From 2710b5eae60f6fb1739dc5e3e64b882c0b0b7c7a Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Fri, 5 Jul 2024 13:33:35 +0200
Subject: [PATCH] feat: Add new email alias to mailserver configuration

This commit adds a new email alias to the mailserver configuration. This new addition will allow emails sent to this address to be properly routed and received.
---
 systems/x86_64-linux/sgx-attic/atticd.nix | 55 +++++++++++++++++
 systems/x86_64-linux/sgx-attic/default.nix | 61 +++++++++++++++++++
 .../sgx-attic/hardware-configuration.nix | 39 ++++++++++++
 3 files changed, 155 insertions(+)
 create mode 100644 systems/x86_64-linux/sgx-attic/atticd.nix
 create mode 100644 systems/x86_64-linux/sgx-attic/default.nix
 create mode 100644 systems/x86_64-linux/sgx-attic/hardware-configuration.nix

diff --git a/systems/x86_64-linux/sgx-attic/atticd.nix b/systems/x86_64-linux/sgx-attic/atticd.nix
new file mode 100644
index 0000000..a619380
--- /dev/null
+++ b/systems/x86_64-linux/sgx-attic/atticd.nix
@@ -0,0 +1,55 @@
+{ pkgs, lib, config, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "attic" ];
+ ensureUsers = [{ name = "atticd"; }];
+ };
+
+ systemd.services.postgresql.postStart = lib.mkAfter ''
+ $PSQL -tAc 'ALTER DATABASE "attic" OWNER TO "atticd"'
+ '';
+
+ environment.systemPackages = with pkgs; [
+ attic-client
+ ];
+ services.atticd = {
+ enable = true;
+
+ # Replace with absolute path to your credentials file
+ credentialsFile = "/etc/atticd.env";
+
+ settings = {
+ api-endpoint = "https://attic.teepot.org/";
+
+ garbage-collection.default-retention-period = "3 months";
+
+ database.url = "postgresql:///attic?host=/run/postgresql";
+
+ listen = "[::]:8080";
+
+ # Data chunking
+ #
+ # Warning: If you change any of the values here, it will be
+ # difficult to reuse existing chunks for newly-uploaded NARs
+ # since the cutpoints will be different. As a result, the
+ # deduplication ratio will suffer for a while after the change.
+ chunking = {
+ # The minimum NAR size to trigger chunking
+ #
+ # If 0, chunking is disabled entirely for newly-uploaded NARs.
+ # If 1, all NARs are chunked.
+ nar-size-threshold = 64 * 1024; # 64 KiB
+
+ # The preferred minimum size of a chunk, in bytes
+ min-size = 16 * 1024; # 16 KiB
+
+ # The preferred average size of a chunk, in bytes
+ avg-size = 64 * 1024; # 64 KiB
+
+ # The preferred maximum size of a chunk, in bytes
+ max-size = 256 * 1024; # 256 KiB
+ };
+ };
+ };
+}
diff --git a/systems/x86_64-linux/sgx-attic/default.nix b/systems/x86_64-linux/sgx-attic/default.nix
new file mode 100644
index 0000000..a041c8c
--- /dev/null
+++ b/systems/x86_64-linux/sgx-attic/default.nix
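Review bot: `listen = "[::]:8080";` binds atticd on every interface over plain HTTP while `api-endpoint` advertises https://attic.teepot.org/, and default.nix in this same patch opens 8080 in `networking.firewall.allowedTCPPorts`, so unless a reverse proxy elsewhere terminates TLS for this host, cache tokens and NAR uploads cross the network in cleartext; either bind to loopback behind a local TLS proxy (`listen = "127.0.0.1:8080";`) or add a comment naming the component that actually serves the HTTPS endpoint. The `# Replace with absolute path to your credentials file` comment is template residue: `/etc/atticd.env` is not provisioned by anything in this commit, so the comment should instead state what the file must contain (the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64` signing secret), that it must be root-only and must never land in the Nix store, and that the service will not start without it. The `postStart` `ALTER DATABASE` could presumably be replaced by `ensureUsers = [{ name = "atticd"; ensureDBOwnership = true; }];` on the 23.11 module, which avoids an extra shell command in the PostgreSQL unit — worth confirming against the module version in use. The commit subject and body describe a mailserver email alias, which does not match the three sgx-attic host files this patch adds.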
@@ -0,0 +1,61 @@
+{ pkgs, lib, config, ... }:
+with lib;
+with lib.metacfg;
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./atticd.nix
+ ];
+
+ boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;
+ boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
+
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A OUTPUT -o lo -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
+ iptables -t nat -A POSTROUTING -j MASQUERADE
+ '';
+
+ metacfg = {
+ base.enable = true;
+ nix-ld.enable = true;
+ nix.enable = true;
+ aesmd_dcap.enable = true;
+ podman.enable = true;
+ user.extraGroups = [ "docker" "sgx" ];
+ };
+
+ environment.etc."sgx_default_qcnl.conf".text = ''
+ {
+ "pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/",
+ "use_secure_cert": false,
+ "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+ "retry_times": 6,
+ "retry_delay": 10,
+ "pck_cache_expire_hours": 168,
+ "verify_collateral_cache_expire_hours": 168,
+ "local_cache_only": false
+ }
+ '';
+
+ virtualisation = {
+ docker.enable = true;
+ podman.dockerCompat = false;
+ };
+
+ system.autoUpgrade = {
+ enable = true;
+ operation = "switch";
+ allowReboot = true;
+ };
+
+ security.tpm2.enable = false;
+ security.tpm2.abrmd.enable = false;
+
+ networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
+ networking.firewall.allowedTCPPorts = [ 8080 ];
+ networking.firewall.allowPing = true;
+
+ powerManagement.cpuFreqGovernor = "ondemand";
+
+ system.stateVersion = "23.11";
+}
diff --git a/systems/x86_64-linux/sgx-attic/hardware-configuration.nix b/systems/x86_64-linux/sgx-attic/hardware-configuration.nix
new file mode 100644
index 0000000..cfdcd85
--- /dev/null
+++ b/systems/x86_64-linux/sgx-attic/hardware-configuration.nix
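Review bot: `"use_secure_cert": false` in the `sgx_default_qcnl.conf` text turns off TLS certificate verification for the PCCS connection to https://192.168.122.1:8081/, which (via the loopback DNAT in `networking.firewall.extraCommands` and the `route_localnet` sysctl that makes it work) is the channel the quote provider uses to fetch attestation collateral; the collateral itself is Intel-signed so tampering should still be caught by the verifier, but the channel is unauthenticated, so the config should carry a comment stating that the host-side PCCS presents a self-signed certificate and that this is deliberate, or the PCCS certificate should be trusted explicitly instead. `iptables -t nat -A POSTROUTING -j MASQUERADE` has no interface, source or destination match, so it source-rewrites every new outbound connection the host originates or forwards (including container traffic, which docker/podman already masquerade themselves), far beyond what the loopback→192.168.122.1:8081 redirect needs; scoping it as `iptables -t nat -A POSTROUTING -d 192.168.122.1 -p tcp --dport 8081 -j MASQUERADE` limits it to the DNAT'd flow, and both rules deserve a one-line comment saying the host-side PCCS is reached through the libvirt bridge address. `user.extraGroups = [ "docker" "sgx" ];` grants docker-socket access, which is root-equivalent on this host, and `system.autoUpgrade` with `operation = "switch"` and `allowReboot = true` reboots an attestation host unattended; both may be intended, but each should say so in a comment so the next reader does not treat them as oversights.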
@@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/2d36df53-678c-49a7-9d59-05a1af7661df"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/69FB-9117"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +}