harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

add mx

Browse source 
Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
This commit is contained in:
Harald Hoyer 2024-03-21 09:12:32 +01:00
parent 143cc1742a
commit c263669ad7
22 changed files with 1274 additions and 201 deletions
Download patch file Download diff file Expand all files Collapse all files

106
flake.lock generated
View file

@ -16,6 +16,22 @@
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"bufdelete-nvim": {
"flake": false,
"locked": {
@ -524,6 +540,22 @@
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1650374568,
@ -1261,6 +1293,36 @@
"type": "github"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1704290814,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-23_11": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"nixpkgs-lib": {
"locked": {
"dir": "lib",
@ -1999,6 +2061,7 @@
"neovim-flake": "neovim-flake",
"nixpkgs": "nixpkgs_4",
"nixsgx-flake": "nixsgx-flake",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"snowfall-lib": "snowfall-lib_2",
"sops-nix": "sops-nix",
"unstable": "unstable"
@ -2088,6 +2151,32 @@
"type": "github"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_4",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-23_05": "nixpkgs-23_05",
"nixpkgs-23_11": "nixpkgs-23_11",
"utils": "utils_3"
},
"locked": {
"lastModified": 1706219574,
"narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.11",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"smartcolumn": {
"flake": false,
"locked": {
@ -2129,7 +2218,7 @@
},
"snowfall-lib_2": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-compat": "flake-compat_5",
"flake-utils-plus": "flake-utils-plus_2",
"nixpkgs": [
"nixpkgs"
@ -2462,6 +2551,21 @@
"type": "github"
}
},
"utils_3": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"vim-dirtytalk": {
"flake": false,
"locked": {

4
flake.nix
View file

@ -37,6 +37,9 @@
url = "github:matter-labs/nixsgx";
# inputs.nixpkgs.follows = "nixpkgs";
};
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs:
@ -69,6 +72,7 @@
home-manager.nixosModules.home-manager
sops-nix.nixosModules.sops
disko.nixosModules.disko
simple-nixos-mailserver.nixosModule
];
overlays = with inputs; [

34
homes/x86_64-linux/harald@mx/default.nix Normal file
View file

@ -0,0 +1,34 @@
{ lib
, config
, ...
}:
{
home.sessionPath = [ "$HOME/bin" ];
programs.bash.profileExtra = ''
${lib.getExe pkgs.rust-motd}
'';
metacfg = {
user = {
enable = true;
name = config.snowfallorg.user.name;
};
cli-apps = {
bash.enable = true;
fish.enable = true;
neovim.enable = true;
bat.enable = true;
starship.enable = true;
home-manager.enable = true;
};
tools = {
git.enable = true;
direnv.enable = true;
};
};
xdg.enable = true;
xdg.mime.enable = true;
}

79
systems/x86_64-linux/mx/acme.nix Normal file
View file

@ -0,0 +1,79 @@
{ pkgs, lib, config, ... }:
{
sops.secrets.internetbs = {
sopsFile = ../../../.secrets/hetzner/internetbs.yaml; # bring your own password file
};
security.acme = {
acceptTerms = true;
defaults = {
email = "harald@hoyer.xyz";
dnsProvider = "internetbs";
credentialsFile = config.sops.secrets.internetbs.path;
};
certs = {
"mx.surfsite.org" = { };
"surfsite.org" = {
extraDomainNames = [
"*.surfsite.org"
];
};
"hoyer.xyz" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.xyz"
"*.harald.hoyer.xyz"
"*.hartwin.hoyer.xyz"
];
};
"hoyer.world" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.world"
"*.harald.hoyer.world"
"*.hartwin.hoyer.world"
];
};
"hoyer.social" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.social"
"*.harald.hoyer.social"
"*.hartwin.hoyer.social"
];
};
"hoyer.photos" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.photos"
"*.harald.hoyer.photos"
"*.hartwin.hoyer.photos"
];
};
"harald-hoyer.de" = {
extraDomainNames = [
"*.harald-hoyer.de"
];
};
"hartwin-hoyer.de" = {
extraDomainNames = [
"*.hartwin-hoyer.de"
];
};
"varlink.org" = {
extraDomainNames = [
"*.varlink.org"
];
};
};
};
}

