initial commit

hosts/velarion/default.nix

@@ -0,0 +1,25 @@
+{ modulesPath, ... }:
+{
+  imports = [
+    ./disk.nix
+    ./machine.nix
+    ./secrets.nix
+    ../../modules/podman.nix
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    useOSProber = true;
+  };
+
+  programs.dconf.enable = true;
+
+  # Setup DKIM key directory
+  systemd.tmpfiles.rules = [
+    "d /var/dkim 0755 root root - -"
+  ];
+}

hosts/velarion/disk.nix

@@ -0,0 +1,37 @@
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = "/dev/vda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/velarion/machine.nix

@@ -0,0 +1,161 @@
+{dns, ...}: let
+  domain = "ruject.fun";
+  database = {
+    host = "127.0.0.1";
+    port = 5432;
+  };
+  ipv4 = "94.156.112.0";
+in {
+  services.nginx.enable = true;
+  machine = {
+    gateway = "10.0.0.1";
+    inherit ipv4;
+    bind = {
+      enable = true;
+      inherit domain;
+      zones = with dns.lib.combinators; {
+        ${domain} = {
+          SOA = {
+            nameServer = "ns1";
+            adminEmail = "hostmaster";
+            serial = 2019030800;
+            refresh = 3 * 60 * 60; # 3 hours
+            retry = 1 * 60 * 60; # 1 hour
+            expire = 7 * 24 * 60 * 60; # 7 days
+          };
+          useOrigin = false;
+          NS = [
+            "ns1"
+            "ns2"
+          ];
+
+          A = [ipv4];
+
+          subdomains = rec {
+            ns1 = host ipv4 null;
+            ns2 = ns1;
+            "3x-ui" = ns1;
+            "sub.3x-ui" = ns1;
+            git = ns1;
+            music = ns1;
+            bitwarden = ns1;
+            roundcube = ns1;
+            status = ns1;
+            irc = ns1;
+            "upload.irc" = ns1;
+            nextcloud = ns1;
+            code = ns1;
+            mail = ns1;
+            matrix = ns1;
+            chat = ns1;
+            turn = ns1;
+          };
+
+          TXT = [
+            (with spf; strict ["a:mail.ruject.fun"])
+          ];
+
+          MX = with mx; [(mx 10 "mail.ruject.fun.")];
+
+          DMARC = [
+            {
+              p = "quarantine";
+              adkim = "strict";
+              aspf = "strict";
+            }
+          ];
+          DKIM = [
+            {
+              selector = "mail";
+              k = "rsa";
+              p = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0L14rM/ObA5WwVlPpCMiy3ESOhqo9Ye0edtc52sjt+YxJxpDgT1oo1yCdoXWbF38/f2RfqgmBCKg0+N9YQFsAL8FbBcAlkERXbt52T/5A5gBkfUnwB1I646WQdT43JsCWiSYgDc4IcVM/tG8Quj/oKois+b8W6dco6NWLET7bBcnBCEfJYL7TLnG+O83poB+gHef3g0WqwMMqXqbgvJutGb4uevJ327Ywa77fcUp7oYrMvgz6ESmetgmsizTwJadwuXC2k4E50ZmlM3tdjpisQgaUImJBqEa311SXfkhD9AbKjfp5tmOjinPMZwqVM09GFkIn89X7U6LDykh85zBNwIDAQAB";
+            }
+          ];
+        };
+      };
+    };
+    code-server = {
+      enable = true;
+      port = 4444;
+      domain = "code.${domain}";
+      user = "rus07tam";
+      hashedPassword = "$argon2i$v=19$m=4096,t=3,p=1$Z29zNjNOalFobUwyak1YY3pwYlYwL0IrN053PQ$hmRE46O8UM9zTgINjt5/xn35xypU+MMxNNq1r7xPXqo";
+    };
+    coturn = {
+      enable = true;
+      startPort = 49000;
+      endPort = 50000;
+      realm = "turn.${domain}";
+    };
+    forgejo = {
+      enable = true;
+      enableRunner = true;
+      domain = "git.${domain}";
+      port = 3000;
+      inherit database;
+    };
+    mail = {
+      enable = true;
+      inherit domain;
+      fqdn = "mail.${domain}";
+    };
+    minecraft-server = {
+      enable = false;
+      port = 25565;
+    };
+    mysql = {
+      enable = true;
+      port = 3306;
+    };
+    navidrome = {
+      enable = true;
+      domain = "music.${domain}";
+      port = 4533;
+      folder = "/mnt/music";
+    };
+    postgresql = {
+      enable = true;
+      port = 5432;
+    };
+    prosody = {
+      enable = true;
+      port = 5347;
+      domain = "irc.${domain}";
+    };
+    nextcloud = {
+      enable = true;
+      host = "nextcloud.${domain}";
+    };
+    redis = {
+      enable = true;
+      port = 6379;
+    };
+    roundcube = {
+      enable = true;
+      domain = "roundcube.${domain}";
+    };
+    synapse = {
+      enable = true;
+      element = {
+        enable = true;
+        domain = "chat.${domain}";
+      };
+      domain = "matrix.${domain}";
+      port = 8008;
+      metrics = {
+        enable = true;
+        port = 9000;
+      };
+    };
+    uptime-kuma = {
+      enable = true;
+      domain = "status.${domain}";
+      port = 4000;
+    };
+    vaultwarden = {
+      enable = true;
+      domain = "bitwarden.${domain}";
+      port = 4534;
+    };
+  };
+}

hosts/velarion/secrets.nix

@@ -0,0 +1,25 @@
+{
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.bind;
+in
+with lib; mkIf cfg.enable {
+  sops.secrets = {
+    "velarion/publicKey" = {
+      sopsFile = ./../../secrets/velarion.yaml;
+      path = "/etc/ssh/ssh_host_ed25519_key.pub";
+      mode = "0644";
+      owner = "root";
+      group = "root";
+    };
+    "velarion/privateKey" = {
+      sopsFile = ./../../secrets/velarion.yaml;
+      path = "/etc/ssh/ssh_host_ed25519_key";
+      mode = "0600";
+      owner = "root";
+      group = "root";
+    };
+  };
+}