Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

changes

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2024-10-16 20:24:40 +02:00
parent b7bfb0f62a
commit c681eb3139
110 changed files with 2924 additions and 720 deletions
Download Patch File Download Diff File Expand all files Collapse all files

169
hosts/fw-new.cloonar.com/modules/gitea-vm.nix
View File

@@ -1,169 +0,0 @@
{ nixpkgs, pkgs, ... }: let
hostname = "git-02";
json = pkgs.formats.json { };
in {
microvm.vms = {
# gitea = {
# config = {
# microvm = {
# hypervisor = "cloud-hypervisor";
# shares = [
# {
# source = "/nix/store";
# mountPoint = "/nix/.ro-store";
# tag = "ro-store";
# proto = "virtiofs";
# }
# {
# source = "/var/lib/acme/git.cloonar.com";
# mountPoint = "/var/lib/acme/${hostname}.cloonar.com";
# tag = "ro-cert";
# proto = "virtiofs";
# }
# ];
# interfaces = [
# {
# type = "tap";
# id = "vm-${hostname}";
# mac = "02:00:00:00:00:01";
# }
# ];
# };
#
# imports = [
# ../fleet.nix
# ];
#
# environment.systemPackages = with pkgs; [
# vim # my preferred editor
# ];
#
# networking = {
# hostName = hostname;
# firewall = {
# enable = true;
# allowedTCPPorts = [ 22 80 443 ];
# };
# };
#
# services.nginx.enable = true;
# services.nginx.virtualHosts."${hostname}.cloonar.com" = {
# sslCertificate = "/var/lib/acme/${hostname}.cloonar.com/fullchain.pem";
# sslCertificateKey = "/var/lib/acme/${hostname}.cloonar.com/key.pem";
# sslTrustedCertificate = "/var/lib/acme/${hostname}.cloonar.com/chain.pem";
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://localhost:3001/";
# };
# };
#
# services.gitea = {
# enable = true;
# appName = "Cloonar Gitea server"; # Give the site a name
# settings = {
# server = {
# ROOT_URL = "https://${hostname}.cloonar.com/";
# HTTP_PORT = 3001;
# DOMAIN = "${hostname}.cloonar.com";
# };
# openid = {
# ENABLE_OPENID_SIGNIN = true;
# ENABLE_OPENID_SIGNUP = true;
# WHITELISTED_URIS = "auth.cloonar.com";
# };
# service = {
# DISABLE_REGISTRATION = true;
# ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
# SHOW_REGISTRATION_BUTTON = false;
# };
# actions.ENABLED=true;
# };
# };
#
# services.openssh.enable = true;
# users.users.root.openssh.authorizedKeys.keys = [
# "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
# ];
#
# system.stateVersion = "22.05";
# };
# };
gitea-runner = {
config = {
microvm = {
mem = 12288;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/run/secrets";
mountPoint = "/run/secrets";
tag = "ro-token";
proto = "virtiofs";
}
];
volumes = [
{
image = "rootfs.img";
mountPoint = "/";
size = 102400;
}
];
interfaces = [
{
type = "tap";
id = "vm-gitea-runner";
mac = "02:00:00:00:00:02";
}
];
};
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking.hostName = "gitea-runner";
virtualisation.podman.enable = true;
services.gitea-actions-runner.instances.vm = {
enable = true;
url = "https://git.cloonar.com";
name = "vm";
tokenFile = "/run/secrets/gitea-runner-token";
labels = [
"ubuntu-latest:docker://shivammathur/node:latest"
];
settings = {
container = {
network = "podman";
};
};
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
system.stateVersion = "22.05";
};
};
};
sops.secrets.gitea-runner-token = {};
environment = {
systemPackages = [
pkgs.qemu
pkgs.quickemu
];
};
}

1
hosts/fw-new/channel Normal file
View File

@@ -0,0 +1 @@
https://channels.nixos.org/nixos-23.11

68
hosts/fw-new.cloonar.com/configuration.nix → hosts/fw-new/configuration.nix
View File

@@ -1,4 +1,5 @@
{ lib, pkgs, ... }: {
imports = [
./fleet.nix
./utils/bento.nix
@@ -9,20 +10,20 @@
./utils/modules/autoupgrade.nix
./utils/modules/promtail
./utils/modules/borgbackup.nix
# ./utils/modules/borgbackup.nix
# ./utils/modules/netdata.nix
# fw
./modules/networking.nix
./modules/firewall.nix
./modules/dhcp4.nix
# ./modules/dhcp4.nix
./modules/unbound.nix
./modules/avahi.nix
./modules/openconnect.nix
./modules/wireguard.nix
./modules/podman.nix
./modules/omada.nix
./modules/ddclient.nix
# ./modules/ddclient.nix
# ./modules/wol.nix
# microvm
@@ -33,30 +34,26 @@
./modules/web
# git
./modules/gitea.nix
# ./modules/gitea.nix
./modules/fwmetrics.nix
# ./modules/firefox-sync.nix
# home assistant
./modules/home-assistant
./modules/deconz.nix
# ./modules/deconz.nix
# ./modules/mopidy.nix
# ./modules/mosquitto.nix
./modules/mosquitto.nix
./modules/snapserver.nix
# gaming
./modules/palworld.nix
# ./modules/palworld.nix
# ./modules/ark-survival-evolved.nix
./hardware-configuration.nix
];
nixpkgs.overlays = [
(import ./utils/overlays/packages.nix)
];
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
];
@@ -67,13 +64,11 @@
time.timeZone = "Europe/Vienna";
services.logind.extraConfig = "RuntimeDirectorySize=2G";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ./secrets.yaml;
environment.systemPackages = with pkgs; [
bento
# bento
conntrack-tools # view network connection states
ethtool # manage NIC settings (offload, NIC feeatures, ...)
git
@@ -89,36 +84,15 @@
options = "--delete-older-than 60d";
};
services.auto-cpufreq.enable = true;
services.auto-cpufreq.settings = {
charger = {
governor = "powersave";
turbo = "auto";
};
};
# services.auto-cpufreq.enable = true;
# services.auto-cpufreq.settings = {
# charger = {
# governor = "powersave";
# turbo = "auto";
# };
# };
boot = {
kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
# kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd
kernelParams = [
"rootwait"
"earlycon" # enable early console, so we can see the boot messages via serial port / HDMI
"consoleblank=0" # disable console blanking(screen saver)
"console=ttyS2,1500000" # serial port
"console=tty1" # HDMI
# docker optimizations
"cgroup_enable=cpuset"
"cgroup_memory=1"
"cgroup_enable=memory"
"swapaccount=1"
];
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
# zramSwap.enable = true;
networking.hostName = "fw-new";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
@@ -126,8 +100,10 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
services.logind.extraConfig = "RuntimeDirectorySize=8G";
# backups
borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
# borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
system.stateVersion = "23.11";
}

0
hosts/fw-new.cloonar.com/fleet.nix → hosts/fw-new/fleet.nix
View File

18
hosts/fw-new.cloonar.com/hardware-configuration.nix → hosts/fw-new/hardware-configuration.nix
View File

@@ -4,19 +4,19 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
kernel.sysctl = {
"kernel.printk" = "1 4 1 7";
};
supportedFilesystems = lib.mkForce [ "vfat" "fat32" "exfat" "ext4" "btrfs" ];
initrd.includeDefaultModules = lib.mkForce false;
initrd.availableKernelModules = lib.mkForce [ "nvme" "mmc_block" "usbhid" "hid" "input_leds" ];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
initrd.availableKernelModules = lib.mkForce [ "nvme" "mmc_block" "hid" "dm_mod" "dm_crypt" "input_leds" ];
# kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd
kernelParams = [
@@ -43,7 +43,7 @@
];
};
enableRedistributableFirmware = true;
enableRedistributableFirmware = lib.mkForce true;
firmware = [
(pkgs.callPackage ./pkgs/orangepi-firmware {})
];

0
hosts/fw-new.cloonar.com/modules/ark-survival-evolved.nix → hosts/fw-new/modules/ark-survival-evolved.nix
View File

0
hosts/fw-new.cloonar.com/modules/avahi.nix → hosts/fw-new/modules/avahi.nix
View File

1
hosts/fw-new.cloonar.com/modules/ddclient.nix → hosts/fw-new/modules/ddclient.nix
View File

@@ -13,6 +13,7 @@
"vpn.cloonar.com"
"git.cloonar.com"
"palworld.cloonar.com"
"matrix.cloonar.com"
];
};

0
hosts/fw-new.cloonar.com/modules/deconz.nix → hosts/fw-new/modules/deconz.nix
View File

110
hosts/fw-new.cloonar.com/modules/dhcp4.nix → hosts/fw-new/modules/dhcp4.nix
View File

@@ -23,15 +23,15 @@
{
pools = [
{
pool = "10.42.96.100 - 10.42.96.240";
pool = "10.42.112.100 - 10.42.112.240";
}
];
subnet = "10.42.96.0/24";
subnet = "10.42.112.0/24";
interface = "lan";
option-data = [
{
name = "routers";
data = "10.42.96.1";
data = "10.42.112.1";
}
{
name = "domain-name";
@@ -43,18 +43,18 @@
}
{
name = "domain-name-servers";
data = "10.42.96.1";
data = "10.42.112.1";
}
];
reservations = [
{
hw-address = "04:7c:16:d5:63:5e";
ip-address = "10.42.96.5";
ip-address = "10.42.112.5";
server-hostname = "omada.cloonar.com";
}
{
hw-address = "30:05:5c:56:62:37";
ip-address = "10.42.96.100";
ip-address = "10.42.112.100";
server-hostname = "brn30055c566237.cloonar.com";
}
];
@@ -62,15 +62,15 @@
{
pools = [
{
pool = "10.42.97.100 - 10.42.97.240";
pool = "10.42.113.100 - 10.42.113.240";
}
];
subnet = "10.42.97.0/24";
subnet = "10.42.113.0/24";
interface = "server";
option-data = [
{
name = "routers";
data = "10.42.97.1";
data = "10.42.113.1";
}
{
name = "domain-name";
@@ -78,33 +78,33 @@
}
{
name = "domain-name-servers";
data = "10.42.97.1";
data = "10.42.113.1";
}
];
reservations = [
{
hw-address = "1a:c4:04:6e:29:bd";
ip-address = "10.42.97.2";
ip-address = "10.42.113.2";
server-hostname = "omada.cloonar.com";
}
{
hw-address = "02:00:00:00:00:03";
ip-address = "10.42.97.5";
ip-address = "10.42.113.5";
server-hostname = "web-02.cloonar.com";
}
{
hw-address = "ea:db:d4:c1:18:ba";
ip-address = "10.42.97.50";
ip-address = "10.42.113.50";
server-hostname = "git.cloonar.com";
}
{
hw-address = "c2:4f:64:dd:13:0c";
ip-address = "10.42.97.20";
ip-address = "10.42.113.20";
server-hostname = "home-assistant.cloonar.com";
}
{
hw-address = "1a:c4:04:6e:29:02";
ip-address = "10.42.97.25";
ip-address = "10.42.113.25";
server-hostname = "deconz.cloonar.com";
}
];
@@ -112,15 +112,15 @@
{
pools = [
{
pool = "10.42.101.100 - 10.42.101.240";
pool = "10.42.117.100 - 10.42.117.240";
}
];
subnet = "10.42.101.0/24";
subnet = "10.42.117.0/24";
interface = "infrastructure";
option-data = [
{
name = "routers";
data = "10.42.101.1";
data = "10.42.117.1";
}
{
name = "domain-name";
@@ -128,12 +128,12 @@
}
{
name = "domain-name-servers";
data = "10.42.101.1";
data = "10.42.117.1";
}
{
name = "capwap-ac-v4";
code = 138;
data = "10.42.97.2";
data = "10.42.117.2";
}
];
reservations = [
@@ -142,15 +142,15 @@
{
pools = [
{
pool = "10.42.99.100 - 10.42.99.240";
pool = "10.42.115.100 - 10.42.115.240";
}
];
subnet = "10.42.99.0/24";
subnet = "10.42.115.0/24";
interface = "multimedia";
option-data = [
{
name = "routers";
data = "10.42.99.1";
data = "10.42.115.1";
}
{
name = "domain-name";
@@ -158,43 +158,43 @@
}
{
name = "domain-name-servers";
data = "10.42.99.1";
data = "10.42.115.1";
}
];
reservations = [
{
hw-address = "c4:a7:2b:c7:ea:30";
ip-address = "10.42.99.10";
ip-address = "10.42.115.10";
hostname = "metz.cloonar.multimedia";
}
{
hw-address = "f0:2f:9e:d4:3b:21";
ip-address = "10.42.99.11";
ip-address = "10.42.115.11";
hostname = "firetv-living";
}
{
hw-address = "bc:33:29:ed:24:f0";
ip-address = "10.42.99.12";
ip-address = "10.42.115.12";
hostname = "ps5";
}
{
hw-address = "e4:2a:ac:32:3f:79";
ip-address = "10.42.99.13";
ip-address = "10.42.115.13";
hostname = "xbox";
}
{
hw-address = "98:b6:e9:b6:ef:f4";
ip-address = "10.42.99.14";
ip-address = "10.42.115.14";
hostname = "switch";
}
{
hw-address = "f0:2f:9e:c1:74:72";
ip-address = "10.42.99.21";
ip-address = "10.42.115.21";
hostname = "firetv-bedroom";
}
{
hw-address = "30:05:5c:56:62:37";
ip-address = "10.42.99.100";
ip-address = "10.42.115.100";
server-hostname = "brn30055c566237";
}
];
@@ -202,15 +202,15 @@
{
pools = [
{
pool = "10.42.254.10 - 10.42.254.254";
pool = "10.42.127.10 - 10.42.127.254";
}
];
subnet = "10.42.254.0/24";
subnet = "10.42.127.0/24";
interface = "guest";
option-data = [
{
name = "routers";
data = "10.42.254.1";
data = "10.42.127.1";
}
{
name = "domain-name-servers";
@@ -221,15 +221,15 @@
{
pools = [
{
pool = "10.42.100.100 - 10.42.100.240";
pool = "10.42.116.100 - 10.42.116.240";
}
];
subnet = "10.42.100.0/24";
subnet = "10.42.116.0/24";
interface = "smart";
option-data = [
{
name = "routers";
data = "10.42.100.1";
data = "10.42.116.1";
}
{
name = "domain-name";
@@ -237,7 +237,7 @@
}
{
name = "domain-name-servers";
data = "10.42.100.1";
data = "10.42.116.1";
}
];
reservations = [
@@ -282,89 +282,89 @@
{
hw-address = "60:a4:23:97:4a:ec";
ip-address = "10.42.100.21";
ip-address = "10.42.116.21";
server-hostname = "shellymotionsensor-60A423974AEC";
}
{
hw-address = "8c:aa:b5:61:6f:e2";
ip-address = "10.42.100.103";
ip-address = "10.42.116.103";
server-hostname = "ShellyBulbDuo-8CAAB5616FE2";
}
{
hw-address = "8c:aa:b5:61:6e:9e";
ip-address = "10.42.100.104";
ip-address = "10.42.116.104";
server-hostname = "ShellyBulbDuo-8CAAB5616E9E";
}
{
hw-address = "cc:50:e3:bc:27:64";
ip-address = "10.42.100.112";
ip-address = "10.42.116.112";
server-hostname = "Nuki_Bridge_1A753F72";
}
{
hw-address = "e8:db:84:a9:ea:be";
ip-address = "10.42.100.117";
ip-address = "10.42.116.117";
server-hostname = "ShellyBulbDuo-E8DB84A9EABE";
}
{
hw-address = "e8:db:84:a9:d1:8b";
ip-address = "10.42.100.119";
ip-address = "10.42.116.119";
server-hostname = "shellycolorbulb-E8DB84A9D18B";
}
{
hw-address = "3c:61:05:e5:96:e0";
ip-address = "10.42.100.120";
ip-address = "10.42.116.120";
server-hostname = "shellycolorbulb-3C6105E596E0";
}
{
hw-address = "e8:db:84:a9:d7:ef";
ip-address = "10.42.100.121";
ip-address = "10.42.116.121";
server-hostname = "shellycolorbulb-E8DB84A9D7EF";
}
{
hw-address = "e8:db:84:aa:51:aa";
ip-address = "10.42.100.122";
ip-address = "10.42.116.122";
server-hostname = "shellycolorbulb-E8DB84AA51AA";
}
{
hw-address = "34:94:54:79:bc:57";
ip-address = "10.42.100.130";
ip-address = "10.42.116.130";
server-hostname = "shellycolorbulb-34945479bc57";
}
{
hw-address = "48:55:19:d9:a1:b2";
ip-address = "10.42.100.131";
ip-address = "10.42.116.131";
server-hostname = "shellycolorbulb-485519d9a1b2";
}
{
hw-address = "48:55:19:d9:ae:95";
ip-address = "10.42.100.132";
ip-address = "10.42.116.132";
server-hostname = "shellycolorbulb-485519d9ae95";
}
{
hw-address = "48:55:19:d9:4a:28";
ip-address = "10.42.100.133";
ip-address = "10.42.116.133";
server-hostname = "shellycolorbulb-485519d94a28";
}
{
hw-address = "48:55:19:da:6b:6a";
ip-address = "10.42.100.134";
ip-address = "10.42.116.134";
server-hostname = "shellycolorbulb-485519da6b6a";
}
{
hw-address = "48:55:19:d9:e0:18";
ip-address = "10.42.100.135";
ip-address = "10.42.116.135";
server-hostname = "shellycolorbulb-485519d9e018";
}
{
hw-address = "34:6f:24:f3:af:ad";
ip-address = "10.42.100.137";
ip-address = "10.42.116.137";
server-hostname = "daikin86604";
}
{
hw-address = "34:6f:24:c1:f8:54";
ip-address = "10.42.100.139";
ip-address = "10.42.116.139";
server-hostname = "daikin53800";
}
];

