initial add

This commit is contained in:
naturallaw77 2023-06-01 05:47:05 -07:00
parent 8c5ed0c982
commit 355e35b9f6
13 changed files with 1076 additions and 2 deletions

View File

@ -0,0 +1,14 @@
{
description = "The Ultimate Sovran Pro Configuration from Sovran Systems";
inputs = {
Sovran_Systems.url = "git+https://git.sovransystems.com/Sovran_Systems/Sovran_Pro";
};
outputs = { self, Sovran_Systems, ... }@inputs: {
nixosConfigurations."nixos" = Sovran_Systems.inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ Sovran_Systems.nixosModules.Sovran_Pro ];
};
};
}

View File

@ -0,0 +1,197 @@
#!/usr/bin/env bash
GREEN="\e[32m"
LIGHTBLUE="\e[94m"
ENDCOLOR="\e[0m"
#
pushd /etc/nixos/
sudo wget https://git.sovransystems.com/Sovran_Systems/Sovran_Pro/raw/branch/main/For_NEW_Sovran_Pros_Upload/flake.nix
sudo chown root:root /etc/nixos/ -R
sudo chmod 770 /etc/nixos/ -R
popd
#
sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/home/ /home
sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/www/ /var/lib/www
sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/domains/ /var/lib/domains
sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/nextcloudaddition/ /var/lib/nextcloudaddition
sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/njalla/ /var/lib/njalla
sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/external_ip/ /var/lib/external_ip
sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/secrets/ /var/lib/secrets
#
nixos-rebuild switch --flake '/etc/nixos/#' --impure --update-input Sovran_Systems --commit-lock-file
#
sudo chown root:root /var/lib/secrets/main -R
sudo chown matrix-synapse:matrix-synapse /var/lib/secrets/matrix_reg_secret -R
sudo chown matrix-synapse:matrix-synapse /var/lib/secrets/matrixdb -R
sudo chown postgres:postgres /var/lib/secrets/nextclouddb -R
sudo chown turnserver:turnserver /var/lib/secrets/turn -R
sudo chown mysql:mysql /var/lib/secrets/wordpressdb -R
sudo chmod 770 /var/lib/secrets/ -R
#
sudo echo -e "${GREEN}What is your New Matrix (Element Chat) domain name?${ENDCOLOR}"
read
sudo echo -n $REPLY > /var/lib/domains/matrix
sudo echo -e "${GREEN}What is your New Wordpress domain name?${ENDCOLOR}"
read
sudo echo -n $REPLY > /var/lib/domains/wordpress
sudo echo -e "${GREEN}What is your New Nextcloud domain name?${ENDCOLOR}"
read
sudo echo -n $REPLY > /var/lib/domains/nextcloud
sudo echo -e "${GREEN}What is your New BTCPayserver domain name?${ENDCOLOR}"
read
sudo echo -n $REPLY > /var/lib/domains/btcpayserver
sudo echo -e "${GREEN}What is your New Vaultwarden domain name?${ENDCOLOR}"
read
sudo echo -n $REPLY > /var/lib/domains/vaultwarden
sudo echo -e "${GREEN}What is the email you would like to use to manage the SSL certificates for your domains?${ENDCOLOR}"
read
sudo echo -n $REPLY > /var/lib/domains/sslemail
sudo chown caddy:php /var/lib/domains -R
sudo chmod 770 /var/lib/domains -R
#
set -x
sudo rm -rf /home/free/.config/BraveSoftware
sudo rm -rf /home/free/.local/share/fish/fish_history
#
sudo rm -rf /var/lib/www/wordpress/wp-config.php
sudo rm -rf /var/lib/www/nextcloud/config/config.php
sudo touch /var/lib/www/nextcloud/config/CAN_INSTALL
sudo sed -i '$e cat /var/lib/nextcloudaddition/nextcloudaddition' /var/lib/www/nextcloud/config/config.php
sudo chown caddy:php /var/lib/www -R
sudo chmod 770 /var/lib/www -R
#
sudo mkdir /var/lib/nextcloud
sudo chown caddy:php /var/lib/nextcloud -R
sudo chmod 770 /var/lib/nextcloud -R
#
sudo mkdir /var/lib/coturn
sudo chown turnserver:turnserver /var/lib/coturn -R
sudo chmod 770 /var/lib/coturn -R
#
sudo touch /var/lib/vaultwarden.env
sudo chown vaultwarden:vaultwarden /var/lib/vaultwarden.env
sudo chmod 770 /var/lib/vaultwarden.env
#
sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/nextclouddb
sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/wordpressdb
sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/matrixdb
sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/turn
sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/matrix_reg_secret
sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/main
sudo echo -n ADMIN_TOKEN=$(openssl rand -base64 48
) > /var/lib/vaultwarden.env
#
sudo echo "root:$(cat /var/lib/secrets/main)" | chpasswd -c SHA512
#
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak update
#
sudo echo "free:a" | chpasswd -c SHA512
#
sudo rm -rf /root/sp
sudo rm -rf /root/Step_2_psp
sudo rm -rf /root/.ssh
sudo rm -rf /home/free/.ssh
sudo rm -rf /root/sovransystems
sudo chown bitcoin:bitcoin /run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node -R
sudo chmod 770 /run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node -R
sudo chown electrs:electrs /run/media/Second_Drive/BTCEcoandBackup/Electrs_Data -R
sudo chmod 770 /run/media/Second_Drive/BTCEcoandBackup/Electrs_Data -R
nixos-rebuild switch --flake '/etc/nixos/#' --impure --update-input Sovran_Systems --commit-lock-file
#
set +x
sudo echo -e "${GREEN}These four passwords are generated for convenience to use for the Web front end setup UI accounts for Nextcloud, Wordpress, VaultWarden, and BTCPayserver (if you want to use them).${ENDCOLOR} \n"
sudo echo -e "$(pwgen -s 17 -1) \n"
sudo echo -e "$(pwgen -s 17 -1) \n"
sudo echo -e "$(pwgen -s 17 -1) \n"
sudo echo -e "$(pwgen -s 17 -1) \n"
#
sudo echo -e "${LIGHTBLUE}One last thing, you need to put the Njalla DDNS info from Njalla into njalla.sh.${ENDCOLOR} \n"
sudo echo -e "${GREEN}All Finished! Please Reboot then Enjoy your New Sovran Pro!${ENDCOLOR} \n"

