hosts/default.nix

@@ -11,6 +11,33 @@
           self.nixosModules.unlock-zfs-on-boot
           self.nixosModules.core
           self.nixosModules.docker
+
+          self.nixosModules.nginx
+          self.nixosModules.collabora
+          self.nixosModules.coturn
+          self.nixosModules.forgejo
+          self.nixosModules.keycloak
+          self.nixosModules.mailman
+          self.nixosModules.mastodon
+          self.nixosModules.nginx-mastodon
+          self.nixosModules.nginx-mastodon-files
+          self.nixosModules.mediawiki
+          self.nixosModules.nextcloud
+          self.nixosModules.nginx-prometheus-exporters
+          self.nixosModules.nginx-website
+          self.nixosModules.nginx-website-miom
+          self.nixosModules.opensearch
+          self.nixosModules.owncast
+          self.nixosModules.postgresql
+          self.nixosModules.prometheus-exporters
+          self.nixosModules.promtail
+          self.nixosModules.searx
+          self.nixosModules.tmate
+          self.nixosModules.obs-portal
+          self.nixosModules.matrix
+          self.nixosModules.matrix-irc
+          self.nixosModules.matrix-telegram
+          self.nixosModules.nginx-matrix
         ];
       };
 
@@ -21,6 +48,13 @@
           ./flora-6
           self.nixosModules.overlays
           self.nixosModules.core
+
+          self.nixosModules.caddy
+          self.nixosModules.drone
+          self.nixosModules.forgejo-actions-runner
+          self.nixosModules.grafana
+          self.nixosModules.prometheus
+          self.nixosModules.loki
         ];
       };
     };

hosts/flora-6/default.nix

@@ -8,13 +8,5 @@
       ./configuration.nix
       ./triton-vmtools.nix
       ./wireguard.nix
-
-      ./apps/caddy.nix
-
-      ./apps/drone.nix
-      ./apps/forgejo-actions-runner.nix
-      ./apps/grafana.nix
-      ./apps/prometheus.nix
-      ./apps/loki.nix
     ];
 }

hosts/nachtigall/default.nix

@@ -10,33 +10,6 @@
       ./networking.nix
       ./wireguard.nix
       ./backups.nix
-      ./apps/nginx.nix
 
-      ./apps/collabora.nix
-      ./apps/coturn.nix
-      ./apps/forgejo.nix
-      ./apps/keycloak.nix
-      ./apps/mailman.nix
-      ./apps/mastodon.nix
-      ./apps/mediawiki.nix
-      ./apps/nextcloud.nix
-      ./apps/nginx-mastodon.nix
-      ./apps/nginx-mastodon-files.nix
-      ./apps/nginx-prometheus-exporters.nix
-      ./apps/nginx-website.nix
-      ./apps/nginx-website-miom.nix
-      ./apps/opensearch.nix
-      ./apps/owncast.nix
-      ./apps/postgresql.nix
-      ./apps/prometheus-exporters.nix
-      ./apps/promtail.nix
-      ./apps/searx.nix
-      ./apps/tmate.nix
-      ./apps/obs-portal.nix
-
-      ./apps/matrix/irc.nix
-      ./apps/matrix/mautrix-telegram.nix
-      ./apps/matrix/synapse.nix
-      ./apps/nginx-matrix.nix
     ];
 }

modules/apps/caddy.nix

@@ -6,45 +6,29 @@
 }:
 {
   systemd.tmpfiles.rules = [
-    "d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
+    "d '/data/srv/www/os/download/' 0750 ${config.pub-solar-os.authentication.robot.username} ${config.pub-solar-os.authentication.robot.username} - -"
   ];
 
   services.caddy = {
     enable = lib.mkForce true;
-    group = "hakkonaut";
-    email = "admins@pub.solar";
+    group = config.pub-solar-os.authentication.robot.username;
+    email = config.pub-solar-os.adminEmail;
     enableReload = true;
     globalConfig = lib.mkForce ''
       grace_period 60s
     '';
     virtualHosts = {
-      "ci.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          reverse_proxy :4000
-        '';
-      };
       "flora-6.pub.solar" = {
         logFormat = lib.mkForce ''
           output discard
         '';
         extraConfig = ''
                     basicauth * {
-          	    hakkonaut $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
+                ${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
                     }
                     reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
         '';
       };
-      "grafana.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          reverse_proxy :${toString config.services.grafana.settings.server.http_port}
-        '';
-      };
       "obs-portal.pub.solar" = {
         logFormat = lib.mkForce ''
           output discard

modules/apps/drone.nix

@@ -30,6 +30,15 @@
     "d '/var/lib/drone-db' 0750 drone drone - -"
   ];
 
