StuRa/stura-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

merge into: StuRa:master
Branches Tags
StuRa:master
StuRa:new-mail
...
pull from: StuRa:new-mail
Branches Tags
StuRa:new-mail
StuRa:master
Sign in to create a new pull request.

8 commits
master ... new-mail

Author SHA1 Message Date
goeranh
9c10e99502
wireguard network 
connection proxy->v6proxy works
connection mail->v6proxy blocked
 2026-03-21 21:27:14 +01:00
goeranh
26d56a1dfe
update dovecot ldap credentials 2026-03-21 18:23:28 +01:00
goeranh
e3a9a391c2
use secret files 2026-03-21 18:04:08 +01:00
goeranh
2fa576a302
init sops for mail and auth 2026-03-21 18:03:50 +01:00
goeranh
43cfebcec6
disable dhcp 2026-03-20 17:18:22 +01:00
goeranh
e6442b2442
add auth and mail as containers 2026-03-20 17:09:23 +01:00
goeranh
9e3fa025cd
redirect bbb 2026-03-20 17:09:01 +01:00
goeranh
5bed1bbba1
remove git hooks 2026-03-20 16:24:09 +01:00
13 changed files with 577 additions and 114 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.pre-commit-config.yaml
View file

@ -1 +0,0 @@
/nix/store/1w2s62i701n28sj08gn1445qr4v3vijp-pre-commit-config.json

59
.sops.yaml
View file

@ -1,38 +1,29 @@
# SOPS configuration for StuRa HTW Dresden infrastructure
#
# This file defines which keys can decrypt which secrets.
# Add GPG public keys (.asc files) or age keys to keys/hosts/ and keys/users/
# to grant decryption access to hosts and users respectively.
keys: keys:
# Admin/user keys - add GPG public keys here - &goeranh age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
# Example: - &mail age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr
# - &user_admin_key age1... or pgp fingerprint - &auth age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5
- &v6proxy age1gl8zmw86jkrkr7kaqugdyhvdhdrnfd72smndz2kfh4a6ec6s9yxsyrecu6
- &proxy age1g9fnxzalnqtse29xjdrvcsrnrknp8t2s7xrle73fce0jcg7r3czsj524p4
# Host keys - add host-specific keys here
# Example:
# - &host_proxy_key age1... or pgp fingerprint
# - &host_git_key age1... or pgp fingerprint
# Define which keys can access which files
creation_rules: creation_rules:
# Default rule: all secrets can be decrypted by admin keys - path_regex: hosts/mail/secrets.sops.yml$
- path_regex: secrets/.*\.yaml$ key_groups:
# key_groups: - age:
# - pgp: - *mail
# - *user_admin_key - *goeranh
# - age: - path_regex: hosts/auth/secrets.sops.yml$
# - *user_admin_key key_groups:
- age:
# Host-specific secrets (example) - *auth
# - path_regex: secrets/proxy/.*\.yaml$ - *goeranh
# key_groups: - path_regex: hosts/v6proxy/secrets.sops.yml$
# - pgp: key_groups:
# - *user_admin_key - age:
# - *host_proxy_key - *v6proxy
- *goeranh
# - path_regex: secrets/git/.*\.yaml$ - path_regex: hosts/proxy/secrets.sops.yml$
# key_groups: key_groups:
# - pgp: - age:
# - *user_admin_key - *proxy
# - *host_git_key - *goeranh

66
flake.lock generated
View file

@ -114,22 +114,6 @@
} }
}, },
"flake-compat_2": { "flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1767039857,
"narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
"owner": "NixOS",
"repo": "flake-compat",
"rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1761588595, "lastModified": 1761588595,
@ -185,34 +169,12 @@
} }
}, },
"git-hooks": { "git-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1772893680,
"narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "8baab586afc9c9b57645a734c820e4ac0a604af9",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"git-hooks_2": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
"mailserver", "mailserver",
"flake-compat" "flake-compat"
], ],
"gitignore": "gitignore_2", "gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": [
"mailserver", "mailserver",
"nixpkgs" "nixpkgs"
@ -233,27 +195,6 @@
} }
}, },
"gitignore": { "gitignore": {
"inputs": {
"nixpkgs": [
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"mailserver", "mailserver",
@ -278,8 +219,8 @@
"mailserver": { "mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_2",
"git-hooks": "git-hooks_2", "git-hooks": "git-hooks",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
@ -440,7 +381,6 @@
"inputs": { "inputs": {
"authentik": "authentik", "authentik": "authentik",
"disko": "disko", "disko": "disko",
"git-hooks": "git-hooks",
"mailserver": "mailserver", "mailserver": "mailserver",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"sops": "sops" "sops": "sops"

