|  | Commit message | Author | Age | 
|---|
| | It will (at some point) be installed through direnv, when it is in nixpkgs. | 
| | This comes with better dependency handling and further visual upgrades. | 
| | | (#30) from website into develop
Reviewed-on: https://codeberg.org/vhack.eu/nixos-server/pulls/30 | 
| | | websites' (#29) from server1_webpage into develop
Reviewed-on: https://codeberg.org/vhack.eu/nixos-server/pulls/29 | 
| | | Reviewed-on: https://codeberg.org/vhack.eu/nixos-server/pulls/25 | 
| | | See https://spdx.dev/resources/learn/ for information about
'LICENSE.spdx'.
I'm not fully sure if the SPDX spec is correctly applied.
The decision to go for the GPL-3.0-or-later is obviously open to be
changed, if it should be desired. | 
| | | This allows us to group different update commands together and to raise
awareness of the update task.
The `grep '[^0-9]_[0-9]' flake.lock` is needed to check if multiple
imports exist for the same input, as nix will name them 'nixpkgs_1',
'nixpkgs_2' and so on. Having multiple inputs for the same thing just
increases the needed storage space, if no other inputs are set to
follow, but can break a flake's evaluation because of a partial update,
e.g., nixpkgs follows our version, but we leave rust-overlay unfollowed.
This example would result in a newer cargo version (rust-overlay) getting
combined with old packages (nixpkgs), which introduces the
aforementioned partial update. | 
| | | [Direnv](https://github.com/direnv/direnv) in combination with
[Nix integration](https://github.com/direnv/direnv/wiki/Nix) — in this
case [Nix-direnv](https://github.com/nix-community/nix-direnv) — allows
for reliable build environments (and some uncluttering of the PATH).
Setting it up is rather easy, just see [Nix-direnv's install
instructions](https://github.com/nix-community/nix-direnv#installation). | 
| | | Reviewed-on: https://git.sils.li/vhack.eu/nixos-server/pulls/22
Reviewed-by: sils <sils@sils.li> | 
| | | Shouldn't cause any trouble and is necessary to keep
things secure. | 
| | | As the previous configuration only opened some ports, receiving mail was
impossible. This allows NSM to open the required ports directly,
ensuring that none was missed.
SECURITY:
As all other options than SSL are still disabled, this change should not
introduce unencrypted mail transfer.
This has not been tested. | 
| | | | server1_develop
Reviewed-on: https://git.sils.li/vhack.eu/nixos-server/pulls/24 | 
| | | | This should reduce the log spam even further. | 
| | | | server1_fail2ban into server1_develop
CC: #23 | 
| | | This should clear the logs somewhat. | 
| | | Before, new certs were requested at every rebuild.
This caused issues due to Let's Encrypt rate limiting. | 
| | | This reverts commit ecb274ba49042f1dfdf63b9c54ff6920f24a9a58.
It may be a security risk, but I care much more about a running
mailserver for now. | 
| | | The old one could have exposed a weak hash. | 
| | | | The commit didn't work and effectively disabled IPv6. | 
| | | | This is somewhat misconfigured, as it makes the config not compilable. I
assume that this route setting is needed, but believe that having a
compiling config is better. | 
| | | | The hardware settings are (somewhat) host specific, and putting them in
`system` just builds the wrong expectations. | 
| | | | The old values did work, but these should just make things a bit
clearer. | 
| | | | It is sort of standard to ignore connections over the unencrypted port
25, thus we are doing the same. | 
| | | | I just think this is easier to read. | 
| | | | This is something that just makes the file system easier to traverse, but
isn't really necessary. | 
| | | | As outlined in commit 19f0808, placing a password hash in the
world-readable nix-store is perfectly safe as long as the hashing function is
not reversible, which should be a necessity for a password hash. | 
| | | | All users are in the wheel group, thus direct login as root is no longer
needed. | 
| | | | This is inherently unsafe because it requires an unencrypted handshake.
Considering that all protocols also work directly with TLS, i.e., the
encrypted variant, disabling this shouldn't be a drawback. | 