+  services.caddy.virtualHosts."ci.pub.solar" = {
+    logFormat = lib.mkForce ''
+      output discard
+    '';
+    extraConfig = ''
+      reverse_proxy :4000
+    '';
+  };
+
   systemd.services."docker-network-drone" =
     let
       docker = config.virtualisation.oci-containers.backend;

modules/apps/grafana/grafana.nix

@@ -33,6 +33,15 @@
     };
   };
 
+  services.caddy.virtualHosts."grafana.pub.solar" = {
+    logFormat = lib.mkForce ''
+      output discard
+    '';
+    extraConfig = ''
+      reverse_proxy :${toString config.services.grafana.settings.server.http_port}
+    '';
+  };
+
   services.grafana = {
     enable = true;
     settings = {

modules/apps/matrix/nginx-matrix.nix

@@ -5,7 +5,7 @@ let
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     add_header X-XSS-Protection "1; mode=block";
   '';
-  clientConfig = import ./matrix/element-client-config.nix { inherit lib pkgs; };
+  clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
   wellKnownClient = domain: {
     "m.homeserver".base_url = "https://matrix.${domain}";
     "m.identity_server".base_url = "https://matrix.${domain}";

modules/core/default.nix

@@ -0,0 +1,35 @@
+{ pkgs, config, flake, lib, ... }: {
+  imports = [
+    ./nix.nix
+    ./networking.nix
+    ./terminal-tooling.nix
+    ./users.nix
+  ];
+
+  options.pub-solar-os = with lib; {
+    adminEmail = mkOption {
+      description = "Email address to use for administrative stuff like ACME";
+      type = types.str;
+      default = "admins@pub.solar";
+    };
+  };
+
+  config = {
+    environment = {
+      # Just a couple of global packages to make our lives easier
+      systemPackages = with pkgs; [ git vim wget ];
+    };
+
+    # Select internationalization properties
+    console = {
+      font = "Lat2-Terminus16";
+      keyMap = "us";
+    };
+
+    time.timeZone = "Etc/UTC";
+
+    home-manager.users.${config.pub-solar-os.authentication.username} = {
+      home.stateVersion = "23.05";
+    };
+  };
+}

modules/core/networking.nix

@@ -0,0 +1,67 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  options.pub-solar-os.networking = with lib; {
+    domain = mkOption {
+      description = "domain on which all services should run. This defaults to pub.solar";
+      type = types.str;
+      default = "pub.solar";
+    };
+
+    defaultInterface = mkOption {
+      description = "Network interface which should be used as the default internet-connected one";
+      type = types.nullOr types.str;
+    };
+  };
+
+  config = {
+
+    # Don't expose SSH via public interfaces
+    networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
+
+    networking.hosts = {
+      "10.7.6.1" = ["nachtigall.${config.pub-solar-os.networking.domain}"];
+      "10.7.6.2" = ["flora-6.${config.pub-solar-os.networking.domain}"];
+    };
+
+    services.openssh = {
+      enable = true;
+      openFirewall = lib.mkDefault false;
+      settings = {
+        PermitRootLogin = "prohibit-password";
+        PasswordAuthentication = false;
+        # Add back openssh MACs that got removed from defaults
+        # for backwards compatibility
+        #
+        # NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
+        # This breaks compatibilty with clients that do not offer these MACs. For
+        # compatibility reasons, we add back the old defaults.
+        # See: https://github.com/NixOS/nixpkgs/pull/231165
+        # 
+        # https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
+        # https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
+        Macs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+          "hmac-sha2-512"
+          "hmac-sha2-256"
+          "umac-128@openssh.com"
+        ];
+      };
+    };
+
+    services.resolved = {
+      enable = true;
+      extraConfig = ''
+        DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+        FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
+        Domains=~.
+        DNSOverTLS=yes
+      '';
+    };
+  };
+}

modules/core/nix.nix

@@ -41,7 +41,7 @@
 
     nixPath = [
       "nixpkgs=${flake.inputs.nixpkgs}"
-      "nixos-config=${../lib/compat/nixos}"
+      "nixos-config=${../../lib/compat/nixos}"
       "home-manager=${flake.inputs.home-manager}"
     ];
   };

