Setup mail server and restructure some things

2023-09-14 14:43:49 +02:00 · 2023-09-14 14:43:49 +02:00 · ba93d164cf
parent 4c382e629d
commit ba93d164cf
90 changed files with 512 additions and 66 deletions
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@ -3,8 +3,8 @@
  imports = [
    ./prometheus-node-exporter.nix
    ./nginx.nix
-    ../../users/colmena-deploy
+    ../users/colmena-deploy
-    ../../users/yuri
+    ../users/yuri
  ];
  time.timeZone = "Europe/Berlin";
--- a/configuration/common/nginx.nix
+++ b/configuration/common/nginx.nix
--- a/configuration/common/prometheus-node-exporter.nix
+++ b/configuration/common/prometheus-node-exporter.nix
@ -1,7 +1,7 @@
-{ ... }:
+{ lib, ... }:
 {
  services.prometheus.exporters.node = {
-    enable = true;
+    enable = lib.mkDefault true;
    openFirewall = true;
  };
 }
--- a/config/environments/proxmox-vm/default.nix
+++ b/config/environments/proxmox-vm/default.nix
--- a/config/environments/proxmox-vm/hardware-configuration.nix
+++ b/config/environments/proxmox-vm/hardware-configuration.nix
--- a/config/hosts/coturn/acme.nix
+++ b/config/hosts/coturn/acme.nix
--- a/config/hosts/coturn/configuration.nix
+++ b/config/hosts/coturn/configuration.nix
--- a/config/hosts/coturn/coturn.nix
+++ b/config/hosts/coturn/coturn.nix
--- a/config/hosts/coturn/default.nix
+++ b/config/hosts/coturn/default.nix
--- a/config/hosts/coturn/secrets.nix
+++ b/config/hosts/coturn/secrets.nix
--- a/config/hosts/hydra/configuration.nix
+++ b/config/hosts/hydra/configuration.nix
--- a/config/hosts/hydra/default.nix
+++ b/config/hosts/hydra/default.nix
--- a/config/hosts/hydra/hydra.nix
+++ b/config/hosts/hydra/hydra.nix
--- a/config/hosts/hydra/nginx.nix
+++ b/config/hosts/hydra/nginx.nix
--- a/config/hosts/hydra/nix-serve.nix
+++ b/config/hosts/hydra/nix-serve.nix
--- a/config/hosts/hydra/secrets.nix
+++ b/config/hosts/hydra/secrets.nix
--- a/config/hosts/iperf/configuration.nix
+++ b/config/hosts/iperf/configuration.nix
--- a/config/hosts/iperf/default.nix
+++ b/config/hosts/iperf/default.nix
--- a/config/hosts/iperf/iperf.nix
+++ b/config/hosts/iperf/iperf.nix
--- a/config/hosts/jackett/configuration.nix
+++ b/config/hosts/jackett/configuration.nix
--- a/config/hosts/jackett/default.nix
+++ b/config/hosts/jackett/default.nix
--- a/config/hosts/jackett/jackett.nix
+++ b/config/hosts/jackett/jackett.nix
--- a/config/hosts/jellyfin/configuration.nix
+++ b/config/hosts/jellyfin/configuration.nix
--- a/config/hosts/jellyfin/default.nix
+++ b/config/hosts/jellyfin/default.nix
--- a/config/hosts/jellyfin/hardware-configuration.nix
+++ b/config/hosts/jellyfin/hardware-configuration.nix
--- a/config/hosts/jellyfin/jellyfin.nix
+++ b/config/hosts/jellyfin/jellyfin.nix
--- a/config/hosts/jellyfin/nginx.nix
+++ b/config/hosts/jellyfin/nginx.nix
--- a/config/hosts/jellyfin/secrets.nix
+++ b/config/hosts/jellyfin/secrets.nix
--- a/config/hosts/lifeline/configuration.nix
+++ b/config/hosts/lifeline/configuration.nix
@ -0,0 +1,69 @@
 { pkgs, ... }:
 {
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
  networking = {
    hostName = "lifeline";
    useDHCP = true;
    wireguard = {
      enable = true;
      interfaces.wg0 = {
        privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret";
        listenPort = 51820;
        ips = [
          "172.16.50.1/24"
        ];
        peers = [
          {
            name = "mail-1";
            publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
            presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret";
            allowedIPs = [ "172.16.50.2/32" ];
          }
        ];
        postSetup = ''
          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
        '';
        postShutdown = ''
          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
        '';
      };
    };
    nat = {
      enable = true;
      internalInterfaces = [ "wg0" ];
      externalInterface = "ens6";
      forwardPorts = [
        {
          destination = "172.16.50.2:25";
          proto = "tcp";
          sourcePort = 25;
        }
        {
          destination = "172.16.50.2:465";
          proto = "tcp";
          sourcePort = 465;
        }
        {
          destination = "172.16.50.2:993";
          proto = "tcp";
          sourcePort = 993;
        }
      ];
    };
    firewall = {
      allowedUDPPorts = [ 51820 ];
    };
  };
  services.prometheus.exporters.node.enable = false;
  system.stateVersion = "23.05";
 }
--- a/config/hosts/lifeline/default.nix
+++ b/config/hosts/lifeline/default.nix
@ -0,0 +1,7 @@
 { ... }:
