nix dotfiles

server/configuration.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ./matrix.nix
+    ./element.nix
+    ./forgejo.nix
+  ];
+
+  nixpkgs.config.permittedInsecurePackages = [
+    "olm-3.2.16"
+  ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  networking.hostName = "navi";
+
+  networking.dhcpcd.IPv6rs = true;
+  networking.dhcpcd.persistent = true;
+  networking.tempAddresses = "disabled";
+  networking.interfaces.ens3.tempAddress = "disabled";
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "prohibit-password";
+      PasswordAuthentication = false;
+      PubkeyAuthentication = true;
+    };
+  };
+
+  users.users.root = {
+    isNormalUser = false;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHioVSkG7cILl5SQiGm3TaL641BGU00FLSgexBx6xtYy"
+    ];
+    password = null;
+  };
+
+  services.cron.enable = true;
+  services.cron.systemCronJobs = [
+    "@reboot root sleep 30 && curl -L -XPOST -q https://portal.servinga.cloud/api/service/v1/cloud-init/callback > /dev/null 2>&1"
+  ];
+
+  system.stateVersion = "26.05";
+}

server/element.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  domain = "itamar.site";
+  matrixDomain = "matrix.${domain}";
+  elementDomain = "element.${domain}";
+in {
+  security.acme.certs."${elementDomain}" = {};
+
+  services.nginx.virtualHosts."${elementDomain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    root = pkgs.element-web.override {
+      conf = {
+        default_server_config = {
+          "m.homeserver" = {
+            base_url = "https://${matrixDomain}";
+            server_name = domain;
+          };
+          "m.identity_server" = {
+            base_url = "https://vector.im";
+          };
+        };
+        # Optional: Set default theme and other settings
+        default_theme = "dark";
+        show_labs_settings = true;
+        disable_guests = false;
+        disable_3pid_login = false;
+      };
+    };
+  };
+}

server/forgejo.nix

@@ -0,0 +1,66 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in {
+  services.forgejo = {
+    enable = true;
+    appName = "git.itamar.site";
+    database.type = "sqlite3";
+    lfs.enable = true;
+
+    settings = {
+      server = {
+        DOMAIN = "git.itamar.site";
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = 3000;
+        ROOT_URL = "https://git.itamar.site/";
+        PROTOCOL = "http"; 
+
+        DISABLE_SSH = false;
+        START_SSH_SERVER = false; 
+        SSH_DOMAIN = "git.itamar.site";
+        SSH_PORT = lib.head config.services.openssh.ports;
+
+        DISABLE_HTTP_GIT = true;
+      };
+
+      security = {
+        COOKIE_SECURE = true;
+      };
+
+      service = {
+        DISABLE_REGISTRATION = true;
+      };
+
+      log.LEVEL = "Info";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."git.itamar.site" = {
+      enableACME = true;
+      forceSSL = true;
+      extraConfig = ''
+        client_max_body_size 512M;
+      '';
+      locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "itamar@itamar.site";
+  };
+
+  services.openssh = {
+    enable = true;
+    ports = [22];
+  };
+
+  networking.firewall.allowedTCPPorts = [22 80 443];
+}

server/hardware-configuration.nix

@@ -0,0 +1,27 @@
+[root@navi:/etc/nixos]# cat hardware-configuration.nix 
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/3afb8070-14f2-4f56-bce2-301eccea108d";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/2744bc0a-2684-4952-8ea8-371bd0c09f78"; }
+    ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

