harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

add mx

Browse source 
Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
This commit is contained in:
Harald Hoyer 2024-03-21 09:12:32 +01:00
parent 143cc1742a
commit c263669ad7
22 changed files with 1274 additions and 201 deletions
Download patch file Download diff file Expand all files Collapse all files

79
systems/x86_64-linux/mx/acme.nix Normal file
View file

@ -0,0 +1,79 @@
{ pkgs, lib, config, ... }:
{
sops.secrets.internetbs = {
sopsFile = ../../../.secrets/hetzner/internetbs.yaml; # bring your own password file
};
security.acme = {
acceptTerms = true;
defaults = {
email = "harald@hoyer.xyz";
dnsProvider = "internetbs";
credentialsFile = config.sops.secrets.internetbs.path;
};
certs = {
"mx.surfsite.org" = { };
"surfsite.org" = {
extraDomainNames = [
"*.surfsite.org"
];
};
"hoyer.xyz" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.xyz"
"*.harald.hoyer.xyz"
"*.hartwin.hoyer.xyz"
];
};
"hoyer.world" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.world"
"*.harald.hoyer.world"
"*.hartwin.hoyer.world"
];
};
"hoyer.social" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.social"
"*.harald.hoyer.social"
"*.hartwin.hoyer.social"
];
};
"hoyer.photos" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.photos"
"*.harald.hoyer.photos"
"*.hartwin.hoyer.photos"
];
};
"harald-hoyer.de" = {
extraDomainNames = [
"*.harald-hoyer.de"
];
};
"hartwin-hoyer.de" = {
extraDomainNames = [
"*.hartwin-hoyer.de"
];
};
"varlink.org" = {
extraDomainNames = [
"*.varlink.org"
];
};
};
};
}

18
systems/x86_64-linux/mx/backup.nix Normal file
View file

@ -0,0 +1,18 @@
{ pkgs, lib, ... }:
{
users.users.backup = {
shell = pkgs.bash;
isNormalUser = true;
openssh.authorizedKeys.keys = [
"restrict,command=\"/run/wrappers/bin/rrsync -ro /\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGdtB6BFdXN+cRepkzWhbG5KRIM5nXmHiw1K+CEhGihwWsNVKGgU/q4rePK6PVNflTIoHUfL30jkA7H8VpSzu0XOa97Tqf+sF9VQOFrMjpf2rOWv38nc2GnKpnUu68c17KRZ+i8cnPZH0VUqRzaY/1IPMFH3OYO4qHJAEN5oAsyMFI9pbqFLqRnwNALjxf8fUvR/XB88zt3P34vFFer15FtLr4dlIzoEFGdUSOErmGJGmDzTptMqi/t0kn2AgaBKzMxwGTDUj6adU6KKBERj4ii3ekOrPwcNjsws3Mtlm5p8ycUkwUFoIiXukF6XRzCRSWMbZOgSnu2TfC6jRRrdbMNWn4QGF/jdBvvKcBoD4sChzpG6aF4m+7ue0QuHES7Kd2Rwnq0jbesGuBnRciDN+jssGvxZKX7XEialuXiaTQ4jPUA4zgWq474CR6ksuxpUDlKpH+leWPLtuKlhEZZnJHCMhz8Ewk/ZwiNSbLO97cwJciBM71orGWpFxHciT1QE= root@sgx"
];
};
security.wrappers.rrsync = {
source = "${pkgs.rrsync.out}/bin/rrsync";
owner = "backup";
group = "users";
permissions = "u=rwx,g=,o=";
capabilities = "cap_dac_read_search=+ep";
};
}

