From 52ec7cd428ffbe059cc94cde6b9b41f809e08a05 Mon Sep 17 00:00:00 2001
From: Johannes Hendrik Gerard van der Weide
Date: Fri, 20 Oct 2023 23:52:37 +0200
Subject: [PATCH] NixOS configuration added
---
configuration.nix | 78 +++++++++++++++++++++++++++++++
services/nextcloud.nix | 16 +++++++
services/nginx.nix | 11 +++++
services/owncast.nix | 24 ++++++++++
services/ssh.nix | 12 +++++
services/tt-rss.nix | 35 ++++++++++++++
sites/blog.hermitcollective.net | 10 ++++
sites/hermitcollective.net | 10 ++++
sites/hertog.hermitcollective.net | 10 ++++
users/hertog.nix | 10 ++++
users/sara.nix | 12 +++++
11 files changed, 228 insertions(+)
create mode 100644 configuration.nix
create mode 100644 services/nextcloud.nix
create mode 100644 services/nginx.nix
create mode 100644 services/owncast.nix
create mode 100644 services/ssh.nix
create mode 100644 services/tt-rss.nix
create mode 100644 sites/blog.hermitcollective.net
create mode 100644 sites/hermitcollective.net
create mode 100644 sites/hertog.hermitcollective.net
create mode 100644 users/hertog.nix
create mode 100644 users/sara.nix
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..843fd47
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+
+ # Services
+ ./services/ssh.nix
+ ./services/nginx.nix
+ ./services/nextcloud.nix
+ ./services/tt-rss.nix
+ ./services/owncast.nix
+
+ # Sites
+ ./sites/hermitcollective.net
+ ./sites/blog.hermitcollective.net
+ ./sites/hertog.hermitcollective.net
+
+ # Users
+ ./users/hertog.nix
+ ./users/sara.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "HermitCollective";
+ networking.domain = "hermitcollective.net";
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Amsterdam";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # Configure keymap in X11
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "";
+ };
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # Accept ACME terms
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "hertog@fsfe.org";
+
+ environment.systemPackages = with pkgs; [
+ neofetch
+ helix
+ hyfetch
+ bottom
+ iftop
+ openssl
+ git
+ ];
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 22 80 443 8080 8181 1935 ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+}
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
new file mode 100644
index 0000000..4b1349a
--- /dev/null
+++ b/services/nextcloud.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud27;
+ appstoreEnable = true;
+ hostName = "cloud.hermitcollective.net";
+ config.adminpassFile = "/etc/nextcloud-admin-pass";
+ https = true;
+ };
+ services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+ forceSSL = true;
+ enableACME = true;
+ };
+}
diff --git a/services/nginx.nix b/services/nginx.nix
new file mode 100644
index 0000000..5138b77
--- /dev/null
+++ b/services/nginx.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+}
diff --git a/services/owncast.nix b/services/owncast.nix
new file mode 100644
index 0000000..31529f7
--- /dev/null
+++ b/services/owncast.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+ services.owncast = {
+ enable = true;
+ port = 8181;
+ openFirewall = true;
+ };
+ # Homepage
+ services.nginx.virtualHosts."live.hermitcollective.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8181";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ # required when the target is also TLS server with multiple hosts
+ "proxy_ssl_server_name on;" + # required when the server wants to use HTTP Authentication
+ "proxy_pass_header Authorization;"
+ ;
+ };
+ };
+}
diff --git a/services/ssh.nix b/services/ssh.nix
new file mode 100644
index 0000000..ac67519
--- /dev/null
+++ b/services/ssh.nix
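Review bot: `networking.firewall.allowedTCPPorts = [ 22 80 443 8080 8181 1935 ];` exposes 8181, which services/owncast.nix uses as Owncast's plain-HTTP port, directly to the internet even though nginx already fronts it with TLS on live.hermitcollective.net, so the admin login and session cookies can be sent in cleartext and the `forceSSL` redirect is bypassed by simply adding the port; nothing in this commit listens on 8080 at all. Reduce the list to `networking.firewall.allowedTCPPorts = [ 80 443 1935 ]; # 1935: Owncast RTMP ingest` and keep application ports loopback-only behind the proxy. Port 22 is, as far as I recall, already opened by the openssh module's default `openFirewall`, so listing it is redundant but harmless; if you keep it, a comment saying so would prevent someone "cleaning it up" later. The nix.settings line would also read better above the stateVersion comment block, which the template intends to be the last thing in the file.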
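Review bot: `appstoreEnable = true;` lets any Nextcloud admin install and auto-update PHP apps from the public app store at runtime, so executable code lands in the state directory outside the Nix closure and outside anything this repository reviews or pins. Prefer `appstoreEnable = false;` and declare the apps you need through the module's `extraApps`/`extraAppsEnable` options so they are fetched by Nix with a hash and rebuilt with the system. `config.adminpassFile = "/etc/nextcloud-admin-pass"` correctly keeps the secret out of the store, but nothing here ensures the file exists with mode 0600 and is readable only by the nextcloud service user; a `systemd.tmpfiles` rule or a secrets manager (sops-nix/agenix) would make that part of the deployment instead of a manual step. `config.dbtype` is not set either, so the module falls back to its default (SQLite in this release, if I remember the 23.05 module correctly), which Nextcloud itself advises against for anything beyond testing — consider `config.dbtype = "pgsql"; database.createLocally = true;` since PostgreSQL is already enabled by services/tt-rss.nix.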
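Review bot: With several name-based virtual hosts and no `default = true` anywhere, nginx answers requests that carry an unknown or missing Host header (IP-literal scans, stale DNS, other domains pointed at this box) with whichever vhost sorts first, serving that site's content under a certificate that does not match it. Add a catch-all that refuses such traffic so each site is only reachable under its own name. The recommended* settings themselves look fine; a one-line comment on why `recommendedProxySettings` is on (`# X-Forwarded-* headers for the Owncast proxy in services/owncast.nix`) would help the next reader.

```nix
services.nginx.virtualHosts."_" = {
  default = true;
  # Drop requests whose Host matches none of the declared sites.
  locations."/".return = "444";
};
```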
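Review bot: `openFirewall = true;` punches a hole for Owncast's own HTTP port (8181) while the vhost below proxies it with `forceSSL = true`, so the TLS front end is decorative: the admin panel stays reachable over plaintext on `:8181`. Set `openFirewall = false;` (RTMP 1935 remains open through configuration.nix's allowedTCPPorts, so ingest is unaffected) and make sure the daemon binds to loopback — the module has a `listen` option for this if its default is not already 127.0.0.1, worth confirming on this release. The `extraConfig` was copied from the manual's generic example: `proxy_ssl_server_name on` is meaningless for an `http://` upstream and nginx forwards `Authorization` by default, so the two directives and their comments can go. The `# Homepage` comment is also misleading; `# Public TLS front end; Owncast itself only listens on 8181 behind nginx` says what this block is for. As rendered, the line `"proxy_ssl_server_name on;" + # required when ...` appears to have lost a line break or a `+` between the string and the comment — check that the file on disk actually parses.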
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{ # Enable and configure openssh
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ X11Forwarding = false;
+ };
+ };
+}
diff --git a/services/tt-rss.nix b/services/tt-rss.nix
new file mode 100644
index 0000000..7ecbcfe
--- /dev/null
+++ b/services/tt-rss.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+ services.tt-rss = {
+ enable = true; # Enable TT-RSS
+ database = { # Configure the database
+ type = "pgsql"; # Database type
+ passwordFile = "/etc/tt-rss-pass"; # Where to find the password
+ };
+ email = {
+ fromAddress = "feeds@hermitcollective.net"; # Address for outgoing email
+ fromName = "Feeds from HermitCollective"; # Display name for outgoing email
+ };
+ selfUrlPath = "https://feeds.hermitcollective.net/"; # Root web URL
+ virtualHost = "feeds.hermitcollective.net"; # Setup a virtualhost
+ };
+
+ services.postgresql = {
+ enable = true; # Ensure postgresql is enabled
+ authentication = ''
+ local tt_rss all ident map=tt_rss-users
+ '';
+ identMap = # Map the tt-rss user to postgresql
+ ''
+ tt_rss-users tt_rss tt_rss
+ '';
+ };
+
+ services.nginx.virtualHosts."feeds.hermitcollective.net" = { # TT-RSS hostname
+ enableACME = true; # Use ACME certs
+ forceSSL = true; # Force SSL
+ };
+ };
+}
diff --git a/sites/blog.hermitcollective.net b/sites/blog.hermitcollective.net
new file mode 100644
index 0000000..9d29ff1
--- /dev/null
+++ b/sites/blog.hermitcollective.net
@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+ # Reqeusts SSL and adds the site to nginx
+ services.nginx.virtualHosts."blog.hermitcollective.net" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/blog.hermitcollective.net";
+ };
+}
diff --git a/sites/hermitcollective.net b/sites/hermitcollective.net
new file mode 100644
index 0000000..2fed9c9
--- /dev/null
+++ b/sites/hermitcollective.net
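Review bot: `PasswordAuthentication = false;` alone does not switch off password prompts, because the NixOS module (on 23.05, as far as I recall) leaves `KbdInteractiveAuthentication` at `true`, and keyboard-interactive goes through PAM and accepts the account password just the same. Add `KbdInteractiveAuthentication = false;` next to it so the only accepted method is the public keys declared in users/*.nix. A comment on the block would also save the next reader a trip to the docs: `# Key-only access: both password paths (password + keyboard-interactive/PAM) are disabled.`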
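Review bot: The file ends `};`, `};`, `}` after the feeds vhost, which is one closing brace too many for what the hunk opens: the outer `{` on line 3 is closed by the first of those two `};`, and the following `}` has nothing to match, so this module should fail to parse and take the whole configuration with it (the 35-line hunk count matches what is shown, so this does not look like a rendering artifact). Delete the extra `};` so the file ends with the vhost's `};` followed by the outer `}`. `lib` in the argument set is unused and can be dropped. The `local tt_rss all ident map=tt_rss-users` line is fine — `ident` over a Unix socket is treated as `peer` — but a comment saying so, and noting that `/etc/tt-rss-pass` must then be created out of band with restrictive permissions, would make the intent clear.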
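Review bot: The comment `# Reqeusts SSL and adds the site to nginx` has a typo (`# Requests SSL ...`), and the same ten lines are repeated verbatim in sites/hermitcollective.net and sites/hertog.hermitcollective.net with only the hostname changed, which is exactly the kind of drift-prone duplication Nix is good at removing. A small function module parameterised by hostname keeps the three sites identical by construction; configuration.nix would then import `(import ./sites/static-site.nix "blog.hermitcollective.net")` in place of each file. The `root` directories are not created by anything in this commit, so document who populates `/var/www/<host>` and with what ownership (nginx only needs read access).

```nix
# sites/static-site.nix — static TLS vhost for one hostname, served from /var/www/<host>.
host: { ... }: {
  services.nginx.virtualHosts.${host} = {
    forceSSL = true;
    enableACME = true;
    root = "/var/www/${host}";
  };
}
```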
@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+ # Reqeusts SSL and adds the site to nginx
+ services.nginx.virtualHosts."hermitcollective.net" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/hermitcollective.net";
+ };
+}
diff --git a/sites/hertog.hermitcollective.net b/sites/hertog.hermitcollective.net
new file mode 100644
index 0000000..ca04d04
--- /dev/null
+++ b/sites/hertog.hermitcollective.net
@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+ # Reqeusts SSL and adds the site to nginx
+ services.nginx.virtualHosts."hertog.hermitcollective.net" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/hertog.hermitcollective.net";
+ };
+}
diff --git a/users/hertog.nix b/users/hertog.nix
new file mode 100644
index 0000000..6456c5d
--- /dev/null
+++ b/users/hertog.nix
@@ -0,0 +1,10 @@
+ { config, pkgs, ... }:
+{
+ users.users.hertog = {
+ isNormalUser = true;
+ description = "Johannes Hendrik Gerard van der Weide";
+ extraGroups = [ "networkmanager" "wheel" "podman" ];
+ openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjpvCSpIUMsZ8pmz2LbvsJUdYroenTp6PYXw9ACiYBq hertog@fsfe.org"];
+ packages = with pkgs; [];
+ };
+}
diff --git a/users/sara.nix b/users/sara.nix
new file mode 100644
index 0000000..015f461
--- /dev/null
+++ b/users/sara.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+ users.users.sara = {
+ isNormalUser = true;
+ description = "Sara Gerretsen";
+ extraGroups = [ "networkmanager" "wheel" "podman" ];
+ openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhmYV/SSGScbig1xXa7EHFwaxtD0e0QCorPUromR0nM sara@fedora-fw"];
+ packages = with pkgs; [
+ # User packages go here
+ ];
+ };
+}
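Review bot: `extraGroups = [ "networkmanager" "wheel" "podman" ];` grants membership of `podman` although nothing in this commit enables `virtualisation.podman` (it may live in hardware-configuration.nix, which is not shown); if it does not, drop the group so the user's privileges describe what the host actually runs, and if it does, be aware that the group is effectively root-equivalent once the podman socket is enabled. `wheel` already makes the listed SSH key root-equivalent via sudo, which is reasonable for an admin but should be a deliberate, commented choice (`# admin: sudo via wheel`), and since no password is declared and `wheelNeedsPassword` defaults to true, sudo only works once a password is set out of band with `passwd` — worth a comment so it is not mistaken for a broken config. The first line `+ { config, pkgs, ... }:` carries a stray leading space; the sibling modules start at column 0.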