From 16594b3e7d6687876909da5e2b2257f4c2c6cc91 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Tue, 12 Aug 2025 12:20:06 +0200 Subject: [PATCH 1/7] feat: remove ghetto.at domain --- hosts/mail/modules/openldap.nix | 46 --------------------------------- 1 file changed, 46 deletions(-) diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix index be00dea..81e63e1 100644 --- a/hosts/mail/modules/openldap.nix +++ b/hosts/mail/modules/openldap.nix @@ -111,52 +111,6 @@ in { ]; }; - "olcDatabase={3}mdb".attrs = { - objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; - - olcDatabase = "{3}mdb"; - olcDbDirectory = "/var/lib/openldap/data"; - - olcSuffix = "dc=ghetto,dc=at"; - - olcAccess = [ - '' - {0}to attrs=userPassword - by self write - by anonymous auth - by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write - by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write - by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read - by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write - by * none - '' - '' - {1}to attrs=pgpPublicKey - by self write - by anonymous read - by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read - by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write - by * read - '' - '' - {2}to * - by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read - by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write - by * read - '' - ]; - }; - "olcOverlay=memberof,olcDatabase={3}mdb".attrs = { - objectClass = [ "olcOverlayConfig" "olcMemberOf" ]; - olcOverlay = "memberof"; - olcMemberOfRefint = "TRUE"; - }; - "olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = { - objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ]; - olcOverlay = "ppolicy"; - olcPPolicyHashCleartext = "TRUE"; - }; - "olcDatabase={4}mdb".attrs = { objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; From b3a71cb9bcdbf93399d6dd44aae83f328ec90df5 Mon Sep 17 00:00:00 2001 
From: Dominik Polakovics Date: Tue, 12 Aug 2025 12:20:28 +0200 Subject: [PATCH 2/7] feat: nb remove old stuff and add cursor --- hosts/nb/modules/desktop/default.nix | 1 + hosts/nb/users/dominik.nix | 32 ---------------------------- 2 files changed, 1 insertion(+), 32 deletions(-) diff --git a/hosts/nb/modules/desktop/default.nix b/hosts/nb/modules/desktop/default.nix index 647f850..0605a20 100644 --- a/hosts/nb/modules/desktop/default.nix +++ b/hosts/nb/modules/desktop/default.nix @@ -38,6 +38,7 @@ in { }) vscode + code-cursor dracula-theme diff --git a/hosts/nb/users/dominik.nix b/hosts/nb/users/dominik.nix index 5972806..5fd5927 100644 --- a/hosts/nb/users/dominik.nix +++ b/hosts/nb/users/dominik.nix @@ -179,38 +179,6 @@ in ''; }; - /* Here goes the rest of your home-manager config, e.g. home.packages = [ pkgs.foo ]; */ - # home.persistence."/nix/persist/user/dominik" = { - # allowOther = true; - # directories = [ - # ".ApacheDirectoryStudio" - # ".config/Creality" - # ".config/github-copilot" - # ".config/libreoffice" - # ".config/Nextcloud" - # ".config/OrcaSlicer" - # ".config/rustdesk" - # ".config/rustdesk-epicenter" - # ".config/Signal" - # ".config/Signal-work" - # ".config/sops" - # ".config/VirtualBox" - # ".local/share/keyrings" - # ".local/share/Steam" - # ".mozilla" - # ".ssh" - # ".thunderbird" - # ".var" - # "cloud.cloonar.com" - # "nextcloud.cloonar.com" - # "cloud.epicenter.works" - # "OpenAudible" - # "VirtualBox VMs" - # "projects" - # "go" - # ]; - # }; - gtk = { enable = true; gtk2.extraConfig = '' From d199e5a4756b5ba7a15957678eaa07233d608e17 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Polakovics Date: Sat, 16 Aug 2025 13:14:21 +0200 Subject: [PATCH 3/7] change wireguard key for gpd win 4 --- hosts/fw/modules/wireguard.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/fw/modules/wireguard.nix b/hosts/fw/modules/wireguard.nix index 76fba0f..239e36f 100644 --- a/hosts/fw/modules/wireguard.nix 
+++ b/hosts/fw/modules/wireguard.nix @@ -22,7 +22,7 @@ allowedIPs = [ "${config.networkPrefix}.98.202/32" ]; } { # GPD Win 4 - publicKey = "HE4eX4IMKG8eRDzcriy6XdIPV71uBY5VTqjKzfHPsFI="; + publicKey = "p3wnxXK7hurOKxruFCRoefj6gCoQeD5XXxD/ogMpew8="; allowedIPs = [ "${config.networkPrefix}.98.203/32" ]; } { From eb40b7ff06fd7af8aae35531153bca4d52da5861 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Mon, 8 Sep 2025 17:12:53 +0200 Subject: [PATCH 4/7] feat: add webmail to webhost --- hosts/web-arm/configuration.nix | 1 + hosts/web-arm/sites/webmail.cloonar.com.nix | 78 +++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 hosts/web-arm/sites/webmail.cloonar.com.nix diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix index b8f9db4..5a058ec 100644 --- a/hosts/web-arm/configuration.nix +++ b/hosts/web-arm/configuration.nix @@ -35,6 +35,7 @@ ./sites/autoconfig.cloonar.com.nix ./sites/feeds.cloonar.com.nix + ./sites/webmail.cloonar.com.nix ./sites/vcard.cloonar.dev.nix ./sites/vcard.cloonar.com.nix diff --git a/hosts/web-arm/sites/webmail.cloonar.com.nix b/hosts/web-arm/sites/webmail.cloonar.com.nix new file mode 100644 index 0000000..bae375b --- /dev/null +++ b/hosts/web-arm/sites/webmail.cloonar.com.nix 
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+let
+ domain = config.networking.domain;
+ roundcubeRoot = "${config.services.roundcube.package}/public_html";
+ # PHP-FPM socket created by the roundcube module (pool named "roundcube"):
+ fpmSocket = config.services.phpfpm.pools.roundcube.socket;
+in
+{
+ # DB for Roundcube (PostgreSQL shown; MariaDB works too)
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "roundcube" ];
+ ensureUsers = [
+ { name = "roundcube"; ensureDBOwnership = true; }
+ ];
+ };
+
+ services.roundcube = {
+ enable = true;
+ configureNginx = false; # <-- you’ll provide your own vhost
+ plugins = [ "managesieve" "archive" "zipdownload" ];
+ database = {
+ host = "localhost";
+ dbname = "roundcube";
+ username = "roundcube";
+ };
+
+ extraConfig = ''
+ // IMAP & SMTP
+ $config['imap_host'] = 'ssl://imap.${domain}:993';
+ $config['smtp_host'] = 'tls://mail.${domain}:587';
+ $config['smtp_user'] = '%u';
+ $config['smtp_pass'] = '%p';
+
+ // ManageSieve (filters + vacation)
+ $config['managesieve_host'] = 'tls://imap.${domain}:4190';
+ '';
+ };
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."webmail.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ root = roundcubeRoot;
+
+ extraConfig = ''
+ client_max_body_size 50m;
+ '';
+
+ locations = {
+ # Serve static assets directly
+ "~* ^/(favicon\\.ico|robots\\.txt|browserconfig\\.xml)$".tryFiles = "$uri =404";
+ "~* ^/(assets|installer|public|skins|plugins)/" = {
+ tryFiles = "$uri =404";
+ };
+
+ # PHP entry points
+ "~ \\.php$" = {
+ extraConfig = ''
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:${fpmSocket};
+ fastcgi_buffers 16 16k;
+ fastcgi_buffer_size 32k;
+ '';
+ };
+
+ # Default: let Roundcube handle routing
+ "/" = {
+ tryFiles = "$uri /index.php?$query_string";
+ };
+ };
+ };
+ };
+}
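Review bot: The `locations` attrset does not give the order the comments rely on: the NixOS nginx module renders locations sorted by `priority` (default 1000) and then by attribute name, so `"~ \\.php$"` is emitted before `"~* ^/(assets|installer|public|skins|plugins)/"` (a space sorts before `*`), and nginx uses the first matching regex location. A request for a `.php` path under `installer/` or `plugins/` therefore reaches php-fpm instead of the intended `$uri =404`, and if the Roundcube package ships the installer under `public_html` (worth confirming) it stays executable on the live vhost. Pin the order with explicit priorities, e.g. `priority = 900;` on both static-asset locations and `priority = 1100;` on `"~ \\.php$"`, and consider a separate `"~ ^/installer/"` location with `extraConfig = "deny all;"` rather than serving that directory at all. Nit: `# <-- you’ll provide your own vhost` reads as a note-to-self; `# vhost is defined in services.nginx below` tells the reader what they need.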
From a0ffb52f98ad5d2f7c8e1d281f5b14913ed8b34f Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Mon, 8 Sep 2025 17:13:02 +0200 Subject: [PATCH 5/7] feat: add foundry vtt to allerting --- hosts/web-arm/modules/blackbox-exporter.nix | 16 +++++++++++++--- .../grafana/alerting/websites/default.nix | 5 ++++- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/hosts/web-arm/modules/blackbox-exporter.nix b/hosts/web-arm/modules/blackbox-exporter.nix index 27f265a..a9ded44 100644 --- a/hosts/web-arm/modules/blackbox-exporter.nix +++ b/hosts/web-arm/modules/blackbox-exporter.nix @@ -7,7 +7,9 @@ let cfg = config.services.blackbox-exporter; nginxVHosts = config.services.nginx.virtualHosts or {}; - allDomains = lib.attrNames nginxVHosts; + allDomains = (lib.attrNames nginxVHosts) ++ [ + "foundry-vtt.cloonar.com" + ]; filteredDomains = builtins.filter (d: !builtins.elem d cfg.blacklistDomains) allDomains; httpsDomains = lib.map (d: "https://${d}") filteredDomains; domainsString = builtins.concatStringsSep "\n " @@ -45,8 +47,16 @@ in { # Configuration file for Blackbox Exporter environment.etc."blackbox_exporter/blackbox.yml".text = '' modules: - http_2xx: + http_200_final: prober: http + http: + method: GET + follow_redirects: true + preferred_ip_protocol: "ip4" # <-- important: avoid blanket IPv6 failures + # optional: if you want to prefer v6 but fall back to v4, add: + # ip_protocol_fallback: true + valid_http_versions: ["HTTP/1.1", "HTTP/2.0"] # tidy, not required but nice + valid_status_codes: [200] ''; # Add scrape config for VictoriaMetrics agent @@ -55,7 +65,7 @@ in { - job_name: "blackbox_http_all_domains" metrics_path: "/probe" params: - module: ["http_2xx"] + module: ["http_200_final"] static_configs: - targets: diff --git a/hosts/web-arm/modules/grafana/alerting/websites/default.nix b/hosts/web-arm/modules/grafana/alerting/websites/default.nix index b6139f6..7e65cf2 100644 --- a/hosts/web-arm/modules/grafana/alerting/websites/default.nix 
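Review bot: `allDomains` now hard-codes `"foundry-vtt.cloonar.com"` in this module, and the same literal is appended a second time in `hosts/web-arm/modules/grafana/alerting/websites/default.nix` in the other hunk of this patch; two hand-maintained copies of the probe-target list will drift the next time one of them is edited. The module already exposes `cfg.blacklistDomains` for the negative case, so the natural fix is a sibling list option (for example `extraDomains`, default `[]`) declared once on `services.blackbox-exporter`, read in both files as `allDomains = (lib.attrNames nginxVHosts) ++ cfg.extraDomains;`, with the Foundry host set once in the host configuration. Whether such an option already exists outside the hunk I cannot tell from here; if it does, both hunks should use it instead of inlining the literal.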
+++ b/hosts/web-arm/modules/grafana/alerting/websites/default.nix @@ -3,7 +3,10 @@ let cfg = config.services.blackbox-exporter; nginxVHosts = config.services.nginx.virtualHosts or {}; - allDomains = lib.attrNames nginxVHosts; + allDomains = + (lib.attrNames nginxVHosts) ++ [ + "foundry-vtt.cloonar.com" + ]; filteredDomains = builtins.filter (d: !builtins.elem d cfg.blacklistDomains) allDomains; httpsDomains = lib.map (d: "https://${d}") filteredDomains; websiteAlertRules = lib.map (target: From b7287b0d519557afa7edec3bd6d154571047c954 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Mon, 8 Sep 2025 17:15:20 +0200 Subject: [PATCH 6/7] feat: change gpd win 4 wireguard --- hosts/fw/modules/wireguard.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/fw/modules/wireguard.nix b/hosts/fw/modules/wireguard.nix index 76fba0f..239e36f 100644 --- a/hosts/fw/modules/wireguard.nix +++ b/hosts/fw/modules/wireguard.nix @@ -22,7 +22,7 @@ allowedIPs = [ "${config.networkPrefix}.98.202/32" ]; } { # GPD Win 4 - publicKey = "HE4eX4IMKG8eRDzcriy6XdIPV71uBY5VTqjKzfHPsFI="; + publicKey = "p3wnxXK7hurOKxruFCRoefj6gCoQeD5XXxD/ogMpew8="; allowedIPs = [ "${config.networkPrefix}.98.203/32" ]; } { From 536fc2b463f5a08d580b21fc4299db0c78edeec5 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Mon, 8 Sep 2025 17:15:37 +0200 Subject: [PATCH 7/7] feat: change dovecot2 sieve --- hosts/mail/modules/dovecot.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hosts/mail/modules/dovecot.nix b/hosts/mail/modules/dovecot.nix index 9a47590..b7f25bd 100644 --- a/hosts/mail/modules/dovecot.nix +++ b/hosts/mail/modules/dovecot.nix 
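Review bot: This hunk is byte-for-byte the one already applied in `[PATCH 3/7] change wireguard key for gpd win 4`: the same `index 76fba0f..239e36f`, the same removed and added `publicKey` lines for the `# GPD Win 4` peer. Once 3/7 is applied the `-` line no longer exists in `hosts/fw/modules/wireguard.nix`, so 6/7 will be rejected by `git am`/`git apply`; if 6/7 was meant to supersede 3/7 instead, 3/7 should be dropped. Remove the duplicate from the series — a no-op commit titled `feat: change gpd win 4 wireguard` misleads anyone later auditing when this peer's key was rotated.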
@@ -189,10 +189,15 @@ in managesieve_logout_format = bytes ( in=%i : out=%o ) } + lda_original_recipient_header = X-Original-To + plugin { sieve_dir = /var/vmail/%d/%n/sieve/scripts/ sieve = /var/vmail/%d/%n/sieve/active-script.sieve - sieve_extensions = +vacation-seconds +editheader + sieve_extensions = +vacation +vacation-seconds +editheader + sieve_vacation_use_original_recipient = yes + sieve_vacation_dont_check_recipient = yes + sieve_vacation_database = file:/var/vmail/%d/%n/sieve/vacation.db; sieve_vacation_min_period = 1min fts = lucene