dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: mailserver

Browse source
This commit is contained in:
DACHXY 2025-08-14 12:27:49 +08:00
parent 0ebf0d7a29
commit b8a31b6264
28 changed files with 2446 additions and 1350 deletions
Download patch file Download diff file Expand all files Collapse all files

352
flake.lock generated
View file

@ -8,11 +8,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1752663231,
"narHash": "sha256-rTItuAWpzICMREF8Ww8cK4hYgNMRXJ4wjkN0akLlaWE=",
"lastModified": 1753590784,
"narHash": "sha256-Q30DFlPwD1ZK52TD4wSnqDO5gk9Kvifr923siI8AdVQ=",
"owner": "KZDKM",
"repo": "Hyprspace",
"rev": "0a82e3724f929de8ad8fb04d2b7fa128493f24f7",
"rev": "a847f1d6a7326395d17fe9b6b4ab63a10eb152eb",
"type": "github"
},
"original": {
@ -21,6 +21,27 @@
"type": "github"
}
},
"actual-budget-api": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1753936121,
"narHash": "sha256-gRZAewG5grwOchBqsZiOpJud3dMUColzvCoCkMRmJVo=",
"owner": "DACHXY",
"repo": "actual-budget-api",
"rev": "368035ec590180f1229b1fccef33c16a2ba4df9a",
"type": "github"
},
"original": {
"owner": "DACHXY",
"repo": "actual-budget-api",
"type": "github"
}
},
"aquamarine": {
"inputs": {
"hyprutils": [
@ -121,11 +142,11 @@
]
},
"locked": {
"lastModified": 1753360872,
"narHash": "sha256-U6cjsjnGrUbZj8WLtwkdwmrPGTmHEuLY2eS2N1En+ZM=",
"lastModified": 1753925620,
"narHash": "sha256-i39h2itBWoMgiKT0m5tf3/B+mUFk4m6/+GgTc4g3rsE=",
"owner": "nix-community",
"repo": "flake-firefox-nightly",
"rev": "843548be22ed257f97a28632c798fe1d95292b47",
"rev": "7d4349a2c46b51ed4712e66e0cb372d828bd92ae",
"type": "github"
},
"original": {
@ -245,22 +266,6 @@
"type": "github"
}
},
"flake-compat_8": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -376,7 +381,7 @@
},
"flake-utils_3": {
"inputs": {
"systems": "systems_7"
"systems": "systems_4"
},
"locked": {
"lastModified": 1731533236,
@ -410,21 +415,38 @@
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_8"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"ghostty": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable",
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs",
"zig": "zig",
"zon2nix": "zon2nix"
},
"locked": {
"lastModified": 1746806042,
"narHash": "sha256-Hx92i3f5IjHaWpReyCKvGdqG55bZFU3wxGzA3wv9VLA=",
"lastModified": 1753893528,
"narHash": "sha256-5oc0by3pe2KqJDbbkQP5R5u5ybx4Fj/5Ff8eAZ4yG6s=",
"owner": "ghostty-org",
"repo": "ghostty",
"rev": "7f9bb3c0e54f585e11259bc0c9064813d061929c",
"rev": "d4c825186e4b80c3d95db4e5ccf8b7dcfc671197",
"type": "github"
},
"original": {
@ -553,31 +575,11 @@
]
},
"locked": {
"lastModified": 1754886238,
"narHash": "sha256-LTQomWOwG70lZR+78ZYSZ9sYELWNq3HJ7/tdHzfif/s=",
"lastModified": 1753888434,
"narHash": "sha256-xQhSeLJVsxxkwchE4s6v1CnOI6YegCqeA1fgk/ivVI4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0d492b89d1993579e63b9dbdaed17fd7824834da",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1753365873,
"narHash": "sha256-+Swd3wJppukESlWkbdopl9ZThjNVIFARVlb/eA2xjUA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e2fe7256c4ebbb35bfd1b4c6f52b57a3845ab1d0",
"rev": "0630790b31d4547d79ff247bc3ba1adda3a017d9",
"type": "github"
},
"original": {
@ -644,35 +646,6 @@
"type": "github"
}
},
"hyprgraphics_2": {
"inputs": {
"hyprutils": [
"hyprlock",
"hyprutils"
],
"nixpkgs": [
"hyprlock",
"nixpkgs"
],
"systems": [
"hyprlock",
"systems"
]
},
"locked": {
"lastModified": 1750621377,
"narHash": "sha256-8u6b5oAdX0rCuoR8wFenajBRmI+mzbpNig6hSCuWUzE=",
"owner": "hyprwm",
"repo": "hyprgraphics",
"rev": "b3d628d01693fb9bb0a6690cd4e7b80abda04310",
"type": "github"
},
"original": {
"owner": "hyprwm",
"repo": "hyprgraphics",
"type": "github"
}
},
"hyprgrass": {
"inputs": {
"hyprland": [
@ -710,15 +683,15 @@
"hyprwayland-scanner": "hyprwayland-scanner",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks",
"systems": "systems_4",
"systems": "systems_5",
"xdph": "xdph"
},
"locked": {
"lastModified": 1753310189,
"narHash": "sha256-EgDpsy/2ge/88Zd5ML+m0tyFVwXCeUoPQTOs4YtWZ8w=",
"lastModified": 1753917125,
"narHash": "sha256-AiLcR+4gVhJnJsO2fMEW83dMZbGPYs13d6S8yrbPXew=",
"ref": "refs/heads/main",
"rev": "31cc7f3b87d1d9670b66e73e3720da2e2da49acd",
"revCount": 6311,
"rev": "3e35797b18d35baae82657bb0438af88156e273f",
"revCount": 6328,
"submodules": true,
"type": "git",
"url": "https://github.com/hyprwm/Hyprland"
@ -746,11 +719,11 @@
]
},
"locked": {
"lastModified": 1753028264,
"narHash": "sha256-GbfsRZWW5uBAOeddLkmrYV2XmAbI0etVUTBXFH5thcw=",
"lastModified": 1753894287,
"narHash": "sha256-yPeP6mY5Mdozji7xZBWYy6K166RcCuJgnOXxQt7vl3s=",
"owner": "hyprwm",
"repo": "hyprland-plugins",
"rev": "14f9a444793d6dd78c29033acf9c3c974ded708d",
"rev": "bf310cda4a09b79725c2919688881959ebf3229e",
"type": "github"
},
"original": {
@ -973,36 +946,11 @@
]
},
"locked": {
"lastModified": 1752252310,
"narHash": "sha256-06i1pIh6wb+sDeDmWlzuPwIdaFMxLlj1J9I5B9XqSeo=",
"lastModified": 1753800567,
"narHash": "sha256-W0xgXsaqGa/5/7IBzKNhf0+23MqGPymYYfqT7ECqeTE=",
"owner": "hyprwm",
"repo": "hyprutils",
"rev": "bcabcbada90ed2aacb435dc09b91001819a6dc82",
"type": "github"
},
"original": {
"owner": "hyprwm",
"repo": "hyprutils",
"type": "github"
}
},
"hyprutils_2": {
"inputs": {
"nixpkgs": [
"hyprlock",
"nixpkgs"
],
"systems": [
"hyprlock",
"systems"
]
},
"locked": {
"lastModified": 1751061882,
"narHash": "sha256-g9n8Vrbx+2JYM170P9BbvGHN39Wlkr4U+V2WLHQsXL8=",
"owner": "hyprwm",
"repo": "hyprutils",
"rev": "4737241eaf8a1e51671a2a088518071f9a265cf4",
"rev": "c65d41d4f4e6ded6fdb9d508a73e2fe90e55cdf7",
"type": "github"
},
"original": {
@ -1111,15 +1059,15 @@
},
"lib-aggregate": {
"inputs": {
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_2",
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1753013761,
"narHash": "sha256-ggvjKAeIsjwdu6+ECBGieyBgtotD7BrsGX5BirCacYU=",
"lastModified": 1753618592,
"narHash": "sha256-9sDACkrSbZOA1srKWQzvbkBFHZeXvHW8EYpWrVZPxDg=",
"owner": "nix-community",
"repo": "lib-aggregate",
"rev": "f7c04e5ad6aa43a0f9698edb0d74b44e88ee99ee",
"rev": "81b2f78680ca3864bfdc0d4cbc3444af3e1ff271",
"type": "github"
},
"original": {
@ -1139,11 +1087,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1753343196,
"narHash": "sha256-o9veRunwEQOhokmU9J+sQao/TRGtgwK20CGCiHtzKdM=",
"lastModified": 1753917868,
"narHash": "sha256-khP5mhM320Uzu1lz0T2iVOFMdTdOFCsCW4ZOgQjBm4M=",
"owner": "nix-community",
"repo": "neovim-nightly-overlay",
"rev": "e2091f21d83fd357ebb79ff566428826bbb4f565",
"rev": "76251f3ad50697027b37cfc602b847e24fb5834f",
"type": "github"
},
"original": {
@ -1155,11 +1103,11 @@
"neovim-src": {
"flake": false,
"locked": {
"lastModified": 1753271847,
"narHash": "sha256-RuuJ3b4otjQGraffcktEvP6Wk54MCHWwXnvoIy01dyo=",
"lastModified": 1753830218,
"narHash": "sha256-PpZUuVOB11MD7gNql5XIS/rEzbhkSmdODK+WUqDah6w=",
"owner": "neovim",
"repo": "neovim",
"rev": "0dcdd65dcc08483d9a5c106f62b862a9de30983e",
"rev": "1256daeead27722263614c1e57899dff6d802b98",
"type": "github"
},
"original": {
@ -1198,11 +1146,11 @@
]
},
"locked": {
"lastModified": 1752985182,
"narHash": "sha256-sX8Neff8lp3TCHai6QmgLr5AD8MdsQQX3b52C1DVXR8=",
"lastModified": 1753589988,
"narHash": "sha256-y1JlcMB2dKFkrr6g+Ucmj8L//IY09BtSKTH/A7OU7mU=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "fafdcb505ba605157ff7a7eeea452bc6d6cbc23c",
"rev": "f0736b09c43028fd726fb70c3eb3d1f0795454cf",
"type": "github"
},
"original": {
@ -1214,15 +1162,15 @@
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat_7",
"flake-utils": "flake-utils_3",
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1753237324,
"narHash": "sha256-iXvv/VYLMyAoaTadYrX0PGwd6N2wVX337Os6k8TAlF4=",
"lastModified": 1753928630,
"narHash": "sha256-ASqyvmJ2EEUCyDJGMHRQ1ZqWnCd4SiVd7hi7dGBuSvw=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "64ca2cbbf9c65dd3bd98192d74872a80e8dcb871",
"rev": "30af81148ee29a4a13c938c25d3e68877b1b27fb",
"type": "github"
},
"original": {
@ -1251,27 +1199,24 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1754725699,
"narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
"type": "github"
"lastModified": 1748189127,
"narHash": "sha256-zRDR+EbbeObu4V2X5QCd2Bk5eltfDlCr5yvhBwUT6pY=",
"rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/25.05/nixos-25.05.802491.7c43f080a7f2/nixexprs.tar.xz"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
"type": "tarball",
"url": "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1752974445,
"narHash": "sha256-jj/HBJFSapTk4LfeJgNLk2wEE2BO6dgBYVRbXMNOCeM=",
"lastModified": 1753579242,
"narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "9100109c11b6b5482ea949c980b86e24740dca08",
"rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
"type": "github"
},
"original": {
@ -1281,22 +1226,6 @@
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1751290243,
"narHash": "sha256-kNf+obkpJZWar7HZymXZbW+Rlk3HTEIMlpc6FCNz0Ds=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5ab036a8d97cb9476fbe81b09076e6e91d15e1b6",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
@ -1312,34 +1241,34 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"nixpkgs_2": {
"locked": {
"lastModified": 1753369216,
"narHash": "sha256-Jx2i6loWL755GD+GlCXESMhIiO0aFc/pDo82N16fEiw=",
"owner": "nixos",
"lastModified": 1752687322,
"narHash": "sha256-RKwfXA4OZROjBTQAl9WOZQFm7L8Bo93FQwSJpAiSRvo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b74a30dbc0a72e20df07d43109339f780b439291",
"rev": "6e987485eb2c77e5dcc5af4e3c70843711ef9251",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_10": {
"nixpkgs_3": {
"locked": {
"lastModified": 1727348695,
"narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=",
"owner": "nixos",
"lastModified": 1753750875,
"narHash": "sha256-J1P0aQymehe8AHsID9wwoMjbaYrIB2eH5HftoXhF9xk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784",
"rev": "871381d997e4a063f25a3994ce8a9ac595246610",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -1394,11 +1323,11 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1753250450,
"narHash": "sha256-i+CQV2rPmP8wHxj0aq4siYyohHwVlsh40kV89f3nw1s=",
"lastModified": 1753694789,
"narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fc02ee70efb805d3b2865908a13ddd4474557ecf",
"rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
"type": "github"
},
"original": {
@ -1410,11 +1339,11 @@
},
"nixpkgs_6": {
"locked": {
"lastModified": 1754725699,
"narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
"lastModified": 1753694789,
"narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
"rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
"type": "github"
},
"original": {
@ -1441,22 +1370,6 @@
}
},
"nixpkgs_8": {
"locked": {
"lastModified": 1753934836,
"narHash": "sha256-G06FmIBj0I5bMW1Q8hAEIl5N7IHMK7+Ta4KA+BmneDA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8679b16e11becd487b45d568358ddf9d5640d860",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_9": {
"locked": {
"lastModified": 1752596105,
"narHash": "sha256-lFNVsu/mHLq3q11MuGkMhUUoSXEdQjCHvpReaGP1S2k=",
@ -1506,7 +1419,7 @@
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731363552,
@ -1525,7 +1438,7 @@
"root": {
"inputs": {
"Hyprspace": "Hyprspace",
"chaotic": "chaotic",
"actual-budget-api": "actual-budget-api",
"disko": "disko",
"firefox": "firefox",
"ghostty": "ghostty",
@ -1716,16 +1629,16 @@
},
"systems_4": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"repo": "default",
"type": "github"
}
},
@ -1797,11 +1710,11 @@
]
},
"locked": {
"lastModified": 1753006367,
"narHash": "sha256-tzbhc4XttkyEhswByk5R38l+ztN9UDbnj0cTcP6Hp9A=",
"lastModified": 1753772294,
"narHash": "sha256-8rkd13WfClfZUBIYpX5dvG3O9V9w3K9FPQ9rY14VtBE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "421b56313c65a0815a52b424777f55acf0b56ddf",
"rev": "6b9214fffbcf3f1e608efa15044431651635ca83",
"type": "github"
},
"original": {
@ -1853,16 +1766,16 @@
},
"yazi": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_9",
"rust-overlay": "rust-overlay_4"
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_8",
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1753281791,
"narHash": "sha256-HfWJw+p8j9CQR2PG2mDhhJ1YRdFf5edoINUyc8/UcJI=",
"lastModified": 1753894134,
"narHash": "sha256-krVLqRHpRG+qxjYuXgV3m1HzkJRRYJL7dtYvz655doo=",
"owner": "sxyazi",
"repo": "yazi",
"rev": "c2883f1e05bdafead994d5d28098e58de0ad514b",
"rev": "da97e5a8b4580add8f5eb2f97f0fe80886becf06",
"type": "github"
},
"original": {
@ -1892,7 +1805,8 @@
"zig": {
"inputs": {
"flake-compat": [
"ghostty"
"ghostty",
"flake-compat"
],
"flake-utils": [
"ghostty",
@ -1900,7 +1814,7 @@
],
"nixpkgs": [
"ghostty",
"nixpkgs-stable"
"nixpkgs"
]
},
"locked": {
@ -1925,7 +1839,7 @@
],
"nixpkgs": [
"ghostty",
"nixpkgs-unstable"
"nixpkgs"
]
},
"locked": {
@ -1938,8 +1852,8 @@
},
"original": {
"owner": "jcollie",
"ref": "56c159be489cc6c0e73c3930bd908ddc6fe89613",
"repo": "zon2nix",
"rev": "56c159be489cc6c0e73c3930bd908ddc6fe89613",
"type": "github"
}
}

