authorene <ene@sils.li>2023-03-20 15:06:45 +0100
committerene <ene@sils.li>2023-03-20 15:06:45 +0100
commit034bba88dd9e2e1099774dcb33f77a4c904627ba (patch)
tree7e48f79857dc58df67f6d8e0f809f693dbd09116
parentMerge branch 'server1_network' into server1_develop (diff)
parentFix(system/services/minecraft): Remove to make compile (diff)
downloadnixos-server-034bba88dd9e2e1099774dcb33f77a4c904627ba.zip
Merge branch 'server1_mail' into server1_develop
Diffstat (limited to '')
-rw-r--r--flake.lock92
-rw-r--r--flake.nix10
-rw-r--r--hosts/server1/configuration.nix2
-rw-r--r--hosts/server1/networking.nix1
-rw-r--r--services/default.nix9
-rw-r--r--services/services/acme.nix6
-rw-r--r--system/default.nix9
-rw-r--r--system/file_system_layouts/default.nix (renamed from system/system/fileSystemLayouts.nix)0
-rw-r--r--system/hardware/default.nix (renamed from system/system/hardware.nix)0
-rw-r--r--system/mail/default.nix51
-rw-r--r--system/packages/default.nix (renamed from system/system/packages.nix)0
-rw-r--r--system/services/acme/default.nix30
-rw-r--r--system/services/default.nix11
-rw-r--r--system/services/firewall/default.nix11
-rw-r--r--system/services/minecraft/default.nix (renamed from services/services/minecraft.nix)0
-rw-r--r--system/services/nginx/default.nix (renamed from services/services/nginx.nix)0
-rw-r--r--system/services/nix/default.nix (renamed from services/services/nix.nix)0
-rw-r--r--system/services/opensshd/default.nix (renamed from services/services/opensshd.nix)1
-rw-r--r--system/services/rust-motd/default.nix (renamed from services/services/rust-motd.nix)0
-rw-r--r--system/users/default.nix (renamed from system/system/users.nix)7
20 files changed, 207 insertions, 33 deletions
diff --git a/flake.lock b/flake.lock
index 8af459c..96245b1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,12 +1,28 @@
{
"nodes": {
+ "blobs": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1604995301,
+ "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "type": "gitlab"
+ }
+ },
"nixpkgs": {
"locked": {
- "lastModified": 1675512093,
- "narHash": "sha256-u1CY4feK14B57E6T+0Bhkuoj8dpBxCPrWO+SP87UVP8=",
+ "lastModified": 1679058649,
+ "narHash": "sha256-tXbTGzCFFk5G0IOlhhuQtf3KQ0+9RNDk4O2YmEgvppk=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "8e8240194eda25b61449f29bb5131e02b28a5486",
+ "rev": "328c9c6f597b1edb75a114df61113d87c61ad60d",
"type": "github"
},
"original": {
@@ -16,9 +32,77 @@
"type": "github"
}
},
+ "nixpkgs-22_11": {
+ "locked": {
+ "lastModified": 1669558522,
+ "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-22.11",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1669542132,
+ "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-unstable",
+ "type": "indirect"
+ }
+ },
"root": {
"inputs": {
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "simple-nixos-mailserver": "simple-nixos-mailserver"
+ }
+ },
+ "simple-nixos-mailserver": {
+ "inputs": {
+ "blobs": "blobs",
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-22_11": "nixpkgs-22_11",
+ "utils": "utils"
+ },
+ "locked": {
+ "lastModified": 1671659164,
+ "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "nixos-mailserver",
+ "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "ref": "nixos-22.11",
+ "repo": "nixos-mailserver",
+ "type": "gitlab"
+ }
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1605370193,
+ "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
}
}
},
diff --git a/flake.nix b/flake.nix
index 9df3c84..36ae34e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,17 +4,25 @@
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
+ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11";
};
outputs = {
self,
nixpkgs,
+ simple-nixos-mailserver,
...
} @ attrs: {
nixosConfigurations."server1" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = attrs;
- modules = [./hosts/server1/configuration.nix];
+ modules = [
+ ./hosts/server1/configuration.nix
+ simple-nixos-mailserver.nixosModule
+ {
+ mailserver = import ./system/mail {};
+ }
+ ];
};
};
}
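Review bot: The new `simple-nixos-mailserver` input is added without a `follows`, so the lock file now pins two additional nixpkgs trees (`nixpkgs_2` on nixos-unstable and `nixpkgs-22_11`) next to the host's own `nixpkgs`. For a consumer that only uses `nixosModule`, `simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";` inside `inputs` leaves a single nixpkgs revision to audit and update; the mailserver's `nixpkgs-22_11` input can be pointed the same way if the module still evaluates. This is a maintenance point, not a correctness one.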
diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix
index 729ef0f..694b6b4 100644
--- a/hosts/server1/configuration.nix
+++ b/hosts/server1/configuration.nix
@@ -3,8 +3,6 @@
./networking.nix # network configuration that just works
../../system
-
- ../../services
];
boot.cleanTmpDir = true;
diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix
index d3c5422..cd0484f 100644
--- a/hosts/server1/networking.nix
+++ b/hosts/server1/networking.nix
@@ -46,6 +46,5 @@
};
services.udev.extraRules = ''
ATTR{address}=="66:22:6d:82:93:9b", NAME="eth0"
-
'';
}
diff --git a/services/default.nix b/services/default.nix
deleted file mode 100644
index c301ba1..0000000
--- a/services/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{config, ...}: {
- imports = [
- ./services/acme.nix
- ./services/nginx.nix
- ./services/nix.nix
- ./services/opensshd.nix
- ./services/rust-motd.nix
- ];
-}
diff --git a/services/services/acme.nix b/services/services/acme.nix
deleted file mode 100644
index 42f9ed5..0000000
--- a/services/services/acme.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{...}: {
- security.acme = {
- acceptTerms = true;
- defaults.email = "admin@vhack.eu";
- };
-}
diff --git a/system/default.nix b/system/default.nix
index 2af4982..9aa5d9e 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -1,8 +1,9 @@
{config, ...}: {
imports = [
- ./system/fileSystemLayouts.nix
- ./system/hardware.nix
- ./system/packages.nix
- ./system/users.nix
+ ./file_system_layouts
+ ./hardware
+ ./packages
+ ./services
+ ./users
];
}
diff --git a/system/system/fileSystemLayouts.nix b/system/file_system_layouts/default.nix
index 9d03a05..9d03a05 100644
--- a/system/system/fileSystemLayouts.nix
+++ b/system/file_system_layouts/default.nix
diff --git a/system/system/hardware.nix b/system/hardware/default.nix
index c4c7dc9..c4c7dc9 100644
--- a/system/system/hardware.nix
+++ b/system/hardware/default.nix
diff --git a/system/mail/default.nix b/system/mail/default.nix
new file mode 100644
index 0000000..7102958
--- /dev/null
+++ b/system/mail/default.nix
@@ -0,0 +1,51 @@
+# vim: ts=2
+{...}: let
+ all_admins = [
+ "sils@vhack.eu"
+ "soispha@vhack.eu"
+ "nightingale@vhack.eu"
+ ];
+in {
+ enable = true;
+ fqdn = "server1.vhack.eu";
+ domains = ["vhack.eu"];
+
+ useFsLayout = true;
+
+ loginAccounts = {
+ "sils@vhack.eu" = {
+ hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
+ };
+ "soispha@vhack.eu" = {
+ hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+ };
+ "nightingale@vhack.eu" = {
+ hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change
+ };
+ };
+
+ extraVirtualAliases = {
+ "abuse@vhack.eu" = all_admins;
+ "postmaster@vhack.eu" = all_admins;
+ "admin@vhack.eu" = all_admins;
+ };
+
+ mailDirectory = "/srv/mail/vmail";
+ dkimKeyDirectory = "/srv/mail/dkim";
+ sieveDirectory = "/srv/mail/sieve";
+ backup.snapshotRoot = "/srv/mail/backup";
+
+ enableImap = false;
+ enableImapSsl = true;
+ enablePop3 = false;
+ enablePop3Ssl = true;
+ # SMTP
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ openFirewall = false; # handled below
+
+ keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
+ certificateScheme = 1;
+ certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
+
+}
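Review bot: The `loginAccounts` entries for `sils@vhack.eu` and `soispha@vhack.eu` commit bcrypt hashes with cost factor 05 (`$2b$05$…`), well below the usual 10–12, so anyone with read access to the repository gets cheap offline guessing; the yescrypt hash kept for `sils` in `system/users/default.nix` has the same exposure (that hunk only drops the TODO and keeps the hash). Prefer `hashedPasswordFile = "<path outside the repo>";` per account so no hash is tracked, and regenerate them with a higher cost. The `nightingale@vhack.eu` entry ships a non-bcrypt placeholder that can only fail to verify; leaving the account out until a real file exists is clearer. The comment `openFirewall = false; # handled below` is inaccurate since nothing below in this file touches the firewall; `# ports opened in ../services/firewall` names the real place.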
diff --git a/system/system/packages.nix b/system/packages/default.nix
index 4d33c6e..4d33c6e 100644
--- a/system/system/packages.nix
+++ b/system/packages/default.nix
diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix
new file mode 100644
index 0000000..a163e77
--- /dev/null
+++ b/system/services/acme/default.nix
@@ -0,0 +1,30 @@
+{...}: {
+ users.users.nginx.extraGroups = ["acme"];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "acmechallenge.vhack.eu" = {
+ serverAliases = ["*.vhack.eu"];
+ locations."/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@vhack.eu";
+ certs = {
+ "server1.vhack.eu" = {
+ webroot = "/var/lib/acme/.challenges";
+ group = "nginx";
+ extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"];
+ };
+ };
+ };
+}
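Review bot: Nothing reloads the mail daemons when the `"server1.vhack.eu"` certificate renews. `system/mail/default.nix` uses `certificateScheme = 1` and reads `/var/lib/acme/server1.vhack.eu/key.pem` and `fullchain.pem` directly, so after the first renewal postfix and dovecot keep serving the expired certificate until they happen to restart. Add `reloadServices = ["postfix.service" "dovecot2.service"];` to that cert entry. With `group = "nginx"` only that group can read the cert directory; the mail daemons presumably read their keys as root at startup, but confirm that on the host rather than rely on it.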
diff --git a/system/services/default.nix b/system/services/default.nix
new file mode 100644
index 0000000..f36cb29
--- /dev/null
+++ b/system/services/default.nix
@@ -0,0 +1,11 @@
+{config, ...}: {
+ imports = [
+ ./acme
+ ./firewall
+ #./minecraft
+ ./nginx
+ ./nix
+ ./opensshd
+ ./rust-motd
+ ];
+}
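Review bot: `#./minecraft` is commented out with no reason given in the file. The merge parent `Fix(system/services/minecraft): Remove to make compile` explains it, but that history is not visible to a reader of `imports`; `#./minecraft # disabled: does not evaluate after the move, see commit history` keeps the context next to the line.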
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix
new file mode 100644
index 0000000..23dbcc4
--- /dev/null
+++ b/system/services/firewall/default.nix
@@ -0,0 +1,11 @@
+# vim: ts=2
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [
+ # for mail protocols:
+ 465 # SMTP SSL
+ 995 # POP3 SSL
+ 993 # IMAP SSL
+ ];
+ };
+}
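Review bot: Port 25 is missing from `allowedTCPPorts`: `system/mail/default.nix` sets `openFirewall = false` so this file is meant to take over, but only the client-facing TLS ports 465/993/995 are listed, so other MTAs cannot deliver inbound mail for `vhack.eu`. Add `25 # SMTP (inbound MTA-to-MTA delivery)` to the list. The ACME vhost in `system/services/acme` also needs port 80 reachable for its webroot challenge; whether `./nginx` opens 80/443 is not visible in this commit, so check that too.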
diff --git a/services/services/minecraft.nix b/system/services/minecraft/default.nix
index 754c974..754c974 100644
--- a/services/services/minecraft.nix
+++ b/system/services/minecraft/default.nix
diff --git a/services/services/nginx.nix b/system/services/nginx/default.nix
index 204783b..204783b 100644
--- a/services/services/nginx.nix
+++ b/system/services/nginx/default.nix
diff --git a/services/services/nix.nix b/system/services/nix/default.nix
index bd562ec..bd562ec 100644
--- a/services/services/nix.nix
+++ b/system/services/nix/default.nix
diff --git a/services/services/opensshd.nix b/system/services/opensshd/default.nix
index cb9f2ba..75c5aef 100644
--- a/services/services/opensshd.nix
+++ b/system/services/opensshd/default.nix
@@ -8,7 +8,6 @@
passwordAuthentication = false;
hostKeys = [
{
- comment = "key comment";
path = "/srv/sshd/ssh_host_ed25519_key";
rounds = 1000;
type = "ed25519";
diff --git a/services/services/rust-motd.nix b/system/services/rust-motd/default.nix
index 21bc1cd..21bc1cd 100644
--- a/services/services/rust-motd.nix
+++ b/system/services/rust-motd/default.nix
diff --git a/system/system/users.nix b/system/users/default.nix
index 34e1648..3555221 100644
--- a/system/system/users.nix
+++ b/system/users/default.nix
@@ -5,11 +5,8 @@
users.users = {
root = {
#uid = 0;
- #initialHashedPassword = null; # to lock root
- # Backup, if something happens. TODO remove this later
+ initialHashedPassword = null; # to lock root
openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
];
};
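Review bot: `initialHashedPassword = null; # to lock root` does not lock root: `null` is the option's default, and `initialHashedPassword` only applies when the account is first created, so on an existing system this line changes nothing. If the intent is that root has no usable password, `hashedPassword = "!";` is applied on every activation and does that; `users.mutableUsers` is outside this hunk, so verify root's shadow entry after switching. Since the two authorized keys are removed in the same hunk, whether root remains reachable at all now depends on that existing password state — worth confirming deliberately rather than by the comment. The `users.users` attrset continues past the hunk.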
@@ -17,7 +14,7 @@
name = "sils";
isNormalUser = true;
home = "/srv/home/sils";
- initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE
+ initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC";
uid = 1000;
extraGroups = [
"wheel"