From 820efecae8c72ee3f9c6f4981d43ce19fe660dc3 Mon Sep 17 00:00:00 2001 From: sils Date: Tue, 7 Mar 2023 19:40:49 +0100 Subject: Feat: Add mailserver --- flake.lock | 86 +++++++++++++++++++++++++++++++++++++++++++++- flake.nix | 34 +++++++++++++++++- services/services/acme.nix | 23 +++++++++++++ 3 files changed, 141 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index 8af459c..7848d91 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,21 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "nixpkgs": { "locked": { "lastModified": 1675512093, @@ -16,9 +32,77 @@ "type": "github" } }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1669542132, + "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a115bb9bd56831941be3776c8a94005867f316a7", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "simple-nixos-mailserver": "simple-nixos-mailserver" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "nixpkgs": "nixpkgs_2", + "nixpkgs-22_11": "nixpkgs-22_11", + "utils": "utils" + }, + "locked": { + "lastModified": 1671659164, + "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-22.11", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 9df3c84..e087f96 100644 --- a/flake.nix +++ b/flake.nix @@ -4,17 +4,49 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11"; }; outputs = { self, nixpkgs, + simple-nixos-mailserver, ... } @ attrs: { nixosConfigurations."server1" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = attrs; - modules = [./hosts/server1/configuration.nix]; + modules = [ + ./hosts/server1/configuration.nix + simple-nixos-mailserver.nixosModule + { + mailserver = { + enable = true; + fqdn = "server1.vhack.eu"; + domains = ["vhack.eu"]; + + mailDirectory = "/srv/mail/vmail"; + dkimKeyDirectory = "/srv/mail/dkim"; + backup.snapshotRoot = "/srv/mail/backup"; + + loginAccounts = { + "sils@vhack.eu" = { + hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; + }; + }; + + extraVirtualAliases = { + "abuse@vhack.eu" = ["sils@vhack.eu"]; + "postmaster@vhack.eu" = ["sils@vhack.eu"]; + }; + + sieveDirectory = "/srv/mail/sieve"; + keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; + certificateScheme = 1; + certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; + }; + } + ]; }; }; } diff --git a/services/services/acme.nix b/services/services/acme.nix index 42f9ed5..7e39174 100644 --- a/services/services/acme.nix +++ b/services/services/acme.nix @@ -1,6 +1,29 @@ {...}: { + users.users.nginx.extraGroups = ["acme"]; + + services.nginx = { + enable = true; + virtualHosts = { + "acmechallenge.vhack.eu" = { + serverAliases = ["*.vhack.eu"]; + locations."/.well-known/acme-challenge" = { + root = "/var/lib/acme/.challenges"; + }; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; + }; + }; + security.acme = { acceptTerms = true; defaults.email = "admin@vhack.eu"; + certs = { + "server1.vhack.eu" = { + webroot = "/var/lib/acme/.challenges"; + group = "nginx"; + }; + }; }; } -- cgit 1.4.1 From db52be26814508c7dcc4f04c41b84c4ea0744f90 Mon Sep 17 00:00:00 2001 From: sils Date: Tue, 7 Mar 2023 19:52:27 +0100 Subject: Fix: Add imap and smtp subdomains to cert --- services/services/acme.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/services/services/acme.nix b/services/services/acme.nix index 7e39174..a163e77 100644 --- a/services/services/acme.nix +++ b/services/services/acme.nix @@ -23,6 +23,7 @@ "server1.vhack.eu" = { webroot = "/var/lib/acme/.challenges"; group = "nginx"; + extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"]; }; }; }; -- cgit 1.4.1 From 929625982889a242d4dd073585bf3799e8ea5a62 Mon Sep 17 00:00:00 2001 From: sils Date: Tue, 7 Mar 2023 19:53:55 +0100 Subject: Feat: Added admin@vhack.eu mail --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index e087f96..554e168 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,7 @@ extraVirtualAliases = { "abuse@vhack.eu" = ["sils@vhack.eu"]; "postmaster@vhack.eu" = ["sils@vhack.eu"]; + "admin@vhack.eu" = ["sils@vhack.eu"]; }; sieveDirectory = "/srv/mail/sieve"; -- cgit 1.4.1 From c7507b123f80929d1cad9dc08ffb547d991a635b Mon Sep 17 00:00:00 2001 From: sils Date: Tue, 7 Mar 2023 20:02:34 +0100 Subject: Fix: Try to fix ipv6 --- hosts/server1/networking.