initial commit

2026-02-16 21:29:21 -08:00 · 2026-02-16 21:29:21 -08:00 · 47c42dc7a6
commit 47c42dc7a6
14 changed files with 490 additions and 0 deletions
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+
+{
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      "extremist.software" = {
+        extraConfig = ''
+          respond "Hi"
+        '';
+      };
+      
+      "git.extremist.software" = {
+        extraConfig = ''
+          reverse_proxy localhost:3000
+        '';
+      };
+
+      "mail.extremist.software" = {
+        # Stalwart handles its own certs usually, or we can proxy UI here
+        # Stalwart UI is usually on 8080
+        extraConfig = ''
+          reverse_proxy localhost:8080
+        '';
+      };
+
+      "search.extremist.software" = {
+        extraConfig = ''
+          reverse_proxy localhost:8082
+        '';
+      };
+
+      "status.extremist.software" = {
+        extraConfig = ''
+          reverse_proxy localhost:3001 # Grafana
+        '';
+      };
+
+      "matrix.extremist.software" = {
+        extraConfig = ''
+          reverse_proxy /_matrix/* localhost:6167
+          reverse_proxy /_synapse/client/* localhost:6167
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/modules/forgejo.nix
+++ b/modules/forgejo.nix
@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    # Enable support for Large File Storage
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = "git.extremist.software";
+        ROOT_URL = "https://git.extremist.software/";
+        HTTP_PORT = 3000;
+      };
+      # You can configure SMTP here using secrets if needed
+    };
+    # Secret for DB password set in secrets.nix
+  };
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_15;
+  };
+}
--- a/modules/mail.nix
+++ b/modules/mail.nix
@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+
+{
+  services.stalwart = {
+    enable = true;
+    settings = {
+      server = {
+        hostname = "mail.extremist.software";
+        tls = {
+          enable = true;
+          implicit = false; # StartTLS usually on 587
+        };
+      };
+      # authentication.fallback-admin set in secrets.nix
+      # Stalwart configuration is quite extensive. 
+      # By default it listens on standard ports (25, 465, 587, 993, 4190)
+      # and provides a web admin UI on 8080.
+    };
+  };
+
+  # Open Firewalls for Mail
+  networking.firewall.allowedTCPPorts = [ 
+    25 465 587 # SMTP
+    993        # IMAP (Secure)
+    4190       # Sieve
+    8080       # Admin UI (Reverse proxied, but good to double check loopback)
+  ];
+}
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+  services.matrix-conduit = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "matrix.extremist.software";
+        allow_registration = true; # Disable after creating first user
+        port = 6167;
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 6167 8448 ];
+}
--- a/modules/minecraft.nix
+++ b/modules/minecraft.nix
@ -0,0 +1,33 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
+
+  nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
+
+  services.minecraft-servers = {
+    enable = true;
+    eula = true;
+
+    servers = {
+      fabric = {
+        enable = true;
+        # Use fetchPackwizModpack to get the server with mods
+        package = pkgs.fetchPackwizModpack {
+          url = "https://raw.githubusercontent.com/Fabulously-Optimized/fabulously-optimized/main/Packwiz/1.20.1/pack.toml";
+          packHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; # User must update this hash!
+        };
+        serverProperties = {
+          motd = "Extremist Software Optimized Server";
+          difficulty = "hard";
+          view-distance = 10;
+          simulation-distance = 10;
+          max-players = 5;
+          enable-rcon = true;
+          # "rcon.password" set in secrets.nix
+        };
+        jvmOpts = "-Xms2G -Xmx2500M -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
+      };
+    };
+  };
+}
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+
+{
+  services.prometheus = {
+    enable = true;
+    port = 9090;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 9100;
+      };
+      # Stalwart and Conduit might have exporters too
+    };
+    scrapeConfigs = [
+      {
+        job_name = "node";
+        static_configs = [{
+          targets = [ "127.0.0.1:9100" ];
+        }];
+      }
+    ];
+  };
+
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        http_port = 3001;
+        http_addr = "127.0.0.1";
+        domain = "status.extremist.software";
+      };
+    };
+  };
+}
--- a/modules/searx.nix
+++ b/modules/searx.nix
@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+
+{
+  services.searx = {
+    enable = true;
+    # settings.server.secret_key set in secrets.nix
+    settings = {
+      server = {
+        port = 8082;
+        bind_address = "127.0.0.1";
+        # secret_key = ...; # Set via env var in file
+      };
+    };
+  };
+  
+  # Inject secret via env vars or file substitution if possible
+  # Or use `environment.etc` to place config file if service allows.
+  # For now, simplistic setup.
+}