Remove liza

common/network/hosts.nix

@@ -36,14 +36,6 @@ in {
   keepalive-ping.hosts = attrNames zerotierHosts;
 
   programs.ssh.knownHosts = {
-    liza = {
-      hostNames = [ "liza" "mail.neet.dev" ];
-      publicKey = system.liza;
-    };
-    liza-unlock = {
-      hostNames = [ unlock-onion-hosts.liza ];
-      publicKey = system.liza-unlock;
-    };
     ponyo = {
       hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ];
       publicKey = system.ponyo;
@@ -72,34 +64,6 @@ in {
       hostNames = [ unlock-onion-hosts.s0 ];
       publicKey = system.s0-unlock;
     };
-    n1 = {
-      hostNames = [ "n1" ];
-      publicKey = system.n1;
-    };
-    n2 = {
-      hostNames = [ "n2" ];
-      publicKey = system.n2;
-    };
-    n3 = {
-      hostNames = [ "n3" ];
-      publicKey = system.n3;
-    };
-    n4 = {
-      hostNames = [ "n4" ];
-      publicKey = system.n4;
-    };
-    n5 = {
-      hostNames = [ "n5" ];
-      publicKey = system.n5;
-    };
-    n6 = {
-      hostNames = [ "n6" ];
-      publicKey = system.n6;
-    };
-    n7 = {
-      hostNames = [ "n7" ];
-      publicKey = system.n7;
-    };
   };
 
   # prebuilt cmds for easy ssh LUKS unlock

common/network/pia-wireguard.nix

@@ -32,11 +32,11 @@ in {
       type = lib.types.str;
       default = "piaw";
     };
-    # forwardedPort = lib.mkOption {
+    forwardedPort = lib.mkOption {
-    #   type = lib.types.port;
+      type = lib.types.port;
-    #   description = "The port to redirect port forwarded TCP VPN traffic too";
+      description = "The port to redirect port forwarded TCP VPN traffic too";
-    #   default = 15050;
+      default = 15050;
-    # };
+    };
     # TODO allow disabling this
     portForwarding = lib.mkEnableOption "Enables PIA port fowarding";
 

common/server/default.nix

@@ -14,5 +14,7 @@
     ./radio.nix
     ./samba.nix
     ./owncast.nix
+    ./mailserver.nix
+    ./nextcloud.nix
   ];
 }

common/server/gitea.nix

@@ -14,11 +14,8 @@ in {
       domain = cfg.hostname;
       rootUrl = "https://${cfg.hostname}/";
       appName = cfg.hostname;
-      ssh.enable = true;
       # lfs.enable = true;
       dump.enable = true;
-      cookieSecure = true;
-      disableRegistration = true;
       settings = {
         other = {
           SHOW_FOOTER_VERSION = false;
@@ -26,6 +23,12 @@ in {
         ui = {
           DEFAULT_THEME = "arc-green";
         };
+        service = {
+          DISABLE_REGISTRATION = true;
+        };
+        session = {
+          COOKIE_SECURE = true;
+        };
       };
     };
     services.nginx.enable = true;

