trying to run a mailserver

flake.lock

@@ -50,6 +50,22 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -206,6 +222,21 @@
         "type": "indirect"
       }
     },
+    "nixpkgs-21_05": {
+      "locked": {
+        "lastModified": 1625692408,
+        "narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c06613c25df3fe1dd26243847a3c105cf6770627",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-21.05",
+        "type": "indirect"
+      }
+    },
     "nixpkgs-master": {
       "locked": {
         "lastModified": 1635333802,
@@ -335,6 +366,7 @@
         "nixpkgs-stable": "nixpkgs-stable",
         "qbittorrent-ee": "qbittorrent-ee",
         "rycee": "rycee",
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
         "zsh-autosuggestions": "zsh-autosuggestions",
         "zsh-cod": "zsh-cod",
         "zsh-nix-shell": "zsh-nix-shell",
@@ -357,6 +389,44 @@
         "type": "gitlab"
       }
     },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-21_05": "nixpkgs-21_05",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1634237121,
+        "narHash": "sha256-rOHq6XaWzMnQXRsgcDiA2Dbzl7IZ0Q5S6RI+k63z3nQ=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "0d9a880c0e41a553c5d9af4efa62169db7ddeb62",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "zsh-autosuggestions": {
       "flake": false,
       "locked": {

flake.nix

@@ -56,6 +56,10 @@
       url = "gitlab:rycee/nur-expressions";
       flake = false;
     };
+    simple-nixos-mailserver = {
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     zsh-autosuggestions = {
       url = "github:zsh-users/zsh-autosuggestions";
       flake = false;

profiles/applications/packages.nix

@@ -51,7 +51,6 @@ with config.deviceSpecific; {
     discord
     element-desktop
     feh
-    fractal
     gnome.eog
     gparted
     keepassxc

profiles/boot.nix

@@ -27,7 +27,7 @@ with config.deviceSpecific; {
       "vm.swappiness" = if config.deviceSpecific.isSSD then 1 else 10;
     };
   } else {
-    kernelPackages = pkgs.linuxPackages_hardened;
+    # kernelPackages = pkgs.linuxPackages_hardened;
     kernelModules = [ "tcp_bbr" ];
     kernel.sysctl = {
       "kernel.sysrq" = 0;

profiles/hardware.nix

@@ -30,6 +30,6 @@ with config.deviceSpecific; {
   boot.initrd.kernelModules = if devInfo.gpu.vendor == "amd" then [
     "amdgpu"
   ] else if devInfo.gpu.vendor == "intel" then [
-    i915
+    "i915"
   ] else [ ];
 }

profiles/nix/default.nix

@@ -21,7 +21,7 @@
 
     autoOptimiseStore = false;
 
-    package = inputs.nix.defaultPackage.x86_64-linux.overrideAttrs (oa: {
+    package = inputs.nix.defaultPackage.${system}.overrideAttrs (oa: {
       patches = [ ./nix.patch ./unset-is-macho.patch ] ++ oa.patches or [ ];
       doInstallCheck = false;
     });

