2023-07-07 23:44:40 -05:00
|
|
|
{ lib, config, pkgs, ... }:
|
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
{
|
2023-07-07 23:44:40 -05:00
|
|
|
imports =
|
|
|
|
[
|
2023-08-01 15:43:38 -05:00
|
|
|
../modules/mail.nix
|
2023-08-01 15:46:57 -05:00
|
|
|
../common/main.nix
|
2023-07-07 23:44:40 -05:00
|
|
|
];
|
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
boot.loader.grub.enable = true;
|
|
|
|
boot.loader.grub.device = "/dev/vda";
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
networking.hostName = "netbox";
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-12-03 20:48:49 -06:00
|
|
|
services.rss2email = {
|
|
|
|
enable = true;
|
2023-12-03 21:46:37 -06:00
|
|
|
to = "ryan@beepboop.systems";
|
2023-12-03 20:48:49 -06:00
|
|
|
feeds = {
|
|
|
|
"eff" = {
|
|
|
|
url = "https://www.eff.org/rss/updates.xml";
|
|
|
|
};
|
2023-12-03 21:46:37 -06:00
|
|
|
"nixos" = {
|
|
|
|
url = "https://nixos.org/blog/announcements-rss.xml";
|
|
|
|
};
|
|
|
|
"drewdevault" = {
|
|
|
|
url = "https://drewdevault.com/blog/index.xml";
|
|
|
|
};
|
|
|
|
"nullprogram" = {
|
|
|
|
url = "https://nullprogram.com/feed/";
|
|
|
|
};
|
2023-12-03 20:48:49 -06:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-12-03 21:46:37 -06:00
|
|
|
services.fail2ban = {
|
|
|
|
enable = true;
|
|
|
|
ignoreIP = [
|
|
|
|
"192.168.1.0/24"
|
|
|
|
];
|
|
|
|
extraPackages = [pkgs.ipset];
|
|
|
|
banaction = "iptables-ipset-proto6-allports";
|
|
|
|
|
|
|
|
jails = {
|
|
|
|
"nginx-bruteforce" = ''
|
|
|
|
enabled = true
|
|
|
|
filter = nginx-bruteforce
|
|
|
|
logpath = /var/log/nginx/access.log
|
|
|
|
backend = auto
|
|
|
|
maxretry = 6
|
|
|
|
findtime = 600
|
|
|
|
'';
|
|
|
|
|
|
|
|
"postfix-bruteforce" = ''
|
|
|
|
enabled = true
|
|
|
|
filter = postfix-bruteforce
|
|
|
|
maxretry = 6
|
|
|
|
findtime = 600
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
environment.etc = {
|
|
|
|
"fail2ban/filter.d/nginx-bruteforce.conf".text = ''
|
|
|
|
[Definition]
|
|
|
|
failregex = ^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
|
|
|
|
'';
|
|
|
|
|
|
|
|
"fail2ban/filter.d/postfix-bruteforce.conf".text = ''
|
|
|
|
[Definition]
|
|
|
|
failregex = warning: [\w\.\-]+\[<HOST>\]: SASL LOGIN authentication failed.*$
|
|
|
|
journalmatch = _SYSTEMD_UNIT=postfix.service
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
users.users.useracc = {
|
|
|
|
isNormalUser = true;
|
|
|
|
extraGroups = [ "wheel" "docker" ];
|
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-10-30 16:25:45 -05:00
|
|
|
users.users.paperlesspassthrough = {
|
|
|
|
isNormalUser = true;
|
|
|
|
};
|
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
environment.systemPackages = with pkgs; [
|
2023-09-23 03:42:22 -05:00
|
|
|
neovim
|
2023-07-08 16:22:38 -05:00
|
|
|
# nothing more needed, at the moment
|
|
|
|
];
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.openssh = {
|
|
|
|
enable = true;
|
|
|
|
ports = [55555];
|
|
|
|
};
|
|
|
|
|
2023-12-03 19:50:26 -06:00
|
|
|
services.endlessh.enable = true;
|
2023-12-03 20:02:19 -06:00
|
|
|
services.endlessh.port = 22;
|
2023-12-03 19:50:26 -06:00
|
|
|
services.vaultwarden.enable = true;
|
|
|
|
services.vaultwarden.config = {
|
|
|
|
DOMAIN = "https://bitwarden.beepboop.systems";
|
|
|
|
SIGNUPS_ALLOWED = false;
|
|
|
|
};
|
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
networking.usePredictableInterfaceNames = false;
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.nixosmail.enable = true;
|
|
|
|
|
|
|
|
services.gitea = {
|
|
|
|
enable = true;
|
|
|
|
appName = "crappy code"; # Give the site a name
|
|
|
|
database = {
|
|
|
|
