# NixOS host configuration for "vueko": the public mail server
# (sbruder.mailserver) fronted by nginx, a Radicale CalDAV/CardDAV instance
# that reuses the mail accounts, plus restic backups and a WireGuard link.
{ config, lib, pkgs, ... }:

let
  # Radicale authenticates against the mail accounts: one "address:hash"
  # line per mail user.  NOTE(review): pkgs.writeText places this file in the
  # world-readable Nix store, so the bcrypt hashes of every mail user are
  # readable by any local user on this host — acceptable only while bcrypt
  # cost and password quality hold; confirm that is the intended trade-off.
  radicaleHtpasswd = pkgs.writeText "radicale-htpasswd" (
    lib.concatMapStringsSep "\n"
      (user: "${user.address}:${user.passwordHash}")
      config.sbruder.mailserver.users
  );
in
{
  imports = [
    ./hardware-configuration.nix
    ../../modules
    ./services/fuuko-proxy.nix # FIXME!
    ./services/media.nix
    ./services/restic.nix
  ];

  networking.hostName = "vueko";
  system.stateVersion = "22.11";

  # Site-specific modules from ../../modules.
  sbruder = {
    full = false;
    nginx.hardening.enable = true;
    restic.system.enable = true;
    wireguard.home.enable = true;

    mailserver = {
      enable = true;
      fqdn = "vueko.sbruder.de";
      domains = [
        "jufeli.de"
        "kegelschiene.net"
        "psycho-power-papagei.de"
        "sbruder.de"
      ];
      autoconfig.enable = true;
      # Account list (addresses and password hashes) kept out of this file.
      users = import ./secrets/mail-users.nix;
    };
  };

  # sadly, too many (legitimate) mail servers have broken dnssec on reverse
  # lookups
  services.resolved.dnssec = "false";

  # Only the web ports are opened here; the mail ports are expected to be
  # opened by the mailserver module.
  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
  ];

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };

  # Default (catch-all) host: static imprint page plus the rspamd web UI.
  # The UI is reachable from the internet; access control is left to
  # rspamd's own password check — verify that a controller password is set.
  services.nginx.virtualHosts."vueko.sbruder.de" = {
    enableACME = true;
    forceSSL = true;
    default = true;
    root = pkgs.sbruder.imprint;
    locations."/rspamd/".proxyPass = "http://127.0.0.1:11334/";
  };

  # Allow prometheus metrics to be fetched from VPN without authentication.
  # Forwarding 127.0.0.1 as the client address presumably makes rspamd treat
  # the request as trusted (its secure_ip handling) — verify against the
  # rspamd configuration.  NOTE(review): no listen address is restricted
  # here, so this server block is selected by the Host header alone; unless
  # the wireguard module binds it to the VPN interface, the unauthenticated
  # metrics path is reachable over plain HTTP from any interface the firewall
  # lets through (80 is open above).
  services.nginx.virtualHosts."vueko.vpn.sbruder.de" = {
    locations."/rspamd/metrics" = {
      proxyPass = "http://127.0.0.1:11334/metrics";
      extraConfig = ''
        proxy_set_header X-Forwarded-For 127.0.0.1;
      '';
    };
  };

  # CalDAV/CardDAV front end for Radicale (plain HTTP on the loopback side).
  services.nginx.virtualHosts."dav.sbruder.de" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://localhost:5232";
  };

  services.radicale = {
    enable = true;
    settings.auth = {
      type = "htpasswd";
      htpasswd_encryption = "bcrypt";
      htpasswd_filename = toString radicaleHtpasswd;
    };
  };
}