

4 commits

Author SHA1 Message Date
Rouven Seifert a9f3c6836e user: remove shikane config 2024-06-22 16:28:09 +02:00
Rouven Seifert 97a9bbce42 nfs: init 2024-06-22 16:27:54 +02:00
Rouven Seifert bff20285d2 auth updates 2024-06-22 16:27:40 +02:00
Rouven Seifert 3d76e6ecab rspamd: init reputation 2024-06-22 16:27:13 +02:00
15 changed files with 172 additions and 275 deletions


@ -12,11 +12,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1716561646,
"narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
"lastModified": 1718371084,
"narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
"rev": "3a56735779db467538fb2e577eda28a9daacaca6",
"type": "github"
},
"original": {
@ -38,11 +38,11 @@
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1715166702,
"narHash": "sha256-PJxwZoT1JWxMaKRdTLMHN55mdYlhZn2L5VpvyevKkug=",
"lastModified": 1718106692,
"narHash": "sha256-IGMrKVU2fXgn30LQduJIg89HefHLlPMgJ3mnnKpnNfU=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "84c3ce6fe7c174ed1a53cbc5e36cf6a70f4dcc1b",
"rev": "11f5e0fd17dd44d9946a23271d201b257df9f0f4",
"type": "github"
},
"original": {
@ -300,11 +300,11 @@
]
},
"locked": {
"lastModified": 1717931644,
"narHash": "sha256-Sz8Wh9cAiD5FhL8UWvZxBfnvxETSCVZlqWSYWaCPyu0=",
"lastModified": 1718788307,
"narHash": "sha256-SqiOz0sljM0GjyQEVinPXQxaGcbOXw5OgpCWGPgh/vo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3d65009effd77cb0d6e7520b68b039836a7606cf",
"rev": "d7830d05421d0ced83a0f007900898bdcaf2a2ca",
"type": "github"
},
"original": {
@ -448,11 +448,11 @@
]
},
"locked": {
"lastModified": 1717995391,
"narHash": "sha256-lcJ7McLYCOZGmoUqWubg739iFIqVtPD+qDNQx6GPWCY=",
"lastModified": 1718507237,
"narHash": "sha256-xBEWCxWeRpWQggFFp8ugJCDa63cOJsVvx71R9F0Eowg=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "ab78ec24f803bab7a18370220ae3db92d6d33c94",
"rev": "6af2c5e58c20311276f59d247341cafeebfcb6f4",
"type": "github"
},
"original": {
@ -463,11 +463,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1717786204,
"narHash": "sha256-4q0s6m0GUcN7q+Y2DqD27iLvbcd1G50T2lv08kKxkSI=",
"lastModified": 1718895438,
"narHash": "sha256-k3JqJrkdoYwE3fHE6xGDY676AYmyh4U2Zw+0Bwe5DLU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "051f920625ab5aabe37c920346e3e69d7d34400e",
"rev": "d603719ec6e294f034936c0d0dc06f689d91b6c3",
"type": "github"
},
"original": {


@ -31,6 +31,74 @@
allow_username_mismatch = true;
path = /var/lib/rspamd/dkim/$domain.key;
'';
"reputation.conf".text = ''
rules {
ip_reputation = {
selector "ip" {
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "IP_REPUTATION";
}
spf_reputation = {
selector "spf" {
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "SPF_REPUTATION";
}
dkim_reputation = {
selector "dkim" {
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
}
generic_reputation = {
selector "generic" {
selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "GENERIC_REPUTATION";
}
}
'';
"groups.conf".text = ''
group "reputation" {
symbols = {
"IP_REPUTATION_HAM" {
weight = 1.0;
}
"IP_REPUTATION_SPAM" {
weight = 4.0;
}
"DKIM_REPUTATION" {
weight = 1.0;
}
"SPF_REPUTATION_HAM" {
weight = 1.0;
}
"SPF_REPUTATION_SPAM" {
weight = 2.0;
}
"GENERIC_REPUTATION" {
weight = 1.0;
}
}
}
'';
};
};
redis = {
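Review bot: The `generic_reputation` rule uses `selector = "ip"`, which keys it on the same sending address as `ip_reputation`, so one sender's history is stored and scored twice (IP_REPUTATION_SPAM at 4.0 plus GENERIC_REPUTATION at 1.0) from a single signal. Either drop the generic rule or point its selector at something the other three rules do not already cover; the trailing doc link suggests the line was carried over from the documentation example. All four backends share `/run/redis-rspamd/redis.sock`, so anything that can write to that socket can seed reputation for any of these symbols — worth a one-line comment such as `# reputation state lives in the local rspamd redis instance; no remote backend` above the rules block. The enclosing attribute set starts outside this hunk.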


@ -4,6 +4,7 @@
./hardware-configuration.nix
./modules/networks
./modules/monitoring
./modules/nfs
];
boot.loader.grub.enable = true;


@ -0,0 +1,19 @@
{ ... }:
{
fileSystems."/export" = {
device = "/dev/sda2";
fsType = "btrfs";
options = [ "subvol=export" "compress=zstd" "noatime" ];
};
services.nfs.server = {
enable = true;
exports = ''
/export 192.168.42.2(rw,fsid=0,no_subtree_check)
/export/movies 192.168.42.2(rw,fsid=0,no_subtree_check)
/export/shows 192.168.42.2(rw,fsid=0,no_subtree_check)
'';
};
networking.firewall.allowedTCPPorts = [ 2049 ];
}
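Review bot: `fsid=0` is given on all three export lines, but it marks the NFSv4 pseudo-root and only one export may carry it; with duplicates, which export ends up as the root the client sees is not well defined, so `/movies` and `/shows` may or may not resolve. Drop it from the subdirectory exports: `/export/movies 192.168.42.2(rw,no_subtree_check)` and `/export/shows 192.168.42.2(rw,no_subtree_check)`. Access control here is AUTH_SYS plus a single client IP — any host that can claim 192.168.42.2 gets read-write with whatever UIDs it asserts, and root is squashed only by the unstated default — so consider `sec=krb5p`, or at least an explicit `root_squash`, and opening 2049 only on the interface facing that client rather than on every interface via `networking.firewall.allowedTCPPorts`.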


@ -12,7 +12,15 @@ in
services.authentik = {
enable = true;
environmentFile = config.age.secrets.authentik-core.path;
settings = {
cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
};
};
systemd.services.authentik-worker.serviceConfig.LoadCredential = [
"${domain}.pem:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.crt"
"${domain}.key:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.key"
];
services.authentik-ldap = {
enable = true;
environmentFile = config.age.secrets.authentik-ldap.path;
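Review bot: `LoadCredential` copies the two Caddy ACME files into the worker's credentials directory once, at unit start, so after Let's Encrypt renews `${domain}.crt`/`.key` authentik's discovery (`cert_discovery_dir = "env://CREDENTIALS_DIRECTORY"`) keeps re-reading a stale snapshot until `authentik-worker` is restarted. Unless something outside this compare restarts the unit on renewal, add a trigger — a `systemd.paths` unit on the certificate directory whose `PathChanged` restarts `authentik-worker`, or a `RuntimeMaxSec` shorter than the renewal window — and say so in a comment above the `LoadCredential` list. Loading them as credentials rather than pointing authentik at `/var/lib/caddy` directly is the right call, since the worker then needs no read access to Caddy's state. The `let` binding that defines `domain` is outside this hunk.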


@ -72,6 +72,9 @@ in
reverse_proxy /client/* unix//run/matrix-sliding-sync/server.sock
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync* unix//run/matrix-sliding-sync/server.sock
reverse_proxy 127.0.0.1:8008
handle /_synapse/metrics* {
respond 404
}
'';
# element
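Review bot: The 404 for `/_synapse/metrics*` works only because Caddy orders `handle` ahead of `reverse_proxy` regardless of where it appears in the site block; placed after the catch-all `reverse_proxy 127.0.0.1:8008` it reads as if it were shadowed, so add a comment above it such as `# handle is evaluated before reverse_proxy (Caddy directive order); keeps metrics off the public side`. If the intent is to keep Synapse's internal endpoints off the public listener, `/_synapse/admin/*` is the more sensitive surface and the one the Synapse docs advise against exposing; a second `handle /_synapse/admin/* { respond 404 }` would cover it unless admin access from outside is intended. The surrounding Caddy virtual host starts and ends outside this hunk.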


@ -1,5 +1,13 @@
{ ... }:
{
fileSystems."/media/movies" = {
device = "fujitsu.vpn.rfive.de:/movies";
fsType = "nfs";
};
fileSystems."/media/shows" = {
device = "fujitsu.vpn.rfive.de:/movies";
fsType = "nfs";
};
networking = {
hostName = "nuc";
domain = "rfive.de";
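Review bot: `/media/shows` mounts `fujitsu.vpn.rfive.de:/movies` — the same export as `/media/movies` — which looks like a copy-paste slip; the server side in this compare exports `/export/shows`, so the line should read `device = "fujitsu.vpn.rfive.de:/shows";`. Both mounts also carry no options, so they are hard mounts attempted during boot against a host that the `.vpn.` name suggests is only reachable once the tunnel is up; `options = [ "x-systemd.automount" "noauto" "_netdev" "nfsvers=4" "nosuid" "nodev" ]` would keep boot from blocking and drop setuid/device semantics a media share never needs. The enclosing attribute set continues past the hunk.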


@ -20,6 +20,30 @@
sudo.u2fAuth = true;
};
};
krb5 = {
enable = true;
settings = {
libdefaults = {
default_realm = "AGDSN.DE";
dns_lookup_realm = false;
dns_lookup_kdc = true;
ticket_lifetime = "24h";
forwardable = "yes";
};
realms."AGDSN.DE" = {
kdc = "idm.agdsn.network:88";
master_kdc = "idm.agdsn.network:88";
admin_server = "idm.agdsn.network:749";
default_domain = "agdsn.de";
};
domain_realm = {
"agdsn.de" = "AGDSN.DE";
".agdsn.de" = "AGDSN.DE";
"agdsn" = "AGDSN.DE";
".agdsn" = "AGDSN.DE";
};
};
};
};
services = {
fprintd.enable = true; # log in using fingerprint
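Review bot: `forwardable = "yes"` in `libdefaults` makes every TGT obtained on this machine forwardable, which is only needed when credentials are actually delegated to remote hosts; the ssh config in this same compare enables `GSSAPIAuthentication` but not `GSSAPIDelegateCredentials`, so the flag currently buys nothing and only widens what a compromised service could do with a forwarded ticket. Drop it, or request it per use (`kinit -f`) when delegation is needed. With `kdc`/`master_kdc` listed explicitly for `AGDSN.DE`, `dns_lookup_kdc = true` only matters for other realms — say so with `# explicit KDC above takes precedence; DNS SRV lookup is a fallback for other realms`. The enclosing attribute set (presumably `security`) starts outside this hunk.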


@ -1,14 +1,9 @@
{ pkgs, ... }:
{
virtualisation = {
docker = {
rootless = {
enable = true;
setSocketVariable = true;
daemon.settings = {
iptables = false;
};
};
podman = {
enable = true;
defaultNetwork.settings.dns_enabled = true;
};
libvirtd = {
enable = true;
@ -27,5 +22,6 @@
programs.virt-manager.enable = true;
environment.systemPackages = with pkgs; [
virt-viewer
podman-compose
];
}
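Review bot: The removed rootless-docker block carried `daemon.settings.iptables = false`, which kept the daemon from rewriting host firewall rules; the podman block has no counterpart, so rootful podman networks (netavark) will program host nftables/iptables, while rootless invocations do not. If the intent is to keep everything unprivileged as before, record it with a comment such as `# podman runs rootless per user; no daemon, no host firewall changes` above `podman = {`, and note that `dns_enabled` is what makes container-name resolution work for podman-compose. Nothing replaces the `DOCKER_HOST` that `setSocketVariable` exported, so tooling that still looks for a Docker socket will fail outright rather than fall back; `dockerCompat`/`dockerSocket` are the usual bridges if that matters.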


@ -21,7 +21,7 @@
home-manager.useGlobalPkgs = true;
home-manager.users.rouven = { ... }: {
imports = [ ./modules ./options ];
imports = [ ./modules ];
config = {
home.username = "rouven";


@ -10,7 +10,7 @@
./mpv
./ssh
./theme
./tex
# ./tex
./packages.nix
];
}


@ -1,10 +1,11 @@
{ ... }:
{ pkgs, ... }:
let
git = "~/.ssh/git";
in
{
programs.ssh = {
enable = true;
package = pkgs.openssh_gssapi;
compression = true;
controlMaster = "auto";
controlPersist = "10m";
@ -67,13 +68,15 @@ in
user = "r5";
extraOptions = {
VerifyHostKeyDNS = "yes";
GSSAPIAuthentication = "yes";
};
};
"*.agdsn.network" = {
user = "r5";
extraOptions = {
ProxyJump = "dijkstra";
# ProxyJump = "dijkstra";
VerifyHostKeyDNS = "yes";
GSSAPIAuthentication = "yes";
};
};
"git@git.agdsn.de" = {
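Review bot: `package = pkgs.openssh_gssapi` swaps in the out-of-tree GSSAPI key-exchange patch set, but nothing in the hunk enables `GSSAPIKeyExchange`; plain `GSSAPIAuthentication = "yes"` (gssapi-with-mic user auth) works with stock `pkgs.openssh`, which nixpkgs builds with Kerberos support, so the patched build looks unnecessary unless key exchange is wanted — if it is, set `GSSAPIKeyExchange = "yes"` on those hosts and say so in a comment. Leaving `GSSAPIDelegateCredentials` at its default (no) is the safe choice; make it explicit with `# delegation intentionally off: do not forward the TGT to *.agdsn.network hosts` next to the GSSAPI lines. Commenting out `ProxyJump = "dijkstra"` means `*.agdsn.network` hosts are now contacted directly, so `VerifyHostKeyDNS` is the only thing standing in for the jump host's known_hosts, and it is only as strong as DNSSEC validation on the local resolver.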


@ -1,172 +1,19 @@
{ pkgs, ... }:
{
services.shikane = {
enable = true;
settings = {
profile = [
{
name = "home";
output = [
{
match = "eDP-1";
enable = true;
position = {
x = 1920;
y = 0;
};
}
{
match = "DP-2";
enable = true;
position = {
x = 0;
y = 0;
};
}
{
match = "HDMI-A-1";
enable = true;
position = {
x = 3840;
y = 0;
};
}
];
}
{
name = "home-vertical";
output = [
{
match = "eDP-1";
enable = true;
position = {
x = 1080;
y = 0;
};
}
{
match = "DP-3";
enable = true;
position = {
x = 0;
y = 0;
};
transform = "270";
}
{
match = "HDMI-A-1";
enable = true;
position = {
x = 3000;
y = 0;
};
}
];
}
{
name = "external-monitor-default";
output = [
{
match = "eDP-1";
enable = true;
position = {
x = 0;
y = 0;
};
}
{
match = "HDMI-A-1";
enable = true;
position = {
x = 1920;
y = 0;
};
}
];
}
{
name = "external-monitor-usb-c";
output = [
{
match = "eDP-1";
enable = true;
position = {
x = 0;
y = 1440;
};
}
{
match = "/P24h/";
enable = true;
mode = {
height = 1440;
width = 2560;
refresh = 60;
};
position = {
x = 0;
y = 0;
};
}
];
}
{
name = "external-monitor-usb-c";
output = [
{
match = "eDP-1";
enable = true;
position = {
x = 1920;
y = 0;
};
}
{
match = "DP-2";
enable = true;
position = {
x = 0;
y = 0;
};
}
];
}
# vertical mode if on dp-3
{
name = "external-monitor-usb-c-vertical";
output = [
{
match = "eDP-1";
enable = true;
position = {
x = 1080;
y = 840;
};
}
{
match = "DP-3";
enable = true;
position = {
x = 0;
y = 0;
};
transform = "270";
}
];
}
{
name = "builtin";
output = [
{
match = "eDP-1";
enable = true;
position = {
x = 0;
y = 0;
};
}
];
}
];
home.packages = [
pkgs.shikane
];
systemd.user.services.shikane = {
Unit = {
Description = "Dynamic output configuration tool";
Documentation = "man:shikane(1)";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
};
Service = { ExecStart = "${pkgs.shikane}/bin/shikane"; };
Install = { WantedBy = [ "graphical-session.target" ]; };
};
}
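Review bot: `ExecStart = "${pkgs.shikane}/bin/shikane"` now runs with no `-c`, so the daemon reads `$XDG_CONFIG_HOME/shikane/config.toml`, which this commit stops managing — the profiles deleted above no longer live anywhere declarative. If that is deliberate (config kept out of the repo), note it with `# config intentionally unmanaged: shikane reads ~/.config/shikane/config.toml` above the unit; otherwise generate the file with `xdg.configFile."shikane/config.toml".source` from a TOML formatter, as the removed module did. The unit definition itself matches the module it replaces apart from the hard-coded package.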


@ -1,3 +0,0 @@
{
imports = [ ./shikane.nix ];
}


@ -1,77 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.shikane;
tomlFormat = pkgs.formats.toml { };
in
{
meta.maintainers = [ maintainers.therealr5 ];
options.services.shikane = {
enable = mkEnableOption
"shikane, A dynamic output configuration tool that automatically detects and configures connected outputs based on a set of profiles.";
package = mkPackageOption pkgs "shikane" { };
settings = mkOption {
type = tomlFormat.type;
default = { };
example = literalExpression ''
{
profile = [
{
name = "external-monitor-default";
output = [
{
match = "eDP-1";
enable = true;
}
{
match = "HDMI-A-1";
enable = true;
position = {
x = 1920;
y = 0;
};
}
];
}
{
name = "builtin-monitor-only";
output = [
{
match = "eDP-1";
enable = true;
}
];
}
];
}
'';
description = ''
Configuration written to
<filename>$XDG_CONFIG_HOME/shikane/config.toml</filename>.
</para><para>
See <link xlink:href="https://gitlab.com/w0lff/shikane/-/blob/master/docs/shikane.5.man.md" />
for more information.
'';
};
};
config = mkIf cfg.enable {
systemd.user.services.shikane = {
Unit = {
Description = "Dynamic output configuration tool";
Documentation = "man:shikane(1)";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
};
Service = { ExecStart = "${cfg.package}/bin/shikane -c ${tomlFormat.generate "shikane-config.toml" cfg.settings}"; };
Install = { WantedBy = [ "graphical-session.target" ]; };
};
};
}