···

       
12
       
12
       
 
       
    ./dn42/default.nix

     

       
13
       
13
       
 
       


     

       
14
       
14
       
 
       
    # Running Services

     

       
15
       
15
       
-
       
    # ./services/acme.nix

     

       
16
       
16
       
-
       
    ./services/blog-update.nix

     

       
15
       
15
       
+
       
    ./services/acme.nix

     

       
16
       
16
       
+
       
    # ./services/blog-update.nix

     

       
17
       
17
       
 
       
    ./services/caddy.nix

     

       
18
       
18
       
 
       
    # ./services/dn42-peerfinder.nix

     

       
19
       
19
       
 
       
    ./services/fail2ban.nix

     
···

       
21
       
21
       
 
       
    ./services/mailserver

     

       
22
       
22
       
 
       
    ./services/mailserver/stalwart

     

       
23
       
23
       
 
       
    # ./services/netdata.nix

     

       
24
       
24
       
-
       
    ./services/nginx

     

       
24
       
24
       
+
       
    # ./services/nginx

     

       
25
       
25
       
 
       
    ./services/prometheus.nix

     

       
26
       
26
       
 
       
    ./services/secrets.nix

     

       
27
       
27
       
 
       
    ./services/tailscale.nix

     

···

       
1
       
1
       
 
       
age-encryption.org/v1

     

       
2
       
2
       
-
       
-> ssh-ed25519 LcWOqQ SK4nXQ08Kdv5W2oFVHMcFL3KkxBqpnFa6T/DmsQROnQ

     

       
3
       
3
       
-
       
Z2haZq1zi+5nwDgD1DaRZN6jfoG8nA7TUm0jeKcsExs

     

       
2
       
2
       
+
       
-> ssh-ed25519 LcWOqQ i/qdqW02ufOTMiy8czjhOa/AJRZTuAFQ5MNrQjNjgXI

     

       
3
       
3
       
+
       
ZcYytLIizQ25y/kwXmYy9q6e4fyvJju1HIYja2ucEcY

     

       
4
       
4
       
 
       
-> ssh-rsa fFaiTA

     

       
5
       
5
       
-
       
diaNjLb29gn/MLR+yPp4I7CxkRLU/2HRTuI0HrWMuLs8GJA5eaBMviuD9mM9onqs

     

       
6
       
6
       
-
       
1QoQYCeN4tVF4+6BNnzqwUcX33VHh03BQuoRP3nkmerL/BGx7Rw42XasP2mvLtco

     

       
7
       
7
       
-
       
uXiKeGg/Hp8LN1nnptgU4d6aMlJ1PUmEFdujp5vDQjUf3uZo6fx92CvYQnOFDrYC

     

       
8
       
8
       
-
       
+SVJhn2DrRBNajwz5SSzdg7dPOQ4EhyG6BFFA1KX0x1lUCoGW1MmOMpI/3P07eEA

     

       
9
       
9
       
-
       
qsiiIhEpON4AXLIy32ipopA3/GH4goT+D1ajN5R321OXmchHHMAnDelF5pgUNTN5

     

       
10
       
10
       
-
       
/GG1SZ6ztaSqHxK3LwLvMKIFTQy+Vk/0suOnWtmiu7zuSWAXJonkDDyWk/A9VIsG

     

       
11
       
11
       
-
       
RX700mmAXGoHNq/TfjU8UkLNez18IxPpuywBncz1tfSCaDduU2Ox+Yp3H0cJWZYs

     

       
12
       
12
       
-
       
eOUD2WX7PTtT3H6vWiMcN1e58bXi18Faa0W9zgI09QHOUtQnNd0m5+saxmAoaPy4

     

       
13
       
13
       
-
       
wiKzjrvgANcDa45RMFGSx94bNLVx4LNbKpEi4oIoTvIIiqyFG3F3BuhGjQfePH8w

     

       
14
       
14
       
-
       
Vd+AkDRFxHyUKRxTUINuocqGnesIy1VazsZGuG7HJvN5vt8ir26SGNfweVOtMmtC

     

