nixos-config/machines/vueko/configuration.nix

# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, lib, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ../../modules

    ./services/fuuko-proxy.nix # FIXME!
    ./services/media.nix
    ./services/restic.nix
  ];

  sbruder = {
    nginx.hardening.enable = true;
    restic.system.enable = true;
    wireguard.home.enable = true;
    full = false;
    infovhost.enable = true;

    mailserver = {
      enable = true;
      fqdn = "vueko.sbruder.de";
      domains = [
        "jufeli.de"
        "kegelschiene.net"
        "psycho-power-papagei.de"
        "salespointframework.org"
        "sbruder.de"
      ];
      autoconfig.enable = true;
      users = import ./secrets/mail-users.nix;
    };
  };

  networking.hostName = "vueko";

  system.stateVersion = "22.11";

  # sadly, too many (legitimate) mail servers have broken dnssec on reverse
  # lookups
  services.resolved.dnssec = "false";

  services.nginx = {
    enable = true;

    virtualHosts = {
      "vueko.sbruder.de" = {
        enableACME = true;
        forceSSL = true;

        default = true;

        root = pkgs.sbruder.imprint;

        locations."/rspamd/".proxyPass = "http://127.0.0.1:11334/";
      };
      "vueko.vpn.sbruder.de" = {
        # Allow prometheus metrics to be fetched from VPN without authentication
        locations."/rspamd/metrics" = {
          proxyPass = "http://127.0.0.1:11334/metrics";
          extraConfig = ''
            proxy_set_header X-Forwarded-For 127.0.0.1;
          '';
        };
      };
      "dav.sbruder.de" = {
        enableACME = true;
        forceSSL = true;

        locations."/".proxyPass = "http://localhost:5232";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
  ];

  services.radicale = {
    enable = true;
    settings = {
      auth = {
        type = "htpasswd";
        htpasswd_encryption = "bcrypt";
        htpasswd_filename = toString (pkgs.writeText
          "radicale-htpasswd"
          (lib.concatMapStringsSep
            "\n"
            ({ address, passwordHash, ... }: "${address}:${passwordHash}")
            config.sbruder.mailserver.users));
      };
    };
  };
}
Relicense This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually. 2024-01-06 01:19:35 +01:00			`# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>`
			`#`
			`# SPDX-License-Identifier: AGPL-3.0-or-later`

vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00			`{ config, lib, pkgs, ... }:`
Convert to flake Fixes #3. 2021-05-01 16:30:48 +02:00
machines: Add vueko This only adds a minimal configuration. 2021-02-01 17:33:29 +01:00			`{`
			`imports = [`
			`./hardware-configuration.nix`
			`../../modules`
vueko/media: Init This also changes fuuko/media to no longer take the htpasswd file from a file locally stored on fuuko, but rather defines it in sops to be usable by all systems. 2022-08-22 16:32:26 +02:00
vueko: Migrate to new server 2023-04-27 21:08:38 +02:00			`./services/fuuko-proxy.nix # FIXME!`
vueko/media: Init This also changes fuuko/media to no longer take the htpasswd file from a file locally stored on fuuko, but rather defines it in sops to be usable by all systems. 2022-08-22 16:32:26 +02:00			`./services/media.nix`
restic: Use storage box and restic-rest-server While this setup complicates things, it also should protect me against (malicious) deletion of old backups. 2022-08-25 17:18:43 +02:00			`./services/restic.nix`
machines: Add vueko This only adds a minimal configuration. 2021-02-01 17:33:29 +01:00			`];`