7
flake.nix
View file

@ -91,6 +91,10 @@
};
chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
actual-budget-api = {
url = "github:DACHXY/actual-budget-api";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
@ -112,6 +116,7 @@
nix-index-database.nixosModules.nix-index
inputs.sops-nix.nixosModules.sops
inputs.chaotic.nixosModules.default
inputs.actual-budget-api.nixosModules.default
];
args = {
inherit
@ -159,10 +164,12 @@
inputs.nix-minecraft.nixosModules.minecraft-servers
inputs.nix-tmodloader.nixosModules.tmodloader
./system/dev/dn-server
./pkgs/options/dovecot.nix
];
overlays = [
inputs.nix-minecraft.overlay
inputs.nix-tmodloader.overlay
(import ./pkgs/overlays/dovecot.nix)
];
};
};

871
pkgs/options/dovecot.nix Normal file
View file

@ -0,0 +1,871 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
attrValues
concatMapStringsSep
concatStrings
concatStringsSep
flatten
imap1
literalExpression
mapAttrsToList
mkEnableOption
mkIf
mkOption
optional
optionalAttrs
optionalString
singleton
types
nameValuePair
mapAttrs'
listToAttrs
filter
;
inherit (lib.strings) match hasPrefix;
cfg = config.services.dovecot;
dovecotPkg = pkgs.dovecot;
pversion = dovecotPkg.version;
isVersion24 = hasPrefix "2.4" pversion;
baseDir = "/run/dovecot";
stateDir = "/var/lib/dovecot";
sieveScriptSettings = mapAttrs' (
to: _: nameValuePair "sieve_${to}" "${stateDir}/sieve/${to}"
) cfg.sieve.scripts;
imapSieveMailboxSettings = listToAttrs (
flatten (
imap1 (
idx: el:
singleton {
name = "imapsieve_mailbox${toString idx}_name";
value = el.name;
}
++ optional (el.from != null) {
name = "imapsieve_mailbox${toString idx}_from";
value = el.from;
}
++ optional (el.causes != [ ]) {
name = "imapsieve_mailbox${toString idx}_causes";
value = concatStringsSep "," el.causes;
}
++ optional (el.before != null) {
name = "imapsieve_mailbox${toString idx}_before";
value = "file:${stateDir}/imapsieve/before/${baseNameOf el.before}";
}
++ optional (el.after != null) {
name = "imapsieve_mailbox${toString idx}_after";
value = "file:${stateDir}/imapsieve/after/${baseNameOf el.after}";
}
) cfg.imapsieve.mailbox
)
);
mkExtraConfigCollisionWarning = term: ''
You referred to ${term} in `services.dovecot.extraConfig`.
Due to gradual transition to structured configuration for plugin configuration, it is possible
this will cause your plugin configuration to be ignored.
Consider setting `services.dovecot.pluginSettings.${term}` instead.
'';
# Those settings are automatically set based on other parts
# of this module.
automaticallySetPluginSettings =
[
"sieve_plugins"
"sieve_extensions"
"sieve_global_extensions"
"sieve_pipe_bin_dir"
]
++ (builtins.attrNames sieveScriptSettings)
++ (builtins.attrNames imapSieveMailboxSettings);
# The idea is to match everything that looks like `$term =`
# but not `# $term something something`
# or `# $term = some value` because those are comments.
configContainsSetting = lines: term: (match "[[:blank:]]*${term}[[:blank:]]*=.*" lines) != null;
warnAboutExtraConfigCollisions = map mkExtraConfigCollisionWarning (
filter (configContainsSetting cfg.extraConfig) automaticallySetPluginSettings
);
sievePipeBinScriptDirectory = pkgs.linkFarm "sieve-pipe-bins" (
map (el: {
name = builtins.unsafeDiscardStringContext (baseNameOf el);
path = el;
}) cfg.sieve.pipeBins
);
dovecotConf = concatStrings [
(optionalString isVersion24 ''
dovecot_config_version = ${pversion}
dovecot_storage_version = ${pversion}
'')
''
base_dir = ${baseDir}
protocols = ${(concatStringsSep " " cfg.protocols)}
sendmail_path = /run/wrappers/bin/sendmail
mail_plugin_dir = /run/current-system/sw/lib/dovecot/modules
# defining mail_plugins must be done before the first protocol {} filter because of https://doc.dovecot.org/configuration_manual/config_file/config_file_syntax/#variable-expansion
mail_plugins = ${concatStringsSep " " cfg.mailPlugins.globally.enable}
''
(concatStringsSep "\n" (
mapAttrsToList (protocol: plugins: ''
protocol ${protocol} {
mail_plugins = $mail_plugins ${concatStringsSep " " plugins.enable}
}
'') cfg.mailPlugins.perProtocol
))
(
if cfg.sslServerCert == null then
''
ssl = no
auth_allow_cleartext = yes
''
else
''
ssl_server_cert_file = ${cfg.sslServerCert}
ssl_server_key_file = ${cfg.sslServerKey}
${optionalString (cfg.sslCACert != null) ("ssl_server_ca_file = " + cfg.sslCACert)}
${optionalString cfg.enableDHE ''ssl_server_dh_file = ${config.security.dhparams.params.dovecot.path}''}
auth_allow_cleartext = no
''
)
''
default_internal_user = ${cfg.user}
default_internal_group = ${cfg.group}
${optionalString (cfg.mailUser != null) "mail_uid = ${cfg.mailUser}"}
${optionalString (cfg.mailGroup != null) "mail_gid = ${cfg.mailGroup}"}
mail_driver = maildir
mail_path = ${cfg.mailLocation}
mail_inbox_path = ${cfg.mailLocation}/.INBOX
maildir_copy_with_hardlinks = yes
${
if isVersion24 then
''
pop3_uidl_format = %{uidvalidity | hex(8)}%{user | hex(8)}
''
else
''
pop3_uidl_format = %08Xv%08Xu
''
}
auth_mechanisms = plain login
service auth {
user = root
}
''
(optionalString cfg.enablePAM ''
userdb passwd {
}
passdb pam {
session = yes
service_name = dovecot
${optionalString cfg.showPAMFailure "failure_show_msg=yes"}
}
'')
(optionalString (cfg.mailboxes != { }) ''
namespace inbox {
inbox=yes
${concatStringsSep "\n" (map mailboxConfig (attrValues cfg.mailboxes))}
}
'')
(optionalString cfg.enableQuota ''
service quota-status {
executable = ${dovecotPkg}/libexec/dovecot/quota-status -p postfix
inet_listener quota {
port ${cfg.quotaPort}
}
client_limit = 1
}
quota "User quota" {
driver = count
storage = {
size = ${cfg.quotaGlobalPerUser}
grace = 10M
}
status {
success = DUNNO
nouser = DUNNO
overquota = "552 5.2.2 Mailbox is full"
}
}
'')
# General plugin settings:
# - sieve is mostly generated here, refer to `pluginSettings` to follow
# the control flow.
''
${concatStringsSep "\n" (
mapAttrsToList (
key: value:
if (key == "sieve_extensions") then
''
${key} {
${value}
}
''
else
"${key} = ${value}"
) cfg.pluginSettings
)}
''
(optionalString cfg.enableHealthCheck (
let
healthCheckWrapper = pkgs.writeShellScript "health-check-wrapper.sh" ''
export PATH="${pkgs.coreutils}/bin:${pkgs.gnused}/bin:$PATH"
${pkgs.dovecot}/libexec/dovecot/health-check.sh
'';
in
''
service health-check {
executable = script -p ${healthCheckWrapper}
inet_listener health-check {
port = ${toString cfg.healthCheckPort}
}
}
''
))
cfg.extraConfig
];
mailboxConfig =
mailbox:
''
mailbox "${mailbox.name}" {
auto = ${toString mailbox.auto}
''
+ optionalString (mailbox.autoexpunge != null) ''
autoexpunge = ${mailbox.autoexpunge}
''
+ optionalString (mailbox.specialUse != null) ''
special_use = \${toString mailbox.specialUse}
''
+ "}";
mailboxes =
{ name, ... }:
{
options = {
name = mkOption {
type = types.strMatching ''[^"]+'';
example = "Spam";
default = name;
readOnly = true;
description = "The name of the mailbox.";
};
auto = mkOption {
type = types.enum [
"no"
"create"
"subscribe"
];
default = "no";
example = "subscribe";
description = "Whether to automatically create or create and subscribe to the mailbox or not.";
};
specialUse = mkOption {
type = types.nullOr (
types.enum [
"All"
"Archive"
"Drafts"
"Flagged"
"Junk"
"Sent"
"Trash"
]
);
default = null;
example = "Junk";
description = "Null if no special use flag is set. Other than that every use flag mentioned in the RFC is valid.";
};
autoexpunge = mkOption {
type = types.nullOr types.str;
default = null;
example = "60d";
description = ''
To automatically remove all email from the mailbox which is older than the
specified time.
'';
};
};
};
in
{
options.services.dovecot = {
enable = mkEnableOption "the dovecot POP3/IMAP server";
enablePop3 = mkEnableOption "starting the POP3 listener (when Dovecot is enabled)";
enableImap = mkEnableOption "starting the IMAP listener (when Dovecot is enabled)" // {
default = true;
};
enableLmtp = mkEnableOption "starting the LMTP listener (when Dovecot is enabled)";
enableHealthCheck = mkEnableOption "starting the HealthCheck listener (when Dovecot is enabled)";
healthCheckPort = mkOption {
type = types.int;
default = 5001;
description = "Listen port for health check service";
};
protocols = mkOption {
type = types.listOf types.str;
default = [ ];
description = "Additional listeners to start when Dovecot is enabled.";
};
user = mkOption {
type = types.str;
default = "dovecot";
description = "Dovecot user name.";
};
group = mkOption {
type = types.str;
default = "dovecot";
description = "Dovecot group name.";
};
extraConfig = mkOption {
type = types.lines;
default = "";
example = "mail_debug = yes";
description = "Additional entries to put verbatim into Dovecot's config file.";
};
mailPlugins =
let
plugins =
hint:
types.submodule {
options = {
enable = mkOption {
type = types.listOf types.str;
default = [ ];
description = "mail plugins to enable as a list of strings to append to the ${hint} `$mail_plugins` configuration variable";
};
};
};
in
mkOption {
type =
with types;
submodule {
options = {
globally = mkOption {
description = "Additional entries to add to the mail_plugins variable for all protocols";
type = plugins "top-level";
example = {
enable = [ "virtual" ];
};
default = {
enable = [ ];
};
};
perProtocol = mkOption {
description = "Additional entries to add to the mail_plugins variable, per protocol";
type = attrsOf (plugins "corresponding per-protocol");
default = { };
example = {
imap = [ "imap_acl" ];
};
};
};
};
description = "Additional entries to add to the mail_plugins variable, globally and per protocol";
example = {
globally.enable = [ "acl" ];
perProtocol.imap.enable = [ "imap_acl" ];
};
default = {
globally.enable = [ ];
perProtocol = { };
};
};
configFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Config file used for the whole dovecot configuration.";
apply = v: if v != null then v else pkgs.writeText "dovecot.conf" dovecotConf;
};
mailLocation = mkOption {
type = types.str;
default = "/var/spool/mail/%{user}"; # Same as inbox, as postfix
example = "~/mail";
description = ''
Location that dovecot will use for mail folders. Dovecot mail_location option.
'';
};
mailUser = mkOption {
type = types.nullOr types.str;
default = null;
description = "Default user to store mail for virtual users.";
};
mailGroup = mkOption {
type = types.nullOr types.str;
default = null;
description = "Default group to store mail for virtual users.";
};
createMailUser =
mkEnableOption ''
automatically creating the user
given in {option}`services.dovecot.user` and the group
given in {option}`services.dovecot.group`''
// {
default = true;
};
sslCACert = mkOption {
type = types.nullOr types.str;
default = null;
description = "Path to the server's CA certificate key.";
};
sslServerCert = mkOption {
type = types.nullOr types.str;
default = null;
description = "Path to the server's public key.";
};
sslServerKey = mkOption {
type = types.nullOr types.str;
default = null;
description = "Path to the server's private key.";
};
enablePAM = mkEnableOption "creating a own Dovecot PAM service and configure PAM user logins" // {
default = true;
};
enableDHE = mkEnableOption "ssl_dh and generation of primes for the key exchange" // {
default = true;
};
showPAMFailure = mkEnableOption "showing the PAM failure message on authentication error (useful for OTPW)";
mailboxes = mkOption {
type =
with types;
coercedTo (listOf unspecified) (
list:
listToAttrs (
map (entry: {
name = entry.name;
value = removeAttrs entry [ "name" ];
}) list
)
) (attrsOf (submodule mailboxes));
default = { };
example = literalExpression ''
{
Spam = { specialUse = "Junk"; auto = "create"; };
}
'';
description = "Configure mailboxes and auto create or subscribe them.";
};
enableQuota = mkEnableOption "the dovecot quota service";
quotaPort = mkOption {
type = types.str;
default = "12340";
description = ''
The Port the dovecot quota service binds to.
If using postfix, add check_policy_service inet:localhost:12340 to your smtpd_recipient_restrictions in your postfix config.
'';
};
quotaGlobalPerUser = mkOption {
type = types.str;
default = "100G";
example = "10G";
description = "Quota limit for the user in bytes. Supports suffixes b, k, M, G, T and %.";
};
pluginSettings = mkOption {
# types.str does not coerce from packages, like `sievePipeBinScriptDirectory`.
type = types.attrsOf (
types.oneOf [
types.str
types.package
]
);
default = { };
example = literalExpression ''
{
sieve = "file:~/sieve;active=~/.dovecot.sieve";
}
'';
description = ''
Plugin settings for dovecot in general, e.g. `sieve`, `sieve_default`, etc.
Some of the other knobs of this module will influence by default the plugin settings, but you
can still override any plugin settings.
If you override a plugin setting, its value is cleared and you have to copy over the defaults.
'';
};
imapsieve.mailbox = mkOption {
default = [ ];
description = "Configure Sieve filtering rules on IMAP actions";
type = types.listOf (
types.submodule (
{ config, ... }:
{
options = {
name = mkOption {
description = ''
This setting configures the name of a mailbox for which administrator scripts are configured.
The settings defined hereafter with matching sequence numbers apply to the mailbox named by this setting.
This setting supports wildcards with a syntax compatible with the IMAP LIST command, meaning that this setting can apply to multiple or even all ("*") mailboxes.
'';
example = "Junk";
type = types.str;
};
from = mkOption {
default = null;
description = ''
Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot.imapsieve.mailbox.<name>.name when the message originates from the indicated mailbox.
This setting supports wildcards with a syntax compatible with the IMAP LIST command, meaning that this setting can apply to multiple or even all ("*") mailboxes.
'';
example = "*";
type = types.nullOr types.str;
};
causes = mkOption {
default = [ ];
description = ''
Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot.imapsieve.mailbox.<name>.name when one of the listed IMAPSIEVE causes apply.
This has no effect on the user script, which is always executed no matter the cause.
'';
example = [
"COPY"
"APPEND"
];
type = types.listOf (
types.enum [
"APPEND"
"COPY"
"FLAG"
]
);
};
before = mkOption {
default = null;
description = ''
When an IMAP event of interest occurs, this sieve script is executed before any user script respectively.
This setting each specify the location of a single sieve script. The semantics of this setting is similar to sieve_before: the specified scripts form a sequence together with the user script in which the next script is only executed when an (implicit) keep action is executed.
'';
example = literalExpression "./report-spam.sieve";
type = types.nullOr types.path;
};
after = mkOption {
default = null;
description = ''
When an IMAP event of interest occurs, this sieve script is executed after any user script respectively.
This setting each specify the location of a single sieve script. The semantics of this setting is similar to sieve_after: the specified scripts form a sequence together with the user script in which the next script is only executed when an (implicit) keep action is executed.
'';
example = literalExpression "./report-spam.sieve";
type = types.nullOr types.path;
};
};
}
)
);
};
sieve = {
plugins = mkOption {
default = [ ];
example = [ "sieve_extprograms" ];
description = "Sieve plugins to load";
type = types.listOf types.str;
};
extensions = mkOption {
default = [ ];
description = "Sieve extensions for use in user scripts";
example = [
"notify"
"imapflags"
"vnd.dovecot.filter"
];
type = types.listOf types.str;
};
globalExtensions = mkOption {
default = [ ];
example = [ "vnd.dovecot.environment" ];
description = "Sieve extensions for use in global scripts";
type = types.listOf types.str;
};
scripts = mkOption {
type = types.attrsOf types.path;
default = { };
description = "Sieve scripts to be executed. Key is a sequence, e.g. 'before2', 'after' etc.";
};
pipeBins = mkOption {
default = [ ];
example = literalExpression ''
map lib.getExe [
(pkgs.writeShellScriptBin "learn-ham.sh" "exec ''${pkgs.rspamd}/bin/rspamc learn_ham")
(pkgs.writeShellScriptBin "learn-spam.sh" "exec ''${pkgs.rspamd}/bin/rspamc learn_spam")
]
'';
description = "Programs available for use by the vnd.dovecot.pipe extension";
type = types.listOf types.path;
};
};
};
config = mkIf cfg.enable {
security.pam.services.dovecot = mkIf cfg.enablePAM { };
security.dhparams = mkIf (cfg.sslServerCert != null && cfg.enableDHE) {
enable = true;
params.dovecot = { };
};
services.dovecot = {
protocols =
optional cfg.enableImap "imap" ++ optional cfg.enablePop3 "pop3" ++ optional cfg.enableLmtp "lmtp";
mailPlugins = mkIf cfg.enableQuota {
globally.enable = [ "quota" ];
perProtocol.imap.enable = [ "imap_quota" ];
};
sieve.plugins =
optional (cfg.imapsieve.mailbox != [ ]) "sieve_imapsieve"
++ optional (cfg.sieve.pipeBins != [ ]) "sieve_extprograms";
sieve.globalExtensions = optional (cfg.sieve.pipeBins != [ ]) "vnd.dovecot.pipe";
pluginSettings = lib.mapAttrs (n: lib.mkDefault) (
{
# sieve_plugins = concatStringsSep " " cfg.sieve.plugins;
# sieve_extensions = concatMapStrings (p: p + " = yes\n") cfg.sieve.extensions;
# sieve_global_extensions = concatStringsSep " " (map (el: "+${el}") cfg.sieve.globalExtensions);
# sieve_pipe_bin_dir = sievePipeBinScriptDirectory;
}
// sieveScriptSettings
// imapSieveMailboxSettings
);
};
users.users =
{
dovenull = {
uid = config.ids.uids.dovenull2;
description = "Dovecot user for untrusted logins";
group = "dovenull";
};
}
// optionalAttrs (cfg.user == "dovecot") {
dovecot = {
uid = config.ids.uids.dovecot;
description = "Dovecot user";
group = cfg.group;
};
}
// optionalAttrs (cfg.createMailUser && cfg.mailUser != null) {
${cfg.mailUser} = {
description = "Virtual Mail User";
isSystemUser = true;
} // optionalAttrs (cfg.mailGroup != null) { group = cfg.mailGroup; };
};
users.groups =
{
dovenull.gid = config.ids.gids.dovenull2;
}
// optionalAttrs (cfg.group == "dovecot") {
dovecot.gid = config.ids.gids.dovecot;
}
// optionalAttrs (cfg.createMailUser && cfg.mailGroup != null) {
${cfg.mailGroup} = { };
};
environment.etc."dovecot/dovecot.conf".source = cfg.configFile;
systemd.services.dovecot = {
description = "Dovecot IMAP/POP3 server";
documentation = [
"man:dovecot(1)"
"https://doc.dovecot.org"
];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ cfg.configFile ];
startLimitIntervalSec = 60; # 1 min
serviceConfig = {
Type = "notify";
ExecStart = "${dovecotPkg}/sbin/dovecot -F";
ExecReload = "${dovecotPkg}/sbin/doveadm reload";
CapabilityBoundingSet = [
"CAP_CHOWN"
"CAP_DAC_OVERRIDE"
"CAP_FOWNER"
"CAP_KILL" # Required for child process management
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_CHROOT"
"CAP_SYS_RESOURCE"
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = false; # e.g for sendmail
OOMPolicy = "continue";
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = lib.mkDefault false;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
PrivateDevices = true;
Restart = "on-failure";
RestartSec = "1s";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK" # e.g. getifaddrs in sieve handling
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = false; # sets sgid on maildirs
RuntimeDirectory = [ "dovecot" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service @resources"
"~@privileged"
"@chown @setuid capset chroot"
];
};
# When copying sieve scripts preserve the original time stamp
# (should be 0) so that the compiled sieve script is newer than
# the source file and Dovecot won't try to compile it.
preStart =
''
rm -rf ${stateDir}/sieve ${stateDir}/imapsieve
''
+ optionalString (cfg.sieve.scripts != { }) ''
mkdir -p ${stateDir}/sieve
${concatStringsSep "\n" (
mapAttrsToList (to: from: ''
if [ -d '${from}' ]; then
mkdir '${stateDir}/sieve/${to}'
cp -p "${from}/"*.sieve '${stateDir}/sieve/${to}'
else
cp -p '${from}' '${stateDir}/sieve/${to}'
fi
${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}'
'') cfg.sieve.scripts
)}
chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/sieve'
''
+ optionalString (cfg.imapsieve.mailbox != [ ]) ''
mkdir -p ${stateDir}/imapsieve/{before,after}
${concatMapStringsSep "\n" (
el:
optionalString (el.before != null) ''
cp -p ${el.before} ${stateDir}/imapsieve/before/${baseNameOf el.before}
${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/imapsieve/before/${baseNameOf el.before}'
''
+ optionalString (el.after != null) ''
cp -p ${el.after} ${stateDir}/imapsieve/after/${baseNameOf el.after}
${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/imapsieve/after/${baseNameOf el.after}'
''
) cfg.imapsieve.mailbox}
${optionalString (
cfg.mailUser != null && cfg.mailGroup != null
) "chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/imapsieve'"}
'';
};
environment.systemPackages = [ dovecotPkg ];
warnings = warnAboutExtraConfigCollisions;
assertions = [
{
assertion =
(cfg.sslServerCert == null) == (cfg.sslServerKey == null)
&& (cfg.sslCACert != null -> !(cfg.sslServerCert == null || cfg.sslServerKey == null));
message = "dovecot needs both sslServerCert and sslServerKey defined for working crypto";
}
{
assertion = cfg.showPAMFailure -> cfg.enablePAM;
message = "dovecot is configured with showPAMFailure while enablePAM is disabled";
}
{
assertion = cfg.sieve.scripts != { } -> (cfg.mailUser != null && cfg.mailGroup != null);
message = "dovecot requires mailUser and mailGroup to be set when `sieve.scripts` is set";
}
];
};
meta.maintainers = [ lib.maintainers.dblsaiko ];
}

