fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Setup mail server and restructure some things

Browse source
This commit is contained in:
yuri 2023-09-14 14:43:49 +02:00
commit 4a802ab44d
90 changed files with 512 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

4
configuration/common/default.nix → config/common/default.nix
View file

@ -3,8 +3,8 @@
imports = [ imports = [
./prometheus-node-exporter.nix ./prometheus-node-exporter.nix
./nginx.nix ./nginx.nix
../../users/colmena-deploy ../users/colmena-deploy
../../users/yuri ../users/yuri
]; ];
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";

0
configuration/common/nginx.nix → config/common/nginx.nix
View file

4
configuration/common/prometheus-node-exporter.nix → config/common/prometheus-node-exporter.nix
View file

@ -1,7 +1,7 @@
{ ... }: { lib, ... }:
{ {
services.prometheus.exporters.node = { services.prometheus.exporters.node = {
enable = true; enable = lib.mkDefault true;
openFirewall = true; openFirewall = true;
}; };
} }

0
configuration/proxmox-vm/default.nix → config/environments/proxmox-vm/default.nix
View file

0
configuration/proxmox-vm/hardware-configuration.nix → config/environments/proxmox-vm/hardware-configuration.nix
View file

0
hosts/coturn/acme.nix → config/hosts/coturn/acme.nix
View file

0
hosts/coturn/configuration.nix → config/hosts/coturn/configuration.nix
View file

0
hosts/coturn/coturn.nix → config/hosts/coturn/coturn.nix
View file

0
hosts/coturn/default.nix → config/hosts/coturn/default.nix
View file

0
hosts/coturn/secrets.nix → config/hosts/coturn/secrets.nix
View file

0
hosts/hydra/configuration.nix → config/hosts/hydra/configuration.nix
View file

0
hosts/hydra/default.nix → config/hosts/hydra/default.nix
View file

0
hosts/hydra/hydra.nix → config/hosts/hydra/hydra.nix
View file

0
hosts/hydra/nginx.nix → config/hosts/hydra/nginx.nix
View file

0
hosts/hydra/nix-serve.nix → config/hosts/hydra/nix-serve.nix
View file

0
hosts/hydra/secrets.nix → config/hosts/hydra/secrets.nix
View file

0
hosts/iperf/configuration.nix → config/hosts/iperf/configuration.nix
View file

0
hosts/iperf/default.nix → config/hosts/iperf/default.nix
View file

0
hosts/iperf/iperf.nix → config/hosts/iperf/iperf.nix
View file

0
hosts/jackett/configuration.nix → config/hosts/jackett/configuration.nix
View file

0
hosts/jackett/default.nix → config/hosts/jackett/default.nix
View file

0
hosts/jackett/jackett.nix → config/hosts/jackett/jackett.nix
View file

0
hosts/jellyfin/configuration.nix → config/hosts/jellyfin/configuration.nix
View file

0
hosts/jellyfin/default.nix → config/hosts/jellyfin/default.nix
View file

0
hosts/jellyfin/hardware-configuration.nix → config/hosts/jellyfin/hardware-configuration.nix
View file

0
hosts/jellyfin/jellyfin.nix → config/hosts/jellyfin/jellyfin.nix
View file

0
hosts/jellyfin/nginx.nix → config/hosts/jellyfin/nginx.nix
View file

0
hosts/jellyfin/secrets.nix → config/hosts/jellyfin/secrets.nix
View file

69
config/hosts/lifeline/configuration.nix Normal file
View file

@ -0,0 +1,69 @@
{ pkgs, ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
networking = {
hostName = "lifeline";
useDHCP = true;
wireguard = {
enable = true;
interfaces.wg0 = {
privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret";
listenPort = 51820;
ips = [
"172.16.50.1/24"
];
peers = [
{
name = "mail-1";
publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret";
allowedIPs = [ "172.16.50.2/32" ];
}
];
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
'';
};
};
nat = {
enable = true;
internalInterfaces = [ "wg0" ];
externalInterface = "ens6";
forwardPorts = [
{
destination = "172.16.50.2:25";
proto = "tcp";
sourcePort = 25;
}
{
destination = "172.16.50.2:465";
proto = "tcp";
sourcePort = 465;
}
{
destination = "172.16.50.2:993";
proto = "tcp";
sourcePort = 993;
}
];
};
firewall = {
allowedUDPPorts = [ 51820 ];
};
};
services.prometheus.exporters.node.enable = false;
system.stateVersion = "23.05";
}