70
systems/x86_64-linux/mx/default.nix Normal file
View file

@ -0,0 +1,70 @@
{ pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
./rspamd.nix
./goaccess.nix
./nextcloud.nix
./backup.nix
./users.nix
./kicker.nix
./mailserver.nix
./acme.nix
./forgejo.nix
./nginx.nix
./network.nix
];
metacfg = {
base.enable = true;
nix.enable = true;
podman.enable = true;
secureboot.enable = false;
};
security = {
tpm2.enable = lib.mkDefault true;
tpm2.abrmd.enable = lib.mkDefault true;
};
system.autoUpgrade = {
enable = true;
operation = "switch";
allowReboot = true;
flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx";
};
environment.systemPackages = with pkgs; [
age
apacheHttpd # for mkpasswd
efibootmgr
fgallery
git
htop
mdadm
rrsync
tpm2-pkcs11
tpm2-pkcs11.out
tpm2-tools
zola
];
sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
services.openssh = {
enable = true;
hostKeys = [
{
path = "/var/lib/secrets/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/var/lib/secrets/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
system.stateVersion = "23.05";
}

54
systems/x86_64-linux/mx/forgejo.nix Normal file
View file

@ -0,0 +1,54 @@
{ pkgs, lib, config, ... }:
{
sops.secrets."postgres/gitea_dbpass" = {
sopsFile = ../../../.secrets/hetzner/postgres.yaml; # bring your own password file
owner = config.services.forgejo.user;
};
services.forgejo = {
enable = true;
user = "gitea";
group = "gitea";
stateDir = "/var/lib/gitea";
database = {
name = "gitea";
user = "gitea";
type = "postgres";
passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
};
settings.service.DISABLE_REGISTRATION = true;
settings.server = {
DOMAIN = "git.hoyer.xyz";
ROOT_URL = "https://git.hoyer.xyz/";
HTTP_PORT = 3001;
};
settings.log.LEVEL = "Warn";
};
users.users.gitea = {
home = "/var/lib/gitea";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
users.groups.gitea = { };
services.postgresql = {
package = pkgs.postgresql_14;
ensureDatabases = [
config.services.forgejo.database.name
"nextcloud"
];
ensureUsers = [
{
name = config.services.forgejo.database.user;
ensureDBOwnership = true;
}
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
};
}

26
systems/x86_64-linux/mx/goaccess.nix Normal file
View file

@ -0,0 +1,26 @@
{ pkgs, lib, ... }:
{
systemd.timers."goaccess" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/15";
Unit = "goaccess.service";
};
};
systemd.services."goaccess" = {
script = ''
set -eu
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/index.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^harald.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/harald-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^hartwin.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/hartwin-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^git.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/git-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^nc.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/nc-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^kicker.surfsite.org' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/kicker.html -
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
}

43
systems/x86_64-linux/mx/hardware-configuration.nix Normal file
View file

@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.luks.devices.crypted = {
device = "/dev/md/raid1";
preLVM = true;
};
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"sd_mod"
"tpm"
"tpm_tis"
"trusted"
"tpm_crb"
"tpm_tis_core"
"rng_core"
];
boot.swraid.enable = true;
boot.swraid.mdadmConf = ''
MAILADDR admin@hoyer.xyz
'';
disko.devices = import ./server-raid.nix {
inherit lib;
disks = [ "/dev/sda" "/dev/sdb" ];
};
swapDevices = [{ device = "/swapfile"; }];
}

17
systems/x86_64-linux/mx/kicker.nix Normal file
View file

@ -0,0 +1,17 @@
{ pkgs, lib, ... }:
{
virtualisation.oci-containers.containers = {
kicker = {
image = "quay.io/kicker/kicker:live";
ports = [ "127.0.0.1:8087:80" ];
volumes = [
"/home/hartwin/kicker/.htaccess:/app/public/.htaccess"
"/home/hartwin/kicker/.htpasswd:/app/public/.htpasswd"
"/home/hartwin/kicker/live.db:/app/db/data/current.db"
];
extraOptions = [
"--pull=always"
];
};
};
}

