diff --git a/flake.lock b/flake.lock index f58f20a..eb546ca 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,37 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -36,6 +68,54 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "simple-nixos-mailserver", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "simple-nixos-mailserver", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1742649964, + "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "simple-nixos-mailserver", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -94,7 +174,39 @@ "type": "github" } }, + "nixpkgs-25_05": { + "locked": { + "lastModified": 1747610100, + "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { + "locked": { + "lastModified": 1747179050, + "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1736549401, "narHash": "sha256-ibkQrMHxF/7TqAYcQE+tOnIsSEzXmMegzyBWza6uHKM=", @@ -115,14 +227,38 @@ "home-manager": "home-manager", "nixgl": "nixgl", "nixpkgs": "nixpkgs", + "simple-nixos-mailserver": "simple-nixos-mailserver", "st-flexipatch": "st-flexipatch", "unstable": "unstable" } }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "git-hooks": "git-hooks", + "nixpkgs": "nixpkgs_2", + "nixpkgs-25_05": "nixpkgs-25_05" + }, + "locked": { + "lastModified": 1755110674, + "narHash": "sha256-PigqTAGkdBYXVFWsJnqcirrLeFqRFN4PFigLA8FzxeI=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "f5936247dbdb8501221978562ab0b302dd75456c", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-25.05", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "st-flexipatch": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1752791100, diff --git a/flake.nix b/flake.nix index 60e7f47..9734df0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,6 +13,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 st-flexipatch.url = "https://git.antoinevaure.fr/ant/st-flexipatch/archive/master.zip";
+ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
 };
 outputs =
@@ -22,6 +23,12 @@
 pkgs = inputs.nixpkgs.legacyPackages.${system};
 pkgs-unstable = inputs.unstable.legacyPackages.${system};
 nixgl = inputs.nixgl.packages.${system};
+ osConfig = name: nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./os/${name}/configuration.nix
+ ];
+ };
 in {
 homeConfigurations."anvaure@Allegro23-12" = inputs.home-manager.lib.homeManagerConfiguration {
@@ -90,24 +97,10 @@
 ];
 };
- nixosConfigurations.basado = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- ./os/basado/configuration.nix
- ];
- };
-
- nixosConfigurations.moon = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- ./os/moon/configuration.nix
- ];
- };
-
- nixosConfigurations.hs = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [ ./os/hs/configuration.nix ];
- };
+ nixosConfigurations.basado = osConfig "basado";
+ nixosConfigurations.moon = osConfig "moon";
+ nixosConfigurations.hs = osConfig "hs";
+ nixosConfigurations.ks = osConfig "ks";
 build-all = pkgs.runCommandNoCC "build-all" {
 buildInputs =
@@ -117,6 +110,7 @@
 (osDerivation "basado")
 (osDerivation "moon")
 (osDerivation "hs")
+ (osDerivation "ks")
 (homeDerivation "anvaure@Allegro23-12")
 (homeDerivation "ant@hs")
 (homeDerivation "ant@basado")
diff --git a/os/ks/configuration.nix b/os/ks/configuration.nix
new file mode 100644
index 0000000..a95e640
--- /dev/null
+++ b/os/ks/configuration.nix
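Review bot: `simple-nixos-mailserver.url` is added without an `inputs.nixpkgs.follows = "nixpkgs";` line, unlike the sibling input visible just above it in the same hunk, and the lock in this commit shows the consequence: a separate `nixpkgs_2` (nixos-unstable) and `nixpkgs-25_05` pinned for the mailserver alone. The NixOS module itself is evaluated against the host's `pkgs`, so this is a duplicate-pin and update-hygiene problem rather than a runtime one, but `nix flake update` now tracks three nixpkgs trees that can drift apart. Write it as a set like the other inputs: `simple-nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05"; inputs.nixpkgs.follows = "nixpkgs"; };` — the mailserver's `nixpkgs-25_05` input is presumably for its own checks and can stay as is.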
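Review bot: `osConfig` calls `nixpkgs.lib.nixosSystem` without `specialArgs`, yet the new `os/ks/configuration.nix` in this commit takes `inputs` as a module argument and uses it inside `imports` (`inputs.simple-nixos-mailserver.nixosModule`). Arguments consumed while resolving `imports` have to come from `specialArgs`, because `_module.args` is not available that early, so unless something outside this diff provides `inputs`, evaluating `nixosConfigurations.ks` fails on an unknown argument. Add `specialArgs = { inherit inputs; };` next to `system = "x86_64-linux";` in the helper; the three pre-existing hosts ignore the extra argument.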
@@ -0,0 +1,177 @@
+ { config, inputs, lib, pkgs, ... }:
+
+ let
+ domain = "antoinevaure.fr";
+ domainAlex = "pulsewidth.ovh";
+ sshKeys = with (import ../../sshKeys.nix); [
+ basado
+ hs
+ moon
+ ];
+ in {
+ imports = [
+ ./hardware-configuration.nix
+ ../common.nix
+ inputs.simple-nixos-mailserver.nixosModule
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
+
+ networking.domain = domain;
+ networking.hostName = "ks";
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users.ant = {
+ isNormalUser = true;
+ description = "ant";
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ "jellyfin"
+ ];
+ openssh.authorizedKeys.keys = sshKeys;
+ };
+ security.sudo.wheelNeedsPassword = false;
+
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "antoinev.freeboxos.fr"
+ ];
+ };
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.${domain}";
+ domains = [ domain domainAlex ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "contact@${domain}" = {
+ hashedPasswordFile = "/var/mail_passwd";
+ # aliases = [ "me@${domain}" ];
+ };
+ "news@${domain}" = { hashedPasswordFile = "/var/mail_passwd"; };
+ "me@${domain}" = { hashedPasswordFile = "/var/mail_passwd"; };
+ "microsoft@${domain}" = { hashedPasswordFile = "/var/mail_passwd"; };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "contact@antoinevaure.fr";
+ };
+ services.qbittorrent = {
+ enable = true;
+ serverConfig = {
+ Preferences = {
+ WebUI = {
+ Username = "ant";
+ Password_PBKDF2 = "HWKPqI96WHoQOR46XaKm6Q==:CybDN9tU8rH0aYcgo1X0m5R/6XiNtx9i5JBgLJlYlpv8oXejAYoJ7SqYjZInMbR2WJIQv76RlfAwJ/PepNtevg==";
+ };
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = let
+ reverseProxy = port: {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString port}";
+ proxyWebsockets = true;
+ };
+ };
+ in {
+ "qbittorrent.${domain}" = (reverseProxy config.services.qbittorrent.webuiPort);
+ };
+ };
+
+ nix.optimise.automatic = true;
+ programs.git = { enable = true; };
+
+ networking.firewall.allowedTCPPorts = [
+ 22 # ssh
+ 80 # http
+ 443 # ssl
+ 9418 # git
+ 38774 # qbittorrent
+ 9191
+ (9191 + 1) # jus
+ ];
+
+ services = {
+ syncthing = {
+ enable = true;
+ openDefaultPorts = true;
+ group = "syncthing";
+ user = "syncthing";
+ dataDir = "/home/syncthing/shares";
+ configDir = "/home/syncthing/config";
+ overrideDevices =
+ true; # overrides any devices added or deleted through the WebUI
+ overrideFolders =
+ true; # overrides any folders added or deleted through the WebUI
+ settings = {
+ devices = {
+ "home" = {
+ id =
+ "FRCTEHB-WI3Q3CH-6MPKKRX-FTJMOCK-44K2D32-ORM52ZI-S2GTX2X-IRUSAQ5";
+ };
+ "android" = {
+ id =
+ "4Z7HDYB-C56BONH-JRBN5D7-LDFNHQJ-5BQDLVU-O3SMBPI-3VZTL7V-ERGU2Q5";
+ };
+ "allegro" = {
+ id =
+ "CLANFN6-Q26KKQL-S6OZ4JW-75CM2JC-R47DIWM-G7RBX7T-B4TJPTS-5U3ZRQH";
+ };
+ };
+ folders = {
+ "notes" = {
+ id = "njhxw-6wmte";
+ type = "receiveencrypted";
+ path =
+ "/home/syncthing/shares/notes"; # Which folder to add to Syncthing
+ devices = [
+ "home"
+ "android"
+ "allegro"
+ ]; # Which devices to share the folder with
+ };
+
+ "passdb" = {
+ id = "eo3io-kbitv";
+ type = "receiveencrypted";
+ path = "~/passdb";
+ devices = [
+ "home"
+ "android"
+ "allegro"
+ ]; # Which devices to share the folder with
+ };
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "23.11";
+ }
+
diff --git a/os/ks/hardware-configuration.nix b/os/ks/hardware-configuration.nix
new file mode 100644
index 0000000..3169acc
--- /dev/null
+++ b/os/ks/hardware-configuration.nix
@@ -0,0 +1,40 @@
+ { config, lib, pkgs, modulesPath, ... }:
+ {
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/cce1fbc8-61ae-4efe-bcb7-007216abadbd";
+ fsType = "ext4";
+ };
+
+ fileSystems."/disk2" =
+ { device = "/dev/disk/by-uuid/34b2e8b1-a1e9-430a-9e0a-96e3386ab536";
+ fsType = "ext4";
+ };
+
+ fileSystems."/disk3" =
+ { device = "/dev/disk/by-uuid/312ff291-c648-4b62-a1f2-790ec8d41374";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.docker0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.vethfd677c7.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ }
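Review bot: `Password_PBKDF2` under `services.qbittorrent.serverConfig` commits the WebUI credential hash to version control and — presumably, given how `serverConfig` is rendered to a config file; verify against the module — into the world-readable Nix store, while the `qbittorrent.${domain}` vhost in the same file publishes that WebUI to the Internet with nothing in front of it but qBittorrent's own login, so the hash is now an offline-cracking target for anyone with repo or store access. Rotate it, keep the credential out of the evaluated configuration, and consider an IP allow-list or `basicAuth` on the vhost. The `ant` account also gets `wheel` plus `security.sudo.wheelNeedsPassword = false;`, i.e. unconditional root on the host that runs the mail server; that is tolerable with key-only SSH but should be a deliberate choice, and `services.openssh.settings.KbdInteractiveAuthentication = false;` would close the interactive-password path that `PasswordAuthentication = false` alone leaves open (NixOS defaults it to true). The four `mailserver.loginAccounts` share one `hashedPasswordFile = "/var/mail_passwd"`, so every mailbox has the same password and one leaked credential opens all of them — one file per account is cheap. Finally, `9418 # git` and `9191`/`(9191 + 1) # jus` are opened in `networking.firewall.allowedTCPPorts` with no corresponding service anywhere in this file; either document what listens there or drop them.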