18
flake.nix
View file

@ -18,10 +18,6 @@
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
git-hooks = {
url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
@ -32,7 +28,6 @@
mailserver, mailserver,
disko, disko,
sops, sops,
git-hooks,
}: }:
let let
sshkeys = [ sshkeys = [
@ -47,12 +42,6 @@
devShells.x86_64-linux.default = devShells.x86_64-linux.default =
let let
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
pre-commit-check = git-hooks.lib.x86_64-linux.run {
src = ./.;
hooks = {
nixfmt-rfc-style.enable = true;
};
};
in in
pkgs.mkShell { pkgs.mkShell {
# Import GPG keys from keys directory # Import GPG keys from keys directory
@ -64,15 +53,11 @@
# Isolate sops GPG keys to .git/gnupg (optional) # Isolate sops GPG keys to .git/gnupg (optional)
# sopsCreateGPGHome = true; # sopsCreateGPGHome = true;
shellHook = ''
${pre-commit-check.shellHook}
'';
nativeBuildInputs = [ nativeBuildInputs = [
sops.packages.x86_64-linux.sops-import-keys-hook sops.packages.x86_64-linux.sops-import-keys-hook
]; ];
buildInputs = pre-commit-check.enabledPackages ++ [ buildInputs = [
pkgs.sops pkgs.sops
]; ];
}; };
@ -211,6 +196,7 @@
disko.nixosModules.disko disko.nixosModules.disko
authentik.nixosModules.default authentik.nixosModules.default
mailserver.nixosModules.mailserver mailserver.nixosModules.mailserver
sops.nixosModules.default
{ {
_module.args = { inherit self modulesPath; }; _module.args = { inherit self modulesPath; };
} }

84
hosts/auth/authentik.nix Normal file
View file

@ -0,0 +1,84 @@
{
config,
lib,
pkgs,
...
}:
{
users.groups.authentik = { };
users.users.authentik = {
isSystemUser = true;
extraGroups = [ "docker" ];
group = "authentik";
};
virtualisation.docker.enable = true;
systemd.services = {
authentik-secrets-setup = {
enable = true;
};
};
users.groups.authentik-ldap = {};
users.users.authentik-ldap = {
isSystemUser = true;
group = "authentik-ldap";
};
systemd.services.authentik-ldap.serviceConfig = {
DynamicUser = lib.mkForce false;
User = "authentik-ldap";
};
services.authentik-ldap = {
enable = true;
environmentFile = config.sops.secrets."auth/ldap-env-file".path;
# environmentFile = "/var/lib/authentik-ldap-env";
};
services.authentik = {
enable = true;
# environmentFile = "/var/lib/authentik_secret";
environmentFile = config.sops.secrets."auth/env-file".path;
settings = {
email = {
host = "mail.${config.networking.domain}";
port = 25;
username = "authentik@${config.networking.domain}";
use_tls = false;
use_ssl = false;
from = "authentik@${config.networking.domain}";
};
disable_startup_analytics = true;
avatars = "initials";
};
};
systemd.services.authentik-secrets-generator = {
enable = true;
requiredBy = [
"authentik-secrets-setup.service"
"authentik-worker.service"
];
script = ''
echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
'';
};
services.nginx = {
enable = true;
virtualHosts = {
"auth.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:9000";
proxyWebsockets = true;
recommendedProxySettings = true;
extraConfig = ''
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};
};
}

45
hosts/auth/default.nix Normal file
View file

@ -0,0 +1,45 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
sops = {
defaultSopsFile = ./secrets.sops.yml;
secrets = {
"auth/env-file".owner = "authentik";
"auth/ldap-env-file".owner = "authentik";
};
};
imports = [
"${modulesPath}/virtualisation/proxmox-lxc.nix"
./authentik.nix
];
networking = {
hostName = "auth";
domain = lib.mkForce "test.htw.stura-dresden.de";
useDHCP = false;
interfaces.eth0.ipv4.addresses = [
{
address = "141.56.51.96";
prefixLength = 24;
}
];
defaultGateway = {
address = "141.56.51.254";
interface = "eth0";
};
firewall.allowedTCPPorts = [
80
443
3389
];
};
system.stateVersion = "25.05";
}