View File

@ -1,3 +1,29 @@
# Sovran_SystemsOS <br />
<br />
The Official Repository of Sovran_SystemsOS. <center><img src="sovran_systems.png" alt="drawing" width="500"/></center>
<br />
<br />
<br />
# Complete Configuration for Sovran_SystemsOS and the Sovran Pro
________________________________________________________
A Nix Flake Implementation
Thanks to all the NixOS creators and developers for creating what is the future of computing.
https://www.sovransystems.com
Connect on Matrix here: https://matrix.to/#/#sovran-systems:anarchyislove.xyz
_________________________________________________________
GNU GPL 3.0+
All Open Source Software Used Falls Under Its Specific Open Source License.
Created, Handcrafted, and Headquartered in Southern California 2022-2023 🏖️.
This Gitea is Proudly Powered by a Sovran Pro 💚.
All Is Love. Fear Is Illusion. All Beings Are Free. Truth Can Never Be Destroyed.

122
flake.lock Normal file
View File

@ -0,0 +1,122 @@
{
"nodes": {
"extra-container": {
"inputs": {
"flake-utils": [
"nix-bitcoin",
"flake-utils"
],
"nixpkgs": [
"nix-bitcoin",
"nixpkgs"
]
},
"locked": {
"lastModified": 1678566036,
"narHash": "sha256-dq+gCYplCTkbHOH1ERCzuTnwY/RvwMyw/kijPy7C3vE=",
"owner": "erikarvstedt",
"repo": "extra-container",
"rev": "a4fe3227bf63bf8479938e1457ebe1c04fe51ef5",
"type": "github"
},
"original": {
"owner": "erikarvstedt",
"repo": "extra-container",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1678901627,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nix-bitcoin": {
"inputs": {
"extra-container": "extra-container",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
},
"locked": {
"lastModified": 1679384842,
"narHash": "sha256-SMJW+QZt3iRuoezjE12sopBsdLHDihXe/RerLfRpqoI=",
"owner": "fort-nix",
"repo": "nix-bitcoin",
"rev": "481050bdf75106bff652016bfe5c39736bdd03ef",
"type": "github"
},
"original": {
"owner": "fort-nix",
"ref": "release",
"repo": "nix-bitcoin",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1679139072,
"narHash": "sha256-Gtw2Yj8DfETie3u7iHv1y5Wt+plGRmp6nTQ0EEfaPho=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "08ef7dc8334521605a5c8b7086cc248e74ee338b",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1679198465,
"narHash": "sha256-VfXpHpniNWgg7pBzxb20pRX7kqn80LApPDQYTReiFCw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5a05160f7671434e1c833b1b01284b876e04eca4",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1681217261,
"narHash": "sha256-RbxCHWN3Vhyv/WEsXcJlDwF7bpvZ9NxDjfSouQxXEKo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3fb8eedc450286d5092e4953118212fa21091b3b",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nix-bitcoin": "nix-bitcoin",
"nixpkgs": "nixpkgs_2"
}
}
},
"root": "root",
"version": 7
}

28
flake.nix Normal file
View File

@ -0,0 +1,28 @@
{
description = "The Ultimate Sovran Pro Configuration from Sovran Systems";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
};
outputs = { self, nixpkgs, nix-bitcoin, ... }:
{
nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
system ="x86_64-linux";
};
nixosModules.Sovran_Pro = { pkgs, ... }: {
imports = [
./modules/modules.nix
nix-bitcoin.nixosModules.default
];
};
};
}

View File

@ -0,0 +1,76 @@
{ config, pkgs, lib, ... }:
{
nix-bitcoin.generateSecrets = true;
services.bitcoind = {
enable = true;
dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node";
txindex = true;
tor.proxy = true;
disablewallet = true;
extraConfig = ''
peerbloomfilters=1
server=1
'';
};
nix-bitcoin.onionServices.bitcoind.enable = true;
nix-bitcoin.onionServices.electrs.enable = true;
services.lnd = {
enable = true;
};
services.lightning-loop = {
enable = true;
};
services.lightning-pool = {
enable = true;
};
services.rtl = {
enable = true;
port = 3050;
nightTheme = true;
nodes = {
lnd = {
enable = true;
loop = true;
};
reverseOrder = true;
};
};
nix-bitcoin.onionServices.lnd.public = true;
services.lnd.lndconnect = {
enable = true;
onion = true;
};
services.charge-lnd.enable = true;
services.btcpayserver.lightningBackend = "lnd";
services.electrs = {
enable = true;
tor.enforce = true;
dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Electrs_Data";
};
services.btcpayserver = {
enable = true;
};
nix-bitcoin.nodeinfo.enable = true;
nix-bitcoin.operator = {
enable = true;
name = "free";
};
}

