Commit message [Author, Age]
* Docs(License): Add [Soispha, 2023-04-18]
|   See https://spdx.dev/resources/learn/ for information about 'LICENSE.spdx'. I'm not fully sure if the spdx spec is correctly applied. The decision to go for the GPL-3.0-or-later is obviously open to be changed, if it should be desired.
* Build: Add update script [Soispha, 2023-04-18]
|   This allows to group different update commands together and to raise awareness of the update task. The `grep '[^0-9]_[0-9]' flake.lock` is needed to check if multiple imports exist for the same input, as nix will name them 'nixpkgs_1', 'nixpkgs_2' and so on. Having multiple inputs for the same thing just increases the needed storage space, if no other inputs are set to follow, but can break a flake's evaluation because of a partial update, e.g., nixpkgs follows our version, but we leave rust-overlay unfollowed. This example would result in a newer cargo version (rust-overlay) getting combined with old packages (nixpkgs), which introduces the aforementioned partial update.
* Build(flake): Enable direnv integration [Soispha, 2023-04-18]
|   [Direnv](https://github.com/direnv/direnv) in combination with [Nix integration](https://github.com/direnv/direnv/wiki/Nix) — in this case [Nix-direnv](https://github.com/nix-community/nix-direnv) — allows for reliable build environments (and some uncluttering of the PATH). Setting it up is rather easy, just see [Nix-direnv's install instructions](https://github.com/nix-community/nix-direnv#installation).
* Chore(flake): Update and add follows for inputs [Soispha, 2023-04-18]
|
* Chore(flake): Update [sils, 2023-04-08]
|   Shouldn't cause any trouble and is necessary to keep things secure.
* Fix(system/mail): Allow opening ports in the firewall [ene, 2023-04-07]
|   As the previous configuration only opened some ports, receiving mail was impossible. This allows NSM to open the required ports directly, ensuring that none was missed. SECURITY: As all other options than SSL are still disabled, this change should not introduce unencrypted mail transfer. This has not been tested.
* Fix(system/services/rust-motd): Quote ssl-cert names [ene, 2023-03-25]
|
* Feat(system/services/rust-motd): Info about filesystems [ene, 2023-03-25]
|
* Feat(system/services/rust-motd): Show status of ssl-certs [ene, 2023-03-25]
|
* Fix(system/services/rust-motd): Add fail2ban binary [ene, 2023-03-25]
|
* Merge pull request 'server1_fail2ban' (#24) from server1_fail2ban into server1_develop [ene, 2023-03-25]
|\
| |   Reviewed-on: https://git.sils.li/vhack.eu/nixos-server/pulls/24
| * Feat(system/services/fail2ban): Add dovecot jail [ene, 2023-03-25]
| |   This should reduce the log spam even further.
| * Fix(system/services/fail2ban): Make db persistent [ene, 2023-03-25]
| |
* | Merge pull request 'Feat(system/services/fail2ban): Add fail2ban' (#23) from server1_fail2ban into server1_develop [ene, 2023-03-25]
|\|
| |   CC: #23
| * Feat(system/services/fail2ban): Add fail2ban [ene, 2023-03-25]
|/
|   This should clear the logs somewhat.
* Fix(acme): Store certs permanently. [sils, 2023-03-20]
|   Before, new certs were requested at every rebuild. This caused issues due to letsencrypt ratelimiting.
* Revert "Fix(system/mail): Change placeholder" [sils, 2023-03-20]
|   This reverts commit ecb274ba49042f1dfdf63b9c54ff6920f24a9a58. It may be a security-risk, but I care much more about a running mailserver for now.
* Fix(system/mail): Change placeholder [ene, 2023-03-20]
|   The old one could have exposed a weak hash.
* Merge branch 'server1_hardware' into server1_develop [ene, 2023-03-20]
|\
| * Revert "Fix(hosts/server1/networking): Remove ipv6 route" [ene, 2023-03-19]
| |   The commit didn't work and effectively disabled ipv6
| * Fix(hosts/server1/networking): Remove ipv6 route [ene, 2023-03-19]
| |   This is somewhat misconfigured, as it makes the config not compilable. I assume that this route setting is needed, but believe that having a compiling config is better.
| * Refactor(system/hardware): Move hardware to host [ene, 2023-03-19]
| |   The hardware settings are (somewhat) host specific, and putting them in `system` just builds the wrong expectations.
| * Fix(system/hardware): Use actually needed modules and UUID [ene, 2023-03-19]
| |   The old values did work, but these should just make things a bit clearer.