27
hosts/auth/secrets.sops.yml Normal file
View file

@ -0,0 +1,27 @@
auth:
env-file: ENC[AES256_GCM,data:WDJ3daYCxybublm8VWO8W5HHmYYWKOcw81f+fQ0Vz78EOvbYI+SgEwnuAd/0/eeGkTPEJPSCfbymArs+YRTdibgO5y/34jdN0DOVQetZLPXrDbcZ/Sg=,iv:bykKdvkgmxwgptkGHKH4rnFknPA0PTrW+mEqIzIYERk=,tag:8UKhLz/VoPiXckcIEBfrLg==,type:str]
ldap-env-file: ENC[AES256_GCM,data:CpgiiUin3hj8+aykcSU2rasaCFt/CAC5lK3Ek7zxzw6hYCkhwxIc9a4Xfy9SxSQtASJ5dOOrOaa8gA1ahf4Z1g/1981fhxlQPeJd9PlJFgdL4CP5P6ZrPBKZKgygnreUo6HC7Rfc9x2CRmnDhQvMVUmQL9akZRNYasX+9IlRyKmLSFmi35IuryFhVLwfjfECmq51/Xo2WYzjWrayfFuOpS0jHWicQxXvXq6QcLvqmbk5euXiHDkFXOXcwMRr6mAompDAKa9BKXqcRDbxOWqzJ1gflEJvOJi249PeYFo+poTK1CUtBCTejFo=,iv:P1xN6wq5oeba1LSEn6UiArOka37alV/PhI5kOmpfDG0=,tag:Xisd5elHQ8mhvE6YEbCuLg==,type:str]
sops:
age:
- recipient: age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRmV2dGt1UXZ3M2RKd24y
V0x4MzZyYUh0aDVwQ1NmOCtyOHR6Z1c0R1ZNCi80Nk9PZFVTcVFIQjlZVXJNeXBN
TC9td05ZeWVVTCtFSWhqazN6bFF3akkKLS0tIEV3YzdRUDA5Q2dBd2JWUWNqOTU4
SnZtdVd4Q3lCaStJTnV4U2cvZUZEMlkK85XYSh6VbDFPKPIhKBKtkErGtgsHjXxy
kq14EXwfZnnBlR76JMQgPvSLrDLdj+4tDIVcuE4JplCoSvbGKckGww==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQm5nUHkzZExKOXNzNjk4
Y1JURVJwNXhFUGZJak8vbEtCNnE2dHFuNVVNClJHQ3E2RGJkbUtlMDNwcy9Ib01Q
dG9nRTVJejkySTdlb2IrbHF4Z3ZMTmcKLS0tIHUwNndGdW9EaWwyNmRUb2NQU2Vs
MC9VSmVqVlVHRlJ4NXozUkQ4ZDVEVlkKbfVoBNsral3n7rG7ujUgdQXF68EVB+4G
MKMuOiY05QGBViLYyKh1jioHv6nds1hCuc2vpLNB3J0KT3I2q/a0VQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-21T16:42:34Z"
mac: ENC[AES256_GCM,data:i9hTUqbrmc2mD8PAbCe2gWern4ArMIkTQWN7eaJcsjZ9m6LZjOQFpnrpgPg6fj3hazgnFn86veNvQGe/J50NLnwj2FCyF3jKG3xkc7rKa9fyD0Yz0XnpbNKtDb2YGxwyBmLsnnyl6sdpyvPipZYCfwM+bhB8OERIXVXKwbZOn1A=,iv:dKI/NsMcVBNBOw0kYEQqrgfdvLKDg4NM/yRBYDqXIxU=,tag:xkg0z7IUy2m4ivosB925vQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1