434
modules/configuration.nix Normal file
View File

@ -0,0 +1,434 @@
{ config, pkgs, lib, ... }:
let
personalization = import ./personalization.nix;
custom-php = pkgs.php81.buildEnv {
extensions = { enabled, all }: enabled ++ (with all; [ apcu imagick memcached ]);
extraConfig = ''
display_errors = On
display_startup_errors = On
max_execution_time = 6000
max_input_time = 3000
memory_limit = 8G;
opcache.enable=1;
opcache.memory_consumption=512;
opcache_revalidate_freq = 240;
opcache.max_accelerated_files=4000;
auto_prepend_file = '/var/lib/www/wordpress/wordfence-waf.php'
post_max_size = 2048M
upload_max_filesize = 2048M
opcache.interned_strings_buffer = 32
apc.enable_cli=1
'';
};
in
{
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.kernelPackages = pkgs.linuxPackages_latest;
# Enable Automount without Fail for Internal Drive.
fileSystems."/run/media/Second_Drive" = {
device = "LABEL=BTCEcoandBackup";
fsType = "ext4";
options = [ "nofail" ];
};
nix = {
package = pkgs.nixUnstable;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "us";
xkbVariant = "";
};
# Enable CUPS to print documents.
services.printing.enable = true;
# Systemd Settings
systemd.enableEmergencyMode = false;
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
users.users = {
free = {
isNormalUser = true;
description = "free";
extraGroups = [ "networkmanager" ];
};
####### PHP user for PHPFPM #######
php = {
isSystemUser = true;
createHome = false;
uid = 7777;
};
};
users.users.php.group = "php";
users.groups.php = {};
# Enable automatic login for the user.
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "free";
# Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
systemd.services."getty@tty1".enable = true;
systemd.services."autovt@tty1".enable = true;
# Allow Flatpak
services.flatpak.enable = true;
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
git
wget
librewolf
fish
htop
gnomeExtensions.dash-to-dock-for-cosmic
gnomeExtensions.vitals
gnomeExtensions.pop-shell
gnomeExtensions.transparent-top-bar
gnomeExtensions.just-perfection
gnomeExtensions.appindicator
gnomeExtensions.systemd-manager
gnome.gnome-tweaks
papirus-icon-theme
ranger
gnome.gnome-tweaks
sparrow
bisq-desktop
neofetch
gnome.gedit
matrix-synapse
openssl
pwgen
aspell
aspellDicts.en
lm_sensors
hunspell
hunspellDicts.en_US
custom-php
matrix-synapse-tools.synadm
brave
ncdu_2
bitwarden
gparted
pv
unzip
parted
screen
gnome.zenity
];
nixpkgs.config.permittedInsecurePackages = [
"nodejs-16.20.0"
"nodejs-slim-16.20.0"
];
programs.bash.promptInit = "fish";
programs.fish = {
enable = true;
promptInit = "neofetch";
};
####### PHPFMP #######
services.phpfpm.pools = {
mypool = {
user = "caddy";
group = "php";
phpPackage = custom-php;
settings = {
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
"clear_env" = "no";
};
};
};
####### CADDY #######
services.caddy = {
enable = true;
package = pkgs.caddy;
user = "caddy";
group = "root";
email = "${personalization.caddy_email_for_zerossl}";
acmeCA = "https://acme.zerossl.com/v2/DV90";
virtualHosts = {
"${personalization.wordpress_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/wordpress
php_fastcgi unix//run/phpfpm/mypool.sock
file_server browse
'';
};
"www.${personalization.wordpress_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/wordpress
php_fastcgi unix//run/phpfpm/mypool.sock
file_server browse
'';
};
"${personalization.nextcloud_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/nextcloud
php_fastcgi unix//run/phpfpm/mypool.sock