server/matrix.nix

@@ -0,0 +1,195 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  domain = "itamar.site";
+  matrixDomain = "matrix.${domain}";
+in {
+  networking.firewall = {
+    allowedTCPPorts = [80 443 8448];
+    allowedUDPPorts = [3478 5349];
+    allowedUDPPortRanges = [
+      {
+        from = 49152;
+        to = 65535;
+      }
+    ];
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@${domain}";
+    certs = {
+      "${domain}" = {};
+      "${matrixDomain}" = {};
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = ["matrix-synapse" "mautrix-whatsapp"];
+    ensureUsers = [
+      {
+        name = "matrix-synapse";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "mautrix-whatsapp";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = domain;
+      suppress_key_server_warning = true;
+      database = {
+        name = "psycopg2";
+        allow_unsafe_locale = true;
+        args = {
+          database = "matrix-synapse";
+          user = "matrix-synapse";
+          host = "/run/postgresql";
+        };
+      };
+      enable_registration = false;
+      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";
+      turn_uris = [
+        "turns:${domain}:5349?transport=udp"
+        "turns:${domain}:5349?transport=tcp"
+        "turn:${domain}:3478?transport=udp"
+        "turn:${domain}:3478?transport=tcp"
+      ];
+      turn_shared_secret_path = "/var/lib/matrix-synapse/turn_secret";
+      turn_user_lifetime = "1d";
+      listeners = [
+        {
+          port = 8008;
+          bind_addresses = ["127.0.0.1" "::1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = false;
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  services.mautrix-whatsapp = {
+    enable = true;
+    registerToSynapse = true;
+    settings = {
+      homeserver = {
+        address = "http://localhost:8008";
+        domain = domain;
+      };
+      appservice = {
+        id = "whatsapp";
+        bot = {
+          username = "whatsappbot";
+          displayname = "WhatsApp Bridge Bot";
+        };
+      };
+      database = {
+        type = "postgres";
+        uri = "postgres://mautrix-whatsapp@/mautrix-whatsapp?host=/run/postgresql";
+      };
+      bridge = {
+        permissions = {
+          "*" = "relay";
+          "*@${domain}" = "user";
+          "@itamar:${domain}" = "admin";
+        };
+        encryption.allow = true;
+        private_chat_portal_meta = true;
+      };
+      encryption = {
+        pickle_key = "$ENCRYPTION_PICKLE_KEY";
+      };
+      provisioning.shared_secret = "disable";
+    };
+    environmentFile = "/var/lib/mautrix-whatsapp/secrets.env";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+      "${domain}" = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/var/www/${domain}";
+        locations."= /.well-known/matrix/server".extraConfig = ''
+          add_header Content-Type application/json;
+          return 200 '{"m.server": "${matrixDomain}:443"}';
+        '';
+        locations."= /.well-known/matrix/client".extraConfig = ''
+          add_header Content-Type application/json;
+          add_header Access-Control-Allow-Origin *;
+          return 200 '{"m.homeserver":{"base_url":"https://${matrixDomain}"},"m.identity_server":{"base_url":"https://vector.im"}}';
+        '';
+      };
+
+      "${matrixDomain}" = {
+        enableACME = true;
+        forceSSL = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+        locations."/_matrix" = {
+          proxyPass = "http://[::1]:8008";
+          proxyWebsockets = true;
+        };
+        locations."/_synapse/client" = {
+          proxyPass = "http://[::1]:8008";
+          proxyWebsockets = true;
+        };
+        locations."/".extraConfig = "return 404;";
+      };
+    };
+  };
+
+  services.coturn = {
+    enable = true;
+    realm = domain;
+    listening-ips = ["0.0.0.0"];
+    listening-port = 3478;
+    tls-listening-port = 5349;
+    min-port = 49152;
+    max-port = 65535;
+    lt-cred-mech = true;
+    use-auth-secret = true;
+    static-auth-secret-file = "/var/lib/coturn/static-auth-secret";
+    cert = "/var/lib/acme/${domain}/fullchain.pem";
+    pkey = "/var/lib/acme/${domain}/key.pem";
+    no-cli = true;
+    no-tcp-relay = true;
+    secure-stun = true;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/matrix-synapse 0750 matrix-synapse matrix-synapse -"
+    "d /var/lib/coturn 0750 turnserver turnserver -"
+  ];
+}