diff --git a/Justfile b/Justfile index cef749d..ed1c81b 100644 --- a/Justfile +++ b/Justfile @@ -33,3 +33,6 @@ ai: installer-iso: nix shell nixpkgs#nixos-generators --command nixos-generate -f install-iso --flake ./#nixos + +vps: + nixos-rebuild switch --flake ./#vps --target-host root@10.0.0.1 diff --git a/flake.lock b/flake.lock index d7d30db..9b38b45 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,21 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "devshell": { "inputs": { "nixpkgs": [ @@ -22,6 +38,30 @@ "type": "github" } }, + "devshell_2": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixpkgs": [ + "webshite", + "ide", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717408969, + "narHash": "sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY=", + "owner": "numtide", + "repo": "devshell", + "rev": "1ebbe68d57457c8cae98145410b164b5477761f4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { 
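Review bot: The new `vps` recipe switches the remote as `root@10.0.0.1`, and nothing in the hunk says that this is the wg0 tunnel address defined under hosts/vps/mailserver/wireguard in this same commit, so the recipe times out from any machine that is not a WireGuard peer. A one-line comment above it, `# deploys over the wg0 tunnel (10.0.0.1 = VPS side); needs root key auth, see PermitRootLogin prohibit-password`, keeps that dependency visible. The closure is also built locally and then copied, so the invoking host presumably has to be able to build x86_64-linux derivations; that is worth stating in the same comment.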
@@ -68,6 +108,84 @@ "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" } }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_6": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_7": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, + "flake-compat_8": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": 
"flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -134,6 +252,75 @@ "type": "github" } }, + "flake-parts_4": { + "inputs": { + "nixpkgs-lib": [ + "webshite", + "ide", + "neovim-nightly-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_5": { + "inputs": { + "nixpkgs-lib": [ + "webshite", + "ide", + "neovim-nightly-overlay", + "hercules-ci-effects", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "flake-parts_6": { + "inputs": { + "nixpkgs-lib": [ + "webshite", + "ide", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": [ 
@@ -173,6 +360,46 @@ "type": "github" } }, + "flake-utils_3": { + "inputs": { + "systems": [ + "webshite", + "ide", + "systems" + ] + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "git-hooks": { "inputs": { "flake-compat": "flake-compat_2", 
@@ -235,6 +462,68 @@ "type": "github" } }, + "git-hooks_3": { + "inputs": { + "flake-compat": "flake-compat_6", + "gitignore": "gitignore_3", + "nixpkgs": [ + "webshite", + "ide", + "neovim-nightly-overlay", + "nixpkgs" + ], + "nixpkgs-stable": [ + "webshite", + "ide", + "neovim-nightly-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718879355, + "narHash": "sha256-RTyqP4fBX2MdhNuMP+fnR3lIwbdtXhyj7w7fwtvgspc=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "8cd35b9496d21a6c55164d8547d9d5280162b07a", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "git-hooks_4": { + "inputs": { + "flake-compat": "flake-compat_8", + "gitignore": "gitignore_4", + "nixpkgs": [ + "webshite", + "ide", + "nixvim", + "nixpkgs" + ], + "nixpkgs-stable": [ + "webshite", + "ide", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718879355, + "narHash": "sha256-RTyqP4fBX2MdhNuMP+fnR3lIwbdtXhyj7w7fwtvgspc=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "8cd35b9496d21a6c55164d8547d9d5280162b07a", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ 
@@ -281,6 +570,54 @@ "type": "github" } }, + "gitignore_3": { + "inputs": { + "nixpkgs": [ + "webshite", + "ide", + "neovim-nightly-overlay", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_4": { + "inputs": { + "nixpkgs": [ + "webshite", + "ide", + "nixvim", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "hercules-ci-effects": { "inputs": { "flake-parts": "flake-parts_2", @@ -304,6 +641,30 @@ "type": "github" } }, + "hercules-ci-effects_2": { + "inputs": { + "flake-parts": "flake-parts_5", + "nixpkgs": [ + "webshite", + "ide", + "neovim-nightly-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718018037, + "narHash": "sha256-03rLBd/lKecgaKz0j5ESUf9lDn5R0SJatZTKLL5unWE=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "0ab08b23ce3c3f75fe9a5598756b6fb8bcf0b414", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -346,6 +707,29 @@ "type": "github" } }, + "home-manager_3": { + "inputs": { + "nixpkgs": [ + "webshite", + "ide", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719037157, + "narHash": "sha256-aOKd8+mhBsLQChCu1mn/W5ww79ta5cXVE59aJFrifM8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "cd886711998fe5d9ff7979fdd4b4cbd17b1f1511", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "hosts": { "inputs": { "nixpkgs": [ @@ -390,6 +774,31 @@ "type": "github" } }, + "ide_2": { + "inputs": { + "flake-utils": "flake-utils_3", + "neovim-nightly-overlay": "neovim-nightly-overlay_2", + "nixpkgs": [ + "webshite", + "nixpkgs" + ], + "nixvim": "nixvim_2", + "systems": "systems_4" + }, + "locked": { + "lastModified": 1720387774, + "narHash": "sha256-vbdLOPW2s5HZ/aRJl2GtcL1d4racetoPRn6W7dGVl+E=", + "owner": "ivandimitrov8080", + "repo": "flake-ide", + "rev": "7194c89a92430d755aabd11d2eae25d13b6e8f00", + "type": "github" + }, + "original": { + "owner": "ivandimitrov8080", + "repo": "flake-ide", + "type": "github" + } + }, "musnix": { "inputs": { "nixpkgs": [ @@ -436,6 +845,33 @@ "type": "github" } }, + "neovim-nightly-overlay_2": { + "inputs": { + "flake-compat": "flake-compat_5", + "flake-parts": "flake-parts_4", + "git-hooks": "git-hooks_3", + "hercules-ci-effects": "hercules-ci-effects_2", + "neovim-src": "neovim-src_2", + "nixpkgs": [ + "webshite", + "ide", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719211247, + "narHash": "sha256-GaEckCf2RaHzoEDj/j07BIV6eyDOT5wCFVSdbbkZ87U=", + "owner": "nix-community", + "repo": "neovim-nightly-overlay", + "rev": "820da0e6b6127df9ad05ef3af40d767577e21ba1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "neovim-nightly-overlay", + "type": "github" + } + }, "neovim-src": { "flake": false, "locked": { 
@@ -452,6 +888,22 @@ "type": "github" } }, + "neovim-src_2": { + "flake": false, + "locked": { + "lastModified": 1719138008, + "narHash": "sha256-+rM0RjvuW6/vzxdJxEU6KvQEF159NXrgB+irtS044Cc=", + "owner": "neovim", + "repo": "neovim", + "rev": "be999e6a0e5b251b2b37500d06636d4167334c6e", + "type": "github" + }, + "original": { + "owner": "neovim", + "repo": "neovim", + "type": "github" + } + }, "nix-darwin": { "inputs": { "nixpkgs": [ @@ -474,6 +926,29 @@ "type": "github" } }, + "nix-darwin_2": { + "inputs": { + "nixpkgs": [ + "webshite", + "ide", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719128254, + "narHash": "sha256-I7jMpq0CAOZA/i70+HDQO/ulLttyQu/K70cSESiMX7A=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "50581970f37f06a4719001735828519925ef8310", + "type": "github" + }, + "original": { + "owner": "lnl7", + "repo": "nix-darwin", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1722421184, @@ -490,6 +965,21 @@ "type": "github" } }, + "nixpkgs-24_05": { + "locked": { + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, "nixvim": { "inputs": { "devshell": "devshell", 
@@ -519,6 +1009,35 @@ "type": "github" } }, + "nixvim_2": { + "inputs": { + "devshell": "devshell_2", + "flake-compat": "flake-compat_7", + "flake-parts": "flake-parts_6", + "git-hooks": "git-hooks_4", + "home-manager": "home-manager_3", + "nix-darwin": "nix-darwin_2", + "nixpkgs": [ + "webshite", + "ide", + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix_2" + }, + "locked": { + "lastModified": 1719228487, + "narHash": "sha256-eJUcZAjOcGAoh97ZRsy+ls8IkHPMpDuh0IpRKSmoWs4=", + "owner": "nix-community", + "repo": "nixvim", + "rev": "66c8592b31845cb0a1335ecc31ea40e89bed1a38", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixvim", + "type": "github" + } + }, "nuschtosSearch": { "inputs": { "flake-utils": "flake-utils_2", @@ -570,7 +1089,10 @@ "musnix": "musnix", "nixpkgs": "nixpkgs", "parts": "parts", - "sal": "sal" + "sal": "sal", + "simple-nixos-mailserver": "simple-nixos-mailserver", + "vpsadminos": "vpsadminos", + "webshite": "webshite" } }, "sal": { @@ -596,6 +1118,29 @@ "type": "github" } }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_4", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-24_05": "nixpkgs-24_05" + }, + "locked": { + "lastModified": 1721121314, + "narHash": "sha256-zwc7YXga/1ppaZMWFreZykXtFwBgXodxUZiUx969r+g=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "059b50b2e729729ea00c6831124d3837c494f3d5", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "systems": { "locked": { "lastModified": 1681028828, 
@@ -626,6 +1171,36 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1680978846, + "narHash": "sha256-Gtqg8b/v49BFDpDetjclCYXm8mAnTrUzR0JnE2nv5aw=", + "owner": "nix-systems", + "repo": "x86_64-linux", + "rev": "2ecfcac5e15790ba6ce360ceccddb15ad16d08a8", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "x86_64-linux", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ 
@@ -647,6 +1222,65 @@ "repo": "treefmt-nix", "type": "github" } + }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "webshite", + "ide", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718522839, + "narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "vpsadminos": { + "locked": { + "lastModified": 1722101851, + "narHash": "sha256-fM5Z8Qhk9/AbGYJ4VrJilGlFK9btBEF+ROtbYYJZJ1I=", + "owner": "vpsfreecz", + "repo": "vpsadminos", + "rev": "2c8ff8462a6f4aefb7bd2663d6ddbedd9d161f2c", + "type": "github" + }, + "original": { + "owner": "vpsfreecz", + "repo": "vpsadminos", + "type": "github" + } + }, + "webshite": { + "inputs": { + "ide": "ide_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722604181, + "narHash": "sha256-lbli+H6fgQlVyXX4qtU8SfvncDB+HZOUd53Rj23pyv0=", + "owner": "ivandimitrov8080", + "repo": "idimitrov.dev", + "rev": "4d1b71bf30bcf24b0ef5e347026d2c5369cad8eb", + "type": "github" + }, + "original": { + "owner": "ivandimitrov8080", + "repo": "idimitrov.dev", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 8d595cf..0585670 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,7 @@ { inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + vpsadminos.url = "github:vpsfreecz/vpsadminos"; home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -25,6 +26,14 @@
 url = "github:musnix/musnix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ simple-nixos-mailserver = {
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ webshite = {
+ url = "github:ivandimitrov8080/idimitrov.dev";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = inputs: inputs.parts.lib.mkFlake { inherit inputs; } { imports = [ ./. ]; };
 }
diff --git a/hardware-configurations/default.nix b/hardware-configurations/default.nix
index 09ceac4..91f9607 100644
--- a/hardware-configurations/default.nix
+++ b/hardware-configurations/default.nix
@@ -16,8 +16,8 @@ top@{ ... }: {
 "/boot" = { device = "/dev/disk/by-uuid/4C3C-993A"; fsType = "vfat"; };
 };
 swapDevices = [ ];
- networking.useDHCP = lib.mkDefault true;
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ networking.useDHCP = lib.mkForce true;
+ nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
 hardware.cpu.intel.updateMicrocode = lib.mkForce false;
 };
 };
diff --git a/hosts/vps/mailserver/configuration.nix b/hosts/vps/mailserver/configuration.nix
new file mode 100644
index 0000000..aac497e
--- /dev/null
+++ b/hosts/vps/mailserver/configuration.nix
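Review bot: The `webshite` input is consumed only as `packages.${system}.default` (packages/default.nix hunk), yet it drags an entire editor toolchain into this server's lock file (`ide_2`, `nixvim_2`, `neovim-nightly-overlay_2`, `home-manager_3`, `nix-darwin_2` plus the `_3`–`_8` duplicates of flake-compat, flake-parts and git-hooks). Every one of those is now a supply-chain dependency of the VPS build and a source of `nix flake update` churn; it is worth checking whether the site flake can be consumed without its `ide` input (a `follows` override on `inputs.webshite.inputs.ide`, or exposing the site as a plain package), and otherwise a comment on the input stating that only the static site is used would help. Separately, `vpsadminos.url` in the previous hunk is the only input without `inputs.nixpkgs.follows`; the lock shows it carrying no inputs of its own, so if that omission is deliberate a comment saying so prevents someone "fixing" it later.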
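Review bot: Switching `networking.useDHCP` and `nixpkgs.hostPlatform` from `mkDefault` to `mkForce` means no other module can override these two values any more, and the hunk gives no hint which conflicting definition prompted the change. A comment such as `# mkForce: wins over the value set by <module — fill in>` on those lines keeps the intent visible; `updateMicrocode` already uses `mkForce` without explanation, so one comment covering all three would do. The enclosing attribute set starts outside the hunk.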
@@ -0,0 +1,103 @@ +{ pkgs, ... }: +{ + time.timeZone = "Europe/Prague"; + + fileSystems."/mnt/export1981" = { + device = "172.16.128.47:/nas/5490"; + fsType = "nfs"; + options = [ "nofail" ]; + }; + + nix = { + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + security = { + acme = { + acceptTerms = true; + defaults.email = "security@idimitrov.dev"; + }; + }; + + networking = { + firewall = pkgs.lib.mkForce { + enable = true; + allowedTCPPorts = [ + 25 # smtp + 465 # smtps + 80 # http + 443 # https + ]; + allowedUDPPorts = [ + 25 + 465 + 80 + 443 + 51820 # wireguard + ]; + extraCommands = '' + iptables -N vpn # create a new chain named vpn + iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow + iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow + iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow + iptables -A vpn -j DROP # drop everyone else + iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn + ''; + extraStopCommands = '' + iptables -F vpn + iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn + iptables -X vpn + ''; + }; + }; + + users = { + users.ivand = { + isNormalUser = true; + hashedPassword = + "$2b$05$hPrPcewxj4qjLCRQpKBAu.FKvKZdIVlnyn4uYsWE8lc21Jhvc9jWG"; + extraGroups = [ "wheel" "adm" "mlocate" ]; + openssh.authorizedKeys.keys = [ + '' + ssh-rsa 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 ivand@nixos + '' + ]; + }; + extraGroups = { mlocate = { }; }; + }; + + environment = { + enableAllTerminfo = true; + }; + + services = { + openssh = { + enable = true; + settings = { + PermitRootLogin = "prohibit-password"; + }; + }; + }; + systemd = { + timers = { + bingwp = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "*-*-* 10:00:00"; + Persistent = true; + }; + }; + }; + services = { + bingwp = { + description = "Download bing image of the day"; + script = '' + ${pkgs.nushell}/bin/nu -c "http get ('https://bing.com' + ((http get https://www.bing.com/HPImageArchive.aspx?format=js&n=1).images.0.url)) | save 
('/var/pic' | path join ( [ (date now | format date '%Y-%m-%d'), '.png' ] | str join ))" + ${pkgs.nushell}/bin/nu -c "${pkgs.toybox}/bin/ln -sf (ls /var/pic | where type == file | get name | sort | last) /var/pic/latest.png" + ''; + }; + }; + }; +} diff --git a/hosts/vps/mailserver/default.nix b/hosts/vps/mailserver/default.nix new file mode 100644 index 0000000..775958f --- /dev/null +++ b/hosts/vps/mailserver/default.nix @@ -0,0 +1,3 @@ +{ + imports = [ ./configuration.nix ./mailserver ./roundcube ./postgres ./wireguard ./nginx ./tor ./i2pd ./gitea ./dnscrypt ./monero ]; +} diff --git a/hosts/vps/mailserver/dnscrypt/default.nix b/hosts/vps/mailserver/dnscrypt/default.nix new file mode 100644 index 0000000..66a708b --- /dev/null +++ b/hosts/vps/mailserver/dnscrypt/default.nix @@ -0,0 +1,33 @@ +{ + networking = { + nameservers = [ "127.0.0.1" "::1" ]; + dhcpcd.extraConfig = "nohook resolv.conf"; + }; + + services.dnscrypt-proxy2 = { + enable = true; + settings = { + ipv4_servers = true; + ipv6_servers = true; + dnscrypt_servers = true; + doh_servers = false; + odoh_servers = false; + require_dnssec = true; + require_nolog = true; + require_nofilter = true; + sources.public-resolvers = { + urls = [ + "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" + "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" + ]; + cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + }; + }; + }; + systemd.services.dnscrypt-proxy2.serviceConfig = { + StateDirectory = "dnscrypt-proxy"; + }; +} + + diff --git a/hosts/vps/mailserver/gitea/default.nix b/hosts/vps/mailserver/gitea/default.nix new file mode 100644 index 0000000..bb6942b --- /dev/null +++ b/hosts/vps/mailserver/gitea/default.nix 
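Review bot: `allowedUDPPorts` opens 25, 465, 80 and 443 over UDP, but SMTP, SMTPS and the nginx vhosts added in this commit are TCP-only, so those four entries expose unused UDP ports for no gain; only 51820 (WireGuard) belongs in that list. The SSH restriction in `extraCommands` is IPv4-only: the `vpn` chain is installed with `iptables`, while wg0 also carries `fdc9:281f:04d7:9ee9::/64` and `services.openssh.openFirewall` defaults to opening port 22 in ip6tables as well, so if the host has a public IPv6 address SSH over IPv6 bypasses the VPN filter; mirror the chain with `ip6tables`, or bind sshd to the wg0 addresses through `services.openssh.listenAddresses`. `pkgs.lib.mkForce` on the whole `firewall` attribute set also likely discards whatever `allowedTCPPorts` the mailserver module contributes (IMAP/submission), which may be intended but deserves a comment. Finally, the `bingwp` service fetches from the internet and writes into a directory nginx serves publicly, with no `serviceConfig.User`/`DynamicUser`, so it runs as root; a dedicated user owning `/var/pic` would contain a bad download.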
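Review bot: `minisign_key` is the trust anchor that authenticates the public resolver list, and the hunk gives no hint where it came from, so a future key rotation cannot be checked against anything. A comment above it such as `# signing key for the DNSCrypt public-resolvers list; re-verify against the upstream dnscrypt-resolvers repository before changing` makes re-verification routine and documents why the two `urls` are trusted at all.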
@@ -0,0 +1,23 @@
+{ ... }:
+{
+ services.gitea = {
+ enable = true;
+ appName = "src";
+ database = {
+ type = "postgres";
+ };
+ settings = {
+ server = {
+ DOMAIN = "src.idimitrov.dev";
+ ROOT_URL = "https://src.idimitrov.dev/";
+ HTTP_PORT = 3001;
+ };
+ repository = {
+ DEFAULT_BRANCH = "master";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ };
+ };
+}
diff --git a/hosts/vps/mailserver/i2pd/default.nix b/hosts/vps/mailserver/i2pd/default.nix
new file mode 100644
index 0000000..2966e7e
--- /dev/null
+++ b/hosts/vps/mailserver/i2pd/default.nix
@@ -0,0 +1,14 @@
+{
+ services.i2pd = {
+ enable = true;
+ inTunnels = {
+ idimitrov = {
+ enable = true;
+ keys = "idimitrov-keys.dat";
+ inPort = 80;
+ destination = "127.0.0.1";
+ port = 3000;
+ };
+ };
+ };
+}
diff --git a/hosts/vps/mailserver/mailserver/default.nix b/hosts/vps/mailserver/mailserver/default.nix
new file mode 100644
index 0000000..dd446e9
--- /dev/null
+++ b/hosts/vps/mailserver/mailserver/default.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+{
+ mailserver = {
+ enable = true;
+ localDnsResolver = false;
+ fqdn = "mail.idimitrov.dev";
+ domains = [ "idimitrov.dev" "mail.idimitrov.dev" ];
+ loginAccounts = {
+ "ivan@idimitrov.dev" = {
+ hashedPassword = "$2b$05$rTVIQD98ogXeCBKdk/YufulWHqpMCAlb7SHDPlh5y8Xbukoa/uQLm";
+ aliases = [ "admin@idimitrov.dev" ];
+ };
+ "security@idimitrov.dev" = {
+ hashedPassword = "$2b$05$rTVIQD98ogXeCBKdk/YufulWHqpMCAlb7SHDPlh5y8Xbukoa/uQLm";
+ };
+ };
+ certificateScheme = "acme-nginx";
+ hierarchySeparator = "/";
+ };
+ services.dovecot2.sieve.extensions = [ "fileinto" ];
+}
diff --git a/hosts/vps/mailserver/monero/default.nix b/hosts/vps/mailserver/monero/default.nix
new file mode 100644
index 0000000..91632af
--- /dev/null
+++ b/hosts/vps/mailserver/monero/default.nix
@@ -0,0 +1,6 @@
+{
+ services.monero = {
+ enable = false;
+ dataDir = "/mnt/export1981/monero";
+ };
+}
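Review bot: Gitea is only ever reached through the nginx proxy at `127.0.0.1:3001` (nginx hunk), but the hunk sets `HTTP_PORT` without `HTTP_ADDR`, so the listener presumably binds all interfaces and is kept private only by the host firewall — the very thing this commit replaces with `mkForce`. Adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT = 3001;` makes the loopback-only intent explicit and independent of firewall state.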
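Review bot: The in-tunnel forwards to `127.0.0.1:3000`, and the Tor onion service in this commit targets the same port, but nothing in the diff binds port 3000 — nginx serves the site on 80/443 and Gitea on 3001 — so either a listener exists outside this commit or both hidden services point at nothing. If a plain-HTTP nginx listener on 3000 is intended for these tunnels, adding it, or at least a comment naming where 3000 is served, would make the dependency visible; the same applies to the tor hunk.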
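Review bot: `ivan@idimitrov.dev` and `security@idimitrov.dev` carry the identical bcrypt hash, i.e. the same password, so compromising either credential (for example through the Roundcube login exposed to the VPN peers) compromises both, and security@ is also the ACME contact address. Give each account its own hash. The hashes also end up in the world-readable Nix store; if that matters, `hashedPasswordFile` pointing at a root-only file is the supported alternative.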
diff --git a/hosts/vps/mailserver/nginx/default.nix b/hosts/vps/mailserver/nginx/default.nix
new file mode 100644
index 0000000..d2a4ee4
--- /dev/null
+++ b/hosts/vps/mailserver/nginx/default.nix
@@ -0,0 +1,72 @@
+{ config, pkgs, ... }:
+let
+ webshiteConfig = ''
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Content-Type-Options nosniff;
+ add_header Onion-Location http://sxfx23zafag4lixkb4s6zwih7ga5jnzfgtgykcerd354bvb6u7alnkid.onion;
+ '';
+ restrictToVpn = ''
+ allow 10.0.0.2/32;
+ allow fdc9:281f:04d7:9ee9::2/128;
+ allow 10.0.0.3/32;
+ allow 10.0.0.4/32;
+ deny all;
+ '';
+ extensions = [ "html" "txt" "png" "jpg" "jpeg" ];
+ serveStatic = exts: ''
+ try_files $uri $uri/ ${pkgs.lib.strings.concatStringsSep " " (builtins.map (x: "$uri." + "${x}") exts)} =404;
+ '';
+in
+{
+ services = {
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ virtualHosts = {
+ "idimitrov.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ root = "${pkgs.webshite}";
+ extraConfig = serveStatic extensions;
+ };
+ extraConfig = webshiteConfig;
+ };
+ "www.idimitrov.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ root = "${pkgs.webshite}";
+ extraConfig = serveStatic extensions;
+ };
+ extraConfig = webshiteConfig;
+ };
+ "${config.mailserver.fqdn}" = {
+ extraConfig = restrictToVpn;
+ };
+ "src.idimitrov.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3001";
+ };
+ };
+ "pic.idimitrov.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ root = "/var/pic";
+ extraConfig = ''
+ autoindex on;
+ ${serveStatic ["png"]}
+ '';
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/vps/mailserver/postgres/default.nix b/hosts/vps/mailserver/postgres/default.nix
new file mode 100644
index 0000000..0657ecb
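Review bot: `restrictToVpn` is applied as server-level `extraConfig` on the `${config.mailserver.fqdn}` vhost, and with `certificateScheme = "acme-nginx"` (mailserver hunk) the module adds the `/.well-known/acme-challenge` location to that same vhost; a server-level `deny all` is inherited by every location that has no `allow`/`deny` of its own, so Let's Encrypt's HTTP-01 validation from the public internet is likely refused and the mail certificate will fail to issue or renew. Move the allow/deny rules into `locations."/".extraConfig`, or put an explicit `allow all;` in the challenge location, so the challenge path stays reachable. `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` overrides the list `recommendedTlsSettings` installs and still admits CBC suites and `EDH`; if a custom list is wanted, an ECDHE-only AEAD set such as `ECDHE+AESGCM:ECDHE+CHACHA20` is the usual choice, otherwise the line can go. The `${config.mailserver.fqdn}` vhost is also the only one without `forceSSL`/`enableACME` in this file, so a comment that the mailserver module supplies those would stop a reader from adding them twice.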
--- /dev/null
+++ b/hosts/vps/mailserver/postgres/default.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+{
+ services = {
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ "roundcube" "gitea" ];
+ ensureUsers = [
+ {
+ name = "roundcube";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "gitea";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "root";
+ ensureClauses = {
+ superuser = true;
+ createrole = true;
+ createdb = true;
+ };
+ }
+ ];
+ authentication = ''
+ local gitea all ident map=gitea-users
+ '';
+ identMap = ''
+ gitea-users gitea gitea
+ '';
+ initialScript = pkgs.writeText "init" ''
+ GRANT ALL PRIVILEGES ON DATABASE roundcube TO roundcube;
+ GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO roundcube;
+ GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO roundcube;
+ GRANT ALL PRIVILEGES ON SCHEMA public TO roundcube;
+ '';
+ };
+ };
+}
diff --git a/hosts/vps/mailserver/roundcube/default.nix b/hosts/vps/mailserver/roundcube/default.nix
new file mode 100644
index 0000000..ecfd0b1
--- /dev/null
+++ b/hosts/vps/mailserver/roundcube/default.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+{
+ services = {
+ roundcube = {
+ enable = true;
+ package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
+ plugins = [
+ "persistent_login"
+ ];
+ hostName = "${config.mailserver.fqdn}";
+ extraConfig = ''
+ $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+ };
+}
diff --git a/hosts/vps/mailserver/tor/default.nix b/hosts/vps/mailserver/tor/default.nix
new file mode 100644
index 0000000..c90f341
--- /dev/null
+++ b/hosts/vps/mailserver/tor/default.nix
@@ -0,0 +1,21 @@
+{
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ relay = {
+ enable = true;
+ role = "relay";
+ onionServices = {
+ idimitrov = {
+ map = [{
+ port = 80;
+ target = {
+ addr = "127.0.0.1";
+ port = 3000;
+ };
+ }];
+ };
+ };
+ };
+ };
+}
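Review bot: `initialScript` runs once against the default `postgres` database, so the `GRANT ... ON ALL TABLES IN SCHEMA public`, `ON ALL SEQUENCES` and `ON SCHEMA public` statements touch that database's `public` schema rather than the `roundcube` database's, and at first init the roundcube tables do not exist yet in any case; with `ensureDBOwnership = true` the role already owns its database, so the whole script appears redundant and can be dropped. The `root` role with `superuser`, `createrole` and `createdb` hands the OS root account a peer-authenticated PostgreSQL superuser on top of the `postgres` role it can already become; nothing in this commit uses it, so remove it or add a comment naming the consumer. `ident map=gitea-users` covers only Gitea, while `roundcube` relies on the default local peer rule; a one-line comment stating that the roundcube service runs as the `roundcube` OS user would record that assumption.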
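Review bot: `persistent_login` keeps users signed in through a long-lived token cookie, so a cookie lifted from a peer's browser keeps working until the plugin's own expiry rather than the session's; since the webmail is already VPN-gated, a comment stating why persistent login is wanted belongs next to `plugins`, and if it stays, its expiry settings should be set explicitly in `extraConfig` rather than left at the plugin defaults. `smtp_host = "tls://${config.mailserver.fqdn}"` presumably uses STARTTLS on the submission port and verifies the fqdn's certificate, which ties this hunk to the ACME reachability issue raised on the nginx hunk.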
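Review bot: `relay.enable = true` with `role = "relay"` turns the mail host into a public Tor relay on the same IP address that sends mail for `idimitrov.dev`; relay addresses are published in the Tor consensus and are commonly matched by mail reputation blocklists, so outbound deliverability is at risk. If only the onion service is wanted, keep `onionServices` and set `relay.enable = false` (the module keeps onion services independent of relaying, as far as I can tell); if relaying is deliberate, a comment acknowledging the deliverability trade-off belongs here. The onion target `127.0.0.1:3000` has the same unbound-port question raised on the i2pd hunk.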
diff --git a/hosts/vps/mailserver/wireguard/default.nix b/hosts/vps/mailserver/wireguard/default.nix
new file mode 100644
index 0000000..d4eb338
--- /dev/null
+++ b/hosts/vps/mailserver/wireguard/default.nix
@@ -0,0 +1,43 @@
+{ pkgs, ... }: {
+
+ networking.nat = {
+ enable = true;
+ enableIPv6 = true;
+ externalInterface = "venet0";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ];
+ listenPort = 51820;
+ privateKeyFile = "/etc/wireguard/privatekey";
+ postUp = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
+ ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
+ '';
+ preDown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
+ ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
+ '';
+ peers = [
+ {
+ publicKey = "28yXYLk4U0r6MdWFEZzk6apI8uhg962wMprF47wUJyI=";
+ allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
+ }
+ {
+ publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
+ allowedIPs = [ "10.0.0.3/32" ];
+ }
+ {
+ publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
+ allowedIPs = [ "10.0.0.4/32" ];
+ }
+ ];
+ };
+ };
+}
diff --git a/nixos/configs/default.nix b/nixos/configs/default.nix
index 3132d04..9049206 100644
--- a/nixos/configs/default.nix
+++ b/nixos/configs/default.nix
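Review bot: `networking.nat` with `internalInterfaces = [ "wg0" ]`, `externalInterface = "venet0"` and `enableIPv6 = true` already installs masquerading for wg0 traffic in both address families, as far as I can tell, so the `postUp` rules duplicate it and `preDown` then deletes only one copy, leaving stale rules after `wg-quick down`; rely on `networking.nat` alone or drop it and keep the explicit rules, not both. The IPv6 masquerade source is written as the interface address `fdc9:281f:04d7:9ee9::1/64` rather than the network `fdc9:281f:04d7:9ee9::/64`; iptables accepts it, but the network form states the intent. `FORWARD -i wg0 -j ACCEPT` lets every peer reach every other peer and the whole internet through the VPS; if peers are only meant to reach the VPS itself, a comment or a tighter rule belongs here. `privateKeyFile` correctly keeps the key out of the store, worth a one-line comment so nobody "simplifies" it to `privateKey`.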
@@ -21,5 +21,6 @@ in
 nonya = novaConfig (with mods; [ anon cryptocurrency ivand ]);
 ai = novaConfig (with mods; [ ai ivand ]);
 installer-iso = configWithModules { hardware = { }; modules = (with mods; [ grub base ]); };
+ vps = configWithModules { hardware = { nixpkgs.hostPlatform = system; }; modules = (with mods; [ base shell vps ]); };
 };
 }
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 506d06e..59efe07 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -214,5 +214,12 @@ top@{ inputs, moduleWithSystem, ... }: {
 environment.systemPackages = with pkgs; [ monero-cli ];
 services = { monero.enable = true; };
 });
+ vps = moduleWithSystem (toplevel@{ ... }: perSystem@{ ... }: {
+ imports = [
+ inputs.vpsadminos.nixosConfigurations.container
+ inputs.simple-nixos-mailserver.nixosModule
+ ../../hosts/vps/mailserver
+ ];
+ });
 };
 }
diff --git a/overlays/default.nix b/overlays/default.nix
index c23a88f..5d759b1 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -1,13 +1,13 @@
 top@{ inputs, withSystem, ... }: {
 flake.overlays.default = final: prev:
- let system = "x86_64-linux"; in
- withSystem system (
+ let system = "x86_64-linux"; in withSystem system (
 { config, ... }: {
 nvim = config.packages.nvim;
 bingwp = config.packages.bingwp;
 screenshot = config.packages.screenshot;
 cursors = config.packages.cursors;
 wpd = config.packages.wpd;
+ webshite = config.packages.webshite;
 sal = inputs.sal.packages.${system}.default;
 }
 );
diff --git a/packages/default.nix b/packages/default.nix
index a080d20..60f938d 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -60,6 +60,7 @@ top@{ inputs, ... }: {
 hash = "sha256-CuzD6O/RImFKLWzJoiUv7nlIdoXNvwwl+k5mTeVIY10=";
 };
 });
+ webshite = inputs.webshite.packages.${system}.default;
 };
 };
 }
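Review bot: The new `vps` module imports `inputs.vpsadminos.nixosConfigurations.container` as though it were a NixOS module, which as far as I recall is the pattern vpsAdminOS itself documents, but to a reader who expects `nixosConfigurations.*` to be complete systems it looks like a mistake; a one-line comment `# vpsAdminOS exposes its container profile as an importable module under nixosConfigurations.container` would prevent a well-meaning "fix". The `toplevel@` and `perSystem@` bindings are both unused in this module, so `({ ... }: { ... }: { imports = [ ... ]; })` says the same thing with less to read. The enclosing attribute set starts outside the hunk.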