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix index 26d6719..cc6d816 100644 --- a/hosts/server1/networking.nix +++ b/hosts/server1/networking.nix @@ -19,7 +19,7 @@ ]; ipv6.addresses = [ { - address = "2a03:4000:6a:3f3:6422:6dff:fe82:939b"; + address = "2a03:4000:6a:3f3::1"; prefixLength = 64; } { -- cgit 1.4.1 From 5a0cb28f369c104bb371974df876c8c705b0ee7e Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:21:45 +0100 Subject: Refactor: Use better file layout --- flake.nix | 27 +----------- hosts/server1/configuration.nix | 2 - hosts/server1/networking.nix | 1 - services/default.nix | 9 ---- services/services/acme.nix | 30 ------------- services/services/minecraft.nix | 26 ----------- services/services/nginx.nix | 15 ------- services/services/nix.nix | 18 -------- services/services/opensshd.nix | 18 -------- services/services/rust-motd.nix | 79 ---------------------------------- system/default.nix | 9 ++-- system/file_system_layouts/default.nix | 45 +++++++++++++++++++ system/hardware/default.nix | 9 ++++ system/mail/default.nix | 27 ++++++++++++ system/packages/default.nix | 9 ++++ system/services/acme/default.nix | 30 +++++++++++++ system/services/default.nix | 9 ++++ system/services/minecraft/default.nix | 26 +++++++++++ system/services/nginx/default.nix | 15 +++++++ system/services/nix/default.nix | 18 ++++++++ system/services/opensshd/default.nix | 18 ++++++++ system/services/rust-motd/default.nix | 79 ++++++++++++++++++++++++++++++++++ system/system/fileSystemLayouts.nix | 45 ------------------- system/system/hardware.nix | 9 ---- system/system/packages.nix | 9 ---- system/system/users.nix | 59 ------------------------- system/users/default.nix | 59 +++++++++++++++++++++++++ 27 files changed, 350 insertions(+), 350 deletions(-) delete mode 100644 services/default.nix delete mode 100644 services/services/acme.nix delete mode 100644 services/services/minecraft.nix delete mode 100644 services/services/nginx.nix delete mode 100644 services/services/nix.nix delete mode 100644 services/services/opensshd.nix delete mode 100644 services/services/rust-motd.nix create mode 100644 system/file_system_layouts/default.nix create mode 100644 system/hardware/default.nix create mode 100644 system/mail/default.nix create mode 100644 system/packages/default.nix create mode 100644 system/services/acme/default.nix create mode 100644 system/services/default.nix create mode 100644 system/services/minecraft/default.nix create mode 100644 system/services/nginx/default.nix create mode 100644 system/services/nix/default.nix create mode 100644 system/services/opensshd/default.nix create mode 100644 system/services/rust-motd/default.nix delete mode 100644 system/system/fileSystemLayouts.nix delete mode 100644 system/system/hardware.nix delete mode 100644 system/system/packages.nix delete mode 100644 system/system/users.nix create mode 100644 system/users/default.nix diff --git a/flake.nix b/flake.nix index 554e168..36ae34e 100644 --- a/flake.nix +++ b/flake.nix @@ -20,32 +20,7 @@ ./hosts/server1/configuration.nix simple-nixos-mailserver.nixosModule { - mailserver = { - enable = true; - fqdn = "server1.vhack.eu"; - domains = ["vhack.eu"]; - - mailDirectory = "/srv/mail/vmail"; - dkimKeyDirectory = "/srv/mail/dkim"; - backup.snapshotRoot = "/srv/mail/backup"; - - loginAccounts = { - "sils@vhack.eu" = { - hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; - }; - }; - - extraVirtualAliases = { - "abuse@vhack.eu" = ["sils@vhack.eu"]; - "postmaster@vhack.eu" = ["sils@vhack.eu"]; - "admin@vhack.eu" = ["sils@vhack.eu"]; - }; - - sieveDirectory = "/srv/mail/sieve"; - keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; - certificateScheme = 1; - certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; - }; + mailserver = import ./system/mail {}; } ]; }; diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix index 729ef0f..694b6b4 100644 --- a/hosts/server1/configuration.nix +++ b/hosts/server1/configuration.nix @@ -3,8 +3,6 @@ ./networking.nix # network configuration that just works ../../system - - ../../services ]; boot.cleanTmpDir = true; diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix index cc6d816..027bc27 100644 --- a/hosts/server1/networking.nix +++ b/hosts/server1/networking.nix @@ -44,6 +44,5 @@ }; services.udev.extraRules = '' ATTR{address}=="66:22:6d:82:93:9b", NAME="eth0" - ''; } diff --git a/services/default.nix b/services/default.nix deleted file mode 100644 index c301ba1..0000000 --- a/services/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{config, ...