authorAzat Bahawi <azat@bahawi.net>2024-05-01 03:36:55 +0300
committerAzat Bahawi <azat@bahawi.net>2024-05-01 03:36:55 +0300
commit9a20404924fda2587ce4f9769f75369799f34643 (patch)
treea953941a22d6c031e67b267e35a11db72bdd25e3 /configurations/manwe
parent2024-04-29 (diff)
2024-05-01
Diffstat (limited to 'configurations/manwe')
-rw-r--r--configurations/manwe/default.nix76
-rw-r--r--configurations/manwe/mailserver/default.nix113
-rw-r--r--configurations/manwe/webserver.nix109
3 files changed, 298 insertions, 0 deletions
diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix
new file mode 100644
index 0000000..3707440
--- /dev/null
+++ b/configurations/manwe/default.nix
@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+with lib;
+{
+  imports = attrValues (modulesIn ./.);
+
+  nixfiles.modules = {
+    nsd = {
+      enable = true;
+      fqdn = "ns1.${config.networking.domain}";
+    };
+    unbound.enable = true;
+
+    wireguard.server.enable = true;
+
+    acme.enable = true;
+
+    monitoring.enable = true;
+
+    postgresql.enable = true;
+    clickhouse.enable = true;
+
+    git.server = {
+      enable = true;
+      domain = "git.${my.domain.azahi}";
+    };
+
+    matrix.dendrite = {
+      enable = true;
+      domain = my.domain.azahi;
+    };
+    murmur.enable = true;
+    radicale.enable = true;
+    rss-bridge.enable = true;
+    shadowsocks.enable = true;
+    soju = {
+      enable = true;
+      domain = my.domain.azahi;
+    };
+    vaultwarden.enable = true;
+    ntfy.enable = true;
+    plausible.enable = true;
+  };
+
+  boot = {
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+
+    initrd.availableKernelModules = [
+      "virtio_pci"
+      "virtio_scsi"
+    ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/sda2";
+      fsType = "xfs";
+      options = [ "noatime" ];
+    };
+
+    "/boot" = {
+      device = "/dev/sda1";
+      fsType = "xfs";
+      options = [ "noatime" ];
+    };
+  };
+
+  swapDevices = [ { device = "/dev/sda3"; } ];
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 25;
+  };
+}
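Review bot: The swap partition declared in `swapDevices = [ { device = "/dev/sda3"; } ];` is a plain, unencrypted block device, while this host concentrates long-lived secrets in memory — the WireGuard server key, Vaultwarden's vault database, DKIM keys, Dendrite and soju state — and no disk encryption is visible in this file (root is xfs directly on `/dev/sda2`, so a LUKS layer may exist only if it is configured elsewhere). Anything the kernel pages out to that partition survives a reboot or a disk-image copy in cleartext. The `zramSwap` block below does not change that, since the disk partition remains a swap target once zram is full. A cheap fix with no usability cost is an ephemeral-key dm-crypt wrapper: `swapDevices = [ { device = "/dev/sda3"; randomEncryption.enable = true; } ];`.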
diff --git a/configurations/manwe/mailserver/default.nix b/configurations/manwe/mailserver/default.nix
new file mode 100644
index 0000000..cc8b41d
--- /dev/null
+++ b/configurations/manwe/mailserver/default.nix
@@ -0,0 +1,113 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib;
+{
+  imports = [ inputs.mailserver.nixosModule ] ++ attrValues (modulesIn ./.);
+
+  ark.directories = with config.mailserver; [
+    "/var/lib/dovecot"
+    "/var/lib/postfix"
+    config.security.dhparams.params.dovecot2.path
+    dkimKeyDirectory
+    mailDirectory
+    sieveDirectory
+  ];
+
+  secrets = with config.mailserver; {
+    dkim-key-azahi-cc = {
+      file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+      path = "${dkimKeyDirectory}/${my.domain.azahi}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+    dkim-key-rohan-net = {
+      file = "${inputs.self}/secrets/dkim-key-rohan-net";
+      path = "${dkimKeyDirectory}/${my.domain.rohan}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+    dkim-key-gondor-net = {
+      file = "${inputs.self}/secrets/dkim-key-gondor-net";
+      path = "${dkimKeyDirectory}/${my.domain.gondor}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+    dkim-key-shire-net = {
+      file = "${inputs.self}/secrets/dkim-key-shire-net";
+      path = "${dkimKeyDirectory}/${my.domain.shire}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+  };
+
+  nixfiles.modules = {
+    acme.enable = true;
+    redis.enable = true;
+  };
+
+  mailserver =
+    let
+      cert = config.certs.${my.domain.shire};
+    in
+    {
+      enable = true;
+
+      # Disable potentially insecure[1] STARTTLS connections. SSL-only connections
+      # are still enabled by default.
+      #
+      # [1]: https://www.rfc-editor.org/rfc/rfc3207#section-6
+      enableImap = false;
+      enablePop3 = false;
+      enableSubmission = false;
+
+      fqdn = config.networking.domain;
+      domains = with my.domain; [
+        azahi
+        gondor
+        rohan
+        shire
+      ];
+
+      localDnsResolver = false;
+
+      certificateScheme = "manual";
+      certificateFile = "${cert.directory}/fullchain.pem";
+      keyFile = "${cert.directory}/key.pem";
+
+      lmtpSaveToDetailMailbox = "no";
+
+      redis = with config.services.redis.servers.default; {
+        address = bind;
+        inherit port;
+        password = requirePass;
+      };
+    };
+
+  services = {
+    fail2ban.jails = {
+      dovecot = {
+        enabled = true;
+        settings.mode = "aggressive";
+      };
+      postfix = {
+        enabled = true;
+        settings.mode = "aggressive";
+      };
+    };
+
+    # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/275#note_1746383655
+    dovecot2.sieve.extensions = [ "fileinto" ];
+
+    # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241
+    redis.servers.rspamd.enable = mkForce false;
+  };
+
+  systemd.services.rspamd = {
+    requires = mkForce [ "redis-default.service" ];
+    after = mkForce [ "redis-default.service" ];
+  };
+}
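Review bot: The `redis = ... { password = requirePass; }` block near the end of the `mailserver` attribute set feeds `config.services.redis.servers.default.requirePass` into `mailserver.redis.password`; NixOS documents `requirePass` as being visible in the world-readable Nix store, and as far as I can tell the mailserver module renders that string into rspamd's generated `local.d/redis.conf`, which also lives in the store, so the password guarding the shared Redis instance would be readable by every local user and service. Whether `requirePass` is a literal or `null` depends on the `nixfiles.modules.redis` module, which is outside this diff, so this is moot if Redis is unauthenticated on a unix socket or loopback only. If it is a literal, the realistic mitigations are to keep Redis bound to `127.0.0.1` or a socket (the same `bind` value is reused here as `address`, so that is easy to confirm) and treat the password as defence-in-depth rather than a secret, or to move to `requirePassFile` and ship rspamd's redis config as a deployed secret instead of through the module option. A one-line comment stating which of those holds, e.g. `# requirePass is world-readable via the store; Redis is loopback-only, password is not relied on`, would save the next reader the same check.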
diff --git a/configurations/manwe/webserver.nix b/configurations/manwe/webserver.nix
new file mode 100644
index 0000000..95a0b0b
--- /dev/null
+++ b/configurations/manwe/webserver.nix
@@ -0,0 +1,109 @@
+{
+  inputs,
+  lib,
+  libNginx,
+  libPlausible,
+  ...
+}:
+with lib;
+{
+  nixfiles.modules.nginx = {
+    enable = true;
+    virtualHosts =
+      with my.domain;
+      {
+        # TODO Start using this.
+        # "start.local" = {
+        #   root = pkgs.hiccup;
+        #   locations = {
+        #     "/".tryFiles = "$uri $uri/ /index.html";
+        #     "~* ^.+config.json$".extraConfig = let
+        #       config = pkgs.writeText "config.json" (generators.toJSON {} {
+        #         version = "2.0";
+        #         id = "default";
+        #         title = "Demo Config";
+        #         url = "./configs/config.json";
+        #         featured = [
+        #           {
+        #             name = "GitHub";
+        #             background = "/assets/card.png";
+        #             link = "https://github.com/ashwin-pc/hiccup";
+        #           }
+        #         ];
+        #         categories = [
+        #           {
+        #             title = "Category 1";
+        #             links = [
+        #               {
+        #                 name = "Link 1";
+        #                 link = "https://example.com";
+        #               }
+        #             ];
+        #           }
+        #           {
+        #             title = "Category 2";
+        #             links = [
+        #               {
+        #                 name = "Link 1";
+        #                 link = "https://example.com";
+        #               }
+        #             ];
+        #           }
+        #           {
+        #             title = "Category 3";
+        #             links = [
+        #               {
+        #                 name = "Link 1";
+        #                 link = "https://example.com";
+        #               }
+        #             ];
+        #           }
+        #           {
+        #             title = "Category 4";
+        #             links = [
+        #               {
+        #                 name = "Link 1";
+        #                 link = "https://example.com";
+        #               }
+        #             ];
+        #           }
+        #         ];
+        #       });
+        #     in ''
+        #       alias ${config};
+        #     '';
+        #   };
+        #   enableACME = false;
+        #   forceSSL = false;
+        # };
+        ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+        "git.${shire}".locations."/".return = "301 https://git.${azahi}";
+        "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}";
+        ${azahi} = {
+          serverAliases = [
+            "frodo.${gondor}"
+            "frodo.${rohan}"
+          ];
+          locations."/" = {
+            root = inputs.azahi-cc;
+            extraConfig = libNginx.config.appendHead [ (libPlausible.htmlPlausibleScript { domain = azahi; }) ];
+          };
+        };
+      }
+      // (
+        let
+          frodo = "301 https://frodo.";
+        in
+        {
+          ${gondor}.locations."/".return = concatStrings [
+            frodo
+            gondor
+          ];
+          ${rohan}.locations."/".return = concatStrings [
+            frodo
+            rohan
+          ];
+        }
+      );
+  };
+}
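Review bot: Roughly sixty lines of this new file are a commented-out `start.local` virtual host carried as a TODO, and it is the only place in the file where TLS is switched off (`enableACME = false; forceSSL = false;`), so if someone un-comments it later a plaintext vhost with a broad `~* ^.+config.json$` regex location (unescaped dot, matches any path ending in those characters) lands on the public web server without a separate review. Dead configuration committed next to live configuration is hard to tell apart from intent, especially in a module that is otherwise a flat list of vhosts. I would reduce it to a one-line `# TODO: add a local-only start page (hiccup) vhost; no ACME, must not be exposed publicly.` and keep the draft in a branch or scratch file. Separately, the `return 301` redirects for `git.${shire}`, `${gondor}` and `${rohan}` drop the request path, so `https://git.${shire}/repo` lands on `https://git.${azahi}/`; if path preservation is wanted, append `$request_uri`, e.g. `"301 https://git.${azahi}$request_uri"`.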