file_server
redir /.well-known/carddav /remote.php/carddav 301
redir /.well-known/caldav /remote.php/caldav 301
header {
Strict-Transport-Security max-age=31536000;
}
'';
};
"${personalization.matrix_url}" = {
extraConfig = ''
reverse_proxy /_matrix/* http://localhost:8008
reverse_proxy /_synapse/client/* http://localhost:8008
'';
};
"${personalization.matrix_url}:8448" = {
extraConfig = ''
reverse_proxy http://localhost:8008
'';
};
"${personalization.btcpayserver_url}" = {
extraConfig = ''
reverse_proxy http://localhost:23000
encode gzip zstd
'';
};
"https://${personalization.vaultwarden_url}" = {
extraConfig = ''
reverse_proxy http://localhost:8777
encode gzip zstd
'';
};
":3051" = {
extraConfig = ''
reverse_proxy :3050
encode gzip zstd
tls internal
'';
};
};
};
###### CREATE DATABASE (WORDPRESS, MATRIX_SYNAPSE, AND NEXTCLOUD) #######
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
};
services.postgresql.authentication = lib.mkForce ''
# Generated file; do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
services.mysql = {
enable = true;
package = pkgs.mariadb_1011;
};
services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''
CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.nextclouddb_pass}';
CREATE DATABASE "nextclouddb" WITH OWNER "ncusr"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${personalization.matrix-synapsedb_pass}';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
''
;
services.mysql.initialScript = pkgs.writeText "wordpress-init.sql" ''
CREATE DATABASE wordpressdb;
GRANT ALL ON *.* TO 'wpusr'@'localhost' IDENTIFIED BY '${personalization.wordpressdb_pass}';
FLUSH PRIVILEGES;
''
;
####### KEEP AWAKE for DISPLAY and HEADLESS #######
services.xserver.displayManager.gdm.autoSuspend = false;
####### BACKUP TO INTERNAL DRIVE #######
services.rsnapshot = {
enable = true;
extraConfig = ''
snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup
retain hourly 12
retain daily 12
backup /home/ localhost/
backup /var/lib/ localhost/
backup /etc/nixos/ localhost/
backup /etc/nix-bitcoin-secrets/ localhost/
'';
cronIntervals = {
daily = "50 21 * * *";
hourly = "0 * * * *";
};
};
####### CRON #######
services.cron = {
enable = true;
systemCronJobs = [
"*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
"15 * * * * root /var/lib/njalla/njalla.sh"
"0 */2 * * * root /var/lib/external_ip/external_ip.sh"
];
};
####### TOR #######
services.tor = {
enable = true;
client.enable = true;
torsocks.enable = true;
};
services.privoxy.enableTor = true;
####### Enable the OpenSSH daemon #######
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "yes";
};
};
#######FailtoBan#######
services.fail2ban = {
enable = true;
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"8.8.8.8"
];
};
####### Open ports in the firewall #######
networking.firewall.allowedTCPPorts = [ 80 443 5349 8448 3050 3051 ];
networking.firewall.allowedUDPPorts = [ 80 443 5349 8448 3050 3051 ];
networking.firewall.allowedUDPPortRanges = [
{ from=49152; to=65535; } # TURN relay
];
# Or disable the firewall altogether.
networking.firewall.enable = true;
####### AUTO UPDATE #######
# system.autoUpgrade = {
# enable = true;
# flags = [ "--impure" "--update-input" "Sovran_Systems" "--commit-lock-file" ];
# flake = "/etc/nixos";
# persistent = true;
# allowReboot = true;
# rebootWindow = { lower = "02:00"; upper = "05:00"; };
# };
####### AUTO COLLECT GARABAGE #######
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
system.stateVersion = "22.05";
}

