rouven.seifert/nixos-config
1
1
Fork 0
mirror of https://git.sr.ht/~rouven/nixos-config synced 2025-04-25 16:08:30 +02:00
Code Issues Projects Releases Packages Wiki Activity

falkenstein-1 -> falkenstein

Browse source
This commit is contained in:
Rouven Seifert 2023-11-20 22:46:51 +01:00
parent 41d348b037
commit bad96e4197
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
19 changed files with 41 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

73
hosts/falkenstein/default.nix Normal file
View file

@ -0,0 +1,73 @@
{ config, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./modules/backup
./modules/fail2ban
./modules/mail
./modules/networks
./modules/nginx
./modules/pfersel
./modules/purge
./modules/trucksimulatorbot
];
boot = {
loader = {
grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "/dev/sda";
};
efi.efiSysMountPoint = "/boot/efi";
};
initrd.systemd.enable = true;
};
zramSwap.enable = true;
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
systemd.package = pkgs.systemd.override { withHomed = false; };
environment.systemPackages = with pkgs; [
vim
wget
htop-vim
helix
lsof
python3
];
programs.git = {
enable = true;
config = {
user.name = "Rouven Seifert";
user.email = "rouven@rfive.de";
};
};
services.qemuGuest.enable = true;
systemd.services.qemu-guest-agent.path = [ pkgs.shadow ]; # fix root password reset
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
# clean up the logs a bit
ports = [ 2222 ];
settings.PasswordAuthentication = false;
};
programs.mosh.enable = true;
security = {
audit.enable = true;
auditd.enable = true;
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../keys/ssh/rouven-thinkpad
../../keys/ssh/rouven-pixel
# ../../keys/ssh/rouven-smartcard
];
system.stateVersion = "22.11";
}

40
hosts/falkenstein/hardware-configuration.nix Normal file
View file

@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/da06b92f-6eb6-45d5-9409-4d897a40d70e";
fsType = "ext4";
};
fileSystems."/boot/efi" =
{
device = "/dev/disk/by-uuid/B677-3035";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

30
hosts/falkenstein/modules/backup/default.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, pkgs, ... }:
{
age.secrets."borg/passphrase" = {
file = ../../../../secrets/falkenstein/borg/passphrase.age;
};
environment.systemPackages = [ pkgs.borgbackup ];
services.borgmatic = {
enable = true;
settings = {
source_directories = [
"/var/lib"
"/var/log"
"/root"
];
repositories = [
{
path = "ssh://root@192.168.42.2/mnt/backup/falkenstein";
label = "nuc";
}
];
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg/passphrase".path}";
compression = "lz4";
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 3;
};
};
}

25
hosts/falkenstein/modules/fail2ban/default.nix Normal file
View file

@ -0,0 +1,25 @@
{ ... }:
{
services.fail2ban = {
enable = true;
bantime = "10m";
bantime-increment = {
enable = true;
};
jails = {
dovecot = ''
enabled = true
# aggressive mode add blocking for aborted connections
filter = dovecot[mode=aggressive]
bantime = 10m
maxretry = 3
'';
postfix = ''
enabled = true
filter = postfix[mode=aggressive]
maxretry = 3
'';
};
};
}