       
15
       
15
       
-
       
spk4Cv4R4qOuAc8nifOISlzdvlmzCqCIHeCWf/aN1Dk

     

       
16
       
16
       
-
       
-> ssh-ed25519 wpmdHA xDq9RflMMee4GeBllnb5vGbu1GuKQEPyYE7i0xTD3BA

     

       
17
       
17
       
-
       
p2PYAhfBQgfmP+ElVvMp+ZMxF2Kji317X8XID1oryzE

     

       
18
       
18
       
-
       
--- e9B9Ypj91p0p2fraHLy6xURke2CvIQcPf8BPUQNjc4c

     

       
19
       
19
       
-
       
��B�X�'Dp����
٭0Tb� ��k�t�����F��j�Vn@}H���`�i,������֣Z��Fb9�0)��$Si�c1�3�ɫVc���8^
�:�i��v����,����e�C
     

       
5
       
5
       
+
       
od7jPtXTEEZ6xYCXScOFmNs1EFThNKoFlw1MRXBmlRW8+PlLyuQ6m3d3DsPpXXdk

     

       
6
       
6
       
+
       
VN/HUF5vSv8pHVXBuoBSCOG5c4uYfN1unsuHkj1R/rnlP7MP8R4KSnzgLWRgRGfg

     

       
7
       
7
       
+
       
xOGXvK+nUDqjEY7SousJ5n4E03FeuiQVrYV/YNZWhTgpuciX3BCcYQkgzZxsUAt/

     

       
8
       
8
       
+
       
tyMpEwGirr2PbAOPzeDN394yNfWQgU5PderJJuyiEywFn8kZJDlZZmex+PBuAzxQ

     

       
9
       
9
       
+
       
XJ+jmi0D7M/FsSzfv/G8xfaWCns/6FIvClK+vIhnInxVHz6aQnGSFHMsNTHaQTzI

     

       
10
       
10
       
+
       
+ps6A6cKrCpuhd0nuaibd9WE/EkU54q5lFiUQPVpr+8qBbYD+Jcqk763Z3dGYE6P

     

       
11
       
11
       
+
       
aNL8Xun0HjcifqEs67fsMLmUEnDaI5+xadPW90oCJcDtc/FYtUalUS/sf9LTlbzP

     

       
12
       
12
       
+
       
XOyj2xhRCRl+wxSLhZw28c/3L0eqsDzN3tZzLPHfXn3qR5D4ohfS/Cw5OZHENyrM

     

       
13
       
13
       
+
       
5EpjSPUr0OF7ySL7L2DGAG1zY0FhqcMJgl2ccVhyBzinzPWIEfnc29yrEvwG1ALq

     

       
14
       
14
       
+
       
bOAwDzMrJPhFgnLe4AdAeiOKcdUwa+/5wMepxCuzKyjCvTJxuet367ledF53fLMn

     

       
15
       
15
       
+
       
uXeltHwG5M4kCw7YoFGGoo0y8SrDLJEP78U8gfQEMwU

     

       
16
       
16
       
+
       
-> ssh-ed25519 wpmdHA oU+tow9XZ1O9mtSRV9U8tJGSoKALwBVncVbKQZd37Dc

     

       
17
       
17
       
+
       
ycDQoOW0EjZFTJjA6meC2E5naJrNy7Lg9VS4HlKZStI

     

       
18
       
18
       
+
       
--- nLQZlSx//ps1f1UOReCuNOYtGIP+XJlloVIbkiDNRsU

     

       
19
       
19
       
+
       
Ie�f�_�I���\Ќl,j3�u���E�������k�IZO�G�u���
��y��?���̟�ƨk�

     

       
20
       
20
       
+
       
ޱ?�;��
     

···

       
1
       
1
       
 
       
age-encryption.org/v1

     

       
2
       
2
       
-
       
-> ssh-ed25519 LcWOqQ S0HRjqp8jO+XO9hOUAHPqOVWRp094ee/Wf6YXngG6Vc

     