2
pkgs/overlays/default.nix
View file

@ -1,4 +1,4 @@
[
# (import ./ferium.nix)
(import ./vesktop.nix)
(import ./powerdns-admin.nix)
]

34
pkgs/overlays/dovecot.nix Normal file
View file

@ -0,0 +1,34 @@
final: prev: {
dovecot = prev.dovecot.overrideAttrs (oldAttrs: rec {
version = "2.4.0";
src = prev.fetchurl {
url = "https://dovecot.org/releases/${prev.lib.versions.majorMinor version}/${oldAttrs.pname}-${version}.tar.gz";
hash = "sha256-6Q5J+MMbCaUIJJpP7oYF+qZf4yCBm/ytryUkEmJT1a4=";
};
# Dovecot 2.4 Not need this patch anymore
patches = builtins.filter (
patch: (!(prev.lib.hasInfix "Support-openssl-3.0.patch" (toString patch)))
) oldAttrs.patches;
# Dovecot 2.4 Not need this patch anymore
postPatch =
prev.lib.replaceStrings
[
# bash
''
# DES-encrypted passwords are not supported by NixPkgs anymore
sed '/test_password_scheme("CRYPT"/d' -i src/auth/test-libpassword.c
''
]
[
# bash
''
# DES-encrypted passwords are not supported by NixPkgs anymore
sed '/test_password_scheme("CRYPT"/d' -i src/lib-auth/test-password-scheme.c
''
]
oldAttrs.postPatch;
});
}

20
pkgs/overlays/ferium.nix
View file

@ -1,20 +0,0 @@
final: prev: {
ferium = prev.ferium.overrideAttrs (
final: prev: rec {
cargoHash = "sha256-yedl4KQCpT7Ai1EPvwD5kzhkHesIjGVAcxKjp5k2jmI=";
version = "4.7.0";
src = prev.fetchFromGitHub {
owner = "gorilla-devs";
repo = prev.pname;
rev = "v${version}";
hash = "sha256-jj3BdaxH7ofhHNF2eu+burn6+/0bPQQZ8JfjXAFyN4A=";
};
cargoDeps = prev.rustPlatform.fetchCargoVendor {
inherit (final) pname src version;
useFetchCargoVendor = true;
hash = final.cargoHash;
};
}
);
}

150
pkgs/overlays/powerdns-admin.nix Normal file
View file

@ -0,0 +1,150 @@
final: prev: {
powerdns-admin = prev.powerdns-admin.overrideAttrs (
oldAttrs:
let
pname = "powerdns-admin";
version = "0.4.2";
src = prev.fetchFromGitHub {
owner = "PowerDNS-Admin";
repo = "PowerDNS-Admin";
rev = "v${version}";
hash = "sha256-q9mt8wjSNFb452Xsg+qhNOWa03KJkYVGAeCWVSzZCyk=";
};
python = prev.python3;
pythonDeps = with python.pkgs; [
distutils
flask
flask-assets
flask-login
flask-sqlalchemy
flask-migrate
flask-seasurf
flask-mail
flask-session
flask-session-captcha
flask-sslify
mysqlclient
psycopg2
sqlalchemy
certifi
cffi
configobj
cryptography
bcrypt
requests
python-ldap
pyotp
qrcode
dnspython
gunicorn
itsdangerous
python3-saml
pytz
rcssmin
rjsmin
authlib
bravado-core
lima
lxml
passlib
pyasn1
pytimeparse
pyyaml
jinja2
itsdangerous
webcolors
werkzeug
zipp
zxcvbn
standard-imghdr # Add extra dep
];
all_patches = [
(prev.pkgs.fetchpatch {
url = "https://raw.githubusercontent.com/NixOS/nixpkgs/refs/heads/nixos-unstable/pkgs/by-name/po/powerdns-admin/0001-Fix-flask-2.3-issue.patch";
sha256 = "sha256-EcyHbS9NJorEG0/7JlWdbaHFFZrq9Dy9F0IMxDKLMzw=";
})
];
assets = prev.stdenv.mkDerivation {
pname = "${pname}-assets";
inherit version src;
offlineCache = prev.fetchYarnDeps {
yarnLock = "${src}/yarn.lock";
hash = "sha256-rXIts+dgOuZQGyiSke1NIG7b4lFlR/Gfu3J6T3wP3aY=";
};
nativeBuildInputs = [
prev.yarnConfigHook
]
++ pythonDeps;
patches = all_patches ++ [
(prev.pkgs.fetchpatch {
url = "https://raw.githubusercontent.com/NixOS/nixpkgs/refs/heads/nixos-unstable/pkgs/by-name/po/powerdns-admin/0002-Remove-cssrewrite-filter.patch";
sha256 = "sha256-/5oRyD6T7PtofG1U26wiSigDVj2F+U6VLDMO5YH926o=";
})
];
buildPhase = ''
SESSION_TYPE=filesystem FLASK_APP=./powerdnsadmin/__init__.py flask assets build
'';
installPhase = ''
# https://github.com/PowerDNS-Admin/PowerDNS-Admin/blob/54b257768f600c5548a1c7e50eac49c40df49f92/docker/Dockerfile#L43
mkdir $out
cp -r powerdnsadmin/static/{generated,assets,img} $out
find powerdnsadmin/static/node_modules -name webfonts -exec cp -r {} $out \; -printf "Copying %P\n"
find powerdnsadmin/static/node_modules -name fonts -exec cp -r {} $out \; -printf "Copying %P\n"
find powerdnsadmin/static/node_modules/icheck/skins/square -name '*.png' -exec cp {} $out/generated \;
'';
};
assetsPy = prev.writeText "assets.py" ''
from flask_assets import Environment
assets = Environment()
assets.register('js_login', 'generated/login.js')
assets.register('js_validation', 'generated/validation.js')
assets.register('css_login', 'generated/login.css')
assets.register('js_main', 'generated/main.js')
assets.register('css_main', 'generated/main.css')
'';
in
{
pythonPath = pythonDeps;
nativeBuildInputs = [ python.pkgs.wrapPython ];
installPhase = ''
runHook preInstall
# Nasty hack: call wrapPythonPrograms to set program_PYTHONPATH (see tribler)
wrapPythonPrograms
mkdir -p $out/share $out/bin
cp -r migrations powerdnsadmin $out/share/
ln -s ${assets} $out/share/powerdnsadmin/static
ln -s ${assetsPy} $out/share/powerdnsadmin/assets.py
echo "$gunicornScript" > $out/bin/powerdns-admin
chmod +x $out/bin/powerdns-admin
wrapProgram $out/bin/powerdns-admin \
--set PATH ${python.pkgs.python}/bin \
--set PYTHONPATH $out/share:$program_PYTHONPATH
runHook postInstall
'';
passthru = {
# PYTHONPATH of all dependencies used by the package
pythonPath = prev.python3.pkgs.makePythonPath pythonDeps;
tests = prev.nixosTests.powerdns-admin;
};
}
);
}