232
systems/x86_64-linux/mx/mailserver.nix Normal file
View file

@ -0,0 +1,232 @@
{ pkgs, lib, config, ... }:
{
mailserver = {
enable = true;
fqdn = "mx.surfsite.org";
sendingFqdn = "mx.surfsite.org";
domains = [
"harald-hoyer.de"
"hartwin-hoyer.de"
"herward-hoyer.de"
"meike-knutz.de"
"gerlinde-hoyer.de"
"hoyer.xyz"
"nc.hoyer.xyz"
"harald.hoyer.xyz"
"varlink.org"
"surfsite.org"
"myprivacy.tools"
"hoyer.social"
"hoyer.world"
"hoyer.photos"
"harald.hoyer.photos"
"hartwin.hoyer.photos"
"mx.surfsite.org"
];
extraVirtualAliases = {
"max@hoyer.xyz" = [
"harald@hoyer.xyz"
"mh@hoyer.xyz"
];
"felix@hoyer.xyz" = [
"harald@hoyer.xyz"
"mh@hoyer.xyz"
];
"muh@hoyer.xyz" = [
"harald@hoyer.xyz"
"mh@hoyer.xyz"
];
"kicker@surfsite.org" = [
"harald@hoyer.xyz"
"hartwin@hoyer.xyz"
];
};
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"mh@hoyer.xyz" = {
hashedPasswordFile = "/home/harald/secrets/mh@hoyer.xyz";
aliases = [
"meike@harald-hoyer.de"
"meike@meike-knutz.de"
"meike.hoyer@meike-knutz.de"
"meike@hoyer.xyz"
];
};
"alex@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/alex-mail";
aliases = [
"alex@hartwin-hoyer.de"
"alex.hoyer@hartwin-hoyer.de"
"alex@surfsite.org"
"alex.hoyer@surfsite.org"
"alexander@hoyer.xyz"
];
};
"jan@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/jan-mail";
aliases = [
"jan@hartwin-hoyer.de"
"jan.hoyer@hartwin-hoyer.de"
"jan@surfsite.org"
"jan.hoyer@surfsite.org"
];
};
"hannah@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/hannah-mail";
aliases = [
"hannah@hartwin-hoyer.de"
"hannah.hoyer@hartwin-hoyer.de"
"hannah@surfsite.org"
"hannah.hoyer@surfsite.org"
];
};
"steffi@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/steffi-mail";
aliases = [
"steffi@surfsite.org"
"stefaniehoyer@surfsite.org"
"stefanie.hoyer@surfsite.org"
"stefanie.hoyer@hoyer.xyz"
"stefanie@hoyer.xyz"
];
};
"hartwin@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/hartwin-mail";
aliases = [
"hartwin.hoyer@hartwin-hoyer.de"
"mail@hartwin-hoyer.de"
"hartwin@hartwin-hoyer.de"
"youtube@hartwin-hoyer.de"
"hartwin@nc.hoyer.xyz"
"hartwin@hoyer.photos"
"webmaster@hartwin.hoyer.photos"
];
};
"hhoyer@herward-hoyer.de" = {
hashedPasswordFile = "/home/hhoyer/secrets/hhoyer-mail";
aliases = [
"herward@herward-hoyer.de"
"herward@vs189018.vserver.de"
"gua808@herward-hoyer.de"
"mail@herward-hoyer.de"
"herward.hoyer@herward-hoyer.de"
"hhoyer@surfsite.org"
"hhoyer@hoyer.xyz"
"herward@hoyer.xyz"
"herward@nc.hoyer.xyz"
];
};
"harald@hoyer.xyz" = {
hashedPasswordFile = "/home/harald/secrets/harald@hoyer.xyz";
aliases = [
"harald@mx.surfsite.org"
"root@mx.surfsite.org"
"abuse@mx.surfsite.org"
"abuse@surfsite.org"
"abuse@hartwin-hoyer.de"
"abuse@herward-hoyer.de"
"abuse@meike-knutz.de"
"abuse@gerlinde-hoyer.de"
"abuse@hoyer.xyz"
"abuse@harald.hoyer.xyz"
"abuse@varlink.org"
"abuse@myprivacy.tools"
"abuse@hoyer.social"
"abuse@hoyer.world"
"abuse@hoyer.photos"
"postmaster@mx.surfsite.org"
"postmaster@surfsite.org"
"postmaster@hartwin-hoyer.de"
"postmaster@herward-hoyer.de"
"postmaster@meike-knutz.de"
"postmaster@gerlinde-hoyer.de"
"postmaster@hoyer.xyz"
"postmaster@harald.hoyer.xyz"
"postmaster@varlink.org"
"postmaster@myprivacy.tools"
"postmaster@hoyer.social"
"postmaster@hoyer.world"
"postmaster@hoyer.photos"
"webmaster@hoyer.xyz"
"webmaster@surfsite.org"
"webmaster@harald.hoyer.xyz"
"webmaster@varlink.org"
"webmaster@myprivacy.tools"
"webmaster@hoyer.social"
"webmaster@hoyer.world"
"webmaster@hoyer.photos"
"webmaster@harald.hoyer.photos"
"admin@hoyer.xyz"
"admin@harald.hoyer.xyz"
"admin@nc.hoyer.xyz"
"admin@mx.surfsite.org"
"admin@hoyer.social"
"admin@hoyer.world"
"admin@hoyer.photos"
"harald@surfsite.org"
"harald@hoyer.xyz"
"harald@nc.hoyer.xyz"
"harald@varlink.org"
"harald@myprivacy.tools"
"harald@hoyer.world"
"harald@hoyer.social"
"harald@hoyer.photos"
"@harald.hoyer.xyz"
"@harald-hoyer.de"
"paypal-harald@hoyer.xyz"
"photo-harald@hoyer.xyz"
"fb@surfsite.org"
"freifunk@surfsite.org"
"fbc@surfsite.org"
"mine@surfsite.org"
"bitcoin@surfsite.org"
"bitcoin@hoyer.xyz"
"roulette@surfsite.org"
"github@surfsite.org"
"mua@surfsite.org"
"aliexpress@surfsite.org"
# Max
"max@hoyer.xyz"
"max.hoyer@hoyer.xyz"
"maximilian@hoyer.xyz"
"maximilian.hoyer@hoyer.xyz"
# Felix
"felix@hoyer.xyz"
"felix.hoyer@hoyer.xyz"
];
};
};
certificateScheme = "acme";
};
services.roundcube = {
enable = true;
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "webmail.hoyer.xyz";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
}