0
hosts/fw-new.cloonar.com/modules/firefox-sync.nix → hosts/fw-new/modules/firefox-sync.nix
View File

38
hosts/fw-new.cloonar.com/modules/firewall.nix → hosts/fw-new/modules/firewall.nix
View File

@@ -32,13 +32,13 @@
iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic"
iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic"
iifname "lan" tcp dport 5931 counter accept comment "Spice"
iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
iifname { "wan", "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS"
iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
# Accept mDNS for avahi reflection
iifname "server" ip saddr 10.42.97.20/32 tcp dport { llmnr } counter accept
iifname "server" ip saddr 10.42.97.20/32 udp dport { mdns, llmnr } counter accept
iifname "server" ip saddr 10.42.113.20/32 tcp dport { llmnr } counter accept
iifname "server" ip saddr 10.42.113.20/32 udp dport { mdns, llmnr } counter accept
# Allow all returning traffic
ct state { established, related } counter accept
@@ -81,15 +81,15 @@
iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept
iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept
# avahi
iifname "server" ip saddr 10.42.97.20/32 oifname { "lan" } counter accept
iifname "server" ip saddr 10.42.113.20/32 oifname { "lan" } counter accept
# smart home coap
iifname "smart" oifname "server" ip daddr 10.42.97.20/32 udp dport { 5683 } counter accept
iifname "smart" oifname "server" ip daddr 10.42.97.20/32 tcp dport { 1883 } counter accept
iifname "smart" oifname "server" ip daddr 10.42.113.20/32 udp dport { 5683 } counter accept
iifname "smart" oifname "server" ip daddr 10.42.113.20/32 tcp dport { 1883 } counter accept
# Forward to git server
oifname "server" ip daddr 10.42.97.50 tcp dport { 22 } counter accept
oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept
oifname "server" ip daddr 10.42.113.50 tcp dport { 22 } counter accept
oifname "server" ip daddr 10.42.113.5 tcp dport { 80, 443 } counter accept
# lan and vpn to any
# TODO: disable wan when finished
@@ -101,11 +101,11 @@
# accept palword server
iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept comment "palworld"
# forward to ark server
oifname "server" ip daddr 10.42.97.201 tcp dport { 27020 } counter accept comment "ark survival evolved"
oifname "server" ip daddr 10.42.97.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved"
oifname "server" ip daddr 10.42.113.201 tcp dport { 27020 } counter accept comment "ark survival evolved"
oifname "server" ip daddr 10.42.113.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved"
# firefox-sync
oifname "server" ip daddr 10.42.97.51 tcp dport { 5000 } counter accept comment "firefox-sync"
oifname "server" ip daddr 10.42.113.51 tcp dport { 5000 } counter accept comment "firefox-sync"
# allow all established, related
ct state { established, related } accept comment "Allow established traffic"
@@ -137,20 +137,20 @@
chain prerouting {
type nat hook prerouting priority filter; policy accept;
iifname "server" ip daddr 10.42.96.255 udp dport { 9 } dnat to 10.42.96.255
iifname "wan" tcp dport { 22 } dnat to 10.42.97.50
iifname "wan" tcp dport { 80, 443 } dnat to 10.42.97.5
iifname "wan" tcp dport { 5000 } dnat to 10.42.97.51
iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.97.201
iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.97.201
# iifname "wan" tcp dport { 22 } dnat to 10.42.113.50
iifname "wan" tcp dport { 80, 443 } dnat to 10.42.113.5
iifname "wan" tcp dport { 5000 } dnat to 10.42.113.51
iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.113.201
iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.113.201
}
# Setup NAT masquerading on external interfaces
chain postrouting {
type nat hook postrouting priority filter; policy accept;
oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.50 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.51 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.201 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.113.50 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.113.51 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.113.201 masquerade
}
'';
};

0
hosts/fw-new.cloonar.com/modules/fwmetrics.nix → hosts/fw-new/modules/fwmetrics.nix
View File

175
hosts/fw-new/modules/gitea-vm.nix Normal file
View File

@@ -0,0 +1,175 @@
{ config, nixpkgs, pkgs, ... }: let
hostname = "git";
json = pkgs.formats.json { };
pkgs-with-gitea = import (builtins.fetchGit {
name = "new-gitea";
url = "https://github.com/nixos/nixpkgs/";
rev = "159be5db480d1df880a0135ca0bfed84c2f88353";
}) {};
in {
microvm.vms = {
gitea = {
config = {
microvm = {
hypervisor = "cloud-hypervisor";
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/var/lib/acme/git.cloonar.com";
mountPoint = "/var/lib/acme/${hostname}.cloonar.com";
tag = "ro-cert";
proto = "virtiofs";
}
];
interfaces = [
{
type = "tap";
id = "vm-${hostname}";
mac = "02:00:00:00:00:01";
}
];
};
imports = [
../fleet.nix
];
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking = {
hostName = hostname;
firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."${hostname}.cloonar.com" = {
sslCertificate = "/var/lib/acme/${hostname}.cloonar.com/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${hostname}.cloonar.com/key.pem";
sslTrustedCertificate = "/var/lib/acme/${hostname}.cloonar.com/chain.pem";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3001/";
};
};
services.gitea = {
enable = true;
package = pkgs-with-gitea.gitea;
appName = "Cloonar Gitea server"; # Give the site a name
settings = {
server = {
ROOT_URL = "https://${hostname}.cloonar.com/";
HTTP_PORT = 3001;
DOMAIN = "${hostname}.cloonar.com";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "auth.cloonar.com";
};
service = {
DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
actions.ENABLED=true;
};
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
system.stateVersion = "22.05";
};
};
gitea-runner = {
config = {
microvm = {
mem = 12288;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/run/secrets";
mountPoint = "/run/secrets";
tag = "ro-token";
proto = "virtiofs";
}
];
volumes = [
{
image = "rootfs.img";
mountPoint = "/";
size = 102400;
}
];
interfaces = [
{
type = "tap";
id = "vm-gitea-runner";
mac = "02:00:00:00:00:02";
}
];
};
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking.hostName = "gitea-runner";
virtualisation.podman.enable = true;
services.gitea-actions-runner.instances.vm = {
enable = true;
url = "https://git.cloonar.com";
name = "vm";
tokenFile = "/run/secrets/gitea-runner-token";
labels = [
"ubuntu-latest:docker://shivammathur/node:latest"
];
settings = {
container = {
network = "podman";
};
};
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
system.stateVersion = "22.05";
};
};
};
sops.secrets.gitea-runner-token = {};
environment = {
systemPackages = [
pkgs.qemu
pkgs.quickemu
];
};
}

0
hosts/fw-new.cloonar.com/modules/gitea.nix → hosts/fw-new/modules/gitea.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/3dprinter.nix → hosts/fw-new/modules/home-assistant/3dprinter.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/ac.nix → hosts/fw-new/modules/home-assistant/ac.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/battery.nix → hosts/fw-new/modules/home-assistant/battery.nix
View File

54
hosts/fw-new.cloonar.com/modules/home-assistant/default.nix → hosts/fw-new/modules/home-assistant/default.nix
View File

@@ -1,6 +1,12 @@
{ config, pkgs, ... }:
let
domain = "home-assistant.cloonar.com";
release2405 = import <nixos-24.05> { config = config.nixpkgs.config; };
pkgs-with-home-assistant = import (builtins.fetchGit {
name = "new-home-assistant";
url = "https://github.com/nixos/nixpkgs/";
rev = "268bb5090a3c6ac5e1615b38542a868b52ef8088";
}) {};
in
{
users.users.hass = {
@@ -30,26 +36,26 @@ in
ephemeral = false;
privateNetwork = true;
hostBridge = "server";
hostAddress = "10.42.97.1";
localAddress = "10.42.97.20/24";
hostAddress = "10.42.113.1";
localAddress = "10.42.113.20/24";
extraFlags = [
"--capability=CAP_NET_ADMIN"
];
allowedDevices = [
{
modifier = "rwm";
node = "char-usb_device";
}
{
modifier = "rwm";
node = "char-ttyUSB";
}
];
# allowedDevices = [
# {
# modifier = "rwm";
# node = "char-usb_device";
# }
# {
# modifier = "rwm";
# node = "char-ttyUSB";
# }
# ];
bindMounts = {
"/dev/ttyUSB0" = {
hostPath = "/dev/ttyUSB0";
isReadOnly = false;
};
# "/dev/ttyUSB0" = {
# hostPath = "/dev/ttyUSB0";
# isReadOnly = false;
# };
"/etc/localtime" = {
hostPath = "/etc/localtime";
};
@@ -104,6 +110,7 @@ in
environment.systemPackages = [
pkgs.wol
pkgs.mariadb
];
services.nginx.enable = true;
@@ -127,6 +134,7 @@ in
};
services.home-assistant = {
package = pkgs-with-home-assistant.home-assistant;
enable = true;
};
@@ -140,6 +148,17 @@ in
"tplink_omada"
];
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ "hass" ];
};
services.mysqlBackup = {
enable = true;
databases = [ "hass" ];
};
services.home-assistant.config =
let
hiddenEntities = [
@@ -148,6 +167,9 @@ in
];
in
{
recorder = {
db_url = "mysql://hass@localhost/hass?unix_socket=/var/run/mysqld/mysqld.sock";
};
homeassistant = {
name = "Home";
latitude = "!secret home_latitude";

0
hosts/fw-new.cloonar.com/modules/home-assistant/electricity.nix → hosts/fw-new/modules/home-assistant/electricity.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/enocean.nix → hosts/fw-new/modules/home-assistant/enocean.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/ldap.nix → hosts/fw-new/modules/home-assistant/ldap.nix
View File

18
hosts/fw-new.cloonar.com/modules/home-assistant/light.nix → hosts/fw-new/modules/home-assistant/light.nix
View File

@@ -370,6 +370,7 @@
{
platform = "group";
name = "Livingroom Lights";
all = true;
entities = [
"light.livingroom_switch"
"light.living_bulb_1"
@@ -380,6 +381,23 @@
"light.living_bulb_6"
];
}
{
platform = "switch";
name = "Bedroom Switch";
entity_id = "switch.bedroom_switch";
}
{
platform = "group";
name = "Bedroom Lights";
all = true;
entities = [
"light.bedroom_switch"
"light.bedroom_bulb_1"
"light.bedroom_bulb_2"
"light.bedroom_bulb_3"
"light.bedroom_bulb_4"
];
}
];
};
}

0
hosts/fw-new.cloonar.com/modules/home-assistant/locks.nix → hosts/fw-new/modules/home-assistant/locks.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/multimedia.nix → hosts/fw-new/modules/home-assistant/multimedia.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/music.nix → hosts/fw-new/modules/home-assistant/music.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/notify.nix → hosts/fw-new/modules/home-assistant/notify.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/pc.nix → hosts/fw-new/modules/home-assistant/pc.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/presense.nix → hosts/fw-new/modules/home-assistant/presense.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/pushover.nix → hosts/fw-new/modules/home-assistant/pushover.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/roborock.nix → hosts/fw-new/modules/home-assistant/roborock.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/scene-switch.nix → hosts/fw-new/modules/home-assistant/scene-switch.nix
View File

24
hosts/fw-new.cloonar.com/modules/home-assistant/shelly.nix → hosts/fw-new/modules/home-assistant/shelly.nix
View File

@@ -7,17 +7,21 @@ let
{ name = "Living Bulb 4"; id = "485519D94A28"; }
{ name = "Living Bulb 5"; id = "485519DA6B6A"; }
{ name = "Living Bulb 6"; id = "485519D9E018"; }
{ name = "Bedroom Bulb 1"; id = "08f9e06f4eb4"; }
{ name = "Bedroom Bulb 2"; id = "485519ee0ed9"; }
{ name = "Bedroom Bulb 3"; id = "08f9e06fe779"; }
{ name = "Bedroom Bulb 4"; id = "485519ee00a0"; }
];
switches = [
{ name = "Kitchen Switch"; id = "483FDA8274C2"; relay = "0"; }
{ name = "Livingroom Switch"; id = "483FDA8274C2"; relay = "1"; }
];
switches = [];
proswitches = [
{ name = "Hallway Circuit"; id = "c8f09e894448"; relay = "0"; }
{ name = "Bathroom Circuit"; id = "c8f09e894448"; relay = "1"; }
{ name = "Kitchen Circuit"; id = "c8f09e894448"; relay = "2"; }
{ name = "Livingroom Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "0"; }
{ name = "Kitchen Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "1"; }
{ name = "Bedroom Switch"; id = "shelly1pmminig3-34b7da933fe0"; relay = "0"; }
{ name = "Hallway Circuit"; id = "shellypro3-c8f09e894448"; relay = "0"; }
{ name = "Bathroom Circuit"; id = "shellypro3-c8f09e894448"; relay = "1"; }
{ name = "Kitchen Circuit"; id = "shellypro3-c8f09e894448"; relay = "2"; }
];
in {
services.home-assistant.extraComponents = [
@@ -45,14 +49,14 @@ in {
in {
name = switch.name;
unique_id = unique_id;
state_topic = "shellies/shellypro3-${switch.id}/status/switch:${switch.relay}";
state_topic = "shellies/${switch.id}/status/switch:${switch.relay}";
value_template = "{{ value_json.output }}";
state_on = true;
state_off = false;
command_topic = "shellies/shellypro3-c8f09e894448/rpc";
command_topic = "shellies/${switch.id}/rpc";
payload_on = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":true}}";
payload_off = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":false}}";
availability_topic = "shellies/shellypro3-${switch.id}/online";
availability_topic = "shellies/${switch.id}/online";
payload_available = "true";
payload_not_available = "false";
}

0
hosts/fw-new.cloonar.com/modules/home-assistant/sleep.nix → hosts/fw-new/modules/home-assistant/sleep.nix
View File

0
hosts/fw-new.cloonar.com/modules/home-assistant/snapcast.nix → hosts/fw-new/modules/home-assistant/snapcast.nix
View File

0
hosts/fw-new.cloonar.com/modules/microvm.nix → hosts/fw-new/modules/microvm.nix
View File

0
hosts/fw-new.cloonar.com/modules/mopidy.nix → hosts/fw-new/modules/mopidy.nix
View File

0
hosts/fw-new.cloonar.com/modules/mosquitto.nix → hosts/fw-new/modules/mosquitto.nix
View File

54
hosts/fw-new.cloonar.com/modules/networking.nix → hosts/fw-new/modules/networking.nix
View File

@@ -11,13 +11,9 @@
wait-online.anyInterface = true;
links = {
"10-wan" = {
matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c1";
matchConfig.PermanentMACAddress = "c0:74:2b:fd:9a:7f";
linkConfig.Name = "wan";
};
"20-lan" = {
matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c2";
linkConfig.Name = "lan";
};
};
netdevs = {
"30-server".netdevConfig = {
@@ -40,48 +36,42 @@
nameservers = [ "10.42.97.1" ];
# resolvconf.enable = false;
vlans = {
infrastructure = {
id = 101;
interface = "enp5s0";
lan = {
id = 95;
interface = "enP3p49s0";
};
vserver = {
id = 97;
interface = "enp5s0";
interface = "enP3p49s0";
};
multimedia = {
id = 99;
interface = "enp5s0";
id = 98;
interface = "enP3p49s0";
};
smart = {
id = 100;
interface = "enp5s0";
id = 99;
interface = "enP3p49s0";
};
infrastructure = {
id = 100;
interface = "enP3p49s0";
};
guest = {
id = 254;
interface = "enp5s0";
id = 111;
interface = "enP3p49s0";
};
};
# macvlans.server = {
# interface = "vserver";
# mode = "bridge";
# };
# bridges = {
# server = {
# interfaces = [ "vserver" ];
# };
# };
interfaces = {
# Don't request DHCP on the physical interfaces
lan.useDHCP = false;
enp4s0.useDHCP = false;
enp5s0.useDHCP = false;
enP3p49s0.useDHCP = false;
# Handle the VLANs
wan.useDHCP = true;
lan = {
ipv4.addresses = [{
address = "10.42.96.1";
address = "10.42.95.1";
prefixLength = 24;
}];
};
@@ -91,19 +81,19 @@
prefixLength = 24;
}];
};
infrastructure = {
multimedia = {
ipv4.addresses = [{
address = "10.42.101.1";
address = "10.42.98.1";
prefixLength = 24;
}];
};
multimedia = {
smart = {
ipv4.addresses = [{
address = "10.42.99.1";
prefixLength = 24;
}];
};
smart = {
infrastructure = {
ipv4.addresses = [{
address = "10.42.100.1";
prefixLength = 24;
@@ -111,7 +101,7 @@
};
guest = {
ipv4.addresses = [{
address = "10.42.254.1";
address = "10.42.111.1";
prefixLength = 24;
}];
};

0
hosts/fw-new.cloonar.com/modules/omada.nix → hosts/fw-new/modules/omada.nix
View File

0
hosts/fw-new.cloonar.com/modules/openconnect.nix → hosts/fw-new/modules/openconnect.nix
View File

