
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "nikodem@rabulinski.com";
+  };
+
+  users.users.nginx.extraGroups = ["acme"];
+  networking.firewall.allowedTCPPorts = [80 443 8448 2222];
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "nrab.lol" = {
+        forceSSL = true;
+        enableACME = true;
+
+        locations."=/.well-known/matrix/server" = {
+          alias = formatJson.generate "well-known-matrix-server" {
+            "m.server" = "matrix.nrab.lol";
+          };
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin "*";
+          '';
+        };
+
+        locations."=/.well-known/matrix/client" = {
+          alias = formatJson.generate "well-known-matrix-client" {
+            "m.homeserver" = {
+              "base_url" = "https://matrix.nrab.lol";
+            };
+          };
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin "*";
+          '';
+        };
+      };
+
+      "matrix.nrab.lol" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+        extraConfig = ''
+          merge_slashes off;
+        '';
+
+        locations."/_matrix/" = {
+          proxyPass = "http://backend_conduit$request_uri";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffering off;
+          '';
+        };
+      };
+    };
+
+    upstreams."backend_conduit".servers = {
+      "localhost:${toString config.services.matrix-conduit.settings.global.port}" = {};
+    };
+  };
+}

hosts/kazuki/default.nix

@@ -0,0 +1,32 @@
+{
+  config,
+  self,
+  ...
+}: {
+  configurations.nixos.kazuki = {
+    modulesPath,
+    lib,
+    username,
+    ...
+  }: {
+    imports = [
+      "${modulesPath}/profiles/qemu-guest.nix"
+      (import ./disks.nix {})
+
+      ./conduit.nix
+      ./mail.nix
+      ./vault.nix
+    ];
+
+    nixpkgs.system = "aarch64-linux";
+
+    users.users.${username}.openssh.authorizedKeys.keys = lib.attrValues config.assets.sshKeys.user;
+
+    boot = {
+      supportedFilesystems = ["btrfs"];
+      loader.systemd-boot.enable = true;
+      loader.systemd-boot.configurationLimit = 1;
+      loader.efi.canTouchEfiVariables = true;
+    };
+  };
+}

hosts/kazuki/disks.nix

@@ -0,0 +1,51 @@
+{bootDevice ? "/dev/sda", ...}: {
+  disko.devices.disk.bootDisk = {
+    type = "disk";
+    device = bootDevice;
+    content = {
+      type = "table";
+      format = "gpt";
+      partitions = [
+        {
+          name = "EFI";
+          start = "1MiB";
+          end = "128MiB";
+          fs-type = "fat32";
+          bootable = true;
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+          };
+        }
+        {
+          name = "LINUX";
+          start = "128MiB";
+          end = "-4G";
+          content = {
+            type = "btrfs";
+            extraArgs = ["-f"];
+            subvolumes = let
+              mountOptions = ["compress=zstd" "noatime"];
+            in {
+              "/root" = {
+                inherit mountOptions;
+                mountpoint = "/";
+              };
+              "/nix" = {inherit mountOptions;};
+            };
+          };
+        }
+        {
+          name = "SWAP";
+          start = "-4G";
+          end = "100%";
+          content = {
+            type = "swap";
+            randomEncryption = true;
+          };
+        }
+      ];
+    };
+  };
+}

hosts/kazuki/mail.nix

@@ -0,0 +1,28 @@
+{config, ...}: {
+  age.secrets = {
+    leet-nrab-lol.file = ../../secrets/leet-nrab-lol-pass.age;
+    alert-nrab-lol.file = ../../secrets/alert-nrab-lol-pass.age;
+  };
+
+  users.users.nginx.extraGroups = ["acme"];
+  networking.firewall.allowedTCPPorts = [80 443 8448 2222];
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.nrab.lol";
+    domains = ["nrab.lol"];
+
+    loginAccounts = {
+      "1337@nrab.lol" = {
+        hashedPasswordFile = config.age.secrets.leet-nrab-lol.path;
+      };
+      "alert@nrab.lol" = {
+        hashedPasswordFile = config.age.secrets.alert-nrab-lol.path;
+        sendOnly = true;
+        sendOnlyRejectMessage = "";
+      };
+    };
+
+    certificateScheme = "acme-nginx";
+  };
+}

hosts/kazuki/vault.nix

@@ -0,0 +1,34 @@
+{config, ...}: {
+  age.secrets.vault-cert-env.file = ../../secrets/vault-cert-env.age;
+
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      ROCKET_PORT = 60001;
+    };
+  };
+
+  users.users.nginx.extraGroups = ["acme"];
+  networking.firewall.allowedTCPPorts = [80 443 8448 2222];
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts."vault.rabulinski.com" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://vaultwarden";
+      };
+    };
+
+    upstreams.vaultwarden.servers = {
+      "localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}" = {};
+    };
+  };
+
+  security.acme.certs."valut.rabulinski.com" = {
+    dnsProvider = "cloudflare";
+    credentialsFile = config.age.secrets.vault-cert-env.path;
+  };
+}