18
systems/x86_64-linux/mx/backup.nix Normal file
View file

@ -0,0 +1,18 @@
{ pkgs, lib, ... }:
{
users.users.backup = {
shell = pkgs.bash;
isNormalUser = true;
openssh.authorizedKeys.keys = [
"restrict,command=\"/run/wrappers/bin/rrsync -ro /\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGdtB6BFdXN+cRepkzWhbG5KRIM5nXmHiw1K+CEhGihwWsNVKGgU/q4rePK6PVNflTIoHUfL30jkA7H8VpSzu0XOa97Tqf+sF9VQOFrMjpf2rOWv38nc2GnKpnUu68c17KRZ+i8cnPZH0VUqRzaY/1IPMFH3OYO4qHJAEN5oAsyMFI9pbqFLqRnwNALjxf8fUvR/XB88zt3P34vFFer15FtLr4dlIzoEFGdUSOErmGJGmDzTptMqi/t0kn2AgaBKzMxwGTDUj6adU6KKBERj4ii3ekOrPwcNjsws3Mtlm5p8ycUkwUFoIiXukF6XRzCRSWMbZOgSnu2TfC6jRRrdbMNWn4QGF/jdBvvKcBoD4sChzpG6aF4m+7ue0QuHES7Kd2Rwnq0jbesGuBnRciDN+jssGvxZKX7XEialuXiaTQ4jPUA4zgWq474CR6ksuxpUDlKpH+leWPLtuKlhEZZnJHCMhz8Ewk/ZwiNSbLO97cwJciBM71orGWpFxHciT1QE= root@sgx"
];
};
security.wrappers.rrsync = {
source = "${pkgs.rrsync.out}/bin/rrsync";
owner = "backup";
group = "users";
permissions = "u=rwx,g=,o=";
capabilities = "cap_dac_read_search=+ep";
};
}

70
systems/x86_64-linux/mx/default.nix Normal file
View file

@ -0,0 +1,70 @@
{ pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
./rspamd.nix
./goaccess.nix
./nextcloud.nix
./backup.nix
./users.nix
./kicker.nix
./mailserver.nix
./acme.nix
./forgejo.nix
./nginx.nix
./network.nix
];
metacfg = {
base.enable = true;
nix.enable = true;
podman.enable = true;
secureboot.enable = false;
};
security = {
tpm2.enable = lib.mkDefault true;
tpm2.abrmd.enable = lib.mkDefault true;
};
system.autoUpgrade = {
enable = true;
operation = "switch";
allowReboot = true;
flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx";
};
environment.systemPackages = with pkgs; [
age
apacheHttpd # for mkpasswd
efibootmgr
fgallery
git
htop
mdadm
rrsync
tpm2-pkcs11
tpm2-pkcs11.out
tpm2-tools
zola
];
sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
services.openssh = {
enable = true;
hostKeys = [
{
path = "/var/lib/secrets/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/var/lib/secrets/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
system.stateVersion = "23.05";
}

54
systems/x86_64-linux/mx/forgejo.nix Normal file
View file

@ -0,0 +1,54 @@
{ pkgs, lib, config, ... }:
{
sops.secrets."postgres/gitea_dbpass" = {
sopsFile = ../../../.secrets/hetzner/postgres.yaml; # bring your own password file
owner = config.services.forgejo.user;
};
services.forgejo = {
enable = true;
user = "gitea";
group = "gitea";
stateDir = "/var/lib/gitea";
database = {
name = "gitea";
user = "gitea";
type = "postgres";
passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
};
settings.service.DISABLE_REGISTRATION = true;
settings.server = {
DOMAIN = "git.hoyer.xyz";
ROOT_URL = "https://git.hoyer.xyz/";
HTTP_PORT = 3001;
};
settings.log.LEVEL = "Warn";
};
users.users.gitea = {
home = "/var/lib/gitea";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
users.groups.gitea = { };
services.postgresql = {
package = pkgs.postgresql_14;
ensureDatabases = [
config.services.forgejo.database.name
"nextcloud"
];
ensureUsers = [
{
name = config.services.forgejo.database.user;
ensureDBOwnership = true;
}
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
};
}

26
systems/x86_64-linux/mx/goaccess.nix Normal file
View file

@ -0,0 +1,26 @@
{ pkgs, lib, ... }:
{
systemd.timers."goaccess" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/15";
Unit = "goaccess.service";
};
};
systemd.services."goaccess" = {
script = ''
set -eu
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/index.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^harald.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/harald-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^hartwin.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/hartwin-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^git.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/git-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^nc.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/nc-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^kicker.surfsite.org' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/kicker.html -
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
}

43
systems/x86_64-linux/mx/hardware-configuration.nix Normal file
View file

@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.luks.devices.crypted = {
device = "/dev/md/raid1";
preLVM = true;
};
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"sd_mod"
"tpm"
"tpm_tis"
"trusted"
"tpm_crb"
"tpm_tis_core"
"rng_core"
];
boot.swraid.enable = true;
boot.swraid.mdadmConf = ''
MAILADDR admin@hoyer.xyz
'';
disko.devices = import ./server-raid.nix {
inherit lib;
disks = [ "/dev/sda" "/dev/sdb" ];
};
swapDevices = [{ device = "/swapfile"; }];
}