86
system/dev/dn-server/default.nix
View file

@ -1,9 +1,14 @@
{
pkgs,
lib,
inputs,
username,
...
}:
let
inherit (lib) optionalAttrs;
inherit (builtins) toString;
in
{
imports = [
(import ../../modules/nvidia.nix {
@ -18,28 +23,97 @@
./services.nix
./nginx.nix
./step-ca.nix
./mail-server.nix
../../modules/presets/minimal.nix
../../modules/bluetooth.nix
../../modules/gc.nix
../../modules/certbot.nix
../../modules/mail-server
(import ../../modules/prometheus.nix {
fqdn = "metrics.net.dn";
selfMonitor = true;
configureNginx = true;
scrapes = [
(optionalAttrs config.services.pdns-recursor.enable {
job_name = "powerdns_recursor";
static_configs = [
{
targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ];
}
];
})
];
})
(import ../../modules/actual.nix {
fqdn = "actual.net.dn";
})
(import ../../modules/nextcloud.nix {
hostname = "nextcloud.net.dn";
dataBackupPath = "/mnt/backup_dn";
dbBackupPath = "/mnt/backup_dn";
})
(import ../../modules/vaultwarden.nix {
domain = "https://bitwarden.net.dn";
domain = "bitwarden.net.dn";
})
(import ../../modules/openldap.nix { })
../../modules/terraria.nix
(import ../../modules/grafana.nix {
domain = "grafana.net.dn";
passFile = config.sops.secrets."grafana/password".path;
smtpHost = config.mail-server.domain;
smtpDomain = config.mail-server.domain;
extraSettings = {
"auth.generic_oauth" =
let
OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect";
in
{
enabled = true;
allow_sign_up = true;
client_id = "grafana";
client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}'';
scopes = "openid email profile offline_access roles";
email_attribute_path = "email";
login_attribute_path = "username";
name_attribute_path = "full_name";
auth_url = "${OIDCBaseUrl}/auth";
token_url = "${OIDCBaseUrl}/token";
api_url = "${OIDCBaseUrl}/userinfo";
role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
};
};
})
../../modules/postgresql.nix
];
environment.systemPackages = with pkgs; [
ferium
openssl
];
mail-server = {
enable = true;
mailDir = "~/Maildir";
caFile = "" + ../../extra/ca.crt;
virtualMailDir = "/var/mail/vhosts";
domain = "net.dn";
rootAlias = "${settings.personal.username}";
networks = [
"127.0.0.0/8"
"10.0.0.0/24"
];
virtual = ''
admin@net.dn ${settings.personal.username}@net.dn
postmaster@net.dn ${settings.personal.username}@net.dn
'';
openFirewall = true;
oauth = {
passwordFile = config.sops.secrets."oauth/password".path;
};
ldap = {
passwordFile = config.sops.secrets."ldap/password".path;
webEnv = config.sops.secrets."ldap/env".path;
};
rspamd = {
trainerSecret = config.sops.secrets."rspamd-trainer".path;
};
};
home-manager = {
users."${username}" = {
imports = [

64
system/dev/dn-server/mail-server.nix
View file

@ -1,64 +0,0 @@
{
config,
lib,
settings,
...
}:
with builtins;
let
interfaces = config.networking.wireguard.interfaces;
allowedIPs = concatLists [
(concatLists (map (interface: interfaces.${interface}.ips) (attrNames interfaces)))
[
"127.0.0.1"
]
];
fqdn = config.networking.fqdn;
# fqdn = "dn-server.daccc.info";
in
{
networking.firewall.allowedTCPPorts = [
25
587
];
services.postfix = {
enable = true;
hostname = fqdn;
origin = fqdn;
networks = allowedIPs;
destination = [
"localhost"
"localhost.${fqdn}"
fqdn
];
config = {
home_mailbox = "Mailbox";
};
postmasterAlias = "root";
rootAlias = settings.personal.username;
config = {
alias_maps = [ "ldap:${config.sops.secrets."postfix/openldap".path}" ];
};
extraAliases = ''
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
vaultwarden: root
'';
};
programs.msmtp.enable = lib.mkForce false;
}

8
system/dev/dn-server/networking.nix
View file

@ -1,8 +1,12 @@
{ ... }:
{ lib, ... }:
with lib;
{
networking = {
domain = "net.dn";
networkmanager.enable = true;
networkmanager = {
enable = true;
insertNameservers = mkForce [ "127.0.0.1" ];
};
enableIPv6 = true;
firewall = {
enable = true;

162
system/dev/dn-server/nginx.nix
View file

@ -1,139 +1,35 @@
{
config,
pkgs,
...
}:
let
mkProxyHost = (
{
domain,
proxyPass,
ssl ? false,
}:
(
if ssl then
{
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${domain}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${domain}/privkey.pem";
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
}
else
{
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
}
)
// {
locations."/" = {
proxyPass = proxyPass;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${domain}/html";
extraConfig = ''
default_type "text/plain";
'';
};
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
}
);
certScript = pkgs.writeShellScriptBin "genCert" ''
acmeWebRoot="/var/www/$1/html/";
if [ ! -d "$acmeWebRoot" ]; then
mkdir -p "$acmeWebRoot"
fi
REQUESTS_CA_BUNDLE=${../../../system/extra/ca.crt} \
${pkgs.certbot}/bin/certbot certonly --webroot \
--webroot-path $acmeWebRoot -v \
-d "$1" \
--server https://ca.net.dn:8443/acme/acme/directory \
-m admin@mail.net.dn
chown nginx:nginx -R /etc/letsencrypt
'';
vaultwarden = {
domain = "bitwarden.net.dn";
};
in
{
environment.systemPackages = [
certScript
];
security.acme = {
acceptTerms = true;
defaults = {
validMinDays = 2;
server = "https://10.0.0.1:${toString config.services.step-ca.port}/acme/acme/directory";
renewInterval = "daily";
email = "danny@net.dn";
dnsProvider = "pdns";
dnsPropagationCheck = false;
environmentFile = config.sops.secrets."acme/env".path;
};
};
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# Nextcloud - Server
${config.services.nextcloud.hostName} = {
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${config.services.nextcloud.hostName}/html";
extraConfig = ''
default_type "text/plain";
'';
};
"files.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/privkey.pem";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
"files.net.dn" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
root = "/var/www/files";
locations."/" = {
@ -153,10 +49,20 @@ in
'';
};
${vaultwarden.domain} = mkProxyHost {
domain = vaultwarden.domain;
proxyPass = "http://127.0.0.1:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}";
ssl = true;
"webcam.net.dn" = {
enableACME = true;
forceSSL = true;
locations."/ws/" = {
proxyPass = "http://10.0.0.130:8080/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
locations."/".proxyPass = "http://10.0.0.130:8001/phone.html";
};
};
};

40
system/dev/dn-server/secret.yaml
View file

@ -4,18 +4,29 @@ nextcloud:
adminPassword: ENC[AES256_GCM,data:O2rK18+riVrvloqqLsMUXw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:yh1ccDmthARLND0NwpLTCA==,type:str]
step_ca:
password: ENC[AES256_GCM,data:3EWxpk/ktZHJreqnR9ln5pfdPjgigoCC4lyoRWugHas=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:UHZagnLvorZUrPq43YU+Gw==,type:str]
vaultwarden: ENC[AES256_GCM,data:PSKtHBIxw0/z/rmtF83Yg3btHksbVVyWZ80nP0wl4zAHRpFXypvpchZu9/edX7RgREd+9okm21WyjNWRUDoGVTOJYOCFHZCvOUx4KzIL2c/i7jUjXwtvAEmikhL1qlunVrCPhDu0knQ5nvsqpgWyxgcZl52yxuskMSIRAOsMpCRePVwJerWW5tuQ5zteYeOR0GHR8Q0iwBm98YGlCbKvz/37jAjMQVxY5W9DE1Tu1XVyEPBeAVvEwZknFNIZg1ukB+kW9Z/sBwLEVbAGsiBSGjonP6KEsgKmtaIkbBPzpfA3CQ==,iv:X8x3ooFDkFIT2OuHICcP2J1zX8T6xZW8j71ZuaByx6Q=,tag:mfnDFf9riivZ3EBup1l6lw==,type:str]
openldap:
adminPassword: ENC[AES256_GCM,data:dSaynM6RBrhZLOwcN2djaA==,iv:t2xJuRO2irEFgcnNcZS25qCfXiZXHaoqcCZYcR041aY=,tag:K5DiJRp+AumtKafAOR49/w==,type:str]
postfix:
openldap: ENC[AES256_GCM,data:8woTLrSJ5qqZU7jizOIK9VGlaPaBuyhq6FOs6LwiE9WHYJzWCAw3D+449SmCVeEE2t+EZWmfRPaOQBceSeIfUY6WZ5vso1E29CWPq8Tk7AuHT2i/K82EhpapXst61IAgSa/y39MchA7LqwaiTzL3A2CJVM1k5Ay5iHUUDfXvLbUsVmn1NlNfOv2QPPd5g+2yR2oGGx5HTbTPQNfoiU77KtvtFmlrubAs413I3DGdhM4uiOS+FI9WgZ4Ia22BucaOLHp2odfWnEMbP+ZIyJFdu3CBcs1lbTnLLVI=,iv:RvPm2+WsTIPFWLlYzv/OyKKDy/fWhtEfut98mBoM/1A=,tag:wkkWK88D0jKfaudN+KpN0Q==,type:str]
dovecot:
openldap: ENC[AES256_GCM,data:G7jdoSqL2SYDv2alh7q65BaA8Ap898azUPf2KKWd5wbr9pRVsRhFxQxHdZDuTOHDhWcfaa+eqMgc5k9gGLBYIO9EWVyEZ01/QfG4GIHSDjubzZxCElwhJrtsFn1A+Ihv7T1IIGKBCdmQGhUwfBMtwYlIuj8PYZaty4+c/dxIOCfDr5HyM1C6qQ4RCJTDEh6B+Hpx8NlFO0+fRFC9+9tQYX0rjI7JZRSfbg7F23nEdkBATr/xlwQXj8dvXYMLZhUKaswFnRs5TrG97AVQ9t3rMguRHutCAqEROhml2lJvV3Vxb/yMmTrom8qSrbkuw00YfdlDCmUo5/E4Vu9DYL0kv0EnASyQ4vQbmVXz0clYEzEXBLWZIEu4QHGJ7jQWgsKFv+WSTvuunVQyNuij3SFWZLR/zdfJELxU,iv:bsGMMdDo1Mj4GxRbWuRmbH/WrLt25jK3we8JDYQRsLw=,tag:EugvDijjQnYcms70nZq5FQ==,type:str]
vaultwarden: ENC[AES256_GCM,data:TDKzc3xPGUiopJ6aXV5a9k8mFN/4NQpfp69vWqQRjpAzWnIM290s4FTnsxJAX0NFfjiuQODhhxTuSmFOXR3+Ti9djSrqJ/ZjrVAMvV4NlpBg6klrCgcDtIfbZ0GqZjdoQYHcCz7V33fQGyTmqehjuVxdlatuLGoekSnuGbfBwY8FQgB+JECy8Y16r+ejplopw60+d43rvYXX4g8v0r4Gey567HVVB/zVizNDocentMaf99UiO/GBSOgbuKlU7+TfC0xhVcekEfZusZd7+LHZshfAjg==,iv:JcExp8YkGwV2nMbCK+n0KSL3+SryJZ0iKtVcU/Q+Cgs=,tag:dnDNa5faICuPUWy4nT49rg==,type:str]
ldap:
password: ENC[AES256_GCM,data:pqPj3Ar6xBLhHl4Q363sHw==,iv:bX7N9/oNMhtE/KbPah2ge4s87P2VsxHGoFkOyl83dxs=,tag:OaYsvds1tiw/x19UTAyizw==,type:str]
env: ENC[AES256_GCM,data:LwrcgbeJf4Sb0Bx+OZ/qCf811bDpDcloltUZIzpQYz0zc1gnRExFxLStLDYeq3vv6DEjgfRdoB61Y1fb,iv:1jK/J2qfKODrbrNpSHl110jPvbNLl0zI//laowerJOc=,tag:TWa//iCY+SuAgp/PSfPkEg==,type:str]
oauth:
password: ENC[AES256_GCM,data:0iW80Iz4whkuyl8qvHN96Q==,iv:BI1n7Jjklye6WM2ss7jpaGgokrJpAG2Ipil7VrY30XM=,tag:zu//brQdDL7mZEkPOKUqPw==,type:str]
powerdns-admin:
secret: ENC[AES256_GCM,data:PH5KE++Oo13xo/DcnI9U6+Ht9oIi4T3n5L7c09eDxf6zZesbg4lFLsq0/hrVFiElErXpC5W2k7NOjqGA385UPQ==,iv:xaSgzhqMU9+ud1xfXLVkg3v2xcmIo35BOhml5VfHKBI=,tag:blQXoyYWzfiF5RGO7ynz9g==,type:str]
salt: ENC[AES256_GCM,data:GITNFfimGPdPzOi2XD0ri2GMax30i+RwzNQrKL8nCOE=,iv:/lRVfNOpERS963+9JNf8wATIY9FcicT8xQ9Cbw2by/s=,tag:6193YZCQABce52qX6ISvzQ==,type:str]
powerdns: ENC[AES256_GCM,data:humQiv+ilGAjU0qMsv0zoKlI20PKxA0VS75ivjkPb/bfzkbvEtH+3u/T8r4OogIhOJtl50+iRZl1imcrXf7drH0A69zUIhBS0xCagmj7,iv:orfh5F4uCYq2IplG0Y7Q/RcSqIm5Xyzn3ejzPsm+/0k=,tag:XeSBbIyYmWSWlyu2gypDzQ==,type:str]
rspamd-trainer: ENC[AES256_GCM,data:XTKk0cBe+qIeTsTxlhPTPEbZS0cCoWH+,iv:M/xk7LywcRiKQM9LrnTnCKu3OS/YBf23CRkxh4ll1+c=,tag:LZUEvgTC1GPxS7iD9jVy/w==,type:str]
acme:
env: ENC[AES256_GCM,data:TWCrj3ZaUHfegDuJJtHQgt516auYu/3qpe35lfha6c3RLHABXtRArD8P6RPZE3HVdpFM0mvxkyme5MW8IMv2yhN9JPz5HLWZv0rjzkbhVyWem0X47c49jF20SnoMZ4yo+X4PZZ9GJKR4fu+0YrQkQXPJB773Yj2scQKx3Glh+iJoRLR8zLcM6JqbaJ4xHH+du6bs1PNyviB5NrGKnxYqzuVmBVLk,iv:ftoFg7i5KyYzdYaYCA8IPBsjHO1Ne/k361XPZ7HYqLo=,tag:v+X6fx/1dU0yoa0bHBLkDw==,type:str]
postsrsd:
secret: ENC[AES256_GCM,data:9BZPa+A/vE4PLapUdaZIQ7QJ3W0x6DrFTnTPrFUJPc2LC9q2RO2gHXIV2bc=,iv:ydGnCESCLbwyGKc+5witXDkT3OgW27LKen7PkqUL6mU=,tag:XxAJripX3eNM4jGFoZZ1+g==,type:str]
grafana:
password: ENC[AES256_GCM,data:3g7PymgXA27VxsLJA7U=,iv:09F8yEGw4j1Jd0HXDQyHbFxsr3Vg23mvWF5eZkU2KU8=,tag:y9AwmYwQjE1JB56sI8r8mA==,type:str]
client_secret: ENC[AES256_GCM,data:znYMvBZH6eFeUZ7Mit0JEhm8hH97M+TKmCcesC/IS9Y=,iv:qywQIHIpgaS2pUcW1Uau//JU6UdMY52EVYCjhmnWJt4=,tag:Xo1h7ODXOkAnETfSYo4rfw==,type:str]
prometheus:
powerdns:
password: ENC[AES256_GCM,data:pvb/aAvB/F1r0PW4mGJKQEExP88PapnViYpniOedJSf5e89/LwSeqYMd4x36zcGSlCV6myC+Xl/H+QBCw0ezcw==,iv:UI7UuJYJizYCO0ReC4SEPgmdPJNUnNuxgvkrhB1o/EQ=,tag:nUjTP7IQNx1ei8COQCTj+g==,type:str]
nginxAuth: ENC[AES256_GCM,data:rYwuXHboAe3rf5e3kcJliKKXZ/Kcg60vnPGP+wukpaDdN8yJ00kk9cCNCjcvIyINEtL7TpEDjBX9oRsZT/E/FfWI6s133tDY,iv:Z/IiEi6oZm1Hv3m8c522GK6eYFf0syFn3A0o4S58DUI=,tag:y4n0Fm+l0OgGVHG+yttHfg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
enc: |
@ -26,8 +37,7 @@ sops:
Qm0wbmNGZDZwZlNTOVl0WVh5RXNxK2cK1Fwbgl5kKAFyrIIhBP+X4ZKFS4Xl39QY
11qkglNgro/JBFJ/W7Hj5wtEd8QToiJM1RW0lQaI25sneQ2v6L5pDA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-04T13:11:13Z"
mac: ENC[AES256_GCM,data:+V5vP4XbeXQP49gyisV4uQJjUybtK792DaFEWBHzLlKn2HiRj+qqSVR5XQrQMQQ5mKMhzsZXGq7QjjXtzKqgLCz5snItU63HzxQ6OxarNeg5pctk7i8ueNST4JpMxZODKGJncz2Ysq8OGrjZ6Nf4QVjO0XhFxZP6MbZxZL7wbuY=,iv:7jKt3uAY/ks8m/uzpos6XvldkpQjkgCHcLn+oRiY3mk=,tag:d6V+waMu4m2wi/H/J3bMXg==,type:str]
pgp: []
lastmodified: "2025-08-01T03:07:16Z"
mac: ENC[AES256_GCM,data:VNmb5eOR2fEyBKD/MuHwC7IdN+SM2ybf/qtkvos3pakYFMCQcSQlJSCiassuZUxkEBl/rpMJ5NcObvuOJDAZZ/B7IAVTMJ8DkQy9cdIMLCRASNxd4EeWdZx517As8OslVdXKpPv15+i7buzj3X/QAPTVy2UUtyjWO2eqZ8ute0A=,iv:PpZmtmKsRKguFFkH2aqbLt54Ox7tOQwq1qtoQVN47Cs=,tag:kQ5kG6BODCqxuNl58EMvmQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.10.2

