{ config, lib, pkgs, ... }:

let
  # Radicale reuses the mail accounts (address + bcrypt hash) as its htpasswd
  # database, so every mailbox login is also a CalDAV/CardDAV login.
  # NOTE(review): pkgs.writeText places this file in the Nix store, which is
  # normally world-readable on the host, so the bcrypt hashes of all mail users
  # become readable by every local account (offline guessing only, but confirm
  # that is acceptable, or generate the file outside the store with a
  # restrictive mode).
  radicaleHtpasswd = pkgs.writeText "radicale-htpasswd" (lib.concatStringsSep "\n"
    (map (user: "${user.address}:${user.passwordHash}") config.sbruder.mailserver.users));

  # Every public vhost terminates TLS with an ACME certificate and redirects
  # plain HTTP to HTTPS; `extra` carries the per-host settings.
  tlsVirtualHost = extra: { enableACME = true; forceSSL = true; } // extra;
in
{
  imports = [
    ./hardware-configuration.nix
    ../../modules
    ./services/media.nix
  ];

  sbruder = {
    nginx.hardening.enable = true;
    restic.system.enable = true;
    wireguard.home.enable = true;
    full = false;

    mailserver = {
      enable = true;
      fqdn = "vueko.sbruder.de";
      domains = [ "kegelschiene.net" "sbruder.de" ];
      # user list and sender blocklist are kept out of the tree
      users = import ./secrets/mail-users.nix;
      rejectSenders = import ./secrets/mail-reject-senders.nix;
    };
  };

  networking.hostName = "vueko";
  system.stateVersion = "20.09";

  # sadly, too many (legitimate) mail servers have broken dnssec on reverse
  # lookups
  services.resolved.dnssec = "false";

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      # catch-all host: requests for unknown names land on the imprint page
      "vueko.sbruder.de" = tlsVirtualHost {
        default = true;
        root = pkgs.sbruder.imprint;
      };
      # CalDAV/CardDAV, proxied to the local radicale instance
      "dav.sbruder.de" = tlsVirtualHost {
        locations."/".proxyPass = "http://localhost:5232";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
  ];

  services.radicale = {
    enable = true;
    settings.auth = {
      type = "htpasswd";
      htpasswd_encryption = "bcrypt";
      htpasswd_filename = toString radicaleHtpasswd;
    };
  };
}