persist zulip

deploy.sh

@@ -0,0 +1,5 @@
+# usage:
+# $ ./deploy.sh <hostname> <ip>
+# example usage:
+# $ ./deply.sh 109-199-104-83 109.199.104.83
+nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config ./hardware-configuration.nix --flake .?ref=411ee0c#$1 --target-host root@$2

hardware-configuration.nix

@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

machines.nix

@@ -19,6 +19,9 @@
       # networking
       ./modules/nixos/laptop.nix
 
+      # vpn
+      ./modules/nixos/openvpn-client.nix
+
       # ly display manager
       ./modules/nixos/ly.nix
 
@@ -58,8 +61,6 @@
       ./modules/nixos/networking/ssh-as-root.nix
       ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})
 
-      # TODO add Impermanence to the following services
-
       # simple-nixos-mailserver email server
       # mail.domain
       ./modules/nixos/mailserver.nix
@@ -68,16 +69,15 @@
       # webmail.domain
       ./modules/nixos/roundcube.nix
 
+      # BROKEN
       # forgejo
       # git.domain
-      ./modules/nixos/forgejo.nix
+      # ./modules/nixos/forgejo.nix
 
       # BROKEN
       # zulip chat client
       # chat.domain
-      # zulip chat server
+      ./modules/nixos/zulip.nix
-      # zulip.domain
-      # ./modules/nixos/zulip.nix
     ];
   };
 }

modules/nixos/mailserver.nix

@@ -2,10 +2,14 @@
   mailserver = {
     enable = true;
     stateVersion = 3;
+
+    # domain bs
     fqdn = "mail.${config.networking.domain}";
     domains = ["${config.networking.domain}"];
     x509.useACMEHost = config.mailserver.fqdn;
+
     loginAccounts = {
+      # test acc
       "test@${config.networking.domain}" = {
         hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
       };
@@ -15,6 +19,17 @@
       };
     };
   };
+
+  # put dkim key into /etc for declarability
+  mailserver.dkimKeyDirectory = "/etc/dkim";
+  environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key" = {
+    source = config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
+    mode = "600";
+    user = config.services.rspamd.user;
+    group = config.services.rspamd.group;
+  };
+
+  # does acme for me
   services.nginx = {
     enable = true;
     virtualHosts = {
@@ -28,9 +43,12 @@
     acceptTerms = true;
     defaults.email = "mtgmonket@gmail.com";
   };
+
+  # persist directories per the backup guidelines
   environment.persistence."/persist" = {
     directories = [
-      "/var/dkim"
+      # not needed bc the dkim dir is declared
+      # "/var/dkim"
       "/var/vmail"
       "/var/lib/redis-rspamd"
       "/var/lib/acme"

modules/nixos/openvpn-client.nix

@@ -0,0 +1,8 @@
+{lib, ...}: {
+  services.openvpn.servers = {
+    "173.249.5.230" = {config = ''config /etc/openvpn-confs/173.249.5.230.ovpn'';};
+  };
+  networking.enableIPv6 = lib.mkForce false;
+  environment.persistence."/persist".directories = ["/etc/openvpn-confs"];
+  boot.kernelParams = ["ipv6.disable=1"];
+}

modules/nixos/zulip.nix

@@ -8,25 +8,47 @@
     # host domain
     host = "chat.${config.networking.domain}";
 
-    # secrets
+    # secrets; head rolled on keyboard for all :)
     camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path;
     rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path;
     secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path;
     sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path;
     avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path;
-    extraSecrets = {
+
-      email_password = builtins.toString config.age.secrets.zulip-extraSecrets-email_password.path;
+    # TODO check for parity with `mailserver-acc-admin-pw.age`
-    };
+    extraSecrets.email_password = builtins.toString config.age.secrets.zulip-extraSecrets-email_password.path;
 
     # settings
     zulipSettings = rec {
-      EMAIL_USE_TLS = true;
+      # email users
-      EMAIL_PORT = 587;
+      ZULIP_ADMINISTRATOR = "admin@${config.networking.domain}";
+      EMAIL_HOST_USER = ZULIP_ADMINISTRATOR;
+
+      # configure mailserver port
+      EMAIL_HOST = config.mailserver.fqdn;
+      EMAIL_USE_SSL = true;
+      EMAIL_PORT = 465;
+
+      # setting to allow realm creation; probably unsafe, might delete later :3
+      OPEN_REALM_CREATION = true;
+
+      # send all noreply emails from `admin@galaxious.de`
+      # TODO configure admin to send from any address
       ADD_TOKENS_TO_NOREPLY_ADDRESS = false;
       NOREPLY_EMAIL_ADDRESS = ZULIP_ADMINISTRATOR;
-      OPEN_REALM_CREATION = true;
+
+      # domain name
       EXTERNAL_HOST = config.services.zulip.host;
-      ZULIP_ADMINISTRATOR = "admin@${config.networking.domain}";
     };
   };
+  # persist
+  environment.persistence."/persist".directories = [
+    # messages
+    "/var/lib/rabbitmq"
+    # uploads
+    "/var/lib/zulip"
+
+    # contrived, but in the store a couple layers down
+    # "/var/lib/redis-zulip"
+  ];
 }