0
hosts/fw-new.cloonar.com/modules/palworld.nix → hosts/fw-new/modules/palworld.nix
View File

0
hosts/fw-new.cloonar.com/modules/podman.nix → hosts/fw-new/modules/podman.nix
View File

0
hosts/fw-new.cloonar.com/modules/postgresql.nix → hosts/fw-new/modules/postgresql.nix
View File

0
hosts/fw-new.cloonar.com/modules/snapserver.nix → hosts/fw-new/modules/snapserver.nix
View File

0
hosts/fw-new.cloonar.com/modules/staticids.nix → hosts/fw-new/modules/staticids.nix
View File

0
hosts/fw-new.cloonar.com/modules/sysbox.nix → hosts/fw-new/modules/sysbox.nix
View File

150
hosts/fw-new.cloonar.com/modules/unbound.nix → hosts/fw-new/modules/unbound.nix
View File

@@ -259,81 +259,81 @@ in {
enable = true;
settings = cfg;
};
systemd.services.unbound-sync = {
enable = true;
path = with pkgs; [ unbound inotify-tools ];
script = ''
function readFile() {
if [[ "''\$2" == "A" ]] ; then
cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context
do
echo "''\${address},''\${hostname}"
done
else
cat "''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source
do
echo "''\${address},''\${hostname}"
done
fi
}
function readFileUnique() {
readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname
do
if echo "''\${1}" | grep -Eq '.*\.(cloonar.com|cloonar.multimedia|cloonar.smart)'; then
echo ''\${hostname} ''\$2 ''\${address}
unbound-control local_data ''\${hostname} ''\$2 ''\${address}
if [[ "''\$2" == "A" ]] ; then
echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
do
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname}
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname}
done
fi
else
if [[ "''\$2" == "A" ]] ; then
echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
do
if [[ "''\${hostname}" != "" ]]; then
domain=cloonar.com
if [[ "''\${ip2}" == 99 ]]; then
domain=cloonar.multimedia
fi
if [[ "''\${ip2}" == 100 ]]; then
domain=cloonar.smart
fi
if [[ "''\${hostname}" != *. ]]; then
unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address}
else
unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address}
fi
fi
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname}
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname}
done
fi
fi
done
}
function syncFile() {
# readFileUnique "''\$1" "''\$2"
while true; do
readFileUnique "''\$1" "''\$2"
sleep 10
done
}
syncFile "/var/lib/kea/dhcp4.leases" A &
# syncFile "/var/lib/kea/dhcp6.leases" AAAA &
wait
'';
wants = [ "network-online.target" "unbound.service" ];
after = [ "network-online.target" "unbound.service" ];
partOf = [ "unbound.service" ];
wantedBy = [ "multi-user.target" ];
};
# systemd.services.unbound-sync = {
# enable = true;
# path = with pkgs; [ unbound inotify-tools ];
# script = ''
# function readFile() {
# if [[ "''\$2" == "A" ]] ; then
# cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context
# do
# echo "''\${address},''\${hostname}"
# done
# else
# cat "''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source
# do
# echo "''\${address},''\${hostname}"
# done
# fi
# }
#
# function readFileUnique() {
# readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname
# do
# if echo "''\${1}" | grep -Eq '.*\.(cloonar.com|cloonar.multimedia|cloonar.smart)'; then
# echo ''\${hostname} ''\$2 ''\${address}
# unbound-control local_data ''\${hostname} ''\$2 ''\${address}
# if [[ "''\$2" == "A" ]] ; then
# echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
# do
# unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname}
# unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname}
# done
# fi
# else
# if [[ "''\$2" == "A" ]] ; then
# echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
# do
# if [[ "''\${hostname}" != "" ]]; then
# domain=cloonar.com
# if [[ "''\${ip2}" == 99 ]]; then
# domain=cloonar.multimedia
# fi
# if [[ "''\${ip2}" == 100 ]]; then
# domain=cloonar.smart
# fi
# if [[ "''\${hostname}" != *. ]]; then
# unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address}
# else
# unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address}
# fi
#
# fi
# unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname}
# unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname}
# done
# fi
# fi
# done
# }
#
# function syncFile() {
# # readFileUnique "''\$1" "''\$2"
# while true; do
# readFileUnique "''\$1" "''\$2"
# sleep 10
# done
# }
#
# syncFile "/var/lib/kea/dhcp4.leases" A &
# # syncFile "/var/lib/kea/dhcp6.leases" AAAA &
# wait
# '';
# wants = [ "network-online.target" "unbound.service" ];
# after = [ "network-online.target" "unbound.service" ];
# partOf = [ "unbound.service" ];
# wantedBy = [ "multi-user.target" ];
# };
networking.firewall.allowedUDPPorts = [ 53 5353 ];
}

0
hosts/fw-new.cloonar.com/modules/update-containers.nix → hosts/fw-new/modules/update-containers.nix
View File

0
hosts/fw-new.cloonar.com/modules/web/default.nix → hosts/fw-new/modules/web/default.nix
View File

0
hosts/fw-new.cloonar.com/modules/web/proxies.nix → hosts/fw-new/modules/web/proxies.nix
View File

0
hosts/fw-new.cloonar.com/modules/web/secrets.yaml → hosts/fw-new/modules/web/secrets.yaml
View File

0
hosts/fw-new.cloonar.com/modules/web/zammad.nix → hosts/fw-new/modules/web/zammad.nix
View File

6
hosts/fw-new.cloonar.com/modules/wireguard.nix → hosts/fw-new/modules/wireguard.nix
View File

@@ -8,18 +8,18 @@
networking.wireguard.interfaces = {
wg_cloonar = {
ips = [ "10.42.98.1/24" ];
ips = [ "10.42.114.1/24" ];
listenPort = 51820;
# publicKey: TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=
privateKeyFile = config.sops.secrets.wg_cloonar_key.path;
peers = [
{ # Notebook
publicKey = "YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=";
allowedIPs = [ "10.42.98.201/32" ];
allowedIPs = [ "10.42.114.201/32" ];
}
{ # iPhone
publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0=";
allowedIPs = [ "10.42.98.202/32" ];
allowedIPs = [ "10.42.114.202/32" ];
}
];
};

0
hosts/fw-new.cloonar.com/modules/wol.nix → hosts/fw-new/modules/wol.nix
View File

0
hosts/fw-new.cloonar.com/pkgs/kernel/rk35xx_vendor_config → hosts/fw-new/pkgs/kernel/rk35xx_vendor_config
View File

8
hosts/fw-new.cloonar.com/pkgs/kernel/vendor.nix → hosts/fw-new/pkgs/kernel/vendor.nix
View File

@@ -15,13 +15,19 @@
}:
(linuxManualConfig rec {
modDirVersion = "6.1.43";
# modDirVersion = "5.10.65";
version = "${modDirVersion}-xunlong-rk3588";
extraMeta.branch = "6.1";
# extraMeta.branch = "5.10";
# https://github.com/orangepi-xunlong/linux-orangepi/tree/orange-pi-6.1-rk35xx
src = fetchFromGitHub {
owner = "orangepi-xunlong";
repo = "linux-orangepi";
# rev = "122b41d84d018af909a766e48f3f90cbea9868e0";
# hash = "sha256-kOhxDP1hbrrIriOXizgZoB0I+3/JWOPcOCdNeXcPJV0=";
# rev = "eb1c681e5184e51d8ce1f351559d149d17f48b57";
# hash = "sha256-kOhxDP1hbrrIriOXizgZoB0I+3/JWOPcOCdNeXcPJV0=";
rev = "752c0d0a12fdce201da45852287b48382caa8c0f";
hash = "sha256-tVu/3SF/+s+Z6ytKvuY+ZwqsXUlm40yOZ/O5kfNfUYc=";
};
@@ -41,5 +47,5 @@
})
.overrideAttrs (old: {
name = "k"; # dodge uboot length limits
nativeBuildInputs = old.nativeBuildInputs ++ [ubootTools];
# nativeBuildInputs = old.nativeBuildInputs ++ [ubootTools];
})

0
hosts/fw-new.cloonar.com/pkgs/mali-firmware/default.nix → hosts/fw-new/pkgs/mali-firmware/default.nix
View File

0
hosts/fw-new.cloonar.com/pkgs/orangepi-firmware/default.nix → hosts/fw-new/pkgs/orangepi-firmware/default.nix
View File

32
hosts/fw-new.cloonar.com/secrets.yaml → hosts/fw-new/secrets.yaml
View File

@@ -23,29 +23,29 @@ sops:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpalJkZWNhUzRJdTdhaElh
VlNGd3AzaW5ha1d4ekVESStQSC9mTnBGRzFRCmszVHVBMjFRZjRuejRjenhvdGZl
RkMxMmowbWdndDZvcHc5RDZBNGh2THcKLS0tIFVuU0ZIOXlpZEE1alVGaXhnbWhQ
T1BiZitwUHEvRGx2ZkdTTWJZQzJpOU0KH035L5mbJ1fDjmuNbmfCGZdJ/4eE9FeI
qM5/d51C3fP1uRjeLJFxObNlu/QG9MKql80fYF0NUboVGIUzHwv9gw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YlN0a1M2cStpbUtMMWFZ
RzQrMGZmbkN2c01yOHhvbllwQUVpcWhmU3lrCkQxeHNQb2pKa3pOYnB3aEFjTGl1
c1IvSnZnTS9JMFJ1L1E0cXRybEJ6KzQKLS0tIDdPNTNwZDdMRzhyVzNzdXRESlZO
TkRXeUsxTWpodWtIT3Mza3o3SlZGdUkK/U6+p4rYGLhTWSHPOysau+iCoWseiLht
oT8a2hp9dSh1ofseyBfgeDeBN7Td9Z9FTBXBgcM911Sdq3VffQJHgw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdm01UEx6OFZkOW5QTnp3
bUpuczZUUFdhRnhBbUxabGNFY0Rzd3pDdGp3CnRZMk9JRTV5Q1Jwa1J5Q1dtd0lM
YzZKVzVRNldEa3JEL3h6TURPcHc4MWMKLS0tIGVEQnJ3N3c1ZHJ1Nitta2JRWDZP
VFZ3Qm5SYzRyVitTV2JkN2hWNEVMSDAKwHMncahsEQTsahAXr9VJFgsahUJ4yrOD
E1x6RAAI+2q8v3hPO8Rd8i6i/sELyM+NdK81WRrGwn8FHR8yZC7zoA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheVYzaDRndjhXMmhYaGdC
ZFcyUlZNd28wbFdsUEk2OWt5aEYwSzBsWVFrCnZjOHg2bXFPNlgwa3E3NkZlOXpJ
T2llSXJLNmcwWVVYdDdJY24xV1laWmMKLS0tIFhwTFdKaHk4NG91L2Y3OUZ4eHhD
V000QkdMWUhBV3E3dklnbTgvQVFUVG8KRkTaCoXdzF6+di4o9MoZIVUtM7YCxfiF
3PP2lurWxmSmGDhD7OwIgM+EQ0sKViDbcvGs6Oo8BKClgSx7i9kvPg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
- recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYWozckZEcGJRK0NoTEcr
N0JsUG9UMGV1NTNxa0RmK3QyYVp0Wm04S25vCkxsSnpWQ3NGaGZMalEreUZkZVZE
ZUk4R1M3cDdaU0NBa21Hc2lTaXFhdGcKLS0tIFcwRGJZU0hmUW5aRHZsNG1NZ25n
ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw
tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbUMxNy9VTkJkMkszcUdx
MjJlRDk4TnoxMVEzSDdIK3J5dktWWHl5MHl3CmtjS013OXlqSjNhTlNBWURTRmht
eFVLRU1Kbm5OdUtHRm5Nb3NGdzBwWHMKLS0tIE51M2tnaEUzMlRIeDEzZjhxV3RH
clE0QWFvRit2N1hsaDlUcUpDbFdhUlEKA+8ukUbm61s2B7XzbBclbmL1G+cHP9DO
XGOzmtpNm/kPKZCj9CuMBB3Ze4pEQglv66YQPafzQhmP4LMoWrOQrA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-02T22:57:14Z"
mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str]

0
hosts/fw-new.cloonar.com/utils → hosts/fw-new/utils
View File

60
hosts/fw.cloonar.com/configuration.nix
View File

@@ -49,6 +49,9 @@
./modules/palworld.nix
# ./modules/ark-survival-evolved.nix
# setup network
./modules/setupnetwork.nix
./hardware-configuration.nix
];
@@ -84,37 +87,42 @@
inotify-tools
];
nix.gc = {
automatic = true;
options = "--delete-older-than 60d";
nix = {
settings.auto-optimise-store = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 60d";
};
# Free up to 1GiB whenever there is less than 100MiB left.
extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)}
'';
};
services.auto-cpufreq.enable = true;
services.auto-cpufreq.settings = {
charger = {
governor = "powersave";
turbo = "auto";
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "powersave"; # powersave or performance
CPU_ENERGY_PERF_POLICY_ON_AC = "power"; # power or performance
# CPU_MIN_PERF_ON_AC = 0;
# CPU_MAX_PERF_ON_AC = 100; # max 100
};
};
boot = {
kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
# kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd
kernelParams = [
"rootwait"
"earlycon" # enable early console, so we can see the boot messages via serial port / HDMI
"consoleblank=0" # disable console blanking(screen saver)
"console=ttyS2,1500000" # serial port
"console=tty1" # HDMI
# docker optimizations
"cgroup_enable=cpuset"
"cgroup_memory=1"
"cgroup_enable=memory"
"swapaccount=1"
];
systemd.services = {
powertop = {
wantedBy = [ "multi-user.target" ];
after = [ "multi-user.target" ];
description = "Powertop tunings";
path = [ pkgs.kmod ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = "${pkgs.powertop}/bin/powertop --auto-tune && for dev in /sys/class/net/*; do echo on > \"$dev/device/power/control\"; done'";
};
};
};
boot.tmp.cleanOnBoot = true;

5
hosts/fw.cloonar.com/hardware-configuration.nix
View File

@@ -1,6 +1,9 @@
{ lib, config, modulesPath, ... }:
{
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot = {
enable = true;
configurationLimit = 5;
};
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" "kvm-intel" ];

1
hosts/fw.cloonar.com/modules/ddclient.nix
View File

@@ -13,6 +13,7 @@
"vpn.cloonar.com"
"git.cloonar.com"
"palworld.cloonar.com"
"matrix.cloonar.com"
];
};

5
hosts/fw.cloonar.com/modules/dhcp4.nix
View File

@@ -92,6 +92,11 @@
ip-address = "10.42.97.5";
server-hostname = "web-02.cloonar.com";
}
{
hw-address = "02:00:00:00:00:04";
ip-address = "10.42.97.6";
server-hostname = "matrix.cloonar.com";
}
{
hw-address = "ea:db:d4:c1:18:ba";
ip-address = "10.42.97.50";

8
hosts/fw.cloonar.com/modules/firewall.nix
View File

@@ -33,7 +33,7 @@
iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic"
iifname "lan" tcp dport 5931 counter accept comment "Spice"
iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS"
iifname { "multimedia", "smart", "infrastructure", "podman0", "setup" } udp dport { 53, 5353 } counter accept comment "DNS"
iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
# Accept mDNS for avahi reflection
@@ -92,10 +92,9 @@
oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept
# lan and vpn to any
# TODO: disable wan when finished
iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter log prefix "basic forward allow rule" accept
iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept
iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
iifname { "infrastructure" } oifname { "server", "vserver" } counter accept
iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept
iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld"
# accept palword server
@@ -121,6 +120,7 @@
"wg_cloonar",
"podman*",
"guest",
"setup",
"vb-*",
"vm-*",
} oifname {

62
hosts/fw.cloonar.com/modules/home-assistant/default.nix
View File

@@ -1,6 +1,11 @@
{ config, pkgs, ... }:
let
domain = "home-assistant.cloonar.com";
pkgs-with-home-assistant = import (builtins.fetchGit {
name = "new-home-assistant";
url = "https://github.com/nixos/nixpkgs/";
rev = "268bb5090a3c6ac5e1615b38542a868b52ef8088";
}) {};
in
{
users.users.hass = {
@@ -35,21 +40,21 @@ in
extraFlags = [
"--capability=CAP_NET_ADMIN"
];
allowedDevices = [
{
modifier = "rwm";
node = "char-usb_device";
}
{
modifier = "rwm";
node = "char-ttyUSB";
}
];
# allowedDevices = [
# {
# modifier = "rwm";
# node = "char-usb_device";
# }
# {
# modifier = "rwm";
# node = "char-ttyUSB";
# }
# ];
bindMounts = {
"/dev/ttyUSB0" = {
hostPath = "/dev/ttyUSB0";
isReadOnly = false;
};
# "/dev/ttyUSB0" = {
# hostPath = "/dev/ttyUSB0";
# isReadOnly = false;
# };
"/etc/localtime" = {
hostPath = "/etc/localtime";
};
@@ -104,6 +109,7 @@ in
environment.systemPackages = [
pkgs.wol
pkgs.mariadb
];
services.nginx.enable = true;
@@ -127,6 +133,7 @@ in
};
services.home-assistant = {
package = pkgs-with-home-assistant.home-assistant;
enable = true;
};
@@ -140,6 +147,30 @@ in
"tplink_omada"
];
services.home-assistant.extraPackages = ps: with ps; [
mysqlclient
];
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ "hass" ];
ensureUsers = [
{
name = "hass";
ensurePermissions = {
"hass.*" = "ALL PRIVILEGES";
};
}
];
};
services.mysqlBackup = {
enable = true;
databases = [ "hass" ];
};
services.home-assistant.config =
let
hiddenEntities = [
@@ -148,6 +179,9 @@ in
];
in
{
recorder = {
db_url = "mysql://hass@localhost/hass?unix_socket=/var/run/mysqld/mysqld.sock";
};
homeassistant = {
name = "Home";
latitude = "!secret home_latitude";