17
systems/x86_64-linux/mx/kicker.nix Normal file
View file

@ -0,0 +1,17 @@
{ pkgs, lib, ... }:
{
virtualisation.oci-containers.containers = {
kicker = {
image = "quay.io/kicker/kicker:live";
ports = [ "127.0.0.1:8087:80" ];
volumes = [
"/home/hartwin/kicker/.htaccess:/app/public/.htaccess"
"/home/hartwin/kicker/.htpasswd:/app/public/.htpasswd"
"/home/hartwin/kicker/live.db:/app/db/data/current.db"
];
extraOptions = [
"--pull=always"
];
};
};
}

232
systems/x86_64-linux/mx/mailserver.nix Normal file
View file

@ -0,0 +1,232 @@
{ pkgs, lib, config, ... }:
{
mailserver = {
enable = true;
fqdn = "mx.surfsite.org";
sendingFqdn = "mx.surfsite.org";
domains = [
"harald-hoyer.de"
"hartwin-hoyer.de"
"herward-hoyer.de"
"meike-knutz.de"
"gerlinde-hoyer.de"
"hoyer.xyz"
"nc.hoyer.xyz"
"harald.hoyer.xyz"
"varlink.org"
"surfsite.org"
"myprivacy.tools"
"hoyer.social"
"hoyer.world"
"hoyer.photos"
"harald.hoyer.photos"
"hartwin.hoyer.photos"
"mx.surfsite.org"
];
extraVirtualAliases = {
"max@hoyer.xyz" = [
"harald@hoyer.xyz"
"mh@hoyer.xyz"
];
"felix@hoyer.xyz" = [
"harald@hoyer.xyz"
"mh@hoyer.xyz"
];
"muh@hoyer.xyz" = [
"harald@hoyer.xyz"
"mh@hoyer.xyz"
];
"kicker@surfsite.org" = [
"harald@hoyer.xyz"
"hartwin@hoyer.xyz"
];
};
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"mh@hoyer.xyz" = {
hashedPasswordFile = "/home/harald/secrets/mh@hoyer.xyz";
aliases = [
"meike@harald-hoyer.de"
"meike@meike-knutz.de"
"meike.hoyer@meike-knutz.de"
"meike@hoyer.xyz"
];
};
"alex@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/alex-mail";
aliases = [
"alex@hartwin-hoyer.de"
"alex.hoyer@hartwin-hoyer.de"
"alex@surfsite.org"
"alex.hoyer@surfsite.org"
"alexander@hoyer.xyz"
];
};
"jan@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/jan-mail";
aliases = [
"jan@hartwin-hoyer.de"
"jan.hoyer@hartwin-hoyer.de"
"jan@surfsite.org"
"jan.hoyer@surfsite.org"
];
};
"hannah@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/hannah-mail";
aliases = [
"hannah@hartwin-hoyer.de"
"hannah.hoyer@hartwin-hoyer.de"
"hannah@surfsite.org"
"hannah.hoyer@surfsite.org"
];
};
"steffi@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/steffi-mail";
aliases = [
"steffi@surfsite.org"
"stefaniehoyer@surfsite.org"
"stefanie.hoyer@surfsite.org"
"stefanie.hoyer@hoyer.xyz"
"stefanie@hoyer.xyz"
];
};
"hartwin@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/hartwin-mail";
aliases = [
"hartwin.hoyer@hartwin-hoyer.de"
"mail@hartwin-hoyer.de"
"hartwin@hartwin-hoyer.de"
"youtube@hartwin-hoyer.de"
"hartwin@nc.hoyer.xyz"
"hartwin@hoyer.photos"
"webmaster@hartwin.hoyer.photos"
];
};
"hhoyer@herward-hoyer.de" = {
hashedPasswordFile = "/home/hhoyer/secrets/hhoyer-mail";
aliases = [
"herward@herward-hoyer.de"
"herward@vs189018.vserver.de"
"gua808@herward-hoyer.de"
"mail@herward-hoyer.de"
"herward.hoyer@herward-hoyer.de"
"hhoyer@surfsite.org"
"hhoyer@hoyer.xyz"
"herward@hoyer.xyz"
"herward@nc.hoyer.xyz"
];
};
"harald@hoyer.xyz" = {
hashedPasswordFile = "/home/harald/secrets/harald@hoyer.xyz";
aliases = [
"harald@mx.surfsite.org"
"root@mx.surfsite.org"
"abuse@mx.surfsite.org"
"abuse@surfsite.org"
"abuse@hartwin-hoyer.de"
"abuse@herward-hoyer.de"
"abuse@meike-knutz.de"
"abuse@gerlinde-hoyer.de"
"abuse@hoyer.xyz"
"abuse@harald.hoyer.xyz"
"abuse@varlink.org"
"abuse@myprivacy.tools"
"abuse@hoyer.social"
"abuse@hoyer.world"
"abuse@hoyer.photos"
"postmaster@mx.surfsite.org"
"postmaster@surfsite.org"
"postmaster@hartwin-hoyer.de"
"postmaster@herward-hoyer.de"
"postmaster@meike-knutz.de"
"postmaster@gerlinde-hoyer.de"
"postmaster@hoyer.xyz"
"postmaster@harald.hoyer.xyz"
"postmaster@varlink.org"
"postmaster@myprivacy.tools"
"postmaster@hoyer.social"
"postmaster@hoyer.world"
"postmaster@hoyer.photos"
"webmaster@hoyer.xyz"
"webmaster@surfsite.org"
"webmaster@harald.hoyer.xyz"
"webmaster@varlink.org"
"webmaster@myprivacy.tools"
"webmaster@hoyer.social"
"webmaster@hoyer.world"
"webmaster@hoyer.photos"
"webmaster@harald.hoyer.photos"
"admin@hoyer.xyz"
"admin@harald.hoyer.xyz"
"admin@nc.hoyer.xyz"
"admin@mx.surfsite.org"
"admin@hoyer.social"
"admin@hoyer.world"
"admin@hoyer.photos"
"harald@surfsite.org"
"harald@hoyer.xyz"
"harald@nc.hoyer.xyz"
"harald@varlink.org"
"harald@myprivacy.tools"
"harald@hoyer.world"
"harald@hoyer.social"
"harald@hoyer.photos"
"@harald.hoyer.xyz"
"@harald-hoyer.de"
"paypal-harald@hoyer.xyz"
"photo-harald@hoyer.xyz"
"fb@surfsite.org"
"freifunk@surfsite.org"
"fbc@surfsite.org"
"mine@surfsite.org"
"bitcoin@surfsite.org"
"bitcoin@hoyer.xyz"
"roulette@surfsite.org"
"github@surfsite.org"
"mua@surfsite.org"
"aliexpress@surfsite.org"
# Max
"max@hoyer.xyz"
"max.hoyer@hoyer.xyz"
"maximilian@hoyer.xyz"
"maximilian.hoyer@hoyer.xyz"
# Felix
"felix@hoyer.xyz"
"felix.hoyer@hoyer.xyz"
];
};
};
certificateScheme = "acme";
};
services.roundcube = {
enable = true;
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "webmail.hoyer.xyz";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
}