233
hosts/mail/default.nix Normal file
View file

@ -0,0 +1,233 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
let
generatedAliases = pkgs.writeText "generated-aliases" (
lib.concatStringsSep "\n" (
lib.mapCartesianProduct
({ aliases, domain }: "${aliases}@${domain} root@test.htw.stura-dresden.de")
{
aliases = [
"abuse"
"hostmaster"
"noreply"
"postmaster"
"webmaster"
];
domain = config.mailserver.domains;
}
)
);
in
{
sops = {
defaultSopsFile = ./secrets.sops.yml;
secrets = {
"ldap_passwd".owner = "dovecot2";
"wireguard-key".owner = "systemd-network";
};
};
imports = [
"${modulesPath}/virtualisation/proxmox-lxc.nix"
];
security.pam.loginLimits = [
{
domain = "*";
type = "soft";
item = "nofile";
value = "8192";
}
];
networking = {
hostName = "mail";
domain = lib.mkForce "test.htw.stura-dresden.de";
useDHCP = false;
interfaces.ens18.ipv4.addresses = [
{
address = "141.56.51.95";
prefixLength = 24;
}
];
defaultGateway = {
address = "141.56.51.254";
interface = "eth0";
};
wireguard = {
enable = true;
interfaces = {
sturauplink = {
privateKeyFile = config.sops.secrets."wireguard-key".path;
ips = [
"10.100.0.20/24"
"fd28:6691:1921:6299::20/64"
];
peers = [
# mail.test.htw.stura-dresden.de
{
endpoint = "hetzner.test.htw.stura-dresden.de:51820";
allowedIPs = [
"10.100.0.1/24"
];
publicKey = "Tg/SNniezzF4DUnvUl1/JxQwS18POrUR20UmkQDt+X0=";
}
];
};
};
};
};
services.nginx.virtualHosts = {
"lists.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
# locations."/" = {
# proxyPass = "http://127.0.0.1:18507";
# };
};
};
services.automx2 = {
enable = true;
domain = "${config.networking.domain}";
settings = {
automx2 = {
db_uri = "sqlite:////var/lib/automx2/db.sqlite";
proxy_count = 1;
};
};
};
services.mailman = {
enable = true;
hyperkitty = {
enable = true;
};
serve.enable = true;
webHosts = [
"lists.${config.networking.domain}"
];
};
services.mailman.siteOwner = "mailman@${config.networking.domain}";
mailserver = {
enable = true;
fqdn = "mail.${config.networking.domain}";
domains = [
"${config.networking.domain}"
"lists.${config.networking.domain}"
];
ldap = {
enable = true;
bind = {
# dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
dn = "cn=dovecot,ou=users,dc=mail,dc=htw,dc=stura-dresden,dc=de";
# passwordFile = "/var/lib/dovecot_ldap_passwd";
passwordFile = config.sops.secrets.ldap_passwd.path;
};
dovecot = {
userFilter = "(&(objectClass=posixAccount)(mail=%u))";
passFilter = "(&(objectClass=posixAccount)(mail=%u))";
userAttrs = "cn";
};
postfix = {
filter = "(|(&(objectClass=posixAccount)(mail=%s))(&(objectClass=posixAccount)(cn=%s)))";
mailAttribute = "mail";
uidAttribute = "cn";
};
#searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
searchBase = "dc=mail,dc=htw,dc=stura-dresden,dc=de";
uris = [
"ldap://auth.test.htw.stura-dresden.de:3389"
];
};
certificateScheme = "acme-nginx";
enableImap = true;
enableImapSsl = true;
enableManageSieve = true;
enableSubmission = true;
enableSubmissionSsl = true;
extraVirtualAliases = { };
lmtpSaveToDetailMailbox = "no"; # DOS potential
mailboxes = {
Drafts = {
auto = "subscribe";
specialUse = "Drafts";
};
Sent = {
auto = "subscribe";
specialUse = "Sent";
};
Spam = {
auto = "subscribe";
specialUse = "Junk";
};
Trash = {
auto = "subscribe";
specialUse = "Trash";
};
};
maxConnectionsPerUser = 10;
messageSizeLimit = 10 * 1000 * 1024; # 10 MiB
stateVersion = 3;
};
# services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
services.postfix =
let
submissionOptions = {
# hash:/etc/postfix/virtual,
smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf";
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
};
in
{
masterConfig = {
submission = {
args = [ "-v" ];
};
submissions = {
args = [ "-v" ];
};
};
settings.main = {
unknown_local_recipient_reject_code = 550;
relay_domains = [
"hash:/var/lib/mailman/data/postfix_domains"
];
transport_maps = [
"hash:/var/lib/mailman/data/postfix_lmtp"
];
local_recipient_maps = [
"hash:/var/lib/mailman/data/postfix_lmtp"
];
};
# mapFiles = {
# "valias" = lib.mkForce "/var/lib/postfix/valias";
# "virtual" = lib.mkForce "/var/lib/postfix/virtual";
# };
submissionOptions = submissionOptions;
submissionsOptions = submissionOptions;
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "cert@stura.htw-dresden.de";
networking.firewall.allowedTCPPorts = [
25
80
443
597
];
system.stateVersion = "24.11";
}