profiles/servers/caddy.nix

@@ -0,0 +1,105 @@
+{ pkgs, config, lib, ... }: {
+  users.groups.cert.members = [ "turnserver" "caddy" "dovecot2" ];
+
+  secrets."ataraxiadev.com.pem" = {
+    owner = "root:cert";
+    permissions = "440";
+  };
+  secrets."ataraxiadev.com.key" = {
+    owner = "root:cert";
+    permissions = "440";
+  };
+  secrets."origin-pull-ca.pem" = {
+    owner = "root:cert";
+    permissions = "440";
+  };
+
+  ## DNS-over-TLS
+  services.stubby = {
+    enable = true;
+    listenAddresses = [ "0::1" "127.0.0.1" ];
+    roundRobinUpstreams = false;
+    upstreamServers = ''
+      ## Quad9
+      - address_data: 2620:fe::fe
+        tls_auth_name: "dns.quad9.net"
+      - address_data: 2620:fe::9
+        tls_auth_name: "dns.quad9.net"
+      - address_data: 9.9.9.9
+        tls_auth_name: "dns.quad9.net"
+      - address_data: 149.112.112.112
+        tls_auth_name: "dns.quad9.net"
+      ## Cloudflare
+      - address_data: 2606:4700:4700::1112
+        tls_auth_name: "cloudflare-dns.com"
+      - address_data: 2606:4700:4700::1002
+        tls_auth_name: "cloudflare-dns.com"
+      - address_data: 1.1.1.2
+        tls_auth_name: "cloudflare-dns.com"
+      - address_data: 1.0.0.2
+        tls_auth_name: "cloudflare-dns.com"
+    '';
+    extraConfig = ''
+      # Set TLS 1.3 as minimum acceptable version
+      tls_min_version: GETDNS_TLS1_3
+      # Require DNSSEC validation
+      dnssec: GETDNS_EXTENSION_TRUE
+    '';
+  };
+
+  networking.nameservers = [ "::1" "127.0.0.1" ];
+  services.resolved = {
+    enable = true;
+    fallbackDns = [ "2606:4700:4700::1111" "2606:4700:4700::1001" "1.1.1.1" "1.0.0.1" ];
+  };
+
+  services.caddy = {
+    enable = true;
+    email = "ataraxiadev@ataraxiadev.com";
+    group = "cert";
+    ca = null;
+    config = ''
+      (matrix-well-known-header) {
+        # Headers
+        header Access-Control-Allow-Origin "*"
+        header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+        header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+        header Content-Type "application/json"
+      }
+
+      ataraxiadev.com {
+        handle /.well-known/matrix/server {
+          import matrix-well-known-header
+          respond `{"m.server":"matrix.ataraxiadev.com:443"}`
+        }
+        reverse_proxy /_matrix/* http://localhost:13748
+        tls ${config.secrets."ataraxiadev.com.pem".decrypted} ${config.secrets."ataraxiadev.com.key".decrypted} {
+          protocols tls1.3
+          client_auth {
+            mode require_and_verify
+            trusted_ca_cert MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmlnaW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkxMDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNVBAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQDExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20eihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBwhLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoYQSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRnaL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGRPpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5HhCvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa+4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REzalfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3ISzVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoXVcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2jbA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGmiYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07FAnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tMfVQ6VpyjEXdiIXWUq/o=
+          }
+        }
+      }
+
+      matrix.ataraxiadev.com {
+        reverse_proxy /* http://localhost:13748
+        reverse_proxy /mautrix-telegram/* http://localhost:29317
+        tls ${config.secrets."ataraxiadev.com.pem".decrypted} ${config.secrets."ataraxiadev.com.key".decrypted} {
+          protocols tls1.3
+          client_auth {
+            mode require_and_verify
+            trusted_ca_cert MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmlnaW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkxMDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNVBAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQDExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20eihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBwhLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoYQSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRnaL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGRPpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5HhCvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa+4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REzalfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3ISzVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoXVcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2jbA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGmiYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07FAnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tMfVQ6VpyjEXdiIXWUq/o=
+          }
+        }
+      }
+    '';
+  };
+}
+
+# handle /.well-known/matrix/client {
+#     import matrix-well-known-header
+#     respond `{"m.homeserver":{"base_url":"https://matrix.ataraxiadev.com"},"m.identity_server":{"base_url":"https://identity.ataraxiadev.com"}}`
+# }
+
+# reverse_proxy /_synapse/client/* http://localhost:8008

profiles/servers/coturn.nix

@@ -21,7 +21,8 @@
       user-quota=20
       total-quota=600
       # for debugging
-      verbose
+      #verbose
+      allowed-peer-ip=10.0.0.1
       # ban private IP ranges
       no-multicast-peers
       denied-peer-ip=0.0.0.0-0.255.255.255
@@ -58,9 +59,9 @@
     in
     {
       allowedUDPPortRanges = range;
-      allowedUDPPorts = [ 3478 ];
+      allowedUDPPorts = [ 3478 5349 ];
       allowedTCPPortRanges = range;
-      allowedTCPPorts = [ 3478 ];
+      allowedTCPPorts = [ 3478 5349 ];
     };
   };
 }