* | Merge branch 'server1_mail' into server1_develop [ene, 2023-03-20]
|\|
| * Fix(system/services/minecraft): Remove to make compile [ene, 2023-03-19]
| |
| * Fix(system/mail): Only accept connections on safe ports [ene, 2023-03-19]
| |   It is sort of standard to ignore connections over the unencrypted port 25, thus we are doing the same.
| * Feat(system/mail): Add other users, so the admin thing works [ene, 2023-03-18]
| |
| * Style(system/mail): Reorder options [ene, 2023-03-18]
| |   I just think this is easier to read.
| * Feat(system/mail): Use '/' to separate mailboxes [ene, 2023-03-18]
| |   This is something that just makes the file system easier to traverse, but isn't really necessary.
| * Fix(system/mail): Declare the password directly [ene, 2023-03-18]
| |   As outlined in commit 19f0808, placing a password hash in the world readable nix-store is perfectly safe as long as the hashing function is not reversible, which should be a necessity for a password hash.
| * Fix(system/users): Remove unneeded root ssh login keys [ene, 2023-03-18]
| |   All users are in the wheel group, thus direct login as root is no longer needed.
| * Fix(system/mail): Make extraVirtualAliases fairer [ene, 2023-03-18]
| |
| * Fix(system/mail): Disable protocols with STARTTLS [ene, 2023-03-18]
| |   This is inherently unsafe because it requires an unencrypted handshake. Considering that all protocols also work directly with TLS i.e., the encrypted variant, disabling this shouldn't be a drawback.
| * Chore(flake): Update [ene, 2023-03-18]
| |
| * Refactor: Use better file layout [ene, 2023-03-18]
| |
| * Fix: Try to fix ipv6 [sils, 2023-03-07]
| |
| * Feat: Added admin@vhack.eu mail [sils, 2023-03-07]
| |
| * Fix: Add imap and smtp subdomains to cert [sils, 2023-03-07]
| |
| * Feat: Add mailserver [sils, 2023-03-07]
| |
* | Merge branch 'server1_network' into server1_develop [ene, 2023-03-20]
|\ \
| * | Fix(hosts/server1/networking): Correct ipv6 [ene, 2023-03-19]
| | |   The used ips were straight up wrong.
| * | Fix(hosts/server1/networking): Fix Gateways [ene, 2023-03-19]
| | |   Assigning a specific interface for a gateway should make it easier for nixos to configure it.
* | | Revert "Revert "Merge pull request 'Feat: Add Website' (#17) from server1_nginx into server1"" [ene, 2023-03-20]
|/ /
| |   This reverts commit b0599a3d23878da7335e6ae754ebffbd9ac7cbc3. This may seem ridiculous, and it is, but some things are just necessary.
* | Fix(services): Remove Minecraft [ene, 2023-03-19]
| |   This doesn't compile.
* | Revert "Merge pull request 'Feat: Add Website' (#17) from server1_nginx into server1" [ene, 2023-03-19]
| |   This reverts commit 563521c360073d5c28d2553ec4e1792eb2b14258, reversing changes made to c50431b189e982a631d2d4864b304f33169bacdb. This is necessary, because it makes a stable base unavailable.
* | Merge pull request 'Feat: Add Website' (#17) from server1_nginx into server1 [sils, 2023-03-07]
|\|
| |   Reviewed-on: https://git.sils.li/vhack.eu/nixos-server/pulls/17
| * Feat: Add Website [sils, 2023-03-07]
|/
|   This provides an html file located at /srv/www/vhack.eu/index.html over https.
* Merge pull request 'Merge to server1' (#16) from server1_develop into server1 [ene, 2023-02-08]
|\
| |   Reviewed-on: https://git.sils.li/vhack.eu/nixos-server/pulls/16
| * Merge branch 'server1_minecraft2' into server1 [ene, 2023-02-08]
| |\
| | * Fix: Made the Minecraft config compile [ene, 2023-02-04]
| |/
|/|
| |   Someone put a string where a list of strings belonged. I took the freedom to change that.