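# NixOS host configuration for "procul" (informis.land).
#
# This host runs authoritative DNS, a Heimdal KDC, the mail server, PostgreSQL,
# a git forge, ACME/nginx, a WireGuard hub and a Gemini server.  Most services
# are configured through the site-local `fudo` and `informis` modules; their
# option semantics are not visible from this file, so comments that depend on
# them are marked as assumptions to confirm.
{ config, pkgs, lib, ... }:

with lib;

let
  hostname = "procul";
  domain = "informis.land";
  host_ipv4 = "172.86.179.18";
  host-fqdn = "${hostname}.${domain}";

  # Paths of the ACME-managed key/certificate pair for a given certificate
  # name.  These are plain strings: the files are read by the services at
  # runtime and are never copied into the Nix store.
  acme-private-key = cert-name: "/var/lib/acme/${cert-name}/key.pem";
  acme-certificate = cert-name: "/var/lib/acme/${cert-name}/fullchain.pem";

in {
  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/sdb";
  };

  imports = [
    ../hardware-configuration.nix
    ../defaults.nix
    ../informis/users.nix
  ];

  environment.systemPackages = with pkgs; [ multipath-tools ];

  networking = {
    hostName = hostname;

    # Resolve through the local secure-dns-proxy (fudo.secure-dns-proxy below
    # listens on 127.0.0.1:53).
    nameservers = [ "127.0.0.1" ];

    dhcpcd.enable = false;
    useDHCP = false;

    # TODO: fix IPv6
    enableIPv6 = true;

    # Create a bridge for VMs to use: a macvlan in bridge mode on the
    # physical NIC, which is then the host's own uplink (extif0).
    macvlans = {
      extif0 = {
        interface = "enp0s25";
        mode = "bridge";
      };
    };

    # For WireGuard: masquerade VPN clients (fudo.vpn below) out via extif0.
    nat = {
      enable = true;
      externalInterface = "extif0";
      internalInterfaces = [ "wgtun0" ];
    };

    interfaces = {
      extif0 = {
        # result of:
        # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
        macAddress = "02:e2:b7:db:e8:af";
        ipv4.addresses = [
          {
            address = host_ipv4;
            prefixLength = 29;
          }
        ];
      };
    };
  };

  hardware.bluetooth.enable = false;

  # Unprivileged account the git forge and its database role run as.
  users.users.gituser = {
    isSystemUser = true;
    group = "nogroup";
  };

  fudo = {
    common = {
      # Sets some server-common settings. See /etc/nixos/fudo/profiles/...
      profile = "server";

      # Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...
      site = "joes";

      inherit domain;
      admin-email = "admin@${domain}";

      local-networks = [
        "172.86.179.16/29"
        "208.81.1.128/28"
        "208.81.3.112/28"
        "172.17.0.0/16"
        "127.0.0.0/8"
      ];
    };

    # Not all users need access to procul; don't allow LDAP-user access.
    authentication.enable = false;

    auth.kdc = {
      enable = true;
      database-path = "/var/heimdal/heimdal";
      # Realm is the upper-cased primary domain.
      realm = toUpper domain;
      mkey-file = "/srv/heimdal/secure/m-key";
      acl-file = "/etc/heimdal/kdc.acl";
      # The KDC is reachable on the public address as well as loopback.
      bind-addresses = [
        host_ipv4
        "127.0.0.1"
        "127.0.1.1"
      ];
    };

    system.tmpOnTmpfs = false;

    # Local DoH forwarder; the host's own resolver (networking.nameservers).
    secure-dns-proxy = {
      enable = true;
      upstream-dns = [ "https://cloudflare-dns.com/dns-query" ];
      bootstrap-dns = "1.1.1.1";
      listen-ips = [ "127.0.0.1" ];
      port = 53;
    };

    # Authoritative DNS for the site.
    dns = {
      enable = true;

      dns-hosts = {
        "ns1.${domain}" = host_ipv4;
        "ns2.${domain}" = host_ipv4;
      };

      # Bind only the public address; port 53 on loopback belongs to
      # secure-dns-proxy above.
      listen-ips = [ host_ipv4 ];

      domains = {
        "${domain}" = import ../informis/informis.land.nix {
          inherit host_ipv4 config;
        };
      };
    };

    mail-server = {
      enable = true;
      # NOTE(review): debug logging is enabled on a production mailer; confirm
      # the module does not log credentials or message bodies at this level.
      debug = true;

      inherit domain;
      hostname = host-fqdn;
      monitoring = false;
      mail-user = "mailuser";
      mail-user-id = 525;
      mail-group = "mailgroup";
      clamav.enable = true;
      dkim.signing = true;

      # IMAP and SMTP present their own ACME certificates (see fudo.acme
      # below for the names that are requested).
      dovecot = {
        ssl-certificate = acme-certificate "imap.${domain}";
        ssl-private-key = acme-private-key "imap.${domain}";
      };

      postfix = {
        ssl-certificate = acme-certificate "smtp.${domain}";
        ssl-private-key = acme-private-key "smtp.${domain}";
      };

      # This should NOT include the primary domain
      local-domains = [
        host-fqdn
        "smtp.${domain}"
      ];

      mail-directory = "/srv/mailserver/mail";
      state-directory = "/srv/mailserver/state";

      # NOTE(review): presumably networks allowed to relay unauthenticated —
      # verify against the module.  Loopback is 127.0.0.0/8 (as used in
      # fudo.common.local-networks); /16 still covers 127.0.0.1 and 127.0.1.1.
      trusted-networks = [
        "172.86.179.16/29"
        "127.0.0.0/16"
      ];

      # Every administrative mailbox is delivered to the same user.
      alias-users = genAttrs [
        "root"
        "postmaster"
        "hostmaster"
        "webmaster"
        "system"
        "admin"
        "dmarc-report"
      ] (_: [ "niten" ]);
    };

    postgresql = {
      enable = true;
      ssl-certificate = acme-certificate host-fqdn;
      ssl-private-key = acme-private-key host-fqdn;
      keytab = "/srv/postgres/secure/postgres.keytab";

      local-networks = [
        "172.86.179.16/29"
        "127.0.0.0/16"
      ];

      users.gituser = {
        # NOTE(review): `fileContents` reads the secret at evaluation time, so
        # the password becomes part of the evaluated configuration and very
        # likely ends up in a world-readable file under /nix/store.  If the
        # module offers a file-based option (fudo.git.database.password-file
        # below takes a path), prefer that; otherwise treat this password as
        # readable by every local user.
        password = fileContents "/srv/git/secure/db.passwd";
        databases.git = "ALL PRIVILEGES";
      };

      databases.git = [ "niten" ];
    };

    git = {
      enable = true;
      hostname = "git.${domain}";
      site-name = "informis git";
      user = "gituser";

      # NOTE(review): these are Nix path literals, not strings.  If the module
      # string-interpolates them, Nix copies the target into /nix/store at
      # evaluation time — the repositories and the password file would then
      # be world-readable.  Confirm the module uses toString on them, or
      # switch to quoted strings if it accepts them.
      repository-dir = /srv/git/repo;
      state-dir = /srv/git/state;

      database = {
        user = "gituser";
        password-file = /srv/git/secure/db.passwd;
        hostname = "127.0.0.1";
        name = "git";
      };
    };

    acme = {
      enable = true;
      admin-address = "admin@${domain}";
      # Certificate names; the key/fullchain paths are derived by
      # acme-private-key / acme-certificate above.
      hostnames = [
        domain
        "imap.${domain}"
        "smtp.${domain}"
        "gemini.${domain}"
      ];
    };

    # WireGuard hub; peers are NATed out through extif0 (networking.nat).
    vpn = {
      enable = true;
      ips = "10.100.0.0/16";
      private-key-file = "/srv/wireguard/secure/secret.key";

      # One /24 per peer inside the VPN range.
      peers = {
        peter = {
          allowed-ips = [ "10.100.1.0/24" ];
          public-key = "d1NfRFWRkcKq2gxvqfMy7Oe+JFYf5DjomnsTyisvgB4=";
        };
        ken = {
          allowed-ips = [ "10.100.2.0/24" ];
          public-key = "y294rTCK0iSRhA6EIOErPzEuqzJMuYAG4XbHasySMVU=";
        };
        helen = {
          allowed-ips = [ "10.100.3.0/24" ];
          public-key = "7Hdko6RibhIYdoPLWXGwmElY5vKvZ+rURmqFTDUfC2w=";
        };
      };
    };
  };

  security.acme.certs.${host-fqdn}.email = "admin@${domain}";

  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "${host-fqdn}" = {
        enableACME = true;
        forceSSL = true;
      };
    };
  };

  informis.cl-gemini = {
    enable = true;

    server-ip = host_ipv4;
    document-root = "/srv/gemini/root";

    # Self-managed key/certificate rather than the ACME pair, even though
    # gemini.${domain} is requested in fudo.acme.hostnames above.
    ssl-private-key = "/srv/gemini/private/key.pem";
    ssl-certificate = "/srv/gemini/private/cert.pem";

    # NOTE(review): slynk is a remote Lisp REPL, i.e. full control of the
    # server image; confirm the module binds it to loopback only.
    slynk-port = 4005;

    textfiles-archive = "/srv/gemini/textfiles";

    feeds = {
      viator = {
        title = "viator's phlog";
        path = "/home/viator/gemini-public/feed/";
        url = "gemini://informis.land/user/viator/feed/";
      };
    };
  };
}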