281
system/dev/dn-server/services.nix
View file

@ -1,6 +1,5 @@
{
config,
pkgs,
lib,
username,
...
@ -13,58 +12,6 @@ let
sshPorts = [ 30072 ];
sshPortsString = builtins.concatStringsSep ", " (builtins.map (p: builtins.toString p) sshPorts);
getCleanAddress =
ip:
with builtins;
let
result = replaceStrings [ "/24" "/32" ] [ "" "" ] ip;
in
result;
getReverseFilename =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = take 3 (splitString "." (getCleanAddress ip));
reversedFilename = "db." + (concatStringsSep "." (reverseList octets));
in
reversedFilename;
getSubAddress =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = reverseList (splitString "." (getCleanAddress ip));
sub = head octets;
in
sub;
reverseIP =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = splitString "." (getCleanAddress ip);
reversedIP = (concatStringsSep "." (reverseList octets)) + ".in-addr.arpa";
in
reversedIP;
reverseZone =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = take 3 (splitString "." (getCleanAddress ip));
reversedZone = (concatStringsSep "." (reverseList octets)) + ".in-addr.arpa";
in
reversedZone;
personal = {
ip = "10.0.0.1/24";
interface = "wg0";
@ -131,8 +78,8 @@ let
}
{
# ken
dns = "ken";
publicKey = "iWjBGArok96mFzFHXYjTxwyRHGQ4U0V77txoi6WS2QU=";
dns = "phone.ken";
publicKey = "knRpD7qb2JejioJBP5HZgWCrDEOWUq27+ueWPYwnWws=";
allowedIPs = [ "10.0.0.134/32" ];
}
{
@ -187,39 +134,12 @@ let
allowedIPs = [ "10.0.0.144/32" ];
}
{
dns = "rasp";
publicKey = "z+2d+4FhSClGlSiAtaGnTgU6utxElfdRqiwPpCJFRn8=";
# ken
dns = "pc.ken";
publicKey = "ERLMpSbSIYRN5HoKmvsk2852/aAvzjvMV7tOs0oupxI=";
allowedIPs = [ "10.0.0.145/32" ];
}
];
dnsRecords =
with builtins;
concatStringsSep "\n" (
map (
r:
let
ip = getCleanAddress (elemAt r.allowedIPs 0);
in
''
${r.dns} IN A ${ip}
''
) (fullRoute ++ meshRoute)
);
dnsReversedRecords =
with builtins;
concatStringsSep "\n" (
map (
r:
let
reversed = getSubAddress (getCleanAddress (elemAt r.allowedIPs 0));
in
''
${reversed} IN PTR ${r.dns}.${personal.domain}.
''
) (fullRoute ++ meshRoute)
);
in
{
networking = {
@ -334,6 +254,27 @@ in
extraHosts = "${kube.masterIP} ${kube.masterHostname}";
};
services.postgresql = {
enable = lib.mkDefault true;
authentication = ''
host powerdnsadmin powerdnsadmin 127.0.0.1/32 trust
'';
ensureUsers = [
{
name = "powerdnsadmin";
ensureDBOwnership = true;
}
{
name = "pdns";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"powerdnsadmin"
"pdns"
];
};
services = {
dbus.enable = true;
blueman.enable = true;
@ -348,97 +289,58 @@ in
};
};
bind = {
powerdns = {
enable = true;
forwarders = [
"8.8.8.8"
"8.8.4.4"
];
cacheNetworks = [
"127.0.0.0/24"
"::1/128"
personal.range
kube.range
];
zones = {
"${personal.domain}" = {
master = true;
allowQuery = [
"127.0.0.0/24"
"::1/128"
personal.range
kube.range
];
file =
let
serverIP = getCleanAddress personal.ip;
kubeIP = getCleanAddress kube.ip;
origin = "${personal.domain}.";
hostname = config.networking.hostName;
in
pkgs.writeText "db.${personal.domain}" ''
$ORIGIN ${origin}
$TTL 1h
@ IN SOA dns.${origin} admin.dns.${origin} (
1 ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h) ; Negative Cache TTL
IN NS dns.${origin}
@ IN A ${serverIP}
IN AAAA fe80::3319:e2bb:fc15:c9df
@ IN MX 10 mail.${origin}
IN TXT "v=spf1 mx"
dns IN A ${serverIP}
files IN A ${serverIP}
nextcloud IN A ${serverIP}
bitwarden IN A ${serverIP}
ca IN A ${serverIP}
${hostname} IN A ${serverIP}
mail IN A ${serverIP}
api-kube IN A ${kubeIP}
vmail IN A 10.0.0.130
${dnsRecords}
'';
};
extraConfig = ''
launch=gpgsql
webserver-password=$WEB_PASSWORD
api=yes
api-key=$WEB_PASSWORD
gpgsql-host=/var/run/postgresql
gpgsql-dbname=pdns
gpgsql-user=pdns
webserver=yes
webserver-port=8081
local-port=5359
'';
secretFile = config.sops.secrets.powerdns.path;
};
"${reverseZone personal.ip}" = {
master = true;
allowQuery = [
"127.0.0.0/24"
"::1/128"
personal.range
kube.range
];
file =
let
serverIP = getSubAddress personal.ip;
hostname = config.networking.hostName;
in
pkgs.writeText "${getReverseFilename personal.ip}" ''
$TTL 86400
@ IN SOA dns.${personal.domain}. admin.dns.${personal.domain}. (
1 ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h) ; Negative Cache TTL
IN NS dns.${personal.domain}.
${serverIP} IN PTR dns.${personal.domain}.
${serverIP} IN PTR mail.${personal.domain}.
${serverIP} IN PTR ${hostname}.${personal.domain}.
${serverIP} IN PTR nextcloud.${personal.domain}.
${serverIP} IN PTR files.${personal.domain}.
${serverIP} IN PTR bitwarden.${personal.domain}.
${serverIP} IN PTR ca.${personal.domain}.
130 IN PTR vmail.${personal.domain}.
${dnsReversedRecords}
'';
};
pdns-recursor = {
enable = true;
forwardZones = {
"${config.networking.domain}." = "127.0.0.1:5359";
};
forwardZonesRecurse = {
"." = "8.8.8.8";
};
dnssecValidation = "off";
dns.allowFrom = [
"127.0.0.0/8"
"10.0.0.0/24"
"192.168.100.0/24"
"::1/128"
"fc00::/7"
"fe80::/10"
];
yaml-settings = {
webservice.webserver = true;
};
};
powerdns-admin = {
enable = true;
secretKeyFile = config.sops.secrets."powerdns-admin/secret".path;
saltFile = config.sops.secrets."powerdns-admin/salt".path;
config =
# python
''
import cachelib
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'
'';
};
xserver = {
@ -459,6 +361,39 @@ in
];
};
virtualisation = {
oci-containers = {
backend = "docker";
containers = {
uptime-kuma = {
extraOptions = [ "--network=host" ];
image = "louislam/uptime-kuma:1";
volumes = [
"/var/lib/uptime-kuma:/app/data"
"${config.security.pki.caBundle}:/etc/ca.crt:ro"
];
environment = {
NODE_EXTRA_CA_CERTS = "/etc/ca.crt";
};
};
};
};
};
services.nginx.virtualHosts = {
"powerdns.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:8000";
};
"uptime.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:3001";
};
};
nix.settings.trusted-users = [
username
];

59
system/dev/dn-server/sops-conf.nix
View file

@ -1,4 +1,7 @@
{ config, ... }:
{ config, lib, ... }:
let
inherit (lib) mkIf;
in
{
sops = {
secrets = {
@ -6,10 +9,56 @@
"nextcloud/adminPassword" = { };
"step_ca/password" = { };
vaultwarden = { };
"postfix/openldap" = { };
"openldap/adminPassword" = {
owner = config.users.users.openldap.name;
group = config.users.users.openldap.group;
"oauth/password" = { };
"ldap/password" = lib.mkIf config.mail-server.enable {
mode = "0660";
owner = config.services.openldap.user;
group = config.services.openldap.group;
};
"ldap/env" = lib.mkIf config.mail-server.enable {
mode = "0660";
group = config.users.groups.docker.name;
};
"powerdns-admin/secret" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
"powerdns-admin/salt" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
powerdns = {
mode = "0660";
owner = "pdns";
group = "pdns";
};
rspamd-trainer = { };
"acme/env" = mkIf config.security.acme.acceptTerms {
mode = "0660";
owner = "acme";
group = "acme";
};
"postsrsd/secret" = mkIf config.services.postsrsd.enable {
mode = "0660";
owner = config.services.postsrsd.user;
group = config.services.postsrsd.group;
};
"grafana/password" = mkIf config.services.grafana.enable {
mode = "0660";
owner = "grafana";
group = "grafana";
};
"grafana/client_secret" = mkIf config.services.grafana.enable {
mode = "0660";
owner = "grafana";
group = "grafana";
};
"prometheus/powerdns/password" = mkIf config.services.prometheus.enable {
mode = "0660";
owner = "prometheus";
group = config.users.users.prometheus.group;
};
};
};