 {
  imports = [
    ./configuration.nix
    ./hardware-configuration.nix
  ];
 }
--- a/config/hosts/lifeline/hardware-configuration.nix
+++ b/config/hosts/lifeline/hardware-configuration.nix
@ -0,0 +1,16 @@
 { modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd = {
    availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
    kernelModules = [ "nvme" ];
  };
  fileSystems."/" = { 
    device = "/dev/vda1";
    fsType = "ext4";
  };
 }
--- a/config/hosts/lifeline/secrets.nix
+++ b/config/hosts/lifeline/secrets.nix
@ -0,0 +1,19 @@
 { ... }:
 {
  deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = {
    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ];
    destDir = "/secrets";
    user = "root";
    group = "root";
    permissions = "0640";
    uploadAt = "pre-activation";
  };
  deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = {
    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ];
    destDir = "/secrets";
    user = "root";
    group = "root";
    permissions = "0640";
    uploadAt = "pre-activation";
  };
 }
--- a/config/hosts/mail-1/configuration.nix
+++ b/config/hosts/mail-1/configuration.nix
@ -0,0 +1,61 @@
 { ... }:
 {
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };
  networking = {
    hostName = "mail-1";
    useDHCP = true;
    defaultGateway = {
      address = "172.16.50.1";
      interface = "wg0";
    };
    interfaces.enp6s18.ipv4 = {
      routes = [
        {
          address = "10.201.0.0";
          prefixLength = 16;
          via = "10.202.41.1";
        }
        {
          address = "10.202.0.0";
          prefixLength = 16;
          via = "10.202.41.1";
        }
        {
          address = "172.21.87.0"; # management VPN
          prefixLength = 24;
          via = "10.202.41.1";
        }
        {
          address = "217.160.117.160"; # 
          prefixLength = 32;
          via = "10.202.41.1";
        }
      ];
    };
    wireguard = {
      enable = true;
      interfaces.wg0 = {
        ips = [
          "172.16.50.2/24"
        ];
        peers = [
          {
            name = "lifeline";
            publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
            presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
            endpoint = "lifeline.io.grzb.de:51820";
            allowedIPs = [ "0.0.0.0/0" ];
            persistentKeepalive = 25;
          }
        ];
        privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
      };
    };
  };
  system.stateVersion = "23.05";
 }
--- a/config/hosts/mail-1/default.nix
+++ b/config/hosts/mail-1/default.nix
@ -0,0 +1,7 @@
 { ... }:
 {
  imports = [
    ./configuration.nix
    ./simple-nixos-mailserver.nix
  ];
 }
--- a/config/hosts/mail-1/secrets.nix
+++ b/config/hosts/mail-1/secrets.nix
@ -0,0 +1,85 @@
 { keyCommandEnv, ... }:
 {
  deployment.keys = {
    "wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
      destDir = "/secrets";
      user = "root";
      group = "systemd-network";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "wireguard-mail-1-wg0-privatekey.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
      destDir = "/secrets";
      user = "root";
      group = "systemd-network";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-fiona-grzb-de.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-yuri-nekover-se.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-mio-vs-grzb-de.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-fubuki-wg-grzb-de.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-cloud-nekover-se.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-status-nekover-se.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-matrix-nekover-se.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "mail-social-nekover-se.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/mail-1/simple-nixos-mailserver.nix
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
@ -0,0 +1,66 @@
 { simple-nixos-mailserver, ... }:
 {
  imports = [
    simple-nixos-mailserver.nixosModule {
      mailserver = {
        enable = true;
        openFirewall = true;
        fqdn = "mail-1.grzb.de";
        enableImap = false;
        enableImapSsl = true;
        enableSubmission = false;
        enableSubmissionSsl = true;
        lmtpSaveToDetailMailbox = "no";
        domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
        loginAccounts = {
          "fiona@grzb.de" = {
            hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
            aliases = [ "@grzb.de" ];
            catchAll = [ "grzb.de" ];
          };
