organ config cleanup

hosts/organ/default.nix

@@ -11,89 +11,29 @@
       ./mail.nix
       ./networking.nix
       ./nginx.nix
-      ./tailscale.nix
+      ./ssh.nix
+      ./syncthing.nix
+      ./users.nix
     ]
     ++ lib._.moduleImports [
       "common/nix"
+      "common/packages"
       "server/dns"
     ];
 
-  server.dns.zones."jakubarbet.me" = ./jakubarbet.me.zone;
-
-  age.secrets = lib._.defineSecrets ["organ-jakub-password-hash"] {};
-
-  users.users = {
-    jakub = {
-      hashedPasswordFile = config.age.secrets.organ-jakub-password-hash.path;
-      openssh.authorizedKeys.keys = [config.sshPublicKey];
-      isNormalUser = true;
-      extraGroups = ["wheel"];
-      shell = pkgs.zsh;
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    git
-    curl
-    wget
-    neovim
-  ];
-
-  programs.zsh.enable = true;
-
-  services = {
-    openssh = {
-      enable = true;
-      settings.PasswordAuthentication = false;
-    };
-    syncthing = {
-      enable = true;
-      relay.enable = true;
-      user = "jakub";
-      dataDir = "/home/jakub/Sync";
-      # https://docs.syncthing.net/users/config.html#config-option-gui.insecureskiphostcheck
-      settings.gui.insecureSkipHostcheck = true;
-    };
-  };
-
-  # Syncthing ports:
-  # - 22000 TCP and/or UDP for sync traffic
-  # - 21027/UDP for discovery
-  # source: https://docs.syncthing.net/users/firewall.html
-  networking.firewall = {
-    allowedTCPPorts =
-      lib.optionals config.services.syncthing.enable [22000]
-      ++ lib.optionals config.services.syncthing.relay.enable [
-        config.services.syncthing.relay.port
-        config.services.syncthing.relay.statusPort
-      ];
-    allowedUDPPorts = lib.optionals config.services.syncthing.enable [22000 21027];
-  };
+  age.secrets = lib._.defineSecrets ["organ-tailscale-auth-key"] {};
 
   time.timeZone = "Europe/Prague";
 
-  boot.loader = {
-    systemd-boot.enable = true;
-    systemd-boot.configurationLimit = 5;
-    efi.canTouchEfiVariables = true;
+  server = {
+    dns.zones."jakubarbet.me" = ./dns/jakubarbet.me.zone;
+    tailscale = {
+      tailnet = "ide-vega.ts.net";
+      tailscaleIpv4 = "100.67.2.27";
+      tailscaleIpv6 = "fd7a:115c:a1e0::f101:21b";
+      authKeyFile = config.age.secrets.organ-tailscale-auth-key.path;
+    };
   };
 
-  # This option defines the first version of NixOS you have installed on this particular machine,
-  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
-  #
-  # Most users should NEVER change this value after the initial install, for any reason,
-  # even if you've upgraded your system to a new NixOS release.
-  #
-  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
-  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
-  # to actually do that.
-  #
-  # This value being lower than the current NixOS release does NOT mean your system is
-  # out of date, out of support, or vulnerable.
-  #
-  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
-  # and migrated your data accordingly.
-  #
-  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "24.11";
 }