common/server/mailserver.nix

@@ -0,0 +1,72 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+  cfg = config.mailserver;
+in {
+  config = lib.mkIf cfg.enable {
+    mailserver = {
+      fqdn = "mail.neet.dev";
+      dkimKeyBits = 2048;
+      indexDir = "/var/lib/mailindex";
+      enableManageSieve = true;
+      fullTextSearch.enable = true;
+      fullTextSearch.indexAttachments = true;
+      fullTextSearch.memoryLimit = 500;
+      domains = [
+        "neet.space" "neet.dev" "neet.cloud"
+        "runyan.org" "runyan.rocks"
+        "thunderhex.com" "tar.ninja"
+        "bsd.ninja" "bsd.rocks"
+      ];
+      loginAccounts = {
+        "jeremy@runyan.org" = {
+          hashedPasswordFile = "/run/agenix/email-pw";
+          aliases = [
+            "@neet.space" "@neet.cloud" "@neet.dev"
+            "@runyan.org" "@runyan.rocks"
+            "@thunderhex.com" "@tar.ninja"
+            "@bsd.ninja" "@bsd.rocks"
+          ];
+        };
+      };
+      rejectRecipients = [
+        "george@runyan.org"
+        "joslyn@runyan.org"
+        "damon@runyan.org"
+        "jonas@runyan.org"
+      ];
+      certificateScheme = 3; # use let's encrypt for certs
+    };
+    age.secrets.email-pw.file = ../../secrets/email-pw.age;
+
+    # sendmail to use xxx@domain instead of xxx@mail.domain
+    services.postfix.origin = "$mydomain";
+
+    # relay sent mail through mailgun
+    # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
+    services.postfix.config = {
+      smtp_sasl_auth_enable = "yes";
+      smtp_sasl_security_options = "noanonymous";
+      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
+      smtp_use_tls = "yes";
+      sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
+      smtp_sender_dependent_authentication = "yes";
+    };
+    services.postfix.mapFiles.sender_relay = let
+      relayHost = "[smtp.mailgun.org]:587";
+    in pkgs.writeText "sender_relay" ''
+      @neet.space ${relayHost}
+      @neet.cloud ${relayHost}
+      @neet.dev ${relayHost}
+      @runyan.org ${relayHost}
+      @runyan.rocks ${relayHost}
+      @thunderhex.com ${relayHost}
+      @tar.ninja ${relayHost}
+      @bsd.ninja ${relayHost}
+      @bsd.rocks ${relayHost}
+    '';
+    services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
+    age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
+  };
+}

common/server/nextcloud.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+  cfg = config.services.nextcloud;
+in {
+  config = lib.mkIf cfg.enable {
+    services.nextcloud = {
+      https = true;
+      package = pkgs.nextcloud25;
+      hostName = "neet.cloud";
+      config.dbtype = "sqlite";
+      config.adminuser = "jeremy";
+      config.adminpassFile = "/run/agenix/nextcloud-pw";
+      autoUpdateApps.enable = true;
+      enableBrokenCiphersForSSE = false;
+    };
+    age.secrets.nextcloud-pw = {
+      file = ../../secrets/nextcloud-pw.age;
+      owner = "nextcloud";
+    };
+    services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}

common/ssh.nix

@@ -6,8 +6,6 @@ rec {
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
   ] ++ higherTrustUserKeys;
   system = {
-    liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
-    liza-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6eMKW7jBNUKm2r9zEoape4s3KVrmLTLC0nkW9t/8JK";
     ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
     ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
     ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
@@ -15,13 +13,6 @@ rec {
     router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
     s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
     s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
-    n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
-    n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
-    n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
-    n4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYm2ROIfCeGz6QtDwqAmcj2DX9tq2CZn0eLhskdvB4Z";
-    n5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5Qhvwq3PiHEKf+2/4w5ZJkSMNzFLhIRrPOR98m7wW4";
-    n6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/P/pa9+qhKAPfvvd8xSO2komJqDW0M1nCK7ZrP6PO7";
-    n7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtOlOvTlMX2mxPaXDJ6VlMe5rmroUXpKmJVNxgV32xL";
   };
 
   higherTrustUserKeys = [
@@ -30,43 +21,18 @@ rec {
 
   # groups
   systems = with system; [
-    liza
     ponyo
     ray
     router
     s0
-    n1
-    n2
-    n3
-    n4
-    n5
-    n6
-    n7
   ];
   personal = with system; [
     ray
   ];
   servers = with system; [
-    liza
     ponyo
     router
     s0
-    n1
-    n2
-    n3
-    n4
-    n5
-    n6
-    n7
-  ];
-  compute = with system; [
-    n1
-    n2
-    n3
-    n4
-    n5
-    n6
-    n7
   ];
   storage = with system; [
     s0

flake.nix

@@ -89,7 +89,6 @@
     {
       "ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
       # "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
-      "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
       "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
       "router" = mkSystem "x86_64-linux" nixpkgs ./machines/router/configuration.nix;
       "s0" = mkSystem "x86_64-linux" nixpkgs ./machines/storage/s0/configuration.nix;