45
systems/x86_64-linux/mx/network.nix Normal file
View file

@ -0,0 +1,45 @@
{ pkgs, lib, ... }:
{
services.fail2ban.enable = true;
services.resolved.domains = [
"surfsite.org"
"hoyer.xyz"
];
services.resolved.extraConfig = "ReadEtcHosts=no";
services.nscd.enableNsncd = false;
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowPing = true;
networking.hostName = "mx"; # Define your hostname.
networking.domain = "surfsite.org";
networking.dhcpcd.enable = false;
networking.firewall.logRefusedConnections = false;
networking.networkmanager.enable = false;
networking.useDHCP = false;
networking.useNetworkd = true;
networking.wireless.enable = false;
networking.defaultGateway.address = "95.216.66.129";
networking.defaultGateway.interface = "enp0s31f6";
#networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
networking.enableIPv6 = true;
networking.interfaces.enp0s31f6 = {
ipv6 = {
addresses = [{
address = "2a01:4f9:2b:2e3::2"; # Your IPv6 here
prefixLength = 64;
}];
# Default IPv6 route
routes = [{
address = "::";
prefixLength = 0;
via = "fe80::1";
}];
};
ipv4.addresses = [{
address = "95.216.66.178";
prefixLength = 26;
}];
};
}

29
systems/x86_64-linux/mx/nextcloud.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, lib, ... }:
{
systemd.services."nextcloud-setup".requires = [ "postgresql.service" ];
systemd.services."nextcloud-setup".after = [ "postgresql.service" ];
environment.etc."nextcloud-admin-pass".text = "test123";
services.nextcloud = {
enable = true;
package = pkgs.nextcloud28;
hostName = "nc.hoyer.xyz";
https = true;
configureRedis = true;
extraOptions = {
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
};
phpOptions = {
upload_max_filesize = lib.mkForce "1G";
post_max_size = lib.mkForce "1G";
"opcache.interned_strings_buffer" = "16";
};
config.adminpassFile = "/etc/nextcloud-admin-pass";
config.defaultPhoneRegion = "DE";
config.dbtype = "pgsql";
config.dbname = "nextcloud";
config.dbhost = "/run/postgresql";
config.dbuser = "nextcloud";
};
}