}: { - imports = [ - ./services/acme.nix - ./services/nginx.nix - ./services/nix.nix - ./services/opensshd.nix - ./services/rust-motd.nix - ]; -} diff --git a/services/services/acme.nix b/services/services/acme.nix deleted file mode 100644 index a163e77..0000000 --- a/services/services/acme.nix +++ /dev/null @@ -1,30 +0,0 @@ -{...}: { - users.users.nginx.extraGroups = ["acme"]; - - services.nginx = { - enable = true; - virtualHosts = { - "acmechallenge.vhack.eu" = { - serverAliases = ["*.vhack.eu"]; - locations."/.well-known/acme-challenge" = { - root = "/var/lib/acme/.challenges"; - }; - locations."/" = { - return = "301 https://$host$request_uri"; - }; - }; - }; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "admin@vhack.eu"; - certs = { - "server1.vhack.eu" = { - webroot = "/var/lib/acme/.challenges"; - group = "nginx"; - extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"]; - }; - }; - }; -} diff --git a/services/services/minecraft.nix b/services/services/minecraft.nix deleted file mode 100644 index 754c974..0000000 --- a/services/services/minecraft.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - config, - pkgs, - ... -}: { - users = { - groups.minecraft = {}; - users.minecraft = { - isSystemUser = true; - group = "minecraft"; - }; - }; - systemd.services.minecraft = { - wantedBy = ["multi-user.target"]; - after = "network.target"; - description = "Minecraft Server"; - serviceConfig = { - WorkingDirectory = "/srv/minecraft"; - User = "minecraft"; - Group = "minecraft"; - Restart = "always"; - ExecStart = "${pkgs.openjdk}/bin/java -Xms10G -Xmx10G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true -jar paper.jar --nogui"; - SyslogIdentifier = "minecraft-server"; - }; - }; -} diff --git a/services/services/nginx.nix b/services/services/nginx.nix deleted file mode 100644 index 204783b..0000000 --- a/services/services/nginx.nix +++ /dev/null @@ -1,15 +0,0 @@ -{...}: { - networking.firewall = { - allowedTCPPorts = [80 443]; - }; - services.nginx = { - enable = true; - virtualHosts = { - "vhack.eu" = { - forceSSL = true; - enableACME = true; - root = "/srv/www/vhack.eu"; - }; - }; - }; -} diff --git a/services/services/nix.nix b/services/services/nix.nix deleted file mode 100644 index bd562ec..0000000 --- a/services/services/nix.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - nix = { - # gc = { - # automatic = true; - # dates = "daily"; - # options = "--delete-older-than 3"; - # }; - settings = { - auto-optimise-store = true; - experimental-features = ["nix-command" "flakes"]; - }; - }; -} diff --git a/services/services/opensshd.nix b/services/services/opensshd.nix deleted file mode 100644 index cb9f2ba..0000000 --- a/services/services/opensshd.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - config, - pkg, - ... -}: { - services.openssh = { - enable = true; - passwordAuthentication = false; - hostKeys = [ - { - comment = "key comment"; - path = "/srv/sshd/ssh_host_ed25519_key"; - rounds = 1000; - type = "ed25519"; - } - ]; - }; -} diff --git a/services/services/rust-motd.nix b/services/services/rust-motd.nix deleted file mode 100644 index 21bc1cd..0000000 --- a/services/services/rust-motd.nix +++ /dev/null @@ -1,79 +0,0 @@ -{ - config, - pkgs, - ... -}: { - programs.rust-motd = { - enable = true; - enableMotdInSSHD = true; - refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20) - settings = { - global = { - progress_full_character = "="; - progress_empty_character = "-"; - progress_prefix = "["; - progress_suffix = "]"; - time_format = "%Y-%m-%d %H:%M:%S"; - }; - - banner = { - color = "red"; - command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant"; - # if you don't want a dependency on figlet, you can generate your - # banner however you want, put it in a file, and then use something like: - # command = "cat banner.txt" - }; - - # [weather] - # url = "https://wttr.in/New+York,New+York?0" - # proxy = "http://proxy:8080" - - # [service_status] - # Accounts = "accounts-daemon" - # Cron = "cron" - - # [docker_status] - # Local containers MUST start with a slash - # https://github.com/moby/moby/issues/6705 - #"/nextcloud-nextcloud-1" = "Nextcloud" - #"/nextcloud-nextcloud-mariadb-1" = "Nextcloud Database" - - uptime = { - prefix = "Uptime:"; - }; - - # [user_service_status] - # gpg-agent = "gpg-agent" - - #s_s_l_certs = { - # sort_method = "manual" - # - # certs = { - # CertName1 = "/path/to/cert1.pem" - # CertName2 = "/path/to/cert2.pem" - # } - #}; - - filesystems = { - root = "/"; - }; - - memory = { - swap_pos = "beside"; # or "below" or "none" - }; - - fail2_ban = { - jails = ["sshd"]; #, "anotherjail"] - }; - - last_login = { - sils = 2; - soispha = 2; - nightingale = 2; - }; - - last_run = { - }; - }; - }; -} diff --git a/system/default.nix b/system/default.nix index 2af4982..9aa5d9e 100644 --- a/system/default.nix +++ b/system/default.nix @@ -1,8 +1,9 @@ {config, ...}: { imports = [ - ./system/fileSystemLayouts.nix - ./system/hardware.nix - ./system/packages.nix - ./system/users.nix + ./file_system_layouts + ./hardware + ./packages + ./services + ./users ]; } diff --git a/system/file_system_layouts/default.nix b/system/file_system_layouts/default.nix new file mode 100644 index 0000000..9d03a05 --- /dev/null +++ b/system/file_system_layouts/default.nix @@ -0,0 +1,45 @@ +{ + modulesPath, + config, + lib, + ... +}: +with lib; let + cfg = config.system.fileSystemLayouts; +in { + options.system.fileSystemLayouts = { + mainDisk = mkOption { + type = lib.types.path; + example = literalExpression "/dev/disk/by-uuid/0442cb6d-f13a-4635-b487-fa76189774c5"; + description = lib.mdDoc "Path to the main disk"; + }; + }; + config = { + fileSystems = { + "/" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["defaults" "size=2G" "mode=755"]; + }; + "/nix" = { + device = cfg.mainDisk; + fsType = "btrfs"; + options = ["subvol=nix" "compress-force=zstd"]; + }; + "/srv" = { + device = cfg.mainDisk; + fsType = "btrfs"; + options = ["subvol=storage" "compress-force=zstd"]; + }; + "/boot" = { + device = cfg.mainDisk; + options = ["subvol=boot" "compress-force=zstd"]; + }; + + "/etc/nixos" = { + device = "/srv/nix-config"; + options = ["bind"]; + }; + }; + }; +} diff --git a/system/hardware/default.nix b/system/hardware/default.nix new file mode 100644 index 0000000..c4c7dc9 --- /dev/null +++ b/system/hardware/default.nix @@ -0,0 +1,9 @@ +{modulesPath, ...}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/headless.nix") + ]; + boot.loader.grub.device = "/dev/vda"; + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; + boot.initrd.kernelModules = ["nvme" "btrfs"]; +} diff --git a/system/mail/default.nix b/system/mail/default.nix new file mode 100644 index 0000000..b09f8f1 --- /dev/null +++ b/system/mail/default.nix @@ -0,0 +1,27 @@ +# vim: ts=2 +{...}: { + enable = true; + fqdn = "server1.vhack.eu"; + domains = ["vhack.eu"]; + + mailDirectory = "/srv/mail/vmail"; + dkimKeyDirectory = "/srv/mail/dkim"; + backup.snapshotRoot = "/srv/mail/backup"; + + loginAccounts = { + "sils@vhack.eu" = { + hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; + }; + }; + + extraVirtualAliases = { + "abuse@vhack.eu" = ["sils@vhack.eu"]; + "postmaster@vhack.eu" = ["sils@vhack.eu"]; + "admin@vhack.eu" = ["sils@vhack.eu"]; + }; + + sieveDirectory = "/srv/mail/sieve"; + keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; + certificateScheme = 1; + certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; +} diff --git a/system/packages/default.nix b/system/packages/default.nix new file mode 100644 index 0000000..4d33c6e --- /dev/null +++ b/system/packages/default.nix @@ -0,0 +1,9 @@ +{pkgs, ...}: { + environment.systemPackages = with pkgs; [ + jre_minimal + git + zsh + neovim + btrfs-progs + ]; +} diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix new file mode 100644 index 0000000..a163e77 --- /dev/null +++ b/system/services/acme/default.nix @@ -0,0 +1,30 @@ +{...}: { + users.users.nginx.extraGroups = ["acme"]; + + services.nginx = { + enable = true; + virtualHosts = { + "acmechallenge.vhack.eu" = { + serverAliases = ["*.vhack.eu"]; + locations."/.well-known/acme-challenge" = { + root = "/var/lib/acme/.challenges"; + }; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "admin@vhack.eu"; + certs = { + "server1.vhack.eu" = { + webroot = "/var/lib/acme/.challenges"; + group = "nginx"; + extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"]; + }; + }; + }; +} diff --git a/system/services/default.nix b/system/services/default.nix new file mode 100644 index 0000000..acf20f5 --- /dev/null +++ b/system/services/default.nix @@ -0,0 +1,9 @@ +{config, ...