modules/core/terminal-tooling.nix

@@ -1,5 +1,5 @@
-{ flake, ... }: {
-  home-manager.users.${flake.self.username} = {
+{ flake, config, ... }: {
+  home-manager.users.${config.pub-solar-os.authentication.username} = {
     programs.git.enable = true;
     programs.starship.enable = true;
     programs.bash.enable = true;

modules/core/users.nix

@@ -0,0 +1,70 @@
+{
+  flake,
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  options.pub-solar-os.authentication = with lib; {
+    username = mkOption {
+      description = "Username for the adminstrative user";
+      type = types.str;
+      default = flake.self.username;
+    };
+
+    sshPubKeys = mkOption {
+      description = "SSH Keys that should have administrative root access";
+      type = types.listOf types.str;
+      default = flake.self.logins.admins.sshPubKeys;
+    };
+
+    root.initialHashedPassword = mkOption {
+      description = "Hashed password of the root account";
+      type = types.str;
+      default = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
+    };
+
+    robot.username = mkOption {
+      description = "username for the robot user";
+      type = types.str;
+      default = "hakkonaut";
+    };
+
+    robot.sshPubKeys = mkOption {
+      description = "SSH Keys to use for the robot user";
+      type = types.listOf types.str;
+      default = flake.self.logins.robots.sshPubKeys;
+    };
+  };
+
+  config = {
+    users.users.${config.pub-solar-os.authentication.username} = {
+      name = config.pub-solar-os.authentication.username;
+      group = config.pub-solar-os.authentication.username;
+      extraGroups = [ "wheel" "docker" ];
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+    };
+    users.groups.${config.pub-solar-os.authentication.username} = { };
+
+    # TODO: Remove when we stop locking ourselves out.
+    users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+
+    users.users.${config.pub-solar-os.authentication.robot.username} = {
+      description = "CI and automation user";
+      home = "/home/${config.pub-solar-os.authentication.robot.username}";
+      createHome = true;
+      useDefaultShell = true;
+      uid = 998;
+      group = "${config.pub-solar-os.authentication.robot.username}";
+      isSystemUser = true;
+      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+    };
+
+    users.groups.${config.pub-solar-os.authentication.robot.username} = { };
+
+    users.users.root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
+
+    security.sudo.wheelNeedsPassword = false;
+  };
+}

modules/default.nix

@@ -2,38 +2,43 @@
 {
   flake = {
     nixosModules = rec {
-      nix = import ./nix.nix;
-      networking = import ./networking.nix;
+      core = import ./core;
+
       unlock-zfs-on-boot = import ./unlock-zfs-on-boot.nix;
       docker = import ./docker.nix;
-      terminal-tooling = import ./terminal-tooling.nix;
-      users = import ./users.nix;
 
-      core = { pkgs, ... }: {
-        imports = [
-          nix
-          networking
-          terminal-tooling
-          users
-        ];
-
-        environment = {
-          # Just a couple of global packages to make our lives easier
-          systemPackages = with pkgs; [ git vim wget ];
-        };
-
-        # Select internationalization properties
-        console = {
-          font = "Lat2-Terminus16";
-          keyMap = "us";
-        };
-
-        time.timeZone = "Etc/UTC";
-
-        home-manager.users.${self.username} = {
-          home.stateVersion = "23.05";
-        };
-      };
+      caddy = import ./apps/caddy.nix;
+      collabora = import ./apps/collabora.nix;
+      coturn = import ./apps/coturn.nix;
+      drone = import ./apps/drone.nix;
+      forgejo-actions-runner = import ./apps/forgejo/forgejo-actions-runner.nix;
+      forgejo = import ./apps/forgejo/forgejo.nix;
+      grafana = import ./apps/grafana/grafana.nix;
+      keycloak = import ./apps/keycloak.nix;
+      loki = import ./apps/loki.nix;
+      mailman = import ./apps/mailman.nix;
+      mastodon = import ./apps/mastodon/mastodon.nix;
+      nginx-mastodon = import ./apps/mastodon/nginx-mastodon.nix;
+      nginx-mastodon-files = import ./apps/mastodon/nginx-mastodon-files.nix;
+      matrix = import ./apps/matrix/synapse.nix;
+      nginx-matrix = import ./apps/matrix/nginx-matrix.nix;
+      matrix-telegram = import ./apps/matrix/mautrix-telegram.nix;
+      matrix-irc = import ./apps/matrix/irc.nix;
+      mediawiki = import ./apps/mediawiki.nix;
+      nextcloud = import ./apps/nextcloud/nextcloud.nix;
+      nginx-website-miom = import ./apps/nginx-website-miom.nix;
+      nginx-website = import ./apps/nginx-website.nix;
+      nginx = import ./apps/nginx.nix;
+      obs-portal = import ./apps/obs-portal.nix;
+      opensearch = import ./apps/opensearch.nix;
+      owncast = import ./apps/owncast.nix;
+      postgresql = import ./apps/postgresql.nix;
+      prometheus = import ./apps/prometheus/prometheus.nix;
+      prometheus-exporters = import ./apps/prometheus/prometheus-exporters.nix;
+      nginx-prometheus-exporters = import ./apps/prometheus/nginx-prometheus-exporters.nix;
+      promtail = import ./apps/promtail.nix;
+      searx = import ./apps/searx.nix;
+      tmate = import ./apps/tmate.nix;
     };
   };
 }

