authorAzat Bahawi <azat@bahawi.net>2022-08-12 22:53:53 +0300
committerAzat Bahawi <azat@bahawi.net>2022-08-12 22:53:53 +0300
commit61b94f0dd06cac0f7dcd38cce80f2a7ab8376098 (patch)
treeb703a9fe11eae6c4cae4e4682f02caf0caa171d0 /configurations/manwe
2022-08-12
Diffstat (limited to '')
-rw-r--r--configurations/manwe/default.nix171
-rw-r--r--configurations/manwe/mailserver.nix96
-rw-r--r--configurations/manwe/webserver.nix21
3 files changed, 288 insertions, 0 deletions
diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix
new file mode 100644
index 0000000..50acacd
--- /dev/null
+++ b/configurations/manwe/default.nix
@@ -0,0 +1,171 @@
+{
+  config,
+  inputs,
+  lib,
+  this,
+  ...
+}:
+with lib; {
+  imports = [
+    ./mailserver.nix
+    ./webserver.nix
+  ];
+
+  secrets.wireguard-private-key-manwe.file = "${inputs.self}/secrets/wireguard-private-key-manwe";
+
+  nixfiles.modules = {
+    nsd = {
+      enable = true;
+      fqdn = "ns1.${config.networking.domain}";
+    };
+    unbound.enable = true;
+
+    wireguard = {
+      privateKeyFile = config.secrets.wireguard-private-key-manwe.path;
+      server.enable = true;
+    };
+
+    acme.enable = true;
+
+    monitoring.enable = true;
+
+    gotify.enable = true;
+    matrix.dendrite = {
+      enable = true;
+      domain = my.domain.azahi;
+    };
+    soju = {
+      enable = true;
+      domain = my.domain.azahi;
+    };
+  };
+
+  services.prometheus = {
+    # TODO Make this generic.
+    scrapeConfigs = with my.configurations;
+    with config.services.prometheus.exporters; [
+      {
+        job_name = "endlessh-go";
+        static_configs = [
+          {
+            targets = with config.nixfiles.modules.endlessh-go; [
+              "${manwe.hostname}:${toString prometheusPort}"
+              "${varda.hostname}:${toString prometheusPort}"
+              "${yavanna.hostname}:${toString prometheusPort}"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "nginx";
+        static_configs = [
+          {
+            targets = with nginx; [
+              "${manwe.hostname}:${toString port}"
+              "${varda.hostname}:${toString port}"
+              "${yavanna.hostname}:${toString port}"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "node";
+        static_configs = [
+          {
+            targets = with node; [
+              "${manwe.hostname}:${toString port}"
+              "${varda.hostname}:${toString port}"
+              "${yavanna.hostname}:${toString port}"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "postgres";
+        static_configs = [
+          {
+            targets = with postgres; [
+              "${manwe.hostname}:${toString port}"
+              "${varda.hostname}:${toString port}"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "unbound";
+        static_configs = [
+          {
+            targets = with unbound; ["${manwe.hostname}:${toString port}"];
+          }
+        ];
+      }
+      # {
+      #   job_name = "wireguard";
+      #   static_configs = [{
+      #     targets = with wireguard; [
+      #       "${manwe.hostname}:${toString port}"
+      #     ];
+      #   }];
+      # }
+    ];
+  };
+
+  networking = let
+    interface = "eth0";
+  in {
+    interfaces.${interface} = {
+      ipv4.addresses = [
+        {
+          inherit (this.ipv4) address;
+          prefixLength = 22;
+        }
+      ];
+
+      ipv6.addresses = [
+        {
+          inherit (this.ipv6) address;
+          prefixLength = 64;
+        }
+      ];
+    };
+
+    defaultGateway = {
+      inherit interface;
+      address = this.ipv4.gateway;
+    };
+
+    defaultGateway6 = {
+      inherit interface;
+      address = this.ipv6.gateway;
+    };
+
+    nat.externalInterface = interface;
+  };
+
+  boot = {
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+
+    initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+  };
+
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/sda1";
+      fsType = "xfs";
+      options = ["noatime"];
+    };
+
+    "/" = {
+      device = "/dev/sda2";
+      fsType = "xfs";
+      options = ["noatime"];
+    };
+  };
+
+  swapDevices = [{device = "/dev/sda3";}];
+
+  system.stateVersion = "22.05";
+}
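Review bot: The Prometheus `static_configs` for the endlessh-go, nginx, node and postgres jobs address varda and yavanna by hostname with no `scheme`, `tls_config` or `basic_auth`, so the exporters on the peer hosts are scraped over plain, unauthenticated HTTP; whether that traffic stays on the WireGuard link or crosses the public network depends on what `varda.hostname`/`yavanna.hostname` resolve to, which this hunk does not show. If those names resolve to public addresses, the exporter ports have to be open to manwe and are then open to everyone else unless the peer hosts' firewall rules (not in this diff) restrict them. Pin the assumption next to the `TODO Make this generic` comment, e.g. `# NOTE: exporters are scraped over plain HTTP; targets must resolve to WireGuard-internal addresses and exporter ports must not be reachable on eth0.`, and keep the commented-out `wireguard` job with a one-line reason it is disabled rather than dead code.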
diff --git a/configurations/manwe/mailserver.nix b/configurations/manwe/mailserver.nix
new file mode 100644
index 0000000..60a917b
--- /dev/null
+++ b/configurations/manwe/mailserver.nix
@@ -0,0 +1,96 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib; {
+  imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+  config = {
+    secrets = {
+      dkim-key-azahi-cc = {
+        file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+        path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+        owner = "opendkim";
+        group = "opendkim";
+      };
+      dkim-key-rohan-net = {
+        file = "${inputs.self}/secrets/dkim-key-rohan-net";
+        path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+        owner = "opendkim";
+        group = "opendkim";
+      };
+      dkim-key-gondor-net = {
+        file = "${inputs.self}/secrets/dkim-key-gondor-net";
+        path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+        owner = "opendkim";
+        group = "opendkim";
+      };
+      dkim-key-shire-me = {
+        file = "${inputs.self}/secrets/dkim-key-shire-me";
+        path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+        owner = "opendkim";
+        group = "opendkim";
+      };
+    };
+
+    nixfiles.modules.acme.enable = true;
+
+    mailserver = let
+      cert = config.certs.${my.domain.shire};
+    in {
+      enable = true;
+
+      fqdn = config.networking.domain;
+      domains = with my.domain; [azahi gondor rohan shire];
+
+      localDnsResolver = false;
+
+      certificateScheme = 1;
+      certificateFile = "${cert.directory}/fullchain.pem";
+      keyFile = "${cert.directory}/key.pem";
+
+      lmtpSaveToDetailMailbox = "no";
+
+      loginAccounts = with my.domain; {
+        "azahi@${shire}" = {
+          hashedPassword = "[REDACTED]";
+          aliases = [
+            "@${azahi}"
+            "@${rohan}"
+            "@${gondor}"
+            "abuse@${shire}"
+            "admin@${shire}"
+            "ceo@${shire}"
+            "postmaster@${shire}"
+          ];
+        };
+        "samwise@${shire}" = {
+          hashedPassword = "[REDACTED]";
+          aliases = ["chad@${shire}"];
+          quota = "1G";
+        };
+        "pippin@${shire}" = {
+          hashedPassword = "[REDACTED]";
+          quota = "1G";
+        };
+        "meriadoc@${shire}" = {
+          hashedPassword = "[REDACTED]";
+          quota = "1G";
+        };
+      };
+    };
+
+    services.fail2ban.jails = {
+      dovecot = ''
+        enabled = true
+        mode = aggressive
+      '';
+      postfix = ''
+        enabled = true
+        mode = aggressive
+      '';
+    };
+  };
+}
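Review bot: The `hashedPassword` values in `loginAccounts` are string literals in the NixOS configuration, so whatever is there (the rendering shows `[REDACTED]`) is copied into the committed flake and into the world-readable Nix store, unlike the DKIM keys above, which go through the `secrets` mechanism with `owner = "opendkim"`. simple-nixos-mailserver accepts `hashedPasswordFile` for exactly this case; declare a `secrets.mail-password-azahi = { file = "${inputs.self}/secrets/mail-password-azahi"; }` entry like the DKIM ones and use `hashedPasswordFile = config.secrets.mail-password-azahi.path;` per account so the hashes never land in the store. If the literal is a placeholder that only the web view substitutes, the point still applies to the file as committed.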
diff --git a/configurations/manwe/webserver.nix b/configurations/manwe/webserver.nix
new file mode 100644
index 0000000..fd23432
--- /dev/null
+++ b/configurations/manwe/webserver.nix
@@ -0,0 +1,21 @@
+{
+  inputs,
+  lib,
+  ...
+}:
+with lib; {
+  config.nixfiles.modules.nginx.virtualHosts = with my.domain;
+    {
+      ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+      ${azahi} = {
+        serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+        locations."/".root = inputs.azahi-cc;
+      };
+    }
+    // (let
+      frodo = "301 https://frodo.";
+    in {
+      ${gondor}.locations."/".return = concatStrings [frodo gondor];
+      ${rohan}.locations."/".return = concatStrings [frodo rohan];
+    });
+}
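Review bot: The redirects built from `frodo` on the two `concatStrings` lines return `301 https://frodo.<domain>` with no `$request_uri`, so any path or query on the gondor/rohan hosts is dropped and the client always lands on the alias's root; since `frodo.${gondor}` and `frodo.${rohan}` are `serverAliases` of the `${azahi}` static site, `concatStrings [frodo gondor "$request_uri"]` would preserve deep links. Separately, `locations."/".root = inputs.azahi-cc` serves the whole flake input directory, so any non-site file that input carries (a `flake.nix`, README, CI config) is served too; if the site lives in a subdirectory or is a build output, point `root` at that instead — the input's layout is not visible from here. Whether the nixfiles nginx module forces HTTPS for these hosts is also outside this hunk.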
