From 164b2b3f693dd5da3c1b1661e43c45b36a6b764c Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Thu, 10 Nov 2022 14:19:19 +0300 Subject: 2022-11-10 --- configurations/manwe/mailserver.nix | 148 ++++++++++++++++++------------------ configurations/manwe/webserver.nix | 4 +- configurations/melian/default.nix | 100 ++++++++++++++++++++---- 3 files changed, 161 insertions(+), 91 deletions(-) (limited to 'configurations') diff --git a/configurations/manwe/mailserver.nix b/configurations/manwe/mailserver.nix index 83713f9..966c21c 100644 --- a/configurations/manwe/mailserver.nix +++ b/configurations/manwe/mailserver.nix 
@@ -7,90 +7,90 @@ with lib; { imports = [inputs.simple-nixos-mailserver.nixosModule]; - config = { - secrets = { - dkim-key-azahi-cc = { - file = "${inputs.self}/secrets/dkim-key-azahi-cc"; - path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key"; - owner = "opendkim"; - group = "opendkim"; - }; - dkim-key-rohan-net = { - file = "${inputs.self}/secrets/dkim-key-rohan-net"; - path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key"; - owner = "opendkim"; - group = "opendkim"; - }; - dkim-key-gondor-net = { - file = "${inputs.self}/secrets/dkim-key-gondor-net"; - path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key"; - owner = "opendkim"; - group = "opendkim"; - }; - dkim-key-shire-me = { - file = "${inputs.self}/secrets/dkim-key-shire-me"; - path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key"; - owner = "opendkim"; - group = "opendkim"; - }; + secrets = { + dkim-key-azahi-cc = { + file = "${inputs.self}/secrets/dkim-key-azahi-cc"; + path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key"; + owner = "opendkim"; + group = "opendkim"; + }; + dkim-key-rohan-net = { + file = "${inputs.self}/secrets/dkim-key-rohan-net"; + path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key"; + owner = "opendkim"; + group = "opendkim"; + }; + dkim-key-gondor-net = { + file = "${inputs.self}/secrets/dkim-key-gondor-net"; + path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key"; + owner = "opendkim"; + group = "opendkim"; + }; + dkim-key-shire-me = { + file = "${inputs.self}/secrets/dkim-key-shire-me"; + path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key"; + owner = "opendkim"; + group = "opendkim"; }; + }; - nixfiles.modules.acme.enable = true; + nixfiles.modules.acme.enable = true; - mailserver = let - cert = config.certs.${my.domain.shire}; - in { - enable = true; + mailserver = let + cert = 
config.certs.${my.domain.shire}; + in { + enable = true; - fqdn = config.networking.domain; - domains = with my.domain; [azahi gondor rohan shire]; + fqdn = config.networking.domain; + domains = with my.domain; [azahi gondor rohan shire]; - localDnsResolver = false; + localDnsResolver = false; - certificateScheme = 1; - certificateFile = "${cert.directory}/fullchain.pem"; - keyFile = "${cert.directory}/key.pem"; + certificateScheme = 1; + certificateFile = "${cert.directory}/fullchain.pem"; + keyFile = "${cert.directory}/key.pem"; - lmtpSaveToDetailMailbox = "no"; + lmtpSaveToDetailMailbox = "no"; - loginAccounts = with my.domain; { - "azahi@${shire}" = { - hashedPassword = "@HASHED_PASSWORD@"; - aliases = [ - "@${azahi}" - "@${rohan}" - "@${gondor}" - "abuse@${shire}" - "admin@${shire}" - "ceo@${shire}" - "postmaster@${shire}" - ]; - }; - "samwise@${shire}" = { - hashedPassword = "@HASHED_PASSWORD@"; - aliases = ["chad@${shire}"]; - quota = "1G"; - }; - "pippin@${shire}" = { - hashedPassword = "@HASHED_PASSWORD@"; - quota = "1G"; - }; - "meriadoc@${shire}" = { - hashedPassword = "@HASHED_PASSWORD@"; - quota = "1G"; - }; + loginAccounts = with my.domain; { + "azahi@${shire}" = { + hashedPassword = "@HASHED_PASSWORD@"; + aliases = [ + "@${azahi}" + "@${rohan}" + "@${gondor}" + "abuse@${shire}" + "admin@${shire}" + "ceo@${shire}" + "postmaster@${shire}" + ]; + }; + "samwise@${shire}" = { + hashedPassword = "@HASHED_PASSWORD@"; + aliases = ["chad@${shire}"]; + quota = "1G"; + }; + "pippin@${shire}" = { + hashedPassword = "@HASHED_PASSWORD@"; + quota = "1G"; + }; + "meriadoc@${shire}" = { + hashedPassword = "@HASHED_PASSWORD@"; + quota = "1G"; }; }; + }; - services.fail2ban.jails = { - dovecot = '' - enabled = true - mode = aggressive - ''; - postfix = '' - enabled = true - mode = aggressive - ''; - }; + services.fail2ban.jails = { + dovecot = '' + enabled = true + mode = aggressive + ''; + postfix = '' + enabled = true + mode = aggressive + ''; }; + + 
system.extraDependencies = [inputs.simple-nixos-mailserver]; } diff --git a/configurations/manwe/webserver.nix b/configurations/manwe/webserver.nix index dde3e63..e1ee425 100644 --- a/configurations/manwe/webserver.nix +++ b/configurations/manwe/webserver.nix @@ -4,7 +4,7 @@ ... }: with lib; { - config.nixfiles.modules.nginx.virtualHosts = with my.domain; + nixfiles.modules.nginx.virtualHosts = with my.domain; { ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ"; "git.${shire}".locations."/".return = "301 https://git.${azahi}"; @@ -20,4 +20,6 @@ with lib; { ${gondor}.locations."/".return = concatStrings [frodo gondor]; ${rohan}.locations."/".return = concatStrings [frodo rohan]; }); + + system.extraDependencies = [inputs.azahi-cc]; } diff --git a/configurations/melian/default.nix b/configurations/melian/default.nix index 3ef0e46..bfdc42e 100644 --- a/configurations/melian/default.nix +++ b/configurations/melian/default.nix @@ -1,4 +1,5 @@ { + config, lib, pkgs, ... @@ -14,6 +15,7 @@ with lib; { syncthing.enable = true; + android.enable = true; beets.enable = true; bluetooth.enable = true; libvirtd.enable = true; 
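Review bot: Each of the four `loginAccounts` entries still carries `hashedPassword = "@HASHED_PASSWORD@"`, and once a real hash is substituted into this expression it becomes part of the evaluated configuration and therefore of the world-readable Nix store; this hunk only drops the `config = { ... }` wrapper and re-indents, so the pre-existing pattern is carried over unchanged. The module's `hashedPasswordFile` option reads the hash from a runtime path instead, which would let these accounts use the same `secrets` mechanism the hunk already uses for the four DKIM keys (e.g. `hashedPasswordFile = config.secrets.<placeholder>.path;`). If the placeholders are replaced by a step outside the Nix evaluation, a one-line comment at the `loginAccounts` attribute saying where `@HASHED_PASSWORD@` is filled in would save the next reader the same question.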
@@ -29,6 +31,68 @@ with lib; { wlan0.useDHCP = true; }; + networkmanager = { + enable = true; + wifi.backend = "iwd"; + + # Spent three days trying to make this work but still getting "No SSO + # handler" even on the HEAD version that 100% has SSO support baked in. + # It's all so tiresome[1]... aaand KDE is not supported[2]. + # + # I fucking hate AnyConnect, truly an example of how shit is is non-free + # software. SAML also sucks balls. I also hate my company for using this + # shit, guess I have no other choice but to use the absolute dogshit + # Ubuntu laptop they gave me. + # + # [1]: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect + # [1]: https://gitlab.com/openconnect/openconnect/-/issues/424 + # [2]: https://groups.google.com/g/linux.debian.bugs.dist/c/lK8u-LMY7n4 + # [2]: https://bugs.kde.org/show_bug.cgi?id=448153 + # + # plugins = with pkgs; [ + # ((networkmanager-openconnect.override { + # withGnome = false; + # openconnect = openconnect.overrideAttrs (_: super: { + # version = "unstable-2022-10-23"; + # src = fetchFromGitLab { + # owner = "openconnect"; + # repo = "openconnect"; + # rev = "acdfc753f7885b2a539f99036ac41ba1b78cc7ae"; + # hash = "sha256-ub+Z4WFD77h5YMQTb+TLc7EyY2KjBWglF1QVTirCHJM="; + # }; + # }); + # }).overrideAttrs (_: super: { + # version = "unstable-2022-09-10"; + # src = fetchFromGitLab { + # domain = "gitlab.gnome.org"; + # owner = "GNOME"; + # repo = "NetworkManager-openconnect"; + # rev = "3c1590786518e9acca33c250660ad21cae565acd"; + # hash = "sha256-YTUN46QHsHkXPAhImPG/MMLMqjlSRknapVO8u43nnWk="; + # }; + # buildInputs = super.buildInputs ++ [ + # (webkitgtk_4_1.override { + # libsoup = gnome.libsoup; + # }) + # ]; + # nativeBuildInputs = super.nativeBuildInputs ++ [ + # autoreconfHook + # ]; + # postPatch = '' + # substituteInPlace configure.ac \ + # --replace "PKG_CHECK_MODULES(LIBSECRET, libsecret-1 >= 0.18)" "" + # ''; + # preAutoreconf = '' + # autoupdate + # ''; + # preConfigure = '' + # NOCONFIGURE=x 
./autogen.sh + # touch gtk4/nm-openconnect-dialog.ui + # ''; + # })) + # ]; + }; + wireless = { enable = false; iwd.enable = true; @@ -59,23 +123,27 @@ with lib; { powerUpCommands = "${modprobe} xhci_pci"; }; - services.thinkfan = { - enable = true; - - settings = { - sensors = [ - { - hwmon = "/sys/class/hwmon"; - name = "coretemp"; - indices = [1]; - } - ]; - fans = [{tpacpi = "/proc/acpi/ibm/fan";}]; - levels = [ - ["level auto" 0 50] - ["level disengaged" 50 32767] - ]; + services = { + thinkfan = { + enable = true; + + settings = { + sensors = [ + { + hwmon = "/sys/class/hwmon"; + name = "coretemp"; + indices = [1]; + } + ]; + fans = [{tpacpi = "/proc/acpi/ibm/fan";}]; + levels = [ + ["level auto" 0 50] + ["level disengaged" 50 32767] + ]; + }; }; + + fwupd.enable = true; }; boot = { -- cgit v1.2.3
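Review bot: `networkmanager.enable = true;` is added two lines below the context line `wlan0.useDHCP = true;`, so wlan0 would, as far as these lines show, be configured both by the per-interface DHCP client and by NetworkManager; if NetworkManager is meant to own the interface, the `useDHCP` entry should go, and if the reverse is intended wlan0 belongs in `networkmanager.unmanaged`. The enclosing attribute set (presumably `networking`, given the `wireless` sibling) starts outside the hunk. The roughly fifty commented-out lines of `plugins` overrides, including pinned revisions, hashes and a `configure.ac` patch, are dead code inside a host configuration and will silently drift from the nixpkgs they were written against; the rationale and the four issue links would be preserved by a short comment such as `# openconnect plugin disabled: no SSO handler, no KDE support; see linked issues` while the override itself lives in history or a separate disabled file.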