diff --git a/machines/vueko/configuration.nix b/machines/vueko/configuration.nix
index bd93907..7e20e4d 100644
--- a/machines/vueko/configuration.nix
+++ b/machines/vueko/configuration.nix
@@ -1,5 +1,4 @@
-{ config, pkgs, ... }:
-
+{ config, lib, pkgs, ... }:
 {
 imports = [
 ./hardware-configuration.nix
@@ -9,9 +8,62 @@
 sbruder = {
 restic.enable = true;
 full = false;
+
+ mailserver = {
+ enable = true;
+ fqdn = "vueko.sbruder.de";
+ domains = [
+ "kegelschiene.net"
+ "sbruder.de"
+ ];
+ users = import ./secrets/mail-users.nix;
+ rejectSenders = import ./secrets/mail-reject-senders.nix;
+ };
 };
 networking.hostName = "vueko";
 system.stateVersion = "20.09";
+
+ services.nginx = {
+ enable = true;
+
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+
+ virtualHosts = {
+ "vueko.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ "dav.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/".proxyPass = "http://localhost:5232";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80 # HTTP
+ 443 # HTTPS
+ ];
+
+ services.radicale = {
+ enable = true;
+ config = lib.generators.toINI { } {
+ auth = {
+ type = "htpasswd";
+ htpasswd_encryption = "bcrypt";
+ htpasswd_filename = toString (pkgs.writeText
+ "radicale-htpasswd"
+ (lib.concatMapStringsSep
+ "\n"
+ ({ address, passwordHash, ... }: "${address}:${passwordHash}")
+ config.sbruder.mailserver.users));
+ };
+ };
+ };
 }
diff --git a/machines/vueko/secrets/mail-reject-senders.nix b/machines/vueko/secrets/mail-reject-senders.nix
new file mode 100644
index 0000000..aa2ff6e
Binary files /dev/null and b/machines/vueko/secrets/mail-reject-senders.nix differ
diff --git a/machines/vueko/secrets/mail-users.nix b/machines/vueko/secrets/mail-users.nix
new file mode 100644
index 0000000..ed1dabe
Binary files /dev/null and b/machines/vueko/secrets/mail-users.nix differ
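Review bot: The Radicale htpasswd file in the second hunk of `configuration.nix` is built with `pkgs.writeText`, so every `address:passwordHash` pair from `config.sbruder.mailserver.users` ends up in the world-readable Nix store, where any local account, and anything that receives a copy of the system closure, can read the bcrypt hashes. Keeping `secrets/mail-users.nix` encrypted in the repository (the diff shows it as binary, presumably for that reason) does not protect them, because the file is imported at evaluation time and its values are then written out in plain form. Point the setting at a file provisioned outside the store and readable only by the radicale service user, e.g. `htpasswd_filename = "<PLACEHOLDER: runtime secret path outside /nix/store>";`. Because the same hashes also gate the mail accounts, one recovered password affects both services; whether the mailserver module itself writes them to the store is not visible in this hunk.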