pub-keys.nix

@@ -1,10 +1,11 @@
 {
   age.secrets = {
     andromeda-pw.file = ./secrets/andromeda-pw.age;
+    "dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
     mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
     mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
     mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age;
-    "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age";
+    "mailserver-acc-zulip+admin-pw".file = "${./secrets}/mailserver-acc-zulip+admin-pw.age";
     zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age;
     zulip-camoKey.file = ./secrets/zulip-camoKey.age;
     zulip-extraSecrets-email_password.file = ./secrets/zulip-extraSecrets-email_password.age;
@@ -16,7 +17,7 @@
     ssh = {
       andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
       lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFD4kO9MhIHUiwYvX3VoFmDDTfWGesimrxUwFTmxTZ0D root@109-199-104-83";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBH5TA6Br8K4xTjD5YcXQDh4UQSvuE0lEs1UxUytDiAn root@109-199-104-83";
     };
   };
 }

secrets/mailserver-acc-test-pw.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg xKR9bPGrd4bpdJEiP2n51SrEsG7ylsS5/ewD9WBr2WM
+-> ssh-ed25519 mT2fyg at6Q9eK1o8Mk0+fJh+mnIVrvV1tASV+PGuV8MXuwR2c
-WMyKGvjzZlNRsujnuFU1oklcd+IZD4gv1C7/5reMnLY
+cm3wvsLAemeeTFok7yBocNlfwewKruPnymG+wsT5g+Y
--> ssh-ed25519 UHxfvA IWgm1Vn8nQEan2i9shbX8tSez/uIXTHDEO5eGXhLrSo
+-> ssh-ed25519 UHxfvA aaQqfrUfUnLzwUVT6nCRPIAVlIhIWAJcPyeg3J6BQUI
-e5uHHcdHru0zfhByA15AvOjhgoMqte/oaI1zkoUjjgg
+4sh8ZV14csafSs8yAtFZIccSkiz6YnseV3DJcuhw7dQ
--> ssh-ed25519 ZES6hg sy+1upJggjItuGBgOZmXQwmF7joSAw8JSzH90UYIIng
+-> ssh-ed25519 yXDKAA KmwRbJURujQhlqOIVxzlVjyvaYRfyuJAVGWMZdkFaAE
-GS9GAZMT3hc+IfbUUquFaTM7Q57LSzxEUS95CjqB1Yg
+mX083o2XdnnYgqLs5NeppwMbFHDHTucMiHHZuYdzLvo
---- 4pW1Y7aE72Adf8Ru9YSB35gaTA0eoamnpyFlRLkBS3M
+--- Ay/SP2CXGOhSzO4KoiXFQhJMMdHaecxXOtNkGBK/RO0
-4V8 b<>Z<EFBFBD>@<0C><><EFBFBD>D6<44>eE;<3B><>P<EFBFBD>a)<29>	C<>P<>Љ<EFBFBD><EFBFBD><EFBFBD>?<EFBFBD>BUQ<EFBFBD>V#u<><75><0E>hgd<67><64><EFBFBD><EFBFBD>~Nm<4E><6D>&J<><4A><EFBFBD><EFBFBD><12><>^SH<>{<7B>M<EFBFBD>RF<52><46>Tx<54><78>g<EFBFBD>ή<EFBFBD>y,<2C>ͣ<EFBFBD>O
+ Z<11>?<14><EFBFBD><EFBFBD><EFBFBD><EFBFBD>B<EFBFBD><1E>F<EFBFBD>9_N`<60><>8<EFBFBD><38><EFBFBD>&<26><><1D>@<40><>)q<>7<EFBFBD>a<EFBFBD>O

