wip: Add host deertopia

hosts/deertopia/configuration.nix

@@ -10,7 +10,8 @@
     filesystemType = "btrfs";
 
     users.users = [
-      "arisu"
+      "lain"
+      "escort"
     ];
 
     impermanence = {
@@ -31,6 +32,11 @@
         subvolume = "rootfs";
       };
     };
+
+    sops = {
+      enable = true;
+      keyFile = "/persist/vault/root/deertopia-key";
+    };
   };
 
   boot.loader = {
@@ -54,11 +60,20 @@
   environment.systemPackages = with pkgs; [
     neovim
     git
+    sshfs
     # sydnix-cli.packages.x86_64-linux.default
   ];
 
-  services.openssh.enable = true;
-  services.openssh.settings.PermitRootLogin = "yes";
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "yes";
+      X11Forwarding = true;
+      # This server is connected to the internet!  Port 22 is open!!
+      # Aagghhhh!!!  Stay safe!
+      PasswordAuthentication = false;
+    };
+  };
 
   # TODO: Move to defaults.
   users.mutableUsers = false;

hosts/deertopia/services.nix

@@ -1,7 +1,10 @@
-{ utils, ... }:
+{ config, lib, pkgs, ... }:
 
 {
-  imports =
-    map (x: ./services/${x})
-      (utils.listNixFilesInDirectory ./services);
+  imports = [
+    # ./services/seafile.nix
+    # ./services/tinydns.nix
+    ./services/git-annex.nix
+    ./services/nginx.nix
+  ];
 }

hosts/deertopia/services/git-annex.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    git-annex
+    git
+    rsync
+  ];
+
+  # Our files managed by git-annex actually live on a WebDAV server that is
+  # declared by the following section.
+  services.nginx = {
+    # Nginx's WebDAV support is in a separate module we must import.
+    additionalModules = [ pkgs.nginxModules.dav ];
+
+    virtualHosts."dav.deertopia.net" = {
+      addSSL = true;
+      enableACME = true;
+      locations."/".extraConfig = ''
+        alias /persist/web/webdav;
+        client_body_temp_path /tmp/nginx/webdav;
+        dav_methods PUT DELETE MKCOL COPY MOVE;
+        dav_ext_methods PROPFIND OPTIONS;
+        create_full_put_path on
+
+        auth_basic "Restricted Access";
+        auth_basic_user_file /etc/nginx/webdav.passwd;
+
+        # Deny all access unless authenticated
+        satisfy all;
+        allow all;  # This allows all authenticated users
+        deny all;   # This denies all other users
+      '';
+    };
+  };
+}

hosts/deertopia/services/nextcloud.nix

@@ -1,11 +1,28 @@
 { config, lib, pkgs, ... }:
 
 {
-  sydnix.sops = {
-    enable = true;
-    keyFile = "/persist/vault/root/deertopia-key";
+  sydnix = {
+    sops.secrets = {
+      nextcloud-admin = {
+        owner = "nextcloud";
+        group = "nextcloud";
+      };
+    };
+
+    impermanence.directories = [ "/var/lib/nextcloud" ];
   };
 
-  # services.nextcloud = {
-  # };
+  # Setting `services.nextcloud.hostName` automatically sets up a Nginx server
+  # (on port 80) hosting the Nextcloud services.
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  services.nextcloud = {
+    enable = true;
+    hostName = "cloud.internal.deertopia.net";
+    package = pkgs.nextcloud30;
+    config = {
+      adminpassFile = "/run/secrets/nextcloud-admin";
+      dbtype = "sqlite";
+    };
+  };
 }

hosts/deertopia/services/nginx.nix

@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+let
+  deertopiaRoot = {
+    directory = "/persist/deertopia.net/";
+    group = "nginx";
+    user = "nginx";
+  };
+in
+{
+  services.nginx.enable = true;
+
+  networking.firewall.allowedTCPPorts = [
+    80  # HTTP
+    443 # HTTPS
+  ];
+
+  # With this section, virtual hosts declared through the Nginx NixOS module
+  # will automatically request ACME SSL certificates and configure systemd
+  # timers to renew the certificate if required.  See the article on the NixOS
+  # wiki, from which I've nabbed the following snippet:
+  # https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "lomiskiam@gmail.com";
+  };
+
+  services.nginx.virtualHosts."deertopia.net" = {
+    root = "${deertopiaRoot.directory}/www";
+
+    # addSSL = true;
+    forceSSL = true;
+    enableACME = true;
+
+    locations."/" = {
+      index = "index.html";
+    };
+  };
+
+  system.activationScripts.initialiseDeertopiaRoot.text = ''
+    mkdir -p "${deertopiaRoot.directory}"
+    chown -R "${deertopiaRoot.user}:${deertopiaRoot.user}" \
+      "${deertopiaRoot.directory}"
+    chmod -R 775 "${deertopiaRoot.directory}"
+  '';
+}

hosts/deertopia/services/seafile.nix

@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+{
+  sydnix.impermanence = {
+    directories = [
+      "/var/lib/seafile"
+    ];
+  };
+
+  services.seafile = {
+    enable = true;
+
+    adminEmail = "lomiskiam@gmail.com";
+    initialAdminPassword = "password123";
+
+    ccnetSettings.General.SERVICE_URL = "http://files.deertopia.net";
+
+    seafileSettings = {
+      fileserver = {
+        host = "ipv4:127.0.0.1";
+        port = 8082;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."files.deertopia.net" = {
+
+  };
+}

hosts/deertopia/services/tinydns.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.tinydns = {
+    enable = true;
+    data = ''
+      .internal.deertopia.net:192.168.68.79:dns:86400
+      =*.internal.deertopia.net:192.168.68.79:86400
+      =internal.deertopia.net:192.168.68.79:86400
+
+      # Redirect everything else to the router's nameservers.
+      &.::192.168.68.1:86400
+    '';
+  };
+
+  networking.firewall.allowedUDPPorts = [
+    53
+  ];
+
+  networking.nameservers = [ "192.168.68.79" ];
+}