}: { + imports = [ + ./acme + ./nginx + ./nix + ./opensshd + ./rust-motd + ]; +} diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix new file mode 100644 index 0000000..754c974 --- /dev/null +++ b/system/services/minecraft/default.nix @@ -0,0 +1,26 @@ +{ + config, + pkgs, + ... +}: { + users = { + groups.minecraft = {}; + users.minecraft = { + isSystemUser = true; + group = "minecraft"; + }; + }; + systemd.services.minecraft = { + wantedBy = ["multi-user.target"]; + after = "network.target"; + description = "Minecraft Server"; + serviceConfig = { + WorkingDirectory = "/srv/minecraft"; + User = "minecraft"; + Group = "minecraft"; + Restart = "always"; + ExecStart = "${pkgs.openjdk}/bin/java -Xms10G -Xmx10G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true -jar paper.jar --nogui"; + SyslogIdentifier = "minecraft-server"; + }; + }; +} diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix new file mode 100644 index 0000000..204783b --- /dev/null +++ b/system/services/nginx/default.nix @@ -0,0 +1,15 @@ +{...}: { + networking.firewall = { + allowedTCPPorts = [80 443]; + }; + services.nginx = { + enable = true; + virtualHosts = { + "vhack.eu" = { + forceSSL = true; + enableACME = true; + root = "/srv/www/vhack.eu"; + }; + }; + }; +} diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix new file mode 100644 index 0000000..bd562ec --- /dev/null +++ b/system/services/nix/default.nix @@ -0,0 +1,18 @@ +{ + config, + lib, + pkgs, + ... +}: { + nix = { + # gc = { + # automatic = true; + # dates = "daily"; + # options = "--delete-older-than 3"; + # }; + settings = { + auto-optimise-store = true; + experimental-features = ["nix-command" "flakes"]; + }; + }; +} diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix new file mode 100644 index 0000000..cb9f2ba --- /dev/null +++ b/system/services/opensshd/default.nix @@ -0,0 +1,18 @@ +{ + config, + pkg, + ... +}: { + services.openssh = { + enable = true; + passwordAuthentication = false; + hostKeys = [ + { + comment = "key comment"; + path = "/srv/sshd/ssh_host_ed25519_key"; + rounds = 1000; + type = "ed25519"; + } + ]; + }; +} diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix new file mode 100644 index 0000000..21bc1cd --- /dev/null +++ b/system/services/rust-motd/default.nix @@ -0,0 +1,79 @@ +{ + config, + pkgs, + ... +}: { + programs.rust-motd = { + enable = true; + enableMotdInSSHD = true; + refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20) + settings = { + global = { + progress_full_character = "="; + progress_empty_character = "-"; + progress_prefix = "["; + progress_suffix = "]"; + time_format = "%Y-%m-%d %H:%M:%S"; + }; + + banner = { + color = "red"; + command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant"; + # if you don't want a dependency on figlet, you can generate your + # banner however you want, put it in a file, and then use something like: + # command = "cat banner.txt" + }; + + # [weather] + # url = "https://wttr.in/New+York,New+York?0" + # proxy = "http://proxy:8080" + + # [service_status] + # Accounts = "accounts-daemon" + # Cron = "cron" + + # [docker_status] + # Local containers MUST start with a slash + # https://github.com/moby/moby/issues/6705 + #"/nextcloud-nextcloud-1" = "Nextcloud" + #"/nextcloud-nextcloud-mariadb-1" = "Nextcloud Database" + + uptime = { + prefix = "Uptime:"; + }; + + # [user_service_status] + # gpg-agent = "gpg-agent" + + #s_s_l_certs = { + # sort_method = "manual" + # + # certs = { + # CertName1 = "/path/to/cert1.pem" + # CertName2 = "/path/to/cert2.pem" + # } + #}; + + filesystems = { + root = "/"; + }; + + memory = { + swap_pos = "beside"; # or "below" or "none" + }; + + fail2_ban = { + jails = ["sshd"]; #, "anotherjail"] + }; + + last_login = { + sils = 2; + soispha = 2; + nightingale = 2; + }; + + last_run = { + }; + }; + }; +} diff --git a/system/system/fileSystemLayouts.nix b/system/system/fileSystemLayouts.nix deleted file mode 100644 index 9d03a05..0000000 --- a/system/system/fileSystemLayouts.