modules/networking.nix

@@ -1,46 +0,0 @@
-{ pkgs, lib, ... }: {
-  # Don't expose SSH via public interfaces
-  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
-
-  networking.hosts = {
-      "10.7.6.1" = ["nachtigall.pub.solar"];
-      "10.7.6.2" = ["flora-6.pub.solar"];
-  };
-
-  services.openssh = {
-    enable = true;
-    openFirewall = lib.mkDefault false;
-    settings = {
-      PermitRootLogin = "prohibit-password";
-      PasswordAuthentication = false;
-      # Add back openssh MACs that got removed from defaults
-      # for backwards compatibility
-      #
-      # NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
-      # This breaks compatibilty with clients that do not offer these MACs. For
-      # compatibility reasons, we add back the old defaults.
-      # See: https://github.com/NixOS/nixpkgs/pull/231165
-      # 
-      # https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
-      # https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
-      Macs = [
-        "hmac-sha2-512-etm@openssh.com"
-        "hmac-sha2-256-etm@openssh.com"
-        "umac-128-etm@openssh.com"
-        "hmac-sha2-512"
-        "hmac-sha2-256"
-        "umac-128@openssh.com"
-      ];
-    };
-  };
-
-  services.resolved = {
-    enable = true;
-    extraConfig = ''
-      DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
-      FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
-      Domains=~.
-      DNSOverTLS=yes
-    '';
-  };
-}

modules/unlock-zfs-on-boot.nix

@@ -1,4 +1,4 @@
-{ flake, ... }: {
+{ flake, config, ... }: {
   # From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot
   boot.initrd.network = {
     enable = true;
@@ -10,7 +10,7 @@
 
       # Please create this manually the first time.
       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = flake.self.logins.admins.sshPubKeys;
+      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
     };
     # this will automatically load the zfs password prompt on login
     # and kill the other prompt so boot can continue

modules/users.nix

@@ -1,30 +0,0 @@
-{ flake, pkgs, ... }: {
-  users.users.${flake.self.username} = {
-    name = flake.self.username;
-    group = flake.self.username;
-    extraGroups = [ "wheel" "docker" ];
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
-  };
-  users.groups.${flake.self.username} = { };
-
-  # TODO: Remove when we stop locking ourselves out.
-  users.users.root.openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
-
-  users.users.hakkonaut = {
-    description = "CI and automation user";
-    home = "/home/hakkonaut";
-    createHome = true;
-    useDefaultShell = true;
-    uid = 998;
-    group = "hakkonaut";
-    isSystemUser = true;
-    openssh.authorizedKeys.keys = flake.self.logins.robots.sshPubKeys;
-  };
-
-  users.groups.hakkonaut = { };
-
-  users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
-
-  security.sudo.wheelNeedsPassword = false;
-}

tests/website.nix

@@ -0,0 +1,23 @@
+{
+  self,
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  name = "website";
+
+  nodes.nachtigall-test = self.nixosConfigurations.nachtigall-test;
+
+  node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
+  hostPkgs = pkgs;
+
+  enableOCR = true;
+
+  testScript = ''
+    machine.wait_for_unit("system.slice")
+    machine.succeed("ping 127.0.0.1 -c 2")
+    machine.wait_for_unit("nginx.service")
+    machine.succeed("curl -H 'Host:pub.solar' http://127.0.0.1/")
+  '';
+}