2021-02-06 12:18:55 +01:00
|
|
|
{ config, lib, pkgs, ... }:
|
2021-02-07 12:29:22 +01:00
|
|
|
let
|
|
|
|
# any nixpkgs fetcher fails with infinite recursion when importing a module
|
|
|
|
# from it
|
2021-02-27 19:55:12 +01:00
|
|
|
infinisilSystem = fetchTarball {
|
2021-02-07 12:29:22 +01:00
|
|
|
url = "https://github.com/Infinisil/system/archive/91c5df20db68a995155218c5334db0e394185ca8.tar.gz";
|
|
|
|
sha256 = "1qlz96mla0rlsqax9r8pmwycy8f8byisvjxlk2545mpk9lp2yspv";
|
|
|
|
};
|
|
|
|
in
|
2021-02-01 17:33:29 +01:00
|
|
|
{
|
|
|
|
imports = [
|
|
|
|
./hardware-configuration.nix
|
|
|
|
../../modules
|
2021-02-07 12:29:22 +01:00
|
|
|
|
2021-02-28 16:16:06 +01:00
|
|
|
./services/element-web.nix
|
|
|
|
|
2021-02-07 12:29:22 +01:00
|
|
|
"${infinisilSystem}/config/new-modules/murmur.nix"
|
2021-02-01 17:33:29 +01:00
|
|
|
];
|
|
|
|
|
|
|
|
sbruder = {
|
2021-03-05 16:00:10 +01:00
|
|
|
nginx.hardening.enable = true;
|
2021-02-28 12:21:04 +01:00
|
|
|
restic.system.enable = true;
|
2021-02-20 19:03:40 +01:00
|
|
|
wireguard.home.enable = true;
|
2021-02-05 15:35:42 +01:00
|
|
|
full = false;
|
2021-02-06 12:18:55 +01:00
|
|
|
|
|
|
|
mailserver = {
|
|
|
|
enable = true;
|
|
|
|
fqdn = "vueko.sbruder.de";
|
|
|
|
domains = [
|
|
|
|
"kegelschiene.net"
|
|
|
|
"sbruder.de"
|
|
|
|
];
|
|
|
|
users = import ./secrets/mail-users.nix;
|
|
|
|
rejectSenders = import ./secrets/mail-reject-senders.nix;
|
|
|
|
};
|
2021-02-01 17:33:29 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
networking.hostName = "vueko";
|
|
|
|
|
|
|
|
system.stateVersion = "20.09";
|
2021-02-06 12:18:55 +01:00
|
|
|
|
2021-02-10 14:22:00 +01:00
|
|
|
# sadly, too many (legitimate) mail servers have broken dnssec on reverse
|
|
|
|
# lookups
|
|
|
|
services.resolved.dnssec = "false";
|
|
|
|
|
2021-02-06 12:18:55 +01:00
|
|
|
services.nginx = {
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
recommendedTlsSettings = true;
|
|
|
|
recommendedOptimisation = true;
|
|
|
|
recommendedGzipSettings = true;
|
|
|
|
|
|
|
|
virtualHosts = {
|
|
|
|
"vueko.sbruder.de" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
2021-02-14 19:49:05 +01:00
|
|
|
|
|
|
|
root = pkgs.sbruder.imprint;
|
2021-02-06 12:18:55 +01:00
|
|
|
};
|
|
|
|
"dav.sbruder.de" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
|
|
|
|
locations."/".proxyPass = "http://localhost:5232";
|
|
|
|
};
|
2021-02-07 12:29:22 +01:00
|
|
|
"mumble.sbruder.de" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
};
|
2021-02-07 21:02:11 +01:00
|
|
|
"bangs.sbruder.de" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/".proxyPass = "http://localhost:8000";
|
|
|
|
};
|
2021-02-06 12:18:55 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
80 # HTTP
|
|
|
|
443 # HTTPS
|
|
|
|
];
|
|
|
|
|
|
|
|
services.radicale = {
|
|
|
|
enable = true;
|
|
|
|
config = lib.generators.toINI { } {
|
|
|
|
auth = {
|
|
|
|
type = "htpasswd";
|
|
|
|
htpasswd_encryption = "bcrypt";
|
|
|
|
htpasswd_filename = toString (pkgs.writeText
|
|
|
|
"radicale-htpasswd"
|
|
|
|
(lib.concatMapStringsSep
|
|
|
|
"\n"
|
|
|
|
({ address, passwordHash, ... }: "${address}:${passwordHash}")
|
|
|
|
config.sbruder.mailserver.users));
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2021-02-07 12:29:22 +01:00
|
|
|
|
|
|
|
krops.secrets.murmur-superuser.owner = config.users.users.murmur.name;
|
|
|
|
|
|
|
|
services.murmur = {
|
|
|
|
enable = true;
|
|
|
|
openFirewall = true;
|
|
|
|
superuserPasswordFile = config.krops.secrets.murmur-superuser.path;
|
|
|
|
acmeDomain = "mumble.sbruder.de";
|
|
|
|
config = {
|
|
|
|
bandwidth = "128000";
|
|
|
|
obfuscate = true;
|
|
|
|
logfile = ""; # log to stdout
|
|
|
|
|
|
|
|
channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
|
|
|
|
username = "[-_a-zäöüß]+|SuperUser";
|
|
|
|
};
|
|
|
|
};
|
2021-02-07 21:02:11 +01:00
|
|
|
|
|
|
|
services.bang-evaluator = {
|
|
|
|
enable = true;
|
|
|
|
listenAddress = ":8000";
|
|
|
|
};
|
2021-02-01 17:33:29 +01:00
|
|
|
}
|