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ - modulesPath, - config, - lib, - ... -}: -with lib; let - cfg = config.system.fileSystemLayouts; -in { - options.system.fileSystemLayouts = { - mainDisk = mkOption { - type = lib.types.path; - example = literalExpression "/dev/disk/by-uuid/0442cb6d-f13a-4635-b487-fa76189774c5"; - description = lib.mdDoc "Path to the main disk"; - }; - }; - config = { - fileSystems = { - "/" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["defaults" "size=2G" "mode=755"]; - }; - "/nix" = { - device = cfg.mainDisk; - fsType = "btrfs"; - options = ["subvol=nix" "compress-force=zstd"]; - }; - "/srv" = { - device = cfg.mainDisk; - fsType = "btrfs"; - options = ["subvol=storage" "compress-force=zstd"]; - }; - "/boot" = { - device = cfg.mainDisk; - options = ["subvol=boot" "compress-force=zstd"]; - }; - - "/etc/nixos" = { - device = "/srv/nix-config"; - options = ["bind"]; - }; - }; - }; -} diff --git a/system/system/hardware.nix b/system/system/hardware.nix deleted file mode 100644 index c4c7dc9..0000000 --- a/system/system/hardware.nix +++ /dev/null @@ -1,9 +0,0 @@ -{modulesPath, ...}: { - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/headless.nix") - ]; - boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; - boot.initrd.kernelModules = ["nvme" "btrfs"]; -} diff --git a/system/system/packages.nix b/system/system/packages.nix deleted file mode 100644 index 4d33c6e..0000000 --- a/system/system/packages.nix +++ /dev/null @@ -1,9 +0,0 @@ -{pkgs, ...}: { - environment.systemPackages = with pkgs; [ - jre_minimal - git - zsh - neovim - btrfs-progs - ]; -} diff --git a/system/system/users.nix b/system/system/users.nix deleted file mode 100644 index 34e1648..0000000 --- a/system/system/users.nix +++ /dev/null @@ -1,59 +0,0 @@ -{pkgs, ...}: { - users.mutableUsers = false; - users.defaultUserShell = pkgs.zsh; - - users.users = { - root = { - #uid = 0; - #initialHashedPassword = null; # to lock root - # Backup, if something happens. TODO remove this later - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" - ]; - }; - - sils = { - name = "sils"; - isNormalUser = true; - home = "/srv/home/sils"; - initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE - uid = 1000; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - ]; - }; - - soispha = { - name = "soispha"; - isNormalUser = true; - home = "/srv/home/soispha"; - initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1"; - uid = 1001; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" - ]; - }; - - nightingale = { - name = "nightingale"; - isNormalUser = true; - home = "/srv/home/nightingale"; - initialHashedPassword = null; # TODO CHANGE - uid = 1002; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - ]; - }; - }; -} -# vim: ts=2 - diff --git a/system/users/default.nix b/system/users/default.nix new file mode 100644 index 0000000..34e1648 --- /dev/null +++ b/system/users/default.nix @@ -0,0 +1,59 @@ +{pkgs, ...}: { + users.mutableUsers = false; + users.defaultUserShell = pkgs.zsh; + + users.users = { + root = { + #uid = 0; + #initialHashedPassword = null; # to lock root + # Backup, if something happens. TODO remove this later + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" + ]; + }; + + sils = { + name = "sils"; + isNormalUser = true; + home = "/srv/home/sils"; + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE + uid = 1000; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + ]; + }; + + soispha = { + name = "soispha"; + isNormalUser = true; + home = "/srv/home/soispha"; + initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1"; + uid = 1001; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" + ]; + }; + + nightingale = { + name = "nightingale"; + isNormalUser = true; + home = "/srv/home/nightingale"; + initialHashedPassword = null; # TODO CHANGE + uid = 1002; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + ]; + }; + }; +} +# vim: ts=2 + -- cgit 1.4.1 From 1cacce0cbeb3c1018ac8960391f83c25dcaa17a0 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:25:25 +0100 Subject: Chore(flake): Update --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 7848d91..96245b1 100644 --- a/flake.lock +++ b/flake.lock @@ -18,11 +18,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1675512093, - "narHash": "sha256-u1CY4feK14B57E6T+0Bhkuoj8dpBxCPrWO+SP87UVP8=", + "lastModified": 1679058649, + "narHash": "sha256-tXbTGzCFFk5G0IOlhhuQtf3KQ0+9RNDk4O2YmEgvppk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8e8240194eda25b61449f29bb5131e02b28a5486", + "rev": "328c9c6f597b1edb75a114df61113d87c61ad60d", "type": "github" }, "original": { -- cgit 