7
system/dev/dn-server/step-ca.nix
View file

@ -32,12 +32,14 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI";
y = "y5OFjciRMVg8ePaEsjSPWbKp_NjQ6U4CtbplRx7z3Bw";
};
name = "danny@smallstep.net.dn";
name = "danny@net.dn";
type = "JWK";
}
{
claims = {
maxTLSCertDuration = "8760h";
minTLSCertDuration = "32h";
maxTLSCertDuration = "72h";
defaultTLSCertDuration = "72h";
};
name = "acme";
options = {
@ -73,7 +75,6 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
minVersion = 1.2;
renegotiation = false;
};
};
port = 8443;
openFirewall = true;

12
system/extra/ca.crt
View file

@ -1,4 +1,16 @@
-----BEGIN CERTIFICATE-----
MIIB0TCCAXegAwIBAgIRAINOgtMhBOgnEO8vDGPMgJwwCgYIKoZIzj0EAwIwMjET
MBEGA1UEChMKc3RlcC1jYS1kbjEbMBkGA1UEAxMSc3RlcC1jYS1kbiBSb290IENB
MB4XDTI1MDQxODE0NTY1NloXDTM1MDQxNjE0NTY1NlowOjETMBEGA1UEChMKc3Rl
cC1jYS1kbjEjMCEGA1UEAxMac3RlcC1jYS1kbiBJbnRlcm1lZGlhdGUgQ0EwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6KmC7bEeVgjTCYXfzlizToJyc++SFFfWO
F7VJ+wpsaIa/Rg6/M8K2HeZCUDRz6inzBoE9tXtZhwMSGvPUJemmo2YwZDAOBgNV
HQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUvbzEHd3+
ibxSROeCMteBg5JHcM0wHwYDVR0jBBgwFoAU2Cr1FiPu24tU5Asobi0Zt3R9HvUw
CgYIKoZIzj0EAwIDSAAwRQIgaMQwCoSw+dDYyQrODv6CQbyN83bSn/zsARhtzovQ
ZmQCIQC318dCE9AgP+vBFQrVnalkev9JusznTW9nT1iCof3+5g==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBqDCCAU2gAwIBAgIQBnU3DLmknEy9zgvkjtIhEjAKBggqhkjOPQQDAjAyMRMw
EQYDVQQKEwpzdGVwLWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0Ew
HhcNMjUwNDE4MTQ1NjU1WhcNMzUwNDE2MTQ1NjU1WjAyMRMwEQYDVQQKEwpzdGVw

36
system/modules/actual.nix Normal file
View file

@ -0,0 +1,36 @@
{
fqdn ? null,
}:
{ config, ... }:
let
inherit (builtins) toString;
finalFqdn = if fqdn != null then fqdn else config.networking.fqdn;
in
{
services.actual = {
enable = true;
settings = {
port = 31000;
hostname = "127.0.0.1";
serverFiles = "/var/lib/actual/server-files";
userFiles = "/var/lib/actual/user-files";
loginMethod = "openid";
};
};
services.actual-budget-api = {
enable = true;
listenPort = 31001;
listenHost = "127.0.0.1";
serverURL = "https://${finalFqdn}";
};
services.nginx.virtualHosts."${finalFqdn}" = {
enableACME = true;
forceSSL = true;
locations."/api/".proxyPass =
"http://localhost:${toString config.services.actual-budget-api.listenPort}/";
locations."/".proxyPass = "http://localhost:${toString config.services.actual.settings.port}";
};
}

52
system/modules/certbot.nix
View file

@ -1,52 +0,0 @@
{
pkgs,
lib,
config,
...
}:
{
systemd.timers."certbot-renew" = {
enable = true;
description = "certbot renew";
timerConfig = {
Persistent = true;
OnCalendar = "*-*-* 16:30:00";
Unit = "certbot-renew.service";
};
wantedBy = [ "timers.target" ];
};
systemd.timers."certbot-nginx-reload" = lib.mkIf config.services.nginx.enable {
enable = true;
description = "certbot renew";
timerConfig = {
Persistent = true;
OnCalendar = "*-*-* 16:32:00";
Unit = "nginx-config-reload.service";
};
wantedBy = [ "timers.target" ];
};
systemd.services."certbot-renew" = {
enable = true;
after = (if config.services.nginx.enable then [ "nginx.service" ] else [ ]) ++ [
"network.target"
];
environment = {
"REQUESTS_CA_BUNDLE" = ../extra/ca.crt;
};
serviceConfig = {
ExecStart = ''${pkgs.certbot}/bin/certbot renew --no-random-sleep-on-renew --force-renewal'';
ExecStartPost = lib.mkIf config.services.nginx.enable "${pkgs.busybox}/bin/chown nginx:nginx -R /etc/letsencrypt";
};
};
systemd.services."nginx-config-reload" = lib.mkIf config.services.nginx.enable {
after = [ "certbot-renew.service" ];
wantedBy = [ "certbot-renew.service" ];
serviceConfig = {
User = "root";
ExecStartPre = "${pkgs.busybox}/bin/chown -R nginx:nginx /etc/letsencrypt/";
};
};
}

100
system/modules/dns-server/default.nix Normal file
View file

@ -0,0 +1,100 @@
{
config,
lib,
...
}:
let
cfg = config.dns-server;
in
with lib;
{
options.dns-server = {
enable = mkEnableOption "PowerDNS server and PowerDNS Recursor";
openFirewall = mkOption {
type = types.bool;
default = true;
description = ''
Open 53 port in firewall
'';
};
webAdmin = {
enable = mkEnableOption "Enable PowerDNS Admin";
saltFile = mkOption {
type = types.path;
description = ''
Slat value for serialization, can be generated with `openssl rand -hex 16`
'';
};
apiSecretFile = mkOption {
type = types.path;
description = ''
The file content should be
```
YOUR_PASSWORD
```
'';
};
};
};
config = mkIf cfg.enable {
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
services = {
powerdns = {
enable = true;
extraConfig = ''
launch=gpgsql
webserver-password=$WEB_PASSWORD
api=yes
api-key=$WEB_PASSWORD
gpgsql-host=/var/run/postgresql
gpgsql-dbname=pdns
gpgsql-user=pdns
webserver=yes
local-port=5359
'';
secretFile = config.sops.secrets.powerdns.path;
};
pdns-recursor = {
enable = true;
forwardZones = {
"net.dn" = "127.0.0.1:5359";
};
forwardZonesRecurse = {
"" = "8.8.8.8;8.8.4.4";
};
dnssecValidation = "off";
dns.allowFrom = [
"127.0.0.0/8"
"10.0.0.0/24"
"192.168.100.0/24"
"::1/128"
"fc00::/7"
"fe80::/10"
];
};
powerdns-admin = {
enable = true;
secretKeyFile = config.sops.secrets."powerdns-admin/secret".path;
saltFile = config.sops.secrets."powerdns-admin/salt".path;
config =
# python
''
import cachelib
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'
'';
};
};
};
}

50
system/modules/grafana.nix Normal file
View file

@ -0,0 +1,50 @@
{
passFile,
smtpHost,
smtpDomain,
domain,
extraSettings ? { },
}:
{ config, ... }:
let
email = "grafana@${smtpDomain}";
in
{
services.grafana = {
enable = true;
settings = (
{
server = {
http_addr = "127.0.0.1";
http_port = 31003;
root_url = "https://${domain}";
domain = domain;
};
smtp = {
enabled = true;
user = "grafana";
password = "$__file{${passFile}}";
host = smtpHost;
from_address = email;
cert_file = config.security.pki.caBundle;
};
security = {
admin_email = email;
admin_password = "$__file{${passFile}}";
};
}
// extraSettings
);
};
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
}

322
system/modules/mail-server.nix
View file

@ -1,322 +0,0 @@
{
fqdn ? null,
origin ? null,
destination ? null,
networks ? null,
rootAlias ? "root",
extraAliases ? "",
enableOpenldap ? true,
dovecotLdapSecretFile,
openldapAdmPassPath,
sslKeyPath,
sslCertPath,
}:
{
config,
lib,
pkgs,
...
}:
let
postfixFqdn = if fqdn != null then fqdn else config.networking.fqdn;
postfixOrigin = if origin != null then origin else postfixFqdn;
postfixDest =
if destination != null then
destination
else
[
"localhost"
"localhost.${postfixFqdn}"
];
postfixNet =
if networks != null then
networks
else
[
"127.0.0.0/8"
"[::1]/128"
];
postfixMailDir = "~/Maildir";
mailLocationPrefix = "/var/mail/vhosts";
mailLocation = "${mailLocationPrefix}/%d/%n/";
dcList = lib.strings.splitString "." postfixFqdn;
domain = lib.strings.concatStringsSep "," (lib.lists.forEach dcList (x: "dc=" + x));
dovecotSecretPath = "/run/dovecot2-secret";
ldapSecretConf = "${dovecotSecretPath}/dovecot-ldap.conf.ext";
ldapDefaultConf = pkgs.writeText "dovecot-ldap.conf.ext" ''
ldap_version = 3
auth_bind_userdn = uid=%u,ou=mail,${domain}
auth_bind = yes
hosts = ${postfixFqdn}
dn = cn=admin,${domain}
base = ou=mail,${domain}
pass_filter = (&(objectClass=inetorgperson)(uid=%u))
user_filter = (&(objectClass=inetorgperson)(uid=%u))
'';
mailUser = "vmail";
in
with builtins;
{
environment.sessionVariables = {
MAILDIR = postfixMailDir;
};
networking.firewall.allowedTCPPorts = [
25 # SMTP
465 # SMTPS
587 # STARTTLS
80
143 # IMAP STARTTLS
993 # IMAPS
110 # POP3 STARTTLS
995 # POP3S
];
users.groups.${mailUser} = {
gid = 5000;
};
users.users.${mailUser} = {
isSystemUser = true;
uid = 5000;
group = mailUser;
};
services.postfix = {
inherit rootAlias;
enable = lib.mkDefault true;
hostname = postfixFqdn;
origin = postfixOrigin;
destination = postfixDest;
networks = postfixNet;
sslKey = sslKeyPath;
sslCert = sslCertPath;
config = {
virtual_uid_maps = [
"static:${toString config.users.users.vmail.uid}"
];
virtual_gid_maps = [
"static:${toString config.users.groups.vmail.gid}"
];
virtual_mailbox_domains = [ postfixFqdn ];
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
tls_preempt_cipherlist = "yes";
smtpd_use_tls = "yes";
smtpd_tls_security_level = "may";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/auth";
smtpd_sasl_auth_enable = "yes";
smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
home_mailbox = postfixMailDir;
};
postmasterAlias = "root";
extraAliases = ''
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
''
+ extraAliases;
};
services.dovecot2 = {
enable = lib.mkDefault true;
enableImap = true;
enablePop3 = true;
enableLmtp = true;
mailLocation = lib.mkDefault "maildir:${mailLocation}";
mailUser = mailUser;
mailGroup = mailUser;
sslServerKey = sslKeyPath;
sslServerCert = sslCertPath;
sslCACert = config.security.pki.caBundle;
extraConfig = ''
log_path = /var/log/dovecot.log
auth_debug = yes
mail_debug = yes
auth_mechanisms = plain login
ssl = yes
ssl_dh_parameters_length = 2048
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes
service auth {
unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
}
}
service lmtp {
unix_listener ${config.services.postfix.config.queue_directory}/private/dovecot-lmtp {
mode = 0600
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
}
}
passdb ldap {
driver = ldap
args = ${ldapSecretConf}
}
userdb {
driver = static
args = uid=${mailUser} gid=${mailUser} home=${mailLocation}
}
lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes
'';
};
systemd.services.dovecot2 = {
serviceConfig = {
RuntimeDirectory = [ "dovecot2-secret" ];
RuntimeDirectoryMode = "0640";
ExecStartPre = [
''${pkgs.busybox.out}/bin/mkdir -p ${mailLocationPrefix}''
''${pkgs.busybox.out}/bin/chown -R ${mailUser}:${mailUser} ${mailLocationPrefix}''
''${pkgs.busybox.out}/bin/chmod 770 ${mailLocationPrefix}''
''${pkgs.busybox.out}/bin/sh -c "${pkgs.busybox.out}/bin/cat ${ldapDefaultConf} ${dovecotLdapSecretFile} > ${ldapSecretConf}"''
];
};
};
services.openldap = lib.mkIf enableOpenldap {
enable = true;
urlList = [ "ldap:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "${domain}";
olcRootDN = "cn=admin,${domain}";
olcRootPW.path = openldapAdmPassPath;
olcAccess = [
''
{0}to attrs=userPassword
by dn="cn=admin,${domain}" read
by self write
by anonymous auth
by * none
''
''
{1}to *
by * read
''
];
};
};
};
};
environment.etc."openldap/base.ldif" = {
mode = "0770";
user = config.services.openldap.user;
group = config.services.openldap.group;
text = ''
dn: ${domain}
objectClass: top
objectClass: domain
dc: ${elemAt dcList 0}
'';
};
systemd.services.openldap-init-base = {
wantedBy = [ "openldap.service" ];
requires = [ "openldap.service" ];
after = [ "openldap.service" ];
serviceConfig = {
User = config.services.openldap.user;
Group = config.services.openldap.group;
Type = "oneshot";
ExecStart =
let
dcScript = pkgs.writeShellScriptBin "openldap-init" ''
BASE_DN="${domain}"
LDIF_FILE="/etc/openldap/base.ldif"
ADMIN_DN="cn=admin,${domain}"
${pkgs.openldap}/bin/ldapsearch -x -b "$BASE_DN" -s base "(objectclass=*)" > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "Base DN $BASE_DN not exist, import $LDIF_FILE"
${pkgs.openldap}/bin/ldapadd -x -D "$ADMIN_DN" -y ${openldapAdmPassPath} -W -f "$LDIF_FILE"
else
echo "Base DN $BASE_DN exists, skip"
fi
'';
in
"${dcScript}/bin/openldap-init";
};
};
virtualisation = {
docker = {
enable = lib.mkDefault true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
oci-containers = {
backend = "docker";
containers = {
lam = {
image = "ghcr.io/ldapaccountmanager/lam:9.2";
extraOptions = [ "--network=host" ];
autoStart = true;
environment = {
LDAP_DOMAIN = postfixFqdn;
LDAP_SERVER = "ldap://${postfixFqdn}";
LDAP_USERS_DN = "ou=mail,${domain}";
};
};
};
};
};
}

