feat: mailserver

DACHXY 2025-08-14 12:27:49 +08:00
parent 0ebf0d7a29
commit b8a31b6264
28 changed files with 2446 additions and 1350 deletions


@ -1,9 +1,14 @@
{
pkgs,
lib,
inputs,
username,
...
}:
let
inherit (lib) optionalAttrs;
inherit (builtins) toString;
in
{
imports = [
(import ../../modules/nvidia.nix {
@ -18,28 +23,97 @@
./services.nix
./nginx.nix
./step-ca.nix
./mail-server.nix
../../modules/presets/minimal.nix
../../modules/bluetooth.nix
../../modules/gc.nix
../../modules/certbot.nix
../../modules/mail-server
(import ../../modules/prometheus.nix {
fqdn = "metrics.net.dn";
selfMonitor = true;
configureNginx = true;
scrapes = [
(optionalAttrs config.services.pdns-recursor.enable {
job_name = "powerdns_recursor";
static_configs = [
{
targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ];
}
];
})
];
})
(import ../../modules/actual.nix {
fqdn = "actual.net.dn";
})
(import ../../modules/nextcloud.nix {
hostname = "nextcloud.net.dn";
dataBackupPath = "/mnt/backup_dn";
dbBackupPath = "/mnt/backup_dn";
})
(import ../../modules/vaultwarden.nix {
domain = "https://bitwarden.net.dn";
domain = "bitwarden.net.dn";
})
(import ../../modules/openldap.nix { })
../../modules/terraria.nix
(import ../../modules/grafana.nix {
domain = "grafana.net.dn";
passFile = config.sops.secrets."grafana/password".path;
smtpHost = config.mail-server.domain;
smtpDomain = config.mail-server.domain;
extraSettings = {
"auth.generic_oauth" =
let
OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect";
in
{
enabled = true;
allow_sign_up = true;
client_id = "grafana";
client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}'';
scopes = "openid email profile offline_access roles";
email_attribute_path = "email";
login_attribute_path = "username";
name_attribute_path = "full_name";
auth_url = "${OIDCBaseUrl}/auth";
token_url = "${OIDCBaseUrl}/token";
api_url = "${OIDCBaseUrl}/userinfo";
role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
};
};
})
../../modules/postgresql.nix
];
environment.systemPackages = with pkgs; [
ferium
openssl
];
mail-server = {
enable = true;
mailDir = "~/Maildir";
caFile = "" + ../../extra/ca.crt;
virtualMailDir = "/var/mail/vhosts";
domain = "net.dn";
rootAlias = "${settings.personal.username}";
networks = [
"127.0.0.0/8"
"10.0.0.0/24"
];
virtual = ''
admin@net.dn ${settings.personal.username}@net.dn
postmaster@net.dn ${settings.personal.username}@net.dn
'';
openFirewall = true;
oauth = {
passwordFile = config.sops.secrets."oauth/password".path;
};
ldap = {
passwordFile = config.sops.secrets."ldap/password".path;
webEnv = config.sops.secrets."ldap/env".path;
};
rspamd = {
trainerSecret = config.sops.secrets."rspamd-trainer".path;
};
};
home-manager = {
users."${username}" = {
imports = [
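Review bot: `config` and `settings` are used throughout the second hunk (`config.services.pdns-recursor.enable`, `config.sops.secrets."oauth/password".path`, `settings.personal.username`), but the argument set at the top of the file is `{ pkgs, lib, inputs, username, ... }`, so as far as this page shows both names are unbound and evaluation would stop with an undefined-variable error; add `config,` and `settings,` to the pattern unless they reach this module some other way. The prometheus `scrapes` list wraps its only entry in `optionalAttrs`, which produces an empty `{}` element (not an absent one) when the recursor is disabled, and an entry without `job_name` is rejected once it reaches `services.prometheus.scrapeConfigs`, where that option has no default. Use `scrapes = lib.optional config.services.pdns-recursor.enable { job_name = "powerdns_recursor"; static_configs = [ … ]; };` and drop the surrounding `[ ( … ) ]`.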


@ -1,64 +0,0 @@
{
config,
lib,
settings,
...
}:
with builtins;
let
interfaces = config.networking.wireguard.interfaces;
allowedIPs = concatLists [
(concatLists (map (interface: interfaces.${interface}.ips) (attrNames interfaces)))
[
"127.0.0.1"
]
];
fqdn = config.networking.fqdn;
# fqdn = "dn-server.daccc.info";
in
{
networking.firewall.allowedTCPPorts = [
25
587
];
services.postfix = {
enable = true;
hostname = fqdn;
origin = fqdn;
networks = allowedIPs;
destination = [
"localhost"
"localhost.${fqdn}"
fqdn
];
config = {
home_mailbox = "Mailbox";
};
postmasterAlias = "root";
rootAlias = settings.personal.username;
config = {
alias_maps = [ "ldap:${config.sops.secrets."postfix/openldap".path}" ];
};
extraAliases = ''
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
vaultwarden: root
'';
};
programs.msmtp.enable = lib.mkForce false;
}


@ -1,8 +1,12 @@
{ ... }:
{ lib, ... }:
with lib;
{
networking = {
domain = "net.dn";
networkmanager.enable = true;
networkmanager = {
enable = true;
insertNameservers = mkForce [ "127.0.0.1" ];
};
enableIPv6 = true;
firewall = {
enable = true;
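Review bot: `with lib;` at file scope pulls every lib name into the module's namespace just to reach `mkForce`, which hides where identifiers come from and can shadow local bindings; the other files in this commit use `inherit (lib) …;` in a `let`, so `let inherit (lib) mkForce; in` keeps this one consistent with them. If no other module sets `networkmanager.insertNameservers`, the `mkForce` is also unnecessary and a plain `insertNameservers = [ "127.0.0.1" ];` makes later overrides possible.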


@ -1,139 +1,35 @@
{
config,
pkgs,
...
}:
let
mkProxyHost = (
{
domain,
proxyPass,
ssl ? false,
}:
(
if ssl then
{
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${domain}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${domain}/privkey.pem";
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
}
else
{
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
}
)
// {
locations."/" = {
proxyPass = proxyPass;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${domain}/html";
extraConfig = ''
default_type "text/plain";
'';
};
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
}
);
certScript = pkgs.writeShellScriptBin "genCert" ''
acmeWebRoot="/var/www/$1/html/";
if [ ! -d "$acmeWebRoot" ]; then
mkdir -p "$acmeWebRoot"
fi
REQUESTS_CA_BUNDLE=${../../../system/extra/ca.crt} \
${pkgs.certbot}/bin/certbot certonly --webroot \
--webroot-path $acmeWebRoot -v \
-d "$1" \
--server https://ca.net.dn:8443/acme/acme/directory \
-m admin@mail.net.dn
chown nginx:nginx -R /etc/letsencrypt
'';
vaultwarden = {
domain = "bitwarden.net.dn";
};
in
{
environment.systemPackages = [
certScript
];
security.acme = {
acceptTerms = true;
defaults = {
validMinDays = 2;
server = "https://10.0.0.1:${toString config.services.step-ca.port}/acme/acme/directory";
renewInterval = "daily";
email = "danny@net.dn";
dnsProvider = "pdns";
dnsPropagationCheck = false;
environmentFile = config.sops.secrets."acme/env".path;
};
};
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# Nextcloud - Server
${config.services.nextcloud.hostName} = {
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${config.services.nextcloud.hostName}/html";
extraConfig = ''
default_type "text/plain";
'';
};
"files.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/privkey.pem";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
"files.net.dn" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
root = "/var/www/files";
locations."/" = {
@ -153,10 +49,20 @@ in
'';
};
${vaultwarden.domain} = mkProxyHost {
domain = vaultwarden.domain;
proxyPass = "http://127.0.0.1:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}";
ssl = true;
"webcam.net.dn" = {
enableACME = true;
forceSSL = true;
locations."/ws/" = {
proxyPass = "http://10.0.0.130:8080/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
locations."/".proxyPass = "http://10.0.0.130:8001/phone.html";
};
};
};
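Review bot: `validMinDays = 2` together with `renewInterval = "daily"` leaves almost no slack against the 72h `defaultTLSCertDuration`/`maxTLSCertDuration` the acme provisioner gets in the step-ca.nix hunk further down this page: a certificate becomes eligible for renewal only about a day before it expires, so a single failed daily run (step-ca or the pdns API unreachable) can take every `enableACME` vhost offline. Consider `renewInterval = "hourly";` so retries land well inside the remaining validity, or give the provisioner longer durations. `dnsPropagationCheck = false` means lego will not confirm the TXT record is visible before asking step-ca to validate; that is reasonable when the authoritative pdns is the one being written, but deserves a one-line comment saying so. The new `webcam.net.dn` vhost proxies the camera's `/` and `/ws/` with no access control; if the listener is reachable from outside the 10.0.0.0/24 WireGuard range, add `extraConfig = "allow 10.0.0.0/24; deny all;";` or a `basicAuthFile` to the vhost.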


@ -4,18 +4,29 @@ nextcloud:
adminPassword: ENC[AES256_GCM,data:O2rK18+riVrvloqqLsMUXw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:yh1ccDmthARLND0NwpLTCA==,type:str]
step_ca:
password: ENC[AES256_GCM,data:3EWxpk/ktZHJreqnR9ln5pfdPjgigoCC4lyoRWugHas=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:UHZagnLvorZUrPq43YU+Gw==,type:str]
vaultwarden: ENC[AES256_GCM,data:PSKtHBIxw0/z/rmtF83Yg3btHksbVVyWZ80nP0wl4zAHRpFXypvpchZu9/edX7RgREd+9okm21WyjNWRUDoGVTOJYOCFHZCvOUx4KzIL2c/i7jUjXwtvAEmikhL1qlunVrCPhDu0knQ5nvsqpgWyxgcZl52yxuskMSIRAOsMpCRePVwJerWW5tuQ5zteYeOR0GHR8Q0iwBm98YGlCbKvz/37jAjMQVxY5W9DE1Tu1XVyEPBeAVvEwZknFNIZg1ukB+kW9Z/sBwLEVbAGsiBSGjonP6KEsgKmtaIkbBPzpfA3CQ==,iv:X8x3ooFDkFIT2OuHICcP2J1zX8T6xZW8j71ZuaByx6Q=,tag:mfnDFf9riivZ3EBup1l6lw==,type:str]
openldap:
adminPassword: ENC[AES256_GCM,data:dSaynM6RBrhZLOwcN2djaA==,iv:t2xJuRO2irEFgcnNcZS25qCfXiZXHaoqcCZYcR041aY=,tag:K5DiJRp+AumtKafAOR49/w==,type:str]
postfix:
openldap: ENC[AES256_GCM,data:8woTLrSJ5qqZU7jizOIK9VGlaPaBuyhq6FOs6LwiE9WHYJzWCAw3D+449SmCVeEE2t+EZWmfRPaOQBceSeIfUY6WZ5vso1E29CWPq8Tk7AuHT2i/K82EhpapXst61IAgSa/y39MchA7LqwaiTzL3A2CJVM1k5Ay5iHUUDfXvLbUsVmn1NlNfOv2QPPd5g+2yR2oGGx5HTbTPQNfoiU77KtvtFmlrubAs413I3DGdhM4uiOS+FI9WgZ4Ia22BucaOLHp2odfWnEMbP+ZIyJFdu3CBcs1lbTnLLVI=,iv:RvPm2+WsTIPFWLlYzv/OyKKDy/fWhtEfut98mBoM/1A=,tag:wkkWK88D0jKfaudN+KpN0Q==,type:str]
dovecot:
openldap: ENC[AES256_GCM,data:G7jdoSqL2SYDv2alh7q65BaA8Ap898azUPf2KKWd5wbr9pRVsRhFxQxHdZDuTOHDhWcfaa+eqMgc5k9gGLBYIO9EWVyEZ01/QfG4GIHSDjubzZxCElwhJrtsFn1A+Ihv7T1IIGKBCdmQGhUwfBMtwYlIuj8PYZaty4+c/dxIOCfDr5HyM1C6qQ4RCJTDEh6B+Hpx8NlFO0+fRFC9+9tQYX0rjI7JZRSfbg7F23nEdkBATr/xlwQXj8dvXYMLZhUKaswFnRs5TrG97AVQ9t3rMguRHutCAqEROhml2lJvV3Vxb/yMmTrom8qSrbkuw00YfdlDCmUo5/E4Vu9DYL0kv0EnASyQ4vQbmVXz0clYEzEXBLWZIEu4QHGJ7jQWgsKFv+WSTvuunVQyNuij3SFWZLR/zdfJELxU,iv:bsGMMdDo1Mj4GxRbWuRmbH/WrLt25jK3we8JDYQRsLw=,tag:EugvDijjQnYcms70nZq5FQ==,type:str]
vaultwarden: ENC[AES256_GCM,data:TDKzc3xPGUiopJ6aXV5a9k8mFN/4NQpfp69vWqQRjpAzWnIM290s4FTnsxJAX0NFfjiuQODhhxTuSmFOXR3+Ti9djSrqJ/ZjrVAMvV4NlpBg6klrCgcDtIfbZ0GqZjdoQYHcCz7V33fQGyTmqehjuVxdlatuLGoekSnuGbfBwY8FQgB+JECy8Y16r+ejplopw60+d43rvYXX4g8v0r4Gey567HVVB/zVizNDocentMaf99UiO/GBSOgbuKlU7+TfC0xhVcekEfZusZd7+LHZshfAjg==,iv:JcExp8YkGwV2nMbCK+n0KSL3+SryJZ0iKtVcU/Q+Cgs=,tag:dnDNa5faICuPUWy4nT49rg==,type:str]
ldap:
password: ENC[AES256_GCM,data:pqPj3Ar6xBLhHl4Q363sHw==,iv:bX7N9/oNMhtE/KbPah2ge4s87P2VsxHGoFkOyl83dxs=,tag:OaYsvds1tiw/x19UTAyizw==,type:str]
env: ENC[AES256_GCM,data:LwrcgbeJf4Sb0Bx+OZ/qCf811bDpDcloltUZIzpQYz0zc1gnRExFxLStLDYeq3vv6DEjgfRdoB61Y1fb,iv:1jK/J2qfKODrbrNpSHl110jPvbNLl0zI//laowerJOc=,tag:TWa//iCY+SuAgp/PSfPkEg==,type:str]
oauth:
password: ENC[AES256_GCM,data:0iW80Iz4whkuyl8qvHN96Q==,iv:BI1n7Jjklye6WM2ss7jpaGgokrJpAG2Ipil7VrY30XM=,tag:zu//brQdDL7mZEkPOKUqPw==,type:str]
powerdns-admin:
secret: ENC[AES256_GCM,data:PH5KE++Oo13xo/DcnI9U6+Ht9oIi4T3n5L7c09eDxf6zZesbg4lFLsq0/hrVFiElErXpC5W2k7NOjqGA385UPQ==,iv:xaSgzhqMU9+ud1xfXLVkg3v2xcmIo35BOhml5VfHKBI=,tag:blQXoyYWzfiF5RGO7ynz9g==,type:str]
salt: ENC[AES256_GCM,data:GITNFfimGPdPzOi2XD0ri2GMax30i+RwzNQrKL8nCOE=,iv:/lRVfNOpERS963+9JNf8wATIY9FcicT8xQ9Cbw2by/s=,tag:6193YZCQABce52qX6ISvzQ==,type:str]
powerdns: ENC[AES256_GCM,data:humQiv+ilGAjU0qMsv0zoKlI20PKxA0VS75ivjkPb/bfzkbvEtH+3u/T8r4OogIhOJtl50+iRZl1imcrXf7drH0A69zUIhBS0xCagmj7,iv:orfh5F4uCYq2IplG0Y7Q/RcSqIm5Xyzn3ejzPsm+/0k=,tag:XeSBbIyYmWSWlyu2gypDzQ==,type:str]
rspamd-trainer: ENC[AES256_GCM,data:XTKk0cBe+qIeTsTxlhPTPEbZS0cCoWH+,iv:M/xk7LywcRiKQM9LrnTnCKu3OS/YBf23CRkxh4ll1+c=,tag:LZUEvgTC1GPxS7iD9jVy/w==,type:str]
acme:
env: ENC[AES256_GCM,data:TWCrj3ZaUHfegDuJJtHQgt516auYu/3qpe35lfha6c3RLHABXtRArD8P6RPZE3HVdpFM0mvxkyme5MW8IMv2yhN9JPz5HLWZv0rjzkbhVyWem0X47c49jF20SnoMZ4yo+X4PZZ9GJKR4fu+0YrQkQXPJB773Yj2scQKx3Glh+iJoRLR8zLcM6JqbaJ4xHH+du6bs1PNyviB5NrGKnxYqzuVmBVLk,iv:ftoFg7i5KyYzdYaYCA8IPBsjHO1Ne/k361XPZ7HYqLo=,tag:v+X6fx/1dU0yoa0bHBLkDw==,type:str]
postsrsd:
secret: ENC[AES256_GCM,data:9BZPa+A/vE4PLapUdaZIQ7QJ3W0x6DrFTnTPrFUJPc2LC9q2RO2gHXIV2bc=,iv:ydGnCESCLbwyGKc+5witXDkT3OgW27LKen7PkqUL6mU=,tag:XxAJripX3eNM4jGFoZZ1+g==,type:str]
grafana:
password: ENC[AES256_GCM,data:3g7PymgXA27VxsLJA7U=,iv:09F8yEGw4j1Jd0HXDQyHbFxsr3Vg23mvWF5eZkU2KU8=,tag:y9AwmYwQjE1JB56sI8r8mA==,type:str]
client_secret: ENC[AES256_GCM,data:znYMvBZH6eFeUZ7Mit0JEhm8hH97M+TKmCcesC/IS9Y=,iv:qywQIHIpgaS2pUcW1Uau//JU6UdMY52EVYCjhmnWJt4=,tag:Xo1h7ODXOkAnETfSYo4rfw==,type:str]
prometheus:
powerdns:
password: ENC[AES256_GCM,data:pvb/aAvB/F1r0PW4mGJKQEExP88PapnViYpniOedJSf5e89/LwSeqYMd4x36zcGSlCV6myC+Xl/H+QBCw0ezcw==,iv:UI7UuJYJizYCO0ReC4SEPgmdPJNUnNuxgvkrhB1o/EQ=,tag:nUjTP7IQNx1ei8COQCTj+g==,type:str]
nginxAuth: ENC[AES256_GCM,data:rYwuXHboAe3rf5e3kcJliKKXZ/Kcg60vnPGP+wukpaDdN8yJ00kk9cCNCjcvIyINEtL7TpEDjBX9oRsZT/E/FfWI6s133tDY,iv:Z/IiEi6oZm1Hv3m8c522GK6eYFf0syFn3A0o4S58DUI=,tag:y4n0Fm+l0OgGVHG+yttHfg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
enc: |
@ -26,8 +37,7 @@ sops:
Qm0wbmNGZDZwZlNTOVl0WVh5RXNxK2cK1Fwbgl5kKAFyrIIhBP+X4ZKFS4Xl39QY
11qkglNgro/JBFJ/W7Hj5wtEd8QToiJM1RW0lQaI25sneQ2v6L5pDA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-04T13:11:13Z"
mac: ENC[AES256_GCM,data:+V5vP4XbeXQP49gyisV4uQJjUybtK792DaFEWBHzLlKn2HiRj+qqSVR5XQrQMQQ5mKMhzsZXGq7QjjXtzKqgLCz5snItU63HzxQ6OxarNeg5pctk7i8ueNST4JpMxZODKGJncz2Ysq8OGrjZ6Nf4QVjO0XhFxZP6MbZxZL7wbuY=,iv:7jKt3uAY/ks8m/uzpos6XvldkpQjkgCHcLn+oRiY3mk=,tag:d6V+waMu4m2wi/H/J3bMXg==,type:str]
pgp: []
lastmodified: "2025-08-01T03:07:16Z"
mac: ENC[AES256_GCM,data:VNmb5eOR2fEyBKD/MuHwC7IdN+SM2ybf/qtkvos3pakYFMCQcSQlJSCiassuZUxkEBl/rpMJ5NcObvuOJDAZZ/B7IAVTMJ8DkQy9cdIMLCRASNxd4EeWdZx517As8OslVdXKpPv15+i7buzj3X/QAPTVy2UUtyjWO2eqZ8ute0A=,iv:PpZmtmKsRKguFFkH2aqbLt54Ox7tOQwq1qtoQVN47Cs=,tag:kQ5kG6BODCqxuNl58EMvmQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.10.2


@ -1,6 +1,5 @@
{
config,
pkgs,
lib,
username,
...
@ -13,58 +12,6 @@ let
sshPorts = [ 30072 ];
sshPortsString = builtins.concatStringsSep ", " (builtins.map (p: builtins.toString p) sshPorts);
getCleanAddress =
ip:
with builtins;
let
result = replaceStrings [ "/24" "/32" ] [ "" "" ] ip;
in
result;
getReverseFilename =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = take 3 (splitString "." (getCleanAddress ip));
reversedFilename = "db." + (concatStringsSep "." (reverseList octets));
in
reversedFilename;
getSubAddress =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = reverseList (splitString "." (getCleanAddress ip));
sub = head octets;
in
sub;
reverseIP =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = splitString "." (getCleanAddress ip);
reversedIP = (concatStringsSep "." (reverseList octets)) + ".in-addr.arpa";
in
reversedIP;
reverseZone =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = take 3 (splitString "." (getCleanAddress ip));
reversedZone = (concatStringsSep "." (reverseList octets)) + ".in-addr.arpa";
in
reversedZone;
personal = {
ip = "10.0.0.1/24";
interface = "wg0";
@ -131,8 +78,8 @@ let
}
{
# ken
dns = "ken";
publicKey = "iWjBGArok96mFzFHXYjTxwyRHGQ4U0V77txoi6WS2QU=";
dns = "phone.ken";
publicKey = "knRpD7qb2JejioJBP5HZgWCrDEOWUq27+ueWPYwnWws=";
allowedIPs = [ "10.0.0.134/32" ];
}
{
@ -187,39 +134,12 @@ let
allowedIPs = [ "10.0.0.144/32" ];
}
{
dns = "rasp";
publicKey = "z+2d+4FhSClGlSiAtaGnTgU6utxElfdRqiwPpCJFRn8=";
# ken
dns = "pc.ken";
publicKey = "ERLMpSbSIYRN5HoKmvsk2852/aAvzjvMV7tOs0oupxI=";
allowedIPs = [ "10.0.0.145/32" ];
}
];
dnsRecords =
with builtins;
concatStringsSep "\n" (
map (
r:
let
ip = getCleanAddress (elemAt r.allowedIPs 0);
in
''
${r.dns} IN A ${ip}
''
) (fullRoute ++ meshRoute)
);
dnsReversedRecords =
with builtins;
concatStringsSep "\n" (
map (
r:
let
reversed = getSubAddress (getCleanAddress (elemAt r.allowedIPs 0));
in
''
${reversed} IN PTR ${r.dns}.${personal.domain}.
''
) (fullRoute ++ meshRoute)
);
in
{
networking = {
@ -334,6 +254,27 @@ in
extraHosts = "${kube.masterIP} ${kube.masterHostname}";
};
services.postgresql = {
enable = lib.mkDefault true;
authentication = ''
host powerdnsadmin powerdnsadmin 127.0.0.1/32 trust
'';
ensureUsers = [
{
name = "powerdnsadmin";
ensureDBOwnership = true;
}
{
name = "pdns";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"powerdnsadmin"
"pdns"
];
};
services = {
dbus.enable = true;
blueman.enable = true;
@ -348,97 +289,58 @@ in
};
};
bind = {
powerdns = {
enable = true;
forwarders = [
"8.8.8.8"
"8.8.4.4"
];
cacheNetworks = [
"127.0.0.0/24"
"::1/128"
personal.range
kube.range
];
zones = {
"${personal.domain}" = {
master = true;
allowQuery = [
"127.0.0.0/24"
"::1/128"
personal.range
kube.range
];
file =
let
serverIP = getCleanAddress personal.ip;
kubeIP = getCleanAddress kube.ip;
origin = "${personal.domain}.";
hostname = config.networking.hostName;
in
pkgs.writeText "db.${personal.domain}" ''
$ORIGIN ${origin}
$TTL 1h
@ IN SOA dns.${origin} admin.dns.${origin} (
1 ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h) ; Negative Cache TTL
IN NS dns.${origin}
@ IN A ${serverIP}
IN AAAA fe80::3319:e2bb:fc15:c9df
@ IN MX 10 mail.${origin}
IN TXT "v=spf1 mx"
dns IN A ${serverIP}
files IN A ${serverIP}
nextcloud IN A ${serverIP}
bitwarden IN A ${serverIP}
ca IN A ${serverIP}
${hostname} IN A ${serverIP}
mail IN A ${serverIP}
api-kube IN A ${kubeIP}
vmail IN A 10.0.0.130
${dnsRecords}
'';
};
extraConfig = ''
launch=gpgsql
webserver-password=$WEB_PASSWORD
api=yes
api-key=$WEB_PASSWORD
gpgsql-host=/var/run/postgresql
gpgsql-dbname=pdns
gpgsql-user=pdns
webserver=yes
webserver-port=8081
local-port=5359
'';
secretFile = config.sops.secrets.powerdns.path;
};
"${reverseZone personal.ip}" = {
master = true;
allowQuery = [
"127.0.0.0/24"
"::1/128"
personal.range
kube.range
];
file =
let
serverIP = getSubAddress personal.ip;
hostname = config.networking.hostName;
in
pkgs.writeText "${getReverseFilename personal.ip}" ''
$TTL 86400
@ IN SOA dns.${personal.domain}. admin.dns.${personal.domain}. (
1 ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h) ; Negative Cache TTL
IN NS dns.${personal.domain}.
${serverIP} IN PTR dns.${personal.domain}.
${serverIP} IN PTR mail.${personal.domain}.
${serverIP} IN PTR ${hostname}.${personal.domain}.
${serverIP} IN PTR nextcloud.${personal.domain}.
${serverIP} IN PTR files.${personal.domain}.
${serverIP} IN PTR bitwarden.${personal.domain}.
${serverIP} IN PTR ca.${personal.domain}.
130 IN PTR vmail.${personal.domain}.
${dnsReversedRecords}
'';
};
pdns-recursor = {
enable = true;
forwardZones = {
"${config.networking.domain}." = "127.0.0.1:5359";
};
forwardZonesRecurse = {
"." = "8.8.8.8";
};
dnssecValidation = "off";
dns.allowFrom = [
"127.0.0.0/8"
"10.0.0.0/24"
"192.168.100.0/24"
"::1/128"
"fc00::/7"
"fe80::/10"
];
yaml-settings = {
webservice.webserver = true;
};
};
powerdns-admin = {
enable = true;
secretKeyFile = config.sops.secrets."powerdns-admin/secret".path;
saltFile = config.sops.secrets."powerdns-admin/salt".path;
config =
# python
''
import cachelib
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'
'';
};
xserver = {
@ -459,6 +361,39 @@ in
];
};
virtualisation = {
oci-containers = {
backend = "docker";
containers = {
uptime-kuma = {
extraOptions = [ "--network=host" ];
image = "louislam/uptime-kuma:1";
volumes = [
"/var/lib/uptime-kuma:/app/data"
"${config.security.pki.caBundle}:/etc/ca.crt:ro"
];
environment = {
NODE_EXTRA_CA_CERTS = "/etc/ca.crt";
};
};
};
};
};
services.nginx.virtualHosts = {
"powerdns.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:8000";
};
"uptime.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:3001";
};
};
nix.settings.trusted-users = [
username
];
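Review bot: `host powerdnsadmin powerdnsadmin 127.0.0.1/32 trust` lets any process that can open a TCP connection to loopback log in as the database owner with no credential, and the new `uptime-kuma` container runs with `--network=host`, so it shares that loopback; this is wider than a local-only convenience. pdns already uses the unix socket (`gpgsql-host=/var/run/postgresql`), so point powerdns-admin at the socket as well and let the NixOS default `local all all peer` rule carry the identity: `SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql'` and drop the `trust` line — this assumes the powerdns-admin service runs as the `powerdnsadmin` system user, which the secret ownership in sops.nix suggests. `api-key=$WEB_PASSWORD` reuses the web UI password as the API key; a separate secret keeps a UI credential leak from also granting API access. `dnssecValidation = "off"` disables validation for everything forwarded to 8.8.8.8, not only the local unsigned zone; if that is deliberate, a short comment explaining why would help the next reader.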


@ -1,4 +1,7 @@
{ config, ... }:
{ config, lib, ... }:
let
inherit (lib) mkIf;
in
{
sops = {
secrets = {
@ -6,10 +9,56 @@
"nextcloud/adminPassword" = { };
"step_ca/password" = { };
vaultwarden = { };
"postfix/openldap" = { };
"openldap/adminPassword" = {
owner = config.users.users.openldap.name;
group = config.users.users.openldap.group;
"oauth/password" = { };
"ldap/password" = lib.mkIf config.mail-server.enable {
mode = "0660";
owner = config.services.openldap.user;
group = config.services.openldap.group;
};
"ldap/env" = lib.mkIf config.mail-server.enable {
mode = "0660";
group = config.users.groups.docker.name;
};
"powerdns-admin/secret" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
"powerdns-admin/salt" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
powerdns = {
mode = "0660";
owner = "pdns";
group = "pdns";
};
rspamd-trainer = { };
"acme/env" = mkIf config.security.acme.acceptTerms {
mode = "0660";
owner = "acme";
group = "acme";
};
"postsrsd/secret" = mkIf config.services.postsrsd.enable {
mode = "0660";
owner = config.services.postsrsd.user;
group = config.services.postsrsd.group;
};
"grafana/password" = mkIf config.services.grafana.enable {
mode = "0660";
owner = "grafana";
group = "grafana";
};
"grafana/client_secret" = mkIf config.services.grafana.enable {
mode = "0660";
owner = "grafana";
group = "grafana";
};
"prometheus/powerdns/password" = mkIf config.services.prometheus.enable {
mode = "0660";
owner = "prometheus";
group = config.users.users.prometheus.group;
};
};
};
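Review bot: every new entry uses `mode = "0660"`, but sops-nix writes these files itself on activation and, as far as these hunks show, the consuming services only read them, so group-write adds nothing and widens what a compromised group member can do; `mode = "0440"` (or the default `0400` where only the owner reads) is the least-privilege choice for all of them. `"ldap/env"` goes further by granting read access to `config.users.groups.docker.name`, i.e. every docker-group member, rather than to the one service that needs it; a dedicated group for that container would scope it better if the mail-server module allows it. Style: the two mail-server entries use `lib.mkIf` while the rest of the block uses the `mkIf` that the new `inherit (lib) mkIf;` brings into scope — pick one.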


@ -32,12 +32,14 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI";
y = "y5OFjciRMVg8ePaEsjSPWbKp_NjQ6U4CtbplRx7z3Bw";
};
name = "danny@smallstep.net.dn";
name = "danny@net.dn";
type = "JWK";
}
{
claims = {
maxTLSCertDuration = "8760h";
minTLSCertDuration = "32h";
maxTLSCertDuration = "72h";
defaultTLSCertDuration = "72h";
};
name = "acme";
options = {
@ -73,7 +75,6 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
minVersion = 1.2;
renegotiation = false;
};
};
port = 8443;
openFirewall = true;