1.4.1 From f77f8848301bd0eaf742f177771554f6ce942bb9 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:27:54 +0100 Subject: Fix(system/mail): Disable protocols with STARTTLS This is inherently unsafe because it requires an unencrypted handshake. Considering that all protocols also work directly with TLS i.e., the encrypted variant, disabling this shouldn't be a drawback. --- system/mail/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/system/mail/default.nix b/system/mail/default.nix index b09f8f1..6fe82fd 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -4,6 +4,14 @@ fqdn = "server1.vhack.eu"; domains = ["vhack.eu"]; + enableImap = false; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = true; + # SMTP + enableSubmission = false; + enableSubmissionSsl = true; + mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; backup.snapshotRoot = "/srv/mail/backup"; -- cgit 1.4.1 From 6ba9c1452144b327963c9f0ae57ec5662b4f6ec1 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:54:20 +0100 Subject: Fix(system/mail): Make extraVirtualAliases fairer --- system/mail/default.nix | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/system/mail/default.nix b/system/mail/default.nix index 6fe82fd..67531af 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -1,5 +1,11 @@ # vim: ts=2 -{...}: { +{...}: let + all_admins = [ + "sils@vhack.eu" + "soispha@vhack.eu" + "nightingale@vhack.eu" + ]; +in { enable = true; fqdn = "server1.vhack.eu"; domains = ["vhack.eu"]; @@ -23,9 +29,9 @@ }; extraVirtualAliases = { - "abuse@vhack.eu" = ["sils@vhack.eu"]; - "postmaster@vhack.eu" = ["sils@vhack.eu"]; - "admin@vhack.eu" = ["sils@vhack.eu"]; + "abuse@vhack.eu" = all_admins; + "postmaster@vhack.eu" = all_admins; + "admin@vhack.eu" = all_admins; }; sieveDirectory = "/srv/mail/sieve"; -- cgit 1.4.1 From dc4334de217175ad7d1c0a4e2e3f98b2fef51784 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:56:04 +0100 Subject: Fix(system/users): Remove unneeded root ssh login keys All users are in the wheel group, thus direct login as root is no longer needed. --- system/services/opensshd/default.nix | 1 - system/users/default.nix | 7 ++----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix index cb9f2ba..75c5aef 100644 --- a/system/services/opensshd/default.nix +++ b/system/services/opensshd/default.nix @@ -8,7 +8,6 @@ passwordAuthentication = false; hostKeys = [ { - comment = "key comment"; path = "/srv/sshd/ssh_host_ed25519_key"; rounds = 1000; type = "ed25519"; diff --git a/system/users/default.nix b/system/users/default.nix index 34e1648..3555221 100644 --- a/system/users/default.nix +++ b/system/users/default.nix @@ -5,11 +5,8 @@ users.users = { root = { #uid = 0; - #initialHashedPassword = null; # to lock root - # Backup, if something happens. TODO remove this later + initialHashedPassword = null; # to lock root openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" ]; }; @@ -17,7 +14,7 @@ name = "sils"; isNormalUser = true; home = "/srv/home/sils"; - initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; uid = 1000; extraGroups = [ "wheel" -- cgit 1.4.1 From 414ad162bc5ecdf71e3c5d674c18c6d65bd03a45 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:12:34 +0100 Subject: Fix(system/mail): Declare the password directly As outlined in commit 19f0808, placing a password hash in the world readable nix-store is perfectly safe as long as the hashing function is not reversible, which should be a necessity for a password hash. --- system/mail/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/mail/default.nix b/system/mail/default.nix index 67531af..2f58c03 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -24,7 +24,7 @@ in { loginAccounts = { "sils@vhack.eu" = { - hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; + hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; }; }; -- cgit 1.4.1 From a24dc7da41c18ef68ea32b27995c60c9494f579c Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:34:44 +0100 Subject: Feat(system/mail): Use '/' to separate mailboxes This is something that just makes the file system easier to traverse, but isn't really necessary. --- system/mail/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/system/mail/default.nix b/system/mail/default.nix index 2f58c03..98af119 