32
hosts/fw.cloonar.com/modules/home-assistant/light.nix
View File

@@ -370,6 +370,7 @@
{
platform = "group";
name = "Livingroom Lights";
all = true;
entities = [
"light.livingroom_switch"
"light.living_bulb_1"
@@ -380,6 +381,37 @@
"light.living_bulb_6"
];
}
{
platform = "switch";
name = "Kitchen Switch";
entity_id = "switch.kitchen_switch";
}
{
platform = "group";
name = "Kitchen Lights";
all = true;
entities = [
"light.kitchen_switch"
"light.kitchen"
];
}
{
platform = "switch";
name = "Bedroom Switch";
entity_id = "switch.bedroom_switch";
}
{
platform = "group";
name = "Bedroom Lights";
all = true;
entities = [
"light.bedroom_switch"
"light.bedroom_bulb_1"
"light.bedroom_bulb_2"
"light.bedroom_bulb_3"
"light.bedroom_bulb_4"
];
}
];
};
}

2
hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix
View File

@@ -48,7 +48,7 @@
friendly_name = "Any multimedia device on";
device_class = "connectivity";
value_template = ''
{% if is_state('binary_sensor.ps5', 'on') or is_state('binary_sensor.xbox', 'on') or (states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'off' and states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'unavailable') or (is_state('binary_sensor.steamdeck', 'on') and (states('sensor.steamdeck_power') | float > 5)) %}
{% if is_state('binary_sensor.ps5', 'on') or is_state('binary_sensor.xbox', 'on') or (states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'off' and states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'unavailable') or (is_state('binary_sensor.steamdeck', 'on') and (states('sensor.steamdeck_power') | float(default=0) > 5)) %}
on
{% else %}
off

21
hosts/fw.cloonar.com/modules/home-assistant/shelly.nix
View File

@@ -7,17 +7,22 @@ let
{ name = "Living Bulb 4"; id = "485519D94A28"; }
{ name = "Living Bulb 5"; id = "485519DA6B6A"; }
{ name = "Living Bulb 6"; id = "485519D9E018"; }
{ name = "Bedroom Bulb 1"; id = "08F9E06F4EB4"; }
{ name = "Bedroom Bulb 2"; id = "485519EE0ED9"; }
{ name = "Bedroom Bulb 3"; id = "08F9E06FE779"; }
{ name = "Bedroom Bulb 4"; id = "485519EE00A0"; }
];
switches = [
{ name = "Kitchen Switch"; id = "483FDA8274C2"; relay = "0"; }
{ name = "Livingroom Switch"; id = "483FDA8274C2"; relay = "1"; }
];
proswitches = [
{ name = "Hallway Circuit"; id = "c8f09e894448"; relay = "0"; }
{ name = "Bathroom Circuit"; id = "c8f09e894448"; relay = "1"; }
{ name = "Kitchen Circuit"; id = "c8f09e894448"; relay = "2"; }
{ name = "Livingroom Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "0"; }
{ name = "Kitchen Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "1"; }
{ name = "Bedroom Switch"; id = "shelly1pmminig3-34b7da933fe0"; relay = "0"; }
{ name = "Hallway Circuit"; id = "shellypro3-c8f09e894448"; relay = "0"; }
{ name = "Bathroom Circuit"; id = "shellypro3-c8f09e894448"; relay = "1"; }
{ name = "Kitchen Circuit"; id = "shellypro3-c8f09e894448"; relay = "2"; }
];
in {
services.home-assistant.extraComponents = [
@@ -45,14 +50,14 @@ in {
in {
name = switch.name;
unique_id = unique_id;
state_topic = "shellies/shellypro3-${switch.id}/status/switch:${switch.relay}";
state_topic = "shellies/${switch.id}/status/switch:${switch.relay}";
value_template = "{{ value_json.output }}";
state_on = true;
state_off = false;
command_topic = "shellies/shellypro3-c8f09e894448/rpc";
command_topic = "shellies/${switch.id}/rpc";
payload_on = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":true}}";
payload_off = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":false}}";
availability_topic = "shellies/shellypro3-${switch.id}/online";
availability_topic = "shellies/${switch.id}/online";
payload_available = "true";
payload_not_available = "false";
}

16
hosts/fw.cloonar.com/modules/home-assistant/sleep.nix
View File

@@ -14,6 +14,14 @@
{
delay = 1700;
}
{
service = "switch.turn_on";
entity_id = "switch.hallway_circuit";
}
{
service = "switch.turn_on";
entity_id = "switch.bathroom_circuit";
}
{
service = "switch.turn_on";
entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe"; # livingroom
@@ -64,6 +72,14 @@
service = "switch.turn_off";
entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe";
}
{
service = "switch.turn_off";
entity_id = "switch.hallway_circuit";
}
{
service = "switch.turn_off";
entity_id = "switch.bathroom_circuit";
}
];
}
];

58
hosts/fw.cloonar.com/modules/setupnetwork.nix Normal file
View File

@@ -0,0 +1,58 @@
{ ... }: {
networking = {
vlans = {
setup = {
id = 110;
interface = "enp5s0";
};
};
interfaces = {
setup = {
ipv4.addresses = [{
address = "10.42.110.1";
prefixLength = 24;
}];
};
};
};
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [
"setup"
];
};
subnet4 = [
{
pools = [
{
pool = "10.42.110.100 - 10.42.110.240";
}
];
subnet = "10.42.110.0/24";
interface = "setup";
option-data = [
{
name = "routers";
data = "10.42.110.1";
}
{
name = "domain-name";
data = "cloonar.com";
}
{
name = "domain-search";
data = "cloonar.com";
}
{
name = "domain-name-servers";
data = "10.42.97.1";
}
];
}
];
};
};
}

9
hosts/fw.cloonar.com/modules/unbound.nix
View File

@@ -23,9 +23,9 @@ let
cfg = {
remote-control.control-enable = true;
server = {
include = [
"\"${adblockLocalZones}\""
];
# include = [
# "\"${adblockLocalZones}\""
# ];
interface = [ "0.0.0.0" "::0" ];
interface-automatic = "yes";
access-control = [
@@ -56,6 +56,7 @@ let
"\"snapcast.cloonar.com IN A 10.42.97.21\""
"\"home-assistant.cloonar.com IN A 10.42.97.20\""
"\"web-02.cloonar.com IN A 10.42.97.5\""
"\"matrix.cloonar.com IN A 10.42.97.5\""
"\"support.cloonar.com IN A 10.42.97.5\""
"\"git.cloonar.com IN A 10.42.97.50\""
"\"sync.cloonar.com IN A 10.42.97.51\""
@@ -73,6 +74,7 @@ let
"\"mieterhilfe.at IN A 10.254.240.109\""
"\"wohnpartner-wien.at IN A 10.254.240.109\""
"\"new.wohnberatung-wien.at IN A 10.254.240.109\""
"\"new.wohnpartner-wien.at IN A 10.254.240.109\""
"\"wohnberatung-wien.at IN A 10.254.240.109\""
"\"wienbautvor.at IN A 10.254.240.109\""
"\"wienwohntbesser.at IN A 10.254.240.109\""
@@ -94,6 +96,7 @@ let
"\"b.stage.mieterhilfe.at IN A 10.254.240.110\""
"\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\""
"\"b.stage.new.wohnberatung-wien.at IN A 10.254.240.110\""
"\"b.stage.new.wohnpartner-wien.at IN A 10.254.240.110\""
"\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\""
"\"b.stage.wienbautvor.at IN A 10.254.240.110\""
"\"b.stage.wienwohntbesser.at IN A 10.254.240.110\""

19
hosts/fw.cloonar.com/modules/web/default.nix
View File

@@ -1,10 +1,18 @@
{ lib, nixpkgs, pkgs, ... }: let
{ lib, pkgs, config, ... }: let
hostname = "web-02";
json = pkgs.formats.json { };
impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
in {
microvm.vms = {
web = {
pkgs = import pkgs.path {
config = {
permittedInsecurePackages = [
# needed for matrix
"olm-3.2.16"
];
};
};
config = {
microvm = {
mem = 4096;
@@ -47,6 +55,7 @@ in {
# ./zammad.nix
./proxies.nix
./matrix.nix
];
time.timeZone = "Europe/Vienna";
@@ -93,6 +102,14 @@ in {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
# backups
# borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";

484
hosts/fw.cloonar.com/modules/web/matrix.nix Normal file
View File

@@ -0,0 +1,484 @@
{ pkgs, lib, config, ... }:
let
hostname = "matrix";
fqdn = "${hostname}.cloonar.com";
baseUrl = "https://matrix.cloonar.com";
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
sops.secrets.matrix-shared-secret = {
};
sops.secrets.dendrite-private-key = {
};
services.postgresql = {
enable = true;
ensureDatabases = [ "dendrite" ];
ensureUsers = [
{
name = "dendrite";
}
];
};
services.postgresqlBackup.enable = true;
services.postgresqlBackup.databases = [ "dendrite" ];
services.nginx.virtualHosts."${fqdn}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/".extraConfig = ''
return 404;
'';
locations."/_dendrite".proxyPass = "http://[::1]:8008";
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
};
services.dendrite = {
enable = true;
settings = {
global = {
server_name = "cloonar.com";
private_key = "$CREDENTIALS_DIRECTORY/private_key";
database.connection_string = "postgresql:///dendrite?host=/run/postgresql";
};
client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
app_service_api.config_files = [
"$CREDENTIALS_DIRECTORY/whatsapp_registration"
"$CREDENTIALS_DIRECTORY/signal_registration"
"$CREDENTIALS_DIRECTORY/discord_registration"
];
app_service_api.database.connection_string = "";
federation_api.database.connection_string = "";
key_server.database.connection_string = "";
relay_api.database.connection_string = "";
media_api.database.connection_string = "";
room_server.database.connection_string = "";
sync_api.database.connection_string = "";
user_api.account_database.connection_string = "";
user_api.device_database.connection_string = "";
mscs.database.connection_string = "";
};
loadCredential = [
"private_key:${config.sops.secrets.dendrite-private-key.path}"
"whatsapp_registration:/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
"signal_registration:/var/lib/mautrix-signal/signal-registration.yaml"
"discord_registration:/var/lib/mautrix-discord/discord-registration.yaml"
];
environmentFile = config.sops.secrets.matrix-shared-secret.path;
};
users.users.mautrix-whatsapp = {
isSystemUser = true;
group = "mautrix-whatsapp";
home = "/var/lib/mautrix-whatsapp";
description = "Mautrix-WhatsApp bridge user";
};
users.groups.mautrix-whatsapp = {};
systemd.services.mautrix-whatsapp = let
dataDir = "/var/lib/mautrix-whatsapp";
registrationFile = "${dataDir}/whatsapp-registration.yaml";
settingsFile = "${dataDir}/config.json";
settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" defaultConfig;
settingsFormat = pkgs.formats.json {};
appservicePort = 29318;
defaultConfig = {
homeserver = {
address = "http://[::1]:8008";
domain = "cloonar.com";
};
appservice = {
hostname = "[::]";
port = appservicePort;
database.type = "sqlite3";
database.uri = "${dataDir}/mautrix-whatsapp.db";
id = "whatsapp";
bot.username = "whatsappbot";
bot.displayname = "WhatsApp Bridge Bot";
as_token = "";
hs_token = "";
};
bridge = {
username_template = "whatsapp_{{.}}";
displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}} (WA)";
double_puppet_server_map = {};
login_shared_secret_map = {};
command_prefix = "!wa";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
history_sync.request_full_sync = false;
encryption = {
allow = true;
default = true;
require = true;
};
};
logging = {
min_level = "info";
writers = lib.singleton {
type = "stdout";
format = "pretty-colored";
time_format = " ";
};
};
};
in {
description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix";
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
preStart = ''
test -f '${settingsFile}' && rm -f '${settingsFile}'
old_umask=$(umask)
umask 0177
${pkgs.envsubst}/bin/envsubst \
-o '${settingsFile}' \
-i '${settingsFileUnsubstituted}'
umask $old_umask
# generate the appservice's registration file if absent
if [ ! -f '${registrationFile}' ]; then
${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
--generate-registration \
--config='${settingsFile}' \
--registration='${registrationFile}'
fi
chmod 640 ${registrationFile}
umask 0177
${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
| .[0].appservice.hs_token = .[1].hs_token
| .[0]' '${settingsFile}' '${registrationFile}' \
> '${settingsFile}.tmp'
mv '${settingsFile}.tmp' '${settingsFile}'
umask $old_umask
'';
serviceConfig = {
User = "mautrix-whatsapp";
Group = "mautrix-whatsapp";
# EnvironmentFile = cfg.environmentFile;
StateDirectory = baseNameOf dataDir;
WorkingDirectory = dataDir;
ExecStart = ''
${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
--config='${settingsFile}' \
--registration='${registrationFile}' \
--ignore-unsupported-server
'';
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
Restart = "on-failure";
RestartSec = "30s";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = ["@system-service"];
Type = "simple";
UMask = 0027;
};
restartTriggers = [settingsFileUnsubstituted];
};
users.users.mautrix-signal = {
isSystemUser = true;
group = "mautrix-signal";
home = "/var/lib/mautrix-signal";
description = "Mautrix-Signal bridge user";
};
users.groups.mautrix-signal = {};
systemd.services.mautrix-signal = let
pkgswithsignal = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/fd698a4ab779fb7fb95425f1b56974ba9c2fa16c.tar.gz") {
config = {
permittedInsecurePackages = [
# needed for matrix
"olm-3.2.16"
];
};
};
dataDir = "/var/lib/mautrix-signal";
registrationFile = "${dataDir}/signal-registration.yaml";
settingsFile = "${dataDir}/config.json";
settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" defaultConfig;
settingsFormat = pkgs.formats.json {};
appservicePort = 29328;
defaultConfig = {
homeserver = {
address = "http://[::1]:8008";
domain = "cloonar.com";
};
appservice = {
hostname = "[::]";
port = appservicePort;
database.type = "sqlite3";
database.uri = "file:${dataDir}/mautrix-signal.db?_txlock=immediate";
id = "signal";
bot = {
username = "signalbot";
displayname = "Signal Bridge Bot";
};
as_token = "";
hs_token = "";
};
bridge = {
username_template = "signal_{{.}}";
displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
double_puppet_server_map = { };
login_shared_secret_map = { };
command_prefix = "!signal";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
encryption = {
allow = true;
default = true;
require = true;
};
};
logging = {
min_level = "info";
writers = lib.singleton {
type = "stdout";
format = "pretty-colored";
time_format = " ";
};
};
};
in {
description = "Mautrix-Signal Service - A Signal bridge for Matrix";
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
preStart = ''
test -f '${settingsFile}' && rm -f '${settingsFile}'
old_umask=$(umask)
umask 0177
${pkgs.envsubst}/bin/envsubst \
-o '${settingsFile}' \
-i '${settingsFileUnsubstituted}'
umask $old_umask
# generate the appservice's registration file if absent
if [ ! -f '${registrationFile}' ]; then
${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \
--generate-registration \
--config='${settingsFile}' \
--registration='${registrationFile}'
fi
chmod 640 ${registrationFile}
umask 0177
${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
| .[0].appservice.hs_token = .[1].hs_token
| .[0]
| if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . end' \
'${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
mv '${settingsFile}.tmp' '${settingsFile}'
umask $old_umask
'';
serviceConfig = {
User = "mautrix-signal";
Group = "mautrix-signal";
# EnvironmentFile = cfg.environmentFile;
StateDirectory = baseNameOf dataDir;
WorkingDirectory = dataDir;
ExecStart = ''
${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \
--config='${settingsFile}' \
--registration='${registrationFile}' \
--ignore-unsupported-server
'';
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
Restart = "on-failure";
RestartSec = "30s";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = ["@system-service"];
Type = "simple";
UMask = 0027;
};
restartTriggers = [settingsFileUnsubstituted];
};
users.users.mautrix-discord = {
isSystemUser = true;
group = "mautrix-discord";
home = "/var/lib/mautrix-discord";
description = "Mautrix-Discord bridge user";
};
users.groups.mautrix-discord = {};
systemd.services.mautrix-discord = let
pkgswithdiscord = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ed627539ac84809c78b2dd6d26a5cebeb5ae269.tar.gz") {
config = {
permittedInsecurePackages = [
# needed for matrix
"olm-3.2.16"
];
};
};
dataDir = "/var/lib/mautrix-discord";
registrationFile = "${dataDir}/discord-registration.yaml";
settingsFile = "${dataDir}/config.json";
settingsFileUnsubstituted = settingsFormat.generate "mautrix-discord-config-unsubstituted.json" defaultConfig;
settingsFormat = pkgs.formats.json {};
appservicePort = 29329;
defaultConfig = {
homeserver = {
address = "http://[::1]:8008";
domain = "cloonar.com";
};
appservice = {
hostname = "[::]";
port = appservicePort;
database.type = "sqlite3";
database.uri = "file:${dataDir}/mautrix-discord.db?_txlock=immediate";
id = "discord";
bot = {
username = "discordbot";
displayname = "Discord Bridge Bot";
};
as_token = "";
hs_token = "";
};
bridge = {
username_template = "discord_{{.}}";
displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
double_puppet_server_map = { };
login_shared_secret_map = { };
command_prefix = "!discord";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
encryption = {
allow = true;
default = true;
require = true;
};
};
logging = {
min_level = "info";
writers = lib.singleton {
type = "stdout";
format = "pretty-colored";
time_format = " ";
};
};
};
in {
description = "Mautrix-Discord Service - A Discord bridge for Matrix";
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
preStart = ''
test -f '${settingsFile}' && rm -f '${settingsFile}'
old_umask=$(umask)
umask 0177
${pkgs.envsubst}/bin/envsubst \
-o '${settingsFile}' \
-i '${settingsFileUnsubstituted}'
umask $old_umask
# generate the appservice's registration file if absent
if [ ! -f '${registrationFile}' ]; then
${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \
--generate-registration \
--config='${settingsFile}' \
--registration='${registrationFile}'
fi
chmod 640 ${registrationFile}
umask 0177
${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
| .[0].appservice.hs_token = .[1].hs_token
| .[0]
| if env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET else . end' \
'${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
mv '${settingsFile}.tmp' '${settingsFile}'
umask $old_umask
'';
serviceConfig = {
User = "mautrix-discord";
Group = "mautrix-discord";
# EnvironmentFile = cfg.environmentFile;
StateDirectory = baseNameOf dataDir;
WorkingDirectory = dataDir;
ExecStart = ''
${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \
--config='${settingsFile}' \
--registration='${registrationFile}'
'';
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
Restart = "on-failure";
RestartSec = "30s";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = ["@system-service"];
Type = "simple";
UMask = 0027;
};
restartTriggers = [settingsFileUnsubstituted];
};
}

