Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/common/security.nix2
-rw-r--r--modules/nixos/common/xdg.nix5
-rw-r--r--modules/nixos/matrix/dendrite.nix14
-rw-r--r--modules/nixos/matrix/synapse.nix14
-rw-r--r--modules/nixos/nsd.nix58
-rw-r--r--modules/nixos/sound.nix4
6 files changed, 70 insertions, 27 deletions
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 7a3d3b3..2272e12 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@@ -25,5 +25,7 @@ with lib; {
});
'';
};
+
+ rtkit.enable = true;
};
}
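Review bot: `rtkit.enable = true;` is added in common/security.nix, so presumably every host that imports the common module now runs the RealtimeKit daemon, including machines with no audio stack. On the lines visible in this commit only the PipeWire configuration in sound.nix appears to need it. Consider setting it next to `services.pipewire` under the same condition, or add a comment here saying why it is global. The enclosing attribute set starts outside the hunk.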
diff --git a/modules/nixos/common/xdg.nix b/modules/nixos/common/xdg.nix
index 8ddf1ac..d74bf82 100644
--- a/modules/nixos/common/xdg.nix
+++ b/modules/nixos/common/xdg.nix
@@ -15,6 +15,11 @@ with lib; {
(mkAliasOptionModule ["userDirs"] (withBase "userDirs"))
];
+ xdg.portal = mkIf this.isHeadful {
+ enable = true;
+ xdgOpenUsePortal = true;
+ };
+
hm.xdg = mkMerge [
{
enable = true;
diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix
index bd19f8b..d9c4914 100644
--- a/modules/nixos/matrix/dendrite.nix
+++ b/modules/nixos/matrix/dendrite.nix
@@ -52,20 +52,18 @@ in {
extraConfig = ''
add_header Content-Type application/json;
'';
- return = "200 '${
- generators.toJSON {} {"m.server" = "${cfg.domain}:443";}
- }'";
+ return = "200 '${generators.toJSON {} {
+ "m.server" = "${cfg.domain}:443";
+ }}'";
};
"= /.well-known/matrix/client" = {
extraConfig = ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
'';
- return = "200 '${
- generators.toJSON {} {
- "m.homeserver".base_url = "https://${cfg.domain}";
- }
- }'";
+ return = "200 '${generators.toJSON {} {
+ "m.homeserver".base_url = "https://${cfg.domain}";
+ }}'";
};
};
};
diff --git a/modules/nixos/matrix/synapse.nix b/modules/nixos/matrix/synapse.nix
index a74ebb4..40595a0 100644
--- a/modules/nixos/matrix/synapse.nix
+++ b/modules/nixos/matrix/synapse.nix
@@ -33,20 +33,18 @@ in {
extraConfig = ''
add_header Content-Type application/json;
'';
- return = "200 '${
- generators.toJSON {} {"m.server" = "${cfg.domain}:443";}
- }'";
+ return = "200 '${generators.toJSON {} {
+ "m.server" = "${cfg.domain}:443";
+ }}'";
};
"= /.well-known/matrix/client" = {
extraConfig = ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
'';
- return = "200 '${
- generators.toJSON {} {
- "m.homeserver".base_url = "https://${cfg.domain}";
- }
- }'";
+ return = "200 '${generators.toJSON {} {
+ "m.homeserver".base_url = "https://${cfg.domain}";
+ }}'";
};
};
};
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index 255c787..f8d9e4b 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -19,6 +19,27 @@ in {
};
config = mkIf cfg.enable {
+ nixfiles.modules.nginx = let
+ domain = my.domain.shire;
+ in {
+ enable = true;
+ virtualHosts = mapAttrs' (_: v:
+ nameValuePair "mta-sts.${v}" {
+ locations."= /.well-known/mta-sts.txt" = {
+ extraConfig = ''
+ add_header default_type text/plain;
+ '';
+ return = "200 '${concatStringsSep "\\r\\n" [
+ "version: STSv1"
+ "mode: enforce"
+ "max_age: 2419200"
+ "mx: ${domain}"
+ ]}'";
+ };
+ })
+ my.domain;
+ };
+
services = {
nsd = {
enable = true;
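Review bot: `add_header default_type text/plain;` in the new `/.well-known/mta-sts.txt` location emits a response header literally named `default_type` instead of setting the media type, so the policy is probably served with nginx's fallback Content-Type. RFC 8461 expects `text/plain`, and a sending MTA may discard a policy served otherwise; the line should read `default_type text/plain;`. The policy also starts directly in `mode: enforce` with a 28-day `max_age`, and no TLS or ACME setting for the `mta-sts.*` virtual hosts is visible in this hunk (the `nixfiles.modules.nginx` wrapper may supply one). Starting with `mode: testing` until the certificates are confirmed would keep a misconfiguration from causing rejected mail for the lifetime of cached policies.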
@@ -40,8 +61,8 @@ in {
domain ? my.domain.shire,
dkimKey ? null,
}: {
- MX = [(mx.mx 10 "${domain}.")];
- TXT = [(spf.strict ["a" "mx"])];
+ MX = [(mx.mx 10 "${my.domain.shire}.")];
+ TXT = [(spf.soft ["a"])];
DMARC = [
{
p = "quarantine";
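Review bot: The TXT record changes from `spf.strict ["a" "mx"]` to `spf.soft ["a"]`, which presumably moves the SPF qualifier from `-all` to `~all` and relaxes how receivers treat mail from unlisted hosts; nothing in the commit says why. If the softening is deliberate, a one-line comment above the TXT entry stating the reason would record it; otherwise keep `spf.strict`. The MX line now hard-codes `my.domain.shire`, so the `domain` argument is no longer used on the lines visible here even though the callers now pass `inherit domain;`. The function body continues outside the hunk.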
@@ -54,6 +75,7 @@ in {
selector = "mail";
p = dkimKey;
};
+ subdomains._mta-sts.TXT = ["v=STSv1; id=20230506134541Z"];
};
mkZone = {
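Review bot: The `id=20230506134541Z` value in the new `_mta-sts` TXT record is a fixed literal with no comment, and senders only refetch the policy when this id changes. Any later edit to the policy text served by the nginx virtual hosts must bump it by hand, or cached copies of the old policy stay in force for up to `max_age`. Add a comment above the line such as `# bump id whenever the mta-sts.txt policy changes`.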
@@ -88,10 +110,11 @@ in {
ariadneIdProof.TXT = ["openpgp4fpr:${my.pgp.fingerprint}"];
in
mkMerge [
- (mkZone {
+ (mkZone rec {
domain = my.domain.shire;
extra = mkMerge [
(mkEmailEntries {
+ inherit domain;
dkimKey = "@DKIM_KEY@";
})
{
@@ -103,6 +126,8 @@ in {
yavanna = ips "yavanna";
"*.yavanna" = yavanna;
+ mta-sts = manwe;
+
ns1 = manwe;
# ns2 = varda;
@@ -124,37 +149,52 @@ in {
}
];
})
- (mkZone {
+ (mkZone rec {
domain = my.domain.azahi;
extra = mkMerge [
(mkEmailEntries {
+ inherit domain;
dkimKey = "@DKIM_KEY@";
})
ariadneIdProof
{
- subdomains.git = ips "manwe";
+ subdomains = {
+ mta-sts = ips "manwe";
+
+ git = ips "manwe";
+ };
}
];
})
- (mkZone {
+ (mkZone rec {
domain = my.domain.gondor;
extra = mkMerge [
(mkEmailEntries {
+ inherit domain;
dkimKey = "@DKIM_KEY@";
})
{
- subdomains.frodo = ips "manwe" // ariadneIdProof;
+ subdomains = {
+ mta-sts = ips "manwe";
+
+ frodo = ips "manwe" // ariadneIdProof;
+ };
}
];
})
- (mkZone {
+ (mkZone rec {
domain = my.domain.rohan;
extra = mkMerge [
(mkEmailEntries {
+ inherit domain;
dkimKey = "@DKIM_KEY@";
})
{
- subdomains.frodo = ips "manwe" // ariadneIdProof;
+ subdomains = {
+ mta-sts = ips "manwe";
+
+ frodo = ips "manwe" // ariadneIdProof;
+ };
}
];
})
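Review bot: `mta-sts = ips "manwe";` is repeated by hand in each of the three zones in this hunk (and as `mta-sts = manwe;` in the shire zone), while the matching `_mta-sts` TXT record is generated by `mkEmailEntries`. A zone that gets the TXT record but not the address record would advertise a policy that cannot be fetched. If `ips` is in scope there, emitting the `mta-sts` host record from `mkEmailEntries` as well would keep the two together. The surrounding `mkMerge` list starts and ends outside the hunk.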
diff --git a/modules/nixos/sound.nix b/modules/nixos/sound.nix
index ae35e44..073d59c 100644
--- a/modules/nixos/sound.nix
+++ b/modules/nixos/sound.nix
@@ -13,8 +13,8 @@ in {
services.pipewire = {
enable = true;
- alsa.enable = false;
- jack.enable = false;
+ alsa.enable = true;
+ jack.enable = true;
pulse.enable = true;
};
};