From c927f8675b3a87b3efe7b19d1624038b35ce0a71 Mon Sep 17 00:00:00 2001
From: goeranh
Date: Sat, 28 Feb 2026 02:59:56 +0100
Subject: [PATCH] this will be developed on a separate branch
---
 hosts/auth/authentik.nix | 74 ---------
 hosts/auth/default.nix | 34 -----
 hosts/auth/hardware-configuration.nix | 38 -----
 hosts/auth/hetzner-disk.nix | 56 -------
 hosts/mail/default.nix | 206 --------------------------
 hosts/mail/hardware-configuration.nix | 38 -----
 hosts/mail/hetzner-disk.nix | 56 -------
 7 files changed, 502 deletions(-)
 delete mode 100644 hosts/auth/authentik.nix
 delete mode 100644 hosts/auth/default.nix
 delete mode 100644 hosts/auth/hardware-configuration.nix
 delete mode 100644 hosts/auth/hetzner-disk.nix
 delete mode 100644 hosts/mail/default.nix
 delete mode 100644 hosts/mail/hardware-configuration.nix
 delete mode 100644 hosts/mail/hetzner-disk.nix
diff --git a/hosts/auth/authentik.nix b/hosts/auth/authentik.nix
deleted file mode 100644
index c7e1c3f..0000000
--- a/hosts/auth/authentik.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-{
- users.groups.authentik = { };
- users.users.authentik = {
- isSystemUser = true;
- extraGroups = [ "docker" ];
- group = "authentik";
- };
-
- virtualisation.docker.enable = true;
-
- systemd.services = {
- authentik-secrets-setup = {
- enable = true;
- };
- };
- services.authentik-ldap = {
- enable = true;
- environmentFile = "/var/lib/authentik-ldap-env";
- };
- services.authentik = {
- enable = true;
- # The environmentFile needs to be on the target host!
- # Best use something like sops-nix or agenix to manage it
- environmentFile = "/var/lib/authentik_secret";
- settings = {
- email = {
- host = "mail.${config.networking.domain}";
- port = 25;
- username = "authentik@${config.networking.domain}";
- use_tls = false;
- use_ssl = false;
- from = "authentik@${config.networking.domain}";
- };
- disable_startup_analytics = true;
- avatars = "initials";
- };
- };
-
- systemd.services.authentik-secrets-generator = {
- enable = true;
- requiredBy = [
- "authentik-secrets-setup.service"
- "authentik-worker.service"
- ];
- script = ''
- echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
- '';
- };
-
- services.nginx = {
- enable = true;
- virtualHosts = {
- "auth.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://localhost:9000";
- proxyWebsockets = true;
- recommendedProxySettings = true;
- extraConfig = ''
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- '';
- };
- };
- };
- };
-}
diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix
deleted file mode 100644
index 5954d64..0000000
--- a/hosts/auth/default.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-{
- imports = [
- ./hardware-configuration.nix
- ./authentik.nix
- ];
-
- networking.hostName = "auth";
- networking.interfaces.ens18.ipv4.addresses = [
- {
- address = "141.56.51.96";
- prefixLength = 24;
- }
- ];
-
- networking.defaultGateway.address = "141.56.51.254";
- networking.nameservers = [
- "9.9.9.9"
- "1.1.1.1"
- ];
-
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- 3389
- ];
-
- system.stateVersion = "25.05";
-}
diff --git a/hosts/auth/hardware-configuration.nix b/hosts/auth/hardware-configuration.nix
deleted file mode 100644
index b92ae55..0000000
--- a/hosts/auth/hardware-configuration.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- # fileSystems."/" =
- # {
- # device = "/dev/sda1";
- # fsType = "ext4";
- # };
-
- # swapDevices = [ ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/auth/hetzner-disk.nix b/hosts/auth/hetzner-disk.nix
deleted file mode 100644
index a679e7c..0000000
--- a/hosts/auth/hetzner-disk.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- disko.devices = {
- disk = {
- main = {
- type = "disk";
- device = "/dev/sda";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- size = "1M";
- type = "EF02"; # for grub MBR
- };
- ESP = {
- priority = 1;
- name = "ESP";
- start = "1M";
- end = "512M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [ "umask=0077" ];
- };
- };
- root = {
- size = "100%";
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ]; # Override existing partition
- subvolumes = {
- "/rootfs" = {
- mountpoint = "/";
- };
- "/home" = {
- mountOptions = [ "compress=zstd" ];
- mountpoint = "/home";
- };
- # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
- "/nix" = {
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- mountpoint = "/nix";
- };
- };
- };
- };
- };
- };
- };
- };
- };
-}
diff --git a/hosts/mail/default.nix b/hosts/mail/default.nix
deleted file mode 100644
index 75b5f84..0000000
--- a/hosts/mail/default.nix
+++ /dev/null
@@ -1,206 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-let
- generatedAliases = pkgs.writeText "generated-aliases" (
- lib.concatStringsSep "\n" (
- lib.mapCartesianProduct
- ({ aliases, domain }: "${aliases}@${domain} root@test.htw.stura-dresden.de")
- {
- aliases = [
- "abuse"
- "hostmaster"
- "noreply"
- "postmaster"
- "webmaster"
- ];
- domain = config.mailserver.domains;
- }
- )
- );
-
-in
-{
- imports = [
- ./hardware-configuration.nix
- ];
-
- security.pam.loginLimits = [
- {
- domain = "*";
- type = "soft";
- item = "nofile";
- value = "8192";
- }
- ];