166
systems/x86_64-linux/mx/nginx.nix Normal file
View file

@ -0,0 +1,166 @@
{ pkgs, lib, ... }:
{
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
appendHttpConfig = ''
log_format vcombined '$host:$server_port '
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined;
'';
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"00000" = {
useACMEHost = "hoyer.xyz";
serverName = "_";
globalRedirect = "hoyer.xyz";
addSSL = true;
};
"hoyer.photos" = {
enableACME = false;
useACMEHost = "hoyer.photos";
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
};
"hoyer.world" = {
enableACME = false;
useACMEHost = "hoyer.world";
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
};
"hoyer.social" = {
enableACME = false;
useACMEHost = "hoyer.social";
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
};
"hoyer.xyz" = {
# serverName = "hoyer.xyz";
serverAliases = [
"www.hoyer.xyz"
];
useACMEHost = "hoyer.xyz";
enableACME = false;
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
locations."/stats" = {
basicAuthFile = "/var/www/hoyer.xyz/stats.htaccess";
};
};
"surfsite.org" = {
useACMEHost = "surfsite.org";
enableACME = false;
forceSSL = true;
root = "/var/www/surfsite.org";
};
"kicker.surfsite.org" = {
useACMEHost = "surfsite.org";
enableACME = false;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:8087/";
};
};
"git.hoyer.xyz" = {
useACMEHost = "hoyer.xyz";
enableACME = false;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3001/";
};
};
"webmail.hoyer.xyz" = {
useACMEHost = "hoyer.xyz";
enableACME = false;
forceSSL = true;
};
"harald.hoyer.photos" = {
enableACME = true;
forceSSL = true;
root = "/var/www/photo.harald-hoyer.de/html";
};
"photo.harald-hoyer.de" = {
useACMEHost = "harald-hoyer.de";
forceSSL = true;
root = "/var/www/photo.harald-hoyer.de/html";
};
"photo-harald.hoyer.xyz" = {
serverAliases = [ "photo.harald.hoyer.xyz" ];
useACMEHost = "hoyer.xyz";
forceSSL = true;
root = "/var/www/photo.harald-hoyer.de/html";
};
"harald-hoyer.de" = {
serverAliases = [
"www.harald-hoyer.de"
];
useACMEHost = "harald-hoyer.de";
globalRedirect = "harald.hoyer.xyz";
forceSSL = true;
};
"harald.hoyer.xyz" = {
serverAliases = [
"www.harald.hoyer.xyz"
];
useACMEHost = "hoyer.xyz";
root = "/var/www/harald.hoyer.xyz/html/";
extraConfig = ''
rewrite ^/feed/rss$ /rss.xml permanent;
rewrite ^/feed/rss/$ /rss.xml permanent;
rewrite ^/feed/$ /rss.xml permanent;
rewrite ^/feed/rss/index.html$ /rss.xml permanent;
rewrite ^/fedora/fedora/RSS2$ /tags/fedora/rss.xml permanent;
rewrite ^/linux/linux/RSS2$ /tags/linux/rss.xml permanent;
rewrite ^/linux/feed$ /tags/linux/rss.xml permanent;
rewrite ^/wp-rss2.php$ /rss.xml permanent;
rewrite ^/aggregator/rss.xml$ /rss.xml permanent;
rewrite ^/personal/blog/aggregator/RSS$ /rss.xml permanent;
rewrite ^/personal/blog/aggregator/RSS2$ /rss.xml permanent;
rewrite ^/aggregator/RSS$ /rss.xml permanent;
rewrite ^/aggregator/RSS2$ /rss.xml permanent;
rewrite ^/wp-commentsrss2.php$ /rss.xml permanent;
'';
forceSSL = true;
};
"hartwin-hoyer.de" = {
serverAliases = [
"www.hartwin-hoyer.de"
];
useACMEHost = "hartwin-hoyer.de";
globalRedirect = "hartwin.hoyer.xyz";
forceSSL = true;
};
"hartwin.hoyer.xyz" = {
serverAliases = [
"testhartwin.hoyer.xyz"
"www.hartwin.hoyer.xyz"
];
useACMEHost = "hoyer.xyz";
root = "/var/www/hartwin.hoyer.xyz/html/";
forceSSL = true;
};
"nc.hoyer.xyz" = {
useACMEHost = "hoyer.xyz";
forceSSL = true;
};
};
};
}

