wip: Add host deertopia

README.org

@@ -17,8 +17,8 @@ A second try at NixOS, now that I have a better idea of what I'm doing. The effo
 
 In order of descending preference, user programs should be configured by...
 
-1. Wrappers, with config files optionally living somewhere under =/persist/dots=.
-2. home-manager's modules.
+1. home-manager's modules.
+2. Wrappers, with config files optionally living somewhere under =/persist/dots=.
 3. ~home.file~ and similar.
 4. Mutable symlinks using ~home.file~ and ~mkOutOfStoreSymlink~.
 
@@ -133,6 +133,32 @@ As with the rest of the config, these are largely adapted from Doom's ([cite:@li
 
 - ~«NAME»-h~ :: Procedure defined specifically to be added to a hook.
 
+* Hosts
+
+** nixos-testbed
+
+Configuration for the VM I'm currently using as a testbed, before moving to my real desktop.
+
+** deertopia
+
+My home server.
+
+* Users
+
+** crumb
+
+Me }:). My primary user for programming and playing TF2.
+
+** lain
+
+A bit on the nose for a transfemme into computers, but my chosen name is also Madeleine.
+
+Used as a server admin account with little configuration.
+
+** escort
+
+Another low-config user for "escorting" people to system services that require a user, e.g. logging in for file-sharing.
+
 * ~sydnix-cli~
 
 sydnix-cli is a command-line utility written in Clojure wrapping various sydnix-related scripts.

hosts/deertopia/configuration.nix

@@ -10,7 +10,8 @@
     filesystemType = "btrfs";
 
     users.users = [
-      "arisu"
+      "lain"
+      "escort"
     ];
 
     impermanence = {
@@ -31,6 +32,11 @@
         subvolume = "rootfs";
       };
     };
+
+    sops = {
+      enable = true;
+      keyFile = "/persist/vault/root/deertopia-key";
+    };
   };
 
   boot.loader = {
@@ -54,11 +60,20 @@
   environment.systemPackages = with pkgs; [
     neovim
     git
+    sshfs
     # sydnix-cli.packages.x86_64-linux.default
   ];
 
-  services.openssh.enable = true;
-  services.openssh.settings.PermitRootLogin = "yes";
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "yes";
+      X11Forwarding = true;
+      # This server is connected to the internet!  Port 22 is open!!
+      # Aagghhhh!!!  Stay safe!
+      PasswordAuthentication = false;
+    };
+  };
 
   # TODO: Move to defaults.
   users.mutableUsers = false;

hosts/deertopia/services.nix

@@ -1,7 +1,10 @@
-{ utils, ... }:
+{ config, lib, pkgs, ... }:
 
 {
-  imports =
-    map (x: ./services/${x})
-      (utils.listNixFilesInDirectory ./services);
+  imports = [
+    # ./services/seafile.nix
+    # ./services/tinydns.nix
+    ./services/git-annex.nix
+    ./services/nginx.nix
+  ];
 }

hosts/deertopia/services/git-annex.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    git-annex
+    git
+    rsync
+  ];
+
+  # Our files managed by git-annex actually live on a WebDAV server that is
+  # declared by the following section.
+  services.nginx = {
+    # Nginx's WebDAV support is in a separate module we must import.
+    additionalModules = [ pkgs.nginxModules.dav ];
+
+    virtualHosts."dav.deertopia.net" = {
+      addSSL = true;
+      enableACME = true;
+      locations."/".extraConfig = ''
+        alias /persist/web/webdav;
+        client_body_temp_path /tmp/nginx/webdav;
+        dav_methods PUT DELETE MKCOL COPY MOVE;
+        dav_ext_methods PROPFIND OPTIONS;
+        create_full_put_path on
+
+        auth_basic "Restricted Access";
+        auth_basic_user_file /etc/nginx/webdav.passwd;
+
+        # Deny all access unless authenticated
+        satisfy all;
+        allow all;  # This allows all authenticated users
+        deny all;   # This denies all other users
+      '';
+    };
+  };
+}

hosts/deertopia/services/nextcloud.nix

@@ -1,11 +1,28 @@
 { config, lib, pkgs, ... }:
 
 {
-  sydnix.sops = {
-    enable = true;
-    keyFile = "/persist/vault/root/deertopia-key";
+  sydnix = {
+    sops.secrets = {
+      nextcloud-admin = {
+        owner = "nextcloud";
+        group = "nextcloud";
+      };
+    };
+
+    impermanence.directories = [ "/var/lib/nextcloud" ];
   };
 
