| Commit message | Author |
|
As the previous configuration only opened some ports, receiving mail was
impossible. This allows NSM to open the required ports directly,
ensuring that none was missed.
SECURITY:
As all other options than SSL are still disabled, this change should not
introduce unencrypted mail transfer.
This has not been tested.
|
|
This should reduce the log spam even further.
|
|
This should clear the logs somewhat.
|
|
Before, new certs were requested at every rebuild.
This caused issues due to Let's Encrypt rate limiting.
|
|
This reverts commit ecb274ba49042f1dfdf63b9c54ff6920f24a9a58.
It may be a security risk, but I care much more about a running
mailserver for now.
|
|
The old one could have exposed a weak hash.
|
|
server1_nginx into server1""
This reverts commit b0599a3d23878da7335e6ae754ebffbd9ac7cbc3.
This may seem ridiculous, and it is, but some things are just necessary.
|
|
The used IPs were straight up wrong.
|
|
Assigning a specific interface for a gateway should make it easier for
NixOS to configure it.
|
|
This doesn't compile.
|
|
server1"
This reverts commit 563521c360073d5c28d2553ec4e1792eb2b14258, reversing
changes made to c50431b189e982a631d2d4864b304f33169bacdb.
This is necessary, because it makes a stable base unavailable.
|
|
The commit didn't work and effectively disabled IPv6.
|
|
This is somewhat misconfigured, as it makes the config not compilable. I
assume that this route setting is needed, but believe that having a
compiling config is better.
|
|
The hardware settings are (somewhat) host specific, and putting them in
`system` just builds the wrong expectations.
|
|
The old values did work, but these should just make things a bit
clearer.
|
|
It is sort of standard to ignore connections over the unencrypted port
25, thus we are doing the same.
|
|
I just think this is easier to read.
|
|
This is something that just makes the file system easier to traverse, but
isn't really necessary.
|
|
As outlined in commit 19f0808, placing a password hash in the world
readable nix-store is perfectly safe as long as the hashing function is
not reversible, which should be a necessity for a password hash.
|
|
All users are in the wheel group, thus direct login as root is no longer
needed.
|
|
This is inherently unsafe because it requires an unencrypted handshake.
Considering that all protocols also work directly with TLS, i.e., the
encrypted variant, disabling this shouldn't be a drawback.
|
|
This provides an HTML file located at /srv/www/vhack.eu/index.html over
HTTPS.
|
|
We used the domain name instead of the host name, which obviously
doesn't work for multiple hosts. In addition to that, I changed some
directory to make importing easier and enabled the "nix-command" and
"flakes" experimental options, to make the `nix flake check` command
usable.
Refs: #15
|
|
Nix flakes make a lot of things very easy.
|
|
Someone put a string where a list of strings belonged. I took the
freedom to change that.
|
|
We run a headless server, so some things, like emergency boot mode, don't really make sense. This
import disables these.
|
|
Saving hashed passwords should be relatively safe, as long as the hashing
algorithm isn't flawed. Considering that we use yescrypt with higher
than average parameters ('jFT' instead of 'j9T'), we should be safe for
now.
|
|
This reverts commit 5a137ce8b8f4b1dcfee03d001938c0fa25df842f.
|
|
resolve conflicts with target branch
|
|
The passwords will be stored in a specific password file, which, because it
isn't part of this repository, is secure.
Refs: #9
|
|
The names of the settings in the GitHub repository are outdated; this
commit changes the setting names to the real ones.
|
|
I changed the valid ssh-host-keys from both rsa and ed25519 to
only ed25519 and moved them to `/srv/ssh` to make them persistent.
In addition to that, I also increased the rounds for the ed25519 key to
1000.
This fixes the ssh-host-key issue introduced by pull request #5.
Fixes: #5
|