dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: routine maintenance

Browse source
This commit is contained in:
danny 2025-11-23 16:24:38 +08:00
parent c45ba82b90
commit c7743490a7
75 changed files with 1200 additions and 634 deletions
Download patch file Download diff file Expand all files Collapse all files

3
system/dev/dn-server/default.nix
View file

@ -19,6 +19,8 @@ in
"maps.rspamd.com"
"cdn-hub.crowdsec.net"
"api.crowdsec.net"
"mx1.daccc.info"
"mx1.dnywe.com"
];
allowedIPs = [
"10.0.0.0/24"
@ -43,6 +45,7 @@ in
'';
imports = [
../public/dn/default.nix
./common
./home
./network

12
system/dev/dn-server/network/services.nix
View file

@ -384,7 +384,15 @@ in
"test.local." = "127.0.0.1:5359";
};
forwardZonesRecurse = {
"." = "168.95.1.1";
# ==== Rspamd DNS ==== #
"multi.uribl.com." = "168.95.1.1";
"score.senderscore.com." = "168.95.1.1";
"list.dnswl.org." = "168.95.1.1";
"dwl.dnswl.org." = "168.95.1.1";
# ==== Others ==== #
"tw." = "168.95.1.1";
"." = "8.8.8.8";
};
dnssecValidation = "off";
dns.allowFrom = [
@ -395,6 +403,7 @@ in
dns.port = 5300;
yaml-settings = {
webservice.webserver = true;
recordcache.max_negative_ttl = 60;
};
};
@ -451,7 +460,6 @@ in
virtualisation = {
oci-containers = {
backend = "docker";
containers = {
uptime-kuma = {
extraOptions = [ "--network=host" ];

3
system/dev/dn-server/nix/atticd.nix
View file

@ -1,10 +1,11 @@
{
pkgs,
config,
inputs,
system,
...
}:
let
inherit (pkgs.stdenv.hostPlatform) system;
listenPort = 30098;
in
{

2
system/dev/dn-server/options/network.nix
View file

@ -58,7 +58,7 @@ in
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = 10;
OnUnitActiveSec = 60;
OnUnitActiveSec = 360;
};
};

2
system/dev/dn-server/services/default.nix
View file

@ -3,7 +3,7 @@
imports = [
./actual-budget.nix
./bitwarden.nix
./docmost.nix
# ./docmost.nix
./mail-server.nix
./nextcloud.nix
./paperless-ngx.nix

53
system/dev/dn-server/services/mail-server.nix
View file

@ -1,5 +1,6 @@
{ config, ... }:
{ config, lib, ... }:
let
inherit (lib) mkForce;
inherit (config.systemConf) username;
in
{
@ -46,6 +47,30 @@ in
'';
secretFile = config.sops.secrets."ldap/password".path;
webSecretFile = config.sops.secrets."ldap/env".path;
olcAccess =
let
olcDN = "dc=net,dc=dn";
in
[
''
{0}to attrs=userPassword
by peername="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.exact="cn=admin,${olcDN}" manage
by dn.exact="uid=admin,ou=people,${olcDN}" manage
by self write
by anonymous auth
by * none
''
''
{1}to *
by peername="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.exact="cn=admin,${olcDN}" manage
by dn.exact="uid=admin,ou=people,${olcDN}" manage
by self read
by anonymous auth
by * none
''
];
};
rspamd = {
secretFile = config.sops.secrets."rspamd".path;
@ -55,4 +80,30 @@ in
enable = true;
};
};
services.openldap.settings.attrs.olcLogLevel = mkForce "config";
services.postfix.settings.main = {
# internal_mail_filter_classes = [ "bounce" ];
};
services.rspamd = {
locals."logging.conf".text = ''
level = "debug";
'';
locals."settings.conf".text = ''
bounce {
id = "bounce";
priority = high;
ip = "127.0.0.1";
selector = 'smtp_from.regexp("/^$/").last';
apply {
BOUNCE = -25.0;
}
symbols [ "BOUNCE" ]
}
'';
};
}

7
system/dev/dn-server/services/nextcloud.nix
View file

@ -4,11 +4,16 @@
(import ../../../modules/nextcloud.nix {
hostname = "nextcloud.net.dn";
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
trusted-domains = [ "nextcloud.daccc.info" ];
trusted-proxies = [ "10.0.0.0/24" ];
whiteboardSecrets = [
config.sops.secrets."nextcloud/whiteboard".path
];
})
];
services.nextcloud = {
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) music;
};
};
}

4
system/dev/dn-server/services/ntfy.nix
View file

@ -19,7 +19,11 @@ in
upstream-base-url = "https://ntfy.sh";
behind-proxy = true;
proxy-trusted-hosts = "127.0.0.1";
auth-default-access = "deny-all";
enable-login = true;
auth-file = "/var/lib/ntfy-sh/user.db";
};
environmentFile = config.sops.secrets."ntfy".path;
};
services.nginx.virtualHosts = {

10
system/dev/dn-server/services/paperless-ngx.nix
View file

@ -6,14 +6,4 @@
passwordFile = config.sops.secrets."paperless/adminPassword".path;
})
];
# OIDC
services.paperless = {
settings = {
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
PAPERLESS_SOCIAL_AUTO_SIGNUP = true;
PAPERLESS_SOCIAL_ALLOW_SIGNUPS = true;
};
environmentFile = config.sops.secrets."paperless/envFile".path;
};
}

