diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..89b3a77de6cffa8876648bed1c8630d92aab72f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+secrets.nix
diff --git a/clients/faecherstadt-consulting.nix b/clients/faecherstadt-consulting.nix
new file mode 100644
index 0000000000000000000000000000000000000000..03f69f2562308e2e1de28abaa5771c89720569eb
--- /dev/null
+++ b/clients/faecherstadt-consulting.nix
@@ -0,0 +1,232 @@
+{ config, pkgs, lib, options, ... }:
+let 
+
+  secrets = import ../secrets.nix;
+
+  wordpressPackages = {
+    themes = lib.recurseIntoAttrs (pkgs.callPackage ../wordpress/themes.nix { });
+    plugins = lib.recurseIntoAttrs (pkgs.callPackage ../wordpress/plugins.nix { });
+  };
+
+  language-de = pkgs.stdenv.mkDerivation {
+    name = "language-de";
+    src = pkgs.fetchurl {
+      url = "https://de.wordpress.org/wordpress-5.9.3-de_DE.tar.gz";
+      sha256 = "sha256-FFQfn0vVaPEaIT0qI0fvbO5BgpHoyVaYj4N6Plp51fM=";
+    };
+    installPhase = "mkdir -p $out; cp -r ./wp-content/languages/* $out/";
+  };
+
+in {
+
+containers ={ 
+
+    faecherstadt-consulting = {
+      config = { config, pkgs, ... }: {
+
+        disabledModules = [
+          "services/web-apps/wordpress.nix"
+        ];
+
+        imports = [
+          "${fetchTarball "https://github.com/onny/nixpkgs/archive/wordpress-lang.tar.gz"}/nixos/modules/services/web-apps/wordpress.nix"
+        ];
+
+        services.nextcloud = {
+          enable = true;
+          package = pkgs.nextcloud24;
+          hostName = "nextcloud.faecherstadt-consulting.de";
+          config.adminpassFile = "${pkgs.writeText "adminpass" secrets.faecherstadt-consulting.nextcloud.adminPassword}"; 
+          https = true;
+        };
+
+        nixpkgs.config = {
+          allowUnfree = true;
+          packageOverrides = pkgs: {
+            unstable = import <nixos-unstable> {
+              config = config.nixpkgs.config;
+            };
+          };
+        };
+
+        services.wordpress = {
+          webserver = "nginx";
+          sites."faecherstadt-consulting.de" = {
+            themes = with wordpressPackages.themes; [ faecherstadt-consulting ];
+            plugins = with wordpressPackages.plugins; [ jetpack ];
+            languages = [ language-de ];
+            package = pkgs.unstable.wordpress;
+            extraConfig = ''
+              define ('WPLANG', 'de_DE');
+              define ('WP_DEFAULT_THEME', 'faecherstadt-consulting');
+              // Needed to run behind reverse proxy
+              define('FORCE_SSL_ADMIN', true);
+              $_SERVER['HTTPS']='on';
+            '';
+          };
+        };
+
+        system.stateVersion = "22.05";
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ 80 ];
+          };
+        };
+
+        environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
+
+      };
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "192.168.100.10";
+      localAddress = "192.168.100.12";
+    };
+
+
+};
+
+services = {
+
+    postfix.enable = lib.mkForce false;
+
+    maddy = {
+      enable = true;
+      openFirewall = true;
+      hostname = "mx1.faecherstadt-consulting.de";
+      primaryDomain = "faecherstadt-consulting.de";
+      tls = {
+        certPath = "/etc/letsencrypt/live/mx1.faecherstadt-consulting.de/fullchain.pem";
+        keyPath = "/etc/letsencrypt/live/mx1.faecherstadt-consulting.de/privkey.pem";
+      };
+      imap = {
+        port = 143;
+        tlsEnable = true;
+        tlsPort = 993;
+      };
+      submission.tlsEnable = true;
+      config = builtins.replaceStrings ["msgpipeline local_routing {"] [''msgpipeline local_routing {
+             check {
+               rspamd
+             }
+        ''] options.services.maddy.config.default;
+    };
+
+    rspamd.enable = true;
+
+    go-autoconfig = {
+      enable = true;
+      settings = {
+        service_addr = ":1323";
+        domain = "autoconfig.faecherstadt-consulting.de";
+        imap = {
+          server = "mx1.faecherstadt-consulting.de";
+          port = 993;
+        };
+        smtp = {
+          server = "mx1.faecherstadt-consulting.de";
+          port = 465;
+        };
+      };
+    };
+
+    nsd = {
+      enable = false;
+      interfaces = [
+        "0.0.0.0"
+        "::"
+      ]; 
+      zones."faecherstadt-consulting.de.".data = let
+        domainkey = ''
+          v=DKIM1; k=rsa; p=${
+            lib.fileContents( /var/lib/maddy/dkim_keys/faecherstadt-consulting.de_default.dns )
+          }'';
+        segments = ((lib.stringLength domainkey) / 255);
+        domainkeySplitted = map (x: lib.substring (x*255) 255 domainkey) (lib.range 0 segments);
+      in ''
+        @ SOA ns1.faecherstadt-consulting.de noc.faecherstadt-consulting.de 666 7200 3600 1209600 3600
+        @ A 159.69.9.150
+        @ AAAA 2a01:4f8:1c1c:2c16::
+        @ MX 10 mx1
+        mx1 A 159.69.9.150
+        mx1 AAAA 2a01:4f8:1c1c:2c16::
+        ns1 A 159.69.9.150
+        ns1 AAAA 2a01:4f8:1c1c:2c16::
+        @ TXT "v=spf1 mx ~all"
+        mx1 TXT "v=spf1 mx ~all"
+        _dmarc TXT "v=DMARC1; p=quarantine; ruf=mailto:postmaster@faecherstadt-consulting.de"
+        _mta-sts TXT "v=STSv1; id=1"
+        _smtp._tls TXT "v=TLSRPTv1;rua=mailto:postmaster@faecherstadt-consulting.de"
+        default._domainkey TXT "${lib.concatStringsSep "\" \"" domainkeySplitted}"
+        _autodiscover._tcp SRV 0 0 443 autoconfig
+      '';
+    };
+
+    caddy = {
+      enable = true;
+      virtualHosts = {
+
+        # Fächerstadt-Consulting Wordpress
+        "fächerstadt-consulting.de" = {
+          extraConfig = ''
+            redir https://faecherstadt-consulting.de
+          '';
+          serverAliases = [
+            "xn--fcherstadt-consulting-51b.de"
+            "fcg-faecherstadt-consulting.de"
+            "xn--fcg-fcherstadt-consulting-pec.de"
+          ];
+        };
+        "faecherstadt-consulting.de".extraConfig = ''
+          reverse_proxy http://192.168.100.12
+        '';
+
+        # Fächerstadt-Consulting Mail Setup
+        "autoconfig.faecherstadt-consulting.de" = {
+          extraConfig = ''
+            reverse_proxy http://localhost:1323
+          '';
+          serverAliases = [
+            "mx1.faecherstadt-consulting.de"
+          ];
+        };
+        "mta-sts.faecherstadt-consulting.de".extraConfig = ''
+          encode gzip
+          file_server
+          root * ${
+            pkgs.runCommand "testdir" {} ''
+              mkdir -p "$out/.well-known"
+              echo "
+                version: STSv1
+                mode: enforce
+                max_age: 604800
+                mx: mx1.faecherstadt-consulting.de
+             " > "$out/.well-known/mta-sts.txt"
+            ''
+          }
+        '';
+        "mailadm.faecherstadt-consulting.de".extraConfig = ''
+          reverse_proxy http://localhost:8000
+        '';
+
+
+        # Fächerstadt-Consulting Nextcloud
+        "nextcloud.fächerstadt-consulting.de" = {
+          extraConfig = ''
+            redir https://nextcloud.faecherstadt-consulting.de
+          '';
+          serverAliases = [ "nextcloud.xn--fcherstadt-consulting-51b.de" ];
+        };
+        "nextcloud.faecherstadt-consulting.de".extraConfig = ''
+          reverse_proxy http://192.168.100.12
+        '';
+
+      };
+    };
+
+  };
+
+  systemd.services.maddy.serviceConfig.SupplementaryGroups = [ "acme" ];
+
+}
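Review bot: The Nextcloud admin password ends up world-readable in /nix/store, because `config.adminpassFile` under `services.nextcloud` is built with `pkgs.writeText "adminpass" secrets.faecherstadt-consulting.nextcloud.adminPassword`. Ignoring `secrets.nix` in git does not prevent this, since the value is copied into a store path at build time. Point the option at a file provisioned outside the store and readable only by the service user, e.g. `config.adminpassFile = "/path/to/nextcloud-adminpass"; # placeholder path inside the container, not a store path`. The same `pkgs.writeText` pattern is used in experimental.nix for the GitLab `databasePasswordFile`, `initialRootPasswordFile`, `secretFile`, `otpFile` and `dbFile`, and for the Nextcloud `adminpassFile` and `dbpassFile`.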
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000000000000000000000000000000000000..244c1196b89eb5212cbcdaa53d4373a96ae6ebea
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,162 @@
+{ config, lib, pkgs, ... }:
+let
+
+  secrets = import ./secrets.nix;
+
+in {
+
+  disabledModules = [
+    "services/mail/maddy.nix"
+    "services/web-apps/nextcloud.nix"
+  ];
+  imports = [
+    ./hardware-configuration.nix
+    ./clients/faecherstadt-consulting.nix
+    ./experimental.nix
+    "${fetchTarball {
+      url = "https://github.com/NixOS/nixpkgs/archive/master.tar.gz";
+      sha256 = "0zndp3pisaxp33268jd3hw9d69qdcnbxwlq63wiy0i14gwkf7vk1";
+    }}/nixos/modules/services/web-apps/onlyoffice.nix"
+    "${fetchTarball {
+      url = "https://github.com/NixOS/nixpkgs/archive/master.tar.gz";
+      sha256 = "0zndp3pisaxp33268jd3hw9d69qdcnbxwlq63wiy0i14gwkf7vk1";
+    }}/nixos/modules/services/web-apps/nextcloud.nix"
+    "${fetchTarball {
+      url = "https://github.com/NixOS/nixpkgs/archive/master.tar.gz";
+      sha256 = "0zndp3pisaxp33268jd3hw9d69qdcnbxwlq63wiy0i14gwkf7vk1";
+    }}/nixos/modules/services/web-apps/outline.nix"
+    "${fetchTarball "https://github.com/onny/nixpkgs/archive/maddytls.tar.gz"}/nixos/modules/services/mail/maddy.nix"
+    "${fetchTarball "https://github.com/onny/nixpkgs/archive/e884b832f6cb4e4d781d7fb7679b076c5275e35a.tar.gz"}/nixos/modules/services/networking/go-autoconfig.nix"
+  ];
+
+  nixpkgs.overlays = [
+    (self: super: {
+      onlyoffice-documentserver = (import (builtins.fetchTarball {
+        url = "https://github.com/NixOS/nixpkgs/archive/master.tar.gz";
+      }) { config = { allowUnfree = true; }; }).onlyoffice-documentserver;
+    })
+    (self: super: {
+      outline = (import (builtins.fetchTarball {
+        url = "https://github.com/yrd/nixpkgs/archive/outline.tar.gz";
+      }) { config = { allowUnfree = true; }; }).outline;
+    })
+    (self: super: {
+      maddy = (import (builtins.fetchTarball {
+        url = "https://github.com/NixOS/nixpkgs/archive/master.tar.gz";
+      }) { config = { allowUnfree = true; }; }).maddy;
+    })
+    (self: super: {
+      go-autoconfig = (import (builtins.fetchTarball {
+        url = "https://github.com/onny/nixpkgs/archive/go-autoconfig.tar.gz";
+      }) { config = { allowUnfree = true; }; }).go-autoconfig;
+    })
+  ];
+
+  boot.cleanTmpDir = true;
+  zramSwap.enable = true;
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    secrets.onny.pubkey
+  ];
+
+  networking = {
+
+    hostName = "piproxy";
+    domain = "project-insanity.org";
+
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 53 80 443 8008 8080 ]; # dns, caddy, dendrite nginx/nextcloud
+      allowedUDPPorts = [ 53 51821 ]; # dns, wireguard
+    };
+
+    interfaces = {
+      wg0.mtu = 1384; # dont know why lol
+      ens3.ipv6.addresses = [{
+        address = "2a01:4f8:1c1c:2c16::";
+	prefixLength = 64;
+      }];
+    };
+
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "ens3";
+    };
+
+    wireguard.interfaces.wg0 = {
+      ips = [ "10.100.0.1/24" ];
+      listenPort = 51821;
+      generatePrivateKeyFile = true;
+      privateKeyFile = "/etc/wireguard/private_key";
+      peers = [
+        # picloud
+        {
+          publicKey = "rX4Gb44rErdsqeTlKtYv3owTKMrFsWWqt+7kyX/MbHU=";
+          allowedIPs = [ "10.100.0.2/32" ];
+        }
+        # piroot
+        {
+          publicKey = "zEGTPdM5l+ZoN/LzpPVtXqMnu1Dl7qW3kP2JtnN84T0=";
+          allowedIPs = [ "10.100.0.3/32" ];
+        }
+      ];
+    };
+
+    nat = {
+      enable = true;
+      internalInterfaces = ["ve-+"];
+      externalInterface = "ens3";
+    };
+
+  };
+
+  documentation.man.enable = false;
+
+  services = {
+
+    resolved.enable = true;
+
+    openssh = {
+      enable = true;
+      openFirewall = true;
+    };
+
+    caddy = {
+      enable = true;
+      virtualHosts = {
+
+        "lecker-company.de".extraConfig = ''
+          reverse_proxy http://10.100.0.2
+        '';
+
+        "invoice.turbotux.de".extraConfig = ''
+          reverse_proxy http://10.100.0.2
+        '';
+        "turbotux.de".extraConfig = ''
+          reverse_proxy http://10.100.0.2:8096
+        '';
+
+        "fachwerk-sauna.de" = {
+          extraConfig = ''
+            reverse_proxy http://10.100.0.2
+          '';
+          serverAliases = [ "www.fachwerk-sauna.de" ];
+        };
+
+        "${secrets.jhartung.url}".extraConfig = ''
+          reverse_proxy ${secrets.jhartung.fritzURL}:46190
+        '';
+        "${secrets.jhartung.url}/ipp".extraConfig = ''
+          reverse_proxy ${secrets.jhartung.fritzURL}:631 {
+            header_up Host 192.168.178.220
+          }
+        '';
+
+      };
+    };
+
+  };
+
+  system.stateVersion = "22.05";
+
+}
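Review bot: Several `fetchTarball` calls in `imports` and `nixpkgs.overlays` take a moving ref with no `sha256` (`onny/nixpkgs/archive/maddytls.tar.gz`, `NixOS/nixpkgs/archive/master.tar.gz`, `yrd/nixpkgs/archive/outline.tar.gz`, `onny/nixpkgs/archive/go-autoconfig.tar.gz`), so whatever those branches hold at rebuild time is evaluated and installed on this host with no integrity check. Pin each to a commit and a hash, in the form `fetchTarball { url = "https://github.com/OWNER/nixpkgs/archive/<commit>.tar.gz"; sha256 = "<hash>"; }` (placeholders); the go-autoconfig module import already names a commit but still lacks the hash. The three module imports that do carry a `sha256` point at `master.tar.gz`, so they will presumably fail with a hash mismatch once the tarball has to be refetched. The same unpinned pattern appears in the container `imports` in clients/faecherstadt-consulting.nix and in the onlyoffice overlay in experimental.nix.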
diff --git a/experimental.nix b/experimental.nix
new file mode 100644
index 0000000000000000000000000000000000000000..98690d684735bebd88f2feacca98d6d0d6d740ad
--- /dev/null
+++ b/experimental.nix
@@ -0,0 +1,140 @@
+{ pkgs, lib, config, ... }:
+let
+
+  secrets = import ./secrets.nix;
+
+in {
+
+  containers ={ 
+
+    onlyoffice = { 
+      config = { config, pkgs, ... }: {
+
+        imports = [ /root/nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix ];
+
+        nixpkgs.overlays = [
+          (self: super: {
+            onlyoffice-documentserver = (import (builtins.fetchTarball {
+              url = "https://github.com/NixOS/nixpkgs/archive/master.tar.gz";
+            }) { config = { allowUnfree = true; }; }).onlyoffice-documentserver;
+          })
+        ];
+
+        services.onlyoffice = {
+          enable = true;
+          hostname = "office.turbotux.de";
+        };
+
+        system.stateVersion = "22.05";
+
+        networking.firewall = {
+          enable = true;
+          allowedTCPPorts = [ 80 ];
+        };
+
+      };
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "192.168.100.10";
+      localAddress = "192.168.100.11";
+    };
+
+  };
+
+
+  services = {
+
+    #dendrite = {
+    #  enable = true;
+    #  openRegistration = true;
+    #  settings = {
+    #    global.server_name = "turbotux.de";
+    #    global.private_key = "";
+    #    client_api.registration_disabled = false;
+    #  };
+    #};
+
+    #outline = {
+    #  enable = true;
+    #  storage = {
+    #    uploadBucketUrl = "http://localhost:9000";
+    #	uploadBucketName = "outline-bucket";
+    #	secretKeyFile = builtins.toPath( pkgs.writeText "secretKeyFile" "12345678" );
+    #	accessKey = "12345";
+    #  };
+    #};
+
+    minio = {
+      enable = true;
+      secretKey = "12345678";
+      accessKey = "12345";
+    };
+
+    gitlab = {
+      enable = true;
+      #databaseHost = "10.25.40.6";
+      databasePasswordFile = pkgs.writeText "dbPassword" secrets.gitlab.dbPassword;
+      initialRootPasswordFile = pkgs.writeText "rootPassword" secrets.gitlab.initialRootPassword;
+      smtp.enable = true;
+      secrets = {
+        secretFile = pkgs.writeText "secret" secrets.gitlab.secret;
+        otpFile = pkgs.writeText "otpsecret" secrets.gitlab.optsecret;
+        dbFile = pkgs.writeText "dbsecret" secrets.gitlab.dbsecret;
+        jwsFile = pkgs.runCommand "oidcKeyBase" { } "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+      };
+    };
+
+    nextcloud = {
+      enable = false;
+      package = pkgs.nextcloud24;
+      hostName = "nextcloud.${config.networking.domain}";
+      # FIXME: Configure apps
+      config = {
+        adminpassFile = "${pkgs.writeText "adminpass" secrets.nextcloud.adminPassword}";
+	dbhost = "10.100.0.2";
+        dbpassFile = "${pkgs.writeText "dbpass" secrets.nextcloud.dbpass}";
+        dbtype = "mysql";
+        overwriteProtocol = "https";
+      };
+      extraOptions = {
+        passwordsalt = secrets.nextcloud.passwordSalt;
+        secret = secrets.nextcloud.secret;
+        instanceid = secrets.nextcloud.instanceId;
+        installed = true;
+      };
+    };
+    #nginx.virtualHosts."nextcloud.project-insanity.org".listen = [ { addr = "127.0.0.1"; port = 8080; } ];
+
+    caddy = {
+      enable = true;
+      virtualHosts = {
+
+        #"wiki.project-insanity.org".extraConfig = ''
+        #  reverse_proxy http://10.100.0.2
+        #'';
+
+        #"project-insanity.org" = {
+        #  serverAliases = [
+        #    "www.project-insanity.org"
+        #    "blog.project-insanity.org"
+        #    "wiki.project-insanity.org"
+        #    "nextcloud.project-insanity.org"
+        #  ];
+        #  extraConfig = ''
+        #    reverse_proxy http://10.100.0.2
+        #  '';
+        #};
+
+        "office.turbotux.de".extraConfig = ''
+          @insecure {
+            header X-Forwarded-Proto http
+          }
+          redir @insecure https://{host}{uri} permanent
+          reverse_proxy http://192.168.100.11
+        '';
+      };
+    };
+
+  };
+
+}
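Review bot: `services.minio` is enabled with `secretKey = "12345678"` and `accessKey = "12345"` committed in the file. These are trivially guessable and, as plain option values, also end up in the world-readable Nix store. Replace them with random credentials loaded from a file outside the store, `rootCredentialsFile = "/path/to/minio-root-credentials"; # placeholder, root-only file`. `secrets.jwsFile` in the `gitlab` block has a related problem: `pkgs.runCommand "oidcKeyBase" … openssl genrsa 2048 > $out` writes the private key to a store path every local user can read, and the derivation is not reproducible. That key should be generated once outside the store and referenced by path.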
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000000000000000000000000000000000000..dfd35d58d92a0b8175a8f4e40c1c3b773827b918
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  
+}
diff --git a/wordpress/plugins.nix b/wordpress/plugins.nix
new file mode 100644
index 0000000000000000000000000000000000000000..62240204e6cb3b68e59725f4a8cd8fe304907ac7
--- /dev/null
+++ b/wordpress/plugins.nix
@@ -0,0 +1,44 @@
+{ lib
+, pkgs
+, fetchurl
+, stdenv
+}:
+
+let
+
+  mkWordpressPlugin = a@{
+    pluginName,
+    namePrefix ? "wordpressplugin-",
+    src,
+    unpackPhase ? "",
+    configurePhase ? ":",
+    buildPhase ? ":",
+    addonInfo ? null,
+    preInstall ? "",
+    postInstall ? "",
+    path ? lib.getName pluginName,
+    ...
+  }:
+    stdenv.mkDerivation (a // {
+      pname = namePrefix + pluginName;
+
+      inherit pluginName unpackPhase configurePhase buildPhase addonInfo preInstall postInstall;
+
+      installPhase = "mkdir -p $out; cp -R * $out/";
+    });
+
+in rec {
+  inherit mkWordpressPlugin;
+
+  jetpack = mkWordpressPlugin {
+    pluginName = "jetpack";
+    version = "10.9.1";
+    src = fetchurl {
+      url = "https://downloads.wordpress.org/plugin/jetpack.10.9.1.zip";
+      sha256 = "sha256-R4kBpMQ7TJcf0ClqgmeXzzmjRFEqTD+QFnRfAdfBnr8=";
+    };
+    buildInputs = [ pkgs.unzip ];
+    installPhase = "mkdir -p $out; cp -R * $out/";
+  };
+
+}
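Review bot: In `mkWordpressPlugin` the right-hand side of `a // { … }` wins, so the helper's fixed `installPhase` overrides any `installPhase` a caller passes. `jetpack`'s own `installPhase` is therefore dead code, and in wordpress/themes.nix the same construct silently discards the `faecherstadt-consulting` theme's custom `installPhase`, which installs into `$out/faecherstadt-consulting`. Let the caller's value take precedence with `installPhase = a.installPhase or "mkdir -p $out; cp -R * $out/";`. The `preInstall` and `postInstall` arguments are also never run, because the install string does not call `runHook preInstall` or `runHook postInstall`, and `path` is accepted but unused.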
diff --git a/wordpress/themes.nix b/wordpress/themes.nix
new file mode 100644
index 0000000000000000000000000000000000000000..c72ef83aa95e5a374cdcae1d89533470a53f89ec
--- /dev/null
+++ b/wordpress/themes.nix
@@ -0,0 +1,45 @@
+{ lib
+, pkgs
+, fetchurl
+, stdenv
+}:
+
+let
+
+  mkWordpressTheme = a@{
+    themeName,
+    namePrefix ? "wordpresstheme-",
+    src,
+    unpackPhase ? "",
+    configurePhase ? ":",
+    buildPhase ? ":",
+    addonInfo ? null,
+    preInstall ? "",
+    postInstall ? "",
+    path ? lib.getName themeName,
+    ...
+  }:
+    stdenv.mkDerivation (a // {
+      pname = namePrefix + themeName;
+
+      inherit themeName unpackPhase configurePhase buildPhase addonInfo preInstall postInstall;
+
+      installPhase = "mkdir -p $out; cp -R * $out/";
+    });
+
+in rec {
+  inherit mkWordpressTheme;
+
+  faecherstadt-consulting = mkWordpressTheme {
+    themeName = "faecherstadt-consulting";
+    version = "1.2";
+    src = fetchurl {
+      url = "https://git.project-insanity.org/onny/client-faecherstadt-consulting/-/archive/main/client-faecherstadt-consulting-main.tar.bz2";
+      sha256 = "sha256-9ebhyMdgYzAtw/aZt9VijyQzegIXMbPmVm8JqcEtArc=";
+    };
+    installPhase = "mkdir -p $out/faecherstadt-consulting; cp -R * $out/faecherstadt-consulting/";
+  };
+
+}
+
+
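Review bot: The theme `src` downloads `…/-/archive/main/client-faecherstadt-consulting-main.tar.bz2`, a branch archive, while `sha256` and `version = "1.2"` are fixed. Once `main` gets a new commit, the fetch fails with a hash mismatch on any machine that has no cached copy, and the deployed theme is not tied to a reviewed revision. Point the URL at a tag or commit archive matching the declared version, e.g. `…/-/archive/<tag-or-commit>/client-faecherstadt-consulting-<tag-or-commit>.tar.bz2` (placeholder), and update the hash with it.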