From 9a20404924fda2587ce4f9769f75369799f34643 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Wed, 1 May 2024 03:36:55 +0300
Subject: 2024-05-01
---
configurations/manwe/default.nix | 76 +++++++++++++++++++
configurations/manwe/mailserver/default.nix | 113 ++++++++++++++++++++++++++++
configurations/manwe/webserver.nix | 109 +++++++++++++++++++++++++++
3 files changed, 298 insertions(+)
create mode 100644 configurations/manwe/default.nix
create mode 100644 configurations/manwe/mailserver/default.nix
create mode 100644 configurations/manwe/webserver.nix
(limited to 'configurations/manwe')
diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix
new file mode 100644
index 0000000..3707440
--- /dev/null
+++ b/configurations/manwe/default.nix
@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+with lib;
+{
+ imports = attrValues (modulesIn ./.);
+
+ nixfiles.modules = {
+ nsd = {
+ enable = true;
+ fqdn = "ns1.${config.networking.domain}";
+ };
+ unbound.enable = true;
+
+ wireguard.server.enable = true;
+
+ acme.enable = true;
+
+ monitoring.enable = true;
+
+ postgresql.enable = true;
+ clickhouse.enable = true;
+
+ git.server = {
+ enable = true;
+ domain = "git.${my.domain.azahi}";
+ };
+
+ matrix.dendrite = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ murmur.enable = true;
+ radicale.enable = true;
+ rss-bridge.enable = true;
+ shadowsocks.enable = true;
+ soju = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ vaultwarden.enable = true;
+ ntfy.enable = true;
+ plausible.enable = true;
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd.availableKernelModules = [
+ "virtio_pci"
+ "virtio_scsi"
+ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/sda2";
+ fsType = "xfs";
+ options = [ "noatime" ];
+ };
+
+ "/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ options = [ "noatime" ];
+ };
+ };
+
+ swapDevices = [ { device = "/dev/sda3"; } ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 25;
+ };
+}
diff --git a/configurations/manwe/mailserver/default.nix b/configurations/manwe/mailserver/default.nix
new file mode 100644
index 0000000..cc8b41d
--- /dev/null
+++ b/configurations/manwe/mailserver/default.nix
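Review bot: The swap partition declared in `swapDevices = [ { device = "/dev/sda3"; } ];` is plain, unencrypted block storage on a host that also runs Vaultwarden, a Dendrite homeserver and (per the sibling file in this commit) a mail server, so whatever those services hold in memory can be paged out to disk in the clear; `swapDevices = [ { device = "/dev/sda3"; randomEncryption.enable = true; } ];` wraps the swap in a throwaway dm-crypt key at each boot at no operational cost, and the zram swap is unaffected since it never leaves RAM. Separately, `loader.grub.device`, both `fileSystems` entries and the swap entry all use kernel-enumerated `/dev/sdaN` names; with the `virtio_scsi` stack loaded in the initrd those can reorder if a disk is added, so `/dev/disk/by-uuid/...` or `by-label` paths would be safer. Whether any firewall is opened for the many services enabled here is not visible in this file — presumably the `nixfiles.modules` wrappers handle it, but worth confirming.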
@@ -0,0 +1,113 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib;
+{
+ imports = [ inputs.mailserver.nixosModule ] ++ attrValues (modulesIn ./.);
+
+ ark.directories = with config.mailserver; [
+ "/var/lib/dovecot"
+ "/var/lib/postfix"
+ config.security.dhparams.params.dovecot2.path
+ dkimKeyDirectory
+ mailDirectory
+ sieveDirectory
+ ];
+
+ secrets = with config.mailserver; {
+ dkim-key-azahi-cc = {
+ file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+ path = "${dkimKeyDirectory}/${my.domain.azahi}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ dkim-key-rohan-net = {
+ file = "${inputs.self}/secrets/dkim-key-rohan-net";
+ path = "${dkimKeyDirectory}/${my.domain.rohan}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ dkim-key-gondor-net = {
+ file = "${inputs.self}/secrets/dkim-key-gondor-net";
+ path = "${dkimKeyDirectory}/${my.domain.gondor}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ dkim-key-shire-net = {
+ file = "${inputs.self}/secrets/dkim-key-shire-net";
+ path = "${dkimKeyDirectory}/${my.domain.shire}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ };
+
+ nixfiles.modules = {
+ acme.enable = true;
+ redis.enable = true;
+ };
+
+ mailserver =
+ let
+ cert = config.certs.${my.domain.shire};
+ in
+ {
+ enable = true;
+
+ # Disable potentially insecure[1] STARTTLS connections. SSL-only connections
+ # are still enabled by default.
+ #
+ # [1]: https://www.rfc-editor.org/rfc/rfc3207#section-6
+ enableImap = false;
+ enablePop3 = false;
+ enableSubmission = false;
+
+ fqdn = config.networking.domain;
+ domains = with my.domain; [
+ azahi
+ gondor
+ rohan
+ shire
+ ];
+
+ localDnsResolver = false;
+
+ certificateScheme = "manual";
+ certificateFile = "${cert.directory}/fullchain.pem";
+ keyFile = "${cert.directory}/key.pem";
+
+ lmtpSaveToDetailMailbox = "no";
+
+ redis = with config.services.redis.servers.default; {
+ address = bind;
+ inherit port;
+ password = requirePass;
+ };
+ };
+
+ services = {
+ fail2ban.jails = {
+ dovecot = {
+ enabled = true;
+ settings.mode = "aggressive";
+ };
+ postfix = {
+ enabled = true;
+ settings.mode = "aggressive";
+ };
+ };
+
+ # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/275#note_1746383655
+ dovecot2.sieve.extensions = [ "fileinto" ];
+
+ # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241
+ redis.servers.rspamd.enable = mkForce false;
+ };
+
+ systemd.services.rspamd = {
+ requires = mkForce [ "redis-default.service" ];
+ after = mkForce [ "redis-default.service" ];
+ };
+}
diff --git a/configurations/manwe/webserver.nix b/configurations/manwe/webserver.nix
new file mode 100644
index 0000000..95a0b0b
--- /dev/null
+++ b/configurations/manwe/webserver.nix
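Review bot: `password = requirePass;` in the `redis = with config.services.redis.servers.default; { ... }` block copies the Redis credential out of the redis module's `requirePass` option into `mailserver.redis.password`, and the mailserver module renders that option into rspamd's generated config, which lives in the world-readable Nix store; the NixOS redis module itself warns that `requirePass` is store-visible and offers `requirePassFile` instead. How `redis.servers.default` is configured is not visible here, but if `requirePass` is a literal this makes the password readable by every local user, so the safer shape is to leave `password` unset and point rspamd at a secret-managed file outside the store (e.g. via `services.rspamd.locals`), or at least confirm that the value is already a non-secret placeholder. A second, smaller point: `requires = mkForce [ "redis-default.service" ];` and `after = mkForce [ "redis-default.service" ];` replace the whole dependency lists rather than just swapping out `redis-rspamd.service`, so any ordering the upstream rspamd unit or the mailserver module adds (network targets, DKIM key setup) is silently dropped; a plain list append would add the shared Redis unit without losing those. The STARTTLS note above reads correctly: `enableImap`/`enablePop3`/`enableSubmission` only govern the plaintext-upgrade ports, and the separate `*Ssl` listeners are untouched by this hunk.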
@@ -0,0 +1,109 @@
+{
+ inputs,
+ lib,
+ libNginx,
+ libPlausible,
+ ...
+}:
+with lib;
+{
+ nixfiles.modules.nginx = {
+ enable = true;
+ virtualHosts =
+ with my.domain;
+ {
+ # TODO Start using this.
+ # "start.local" = {
+ # root = pkgs.hiccup;
+ # locations = {
+ # "/".tryFiles = "$uri $uri/ /index.html";
+ # "~* ^.+config.json$".extraConfig = let
+ # config = pkgs.writeText "config.json" (generators.toJSON {} {
+ # version = "2.0";
+ # id = "default";
+ # title = "Demo Config";
+ # url = "./configs/config.json";
+ # featured = [
+ # {
+ # name = "GitHub";
+ # background = "/assets/card.png";
+ # link = "https://github.com/ashwin-pc/hiccup";
+ # }
+ # ];
+ # categories = [
+ # {
+ # title = "Category 1";
+ # links = [
+ # {
+ # name = "Link 1";
+ # link = "https://example.com";
+ # }
+ # ];
+ # }
+ # {
+ # title = "Category 2";
+ # links = [
+ # {
+ # name = "Link 1";
+ # link = "https://example.com";
+ # }
+ # ];
+ # }
+ # {
+ # title = "Category 3";
+ # links = [
+ # {
+ # name = "Link 1";
+ # link = "https://example.com";
+ # }
+ # ];
+ # }
+ # {
+ # title = "Category 4";
+ # links = [
+ # {
+ # name = "Link 1";
+ # link = "https://example.com";
+ # }
+ # ];
+ # }
+ # ];
+ # });
+ # in ''
+ # alias ${config};
+ # '';
+ # };
+ # enableACME = false;
+ # forceSSL = false;
+ # };
+ ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+ "git.${shire}".locations."/".return = "301 https://git.${azahi}";
+ "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}";
+ ${azahi} = {
+ serverAliases = [
+ "frodo.${gondor}"
+ "frodo.${rohan}"
+ ];
+ locations."/" = {
+ root = inputs.azahi-cc;
+ extraConfig = libNginx.config.appendHead [ (libPlausible.htmlPlausibleScript { domain = azahi; }) ];
+ };
+ };
+ }
+ // (
+ let
+ frodo = "301 https://frodo.";
+ in
+ {
+ ${gondor}.locations."/".return = concatStrings [
+ frodo
+ gondor
+ ];
+ ${rohan}.locations."/".return = concatStrings [
+ frodo
+ rohan
+ ];
+ }
+ );
+ };
+}
-- 
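Review bot: Roughly 65 of the 109 lines of this new file are a commented-out `"start.local"` vhost with a demo `config.json` under a dangling `# TODO Start using this.`; dead code of that size belongs in a branch or an issue rather than the committed file, and it references `pkgs`, which this file's argument set `{ inputs, lib, libNginx, libPlausible, ... }` does not bind, so it would not even evaluate if uncommented. The redirects are all `return = "301 ..."`, which browsers cache indefinitely; for the apex `${shire}` joke redirect a `302` (or `307`) would keep the option of serving real content there later without clients being stuck on a cached permanent redirect, whereas the `git.${shire}` and `bitwarden.${shire}` moves are legitimately permanent. `serverAliases = [ "frodo.${gondor}" "frodo.${rohan}" ]` on the `${azahi}` vhost assumes the certificate that `nixfiles.modules.nginx` attaches covers those names as SANs — how that wrapper obtains certificates is not visible here, so worth confirming before the aliases go live.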
cgit 1.4.1