From 3d76e6ecaba261edefc2f806f5dc72745348a743 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Sat, 22 Jun 2024 16:27:13 +0200 Subject: [PATCH 1/4] rspamd: init reputation --- hosts/falkenstein/modules/mail/rspamd.nix | 68 +++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/hosts/falkenstein/modules/mail/rspamd.nix b/hosts/falkenstein/modules/mail/rspamd.nix index 15dbdde..87223e5 100644 --- a/hosts/falkenstein/modules/mail/rspamd.nix +++ b/hosts/falkenstein/modules/mail/rspamd.nix @@ -31,6 +31,74 @@ allow_username_mismatch = true; path = /var/lib/rspamd/dkim/$domain.key; ''; + "reputation.conf".text = '' + rules { + ip_reputation = { + selector "ip" { + } + backend "redis" { + servers = "/run/redis-rspamd/redis.sock"; + } + + symbol = "IP_REPUTATION"; + } + spf_reputation = { + selector "spf" { + } + backend "redis" { + servers = "/run/redis-rspamd/redis.sock"; + } + + symbol = "SPF_REPUTATION"; + } + dkim_reputation = { + selector "dkim" { + } + backend "redis" { + servers = "/run/redis-rspamd/redis.sock"; + } + + symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT + } + generic_reputation = { + selector "generic" { + selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html + } + backend "redis" { + servers = "/run/redis-rspamd/redis.sock"; + } + + symbol = "GENERIC_REPUTATION"; + } + } + ''; + "groups.conf".text = '' + group "reputation" { + symbols = { + "IP_REPUTATION_HAM" { + weight = 1.0; + } + "IP_REPUTATION_SPAM" { + weight = 4.0; + } + + "DKIM_REPUTATION" { + weight = 1.0; + } + + "SPF_REPUTATION_HAM" { + weight = 1.0; + } + "SPF_REPUTATION_SPAM" { + weight = 2.0; + } + + "GENERIC_REPUTATION" { + weight = 1.0; + } + } + } + ''; }; }; redis = { From bff20285d2a2e0e93ed01d8dd6d992272ce2abfb Mon Sep 17 00:00:00 2001 
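Review bot: The `generic_reputation` rule keys its generic selector on `ip` (`selector = "ip";`), so it scores the same sender address that `ip_reputation` already covers, and with `IP_REPUTATION_SPAM` at 4.0 plus `GENERIC_REPUTATION` at 1.0 in `groups.conf` one bad address is counted twice; if that is not intended, drop the generic rule or key it on something the other three rules do not cover. The Redis socket `/run/redis-rspamd/redis.sock` is repeated in all four backends; a `let redisSocket = "/run/redis-rspamd/redis.sock"; in` binding with `servers = "${redisSocket}";` keeps them in sync. Whether the enclosing attribute set is `locals` (merged into `local.d`) or `overrides` (`override.d`) is outside the hunk; if it is `overrides`, this `groups.conf` replaces rspamd's shipped group definitions instead of extending them.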
From: Rouven Seifert Date: Sat, 22 Jun 2024 16:27:40 +0200 Subject: [PATCH 2/4] auth updates --- hosts/nuc/modules/authentik/default.nix | 8 ++++++++ hosts/nuc/modules/matrix/default.nix | 3 +++ 2 files changed, 11 insertions(+) diff --git a/hosts/nuc/modules/authentik/default.nix b/hosts/nuc/modules/authentik/default.nix index 6913f98..5ee7e45 100644 --- a/hosts/nuc/modules/authentik/default.nix +++ b/hosts/nuc/modules/authentik/default.nix @@ -12,7 +12,15 @@ in services.authentik = { enable = true; environmentFile = config.age.secrets.authentik-core.path; + settings = { + cert_discovery_dir = "env://CREDENTIALS_DIRECTORY"; + }; }; + systemd.services.authentik-worker.serviceConfig.LoadCredential = [ + "${domain}.pem:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.crt" + "${domain}.key:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.key" + ]; + services.authentik-ldap = { enable = true; environmentFile = config.age.secrets.authentik-ldap.path; diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix index 07591f4..161c056 100644 --- a/hosts/nuc/modules/matrix/default.nix +++ b/hosts/nuc/modules/matrix/default.nix @@ -72,6 +72,9 @@ in reverse_proxy /client/* unix//run/matrix-sliding-sync/server.sock reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync* unix//run/matrix-sliding-sync/server.sock reverse_proxy 127.0.0.1:8008 + handle /_synapse/metrics* { + respond 404 + } ''; # element From 97a9bbce42aa96d03d8746c4514d7f70b6504411 Mon Sep 17 00:00:00 2001 
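Review bot: `LoadCredential` copies `${domain}.pem` and `${domain}.key` into the credentials directory when `authentik-worker` starts, so a certificate Caddy renews later is not seen by authentik until the worker restarts; a timer or path unit that restarts the worker after renewal would close that gap. The source paths also hard-code Caddy's ACME storage layout (`acme-v02.api.letsencrypt.org-directory`); switching Caddy to another CA or the staging endpoint changes that path and the worker then fails to start because the credential cannot be loaded, which is worth a comment on the `LoadCredential` line. `cert_discovery_dir` is set in the shared `settings`, so the authentik server unit reads the same setting but receives no credential; I assume only the worker performs discovery, but that is not visible here.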
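Review bot: The `handle /_synapse/metrics*` block is placed after the catch-all `reverse_proxy 127.0.0.1:8008`, so it only takes effect because Caddy orders `handle` before `reverse_proxy` regardless of position in the Caddyfile; moving the block above the three `reverse_proxy` lines, or adding `# handle is evaluated before reverse_proxy by Caddy's directive order`, makes the intent readable. The `/_synapse/admin*` paths are the other Synapse-internal API reachable through the same catch-all and usually get the same `respond 404` treatment. Whether the metrics resource is even enabled on the 8008 listener is not visible here.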
From: Rouven Seifert Date: Sat, 22 Jun 2024 16:27:54 +0200 Subject: [PATCH 3/4] nfs: init --- hosts/fujitsu/default.nix | 1 + hosts/fujitsu/modules/nfs/default.nix | 19 +++++++++++++++ hosts/nuc/modules/networks/default.nix | 8 +++++++ hosts/thinkpad/modules/security/default.nix | 24 +++++++++++++++++++ .../modules/virtualisation/default.nix | 12 ++++------ 5 files changed, 56 insertions(+), 8 deletions(-) create mode 100644 hosts/fujitsu/modules/nfs/default.nix diff --git a/hosts/fujitsu/default.nix b/hosts/fujitsu/default.nix index bbac861..3685021 100644 --- a/hosts/fujitsu/default.nix +++ b/hosts/fujitsu/default.nix @@ -4,6 +4,7 @@ ./hardware-configuration.nix ./modules/networks ./modules/monitoring + ./modules/nfs ]; boot.loader.grub.enable = true; diff --git a/hosts/fujitsu/modules/nfs/default.nix b/hosts/fujitsu/modules/nfs/default.nix new file mode 100644 index 0000000..890a8be --- /dev/null +++ b/hosts/fujitsu/modules/nfs/default.nix @@ -0,0 +1,19 @@ +{ ... }: +{ + fileSystems."/export" = { + device = "/dev/sda2"; + fsType = "btrfs"; + options = [ "subvol=export" "compress=zstd" "noatime" ]; + }; + + services.nfs.server = { + enable = true; + exports = '' + /export 192.168.42.2(rw,fsid=0,no_subtree_check) + /export/movies 192.168.42.2(rw,fsid=0,no_subtree_check) + /export/shows 192.168.42.2(rw,fsid=0,no_subtree_check) + ''; + }; + networking.firewall.allowedTCPPorts = [ 2049 ]; + +} diff --git a/hosts/nuc/modules/networks/default.nix b/hosts/nuc/modules/networks/default.nix index 70f154e..7c260c3 100644 --- a/hosts/nuc/modules/networks/default.nix +++ b/hosts/nuc/modules/networks/default.nix @@ -1,5 +1,13 @@ { ... }: { + fileSystems."/media/movies" = { + device = "fujitsu.vpn.rfive.de:/movies"; + fsType = "nfs"; + }; + fileSystems."/media/shows" = { + device = "fujitsu.vpn.rfive.de:/movies"; + fsType = "nfs"; + }; networking = { hostName = "nuc"; domain = "rfive.de"; 
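Review bot: Every export in `services.nfs.server.exports` carries `fsid=0`, but that option designates the single NFSv4 pseudo-root; only `/export` should have it, and `/export/movies` and `/export/shows` need their own ids (`fsid=1`, `fsid=2`), otherwise which export becomes the pseudo-root is undefined. All three exports are `rw` to one VPN address with the default `sec=sys`, so access control rests entirely on the peer presenting 192.168.42.2 and on client-side UIDs; if the client only reads the media trees, `ro` is the cheap tightening. `allowedTCPPorts = [ 2049 ]` opens the port on every interface rather than only the VPN one; `networking.firewall.interfaces.<vpn-interface>.allowedTCPPorts = [ 2049 ];` scopes it.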
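Review bot: `fileSystems."/media/shows"` mounts `fujitsu.vpn.rfive.de:/movies`, the same export as `/media/movies`; the device for shows should be `fujitsu.vpn.rfive.de:/shows` (the server exports `/export/shows`, and with `fsid=0` on `/export` the NFSv4 path is `/shows`). Both mounts have no `options`, so they are hard mounts attempted at boot; if the VPN is not up yet, boot blocks on them, which `options = [ "x-systemd.automount" "noauto" "_netdev" ]` (or at least `nofail`) avoids. I assume `nuc` is the 192.168.42.2 client named in the export; that mapping is not visible in this hunk.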
diff --git a/hosts/thinkpad/modules/security/default.nix b/hosts/thinkpad/modules/security/default.nix index 416969f..f67a81f 100644 --- a/hosts/thinkpad/modules/security/default.nix +++ b/hosts/thinkpad/modules/security/default.nix @@ -20,6 +20,30 @@ sudo.u2fAuth = true; }; }; + krb5 = { + enable = true; + settings = { + libdefaults = { + default_realm = "AGDSN.DE"; + dns_lookup_realm = false; + dns_lookup_kdc = true; + ticket_lifetime = "24h"; + forwardable = "yes"; + }; + realms."AGDSN.DE" = { + kdc = "idm.agdsn.network:88"; + master_kdc = "idm.agdsn.network:88"; + admin_server = "idm.agdsn.network:749"; + default_domain = "agdsn.de"; + }; + domain_realm = { + "agdsn.de" = "AGDSN.DE"; + ".agdsn.de" = "AGDSN.DE"; + "agdsn" = "AGDSN.DE"; + ".agdsn" = "AGDSN.DE"; + }; + }; + }; }; services = { fprintd.enable = true; # log in using fingerprint diff --git a/hosts/thinkpad/modules/virtualisation/default.nix b/hosts/thinkpad/modules/virtualisation/default.nix index d38155e..7536dfc 100644 --- a/hosts/thinkpad/modules/virtualisation/default.nix +++ b/hosts/thinkpad/modules/virtualisation/default.nix @@ -1,14 +1,9 @@ { pkgs, ... }: { virtualisation = { - docker = { - rootless = { - enable = true; - setSocketVariable = true; - daemon.settings = { - iptables = false; - }; - }; + podman = { + enable = true; + defaultNetwork.settings.dns_enabled = true; }; libvirtd = { enable = true; @@ -27,5 +22,6 @@ programs.virt-manager.enable = true; environment.systemPackages = with pkgs; [ virt-viewer + podman-compose ]; } From a9f3c6836e81415a76e506448dae1615d5248a84 Mon Sep 17 00:00:00 2001 
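Review bot: Boolean settings in the new `krb5.settings.libdefaults` are written in two forms, `dns_lookup_realm = false;` as a Nix boolean and `forwardable = "yes";` as a string; krb5 accepts both spellings, but `forwardable = true;` keeps the generated file consistent. `forwardable` makes every TGT forwardable by default; that is only exercised when a client delegates, and the ssh config in this series enables `GSSAPIAuthentication` without `GSSAPIDelegateCredentials`, so delegation stays off — a comment such as `# TGTs are forwardable; delegation is still opt-in per ssh host` records that dependency. `dns_lookup_kdc = true` next to an explicit `kdc`/`master_kdc` for the realm is redundant for `AGDSN.DE`; if it is meant for other realms, say so.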
From: Rouven Seifert Date: Sat, 22 Jun 2024 16:28:09 +0200 Subject: [PATCH 4/4] user: remove shikane config --- flake.lock | 30 ++-- users/rouven/default.nix | 2 +- users/rouven/modules/default.nix | 2 +- users/rouven/modules/ssh/default.nix | 7 +- users/rouven/modules/wayland/shikane.nix | 183 ++--------------------- users/rouven/options/default.nix | 3 - users/rouven/options/shikane.nix | 77 ---------- 7 files changed, 37 insertions(+), 267 deletions(-) delete mode 100644 users/rouven/options/default.nix delete mode 100644 users/rouven/options/shikane.nix diff --git a/flake.lock b/flake.lock index 0960aa1..d5b20ea 100644 --- a/flake.lock +++ b/flake.lock @@ -12,11 +12,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1716561646, - "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=", + "lastModified": 1718371084, + "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=", "owner": "ryantm", "repo": "agenix", - "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9", + "rev": "3a56735779db467538fb2e577eda28a9daacaca6", "type": "github" }, "original": { @@ -38,11 +38,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1715166702, - "narHash": "sha256-PJxwZoT1JWxMaKRdTLMHN55mdYlhZn2L5VpvyevKkug=", + "lastModified": 1718106692, + "narHash": "sha256-IGMrKVU2fXgn30LQduJIg89HefHLlPMgJ3mnnKpnNfU=", "owner": "nix-community", "repo": "authentik-nix", - "rev": "84c3ce6fe7c174ed1a53cbc5e36cf6a70f4dcc1b", + "rev": "11f5e0fd17dd44d9946a23271d201b257df9f0f4", "type": "github" }, "original": { @@ -300,11 +300,11 @@ ] }, "locked": { - "lastModified": 1717931644, - "narHash": "sha256-Sz8Wh9cAiD5FhL8UWvZxBfnvxETSCVZlqWSYWaCPyu0=", + "lastModified": 1718788307, + "narHash": "sha256-SqiOz0sljM0GjyQEVinPXQxaGcbOXw5OgpCWGPgh/vo=", "owner": "nix-community", "repo": "home-manager", - "rev": "3d65009effd77cb0d6e7520b68b039836a7606cf", + "rev": "d7830d05421d0ced83a0f007900898bdcaf2a2ca", "type": "github" }, "original": { 
@@ -448,11 +448,11 @@ ] }, "locked": { - "lastModified": 1717995391, - "narHash": "sha256-lcJ7McLYCOZGmoUqWubg739iFIqVtPD+qDNQx6GPWCY=", + "lastModified": 1718507237, + "narHash": "sha256-xBEWCxWeRpWQggFFp8ugJCDa63cOJsVvx71R9F0Eowg=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "ab78ec24f803bab7a18370220ae3db92d6d33c94", + "rev": "6af2c5e58c20311276f59d247341cafeebfcb6f4", "type": "github" }, "original": { @@ -463,11 +463,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1717786204, - "narHash": "sha256-4q0s6m0GUcN7q+Y2DqD27iLvbcd1G50T2lv08kKxkSI=", + "lastModified": 1718895438, + "narHash": "sha256-k3JqJrkdoYwE3fHE6xGDY676AYmyh4U2Zw+0Bwe5DLU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "051f920625ab5aabe37c920346e3e69d7d34400e", + "rev": "d603719ec6e294f034936c0d0dc06f689d91b6c3", "type": "github" }, "original": { diff --git a/users/rouven/default.nix b/users/rouven/default.nix index 5b89c9e..e2fffc7 100644 --- a/users/rouven/default.nix +++ b/users/rouven/default.nix @@ -21,7 +21,7 @@ home-manager.useGlobalPkgs = true; home-manager.users.rouven = { ... }: { - imports = [ ./modules ./options ]; + imports = [ ./modules ]; config = { home.username = "rouven"; diff --git a/users/rouven/modules/default.nix b/users/rouven/modules/default.nix index efddb7d..1f50908 100644 --- a/users/rouven/modules/default.nix +++ b/users/rouven/modules/default.nix @@ -10,7 +10,7 @@ ./mpv ./ssh ./theme - ./tex + # ./tex ./packages.nix ]; } diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix index 190dd8c..496cd42 100644 --- a/users/rouven/modules/ssh/default.nix +++ b/users/rouven/modules/ssh/default.nix @@ -1,10 +1,11 @@ -{ ... }: +{ pkgs, ... }: let git = "~/.ssh/git"; in { programs.ssh = { enable = true; + package = pkgs.openssh_gssapi; compression = true; controlMaster = "auto"; controlPersist = "10m"; 
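Review bot: `# ./tex` keeps the removed import as a comment instead of deleting it; git history already records it, and commented-out imports tend to accumulate. If the module is meant to return, a short reason next to it (`# ./tex  # disabled: <reason>`) tells the reader whether it is safe to delete.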
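Review bot: `package = pkgs.openssh_gssapi;` swaps the user's ssh client for the variant built with the GSSAPI key-exchange patches, but the only GSSAPI option this series sets is `GSSAPIAuthentication = "yes"`, which stock OpenSSH already supports; the patched build is only needed if `GSSAPIKeyExchange` is wanted as well. Either drop the package override or state the reason on the line, e.g. `# GSSAPI-patched build: needed for GSSAPIKeyExchange to *.agdsn.network`. Which of the two is intended is not visible here.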
@@ -67,13 +68,15 @@ in user = "r5"; extraOptions = { VerifyHostKeyDNS = "yes"; + GSSAPIAuthentication = "yes"; }; }; "*.agdsn.network" = { user = "r5"; extraOptions = { - ProxyJump = "dijkstra"; + # ProxyJump = "dijkstra"; VerifyHostKeyDNS = "yes"; + GSSAPIAuthentication = "yes"; }; }; "git@git.agdsn.de" = { diff --git a/users/rouven/modules/wayland/shikane.nix b/users/rouven/modules/wayland/shikane.nix index b4d1ce6..c1580ab 100644 --- a/users/rouven/modules/wayland/shikane.nix +++ b/users/rouven/modules/wayland/shikane.nix 
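Review bot: `# ProxyJump = "dijkstra";` leaves the jump host commented out rather than removed, so the `*.agdsn.network` block now connects directly while the old routing lingers as dead config; either delete the line or say why it is kept, e.g. `# direct reach inside the realm network; jump host no longer required`. Adding `GSSAPIAuthentication = "yes"` without `GSSAPIDelegateCredentials` keeps ticket forwarding off, which is the right default for hosts you do not administer; keep it that way unless a host needs delegated credentials. The same option is added to two host blocks here, and the first block's host name is above the hunk; if more `agdsn` hosts follow, a shared pattern block avoids repeating it.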
@@ -1,172 +1,19 @@ +{ pkgs, ... }: { - services.shikane = { - enable = true; - settings = { - profile = [ - { - name = "home"; - output = [ - { - match = "eDP-1"; - enable = true; - position = { - x = 1920; - y = 0; - }; - } - { - match = "DP-2"; - enable = true; - position = { - x = 0; - y = 0; - }; - } - { - match = "HDMI-A-1"; - enable = true; - position = { - x = 3840; - y = 0; - }; - } - ]; - } - { - name = "home-vertical"; - output = [ - { - match = "eDP-1"; - enable = true; - position = { - x = 1080; - y = 0; - }; - } - { - match = "DP-3"; - enable = true; - position = { - x = 0; - y = 0; - }; - transform = "270"; - } - { - match = "HDMI-A-1"; - enable = true; - position = { - x = 3000; - y = 0; - }; - } - ]; - } - { - name = "external-monitor-default"; - output = [ - { - match = "eDP-1"; - enable = true; - position = { - x = 0; - y = 0; - }; - } - { - match = "HDMI-A-1"; - enable = true; - position = { - x = 1920; - y = 0; - }; - } - ]; - } - { - name = "external-monitor-usb-c"; - output = [ - { - match = "eDP-1"; - enable = true; - position = { - x = 0; - y = 1440; - }; - } - { - match = "/P24h/"; - enable = true; - mode = { - height = 1440; - width = 2560; - refresh = 60; - }; - position = { - x = 0; - y = 0; - }; - } - ]; - } - { - name = "external-monitor-usb-c"; - output = [ - { - match = "eDP-1"; - enable = true; - position = { - x = 1920; - y = 0; - }; - } - { - match = "DP-2"; - enable = true; - position = { - x = 0; - y = 0; - }; - } - ]; - } - # vertical mode if on dp-3 - { - name = "external-monitor-usb-c-vertical"; - output = [ - { - match = "eDP-1"; - enable = true; - position = { - x = 1080; - y = 840; - }; - } - { - match = "DP-3"; - enable = true; - position = { - x = 0; - y = 0; - }; - transform = "270"; - } - ]; - } - { - name = "builtin"; - output = [ - { - match = "eDP-1"; - enable = true; - position = { - x = 0; - y = 0; - }; - } - ]; - } - ]; + + home.packages = [ + pkgs.shikane + ]; + systemd.user.services.shikane = { + Unit = { + 
Description = "Dynamic output configuration tool"; + Documentation = "man:shikane(1)"; + After = [ "graphical-session-pre.target" ]; + PartOf = [ "graphical-session.target" ]; }; + + Service = { ExecStart = "${pkgs.shikane}/bin/shikane"; }; + + Install = { WantedBy = [ "graphical-session.target" ]; }; }; } diff --git a/users/rouven/options/default.nix b/users/rouven/options/default.nix deleted file mode 100644 index f8c03ee..0000000 --- a/users/rouven/options/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - imports = [ ./shikane.nix ]; -} diff --git a/users/rouven/options/shikane.nix b/users/rouven/options/shikane.nix deleted file mode 100644 index 7b41407..0000000 --- a/users/rouven/options/shikane.nix +++ /dev/null 
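Review bot: The new `systemd.user.services.shikane` runs `${pkgs.shikane}/bin/shikane` with no `-c`, and all the output profiles that were in `services.shikane.settings` are deleted without a replacement, so shikane now starts with whatever `$XDG_CONFIG_HOME/shikane/config.toml` happens to exist on the machine; if the profiles are still wanted, `xdg.configFile."shikane/config.toml"` is the home-manager way to keep them declarative. The unit also has no `Restart` setting, so a crash leaves the user without output configuration until the next login; `Service.Restart = "on-failure";` is the usual addition. Whether the TOML is managed elsewhere in the repository is not visible from this hunk.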
@@ -1,77 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.shikane; - tomlFormat = pkgs.formats.toml { }; -in -{ - meta.maintainers = [ maintainers.therealr5 ]; - options.services.shikane = { - - enable = mkEnableOption - "shikane, A dynamic output configuration tool that automatically detects and configures connected outputs based on a set of profiles."; - - package = mkPackageOption pkgs "shikane" { }; - - settings = mkOption { - type = tomlFormat.type; - default = { }; - example = literalExpression '' - { - profile = [ - { - name = "external-monitor-default"; - output = [ - { - match = "eDP-1"; - enable = true; - } - { - match = "HDMI-A-1"; - enable = true; - position = { - x = 1920; - y = 0; - }; - } - ]; - } - { - name = "builtin-monitor-only"; - output = [ - { - match = "eDP-1"; - enable = true; - } - ]; - } - ]; - } - ''; - description = '' - Configuration written to - $XDG_CONFIG_HOME/shikane/config.toml. - - See - for more information. - ''; - }; - }; - - config = mkIf cfg.enable { - systemd.user.services.shikane = { - Unit = { - Description = "Dynamic output configuration tool"; - Documentation = "man:shikane(1)"; - After = [ "graphical-session-pre.target" ]; - PartOf = [ "graphical-session.target" ]; - }; - - Service = { ExecStart = "${cfg.package}/bin/shikane -c ${tomlFormat.generate "shikane-config.toml" cfg.settings}"; }; - - Install = { WantedBy = [ "graphical-session.target" ]; }; - }; - }; -}