natto1784/dotfiles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Remilia: add SNM and vault-agent

Browse Source
This commit is contained in:
Amneesh Singh
2021-06-07 10:23:28 +05:30
parent 7602cbf16a
commit 2ffcab212c
5 changed files with 69 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/servers/remilia.nix
View File

@@ -9,6 +9,7 @@
./remilia/boot.nix
./remilia/services.nix
./remilia/builder.nix
./remilia/mailserver.nix
../../configs/nvim.nix
];
# programs.gnupg.agent.enable = lib.mkForce false;

16
hosts/servers/remilia/mailserver.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, pkgs, ... }:
{
mailserver = {
enable = true;
fqdn = "mail.weirdnatto.in";
domains = [ "weirdnatto.in" ];
loginAccounts = {
"natto@weirdnatto.in" = {
hashedPasswordFile = "/var/secrets/natto@weirdnatto.in.key";
aliases = ["@weirdnatto.in"];
};
};
enablePop3 = false;
enablePop3Ssl = false;
};
}

9
hosts/servers/remilia/networking.nix
View File

@@ -6,7 +6,12 @@
firewall = {
interfaces = {
ens3 = {
allowedTCPPorts = [ 22 80 443 ];
allowedTCPPorts = [
22
80 81
443 444
993 465 143 25
];
allowedUDPPorts = [ 17840 ];
};
};
@@ -33,7 +38,7 @@
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE
'';
privateKeyFile = "/var/secrets/wg";
privateKeyFile = "/var/secrets/wg.key";
peers = [
{
publicKey = "m9SSpkj+r2QY4YEUMEoTkbOI/L7C39Kh6m45QZ5mkw4=";

52
hosts/servers/remilia/services.nix
View File

@@ -1,18 +1,20 @@
{config, pkgs, ...}:
{
services = {
openssh = {
enable = true;
openssh = { enable = true;
permitRootLogin = "yes";
};
nginx = {
enable = true;
package = pkgs.nginx;
package = (pkgs.nginx.overrideAttrs(oa: {
configureFlags = oa.configureFlags ++ [ "--with-mail" "--with-mail_ssl_module" ];
}));
virtualHosts = {
"weirdnatto.in" = {
addSSL = true;
enableACME = true;
locations."/".proxyPass = "http://10.55.0.2:80";
serverAliases = [ "www.weirdnatto.in" ];
};
"git.weirdnatto.in" = {
addSSL = true;
@@ -21,27 +23,57 @@
proxyPass = "http://10.55.0.2:5001";
extraConfig = ''
proxy_set_header Host $host;
'';
'';
};
};
"mail.weirdnatto.in" = {
addSSL = true;
enableACME = true;
locations."/" = {};
};
};
};
vault-agent = {
enable = true;
settings = {
vault = {
address = "https://10.55.0.2:8800";
client_cert = "/var/vault/cert.pem";
client_key = "/var/vault/key.pem";
};
auto_auth = {
method = [
{
"cert" = {
name = "Remilia";
};
}
];
};
template = [
{
source = pkgs.writeText "wg.tpl" ''
{{ with secret "kv/systems/Remilia/wg" }}{{ .Data.data.private }}{{ end }}
'';
destination = "/var/secrets/wg.key";
}
{
source = pkgs.writeText "natto@weirdnatto.in.tpl" ''
{{ with secret "kv/systems/Remilia" }}{{ .Data.data.nattomail }}{{ end }}
'';
destination = "/var/secrets/natto@weirdnatto.in.key";
}
];
};
};
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILCH975XCps+VCzo8Fpp5BkbtiFmj9y3//FBVYlQ7/yo"
];
security.acme = {
acceptTerms = true;
certs = {
"weirdnatto.in".email = "natto+acme@weirdnatto.in";
"git.weirdnatto.in".email = "git+acme@weirdnatto.in";
"mail.weirdnatto.in".email = "mail+acme@weirdnatto.in";
};
};
security.pki.certificateFiles = [ ../../../cert.pem ];
}