refactor networking domain

2024-11-14 21:03:10 +01:00 · 2023-09-19 13:47:08 +02:00 · 2023-09-19 13:47:08 +02:00 · 671f4eb06c
parent 5cbf915808
commit 671f4eb06c
17 changed files with 125 additions and 87 deletions
--- a/flake.lock
+++ b/flake.lock
@ -88,11 +88,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1694158470,
-        "narHash": "sha256-yWx9eBDHt6WR3gr65+J85KreHdMypty/P6yM35tIYYM=",
+        "lastModified": 1695052866,
+        "narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "d0cfc042eba92eb206611c9e8784d41a2c053bab",
+        "rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
        "type": "github"
      },
      "original": {
@ -236,11 +236,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1694479651,
-        "narHash": "sha256-X8G8vOZXLnPZ6ktH+Q2CueS3IZS1twotcZy2A2h7fgs=",
+        "lastModified": 1695090634,
+        "narHash": "sha256-zwkbWSFXP0+BZH2F0j46ohnIjI/RU55Q6lWjPK9FeL4=",
        "owner": "helix-editor",
        "repo": "helix",
-        "rev": "ccabfee3811bdcc8372beaae777a98fd36e2657e",
+        "rev": "1c88432efc3724f60b27d580b8b490040a3048f6",
        "type": "github"
      },
      "original": {
@ -255,11 +255,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694469544,
-        "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=",
+        "lastModified": 1695103414,
+        "narHash": "sha256-/kr1AQ8aPWl3OaTzZARhGPSS044vZq1Vh4wYX77T1DE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "5171f5ef654425e09d9c2100f856d887da595437",
+        "rev": "92364581dd3ada6981c4ddc5def8a35a1b945e75",
        "type": "github"
      },
      "original": {
@ -290,11 +290,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1690797372,
-        "narHash": "sha256-GImz19e33SeVcIvBB7NnhbJSbTpFFmNtWLh7Z85Y188=",
+        "lastModified": 1694622745,
+        "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "e3a7acd113903269a1b5c8b527e84ce7ee859851",
+        "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
        "type": "github"
      },
      "original": {
@ -356,11 +356,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694430658,
-        "narHash": "sha256-8+OZ98kD63e/GaOiJimXHR/VYiTYwr25jTYGEHHOfq4=",
+        "lastModified": 1694921880,
+        "narHash": "sha256-yU36cs5UdzhTwsM9bUWUz43N//ELzQ1ro69C07pU/8E=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "9a5c4996d0918a151269600dfdf6ad3b3748f6a4",
+        "rev": "9d2bcc47110b3b6217dfebd6761ba20bc78aedf2",
        "type": "github"
      },
      "original": {
@ -371,11 +371,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1694432324,
-        "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=",
+        "lastModified": 1695109627,
+        "narHash": "sha256-4rpyoVzmunIG6xWA/EonnSSqC69bDBzciFi6SjBze/0=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779",
+        "rev": "cb4dc98f776ddb6af165e6f06b2902efe31ca67a",
        "type": "github"
      },
      "original": {
@ -432,11 +432,11 @@
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1693675694,
-        "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
+        "lastModified": 1694908564,
+        "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
+        "rev": "596611941a74be176b98aeba9328aa9d01b8b322",
        "type": "github"
      },
      "original": {
@ -448,11 +448,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1694183432,
-        "narHash": "sha256-YyPGNapgZNNj51ylQMw9lAgvxtM2ai1HZVUu3GS8Fng=",
+        "lastModified": 1694959747,
+        "narHash": "sha256-CXQ2MuledDVlVM5dLC4pB41cFlBWxRw4tCBsFrq3cRk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b",
+        "rev": "970a59bd19eff3752ce552935687100c46e820a5",
        "type": "github"
      },
      "original": {
@ -468,11 +468,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694162494,
-        "narHash": "sha256-VbgzfheTTfu7FiPfO7RhFkNmyivpsvQIzK+Rb4Y2DmM=",
+        "lastModified": 1694795979,
+        "narHash": "sha256-u86BfJNeHwPJrVfJE11OrBx6n/2NICohJsOkBARdWn0=",
        "owner": "therealr5",
        "repo": "pfersel",
-        "rev": "08726054ecda287311618178d0d98de097d4c4b8",
+        "rev": "2fcfdf8a481db9e2fe0d241ee9ac2739c1aace71",
        "type": "github"
      },
      "original": {
@ -607,11 +607,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1694495315,
-        "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=",
+        "lastModified": 1695101768,
+        "narHash": "sha256-1/j5/348l2+yxQUfkJCUpA6cDefS3H7V94kawk9uuRc=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415",
+        "rev": "4356a5a0c12c9dc1b6bdde0631c7600d9377ed8b",
        "type": "github"
      },
      "original": {
--- a/hosts/falkenstein-1/modules/mail/default.nix
+++ b/hosts/falkenstein-1/modules/mail/default.nix
@ -1,8 +1,8 @@
 { config, pkgs, ... }:

