diff --git a/README.md b/README.md
index 0ddc915..f3ff301 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,6 @@ sda
 ├─sda1 /
 ├─sda14 # BIOS boot
 └─sda15 /boot/efi # EFI stuff
-zram0 [SWAP]
 ```
 ### vm
diff --git a/flake.lock b/flake.lock
index 425358b..2de47a7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -180,11 +180,11 @@ ] }, "locked": { - "lastModified": 1709485962, - "narHash": "sha256-rmFB4uE10+LJbcVE4ePgiuHOBlUIjQOeZt4VQVJTU8M=", + "lastModified": 1709938482, + "narHash": "sha256-2Vw2WOFmEXWQH8ziFNOr0U48Guh5FacuD6BOEIcE99s=", "owner": "nix-community", "repo": "home-manager", - "rev": "d579633ff9915a8f4058d5c439281097e92380a8", + "rev": "17431970b4ebc75a92657101ccffcfc9e1f9d8f0", "type": "github" }, "original": {
@@ -281,11 +281,11 @@ ] }, "locked": { - "lastModified": 1709435391, - "narHash": "sha256-s4itTkIVxn5lYeTzwkbAgl99atnjdZv1idI1118vdzA=", + "lastModified": 1709906691, + "narHash": "sha256-206XMy1NGW42bnHukJl5W2F90yHNoJc7+H3i+/8i2Pg=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "93554c04c2f1c02f4a383538e8848d511c3129e9", + "rev": "2ad5ebce1e1be47a8cf330d85265ac09ffa15178", "type": "github" }, "original": {
@@ -296,11 +296,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709237383, - "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", + "lastModified": 1709703039, + "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", + "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d", "type": "github" }, "original": {
@@ -488,11 +488,11 @@ ] }, "locked": { - "lastModified": 1709309746, - "narHash": "sha256-janCP2IoaBQIYQVn/LSYXncheCQ2l7u8E7V2XgHz2G8=", + "lastModified": 1709987509, + "narHash": "sha256-q7iK2q1Sff0FQfsp4G5wX0A8r+k1p6XLOlrICueXtlI=", "owner": "rouven0", "repo": "TruckSimulatorBot", - "rev": "6a6bd63946a031ac020a9463cddb3a99de9385fd", + "rev": "db517d53381e3ccea75653e8d29a68d0800cb8c0", "type": "github" }, "original": {
diff --git a/hosts/falkenstein/default.nix b/hosts/falkenstein/default.nix
index b84a17a..60cacca 100644
--- a/hosts/falkenstein/default.nix
+++ b/hosts/falkenstein/default.nix
@@ -5,6 +5,7 @@
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./modules/backup
+ ./modules/dns
 ./modules/fail2ban
 ./modules/mail
 ./modules/networks
@@ -27,7 +28,6 @@
 initrd.systemd.enable = true;
 kernelPackages = pkgs.linuxPackages_latest;
 };
- zramSwap.enable = true;
 time.timeZone = "Europe/Berlin";
diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix
new file mode 100644
index 0000000..48b2eb8
--- /dev/null
+++ b/hosts/falkenstein/modules/dns/default.nix
@@ -0,0 +1,66 @@
+{ pkgs, ... }:
+{
+ services.bind = {
+ enable = true;
+ zones = {
+ "rfive.de" = {
+ master = true;
+ slaves = [
+ "185.181.104.96"
+ ];
+ extraConfig = ''
+ also-notify {185.181.104.96;};
+ '';
+ file = pkgs.writeText "rfive.de_zone.txt" ''
+ $TTL 3600
+ $ORIGIN rfive.de.
+
+ rfive.de. 86400 IN SOA ns.rfive.de. hostmaster.rfive.de. 2024030832 10800 3600 604800 3600
+ @ 3600 IN NS ns.rfive.de.
+ @ 3600 IN NS ns.inwx.de.
+ @ 3600 IN NS ns2.inwx.de.
+
+ ns.rfive.de. 3600 IN A 23.88.121.184
+ ns.rfive.de. 3600 IN AAAA 2a01:4f8:c012:49de::1
+
+ @ IN A 23.88.121.184
+ @ IN AAAA 2a01:4f8:c012:49de::1
+ @ IN CAA 0 iodef "mailto:ca@rfive.de"
+ @ IN CAA 0 issue "letsencrypt.org"
+ @ IN CAA 0 issuewild ";"
+
+ nuc IN A 141.30.227.6
+
+ falkenstein IN A 23.88.121.184
+ falkenstein IN AAAA 2a01:4f8:c012:49de::1
+ falkenstein IN SSHFP 1 1 DE42CA418093CF94EABC124E101AE4D8DE02C69F
+ falkenstein IN SSHFP 1 2 149100F5C3CA333E20E7B03EB463B0FB23D34FFE1FC65EFAADDDBE51 8EC35990
+ falkenstein IN SSHFP 4 1 70A38677DEE50C5B67AA11400A6BCD4984355C2A
+ falkenstein IN SSHFP 4 2 B25AD18A23C885AE965875C4C9EDA4E4EDFD3503334B10F0BFE7527B EB178CB2
+
+ @ IN MX 1 mail.rfive.de.
+ mail IN A 23.88.121.184
+ mail IN AAAA 2a01:4f8:c012:49de::1
+
+ @ IN TXT "v=spf1 mx ~all"
+ rspamd._domainkey IN TXT "v=DKIM1; k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB"
+ _dmarc IN TXT "v=DMARC1; p=none; adkim=s; fo=1; rua=mailto:dmarc@rfive.de; ruf=mailto:dmarc@rfive.de"
+
+ cache IN CNAME nuc.rfive.de.
+ chat IN CNAME nuc.rfive.de.
+ img.trucks IN CNAME falkenstein.rfive.de.
+ matrix IN CNAME nuc.rfive.de.
+ purge IN CNAME falkenstein.rfive.de.
+ rspamd IN CNAME falkenstein.rfive.de.
+ seafile IN CNAME nuc.rfive.de.
+ trucks IN CNAME falkenstein.rfive.de.
+ vault IN CNAME nuc.rfive.de.
+
+ _discord IN TXT "dh=0bcca75b0a56c304f0c23fbdb3f12009411e8c0c"
+ '';
+ };
+ };
+ };
+ networking.firewall.allowedUDPPorts = [ 53 ];
+ networking.firewall.allowedTCPPorts = [ 53 ];
+}
diff --git a/hosts/falkenstein/modules/mail/default.nix b/hosts/falkenstein/modules/mail/default.nix
index 1e96bae..4f5ef3f 100644
--- a/hosts/falkenstein/modules/mail/default.nix
+++ b/hosts/falkenstein/modules/mail/default.nix
@@ -44,7 +44,8 @@ in
 sslKey = "/var/lib/acme/${hostname}/key.pem";
 config = {
 home_mailbox = "Maildir/";
- smtp_helo_name = "falkenstein.vpn.rfive.de";
+ smtp_helo_name = config.networking.fqdn;
+ smtpd_banner = "${config.networking.fqdn} ESMTP $mail_name";
 smtp_use_tls = true;
 smtpd_use_tls = true;
 smtpd_tls_protocols = [
@@ -220,7 +221,6 @@ in
 "dkim_signing.conf".text = ''
 selector = "rspamd";
 allow_username_mismatch = true;
- allow_hdrfrom_mismatch = true;
 path = /var/lib/rspamd/dkim/$domain.key;
 '';
 };
diff --git a/hosts/falkenstein/modules/networks/default.nix b/hosts/falkenstein/modules/networks/default.nix
index 4452579..163bf41 100644
--- a/hosts/falkenstein/modules/networks/default.nix
+++ b/hosts/falkenstein/modules/networks/default.nix
@@ -31,6 +31,10 @@
 "2620:fe::fe"
 "2620:fe::9"
 ];
+ extraConfig = ''
+ [Resolve]
+ DNSStubListener=no
+ '';
 };
 systemd.network = {
 enable = true;
@@ -72,7 +76,7 @@
 wireguardPeerConfig = {
 PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
 PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
- Endpoint = "dorm.vpn.rfive.de:51820";
+ Endpoint = "nuc.rfive.de:51820";
 AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
 };
 }
diff --git a/hosts/falkenstein/modules/trucksimulatorbot/default.nix b/hosts/falkenstein/modules/trucksimulatorbot/default.nix
index 18d4496..6e9ecd3 100644
--- a/hosts/falkenstein/modules/trucksimulatorbot/default.nix
+++ b/hosts/falkenstein/modules/trucksimulatorbot/default.nix
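Review bot: The `falkenstein IN SSHFP …` records are served from an unsigned zone — the `"rfive.de"` zone sets no `dnssec-policy` — so an OpenSSH client with `VerifyHostKeyDNS yes`, which the ssh module later in this commit enables for `falkenstein.rfive.de`, will report a matching fingerprint but still fall back to the interactive host-key prompt because the answer is not DNSSEC-validated. The records only replace manual fingerprint checking once the zone is signed (e.g. `dnssec-policy default;` in `extraConfig`, with the DS published at the registrar) and the client's resolver validates. On the mail records: the `rspamd._domainkey` key is a 1024-bit RSA key (the `MIGfMA0G…` SPKI prefix), below the commonly recommended 2048 bits, and `_dmarc` is at `p=none` with SPF `~all`, so neither policy rejects forged mail yet — acceptable for a monitoring phase, but worth a comment in the zone text saying that it is one. Since the firewall opens 53/udp and 53/tcp on every interface, it is also worth confirming that recursion stays limited to loopback (the NixOS default for `cacheNetworks`, presumably unchanged here).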
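Review bot: `smtp_helo_name = config.networking.fqdn;` and the new `smtpd_banner` both evaluate `networking.fqdn`, which in NixOS fails evaluation when `networking.domain` is unset; the trucksimulatorbot module in this commit already reads `config.networking.domain`, so it is presumably set for this host, but the hunk does not show whether `config` is an argument of this module (its header is outside the hunk). Because the HELO name moves from `falkenstein.vpn.rfive.de` to the public FQDN, it is worth confirming that the PTR records of 23.88.121.184 and 2a01:4f8:c012:49de::1 (the addresses the new zone gives `mail` and `falkenstein`) resolve to that same name, since many receivers compare HELO, banner and reverse DNS. A one-line comment such as `# HELO/banner must match this host's PTR record` next to `smtp_helo_name` would document that coupling.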
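Review bot: `DNSStubListener=no` frees port 53 for the new BIND instance, but it also stops systemd-resolved from answering on 127.0.0.53, so if `/etc/resolv.conf` on this host still points at the stub address, local name resolution breaks after the rebuild. Confirm what NixOS writes to `/etc/resolv.conf` for this configuration (with resolved enabled it is usually a symlink into `/run/systemd/resolve/`) and that `resolvectl query` still works; if not, point it at `/run/systemd/resolve/resolv.conf` (the upstream list) or at the local BIND. A comment like `# port 53 is taken by services.bind (modules/dns); resolved still resolves via its upstreams` above `extraConfig` would explain the setting. The enclosing block (presumably `services.resolved`) starts outside the hunk.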
@@ -1,6 +1,6 @@
 { config, pkgs, trucksimulatorbot, ... }:
 let
- domain = "trucksimulatorbot.${config.networking.domain}";
+ domain = "trucks.${config.networking.domain}";
 in
 {
 services.trucksimulatorbot = {
@@ -24,7 +24,7 @@ in
 ensureDatabases = [ "trucksimulator" ];
 };
 services.nginx.virtualHosts = {
- "images.${domain}" = {
+ "img.${domain}" = {
 enableACME = true;
 forceSSL = true;
 locations."/" = {
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 670f0ea..7415d60 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -7,13 +7,9 @@
 ./modules/networks
 ./modules/backup
 ./modules/cache
- # ./modules/grafana
- ./modules/hydra
- # ./modules/prometheus
 ./modules/matrix
 ./modules/mautrix-telegram
 ./modules/seafile
- ./modules/uptime-kuma
 ./modules/vaultwarden
 ./modules/nginx
 ];
@@ -69,8 +65,6 @@
 programs.mosh.enable = true;
- # firmware updates
- services.fwupd.enable = true;
 users.users.root.initialHashedPassword = "$y$j9T$hYM7FT2hn3O7OWBn9uz8e0$XquxONcPSke6YjdRGwOzGxC0/92hgP7PIB0y0K.Qdr/";
 users.users.root.openssh.authorizedKeys.keyFiles = [
 ../../keys/ssh/rouven-thinkpad
diff --git a/hosts/nuc/modules/uptime-kuma/default.nix b/hosts/nuc/modules/uptime-kuma/default.nix
deleted file mode 100644
index 9d2e32b..0000000
--- a/hosts/nuc/modules/uptime-kuma/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
- { config, ... }:
- let
- domain = "uptime.${config.networking.domain}";
- in
- {
- services.uptime-kuma = {
- enable = true;
- };
- services.nginx.virtualHosts."${domain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3001";
- proxyWebsockets = true;
- };
- };
-
- }
diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index 3d1cbdb..7bfaf31 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@@ -151,7 +151,7 @@
 wireguardPeerConfig = {
 PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
 PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
- Endpoint = "dorm.vpn.rfive.de:51820";
+ Endpoint = "nuc.rfive.de:51820";
 AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
 };
 }
diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix
index d66570a..ff2d7ec 100644
--- a/users/rouven/modules/packages.nix
+++ b/users/rouven/modules/packages.nix
@@ -8,7 +8,7 @@
 zip
 unzip
 man-pages
- cinnamon.nemo
+ pcmanfm
 xdg-utils # used for xdg-open
 appimage-run
 seafile-client
diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix
index fb95c2e..59fd80d 100644
--- a/users/rouven/modules/ssh/default.nix
+++ b/users/rouven/modules/ssh/default.nix
@@ -22,7 +22,7 @@ in
 identityFile = git;
 };
 "rfive.de" = {
- hostname = "falkenstein.vpn.rfive.de";
+ hostname = "falkenstein.rfive.de";
 user = "root";
 extraOptions = {
 VerifyHostKeyDNS = "yes";
diff --git a/users/rouven/modules/wayland/default.nix b/users/rouven/modules/wayland/default.nix
index 16f0b52..e68e13b 100644
--- a/users/rouven/modules/wayland/default.nix
+++ b/users/rouven/modules/wayland/default.nix
@@ -29,7 +29,7 @@
 { event = "lock"; command = lib.getExe pkgs.swaylock-effects; }
 ];
 timeouts = [
- { timeout = 300; command = lib.getExe pkgs.swaylock-effects; }
+ # { timeout = 300; command = lib.getExe pkgs.swaylock-effects; }
 ];
 systemdTarget = "graphical-session.target";
 };
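Review bot: Commenting out the `timeout = 300` entry leaves `timeouts = [ ];`, so the idle service (presumably swayidle, given `systemdTarget`) no longer locks the session after inactivity; only the explicit `lock` event handler above it remains. If disabling the idle lock is intended, a short comment stating why (`# idle lock disabled on purpose: <reason>`) would keep the next reader from restoring it, and a longer timeout rather than none would preserve the protection for an unattended session; if this is a temporary debugging change, remove the dead line instead of keeping it as a comment. The enclosing attribute set starts outside the hunk.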