51
modules/coturn.nix Normal file
View File

@ -0,0 +1,51 @@
{config, pkgs, lib, ...}:
let
personalization = import ./personalization.nix;
in
{
systemd.services.sslcoturn = {
script = ''
cp -n /var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/${personalization.matrix_url}/${personalization.matrix_url}.crt /var/lib/coturn/${personalization.matrix_url}.crt.pem
cp -n /var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/${personalization.matrix_url}/${personalization.matrix_url}.key /var/lib/coturn/${personalization.matrix_url}.key.pem
chown turnserver:turnserver /var/lib/coturn -R
chmod 770 /var/lib/coturn -R
systemctl restart coturn
'';
unitConfig = {
Type = "simple";
After = "NetworkManager.service";
Requires = "network-online.target";
};
serviceConfig = {
RemainAfterExit = "yes";
Type = "oneshot";
};
wantedBy = [ "multi-user.target" ];
};
services.coturn = {
enable = true;
use-auth-secret = true;
static-auth-secret = "${personalization.turn_shared}";
realm = personalization.matrix_url;
cert = "/var/lib/coturn/${personalization.matrix_url}.crt.pem";
pkey = "/var/lib/coturn/${personalization.matrix_url}.key.pem";
min-port = 49152;
max-port = 65535;
no-cli = true;
#listening-ips = [ "127.0.0.1" ];
extraConfig = ''
verbose
external-ip=${personalization.external_ip_secret}
'';
};
}