machines/liza/configuration.nix

@@ -1,97 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports =[
-    ./hardware-configuration.nix
-  ];
-
-  system.autoUpgrade.enable = true;
-
-  networking.hostName = "liza";
-
-  networking.interfaces.enp1s0.useDHCP = true;
-
-  mailserver = {
-    enable = true;
-    fqdn = "mail.neet.dev";
-    dkimKeyBits = 2048;
-    indexDir = "/var/lib/mailindex";
-    enableManageSieve = true;
-    fullTextSearch.enable = true;
-    fullTextSearch.indexAttachments = true;
-    fullTextSearch.memoryLimit = 500;
-    domains = [
-      "neet.space" "neet.dev" "neet.cloud"
-      "runyan.org" "runyan.rocks"
-      "thunderhex.com" "tar.ninja"
-      "bsd.ninja" "bsd.rocks"
-    ];
-    loginAccounts = {
-      "jeremy@runyan.org" = {
-        hashedPasswordFile = "/run/agenix/email-pw";
-        aliases = [
-          "@neet.space" "@neet.cloud" "@neet.dev"
-          "@runyan.org" "@runyan.rocks"
-          "@thunderhex.com" "@tar.ninja"
-          "@bsd.ninja" "@bsd.rocks"
-        ];
-      };
-    };
-    rejectRecipients = [
-      "george@runyan.org"
-      "joslyn@runyan.org"
-      "damon@runyan.org"
-      "jonas@runyan.org"
-    ];
-    certificateScheme = 3; # use let's encrypt for certs
-  };
-  age.secrets.email-pw.file = ../../secrets/email-pw.age;
-
-  # sendmail to use xxx@domain instead of xxx@mail.domain
-  services.postfix.origin = "$mydomain";
-
-  # relay sent mail through mailgun
-  # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
-  services.postfix.config = {
-    smtp_sasl_auth_enable = "yes";
-    smtp_sasl_security_options = "noanonymous";
-    smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
-    smtp_use_tls = "yes";
-    sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
-    smtp_sender_dependent_authentication = "yes";
-  };
-  services.postfix.mapFiles.sender_relay = let
-    relayHost = "[smtp.mailgun.org]:587";
-  in pkgs.writeText "sender_relay" ''
-    @neet.space ${relayHost}
-    @neet.cloud ${relayHost}
-    @neet.dev ${relayHost}
-    @runyan.org ${relayHost}
-    @runyan.rocks ${relayHost}
-    @thunderhex.com ${relayHost}
-    @tar.ninja ${relayHost}
-    @bsd.ninja ${relayHost}
-    @bsd.rocks ${relayHost}
-  '';
-  services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
-  age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
-
-  services.nextcloud = {
-    enable = true;
-    https = true;
-    package = pkgs.nextcloud22;
-    hostName = "neet.cloud";
-    config.dbtype = "sqlite";
-    config.adminuser = "jeremy";
-    config.adminpassFile = "/run/agenix/nextcloud-pw";
-    autoUpdateApps.enable = true;
-  };
-  age.secrets.nextcloud-pw = {
-    file = ../../secrets/nextcloud-pw.age;
-    owner = "nextcloud";
-  };
-  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
-    enableACME = true;
-    forceSSL = true;
-  };
-}

machines/liza/hardware-configuration.nix

@@ -1,46 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  firmware.x86_64.enable = true;
-
-  bios = {
-    enable = true;
-    device = "/dev/sda";
-  };
-
-  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/2b8f6f6d-9358-4d30-8341-7426574e0819";
-      fsType = "ext3";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/ef7a83db-4b33-41d1-85fc-cff69e480352"; }
-    ];
-
-}

machines/ponyo/configuration.nix

@@ -11,10 +11,13 @@
 
   services.zerotierone.enable = true;
 
+  mailserver.enable = true;
+
+  services.nextcloud.enable = true;
+
   services.gitea = {
     enable = true;
     hostname = "git.neet.dev";
-    disableRegistration = true;
   };
 
   services.thelounge = {
@@ -90,7 +93,7 @@
   services.postgresql.package = pkgs.postgresql_11;
 
   services.searx = {
-    enable = true;
+    enable = false;
     environmentFile = "/run/agenix/searx";
     settings = {
       server.port = 43254;