From c9a5c521dbc7785aa4a6c1f410e547202075c13b Mon Sep 17 00:00:00 2001 From: andromeda Date: Tue, 6 Jan 2026 14:52:34 +0100 Subject: [PATCH] stash --- flake.nix | 10 +- machines.nix | 39 ++++++- machines/109-199-104-83.nix | 35 ++++++ machines/109-199-104-83/configuration.nix | 105 ------------------ machines/lenovo/configuration.nix | 1 + modules/nixos/boot/109-199-104-83.nix | 3 + modules/nixos/common.nix | 16 +++ modules/nixos/mailserver.nix | 30 +++++ .../nixos/networking/domains/galaxious.de.nix | 3 + modules/nixos/networking/hard-ssh.nix | 19 ++++ .../networking/networks/109-199-104-83.nix | 27 +++++ modules/nixos/networking/ssh-as-root.nix | 3 + modules/nixos/roundcube.nix | 12 ++ modules/nixos/zulip.nix | 67 ++++------- pub-keys.nix | 2 + secrets/mailserver-acc-admin-pw.age | 9 ++ secrets/mailserver-acc-zulip+admin-pw.age | Bin 0 -> 506 bytes secrets/secrets.nix | 2 + 18 files changed, 228 insertions(+), 155 deletions(-) create mode 100644 machines/109-199-104-83.nix delete mode 100644 machines/109-199-104-83/configuration.nix create mode 100644 modules/nixos/boot/109-199-104-83.nix create mode 100644 modules/nixos/common.nix create mode 100644 modules/nixos/mailserver.nix create mode 100644 modules/nixos/networking/domains/galaxious.de.nix create mode 100644 modules/nixos/networking/hard-ssh.nix create mode 100644 modules/nixos/networking/networks/109-199-104-83.nix create mode 100644 modules/nixos/networking/ssh-as-root.nix create mode 100644 modules/nixos/roundcube.nix create mode 100644 secrets/mailserver-acc-admin-pw.age create mode 100644 secrets/mailserver-acc-zulip+admin-pw.age diff --git a/flake.nix b/flake.nix index 8bd44d7..0965a26 100644 --- a/flake.nix +++ b/flake.nix @@ -62,7 +62,6 @@ modules = modules ++ [ - ./machines/${machine.hostname}/configuration.nix ./users.nix ./secrets.nix impermanence.nixosModules.impermanence 
@@ -77,6 +76,15 @@ nix-zulip'.overlays.default ]; } + ( + if machine.hostname != "109-199-104-83" + then + {config, ...}: { + imports = [./machines/${machine.hostname}/configuration.nix]; + networking.domain = config.networking.hostName; # temporary fix + } + else {imports = machine.modules;} + ) ]; }; configurationWithHomeManager = machine: (configuration machine diff --git a/machines.nix b/machines.nix index 2e6d191..90a2e61 100644 --- a/machines.nix +++ b/machines.nix @@ -6,10 +6,47 @@ "andromeda" "mtgmonkey" ]; + modules = [ + ]; }; "109-199-104-83" = { - hostname = "109-199-104-83"; system = "x86_64-linux"; users = []; + modules = [ + # hardware configuration + # verbatim as `nixos-generate-config` AND `system.stateVersion` + ./machines/109-199-104-83.nix + + # boot process + # grub boot on /dev/sda + ./modules/nixos/boot/109-199-104-83.nix + + # networking + ./modules/nixos/networking/domains/galaxious.de.nix + ./modules/nixos/networking/networks/109-199-104-83.nix + + # ssh through port 5522 among other things + ./modules/nixos/networking/hard-ssh.nix + ./modules/nixos/networking/ssh-as-root.nix + + # boilerplate settings + ./modules/nixos/common.nix + + # simple-nixos-mailserver email server + # mail.domain + ./modules/nixos/mailserver.nix + + # roundcube webmail client + # webmail.domain + ./modules/nixos/roundcube.nix + + # zulip chat client + # chat.domain + # zulip chat server + # zulip.domain + ./modules/nixos/zulip.nix + { + } + ]; }; } diff --git a/machines/109-199-104-83.nix b/machines/109-199-104-83.nix new file mode 100644 index 0000000..9b61ca4 --- /dev/null +++ b/machines/109-199-104-83.nix 
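Review bot: `machine.hostname` is still read by the new `if machine.hostname != "109-199-104-83"` test, but the machines.nix hunk in this same commit deletes `hostname = "109-199-104-83";` from that entry, so unless the attribute is injected where `machine` is built (outside this hunk) the 109 branch fails with a missing-attribute error before it ever reaches `machine.modules`. Hard-coding one host into the flake is also unnecessary now that lenovo carries an (empty) `modules` list: put `./machines/lenovo/configuration.nix` into lenovo's `modules` and reduce both branches to `{imports = machine.modules;}`. The `networking.domain = config.networking.hostName; # temporary fix` line then belongs in a per-machine module rather than being applied silently to every future host. The enclosing `modules = modules ++ [ … ]` list begins before this hunk.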
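Review bot: The list composes `./modules/nixos/networking/hard-ssh.nix` and `./modules/nixos/networking/ssh-as-root.nix`, which (per their hunks below) define `services.openssh.settings.PermitRootLogin` as `"no"` and `"yes"` at equal priority; NixOS rejects conflicting definitions of that option at evaluation time, so as listed this host cannot build. The comment `# ssh through port 5522 among other things` should say what the second module does, e.g. `# hardened sshd on 5522; root login re-enabled because this host has no other users (users = [])`. The trailing empty `{ }` module at the end of the list is dead and should be dropped.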
@@ -0,0 +1,35 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/159e6a69-b4e2-49c3-a6f0-5fcba0ea6a59";
+    fsType = "ext4";
+  };
+
+  fileSystems."/efi" = {
+    device = "systemd-1";
+    fsType = "autofs";
+  };
+
+  swapDevices = [];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  system.stateVersion = "25.11";
+}
diff --git a/machines/109-199-104-83/configuration.nix b/machines/109-199-104-83/configuration.nix
deleted file mode 100644
index a7371c2..0000000
--- a/machines/109-199-104-83/configuration.nix
+++ /dev/null
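Review bot: `fileSystems."/efi" = { device = "systemd-1"; fsType = "autofs"; }` is what `nixos-generate-config` emits when it captures a systemd automount that happened to be active, not a real block device; the boot module added in this commit installs GRUB to `/dev/sda`, which suggests a BIOS boot with no ESP, so this entry should probably be removed or replaced by the real partition by UUID — verify against `lsblk -f` on the host. The header comment `# to /etc/nixos/configuration.nix instead.` is wrong for a flake-managed repo; replace it with `# Generated by nixos-generate-config: hardware facts only, configuration lives in machines.nix and modules/`. Compared with the deleted configuration.nix the initrd module list moves from `xen_blkfront` to the virtio modules and drops `nvme`, which is fine if the VM was migrated to KVM but worth confirming before the first reboot.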
@@ -1,105 +0,0 @@ -{ - config, - modulesPath, - machine, - ... -}: { - # zulip config - services.zulip = { - enable = true; - host = "chat.${config.networking.domain}"; - camoKeyFile = builtins.toFile "camoKeyFile" "key"; - rabbitmqPasswordFile = builtins.toFile "rabbitmqPasswordFile" "password"; - secretKeyFile = builtins.toFile "secretKeyFile" "secret key"; - sharedSecretKeyFile = builtins.toFile "sharedSecretKeyFile" "shared secret key"; - avatarSaltKeyFile = builtins.toFile "avatarSaltKeyFile" "avatar salt key"; - zulipSettings = { - EXTERNAL_HOST = "EXTERNAL_HOST"; - ZULIP_ADMINISTRATOR = "ZULIP_ADMINISTRATOR"; - }; - }; - - # roundcube config - services.roundcube = { - enable = true; - hostName = "webmail.${config.networking.domain}"; - extraConfig = '' - $config['imap_host'] = "ssl://${config.mailserver.fqdn}"; - $config['smtp_host'] = "ssl://${config.mailserver.fqdn}"; - $config['smtp_user'] = "%u"; - $config['smtp_pass'] = "%p"; - ''; - }; - - # mailserver config - mailserver = { - enable = true; - stateVersion = 3; - fqdn = "mail.${config.networking.domain}"; - domains = ["${config.networking.domain}"]; - x509.useACMEHost = config.mailserver.fqdn; - loginAccounts = { - "test@${config.networking.domain}" = { - hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path; - }; - }; - }; - - # cert config - security.acme = { - acceptTerms = true; - defaults.email = "mtgmonket@gmail.com"; - }; - services.nginx = { - enable = true; - virtualHosts."mail.${config.networking.domain}" = { - forceSSL = true; - enableACME = true; - }; - }; - - # system config - system.stateVersion = "25.11"; - nix.settings.experimental-features = ["flakes" "nix-command"]; - imports = [(modulesPath + "/profiles/qemu-guest.nix")]; - fileSystems."/" = { - device = "/dev/sda1"; - fsType = "ext4"; - }; - boot.loader.grub.device = "/dev/sda"; - boot.loader.timeout = 30; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"]; - 
boot.initrd.kernelModules = ["nvme"]; - boot.tmp.cleanOnBoot = true; - zramSwap.enable = true; - networking = { - useNetworkd = true; - usePredictableInterfaceNames = true; - hostName = machine.hostname; - domain = "galaxious.de"; - firewall = { - enable = true; - allowedTCPPorts = [80 443]; - allowedUDPPorts = [80 443]; - }; - }; - systemd.network = { - enable = true; - networks."40-wan" = { - matchConfig.Name = "enx0050565f4fff"; - address = ["2a02:c207:2299:8419::1/64" "109.199.104.83/20"]; - routes = [ - { - Gateway = "109.199.96.1"; - GatewayOnLink = true; - } - {Gateway = "fe80::1";} - ]; - dns = ["2620:fe::fe" "9.9.9.9"]; - }; - }; - services.openssh.enable = true; - users.mutableUsers = false; - users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda]; - programs.noshell.enable = true; -} diff --git a/machines/lenovo/configuration.nix b/machines/lenovo/configuration.nix index 152d136..05dd082 100644 --- a/machines/lenovo/configuration.nix +++ b/machines/lenovo/configuration.nix @@ -8,6 +8,7 @@ imports = [ ./impermanence.nix (modulesPath + "/installer/scan/not-detected.nix") + ../../modules/nixos/zulip.nix ]; boot.loader = { efi.canTouchEfiVariables = true; diff --git a/modules/nixos/boot/109-199-104-83.nix b/modules/nixos/boot/109-199-104-83.nix new file mode 100644 index 0000000..ec2def1 --- /dev/null +++ b/modules/nixos/boot/109-199-104-83.nix @@ -0,0 +1,3 @@ +{ + boot.loader.grub.device = "/dev/sda"; +} diff --git a/modules/nixos/common.nix b/modules/nixos/common.nix new file mode 100644 index 0000000..3c00de0 --- /dev/null +++ b/modules/nixos/common.nix 
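Review bot: Importing `../../modules/nixos/zulip.nix` on the laptop also pulls in mailserver.nix (zulip.nix now has `imports = [./mailserver.nix];`), which unconditionally enables a public mail server, nginx with ACME and the `test@`/`admin@` mailboxes, and is the reason this commit has to make the mail password hashes decryptable by the lenovo key in secrets.nix. With the flake's `networking.domain = config.networking.hostName` fallback the mail FQDN on lenovo becomes `mail.lenovo`, so ACME issuance for it cannot succeed. If the goal is only to develop the module, gate it: import a small `machines/lenovo/zulip-dev.nix` that sets `mailserver.enable = lib.mkForce false;` and `security.acme.acceptTerms` explicitly, or restore an enable option on zulip.nix. The `imports` list this hunk edits starts and ends outside the hunk.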
@@ -0,0 +1,16 @@
+{config, ...}: {
+  # flakes usage
+  nix.settings.experimental-features = [
+    "flakes"
+    "nix-command"
+  ];
+
+  # allows users to customize shell in `$XDG_CONFIG_HOME/shell` rather than
+  # needing /etc/shells. Useful for home-manager. Falls back.
+  programs.noshell.enable = true;
+
+  # cleans /tmp to maintain a tidy system
+  boot.tmp.cleanOnBoot = true;
+
+  networking.domain = config.networking.hostname;
+}
diff --git a/modules/nixos/mailserver.nix b/modules/nixos/mailserver.nix
new file mode 100644
index 0000000..c71dc03
--- /dev/null
+++ b/modules/nixos/mailserver.nix
@@ -0,0 +1,30 @@
+{config, ...}: {
+  mailserver = {
+    enable = true;
+    stateVersion = 3;
+    fqdn = "mail.${config.networking.domain}";
+    domains = ["${config.networking.domain}"];
+    x509.useACMEHost = config.mailserver.fqdn;
+    loginAccounts = {
+      "test@${config.networking.domain}" = {
+        hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
+      };
+      "admin@${config.networking.domain}" = {
+        hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-admin-pw.path;
+      };
+    };
+  };
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "mail.${config.networking.domain}" = {
+        forceSSL = true;
+        enableACME = true;
+      };
+    };
+  };
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "mtgmonket@gmail.com";
+  };
+}
diff --git a/modules/nixos/networking/domains/galaxious.de.nix b/modules/nixos/networking/domains/galaxious.de.nix
new file mode 100644
index 0000000..eab573e
--- /dev/null
+++ b/modules/nixos/networking/domains/galaxious.de.nix
@@ -0,0 +1,3 @@
+{
+  networking.domain = "galaxious.de";
+}
diff --git a/modules/nixos/networking/hard-ssh.nix b/modules/nixos/networking/hard-ssh.nix
new file mode 100644
index 0000000..849af9b
--- /dev/null
+++ b/modules/nixos/networking/hard-ssh.nix
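Review bot: `networking.domain = config.networking.hostname;` names an option that does not exist — the NixOS option is `networking.hostName` (capital N) — so every host importing common.nix fails evaluation with a missing-attribute error. Even with the spelling fixed, the 109 host also imports galaxious.de.nix, which sets `networking.domain = "galaxious.de";` at the same priority, and NixOS refuses two conflicting definitions. Make this the fallback instead: change the header to `{config, lib, ...}: {` and the line to `networking.domain = lib.mkDefault config.networking.hostName;`, with a comment `# fallback so mail.${domain}-style names evaluate on hosts without a real domain module`.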
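Review bot: `defaults.email = "mtgmonket@gmail.com";` is the ACME account contact and the only channel the CA uses for expiry and revocation notices; the user elsewhere in this repo is `mtgmonkey`, so this looks like a typo — confirm it is a real, monitored mailbox. `x509.useACMEHost = config.mailserver.fqdn;` depends on the nginx vhost below to obtain that certificate, which is not obvious from reading the two blocks; add `# nginx vhost exists only to drive ACME for the cert postfix/dovecot use via x509.useACMEHost` above `services.nginx`. Minor: `domains = ["${config.networking.domain}"];` is simply `domains = [config.networking.domain];`.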
@@ -0,0 +1,19 @@
+{
+  services.openssh = {
+    enable = true;
+    allowSFTP = false;
+    ports = [5522];
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = true;
+    };
+    extraConfig = ''
+      AllowTcpForwarding no
+      AllowAgentForwarding no
+      MaxAuthTries 3
+      MaxSessions 4
+      TCPKeepAlive no
+    '';
+  };
+}
diff --git a/modules/nixos/networking/networks/109-199-104-83.nix b/modules/nixos/networking/networks/109-199-104-83.nix
new file mode 100644
index 0000000..2cacb55
--- /dev/null
+++ b/modules/nixos/networking/networks/109-199-104-83.nix
@@ -0,0 +1,27 @@
+{
+  networking = {
+    useNetworkd = true;
+    usePredictableInterfaceNames = true;
+    hostName = "109-199-104-83";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [80 443];
+      allowedUDPPorts = [80 443];
+    };
+  };
+  systemd.network = {
+    enable = true;
+    networks."40-wan" = {
+      matchConfig.Name = "enx0050565f4fff";
+      address = ["2a02:c207:2299:8419::1/64" "109.199.104.83/20"];
+      routes = [
+        {
+          Gateway = "109.199.96.1";
+          GatewayOnLink = true;
+        }
+        {Gateway = "fe80::1";}
+      ];
+      dns = ["2620:fe::fe" "9.9.9.9"];
+    };
+  };
+}
diff --git a/modules/nixos/networking/ssh-as-root.nix b/modules/nixos/networking/ssh-as-root.nix
new file mode 100644
index 0000000..d882a46
--- /dev/null
+++ b/modules/nixos/networking/ssh-as-root.nix
@@ -0,0 +1,3 @@
+{
+  services.openssh.settings.PermitRootLogin = "yes";
+}
diff --git a/modules/nixos/roundcube.nix b/modules/nixos/roundcube.nix
new file mode 100644
index 0000000..0749af5
--- /dev/null
+++ b/modules/nixos/roundcube.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+  services.roundcube = {
+    enable = true;
+    hostName = "webmail.${config.networking.domain}";
+    extraConfig = ''
+      $config['imap_host'] = "ssl://${config.mailserver.fqdn}";
+      $config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
+      $config['smtp_user'] = "%u";
+      $config['smtp_pass'] = "%p";
+    '';
+  };
+}
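Review bot: `KbdInteractiveAuthentication = true;` undoes most of `PasswordAuthentication = false;` — NixOS runs sshd with PAM, and keyboard-interactive authentication goes through the PAM unix password stack, so a brute-forcer simply selects the keyboard-interactive method instead of the disabled password one. Set `KbdInteractiveAuthentication = false;` and, to make the policy explicit, add `AuthenticationMethods = "publickey";` to `settings`. The `MaxAuthTries`, `AllowTcpForwarding` and `AllowAgentForwarding` lines can also live in `settings` rather than `extraConfig`, so other modules can override them with `lib.mkForce` instead of producing duplicate sshd_config keys.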
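Review bot: `allowedUDPPorts = [80 443];` opens two UDP ports that nothing in this configuration listens on — the nginx vhosts defined in this commit have no HTTP/3/QUIC enabled, and UDP 80 has no use at all — while the mail ports are presumably opened by simple-nixos-mailserver's own firewall option. Drop the line, or reduce it to `allowedUDPPorts = [443]; # QUIC` only once a vhost actually enables `quic`. Port 5522 is absent here because `services.openssh.openFirewall` opens it; a comment `# sshd opens 5522 itself via openFirewall` stops the next reader from adding it twice.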
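Review bot: `services.openssh.settings.PermitRootLogin = "yes";` collides with `PermitRootLogin = "no"` in hard-ssh.nix, which the same host imports at equal priority, so NixOS reports conflicting definitions instead of letting this module win. Since password authentication is already off and the root authorized key is the only credential on a host with `users = []`, the intent is better expressed as `services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";` with `{lib, ...}:` as the module header — `"yes"` would silently become password-capable if PasswordAuthentication were ever re-enabled elsewhere. Document the override with `# overrides hard-ssh.nix: this host has no non-root users, so root is the only SSH principal`.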
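Review bot: `$config['imap_host']` and `$config['smtp_host']` use `ssl://host` with no port, so the port Roundcube connects to depends on its built-in defaults for the `ssl://` scheme; pin them to the implicit-TLS listeners the mail server provides, `ssl://${config.mailserver.fqdn}:993` and `ssl://${config.mailserver.fqdn}:465`, so a future Roundcube default change cannot quietly move the connection to a different port or STARTTLS path. Reusing the IMAP login for SMTP via `%u`/`%p` is fine but deserves `# submission reuses the IMAP credentials over implicit TLS`. This module only evaluates when mailserver.nix is also imported (it reads `config.mailserver.fqdn`); either add `imports = [./mailserver.nix];` as zulip.nix does or state the dependency in a comment.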
diff --git a/modules/nixos/zulip.nix b/modules/nixos/zulip.nix index cc74179..736ffad 100644 --- a/modules/nixos/zulip.nix +++ b/modules/nixos/zulip.nix 
@@ -1,52 +1,23 @@ -{ - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = []; - options.x = { - zulip = { - enable = true; - admin_email = lib.mkOption { - type = lib.types.str; - default = "admin+zulip@${config.networking.domain}"; - }; - integration = { - persistance.enable = lib.mkOption { - type = lib.types.bool; - description = "whether persistance is enabled"; - default = lib.mkDefault false; - }; - mailserver.enable = lib.mkOption { - type = lib.types.bool; - description = "creates simple-nixos-mailserver login automatically for admin user"; - }; - }; +{config, ...}: { + imports = [ + ./mailserver.nix + ]; + services.zulip = { + enable = true; + host = "zulip.${config.networking.domain}"; + camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path; + rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path; + secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path; + sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path; + avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path; + zulipSettings = { + ZULIP_ADMINISTRATOR = "admin+zulip@${config.networking.domain}"; + EXTERNAL_HOST = "chat.${config.networking.domain}"; }; }; - config = let - cfg = config.x.zulip; - in - lib.mkIf cfg.enable { - services.zulip = { - enable = true; - host = "zulip.${config.networking.domain}"; - camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path; - rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path; - secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path; - sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path; - avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path; - zulipSettings = { - ZULIP_ADMINISTRATOR = cfg.admin_email; - EXTERNAL_HOST = "chat.${config.networking.domain}"; - }; - }; - 
services.mailserver.loginAccounts = lib.mkIf cfg.integration.mailserver.enable { - "admin+zulip@${config.networking.domain}" = { - hashedPasswordFile = builtins.toString config.age.secrets.secret3.path; - }; - }; + mailserver.loginAccounts = { + "zulip+admin@${config.networking.domain}" = { + hashedPasswordFile = builtins.toString config.age.secrets."mailserver-acc-zulip+admin-pw".path; }; + }; } diff --git a/pub-keys.nix b/pub-keys.nix index fcaa7d8..c02ac37 100644 --- a/pub-keys.nix +++ b/pub-keys.nix @@ -3,6 +3,8 @@ andromeda-pw.file = ./secrets/andromeda-pw.age; mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age; mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age; + mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age; + "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age"; }; pub-keys = { ssh = { diff --git a/secrets/mailserver-acc-admin-pw.age b/secrets/mailserver-acc-admin-pw.age new file mode 100644 index 0000000..8f2fe15 --- /dev/null +++ b/secrets/mailserver-acc-admin-pw.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 mT2fyg Lt6EG5R9iQWuD/eDXM+vsablwqCn7wUBKFuNO3qcq04 +07jSpN+5/CJFCaBAEVB5TYqLEnGj8Fbt6z3qIVSijqU +-> ssh-ed25519 UHxfvA 8iIyIoZxJUYrvL9DFmleATVYs0TSZvPjSFqxSWYnVFs +XDQQGlQXJqjjAqslyfJerVATPIO4vCxTPRWOcBuF7f8 +-> ssh-ed25519 Xoin5w tE8Tx9cSJH+4eJoEpG8CVf9+C1WrurERvGG0kOLatG4 +YUUPvg6Ev3+7idthbcUeLeRZ+iE8yp+uirJojSt1gVg +--- FamPgM9+DjHiHQBkCmPaHe9aLLXIL3ZPCUtmtEtNOAI +Ց}_rT6Uwz|<_5!~NcǦi*EM?H?QSb\۝zK ?z;RJpҶɴs蔈y \ No newline at end of file 
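Review bot: The address handed to Zulip, `ZULIP_ADMINISTRATOR = "admin+zulip@${config.networking.domain}"`, is not the mailbox this module creates, `"zulip+admin@${config.networking.domain}"`, so administrator mail from Zulip goes wherever the mail server routes `admin+zulip` (with `+` sub-addressing that is the `admin@` box from mailserver.nix) and the new `zulip+admin` account is never addressed; pick one spelling for both lines, and prefer one without `+`, since a literal `+` in an account name is ambiguous under sub-addressing. `host = "zulip.${config.networking.domain}"` (the nginx vhost) also differs from `EXTERNAL_HOST = "chat.${config.networking.domain}"`; Zulip presumably validates the Host header against EXTERNAL_HOST, so the two should match unless chat.* is a separate front-end not shown here. Dropping the `x.zulip.enable`/`lib.mkIf` gate means merely importing this file now enables Zulip and, through `imports = [./mailserver.nix]`, the mail server — see the lenovo import in this commit.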
diff --git a/secrets/mailserver-acc-zulip+admin-pw.age b/secrets/mailserver-acc-zulip+admin-pw.age new file mode 100644 index 0000000000000000000000000000000000000000..318b0ad82f520e1dedddfbe315d0d6f47a797620 GIT binary patch literal 506 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU74KYfqOjoFKO*C{h z_R;o?40AI~47VsT%yab1FbvBw2`<+z)^^M-Ey&NR3ieKRbLBEiE;I~J4J^wpaxAC_ ziO|olG7AYe^h&7=buSGm^GFTN&kQL~uPn|qOGdXX)T1J;%uyk@I62$MP&+Ij#5uzv zIoPElFk3sx(&#kf~<%rGs~P3zj9BrN&}K{L)(hgn|5v~nUP~HVV3o)miztc&j%W$ ZxftbaBo6qo{Y`srb!y4wkZC8M008-uy;A@H literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 53dff54..56de4d5 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,4 +7,6 @@ in { "andromeda-pw.age".publicKeys = [andromeda lenovo]; "mtgmonkey-pw.age".publicKeys = [andromeda lenovo]; "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83]; + "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83]; + "mailserver-acc-zulip+admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83]; }
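Review bot: Both new `.publicKeys` lists grant decryption to `lenovo` as well as `_109-199-104-83`, but these are mail-account password hashes for the server; the laptop only needs them because this commit imports zulip.nix there. Scope them to `[andromeda _109-199-104-83]` unless lenovo is genuinely meant to run the mail server — every extra recipient is another host key whose compromise exposes the hash — and narrow the existing `mailserver-acc-test-pw.age` entry with them. Also visible in this commit: `mailserver-acc-admin-pw.age` was committed as text with a raw binary tail while the zulip one is stored as binary; a `*.age binary` line in `.gitattributes` keeps git from mangling either.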