authorandromeda <andromeda@lenovo>2026-01-06 14:52:34 +0100
committerandromeda <andromeda@lenovo>2026-01-06 14:52:34 +0100
commitc9a5c521dbc7785aa4a6c1f410e547202075c13b (patch)
tree4362c945c787bac5d7d1bb63d04d7281bfddf6c8
parent0a7e0c699e2f4fa07fb6dde0080da4eb3ac8f746 (diff)
stash
-rw-r--r--flake.nix10
-rw-r--r--machines.nix39
-rw-r--r--machines/109-199-104-83.nix35
-rw-r--r--machines/109-199-104-83/configuration.nix105
-rw-r--r--machines/lenovo/configuration.nix1
-rw-r--r--modules/nixos/boot/109-199-104-83.nix3
-rw-r--r--modules/nixos/common.nix16
-rw-r--r--modules/nixos/mailserver.nix30
-rw-r--r--modules/nixos/networking/domains/galaxious.de.nix3
-rw-r--r--modules/nixos/networking/hard-ssh.nix19
-rw-r--r--modules/nixos/networking/networks/109-199-104-83.nix27
-rw-r--r--modules/nixos/networking/ssh-as-root.nix3
-rw-r--r--modules/nixos/roundcube.nix12
-rw-r--r--modules/nixos/zulip.nix67
-rw-r--r--pub-keys.nix2
-rw-r--r--secrets/mailserver-acc-admin-pw.age9
-rw-r--r--secrets/mailserver-acc-zulip+admin-pw.agebin0 -> 506 bytes
-rw-r--r--secrets/secrets.nix2
18 files changed, 228 insertions, 155 deletions
diff --git a/flake.nix b/flake.nix
index 8bd44d7..0965a26 100644
--- a/flake.nix
+++ b/flake.nix
@@ -62,7 +62,6 @@
modules =
modules
++ [
- ./machines/${machine.hostname}/configuration.nix
./users.nix
./secrets.nix
impermanence.nixosModules.impermanence
@@ -77,6 +76,15 @@
nix-zulip'.overlays.default
];
}
+ (
+ if machine.hostname != "109-199-104-83"
+ then
+ {config, ...}: {
+ imports = [./machines/${machine.hostname}/configuration.nix];
+ networking.domain = config.networking.hostName; # temporary fix
+ }
+ else {imports = machine.modules;}
+ )
];
};
configurationWithHomeManager = machine: (configuration machine
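Review bot: The `if machine.hostname != "109-199-104-83"` branch at the top of the new element hard-codes one host into the generic flake, while machines.nix now gives every machine a `modules` attribute (lenovo's is an empty list), so the attribute exists but is only honored for one host. Treating `machine.modules` uniformly and letting each machine list its own `./machines/<host>/configuration.nix` there would remove the special case: `{config, ...}: { imports = machine.modules; }`. The `networking.domain = config.networking.hostName; # temporary fix` line would then move into whichever module needs it, wrapped in `lib.mkDefault` so a real domain module can override it without a priority conflict. The `configuration` function this sits in starts before the hunk.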
diff --git a/machines.nix b/machines.nix
index 2e6d191..90a2e61 100644
--- a/machines.nix
+++ b/machines.nix
@@ -6,10 +6,47 @@
"andromeda"
"mtgmonkey"
];
+ modules = [
+ ];
};
"109-199-104-83" = {
- hostname = "109-199-104-83";
system = "x86_64-linux";
users = [];
+ modules = [
+ # hardware configuration
+ # verbatim as `nixos-generate-config` AND `system.stateVersion`
+ ./machines/109-199-104-83.nix
+
+ # boot process
+ # grub boot on /dev/sda
+ ./modules/nixos/boot/109-199-104-83.nix
+
+ # networking
+ ./modules/nixos/networking/domains/galaxious.de.nix
+ ./modules/nixos/networking/networks/109-199-104-83.nix
+
+ # ssh through port 5522 among other things
+ ./modules/nixos/networking/hard-ssh.nix
+ ./modules/nixos/networking/ssh-as-root.nix
+
+ # boilerplate settings
+ ./modules/nixos/common.nix
+
+ # simple-nixos-mailserver email server
+ # mail.domain
+ ./modules/nixos/mailserver.nix
+
+ # roundcube webmail client
+ # webmail.domain
+ ./modules/nixos/roundcube.nix
+
+ # zulip chat client
+ # chat.domain
+ # zulip chat server
+ # zulip.domain
+ ./modules/nixos/zulip.nix
+ {
+ }
+ ];
};
}
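Review bot: `hard-ssh.nix` and `ssh-as-root.nix`, listed together under the ssh comment, both define `services.openssh.settings.PermitRootLogin` ("no" and "yes") at the same priority, and for this enum-typed option NixOS reports conflicting definitions rather than letting the later import win, so one side needs an explicit `lib.mkForce` or `lib.mkDefault`. The deleted configuration.nix also carried `users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda]`, and none of the new modules visible here re-adds a root key, so if root SSH is intended the key must now come from users.nix or elsewhere. A one-line comment next to the two imports stating which one is meant to win, and why root login is wanted on this host, would make the intent auditable.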
diff --git a/machines/109-199-104-83.nix b/machines/109-199-104-83.nix
new file mode 100644
index 0000000..9b61ca4
--- /dev/null
+++ b/machines/109-199-104-83.nix
@@ -0,0 +1,35 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/159e6a69-b4e2-49c3-a6f0-5fcba0ea6a59";
+ fsType = "ext4";
+ };
+
+ fileSystems."/efi" = {
+ device = "systemd-1";
+ fsType = "autofs";
+ };
+
+ swapDevices = [];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ system.stateVersion = "25.11";
+}
diff --git a/machines/109-199-104-83/configuration.nix b/machines/109-199-104-83/configuration.nix
deleted file mode 100644
index a7371c2..0000000
--- a/machines/109-199-104-83/configuration.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{
- config,
- modulesPath,
- machine,
- ...
-}: {
- # zulip config
- services.zulip = {
- enable = true;
- host = "chat.${config.networking.domain}";
- camoKeyFile = builtins.toFile "camoKeyFile" "key";
- rabbitmqPasswordFile = builtins.toFile "rabbitmqPasswordFile" "password";
- secretKeyFile = builtins.toFile "secretKeyFile" "secret key";
- sharedSecretKeyFile = builtins.toFile "sharedSecretKeyFile" "shared secret key";
- avatarSaltKeyFile = builtins.toFile "avatarSaltKeyFile" "avatar salt key";
- zulipSettings = {
- EXTERNAL_HOST = "EXTERNAL_HOST";
- ZULIP_ADMINISTRATOR = "ZULIP_ADMINISTRATOR";
- };
- };
-
- # roundcube config
- services.roundcube = {
- enable = true;
- hostName = "webmail.${config.networking.domain}";
- extraConfig = ''
- $config['imap_host'] = "ssl://${config.mailserver.fqdn}";
- $config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
- $config['smtp_user'] = "%u";
- $config['smtp_pass'] = "%p";
- '';
- };
-
- # mailserver config
- mailserver = {
- enable = true;
- stateVersion = 3;
- fqdn = "mail.${config.networking.domain}";
- domains = ["${config.networking.domain}"];
- x509.useACMEHost = config.mailserver.fqdn;
- loginAccounts = {
- "test@${config.networking.domain}" = {
- hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
- };
- };
- };
-
- # cert config
- security.acme = {
- acceptTerms = true;
- defaults.email = "mtgmonket@gmail.com";
- };
- services.nginx = {
- enable = true;
- virtualHosts."mail.${config.networking.domain}" = {
- forceSSL = true;
- enableACME = true;
- };
- };
-
- # system config
- system.stateVersion = "25.11";
- nix.settings.experimental-features = ["flakes" "nix-command"];
- imports = [(modulesPath + "/profiles/qemu-guest.nix")];
- fileSystems."/" = {
- device = "/dev/sda1";
- fsType = "ext4";
- };
- boot.loader.grub.device = "/dev/sda";
- boot.loader.timeout = 30;
- boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
- boot.initrd.kernelModules = ["nvme"];
- boot.tmp.cleanOnBoot = true;
- zramSwap.enable = true;
- networking = {
- useNetworkd = true;
- usePredictableInterfaceNames = true;
- hostName = machine.hostname;
- domain = "galaxious.de";
- firewall = {
- enable = true;
- allowedTCPPorts = [80 443];
- allowedUDPPorts = [80 443];
- };
- };
- systemd.network = {
- enable = true;
- networks."40-wan" = {
- matchConfig.Name = "enx0050565f4fff";
- address = ["2a02:c207:2299:8419::1/64" "109.199.104.83/20"];
- routes = [
- {
- Gateway = "109.199.96.1";
- GatewayOnLink = true;
- }
- {Gateway = "fe80::1";}
- ];
- dns = ["2620:fe::fe" "9.9.9.9"];
- };
- };
- services.openssh.enable = true;
- users.mutableUsers = false;
- users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
- programs.noshell.enable = true;
-}
diff --git a/machines/lenovo/configuration.nix b/machines/lenovo/configuration.nix
index 152d136..05dd082 100644
--- a/machines/lenovo/configuration.nix
+++ b/machines/lenovo/configuration.nix
@@ -8,6 +8,7 @@
imports = [
./impermanence.nix
(modulesPath + "/installer/scan/not-detected.nix")
+ ../../modules/nixos/zulip.nix
];
boot.loader = {
efi.canTouchEfiVariables = true;
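Review bot: Importing `../../modules/nixos/zulip.nix` on the laptop also pulls in `modules/nixos/mailserver.nix`, because zulip.nix imports it unconditionally, so this one line enables the mail server, nginx with ACME and two mailbox accounts on `lenovo`. With the laptop's domain falling back to its hostname (the flake's "temporary fix"), that yields names like `mail.lenovo` that ACME cannot issue certificates for. If Zulip on lenovo is only for local testing, gate the coupling instead of importing the server stack here — for example define the `mailserver.loginAccounts` entry in zulip.nix only when `config.mailserver.enable` is already true, or drop the import from zulip.nix and list mailserver.nix explicitly per machine.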
diff --git a/modules/nixos/boot/109-199-104-83.nix b/modules/nixos/boot/109-199-104-83.nix
new file mode 100644
index 0000000..ec2def1
--- /dev/null
+++ b/modules/nixos/boot/109-199-104-83.nix
@@ -0,0 +1,3 @@
+{
+ boot.loader.grub.device = "/dev/sda";
+}
diff --git a/modules/nixos/common.nix b/modules/nixos/common.nix
new file mode 100644
index 0000000..3c00de0
--- /dev/null
+++ b/modules/nixos/common.nix
@@ -0,0 +1,16 @@
+{config, ...}: {
+ # flakes usage
+ nix.settings.experimental-features = [
+ "flakes"
+ "nix-command"
+ ];
+
+ # allows users to customize shell in `$XDG_CONFIG_HOME/shell` rather than
+ # needing /etc/shells. Useful for home-manager. Falls back.
+ programs.noshell.enable = true;
+
+ # cleans /tmp to maintain a tidy system
+ boot.tmp.cleanOnBoot = true;
+
+ networking.domain = config.networking.hostname;
+}
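Review bot: `networking.domain = config.networking.hostname;` on the last line reads a non-existent option — the NixOS option is `networking.hostName` — so evaluating any host that imports common.nix will fail with a missing-attribute error. Even with the name fixed, the assignment has the same priority as `networking.domain = "galaxious.de"` in `domains/galaxious.de.nix`, which the mail host imports alongside this module, and `networking.domain` is a plain string option, so the two definitions conflict. Make it the fallback instead: `{config, lib, ...}: {` and `networking.domain = lib.mkDefault config.networking.hostName;`, with a comment such as `# fallback only; a domains/*.nix module is expected to override this`.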
diff --git a/modules/nixos/mailserver.nix b/modules/nixos/mailserver.nix
new file mode 100644
index 0000000..c71dc03
--- /dev/null
+++ b/modules/nixos/mailserver.nix
@@ -0,0 +1,30 @@
+{config, ...}: {
+ mailserver = {
+ enable = true;
+ stateVersion = 3;
+ fqdn = "mail.${config.networking.domain}";
+ domains = ["${config.networking.domain}"];
+ x509.useACMEHost = config.mailserver.fqdn;
+ loginAccounts = {
+ "test@${config.networking.domain}" = {
+ hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
+ };
+ "admin@${config.networking.domain}" = {
+ hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-admin-pw.path;
+ };
+ };
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "mail.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "mtgmonket@gmail.com";
+ };
+}
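Review bot: The `test@${config.networking.domain}` login account is carried over unchanged into a module that now also hosts the `admin@` mailbox on the public mail server; a predictable `test` account with a real password is a standing target for credential guessing over SMTP/IMAP and is easy to forget. If it exists only to validate the setup, remove it once done or mark it: `# temporary account for verifying delivery; remove before relying on this host`. Nothing visible in this commit limits authentication attempts (no fail2ban or equivalent in the new modules), so each extra account adds directly to that exposure.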
diff --git a/modules/nixos/networking/domains/galaxious.de.nix b/modules/nixos/networking/domains/galaxious.de.nix
new file mode 100644
index 0000000..eab573e
--- /dev/null
+++ b/modules/nixos/networking/domains/galaxious.de.nix
@@ -0,0 +1,3 @@
+{
+ networking.domain = "galaxious.de";
+}
diff --git a/modules/nixos/networking/hard-ssh.nix b/modules/nixos/networking/hard-ssh.nix
new file mode 100644
index 0000000..849af9b
--- /dev/null
+++ b/modules/nixos/networking/hard-ssh.nix
@@ -0,0 +1,19 @@
+{
+ services.openssh = {
+ enable = true;
+ allowSFTP = false;
+ ports = [5522];
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = true;
+ };
+ extraConfig = ''
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ MaxAuthTries 3
+ MaxSessions 4
+ TCPKeepAlive no
+ '';
+ };
+}
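Review bot: `KbdInteractiveAuthentication = true;` undoes most of what `PasswordAuthentication = false;` is meant to achieve, because keyboard-interactive authentication goes through PAM and will still prompt for, and accept, the account password. For a module named hard-ssh the intended setting is `KbdInteractiveAuthentication = false;`; a host that really wants password logins can override that explicitly. The options placed in `extraConfig` (`AllowTcpForwarding`, `AllowAgentForwarding`, `MaxAuthTries`, `MaxSessions`, `TCPKeepAlive`) can live in `settings` as well, which keeps them overridable with `lib.mkForce` from other modules such as ssh-as-root.nix instead of being appended as opaque text.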
diff --git a/modules/nixos/networking/networks/109-199-104-83.nix b/modules/nixos/networking/networks/109-199-104-83.nix
new file mode 100644
index 0000000..2cacb55
--- /dev/null
+++ b/modules/nixos/networking/networks/109-199-104-83.nix
@@ -0,0 +1,27 @@
+{
+ networking = {
+ useNetworkd = true;
+ usePredictableInterfaceNames = true;
+ hostName = "109-199-104-83";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [80 443];
+ };
+ };
+ systemd.network = {
+ enable = true;
+ networks."40-wan" = {
+ matchConfig.Name = "enx0050565f4fff";
+ address = ["2a02:c207:2299:8419::1/64" "109.199.104.83/20"];
+ routes = [
+ {
+ Gateway = "109.199.96.1";
+ GatewayOnLink = true;
+ }
+ {Gateway = "fe80::1";}
+ ];
+ dns = ["2620:fe::fe" "9.9.9.9"];
+ };
+ };
+}
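Review bot: `allowedUDPPorts = [80 443];` opens two UDP ports that nothing in this configuration listens on — nginx here serves plain HTTP/HTTPS, with no QUIC/HTTP3 enabled in any visible virtual host. Unused open ports are attack surface and mislead the next reader into thinking QUIC is served; drop the line unless `quic = true` is added to a vhost. The SSH port from hard-ssh.nix (5522) and the mail ports are not listed here, so they presumably rely on the respective modules' `openFirewall` defaults — a comment saying so would keep the firewall policy readable from one place.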
diff --git a/modules/nixos/networking/ssh-as-root.nix b/modules/nixos/networking/ssh-as-root.nix
new file mode 100644
index 0000000..d882a46
--- /dev/null
+++ b/modules/nixos/networking/ssh-as-root.nix
@@ -0,0 +1,3 @@
+{
+ services.openssh.settings.PermitRootLogin = "yes";
+}
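Review bot: `PermitRootLogin = "yes"` is broader than needed for key-based admin access: it also permits root to authenticate by password or keyboard-interactive, which is exactly what hard-ssh.nix tries to close. `prohibit-password` (the NixOS default) keeps root reachable with its authorized key only: `services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";`, with `lib` added to the module arguments. The `lib.mkForce` is also required because hard-ssh.nix defines the same option at default priority; without an explicit priority the two modules cannot be imported together.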
diff --git a/modules/nixos/roundcube.nix b/modules/nixos/roundcube.nix
new file mode 100644
index 0000000..0749af5
--- /dev/null
+++ b/modules/nixos/roundcube.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+ services.roundcube = {
+ enable = true;
+ hostName = "webmail.${config.networking.domain}";
+ extraConfig = ''
+ $config['imap_host'] = "ssl://${config.mailserver.fqdn}";
+ $config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+}
diff --git a/modules/nixos/zulip.nix b/modules/nixos/zulip.nix
index cc74179..736ffad 100644
--- a/modules/nixos/zulip.nix
+++ b/modules/nixos/zulip.nix
@@ -1,52 +1,23 @@
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [];
- options.x = {
- zulip = {
- enable = true;
- admin_email = lib.mkOption {
- type = lib.types.str;
- default = "admin+zulip@${config.networking.domain}";
- };
- integration = {
- persistance.enable = lib.mkOption {
- type = lib.types.bool;
- description = "whether persistance is enabled";
- default = lib.mkDefault false;
- };
- mailserver.enable = lib.mkOption {
- type = lib.types.bool;
- description = "creates simple-nixos-mailserver login automatically for admin user";
- };
- };
+{config, ...}: {
+ imports = [
+ ./mailserver.nix
+ ];
+ services.zulip = {
+ enable = true;
+ host = "zulip.${config.networking.domain}";
+ camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path;
+ rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path;
+ secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path;
+ sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path;
+ avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path;
+ zulipSettings = {
+ ZULIP_ADMINISTRATOR = "admin+zulip@${config.networking.domain}";
+ EXTERNAL_HOST = "chat.${config.networking.domain}";
};
};
- config = let
- cfg = config.x.zulip;
- in
- lib.mkIf cfg.enable {
- services.zulip = {
- enable = true;
- host = "zulip.${config.networking.domain}";
- camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path;
- rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path;
- secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path;
- sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path;
- avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path;
- zulipSettings = {
- ZULIP_ADMINISTRATOR = cfg.admin_email;
- EXTERNAL_HOST = "chat.${config.networking.domain}";
- };
- };
- services.mailserver.loginAccounts = lib.mkIf cfg.integration.mailserver.enable {
- "admin+zulip@${config.networking.domain}" = {
- hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
- };
- };
+ mailserver.loginAccounts = {
+ "zulip+admin@${config.networking.domain}" = {
+ hashedPasswordFile = builtins.toString config.age.secrets."mailserver-acc-zulip+admin-pw".path;
};
+ };
}
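Review bot: `ZULIP_ADMINISTRATOR` is set to `admin+zulip@…` while the mailbox this module now creates is `zulip+admin@…`, so the address Zulip sends administrator notices to does not match the account provisioned for it; the removed code used `admin+zulip@` for both, so the new local part looks transposed. With the mailserver's default `+` recipient delimiter, `admin+zulip@` would be delivered to the `admin@` mailbox from mailserver.nix and the `zulip+admin@` account would never receive anything — pick one literal and use it for both the setting and the account. Separately, `host = "zulip.…"` and `EXTERNAL_HOST = "chat.…"` name different hosts; Zulip derives its allowed hosts and generated URLs from EXTERNAL_HOST, so requests arriving at `zulip.<domain>` may be rejected unless the nix-zulip module adds that name itself, and if the split is deliberate a comment explaining it would help.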
diff --git a/pub-keys.nix b/pub-keys.nix
index fcaa7d8..c02ac37 100644
--- a/pub-keys.nix
+++ b/pub-keys.nix
@@ -3,6 +3,8 @@
andromeda-pw.file = ./secrets/andromeda-pw.age;
mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
+ mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age;
+ "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age";
};
pub-keys = {
ssh = {
diff --git a/secrets/mailserver-acc-admin-pw.age b/secrets/mailserver-acc-admin-pw.age
new file mode 100644
index 0000000..8f2fe15
--- /dev/null
+++ b/secrets/mailserver-acc-admin-pw.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 mT2fyg Lt6EG5R9iQWuD/eDXM+vsablwqCn7wUBKFuNO3qcq04
+07jSpN+5/CJFCaBAEVB5TYqLEnGj8Fbt6z3qIVSijqU
+-> ssh-ed25519 UHxfvA 8iIyIoZxJUYrvL9DFmleATVYs0TSZvPjSFqxSWYnVFs
+XDQQGlQXJqjjAqslyfJerVATPIO4vCxTPRWOcBuF7f8
+-> ssh-ed25519 Xoin5w tE8Tx9cSJH+4eJoEpG8CVf9+C1WrurERvGG0kOLatG4
+YUUPvg6Ev3+7idthbcUeLeRZ+iE8yp+uirJojSt1gVg
+--- FamPgM9+DjHiHQBkCmPaHe9aLLXIL3ZPCUtmtEtNOAI
+Ց}_rT6Uwz|<_5!~NcǦi*EM?H?QSb\۝zK ?z;RJpҶɴs蔈y \ No newline at end of file
diff --git a/secrets/mailserver-acc-zulip+admin-pw.age b/secrets/mailserver-acc-zulip+admin-pw.age
new file mode 100644
index 0000000..318b0ad
--- /dev/null
+++ b/secrets/mailserver-acc-zulip+admin-pw.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 53dff54..56de4d5 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,4 +7,6 @@ in {
"andromeda-pw.age".publicKeys = [andromeda lenovo];
"mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
"mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
+ "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
+ "mailserver-acc-zulip+admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
}
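Review bot: Both new mailbox password hashes are encrypted to `lenovo` as well as to the mail host, so the laptop's host key can decrypt credential material for the production mail server. That is only needed because lenovo now imports zulip.nix and therefore mailserver.nix; if the laptop is not meant to run the mail stack, narrow the recipients to `[andromeda _109-199-104-83]` so a lost laptop does not expose mail-account hashes. A short comment on why each host is a recipient keeps the list auditable.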