-  # services.nextcloud = {
-  # };
+  # Setting `services.nextcloud.hostName` automatically sets up a Nginx server
+  # (on port 80) hosting the Nextcloud services.
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  services.nextcloud = {
+    enable = true;
+    hostName = "cloud.internal.deertopia.net";
+    package = pkgs.nextcloud30;
+    config = {
+      adminpassFile = "/run/secrets/nextcloud-admin";
+      dbtype = "sqlite";
+    };
+  };
 }

hosts/deertopia/services/nginx.nix

@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+let
+  deertopiaRoot = {
+    directory = "/persist/deertopia.net/";
+    group = "nginx";
+    user = "nginx";
+  };
+in
+{
+  services.nginx.enable = true;
+
+  networking.firewall.allowedTCPPorts = [
+    80  # HTTP
+    443 # HTTPS
+  ];
+
+  # With this section, virtual hosts declared through the Nginx NixOS module
+  # will automatically request ACME SSL certificates and configure systemd
+  # timers to renew the certificate if required.  See the article on the NixOS
+  # wiki, from which I've nabbed the following snippet:
+  # https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "lomiskiam@gmail.com";
+  };
+
+  services.nginx.virtualHosts."deertopia.net" = {
+    root = "${deertopiaRoot.directory}/www";
+
+    # addSSL = true;
+    forceSSL = true;
+    enableACME = true;
+
+    locations."/" = {
+      index = "index.html";
+    };
+  };
+
+  system.activationScripts.initialiseDeertopiaRoot.text = ''
+    mkdir -p "${deertopiaRoot.directory}"
+    chown -R "${deertopiaRoot.user}:${deertopiaRoot.user}" \
+      "${deertopiaRoot.directory}"
+    chmod -R 775 "${deertopiaRoot.directory}"
+  '';
+}

hosts/deertopia/services/seafile.nix

@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+{
+  sydnix.impermanence = {
+    directories = [
+      "/var/lib/seafile"
+    ];
+  };
+
+  services.seafile = {
+    enable = true;
+
+    adminEmail = "lomiskiam@gmail.com";
+    initialAdminPassword = "password123";
+
+    ccnetSettings.General.SERVICE_URL = "http://files.deertopia.net";
+
+    seafileSettings = {
+      fileserver = {
+        host = "ipv4:127.0.0.1";
+        port = 8082;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."files.deertopia.net" = {
+
+  };
+}

hosts/deertopia/services/tinydns.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.tinydns = {
+    enable = true;
+    data = ''
+      .internal.deertopia.net:192.168.68.79:dns:86400
+      =*.internal.deertopia.net:192.168.68.79:86400
+      =internal.deertopia.net:192.168.68.79:86400
+
+      # Redirect everything else to the router's nameservers.
+      &.::192.168.68.1:86400
+    '';
+  };
+
+  networking.firewall.allowedUDPPorts = [
+    53
+  ];
+
+  networking.nameservers = [ "192.168.68.79" ];
+}

hosts/nixos-testbed/configuration.nix

@@ -73,11 +73,15 @@
   environment.systemPackages = with pkgs; [
     neovim
     git
+    git-annex
     sydnix-cli.packages.x86_64-linux.default
   ];
 
-  services.openssh.enable = true;
-  services.openssh.settings.PermitRootLogin = "yes";
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+    settings.X11Forwarding = true;
+  };
 
   # TODO: Move to defaults.
   users.mutableUsers = false;

modules/nixos/sops.nix

@@ -14,6 +14,7 @@ in {
       };
       secrets = mkOption {
         description = "Secrets passed directly to sops-nix.";
+        default = {};
       };
       package = mkOption {
         description = "Sops CLI package.  If null, nothing will be installed.";

public-keys/crumb-at-guix-rebound.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKja46XYT+AOxcpp0r8YX+qu6uUEvtiPBhqzfskEYnlt crumb@guix-rebound