6
hosts/fw.cloonar.com/modules/web/secrets.yaml
View File

@@ -1,6 +1,8 @@
borg-passphrase: ENC[AES256_GCM,data:2WjoqMRmXvW9EGMmpMYhrC0Qt0Dk7QWlbEncZPdK2SxVljEoFibjVEr6jeYdAx6UkaXdjk9pD3PBbls2tWt0TiNQdh8=,iv:bHzASNjqqfPsQ/1w/oM7x0FubAzzRkn+iWrZlenU9rs=,tag:ektqi0rqEywg9YGybPQesw==,type:str]
borg-ssh-key: ENC[AES256_GCM,data:b/xZnUTfi85IG1s897CBF1HD7BTswQUatbotyZfLmbhxXxEyffUeaiGsT9Gh9yQqOKTstTihA48nVk/4ekAPD/ZGDQ189V1BwKkQ5chN9TSULofekfmemhUhVGjnx8OFl6hYYpTttQSTLHtczmfE2iX1JyrZy2Z+H+w6dbZjkYDayRUt/4+5wCtQJ1Nt7bjzwLWhjdVtwDeBLm/kCywVguZLCgyiuqmXMr1h9jpUS7URZegGz1lFs34Ismu1LtaRjFGRyd8aKaTU6PSxDbjE4dQ3Lh1Hm3nhtOrSkswBZLp8OTP6emrQ7c3oJp1zqO5zQHXxD2V5hkPw6ln0Ee1aQp1rvLD8shRXzRbHG+mySvjKLJvLypnNuYfQklqlnhbG+M1/NN13oVF13nHpKwP5q33sRr49mfHw8YHdRhHuhYHVrpy8ep0AmPXiDYCDM4cnlOMnzlH/toF0fq0YRny6QoqKNpaYhmA61MXRPTZCqoAcE1N+oo7HymjJetzL9b2FkPCoDOx989IJ8SUaBJpzR+agNsFi87htVllRp4ozms/m56dI0AdwqeAre00iMBzpVS0hXURE7fqvAnLHQD1goW9XB2mztqcJ09YafrOgTA3oyazWcAjxgV33GupxxIDmwRdLmavvr4qrHfddYctYLPI7VolqT9JmKN6iVG9vYsDutgoyRlhzbGASKPLgcYn9sGG+LBgTHfZyABnYOaUetVP72mhSN30ZZixcCskVlGg5C53wrW5o6mBv+PyG8PimxLmQylbvHUdGGVLQfMpJaaXgpUjBX1MWdQAVa+Nyjm7QwYdRKoCb3suQ6bOq5O9eotel3GPB8gpKzInhNA/0xiB4UyCGp1i21iRS9+Rc7yufo5s3t56k0643K2DhBUVgssiTsG15BbQdX4c1O28i9zwEZ+wVci1yvLX38M0a3tDDt9iW1BIOWehShS7dpyJR2/OgWLFagw9hYP5h24t5k6Gz2ODhPouaFccYDRUBR6UECxA+gDS+trN8iNSX1oWa0ys0XvgwWpJ2CrdSArNqe1BdhM47BQwudiA3RwaEN3wRh5PeykSk/3BUXK+ZdAr0BZ8ij2q4F8zQexLxnrV6xRqofNcVs62iJAjx6g86InSv0nNjLQ9U/fBTL66u1iRZFJhuxPjDNfLJZqT0TvRR7KBcNWTwTuMCGNp5s9TngMUF4uhHx8qGxtjfH58WjixOhC9lgUt7cYEFIeefcwIO9VVnKoiXK5sPIvIsjtLRzGvejYSd0ZwSF3Ly9FkWLkr+o5rs5bXtGMsSQ+BUFg5nM1BqrHIGv9M+F4kPxhnqm9/JXuMSQ+JUzix5N0vHuSTphCayDpMHJYRUEkDEmwPXMyB9zWVmvMb0ByUnfs/n/jmL4WRuggYqchIR3/xuco5HUqLbEKXiJ39wVgy+i3/biWOOEu5BmMx3qbgQ1+6nlxY+f1qpXZ8br0RlXLOQ6L/O9Qa9gKZaxLm/5GCiFZ+SeU/c5OgUndYqTk6FsbDlNurA69IqjwubG345lpdB9VPoGP7dLsx3VaGKW0bvr06oRaeasMx90SN5bGQJH+0iQFkGPhp0m2v31zpBk1IibXi5Qb1OWGXGYd+iNt1ZQF0HVuEqQEXI62x92QkaR7eHowR4tCRF1xH1ZrBkyjtdofUU2wPqsRrOWqGIZWUh/JpfXkSAZQo9yJKnHcp9d3BPEvWpLWS9g1Jfej5XG497aP6crWw5XawOyzi+PEgz2Y3Q0R/MM3S1W2R7Z+21nekbCfghpNylwIX4UYkeX8YorheiumkUfFXjktPSkFCTuUrYAA89WZjIIqd4/gt3tS7keCsjEiTkW2KdDPlzNItKnC8xWnpRc+Wh6ghA/nt3j4POb880j3scFoDjgOv5lNk2Q84S/IW+DQ3U8o4JrKiXsxchDvmgGbU4FbXZTGLXeM1CybmbZKogIHdwJkhC425oqA1PMiq5tDPLKpl2214JuaV4Xd8R0bwCSHYjQp9gqJT9j1Wg/3P0M3/VGZGoJEVriiBl6PBHP2CcvxK1NADDmMHgGQwwfROoSijAzzPKCy9sgzsquTkqzq8q4aChjGKShxs+52dpnmmuygSlxjyVQCEW9kLERf1Nm1arsLkHJ4ZsWgSrskGvjsPEvyEnpY33gGB7fpy90NW0GtELgGzEw/1nfLcFbRBJ7gH+4Dby2fBTxoV2ks9m0Fv6OWsfIe6H54zWLmqB1RkQaskb1wDKU3HATOmuYo/fByLIsMyR5l3P7LXWF5CJOprzp41rGts/ybJEG1EUtmVCs2epTwbeG/Waq1DB3TFa639ETjxOfGQ65PXp5aT1d5v+ko87LiR+0us6xwlfZ6NMRRZuPt4wycFgPUAAmpdmguwDKifHKA258g9kzotT25JeFFEMVhsMi1PoXEqA+sFomdsLt+Vtpr2aGMUWyHD/E2fgAtybLwxbjqDINi8vXWJxv/UZdH8wBOlWLtaeGg5/jRsMuL/hSSZ84Q2zfRVvV7/BZ7wnxfoXmAwRdTZijAvc9TxWszP6E5mAix7s/znU+1vnseJdxWa4Ff1wOGVL/Tem2K0J/mp75XuzSP7nCYDMgqhnvfzlD8vv6QpxtDUAbdTBDyPkQ4U9L6+y5ul5Aegpui+p0G9/0UHdBYhJiFd90omnhSmyHx2pvgUTfbL/Kv/pk7nwTv89a87NXNA9K6AATwx0kUPgIWs/5FGi8leCXGSsgBbJogL1htC72pKzVH6ckEzKeBzRADmwFLhnPIvp37ZkQPj0rrWRhkd5RqsFcN0166N+M4lPD0hzPd2+nEXDAOHoCK7U+BcRcJ3GUlyPU91dbWfo9otPd3naTvGVZuFDxOihLtBXaLTsxmS4STk6DVRjwNmX8YC9FwXkED19xEeH6KkaFs1nVXnmDqpvi2BcueT96t6TOeu5HcA9fAgFTpOKVT6cK2PcHTtJhjrPkfSYr0/ksJdV7r9N4JgAEfiASMMHS5uQWJlyJKWo92rJ2IvSCQx4lcK3gasgcTsVaYmuRORM+6263r4NKS8W8r55XvVyW/C7vvsVq6wF3xUkQadBkxIUQUVWxxCc1pWOlfWwMs0i+ZssoaWopbs7x45z86i+3HsHmfS6GuXUpQfgvXe9Bn7mOj7VQWaG9NIFUpIxisGfdY9L8+RXobo7etD3da7TNMs40BT+34tijcX53FzKwvG3ESNPB2hjOAITDta6LDOHhJrlVqn90p1DicThHOaT3fxt6ST287EhWqK9S1gpkLrp0gNSA9v+K9mBvWaWYNDXY7sGxOIMzCEIdFT18Pra92NhGTJtC0XizHDMUfGx5WAaard1Iy/PYXvavoAwp30qDCQGF+PgwSProa+JtQQPzoEgtSXNVhUWIzz10TACuo+vHt8sHvFG3VuU7jSOr9sqVrN36KMDUlwo0gavHKsjRxHf2OGh552q7AP+sM6Y5WhA4KhmQSUKCVxYVQ==,iv:U3+fjacm8+gZAjPQNz2mjFYTUbLyltTaPiSKb3lvCmk=,tag:ZR6zI1UijDayIvH3v35Hqg==,type:str]
zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str]
dendrite-private-key: ENC[AES256_GCM,data:ZHDIa/iYSZGofE67JU63fHRdKbs/ZyEJY45tV6H8WZAOcduGafPYBo2NCZ7nqLbc2Z9dUUgsrpzvkQ3+VaWqFUv7YsE+CbCx4CeiLGMkj8EAGzX4rkJGHMzkkc2UT7v9znCnKACS3fZtU69trqVMcf1PzgqepOHMBku37dzpwOQC/Tc3UTuO72M=,iv:Ljun1/ruY9cDBm9vu62riUrpGjrWtFFx90GeE7uc3Yo=,tag:FF4xPb1SDhK/4ITr/idvYg==,type:str]
matrix-shared-secret: ENC[AES256_GCM,data:HeS4PT0R+TRU6Htwa5TChjK1VAjAdgSS8tSnva+ga3f+mEfJPTQ02pEvS2WFvcnchmEjNYy39zL/rbtX,iv:4yR+VgdJY3VcvLg18v+5jbJDSkFzaeyLNAZ0k8ivjdQ=,tag:RA96iSFDUdlXq30c/vkvpA==,type:str]
sops:
kms: []
gcp_kms: []
@@ -25,8 +27,8 @@ sops:
Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx
SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-16T11:12:23Z"
mac: ENC[AES256_GCM,data:nMLxD/WP3LxLTECQ/wQjiDW3F2Lx8yeMTkNIg97eipebVZwTLiVGg4t+sVzen+X3t4tPixO2a72mWMtIVQKs8d2MzkydLh+LjYItUBP+uw/rnCjB0zfxiPN883+FO6q4+BoT0JJc4LUHbgQQWEDnKaqld4/ICE1xJbPZVEJWo40=,iv:JenHaRqB8ZVDRV5rUOgMURflqQzfOrt9pHege2oiT7g=,tag:xv0p2oW1P0FPqcrRoQ/6tw==,type:str]
lastmodified: "2024-10-14T16:53:41Z"
mac: ENC[AES256_GCM,data:DUi6zUrZBMVaYZ/BvWny7RwPgXe+vQ+odO30fGe8iZHj9d3gzB95F75CqIgENi4gVOA4CQDADE+p45z/mtl04HAh7RiT0/k21RSdQcH2W9AX525fOzeqbxbPA/tXJOctwGrytFwlK9UdJULXkJCwYrJnwNc0XPnBk1FodTykXWs=,iv:q/eapgTVL/rifrrZeIcXT5VO9bEoS4EmmEhYJ2xHvQ4=,tag:xb0Qj/wu17cLTkvefsDqiw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

1
hosts/fw.cloonar.com/modules/web/zammad.nix
View File

@@ -10,7 +10,6 @@
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."support.cloonar.com" = {
forceSSL = true;
enableACME = true;

5
hosts/fw.cloonar.com/secrets.yaml
View File

@@ -11,6 +11,7 @@ gitea-runner-token: ENC[AES256_GCM,data:Nd0vsnuJficsdZaqeBZXa9vD7PLMdDtV9sMX0TxU
drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str]
home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str]
home-assistant-secrets.yaml: ENC[AES256_GCM,data:m7uOVo7hPk/RmqqRS6y7NKoMKsR9Bdi1ntatsZdDOAbJMjZmZL2FgPEHi/zF73zCfRfTOca3dwpulR3WXZ9Ic1sbUIggmusJMg4Gellw1CUhx7SbQN5nieAbPbB9GVxMuV4OakD1u7Swz8JggDT6IwojSnuD5omCRCyUH1wvKB+Re59q6EStderlm5MJNVFlVrbKVbLKLcw4yRgTh34BGnTTjcJmgSlQjO1ciu2B7YQmdl0Fw6d8AdbEzgB5TFG5ONc85UhJDE8Wlw==,iv:GCtpcVChN2UMWtfnWURozCfVj2YbRPqp/bH4Jjntybs=,tag:pcxP7gTBtXMNT5iyW5YXTw==,type:str]
matrix-shared-secret: ENC[AES256_GCM,data:67imd3m6WBeGP/5Msmjy8B6sP983jMyWzRIzWgNVV5jZslX+GBJyEYzm3OTDs1iTZf4ScvuYheTH0QFPfw==,iv:7ElCpESWumbIHmmFaedcpkFm5M58ZT3vW9wb9e1Sbh4=,tag:wr4FIymtJBtCerVqae+Xlw==,type:str]
palworld: ENC[AES256_GCM,data:rdqChPt4gSJHS1D60+HJ+4m5mg35JbC+pOmevK21Y95QyAIeyBLVGhRYlOaUcqdZM2e4atyTTSf6z4nHsm539ddCbW7J2DCdF5PQkrAGDmmdTVq+jyJAT8gTrbXXCglT1wvFYY5dbf2NKA4ASJIA8bdVNuwRZU0CtFiishzLuc9m8ZcGCNwQ/+xkMZgkUAHYRlEJAZyMpXR6KkFftiR05JRAFczD4N7GXPPe+vyvgXg7QBGtf20Qd4SGBUw0zI/SNTRmifHUuc4Z6+Fe9JHgvTc3uFcTMVnty0fEuL+a29liaVdAFq8BnqJfc5CNV401ZSUeMbG41lCn1cegP/WChs9J6HXNrhWDgiXa6ln++NoKcfOHIfZVbYOCoOxFR6+YWeBU2+sHmdwI9j5XQf5Ly2hmg12j0Ds2Cn8k4PG5aQP+HT2bedqyxwSt6fi97A0Osnh4ig7+DzYAjSNLewbYLzVdK39VdvB9hqLto+yFS3gAaeYOHwPwtqa+COI85c55lHiyKHlSwPhBqYaaiDu00lQTUzq9R5vz6F/l+T3bUjuna5RryUu8yhnk5DyK834KycTOg4ETcZTqro6prfiEBxc+Utsc9JvEtZgwFv6fsVLOu7nHxuiYuvseZ4YA8LlYdwPJboMPO2XsuhwWtT1uz/rh2orH7/vsXvzA/kF8NFemWBEMVLYA8byC5ze8doiGDYp4T5AAf10nJB1ceQ==,iv:gs78fxhvo9KlTaR5nzs12/LdgPChSFPHD2k4VQp3ARo=,tag:lpWBOi9xh2cWkS+71KD/UQ==,type:str]
ark: ENC[AES256_GCM,data:YYGyzoVIKI9Ac1zGOr0BEpd3fgBsvp1hSwAvfO07/EQdg8ufMWUkNvqNHDKN62ZK5A1NnY3JTA1p4gyZ4ryQeAOsbwqU1GSk2YKHFyPeEnpLz/Ml82KMsv7XPGXuKRXZ4v3UcLu0R8k1Q0gQsMWo4FjCs3FF5mVtJG/YWxxbCYHoBLJ/di5p0DgjuFgJBQknYBpuLzr+yIoeqEyN7XcGYAJO53trEJuOOxLILULifkqISHjZ66i5F1fHW0iUdRbmeWV4aOAeOrsQqXYv,iv:gJwV5ip84zHqpU0l0uESfWWOtcgihMvEEdLaeI+twcU=,tag:sy8udVQsKxV/jOqwhJmWAg==,type:str]
firefox-sync: ENC[AES256_GCM,data:uAJAdyKAuXRuqCFl8742vIejU5RnAPpUxUFCC0s0QeXZR5oH2YOrDh+3vKUmckW4V1cIhSHoe+4+I4HuU5E73DDrJThfIzBEw+spo4HXwZf5KBtu3ujgX6/fSTlPWV7pEsDDsZ0y6ziKPADBDym8yEk0bU9nRedvTBUhVryo3aolzF/c+gJvdeDvKUYa8+8=,iv:yuvE4KG7z7Rp9ZNlLiJ2rh0keed3DuvrELzsfJu4+bs=,tag:HFo1A53Eva31NJ8fRE7TlA==,type:str]
@@ -47,8 +48,8 @@ sops:
ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw
tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-02T22:57:14Z"
mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str]
lastmodified: "2024-10-13T22:30:43Z"
mac: ENC[AES256_GCM,data:sEySfQaBevydqFBOab7RPCse8fOwiix6GIsXeR9paBCCCHOxDZDusdn0/k97wLeWzvHi0SJB/8+g8qlqXtRuJ/3mT1vJxfWwoJk3gz2WD+d8recG+KkdtkSGu04addHgBZQqGqhOfkRHYypVW3GaBfLteY08nvob4/yjaHCtGig=,iv:lsHvIovstgHmY6OrV3CO0tju2OQb1AcWgMov8klkSqA=,tag:zcvCoCwTgeZhhS1MOvH3HA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

