Diffstat (limited to 'machines')
| -rw-r--r-- | machines/109-199-104-83/configuration.nix | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/machines/109-199-104-83/configuration.nix b/machines/109-199-104-83/configuration.nix
index 32f9ffa..f5ff048 100644
--- a/machines/109-199-104-83/configuration.nix
+++ b/machines/109-199-104-83/configuration.nix
@@ -2,8 +2,86 @@
 config,
 modulesPath,
 machine,
+ pkgs,
 ...
 }: {
+ # mailserver config
+ mailserver = {
+ enable = true;
+ stateVersion = 3;
+ fqdn = "mail.galaxious.de";
+ domains = ["galaxious.de"];
+ x509.useACMEHost = config.mailserver.fqdn;
+ loginAccounts = {
+ "test@galaxious.de" = {
+ hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
+ };
+ };
+ };
+
+ # wildcard cert config
+ # systemctl start galaxious.de.service & journalctl -fu acme-galaxious.de.service
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "security@example.com";
+ certs."mail.galaxious.de" = {
+ domain = "mail.galaxious.de";
+ dnsProvider = "rfc2136";
+ environmentFile = "/var/lib/secrets/certs.secret";
+ dnsPropagationCheck = false;
+ };
+ };
+ services.bind = {
+ enable = true;
+ extraConfig = ''
+ include "/var/lib/secrets/dnskeys.conf";
+ '';
+ zones = [
+ rec {
+ name = "galaxious.de";
+ file = "/var/db/bind/${name}";
+ master = true;
+ extraConfig = "allow-update { key rfc2136key.galaxious.de; };";
+ }
+ ];
+ };
+ systemd.services.dns-rfc2136-conf = {
+ requiredBy = [
+ "acme-galaxious.de.service"
+ "bind.service"
+ ];
+ before = [
+ "acme-galaxious.de.service"
+ "bind.service"
+ ];
+ unitConfig = {
+ ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ UMask = 77;
+ };
+ path = [pkgs.bind];
+ script = ''
+ mkdir -p /var/lib/secrets
+ chmod 755 /var/lib/secrets
+ tsig-keygen rfc2136key.galaxious.de > /var/lib/secrets/dnskeys.conf
+ chown named:root /var/lib/secrets/dnskeys.conf
+ chmod 400 /var/lib/secrets/dnskeys.conf
+
+ # extract secret value from the dnskeys.conf
+ while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < /var/lib/secrets/dnskeys.conf
+
+ cat > /var/lib/secrets/certs.secret << EOF
+ RFC2136_NAMESERVER='127.0.0.1:53'
+ RFC2136_TSIG_ALGORITHM='hmac-sha256.'
+ RFC2136_TSIG_KEY='rfc2136key.galaxious.de'
+ RFC2136_TSIG_SECRET='$secret'
+ EOF
+ chmod 400 /var/lib/secrets/certs.secret
+ '';
+ };
+
 system.stateVersion = "25.11";
 nix.settings.experimental-features = ["flakes" "nix-command"];
 imports = [(modulesPath + "/profiles/qemu-guest.nix")];
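Review bot: The `requiredBy` and `before` lists of `systemd.services.dns-rfc2136-conf` name `acme-galaxious.de.service`, but the only certificate this hunk declares is `certs."mail.galaxious.de"`, whose unit is `acme-mail.galaxious.de.service`; unless a `galaxious.de` cert is defined elsewhere in the flake, the TSIG key and `/var/lib/secrets/certs.secret` are not guaranteed to exist before the first issuance runs and the ordering dependency is silently a no-op. Tying both lists to the real cert, e.g. `"acme-${config.mailserver.fqdn}.service"`, keeps them in step with `x509.useACMEHost` as well. The comments above `security.acme` ("wildcard cert config", `acme-galaxious.de.service`) describe a wildcard/apex setup that the `domain = "mail.galaxious.de"` entry does not implement, so they should be reworded to match or the cert extended to the intended names. Note also that `/var/lib/secrets` is created `755`, so only the per-file `0400` modes protect the TSIG material; `750` with `named` group access would remove the world-traversable directory without changing who can read the keys.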