hosts/organ/jakubarbet.me.zone → hosts/organ/dns/jakubarbet.me.zone

@@ -42,12 +42,8 @@ email		IN	CNAME	eu.mailgun.org.
 _dmarc		IN	TXT	"v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]"
 _smtp._tls	IN	TXT	"v=TLSRPTv1; rua=mailto:[email protected]"
 mail._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
-          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyeerwJv8l/ec+I8s/hcnemFTsfWC4F5LFse0N3wNA+yAbF4+UBIcWYDTjRmqNuyf//HND6Yoy1KUIzsueYmvWT/CpfUModqrxD6r52ZUL4QWxwm40IAZwi8zsrLdESHIF0qsQ9SSCxUSZPg7VLVk2ggwbxGX5bSUvt47fx4kywAl+mIF6xU7EPys4PHIogzIj8h8FGuHUI9FqT"
-	  "HZPpNJcpVU8bdUrlGIcm+YonsDF3sh17xRiAOg1EUsO/3YKpMGopFppLHYh+FUBsO5iUO/xQ0IdvUqDaF61UiywvNN6Jv5HHq2UQt47ew/1zNWzHT8MjUKhOz0zKSn2OF9UUW18wIDAQAB" )
-; mail._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
-; 	  "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuxEkSd887tJnfncjJnXsmK+YcYzZKrhLE+Ew58Sjq8j1EDSuHdBdYzF7vBOO+CjbqKxacFSa6ClvgNHtKbSQAZnuJHDpq54eD77Y+XrZpUJlNxSHZSKT7TchRtIM4f0xwNMqfti4J6obhByavMQ7ZKU1hPQuiR/MrA61Lr7UlkRNFmyKTgVS+L+MaMVQKbb1zPlvgk7DNRrGxD"
-; 	  "twGULYo7RyT5OrEdS/34f5aGnseu2gDRaj1JkKcjabAPgP47EVWY3jWtWcW7aB/wsIf1kbQwg3Y/ehXWNfgxqY+7ZRlbq9TuNcETdh6QhRjdOolNap3axe7eWncFjovuktaXqxYm9wskA5ddO2mvUKzwMytZLXPi5FslD2eoARH6ezl1LUQl4HO1hPCKS8rsoyYDiwukaLZAv16qwS/2hlw+c48q5ALyQOdMjvHbnHyt/Z2vwDoxzDNxQC"
-; 	  "XfFZ5das8JZ6o1GqM+ofTOA0F2TluFuzqjfGT8wyoKwKF5bbPVwU94snKGExziWIDEXRW+N38G2P9Txugf5kg6ak3B8rUYrNIB7NyOdExDW4SwJmTCTMRaQG0PLXixlSs22uXH5Deu44tNZOYmbkuQ7Oh8jc9dpi2xLVzH/y1yHj9Hq2JdhMyTib0gEYl2u6kKRz4gabAjLYJug5UsNbYnN1XuuTHWbzdhsCAwEAAQ==" )  ; ----- DKIM key mail for jakubarbet.me
+    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyeerwJv8l/ec+I8s/hcnemFTsfWC4F5LFse0N3wNA+yAbF4+UBIcWYDTjRmqNuyf//HND6Yoy1KUIzsueYmvWT/CpfUModqrxD6r52ZUL4QWxwm40IAZwi8zsrLdESHIF0qsQ9SSCxUSZPg7VLVk2ggwbxGX5bSUvt47fx4kywAl+mIF6xU7EPys4PHIogzIj8h8FGuHUI9FqT"
+	"HZPpNJcpVU8bdUrlGIcm+YonsDF3sh17xRiAOg1EUsO/3YKpMGopFppLHYh+FUBsO5iUO/xQ0IdvUqDaF61UiywvNN6Jv5HHq2UQt47ew/1zNWzHT8MjUKhOz0zKSn2OF9UUW18wIDAQAB" )
 
 
 ; Mail autoconfig
@@ -59,4 +55,3 @@ _imap._tcp		IN	SRV	5 0 143 mail.jakubarbet.me.
 _imaps._tcp		IN	SRV	5 0 993 mail.jakubarbet.me.
 _submission._tcp	IN	SRV	5 0 587 mail.jakubarbet.me.
 _submissions._tcp	IN	SRV	5 0 465 mail.jakubarbet.me.
-

hosts/organ/hardware-configuration.nix

@@ -14,11 +14,20 @@ in {
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
 
-  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
-  boot.initrd.kernelModules = ["virtio_gpu"];
-  boot.kernelModules = [];
-  boot.extraModulePackages = [];
-  boot.kernelParams = ["console=tty"];
+  boot = {
+    kernelModules = [];
+    extraModulePackages = [];
+    kernelParams = ["console=tty"];
+    initrd = {
+      availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
+      kernelModules = ["virtio_gpu"];
+    };
+    loader = {
+      systemd-boot.enable = true;
+      systemd-boot.configurationLimit = 5;
+      efi.canTouchEfiVariables = true;
+    };
+  };
 
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/b927425d-7b67-4af5-95d5-1598b83e0001";
@@ -61,12 +70,5 @@ in {
     {device = "/dev/disk/by-uuid/289ba3ad-decc-477a-8775-ccb4678e6a49";}
   ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }

hosts/organ/mail.nix

@@ -4,13 +4,11 @@
   lib,
   ...
 }: let
-  domain = "jakubarbet.me";
+  domain = config.networking.domain;
 in {
   imports = [inputs.simple-nixos-mailserver.nixosModule];
 