7
config/hosts/lifeline/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix
];
}

16
config/hosts/lifeline/hardware-configuration.nix Normal file
View file

@ -0,0 +1,16 @@
{ modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd = {
availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
kernelModules = [ "nvme" ];
};
fileSystems."/" = {
device = "/dev/vda1";
fsType = "ext4";
};
}

19
config/hosts/lifeline/secrets.nix Normal file
View file

@ -0,0 +1,19 @@
{ ... }:
{
deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}

61
config/hosts/mail-1/configuration.nix Normal file
View file

@ -0,0 +1,61 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "mail-1";
useDHCP = true;
defaultGateway = {
address = "172.16.50.1";
interface = "wg0";
};
interfaces.enp6s18.ipv4 = {
routes = [
{
address = "10.201.0.0";
prefixLength = 16;
via = "10.202.41.1";
}
{
address = "10.202.0.0";
prefixLength = 16;
via = "10.202.41.1";
}
{
address = "172.21.87.0"; # management VPN
prefixLength = 24;
via = "10.202.41.1";
}
{
address = "217.160.117.160"; #
prefixLength = 32;
via = "10.202.41.1";
}
];
};
wireguard = {
enable = true;
interfaces.wg0 = {
ips = [
"172.16.50.2/24"
];
peers = [
{
name = "lifeline";
publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
endpoint = "lifeline.io.grzb.de:51820";
allowedIPs = [ "0.0.0.0/0" ];
persistentKeepalive = 25;
}
];
privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
};
};
};
system.stateVersion = "23.05";
}

7
config/hosts/mail-1/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./configuration.nix
./simple-nixos-mailserver.nix
];
}

85
config/hosts/mail-1/secrets.nix Normal file
View file

@ -0,0 +1,85 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-mail-1-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fiona-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-yuri-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-mio-vs-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fubuki-wg-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-cloud-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-status-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-matrix-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-social-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

66
config/hosts/mail-1/simple-nixos-mailserver.nix Normal file
View file

@ -0,0 +1,66 @@
{ simple-nixos-mailserver, ... }:
{
imports = [
simple-nixos-mailserver.nixosModule {
mailserver = {
enable = true;
openFirewall = true;
fqdn = "mail-1.grzb.de";
enableImap = false;
enableImapSsl = true;
enableSubmission = false;
enableSubmissionSsl = true;
lmtpSaveToDetailMailbox = "no";
domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
loginAccounts = {
"fiona@grzb.de" = {
hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
aliases = [ "@grzb.de" ];
catchAll = [ "grzb.de" ];
};
"yuri@nekover.se" = {
hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
aliases = [ "@nekover.se" ];
catchAll = [ "nekover.se" ];
};
"mio@vs.grzb.de" = {
hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
sendOnly = true;
aliases = [ "root@vs.grzb.de" ];
};
"fubuki@wg.grzb.de" = {
hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
sendOnly = true;
aliases = [ "root@wg.grzb.de" ];
};
"cloud@nekover.se" = {
hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
sendOnly = true;
};
"status@nekover.se" = {
hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
sendOnly = true;
};
"matrix@nekover.se" = {
hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"social@nekover.se" = {
hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
};
certificateScheme = "acme-nginx";
};
}
];
services.postfix = {
transport = "relay:[mail-2.grzb.de]";
extraConfig = ''
proxy_interfaces = 212.53.203.19
'';
};
}