       
3
       
3
       
-
       
SsNb4FTH0zwoJS3eS+A+Eyab2nVGSUfa1nhZsldRKYU

     

       
2
       
2
       
+
       
-> ssh-ed25519 LcWOqQ 7togPtzcJXZIAe+97CEtOpKYvKcXdMPZN1ZXaDtiF2M

     

       
3
       
3
       
+
       
bx4Slxv+LPXPTyjRbl/1fme4nEO2aY9pF6J5ww7k2gQ

     

       
4
       
4
       
 
       
-> ssh-rsa fFaiTA

     

       
5
       
5
       
-
       
G7PhLEp36AwfIC2SZX8xh59JH3o/lzeDPDdhnl0CcO8ZADkE0yVwmZCyyjAq/5O3

     

       
6
       
6
       
-
       
KQF8HrgooLx34ooniGPpPoMAMJttjuNuEKxWlunmhipG8i/5tjzlyILrbqnEX9jc

     

       
7
       
7
       
-
       
MLpUVnjJBOZSqTnin85n5V7nmRghhsLccOLqYEMV91z4tMeB3NOU0ULikLSPXNDM

     

       
8
       
8
       
-
       
V2LOV7fZDaY7CB/vQQdodQ5G8QoM2drk4OLC0tPUk/GsDhcUFN0J2vP5diMpsy5b

     

       
9
       
9
       
-
       
H7X/mDbnqvP6ZSs+vJ8laewzpMbSJXHRlVAlUoirBEAxOw75Zb0Z3N2VXNSkWWJ/

     

       
10
       
10
       
-
       
Tjq5VU/aK5FCIQs9CtFIL5h9Gs7+4ZACHu3KIQJGw3CerjEJE/USEGgkjF05QXAl

     

       
11
       
11
       
-
       
YLF4+SSgA+yknXVb3RnzkDmP2qWrwSIgzTNojtHky61ssuu/HlFa/sDy2qdXmvma

     

       
12
       
12
       
-
       
DNwl43aCpR9AHBLowBuDEd8YOydC4A9hi2KgGg43scUdqEsxkJo72PLHO8RlNqSe

     

       
13
       
13
       
-
       
AYbb/WX8Q5vtuOuf49/7qwO2moyNO306FtO7AXkUb+Kobc8c8ZOaQ8LWOl6nQUn6

     

       
14
       
14
       
-
       
F1f7ifv2tdFGkyaHffCr8BVCH4n4JdzZaR7sxO8vU6aS7CY+c/pRoi9Qy9ROy7EA

     

       
15
       
15
       
-
       
8NhCy3rGNk1KeiK95dZyl+i4SAH4EVlDHjLfRO+9Qvo

     

       
16
       
16
       
-
       
-> ssh-ed25519 wpmdHA ZFi1FtljkiRtG24iTzJK6fhen/xAl6ZT/lzVvE3OjRQ

     

       
17
       
17
       
-
       
BXI6c8iY+9f/cbSRKcsX23A68Eo3WbTITemlyTNSzT0

     

       
18
       
18
       
-
       
--- xtjZg8c7aBnCM3DiE8PlY/vy2nhGGuS1wadsW9k/gPE

     

       
19
       
19
       
-
       
��oK$�Ċ��i�������D캴Mr%�+:|�`k�a��T
�]�f<��}��Q���Am}��=)l�Hl��2����8�՟�
�X���?I����*��OT��i9�\��_y�7��Lo�62�V#���m���n
     

       
5
       
5
       
+
       
I9AeATPIo5M+Tqd0lbLs37jGa/I/m6C56/vVdVd2r2kH8FobbhFXkypmBfZjleNB

     

       
6
       
6
       
+
       
FqP4Jn12IAWACTY9LEoSrhaeABpdZAUE6Vt+hqYDOc8UL5WuTekVUCW+Sw2EJbnl

     

       
7
       
7
       
+
       
oyBBcTRSuSd3OEO3Q4hp5SmHiGUkL7eDfEdXMXe7fnYEIfJoYu6Op1bLoTK7Tiuz

     

