nixos-config/machines/vueko/configuration.nix

120 lines
2.6 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
./services/coturn.nix
./services/element-web.nix
];
sbruder = {
nginx.hardening.enable = true;
restic.system.enable = true;
wireguard.home.enable = true;
full = false;
mailserver = {
enable = true;
fqdn = "vueko.sbruder.de";
domains = [
"kegelschiene.net"
"sbruder.de"
];
users = import ./secrets/mail-users.nix;
rejectSenders = import ./secrets/mail-reject-senders.nix;
};
};
networking.hostName = "vueko";
system.stateVersion = "20.09";
# sadly, too many (legitimate) mail servers have broken dnssec on reverse
# lookups
services.resolved.dnssec = "false";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"vueko.sbruder.de" = {
enableACME = true;
forceSSL = true;
default = true;
root = pkgs.sbruder.imprint;
};
"dav.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:5232";
};
"mumble.sbruder.de" = {
enableACME = true;
forceSSL = true;
};
"bangs.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:8000";
};
};
};
networking.firewall.allowedTCPPorts = [
80 # HTTP
443 # HTTPS
];
services.radicale = {
enable = true;
settings = {
auth = {
type = "htpasswd";
htpasswd_encryption = "bcrypt";
htpasswd_filename = toString (pkgs.writeText
"radicale-htpasswd"
(lib.concatMapStringsSep
"\n"
({ address, passwordHash, ... }: "${address}:${passwordHash}")
config.sbruder.mailserver.users));
};
};
};
sops.secrets.murmur-superuser = {
owner = config.users.users.murmur.name;
sopsFile = ./secrets.yaml;
};
users.users.murmur.isSystemUser = true; # Infinisils module does not set that
services.murmur = {
enable = true;
openFirewall = true;
superuserPasswordFile = config.sops.secrets.murmur-superuser.path;
acmeDomain = "mumble.sbruder.de";
config = {
bandwidth = "128000";
obfuscate = true;
logfile = ""; # log to stdout
channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
username = "[-_a-zäöüß]+|SuperUser";
};
};
services.bang-evaluator = {
enable = true;
listenAddress = ":8000";
};
}