          "yuri@nekover.se" = {
            hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
            aliases = [ "@nekover.se" ];
            catchAll = [ "nekover.se" ];
          };
          "mio@vs.grzb.de" = {
            hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
            sendOnly = true;
            aliases = [ "root@vs.grzb.de" ];
          };
          "fubuki@wg.grzb.de" = {
            hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
            sendOnly = true;
            aliases = [ "root@wg.grzb.de" ];
          };
          "cloud@nekover.se" = {
            hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
            sendOnly = true;
          };
          "status@nekover.se" = {
            hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
            sendOnly = true;
          };
          "matrix@nekover.se" = {
            hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
            sendOnly = true;
            aliases = [ "nyareply@nekover.se" ];
          };
          "social@nekover.se" = {
            hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
            sendOnly = true;
            aliases = [ "nyareply@nekover.se" ];
          };
        };
        certificateScheme = "acme-nginx";
      };
    }
  ];
  services.postfix = {
    transport = "relay:[mail-2.grzb.de]";
    extraConfig = ''
      proxy_interfaces = 212.53.203.19
    '';
  };
 }
--- a/config/hosts/matrix/configuration.nix
+++ b/config/hosts/matrix/configuration.nix
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
--- a/config/hosts/matrix/hardware-configuration.nix
+++ b/config/hosts/matrix/hardware-configuration.nix
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
--- a/config/hosts/matrix/postgresql.nix
+++ b/config/hosts/matrix/postgresql.nix
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
--- a/config/hosts/metrics/configuration.nix
+++ b/config/hosts/metrics/configuration.nix
--- a/config/hosts/metrics/default.nix
+++ b/config/hosts/metrics/default.nix
--- a/config/hosts/metrics/grafana.nix
+++ b/config/hosts/metrics/grafana.nix
--- a/config/hosts/metrics/nginx.nix
+++ b/config/hosts/metrics/nginx.nix
--- a/config/hosts/metrics/prometheus.nix
+++ b/config/hosts/metrics/prometheus.nix
--- a/config/hosts/metrics/secrets.nix
+++ b/config/hosts/metrics/secrets.nix
--- a/config/hosts/netbox/configuration.nix
+++ b/config/hosts/netbox/configuration.nix
--- a/config/hosts/netbox/default.nix
+++ b/config/hosts/netbox/default.nix
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
--- a/config/hosts/netbox/nginx.nix
+++ b/config/hosts/netbox/nginx.nix
--- a/config/hosts/netbox/secrets.nix
+++ b/config/hosts/netbox/secrets.nix
--- a/config/hosts/nextcloud/configuration.nix
+++ b/config/hosts/nextcloud/configuration.nix
--- a/config/hosts/nextcloud/default.nix
+++ b/config/hosts/nextcloud/default.nix
--- a/config/hosts/nextcloud/hardware-configuration.nix
+++ b/config/hosts/nextcloud/hardware-configuration.nix
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
--- a/config/hosts/nextcloud/secrets.nix
+++ b/config/hosts/nextcloud/secrets.nix
--- a/config/hosts/nitter/configuration.nix
+++ b/config/hosts/nitter/configuration.nix
--- a/config/hosts/nitter/default.nix
+++ b/config/hosts/nitter/default.nix
--- a/config/hosts/nitter/nginx.nix
+++ b/config/hosts/nitter/nginx.nix
--- a/config/hosts/nitter/nitter.nix
+++ b/config/hosts/nitter/nitter.nix
--- a/config/hosts/tor-relay/configuration.nix
+++ b/config/hosts/tor-relay/configuration.nix
--- a/config/hosts/tor-relay/default.nix
+++ b/config/hosts/tor-relay/default.nix
--- a/config/hosts/tor-relay/tor.nix
+++ b/config/hosts/tor-relay/tor.nix
--- a/config/hosts/web-nonpublic-linuxcrewd/configuration.nix
+++ b/config/hosts/web-nonpublic-linuxcrewd/configuration.nix
--- a/config/hosts/web-nonpublic-linuxcrewd/default.nix
+++ b/config/hosts/web-nonpublic-linuxcrewd/default.nix
--- a/config/hosts/web-nonpublic-linuxcrewd/nginx.nix
+++ b/config/hosts/web-nonpublic-linuxcrewd/nginx.nix
--- a/config/hosts/web-public-2/configuration.nix
+++ b/config/hosts/web-public-2/configuration.nix
--- a/config/hosts/web-public-2/default.nix
+++ b/config/hosts/web-public-2/default.nix
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@ -9,6 +9,15 @@
      proxyPass = "http://jellyfin.vs.grzb.de:80";
    };
  };
  services.nginx.virtualHosts."mail-1.grzb.de" = {
    listen = [{ 
      addr = "0.0.0.0";
      port = 80;
    }];
    locations."^~ /.well-known/acme-challenge/" = {
      proxyPass = "http://mail-1.vs.grzb.de:80";