45
systems/x86_64-linux/mx/network.nix Normal file
View file

@ -0,0 +1,45 @@
{ pkgs, lib, ... }:
{
services.fail2ban.enable = true;
services.resolved.domains = [
"surfsite.org"
"hoyer.xyz"
];
services.resolved.extraConfig = "ReadEtcHosts=no";
services.nscd.enableNsncd = false;
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowPing = true;
networking.hostName = "mx"; # Define your hostname.
networking.domain = "surfsite.org";
networking.dhcpcd.enable = false;
networking.firewall.logRefusedConnections = false;
networking.networkmanager.enable = false;
networking.useDHCP = false;
networking.useNetworkd = true;
networking.wireless.enable = false;
networking.defaultGateway.address = "95.216.66.129";
networking.defaultGateway.interface = "enp0s31f6";
#networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
networking.enableIPv6 = true;
networking.interfaces.enp0s31f6 = {
ipv6 = {
addresses = [{
address = "2a01:4f9:2b:2e3::2"; # Your IPv6 here
prefixLength = 64;
}];
# Default IPv6 route
routes = [{
address = "::";
prefixLength = 0;
via = "fe80::1";
}];
};
ipv4.addresses = [{
address = "95.216.66.178";
prefixLength = 26;
}];
};
}

29
systems/x86_64-linux/mx/nextcloud.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, lib, ... }:
{
systemd.services."nextcloud-setup".requires = [ "postgresql.service" ];
systemd.services."nextcloud-setup".after = [ "postgresql.service" ];
environment.etc."nextcloud-admin-pass".text = "test123";
services.nextcloud = {
enable = true;
package = pkgs.nextcloud28;
hostName = "nc.hoyer.xyz";
https = true;
configureRedis = true;
extraOptions = {
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
};
phpOptions = {
upload_max_filesize = lib.mkForce "1G";
post_max_size = lib.mkForce "1G";
"opcache.interned_strings_buffer" = "16";
};
config.adminpassFile = "/etc/nextcloud-admin-pass";
config.defaultPhoneRegion = "DE";
config.dbtype = "pgsql";
config.dbname = "nextcloud";
config.dbhost = "/run/postgresql";
config.dbuser = "nextcloud";
};
}