-  age.secrets =
-    lib._.defineSecrets ["organ-sasl-passwd"] {
-    };
+  age.secrets = lib._.defineSecrets ["organ-sasl-passwd"] {};
 
   mailserver = {
     enable = true;
@@ -36,6 +34,7 @@ in {
         proxyPass = "http://localhost:8080/";
       };
     };
+    # Confgiure postfix to use mailgun as relay to improve deliverability
     postfix = {
       mapFiles."sasl_passwd" = config.age.secrets.organ-sasl-passwd.path;
       extraConfig = ''

hosts/organ/networking.nix

@@ -1,24 +1,27 @@
-{...}: let
+{config, ...}: let
   ipv4 = "116.203.250.61";
   ipv6 = "2a01:4f8:c012:58f4::";
 in {
   networking = {
     hostName = "organ";
+    domain = "jakubarbet.me";
     useDHCP = false;
     nameservers = ["1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001"];
     firewall.enable = true;
   };
 
   services.resolved.enable = false;
 
+  # static ip configuration for hetzner cloud
+  # https://docs.hetzner.com/cloud/servers/static-configuration/
   systemd.network = {
     enable = true;
     networks."10-wan" = {
       matchConfig.Name = "enp1s0";
       networkConfig.DHCP = "no";
       address = [
-        "${ipv4}/32"
-        "${ipv6}/64"
+        "${config.ipv4}/32"
+        "${config.ipv6}/64"
       ];
       routes = [
         {

hosts/organ/nginx.nix

@@ -1,28 +1,24 @@
-{...}: {
+{config, ...}: {
   security.acme = {
     acceptTerms = true;
-    defaults.email = "hostmaster@jakubarbet.me";
+    defaults.email = "hostmaster@${config.networking.domain}";
   };
 
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-    virtualHosts."organ.jakubarbet.me" = {
+    virtualHosts.${config.networking.fqdn} = {
       enableACME = true;
       forceSSL = true;
       extraConfig = ''
         proxy_intercept_errors on;
         error_page 401 /unauthorized.html;
       '';
       locations."/unauthorized.html" = {
-        root = "/srv/www/organ.jakubarbet.me";
+        root = "/srv/www/${config.networking.fqdn}";
         extraConfig = "internal;";
       };
-      locations."/syncthing/" = {
-        extraConfig = "auth_request /auth;";
-        proxyPass = "http://localhost:8384/";
-      };
     };
   };
 

hosts/organ/ssh.nix

@@ -0,0 +1,8 @@
+{...}: {
+  services = {
+    openssh = {
+      enable = true;
+      settings.PasswordAuthentication = false;
+    };
+  };
+}

hosts/organ/syncthing.nix

@@ -0,0 +1,27 @@
+{config, ...}: let
+  user = "jakub";
+in {
+  services = {
+    nginx.virtualHosts.${config.networking.fqdn}.locations."/syncthing/" = {
+      extraConfig = "auth_request /auth;";
+      proxyPass = "http://localhost:8384/";
+    };
+    syncthing = {
+      enable = true;
+      user = user;
+      dataDir = "${config.users.users.${user}.home}/Sync";
+
+      # https://docs.syncthing.net/users/config.html#config-option-gui.insecureskiphostcheck
+      settings.gui.insecureSkipHostcheck = true;
+    };
+  };
+
+  # Syncthing ports:
+  # - 22000 TCP and/or UDP for sync traffic
+  # - 21027/UDP for discovery
+  # source: https://docs.syncthing.net/users/firewall.html
+  networking.firewall = {
+    allowedTCPPorts = [22000];
+    allowedUDPPorts = [22000 21027];
+  };
+}

hosts/organ/users.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  age.secrets = lib._.defineSecrets ["organ-jakub-password-hash"] {};
+
+  users.users = {
+    jakub = {
+      hashedPasswordFile = config.age.secrets.organ-jakub-password-hash.path;
+      openssh.authorizedKeys.keys = [config.sshPublicKey];
+      isNormalUser = true;
+      extraGroups = ["wheel"];
+      shell = pkgs.zsh;
+    };
+  };
+
+  programs.zsh.enable = true;
+}

lib/default.nix

@@ -64,7 +64,7 @@ inputs @ {
           }
           .${system};
       in [
-        ../config.nix
+        ../config.nix # Autoload global config options
         agenixModule
         {environment.systemPackages = [agenix.packages.${system}.default];}
         path

modules/common/nix.nix

@@ -1,4 +1,5 @@
 # [nixos/nix-darwin]
+# nix with sensible defaults
 {
   inputs,
   lib,

modules/common/packages.nix

@@ -0,0 +1,11 @@
+# [nixos/nix-darwin]
+# common packages shared across all systems
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    alejandra
+    git
+    curl
+    wget
+    neovim
+  ];
+}