       
8
       
8
       
+
       
g5c7a9kgxcD73ynfeRz0kQM/AXbEXrtu0Wr7CH9ZWWmCkkhcpNnS7CRtTb5Qhk4L

     

       
9
       
9
       
+
       
oTVn+Rs6Mgv395pmV0Ou3fqkys3+t7PdO+tHDtlMNqORn3KaQuPLAWjgBCG1408T

     

       
10
       
10
       
+
       
iGpbkqdoGb3VpBUfw/dWISPrDZsJGcLOFULHX76JKIGQXV/UG8zNlS5lddo7zY7T

     

       
11
       
11
       
+
       
mh8tBqZrj9MWOwkG0nDDV87sEFOqFfj4gclEF5GRE55Sypog6oRZLTVjvH636E+2

     

       
12
       
12
       
+
       
mztdPJyhUzMtvhQQfvftG+AwxhNGt4SRdMd7O+QeYSWmqykTlZx7nF73BBeYP0JC

     

       
13
       
13
       
+
       
xSmVsdxuS3aur2HcogCSICo2+jGGoP33FOYnpzVY/Y67B4tunfL1ItfmbGeKVwG0

     

       
14
       
14
       
+
       
f9sm6meYvRw9JvAdBcqFILOxPvg/P2VARaf5fDpZP6MmRTWkl9FH2J1Wp9m7ZMi3

     

       
15
       
15
       
+
       
m8RAfpH7l5U/vVcbLYUaL5w0e4cNeHBQSbn/AhqCeFQ

     

       
16
       
16
       
+
       
-> ssh-ed25519 wpmdHA rPRuQwrporOZbD6kpZwGZbZoEYNvG7E+t1zDolmwmzE

     

       
17
       
17
       
+
       
CtTiaRwa+S+vn1wrUjkZWatUkLcvXVPQDbsvtwdT7X4

     

       
18
       
18
       
+
       
--- xDaJBT4M3JZNN0aABAp9QnPw7rsl/D9/SRIz0aHEGRE

     

       
19
       
19
       
+
       
��?�%*�N��������"h#_E��:c&��f�d�r��

     

       
20
       
20
       
+
       
���J<Ci����X��g�;�ҏ�
f�\^����Y�q�+��S�{=܀a��L�ն�������Vt�n�����EXu�hݿZ0�׎�����u��+ޖ���
     

···

       
1
       
1
       
 
       
{ config, ... }:

     

       
2
       
2
       
 
       
{

     

       
3
       
3
       
 
       
  security.acme = {

     

       
4
       
4
       
-
       
    certs."pyrox.dev" = {

     

       
5
       
5
       
-
       
      domain = "*.pyrox.dev";

     

       
4
       
4
       
+
       
    acceptTerms = true;

     

       
5
       
5
       
+
       
    certs."mail.pyrox.dev" = {

     

       
6
       
6
       
+
       
      extraDomainNames = [

     

       
7
       
7
       
+
       
        "mail2.pyrox.dev"

     

       
8
       
8
       
+
       
        "mta-sts.pyrox.dev"

     

       
9
       
9
       
+
       
        "autoconfig.pyrox.dev"

     

       
10
       
10
       
+
       
        "autodiscover.pyrox.dev"

     

       
11
       
11
       
+
       
      ];

     

       
12
       
12
       
+
       
      reloadServices = [ "stalwart-mail.service" ];

     

       
6
       
13
       
 
       
    };

     

       
7
       
14
       
 
       
    defaults = {

     

       
8
       
15
       
 
       
      # LE Production Server

     

       
9
       
16
       
 
       
      server = "https://acme-v02.api.letsencrypt.org/directory";

     

       
10
       
10
       
-
       
      # use EC-384 instead of the default, EC-256

     

       
11
       
11
       
-
       
      keyType = "ec384";

     

       
12
       
17
       
 
       
      email = "pyrox@pyrox.dev";

     

