Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/boot/109-199-104-83.nix3
-rw-r--r--modules/nixos/common.nix16
-rw-r--r--modules/nixos/mailserver.nix30
-rw-r--r--modules/nixos/networking/domains/galaxious.de.nix3
-rw-r--r--modules/nixos/networking/hard-ssh.nix19
-rw-r--r--modules/nixos/networking/networks/109-199-104-83.nix27
-rw-r--r--modules/nixos/networking/ssh-as-root.nix3
-rw-r--r--modules/nixos/roundcube.nix12
-rw-r--r--modules/nixos/zulip.nix67
9 files changed, 132 insertions, 48 deletions
diff --git a/modules/nixos/boot/109-199-104-83.nix b/modules/nixos/boot/109-199-104-83.nix
new file mode 100644
index 0000000..ec2def1
--- /dev/null
+++ b/modules/nixos/boot/109-199-104-83.nix
@@ -0,0 +1,3 @@
+{
+ boot.loader.grub.device = "/dev/sda";
+}
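Review bot: `boot.loader.grub.device = "/dev/sda"` pins the bootloader install to a kernel enumeration name, which can change when a disk or controller is added or the VPS image is rebuilt, leaving the system unbootable after a `nixos-rebuild`. Prefer the stable path, e.g. `boot.loader.grub.device = "/dev/disk/by-id/<id-of-the-boot-disk>";`, with the id taken from the host this file is named after. A one-line comment naming which disk this is would also help, since the file name only identifies the host.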
diff --git a/modules/nixos/common.nix b/modules/nixos/common.nix
new file mode 100644
index 0000000..3c00de0
--- /dev/null
+++ b/modules/nixos/common.nix
@@ -0,0 +1,16 @@
+{config, ...}: {
+ # flakes usage
+ nix.settings.experimental-features = [
+ "flakes"
+ "nix-command"
+ ];
+
+ # allows users to customize shell in `$XDG_CONFIG_HOME/shell` rather than
+ # needing /etc/shells. Useful for home-manager. Falls back.
+ programs.noshell.enable = true;
+
+ # cleans /tmp to maintain a tidy system
+ boot.tmp.cleanOnBoot = true;
+
+ networking.domain = config.networking.hostname;
+}
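Review bot: `networking.domain = config.networking.hostname;` references an option that does not exist — the NixOS option is `networking.hostName` (capital N) — so evaluation fails with an undefined-attribute error as soon as this module is imported. It also defines `networking.domain` unconditionally, while `networking/domains/galaxious.de.nix` in the same change sets it to `"galaxious.de"`; a host importing both gets a conflicting-definitions error rather than the real domain. Make this the fallback: `{config, lib, ...}: {` and `networking.domain = lib.mkDefault config.networking.hostName;`. Whether a hostname like `109-199-104-83` is a sensible domain fallback at all is worth a comment here, since the mailserver and ACME vhosts are derived from `networking.domain`.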
diff --git a/modules/nixos/mailserver.nix b/modules/nixos/mailserver.nix
new file mode 100644
index 0000000..c71dc03
--- /dev/null
+++ b/modules/nixos/mailserver.nix
@@ -0,0 +1,30 @@
+{config, ...}: {
+ mailserver = {
+ enable = true;
+ stateVersion = 3;
+ fqdn = "mail.${config.networking.domain}";
+ domains = ["${config.networking.domain}"];
+ x509.useACMEHost = config.mailserver.fqdn;
+ loginAccounts = {
+ "test@${config.networking.domain}" = {
+ hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
+ };
+ "admin@${config.networking.domain}" = {
+ hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-admin-pw.path;
+ };
+ };
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "mail.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "mtgmonket@gmail.com";
+ };
+}
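Review bot: The `"test@${config.networking.domain}"` login account is a real IMAP/SMTP credential on an internet-facing mail server, and nothing in this module marks it as temporary or restricts it; if it is a scratch account from bringing the server up, drop it (and the `mailserver-acc-test-pw` secret) before this lands, or add a comment stating why it must exist. As a style point, `domains = ["${config.networking.domain}"];` interpolates a string into a string for no effect and reads as if a suffix were intended — `domains = [config.networking.domain];` says the same thing. Note that the remaining `admin@` account and the nginx vhost both derive from `networking.domain`, so whatever sets that option decides what this server claims to be.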
diff --git a/modules/nixos/networking/domains/galaxious.de.nix b/modules/nixos/networking/domains/galaxious.de.nix
new file mode 100644
index 0000000..eab573e
--- /dev/null
+++ b/modules/nixos/networking/domains/galaxious.de.nix
@@ -0,0 +1,3 @@
+{
+ networking.domain = "galaxious.de";
+}
diff --git a/modules/nixos/networking/hard-ssh.nix b/modules/nixos/networking/hard-ssh.nix
new file mode 100644
index 0000000..849af9b
--- /dev/null
+++ b/modules/nixos/networking/hard-ssh.nix
@@ -0,0 +1,19 @@
+{
+ services.openssh = {
+ enable = true;
+ allowSFTP = false;
+ ports = [5522];
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = true;
+ };
+ extraConfig = ''
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ MaxAuthTries 3
+ MaxSessions 4
+ TCPKeepAlive no
+ '';
+ };
+}
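Review bot: `KbdInteractiveAuthentication = true;` undoes most of what `PasswordAuthentication = false;` above it is meant to achieve: with PAM in the loop, keyboard-interactive still lets a client type a password, so online password guessing remains possible on port 5522 and `MaxAuthTries 3` is the only brake. Unless a PAM challenge-response factor (e.g. TOTP) is deliberately configured — nothing in this file shows one — set `KbdInteractiveAuthentication = false;` so only public keys are accepted. As a style point, the directives in `extraConfig` (`AllowTcpForwarding`, `AllowAgentForwarding`, `MaxAuthTries`, `MaxSessions`, `TCPKeepAlive`) can live in the `settings` attrset alongside the others, where they merge with definitions from other modules instead of being appended as opaque text.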
diff --git a/modules/nixos/networking/networks/109-199-104-83.nix b/modules/nixos/networking/networks/109-199-104-83.nix
new file mode 100644
index 0000000..2cacb55
--- /dev/null
+++ b/modules/nixos/networking/networks/109-199-104-83.nix
@@ -0,0 +1,27 @@
+{
+ networking = {
+ useNetworkd = true;
+ usePredictableInterfaceNames = true;
+ hostName = "109-199-104-83";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [80 443];
+ };
+ };
+ systemd.network = {
+ enable = true;
+ networks."40-wan" = {
+ matchConfig.Name = "enx0050565f4fff";
+ address = ["2a02:c207:2299:8419::1/64" "109.199.104.83/20"];
+ routes = [
+ {
+ Gateway = "109.199.96.1";
+ GatewayOnLink = true;
+ }
+ {Gateway = "fe80::1";}
+ ];
+ dns = ["2620:fe::fe" "9.9.9.9"];
+ };
+ };
+}
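Review bot: `allowedUDPPorts = [80 443];` opens two UDP ports that nothing in this change set listens on: there is no UDP service on 80, and UDP 443 is only meaningful if nginx is serving HTTP/3 (QUIC), which none of the nginx configuration here enables. Remove the line, or reduce it to `allowedUDPPorts = [443];` with a comment once QUIC is actually turned on. The sshd port 5522 from `hard-ssh.nix` is not listed here; presumably the openssh module's `openFirewall` default is relied on for that — a comment saying so would save the next reader from wondering whether SSH is reachable.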
diff --git a/modules/nixos/networking/ssh-as-root.nix b/modules/nixos/networking/ssh-as-root.nix
new file mode 100644
index 0000000..d882a46
--- /dev/null
+++ b/modules/nixos/networking/ssh-as-root.nix
@@ -0,0 +1,3 @@
+{
+ services.openssh.settings.PermitRootLogin = "yes";
+}
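Review bot: `services.openssh.settings.PermitRootLogin = "yes";` collides with the `"no"` set in `hard-ssh.nix` in this same change: both are plain definitions of one option, so a host that imports both fails to evaluate with a conflicting-definitions error rather than picking either. If the intent is an opt-in override, give it a priority and keep the value key-only: `{lib, ...}: {` and `services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";` — `"yes"` would also accept a root password through any password path that is still open (see `KbdInteractiveAuthentication` in `hard-ssh.nix`). A short comment on which hosts are expected to import this file would make the exposure reviewable.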
diff --git a/modules/nixos/roundcube.nix b/modules/nixos/roundcube.nix
new file mode 100644
index 0000000..0749af5
--- /dev/null
+++ b/modules/nixos/roundcube.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+ services.roundcube = {
+ enable = true;
+ hostName = "webmail.${config.networking.domain}";
+ extraConfig = ''
+ $config['imap_host'] = "ssl://${config.mailserver.fqdn}";
+ $config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+}
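Review bot: The `imap_host` and `smtp_host` values `"ssl://${config.mailserver.fqdn}"` carry no port, so which port Roundcube connects to — and whether it is the implicit-TLS one — depends on the Roundcube version's defaults for the `ssl://` scheme; I would not rely on that for the two connections that carry user credentials. Pin them explicitly, `$config['imap_host'] = "ssl://${config.mailserver.fqdn}:993";` and `$config['smtp_host'] = "ssl://${config.mailserver.fqdn}:465";`, matching what the mailserver actually exposes. `smtp_user = "%u"` / `smtp_pass = "%p"` appear to be Roundcube's own defaults, so either drop them or comment that they are stated for clarity.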
diff --git a/modules/nixos/zulip.nix b/modules/nixos/zulip.nix
index cc74179..736ffad 100644
--- a/modules/nixos/zulip.nix
+++ b/modules/nixos/zulip.nix
@@ -1,52 +1,23 @@
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [];
- options.x = {
- zulip = {
- enable = true;
- admin_email = lib.mkOption {
- type = lib.types.str;
- default = "admin+zulip@${config.networking.domain}";
- };
- integration = {
- persistance.enable = lib.mkOption {
- type = lib.types.bool;
- description = "whether persistance is enabled";
- default = lib.mkDefault false;
- };
- mailserver.enable = lib.mkOption {
- type = lib.types.bool;
- description = "creates simple-nixos-mailserver login automatically for admin user";
- };
- };
+{config, ...}: {
+ imports = [
+ ./mailserver.nix
+ ];
+ services.zulip = {
+ enable = true;
+ host = "zulip.${config.networking.domain}";
+ camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path;
+ rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path;
+ secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path;
+ sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path;
+ avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path;
+ zulipSettings = {
+ ZULIP_ADMINISTRATOR = "admin+zulip@${config.networking.domain}";
+ EXTERNAL_HOST = "chat.${config.networking.domain}";
};
};
- config = let
- cfg = config.x.zulip;
- in
- lib.mkIf cfg.enable {
- services.zulip = {
- enable = true;
- host = "zulip.${config.networking.domain}";
- camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path;
- rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path;
- secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path;
- sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path;
- avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path;
- zulipSettings = {
- ZULIP_ADMINISTRATOR = cfg.admin_email;
- EXTERNAL_HOST = "chat.${config.networking.domain}";
- };
- };
- services.mailserver.loginAccounts = lib.mkIf cfg.integration.mailserver.enable {
- "admin+zulip@${config.networking.domain}" = {
- hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
- };
- };
+ mailserver.loginAccounts = {
+ "zulip+admin@${config.networking.domain}" = {
+ hashedPasswordFile = builtins.toString config.age.secrets."mailserver-acc-zulip+admin-pw".path;
};
+ };
}
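Review bot: The administrator address and the mailbox this module creates no longer agree: `ZULIP_ADMINISTRATOR = "admin+zulip@${config.networking.domain}"` while `mailserver.loginAccounts` now defines `"zulip+admin@${config.networking.domain}"` (the removed code used `admin+zulip@` for both), so mail to the configured administrator lands in — or bounces from — an address this file does not provision. Pick one spelling for both; note that if the mailserver treats `+` as a recipient delimiter, a login account literally named `zulip+admin@` may not receive mail at all, so `admin+zulip@` delivered to the existing `admin@` mailbox is the safer choice — worth confirming against the mailserver's delimiter setting. Separately, `host = "zulip.${config.networking.domain}"` and `EXTERNAL_HOST = "chat.${config.networking.domain}"` name different hosts; unless a redirect between them is configured elsewhere, Zulip will generate links and origin checks for a name nginx is not serving, so set `EXTERNAL_HOST = config.services.zulip.host;` or document why they differ.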