diff --git a/configuration.nix b/configuration.nix
index 2e30133..30aa309 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -115,6 +115,8 @@
 filebrowser
 dufs
 git
+ git-graph
+ gitui
 helix
 nil
 starship
diff --git a/coturn.nix b/coturn.nix
index ec5e853..40978ac 100644
--- a/coturn.nix
+++ b/coturn.nix
@@ -56,17 +56,30 @@
 allowedTCPPorts = [ 3478 5349 ];
 };
 };
- # get a certificate
- security.acme.certs.${config.services.coturn.realm} = {
- /* insert here the right configuration to obtain a certificate */
- postRun = "systemctl restart coturn.service";
- group = "turnserver";
+ services.nginx = {
+ enable = true;
+ virtualHosts."turn.sondell.org" = {
+ forceSSL = true;
+ enableACME = true;
+ };
 };
- # configure synapse to point users to coturn
- # services.matrix-synapse = with config.services.coturn; {
- # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
- # turn_shared_secret = static-auth-secret;
- # turn_user_lifetime = "1h";
+ # get a certificate
+ users.users.nginx.extraGroups = [
+ "turnserver"
+ ];
+ # security.acme.certs.${config.services.coturn.realm} = {
+ # /* insert here the right configuration to obtain a certificate */
+ # postRun = "systemctl restart coturn.service";
+ # group = "turnserver";
 # };
+ # configure synapse to point users to coturn
+ services.matrix-synapse = with config.services.coturn; {
+ settings.turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+ settings.turn_user_lifetime = "1h";
+ # turn_shared_secret = static-auth-secret;
+ extraConfigFiles = [
+ config.services.coturn.static-auth-secret-file
+ ];
+ };
 }
diff --git a/dbg/err.log b/dbg/err.log
new file mode 100644
index 0000000..db91d97
--- /dev/null
+++ b/dbg/err.log
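Review bot: `extraConfigFiles = [ config.services.coturn.static-auth-secret-file ]` hands synapse the file that coturn reads as a bare secret string, but synapse loads `extraConfigFiles` as YAML config fragments, so unless that file is already written as `turn_shared_secret: <secret>` the homeserver gains no TURN secret and may refuse a scalar-only file; keep a second file in synapse's YAML form, readable by the matrix-synapse user and nobody else, and point `extraConfigFiles` at that one. The `users.users.nginx.extraGroups = [ "turnserver" ]` lines under `# get a certificate` only achieve their purpose together with the `group = "turnserver";` setting that is now commented out: for coturn to read the certificate the new vhost obtains, restore `security.acme.certs."turn.sondell.org".group = "turnserver";` together with `postRun = "systemctl restart coturn.service";`, otherwise coturn keeps serving whatever certificate it was pointed at before (its cert/pkey options are outside this hunk, so I cannot confirm they reference the ACME path). The vhost hardcodes `"turn.sondell.org"` while the TURN URIs are built from `${realm}`; `virtualHosts.${config.services.coturn.realm}` would keep the certificate name and the advertised realm from drifting apart.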
@@ -0,0 +1,104 @@ +apr 03 10:27:48 nixos Nextcloud[150872]: {"reqId":"pW9oiFQa0uFJNtYkN650", +"level":4, +"time":"2024-04-03T08:27:48+00:00", +"remoteAddr":"", +"user":"--", +"app":"no app in context", +"method":"", +"url":"--", +"message":"{\"Exception\":\"RedisException\", +\"Message\":\"ERR AUTH called without any password configured for the default user. Are you sure your configuration is correct?\", +\"Code\":0, +\"Trace\":[{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/RedisFactory.php\", +\"line\":123, +\"function\":\"auth\", +\"class\":\"Redis\", +\"type\":\"->\", +\"args\":[\"*** sensitive parameters replaced ***\"]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/RedisFactory.php\", +\"line\":158, +\"function\":\"create\", +\"class\":\"OC\\\\RedisFactory\", +\"type\":\"->\", +\"args\":[\"*** sensitive parameters replaced ***\"]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/Memcache/Redis.php\", +\"line\":70, +\"function\":\"getInstance\", +\"class\":\"OC\\\\RedisFactory\", +\"type\":\"->\", +\"args\":[]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/Memcache/Redis.php\", +\"line\":76, +\"function\":\"getCache\", +\"class\":\"OC\\\\Memcache\\\\Redis\", +\"type\":\"->\", +\"args\":[]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/apps/workflowengine/lib/Manager.php\", +\"line\":113, +\"function\":\"get\", +\"class\":\"OC\\\\Memcache\\\\Redis\", +\"type\":\"->\", +\"args\":[\"events\"]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/apps/workflowengine/lib/AppInfo/Application.php\", +\"line\":71, +\"function\":\"getAllConfiguredEvents\", +\"class\":\"OCA\\\\WorkflowEngine\\\\Manager\", +\"type\":\"->\", +\"args\":[]}, 
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/AppFramework/Bootstrap/FunctionInjector.php\", +\"line\":45, +\"function\":\"registerRuleListeners\", +\"class\":\"OCA\\\\WorkflowEngine\\\\AppInfo\\\\Application\", +\"type\":\"->\", +\"args\":[[\"OC\\\\EventDispatcher\\\\EventDispatcher\"], +[\"OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer\"], +[\"OC\\\\AppFramework\\\\ScopedPsrLogger\"]]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/AppFramework/Bootstrap/BootContext.php\", +\"line\":50, +\"function\":\"injectFn\", +\"class\":\"OC\\\\AppFramework\\\\Bootstrap\\\\FunctionInjector\", +\"type\":\"->\", +\"args\":[[\"Closure\"]]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/apps/workflowengine/lib/AppInfo/Application.php\", +\"line\":63, +\"function\":\"injectFn\", +\"class\":\"OC\\\\AppFramework\\\\Bootstrap\\\\BootContext\", +\"type\":\"->\", +\"args\":[[\"Closure\"]]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/AppFramework/Bootstrap/Coordinator.php\", +\"line\":200, +\"function\":\"boot\", +\"class\":\"OCA\\\\WorkflowEngine\\\\AppInfo\\\\Application\", +\"type\":\"->\", +\"args\":[[\"OC\\\\AppFramework\\\\Bootstrap\\\\BootContext\"]]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/App/AppManager.php\", +\"line\":434, +\"function\":\"bootApp\", +\"class\":\"OC\\\\AppFramework\\\\Bootstrap\\\\Coordinator\", +\"type\":\"->\", +\"args\":[\"workflowengine\"]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/App/AppManager.php\", +\"line\":213, +\"function\":\"loadApp\", +\"class\":\"OC\\\\App\\\\AppManager\", +\"type\":\"->\", +\"args\":[\"workflowengine\"]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/legacy/OC_App.php\", +\"line\":125, +\"function\":\"loadApps\", 
+\"class\":\"OC\\\\App\\\\AppManager\", +\"type\":\"->\", +\"args\":[[]]}, +{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/cron.php\", +\"line\":55, +\"function\":\"loadApps\", +\"class\":\"OC_App\", +\"type\":\"::\", +\"args\":[]}], +\"File\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/RedisFactory.php\", +\"Line\":123, +\"message\":\"Could not boot workflowengine: ERR AUTH called without any password configured for the default user. Are you sure your configuration is correct?\", +\"exception\":{}, +\"CustomMessage\":\"Could not boot workflowengine: ERR AUTH called without any password configured for the default user. Are you sure your configuration is correct?\"}", +"userAgent":"--", +"version":"28.0.3.2"}
diff --git a/dbg/nextcloud b/dbg/nextcloud
new file mode 120000
index 0000000..a9d8301
--- /dev/null
+++ b/dbg/nextcloud
@@ -0,0 +1 @@
+/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3
\ No newline at end of file
diff --git a/dbg/nextcloud.cfg b/dbg/nextcloud.cfg
new file mode 120000
index 0000000..3d49117
--- /dev/null
+++ b/dbg/nextcloud.cfg
@@ -0,0 +1 @@
+/var/lib/nextcloud
\ No newline at end of file
diff --git a/dbg/nextredis.cfg b/dbg/nextredis.cfg
new file mode 120000
index 0000000..c0f2e69
--- /dev/null
+++ b/dbg/nextredis.cfg
@@ -0,0 +1 @@
+/var/lib/redis-nextcloud
\ No newline at end of file
diff --git a/dbg/redis-nixos.conf b/dbg/redis-nixos.conf
new file mode 120000
index 0000000..90d4e8d
--- /dev/null
+++ b/dbg/redis-nixos.conf
@@ -0,0 +1 @@
+/nix/store/alsv8fyd8m1j006sz7c6p8x9cn9kmz7f-redis.conf
\ No newline at end of file
diff --git a/filebrowser.nix b/filebrowser.nix
index 5d346c6..2381a7f 100644
--- a/filebrowser.nix
+++ b/filebrowser.nix
@@ -19,7 +19,7 @@ in
 };
 systemd.services.tailBrowser = with pkgs; {
- enable = true;
+ enable = false;
 description = "serve via tailscale filebrowser";
 wantedBy = [ "multi-user.target" ];
 unitConfig = {
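Review bot: The new `dbg/` entries commit debugging state into the configuration repository: `dbg/err.log` is a captured Nextcloud log, and `dbg/nextcloud`, `dbg/nextcloud.cfg`, `dbg/nextredis.cfg` and `dbg/redis-nixos.conf` are symlinks into `/nix/store` and `/var/lib` that resolve only on this one host and go stale on the next rebuild (the store path pins `nextcloud-28.0.3`). Logs of this kind can carry request ids, user names and paths even when the trace shows `*** sensitive parameters replaced ***`, so they belong outside version control; a `.gitignore` entry for `dbg/` plus `git rm -r --cached dbg` would do. If the log is meant as a reproduction note for the Redis AUTH failure, a one-line comment in `nextcloud.nix` next to `configureRedis` stating the symptom would be more durable than the captured file.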
diff --git a/flake.lock b/flake.lock index 10091ea..daae977 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,37 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -39,13 +71,36 @@ "url": "https://git.sondell.org/glennwso/home.git" } }, + "nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1710449465, + "narHash": "sha256-2orO8nfplp6uQJBFqKkj1iyNMC6TysmwbWwbb4osTag=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "79c8cfcd5873a85559da6201b116fb38b490d030", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "nixpkgs": { "locked": { - "lastModified": 1709237383, - "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", + "lastModified": 1711703276, + "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", + "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", "type": "github" }, "original": { 
@@ -58,6 +113,7 @@ "root": { "inputs": { "home": "home", + "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs" } }, @@ -75,6 +131,39 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index d733922..217f656 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,11 +2,16 @@
 inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 inputs.home.url = "git+https://git.sondell.org/glennwso/home.git";
 inputs.home.inputs.nixpkgs.follows = "nixpkgs";
+ inputs.nixos-mailserver = {
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
- outputs = { self, nixpkgs, home }@attrs:
+ outputs = { self, nixpkgs, home, nixos-mailserver}@attrs:
 let
 system = "x86_64-linux";
 homepage = home.packages.${system}.default;
+ mailserver = nixos-mailserver.nixosModules.default;
 in
 {
 # replace 'joes-desktop' with your hostname here.
@@ -24,8 +29,9 @@
 ./filebrowser.nix
 ./tail.nix
 ./matrix.nix
+ ./coturn.nix
+ (import ./mail.nix {inherit mailserver;})
 (import ./homepage.nix {inherit homepage;})
- # ./coturn.nix # disabled becouse tls not solved
 ];
 };
diff --git a/forgejo.nix b/forgejo.nix
index bc93c06..aa7e852 100644
--- a/forgejo.nix
+++ b/forgejo.nix
@@ -28,6 +28,8 @@ in
 };
 services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
 locations."/" = {
 proxyPass = "http://localhost:3000/";
 };
diff --git a/mail.nix b/mail.nix
new file mode 100644
index 0000000..9e2d483
--- /dev/null
+++ b/mail.nix
@@ -0,0 +1,40 @@
+{ mailserver , ... }:
+{
+ imports = [
+ mailserver
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.sondell.org";
+ domains = [ "sondell.org" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # cat .secrets/nextadminpw | nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > .secrets/mailpw.hash
+ loginAccounts = {
+ "admin@sondell.org" = {
+ hashedPasswordFile = "/etc/nixos/.secrets/mailpw.hash";
+ aliases = ["info@sondell.org"];
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+
+ # services.roundcube = {
+ # enable = true;
+ # # this is the url of the vhost, not necessarily the same as the fqdn of
+ # # the mailserver
+ # hostName = "webmail.sondell.org";
+ # extraConfig = ''
+ # # starttls needed for authentication, so the fqdn required to match
+ # # the certificate
+ # $config['smtp_server'] = "tls://${mailserver.fqdn}";
+ # $config['smtp_user'] = "%u";
+ # $config['smtp_pass'] = "%p";
+ # '';
+ # };
+
+}
diff --git a/matrix.nix b/matrix.nix
index 5957519..05be83b 100644
--- a/matrix.nix
+++ b/matrix.nix
@@ -2,7 +2,6 @@
 let
 domain = "sondell.org";
- matrixAdress = "m.${domain}";
 hostName = "matrix";
 fqdn = "${hostName}.${domain}";
 baseUrl = "https://${fqdn}";
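Review bot: The comment `# cat .secrets/nextadminpw | nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > .secrets/mailpw.hash` documents deriving the mail hash from the Nextcloud admin password file — the same file `nextcloud.nix` passes as `adminpassFile` — so one plaintext secret then unlocks both the Nextcloud admin account and the `admin@sondell.org` mailbox with its `info@` alias. Give the mail account its own secret, e.g. `# cat .secrets/mailpw | nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > .secrets/mailpw.hash` with a freshly generated `.secrets/mailpw`, and keep the hash file out of the repository as the `/etc/nixos/.secrets` path suggests is intended. Keeping `hashedPasswordFile` a plain string is right, since a path literal would copy the hash into the world-readable Nix store. The commented `services.roundcube` block adds nothing to the enabled configuration; if it is a planned follow-up, a one-line `# TODO:` naming the blocker reads better than twelve disabled lines.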
@@ -53,11 +52,11 @@ services.postgresql = {
 services.nginx.virtualHosts = {
 ${fqdn} = {
- # enableACME = true;
- # forceSSL = true;
- locations."/".extraConfig = ''
- return 404;
- '';
+ enableACME = true;
+ forceSSL = true;
+ # locations."/".extraConfig = ''
+ # return 404;
+ # '';
 # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
 # *must not* be used here.
 locations."/_matrix".proxyPass = "http://[::1]:8008";
@@ -65,21 +64,21 @@ services.postgresql = {
 locations."/_synapse/client".proxyPass = "http://[::1]:8008";
 };
- ${matrixAdress} = {
- # enableACME = true;
- # forceSSL = true;
- locations."/" = {
- proxyPass = "http://localhost:8008";
- };
- # # This section is not needed if the server_name of matrix-synapse is equal to
- # # the domain (i.e. example.org from @foo:example.org) and the federation port
- # # is 8448.
- # # Further reference can be found in the docs about delegation under
- # # https://element-hq.github.io/synapse/latest/delegate.html
+ ${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ # locations."/" = {
+ # proxyPass = "http://localhost:8008";
+ # };
+ # This section is not needed if the server_name of matrix-synapse is equal to
+ # the domain (i.e. example.org from @foo:example.org) and the federation port
+ # is 8448.
+ # Further reference can be found in the docs about delegation under
+ # https://element-hq.github.io/synapse/latest/delegate.html
 locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- # # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
- # # Further reference can be found in the upstream docs at
- # # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
+ # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+ # Further reference can be found in the upstream docs at
+ # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
 locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
 };
 };
diff --git a/nextcloud.nix b/nextcloud.nix
index 2c82b49..20916c6 100644
--- a/nextcloud.nix
+++ b/nextcloud.nix
@@ -1,24 +1,18 @@
 { self, config, lib, pkgs, ... }:
-let domain = "cloud.sondell.org";
+let
+domain = "cloud.sondell.org";
+nextcloud = pkgs.nextcloud28;
 in
 {
- # Based on https://carjorvaz.com/posts/the-holy-grail-nextcloud-setup-made-easy-by-nixos/
- # security.acme = {
- # acceptTerms = true;
- # defaults = {
- # email = "glennpub@proton.me";
- # dnsProvider = "cloudflare";
- # # # location of your CLOUDFLARE_DNS_API_TOKEN=[value]
- # # # https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile=
- # environmentFile = "/REPLACE/WITH/YOUR/PATH";
- # };
- # };
+ environment.systemPackages = [
+ nextcloud
+ ];
 services = {
 nginx.virtualHosts = {
 ${domain} = {
- # forceSSL = true;
- # enableACME = true;
+ forceSSL = true;
+ enableACME = true;
 # Use DNS Challenege.
 # acmeRoot = null;
 };
@@ -29,24 +23,27 @@ in
 enable = true;
 hostName = domain;
 # Need to manually increment with every major upgrade.
- package = pkgs.nextcloud28;
+ package = nextcloud;
 # Let NixOS install and configure the database automatically.
 database.createLocally = true;
- # Let NixOS install and configure Redis caching automatically.
- configureRedis = true;
 # Increase the maximum file upload size.
 maxUploadSize = "16G";
 https = true;
 autoUpdateApps.enable = true;
 extraAppsEnable = true;
+ # Let NixOS install and configure Redis caching automatically.
+ configureRedis = true;
+ settings = {
+ maintenance_window_start = 1;
+ };
 extraOptions = {
- redis = {
- host = "/run/redis/redis.sock";
- port = 0;
- dbindex = 0;
- password = "secret";
- timeout = 1.5;
- };
+ # redis = {
+ # # host = "/run/redis/redis.sock";
+ # port = 0;
+ # dbindex = 0;
+ # password = "secret";
+ # timeout = 1.5;
+ # };
 };
 extraApps = with config.services.nextcloud.package.packages.apps; {
 # List of apps we want to install and are already packaged in
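Review bot: The `extraOptions` block in the second hunk keeps the old Redis settings, including `password = "secret";`, as commented-out text instead of deleting them; with `configureRedis = true` the module manages the Redis connection itself, so the dead block only invites someone to re-enable a placeholder password against a Redis that has no AUTH configured — the `ERR AUTH called without any password configured` entries in the committed `dbg/err.log` look like that state, though I can only infer the link from this diff. Delete the seven commented lines and leave `extraOptions = { };`, with a single comment such as `# Redis is wired up by configureRedis; do not set redis.* here`. `maintenance_window_start = 1;` under `settings` has no explanation; a comment like `# UTC hour at which Nextcloud's background-maintenance window opens (confirm against the Nextcloud docs)` would help the next reader. In the first hunk, `environment.systemPackages = [ nextcloud ]` installs the web application into every user's PATH although `package = nextcloud;` already makes the service use it — if the goal is the `occ` helper, say so in a comment, otherwise drop the list.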
@@ -55,7 +52,7 @@ in
 };
 config = {
 overwriteProtocol = "https";
- # defaultPhoneRegion = "US";
+ defaultPhoneRegion = "SE";
 dbtype = "pgsql";
 adminuser = "admin";
 adminpassFile = "/etc/nixos/.secrets/nextadminpw";
@@ -69,4 +66,14 @@ in
 # startAt = "*-*-* 01:15:00";
 # };
 };
+ services.onlyoffice = {
+ enable = true;
+ port = 8123;
+ hostname = "office.sondell.org";
+ };
+ services.nginx.virtualHosts."office.sondell.org" = {
+ forceSSL = true;
+ enableACME = true;
+ # locations."/".proxyPass = "http://12:8123";
+ };
 }
diff --git a/tail.nix b/tail.nix
index acdd2bb..8f67616 100644
--- a/tail.nix
+++ b/tail.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 {
 services.tailscale = {
- enable =true;
+ enable =false;
 useRoutingFeatures = "both";
 extraUpFlags = [
 "--advertise-exit-node"
diff --git a/tunnel.nix b/tunnel.nix
index cb34469..cc3730d 100644
--- a/tunnel.nix
+++ b/tunnel.nix
@@ -3,19 +3,19 @@
 services.nginx = {
 enable = true;
 clientMaxBodySize = "10g";
- defaultHTTPListenPort = 1234;
+ # defaultHTTPListenPort = 1234;
 };
 services.cloudflared = {
- enable = true;
- tunnels = {
- "tulpan" = {
- credentialsFile = "/etc/nixos/.secrets/tulpan-tunnel.json";
- default = "http_status:404";
- ingress = {
- "*.sondell.org" = "http://localhost:1234";
- "sondell.org" = "http://localhost:1234";
- };
- };
- };
+ enable = false;
+ # tunnels = {
+ # "tulpan" = {
+ # credentialsFile = "/etc/nixos/.secrets/tulpan-tunnel.json";
+ # default = "http_status:404";
+ # ingress = {
+ # "*.sondell.org" = "http://localhost:1234";
+ # "sondell.org" = "http://localhost:1234";
+ # };
+ # };
+ # };
 };
 }
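Review bot: `services.onlyoffice` in the second hunk is enabled without `jwtSecretFile`, so if the module's default of no JWT is kept, the document server published at `office.sondell.org` honours requests from any client that can reach it rather than only from Nextcloud; set `jwtSecretFile = "/etc/nixos/.secrets/onlyoffice-jwt";` (constructed example path following this file's `.secrets` convention) and configure the same secret in the Nextcloud OnlyOffice app. The commented `# locations."/".proxyPass = "http://12:8123";` is not a valid upstream and should be removed; as far as I know the NixOS onlyoffice module already declares the nginx vhost for `hostname` and proxies to `port`, so the separate `virtualHosts."office.sondell.org"` block only needs `forceSSL` and `enableACME` — confirm against the module before relying on that. `hostname` and the vhost attribute both spell out `office.sondell.org`; a `let` binding next to the existing `domain` keeps the two from diverging.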