			`sbruder = {`
vueko: Enable nginx hardening 2021-03-05 16:00:10 +01:00			`nginx.hardening.enable = true;`
restic/system: Constantly use system for naming In the future I may create add other backup jobs, so it should be clear, that this only backs up the system. 2021-02-28 12:21:04 +01:00			`restic.system.enable = true;`
wireguard/home: Make vueko central server This also restructures the wireguard/home configuration, since now better peer management is possible. 2021-02-20 19:03:40 +01:00			`wireguard.home.enable = true;`
vueko: Make small system 2021-02-05 15:35:42 +01:00			`full = false;`
infovhost: Init This avoids boilerplate code for displaying the imprint on the fqdn of the machine. 2024-01-03 12:04:26 +01:00			`infovhost.enable = true;`
vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00
			`mailserver = {`
			`enable = true;`
			`fqdn = "vueko.sbruder.de";`
			`domains = [`
vueko/mail: Add domain and user 2023-08-17 13:51:45 +02:00			`"jufeli.de"`
vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00			`"kegelschiene.net"`
vueko/mail: Add domain and alias 2022-09-13 09:11:02 +02:00			`"psycho-power-papagei.de"`
vueko/mail: Add domain 2023-11-15 23:42:58 +01:00			`"salespointframework.org"`
vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00			`"sbruder.de"`
			`];`
mailserver: Add option for autoconfig 2023-05-31 12:38:28 +02:00			`autoconfig.enable = true;`
vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00			`users = import ./secrets/mail-users.nix;`
			`};`
machines: Add vueko This only adds a minimal configuration. 2021-02-01 17:33:29 +01:00			`};`

			`networking.hostName = "vueko";`

vueko: Migrate to new server 2023-04-27 21:08:38 +02:00			`system.stateVersion = "22.11";`
vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00
vueko: resolved: Disable dnssec 2021-02-10 14:22:00 +01:00			`# sadly, too many (legitimate) mail servers have broken dnssec on reverse`
			`# lookups`
			`services.resolved.dnssec = "false";`

vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00			`services.nginx = {`
			`enable = true;`

			`virtualHosts = {`
			`"vueko.sbruder.de" = {`
			`enableACME = true;`
			`forceSSL = true;`
vueko: Serve imprint over http 2021-02-14 19:49:05 +01:00
vueko/nginx: Make vueko.sbruder.de default vhost 2021-03-07 15:50:52 +01:00			`default = true;`

vueko: Serve imprint over http 2021-02-14 19:49:05 +01:00			`root = pkgs.sbruder.imprint;`
vueko: Expose rspamd 2023-04-29 12:27:35 +02:00
			`locations."/rspamd/".proxyPass = "http://127.0.0.1:11334/";`
vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00			`};`
vueko: Expose rspamd prometheus metrics 2023-04-30 13:09:43 +02:00			`"vueko.vpn.sbruder.de" = {`
			`# Allow prometheus metrics to be fetched from VPN without authentication`
			`locations."/rspamd/metrics" = {`
			`proxyPass = "http://127.0.0.1:11334/metrics";`
			`extraConfig = ''`
			`proxy_set_header X-Forwarded-For 127.0.0.1;`
			`'';`
			`};`
			`};`
vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00			`"dav.sbruder.de" = {`
			`enableACME = true;`
			`forceSSL = true;`

			`locations."/".proxyPass = "http://localhost:5232";`
			`};`
			`};`
			`};`

			`networking.firewall.allowedTCPPorts = [`
			`80 # HTTP`
			`443 # HTTPS`
			`];`

			`services.radicale = {`
			`enable = true;`
vueko/radicale: Use services.radicale.settings 2021-05-28 14:24:02 +02:00			`settings = {`
vueko: Add mail and dav server 2021-02-06 12:18:55 +01:00			`auth = {`
			`type = "htpasswd";`
			`htpasswd_encryption = "bcrypt";`
			`htpasswd_filename = toString (pkgs.writeText`
			`"radicale-htpasswd"`
			`(lib.concatMapStringsSep`
			`"\n"`
			`({ address, passwordHash, ... }: "${address}:${passwordHash}")`
			`config.sbruder.mailserver.users));`
			`};`
			`};`
			`};`
machines: Add vueko This only adds a minimal configuration. 2021-02-01 17:33:29 +01:00			`}`