0
hosts/fw-new.cloonar.com/channel → hosts/mail.social-grow.tech/channel
View File

49
hosts/mail.social-grow.tech/configuration.nix Normal file
View File

@@ -0,0 +1,49 @@
{ config, pkgs, ... }:
{
imports = [
./utils/bento.nix
./utils/modules/sops.nix
./utils/modules/lego/lego.nix
# ./modules/self-service-password.nix
./modules/rspamd.nix
./modules/openldap.nix
./modules/dovecot.nix
./modules/postfix.nix
./utils/modules/borgbackup.nix
./utils/modules/promtail
./utils/modules/victoriametrics
./utils/modules/netdata.nix
./hardware-configuration.nix
];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
networking.hostName = "mail";
networking.domain = "cloonar.com";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
# backups
borgbackup.repo = "u149513-sub7@u149513-sub7.your-backup.de:borg";
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
};
nix.gc = {
automatic = true;
options = "--delete-older-than 60d";
};
system.stateVersion = "22.11";
}

15
hosts/mail.social-grow.tech/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,15 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
configurationLimit = 2;
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/105A-0CC0"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}

266
hosts/mail.social-grow.tech/modules/dovecot.nix Normal file
View File

@@ -0,0 +1,266 @@
{ pkgs
, config
, ...
}:
let
domain = config.networking.domain;
# domain = "cloonar.com";
ldapConfig = pkgs.writeText "dovecot-ldap.conf" ''
hosts = ldap.cloonar.com
tls = yes
dn = "cn=vmail,ou=system,ou=users,dc=cloonar,dc=com"
dnpass = "@ldap-password@"
auth_bind = no
ldap_version = 3
base = ou=users,dc=%Dd
user_filter = (&(objectClass=mailAccount)(mail=%u))
user_attrs = \
quota=quota_rule=*:bytes=%$, \
=home=/var/vmail/%d/%n/, \
=mail=maildir:/var/vmail/%d/%n/Maildir
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailAccount)(mail=%u))
iterate_attrs = =user=%{ldap:mail}
iterate_filter = (objectClass=mailAccount)
scope = subtree
default_pass_scheme = CRYPT
'';
doveSync = pkgs.writeShellScriptBin "dove-sync.sh" ''
#!/usr/bin/env bash
SERVER=''${1}
if [ -z "$SERVER" ]; then
echo "use as dove-sync.sh host.example.com"
exit 1
fi
doveadm user *@cloonar.com | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@optiprot.eu | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@superbros.tv | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@ghetto.at | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@szaku-consulting.at | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@korean-skin.care | while read user; do
doveadm -v sync -u $user $SERVER
done
'';
quotaWarning = pkgs.writeShellScriptBin "quota-warning.sh" ''
#!/usr/bin/env bash
PERCENT=''${1}
USER=''${2}
cat << EOF | /usr/lib/dovecot/deliver -d ''${USER} -o "plugin/quota=dict:User quota::noenforcing:proxy::quotadict"
From: no-reply@$(hostname -f)
Subject: Warning: Your mailbox is now ''${PERCENT}% full.
Your mailbox is now ''${PERCENT}% full, please clean up some mails for further incoming mails.
EOF
if [ ''${PERCENT} -ge 95 ]; then
DOMAIN="$(echo ''${USER} | awk -F'@' '{print $2}')"
cat << EOF | /usr/lib/dovecot/deliver -d postmaster@''${DOMAIN} -o "plugin/quota=dict:User quota::noenforcing:proxy::quotadict"
From: no-reply@$(hostname -f)
Subject: Mailbox Quota Warning: ''${PERCENT}% full, ''${USER}
Mailbox (''${USER}) is now ''${PERCENT}% full, please clean up some mails for
further incoming mails.
EOF
fi
'';
in
{
environment.systemPackages = with pkgs; [
doveSync
];
services.dovecot2 = {
enable = true;
enableImap = true;
enableLmtp = true;
enablePAM = false;
mailLocation = "maildir:/var/vmail/%d/%n/Maildir";
mailUser = "vmail";
mailGroup = "vmail";
extraConfig = ''
ssl = yes
ssl_cert = </var/lib/acme/imap.${domain}/fullchain.pem
ssl_key = </var/lib/acme/imap.${domain}/key.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_dh=<${config.security.dhparams.params.dovecot2.path}
mail_plugins = virtual fts fts_lucene quota acl
service lmtp {
user = vmail
unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
service doveadm {
inet_listener {
port = 4170
ssl = yes
}
}
protocol imap {
mail_plugins = $mail_plugins imap_quota imap_acl
}
protocol lmtp {
postmaster_address=postmaster@${domain}
hostname=mail.cloonar.com
mail_plugins = $mail_plugins sieve
}
service auth {
unix_listener auth-userdb {
mode = 0640
user = vmail
group = vmail
}
# Postfix smtp-auth
unix_listener /var/lib/postfix/queue/private/auth {
mode = 0666
user = postfix
group = postfix
}
}
userdb {
args = /run/dovecot2/ldap.conf
driver = ldap
}
passdb {
args = /run/dovecot2/ldap.conf
driver = ldap
}
service imap-login {
client_limit = 1000
service_count = 0
inet_listener imaps {
port = 993
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
service quota-warning {
executable = script ${quotaWarning}/bin/quota-warning.sh
unix_listener quota-warning {
user = vmail
group = vmail
mode = 0660
}
}
service quota-status {
# '-p <protocol>'. Currently only 'postfix' protocol is supported.
executable = quota-status -p postfix
client_limit = 1
inet_listener {
address = 127.0.0.1
port = 12340
}
}
protocol sieve {
managesieve_logout_format = bytes ( in=%i : out=%o )
}
plugin {
sieve_dir = /var/vmail/%d/%n/sieve/scripts/
sieve = /var/vmail/%d/%n/sieve/active-script.sieve
sieve_extensions = +vacation-seconds +editheader
sieve_vacation_min_period = 1min
fts = lucene
fts_lucene = whitespace_chars=@.
quota_warning = storage=100%% quota-warning 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
quota_grace = 10%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full"
}
# If you have Dovecot v2.2.8+ you may get a significant performance improvement with fetch-headers:
imapc_features = $imapc_features fetch-headers
# Read multiple mails in parallel, improves performance
mail_prefetch_count = 20
'';
modules = [
pkgs.dovecot_pigeonhole
];
protocols = [
"sieve"
];
};
users.users.vmail = {
home = "/var/vmail";
createHome = true;
isSystemUser = true;
uid = 1000;
shell = "/run/current-system/sw/bin/nologin";
};
security.dhparams = {
enable = true;
params.dovecot2 = { };
};
sops.secrets.dovecot-ldap-password = { };
systemd.services.dovecot2.preStart = ''
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf
'';
systemd.services.dovecot2 = {
wants = [ "acme-imap.${domain}.service" ];
after = [ "acme-imap.${domain}.service" ];
};
users.groups.acme.members = [ "openldap" ];
/* trigger the actual certificate generation for your hostname */
security.acme.certs."imap.${domain}" = {
extraDomainNames = [
"imap-test.${domain}"
"imap-02.${domain}"
];
postRun = "systemctl restart dovecot2.service";
};
networking.firewall.allowedTCPPorts = [
143 # imap
993 # imaps
4190 # sieve
];
}

508
hosts/mail.social-grow.tech/modules/openldap.nix Normal file
View File

@@ -0,0 +1,508 @@
{
pkgs,
config,
...
}:
let
domain = config.networking.domain;
# domain = "cloonar.com";
in {
services.openldap = {
enable = true;
urlList = [ "ldap:///" "ldaps:///" ];
settings.attrs = {
olcLogLevel = "-1";
olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
olcSecurity = "tls=1";
};
settings.children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=cloonar,dc=com";
olcRootDN = "cn=admin,dc=cloonar,dc=com";
olcRootPW.path = config.sops.secrets.openldap-rootpw.path;
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to attrs=loginShell
by self write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{2}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{3}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by dn="cn=admin,dc=cloonar,dc=com" write
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
];
};
"olcOverlay=memberof,olcDatabase={1}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "memberof";
olcMemberOfRefint = "TRUE";
};
"olcOverlay=ppolicy,olcDatabase={1}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
# "olcOverlay=syncprov,olcDatabase={1}mdb".attrs = {
# objectClass = ["olcOverlayConfig" "olcSyncProvConfig"];
# olcOverlay = "syncprov";
# olcSpSessionLog = "100";
# };
"olcDatabase={2}monitor".attrs = {
olcDatabase = "{2}monitor";
objectClass = ["olcDatabaseConfig" "olcMonitorConfig"];
olcAccess = [
''
{0}to *
by dn.exact="cn=netdata,ou=system,ou=users,dc=cloonar,dc=com" read
by * none
''
];
};
"olcDatabase={3}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{3}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=ghetto,dc=at";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
"olcOverlay=memberof,olcDatabase={3}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "memberof";
olcMemberOfRefint = "TRUE";
};
"olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"olcDatabase={4}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{4}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=superbros,dc=tv";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
"olcOverlay=memberof,olcDatabase={4}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "memberof";
olcMemberOfRefint = "TRUE";
};
"olcOverlay=ppolicy,olcDatabase={4}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"olcDatabase={6}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{6}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=szaku-consulting,dc=at";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "olcOverlay=memberof,olcDatabase={6}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
# olcOverlay = "memberof";
# olcMemberOfRefint = "TRUE";
# };
# "olcOverlay=ppolicy,olcDatabase={6}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
# olcOverlay = "ppolicy";
# olcPPolicyHashCleartext = "TRUE";
# };
"olcDatabase={7}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{7}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=myhidden,dc=life";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "olcOverlay=memberof,olcDatabase={7}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
# olcOverlay = "memberof";
# olcMemberOfRefint = "TRUE";
# };
# "olcOverlay=ppolicy,olcDatabase={7}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
# olcOverlay = "ppolicy";
# olcPPolicyHashCleartext = "TRUE";
# };
"olcDatabase={8}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{8}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=korean-skin,dc=care";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "cn=module{0},cn=config" = {
# attrs = {
# objectClass = "olcModuleList";
# cn = "module{0}";
# olcModuleLoad = "ppolicy.la";
# };
# };
"cn={3}cloonar,cn=schema" = {
attrs = {
cn = "{1}cloonar";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
(1.3.6.1.4.1.28298.1.2.4 NAME 'cloonarUser'
SUP (mailAccount) AUXILIARY
DESC 'Cloonar Account'
MAY (sshPublicKey $ ownCloudQuota $ quota))
''
];
};
};
"cn={2}postfix,cn=schema".attrs = {
cn = "{2}postfix";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.12461.1.1.1 NAME 'postfixTransport'
DESC 'A string directing postfix which transport to use'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE)''
''
(1.3.6.1.4.1.12461.1.1.5 NAME 'mailbox'
DESC 'The absolute path to the mailbox for a mail account in a non-default location'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
''
''
(1.3.6.1.4.1.12461.1.1.6 NAME 'quota'
DESC 'A string that represents the quota on a mailbox'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
''
''
(1.3.6.1.4.1.12461.1.1.8 NAME 'maildrop'
DESC 'RFC822 Mailbox - mail alias'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.12461.1.2.1 NAME 'mailAccount'
SUP top AUXILIARY
DESC 'Mail account objects'
MUST ( mail $ userPassword )
MAY ( cn $ description $ quota))
''
''
(1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
SUP top STRUCTURAL
DESC 'Mail aliasing/forwarding entry'
MUST ( mail $ maildrop )
MAY ( cn $ description ))
''
''
(1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
SUP domain STRUCTURAL
DESC 'Virtual Domain entry to be used with postfix transport maps'
MUST ( dc )
MAY ( postfixTransport $ description ))
''
''
(1.3.6.1.4.1.12461.1.2.4 NAME 'mailPostmaster'
SUP top AUXILIARY
DESC 'Added to a mailAlias to create a postmaster entry'
MUST roleOccupant)
''
];
};
"cn={1}openssh,cn=schema".attrs = {
cn = "{1}openssh";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.24552.500.1.1.1.13
NAME 'sshPublicKey'
DESC 'MANDATORY: OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.24552.500.1.1.2.0
NAME 'ldapPublicKey'
SUP top AUXILIARY
DESC 'MANDATORY: OpenSSH LPK objectclass'
MUST ( sshPublicKey $ uid ))
''
];
};
"cn={1}nextcloud,cn=schema".attrs = {
cn = "{1}nextcloud";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.39430.1.1.1
NAME 'ownCloudQuota'
DESC 'User Quota (e.g. 15 GB)'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.39430.1.2.1
NAME 'ownCloud'
DESC 'ownCloud LDAP Schema'
AUXILIARY
MUST ( mail $ userPassword )
MAY ( ownCloudQuota ))
''
];
};
"cn={1}gogs,cn=schema".attrs = {
cn = "{1}gogs";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
( 1.3.6.1.4.1.28293.1.2.4 NAME 'gitlab'
SUP uidObject AUXILIARY
DESC 'Added to an account to allow gitlab access'
MUST (mail))
''
];
};
"cn={1}homeAssistant,cn=schema".attrs = {
cn = "{1}homeAssistant";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
(1.3.6.1.4.1.28297.1.2.4 NAME 'homeAssistant'
SUP uidObject AUXILIARY
DESC 'Added to an account to allow home-assistant access'
MUST (mail) )
''
];
};
# "cn={1}ttrss,cn=schema".attrs = {
# cn = "{1}ttrss";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28294.1.2.4 NAME 'ttrss'
# SUP top AUXILIARY
# DESC 'Added to an account to allow tinytinyrss access'
# MUST ( mail $ userPassword ))
# ''
# ];
# };
# "cn={1}prometheus,cn=schema".attrs = {
# cn = "{1}prometheus";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28296.1.2.4
# NAME 'prometheus'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow prometheus access'
# MUST (mail))
# ''
# ];
# };
# "cn={1}loki,cn=schema".attrs = {
# cn = "{1}loki";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28299.1.2.4
# NAME 'loki'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow loki access'
# MUST (mail))
# ''
# ];
# };
# "cn={1}flood,cn=schema".attrs = {
# cn = "{1}flood";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# (1.3.6.1.4.1.28300.1.2.4 NAME 'flood'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow flood access'
# MUST (mail))
# ''
# ];
# };
};
};
/* ensure openldap is launched after certificates are created */
systemd.services.openldap = {
wants = [ "acme-${domain}.service" ];
after = [ "acme-${domain}.service" ];
};
users.groups.acme.members = [ "openldap" ];
/* trigger the actual certificate generation for your hostname */
security.acme.certs."ldap.${domain}" = {
extraDomainNames = [
"ldap-test.${domain}"
"ldap-02.${domain}"
];
postRun = "systemctl restart openldap.service";
};
sops.secrets.openldap-rootpw.owner = "openldap";
networking.firewall.allowedTCPPorts = [ 389 636 ];
}

