From a26d2bda796bb920eb81ef8118706802a82518c5 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Thu, 21 Mar 2024 09:12:32 +0100 Subject: [PATCH] add mx 
Signed-off-by: Harald Hoyer --- flake.lock | 106 +++++++- flake.nix | 4 + systems/x86_64-linux/mx/acme.nix | 79 ++++++ systems/x86_64-linux/mx/backup.nix | 18 ++ systems/x86_64-linux/mx/default.nix | 70 ++++++ systems/x86_64-linux/mx/forgejo.nix | 54 ++++ systems/x86_64-linux/mx/goaccess.nix | 26 ++ .../mx/hardware-configuration.nix | 43 ++++ systems/x86_64-linux/mx/kicker.nix | 17 ++ systems/x86_64-linux/mx/mailserver.nix | 232 ++++++++++++++++++ systems/x86_64-linux/mx/network.nix | 45 ++++ systems/x86_64-linux/mx/nextcloud.nix | 29 +++ systems/x86_64-linux/mx/nginx.nix | 166 +++++++++++++ systems/x86_64-linux/mx/rspamd.nix | 40 +++ systems/x86_64-linux/mx/server-raid.nix | 79 ++++++ systems/x86_64-linux/mx/users.nix | 23 ++ systems/x86_64-linux/sgx/backup.nix | 76 ++++++ systems/x86_64-linux/sgx/default.nix | 213 +--------------- systems/x86_64-linux/sgx/fileserver.nix | 75 ++++++ .../sgx/hardware-configuration.nix | 4 + systems/x86_64-linux/sgx/network.nix | 42 ++++ 21 files changed, 1240 insertions(+), 201 deletions(-) create mode 100644 systems/x86_64-linux/mx/acme.nix create mode 100644 systems/x86_64-linux/mx/backup.nix create mode 100644 systems/x86_64-linux/mx/default.nix create mode 100644 systems/x86_64-linux/mx/forgejo.nix create mode 100644 systems/x86_64-linux/mx/goaccess.nix create mode 100644 systems/x86_64-linux/mx/hardware-configuration.nix create mode 100644 systems/x86_64-linux/mx/kicker.nix create mode 100644 systems/x86_64-linux/mx/mailserver.nix create mode 100644 systems/x86_64-linux/mx/network.nix create mode 100644 systems/x86_64-linux/mx/nextcloud.nix create mode 100644 systems/x86_64-linux/mx/nginx.nix create mode 100644 systems/x86_64-linux/mx/rspamd.nix create mode 100644 systems/x86_64-linux/mx/server-raid.nix create mode 100644 systems/x86_64-linux/mx/users.nix create mode 100644 systems/x86_64-linux/sgx/backup.nix create mode 100644 systems/x86_64-linux/sgx/fileserver.nix create mode 100644 systems/x86_64-linux/sgx/network.nix 
diff --git a/flake.lock b/flake.lock index 0e30908..caaf1e1 100644 --- a/flake.lock +++ b/flake.lock @@ -16,6 +16,22 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "bufdelete-nvim": { "flake": false, "locked": { @@ -524,6 +540,22 @@ } }, "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { "flake": false, "locked": { "lastModified": 1650374568, @@ -1261,6 +1293,36 @@ "type": "github" } }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, + "nixpkgs-23_11": { + "locked": { + "lastModified": 1706098335, + "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a77ab169a83a4175169d78684ddd2e54486ac651", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.11", + "type": "indirect" + } + }, "nixpkgs-lib": { "locked": { "dir": "lib", 
@@ -1999,6 +2061,7 @@ "neovim-flake": "neovim-flake", "nixpkgs": "nixpkgs_4", "nixsgx-flake": "nixsgx-flake", + "simple-nixos-mailserver": "simple-nixos-mailserver", "snowfall-lib": "snowfall-lib_2", "sops-nix": "sops-nix", "unstable": "unstable" @@ -2088,6 +2151,32 @@ "type": "github" } }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_4", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-23_05": "nixpkgs-23_05", + "nixpkgs-23_11": "nixpkgs-23_11", + "utils": "utils_3" + }, + "locked": { + "lastModified": 1706219574, + "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-23.11", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "smartcolumn": { "flake": false, "locked": { @@ -2129,7 +2218,7 @@ }, "snowfall-lib_2": { "inputs": { - "flake-compat": "flake-compat_4", + "flake-compat": "flake-compat_5", "flake-utils-plus": "flake-utils-plus_2", "nixpkgs": [ "nixpkgs" @@ -2462,6 +2551,21 @@ "type": "github" } }, + "utils_3": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "vim-dirtytalk": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 4b181f7..520ab74 100644 --- a/flake.nix +++ b/flake.nix @@ -37,6 +37,9 @@ url = "github:matter-labs/nixsgx"; # inputs.nixpkgs.follows = "nixpkgs"; }; + + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; + simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = inputs: 
@@ -69,6 +72,7 @@ home-manager.nixosModules.home-manager sops-nix.nixosModules.sops disko.nixosModules.disko + simple-nixos-mailserver.nixosModule ]; overlays = with inputs; [ diff --git a/systems/x86_64-linux/mx/acme.nix b/systems/x86_64-linux/mx/acme.nix new file mode 100644 index 0000000..ebdff53 --- /dev/null +++ b/systems/x86_64-linux/mx/acme.nix @@ -0,0 +1,79 @@ +{ pkgs, lib, config, ... }: +{ + sops.secrets.internetbs = { + sopsFile = ../../../.secrets/hetzner/internetbs.yaml; # bring your own password file + }; + + security.acme = { + acceptTerms = true; + defaults = { + email = "harald@hoyer.xyz"; + dnsProvider = "internetbs"; + credentialsFile = config.sops.secrets.internetbs.path; + }; + certs = { + "mx.surfsite.org" = { }; + + "surfsite.org" = { + extraDomainNames = [ + "*.surfsite.org" + ]; + }; + + "hoyer.xyz" = { + dnsProvider = "cloudflare"; + extraDomainNames = [ + "*.hoyer.xyz" + "*.harald.hoyer.xyz" + "*.hartwin.hoyer.xyz" + ]; + }; + + "hoyer.world" = { + dnsProvider = "cloudflare"; + extraDomainNames = [ + "*.hoyer.world" + "*.harald.hoyer.world" + "*.hartwin.hoyer.world" + ]; + }; + + "hoyer.social" = { + dnsProvider = "cloudflare"; + extraDomainNames = [ + "*.hoyer.social" + "*.harald.hoyer.social" + "*.hartwin.hoyer.social" + ]; + }; + + "hoyer.photos" = { + dnsProvider = "cloudflare"; + extraDomainNames = [ + "*.hoyer.photos" + "*.harald.hoyer.photos" + "*.hartwin.hoyer.photos" + ]; + }; + + + "harald-hoyer.de" = { + extraDomainNames = [ + "*.harald-hoyer.de" + ]; + }; + + "hartwin-hoyer.de" = { + extraDomainNames = [ + "*.hartwin-hoyer.de" + ]; + }; + + "varlink.org" = { + extraDomainNames = [ + "*.varlink.org" + ]; + }; + }; + }; +} diff --git a/systems/x86_64-linux/mx/backup.nix b/systems/x86_64-linux/mx/backup.nix new file mode 100644 index 0000000..27a1721 --- /dev/null +++ b/systems/x86_64-linux/mx/backup.nix 
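Review bot: `defaults.credentialsFile` points every certificate, including the four that override `dnsProvider = "cloudflare"`, at the single `internetbs` sops secret, so that one file has to carry DNS-write API credentials for every zone listed here and a leak of it lets the holder mint wildcard certificates for all of them. Consider giving the Cloudflare zones their own secret (`credentialsFile = config.sops.secrets.cloudflare.path;` on those four certs) and using zone-scoped Cloudflare API tokens rather than the account-wide key. The contents of the secret file are not visible here, so this is inferred from the shared default.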
@@ -0,0 +1,18 @@
+{ pkgs, lib, ... }:
+{
+ users.users.backup = {
+ shell = pkgs.bash;
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "restrict,command=\"/run/wrappers/bin/rrsync -ro /\" ssh-rsa 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 root@sgx"
+ ];
+ };
+
+ security.wrappers.rrsync = {
+ source = "${pkgs.rrsync.out}/bin/rrsync";
+ owner = "backup";
+ group = "users";
+ permissions = "u=rwx,g=,o=";
+ capabilities = "cap_dac_read_search=+ep";
+ };
+}
diff --git a/systems/x86_64-linux/mx/default.nix b/systems/x86_64-linux/mx/default.nix
new file mode 100644
index 0000000..770ab1c
--- /dev/null
+++ b/systems/x86_64-linux/mx/default.nix
@@ -0,0 +1,70 @@
+{ pkgs, lib, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./rspamd.nix
+ ./goaccess.nix
+ ./nextcloud.nix
+ ./backup.nix
+ ./users.nix
+ ./kicker.nix
+ ./mailserver.nix
+ ./acme.nix
+ ./forgejo.nix
+ ./nginx.nix
+ ./network.nix
+ ];
+
+ metacfg = {
+ base.enable = true;
+ nix.enable = true;
+ podman.enable = true;
+ secureboot.enable = false;
+ };
+
+ security = {
+ tpm2.enable = lib.mkDefault true;
+ tpm2.abrmd.enable = lib.mkDefault true;
+ };
+
+ system.autoUpgrade = {
+ enable = true;
+ operation = "switch";
+ allowReboot = true;
+ flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx";
+ };
+
+ environment.systemPackages = with pkgs; [
+ age
+ apacheHttpd # for mkpasswd
+ efibootmgr
+ fgallery
+ git
+ htop
+ mdadm
+ rrsync
+ tpm2-pkcs11
+ tpm2-pkcs11.out
+ tpm2-tools
+ zola
+ ];
+
+ sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ {
+ path = "/var/lib/secrets/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/var/lib/secrets/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/systems/x86_64-linux/mx/forgejo.nix b/systems/x86_64-linux/mx/forgejo.nix
new file mode 100644
index 0000000..7d60c4e
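Review bot: The `cap_dac_read_search=+ep` wrapper combined with `rrsync -ro /` turns the `backup` key into a read-everything credential: whoever holds the `root@sgx` private key can read `/var/lib/secrets/ssh_host_ed25519_key` (the sops age identity configured in default.nix), the mail password hash files and `/etc/nextcloud-admin-pass`, not just the four top-level trees the sgx job actually pulls. `restrict,command=` is the right shape, and rrsync only takes one root so `/` is hard to avoid when /etc, /var, /home and /root are all wanted, but the consequence should be stated where the next maintainer will see it, e.g. `# NOTE: rrsync + CAP_DAC_READ_SEARCH == read-only root; treat the sgx-side key like a root credential`. If the secret files do not need to be in the pull, a pre-rsync `--exclude` on the sgx side does not help here (the capability is what grants access), so the protection has to be on the key itself.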
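Review bot: `system.autoUpgrade.flake` rebuilds and reboots this host as root from `git+file:///var/lib/gitea/repositories/harald/nixcfg.git`, a bare repository owned by the `gitea` service user, so a push to that Forgejo repository (a compromised Forgejo account, or a bug in Forgejo itself) becomes root on mx at the next timer run. Nix performs no signature verification on a `git+file:` input, so either restrict pushes to that branch with Forgejo branch protection or have the upgrade unit run `git verify-commit HEAD` against a pinned key before `nixos-rebuild`; at minimum this trust relationship deserves a comment next to the `flake =` line. Separately, `services.openssh` sets host keys but not `settings.PasswordAuthentication = false;` and the NixOS default allows passwords on a host that is otherwise key-only — worth setting here unless the `metacfg.base` module (not visible) already does.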
--- /dev/null +++ b/systems/x86_64-linux/mx/forgejo.nix @@ -0,0 +1,54 @@ +{ pkgs, lib, config, ... }: +{ + sops.secrets."postgres/gitea_dbpass" = { + sopsFile = ../../../.secrets/hetzner/postgres.yaml; # bring your own password file + owner = config.services.forgejo.user; + }; + + services.forgejo = { + enable = true; + user = "gitea"; + group = "gitea"; + stateDir = "/var/lib/gitea"; + database = { + name = "gitea"; + user = "gitea"; + type = "postgres"; + passwordFile = config.sops.secrets."postgres/gitea_dbpass".path; + }; + settings.service.DISABLE_REGISTRATION = true; + settings.server = { + DOMAIN = "git.hoyer.xyz"; + ROOT_URL = "https://git.hoyer.xyz/"; + HTTP_PORT = 3001; + }; + settings.log.LEVEL = "Warn"; + }; + + users.users.gitea = { + home = "/var/lib/gitea"; + useDefaultShell = true; + group = "gitea"; + isSystemUser = true; + }; + + users.groups.gitea = { }; + + services.postgresql = { + package = pkgs.postgresql_14; + ensureDatabases = [ + config.services.forgejo.database.name + "nextcloud" + ]; + ensureUsers = [ + { + name = config.services.forgejo.database.user; + ensureDBOwnership = true; + } + { + name = "nextcloud"; + ensureDBOwnership = true; + } + ]; + }; +} diff --git a/systems/x86_64-linux/mx/goaccess.nix b/systems/x86_64-linux/mx/goaccess.nix new file mode 100644 index 0000000..dc318ec --- /dev/null +++ b/systems/x86_64-linux/mx/goaccess.nix 
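Review bot: `settings.server.HTTP_PORT = 3001` is set without `HTTP_ADDR`, and Forgejo's default is to bind all interfaces, so the host firewall (80/443 only) is the only thing keeping the unproxied instance off the internet while the podman-networked kicker container can still reach it directly. Add `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` so Forgejo is only reachable through nginx. I cannot see whether `database.createDatabase` is left at its default; if it is, the connection goes over the local socket with peer auth and the `passwordFile` secret is effectively unused, so either set `createDatabase = false` explicitly to document why a password exists or drop the secret.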
@@ -0,0 +1,26 @@ +{ pkgs, lib, ... }: +{ + systemd.timers."goaccess" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "*:0/15"; + Unit = "goaccess.service"; + }; + }; + + systemd.services."goaccess" = { + script = '' + set -eu + ${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/index.html - + ${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^harald.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/harald-hoyer.html - + ${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^hartwin.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/hartwin-hoyer.html - + ${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^git.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/git-hoyer.html - + ${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^nc.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/nc-hoyer.html - + ${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^kicker.surfsite.org' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/kicker.html - + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; +} diff --git a/systems/x86_64-linux/mx/hardware-configuration.nix b/systems/x86_64-linux/mx/hardware-configuration.nix new file mode 100644 index 0000000..ce6a25e --- /dev/null +++ b/systems/x86_64-linux/mx/hardware-configuration.nix 
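Review bot: The timer runs goaccess with `User = "root"` although the job only needs to read nginx logs and write HTML into the stats directory; the log fields it parses (request line, referer, user agent) are attacker-controlled, so a parser bug in goaccess would execute as root every 15 minutes. Run it as an unprivileged account with `User = "goaccess"; SupplementaryGroups = [ "nginx" ]; ReadWritePaths = [ "/var/www/hoyer.xyz/html/stats" ]; ProtectSystem = "strict";` after declaring that user (log group ownership is not visible here, so adjust the supplementary group to whatever owns `/var/log/nginx`). Minor: the `egrep '^harald.hoyer.xyz'` filters treat each `.` as a wildcard and are not anchored after the host, so `'^harald\.hoyer\.xyz:'` would match only that vhost.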
@@ -0,0 +1,43 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.luks.devices.crypted = { + device = "/dev/md/raid1"; + preLVM = true; + }; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "sd_mod" + "tpm" + "tpm_tis" + "trusted" + "tpm_crb" + "tpm_tis_core" + "rng_core" + ]; + + + boot.swraid.enable = true; + boot.swraid.mdadmConf = '' + MAILADDR admin@hoyer.xyz + ''; + disko.devices = import ./server-raid.nix { + inherit lib; + disks = [ "/dev/sda" "/dev/sdb" ]; + }; + + swapDevices = [{ device = "/swapfile"; }]; + + + +} diff --git a/systems/x86_64-linux/mx/kicker.nix b/systems/x86_64-linux/mx/kicker.nix new file mode 100644 index 0000000..bf40d7b --- /dev/null +++ b/systems/x86_64-linux/mx/kicker.nix @@ -0,0 +1,17 @@ +{ pkgs, lib, ... }: +{ + virtualisation.oci-containers.containers = { + kicker = { + image = "quay.io/kicker/kicker:live"; + ports = [ "127.0.0.1:8087:80" ]; + volumes = [ + "/home/hartwin/kicker/.htaccess:/app/public/.htaccess" + "/home/hartwin/kicker/.htpasswd:/app/public/.htpasswd" + "/home/hartwin/kicker/live.db:/app/db/data/current.db" + ]; + extraOptions = [ + "--pull=always" + ]; + }; + }; +} diff --git a/systems/x86_64-linux/mx/mailserver.nix b/systems/x86_64-linux/mx/mailserver.nix new file mode 100644 index 0000000..0d77cab --- /dev/null +++ b/systems/x86_64-linux/mx/mailserver.nix 
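Review bot: `image = "quay.io/kicker/kicker:live"` together with `--pull=always` fetches a mutable tag on every start and runs whatever it currently resolves to, with no digest pin, so the registry or anyone able to push that tag decides what executes on this host. Pin by digest (`image = "quay.io/kicker/kicker@sha256:<digest>";`) and bump it deliberately, or at least drop `--pull=always` so a known image keeps running until you choose to update. The `.htaccess` and `.htpasswd` bind mounts are writable from inside the container; append `:ro` to those two volume entries so a compromised app cannot rewrite its own access control.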
@@ -0,0 +1,232 @@ +{ pkgs, lib, config, ... }: +{ + mailserver = { + enable = true; + fqdn = "mx.surfsite.org"; + sendingFqdn = "mx.surfsite.org"; + domains = [ + "harald-hoyer.de" + "hartwin-hoyer.de" + "herward-hoyer.de" + "meike-knutz.de" + "gerlinde-hoyer.de" + + "hoyer.xyz" + "nc.hoyer.xyz" + "harald.hoyer.xyz" + + "varlink.org" + "surfsite.org" + "myprivacy.tools" + "hoyer.social" + "hoyer.world" + "hoyer.photos" + "harald.hoyer.photos" + "hartwin.hoyer.photos" + "mx.surfsite.org" + ]; + + extraVirtualAliases = { + "max@hoyer.xyz" = [ + "harald@hoyer.xyz" + "mh@hoyer.xyz" + ]; + + "felix@hoyer.xyz" = [ + "harald@hoyer.xyz" + "mh@hoyer.xyz" + ]; + + "muh@hoyer.xyz" = [ + "harald@hoyer.xyz" + "mh@hoyer.xyz" + ]; + + "kicker@surfsite.org" = [ + "harald@hoyer.xyz" + "hartwin@hoyer.xyz" + ]; + }; + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + loginAccounts = { + "mh@hoyer.xyz" = { + hashedPasswordFile = "/home/harald/secrets/mh@hoyer.xyz"; + aliases = [ + "meike@harald-hoyer.de" + "meike@meike-knutz.de" + "meike.hoyer@meike-knutz.de" + "meike@hoyer.xyz" + ]; + }; + "alex@hoyer.xyz" = { + hashedPasswordFile = "/home/hartwin/secrets/alex-mail"; + aliases = [ + "alex@hartwin-hoyer.de" + "alex.hoyer@hartwin-hoyer.de" + "alex@surfsite.org" + "alex.hoyer@surfsite.org" + "alexander@hoyer.xyz" + ]; + }; + "jan@hoyer.xyz" = { + hashedPasswordFile = "/home/hartwin/secrets/jan-mail"; + aliases = [ + "jan@hartwin-hoyer.de" + "jan.hoyer@hartwin-hoyer.de" + "jan@surfsite.org" + "jan.hoyer@surfsite.org" + ]; + }; + "hannah@hoyer.xyz" = { + hashedPasswordFile = "/home/hartwin/secrets/hannah-mail"; + aliases = [ + "hannah@hartwin-hoyer.de" + "hannah.hoyer@hartwin-hoyer.de" + "hannah@surfsite.org" + "hannah.hoyer@surfsite.org" + ]; + }; + "steffi@hoyer.xyz" = { + hashedPasswordFile = "/home/hartwin/secrets/steffi-mail"; + aliases = [ + "steffi@surfsite.org" + "stefaniehoyer@surfsite.org" + 
"stefanie.hoyer@surfsite.org" + "stefanie.hoyer@hoyer.xyz" + "stefanie@hoyer.xyz" + ]; + }; + "hartwin@hoyer.xyz" = { + hashedPasswordFile = "/home/hartwin/secrets/hartwin-mail"; + aliases = [ + "hartwin.hoyer@hartwin-hoyer.de" + "mail@hartwin-hoyer.de" + "hartwin@hartwin-hoyer.de" + "youtube@hartwin-hoyer.de" + "hartwin@nc.hoyer.xyz" + "hartwin@hoyer.photos" + "webmaster@hartwin.hoyer.photos" + ]; + }; + "hhoyer@herward-hoyer.de" = { + hashedPasswordFile = "/home/hhoyer/secrets/hhoyer-mail"; + aliases = [ + "herward@herward-hoyer.de" + "herward@vs189018.vserver.de" + "gua808@herward-hoyer.de" + "mail@herward-hoyer.de" + "herward.hoyer@herward-hoyer.de" + "hhoyer@surfsite.org" + "hhoyer@hoyer.xyz" + "herward@hoyer.xyz" + "herward@nc.hoyer.xyz" + ]; + }; + "harald@hoyer.xyz" = { + hashedPasswordFile = "/home/harald/secrets/harald@hoyer.xyz"; + aliases = [ + "harald@mx.surfsite.org" + "root@mx.surfsite.org" + + "abuse@mx.surfsite.org" + "abuse@surfsite.org" + "abuse@hartwin-hoyer.de" + "abuse@herward-hoyer.de" + "abuse@meike-knutz.de" + "abuse@gerlinde-hoyer.de" + "abuse@hoyer.xyz" + "abuse@harald.hoyer.xyz" + "abuse@varlink.org" + "abuse@myprivacy.tools" + "abuse@hoyer.social" + "abuse@hoyer.world" + "abuse@hoyer.photos" + + "postmaster@mx.surfsite.org" + "postmaster@surfsite.org" + "postmaster@hartwin-hoyer.de" + "postmaster@herward-hoyer.de" + "postmaster@meike-knutz.de" + "postmaster@gerlinde-hoyer.de" + "postmaster@hoyer.xyz" + "postmaster@harald.hoyer.xyz" + "postmaster@varlink.org" + "postmaster@myprivacy.tools" + "postmaster@hoyer.social" + "postmaster@hoyer.world" + "postmaster@hoyer.photos" + + "webmaster@hoyer.xyz" + "webmaster@surfsite.org" + "webmaster@harald.hoyer.xyz" + "webmaster@varlink.org" + "webmaster@myprivacy.tools" + "webmaster@hoyer.social" + "webmaster@hoyer.world" + "webmaster@hoyer.photos" + "webmaster@harald.hoyer.photos" + + "admin@hoyer.xyz" + "admin@harald.hoyer.xyz" + "admin@nc.hoyer.xyz" + "admin@mx.surfsite.org" + 
"admin@hoyer.social" + "admin@hoyer.world" + "admin@hoyer.photos" + + "harald@surfsite.org" + "harald@hoyer.xyz" + "harald@nc.hoyer.xyz" + "harald@varlink.org" + "harald@myprivacy.tools" + "harald@hoyer.world" + "harald@hoyer.social" + "harald@hoyer.photos" + + "@harald.hoyer.xyz" + "@harald-hoyer.de" + + "paypal-harald@hoyer.xyz" + "photo-harald@hoyer.xyz" + + "fb@surfsite.org" + "freifunk@surfsite.org" + "fbc@surfsite.org" + "mine@surfsite.org" + "bitcoin@surfsite.org" + "bitcoin@hoyer.xyz" + "roulette@surfsite.org" + "github@surfsite.org" + "mua@surfsite.org" + "aliexpress@surfsite.org" + + # Max + "max@hoyer.xyz" + "max.hoyer@hoyer.xyz" + "maximilian@hoyer.xyz" + "maximilian.hoyer@hoyer.xyz" + + # Felix + "felix@hoyer.xyz" + "felix.hoyer@hoyer.xyz" + ]; + }; + }; + certificateScheme = "acme"; + }; + + services.roundcube = { + enable = true; + # this is the url of the vhost, not necessarily the same as the fqdn of + # the mailserver + hostName = "webmail.hoyer.xyz"; + extraConfig = '' + # starttls needed for authentication, so the fqdn required to match + # the certificate + $config['smtp_server'] = "tls://${config.mailserver.fqdn}"; + $config['smtp_user'] = "%u"; + $config['smtp_pass'] = "%p"; + ''; + }; +} diff --git a/systems/x86_64-linux/mx/network.nix b/systems/x86_64-linux/mx/network.nix new file mode 100644 index 0000000..bfb2999 --- /dev/null +++ b/systems/x86_64-linux/mx/network.nix 
@@ -0,0 +1,45 @@
+{ pkgs, lib, ... }:
+{
+ services.fail2ban.enable = true;
+ services.resolved.domains = [
+ "surfsite.org"
+ "hoyer.xyz"
+ ];
+ services.resolved.extraConfig = "ReadEtcHosts=no";
+ services.nscd.enableNsncd = false;
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowPing = true;
+
+ networking.hostName = "mx"; # Define your hostname.
+ networking.domain = "surfsite.org";
+ networking.dhcpcd.enable = false;
+ networking.firewall.logRefusedConnections = false;
+ networking.networkmanager.enable = false;
+ networking.useDHCP = false;
+ networking.useNetworkd = true;
+ networking.wireless.enable = false;
+ networking.defaultGateway.address = "95.216.66.129";
+ networking.defaultGateway.interface = "enp0s31f6";
+ #networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+ networking.enableIPv6 = true;
+
+ networking.interfaces.enp0s31f6 = {
+ ipv6 = {
+ addresses = [{
+ address = "2a01:4f9:2b:2e3::2"; # Your IPv6 here
+ prefixLength = 64;
+ }];
+ # Default IPv6 route
+ routes = [{
+ address = "::";
+ prefixLength = 0;
+ via = "fe80::1";
+ }];
+ };
+ ipv4.addresses = [{
+ address = "95.216.66.178";
+ prefixLength = 26;
+ }];
+ };
+}
diff --git a/systems/x86_64-linux/mx/nextcloud.nix b/systems/x86_64-linux/mx/nextcloud.nix
new file mode 100644
index 0000000..6494eda
--- /dev/null
+++ b/systems/x86_64-linux/mx/nextcloud.nix
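Review bot: `services.fail2ban.enable = true` on its own only arms the default `sshd` jail, while the password-authenticated services this host exposes (IMAP/submission from the mailserver module, Roundcube, Forgejo, Nextcloud) get no brute-force protection; the mail ports are opened by the mailserver module rather than in this hunk, so that part is inferred. Add at least dovecot and postfix-sasl jails, e.g. `services.fail2ban.jails.dovecot.settings = { enabled = true; filter = "dovecot"; };` and the same for `postfix-sasl`, and whitelist the sgx backup host via `services.fail2ban.ignoreIP`. `networking.firewall.logRefusedConnections = false` also throws away the data you would want during an incident on a public mail host; if the default is too noisy, rate-limit it instead of disabling it.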
@@ -0,0 +1,29 @@
+{ pkgs, lib, ... }:
+{
+ systemd.services."nextcloud-setup".requires = [ "postgresql.service" ];
+ systemd.services."nextcloud-setup".after = [ "postgresql.service" ];
+
+ environment.etc."nextcloud-admin-pass".text = "test123";
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud28;
+ hostName = "nc.hoyer.xyz";
+ https = true;
+ configureRedis = true;
+ extraOptions = {
+ mail_smtpmode = "sendmail";
+ mail_sendmailmode = "pipe";
+ };
+ phpOptions = {
+ upload_max_filesize = lib.mkForce "1G";
+ post_max_size = lib.mkForce "1G";
+ "opcache.interned_strings_buffer" = "16";
+ };
+ config.adminpassFile = "/etc/nextcloud-admin-pass";
+ config.defaultPhoneRegion = "DE";
+ config.dbtype = "pgsql";
+ config.dbname = "nextcloud";
+ config.dbhost = "/run/postgresql";
+ config.dbuser = "nextcloud";
+ };
+}
diff --git a/systems/x86_64-linux/mx/nginx.nix b/systems/x86_64-linux/mx/nginx.nix
new file mode 100644
index 0000000..5db2537
--- /dev/null
+++ b/systems/x86_64-linux/mx/nginx.nix
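Review bot: `environment.etc."nextcloud-admin-pass".text = "test123"` places the Nextcloud admin bootstrap password in the Nix store and in a world-readable file under `/etc`, in a repository this host also auto-deploys from. `adminpassFile` is only consumed by the first `nextcloud-setup` run, but the admin account keeps that password until someone changes it, and the file stays readable by every local user afterwards. Use a sops secret owned by the nextcloud service user, as forgejo.nix does in this same commit, and rotate the admin password if the instance was ever initialised with this value.
```nix
{ pkgs, lib, config, ... }:
{
  sops.secrets.nextcloud-admin-pass = {
    sopsFile = ../../../.secrets/hetzner/nextcloud.yaml; # bring your own password file
    owner = "nextcloud";
  };
  # … unchanged: nextcloud-setup ordering …
  services.nextcloud = {
    # … unchanged: enable, package, hostName, https, redis, extraOptions, phpOptions …
    config.adminpassFile = config.sops.secrets.nextcloud-admin-pass.path;
    # … unchanged: defaultPhoneRegion, db settings …
  };
}
```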
@@ -0,0 +1,166 @@ +{ pkgs, lib, ... }: +{ + users.users.nginx.extraGroups = [ "acme" ]; + services.nginx = { + enable = true; + appendHttpConfig = '' + log_format vcombined '$host:$server_port ' + '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + access_log /var/log/nginx/access.log vcombined; + ''; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { + "00000" = { + useACMEHost = "hoyer.xyz"; + serverName = "_"; + globalRedirect = "hoyer.xyz"; + addSSL = true; + }; + + "hoyer.photos" = { + enableACME = false; + useACMEHost = "hoyer.photos"; + forceSSL = true; + root = "/var/www/hoyer.xyz/html"; + }; + + + "hoyer.world" = { + enableACME = false; + useACMEHost = "hoyer.world"; + forceSSL = true; + root = "/var/www/hoyer.xyz/html"; + }; + + "hoyer.social" = { + enableACME = false; + useACMEHost = "hoyer.social"; + forceSSL = true; + root = "/var/www/hoyer.xyz/html"; + }; + + "hoyer.xyz" = { + # serverName = "hoyer.xyz"; + serverAliases = [ + "www.hoyer.xyz" + ]; + useACMEHost = "hoyer.xyz"; + enableACME = false; + forceSSL = true; + root = "/var/www/hoyer.xyz/html"; + locations."/stats" = { + basicAuthFile = "/var/www/hoyer.xyz/stats.htaccess"; + }; + }; + + "surfsite.org" = { + useACMEHost = "surfsite.org"; + enableACME = false; + forceSSL = true; + root = "/var/www/surfsite.org"; + }; + + "kicker.surfsite.org" = { + useACMEHost = "surfsite.org"; + enableACME = false; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:8087/"; + }; + }; + + "git.hoyer.xyz" = { + useACMEHost = "hoyer.xyz"; + enableACME = false; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3001/"; + }; + }; + + "webmail.hoyer.xyz" = { + useACMEHost = "hoyer.xyz"; + enableACME = false; + forceSSL = true; + }; + + "harald.hoyer.photos" = { + enableACME = true; + forceSSL = true; + 
root = "/var/www/photo.harald-hoyer.de/html"; + }; + "photo.harald-hoyer.de" = { + useACMEHost = "harald-hoyer.de"; + forceSSL = true; + root = "/var/www/photo.harald-hoyer.de/html"; + }; + "photo-harald.hoyer.xyz" = { + serverAliases = [ "photo.harald.hoyer.xyz" ]; + useACMEHost = "hoyer.xyz"; + forceSSL = true; + root = "/var/www/photo.harald-hoyer.de/html"; + }; + + "harald-hoyer.de" = { + serverAliases = [ + "www.harald-hoyer.de" + ]; + useACMEHost = "harald-hoyer.de"; + globalRedirect = "harald.hoyer.xyz"; + forceSSL = true; + }; + "harald.hoyer.xyz" = { + serverAliases = [ + "www.harald.hoyer.xyz" + ]; + useACMEHost = "hoyer.xyz"; + root = "/var/www/harald.hoyer.xyz/html/"; + extraConfig = '' + rewrite ^/feed/rss$ /rss.xml permanent; + rewrite ^/feed/rss/$ /rss.xml permanent; + rewrite ^/feed/$ /rss.xml permanent; + rewrite ^/feed/rss/index.html$ /rss.xml permanent; + rewrite ^/fedora/fedora/RSS2$ /tags/fedora/rss.xml permanent; + rewrite ^/linux/linux/RSS2$ /tags/linux/rss.xml permanent; + rewrite ^/linux/feed$ /tags/linux/rss.xml permanent; + rewrite ^/wp-rss2.php$ /rss.xml permanent; + rewrite ^/aggregator/rss.xml$ /rss.xml permanent; + rewrite ^/personal/blog/aggregator/RSS$ /rss.xml permanent; + rewrite ^/personal/blog/aggregator/RSS2$ /rss.xml permanent; + rewrite ^/aggregator/RSS$ /rss.xml permanent; + rewrite ^/aggregator/RSS2$ /rss.xml permanent; + rewrite ^/wp-commentsrss2.php$ /rss.xml permanent; + ''; + forceSSL = true; + }; + + "hartwin-hoyer.de" = { + serverAliases = [ + "www.hartwin-hoyer.de" + ]; + useACMEHost = "hartwin-hoyer.de"; + globalRedirect = "hartwin.hoyer.xyz"; + forceSSL = true; + }; + "hartwin.hoyer.xyz" = { + serverAliases = [ + "testhartwin.hoyer.xyz" + "www.hartwin.hoyer.xyz" + ]; + useACMEHost = "hoyer.xyz"; + root = "/var/www/hartwin.hoyer.xyz/html/"; + forceSSL = true; + }; + + "nc.hoyer.xyz" = { + useACMEHost = "hoyer.xyz"; + forceSSL = true; + }; + }; + }; +} 
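Review bot: The `harald.hoyer.photos` vhost is the only entry that sets `enableACME = true` instead of `useACMEHost`, so it requests its own certificate under `security.acme.defaults`, which acme.nix sets to `dnsProvider = "internetbs"`, while the sibling `hoyer.photos` cert overrides the provider to cloudflare and already covers `*.hoyer.photos`. That looks like a leftover: use `useACMEHost = "hoyer.photos"; enableACME = false;` like the neighbouring hosts, otherwise issuance runs against a zone the default provider presumably does not manage. Unrelated but cheap: the `git.hoyer.xyz` proxy sets no `client_max_body_size`, so nginx's 1m default will reject larger pushes over HTTPS; `recommendedProxySettings` does not raise it as far as I recall.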
diff --git a/systems/x86_64-linux/mx/rspamd.nix b/systems/x86_64-linux/mx/rspamd.nix new file mode 100644 index 0000000..8b006e4 --- /dev/null +++ b/systems/x86_64-linux/mx/rspamd.nix @@ -0,0 +1,40 @@ +{ pkgs, lib, ... }: +{ + services.rspamd.workers.controller.bindSockets = [{ + socket = "/run/rspamd/worker-controller.sock"; + mode = "0660"; + }]; + services.rspamd.locals = { + "maps.d/spf_whitelist.inc.local" = { + text = '' + epicgames.com + dmail.ai + ''; + }; + "maps.d/spf_dkim_whitelist.inc.local" = { + text = '' + epicgames.com + dmail.ai + ''; + }; + "maps.d/dmarc_whitelist.inc.local" = { + text = '' + epicgames.com + dmail.ai + ''; + }; + "greylist-whitelist-domains.inc" = { + text = '' + dmail.ai + epicgames.com + ''; + }; + }; + services.rspamd.extraConfig = '' + actions { + reject = null; + greylist = 4; # Apply greylisting when reaching this score + add_header = 4; # Add header when reaching this score + } + ''; +} diff --git a/systems/x86_64-linux/mx/server-raid.nix b/systems/x86_64-linux/mx/server-raid.nix new file mode 100644 index 0000000..ccb1997 --- /dev/null +++ b/systems/x86_64-linux/mx/server-raid.nix 
@@ -0,0 +1,79 @@ +{ disks ? [ "/dev/sda" "/dev/sdb" ], ... }: { + disk = { + one = { + type = "disk"; + device = builtins.elemAt disks 0; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; + }; + ESP = { + size = "256M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid1"; + }; + }; + }; + }; + }; + two = { + type = "disk"; + device = builtins.elemAt disks 1; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; + }; + ESP = { + size = "256M"; + type = "EF00"; + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid1"; + }; + }; + }; + }; + }; + }; + mdadm = { + raid1 = { + type = "mdadm"; + level = 1; + content = { + type = "luks"; + name = "crypted"; + extraOpenArgs = [ "--allow-discards" ]; + settings = { + allowDiscards = true; + keyFile = "/tmp/secret.key"; + }; + additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + #initrdUnlock = true; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; + }; + }; + }; +} diff --git a/systems/x86_64-linux/mx/users.nix b/systems/x86_64-linux/mx/users.nix new file mode 100644 index 0000000..9564832 --- /dev/null +++ b/systems/x86_64-linux/mx/users.nix 
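Review bot: `settings.keyFile = "/tmp/secret.key"` and `additionalKeyFiles = [ "/tmp/additionalSecret.key" ]` are install-time paths, and if disko forwards `settings` into `boot.initrd.luks.devices.crypted` (the device hardware-configuration.nix also configures by hand) the initrd is told to look for a key that does not exist at boot; please confirm the actual unlock path (`fallbackToPassword`, or an initrd key source not visible here) rather than relying on it working by accident. Also make sure both install-time key files were shredded after `disko` ran; the extra slot enrolled from `additionalSecret.key` stays valid until removed with `cryptsetup luksKillSlot`. `allowDiscards`/`--allow-discards` is the usual TRIM-versus-metadata-leak trade-off and deserves a one-line comment, e.g. `# TRIM passthrough reveals block usage patterns; accepted for SSD longevity`.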
@@ -0,0 +1,23 @@ +{ pkgs, lib, ... }: +{ + # Herward + users.users.hhoyer = { + shell = pkgs.bash; + isNormalUser = true; + description = "hhoyer"; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCIlCnBiRkm8i/UQaTDv2UCO+mEzPC5OQ0e+DlzS1GVmJEjH5BqPosEivvDQheQP7WWNZOCWoHqAg8vvH8QpSA6AOqruvsWrbY1TmoMc4TlulgyEK5/z9aw/t3WUkQjj+fYeQbQXSNeT7pplN3hB49MCXAQNJ+LxnnntrZhp7tHRAsJFlGgK6NGFapCizeYt9DOqeh2KGTd+x9TXTa96ccWQTRovE5xWP/8X7LoejCl7sfe2dymeByU465Do+mvDs2DbyKI1XHlLpPZihsyxyU1/K0B9VF92U486vh8Ep3fnTgpu7D9n0KdN0wGMfSmH75rtrYZPiGvu6Qy0YzV6MUN newkex" + ]; + }; + + # Hartwin + users.users.hartwin = { + shell = pkgs.bash; + isNormalUser = true; + description = "hartwin"; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjeTezn11UITzlqfOS9U3/sOdEJ4au5MSo/vNUcMHVIfKWLXfOWH6skB2kVrRcSlevNydgWtmQfA/xD7n7Syx4esWLvaUUwRO75QNz8TJq9dgItxi6R+bxWlUqN79aAmNWQH6yftBs+bLDtTg7XABZYe2z53UcfLtG0iQOHG6mftcOL2YKyzdtd/1F7jgMmy2HJ1LzsFNb57hBQvA3cg+hDwXKfptrDh/8Xysm110vMj74T2ANbhmE3wT25PmUMN7B/sx0m7Rm7jg3COyLq6/MZzoFGyl+Kd9vxTPzp76aSq7bI70qGUzcq2aX6UnlkcrrAz2bzZBi5RMOHYO3QPmP hlh@aiur.localdomain" + ]; + }; + +} diff --git a/systems/x86_64-linux/sgx/backup.nix b/systems/x86_64-linux/sgx/backup.nix new file mode 100644 index 0000000..54b0023 --- /dev/null +++ b/systems/x86_64-linux/sgx/backup.nix 
@@ -0,0 +1,76 @@ +{ pkgs, lib, config, ... }: +let + backup_new_path = "/mnt/raid/backup/hoyer/new/"; + restic_repo = "/mnt/backup/restic-repo"; +in +{ + services.restic.backups.hoyer_new = { + repository = restic_repo; + passwordFile = config.sops.secrets.backup-pw.path; + timerConfig = { + OnCalendar = "daily"; + FixedRandomDelay = true; + RandomizedDelaySec = "4h"; + Persistent = true; + }; + paths = [ backup_new_path ]; + pruneOpts = [ + "-g host,paths" + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + "--keep-yearly 1" + ]; + backupPrepareCommand = '' + HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh" --exclude-from /root/excludelist --no-specials --no-devices --numeric-ids --delete-after --partial -axz backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path} + ''; + }; + + services.restic.backups.self = { + repository = restic_repo; + #repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup"; + passwordFile = config.sops.secrets.backup-pw.path; + timerConfig = { + OnCalendar = "daily"; + FixedRandomDelay = true; + RandomizedDelaySec = "4h"; + Persistent = true; + }; + paths = [ + "/etc" + "/var" + "/home" + "/root" + "/persist" + config.services.samba.shares.Qmultimedia.path + ]; + extraBackupArgs = + let + ignorePatterns = [ + "/mnt/raid/backup" + "/mnt/backup" + "/mnt/snap" + "/var/cache" + "/home/*/.local/share/Trash" + "/home/*/.cache" + "/home/*/Downloads" + "/home/*/.npm" + "/home/*/.local/share/containers" + ".cache" + ".tmp" + ".log" + ".Trash" + ]; + ignoreFile = builtins.toFile "ignore" + (lib.foldl (a: b: a + "\n" + b) "" ignorePatterns); + in + [ "--exclude-file=${ignoreFile}" ]; + pruneOpts = [ + "-g host,paths" + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + "--keep-yearly 1" + ]; + }; +} diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix index 366dd24..deb3edb 100644 --- a/systems/x86_64-linux/sgx/default.nix +++ b/systems/x86_64-linux/sgx/default.nix 
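Review bot: The `backupPrepareCommand` rsync connects to `backup@mx.surfsite.org` over plain `ssh` with no host-key pinning in the configuration, so it depends on whatever `/root/.ssh/known_hosts` on sgx currently contains; a DNS or routing hijack of that name would either hang the unit on a host-key prompt or, if strict checking has been relaxed there, let an impostor feed arbitrary data into the restic repository. Declare the key, e.g. `programs.ssh.knownHosts."mx.surfsite.org".publicKey = "ssh-ed25519 …";`, or pass `-e "ssh -o StrictHostKeyChecking=yes"` so the behaviour is explicit. `--exclude-from /root/excludelist` is likewise a mutable file outside this repository; inlining it with `builtins.toFile` the way the `self` backup does for `ignorePatterns` would keep both jobs reproducible.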
@@ -1,10 +1,11 @@
 { pkgs, lib, config, ... }:
-let
-  backup_new_path = "/mnt/raid/backup/hoyer/new/";
-  restic_repo = "/mnt/backup/restic-repo";
-in
 {
-  imports = [ ./hardware-configuration.nix ];
+  imports = [
+    ./hardware-configuration.nix
+    ./fileserver.nix
+    ./backup.nix
+    ./network.nix
+  ];
 
   sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
   sops.secrets.backup-pw.sopsFile = ../../../.secrets/sgx/backup-s3.yaml;
@@ -22,8 +23,12 @@ in
     user.extraGroups = [ "docker" "sgx" ];
   };
 
-  virtualisation.docker.enable = true;
-  virtualisation.podman.dockerCompat = false;
+  virtualisation = {
+    docker.enable = true;
+    libvirtd.enable = true;
+    podman.dockerCompat = false;
+  };
+  systemd.services.libvirt-guests.after = [ "network-online.target" ];
 
   system.autoUpgrade = {
     enable = true;
@@ -31,15 +36,8 @@ in
     allowReboot = true;
   };
 
-  security.tpm2.enable = false;
-  security.tpm2.abrmd.enable = false;
-  services.pcscd.enable = true;
-  powerManagement.cpuFreqGovernor = "ondemand";
-
-  system.stateVersion = "23.11";
-
   environment.etc."sgx_default_qcnl.conf".text = ''
     {
       "pccs_url": "https://127.0.0.1:8081/sgx/certification/v4/",
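Review bot: `services.pcscd.enable = true;` is removed in the third hunk but, unlike the `security.tpm2.*` and `powerManagement.cpuFreqGovernor` lines it sits between, it is not re-added in any hunk of this patch — the hardware-configuration.nix hunk only carries those two — so the smart-card daemon silently disappears from sgx. If that is intended the commit message should say so; otherwise it belongs in one of the split-out files, e.g. `services.pcscd.enable = true;` next to the tpm2 settings. Either way a one-line comment on the `environment.etc."sgx_default_qcnl.conf"` block saying that the PCCS at `127.0.0.1:8081` is the local caching service the quote verifier talks to would help the next reader; that block continues past the end of this hunk.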
@@ -53,190 +51,5 @@ in
   }
 '';
-  services.netatalk = {
-    enable = true;
-    settings = {
-      Homes = {
-        "basedir regex" = "/home";
-        path = "Public";
-      };
-      time-machine = {
-        path = "/mnt/backup/tm_share";
-        "valid users" = "harald";
-        "time machine" = true;
-      };
-      Qmultimedia = {
-        path = "/mnt/raid/Qmultimedia";
-      };
-    };
-  };
-
-  services.avahi = {
-    enable = true;
-    nssmdns = true;
-    publish = {
-      enable = true;
-      userServices = true;
-    };
-  };
-
-  services.samba = {
-    enable = true;
-    securityType = "user";
-    extraConfig = ''
-      read raw = Yes
-      write raw = Yes
-      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
-      min receivefile size = 16384
-      use sendfile = true
-      aio read size = 16384
-      aio write size = 16384
-      workgroup = WORKGROUP
-      server string = sgx
-      netbios name = sgx
-      security = user
-      #max protocol = smb2
-      hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
-      hosts deny = ALL
-      guest account = nobody
-      map to guest = bad user
-    '';
-    shares = {
-      # public = {
-      #   path = "/mnt/Shares/Public";
-      #   browseable = "yes";
-      #   "read only" = "no";
-      #   "guest ok" = "yes";
-      #   "create mask" = "0644";
-      #   "directory mask" = "0755";
-      #   "force user" = "username";
-      #   "force group" = "groupname";
-      # };
-      Qmultimedia = {
-        path = "/mnt/raid/Qmultimedia";
-        browseable = "yes";
-        "read only" = "no";
-        "guest ok" = "no";
-        "create mask" = "0644";
-        "directory mask" = "0755";
-        "force user" = "harald";
-        "force group" = "users";
-      };
-    };
-  };
-
-  services.restic.backups.hoyer_new = {
-    repository = restic_repo;
-    passwordFile = config.sops.secrets.backup-pw.path;
-    timerConfig = {
-      OnCalendar = "daily";
-      FixedRandomDelay = true;
-      RandomizedDelaySec = "4h";
-      Persistent = true;
-    };
-    paths = [ backup_new_path ];
-    pruneOpts = [
-      "-g host,paths"
-      "--keep-daily 7"
-      "--keep-weekly 4"
-      "--keep-monthly 3"
-      "--keep-yearly 1"
-    ];
-    backupPrepareCommand = ''
-      HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh"
--exclude-from /root/excludelist --no-specials --no-devices --numeric-ids --delete-after --partial -axz backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path}
-    '';
-  };
-
-  services.restic.backups.self = {
-    repository = restic_repo;
-    #repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup";
-    passwordFile = config.sops.secrets.backup-pw.path;
-    timerConfig = {
-      OnCalendar = "daily";
-      FixedRandomDelay = true;
-      RandomizedDelaySec = "4h";
-      Persistent = true;
-    };
-    paths = [
-      "/etc"
-      "/var"
-      "/home"
-      "/root"
-      "/persist"
-      config.services.samba.shares.Qmultimedia.path
-    ];
-    extraBackupArgs =
-      let
-        ignorePatterns = [
-          "/mnt/raid/backup"
-          "/mnt/backup"
-          "/mnt/snap"
-          "/var/cache"
-          "/home/*/.local/share/Trash"
-          "/home/*/.cache"
-          "/home/*/Downloads"
-          "/home/*/.npm"
-          "/home/*/.local/share/containers"
-          ".cache"
-          ".tmp"
-          ".log"
-          ".Trash"
-        ];
-        ignoreFile = builtins.toFile "ignore"
-          (lib.foldl (a: b: a + "\n" + b) "" ignorePatterns);
-      in
-      [ "--exclude-file=${ignoreFile}" ];
-    pruneOpts = [
-      "-g host,paths"
-      "--keep-daily 7"
-      "--keep-weekly 4"
-      "--keep-monthly 3"
-      "--keep-yearly 1"
-    ];
-  };
-
-  systemd.services.libvirt-guests.after = [ "network-online.target" ];
-  virtualisation.libvirtd.enable = true;
-
-  networking.hostName = "sgx"; # Define your hostname.
-  networking.useDHCP = false;
-
-  #networking.domain = "fritz.box";
-  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
-  networking.networkmanager.enable = false; # use networkd
-  networking.dhcpcd.enable = false; # use networkd
-  # services.nscd.enableNsncd = false;
-
-  # systemd-networkd
-  systemd.network.enable = true;
-  #systemd.network.wait-online.anyInterface = true;
-  #systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
-
-  systemd.network.networks."10-br0" = {
-    matchConfig.Name = "br0";
-    DHCP = "yes";
-    linkConfig.RequiredForOnline = "routable";
-    linkConfig.RequiredFamilyForOnline = "both";
-  };
-
-  systemd.network.netdevs."br0" = {
-    netdevConfig = {
-      Name = "br0";
-      Kind = "bridge";
-      MACAddress = "00:a1:2f:68:07:ea";
-    };
-  };
-
-  systemd.network.networks."11-en" = {
-    linkConfig.RequiredForOnline = "enslaved";
-    matchConfig.Name = "enp3s0";
-    networkConfig = {
-      Bridge = "br0";
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 548 ];
-  networking.firewall.allowPing = true;
-  services.samba.openFirewall = true;
-
+  system.stateVersion = "23.11";
 }
diff --git a/systems/x86_64-linux/sgx/fileserver.nix b/systems/x86_64-linux/sgx/fileserver.nix
new file mode 100644
index 0000000..975230f
--- /dev/null
+++ b/systems/x86_64-linux/sgx/fileserver.nix
@@ -0,0 +1,75 @@
+{ pkgs, lib, config, ... }:
+{
+  services.netatalk = {
+    enable = true;
+    settings = {
+      Homes = {
+        "basedir regex" = "/home";
+        path = "Public";
+      };
+      time-machine = {
+        path = "/mnt/backup/tm_share";
+        "valid users" = "harald";
+        "time machine" = true;
+      };
+      Qmultimedia = {
+        path = "/mnt/raid/Qmultimedia";
+      };
+    };
+  };
+
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+    publish = {
+      enable = true;
+      userServices = true;
+    };
+  };
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    securityType = "user";
+    extraConfig = ''
+      read raw = Yes
+      write raw = Yes
+      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
+      min receivefile size = 16384
+      use sendfile = true
+      aio read size = 16384
+      aio write size = 16384
+      workgroup = WORKGROUP
+      server string = sgx
+      netbios name = sgx
+      security = user
+      #max protocol = smb2
+      hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
+      hosts deny = ALL
+      guest account = nobody
+      map to guest = bad user
+    '';
+    shares = {
+      # public = {
+      #   path = "/mnt/Shares/Public";
+      #   browseable = "yes";
+      #   "read only" = "no";
+      #   "guest ok" = "yes";
+      #   "create mask" = "0644";
+      #   "directory mask" = "0755";
+      #   "force user" = "username";
+      #   "force group" = "groupname";
+      # };
+      Qmultimedia = {
+        path = "/mnt/raid/Qmultimedia";
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "harald";
+        "force group" = "users";
+      };
+    };
+  };
+}
diff --git a/systems/x86_64-linux/sgx/hardware-configuration.nix b/systems/x86_64-linux/sgx/hardware-configuration.nix
index 6f5a55f..694914f 100644
--- a/systems/x86_64-linux/sgx/hardware-configuration.nix
+++ b/systems/x86_64-linux/sgx/hardware-configuration.nix
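Review bot: `hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1` in the samba `extraConfig` admits the whole `2003::/16` block — an entire provider's address space, not this site's delegated prefix — and since `openFirewall = true` sits in the same block the firewall does not narrow it either, so any host in that /16 can reach the authenticated SMB service; the `services.netatalk` block above it has no host restriction visible at all. Narrow the entry to the delegated /56 or /64 (or a ULA range) and say why, e.g. `hosts allow = 192.168.178. 127.0.0.1 localhost <delegated-prefix>/64 ::1  # LAN only; the v6 prefix is what the router delegates`. Also worth a one-line comment: `"force user" = "harald"` together with `"read only" = "no"` means every authenticated samba user writes to `/mnt/raid/Qmultimedia` as harald, which is fine for a single-user NAS but surprising otherwise. Depending on the pinned nixpkgs, `nssmdns = true` may have been renamed to `nssmdns4` and now only warns; the flake inputs are not in this view.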
@@ -57,4 +57,8 @@
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  security.tpm2.enable = false;
+  security.tpm2.abrmd.enable = false;
+  powerManagement.cpuFreqGovernor = "ondemand";
 }
diff --git a/systems/x86_64-linux/sgx/network.nix b/systems/x86_64-linux/sgx/network.nix
new file mode 100644
index 0000000..dce7335
--- /dev/null
+++ b/systems/x86_64-linux/sgx/network.nix
@@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+{
+  networking.hostName = "sgx"; # Define your hostname.
+  networking.useDHCP = false;
+
+  #networking.domain = "fritz.box";
+  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = false; # use networkd
+  networking.dhcpcd.enable = false; # use networkd
+  # services.nscd.enableNsncd = false;
+
+  # systemd-networkd
+  systemd.network.enable = true;
+  #systemd.network.wait-online.anyInterface = true;
+  #systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+
+  systemd.network.networks."10-br0" = {
+    matchConfig.Name = "br0";
+    DHCP = "yes";
+    linkConfig.RequiredForOnline = "routable";
+    linkConfig.RequiredFamilyForOnline = "both";
+  };
+
+  systemd.network.netdevs."br0" = {
+    netdevConfig = {
+      Name = "br0";
+      Kind = "bridge";
+      MACAddress = "00:a1:2f:68:07:ea";
+    };
+  };
+
+  systemd.network.networks."11-en" = {
+    linkConfig.RequiredForOnline = "enslaved";
+    matchConfig.Name = "enp3s0";
+    networkConfig = {
+      Bridge = "br0";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 548 ];
+  networking.firewall.allowPing = true;
+}
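Review bot: The `security.tpm2.*` and `powerManagement.cpuFreqGovernor` settings are moved into hardware-configuration.nix, the file `nixos-generate-config` rewrites; if that file is ever regenerated on this host the hand-added lines vanish silently, with the TPM stack coming back enabled. Keeping policy out of the generated file — in default.nix, or in the new network.nix/fileserver.nix style as a small `platform.nix` — avoids that, and the lines deserve a reason either way, e.g. `# TPM2 stack disabled on purpose: not used for attestation here, SGX/DCAP is (see sgx_default_qcnl.conf)`; that rationale is my inference from the surrounding config, so adjust it to the real one.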
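Review bot: `networking.firewall.allowedTCPPorts = [ 548 ];` in network.nix opens AFP on every interface without saying what it serves; the consumer is netatalk's `time-machine` share over in fileserver.nix, and unlike samba there is no `hosts allow` on the netatalk side in this patch, so this firewall rule is the only gate. A comment makes the cross-file dependency visible, e.g. `networking.firewall.allowedTCPPorts = [ 548 ]; # AFP for netatalk/Time Machine (fileserver.nix) — netatalk has no host ACL, firewall is the only gate`. The pinned `MACAddress = "00:a1:2f:68:07:ea"` on br0 also deserves a line saying it keeps the DHCP lease stable across bridge re-creation, if that is the reason; I can only infer it from the `DHCP = "yes"` on the same bridge.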