255 lines
6 KiB
Nix
255 lines
6 KiB
Nix
{ pkgs, config, ... }:
|
|
let
|
|
myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";
|
|
stalwartCaddyCertsDir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru";
|
|
stalwartCertsDir = "/var/lib/stalwart-mail/certs";
|
|
in
|
|
{
|
|
age.secrets = {
|
|
stalwart-admin-password = {
|
|
file = ../../secrets/stalwart-admin-password.age;
|
|
owner = "stalwart-mail";
|
|
};
|
|
restic-environment = {
|
|
file = ../../secrets/restic-environment.age;
|
|
owner = "root";
|
|
};
|
|
restic-password = {
|
|
file = ../../secrets/restic-password.age;
|
|
owner = "root";
|
|
};
|
|
};
|
|
|
|
users.users = {
|
|
flygrounder = {
|
|
openssh.authorizedKeys.keys = [
|
|
myKey
|
|
];
|
|
};
|
|
root = {
|
|
openssh.authorizedKeys.keys = [
|
|
myKey
|
|
];
|
|
};
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [ restic iperf ];
|
|
|
|
home-manager.users.flygrounder.custom = {
|
|
catppuccin.enable = true;
|
|
cli.enable = true;
|
|
neovim.enable = true;
|
|
};
|
|
|
|
services = {
|
|
caddy = {
|
|
enable = true;
|
|
virtualHosts = {
|
|
"flygrounder.ru" = {
|
|
extraConfig = ''
|
|
reverse_proxy localhost:1234
|
|
'';
|
|
};
|
|
"mtg-bot.flygrounder.ru" = {
|
|
extraConfig = ''
|
|
reverse_proxy localhost:3000
|
|
'';
|
|
};
|
|
"syncthing.flygrounder.ru" = {
|
|
extraConfig = ''
|
|
reverse_proxy localhost:8384 {
|
|
header_up Host localhost
|
|
}
|
|
'';
|
|
};
|
|
"vaultwarden.flygrounder.ru" = {
|
|
extraConfig = ''
|
|
encode zstd gzip
|
|
|
|
reverse_proxy localhost:8222 {
|
|
header_up X-Real-IP {remote_host}
|
|
}
|
|
'';
|
|
};
|
|
"mail.flygrounder.ru" = {
|
|
extraConfig = ''
|
|
reverse_proxy localhost:8080
|
|
'';
|
|
};
|
|
"git.flygrounder.ru" = {
|
|
extraConfig = ''
|
|
reverse_proxy localhost:7237
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
forgejo = {
|
|
enable = true;
|
|
settings = {
|
|
service.DISABLE_REGISTRATION = true;
|
|
server = {
|
|
ROOT_URL = "https://git.flygrounder.ru/";
|
|
HTTP_PORT = 7237;
|
|
};
|
|
};
|
|
};
|
|
stalwart = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
settings = {
|
|
server = {
|
|
hostname = "mail.flygrounder.ru";
|
|
tls = {
|
|
enable = true;
|
|
implicit = true;
|
|
};
|
|
listener = {
|
|
smtp = {
|
|
protocol = "smtp";
|
|
bind = "0.0.0.0:25";
|
|
};
|
|
submissions = {
|
|
bind = "0.0.0.0:465";
|
|
protocol = "smtp";
|
|
tls.implicit = true;
|
|
};
|
|
imaps = {
|
|
bind = "0.0.0.0:993";
|
|
protocol = "imap";
|
|
tls.implicit = true;
|
|
};
|
|
jmap = {
|
|
bind = "127.0.0.1:8080";
|
|
protocol = "http";
|
|
};
|
|
};
|
|
};
|
|
certificate."default" = {
|
|
cert = "%{file:/var/lib/stalwart-mail/certs/mail.flygrounder.ru.crt}%";
|
|
private-key = "%{file:/var/lib/stalwart-mail/certs/mail.flygrounder.ru.key}%";
|
|
};
|
|
|
|
authentication.fallback-admin = {
|
|
user = "admin";
|
|
secret = "%{file:/run/agenix/stalwart-admin-password}%";
|
|
};
|
|
tracer."log" = {
|
|
type = "log";
|
|
path = "/var/log/stalwart-mail";
|
|
};
|
|
};
|
|
};
|
|
openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
vaultwarden = {
|
|
enable = true;
|
|
config = {
|
|
DOMAIN = "https://vaultwarden.flygrounder.ru";
|
|
SIGNUPS_ALLOWED = false;
|
|
|
|
ROCKET_ADDRESS = "127.0.0.1";
|
|
ROCKET_PORT = 8222;
|
|
ROCKET_LOG = "critical";
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd = {
|
|
paths.stalwart-certs = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
pathConfig = {
|
|
PathModified = "${stalwartCaddyCertsDir}/mail.flygrounder.ru.crt";
|
|
};
|
|
};
|
|
services.stalwart-certs = {
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
};
|
|
script = ''
|
|
mkdir -p ${stalwartCertsDir}
|
|
cp -L ${stalwartCaddyCertsDir}/*.{key,crt} ${stalwartCertsDir}/
|
|
chown stalwart-mail:stalwart-mail ${stalwartCertsDir}/*
|
|
chmod 600 ${stalwartCertsDir}/*
|
|
systemctl restart stalwart
|
|
'';
|
|
};
|
|
};
|
|
|
|
imports = [
|
|
./hardware-configuration.nix
|
|
./disko-config.nix
|
|
];
|
|
|
|
nix.settings.trusted-users = [ "flygrounder" ];
|
|
|
|
networking = {
|
|
firewall = {
|
|
allowedTCPPorts = [
|
|
80
|
|
443
|
|
25
|
|
465
|
|
993
|
|
5201
|
|
];
|
|
allowedUDPPorts = [
|
|
5201
|
|
];
|
|
};
|
|
nameservers = [
|
|
"1.1.1.1"
|
|
"8.8.8.8"
|
|
];
|
|
interfaces.ens3.ipv4.addresses = [
|
|
{
|
|
address = "62.109.27.62";
|
|
prefixLength = 32;
|
|
}
|
|
];
|
|
defaultGateway = {
|
|
address = "10.0.0.1";
|
|
interface = "ens3";
|
|
};
|
|
};
|
|
|
|
services.restic.backups =
|
|
let
|
|
mkBackup =
|
|
{ service, path }:
|
|
{
|
|
paths = [
|
|
path
|
|
];
|
|
repository = "s3:https://s3.firstvds.ru/flygrounder-backups/${service}";
|
|
initialize = true;
|
|
timerConfig = {
|
|
OnCalendar = "03:00";
|
|
Persistent = true;
|
|
RandomizedDelaySec = "10m";
|
|
};
|
|
environmentFile = "/run/agenix/restic-environment";
|
|
passwordFile = "/run/agenix/restic-password";
|
|
backupPrepareCommand = "systemctl stop ${service}";
|
|
backupCleanupCommand = "systemctl start ${service}";
|
|
pruneOpts = [
|
|
"--keep-daily 14"
|
|
"--keep-weekly 4"
|
|
"--keep-monthly 2"
|
|
];
|
|
};
|
|
in
|
|
{
|
|
stalwart = mkBackup {
|
|
service = "stalwart";
|
|
path = config.services.stalwart.dataDir;
|
|
};
|
|
vaultwarden = mkBackup {
|
|
service = "vaultwarden";
|
|
path = "/var/lib/vaultwarden";
|
|
};
|
|
};
|
|
}
|