0
hosts/matrix/configuration.nix → config/hosts/matrix/configuration.nix
View file

0
hosts/matrix/default.nix → config/hosts/matrix/default.nix
View file

0
hosts/matrix/hardware-configuration.nix → config/hosts/matrix/hardware-configuration.nix
View file

0
hosts/matrix/matrix-synapse.nix → config/hosts/matrix/matrix-synapse.nix
View file

0
hosts/matrix/nginx.nix → config/hosts/matrix/nginx.nix
View file

0
hosts/matrix/postgresql.nix → config/hosts/matrix/postgresql.nix
View file

0
hosts/matrix/secrets.nix → config/hosts/matrix/secrets.nix
View file

0
hosts/metrics/configuration.nix → config/hosts/metrics/configuration.nix
View file

0
hosts/metrics/default.nix → config/hosts/metrics/default.nix
View file

0
hosts/metrics/grafana.nix → config/hosts/metrics/grafana.nix
View file

0
hosts/metrics/nginx.nix → config/hosts/metrics/nginx.nix
View file

0
hosts/metrics/prometheus.nix → config/hosts/metrics/prometheus.nix
View file

0
hosts/metrics/secrets.nix → config/hosts/metrics/secrets.nix
View file

0
hosts/netbox/configuration.nix → config/hosts/netbox/configuration.nix
View file

0
hosts/netbox/default.nix → config/hosts/netbox/default.nix
View file

0
hosts/netbox/netbox.nix → config/hosts/netbox/netbox.nix
View file

0
hosts/netbox/nginx.nix → config/hosts/netbox/nginx.nix
View file

0
hosts/netbox/secrets.nix → config/hosts/netbox/secrets.nix
View file

0
hosts/nextcloud/configuration.nix → config/hosts/nextcloud/configuration.nix
View file

0
hosts/nextcloud/default.nix → config/hosts/nextcloud/default.nix
View file

0
hosts/nextcloud/hardware-configuration.nix → config/hosts/nextcloud/hardware-configuration.nix
View file

0
hosts/nextcloud/nextcloud.nix → config/hosts/nextcloud/nextcloud.nix
View file

0
hosts/nextcloud/secrets.nix → config/hosts/nextcloud/secrets.nix
View file

0
hosts/nitter/configuration.nix → config/hosts/nitter/configuration.nix
View file

0
hosts/nitter/default.nix → config/hosts/nitter/default.nix
View file

0
hosts/nitter/nginx.nix → config/hosts/nitter/nginx.nix
View file

0
hosts/nitter/nitter.nix → config/hosts/nitter/nitter.nix
View file

0
hosts/tor-relay/configuration.nix → config/hosts/tor-relay/configuration.nix
View file

0
hosts/tor-relay/default.nix → config/hosts/tor-relay/default.nix
View file

0
hosts/tor-relay/tor.nix → config/hosts/tor-relay/tor.nix
View file

0
hosts/web-nonpublic-linuxcrewd/configuration.nix → config/hosts/web-nonpublic-linuxcrewd/configuration.nix
View file

0
hosts/web-nonpublic-linuxcrewd/default.nix → config/hosts/web-nonpublic-linuxcrewd/default.nix
View file

0
hosts/web-nonpublic-linuxcrewd/nginx.nix → config/hosts/web-nonpublic-linuxcrewd/nginx.nix
View file

0
hosts/web-public-2/configuration.nix → config/hosts/web-public-2/configuration.nix
View file

0
hosts/web-public-2/default.nix → config/hosts/web-public-2/default.nix
View file

0
hosts/web-public-2/nginx.nix → config/hosts/web-public-2/nginx.nix
View file

9
hosts/web-public-2/virtualHosts/acme-challenge.nix → config/hosts/web-public-2/virtualHosts/acme-challenge.nix
View file

