Setup mail server and restructure some things
parent
fa3db3bad6
commit
4a802ab44d
|
@ -3,8 +3,8 @@
|
|||
imports = [
|
||||
./prometheus-node-exporter.nix
|
||||
./nginx.nix
|
||||
../../users/colmena-deploy
|
||||
../../users/yuri
|
||||
../users/colmena-deploy
|
||||
../users/yuri
|
||||
];
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
|
@ -1,7 +1,7 @@
|
|||
{ ... }:
|
||||
{ lib, ... }:
|
||||
{
|
||||
services.prometheus.exporters.node = {
|
||||
enable = true;
|
||||
enable = lib.mkDefault true;
|
||||
openFirewall = true;
|
||||
};
|
||||
}
|
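Review bot: `openFirewall = true;` stays a hard `true` while `enable` became `lib.mkDefault true`, so a host that keeps the exporter but wants to scope the port (for example to the WireGuard interface only) cannot override it without `lib.mkForce`. Making the two defaults symmetric, `openFirewall = lib.mkDefault true;`, keeps the per-host override story consistent. The new lifeline host currently sidesteps this by disabling the exporter entirely (`services.prometheus.exporters.node.enable = false;` in its configuration.nix), which works only because `enable` is now a default.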
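--- /dev/null
+++ b/config/hosts/lifeline/configuration.nix
@@ -0,0 +1,69 @@
+{ pkgs, ... }:
+{
+boot.loader.grub = {
+enable = true;
+device = "/dev/vda";
+};
+
+boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+
+networking = {
+hostName = "lifeline";
+useDHCP = true;
+wireguard = {
+enable = true;
+interfaces.wg0 = {
+privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret";
+listenPort = 51820;
+ips = [
+"172.16.50.1/24"
+];
+peers = [
+{
+name = "mail-1";
+publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
+presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret";
+allowedIPs = [ "172.16.50.2/32" ];
+}
+];
+postSetup = ''
+${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+'';
+postShutdown = ''
+${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+'';
+};
+};
+nat = {
+enable = true;
+internalInterfaces = [ "wg0" ];
+externalInterface = "ens6";
+forwardPorts = [
+{
+destination = "172.16.50.2:25";
+proto = "tcp";
+sourcePort = 25;
+}
+{
+destination = "172.16.50.2:465";
+proto = "tcp";
+sourcePort = 465;
+}
+{
+destination = "172.16.50.2:993";
+proto = "tcp";
+sourcePort = 993;
+}
+];
+};
+firewall = {
+allowedUDPPorts = [ 51820 ];
+};
+};
+
+services.prometheus.exporters.node.enable = false;
+
+system.stateVersion = "23.05";
+}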
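Review bot: The `postSetup`/`postShutdown` iptables lines duplicate what `networking.nat` is asked to do further down (`internalInterfaces = [ "wg0" ]`, `externalInterface = "ens6"`), so the host ends up with two sources of truth for the masquerade rule and `ens6` appears three times as a literal. If the NixOS nat module covers this case (as far as I recall it installs its own POSTROUTING masquerade for the internal interfaces and sets the `net.ipv4.conf.all.forwarding` sysctl itself), the hand-written rules and the explicit sysctl can go; if they are needed for something the module does not do, a comment above `postSetup` should say what. At minimum hoist the interface name into a `let` binding so the nat block and the script rules cannot drift apart. Note also that `iptables -A FORWARD -i wg0 -j ACCEPT` is unrestricted by destination; it is only as narrow as the peer's `allowedIPs = [ "172.16.50.2/32" ]` makes the source, which is worth stating in a comment next to it.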
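--- /dev/null
+++ b/config/hosts/lifeline/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+imports = [
+./configuration.nix
+./hardware-configuration.nix
+];
+}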
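--- /dev/null
+++ b/config/hosts/lifeline/hardware-configuration.nix
@@ -0,0 +1,16 @@
+{ modulesPath, ... }:
+{
+imports = [
+(modulesPath + "/profiles/qemu-guest.nix")
+];
+
+boot.initrd = {
+availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+kernelModules = [ "nvme" ];
+};
+
+fileSystems."/" = {
+device = "/dev/vda1";
+fsType = "ext4";
+};
+}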
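--- /dev/null
+++ b/config/hosts/lifeline/secrets.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = {
+keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = {
+keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+}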
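Review bot: Both `keyCommand` lists hard-code the deployer's `GNUPGHOME` and `PASSWORD_STORE_DIR` under `/home/yuri`, whereas `config/hosts/mail-1/secrets.nix` in this same commit takes a `keyCommandEnv` module argument and writes `keyCommandEnv ++ [ "pass" ... ]`; the two host files should use one convention, otherwise a move of the pass store has to be chased through every host. I would switch this file to the `{ keyCommandEnv, ... }:` form as well, assuming that argument is actually provided to the colmena evaluation (it is not visible on this page). The WireGuard private key and PSK are deployed `0640 root:root`, which is the tighter of the two settings used in this commit; mail-1 deploys the same kind of file with `group = "systemd-network"`, so one of the two is probably a leftover.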
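--- /dev/null
+++ b/config/hosts/mail-1/configuration.nix
@@ -0,0 +1,61 @@
+{ ... }:
+{
+boot.loader.grub = {
+enable = true;
+device = "/dev/vda";
+};
+
+networking = {
+hostName = "mail-1";
+useDHCP = true;
+defaultGateway = {
+address = "172.16.50.1";
+interface = "wg0";
+};
+interfaces.enp6s18.ipv4 = {
+routes = [
+{
+address = "10.201.0.0";
+prefixLength = 16;
+via = "10.202.41.1";
+}
+{
+address = "10.202.0.0";
+prefixLength = 16;
+via = "10.202.41.1";
+}
+{
+address = "172.21.87.0"; # management VPN
+prefixLength = 24;
+via = "10.202.41.1";
+}
+{
+address = "217.160.117.160"; #
+prefixLength = 32;
+via = "10.202.41.1";
+}
+];
+};
+wireguard = {
+enable = true;
+interfaces.wg0 = {
+ips = [
+"172.16.50.2/24"
+];
+peers = [
+{
+name = "lifeline";
+publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
+presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
+endpoint = "lifeline.io.grzb.de:51820";
+allowedIPs = [ "0.0.0.0/0" ];
+persistentKeepalive = 25;
+}
+];
+privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
+};
+};
+};
+
+system.stateVersion = "23.05";
+}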
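Review bot: The key paths on `wg0` do not match what this host's secrets module deploys: the interface reads `/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret` and `/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret`, while `config/hosts/mail-1/secrets.nix` in this commit creates `wireguard-valkyrie-mail-1-mail-1-psk.secret` and `wireguard-mail-1-wg0-privatekey.secret`, so the tunnel cannot come up on a fresh deploy. That secrets file also pulls the PSK from `wireguard/valkyrie-mail-1/psk` whereas lifeline's side uses `wireguard/lifeline-mail-1/psk`; unless those two pass entries hold the same value the handshake still fails after the file names are fixed, so both hosts should reference one entry. Separately, `useDHCP = true;` together with `defaultGateway` via `wg0` leaves two candidate default routes (the DHCP lease on enp6s18 and the tunnel) and which one wins is decided by route metrics rather than by this file; if all egress is meant to go through the tunnel, as `allowedIPs = [ "0.0.0.0/0" ]` suggests, the DHCP client should be kept from installing a gateway and the intent stated next to `defaultGateway`. The `/32` route for `217.160.117.160` has an empty `#` comment; if that is the address behind `lifeline.io.grzb.de` that must stay reachable outside the tunnel, say so, e.g. `# lifeline WireGuard endpoint, must not be routed via wg0`.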
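--- /dev/null
+++ b/config/hosts/mail-1/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+imports = [
+./configuration.nix
+./simple-nixos-mailserver.nix
+];
+}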
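--- /dev/null
+++ b/config/hosts/mail-1/secrets.nix
@@ -0,0 +1,85 @@
+{ keyCommandEnv, ... }:
+{
+deployment.keys = {
+"wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
+destDir = "/secrets";
+user = "root";
+group = "systemd-network";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+"wireguard-mail-1-wg0-privatekey.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
+destDir = "/secrets";
+user = "root";
+group = "systemd-network";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+"mail-fiona-grzb-de.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+"mail-yuri-nekover-se.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+"mail-mio-vs-grzb-de.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+"mail-fubuki-wg-grzb-de.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+"mail-cloud-nekover-se.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+"mail-status-nekover-se.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+"mail-matrix-nekover-se.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+"mail-social-nekover-se.secret" = {
+keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
+destDir = "/secrets";
+user = "root";
+group = "root";
+permissions = "0640";
+uploadAt = "pre-activation";
+};
+};
+}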
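Review bot: `{ keyCommandEnv, ... }:` makes this module require a `keyCommandEnv` argument that nothing on this page provides — `specialArgs` in flake.nix is `{ inherit hosts simple-nixos-mailserver; }` and helper.nix only appends the secrets file to `imports` — so unless it is injected somewhere not shown (for example through `_module.args`), evaluating the mail-1 colmena node fails with a missing-argument error before any key is deployed. The lifeline secrets file in the same commit inlines the `env GNUPGHOME=… PASSWORD_STORE_DIR=…` prefix instead, so either that prefix is provided centrally and both files use `keyCommandEnv`, or this file inlines it like lifeline does. The two WireGuard keys use `group = "systemd-network"` while every mail password file here and both lifeline keys use `group = "root"`; as far as I can tell `networking.wireguard` reads the key files as root, so the wider group is not needed and reads like a leftover from a networkd-based setup, which a comment or alignment with lifeline would clear up.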
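--- /dev/null
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
@@ -0,0 +1,66 @@
+{ simple-nixos-mailserver, ... }:
+{
+imports = [
+simple-nixos-mailserver.nixosModule {
+mailserver = {
+enable = true;
+openFirewall = true;
+fqdn = "mail-1.grzb.de";
+enableImap = false;
+enableImapSsl = true;
+enableSubmission = false;
+enableSubmissionSsl = true;
+lmtpSaveToDetailMailbox = "no";
+domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
+loginAccounts = {
+"fiona@grzb.de" = {
+hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
+aliases = [ "@grzb.de" ];
+catchAll = [ "grzb.de" ];
+};
+"yuri@nekover.se" = {
+hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
+aliases = [ "@nekover.se" ];
+catchAll = [ "nekover.se" ];
+};
+"mio@vs.grzb.de" = {
+hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
+sendOnly = true;
+aliases = [ "root@vs.grzb.de" ];
+};
+"fubuki@wg.grzb.de" = {
+hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
+sendOnly = true;
+aliases = [ "root@wg.grzb.de" ];
+};
+"cloud@nekover.se" = {
+hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
+sendOnly = true;
+};
+"status@nekover.se" = {
+hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
+sendOnly = true;
+};
+"matrix@nekover.se" = {
+hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
+sendOnly = true;
+aliases = [ "nyareply@nekover.se" ];
+};
+"social@nekover.se" = {
+hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
+sendOnly = true;
+aliases = [ "nyareply@nekover.se" ];
+};
+};
+certificateScheme = "acme-nginx";
+};
+}
+];
+
+services.postfix = {
+transport = "relay:[mail-2.grzb.de]";
+extraConfig = ''
+proxy_interfaces = 212.53.203.19
+'';
+};
+}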
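Review bot: `transport = "relay:[mail-2.grzb.de]";` has no lookup key: `services.postfix.transport` is the body of Postfix's transport map, where each line is `<domain-or-pattern> <transport>:<nexthop>`, so this line routes nothing and postmap is likely to warn about or reject it. If every outbound message is meant to be handed to mail-2, use either `services.postfix.relayHost = "mail-2.grzb.de";` or an explicit wildcard entry, `transport = "* relay:[mail-2.grzb.de]";`, and add a comment saying why mail-1 does not deliver directly (presumably because it sits behind lifeline's NAT). `proxy_interfaces = 212.53.203.19` only does its job if that literal is lifeline's external address, which is not visible in this commit; a comment tying the value to lifeline would spare the next reader a lookup. `certificateScheme = "acme-nginx"` needs the HTTP-01 challenge for `mail-1.grzb.de` to reach this host on port 80, which this commit arranges through the web host's nginx proxy rather than lifeline's `forwardPorts`; a one-line comment next to `certificateScheme` pointing at that dependency would keep the two from being changed independently.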
|
@ -9,6 +9,15 @@
|
|||
proxyPass = "http://jellyfin.vs.grzb.de:80";
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."mail-1.grzb.de" = {
|
||||
listen = [{
|
||||
addr = "0.0.0.0";
|
||||
port = 80;
|
||||
}];
|
||||
locations."^~ /.well-known/acme-challenge/" = {
|
||||
proxyPass = "http://mail-1.vs.grzb.de:80";
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."matrix.nekover.se" = {
|
||||
listen = [{
|
||||
addr = "0.0.0.0";
|
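Review bot: The new `mail-1.grzb.de` vhost listens on `0.0.0.0:80` only, so if `mail-1.grzb.de` ever gets an AAAA record the ACME HTTP-01 validator may connect over IPv6 and never reach the `^~ /.well-known/acme-challenge/` proxy; the neighbouring vhosts in this file follow the same pattern, so this is a file-wide convention rather than a new mistake, but here it would break certificate issuance for the mail host rather than a web page. Adding a second `listen` entry with `addr = "[::]"` next to the existing one covers it. The enclosing attribute set starts and ends outside this hunk.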
|
@ -8,7 +8,6 @@
|
|||
./git.grzb.de.nix
|
||||
./mewtube.nekover.se.nix
|
||||
./nekover.se.nix
|
||||
./nextcloud.grzb.de.nix
|
||||
./social.nekover.se.nix
|
||||
];
|
||||
|
145
flake.lock
145
flake.lock
|
@ -1,12 +1,44 @@
|
|||
{
|
||||
"nodes": {
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1604995301,
|
||||
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1668681692,
|
||||
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixlib": {
|
||||
"locked": {
|
||||
"lastModified": 1689469483,
|
||||
"narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=",
|
||||
"lastModified": 1693701915,
|
||||
"narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c",
|
||||
"rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -23,11 +55,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1690133435,
|
||||
"narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=",
|
||||
"lastModified": 1693791338,
|
||||
"narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-generators",
|
||||
"rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586",
|
||||
"rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -38,11 +70,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1693725722,
|
||||
"narHash": "sha256-PJFNgOpNqrsafMgNuca8olo6ugxIFeQOBBiNtyq2FXA=",
|
||||
"lastModified": 1694493899,
|
||||
"narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "00cc1bbf20f8eb85b537f9f10b41a311f0e01e3e",
|
||||
"rev": "c5167858ca4870e933da123762eb55363ccefe2b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -52,13 +84,43 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"nixpkgs-22_11": {
|
||||
"locked": {
|
||||
"lastModified": 1693723626,
|
||||
"narHash": "sha256-e6DnUnRT5aykzhme6wLUzYmSPw2G8j+RYwXluys2VJc=",
|
||||
"lastModified": 1669558522,
|
||||
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5e9ff98d1dccbb391a9769b5dc660a5f6e39c18b",
|
||||
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-22.11",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-23_05": {
|
||||
"locked": {
|
||||
"lastModified": 1684782344,
|
||||
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-23.05",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1694502577,
|
||||
"narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -68,11 +130,66 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1670751203,
|
||||
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-unstable",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"nixos-generators": "nixos-generators",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"simple-nixos-mailserver": "simple-nixos-mailserver"
|
||||
}
|
||||
},
|
||||
"simple-nixos-mailserver": {
|
||||
"inputs": {
|
||||
"blobs": "blobs",
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-22_11": "nixpkgs-22_11",
|
||||
"nixpkgs-23_05": "nixpkgs-23_05",
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1687462267,
|
||||
"narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "24128c3052090311688b09a400aa408ba61c6ee5",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"ref": "nixos-23.05",
|
||||
"repo": "nixos-mailserver",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
"locked": {
|
||||
"lastModified": 1605370193,
|
||||
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
13
flake.nix
13
flake.nix
|
@ -6,9 +6,10 @@
|
|||
url = "github:nix-community/nixos-generators";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let
|
||||
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: let
|
||||
hosts = import ./hosts.nix inputs;
|
||||
helper = import ./helper.nix inputs;
|
||||
in {
|
||||
|
@ -25,13 +26,13 @@
|
|||
nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
|
||||
|
||||
specialArgs = {
|
||||
inherit hosts;
|
||||
inherit hosts simple-nixos-mailserver;
|
||||
};
|
||||
};
|
||||
} // builtins.mapAttrs (helper.generateColmenaHost) hosts;
|
||||
|
||||
hydraJobs = {
|
||||
nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts; }) hosts;
|
||||
nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts;
|
||||
};
|
||||
|
||||
# Generate a base VM image for Proxmox with `nix build .#base-proxmox`
|
||||
|
@ -39,9 +40,9 @@
|
|||
base-proxmox = nixos-generators.nixosGenerate {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./configuration/common
|
||||
./configuration/nixos-generators
|
||||
./configuration/proxmox-vm
|
||||
./config/common
|
||||
./config/nixos-generators
|
||||
./config/environments/proxmox-vm
|
||||
];
|
||||
format = "proxmox";
|
||||
};
|
||||
|
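Review bot: `simple-nixos-mailserver.url` is added without `inputs.nixpkgs.follows = "nixpkgs";`, unlike `nixos-generators` three lines above, so flake.lock now carries the mailserver's own `nixpkgs_2` (a `nixos-unstable` revision from December 2022) plus separate `nixpkgs-22_11` and `nixpkgs-23_05` pins. The `nixosModule` is evaluated against each host's `pkgs`, so this is mostly lock hygiene and update noise rather than what gets deployed, but the extra old nixpkgs copies still show up in `nix flake update` and in anything that audits the lock for stale inputs. Adding `simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";` keeps one nixpkgs in the graph; the `nixpkgs-22_11`/`nixpkgs-23_05` inputs would need their own `follows` lines if you want those collapsed as well.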
|
|
@ -11,7 +11,7 @@
|
|||
};
|
||||
|
||||
# Set imports and optionally import colmena secrets configuration
|
||||
imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix;
|
||||
imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./config/hosts/${name}/secrets.nix) ./config/hosts/${name}/secrets.nix;
|
||||
};
|
||||
|
||||
generateNixConfiguration = name: specialArgs: {
|
||||
|
|
36
hosts.nix
36
hosts.nix
|
@ -3,66 +3,90 @@ let
|
|||
# Set of environment specific modules
|
||||
environments = {
|
||||
"proxmox" = [
|
||||
./configuration/proxmox-vm
|
||||
];
|
||||
./config/environments/proxmox-vm
|
||||
];
|
||||
};
|
||||
generateDefaults = hosts: builtins.mapAttrs (name: {
|
||||
hostNixpkgs ? nixpkgs,
|
||||
system ? "x86_64-linux",
|
||||
# pkgs is explicitly defined so that overlays for each host can easily be created
|
||||
pkgs ? hostNixpkgs.legacyPackages.${system},
|
||||
environment ? "proxmox",
|
||||
environment ? "",
|
||||
site
|
||||
}: {
|
||||
inherit hostNixpkgs system pkgs environment site;
|
||||
# define common and host modules and additionally add environment specific modules
|
||||
modules = [
|
||||
./configuration/common
|
||||
./hosts/${name}
|
||||
] ++ environments.${environment};
|
||||
./config/common
|
||||
./config/hosts/${name}
|
||||
] ++ (if environment != "" then environments.${environment} else []);
|
||||
}) hosts;
|
||||
in
|
||||
generateDefaults {
|
||||
#fee = {
|
||||
# site = "wg";
|
||||
# environment = "bare-metal";
|
||||
#};
|
||||
hydra = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
iperf = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
jackett = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
jellyfin = {
|
||||
hostNixpkgs = nixpkgs-unstable;
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
lifeline = {
|
||||
site = "io";
|
||||
};
|
||||
mail-1 = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
matrix = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
metrics = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
netbox = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
nextcloud = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
nitter = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
coturn = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
tor-relay = {
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
web-public-2 = {
|
||||
hostNixpkgs = nixpkgs-unstable;
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
web-nonpublic-linuxcrewd = {
|
||||
hostNixpkgs = nixpkgs-unstable;
|
||||
site = "vs";
|
||||
environment = "proxmox";
|
||||
};
|
||||
}
|
||||
|
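Review bot: `environment ? ""` uses the empty string as a "no environment" sentinel and then branches on `environment != ""`; `environment ? null` with `nixpkgs.lib.optionals (environment != null) environments.${environment}` says the same thing without a magic value and drops the `if … then … else []`. The `environments` set only knows `"proxmox"`, yet the commented-out `fee` entry asks for `"bare-metal"`, so enabling that host as written would fail with a missing-attribute error on `environments.${environment}`; either add the environment or extend the comment to say it does not exist yet. The enclosing `let` starts before this hunk.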
|
|
@ -1,34 +0,0 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.nginx.virtualHosts."nextcloud.grzb.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
listen = [
|
||||
{
|
||||
addr = "localhost";
|
||||
port = 1234;
|
||||
} # workaround for enableACME check
|
||||
{
|
||||
addr = "localhost";
|
||||
port = 8443;
|
||||
ssl = true;
|
||||
proxyProtocol = true;
|
||||
}];
|
||||
locations."/" = {
|
||||
proxyPass = "http://nextcloud-grzb.vs.grzb.de:80";
|
||||
};
|
||||
locations."= /.well-known/carddav" = {
|
||||
return = "301 $scheme://$host/remote.php/dav";
|
||||
};
|
||||
locations."= /.well-known/caldav" = {
|
||||
return = "301 $scheme://$host/remote.php/dav";
|
||||
extraConfig = ''
|
||||
proxy_read_timeout 3600;
|
||||
proxy_request_buffering off;
|
||||
'';
|
||||
};
|
||||
extraConfig = ''
|
||||
client_max_body_size 4096m;
|
||||
'';
|
||||
};
|
||||
}
|