secrets/mailserver-acc-zulip+admin-pw.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg FckDPvAO+2LoXSeSdk98iOtLYddEJMdCuzUWHOuRn3Y
+-> ssh-ed25519 mT2fyg sRu0FIphSJVMBcC02mo1YuZdy3i2+/jMeN3ROvxp4kM
-gDxYp3LbyHuRIJRRr8Ax1nEbZvyzOFRYD22JuAZm91k
+sEwx23t3IAauISKesq+110ZKRKxQv3Zesd0AJufYOLs
--> ssh-ed25519 UHxfvA Cbu32dAgNSi6rHk9sfmPkSB1TGDZipxlXO+G5mz9SQA
+-> ssh-ed25519 UHxfvA +YaJGPRT7nX2CqVzw1ixNLpW7MfzEnj44pSwj4iUwhI
-oU67uMNnAnrmFaC+IRuFykN05R3zfd1gvwKgt+BjA20
+E2U6Q+4uesNCWK7uVSztrA84TU/n/xLFm3PJH0hO/EM
--> ssh-ed25519 ZES6hg zovj1v3RgqL7ZzWvi9E4NN5ugdyNLXweC4z/F6544lI
+-> ssh-ed25519 yXDKAA V2kygl0BK/oYpKnnheslBO2YqXFdQWFgtqfmDNdgolc
-MnV7cWUcPxvckPbbwi+DsFokWPCuw83pWu1Zz4pHftQ
+NpJNN4nfrbgOav8Y38C9DwKFZH+QTRp/US/8kyo9m0o
---- zSHop8M98qVi6eCboZWh6j7zZCRNVQyJK3y+751Nd90
+--- LdqtfywtHOAy3AZ7AexZU0TJMU/ugq+ZYN07706rNxY
-<EFBFBD><02>K<EFBFBD>t<EFBFBD>w<EFBFBD>1<EFBFBD>
<01><><EFBFBD><EFBFBD>3<0B><19><>l<EFBFBD><6C><EFBFBD>1S̾<53>>P<16><>2<EFBFBD><32>#<23><><EFBFBD><0B>EpK<08><>E<EFBFBD>{Y<><59>J<EFBFBD><06>^<5E><>z<EFBFBD><1F><>V)@<0F>V^<5E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><12><><EFBFBD><EFBFBD><EFBFBD>-(P<>O<EFBFBD>H<EFBFBD>$h<>
+<EFBFBD>
+U$<24>Ap<>nG<6E>Neɕ<65>u<EFBFBD>y`!<21>ʤ<EFBFBD><CAA4><EFBFBD>f;ipv<70>Y<EFBFBD><59>V_3<5F><33>N+<06><><EFBFBD>k#<23>{<7B><><EFBFBD><EFBFBD><EFBFBD>W<EFBFBD>*<2A>n(<28><0F><03><><14><>ջG6<47><36>݈yc`<60><>q<EFBFBD>:$K]?͗b=<3D>'<27>^<5E>9

secrets/secrets.nix

@@ -8,6 +8,9 @@ in {
   "andromeda-pw.age".publicKeys = [andromeda lenovo];
   "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
 
+  # dkim private keys
+  "dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83];
+
   # mail account passwords
   "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
   "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];

secrets/zulip-camoKey.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg WRvospjFKe1OruLGih6656ci9xufMEH4Rx0kva8/gQg
+-> ssh-ed25519 mT2fyg 5ADzKAtycqfFpqW/dp71FTaK2gchzdWFNqxPyZ6deSY
-e1b4rePZCaUG2Za47DYVVGvXAAR+llIlllZiiHzgBsU
++aISA4YwF1l9S0fmE84wOvAJpM221bwPDYvXELTVv9k
--> ssh-ed25519 UHxfvA 5P33StVyzPB+CTYHY5hHUfPN0sBzgIeFeWrc/VWBekg
+-> ssh-ed25519 UHxfvA uKYcpPbaXA4r1OmlkuiIu/EqQ3IiHR7JpItnVgTaW2g
-nqcbiVZFgC+3dcpbC7OHT7XFDdZymWx9d3uLUrvVvi4
+LjySgI4mTlaZY81IJc6DmBh43l2qeGlQnZi+rOlbtb8
--> ssh-ed25519 ZES6hg wOuYIeGPeRa1uEcdsUfNEs2XepAPfKIHhPJNUx6ZPg0
+-> ssh-ed25519 yXDKAA TMwoM06ZJsjkZ7eLguxqYB05jcRn+tTgVzE7WQIf0mw
-gVwyYcpH/LwXmhPHGLUXcre/FR2MTqAue1Azf5jESUc
+vKwCkWsywGsgVv6Y278Mi28MhCYBRRUnfg4+EouOw+0
---- 3CMHIF8A8YAKdSfyYOsGqk/BcotL9o8WzM7ZHlqcQuM
+--- CScrim9wya9AhElXBtKBR3XBZDL83/g3MTfdF258GJ8
-<EFBFBD>DF
l<><11><><EFBFBD>iY<69><59><EFBFBD><EFBFBD><EFBFBD><<10>S<EFBFBD><53>L<EFBFBD><4C><05><>jj<6A><6A>PЦ<10>Z<EFBFBD><5A><EFBFBD>t<EFBFBD><74><EFBFBD>xp<78>5<EFBFBD>
<P<><50><EFBFBD><EFBFBD><EFBFBD>g<EFBFBD><67>!<21><12><>GƂǻ
+K#<23>>8}c<><EFBFBD><7F>}8<><38>L<04>(<28><>c<EFBFBD><63>
+<EFBFBD>w1<EFBFBD>"O<><4F>