26
hosts/mail/secrets.sops.yml Normal file
View file

@ -0,0 +1,26 @@
ldap_passwd: ENC[AES256_GCM,data:adUZCZcYfoxBQm3e4YeeXcQJSZjB3+v2zSNy7q0Ao39aDQMH5H0w4o9MXTREkPHW53JejC2ivo8Zl3yUhkeYRw==,iv:XB25CmtUGf+PeSsHtr+CA/HIfZq1IrOBPPQD3/r6Kc4=,tag:A/WGViM/Ix7n6mhjnbCtZg==,type:str]
wireguard-key: ENC[AES256_GCM,data:5EWg5yF1CDKIusFwONVSzxSMM0cfOzyUYcWQ0f8xTHZ7bViAw8HbjJpRI4o=,iv:UNTv+994Q5VscsjgWS4ppkHX0gPy7vc/qmRCYKvR8CE=,tag:i8ydlyJSfIUj81j78EX5Fg==,type:str]
sops:
age:
- recipient: age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsenVrS0tkTWZRY2xDZklO
WTcwaENIY2I1bTFGMEZZVzBoeUNrT2RESmhFCnZXU2M1SjlGQWo0OEp0TzI0c21u
UkNuNEdQQldQdy9uSzhveEM2eFZrRUkKLS0tIGV4S3lreHJPVS96VUZ6SXRaSklW
MUE4eXN0bkNkU0dCckppdldvV2V4dHcKdKh6ekq6hB5pCUAEPdASqsxqAKZDwzCv
NyS2jitHo9XBtMQVJg4PmNcoRs5XLdqy2tP8upnGelj0B/Q9D+dhag==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVlVrdXhGMDRxMjhPb3Nv
c3lBS25OKzJIaWhHWHpKQXo0N1dFTnZLaHdnClVFVTFPVE1rNFVEclFVc3VjQVhu
SjF6Nnp6dE9oRUJYUVVnOWVpVE11WVkKLS0tIEJ0aVJzejROMHFPK1JQbkJjbUdi
bGU3WWhVMGJ2LzI4N2E1Zy9RNnJ2V2MK4UQPwE5GUVTGvnuZ9knQ+BHmzmRLA1V5
SinlJfHcs+9B7haHzAekDdNqZgEUh2tblabHqq/vNWzd0rWpK31Dww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-21T18:05:57Z"
mac: ENC[AES256_GCM,data:NJM8uwSGIrjy4t+3AwNxp2e569ArH/cnRDipsHnTTQYV5NJLOTtwoFnTqVHBSREc2Sh38gXKye1ncwS3IG5CMsF1nsLOL/+Y9mUqQkLeWeld6Kal8c99yIr2oz8Hk4JTJt4j2C8/aNFhqu62VF7F6JNElWq2F3J5TPKPHRbE9yY=,iv:mj18t2s9hqNV4ore9T4R4jOgUGPuXGqwW91M9Uoh6aQ=,tag:v6T7LXjLQGoc9leFI5zY0g==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1