 let
-  domain = "rfive.de";
-  hostname = "falkenstein.vpn.${domain}";
+  domain = config.networking.domain;
+  hostname = "mail.${domain}";
  # see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
  header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
    /^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
@ -67,13 +67,9 @@ in
      networks = [ "127.0.0.1" "141.30.30.169" ];
      sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
      sslKey = "/var/lib/acme/${hostname}/key.pem";
-
-      extraAliases = ''
-        postmaster:     root
-        abuse:          postmaster
-      '';
      config = {
        home_mailbox = "Maildir/";
+        smtp_helo_name = "falkenstein.vpn.rfive.de";
        smtp_use_tls = true;
        smtpd_use_tls = true;
        smtpd_tls_protocols = [
@ -100,6 +96,7 @@ in
          "reject_unauth_destination"
        ];
        smtp_header_checks = "pcre:${header_cleanup}";
+
        alias_maps = [ "hash:/etc/aliases" ];
        smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
        non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
@ -272,9 +269,9 @@ in
          reporting {
            # Required attributes
            enabled = true; # Enable reports in general
-            email = 'reports@rfive.de'; # Source of DMARC reports
-            domain = 'rfive.de'; # Domain to serve
-            org_name = 'rfive.de'; # Organisation
+            email = 'reports@${config.networking.domain}'; # Source of DMARC reports
+            domain = '${config.networking.domain}'; # Domain to serve
+            org_name = '${config.networking.domain}'; # Organisation
            from_name = 'DMARC Aggregate Report';
          }
        '';
@ -300,7 +297,7 @@ in
      enableACME = true;
      forceSSL = true;
    };
-    "rspamd.rfive.de" = {
+    "rspamd.${config.networking.domain}" = {
      enableACME = true;
      forceSSL = true;
      locations = {
--- a/hosts/falkenstein-1/modules/networks/default.nix
+++ b/hosts/falkenstein-1/modules/networks/default.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  sops.secrets = {
    "wireguard/dorm/private" = {
@ -10,6 +10,7 @@
  };
  networking = {
    hostName = "falkenstein-1";
+    domain = "rfive.de";
    useNetworkd = true;
    enableIPv6 = true;
  };
--- a/hosts/falkenstein-1/modules/nginx/default.nix
+++ b/hosts/falkenstein-1/modules/nginx/default.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
@ -8,16 +8,16 @@
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

