-rw-r--r-- | configuration.nix | 1 | ||||
-rw-r--r-- | dns.nix | 8 | ||||
-rw-r--r-- | mail.nix | 54 | ||||
-rw-r--r-- | vpn.nix | 38 |
4 files changed, 85 insertions, 16 deletions
diff --git a/configuration.nix b/configuration.nix
index a847f29..15ef8c4 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -45,6 +45,7 @@
 ./status.nix
 ./vpsadminos.nix
 ./wikiwiki.nix
+ ./vpn.nix
 ];
 networking = {
diff --git a/dns.nix b/dns.nix
index c6223d3..a3776e0 100644
--- a/dns.nix
+++ b/dns.nix
@@ -97,16 +97,8 @@ in {
 }
 {
 domain = "giao.loan";
- file = builtins.toFile "giao.loan.zone" ''
- @ SOA danh.loang.net. cnx.loang.net. 2024011642 14400 3600 604800 3600
- @ NS danh.loang.net.
- @ NS puck.nether.net.
- @ NS ns-global.kjsl.com.
- @ A 112.185.162.184
- '';
 notify = [ "ns-global" "puck" ];
 acl = [ "ns-global" "puck" ];
- dnssec-signing = false;
 }
 {
 domain = "loang.net";
diff --git a/mail.nix b/mail.nix
index 62a7f11..ae14556 100644
--- a/mail.nix
+++ b/mail.nix
@@ -192,16 +192,40 @@ in {
 enable = true;
 port = 1430;
 };
- inboxes = {
- test = {
- address = [ "test@${publicHost}" ];
- description = "test list";
- url = "https://${publicHost}/test";
+ imap = let
+ certDir = config.security.acme.certs.${publicHost}.directory;
+ in {
+ cert = "${certDir}/cert.pem";
+ enable = true;
+ key = "${certDir}/key.pem";
+ port = 143;
+ };
+ inboxes = builtins.mapAttrs (name: value: value // {
+ address = [ "${name}@${publicHost}" ];
+ url = "https://${publicHost}/${name}";
+ newsgroup = "inbox.${name}";
+ }) {
+ test.description = "test list";
+ chung = {
+ description = "News, requests and patches for loang.net";
+ coderepo = [ "nixos-conf" "phylactery" "site" ];
 };
 };
 mda.enable = true;
 postfix.enable = true;
- settings.publicinbox.wwwlisting = "match=domain";
+ settings = {
+ coderepo = builtins.listToAttrs (map (name: {
+ name = name;
+ value = {
+ cgitUrl = "https://trong.loang.net/${name}";
+ dir = name;
+ };
+ }) [ "nixos-conf" "phylactery" "site" ]);
+ publicinbox = {
+ imapserver = [ publicHost ];
+ wwwlisting = "match=domain";
+ };
+ };
 };
 nginx.virtualHosts = {
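Review bot: The new `imap` block hands the TLS server `cert = "${certDir}/cert.pem"`, which in the NixOS ACME directory layout holds only the leaf certificate, so IMAP clients that do not already have the intermediate cached will fail chain validation; the server should present `cert = "${certDir}/fullchain.pem";` (`key.pem` is correct as is). Listening on 143 with a cert/key configured presumably means STARTTLS rather than implicit TLS on 993 — confirm that is the intended exposure and that the firewall, which is not in this hunk, opens the port. The `inboxes` rewrite also makes every list name a `newsgroup`, which is fine but deserves a one-line comment since `imapserver = [ publicHost ]` now advertises the host in the generated config. The enclosing `services` attribute set starts outside the hunk.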
@@ -257,6 +281,20 @@ in {
 };
 };
- systemd.services.alps.unitConfig.Requires = "maddy.service";
- users.extraUsers.maddy.extraGroups = [ "nginx" "shadow" ];
+ systemd.services = {
+ alps.unitConfig.Requires = "maddy.service";
+ public-inbox-imapd.serviceConfig.BindReadOnlyPaths = [
+ config.security.acme.certs.${publicHost}.directory
+ ];
+ };
+
+ users.users = {
+ maddy.extraGroups = [
+ config.security.acme.certs.${hostname}.group
+ "shadow"
+ ];
+ public-inbox.extraGroups = [
+ config.security.acme.certs.${publicHost}.group
+ ];
+ };
 }
diff --git a/vpn.nix b/vpn.nix
new file mode 100644
index 0000000..b6c3f07
--- /dev/null
+++ b/vpn.nix
@@ -0,0 +1,38 @@
+# WireGuard peering
+# Copyright (C) 2024 Nguyễn Gia Phong
+#
+# This file is part of loang configuration.
+#
+# Loang configuration is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Loang configuration is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with loang configuration. If not, see <https://www.gnu.org/licenses/>.
+
+{ config, ... }:
+let wireguardPort = 51820;
+in {
+ networking = {
+ firewall.allowedUDPPorts = [ wireguardPort ];
+ wireguard.interfaces.wg0 = {
+ ips = [ "192.168.144.24/24" "fdb1:87db:2ad4::18/64" ];
+ listenPort = wireguardPort;
+ privateKeyFile = "/etc/wireguard/private.key";
+ peers = [
+ {
+ publicKey = "P2t6yzGuvx5u4nw0J7TfxUYZPYvyblXhDIN8cRcHgTU=";
+ allowedIPs = [ "192.168.144.0/24" "fdb1:87db:2ad4::/64" ];
+ endpoint = "giao.loan:${toString wireguardPort}";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
 |
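Review bot: The `public-inbox` user is added to the ACME group for `publicHost` and the certificate directory is bind-mounted read-only into `public-inbox-imapd`, but nothing in the hunk ties the daemon to certificate renewals, so after ACME rotates `cert.pem`/`key.pem` the running imapd keeps serving the old leaf until it happens to restart; add `security.acme.certs.${publicHost}.reloadServices = [ "public-inbox-imapd.service" ];` (public-inbox daemons document SIGHUP as reloading TLS material, so a reload rather than a restart should suffice — verify). This group membership also gives every daemon running as `public-inbox` read access to the same private key nginx serves the site with; if imapd is the only consumer, a dedicated certificate for the IMAP name would contain the blast radius of a compromised daemon. `maddy` keeps `shadow` from the replaced line, which is read access to all password hashes — a one-line comment stating which authenticator needs it would stop the next reviewer from removing it or, conversely, from accepting it unexamined. The enclosing top-level attribute set starts outside the hunk.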
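Review bot: `privateKeyFile = "/etc/wireguard/private.key";` refers to a file the module does not create and the hunk says nothing about how it is provisioned or protected; wg0 fails to come up if it is missing and WireGuard warns when it is readable by others, so either document it above the line, `# not managed by Nix: create with umask 077 (wg genkey), root:root 0600, never in the store`, or set `generatePrivateKeyFile = true;` and let the module generate it with the right mode. The peer is addressed by name, `endpoint = "giao.loan:…"`, which this module resolves once when it runs `wg set`; since the same commit moves the visible `giao.loan` zone data out of dns.nix, adding `dynamicEndpointRefreshSeconds = 60;` to the peer keeps the tunnel from sticking to a stale or unresolved address. No `presharedKeyFile` is configured; for a static two-peer link it is cheap hardening on top of the Curve25519 handshake and worth a line. Opening UDP 51820 on every interface is fine for WireGuard, which drops unauthenticated packets silently, but a short comment saying so saves the next reader from tightening it by interface.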