40
systems/x86_64-linux/mx/rspamd.nix Normal file
View file

@ -0,0 +1,40 @@
{ pkgs, lib, ... }:
{
services.rspamd.workers.controller.bindSockets = [{
socket = "/run/rspamd/worker-controller.sock";
mode = "0660";
}];
services.rspamd.locals = {
"maps.d/spf_whitelist.inc.local" = {
text = ''
epicgames.com
dmail.ai
'';
};
"maps.d/spf_dkim_whitelist.inc.local" = {
text = ''
epicgames.com
dmail.ai
'';
};
"maps.d/dmarc_whitelist.inc.local" = {
text = ''
epicgames.com
dmail.ai
'';
};
"greylist-whitelist-domains.inc" = {
text = ''
dmail.ai
epicgames.com
'';
};
};
services.rspamd.extraConfig = ''
actions {
reject = null;
greylist = 4; # Apply greylisting when reaching this score
add_header = 4; # Add header when reaching this score
}
'';
}

79
systems/x86_64-linux/mx/server-raid.nix Normal file
View file

@ -0,0 +1,79 @@
{ disks ? [ "/dev/sda" "/dev/sdb" ], ... }: {
disk = {
one = {
type = "disk";
device = builtins.elemAt disks 0;
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "256M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = builtins.elemAt disks 1;
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "256M";
type = "EF00";
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "luks";
name = "crypted";
extraOpenArgs = [ "--allow-discards" ];
settings = {
allowDiscards = true;
keyFile = "/tmp/secret.key";
};
additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
#initrdUnlock = true;
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
};
};
}

23
systems/x86_64-linux/mx/users.nix Normal file
View file

@ -0,0 +1,23 @@
{ pkgs, lib, ... }:
{
# Herward
users.users.hhoyer = {
shell = pkgs.bash;
isNormalUser = true;
description = "hhoyer";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCIlCnBiRkm8i/UQaTDv2UCO+mEzPC5OQ0e+DlzS1GVmJEjH5BqPosEivvDQheQP7WWNZOCWoHqAg8vvH8QpSA6AOqruvsWrbY1TmoMc4TlulgyEK5/z9aw/t3WUkQjj+fYeQbQXSNeT7pplN3hB49MCXAQNJ+LxnnntrZhp7tHRAsJFlGgK6NGFapCizeYt9DOqeh2KGTd+x9TXTa96ccWQTRovE5xWP/8X7LoejCl7sfe2dymeByU465Do+mvDs2DbyKI1XHlLpPZihsyxyU1/K0B9VF92U486vh8Ep3fnTgpu7D9n0KdN0wGMfSmH75rtrYZPiGvu6Qy0YzV6MUN newkex"
];
};
# Hartwin
users.users.hartwin = {
shell = pkgs.bash;
isNormalUser = true;
description = "hartwin";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjeTezn11UITzlqfOS9U3/sOdEJ4au5MSo/vNUcMHVIfKWLXfOWH6skB2kVrRcSlevNydgWtmQfA/xD7n7Syx4esWLvaUUwRO75QNz8TJq9dgItxi6R+bxWlUqN79aAmNWQH6yftBs+bLDtTg7XABZYe2z53UcfLtG0iQOHG6mftcOL2YKyzdtd/1F7jgMmy2HJ1LzsFNb57hBQvA3cg+hDwXKfptrDh/8Xysm110vMj74T2ANbhmE3wT25PmUMN7B/sx0m7Rm7jg3COyLq6/MZzoFGyl+Kd9vxTPzp76aSq7bI70qGUzcq2aX6UnlkcrrAz2bzZBi5RMOHYO3QPmP hlh@aiur.localdomain"
];
};
}

76
systems/x86_64-linux/sgx/backup.nix Normal file
View file

@ -0,0 +1,76 @@
{ pkgs, lib, config, ... }:
let
backup_new_path = "/mnt/raid/backup/hoyer/new/";
restic_repo = "/mnt/backup/restic-repo";
in
{
services.restic.backups.hoyer_new = {
repository = restic_repo;
passwordFile = config.sops.secrets.backup-pw.path;
timerConfig = {
OnCalendar = "daily";
FixedRandomDelay = true;
RandomizedDelaySec = "4h";
Persistent = true;
};
paths = [ backup_new_path ];
pruneOpts = [
"-g host,paths"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 1"
];
backupPrepareCommand = ''
HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh" --exclude-from /root/excludelist --no-specials --no-devices --numeric-ids --delete-after --partial -axz backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path}
'';
};
services.restic.backups.self = {
repository = restic_repo;
#repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup";
passwordFile = config.sops.secrets.backup-pw.path;
timerConfig = {
OnCalendar = "daily";
FixedRandomDelay = true;
RandomizedDelaySec = "4h";
Persistent = true;
};
paths = [
"/etc"
"/var"
"/home"
"/root"
"/persist"
config.services.samba.shares.Qmultimedia.path
];
extraBackupArgs =
let
ignorePatterns = [
"/mnt/raid/backup"
"/mnt/backup"
"/mnt/snap"
"/var/cache"
"/home/*/.local/share/Trash"
"/home/*/.cache"
"/home/*/Downloads"
"/home/*/.npm"
"/home/*/.local/share/containers"
".cache"
".tmp"
".log"
".Trash"
];
ignoreFile = builtins.toFile "ignore"
(lib.foldl (a: b: a + "\n" + b) "" ignorePatterns);
in
[ "--exclude-file=${ignoreFile}" ];
pruneOpts = [
"-g host,paths"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 1"
];
};
}

