diff --git a/hosts/remilia/default.nix b/hosts/remilia/default.nix
index 81e3af3..23530f8 100755
--- a/hosts/remilia/default.nix
+++ b/hosts/remilia/default.nix
@@ -8,5 +8,6 @@ ./services.nix ./mailserver.nix ];
+ system.stateVersion = "21.11";
 }
diff --git a/hosts/remilia/mailserver.nix b/hosts/remilia/mailserver.nix
index 4f42f87..2871d51 100644
--- a/hosts/remilia/mailserver.nix
+++ b/hosts/remilia/mailserver.nix
@@ -1,13 +1,20 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
- mailserver = {
+ mailserver = with lib; rec {
 enable = true; fqdn = "mail.weirdnatto.in";
- domains = [ "weirdnatto.in" ];
+ sendingFqdn = fqdn;
+ domains = singleton "weirdnatto.in";
+ certificateDomains = singleton "mail.weirdnatto.in";
+ certificateScheme = 2;
 loginAccounts = { "natto@weirdnatto.in" = { hashedPasswordFile = "/var/secrets/natto@weirdnatto.in.key";
- aliases = ["@weirdnatto.in"];
+ aliases = [ "@weirdnatto.in" ];
+ };
+ "masti@weirdnatto.in" = {
+ hashedPasswordFile = "/var/secrets/masti@weirdnatto.in.key";
+ aliases = [ "@weirdnatto.in" ];
 }; }; enablePop3 = false;
diff --git a/hosts/remilia/networking.nix b/hosts/remilia/networking.nix
index 66ae7b3..34c64e1 100755
--- a/hosts/remilia/networking.nix
+++ b/hosts/remilia/networking.nix
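Review bot: `certificateScheme = 2;` in the new `mailserver` block, if this is the simple-nixos-mailserver module, selects the self-signed scheme as far as I know (1 manual, 2 self-signed, 3 ACME), so IMAP/SMTP clients connecting to mail.weirdnatto.in cannot validate the certificate and users end up clicking through or disabling verification; `certificateDomains` only has an effect under the ACME scheme, which suggests `certificateScheme = 3;` was intended — confirm against the module version pinned in this repo. Both `loginAccounts` now carry the `"@weirdnatto.in"` catch-all alias; depending on how the module merges identical aliases, either every otherwise-unaddressed message for the domain is delivered to both mailboxes or one catch-all silently shadows the other, so record the intent, e.g. `# both accounts receive the domain catch-all — intentional`. `with lib; rec {` pulls every lib name into the option set's scope where it can shadow attribute names; `lib.singleton` at the two call sites reads the same without the `with`. The `mailserver` block continues past the hunk.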
@@ -1,21 +1,41 @@
-{config, pkgs, ...}:
+{ lib, config, pkgs, ... }:
 { networking = { useDHCP = false; hostName = "Remilia";
- firewall = {
- interfaces = {
- ens3 = {
- allowedTCPPorts = [
- 22
- 80 81
- 443 444
- 993 465 143 25
- ];
- allowedUDPPorts = [ 17840 ];
+ firewall =
+ {
+ interfaces = {
+ ens3 = {
+ allowedTCPPorts = [
+ 22
+ 80
+ 81
+ 443
+ 444
+ 993
+ 465
+ 143
+ 25
+ 22001
+ 22002
+ 6600
+ 9898
+ 8999
+ ];
+ allowedUDPPorts = [ 17840 ];
+ };
 };
+ extraCommands = lib.concatMapStringsSep "\n"
+ (x:
+ let
+ t = lib.splitString ":" x.destination;
+ in
+ with builtins;
+ "iptables -t nat -A POSTROUTING -d ${head t} -p tcp -m tcp --dport ${head (tail t)} -j MASQUERADE"
+ )
+ config.networking.nat.forwardPorts;
 };
- };
 interfaces = { ens3 = { useDHCP = true;
@@ -25,6 +45,16 @@ enable = true; externalInterface = "ens3"; internalInterfaces = [ "wg0" ];
+ forwardPorts = [
+ {
+ destination = "10.55.0.2:222";
+ sourcePort = 22;
+ }
+ {
+ destination = "10.55.0.3:6600";
+ sourcePort = 6600;
+ }
+ ];
 }; wireguard.interfaces = { wg0 = {
@@ -38,7 +68,7 @@ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE '';
- privateKeyFile = "/var/secrets/wg.key";
+ privateKeyFile = "/var/wg";
 peers = [ { publicKey = "m9SSpkj+r2QY4YEUMEoTkbOI/L7C39Kh6m45QZ5mkw4=";
diff --git a/hosts/remilia/services.nix b/hosts/remilia/services.nix
index 0003359..e48205e 100755
--- a/hosts/remilia/services.nix
+++ b/hosts/remilia/services.nix
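Review bot: The new `extraCommands` appends MASQUERADE rules straight to the nat table's built-in POSTROUTING chain with `-A` and nothing removes them: the NixOS firewall re-runs `extraCommands` on every reload/switch and, as far as I can tell, only flushes its own `nixos-fw*`/`nixos-nat-*` chains, so each reload adds a duplicate rule per forwarded port, and a later removal of a `forwardPorts` entry leaves the old rule live until reboot. The wg0 block later in this file already pairs its `-A` with a `-D` in postShutdown; mirror that with an `extraStopCommands` built from the same list (below). Masquerading the forwarded traffic also replaces the client's source address with the gateway's, so the services behind port 22 and 6600 will log every connection as coming from the WireGuard host — worth a comment such as `# NAT hides client IPs from the forwarded services; correlate with this host's conntrack/logs` and worth checking before relying on those services' own brute-force logging. Ports 9898 and 8999 are opened in `allowedTCPPorts` with nothing in this commit listening on them; a comment naming the service each belongs to would stop them from outliving it. The `networking` block continues past the hunk.
```nix
extraStopCommands = lib.concatMapStringsSep "\n"
  (x:
    let
      t = lib.splitString ":" x.destination;
    in
    "iptables -t nat -D POSTROUTING -d ${lib.head t} -p tcp -m tcp --dport ${lib.elemAt t 1} -j MASQUERADE 2>/dev/null || true"
  )
  config.networking.nat.forwardPorts;
```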
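Review bot: The second `forwardPorts` entry publishes 10.55.0.3:6600 on the external interface, and the firewall hunk above opens TCP 6600 to the world; 6600 is the conventional MPD control port, and if that is what answers there it has no authentication unless a password is configured, so this reads as an unauthenticated, internet-facing control channel. Unless the service on 10.55.0.3 enforces its own access control, drop this entry and leave 6600 reachable only over wg0, or add a comment stating why public exposure is acceptable, e.g. `# 6600 intentionally public: <reason>`. The `22 -> 10.55.0.2:222` forward is presumably the Git SSH endpoint (the commented-out streamConfig in services.nix labels that upstream `gitea`); a comment saying so next to the entry explains why the firewall still opens 22 now that sshd listens on 22001/22002. The enclosing `networking.nat` block starts outside the hunk.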
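Review bot: `privateKeyFile = "/var/wg";` moves the WireGuard private key out of `/var/secrets/`, the directory every other secret on this host is rendered into by vault-agent (services.nix), to a bare path that nothing in this commit provisions, so its origin, owner and mode are now undocumented. If the file is placed by hand, add a comment recording that and the expected permissions, e.g. `# placed manually; must be root:root 0600, not managed by vault-agent`, or better, add a vault-agent template that renders it alongside the mail secrets so provisioning is declarative. The peers list and the rest of the wg0 definition continue outside the hunk.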
@@ -1,12 +1,19 @@
-{config, pkgs, ...}:
+{ config, pkgs, lib, ... }:
 { services = {
- openssh = { enable = true;
+ openssh = {
+ enable = true;
 permitRootLogin = "yes";
+ ports = [ 22001 22002 ];
+ };
+ znc = {
+ enable = true;
+ mutable = true;
+ useLegacyConfig = false;
 }; nginx = { enable = true;
- package = (pkgs.nginx.overrideAttrs(oa: {
+ package = (pkgs.nginx.overrideAttrs (oa: {
 configureFlags = oa.configureFlags ++ [ "--with-mail" "--with-mail_ssl_module" ]; })); virtualHosts = {
@@ -20,13 +27,75 @@ addSSL = true; enableACME = true; locations."/" = {
- proxyPass = "http://10.55.0.2:5001";
+ proxyPass = "http://10.55.0.2:5000";
+ extraConfig = ''
+ client_max_body_size 64M;
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+ "vault.weirdnatto.in" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "https://10.55.0.2:8800";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+ "consul.weirdnatto.in" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://10.55.0.2:8500";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+ "nomad.weirdnatto.in" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://10.55.0.2:4646";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_buffering off;
+ proxy_read_timeout 310s;
+ '';
+ };
+ };
+ "radio.weirdnatto.in" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://10.55.0.3:8000";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+ "ci.weirdnatto.in" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://10.55.0.2:6666";
 extraConfig = '' proxy_set_header Host $host; ''; }; }; };
+ /*streamConfig = ''
+ upstream gitea {
+ server 10.55.0.2:222;
+ }
+ server {
+ listen 22001;
+ proxy_pass gitea;
+ }
+ '';*/
 }; vault-agent = { enable = true;
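Review bot: The new `znc` block enables the daemon with `useLegacyConfig = false` but no `config`, so the NixOS module's default configuration applies; as far as I recall that default ships an admin user with a documented, well-known password and an SSL listener, and `mutable = true` additionally lets changes made through the web admin persist and drift from what is declared here. Declare `services.znc.config` explicitly, with a `User` block carrying your own password hash and a `Listener` bound to the WireGuard or loopback address, and tie its port to the firewall with a comment, e.g. `# znc listener port must match networking.nix allowedTCPPorts`. Moving sshd to `ports = [ 22001 22002 ];` frees 22 for the Gitea forward, but `permitRootLogin = "yes"` (context, not new here) still allows password logins as root on the new ports; `permitRootLogin = "prohibit-password";` limits root to the keys listed later in this file. The `services` block continues past the hunk.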
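Review bot: The new vault/consul/nomad/ci virtual hosts reverse-proxy cluster control planes to the public internet with no access control at the proxy, and each uses `addSSL = true`, which keeps the plain-HTTP listener serving the same locations rather than redirecting it; unless the backends enforce ACLs themselves (not visible here), anyone who resolves these names can read or change cluster state, over cleartext if they choose. Switch each to `forceSSL = true;` and gate the admin UIs with `basicAuthFile` or `allow 10.55.0.0/24; deny all;` in `extraConfig` so they are reachable only over WireGuard. The Vault upstream is `https://10.55.0.2:8800`, but nginx does not verify upstream certificates by default; add `proxy_ssl_verify on; proxy_ssl_trusted_certificate <CA the upstream uses>;` (the `../../cert.pem` this file installs via `security.pki.certificateFiles` may be that CA — confirm). Every location forwards only `Host`; `proxy_set_header X-Forwarded-For $remote_addr;` (or `recommendedProxySettings = true;`) keeps the client address in the backends' logs for detection. The commented-out `streamConfig` is dead code and should be removed or explained; the `nginx` and `services` blocks continue outside the hunk.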
@@ -54,10 +123,16 @@ } { source = pkgs.writeText "natto@weirdnatto.in.tpl" ''
- {{ with secret "kv/systems/Remilia" }}{{ .Data.data.nattomail }}{{ end }}
+ {{ with secret "kv/systems/Remilia/mail" }}{{ .Data.data.nattomail }}{{ end }}
 ''; destination = "/var/secrets/natto@weirdnatto.in.key"; }
+ {
+ source = pkgs.writeText "masti@weirdnatto.in.tpl" ''
+ {{ with secret "kv/systems/Remilia/mail" }}{{ .Data.data.mastimail }}{{ end }}
+ '';
+ destination = "/var/secrets/masti@weirdnatto.in.key";
+ }
 ]; }; };
@@ -67,13 +142,15 @@ users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILCH975XCps+VCzo8Fpp5BkbtiFmj9y3//FBVYlQ7/yo"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0jyHWuWBKzucnARINqQ/A0AFPghxayh0DDthbpOhaz"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFyKi0HYfkgvEDvjzmDRGwAq2z2KOkfv7scTVSnonBh"
 ]; security.acme = { acceptTerms = true; certs = {
- "weirdnatto.in".email = "natto+acme@weirdnatto.in";
- "git.weirdnatto.in".email = "git+acme@weirdnatto.in";
- };
+ "weirdnatto.in".extraDomainNames = lib.singleton "www.weirdnatto.in";
+ } //
+ lib.mapAttrs' (n: _: lib.nameValuePair n ({ email = "natto@weirdnatto.in"; })) config.services.nginx.virtualHosts;
 }; security.pki.certificateFiles = [ ../../cert.pem ]; }
diff --git a/modules/min-pkgs.nix b/modules/min-pkgs.nix
index 1b43b30..fdea9b6 100755
--- a/modules/min-pkgs.nix
+++ b/modules/min-pkgs.nix
@@ -35,7 +35,7 @@ nix = { package = pkgs.nixUnstable; extraOptions = ''
- experimental-features = nix-command ca-references flakes
+ experimental-features = nix-command flakes
 ''; trustedUsers = [ "root" ]; };
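Review bot: The new `masti@weirdnatto.in.tpl` template, like the existing natto one, sets no `perms` on the rendered `/var/secrets/masti@weirdnatto.in.key`, so Vault Agent's default file mode applies, which as far as I recall is world-readable (0644). Add `perms = "0600";` to both template entries and check the result on the host with `stat /var/secrets/`; a password hash is not plaintext, but a readable hash is still offline-crackable material that any local account could copy. The `templates` list and the enclosing `vault-agent` block start outside the hunk.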
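Review bot: The `//` in the new `certs` definition puts the generated attribute set on the right, so if `weirdnatto.in` is itself one of `config.services.nginx.virtualHosts` (the old code had a cert for it, so it very likely is), the generated `{ email = ...; }` replaces the left-hand entry and `extraDomainNames = [ "www.weirdnatto.in" ]` is silently dropped, because `//` is a shallow merge. Either swap the operands or spell the override out: `certs = lib.mapAttrs (_: _: { email = "natto@weirdnatto.in"; }) config.services.nginx.virtualHosts // { "weirdnatto.in" = { email = "natto@weirdnatto.in"; extraDomainNames = [ "www.weirdnatto.in" ]; }; };` (`mapAttrs'` with `nameValuePair n` is just `mapAttrs`). Two more root keys are added above, making four with no indication of whose device each is; a comment per key, e.g. `# <owner>, <device>, added 2021-11`, is what lets a single compromised key be revoked without guessing. The module's attribute set opens outside the hunk.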