From bb3fd6ee57e1b25d053444671d2283ea395c67c8 Mon Sep 17 00:00:00 2001 From: baritone Date: Tue, 4 Mar 2025 00:39:43 +0100 Subject: [PATCH] stuff --- configuration.nix | 4 ++- disko.nix | 4 +++ flake.lock | 73 +++++++++++++++++++++++++++++++++++++++- flake.nix | 12 ++++++- services/fail2ban.nix | 4 +++ services/forgejo.nix | 17 +++------- services/jellyfin.nix | 17 +++------- services/mailserver.nix | 35 +++++++++++++------ services/nginx.nix | 9 +++++ services/vaultwarden.nix | 8 +++-- services/website.nix | 16 +++++++++ 11 files changed, 158 insertions(+), 41 deletions(-) create mode 100644 services/fail2ban.nix create mode 100644 services/nginx.nix create mode 100644 services/website.nix diff --git a/configuration.nix b/configuration.nix index 5752a1a..8674c45 100755 --- a/configuration.nix +++ b/configuration.nix @@ -1,10 +1,12 @@ {pkgs, ...}: { imports = [ + ./services/nginx.nix ./services/openssh.nix ./services/forgejo.nix ./services/vaultwarden.nix ./services/jellyfin.nix - # ./services/mailserver.nix + ./services/website.nix + ./services/mailserver.nix ./services/misc.nix ./modules/git.nix diff --git a/disko.nix b/disko.nix index 5392660..18ebd42 100755 --- a/disko.nix +++ b/disko.nix @@ -108,6 +108,10 @@ type = "zfs_fs"; mountpoint = "/opt"; }; + media = { + type = "zfs_fs"; + mountpoint = "/media"; + }; }; }; }; diff --git a/flake.lock b/flake.lock index 50d7062..6927d65 100755 --- a/flake.lock +++ b/flake.lock @@ -23,6 +23,22 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "darwin": { "inputs": { "nixpkgs": [ 
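Review bot: The import list gains `./services/nginx.nix`, `./services/website.nix` and `./services/mailserver.nix` but not the `./services/fail2ban.nix` this same commit creates, so that file is dead weight until it is listed here. Either add `./services/fail2ban.nix` to `imports` alongside the others, or leave the file out of the commit until it has content. Uncommenting the mailserver import is also the moment the login credentials defined in that module go live, which is worth a sentence in the commit message rather than "stuff".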
@@ -65,6 +81,22 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -122,12 +154,51 @@ "type": "github" } }, + "nixpkgs-24_11": { + "locked": { + "lastModified": 1734083684, + "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.11", + "type": "indirect" + } + }, "root": { "inputs": { "agenix": "agenix", "disko": "disko", "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "simple-nixos-mailserver": "simple-nixos-mailserver" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-24_11": "nixpkgs-24_11" + }, + "locked": { + "lastModified": 1740437053, + "narHash": "sha256-exPTta4qI1ka9sk+jPcLogGffJ1OVXnAsTRqpeAXeNw=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "c8ec4d5e432f5df4838eacd39c11828d23ce66ec", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" } }, "systems": { diff --git a/flake.nix b/flake.nix index ece1301..ff788cc 100755 --- a/flake.nix +++ b/flake.nix @@ -18,6 +18,11 @@ url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + simple-nixos-mailserver = { + url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { 
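Review bot: The new `simple-nixos-mailserver` input has no branch in its URL (`gitlab:simple-nixos-mailserver/nixos-mailserver`), so `nix flake update` will track the project's default branch while `inputs.nixpkgs.follows = "nixpkgs"` builds it against this flake's own nixpkgs. Upstream publishes release branches matched to nixpkgs releases, and the lock file shows the locked revision expecting `nixos-24.11`, so pinning the ref to the branch that matches your nixpkgs (e.g. `url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";`) avoids a silent version mismatch on the next update. The `outputs` function this hunk ends on continues outside the hunk.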
@@ -31,7 +36,12 @@ formatter.${system} = pkgs.alejandra; nixosConfigurations = let - modules = [inputs.disko.nixosModules.default inputs.agenix.nixosModules.default inputs.home-manager.nixosModules.default]; + modules = [ + inputs.disko.nixosModules.default + inputs.agenix.nixosModules.default + inputs.home-manager.nixosModules.default + inputs.simple-nixos-mailserver.nixosModule + ]; in { server-vm = nixpkgs.lib.nixosSystem { specialArgs = {inherit inputs;}; diff --git a/services/fail2ban.nix b/services/fail2ban.nix new file mode 100644 index 0000000..184d085 --- /dev/null +++ b/services/fail2ban.nix @@ -0,0 +1,4 @@ +{...}: +{ + +} diff --git a/services/forgejo.nix b/services/forgejo.nix index d1c80a7..6b64a92 100755 --- a/services/forgejo.nix +++ b/services/forgejo.nix @@ -36,19 +36,12 @@ in { networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedUDPPorts = [80 443]; - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - + services.nginx. virtualHosts."git.spoodythe.one" = { - addSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://${host}:${toString port}"; - }; + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${host}:${toString port}"; }; }; diff --git a/services/jellyfin.nix b/services/jellyfin.nix index 43dd2a7..db769f9 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -31,19 +31,12 @@ in { # ''; # }; - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - + services.nginx. virtualHosts."media.spoodythe.one" = { - addSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://${host}:${toString port}"; - }; + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${host}:${toString port}"; }; }; } 
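Review bot: `services/fail2ban.nix` is committed as an empty module body (`{...}: { }`) and is not imported by configuration.nix in this commit, so it does nothing while the same change puts Forgejo, Jellyfin, Vaultwarden, Roundcube and the mailserver's IMAP/SMTP authentication behind public hostnames, with sshd already exposed. Either give it content — at minimum `services.fail2ban = { enable = true; bantime-increment.enable = true; };` so sshd is covered — and add it to `imports`, or drop the file until it is ready. A one-line header comment such as `# fail2ban: brute-force protection for sshd and the public login endpoints` would also make its purpose clear to the next reader.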
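Review bot: `addSSL = true;` on the `git.spoodythe.one` vhost keeps a plain-HTTP listener on port 80 with no redirect, so a user or git client that hits `http://git.spoodythe.one` sends the Forgejo session cookie or login form in cleartext; the vaultwarden vhost in this same commit uses `forceSSL = true;`, and Forgejo should match (`forceSSL = true;` in place of `addSSL = true;`). The kept context line `networking.firewall.allowedUDPPorts = [80 443];` opens UDP ports nginx does not serve here (no HTTP/3 is configured), so it can go, and now that nginx lives in a shared module the `[80 443]` TCP opening belongs there rather than in each service file. Splitting the attribute path across two lines as `services.nginx.` / `virtualHosts."git.spoodythe.one" = {` parses but is easy to misread; `services.nginx.virtualHosts."git.spoodythe.one" = {` on one line is the form vaultwarden.nix uses. The `in {` body this hunk edits starts outside the hunk.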
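Review bot: The `media.spoodythe.one` vhost keeps `addSSL = true;`, which serves the Jellyfin login page over both plain HTTP and HTTPS without redirecting, so a bookmark or app configured with `http://media.spoodythe.one` sends the Jellyfin password and token in the clear; `forceSSL = true;` closes that the same way vaultwarden.nix does. As in forgejo.nix, the path written as `services.nginx.` on one line and `virtualHosts."media.spoodythe.one" = {` on the next is valid Nix but reads like a typo; one line, `services.nginx.virtualHosts."media.spoodythe.one" = {`, is clearer. The commented-out block above the vhost is left in place as context; if it is not coming back, removing it would keep the file honest about what is configured. The enclosing `in {` opens outside the hunk.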
diff --git a/services/mailserver.nix b/services/mailserver.nix index 96d2aac..f43c519 100644 --- a/services/mailserver.nix +++ b/services/mailserver.nix @@ -1,22 +1,21 @@ -{fetchFromGitLab, ...}: { - imports = [ - (fetchFromGitLab { - owner = "simple-nixos-webserver"; - repo = "nixos-mailserver"; - rev = "c8ec4d5e432f5df4838eacd39c11828d23ce66ec"; - hash = ""; # TODO: Fill this hash - }) - ]; - +{ + config, + fetchFromGitLab, + ... +}: { mailserver = { enable = true; fqdn = "mail.spoodythe.one"; domains = ["spoodythe.one"]; + openFirewall = false; + + localDnsResolver = false; # FUCK OFF!!!! + # A list of all login accounts. To create the password hashes, use # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' loginAccounts = { - "spoody@spoodythe.one" = { + "spoody" = { hashedPassword = "$2b$05$sTD8VXUF76uu1LOThuOSTOC8iCe2w4jgwExwpP.cnN7UOa.YEO9G2"; aliases = ["admin@spoodythe.one"]; }; @@ -27,4 +26,18 @@ certificateScheme = "acme-nginx"; certificateDomains = ["mail.spoodythe.one"]; }; + + services.roundcube = { + enable = true; + # this is the url of the vhost, not necessarily the same as the fqdn of + # the mailserver + hostName = "webmail.spoodythe.one"; + extraConfig = '' + # starttls needed for authentication, so the fqdn required to match + # the certificate + $config['smtp_server'] = "tls://${config.mailserver.fqdn}"; + $config['smtp_user'] = "%u"; + $config['smtp_pass'] = "%p"; + ''; + }; } diff --git a/services/nginx.nix b/services/nginx.nix new file mode 100644 index 0000000..63b27f6 --- /dev/null +++ b/services/nginx.nix @@ -0,0 +1,9 @@ +{...}: { + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; +} diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index 52512c6..a9f2202 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix 
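Review bot: The bcrypt hash on the `hashedPassword` context line has cost factor 5 (`$2b$05$`), which is cheap to brute-force offline, and this commit makes it live by importing the module; the flake already carries agenix, so `hashedPasswordFile = config.age.secrets.spoody-mail.path;` with a hash regenerated at a higher cost (`mkpasswd -sm bcrypt -R 12`) keeps the credential out of git and out of the store. The account key is changed from `"spoody@spoodythe.one"` to `"spoody"`, but nixos-mailserver keys `loginAccounts` by full address and, as far as I recall, checks that each account's domain is in `domains`, so this is likely to fail evaluation or leave the `admin@spoodythe.one` alias unmapped — confirm against the module. `fetchFromGitLab` in the module argument set is left over from the removed `imports` and is not something the module system passes, so evaluation fails on it unless `_module.args.fetchFromGitLab` is defined elsewhere; drop it. `localDnsResolver = false;` sends rspamd's DNSBL and SPF/DKIM lookups through the system resolver, which the major blocklists refuse or rate-limit when it is a public resolver, so the comment should record that trade-off rather than `# FUCK OFF!!!!`, e.g. `# local unbound disabled; DNSBL lookups go via the host resolver and may be rejected if it is a public one`. `openFirewall = false;` also leaves 25/465/587/993 closed, which is fine while testing but means no external MTA or client can reach this server until it is flipped — a comment saying it is deliberate would help.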
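Review bot: `extraConfig` is spliced verbatim into Roundcube's PHP configuration, and the three `$config[...]` lines here follow the upstream nixos-mailserver example, so they are fine as written; the only thing to check is that the `webmail.spoodythe.one` vhost the roundcube module creates ends up with `forceSSL`/`enableACME` like the other vhosts in this commit, since it fronts a password form — I believe the NixOS module sets both by default, but it is worth confirming rather than assuming. The comment above `hostName` would be clearer as `# vhost for the web UI; may differ from mailserver.fqdn, which is what the TLS certificate for SMTP must match`.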
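Review bot: The shared module now owns `enable` and the `recommended*` settings, but the two things every `enableACME` vhost in this commit depends on — the ACME account settings (`security.acme.acceptTerms`, `security.acme.defaults.email`) and the 80/443 firewall openings — are not here; if the ACME settings are not set in a module outside this diff, evaluation fails on the module's assertion. Moving `networking.firewall.allowedTCPPorts = [80 443];` into this file and dropping the per-service copies (forgejo.nix still opens 80/443 on UDP too, which nginx does not use without HTTP/3) would make this the single place the reverse proxy is configured. A header comment stating the contract, e.g. `# Shared nginx instance; service modules only add services.nginx.virtualHosts entries.`, would stop the next service file from re-enabling nginx with its own settings.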
@@ -5,8 +5,10 @@ in { services.vaultwarden = { enable = true; + environmentFile = "/var/lib/vaultwarden/environment.env"; + config = { - DOMAIN = "https://bitwarden.spoodythe.one"; + DOMAIN = "https://vaultwarden.spoodythe.one"; SIGNUPS_ALLOWED = false; ROCKET_ADDRESS = host; @@ -17,7 +19,7 @@ in { SMTP_PORT = 25; SMTP_SSL = false; - SMTP_FROM = "admin@bitwarden.spoodythe.one"; + SMTP_FROM = "vaultwarden@spoodythe.one"; SMTP_FROM_NAME = "SpoodyThe.One Bitwarden Server"; }; }; @@ -25,7 +27,7 @@ in { networking.firewall.allowedTCPPorts = [port]; networking.firewall.allowedUDPPorts = [port]; - services.nginx.virtualHosts."bitwarden.spoodythe.one" = { + services.nginx.virtualHosts."vaultwarden.spoodythe.one" = { enableACME = true; forceSSL = true; locations."/" = { diff --git a/services/website.nix b/services/website.nix new file mode 100644 index 0000000..ee3e1e0 --- /dev/null +++ b/services/website.nix @@ -0,0 +1,16 @@ +{ + fetchFromGitLab, + pkgs, + ... +}: let + host = "127.0.0.1"; + port = 8080; +in { + services.nginx.virtualHosts."spoodythe.one" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://${host}:${toString port}"; + }; + }; +}
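Review bot: `environmentFile = "/var/lib/vaultwarden/environment.env";` points the service's secrets (this file is where `ADMIN_TOKEN` and SMTP credentials normally live) at a plain file inside the service's own writable state directory, and nothing in this commit provisions it or fixes its mode; the flake already carries agenix, so `environmentFile = config.age.secrets.vaultwarden-env.path;` with `owner = "vaultwarden"; mode = "0400";` on the secret keeps it out of the repo and out of the app-writable tree (add `config` to the module arguments if it is not already there). The `DOMAIN` change to `vaultwarden.spoodythe.one` likely also changes the WebAuthn relying-party origin, so any hardware-key or passkey registrations made against `bitwarden.spoodythe.one` may stop working — worth a note in the commit message or a redirect vhost for the old name. The `services.vaultwarden` set this hunk edits continues in the next hunk.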
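Review bot: `fetchFromGitLab` and `pkgs` in the argument set are unused, and `fetchFromGitLab` is not an argument the module system supplies, so unless `_module.args.fetchFromGitLab` is defined elsewhere this new module fails to evaluate — `{...}: let` is all it needs. Nothing here (or elsewhere in the diff) starts a listener on `127.0.0.1:8080`, so the `spoodythe.one` vhost will answer 502 until the site backend is defined; a comment naming what is expected there, e.g. `# backend: static site server on 127.0.0.1:8080, defined in <module>`, would make the dependency visible. `forceSSL`/`enableACME` are the right choice and match vaultwarden.nix.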