Diffstat (limited to '')
-rw-r--r--modules/nixos/common/security.nix2
-rw-r--r--modules/nixos/common/xdg.nix5
-rw-r--r--modules/nixos/matrix/dendrite.nix14
-rw-r--r--modules/nixos/matrix/synapse.nix14
-rw-r--r--modules/nixos/nsd.nix58
-rw-r--r--modules/nixos/sound.nix4
6 files changed, 70 insertions, 27 deletions
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 7a3d3b3..2272e12 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@@ -25,5 +25,7 @@ with lib; {
         });
       '';
     };
+
+    rtkit.enable = true;
   };
 }
diff --git a/modules/nixos/common/xdg.nix b/modules/nixos/common/xdg.nix
index 8ddf1ac..d74bf82 100644
--- a/modules/nixos/common/xdg.nix
+++ b/modules/nixos/common/xdg.nix
@@ -15,6 +15,11 @@ with lib; {
     (mkAliasOptionModule ["userDirs"] (withBase "userDirs"))
   ];
 
+  xdg.portal = mkIf this.isHeadful {
+    enable = true;
+    xdgOpenUsePortal = true;
+  };
+
   hm.xdg = mkMerge [
     {
       enable = true;
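Review bot: `xdg.portal.enable = true` on line 36 is set without any `extraPortals`, and as far as I recall the NixOS portal module asserts that at least one backend is enabled unless a desktop-environment module adds one; with `xdgOpenUsePortal = true` on line 37, `xdg-open` is routed through the portal's OpenURI interface, so on a headful host whose session registers no backend, opening URLs and files stops working rather than falling back. If every `this.isHeadful` host runs a DE that provides a backend this is fine; otherwise add e.g. `extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` next to `enable`, or a comment stating which module is expected to supply it. The enclosing module continues outside the hunk.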
diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix
index bd19f8b..d9c4914 100644
--- a/modules/nixos/matrix/dendrite.nix
+++ b/modules/nixos/matrix/dendrite.nix
@@ -52,20 +52,18 @@ in {
               extraConfig = ''
                 add_header Content-Type application/json;
               '';
-              return = "200 '${
-                generators.toJSON {} {"m.server" = "${cfg.domain}:443";}
-              }'";
+              return = "200 '${generators.toJSON {} {
+                "m.server" = "${cfg.domain}:443";
+              }}'";
             };
             "= /.well-known/matrix/client" = {
               extraConfig = ''
                 add_header Content-Type application/json;
                 add_header Access-Control-Allow-Origin *;
               '';
-              return = "200 '${
-                generators.toJSON {} {
-                  "m.homeserver".base_url = "https://${cfg.domain}";
-                }
-              }'";
+              return = "200 '${generators.toJSON {} {
+                "m.homeserver".base_url = "https://${cfg.domain}";
+              }}'";
             };
           };
         };
diff --git a/modules/nixos/matrix/synapse.nix b/modules/nixos/matrix/synapse.nix
index a74ebb4..40595a0 100644
--- a/modules/nixos/matrix/synapse.nix
+++ b/modules/nixos/matrix/synapse.nix
@@ -33,20 +33,18 @@ in {
               extraConfig = ''
                 add_header Content-Type application/json;
               '';
-              return = "200 '${
-                generators.toJSON {} {"m.server" = "${cfg.domain}:443";}
-              }'";
+              return = "200 '${generators.toJSON {} {
+                "m.server" = "${cfg.domain}:443";
+              }}'";
             };
             "= /.well-known/matrix/client" = {
               extraConfig = ''
                 add_header Content-Type application/json;
                 add_header Access-Control-Allow-Origin *;
               '';
-              return = "200 '${
-                generators.toJSON {} {
-                  "m.homeserver".base_url = "https://${cfg.domain}";
-                }
-              }'";
+              return = "200 '${generators.toJSON {} {
+                "m.homeserver".base_url = "https://${cfg.domain}";
+              }}'";
             };
           };
         };
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index 255c787..f8d9e4b 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -19,6 +19,27 @@ in {
   };
 
   config = mkIf cfg.enable {
+    nixfiles.modules.nginx = let
+      domain = my.domain.shire;
+    in {
+      enable = true;
+      virtualHosts = mapAttrs' (_: v:
+        nameValuePair "mta-sts.${v}" {
+          locations."= /.well-known/mta-sts.txt" = {
+            extraConfig = ''
+              add_header default_type text/plain;
+            '';
+            return = "200 '${concatStringsSep "\\r\\n" [
+              "version: STSv1"
+              "mode: enforce"
+              "max_age: 2419200"
+              "mx: ${domain}"
+            ]}'";
+          };
+        })
+      my.domain;
+    };
+
     services = {
       nsd = {
         enable = true;
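Review bot: `add_header default_type text/plain;` on line 121 emits a response header literally named `default_type` rather than setting the Content-Type — `default_type` is an nginx directive, not a header — so the policy body built by `return` on lines 123-128 goes out with nginx's default media type instead of the `text/plain` that RFC 8461 specifies, and senders that validate the media type will treat the policy as unavailable. The matrix hunks in this commit already use the correct form; change the line to `add_header Content-Type text/plain;` (or make it the directive `default_type text/plain;`). The policy also has to be fetched over HTTPS with a certificate valid for `mta-sts.<domain>`, and nothing in this hunk enables TLS/ACME for the generated virtual hosts — that may be a default of `nixfiles.modules.nginx`, but it is worth confirming for each of the `my.domain` entries. The `config` attrset continues outside the hunk.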
@@ -40,8 +61,8 @@ in {
               domain ? my.domain.shire,
               dkimKey ? null,
             }: {
-              MX = [(mx.mx 10 "${domain}.")];
-              TXT = [(spf.strict ["a" "mx"])];
+              MX = [(mx.mx 10 "${my.domain.shire}.")];
+              TXT = [(spf.soft ["a"])];
               DMARC = [
                 {
                   p = "quarantine";
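Review bot: Dropping `mx` from the SPF record on line 144 while line 143 pins every zone's MX to `${my.domain.shire}.` means only each zone's own apex A record is authorized to send; for a zone whose apex does not resolve to the host that actually relays its mail (azahi/gondor/rohan, if their A records differ from shire's), SPF will now soft-fail on legitimate mail, and under the `p = "quarantine"` DMARC policy on line 147 those messages are quarantined unless aligned DKIM rescues them. If the relay is the shire MX, keep it authorized, e.g. `TXT = [(spf.soft ["a" "mx"])];`. The move from `spf.strict` to `spf.soft` also relaxes the all-mechanism from fail to softfail, as far as the helper names suggest; that is a deliberate weakening and deserves a one-line comment saying why. mkEmailEntries continues outside the hunk.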
@@ -54,6 +75,7 @@ in {
                 selector = "mail";
                 p = dkimKey;
               };
+              subdomains._mta-sts.TXT = ["v=STSv1; id=20230506134541Z"];
             };
 
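Review bot: The MTA-STS `id` on line 152 is a hard-coded literal that must change every time the policy served from the `mta-sts.${v}` virtual host added earlier in this file changes (mode, max_age or mx), otherwise senders keep the cached policy for up to `max_age`; nothing ties the two together. Consider hoisting it into the module `let`, e.g. `mtaStsId = "20230506134541Z";` with the comment `# bump whenever the MTA-STS policy served by nginx changes`, and referencing it here as `"v=STSv1; id=${mtaStsId}"`. mkEmailEntries continues outside the hunk.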
             mkZone = {
@@ -88,10 +110,11 @@ in {
             ariadneIdProof.TXT = ["openpgp4fpr:${my.pgp.fingerprint}"];
           in
             mkMerge [
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.shire;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
@@ -103,6 +126,8 @@ in {
                       yavanna = ips "yavanna";
                       "*.yavanna" = yavanna;
 
+                      mta-sts = manwe;
+
                       ns1 = manwe;
                       # ns2 = varda;
 
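Review bot: The `mta-sts` A record is written separately for every zone — `mta-sts = manwe;` on line 173 here and `mta-sts = ips "manwe";` on lines 194, 212 and 230 of the last hunk — while the matching `_mta-sts` TXT was placed once in mkEmailEntries; the two halves of the MTA-STS setup now live in different places and the four copies can drift apart. Putting the A record beside the TXT in mkEmailEntries, e.g. `subdomains.mta-sts = ips "manwe";` next to `subdomains._mta-sts.TXT`, removes the repetition, assuming `ips` is in scope there. The enclosing mkMerge list starts and ends outside this hunk.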
@@ -124,37 +149,52 @@ in {
                   }
                 ];
               })
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.azahi;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   ariadneIdProof
                   {
-                    subdomains.git = ips "manwe";
+                    subdomains = {
+                      mta-sts = ips "manwe";
+
+                      git = ips "manwe";
+                    };
                   }
                 ];
               })
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.gondor;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
-                    subdomains.frodo = ips "manwe" // ariadneIdProof;
+                    subdomains = {
+                      mta-sts = ips "manwe";
+
+                      frodo = ips "manwe" // ariadneIdProof;
+                    };
                   }
                 ];
               })
-              (mkZone {
+              (mkZone rec {
                 domain = my.domain.rohan;
                 extra = mkMerge [
                   (mkEmailEntries {
+                    inherit domain;
                     dkimKey = "@DKIM_KEY@";
                   })
                   {
-                    subdomains.frodo = ips "manwe" // ariadneIdProof;
+                    subdomains = {
+                      mta-sts = ips "manwe";
+
+                      frodo = ips "manwe" // ariadneIdProof;
+                    };
                   }
                 ];
               })
diff --git a/modules/nixos/sound.nix b/modules/nixos/sound.nix
index ae35e44..073d59c 100644
--- a/modules/nixos/sound.nix
+++ b/modules/nixos/sound.nix
@@ -13,8 +13,8 @@ in {
     services.pipewire = {
       enable = true;
 
-      alsa.enable = false;
-      jack.enable = false;
+      alsa.enable = true;
+      jack.enable = true;
       pulse.enable = true;
     };
   };
