From 837fc97b30a41d766dd53a2370f6cb1d26364f9a Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Wed, 20 Sep 2023 15:26:47 +0300 Subject: 2023-09-20 --- nixosConfigurations/eonwe/default.nix | 1 + nixosConfigurations/manwe/default.nix | 4 +- nixosConfigurations/manwe/mailserver.nix | 112 ----------------------- nixosConfigurations/manwe/mailserver/default.nix | 96 +++++++++++++++++++ nixosConfigurations/manwe/webserver.nix | 9 +- 5 files changed, 108 insertions(+), 114 deletions(-) delete mode 100644 nixosConfigurations/manwe/mailserver.nix create mode 100644 nixosConfigurations/manwe/mailserver/default.nix (limited to 'nixosConfigurations')
diff --git a/nixosConfigurations/eonwe/default.nix b/nixosConfigurations/eonwe/default.nix
index d155cdf..e7f0187 100644
--- a/nixosConfigurations/eonwe/default.nix
+++ b/nixosConfigurations/eonwe/default.nix
@@ -21,6 +21,7 @@ with lib; {
 games = {
 lutris.enable = true;
 minecraft.client.enable = true;
+ steam.enable = true;
 };
 android.enable = true;
diff --git a/nixosConfigurations/manwe/default.nix b/nixosConfigurations/manwe/default.nix
index 267654d..c2ac8be 100644
--- a/nixosConfigurations/manwe/default.nix
+++ b/nixosConfigurations/manwe/default.nix
@@ -5,7 +5,7 @@
 }:
 with lib; {
 imports = [
- ./mailserver.nix
+ ./mailserver
 ./webserver.nix
 ];
@@ -23,6 +23,7 @@ with lib; {
 monitoring.enable = true;
 postgresql.enable = true;
+ clickhouse.enable = true;
 git.server = {
 enable = true;
@@ -43,6 +44,7 @@ with lib; {
 };
 vaultwarden.enable = true;
 ntfy.enable = true;
+ plausible.enable = true;
 };
 # A VPN to play old LAN games with the boys.
diff --git a/nixosConfigurations/manwe/mailserver.nix b/nixosConfigurations/manwe/mailserver.nix
deleted file mode 100644
index 389a9a0..0000000
--- a/nixosConfigurations/manwe/mailserver.nix
+++ /dev/null
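Review bot: `clickhouse.enable = true;` in the second manwe/default.nix hunk brings up a database whose stock `default` user has no password, and nothing in this hunk shows how the `clickhouse` module binds it or who may reach it. If the module does not already pin it to loopback and restrict the account, that belongs in the same change rather than being left to the host firewall; at minimum a comment at the enable line, `# ClickHouse only backs Plausible; the module keeps it on loopback (see nixfiles.modules.clickhouse)`, would record where that is enforced, presuming that is indeed the case. The `plausible.enable = true;` line in the third hunk is the only consumer I can see, so tying the two together in that comment is worthwhile.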
@@ -1,112 +0,0 @@ -{ - config, - inputs, - lib, - ... -}: -with lib; { - imports = [inputs.simple-nixos-mailserver.nixosModule]; - - ark.directories = with config.mailserver; [ - "/var/lib/dovecot" - "/var/lib/postfix" - config.security.dhparams.params.dovecot2.path - dkimKeyDirectory - mailDirectory - sieveDirectory - ]; - - secrets = with config.mailserver; { - dkim-key-azahi-cc = { - file = "${inputs.self}/secrets/dkim-key-azahi-cc"; - path = "${dkimKeyDirectory}/${my.domain.azahi}.${dkimSelector}.key"; - owner = config.services.opendkim.user; - inherit (config.services.opendkim) group; - }; - dkim-key-rohan-net = { - file = "${inputs.self}/secrets/dkim-key-rohan-net"; - path = "${dkimKeyDirectory}/${my.domain.rohan}.${dkimSelector}.key"; - owner = config.services.opendkim.user; - inherit (config.services.opendkim) group; - }; - dkim-key-gondor-net = { - file = "${inputs.self}/secrets/dkim-key-gondor-net"; - path = "${dkimKeyDirectory}/${my.domain.gondor}.${dkimSelector}.key"; - owner = config.services.opendkim.user; - inherit (config.services.opendkim) group; - }; - dkim-key-shire-net = { - file = "${inputs.self}/secrets/dkim-key-shire-net"; - path = "${dkimKeyDirectory}/${my.domain.shire}.${dkimSelector}.key"; - owner = config.services.opendkim.user; - inherit (config.services.opendkim) group; - }; - }; - - nixfiles.modules = { - acme.enable = true; - redis.enable = true; - }; - - mailserver = let - cert = config.certs.${my.domain.shire}; - in { - enable = true; - - fqdn = config.networking.domain; - domains = with my.domain; [azahi gondor rohan shire]; - - localDnsResolver = false; - - certificateScheme = "manual"; - certificateFile = "${cert.directory}/fullchain.pem"; - keyFile = "${cert.directory}/key.pem"; - - lmtpSaveToDetailMailbox = "no"; - - redis = with config.services.redis.servers.default; { - address = bind; - inherit port; - password = requirePass; - }; - - loginAccounts = with my.domain; { - "azahi@${shire}" = { - hashedPassword = 
"@HASHED_PASSWORD@"; - aliases = [ - "@${azahi}" - "@${rohan}" - "@${gondor}" - "abuse@${shire}" - "admin@${shire}" - "ceo@${shire}" - "postmaster@${shire}" - "root@${shire}" - ]; - }; - "samwise@${shire}" = { - hashedPassword = "@HASHED_PASSWORD@"; - aliases = ["chad@${shire}"]; - quota = "1G"; - }; - }; - }; - - # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241 - services.redis.servers.rspamd.enable = mkForce false; - systemd.services.rspamd = { - requires = mkForce ["redis-default.service"]; - after = mkForce ["redis-default.service"]; - }; - - services.fail2ban.jails = { - dovecot = { - enabled = true; - settings.mode = "aggressive"; - }; - postfix = { - enabled = true; - settings.mode = "aggressive"; - }; - }; -} diff --git a/nixosConfigurations/manwe/mailserver/default.nix b/nixosConfigurations/manwe/mailserver/default.nix new file mode 100644 index 0000000..4f58df7 --- /dev/null +++ b/nixosConfigurations/manwe/mailserver/default.nix 
@@ -0,0 +1,96 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+ # Redis?
+ ark.directories = with config.mailserver; [
+ "/var/lib/dovecot"
+ "/var/lib/postfix"
+ config.security.dhparams.params.dovecot2.path
+ dkimKeyDirectory
+ mailDirectory
+ sieveDirectory
+ ];
+
+ secrets = with config.mailserver; {
+ dkim-key-azahi-cc = {
+ file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+ path = "${dkimKeyDirectory}/${my.domain.azahi}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ dkim-key-rohan-net = {
+ file = "${inputs.self}/secrets/dkim-key-rohan-net";
+ path = "${dkimKeyDirectory}/${my.domain.rohan}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ dkim-key-gondor-net = {
+ file = "${inputs.self}/secrets/dkim-key-gondor-net";
+ path = "${dkimKeyDirectory}/${my.domain.gondor}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ dkim-key-shire-net = {
+ file = "${inputs.self}/secrets/dkim-key-shire-net";
+ path = "${dkimKeyDirectory}/${my.domain.shire}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ };
+
+ nixfiles.modules = {
+ acme.enable = true;
+ redis.enable = true;
+ };
+
+ mailserver = let
+ cert = config.certs.${my.domain.shire};
+ in {
+ enable = true;
+
+ fqdn = config.networking.domain;
+ domains = with my.domain; [azahi gondor rohan shire];
+
+ localDnsResolver = false;
+
+ certificateScheme = "manual";
+ certificateFile = "${cert.directory}/fullchain.pem";
+ keyFile = "${cert.directory}/key.pem";
+
+ lmtpSaveToDetailMailbox = "no";
+
+ redis = with config.services.redis.servers.default; {
+ address = bind;
+ inherit port;
+ password = requirePass;
+ };
+
+ # Just a list of accounts with aliases and hasedPasswords.
Not necessarily + # secret, but kept from prying eyes. + loginAccounts = import ./accounts.nix lib; + }; + + # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241 + services.redis.servers.rspamd.enable = mkForce false; + systemd.services.rspamd = { + requires = mkForce ["redis-default.service"]; + after = mkForce ["redis-default.service"]; + }; + + services.fail2ban.jails = { + dovecot = { + enabled = true; + settings.mode = "aggressive"; + }; + postfix = { + enabled = true; + settings.mode = "aggressive"; + }; + }; +} diff --git a/nixosConfigurations/manwe/webserver.nix b/nixosConfigurations/manwe/webserver.nix index f07d545..9e19474 100644 --- a/nixosConfigurations/manwe/webserver.nix +++ b/nixosConfigurations/manwe/webserver.nix @@ -13,7 +13,14 @@ with lib; { "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}"; ${azahi} = { serverAliases = ["frodo.${gondor}" "frodo.${rohan}"]; - locations."/".root = inputs.azahi-cc; + locations."/" = { + root = inputs.azahi-cc; + extraConfig = '' + sub_filter '' + ''; + sub_filter_once on; + ''; + }; }; } // (let -- cgit 1.4.1
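Review bot: `loginAccounts = import ./accounts.nix lib;` references a file this commit does not add (the diffstat lists five files and none of them is accounts.nix), so unless accounts.nix is already tracked elsewhere the flake will fail to evaluate, since git-ignored files are invisible to flake evaluation. More importantly, the comment's "kept from prying eyes" does not hold once the file is imported: every `hashedPassword` it yields is evaluated into `mailserver.loginAccounts`, and as far as I recall simple-nixos-mailserver renders those into a world-readable store path, which is precisely what its `hashedPasswordFile` option exists to avoid; the DKIM keys a few lines up already go through `secrets`, so the password hashes could take the same route, e.g. `hashedPasswordFile = config.secrets.mail-azahi.path;` per account. Two smaller things: the dangling `# Redis?` above `ark.directories` reads as an unresolved question about whether the Redis data directory needs archiving too and should either become `# TODO: decide whether the redis-default data dir belongs in ark.directories` or be removed, and `hasedPasswords` in the comment is a typo for `hashedPasswords`.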
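Review bot: The two `sub_filter` arguments in the new `extraConfig` block of webserver.nix arrive here as bare `''` pairs, so either the page dropped the markup or the directive is genuinely empty; nginx rejects `sub_filter` with an empty match string at config test, and inside a Nix `''…''` string a literal `''` must be written `'''`, so the real file deserves a second look. If the intent is to inject the Plausible snippet into the static site (plausible.enable lands in the same commit), bear in mind that `sub_filter` only rewrites responses whose type is in `sub_filter_types` (text/html by default) and that nginx's sub module strips `ETag` and, unless `sub_filter_last_modified on;` is set, `Last-Modified` from filtered responses, so conditional caching for the site goes away. A comment above the directive such as `# Inject the analytics snippet into each HTML page; note sub_filter drops ETag/Last-Modified` would record that trade-off. The enclosing `virtualHosts` attribute set starts before this hunk.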