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -17,6 +17,7 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; + useFsLayout = true; mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; -- cgit 1.4.1 From d6fbe642e5762f1bd79dcfb0e68bf7df1c902d8d Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:22:46 +0100 Subject: Style(system/mail): Reorder options I just think this is easier to read. --- system/mail/default.nix | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/system/mail/default.nix b/system/mail/default.nix index 98af119..7a206f5 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -10,19 +10,8 @@ in { fqdn = "server1.vhack.eu"; domains = ["vhack.eu"]; - enableImap = false; - enableImapSsl = true; - enablePop3 = false; - enablePop3Ssl = true; - # SMTP - enableSubmission = false; - enableSubmissionSsl = true; useFsLayout = true; - mailDirectory = "/srv/mail/vmail"; - dkimKeyDirectory = "/srv/mail/dkim"; - backup.snapshotRoot = "/srv/mail/backup"; - loginAccounts = { "sils@vhack.eu" = { hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; @@ -35,7 +24,21 @@ in { "admin@vhack.eu" = all_admins; }; + + mailDirectory = "/srv/mail/vmail"; + dkimKeyDirectory = "/srv/mail/dkim"; sieveDirectory = "/srv/mail/sieve"; + backup.snapshotRoot = "/srv/mail/backup"; + + + enableImap = false; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = true; + # SMTP + enableSubmission = false; + enableSubmissionSsl = true; + keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; -- cgit 1.4.1 From f2ab8429778b5b5c422160da6a11c15af815b55c Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:52:49 +0100 Subject: Feat(system/mail): Add other users, so the admin thing works --- system/mail/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/system/mail/default.nix b/system/mail/default.nix index 7a206f5..8eaa53b 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -16,6 +16,12 @@ in { "sils@vhack.eu" = { hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; }; + "soispha@vhack.eu" = { + hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW"; + }; + "nightingale@vhack.eu" = { + hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change + }; }; extraVirtualAliases = { -- cgit 1.4.1 From 083a7cbb9623c90468c887203bf95adc5f2e3201 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:43:26 +0100 Subject: Fix(system/mail): Only accept connections on safe ports It is sort of standard to ignore connections over the unencrypted port 25, thus we are doing the same. --- system/mail/default.nix | 4 ++-- system/services/default.nix | 2 ++ system/services/firewall/default.nix | 11 +++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 system/services/firewall/default.nix diff --git a/system/mail/default.nix b/system/mail/default.nix index 8eaa53b..7102958 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -30,13 +30,11 @@ in { "admin@vhack.eu" = all_admins; }; - mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; sieveDirectory = "/srv/mail/sieve"; backup.snapshotRoot = "/srv/mail/backup"; - enableImap = false; enableImapSsl = true; enablePop3 = false; @@ -44,8 +42,10 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; + openFirewall = false; # handled below keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; + } diff --git a/system/services/default.nix b/system/services/default.nix index acf20f5..4c39b8b 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,6 +1,8 @@ {config, ...}: { imports = [ ./acme + ./firewall + ./minecraft ./nginx ./nix ./opensshd diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix new file mode 100644 index 0000000..23dbcc4 --- /dev/null +++ b/system/services/firewall/default.nix @@ -0,0 +1,11 @@ +# vim: ts=2 +{...}: { + networking.firewall = { + allowedTCPPorts = [ + # for mail protocols: + 465 # SMTP SSL + 995 # POP3 SSL + 993 # IMAP SSL + ]; + }; +} -- cgit 1.4.1 From 055f4e0191bba4c0dc1000dd2089906119717883 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:46:18 +0100 Subject: Fix(system/services/minecraft): Remove to make compile --- system/services/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/services/default.nix b/system/services/default.nix index 4c39b8b..f36cb29 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -2,7 +2,7 @@ imports = [ ./acme ./firewall - ./minecraft + #./minecraft ./nginx ./nix ./opensshd -- cgit 1.4.1