

5 Commits

6 changed files with 36 additions and 11 deletions
  1. +13
    -0
      common/sysconfig.nix
  2. +1
    -1
      common/variables.nix
  3. +1
    -2
      hosts/m1vm/configuration.nix
  4. +5
    -0
      services/dns/default.nix
  5. +6
    -1
      services/httpd.nix
  6. +10
    -7
      services/postfix/default.nix

+ 13
- 0
common/sysconfig.nix View File

@@ -17,4 +17,17 @@ in {
# Enable rsyslog
services.rsyslogd.enable = true;
services.rsyslogd.extraConfig = "*.* @log.internal:6514;RSYSLOG_SyslogProtocol23Format";

# Enable LDAP
users.ldap.enable = true;
users.ldap.timeLimit = 2;
users.ldap.server = "ldap://ldap.internal/";
users.ldap.base = "o=redbrick";

# Add NFS mount
fileSystems."/home" = {
device = "192.168.0.24:/storage/home";
fsType = "nfs";
options = ["x-systemd.automount" "noauto" "nosuid" "nodev" "soft" "intr" "rw" "rsize=65536" "wsize=65536"];
};
}
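Review bot: The LDAP client enabled here talks to the directory over plain `ldap://` (`users.ldap.server = "ldap://ldap.internal/"`), so every NSS/PAM lookup this host makes, including any password bind, crosses the network unencrypted; `users.ldap.useTLS = true;` (or an `ldaps://` URL, whichever the server offers) keeps the channel protected. The host name is also hard-coded in this file while services/postfix/default.nix in the same set now reads it from `common.ldapHost`, so the two will drift the next time variables.nix changes. On the NFS mount, `rw` combined with `soft` means a timed-out write is returned to the application as an error instead of being retried, which can silently truncate files on home directories; `hard` is the usual choice for a writable mount, and `intr` has been ignored by the kernel since 2.6.25, so it can be dropped. The attribute set these lines belong to starts above the hunk.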

+ 1
- 1
common/variables.nix View File

@@ -8,5 +8,5 @@
dovecotSaslPort = 3659;
dovecotLmtpPort = 24;

ldapHost = "ldap.internal";
ldapHost = "192.168.0.4";
}

+ 1
- 2
hosts/m1vm/configuration.nix View File

@@ -27,7 +27,6 @@
prefixLength = 24;
}];
networking.defaultGateway = "192.168.0.254";
networking.nameservers = ["192.168.0.4"];

# List packages installed in system profile. To search, run:
# $ nix search wget
@@ -40,6 +39,6 @@
home = "/home/lucasade";
description = "Lucas";
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = user.users.root.openssh.authorizedKeys.keys;
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
};
}
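Review bot: The per-file counts say one line is removed from the first hunk and nothing added, and `networking.nameservers = ["192.168.0.4"];` is the only candidate, so this statically addressed host (the hunk sets `prefixLength` and `networking.defaultGateway` by hand) is left with no resolver of its own unless one is configured outside the hunk, while the other files in this set depend on resolving `ldap.internal` and `log.internal`. If the resolver is meant to come from DHCP or from the bind instance in services/dns/default.nix, a one-line comment where the entry stood would make that intent visible. The `config.users.users.root.openssh.authorizedKeys.keys` fix in the second hunk looks right; since it makes lucasade's SSH access exactly root's key set, that deserves a short comment above it. Both hunks sit inside sets that start above them.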

+ 5
- 0
services/dns/default.nix View File

@@ -16,6 +16,11 @@
name = "15.206.136.in-addr.arpa";
}
];

# Disabled dnssec validation to solve issues querying .internal. names
extraOptions = ''
dnssec-validation no;
'';
};

networking.firewall.allowedTCPPorts = [ 53 ];
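Review bot: `dnssec-validation no;` switches validation off for every name this resolver answers, not only `.internal`, so clients lose DNSSEC protection for the public domains it forwards as well. BIND 9.14 and later can exempt a single suffix instead: keep `dnssec-validation auto;` and add `validate-except { "internal"; };` inside `extraOptions`, which addresses the problem the comment describes without disabling validation globally; whether the bind package in this nixpkgs revision is recent enough needs checking. The comment should name whichever option the fix relies on so a later edit does not reintroduce the global switch-off. The `services.bind` block that this `extraOptions` belongs to starts above the hunk.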


+ 6
- 1
services/httpd.nix View File

@@ -6,6 +6,9 @@ let
email = "admins+acme@${common.tld}";
webroot = common.webrootDir;
postRun = "systemctl reload httpd.service";
extraDomains = {
"mail.${common.tld}" = null;
};
};

# Define a base vhost for all TLDs. This will serve only ACME on port 80
@@ -28,6 +31,7 @@ let
in {

# Acme will automatically create the certsDir and webrootDir
security.acme.preliminarySelfsigned = true;
security.acme.directory = common.certsDir;
security.acme.certs = {
"${common.tld}" = acmeCert;
@@ -35,6 +39,7 @@ in {

services.httpd = {
enable = true;
enableSSL = true;
multiProcessingModule = "event";
maxClients = 50;
sslServerKey = "${common.certsDir}/${common.tld}/key.pem";
@@ -53,7 +58,7 @@ in {

# Only acme certs are accessible via port 80,
# everything else is explicitly upgraded to https
listen = [{ port = 80; }];
listen = [{ port = 80; } { port = 443; }];
};

networking.firewall.allowedTCPPorts = [ 80 443 ];
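Review bot: The ACME certificate now also covers `mail.${common.tld}` (the new `extraDomains` entry), and services/postfix/default.nix reads the same `${common.certsDir}/${common.tld}/fullchain.pem`, but `postRun` still only runs `systemctl reload httpd.service`, so after a renewal Postfix keeps presenting the previous chain until something else restarts it. If Postfix is meant to share this certificate, extend the hook: `postRun = "systemctl reload httpd.service; systemctl reload postfix.service";`. The comment above `listen` ("Only acme certs are accessible via port 80, everything else is explicitly upgraded to https") predates the `{ port = 443; }` entry added next to it and should say that TLS is now served from the same `listen` list, with `enableSSL` and the `sslServer*` paths above providing the key material. The `services.httpd` set that the last hunk edits starts above it.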


+ 10
- 7
services/postfix/default.nix View File

@@ -3,16 +3,20 @@ let
common = import ../../common/variables.nix;

ldapCommon = ''
server_host = ldap://ldap.internal/
server_host = ldap://${common.ldapHost}/
version = 3
bind = no
'';

virtualMailboxMaps = pkgs.writeText "virt-mailbox-maps" ldapCommon + ''
virtualMailboxMaps = pkgs.writeText "virt-mailbox-maps" (ldapCommon + ''
search_base = ou=accounts,o=redbrick
query_filter = (&(objectClass=posixAccount)(uid=%u))
result_attribute = uid
result_format = %s@${common.tld}
'');

virtualMailboxDomains = pkgs.writeText "virt-mailbox-domains" ''
redbricktest.ml
'';

commonRestrictions = [
@@ -31,7 +35,7 @@ in {
setSendmail = true;
origin = common.tld;
hostname = "mail.${common.tld}";
destination = ["mail.${common.tld}" "localhost"];
destination = ["localhost"];
recipientDelimiter = "+";

sslCert = "${common.certsDir}/${common.tld}/fullchain.pem";
@@ -55,14 +59,13 @@ in {
# IP address used by postfix to send outgoing mail. You only need this if
# your machine has multiple IP addresses - set it to your MX address to
# satisfy your SPF record.
# TODO allow this machine to connect to public addresses to send mail
inet_protocols = "ipv4";
smtp_bind_address = "192.168.0.135";
# http://www.postfix.org/BASIC_CONFIGURATION_README.html#proxy_interfaces
proxy_interfaces = "136.206.15.5";

virtual_mailbox_domains = "static:${common.tld}";
virtual_mailbox_maps = "ldap:${virtualMailboxMaps}";
# virtual_alias_maps = "ldap:" ++ ./ldap-virtual-alias-maps.cf;
virtual_alias_domains = "${common.tld}";
virtual_alias_maps = "hash:/var/lib/postfix/aliases";

# Generate own DHParams
smtpd_tls_dh512_param_file = config.security.dhparams.params.smtpd_512.path;
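Review bot: Assuming `virtual_alias_domains = "${common.tld}";` is on the new side (the rendering drops the +/- markers), it lists the same domain as `virtual_mailbox_domains = "static:${common.tld}";`, which Postfix's VIRTUAL_README says not to do — each domain belongs to exactly one class and Postfix logs a warning when it is in both; because `virtual_alias_maps` is consulted for every recipient regardless of class, removing the `virtual_alias_domains` line keeps the alias file working. The parenthesised `pkgs.writeText "virt-mailbox-maps" (ldapCommon + ''` fixes a real precedence bug (the old form concatenated the store path with the query settings instead of writing them into the file), so the LDAP map only now actually contains `search_base`/`query_filter`; a short comment saying the parentheses are load-bearing would stop someone "tidying" them away. The lookup itself still uses `bind = no` over plain `ldap://${common.ldapHost}/`, so whether the directory permits anonymous reads of `uid` under `ou=accounts,o=redbrick` and whether that traffic needs TLS is worth confirming with the LDAP side. The `let` block and the `extraConfig` set both start outside the hunks.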