13
modules/modules.nix Normal file
View File

@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
{
imports = [
./configuration.nix
./synapse.nix
./coturn.nix
./bitcoinecosystem.nix
./vaultwarden.nix
/etc/nixos/hardware-configuration.nix
];
}

View File

@ -0,0 +1,17 @@
{
matrix_url = builtins.readFile /var/lib/domains/matrix;
wordpress_url = builtins.readFile /var/lib/domains/wordpress;
nextcloud_url = builtins.readFile /var/lib/domains/nextcloud;
btcpayserver_url = builtins.readFile /var/lib/domains/btcpayserver;
caddy_email_for_zerossl = builtins.readFile /var/lib/domains/sslemail;
vaultwarden_url = builtins.readFile /var/lib/domains/vaultwarden;
wordpressdb_pass = builtins.readFile /var/lib/secrets/wordpressdb;
matrix-synapsedb_pass = builtins.readFile /var/lib/secrets/matrixdb;
nextclouddb_pass = builtins.readFile /var/lib/secrets/nextclouddb;
turn_shared = builtins.readFile /var/lib/secrets/turn;
matrix_reg_secret = builtins.readFile /var/lib/secrets/matrix_reg_secret;
external_ip_secret = builtins.readFile /var/lib/secrets/external_ip;
}

75
modules/synapse.nix Normal file
View File

@ -0,0 +1,75 @@
{ config, pkgs, lib, ... }:
####### CREATE NEW USER (ADMIN OR NOT) VIA TERMINAL #######
# (Run as root in terminal) matrix-synapse-register_new_matrix_user #
####### #######
let
personalization = import ./personalization.nix;
in
{
services.matrix-synapse = {
enable = true;
settings = {
include_content = false;
group_unread_count_by_room = false;
encryption_enabled_by_default_for_room_type = "invite";
allow_profile_lookup_over_federation = false;
allow_device_name_lookup_over_federation = false;
server_name = personalization.matrix_url;
url_preview_enabled = true;
max_upload_size = "1024M";
url_preview_ip_range_blacklist = [
"10.0.0.0/8"
"100.64.0.0/10"
"169.254.0.0/16"
"172.16.0.0/12"
"192.0.0.0/24"
"192.0.2.0/24"
"192.168.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"198.51.100.0/24"
"2001:db8::/32"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fc00::/7"
"fe80::/10"
"fec0::/10"
"ff00::/8"
];
url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
turn_shared_secret = "${personalization.turn_shared}";
turn_uris = [
"turn:${personalization.matrix_url}:5349?transport=udp"
"turn:${personalization.matrix_url}:5349?transport=tcp"
"turns:${personalization.matrix_url}:5349?transport=udp"
"turns:${personalization.matrix_url}:5349?transport=tcp"
];
presence.enabled = true;
enable_registration = false;
registration_shared_secret = "${personalization.matrix_reg_secret}";
listeners = [
{
port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" ];
compress = true;
}
{
names = [ "federation" ];
compress = false;
} ];
}
];
};
};
}

21
modules/vaultwarden.nix Normal file
View File

@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
let
personalization = import ./personalization.nix;
in
{
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://${personalization.vaultwarden_url}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8777;
ROCKET_LOG = "critical";
};
dbBackend = "sqlite";
environmentFile = "/var/lib/vaultwarden.env";
};
}

BIN
sovran_systems.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 23 KiB