    };
  };
  services.nginx.virtualHosts."matrix.nekover.se" = {
    listen = [{ 
      addr = "0.0.0.0";
--- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
+++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
--- a/config/hosts/web-public-2/virtualHosts/default.nix
+++ b/config/hosts/web-public-2/virtualHosts/default.nix
@ -8,7 +8,6 @@
    ./git.grzb.de.nix
    ./mewtube.nekover.se.nix
    ./nekover.se.nix
    ./nextcloud.grzb.de.nix
    ./social.nekover.se.nix
  ];
--- a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json
+++ b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
--- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
+++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
--- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
+++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
--- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
--- a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix
--- a/configuration/nixos-generators/default.nix
+++ b/configuration/nixos-generators/default.nix
--- a/config/users/colmena-deploy/default.nix
+++ b/config/users/colmena-deploy/default.nix
--- a/config/users/yuri/default.nix
+++ b/config/users/yuri/default.nix
--- a/flake.lock
+++ b/flake.lock
@ -1,12 +1,44 @@
 {
  "nodes": {
    "blobs": {
      "flake": false,
      "locked": {
        "lastModified": 1604995301,
        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "repo": "blobs",
        "type": "gitlab"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1668681692,
        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1689469483,
+        "lastModified": 1693701915,
-        "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=",
+        "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c",
+        "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
        "type": "github"
      },
      "original": {
@ -23,11 +55,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1690133435,
+        "lastModified": 1693791338,
-        "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=",
+        "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586",
+        "rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
        "type": "github"
      },
      "original": {
@ -38,11 +70,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1693725722,
+        "lastModified": 1694493899,
-        "narHash": "sha256-PJFNgOpNqrsafMgNuca8olo6ugxIFeQOBBiNtyq2FXA=",
+        "narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "00cc1bbf20f8eb85b537f9f10b41a311f0e01e3e",
+        "rev": "c5167858ca4870e933da123762eb55363ccefe2b",
        "type": "github"
      },
      "original": {
@ -52,13 +84,43 @@
        "type": "github"
      }
    },
-    "nixpkgs-unstable": {
+    "nixpkgs-22_11": {
      "locked": {
-        "lastModified": 1693723626,
+        "lastModified": 1669558522,
-        "narHash": "sha256-e6DnUnRT5aykzhme6wLUzYmSPw2G8j+RYwXluys2VJc=",
+        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5e9ff98d1dccbb391a9769b5dc660a5f6e39c18b",
+        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-22.11",
        "type": "indirect"
      }
    },
    "nixpkgs-23_05": {
      "locked": {
        "lastModified": 1684782344,
        "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-23.05",
        "type": "indirect"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1694502577,
        "narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72",
        "type": "github"
      },
      "original": {
@ -68,11 +130,66 @@
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1670751203,
        "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-unstable",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
        "simple-nixos-mailserver": "simple-nixos-mailserver"
      }
    },
    "simple-nixos-mailserver": {
      "inputs": {
        "blobs": "blobs",
        "flake-compat": "flake-compat",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-22_11": "nixpkgs-22_11",
        "nixpkgs-23_05": "nixpkgs-23_05",
        "utils": "utils"
      },
      "locked": {
        "lastModified": 1687462267,
        "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
        "rev": "24128c3052090311688b09a400aa408ba61c6ee5",
        "type": "gitlab"
      },
      "original": {
        "owner": "simple-nixos-mailserver",
        "ref": "nixos-23.05",
        "repo": "nixos-mailserver",
        "type": "gitlab"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1605370193,
        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -6,9 +6,10 @@