@ -9,6 +9,15 @@
proxyPass = "http://jellyfin.vs.grzb.de:80"; proxyPass = "http://jellyfin.vs.grzb.de:80";
}; };
}; };
services.nginx.virtualHosts."mail-1.grzb.de" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://mail-1.vs.grzb.de:80";
};
};
services.nginx.virtualHosts."matrix.nekover.se" = { services.nginx.virtualHosts."matrix.nekover.se" = {
listen = [{ listen = [{
addr = "0.0.0.0"; addr = "0.0.0.0";

0
hosts/web-public-2/virtualHosts/anisync.grzb.de.nix → config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
View file

1
hosts/web-public-2/virtualHosts/default.nix → config/hosts/web-public-2/virtualHosts/default.nix
View file

@ -8,7 +8,6 @@
./git.grzb.de.nix ./git.grzb.de.nix
./mewtube.nekover.se.nix ./mewtube.nekover.se.nix
./nekover.se.nix ./nekover.se.nix
./nextcloud.grzb.de.nix
./social.nekover.se.nix ./social.nekover.se.nix
]; ];

0
hosts/web-public-2/virtualHosts/element-web-config/config.json → config/hosts/web-public-2/virtualHosts/element-web-config/config.json
View file

0
hosts/web-public-2/virtualHosts/element.nekover.se.nix → config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
View file

0
hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix → config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
View file

0
hosts/web-public-2/virtualHosts/git.grzb.de.nix → config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
View file

0
hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix → config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
View file

0
hosts/web-public-2/virtualHosts/nekover.se.nix → config/hosts/web-public-2/virtualHosts/nekover.se.nix
View file

0
hosts/web-public-2/virtualHosts/social.nekover.se.nix → config/hosts/web-public-2/virtualHosts/social.nekover.se.nix
View file

0
configuration/nixos-generators/default.nix → config/nixos-generators/default.nix
View file

0
users/colmena-deploy/default.nix → config/users/colmena-deploy/default.nix
View file

0
users/yuri/default.nix → config/users/yuri/default.nix
View file

145
flake.lock generated
View file

@ -1,12 +1,44 @@
{ {
"nodes": { "nodes": {
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"nixlib": { "nixlib": {
"locked": { "locked": {
"lastModified": 1689469483, "lastModified": 1693701915,
"narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=", "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c", "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -23,11 +55,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1690133435, "lastModified": 1693791338,
"narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=", "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586", "rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -38,11 +70,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1693725722, "lastModified": 1694493899,
"narHash": "sha256-PJFNgOpNqrsafMgNuca8olo6ugxIFeQOBBiNtyq2FXA=", "narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "00cc1bbf20f8eb85b537f9f10b41a311f0e01e3e", "rev": "c5167858ca4870e933da123762eb55363ccefe2b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -52,13 +84,43 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-22_11": {
"locked": { "locked": {
"lastModified": 1693723626, "lastModified": 1669558522,
"narHash": "sha256-e6DnUnRT5aykzhme6wLUzYmSPw2G8j+RYwXluys2VJc=", "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5e9ff98d1dccbb391a9769b5dc660a5f6e39c18b", "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1694502577,
"narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -68,11 +130,66 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1670751203,
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": { "root": {
"inputs": { "inputs": {
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable",
"simple-nixos-mailserver": "simple-nixos-mailserver"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils"
},
"locked": {
"lastModified": 1687462267,
"narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "24128c3052090311688b09a400aa408ba61c6ee5",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
} }
} }
}, },

13
flake.nix
View file

@ -6,9 +6,10 @@
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: let
hosts = import ./hosts.nix inputs; hosts = import ./hosts.nix inputs;
helper = import ./helper.nix inputs; helper = import ./helper.nix inputs;
in { in {
@ -25,13 +26,13 @@
nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts; nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
specialArgs = { specialArgs = {
inherit hosts; inherit hosts simple-nixos-mailserver;
}; };
}; };
} // builtins.mapAttrs (helper.generateColmenaHost) hosts; } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
hydraJobs = { hydraJobs = {
nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts; }) hosts; nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts;
}; };
# Generate a base VM image for Proxmox with `nix build .#base-proxmox` # Generate a base VM image for Proxmox with `nix build .#base-proxmox`
@ -39,9 +40,9 @@
base-proxmox = nixos-generators.nixosGenerate { base-proxmox = nixos-generators.nixosGenerate {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./configuration/common ./config/common
./configuration/nixos-generators ./config/nixos-generators
./configuration/proxmox-vm ./config/environments/proxmox-vm
]; ];
format = "proxmox"; format = "proxmox";
}; };