213
systems/x86_64-linux/sgx/default.nix
View file

@ -1,10 +1,11 @@
{ pkgs, lib, config, ... }:
let
backup_new_path = "/mnt/raid/backup/hoyer/new/";
restic_repo = "/mnt/backup/restic-repo";
in
{
imports = [ ./hardware-configuration.nix ];
imports = [
./hardware-configuration.nix
./fileserver.nix
./backup.nix
./network.nix
];
sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
sops.secrets.backup-pw.sopsFile = ../../../.secrets/sgx/backup-s3.yaml;
@ -22,8 +23,12 @@ in
user.extraGroups = [ "docker" "sgx" ];
};
virtualisation.docker.enable = true;
virtualisation.podman.dockerCompat = false;
virtualisation = {
docker.enable = true;
libvirtd.enable = true;
podman.dockerCompat = false;
};
systemd.services.libvirt-guests.after = [ "network-online.target" ];
system.autoUpgrade = {
enable = true;
@ -31,15 +36,8 @@ in
allowReboot = true;
};
security.tpm2.enable = false;
security.tpm2.abrmd.enable = false;
services.pcscd.enable = true;
powerManagement.cpuFreqGovernor = "ondemand";
system.stateVersion = "23.11";
environment.etc."sgx_default_qcnl.conf".text = ''
{
"pccs_url": "https://127.0.0.1:8081/sgx/certification/v4/",
@ -53,190 +51,5 @@ in
}
'';
services.netatalk = {
enable = true;
settings = {
Homes = {
"basedir regex" = "/home";
path = "Public";
};
time-machine = {
path = "/mnt/backup/tm_share";
"valid users" = "harald";
"time machine" = true;
};
Qmultimedia = {
path = "/mnt/raid/Qmultimedia";
};
};
};
services.avahi = {
enable = true;
nssmdns = true;
publish = {
enable = true;
userServices = true;
};
};
services.samba = {
enable = true;
securityType = "user";
extraConfig = ''
read raw = Yes
write raw = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
min receivefile size = 16384
use sendfile = true
aio read size = 16384
aio write size = 16384
workgroup = WORKGROUP
server string = sgx
netbios name = sgx
security = user
#max protocol = smb2
hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
hosts deny = ALL
guest account = nobody
map to guest = bad user
'';
shares = {
# public = {
# path = "/mnt/Shares/Public";
# browseable = "yes";
# "read only" = "no";
# "guest ok" = "yes";
# "create mask" = "0644";
# "directory mask" = "0755";
# "force user" = "username";
# "force group" = "groupname";
# };
Qmultimedia = {
path = "/mnt/raid/Qmultimedia";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "harald";
"force group" = "users";
};
};
};
services.restic.backups.hoyer_new = {
repository = restic_repo;
passwordFile = config.sops.secrets.backup-pw.path;
timerConfig = {
OnCalendar = "daily";
FixedRandomDelay = true;
RandomizedDelaySec = "4h";
Persistent = true;
};
paths = [ backup_new_path ];
pruneOpts = [
"-g host,paths"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 1"
];
backupPrepareCommand = ''
HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh" --exclude-from /root/excludelist --no-specials --no-devices --numeric-ids --delete-after --partial -axz backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path}
'';
};
services.restic.backups.self = {
repository = restic_repo;
#repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup";
passwordFile = config.sops.secrets.backup-pw.path;
timerConfig = {
OnCalendar = "daily";
FixedRandomDelay = true;
RandomizedDelaySec = "4h";
Persistent = true;
};
paths = [
"/etc"
"/var"
"/home"
"/root"
"/persist"
config.services.samba.shares.Qmultimedia.path
];
extraBackupArgs =
let
ignorePatterns = [
"/mnt/raid/backup"
"/mnt/backup"
"/mnt/snap"
"/var/cache"
"/home/*/.local/share/Trash"
"/home/*/.cache"
"/home/*/Downloads"
"/home/*/.npm"
"/home/*/.local/share/containers"
".cache"
".tmp"
".log"
".Trash"
];
ignoreFile = builtins.toFile "ignore"
(lib.foldl (a: b: a + "\n" + b) "" ignorePatterns);
in
[ "--exclude-file=${ignoreFile}" ];
pruneOpts = [
"-g host,paths"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 1"
];
};
systemd.services.libvirt-guests.after = [ "network-online.target" ];
virtualisation.libvirtd.enable = true;
networking.hostName = "sgx"; # Define your hostname.
networking.useDHCP = false;
#networking.domain = "fritz.box";
networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = false; # use networkd
networking.dhcpcd.enable = false; # use networkd
# services.nscd.enableNsncd = false;
# systemd-networkd
systemd.network.enable = true;
#systemd.network.wait-online.anyInterface = true;
#systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
systemd.network.networks."10-br0" = {
matchConfig.Name = "br0";
DHCP = "yes";
linkConfig.RequiredForOnline = "routable";
linkConfig.RequiredFamilyForOnline = "both";
};
systemd.network.netdevs."br0" = {
netdevConfig = {
Name = "br0";
Kind = "bridge";
MACAddress = "00:a1:2f:68:07:ea";
};
};
systemd.network.networks."11-en" = {
linkConfig.RequiredForOnline = "enslaved";
matchConfig.Name = "enp3s0";
networkConfig = {
Bridge = "br0";
};
};
networking.firewall.allowedTCPPorts = [ 548 ];
networking.firewall.allowPing = true;
services.samba.openFirewall = true;
system.stateVersion = "23.11";
}

