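# NixOS host module for jb55.com.
#
# Shape: `extra: { config, lib, pkgs, ... }: let … in { … }` — the outer
# `extra` argument carries site-private data (e.g. `extra.private.radicale.users`,
# `extra.git-server`) and is also threaded into `./nginx`.
#
# What this module wires up (all grounded in the definitions below):
#   - git daemon over git:// for /var/git-public/repos, plus a `git` system user
#   - Radicale (CalDAV) on 127.0.0.1:5232, exposed by nginx under /cal/
#   - ACME certificates for six domains, shared through the `jb55cert` group
#   - the `mailz` mail stack for jb55.com
#   - Prosody (XMPP) and PostgreSQL, both currently *disabled*
#   - an npm-repo-proxy systemd service and the nginx vhost set
#
# Changes versus the previous revision (behaviour-preserving):
#   - the six identical ACME cert blocks are generated with `lib.genAttrs`
#   - the radicale data path uses the existing `radicale_data` binding instead of
#     repeating the literal
#   - `users.extraUsers` / `users.extraGroups` (aliases) are written as the
#     canonical `users.users` / `users.groups`
extra:
{ config, lib, pkgs, ... }:
let
  # Extra settings handed to `extra.git-server` (see `gitCfg`).
  gitExtra = {
    git = { projectroot = "/var/git-public/repos"; };
    host = "git.jb55.com";
  };

  # Radicale storage root; also referenced by services.radicale.settings below.
  radicale_data = "/var/radicale/data";

  # Unused since the httpiped service below was commented out; harmless (lazy).
  httpipePort = "8899";
  # httpiped = (import (pkgs.fetchgit {
  #   url = https://github.com/jb55/httpipe;
  #   rev = "376de0e37bba505ba5f23c46435277bb74603acd";
  #   sha256 = "1x9d98z6zbs22x38xwxjnb6mwladbah9xajyl7kk8bm418l8wac4";
  # }) { nodejs = pkgs.nodejs; }).package;

  # npm-repo-proxy, pinned by commit and content hash (good: the build cannot
  # silently pick up upstream changes).
  npmrepo = (import (pkgs.fetchFromGitHub {
    owner = "jb55";
    repo = "npm-repo-proxy";
    rev = "5bb651689c9e74299094ac989125685c810ee9b2";
    sha256 = "16cjcz2cakrgl3crn63s5w1k4h4y51h8v0326v5bim8r1hxrpq4n";
  }) {}).package;

  # Public OpenPGP key served via Web Key Directory (see the openpgpkey vhosts).
  # Content-hashed, so a changed upstream file fails the build instead of being
  # served.
  pgpkeys = pkgs.fetchurl {
    url = "https://jb55.com/s/329bdbb1552cf060.pub";
    sha256 = "91ec02a43317289057c3f7c4f4129558ae799a4789a98bda0fd9360142096731";
  };

  # NIP-05 identity document served at /.well-known/nostr.json (CORS-enabled
  # there, as NIP-05 clients require).
  nip05 = pkgs.writeText "nip05.json" ''
    {
      "names": {
        "jb55": "fd3fdb0d0d8d6f9a7667b53211de8ae3c5246b79bdaf64ebac849d5148b5615f",
        "_": "fd3fdb0d0d8d6f9a7667b53211de8ae3c5246b79bdaf64ebac849d5148b5615f"
      }
    }
  '';

  # Not referenced anywhere in this module; kept because it may be consumed by
  # a sibling file — verify before deleting.
  gitCfg = extra.git-server { inherit config pkgs; extra = extra // gitExtra; };

  # `<jb55pkgs>` is resolved through NIX_PATH, i.e. it is NOT pinned the way
  # `npmrepo`/`pgpkeys` are; whatever that path points at gets imported.
  # Unused in this module as written.
  hearpress = (import <jb55pkgs> { nixpkgs = pkgs; }).hearpress;

  myemail = "jb55@jb55.com";

  # Prosody modules; also used to select community modules in the override.
  xmpp_modules = [
    "csi"
    "smacks"
    "mam"
    "cloud_notify"
    "carbons"
    "http_upload"
  ];

  # Radicale rights file (first matching section wins, top to bottom).
  # NOTE(review): the `[read]` section grants `R` on `collection = .*` — every
  # collection, not only the root one the comment describes — to any principal
  # matching `user = .*` (which also matches an empty/anonymous user name if the
  # auth layer passes one through). Radicale's documented "root collection"
  # example uses an empty `collection =` pattern instead. Whether `R` exposes
  # calendar items or only collection listings depends on Radicale's R vs r
  # semantics — confirm intent and narrow if this is not deliberate.
  radicale-rights = pkgs.writeText "radicale-rights" ''
    [vanessa-famcal-access]
    user = vanessa
    collection = jb55/4bcae62e-9c8b-0d94-d8ef-977a29a24a84
    permissions = rw

    # Give owners read-write access to everything else:
    [owner-write]
    user = .+
    collection = {user}/[^/]+
    permissions = rw

    # Everyone can read the root collection
    [read]
    user = .*
    collection = .*
    permissions = R
  '';

  # ActivityPub actor document. Unused in this module (the live /inbox and
  # webfinger paths are proxied to 127.0.0.1:5188 instead).
  # NOTE(review): "inbox" is "https://jb55/inbox" — looks like a typo for
  # https://jb55.com/inbox; no effect today because the binding is unused.
  jb55-activity = pkgs.writeText "jb55-custom-activity" ''
    {
      "@context": [
        "https://www.w3.org/ns/activitystreams"
      ],
      "inbox": "https://jb55/inbox",
      "id": "https://jb55.com",
      "type": "Person",
      "preferredUsername": "jb55",
      "name": "William Casarin",
      "summary": "This is not a real activitypub endpoint yet! I'm still building it",
      "url": "https://jb55.com",
      "manuallyApprovesFollowers": false,
      "icon": {
        "type": "Image",
        "mediaType": "image/jpeg",
        "url": "https://jb55.com/me.jpg"
      },
      "publicKey": {
        "id": "https://jb55.com#main-key",
        "owner": "https://jb55.com",
        "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJOPxwmRGBBQYm7YgHRu\nbTaYaKbMoEQiui+37nizXA73CRNeKblSXIaJnfOKfz/ttRG0GH43GzHTpghUDuZX\n+QBpyOk8UMmCW5gM0Y5c3IOv0zLezqLXrVEM8UXMUHE3hxf61r1NKl1+IG9MwhtH\nayx0Kaz6vT/V8nkotCSlb91lMT8X28bButwN86RCclZncecQXuVvgXnFeZCeBLM+\nqV2tBPnn14Ws+AqVvVnBW8xXwVfSPFHQchSLAusdWI7Kw/oWN/on2CqfRASoaVAS\nqKG+uPuJ+1f92iH0ZY1wLB2/ITl7HKTiIMKNikXTWcUudkMlKxc5Iqb7HMHuaPZ9\nIQIDAQAB\n-----END PUBLIC KEY-----"
      }
    }
  '';

  # Static webfinger response. Unused in this module (see jb55-activity).
  webfinger = pkgs.writeText "webfinger-acct-jb55" ''
    {
      "subject": "acct:jb55@jb55.com",
      "aliases": [
        "https://jb55.com"
      ],
      "links": [
        {
          "rel": "http://webfinger.net/rel/profile-page",
          "type": "text/html",
          "href": "https://jb55.com"
        },
        {
          "rel": "self",
          "type": "application/activity+json",
          "href": "https://jb55.com"
        }
      ]
    }
  '';

  # One ACME cert definition shared by every domain below. The cert material
  # is readable by the `jb55cert` group, so group membership == private-key
  # read access.
  acmeCert = {
    webroot = "/var/www/challenges";
    group = "jb55cert";
    #postRun = "systemctl restart prosody";
    email = myemail;
  };
in
{
  imports = [
    ./networking
    ./hardware
    (import ./nginx extra)
    #(import ./sheetzen extra)
    #(import ./vidstats extra)
  ];

  # git:// is unauthenticated and unencrypted (read-only by design). Only
  # repositories intended to be public should live under basePath.
  services.gitDaemon.basePath = "/var/git-public/repos";
  services.gitDaemon.enable = true;

  users.users = {
    git = {
      uid = config.ids.uids.git;
      description = "Git daemon user";
      # NOTE(review): no isSystemUser/group set here; recent NixOS releases
      # require one of them — confirm against the channel in use.
    };
    # Private-key readers. `jb55` is an interactive account, so it can read
    # every ACME key; keep this in mind when judging least privilege.
    smtpd.extraGroups = [ "jb55cert" ];
    jb55.extraGroups = [ "jb55cert" ];
    #prosody.extraGroups = [ "jb55cert" ];
  };

  users.groups = {
    git.gid = config.ids.gids.git;
    # NOTE(review): radicale runs with server.ssl = "False" behind nginx, so it
    # does not appear to need key access — confirm before removing it here.
    jb55cert.members = [ "prosody" "nginx" "radicale" ];
    vmail.members = [ "jb55" ];
  };

  services.radicale.enable = true;

  # Radicale listens on loopback only; TLS is terminated by nginx (/cal/).
  services.radicale.settings = {
    storage.filesystem_folder = radicale_data;
    auth = {
      type = "htpasswd";
      htpasswd_filename = "${extra.private.radicale.users}";
      # NOTE(review): "plain" stores passwords in clear text in the htpasswd
      # file. Radicale supports "bcrypt"; switching requires re-hashing the
      # users file first, so it is left as-is here.
      htpasswd_encryption = "plain";
      # Delay after a failed login — slows online guessing.
      delay = "1";
    };
    server = {
      hosts = "127.0.0.1:5232";
      ssl = "False";
      max_connections = "20";
      max_content_length = "10000000";
      timeout = "10";
    };
    rights = {
      type = "from_file";
      file = "${radicale-rights}";
    };
  };

  security.acme.acceptTerms = true;

  # Identical settings for every domain; previously six copy-pasted blocks.
  # NOTE(review): git.jb55.com gets a certificate but its HTTPS vhost is
  # commented out below, so stagit is served over plain HTTP only.
  security.acme.certs = lib.genAttrs [
    "jb55.com"
    "git.jb55.com"
    "openpgpkey.jb55.com"
    "social.jb55.com"
    "sheetzen.com"
    "bitcoinwizard.net"
  ] (_: acmeCert);

  services.mailz = {
    enable = true;
    domain = "jb55.com";

    users = {
      jb55 = {
        # crypt(3) SHA-512 hash, not a clear-text password. Anything this
        # module renders into the Nix store is world-readable, so the hash is
        # effectively public; if the mailz module offers an out-of-store file
        # option for it, prefer that — TODO confirm.
        password = "$6$KHmFLeDBaXBE1Jkg$eEN8HM3LpZ4muDK/JWC25qW9xSZq0AqsF4tlzEan7yctROJ9A/lSqz6gN1b1GtwE7efroXGHtDi2FEJ2ujDAl0";
        aliases = [ "postmaster" "bill" "will" "william" "me" "jb" "guestdaddy" ];
      };
    };

    sieves = builtins.readFile ./dovecot/filters.sieve;
  };

  # Prosody is disabled; the settings below are retained for when it returns.
  # c2s_require_encryption and allowRegistration = false are the right
  # defaults to keep.
  services.prosody.enable = false;
  services.prosody.xmppComplianceSuite = false;
  services.prosody.admins = [ "jb55@jb55.com" ];
  services.prosody.allowRegistration = false;
  services.prosody.extraModules = xmpp_modules;
  services.prosody.package = pkgs.prosody.override {
    withCommunityModules = xmpp_modules;
  };
  services.prosody.extraConfig = ''
    c2s_require_encryption = true

    http_upload_expire_after = 60 * 60 * 24 * 7
  '';
  services.prosody.ssl = {
    cert = "/var/lib/acme/jb55.com/fullchain.pem";
    key = "/var/lib/acme/jb55.com/key.pem";
  };
  services.prosody.virtualHosts.jb55 = {
    enabled = true;
    domain = "jb55.com";
    ssl = {
      cert = "/var/lib/acme/jb55.com/fullchain.pem";
      key = "/var/lib/acme/jb55.com/key.pem";
    };
  };

  # PostgreSQL is disabled. If it is re-enabled: `trust` lets any local process
  # connect as any database user without a password, and "127.0.0.1/16" is a
  # /16 (127.0.0.0–127.0.255.255) rather than the single loopback address —
  # tighten both before turning this on.
  services.postgresql = {
    dataDir = "/var/db/postgresql/9.5";
    package = pkgs.postgresql95;
    enable = false;
    enableTCPIP = true;
    authentication = ''
      # type db user address method
      local all all trust
      host all all 127.0.0.1/16 trust
    '';
    #extraConfig = ''
    #  listen_addresses = '${extra.ztip}'
    #'';
  };

  # npm-repo-proxy; no hardening directives (User=, ProtectSystem=, …) are
  # set, so it runs with the unit's defaults.
  systemd.services.npmrepo = {
    description = "npmrepo.com";

    wantedBy = [ "multi-user.target" ];

    serviceConfig.Type = "simple";
    serviceConfig.ExecStart = "${npmrepo}/bin/npm-repo-proxy";
  };

  # Runs the /email CGI on bitcoinwizard.net.
  services.fcgiwrap.enable = true;

  # Raw nginx vhosts. Review notes (kept outside the string so the rendered
  # config is unchanged):
  #   - limit_req_zone is keyed on $server_name, so the 3r/m budget for
  #     /email is shared by ALL clients of the vhost; that caps total sends
  #     but lets one client exhaust it. Key on $binary_remote_addr for a
  #     per-client limit if that is the intent.
  #   - /email: client_max_body_size 512 and gzip off are good; the actual
  #     input handling lives in /www/bitcoinwizard.net/emailform.py. The
  #     "export all repositories under GIT_PROJECT_ROOT" comment is a stale
  #     copy from a git-http-backend block.
  #   - the `server { listen 443 ssl; listen [::]:443 ssl; }` block has no
  #     server_name, certificate or content; it looks like dead config — if
  #     kept, give it `return 444;` like the default_server.
  #   - cdn.jb55.com and lnlink.app are plain HTTP; cdn has autoindex on, so
  #     the directory listing is public by design.
  #   - `location ^~ /files/calls { error_page 405 =200 $uri; }` appears to
  #     turn POSTs to static files into a 200 with the file — confirm intent.
  #   - the pgp key and nostr.json are served with Access-Control-Allow-Origin
  #     *, which is what WKD/NIP-05 clients need.
  services.nginx.httpConfig = ''
    limit_req_zone $server_name zone=email_form:10m rate=3r/m;

    server {
      listen 443 ssl;
      listen [::]:443 ssl;

      server_name bitcoinwizard.net;
      root /www/bitcoinwizard.net;
      index index.html;

      ssl_certificate /var/lib/acme/bitcoinwizard.net/fullchain.pem;
      ssl_certificate_key /var/lib/acme/bitcoinwizard.net/key.pem;

      location / {
        try_files $uri $uri/ =404;
      }

      location /email {
        limit_req zone=email_form;
        gzip off;
        # fcgiwrap is set up to listen on this host:port
        fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
        include ${pkgs.nginx}/conf/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /www/bitcoinwizard.net/emailform.py;

        client_max_body_size 512;

        # export all repositories under GIT_PROJECT_ROOT

        fastcgi_param PATH_INFO $uri;
      }

    }

    server {
      listen 80;
      listen [::]:80;

      server_name cdn.jb55.com;

      location / {
        autoindex on;
        root /www/cdn.jb55.com;
      }
    }

    server {
      listen 443 ssl;
      listen [::]:443 ssl;

      server_name www.bitcoinwizard.net;
      return 301 https://bitcoinwizard.net$request_uri;
    }

    server {
      listen 80;
      listen [::]:80;

      server_name bitcoinwizard.net www.bitcoinwizard.net;

      location /.well-known/acme-challenge {
        root /var/www/challenges;
      }

      location / {
        return 301 https://bitcoinwizard.net$request_uri;
      }
    }

    server {
      listen 443 ssl;
      listen [::]:443 ssl;

    }

    server {
      listen 443 default_server ssl;
      listen [::]:443 default_server ssl;

      server_name _;
      return 444;

      ssl_certificate /var/lib/acme/jb55.com/fullchain.pem;
      ssl_certificate_key /var/lib/acme/jb55.com/key.pem;
    }

    server {
      listen 80;
      listen [::]:80;

      server_name git.jb55.com;

      location /.well-known/acme-challenge {
        root /var/www/challenges;
      }

      location ~ ^(/[^/\s]+)/?$ {
        if (-f $document_root$1/file/README.md.html) {
          return 302 $1/file/README.md.html;
        }
        if (-f $document_root$1/file/README.html) {
          return 302 $1/file/README.html;
        }
        if (-f $document_root$1/file/README.txt.html) {
          return 302 $1/file/README.txt.html;
        }
        if (-f $document_root$1/log.html) {
          return 302 $1/log.html;
        }
      }

      root /var/git-public/stagit;
      index index.html index.htm;

      # location / {
      #   return 301 https://git.jb55.com$request_uri;
      # }
    }

    # server {
    #   listen 443 ssl;
    #   server_name git.jb55.com;

    #   root /var/git-public/stagit;
    #   index index.html index.htm;

    #   ssl_certificate /var/lib/acme/git.jb55.com/fullchain.pem;
    #   ssl_certificate_key /var/lib/acme/git.jb55.com/key.pem;
    # }

    server {
      listen 80;
      listen [::]:80;
      server_name openpgpkey.jb55.com;

      location /.well-known/acme-challenge {
        root /var/www/challenges;
      }
    }

    server {
      listen 80;
      listen [::]:80;
      server_name lnlink.app;

      location / {
        root /www/lnlink.app;
      }
    }

    server {
      listen 443 ssl;
      listen [::]:443 ssl;
      server_name openpgpkey.jb55.com;

      ssl_certificate /var/lib/acme/openpgpkey.jb55.com/fullchain.pem;
      ssl_certificate_key /var/lib/acme/openpgpkey.jb55.com/key.pem;

      location = /.well-known/openpgpkey/jb55.com/hu/9adqqiba8jxrhu5wf18bfapmnwjk5ybo {
        alias ${pgpkeys};
      }
    }

    server {
      listen 443 ssl;
      listen [::]:443 ssl;

      server_name jb55.com;
      root /www/jb55/public;
      index index.html index.htm;

      ssl_certificate /var/lib/acme/jb55.com/fullchain.pem;
      ssl_certificate_key /var/lib/acme/jb55.com/key.pem;

      rewrite ^/pkgs.tar.gz$ https://github.com/jb55/jb55pkgs/archive/master.tar.gz permanent;
      rewrite ^/pkgs/?$ https://github.com/jb55/jb55pkgs/archive/master.tar.gz permanent;

      location /inbox {
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:5188/inbox;
      }

      location / {
        gzip on;
        gzip_types application/json;
        charset utf-8;

        proxy_set_header Host $http_host;
        proxy_redirect off;

        if ( $http_accept ~ "application/activity\+json" ) {
          proxy_pass http://127.0.0.1:5188;
        }

        if ( $http_accept ~ "application/ld\+json" ) {
          proxy_pass http://127.0.0.1:5188;
        }

        try_files $uri $uri/ =404;
      }

      location ~ ^/[01] {
        proxy_pass http://localhost:7070;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }

      location = /saylor-saif {
        return 302 https://episodes.castos.com/5ffc6bf0bf71b5-21733898/34.-Michael-Saylor-on-The-Fiat-Standard.mp3;
      }

      location = /attack {
        return 302 https://nakamotoinstitute.org/mempool/speculative-attack/;
      }

      location = /social {
        return 302 https://bitcoinhackers.org/users/jb55;
      }

      location /phlog {
        autoindex on;
      }

      location /.well-known/webfinger {
        proxy_pass http://localhost:5188/;
        proxy_redirect off;
        proxy_set_header Host $host;
      }

      location = /.well-known/openpgpkey/jb55.com/hu/9adqqiba8jxrhu5wf18bfapmnwjk5ybo {
        add_header Access-Control-Allow-Origin *;
        alias ${pgpkeys};
      }

      location = /.well-known/nostr.json {
        add_header Access-Control-Allow-Origin *;
        alias ${nip05};
      }

      location /cal/ {
        proxy_pass http://127.0.0.1:5232/;
        proxy_set_header X-Script-Name /cal;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }

      location ^~ /files/calls {
        error_page 405 =200 $uri;
      }
    }

    server {
      listen 80;
      listen [::]:80;

      server_name jb55.com www.jb55.com;

      location /.well-known/acme-challenge {
        root /var/www/challenges;
      }

      location ~ ^/[01] {
        proxy_pass http://localhost:7070;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }

      location / {
        return 301 https://jb55.com$request_uri;
      }
    }
    server {
      listen 443 ssl;
      listen [::]:443 ssl;

      server_name www.jb55.com;
      return 301 https://jb55.com$request_uri;
    }

  '';

}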