-    virtualHosts."rfive.de" = {
+    virtualHosts."${config.networking.domain}" = {
      enableACME = true;
      forceSSL = true;
-      root = "/srv/web/rfive.de";
+      root = "/srv/web/${config.networking.domain}";
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults = {
-      email = "rouven@rfive.de";
+      email = "rouven@${config.networking.domain}";
    };
  };
 }
--- a/hosts/falkenstein-1/modules/purge/default.nix
+++ b/hosts/falkenstein-1/modules/purge/default.nix
@ -1,6 +1,6 @@
 { config, ... }:
 let
-  domain = "purge.rfive.de";
+  domain = "purge.${config.networking.domain}";
 in
 {
  sops.secrets."purge/token".owner = "purge";
--- a/hosts/falkenstein-1/modules/trucksimulatorbot/default.nix
+++ b/hosts/falkenstein-1/modules/trucksimulatorbot/default.nix
@ -1,6 +1,6 @@
 { config, pkgs, trucksimulatorbot, ... }:
 let
-  domain = "trucksimulatorbot.rfive.de";
+  domain = "trucksimulatorbot.${config.networking.domain}";
 in
 {
  services.trucksimulatorbot = {
--- a/hosts/nuc/modules/hydra/default.nix
+++ b/hosts/nuc/modules/hydra/default.nix
@ -1,6 +1,6 @@
 { config, ... }:
 let
-  domain = "hydra.rfive.de";
+  domain = "hydra.${config.networking.domain}";
 in
 {
  services.hydra = {
--- a/hosts/nuc/modules/networks/default.nix
+++ b/hosts/nuc/modules/networks/default.nix
@ -2,6 +2,7 @@
 {
  networking = {
    hostName = "nuc";
+    domain = "rfive.de";
    useNetworkd = true;
    enableIPv6 = true;
  };
--- a/hosts/nuc/modules/nextcloud/default.nix
+++ b/hosts/nuc/modules/nextcloud/default.nix
@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 let
-  domain = "nextcloud.rfive.de";
+  domain = "nextcloud.${config.networking.domain}";
 in
 {
  sops.secrets = {
--- a/hosts/nuc/modules/nginx/default.nix
+++ b/hosts/nuc/modules/nginx/default.nix
@ -15,7 +15,7 @@ in
  security.acme = {
    acceptTerms = true;
    defaults = {
-      email = "rouven@rfive.de";
+      email = "rouven@${config.networking.domain}";
    };
  };
 }
--- a/hosts/nuc/modules/uptime-kuma/default.nix
+++ b/hosts/nuc/modules/uptime-kuma/default.nix
@ -1,6 +1,6 @@
-{ ... }:
+{ config, ... }:
 let
-  domain = "monitoring.rfive.de";
+  domain = "monitoring.${config.networking.domain}";
 in
 {
  services.uptime-kuma = {
--- a/hosts/nuc/modules/vaultwarden/default.nix
+++ b/hosts/nuc/modules/vaultwarden/default.nix
@ -1,6 +1,6 @@
 { config, ... }:
 let
-  domain = "vault.rfive.de";
+  domain = "vault.${config.networking.domain}";
 in
 {
  sops.secrets."vaultwarden/env".owner = "vaultwarden";
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -50,17 +50,27 @@
    # extraOptions = ''
    #   builders-use-substitutes = true
    # '';
-    # buildMachines = [
-    #   {
-    #     hostName = "nuc.lan";
-    #     system = "x86_64-linux";
-    #     protocol = "ssh-ng";
-    #     maxJobs = 4;
-    #     speedFactor = 1;
-    #     supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
-    #     mandatoryFeatures = [ ];
-    #   }
-    # ];
+    #   buildMachines = [
+    #     {
+    #       hostName = "nuc.lan";
+    #       system = "x86_64-linux";
+    #       protocol = "ssh-ng";
+    #       maxJobs = 2;
+    #       speedFactor = 1;
+    #       supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    #       mandatoryFeatures = [ ];
+    #     }
+    #     {
+    #       hostName = "quitte.ifsr.de";
+    #       system = "x86_64-linux";
+    #       protocol = "ssh-ng";
+    #       maxJobs = 12;
+    #       sshUser = "rouven.seifert";
+    #       speedFactor = 10;
+    #       supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    #       mandatoryFeatures = [ ];
+    #     }
+    #   ];
  };

