chore: routine maintenance

2025-11-23 16:24:38 +08:00 · 2025-11-23 16:24:38 +08:00 · c7743490a7
commit c7743490a7
parent c45ba82b90
75 changed files with 1200 additions and 634 deletions
--- a/system/dev/dn-server/services/default.nix
+++ b/system/dev/dn-server/services/default.nix
@ -3,7 +3,7 @@
  imports = [
    ./actual-budget.nix
    ./bitwarden.nix
-    ./docmost.nix
+    # ./docmost.nix
    ./mail-server.nix
    ./nextcloud.nix
    ./paperless-ngx.nix
--- a/system/dev/dn-server/services/mail-server.nix
+++ b/system/dev/dn-server/services/mail-server.nix
@ -1,5 +1,6 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
+  inherit (lib) mkForce;
  inherit (config.systemConf) username;
 in
 {
@ -46,6 +47,30 @@ in
        '';
        secretFile = config.sops.secrets."ldap/password".path;
        webSecretFile = config.sops.secrets."ldap/env".path;
+        olcAccess =
+          let
+            olcDN = "dc=net,dc=dn";
+          in
+          [
+            ''
+              {0}to attrs=userPassword
+                  by peername="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+                  by dn.exact="cn=admin,${olcDN}" manage
+                  by dn.exact="uid=admin,ou=people,${olcDN}" manage
+                  by self write
+                  by anonymous auth
+                  by * none
+            ''
+            ''
+              {1}to *
+                  by peername="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+                  by dn.exact="cn=admin,${olcDN}" manage
+                  by dn.exact="uid=admin,ou=people,${olcDN}" manage
+                  by self read
+                  by anonymous auth
+                  by * none
+            ''
+          ];
      };
      rspamd = {
        secretFile = config.sops.secrets."rspamd".path;
@ -55,4 +80,30 @@ in
        enable = true;
      };
    };
+
+  services.openldap.settings.attrs.olcLogLevel = mkForce "config";
+
+  services.postfix.settings.main = {
+    # internal_mail_filter_classes = [ "bounce" ];
+  };
+
+  services.rspamd = {
+    locals."logging.conf".text = ''
+      level = "debug";
+    '';
+    locals."settings.conf".text = ''
+      bounce {
+        id = "bounce";
+        priority = high;
+        ip = "127.0.0.1";
+        selector = 'smtp_from.regexp("/^$/").last';
+
+        apply {
+          BOUNCE = -25.0;
+        }
+
+        symbols [ "BOUNCE" ]
+      }
+    '';
+  };
 }
--- a/system/dev/dn-server/services/nextcloud.nix
+++ b/system/dev/dn-server/services/nextcloud.nix
@ -4,11 +4,16 @@
    (import ../../../modules/nextcloud.nix {
      hostname = "nextcloud.net.dn";
      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
-      trusted-domains = [ "nextcloud.daccc.info" ];
      trusted-proxies = [ "10.0.0.0/24" ];
      whiteboardSecrets = [
        config.sops.secrets."nextcloud/whiteboard".path
      ];
    })
  ];
+
+  services.nextcloud = {
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps) music;
+    };
+  };
 }
--- a/system/dev/dn-server/services/ntfy.nix
+++ b/system/dev/dn-server/services/ntfy.nix
@ -19,7 +19,11 @@ in
      upstream-base-url = "https://ntfy.sh";
      behind-proxy = true;
      proxy-trusted-hosts = "127.0.0.1";
+      auth-default-access = "deny-all";
+      enable-login = true;
+      auth-file = "/var/lib/ntfy-sh/user.db";
    };
+    environmentFile = config.sops.secrets."ntfy".path;
  };

  services.nginx.virtualHosts = {
--- a/system/dev/dn-server/services/paperless-ngx.nix
+++ b/system/dev/dn-server/services/paperless-ngx.nix
@ -6,14 +6,4 @@
      passwordFile = config.sops.secrets."paperless/adminPassword".path;
    })
  ];
-
-  # OIDC
-  services.paperless = {
-    settings = {
-      PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
-      PAPERLESS_SOCIAL_AUTO_SIGNUP = true;
-      PAPERLESS_SOCIAL_ALLOW_SIGNUPS = true;
-    };
-    environmentFile = config.sops.secrets."paperless/envFile".path;
-  };
 }