From 8f137c28230623259a964484adcf31fe00756594 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sat, 17 Dec 2022 16:39:09 +0300
Subject: 2022-12-17
---
 nixosConfigurations/manwe/default.nix | 88 ++++++++++++++++++++++++++++++
 nixosConfigurations/manwe/mailserver.nix | 94 ++++++++++++++++++++++++++++++++
 nixosConfigurations/manwe/webserver.nix | 23 ++++++++
 3 files changed, 205 insertions(+)
 create mode 100644 nixosConfigurations/manwe/default.nix
 create mode 100644 nixosConfigurations/manwe/mailserver.nix
 create mode 100644 nixosConfigurations/manwe/webserver.nix
(limited to 'nixosConfigurations/manwe')
diff --git a/nixosConfigurations/manwe/default.nix b/nixosConfigurations/manwe/default.nix
new file mode 100644
index 0000000..b8dd324
--- /dev/null
+++ b/nixosConfigurations/manwe/default.nix
@@ -0,0 +1,88 @@
+{
+ config,
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ imports = [
+ ./mailserver.nix
+ ./webserver.nix
+ ];
+
+ nixfiles.modules = {
+ nsd = {
+ enable = true;
+ fqdn = "ns1.${config.networking.domain}";
+ };
+ unbound.enable = true;
+
+ wireguard.server.enable = true;
+
+ acme.enable = true;
+
+ monitoring.enable = true;
+
+ postgresql.enable = true;
+
+ git.server = {
+ enable = true;
+ domain = "git.${my.domain.azahi}";
+ };
+
+ gotify.enable = true;
+ matrix.dendrite = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ radicale.enable = true;
+ rss-bridge.enable = true;
+ shadowsocks.enable = true;
+ soju = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ vaultwarden.enable = true;
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd.availableKernelModules = [
+ "ata_piix"
+ "sd_mod"
+ "sr_mod"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ ];
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+
+ "/" = {
+ device = "/dev/sda2";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ swapDevices = [
+ {
+ device = "/dev/sda3";
+ }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 25;
+ };
+}
diff --git a/nixosConfigurations/manwe/mailserver.nix b/nixosConfigurations/manwe/mailserver.nix
new file mode 100644
index 0000000..a4b552a
--- /dev/null
+++ b/nixosConfigurations/manwe/mailserver.nix
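Review bot: The `this` argument in the function header at the top of default.nix is never referenced anywhere in the file, so the pattern can be reduced to `{ config, lib, ... }:`. Separately, `boot.loader.grub.device`, both `fileSystems` entries and `swapDevices` address the disk as `/dev/sda`, `/dev/sda1`–`/dev/sda3`; on a virtio/SCSI guest (the initrd list includes `virtio_scsi`) kernel device enumeration is not guaranteed stable, so `/dev/disk/by-uuid/...` paths or filesystem labels would be the safer anchor for the mounts. As a style point, the repeated `my.domain.azahi` in `git.server`, `matrix.dendrite` and `soju` could be bound once with `with my.domain;`, as mailserver.nix in the same commit already does.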
@@ -0,0 +1,94 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+ secrets = {
+ dkim-key-azahi-cc = {
+ file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+ path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-rohan-net = {
+ file = "${inputs.self}/secrets/dkim-key-rohan-net";
+ path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-gondor-net = {
+ file = "${inputs.self}/secrets/dkim-key-gondor-net";
+ path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-shire-me = {
+ file = "${inputs.self}/secrets/dkim-key-shire-me";
+ path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ };
+
+ nixfiles.modules.acme.enable = true;
+
+ mailserver = let
+ cert = config.certs.${my.domain.shire};
+ in {
+ enable = true;
+
+ fqdn = config.networking.domain;
+ domains = with my.domain; [azahi gondor rohan shire];
+
+ localDnsResolver = false;
+
+ certificateScheme = 1;
+ certificateFile = "${cert.directory}/fullchain.pem";
+ keyFile = "${cert.directory}/key.pem";
+
+ lmtpSaveToDetailMailbox = "no";
+
+ loginAccounts = with my.domain; {
+ "azahi@${shire}" = {
+ hashedPassword = "@HASHED_PASSWORD@";
+ aliases = [
+ "@${azahi}"
+ "@${rohan}"
+ "@${gondor}"
+ "abuse@${shire}"
+ "admin@${shire}"
+ "ceo@${shire}"
+ "postmaster@${shire}"
+ ];
+ };
+ "samwise@${shire}" = {
+ hashedPassword = "@HASHED_PASSWORD@";
+ aliases = ["chad@${shire}"];
+ quota = "1G";
+ };
+ "pippin@${shire}" = {
+ hashedPassword = "@HASHED_PASSWORD@";
+ quota = "1G";
+ };
+ "meriadoc@${shire}" = {
+ hashedPassword = "@HASHED_PASSWORD@";
+ quota = "1G";
+ };
+ };
+ };
+
+ services.fail2ban.jails = {
+ dovecot = ''
+ enabled = true
+ mode = aggressive
+ '';
+ postfix = ''
+ enabled = true
+ mode = aggressive
+ '';
+ };
+}
diff --git a/nixosConfigurations/manwe/webserver.nix b/nixosConfigurations/manwe/webserver.nix
new file mode 100644
index 0000000..4dded7e
--- /dev/null
+++ b/nixosConfigurations/manwe/webserver.nix
@@ -0,0 +1,23 @@
+{
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ nixfiles.modules.nginx.virtualHosts = with my.domain;
+ {
+ ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+ "git.${shire}".locations."/".return = "301 https://git.${azahi}";
+ "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}";
+ ${azahi} = {
+ serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+ locations."/".root = inputs.azahi-cc;
+ };
+ }
+ // (let
+ frodo = "301 https://frodo.";
+ in {
+ ${gondor}.locations."/".return = concatStrings [frodo gondor];
+ ${rohan}.locations."/".return = concatStrings [frodo rohan];
+ });
+}
--
cgit 1.4.1
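Review bot: Every `hashedPassword = "@HASHED_PASSWORD@";` under `loginAccounts` in mailserver.nix is a placeholder that is presumably rewritten by a later substitution step; whatever replaces it becomes part of the evaluated configuration and therefore of the world-readable Nix store, and if the substitution is ever skipped all four accounts are left with the literal string as their hash. The mailserver module offers `hashedPasswordFile` for this case, so the hashes could be delivered the same way this file already delivers the DKIM keys (a `secrets.<name>` entry with `file`, `path` and `owner`), e.g. `hashedPasswordFile = "/path/to/mail-password-azahi"; # constructed name` pointing at that secret's `path`, assuming the `secrets` option exposes it. The DKIM entries pin `owner`/`group` to `opendkim`, but nothing in the hunk shows which user reads `${cert.directory}/key.pem` selected by `certificateScheme = 1`; worth confirming once that the mail services can open it without the directory being made world-readable.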
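Review bot: The `// (let frodo = "301 https://frodo."; in { ... })` merge at the bottom of `virtualHosts` in webserver.nix builds its two redirect targets with `concatStrings` on a partial string, while the entries just above it express the same kind of value with plain interpolation; the indirection makes the final URL harder to read than it needs to be. Writing both entries inline in the first attribute set, `${gondor}.locations."/".return = "301 https://frodo.${gondor}";` and `${rohan}.locations."/".return = "301 https://frodo.${rohan}";`, keeps one style and removes the `let`/`//` block. The apex `${shire}` host returns a 301 to an external YouTube URL; presumably intentional, but a short comment such as `# apex intentionally redirects off-site` would stop a later reader from treating it as a misconfiguration.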