289
hosts/falkenstein/modules/mail/default.nix Normal file
View file

@ -0,0 +1,289 @@
{ config, pkgs, ... }:
let
domain = config.networking.domain;
hostname = "mail.${domain}";
# see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE
/^\s*Mime-Version/ IGNORE
'';
in
{
networking.firewall.allowedTCPPorts = [
25 # insecure SMTP
465
587 # SMTP
993 # IMAP
4190 # sieve
];
users.users.rouven = {
description = "Rouven Seifert";
isNormalUser = true;
};
environment.etc = {
"dovecot/sieve-pipe/sa-learn-spam.sh" = {
text = ''
#!/bin/sh
${pkgs.rspamd}/bin/rspamc learn_spam
'';
mode = "0555";
};
"dovecot/sieve-pipe/sa-learn-ham.sh" = {
text = ''
#!/bin/sh
${pkgs.rspamd}/bin/rspamc learn_ham
'';
mode = "0555";
};
"dovecot/sieve/report-spam.sieve" = {
source = ./report-spam.sieve;
user = "dovecot2";
group = "dovecot2";
mode = "0544";
};
"dovecot/sieve/report-ham.sieve" = {
source = ./report-ham.sieve;
user = "dovecot2";
group = "dovecot2";
mode = "0544";
};
};
services = {
postfix = {
enable = true;
enableSubmission = true;
enableSubmissions = true;
hostname = "${hostname}";
domain = "${domain}";
origin = "${domain}";
destination = [ "${hostname}" "${domain}" "localhost" ];
networks = [ "127.0.0.1" "141.30.30.169" ];
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslKey = "/var/lib/acme/${hostname}/key.pem";
config = {
home_mailbox = "Maildir/";
smtp_helo_name = "falkenstein.vpn.rfive.de";
smtp_use_tls = true;
smtpd_use_tls = true;
smtpd_tls_protocols = [
"!SSLv2"
"!SSLv3"
"!TLSv1"
"!TLSv1.1"
];
smtpd_recipient_restrictions = [
"permit_sasl_authenticated"
"permit_mynetworks"
"reject_unauth_destination"
"reject_non_fqdn_sender"
"reject_non_fqdn_recipient"
"reject_unknown_sender_domain"
"reject_unknown_recipient_domain"
"reject_unauth_destination"
"reject_unauth_pipelining"
"reject_invalid_hostname"
];
smtpd_relay_restrictions = [
"permit_sasl_authenticated"
"permit_mynetworks"
"reject_unauth_destination"
];
smtp_header_checks = "pcre:${header_cleanup}";
alias_maps = [ "hash:/etc/aliases" ];
smtpd_sasl_auth_enable = true;
smtpd_sasl_path = "/var/lib/postfix/auth";
smtpd_sasl_type = "dovecot";
mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
};
};
dovecot2 = {
enable = true;
enableImap = true;
enableQuota = false;
enableLmtp = true;
mailLocation = "maildir:~/Maildir";
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
protocols = [ "imap" "sieve" ];
mailPlugins = {
globally.enable = [ "listescape" ];
perProtocol = {
imap = {
enable = [ "imap_sieve" "imap_filter_sieve" ];
};
lmtp = {
enable = [ "sieve" ];
};
};
};
mailboxes = {
Spam = {
auto = "create";
specialUse = "Junk";
};
Sent = {
auto = "create";
specialUse = "Sent";
};
Drafts = {
auto = "create";
specialUse = "Drafts";
};
Trash = {
auto = "create";
specialUse = "Trash";
};
};
modules = [
pkgs.dovecot_pigeonhole
];
extraConfig = ''
auth_username_format = %Ln
userdb {
driver = passwd
args = blocking=no
}
service auth {
unix_listener /var/lib/postfix/auth {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
}
namespace inbox {
separator = /
inbox = yes
}
service lmtp {
unix_listener dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
client_limit = 1
}
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_global_extensions = +vnd.dovecot.pipe
sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
imapsieve_mailbox1_name = Spam
imapsieve_mailbox1_causes = COPY APPEND FLAG
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
# From Junk folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
}
'';
};
rspamd = {
enable = true;
postfix.enable = true;
locals = {
"worker-controller.inc".text = ''
password = "$2$g1jh7t5cxschj11set5wksd656ixd5ie$cgwrj53hfb87xndqbh5r3ow9qfi1ejii8dxok1ihbnhamccn1rxy";
'';
"redis.conf".text = ''
read_servers = "127.0.0.1";
write_servers = "127.0.0.1";
'';
"milter_headers.conf".text = ''
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
'';
"dmarc.conf".text = ''
reporting {
# Required attributes
enabled = true; # Enable reports in general
email = 'reports@${config.networking.domain}'; # Source of DMARC reports
domain = '${config.networking.domain}'; # Domain to serve
org_name = '${config.networking.domain}'; # Organisation
from_name = 'DMARC Aggregate Report';
}
'';
"dkim_signing.conf".text = ''
selector = "rspamd";
allow_username_mismatch = true;
domain {
rfive.de {
path = /var/lib/rspamd/dkim/rfive.key;
selector = "rspamd";
}
}
'';
};
};
redis = {
vmOverCommit = true;
servers.rspamd = {
enable = true;
port = 6379;
};
};
};
security.acme.certs."${domain}" = {
reloadServices = [
"postfix.service"
"dovecot2.service"
];
};
services.nginx.virtualHosts = {
"${hostname}" = {
enableACME = true;
forceSSL = true;
};
"rspamd.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:11334";
proxyWebsockets = true;
};
};
};
};
systemd = {
services.rspamd-dmarc-report = {
description = "rspamd dmarc reporter";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
User = "rspamd";
Group = "rspamd";
};
};
timers.rspamd-dmarc-report = {
description = "Timer for daily dmarc reports";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Unit = "rspamd-dmarc-report.service";
};
};
};
}

15
hosts/falkenstein/modules/mail/report-ham.sieve Normal file
View file

@ -0,0 +1,15 @@
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
if environment :matches "imap.mailbox" "*" {
set "mailbox" "${1}";
}
if string "${mailbox}" "Trash" {
stop;
}
if environment :matches "imap.user" "*" {
set "username" "${1}";
}
pipe :copy "sa-learn-ham.sh" [ "${username}" ];

