From 5a0cb28f369c104bb371974df876c8c705b0ee7e Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 18 Mar 2023 16:21:45 +0100 Subject: Refactor: Use better file layout --- system/services/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 system/services/default.nix (limited to 'system/services/default.nix') diff --git a/system/services/default.nix b/system/services/default.nix new file mode 100644 index 0000000..acf20f5 --- /dev/null +++ b/system/services/default.nix @@ -0,0 +1,9 @@ +{config, ...}: { + imports = [ + ./acme + ./nginx + ./nix + ./opensshd + ./rust-motd + ]; +} -- cgit 1.4.1 From 083a7cbb9623c90468c887203bf95adc5f2e3201 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:43:26 +0100 Subject: Fix(system/mail): Only accept connections on safe ports It is sort of standard to ignore connections over the unencrypted port 25, thus we are doing the same. --- system/mail/default.nix | 4 ++-- system/services/default.nix | 2 ++ system/services/firewall/default.nix | 11 +++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 system/services/firewall/default.nix (limited to 'system/services/default.nix') diff --git a/system/mail/default.nix b/system/mail/default.nix index 8eaa53b..7102958 100644 --- a/system/mail/default.nix +++ b/system/mail/default.nix @@ -30,13 +30,11 @@ in { "admin@vhack.eu" = all_admins; }; - mailDirectory = "/srv/mail/vmail"; dkimKeyDirectory = "/srv/mail/dkim"; sieveDirectory = "/srv/mail/sieve"; backup.snapshotRoot = "/srv/mail/backup"; - enableImap = false; enableImapSsl = true; enablePop3 = false; @@ -44,8 +42,10 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; + openFirewall = false; # handled below keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; + } diff --git a/system/services/default.nix b/system/services/default.nix index acf20f5..4c39b8b 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,6 +1,8 @@ {config, ...}: { imports = [ ./acme + ./firewall + ./minecraft ./nginx ./nix ./opensshd diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix new file mode 100644 index 0000000..23dbcc4 --- /dev/null +++ b/system/services/firewall/default.nix @@ -0,0 +1,11 @@ +# vim: ts=2 +{...}: { + networking.firewall = { + allowedTCPPorts = [ + # for mail protocols: + 465 # SMTP SSL + 995 # POP3 SSL + 993 # IMAP SSL + ]; + }; +} -- cgit 1.4.1 From 055f4e0191bba4c0dc1000dd2089906119717883 Mon Sep 17 00:00:00 2001 From: ene Date: Sun, 19 Mar 2023 17:46:18 +0100 Subject: Fix(system/services/minecraft): Remove to make compile --- system/services/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/services/default.nix') diff --git a/system/services/default.nix b/system/services/default.nix index 4c39b8b..f36cb29 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -2,7 +2,7 @@ imports = [ ./acme ./firewall - ./minecraft + #./minecraft ./nginx ./nix ./opensshd -- cgit 1.4.1