246
hosts/mail.social-grow.tech/modules/postfix.nix Normal file
View File

@@ -0,0 +1,246 @@
{ pkgs
, lib
, config
, ...
}:
let
domain = config.networking.domain;
ldapServer = "ldap.cloonar.com";
# domain = "cloonar.com";
domains = pkgs.writeText "domains.cf" ''
server_host = ldap://${ldapServer}
search_base = ou=domains,dc=cloonar,dc=com
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = one
query_filter = (&(dc=%s)(objectClass=mailDomain))
result_attribute = postfixTransport
debuglevel = 0
'';
mailboxes = pkgs.writeText "mailboxes.cf" ''
server_host = ldap://${ldapServer}
search_base = ou=users,dc=%2,dc=%1
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = sub
query_filter = (&(uid=%u)(objectClass=mailAccount))
result_attribute = mail
debuglevel = 0
'';
senderLoginMaps = pkgs.writeText "sender_login_maps.cf" ''
server_host = ldap://${ldapServer}
search_base = dc=%2,dc=%1
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = sub
query_filter = (|(&(objectClass=mailAccount)(uid=%u))(&(objectClass=mailAlias)(mail=%s)))
result_attribute = maildrop, mail
debuglevel = 0
'';
accountsmap = pkgs.writeText "accountsmap.cf" ''
server_host = ldap://${ldapServer}
search_base = ou=users,dc=%2,dc=%1
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = sub
query_filter = (&(objectClass=mailAccount)(uid=%u))
result_attribute = mail
debuglevel = 0
'';
aliases = pkgs.writeText "aliases.cf" ''
server_host = ldap://${ldapServer}
search_base = ou=aliases,dc=%2,dc=%1
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = one
query_filter = (&(objectClass=mailAlias)(mail=%s))
result_attribute = maildrop
debuglevel = 0
'';
helo_access = pkgs.writeText "helo_access" ''
/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
cloonar.com REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
ghetto.at REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
'';
in
{
services.postfix = {
enable = true;
enableSubmission = true;
hostname = "mail.${domain}";
domain = "cloonar.com";
masterConfig."465" = {
type = "inet";
private = false;
command = "smtpd";
args = [
"-o smtpd_client_restrictions=permit_sasl_authenticated,reject"
"-o syslog_name=postfix/smtps"
"-o smtpd_tls_wrappermode=yes"
"-o smtpd_sasl_auth_enable=yes"
"-o smtpd_tls_security_level=none"
"-o smtpd_reject_unlisted_recipient=no"
"-o smtpd_recipient_restrictions="
"-o smtpd_relay_restrictions=permit_sasl_authenticated,reject"
"-o milter_macro_daemon_name=ORIGINATING"
];
};
mapFiles."helo_access" = helo_access;
config = {
# debug_peer_list = "10.42.96.190";
# smtp_bind_address = config.networking.eve.ipv4.address;
# smtp_bind_address6 = "2a01:4f9:2b:1605::1";
mailbox_transport = "lmtp:unix:private/dovecot-lmtp";
virtual_mailbox_domains = "ldap:/run/postfix/domains.cf";
virtual_mailbox_maps = "ldap:/run/postfix/mailboxes.cf";
virtual_alias_maps = "ldap:/run/postfix/accountsmap.cf,ldap:/run/postfix/aliases.cf";
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
smtpd_sender_login_maps = "ldap:/run/postfix/sender_login_maps.cf";
# Do not display the name of the recipient table in the "User unknown" responses.
# The extra detail makes trouble shooting easier but also reveals information
# that is nobody elses business.
show_user_unknown_table_name = "no";
compatibility_level = "2";
# bigger attachement size
mailbox_size_limit = "202400000";
message_size_limit = "51200000";
smtpd_helo_required = "yes";
smtpd_delay_reject = "yes";
strict_rfc821_envelopes = "yes";
# send Limit
smtpd_error_sleep_time = "1s";
smtpd_soft_error_limit = "10";
smtpd_hard_error_limit = "20";
smtpd_use_tls = "yes";
smtp_tls_note_starttls_offer = "yes";
smtpd_tls_security_level = "may";
smtpd_tls_auth_only = "yes";
smtp_dns_support_level = "dnssec";
smtp_tls_security_level = "dane";
smtpd_tls_cert_file = "/var/lib/acme/mail.cloonar.com/full.pem";
smtpd_tls_key_file = "/var/lib/acme/mail.cloonar.com/key.pem";
smtpd_tls_CAfile = "/var/lib/acme/mail.cloonar.com/fullchain.pem";
smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix512.path;
smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix2048.path;
smtpd_tls_session_cache_database = ''btree:''${data_directory}/smtpd_scache'';
smtpd_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
smtpd_tls_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
smtpd_tls_mandatory_ciphers = "medium";
tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
# authentication
smtpd_sasl_auth_enable = "yes";
smtpd_sasl_local_domain = "$mydomain";
smtpd_sasl_security_options = "noanonymous";
smtpd_sasl_tls_security_options = "$smtpd_sasl_security_options";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "/var/lib/postfix/queue/private/auth";
smtpd_relay_restrictions = "
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination";
smtpd_client_restrictions = "
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unknown_client,
permit";
smtpd_helo_restrictions = "
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_non_fqdn_hostname,
reject_invalid_hostname,
warn_if_reject reject_unknown_hostname,
permit";
smtpd_recipient_restrictions = "
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_non_fqdn_hostname,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_unknown_client,
permit";
smtpd_sender_restrictions = "
reject_non_fqdn_sender,
reject_unlisted_sender,
reject_authenticated_sender_login_mismatch,
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_unknown_client_hostname,
reject_unknown_address";
smtpd_etrn_restrictions = "permit_mynetworks, reject";
smtpd_data_restrictions = "reject_unauth_pipelining, reject_multi_recipient_bounce, permit";
};
};
systemd.tmpfiles.rules = [ "d /run/postfix 0750 postfix postfix -" ];
systemd.services.postfix.preStart = ''
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${domains} > /run/postfix/domains.cf
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${mailboxes} > /run/postfix/mailboxes.cf
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${accountsmap} > /run/postfix/accountsmap.cf
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${aliases} > /run/postfix/aliases.cf
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${senderLoginMaps} > /run/postfix/sender_login_maps.cf
'';
security.dhparams = {
enable = true;
params.postfix512.bits = 512;
params.postfix2048.bits = 1024;
};
security.acme.certs."mail.${domain}" = {
extraDomainNames = [
"mail-test.${domain}"
"mail-02.${domain}"
];
postRun = "systemctl restart postfix.service";
group = "postfix";
};
networking.firewall.allowedTCPPorts = [
25 # smtp
465 # smtps
587 # submission
];
}

131
hosts/mail.social-grow.tech/modules/rspamd.nix Normal file
View File

@@ -0,0 +1,131 @@
{ pkgs
, config
, ...
}:
let
domain = config.networking.domain;
localConfig = pkgs.writeText "local.conf" ''
logging {
level = "notice";
}
classifier "bayes" {
autolearn = true;
}
dkim_signing {
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector = "default";
allow_username_mismatch = true;
}
arc {
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector = "default";
allow_username_mismatch = true;
}
milter_headers {
use = ["authentication-results", "x-spam-status"];
authenticated_headers = ["authentication-results"];
}
replies {
action = "no action";
}
url_reputation {
enabled = true;
}
phishing {
openphish_enabled = true;
# too much memory
#phishtank_enabled = true;
}
neural {
enabled = true;
}
neural_group {
symbols = {
"NEURAL_SPAM" {
weight = 3.0; # sample weight
description = "Neural network spam";
}
"NEURAL_HAM" {
weight = -3.0; # sample weight
description = "Neural network ham";
}
}
}
'';
sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { };
in
{
services.rspamd = {
enable = true;
extraConfig = ''
.include(priority=1,duplicate=merge) "${localConfig}"
'';
postfix.enable = true;
workers.controller = {
extraConfig = ''
count = 1;
static_dir = "''${WWWDIR}";
password = "$2$7rb4gnnw8qbcy3x3m7au8c4mezecfjim$da4ahtt3gnjtbj7ni6bt1q8jwgqtzxp5ck6941m6prjxsz3udfgb";
enable_password = "$2$xo1qdd1zgozwto8yazr1o35zbarbzcgp$u8mx6hcsb1qdscejb4zadcb3iucmm4mw6btgmim9h6e5d8cpy5ib";
'';
};
};
services.dovecot2 = {
mailboxes.Spam = {
auto = "subscribe";
specialUse = "Junk";
};
extraConfig = ''
protocol imap {
mail_plugins = $mail_plugins imap_sieve
}
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
# From elsewhere to Spam folder
imapsieve_mailbox1_name = Spam
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/report-spam.sieve
# From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/report-ham.sieve
# Move Spam emails to Spam folder
sieve_before = /var/lib/dovecot/sieve/move-to-spam.sieve
sieve_pipe_bin_dir = ${sieve-spam-filter}/bin
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
}
'';
};
services.nginx.enable = true;
services.nginx.virtualHosts."rspamd.${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/".extraConfig = ''
proxy_pass http://localhost:11334;
'';
};
# systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "redis-rspamd" ];
systemd.services.dovecot2.preStart = ''
mkdir -p /var/lib/dovecot/sieve/
for i in ${sieve-spam-filter}/share/sieve-rspamd-filter/*.sieve; do
dest="/var/lib/dovecot/sieve/$(basename $i)"
cp "$i" "$dest"
${pkgs.dovecot_pigeonhole}/bin/sievec "$dest"
done
chown -R "${config.services.dovecot2.mailUser}:${config.services.dovecot2.mailGroup}" /var/lib/dovecot/sieve
'';
}

28
hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/default.nix Normal file
View File

@@ -0,0 +1,28 @@
{ stdenv
, makeWrapper
, rspamd
,
}:
stdenv.mkDerivation {
name = "sieve-rspamd-filter";
nativeBuildInputs = [ makeWrapper ];
src = ./src;
installPhase = ''
for sieve in $src/*.sieve; do
install -D "$sieve" "$out/share/sieve-rspamd-filter/$(basename $sieve)"
done
mkdir $out/bin
cat > $out/bin/learn-spam.sh <<'EOF'
#!/bin/sh
exec ${rspamd}/bin/rspamc -h /run/rspamd.sock learn_spam
EOF
cat > $out/bin/learn-ham.sh <<'EOF'
#!/bin/sh
exec ${rspamd}/bin/rspamc -h /run/rspamd.sock learn_ham
EOF
chmod +x $out/bin/*.sh
'';
}

5
hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/move-to-spam.sieve Normal file
View File

@@ -0,0 +1,5 @@
require ["fileinto"];
if header :is "X-Spam" "Yes" {
fileinto "Spam";
}

15
hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/report-ham.sieve Normal file
View File

@@ -0,0 +1,15 @@
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
if environment :matches "imap.mailbox" "*" {
set "mailbox" "${1}";
}
if string "${mailbox}" "Trash" {
stop;
}
if environment :matches "imap.user" "*" {
set "username" "${1}";
}
pipe :copy "learn-ham.sh" [ "${username}" ];

7
hosts/mail.social-grow.tech/pkgs/sieve-spam-filter/src/report-spam.sieve Normal file
View File

@@ -0,0 +1,7 @@
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
if environment :matches "imap.user" "*" {
set "username" "${1}";
}
pipe :copy "learn-spam.sh" [ "${username}" ];

52
hosts/mail.social-grow.tech/secrets.yaml Normal file
View File

@@ -0,0 +1,52 @@
borg-passphrase: ENC[AES256_GCM,data:D6+ZedxUQ7m/m0YkM5m/B4kFsNySJjFyh8Gmhn3Mpe+mqEzzMRjAbwmGzx9i9Lnr1dTjRElUOgevnnvW5J2KRA==,iv:cG4w1KsEm1SOTni9bsbSW1+ypzjjs2Q42I+4xvcCAu0=,tag:WkkNVa27Uy5nFpmXaIH6ww==,type:str]
borg-ssh-key: ENC[AES256_GCM,data:T/EPWSuY9Ocj6D8nL2pfPg7r/lN4TyS7SiAqhQhkr10Y3R2mzfgMrOZTg/MrYv3/uNCt5h9TBDxwmiAwSmBzBSms0T5qD8aSxLgbmc6MAG7FSm7cGFf6x/7fMgVn7DAlwMz+4t/PkVk1iCRG4IwzimXwBvq73yIZuAiIARq0Azin7YAoSKjxnZ8ACkyRVCecf45pk7ModRmPLSDK8MZcT7bcHpZt6gQKx72OXSCJTD5FRUX180miUaywf7SxF1goEGRSmwtFDhyVs8iThiqyz0IsElB/dPGR+vYQwlFNWOFUshfAifz5tHXkvaKt08EJKyVV2TUqEsUETfFEqQW+8YNym3wBvrlnXm05DrHnfjz9GOEeUr35d9ESNgS+J5SzWVDitK29ca7QiaQ+YfaDn4/4mOGKSbPUnqOgRBoqXhJMV4ddV0lTKgBrg9isBVPgaye2prcHGjtUkVw2Kyh1omT3RKv6y7X+jfOpeOWOiByN73PCsZF7g+FFlP0K5jcfm4y4yaD8y6NlEaozrabuCIpY2ZUdZ/aH11vzLAk+LB8XE6lJ5MKMNPjNRftErJ9iE3OaOyan1ovTzaGqzaEwGtx/MZpk5hWNUwcSrJvZDqDuKO4+OhwMedvCCRKtNFIbEZ49EJrtp326Y1EelhfWgls5nJFPXukHo/C17ybsP4uFySFz/M13RVTIRntn7WKoh0bH7na2XgVGtXmI2plqVA5zppCbVTzr9+pAAD9RvXTX7t12gA1iNmdxM8alOeoZ41JXHd6BDF4bvDLVMhFhlslDLZ3wNV/QPWcSczinpJlvEQ13/WFN/NTO25Y16p+oxY9g8QD3pNEkAVLOMYjnEUlV6+DQcZbxzU8RCfpEzfVsOqbztTihDgHD5ldWt/VpN4ncm/WCVCWBlT33iiTxufC8htY3SjXt8JULEt0049HNIbNwj1awZwqTgT4z06okf7sz0m8Y/U8D5MCu8uNpt7QJBftVHxCKSUmQ4NJRicMDhlrpEJklQYlRtsvKlL/ntnyf5ZoUnkX03AoG0zh4Dh0LydGKC9RsKfwJeU+684d3opBI9eIYL6Rp/XB60LKcUA6Q+m7BgB7Tjck2YbG8nFPLaV3PdmIejlE0agICJ8Hef8rnqdU/r6X92gCEBvGXNbuqsKJvDTYPafQP8U6rXc7Tq+g68zfCOijIuHyKjkzdtIom8KMi5MUdFBSXK22xB1q4ye+QaCaAdN/1Xe6KDxWiafPG+BkpExh7hXbqZU1MyiTYMExpilY30e+CmPXMdxAWmygOxwUk+mPbuWrF0oh16DYN0dS38gUbo2Z4fjRvYIoZea1pu8niQRfhTVgLZVpEN07pYPu2farsPCPIXPalXVcijVO/yi2Dg4uhTsjzW/aRZ6XDIoXRd59v5hG+L27l7gTIXfTx1+htwClRJjYxFy6hTL+ZjcKdNrz/jezXPrR7kRHNEEfJM/ysv8d/7Ghpt+wITgc22bdnxKJv9rWnoKDEQ/FRGm6Y/eMisOttUFFlznQi2lqShOxPXnnuOnpndklcxPM8FowlL4FMDN7QUW3kdXJ2j0GgN4o34oKhqvXjtjf9Dk5r5KB+GTeOhf3SJXgeR4llaSAQXjzGdZqk0g34YTa3qb8rVxDSBKEHOnKs+Cr/4H09k62S/3SzZfrBIaaZ6Ey1b+bFfnbJJlD/Y/1Hwd5IhNbMHj7bfOKC8VabieeHwMbWfkGdnnmdY5LLJqXAwANrCIYZrEpm38pYJiKes5GrAz8caK2rPIhAPShURwkjCsvowmadTvnEbO/KoaUIcqk40wYdM6NAlVme6dLXxeVN7Y3K6UAWFIIZtYarAog0Axncs30shIoy1CGd6dN87tuK+/twO/jr458fJInumXSMRy2X2K0MKPLONF9FcP/EWENa+H43Zcfo1y42HkoYxI70R2YqOlpbtJUk8/8PqVSlJBrbgpBZNzAMCbsIjhrBevISerf8Sa8X6WC/KjwswjfGJ7h+FEnrPutKJg/ajDywAI+RZ3H+5zWm/CZxBYT6k4w6gAWZva0Nlx6jWQExONGQfUBkrRrRfIHhWl3c+k5VrhyzwW9fmAB9XmT1iYbk9T+ZNU/O8HY1bAZWufS4G7GaHchbPIvz3edMvP+zrGBZXPPJE3abls9oUcVZ223NFU1RPMZwG7LqL0fzfHXl4zx82TEXn14dAIBBVr67RAejz5xOGf8I2MpYQ6RAxvfhc7bjWY9/FU1RU09ob7usJCZphm51oa4TR7kz0AH1HxSOGfCJKLdYjBxbylR1GxY1bUTokLVWEYHalCr6d4lyEmUHM3+1vBUQQ6aq81njW33yGvwclUvhWj4sB51WPaREcYQsPkYnftN/dRSKVQoEZckgmIvML3lUwiVMLGlXlcUViyQpktnWAWxXgw5GH6KXMqoI43jRmxTeR3KrVyZRJBlDj/AnGWOD37fndGuMdpmAIGX/1fZnUUCxNhhuou20LvOr8BnjcHP9pBjtRPxu4o9fFmnzNCt43SC2ivMDOLxL/Uq6batacYrRnLtK4XnNqzfpCqe1bkfBsmTbRGnwPIJrA7TThfHH322DLy/GueYiddIa5spqdIH2jI8nfjKq4SxLtwsNZ4GUG/z83YQEg0Z8I/CQhYh3Y8Gcjb4ZUrOg9n84iLADDOn2j9CI1QfsyJAt+qLEDPRJ9yMRefmq7BAxvGbNq+4YUbj4Fo6K2FwaO2quUVl7RpfVgT/WvXTJS4pAndPJt4PrG03X56ra3yOTtlZqPvGR+XGjp56hG5I5AtQ27JmB6S30EncH9sDLDPucNtEzn57cY90kAZSdDYjBkJ5/lC3xJOB4UiAs582UgyIiVlL/mvjXd1kajAcchfUYnjEUkgFuOoRysWDO/rq8aDFYg/jokUNOn4ent7xXzlfEXkpMZ00coZ7gi+CjKOf29+/ZE1wCfbRhBds/mCmAerWJo24vb632lTCWKImbHo36WuBAvKqofFNpVyMRQ+OKm9Bzr2jQD7W4+1CUk/ZatGVWJHCPsEGWt/L0Fj8K3NzF135c9d8aZ9HqC9XNqOKTZpNe9QSMc5S+tD1ZUxHVrDHny0fOKaWGVHtgyNkcyte0l16wet1z+xZcPCKr8ieMSqh+HgfT2/kWjpb1hlmyEDFmPnnbmhCDD2QWstX8vCa9JTdd0OLb3rTgPMlbxPPIiWQGSBc6tig7X3mZbebweRz5ktqrdMvK3ter9bVC9T2TF6EiCktxw+IdS9MONajvoGAaR2k1nGbfKDSVIKk1ialfv1FGJu1gUA8J0pvXqbrTJfSPOH4iuJrWJut0UpJeHrUuh0ODguNriBivobZeaRamUA/PPNvM5KCSUQUtefDnVINsJSoT4yXn55fkRwvb2957AfHI8yMRg9KtNIYj8i5KsEsw4gE53Lr+NU7Wq2O08+v2mUSNjP0REWgu0Dw0M4/Q9eykLV/ZRnhRcbUZyA==,iv:yA1CkRMapP1S3zMwu6Tj0/0/HHpwD1yRAm/qrZx/kPs=,tag:SYg2IoXeD9fMYb35J/AJ1Q==,type:str]
netdata-claim-token: ENC[AES256_GCM,data:ECx8zLnU/dj08vfA76oVbVzL3JG9MLBoFmxSjtjiFbSiFtdaHtG/8u5FEuyQ1bQMQntV91xj7x1kY8fAp7VNbWyC13pOEOrt6rvJYch14eM3bqNvfGeqgJsHmAaRbY6mBrxJBkiRJBLYVil4e1oDNZVnzFQ4ditXZbMGtAV2063K1MRI/48p,iv:viE84mOp5KSdj8vdK5XxR0W9A54oPxQO5ahnpPLeAdE=,tag:WjzKjGXRRAc7vlzreFHbng==,type:str]
openldap-rootpw: ENC[AES256_GCM,data:W0em1Dffg+IUoynwwPD4NjFksR38ZO4mhWFI83ALvYcwYIplxw/gDRLGCqbSt6TR5C65CKr1sOUiU+4Xq3UWmw==,iv:BHQhISTIYuwSM3KiSb0mEEo3BMNo6FXEDXoIvI3SZrU=,tag:tX8gfnk1JYnaNionk/jrLg==,type:str]
dovecot-ldap-password: ENC[AES256_GCM,data:JYAt8/WggwclNEPO9CaWfQsvQBA8DDJCU2km93HpowoVwIdvQ/0lQHeXndPYe1EmJGJ3vLErie+Zn2kDINIMqQ==,iv:HR0QJ0GgQks3NzhfXwjHupCKcPOekkiTcp5Jxbz7CxI=,tag:19m7F6TjGUPOuHQJuUq2pw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRWdBcmEvQkQrOXZ0SDJW
eFpFSlBxbjlUbFlDVEZzS3dLSXN6MnBFT3lnCkZ1RGhoQjhtcGxEY1E1QlBvNUl0
RWxnbzNldHBHUjhiZldYQm9iYWppcncKLS0tIG12WFdYSVdDYVZUaEFzUFhJS3A2
Q0I2b2h4aFlkNkV1a1BFamhyd0ZBWTgKZwxpdydc1lgs3u9gkh2Krs8PGfcKwJTv
n7BV0FNa242wOT4Tu28O9SN7VR1zZR52iOgV7gWsCnhkNDk9kwiLHA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoSHFtMUczc0tXaDZoQllM
eHFpYTFmcnpyYitwT1U2eGNuQm5MQms3YUdJCmpVS2hOVjFmUlVUZy9MZTZxQVlq
SU8xcmd2a0tvWlBMc2M1Wm5XV3ZQZTAKLS0tIG9qa2pQbDFIbFArejM1d1VRRVFY
VjJwdC8yQ1hweEllcGhYclNwTWFyZ1UKDKv14nnVx3FeL87FYFqZMU+niHBOvxHz
3L3hBMEgpR/uMSuPmF4/NLVJTsktOonW9NKOzm37KsY2HNRXbuHoQg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjY2JOWTA0a3pGL0dYc2t4
aE8vTUNMNDVML2ZOSW9xeHlFRDQ5K1BLR3l3ClN4a25QZTEzaFk5bnVUYkk2dnRr
SWxNTklrZGM4enJ0WXBKaEJ6UDZUMzAKLS0tIDJudGtSVTVTV3ZrWWh6VnZFdEs3
UFVlWE9wd3hRS0d3VEg5di9kNHBIeUEKov+NZ0pt4BUd5xXX9cTFSJF355Kg0ios
Va/kbzgG2SMvxMorNFDp+yJgGXM9rOycMJ1ajemKBM3r2QMcsIiMWA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVVRBY1RVdmdkTGxkT3N0
YjJUdXU5blY3T1R2NFQwQ2MvUitTRjZOUGpjCkNMTUJOaCtGR0s4SGxENXRRd1lQ
cE9RbFUvL1RVZnZ1a3RlZ0YxbmFtOGsKLS0tIE8vMmE1YkZCM210SXEzRFZJeWZL
eC80bWxndE85RlZGRUFTcDdaZ2J1VE0KZ0FERlT1kdUE+WxSi57YowqDQtA9BoV1
MZoPePwGkRr27MHnPYIhoniUXC7mhQ4rqvcbFy6i1n4r1CqkRFBM3g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-08T11:20:50Z"
mac: ENC[AES256_GCM,data:GPUwpSAz6fj7mRxX1ebEb2sLAMLkQLuKPXk+B3+zZmA6+D7gAKrrBGUWHqYA9DMMY0r32OZSccGRmeKqdA7sWmzdIJTcBu8EyER1nJqVFJiXcOOdTkCLdOM4xW969YE0lBKpIAQ40E7YXYYwkI1JINneIBTuXkvIBmSQ3Bt2+ak=,iv:VEPNQxDLzxyTxkn8dI6xNDe9ESk2RojSNYYEwT+Ggas=,tag:cfUEKU3arSJl+lEOa+4iRA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