profiles/servers/mailserver.nix

@@ -0,0 +1,112 @@
+{ pkgs, config, lib, inputs, ... }:
+let
+  module = toString inputs.simple-nixos-mailserver;
+in {
+  imports = [ module ];
+  secrets.mailserver = {
+    owner = "dovecot2:cert";
+    services = [ "dovecot2" ];
+  };
+  secrets.sasl_passwd = {
+    permissions = "444";
+  };
+
+  security.acme = {
+    email = "ataraxiadev@ataraxiadev.com";
+    acceptTerms = true;
+    certs."mail.ataraxiadev.com" = { };
+  };
+
+  services.postfix = {
+    relayHost = "smtp.email.eu-zurich-1.oci.oraclecloud.com";
+    relayPort = 587;
+    enableSubmission = true;
+    submissionOptions = {
+      smtp_tls_security_level = "may";
+      smtp_sasl_auth_enable = "yes";
+      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_passwd";
+      smtp_sasl_security_options = "";
+    };
+    mapFiles = { sasl_passwd = config.secrets.sasl_passwd.decrypted; };
+    # dnsBlacklists = [
+    #   "all.s5h.net"
+    #   "b.barracudacentral.org"
+    #   "bl.spamcop.net"
+    #   "blacklist.woody.ch"
+      # "bogons.cymru.com"
+      # "cbl.abuseat.org"
+      # "combined.abuse.ch"
+      # "db.wpbl.info"
+      # "dnsbl-1.uceprotect.net"
+      # "dnsbl-2.uceprotect.net"
+      # "dnsbl-3.uceprotect.net"
+      # "dnsbl.anticaptcha.net"
+      # "dnsbl.dronebl.org"
+      # "dnsbl.inps.de"
+      # "dnsbl.sorbs.net"
+      # "dnsbl.spfbl.net"
+      # "drone.abuse.ch"
+      # "duinv.aupads.org"
+      # "dul.dnsbl.sorbs.net"
+      # "dyna.spamrats.com"
+      # "dynip.rothen.com"
+      # "http.dnsbl.sorbs.net"
+      # "ips.backscatterer.org"
+      # "ix.dnsbl.manitu.net"
+      # "korea.services.net"
+      # "misc.dnsbl.sorbs.net"
+      # "noptr.spamrats.com"
+      # "orvedb.aupads.org"
+      # "pbl.spamhaus.org"
+      # "proxy.bl.gweep.ca"
+      # "psbl.surriel.com"
+      # "relays.bl.gweep.ca"
+      # "relays.nether.net"
+      # "sbl.spamhaus.org"
+      # "singular.ttk.pte.hu"
+      # "smtp.dnsbl.sorbs.net"
+      # "socks.dnsbl.sorbs.net"
+      # "spam.abuse.ch"
+      # "spam.dnsbl.anonmails.de"
+      # "spam.dnsbl.sorbs.net"
+      # "spam.spamrats.com"
+      # "spambot.bls.digibase.ca"
+      # "spamrbl.imp.ch"
+      # "spamsources.fabel.dk"
+      # "ubl.lashback.com"
+      # "ubl.unsubscore.com"
+      # "virus.rbl.jp"
+      # "web.dnsbl.sorbs.net"
+      # "wormrbl.imp.ch"
+      # "xbl.spamhaus.org"
+      # "z.mailspike.net"
+      # "zen.spamhaus.org"
+      # "zombie.dnsbl.sorbs.net"
+    # ];
+    # dnsBlacklistOverrides = ''
+    #   ataraxiadev.com OK
+    #   192.168.0.0/16 OK
+    #   ${lib.concatMapStringsSep "\n" (machine: "${machine}.lan OK") (builtins.attrNames inputs.self.nixosConfigurations)}
+    # '';
+  };
+  mailserver = {
+    enable = true;
+    openFirewall = true;
+    fqdn = "mail.ataraxiadev.com";
+    domains = [ "ataraxiadev.com" ];
+    loginAccounts = {
+      "ataraxiadev@ataraxiadev.com" = {
+        aliases =
+          [ "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root" ];
+        hashedPasswordFile = config.secrets.mailserver.decrypted;
+      };
+    };
+    localDnsResolver = false;
+    certificateScheme = 1;
+    # certificateFile = config.secrets."ataraxiadev.com.pem".decrypted;
+    # keyFile = config.secrets."ataraxiadev.com.key".decrypted;
+    enableImap = true;
+    enableImapSsl = true;
+    virusScanning = false;
+  };
+}

profiles/servers/matrix-synapse.nix

@@ -36,8 +36,8 @@
     plugins = with pkgs.matrix-synapse-plugins; [ matrix-synapse-shared-secret-auth ];
     public_baseurl = "https://ataraxiadev.com";
     server_name = "ataraxiadev.com";
-    turn_uris = [ "turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp" ];
+    turn_uris = [ "turns:${realm}?transport=udp" "turns:${realm}?transport=tcp" ];
-    turn_user_lifetime = "12h";
+    turn_user_lifetime = "24h";
   };
 
   secrets-envsubst.matrix-shared-secret = {
@@ -90,7 +90,7 @@
         command_prefix = "!tg";
         encryption = {
           allow = true;
-          default = true;
+          default = false;
         };
         filter = {
           mode = "whitelist";
@@ -108,13 +108,13 @@
         };
         plaintext_highlights = true;
         startup_sync = false;
-        sync_direct_chat_list = true;
+        sync_direct_chat_list = false;
         sync_direct_chats = false;
         username_template = "tg_{userid}";
       };
       homeserver = {
         address = "https://matrix.ataraxiadev.com";
-        asmux = true;
+        asmux = false;
         domain = "ataraxiadev.com";
         verify_ssl = true;
       };

profiles/servers/nginx.nix

@@ -1,14 +1,16 @@
 { pkgs, config, lib, ... }: {
+  users.groups.cert.members = [ "turnserver" "nginx" "dovecot2" ];
+
   secrets."ataraxiadev.com.pem" = {
-    owner = "nginx:turnserver";
+    owner = "root:cert";
     permissions = "440";
   };
   secrets."ataraxiadev.com.key" = {
-    owner = "nginx:turnserver";
+    owner = "root:cert";
     permissions = "440";
   };
   secrets."origin-pull-ca.pem" = {
-    owner = "nginx:turnserver";
+    owner = "root:cert";
     permissions = "440";
   };
   ## DNS-over-TLS

roles/server.nix

@@ -1,31 +1,18 @@
 { inputs, ... }: {
   imports = with inputs.self.nixosModules; with inputs.self.nixosProfiles; [
-    inputs.home-manager.nixosModules.home-manager
+    ./base.nix
     inputs.base16.hmModule
 
-    applications
-    devices
     fonts
-    git
-    gpg
-    locale
-    misc
-    network
-    nix
-    overlay
-    secrets
-    secrets-envsubst
-    security
-    ssh
     themes
-    xdg
-    zsh
 
     direnv
     kitty
 
     coturn
+    mailserver
     matrix-synapse
-    nginx
+    # nginx
+    caddy
   ];
 }