81
system/modules/mail-server/default.nix
View file

@ -7,6 +7,13 @@ with lib;
{
options.mail-server = {
enable = mkEnableOption "mail-server";
caFile = mkOption {
type = types.path;
default = config.security.pki.caBundle;
description = ''
Extra CA certification to trust;
'';
};
openFirewall = mkOption {
type = types.bool;
@ -26,6 +33,23 @@ with lib;
'';
};
rootAlias = mkOption {
type = with types; uniq str;
default = "";
description = "Root alias";
example = ''
<your username>
'';
};
virtual = mkOption {
type = lib.types.lines;
default = "";
description = ''
Entries for the virtual alias map, cf. man-page {manpage}`virtual(5)`.
'';
};
extraAliases = mkOption {
type = with types; str;
default = "";
@ -86,37 +110,44 @@ with lib;
description = "Postfix networks";
};
sslKey = mkOption {
type = with types; path;
description = "Path to the SSL key";
example = "/etc/ssl/private/key.pem";
};
sslCert = mkOption {
type = with types; path;
description = "Path to the SSL Certification";
example = "/etc/ssl/private/cert.pem";
};
dovecot = {
ldapFile = mkOption {
type = with types; path;
description = "Path to the dovecot openldap config file";
example = "/run/secrets/dovecot/ldap";
oauth = {
username = mkOption {
type = with types; uniq str;
default = "keycloak";
description = "Keycloak username";
};
};
openldap = {
passwordFile = mkOption {
type = with types; path;
description = "Path to the openldap admin password file";
example = "/run/secrets/openldap/passwd";
description = "Path to the keycloak password file";
example = "/run/secrets/keycloak/password";
};
};
ldap = {
passwordFile = mkOption {
type = with types; path;
description = "Path to the openldap password file";
example = "/run/secrets/ldap/password";
};
enableWebUI = mkOption {
type = types.bool;
default = false;
description = "Use docker to run Ldap Account Manager for using web ui.";
webEnv = mkOption {
type = with types; path;
description = "Path to phpLDAPadmin env file";
example = "/run/secrets/ldap/env";
};
};
rspamd = {
trainerSecret = mkOption {
type = with types; path;
description = "Path to rspamd trainer secret";
example = "/run/secrets/rspamd-trainer/secret";
};
port = mkOption {
type = with types; int;
default = 11334;
description = "Port for rspamd webUI";
};
};
};

749
system/modules/mail-server/server.nix
View file

@ -4,155 +4,452 @@
pkgs,
...
}:
with lib;
let
cfg = config.mail-server;
dcList = strings.splitString "." cfg.domain;
ldapDomain = strings.concatStringsSep "," (lists.forEach dcList (dc: "dc=" + dc));
dcList = lib.strings.splitString "." cfg.domain;
ldapDomain = lib.strings.concatStringsSep "," (lib.lists.forEach dcList (x: "dc=" + x));
dovecotSecretPath = "/run/dovecot-secret";
authBaseConf = pkgs.writeText "dovecot-auth.conf.ext" ''
passdb ldap {
auth_username_format = %{user | lower}
ldap_bind = no
ldap_filter = (&(objectClass=inetOrgPerson)(uid=%{user | username}))
use_worker = no
dovecotSecretPath = "/run/dovecot2-secret";
ldapDefaultConf = pkgs.writeText "dovecot-ldap.conf.ext" ''
ldap_version = 3
auth_bind_userdn = uid=%u,ou=mail,${ldapDomain}
auth_bind = yes
hosts = ${cfg.domain}
dn = cn=admin,${ldapDomain}
base = ou=mail,${ldapDomain}
pass_filter = (&(objectClass=inetorgperson)(uid=%u))
user_filter = (&(objectClass=inetorgperson)(uid=%u))
fields {
user = %{ldap:mail}
password = %{ldap:userPassword}
}
}
ldap_auth_dn = cn=admin,${ldapDomain}
ldap_auth_dn_password = $LDAP_PASSWORD
ldap_uris = ldap://localhost
ldap_base = ${ldapDomain}
'';
ldapSecretConf = "${dovecotSecretPath}/dovecot-ldap.conf.ext";
authConf = "${dovecotSecretPath}/dovecot-auth.conf.ext";
oauthConf = pkgs.writeText "dovecot-oauth.conf.ext" ''
oauth2 {
client_id = dovecot
client_secret = 1l9EyvmaDQBMUHXgPkH69RwNcm7gDFbB
introspection_mode = post
introspection_url = https://keycloak.net.dn/realms/master/protocol/openid-connect/token/introspect
username_attribute = email
}
'';
dovecotDomain = config.services.postfix.hostname;
in
with builtins;
with lib;
{
config = mkIf cfg.enable {
security.acme.certs = {
"${config.services.postfix.hostname}" = {
dnsProvider = null;
webroot = "/var/lib/acme/acme-challenge";
postRun = ''
systemctl restart postfix.service
systemctl restart dovecot.service
systemctl restart rspamd-trainer.service
'';
};
"${cfg.domain}" = {
dnsProvider = null;
webroot = "/var/lib/acme/acme-challenge";
};
};
# ===== opendkim ===== #
services.opendkim = {
enable = true;
domains = "csl:${cfg.domain}";
selector = "mail";
};
# ===== Postfix ===== #
environment.sessionVariables = {
MAILDIR = cfg.mailDir;
};
systemd.services.postfix = {
requires = [
"acme-finished-${config.services.postfix.hostname}.target"
];
serviceConfig.LoadCredential =
let
certDir = config.security.acme.certs."${config.services.postfix.hostname}".directory;
in
[
"cert.pem:${certDir}/cert.pem"
"key.pem:${certDir}/key.pem"
];
};
services.postfix = {
enable = true;
hostname = cfg.domain;
hostname = "mail.${cfg.domain}";
origin = cfg.origin;
destination = cfg.destination;
networks = cfg.networks;
config = {
virtual_uid_maps = [
"static:${toString cfg.uid}"
];
virtual_gid_maps = [
"static:${toString cfg.gid}"
];
virtual_mailbox_domains = [ cfg.domain ];
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
tls_preempt_cipherlist = "yes";
smtpd_use_tls = "yes";
smtpd_tls_security_level = "may";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/auth";
smtpd_sasl_auth_enable = "yes";
smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
virtual = cfg.virtual;
enableSubmissions = true;
relayPort = 465;
submissionOptions = {
milter_macro_daemon_name = "ORIGINATING";
smtpd_client_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject";
smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
home_mailbox = cfg.mailDir;
smtpd_tls_security_level = "encrypt";
smtpd_tls_loglevel = "10";
};
config =
let
credsDir = "/run/credentials/postfix.service";
certDir = "${credsDir}/cert.pem";
keyDir = "${credsDir}/key.pem";
in
{
virtual_uid_maps = [
"static:${toString cfg.uid}"
];
virtual_gid_maps = [
"static:${toString cfg.gid}"
];
virtual_mailbox_domains = [ cfg.domain ];
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/auth";
smtpd_sasl_auth_enable = "yes";
tls_random_source = "dev:/dev/urandom";
smtp_tls_security_level = "may";
smtp_tls_chain_files = [
keyDir
certDir
];
smtpd_tls_chain_files = [
keyDir
certDir
];
home_mailbox = cfg.mailDir;
}
// optionalAttrs config.services.opendkim.enable (
let
opendkimSocket = strings.removePrefix "local:" config.services.opendkim.socket;
in
{
smtpd_milters = [ "unix:${opendkimSocket}" ];
non_smtpd_milters = [ "unix:${opendkimSocket}" ];
milter_default_action = "accept";
}
);
rootAlias = cfg.rootAlias;
postmasterAlias = "root";
extraAliases =
''
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
''
+ cfg.extraAliases;
extraAliases = ''
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
''
+ cfg.extraAliases;
};
services.rspamd = {
enable = true;
postfix.enable = true;
workers = {
normal = {
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = [
{
socket = "/run/rspamd/rspamd.sock";
mode = "0660";
owner = "${config.services.rspamd.user}";
group = "${config.services.rspamd.group}";
}
];
};
controller = {
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "127.0.0.1:${toString cfg.rspamd.port}" ];
extraConfig = ''
password=$2$w3asngzxwp3hoa67gimtrgmdxzmpq1n1$knfe5cyb1f769zro4rsi3j8ipc1p7ewh3u4cz63ngidmpjs8955y
'';
};
};
};
# ===== rspamd trainer ===== #
services.rspamd-trainer = {
enable = true;
settings = {
HOST = dovecotDomain;
USERNAME = "spam@${cfg.domain}";
INBOXPREFIX = "INBOX.";
};
secrets = [
cfg.rspamd.trainerSecret
];
};
systemd.services.rspamd-trainer = lib.mkIf config.services.rspamd-trainer.enable {
after = [
"postfix.service"
"dovecot.service"
"rspamd-trainer-pre.service"
];
requires = [ "rspamd-trainer-pre.service" ];
};
# ===== Create Mailbox for rspamd trainer ===== #
systemd.services.rspamd-trainer-pre = lib.mkIf config.services.rspamd-trainer.enable {
serviceConfig = {
ExecStart =
let
script = pkgs.writeShellScript "rspamd-trainer-pre.sh" ''
set -euo pipefail
username=${config.services.rspamd-trainer.settings.USERNAME}
domain="${cfg.domain}"
mailbox_list=("report_spam" "report_ham" "report_spam_reply")
for mailbox in ''\${mailbox_list[@]}; do
echo "Creating $mailbox..."
${pkgs.dovecot}/bin/doveadm mailbox create -u "$username@$domain" "INBOX.$mailbox" 2>/dev/null || true
done
'';
in
"${pkgs.bash}/bin/bash ${script}";
Type = "oneshot";
};
};
# ===== Dovecot ===== #
services.dovecot2 = {
enable = lib.mkDefault true;
enableImap = true;
enablePop3 = true;
enableLmtp = true;
mailLocation = lib.mkDefault "maildir:${cfg.virtualMailDir}";
mailUser = "vmail";
mailGroup = "vmail";
sslServerKey = cfg.sslKey;
sslServerCert = cfg.sslCert;
sslCACert = config.security.pki.caBundle;
extraConfig = ''
log_path = /var/log/dovecot.log
auth_debug = yes
mail_debug = yes
auth_mechanisms = plain login
ssl = yes
ssl_dh_parameters_length = 2048
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes
service auth {
unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
}
}
service lmtp {
unix_listener ${config.services.postfix.config.queue_directory}/private/dovecot-lmtp {
mode = 0600
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
}
}
passdb ldap {
driver = ldap
args = ${ldapSecretConf}
}
userdb {
driver = static
args = uid=${toString cfg.uid} gid=${toString cfg.gid} home=${cfg.virtualMailDir}/%d/%n/
}
lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes
'';
};
systemd.services.dovecot2 = {
systemd.services.dovecot = {
requires = [ "acme-finished-${dovecotDomain}.target" ];
serviceConfig = {
RuntimeDirectory = [ "dovecot2-secret" ];
RuntimeDirectory = [ "dovecot-secret" ];
RuntimeDirectoryMode = "0640";
ExecStartPre = [
''${pkgs.busybox.out}/bin/mkdir -p ${cfg.virtualMailDir}''
''${pkgs.busybox.out}/bin/chown -R vmail:vmail ${cfg.virtualMailDir}''
''${pkgs.busybox.out}/bin/chmod 770 ${cfg.virtualMailDir}''
''${pkgs.busybox.out}/bin/sh -c "${pkgs.busybox.out}/bin/cat ${ldapDefaultConf} ${cfg.dovecot.ldapFile} > ${ldapSecretConf}"''
''${pkgs.bash}/bin/bash -c "LDAP_PASSWORD=$(cat ${cfg.ldap.passwordFile}) ${pkgs.gettext.out}/bin/envsubst < ${authBaseConf} > ${authConf}"''
''${pkgs.busybox.out}/bin/chown ${config.services.dovecot.user}:${config.services.dovecot.group} ${authConf}''
''${pkgs.busybox.out}/bin/chmod 660 ${authConf}''
];
LoadCredential =
let
certDir = config.security.acme.certs."${dovecotDomain}".directory;
in
[
"cert.pem:${certDir}/cert.pem"
"key.pem:${certDir}/key.pem"
];
};
};
services.dovecot =
let
credsDir = "/run/credentials/dovecot.service";
certDir = "${credsDir}/cert.pem";
keyDir = "${credsDir}/key.pem";
in
{
enable = true;
enablePAM = false;
enableImap = true;
enablePop3 = true;
enableLmtp = true;
enableHealthCheck = true;
mailLocation = lib.mkDefault "${cfg.mailDir}";
mailUser = "vmail";
mailGroup = "vmail";
sslServerKey = keyDir;
sslServerCert = certDir;
mailboxes = {
Junk = {
specialUse = "Junk";
auto = "subscribe";
};
Drafts = {
specialUse = "Drafts";
auto = "subscribe";
};
Archive = {
specialUse = "Archive";
auto = "subscribe";
};
Sent = {
specialUse = "Sent";
auto = "subscribe";
};
};
extraConfig = ''
# authentication debug logging
log_path = /dev/stderr
log_debug = (category=auth-client) OR (event=auth_client_passdb_lookup_started)
auth_mechanisms = plain login oauthbearer
ssl = required
service auth {
unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
type = postfix
}
}
service lmtp {
unix_listener ${config.services.postfix.config.queue_directory}/private/dovecot-lmtp {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
type = postfix
}
}
userdb static {
fields {
uid = ${toString cfg.uid}
gid = ${toString cfg.gid}
home = ${cfg.virtualMailDir}/%{user | domain}/%{user | username}
}
}
lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes
!include ${authConf}
!include ${oauthConf}
'';
};
systemd.services.dovecot-healthcheck = mkIf config.services.dovecot.enableHealthCheck (
let
pythonServer =
pkgs.writeScript "dovecot-healthcheck"
# python
''
#!${pkgs.python3}/bin/python3
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
DOVECOT_HOST = '127.0.0.1'
DOVECOT_PORT = ${toString config.services.dovecot.healthCheckPort}
class HealthCheckHandler(BaseHTTPRequestHandler):
def do_GET(self):
if self.path != '/ping':
self.send_response(404)
self.end_headers()
return
try:
with socket.create_connection((DOVECOT_HOST, DOVECOT_PORT), timeout=5) as sock:
sock.sendall(b"PING\n")
data = sock.recv(1024).strip()
except Exception as e:
self.send_response(500)
self.end_headers()
self.wfile.write(b"Error connecting to healthcheck service")
return
if data == b"PONG":
self.send_response(200)
self.send_header("Content-Type", "text/plain")
self.end_headers()
self.wfile.write(b"PONG")
else:
self.send_response(500)
self.end_headers()
self.wfile.write(b"Unexpected response")
if __name__ == '__main__':
server = HTTPServer(('0.0.0.0', 5002), HealthCheckHandler)
print("HTTP healthcheck proxy running on port 5002")
server.serve_forever()
'';
in
{
requires = [ "dovecot.service" ];
wantedBy = [ "multi-user.target" ];
after = [ "dovecot.service" ];
serviceConfig = {
Type = "simple";
ExecStart = pythonServer;
};
}
);
# ===== Firewall ===== #
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
80 # HTTP
443 # HTTPS
25 # SMTP
465 # SMTPS
587 # STARTTLS
143 # IMAP STARTTLS
993 # IMAPS
110 # POP3 STARTTLS
995 # POP3S
389 # LDAP
];
services.postgresql = {
enable = true;
ensureDatabases = [ "keycloak" ];
ensureUsers = [
{
name = "keycloak";
ensureDBOwnership = true;
}
];
};
# ===== OAuth keycloak ===== #
services.keycloak = {
enable = true;
database = {
type = "postgresql";
host = "localhost";
name = "keycloak";
createLocally = false;
passwordFile = cfg.oauth.passwordFile;
};
settings = {
hostname = "keycloak.${cfg.domain}";
proxy-headers = "xforwarded";
http-port = 38080;
http-enabled = true;
health-enabled = true;
http-management-port = 38081;
truststore-paths = cfg.caFile;
};
};
# ==== LDAP ===== #
services.openldap = {
enable = true;
urlList = [ "ldap:///" ];
urlList = [ "ldap:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
@ -163,91 +460,127 @@ with lib;
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "${ldapDomain}";
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcRootDN = "cn=admin,${ldapDomain}";
olcRootPW.path = cfg.openldap.passwordFile;
olcSuffix = ldapDomain;
olcAccess = [
''
{0}to attrs=userPassword
by dn="cn=admin,${ldapDomain}" read
by self write
by anonymous auth
by * none
''
''
{1}to *
by * read
''
];
olcRootDN = "cn=admin,${ldapDomain}";
olcRootPW.path = cfg.ldap.passwordFile;
olcAccess = [
''
{0}to attrs=userPassword
by dn.exact="cn=admin,${ldapDomain}" read
by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
by self write
by anonymous auth
by * none
''
''
{1}to *
by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
by * read
''
];
};
children = {
"olcOverlay={2}ppolicy".attrs = {
objectClass = [
"olcOverlayConfig"
"olcPPolicyConfig"
"top"
];
olcOverlay = "{2}ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"olcOverlay={3}memberof".attrs = {
objectClass = [
"olcOverlayConfig"
"olcMemberOf"
"top"
];
olcOverlay = "{3}memberof";
olcMemberOfRefInt = "TRUE";
olcMemberOfDangling = "ignore";
olcMemberOfGroupOC = "groupOfNames";
olcMemberOfMemberAD = "member";
olcMemberOfMemberOfAD = "memberOf";
};
"olcOverlay={4}refint".attrs = {
objectClass = [
"olcOverlayConfig"
"olcRefintConfig"
"top"
];
olcOverlay = "{4}refint";
olcRefintAttribute = "memberof member manager owner";
};
};
};
};
};
};
# Openldap auto create baseDN
environment.etc."openldap/base.ldif" = {
mode = "0770";
user = config.services.openldap.user;
group = config.services.openldap.group;
text = ''
dn: ${ldapDomain}
objectClass: top
objectClass: domain
dc: ${elemAt dcList 0}
'';
};
systemd.services.openldap-init-base = {
wantedBy = [ "openldap.service" ];
requires = [ "openldap.service" ];
after = [ "openldap.service" ];
serviceConfig = {
User = config.services.openldap.user;
Group = config.services.openldap.group;
Type = "oneshot";
ExecStart =
let
dcScript = pkgs.writeShellScriptBin "openldap-init" ''
BASE_DN="${ldapDomain}"
LDIF_FILE="/etc/openldap/base.ldif"
ADMIN_DN="cn=admin,${ldapDomain}"
${pkgs.openldap}/bin/ldapsearch -x -b "$BASE_DN" -s base "(objectclass=*)" > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "Base DN $BASE_DN not exist, import $LDIF_FILE"
${pkgs.openldap}/bin/ldapadd -x -D "$ADMIN_DN" -y ${cfg.openldap.passwordFile} -W -f "$LDIF_FILE"
else
echo "Base DN $BASE_DN exists, skip"
fi
'';
in
"${dcScript}/bin/openldap-init";
# ==== postsrsd ==== #
services.postsrsd = {
enable = true;
configurePostfix = true;
secretsFile = config.sops.secrets."postsrsd/secret".path;
settings = {
srs-domain = cfg.domain;
domains = [ cfg.domain ];
};
};
# ===== Firewall ===== #
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
25 # SMTP
465 # SMTPS
587 # STARTTLS
143 # IMAP STARTTLS
993 # IMAPS
110 # POP3 STARTTLS
995 # POP3S
];
virtualisation = {
docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
oci-containers = {
backend = "docker";
containers = {
phpLDAPadmin = {
extraOptions = [ "--network=host" ];
image = "phpldapadmin/phpldapadmin";
volumes = [
"/var/lib/pla/logs:/app/storage/logs"
"/var/lib/pla/sessions:/app/storage/framework/sessions"
];
environment = {
APP_URL = "https://ldap.${cfg.domain}";
ASSET_URL = "https://ldap.${cfg.domain}";
APP_TIMEZONE = "Asia/Taipei";
LDAP_HOST = "127.0.0.1";
SERVER_NAME = ":8080";
LDAP_LOGIN_OBJECTCLASS = "inetOrgPerson";
LDAP_BASE_DN = "${ldapDomain}";
LDAP_LOGIN_ATTR = "dn";
LDAP_LOGIN_ATTR_DESC = "Username";
};
environmentFiles = [
cfg.ldap.webEnv
];
};
};
};
};
# ===== Virtual Mail User ===== #
users.groups.vmail = {
@ -259,28 +592,36 @@ with lib;
group = "vmail";
};
virtualisation = mkIf cfg.openldap.enableWebUI {
docker = {
enable = lib.mkDefault true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
services.nginx = {
enable = mkDefault true;
recommendedGzipSettings = mkDefault true;
recommendedOptimisation = mkDefault true;
recommendedTlsSettings = mkDefault true;
recommendedProxySettings = mkDefault true;
oci-containers = {
backend = "docker";
containers = {
lam = {
image = "ghcr.io/ldapaccountmanager/lam:9.2";
extraOptions = [ "--network=host" ];
autoStart = true;
environment = {
LDAP_DOMAIN = cfg.domain;
LDAP_SERVER = "ldap://${cfg.domain}";
LDAP_USERS_DN = "ou=mail,${ldapDomain}";
};
};
virtualHosts = {
"${config.services.postfix.hostname}" = {
enableACME = true;
forceSSL = true;
locations."/dovecot/ping".proxyPass = "http://localhost:${toString 5002}/ping";
};
"ldap.${cfg.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString 8080}/";
};
"rspamd.${cfg.domain}" = mkIf config.services.rspamd.enable {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString cfg.rspamd.port}/";
};
"${config.services.keycloak.settings.hostname}" = mkIf config.services.keycloak.enable {
enableACME = true;
forceSSL = true;
locations."/".proxyPass =
"http://localhost:${toString config.services.keycloak.settings.http-port}";
locations."/health".proxyPass =
"http://localhost:${toString config.services.keycloak.settings.http-management-port}/health";
};
};
};

