nixos-config/machines/vueko/configuration.nix

# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, lib, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ../../modules

    ./services/fuuko-proxy.nix # FIXME!
    ./services/media.nix
    ./services/restic.nix
  ];

  sbruder = {
    nginx.hardening.enable = true;
    restic.system.enable = true;
    wireguard.home.enable = true;
    full = false;
    infovhost.enable = true;

    mailserver = {
      enable = true;
      fqdn = "vueko.sbruder.de";
      domains = [
        "jufeli.de"
        "kegelschiene.net"
        "psycho-power-papagei.de"
        "salespointframework.org"
        "sbruder.de"
      ];
      autoconfig.enable = true;
      users = import ./secrets/mail-users.nix;
    };
  };

  networking.hostName = "vueko";

  system.stateVersion = "22.11";

  # sadly, too many (legitimate) mail servers have broken dnssec on reverse
  # lookups
  services.resolved.dnssec = "false";

  services.nginx = {
    enable = true;

    virtualHosts = {
      "vueko.sbruder.de" = {
        enableACME = true;
        forceSSL = true;

        default = true;

        root = pkgs.sbruder.imprint;

        locations."/rspamd/".proxyPass = "http://127.0.0.1:11334/";
      };
      "vueko.vpn.sbruder.de" = {
        # Allow prometheus metrics to be fetched from VPN without authentication
        locations."/rspamd/metrics" = {
          proxyPass = "http://127.0.0.1:11334/metrics";
          extraConfig = ''
            proxy_set_header X-Forwarded-For 127.0.0.1;
          '';
        };
      };
      "dav.sbruder.de" = {
        enableACME = true;
        forceSSL = true;

        locations."/".proxyPass = "http://localhost:5232";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
  ];

  services.radicale = {
    enable = true;
    settings = {
      auth = {
        type = "htpasswd";
        htpasswd_encryption = "bcrypt";
        htpasswd_filename = toString (pkgs.writeText
          "radicale-htpasswd"
          (lib.concatMapStringsSep
            "\n"
            ({ address, passwordHash, ... }: "${address}:${passwordHash}")
            config.sbruder.mailserver.users));
      };
    };
  };
}