From 420b963a601fc6f36bee30b9c1266a5866ad71d7 Mon Sep 17 00:00:00 2001 From: Dmitriy Kholkin Date: Sat, 30 Oct 2021 21:04:53 +0300 Subject: [PATCH] trying to run a mailserver --- flake.lock | 70 +++++++++++++++++ flake.nix | 4 + profiles/applications/packages.nix | 1 - profiles/boot.nix | 2 +- profiles/hardware.nix | 2 +- profiles/nix/default.nix | 2 +- profiles/servers/caddy.nix | 105 ++++++++++++++++++++++++++ profiles/servers/coturn.nix | 7 +- profiles/servers/mailserver.nix | 112 ++++++++++++++++++++++++++++ profiles/servers/matrix-synapse.nix | 10 +-- profiles/servers/nginx.nix | 8 +- roles/server.nix | 21 +----- 12 files changed, 312 insertions(+), 32 deletions(-) create mode 100644 profiles/servers/caddy.nix create mode 100644 profiles/servers/mailserver.nix diff --git a/flake.lock b/flake.lock index cbdc9c2..c5deb70 100644 --- a/flake.lock +++ b/flake.lock @@ -50,6 +50,22 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -206,6 +222,21 @@ "type": "indirect" } }, + "nixpkgs-21_05": { + "locked": { + "lastModified": 1625692408, + "narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c06613c25df3fe1dd26243847a3c105cf6770627", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-21.05", + "type": "indirect" + } + }, "nixpkgs-master": { "locked": { "lastModified": 1635333802, 
@@ -335,6 +366,7 @@ "nixpkgs-stable": "nixpkgs-stable", "qbittorrent-ee": "qbittorrent-ee", "rycee": "rycee", + "simple-nixos-mailserver": "simple-nixos-mailserver", "zsh-autosuggestions": "zsh-autosuggestions", "zsh-cod": "zsh-cod", "zsh-nix-shell": "zsh-nix-shell", @@ -357,6 +389,44 @@ "type": "gitlab" } }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-21_05": "nixpkgs-21_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1634237121, + "narHash": "sha256-rOHq6XaWzMnQXRsgcDiA2Dbzl7IZ0Q5S6RI+k63z3nQ=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "0d9a880c0e41a553c5d9af4efa62169db7ddeb62", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "zsh-autosuggestions": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 661b74b..363b242 100644 --- a/flake.nix +++ b/flake.nix @@ -56,6 +56,10 @@ url = "gitlab:rycee/nur-expressions"; flake = false; }; + simple-nixos-mailserver = { + url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; + inputs.nixpkgs.follows = "nixpkgs"; + }; zsh-autosuggestions = { url = "github:zsh-users/zsh-autosuggestions"; flake = false; diff --git a/profiles/applications/packages.nix b/profiles/applications/packages.nix index 687b2f3..a0f4652 100644 --- a/profiles/applications/packages.nix +++ b/profiles/applications/packages.nix @@ -51,7 +51,6 @@ with config.deviceSpecific; { discord element-desktop feh - fractal gnome.eog gparted keepassxc 
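Review bot: The new `simple-nixos-mailserver` input only points its `nixpkgs` at ours; the accompanying flake.lock hunk shows it still locks its own `nixpkgs-21_05` and `utils` trees, so a second full nixpkgs checkout is fetched and pinned just for this module. If upstream uses `nixpkgs-21_05` only for its test matrix — worth confirming against the upstream flake before changing it — adding `inputs.nixpkgs-21_05.follows = "nixpkgs";` next to the existing follows line keeps one nixpkgs and one set of hashes to review. The `url` without a ref is fine as long as flake.lock stays committed, since the locked narHash is what actually pins the module.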
diff --git a/profiles/boot.nix b/profiles/boot.nix index fc3d905..a95019d 100644 --- a/profiles/boot.nix +++ b/profiles/boot.nix @@ -27,7 +27,7 @@ with config.deviceSpecific; { "vm.swappiness" = if config.deviceSpecific.isSSD then 1 else 10; }; } else { - kernelPackages = pkgs.linuxPackages_hardened; + # kernelPackages = pkgs.linuxPackages_hardened; kernelModules = [ "tcp_bbr" ]; kernel.sysctl = { "kernel.sysrq" = 0; diff --git a/profiles/hardware.nix b/profiles/hardware.nix index 3aea5e6..640283d 100644 --- a/profiles/hardware.nix +++ b/profiles/hardware.nix @@ -30,6 +30,6 @@ with config.deviceSpecific; { boot.initrd.kernelModules = if devInfo.gpu.vendor == "amd" then [ "amdgpu" ] else if devInfo.gpu.vendor == "intel" then [ - i915 + "i915" ] else [ ]; } diff --git a/profiles/nix/default.nix b/profiles/nix/default.nix index 3d9feda..a99e13b 100644 --- a/profiles/nix/default.nix +++ b/profiles/nix/default.nix @@ -21,7 +21,7 @@ autoOptimiseStore = false; - package = inputs.nix.defaultPackage.x86_64-linux.overrideAttrs (oa: { + package = inputs.nix.defaultPackage.${system}.overrideAttrs (oa: { patches = [ ./nix.patch ./unset-is-macho.patch ] ++ oa.patches or [ ]; doInstallCheck = false; }); diff --git a/profiles/servers/caddy.nix b/profiles/servers/caddy.nix new file mode 100644 index 0000000..e935a83 --- /dev/null +++ b/profiles/servers/caddy.nix 
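Review bot: Commenting out `kernelPackages = pkgs.linuxPackages_hardened;` silently drops the hardened kernel package set for this branch, and nothing in the commit says why (a build failure, the mailserver module, performance?). A commented-out line reads as a temporary toggle that is easy to forget; either delete it or leave the reason beside it, e.g. `# hardened kernel disabled: <reason> — re-enable once <condition>`. The enclosing `if … else` starts before the hunk, so which device class this branch covers is not visible here.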
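Review bot: The switch from `x86_64-linux` to `${system}` in profiles/nix/default.nix is only correct if `system` is a formal of this module's function, whose header lies outside the hunk; if it is not passed in, evaluation fails with an undefined variable rather than falling back to the old value. Worth checking that the header reads something like `{ inputs, system, ... }:`, or else using `pkgs.stdenv.hostPlatform.system`, which is always in scope when `pkgs` is.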
@@ -0,0 +1,105 @@ +{ pkgs, config, lib, ... }: { + users.groups.cert.members = [ "turnserver" "caddy" "dovecot2" ]; + + secrets."ataraxiadev.com.pem" = { + owner = "root:cert"; + permissions = "440"; + }; + secrets."ataraxiadev.com.key" = { + owner = "root:cert"; + permissions = "440"; + }; + secrets."origin-pull-ca.pem" = { + owner = "root:cert"; + permissions = "440"; + }; + + ## DNS-over-TLS + services.stubby = { + enable = true; + listenAddresses = [ "0::1" "127.0.0.1" ]; + roundRobinUpstreams = false; + upstreamServers = '' + ## Quad9 + - address_data: 2620:fe::fe + tls_auth_name: "dns.quad9.net" + - address_data: 2620:fe::9 + tls_auth_name: "dns.quad9.net" + - address_data: 9.9.9.9 + tls_auth_name: "dns.quad9.net" + - address_data: 149.112.112.112 + tls_auth_name: "dns.quad9.net" + ## Cloudflare + - address_data: 2606:4700:4700::1112 + tls_auth_name: "cloudflare-dns.com" + - address_data: 2606:4700:4700::1002 + tls_auth_name: "cloudflare-dns.com" + - address_data: 1.1.1.2 + tls_auth_name: "cloudflare-dns.com" + - address_data: 1.0.0.2 + tls_auth_name: "cloudflare-dns.com" + ''; + extraConfig = '' + # Set TLS 1.3 as minimum acceptable version + tls_min_version: GETDNS_TLS1_3 + # Require DNSSEC validation + dnssec: GETDNS_EXTENSION_TRUE + ''; + }; + + networking.nameservers = [ "::1" "127.0.0.1" ]; + services.resolved = { + enable = true; + fallbackDns = [ "2606:4700:4700::1111" "2606:4700:4700::1001" "1.1.1.1" "1.0.0.1" ]; + }; + + services.caddy = { + enable = true; + email = "ataraxiadev@ataraxiadev.com"; + group = "cert"; + ca = null; + config = '' + (matrix-well-known-header) { + # Headers + header Access-Control-Allow-Origin "*" + header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" + header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" + header Content-Type "application/json" + } + + ataraxiadev.com { + handle /.well-known/matrix/server { + import matrix-well-known-header + respond 
`{"m.server":"matrix.ataraxiadev.com:443"}` + } + reverse_proxy /_matrix/* http://localhost:13748 + tls ${config.secrets."ataraxiadev.com.pem".decrypted} ${config.secrets."ataraxiadev.com.key".decrypted} { + protocols tls1.3 + client_auth { + mode require_and_verify + trusted_ca_cert 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 + } + } + } + + matrix.ataraxiadev.com { + reverse_proxy /* http://localhost:13748 + reverse_proxy /mautrix-telegram/* http://localhost:29317 + tls ${config.secrets."ataraxiadev.com.pem".decrypted} ${config.secrets."ataraxiadev.com.key".decrypted} { + protocols tls1.3 + client_auth { + mode require_and_verify + trusted_ca_cert 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 + } + } + } + ''; + }; +} + +# handle /.well-known/matrix/client { +# import matrix-well-known-header +# respond `{"m.homeserver":{"base_url":"https://matrix.ataraxiadev.com"},"m.identity_server":{"base_url":"https://identity.ataraxiadev.com"}}` +# } + +# reverse_proxy /_synapse/client/* http://localhost:8008 \ No newline at end of file diff --git a/profiles/servers/coturn.nix b/profiles/servers/coturn.nix index 6ee0d96..2f03503 100644 --- a/profiles/servers/coturn.nix +++ b/profiles/servers/coturn.nix @@ -21,7 +21,8 @@ user-quota=20 total-quota=600 # for debugging - verbose + #verbose + allowed-peer-ip=10.0.0.1 # ban private IP ranges no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255 @@ -58,9 +59,9 @@ in { allowedUDPPortRanges = range; - allowedUDPPorts = [ 3478 ]; + allowedUDPPorts = [ 3478 5349 ]; allowedTCPPortRanges = range; - allowedTCPPorts = [ 3478 ]; + allowedTCPPorts = [ 3478 5349 ]; }; }; } \ No newline at end of file diff --git a/profiles/servers/mailserver.nix b/profiles/servers/mailserver.nix new file mode 100644 index 0000000..418783d --- /dev/null +++ b/profiles/servers/mailserver.nix 
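Review bot: The `secrets.*`, `services.stubby` and `services.resolved` blocks at the top of this new file are copied from profiles/servers/nginx.nix (the `## DNS-over-TLS` context in that file's hunk shows the same block), so the DNS and certificate setup now lives in two web-server profiles that will drift — the `users.groups.cert.members` lists already differ (`"caddy"` vs `"nginx"`). Moving them into one shared profile that both import would remove the copy. Separately, `services.resolved.fallbackDns` lists plain port-53 resolvers, so whenever stubby is down resolved quietly downgrades from DoT with TLS 1.3 and DNSSEC to unencrypted, unvalidated lookups; if that is deliberate, say so in a comment, otherwise drop the fallback or turn on `DNSOverTLS=yes` via `services.resolved.extraConfig`. The commented-out `handle /.well-known/matrix/client` and `/_synapse/client/*` lines after the module's closing brace read as unfinished work (and the file lacks a trailing newline); either wire them in or delete them.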
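Review bot: `allowed-peer-ip=10.0.0.1` in profiles/servers/coturn.nix is inserted between the now-disabled `#verbose` debug line and the `# ban private IP ranges` header, so it reads like a leftover of the debugging block rather than what it is: a deliberate exception letting relayed traffic reach one private address that the `denied-peer-ip` list below otherwise covers. Move it under that header and record why the host is exempt, e.g. `# allow relaying to <role of 10.0.0.1> despite the private-range ban below`. The deny list continues outside the hunk, so I cannot see whether 10.0.0.0/8 is in fact denied there; if it is not, the line is a no-op.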
@@ -0,0 +1,112 @@ +{ pkgs, config, lib, inputs, ... }: +let + module = toString inputs.simple-nixos-mailserver; +in { + imports = [ module ]; + secrets.mailserver = { + owner = "dovecot2:cert"; + services = [ "dovecot2" ]; + }; + secrets.sasl_passwd = { + permissions = "444"; + }; + + security.acme = { + email = "ataraxiadev@ataraxiadev.com"; + acceptTerms = true; + certs."mail.ataraxiadev.com" = { }; + }; + + services.postfix = { + relayHost = "smtp.email.eu-zurich-1.oci.oraclecloud.com"; + relayPort = 587; + enableSubmission = true; + submissionOptions = { + smtp_tls_security_level = "may"; + smtp_sasl_auth_enable = "yes"; + smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_passwd"; + smtp_sasl_security_options = ""; + }; + mapFiles = { sasl_passwd = config.secrets.sasl_passwd.decrypted; }; + # dnsBlacklists = [ + # "all.s5h.net" + # "b.barracudacentral.org" + # "bl.spamcop.net" + # "blacklist.woody.ch" + # "bogons.cymru.com" + # "cbl.abuseat.org" + # "combined.abuse.ch" + # "db.wpbl.info" + # "dnsbl-1.uceprotect.net" + # "dnsbl-2.uceprotect.net" + # "dnsbl-3.uceprotect.net" + # "dnsbl.anticaptcha.net" + # "dnsbl.dronebl.org" + # "dnsbl.inps.de" + # "dnsbl.sorbs.net" + # "dnsbl.spfbl.net" + # "drone.abuse.ch" + # "duinv.aupads.org" + # "dul.dnsbl.sorbs.net" + # "dyna.spamrats.com" + # "dynip.rothen.com" + # "http.dnsbl.sorbs.net" + # "ips.backscatterer.org" + # "ix.dnsbl.manitu.net" + # "korea.services.net" + # "misc.dnsbl.sorbs.net" + # "noptr.spamrats.com" + # "orvedb.aupads.org" + # "pbl.spamhaus.org" + # "proxy.bl.gweep.ca" + # "psbl.surriel.com" + # "relays.bl.gweep.ca" + # "relays.nether.net" + # "sbl.spamhaus.org" + # "singular.ttk.pte.hu" + # "smtp.dnsbl.sorbs.net" + # "socks.dnsbl.sorbs.net" + # "spam.abuse.ch" + # "spam.dnsbl.anonmails.de" + # "spam.dnsbl.sorbs.net" + # "spam.spamrats.com" + # "spambot.bls.digibase.ca" + # "spamrbl.imp.ch" + # "spamsources.fabel.dk" + # "ubl.lashback.com" + # "ubl.unsubscore.com" + # "virus.rbl.jp" + # 
"web.dnsbl.sorbs.net" + # "wormrbl.imp.ch" + # "xbl.spamhaus.org" + # "z.mailspike.net" + # "zen.spamhaus.org" + # "zombie.dnsbl.sorbs.net" + # ]; + # dnsBlacklistOverrides = '' + # ataraxiadev.com OK + # 192.168.0.0/16 OK + # ${lib.concatMapStringsSep "\n" (machine: "${machine}.lan OK") (builtins.attrNames inputs.self.nixosConfigurations)} + # ''; + }; + mailserver = { + enable = true; + openFirewall = true; + fqdn = "mail.ataraxiadev.com"; + domains = [ "ataraxiadev.com" ]; + loginAccounts = { + "ataraxiadev@ataraxiadev.com" = { + aliases = + [ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" ]; + hashedPasswordFile = config.secrets.mailserver.decrypted; + }; + }; + localDnsResolver = false; + certificateScheme = 1; + # certificateFile = config.secrets."ataraxiadev.com.pem".decrypted; + # keyFile = config.secrets."ataraxiadev.com.key".decrypted; + enableImap = true; + enableImapSsl = true; + virusScanning = false; + }; +} diff --git a/profiles/servers/matrix-synapse.nix b/profiles/servers/matrix-synapse.nix index 08d6c2d..70e1d65 100644 --- a/profiles/servers/matrix-synapse.nix +++ b/profiles/servers/matrix-synapse.nix @@ -36,8 +36,8 @@ plugins = with pkgs.matrix-synapse-plugins; [ matrix-synapse-shared-secret-auth ]; public_baseurl = "https://ataraxiadev.com"; server_name = "ataraxiadev.com"; - turn_uris = [ "turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp" ]; - turn_user_lifetime = "12h"; + turn_uris = [ "turns:${realm}?transport=udp" "turns:${realm}?transport=tcp" ]; + turn_user_lifetime = "24h"; }; secrets-envsubst.matrix-shared-secret = { @@ -90,7 +90,7 @@ command_prefix = "!tg"; encryption = { allow = true; - default = true; + default = false; }; filter = { mode = "whitelist"; 
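Review bot: `secrets.sasl_passwd` is declared with `permissions = "444"`, which leaves the relay credentials for `smtp.email.eu-zurich-1.oci.oraclecloud.com` readable by every local user and service account; the other secrets in this commit use `440` with a dedicated group, and this one should too (if the NixOS postfix `mapFiles` copy runs as root in the pre-start script, as I believe it does, root-owned `400` suffices — confirm). The relay options also pair `smtp_tls_security_level = "may"` with `smtp_sasl_security_options = ""`, so a stripped or failed STARTTLS handshake would send that password in clear; for a fixed relay host use `smtp_tls_security_level = "encrypt";` and `smtp_sasl_security_options = "noanonymous";`. Those `smtp_*` client settings sit in `submissionOptions`, which the NixOS module turns into `-o` overrides on the inbound `submission` smtpd service in master.cf, so they likely never reach the outbound `smtp` client at all — they belong in `services.postfix.config` (main.cf); verify with `postconf -n` on the built system. Lastly, `certificateScheme = 1` with both `certificateFile` and `keyFile` commented out, next to a `security.acme.certs."mail.ataraxiadev.com"` that nothing references, leaves the certificate source unresolved; pick one path and delete the other, and consider dropping the long commented `dnsBlacklists` block rather than carrying it in the file.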
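Review bot: `turn_user_lifetime` goes from `12h` to `24h` in profiles/servers/matrix-synapse.nix with no stated reason; these are the time-limited TURN credentials Synapse hands to clients (presumably derived from a shared secret set elsewhere in the file), so the change doubles how long a captured credential can be replayed against the relay, and 12h already covers any realistic call. The `turns:` URIs without a port fall back to 5349, matching the ports opened in profiles/servers/coturn.nix in this commit, but they also require coturn to have a TLS listener with a certificate; that configuration is not in the hunk, so worth confirming the TURNS listener actually comes up before the plain `turn:` entries are gone, or keep one as fallback: `turn_uris = [ "turns:${realm}?transport=tcp" "turn:${realm}:3478?transport=udp" ];`. The second hunk's `default = false` likewise flips new Telegram portal rooms from encrypted to unencrypted by default without a comment; a one-line `# <reason>` above it would save the next reader a git blame.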
@@ -108,13 +108,13 @@ }; plaintext_highlights = true; startup_sync = false; - sync_direct_chat_list = true; + sync_direct_chat_list = false; sync_direct_chats = false; username_template = "tg_{userid}"; }; homeserver = { address = "https://matrix.ataraxiadev.com"; - asmux = true; + asmux = false; domain = "ataraxiadev.com"; verify_ssl = true; }; diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix index 5d72c8b..93c082e 100644 --- a/profiles/servers/nginx.nix +++ b/profiles/servers/nginx.nix @@ -1,14 +1,16 @@ { pkgs, config, lib, ... }: { + users.groups.cert.members = [ "turnserver" "nginx" "dovecot2" ]; + secrets."ataraxiadev.com.pem" = { - owner = "nginx:turnserver"; + owner = "root:cert"; permissions = "440"; }; secrets."ataraxiadev.com.key" = { - owner = "nginx:turnserver"; + owner = "root:cert"; permissions = "440"; }; secrets."origin-pull-ca.pem" = { - owner = "nginx:turnserver"; + owner = "root:cert"; permissions = "440"; }; ## DNS-over-TLS diff --git a/roles/server.nix b/roles/server.nix index 3490994..3ca9ebc 100644 --- a/roles/server.nix +++ b/roles/server.nix @@ -1,31 +1,18 @@ { inputs, ... }: { imports = with inputs.self.nixosModules; with inputs.self.nixosProfiles; [ - inputs.home-manager.nixosModules.home-manager + ./base.nix inputs.base16.hmModule - applications - devices fonts - git - gpg - locale - misc - network - nix - overlay - secrets - secrets-envsubst - security - ssh themes - xdg - zsh direnv kitty coturn + mailserver matrix-synapse - nginx + # nginx + caddy ]; }
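Review bot: roles/server.nix now comments out `nginx` in favour of `caddy`, yet this hunk keeps editing profiles/servers/nginx.nix to mirror caddy.nix line for line (same `cert` group, same three `secrets.*` entries with `root:cert`); if the profile is retired, delete it rather than maintain a parallel copy, and if it is kept as an alternative, the shared group and `secrets.*` declarations should live in one place both import, since importing both profiles together would declare the same secrets twice. With `440` and group `cert`, `ataraxiadev.com.key` is also readable by `turnserver` and `dovecot2`; if every member of that group genuinely needs the private key, a short comment on the `users.groups.cert.members` line saying which service uses the cert for what would make that reviewable.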
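Review bot: The import list in roles/server.nix drops `secrets`, `secrets-envsubst`, `security`, `ssh`, `network` and the rest in favour of `./base.nix`, which is not part of this patch; the new `caddy` and `mailserver` profiles read `config.secrets.*.decrypted` and matrix-synapse uses `secrets-envsubst`, so this role only evaluates if base.nix re-imports those modules — worth confirming, since nothing here shows it. `# nginx` should be deleted rather than commented out (git keeps the history, and caddy.nix carries the same secret definitions); a comment on the `caddy` entry such as `# reverse proxy and TLS termination; replaced the nginx profile` documents the switch for the next reader.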