       
13
       
13
       
-
       
      # Enable OSCP Must-Staple(see https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/ )

     

       
14
       
14
       
-
       
      ocspMustStaple = true;

     

       
15
       
15
       
-
       
      # For DNS Challenges, use ClouDNS(my provider)

     

       
16
       
16
       
-
       
      dnsProvider = "cloudns";

     

       
18
       
18
       
+
       
      # For DNS Challenges, use DeSec(my provider)

     

       
19
       
19
       
+
       
      dnsProvider = "desec";

     

       
17
       
20
       
 
       
      # Enable DNS Propagation checks(ensure DNS records exist before requesting certs)

     

       
18
       
21
       
 
       
      dnsPropagationCheck = true;

     

       
19
       
19
       
-
       
      # Agenix-encrypted credentials for ClouDNS

     

       
22
       
22
       
+
       
      # Agenix-encrypted credentials for ACME

     

       
20
       
23
       
 
       
      credentialsFile = config.age.secrets.acme-creds.path;

     

       
24
       
24
       
+
       
      dnsResolver = "9.9.9.9:53";

     

       
21
       
25
       
 
       
    };

     

       
26
       
26
       
+
       
  };

     

       
27
       
27
       
+
       
  age.secrets.acme-creds = {

     

       
28
       
28
       
+
       
    file = ../secrets/acme-creds.age;

     

       
29
       
29
       
+
       
    owner = "acme";

     

       
30
       
30
       
+
       
    group = "acme";

     

       
22
       
31
       
 
       
  };

     

       
23
       
32
       
 
       
}

     

···

       
16
       
16
       
 
       
    renew-before = "30d";

     

       
17
       
17
       
 
       
    default = true;

     

       
18
       
18
       
 
       
    provider = "desec";

     

       
19
       
19
       
-
       
    secret = "%{file:${sec.stalwart-desec-token.path}}";

     

       
19
       
19
       
+
       
    secret = "%{file:${sec.stalwart-desec-token.path}}%";

     

       
20
       
20
       
 
       
  };

     

       
21
       
21
       
 
       
}

     

···

       
8
       
8
       
 
       
  cfg = config.services.stalwart-mail;

     

       
9
       
9
       
 
       
  sec = config.age.secrets;

     

       
10
       
10
       
 
       
  creds = config.services.stalwart-mail.credentials;

     

       
11
       
11
       
+
       
  credsDir = "/run/credentials/stalwart-mail.service";

     

       
12
       
12
       
+
       
  certDir = config.security.acme.certs."mail.pyrox.dev".directory;

     

       
11
       
13
       
 
       
  isAuthenticated = d: {

     

       
12
       
14
       
 
       
    "if" = "!is_empty(authenticated_as)";

     

       
13
       
15
       
 
       
    "then" = d;

     
···

       
26
       
28
       
 
       
in

     

       
27
       
29
       
 
       
{

     

       
28
       
30
       
 
       
  services.stalwart-mail = {

     

       
31
       
31
       
+
       
    credentials = {

     

       
32
       
32
       
+
       
      cert = "${certDir}/cert.pem";

     

       
33
       
33
       
+
       
      key = "${certDir}/key.pem";

     

       
34
       
34
       
+
       
    };

     

       
29
       
35
       
 
       
    enable = true;

     

       
30
       
36
       
 
       
    dataDir = "/var/lib/stalwart";

     

       
31
       
37
       
 
       
    settings = {

     

       
32
       
38
       
 
       
      tracer.stdout.level = "debug";

     

       
33
       
39
       
 
       
      authentication.fallback-admin = {

     

       
34
       
40
       
 
       
        user = "fallback";

     

       
35
       
35
       
-
       
        secret = "%{file:${sec.stalwart-fallback-admin-pw.path}}";

     

       
41
       
41
       
+
       
        secret = "%{file:${sec.stalwart-fallback-admin-pw.path}}%";

     

       
36
       
42
       
 
       
      };

     

       
37
       
43
       
 
       
      config = {

     

       
38
       
44
       
 
       
        local-keys = [

     