44
hosts/proxy/default.nix
View file

@ -6,6 +6,12 @@
... ...
}: }:
{ {
sops = {
defaultSopsFile = ./secrets.sops.yml;
secrets = {
"wireguard-key".owner = "systemd-network";
};
};
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./hetzner-disk.nix ./hetzner-disk.nix
@ -13,6 +19,7 @@
networking = { networking = {
hostName = "proxy"; hostName = "proxy";
nameservers = [ "141.56.51.1" ];
interfaces.ens18.ipv4.addresses = [ interfaces.ens18.ipv4.addresses = [
{ {
address = "141.56.51.1"; address = "141.56.51.1";
@ -37,6 +44,30 @@
nftables = { nftables = {
enable = true; enable = true;
}; };
wireguard = {
enable = true;
interfaces = {
sturauplink = {
privateKeyFile = config.sops.secrets."wireguard-key".path;
ips = [
"10.100.0.2/24"
"fd28:6691:1921:6299::2/64"
];
listenPort = 51820;
peers = [
# mail.test.htw.stura-dresden.de
{
endpoint = "hetzner.test.htw.stura-dresden.de:51820";
allowedIPs = [
"10.100.0.0/24"
];
persistentKeepalive = 30;
publicKey = "Tg/SNniezzF4DUnvUl1/JxQwS18POrUR20UmkQDt+X0=";
}
];
};
};
};
}; };
# wenn instanzen in die flake migriert sind könnte man das autogenerierien # wenn instanzen in die flake migriert sind könnte man das autogenerierien
@ -143,6 +174,18 @@
httpPort = 80; httpPort = 80;
httpsPort = 443; httpsPort = 443;
}; };
bbb = {
dest = "141.56.51.94";
domain = "bbb.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
bbb-test = {
dest = "141.56.51.94";
domain = "bbb.test.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
} }
# zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert # zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert
// (builtins.foldl' // (builtins.foldl'
@ -243,6 +286,7 @@
proxy IN AAAA 2a01:4f8:1c19:96f8::1 proxy IN AAAA 2a01:4f8:1c19:96f8::1
; Auto-generated CNAME records for all subdomains pointing to proxy ; Auto-generated CNAME records for all subdomains pointing to proxy
hetzner.test IN A 178.104.18.93
${lib.foldlAttrs ( ${lib.foldlAttrs (
prev: name: value: prev: name: value:
let let

25
hosts/proxy/secrets.sops.yml Normal file
View file

@ -0,0 +1,25 @@
wireguard-key: ENC[AES256_GCM,data:tEKd+iwfyabTj/spqh08Um3FX4grLeffTxCvBivkXrNqIzOymBdcgQL4IJ4=,iv:Z2sr5yzxTKXgBgfcd3LWB9jT2fX3uRpX07r4yMplSNY=,tag:IWgiEjjbHbIUORhwKjTM6g==,type:str]
sops:
age:
- recipient: age1g9fnxzalnqtse29xjdrvcsrnrknp8t2s7xrle73fce0jcg7r3czsj524p4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcUhhSlVQcHgvUEtDa0E2
UU1ON3NiUUlHTXFUOEdNeUdGVWNVTWRRNW0wCmhTVnJONlZSMmt2OVJiMys5bnM2
TDZPMExYaWlKSVFPVERnS1QvVTJlNXMKLS0tIElTYmxHNTFPSmNXYnkrY2RtRUVL
WHBCYWhtSWt1QW9hbEFwVmdqWUxjUmMKpqfV/bJVfyDI2Wa+jlwsXMx3tNV9G0S2
VhmmpDnEJn6UDWAMYxNv0g3rtfhBkb2HyCtANNVQ7QROua9WHzJjlg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVUVkdDljcForNEJ2WmNm
N0QvTWhQWXQ1VHh5b0pCZFQ3aGxXSGY2bXprCmpEV2l6bkxnUDByNVZaVVR6N2lE
OG1sYkJrQmFVWW1vWXRZL1A2S29MejQKLS0tIEFKbkRmdWM0QW9vVlJWZElXSUcw
b1pCMjNIN1padE5JNVpZNFYwMnZGd00KM415cr6nuN6zfhDcfXFN2lMDWogLwDSE
Kq/ykUSuN9IU6AhslgBNRCmJRVHIzCmu5dU5NVZeqN1YT/EyAbEcyw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-21T18:56:03Z"
mac: ENC[AES256_GCM,data:v1RkpxjvgLHS3OOA2aEG+uJ3yWpOvJLwFA5jRBRtMoMvrBD8O8sikzWJUczQnpw85F/ieFqK6RdT8SBA9lIuPXYMRRS8icHI2a8P+zwySsWsnzc9UaJjjvKtkYo9nnPNCM36HAFOKHiAzBm7FWMt1Tl+WQMyVCWLXCN7ao0MjIo=,iv:8xCrY7QOhW5Mc/AWWXFocqwTUD9qvH4dLYYtnsU6PHw=,tag:09Nw7qFfjefrv0jBwaFINA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1

