Fully switch to nftables and have it work finally

This commit is contained in:
Jimbo 2024-08-12 03:27:41 -04:00
parent ef40fb1f4b
commit 2260afc205


@ -5,14 +5,15 @@ let
"https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz"; "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";
# Define domains and ips # Define domains and ips
jimdomain = ''jimbosfiles.com''; jimDomain = ''jimbosfiles.com'';
bloxeldomain = ''bloxelcom.net''; bloxelDomain = ''bloxelcom.net'';
# IPs # IPs
localspan = ''192.168.2''; netInt = ''eno1'';
pc = ''${localspan}.10''; localSpan = ''192.168.2'';
server = ''${localspan}.11''; pcIP = ''${localSpan}.10'';
vm = ''${localspan}.70''; serverIP = ''${localSpan}.11'';
vmIP = ''${localSpan}.70'';
# Secrets and passwords # Secrets and passwords
secrets = import ./secrets.nix; secrets = import ./secrets.nix;
@ -43,7 +44,6 @@ in
# Choose Grub as the bootloader # Choose Grub as the bootloader
boot = { boot = {
kernelPackages = pkgs.linuxPackages_xanmod;
loader.systemd-boot = { loader.systemd-boot = {
enable = true; enable = true;
netbootxyz.enable = true; netbootxyz.enable = true;
@ -108,75 +108,63 @@ in
# Define timezone and networking settings # Define timezone and networking settings
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
networking = { networking = {
# Set hostname
hostName = "JimNixServer"; hostName = "JimNixServer";
# Choose networking method # Choose networking method
dhcpcd.enable = true; dhcpcd.enable = true;
wireless.enable = false; wireless.enable = false;
# Enable nftables over iptables
nftables.enable = true;
# Configure firewall # Configure firewall
firewall = { firewall = {
# Allow different ports
allowedTCPPorts = [ allowedTCPPorts = [
# NFS 80 443 # Nginx
2049 25565 19132 5657 # Minecraft & Pufferpanel SFTP
2299 # Gitea SSH
# Nginx 3478 5349 # Coturn
80 443
# Minecraft
25565 19132
# Pufferpanel SFTP
5657
# Gitea SSH
2299
# Coturn
3478 5349
]; ];
allowedTCPPortRanges = [ allowedTCPPortRanges = [
# Also Azuracast { from = 8100; to = 8150; } # Azuracast
{ from = 8100; to = 8150; }
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
# Minecraft Voicechat and Bedrock 25565 19132 # Minecraft Voicechat and Bedrock
25565 19132 3478 5349 # Coturn UDP
# Coturn again
3478 5349
]; ];
allowedUDPPortRanges = [ allowedUDPPortRanges = [
# Coturn { from = 49000; to = 50000; } # Coturn range
{ from = 49000; to = 50000; }
]; ];
# Forward rules for nftables # Add extra input rules using nftables
extraForwardRules = ''
# Allow forwarding of basic ports from PC
ip saddr ${pc} tcp dport 2211 accept comment "SSH from PC"
ip saddr ${pc} udp dport { 27005, 27015, 7777, 29000 } accept comment "Games from PC"
# Allow forwarding of Sunshine traffic
ip saddr ${pc} tcp dport { 48010, 47989, 47984 } accept comment "Sunshine TCP from PC"
ip saddr ${pc} udp dport { 47998, 47999, 48000 } accept comment "Sunshine UDP from PC"
'';
# Completely change to nftables
extraInputRules = '' extraInputRules = ''
# Set an IP firewall for RTMP ip saddr ${localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS"
ip saddr { ${pc}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP" ip saddr { ${pcIP}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
ip saddr { 0.0.0.0/0 } tcp dport { 1935, 1945 } drop
''; '';
# Disallow pinging this server # Disallow pinging this server
allowPing = false; allowPing = false;
}; };
# Enable nftables and forwarding
nftables = {
enable = true;
tables.forwarding = {
family = "ip";
content = ''
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
tcp dport 2211 dnat to ${pcIP} comment "SSH from PC"
udp dport { 27005, 27015, 7777 } dnat to ${pcIP} comment "Games from PC"
tcp dport { 58010, 57989, 57984 } dnat to ${pcIP} comment "Sunshine TCP from PC"
udp dport { 57998, 57999, 58000 } dnat to ${pcIP} comment "Sunshine UDP from PC"
tcp dport { 38010, 37989, 37984 } dnat to ${vmIP} comment "Sunshine TCP from VM"
udp dport { 37998, 37999, 38000 } dnat to ${vmIP} comment "Sunshine UDP from VM"
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
oifname "${netInt}" masquerade
}
'';
};
};
}; };
# Boot with compatibility for IP forwarding # Boot with compatibility for IP forwarding
@ -203,14 +191,15 @@ in
fail2ban = { fail2ban = {
enable = true; enable = true;
maxretry = 5; maxretry = 5;
ignoreIP = [ "${pc}" "${server}" "${vm}" ]; bantime = "5m";
ignoreIP = [ "${pcIP}" "${vmIP}" ];
}; };
# NFS server # NFS server
nfs.server = { nfs.server = {
enable = true; enable = true;
exports = '' exports = ''
/export/JimboNFS ${localspan}.0/24(rw,no_subtree_check) /export/JimboNFS ${localSpan}.0/24(rw,no_subtree_check)
''; '';
}; };
@ -226,18 +215,18 @@ in
recommendedProxySettings = true; recommendedProxySettings = true;
virtualHosts = { virtualHosts = {
# Homepage redirect # Homepage redirect
"${jimdomain}" = { "${jimDomain}" = {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
locations."/" = { locations."/" = {
extraConfig = " extraConfig = "
return 301 https://social.${bloxeldomain}/@jimbo; return 301 https://social.${bloxelDomain}/@jimbo;
"; ";
}; };
}; };
# Nextcloud Proxy # Nextcloud Proxy
"cloud.${jimdomain}" = { "cloud.${jimDomain}" = {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
locations."/" = { locations."/" = {
@ -255,7 +244,7 @@ in
}; };
# Vaultwarden Proxy # Vaultwarden Proxy
"warden.${jimdomain}" = { "warden.${jimDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -265,7 +254,7 @@ in
}; };
# Recipes Proxy # Recipes Proxy
"recipes.${jimdomain}" = { "recipes.${jimDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -275,7 +264,7 @@ in
}; };
# Bluemap Proxy # Bluemap Proxy
"bluemap.${jimdomain}" = { "bluemap.${jimDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -285,7 +274,7 @@ in
}; };
# Gitea Proxy # Gitea Proxy
"git.${jimdomain}" = { "git.${jimDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -295,7 +284,7 @@ in
}; };
# Gitea Proxy # Gitea Proxy
"mc.${jimdomain}" = { "mc.${jimDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -305,51 +294,37 @@ in
}; };
# Matrix Proxy # Matrix Proxy
"matrix.${bloxeldomain}" = { "matrix.${bloxelDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations = { locations = {
"/".extraConfig = ''return 403;''; "/".extraConfig = ''return 403;'';
"/_matrix".proxyPass = "http://[::1]:8008"; "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse".proxyPass = "http://[::1]:8008"; "/client".proxyPass = "http://127.0.0.1:8009";
"/client".proxyPass = "http://[::1]:8008"; "/_matrix".proxyPass = "http://127.0.0.1:8008";
}; "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
# Matrix Sliding Sync Proxy
"syncv3.${bloxeldomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/_matrix".proxyPass = "http://[::1]:8009";
"/client".proxyPass = "http://[::1]:8009";
"/sync".proxyPass = "http://[::1]:8009";
"/unstable".proxyPass = "http://[::1]:8009";
"/org.matrix.msc3575".proxyPass = "http://[::1]:8009";
}; };
}; };
# Element Proxy # Element Proxy
"chat.${bloxeldomain}" = { "chat.${bloxelDomain}" = {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
root = "${pkgs.element-web}"; root = "${pkgs.element-web}";
}; };
# Coturn Proxy # Coturn Proxy
"turn.${bloxeldomain}" = { "turn.${bloxelDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
listen = [ listen = [
{ addr = "[::]"; port = 80; ssl = false; }
{ addr = "0.0.0.0"; port = 80; ssl = false; } { addr = "0.0.0.0"; port = 80; ssl = false; }
]; ];
locations."/".proxyPass = "http://[::1]:1380"; locations."/".proxyPass = "http://127.0.0.1:1380";
}; };
# Radio Proxy # Radio Proxy
"wbxdradio.${bloxeldomain}" = { "wbxdradio.${bloxelDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -359,7 +334,7 @@ in
}; };
# Streaming proxy # Streaming proxy
"live.${bloxeldomain}" = { "live.${bloxelDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -369,7 +344,7 @@ in
}; };
# Mail certificate proxy # Mail certificate proxy
"mx.${bloxeldomain}" = { "mx.${bloxelDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -379,26 +354,19 @@ in
}; };
# Add SSL to Lemmy # Add SSL to Lemmy
"lemmy.${bloxeldomain}" = { "lemmy.${bloxelDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
# Staging Bloxel Proxy # Staging Bloxel Proxy
"staging.${bloxeldomain}" = { "staging.${bloxelDomain}" = {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
root = "/var/www/bloxelcomweb/landing-page/"; root = "/var/www/bloxelcomweb/landing-page/";
locations = { locations = {
"/BloxelcomCable/hls" = { "/BloxelcomCable/hls" = {
extraConfig = '' extraConfig = ''
# Disable cache
add_header Last-Modified $date_gmt;
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
etag off;
# Allow serving m3u8 files # Allow serving m3u8 files
types { types {
application/vnd.apple.mpegurl m3u8; application/vnd.apple.mpegurl m3u8;
@ -412,10 +380,13 @@ in
return 200 ' return 200 '
{ {
"m.homeserver": { "m.homeserver": {
"base_url": "https://${bloxeldomain}" "base_url": "https://matrix.${bloxelDomain}"
},
"m.identity_server": {
"base_url": "https://matrix.${bloxelDomain}"
}, },
"org.matrix.msc3575.proxy": { "org.matrix.msc3575.proxy": {
"url": "https://syncv3.${bloxeldomain}" "url": "https://matrix.${bloxelDomain}"
} }
}'; }';
''; '';
@ -423,7 +394,7 @@ in
"/.well-known/matrix/server" = { "/.well-known/matrix/server" = {
extraConfig = '' extraConfig = ''
default_type application/json; default_type application/json;
return 200 '{"m.server": "matrix.${bloxeldomain}:443"}'; return 200 '{"m.server": "https://matrix.${bloxelDomain}"}';
''; '';
}; };
}; };
@ -459,7 +430,7 @@ in
nextcloud = { nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud29; package = pkgs.nextcloud29;
hostName = "cloud.${jimdomain}"; hostName = "cloud.${jimDomain}";
datadir = "/mnt/nextcloud"; datadir = "/mnt/nextcloud";
https = true; https = true;
config = { config = {
@ -468,15 +439,15 @@ in
}; };
settings = { settings = {
trusted_proxies = [ "127.0.0.1" ]; trusted_proxies = [ "127.0.0.1" ];
trusted_domains = [ "cloud.${jimdomain}" ]; trusted_domains = [ "cloud.${jimDomain}" ];
overwriteprotocol = "https"; overwriteprotocol = "https";
# Mailserver settings # Mailserver settings
mail_smtphost = "mx.${bloxeldomain}"; mail_smtphost = "mx.${bloxelDomain}";
mail_domain = "${bloxeldomain}"; mail_domain = "${bloxelDomain}";
mail_from_address = "noreply"; mail_from_address = "noreply";
mail_smtpauth = "true"; mail_smtpauth = "true";
mail_smtpname = "noreply@${bloxeldomain}"; mail_smtpname = "noreply@${bloxelDomain}";
mail_smtppassword = secrets.noreplyPassword; mail_smtppassword = secrets.noreplyPassword;
mail_smtpmode = "smtp"; mail_smtpmode = "smtp";
mail_smtpport = 587; mail_smtpport = 587;
@ -487,17 +458,17 @@ in
vaultwarden = { vaultwarden = {
enable = true; enable = true;
config = { config = {
DOMAIN = "https://warden.${jimdomain}"; DOMAIN = "https://warden.${jimDomain}";
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1"; ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222; ROCKET_PORT = 8222;
ROCKET_LOG = "critical"; ROCKET_LOG = "critical";
# Smtp email # Smtp email
SMTP_HOST = "mx.${bloxeldomain}"; SMTP_HOST = "mx.${bloxelDomain}";
SMTP_FROM = "noreply@${bloxeldomain}"; SMTP_FROM = "noreply@${bloxelDomain}";
SMTP_FROM_NAME = "Vaultwarden"; SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "noreply@${bloxeldomain}"; SMTP_USERNAME = "noreply@${bloxelDomain}";
SMTP_PASSWORD = secrets.noreplyPassword; SMTP_PASSWORD = secrets.noreplyPassword;
SMTP_SECURITY = "starttls"; SMTP_SECURITY = "starttls";
SMTP_PORT = 587; SMTP_PORT = 587;
@ -516,16 +487,16 @@ in
enable = true; enable = true;
settings = { settings = {
server = { server = {
DOMAIN = "git.${jimdomain}"; DOMAIN = "git.${jimDomain}";
ROOT_URL = "https://git.${jimdomain}:443"; ROOT_URL = "https://git.${jimDomain}:443";
HTTP_PORT = 3110; HTTP_PORT = 3110;
SSH_PORT = 2299; SSH_PORT = 2299;
START_SSH_SERVER = true; START_SSH_SERVER = true;
}; };
mailer = { mailer = {
ENABLED = true; ENABLED = true;
SMTP_ADDR = "mx.${bloxeldomain}"; SMTP_ADDR = "mx.${bloxelDomain}";
FROM = "noreply@${bloxeldomain}"; FROM = "noreply@${bloxelDomain}";
PASSWD = secrets.noreplyPassword; PASSWD = secrets.noreplyPassword;
PROTOCOL = "smtp+starttls"; PROTOCOL = "smtp+starttls";
SMTP_PORT = 587; SMTP_PORT = 587;
@ -539,12 +510,11 @@ in
enable = true; enable = true;
environment = { environment = {
PUFFER_WEB_HOST = ":5010"; PUFFER_WEB_HOST = ":5010";
PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimdomain}"; PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimDomain}";
PUFFER_PANEL_REGISTRATIONENABLED = "false";
PUFFER_PANEL_EMAIL_PROVIDER = "smtp"; PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
PUFFER_PANEL_EMAIL_HOST = "mx.${bloxeldomain}:587"; PUFFER_PANEL_EMAIL_HOST = "mx.${bloxelDomain}:587";
PUFFER_PANEL_EMAIL_FROM = "noreply@${bloxeldomain}"; PUFFER_PANEL_EMAIL_FROM = "noreply@${bloxelDomain}";
PUFFER_PANEL_EMAIL_USERNAME = "noreply@${bloxeldomain}"; PUFFER_PANEL_EMAIL_USERNAME = "noreply@${bloxelDomain}";
PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword; PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword;
}; };
extraPackages = with pkgs; [ bash curl gawk gnutar gzip ]; extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
@ -590,7 +560,7 @@ in
min-port = 49000; min-port = 49000;
max-port = 50000; max-port = 50000;
use-auth-secret = true; use-auth-secret = true;
realm = "turn.${bloxeldomain}"; realm = "turn.${bloxelDomain}";
static-auth-secret = "will be world readable for local users :("; static-auth-secret = "will be world readable for local users :(";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
@ -600,8 +570,8 @@ in
matrix-synapse = with config.services.coturn; { matrix-synapse = with config.services.coturn; {
enable = true; enable = true;
settings = { settings = {
server_name = "${bloxeldomain}"; server_name = "${bloxelDomain}";
public_baseurl = "https://matrix.${bloxeldomain}"; public_baseurl = "https://matrix.${bloxelDomain}";
suppress_key_server_warning = true; suppress_key_server_warning = true;
# Set the network config # Set the network config
@ -618,8 +588,8 @@ in
# Enable smtp for password resets # Enable smtp for password resets
email = { email = {
notif_from = "Bloxelcom's Matrix Homeserver <noreply@bloxelcom.net>"; notif_from = "Bloxelcom's Matrix Homeserver <noreply@bloxelcom.net>";
smtp_host = "mx.${bloxeldomain}"; smtp_host = "mx.${bloxelDomain}";
smtp_user = "noreply@${bloxeldomain}"; smtp_user = "noreply@${bloxelDomain}";
smtp_pass = secrets.noreplyPassword; smtp_pass = secrets.noreplyPassword;
enable_tls = true; enable_tls = true;
smtp_port = 587; smtp_port = 587;
@ -657,29 +627,32 @@ in
}; };
# Sliding sync proxy for Matrix # Sliding sync proxy for Matrix
matrix-sliding-sync = { matrix-sliding-sync = let
matrixSecretFile = pkgs.writeText "matrixsecret" ''
SYNCV3_SECRET=${secrets.matrixSecret}
'';
in {
enable = true; enable = true;
settings = { settings = {
SYNCV3_SERVER = "${bloxeldomain}"; SYNCV3_SERVER = "https://matrix.${bloxelDomain}";
SYNCV3_BINDADDR = "0.0.0.0:8009"; SYNCV3_BINDADDR = "0.0.0.0:8009";
SYNCV3_SECRET = secrets.matrixSecret;
}; };
environmentFile = "${pkgs.writeText "matrixsecret" secrets.matrixSecret}"; environmentFile = "${matrixSecretFile}";
}; };
# Mastodon # Mastodon
mastodon = { mastodon = {
enable = true; enable = true;
localDomain = "social.${bloxeldomain}"; localDomain = "social.${bloxelDomain}";
streamingProcesses = 4; streamingProcesses = 4;
configureNginx = true; configureNginx = true;
smtp = { smtp = {
createLocally = false; createLocally = false;
host = "mx.${bloxeldomain}"; host = "mx.${bloxelDomain}";
port = 587; port = 587;
authenticate = true; authenticate = true;
fromAddress = "noreply@${bloxeldomain}"; fromAddress = "noreply@${bloxelDomain}";
user = "noreply@${bloxeldomain}"; user = "noreply@${bloxelDomain}";
passwordFile = pkgs.writeText "smtp_pass.txt" secrets.noreplyPassword; passwordFile = pkgs.writeText "smtp_pass.txt" secrets.noreplyPassword;
}; };
}; };
@ -690,11 +663,11 @@ in
nginx.enable = true; nginx.enable = true;
database.createLocally = true; database.createLocally = true;
settings = { settings = {
hostname = "lemmy.${bloxeldomain}"; hostname = "lemmy.${bloxelDomain}";
email = { email = {
smtp_server = "mx.${bloxeldomain}:587"; smtp_server = "mx.${bloxelDomain}:587";
smtp_login = "noreply@${bloxeldomain}"; smtp_login = "noreply@${bloxelDomain}";
smtp_from_address = "noreply@${bloxeldomain}"; smtp_from_address = "noreply@${bloxelDomain}";
smtp_password = secrets.noreplyPassword; smtp_password = secrets.noreplyPassword;
tls_type = "starttls"; tls_type = "starttls";
}; };
@ -704,7 +677,7 @@ in
# Roundcube mail server # Roundcube mail server
roundcube = { roundcube = {
enable = true; enable = true;
hostName = "mail.${bloxeldomain}"; hostName = "mail.${bloxelDomain}";
extraConfig = '' extraConfig = ''
$config['smtp_server'] = "tls://${config.mailserver.fqdn}"; $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u"; $config['smtp_user'] = "%u";
@ -742,16 +715,16 @@ in
nixpkgs.config.element-web.conf = { nixpkgs.config.element-web.conf = {
default_server_config = { default_server_config = {
"m.homeserver" = { "m.homeserver" = {
base_url = "https://matrix.${bloxeldomain}:443"; base_url = "https://matrix.${bloxelDomain}:443";
server_name = "matrix.${bloxeldomain}"; server_name = "matrix.${bloxelDomain}";
}; };
}; };
branding = { branding = {
welcome_background_url = "https://staging.${bloxeldomain}/images/backgrounds/bloxelcom-sunset.jpg"; welcome_background_url = "https://staging.${bloxelDomain}/images/backgrounds/bloxelcom-sunset.jpg";
auth_header_logo_url = "https://staging.${bloxeldomain}/images/logos/bloxelcom.png"; auth_header_logo_url = "https://staging.${bloxelDomain}/images/logos/bloxelcom.png";
}; };
embedded_pages = { embedded_pages = {
home_url = "https://www.${bloxeldomain}/"; home_url = "https://www.${bloxelDomain}/";
}; };
disable_custom_urls = true; disable_custom_urls = true;
disable_guests = true; disable_guests = true;
@ -770,32 +743,32 @@ in
mailserver = rec { mailserver = rec {
enable = true; enable = true;
enableManageSieve = true; enableManageSieve = true;
domains = [ "${bloxeldomain}" ]; domains = [ "${bloxelDomain}" ];
fqdn = "mx.${bloxeldomain}"; fqdn = "mx.${bloxelDomain}";
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
# A list of accounts. # A list of accounts.
# Generate passwords with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' # Generate passwords with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = { loginAccounts = {
"noreply@${bloxeldomain}" = { "noreply@${bloxelDomain}" = {
hashedPasswordFile = pkgs.writeText "noreply" secrets.noreplySmtpHash; hashedPasswordFile = pkgs.writeText "noreply" secrets.noreplySmtpHash;
sendOnly = true; sendOnly = true;
}; };
"jimbo@${bloxeldomain}" = { "jimbo@${bloxelDomain}" = {
hashedPasswordFile = pkgs.writeText "jimbo" secrets.jimboSmtpHash; hashedPasswordFile = pkgs.writeText "jimbo" secrets.jimboSmtpHash;
aliases = [ "canada@${bloxeldomain}" "contact@${bloxeldomain}" ]; aliases = [ "canada@${bloxelDomain}" "contact@${bloxelDomain}" ];
}; };
"lunamoonlight@${bloxeldomain}" = { "lunamoonlight@${bloxelDomain}" = {
hashedPasswordFile = pkgs.writeText "luna" secrets.lunaSmtpHash; hashedPasswordFile = pkgs.writeText "luna" secrets.lunaSmtpHash;
aliases = [ "us@${bloxeldomain}" "contact@${bloxeldomain}" ]; aliases = [ "us@${bloxelDomain}" "contact@${bloxelDomain}" ];
}; };
"freecorn1854@${bloxeldomain}" = { "freecorn1854@${bloxelDomain}" = {
hashedPasswordFile = pkgs.writeText "freecorn" secrets.freecornSmtpHash; hashedPasswordFile = pkgs.writeText "freecorn" secrets.freecornSmtpHash;
aliases = [ "canada@${bloxeldomain}" "contact@${bloxeldomain}" ]; aliases = [ "canada@${bloxelDomain}" "contact@${bloxelDomain}" ];
}; };
"tinyattack09@${bloxeldomain}" = { "tinyattack09@${bloxelDomain}" = {
hashedPasswordFile = pkgs.writeText "tiny" secrets.tinySmtpHash; hashedPasswordFile = pkgs.writeText "tiny" secrets.tinySmtpHash;
aliases = [ "smallthing@${bloxeldomain}" ]; aliases = [ "smallthing@${bloxelDomain}" ];
}; };
}; };
}; };
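Review bot: The new PREROUTING chain (`tcp dport 2211 dnat to ${pcIP}`, the Sunshine and game-port lines after it) forwards the PC's and VM's services from any source, while the removed `extraForwardRules` at least carried an `ip saddr ${pc}` match; the NixOS nftables firewall only filters forwarded traffic when `networking.firewall.filterForward` is enabled, so either add a source match to the SSH rule (`ip saddr ${localSpan}.0/24 tcp dport 2211 dnat to ${pcIP}` if that port is only meant for LAN use) or set `filterForward = true` and re-add explicit forward rules. The POSTROUTING rule `oifname "${netInt}" masquerade` also rewrites DNAT'd packets that leave through eno1 towards the PC and VM if that is their LAN interface too, so those hosts will log every forwarded connection as coming from the server; a `ip daddr != ${localSpan}.0/24` qualifier on the masquerade line keeps the original client address visible to them. In the `.well-known/matrix/server` hunk, `{"m.server": "https://matrix.${bloxelDomain}"}` is not a valid delegation value because `m.server` takes `hostname[:port]` rather than a URL; the previous `matrix.${bloxelDomain}:443` form is the correct one. The `networking` attribute set and the nginx `virtualHosts` set both continue outside their hunks.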