diff --git a/flake.lock b/flake.lock index af5c024..e4ad16a 100644 --- a/flake.lock +++ b/flake.lock @@ -179,11 +179,11 @@ ] }, "locked": { - "lastModified": 1699368917, - "narHash": "sha256-nUtGIWf86BOkUbtksWtfglvCZ/otP0FTZlQH8Rzc7PA=", + "lastModified": 1699783872, + "narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=", "owner": "nix-community", "repo": "home-manager", - "rev": "6a8444467c83c961e2f5ff64fb4f422e303c98d3", + "rev": "280721186ab75a76537713ec310306f0eba3e407", "type": "github" }, "original": { @@ -280,11 +280,11 @@ ] }, "locked": { - "lastModified": 1699156599, - "narHash": "sha256-Qk9ZE/pG9lNIGUVNArJxL0Hc0Soa92eQPPIhcDwWinU=", + "lastModified": 1699760693, + "narHash": "sha256-u/gkNUHQR/q23voqE5J4xmEWQIAqR+g3lUnCtzn0k7Y=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "5388a4002179d6778d212dc2fdcc7ac3fdbd5b65", + "rev": "8aff4ca3dee60d1422489fe8d52c2f837b3ad113", "type": "github" }, "original": { @@ -295,11 +295,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1699159446, - "narHash": "sha256-cL63IjsbPl2otS7R4kdXbVOJOXYMpGw5KGZoWgdCuCM=", + "lastModified": 1699997707, + "narHash": "sha256-ugb+1TGoOqqiy3axyEZpfF6T4DQUGjfWZ3Htry1EfvI=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "627bc9b88256379578885a7028c9e791c29fb581", + "rev": "5689f3ebf899f644a1aabe8774d4f37eb2f6c2f9", "type": "github" }, "original": { @@ -309,11 +309,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1699099776, - "narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=", + "lastModified": 1699781429, + "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb", + "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d", "type": "github" }, "original": { 
@@ -355,11 +355,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1699110214, - "narHash": "sha256-L2TU4RgtiqF69W8Gacg2jEkEYJrW+Kp0Mp4plwQh5b8=", + "lastModified": 1699756042, + "narHash": "sha256-bHHjQQBsEPOxLL+klYU2lYshDnnWY12SewzQ7n5ab2M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "78f3a4ae19f0e99d5323dd2e3853916b8ee4afee", + "rev": "9502d0245983bb233da8083b55d60d96fd3c29ff", "type": "github" }, "original": {
@@ -489,11 +489,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1699311858, - "narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=", + "lastModified": 1699951338, + "narHash": "sha256-1GeczM7XfgHcYGYiYNcdwSFu3E62vmh4d7mffWZvyzE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "664187539871f63857bda2d498f452792457b998", + "rev": "0e3a94167dcd10a47b89141f35b2ff9e04b34c46", "type": "github" }, "original": {
diff --git a/hosts/falkenstein-1/default.nix b/hosts/falkenstein-1/default.nix
index 30a6bb2..5125175 100644
--- a/hosts/falkenstein-1/default.nix
+++ b/hosts/falkenstein-1/default.nix
@@ -58,6 +58,7 @@
 ports = [ 2222 ];
 settings.PasswordAuthentication = false;
 };
+ programs.mosh.enable = true;
 security = {
 audit.enable = true;
 auditd.enable = true;
diff --git a/hosts/falkenstein-1/modules/mail/default.nix b/hosts/falkenstein-1/modules/mail/default.nix
index edb8489..c9454d5 100644
--- a/hosts/falkenstein-1/modules/mail/default.nix
+++ b/hosts/falkenstein-1/modules/mail/default.nix
@@ -21,7 +21,6 @@ in
 993 # IMAP
 4190 # sieve
 ];
- users.users.postfix.extraGroups = [ "opendkim" ];
 users.users.rouven = {
 description = "Rouven Seifert";
 isNormalUser = true;
@@ -98,8 +97,6 @@ in smtp_header_checks = "pcre:${header_cleanup}"; alias_maps = [ "hash:/etc/aliases" ]; - smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ]; - non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; smtpd_sasl_type = "dovecot";
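Review bot: `programs.mosh.enable = true` on a host whose sshd is pinned to port 2222 with password authentication off also opens UDP 60000–61000 in the firewall, because the NixOS module's `programs.mosh.openFirewall` defaults to true, and that exposure is stated nowhere in the hunk. Mosh still authenticates over the initial SSH connection, so the sshd hardening is not bypassed, but the mosh-server process outlives that SSH session and roams across client addresses, so sshd-based logging and rate limiting only see the handshake and the audit trail for a live session is mosh-server's own. Make the port opening explicit and documented, e.g. `programs.mosh.enable = true; # opens UDP 60000-61000 via programs.mosh.openFirewall (default true)`, or set `programs.mosh.openFirewall = false;` and open the range deliberately where it is wanted. The same change lands in hosts/nuc/default.nix (its `@@ -70,6 +70,7 @@` hunk) and this note applies there as well.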
@@ -201,14 +198,6 @@ in ''; }; - opendkim = { - enable = true; - domains = "csl:${domain}"; - selector = "falkenstein"; - configFile = pkgs.writeText "opendkim-config" '' - UMask 0117 - ''; - }; rspamd = { enable = true; postfix.enable = true;
@@ -220,6 +209,9 @@ in
 read_servers = "127.0.0.1";
 write_servers = "127.0.0.1";
 '';
+ "milter_headers.conf".text = ''
+ use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
+ '';
 "dmarc.conf".text = ''
 reporting {
 # Required attributes
@@ -230,6 +222,16 @@ in
 from_name = 'DMARC Aggregate Report';
 }
 '';
+ "dkim_signing.conf".text = ''
+ selector = "rspamd";
+ allow_username_mismatch = true;
+ domain {
+ rfive.de {
+ path = /var/lib/rspamd/dkim/rfive.key;
+ selector = "rspamd";
+ }
+ }
+ '';
 };
 };
 redis = {
diff --git a/hosts/falkenstein-1/modules/nginx/default.nix b/hosts/falkenstein-1/modules/nginx/default.nix
index 59b5042..d68e066 100644
--- a/hosts/falkenstein-1/modules/nginx/default.nix
+++ b/hosts/falkenstein-1/modules/nginx/default.nix
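Review bot: The DKIM private key at `/var/lib/rspamd/dkim/rfive.key` is referenced but nothing in the diff provisions it, and the domain is hard-coded as `rfive.de` while the removed opendkim block derived the same value from `${domain}`; both belong on the new side of this `dkim_signing.conf` hunk. If `domain` is the binding the removed `csl:${domain}` line used, the block can read `${domain} {` with `path = /var/lib/rspamd/dkim/${domain}.key;` so the mail module keeps one source of truth for the domain. The key file has to exist on the host, readable by the rspamd user only, before this deploys, and sops-nix (already pinned in flake.lock) is the natural place to manage it rather than an ad-hoc file under /var/lib. `allow_username_mismatch = true` lets any SASL-authenticated account obtain a signature for the configured domain regardless of the username it logged in with, which is fine for a single-user server but deserves a comment such as `# single-user box: any authenticated sender may sign for the domain`. The selector moves from `falkenstein` to `rspamd`, so the `rspamd._domainkey` TXT record must be published before switching and the old record should stay until mail signed with it has been delivered.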
@@ -1,46 +1,63 @@
-{ config, ... }:
-# matrix homeserver discovery
-let
- matrix_domain = "matrix.${config.networking.domain}";
- serverConfig = {
- "m.server" = "${matrix_domain}:443";
- };
- clientConfig = {
- "m.homeserver" = {
- base_url = "https://${matrix_domain}";
- # server_name = config.networking.domain;
- };
- "org.matrix.msc3575.proxy" = {
- url = "https://${matrix_domain}";
- };
- };
- mkWellKnown = data: ''
- add_header Content-Type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
-in
+{ config, lib, ... }:
 {
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
+ # set default options for virtualHosts
+ options = with lib; {
+ services.nginx.virtualHosts = mkOption {
+ type = types.attrsOf (types.submodule
+ ({ name, ... }: {
+ # split up nginx access logs per vhost
+ extraConfig = ''
+ access_log /var/log/nginx/${name}_access.log;
+ error_log /var/log/nginx/${name}_error.log;
+ '';
+ })
+ );
+ };
+ };
+ config =
+ let
+ # matrix homeserver discovery
+ matrix_domain = "matrix.${config.networking.domain}";
+ serverConfig = {
+ "m.server" = "${matrix_domain}:443";
+ };
+ clientConfig = {
+ "m.homeserver" = {
+ base_url = "https://${matrix_domain}";
+ # server_name = config.networking.domain;
+ };
+ "org.matrix.msc3575.proxy" = {
+ url = "https://${matrix_domain}";
+ };
+ };
+ mkWellKnown = data: ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+ in
+ {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
 
- virtualHosts."${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- root = "/srv/web/${config.networking.domain}";
- locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
- locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ virtualHosts."${config.networking.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/srv/web/${config.networking.domain}";
+ locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "rouven@${config.networking.domain}";
+ };
+ };
 };
- };
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "rouven@${config.networking.domain}";
- };
- };
 }
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index b7f544c..1cb0327 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -70,6 +70,7 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; + programs.mosh.enable = true; security = { audit.enable = true; auditd.enable = true;
diff --git a/hosts/nuc/modules/nginx/default.nix b/hosts/nuc/modules/nginx/default.nix
index 20b1a53..56dd53a 100644
--- a/hosts/nuc/modules/nginx/default.nix
+++ b/hosts/nuc/modules/nginx/default.nix
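Review bot: The `options` block declaring per-vhost `access_log`/`error_log` defaults is duplicated verbatim in hosts/nuc/modules/nginx/default.nix (its `@@ -1,21 +1,34 @@` hunk), which is how the two hosts will drift apart; the repo already has a `shared/` directory for exactly this, so one module such as `shared/nginx-logs.nix` imported by both hosts would be the better shape. Because `extraConfig` has the `lines` type, a vhost that supplies its own `extraConfig` gets these two directives concatenated with its own rather than replaced; if they are meant as overridable defaults, wrap the string in `lib.mkDefault`. The per-vhost files under /var/log/nginx appear to fall under the NixOS nginx module's logrotate rule for `/var/log/nginx/*.log`, but that is worth confirming, since these logs carry client IPs and full request lines and must not grow unbounded. A short comment on the `options` block stating that it extends the upstream `services.nginx.virtualHosts` submodule rather than redefining it would help the next reader.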
@@ -1,21 +1,34 @@
 { lib, config, ... }:
-let
- v = (builtins.attrNames config.services.nginx.virtualHosts);
-in
 {
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- # virtualHosts = lib.genAttrs v (name: { extraConfig = " lohustuff goes ith ${name}"; });
+ # set default options for virtualHosts
+ options = with lib; {
+ services.nginx.virtualHosts = mkOption {
+ type = types.attrsOf (types.submodule
+ ({ name, ... }: {
+ # split up nginx access logs per vhost
+ extraConfig = ''
+ access_log /var/log/nginx/${name}_access.log;
+ error_log /var/log/nginx/${name}_error.log;
+ '';
+ })
+ );
+ };
 };
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "rouven@${config.networking.domain}";
+ config = {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ # virtualHosts = lib.genAttrs v (name: { extraConfig = " lohustuff goes ith ${name}"; });
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "rouven@${config.networking.domain}";
+ };
 };
 };
 }
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 7129b00..01d43fa 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -200,6 +200,7 @@ openssl cups agenix.packages.x86_64-linux.default + mosh ]; services.mysql = {
diff --git a/recovery.bin b/recovery.bin
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/thinkpad.yaml b/secrets/thinkpad.yaml
index 860938e..de78772 100644
--- a/secrets/thinkpad.yaml
+++ b/secrets/thinkpad.yaml
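Review bot: The commented-out line `# virtualHosts = lib.genAttrs v (name: { extraConfig = " lohustuff goes ith ${name}"; });` is carried into the new `config` block although this same hunk removes the `let v = ...` binding it refers to, so it is now dead text (with a typo) that will puzzle the next reader; drop it, since the `options` block above it is the working replacement. If a reminder is wanted, a one-line comment such as `# per-vhost log files come from the virtualHosts submodule default above` says it without pointing at a removed binding.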
@@ -1,6 +1,6 @@ wireless-env: ENC[AES256_GCM,data:IbvDlDV5Yg4rqqo5JIzX3eyR4c37BGsqzejBHvSWjk81hfxblhL2cBZcw1hlXW7Q5zjaD0eP9akdqG1RzhdH3iaIhaIVKO8LrXsbYI7fyG3OHCxZYZZ+5QA0LnASi9QD5Olxo0b0RIdomUehnWfTegBiVi8QshrfN+G1HOWL1YxuTv67DWMnA1/XCMOgYpznYS8wzRy7VM9PQWYYISqzoFbl1QIxTJEEVKEL529NzM7TBd4YU+NpcV/TQpy5qQ7F7hSVPxXx/m4RN+Km3EbM1q8Nr0Bckjc7GeDK/P0959ofSzwBzvQyZuQ3WrALqroI21wxQHO3HgDWJlPu7+aRTxPXE2SQka7gqDK4UnZU0GBxDRFi9GKWjhAsqQyKuRH6do9b,iv:t42Gu9j+Qe9TCnjbeH6o4pz1cc1IYHZoHbWOrfIpazA=,tag:68UhGtmx3gH0n9hTO1xalQ==,type:str] uni: - zih: ENC[AES256_GCM,data:KoiT/w5SsUEFAC5beCs3R5o=,iv:qQRZfdtbiAIWUAkdgrpdR8AWDdedn9yl9NcRm0ymE2A=,tag:uyhy5n40PgsWuaEofJjmog==,type:str] + zih: ENC[AES256_GCM,data:toYEAmGZPwwV7seHcC4oCvS3Q3FFxQ==,iv:iGvVTZstsebStrD40J6cULFg/I31ynHogYjl9irW0nI=,tag:zeoo2uFTcsL25mNwG2ZjHA==,type:str] wireguard: dorm: private: ENC[AES256_GCM,data:qZ8HCTv14z3+2AL1dHLd60MVUsUV458QdQteZJYQLVC1KMlzGe7KbgM1U8c=,iv:HMGxB4l7D/PL5Xt8A6jKIejJRL0QZF3x3eb2BtttXWM=,tag:KDyQWfk2EO5AR997JKdW+Q==,type:str] @@ -23,8 +23,8 @@ sops: YW1scVZDOUFaNUJ4UkFNT2U4eFh6VGsKfv6BaEvr0ibn1cSqE9GeUe4BrYwY9RTB PNnqxnwBX01rCitKFfpNe1rBHazp+DDh9Dw2N+m/hH6gXvu7LjcwGQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-19T19:06:17Z" - mac: ENC[AES256_GCM,data:SS7Q249lMciUL+lgHMqwDmLznzMB9NIBiO+Cn/j+o3ffmOrEhaho0dpNmoEXrDj5TTPQx4HkVkT/gypMbo3T9Z2mBOhnHY7NFWqgNatmhAfTHoqqiXJGNA6lS8xpBbUoJZ8gYIIqnBLVf/LirxM1l1KVc1sgJKPaMM2kswIytP0=,iv:JoaSBETswIdYaXdEi5qiSONuNb34EwFc1ZRPI7IEdSE=,tag:M4wd7ZTCQQBIwtKqrWjzKg==,type:str] + lastmodified: "2023-11-10T22:08:45Z" + mac: ENC[AES256_GCM,data:77bQVALWGfVS9/KXc6B2kQAGiPgcoIepyaJfIckimhMPUe8qiwypn1n0S+RD46alXq7yPTiYACRdTZVvBoEO2eNxdYH8Lha4k2WWBlfucyosfrw/CdzegQ0hGo12JYukDChHRuf7RRjmrvTZ/o4EBFOJoElhtW3Kq0PQLFewPTI=,iv:6HEiVBwwATGmUomKmBkBmk5nRGkhSVJu89foTthw++o=,tag:Zkf6Ljqhn9Tle44BfF2QEA==,type:str] pgp: - created_at: "2023-08-02T14:13:52Z" enc: |- diff --git a/shared/zsh.nix b/shared/zsh.nix index 251437a..09aab50 100644 --- a/shared/zsh.nix 
+++ b/shared/zsh.nix
@@ -25,6 +25,7 @@
 la = "ls -a";
 less = "bat";
 update = "cd /etc/nixos && nix flake update";
+ mosh = "f() {mosh $1 zsh};f";
 };
 histSize = 100000;
 histFile = "~/.local/share/zsh/history";
diff --git a/users/rouven/modules/accounts/default.nix b/users/rouven/modules/accounts/default.nix
index c9af79b..4bccfa7 100644
--- a/users/rouven/modules/accounts/default.nix
+++ b/users/rouven/modules/accounts/default.nix
@@ -108,6 +108,16 @@ in
 farPattern = "Opal";
 extraConfig.Create = "near";
 };
+ channels.FSR = {
+ nearPattern = "FSR";
+ farPattern = "FSR";
+ extraConfig.Create = "near";
+ };
+ channels.unispam = {
+ nearPattern = "Uni Spam";
+ farPattern = "Uni Spam";
+ extraConfig.Create = "near";
+ };
 channels.trash = {
 nearPattern = "Trash";
 farPattern = "Gel&APY-schte Elemente";
@@ -235,11 +245,6 @@ in
 farPattern = "[Gmail]/Papierkorb";
 extraConfig.Create = "near";
 };
- channels.sent = {
- nearPattern = "Sent";
- farPattern = "[Gmail]/Gesendet";
- extraConfig.Create = "near";
- };
 channels.junk = {
 nearPattern = "Junk";
 farPattern = "[Gmail]/Spam";
@@ -250,6 +255,16 @@ in
 farPattern = "[Gmail]/Entw&APw-rfe";
 extraConfig.Create = "near";
 };
+ channels.hetzner = {
+ nearPattern = "Hetzner";
+ farPattern = "Hetzner";
+ extraConfig.Create = "near";
+ };
+ channels.studentenwerk = {
+ nearPattern = "Studentenwerk";
+ farPattern = "Studentenwerk";
+ extraConfig.Create = "near";
+ };
 };
 extraConfig = {
 account = {
diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix
index 19abfba..4f13a71 100644
--- a/users/rouven/modules/ssh/default.nix
+++ b/users/rouven/modules/ssh/default.nix
@@ -44,14 +44,6 @@ in
 "quitte" = {
 hostname = "quitte.ifsr.de";
 user = "root";
- extraOptions = {
- RequestTTY = "yes";
- RemoteCommand = "zsh -i";
- };
- };
- "quitte-notty" = {
- hostname = "quitte.ifsr.de";
- user = "root";
 };
 "tomate" = {
 hostname = "tomate.ifsr.de";
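Review bot: The `mosh` alias forwards only `$1` to mosh, so any option placed before the host (for example a custom `--ssh` command, which falkenstein-1's sshd on port 2222 in this same commit may require unless the user's ssh config already sets that port) is silently dropped, and the helper function `f` stays defined in the interactive shell after every call. Passing all arguments through, quoting them, and cleaning up the helper keeps the alias general: `mosh = "f() { command mosh \"$@\" zsh; unset -f f; }; f";`. Whether zsh accepts the unspaced `{mosh $1 zsh}` body I have not verified; the spaced form avoids the question, and `command mosh` makes it explicit that the real binary, not the alias, is invoked inside the function.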
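Review bot: `channels.FSR` breaks the naming used by every other channel in this file (`unispam`, `trash`, `junk`, `hetzner`, `studentenwerk` are all lowercase), and since the attribute name becomes the mbsync channel identifier it is worth keeping the set consistent: `channels.fsr = {`. The `"Uni Spam"` patterns contain a space; if the generated mbsyncrc does not quote Near/Far patterns, mbsync will read them as two tokens, so check the rendered config once before relying on that channel.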