- # nix.settings.trusted-users = [ "administration" ];
- # nix.settings.download-buffer-size = 6710886400;
- # boot.loader.grub.enable = true;
- # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
- # boot.loader.grub.enable = true;
- # boot.loader.grub.efiSupport = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
-
- networking.hostName = "mail";
- networking.domain = "test.htw.stura-dresden.de";
- networking.interfaces.ens18.ipv4.addresses = [
- {
- address = "141.56.51.95";
- prefixLength = 24;
- }
- ];
-
- networking.defaultGateway.address = "141.56.51.254";
- networking.nameservers = [
- "9.9.9.9"
- "1.1.1.1"
- ];
-
- services.nginx.virtualHosts = {
- "lists.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- # locations."/" = {
- # proxyPass = "http://127.0.0.1:18507";
- # };
- };
- };
- services.automx2 = {
- enable = true;
- domain = "${config.networking.domain}";
- settings = {
- automx2 = {
- db_uri = "sqlite:////var/lib/automx2/db.sqlite";
- proxy_count = 1;
- };
- };
- };
- services.mailman = {
- enable = true;
- hyperkitty = {
- enable = true;
- };
- serve.enable = true;
- webHosts = [
- "lists.${config.networking.domain}"
- ];
- };
-
- services.mailman.siteOwner = "mailman@${config.networking.domain}";
- mailserver = {
- enable = true;
- fqdn = "mail.${config.networking.domain}";
- domains = [
- "${config.networking.domain}"
- "lists.${config.networking.domain}"
- ];
- ldap = {
- enable = true;
- bind = {
- # dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
- dn = "cn=ldapuser,ou=users,dc=ldap,dc=goauthentik,dc=io";
- passwordFile = "/var/lib/dovecot_ldap_passwd";
- };
- dovecot = {
- userFilter = "(&(objectClass=posixAccount)(mail=%u))";
- passFilter = "(&(objectClass=posixAccount)(mail=%u))";
- userAttrs = "cn";
- };
- postfix = {
- filter = "(|(&(objectClass=posixAccount)(mail=%s))(&(objectClass=posixAccount)(cn=%s)))";
- mailAttribute = "mail";
- uidAttribute = "cn";
- };
- #searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
- searchBase = "DC=ldap,DC=goauthentik,DC=io";
- uris = [
- "ldap://auth.test.htw.stura-dresden.de:3389"
- ];
- };
-
- certificateScheme = "acme-nginx";
- enableImap = true;
- enableImapSsl = true;
- enableManageSieve = true;
- enableSubmission = true;
- enableSubmissionSsl = true;
- extraVirtualAliases = { };
- lmtpSaveToDetailMailbox = "no"; # DOS potential
- mailboxes = {
- Drafts = {
- auto = "subscribe";
- specialUse = "Drafts";
- };
- Sent = {
- auto = "subscribe";
- specialUse = "Sent";
- };
- Spam = {
- auto = "subscribe";
- specialUse = "Junk";
- };
- Trash = {
- auto = "subscribe";
- specialUse = "Trash";
- };
- };
- maxConnectionsPerUser = 10;
- messageSizeLimit = 10 * 1000 * 1024; # 10 MiB
-
- stateVersion = 3;
- };
-
- # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
- services.postfix =
- let
- submissionOptions = {
- # hash:/etc/postfix/virtual,
- smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf";
- smtpd_client_restrictions = "permit_sasl_authenticated,reject";
- };
- in
- {
- masterConfig = {
- submission = {
- args = [ "-v" ];
- };
- submissions = {
- args = [ "-v" ];
- };
- };
- settings.main = {
- unknown_local_recipient_reject_code = 550;
- relay_domains = [
- "hash:/var/lib/mailman/data/postfix_domains"
- ];
- transport_maps = [
- "hash:/var/lib/mailman/data/postfix_lmtp"
- ];
- local_recipient_maps = [
- "hash:/var/lib/mailman/data/postfix_lmtp"
- ];
- };
- # mapFiles = {
- # "valias" = lib.mkForce "/var/lib/postfix/valias";
- # "virtual" = lib.mkForce "/var/lib/postfix/virtual";
- # };
- submissionOptions = submissionOptions;
- submissionsOptions = submissionOptions;
- };
-
- security.acme.acceptTerms = true;
- security.acme.defaults.email = "cert@stura.htw-dresden.de";
-
- networking.firewall.allowedTCPPorts = [
- 25
- 80
- 443
- 597
- ];
-
- system.stateVersion = "24.11";
-
-}
diff --git a/hosts/mail/hardware-configuration.nix b/hosts/mail/hardware-configuration.nix
deleted file mode 100644
index b92ae55..0000000
--- a/hosts/mail/hardware-configuration.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- # fileSystems."/" =
- # {
- # device = "/dev/sda1";
- # fsType = "ext4";
- # };
-
- # swapDevices = [ ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/mail/hetzner-disk.nix b/hosts/mail/hetzner-disk.nix
deleted file mode 100644
index a679e7c..0000000
--- a/hosts/mail/hetzner-disk.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- disko.devices = {
- disk = {
- main = {
- type = "disk";
- device = "/dev/sda";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- size = "1M";
- type = "EF02"; # for grub MBR
- };
- ESP = {
- priority = 1;
- name = "ESP";
- start = "1M";
- end = "512M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [ "umask=0077" ];
- };
- };
- root = {
- size = "100%";
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ]; # Override existing partition
- subvolumes = {
- "/rootfs" = {
- mountpoint = "/";
- };
- "/home" = {
- mountOptions = [ "compress=zstd" ];
- mountpoint = "/home";
- };
- # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
- "/nix" = {
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- mountpoint = "/nix";
- };
- };
- };
- };
- };
- };
- };
- };
- };
-}