Diffstat (limited to 'nixosConfigurations/manwe')
-rw-r--r--nixosConfigurations/manwe/default.nix17
-rw-r--r--nixosConfigurations/manwe/mailserver/default.nix72
-rw-r--r--nixosConfigurations/manwe/webserver.nix36
3 files changed, 69 insertions, 56 deletions
diff --git a/nixosConfigurations/manwe/default.nix b/nixosConfigurations/manwe/default.nix
index 5a2fffd..e7edbf9 100644
--- a/nixosConfigurations/manwe/default.nix
+++ b/nixosConfigurations/manwe/default.nix
@@ -1,9 +1,6 @@
+{ config, lib, ... }:
+with lib;
{
- config,
- lib,
- ...
-}:
-with lib; {
imports = [
./mailserver
./webserver.nix
@@ -64,21 +61,17 @@ with lib; {
"/" = {
device = "/dev/sda2";
fsType = "xfs";
- options = ["noatime"];
+ options = [ "noatime" ];
};
"/boot" = {
device = "/dev/sda1";
fsType = "xfs";
- options = ["noatime"];
+ options = [ "noatime" ];
};
};
- swapDevices = [
- {
- device = "/dev/sda3";
- }
- ];
+ swapDevices = [ { device = "/dev/sda3"; } ];
zramSwap = {
enable = true;
diff --git a/nixosConfigurations/manwe/mailserver/default.nix b/nixosConfigurations/manwe/mailserver/default.nix
index 56dabce..822de6f 100644
--- a/nixosConfigurations/manwe/mailserver/default.nix
+++ b/nixosConfigurations/manwe/mailserver/default.nix
@@ -4,8 +4,9 @@
lib,
...
}:
-with lib; {
- imports = [inputs.mailserver.nixosModule];
+with lib;
+{
+ imports = [ inputs.mailserver.nixosModule ];
ark.directories = with config.mailserver; [
"/var/lib/dovecot"
@@ -48,40 +49,47 @@ with lib; {
redis.enable = true;
};
- mailserver = let
- cert = config.certs.${my.domain.shire};
- in {
- enable = true;
+ mailserver =
+ let
+ cert = config.certs.${my.domain.shire};
+ in
+ {
+ enable = true;
- # Disable potentially insecure[1] STARTTLS connections. SSL-only connections
- # are still enabled by default.
- #
- # [1]: https://www.rfc-editor.org/rfc/rfc3207#section-6
- enableImap = false;
- enablePop3 = false;
- enableSubmission = false;
+ # Disable potentially insecure[1] STARTTLS connections. SSL-only connections
+ # are still enabled by default.
+ #
+ # [1]: https://www.rfc-editor.org/rfc/rfc3207#section-6
+ enableImap = false;
+ enablePop3 = false;
+ enableSubmission = false;
- fqdn = config.networking.domain;
- domains = with my.domain; [azahi gondor rohan shire];
+ fqdn = config.networking.domain;
+ domains = with my.domain; [
+ azahi
+ gondor
+ rohan
+ shire
+ ];
- localDnsResolver = false;
+ localDnsResolver = false;
- certificateScheme = "manual";
- certificateFile = "${cert.directory}/fullchain.pem";
- keyFile = "${cert.directory}/key.pem";
+ certificateScheme = "manual";
+ certificateFile = "${cert.directory}/fullchain.pem";
+ keyFile = "${cert.directory}/key.pem";
- lmtpSaveToDetailMailbox = "no";
+ lmtpSaveToDetailMailbox = "no";
- redis = with config.services.redis.servers.default; {
- address = bind;
- inherit port;
- password = requirePass;
- };
+ redis = with config.services.redis.servers.default; {
+ address = bind;
+ inherit port;
+ password = requirePass;
+ };
- # Just a list of accounts with aliases and hasedPasswords. Not necessarily
- # secret, but kept from prying eyes.
- loginAccounts = import ./hidden.nix lib;
- };
+ # Just a list of accounts with aliases and hasedPasswords. Not necessarily
+ # secret, but kept from prying eyes.
+ loginAccounts = import ./hidden.nix lib;
+ };
services = {
fail2ban.jails = {
@@ -96,14 +104,14 @@ with lib; {
};
# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/275#note_1746383655
- dovecot2.sieve.extensions = ["fileinto"];
+ dovecot2.sieve.extensions = [ "fileinto" ];
# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241
redis.servers.rspamd.enable = mkForce false;
};
systemd.services.rspamd = {
- requires = mkForce ["redis-default.service"];
- after = mkForce ["redis-default.service"];
+ requires = mkForce [ "redis-default.service" ];
+ after = mkForce [ "redis-default.service" ];
};
}
diff --git a/nixosConfigurations/manwe/webserver.nix b/nixosConfigurations/manwe/webserver.nix
index d0784e8..95a0b0b 100644
--- a/nixosConfigurations/manwe/webserver.nix
+++ b/nixosConfigurations/manwe/webserver.nix
@@ -5,10 +5,12 @@
libPlausible,
...
}:
-with lib; {
+with lib;
+{
nixfiles.modules.nginx = {
enable = true;
- virtualHosts = with my.domain;
+ virtualHosts =
+ with my.domain;
{
# TODO Start using this.
# "start.local" = {
@@ -78,20 +80,30 @@ with lib; {
"git.${shire}".locations."/".return = "301 https://git.${azahi}";
"bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}";
${azahi} = {
- serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+ serverAliases = [
+ "frodo.${gondor}"
+ "frodo.${rohan}"
+ ];
locations."/" = {
root = inputs.azahi-cc;
- extraConfig = libNginx.config.appendHead [
- (libPlausible.htmlPlausibleScript {domain = azahi;})
- ];
+ extraConfig = libNginx.config.appendHead [ (libPlausible.htmlPlausibleScript { domain = azahi; }) ];
};
};
}
- // (let
- frodo = "301 https://frodo.";
- in {
- ${gondor}.locations."/".return = concatStrings [frodo gondor];
- ${rohan}.locations."/".return = concatStrings [frodo rohan];
- });
+ // (
+ let
+ frodo = "301 https://frodo.";
+ in
+ {
+ ${gondor}.locations."/".return = concatStrings [
+ frodo
+ gondor
+ ];
+ ${rohan}.locations."/".return = concatStrings [
+ frodo
+ rohan
+ ];
+ }
+ );
};
}