secrets.yaml

@@ -1,21 +1,21 @@
-example-key: ENC[AES256_GCM,data:ddKerh17p/+kDzSlSQ==,iv:62BgArZBCfcxL/qeVRluaSbY5y1GHtuiAbqXRB3NuG4=,tag:chcteZECw/SHFQctM+swVA==,type:str]
+nextcloud-admin: ENC[AES256_GCM,data:MfHTZw5Co7DdY6uYT7e4ydoVPg==,iv:KqK/UaDpiEM5MnR86peGZ4iLfhC5JK4IOdI2T7RDZNg=,tag:Tpx2FdYavXud4OLcT7drTQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age1qayk0d0f765v57pedm7mtau6qkmv8rh6jtaqm40g5g9armaty4jqc0v0y2
+        - recipient: age10fqh0td67alzpyjyhdex5ncj9thvaty506r0t63vs2nz4ldafgaqadl8mg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSU40YUdJbEh6b01FdHYv
-            SjhKNFhwTmtiRVVKTC80T3ZjZnI4LzZIY2tBCms3S1lJcHo4M242ZmZBNTQrbmxa
-            YUxJb085Q2JWc2JNVkNrSU5SQktwbjQKLS0tIEd6aEo2NlNnVjJYZ3FISGVYZGNm
-            VFh1RFYvMUNnY1QveXF6TkVSMGpOTlUK9HrBWz8BzbA+HJ8XLFc5ji9QDKw1TuGx
-            pcDUwNy8DdSBhEtYQ7DxQ2U379IRQY1CN5qL3SdZnicg3zMhV5TWSA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3V2VVcGl5WlJTKzZpRG9p
+            WitQdXNpZGUzUkwxdzRrUzIwZm5ZK0g2WFdnCmxQdU5vaVc0elZpN3lQbDZ2Uldn
+            R0xHMTFKeDJVUUxKcUkxN2Uva0UwcGMKLS0tIDNJRzBUbTFPaXJHWGdvdHYyYnlS
+            aXZvL3RJRUtkOXR5OTFxcC9saXhGYVUKymDTIoxeHgJiM0rly5Zbp8kYoIUmmsWL
+            CMfXunhtA+u/vjDUHjyj41TTFbZMVl8FUzqMYoMxhIH6dQw8u1HKBA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-29T07:21:13Z"
-    mac: ENC[AES256_GCM,data:4SO/ho4QYlwwFthsbBhHTsOIwKwq0xPHUaabt+OZbTzETSg9UDTiLi8LZci+CUh9mKDwwh1CKJxIsl4MiOei+pLU0PB9uaudb9n68pPjeIxzJYKjjXwXzpfXipiAYcpSJJybmbJoivHncJoOuerBMmOlZ1HmHK9pcE2aJmGaBDY=,iv:HJF6A4bOJnXpMctHCTV1Cw7T8DAq4AXuBdqJzGo4vVI=,tag:2zD++PfLS6/4sp2SeBZLiw==,type:str]
+    lastmodified: "2025-01-18T16:35:24Z"
+    mac: ENC[AES256_GCM,data:1oYl56zjPnzzX9pBMDwbnoZFiu+k9OXlz9bEnTXl6Flr7+D3sZZIo5I6IidvRdMU8kHBOA87pascTqhFd/LUkU3HOpF0CgQUxjwcKIbSZ2OEp/xKCh9C9trDXUh62eZrcgrjT5ST2r8uNcicKWKZVQxAa0S2AKd+5apUAvSouAE=,iv:X7EhB8l230wZviAw1lpj1G8KAhhcDvuoA+prbpLENUQ=,tag:uA0997qvRb8DZqBs5a32hg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1

users/escort/default.nix

@@ -0,0 +1,21 @@
+{
+  systemConfiguration = { config, ... }: {
+    isNormalUser = true;
+    # TODO: Don't hard-code `persist`.  Use
+    # config.sydnix.impermanence.persistGroupName.
+    extraGroups = [ ];
+    initialHashedPassword =
+      "$y$j9T$uU64mjI.5Y1JICkKAaIgl0$kkO089hyDp3akSj7ReIKqFthA4T/d1w/nF40a5Tujt1";
+  };
+
+  homeConfiguration = { config, lib, pkgs, ... }: {
+    imports = [
+    ];
+
+    sydnix = {
+    };
+
+    # Don't touch!
+    home.stateVersion = "18.09";
+  };
+}

users/lain/default.nix

@@ -3,9 +3,13 @@
     isNormalUser = true;
     # TODO: Don't hard-code `persist`.  Use
     # config.sydnix.impermanence.persistGroupName.
-    extraGroups = [ "wheel" "persist" ];
+    extraGroups = [ "wheel" "persist" "nginx" ];
     initialHashedPassword =
       "$y$j9T$aEFDDwdTZbAc6VQRXrkBJ0$K8wxTGTWDihyX1wxJ.ZMH//wmQFfrGGUkLkxIU0Lyq8";
+
+    openssh.authorizedKeys.keyFiles = [
+      ../../public-keys/crumb-at-guix-rebound.pub
+    ];
   };
 
   homeConfiguration = { config, lib, pkgs, ... }: {