secrets/zulip-extraSecrets-email_password.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg CQp4TiQ6BcTSooH+LitGEl1sM/fVioJYwldMOf8zmmM
+-> ssh-ed25519 mT2fyg IOcD4r19Gx2AvjusnnJDHQXr/U4Ti6qKr01I9lNQDQE
-54sVzmMwQcl88oldP6GO3Ow0EjTAVYbKT5OpPN7FvE0
+fCwouMQPvhkyzehszuv0YhSfNh9zGKaFNDKaTZT0rD0
--> ssh-ed25519 UHxfvA mReulyDzGyiUDawgAphxmsalWlEMXEsn0Se6bFPKKko
+-> ssh-ed25519 UHxfvA e95raPehUz6T2FR/eT8kzfrxt/Ou6kKsqi7z/3BkfwU
-eWbx/QCT1P61UK5rKafpVCNf0zTKDQG+laK+FRbn+gY
+uHymqnY3t7IwpxWkN8xen3Vsy6R7VMoj+fR0zPnPinY
--> ssh-ed25519 ZES6hg 2Aca/70YNAiqM9Rxhq9kYap90zYfwiXDNL+FIupbyjs
+-> ssh-ed25519 yXDKAA nlR1prGysW+k8gq2npEiboFqoo9jKQ5ISxRiiCFlb0s
-26GBrhF7aIMWnW5ndm64QLOXBbu04usQnQJ0GQKbgxc
+kaGOvlQgO0nOAl12mMKvafa9ezmy8XdUC2tVPuBG4iw
---- vKsAZM3qvpU0NSm98JcnGHBYIRIiP7bXBRliRnUdB8g
+--- MRFAGURoyediqNSjGxr57a0w6n9lH2zVjfyrUZcyAYw
-<EFBFBD>
+
+z<EFBFBD>0

users/andromeda/home.nix

@@ -91,6 +91,91 @@ in {
       };
     };
     fastfetch.enable = true;
+    firefox = {
+      enable = true;
+      package = pkgs.firefox.override {
+        cfg.enableTridactylNative = true;
+      };
+      profiles.${config.home.username} = {
+        extensions.packages = [
+          pkgs.nur.repos.rycee.firefox-addons.tridactyl
+        ];
+        search = {
+          default = "repos";
+          privateDefault = "ddghtml";
+          order = [
+            "wiki"
+            "options"
+            "packages"
+            "repos"
+          ];
+          engines = {
+            "packages" = {
+              urls = [
+                {
+                  template = "https://search.nixos.org/packages";
+                  params = [
+                    {
+                      name = "channel";
+                      value = "unstable";
+                    }
+                    {
+                      name = "query";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "options" = {
+              urls = [
+                {
+                  template = "https://search.nixos.org/options";
+                  params = [
+                    {
+                      name = "channel";
+                      value = "unstable";
+                    }
+                    {
+                      name = "query";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "wiki" = {
+              urls = [
+                {
+                  template = "https://wiki.nixos.org/w/index.php";
+                  params = [
+                    {
+                      name = "search";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "repos" = {
+              template = "https://html.duckduckgo.com/html/";
+              params = [
+                {
+                  name = "q";
+                  value = "{searchTerms}+(site:*.gitlab.org OR site:github.com OR site:git.mtgmonkey.net OR site:sr.ht)";
+                }
+              ];
+            };
+          };
+        };
+        settings = {
+          "extensions.autoDisableScopes" = 0;
+        };
+      };
+    };
     git = {
       enable = true;
       settings = {
@@ -103,15 +188,6 @@ in {
     };
     gh.enable = true;
     home-manager.enable = true;
-    firefox = {
-      enable = true;
-      package = pkgs.firefox.override {
-        cfg.enableTridactylNative = true;
-      };
-      profiles.${config.home.username}.extensions.packages = [
-        pkgs.nur.repos.rycee.firefox-addons.tridactyl
-      ];
-    };
     lsd.enable = true;
     nvf = {
       enable = true;