38
hosts/v6proxy/default.nix
View file

@ -6,6 +6,12 @@
... ...
}: }:
{ {
sops = {
defaultSopsFile = ./secrets.sops.yml;
secrets = {
"wireguard-key".owner = "systemd-network";
};
};
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./hetzner-disk.nix ./hetzner-disk.nix
@ -48,6 +54,37 @@
nftables = { nftables = {
enable = true; enable = true;
}; };
wireguard = {
enable = true;
interfaces = {
sturauplink = {
listenPort = 51820;
privateKeyFile = config.sops.secrets."wireguard-key".path;
ips = [
"10.100.0.1/24"
"fd28:6691:1921:6299::1/64"
];
peers = [
# mail.test.htw.stura-dresden.de
{
allowedIPs = [
"10.100.0.20/32"
];
publicKey = "9Ep/YZLbnGEVWHgVmmwq2Sv/8awwGaHdwiSuIUkWtnk=";
}
# proxy.htw.stura-dresden.de
{
allowedIPs = [
"10.100.0.2/32"
"fd28:6691:1921:6299::2/64"
];
endpoint = "141.56.51.1:51820";
publicKey = "pUHtAHCDHVQBnqtlIgTkEMHbxXpQmVA0HhxiFUrUb0U=";
}
];
};
};
};
}; };
# wenn instanzen in die flake migriert sind könnte man das autogenerierien # wenn instanzen in die flake migriert sind könnte man das autogenerierien
@ -102,6 +139,7 @@
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wireguard-tools
]; ];
system.stateVersion = "25.11"; system.stateVersion = "25.11";

25
hosts/v6proxy/secrets.sops.yml Normal file
View file

@ -0,0 +1,25 @@
wireguard-key: ENC[AES256_GCM,data:K3UoCWtF2rL8uCzmu8yn4sHKHOrcKmnNBvRQdC9Ph3fWMdDqNqh0jwSByjQ=,iv:feFxNykRK1RJ6EPPVXqXtEVmXeGez4PwJ9h7m1KYUIE=,tag:hSTf/gAUVSjI1GburqRDVA==,type:str]
sops:
age:
- recipient: age1gl8zmw86jkrkr7kaqugdyhvdhdrnfd72smndz2kfh4a6ec6s9yxsyrecu6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbVd3OUNCMUI3eUI2QlVa
WFNjVUpXYVlLdUxiSzhQdHhhRWRpWEhzV1IwCkdYMG5DOXBxTnMwNFpYM1FweDNp
ZXd2aXJaNWxOYXRnaW1nSjdNQVpQOU0KLS0tIEY4Q1JqV1FSekVwc0prNjRCUDdm
cmpLdW1abFR5SlhxZnpJdnBlNjJQOGMK+JcLyiSCfhVPnhqpqTzB7flFWTff3GcK
9779AvKVnhsDb5LDPOi4Ah5gAJfq+JZ/+IiTUqk0a4AWuN9PiyTMGA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncnVRVi91OWsxejJiS0Y0
L2licWRJQ1pGTlZOMEM0VHdyOWlFbEgyRENVCmwxSndQamRZM2NKbW14TTI4aFBV
MHQ3YkJwNUhkWlJNSTB2RFBpZEswT28KLS0tIC9EVUxvYk04ek5xc1d4TXl5RFVD
MkFyQkxCWDdWQjUxQ0QwcjlScGxPWWMKtzYvXoSSPGhVFlwzdtZylu3eTE5EKxqO
OIq9IOOujV3K1dzj5uwmCI+EoEasOMLy7Sa4++1WZmRVmVxFa91/gw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-21T17:41:20Z"
mac: ENC[AES256_GCM,data:f94ubkkhUDMkvEPEYYGVg1mahaMmXqAdMcF9Vl16jj7FQTvJy9GCg+1F7eBOu0endpcTQo2a/apd2u7tnzA0IE3CfXo2U8d8aun6yTxxn9qopnxypP2v6mGDHsGbaUI3r+/ZgLXtGDDN+gS/zyu06CPFq/TdLnmcO9zuXAeBmWc=,iv:5VEsRV20A56FKNRQlgojY5TQLhW+kgotQBPgElZY+uQ=,tag:K13Owxl3MDwf5n9soXxiXA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1