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
  };
-  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let
+  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: let
    hosts = import ./hosts.nix inputs;
    helper = import ./helper.nix inputs;
  in {
@ -25,13 +26,13 @@
        nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
        specialArgs = {
-          inherit hosts;
+          inherit hosts simple-nixos-mailserver;
        };
      };
    } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
    hydraJobs = {
-      nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts; }) hosts;
+      nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts;
    };
    # Generate a base VM image for Proxmox with `nix build .#base-proxmox`
@ -39,9 +40,9 @@
      base-proxmox = nixos-generators.nixosGenerate {
        system = "x86_64-linux";
        modules = [
-          ./configuration/common
+          ./config/common
-          ./configuration/nixos-generators
+          ./config/nixos-generators
-          ./configuration/proxmox-vm
+          ./config/environments/proxmox-vm
        ];
        format = "proxmox";
      };
--- a/helper.nix
+++ b/helper.nix
@ -11,7 +11,7 @@
    };
    # Set imports and optionally import colmena secrets configuration
-    imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix;
+    imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./config/hosts/${name}/secrets.nix) ./config/hosts/${name}/secrets.nix;
  };
  generateNixConfiguration = name: specialArgs: {
--- a/hosts.nix
+++ b/hosts.nix
@ -3,66 +3,90 @@ let
  # Set of environment specific modules
  environments = {
    "proxmox" = [
-      ./configuration/proxmox-vm
+      ./config/environments/proxmox-vm
-    ]; 
+    ];
  };
  generateDefaults = hosts: builtins.mapAttrs (name: {
    hostNixpkgs ? nixpkgs,
    system ? "x86_64-linux",
    # pkgs is explicitly defined so that overlays for each host can easily be created
    pkgs ? hostNixpkgs.legacyPackages.${system},
-    environment ? "proxmox",
+    environment ? "",
    site
  }: {
    inherit hostNixpkgs system pkgs environment site;
    # define common and host modules and additionally add environment specific modules
    modules = [
-      ./configuration/common
+      ./config/common
-      ./hosts/${name}
+      ./config/hosts/${name}
-    ] ++ environments.${environment};
+    ] ++ (if environment != "" then environments.${environment} else []);
  }) hosts;
 in
  generateDefaults {
    #fee = {
    #  site = "wg";
    #  environment = "bare-metal";
    #};
    hydra = {
      site = "vs";
      environment = "proxmox";
    };
    iperf = {
      site = "vs";
      environment = "proxmox";
    };
    jackett = {
      site = "vs";
      environment = "proxmox";
    };
    jellyfin = {
      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };
    lifeline = {
      site = "io";
    };
    mail-1 = {
      site = "vs";
      environment = "proxmox";
    };
    matrix = {
      site = "vs";
      environment = "proxmox";
    };
    metrics = {
      site = "vs";
      environment = "proxmox";
    };
    netbox = {
      site = "vs";
      environment = "proxmox";
    };
    nextcloud = {
      site = "vs";
      environment = "proxmox";
    };
    nitter = {
      site = "vs";
      environment = "proxmox";
    };
    coturn = {
      site = "vs";
      environment = "proxmox";
    };
    tor-relay = {
      site = "vs";
      environment = "proxmox";
    };
    web-public-2 = {
      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };
    web-nonpublic-linuxcrewd = {
      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };
  }
--- a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix
+++ b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix
@ -1,34 +0,0 @@
 { ... }:
 {
  services.nginx.virtualHosts."nextcloud.grzb.de" = {
    forceSSL = true;
    enableACME = true;
    listen = [
      { 
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
      addr = "localhost";
      port = 8443;
      ssl = true;
      proxyProtocol = true;
    }];
    locations."/" = {
      proxyPass = "http://nextcloud-grzb.vs.grzb.de:80";
    };
    locations."= /.well-known/carddav" = {
      return = "301 $scheme://$host/remote.php/dav";
    };
    locations."= /.well-known/caldav" = {
      return = "301 $scheme://$host/remote.php/dav";
      extraConfig = ''
        proxy_read_timeout 3600;
        proxy_request_buffering off;
      '';
    };
    extraConfig = ''
      client_max_body_size 4096m;
    '';
  };
 }