Diffstat (limited to '')
-rw-r--r-- | system/default.nix | 9 | ||||
-rw-r--r-- | system/file_system_layouts/default.nix (renamed from system/system/fileSystemLayouts.nix) | 0 | ||||
-rw-r--r-- | system/hardware/default.nix (renamed from system/system/hardware.nix) | 0 | ||||
-rw-r--r-- | system/mail/default.nix | 51 | ||||
-rw-r--r-- | system/packages/default.nix (renamed from system/system/packages.nix) | 0 | ||||
-rw-r--r-- | system/services/acme/default.nix | 30 | ||||
-rw-r--r-- | system/services/default.nix | 11 | ||||
-rw-r--r-- | system/services/firewall/default.nix | 11 | ||||
-rw-r--r-- | system/services/minecraft/default.nix (renamed from services/services/minecraft.nix) | 0 | ||||
-rw-r--r-- | system/services/nginx/default.nix (renamed from services/services/nginx.nix) | 0 | ||||
-rw-r--r-- | system/services/nix/default.nix (renamed from services/services/nix.nix) | 0 | ||||
-rw-r--r-- | system/services/opensshd/default.nix (renamed from services/services/opensshd.nix) | 1 | ||||
-rw-r--r-- | system/services/rust-motd/default.nix (renamed from services/services/rust-motd.nix) | 0 | ||||
-rw-r--r-- | system/users/default.nix (renamed from system/system/users.nix) | 7 |
14 files changed, 110 insertions, 10 deletions
diff --git a/system/default.nix b/system/default.nix
index 2af4982..9aa5d9e 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -1,8 +1,9 @@
 {config, ...}: {
 imports = [
- ./system/fileSystemLayouts.nix
- ./system/hardware.nix
- ./system/packages.nix
- ./system/users.nix
+ ./file_system_layouts
+ ./hardware
+ ./packages
+ ./services
+ ./users
 ];
 }
diff --git a/system/system/fileSystemLayouts.nix b/system/file_system_layouts/default.nix
index 9d03a05..9d03a05 100644
--- a/system/system/fileSystemLayouts.nix
+++ b/system/file_system_layouts/default.nix
diff --git a/system/system/hardware.nix b/system/hardware/default.nix
index c4c7dc9..c4c7dc9 100644
--- a/system/system/hardware.nix
+++ b/system/hardware/default.nix
diff --git a/system/mail/default.nix b/system/mail/default.nix
new file mode 100644
index 0000000..7102958
--- /dev/null
+++ b/system/mail/default.nix
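Review bot: The new imports list does not include `./mail`, although this commit adds `system/mail/default.nix`, and that file's body is a bare attribute set (`enable`, `fqdn`, `loginAccounts`, …) rather than a NixOS module setting `mailserver = { … };`, so nothing visible in this diff evaluates it. If it is meant to be wired in here, add `./mail` to this list and wrap its body as `mailserver = { … };`; if it is assigned elsewhere, a one-line comment next to the list saying so would stop the next reader from looking for it. Note that `system/services/firewall/default.nix` in this same commit opens 465/993/995 regardless of whether the mail configuration is active.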
@@ -0,0 +1,51 @@
+# vim: ts=2
+{...}: let
+ all_admins = [
+ "sils@vhack.eu"
+ "soispha@vhack.eu"
+ "nightingale@vhack.eu"
+ ];
+in {
+ enable = true;
+ fqdn = "server1.vhack.eu";
+ domains = ["vhack.eu"];
+
+ useFsLayout = true;
+
+ loginAccounts = {
+ "sils@vhack.eu" = {
+ hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
+ };
+ "soispha@vhack.eu" = {
+ hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+ };
+ "nightingale@vhack.eu" = {
+ hashedPassword = "$2b$05$THIS_PASSWORD_HASH_IS_NOT_REAL,_PLEASE_CHANGE_IT_..._"; # TODO change
+ };
+ };
+
+ extraVirtualAliases = {
+ "abuse@vhack.eu" = all_admins;
+ "postmaster@vhack.eu" = all_admins;
+ "admin@vhack.eu" = all_admins;
+ };
+
+ mailDirectory = "/srv/mail/vmail";
+ dkimKeyDirectory = "/srv/mail/dkim";
+ sieveDirectory = "/srv/mail/sieve";
+ backup.snapshotRoot = "/srv/mail/backup";
+
+ enableImap = false;
+ enableImapSsl = true;
+ enablePop3 = false;
+ enablePop3Ssl = true;
+ # SMTP
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ openFirewall = false; # handled below
+
+ keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
+ certificateScheme = 1;
+ certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
+
+}
diff --git a/system/system/packages.nix b/system/packages/default.nix
index 4d33c6e..4d33c6e 100644
--- a/system/system/packages.nix
+++ b/system/packages/default.nix
diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix
new file mode 100644
index 0000000..a163e77
--- /dev/null
+++ b/system/services/acme/default.nix
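Review bot: The `hashedPassword` values under `loginAccounts` are committed to the repository, and the two real ones carry bcrypt cost `05` (the `$2b$05$` prefix), well below the customary 10–12, so anyone who can read the repo history gets cheap offline guessing against them. Keep the hashes out of git with `hashedPasswordFile = "<path outside the repo>";` (simple-nixos-mailserver offers it next to `hashedPassword`), regenerate them at a higher cost, and rotate the passwords, since the current hashes are already in history. The `nightingale@vhack.eu` entry holds a placeholder string that is not a hash at all; leave that account out until a real hash or file exists rather than shipping it with `# TODO change`. `openFirewall = false; # handled below` refers to nothing in this file — the ports are opened in `system/services/firewall/default.nix`, so the comment should say `# ports opened in system/services/firewall/default.nix`.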
@@ -0,0 +1,30 @@
+{...}: {
+ users.users.nginx.extraGroups = ["acme"];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "acmechallenge.vhack.eu" = {
+ serverAliases = ["*.vhack.eu"];
+ locations."/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@vhack.eu";
+ certs = {
+ "server1.vhack.eu" = {
+ webroot = "/var/lib/acme/.challenges";
+ group = "nginx";
+ extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"];
+ };
+ };
+ };
+}
diff --git a/system/services/default.nix b/system/services/default.nix
new file mode 100644
index 0000000..f36cb29
--- /dev/null
+++ b/system/services/default.nix
@@ -0,0 +1,11 @@
+{config, ...}: {
+ imports = [
+ ./acme
+ ./firewall
+ #./minecraft
+ ./nginx
+ ./nix
+ ./opensshd
+ ./rust-motd
+ ];
+}
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix
new file mode 100644
index 0000000..23dbcc4
--- /dev/null
+++ b/system/services/firewall/default.nix
@@ -0,0 +1,11 @@
+# vim: ts=2
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [
+ # for mail protocols:
+ 465 # SMTP SSL
+ 995 # POP3 SSL
+ 993 # IMAP SSL
+ ];
+ };
+}
diff --git a/services/services/minecraft.nix b/system/services/minecraft/default.nix
index 754c974..754c974 100644
--- a/services/services/minecraft.nix
+++ b/system/services/minecraft/default.nix
diff --git a/services/services/nginx.nix b/system/services/nginx/default.nix
index 204783b..204783b 100644
--- a/services/services/nginx.nix
+++ b/system/services/nginx/default.nix
diff --git a/services/services/nix.nix b/system/services/nix/default.nix
index bd562ec..bd562ec 100644
--- a/services/services/nix.nix
+++ b/system/services/nix/default.nix
diff --git a/services/services/opensshd.nix b/system/services/opensshd/default.nix
index cb9f2ba..75c5aef 100644
--- a/services/services/opensshd.nix
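Review bot: The `server1.vhack.eu` certificate is, judging by `system/mail/default.nix` in this commit, read by the mail daemons, but the cert entry declares no `reloadServices`, so after each renewal postfix and dovecot keep presenting the previous chain until something restarts them; add `reloadServices = ["postfix.service" "dovecot2.service"];` next to `group = "nginx";`. `users.users.nginx.extraGroups = ["acme"];` looks redundant once the cert carries `group = "nginx"`, and it presumably also gives nginx read access to anything else under `/var/lib/acme` owned by group `acme`, so I would drop it unless another certificate relies on it. The `imap.vhack.eu` and `smtp.vhack.eu` SANs need both names to resolve to this host for the webroot challenge; that is an assumption, not something the hunk shows.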
+++ b/system/services/opensshd/default.nix
@@ -8,7 +8,6 @@
 passwordAuthentication = false;
 hostKeys = [
 {
- comment = "key comment";
 path = "/srv/sshd/ssh_host_ed25519_key";
 rounds = 1000;
 type = "ed25519";
diff --git a/services/services/rust-motd.nix b/system/services/rust-motd/default.nix
index 21bc1cd..21bc1cd 100644
--- a/services/services/rust-motd.nix
+++ b/system/services/rust-motd/default.nix
diff --git a/system/system/users.nix b/system/users/default.nix
index 34e1648..3555221 100644
--- a/system/system/users.nix
+++ b/system/users/default.nix
@@ -5,11 +5,8 @@
 users.users = {
 root = {
 #uid = 0;
- #initialHashedPassword = null; # to lock root
- # Backup, if something happens. TODO remove this later
+ initialHashedPassword = null; # to lock root
 openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
 ];
 };
 
@@ -17,7 +14,7 @@
 name = "sils";
 isNormalUser = true;
 home = "/srv/home/sils";
- initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; # TODO CHANGE
+ initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC";
 uid = 1000;
 extraGroups = [
 "wheel" |
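Review bot: `initialHashedPassword = null; # to lock root` in the first users hunk does not do what the comment claims: `null` is the option's default and only matters when the account is first created, so root ends up locked only if `users.mutableUsers` is false (not visible here) and no root password was ever set on the host; `hashedPassword = "!";` locks it explicitly and is what the comment should sit on. Since the same hunk removes both root authorized keys and the sshd hunk above shows `passwordAuthentication = false`, confirm that `sils` has its own `openssh.authorizedKeys.keys` (outside this hunk) before deploying, or the box is reachable only from the console. The second hunk drops the `# TODO CHANGE` marker but keeps the yescrypt hash in the repository; a hash that has been in git history is better moved to `hashedPasswordFile` (`passwordFile` on older releases) and the password rotated.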