Diffstat (limited to 'nixosConfigurations/manwe')
-rw-r--r--nixosConfigurations/manwe/default.nix88
-rw-r--r--nixosConfigurations/manwe/mailserver.nix94
-rw-r--r--nixosConfigurations/manwe/webserver.nix23
3 files changed, 205 insertions, 0 deletions
diff --git a/nixosConfigurations/manwe/default.nix b/nixosConfigurations/manwe/default.nix
new file mode 100644
index 0000000..b8dd324
--- /dev/null
+++ b/nixosConfigurations/manwe/default.nix
@@ -0,0 +1,88 @@
+{
+  config,
+  lib,
+  this,
+  ...
+}:
+with lib; {
+  imports = [
+    ./mailserver.nix
+    ./webserver.nix
+  ];
+
+  nixfiles.modules = {
+    nsd = {
+      enable = true;
+      fqdn = "ns1.${config.networking.domain}";
+    };
+    unbound.enable = true;
+
+    wireguard.server.enable = true;
+
+    acme.enable = true;
+
+    monitoring.enable = true;
+
+    postgresql.enable = true;
+
+    git.server = {
+      enable = true;
+      domain = "git.${my.domain.azahi}";
+    };
+
+    gotify.enable = true;
+    matrix.dendrite = {
+      enable = true;
+      domain = my.domain.azahi;
+    };
+    radicale.enable = true;
+    rss-bridge.enable = true;
+    shadowsocks.enable = true;
+    soju = {
+      enable = true;
+      domain = my.domain.azahi;
+    };
+    vaultwarden.enable = true;
+  };
+
+  boot = {
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+
+    initrd.availableKernelModules = [
+      "ata_piix"
+      "sd_mod"
+      "sr_mod"
+      "uhci_hcd"
+      "virtio_pci"
+      "virtio_scsi"
+    ];
+  };
+
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/sda1";
+      fsType = "xfs";
+      options = ["noatime"];
+    };
+
+    "/" = {
+      device = "/dev/sda2";
+      fsType = "xfs";
+      options = ["noatime"];
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/sda3";
+    }
+  ];
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 25;
+  };
+}
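Review bot: File-scope `with lib;` on the `with lib; {` line is used here only to reach `my` (presumably a `lib` extension, since nothing else binds it), and it hides where `my`, and in webserver.nix `concatStrings`, come from while shadowing any same-named attribute defined later; the same pattern is in mailserver.nix and webserver.nix. Consider `let inherit (lib) my; in {` in place of `with lib;` so the provenance is explicit. The block device references `boot.loader.grub.device = "/dev/sda"`, `/dev/sda1`, `/dev/sda2`, `/dev/sda3` depend on enumeration order; if the VM platform ever reorders disks the system will not boot, so by-UUID or by-label references (e.g. `device = "/dev/disk/by-label/<LABEL-PLACEHOLDER>"`) are more robust when the filesystems are labelled.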
diff --git a/nixosConfigurations/manwe/mailserver.nix b/nixosConfigurations/manwe/mailserver.nix
new file mode 100644
index 0000000..a4b552a
--- /dev/null
+++ b/nixosConfigurations/manwe/mailserver.nix
@@ -0,0 +1,94 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib; {
+  imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+  secrets = {
+    dkim-key-azahi-cc = {
+      file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+      path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+    dkim-key-rohan-net = {
+      file = "${inputs.self}/secrets/dkim-key-rohan-net";
+      path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+    dkim-key-gondor-net = {
+      file = "${inputs.self}/secrets/dkim-key-gondor-net";
+      path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+    dkim-key-shire-me = {
+      file = "${inputs.self}/secrets/dkim-key-shire-me";
+      path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+  };
+
+  nixfiles.modules.acme.enable = true;
+
+  mailserver = let
+    cert = config.certs.${my.domain.shire};
+  in {
+    enable = true;
+
+    fqdn = config.networking.domain;
+    domains = with my.domain; [azahi gondor rohan shire];
+
+    localDnsResolver = false;
+
+    certificateScheme = 1;
+    certificateFile = "${cert.directory}/fullchain.pem";
+    keyFile = "${cert.directory}/key.pem";
+
+    lmtpSaveToDetailMailbox = "no";
+
+    loginAccounts = with my.domain; {
+      "azahi@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        aliases = [
+          "@${azahi}"
+          "@${rohan}"
+          "@${gondor}"
+          "abuse@${shire}"
+          "admin@${shire}"
+          "ceo@${shire}"
+          "postmaster@${shire}"
+        ];
+      };
+      "samwise@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        aliases = ["chad@${shire}"];
+        quota = "1G";
+      };
+      "pippin@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        quota = "1G";
+      };
+      "meriadoc@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        quota = "1G";
+      };
+    };
+  };
+
+  services.fail2ban.jails = {
+    dovecot = ''
+      enabled = true
+      mode = aggressive
+    '';
+    postfix = ''
+      enabled = true
+      mode = aggressive
+    '';
+  };
+}
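Review bot: The `hashedPassword = "@HASHED_PASSWORD@"` literals on all four `loginAccounts` entries are placeholder tokens that something outside this hunk presumably rewrites before or during evaluation; whatever the mechanism, a hash that ends up in the evaluated configuration is copied into the world-readable Nix store on the host. simple-nixos-mailserver's `hashedPasswordFile` option reads the hash from a path at activation time instead, which fits the `secrets` mechanism this file already uses for the DKIM keys, e.g. `hashedPasswordFile = config.secrets.<NAME-PLACEHOLDER>.path;`. If the substitution is deliberate, a comment on the first account stating where and when `@HASHED_PASSWORD@` is replaced would save the next reader from assuming these accounts are unusable.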
diff --git a/nixosConfigurations/manwe/webserver.nix b/nixosConfigurations/manwe/webserver.nix
new file mode 100644
index 0000000..4dded7e
--- /dev/null
+++ b/nixosConfigurations/manwe/webserver.nix
@@ -0,0 +1,23 @@
+{
+  inputs,
+  lib,
+  ...
+}:
+with lib; {
+  nixfiles.modules.nginx.virtualHosts = with my.domain;
+    {
+      ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+      "git.${shire}".locations."/".return = "301 https://git.${azahi}";
+      "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}";
+      ${azahi} = {
+        serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+        locations."/".root = inputs.azahi-cc;
+      };
+    }
+    // (let
+      frodo = "301 https://frodo.";
+    in {
+      ${gondor}.locations."/".return = concatStrings [frodo gondor];
+      ${rohan}.locations."/".return = concatStrings [frodo rohan];
+    });
+}
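Review bot: The `"git.${shire}"` redirect returns a fixed `301 https://git.${azahi}`, so any path or query on the old host (a clone URL or a deep link) is dropped at the redirect; if the git server previously lived under `git.${shire}`, `"git.${shire}".locations."/".return = "301 https://git.${azahi}$request_uri";` preserves them, and the same applies to the `bitwarden.${shire}` → `vaultwarden.${shire}` line if that service moved. As a point of style, the `// (let frodo = ... in { ... })` merge only exists to share the `frodo` prefix; moving `frodo` into a single `let` above the outer attribute set and writing the `${gondor}`/`${rohan}` entries inline alongside the others reads as one host table instead of two glued together.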
