refactor networking domain

2025-04-25 08:06:19 +02:00 · 2023-09-19 13:47:08 +02:00 · 2023-09-19 13:47:08 +02:00 · 671f4eb06c
commit 671f4eb06c
parent 5cbf915808
17 changed files with 125 additions and 87 deletions
--- a/hosts/falkenstein-1/modules/mail/default.nix
+++ b/hosts/falkenstein-1/modules/mail/default.nix
@ -1,8 +1,8 @@
 { config, pkgs, ... }:

 let
-  domain = "rfive.de";
-  hostname = "falkenstein.vpn.${domain}";
+  domain = config.networking.domain;
+  hostname = "mail.${domain}";
  # see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
  header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
    /^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
@ -67,13 +67,9 @@ in
      networks = [ "127.0.0.1" "141.30.30.169" ];
      sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
      sslKey = "/var/lib/acme/${hostname}/key.pem";
-
-      extraAliases = ''
-        postmaster:     root
-        abuse:          postmaster
-      '';
      config = {
        home_mailbox = "Maildir/";
+        smtp_helo_name = "falkenstein.vpn.rfive.de";
        smtp_use_tls = true;
        smtpd_use_tls = true;
        smtpd_tls_protocols = [
@ -100,6 +96,7 @@ in
          "reject_unauth_destination"
        ];
        smtp_header_checks = "pcre:${header_cleanup}";
+
        alias_maps = [ "hash:/etc/aliases" ];
        smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
        non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
@ -272,9 +269,9 @@ in
          reporting {
            # Required attributes
            enabled = true; # Enable reports in general
-            email = 'reports@rfive.de'; # Source of DMARC reports
-            domain = 'rfive.de'; # Domain to serve
-            org_name = 'rfive.de'; # Organisation
+            email = 'reports@${config.networking.domain}'; # Source of DMARC reports
+            domain = '${config.networking.domain}'; # Domain to serve
+            org_name = '${config.networking.domain}'; # Organisation
            from_name = 'DMARC Aggregate Report';
          }
        '';
@ -300,7 +297,7 @@ in
      enableACME = true;
      forceSSL = true;
    };
-    "rspamd.rfive.de" = {
+    "rspamd.${config.networking.domain}" = {
      enableACME = true;
      forceSSL = true;
      locations = {
--- a/hosts/falkenstein-1/modules/networks/default.nix
+++ b/hosts/falkenstein-1/modules/networks/default.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  sops.secrets = {
    "wireguard/dorm/private" = {
@ -10,6 +10,7 @@
  };
  networking = {
    hostName = "falkenstein-1";
+    domain = "rfive.de";
    useNetworkd = true;
    enableIPv6 = true;
  };
--- a/hosts/falkenstein-1/modules/nginx/default.nix
+++ b/hosts/falkenstein-1/modules/nginx/default.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
@ -8,16 +8,16 @@
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

-    virtualHosts."rfive.de" = {
+    virtualHosts."${config.networking.domain}" = {
      enableACME = true;
      forceSSL = true;
-      root = "/srv/web/rfive.de";
+      root = "/srv/web/${config.networking.domain}";
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults = {
-      email = "rouven@rfive.de";
+      email = "rouven@${config.networking.domain}";
    };
  };
 }
--- a/hosts/falkenstein-1/modules/purge/default.nix
+++ b/hosts/falkenstein-1/modules/purge/default.nix
@ -1,6 +1,6 @@
 { config, ... }:
 let
-  domain = "purge.rfive.de";
+  domain = "purge.${config.networking.domain}";
 in
 {
  sops.secrets."purge/token".owner = "purge";
--- a/hosts/falkenstein-1/modules/trucksimulatorbot/default.nix
+++ b/hosts/falkenstein-1/modules/trucksimulatorbot/default.nix
@ -1,6 +1,6 @@
 { config, pkgs, trucksimulatorbot, ... }:
 let
-  domain = "trucksimulatorbot.rfive.de";
+  domain = "trucksimulatorbot.${config.networking.domain}";
 in
 {
  services.trucksimulatorbot = {
--- a/hosts/nuc/modules/hydra/default.nix
+++ b/hosts/nuc/modules/hydra/default.nix
@ -1,6 +1,6 @@
 { config, ... }:
 let
-  domain = "hydra.rfive.de";
+  domain = "hydra.${config.networking.domain}";
 in
 {
  services.hydra = {
--- a/hosts/nuc/modules/networks/default.nix
+++ b/hosts/nuc/modules/networks/default.nix
@ -2,6 +2,7 @@
 {
  networking = {
    hostName = "nuc";
+    domain = "rfive.de";
    useNetworkd = true;
    enableIPv6 = true;
  };
--- a/hosts/nuc/modules/nextcloud/default.nix
+++ b/hosts/nuc/modules/nextcloud/default.nix
@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 let
-  domain = "nextcloud.rfive.de";
+  domain = "nextcloud.${config.networking.domain}";
 in
 {
  sops.secrets = {
--- a/hosts/nuc/modules/nginx/default.nix
+++ b/hosts/nuc/modules/nginx/default.nix
@ -15,7 +15,7 @@ in
  security.acme = {
    acceptTerms = true;
    defaults = {
-      email = "rouven@rfive.de";
+      email = "rouven@${config.networking.domain}";
    };
  };
 }
--- a/hosts/nuc/modules/uptime-kuma/default.nix
+++ b/hosts/nuc/modules/uptime-kuma/default.nix
@ -1,6 +1,6 @@
-{ ... }:
+{ config, ... }:
 let
-  domain = "monitoring.rfive.de";
+  domain = "monitoring.${config.networking.domain}";
 in
 {
  services.uptime-kuma = {
--- a/hosts/nuc/modules/vaultwarden/default.nix
+++ b/hosts/nuc/modules/vaultwarden/default.nix
@ -1,6 +1,6 @@
 { config, ... }:
 let
-  domain = "vault.rfive.de";
+  domain = "vault.${config.networking.domain}";
 in
 {
  sops.secrets."vaultwarden/env".owner = "vaultwarden";
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -50,17 +50,27 @@
    # extraOptions = ''
    #   builders-use-substitutes = true
    # '';
-    # buildMachines = [
-    #   {
-    #     hostName = "nuc.lan";
-    #     system = "x86_64-linux";
-    #     protocol = "ssh-ng";
-    #     maxJobs = 4;
-    #     speedFactor = 1;
-    #     supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
-    #     mandatoryFeatures = [ ];
-    #   }
-    # ];
+    #   buildMachines = [
+    #     {
+    #       hostName = "nuc.lan";
+    #       system = "x86_64-linux";
+    #       protocol = "ssh-ng";
+    #       maxJobs = 2;
+    #       speedFactor = 1;
+    #       supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    #       mandatoryFeatures = [ ];
+    #     }
+    #     {
+    #       hostName = "quitte.ifsr.de";
+    #       system = "x86_64-linux";
+    #       protocol = "ssh-ng";
+    #       maxJobs = 12;
+    #       sshUser = "rouven.seifert";
+    #       speedFactor = 10;
+    #       supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    #       mandatoryFeatures = [ ];
+    #     }
+    #   ];
  };

  environment.persistence."/nix/persist/system" = {
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@ -127,4 +127,5 @@
      ];
    };
  };
+  services.resolved.dnssec = "true";
 }