2
helper.nix
View file

@ -11,7 +11,7 @@
}; };
# Set imports and optionally import colmena secrets configuration # Set imports and optionally import colmena secrets configuration
imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix; imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./config/hosts/${name}/secrets.nix) ./config/hosts/${name}/secrets.nix;
}; };
generateNixConfiguration = name: specialArgs: { generateNixConfiguration = name: specialArgs: {

34
hosts.nix
View file

@ -3,7 +3,7 @@ let
# Set of environment specific modules # Set of environment specific modules
environments = { environments = {
"proxmox" = [ "proxmox" = [
./configuration/proxmox-vm ./config/environments/proxmox-vm
]; ];
}; };
generateDefaults = hosts: builtins.mapAttrs (name: { generateDefaults = hosts: builtins.mapAttrs (name: {
@ -11,58 +11,82 @@ let
system ? "x86_64-linux", system ? "x86_64-linux",
# pkgs is explicitly defined so that overlays for each host can easily be created # pkgs is explicitly defined so that overlays for each host can easily be created
pkgs ? hostNixpkgs.legacyPackages.${system}, pkgs ? hostNixpkgs.legacyPackages.${system},
environment ? "proxmox", environment ? "",
site site
}: { }: {
inherit hostNixpkgs system pkgs environment site; inherit hostNixpkgs system pkgs environment site;
# define common and host modules and additionally add environment specific modules # define common and host modules and additionally add environment specific modules
modules = [ modules = [
./configuration/common ./config/common
./hosts/${name} ./config/hosts/${name}
] ++ environments.${environment}; ] ++ (if environment != "" then environments.${environment} else []);
}) hosts; }) hosts;
in in
generateDefaults { generateDefaults {
#fee = {
# site = "wg";
# environment = "bare-metal";
#};
hydra = { hydra = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
iperf = { iperf = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
jackett = { jackett = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
jellyfin = { jellyfin = {
hostNixpkgs = nixpkgs-unstable; hostNixpkgs = nixpkgs-unstable;
site = "vs"; site = "vs";
environment = "proxmox";
};
lifeline = {
site = "io";
};
mail-1 = {
site = "vs";
environment = "proxmox";
}; };
matrix = { matrix = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
metrics = { metrics = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
netbox = { netbox = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
nextcloud = { nextcloud = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
nitter = { nitter = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
coturn = { coturn = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
tor-relay = { tor-relay = {
site = "vs"; site = "vs";
environment = "proxmox";
}; };
web-public-2 = { web-public-2 = {
hostNixpkgs = nixpkgs-unstable; hostNixpkgs = nixpkgs-unstable;
site = "vs"; site = "vs";
environment = "proxmox";
}; };
web-nonpublic-linuxcrewd = { web-nonpublic-linuxcrewd = {
hostNixpkgs = nixpkgs-unstable; hostNixpkgs = nixpkgs-unstable;
site = "vs"; site = "vs";
environment = "proxmox";
}; };
} }

34
hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix
View file

@ -1,34 +0,0 @@
{ ... }:
{
services.nginx.virtualHosts."nextcloud.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "localhost";
port = 1234;
} # workaround for enableACME check
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
proxyPass = "http://nextcloud-grzb.vs.grzb.de:80";
};
locations."= /.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
locations."= /.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
extraConfig = ''
proxy_read_timeout 3600;
proxy_request_buffering off;
'';
};
extraConfig = ''
client_max_body_size 4096m;
'';
};
}