nixos-config/machines/vueko/configuration.nix

104 lines
2.3 KiB
Nix

# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
./services/fuuko-proxy.nix
./services/media.nix
./services/murmur.nix
./services/restic.nix
];
sbruder = {
nginx.hardening.enable = true;
restic = {
enable = true;
backups.system.enable = true;
};
wireguard.home.enable = true;
full = false;
infovhost.enable = true;
mailserver = {
enable = true;
fqdn = "vueko.sbruder.de";
domains = [
"jufeli.de"
"kegelschiene.net"
"psycho-power-papagei.de"
"salespointframework.org"
"sbruder.de"
];
autoconfig.enable = true;
users = import ./secrets/mail-users.nix;
};
};
networking.hostName = "vueko";
system.stateVersion = "22.11";
# sadly, too many (legitimate) mail servers have broken dnssec on reverse
# lookups
services.resolved.dnssec = "false";
services.nginx = {
enable = true;
virtualHosts = {
"vueko.sbruder.de" = {
enableACME = true;
forceSSL = true;
default = true;
root = pkgs.sbruder.imprint;
locations."/rspamd/".proxyPass = "http://127.0.0.1:11334/";
};
"vueko.vpn.sbruder.de" = {
# Allow prometheus metrics to be fetched from VPN without authentication
locations."/rspamd/metrics" = {
proxyPass = "http://127.0.0.1:11334/metrics";
extraConfig = ''
proxy_set_header X-Forwarded-For 127.0.0.1;
'';
};
};
"dav.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:5232";
};
};
};
networking.firewall.allowedTCPPorts = [
80 # HTTP
443 # HTTPS
];
services.radicale = {
enable = true;
settings = {
auth = {
type = "htpasswd";
htpasswd_encryption = "bcrypt";
htpasswd_filename = toString (pkgs.writeText
"radicale-htpasswd"
(lib.concatMapStringsSep
"\n"
({ address, passwordHash, ... }: "${address}:${passwordHash}")
config.sbruder.mailserver.users));
};
};
};
}