75
systems/x86_64-linux/sgx/fileserver.nix Normal file
View file

@ -0,0 +1,75 @@
{ pkgs, lib, config, ... }:
{
services.netatalk = {
enable = true;
settings = {
Homes = {
"basedir regex" = "/home";
path = "Public";
};
time-machine = {
path = "/mnt/backup/tm_share";
"valid users" = "harald";
"time machine" = true;
};
Qmultimedia = {
path = "/mnt/raid/Qmultimedia";
};
};
};
services.avahi = {
enable = true;
nssmdns = true;
publish = {
enable = true;
userServices = true;
};
};
services.samba = {
enable = true;
openFirewall = true;
securityType = "user";
extraConfig = ''
read raw = Yes
write raw = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
min receivefile size = 16384
use sendfile = true
aio read size = 16384
aio write size = 16384
workgroup = WORKGROUP
server string = sgx
netbios name = sgx
security = user
#max protocol = smb2
hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
hosts deny = ALL
guest account = nobody
map to guest = bad user
'';
shares = {
# public = {
# path = "/mnt/Shares/Public";
# browseable = "yes";
# "read only" = "no";
# "guest ok" = "yes";
# "create mask" = "0644";
# "directory mask" = "0755";
# "force user" = "username";
# "force group" = "groupname";
# };
Qmultimedia = {
path = "/mnt/raid/Qmultimedia";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "harald";
"force group" = "users";
};
};
};
}

4
systems/x86_64-linux/sgx/hardware-configuration.nix
View file

@ -57,4 +57,8 @@
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
security.tpm2.enable = false;
security.tpm2.abrmd.enable = false;
powerManagement.cpuFreqGovernor = "ondemand";
}

42
systems/x86_64-linux/sgx/network.nix Normal file
View file

@ -0,0 +1,42 @@
{ pkgs, lib, config, ... }:
{
networking.hostName = "sgx"; # Define your hostname.
networking.useDHCP = false;
#networking.domain = "fritz.box";
networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = false; # use networkd
networking.dhcpcd.enable = false; # use networkd
# services.nscd.enableNsncd = false;
# systemd-networkd
systemd.network.enable = true;
#systemd.network.wait-online.anyInterface = true;
#systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
systemd.network.networks."10-br0" = {
matchConfig.Name = "br0";
DHCP = "yes";
linkConfig.RequiredForOnline = "routable";
linkConfig.RequiredFamilyForOnline = "both";
};
systemd.network.netdevs."br0" = {
netdevConfig = {
Name = "br0";
Kind = "bridge";
MACAddress = "00:a1:2f:68:07:ea";
};
};
systemd.network.networks."11-en" = {
linkConfig.RequiredForOnline = "enslaved";
matchConfig.Name = "enp3s0";
networkConfig = {
Bridge = "br0";
};
};
networking.firewall.allowedTCPPorts = [ 548 ];
networking.firewall.allowPing = true;
}