path: root/machines/109-199-104-83/configuration.nix
blob: f8484f5762991bb6c29aa6373e60dabb5699b067 (plain)
{
  config,
  modulesPath,
  machine,
  pkgs,
  ...
}: {
  # mailserver config: one domain, one login account, TLS certificate taken
  # from the ACME host entry of the same name (see security.acme below).
  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = "mail.galaxious.de";
    domains = ["galaxious.de"];
    # reuse the "mail.galaxious.de" certificate managed by security.acme
    x509 = {useACMEHost = config.mailserver.fqdn;};
    # password hash is provisioned out of band via agenix (secret3)
    loginAccounts."test@galaxious.de".hashedPasswordFile =
      builtins.toString config.age.secrets.secret3.path;
  };

  # cert config
  # systemctl start galaxious.de.service & journalctl -fu acme-galaxious.de.service
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "mtgmonket@gmail.com";
  security.acme.certs."mail.galaxious.de" = {
    domain = "mail.galaxious.de";
    # DNS-01 challenge via RFC 2136 dynamic updates; the TSIG credentials are
    # generated into certs.secret by the dns-rfc2136-conf unit.
    dnsProvider = "rfc2136";
    environmentFile = "/var/lib/secrets/certs.secret";
    # the nameserver the client updates is this host (127.0.0.1 in certs.secret),
    # so presumably no propagation wait is needed — confirm if the zone ever
    # gains secondaries
    dnsPropagationCheck = false;
  };
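  # Authoritative DNS for galaxious.de. The ACME client updates this zone over
  # RFC 2136 with the TSIG key included from dnskeys.conf.
  services.bind = {
    enable = true;
    extraConfig = ''
      include "/var/lib/secrets/dnskeys.conf";
    '';
    zones = [
      rec {
        name = "galaxious.de";
        file = "/var/db/bind/${name}";
        master = true;
        # Least privilege for the key that also lives in certs.secret: it may
        # only add/remove the ACME challenge TXT record, not rewrite the zone
        # (allow-update { key ...; } would have granted every record type on
        # every name). update-policy and allow-update are mutually exclusive in
        # BIND; add one grant line per additional certificate name.
        extraConfig = "update-policy { grant rfc2136key.galaxious.de name _acme-challenge.mail.galaxious.de TXT; };";
      }
    ];
  };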
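  # One-shot generator for the TSIG key shared by bind (dnskeys.conf) and the
  # ACME client (certs.secret). Required by and ordered before both consumers.
  systemd.services.dns-rfc2136-conf = {
    requiredBy = [
      "acme-galaxious.de.service"
      "bind.service"
    ];
    before = [
      "acme-galaxious.de.service"
      "bind.service"
    ];
    unitConfig = {
      # generate only once; an existing key file means both consumers have it
      ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
    };
    serviceConfig = {
      Type = "oneshot";
      # new files start 0600 and are tightened to 0400 below
      UMask = 77;
    };
    path = [pkgs.bind];
    script = ''
      mkdir -p /var/lib/secrets
      # named must be able to traverse the directory to read its include file
      chmod 755 /var/lib/secrets

      # Build both files under temporary names and move them into place last:
      # an aborted run must not leave a partial dnskeys.conf behind, because
      # that would satisfy ConditionPathExists and block every retry.
      keyfile=$(mktemp /var/lib/secrets/dnskeys.conf.XXXXXX)
      envfile=$(mktemp /var/lib/secrets/certs.secret.XXXXXX)
      trap 'rm -f "$keyfile" "$envfile"' EXIT

      tsig-keygen rfc2136key.galaxious.de > "$keyfile"

      # extract secret value from the dnskeys.conf: the line reads
      #   secret "<base64>";
      # so drop the leading quote and the trailing `";`
      secret=""
      while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < "$keyfile"
      if [ -z "$secret" ]; then
        echo "dns-rfc2136-conf: no secret line found in tsig-keygen output" >&2
        exit 1
      fi

      cat > "$envfile" << EOF
      RFC2136_NAMESERVER='127.0.0.1:53'
      RFC2136_TSIG_ALGORITHM='hmac-sha256.'
      RFC2136_TSIG_KEY='rfc2136key.galaxious.de'
      RFC2136_TSIG_SECRET='$secret'
      EOF

      chown named:root "$keyfile"
      chmod 400 "$keyfile"
      chmod 400 "$envfile"
      mv "$keyfile" /var/lib/secrets/dnskeys.conf
      mv "$envfile" /var/lib/secrets/certs.secret
      trap - EXIT
    '';
  };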

  system.stateVersion = "25.11";
  nix.settings.experimental-features = ["flakes" "nix-command"];
  # VM guest profile (virtio/qemu modules)
  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
  fileSystems."/" = {
    device = "/dev/sda1";
    fsType = "ext4";
  };
  boot = {
    loader = {
      grub.device = "/dev/sda";
      timeout = 30;
    };
    initrd = {
      availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
      kernelModules = ["nvme"];
    };
    # /tmp does not persist across reboots
    tmp.cleanOnBoot = true;
  };
  zramSwap.enable = true;
  # host naming and network stack selection; addresses live in systemd.network
  networking.useNetworkd = true;
  networking.usePredictableInterfaceNames = true;
  networking.hostName = machine.hostname;
  networking.domain = "galaxious.de";
  # static dual-stack WAN configuration for the single uplink
  systemd.network.enable = true;
  systemd.network.networks."40-wan" = {
    matchConfig.Name = "enx0050565f4fff";
    address = [
      "2a02:c207:2299:8419::1/64"
      "109.199.104.83/20"
    ];
    routes = [
      # v4 gateway is outside the /20, hence GatewayOnLink
      {
        Gateway = "109.199.96.1";
        GatewayOnLink = true;
      }
      {Gateway = "fe80::1";}
    ];
    # Quad9 resolvers
    dns = ["2620:fe::fe" "9.9.9.9"];
  };
  # Remote access: SSH with key-only root login. Users are declarative
  # (mutableUsers = false) and no password is set here, so password
  # authentication has nothing to match; setting
  # services.openssh.settings.PasswordAuthentication = false would make that
  # explicit — verify no imported module defines a user with a password first.
  services.openssh.enable = true;
  users = {
    mutableUsers = false;
    users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];
  };
  # noshell is an out-of-tree module; its effect is not visible from this file
  programs.noshell.enable = true;
}