166
systems/x86_64-linux/mx/nginx.nix Normal file
View file

@ -0,0 +1,166 @@
{ pkgs, lib, ... }:
{
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
appendHttpConfig = ''
log_format vcombined '$host:$server_port '
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined;
'';
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"00000" = {
useACMEHost = "hoyer.xyz";
serverName = "_";
globalRedirect = "hoyer.xyz";
addSSL = true;
};
"hoyer.photos" = {
enableACME = false;
useACMEHost = "hoyer.photos";
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
};
"hoyer.world" = {
enableACME = false;
useACMEHost = "hoyer.world";
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
};
"hoyer.social" = {
enableACME = false;
useACMEHost = "hoyer.social";
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
};
"hoyer.xyz" = {
# serverName = "hoyer.xyz";
serverAliases = [
"www.hoyer.xyz"
];
useACMEHost = "hoyer.xyz";
enableACME = false;
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
locations."/stats" = {
basicAuthFile = "/var/www/hoyer.xyz/stats.htaccess";
};
};
"surfsite.org" = {
useACMEHost = "surfsite.org";
enableACME = false;
forceSSL = true;
root = "/var/www/surfsite.org";
};
"kicker.surfsite.org" = {
useACMEHost = "surfsite.org";
enableACME = false;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:8087/";
};
};
"git.hoyer.xyz" = {
useACMEHost = "hoyer.xyz";
enableACME = false;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3001/";
};
};
"webmail.hoyer.xyz" = {
useACMEHost = "hoyer.xyz";
enableACME = false;
forceSSL = true;
};
"harald.hoyer.photos" = {
enableACME = true;
forceSSL = true;
root = "/var/www/photo.harald-hoyer.de/html";
};
"photo.harald-hoyer.de" = {
useACMEHost = "harald-hoyer.de";
forceSSL = true;
root = "/var/www/photo.harald-hoyer.de/html";
};
"photo-harald.hoyer.xyz" = {
serverAliases = [ "photo.harald.hoyer.xyz" ];
useACMEHost = "hoyer.xyz";
forceSSL = true;
root = "/var/www/photo.harald-hoyer.de/html";
};
"harald-hoyer.de" = {
serverAliases = [
"www.harald-hoyer.de"
];
useACMEHost = "harald-hoyer.de";
globalRedirect = "harald.hoyer.xyz";
forceSSL = true;
};
"harald.hoyer.xyz" = {
serverAliases = [
"www.harald.hoyer.xyz"
];
useACMEHost = "hoyer.xyz";
root = "/var/www/harald.hoyer.xyz/html/";
extraConfig = ''
rewrite ^/feed/rss$ /rss.xml permanent;
rewrite ^/feed/rss/$ /rss.xml permanent;
rewrite ^/feed/$ /rss.xml permanent;
rewrite ^/feed/rss/index.html$ /rss.xml permanent;
rewrite ^/fedora/fedora/RSS2$ /tags/fedora/rss.xml permanent;
rewrite ^/linux/linux/RSS2$ /tags/linux/rss.xml permanent;
rewrite ^/linux/feed$ /tags/linux/rss.xml permanent;
rewrite ^/wp-rss2.php$ /rss.xml permanent;
rewrite ^/aggregator/rss.xml$ /rss.xml permanent;
rewrite ^/personal/blog/aggregator/RSS$ /rss.xml permanent;
rewrite ^/personal/blog/aggregator/RSS2$ /rss.xml permanent;
rewrite ^/aggregator/RSS$ /rss.xml permanent;
rewrite ^/aggregator/RSS2$ /rss.xml permanent;
rewrite ^/wp-commentsrss2.php$ /rss.xml permanent;
'';
forceSSL = true;
};
"hartwin-hoyer.de" = {
serverAliases = [
"www.hartwin-hoyer.de"
];
useACMEHost = "hartwin-hoyer.de";
globalRedirect = "hartwin.hoyer.xyz";
forceSSL = true;
};
"hartwin.hoyer.xyz" = {
serverAliases = [
"testhartwin.hoyer.xyz"
"www.hartwin.hoyer.xyz"
];
useACMEHost = "hoyer.xyz";
root = "/var/www/hartwin.hoyer.xyz/html/";
forceSSL = true;
};
"nc.hoyer.xyz" = {
useACMEHost = "hoyer.xyz";
forceSSL = true;
};
};
};
}