type = "postgres";
|
|
|
|
passwordFile = "/etc/gittea-pass";
|
|
|
|
};
|
|
|
|
settings.server = {
|
|
|
|
DOMAIN = "git.beepboop.systems";
|
|
|
|
ROOT_URL = "https://git.beepboop.systems/";
|
|
|
|
HTTP_PORT = 3001;
|
2023-07-07 23:44:40 -05:00
|
|
|
};
|
2023-07-08 16:22:38 -05:00
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.postgresql = {
|
|
|
|
enable = true; # Ensure postgresql is enabled
|
|
|
|
authentication = ''
|
|
|
|
local gitea all ident map=gitea-users
|
|
|
|
'';
|
|
|
|
identMap = # Map the gitea user to postgresql
|
|
|
|
''
|
|
|
|
gitea-users gitea gitea
|
2023-07-07 23:44:40 -05:00
|
|
|
'';
|
2023-07-08 16:22:38 -05:00
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.nginx.enable = true;
|
|
|
|
services.nginx.clientMaxBodySize = "100m";
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.nginx.virtualHosts."beepboop.systems" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
root = "/var/www/beepboop.systems";
|
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.nginx.virtualHosts."git.beepboop.systems" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
locations."/".proxyPass = "http://localhost:3001";
|
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.nginx.virtualHosts."paperless.beepboop.systems" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
locations."/".proxyPass = "http://localhost:3004";
|
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.nginx.virtualHosts."bitwarden.beepboop.systems" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:8000";
|
2023-07-07 23:44:40 -05:00
|
|
|
};
|
2023-07-08 16:22:38 -05:00
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-12-06 18:22:25 -06:00
|
|
|
services.nginx.virtualHosts."radicale.beepboop.systems" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:5232";
|
|
|
|
extraConfig = ''
|
|
|
|
proxy_set_header X-Script-Name /;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_pass_header Authorization;
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-07-15 23:10:22 -05:00
|
|
|
services.nginx.virtualHosts."ntfy.beepboop.systems" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:3500";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.nginx.virtualHosts."skillissue.agency" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
root = "/var/www/skillissue.agency";
|
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
security.acme = {
|
|
|
|
acceptTerms = true;
|
2023-12-03 19:50:26 -06:00
|
|
|
email = "nickforanick@protonmail.com";
|
2023-07-08 16:22:38 -05:00
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-07-08 16:22:38 -05:00
|
|
|
services.roundcube = {
|
|
|
|
enable = true;
|
|
|
|
# this is the url of the vhost, not necessarily the same as the fqdn of
|
|
|
|
# the mailserver
|
|
|
|
hostName = "cube.beepboop.systems";
|
|
|
|
extraConfig = ''
|
|
|
|
# starttls needed for authentication, so the fqdn required to match
|
|
|
|
# the certificate
|
|
|
|
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
|
|
|
|
$config['smtp_user'] = "%u";
|
|
|
|
$config['smtp_pass'] = "%p";
|
|
|
|
'';
|
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-12-03 19:50:26 -06:00
|
|
|
networking.firewall = {
|
|
|
|
enable = true;
|
|
|
|
allowedTCPPorts = [ 5232 55555 22 80 443 ];
|
|
|
|
};
|
2023-07-07 23:44:40 -05:00
|
|
|
|
2023-12-03 19:50:26 -06:00
|
|
|
# services.paperless = {
|
|
|
|
# enable = true;
|
|
|
|
# passwordFile = "/etc/paperless-password";
|
|
|
|
# port = 3004;
|
|
|
|
# address = "localhost";
|
|
|
|
# extraConfig = {
|
|
|
|
# PAPERLESS_URL = "https://paperless.beepboop.systems";
|
|
|
|
# };
|
|
|
|
# };
|
2023-07-07 23:44:40 -05:00
|
|
|
}
|