5
system/dev/dn-server/sops/secret.yaml
View file

@ -40,6 +40,7 @@ crowdsec:
capi.yaml: ENC[AES256_GCM,data:+13mu3XXst8J5okb+jQ/IPOd5TfdcDgLuTP8L46U53GTgTJChQoT4Ttw6xKQhp6L7vNoArQBQL66leRt3DEXATUjxl/Zoi2eymxqLn6/NUpPkv0g7hszJGVbMZEUGjo3IAk5ZRQWaNXHA9mRq/OkHzpMMM6ZpCd0KpY92QbLSHxJ6yUMazL1Wh4hwvyWyN6lLxujrgnZWOQDPZYQmIi+c/Af,iv:OO+Ujqq89SbWcRoqhwiJX2jtIJIUrtgG9xll7WuDhzw=,tag:R+Mx2UAkwA238quvMKCBLQ==,type:str]
consoleToken: ENC[AES256_GCM,data:G/UfbMqHW0lecT7vKmZsusvXzgxz6apdRQ==,iv:JJTN1RPhFNMd2gqE3Vw2FvC+bA/vgOiYNfBhr96veIw=,tag:HKbhtwCWkLte8e8uGDt2Gw==,type:str]
opencloud: ENC[AES256_GCM,data:NrhvojLoMUbGkWNkfDN12iAU70F9o1MXa3m8RzYtcBU1r9zk0e+4ZlPAqw2SIobMDC3vo3few7cA21ruYGP2p36lskG6UjafyJPJoHQcxlq04Kp/9GVeSsvI3KP08WLmoaBqk6b+f1K57P4OzSHPYKQ4/f51B4yhmt8n/DNg7RgF8wNKi4KUTOBuC/j+T+51vsJdjqHUuBi1y2ZqaolAwfEYbnswNVJUcOxHUezIAGke/22U0fS01+p1JQ/PAzSeDdxuX8dAMDVYHHZ13A07kXIRchpSb63Y5pTLUUAl25zAaSYoq+fZ0s61DZrYCaityZCishhCpJwmyoOsCWEesOpRFYNjIALIxWmM9b3aU/5G1WNiPRdlfvZpowhm3r+4X7QGCoXvuoI94l8DuXW7wN77XhLr7s4w,iv:TrUgpRHN7NYFZw+tihcxJ+dhNi4nIuNHMxNWgCE53AA=,tag:YZNL/Pv8S0hYtSt5IBE1GA==,type:str]
ntfy: ENC[AES256_GCM,data:BapVKt2WzKLMP6KsxZ32+SS0mpIy0waqUTI7Rj0yyWA1mF9bstp0VfRv/6Dna41ttecFjyLRMmlF0jLqHXcNtqmlB3lHiE5IvVcEadjGB5C1fcQKrj5CveVPecvxzc+CfMMt4tlzike9TYL2tP5siGQzU7HvpNfIlT/Qfi40j8l7eT+Tne+XAadu/GQ1CH5dWKr8gPrR8fpfw6CgDvvc05SBLlfM2LsfTxz/UNV3vAbfRLchCsqd9s9jcR4UJPoJv6HVe480HXgY5SLcZA/Gh58=,iv:MqYwns9JITCskQo+ADgWghfRCwiSV+IGdUvi568Fmrc=,tag:Re20TMCnk5EA+X9wQRYg3w==,type:str]
sops:
age:
- recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2
@ -69,7 +70,7 @@ sops:
OFloWEFuTC9GTXJsMG5NNktmdmIrY1kK0yN0ae0xNaydujV5lt2FiwXdyursG0DK
9i/B3TTAm9csDMMSTSFbiAUJDzG7kIqn++JU/cxvsGScSnhMqjEK/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-05T08:37:16Z"
mac: ENC[AES256_GCM,data:Qyb0Zu2MSu3TVdhh6/5iEMhPBpb+hfYFwkxZUSreXxnMtRKRaasKrcjfG/pBWmublUoJpfN6MMSyg5dqKmtPTCFEA1h2TywjjR1elZao3Fj61artd2gTR60heWMzJ1rRdczgYLkTO4dWp0JB3ShF75T5XQM2kGSB/d2pvfYv4bA=,iv:p3ZNr/ZMQhAbF+KbpxqY3/0mz5kkJ8BcwO7yW3NU6l8=,tag:WS9hH77KeeMYVO9eNu5wWA==,type:str]
lastmodified: "2025-11-22T18:17:35Z"
mac: ENC[AES256_GCM,data:88NsRj8t483hQ1jWu3u+772he7G2oyybf+pcgyFoBpfrb5GZqXzlae7TpTqstRLvXLcvaXXWI+QUA9WKvuozHEZ2OPzP84JbTjj72POBaIf5k9jHwzNrbXdWPlQF0PLHjnguniDeKLMC8KI7Aypww7CM3N3Gkuyr6bVGGDIsPLw=,iv:D0O8HmtjYyTRd+ZeDkGctA79i+LVOh2f8B1vUjWYqPI=,tag:OU77+XJh9nOOo54fmj35kQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

4
system/dev/dn-server/sops/sops-conf.nix
View file

@ -92,5 +92,9 @@ in
group = config.services.opencloud.group;
mode = "0600";
};
"ntfy" = mkIf config.services.ntfy-sh.enable {
owner = config.services.ntfy-sh.user;
mode = "0600";
};
};
}