From 820efecae8c72ee3f9c6f4981d43ce19fe660dc3 Mon Sep 17 00:00:00 2001 From: sils Date: Tue, 7 Mar 2023 19:40:49 +0100 Subject: Feat: Add mailserver --- flake.lock | 86 +++++++++++++++++++++++++++++++++++++++++++++- flake.nix | 34 +++++++++++++++++- services/services/acme.nix | 23 +++++++++++++ 3 files changed, 141 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index 8af459c..7848d91 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,21 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "nixpkgs": { "locked": { "lastModified": 1675512093, 
@@ -16,9 +32,77 @@
         "type": "github"
       }
     },
+    "nixpkgs-22_11": {
+      "locked": {
+        "lastModified": 1669558522,
+        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-22.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1669542132,
+        "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
+      }
+    },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-22_11": "nixpkgs-22_11",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1671659164,
+        "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-22.11",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
       }
     }
   },
diff --git a/flake.nix b/flake.nix
index 9df3c84..e087f96 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,17 +4,49 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11"; }; outputs = { self, nixpkgs, + simple-nixos-mailserver, ... } @ attrs: { nixosConfigurations."server1" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = attrs; - modules = [./hosts/server1/configuration.nix]; + modules = [ + ./hosts/server1/configuration.nix + simple-nixos-mailserver.nixosModule + { + mailserver = { + enable = true; + fqdn = "server1.vhack.eu"; + domains = ["vhack.eu"]; + + mailDirectory = "/srv/mail/vmail"; + dkimKeyDirectory = "/srv/mail/dkim"; + backup.snapshotRoot = "/srv/mail/backup"; + + loginAccounts = { + "sils@vhack.eu" = { + hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; + }; + }; + + extraVirtualAliases = { + "abuse@vhack.eu" = ["sils@vhack.eu"]; + "postmaster@vhack.eu" = ["sils@vhack.eu"]; + }; + + sieveDirectory = "/srv/mail/sieve"; + keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; + certificateScheme = 1; + certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; + }; + } + ]; }; }; } diff --git a/services/services/acme.nix b/services/services/acme.nix index 42f9ed5..7e39174 100644 --- a/services/services/acme.nix +++ b/services/services/acme.nix @@ -1,6 +1,29 @@ {...}: { + users.users.nginx.extraGroups = ["acme"]; + + services.nginx = { + enable = true; + virtualHosts = { + "acmechallenge.vhack.eu" = { + serverAliases = ["*.vhack.eu"]; + locations."/.well-known/acme-challenge" = { + root = "/var/lib/acme/.challenges"; + }; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; + }; + }; + security.acme = { acceptTerms = true; defaults.email = "admin@vhack.eu"; + certs = { + "server1.vhack.eu" = { + webroot = "/var/lib/acme/.challenges"; + group = "nginx"; + }; + }; }; } -- cgit 1.4.1 From db52be26814508c7dcc4f04c41b84c4ea0744f90 Mon Sep 17 00:00:00 2001 
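Review bot: `certificateScheme = 1` (the manual scheme) points the mail daemons at `/var/lib/acme/server1.vhack.eu/key.pem` and `fullchain.pem`, which this commit has the ACME module issue for nginx, but nothing in either file restarts or reloads postfix/dovecot when that certificate is renewed, so they keep serving the old chain until the next activation. The cert definition added to `services/services/acme.nix` in the same commit should name them, e.g. `reloadServices = ["postfix.service" "dovecot2.service"];` (confirm the option name for the NixOS release in use; older releases only offered `postRun`), or the fqdn certificate could move to nixos-mailserver's own ACME scheme, which I believe handles the reload itself. The same block is later moved verbatim to `system/mail/default.nix`, where the point still applies.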
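Review bot: `users.users.nginx.extraGroups = ["acme"]` is broader than this setup needs: `group = "nginx"` on the `server1.vhack.eu` cert already makes that directory readable by the web server, the `vhack.eu` vhost with `enableACME` gets the same automatically, and membership in `acme` additionally exposes every other certificate's `key.pem` under `/var/lib/acme` to nginx. Conversely nginx only needs the `webroot` for the challenge, not the mail key; if postfix and dovecot read the key as root, as they normally do, the cert's `group` can stay at the default `acme` group, so both lines look droppable. The catch-all `serverAliases = ["*.vhack.eu"]` also redirects names such as `imap.vhack.eu` to an HTTPS vhost that does not exist, which is harmless but deserves a comment like `# catch-all so every *.vhack.eu name can answer HTTP-01 challenges`.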
From: sils
Date: Tue, 7 Mar 2023 19:52:27 +0100
Subject: Fix: Add imap and smtp subdomains to cert

---
 services/services/acme.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/services/services/acme.nix b/services/services/acme.nix
index 7e39174..a163e77 100644
--- a/services/services/acme.nix
+++ b/services/services/acme.nix
@@ -23,6 +23,7 @@
       "server1.vhack.eu" = {
         webroot = "/var/lib/acme/.challenges";
         group = "nginx";
+        extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"];
       };
     };
   };
-- 
cgit 1.4.1

From 929625982889a242d4dd073585bf3799e8ea5a62 Mon Sep 17 00:00:00 2001
From: sils
Date: Tue, 7 Mar 2023 19:53:55 +0100
Subject: Feat: Added admin@vhack.eu mail

---
 flake.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/flake.nix b/flake.nix
index e087f96..554e168 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,6 +38,7 @@
             extraVirtualAliases = {
               "abuse@vhack.eu" = ["sils@vhack.eu"];
               "postmaster@vhack.eu" = ["sils@vhack.eu"];
+              "admin@vhack.eu" = ["sils@vhack.eu"];
             };
 
             sieveDirectory = "/srv/mail/sieve";
-- 
cgit 1.4.1

From c7507b123f80929d1cad9dc08ffb547d991a635b Mon Sep 17 00:00:00 2001
From: sils
Date: Tue, 7 Mar 2023 20:02:34 +0100
Subject: Fix: Try to fix ipv6

---
 hosts/server1/networking.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix
index 26d6719..cc6d816 100644
--- a/hosts/server1/networking.nix
+++ b/hosts/server1/networking.nix
@@ -19,7 +19,7 @@
       ];
       ipv6.addresses = [
         {
-          address = "2a03:4000:6a:3f3:6422:6dff:fe82:939b";
+          address = "2a03:4000:6a:3f3::1";
           prefixLength = 64;
         }
         {
-- 
cgit 1.4.1

From 5a0cb28f369c104bb371974df876c8c705b0ee7e Mon Sep 17 00:00:00 2001
From: ene Date: Sat, 18 Mar 2023 16:21:45 +0100 Subject: Refactor: Use better file layout --- flake.nix | 27 +----------- hosts/server1/configuration.nix | 2 - hosts/server1/networking.nix | 1 - services/default.nix | 9 ---- services/services/acme.nix | 30 ------------- services/services/minecraft.nix | 26 ----------- services/services/nginx.nix | 15 ------- services/services/nix.nix | 18 -------- services/services/opensshd.nix | 18 -------- services/services/rust-motd.nix | 79 ---------------------------------- system/default.nix | 9 ++-- system/file_system_layouts/default.nix | 45 +++++++++++++++++++ system/hardware/default.nix | 9 ++++ system/mail/default.nix | 27 ++++++++++++ system/packages/default.nix | 9 ++++ system/services/acme/default.nix | 30 +++++++++++++ system/services/default.nix | 9 ++++ system/services/minecraft/default.nix | 26 +++++++++++ system/services/nginx/default.nix | 15 +++++++ system/services/nix/default.nix | 18 ++++++++ system/services/opensshd/default.nix | 18 ++++++++ system/services/rust-motd/default.nix | 79 ++++++++++++++++++++++++++++++++++ system/system/fileSystemLayouts.nix | 45 ------------------- system/system/hardware.nix | 9 ---- system/system/packages.nix | 9 ---- system/system/users.nix | 59 ------------------------- system/users/default.nix | 59 +++++++++++++++++++++++++ 27 files changed, 350 insertions(+), 350 deletions(-) delete mode 100644 services/default.nix delete mode 100644 services/services/acme.nix delete mode 100644 services/services/minecraft.nix delete mode 100644 services/services/nginx.nix delete mode 100644 services/services/nix.nix delete mode 100644 services/services/opensshd.nix delete mode 100644 services/services/rust-motd.nix create mode 100644 system/file_system_layouts/default.nix create mode 100644 system/hardware/default.nix create mode 100644 system/mail/default.nix create mode 100644 system/packages/default.nix create mode 100644 system/services/acme/default.nix create mode 100644 
system/services/default.nix create mode 100644 system/services/minecraft/default.nix create mode 100644 system/services/nginx/default.nix create mode 100644 system/services/nix/default.nix create mode 100644 system/services/opensshd/default.nix create mode 100644 system/services/rust-motd/default.nix delete mode 100644 system/system/fileSystemLayouts.nix delete mode 100644 system/system/hardware.nix delete mode 100644 system/system/packages.nix delete mode 100644 system/system/users.nix create mode 100644 system/users/default.nix diff --git a/flake.nix b/flake.nix index 554e168..36ae34e 100644 --- a/flake.nix +++ b/flake.nix @@ -20,32 +20,7 @@ ./hosts/server1/configuration.nix simple-nixos-mailserver.nixosModule { - mailserver = { - enable = true; - fqdn = "server1.vhack.eu"; - domains = ["vhack.eu"]; - - mailDirectory = "/srv/mail/vmail"; - dkimKeyDirectory = "/srv/mail/dkim"; - backup.snapshotRoot = "/srv/mail/backup"; - - loginAccounts = { - "sils@vhack.eu" = { - hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; - }; - }; - - extraVirtualAliases = { - "abuse@vhack.eu" = ["sils@vhack.eu"]; - "postmaster@vhack.eu" = ["sils@vhack.eu"]; - "admin@vhack.eu" = ["sils@vhack.eu"]; - }; - - sieveDirectory = "/srv/mail/sieve"; - keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; - certificateScheme = 1; - certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; - }; + mailserver = import ./system/mail {}; } ]; }; diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix index 729ef0f..694b6b4 100644 --- a/hosts/server1/configuration.nix +++ b/hosts/server1/configuration.nix @@ -3,8 +3,6 @@ ./networking.nix # network configuration that just works ../../system - - ../../services ]; boot.cleanTmpDir = true; diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix index cc6d816..027bc27 100644 --- a/hosts/server1/networking.nix +++ b/hosts/server1/networking.nix 
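Review bot: `mailserver = import ./system/mail {};` calls the new file as a plain function with an empty argument set, so `system/mail/default.nix` can never receive `config`, `pkgs` or `lib` the way its siblings do, and it becomes the only directory under `system/` that is not wired through `system/default.nix`. Writing it as a normal module whose body is `mailserver = { ... };` and adding `./mail` next to `./services` in `system/default.nix` keeps one mechanism for everything under `system/`. Evaluation works as written, so this is a structure point rather than a defect.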
@@ -44,6 +44,5 @@ }; services.udev.extraRules = '' ATTR{address}=="66:22:6d:82:93:9b", NAME="eth0" - ''; } diff --git a/services/default.nix b/services/default.nix deleted file mode 100644 index c301ba1..0000000 --- a/services/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{config, ...}: { - imports = [ - ./services/acme.nix - ./services/nginx.nix - ./services/nix.nix - ./services/opensshd.nix - ./services/rust-motd.nix - ]; -} diff --git a/services/services/acme.nix b/services/services/acme.nix deleted file mode 100644 index a163e77..0000000 --- a/services/services/acme.nix +++ /dev/null @@ -1,30 +0,0 @@ -{...}: { - users.users.nginx.extraGroups = ["acme"]; - - services.nginx = { - enable = true; - virtualHosts = { - "acmechallenge.vhack.eu" = { - serverAliases = ["*.vhack.eu"]; - locations."/.well-known/acme-challenge" = { - root = "/var/lib/acme/.challenges"; - }; - locations."/" = { - return = "301 https://$host$request_uri"; - }; - }; - }; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "admin@vhack.eu"; - certs = { - "server1.vhack.eu" = { - webroot = "/var/lib/acme/.challenges"; - group = "nginx"; - extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"]; - }; - }; - }; -} diff --git a/services/services/minecraft.nix b/services/services/minecraft.nix deleted file mode 100644 index 754c974..0000000 --- a/services/services/minecraft.nix +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - config, - pkgs, - ... -}: { - users = { - groups.minecraft = {}; - users.minecraft = { - isSystemUser = true; - group = "minecraft"; - }; - }; - systemd.services.minecraft = { - wantedBy = ["multi-user.target"]; - after = "network.target"; - description = "Minecraft Server"; - serviceConfig = { - WorkingDirectory = "/srv/minecraft"; - User = "minecraft"; - Group = "minecraft"; - Restart = "always"; - ExecStart = "${pkgs.openjdk}/bin/java -Xms10G -Xmx10G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true -jar paper.jar --nogui"; - SyslogIdentifier = "minecraft-server"; - }; - }; -} diff --git a/services/services/nginx.nix b/services/services/nginx.nix deleted file mode 100644 index 204783b..0000000 --- a/services/services/nginx.nix +++ /dev/null @@ -1,15 +0,0 @@ -{...}: { - networking.firewall = { - allowedTCPPorts = [80 443]; - }; - services.nginx = { - enable = true; - virtualHosts = { - "vhack.eu" = { - forceSSL = true; - enableACME = true; - root = "/srv/www/vhack.eu"; - }; - }; - }; -} diff --git a/services/services/nix.nix b/services/services/nix.nix deleted file mode 100644 index bd562ec..0000000 --- a/services/services/nix.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - nix = { - # gc = { - # automatic = true; - # dates = "daily"; - # options = "--delete-older-than 3"; - # }; - settings = { - auto-optimise-store = true; - experimental-features = ["nix-command" "flakes"]; - }; - }; -} 
diff --git a/services/services/opensshd.nix b/services/services/opensshd.nix deleted file mode 100644 index cb9f2ba..0000000 --- a/services/services/opensshd.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - config, - pkg, - ... -}: { - services.openssh = { - enable = true; - passwordAuthentication = false; - hostKeys = [ - { - comment = "key comment"; - path = "/srv/sshd/ssh_host_ed25519_key"; - rounds = 1000; - type = "ed25519"; - } - ]; - }; -} diff --git a/services/services/rust-motd.nix b/services/services/rust-motd.nix deleted file mode 100644 index 21bc1cd..0000000 --- a/services/services/rust-motd.nix +++ /dev/null 
@@ -1,79 +0,0 @@ -{ - config, - pkgs, - ... -}: { - programs.rust-motd = { - enable = true; - enableMotdInSSHD = true; - refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20) - settings = { - global = { - progress_full_character = "="; - progress_empty_character = "-"; - progress_prefix = "["; - progress_suffix = "]"; - time_format = "%Y-%m-%d %H:%M:%S"; - }; - - banner = { - color = "red"; - command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant"; - # if you don't want a dependency on figlet, you can generate your - # banner however you want, put it in a file, and then use something like: - # command = "cat banner.txt" - }; - - # [weather] - # url = "https://wttr.in/New+York,New+York?0" - # proxy = "http://proxy:8080" - - # [service_status] - # Accounts = "accounts-daemon" - # Cron = "cron" - - # [docker_status] - # Local containers MUST start with a slash - # https://github.com/moby/moby/issues/6705 - #"/nextcloud-nextcloud-1" = "Nextcloud" - #"/nextcloud-nextcloud-mariadb-1" = "Nextcloud Database" - - uptime = { - prefix = "Uptime:"; - }; - - # [user_service_status] - # gpg-agent = "gpg-agent" - - #s_s_l_certs = { - # sort_method = "manual" - # - # certs = { - # CertName1 = "/path/to/cert1.pem" - # CertName2 = "/path/to/cert2.pem" - # } - #}; - - filesystems = { - root = "/"; - }; - - memory = { - swap_pos = "beside"; # or "below" or "none" - }; - - fail2_ban = { - jails = ["sshd"]; #, "anotherjail"] - }; - - last_login = { - sils = 2; - soispha = 2; - nightingale = 2; - }; - - last_run = { - }; - }; - }; -} diff --git a/system/default.nix b/system/default.nix index 2af4982..9aa5d9e 100644 --- a/system/default.nix +++ b/system/default.nix @@ -1,8 +1,9 @@ {config, ...}: { imports = [ - ./system/fileSystemLayouts.nix - ./system/hardware.nix - ./system/packages.nix - ./system/users.nix + ./file_system_layouts + ./hardware + ./packages + ./services + ./users ]; } 
diff --git a/system/file_system_layouts/default.nix b/system/file_system_layouts/default.nix new file mode 100644 index 0000000..9d03a05 --- /dev/null +++ b/system/file_system_layouts/default.nix @@ -0,0 +1,45 @@ +{ + modulesPath, + config, + lib, + ... +}: +with lib; let + cfg = config.system.fileSystemLayouts; +in { + options.system.fileSystemLayouts = { + mainDisk = mkOption { + type = lib.types.path; + example = literalExpression "/dev/disk/by-uuid/0442cb6d-f13a-4635-b487-fa76189774c5"; + description = lib.mdDoc "Path to the main disk"; + }; + }; + config = { + fileSystems = { + "/" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["defaults" "size=2G" "mode=755"]; + }; + "/nix" = { + device = cfg.mainDisk; + fsType = "btrfs"; + options = ["subvol=nix" "compress-force=zstd"]; + }; + "/srv" = { + device = cfg.mainDisk; + fsType = "btrfs"; + options = ["subvol=storage" "compress-force=zstd"]; + }; + "/boot" = { + device = cfg.mainDisk; + options = ["subvol=boot" "compress-force=zstd"]; + }; + + "/etc/nixos" = { + device = "/srv/nix-config"; + options = ["bind"]; + }; + }; + }; +} diff --git a/system/hardware/default.nix b/system/hardware/default.nix new file mode 100644 index 0000000..c4c7dc9 --- /dev/null +++ b/system/hardware/default.nix @@ -0,0 +1,9 @@ +{modulesPath, ...}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/headless.nix") + ]; + boot.loader.grub.device = "/dev/vda"; + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; + boot.initrd.kernelModules = ["nvme" "btrfs"]; +} diff --git a/system/mail/default.nix b/system/mail/default.nix new file mode 100644 index 0000000..b09f8f1 --- /dev/null +++ b/system/mail/default.nix 
@@ -0,0 +1,27 @@ +# vim: ts=2 +{...}: { + enable = true; + fqdn = "server1.vhack.eu"; + domains = ["vhack.eu"]; + + mailDirectory = "/srv/mail/vmail"; + dkimKeyDirectory = "/srv/mail/dkim"; + backup.snapshotRoot = "/srv/mail/backup"; + + loginAccounts = { + "sils@vhack.eu" = { + hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; + }; + }; + + extraVirtualAliases = { + "abuse@vhack.eu" = ["sils@vhack.eu"]; + "postmaster@vhack.eu" = ["sils@vhack.eu"]; + "admin@vhack.eu" = ["sils@vhack.eu"]; + }; + + sieveDirectory = "/srv/mail/sieve"; + keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; + certificateScheme = 1; + certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; +} diff --git a/system/packages/default.nix b/system/packages/default.nix new file mode 100644 index 0000000..4d33c6e --- /dev/null +++ b/system/packages/default.nix @@ -0,0 +1,9 @@ +{pkgs, ...}: { + environment.systemPackages = with pkgs; [ + jre_minimal + git + zsh + neovim + btrfs-progs + ]; +} diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix new file mode 100644 index 0000000..a163e77 --- /dev/null +++ b/system/services/acme/default.nix @@ -0,0 +1,30 @@ +{...}: { + users.users.nginx.extraGroups = ["acme"]; + + services.nginx = { + enable = true; + virtualHosts = { + "acmechallenge.vhack.eu" = { + serverAliases = ["*.vhack.eu"]; + locations."/.well-known/acme-challenge" = { + root = "/var/lib/acme/.challenges"; + }; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "admin@vhack.eu"; + certs = { + "server1.vhack.eu" = { + webroot = "/var/lib/acme/.challenges"; + group = "nginx"; + extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"]; + }; + }; + }; +} diff --git a/system/services/default.nix b/system/services/default.nix new file mode 100644 index 0000000..acf20f5 --- /dev/null +++ b/system/services/default.nix 
@@ -0,0 +1,9 @@ +{config, ...}: { + imports = [ + ./acme + ./nginx + ./nix + ./opensshd + ./rust-motd + ]; +} diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix new file mode 100644 index 0000000..754c974 --- /dev/null +++ b/system/services/minecraft/default.nix @@ -0,0 +1,26 @@ +{ + config, + pkgs, + ... +}: { + users = { + groups.minecraft = {}; + users.minecraft = { + isSystemUser = true; + group = "minecraft"; + }; + }; + systemd.services.minecraft = { + wantedBy = ["multi-user.target"]; + after = "network.target"; + description = "Minecraft Server"; + serviceConfig = { + WorkingDirectory = "/srv/minecraft"; + User = "minecraft"; + Group = "minecraft"; + Restart = "always"; + ExecStart = "${pkgs.openjdk}/bin/java -Xms10G -Xmx10G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true -jar paper.jar --nogui"; + SyslogIdentifier = "minecraft-server"; + }; + }; +} diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix new file mode 100644 index 0000000..204783b --- /dev/null +++ b/system/services/nginx/default.nix @@ -0,0 +1,15 @@ +{...}: { + networking.firewall = { + allowedTCPPorts = [80 443]; + }; + services.nginx = { + enable = true; + virtualHosts = { + "vhack.eu" = { + forceSSL = true; + enableACME = true; + root = "/srv/www/vhack.eu"; + }; + }; + }; +} diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix new file mode 100644 index 0000000..bd562ec --- /dev/null 
+++ b/system/services/nix/default.nix @@ -0,0 +1,18 @@ +{ + config, + lib, + pkgs, + ... +}: { + nix = { + # gc = { + # automatic = true; + # dates = "daily"; + # options = "--delete-older-than 3"; + # }; + settings = { + auto-optimise-store = true; + experimental-features = ["nix-command" "flakes"]; + }; + }; +} diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix new file mode 100644 index 0000000..cb9f2ba --- /dev/null +++ b/system/services/opensshd/default.nix @@ -0,0 +1,18 @@ +{ + config, + pkg, + ... +}: { + services.openssh = { + enable = true; + passwordAuthentication = false; + hostKeys = [ + { + comment = "key comment"; + path = "/srv/sshd/ssh_host_ed25519_key"; + rounds = 1000; + type = "ed25519"; + } + ]; + }; +} diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix new file mode 100644 index 0000000..21bc1cd --- /dev/null +++ b/system/services/rust-motd/default.nix 
@@ -0,0 +1,79 @@ +{ + config, + pkgs, + ... +}: { + programs.rust-motd = { + enable = true; + enableMotdInSSHD = true; + refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20) + settings = { + global = { + progress_full_character = "="; + progress_empty_character = "-"; + progress_prefix = "["; + progress_suffix = "]"; + time_format = "%Y-%m-%d %H:%M:%S"; + }; + + banner = { + color = "red"; + command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant"; + # if you don't want a dependency on figlet, you can generate your + # banner however you want, put it in a file, and then use something like: + # command = "cat banner.txt" + }; + + # [weather] + # url = "https://wttr.in/New+York,New+York?0" + # proxy = "http://proxy:8080" + + # [service_status] + # Accounts = "accounts-daemon" + # Cron = "cron" + + # [docker_status] + # Local containers MUST start with a slash + # https://github.com/moby/moby/issues/6705 + #"/nextcloud-nextcloud-1" = "Nextcloud" + #"/nextcloud-nextcloud-mariadb-1" = "Nextcloud Database" + + uptime = { + prefix = "Uptime:"; + }; + + # [user_service_status] + # gpg-agent = "gpg-agent" + + #s_s_l_certs = { + # sort_method = "manual" + # + # certs = { + # CertName1 = "/path/to/cert1.pem" + # CertName2 = "/path/to/cert2.pem" + # } + #}; + + filesystems = { + root = "/"; + }; + + memory = { + swap_pos = "beside"; # or "below" or "none" + }; + + fail2_ban = { + jails = ["sshd"]; #, "anotherjail"] + }; + + last_login = { + sils = 2; + soispha = 2; + nightingale = 2; + }; + + last_run = { + }; + }; + }; +} diff --git a/system/system/fileSystemLayouts.nix b/system/system/fileSystemLayouts.nix deleted file mode 100644 index 9d03a05..0000000 --- a/system/system/fileSystemLayouts.nix +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - modulesPath, - config, - lib, - ... -}: -with lib; let - cfg = config.system.fileSystemLayouts; -in { - options.system.fileSystemLayouts = { - mainDisk = mkOption { - type = lib.types.path; - example = literalExpression "/dev/disk/by-uuid/0442cb6d-f13a-4635-b487-fa76189774c5"; - description = lib.mdDoc "Path to the main disk"; - }; - }; - config = { - fileSystems = { - "/" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["defaults" "size=2G" "mode=755"]; - }; - "/nix" = { - device = cfg.mainDisk; - fsType = "btrfs"; - options = ["subvol=nix" "compress-force=zstd"]; - }; - "/srv" = { - device = cfg.mainDisk; - fsType = "btrfs"; - options = ["subvol=storage" "compress-force=zstd"]; - }; - "/boot" = { - device = cfg.mainDisk; - options = ["subvol=boot" "compress-force=zstd"]; - }; - - "/etc/nixos" = { - device = "/srv/nix-config"; - options = ["bind"]; - }; - }; - }; -} diff --git a/system/system/hardware.nix b/system/system/hardware.nix deleted file mode 100644 index c4c7dc9..0000000 --- a/system/system/hardware.nix +++ /dev/null @@ -1,9 +0,0 @@ -{modulesPath, ...}: { - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/headless.nix") - ]; - boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; - boot.initrd.kernelModules = ["nvme" "btrfs"]; -} diff --git a/system/system/packages.nix b/system/system/packages.nix deleted file mode 100644 index 4d33c6e..0000000 --- a/system/system/packages.nix +++ /dev/null @@ -1,9 +0,0 @@ -{pkgs, ...}: { - environment.systemPackages = with pkgs; [ - jre_minimal - git - zsh - neovim - btrfs-progs - ]; -} diff --git a/system/system/users.nix b/system/system/users.nix deleted file mode 100644 index 34e1648..0000000 --- a/system/system/users.nix +++ /dev/null 
@@ -1,59 +0,0 @@ -{pkgs, ...}: { - users.mutableUsers = false; - users.defaultUserShell = pkgs.zsh; - - users.users = { - root = { - #uid = 0; - #initialHashedPassword = null; # to lock root - # Backup, if something happens. TODO remove this later - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" - ]; - }; - - sils = { - name = "sils"; - isNormalUser = true; - home = "/srv/home/sils"; - initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE - uid = 1000; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - ]; - }; - - soispha = { - name = "soispha"; - isNormalUser = true; - home = "/srv/home/soispha"; - initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1"; - uid = 1001; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" - ]; - }; - - nightingale = { - name = "nightingale"; - isNormalUser = true; - home = "/srv/home/nightingale"; - initialHashedPassword = null; # TODO CHANGE - uid = 1002; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - ]; - }; - }; -} -# vim: ts=2 - diff --git a/system/users/default.nix b/system/users/default.nix new file mode 100644 index 0000000..34e1648 --- /dev/null +++ b/system/users/default.nix 
@@ -0,0 +1,59 @@ +{pkgs, ...}: { + users.mutableUsers = false; + users.defaultUserShell = pkgs.zsh; + + users.users = { + root = { + #uid = 0; + #initialHashedPassword = null; # to lock root + # Backup, if something happens. TODO remove this later + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" + ]; + }; + + sils = { + name = "sils"; + isNormalUser = true; + home = "/srv/home/sils"; + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE + uid = 1000; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + ]; + }; + + soispha = { + name = "soispha"; + isNormalUser = true; + home = "/srv/home/soispha"; + initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1"; + uid = 1001; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" + ]; + }; + + nightingale = { + name = "nightingale"; + isNormalUser = true; + home = "/srv/home/nightingale"; + initialHashedPassword = null; # TODO CHANGE + uid = 1002; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + ]; + }; + }; +} +# vim: ts=2 + -- cgit 1.4.1 From 1cacce0cbeb3c1018ac8960391f83c25dcaa17a0 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:25:25 +0100 Subject: Chore(flake): Update --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 7848d91..96245b1 100644 --- a/flake.lock +++ b/flake.lock 
@@ -18,11 +18,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1675512093, - "narHash": "sha256-u1CY4feK14B57E6T+0Bhkuoj8dpBxCPrWO+SP87UVP8=", + "lastModified": 1679058649, + "narHash": "sha256-tXbTGzCFFk5G0IOlhhuQtf3KQ0+9RNDk4O2YmEgvppk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8e8240194eda25b61449f29bb5131e02b28a5486", + "rev": "328c9c6f597b1edb75a114df61113d87c61ad60d", "type": "github" }, "original": { -- cgit 1.4.1 From f77f8848301bd0eaf742f177771554f6ce942bb9 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:27:54 +0100 Subject: Fix(system/mail): Disable protocols with STARTTLS This is inherently unsafe because it requires an unencrypted handshake. Considering that all protocols also work directly with TLS i.e., the encrypted variant, disabling this shouldn't be a drawback. --- system/mail/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/system/mail/default.nix b/system/mail/default.nix index b09f8f1..6fe82fd 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -4,6 +4,14 @@ fqdn = "server1.vhack.eu"; domains = ["vhack.eu"]; + enableImap = false; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = true; + # SMTP + enableSubmission = false; + enableSubmissionSsl = true; + mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; backup.snapshotRoot = "/srv/mail/backup"; -- cgit 1.4.1 From 6ba9c1452144b327963c9f0ae57ec5662b4f6ec1 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:54:20 +0100 Subject: Fix(system/mail): Make extraVirtualAliases fairer --- system/mail/default.nix | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/system/mail/default.nix b/system/mail/default.nix index 6fe82fd..67531af 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix 
@@ -1,5 +1,11 @@ # vim: ts=2 -{...}: { +{...}: let + all_admins = [ + "sils@vhack.eu" + "soispha@vhack.eu" + "nightingale@vhack.eu" + ]; +in { enable = true; fqdn = "server1.vhack.eu"; domains = ["vhack.eu"]; @@ -23,9 +29,9 @@ }; extraVirtualAliases = { - "abuse@vhack.eu" = ["sils@vhack.eu"]; - "postmaster@vhack.eu" = ["sils@vhack.eu"]; - "admin@vhack.eu" = ["sils@vhack.eu"]; + "abuse@vhack.eu" = all_admins; + "postmaster@vhack.eu" = all_admins; + "admin@vhack.eu" = all_admins; }; sieveDirectory = "/srv/mail/sieve"; -- cgit 1.4.1 From dc4334de217175ad7d1c0a4e2e3f98b2fef51784 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:56:04 +0100 Subject: Fix(system/users): Remove unneeded root ssh login keys All users are in the wheel group, thus direct login as root is no longer needed. --- system/services/opensshd/default.nix | 1 - system/users/default.nix | 7 ++----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/system/services/opensshd/default.nix b/system/services/opensshd/default.nix index cb9f2ba..75c5aef 100644 --- a/system/services/opensshd/default.nix +++ b/system/services/opensshd/default.nix @@ -8,7 +8,6 @@ passwordAuthentication = false; hostKeys = [ { - comment = "key comment"; path = "/srv/sshd/ssh_host_ed25519_key"; rounds = 1000; type = "ed25519"; diff --git a/system/users/default.nix b/system/users/default.nix index 34e1648..3555221 100644 --- a/system/users/default.nix +++ b/system/users/default.nix @@ -5,11 +5,8 @@ users.users = { root = { #uid = 0; - #initialHashedPassword = null; # to lock root - # Backup, if something happens. TODO remove this later + initialHashedPassword = null; # to lock root openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" ]; }; 
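Review bot: `all_admins` aliases `abuse@`, `postmaster@` and `admin@` to `soispha@vhack.eu` and `nightingale@vhack.eu`, but `loginAccounts` (just outside the second hunk) still defines only `sils@vhack.eu`. As far as I recall, nixos-mailserver asserts that every `extraVirtualAliases` target is a login account, and the later commit "Add other users, so the admin thing works" suggests this revision indeed failed to evaluate. Adding the two accounts in the same commit, or aliasing only to accounts that exist, keeps each commit buildable.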
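Review bot: `initialHashedPassword = null; # to lock root` sets the option to its default, so this line changes nothing on its own; what locks root here, as far as can be told from the hunk, is `users.mutableUsers = false` (outside the hunk) combined with no password option being set for root at all. The comment should say that rather than attribute the lock to this assignment, e.g. `# no password is set and mutableUsers = false, so the root account stays locked`. Emptying `openssh.authorizedKeys.keys` is the right companion to removing direct root login; a short comment that wheel users are the intended admin path would make the intent survive the next edit.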
@@ -17,7 +14,7 @@ name = "sils"; isNormalUser = true; home = "/srv/home/sils"; - initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; uid = 1000; extraGroups = [ "wheel" -- cgit 1.4.1 From 414ad162bc5ecdf71e3c5d674c18c6d65bd03a45 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:12:34 +0100 Subject: Fix(system/mail): Declare the password directly As outlined in commit 19f0808, placing a password hash in the world readable nix-store is perfectly safe as long as the hashing function is not reversible, which should be a necessity for a password hash. --- system/mail/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/mail/default.nix b/system/mail/default.nix index 67531af..2f58c03 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -24,7 +24,7 @@ in { loginAccounts = { "sils@vhack.eu" = { - hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"; + hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; }; }; -- cgit 1.4.1 From a24dc7da41c18ef68ea32b27995c60c9494f579c Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:34:44 +0100 Subject: Feat(system/mail): Use '/' to separate mailboxes This is something that just makes the file system easier to traverse, but isn't really necessary. --- system/mail/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/system/mail/default.nix b/system/mail/default.nix index 2f58c03..98af119 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -17,6 +17,7 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; + useFsLayout = true; mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; -- cgit 1.4.1 From d6fbe642e5762f1bd79dcfb0e68bf7df1c902d8d Mon Sep 17 00:00:00 2001 
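Review bot: Dropping the `# TODO CHANGE` marker makes the yescrypt hash for `sils` a permanent fixture of a version-controlled repository, which turns any weak password behind it into an offline-crackable one and cannot be undone later by rotating the hash, since git history keeps it. Prefer `passwordFile = "/srv/…"` (the 22.11 option name; `hashedPasswordFile` in later releases) pointing at a file kept out of the repo, mirroring the `hashedPasswordFile = "/srv/mail/.secrets/…"` pattern this same series used for the mailbox. If the hash is to stay in the repo, at least add `# hash is public: password must be high-entropy` so the assumption is explicit. The `users.users.sils` attribute set begins and ends outside this hunk.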
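Review bot: The new bcrypt hash `$2b$05$…` uses cost factor 5 (32 iterations), far below the customary floor of 10–12, and now that it lives in the world-readable Nix store and in git an offline guessing attack against it is cheap; the commit message's claim that an irreversible hash is "perfectly safe" to publish overlooks brute force. Regenerate with a higher cost, e.g. `mkpasswd -m bcrypt -R 12`, or keep the previous `hashedPasswordFile = "/srv/mail/.secrets/silsmailpswd"` so the hash never enters the store at all. Cost-5 hashes appear again for the accounts added later in this series, so the same applies there.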
From: ene Date: Sat, 18 Mar 2023 17:22:46 +0100 Subject: Style(system/mail): Reorder options I just think this is easier to read. --- system/mail/default.nix | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/system/mail/default.nix b/system/mail/default.nix index 98af119..7a206f5 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -10,19 +10,8 @@ in { fqdn = "server1.vhack.eu"; domains = ["vhack.eu"]; - enableImap = false; - enableImapSsl = true; - enablePop3 = false; - enablePop3Ssl = true; - # SMTP - enableSubmission = false; - enableSubmissionSsl = true; useFsLayout = true; - mailDirectory = "/srv/mail/vmail"; - dkimKeyDirectory = "/srv/mail/dkim"; - backup.snapshotRoot = "/srv/mail/backup"; - loginAccounts = { "sils@vhack.eu" = { hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; @@ -35,7 +24,21 @@ in { "admin@vhack.eu" = all_admins; }; + + mailDirectory = "/srv/mail/vmail"; + dkimKeyDirectory = "/srv/mail/dkim"; sieveDirectory = "/srv/mail/sieve"; + backup.snapshotRoot = "/srv/mail/backup"; + + + enableImap = false; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = true; + # SMTP + enableSubmission = false; + enableSubmissionSsl = true; + keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; -- cgit 1.4.1 From f2ab8429778b5b5c422160da6a11c15af815b55c Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 17:52:49 +0100 Subject: Feat(system/mail): Add other users, so the admin thing works --- system/mail/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/system/mail/default.nix b/system/mail/default.nix index 7a206f5..8eaa53b 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix 
@@ -16,6 +16,12 @@ in { "sils@vhack.eu" = { hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; }; + "soispha@vhack.eu" = { + hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW"; + }; + "nightingale@vhack.eu" = { + hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change + }; }; extraVirtualAliases = { -- cgit 1.4.1 From 083a7cbb9623c90468c887203bf95adc5f2e3201 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:43:26 +0100 Subject: Fix(system/mail): Only accept connections on safe ports It is sort of standard to ignore connections over the unencrypted port 25, thus we are doing the same. --- system/mail/default.nix | 4 ++-- system/services/default.nix | 2 ++ system/services/firewall/default.nix | 11 +++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 system/services/firewall/default.nix diff --git a/system/mail/default.nix b/system/mail/default.nix index 8eaa53b..7102958 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -30,13 +30,11 @@ in { "admin@vhack.eu" = all_admins; }; - mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; sieveDirectory = "/srv/mail/sieve"; backup.snapshotRoot = "/srv/mail/backup"; - enableImap = false; enableImapSsl = true; enablePop3 = false; @@ -44,8 +42,10 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; + openFirewall = false; # handled below keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; + } diff --git a/system/services/default.nix b/system/services/default.nix index acf20f5..4c39b8b 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,6 +1,8 @@ {config, ...}: { imports = [ ./acme + ./firewall + ./minecraft ./nginx ./nix ./opensshd 
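Review bot: `"$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"` is not a well-formed bcrypt string (wrong length, `,` and `_` are outside bcrypt's alphabet), so what Dovecot does with it is implementation-defined — most likely every login for `nightingale@vhack.eu` fails closed, but shipping a fake credential to a live server just to keep an alias target resolvable is fragile, and the later change/revert pair in this series shows it was contentious. Prefer `hashedPasswordFile = "/srv/mail/.secrets/nightingale"` with the file created out of band, as the repo did for `sils@` before, or leave the account out until a real hash exists. The `soispha@` hash added here also uses bcrypt cost 5, the same concern raised for `sils@`.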
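Review bot: `openFirewall = false; # handled below` points the reader at the wrong place: nothing below in this file opens ports, the rules live in the new `system/services/firewall/default.nix` added by the same commit. Change it to `openFirewall = false; # ports opened in services/firewall` so the two files stay linked when one of them is edited. The `./minecraft` import added to services/default.nix in this hunk has no matching file on this page and is commented out again in the very next commit, so it should not have been part of this change.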
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix new file mode 100644 index 0000000..23dbcc4 --- /dev/null +++ b/system/services/firewall/default.nix @@ -0,0 +1,11 @@ +# vim: ts=2 +{...}: { + networking.firewall = { + allowedTCPPorts = [ + # for mail protocols: + 465 # SMTP SSL + 995 # POP3 SSL + 993 # IMAP SSL + ]; + }; +} -- cgit 1.4.1 From 055f4e0191bba4c0dc1000dd2089906119717883 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:46:18 +0100 Subject: Fix(system/services/minecraft): Remove to make compile --- system/services/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/services/default.nix b/system/services/default.nix index 4c39b8b..f36cb29 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -2,7 +2,7 @@ imports = [ ./acme ./firewall - ./minecraft + #./minecraft ./nginx ./nix ./opensshd -- cgit 1.4.1 From 7881651fba877dd9a79c4c32422cd7305f0306b5 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:58:43 +0100 Subject: Fix(system/hardware): Use actually needed modules and UUID The old values did work, but these should just make things a bit clearer. --- hosts/server1/configuration.nix | 2 +- system/hardware/default.nix | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix index 694b6b4..ad3d8a3 100644 --- a/hosts/server1/configuration.nix +++ b/hosts/server1/configuration.nix @@ -10,7 +10,7 @@ networking.hostName = "server1"; networking.domain = "vhack.eu"; - system.fileSystemLayouts.mainDisk = "/dev/vda3"; + system.fileSystemLayouts.mainDisk = "/dev/disk/by-uuid/7d960eb9-9334-4aef-9f7c-9a908a91a6db"; system.stateVersion = "22.11"; } diff --git a/system/hardware/default.nix b/system/hardware/default.nix index c4c7dc9..9fabafe 100644 --- a/system/hardware/default.nix +++ b/system/hardware/default.nix 
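Review bot: Opening only 465/993/995 and deliberately leaving 25 closed breaks inbound mail: port 25 is the only port remote MTAs use to deliver to an MX, and 465 is a client-submission port no other mail server will try, so this is not "ignoring an unencrypted port" but refusing all incoming mail — which is what the later cb92ffc commit in this series reports ("receiving mail was impossible"). Encryption on 25 is opportunistic STARTTLS by design; add `25 # SMTP (inbound MTA, STARTTLS)` to this list and harden it with an MTA-STS policy or DANE rather than by closing it. The header comment `# for mail protocols:` would read better as `# mail: submission/IMAP/POP over implicit TLS` so the intent of the selection is explicit.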
@@ -4,6 +4,6 @@ (modulesPath + "/profiles/headless.nix") ]; boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; - boot.initrd.kernelModules = ["nvme" "btrfs"]; + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; } -- cgit 1.4.1 From 0b55d0277cd341eed9532677036e885c0ae038ed Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 18:01:16 +0100 Subject: Refactor(system/hardware): Move hardware to host The hardware settings are (somewhat) host specific, and putting them in `system` just builds the wrong expectations. --- hosts/server1/configuration.nix | 1 + hosts/server1/hardware.nix | 9 +++++++++ system/default.nix | 1 - system/hardware/default.nix | 9 --------- 4 files changed, 10 insertions(+), 10 deletions(-) create mode 100644 hosts/server1/hardware.nix delete mode 100644 system/hardware/default.nix diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix index ad3d8a3..891c5dc 100644 --- a/hosts/server1/configuration.nix +++ b/hosts/server1/configuration.nix @@ -1,6 +1,7 @@ {pkgs, ...}: { imports = [ ./networking.nix # network configuration that just works + ./hardware.nix ../../system ]; diff --git a/hosts/server1/hardware.nix b/hosts/server1/hardware.nix new file mode 100644 index 0000000..9fabafe --- /dev/null +++ b/hosts/server1/hardware.nix @@ -0,0 +1,9 @@ +{modulesPath, ...}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/headless.nix") + ]; + boot.loader.grub.device = "/dev/vda"; + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; +} diff --git a/system/default.nix b/system/default.nix index 9aa5d9e..d67ada2 100644 --- a/system/default.nix +++ b/system/default.nix 
@@ -1,7 +1,6 @@ {config, ...}: { imports = [ ./file_system_layouts - ./hardware ./packages ./services ./users diff --git a/system/hardware/default.nix b/system/hardware/default.nix deleted file mode 100644 index 9fabafe..0000000 --- a/system/hardware/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{modulesPath, ...}: { - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/headless.nix") - ]; - boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; - boot.initrd.kernelModules = []; -} -- cgit 1.4.1 From 8711fb2f30e59e21a31e3d4b7634dc66ef5c5917 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 18:42:33 +0100 Subject: Fix(hosts/server1/networking): Remove ipv6 route This is somewhat misconfigured, as it makes to config not compilable. I assume, that this route setting is needed, but believe, that having a compiling config is better. --- hosts/server1/networking.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix index 027bc27..ff83f52 100644 --- a/hosts/server1/networking.nix +++ b/hosts/server1/networking.nix @@ -34,10 +34,6 @@ } ]; ipv6.routes = [ - { - address = "fe80::1"; - prefixLength = 128; - } ]; }; }; -- cgit 1.4.1 From 25055f0921b0aed08e2d111fa295e0244fa44627 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 19:20:12 +0100 Subject: Revert "Fix(hosts/server1/networking): Remove ipv6 route" The commit didn't work and effectively disabled ipv6 --- hosts/server1/networking.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix index ff83f52..027bc27 100644 --- a/hosts/server1/networking.nix +++ b/hosts/server1/networking.nix @@ -34,6 +34,10 @@ } ]; ipv6.routes = [ + { + address = "fe80::1"; + prefixLength = 128; + } ]; }; }; -- cgit 1.4.1 From 7937ec74503243bb3e2782bc61b3aa61eacc6842 Mon Sep 17 00:00:00 2001 
From: ene Date: Sun, 19 Mar 2023 20:16:17 +0100 Subject: Fix(hosts/server1/networking): Fix Gateways Assigning a specific interface for a gateway should make it easier for nixos to configure it. --- hosts/server1/networking.nix | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix index 26d6719..dd86494 100644 --- a/hosts/server1/networking.nix +++ b/hosts/server1/networking.nix @@ -5,8 +5,14 @@ nameservers = [ "8.8.8.8" ]; - defaultGateway = "89.58.56.1"; - defaultGateway6 = "fe80::1"; + defaultGateway = { + address = "89.58.56.1"; + interface = "eth0"; + }; + defaultGateway6 = { + address = "fe80::1"; + interface = "eth0"; + }; dhcpcd.enable = false; usePredictableInterfaceNames = lib.mkForce false; interfaces = { -- cgit 1.4.1 From 9243e3d00215aff3abb47e6b868ebee2eb14c0ed Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 20:17:34 +0100 Subject: Fix(hosts/server1/networking): Correct ipv6 The used ips were straight up wrong. --- hosts/server1/networking.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/hosts/server1/networking.nix b/hosts/server1/networking.nix index dd86494..d3c5422 100644 --- a/hosts/server1/networking.nix +++ b/hosts/server1/networking.nix @@ -25,11 +25,7 @@ ]; ipv6.addresses = [ { - address = "2a03:4000:6a:3f3:6422:6dff:fe82:939b"; - prefixLength = 64; - } - { - address = "fe80::6422:6dff:fe82:939b"; + address = "2a03:4000:6a:3f3::1"; prefixLength = 64; } ]; -- cgit 1.4.1 From 6e1e8125bb4186ecf32017a3a09ec980fdc2cb7d Mon Sep 17 00:00:00 2001 
From: ene Date: Mon, 20 Mar 2023 15:03:19 +0100 Subject: Revert "Revert "Merge pull request 'Feat: Add Website' (#17) from server1_nginx into server1"" This reverts commit b0599a3d23878da7335e6ae754ebffbd9ac7cbc3. This may seem ridiculous, and it is, but some things are just necessary. --- flake.nix | 1 - services/default.nix | 2 ++ services/services/acme.nix | 6 ++++++ services/services/nginx.nix | 15 +++++++++++++++ 4 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 services/services/acme.nix create mode 100644 services/services/nginx.nix diff --git a/flake.nix b/flake.nix index 2e52203..9df3c84 100644 --- a/flake.nix +++ b/flake.nix @@ -18,4 +18,3 @@ }; }; } - diff --git a/services/default.nix b/services/default.nix index 8029ee2..c301ba1 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,5 +1,7 @@ {config, ...}: { imports = [ + ./services/acme.nix + ./services/nginx.nix ./services/nix.nix ./services/opensshd.nix ./services/rust-motd.nix diff --git a/services/services/acme.nix b/services/services/acme.nix new file mode 100644 index 0000000..42f9ed5 --- /dev/null +++ b/services/services/acme.nix @@ -0,0 +1,6 @@ +{...}: { + security.acme = { + acceptTerms = true; + defaults.email = "admin@vhack.eu"; + }; +} diff --git a/services/services/nginx.nix b/services/services/nginx.nix new file mode 100644 index 0000000..204783b --- /dev/null +++ b/services/services/nginx.nix @@ -0,0 +1,15 @@ +{...}: { + networking.firewall = { + allowedTCPPorts = [80 443]; + }; + services.nginx = { + enable = true; + virtualHosts = { + "vhack.eu" = { + forceSSL = true; + enableACME = true; + root = "/srv/www/vhack.eu"; + }; + }; + }; +} -- cgit 1.4.1 From ecb274ba49042f1dfdf63b9c54ff6920f24a9a58 Mon Sep 17 00:00:00 2001 From: ene Date: Mon, 20 Mar 2023 15:19:26 +0100 Subject: Fix(system/mail): Change placeholder The old one, could have exposed a weak hash. --- system/mail/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
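Review bot: The only ACME certificate requested anywhere on this page is for the `vhack.eu` virtual host, yet the mail module in this series reads `/var/lib/acme/server1.vhack.eu/{key,fullchain}.pem` with `certificateScheme = 1`; unless a `security.acme.certs."server1.vhack.eu"` entry exists elsewhere in the repo, Postfix and Dovecot will point at files nobody issues. Add `"server1.vhack.eu"` as a second virtual host with `enableACME = true` next to `vhack.eu` (or a `security.acme.certs` entry), and check that the key is readable by the mail daemons, since the acme module keeps keys non-world-readable as far as I recall. Independently, `forceSSL = true` gives the redirect and TLS but no HSTS; `services.nginx.recommendedTlsSettings = true` plus a `Strict-Transport-Security` header in `extraConfig` would be worth adding.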
diff --git a/system/mail/default.nix b/system/mail/default.nix index 7102958..be2a33f 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -20,7 +20,7 @@ in { hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW"; }; "nightingale@vhack.eu" = { - hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change + hashedPasswordFile = "/this/is/an/non/existing/path/and/should/be/considerd/a/palce/holder"; # TODO change }; }; -- cgit 1.4.1 From 2cbf5571d702187357e9bbb90de1f5584e31dd5f Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 20 Mar 2023 15:36:06 +0100 Subject: Revert "Fix(system/mail): Change placeholder" This reverts commit ecb274ba49042f1dfdf63b9c54ff6920f24a9a58. It may be a security-risk, but I care much more about a running mailserver for now. --- system/mail/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/mail/default.nix b/system/mail/default.nix index be2a33f..7102958 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -20,7 +20,7 @@ in { hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW"; }; "nightingale@vhack.eu" = { - hashedPasswordFile = "/this/is/an/non/existing/path/and/should/be/considerd/a/palce/holder"; # TODO change + hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change }; }; -- cgit 1.4.1 From ab3c9aa228ecaf79fae5cc1d2bdcb84f2e12951e Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 20 Mar 2023 15:43:05 +0100 Subject: Fix(acme): Store certs permanently. Before, new certs were requested at every rebuild. This caused issues due to letsencrypt ratelimiting. --- system/file_system_layouts/default.nix | 4 ++++ system/mail/default.nix | 1 - 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/system/file_system_layouts/default.nix b/system/file_system_layouts/default.nix index 9d03a05..31b0b0b 100644 --- a/system/file_system_layouts/default.nix 
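Review bot: Reverting to the literal placeholder restores a malformed bcrypt string in production configuration for the sake of a deployable system; the intermediate `hashedPasswordFile` form was the right shape and presumably only failed because its path did not exist on the host. Point it at a real file created out of band on the persistent volume, e.g. `hashedPasswordFile = "/srv/mail/.secrets/nightingale"; # mkpasswd -m bcrypt -R 12 > this file`, which keeps the system building, keeps the hash out of the store, and yields a working account the moment the file is written. Dovecot's behaviour on a malformed hash is not something I can verify from here, so please treat the placeholder as undefined rather than "locked".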
+++ b/system/file_system_layouts/default.nix @@ -40,6 +40,10 @@ in { device = "/srv/nix-config"; options = ["bind"]; }; + "/var/lib/acme" = { + device = "/srv/acme"; + options = ["bind"]; + }; }; }; } diff --git a/system/mail/default.nix b/system/mail/default.nix index 7102958..d2fd55c 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -47,5 +47,4 @@ in { keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; - } -- cgit 1.4.1 From 8d8ad7a9f79ba88cc5b07e8f5f4d1a4cded4ff1b Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 13:41:53 +0100 Subject: Feat(system/services/fail2ban): Add fail2ban This should clear the logs somewhat. --- system/services/default.nix | 1 + system/services/fail2ban/default.nix | 14 ++++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 system/services/fail2ban/default.nix diff --git a/system/services/default.nix b/system/services/default.nix index f36cb29..5d9e5b6 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -7,5 +7,6 @@ ./nix ./opensshd ./rust-motd + ./fail2ban ]; } diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix new file mode 100644 index 0000000..5b5e9e7 --- /dev/null +++ b/system/services/fail2ban/default.nix @@ -0,0 +1,14 @@ +# vim: ts=2 +{...}: { + services.fail2ban = { + enable = true; + maxretry = 2; # ban after 2 failures + bantime-increment = { + enable = true; + rndtime = "8m"; + overalljails = true; + multipliers = "2 4 16 128 256"; + maxtime = "72h"; + }; + }; +} -- cgit 1.4.1 From 1fc72de6b6606f6c97ccf9883a88705260dd3ac8 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 13:59:51 +0100 Subject: Fix(system/services/fail2ban): Make db persistent --- system/services/fail2ban/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) 
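Review bot: Bind-mounting `/srv/acme` over `/var/lib/acme` stops the re-issuance loop, but the persistent directory's ownership and mode now decide what the acme module sees; if `/srv/acme` was created by hand with default root:root permissions, anything already under it keeps those modes and the module's per-certificate directories (acme-owned, keys 0600, as far as I recall) only apply to what lego writes afresh. A comment such as `# persisted ACME state; must stay acme:acme, keys 0600` and a `systemd.tmpfiles.rules` entry enforcing the ownership would make that contract explicit. The `fileSystems` attribute set this hunk extends starts outside the hunk.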
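Review bot: `maxretry = 2` combined with escalating bans up to 72h, `overalljails = true` and no `ignoreIP` means two typos from an operator's own address ban that address across every jail for a growing window — including the ssh jail the NixOS module enables by default, as far as I recall — so locking yourself out of the only management path is the realistic failure here. Add `ignoreIP = [ "127.0.0.0/8" "::1" ];` extended with the operators' static ranges or a bastion, and consider a less aggressive `maxretry` for sshd, where `passwordAuthentication = false` elsewhere in this repo already limits what a brute-forcer can achieve. At minimum a comment `# NOTE: no ignoreIP — admins can ban themselves` should record the trade-off.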
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix index 5b5e9e7..949b486 100644 --- a/system/services/fail2ban/default.nix +++ b/system/services/fail2ban/default.nix @@ -3,6 +3,13 @@ services.fail2ban = { enable = true; maxretry = 2; # ban after 2 failures + daemonConfig = '' + [Definition] + logtarget = SYSLOG + socket = /run/fail2ban/fail2ban.sock + pidfile = /run/fail2ban/fail2ban.pid + dbfile = /srv/fail2ban/fail2ban.sqlite3 + ''; bantime-increment = { enable = true; rndtime = "8m"; -- cgit 1.4.1 From dce980ddb127a470b188fd6efbfb8ddb5b0fe315 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 14:00:29 +0100 Subject: Feat(system/services/fail2ban): Add dovecot jail This should reduce the log spam even further. --- system/services/fail2ban/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix index 949b486..5aee097 100644 --- a/system/services/fail2ban/default.nix +++ b/system/services/fail2ban/default.nix @@ -17,5 +17,14 @@ multipliers = "2 4 16 128 256"; maxtime = "72h"; }; + jails = { + dovecot = '' + # block IPs which failed to log-in + # aggressive mode add blocking for aborted connections + enabled = true + filter = dovecot[mode=aggressive] + maxretry = 2 + ''; + }; }; } -- cgit 1.4.1 From 64a554d1af2de6d07ebe61be1f5a3181a5f90b81 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 14:32:23 +0100 Subject: Fix(system/services/rust-motd): Add fail2ban binary --- system/services/rust-motd/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix index 21bc1cd..4f65dce 100644 --- a/system/services/rust-motd/default.nix +++ b/system/services/rust-motd/default.nix 
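Review bot: Pointing `dbfile` at `/srv/fail2ban/fail2ban.sqlite3` only works if the service can write there: the NixOS fail2ban unit ships with a `ProtectSystem = "strict"` sandbox whose `ReadWritePaths` covers `/var/lib/fail2ban` and `/run`, as far as I recall, so `/srv/fail2ban` would be read-only and the daemon would fail to open its database. Either add `systemd.services.fail2ban.serviceConfig.ReadWritePaths = [ "/srv/fail2ban" ];` next to this, or — consistent with the ACME fix elsewhere in this series — bind-mount `/srv/fail2ban` onto `/var/lib/fail2ban` and drop the `daemonConfig` override, which also stops this copied `[Definition]` block from drifting from the module's defaults. Please verify against the running unit with `systemctl show fail2ban -p ReadWritePaths`.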
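Review bot: The new `dovecot` jail watches only Dovecot's IMAP/POP login failures; authentication failures on the SMTP submission port are handled and logged by Postfix, so brute force against 465 is not banned by this jail unless those failures also surface in Dovecot's log (they may, since the mailserver module uses Dovecot as Postfix's SASL backend, but I cannot confirm that from here). A `postfix` jail with `filter = postfix[mode=auth]` alongside this one closes that gap. The `maxretry = 2` line merely repeats the global value set above and can be dropped.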
@@ -3,6 +3,15 @@ pkgs, ... }: { + systemd.services.rust-motd = { + path = builtins.attrValues { + inherit + (pkgs) + bash + fail2ban # Needed for rust-motd fail2ban integration + ; + }; + }; programs.rust-motd = { enable = true; enableMotdInSSHD = true; -- cgit 1.4.1 From 4758e5881daa1aa762c6e6e9734faea618dea70c Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 14:32:56 +0100 Subject: Feat(system/services/rust-motd): Show status of ssl-certs --- system/services/rust-motd/default.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix index 4f65dce..100fcb4 100644 --- a/system/services/rust-motd/default.nix +++ b/system/services/rust-motd/default.nix @@ -54,14 +54,14 @@ # [user_service_status] # gpg-agent = "gpg-agent" - #s_s_l_certs = { - # sort_method = "manual" - # - # certs = { - # CertName1 = "/path/to/cert1.pem" - # CertName2 = "/path/to/cert2.pem" - # } - #}; + s_s_l_certs = { + sort_method = "manual"; + + certs = { + server1.vhack.eu = "/var/lib/acme/server1.vhack.eu/cert.pem"; + vhack.eu = "/var/lib/acme/vhack.eu/cert.pem"; + }; + }; filesystems = { root = "/"; -- cgit 1.4.1 From f84a9f6a80657d9c9f072a9338d46f7d8c2b79f5 Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 25 Mar 2023 14:33:48 +0100 Subject: Feat(system/services/rust-motd): Info about filesystems --- system/services/rust-motd/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix index 100fcb4..f21c0c4 100644 --- a/system/services/rust-motd/default.nix +++ b/system/services/rust-motd/default.nix @@ -65,6 +65,9 @@ filesystems = { root = "/"; + persistent = "/srv"; + store = "/nix"; + boot = "/boot"; }; memory = { -- cgit 1.4.1 From f21504ae85559a2b5a6381afeda451e1eb310f9d Mon Sep 17 00:00:00 2001 
From: ene Date: Sat, 25 Mar 2023 14:40:30 +0100 Subject: Fix(system/services/rust-motd): Quote ssl-cert names --- system/services/rust-motd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix index f21c0c4..1a41b32 100644 --- a/system/services/rust-motd/default.nix +++ b/system/services/rust-motd/default.nix @@ -58,8 +58,8 @@ sort_method = "manual"; certs = { - server1.vhack.eu = "/var/lib/acme/server1.vhack.eu/cert.pem"; - vhack.eu = "/var/lib/acme/vhack.eu/cert.pem"; + "server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem"; + "vhack.eu" = "/var/lib/acme/vhack.eu/cert.pem"; }; }; -- cgit 1.4.1 From cb92ffc878fcb417bd66b3b30ef1ff189a5aa44c Mon Sep 17 00:00:00 2001 From: ene Date: Fri, 7 Apr 2023 22:02:24 +0200 Subject: Fix(system/mail): Allow opening ports in the firewall As the previous configuration only opened some ports, receiving mail was impossible. This allows NSM to open the required ports directly, ensuring that none was missed. SECURITY: As all other options than SSL are still disabled, this change should not introduce unencrypted mail transfer. This has not been tested. --- system/mail/default.nix | 2 +- system/services/default.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/system/mail/default.nix b/system/mail/default.nix index d2fd55c..b1da088 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -42,7 +42,7 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; - openFirewall = false; # handled below + openFirewall = true; keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; diff --git a/system/services/default.nix b/system/services/default.nix index 5d9e5b6..6e5cb3c 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,7 +1,7 @@ {config, ...}: { imports = [ ./acme - ./firewall +# ./firewall #./minecraft ./nginx ./nix -- cgit 1.4.1 
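Review bot: `openFirewall = true` lets the mailserver module open every port it serves, which the commit message says was necessary to receive mail, but the `SECURITY:` paragraph understates the effect: port 25 is now reachable (presumably alongside 465/993/995 given the toggles above), and inbound delivery there is plaintext unless the sending MTA opportunistically negotiates STARTTLS, which the `enable*Ssl` options do not control. Document that rather than implying plaintext is gone, e.g. `openFirewall = true; # opens 25 (inbound MTA, opportunistic STARTTLS) plus the *Ssl ports`, and consider publishing an MTA-STS policy so well-behaved senders enforce TLS. In services/default.nix the commented-out `# ./firewall` leaves a dead module behind; delete `system/services/firewall/` outright instead of keeping a disabled import.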
From 8ed397938bc38f11720fcf7d9b44dbb7d0c9c642 Mon Sep 17 00:00:00 2001 From: sils Date: Sat, 8 Apr 2023 08:27:52 +0200 Subject: Chore(flake): Update Shouldn't cause any trouble and is necessary to keep things secure. --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 96245b1..d23d600 100644 --- a/flake.lock +++ b/flake.lock @@ -18,11 +18,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1679058649, - "narHash": "sha256-tXbTGzCFFk5G0IOlhhuQtf3KQ0+9RNDk4O2YmEgvppk=", + "lastModified": 1680899675, + "narHash": "sha256-3ogGOPFcSuhf7NrPNREFApkGkLBR2og5lyBJY7+mbig=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "328c9c6f597b1edb75a114df61113d87c61ad60d", + "rev": "d426ae4241ef89fcbd646cd796abd3e83167f54d", "type": "github" }, "original": { -- cgit 1.4.1