128
system/modules/nextcloud.nix
View file

@ -11,6 +11,14 @@
lib,
...
}:
let
nextcloudPkg = pkgs.nextcloud31.overrideAttrs (oldAttr: rec {
caBundle = config.security.pki.caBundle;
postPatch = ''
cp ${caBundle} resources/config/ca-bundle.crt
'';
});
in
{
imports = [
"${
@ -23,10 +31,6 @@
services.postgresql = {
enable = true;
authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
'';
ensureUsers = [
{
name = "nextcloud";
@ -40,7 +44,7 @@
services.nextcloud = {
enable = true;
package = pkgs.nextcloud31;
package = nextcloudPkg;
configureRedis = true;
hostName = hostname;
https = if https then true else false;
@ -50,8 +54,6 @@
imagick
];
maxUploadSize = "10240M";
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
contacts
@ -64,6 +66,12 @@
sha256 = "sha256-aiMUSJQVbr3xlJkqOaE3cNhdZu3CnPEIWTNVOoG4HSo=";
license = "agpl3Plus";
};
user_oidc = pkgs.fetchNextcloudApp {
url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v7.2.0/user_oidc-v7.2.0.tar.gz";
sha256 = "sha256-nXDWfRP9n9eH+JGg1a++kD5uLMsXh5BHAaTAOgLI9W4=";
license = "agpl3Plus";
};
};
extraAppsEnable = true;
@ -74,7 +82,8 @@
};
settings = {
log_type = "file";
allow_local_remote_servers = true;
log_type = "syslog";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
@ -89,12 +98,15 @@
"OC\\Preview\\HEIC"
"OC\\Preview\\SVG"
"OC\\Preview\\FONT"
"OC\\Preview\\Imaginary"
"OC\\Preview\\ImaginaryPDF"
];
};
};
services.nginx.virtualHosts.${hostname} = {
enableACME = true;
forceSSL = true;
};
environment.systemPackages = with pkgs; [
exiftool
];
@ -115,59 +127,57 @@
};
};
services = lib.mkIf (dataBackupPath != null || dbBackupPath != null) {
"nextcloud-backup" = {
enable = true;
serviceConfig = {
User = "nextcloud";
ExecStart =
let
script = pkgs.writeShellScriptBin "backup" (
''
nextcloudPath="${config.services.nextcloud.datadir}"
services."nextcloud-backup" = lib.mkIf (dataBackupPath != null || dbBackupPath != null) {
enable = true;
serviceConfig = {
User = "nextcloud";
ExecStart =
let
script = pkgs.writeShellScriptBin "backup" (
''
nextcloudPath="${config.services.nextcloud.datadir}"
if [ ! -d "$nextcloudPath" ]; then
echo "nextcloud path not found: $nextcloudPath"
exit 1
fi
''
+ (
if dataBackupPath != null then
''
backupPath="${dataBackupPath}"
nextcloudBakPath="$backupPath"
if [ ! -d "$nextcloudPath" ]; then
echo "nextcloud path not found: $nextcloudPath"
exit 1
fi
''
+ (
if dataBackupPath != null then
''
backupPath="${dataBackupPath}"
nextcloudBakPath="$backupPath"
if [ ! -d "$backupPath" ]; then
echo "Backup device is not mounted: $backupPath"
exit 1
fi
if [ ! -d "$backupPath" ]; then
echo "Backup device is not mounted: $backupPath"
exit 1
fi
echo "Start syncing..."
${pkgs.rsync}/bin/rsync -rh --delete "$nextcloudPath" "$nextcloudBakPath"
echo "Data dir backup completed."
''
else
""
)
+ (
if dbBackupPath != null then
''
nextcloudDBBakPath="${dbBackupPath}/nextcloud-db.bak.tar"
if [ ! -d "$nextcloudBakPath" ]; then
mkdir -p "$nextcloudBakPath"
fi
echo "Start syncing..."
${pkgs.rsync}/bin/rsync -rh --delete "$nextcloudPath" "$nextcloudBakPath"
echo "Data dir backup completed."
''
else
""
)
+ (
if dbBackupPath != null then
''
nextcloudDBBakPath="${dbBackupPath}/nextcloud-db.bak.tar"
if [ ! -d "$nextcloudBakPath" ]; then
mkdir -p "$nextcloudBakPath"
fi
echo "Try backing up database (postgresql)"
${pkgs.postgresql}/bin/pg_dump -F t nextcloud -f "$nextcloudDBBakPath"
echo "Database backup completed."
''
else
""
)
);
in
"${script}/bin/backup";
};
echo "Try backing up database (postgresql)"
${pkgs.postgresql}/bin/pg_dump -F t nextcloud -f "$nextcloudDBBakPath"
echo "Database backup completed."
''
else
""
)
);
in
"${script}/bin/backup";
};
};
};

10
system/modules/postgresql.nix Normal file
View file

@ -0,0 +1,10 @@
{ lib, ... }:
{
services.postgresql = {
enable = lib.mkDefault true;
authentication = ''
#type database DBuser origin-address auth-method
local all all trust
'';
};
}

53
system/modules/prometheus.nix Normal file
View file

@ -0,0 +1,53 @@
{
fqdn,
selfMonitor ? true,
configureNginx ? true,
scrapes ? [ ],
}:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf optionalAttrs;
inherit (builtins) toString;
in
{
services.prometheus.exporters.node = mkIf selfMonitor {
enable = true;
port = 9000;
enabledCollectors = [ "systemd" ];
};
services.prometheus = {
enable = true;
webExternalUrl = "https://${fqdn}";
globalConfig = {
scrape_interval = "10s";
};
scrapeConfigs = (
[
{
job_name = "master-server";
static_configs = [
(optionalAttrs selfMonitor {
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
})
];
}
]
++ scrapes
);
};
services.nginx.virtualHosts."${fqdn}" = mkIf configureNginx {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.prometheus.port}";
};
};
}

51
system/modules/terraria.nix
View file

@ -1,51 +0,0 @@
{ pkgs, ... }:
let
serverPkg = pkgs.tmodloader-server.overrideAttrs (
final: prev: rec {
version = "v2025.04.3.0";
name = "tmodloader-${version}";
url = "https://github.com/tModLoader/tModLoader/releases/download/${version}/tModLoader.zip";
src = pkgs.fetchurl {
inherit url;
hash = "sha256-cu98vb3T2iGC9W3e3nfls3mYTUQ4sviRHyViL0Qexn0=";
};
}
);
in
{
services.tmodloader = {
enable = true;
servers.pokemon = {
enable = true;
openFirewall = true;
port = 7777;
autoStart = true;
package = serverPkg;
world = "/var/lib/tmodloader/pokemon/Worlds/default.wld";
autocreate = "large";
install = [
3039823461
2619954303
2563851005
3378168037
3173371762
2800050107
2785100219
3018447913
2565540604
2563309347
2908170107
2669644269
3439924021
2599842771
2797518634
2565639705
3497111954
2563815443
2707400823
];
};
};
}

9
system/modules/vaultwarden.nix
View file

@ -19,7 +19,7 @@
dbBackend = "postgresql";
environmentFile = config.sops.secrets.vaultwarden.path;
config = {
DOMAIN = domain;
DOMAIN = "https://${domain}";
SIGNUPS_ALLOWED = true;
SIGNUPS_VERIFY = true;
ROCKET_PORT = 8222;
@ -29,4 +29,11 @@
DATABASE_URL = "postgresql:///vaultwarden";
};
};
services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass =
"http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
};
}