1
hosts/mail.social-grow.tech/utils Symbolic link
View File

@@ -0,0 +1 @@
../../utils

3
hosts/nb-new.cloonar.com/configuration.nix
View File

@@ -70,6 +70,8 @@ in {
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
START_CHARGE_THRESH_BAT0 = 60;
STOP_CHARGE_THRESH_BAT0 = 80;
};
};
@@ -215,6 +217,7 @@ in {
};
};
nix = {
settings.auto-optimise-store = true;
settings.experimental-features = [ "nix-command" "flakes" ];

4
hosts/nb-new.cloonar.com/modules/sway/sway.conf
View File

@@ -5,7 +5,7 @@
# i3 config file (v4)
# font for window titles and bar
font pango:Source Sans Pro 15
font pango:Source Sans Pro 10
# use win key
set $mod Mod4
@@ -314,7 +314,7 @@ exec 'sleep 2; swaymsg workspace "$ws8"; swaymsg layout tabbed'
exec mako --default-timeout=5000
# wallpaper
output eDP-1 scale 1
output eDP-1 scale 1.5 scale_filter linear
output eDP-1 bg #282a36 solid_color
output eDP-1 bg ~/.wallpaper.png center
output DP-4 bg #282a36 solid_color

6
hosts/nb-new.cloonar.com/modules/sway/sway.nix
View File

@@ -81,9 +81,7 @@ in {
quickemu
brave
chromium
firefox
vivaldi
# unstable.cura
freecad
@@ -106,10 +104,13 @@ in {
variants = ["qt5"];
})
kdePackages.neochat
dbus-sway-environment
ddev
dracula-theme
foot
fractal
gcc
git
glib
@@ -125,6 +126,7 @@ in {
libreoffice
mako
mqttui
moonlight-qt
netflix
networkmanagerapplet
nextcloud-client

2
hosts/nb-new.cloonar.com/modules/sway/waybar.css
View File

@@ -1,5 +1,5 @@
* {
font-size: 24px;
font-size: 16px;
font-family: monospace;
}

2
hosts/nb-new.cloonar.com/users/configs/project_history
View File

@@ -1,3 +1,4 @@
/home/dominik/projects/cloonar/renovate-config
/home/dominik/projects/cloonar/bento
/home/dominik/projects/cloonar/freescout
/home/dominik/projects/cloonar/support-invoiced
@@ -17,6 +18,7 @@
/home/dominik/projects/socialgrow.tech/sgt-api
/home/dominik/projects/epicenter.works/ewcampaign
/home/dominik/projects/epicenter.works/epicenter.works
/home/dominik/projects/epicenter.works/epicenter.works-website
/home/dominik/projects/epicenter.works/epicenter-nixos
/home/dominik/projects/epicenter.works/spenden.akvorrat.at
/home/dominik/projects/epicenter.works/dearmep-website

108
hosts/nb-new.cloonar.com/users/dominik.nix
View File

@@ -10,12 +10,11 @@ let
"calendar.alarms.showmissed" = false;
"mail.uidensity" = 2;
"mail.inline_attachments" = false;
"mail.folder.views.version" = 1;
"calendar.list.sortOrder" = "cloonar-personal";
"mail.folder.views.version" = 1; "calendar.list.sortOrder" = "cloonar-personal";
"calendar.ui.version" = 3;
"calendar.timezone.local" = "Europe/Vienna";
"calendar.week.start" = 1;
"layout.css.devPixelsPerPx" = "1";
# "layout.css.devPixelsPerPx" = "1";
};
thunderbirdCalendarPersonal = {
@@ -139,6 +138,8 @@ let
privacy-badger
ublock-origin
];
persistHome = "/home/dominik";
in
{
programs.fuse.userAllowOther = true;
@@ -192,6 +193,50 @@ in
};
};
systemd.user.services = {
signald = {
Unit = {
Description = "Signal-cli daemon";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
};
Install = {
WantedBy = [ "graphical-session.target" ];
};
Service = {
ExecStart = "${pkgs.signal-cli}/bin/signal-cli daemon";
Restart = "always";
};
};
};
programs.chromium = {
enable = true;
commandLineArgs = [
"--enable-features=WebUIDarkMode"
"--force-dark-mode"
];
dictionaries = [
pkgs.hunspellDictsChromium.en_US
pkgs.hunspellDictsChromium.de_DE
];
extensions = [
{
# Ublock
id = "epcnnfbjfcgphgdmggkamkmgojdagdnn";
}
{
# Privacy Badger
id = "pkehgijcmpdhfbdbbnkijodmdjhbjlgp";
}
{
# Bitwarden
id = "nngceckbapebfimnlniiiahkandclblb";
}
];
};
programs.git = {
enable = true;
@@ -368,14 +413,14 @@ in
id = 0;
isDefault = true;
settings = firefoxSettings;
userChrome = firefoxUserChrome;
# userChrome = firefoxUserChrome;
search = firefoxSearchSettings;
extensions = firefoxExtensions;
};
social = {
id = 1;
settings = firefoxSettings;
userChrome = firefoxUserChrome;
# userChrome = firefoxUserChrome;
search = firefoxSearchSettings;
containersForce = true;
containers = {
@@ -418,32 +463,34 @@ in
set +eu
ssh-keygen -R git.cloonar.com
ssh-keyscan git.cloonar.com >> ~/.ssh/known_hosts
git clone git@github.com:dpolakovics/bento.git /nix/persist/user/dominik/cloonar/bento 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/freescout.git /nix/persist/user/dominik/projects/cloonar/freescout 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/support-invoiced.git /nix/persist/user/dominik/projects/cloonar/support-invoiced 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/nixos.git /nix/persist/user/dominik/projects/cloonar/cloonar-nixos 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/website.git /nix/persist/user/dominik/projects/cloonar/cloonar-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git /nix/persist/user/dominik/projects/cloonar/wohnservice-wien 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/gbv-aktuell.git /nix/persist/user/dominik/projects/cloonar/gbv-aktuell 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/api.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-api 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/frontend.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-frontend 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/website.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-website 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/module.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-module 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-api.git /nix/persist/user/dominik/projects/cloonar/amz/amz-api 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git /nix/persist/user/dominik/projects/cloonar/amz/amz-frontend 2>/dev/null
git clone gitea@git.cloonar.com:hilgenberg/website.git /nix/persist/user/dominik/projects/cloonar/hilgenberg-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/korean-skin.care.git /nix/persist/user/dominik/projects/cloonar/korean-skin.care 2>/dev/null
git clone gitea@git.cloonar.com:myhidden.life/web.git /nix/persist/user/dominik/projects/myhidden.life/myhidden.life-web 2>/dev/null
git clone gitea@git.cloonar.com:renovate/renovate-config.git ${persistHome}/cloonar/renovate-config 2>/dev/null
git clone git@github.com:dpolakovics/bento.git ${persistHome}/cloonar/bento 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/freescout.git ${persistHome}/projects/cloonar/freescout 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/support-invoiced.git ${persistHome}/projects/cloonar/support-invoiced 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/nixos.git ${persistHome}/projects/cloonar/cloonar-nixos 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/website.git ${persistHome}/projects/cloonar/cloonar-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git ${persistHome}/projects/cloonar/wohnservice-wien 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/gbv-aktuell.git ${persistHome}/projects/cloonar/gbv-aktuell 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/api.git ${persistHome}/projects/cloonar/paraclub/paraclub-api 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/frontend.git ${persistHome}/projects/cloonar/paraclub/paraclub-frontend 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/website.git ${persistHome}/projects/cloonar/paraclub/paraclub-website 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/module.git ${persistHome}/projects/cloonar/paraclub/paraclub-module 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-api.git ${persistHome}/projects/cloonar/amz/amz-api 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git ${persistHome}/projects/cloonar/amz/amz-frontend 2>/dev/null
git clone gitea@git.cloonar.com:hilgenberg/website.git ${persistHome}/projects/cloonar/hilgenberg-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/korean-skin.care.git ${persistHome}/projects/cloonar/korean-skin.care 2>/dev/null
git clone gitea@git.cloonar.com:myhidden.life/web.git ${persistHome}/projects/myhidden.life/myhidden.life-web 2>/dev/null
git clone gitea@git.cloonar.com:socialgrow.tech/sgt-api.git /nix/persist/user/dominik/projects/socialgrow.tech/sgt-api 2>/dev/null
git clone gitea@git.cloonar.com:socialgrow.tech/sgt-api.git ${persistHome}/projects/socialgrow.tech/sgt-api 2>/dev/null
ssh-keygen -R gitlab.epicenter.works
ssh-keyscan gitlab.epicenter.works >> ~/.ssh/known_hosts
git clone git@github.com:AKVorrat/ewcampaign.git /nix/persist/user/dominik/projects/epicenter.works/ewcampaign 2>/dev/null
git clone git@gitlab.epicenter.works:epicenter.works/website.git /nix/persist/user/dominik/projects/epicenter.works/epicenter.works 2>/dev/null
git clone git@gitlab.epicenter.works:epicenter.works/nixos.git /nix/persist/user/dominik/projects/epicenter.works/epicenter-nixos 2>/dev/null
git clone git@github.com:AKVorrat/spenden.akvorrat.at.git /nix/persist/user/dominik/projects/epicenter.works/spenden.akvorrat.at 2>/dev/null
git clone git@github.com:AKVorrat/dearmep-website.git /nix/persist/user/dominik/projects/epicenter.works/dearmep-website 2>/dev/null
git clone git@github.com:AKVorrat/ewcampaign.git ${persistHome}/projects/epicenter.works/ewcampaign 2>/dev/null
git clone git@gitlab.epicenter.works:epicenter.works/website.git ${persistHome}/projects/epicenter.works/epicenter.works 2>/dev/null
git clone git@github.com:AKVorrat/epicenter.works-website.git ${persistHome}/projects/epicenter.works/epicenter.works-website 2>/dev/null
git clone git@gitlab.epicenter.works:epicenter.works/nixos.git ${persistHome}/projects/epicenter.works/epicenter-nixos 2>/dev/null
git clone git@github.com:AKVorrat/spenden.akvorrat.at.git ${persistHome}/projects/epicenter.works/spenden.akvorrat.at 2>/dev/null
git clone git@github.com:AKVorrat/dearmep-website.git ${persistHome}/projects/epicenter.works/dearmep-website 2>/dev/null
set -eu
'';
@@ -507,6 +554,13 @@ in
TERM = "xterm-256color";
};
};
"*.social-grow.tech" = {
user = "root"; # prod
identityFile = "~/.ssh/social-grow.tech_id_ed25519";
setEnv = {
TERM = "xterm-256color";
};
};
"amz-websrv-01.amz.at" = {
user = "ebs";
};

5
hosts/web-arm/modules/web/typo3.nix
View File

@@ -173,7 +173,6 @@ in
};
config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
@@ -189,6 +188,10 @@ in
serverAliases = instanceOpts.domainAliases;
extraConfig = ''
if ($host != '${domain}') {
return 301 $scheme://${domain}$request_uri;
}
if (!-e $request_filename) {
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
}