Diffstat (limited to 'configurations/manwe')
-rw-r--r--configurations/manwe/default.nix171
-rw-r--r--configurations/manwe/mailserver.nix96
-rw-r--r--configurations/manwe/webserver.nix21
3 files changed, 288 insertions, 0 deletions
diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix
new file mode 100644
index 0000000..50acacd
--- /dev/null
+++ b/configurations/manwe/default.nix
@@ -0,0 +1,171 @@
+{
+ config,
+ inputs,
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ imports = [
+ ./mailserver.nix
+ ./webserver.nix
+ ];
+
+ secrets.wireguard-private-key-manwe.file = "${inputs.self}/secrets/wireguard-private-key-manwe";
+
+ nixfiles.modules = {
+ nsd = {
+ enable = true;
+ fqdn = "ns1.${config.networking.domain}";
+ };
+ unbound.enable = true;
+
+ wireguard = {
+ privateKeyFile = config.secrets.wireguard-private-key-manwe.path;
+ server.enable = true;
+ };
+
+ acme.enable = true;
+
+ monitoring.enable = true;
+
+ gotify.enable = true;
+ matrix.dendrite = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ soju = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ };
+
+ services.prometheus = {
+ # TODO Make this generic.
+ scrapeConfigs = with my.configurations;
+ with config.services.prometheus.exporters; [
+ {
+ job_name = "endlessh-go";
+ static_configs = [
+ {
+ targets = with config.nixfiles.modules.endlessh-go; [
+ "${manwe.hostname}:${toString prometheusPort}"
+ "${varda.hostname}:${toString prometheusPort}"
+ "${yavanna.hostname}:${toString prometheusPort}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "nginx";
+ static_configs = [
+ {
+ targets = with nginx; [
+ "${manwe.hostname}:${toString port}"
+ "${varda.hostname}:${toString port}"
+ "${yavanna.hostname}:${toString port}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "node";
+ static_configs = [
+ {
+ targets = with node; [
+ "${manwe.hostname}:${toString port}"
+ "${varda.hostname}:${toString port}"
+ "${yavanna.hostname}:${toString port}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "postgres";
+ static_configs = [
+ {
+ targets = with postgres; [
+ "${manwe.hostname}:${toString port}"
+ "${varda.hostname}:${toString port}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "unbound";
+ static_configs = [
+ {
+ targets = with unbound; ["${manwe.hostname}:${toString port}"];
+ }
+ ];
+ }
+ # {
+ # job_name = "wireguard";
+ # static_configs = [{
+ # targets = with wireguard; [
+ # "${manwe.hostname}:${toString port}"
+ # ];
+ # }];
+ # }
+ ];
+ };
+
+ networking = let
+ interface = "eth0";
+ in {
+ interfaces.${interface} = {
+ ipv4.addresses = [
+ {
+ inherit (this.ipv4) address;
+ prefixLength = 22;
+ }
+ ];
+
+ ipv6.addresses = [
+ {
+ inherit (this.ipv6) address;
+ prefixLength = 64;
+ }
+ ];
+ };
+
+ defaultGateway = {
+ inherit interface;
+ address = this.ipv4.gateway;
+ };
+
+ defaultGateway6 = {
+ inherit interface;
+ address = this.ipv6.gateway;
+ };
+
+ nat.externalInterface = interface;
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+
+ "/" = {
+ device = "/dev/sda2";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ swapDevices = [{device = "/dev/sda3";}];
+
+ system.stateVersion = "22.05";
+}
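Review bot: The nginx, node and postgres jobs scrape varda and yavanna by bare hostname (`"${varda.hostname}:${toString port}"` and siblings), so those exporters must accept connections from manwe on their exporter ports, and nothing in this file shows whether that path is the wireguard tunnel or the public interface. A one-line comment above `scrapeConfigs` naming the expected path and where the matching firewall rule lives would let the next reader verify the exporters are not reachable more widely than intended; I cannot tell from the hunk which it is. The `# TODO Make this generic.` note can be acted on now with a small helper so each job is one line and the host list is the only thing that varies; the commented-out wireguard job could then either become a real `mkJob` call or be dropped with a comment saying why it is disabled.
```nix
    scrapeConfigs = with my.configurations;
    with config.services.prometheus.exporters; let
      # One scrape job: job name, exporter port, list of host configs to target.
      mkJob = job_name: port: hosts: {
        inherit job_name;
        static_configs = [{targets = map (h: "${h.hostname}:${toString port}") hosts;}];
      };
    in [
      (mkJob "endlessh-go" config.nixfiles.modules.endlessh-go.prometheusPort [manwe varda yavanna])
      (mkJob "nginx" nginx.port [manwe varda yavanna])
      (mkJob "node" node.port [manwe varda yavanna])
      (mkJob "postgres" postgres.port [manwe varda])
      (mkJob "unbound" unbound.port [manwe])
      # … unchanged: disabled wireguard job …
    ];
```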
diff --git a/configurations/manwe/mailserver.nix b/configurations/manwe/mailserver.nix
new file mode 100644
index 0000000..60a917b
--- /dev/null
+++ b/configurations/manwe/mailserver.nix
@@ -0,0 +1,96 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+ config = {
+ secrets = {
+ dkim-key-azahi-cc = {
+ file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+ path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-rohan-net = {
+ file = "${inputs.self}/secrets/dkim-key-rohan-net";
+ path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-gondor-net = {
+ file = "${inputs.self}/secrets/dkim-key-gondor-net";
+ path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-shire-me = {
+ file = "${inputs.self}/secrets/dkim-key-shire-me";
+ path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ };
+
+ nixfiles.modules.acme.enable = true;
+
+ mailserver = let
+ cert = config.certs.${my.domain.shire};
+ in {
+ enable = true;
+
+ fqdn = config.networking.domain;
+ domains = with my.domain; [azahi gondor rohan shire];
+
+ localDnsResolver = false;
+
+ certificateScheme = 1;
+ certificateFile = "${cert.directory}/fullchain.pem";
+ keyFile = "${cert.directory}/key.pem";
+
+ lmtpSaveToDetailMailbox = "no";
+
+ loginAccounts = with my.domain; {
+ "azahi@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ aliases = [
+ "@${azahi}"
+ "@${rohan}"
+ "@${gondor}"
+ "abuse@${shire}"
+ "admin@${shire}"
+ "ceo@${shire}"
+ "postmaster@${shire}"
+ ];
+ };
+ "samwise@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ aliases = ["chad@${shire}"];
+ quota = "1G";
+ };
+ "pippin@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ quota = "1G";
+ };
+ "meriadoc@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ quota = "1G";
+ };
+ };
+ };
+
+ services.fail2ban.jails = {
+ dovecot = ''
+ enabled = true
+ mode = aggressive
+ '';
+ postfix = ''
+ enabled = true
+ mode = aggressive
+ '';
+ };
+ };
+}
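Review bot: The four `hashedPassword = "[REDACTED]";` entries put the account password hashes into the evaluated configuration, and everything in the Nix store is world-readable on the host, which is inconsistent with the care taken for the DKIM keys just above via `secrets.*` with an `owner`/`group`. simple-nixos-mailserver accepts `hashedPasswordFile` instead; each account would become `hashedPasswordFile = config.secrets.<name>.path;` with a matching `secrets.<name>` entry, keeping the hashes out of the store. Separately, `cert` is taken from `config.certs.${my.domain.shire}` while `fqdn = config.networking.domain` and four domains are served; whether that certificate's SANs cover the fqdn clients actually connect to is not visible here, so a short comment at `cert =` stating which names it covers would be worth adding.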
diff --git a/configurations/manwe/webserver.nix b/configurations/manwe/webserver.nix
new file mode 100644
index 0000000..fd23432
--- /dev/null
+++ b/configurations/manwe/webserver.nix
@@ -0,0 +1,21 @@
+{
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ config.nixfiles.modules.nginx.virtualHosts = with my.domain;
+ {
+ ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+ ${azahi} = {
+ serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+ locations."/".root = inputs.azahi-cc;
+ };
+ }
+ // (let
+ frodo = "301 https://frodo.";
+ in {
+ ${gondor}.locations."/".return = concatStrings [frodo gondor];
+ ${rohan}.locations."/".return = concatStrings [frodo rohan];
+ });
+}
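Review bot: The split redirect prefix `frodo = "301 https://frodo.";` joined with `concatStrings [frodo gondor]` hides the actual target behind a concatenation; writing the two hosts as `${gondor}.locations."/".return = "301 https://frodo.${gondor}";` and the same for `${rohan}` reads directly and drops the `let`. A comment noting that these hosts are redirect-only (no `$request_uri` is appended, so every path lands on the root of `frodo.<domain>`) would make the intent explicit for the next reader.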