# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# NixOS host configuration for "vueko": mail server, nginx front end for the
# rspamd web interface and Radicale (CalDAV/CardDAV), plus backups and VPN.
{ config, lib, pkgs, ... }:

let
  # htpasswd file handed to Radicale: one "address:passwordHash" line per
  # entry of the mail user list, so DAV logins reuse the mail credentials.
  #
  # NOTE(review): pkgs.writeText places this file in the Nix store, which is
  # readable by every local user on the host. The bcrypt hashes are therefore
  # not protected by file permissions; a runtime-provisioned secret file would
  # avoid that. The user list is also imported at evaluation time (see
  # mailserver.users below), so the same applies wherever it is interpolated.
  radicaleHtpasswd = pkgs.writeText "radicale-htpasswd" (
    lib.concatMapStringsSep "\n"
      ({ address, passwordHash, ... }: "${address}:${passwordHash}")
      config.sbruder.mailserver.users
  );
in
{
  imports = [
    ./hardware-configuration.nix
    ../../modules

    # Per-service configuration for this host
    ./services/fuuko-proxy.nix
    ./services/media.nix
    ./services/murmur.nix
    ./services/restic.nix
  ];

  # Options in the `sbruder` namespace are declared by this repository's own
  # modules (presumably ../../modules); their exact effect is not visible here.
  sbruder = {
    full = false;
    infovhost.enable = true;
    nginx.hardening.enable = true;
    wireguard.home.enable = true;

    restic.enable = true;
    restic.backups.system.enable = true;

    mailserver = {
      enable = true;
      fqdn = "vueko.sbruder.de";
      autoconfig.enable = true;
      domains = [
        "jufeli.de"
        "kegelschiene.net"
        "psycho-power-papagei.de"
        "salespointframework.org"
        "sbruder.de"
      ];
      # Each entry carries at least `address` and `passwordHash`; both are
      # read again when the Radicale htpasswd file is generated.
      users = import ./secrets/mail-users.nix;
    };
  };

  system.stateVersion = "22.11";

  networking = {
    hostName = "vueko";
    firewall.allowedTCPPorts = [
      80 # HTTP
      443 # HTTPS
    ];
  };

  services = {
    # Sadly, too many (legitimate) mail servers have broken DNSSEC on reverse
    # lookups.
    # NOTE(review): this switches DNSSEC validation off in systemd-resolved
    # for every lookup made through it on this host, not just reverse ones.
    resolved.dnssec = "false";

    nginx = {
      enable = true;

      virtualHosts = {
        # Public default vhost: serves the imprint and the rspamd web UI.
        "vueko.sbruder.de" = {
          default = true;
          enableACME = true;
          forceSSL = true;

          root = pkgs.sbruder.imprint;

          # NOTE(review): rspamd sees this proxied traffic as coming from
          # loopback unless a forwarded-client header carries the real
          # address. Nothing in this file sets one for this location;
          # presumably a shared nginx module does. Confirm, because the VPN
          # vhost below relies on exactly that mechanism to skip
          # authentication.
          locations."/rspamd/" = {
            proxyPass = "http://127.0.0.1:11334/";
          };
        };

        "vueko.vpn.sbruder.de" = {
          # Allow prometheus metrics to be fetched from VPN without
          # authentication. The forwarded-client header is pinned to
          # 127.0.0.1, so access control here depends entirely on who can
          # reach this vhost.
          # NOTE(review): no listen address restriction is visible in this
          # file and name-based vhosts are not an access control by
          # themselves; confirm the vhost is bound to the VPN address only
          # (e.g. via listenAddresses set elsewhere).
          locations."/rspamd/metrics" = {
            proxyPass = "http://127.0.0.1:11334/metrics";
            extraConfig = ''
              proxy_set_header X-Forwarded-For 127.0.0.1;
            '';
          };
        };

        # Radicale behind TLS; the backend itself is plain HTTP on loopback.
        "dav.sbruder.de" = {
          enableACME = true;
          forceSSL = true;

          locations."/" = {
            proxyPass = "http://localhost:5232";
          };
        };
      };
    };

    radicale = {
      enable = true;
      settings.auth = {
        type = "htpasswd";
        htpasswd_encryption = "bcrypt";
        htpasswd_filename = toString radicaleHtpasswd;
      };
    };
  };
}