       
39
       
39
       
-
       
          "!acme.*.eab.*"

     

       
40
       
40
       
-
       
          "acme.*"

     

       
41
       
45
       
 
       
          "asn.*"

     

       
42
       
46
       
 
       
          "auth.*"

     

       
43
       
47
       
 
       
          "authentication.*"

     
···

       
67
       
71
       
 
       
          "spam-filter.*"

     

       
68
       
72
       
 
       
        ];

     

       
69
       
73
       
 
       
      };

     

       
74
       
74
       
+
       
      certificate = {

     

       
75
       
75
       
+
       
        default = {

     

       
76
       
76
       
+
       
          default = true;

     

       
77
       
77
       
+
       
          cert = "%{file:${credsDir}/cert}%";

     

       
78
       
78
       
+
       
          private-key = "%{file:${credsDir}/key}%";

     

       
79
       
79
       
+
       
          subjects = [

     

       
80
       
80
       
+
       
            "mail.pyrox.dev"

     

       
81
       
81
       
+
       
            "mail2.pyrox.dev"

     

       
82
       
82
       
+
       
            "mta-sts.pyrox.dev"

     

       
83
       
83
       
+
       
            "autoconfig.pyrox.dev"

     

       
84
       
84
       
+
       
            "autodiscover.pyrox.dev"

     

       
85
       
85
       
+
       
          ];

     

       
86
       
86
       
+
       
        };

     

       
87
       
87
       
+
       
      };

     

       
70
       
88
       
 
       
      server = import ./server.nix { inherit d; };

     

       
71
       
71
       
-
       
      acme = import ./acme.nix { inherit cfg sec; };

     

       
89
       
89
       
+
       
      # Use NixOS-generated certs now, since stalwart can't do it on its own

     

       
90
       
90
       
+
       
      # (DeSec API Errors abound)

     

       
91
       
91
       
+
       
      # acme = import ./acme.nix { inherit cfg sec; };

     

       
72
       
92
       
 
       
      # HTTP Configuration

     

       
73
       
93
       
 
       
      # https://stalw.art/docs/http/overview

     

       
74
       
94
       
 
       
      http = {

     

···

       
21
       
21
       
 
       
{

     

       
22
       
22
       
 
       
  rsa = {

     

       
23
       
23
       
 
       
    inherit headers;

     

       
24
       
24
       
-
       
    private-key = "%{file:${sec.stalwart-secret-rsa.path}}";

     

       
24
       
24
       
+
       
    private-key = "%{file:${sec.stalwart-secret-rsa.path}}%";

     

       
25
       
25
       
 
       
    domain = "pyrox.dev";

     

       
26
       
26
       
 
       
    selector = "rsa-default";

     

       
27
       
27
       
 
       
    algorithm = "rsa-sha256";

     
···

       
31
       
31
       
 
       
  };

     

       
32
       
32
       
 
       
  ed25519 = {

     

       
33
       
33
       
 
       
    inherit headers;

     

       
34
       
34
       
-
       
    private-key = "%{file:${sec.stalwart-secret-ed25519.path}}";

     

       
34
       
34
       
+
       
    private-key = "%{file:${sec.stalwart-secret-ed25519.path}}%";

     

       
35
       
35
       
 
       
    domain = "pyrox.dev";

     

       
36
       
36
       
 
       
    selector = "default";

     

       
37
       
37
       
 
       
    algorithm = "ed25519-sha256";

     

···

       
18
       
18
       
 
       
      file = ../secrets/wireguard-priv-key.age;

     

       
19
       
19
       
 
       
      path = "/run/agenix/wireguard-priv-key";

     

       
20
       
20
       
 
       
    };

     

       
21
       
21
       
-
       
    acme-creds = {

     

       
22
       
22
       
-
       
      file = ../secrets/acme-creds.age;

     

       
23
       
23
       
-
       
      group = "acme";

     

       
24
       
24
       
-
       
    };

     

       
25
       
21
       
 
       
  };

     

       
26
       
22
       
 
       
}