Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
This commit is contained in:
Harald Hoyer 2024-03-21 09:12:32 +01:00
parent 143cc1742a
commit c7f3dd204d
22 changed files with 1272 additions and 201 deletions


@ -16,6 +16,22 @@
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"bufdelete-nvim": {
"flake": false,
"locked": {
@ -524,6 +540,22 @@
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1650374568,
@ -1261,6 +1293,36 @@
"type": "github"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1704290814,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-23_11": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"nixpkgs-lib": {
"locked": {
"dir": "lib",
@ -1999,6 +2061,7 @@
"neovim-flake": "neovim-flake",
"nixpkgs": "nixpkgs_4",
"nixsgx-flake": "nixsgx-flake",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"snowfall-lib": "snowfall-lib_2",
"sops-nix": "sops-nix",
"unstable": "unstable"
@ -2088,6 +2151,32 @@
"type": "github"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_4",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-23_05": "nixpkgs-23_05",
"nixpkgs-23_11": "nixpkgs-23_11",
"utils": "utils_3"
},
"locked": {
"lastModified": 1706219574,
"narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.11",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"smartcolumn": {
"flake": false,
"locked": {
@ -2129,7 +2218,7 @@
},
"snowfall-lib_2": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-compat": "flake-compat_5",
"flake-utils-plus": "flake-utils-plus_2",
"nixpkgs": [
"nixpkgs"
@ -2462,6 +2551,21 @@
"type": "github"
}
},
"utils_3": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"vim-dirtytalk": {
"flake": false,
"locked": {


@ -37,6 +37,9 @@
url = "github:matter-labs/nixsgx";
# inputs.nixpkgs.follows = "nixpkgs";
};
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs:
@ -69,6 +72,7 @@
home-manager.nixosModules.home-manager
sops-nix.nixosModules.sops
disko.nixosModules.disko
simple-nixos-mailserver.nixosModule
];
overlays = with inputs; [
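Review bot: The new `simple-nixos-mailserver` input only has `inputs.nixpkgs.follows = "nixpkgs"`, while the input's own `nixpkgs-23_05` and `nixpkgs-23_11` inputs are left as independent pins, which is why the lockfile in this commit gains two further full nixpkgs entries that are fetched on every update. If the mailserver module evaluates fine against the system nixpkgs, adding `simple-nixos-mailserver.inputs.nixpkgs-23_11.follows = "nixpkgs";` (and the same for `nixpkgs-23_05`) keeps the closure to one nixpkgs; whether the module needs those extra pins for anything beyond its own CI cannot be seen from here.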


@ -0,0 +1,34 @@
{ lib
, config
, ...
}:
{
home.sessionPath = [ "$HOME/bin" ];
programs.bash.profileExtra = ''
${lib.getExe pkgs.rust-motd}
'';
metacfg = {
user = {
enable = true;
name = config.snowfallorg.user.name;
};
cli-apps = {
bash.enable = true;
fish.enable = true;
neovim.enable = true;
bat.enable = true;
starship.enable = true;
home-manager.enable = true;
};
tools = {
git.enable = true;
direnv.enable = true;
};
};
xdg.enable = true;
xdg.mime.enable = true;
}
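Review bot: `${lib.getExe pkgs.rust-motd}` inside `programs.bash.profileExtra` references `pkgs`, but the module's argument pattern is `{ lib, config, ... }`, so `pkgs` is not bound and evaluation of this file fails with an undefined-variable error. Add it to the pattern: `{ lib, config, pkgs, ... }:`. The rest of the file only uses `lib` and `config`, which are declared.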


@ -0,0 +1,79 @@
{ pkgs, lib, config, ... }:
{
sops.secrets.internetbs = {
sopsFile = ../../../.secrets/hetzner/internetbs.yaml; # bring your own password file
};
security.acme = {
acceptTerms = true;
defaults = {
email = "harald@hoyer.xyz";
dnsProvider = "internetbs";
credentialsFile = config.sops.secrets.internetbs.path;
};
certs = {
"mx.surfsite.org" = { };
"surfsite.org" = {
extraDomainNames = [
"*.surfsite.org"
];
};
"hoyer.xyz" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.xyz"
"*.harald.hoyer.xyz"
"*.hartwin.hoyer.xyz"
];
};
"hoyer.world" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.world"
"*.harald.hoyer.world"
"*.hartwin.hoyer.world"
];
};
"hoyer.social" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.social"
"*.harald.hoyer.social"
"*.hartwin.hoyer.social"
];
};
"hoyer.photos" = {
dnsProvider = "cloudflare";
extraDomainNames = [
"*.hoyer.photos"
"*.harald.hoyer.photos"
"*.hartwin.hoyer.photos"
];
};
"harald-hoyer.de" = {
extraDomainNames = [
"*.harald-hoyer.de"
];
};
"hartwin-hoyer.de" = {
extraDomainNames = [
"*.hartwin-hoyer.de"
];
};
"varlink.org" = {
extraDomainNames = [
"*.varlink.org"
];
};
};
};
}
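Review bot: Every certificate inherits `defaults.credentialsFile` (the `internetbs` sops secret), including the four that override `dnsProvider = "cloudflare"`, so that one file must carry both the Internet.bs credentials and the Cloudflare DNS token for lego to succeed — the secret's name suggests only the former, in which case the cloudflare issuances fail at renewal time rather than at build time. If both providers' variables really live in that file, splitting them into two sops secrets and setting `credentialsFile` per cert means a leak of one provider's token does not expose the other, and the Cloudflare token should be scoped to DNS edit on just these zones. A comment on `defaults.credentialsFile` naming which provider variables it is expected to contain would make the coupling explicit.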


@ -0,0 +1,18 @@
{ pkgs, lib, ... }:
{
users.users.backup = {
shell = pkgs.bash;
isNormalUser = true;
openssh.authorizedKeys.keys = [
"restrict,command=\"/run/wrappers/bin/rrsync -ro /\" ssh-rsa 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 root@sgx"
];
};
security.wrappers.rrsync = {
source = "${pkgs.rrsync.out}/bin/rrsync";
owner = "backup";
group = "users";
permissions = "u=rwx,g=,o=";
capabilities = "cap_dac_read_search=+ep";
};
}
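Review bot: The `rrsync -ro /` forced command plus the `cap_dac_read_search=+ep` wrapper lets the `backup` identity read every file on the host — including `/var/lib/secrets/ssh_host_*_key`, which this commit's host config also uses as the sops age identity, and the per-user mail password hash files — so the `root@sgx` private key is effectively a read-only root credential; `restrict,command=` is the right shape, but that consequence deserves a comment next to the key. If the puller only needs `/etc`, `/var`, `/home` and `/root`, consider exporting a narrower tree (rrsync takes a single root, so a bind-mounted view directory) or at least keeping `/var/lib/secrets` out of it server-side, since the puller's `--exclude-from` is a convenience, not a boundary. Something like `# whole-filesystem read-only export for the sgx backup puller; treat the sgx key as root-equivalent` records the trade-off.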


@ -0,0 +1,70 @@
{ pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
./rspamd.nix
./goaccess.nix
./nextcloud.nix
./backup.nix
./users.nix
./kicker.nix
./mailserver.nix
./acme.nix
./forgejo.nix
./nginx.nix
./network.nix
];
metacfg = {
base.enable = true;
nix.enable = true;
podman.enable = true;
secureboot.enable = false;
};
security = {
tpm2.enable = lib.mkDefault true;
tpm2.abrmd.enable = lib.mkDefault true;
};
system.autoUpgrade = {
enable = true;
operation = "switch";
allowReboot = true;
flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx";
};
environment.systemPackages = with pkgs; [
age
apacheHttpd # for mkpasswd
efibootmgr
fgallery
git
htop
mdadm
rrsync
tpm2-pkcs11
tpm2-pkcs11.out
tpm2-tools
zola
];
sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
services.openssh = {
enable = true;
hostKeys = [
{
path = "/var/lib/secrets/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/var/lib/secrets/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
system.stateVersion = "23.05";
}
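Review bot: `system.autoUpgrade.flake` points at the bare repository of the Forgejo instance that runs on this very host (`git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx`), and the upgrade runs as root with `operation = "switch"` and `allowReboot = true`, so anyone who can push to that repository — a Forgejo account with write access, or an attacker who compromises the Forgejo process running as the `gitea` user that owns `/var/lib/gitea` — becomes root on the mail host at the next timer run. NixOS autoUpgrade verifies no signatures; consider checking a signed tag or commit in a pre-upgrade step before switching, and protect the branch in Forgejo. Whether branch protection is already in place cannot be seen from here, so at minimum a comment such as `# NOTE: a push to this repo becomes root on this host at the next upgrade` should sit on the `flake` line.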


@ -0,0 +1,54 @@
{ pkgs, lib, config, ... }:
{
sops.secrets."postgres/gitea_dbpass" = {
sopsFile = ../../../.secrets/hetzner/postgres.yaml; # bring your own password file
owner = config.services.forgejo.user;
};
services.forgejo = {
enable = true;
user = "gitea";
group = "gitea";
stateDir = "/var/lib/gitea";
database = {
name = "gitea";
user = "gitea";
type = "postgres";
passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
};
settings.service.DISABLE_REGISTRATION = true;
settings.server = {
DOMAIN = "git.hoyer.xyz";
ROOT_URL = "https://git.hoyer.xyz/";
HTTP_PORT = 3001;
};
settings.log.LEVEL = "Warn";
};
users.users.gitea = {
home = "/var/lib/gitea";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
users.groups.gitea = { };
services.postgresql = {
package = pkgs.postgresql_14;
ensureDatabases = [
config.services.forgejo.database.name
"nextcloud"
];
ensureUsers = [
{
name = config.services.forgejo.database.user;
ensureDBOwnership = true;
}
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
};
}
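Review bot: `settings.server.HTTP_PORT = 3001` is set but `HTTP_ADDR` is left at Forgejo's default of listening on all interfaces, so the instance is reachable on `:3001` from any network the host is attached to and only the host firewall (which this commit limits to 80/443 elsewhere) keeps it off the internet. Since nginx proxies it from `http://localhost:3001/`, bind it explicitly: `HTTP_ADDR = "127.0.0.1";`. With PostgreSQL reached over the local socket and `ensureUsers`, the `passwordFile` is probably unused under peer authentication, which is harmless but worth a comment so nobody assumes the password is what protects the database.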


@ -0,0 +1,26 @@
{ pkgs, lib, ... }:
{
systemd.timers."goaccess" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/15";
Unit = "goaccess.service";
};
};
systemd.services."goaccess" = {
script = ''
set -eu
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/index.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^harald.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/harald-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^hartwin.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/hartwin-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^git.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/git-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^nc.hoyer.xyz' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/nc-hoyer.html -
${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.log* | ${pkgs.gnugrep}/bin/egrep '^kicker.surfsite.org' | ${pkgs.goaccess}/bin/goaccess --log-format=VCOMBINED -o /var/www/hoyer.xyz/html/stats/kicker.html -
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
}
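Review bot: The per-site filters `egrep '^harald.hoyer.xyz'` and friends are neither escaped nor anchored on the right: the log line begins with `$host:$server_port`, and `$host` is whatever Host header the client sent, so a request with `Host: harald.hoyer.xyz.example` (answered by the catch-all `_` vhost) is counted in harald's statistics. Anchor and escape each pattern, e.g. `egrep '^harald\.hoyer\.xyz:'`. The unit also runs as root purely to read `/var/log/nginx` and write into the webroot; a dedicated user in the nginx log group with write access to the `stats/` directory would be the least-privilege shape — whether the log directory permissions allow that cannot be seen here.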


@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.luks.devices.crypted = {
device = "/dev/md/raid1";
preLVM = true;
};
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"sd_mod"
"tpm"
"tpm_tis"
"trusted"
"tpm_crb"
"tpm_tis_core"
"rng_core"
];
boot.swraid.enable = true;
boot.swraid.mdadmConf = ''
MAILADDR admin@hoyer.xyz
'';
disko.devices = import ./server-raid.nix {
inherit lib;
disks = [ "/dev/sda" "/dev/sdb" ];
};
swapDevices = [{ device = "/swapfile"; }];
}
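Review bot: The header says the file is generated by nixos-generate-config and may be overwritten, yet it now carries the hand-written LUKS mapping, the mdadm `MAILADDR`, the disko import and the initrd TPM module list — all of which a regeneration would silently drop. Either delete the three-line header or move the hand-written parts into `configuration.nix`/`server-raid.nix`. No unlock path for `boot.initrd.luks.devices.crypted` is visible here (no initrd ssh, no TPM enrolment), so unattended reboots triggered by `system.autoUpgrade.allowReboot` would presumably stall at the passphrase prompt on this headless host; if a TPM or remote unlock is configured elsewhere, a comment pointing to it would help.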


@ -0,0 +1,17 @@
{ pkgs, lib, ... }:
{
virtualisation.oci-containers.containers = {
kicker = {
image = "quay.io/kicker/kicker:live";
ports = [ "127.0.0.1:8087:80" ];
volumes = [
"/home/hartwin/kicker/.htaccess:/app/public/.htaccess"
"/home/hartwin/kicker/.htpasswd:/app/public/.htpasswd"
"/home/hartwin/kicker/live.db:/app/db/data/current.db"
];
extraOptions = [
"--pull=always"
];
};
};
}
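Review bot: `image = "quay.io/kicker/kicker:live"` with `--pull=always` re-pulls a mutable tag on every container start, so whatever is pushed to that tag next runs on this host with the mounted `.htpasswd` and database — there is no digest pin and no verification. Pin the image by digest (`quay.io/kicker/kicker@sha256:…`, bumped deliberately) or at least drop `--pull=always` so upgrades become explicit. The bind-mounted files live under `/home/hartwin/`, so that user's home permissions decide who can read the htpasswd hashes and rewrite the app's database; a comment stating the expected ownership and mode would help.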


@ -0,0 +1,232 @@
{ pkgs, lib, config, ... }:
{
mailserver = {
enable = true;
fqdn = "mx.surfsite.org";
sendingFqdn = "mx.surfsite.org";
domains = [
"harald-hoyer.de"
"hartwin-hoyer.de"
"herward-hoyer.de"
"meike-knutz.de"
"gerlinde-hoyer.de"
"hoyer.xyz"
"nc.hoyer.xyz"
"harald.hoyer.xyz"
"varlink.org"
"surfsite.org"
"myprivacy.tools"
"hoyer.social"
"hoyer.world"
"hoyer.photos"
"harald.hoyer.photos"
"hartwin.hoyer.photos"
"mx.surfsite.org"
];
extraVirtualAliases = {
"max@hoyer.xyz" = [
"harald@hoyer.xyz"
"mh@hoyer.xyz"
];
"felix@hoyer.xyz" = [
"harald@hoyer.xyz"
"mh@hoyer.xyz"
];
"muh@hoyer.xyz" = [
"harald@hoyer.xyz"
"mh@hoyer.xyz"
];
"kicker@surfsite.org" = [
"harald@hoyer.xyz"
"hartwin@hoyer.xyz"
];
};
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"mh@hoyer.xyz" = {
hashedPasswordFile = "/home/harald/secrets/mh@hoyer.xyz";
aliases = [
"meike@harald-hoyer.de"
"meike@meike-knutz.de"
"meike.hoyer@meike-knutz.de"
"meike@hoyer.xyz"
];
};
"alex@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/alex-mail";
aliases = [
"alex@hartwin-hoyer.de"
"alex.hoyer@hartwin-hoyer.de"
"alex@surfsite.org"
"alex.hoyer@surfsite.org"
"alexander@hoyer.xyz"
];
};
"jan@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/jan-mail";
aliases = [
"jan@hartwin-hoyer.de"
"jan.hoyer@hartwin-hoyer.de"
"jan@surfsite.org"
"jan.hoyer@surfsite.org"
];
};
"hannah@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/hannah-mail";
aliases = [
"hannah@hartwin-hoyer.de"
"hannah.hoyer@hartwin-hoyer.de"
"hannah@surfsite.org"
"hannah.hoyer@surfsite.org"
];
};
"steffi@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/steffi-mail";
aliases = [
"steffi@surfsite.org"
"stefaniehoyer@surfsite.org"
"stefanie.hoyer@surfsite.org"
"stefanie.hoyer@hoyer.xyz"
"stefanie@hoyer.xyz"
];
};
"hartwin@hoyer.xyz" = {
hashedPasswordFile = "/home/hartwin/secrets/hartwin-mail";
aliases = [
"hartwin.hoyer@hartwin-hoyer.de"
"mail@hartwin-hoyer.de"
"hartwin@hartwin-hoyer.de"
"youtube@hartwin-hoyer.de"
"hartwin@nc.hoyer.xyz"
"hartwin@hoyer.photos"
"webmaster@hartwin.hoyer.photos"
];
};
"hhoyer@herward-hoyer.de" = {
hashedPasswordFile = "/home/hhoyer/secrets/hhoyer-mail";
aliases = [
"herward@herward-hoyer.de"
"herward@vs189018.vserver.de"
"gua808@herward-hoyer.de"
"mail@herward-hoyer.de"
"herward.hoyer@herward-hoyer.de"
"hhoyer@surfsite.org"
"hhoyer@hoyer.xyz"
"herward@hoyer.xyz"
"herward@nc.hoyer.xyz"
];
};
"harald@hoyer.xyz" = {
hashedPasswordFile = "/home/harald/secrets/harald@hoyer.xyz";
aliases = [
"harald@mx.surfsite.org"
"root@mx.surfsite.org"
"abuse@mx.surfsite.org"
"abuse@surfsite.org"
"abuse@hartwin-hoyer.de"
"abuse@herward-hoyer.de"
"abuse@meike-knutz.de"
"abuse@gerlinde-hoyer.de"
"abuse@hoyer.xyz"
"abuse@harald.hoyer.xyz"
"abuse@varlink.org"
"abuse@myprivacy.tools"
"abuse@hoyer.social"
"abuse@hoyer.world"
"abuse@hoyer.photos"
"postmaster@mx.surfsite.org"
"postmaster@surfsite.org"
"postmaster@hartwin-hoyer.de"
"postmaster@herward-hoyer.de"
"postmaster@meike-knutz.de"
"postmaster@gerlinde-hoyer.de"
"postmaster@hoyer.xyz"
"postmaster@harald.hoyer.xyz"
"postmaster@varlink.org"
"postmaster@myprivacy.tools"
"postmaster@hoyer.social"
"postmaster@hoyer.world"
"postmaster@hoyer.photos"
"webmaster@hoyer.xyz"
"webmaster@surfsite.org"
"webmaster@harald.hoyer.xyz"
"webmaster@varlink.org"
"webmaster@myprivacy.tools"
"webmaster@hoyer.social"
"webmaster@hoyer.world"
"webmaster@hoyer.photos"
"webmaster@harald.hoyer.photos"
"admin@hoyer.xyz"
"admin@harald.hoyer.xyz"
"admin@nc.hoyer.xyz"
"admin@mx.surfsite.org"
"admin@hoyer.social"
"admin@hoyer.world"
"admin@hoyer.photos"
"harald@surfsite.org"
"harald@hoyer.xyz"
"harald@nc.hoyer.xyz"
"harald@varlink.org"
"harald@myprivacy.tools"
"harald@hoyer.world"
"harald@hoyer.social"
"harald@hoyer.photos"
"@harald.hoyer.xyz"
"@harald-hoyer.de"
"paypal-harald@hoyer.xyz"
"photo-harald@hoyer.xyz"
"fb@surfsite.org"
"freifunk@surfsite.org"
"fbc@surfsite.org"
"mine@surfsite.org"
"bitcoin@surfsite.org"
"bitcoin@hoyer.xyz"
"roulette@surfsite.org"
"github@surfsite.org"
"mua@surfsite.org"
"aliexpress@surfsite.org"
# Max
"max@hoyer.xyz"
"max.hoyer@hoyer.xyz"
"maximilian@hoyer.xyz"
"maximilian.hoyer@hoyer.xyz"
# Felix
"felix@hoyer.xyz"
"felix.hoyer@hoyer.xyz"
];
};
};
certificateScheme = "acme";
};
services.roundcube = {
enable = true;
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "webmail.hoyer.xyz";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
}
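Review bot: Every `hashedPasswordFile` lives in a user's home directory (`/home/harald/secrets/…`, `/home/hartwin/secrets/…`, `/home/hhoyer/secrets/…`), so the local users that have SSH keys on this host can change the password of any mail account whose hash file they own, and the files are swept up in the `/home` backup pulled by the sgx box; moving them to sops secrets or a root-owned directory under `/var/lib/secrets/` keeps credential control with the host. Separately, `max@hoyer.xyz` and `felix@hoyer.xyz` appear both in `extraVirtualAliases` and in the `aliases` of `harald@hoyer.xyz`; the module may reject the overlap or one definition may shadow the other — keep a single source for each address. A comment on `loginAccounts` saying where the hash files are expected to come from would save the next maintainer a search.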


@ -0,0 +1,45 @@
{ pkgs, lib, ... }:
{
services.fail2ban.enable = true;
services.resolved.domains = [
"surfsite.org"
"hoyer.xyz"
];
services.resolved.extraConfig = "ReadEtcHosts=no";
services.nscd.enableNsncd = false;
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowPing = true;
networking.hostName = "mx"; # Define your hostname.
networking.domain = "surfsite.org";
networking.dhcpcd.enable = false;
networking.firewall.logRefusedConnections = false;
networking.networkmanager.enable = false;
networking.useDHCP = false;
networking.useNetworkd = true;
networking.wireless.enable = false;
networking.defaultGateway.address = "95.216.66.129";
networking.defaultGateway.interface = "enp0s31f6";
#networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
networking.enableIPv6 = true;
networking.interfaces.enp0s31f6 = {
ipv6 = {
addresses = [{
address = "2a01:4f9:2b:2e3::2"; # Your IPv6 here
prefixLength = 64;
}];
# Default IPv6 route
routes = [{
address = "::";
prefixLength = 0;
via = "fe80::1";
}];
};
ipv4.addresses = [{
address = "95.216.66.178";
prefixLength = 26;
}];
};
}
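Review bot: No resolver is configured — `networking.nameservers` is commented out and `useDHCP = false` — so systemd-resolved will fall back to its compiled-in public FallbackDNS servers. For a mail host that is the wrong shape: DNSBL/URIBL lookups done by rspamd are refused or rate-limited when they arrive through large public resolvers, and SPF/DKIM/DMARC checks then degrade silently. Run a local recursive resolver (e.g. `services.unbound`) and point resolved at `127.0.0.1`, or at minimum set `networking.nameservers` to the hosting provider's resolvers; whether one is configured in a module outside this commit cannot be seen from here.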


@ -0,0 +1,29 @@
{ pkgs, lib, ... }:
{
systemd.services."nextcloud-setup".requires = [ "postgresql.service" ];
systemd.services."nextcloud-setup".after = [ "postgresql.service" ];
environment.etc."nextcloud-admin-pass".text = "test123";
services.nextcloud = {
enable = true;
package = pkgs.nextcloud28;
hostName = "nc.hoyer.xyz";
https = true;
configureRedis = true;
extraOptions = {
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
};
phpOptions = {
upload_max_filesize = lib.mkForce "1G";
post_max_size = lib.mkForce "1G";
"opcache.interned_strings_buffer" = "16";
};
config.adminpassFile = "/etc/nextcloud-admin-pass";
config.defaultPhoneRegion = "DE";
config.dbtype = "pgsql";
config.dbname = "nextcloud";
config.dbhost = "/run/postgresql";
config.dbuser = "nextcloud";
};
}
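Review bot: `environment.etc."nextcloud-admin-pass".text = "test123"` puts the Nextcloud admin password into the world-readable Nix store and into `/etc` with the default 0444 mode, so every local user on the host — and anyone reading the repository this commit lives in — knows it; `adminpassFile` is only consumed at first install, but that is exactly when it sets the real admin account. Provision it like the other secrets in this commit: `sops.secrets.nextcloud-admin-pass = { owner = "nextcloud"; };` and `config.adminpassFile = config.sops.secrets.nextcloud-admin-pass.path;`. If the instance was already installed with this value, rotate the admin password in the Nextcloud UI as well.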


@ -0,0 +1,166 @@
{ pkgs, lib, ... }:
{
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
appendHttpConfig = ''
log_format vcombined '$host:$server_port '
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined;
'';
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"00000" = {
useACMEHost = "hoyer.xyz";
serverName = "_";
globalRedirect = "hoyer.xyz";
addSSL = true;
};
"hoyer.photos" = {
enableACME = false;
useACMEHost = "hoyer.photos";
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
};
"hoyer.world" = {
enableACME = false;
useACMEHost = "hoyer.world";
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
};
"hoyer.social" = {
enableACME = false;
useACMEHost = "hoyer.social";
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
};
"hoyer.xyz" = {
# serverName = "hoyer.xyz";
serverAliases = [
"www.hoyer.xyz"
];
useACMEHost = "hoyer.xyz";
enableACME = false;
forceSSL = true;
root = "/var/www/hoyer.xyz/html";
locations."/stats" = {
basicAuthFile = "/var/www/hoyer.xyz/stats.htaccess";
};
};
"surfsite.org" = {
useACMEHost = "surfsite.org";
enableACME = false;
forceSSL = true;
root = "/var/www/surfsite.org";
};
"kicker.surfsite.org" = {
useACMEHost = "surfsite.org";
enableACME = false;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:8087/";
};
};
"git.hoyer.xyz" = {
useACMEHost = "hoyer.xyz";
enableACME = false;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3001/";
};
};
"webmail.hoyer.xyz" = {
useACMEHost = "hoyer.xyz";
enableACME = false;
forceSSL = true;
};
"harald.hoyer.photos" = {
enableACME = true;
forceSSL = true;
root = "/var/www/photo.harald-hoyer.de/html";
};
"photo.harald-hoyer.de" = {
useACMEHost = "harald-hoyer.de";
forceSSL = true;
root = "/var/www/photo.harald-hoyer.de/html";
};
"photo-harald.hoyer.xyz" = {
serverAliases = [ "photo.harald.hoyer.xyz" ];
useACMEHost = "hoyer.xyz";
forceSSL = true;
root = "/var/www/photo.harald-hoyer.de/html";
};
"harald-hoyer.de" = {
serverAliases = [
"www.harald-hoyer.de"
];
useACMEHost = "harald-hoyer.de";
globalRedirect = "harald.hoyer.xyz";
forceSSL = true;
};
"harald.hoyer.xyz" = {
serverAliases = [
"www.harald.hoyer.xyz"
];
useACMEHost = "hoyer.xyz";
root = "/var/www/harald.hoyer.xyz/html/";
extraConfig = ''
rewrite ^/feed/rss$ /rss.xml permanent;
rewrite ^/feed/rss/$ /rss.xml permanent;
rewrite ^/feed/$ /rss.xml permanent;
rewrite ^/feed/rss/index.html$ /rss.xml permanent;
rewrite ^/fedora/fedora/RSS2$ /tags/fedora/rss.xml permanent;
rewrite ^/linux/linux/RSS2$ /tags/linux/rss.xml permanent;
rewrite ^/linux/feed$ /tags/linux/rss.xml permanent;
rewrite ^/wp-rss2.php$ /rss.xml permanent;
rewrite ^/aggregator/rss.xml$ /rss.xml permanent;
rewrite ^/personal/blog/aggregator/RSS$ /rss.xml permanent;
rewrite ^/personal/blog/aggregator/RSS2$ /rss.xml permanent;
rewrite ^/aggregator/RSS$ /rss.xml permanent;
rewrite ^/aggregator/RSS2$ /rss.xml permanent;
rewrite ^/wp-commentsrss2.php$ /rss.xml permanent;
'';
forceSSL = true;
};
"hartwin-hoyer.de" = {
serverAliases = [
"www.hartwin-hoyer.de"
];
useACMEHost = "hartwin-hoyer.de";
globalRedirect = "hartwin.hoyer.xyz";
forceSSL = true;
};
"hartwin.hoyer.xyz" = {
serverAliases = [
"testhartwin.hoyer.xyz"
"www.hartwin.hoyer.xyz"
];
useACMEHost = "hoyer.xyz";
root = "/var/www/hartwin.hoyer.xyz/html/";
forceSSL = true;
};
"nc.hoyer.xyz" = {
useACMEHost = "hoyer.xyz";
forceSSL = true;
};
};
};
}
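Review bot: The `/stats` basic-auth only guards the `hoyer.xyz` vhost, but `hoyer.photos`, `hoyer.world` and `hoyer.social` share the same `root = "/var/www/hoyer.xyz/html"` without a `locations."/stats"` block, so the goaccess reports written into `…/html/stats/` are served unauthenticated at `https://hoyer.photos/stats/` (and the other two). Either move the report directory out of the shared root or add `locations."/stats".basicAuthFile = "/var/www/hoyer.xyz/stats.htaccess";` to every vhost that uses that root. Separately, `webmail.hoyer.xyz` sets `useACMEHost` without the `enableACME = false` its siblings carry; the roundcube module sets `enableACME = lib.mkDefault true` on its own vhost, which would trip nginx's assertion that the two options are mutually exclusive — unless the roundcube module version in use does not configure nginx.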


@ -0,0 +1,40 @@
{ pkgs, lib, ... }:
{
services.rspamd.workers.controller.bindSockets = [{
socket = "/run/rspamd/worker-controller.sock";
mode = "0660";
}];
services.rspamd.locals = {
"maps.d/spf_whitelist.inc.local" = {
text = ''
epicgames.com
dmail.ai
'';
};
"maps.d/spf_dkim_whitelist.inc.local" = {
text = ''
epicgames.com
dmail.ai
'';
};
"maps.d/dmarc_whitelist.inc.local" = {
text = ''
epicgames.com
dmail.ai
'';
};
"greylist-whitelist-domains.inc" = {
text = ''
dmail.ai
epicgames.com
'';
};
};
services.rspamd.extraConfig = ''
actions {
reject = null;
greylist = 4; # Apply greylisting when reaching this score
add_header = 4; # Add header when reaching this score
}
'';
}
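Review bot: Listing `epicgames.com` and `dmail.ai` in `spf_whitelist`, `spf_dkim_whitelist` and `dmarc_whitelist` does the opposite of a greylist exemption: those maps make rspamd ignore SPF/DKIM/DMARC failures for mail claiming to come from those domains, so forged `@epicgames.com` mail is easier to deliver here than to a default install. If the intent was only to stop delaying their mail, the `greylist-whitelist-domains.inc` entry alone does that; if their mail genuinely fails authentication, a comment saying so belongs next to the maps. `reject = null` also means nothing is ever rejected at SMTP time and `add_header` at 4 is the only spam action left — worth a `# deliberately never reject; tag only` comment so it is not mistaken for an oversight.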


@ -0,0 +1,77 @@
{ disks ? [ "/dev/sda" "/dev/sdb" ], ... }: {
disk = {
one = {
type = "disk";
device = builtins.elemAt disks 0;
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "256M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = builtins.elemAt disks 1;
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "256M";
type = "EF00";
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "luks";
name = "crypted";
extraOpenArgs = [ "--allow-discards" ];
settings = {
allowDiscards = true;
};
initrdUnlock = false;
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
};
};
}
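Review bot: Only disk `one` gets a formatted, mounted ESP (`mountpoint = "/boot"`); disk `two`'s `ESP` partition is created but has no `content`, so the data is mirrored while the boot path is not — losing the first disk leaves an unbootable machine with an intact RAID. Format the second ESP as well and mirror it with whatever the boot loader supports (grub's `mirroredBoots`, or a periodic sync), or document that boot redundancy is intentionally absent. `allowDiscards` on the LUKS layer reveals the free-space layout through the ciphertext; a standard trade-off, but a one-line `# discards leak fs usage pattern; accepted for SSD wear` comment makes it a decision rather than a default.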


@ -0,0 +1,23 @@
{ pkgs, lib, ... }:
{
# Herward
users.users.hhoyer = {
shell = pkgs.bash;
isNormalUser = true;
description = "hhoyer";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCIlCnBiRkm8i/UQaTDv2UCO+mEzPC5OQ0e+DlzS1GVmJEjH5BqPosEivvDQheQP7WWNZOCWoHqAg8vvH8QpSA6AOqruvsWrbY1TmoMc4TlulgyEK5/z9aw/t3WUkQjj+fYeQbQXSNeT7pplN3hB49MCXAQNJ+LxnnntrZhp7tHRAsJFlGgK6NGFapCizeYt9DOqeh2KGTd+x9TXTa96ccWQTRovE5xWP/8X7LoejCl7sfe2dymeByU465Do+mvDs2DbyKI1XHlLpPZihsyxyU1/K0B9VF92U486vh8Ep3fnTgpu7D9n0KdN0wGMfSmH75rtrYZPiGvu6Qy0YzV6MUN newkex"
];
};
# Hartwin
users.users.hartwin = {
shell = pkgs.bash;
isNormalUser = true;
description = "hartwin";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjeTezn11UITzlqfOS9U3/sOdEJ4au5MSo/vNUcMHVIfKWLXfOWH6skB2kVrRcSlevNydgWtmQfA/xD7n7Syx4esWLvaUUwRO75QNz8TJq9dgItxi6R+bxWlUqN79aAmNWQH6yftBs+bLDtTg7XABZYe2z53UcfLtG0iQOHG6mftcOL2YKyzdtd/1F7jgMmy2HJ1LzsFNb57hBQvA3cg+hDwXKfptrDh/8Xysm110vMj74T2ANbhmE3wT25PmUMN7B/sx0m7Rm7jg3COyLq6/MZzoFGyl+Kd9vxTPzp76aSq7bI70qGUzcq2aX6UnlkcrrAz2bzZBi5RMOHYO3QPmP hlh@aiur.localdomain"
];
};
}


@ -0,0 +1,76 @@
{ pkgs, lib, config, ... }:
let
backup_new_path = "/mnt/raid/backup/hoyer/new/";
restic_repo = "/mnt/backup/restic-repo";
in
{
services.restic.backups.hoyer_new = {
repository = restic_repo;
passwordFile = config.sops.secrets.backup-pw.path;
timerConfig = {
OnCalendar = "daily";
FixedRandomDelay = true;
RandomizedDelaySec = "4h";
Persistent = true;
};
paths = [ backup_new_path ];
pruneOpts = [
"-g host,paths"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 1"
];
backupPrepareCommand = ''
HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh" --exclude-from /root/excludelist --no-specials --no-devices --numeric-ids --delete-after --partial -axz backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path}
'';
};
services.restic.backups.self = {
repository = restic_repo;
#repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup";
passwordFile = config.sops.secrets.backup-pw.path;
timerConfig = {
OnCalendar = "daily";
FixedRandomDelay = true;
RandomizedDelaySec = "4h";
Persistent = true;
};
paths = [
"/etc"
"/var"
"/home"
"/root"
"/persist"
config.services.samba.shares.Qmultimedia.path
];
extraBackupArgs =
let
ignorePatterns = [
"/mnt/raid/backup"
"/mnt/backup"
"/mnt/snap"
"/var/cache"
"/home/*/.local/share/Trash"
"/home/*/.cache"
"/home/*/Downloads"
"/home/*/.npm"
"/home/*/.local/share/containers"
".cache"
".tmp"
".log"
".Trash"
];
ignoreFile = builtins.toFile "ignore"
(lib.foldl (a: b: a + "\n" + b) "" ignorePatterns);
in
[ "--exclude-file=${ignoreFile}" ];
pruneOpts = [
"-g host,paths"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 1"
];
};
}
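Review bot: The pull in `backupPrepareCommand` runs `rsync -e ssh` as root against `backup@mx.surfsite.org` with nothing pinning the remote host key other than whatever is already in `/root/.ssh/known_hosts`, and `--delete-after` lets a spoofed or compromised mx thin out the mirror before restic snapshots it (earlier snapshots survive through the `keep-*` rules, so this is a nuisance rather than a loss). Pass `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<pinned file>` or declare the key via `programs.ssh.knownHosts` so a first-connect TOFU cannot be hijacked. This file is a move out of configuration.nix, so the behaviour predates the commit; the note concerns its new home.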


@ -1,10 +1,11 @@
{ pkgs, lib, config, ... }:
let
backup_new_path = "/mnt/raid/backup/hoyer/new/";
restic_repo = "/mnt/backup/restic-repo";
in
{
imports = [ ./hardware-configuration.nix ];
imports = [
./hardware-configuration.nix
./fileserver.nix
./backup.nix
./network.nix
];
sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
sops.secrets.backup-pw.sopsFile = ../../../.secrets/sgx/backup-s3.yaml;
@ -22,8 +23,12 @@ in
user.extraGroups = [ "docker" "sgx" ];
};
virtualisation.docker.enable = true;
virtualisation.podman.dockerCompat = false;
virtualisation = {
docker.enable = true;
libvirtd.enable = true;
podman.dockerCompat = false;
};
systemd.services.libvirt-guests.after = [ "network-online.target" ];
system.autoUpgrade = {
enable = true;
@ -31,15 +36,8 @@ in
allowReboot = true;
};
security.tpm2.enable = false;
security.tpm2.abrmd.enable = false;
services.pcscd.enable = true;
powerManagement.cpuFreqGovernor = "ondemand";
system.stateVersion = "23.11";
environment.etc."sgx_default_qcnl.conf".text = ''
{
"pccs_url": "https://127.0.0.1:8081/sgx/certification/v4/",
@ -53,190 +51,5 @@ in
}
'';
services.netatalk = {
enable = true;
settings = {
Homes = {
"basedir regex" = "/home";
path = "Public";
};
time-machine = {
path = "/mnt/backup/tm_share";
"valid users" = "harald";
"time machine" = true;
};
Qmultimedia = {
path = "/mnt/raid/Qmultimedia";
};
};
};
services.avahi = {
enable = true;
nssmdns = true;
publish = {
enable = true;
userServices = true;
};
};
services.samba = {
enable = true;
securityType = "user";
extraConfig = ''
read raw = Yes
write raw = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
min receivefile size = 16384
use sendfile = true
aio read size = 16384
aio write size = 16384
workgroup = WORKGROUP
server string = sgx
netbios name = sgx
security = user
#max protocol = smb2
hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
hosts deny = ALL
guest account = nobody
map to guest = bad user
'';
shares = {
# public = {
# path = "/mnt/Shares/Public";
# browseable = "yes";
# "read only" = "no";
# "guest ok" = "yes";
# "create mask" = "0644";
# "directory mask" = "0755";
# "force user" = "username";
# "force group" = "groupname";
# };
Qmultimedia = {
path = "/mnt/raid/Qmultimedia";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "harald";
"force group" = "users";
};
};
};
services.restic.backups.hoyer_new = {
repository = restic_repo;
passwordFile = config.sops.secrets.backup-pw.path;
timerConfig = {
OnCalendar = "daily";
FixedRandomDelay = true;
RandomizedDelaySec = "4h";
Persistent = true;
};
paths = [ backup_new_path ];
pruneOpts = [
"-g host,paths"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 1"
];
backupPrepareCommand = ''
HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh" --exclude-from /root/excludelist --no-specials --no-devices --numeric-ids --delete-after --partial -axz backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path}
'';
};
services.restic.backups.self = {
repository = restic_repo;
#repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup";
passwordFile = config.sops.secrets.backup-pw.path;
timerConfig = {
OnCalendar = "daily";
FixedRandomDelay = true;
RandomizedDelaySec = "4h";
Persistent = true;
};
paths = [
"/etc"
"/var"
"/home"
"/root"
"/persist"
config.services.samba.shares.Qmultimedia.path
];
extraBackupArgs =
let
ignorePatterns = [
"/mnt/raid/backup"
"/mnt/backup"
"/mnt/snap"
"/var/cache"
"/home/*/.local/share/Trash"
"/home/*/.cache"
"/home/*/Downloads"
"/home/*/.npm"
"/home/*/.local/share/containers"
".cache"
".tmp"
".log"
".Trash"
];
ignoreFile = builtins.toFile "ignore"
(lib.foldl (a: b: a + "\n" + b) "" ignorePatterns);
in
[ "--exclude-file=${ignoreFile}" ];
pruneOpts = [
"-g host,paths"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 1"
];
};
systemd.services.libvirt-guests.after = [ "network-online.target" ];
virtualisation.libvirtd.enable = true;
networking.hostName = "sgx"; # Define your hostname.
networking.useDHCP = false;
#networking.domain = "fritz.box";
networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = false; # use networkd
networking.dhcpcd.enable = false; # use networkd
# services.nscd.enableNsncd = false;
# systemd-networkd
systemd.network.enable = true;
#systemd.network.wait-online.anyInterface = true;
#systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
systemd.network.networks."10-br0" = {
matchConfig.Name = "br0";
DHCP = "yes";
linkConfig.RequiredForOnline = "routable";
linkConfig.RequiredFamilyForOnline = "both";
};
systemd.network.netdevs."br0" = {
netdevConfig = {
Name = "br0";
Kind = "bridge";
MACAddress = "00:a1:2f:68:07:ea";
};
};
systemd.network.networks."11-en" = {
linkConfig.RequiredForOnline = "enslaved";
matchConfig.Name = "enp3s0";
networkConfig = {
Bridge = "br0";
};
};
networking.firewall.allowedTCPPorts = [ 548 ];
networking.firewall.allowPing = true;
services.samba.openFirewall = true;
system.stateVersion = "23.11";
}


@ -0,0 +1,75 @@
{ pkgs, lib, config, ... }:
{
services.netatalk = {
enable = true;
settings = {
Homes = {
"basedir regex" = "/home";
path = "Public";
};
time-machine = {
path = "/mnt/backup/tm_share";
"valid users" = "harald";
"time machine" = true;
};
Qmultimedia = {
path = "/mnt/raid/Qmultimedia";
};
};
};
services.avahi = {
enable = true;
nssmdns = true;
publish = {
enable = true;
userServices = true;
};
};
services.samba = {
enable = true;
openFirewall = true;
securityType = "user";
extraConfig = ''
read raw = Yes
write raw = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
min receivefile size = 16384
use sendfile = true
aio read size = 16384
aio write size = 16384
workgroup = WORKGROUP
server string = sgx
netbios name = sgx
security = user
#max protocol = smb2
hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
hosts deny = ALL
guest account = nobody
map to guest = bad user
'';
shares = {
# public = {
# path = "/mnt/Shares/Public";
# browseable = "yes";
# "read only" = "no";
# "guest ok" = "yes";
# "create mask" = "0644";
# "directory mask" = "0755";
# "force user" = "username";
# "force group" = "groupname";
# };
Qmultimedia = {
path = "/mnt/raid/Qmultimedia";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "harald";
"force group" = "users";
};
};
};
}
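Review bot: `hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1` together with `openFirewall = true` admits SMB (139/445) from the entire `2003::/16` block, which is Deutsche Telekom's whole customer IPv6 allocation rather than this LAN. Replace it with the prefix the router actually delegates (the /56 or /64 in use) plus `fe80::/10`, and keep the firewall opening confined to the LAN interface with `networking.firewall.interfaces.<if>.allowedTCPPorts`. Note also that `force user = harald` makes every authenticated SMB client write as harald, and `nssmdns = true` is deprecated in favour of `nssmdns4` on recent nixpkgs.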


@ -57,4 +57,8 @@
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
security.tpm2.enable = false;
security.tpm2.abrmd.enable = false;
powerManagement.cpuFreqGovernor = "ondemand";
}


@ -0,0 +1,42 @@
{ pkgs, lib, config, ... }:
{
networking.hostName = "sgx"; # Define your hostname.
networking.useDHCP = false;
#networking.domain = "fritz.box";
networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = false; # use networkd
networking.dhcpcd.enable = false; # use networkd
# services.nscd.enableNsncd = false;
# systemd-networkd
systemd.network.enable = true;
#systemd.network.wait-online.anyInterface = true;
#systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
systemd.network.networks."10-br0" = {
matchConfig.Name = "br0";
DHCP = "yes";
linkConfig.RequiredForOnline = "routable";
linkConfig.RequiredFamilyForOnline = "both";
};
systemd.network.netdevs."br0" = {
netdevConfig = {
Name = "br0";
Kind = "bridge";
MACAddress = "00:a1:2f:68:07:ea";
};
};
systemd.network.networks."11-en" = {
linkConfig.RequiredForOnline = "enslaved";
matchConfig.Name = "enp3s0";
networkConfig = {
Bridge = "br0";
};
};
networking.firewall.allowedTCPPorts = [ 548 ];
networking.firewall.allowPing = true;
}
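Review bot: `networking.firewall.allowedTCPPorts = [ 548 ]` opens AFP on every interface, and netatalk's shares in this commit carry no `hosts allow`, unlike samba, so the `Homes` and time-machine shares are reachable from any VM or container attached to `br0` and, should the router forward it, from outside. Add `hosts allow = 192.168.178.0/24` to netatalk's `Global` section or scope the port per interface with `networking.firewall.interfaces.br0.allowedTCPPorts = [ 548 ];`. Whether the bridge carries only trusted guests cannot be seen from here; a comment stating the assumption on the `allowedTCPPorts` line would do.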