40
systems/x86_64-linux/mx/rspamd.nix Normal file
View file

@ -0,0 +1,40 @@
{ pkgs, lib, ... }:
{
services.rspamd.workers.controller.bindSockets = [{
socket = "/run/rspamd/worker-controller.sock";
mode = "0660";
}];
services.rspamd.locals = {
"maps.d/spf_whitelist.inc.local" = {
text = ''
epicgames.com
dmail.ai
'';
};
"maps.d/spf_dkim_whitelist.inc.local" = {
text = ''
epicgames.com
dmail.ai
'';
};
"maps.d/dmarc_whitelist.inc.local" = {
text = ''
epicgames.com
dmail.ai
'';
};
"greylist-whitelist-domains.inc" = {
text = ''
dmail.ai
epicgames.com
'';
};
};
services.rspamd.extraConfig = ''
actions {
reject = null;
greylist = 4; # Apply greylisting when reaching this score
add_header = 4; # Add header when reaching this score
}
'';
}

79
systems/x86_64-linux/mx/server-raid.nix Normal file
View file

@ -0,0 +1,79 @@
{ disks ? [ "/dev/sda" "/dev/sdb" ], ... }: {
disk = {
one = {
type = "disk";
device = builtins.elemAt disks 0;
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "256M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = builtins.elemAt disks 1;
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "256M";
type = "EF00";
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "luks";
name = "crypted";
extraOpenArgs = [ "--allow-discards" ];
settings = {
allowDiscards = true;
keyFile = "/tmp/secret.key";
};
additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
#initrdUnlock = true;
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
};
};
}

23
systems/x86_64-linux/mx/users.nix Normal file
View file

@ -0,0 +1,23 @@
{ pkgs, lib, ... }:
{
# Herward
users.users.hhoyer = {
shell = pkgs.bash;
isNormalUser = true;
description = "hhoyer";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCIlCnBiRkm8i/UQaTDv2UCO+mEzPC5OQ0e+DlzS1GVmJEjH5BqPosEivvDQheQP7WWNZOCWoHqAg8vvH8QpSA6AOqruvsWrbY1TmoMc4TlulgyEK5/z9aw/t3WUkQjj+fYeQbQXSNeT7pplN3hB49MCXAQNJ+LxnnntrZhp7tHRAsJFlGgK6NGFapCizeYt9DOqeh2KGTd+x9TXTa96ccWQTRovE5xWP/8X7LoejCl7sfe2dymeByU465Do+mvDs2DbyKI1XHlLpPZihsyxyU1/K0B9VF92U486vh8Ep3fnTgpu7D9n0KdN0wGMfSmH75rtrYZPiGvu6Qy0YzV6MUN newkex"
];
};
# Hartwin
users.users.hartwin = {
shell = pkgs.bash;
isNormalUser = true;
description = "hartwin";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjeTezn11UITzlqfOS9U3/sOdEJ4au5MSo/vNUcMHVIfKWLXfOWH6skB2kVrRcSlevNydgWtmQfA/xD7n7Syx4esWLvaUUwRO75QNz8TJq9dgItxi6R+bxWlUqN79aAmNWQH6yftBs+bLDtTg7XABZYe2z53UcfLtG0iQOHG6mftcOL2YKyzdtd/1F7jgMmy2HJ1LzsFNb57hBQvA3cg+hDwXKfptrDh/8Xysm110vMj74T2ANbhmE3wT25PmUMN7B/sx0m7Rm7jg3COyLq6/MZzoFGyl+Kd9vxTPzp76aSq7bI70qGUzcq2aX6UnlkcrrAz2bzZBi5RMOHYO3QPmP hlh@aiur.localdomain"
];
};
}