7
hosts/falkenstein/modules/mail/report-spam.sieve Normal file
View file

@ -0,0 +1,7 @@
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
if environment :matches "imap.user" "*" {
set "username" "${1}";
}
pipe :copy "sa-learn-spam.sh" [ "${username}" ];

84
hosts/falkenstein/modules/networks/default.nix Normal file
View file

@ -0,0 +1,84 @@
{ config, ... }:
{
age.secrets = {
"wireguard/dorm/private" = {
file = ../../../../secrets/falkenstein/wireguard/dorm/private.age;
owner = config.users.users.systemd-network.name;
};
"wireguard/dorm/preshared" = {
file = ../../../../secrets/falkenstein/wireguard/dorm/preshared.age;
owner = config.users.users.systemd-network.name;
};
};
networking = {
hostName = "falkenstein";
nftables.enable = true;
domain = "rfive.de";
useNetworkd = true;
enableIPv6 = true;
};
services.resolved = {
dnssec = "true";
fallbackDns = [
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
];
};
systemd.network = {
enable = true;
networks."10-loopback" = {
matchConfig.Name = "lo";
linkConfig.RequiredForOnline = false;
};
networks."10-wired" = {
matchConfig.Name = "ens3";
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = "yes";
Address = "2a01:4f8:c012:49de::1/64";
Gateway = "fe80::1";
};
};
netdevs."30-dorm" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path;
ListenPort = 51820;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
Endpoint = "dorm.vpn.rfive.de:51820";
AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
};
}
];
};
networks."30-dorm" = {
matchConfig.Name = "wg0";
networkConfig = {
DNS = "192.168.42.1";
};
addresses = [
{
addressConfig = {
Address = "192.168.43.4/24";
RouteMetric = 30;
};
}
];
routes = [
{ routeConfig = { Gateway = "0.0.0.0"; Destination = "192.168.42.0/24"; Metric = 30; }; }
];
};
};
}

63
hosts/falkenstein/modules/nginx/default.nix Normal file
View file

@ -0,0 +1,63 @@
{ config, lib, ... }:
{
# set default options for virtualHosts
options = with lib; {
services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule
({ name, ... }: {
# split up nginx access logs per vhost
extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
'';
})
);
};
};
config =
let
# matrix homeserver discovery
matrix_domain = "matrix.${config.networking.domain}";
serverConfig = {
"m.server" = "${matrix_domain}:443";
};
clientConfig = {
"m.homeserver" = {
base_url = "https://${matrix_domain}";
# server_name = config.networking.domain;
};
"org.matrix.msc3575.proxy" = {
url = "https://${matrix_domain}";
};
};
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
root = "/srv/web/${config.networking.domain}";
locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "rouven@${config.networking.domain}";
};
};
};
}

13
hosts/falkenstein/modules/pfersel/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, ... }:
{
age.secrets.pfersel = {
file = ../../../../secrets/falkenstein/pfersel.age;
owner = "pfersel";
};
services.pfersel = {
enable = true;
discord = {
tokenFile = config.age.secrets.pfersel.path;
};
};
}

24
hosts/falkenstein/modules/purge/default.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, ... }:
let
domain = "purge.${config.networking.domain}";
in
{
age.secrets.purge = {
file = ../../../../secrets/falkenstein/purge.age;
};
services.purge = {
enable = true;
discord = {
clientId = "941041925216157746";
publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402";
tokenFile = config.age.secrets.purge.path;
};
};
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.purge.listenPort}";
};
};
}

46
hosts/falkenstein/modules/trucksimulatorbot/default.nix Normal file
View file

@ -0,0 +1,46 @@
{ config, pkgs, trucksimulatorbot, ... }:
let
domain = "trucksimulatorbot.${config.networking.domain}";
in
{
services.trucksimulatorbot = {
enable = true;
discord = {
clientId = "831052837353816066";
publicKey = "faa7004a2a5096702f96f3ebeb45c7e8272c119b72c1a0894abc4d76d8cc8bad";
};
};
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureUsers = [
{
name = "trucksimulator";
ensurePermissions = {
"trucksimulator.*" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "trucksimulator" ];
};
services.nginx.virtualHosts = {
"images.${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.trucksimulatorbot.images.listenPort}";
};
};
"${domain}" = {
enableACME = true;
forceSSL = true;
locations."/invite".return = " 301 https://discord.com/api/oauth2/authorize?client_id=831052837353816066&permissions=262144&scope=bot%20applications.commands";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.trucksimulatorbot.listenPort}";
};
locations."/docs" = {
root = "${trucksimulatorbot.packages.x86_64-linux.docs}";
};
};
};
}