  environment.persistence."/nix/persist/system" = {
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@ -127,4 +127,5 @@
      ];
    };
  };
+  services.resolved.dnssec = "true";
 }
--- a/pkgs/gnome-break-timer/default.nix
+++ b/pkgs/gnome-break-timer/default.nix
@ -3,7 +3,7 @@
 , fetchurl
 , meson
 , vala
-, pkgconfig
+, pkg-config
 , cairo
 , gsound
 , gtk3
@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
    meson
    ninja
    vala
-    pkgconfig
+    pkg-config
    cairo
    gsound
    gtk3
--- a/users/rouven/modules/accounts/default.nix
+++ b/users/rouven/modules/accounts/default.nix
@ -52,13 +52,12 @@ in
      userName = address;
      passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/rfive";
      imap = {
-        host = "falkenstein.vpn.rfive.de";
+        host = "mail.rfive.de";
        port = 993;
      };
      smtp = {
-        host = "falkenstein.vpn.rfive.de";
-        port = 587;
-        tls.useStartTls = true;
+        host = "mail.rfive.de";
+        port = 465;
      };
      msmtp.enable = true;
      thunderbird.enable = true;
@ -92,6 +91,16 @@ in
            farPattern = "Drafts";
            extraConfig.Create = "near";
          };
+          channels.github = {
+            nearPattern = "GitHub";
+            farPattern = "GitHub";
+            extraConfig.Create = "near";
+          };
+          channels.reports = {
+            nearPattern = "Reports";
+            farPattern = "Reports";
+            extraConfig.Create = "near";
+          };
        };
        extraConfig = {
          account = {
@ -103,7 +112,7 @@ in
        {
          enable = true;
          mailboxName = " 󰒋 rfive.de";
-          extraMailboxes = lib.lists.forEach [ c.sent c.trash c.junk c.drafts ] (x: x.nearPattern);
+          extraMailboxes = lib.lists.forEach [ c.sent c.trash c.junk c.drafts c.reports c.github ] (x: x.nearPattern);
        };
    };
    "TU-Dresden" = rec {
@ -191,27 +200,41 @@ in
      passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/ifsr";
      imap = {
        host = "mail.ifsr.de";
-        port = 143;
-        tls.useStartTls = true;
+        port = 993;
      };
      smtp = {
        host = "mail.ifsr.de";
-        port = 587;
-        tls.useStartTls = true;
+        port = 465;
      };
      mbsync = {
        enable = true;
        create = "maildir";
        expunge = "both";
        groups.ifsr = {
+          # TODO beautify with nix magic
          channels.inbox = {
            nearPattern = "INBOX";
            farPattern = "INBOX";
            extraConfig.Create = "near";
          };
-          channels.admin = {
-            nearPattern = "Admin spam";
-            farPattern = "Admin spam";
+          channels.root = {
+            nearPattern = "Root";
+            farPattern = "Root";
+            extraConfig.Create = "near";
+          };
+          channels.ese = {
+            nearPattern = "ESE";
+            farPattern = "ESE";
+            extraConfig.Create = "near";
+          };
+          channels.github = {
+            nearPattern = "GitHub";
+            farPattern = "GitHub";
+            extraConfig.Create = "near";
+          };
+          channels.reports = {
+            nearPattern = "Reports";
+            farPattern = "Reports";
            extraConfig.Create = "near";
          };
          channels.trash = {
@ -225,8 +248,8 @@ in
            extraConfig.Create = "near";
          };
          channels.junk = {
-            nearPattern = "Junk";
-            farPattern = "Public/Spam";
+            nearPattern = "Spam";
+            farPattern = "Spam";
            extraConfig.Create = "near";
          };
          channels.drafts = {
@ -247,7 +270,7 @@ in
        {
          enable = true;
          mailboxName = "  iFSR";
-          extraMailboxes = lib.lists.forEach [ c.admin c.sent c.trash c.junk c.drafts ] (x: x.nearPattern);
+          extraMailboxes = lib.lists.forEach [ c.root c.ese c.github c.reports c.sent c.trash c.junk c.drafts ] (x: x.nearPattern);
        };
    };
    "gmail" = rec {
--- a/users/rouven/modules/packages.nix
+++ b/users/rouven/modules/packages.nix
@ -12,6 +12,7 @@
    gimp
    ffmpeg
    drawio
+    leafpad

    # sound
    pavucontrol
@ -22,6 +23,7 @@

    # internet
    google-chrome
+    filezilla

    # messaging
    discord
@ -35,9 +37,9 @@
    superTuxKart

    # yubikey and password stuff
-    # yubikey-manager
-    # yubikey-manager-qt
-    # yubioath-flutter
+    yubikey-manager
+    yubikey-manager-qt
+    yubioath-flutter
    bitwarden
    pass

@ -70,7 +72,10 @@
    indicator = true;
  };

-  programs.texlive.enable = true;
+  programs.texlive = {
+    enable = true;
+    extraPackages = tpkgs: { inherit (tpkgs) collection-basic xetex collection-fontsrecommended; };
+  };
  programs.obs-studio.enable = true;
  programs.firefox.enable = true;

@ -79,7 +84,7 @@
    defaultApplications =
      let
        image-viewers = [ "imv.desktop" "gimp.desktop" "swappy.desktop" "org.qutebrowser.qutebrowser.desktop" "google-chrome.desktop" ];
-        browsers = [ "firefox.desktop" "google-chrome.desktop" "org.qutebrowser.qutebrowser.desktop" ];
+        browsers = [ "google-chrome.desktop" "firefox.desktop" "org.qutebrowser.qutebrowser.desktop" ];
      in
      {
        "application/pdf" = [ "org.gnome.Evince.desktop" ];