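{ config, lib, pkgs, ... }:

# NixOS host configuration for "vueko": mail server, CalDAV (radicale),
# Mumble (murmur), a small "bang" search evaluator and a static imprint,
# all fronted by nginx with ACME-issued certificates.
{
  imports = [
    ./hardware-configuration.nix
    ../../modules

    ./services/coturn.nix
    ./services/element-web.nix
  ];

  sbruder = {
    nginx.hardening.enable = true;
    restic.system.enable = true;
    wireguard.home.enable = true;
    full = false;

    mailserver = {
      enable = true;
      fqdn = "vueko.sbruder.de";
      domains = [
        "kegelschiene.net"
        "sbruder.de"
      ];
      # Both files are Nix expressions evaluated at build time, so their
      # contents (password hashes, sender lists) end up in the world-readable
      # Nix store of every machine that evaluates this configuration. Only
      # hashed credentials belong in them, never plaintext passwords.
      users = import ./secrets/mail-users.nix;
      rejectSenders = import ./secrets/mail-reject-senders.nix;
    };
  };

  networking.hostName = "vueko";

  system.stateVersion = "20.09";

  # sadly, too many (legitimate) mail servers have broken dnssec on reverse
  # lookups.
  # NOTE(review): this disables DNSSEC validation for every lookup on this
  # host, not only mail-related reverse lookups. Anything that depends on a
  # validating resolver (e.g. DANE for outbound SMTP, if the mailserver
  # module enables it) cannot be relied upon while this is "false".
  services.resolved.dnssec = "false";

  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      # Catch-all: requests whose Host header matches no other vhost (or
      # hits the bare IP) get the static imprint instead of some unrelated
      # vhost.
      "vueko.sbruder.de" = {
        enableACME = true;
        forceSSL = true;

        default = true;

        root = pkgs.sbruder.imprint;
      };
      "dav.sbruder.de" = {
        enableACME = true;
        forceSSL = true;

        # radicale (services.radicale below). TLS terminates here; this
        # assumes radicale listens on localhost:5232 — verify against the
        # radicale module's server settings.
        locations."/".proxyPass = "http://localhost:5232";
      };
      "mumble.sbruder.de" = {
        # Presumably only present so the ACME module issues the certificate
        # murmur references via acmeDomain below.
        enableACME = true;
        forceSSL = true;
      };
      "bangs.sbruder.de" = {
        enableACME = true;
        forceSSL = true;
        # Must match services.bang-evaluator.listenAddress below.
        locations."/".proxyPass = "http://127.0.0.1:8000";
      };
    };
  };

  # Only HTTP(S) is opened here; murmur opens its own port via
  # openFirewall below.
  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
  ];

  services.radicale = {
    enable = true;
    settings = {
      auth = {
        type = "htpasswd";
        htpasswd_encryption = "bcrypt";
        # CalDAV logins reuse the mail accounts: one "<address>:<bcrypt hash>"
        # line per mail user. A compromised mail password therefore also
        # grants calendar/contact access, and vice versa.
        # NOTE(review): pkgs.writeText places this file in the Nix store,
        # which is world-readable, so the hashes are exposed to every local
        # user for offline cracking. Generating the file at activation time
        # (e.g. from a sops secret) would keep it out of the store.
        htpasswd_filename = toString (pkgs.writeText
          "radicale-htpasswd"
          (lib.concatMapStringsSep
            "\n"
            ({ address, passwordHash, ... }: "${address}:${passwordHash}")
            config.sbruder.mailserver.users));
      };
    };
  };

  # SuperUser password for murmur, managed by sops-nix outside the store and
  # owned by the murmur user so the service can read it.
  sops.secrets.murmur-superuser = {
    owner = config.users.users.murmur.name;
    sopsFile = ./secrets.yaml;
  };

  users.users.murmur.isSystemUser = true; # Infinisil’s module does not set that
  services.murmur = {
    enable = true;
    openFirewall = true;
    superuserPasswordFile = config.sops.secrets.murmur-superuser.path;
    acmeDomain = "mumble.sbruder.de";
    config = {
      bandwidth = "128000";
      obfuscate = true;
      logfile = ""; # log to stdout

      channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
      username = "[-_a-zäöüß]+|SuperUser";
    };
  };

  services.bang-evaluator = {
    enable = true;
    # Bind to loopback only: nginx (bangs.sbruder.de above) is the sole
    # client. A bare ":8000" (Go-style listen address, assuming that is what
    # the module passes through) would also listen on the wireguard and
    # public interfaces and rely solely on the firewall to keep it private.
    listenAddress = "127.0.0.1:8000";
  };
}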